This project forked from usdot-jpo-ode/jpo-ode
US Department of Transportation (USDOT) Intelligent Transportation Systems Operational Data Environment (ITS ODE). This is the main repository that integrates and coordinates ODE Submodules.
![mend-for-github-com[bot] avatar](https://avatars.githubusercontent.com/in/30796?v=4 "mend-for-github-com[bot]")
Vulnerable Library - jquery-2.1.1.jarWebJar for jQuery
Library home page: http://webjars.org
Path to dependency file: /jpo-ode-core/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/webjars/jquery/2.1.1/jquery-2.1.1.jar,/m2/repository/org/webjars/jquery/2.1.1/jquery-2.1.1.jar,/home/wss-scanner/.m2/repository/org/webjars/jquery/2.1.1/jquery-2.1.1.jar,/home/wss-scanner/.m2/repository/org/webjars/jquery/2.1.1/jquery-2.1.1.jar
Dependency Hierarchy:
Found in HEAD commit: b1b93d98c7ec02a197c74276c4808779b43a5745
Found in base branch: dev
Vulnerability Details
In jQuery versions greater than or equal to 1.2 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.
Publish Date: 2020-04-29
URL: CVE-2020-11022
CVSS 3 Score Details (6.1)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11022
Release Date: 2020-04-29
Fix Resolution: 3.5.0
⛑️ Automatic Remediation will be attempted for this issue.
Vulnerable Library - log4j-1.2.17.jarApache Log4j 1.2
Path to dependency file: /jpo-ode-svcs/pom.xml
Path to vulnerable library: /m2/repository/log4j/log4j/1.2.17/log4j-1.2.17.jar,/m2/repository/log4j/log4j/1.2.17/log4j-1.2.17.jar,/m2/repository/log4j/log4j/1.2.17/log4j-1.2.17.jar,/m2/repository/log4j/log4j/1.2.17/log4j-1.2.17.jar
Dependency Hierarchy:
Found in HEAD commit: b1b93d98c7ec02a197c74276c4808779b43a5745
Found in base branch: dev
Vulnerability Details
Included in Log4j 1.2 is a SocketServer class that is vulnerable to deserialization of untrusted data which can be exploited to remotely execute arbitrary code when combined with a deserialization gadget when listening to untrusted network traffic for log data. This affects Log4j versions up to 1.2 up to 1.2.17.
Publish Date: 2019-12-20
URL: CVE-2019-17571
CVSS 3 Score Details (9.8)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Release Date: 2019-12-20
Fix Resolution: log4j-manual - 1.2.17-16;log4j-javadoc - 1.2.17-16;log4j - 1.2.17-16,1.2.17-16
⛑️ Automatic Remediation will be attempted for this issue.
Vulnerable Library - spring-context-5.3.7.jarSpring Context
Library home page: https://github.com/spring-projects/spring-framework
Path to dependency file: /jpo-ode-core/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-context/5.3.7/spring-context-5.3.7.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-context/5.3.7/spring-context-5.3.7.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-context/5.3.7/spring-context-5.3.7.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-context/5.3.7/spring-context-5.3.7.jar
Dependency Hierarchy:
Found in base branch: dev
Vulnerability Details
In Spring Framework versions 5.3.0 - 5.3.18, 5.2.0 - 5.2.20, and older unsupported versions, the patterns for disallowedFields on a DataBinder are case sensitive which means a field is not effectively protected unless it is listed with both upper and lower case for the first character of the field, including upper and lower case for the first character of all nested fields within the property path.
Publish Date: 2022-04-14
URL: CVE-2022-22968
CVSS 3 Score Details (5.3)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://tanzu.vmware.com/security/cve-2022-22968
Release Date: 2022-04-14
Fix Resolution (org.springframework:spring-context): 5.3.19
Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter): 2.5.13
⛑️ Automatic Remediation will be attempted for this issue.
Vulnerable Library - jquery-2.1.1.jarWebJar for jQuery
Library home page: http://webjars.org
Path to dependency file: /jpo-ode-core/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/webjars/jquery/2.1.1/jquery-2.1.1.jar,/m2/repository/org/webjars/jquery/2.1.1/jquery-2.1.1.jar,/home/wss-scanner/.m2/repository/org/webjars/jquery/2.1.1/jquery-2.1.1.jar,/home/wss-scanner/.m2/repository/org/webjars/jquery/2.1.1/jquery-2.1.1.jar
Dependency Hierarchy:
Found in HEAD commit: b1b93d98c7ec02a197c74276c4808779b43a5745
Found in base branch: dev
Vulnerability Details
jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed.
Publish Date: 2018-01-18
URL: CVE-2015-9251
CVSS 3 Score Details (5.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2015-9251
Release Date: 2018-01-18
Fix Resolution: 3.0.0-alpha1
⛑️ Automatic Remediation will be attempted for this issue.
Library - javax.websocket-client-api-1.1.jarJSR 356: Java API for WebSocket
Library home page: http://websocket-spec.java.net
Path to dependency file: /jpo-ode-plugins/pom.xml
Path to library: /home/wss-scanner/.m2/repository/javax/websocket/javax.websocket-client-api/1.1/javax.websocket-client-api-1.1.jar,/m2/repository/javax/websocket/javax.websocket-client-api/1.1/javax.websocket-client-api-1.1.jar,/home/wss-scanner/.m2/repository/javax/websocket/javax.websocket-client-api/1.1/javax.websocket-client-api-1.1.jar,/home/wss-scanner/.m2/repository/javax/websocket/javax.websocket-client-api/1.1/javax.websocket-client-api-1.1.jar
Dependency Hierarchy:
Found in HEAD commit: b1b93d98c7ec02a197c74276c4808779b43a5745
Found in base branch: dev
CDDL 1.1
License Reference File: https://glassfish.java.net/public/CDDL+GPL_1_1.html
GPL 2.0 Classpath
License Reference File: https://glassfish.java.net/public/CDDL+GPL_1_1.html
⛔ License Policy Violation - No GPL
Library - javax.activation-api-1.2.0.jarJavaBeans Activation Framework API jar
Library home page: http://java.net/all/javax.activation-api/
Path to dependency file: /jpo-ode-plugins/pom.xml
Path to library: /home/wss-scanner/.m2/repository/javax/activation/javax.activation-api/1.2.0/javax.activation-api-1.2.0.jar,/home/wss-scanner/.m2/repository/javax/activation/javax.activation-api/1.2.0/javax.activation-api-1.2.0.jar,/home/wss-scanner/.m2/repository/javax/activation/javax.activation-api/1.2.0/javax.activation-api-1.2.0.jar,/home/wss-scanner/.m2/repository/javax/activation/javax.activation-api/1.2.0/javax.activation-api-1.2.0.jar
Dependency Hierarchy:
Found in HEAD commit: b1b93d98c7ec02a197c74276c4808779b43a5745
Found in base branch: dev
CDDL 1.1
License Reference File: https://repo.maven.apache.org/maven2/javax/activation/javax.activation-api/1.2.0/javax.activation-api-1.2.0.pom
GPL 2.0 Classpath
License Reference File: https://index.whitesourcesoftware.com/gri/app/reader/resource/content/asString/e96c8fbd-cb83-4584-9141-6ce6630e023b
⛔ License Policy Violation - No GPL
Vulnerable Library - netty-3.7.0.Final.jarThe Netty project is an effort to provide an asynchronous event-driven network application framework and tools for rapid development of maintainable high performance and high scalability protocol servers and clients. In other words, Netty is a NIO client server framework which enables quick and easy development of network applications such as protocol servers and clients. It greatly simplifies and streamlines network programming such as TCP and UDP socket server.
Library home page: http://netty.io/
Path to dependency file: /jpo-ode-core/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/io/netty/netty/3.7.0.Final/netty-3.7.0.Final.jar,/home/wss-scanner/.m2/repository/io/netty/netty/3.7.0.Final/netty-3.7.0.Final.jar
Dependency Hierarchy:
Found in HEAD commit: b1b93d98c7ec02a197c74276c4808779b43a5745
Found in base branch: dev
Vulnerability Details
The SslHandler in Netty before 3.9.2 allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via a crafted SSLv2Hello message.
Publish Date: 2014-07-31
URL: CVE-2014-3488
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3488
Release Date: 2014-07-31
Fix Resolution: 3.9.2.Final
Vulnerable Library - netty-3.7.0.Final.jarThe Netty project is an effort to provide an asynchronous event-driven network application framework and tools for rapid development of maintainable high performance and high scalability protocol servers and clients. In other words, Netty is a NIO client server framework which enables quick and easy development of network applications such as protocol servers and clients. It greatly simplifies and streamlines network programming such as TCP and UDP socket server.
Library home page: http://netty.io/
Path to dependency file: /jpo-ode-core/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/io/netty/netty/3.7.0.Final/netty-3.7.0.Final.jar,/home/wss-scanner/.m2/repository/io/netty/netty/3.7.0.Final/netty-3.7.0.Final.jar
Dependency Hierarchy:
Found in HEAD commit: b1b93d98c7ec02a197c74276c4808779b43a5745
Found in base branch: dev
Vulnerability Details
Netty before 3.9.8.Final, 3.10.x before 3.10.3.Final, 4.0.x before 4.0.28.Final, and 4.1.x before 4.1.0.Beta5 and Play Framework 2.x before 2.3.9 might allow remote attackers to bypass the httpOnly flag on cookies and obtain sensitive information by leveraging improper validation of cookie name and value characters.
Publish Date: 2017-10-18
URL: CVE-2015-2156
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2156
Release Date: 2017-10-18
Fix Resolution: io.netty:netty:3.9.8.Final,io.netty:netty:3.10.3.Final,io.netty:netty-all:4.0.28.Final,io.netty:netty-codec-http:4.0.28.Final,io.netty:netty-codec-http:4.1.0.Beta5
Vulnerable Library - log4j-1.2.17.jarApache Log4j 1.2
Path to dependency file: /jpo-ode-svcs/pom.xml
Path to vulnerable library: /m2/repository/log4j/log4j/1.2.17/log4j-1.2.17.jar,/m2/repository/log4j/log4j/1.2.17/log4j-1.2.17.jar,/m2/repository/log4j/log4j/1.2.17/log4j-1.2.17.jar,/m2/repository/log4j/log4j/1.2.17/log4j-1.2.17.jar
Dependency Hierarchy:
Found in base branch: dev
Vulnerability Details
JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration. The attacker can provide TopicBindingName and TopicConnectionFactoryBindingName configurations causing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228. Note this issue only affects Log4j 1.2 when specifically configured to use JMSAppender, which is not the default. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.
Publish Date: 2021-12-14
URL: CVE-2021-4104
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2021-4104
Release Date: 2021-12-14
Fix Resolution: uom-parent - 1.0.3-3.module,1.0.3-3.module;uom-se-javadoc - 1.0.4-3.module;parfait-examples - 0.5.4-4.module;log4j-manual - 1.2.17-16;si-units-javadoc - 0.6.5-2.module;unit-api - 1.0-5.module,1.0-5.module;unit-api-javadoc - 1.0-5.module;parfait - 0.5.4-4.module,0.5.4-4.module;log4j-javadoc - 1.2.17-16;uom-systems-javadoc - 0.7-1.module;uom-lib-javadoc - 1.0.1-6.module;uom-systems - 0.7-1.module,0.7-1.module;log4j - 1.2.17-16,1.2.17-16;uom-se - 1.0.4-3.module,1.0.4-3.module;uom-lib - 1.0.1-6.module,1.0.1-6.module;parfait-javadoc - 0.5.4-4.module;pcp-parfait-agent - 0.5.4-4.module;si-units - 0.6.5-2.module,0.6.5-2.module
⛑️ Automatic Remediation will be attempted for this issue.
Vulnerable Library - kafka_2.11-0.10.1.0.jarPath to dependency file: /jpo-ode-core/pom.xml
Path to vulnerable library: /m2/repository/org/apache/kafka/kafka_2.11/0.10.1.0/kafka_2.11-0.10.1.0.jar,/home/wss-scanner/.m2/repository/org/apache/kafka/kafka_2.11/0.10.1.0/kafka_2.11-0.10.1.0.jar
Dependency Hierarchy:
Found in HEAD commit: b1b93d98c7ec02a197c74276c4808779b43a5745
Found in base branch: dev
Vulnerability Details
In Apache Kafka 0.9.0.0 to 0.9.0.1, 0.10.0.0 to 0.10.2.1, 0.11.0.0 to 0.11.0.2, and 1.0.0, authenticated Kafka users may perform action reserved for the Broker via a manually created fetch request interfering with data replication, resulting in data loss.
Publish Date: 2018-07-26
URL: CVE-2018-1288
CVSS 3 Score Details (5.4)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1288
Release Date: 2018-07-26
Fix Resolution: 0.10.2.2
⛑️ Automatic Remediation will be attempted for this issue.
Vulnerable Library - jquery-2.1.1.jarWebJar for jQuery
Library home page: http://webjars.org
Path to dependency file: /jpo-ode-core/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/webjars/jquery/2.1.1/jquery-2.1.1.jar,/m2/repository/org/webjars/jquery/2.1.1/jquery-2.1.1.jar,/home/wss-scanner/.m2/repository/org/webjars/jquery/2.1.1/jquery-2.1.1.jar,/home/wss-scanner/.m2/repository/org/webjars/jquery/2.1.1/jquery-2.1.1.jar
Dependency Hierarchy:
Found in HEAD commit: b1b93d98c7ec02a197c74276c4808779b43a5745
Found in base branch: dev
Vulnerability Details
In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing elements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.
Publish Date: 2020-04-29
URL: CVE-2020-11023
CVSS 3 Score Details (6.1)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Release Date: 2020-04-29
Fix Resolution: 3.5.0
⛑️ Automatic Remediation will be attempted for this issue.
Vulnerable Library - gson-2.8.6.jarGson JSON library
Library home page: https://github.com/google/gson
Path to dependency file: /jpo-ode-common/pom.xml
Path to vulnerable library: /m2/repository/com/google/code/gson/gson/2.8.6/gson-2.8.6.jar,/home/wss-scanner/.m2/repository/com/google/code/gson/gson/2.8.6/gson-2.8.6.jar,/home/wss-scanner/.m2/repository/com/google/code/gson/gson/2.8.6/gson-2.8.6.jar,/home/wss-scanner/.m2/repository/com/google/code/gson/gson/2.8.6/gson-2.8.6.jar
Dependency Hierarchy:
Found in base branch: dev
Vulnerability Details
Denial of Service vulnerability was discovered in gson before 2.8.9 via the writeReplace() method.
Publish Date: 2021-10-11
URL: WS-2021-0419
CVSS 3 Score Details (7.7)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Release Date: 2021-10-11
Fix Resolution: 2.8.9
⛑️ Automatic Remediation will be attempted for this issue.
Vulnerable Library - jackson-databind-2.12.3.jarGeneral data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /jpo-ode-common/pom.xml
Path to vulnerable library: /m2/repository/com/fasterxml/jackson/core/jackson-databind/2.12.3/jackson-databind-2.12.3.jar,/home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.12.3/jackson-databind-2.12.3.jar,/home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.12.3/jackson-databind-2.12.3.jar,/home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.12.3/jackson-databind-2.12.3.jar
Dependency Hierarchy:
Found in base branch: dev
Vulnerability Details
jackson-databind before 2.13.0 allows a Java StackOverflow exception and denial of service via a large depth of nested objects.
Mend Note: After conducting further research, Mend has determined that all versions of com.fasterxml.jackson.core:jackson-databind up to version 2.13.2 are vulnerable to CVE-2020-36518.
Publish Date: 2022-03-11
URL: CVE-2020-36518
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Release Date: 2022-03-11
Fix Resolution: 2.12.6.1
⛑️ Automatic Remediation will be attempted for this issue.
Vulnerable Library - log4j-1.2.17.jarApache Log4j 1.2
Path to dependency file: /jpo-ode-svcs/pom.xml
Path to vulnerable library: /m2/repository/log4j/log4j/1.2.17/log4j-1.2.17.jar,/m2/repository/log4j/log4j/1.2.17/log4j-1.2.17.jar,/m2/repository/log4j/log4j/1.2.17/log4j-1.2.17.jar,/m2/repository/log4j/log4j/1.2.17/log4j-1.2.17.jar
Dependency Hierarchy:
Found in base branch: dev
Vulnerability Details
Improper validation of certificate with host mismatch in Apache Log4j SMTP appender. This could allow an SMTPS connection to be intercepted by a man-in-the-middle attack which could leak any log messages sent through that appender. Fixed in Apache Log4j 2.12.3 and 2.13.1
Publish Date: 2020-04-27
URL: CVE-2020-9488
CVSS 3 Score Details (3.7)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://reload4j.qos.ch/
Release Date: 2020-04-27
Fix Resolution: ch.qos.reload4j:reload4j:1.2.18.3
Vulnerable Library - log4j-1.2.17.jarApache Log4j 1.2
Path to dependency file: /jpo-ode-svcs/pom.xml
Path to vulnerable library: /m2/repository/log4j/log4j/1.2.17/log4j-1.2.17.jar,/m2/repository/log4j/log4j/1.2.17/log4j-1.2.17.jar,/m2/repository/log4j/log4j/1.2.17/log4j-1.2.17.jar,/m2/repository/log4j/log4j/1.2.17/log4j-1.2.17.jar
Dependency Hierarchy:
Found in base branch: dev
Vulnerability Details
JMSSink in all versions of Log4j 1.x is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration or if the configuration references an LDAP service the attacker has access to. The attacker can provide a TopicConnectionFactoryBindingName configuration causing JMSSink to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-4104. Note this issue only affects Log4j 1.x when specifically configured to use JMSSink, which is not the default. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.
Publish Date: 2022-01-18
URL: CVE-2022-23302
CVSS 3 Score Details (8.8)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://reload4j.qos.ch/
Release Date: 2022-01-18
Fix Resolution: ch.qos.reload4j:reload4j:1.2.18.1
⛑️ Automatic Remediation will be attempted for this issue.
Vulnerable Library - log4j-1.2.17.jarApache Log4j 1.2
Path to dependency file: /jpo-ode-svcs/pom.xml
Path to vulnerable library: /m2/repository/log4j/log4j/1.2.17/log4j-1.2.17.jar,/m2/repository/log4j/log4j/1.2.17/log4j-1.2.17.jar,/m2/repository/log4j/log4j/1.2.17/log4j-1.2.17.jar,/m2/repository/log4j/log4j/1.2.17/log4j-1.2.17.jar
Dependency Hierarchy:
Found in base branch: dev
Vulnerability Details
CVE-2020-9493 identified a deserialization issue that was present in Apache Chainsaw. Prior to Chainsaw V2.0 Chainsaw was a component of Apache Log4j 1.2.x where the same issue exists.
Publish Date: 2022-01-18
URL: CVE-2022-23307
CVSS 3 Score Details (8.8)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Release Date: 2022-01-18
Fix Resolution: ch.qos.reload4j:reload4j:1.2.18.1
⛑️ Automatic Remediation will be attempted for this issue.
Vulnerable Library - log4j-api-2.14.1.jarThe Apache Log4j API
Library home page: https://logging.apache.org/log4j/2.x/
Path to dependency file: jpo-ode/jpo-ode-common/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/logging/log4j/log4j-api/2.14.1/log4j-api-2.14.1.jar,/home/wss-scanner/.m2/repository/org/apache/logging/log4j/log4j-api/2.14.1/log4j-api-2.14.1.jar,/home/wss-scanner/.m2/repository/org/apache/logging/log4j/log4j-api/2.14.1/log4j-api-2.14.1.jar,/home/wss-scanner/.m2/repository/org/apache/logging/log4j/log4j-api/2.14.1/log4j-api-2.14.1.jar
Dependency Hierarchy:
Found in base branch: dev
Vulnerability Details
Log4j versions prior to 2.15.0 are subject to a remote code execution vulnerability via the ldap JNDI parser.
Publish Date: 2021-11-27
URL: CVE-2021-44228
CVSS 3 Score Details (10.0)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: GHSA-jfh8-c2jp-5v3q
Release Date: 2021-12-10
Fix Resolution: org.apache.logging.log4j:log4j-core:2.15.0
Vulnerable Library - netty-3.7.0.Final.jarThe Netty project is an effort to provide an asynchronous event-driven network application framework and tools for rapid development of maintainable high performance and high scalability protocol servers and clients. In other words, Netty is a NIO client server framework which enables quick and easy development of network applications such as protocol servers and clients. It greatly simplifies and streamlines network programming such as TCP and UDP socket server.
Library home page: http://netty.io/
Path to dependency file: /jpo-ode-core/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/io/netty/netty/3.7.0.Final/netty-3.7.0.Final.jar,/home/wss-scanner/.m2/repository/io/netty/netty/3.7.0.Final/netty-3.7.0.Final.jar
Dependency Hierarchy:
Found in HEAD commit: b1b93d98c7ec02a197c74276c4808779b43a5745
Found in base branch: dev
Vulnerability Details
WebSocket08FrameDecoder in Netty 3.6.x before 3.6.9, 3.7.x before 3.7.1, 3.8.x before 3.8.2, 3.9.x before 3.9.1, and 4.0.x before 4.0.19 allows remote attackers to cause a denial of service (memory consumption) via a TextWebSocketFrame followed by a long stream of ContinuationWebSocketFrames.
Publish Date: 2014-05-06
URL: CVE-2014-0193
CVSS 3 Score Details (5.3)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0193
Release Date: 2014-05-06
Fix Resolution: io.netty:netty-all:4.0.19.Final,io.netty:netty-codec-http:4.0.19.Final,io.netty:netty:3.6.9.Final,io.netty:netty:3.7.1.Final,io.netty:netty:3.8.2.Final,io.netty:netty:3.9.1.Final
⛔ Details - Ensure that HEALTHCHECK instructions have been added to container images
Vulnerable Libraries - spring-web-5.3.7.jar, spring-webmvc-5.3.7.jar, spring-core-5.3.7.jar
Spring Web
Library home page: https://github.com/spring-projects/spring-framework
Path to dependency file: /jpo-ode-svcs/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-web/5.3.7/spring-web-5.3.7.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-web/5.3.7/spring-web-5.3.7.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-web/5.3.7/spring-web-5.3.7.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-web/5.3.7/spring-web-5.3.7.jar
Dependency Hierarchy:
Spring Web MVC
Library home page: https://github.com/spring-projects/spring-framework
Path to dependency file: /jpo-ode-common/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-webmvc/5.3.7/spring-webmvc-5.3.7.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-webmvc/5.3.7/spring-webmvc-5.3.7.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-webmvc/5.3.7/spring-webmvc-5.3.7.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-webmvc/5.3.7/spring-webmvc-5.3.7.jar
Dependency Hierarchy:
Spring Core
Library home page: https://github.com/spring-projects/spring-framework
Path to dependency file: /jpo-ode-core/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-core/5.3.7/spring-core-5.3.7.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-core/5.3.7/spring-core-5.3.7.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-core/5.3.7/spring-core-5.3.7.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-core/5.3.7/spring-core-5.3.7.jar
Dependency Hierarchy:
Found in base branch: dev
Vulnerability Details
In Spring Framework versions 5.3.0 - 5.3.10, 5.2.0 - 5.2.17, and older unsupported versions, it is possible for a user to provide malicious input to cause the insertion of additional log entries.
Publish Date: 2021-10-28
URL: CVE-2021-22096
CVSS 3 Score Details (4.3)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://tanzu.vmware.com/security/cve-2021-22096
Release Date: 2021-10-28
Fix Resolution (org.springframework:spring-web): 5.3.12
Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 2.5.6
Fix Resolution (org.springframework:spring-webmvc): 5.3.12
Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 2.5.6
Fix Resolution (org.springframework:spring-core): 5.3.12
Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter): 2.5.6
⛑️ Automatic Remediation will be attempted for this issue.
Vulnerable Library - log4j-1.2.17.jarApache Log4j 1.2
Path to dependency file: /jpo-ode-svcs/pom.xml
Path to vulnerable library: /m2/repository/log4j/log4j/1.2.17/log4j-1.2.17.jar,/m2/repository/log4j/log4j/1.2.17/log4j-1.2.17.jar,/m2/repository/log4j/log4j/1.2.17/log4j-1.2.17.jar,/m2/repository/log4j/log4j/1.2.17/log4j-1.2.17.jar
Dependency Hierarchy:
Found in base branch: dev
Vulnerability Details
By design, the JDBCAppender in Log4j 1.2.x accepts an SQL statement as a configuration parameter where the values to be inserted are converters from PatternLayout. The message converter, %m, is likely to always be included. This allows attackers to manipulate the SQL by entering crafted strings into input fields or headers of an application that are logged allowing unintended SQL queries to be executed. Note this issue only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default. Beginning in version 2.0-beta8, the JDBCAppender was re-introduced with proper support for parameterized SQL queries and further customization over the columns written to in logs. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.
Publish Date: 2022-01-18
URL: CVE-2022-23305
CVSS 3 Score Details (9.8)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://reload4j.qos.ch/
Release Date: 2022-01-18
Fix Resolution: ch.qos.reload4j:reload4j:1.2.18.2
⛑️ Automatic Remediation will be attempted for this issue.
Vulnerable Library - spring-data-rest-webmvc-3.5.1.jarSpring Data REST - WebMVC
Library home page: https://www.spring.io/spring-data
Path to dependency file: /jpo-ode-svcs/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/data/spring-data-rest-webmvc/3.5.1/spring-data-rest-webmvc-3.5.1.jar
Dependency Hierarchy:
Found in base branch: dev
Vulnerability Details
In Spring Data REST versions 3.4.0 - 3.4.13, 3.5.0 - 3.5.5, and older unsupported versions, HTTP resources implemented by custom controllers using a configured base API path and a controller type-level request mapping are additionally exposed under URIs that can potentially be exposed for unauthorized access depending on the Spring Security configuration.
Publish Date: 2021-10-28
URL: CVE-2021-22047
CVSS 3 Score Details (5.3)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://tanzu.vmware.com/security/cve-2021-22047
Release Date: 2021-10-28
Fix Resolution (org.springframework.data:spring-data-rest-webmvc): 3.5.6
Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-data-rest): 2.5.6
⛑️ Automatic Remediation will be attempted for this issue.
Vulnerable Library - thymeleaf-spring5-3.0.12.RELEASE.jarModern server-side Java template engine for both web and standalone environments
Library home page: http://www.thymeleaf.org
Path to dependency file: /jpo-ode-svcs/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/thymeleaf/thymeleaf-spring5/3.0.12.RELEASE/thymeleaf-spring5-3.0.12.RELEASE.jar
Dependency Hierarchy:
Found in base branch: dev
Vulnerability Details
In the thymeleaf-spring5:3.0.12 component, thymeleaf combined with specific scenarios in template injection may lead to remote code execution.
Publish Date: 2021-11-09
URL: CVE-2021-43466
CVSS 3 Score Details (9.8)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://www.thymeleaf.org/releasenotes.html#thymeleaf-3.0.13
Release Date: 2021-11-09
Fix Resolution (org.thymeleaf:thymeleaf-spring5): 3.0.13.RELEASE
Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-thymeleaf): 2.5.8
⛑️ Automatic Remediation will be attempted for this issue.
Vulnerable Library - spring-beans-5.3.7.jarSpring Beans
Library home page: https://github.com/spring-projects/spring-framework
Path to dependency file: /jpo-ode-svcs/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-beans/5.3.7/spring-beans-5.3.7.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-beans/5.3.7/spring-beans-5.3.7.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-beans/5.3.7/spring-beans-5.3.7.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-beans/5.3.7/spring-beans-5.3.7.jar
Dependency Hierarchy:
Found in base branch: dev
Vulnerability Details
A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it.
Mend Note: Converted from WS-2022-0107, on 2022-11-07.
Publish Date: 2022-04-01
URL: CVE-2022-22965
CVSS 3 Score Details (9.8)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement
Release Date: 2022-04-01
Fix Resolution (org.springframework:spring-beans): 5.3.18
Direct dependency fix Resolution (org.springframework:spring-messaging): 5.3.18
⛑️ Automatic Remediation will be attempted for this issue.
Library - amqp-client-5.12.0.jarThe RabbitMQ Java client library allows Java applications to interface with RabbitMQ.
Library home page: https://www.rabbitmq.com
Path to dependency file: /jpo-ode-svcs/pom.xml
Path to library: /home/wss-scanner/.m2/repository/com/rabbitmq/amqp-client/5.12.0/amqp-client-5.12.0.jar,/home/wss-scanner/.m2/repository/com/rabbitmq/amqp-client/5.12.0/amqp-client-5.12.0.jar
Dependency Hierarchy:
Found in HEAD commit: b1b93d98c7ec02a197c74276c4808779b43a5745
Found in base branch: dev
Apache 2.0
License Reference File: https://index.whitesourcesoftware.com/gri/app/reader/resource/content/asString/cf34de58-3656-4437-bf31-f093eb647c9e
GPL 2.0
License Reference File: https://index.whitesourcesoftware.com/gri/app/reader/resource/content/asString/1f4ed4ce-48af-4a60-9368-bb38dbb3c74f
Mozilla 2.0
License Reference File: https://index.whitesourcesoftware.com/gri/app/reader/resource/content/asString/f2638f89-5648-4e18-b8b9-7c88bc5811b4
⛔ License Policy Violation - No GPL
Vulnerable Library - gson-2.8.6.jarGson JSON library
Library home page: https://github.com/google/gson
Path to dependency file: /jpo-ode-common/pom.xml
Path to vulnerable library: /m2/repository/com/google/code/gson/gson/2.8.6/gson-2.8.6.jar,/home/wss-scanner/.m2/repository/com/google/code/gson/gson/2.8.6/gson-2.8.6.jar,/home/wss-scanner/.m2/repository/com/google/code/gson/gson/2.8.6/gson-2.8.6.jar,/home/wss-scanner/.m2/repository/com/google/code/gson/gson/2.8.6/gson-2.8.6.jar
Dependency Hierarchy:
Found in base branch: dev
Vulnerability Details
The package com.google.code.gson:gson before 2.8.9 are vulnerable to Deserialization of Untrusted Data via the writeReplace() method in internal classes, which may lead to DoS attacks.
Publish Date: 2022-05-01
URL: CVE-2022-25647
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25647`
Release Date: 2022-05-01
Fix Resolution: 2.8.9
⛑️ Automatic Remediation will be attempted for this issue.
Library - jsr311-api-1.1.1.jarLibrary home page: https://jsr311.dev.java.net
Path to dependency file: /jpo-ode-svcs/pom.xml
Path to library: /home/wss-scanner/.m2/repository/javax/ws/rs/jsr311-api/1.1.1/jsr311-api-1.1.1.jar,/home/wss-scanner/.m2/repository/javax/ws/rs/jsr311-api/1.1.1/jsr311-api-1.1.1.jar
Dependency Hierarchy:
Found in HEAD commit: b1b93d98c7ec02a197c74276c4808779b43a5745
Found in base branch: dev
CDDL 1.1
License Reference File: https://index.whitesourcesoftware.com/gri/app/reader/resource/content/asString/4536c631-af26-4900-bd7a-696040f4766c
⛔ License Policy Violation - No GPL
Vulnerable Library - log4j-1.2.17.jarApache Log4j 1.2
Path to dependency file: /jpo-ode-svcs/pom.xml
Path to vulnerable library: /m2/repository/log4j/log4j/1.2.17/log4j-1.2.17.jar,/m2/repository/log4j/log4j/1.2.17/log4j-1.2.17.jar,/m2/repository/log4j/log4j/1.2.17/log4j-1.2.17.jar,/m2/repository/log4j/log4j/1.2.17/log4j-1.2.17.jar
Dependency Hierarchy:
Found in base branch: dev
Vulnerability Details
A deserialization flaw was found in Apache Chainsaw versions prior to 2.1.0 which could lead to malicious code execution.
Publish Date: 2021-06-16
URL: CVE-2020-9493
CVSS 3 Score Details (9.8)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://www.openwall.com/lists/oss-security/2021/06/16/1
Release Date: 2021-06-16
Fix Resolution: ch.qos.reload4j:reload4j:1.2.18.1
⛑️ Automatic Remediation will be attempted for this issue.
Vulnerable Library - netty-3.7.0.Final.jarThe Netty project is an effort to provide an asynchronous event-driven network application framework and tools for rapid development of maintainable high performance and high scalability protocol servers and clients. In other words, Netty is a NIO client server framework which enables quick and easy development of network applications such as protocol servers and clients. It greatly simplifies and streamlines network programming such as TCP and UDP socket server.
Library home page: http://netty.io/
Path to dependency file: /jpo-ode-core/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/io/netty/netty/3.7.0.Final/netty-3.7.0.Final.jar,/home/wss-scanner/.m2/repository/io/netty/netty/3.7.0.Final/netty-3.7.0.Final.jar
Dependency Hierarchy:
Found in HEAD commit: b1b93d98c7ec02a197c74276c4808779b43a5745
Found in base branch: dev
Vulnerability Details
HttpObjectDecoder.java in Netty before 4.1.44 allows an HTTP header that lacks a colon, which might be interpreted as a separate header with an incorrect syntax, or might be interpreted as an "invalid fold."
Publish Date: 2020-01-29
URL: CVE-2019-20444
CVSS 3 Score Details (9.1)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20444
Release Date: 2020-01-29
Fix Resolution: io.netty:netty-all:4.1.44.Final
Vulnerable Library - tomcat-embed-core-9.0.46.jarCore Tomcat implementation
Library home page: https://tomcat.apache.org/
Path to dependency file: /jpo-ode-core/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/tomcat/embed/tomcat-embed-core/9.0.46/tomcat-embed-core-9.0.46.jar,/home/wss-scanner/.m2/repository/org/apache/tomcat/embed/tomcat-embed-core/9.0.46/tomcat-embed-core-9.0.46.jar,/home/wss-scanner/.m2/repository/org/apache/tomcat/embed/tomcat-embed-core/9.0.46/tomcat-embed-core-9.0.46.jar,/home/wss-scanner/.m2/repository/org/apache/tomcat/embed/tomcat-embed-core/9.0.46/tomcat-embed-core-9.0.46.jar
Dependency Hierarchy:
Found in HEAD commit: b1b93d98c7ec02a197c74276c4808779b43a5745
Found in base branch: dev
Vulnerability Details
Apache Tomcat 10.0.0-M1 to 10.0.6, 9.0.0.M1 to 9.0.46 and 8.5.0 to 8.5.66 did not correctly parse the HTTP transfer-encoding request header in some circumstances leading to the possibility to request smuggling when used with a reverse proxy. Specifically: - Tomcat incorrectly ignored the transfer encoding header if the client declared it would only accept an HTTP/1.0 response; - Tomcat honoured the identify encoding; and - Tomcat did not ensure that, if present, the chunked encoding was the final encoding.
Publish Date: 2021-07-12
URL: CVE-2021-33037
CVSS 3 Score Details (5.3)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Release Date: 2021-07-12
Fix Resolution (org.apache.tomcat.embed:tomcat-embed-core): 9.0.48
Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 2.5.2
⛑️ Automatic Remediation will be attempted for this issue.
⛔ Details - Ensure that HEALTHCHECK instructions have been added to container images
Vulnerable Library - ant-1.10.9.jarLibrary home page: https://ant.apache.org/
Path to dependency file: /jpo-ode-core/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/ant/ant/1.10.9/ant-1.10.9.jar,/home/wss-scanner/.m2/repository/org/apache/ant/ant/1.10.9/ant-1.10.9.jar,/home/wss-scanner/.m2/repository/org/apache/ant/ant/1.10.9/ant-1.10.9.jar,/home/wss-scanner/.m2/repository/org/apache/ant/ant/1.10.9/ant-1.10.9.jar
Dependency Hierarchy:
Found in HEAD commit: b1b93d98c7ec02a197c74276c4808779b43a5745
Found in base branch: dev
Vulnerability Details
When reading a specially crafted TAR archive an Apache Ant build can be made to allocate large amounts of memory that finally leads to an out of memory error, even for small inputs. This can be used to disrupt builds using Apache Ant. Apache Ant prior to 1.9.16 and 1.10.11 were affected.
Publish Date: 2021-07-14
URL: CVE-2021-36373
CVSS 3 Score Details (5.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-36373
Release Date: 2021-07-14
Fix Resolution (org.apache.ant:ant): 1.10.11
Direct dependency fix Resolution (org.codehaus.groovy:groovy-all): 3.0.9
⛑️ Automatic Remediation will be attempted for this issue.
Library - rocksdbjni-5.18.4.jarRocksDB fat jar that contains .so files for linux32 and linux64, jnilib files for Mac OSX, and a .dll for Windows x64.
Library home page: http://rocksdb.org/
Path to dependency file: /jpo-ode-core/pom.xml
Path to library: /home/wss-scanner/.m2/repository/org/rocksdb/rocksdbjni/5.18.4/rocksdbjni-5.18.4.jar,/home/wss-scanner/.m2/repository/org/rocksdb/rocksdbjni/5.18.4/rocksdbjni-5.18.4.jar
Dependency Hierarchy:
Found in HEAD commit: b1b93d98c7ec02a197c74276c4808779b43a5745
Found in base branch: dev
Apache 2.0
License Reference File: https://index.whitesourcesoftware.com/gri/app/reader/resource/content/asString/cf34de58-3656-4437-bf31-f093eb647c9e
GPL 2.0
License Reference File: https://index.whitesourcesoftware.com/gri/app/reader/resource/content/asString/1f4ed4ce-48af-4a60-9368-bb38dbb3c74f
⛔ License Policy Violation - No GPL
Vulnerable Library - logback-classic-1.2.3.jarlogback-classic module
Library home page: http://logback.qos.ch
Path to dependency file: jpo-ode/jpo-ode-core/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/ch/qos/logback/logback-classic/1.2.3/logback-classic-1.2.3.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-classic/1.2.3/logback-classic-1.2.3.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-classic/1.2.3/logback-classic-1.2.3.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-classic/1.2.3/logback-classic-1.2.3.jar
Dependency Hierarchy:
Found in base branch: dev
Vulnerability Details
LOGBack before 1.2.8 is vulnerable to Remote-Code-Execution (RCE) when the write access to 'logback.xml' and JNDI lookup are enabled.
Publish Date: 2021-12-13
URL: WS-2021-0491
CVSS 3 Score Details (6.6)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: http://logback.qos.ch/news.html
Release Date: 2021-12-13
Fix Resolution: ch.qos.logback:logback-classic:1.2.8
Vulnerable Library - zookeeper-3.4.8.jarPath to dependency file: /jpo-ode-svcs/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/zookeeper/zookeeper/3.4.8/zookeeper-3.4.8.jar,/home/wss-scanner/.m2/repository/org/apache/zookeeper/zookeeper/3.4.8/zookeeper-3.4.8.jar
Dependency Hierarchy:
Found in HEAD commit: b1b93d98c7ec02a197c74276c4808779b43a5745
Found in base branch: dev
Vulnerability Details
Two four letter word commands "wchp/wchc" are CPU intensive and could cause spike of CPU utilization on Apache ZooKeeper server if abused, which leads to the server unable to serve legitimate client requests. Apache ZooKeeper thru version 3.4.9 and 3.5.2 suffer from this issue, fixed in 3.4.10, 3.5.3, and later.
Publish Date: 2017-10-10
URL: CVE-2017-5637
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5637
Release Date: 2017-10-09
Fix Resolution: org.apache.zookeeper:zookeeper - 3.4.10,3.5.3-beta
Vulnerable Library - zookeeper-3.4.8.jarPath to dependency file: /jpo-ode-svcs/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/zookeeper/zookeeper/3.4.8/zookeeper-3.4.8.jar,/home/wss-scanner/.m2/repository/org/apache/zookeeper/zookeeper/3.4.8/zookeeper-3.4.8.jar
Dependency Hierarchy:
Found in HEAD commit: b1b93d98c7ec02a197c74276c4808779b43a5745
Found in base branch: dev
Vulnerability Details
No authentication/authorization is enforced when a server attempts to join a quorum in Apache ZooKeeper before 3.4.10, and 3.5.0-alpha through 3.5.3-beta. As a result an arbitrary end point could join the cluster and begin propagating counterfeit changes to the leader.
Publish Date: 2018-05-21
URL: CVE-2018-8012
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8012
Release Date: 2018-05-21
Fix Resolution: 3.4.10,3.5.4-beta
Vulnerable Libraries - spring-web-5.3.7.jar, spring-core-5.3.7.jar
Spring Web
Library home page: https://github.com/spring-projects/spring-framework
Path to dependency file: /jpo-ode-svcs/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-web/5.3.7/spring-web-5.3.7.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-web/5.3.7/spring-web-5.3.7.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-web/5.3.7/spring-web-5.3.7.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-web/5.3.7/spring-web-5.3.7.jar
Dependency Hierarchy:
Spring Core
Library home page: https://github.com/spring-projects/spring-framework
Path to dependency file: /jpo-ode-core/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-core/5.3.7/spring-core-5.3.7.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-core/5.3.7/spring-core-5.3.7.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-core/5.3.7/spring-core-5.3.7.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-core/5.3.7/spring-core-5.3.7.jar
Dependency Hierarchy:
Found in base branch: dev
Vulnerability Details
In Spring Framework versions 5.3.0 - 5.3.13, 5.2.0 - 5.2.18, and older unsupported versions, it is possible for a user to provide malicious input to cause the insertion of additional log entries. This is a follow-up to CVE-2021-22096 that protects against additional types of input and in more places of the Spring Framework codebase.
Publish Date: 2022-01-10
URL: CVE-2021-22060
CVSS 3 Score Details (4.3)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://spring.io/security/cve-2021-22060
Release Date: 2022-01-10
Fix Resolution (org.springframework:spring-web): 5.3.14
Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 2.5.8
Fix Resolution (org.springframework:spring-core): 5.3.14
Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter): 2.5.8
⛑️ Automatic Remediation will be attempted for this issue.
Vulnerable Library - spring-expression-5.3.7.jarSpring Expression Language (SpEL)
Library home page: https://github.com/spring-projects/spring-framework
Path to dependency file: /jpo-ode-svcs/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-expression/5.3.7/spring-expression-5.3.7.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-expression/5.3.7/spring-expression-5.3.7.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-expression/5.3.7/spring-expression-5.3.7.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-expression/5.3.7/spring-expression-5.3.7.jar
Dependency Hierarchy:
Found in base branch: dev
Vulnerability Details
n Spring Framework versions 5.3.0 - 5.3.16 and older unsupported versions, it is possible for a user to provide a specially crafted SpEL expression that may cause a denial of service condition.
Publish Date: 2022-04-01
URL: CVE-2022-22950
CVSS 3 Score Details (6.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://tanzu.vmware.com/security/cve-2022-22950
Release Date: 2022-04-01
Fix Resolution (org.springframework:spring-expression): 5.3.17
Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 2.5.11
⛑️ Automatic Remediation will be attempted for this issue.
⛔ Details - Ensure that LABEL maintainer is used instead of MAINTAINER (deprecated)
Vulnerable Library - zookeeper-3.4.8.jarPath to dependency file: /jpo-ode-svcs/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/zookeeper/zookeeper/3.4.8/zookeeper-3.4.8.jar,/home/wss-scanner/.m2/repository/org/apache/zookeeper/zookeeper/3.4.8/zookeeper-3.4.8.jar
Dependency Hierarchy:
Found in HEAD commit: b1b93d98c7ec02a197c74276c4808779b43a5745
Found in base branch: dev
Vulnerability Details
An issue is present in Apache ZooKeeper 1.0.0 to 3.4.13 and 3.5.0-alpha to 3.5.4-beta. ZooKeeper’s getACL() command doesn’t check any permission when retrieves the ACLs of the requested node and returns all information contained in the ACL Id field as plaintext string. DigestAuthenticationProvider overloads the Id field with the hash value that is used for user authentication. As a consequence, if Digest Authentication is in use, the unsalted hash value will be disclosed by getACL() request for unauthenticated or unprivileged users.
Publish Date: 2019-05-23
URL: CVE-2019-0201
CVSS 3 Score Details (5.9)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://zookeeper.apache.org/security.html
Release Date: 2019-05-23
Fix Resolution: 3.4.14, 3.5.5
Vulnerable Library - spring-beans-5.3.7.jarSpring Beans
Library home page: https://github.com/spring-projects/spring-framework
Path to dependency file: /jpo-ode-svcs/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-beans/5.3.7/spring-beans-5.3.7.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-beans/5.3.7/spring-beans-5.3.7.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-beans/5.3.7/spring-beans-5.3.7.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-beans/5.3.7/spring-beans-5.3.7.jar
Dependency Hierarchy:
Found in base branch: dev
Vulnerability Details
Spring Framework before 5.2.20 and 5.3.x before 5.3.18 are vulnerable due to a vulnerability in Spring-beans which allows attackers under certain circumstances to achieve remote code execution, this vulnerability is also known as ״Spring4Shell״ or ״SpringShell״.
The current POC related to the attack is done by creating a specially crafted request which manipulates ClassLoader to successfully achieve RCE (Remote Code Execution).
Please note that the ease of exploitation may diverge by the code implementation.
Currently, the exploit requires JDK 9 or higher, Apache Tomcat as the Servlet container, the application Packaged as WAR, and dependency on spring-webmvc or spring-webflux.
Spring Framework 5.3.18 and 5.2.20 have already been released.
WhiteSource’s research team is carefully observing developments and researching the case. We will keep updating this page and our WhiteSource resources with updates.
This is a temporary WhiteSource ID until an official CVE ID will be released.
Publish Date: 2022-03-30
URL: WS-2022-0107
CVSS 3 Score Details (9.8)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement
Release Date: 2022-03-30
Fix Resolution: org.springframework:spring-beans:5.2.20.RELEASE,5.3.18
Library - jakarta.annotation-api-1.3.5.jarJakarta Annotations API
Library home page: https://projects.eclipse.org/projects/ee4j.ca
Path to dependency file: /jpo-ode-common/pom.xml
Path to library: /home/wss-scanner/.m2/repository/jakarta/annotation/jakarta.annotation-api/1.3.5/jakarta.annotation-api-1.3.5.jar,/home/wss-scanner/.m2/repository/jakarta/annotation/jakarta.annotation-api/1.3.5/jakarta.annotation-api-1.3.5.jar,/home/wss-scanner/.m2/repository/jakarta/annotation/jakarta.annotation-api/1.3.5/jakarta.annotation-api-1.3.5.jar,/home/wss-scanner/.m2/repository/jakarta/annotation/jakarta.annotation-api/1.3.5/jakarta.annotation-api-1.3.5.jar
Dependency Hierarchy:
Found in HEAD commit: b1b93d98c7ec02a197c74276c4808779b43a5745
Found in base branch: dev
Eclipse 2.0
License Reference File: https://index.whitesourcesoftware.com/gri/app/reader/resource/content/asString/67cc8d70-b680-4b02-9ebd-12aedc62fdcb
GPL 2.0 Classpath
License Reference File: https://index.whitesourcesoftware.com/gri/app/reader/resource/content/asString/e96c8fbd-cb83-4584-9141-6ce6630e023b
⛔ License Policy Violation - No GPL
Vulnerable Libraries - logback-core-1.2.3.jar, logback-classic-1.2.3.jar
logback-core module
Library home page: http://logback.qos.ch
Path to dependency file: /jpo-ode-common/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.2.3/logback-core-1.2.3.jar,/m2/repository/ch/qos/logback/logback-core/1.2.3/logback-core-1.2.3.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.2.3/logback-core-1.2.3.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.2.3/logback-core-1.2.3.jar
Dependency Hierarchy:
logback-classic module
Library home page: http://logback.qos.ch
Path to dependency file: /jpo-ode-core/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/ch/qos/logback/logback-classic/1.2.3/logback-classic-1.2.3.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-classic/1.2.3/logback-classic-1.2.3.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-classic/1.2.3/logback-classic-1.2.3.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-classic/1.2.3/logback-classic-1.2.3.jar
Dependency Hierarchy:
Found in base branch: dev
Vulnerability Details
In logback version 1.2.7 and prior versions, an attacker with the required privileges to edit configurations files could craft a malicious configuration allowing to execute arbitrary code loaded from LDAP servers.
Mend Note: Converted from WS-2021-0491, on 2022-11-07.
Publish Date: 2021-12-16
URL: CVE-2021-42550
CVSS 3 Score Details (6.6)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=VE-2021-42550
Release Date: 2021-12-16
Fix Resolution (ch.qos.logback:logback-classic): 1.2.8
Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter): 2.5.8
⛑️ Automatic Remediation will be attempted for this issue.
Vulnerable Library - kafka-clients-2.7.1.jarLibrary home page: https://kafka.apache.org
Path to dependency file: /jpo-ode-core/pom.xml
Path to vulnerable library: /m2/repository/org/apache/kafka/kafka-clients/2.7.1/kafka-clients-2.7.1.jar,/home/wss-scanner/.m2/repository/org/apache/kafka/kafka-clients/2.7.1/kafka-clients-2.7.1.jar
Dependency Hierarchy:
Found in HEAD commit: b1b93d98c7ec02a197c74276c4808779b43a5745
Found in base branch: dev
Vulnerability Details
Some components in Apache Kafka use Arrays.equals to validate a password or key, which is vulnerable to timing attacks that make brute force attacks for such credentials more likely to be successful. Users should upgrade to 2.8.1 or higher, or 3.0.0 or higher where this vulnerability has been fixed. The affected versions include Apache Kafka 2.0.0, 2.0.1, 2.1.0, 2.1.1, 2.2.0, 2.2.1, 2.2.2, 2.3.0, 2.3.1, 2.4.0, 2.4.1, 2.5.0, 2.5.1, 2.6.0, 2.6.1, 2.6.2, 2.7.0, 2.7.1, and 2.8.0.
Publish Date: 2021-09-22
URL: CVE-2021-38153
CVSS 3 Score Details (5.9)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-38153
Release Date: 2021-09-22
Fix Resolution: 2.7.2
⛑️ Automatic Remediation will be attempted for this issue.
Library - jaxb-api-2.3.1.jarJAXB (JSR 222) API
Path to dependency file: /jpo-ode-plugins/pom.xml
Path to library: /home/wss-scanner/.m2/repository/javax/xml/bind/jaxb-api/2.3.1/jaxb-api-2.3.1.jar,/m2/repository/javax/xml/bind/jaxb-api/2.3.1/jaxb-api-2.3.1.jar,/home/wss-scanner/.m2/repository/javax/xml/bind/jaxb-api/2.3.1/jaxb-api-2.3.1.jar,/m2/repository/javax/xml/bind/jaxb-api/2.3.1/jaxb-api-2.3.1.jar
Dependency Hierarchy:
Found in HEAD commit: b1b93d98c7ec02a197c74276c4808779b43a5745
Found in base branch: dev
CDDL 1.1
License Reference File: https://index.whitesourcesoftware.com/gri/app/reader/resource/content/asString/4536c631-af26-4900-bd7a-696040f4766c
GPL 2.0 Classpath
License Reference File: https://github.com/javaee/jaxb-spec/blob/master/LICENSE.txt
⛔ License Policy Violation - No GPL
Vulnerable Library - commons-io-2.4.jarThe Commons IO library contains utility classes, stream implementations, file filters, file comparators, endian transformation classes, and much more.
Library home page: http://commons.apache.org/io/
Path to dependency file: /jpo-ode-core/pom.xml
Path to vulnerable library: /m2/repository/commons-io/commons-io/2.4/commons-io-2.4.jar,/home/wss-scanner/.m2/repository/commons-io/commons-io/2.4/commons-io-2.4.jar
Dependency Hierarchy:
Found in HEAD commit: b1b93d98c7ec02a197c74276c4808779b43a5745
Found in base branch: dev
Vulnerability Details
In Apache Commons IO before 2.7, When invoking the method FileNameUtils.normalize with an improper input string, like "//../foo", or "\..\foo", the result would be the same value, thus possibly providing access to files in the parent directory, but not further above (thus "limited" path traversal), if the calling code would use the result to construct a path value.
Publish Date: 2021-04-13
URL: CVE-2021-29425
CVSS 3 Score Details (4.8)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29425
Release Date: 2021-04-13
Fix Resolution: 2.7
⛑️ Automatic Remediation will be attempted for this issue.
⛔ Details - Ensure that a user for the container has been created
Vulnerable Library - jackson-databind-2.12.3.jarGeneral data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /jpo-ode-common/pom.xml
Path to vulnerable library: /m2/repository/com/fasterxml/jackson/core/jackson-databind/2.12.3/jackson-databind-2.12.3.jar,/home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.12.3/jackson-databind-2.12.3.jar,/home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.12.3/jackson-databind-2.12.3.jar,/home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.12.3/jackson-databind-2.12.3.jar
Dependency Hierarchy:
Found in base branch: dev
Vulnerability Details
FasterXML jackson-databind before 2.12.6 and 2.13.1 there is DoS when using JDK serialization to serialize JsonNode.
Publish Date: 2021-11-20
URL: WS-2021-0616
CVSS 3 Score Details (5.9)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Release Date: 2021-11-20
Fix Resolution: 2.12.4
⛑️ Automatic Remediation will be attempted for this issue.
Vulnerable Library - ant-1.10.9.jarLibrary home page: https://ant.apache.org/
Path to dependency file: /jpo-ode-core/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/ant/ant/1.10.9/ant-1.10.9.jar,/home/wss-scanner/.m2/repository/org/apache/ant/ant/1.10.9/ant-1.10.9.jar,/home/wss-scanner/.m2/repository/org/apache/ant/ant/1.10.9/ant-1.10.9.jar,/home/wss-scanner/.m2/repository/org/apache/ant/ant/1.10.9/ant-1.10.9.jar
Dependency Hierarchy:
Found in HEAD commit: b1b93d98c7ec02a197c74276c4808779b43a5745
Found in base branch: dev
Vulnerability Details
When reading a specially crafted ZIP archive, or a derived formats, an Apache Ant build can be made to allocate large amounts of memory that leads to an out of memory error, even for small inputs. This can be used to disrupt builds using Apache Ant. Commonly used derived formats from ZIP archives are for instance JAR files and many office files. Apache Ant prior to 1.9.16 and 1.10.11 were affected.
Publish Date: 2021-07-14
URL: CVE-2021-36374
CVSS 3 Score Details (5.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://ant.apache.org/security.html
Release Date: 2021-07-14
Fix Resolution (org.apache.ant:ant): 1.10.11
Direct dependency fix Resolution (org.codehaus.groovy:groovy-all): 3.0.9
⛑️ Automatic Remediation will be attempted for this issue.
Vulnerable Library - jquery-2.1.1.jarWebJar for jQuery
Library home page: http://webjars.org
Path to dependency file: /jpo-ode-core/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/webjars/jquery/2.1.1/jquery-2.1.1.jar,/m2/repository/org/webjars/jquery/2.1.1/jquery-2.1.1.jar,/home/wss-scanner/.m2/repository/org/webjars/jquery/2.1.1/jquery-2.1.1.jar,/home/wss-scanner/.m2/repository/org/webjars/jquery/2.1.1/jquery-2.1.1.jar
Dependency Hierarchy:
Found in HEAD commit: b1b93d98c7ec02a197c74276c4808779b43a5745
Found in base branch: dev
Vulnerability Details
jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable proto property, it could extend the native Object.prototype.
Publish Date: 2019-04-20
URL: CVE-2019-11358
CVSS 3 Score Details (6.1)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11358
Release Date: 2019-04-20
Fix Resolution: 3.4.0
⛑️ Automatic Remediation will be attempted for this issue.
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
Django
The Web framework for perfectionists with deadlines.
Laravel
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
Microsoft
Open source projects and samples from Microsoft.
Google
Google ❤️ Open Source for everyone.
Alibaba
Alibaba Open Source for everyone
D3
Data-Driven Documents codes.
Tencent
China tencent open source team.
