Dependency-Check is an open source tool performing a best effort analysis of 3rd party dependencies; false positives and false negatives may exist in the analysis performed by the tool. Use of the tool and the reporting provided constitutes acceptance for use in an AS IS condition, and there are NO warranties, implied or otherwise, with regard to the analysis or its use. Any use of the tool and the reporting provided is at the user’s risk. In no event shall the copyright holder or OWASP be held liable for any damages whatsoever arising out of or in connection with the use of this tool, the analysis performed, or the resulting report.

Project: Waarp Administrator

Waarp:WaarpAdministrator:3.5.2

Summary

| Dependency | Vulnerability IDs | Package | Highest Severity | CVE Count | Confidence | Evidence Count |
|---|---|---|---|---|---|---|
| XML-APIS-2.5.0.jar | | pkg:maven/XML-APIS/XML-APIS@2.5.0 | | 0 | | 34 |
| XMLEditor-2.2.jar | | pkg:maven/XMLEditor/XMLEditor@2.2 | | 0 | | 11 |
| Xerces-2.5.0.jar | | pkg:maven/Xerces/Xerces@2.5.0 | | 0 | | 37 |
| aopalliance-repackaged-2.5.0-b32.jar | | pkg:maven/org.glassfish.hk2.external/aopalliance-repackaged@2.5.0-b32 | | 0 | | 21 |
| commons-beanutils-1.9.4.jar | cpe:2.3:a:apache:commons_beanutils:1.9.4:*:*:*:*:*:*:* | pkg:maven/commons-beanutils/commons-beanutils@1.9.4 | | 0 | Highest | 41 |
| commons-cli-1.4.jar | | pkg:maven/commons-cli/commons-cli@1.4 | | 0 | | 40 |
| commons-codec-1.15.jar | | pkg:maven/commons-codec/commons-codec@1.15 | | 0 | | 41 |
| commons-collections-3.2.2.jar | cpe:2.3:a:apache:commons_collections:3.2.2:*:*:*:*:*:*:* | pkg:maven/commons-collections/commons-collections@3.2.2 | | 0 | Highest | 41 |
| commons-compress-1.20.jar | cpe:2.3:a:apache:commons-compress:1.20:*:*:*:*:*:*:*; cpe:2.3:a:apache:commons_compress:1.20:*:*:*:*:*:*:* | pkg:maven/org.apache.commons/commons-compress@1.20 | | 0 | Highest | 45 |
| commons-daemon-1.2.4.jar | cpe:2.3:a:apache:apache_commons_daemon:1.2.4:*:*:*:*:*:*:* | pkg:maven/commons-daemon/commons-daemon@1.2.4 | | 0 | Low | 43 |
| commons-dbcp-1.4.jar | | pkg:maven/commons-dbcp/commons-dbcp@1.4 | | 0 | | 35 |
| commons-exec-1.3.jar | | pkg:maven/org.apache.commons/commons-exec@1.3 | | 0 | | 39 |
| commons-io-2.6.jar | | pkg:maven/commons-io/commons-io@2.6 | | 0 | | 40 |
| commons-logging-1.2.jar | | pkg:maven/commons-logging/commons-logging@1.2 | | 0 | | 36 |
| commons-net-3.6-ftp.jar | | pkg:maven/commons-net/commons-net@3.6 | | 0 | | 27 |
| commons-pool-1.6.jar | | pkg:maven/commons-pool/commons-pool@1.6 | | 0 | | 36 |
| dom4j-2.0.3.jar | cpe:2.3:a:dom4j_project:dom4j:2.0.3:*:*:*:*:*:*:* | pkg:maven/org.dom4j/dom4j@2.0.3 | | 0 | Highest | 16 |
| ftp4j-1.7.2.jar | | pkg:maven/it.sauronsoftware/ftp4j@1.7.2 | | 0 | | 19 |
| guava-20.0.jar | cpe:2.3:a:google:guava:20.0:*:*:*:*:*:*:* | pkg:maven/com.google.guava/guava@20.0 | MEDIUM | 2 | Highest | 24 |
| h2-1.4.191.jar | cpe:2.3:a:h2database:h2:1.4.191:*:*:*:*:*:*:* | pkg:maven/com.h2database/h2@1.4.191 | | 0 | Highest | 30 |
| h2-1.4.191.jar: data.zip: table.js | | | | 0 | | 0 |
| h2-1.4.191.jar: data.zip: tree.js | | | | 0 | | 0 |
| hk2-api-2.5.0-b32.jar | | pkg:maven/org.glassfish.hk2/hk2-api@2.5.0-b32 | | 0 | | 25 |
| hk2-locator-2.5.0-b32.jar | | pkg:maven/org.glassfish.hk2/hk2-locator@2.5.0-b32 | | 0 | | 21 |
| hk2-utils-2.5.0-b32.jar | cpe:2.3:a:oracle:utilities_framework:2.5.0.b32:*:*:*:*:*:*:* | pkg:maven/org.glassfish.hk2/hk2-utils@2.5.0-b32 | | 0 | Low | 29 |
| hk2-utils-2.5.0-b32.jar (shaded: org.jvnet:tiger-types:1.4) | | pkg:maven/org.jvnet/tiger-types@1.4 | | 0 | | 12 |
| httpclient-4.5.13.jar | cpe:2.3:a:apache:httpclient:4.5.13:*:*:*:*:*:*:* | pkg:maven/org.apache.httpcomponents/httpclient@4.5.13 | | 0 | Highest | 34 |
| httpcore-4.4.14.jar | | pkg:maven/org.apache.httpcomponents/httpcore@4.4.14 | | 0 | | 34 |
| jackson-core-2.7.9.jar | cpe:2.3:a:fasterxml:jackson-modules-java8:2.7.9:*:*:*:*:*:*:* | pkg:maven/com.fasterxml.jackson.core/jackson-core@2.7.9 | MEDIUM | 1 | Low | 46 |
| jackson-databind-2.7.9.6.jar | cpe:2.3:a:fasterxml:jackson-databind:2.7.9.6:*:*:*:*:*:*:*; cpe:2.3:a:fasterxml:jackson-modules-java8:2.7.9.6:*:*:*:*:*:*:* | pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.7.9.6 | CRITICAL | 32 | Highest | 42 |
| jackson-dataformat-smile-2.7.9.jar | cpe:2.3:a:fasterxml:jackson-dataformat-xml:2.7.9:*:*:*:*:*:*:* | pkg:maven/com.fasterxml.jackson.dataformat/jackson-dataformat-smile@2.7.9 | | 0 | Highest | 42 |
| jakarta.activation-api-1.2.1.jar | | pkg:maven/jakarta.activation/jakarta.activation-api@1.2.1 | | 0 | | 32 |
| javassist-3.25.0-GA.jar | | pkg:maven/org.javassist/javassist@3.25.0-GA | | 0 | | 26 |
| javax.activation-1.2.0.jar | | pkg:maven/com.sun.activation/javax.activation@1.2.0 | | 0 | | 42 |
| javax.annotation-api-1.2.jar | | pkg:maven/javax.annotation/javax.annotation-api@1.2 | | 0 | | 37 |
| javax.inject-2.5.0-b32.jar | | pkg:maven/org.glassfish.hk2.external/javax.inject@2.5.0-b32 | | 0 | | 23 |
| javax.ws.rs-api-2.0.1.jar | cpe:2.3:a:oracle:web_services:2.0.1:*:*:*:*:*:*:* | pkg:maven/javax.ws.rs/javax.ws.rs-api@2.0.1 | | 0 | Low | 41 |
| jaxb-api-2.2.12.jar | | pkg:maven/javax.xml.bind/jaxb-api@2.2.12 | | 0 | | 42 |
| jaxb-core-2.2.11.jar | | pkg:maven/com.sun.xml.bind/jaxb-core@2.2.11; pkg:maven/org.glassfish.jaxb/jaxb-core@2.2.11 | | 0 | | 44 |
| jaxb-core-2.2.11.jar (shaded: com.sun.istack:istack-commons-runtime:2.21) | | pkg:maven/com.sun.istack/istack-commons-runtime@2.21 | | 0 | | 11 |
| jaxb-core-2.2.11.jar (shaded: org.glassfish.jaxb:txw2:2.2.11) | | pkg:maven/org.glassfish.jaxb/txw2@2.2.11 | | 0 | | 11 |
| jaxb-impl-2.2.11.jar | | pkg:maven/com.sun.xml.bind/jaxb-impl@2.2.11 | | 0 | | 40 |
| jaxb-impl-2.2.11.jar (shaded: org.glassfish.jaxb:jaxb-runtime:2.2.11) | | pkg:maven/org.glassfish.jaxb/jaxb-runtime@2.2.11 | | 0 | | 11 |
| jaxen-1.2.0.jar | | pkg:maven/jaxen/jaxen@1.2.0 | | 0 | | 26 |
| jersey-guava-2.25.1.jar | cpe:2.3:a:jersey_project:jersey:2.25.1:*:*:*:*:*:*:* | pkg:maven/org.glassfish.jersey.bundles.repackaged/jersey-guava@2.25.1 | | 0 | Highest | 26 |
| joda-time-2.10.10.jar | cpe:2.3:a:time_project:time:2.10.10:*:*:*:*:*:*:* | pkg:maven/joda-time/joda-time@2.10.10 | | 0 | Highest | 38 |
| jsr305-3.0.2.jar | | pkg:maven/com.google.code.findbugs/jsr305@3.0.2 | | 0 | | 17 |
| libthrift-0.9.3-1.jar | cpe:2.3:a:apache:thrift:0.9.3.1:*:*:*:*:*:*:* | pkg:maven/org.apache.thrift/libthrift@0.9.3-1 | HIGH | 5 | Highest | 23 |
| log4j-1.2.14.jar | cpe:2.3:a:apache:log4j:1.2.14:*:*:*:*:*:*:* | pkg:maven/log4j/log4j@1.2.14 | CRITICAL | 2 | Highest | 23 |
| logback-core-1.2.3.jar | cpe:2.3:a:logback:logback:1.2.3:*:*:*:*:*:*:* | pkg:maven/ch.qos.logback/logback-core@1.2.3 | | 0 | Highest | 32 |
| mariadb-java-client-1.7.4.jar | | pkg:maven/org.mariadb.jdbc/mariadb-java-client@1.7.4 | | 0 | | 29 |
| mysql-connector-java-5.1.49.jar | cpe:2.3:a:mysql:mysql:5.1.49:*:*:*:*:*:*:*; cpe:2.3:a:oracle:mysql_connector\/j:5.1.49:*:*:*:*:*:*:* | pkg:maven/mysql/mysql-connector-java@5.1.49 | HIGH | 3 | Highest | 38 |
| netty-all-4.1.59.Final.jar | cpe:2.3:a:netty:netty:4.1.59:*:*:*:*:*:*:* | pkg:maven/io.netty/netty-all@4.1.59.Final | | 0 | Highest | 23 |
| netty-http-java6-1.5.0.jar | | pkg:maven/Waarp/netty-http-java6@1.5.0 | | 0 | | 19 |
| netty-tcnative-boringssl-static-2.0.36.Final.jar | | pkg:maven/io.netty/netty-tcnative-boringssl-static@2.0.36.Final | | 0 | | 19 |
| osgi-resource-locator-1.0.1.jar | | pkg:maven/org.glassfish.hk2/osgi-resource-locator@1.0.1 | | 0 | | 28 |
| postgresql-42.2.19.jre6.jar | cpe:2.3:a:postgresql:postgresql:42.2.19.jre6:*:*:*:*:*:*:*; cpe:2.3:a:postgresql:postgresql_jdbc_driver:42.2.19.jre6:*:*:*:*:*:*:* | pkg:maven/org.postgresql/postgresql@42.2.19.jre6 | | 0 | Highest | 43 |
| slf4j-api-1.7.30.jar | | pkg:maven/org.slf4j/slf4j-api@1.7.30 | | 0 | | 29 |
| snmp4j-2.6.3.jar | | pkg:maven/org.snmp4j/snmp4j@2.6.3 | | 0 | | 22 |
| snmp4j-agent-2.6.3.jar | | pkg:maven/org.snmp4j/snmp4j-agent@2.6.3 | | 0 | | 28 |
| xercesImpl-2.12.1.jar | cpe:2.3:a:exist-db:exist:2.12.1:*:*:*:*:*:*:* | pkg:maven/org.exist-db.thirdparty.xerces/xercesImpl@2.12.1 | CRITICAL | 1 | Highest | 75 |

Dependencies

XML-APIS-2.5.0.jar

Description:

POM was created from install:install-file

File Path: /home/frederic/.m2/repository/XML-APIS/XML-APIS/2.5.0/XML-APIS-2.5.0.jar
MD5: d96b62c9d7c2a81efd1986b59582e4e1
SHA1: 5f3baec73262ebebc87a457fb24012bedb6f0ca6
SHA256:00e7ff4fb2f424bb3c6031b6e7ad03c2badf7af08c1798c8ede6a5d7b7843520
Referenced In Project/Scope:Waarp Administrator:compile

XMLEditor-2.2.jar

Description:

POM was created from install:install-file

File Path: /home/frederic/.m2/repository/XMLEditor/XMLEditor/2.2/XMLEditor-2.2.jar
MD5: 4a4a0b6d61460d738a469ad200809624
SHA1: 0b6ed34aa9b29b3e093ede285d08f6bce7128504
SHA256:a84c1f3cdd1d38bdea7fa1513c152b50957eef17bc7d42f585d2c2dc31b9663d
Referenced In Project/Scope:Waarp Administrator:compile

Xerces-2.5.0.jar

Description:

POM was created from install:install-file

File Path: /home/frederic/.m2/repository/Xerces/Xerces/2.5.0/Xerces-2.5.0.jar
MD5: 17c7b058d32d6df45456e1728a299ba1
SHA1: c0468bac6d11a07ffc69506003cfedc0ce54e172
SHA256:d1ff701c93fdd4838b95ccef54b83b3f2f9200052fe34fe8b82a0fbabfc1a72c
Referenced In Project/Scope:Waarp Administrator:compile

aopalliance-repackaged-2.5.0-b32.jar

Description:

Dependency Injection Kernel

License:

https://glassfish.java.net/nonav/public/CDDL+GPL_1_1.html
File Path: /home/frederic/.m2/repository/org/glassfish/hk2/external/aopalliance-repackaged/2.5.0-b32/aopalliance-repackaged-2.5.0-b32.jar
MD5: 99809f55109881865ce8b47f03522fb6
SHA1: 6af37c3f8ec6f9e9653ec837eb508da28ce443cd
SHA256:32a44ed0258c00bb8f0acf7e4dbf000a377bd48702465f6195f878a6dc2024d6
Referenced In Project/Scope:Waarp Administrator:compile

commons-beanutils-1.9.4.jar

Description:

Apache Commons BeanUtils provides an easy-to-use but flexible wrapper around reflection and introspection.

License:

https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/frederic/.m2/repository/commons-beanutils/commons-beanutils/1.9.4/commons-beanutils-1.9.4.jar
MD5: 07dc532ee316fe1f2f0323e9bd2f8df4
SHA1: d52b9abcd97f38c81342bb7e7ae1eee9b73cba51
SHA256:7d938c81789028045c08c065e94be75fc280527620d5bd62b519d5838532368a
Referenced In Project/Scope:Waarp Administrator:compile

commons-cli-1.4.jar

Description:

Apache Commons CLI provides a simple API for presenting, processing and validating a command line interface.

License:

https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/frederic/.m2/repository/commons-cli/commons-cli/1.4/commons-cli-1.4.jar
MD5: c966d7e03507c834d5b09b848560174e
SHA1: c51c00206bb913cd8612b24abd9fa98ae89719b1
SHA256:fd3c7c9545a9cdb2051d1f9155c4f76b1e4ac5a57304404a6eedb578ffba7328
Referenced In Project/Scope:Waarp Administrator:compile

commons-codec-1.15.jar

Description:

The Apache Commons Codec package contains simple encoder and decoders for various formats such as Base64 and Hexadecimal. In addition to these widely used encoders and decoders, the codec package also maintains a collection of phonetic encoding utilities.

License:

https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/frederic/.m2/repository/commons-codec/commons-codec/1.15/commons-codec-1.15.jar
MD5: 303baf002ce6d382198090aedd9d79a2
SHA1: 49d94806b6e3dc933dacbd8acb0fdbab8ebd1e5d
SHA256:b3e9f6d63a790109bf0d056611fbed1cf69055826defeb9894a71369d246ed63
Referenced In Project/Scope:Waarp Administrator:compile

commons-collections-3.2.2.jar

Description:

Types that extend and augment the Java Collections Framework.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/frederic/.m2/repository/commons-collections/commons-collections/3.2.2/commons-collections-3.2.2.jar
MD5: f54a8510f834a1a57166970bfc982e94
SHA1: 8ad72fe39fa8c91eaaf12aadb21e0c3661fe26d5
SHA256:eeeae917917144a68a741d4c0dff66aa5c5c5fd85593ff217bced3fc8ca783b8
Referenced In Project/Scope:Waarp Administrator:compile

commons-compress-1.20.jar

Description:

Apache Commons Compress software defines an API for working with compression and archive formats. These include: bzip2, gzip, pack200, lzma, xz, Snappy, traditional Unix Compress, DEFLATE, DEFLATE64, LZ4, Brotli, Zstandard and ar, cpio, jar, tar, zip, dump, 7z, arj.

License:

https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/frederic/.m2/repository/org/apache/commons/commons-compress/1.20/commons-compress-1.20.jar
MD5: 3f7237fb56029591b5bdd2698c196220
SHA1: b8df472b31e1f17c232d2ad78ceb1c84e00c641b
SHA256:0aeb625c948c697ea7b205156e112363b59ed5e2551212cd4e460bdb72c7c06e
Referenced In Project/Scope:Waarp Administrator:compile

commons-daemon-1.2.4.jar

Description:

Apache Commons Daemon software is a set of utilities and Java support classes for running Java applications as server processes. These are commonly known as 'daemon' processes in Unix terminology (hence the name). On Windows they are called 'services'.

License:

https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/frederic/.m2/repository/commons-daemon/commons-daemon/1.2.4/commons-daemon-1.2.4.jar
MD5: 3b09311652913abfa26325b07ad35b14
SHA1: d60046797e74222fc6df647ffb9ab32946615264
SHA256:e9ca86791491454eb065475ded6f1d9669a6a015fd0f179ae0a92b20b8e0a71c
Referenced In Project/Scope:Waarp Administrator:compile

commons-dbcp-1.4.jar

Description:

Commons Database Connection Pooling

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/frederic/.m2/repository/commons-dbcp/commons-dbcp/1.4/commons-dbcp-1.4.jar
MD5: b004158fab904f37f5831860898b3cd9
SHA1: 30be73c965cc990b153a100aaaaafcf239f82d39
SHA256:a6e2d83551d0e5b59aa942359f3010d35e79365e6552ad3dbaa6776e4851e4f6
Referenced In Project/Scope:Waarp Administrator:compile

commons-exec-1.3.jar

Description:

Apache Commons Exec is a library to reliably execute external processes from within the JVM.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/frederic/.m2/repository/org/apache/commons/commons-exec/1.3/commons-exec-1.3.jar
MD5: 8bb8fa2edfd60d5c7ed6bf9923d14aa8
SHA1: 8dfb9facd0830a27b1b5f29f84593f0aeee7773b
SHA256:cb49812dc1bfb0ea4f20f398bcae1a88c6406e213e67f7524fb10d4f8ad9347b
Referenced In Project/Scope:Waarp Administrator:compile

commons-io-2.6.jar

Description:

The Apache Commons IO library contains utility classes, stream implementations, file filters, file comparators, endian transformation classes, and much more.

License:

https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/frederic/.m2/repository/commons-io/commons-io/2.6/commons-io-2.6.jar
MD5: 467c2a1f64319c99b5faf03fc78572af
SHA1: 815893df5f31da2ece4040fe0a12fd44b577afaf
SHA256:f877d304660ac2a142f3865badfc971dec7ed73c747c7f8d5d2f5139ca736513
Referenced In Project/Scope:Waarp Administrator:compile

commons-logging-1.2.jar

Description:

Apache Commons Logging is a thin adapter allowing configurable bridging to other, well known logging systems.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/frederic/.m2/repository/commons-logging/commons-logging/1.2/commons-logging-1.2.jar
MD5: 040b4b4d8eac886f6b4a2a3bd2f31b00
SHA1: 4bfc12adfe4842bf07b657f0369c4cb522955686
SHA256:daddea1ea0be0f56978ab3006b8ac92834afeefbd9b7e4e6316fca57df0fa636
Referenced In Project/Scope:Waarp Administrator:compile

commons-net-3.6-ftp.jar

File Path: /home/frederic/.m2/repository/commons-net/commons-net/3.6/commons-net-3.6-ftp.jar
MD5: 562c152e7dcc52fc1c943bbce6410f86
SHA1: 7d6800824dfed812250c64d9a8c9d4f4ddd5299b
SHA256:0c19e70f0e3fd5bf10bcecebf4ff22969dfa713a4ea2ee313df8673dc9761a74
Referenced In Project/Scope:Waarp Administrator:compile

commons-pool-1.6.jar

Description:

Commons Object Pooling Library

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/frederic/.m2/repository/commons-pool/commons-pool/1.6/commons-pool-1.6.jar
MD5: 5ca02245c829422176d23fa530e919cc
SHA1: 4572d589699f09d866a226a14b7f4323c6d8f040
SHA256:46c42b4a38dc6b2db53a9ee5c92c63db103665d56694e2cfce2c95d51a6860cc
Referenced In Project/Scope:Waarp Administrator:compile

dom4j-2.0.3.jar

Description:

flexible XML framework for Java

License:

BSD 3-clause New License: https://github.com/dom4j/dom4j/blob/master/LICENSE
File Path: /home/frederic/.m2/repository/org/dom4j/dom4j/2.0.3/dom4j-2.0.3.jar
MD5: e52772ce926518c4b58ce7084cb365f1
SHA1: 486bf7f9c368f621e616b9a3532253f23665a104
SHA256:b9ee0981b983ff71605c63cae5c12e0e5facb030bc1c1cd586447e28afc2876e
Referenced In Project/Scope:Waarp Administrator:compile

ftp4j-1.7.2.jar

Description:

POM was created from install:install-file

File Path: /home/frederic/.m2/repository/it/sauronsoftware/ftp4j/1.7.2/ftp4j-1.7.2.jar
MD5: 9b5971848287cbe7b44cbd65030bb8a6
SHA1: abd6a2ba75b142926052c4538611efda49e0b0e2
SHA256:af8093a956cc5fc7289e72607b7ece2325db292b1ab7cf728dc876d3ad69061d
Referenced In Project/Scope:Waarp Administrator:compile

guava-20.0.jar

Description:

Guava is a suite of core and expanded libraries that include utility classes, google's collections, io classes, and much much more.

Guava has only one code dependency - javax.annotation, per the JSR-305 spec.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/frederic/.m2/repository/com/google/guava/guava/20.0/guava-20.0.jar
MD5: f32a8a2524620dbecc9f6bf6a20c293f
SHA1: 89507701249388e1ed5ddcf8c41f4ce1be7831ef
SHA256:36a666e3b71ae7f0f0dca23654b67e086e6c93d192f60ba5dfd5519db6c288c8
Referenced In Project/Scope:Waarp Administrator:compile

CVE-2018-10237  

Unbounded memory allocation in Google Guava 11.0 through 24.x before 24.1.1 allows remote attackers to conduct denial of service attacks against servers that depend on this library and deserialize attacker-provided data, because the AtomicDoubleArray class (when serialized with Java serialization) and the CompoundOrdering class (when serialized with GWT serialization) perform eager allocation without appropriate checks on what a client has sent and whether the data size is reasonable.
CWE-770 Allocation of Resources Without Limits or Throttling

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:N/A:P
CVSSv3:
  • Base Score: MEDIUM (5.9)
  • Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

CVE-2020-8908  

A temp directory creation vulnerability exists in all versions of Guava, allowing an attacker with access to the machine to potentially access data in a temporary directory created by the Guava API com.google.common.io.Files.createTempDir(). By default, on unix-like systems, the created directory is world-readable (readable by an attacker with access to the system). The method in question has been marked @Deprecated in versions 30.0 and later and should not be used. For Android developers, we recommend choosing a temporary directory API provided by Android, such as context.getCacheDir(). For other Java developers, we recommend migrating to the Java 7 API java.nio.file.Files.createTempDirectory() which explicitly configures permissions of 700, or configuring the Java runtime's java.io.tmpdir system property to point to a location whose permissions are appropriately configured.
CWE-732 Incorrect Permission Assignment for Critical Resource

CVSSv2:
  • Base Score: LOW (2.1)
  • Vector: /AV:L/AC:L/Au:N/C:P/I:N/A:N
CVSSv3:
  • Base Score: LOW (3.3)
  • Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

h2-1.4.191.jar

Description:

H2 Database Engine

License:

MPL 2.0, and EPL 1.0: http://h2database.com/html/license.html
File Path: /home/frederic/.m2/repository/com/h2database/h2/1.4.191/h2-1.4.191.jar
MD5: dda3c5e5615f0e29a9bc6b14d20fb0c2
SHA1: dec3540178ea889b2871b0ed56db14bbec9cfdfc
SHA256:e21ea665b74ec0115344b5afda5ec70ea27b528c3f103524e74c9854b1c4a284
Referenced In Project/Scope:Waarp Administrator:compile

h2-1.4.191.jar: data.zip: table.js

File Path: /home/frederic/.m2/repository/com/h2database/h2/1.4.191/h2-1.4.191.jar/org/h2/util/data.zip/org/h2/server/web/res/table.js
MD5: a914a66de53dcdeb39684f1ce8ce8527
SHA1: c41ef5fb193ac25622f4e129470339aec24d731a
SHA256:8c5b079b38e94718bb58a71b0e310bad6c1004670a19c1bc0f63b32fdd81134a
Referenced In Project/Scope:Waarp Administrator:compile

Identifiers

  • None

h2-1.4.191.jar: data.zip: tree.js

File Path: /home/frederic/.m2/repository/com/h2database/h2/1.4.191/h2-1.4.191.jar/org/h2/util/data.zip/org/h2/server/web/res/tree.js
MD5: 495277155635a72b0c69f987d938b6e1
SHA1: 446cad47e33a62baf330ee5200646b5ccb9c0df9
SHA256:14c797bd700570c38e8af1aa50ecea205a385be466ec9431e46dbe586ce7a61c
Referenced In Project/Scope:Waarp Administrator:compile

Identifiers

  • None

hk2-api-2.5.0-b32.jar

Description:

${project.name}

License:

https://glassfish.java.net/nonav/public/CDDL+GPL_1_1.html
File Path: /home/frederic/.m2/repository/org/glassfish/hk2/hk2-api/2.5.0-b32/hk2-api-2.5.0-b32.jar
MD5: 93322931c4ec277c5190c7cddf7ad155
SHA1: 6a576c9653832ce610b80a2f389374ef19d96171
SHA256:b3fe4f295ab8e74ea9d641717dc55e5768f1e5db3709e84235346a4d6bcde5c2
Referenced In Project/Scope:Waarp Administrator:compile

hk2-locator-2.5.0-b32.jar

Description:

${project.name}

License:

https://glassfish.java.net/nonav/public/CDDL+GPL_1_1.html
File Path: /home/frederic/.m2/repository/org/glassfish/hk2/hk2-locator/2.5.0-b32/hk2-locator-2.5.0-b32.jar
MD5: 5baf0f144cf8552a9fe476b096fc18a7
SHA1: 195474f8ad0a8d130e9ea949a771bcf1215fc33b
SHA256:27cacf80e8c088cc50f73b56344b779bdb7418e590a037659ab66b2b0cd9c492
Referenced In Project/Scope:Waarp Administrator:compile

hk2-utils-2.5.0-b32.jar

Description:

${project.name}

License:

https://glassfish.java.net/nonav/public/CDDL+GPL_1_1.html
File Path: /home/frederic/.m2/repository/org/glassfish/hk2/hk2-utils/2.5.0-b32/hk2-utils-2.5.0-b32.jar
MD5: acc873aece4f8e89814ac0300b549e3e
SHA1: 5108a926988c4ceda7f1e681dddfe3101454a002
SHA256:3912c470e621eb3e469c111f4c9a4dee486e2ce9db09a65b7609e006b6c3d38e
Referenced In Project/Scope:Waarp Administrator:compile

hk2-utils-2.5.0-b32.jar (shaded: org.jvnet:tiger-types:1.4)

File Path: /home/frederic/.m2/repository/org/glassfish/hk2/hk2-utils/2.5.0-b32/hk2-utils-2.5.0-b32.jar/META-INF/maven/org.jvnet/tiger-types/pom.xml
MD5: 51329dba505e7cc4a9bc2719cf195be0
SHA1: 5855a7ee03b816073c2b448bce93319bd71f7029
SHA256:58794aca99cadb3aab687b56fd6d84871956590323dd0ea5d611db759e78c6b9
Referenced In Project/Scope:Waarp Administrator:compile

httpclient-4.5.13.jar

Description:

Apache HttpComponents Client

File Path: /home/frederic/.m2/repository/org/apache/httpcomponents/httpclient/4.5.13/httpclient-4.5.13.jar
MD5: 40d6b9075fbd28fa10292a45a0db9457
SHA1: e5f6cae5ca7ecaac1ec2827a9e2d65ae2869cada
SHA256:6fe9026a566c6a5001608cf3fc32196641f6c1e5e1986d1037ccdbd5f31ef743
Referenced In Project/Scope:Waarp Administrator:compile

httpcore-4.4.14.jar

Description:

Apache HttpComponents Core (blocking I/O)

File Path: /home/frederic/.m2/repository/org/apache/httpcomponents/httpcore/4.4.14/httpcore-4.4.14.jar
MD5: 2b3991eda121042765a5ee299556c200
SHA1: 9dd1a631c082d92ecd4bd8fd4cf55026c720a8c1
SHA256:f956209e450cb1d0c51776dfbd23e53e9dd8db9a1298ed62b70bf0944ba63b28
Referenced In Project/Scope:Waarp Administrator:compile

jackson-core-2.7.9.jar

Description:

Core Jackson abstractions, basic JSON streaming API implementation

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/frederic/.m2/repository/com/fasterxml/jackson/core/jackson-core/2.7.9/jackson-core-2.7.9.jar
MD5: f5d0dfe03814113d792e75e885699640
SHA1: 09b530cec4fd2eb841ab8e79f19fc7cf0ec487b2
SHA256:bd90721420bb899a974ed09a107fef42ca8cc7c8e055762f6c81576132e5bbc5
Referenced In Project/Scope:Waarp Administrator:compile

CVE-2018-1000873  

Fasterxml Jackson version Before 2.9.8 contains a CWE-20: Improper Input Validation vulnerability in Jackson-Modules-Java8 that can result in Causes a denial-of-service (DoS). This attack appear to be exploitable via The victim deserializes malicious input, specifically very large values in the nanoseconds field of a time value. This vulnerability appears to have been fixed in 2.9.8.
CWE-20 Improper Input Validation

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:N/A:P
CVSSv3:
  • Base Score: MEDIUM (6.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

jackson-databind-2.7.9.6.jar

Description:

General data-binding functionality for Jackson: works on core streaming API

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/frederic/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.7.9.6/jackson-databind-2.7.9.6.jar
MD5: 56c7443cccf36b6bc6eb661a4d128762
SHA1: 562ce1931544a1ae4a3d0e8523c2068fea4198fa
SHA256:368c7a722e45d8bbbbbfad953f4999c383ecab5bf366fa85ed4115534e377a43
Referenced In Project/Scope:Waarp Administrator:compile

CVE-2017-15095 (OSSINDEX)  

A deserialization flaw was discovered in the jackson-databind in versions before 2.8.10 and 2.9.1, which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper. This issue extends the previous flaw CVE-2017-7525 by blacklisting more classes that could be used maliciously.
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:com.fasterxml.jackson.core:jackson-databind:2.7.9.6:*:*:*:*:*:*:*

CVE-2017-17485 (OSSINDEX)  

FasterXML jackson-databind through 2.8.10 and 2.9.x through 2.9.3 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the Spring libraries are available in the classpath.
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:com.fasterxml.jackson.core:jackson-databind:2.7.9.6:*:*:*:*:*:*:*

CVE-2018-1000873  

Fasterxml Jackson version Before 2.9.8 contains a CWE-20: Improper Input Validation vulnerability in Jackson-Modules-Java8 that can result in Causes a denial-of-service (DoS). This attack appear to be exploitable via The victim deserializes malicious input, specifically very large values in the nanoseconds field of a time value. This vulnerability appears to have been fixed in 2.9.8.
CWE-20 Improper Input Validation

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:N/A:P
CVSSv3:
  • Base Score: MEDIUM (6.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

CVE-2019-14540 (OSSINDEX)  

A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to com.zaxxer.hikari.HikariConfig.
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:com.fasterxml.jackson.core:jackson-databind:2.7.9.6:*:*:*:*:*:*:*

CVE-2019-14893 (OSSINDEX)  

A flaw was discovered in FasterXML jackson-databind in all versions before 2.9.10 and 2.10.0, where it would permit polymorphic deserialization of malicious objects using the xalan JNDI gadget when used in conjunction with polymorphic type handling methods such as `enableDefaultTyping()` or when @JsonTypeInfo is using `Id.CLASS` or `Id.MINIMAL_CLASS` or in any other way which ObjectMapper.readValue might instantiate objects from unsafe sources. An attacker could use this flaw to execute arbitrary code.
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:com.fasterxml.jackson.core:jackson-databind:2.7.9.6:*:*:*:*:*:*:*

CVE-2019-16335 (OSSINDEX)  

A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to com.zaxxer.hikari.HikariDataSource. This is a different vulnerability than CVE-2019-14540.
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:com.fasterxml.jackson.core:jackson-databind:2.7.9.6:*:*:*:*:*:*:*

CVE-2019-16942 (OSSINDEX)  

A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the commons-dbcp (1.4) jar in the classpath, and an attacker can find an RMI service endpoint to access, it is possible to make the service execute a malicious payload. This issue exists because of org.apache.commons.dbcp.datasources.SharedPoolDataSource and org.apache.commons.dbcp.datasources.PerUserPoolDataSource mishandling.
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:com.fasterxml.jackson.core:jackson-databind:2.7.9.6:*:*:*:*:*:*:*

CVE-2019-16943 (OSSINDEX)  

A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the p6spy (3.8.6) jar in the classpath, and an attacker can find an RMI service endpoint to access, it is possible to make the service execute a malicious payload. This issue exists because of com.p6spy.engine.spy.P6DataSource mishandling.
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:com.fasterxml.jackson.core:jackson-databind:2.7.9.6:*:*:*:*:*:*:*

CVE-2019-17267 (OSSINDEX)  

A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to net.sf.ehcache.hibernate.EhcacheJtaTransactionManagerLookup.
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:com.fasterxml.jackson.core:jackson-databind:2.7.9.6:*:*:*:*:*:*:*

CVE-2019-17531 (OSSINDEX)  

A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the apache-log4j-extra (version 1.2.x) jar in the classpath, and an attacker can provide a JNDI service to access, it is possible to make the service execute a malicious payload.
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:com.fasterxml.jackson.core:jackson-databind:2.7.9.6:*:*:*:*:*:*:*

CVE-2019-20330  

FasterXML jackson-databind 2.x before 2.9.10.2 lacks certain net.sf.ehcache blocking.
CWE-502 Deserialization of Untrusted Data

CVSSv2:
  • Base Score: HIGH (7.5)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVE-2020-10672 (OSSINDEX)  

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.aries.transaction.jms.internal.XaPooledConnectionFactory (aka aries.transaction.jms).
CVSSv3:
  • Base Score: HIGH (8.8)
  • Vector: CVSS:/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:com.fasterxml.jackson.core:jackson-databind:2.7.9.6:*:*:*:*:*:*:*

CVE-2020-10673 (OSSINDEX)  

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to com.caucho.config.types.ResourceRef (aka caucho-quercus).
CVSSv3:
  • Base Score: HIGH (8.8)
  • Vector: CVSS:/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:com.fasterxml.jackson.core:jackson-databind:2.7.9.6:*:*:*:*:*:*:*

CVE-2020-10968 (OSSINDEX)  

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.aoju.bus.proxy.provider.remoting.RmiProvider (aka bus-proxy).
CVSSv3:
  • Base Score: HIGH (8.8)
  • Vector: CVSS:/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:com.fasterxml.jackson.core:jackson-databind:2.7.9.6:*:*:*:*:*:*:*

CVE-2020-10969  

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to javax.swing.JEditorPane.
CWE-502 Deserialization of Untrusted Data

CVSSv2:
  • Base Score: MEDIUM (6.8)
  • Vector: /AV:N/AC:M/Au:N/C:P/I:P/A:P
CVSSv3:
  • Base Score: HIGH (8.8)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVE-2020-11111 (OSSINDEX)  

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.activemq.* (aka activemq-jms, activemq-core, activemq-pool, and activemq-pool-jms).
CVSSv3:
  • Base Score: HIGH (8.8)
  • Vector: CVSS:/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:com.fasterxml.jackson.core:jackson-databind:2.7.9.6:*:*:*:*:*:*:*

CVE-2020-11112 (OSSINDEX)  

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.proxy.provider.remoting.RmiProvider (aka apache/commons-proxy).
CVSSv3:
  • Base Score: HIGH (8.8)
  • Vector: CVSS:/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:com.fasterxml.jackson.core:jackson-databind:2.7.9.6:*:*:*:*:*:*:*

CVE-2020-11113 (OSSINDEX)  

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.openjpa.ee.WASRegistryManagedRuntime (aka openjpa).
CVSSv3:
  • Base Score: HIGH (8.8)
  • Vector: CVSS:/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:com.fasterxml.jackson.core:jackson-databind:2.7.9.6:*:*:*:*:*:*:*

CVE-2020-11619 (OSSINDEX)  

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.springframework.aop.config.MethodLocatingFactoryBean (aka spring-aop).
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:com.fasterxml.jackson.core:jackson-databind:2.7.9.6:*:*:*:*:*:*:*

CVE-2020-11620 (OSSINDEX)  

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.jelly.impl.Embedded (aka commons-jelly).
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:com.fasterxml.jackson.core:jackson-databind:2.7.9.6:*:*:*:*:*:*:*

CVE-2020-14060 (OSSINDEX)  

FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to oadd.org.apache.xalan.lib.sql.JNDIConnectionPool (aka apache/drill).
CVSSv3:
  • Base Score: HIGH (8.1)
  • Vector: CVSS:/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:com.fasterxml.jackson.core:jackson-databind:2.7.9.6:*:*:*:*:*:*:*

CVE-2020-14061 (OSSINDEX)  

FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to oracle.jms.AQjmsQueueConnectionFactory, oracle.jms.AQjmsXATopicConnectionFactory, oracle.jms.AQjmsTopicConnectionFactory, oracle.jms.AQjmsXAQueueConnectionFactory, and oracle.jms.AQjmsXAConnectionFactory (aka weblogic/oracle-aqjms).
CVSSv3:
  • Base Score: HIGH (8.1)
  • Vector: CVSS:/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:com.fasterxml.jackson.core:jackson-databind:2.7.9.6:*:*:*:*:*:*:*

CVE-2020-14062 (OSSINDEX)  

FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to com.sun.org.apache.xalan.internal.lib.sql.JNDIConnectionPool (aka xalan2).
CVSSv3:
  • Base Score: HIGH (8.1)
  • Vector: CVSS:/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:com.fasterxml.jackson.core:jackson-databind:2.7.9.6:*:*:*:*:*:*:*

CVE-2020-14195 (OSSINDEX)  

FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to org.jsecurity.realm.jndi.JndiRealmFactory (aka org.jsecurity).
CVSSv3:
  • Base Score: HIGH (8.1)
  • Vector: CVSS:/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:com.fasterxml.jackson.core:jackson-databind:2.7.9.6:*:*:*:*:*:*:*

CVE-2020-24616 (OSSINDEX)  

FasterXML jackson-databind 2.x before 2.9.10.6 mishandles the interaction between serialization gadgets and typing, related to br.com.anteros.dbcp.AnterosDBCPDataSource (aka Anteros-DBCP).
CVSSv3:
  • Base Score: HIGH (8.1)
  • Vector: CVSS:/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:com.fasterxml.jackson.core:jackson-databind:2.7.9.6:*:*:*:*:*:*:*

CVE-2020-24750 (OSSINDEX)  

FasterXML jackson-databind 2.x before 2.9.10.6 mishandles the interaction between serialization gadgets and typing, related to com.pastdev.httpcomponents.configuration.JndiConfiguration.
CVSSv3:
  • Base Score: HIGH (8.1)
  • Vector: CVSS:/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:com.fasterxml.jackson.core:jackson-databind:2.7.9.6:*:*:*:*:*:*:*

CVE-2020-35490  

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.dbcp2.datasources.PerUserPoolDataSource.
CWE-502 Deserialization of Untrusted Data

CVSSv2:
  • Base Score: MEDIUM (6.8)
  • Vector: /AV:N/AC:M/Au:N/C:P/I:P/A:P
CVSSv3:
  • Base Score: HIGH (8.1)
  • Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CVE-2020-35491  

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.dbcp2.datasources.SharedPoolDataSource.
CWE-502 Deserialization of Untrusted Data

CVSSv2:
  • Base Score: MEDIUM (6.8)
  • Vector: /AV:N/AC:M/Au:N/C:P/I:P/A:P
CVSSv3:
  • Base Score: HIGH (8.1)
  • Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CVE-2020-8840  

FasterXML jackson-databind 2.0.0 through 2.9.10.2 lacks certain xbean-reflect/JNDI blocking, as demonstrated by org.apache.xbean.propertyeditor.JndiConverter.
CWE-502 Deserialization of Untrusted Data

CVSSv2:
  • Base Score: HIGH (7.5)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVE-2020-9546  

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.hadoop.shaded.com.zaxxer.hikari.HikariConfig (aka shaded hikari-config).
CWE-502 Deserialization of Untrusted Data

CVSSv2:
  • Base Score: MEDIUM (6.8)
  • Vector: /AV:N/AC:M/Au:N/C:P/I:P/A:P
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVE-2020-9547  

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to com.ibatis.sqlmap.engine.transaction.jta.JtaTransactionConfig (aka ibatis-sqlmap).
CWE-502 Deserialization of Untrusted Data

CVSSv2:
  • Base Score: MEDIUM (6.8)
  • Vector: /AV:N/AC:M/Au:N/C:P/I:P/A:P
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVE-2020-9548  

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to br.com.anteros.dbcp.AnterosDBCPConfig (aka anteros-core).
CWE-502 Deserialization of Untrusted Data

CVSSv2:
  • Base Score: MEDIUM (6.8)
  • Vector: /AV:N/AC:M/Au:N/C:P/I:P/A:P
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

jackson-dataformat-smile-2.7.9.jar

Description:

Support for reading and writing Smile ("binary JSON") encoded data using Jackson abstractions (streaming API, data binding, tree model)

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/frederic/.m2/repository/com/fasterxml/jackson/dataformat/jackson-dataformat-smile/2.7.9/jackson-dataformat-smile-2.7.9.jar
MD5: eb20c11444c0aeb464a7302930ec18e0
SHA1: 3aef8d360e5bb6f8044964ba831f5cd53a663fe3
SHA256:8df9cfc493a3e3c6c0d5eacf019ca06b2fae7f97eac4a7efdbab6694ba1dc643
Referenced In Project/Scope:Waarp Administrator:compile

jakarta.activation-api-1.2.1.jar

Description:

JavaBeans Activation Framework API jar

License:

http://www.eclipse.org/org/documents/edl-v10.php
File Path: /home/frederic/.m2/repository/jakarta/activation/jakarta.activation-api/1.2.1/jakarta.activation-api-1.2.1.jar
MD5: 9b647398add993324d3d9e5effa6005a
SHA1: 562a587face36ec7eff2db7f2fc95425c6602bc1
SHA256:8b0a0f52fa8b05c5431921a063ed866efaa41dadf2e3a7ee3e1961f2b0d9645b
Referenced In Project/Scope:Waarp Administrator:compile

javassist-3.25.0-GA.jar

Description:

Javassist (JAVA programming ASSISTant) makes Java bytecode manipulation simple. It is a class library for editing bytecodes in Java.

License:

MPL 1.1: http://www.mozilla.org/MPL/MPL-1.1.html
LGPL 2.1: http://www.gnu.org/licenses/lgpl-2.1.html
Apache License 2.0: http://www.apache.org/licenses/
File Path: /home/frederic/.m2/repository/org/javassist/javassist/3.25.0-GA/javassist-3.25.0-GA.jar
MD5: 3a4267e01989478be188d127b7a39425
SHA1: 442dc1f9fd520130bd18da938622f4f9b2e5fba3
SHA256:5d49abd02997134f80041645e9668e1ff97afd69d2c2c55ae9fbd40dc073f97b
Referenced In Project/Scope:Waarp Administrator:compile

javax.activation-1.2.0.jar

Description:

JavaBeans Activation Framework

License:

https://github.com/javaee/activation/blob/master/LICENSE.txt
File Path: /home/frederic/.m2/repository/com/sun/activation/javax.activation/1.2.0/javax.activation-1.2.0.jar
MD5: be7c430df50b330cffc4848a3abedbfb
SHA1: bf744c1e2776ed1de3c55c8dac1057ec331ef744
SHA256:993302b16cd7056f21e779cc577d175a810bb4900ef73cd8fbf2b50f928ba9ce
Referenced In Project/Scope:Waarp Administrator:compile

javax.annotation-api-1.2.jar

Description:

Common Annotations for the Java™ Platform API

License:

CDDL + GPLv2 with classpath exception: https://glassfish.dev.java.net/nonav/public/CDDL+GPL.html
File Path: /home/frederic/.m2/repository/javax/annotation/javax.annotation-api/1.2/javax.annotation-api-1.2.jar
MD5: 75fe320d2b3763bd6883ae1ede35e987
SHA1: 479c1e06db31c432330183f5cae684163f186146
SHA256:5909b396ca3a2be10d0eea32c74ef78d816e1b4ead21de1d78de1f890d033e04
Referenced In Project/Scope:Waarp Administrator:compile

javax.inject-2.5.0-b32.jar

Description:

Injection API (JSR 330) version ${javax.inject.version} repackaged as OSGi bundle

License:

https://glassfish.java.net/nonav/public/CDDL+GPL_1_1.html
File Path: /home/frederic/.m2/repository/org/glassfish/hk2/external/javax.inject/2.5.0-b32/javax.inject-2.5.0-b32.jar
MD5: b7e8633eb1e5aad9f44a37a3f3bfa8f5
SHA1: b2fa50c8186a38728c35fe6a9da57ce4cc806923
SHA256:437c92cf50a0efa6b501b8939b5b92ede7cfe4455cf06b68ec69d1b21ab921ed
Referenced In Project/Scope:Waarp Administrator:compile

javax.ws.rs-api-2.0.1.jar

Description:

Java API for RESTful Web Services (JAX-RS)

License:

CDDL 1.1: http://glassfish.java.net/public/CDDL+GPL_1_1.html
GPL2 w/ CPE: http://glassfish.java.net/public/CDDL+GPL_1_1.html
File Path: /home/frederic/.m2/repository/javax/ws/rs/javax.ws.rs-api/2.0.1/javax.ws.rs-api-2.0.1.jar
MD5: edcd111cf4d3ba8ac8e1f326efc37a17
SHA1: 104e9c2b5583cfcfeac0402316221648d6d8ea6b
SHA256:38607d626f2288d8fbc1b1f8a62c369e63806d9a313ac7cbc5f9d6c94f4b466d
Referenced In Project/Scope:Waarp Administrator:compile

jaxb-api-2.2.12.jar

Description:

JAXB (JSR 222) API

License:

CDDL 1.1: https://glassfish.java.net/public/CDDL+GPL_1_1.html
GPL2 w/ CPE: https://glassfish.java.net/public/CDDL+GPL_1_1.html
File Path: /home/frederic/.m2/repository/javax/xml/bind/jaxb-api/2.2.12/jaxb-api-2.2.12.jar
MD5: 62229737e570051d2ace48592faf7d4e
SHA1: 4c83805595b15acf41d71d49e3add7c0e85baaed
SHA256:68a621ec18485f951d09ac76f43e57eee394dbe42cb8f2a4c59c93296fa9dcc6
Referenced In Project/Scope:Waarp Administrator:compile

jaxb-core-2.2.11.jar

Description:

Old JAXB Core module. Contains sources required by XJC, JXC and Runtime modules with dependencies.

License:

http://glassfish.java.net/public/CDDL+GPL_1_1.html
File Path: /home/frederic/.m2/repository/com/sun/xml/bind/jaxb-core/2.2.11/jaxb-core-2.2.11.jar
MD5: c5eca4e58a75eabe3379926803421bab
SHA1: c3f87d654f8d5943cd08592f3f758856544d279a
SHA256:b13da0c655a3d590a2a945553648c407e6347648c9f7a3f811b7b3a8a1974baa
Referenced In Project/Scope:Waarp Administrator:compile

jaxb-core-2.2.11.jar (shaded: com.sun.istack:istack-commons-runtime:2.21)

File Path: /home/frederic/.m2/repository/com/sun/xml/bind/jaxb-core/2.2.11/jaxb-core-2.2.11.jar/META-INF/maven/com.sun.istack/istack-commons-runtime/pom.xml
MD5: caebf95d1d57fc0321b36137e246e192
SHA1: 04c234cf684a202c5c9bb7f0a198ba97e958f8f4
SHA256:ebe7137b5fbfd050545f9a7f3f339ae55beb0b53755071b4fd62aa024c626d1c
Referenced In Project/Scope:Waarp Administrator:compile

jaxb-core-2.2.11.jar (shaded: org.glassfish.jaxb:txw2:2.2.11)

Description:

TXW is a library that allows you to write XML documents.

File Path: /home/frederic/.m2/repository/com/sun/xml/bind/jaxb-core/2.2.11/jaxb-core-2.2.11.jar/META-INF/maven/org.glassfish.jaxb/txw2/pom.xml
MD5: 83d24d59202baf2810daa01739963822
SHA1: 4be03527dbf2428f7ea99fb9c2f50f089dffad5e
SHA256:8514cb724b4fca59a5cf272b632e539bd0a0f3cacf1844082d0a173a86406bd8
Referenced In Project/Scope:Waarp Administrator:compile

jaxb-impl-2.2.11.jar

Description:

Old JAXB Runtime module. Contains sources required for runtime processing.

License:

http://glassfish.java.net/public/CDDL+GPL_1_1.html
File Path: /home/frederic/.m2/repository/com/sun/xml/bind/jaxb-impl/2.2.11/jaxb-impl-2.2.11.jar
MD5: bea06b3ee5ef2c338beac9187b7782f3
SHA1: a49ce57aee680f9435f49ba6ef427d38c93247a6
SHA256:f91793a96f185a2fc004c86a37086f060985854ce6b19935e03c4de51e3201d2
Referenced In Project/Scope:Waarp Administrator:compile

jaxb-impl-2.2.11.jar (shaded: org.glassfish.jaxb:jaxb-runtime:2.2.11)

Description:

JAXB (JSR 222) Reference Implementation

File Path: /home/frederic/.m2/repository/com/sun/xml/bind/jaxb-impl/2.2.11/jaxb-impl-2.2.11.jar/META-INF/maven/org.glassfish.jaxb/jaxb-runtime/pom.xml
MD5: fa2e4dc2609e6a4d96418f4ac6519e8d
SHA1: 6a1651361e4c2392aff30da0df648187f670f8cb
SHA256:e5327b31b595ab8143e97836d5ccdf85feb91e7ff5666f7b26913632facca4aa
Referenced In Project/Scope:Waarp Administrator:compile

jaxen-1.2.0.jar

Description:

Jaxen is a universal XPath engine for Java.

License:

BSD License 2.0: https://raw.githubusercontent.com/jaxen-xpath/jaxen/master/LICENSE.txt
File Path: /home/frederic/.m2/repository/jaxen/jaxen/1.2.0/jaxen-1.2.0.jar
MD5: c32cf69356254b8f5050fce6e86358e9
SHA1: c10535a925bd35129a4329bc75065cc6b5293f2c
SHA256:70feef9dd75ad064def05a3ce8975aeba515ee7d1be146d12199c8828a64174c
Referenced In Project/Scope:Waarp Administrator:compile

jersey-guava-2.25.1.jar

Description:

Jersey Guava Repackaged

License:

http://glassfish.java.net/public/CDDL+GPL_1_1.html
File Path: /home/frederic/.m2/repository/org/glassfish/jersey/bundles/repackaged/jersey-guava/2.25.1/jersey-guava-2.25.1.jar
MD5: 08dc8642c4e990b054882cb4f422f88b
SHA1: a2bb4f8208e134cf2cf71dfb8824e42942f7bd06
SHA256:8a88a8ebae65cb4d77830b40f681bf742b55ec62e7a44cf91b8577a9396b9f81
Referenced In Project/Scope:Waarp Administrator:compile

joda-time-2.10.10.jar

Description:

Date and time library to replace JDK date handling

License:

Apache License, Version 2.0: https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/frederic/.m2/repository/joda-time/joda-time/2.10.10/joda-time-2.10.10.jar
MD5: c2a46de8a73ec7b60011429561ae72e3
SHA1: 29e8126e31f41e5c12b9fe3a7eb02e704c47d70b
SHA256:dd8e7c92185a678d1b7b933f31209b6203c8ffa91e9880475a1be0346b9617e3
Referenced In Project/Scope:Waarp Administrator:compile

jsr305-3.0.2.jar

Description:

JSR305 Annotations for Findbugs

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/frederic/.m2/repository/com/google/code/findbugs/jsr305/3.0.2/jsr305-3.0.2.jar
MD5: dd83accb899363c32b07d7a1b2e4ce40
SHA1: 25ea2e8b0c338a877313bd4672d3fe056ea78f0d
SHA256:766ad2a0783f2687962c8ad74ceecc38a28b9f72a2d085ee438b7813e928d0c7
Referenced In Project/Scope:Waarp Administrator:compile

libthrift-0.9.3-1.jar

Description:

Thrift is a software framework for scalable cross-language services development.

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/frederic/.m2/repository/org/apache/thrift/libthrift/0.9.3-1/libthrift-0.9.3-1.jar
MD5: f30409cddd2782337118521abeee12c9
SHA1: 92967e32d04fd862eb679324a5c516810a5b2a28
SHA256:6837cd6009b8401ce7ef0dcccc80c30148265f7e97cd31dc33b278a268e9471b
Referenced In Project/Scope:Waarp Administrator:compile

CVE-2018-11798  

The Apache Thrift Node.js static web server in versions 0.9.2 through 0.11.0 has been determined to contain a security vulnerability in which a remote user has the ability to access files outside the set webserver's docroot path.
CWE-538 File and Directory Information Exposure

CVSSv2:
  • Base Score: MEDIUM (4.0)
  • Vector: /AV:N/AC:L/Au:S/C:P/I:N/A:N
CVSSv3:
  • Base Score: MEDIUM (6.5)
  • Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CVE-2018-1320  

Apache Thrift Java client library versions 0.5.0 through 0.11.0 can bypass SASL negotiation isComplete validation in the org.apache.thrift.transport.TSaslTransport class. An assert used to determine if the SASL handshake had successfully completed could be disabled in production settings making the validation incomplete.
CWE-20 Improper Input Validation

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

CVE-2019-0205  

In Apache Thrift all versions up to and including 0.12.0, a server or client may run into an endless loop when fed with specific input data. Because the issue had already been partially fixed in version 0.11.0, depending on the installed version it affects only certain language bindings.
CWE-835 Loop with Unreachable Exit Condition ('Infinite Loop')

CVSSv2:
  • Base Score: HIGH (7.8)
  • Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:C
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVE-2019-0210  

In Apache Thrift 0.9.3 to 0.12.0, a server implemented in Go using TJSONProtocol or TSimpleJSONProtocol may panic when fed with invalid input data.
CWE-125 Out-of-bounds Read

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:P
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVE-2020-13949  

In Apache Thrift 0.9.3 to 0.13.0, malicious RPC clients could send short messages which would result in a large memory allocation, potentially leading to denial of service.
CWE-400 Uncontrolled Resource Consumption ('Resource Exhaustion')

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:P
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

log4j-1.2.14.jar

Description:

Log4j

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/frederic/.m2/repository/log4j/log4j/1.2.14/log4j-1.2.14.jar
MD5: 599b8ba07d1d04f0ea34414e861d7ad1
SHA1: 03b254c872b95141751f414e353a25c2ac261b51
SHA256:e3bff9ab64a09b1ac2800f3b5fb1e3d99728064acb6dd3924938507638a404fb
Referenced In Project/Scope:Waarp Administrator:compile

CVE-2019-17571  

Included in Log4j 1.2 is a SocketServer class that is vulnerable to deserialization of untrusted data which can be exploited to remotely execute arbitrary code when combined with a deserialization gadget when listening to untrusted network traffic for log data. This affects Log4j versions up to 1.2 up to 1.2.17.
CWE-502 Deserialization of Untrusted Data

CVSSv2:
  • Base Score: HIGH (7.5)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVE-2020-9488  

Improper validation of certificate with host mismatch in Apache Log4j SMTP appender. This could allow an SMTPS connection to be intercepted by a man-in-the-middle attack which could leak any log messages sent through that appender.
CWE-295 Improper Certificate Validation

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:P/I:N/A:N
CVSSv3:
  • Base Score: LOW (3.7)
  • Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

logback-core-1.2.3.jar

Description:

logback-core module

License:

http://www.eclipse.org/legal/epl-v10.html, http://www.gnu.org/licenses/old-licenses/lgpl-2.1.html
File Path: /home/frederic/.m2/repository/ch/qos/logback/logback-core/1.2.3/logback-core-1.2.3.jar
MD5: 841fc80c6edff60d947a3872a2db4d45
SHA1: 864344400c3d4d92dfeb0a305dc87d953677c03c
SHA256:5946d837fe6f960c02a53eda7a6926ecc3c758bbdd69aa453ee429f858217f22
Referenced In Project/Scope:Waarp Administrator:compile

mariadb-java-client-1.7.4.jar

Description:

JDBC driver for MariaDB and MySQL

License:

LGPL-2.1
File Path: /home/frederic/.m2/repository/org/mariadb/jdbc/mariadb-java-client/1.7.4/mariadb-java-client-1.7.4.jar
MD5: b9549eb5ba94a85eb1754f030657b853
SHA1: fc07a80cf17857573632d950d7387232474007ba
SHA256:bd14e9d13e79a15b6b2ad4668492d926cf7bfe7da8f5a0434f1b6b65d62a7b6a
Referenced In Project/Scope:Waarp Administrator:compile

mysql-connector-java-5.1.49.jar

Description:

MySQL JDBC Type 4 driver

License:

The GNU General Public License, Version 2: http://www.gnu.org/licenses/old-licenses/gpl-2.0.html
File Path: /home/frederic/.m2/repository/mysql/mysql-connector-java/5.1.49/mysql-connector-java-5.1.49.jar
MD5: b46c5a50b6d707b37bd34e27e0f6cbaf
SHA1: cf76d2e4c9c3782a85c15c87bec5772b34ffd0e5
SHA256:5bba9ff50e5e637a0996a730619dee19ccae274883a4d28c890d945252bb0e12
Referenced In Project/Scope:Waarp Administrator:compile

CVE-2017-15945  

The installation scripts in the Gentoo dev-db/mysql, dev-db/mariadb, dev-db/percona-server, dev-db/mysql-cluster, and dev-db/mariadb-galera packages before 2017-09-29 have chown calls for user-writable directory trees, which allows local users to gain privileges by leveraging access to the mysql account for creation of a link.
CWE-732 Incorrect Permission Assignment for Critical Resource

CVSSv2:
  • Base Score: HIGH (7.2)
  • Vector: /AV:L/AC:L/Au:N/C:C/I:C/A:C
CVSSv3:
  • Base Score: HIGH (7.8)
  • Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVE-2018-3258 (OSSINDEX)  

Vulnerability in the MySQL Connectors component of Oracle MySQL (subcomponent: Connector/J). Supported versions that are affected are 8.0.12 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Connectors. Successful attacks of this vulnerability can result in takeover of MySQL Connectors. CVSS 3.0 Base Score 8.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
CVSSv3:
  • Base Score: HIGH (8.8)
  • Vector: CVSS:/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:mysql:mysql-connector-java:5.1.49:*:*:*:*:*:*:*

CVE-2019-2692  

Vulnerability in the MySQL Connectors component of Oracle MySQL (subcomponent: Connector/J). Supported versions that are affected are 8.0.15 and prior. Difficult to exploit vulnerability allows high privileged attacker with logon to the infrastructure where MySQL Connectors executes to compromise MySQL Connectors. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in takeover of MySQL Connectors. CVSS 3.0 Base Score 6.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H).
NVD-CWE-noinfo

CVSSv2:
  • Base Score: LOW (3.5)
  • Vector: /AV:L/AC:H/Au:S/C:P/I:P/A:P
CVSSv3:
  • Base Score: MEDIUM (6.3)
  • Vector: CVSS:3.0/AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H

netty-all-4.1.59.Final.jar

File Path: /home/frederic/.m2/repository/io/netty/netty-all/4.1.59.Final/netty-all-4.1.59.Final.jar
MD5: 20d0265af69d43d65093d152d1ac5f51
SHA1: 4d83eab2c554587e15fa9cc20de48c530b23c479
SHA256:c483e8103dbce2a4b57e0b99ea2c128a29b57be677ee62e44d767fa425c3fe7a
Referenced In Project/Scope:Waarp Administrator:compile

netty-http-java6-1.5.0.jar

Description:

Waarp shaded jar for Netty HTTP Router for Java 6

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/frederic/.m2/repository/Waarp/netty-http-java6/1.5.0/netty-http-java6-1.5.0.jar
MD5: c626a48ebeb6d2c0dfea9953a1db333b
SHA1: 11a3759b842014ccadd544dd58c9320a44ff41a1
SHA256:6676f2f137eace2c32a534567d92c2167aa9e27cc47de585c5d79e7e32bdf373
Referenced In Project/Scope:Waarp Administrator:compile

netty-tcnative-boringssl-static-2.0.36.Final.jar

Description:

A Mavenized fork of Tomcat Native which incorporates various patches. This artifact is statically linked to BoringSSL and Apache APR.

File Path: /home/frederic/.m2/repository/io/netty/netty-tcnative-boringssl-static/2.0.36.Final/netty-tcnative-boringssl-static-2.0.36.Final.jar
MD5: 61fca971d9f1175e934d5c01d3fcabeb
SHA1: f35f05118d846dfe30a4e7f757a47601ee9d0cea
SHA256:2c0d55797dbfcb3d8639eab4957b37a8d7982f32196f029b25a2ff0e326f118f
Referenced In Project/Scope:Waarp Administrator:compile

osgi-resource-locator-1.0.1.jar

Description:

See http://wiki.glassfish.java.net/Wiki.jsp?page=JdkSpiOsgi for more information

License:

https://glassfish.dev.java.net/nonav/public/CDDL+GPL.html
File Path: /home/frederic/.m2/repository/org/glassfish/hk2/osgi-resource-locator/1.0.1/osgi-resource-locator-1.0.1.jar
MD5: 51e70ad8fc9d1e9fb19debeb55555b75
SHA1: 4ed2b2d4738aed5786cfa64cba5a332779c4c708
SHA256:775003be577e8806f51b6e442be1033d83be2cb2207227b349be0bf16e6c0843
Referenced In Project/Scope:Waarp Administrator:compile

postgresql-42.2.19.jre6.jar

Description:

PostgreSQL JDBC Driver Postgresql-jre6

License:

BSD-2-Clause: https://jdbc.postgresql.org/about/license.html
File Path: /home/frederic/.m2/repository/org/postgresql/postgresql/42.2.19.jre6/postgresql-42.2.19.jre6.jar
MD5: 3b73434467f488892dffe8948be277b1
SHA1: 3af16b10c6854d42389dffdeb5ca3aa6846c2095
SHA256:2467bbbb47b868e4ef801b6d20cfd76a0e6dfb8599df2e5d63a0521245cd4e0d
Referenced In Project/Scope:Waarp Administrator:compile

slf4j-api-1.7.30.jar

Description:

The slf4j API

File Path: /home/frederic/.m2/repository/org/slf4j/slf4j-api/1.7.30/slf4j-api-1.7.30.jar
MD5: f8be00da99bc4ab64c79ab1e2be7cb7c
SHA1: b5a4b6d16ab13e34a88fae84c35cd5d68cac922c
SHA256:cdba07964d1bb40a0761485c6b1e8c2f8fd9eb1d19c53928ac0d7f9510105c57
Referenced In Project/Scope:Waarp Administrator:compile

snmp4j-2.6.3.jar

Description:

SNMP API for Java

License:

Apache 2: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/frederic/.m2/repository/org/snmp4j/snmp4j/2.6.3/snmp4j-2.6.3.jar
MD5: 3fbdac27dfc57221dfc8c2dd3e1ef7e7
SHA1: 6e30241759ed24efe9b64944ed52467122bafafa
SHA256:65cfa42dfe346bc991cbd3eb9e8356269f288c98cc12a423263ffcb78324a784
Referenced In Project/Scope:Waarp Administrator:compile

snmp4j-agent-2.6.3.jar

Description:

SNMP-Agent API for Java

License:

Apache 2: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/frederic/.m2/repository/org/snmp4j/snmp4j-agent/2.6.3/snmp4j-agent-2.6.3.jar
MD5: 04b124cd7e7edb42ffbf23c4335a3e64
SHA1: 92ca6fedf945342a0b479963dd9c0a3700046335
SHA256:75646cbcc9a3b742e7bdd0b86226d8ab3eb0d473d230a4e013b601bbb8a0ffdf
Referenced In Project/Scope:Waarp Administrator:compile

xercesImpl-2.12.1.jar

Description:

Xerces2 is the next generation of high performance, fully compliant XML parsers in the Apache Xerces family. This new version of Xerces introduces the Xerces Native Interface (XNI), a complete framework for building parser components and configurations that is extremely modular and easy to program. The Apache Xerces2 parser is the reference implementation of XNI but other parser components, configurations, and parsers can be written using the Xerces Native Interface. For complete design and implementation documents, refer to the XNI Manual. Xerces2 is a fully conforming XML Schema 1.0 processor. A partial experimental implementation of the XML Schema 1.1 Structures and Datatypes Working Drafts (December 2009) and an experimental implementation of the XML Schema Definition Language (XSD): Component Designators (SCD) Candidate Recommendation (January 2010) are provided for evaluation. For more information, refer to the XML Schema page. Xerces2 also provides a complete implementation of the Document Object Model Level 3 Core and Load/Save W3C Recommendations and provides a complete implementation of the XML Inclusions (XInclude) W3C Recommendation. It also provides support for OASIS XML Catalogs v1.1. Xerces2 is able to parse documents written according to the XML 1.1 Recommendation, except that it does not yet provide an option to enable normalization checking as described in section 2.13 of this specification. It also handles namespaces according to the XML Namespaces 1.1 Recommendation, and will correctly serialize XML 1.1 documents if the DOM level 3 load/save APIs are in use.

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/frederic/.m2/repository/org/exist-db/thirdparty/xerces/xercesImpl/2.12.1/xercesImpl-2.12.1.jar
MD5: 9f82c362c893779109c1de812c5d4deb
SHA1: 3a206b25679f598a03374afd4e0410d8849b088b
SHA256:ae0c329a3187178c8e7b0369a5346845e426062ffbb8a08fc68ced6affe6c626
Referenced In Project/Scope:Waarp Administrator:compile

CVE-2018-1000823  

exist version <= 5.0.0-RC4 contains an XML External Entity (XXE) vulnerability in XML Parser for REST Server that can result in disclosure of confidential data, denial of service, SSRF, port scanning.
CWE-611 Improper Restriction of XML External Entity Reference ('XXE')

CVSSv2:
  • Base Score: HIGH (7.5)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSSv3:
  • Base Score: CRITICAL (10.0)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H



This report contains data retrieved from the National Vulnerability Database.
This report may contain data retrieved from the NPM Public Advisories.
This report may contain data retrieved from RetireJS.
This report may contain data retrieved from the Sonatype OSS Index.