Dependency-Check is an open source tool performing a best effort analysis of 3rd party dependencies; false positives and false negatives may exist in the analysis performed by the tool. Use of the tool and the reporting provided constitutes acceptance for use in an AS IS condition, and there are NO warranties, implied or otherwise, with regard to the analysis or its use. Any use of the tool and the reporting provided is at the user’s risk. In no event shall the copyright holder or OWASP be held liable for any damages whatsoever arising out of or in connection with the use of this tool, the analysis performed, or the resulting report.


Project: Waarp XMLEditor

Waarp:WaarpXmlEditor:3.5.2


Summary

Display: Showing Vulnerable Dependencies

| Dependency | Vulnerability IDs | Package | Highest Severity | CVE Count | Confidence | Evidence Count |
|---|---|---|---|---|---|---|
| XML-APIS-2.5.0.jar | | pkg:maven/XML-APIS/XML-APIS@2.5.0 | | 0 | | 34 |
| XMLEditor-2.2.jar | | pkg:maven/XMLEditor/XMLEditor@2.2 | | 0 | | 11 |
| Xerces-2.5.0.jar | | pkg:maven/Xerces/Xerces@2.5.0 | | 0 | | 37 |
| commons-beanutils-1.9.4.jar | cpe:2.3:a:apache:commons_beanutils:1.9.4:*:*:*:*:*:*:* | pkg:maven/commons-beanutils/commons-beanutils@1.9.4 | | 0 | Highest | 41 |
| commons-collections-3.2.2.jar | cpe:2.3:a:apache:commons_collections:3.2.2:*:*:*:*:*:*:* | pkg:maven/commons-collections/commons-collections@3.2.2 | | 0 | Highest | 41 |
| commons-compress-1.20.jar | cpe:2.3:a:apache:commons-compress:1.20:*:*:*:*:*:*:*, cpe:2.3:a:apache:commons_compress:1.20:*:*:*:*:*:*:* | pkg:maven/org.apache.commons/commons-compress@1.20 | | 0 | Highest | 45 |
| commons-daemon-1.2.4.jar | cpe:2.3:a:apache:apache_commons_daemon:1.2.4:*:*:*:*:*:*:* | pkg:maven/commons-daemon/commons-daemon@1.2.4 | | 0 | Low | 43 |
| commons-dbcp-1.4.jar | | pkg:maven/commons-dbcp/commons-dbcp@1.4 | | 0 | | 35 |
| commons-io-2.6.jar | | pkg:maven/commons-io/commons-io@2.6 | | 0 | | 40 |
| commons-logging-1.2.jar | | pkg:maven/commons-logging/commons-logging@1.2 | | 0 | | 36 |
| commons-pool-1.6.jar | | pkg:maven/commons-pool/commons-pool@1.6 | | 0 | | 36 |
| dom4j-2.0.3.jar | cpe:2.3:a:dom4j_project:dom4j:2.0.3:*:*:*:*:*:*:* | pkg:maven/org.dom4j/dom4j@2.0.3 | | 0 | Highest | 16 |
| guava-20.0.jar | cpe:2.3:a:google:guava:20.0:*:*:*:*:*:*:* | pkg:maven/com.google.guava/guava@20.0 | MEDIUM | 2 | Highest | 24 |
| h2-1.4.191.jar | cpe:2.3:a:h2database:h2:1.4.191:*:*:*:*:*:*:* | pkg:maven/com.h2database/h2@1.4.191 | | 0 | Highest | 30 |
| h2-1.4.191.jar: data.zip: table.js | | | | 0 | | 0 |
| h2-1.4.191.jar: data.zip: tree.js | | | | 0 | | 0 |
| jackson-core-2.7.9.jar | cpe:2.3:a:fasterxml:jackson-modules-java8:2.7.9:*:*:*:*:*:*:* | pkg:maven/com.fasterxml.jackson.core/jackson-core@2.7.9 | MEDIUM | 1 | Low | 46 |
| jackson-databind-2.7.9.6.jar | cpe:2.3:a:fasterxml:jackson-databind:2.7.9.6:*:*:*:*:*:*:*, cpe:2.3:a:fasterxml:jackson-modules-java8:2.7.9.6:*:*:*:*:*:*:* | pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.7.9.6 | CRITICAL | 32 | Highest | 42 |
| jackson-dataformat-smile-2.7.9.jar | cpe:2.3:a:fasterxml:jackson-dataformat-xml:2.7.9:*:*:*:*:*:*:* | pkg:maven/com.fasterxml.jackson.dataformat/jackson-dataformat-smile@2.7.9 | | 0 | Highest | 42 |
| javax.ws.rs-api-2.0.1.jar | cpe:2.3:a:oracle:web_services:2.0.1:*:*:*:*:*:*:* | pkg:maven/javax.ws.rs/javax.ws.rs-api@2.0.1 | | 0 | Low | 41 |
| jaxen-1.2.0.jar | | pkg:maven/jaxen/jaxen@1.2.0 | | 0 | | 26 |
| jsr305-3.0.2.jar | | pkg:maven/com.google.code.findbugs/jsr305@3.0.2 | | 0 | | 17 |
| logback-core-1.2.3.jar | cpe:2.3:a:logback:logback:1.2.3:*:*:*:*:*:*:* | pkg:maven/ch.qos.logback/logback-core@1.2.3 | | 0 | Highest | 32 |
| mariadb-java-client-1.7.4.jar | | pkg:maven/org.mariadb.jdbc/mariadb-java-client@1.7.4 | | 0 | | 29 |
| mysql-connector-java-5.1.49.jar | cpe:2.3:a:mysql:mysql:5.1.49:*:*:*:*:*:*:*, cpe:2.3:a:oracle:mysql_connector\/j:5.1.49:*:*:*:*:*:*:* | pkg:maven/mysql/mysql-connector-java@5.1.49 | HIGH | 3 | Highest | 38 |
| netty-all-4.1.59.Final.jar | cpe:2.3:a:netty:netty:4.1.59:*:*:*:*:*:*:* | pkg:maven/io.netty/netty-all@4.1.59.Final | | 0 | Highest | 23 |
| netty-http-java6-1.5.0.jar | | pkg:maven/Waarp/netty-http-java6@1.5.0 | | 0 | | 19 |
| netty-tcnative-boringssl-static-2.0.36.Final.jar | | pkg:maven/io.netty/netty-tcnative-boringssl-static@2.0.36.Final | | 0 | | 19 |
| plugin-1.6.jar | | pkg:maven/sun.plugin/plugin@1.6 | | 0 | | 17 |
| postgresql-42.2.19.jre6.jar | cpe:2.3:a:postgresql:postgresql:42.2.19.jre6:*:*:*:*:*:*:*, cpe:2.3:a:postgresql:postgresql_jdbc_driver:42.2.19.jre6:*:*:*:*:*:*:* | pkg:maven/org.postgresql/postgresql@42.2.19.jre6 | | 0 | Highest | 43 |
| slf4j-api-1.7.30.jar | | pkg:maven/org.slf4j/slf4j-api@1.7.30 | | 0 | | 29 |
| xercesImpl-2.12.1.jar | cpe:2.3:a:exist-db:exist:2.12.1:*:*:*:*:*:*:* | pkg:maven/org.exist-db.thirdparty.xerces/xercesImpl@2.12.1 | CRITICAL | 1 | Highest | 75 |

Dependencies

XML-APIS-2.5.0.jar

Description:

POM was created from install:install-file

File Path: /home/frederic/.m2/repository/XML-APIS/XML-APIS/2.5.0/XML-APIS-2.5.0.jar
MD5: d96b62c9d7c2a81efd1986b59582e4e1
SHA1: 5f3baec73262ebebc87a457fb24012bedb6f0ca6
SHA256:00e7ff4fb2f424bb3c6031b6e7ad03c2badf7af08c1798c8ede6a5d7b7843520
Referenced In Project/Scope:Waarp XMLEditor:compile

Identifiers

XMLEditor-2.2.jar

Description:

POM was created from install:install-file

File Path: /home/frederic/.m2/repository/XMLEditor/XMLEditor/2.2/XMLEditor-2.2.jar
MD5: 4a4a0b6d61460d738a469ad200809624
SHA1: 0b6ed34aa9b29b3e093ede285d08f6bce7128504
SHA256:a84c1f3cdd1d38bdea7fa1513c152b50957eef17bc7d42f585d2c2dc31b9663d
Referenced In Project/Scope:Waarp XMLEditor:compile

Identifiers

Xerces-2.5.0.jar

Description:

POM was created from install:install-file

File Path: /home/frederic/.m2/repository/Xerces/Xerces/2.5.0/Xerces-2.5.0.jar
MD5: 17c7b058d32d6df45456e1728a299ba1
SHA1: c0468bac6d11a07ffc69506003cfedc0ce54e172
SHA256:d1ff701c93fdd4838b95ccef54b83b3f2f9200052fe34fe8b82a0fbabfc1a72c
Referenced In Project/Scope:Waarp XMLEditor:compile

Identifiers

commons-beanutils-1.9.4.jar

Description:

Apache Commons BeanUtils provides an easy-to-use but flexible wrapper around reflection and introspection.

License:

https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/frederic/.m2/repository/commons-beanutils/commons-beanutils/1.9.4/commons-beanutils-1.9.4.jar
MD5: 07dc532ee316fe1f2f0323e9bd2f8df4
SHA1: d52b9abcd97f38c81342bb7e7ae1eee9b73cba51
SHA256:7d938c81789028045c08c065e94be75fc280527620d5bd62b519d5838532368a
Referenced In Project/Scope:Waarp XMLEditor:compile

Identifiers

commons-collections-3.2.2.jar

Description:

Types that extend and augment the Java Collections Framework.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/frederic/.m2/repository/commons-collections/commons-collections/3.2.2/commons-collections-3.2.2.jar
MD5: f54a8510f834a1a57166970bfc982e94
SHA1: 8ad72fe39fa8c91eaaf12aadb21e0c3661fe26d5
SHA256:eeeae917917144a68a741d4c0dff66aa5c5c5fd85593ff217bced3fc8ca783b8
Referenced In Project/Scope:Waarp XMLEditor:compile

Identifiers

commons-compress-1.20.jar

Description:

Apache Commons Compress software defines an API for working with compression and archive formats. These include: bzip2, gzip, pack200, lzma, xz, Snappy, traditional Unix Compress, DEFLATE, DEFLATE64, LZ4, Brotli, Zstandard and ar, cpio, jar, tar, zip, dump, 7z, arj.

License:

https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/frederic/.m2/repository/org/apache/commons/commons-compress/1.20/commons-compress-1.20.jar
MD5: 3f7237fb56029591b5bdd2698c196220
SHA1: b8df472b31e1f17c232d2ad78ceb1c84e00c641b
SHA256:0aeb625c948c697ea7b205156e112363b59ed5e2551212cd4e460bdb72c7c06e
Referenced In Project/Scope:Waarp XMLEditor:compile

Identifiers

commons-daemon-1.2.4.jar

Description:

Apache Commons Daemon software is a set of utilities and Java support classes for running Java applications as server processes. These are commonly known as 'daemon' processes in Unix terminology (hence the name). On Windows they are called 'services'.

License:

https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/frederic/.m2/repository/commons-daemon/commons-daemon/1.2.4/commons-daemon-1.2.4.jar
MD5: 3b09311652913abfa26325b07ad35b14
SHA1: d60046797e74222fc6df647ffb9ab32946615264
SHA256:e9ca86791491454eb065475ded6f1d9669a6a015fd0f179ae0a92b20b8e0a71c
Referenced In Project/Scope:Waarp XMLEditor:compile

Identifiers

commons-dbcp-1.4.jar

Description:

Commons Database Connection Pooling

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/frederic/.m2/repository/commons-dbcp/commons-dbcp/1.4/commons-dbcp-1.4.jar
MD5: b004158fab904f37f5831860898b3cd9
SHA1: 30be73c965cc990b153a100aaaaafcf239f82d39
SHA256:a6e2d83551d0e5b59aa942359f3010d35e79365e6552ad3dbaa6776e4851e4f6
Referenced In Project/Scope:Waarp XMLEditor:compile

Identifiers

commons-io-2.6.jar

Description:

The Apache Commons IO library contains utility classes, stream implementations, file filters, file comparators, endian transformation classes, and much more.

License:

https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/frederic/.m2/repository/commons-io/commons-io/2.6/commons-io-2.6.jar
MD5: 467c2a1f64319c99b5faf03fc78572af
SHA1: 815893df5f31da2ece4040fe0a12fd44b577afaf
SHA256:f877d304660ac2a142f3865badfc971dec7ed73c747c7f8d5d2f5139ca736513
Referenced In Project/Scope:Waarp XMLEditor:compile

Identifiers

commons-logging-1.2.jar

Description:

Apache Commons Logging is a thin adapter allowing configurable bridging to other, well known logging systems.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/frederic/.m2/repository/commons-logging/commons-logging/1.2/commons-logging-1.2.jar
MD5: 040b4b4d8eac886f6b4a2a3bd2f31b00
SHA1: 4bfc12adfe4842bf07b657f0369c4cb522955686
SHA256:daddea1ea0be0f56978ab3006b8ac92834afeefbd9b7e4e6316fca57df0fa636
Referenced In Project/Scope:Waarp XMLEditor:compile

Identifiers

commons-pool-1.6.jar

Description:

Commons Object Pooling Library

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/frederic/.m2/repository/commons-pool/commons-pool/1.6/commons-pool-1.6.jar
MD5: 5ca02245c829422176d23fa530e919cc
SHA1: 4572d589699f09d866a226a14b7f4323c6d8f040
SHA256:46c42b4a38dc6b2db53a9ee5c92c63db103665d56694e2cfce2c95d51a6860cc
Referenced In Project/Scope:Waarp XMLEditor:compile

Identifiers

dom4j-2.0.3.jar

Description:

flexible XML framework for Java

License:

BSD 3-clause New License: https://github.com/dom4j/dom4j/blob/master/LICENSE
File Path: /home/frederic/.m2/repository/org/dom4j/dom4j/2.0.3/dom4j-2.0.3.jar
MD5: e52772ce926518c4b58ce7084cb365f1
SHA1: 486bf7f9c368f621e616b9a3532253f23665a104
SHA256:b9ee0981b983ff71605c63cae5c12e0e5facb030bc1c1cd586447e28afc2876e
Referenced In Project/Scope:Waarp XMLEditor:compile

Identifiers

guava-20.0.jar

Description:

Guava is a suite of core and expanded libraries that include utility classes, google's collections, io classes, and much much more.

Guava has only one code dependency - javax.annotation, per the JSR-305 spec.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/frederic/.m2/repository/com/google/guava/guava/20.0/guava-20.0.jar
MD5: f32a8a2524620dbecc9f6bf6a20c293f
SHA1: 89507701249388e1ed5ddcf8c41f4ce1be7831ef
SHA256:36a666e3b71ae7f0f0dca23654b67e086e6c93d192f60ba5dfd5519db6c288c8
Referenced In Project/Scope:Waarp XMLEditor:compile

Identifiers

CVE-2018-10237  

Unbounded memory allocation in Google Guava 11.0 through 24.x before 24.1.1 allows remote attackers to conduct denial of service attacks against servers that depend on this library and deserialize attacker-provided data, because the AtomicDoubleArray class (when serialized with Java serialization) and the CompoundOrdering class (when serialized with GWT serialization) perform eager allocation without appropriate checks on what a client has sent and whether the data size is reasonable.
CWE-770 Allocation of Resources Without Limits or Throttling

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:N/A:P
CVSSv3:
  • Base Score: MEDIUM (5.9)
  • Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

References:

Vulnerable Software & Versions:

CVE-2020-8908  

A temp directory creation vulnerability exists in all versions of Guava, allowing an attacker with access to the machine to potentially access data in a temporary directory created by the Guava API com.google.common.io.Files.createTempDir(). By default, on unix-like systems, the created directory is world-readable (readable by an attacker with access to the system). The method in question has been marked @Deprecated in versions 30.0 and later and should not be used. For Android developers, we recommend choosing a temporary directory API provided by Android, such as context.getCacheDir(). For other Java developers, we recommend migrating to the Java 7 API java.nio.file.Files.createTempDirectory() which explicitly configures permissions of 700, or configuring the Java runtime's java.io.tmpdir system property to point to a location whose permissions are appropriately configured.
CWE-732 Incorrect Permission Assignment for Critical Resource

CVSSv2:
  • Base Score: LOW (2.1)
  • Vector: /AV:L/AC:L/Au:N/C:P/I:N/A:N
CVSSv3:
  • Base Score: LOW (3.3)
  • Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

References:

Vulnerable Software & Versions:

h2-1.4.191.jar

Description:

H2 Database Engine

License:

MPL 2.0, and EPL 1.0: http://h2database.com/html/license.html
File Path: /home/frederic/.m2/repository/com/h2database/h2/1.4.191/h2-1.4.191.jar
MD5: dda3c5e5615f0e29a9bc6b14d20fb0c2
SHA1: dec3540178ea889b2871b0ed56db14bbec9cfdfc
SHA256:e21ea665b74ec0115344b5afda5ec70ea27b528c3f103524e74c9854b1c4a284
Referenced In Project/Scope:Waarp XMLEditor:compile

Identifiers

h2-1.4.191.jar: data.zip: table.js

File Path: /home/frederic/.m2/repository/com/h2database/h2/1.4.191/h2-1.4.191.jar/org/h2/util/data.zip/org/h2/server/web/res/table.js
MD5: a914a66de53dcdeb39684f1ce8ce8527
SHA1: c41ef5fb193ac25622f4e129470339aec24d731a
SHA256:8c5b079b38e94718bb58a71b0e310bad6c1004670a19c1bc0f63b32fdd81134a
Referenced In Project/Scope:Waarp XMLEditor:compile

Identifiers

  • None

h2-1.4.191.jar: data.zip: tree.js

File Path: /home/frederic/.m2/repository/com/h2database/h2/1.4.191/h2-1.4.191.jar/org/h2/util/data.zip/org/h2/server/web/res/tree.js
MD5: 495277155635a72b0c69f987d938b6e1
SHA1: 446cad47e33a62baf330ee5200646b5ccb9c0df9
SHA256:14c797bd700570c38e8af1aa50ecea205a385be466ec9431e46dbe586ce7a61c
Referenced In Project/Scope:Waarp XMLEditor:compile

Identifiers

  • None

jackson-core-2.7.9.jar

Description:

Core Jackson abstractions, basic JSON streaming API implementation

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/frederic/.m2/repository/com/fasterxml/jackson/core/jackson-core/2.7.9/jackson-core-2.7.9.jar
MD5: f5d0dfe03814113d792e75e885699640
SHA1: 09b530cec4fd2eb841ab8e79f19fc7cf0ec487b2
SHA256:bd90721420bb899a974ed09a107fef42ca8cc7c8e055762f6c81576132e5bbc5
Referenced In Project/Scope:Waarp XMLEditor:compile

Identifiers

CVE-2018-1000873  

Fasterxml Jackson version before 2.9.8 contains a CWE-20: Improper Input Validation vulnerability in Jackson-Modules-Java8 that can result in a denial-of-service (DoS). This attack appears to be exploitable when the victim deserializes malicious input, specifically very large values in the nanoseconds field of a time value. This vulnerability appears to have been fixed in 2.9.8.
CWE-20 Improper Input Validation

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:N/A:P
CVSSv3:
  • Base Score: MEDIUM (6.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

References:

Vulnerable Software & Versions:

jackson-databind-2.7.9.6.jar

Description:

General data-binding functionality for Jackson: works on core streaming API

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/frederic/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.7.9.6/jackson-databind-2.7.9.6.jar
MD5: 56c7443cccf36b6bc6eb661a4d128762
SHA1: 562ce1931544a1ae4a3d0e8523c2068fea4198fa
SHA256:368c7a722e45d8bbbbbfad953f4999c383ecab5bf366fa85ed4115534e377a43
Referenced In Project/Scope:Waarp XMLEditor:compile

Identifiers

CVE-2017-15095 (OSSINDEX)  

A deserialization flaw was discovered in the jackson-databind in versions before 2.8.10 and 2.9.1, which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper. This issue extends the previous flaw CVE-2017-7525 by blacklisting more classes that could be used maliciously.
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:com.fasterxml.jackson.core:jackson-databind:2.7.9.6:*:*:*:*:*:*:*

CVE-2017-17485 (OSSINDEX)  

FasterXML jackson-databind through 2.8.10 and 2.9.x through 2.9.3 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the Spring libraries are available in the classpath.
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:com.fasterxml.jackson.core:jackson-databind:2.7.9.6:*:*:*:*:*:*:*

CVE-2018-1000873  

Fasterxml Jackson version before 2.9.8 contains a CWE-20: Improper Input Validation vulnerability in Jackson-Modules-Java8 that can result in a denial-of-service (DoS). This attack appears to be exploitable when the victim deserializes malicious input, specifically very large values in the nanoseconds field of a time value. This vulnerability appears to have been fixed in 2.9.8.
CWE-20 Improper Input Validation

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:N/A:P
CVSSv3:
  • Base Score: MEDIUM (6.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

References:

Vulnerable Software & Versions:

CVE-2019-14540 (OSSINDEX)  

A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to com.zaxxer.hikari.HikariConfig.
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:com.fasterxml.jackson.core:jackson-databind:2.7.9.6:*:*:*:*:*:*:*

CVE-2019-14893 (OSSINDEX)  

A flaw was discovered in FasterXML jackson-databind in all versions before 2.9.10 and 2.10.0, where it would permit polymorphic deserialization of malicious objects using the xalan JNDI gadget when used in conjunction with polymorphic type handling methods such as `enableDefaultTyping()` or when @JsonTypeInfo is using `Id.CLASS` or `Id.MINIMAL_CLASS` or in any other way which ObjectMapper.readValue might instantiate objects from unsafe sources. An attacker could use this flaw to execute arbitrary code.
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:com.fasterxml.jackson.core:jackson-databind:2.7.9.6:*:*:*:*:*:*:*

CVE-2019-16335 (OSSINDEX)  

A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to com.zaxxer.hikari.HikariDataSource. This is a different vulnerability than CVE-2019-14540.
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:com.fasterxml.jackson.core:jackson-databind:2.7.9.6:*:*:*:*:*:*:*

CVE-2019-16942 (OSSINDEX)  

A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the commons-dbcp (1.4) jar in the classpath, and an attacker can find an RMI service endpoint to access, it is possible to make the service execute a malicious payload. This issue exists because of org.apache.commons.dbcp.datasources.SharedPoolDataSource and org.apache.commons.dbcp.datasources.PerUserPoolDataSource mishandling.
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:com.fasterxml.jackson.core:jackson-databind:2.7.9.6:*:*:*:*:*:*:*

CVE-2019-16943 (OSSINDEX)  

A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the p6spy (3.8.6) jar in the classpath, and an attacker can find an RMI service endpoint to access, it is possible to make the service execute a malicious payload. This issue exists because of com.p6spy.engine.spy.P6DataSource mishandling.
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:com.fasterxml.jackson.core:jackson-databind:2.7.9.6:*:*:*:*:*:*:*

CVE-2019-17267 (OSSINDEX)  

A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to net.sf.ehcache.hibernate.EhcacheJtaTransactionManagerLookup.
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:com.fasterxml.jackson.core:jackson-databind:2.7.9.6:*:*:*:*:*:*:*

CVE-2019-17531 (OSSINDEX)  

A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the apache-log4j-extra (version 1.2.x) jar in the classpath, and an attacker can provide a JNDI service to access, it is possible to make the service execute a malicious payload.
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:com.fasterxml.jackson.core:jackson-databind:2.7.9.6:*:*:*:*:*:*:*

CVE-2019-20330  

FasterXML jackson-databind 2.x before 2.9.10.2 lacks certain net.sf.ehcache blocking.
CWE-502 Deserialization of Untrusted Data

CVSSv2:
  • Base Score: HIGH (7.5)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions:

CVE-2020-10672 (OSSINDEX)  

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.aries.transaction.jms.internal.XaPooledConnectionFactory (aka aries.transaction.jms).
CVSSv3:
  • Base Score: HIGH (8.8)
  • Vector: CVSS:/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:com.fasterxml.jackson.core:jackson-databind:2.7.9.6:*:*:*:*:*:*:*

CVE-2020-10673 (OSSINDEX)  

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to com.caucho.config.types.ResourceRef (aka caucho-quercus).
CVSSv3:
  • Base Score: HIGH (8.8)
  • Vector: CVSS:/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:com.fasterxml.jackson.core:jackson-databind:2.7.9.6:*:*:*:*:*:*:*

CVE-2020-10968 (OSSINDEX)  

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.aoju.bus.proxy.provider.remoting.RmiProvider (aka bus-proxy).
CVSSv3:
  • Base Score: HIGH (8.8)
  • Vector: CVSS:/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:com.fasterxml.jackson.core:jackson-databind:2.7.9.6:*:*:*:*:*:*:*

CVE-2020-10969  

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to javax.swing.JEditorPane.
CWE-502 Deserialization of Untrusted Data

CVSSv2:
  • Base Score: MEDIUM (6.8)
  • Vector: /AV:N/AC:M/Au:N/C:P/I:P/A:P
CVSSv3:
  • Base Score: HIGH (8.8)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions:

CVE-2020-11111 (OSSINDEX)  

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.activemq.* (aka activemq-jms, activemq-core, activemq-pool, and activemq-pool-jms).
CVSSv3:
  • Base Score: HIGH (8.8)
  • Vector: CVSS:/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:com.fasterxml.jackson.core:jackson-databind:2.7.9.6:*:*:*:*:*:*:*

CVE-2020-11112 (OSSINDEX)  

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.proxy.provider.remoting.RmiProvider (aka apache/commons-proxy).
CVSSv3:
  • Base Score: HIGH (8.8)
  • Vector: CVSS:/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:com.fasterxml.jackson.core:jackson-databind:2.7.9.6:*:*:*:*:*:*:*

CVE-2020-11113 (OSSINDEX)  

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.openjpa.ee.WASRegistryManagedRuntime (aka openjpa).
CVSSv3:
  • Base Score: HIGH (8.8)
  • Vector: CVSS:/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:com.fasterxml.jackson.core:jackson-databind:2.7.9.6:*:*:*:*:*:*:*

CVE-2020-11619 (OSSINDEX)  

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.springframework.aop.config.MethodLocatingFactoryBean (aka spring-aop).
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:com.fasterxml.jackson.core:jackson-databind:2.7.9.6:*:*:*:*:*:*:*

CVE-2020-11620 (OSSINDEX)  

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.jelly.impl.Embedded (aka commons-jelly).
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:com.fasterxml.jackson.core:jackson-databind:2.7.9.6:*:*:*:*:*:*:*

CVE-2020-14060 (OSSINDEX)  

FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to oadd.org.apache.xalan.lib.sql.JNDIConnectionPool (aka apache/drill).
CVSSv3:
  • Base Score: HIGH (8.1)
  • Vector: CVSS:/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:com.fasterxml.jackson.core:jackson-databind:2.7.9.6:*:*:*:*:*:*:*

CVE-2020-14061 (OSSINDEX)  

FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to oracle.jms.AQjmsQueueConnectionFactory, oracle.jms.AQjmsXATopicConnectionFactory, oracle.jms.AQjmsTopicConnectionFactory, oracle.jms.AQjmsXAQueueConnectionFactory, and oracle.jms.AQjmsXAConnectionFactory (aka weblogic/oracle-aqjms).
CVSSv3:
  • Base Score: HIGH (8.1)
  • Vector: CVSS:/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:com.fasterxml.jackson.core:jackson-databind:2.7.9.6:*:*:*:*:*:*:*

CVE-2020-14062 (OSSINDEX)  

FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to com.sun.org.apache.xalan.internal.lib.sql.JNDIConnectionPool (aka xalan2).
CVSSv3:
  • Base Score: HIGH (8.1)
  • Vector: CVSS:/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:com.fasterxml.jackson.core:jackson-databind:2.7.9.6:*:*:*:*:*:*:*

CVE-2020-14195 (OSSINDEX)  

FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to org.jsecurity.realm.jndi.JndiRealmFactory (aka org.jsecurity).
CVSSv3:
  • Base Score: HIGH (8.1)
  • Vector: CVSS:/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:com.fasterxml.jackson.core:jackson-databind:2.7.9.6:*:*:*:*:*:*:*

CVE-2020-24616 (OSSINDEX)  

FasterXML jackson-databind 2.x before 2.9.10.6 mishandles the interaction between serialization gadgets and typing, related to br.com.anteros.dbcp.AnterosDBCPDataSource (aka Anteros-DBCP).
CVSSv3:
  • Base Score: HIGH (8.1)
  • Vector: CVSS:/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:com.fasterxml.jackson.core:jackson-databind:2.7.9.6:*:*:*:*:*:*:*

CVE-2020-24750 (OSSINDEX)  

FasterXML jackson-databind 2.x before 2.9.10.6 mishandles the interaction between serialization gadgets and typing, related to com.pastdev.httpcomponents.configuration.JndiConfiguration.
CVSSv3:
  • Base Score: HIGH (8.1)
  • Vector: CVSS:/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:com.fasterxml.jackson.core:jackson-databind:2.7.9.6:*:*:*:*:*:*:*

CVE-2020-35490  

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.dbcp2.datasources.PerUserPoolDataSource.
CWE-502 Deserialization of Untrusted Data

CVSSv2:
  • Base Score: MEDIUM (6.8)
  • Vector: /AV:N/AC:M/Au:N/C:P/I:P/A:P
CVSSv3:
  • Base Score: HIGH (8.1)
  • Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions:

CVE-2020-35491  

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.dbcp2.datasources.SharedPoolDataSource.
CWE-502 Deserialization of Untrusted Data

CVSSv2:
  • Base Score: MEDIUM (6.8)
  • Vector: /AV:N/AC:M/Au:N/C:P/I:P/A:P
CVSSv3:
  • Base Score: HIGH (8.1)
  • Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions:

CVE-2020-8840  

FasterXML jackson-databind 2.0.0 through 2.9.10.2 lacks certain xbean-reflect/JNDI blocking, as demonstrated by org.apache.xbean.propertyeditor.JndiConverter.
CWE-502 Deserialization of Untrusted Data

CVSSv2:
  • Base Score: HIGH (7.5)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions:

CVE-2020-9546  

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.hadoop.shaded.com.zaxxer.hikari.HikariConfig (aka shaded hikari-config).
CWE-502 Deserialization of Untrusted Data

CVSSv2:
  • Base Score: MEDIUM (6.8)
  • Vector: /AV:N/AC:M/Au:N/C:P/I:P/A:P
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions:

CVE-2020-9547  

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to com.ibatis.sqlmap.engine.transaction.jta.JtaTransactionConfig (aka ibatis-sqlmap).
CWE-502 Deserialization of Untrusted Data

CVSSv2:
  • Base Score: MEDIUM (6.8)
  • Vector: /AV:N/AC:M/Au:N/C:P/I:P/A:P
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions:

CVE-2020-9548  

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to br.com.anteros.dbcp.AnterosDBCPConfig (aka anteros-core).
CWE-502 Deserialization of Untrusted Data

CVSSv2:
  • Base Score: MEDIUM (6.8)
  • Vector: /AV:N/AC:M/Au:N/C:P/I:P/A:P
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions:

jackson-dataformat-smile-2.7.9.jar

Description:

Support for reading and writing Smile ("binary JSON") encoded data using Jackson abstractions (streaming API, data binding, tree model)

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/frederic/.m2/repository/com/fasterxml/jackson/dataformat/jackson-dataformat-smile/2.7.9/jackson-dataformat-smile-2.7.9.jar
MD5: eb20c11444c0aeb464a7302930ec18e0
SHA1: 3aef8d360e5bb6f8044964ba831f5cd53a663fe3
SHA256: 8df9cfc493a3e3c6c0d5eacf019ca06b2fae7f97eac4a7efdbab6694ba1dc643
Referenced In Project/Scope: Waarp XMLEditor:compile

Identifiers

javax.ws.rs-api-2.0.1.jar

Description:

Java API for RESTful Web Services (JAX-RS)

License:

CDDL 1.1: http://glassfish.java.net/public/CDDL+GPL_1_1.html
GPL2 w/ CPE: http://glassfish.java.net/public/CDDL+GPL_1_1.html
File Path: /home/frederic/.m2/repository/javax/ws/rs/javax.ws.rs-api/2.0.1/javax.ws.rs-api-2.0.1.jar
MD5: edcd111cf4d3ba8ac8e1f326efc37a17
SHA1: 104e9c2b5583cfcfeac0402316221648d6d8ea6b
SHA256: 38607d626f2288d8fbc1b1f8a62c369e63806d9a313ac7cbc5f9d6c94f4b466d
Referenced In Project/Scope: Waarp XMLEditor:compile

Identifiers

jaxen-1.2.0.jar

Description:

Jaxen is a universal XPath engine for Java.

License:

BSD License 2.0: https://raw.githubusercontent.com/jaxen-xpath/jaxen/master/LICENSE.txt
File Path: /home/frederic/.m2/repository/jaxen/jaxen/1.2.0/jaxen-1.2.0.jar
MD5: c32cf69356254b8f5050fce6e86358e9
SHA1: c10535a925bd35129a4329bc75065cc6b5293f2c
SHA256: 70feef9dd75ad064def05a3ce8975aeba515ee7d1be146d12199c8828a64174c
Referenced In Project/Scope: Waarp XMLEditor:compile

Identifiers

jsr305-3.0.2.jar

Description:

JSR305 Annotations for Findbugs

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/frederic/.m2/repository/com/google/code/findbugs/jsr305/3.0.2/jsr305-3.0.2.jar
MD5: dd83accb899363c32b07d7a1b2e4ce40
SHA1: 25ea2e8b0c338a877313bd4672d3fe056ea78f0d
SHA256: 766ad2a0783f2687962c8ad74ceecc38a28b9f72a2d085ee438b7813e928d0c7
Referenced In Project/Scope: Waarp XMLEditor:compile

Identifiers

logback-core-1.2.3.jar

Description:

logback-core module

License:

http://www.eclipse.org/legal/epl-v10.html, http://www.gnu.org/licenses/old-licenses/lgpl-2.1.html
File Path: /home/frederic/.m2/repository/ch/qos/logback/logback-core/1.2.3/logback-core-1.2.3.jar
MD5: 841fc80c6edff60d947a3872a2db4d45
SHA1: 864344400c3d4d92dfeb0a305dc87d953677c03c
SHA256: 5946d837fe6f960c02a53eda7a6926ecc3c758bbdd69aa453ee429f858217f22
Referenced In Project/Scope: Waarp XMLEditor:compile

Identifiers

mariadb-java-client-1.7.4.jar

Description:

JDBC driver for MariaDB and MySQL

License:

LGPL-2.1
File Path: /home/frederic/.m2/repository/org/mariadb/jdbc/mariadb-java-client/1.7.4/mariadb-java-client-1.7.4.jar
MD5: b9549eb5ba94a85eb1754f030657b853
SHA1: fc07a80cf17857573632d950d7387232474007ba
SHA256: bd14e9d13e79a15b6b2ad4668492d926cf7bfe7da8f5a0434f1b6b65d62a7b6a
Referenced In Project/Scope: Waarp XMLEditor:compile

Identifiers

mysql-connector-java-5.1.49.jar

Description:

MySQL JDBC Type 4 driver

License:

The GNU General Public License, Version 2: http://www.gnu.org/licenses/old-licenses/gpl-2.0.html
File Path: /home/frederic/.m2/repository/mysql/mysql-connector-java/5.1.49/mysql-connector-java-5.1.49.jar
MD5: b46c5a50b6d707b37bd34e27e0f6cbaf
SHA1: cf76d2e4c9c3782a85c15c87bec5772b34ffd0e5
SHA256: 5bba9ff50e5e637a0996a730619dee19ccae274883a4d28c890d945252bb0e12
Referenced In Project/Scope: Waarp XMLEditor:compile

Identifiers

CVE-2017-15945  

The installation scripts in the Gentoo dev-db/mysql, dev-db/mariadb, dev-db/percona-server, dev-db/mysql-cluster, and dev-db/mariadb-galera packages before 2017-09-29 have chown calls for user-writable directory trees, which allows local users to gain privileges by leveraging access to the mysql account for creation of a link.
CWE-732 Incorrect Permission Assignment for Critical Resource

CVSSv2:
  • Base Score: HIGH (7.2)
  • Vector: /AV:L/AC:L/Au:N/C:C/I:C/A:C
CVSSv3:
  • Base Score: HIGH (7.8)
  • Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions:

CVE-2018-3258 (OSSINDEX)  

Vulnerability in the MySQL Connectors component of Oracle MySQL (subcomponent: Connector/J). Supported versions that are affected are 8.0.12 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Connectors. Successful attacks of this vulnerability can result in takeover of MySQL Connectors. CVSS 3.0 Base Score 8.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
CVSSv3:
  • Base Score: HIGH (8.8)
  • Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:mysql:mysql-connector-java:5.1.49:*:*:*:*:*:*:*

CVE-2019-2692  

Vulnerability in the MySQL Connectors component of Oracle MySQL (subcomponent: Connector/J). Supported versions that are affected are 8.0.15 and prior. Difficult to exploit vulnerability allows high privileged attacker with logon to the infrastructure where MySQL Connectors executes to compromise MySQL Connectors. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in takeover of MySQL Connectors. CVSS 3.0 Base Score 6.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H).
NVD-CWE-noinfo

CVSSv2:
  • Base Score: LOW (3.5)
  • Vector: /AV:L/AC:H/Au:S/C:P/I:P/A:P
CVSSv3:
  • Base Score: MEDIUM (6.3)
  • Vector: CVSS:3.0/AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions:

netty-all-4.1.59.Final.jar

File Path: /home/frederic/.m2/repository/io/netty/netty-all/4.1.59.Final/netty-all-4.1.59.Final.jar
MD5: 20d0265af69d43d65093d152d1ac5f51
SHA1: 4d83eab2c554587e15fa9cc20de48c530b23c479
SHA256: c483e8103dbce2a4b57e0b99ea2c128a29b57be677ee62e44d767fa425c3fe7a
Referenced In Project/Scope: Waarp XMLEditor:compile

Identifiers

netty-http-java6-1.5.0.jar

Description:

Waarp shaded jar for Netty HTTP Router for Java 6

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/frederic/.m2/repository/Waarp/netty-http-java6/1.5.0/netty-http-java6-1.5.0.jar
MD5: c626a48ebeb6d2c0dfea9953a1db333b
SHA1: 11a3759b842014ccadd544dd58c9320a44ff41a1
SHA256: 6676f2f137eace2c32a534567d92c2167aa9e27cc47de585c5d79e7e32bdf373
Referenced In Project/Scope: Waarp XMLEditor:compile

Identifiers

netty-tcnative-boringssl-static-2.0.36.Final.jar

Description:

A Mavenized fork of Tomcat Native which incorporates various patches. This artifact is statically linked to BoringSSL and Apache APR.

File Path: /home/frederic/.m2/repository/io/netty/netty-tcnative-boringssl-static/2.0.36.Final/netty-tcnative-boringssl-static-2.0.36.Final.jar
MD5: 61fca971d9f1175e934d5c01d3fcabeb
SHA1: f35f05118d846dfe30a4e7f757a47601ee9d0cea
SHA256: 2c0d55797dbfcb3d8639eab4957b37a8d7982f32196f029b25a2ff0e326f118f
Referenced In Project/Scope: Waarp XMLEditor:compile

Identifiers

plugin-1.6.jar

Description:

POM was created from install:install-file

File Path: /home/frederic/.m2/repository/sun/plugin/plugin/1.6/plugin-1.6.jar
MD5: 9f2c2d224a86c781c284ff697f96cb19
SHA1: 3b512f6b1a9b86c83a6e3b95632691e11100a76e
SHA256: 35885c3b8bc43df3ada12e05ca74d582d7e4288a03d5f769077095df33cf9b1e
Referenced In Project/Scope: Waarp XMLEditor:compile

Identifiers

postgresql-42.2.19.jre6.jar

Description:

PostgreSQL JDBC Driver Postgresql-jre6

License:

BSD-2-Clause: https://jdbc.postgresql.org/about/license.html
File Path: /home/frederic/.m2/repository/org/postgresql/postgresql/42.2.19.jre6/postgresql-42.2.19.jre6.jar
MD5: 3b73434467f488892dffe8948be277b1
SHA1: 3af16b10c6854d42389dffdeb5ca3aa6846c2095
SHA256: 2467bbbb47b868e4ef801b6d20cfd76a0e6dfb8599df2e5d63a0521245cd4e0d
Referenced In Project/Scope: Waarp XMLEditor:compile

Identifiers

slf4j-api-1.7.30.jar

Description:

The slf4j API

File Path: /home/frederic/.m2/repository/org/slf4j/slf4j-api/1.7.30/slf4j-api-1.7.30.jar
MD5: f8be00da99bc4ab64c79ab1e2be7cb7c
SHA1: b5a4b6d16ab13e34a88fae84c35cd5d68cac922c
SHA256: cdba07964d1bb40a0761485c6b1e8c2f8fd9eb1d19c53928ac0d7f9510105c57
Referenced In Project/Scope: Waarp XMLEditor:compile

Identifiers

xercesImpl-2.12.1.jar

Description:

Xerces2 is the next generation of high performance, fully compliant XML parsers in the Apache Xerces family. This new version of Xerces introduces the Xerces Native Interface (XNI), a complete framework for building parser components and configurations that is extremely modular and easy to program. The Apache Xerces2 parser is the reference implementation of XNI but other parser components, configurations, and parsers can be written using the Xerces Native Interface. For complete design and implementation documents, refer to the XNI Manual. Xerces2 is a fully conforming XML Schema 1.0 processor. A partial experimental implementation of the XML Schema 1.1 Structures and Datatypes Working Drafts (December 2009) and an experimental implementation of the XML Schema Definition Language (XSD): Component Designators (SCD) Candidate Recommendation (January 2010) are provided for evaluation. For more information, refer to the XML Schema page. Xerces2 also provides a complete implementation of the Document Object Model Level 3 Core and Load/Save W3C Recommendations and provides a complete implementation of the XML Inclusions (XInclude) W3C Recommendation. It also provides support for OASIS XML Catalogs v1.1. Xerces2 is able to parse documents written according to the XML 1.1 Recommendation, except that it does not yet provide an option to enable normalization checking as described in section 2.13 of this specification. It also handles namespaces according to the XML Namespaces 1.1 Recommendation, and will correctly serialize XML 1.1 documents if the DOM level 3 load/save APIs are in use.

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/frederic/.m2/repository/org/exist-db/thirdparty/xerces/xercesImpl/2.12.1/xercesImpl-2.12.1.jar
MD5: 9f82c362c893779109c1de812c5d4deb
SHA1: 3a206b25679f598a03374afd4e0410d8849b088b
SHA256: ae0c329a3187178c8e7b0369a5346845e426062ffbb8a08fc68ced6affe6c626
Referenced In Project/Scope: Waarp XMLEditor:compile

Identifiers

CVE-2018-1000823  

exist version <= 5.0.0-RC4 contains a XML External Entity (XXE) vulnerability in XML Parser for REST Server that can result in Disclosure of confidential data, denial of service, SSRF, port scanning.
CWE-611 Improper Restriction of XML External Entity Reference ('XXE')

CVSSv2:
  • Base Score: HIGH (7.5)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSSv3:
  • Base Score: CRITICAL (10.0)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

References:

Vulnerable Software & Versions:

This report contains data retrieved from the National Vulnerability Database.
This report may contain data retrieved from the NPM Public Advisories.
This report may contain data retrieved from RetireJS.
This report may contain data retrieved from the Sonatype OSS Index.