
snowdensb / jpo-ode


This project forked from usdot-jpo-ode/jpo-ode


US Department of Transportation (USDOT) Intelligent Transportation Systems Operational Data Environment (ITS ODE). This is the main repository that integrates and coordinates ODE Submodules.

Shell 0.44% Batchfile 0.07% Java 95.91% HTML 2.60% JavaScript 0.12% CSS 0.06% C 0.18% Dockerfile 0.18% Makefile 0.04% Python 0.40%

jpo-ode's People

Contributors

0111sandesh, abey-yoseph, alexsobledotgov, bbrotsos, dan-du-car, danrasband, dmccoystephenson, drewjj, hmusavi, jtbaird, mend-for-github-com[bot], mgarramo, mvs5465, paynebrandon, saikrishnabairamoni, schwartz-matthew-bah, snallamothu, snowdensb, southernsun, tonychen091, tonyenglish, toryb1, trevor-trou

jpo-ode's Issues

CVE-2020-11022 (Medium) detected in jquery-2.1.1.jar

CVE-2020-11022 - Medium Severity Vulnerability

Vulnerable Library - jquery-2.1.1.jar

WebJar for jQuery

Library home page: http://webjars.org

Path to dependency file: /jpo-ode-core/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/webjars/jquery/2.1.1/jquery-2.1.1.jar,/m2/repository/org/webjars/jquery/2.1.1/jquery-2.1.1.jar

Dependency Hierarchy:

  • jquery-2.1.1.jar (Vulnerable Library)

Found in HEAD commit: b1b93d98c7ec02a197c74276c4808779b43a5745

Found in base branch: dev

Vulnerability Details

In jQuery versions greater than or equal to 1.2 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.

Publish Date: 2020-04-29

URL: CVE-2020-11022

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11022

Release Date: 2020-04-29

Fix Resolution: 3.5.0


⛑️ Automatic Remediation will be attempted for this issue.

CVE-2019-17571 (Critical) detected in log4j-1.2.17.jar

CVE-2019-17571 - Critical Severity Vulnerability

Vulnerable Library - log4j-1.2.17.jar

Apache Log4j 1.2

Path to dependency file: /jpo-ode-svcs/pom.xml

Path to vulnerable library: /m2/repository/log4j/log4j/1.2.17/log4j-1.2.17.jar

Dependency Hierarchy:

  • log4j-1.2.17.jar (Vulnerable Library)

Found in HEAD commit: b1b93d98c7ec02a197c74276c4808779b43a5745

Found in base branch: dev

Vulnerability Details

Included in Log4j 1.2 is a SocketServer class that is vulnerable to deserialization of untrusted data which can be exploited to remotely execute arbitrary code when combined with a deserialization gadget when listening to untrusted network traffic for log data. This affects Log4j versions 1.2 up to 1.2.17.

Publish Date: 2019-12-20

URL: CVE-2019-17571

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: https://lists.apache.org/thread.html/eea03d504b36e8f870e8321d908e1def1addda16adda04327fe7c125%40%3Cdev.logging.apache.org%3E

Release Date: 2019-12-20

Fix Resolution: log4j-manual - 1.2.17-16;log4j-javadoc - 1.2.17-16;log4j - 1.2.17-16,1.2.17-16


⛑️ Automatic Remediation will be attempted for this issue.

CVE-2022-22968 (Medium) detected in spring-context-5.3.7.jar

CVE-2022-22968 - Medium Severity Vulnerability

Vulnerable Library - spring-context-5.3.7.jar

Spring Context

Library home page: https://github.com/spring-projects/spring-framework

Path to dependency file: /jpo-ode-core/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-context/5.3.7/spring-context-5.3.7.jar

Dependency Hierarchy:

  • spring-boot-starter-2.5.0.jar (Root Library)
    • spring-boot-2.5.0.jar
      • spring-context-5.3.7.jar (Vulnerable Library)

Found in base branch: dev

Vulnerability Details

In Spring Framework versions 5.3.0 - 5.3.18, 5.2.0 - 5.2.20, and older unsupported versions, the patterns for disallowedFields on a DataBinder are case sensitive which means a field is not effectively protected unless it is listed with both upper and lower case for the first character of the field, including upper and lower case for the first character of all nested fields within the property path.

Publish Date: 2022-04-14

URL: CVE-2022-22968

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: Low
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Origin: https://tanzu.vmware.com/security/cve-2022-22968

Release Date: 2022-04-14

Fix Resolution (org.springframework:spring-context): 5.3.19

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter): 2.5.13


⛑️ Automatic Remediation will be attempted for this issue.
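What the case-sensitivity bug means in practice, as an added example (not Spring's or jpo-ode's code): a Python port of the disallowedFields check in Spring's DataBinder, with the pre-5.3.19 form beside the fixed one. simple_match follows org.springframework.util.PatternMatchUtils.simpleMatch and the two is_allowed_* functions follow DataBinder.isAllowed as I read it before and after the fix (allowedFields is left out); treat the exact Spring internals as an assumption, and the `class.*` pattern and the property paths below as made-up inputs for illustration.

```python
# Added example, not Spring's or jpo-ode's code: a Python port of the
# disallowedFields check in Spring's DataBinder, vulnerable form beside fixed
# form. simple_match follows org.springframework.util.PatternMatchUtils
# .simpleMatch; is_allowed_* follow DataBinder.isAllowed as I read it before
# and after 5.3.19 (allowedFields left out). Treat the exact internals as an
# assumption; the pattern and field names below are made up for illustration.

def simple_match(pattern: str, s: str) -> bool:
    """'*' matches any run of characters; everything else is compared literally."""
    first = pattern.find("*")
    if first == -1:
        return pattern == s
    if first == 0:
        if len(pattern) == 1:
            return True
        nxt = pattern.find("*", 1)
        if nxt == -1:
            return s.endswith(pattern[1:])
        part = pattern[1:nxt]
        if not part:
            return simple_match(pattern[nxt:], s)
        idx = s.find(part)
        while idx != -1:
            if simple_match(pattern[nxt:], s[idx + len(part):]):
                return True
            idx = s.find(part, idx + 1)
        return False
    return (len(s) >= first
            and pattern[:first] == s[:first]
            and simple_match(pattern[first:], s[first:]))


def is_allowed_vulnerable(field: str, disallowed: list) -> bool:
    """5.3.18 and earlier: patterns are matched exactly as given, so case matters."""
    return not any(simple_match(p, field) for p in disallowed)


def is_allowed_fixed(field: str, disallowed: list) -> bool:
    """5.3.19: patterns are stored lower-cased and the property path is lower-cased before matching."""
    field = field.lower()
    return not any(simple_match(p.lower(), field) for p in disallowed)


# Constructed inputs: one pattern, the same property path in two spellings.
DISALLOWED = ["class.*"]
SUBMITTED = ["class.classLoader", "Class.classLoader", "name"]

def compare(fields=SUBMITTED, disallowed=DISALLOWED):
    """For each field: (field, bound by the vulnerable binder?, bound by the fixed binder?)."""
    return [(f, is_allowed_vulnerable(f, disallowed), is_allowed_fixed(f, disallowed))
            for f in fields]


if __name__ == "__main__":
    for field, vuln, fixed in compare():
        print(f"{field:20} 5.3.18 binds: {vuln!s:5}  5.3.19 binds: {fixed}")
```

The "first character" wording in the CVE text comes from this: a bean property path is resolved regardless of the case of its first character, but 5.3.18 compares the pattern only against the spelling that was submitted, so `Class.classLoader` slips past `class.*`. Listing both spellings is the pre-patch workaround; 5.3.19 (spring-boot-starter 2.5.13, as the scanner says) makes the comparison case-insensitive.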

CVE-2015-9251 (Medium) detected in jquery-2.1.1.jar

CVE-2015-9251 - Medium Severity Vulnerability

Vulnerable Library - jquery-2.1.1.jar

WebJar for jQuery

Library home page: http://webjars.org

Path to dependency file: /jpo-ode-core/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/webjars/jquery/2.1.1/jquery-2.1.1.jar,/m2/repository/org/webjars/jquery/2.1.1/jquery-2.1.1.jar

Dependency Hierarchy:

  • jquery-2.1.1.jar (Vulnerable Library)

Found in HEAD commit: b1b93d98c7ec02a197c74276c4808779b43a5745

Found in base branch: dev

Vulnerability Details

jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed.

Publish Date: 2018-01-18

URL: CVE-2015-9251

CVSS 3 Score Details (5.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2015-9251

Release Date: 2018-01-18

Fix Resolution: 3.0.0-alpha1


⛑️ Automatic Remediation will be attempted for this issue.

License Policy Violation detected in javax.websocket-client-api-1.1.jar


Library - javax.websocket-client-api-1.1.jar

JSR 356: Java API for WebSocket

Library home page: http://websocket-spec.java.net

Path to dependency file: /jpo-ode-plugins/pom.xml

Path to library: /home/wss-scanner/.m2/repository/javax/websocket/javax.websocket-client-api/1.1/javax.websocket-client-api-1.1.jar,/m2/repository/javax/websocket/javax.websocket-client-api/1.1/javax.websocket-client-api-1.1.jar

Dependency Hierarchy:

  • javax.websocket-client-api-1.1.jar (Library containing License Policy Violation)

Found in HEAD commit: b1b93d98c7ec02a197c74276c4808779b43a5745

Found in base branch: dev

📃 License Details

CDDL 1.1
License Reference File: https://glassfish.java.net/public/CDDL+GPL_1_1.html

GPL 2.0 Classpath
License Reference File: https://glassfish.java.net/public/CDDL+GPL_1_1.html

    ⛔ License Policy Violation - No GPL

License Policy Violation detected in javax.activation-api-1.2.0.jar


Library - javax.activation-api-1.2.0.jar

JavaBeans Activation Framework API jar

Library home page: http://java.net/all/javax.activation-api/

Path to dependency file: /jpo-ode-plugins/pom.xml

Path to library: /home/wss-scanner/.m2/repository/javax/activation/javax.activation-api/1.2.0/javax.activation-api-1.2.0.jar

Dependency Hierarchy:

  • jpo-ode-common-1.0.10-SNAPSHOT.jar (Root Library)
    • jaxb-api-2.3.1.jar
      • javax.activation-api-1.2.0.jar (Library containing License Policy Violation)

Found in HEAD commit: b1b93d98c7ec02a197c74276c4808779b43a5745

Found in base branch: dev

📃 License Details

CDDL 1.1
License Reference File: https://repo.maven.apache.org/maven2/javax/activation/javax.activation-api/1.2.0/javax.activation-api-1.2.0.pom

GPL 2.0 Classpath
License Reference File: https://index.whitesourcesoftware.com/gri/app/reader/resource/content/asString/e96c8fbd-cb83-4584-9141-6ce6630e023b

    ⛔ License Policy Violation - No GPL

CVE-2014-3488 (High) detected in netty-3.7.0.Final.jar

CVE-2014-3488 - High Severity Vulnerability

Vulnerable Library - netty-3.7.0.Final.jar

The Netty project is an effort to provide an asynchronous event-driven network application framework and tools for rapid development of maintainable high performance and high scalability protocol servers and clients. In other words, Netty is a NIO client server framework which enables quick and easy development of network applications such as protocol servers and clients. It greatly simplifies and streamlines network programming such as TCP and UDP socket server.

Library home page: http://netty.io/

Path to dependency file: /jpo-ode-core/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/io/netty/netty/3.7.0.Final/netty-3.7.0.Final.jar

Dependency Hierarchy:

  • jpo-ode-core-1.0.10-SNAPSHOT.jar (Root Library)
    • kafka_2.11-0.10.1.0.jar
      • zookeeper-3.4.8.jar
        • netty-3.7.0.Final.jar (Vulnerable Library)

Found in HEAD commit: b1b93d98c7ec02a197c74276c4808779b43a5745

Found in base branch: dev

Vulnerability Details

The SslHandler in Netty before 3.9.2 allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via a crafted SSLv2Hello message.

Publish Date: 2014-07-31

URL: CVE-2014-3488

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3488

Release Date: 2014-07-31

Fix Resolution: 3.9.2.Final
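The hierarchy above is the awkward case: netty is reached through kafka_2.11 and zookeeper, so bumping a dependency declared in the pom does nothing unless it is the one at the top of that chain (the other Netty findings on this page report the same chain). As an added example (not jpo-ode's own tooling), here is a small triage script that parses the text output of `mvn dependency:tree` and reports, for every artifact a scanner flagged, the root-to-leaf chain and the direct dependency that pulls it in. SAMPLE_TREE is constructed for this example from the hierarchies the findings list; FINDINGS copies the scanner's own (artifact, vulnerable version, fix version, CVE) entries. Matching is by exact version rather than Maven version ordering, a deliberate simplification.

```python
import re

# Added example, not jpo-ode's own tooling: parse `mvn dependency:tree` text output
# and, for every artifact a scanner flagged, report the root-to-leaf chain so you
# can see which direct dependency pulls it in. SAMPLE_TREE is constructed for this
# example from the hierarchies listed in the findings on this page; FINDINGS copies
# the scanner's (artifact, vulnerable version, fix version, CVE) entries. Matching is
# by exact version, not Maven version ordering, which is a deliberate simplification.

SAMPLE_TREE = r"""
[INFO] usdot.jpo.ode:jpo-ode-core:jar:1.0.10-SNAPSHOT
[INFO] +- org.apache.kafka:kafka_2.11:jar:0.10.1.0:compile
[INFO] |  \- org.apache.zookeeper:zookeeper:jar:3.4.8:compile
[INFO] |     \- io.netty:netty:jar:3.7.0.Final:compile
[INFO] +- org.springframework.boot:spring-boot-starter:jar:2.5.0:compile
[INFO] |  \- org.springframework.boot:spring-boot:jar:2.5.0:compile
[INFO] |     \- org.springframework:spring-context:jar:5.3.7:compile
[INFO] \- org.webjars:jquery:jar:2.1.1:compile
"""

FINDINGS = {
    "io.netty:netty": ("3.7.0.Final", "3.9.2.Final", "CVE-2014-3488"),
    "org.springframework:spring-context": ("5.3.7", "5.3.19", "CVE-2022-22968"),
    "org.webjars:jquery": ("2.1.1", "3.5.0", "CVE-2020-11022"),
}

# "[INFO] ", then the tree drawing in 3-character cells ("+- ", "\- ", "|  ", "   "),
# then the coordinates. Depth is the number of cells.
LINE = re.compile(r"\[INFO\] ((?:[-|+\\ ]{3})*)(\S+)")


def parse_tree(text):
    """Yield, for each node, the list of (group:artifact, version) from the root to that node."""
    stack = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        prefix, coords = m.groups()
        depth = len(prefix) // 3
        parts = coords.split(":")              # g:a:type[:classifier]:version[:scope]
        version = parts[4] if len(parts) == 6 else parts[3]
        del stack[depth:]                      # pop back to this node's parent level
        stack.append((f"{parts[0]}:{parts[1]}", version))
        yield list(stack)


def triage(tree_text, findings=FINDINGS):
    """One record per flagged artifact: CVE, fix, full chain, and the direct dependency to act on."""
    hits = []
    for path in parse_tree(tree_text):
        ga, version = path[-1]
        if ga not in findings or findings[ga][0] != version:
            continue
        _, fixed, cve = findings[ga]
        hits.append({
            "cve": cve,
            "artifact": f"{ga}:{version}",
            "fix": fixed,
            "chain": " -> ".join(f"{g}:{v}" for g, v in path),
            "direct": f"{path[1][0]}:{path[1][1]}" if len(path) > 1 else None,
            "transitive": len(path) > 2,
        })
    return hits


def dependency_management_pin(ga, version):
    """Maven <dependencyManagement> entry that forces `version` for a transitive artifact."""
    group, artifact = ga.split(":")
    return (f"<dependency>\n  <groupId>{group}</groupId>\n  <artifactId>{artifact}</artifactId>\n"
            f"  <version>{version}</version>\n</dependency>")


if __name__ == "__main__":
    for h in triage(SAMPLE_TREE):
        kind = "transitive via " + h["direct"] if h["transitive"] else "direct"
        print(f'{h["cve"]}: {h["artifact"]} ({kind}); fix {h["fix"]}\n  {h["chain"]}')
        if h["transitive"]:
            print(dependency_management_pin(h["artifact"].rsplit(":", 1)[0], h["fix"]))
```

A managed-version pin only changes the version that Maven resolves; it does not prove the newer jar works with the library that wanted the old one. For the Kafka chain, netty 3.9.2.Final stays within the Netty 3.x API that zookeeper 3.4.8 was built against, but run the test suite before trusting it, and prefer the scanner's direct-dependency advice where it gives one (kafka_2.11 0.10.2.2 is listed under CVE-2018-1288 further down this page). After the change, `mvn dependency:tree -Dincludes=io.netty:netty` confirms that only the intended version remains in the graph.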

CVE-2015-2156 (High) detected in netty-3.7.0.Final.jar

CVE-2015-2156 - High Severity Vulnerability

Vulnerable Library - netty-3.7.0.Final.jar

The Netty project is an effort to provide an asynchronous event-driven network application framework and tools for rapid development of maintainable high performance and high scalability protocol servers and clients. In other words, Netty is a NIO client server framework which enables quick and easy development of network applications such as protocol servers and clients. It greatly simplifies and streamlines network programming such as TCP and UDP socket server.

Library home page: http://netty.io/

Path to dependency file: /jpo-ode-core/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/io/netty/netty/3.7.0.Final/netty-3.7.0.Final.jar

Dependency Hierarchy:

  • jpo-ode-core-1.0.10-SNAPSHOT.jar (Root Library)
    • kafka_2.11-0.10.1.0.jar
      • zookeeper-3.4.8.jar
        • netty-3.7.0.Final.jar (Vulnerable Library)

Found in HEAD commit: b1b93d98c7ec02a197c74276c4808779b43a5745

Found in base branch: dev

Vulnerability Details

Netty before 3.9.8.Final, 3.10.x before 3.10.3.Final, 4.0.x before 4.0.28.Final, and 4.1.x before 4.1.0.Beta5 and Play Framework 2.x before 2.3.9 might allow remote attackers to bypass the httpOnly flag on cookies and obtain sensitive information by leveraging improper validation of cookie name and value characters.

Publish Date: 2017-10-18

URL: CVE-2015-2156

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2156

Release Date: 2017-10-18

Fix Resolution: io.netty:netty:3.9.8.Final,io.netty:netty:3.10.3.Final,io.netty:netty-all:4.0.28.Final,io.netty:netty-codec-http:4.0.28.Final,io.netty:netty-codec-http:4.1.0.Beta5

CVE-2021-4104 (High) detected in log4j-1.2.17.jar

CVE-2021-4104 - High Severity Vulnerability

Vulnerable Library - log4j-1.2.17.jar

Apache Log4j 1.2

Path to dependency file: /jpo-ode-svcs/pom.xml

Path to vulnerable library: /m2/repository/log4j/log4j/1.2.17/log4j-1.2.17.jar

Dependency Hierarchy:

  • log4j-1.2.17.jar (Vulnerable Library)

Found in base branch: dev

Vulnerability Details

JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration. The attacker can provide TopicBindingName and TopicConnectionFactoryBindingName configurations causing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228. Note this issue only affects Log4j 1.2 when specifically configured to use JMSAppender, which is not the default. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.

Publish Date: 2021-12-14

URL: CVE-2021-4104

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2021-4104

Release Date: 2021-12-14

Fix Resolution: uom-parent - 1.0.3-3.module,1.0.3-3.module;uom-se-javadoc - 1.0.4-3.module;parfait-examples - 0.5.4-4.module;log4j-manual - 1.2.17-16;si-units-javadoc - 0.6.5-2.module;unit-api - 1.0-5.module,1.0-5.module;unit-api-javadoc - 1.0-5.module;parfait - 0.5.4-4.module,0.5.4-4.module;log4j-javadoc - 1.2.17-16;uom-systems-javadoc - 0.7-1.module;uom-lib-javadoc - 1.0.1-6.module;uom-systems - 0.7-1.module,0.7-1.module;log4j - 1.2.17-16,1.2.17-16;uom-se - 1.0.4-3.module,1.0.4-3.module;uom-lib - 1.0.1-6.module,1.0.1-6.module;parfait-javadoc - 0.5.4-4.module;pcp-parfait-agent - 0.5.4-4.module;si-units - 0.6.5-2.module,0.6.5-2.module


⛑️ Automatic Remediation will be attempted for this issue.

CVE-2018-1288 (Medium) detected in kafka_2.11-0.10.1.0.jar

CVE-2018-1288 - Medium Severity Vulnerability

Vulnerable Library - kafka_2.11-0.10.1.0.jar

Path to dependency file: /jpo-ode-core/pom.xml

Path to vulnerable library: /m2/repository/org/apache/kafka/kafka_2.11/0.10.1.0/kafka_2.11-0.10.1.0.jar,/home/wss-scanner/.m2/repository/org/apache/kafka/kafka_2.11/0.10.1.0/kafka_2.11-0.10.1.0.jar

Dependency Hierarchy:

  • kafka_2.11-0.10.1.0.jar (Vulnerable Library)

Found in HEAD commit: b1b93d98c7ec02a197c74276c4808779b43a5745

Found in base branch: dev

Vulnerability Details

In Apache Kafka 0.9.0.0 to 0.9.0.1, 0.10.0.0 to 0.10.2.1, 0.11.0.0 to 0.11.0.2, and 1.0.0, authenticated Kafka users may perform actions reserved for the Broker via a manually created fetch request interfering with data replication, resulting in data loss.

Publish Date: 2018-07-26

URL: CVE-2018-1288

CVSS 3 Score Details (5.4)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: Low
    • Availability Impact: Low


Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1288

Release Date: 2018-07-26

Fix Resolution: 0.10.2.2


⛑️ Automatic Remediation will be attempted for this issue.

CVE-2020-11023 (Medium) detected in jquery-2.1.1.jar

CVE-2020-11023 - Medium Severity Vulnerability

Vulnerable Library - jquery-2.1.1.jar

WebJar for jQuery

Library home page: http://webjars.org

Path to dependency file: /jpo-ode-core/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/webjars/jquery/2.1.1/jquery-2.1.1.jar,/m2/repository/org/webjars/jquery/2.1.1/jquery-2.1.1.jar

Dependency Hierarchy:

  • jquery-2.1.1.jar (Vulnerable Library)

Found in HEAD commit: b1b93d98c7ec02a197c74276c4808779b43a5745

Found in base branch: dev

Vulnerability Details

In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing elements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.

Publish Date: 2020-04-29

URL: CVE-2020-11023

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Origin: https://github.com/jquery/jquery/security/advisories/GHSA-jpcq-cgw6-v4j6,https://github.com/rails/jquery-rails/blob/master/CHANGELOG.md#440

Release Date: 2020-04-29

Fix Resolution: 3.5.0


⛑️ Automatic Remediation will be attempted for this issue.
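How a string that a sanitizer judged inert turns executable, as an added example (not jQuery's or jpo-ode's code) that serves both this finding and CVE-2020-11022 above: a Python port of the self-closing-tag rewrite jQuery applied to HTML strings before 3.5.0 (inlined in .html() and buildFragment in 2.1.1, exposed as jQuery.htmlPrefilter from 1.12/2.2), beside a toy model of the browser rule that everything from `<style>` to the next `</style>` is text rather than markup. The regex is reproduced from memory of the jQuery 2.x source and the payload is the `<style><style/>` shape reported for the advisory; treat both as assumptions.

```python
import re

# Added example, not jQuery's or jpo-ode's code, serving this finding and
# CVE-2020-11022 above: a Python port of the self-closing-tag rewrite jQuery
# applied to HTML strings before 3.5.0 (inlined in .html()/buildFragment in
# 2.1.1, exposed as jQuery.htmlPrefilter from 1.12/2.2), beside a toy model
# of the browser rule that everything from <style> to the next </style> is
# text, not markup. The regex is reproduced from memory of jQuery 2.x and the
# payload shape is the one reported for the advisory; treat both as assumptions.

RX_HTML_TAG = re.compile(
    r"<(?!area|br|col|embed|hr|img|input|link|meta|param)(([\w:]+)[^>]*)/>",
    re.IGNORECASE,
)


def legacy_html_prefilter(html: str) -> str:
    """jQuery < 3.5.0: '<x ... />' becomes '<x ...></x>' for every non-void tag."""
    return RX_HTML_TAG.sub(r"<\1></\2>", html)


def fixed_html_prefilter(html: str) -> str:
    """jQuery >= 3.5.0: htmlPrefilter returns its input unchanged."""
    return html


def live_img_tags(html: str) -> list:
    """Toy HTML tokenizer: skip <style>...</style> as raw text and collect every
    <img ...> tag that is parsed as a real element (i.e. outside the style text)."""
    low = html.lower()
    live, i, in_style = [], 0, False
    while i < len(html):
        if in_style:
            end = low.find("</style>", i)
            if end == -1:
                break                       # unterminated style swallows the rest
            i, in_style = end + len("</style>"), False
        elif low.startswith("<style", i):
            gt = low.find(">", i)
            if gt == -1:
                break
            i, in_style = gt + 1, True
        elif low.startswith("<img", i):
            gt = low.find(">", i)
            end = len(html) if gt == -1 else gt + 1
            live.append(html[i:end])
            i = end
        else:
            i += 1
    return live


# Constructed attacker input: a sanitizer parses it as one <style> element whose
# text happens to contain '<style /><img ...>', so it sees nothing executable.
PAYLOAD = '<style><style /><img src=x onerror=alert(1)>'


def executable_after(prefilter, html=PAYLOAD) -> list:
    """Which <img> tags become live once `prefilter` has rewritten `html`."""
    return live_img_tags(prefilter(html))


if __name__ == "__main__":
    print("as sanitized :", live_img_tags(PAYLOAD))
    print("after rewrite:", legacy_html_prefilter(PAYLOAD))
    print("jQuery <3.5.0:", executable_after(legacy_html_prefilter))
    print("jQuery 3.5.0 :", executable_after(fixed_html_prefilter))
```

The rewrite turns the inner `<style />` into `<style ></style>`, the browser takes that `</style>` as the end of the outer element, and the `<img>` that the sanitizer saw as CSS text becomes a real element with its onerror handler. jQuery 2.1.1 has no jQuery.htmlPrefilter hook to neutralise, so the only fix for this WebJar is the scanner's: org.webjars:jquery 3.5.0. On 1.12/2.2 through 3.4.x the advisory's interim workaround is to set jQuery.htmlPrefilter to the identity function, which is what fixed_html_prefilter models.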

WS-2021-0419 (High) detected in gson-2.8.6.jar

WS-2021-0419 - High Severity Vulnerability

Vulnerable Library - gson-2.8.6.jar

Gson JSON library

Library home page: https://github.com/google/gson

Path to dependency file: /jpo-ode-common/pom.xml

Path to vulnerable library: /m2/repository/com/google/code/gson/gson/2.8.6/gson-2.8.6.jar,/home/wss-scanner/.m2/repository/com/google/code/gson/gson/2.8.6/gson-2.8.6.jar

Dependency Hierarchy:

  • gson-2.8.6.jar (Vulnerable Library)

Found in base branch: dev

Vulnerability Details

A denial-of-service vulnerability was discovered in gson before 2.8.9 via the writeReplace() method.

Publish Date: 2021-10-11

URL: WS-2021-0419

CVSS 3 Score Details (7.7)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: High
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Release Date: 2021-10-11

Fix Resolution: 2.8.9


⛑️ Automatic Remediation will be attempted for this issue.

CVE-2020-36518 (High) detected in jackson-databind-2.12.3.jar

CVE-2020-36518 - High Severity Vulnerability

Vulnerable Library - jackson-databind-2.12.3.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /jpo-ode-common/pom.xml

Path to vulnerable library: /m2/repository/com/fasterxml/jackson/core/jackson-databind/2.12.3/jackson-databind-2.12.3.jar,/home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.12.3/jackson-databind-2.12.3.jar

Dependency Hierarchy:

  • jackson-databind-2.12.3.jar (Vulnerable Library)

Found in base branch: dev

Vulnerability Details

jackson-databind before 2.13.0 allows a Java StackOverflow exception and denial of service via a large depth of nested objects.
Mend Note: After conducting further research, Mend has determined that all versions of com.fasterxml.jackson.core:jackson-databind up to version 2.13.2 are vulnerable to CVE-2020-36518.

Publish Date: 2022-03-11

URL: CVE-2020-36518

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Release Date: 2022-03-11

Fix Resolution: 2.12.6.1


⛑️ Automatic Remediation will be attempted for this issue.
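A defence that works regardless of which Jackson version is on the classpath, as an added example (not Jackson's or jpo-ode's code): a one-pass pre-check of a JSON document's nesting depth that rejects over-deep input before any recursive parser sees it. Python's own json module stands in only to show that a stock recursive parser fails in the same way Jackson does; DEEP is constructed attacker input, and MAX_DEPTH = 1000 is an assumption, chosen to match the default Jackson later adopted for StreamReadConstraints in 2.15.

```python
import json

# Added example, not Jackson's or jpo-ode's code: measure nesting depth in one
# pass and refuse over-deep documents before a recursive parser touches them.
# Brackets inside string literals are ignored, escapes are honoured.
# MAX_DEPTH is an assumption (Jackson 2.15's StreamReadConstraints default is also 1000).

MAX_DEPTH = 1000


def max_nesting_depth(data: bytes) -> int:
    """Deepest array/object nesting in `data`, ignoring brackets inside string literals."""
    depth = deepest = 0
    in_string = escaped = False
    for b in data:
        if in_string:
            if escaped:
                escaped = False
            elif b == 0x5C:            # backslash starts an escape
                escaped = True
            elif b == 0x22:            # closing quote
                in_string = False
        elif b == 0x22:
            in_string = True
        elif b in (0x5B, 0x7B):        # '[' or '{'
            depth += 1
            deepest = max(deepest, depth)
        elif b in (0x5D, 0x7D):        # ']' or '}'
            depth -= 1
    return deepest


def bounded_loads(data: bytes, max_depth: int = MAX_DEPTH):
    """Parse only if the nesting depth is within bounds; otherwise raise ValueError."""
    d = max_nesting_depth(data)
    if d > max_depth:
        raise ValueError(f"JSON nesting depth {d} exceeds limit {max_depth}")
    return json.loads(data)


def stock_parser_survives(data: bytes) -> bool:
    """True if json.loads parses `data`; False if it dies with RecursionError (the Jackson symptom)."""
    try:
        json.loads(data)
        return True
    except RecursionError:
        return False


DEEP = b"[" * 100_000 + b"]" * 100_000    # constructed attacker input: 100k nested arrays

if __name__ == "__main__":
    print("stock parser survives DEEP:", stock_parser_survives(DEEP))
    print("depth of DEEP:", max_nesting_depth(DEEP))
    try:
        bounded_loads(DEEP)
    except ValueError as e:
        print("rejected:", e)
```

The scan is linear in the input and allocates nothing, so it is safe to run on the raw request body before deserialisation; the upgrade to 2.12.6.1 that the scanner names is still the primary fix, since the same depth limit has to hold for every entry point that reaches jackson-databind, not just the ones you remember to wrap.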

CVE-2020-9488 (Low) detected in log4j-1.2.17.jar

CVE-2020-9488 - Low Severity Vulnerability

Vulnerable Library - log4j-1.2.17.jar

Apache Log4j 1.2

Path to dependency file: /jpo-ode-svcs/pom.xml

Path to vulnerable library: /m2/repository/log4j/log4j/1.2.17/log4j-1.2.17.jar

Dependency Hierarchy:

  • log4j-1.2.17.jar (Vulnerable Library)

Found in base branch: dev

Vulnerability Details

Improper validation of certificate with host mismatch in Apache Log4j SMTP appender. This could allow an SMTPS connection to be intercepted by a man-in-the-middle attack which could leak any log messages sent through that appender. Fixed in Apache Log4j 2.12.3 and 2.13.1

Publish Date: 2020-04-27

URL: CVE-2020-9488

CVSS 3 Score Details (3.7)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: None
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Origin: https://reload4j.qos.ch/

Release Date: 2020-04-27

Fix Resolution: ch.qos.reload4j:reload4j:1.2.18.3



CVE-2022-23302 (High) detected in log4j-1.2.17.jar

CVE-2022-23302 - High Severity Vulnerability

Vulnerable Library - log4j-1.2.17.jar

Apache Log4j 1.2

Path to dependency file: /jpo-ode-svcs/pom.xml

Path to vulnerable library: /m2/repository/log4j/log4j/1.2.17/log4j-1.2.17.jar

Dependency Hierarchy:

  • log4j-1.2.17.jar (Vulnerable Library)

Found in base branch: dev

Vulnerability Details

JMSSink in all versions of Log4j 1.x is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration or if the configuration references an LDAP service the attacker has access to. The attacker can provide a TopicConnectionFactoryBindingName configuration causing JMSSink to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-4104. Note this issue only affects Log4j 1.x when specifically configured to use JMSSink, which is not the default. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.

Publish Date: 2022-01-18

URL: CVE-2022-23302

CVSS 3 Score Details (8.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: https://reload4j.qos.ch/

Release Date: 2022-01-18

Fix Resolution: ch.qos.reload4j:reload4j:1.2.18.1


⛑️ Automatic Remediation will be attempted for this issue.

CVE-2022-23307 (High) detected in log4j-1.2.17.jar

CVE-2022-23307 - High Severity Vulnerability

Vulnerable Library - log4j-1.2.17.jar

Apache Log4j 1.2

Path to dependency file: /jpo-ode-svcs/pom.xml

Path to vulnerable library: /m2/repository/log4j/log4j/1.2.17/log4j-1.2.17.jar

Dependency Hierarchy:

  • log4j-1.2.17.jar (Vulnerable Library)

Found in base branch: dev

Vulnerability Details

CVE-2020-9493 identified a deserialization issue that was present in Apache Chainsaw. Prior to Chainsaw V2.0 Chainsaw was a component of Apache Log4j 1.2.x where the same issue exists.

Publish Date: 2022-01-18

URL: CVE-2022-23307

CVSS 3 Score Details (8.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Release Date: 2022-01-18

Fix Resolution: ch.qos.reload4j:reload4j:1.2.18.1


⛑️ Automatic Remediation will be attempted for this issue.
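Which of the five Log4j 1.x findings on this page (CVE-2019-17571, CVE-2020-9488, CVE-2021-4104, CVE-2022-23302, CVE-2022-23307) are reachable depends on how log4j is configured and launched, as the issue texts themselves say. As an added example (not jpo-ode's or Log4j's code), here is a small audit that pulls the configured appender classes out of a log4j.properties or log4j.xml and maps them to the configuration-gated CVEs, and separately checks a JVM command line for the standalone classes (SocketServer, JMSSink and Chainsaw are not appenders, so a configuration file says nothing about them). The two configuration snippets and the command line are constructed for the example; the class-to-CVE mapping is taken from the issue texts above.

```python
import re
import xml.etree.ElementTree as ET

# Added example, not jpo-ode's or Log4j's code: audit a Log4j 1.x deployment for
# the findings on this page that only apply under a particular configuration or
# launch command. SAMPLE_PROPERTIES, SAMPLE_XML and SAMPLE_CMDLINE are constructed.

# Appender classes that make a config-gated CVE reachable.
CONFIG_GATED = {
    "org.apache.log4j.net.JMSAppender":
        "CVE-2021-4104 (JNDI lookup of TopicBindingName / TopicConnectionFactoryBindingName)",
    "org.apache.log4j.net.SMTPAppender":
        "CVE-2020-9488 (no hostname check on the SMTPS server certificate)",
}
# Standalone classes: exposed only if something actually runs them.
STANDALONE = {
    "org.apache.log4j.net.SocketServer": "CVE-2019-17571 (deserialises LoggingEvents from the socket)",
    "org.apache.log4j.net.JMSSink": "CVE-2022-23302 (JNDI lookup of TopicConnectionFactoryBindingName)",
    "org.apache.log4j.chainsaw": "CVE-2022-23307 (Chainsaw deserialisation)",
}

# Only "log4j.appender.NAME=class" lines; "log4j.appender.NAME.layout=..." has a dot after NAME.
PROP_RE = re.compile(r"^\s*log4j\.appender\.(\w+)\s*=\s*(\S+)", re.M)


def appenders_from_properties(text: str) -> dict:
    """{appender name: class} from a log4j.properties file."""
    return {m.group(1): m.group(2) for m in PROP_RE.finditer(text)}


def appenders_from_xml(text: str) -> dict:
    """{appender name: class} from a log4j.xml file."""
    root = ET.fromstring(text)
    return {a.get("name"): a.get("class") for a in root.iter("appender")}


def audit(appenders: dict) -> list:
    """(name, class, reason) for every configured appender that enables a CVE on this page."""
    return [(name, cls, CONFIG_GATED[cls]) for name, cls in appenders.items() if cls in CONFIG_GATED]


def standalone_risks(cmdline: str) -> list:
    """CVEs that apply because the JVM command line runs a Log4j 1.x network/GUI class."""
    return [cve for cls, cve in STANDALONE.items() if cls in cmdline]


SAMPLE_PROPERTIES = """\
log4j.rootLogger=INFO, stdout, jms
log4j.appender.stdout=org.apache.log4j.ConsoleAppender
log4j.appender.stdout.layout=org.apache.log4j.PatternLayout
log4j.appender.jms=org.apache.log4j.net.JMSAppender
log4j.appender.jms.TopicBindingName=logTopic
log4j.appender.jms.TopicConnectionFactoryBindingName=ConnectionFactory
"""

SAMPLE_XML = """\
<log4j:configuration xmlns:log4j="http://jakarta.apache.org/log4j/">
  <appender name="file" class="org.apache.log4j.RollingFileAppender"/>
  <appender name="mail" class="org.apache.log4j.net.SMTPAppender">
    <param name="SMTPProtocol" value="smtps"/>
  </appender>
</log4j:configuration>
"""

SAMPLE_CMDLINE = "java -cp log4j-1.2.17.jar org.apache.log4j.net.SocketServer 4560 server.properties /etc/log4j/"

if __name__ == "__main__":
    for label, appenders in (("properties", appenders_from_properties(SAMPLE_PROPERTIES)),
                             ("xml", appenders_from_xml(SAMPLE_XML))):
        for name, cls, why in audit(appenders):
            print(f"{label}: appender '{name}' is {cls}: {why}")
    for why in standalone_risks(SAMPLE_CMDLINE):
        print(f"cmdline: {why}")
```

Whatever the audit reports, the scanner's fix is the right one: swap log4j:log4j:1.2.17 for ch.qos.reload4j:reload4j (same org.apache.log4j packages, so a coordinates change plus an `<exclusion>` on any dependency that drags log4j 1.x back in), or move to Log4j 2 as the Apache text recommends. The SMTPAppender finding only matters when SMTPProtocol is smtps; over plain SMTP there is no certificate to validate and the log mail is in the clear anyway.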

CVE-2021-44228 (High) detected in log4j-api-2.14.1.jar - autoclosed

CVE-2021-44228 - High Severity Vulnerability

Vulnerable Library - log4j-api-2.14.1.jar

The Apache Log4j API

Library home page: https://logging.apache.org/log4j/2.x/

Path to dependency file: jpo-ode/jpo-ode-common/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/logging/log4j/log4j-api/2.14.1/log4j-api-2.14.1.jar

Dependency Hierarchy:

  • spring-boot-starter-2.5.0.jar (Root Library)
    • spring-boot-starter-logging-2.5.0.jar
      • log4j-to-slf4j-2.14.1.jar
        • log4j-api-2.14.1.jar (Vulnerable Library)

Found in base branch: dev

Vulnerability Details

Log4j versions prior to 2.15.0 are subject to a remote code execution vulnerability via the ldap JNDI parser.

Publish Date: 2021-11-27

URL: CVE-2021-44228

CVSS 3 Score Details (10.0)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: GHSA-jfh8-c2jp-5v3q

Release Date: 2021-12-10

Fix Resolution: org.apache.logging.log4j:log4j-core:2.15.0

CVE-2014-0193 (Medium) detected in netty-3.7.0.Final.jar

CVE-2014-0193 - Medium Severity Vulnerability

Vulnerable Library - netty-3.7.0.Final.jar

The Netty project is an effort to provide an asynchronous event-driven network application framework and tools for rapid development of maintainable high performance and high scalability protocol servers and clients. In other words, Netty is a NIO client server framework which enables quick and easy development of network applications such as protocol servers and clients. It greatly simplifies and streamlines network programming such as TCP and UDP socket server.

Library home page: http://netty.io/

Path to dependency file: /jpo-ode-core/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/io/netty/netty/3.7.0.Final/netty-3.7.0.Final.jar

Dependency Hierarchy:

  • jpo-ode-core-1.0.10-SNAPSHOT.jar (Root Library)
    • kafka_2.11-0.10.1.0.jar
      • zookeeper-3.4.8.jar
        • netty-3.7.0.Final.jar (Vulnerable Library)

Found in HEAD commit: b1b93d98c7ec02a197c74276c4808779b43a5745

Found in base branch: dev

Vulnerability Details

WebSocket08FrameDecoder in Netty 3.6.x before 3.6.9, 3.7.x before 3.7.1, 3.8.x before 3.8.2, 3.9.x before 3.9.1, and 4.0.x before 4.0.19 allows remote attackers to cause a denial of service (memory consumption) via a TextWebSocketFrame followed by a long stream of ContinuationWebSocketFrames.

Publish Date: 2014-05-06

URL: CVE-2014-0193

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0193

Release Date: 2014-05-06

Fix Resolution: io.netty:netty-all:4.0.19.Final,io.netty:netty-codec-http:4.0.19.Final,io.netty:netty:3.6.9.Final,io.netty:netty:3.7.1.Final,io.netty:netty:3.8.2.Final,io.netty:netty:3.9.1.Final

CVE-2021-22096 (Medium) detected in multiple libraries

CVE-2021-22096 - Medium Severity Vulnerability

Vulnerable Libraries - spring-web-5.3.7.jar, spring-webmvc-5.3.7.jar, spring-core-5.3.7.jar

spring-web-5.3.7.jar

Spring Web

Library home page: https://github.com/spring-projects/spring-framework

Path to dependency file: /jpo-ode-svcs/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-web/5.3.7/spring-web-5.3.7.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-web/5.3.7/spring-web-5.3.7.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-web/5.3.7/spring-web-5.3.7.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-web/5.3.7/spring-web-5.3.7.jar

Dependency Hierarchy:

  • spring-boot-starter-web-2.5.0.jar (Root Library)
    • spring-web-5.3.7.jar (Vulnerable Library)

spring-webmvc-5.3.7.jar

Spring Web MVC

Library home page: https://github.com/spring-projects/spring-framework

Path to dependency file: /jpo-ode-common/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-webmvc/5.3.7/spring-webmvc-5.3.7.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-webmvc/5.3.7/spring-webmvc-5.3.7.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-webmvc/5.3.7/spring-webmvc-5.3.7.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-webmvc/5.3.7/spring-webmvc-5.3.7.jar

Dependency Hierarchy:

  • spring-boot-starter-web-2.5.0.jar (Root Library)
    • spring-webmvc-5.3.7.jar (Vulnerable Library)

spring-core-5.3.7.jar

Spring Core

Library home page: https://github.com/spring-projects/spring-framework

Path to dependency file: /jpo-ode-core/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-core/5.3.7/spring-core-5.3.7.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-core/5.3.7/spring-core-5.3.7.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-core/5.3.7/spring-core-5.3.7.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-core/5.3.7/spring-core-5.3.7.jar

Dependency Hierarchy:

  • spring-boot-starter-2.5.0.jar (Root Library)
    • spring-core-5.3.7.jar (Vulnerable Library)

Found in base branch: dev

Vulnerability Details

In Spring Framework versions 5.3.0 - 5.3.10, 5.2.0 - 5.2.17, and older unsupported versions, it is possible for a user to provide malicious input to cause the insertion of additional log entries.

Publish Date: 2021-10-28

URL: CVE-2021-22096

CVSS 3 Score Details (4.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://tanzu.vmware.com/security/cve-2021-22096

Release Date: 2021-10-28

Fix Resolution (org.springframework:spring-web): 5.3.12

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 2.5.6

Fix Resolution (org.springframework:spring-webmvc): 5.3.12

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 2.5.6

Fix Resolution (org.springframework:spring-core): 5.3.12

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter): 2.5.6


⛑️ Automatic Remediation will be attempted for this issue.

CVE-2022-23305 (Critical) detected in log4j-1.2.17.jar

CVE-2022-23305 - Critical Severity Vulnerability

Vulnerable Library - log4j-1.2.17.jar

Apache Log4j 1.2

Path to dependency file: /jpo-ode-svcs/pom.xml

Path to vulnerable library: /m2/repository/log4j/log4j/1.2.17/log4j-1.2.17.jar,/m2/repository/log4j/log4j/1.2.17/log4j-1.2.17.jar,/m2/repository/log4j/log4j/1.2.17/log4j-1.2.17.jar,/m2/repository/log4j/log4j/1.2.17/log4j-1.2.17.jar

Dependency Hierarchy:

  • log4j-1.2.17.jar (Vulnerable Library)

Found in base branch: dev

Vulnerability Details

By design, the JDBCAppender in Log4j 1.2.x accepts an SQL statement as a configuration parameter where the values to be inserted are converters from PatternLayout. The message converter, %m, is likely to always be included. This allows attackers to manipulate the SQL by entering crafted strings into input fields or headers of an application that are logged allowing unintended SQL queries to be executed. Note this issue only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default. Beginning in version 2.0-beta8, the JDBCAppender was re-introduced with proper support for parameterized SQL queries and further customization over the columns written to in logs. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.

Publish Date: 2022-01-18

URL: CVE-2022-23305

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://reload4j.qos.ch/

Release Date: 2022-01-18

Fix Resolution: ch.qos.reload4j:reload4j:1.2.18.2


⛑️ Automatic Remediation will be attempted for this issue.
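The advisory above describes the mechanism but not what it looks like in practice. The following is an added example, not code from Log4j or from this project: it emulates the way a Log4j 1.2 JDBCAppender splices PatternLayout converters (%p, %m) into a configured SQL statement, runs the result against an in-memory SQLite table, and contrasts it with a parameterized insert. The SQL template, the attacker-supplied message, the table name and the sample log4j.properties text are all constructed for the example; the triage helper that greps a properties file for the appender class is an assumption about how such a configuration is written, not a Log4j API.

```python
import re
import sqlite3
from typing import List, Tuple

# Constructed sample: the kind of statement a Log4j 1.2 JDBCAppender
# configuration carries. %p and %m are PatternLayout converters that the
# appender substitutes textually before handing the string to JDBC.
VULNERABLE_SQL_TEMPLATE = "INSERT INTO app_log (level, message) VALUES ('%p', '%m')"


def render_like_log4j1(template: str, level: str, message: str) -> str:
    """Emulates the Log4j 1.x behaviour: converters are spliced into the SQL text."""
    return template.replace("%p", level).replace("%m", message)


def fresh_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE app_log (level TEXT, message TEXT)")
    return conn


def rows(conn: sqlite3.Connection) -> List[Tuple[str, str]]:
    return conn.execute("SELECT level, message FROM app_log ORDER BY rowid").fetchall()


def log_vulnerable(conn: sqlite3.Connection, level: str, message: str) -> None:
    """The message becomes part of the SQL: anything it contains is executed."""
    conn.execute(render_like_log4j1(VULNERABLE_SQL_TEMPLATE, level, message))


def log_parameterized(conn: sqlite3.Connection, level: str, message: str) -> None:
    """Hardened form: the message is bound as a parameter and can only ever be data."""
    conn.execute("INSERT INTO app_log (level, message) VALUES (?, ?)", (level, message))


# Constructed attacker input: a request field value that the application logs
# verbatim. It closes the quoted value and appends a second, forged row.
INJECTED_MESSAGE = "login failed for user bob'), ('INFO', 'login succeeded for user admin"


def demo_vulnerable() -> List[Tuple[str, str]]:
    conn = fresh_db()
    log_vulnerable(conn, "WARN", INJECTED_MESSAGE)
    return rows(conn)  # two rows; the second one is attacker-authored


def demo_parameterized() -> List[Tuple[str, str]]:
    conn = fresh_db()
    log_parameterized(conn, "WARN", INJECTED_MESSAGE)
    return rows(conn)  # one row whose message is the raw input, quotes and all


def demo_benign_quote_breaks_vulnerable() -> bool:
    """A harmless apostrophe is enough to make the vulnerable path fail outright."""
    conn = fresh_db()
    try:
        log_vulnerable(conn, "INFO", "user O'Brien logged in")
    except sqlite3.OperationalError:
        return True
    return False


# Triage helper (assumed property-file layout): does a log4j.properties file
# actually enable the appender this CVE is about? Sample text is constructed.
JDBC_APPENDER_CLASS = "org.apache.log4j.jdbc.JDBCAppender"


def uses_jdbc_appender(properties_text: str) -> bool:
    pattern = re.compile(
        r"^\s*log4j\.appender\.\w+\s*=\s*" + re.escape(JDBC_APPENDER_CLASS) + r"\s*$",
        re.MULTILINE,
    )
    return pattern.search(properties_text) is not None


SAMPLE_PROPERTIES = """
log4j.rootLogger=INFO, db, console
log4j.appender.console=org.apache.log4j.ConsoleAppender
log4j.appender.db=org.apache.log4j.jdbc.JDBCAppender
log4j.appender.db.sql=INSERT INTO app_log (level, message) VALUES ('%p', '%m')
"""
```

The triage point for this repository: the scanner flags the jar, but the 9.8 score only applies to a deployment that configures the JDBCAppender. Grep the shipped log4j.properties or log4j.xml for the appender class before deciding whether the finding is exploitable, and either way the jar is end-of-life and should be replaced by reload4j or Log4j 2 as the fix resolution says.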

CVE-2021-22047 (Medium) detected in spring-data-rest-webmvc-3.5.1.jar

CVE-2021-22047 - Medium Severity Vulnerability

Vulnerable Library - spring-data-rest-webmvc-3.5.1.jar

Spring Data REST - WebMVC

Library home page: https://www.spring.io/spring-data

Path to dependency file: /jpo-ode-svcs/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/data/spring-data-rest-webmvc/3.5.1/spring-data-rest-webmvc-3.5.1.jar

Dependency Hierarchy:

  • spring-boot-starter-data-rest-2.5.0.jar (Root Library)
    • spring-data-rest-webmvc-3.5.1.jar (Vulnerable Library)

Found in base branch: dev

Vulnerability Details

In Spring Data REST versions 3.4.0 - 3.4.13, 3.5.0 - 3.5.5, and older unsupported versions, HTTP resources implemented by custom controllers using a configured base API path and a controller type-level request mapping are additionally exposed under URIs that can potentially be exposed for unauthorized access depending on the Spring Security configuration.

Publish Date: 2021-10-28

URL: CVE-2021-22047

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: None
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://tanzu.vmware.com/security/cve-2021-22047

Release Date: 2021-10-28

Fix Resolution (org.springframework.data:spring-data-rest-webmvc): 3.5.6

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-data-rest): 2.5.6


⛑️ Automatic Remediation will be attempted for this issue.

CVE-2021-43466 (Critical) detected in thymeleaf-spring5-3.0.12.RELEASE.jar

CVE-2021-43466 - Critical Severity Vulnerability

Vulnerable Library - thymeleaf-spring5-3.0.12.RELEASE.jar

Modern server-side Java template engine for both web and standalone environments

Library home page: http://www.thymeleaf.org

Path to dependency file: /jpo-ode-svcs/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/thymeleaf/thymeleaf-spring5/3.0.12.RELEASE/thymeleaf-spring5-3.0.12.RELEASE.jar

Dependency Hierarchy:

  • spring-boot-starter-thymeleaf-2.5.0.jar (Root Library)
    • thymeleaf-spring5-3.0.12.RELEASE.jar (Vulnerable Library)

Found in base branch: dev

Vulnerability Details

In the thymeleaf-spring5:3.0.12 component, thymeleaf combined with specific scenarios in template injection may lead to remote code execution.

Publish Date: 2021-11-09

URL: CVE-2021-43466

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.thymeleaf.org/releasenotes.html#thymeleaf-3.0.13

Release Date: 2021-11-09

Fix Resolution (org.thymeleaf:thymeleaf-spring5): 3.0.13.RELEASE

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-thymeleaf): 2.5.8


⛑️ Automatic Remediation will be attempted for this issue.

CVE-2022-22965 (Critical) detected in spring-beans-5.3.7.jar

CVE-2022-22965 - Critical Severity Vulnerability

Vulnerable Library - spring-beans-5.3.7.jar

Spring Beans

Library home page: https://github.com/spring-projects/spring-framework

Path to dependency file: /jpo-ode-svcs/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-beans/5.3.7/spring-beans-5.3.7.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-beans/5.3.7/spring-beans-5.3.7.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-beans/5.3.7/spring-beans-5.3.7.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-beans/5.3.7/spring-beans-5.3.7.jar

Dependency Hierarchy:

  • spring-messaging-5.3.7.jar (Root Library)
    • spring-beans-5.3.7.jar (Vulnerable Library)

Found in base branch: dev

Vulnerability Details

A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it.
Mend Note: Converted from WS-2022-0107, on 2022-11-07.

Publish Date: 2022-04-01

URL: CVE-2022-22965

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement

Release Date: 2022-04-01

Fix Resolution (org.springframework:spring-beans): 5.3.18

Direct dependency fix Resolution (org.springframework:spring-messaging): 5.3.18


⛑️ Automatic Remediation will be attempted for this issue.

License Policy Violation detected in amqp-client-5.12.0.jar

License Policy Violation detected in amqp-client-5.12.0.jar

Library - amqp-client-5.12.0.jar

The RabbitMQ Java client library allows Java applications to interface with RabbitMQ.

Library home page: https://www.rabbitmq.com

Path to dependency file: /jpo-ode-svcs/pom.xml

Path to library: /home/wss-scanner/.m2/repository/com/rabbitmq/amqp-client/5.12.0/amqp-client-5.12.0.jar,/home/wss-scanner/.m2/repository/com/rabbitmq/amqp-client/5.12.0/amqp-client-5.12.0.jar

Dependency Hierarchy:

  • jpo-ode-core-1.0.10-SNAPSHOT.jar (Root Library)
    • metrics-graphite-4.1.21.jar
      • amqp-client-5.12.0.jar (Library containing License Policy Violation)

Found in HEAD commit: b1b93d98c7ec02a197c74276c4808779b43a5745

Found in base branch: dev

📃 License Details

Apache 2.0
License Reference File: https://index.whitesourcesoftware.com/gri/app/reader/resource/content/asString/cf34de58-3656-4437-bf31-f093eb647c9e

GPL 2.0
License Reference File: https://index.whitesourcesoftware.com/gri/app/reader/resource/content/asString/1f4ed4ce-48af-4a60-9368-bb38dbb3c74f

Mozilla 2.0
License Reference File: https://index.whitesourcesoftware.com/gri/app/reader/resource/content/asString/f2638f89-5648-4e18-b8b9-7c88bc5811b4

    ⛔ License Policy Violation - No GPL

CVE-2022-25647 (High) detected in gson-2.8.6.jar

CVE-2022-25647 - High Severity Vulnerability

Vulnerable Library - gson-2.8.6.jar

Gson JSON library

Library home page: https://github.com/google/gson

Path to dependency file: /jpo-ode-common/pom.xml

Path to vulnerable library: /m2/repository/com/google/code/gson/gson/2.8.6/gson-2.8.6.jar,/home/wss-scanner/.m2/repository/com/google/code/gson/gson/2.8.6/gson-2.8.6.jar,/home/wss-scanner/.m2/repository/com/google/code/gson/gson/2.8.6/gson-2.8.6.jar,/home/wss-scanner/.m2/repository/com/google/code/gson/gson/2.8.6/gson-2.8.6.jar

Dependency Hierarchy:

  • gson-2.8.6.jar (Vulnerable Library)

Found in base branch: dev

Vulnerability Details

The package com.google.code.gson:gson before 2.8.9 are vulnerable to Deserialization of Untrusted Data via the writeReplace() method in internal classes, which may lead to DoS attacks.

Publish Date: 2022-05-01

URL: CVE-2022-25647

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25647

Release Date: 2022-05-01

Fix Resolution: 2.8.9


⛑️ Automatic Remediation will be attempted for this issue.

License Policy Violation detected in jsr311-api-1.1.1.jar

License Policy Violation detected in jsr311-api-1.1.1.jar

Library - jsr311-api-1.1.1.jar

Library home page: https://jsr311.dev.java.net

Path to dependency file: /jpo-ode-svcs/pom.xml

Path to library: /home/wss-scanner/.m2/repository/javax/ws/rs/jsr311-api/1.1.1/jsr311-api-1.1.1.jar,/home/wss-scanner/.m2/repository/javax/ws/rs/jsr311-api/1.1.1/jsr311-api-1.1.1.jar

Dependency Hierarchy:

  • jersey-core-1.19.1.jar (Root Library)
    • jsr311-api-1.1.1.jar (Library containing License Policy Violation)

Found in HEAD commit: b1b93d98c7ec02a197c74276c4808779b43a5745

Found in base branch: dev

📃 License Details

CDDL 1.1
License Reference File: https://index.whitesourcesoftware.com/gri/app/reader/resource/content/asString/4536c631-af26-4900-bd7a-696040f4766c

    ⛔ License Policy Violation - No GPL

CVE-2020-9493 (Critical) detected in log4j-1.2.17.jar

CVE-2020-9493 - Critical Severity Vulnerability

Vulnerable Library - log4j-1.2.17.jar

Apache Log4j 1.2

Path to dependency file: /jpo-ode-svcs/pom.xml

Path to vulnerable library: /m2/repository/log4j/log4j/1.2.17/log4j-1.2.17.jar,/m2/repository/log4j/log4j/1.2.17/log4j-1.2.17.jar,/m2/repository/log4j/log4j/1.2.17/log4j-1.2.17.jar,/m2/repository/log4j/log4j/1.2.17/log4j-1.2.17.jar

Dependency Hierarchy:

  • log4j-1.2.17.jar (Vulnerable Library)

Found in base branch: dev

Vulnerability Details

A deserialization flaw was found in Apache Chainsaw versions prior to 2.1.0 which could lead to malicious code execution.

Publish Date: 2021-06-16

URL: CVE-2020-9493

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.openwall.com/lists/oss-security/2021/06/16/1

Release Date: 2021-06-16

Fix Resolution: ch.qos.reload4j:reload4j:1.2.18.1


⛑️ Automatic Remediation will be attempted for this issue.

CVE-2019-20444 (Critical) detected in netty-3.7.0.Final.jar

CVE-2019-20444 - Critical Severity Vulnerability

Vulnerable Library - netty-3.7.0.Final.jar

The Netty project is an effort to provide an asynchronous event-driven network application framework and tools for rapid development of maintainable high performance and high scalability protocol servers and clients. In other words, Netty is a NIO client server framework which enables quick and easy development of network applications such as protocol servers and clients. It greatly simplifies and streamlines network programming such as TCP and UDP socket server.

Library home page: http://netty.io/

Path to dependency file: /jpo-ode-core/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/io/netty/netty/3.7.0.Final/netty-3.7.0.Final.jar,/home/wss-scanner/.m2/repository/io/netty/netty/3.7.0.Final/netty-3.7.0.Final.jar

Dependency Hierarchy:

  • jpo-ode-core-1.0.10-SNAPSHOT.jar (Root Library)
    • kafka_2.11-0.10.1.0.jar
      • zookeeper-3.4.8.jar
        • netty-3.7.0.Final.jar (Vulnerable Library)

Found in HEAD commit: b1b93d98c7ec02a197c74276c4808779b43a5745

Found in base branch: dev

Vulnerability Details

HttpObjectDecoder.java in Netty before 4.1.44 allows an HTTP header that lacks a colon, which might be interpreted as a separate header with an incorrect syntax, or might be interpreted as an "invalid fold."

Publish Date: 2020-01-29

URL: CVE-2019-20444

CVSS 3 Score Details (9.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20444

Release Date: 2020-01-29

Fix Resolution: io.netty:netty-all:4.1.44.Final

CVE-2021-33037 (Medium) detected in tomcat-embed-core-9.0.46.jar

CVE-2021-33037 - Medium Severity Vulnerability

Vulnerable Library - tomcat-embed-core-9.0.46.jar

Core Tomcat implementation

Library home page: https://tomcat.apache.org/

Path to dependency file: /jpo-ode-core/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/tomcat/embed/tomcat-embed-core/9.0.46/tomcat-embed-core-9.0.46.jar,/home/wss-scanner/.m2/repository/org/apache/tomcat/embed/tomcat-embed-core/9.0.46/tomcat-embed-core-9.0.46.jar,/home/wss-scanner/.m2/repository/org/apache/tomcat/embed/tomcat-embed-core/9.0.46/tomcat-embed-core-9.0.46.jar,/home/wss-scanner/.m2/repository/org/apache/tomcat/embed/tomcat-embed-core/9.0.46/tomcat-embed-core-9.0.46.jar

Dependency Hierarchy:

  • spring-boot-starter-web-2.5.0.jar (Root Library)
    • spring-boot-starter-tomcat-2.5.0.jar
      • tomcat-embed-core-9.0.46.jar (Vulnerable Library)

Found in HEAD commit: b1b93d98c7ec02a197c74276c4808779b43a5745

Found in base branch: dev

Vulnerability Details

Apache Tomcat 10.0.0-M1 to 10.0.6, 9.0.0.M1 to 9.0.46 and 8.5.0 to 8.5.66 did not correctly parse the HTTP transfer-encoding request header in some circumstances leading to the possibility to request smuggling when used with a reverse proxy. Specifically: - Tomcat incorrectly ignored the transfer encoding header if the client declared it would only accept an HTTP/1.0 response; - Tomcat honoured the identity encoding; and - Tomcat did not ensure that, if present, the chunked encoding was the final encoding.

Publish Date: 2021-07-12

URL: CVE-2021-33037

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://lists.apache.org/thread.html/rd84fae1f474597bdf358f5bdc0a5c453c507bd527b83e8be6b5ea3f4%40%3Cannounce.tomcat.apache.org%3E

Release Date: 2021-07-12

Fix Resolution (org.apache.tomcat.embed:tomcat-embed-core): 9.0.48

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 2.5.2


⛑️ Automatic Remediation will be attempted for this issue.
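Both this Tomcat advisory (CVE-2021-33037) and the Netty one above (CVE-2019-20444) are about a server framing a request body differently from the reverse proxy in front of it. The following is an added example, not Tomcat's or Netty's code: a small request-framing parser with a strict mode that applies the RFC 7230 rules and a lenient mode that reproduces the behaviours the advisories list (a colon-less header line folded into the previous header; Transfer-Encoding ignored for an HTTP/1.0 request; a trailing identity coding honoured; chunked accepted anywhere in the list). The two sample requests, the host name and the proxy's assumed behaviour (it honours chunked) are constructed for the example.

```python
from dataclasses import dataclass
from typing import List, Tuple


class FramingError(ValueError):
    """Raised by the strict parser; the right response is 400 and close."""


@dataclass
class Framing:
    chunked: bool
    content_length: int  # ignored when chunked is True


Header = Tuple[bytes, bytes]


def parse_head(raw: bytes, strict: bool) -> Tuple[str, List[Header], bytes]:
    """Split a raw request into (version, headers, bytes after the blank line)."""
    head, _, rest = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    version = lines[0].decode("ascii").split(" ")[2]
    headers: List[Header] = []
    for line in lines[1:]:
        if b":" not in line:
            if strict:
                raise FramingError("header line without a colon: %r" % line)
            # Lenient behaviour of the CVE-2019-20444 class: treat the line as
            # an obs-fold continuation of the previous header's value.
            if headers:
                name, value = headers[-1]
                headers[-1] = (name, value + b" " + line.strip())
            continue
        name, _, value = line.partition(b":")
        headers.append((name.strip().lower(), value.strip()))
    return version, headers, rest


def decide_framing(version: str, headers: List[Header], strict: bool) -> Framing:
    """Choose the body delimiter: RFC 7230 rules (strict) or the lenient ones."""
    te = [v for n, v in headers if n == b"transfer-encoding"]
    cl = [v for n, v in headers if n == b"content-length"]
    codings = [c.strip().lower() for v in te for c in v.split(b",") if c.strip()]
    if codings:
        if strict:
            if version == "HTTP/1.0":
                raise FramingError("Transfer-Encoding in an HTTP/1.0 request")
            if b"identity" in codings:
                raise FramingError("'identity' is not an acceptable transfer coding")
            if codings[-1] != b"chunked":
                raise FramingError("chunked must be the final transfer coding")
            if cl:
                raise FramingError("Transfer-Encoding and Content-Length both present")
            return Framing(chunked=True, content_length=0)
        # lenient: ignore TE for HTTP/1.0, honour a trailing identity, else chunked
        if version != "HTTP/1.0" and codings[-1] != b"identity":
            return Framing(chunked=True, content_length=0)
    if cl:
        if strict and len(set(cl)) > 1:
            raise FramingError("conflicting Content-Length values")
        return Framing(chunked=False, content_length=int(cl[0]))
    return Framing(chunked=False, content_length=0)


def consume_body(framing: Framing, data: bytes) -> bytes:
    """Return the bytes this parser attributes to the current request's body."""
    if not framing.chunked:
        return data[: framing.content_length]
    pos = 0
    while True:
        eol = data.index(b"\r\n", pos)
        size = int(data[pos:eol].split(b";")[0], 16)
        pos = eol + 2
        if size == 0:
            return data[: data.index(b"\r\n", pos) + 2]  # no trailers in the samples
        pos += size + 2  # chunk data plus its CRLF


# Constructed TE.CL desync probe: a proxy that honours chunked sees an 18-byte
# body; a lenient back-end honours the trailing identity coding, reads 3 bytes
# and leaves "SMUGGLED..." as the beginning of the next request on the socket.
DESYNC_REQUEST = (
    b"POST /search HTTP/1.1\r\nHost: ode.example\r\n"
    b"Content-Length: 3\r\nTransfer-Encoding: chunked, identity\r\n\r\n"
    b"8\r\nSMUGGLED\r\n0\r\n\r\n"
)

# Constructed header line without a colon (the Netty advisory's case).
NO_COLON_REQUEST = b"GET / HTTP/1.1\r\nHost: ode.example\r\nX-Forwarded-For 10.0.0.9\r\n\r\n"


def body_lengths_proxy_vs_lenient(raw: bytes = DESYNC_REQUEST) -> Tuple[int, int]:
    version, headers, rest = parse_head(raw, strict=False)
    proxy_view = consume_body(Framing(chunked=True, content_length=0), rest)
    backend_view = consume_body(decide_framing(version, headers, strict=False), rest)
    return len(proxy_view), len(backend_view)


def strict_rejects(raw: bytes) -> bool:
    try:
        version, headers, rest = parse_head(raw, strict=True)
        consume_body(decide_framing(version, headers, strict=True), rest)
    except FramingError:
        return True
    return False


def lenient_header_names(raw: bytes = NO_COLON_REQUEST) -> List[bytes]:
    return [n for n, _ in parse_head(raw, strict=False)[1]]
```

In lenient mode the colon-less line vanishes into the Host value, so a header the proxy meant as a separate field (here a forwarding address) is never seen as one; in strict mode both sample requests are rejected before any body is read. A clean chunked request passes strict mode unchanged, which is the property to keep when upgrading tomcat-embed-core to 9.0.48 or later.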

CVE-2021-36373 (Medium) detected in ant-1.10.9.jar

CVE-2021-36373 - Medium Severity Vulnerability

Vulnerable Library - ant-1.10.9.jar

Library home page: https://ant.apache.org/

Path to dependency file: /jpo-ode-core/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/ant/ant/1.10.9/ant-1.10.9.jar,/home/wss-scanner/.m2/repository/org/apache/ant/ant/1.10.9/ant-1.10.9.jar,/home/wss-scanner/.m2/repository/org/apache/ant/ant/1.10.9/ant-1.10.9.jar,/home/wss-scanner/.m2/repository/org/apache/ant/ant/1.10.9/ant-1.10.9.jar

Dependency Hierarchy:

  • groovy-all-3.0.8-groovydoc.jar (Root Library)
    • groovy-ant-3.0.8.jar
      • ant-1.10.9.jar (Vulnerable Library)

Found in HEAD commit: b1b93d98c7ec02a197c74276c4808779b43a5745

Found in base branch: dev

Vulnerability Details

When reading a specially crafted TAR archive an Apache Ant build can be made to allocate large amounts of memory that finally leads to an out of memory error, even for small inputs. This can be used to disrupt builds using Apache Ant. Apache Ant prior to 1.9.16 and 1.10.11 were affected.

Publish Date: 2021-07-14

URL: CVE-2021-36373

CVSS 3 Score Details (5.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-36373

Release Date: 2021-07-14

Fix Resolution (org.apache.ant:ant): 1.10.11

Direct dependency fix Resolution (org.codehaus.groovy:groovy-all): 3.0.9


⛑️ Automatic Remediation will be attempted for this issue.
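The defensive check a build or ingest pipeline wants against this class of bug is to trust nothing in a TAR header until the declared sizes have been bounded. The following is an added example, not Ant's code and not a reproduction of its specific bug: a header-only walk over a ustar archive that enforces a per-entry and a cumulative size cap before any entry body is read or buffered, and refuses a header whose declared size runs past the end of the archive. The caps, the file names and both sample archives (one benign, one with a header claiming 4 GiB followed by no data) are constructed for the example.

```python
import io
import tarfile
from typing import List, Tuple

BLOCK = 512
MAX_ENTRY_BYTES = 64 * 1024 * 1024    # caps are assumptions for this example
MAX_TOTAL_BYTES = 256 * 1024 * 1024


def header_checksum_ok(header: bytes) -> bool:
    stored = int(header[148:156].strip(b"\0 ") or b"0", 8)
    # The checksum field itself is summed as eight ASCII spaces (8 * 0x20 = 256).
    return stored == sum(header[:148]) + 256 + sum(header[156:])


def declared_size(header: bytes) -> int:
    field = header[124:136]
    if field[0] & 0x80:  # GNU base-256 extension for sizes that overflow octal
        return int.from_bytes(field[1:], "big")
    return int(field.strip(b"\0 ") or b"0", 8)


def audit_tar(data: bytes) -> List[Tuple[str, int]]:
    """Walk only the 512-byte headers and enforce the size caps before any entry
    body is read; raise ValueError on the first violation."""
    offset, total, accepted = 0, 0, []
    while offset + BLOCK <= len(data):
        header = data[offset:offset + BLOCK]
        if header == b"\0" * BLOCK:
            break  # end-of-archive marker
        if not header_checksum_ok(header):
            raise ValueError("bad header checksum at offset %d" % offset)
        name = header[:100].rstrip(b"\0").decode("utf-8", "replace")
        size = declared_size(header)
        if size > MAX_ENTRY_BYTES:
            raise ValueError("%s: declared size %d exceeds per-entry cap" % (name, size))
        total += size
        if total > MAX_TOTAL_BYTES:
            raise ValueError("%s: cumulative size %d exceeds archive cap" % (name, total))
        if offset + BLOCK + size > len(data):
            raise ValueError("%s: declared size runs past the end of the archive" % name)
        accepted.append((name, size))
        offset += BLOCK + ((size + BLOCK - 1) // BLOCK) * BLOCK
    return accepted


def is_safe_tar(data: bytes) -> bool:
    try:
        audit_tar(data)
    except ValueError:
        return False
    return True


def build_benign_tar() -> bytes:
    """Constructed sample archive with one small file."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.USTAR_FORMAT) as tf:
        payload = b"hello ode\n"
        info = tarfile.TarInfo("build/notes.txt")
        info.size = len(payload)
        tf.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


def build_crafted_tar() -> bytes:
    """Constructed hostile input: a well-formed header whose size field claims
    4 GiB, followed by no data, so the whole file is 1.5 KiB on disk."""
    info = tarfile.TarInfo("build/huge.bin")
    info.size = 4 * 1024 ** 3
    return info.tobuf(tarfile.USTAR_FORMAT) + b"\0" * (2 * BLOCK)
```

The last check (declared size against the archive length) is the cheap one to keep when the archive is a file of known size; the caps are what protect a streaming reader that cannot know the total length up front. Note that in this repository the vulnerable ant jar is reached only through groovy-all, so the fix is the direct-dependency bump to groovy-all 3.0.9 rather than a local pin of ant.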

License Policy Violation detected in rocksdbjni-5.18.4.jar

License Policy Violation detected in rocksdbjni-5.18.4.jar

Library - rocksdbjni-5.18.4.jar

RocksDB fat jar that contains .so files for linux32 and linux64, jnilib files for Mac OSX, and a .dll for Windows x64.

Library home page: http://rocksdb.org/

Path to dependency file: /jpo-ode-core/pom.xml

Path to library: /home/wss-scanner/.m2/repository/org/rocksdb/rocksdbjni/5.18.4/rocksdbjni-5.18.4.jar,/home/wss-scanner/.m2/repository/org/rocksdb/rocksdbjni/5.18.4/rocksdbjni-5.18.4.jar

Dependency Hierarchy:

  • jpo-ode-core-1.0.10-SNAPSHOT.jar (Root Library)
    • kafka-streams-2.7.1.jar
      • rocksdbjni-5.18.4.jar (Library containing License Policy Violation)

Found in HEAD commit: b1b93d98c7ec02a197c74276c4808779b43a5745

Found in base branch: dev

📃 License Details

Apache 2.0
License Reference File: https://index.whitesourcesoftware.com/gri/app/reader/resource/content/asString/cf34de58-3656-4437-bf31-f093eb647c9e

GPL 2.0
License Reference File: https://index.whitesourcesoftware.com/gri/app/reader/resource/content/asString/1f4ed4ce-48af-4a60-9368-bb38dbb3c74f

    ⛔ License Policy Violation - No GPL

WS-2021-0491 (Medium) detected in logback-classic-1.2.3.jar - autoclosed

WS-2021-0491 - Medium Severity Vulnerability

Vulnerable Library - logback-classic-1.2.3.jar

logback-classic module

Library home page: http://logback.qos.ch

Path to dependency file: jpo-ode/jpo-ode-core/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/ch/qos/logback/logback-classic/1.2.3/logback-classic-1.2.3.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-classic/1.2.3/logback-classic-1.2.3.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-classic/1.2.3/logback-classic-1.2.3.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-classic/1.2.3/logback-classic-1.2.3.jar

Dependency Hierarchy:

  • spring-boot-starter-2.5.0.jar (Root Library)
    • spring-boot-starter-logging-2.5.0.jar
      • logback-classic-1.2.3.jar (Vulnerable Library)

Found in base branch: dev

Vulnerability Details

LOGBack before 1.2.8 is vulnerable to Remote-Code-Execution (RCE) when the write access to 'logback.xml' and JNDI lookup are enabled.

Publish Date: 2021-12-13

URL: WS-2021-0491

CVSS 3 Score Details (6.6)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: High
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: http://logback.qos.ch/news.html

Release Date: 2021-12-13

Fix Resolution: ch.qos.logback:logback-classic:1.2.8

CVE-2017-5637 (High) detected in zookeeper-3.4.8.jar

CVE-2017-5637 - High Severity Vulnerability

Vulnerable Library - zookeeper-3.4.8.jar

Path to dependency file: /jpo-ode-svcs/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/zookeeper/zookeeper/3.4.8/zookeeper-3.4.8.jar,/home/wss-scanner/.m2/repository/org/apache/zookeeper/zookeeper/3.4.8/zookeeper-3.4.8.jar

Dependency Hierarchy:

  • jpo-ode-core-1.0.10-SNAPSHOT.jar (Root Library)
    • kafka_2.11-0.10.1.0.jar
      • zookeeper-3.4.8.jar (Vulnerable Library)

Found in HEAD commit: b1b93d98c7ec02a197c74276c4808779b43a5745

Found in base branch: dev

Vulnerability Details

Two four letter word commands "wchp/wchc" are CPU intensive and could cause spike of CPU utilization on Apache ZooKeeper server if abused, which leads to the server unable to serve legitimate client requests. Apache ZooKeeper through version 3.4.9 and 3.5.2 suffer from this issue, fixed in 3.4.10, 3.5.3, and later.

Publish Date: 2017-10-10

URL: CVE-2017-5637

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5637

Release Date: 2017-10-09

Fix Resolution: org.apache.zookeeper:zookeeper - 3.4.10,3.5.3-beta

CVE-2018-8012 (High) detected in zookeeper-3.4.8.jar

CVE-2018-8012 - High Severity Vulnerability

Vulnerable Library - zookeeper-3.4.8.jar

Path to dependency file: /jpo-ode-svcs/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/zookeeper/zookeeper/3.4.8/zookeeper-3.4.8.jar,/home/wss-scanner/.m2/repository/org/apache/zookeeper/zookeeper/3.4.8/zookeeper-3.4.8.jar

Dependency Hierarchy:

  • jpo-ode-core-1.0.10-SNAPSHOT.jar (Root Library)
    • kafka_2.11-0.10.1.0.jar
      • zookeeper-3.4.8.jar (Vulnerable Library)

Found in HEAD commit: b1b93d98c7ec02a197c74276c4808779b43a5745

Found in base branch: dev

Vulnerability Details

No authentication/authorization is enforced when a server attempts to join a quorum in Apache ZooKeeper before 3.4.10, and 3.5.0-alpha through 3.5.3-beta. As a result an arbitrary end point could join the cluster and begin propagating counterfeit changes to the leader.

Publish Date: 2018-05-21

URL: CVE-2018-8012

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8012

Release Date: 2018-05-21

Fix Resolution: 3.4.10,3.5.4-beta

CVE-2021-22060 (Medium) detected in spring-web-5.3.7.jar, spring-core-5.3.7.jar

CVE-2021-22060 - Medium Severity Vulnerability

Vulnerable Libraries - spring-web-5.3.7.jar, spring-core-5.3.7.jar

spring-web-5.3.7.jar

Spring Web

Library home page: https://github.com/spring-projects/spring-framework

Path to dependency file: /jpo-ode-svcs/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-web/5.3.7/spring-web-5.3.7.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-web/5.3.7/spring-web-5.3.7.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-web/5.3.7/spring-web-5.3.7.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-web/5.3.7/spring-web-5.3.7.jar

Dependency Hierarchy:

  • spring-boot-starter-web-2.5.0.jar (Root Library)
    • spring-web-5.3.7.jar (Vulnerable Library)

spring-core-5.3.7.jar

Spring Core

Library home page: https://github.com/spring-projects/spring-framework

Path to dependency file: /jpo-ode-core/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-core/5.3.7/spring-core-5.3.7.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-core/5.3.7/spring-core-5.3.7.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-core/5.3.7/spring-core-5.3.7.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-core/5.3.7/spring-core-5.3.7.jar

Dependency Hierarchy:

  • spring-boot-starter-2.5.0.jar (Root Library)
    • spring-core-5.3.7.jar (Vulnerable Library)

Found in base branch: dev

Vulnerability Details

In Spring Framework versions 5.3.0 - 5.3.13, 5.2.0 - 5.2.18, and older unsupported versions, it is possible for a user to provide malicious input to cause the insertion of additional log entries. This is a follow-up to CVE-2021-22096 that protects against additional types of input and in more places of the Spring Framework codebase.

Publish Date: 2022-01-10

URL: CVE-2021-22060

CVSS 3 Score Details (4.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://spring.io/security/cve-2021-22060

Release Date: 2022-01-10

Fix Resolution (org.springframework:spring-web): 5.3.14

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 2.5.8

Fix Resolution (org.springframework:spring-core): 5.3.14

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter): 2.5.8


⛑️ Automatic Remediation will be attempted for this issue.
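This advisory and CVE-2021-22096 above both describe log injection: user input containing line terminators is written into a text log and shows up as extra, attacker-authored entries. The following is an added example, not Spring's code and not code from this project, showing the effect and two ways to close it: escaping control and line-separator characters before formatting a text line, and emitting one JSON object per line so every field is escaped by construction. The log line format, the thread names and the attacker-supplied username are constructed for the example.

```python
import json
import re
from typing import List, Tuple

# Pattern of the text log format used below: timestamp, level, thread, message.
ENTRY = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (\w+)\s+\[([^\]]+)\] (.*)$")

# C0 controls, DEL, NEL and the Unicode line/paragraph separators: everything
# str.splitlines() and most log shippers treat as an entry boundary.
LINE_BREAKERS = re.compile(r"[\x00-\x1f\x7f\x85\u2028\u2029]")


def format_unsafe(ts: str, level: str, thread: str, message: str) -> str:
    """Writes attacker-influenced text straight into the line (the advisory's bug)."""
    return f"{ts} {level:<5} [{thread}] {message}"


def neutralize(value: str) -> str:
    """Escape every line-breaking or control character so a value can neither
    end the current entry nor start a new one; the bytes stay visible for forensics."""
    return LINE_BREAKERS.sub(lambda m: "\\x%02x" % ord(m.group()), value)


def format_safe(ts: str, level: str, thread: str, message: str) -> str:
    return format_unsafe(ts, level, thread, neutralize(message))


def format_json(ts: str, level: str, thread: str, message: str) -> str:
    """Structured alternative: one JSON object per line, every field escaped."""
    return json.dumps({"ts": ts, "level": level, "thread": thread, "msg": message})


def parse_entries(text: str) -> List[Tuple[str, str, str, str]]:
    """What a log pipeline or analyst sees: one tuple per syntactically valid entry."""
    out = []
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:
            out.append(m.groups())
    return out


# Constructed attacker input: a username taken from a request and echoed into
# "Login failed for <user>". The payload forges a successful admin login.
ATTACKER_USERNAME = (
    "bob\r\n2022-01-10 10:00:01 INFO  [http-nio-8080-exec-3] Login succeeded for admin"
)
TS, THREAD = "2022-01-10 10:00:00", "http-nio-8080-exec-1"


def entries_unsafe() -> List[Tuple[str, str, str, str]]:
    line = format_unsafe(TS, "WARN", THREAD, f"Login failed for {ATTACKER_USERNAME}")
    return parse_entries(line)  # two entries, the second one forged


def entries_safe() -> List[Tuple[str, str, str, str]]:
    line = format_safe(TS, "WARN", THREAD, f"Login failed for {ATTACKER_USERNAME}")
    return parse_entries(line)  # one entry with the escaped payload inside it


def json_roundtrip_message() -> str:
    line = format_json(TS, "WARN", THREAD, f"Login failed for {ATTACKER_USERNAME}")
    assert "\n" not in line and "\r" not in line  # the boundary survives intact
    return json.loads(line)["msg"]
```

The forged entry in the unsafe output is indistinguishable from a real one once written, which is why the fix has to happen at formatting time rather than in a downstream detector. Upgrading the Spring starters to 2.5.8 applies the framework's own encoding in the places the advisory lists; application code that logs request data through other paths still needs the same treatment.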

CVE-2022-22950 (Medium) detected in spring-expression-5.3.7.jar

CVE-2022-22950 - Medium Severity Vulnerability

Vulnerable Library - spring-expression-5.3.7.jar

Spring Expression Language (SpEL)

Library home page: https://github.com/spring-projects/spring-framework

Path to dependency file: /jpo-ode-svcs/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-expression/5.3.7/spring-expression-5.3.7.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-expression/5.3.7/spring-expression-5.3.7.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-expression/5.3.7/spring-expression-5.3.7.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-expression/5.3.7/spring-expression-5.3.7.jar

Dependency Hierarchy:

  • spring-boot-starter-web-2.5.0.jar (Root Library)
    • spring-webmvc-5.3.7.jar
      • spring-expression-5.3.7.jar (Vulnerable Library)

Found in base branch: dev

Vulnerability Details

In Spring Framework versions 5.3.0 - 5.3.16 and older unsupported versions, it is possible for a user to provide a specially crafted SpEL expression that may cause a denial of service condition.

Publish Date: 2022-04-01

URL: CVE-2022-22950

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://tanzu.vmware.com/security/cve-2022-22950

Release Date: 2022-04-01

Fix Resolution (org.springframework:spring-expression): 5.3.17

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 2.5.11


⛑️ Automatic Remediation will be attempted for this issue.

CVE-2019-0201 (Medium) detected in zookeeper-3.4.8.jar

CVE-2019-0201 - Medium Severity Vulnerability

Vulnerable Library - zookeeper-3.4.8.jar

Path to dependency file: /jpo-ode-svcs/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/zookeeper/zookeeper/3.4.8/zookeeper-3.4.8.jar,/home/wss-scanner/.m2/repository/org/apache/zookeeper/zookeeper/3.4.8/zookeeper-3.4.8.jar

Dependency Hierarchy:

  • jpo-ode-core-1.0.10-SNAPSHOT.jar (Root Library)
    • kafka_2.11-0.10.1.0.jar
      • zookeeper-3.4.8.jar (Vulnerable Library)

Found in HEAD commit: b1b93d98c7ec02a197c74276c4808779b43a5745

Found in base branch: dev

Vulnerability Details

An issue is present in Apache ZooKeeper 1.0.0 to 3.4.13 and 3.5.0-alpha to 3.5.4-beta. ZooKeeper's getACL() command doesn't check any permission when it retrieves the ACLs of the requested node, and it returns all information contained in the ACL Id field as a plaintext string. DigestAuthenticationProvider overloads the Id field with the hash value that is used for user authentication. As a consequence, if Digest Authentication is in use, the unsalted hash value will be disclosed by a getACL() request from unauthenticated or unprivileged users.

Publish Date: 2019-05-23

URL: CVE-2019-0201

CVSS 3 Score Details (5.9)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://zookeeper.apache.org/security.html

Release Date: 2019-05-23

Fix Resolution: 3.4.14, 3.5.5

WS-2022-0107 (High) detected in spring-beans-5.3.7.jar - autoclosed

WS-2022-0107 - High Severity Vulnerability

Vulnerable Library - spring-beans-5.3.7.jar

Spring Beans

Library home page: https://github.com/spring-projects/spring-framework

Path to dependency file: /jpo-ode-svcs/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-beans/5.3.7/spring-beans-5.3.7.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-beans/5.3.7/spring-beans-5.3.7.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-beans/5.3.7/spring-beans-5.3.7.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-beans/5.3.7/spring-beans-5.3.7.jar

Dependency Hierarchy:

  • spring-messaging-5.3.7.jar (Root Library)
    • spring-beans-5.3.7.jar (Vulnerable Library)

Found in base branch: dev

Vulnerability Details

Spring Framework before 5.2.20 and 5.3.x before 5.3.18 are vulnerable due to a vulnerability in Spring-beans which allows attackers under certain circumstances to achieve remote code execution. This vulnerability is also known as "Spring4Shell" or "SpringShell".

The current POC related to the attack is done by creating a specially crafted request which manipulates ClassLoader to successfully achieve RCE (Remote Code Execution).
Please note that the ease of exploitation may diverge by the code implementation.

Currently, the exploit requires JDK 9 or higher, Apache Tomcat as the Servlet container, the application packaged as a WAR, and a dependency on spring-webmvc or spring-webflux.
Spring Framework 5.3.18 and 5.2.20 have already been released.

WhiteSource’s research team is carefully observing developments and researching the case. We will keep updating this page and our WhiteSource resources with updates.
This is a temporary WhiteSource ID until an official CVE ID will be released.

Publish Date: 2022-03-30

URL: WS-2022-0107

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement

Release Date: 2022-03-30

Fix Resolution: org.springframework:spring-beans:5.2.20.RELEASE,5.3.18

License Policy Violation detected in jakarta.annotation-api-1.3.5.jar

License Policy Violation detected in jakarta.annotation-api-1.3.5.jar

Library - jakarta.annotation-api-1.3.5.jar

Jakarta Annotations API

Library home page: https://projects.eclipse.org/projects/ee4j.ca

Path to dependency file: /jpo-ode-common/pom.xml

Path to library: /home/wss-scanner/.m2/repository/jakarta/annotation/jakarta.annotation-api/1.3.5/jakarta.annotation-api-1.3.5.jar,/home/wss-scanner/.m2/repository/jakarta/annotation/jakarta.annotation-api/1.3.5/jakarta.annotation-api-1.3.5.jar,/home/wss-scanner/.m2/repository/jakarta/annotation/jakarta.annotation-api/1.3.5/jakarta.annotation-api-1.3.5.jar,/home/wss-scanner/.m2/repository/jakarta/annotation/jakarta.annotation-api/1.3.5/jakarta.annotation-api-1.3.5.jar

Dependency Hierarchy:

  • spring-boot-starter-2.5.0.jar (Root Library)
    • jakarta.annotation-api-1.3.5.jar (Library containing License Policy Violation)

Found in HEAD commit: b1b93d98c7ec02a197c74276c4808779b43a5745

Found in base branch: dev

📃 License Details

Eclipse 2.0
License Reference File: https://index.whitesourcesoftware.com/gri/app/reader/resource/content/asString/67cc8d70-b680-4b02-9ebd-12aedc62fdcb

GPL 2.0 Classpath
License Reference File: https://index.whitesourcesoftware.com/gri/app/reader/resource/content/asString/e96c8fbd-cb83-4584-9141-6ce6630e023b

    ⛔ License Policy Violation - No GPL

CVE-2021-42550 (Medium) detected in logback-core-1.2.3.jar, logback-classic-1.2.3.jar

CVE-2021-42550 - Medium Severity Vulnerability

Vulnerable Libraries - logback-core-1.2.3.jar, logback-classic-1.2.3.jar

logback-core-1.2.3.jar

logback-core module

Library home page: http://logback.qos.ch

Path to dependency file: /jpo-ode-common/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.2.3/logback-core-1.2.3.jar,/m2/repository/ch/qos/logback/logback-core/1.2.3/logback-core-1.2.3.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.2.3/logback-core-1.2.3.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.2.3/logback-core-1.2.3.jar

Dependency Hierarchy:

  • logback-core-1.2.3.jar (Vulnerable Library)

logback-classic-1.2.3.jar

logback-classic module

Library home page: http://logback.qos.ch

Path to dependency file: /jpo-ode-core/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/ch/qos/logback/logback-classic/1.2.3/logback-classic-1.2.3.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-classic/1.2.3/logback-classic-1.2.3.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-classic/1.2.3/logback-classic-1.2.3.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-classic/1.2.3/logback-classic-1.2.3.jar

Dependency Hierarchy:

  • spring-boot-starter-2.5.0.jar (Root Library)
    • spring-boot-starter-logging-2.5.0.jar
      • logback-classic-1.2.3.jar (Vulnerable Library)

Found in base branch: dev

Vulnerability Details

In logback version 1.2.7 and prior versions, an attacker with the required privileges to edit configuration files could craft a malicious configuration allowing arbitrary code loaded from LDAP servers to be executed.
Mend Note: Converted from WS-2021-0491, on 2022-11-07.

Publish Date: 2021-12-16

URL: CVE-2021-42550

CVSS 3 Score Details (6.6)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: High
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42550

Release Date: 2021-12-16

Fix Resolution (ch.qos.logback:logback-classic): 1.2.8

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter): 2.5.8


⛑️ Automatic Remediation will be attempted for this issue.

CVE-2021-38153 (Medium) detected in kafka-clients-2.7.1.jar

CVE-2021-38153 - Medium Severity Vulnerability

Vulnerable Library - kafka-clients-2.7.1.jar

Library home page: https://kafka.apache.org

Path to dependency file: /jpo-ode-core/pom.xml

Path to vulnerable library: /m2/repository/org/apache/kafka/kafka-clients/2.7.1/kafka-clients-2.7.1.jar,/home/wss-scanner/.m2/repository/org/apache/kafka/kafka-clients/2.7.1/kafka-clients-2.7.1.jar

Dependency Hierarchy:

  • kafka-clients-2.7.1.jar (Vulnerable Library)

Found in HEAD commit: b1b93d98c7ec02a197c74276c4808779b43a5745

Found in base branch: dev

Vulnerability Details

Some components in Apache Kafka use Arrays.equals to validate a password or key, which is vulnerable to timing attacks that make brute force attacks for such credentials more likely to be successful. Users should upgrade to 2.8.1 or higher, or 3.0.0 or higher where this vulnerability has been fixed. The affected versions include Apache Kafka 2.0.0, 2.0.1, 2.1.0, 2.1.1, 2.2.0, 2.2.1, 2.2.2, 2.3.0, 2.3.1, 2.4.0, 2.4.1, 2.5.0, 2.5.1, 2.6.0, 2.6.1, 2.6.2, 2.7.0, 2.7.1, and 2.8.0.

Publish Date: 2021-09-22

URL: CVE-2021-38153

CVSS 3 Score Details (5.9)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-38153

Release Date: 2021-09-22

Fix Resolution: 2.7.2


⛑️ Automatic Remediation will be attempted for this issue.

License Policy Violation detected in jaxb-api-2.3.1.jar

License Policy Violation detected in jaxb-api-2.3.1.jar

Library - jaxb-api-2.3.1.jar

JAXB (JSR 222) API

Path to dependency file: /jpo-ode-plugins/pom.xml

Path to library: /home/wss-scanner/.m2/repository/javax/xml/bind/jaxb-api/2.3.1/jaxb-api-2.3.1.jar,/m2/repository/javax/xml/bind/jaxb-api/2.3.1/jaxb-api-2.3.1.jar,/home/wss-scanner/.m2/repository/javax/xml/bind/jaxb-api/2.3.1/jaxb-api-2.3.1.jar,/m2/repository/javax/xml/bind/jaxb-api/2.3.1/jaxb-api-2.3.1.jar

Dependency Hierarchy:

  • jaxb-api-2.3.1.jar (Library containing License Policy Violation)

Found in HEAD commit: b1b93d98c7ec02a197c74276c4808779b43a5745

Found in base branch: dev

📃 License Details

CDDL 1.1
License Reference File: https://index.whitesourcesoftware.com/gri/app/reader/resource/content/asString/4536c631-af26-4900-bd7a-696040f4766c

GPL 2.0 Classpath
License Reference File: https://github.com/javaee/jaxb-spec/blob/master/LICENSE.txt

    ⛔ License Policy Violation - No GPL

CVE-2021-29425 (Medium) detected in commons-io-2.4.jar

CVE-2021-29425 - Medium Severity Vulnerability

Vulnerable Library - commons-io-2.4.jar

The Commons IO library contains utility classes, stream implementations, file filters, file comparators, endian transformation classes, and much more.

Library home page: http://commons.apache.org/io/

Path to dependency file: /jpo-ode-core/pom.xml

Path to vulnerable library: /m2/repository/commons-io/commons-io/2.4/commons-io-2.4.jar,/home/wss-scanner/.m2/repository/commons-io/commons-io/2.4/commons-io-2.4.jar

Dependency Hierarchy:

  • commons-io-2.4.jar (Vulnerable Library)

Found in HEAD commit: b1b93d98c7ec02a197c74276c4808779b43a5745

Found in base branch: dev

Vulnerability Details

In Apache Commons IO before 2.7, when invoking the method FileNameUtils.normalize with an improper input string, like "//../foo" or "\..\foo", the result would be the same value, thus possibly providing access to files in the parent directory, but not further above (thus "limited" path traversal), if the calling code would use the result to construct a path value.

Publish Date: 2021-04-13

URL: CVE-2021-29425

CVSS 3 Score Details (4.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29425

Release Date: 2021-04-13

Fix Resolution: 2.7


⛑️ Automatic Remediation will be attempted for this issue.

WS-2021-0616 (Medium) detected in jackson-databind-2.12.3.jar

WS-2021-0616 - Medium Severity Vulnerability

Vulnerable Library - jackson-databind-2.12.3.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /jpo-ode-common/pom.xml

Path to vulnerable library: /m2/repository/com/fasterxml/jackson/core/jackson-databind/2.12.3/jackson-databind-2.12.3.jar,/home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.12.3/jackson-databind-2.12.3.jar,/home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.12.3/jackson-databind-2.12.3.jar,/home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.12.3/jackson-databind-2.12.3.jar

Dependency Hierarchy:

  • jackson-databind-2.12.3.jar (Vulnerable Library)

Found in base branch: dev

Vulnerability Details

In FasterXML jackson-databind before 2.12.6 and 2.13.1, there is a DoS when using JDK serialization to serialize JsonNode.

Publish Date: 2021-11-20

URL: WS-2021-0616

CVSS 3 Score Details (5.9)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2021-11-20

Fix Resolution: 2.12.4


⛑️ Automatic Remediation will be attempted for this issue.

CVE-2021-36374 (Medium) detected in ant-1.10.9.jar

CVE-2021-36374 - Medium Severity Vulnerability

Vulnerable Library - ant-1.10.9.jar

Library home page: https://ant.apache.org/

Path to dependency file: /jpo-ode-core/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/ant/ant/1.10.9/ant-1.10.9.jar,/home/wss-scanner/.m2/repository/org/apache/ant/ant/1.10.9/ant-1.10.9.jar,/home/wss-scanner/.m2/repository/org/apache/ant/ant/1.10.9/ant-1.10.9.jar,/home/wss-scanner/.m2/repository/org/apache/ant/ant/1.10.9/ant-1.10.9.jar

Dependency Hierarchy:

  • groovy-all-3.0.8-groovydoc.jar (Root Library)
    • groovy-ant-3.0.8.jar
      • ant-1.10.9.jar (Vulnerable Library)

Found in HEAD commit: b1b93d98c7ec02a197c74276c4808779b43a5745

Found in base branch: dev

Vulnerability Details

When reading a specially crafted ZIP archive, or derived formats, an Apache Ant build can be made to allocate large amounts of memory, leading to an out-of-memory error, even for small inputs. This can be used to disrupt builds using Apache Ant. Commonly used derived formats from ZIP archives are, for instance, JAR files and many office files. Apache Ant prior to 1.9.16 and 1.10.11 was affected.

Publish Date: 2021-07-14

URL: CVE-2021-36374

CVSS 3 Score Details (5.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://ant.apache.org/security.html

Release Date: 2021-07-14

Fix Resolution (org.apache.ant:ant): 1.10.11

Direct dependency fix Resolution (org.codehaus.groovy:groovy-all): 3.0.9


⛑️ Automatic Remediation will be attempted for this issue.

CVE-2019-11358 (Medium) detected in jquery-2.1.1.jar

CVE-2019-11358 - Medium Severity Vulnerability

Vulnerable Library - jquery-2.1.1.jar

WebJar for jQuery

Library home page: http://webjars.org

Path to dependency file: /jpo-ode-core/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/webjars/jquery/2.1.1/jquery-2.1.1.jar,/m2/repository/org/webjars/jquery/2.1.1/jquery-2.1.1.jar,/home/wss-scanner/.m2/repository/org/webjars/jquery/2.1.1/jquery-2.1.1.jar,/home/wss-scanner/.m2/repository/org/webjars/jquery/2.1.1/jquery-2.1.1.jar

Dependency Hierarchy:

  • jquery-2.1.1.jar (Vulnerable Library)

Found in HEAD commit: b1b93d98c7ec02a197c74276c4808779b43a5745

Found in base branch: dev

Vulnerability Details

jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable __proto__ property, it could extend the native Object.prototype.

Publish Date: 2019-04-20

URL: CVE-2019-11358

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11358

Release Date: 2019-04-20

Fix Resolution: 3.4.0


⛑️ Automatic Remediation will be attempted for this issue.
