Vulnerable Library - esapi-2.1.0.1.jar
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/owasp/antisamy/antisamy/1.5.3/antisamy-1.5.3.jar
Found in HEAD commit: 5fcbcf42db4b6848b483f7c0d9a14f88a33779a8
Vulnerabilities
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
Details
CVE-2016-1000031
Vulnerable Library - commons-fileupload-1.3.1.jar
The Apache Commons FileUpload component provides a simple yet flexible means of adding support for multipart
file upload functionality to servlets and web applications.
Library home page: http://commons.apache.org/proper/commons-fileupload/
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/commons-fileupload/commons-fileupload/1.3.1/commons-fileupload-1.3.1.jar
Dependency Hierarchy:
- esapi-2.1.0.1.jar (Root Library)
- ❌ commons-fileupload-1.3.1.jar (Vulnerable Library)
Found in HEAD commit: 5fcbcf42db4b6848b483f7c0d9a14f88a33779a8
Found in base branch: master
Reachability Analysis
This vulnerability is potentially used
org.t246osslab.easybuggy.core.servlets.AbstractServlet (Application)
-> org.owasp.esapi.ESAPI (Extension)
-> org.owasp.esapi.reference.DefaultHTTPUtilities (Extension)
-> ❌ org.apache.commons.fileupload.FileItem (Vulnerable Component)
Vulnerability Details
Apache Commons FileUpload before 1.3.3 DiskFileItem File Manipulation Remote Code Execution
Publish Date: 2016-10-25
URL: CVE-2016-1000031
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1000031
Release Date: 2016-10-25
Fix Resolution (commons-fileupload:commons-fileupload): 1.3.3
Direct dependency fix Resolution (org.owasp.esapi:esapi): 2.2.0.0
⛑️ Automatic Remediation is available for this issue
CVE-2016-2510
Vulnerable Library - bsh-core-2.0b4.jar
BeanShell core
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/beanshell/bsh-core/2.0b4/bsh-core-2.0b4.jar
Dependency Hierarchy:
- esapi-2.1.0.1.jar (Root Library)
- ❌ bsh-core-2.0b4.jar (Vulnerable Library)
Found in HEAD commit: 5fcbcf42db4b6848b483f7c0d9a14f88a33779a8
Found in base branch: master
Reachability Analysis
The vulnerable code is not reachable.
Vulnerability Details
BeanShell (bsh) before 2.0b6, when included on the classpath by an application that uses Java serialization or XStream, allows remote attackers to execute arbitrary code via crafted serialized data, related to XThis.Handler.
Publish Date: 2016-04-07
URL: CVE-2016-2510
CVSS 3 Score Details (8.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2016-2510
Release Date: 2016-04-07
Fix Resolution: 2.0b6
CVE-2016-3092
Vulnerable Library - commons-fileupload-1.3.1.jar
The Apache Commons FileUpload component provides a simple yet flexible means of adding support for multipart
file upload functionality to servlets and web applications.
Library home page: http://commons.apache.org/proper/commons-fileupload/
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/commons-fileupload/commons-fileupload/1.3.1/commons-fileupload-1.3.1.jar
Dependency Hierarchy:
- esapi-2.1.0.1.jar (Root Library)
- ❌ commons-fileupload-1.3.1.jar (Vulnerable Library)
Found in HEAD commit: 5fcbcf42db4b6848b483f7c0d9a14f88a33779a8
Found in base branch: master
Reachability Analysis
This vulnerability is potentially used
org.t246osslab.easybuggy.core.servlets.AbstractServlet (Application)
-> org.owasp.esapi.ESAPI (Extension)
-> org.owasp.esapi.reference.DefaultHTTPUtilities (Extension)
-> org.apache.commons.fileupload.servlet.ServletFileUpload (Extension)
-> org.apache.commons.fileupload.FileUploadBase (Extension)
-> org.apache.commons.fileupload.FileUploadBase$FileItemIteratorImpl$FileItemStreamImpl (Extension)
-> ❌ org.apache.commons.fileupload.MultipartStream (Vulnerable Component)
Vulnerability Details
The MultipartStream class in Apache Commons Fileupload before 1.3.2, as used in Apache Tomcat 7.x before 7.0.70, 8.x before 8.0.36, 8.5.x before 8.5.3, and 9.x before 9.0.0.M7 and other products, allows remote attackers to cause a denial of service (CPU consumption) via a long boundary string.
Publish Date: 2016-07-04
URL: CVE-2016-3092
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3092
Release Date: 2016-07-04
Fix Resolution (commons-fileupload:commons-fileupload): 1.3.2
Direct dependency fix Resolution (org.owasp.esapi:esapi): 2.2.0.0
⛑️ Automatic Remediation is available for this issue
CVE-2012-0881
Vulnerable Library - xercesImpl-2.8.0.jar
Xerces2 is the next generation of high performance, fully compliant XML parsers in the
Apache Xerces family. This new version of Xerces introduces the Xerces Native Interface (XNI),
a complete framework for building parser components and configurations that is extremely
modular and easy to program.
Library home page: http://xerces.apache.org/xerces2-j
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/xerces/xercesImpl/2.8.0/xercesImpl-2.8.0.jar
Dependency Hierarchy:
- esapi-2.1.0.1.jar (Root Library)
- xom-1.2.5.jar
- ❌ xercesImpl-2.8.0.jar (Vulnerable Library)
Found in HEAD commit: 5fcbcf42db4b6848b483f7c0d9a14f88a33779a8
Found in base branch: master
Reachability Analysis
This vulnerability is potentially used
org.t246osslab.easybuggy.core.servlets.AbstractServlet (Application)
-> org.owasp.esapi.ESAPI (Extension)
-> org.owasp.esapi.reference.DefaultValidator (Extension)
-> org.apache.xerces.impl.xs.XSComplexTypeDecl (Extension)
...
-> org.apache.xerces.impl.xs.XSConstraints (Extension)
-> org.apache.xerces.impl.xs.SchemaGrammar$BuiltinSchemaGrammar (Extension)
-> ❌ org.apache.xerces.util.SymbolTable (Vulnerable Component)
Vulnerability Details
Apache Xerces2 Java Parser before 2.12.0 allows remote attackers to cause a denial of service (CPU consumption) via a crafted message to an XML service, which triggers hash table collisions.
Publish Date: 2017-10-30
URL: CVE-2012-0881
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0881
Release Date: 2017-10-30
Fix Resolution: 2.12.0
WS-2014-0034
Vulnerable Library - commons-fileupload-1.3.1.jar
The Apache Commons FileUpload component provides a simple yet flexible means of adding support for multipart
file upload functionality to servlets and web applications.
Library home page: http://commons.apache.org/proper/commons-fileupload/
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/commons-fileupload/commons-fileupload/1.3.1/commons-fileupload-1.3.1.jar
Dependency Hierarchy:
- esapi-2.1.0.1.jar (Root Library)
- ❌ commons-fileupload-1.3.1.jar (Vulnerable Library)
Found in HEAD commit: 5fcbcf42db4b6848b483f7c0d9a14f88a33779a8
Found in base branch: master
Reachability Analysis
This vulnerability is potentially used
org.t246osslab.easybuggy.core.servlets.AbstractServlet (Application)
-> org.owasp.esapi.ESAPI (Extension)
-> org.owasp.esapi.reference.DefaultHTTPUtilities (Extension)
-> org.apache.commons.fileupload.servlet.ServletFileUpload (Extension)
-> ❌ org.apache.commons.fileupload.FileUploadBase (Vulnerable Component)
Vulnerability Details
The class FileUploadBase in Apache Commons Fileupload before 1.4 has potential resource leak - InputStream not closed on exception.
Publish Date: 2014-02-17
URL: WS-2014-0034
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Release Date: 2014-02-17
Fix Resolution (commons-fileupload:commons-fileupload): 1.3.1-jenkins-1
Direct dependency fix Resolution (org.owasp.esapi:esapi): 2.2.0.0
⛑️ Automatic Remediation is available for this issue
CVE-2014-0107
Vulnerable Library - xalan-2.7.0.jar
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/xalan/xalan/2.7.0/xalan-2.7.0.jar
Dependency Hierarchy:
- esapi-2.1.0.1.jar (Root Library)
- xom-1.2.5.jar
- ❌ xalan-2.7.0.jar (Vulnerable Library)
Found in HEAD commit: 5fcbcf42db4b6848b483f7c0d9a14f88a33779a8
Found in base branch: master
Reachability Analysis
The vulnerable code is not reachable.
Vulnerability Details
The TransformerFactory in Apache Xalan-Java before 2.7.2 does not properly restrict access to certain properties when FEATURE_SECURE_PROCESSING is enabled, which allows remote attackers to bypass expected restrictions and load arbitrary classes or access external resources via a crafted (1) xalan:content-header, (2) xalan:entities, (3) xslt:content-header, or (4) xslt:entities property, or a Java property that is bound to the XSLT 1.0 system-property function.
Publish Date: 2014-04-15
URL: CVE-2014-0107
CVSS 3 Score Details (7.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: Low
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0107
Release Date: 2014-04-15
Fix Resolution (xalan:xalan): 2.7.2
Direct dependency fix Resolution (org.owasp.esapi:esapi): 2.5.0.0
⛑️ Automatic Remediation is available for this issue
CVE-2019-10086
Vulnerable Library - commons-beanutils-core-1.8.3.jar
The Apache Software Foundation provides support for the Apache community of open-source software projects.
The Apache projects are characterized by a collaborative, consensus based development process, an open and
pragmatic software license, and a desire to create high quality software that leads the way in its field.
We consider ourselves not simply a group of projects sharing a server, but rather a community of developers
and users.
Library home page: http://commons.apache.org/beanutils/
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/commons-beanutils/commons-beanutils-core/1.8.3/commons-beanutils-core-1.8.3.jar
Dependency Hierarchy:
- esapi-2.1.0.1.jar (Root Library)
- ❌ commons-beanutils-core-1.8.3.jar (Vulnerable Library)
Found in HEAD commit: 5fcbcf42db4b6848b483f7c0d9a14f88a33779a8
Found in base branch: master
Reachability Analysis
The vulnerable code is not reachable.
Vulnerability Details
In Apache Commons Beanutils 1.9.2, a special BeanIntrospector class was added which allows suppressing the ability for an attacker to access the classloader via the class property available on all Java objects. We, however were not using this by default characteristic of the PropertyUtilsBean.
Publish Date: 2019-08-20
URL: CVE-2019-10086
CVSS 3 Score Details (7.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: Low
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Release Date: 2019-08-20
Fix Resolution: commons-beanutils:commons-beanutils:1.9.4
CVE-2014-0114
Vulnerable Library - commons-beanutils-core-1.8.3.jar
The Apache Software Foundation provides support for the Apache community of open-source software projects.
The Apache projects are characterized by a collaborative, consensus based development process, an open and
pragmatic software license, and a desire to create high quality software that leads the way in its field.
We consider ourselves not simply a group of projects sharing a server, but rather a community of developers
and users.
Library home page: http://commons.apache.org/beanutils/
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/commons-beanutils/commons-beanutils-core/1.8.3/commons-beanutils-core-1.8.3.jar
Dependency Hierarchy:
- esapi-2.1.0.1.jar (Root Library)
- ❌ commons-beanutils-core-1.8.3.jar (Vulnerable Library)
Found in HEAD commit: 5fcbcf42db4b6848b483f7c0d9a14f88a33779a8
Found in base branch: master
Reachability Analysis
The vulnerable code is not reachable.
Vulnerability Details
Apache Commons BeanUtils, as distributed in lib/commons-beanutils-1.8.0.jar in Apache Struts 1.x through 1.3.10 and in other products requiring commons-beanutils through 1.9.2, does not suppress the class property, which allows remote attackers to "manipulate" the ClassLoader and execute arbitrary code via the class parameter, as demonstrated by the passing of this parameter to the getClass method of the ActionForm object in Struts 1.
Publish Date: 2014-04-30
URL: CVE-2014-0114
CVSS 3 Score Details (7.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: Low
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0114
Release Date: 2014-04-30
Fix Resolution: commons-beanutils:commons-beanutils:1.9.4;org.apache.struts:struts2-core:2.0.5
CVE-2016-10006
Vulnerable Library - antisamy-1.5.3.jar
The OWASP AntiSamy project is a collection of APIs for safely allowing users to supply their own HTML
and CSS without exposing the site to XSS vulnerabilities.
Library home page: http://www.owasp.org/index.php/Category:OWASP_AntiSamy_Project
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/owasp/antisamy/antisamy/1.5.3/antisamy-1.5.3.jar
Dependency Hierarchy:
- esapi-2.1.0.1.jar (Root Library)
- ❌ antisamy-1.5.3.jar (Vulnerable Library)
Found in HEAD commit: 5fcbcf42db4b6848b483f7c0d9a14f88a33779a8
Found in base branch: master
Reachability Analysis
This vulnerability is potentially used
org.t246osslab.easybuggy.core.servlets.AbstractServlet (Application)
-> org.owasp.esapi.ESAPI (Extension)
-> org.owasp.esapi.reference.DefaultValidator (Extension)
-> org.owasp.esapi.reference.validation.HTMLValidationRule (Extension)
-> org.owasp.validator.html.AntiSamy (Extension)
-> org.owasp.validator.html.scan.AntiSamySAXScanner (Extension)
-> ❌ org.owasp.validator.html.scan.MagicSAXFilter (Vulnerable Component)
Vulnerability Details
In OWASP AntiSamy before 1.5.5, by submitting a specially crafted input (a tag that supports style with active content), you could bypass the library protections and supply executable code. The impact is XSS.
Publish Date: 2016-12-24
URL: CVE-2016-10006
CVSS 3 Score Details (6.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10006
Release Date: 2016-12-24
Fix Resolution (org.owasp.antisamy:antisamy): 1.5.5
Direct dependency fix Resolution (org.owasp.esapi:esapi): 2.2.0.0
⛑️ Automatic Remediation is available for this issue
CVE-2017-14735
Vulnerable Library - antisamy-1.5.3.jar
The OWASP AntiSamy project is a collection of APIs for safely allowing users to supply their own HTML
and CSS without exposing the site to XSS vulnerabilities.
Library home page: http://www.owasp.org/index.php/Category:OWASP_AntiSamy_Project
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/owasp/antisamy/antisamy/1.5.3/antisamy-1.5.3.jar
Dependency Hierarchy:
- esapi-2.1.0.1.jar (Root Library)
- ❌ antisamy-1.5.3.jar (Vulnerable Library)
Found in HEAD commit: 5fcbcf42db4b6848b483f7c0d9a14f88a33779a8
Found in base branch: master
Reachability Analysis
This vulnerability is potentially used
org.t246osslab.easybuggy.core.servlets.AbstractServlet (Application)
-> org.owasp.esapi.ESAPI (Extension)
-> org.owasp.esapi.reference.DefaultValidator (Extension)
-> org.owasp.esapi.reference.validation.HTMLValidationRule (Extension)
-> ❌ org.owasp.validator.html.Policy (Vulnerable Component)
Vulnerability Details
OWASP AntiSamy before 1.5.7 allows XSS via HTML5 entities, as demonstrated by use of : to construct a javascript: URL.
Publish Date: 2017-09-25
URL: CVE-2017-14735
CVSS 3 Score Details (6.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14735
Release Date: 2017-09-25
Fix Resolution (org.owasp.antisamy:antisamy): 1.5.7
Direct dependency fix Resolution (org.owasp.esapi:esapi): 2.2.0.0
⛑️ Automatic Remediation is available for this issue
CVE-2013-4002
Vulnerable Library - xercesImpl-2.8.0.jar
Xerces2 is the next generation of high performance, fully compliant XML parsers in the
Apache Xerces family. This new version of Xerces introduces the Xerces Native Interface (XNI),
a complete framework for building parser components and configurations that is extremely
modular and easy to program.
Library home page: http://xerces.apache.org/xerces2-j
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/xerces/xercesImpl/2.8.0/xercesImpl-2.8.0.jar
Dependency Hierarchy:
- esapi-2.1.0.1.jar (Root Library)
- xom-1.2.5.jar
- ❌ xercesImpl-2.8.0.jar (Vulnerable Library)
Found in HEAD commit: 5fcbcf42db4b6848b483f7c0d9a14f88a33779a8
Found in base branch: master
Reachability Analysis
This vulnerability is potentially used
org.t246osslab.easybuggy.core.servlets.AbstractServlet (Application)
-> org.owasp.esapi.ESAPI (Extension)
-> org.owasp.esapi.reference.DefaultValidator (Extension)
-> org.owasp.validator.html.scan.AntiSamyDOMScanner (Extension)
...
-> org.apache.xerces.dom.DOMNormalizer (Extension)
-> org.apache.xerces.impl.dtd.XMLDTDLoader (Extension)
-> ❌ org.apache.xerces.impl.XMLScanner (Vulnerable Component)
Vulnerability Details
XMLscanner.java in Apache Xerces2 Java Parser before 2.12.0, as used in the Java Runtime Environment (JRE) in IBM Java 5.0 before 5.0 SR16-FP3, 6 before 6 SR14, 6.0.1 before 6.0.1 SR6, and 7 before 7 SR5 as well as Oracle Java SE 7u40 and earlier, Java SE 6u60 and earlier, Java SE 5.0u51 and earlier, JRockit R28.2.8 and earlier, JRockit R27.7.6 and earlier, Java SE Embedded 7u40 and earlier, and possibly other products allows remote attackers to cause a denial of service via vectors related to XML attribute names.
Publish Date: 2013-07-23
URL: CVE-2013-4002
CVSS 3 Score Details (5.9)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4002
Release Date: 2013-07-23
Fix Resolution: xerces:xercesImpl:Xerces-J_2_12_0
CVE-2009-2625
Vulnerable Library - xercesImpl-2.8.0.jar
Xerces2 is the next generation of high performance, fully compliant XML parsers in the
Apache Xerces family. This new version of Xerces introduces the Xerces Native Interface (XNI),
a complete framework for building parser components and configurations that is extremely
modular and easy to program.
Library home page: http://xerces.apache.org/xerces2-j
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/xerces/xercesImpl/2.8.0/xercesImpl-2.8.0.jar
Dependency Hierarchy:
- esapi-2.1.0.1.jar (Root Library)
- xom-1.2.5.jar
- ❌ xercesImpl-2.8.0.jar (Vulnerable Library)
Found in HEAD commit: 5fcbcf42db4b6848b483f7c0d9a14f88a33779a8
Found in base branch: master
Reachability Analysis
This vulnerability is potentially used
org.t246osslab.easybuggy.core.servlets.AbstractServlet (Application)
-> org.owasp.esapi.ESAPI (Extension)
-> org.owasp.esapi.reference.DefaultValidator (Extension)
-> org.owasp.validator.html.scan.AntiSamyDOMScanner (Extension)
...
-> org.apache.xerces.dom.DOMNormalizer (Extension)
-> org.apache.xerces.impl.dtd.XMLDTDLoader (Extension)
-> ❌ org.apache.xerces.impl.XMLScanner (Vulnerable Component)
Vulnerability Details
XMLScanner.java in Apache Xerces2 Java, as used in Sun Java Runtime Environment (JRE) in JDK and JRE 6 before Update 15 and JDK and JRE 5.0 before Update 20, and in other products, allows remote attackers to cause a denial of service (infinite loop and application hang) via malformed XML input, as demonstrated by the Codenomicon XML fuzzing framework.
Publish Date: 2009-08-06
URL: CVE-2009-2625
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: Low
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2009-2625
Release Date: 2009-08-06
Fix Resolution: apache-xerces:xercesImpl - 2.9.1;xerces:xercesImpl - 2.9.1-NODEP,2.3.0,2.9.0;org.apache.servicemix.bundles:org.apache.servicemix.bundles.xerces - 2.10.0_1
CVE-2012-5783
Vulnerable Library - commons-httpclient-3.1.jar
The HttpClient component supports the client-side of RFC 1945 (HTTP/1.0) and RFC 2616 (HTTP/1.1) , several related specifications (RFC 2109 (Cookies) , RFC 2617 (HTTP Authentication) , etc.), and provides a framework by which new request types (methods) or HTTP extensions can be created easily.
Library home page: http://jakarta.apache.org/httpcomponents/httpclient-3.x/
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/commons-httpclient/commons-httpclient/3.1/commons-httpclient-3.1.jar
Dependency Hierarchy:
- esapi-2.1.0.1.jar (Root Library)
- antisamy-1.5.3.jar
- ❌ commons-httpclient-3.1.jar (Vulnerable Library)
Found in HEAD commit: 5fcbcf42db4b6848b483f7c0d9a14f88a33779a8
Found in base branch: master
Reachability Analysis
This vulnerability is potentially used
org.t246osslab.easybuggy.core.servlets.AbstractServlet (Application)
-> org.owasp.esapi.ESAPI (Extension)
-> org.owasp.esapi.reference.DefaultValidator (Extension)
-> org.owasp.validator.css.ExternalCssScanner (Extension)
...
-> org.apache.commons.httpclient.SimpleHttpConnectionManager (Extension)
-> org.apache.commons.httpclient.protocol.Protocol (Extension)
-> ❌ org.apache.commons.httpclient.protocol.SSLProtocolSocketFactory (Vulnerable Component)
Vulnerability Details
Apache Commons HttpClient 3.x, as used in Amazon Flexible Payments Service (FPS) merchant Java SDK and other products, does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.
Publish Date: 2012-11-04
URL: CVE-2012-5783
CVSS 3 Score Details (4.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2012-5783
Release Date: 2012-11-04
Fix Resolution (commons-httpclient:commons-httpclient): 3.1-HTTPCLIENT-1265
Direct dependency fix Resolution (org.owasp.esapi:esapi): 2.2.0.0
⛑️ Automatic Remediation is available for this issue
CVE-2021-29425
Vulnerable Library - commons-io-2.2.jar
The Commons IO library contains utility classes, stream implementations, file filters,
file comparators, endian transformation classes, and much more.
Library home page: http://commons.apache.org/io/
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/commons-io/commons-io/2.2/commons-io-2.2.jar
Dependency Hierarchy:
- esapi-2.1.0.1.jar (Root Library)
- commons-fileupload-1.3.1.jar
- ❌ commons-io-2.2.jar (Vulnerable Library)
Found in HEAD commit: 5fcbcf42db4b6848b483f7c0d9a14f88a33779a8
Found in base branch: master
Reachability Analysis
This vulnerability is potentially used
org.t246osslab.easybuggy.vulnerabilities.UnrestrictedSizeUploadServlet (Application)
-> ❌ org.apache.commons.io.FilenameUtils (Vulnerable Component)
Vulnerability Details
In Apache Commons IO before 2.7, When invoking the method FileNameUtils.normalize with an improper input string, like "//../foo", or "\..\foo", the result would be the same value, thus possibly providing access to files in the parent directory, but not further above (thus "limited" path traversal), if the calling code would use the result to construct a path value.
Publish Date: 2021-04-13
URL: CVE-2021-29425
CVSS 3 Score Details (4.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29425
Release Date: 2021-04-13
Fix Resolution: commons-io:commons-io:2.7
⛑️ Automatic Remediation is available for this issue.
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/owasp/antisamy/antisamy/1.5.3/antisamy-1.5.3.jar
Found in HEAD commit: 5fcbcf42db4b6848b483f7c0d9a14f88a33779a8
Vulnerabilities
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
Details
Vulnerable Library - commons-fileupload-1.3.1.jar
The Apache Commons FileUpload component provides a simple yet flexible means of adding support for multipart file upload functionality to servlets and web applications.
Library home page: http://commons.apache.org/proper/commons-fileupload/
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/commons-fileupload/commons-fileupload/1.3.1/commons-fileupload-1.3.1.jar
Dependency Hierarchy:
Found in HEAD commit: 5fcbcf42db4b6848b483f7c0d9a14f88a33779a8
Found in base branch: master
Reachability Analysis
This vulnerability is potentially used
Vulnerability Details
Apache Commons FileUpload before 1.3.3 DiskFileItem File Manipulation Remote Code Execution
Publish Date: 2016-10-25
URL: CVE-2016-1000031
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1000031
Release Date: 2016-10-25
Fix Resolution (commons-fileupload:commons-fileupload): 1.3.3
Direct dependency fix Resolution (org.owasp.esapi:esapi): 2.2.0.0
⛑️ Automatic Remediation is available for this issue
Vulnerable Library - bsh-core-2.0b4.jar
BeanShell core
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/beanshell/bsh-core/2.0b4/bsh-core-2.0b4.jar
Dependency Hierarchy:
Found in HEAD commit: 5fcbcf42db4b6848b483f7c0d9a14f88a33779a8
Found in base branch: master
Reachability Analysis
The vulnerable code is not reachable.
Vulnerability Details
BeanShell (bsh) before 2.0b6, when included on the classpath by an application that uses Java serialization or XStream, allows remote attackers to execute arbitrary code via crafted serialized data, related to XThis.Handler.
Publish Date: 2016-04-07
URL: CVE-2016-2510
CVSS 3 Score Details (8.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2016-2510
Release Date: 2016-04-07
Fix Resolution: 2.0b6
Vulnerable Library - commons-fileupload-1.3.1.jar
The Apache Commons FileUpload component provides a simple yet flexible means of adding support for multipart file upload functionality to servlets and web applications.
Library home page: http://commons.apache.org/proper/commons-fileupload/
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/commons-fileupload/commons-fileupload/1.3.1/commons-fileupload-1.3.1.jar
Dependency Hierarchy:
Found in HEAD commit: 5fcbcf42db4b6848b483f7c0d9a14f88a33779a8
Found in base branch: master
Reachability Analysis
This vulnerability is potentially used
Vulnerability Details
The MultipartStream class in Apache Commons Fileupload before 1.3.2, as used in Apache Tomcat 7.x before 7.0.70, 8.x before 8.0.36, 8.5.x before 8.5.3, and 9.x before 9.0.0.M7 and other products, allows remote attackers to cause a denial of service (CPU consumption) via a long boundary string.
Publish Date: 2016-07-04
URL: CVE-2016-3092
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3092
Release Date: 2016-07-04
Fix Resolution (commons-fileupload:commons-fileupload): 1.3.2
Direct dependency fix Resolution (org.owasp.esapi:esapi): 2.2.0.0
⛑️ Automatic Remediation is available for this issue
Vulnerable Library - xercesImpl-2.8.0.jar
Xerces2 is the next generation of high performance, fully compliant XML parsers in the Apache Xerces family. This new version of Xerces introduces the Xerces Native Interface (XNI), a complete framework for building parser components and configurations that is extremely modular and easy to program.
Library home page: http://xerces.apache.org/xerces2-j
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/xerces/xercesImpl/2.8.0/xercesImpl-2.8.0.jar
Dependency Hierarchy:
Found in HEAD commit: 5fcbcf42db4b6848b483f7c0d9a14f88a33779a8
Found in base branch: master
Reachability Analysis
This vulnerability is potentially used
Vulnerability Details
Apache Xerces2 Java Parser before 2.12.0 allows remote attackers to cause a denial of service (CPU consumption) via a crafted message to an XML service, which triggers hash table collisions.
Publish Date: 2017-10-30
URL: CVE-2012-0881
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0881
Release Date: 2017-10-30
Fix Resolution: 2.12.0
Vulnerable Library - commons-fileupload-1.3.1.jar
The Apache Commons FileUpload component provides a simple yet flexible means of adding support for multipart file upload functionality to servlets and web applications.
Library home page: http://commons.apache.org/proper/commons-fileupload/
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/commons-fileupload/commons-fileupload/1.3.1/commons-fileupload-1.3.1.jar
Dependency Hierarchy:
Found in HEAD commit: 5fcbcf42db4b6848b483f7c0d9a14f88a33779a8
Found in base branch: master
Reachability Analysis
This vulnerability is potentially used
Vulnerability Details
The class FileUploadBase in Apache Commons Fileupload before 1.4 has potential resource leak - InputStream not closed on exception.
Publish Date: 2014-02-17
URL: WS-2014-0034
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Release Date: 2014-02-17
Fix Resolution (commons-fileupload:commons-fileupload): 1.3.1-jenkins-1
Direct dependency fix Resolution (org.owasp.esapi:esapi): 2.2.0.0
⛑️ Automatic Remediation is available for this issue
Vulnerable Library - xalan-2.7.0.jar
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/xalan/xalan/2.7.0/xalan-2.7.0.jar
Dependency Hierarchy:
Found in HEAD commit: 5fcbcf42db4b6848b483f7c0d9a14f88a33779a8
Found in base branch: master
Reachability Analysis
The vulnerable code is not reachable.
Vulnerability Details
The TransformerFactory in Apache Xalan-Java before 2.7.2 does not properly restrict access to certain properties when FEATURE_SECURE_PROCESSING is enabled, which allows remote attackers to bypass expected restrictions and load arbitrary classes or access external resources via a crafted (1) xalan:content-header, (2) xalan:entities, (3) xslt:content-header, or (4) xslt:entities property, or a Java property that is bound to the XSLT 1.0 system-property function.
Publish Date: 2014-04-15
URL: CVE-2014-0107
CVSS 3 Score Details (7.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: Low
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0107
Release Date: 2014-04-15
Fix Resolution (xalan:xalan): 2.7.2
Direct dependency fix Resolution (org.owasp.esapi:esapi): 2.5.0.0
⛑️ Automatic Remediation is available for this issue
Vulnerable Library - commons-beanutils-core-1.8.3.jar
The Apache Software Foundation provides support for the Apache community of open-source software projects. The Apache projects are characterized by a collaborative, consensus based development process, an open and pragmatic software license, and a desire to create high quality software that leads the way in its field. We consider ourselves not simply a group of projects sharing a server, but rather a community of developers and users.
Library home page: http://commons.apache.org/beanutils/
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/commons-beanutils/commons-beanutils-core/1.8.3/commons-beanutils-core-1.8.3.jar
Dependency Hierarchy:
Found in HEAD commit: 5fcbcf42db4b6848b483f7c0d9a14f88a33779a8
Found in base branch: master
Reachability Analysis
The vulnerable code is not reachable.
Vulnerability Details
In Apache Commons Beanutils 1.9.2, a special BeanIntrospector class was added which allows suppressing the ability for an attacker to access the classloader via the class property available on all Java objects. We, however were not using this by default characteristic of the PropertyUtilsBean.
Publish Date: 2019-08-20
URL: CVE-2019-10086
CVSS 3 Score Details (7.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: Low
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Release Date: 2019-08-20
Fix Resolution: commons-beanutils:commons-beanutils:1.9.4
Vulnerable Library - commons-beanutils-core-1.8.3.jar
The Apache Software Foundation provides support for the Apache community of open-source software projects. The Apache projects are characterized by a collaborative, consensus based development process, an open and pragmatic software license, and a desire to create high quality software that leads the way in its field. We consider ourselves not simply a group of projects sharing a server, but rather a community of developers and users.
Library home page: http://commons.apache.org/beanutils/
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/commons-beanutils/commons-beanutils-core/1.8.3/commons-beanutils-core-1.8.3.jar
Dependency Hierarchy:
Found in HEAD commit: 5fcbcf42db4b6848b483f7c0d9a14f88a33779a8
Found in base branch: master
Reachability Analysis
The vulnerable code is not reachable.
Vulnerability Details
Apache Commons BeanUtils, as distributed in lib/commons-beanutils-1.8.0.jar in Apache Struts 1.x through 1.3.10 and in other products requiring commons-beanutils through 1.9.2, does not suppress the class property, which allows remote attackers to "manipulate" the ClassLoader and execute arbitrary code via the class parameter, as demonstrated by the passing of this parameter to the getClass method of the ActionForm object in Struts 1.
Publish Date: 2014-04-30
URL: CVE-2014-0114
CVSS 3 Score Details (7.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: Low
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0114
Release Date: 2014-04-30
Fix Resolution: commons-beanutils:commons-beanutils:1.9.4;org.apache.struts:struts2-core:2.0.5
Vulnerable Library - antisamy-1.5.3.jar
The OWASP AntiSamy project is a collection of APIs for safely allowing users to supply their own HTML and CSS without exposing the site to XSS vulnerabilities.
Library home page: http://www.owasp.org/index.php/Category:OWASP_AntiSamy_Project
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/owasp/antisamy/antisamy/1.5.3/antisamy-1.5.3.jar
Dependency Hierarchy:
Found in HEAD commit: 5fcbcf42db4b6848b483f7c0d9a14f88a33779a8
Found in base branch: master
Reachability Analysis
This vulnerability is potentially used
Vulnerability Details
In OWASP AntiSamy before 1.5.5, by submitting a specially crafted input (a tag that supports style with active content), you could bypass the library protections and supply executable code. The impact is XSS.
Publish Date: 2016-12-24
URL: CVE-2016-10006
CVSS 3 Score Details (6.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10006
Release Date: 2016-12-24
Fix Resolution (org.owasp.antisamy:antisamy): 1.5.5
Direct dependency fix Resolution (org.owasp.esapi:esapi): 2.2.0.0
⛑️ Automatic Remediation is available for this issue
Vulnerable Library - antisamy-1.5.3.jar
The OWASP AntiSamy project is a collection of APIs for safely allowing users to supply their own HTML and CSS without exposing the site to XSS vulnerabilities.
Library home page: http://www.owasp.org/index.php/Category:OWASP_AntiSamy_Project
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/owasp/antisamy/antisamy/1.5.3/antisamy-1.5.3.jar
Dependency Hierarchy:
Found in HEAD commit: 5fcbcf42db4b6848b483f7c0d9a14f88a33779a8
Found in base branch: master
Reachability Analysis
This vulnerability is potentially used
Vulnerability Details
OWASP AntiSamy before 1.5.7 allows XSS via HTML5 entities, as demonstrated by use of : to construct a javascript: URL.
Publish Date: 2017-09-25
URL: CVE-2017-14735
CVSS 3 Score Details (6.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14735
Release Date: 2017-09-25
Fix Resolution (org.owasp.antisamy:antisamy): 1.5.7
Direct dependency fix Resolution (org.owasp.esapi:esapi): 2.2.0.0
⛑️ Automatic Remediation is available for this issue
Vulnerable Library - xercesImpl-2.8.0.jar
Xerces2 is the next generation of high performance, fully compliant XML parsers in the Apache Xerces family. This new version of Xerces introduces the Xerces Native Interface (XNI), a complete framework for building parser components and configurations that is extremely modular and easy to program.
Library home page: http://xerces.apache.org/xerces2-j
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/xerces/xercesImpl/2.8.0/xercesImpl-2.8.0.jar
Dependency Hierarchy:
Found in HEAD commit: 5fcbcf42db4b6848b483f7c0d9a14f88a33779a8
Found in base branch: master
Reachability Analysis
This vulnerability is potentially used
Vulnerability Details
XMLscanner.java in Apache Xerces2 Java Parser before 2.12.0, as used in the Java Runtime Environment (JRE) in IBM Java 5.0 before 5.0 SR16-FP3, 6 before 6 SR14, 6.0.1 before 6.0.1 SR6, and 7 before 7 SR5 as well as Oracle Java SE 7u40 and earlier, Java SE 6u60 and earlier, Java SE 5.0u51 and earlier, JRockit R28.2.8 and earlier, JRockit R27.7.6 and earlier, Java SE Embedded 7u40 and earlier, and possibly other products allows remote attackers to cause a denial of service via vectors related to XML attribute names.
Publish Date: 2013-07-23
URL: CVE-2013-4002
CVSS 3 Score Details (5.9)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4002
Release Date: 2013-07-23
Fix Resolution: xerces:xercesImpl:Xerces-J_2_12_0
Vulnerable Library - xercesImpl-2.8.0.jar
Xerces2 is the next generation of high performance, fully compliant XML parsers in the Apache Xerces family. This new version of Xerces introduces the Xerces Native Interface (XNI), a complete framework for building parser components and configurations that is extremely modular and easy to program.
Library home page: http://xerces.apache.org/xerces2-j
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/xerces/xercesImpl/2.8.0/xercesImpl-2.8.0.jar
Dependency Hierarchy:
Found in HEAD commit: 5fcbcf42db4b6848b483f7c0d9a14f88a33779a8
Found in base branch: master
Reachability Analysis
This vulnerability is potentially used
Vulnerability Details
XMLScanner.java in Apache Xerces2 Java, as used in Sun Java Runtime Environment (JRE) in JDK and JRE 6 before Update 15 and JDK and JRE 5.0 before Update 20, and in other products, allows remote attackers to cause a denial of service (infinite loop and application hang) via malformed XML input, as demonstrated by the Codenomicon XML fuzzing framework.
Publish Date: 2009-08-06
URL: CVE-2009-2625
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: Low
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2009-2625
Release Date: 2009-08-06
Fix Resolution: apache-xerces:xercesImpl - 2.9.1;xerces:xercesImpl - 2.9.1-NODEP,2.3.0,2.9.0;org.apache.servicemix.bundles:org.apache.servicemix.bundles.xerces - 2.10.0_1
Vulnerable Library - commons-httpclient-3.1.jar
The HttpClient component supports the client-side of RFC 1945 (HTTP/1.0) and RFC 2616 (HTTP/1.1) , several related specifications (RFC 2109 (Cookies) , RFC 2617 (HTTP Authentication) , etc.), and provides a framework by which new request types (methods) or HTTP extensions can be created easily.
Library home page: http://jakarta.apache.org/httpcomponents/httpclient-3.x/
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/commons-httpclient/commons-httpclient/3.1/commons-httpclient-3.1.jar
Dependency Hierarchy:
Found in HEAD commit: 5fcbcf42db4b6848b483f7c0d9a14f88a33779a8
Found in base branch: master
Reachability Analysis
This vulnerability is potentially used
Vulnerability Details
Apache Commons HttpClient 3.x, as used in Amazon Flexible Payments Service (FPS) merchant Java SDK and other products, does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.
Publish Date: 2012-11-04
URL: CVE-2012-5783
CVSS 3 Score Details (4.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2012-5783
Release Date: 2012-11-04
Fix Resolution (commons-httpclient:commons-httpclient): 3.1-HTTPCLIENT-1265
Direct dependency fix Resolution (org.owasp.esapi:esapi): 2.2.0.0
⛑️ Automatic Remediation is available for this issue
Vulnerable Library - commons-io-2.2.jar
The Commons IO library contains utility classes, stream implementations, file filters, file comparators, endian transformation classes, and much more.
Library home page: http://commons.apache.org/io/
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/commons-io/commons-io/2.2/commons-io-2.2.jar
Dependency Hierarchy:
Found in HEAD commit: 5fcbcf42db4b6848b483f7c0d9a14f88a33779a8
Found in base branch: master
Reachability Analysis
This vulnerability is potentially used
Vulnerability Details
In Apache Commons IO before 2.7, When invoking the method FileNameUtils.normalize with an improper input string, like "//../foo", or "\..\foo", the result would be the same value, thus possibly providing access to files in the parent directory, but not further above (thus "limited" path traversal), if the calling code would use the result to construct a path value.
Publish Date: 2021-04-13
URL: CVE-2021-29425
CVSS 3 Score Details (4.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29425
Release Date: 2021-04-13
Fix Resolution: commons-io:commons-io:2.7
⛑️ Automatic Remediation is available for this issue.