From 0ddad06b270b3e9a8150ba54e53d904ca6bb96a3 Mon Sep 17 00:00:00 2001 
From: Philipp Dallig Date: Thu, 23 Feb 2023 16:38:08 +0100 Subject: [PATCH] Support dependency-check 8.0.0 (#758) * Support dependency-check 8.0.0 * Add Unit tests for includedby --- examples/multi-module-maven/pom.xml | 2 +- examples/single-module-gradle/build.gradle | 2 +- .../build.gradle.kts | 2 +- examples/single-module-maven/pom.xml | 2 +- .../base/DependencyCheckUtils.java | 77 +- .../MavenDependencyDeserializer.java | 14 +- .../deserializer/MavenParentDeserializer.java | 16 +- .../PackageLockDependencyDeserializer.java | 10 +- .../parser/element/Dependency.java | 22 +- .../parser/element/Identifier.java | 40 +- .../parser/element/IncludedBy.java | 36 + .../parser/element/Vulnerability.java | 2 +- .../reason/GradleDependencyReason.java | 82 +- .../reason/MavenDependencyReason.java | 104 +- .../reason/NPMDependencyReason.java | 64 +- .../reason/SoftwareDependency.java | 54 + .../reason/maven/MavenDependency.java | 48 +- ...rent.java => MavenDependencyLocation.java} | 19 +- .../reason/maven/MavenPomModel.java | 12 +- .../reason/npm/NPMDependency.java | 50 +- .../reason/npm/NPMDependencyLocation.java | 54 + .../reason/npm/PackageLockModel.java | 6 +- .../DependencyCheckSensorTest.java | 8 +- .../base/DependencyCheckUtilsTest.java | 44 +- .../page/DependencyCheckReportPageTest.java | 1 - .../parser/NPMParserHelperTest.java | 6 +- .../parser/PomParserHelperTest.java | 21 +- .../parser/ReportParserTest.java | 36 +- .../parser/element/IdentifierTest.java | 69 - .../reason/DependencyReasonSearcherTest.java | 6 +- .../reason/GradleDependencyReasonTest.java | 29 +- .../reason/MavenDependencyReasonTest.java | 36 +- .../reason/NPMDependencyReasonTest.java | 10 +- .../src/test/resources/reason/build.gradle | 2 +- .../dependency-check-report.json | 19711 +++++++++++----- 35 files changed, 14088 insertions(+), 6609 deletions(-) create mode 100644 sonar-dependency-check-plugin/src/main/java/org/sonar/dependencycheck/parser/element/IncludedBy.java create mode 100644 
sonar-dependency-check-plugin/src/main/java/org/sonar/dependencycheck/reason/SoftwareDependency.java rename sonar-dependency-check-plugin/src/main/java/org/sonar/dependencycheck/reason/maven/{MavenParent.java => MavenDependencyLocation.java} (83%) create mode 100644 sonar-dependency-check-plugin/src/main/java/org/sonar/dependencycheck/reason/npm/NPMDependencyLocation.java delete mode 100644 sonar-dependency-check-plugin/src/test/java/org/sonar/dependencycheck/parser/element/IdentifierTest.java diff --git a/examples/multi-module-maven/pom.xml b/examples/multi-module-maven/pom.xml index 433e47a3..f0221d7e 100644 --- a/examples/multi-module-maven/pom.xml +++ b/examples/multi-module-maven/pom.xml @@ -54,7 +54,7 @@ org.owasp dependency-check-maven - 6.0.3 + 8.0.2 ALL diff --git a/examples/single-module-gradle/build.gradle b/examples/single-module-gradle/build.gradle index 211206bd..4c52d486 100644 --- a/examples/single-module-gradle/build.gradle +++ b/examples/single-module-gradle/build.gradle @@ -3,7 +3,7 @@ buildscript { mavenCentral() } dependencies { - classpath 'org.owasp:dependency-check-gradle:6.5.3' + classpath 'org.owasp:dependency-check-gradle:8.0.2' } } diff --git a/examples/single-module-kotlin-dsl-gradle/build.gradle.kts b/examples/single-module-kotlin-dsl-gradle/build.gradle.kts index 59e595d3..c84e80bc 100644 --- a/examples/single-module-kotlin-dsl-gradle/build.gradle.kts +++ b/examples/single-module-kotlin-dsl-gradle/build.gradle.kts @@ -4,7 +4,7 @@ plugins { application kotlin("jvm") version "1.3.50" id("org.sonarqube") version "3.3" - id("org.owasp.dependencycheck") version "6.5.3" + id("org.owasp.dependencycheck") version "8.0.2" } repositories { diff --git a/examples/single-module-maven/pom.xml b/examples/single-module-maven/pom.xml index b7e263c8..8b910c39 100644 --- a/examples/single-module-maven/pom.xml +++ b/examples/single-module-maven/pom.xml @@ -71,7 +71,7 @@ org.owasp dependency-check-maven - 6.0.3 + 8.0.2 ALL 
diff --git a/sonar-dependency-check-plugin/src/main/java/org/sonar/dependencycheck/base/DependencyCheckUtils.java b/sonar-dependency-check-plugin/src/main/java/org/sonar/dependencycheck/base/DependencyCheckUtils.java index ec59f1a7..47797eca 100644 --- a/sonar-dependency-check-plugin/src/main/java/org/sonar/dependencycheck/base/DependencyCheckUtils.java +++ b/sonar-dependency-check-plugin/src/main/java/org/sonar/dependencycheck/base/DependencyCheckUtils.java @@ -31,6 +31,9 @@ import org.sonar.dependencycheck.parser.element.Vulnerability; import org.sonar.dependencycheck.reason.DependencyReason; import org.sonar.dependencycheck.reason.Language; +import org.sonar.dependencycheck.reason.SoftwareDependency; +import org.sonar.dependencycheck.reason.maven.MavenDependency; +import org.sonar.dependencycheck.reason.npm.NPMDependency; import edu.umd.cs.findbugs.annotations.NonNull; 
@@ -108,36 +111,26 @@ public static Float severityToScore(String severity, Configuration config) { return DependencyCheckUtils.severityToScore(severity, severityBlocker, severityCritical, severityMajor, severityMinor); } - public static Optional getMavenIdentifier(@NonNull Dependency dependency) { + public static Optional getMavenDependency(@NonNull Dependency dependency) { Optional> packages = dependency.getPackages(); if (packages.isPresent()) { for (Identifier identifier : packages.get()) { - if (Identifier.isMavenPackage(identifier)) { - return Optional.of(identifier); + Optional softwareDependency = DependencyCheckUtils.convertToSoftwareDependency(identifier.getId()); + if (softwareDependency.isPresent() && softwareDependency.get() instanceof MavenDependency) { + return Optional.of((MavenDependency) softwareDependency.get()); } } } return Optional.empty(); } - public static Optional getNPMIdentifier(@NonNull Dependency dependency) { + public static Optional getNPMDependency(@NonNull Dependency dependency) { Optional> packages = dependency.getPackages(); if (packages.isPresent()) { for (Identifier identifier : packages.get()) { - if (Identifier.isNPMPackage(identifier)) { - return Optional.of(identifier); - } - } - } - return Optional.empty(); - } - - public static Optional getJavaScriptIdentifier(@NonNull Dependency dependency) { - Optional> packages = dependency.getPackages(); - if (packages.isPresent()) { - for (Identifier identifier : packages.get()) { - if (Identifier.isJavaScriptPackage(identifier)) { - return Optional.of(identifier); + Optional softwareDependency = DependencyCheckUtils.convertToSoftwareDependency(identifier.getId()); + if (softwareDependency.isPresent() && softwareDependency.get() instanceof NPMDependency) { + return Optional.of((NPMDependency) softwareDependency.get()); } } } 
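Review bot: getMavenDependency and getNPMDependency now run the identical loop over `packages`, differing only in the target class, and each pairs an `instanceof` test with an explicit cast of `softwareDependency.get()`. The test-and-cast reads more directly on the Optional itself, `Optional<MavenDependency> match = softwareDependency.filter(MavenDependency.class::isInstance).map(MavenDependency.class::cast); if (match.isPresent()) { return match; }`, and once both methods have that shape a private helper taking the target `Class<T>` removes the duplication. With getJavaScriptIdentifier deleted, `pkg:javascript/...` identifiers are now answered by getNPMDependency because convertToSoftwareDependency maps `javascript` to NPMDependency; that is presumably intended, but a Javadoc line on getNPMDependency should say so. getNPMDependency's closing `return Optional.empty();` lies outside the hunk.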
@@ -208,4 +201,52 @@ public static Optional getBestDependencyReason(@NonNull Depend } return dependencyReasons.stream().sorted(comparatorFileLength).sorted(comparatorTextRange).findFirst(); } + + /** + * + * @param reference + * @return + */ + public static Optional convertToSoftwareDependency(@NonNull String reference) { + if (StringUtils.isNotBlank(reference)) { + if (reference.contains("maven")) { + return convertToMavenDependency(reference); + } else if (reference.contains("npm") || reference.contains("javascript")) { + return convertToNPMDependency(reference); + } + } + return Optional.empty(); + } + + private static Optional convertToMavenDependency(@NonNull String reference) { + // pkg:maven/struts/struts@1.2.8 -> struts/struts@1.2.8 + String dependency = StringUtils.substringAfter(reference, "/"); + String groupId = StringUtils.substringBefore(dependency, "/"); + String artifactId = StringUtils.substringBetween(dependency, "/", "@"); + if (StringUtils.isAnyBlank(groupId, artifactId)) { + return Optional.empty(); + } + String version = StringUtils.substringAfter(dependency, "@"); + return Optional.of(new MavenDependency(groupId, artifactId, StringUtils.isBlank(version) ? null : version)); + } + + private static Optional convertToNPMDependency(@NonNull String reference) { + // pkg:npm/arr-flatten@1.1.0 -> arr-flatten@1.1.0 + // pkg:npm/mime -> mime + String dependency = StringUtils.substringAfter(reference, "/"); + String name = StringUtils.substringBefore(dependency, "@"); + if (StringUtils.isBlank(name)) { + return Optional.empty(); + } + String version = StringUtils.substringAfter(dependency, "@"); + return Optional.of(new NPMDependency(name, StringUtils.isBlank(version) ? null : version)); + } + + public static boolean isMavenDependency(@NonNull SoftwareDependency dep) { + return dep instanceof MavenDependency; + } + + public static boolean isNPMDependency(@NonNull SoftwareDependency dep) { + return dep instanceof NPMDependency; + } } 
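Review bot: convertToSoftwareDependency dispatches on `reference.contains("maven")`, `contains("npm")` and `contains("javascript")`, a substring test over the whole purl, so a reference whose package name or group contains one of those words (an npm package whose name contains `maven`, or a purl of an unrelated type whose path contains `npm`) is routed by the first matching word rather than by its purl type, and a vulnerability can be attributed to the wrong build file. The removed Identifier.getPackageType read the type from the segment between `pkg:` and the first `/`; doing the same here, `String type = StringUtils.substringBefore(StringUtils.substringAfter(reference, "pkg:"), "/");` followed by `if ("maven".equals(type))` and `else if ("npm".equals(type) || "javascript".equals(type))`, keeps the dispatch exact and still yields `Optional.empty()` for anything else. In convertToMavenDependency, `StringUtils.substringBetween(dependency, "/", "@")` returns null when the purl carries no `@version`, so a version-less Maven purl is now discarded by `isAnyBlank`, whereas the old split on `@` and then `/` accepted it; `String artifactId = StringUtils.substringBefore(StringUtils.substringAfter(dependency, "/"), "@");` restores that behaviour. The Javadoc on convertToSoftwareDependency is empty: it should name the accepted `pkg:maven/group/artifact[@version]` and `pkg:npm/name[@version]` forms, say that `javascript` is treated as npm, and that a blank or unrecognised reference yields `Optional.empty()`.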
diff --git a/sonar-dependency-check-plugin/src/main/java/org/sonar/dependencycheck/parser/deserializer/MavenDependencyDeserializer.java b/sonar-dependency-check-plugin/src/main/java/org/sonar/dependencycheck/parser/deserializer/MavenDependencyDeserializer.java index 7ec8dee8..58374742 100644 --- a/sonar-dependency-check-plugin/src/main/java/org/sonar/dependencycheck/parser/deserializer/MavenDependencyDeserializer.java +++ b/sonar-dependency-check-plugin/src/main/java/org/sonar/dependencycheck/parser/deserializer/MavenDependencyDeserializer.java @@ -24,7 +24,7 @@ import java.util.List; import org.apache.commons.lang3.StringUtils; -import org.sonar.dependencycheck.reason.maven.MavenDependency; +import org.sonar.dependencycheck.reason.maven.MavenDependencyLocation; import com.fasterxml.jackson.core.JsonParser; import com.fasterxml.jackson.core.JsonToken; @@ -33,7 +33,7 @@ import edu.umd.cs.findbugs.annotations.Nullable; -public class MavenDependencyDeserializer extends StdDeserializer>{ +public class MavenDependencyDeserializer extends StdDeserializer>{ /** * @@ -49,13 +49,14 @@ protected MavenDependencyDeserializer(@Nullable Class vc) { } @Override - public List deserialize(JsonParser jsonParser, DeserializationContext deserializationContext) throws IOException { - List mavenDependencies = new LinkedList<>(); + public List deserialize(JsonParser jsonParser, DeserializationContext deserializationContext) throws IOException { + List mavenDependencies = new LinkedList<>(); while (jsonParser.nextToken() != JsonToken.END_OBJECT) { if (StringUtils.equalsIgnoreCase("dependency", jsonParser.getCurrentName())) { // We found a dependency String groupId = ""; String artifactId = ""; + String version = ""; int startLineNr = jsonParser.getCurrentLocation().getLineNr(); while (jsonParser.nextToken() != JsonToken.END_OBJECT) { if (StringUtils.equalsIgnoreCase("artifactId", jsonParser.getCurrentName())) { 
@@ -64,9 +65,12 @@ public List deserialize(JsonParser jsonParser, DeserializationC if (StringUtils.equalsIgnoreCase("groupId", jsonParser.getCurrentName())) { groupId = jsonParser.getValueAsString(); } + if (StringUtils.equalsIgnoreCase("version", jsonParser.getCurrentName())) { + version = jsonParser.getValueAsString(); + } } int endLineNr = jsonParser.getCurrentLocation().getLineNr(); - mavenDependencies.add(new MavenDependency(groupId, artifactId, startLineNr, endLineNr)); + mavenDependencies.add(new MavenDependencyLocation(groupId, artifactId, version, startLineNr, endLineNr)); } } return mavenDependencies; diff --git a/sonar-dependency-check-plugin/src/main/java/org/sonar/dependencycheck/parser/deserializer/MavenParentDeserializer.java b/sonar-dependency-check-plugin/src/main/java/org/sonar/dependencycheck/parser/deserializer/MavenParentDeserializer.java index a5ca1b73..bab24d1e 100644 --- a/sonar-dependency-check-plugin/src/main/java/org/sonar/dependencycheck/parser/deserializer/MavenParentDeserializer.java +++ b/sonar-dependency-check-plugin/src/main/java/org/sonar/dependencycheck/parser/deserializer/MavenParentDeserializer.java @@ -22,7 +22,7 @@ import java.io.IOException; import org.apache.commons.lang3.StringUtils; -import org.sonar.dependencycheck.reason.maven.MavenParent; +import org.sonar.dependencycheck.reason.maven.MavenDependencyLocation; import com.fasterxml.jackson.core.JsonParser; import com.fasterxml.jackson.core.JsonToken; @@ -31,7 +31,7 @@ import edu.umd.cs.findbugs.annotations.Nullable; -public class MavenParentDeserializer extends StdDeserializer{ +public class MavenParentDeserializer extends StdDeserializer{ /** * 
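Review bot: The `version` captured here is whatever text the pom's `<version>` element holds, so it stays `""` when the element is absent (a version managed by a parent or dependencyManagement) and may be an unresolved property placeholder such as `${some.version}`; neither is a real version, and nothing in the hunk records that for the code that will compare it against the report's resolved version. A comment on the new assignment, `// raw pom text: may be empty (managed elsewhere) or an unresolved ${property}; not authoritative`, would make the limitation visible, and the same applies to the `version` read added in MavenParentDeserializer's deserialize hunk. The enclosing deserialize method begins in the previous hunk.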
@@ -47,15 +47,23 @@ protected MavenParentDeserializer(@Nullable Class vc) { } @Override - public MavenParent deserialize(JsonParser jsonParser, DeserializationContext deserializationContext) throws IOException { + public MavenDependencyLocation deserialize(JsonParser jsonParser, DeserializationContext deserializationContext) throws IOException { int startLineNr = jsonParser.getCurrentLocation().getLineNr(); String groupId = ""; + String artifactId = ""; + String version = ""; while (jsonParser.nextToken() != JsonToken.END_OBJECT) { if (StringUtils.equalsIgnoreCase("groupId", jsonParser.getCurrentName())) { groupId = jsonParser.getValueAsString(); } + if (StringUtils.equalsIgnoreCase("artifactId", jsonParser.getCurrentName())) { + artifactId = jsonParser.getValueAsString(); + } + if (StringUtils.equalsIgnoreCase("version", jsonParser.getCurrentName())) { + version = jsonParser.getValueAsString(); + } } int endLineNr = jsonParser.getCurrentLocation().getLineNr(); - return new MavenParent(groupId, startLineNr, endLineNr); + return new MavenDependencyLocation(groupId, artifactId, version, startLineNr, endLineNr); } } diff --git a/sonar-dependency-check-plugin/src/main/java/org/sonar/dependencycheck/parser/deserializer/PackageLockDependencyDeserializer.java b/sonar-dependency-check-plugin/src/main/java/org/sonar/dependencycheck/parser/deserializer/PackageLockDependencyDeserializer.java index a85e629a..62808082 100644 --- a/sonar-dependency-check-plugin/src/main/java/org/sonar/dependencycheck/parser/deserializer/PackageLockDependencyDeserializer.java +++ b/sonar-dependency-check-plugin/src/main/java/org/sonar/dependencycheck/parser/deserializer/PackageLockDependencyDeserializer.java 
@@ -24,7 +24,7 @@ import java.util.List; import org.apache.commons.lang3.StringUtils; -import org.sonar.dependencycheck.reason.npm.NPMDependency; +import org.sonar.dependencycheck.reason.npm.NPMDependencyLocation; import com.fasterxml.jackson.core.JsonParser; import com.fasterxml.jackson.core.JsonToken; @@ -33,7 +33,7 @@ import edu.umd.cs.findbugs.annotations.Nullable; -public class PackageLockDependencyDeserializer extends StdDeserializer> { +public class PackageLockDependencyDeserializer extends StdDeserializer> { /** * */ @@ -48,15 +48,15 @@ protected PackageLockDependencyDeserializer(@Nullable Class vc) { } @Override - public List deserialize(JsonParser jsonParser, DeserializationContext deserializationContext) throws IOException { - List npmDependencies = new LinkedList<>(); + public List deserialize(JsonParser jsonParser, DeserializationContext deserializationContext) throws IOException { + List npmDependencies = new LinkedList<>(); while (!JsonToken.END_OBJECT.equals(jsonParser.nextToken())) { if (JsonToken.START_OBJECT.equals(jsonParser.currentToken())) { String name = jsonParser.getCurrentName(); int startLineNr = jsonParser.getCurrentLocation().getLineNr(); String version = scanWholeDependencyForVersion(jsonParser); int endLineNr = jsonParser.getCurrentLocation().getLineNr(); - npmDependencies.add(new NPMDependency(name, version, startLineNr, endLineNr)); + npmDependencies.add(new NPMDependencyLocation(name, version, startLineNr, endLineNr)); } } return npmDependencies; diff --git a/sonar-dependency-check-plugin/src/main/java/org/sonar/dependencycheck/parser/element/Dependency.java b/sonar-dependency-check-plugin/src/main/java/org/sonar/dependencycheck/parser/element/Dependency.java index 6b256520..3eb63347 100644 --- a/sonar-dependency-check-plugin/src/main/java/org/sonar/dependencycheck/parser/element/Dependency.java +++ b/sonar-dependency-check-plugin/src/main/java/org/sonar/dependencycheck/parser/element/Dependency.java 
@@ -27,6 +27,8 @@ import java.util.Optional; import org.sonar.api.config.Configuration; +import org.sonar.dependencycheck.base.DependencyCheckUtils; +import org.sonar.dependencycheck.reason.SoftwareDependency; import com.fasterxml.jackson.annotation.JsonCreator; import com.fasterxml.jackson.annotation.JsonIgnoreProperties; @@ -46,6 +48,7 @@ public class Dependency { private final List vulnerabilities; private final Optional> packages; private final Optional> vulnerabilityIds; + private final Optional> includedBy; @JsonCreator public Dependency(@JsonProperty(value = "fileName", required = true) @NonNull String fileName, @@ -55,8 +58,8 @@ public Dependency(@JsonProperty(value = "fileName", required = true) @NonNull St @JsonProperty(value = "evidenceCollected") Map> evidenceCollected, @JsonProperty(value = "vulnerabilities") List vulnerabilities, @JsonProperty(value = "packages") @Nullable Collection packages, - @JsonProperty(value = "vulnerabilityIds") @Nullable Collection vulnerabilityIds) - { + @JsonProperty(value = "vulnerabilityIds") @Nullable Collection vulnerabilityIds, + @JsonProperty(value = "includedBy") @Nullable Collection includedBy) { this.fileName = fileName; this.filePath = filePath; this.md5 = Optional.ofNullable(md5Hash); @@ -65,6 +68,8 @@ public Dependency(@JsonProperty(value = "fileName", required = true) @NonNull St this.vulnerabilities = vulnerabilities; this.packages = Optional.ofNullable(packages); this.vulnerabilityIds = Optional.ofNullable(vulnerabilityIds); + this.includedBy = Optional.ofNullable(includedBy); + } public String getFileName() { 
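Review bot: The added `this.includedBy = Optional.ofNullable(includedBy);` is followed by a new empty line before the constructor's closing brace, which none of the neighbouring assignments have; drop the blank line. The collection handed in by Jackson is stored by reference, the same way `packages` and `vulnerabilityIds` already are, so this is consistent but deserves a Javadoc line on the new parameter, e.g. `@param includedBy the report's "includedBy" entries for this dependency, each carrying a "reference" purl; null when the report has none`. The constructor's signature starts in the preceding hunk.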
@@ -104,10 +109,18 @@ public Optional> getVulnerabilityIds() { return vulnerabilityIds; } + /** + * @return the includedBy + */ + public Optional> getIncludedBy() { + return includedBy; + } + public boolean isJavaDependency() { if (packages.isPresent()) { for (Identifier identifier : packages.get()) { - if (Identifier.isMavenPackage(identifier)) { + Optional dep = DependencyCheckUtils.convertToSoftwareDependency(identifier.getId()); + if (dep.isPresent() && DependencyCheckUtils.isMavenDependency(dep.get())) { return true; } } @@ -118,7 +131,8 @@ public boolean isJavaDependency() { public boolean isJavaScriptDependency() { if (packages.isPresent()) { for (Identifier identifier : packages.get()) { - if (Identifier.isNPMPackage(identifier) || Identifier.isJavaScriptPackage(identifier)) { + Optional dep = DependencyCheckUtils.convertToSoftwareDependency(identifier.getId()); + if (dep.isPresent() && DependencyCheckUtils.isNPMDependency(dep.get())) { return true; } } diff --git a/sonar-dependency-check-plugin/src/main/java/org/sonar/dependencycheck/parser/element/Identifier.java b/sonar-dependency-check-plugin/src/main/java/org/sonar/dependencycheck/parser/element/Identifier.java index 9b525654..0d4aefb3 100644 --- a/sonar-dependency-check-plugin/src/main/java/org/sonar/dependencycheck/parser/element/Identifier.java +++ b/sonar-dependency-check-plugin/src/main/java/org/sonar/dependencycheck/parser/element/Identifier.java @@ -22,8 +22,6 @@ import java.util.Optional; -import org.apache.commons.lang3.StringUtils; - import com.fasterxml.jackson.annotation.JsonCreator; import com.fasterxml.jackson.annotation.JsonIgnoreProperties; import com.fasterxml.jackson.annotation.JsonProperty; 
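Review bot: isJavaDependency and isJavaScriptDependency now re-implement the loop that DependencyCheckUtils.getMavenDependency and getNPMDependency already run over the same `packages`, and to do so `parser.element.Dependency` imports `base.DependencyCheckUtils`, whose public methods take `Dependency` — a cycle between the two packages. Each body can become a one-liner on the existing helper, `return DependencyCheckUtils.getMavenDependency(this).isPresent();` and `return DependencyCheckUtils.getNPMDependency(this).isPresent();`, or, if the cycle matters more, the purl parsing can live in the parser package with DependencyCheckUtils calling it. `pkg:javascript/...` identifiers still count as JavaScript only because convertToSoftwareDependency maps `javascript` to NPMDependency, which a short comment in isJavaScriptDependency should state. Both methods' trailing `return false;` lies outside the hunks.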
@@ -34,13 +32,13 @@ @JsonIgnoreProperties({"url", "description","notes"}) public class Identifier { private final String id; - private final Confidence confidence; + private final Optional confidence; @JsonCreator public Identifier(@JsonProperty(value = "id", required = true) @NonNull String id, @JsonProperty(value = "confidence") @Nullable Confidence confidence) { this.id = id; - this.confidence = confidence; + this.confidence = Optional.ofNullable(confidence); } /** * @return the id @@ -53,38 +51,6 @@ public String getId() { * @return the confidence */ public Optional getConfidence() { - return Optional.ofNullable(confidence); - } - public static Optional getPackageType(@NonNull Identifier identifier) { - if (StringUtils.isNotBlank(identifier.getId())) { - // pkg:maven/struts/struts@1.2.8 -> maven - // pkg:javascript/jquery@2.2.0 -> javascript - // pkg:npm/arr-flatten@1.1.0 -> npm - // pkg:npm/mime -> npm - return Optional.of(StringUtils.substringAfter(StringUtils.substringBefore(identifier.getId(), "/"), "pkg:")); - } - return Optional.empty(); - } - public static Optional getPackageArtifact(@NonNull Identifier identifier) { - if (StringUtils.isNotBlank(identifier.getId())) { - // pkg:maven/struts/struts@1.2.8 -> struts/struts@1.2.8 - // pkg:javascript/jquery@2.2.0 -> jquery@2.2.0 - // pkg:npm/arr-flatten@1.1.0 -> arr-flatten@1.1.0 - // pkg:npm/mime -> mime - return Optional.of(StringUtils.substringAfter(identifier.getId(), "/")); - } - return Optional.empty(); - } - - public static boolean isMavenPackage(@NonNull Identifier identifier) { - return "maven".equals(Identifier.getPackageType(identifier).orElse("")); - } - - public static boolean isNPMPackage(@NonNull Identifier identifier) { - return "npm".equals(Identifier.getPackageType(identifier).orElse("")); - } - - public static boolean isJavaScriptPackage(@NonNull Identifier identifier) { - return "javascript".equals(Identifier.getPackageType(identifier).orElse("")); + return confidence; } } 
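Review bot: `confidence` is now held as an `Optional` field instead of being wrapped in getConfidence, and Optional as a field type is generally discouraged (it is not Serializable and is meant as a return type), so the original layout — `private final Confidence confidence;` with `return Optional.ofNullable(confidence);` in the getter — is the smaller, conventional change. Dependency already keeps Optional fields, so if the project accepts that style this is consistent; otherwise the field should stay nullable. The static helpers removed in the second hunk are replaced by DependencyCheckUtils.convertToSoftwareDependency; a one-line class Javadoc pointing there would help anyone who greps for `isMavenPackage`.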
diff --git a/sonar-dependency-check-plugin/src/main/java/org/sonar/dependencycheck/parser/element/IncludedBy.java b/sonar-dependency-check-plugin/src/main/java/org/sonar/dependencycheck/parser/element/IncludedBy.java new file mode 100644 index 00000000..5cd6bc42 --- /dev/null +++ b/sonar-dependency-check-plugin/src/main/java/org/sonar/dependencycheck/parser/element/IncludedBy.java @@ -0,0 +1,36 @@ +/* + * Dependency-Check Plugin for SonarQube + * Copyright (C) 2015-2021 dependency-check + * philipp.dallig@gmail.com + * + * This program is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 3 of the License, or (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program; if not, write to the Free Software Foundation, + * Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. + */ + +package org.sonar.dependencycheck.parser.element; + +import java.util.HashMap; + +public class IncludedBy extends HashMap { + + /** + * + */ + private static final long serialVersionUID = 1L; + public static final String REFERENCE_KEYWORD = "reference"; + + public String getReference() { + return get(REFERENCE_KEYWORD); + } +} diff --git a/sonar-dependency-check-plugin/src/main/java/org/sonar/dependencycheck/parser/element/Vulnerability.java b/sonar-dependency-check-plugin/src/main/java/org/sonar/dependencycheck/parser/element/Vulnerability.java index 4071717b..bd1fec13 100644 --- a/sonar-dependency-check-plugin/src/main/java/org/sonar/dependencycheck/parser/element/Vulnerability.java 
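Review bot: IncludedBy models a report object by extending HashMap, which makes the whole mutable Map API (put, remove, clear) and the map's equals/hashCode part of the element's interface; a small immutable class with a `@JsonCreator` constructor taking `@JsonProperty("reference")` and `@JsonIgnoreProperties(ignoreUnknown = true)` for the other keys, in the style of Identifier, would say what the type is for. `getReference()` returns null when the key is absent; returning `Optional<String>` like Identifier.getConfidence would match the neighbouring classes and move the blank check that every caller now repeats into one place. The Javadoc above `serialVersionUID` is empty — either drop it or note that the class is only ever populated by Jackson. A class comment should also say that `includedBy` is a dependency-check 8 report field, since the commit title ties the change to 8.0.0.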
+++ b/sonar-dependency-check-plugin/src/main/java/org/sonar/dependencycheck/parser/element/Vulnerability.java @@ -35,7 +35,7 @@ import edu.umd.cs.findbugs.annotations.NonNull; import edu.umd.cs.findbugs.annotations.Nullable; -@JsonIgnoreProperties({"notes", "references", "vulnerableSoftware", "unscored"}) +@JsonIgnoreProperties({"notes", "references", "vulnerableSoftware", "unscored", "knownExploitedVulnerability"}) public class Vulnerability { private static final Logger LOGGER = Loggers.get(Vulnerability.class); diff --git a/sonar-dependency-check-plugin/src/main/java/org/sonar/dependencycheck/reason/GradleDependencyReason.java b/sonar-dependency-check-plugin/src/main/java/org/sonar/dependencycheck/reason/GradleDependencyReason.java index b712cb17..ab558c98 100644 --- a/sonar-dependency-check-plugin/src/main/java/org/sonar/dependencycheck/reason/GradleDependencyReason.java +++ b/sonar-dependency-check-plugin/src/main/java/org/sonar/dependencycheck/reason/GradleDependencyReason.java @@ -21,11 +21,13 @@ package org.sonar.dependencycheck.reason; import java.io.IOException; +import java.util.Collection; import java.util.HashMap; import java.util.Map; import java.util.Optional; import java.util.Scanner; +import org.apache.commons.lang3.StringUtils; import org.sonar.api.batch.fs.InputComponent; import org.sonar.api.batch.fs.InputFile; import org.sonar.api.utils.log.Logger; @@ -33,7 +35,8 @@ import org.sonar.dependencycheck.base.DependencyCheckUtils; import org.sonar.dependencycheck.parser.element.Confidence; import org.sonar.dependencycheck.parser.element.Dependency; -import org.sonar.dependencycheck.parser.element.Identifier; +import org.sonar.dependencycheck.parser.element.IncludedBy; +import org.sonar.dependencycheck.reason.maven.MavenDependency; import edu.umd.cs.findbugs.annotations.NonNull; 
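Review bot: The new `knownExploitedVulnerability` report property is silently dropped by adding it to `@JsonIgnoreProperties`; judging by its name it flags vulnerabilities dependency-check has matched against a known-exploited catalogue, which is exactly the prioritisation signal a SonarQube issue should carry (in the message, or by raising the severity) rather than discard. If parsing it is out of scope for this commit, a marker on the annotation line such as `// TODO: surface knownExploitedVulnerability (dependency-check 8) instead of ignoring it` keeps the intent visible.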
@@ -63,47 +66,78 @@ public TextRangeConfidence getBestTextRange(@NonNull Dependency dependency) { if (dependencyMap.containsKey(dependency)) { return dependencyMap.get(dependency); } else { - Optional gradleIdentifier = DependencyCheckUtils.getMavenIdentifier(dependency); - if (gradleIdentifier.isPresent()) { - tryArtifactMatch(gradleIdentifier.get()).ifPresent(textRange -> dependencyMap.put(dependency, textRange)); + Optional mavenDependency = DependencyCheckUtils.getMavenDependency(dependency); + if (mavenDependency.isPresent()) { + fillArtifactMatch(dependency, mavenDependency.get()); } else { LOGGER.debug("No artifactId found for Dependency {}", dependency.getFileName()); } + Optional> includedBys = dependency.getIncludedBy(); + if (includedBys.isPresent()) { + workOnIncludedBy(dependency, includedBys.get()); + } dependencyMap.computeIfAbsent(dependency, k -> addDependencyToFirstLine(k, buildGradle)); } return dependencyMap.get(dependency); } + private void workOnIncludedBy(@NonNull Dependency dependency, Collection includedBys) { + for (IncludedBy includedBy : includedBys) { + String reference = includedBy.getReference(); + if (StringUtils.isNotBlank(reference)) { + Optional softwareDependency = DependencyCheckUtils.convertToSoftwareDependency(reference); + if (softwareDependency.isPresent() && DependencyCheckUtils.isMavenDependency(softwareDependency.get())) { + fillArtifactMatch(dependency, (MavenDependency) softwareDependency.get()); + } + } + } + } + + private void putDependencyMap(@NonNull Dependency dependency, TextRangeConfidence newTextRange) { + if (dependencyMap.containsKey(dependency)) { + TextRangeConfidence oldTextRange = dependencyMap.get(dependency); + if (oldTextRange.getConfidence().compareTo(newTextRange.getConfidence()) > 0) { + dependencyMap.put(dependency, newTextRange); + } + } else { + dependencyMap.put(dependency, newTextRange); + } + } + /** * - * This Methods tries to find the best TextRange for an given ArtifactId in the build.gradle 
file - * If the line parser doesn't find anything we return the TextRange with linenumber 1 - * TODO: It would be nice to have something similar to the command "gradlew app:dependencies" * At the moment a simple line parser without transitive dependencies * - * @param gradleIdentifier Identifier for gradle + * @param mavenDependency Identifier for gradle * @return TextRange if found in gradle, else null */ - private Optional tryArtifactMatch(Identifier gradleIdentifier) { - Optional packageArtifact = Identifier.getPackageArtifact(gradleIdentifier); - if (packageArtifact.isPresent()) { - // packageArtifact has something like struts/struts@1.2.8 - String[] gradleIdentifierSplit = packageArtifact.get().split("@"); - gradleIdentifierSplit = gradleIdentifierSplit[0].split("/"); - String artifactId = gradleIdentifierSplit[1]; - try (final Scanner scanner = new Scanner(content)) { - int linenumber = 0; - while (scanner.hasNextLine()) { - final String lineFromFile = scanner.nextLine(); - linenumber++; - if (lineFromFile.contains(artifactId)) { - LOGGER.debug("We found {} in {} on line {}", artifactId, buildGradle, linenumber); - return Optional.of(new TextRangeConfidence(buildGradle.selectLine(linenumber), Confidence.MEDIUM)); + private void fillArtifactMatch(@NonNull Dependency dependency, MavenDependency mavenDependency) { + try (final Scanner scanner = new Scanner(content)) { + int linenumber = 0; + while (scanner.hasNextLine()) { + final String lineFromFile = scanner.nextLine(); + linenumber++; + if (lineFromFile.contains(mavenDependency.getArtifactId()) && + lineFromFile.contains(mavenDependency.getGroupId())) { + Optional depVersion = mavenDependency.getVersion(); + if (depVersion.isPresent() && + lineFromFile.contains(depVersion.get())) { + LOGGER.debug("Found a artifactId, groupId and version match in {}", buildGradle); + putDependencyMap(dependency, new TextRangeConfidence(buildGradle.selectLine(linenumber), Confidence.HIGHEST)); } + LOGGER.debug("Found a 
artifactId and groupId match in {} on line {}", buildGradle, linenumber); + putDependencyMap(dependency, new TextRangeConfidence(buildGradle.selectLine(linenumber), Confidence.HIGH)); + } + if (lineFromFile.contains(mavenDependency.getArtifactId())) { + LOGGER.debug("Found a artifactId match in {} for {}", buildGradle, mavenDependency.getArtifactId()); + putDependencyMap(dependency, new TextRangeConfidence(buildGradle.selectLine(linenumber), Confidence.MEDIUM)); + } + if (lineFromFile.contains(mavenDependency.getGroupId())) { + LOGGER.debug("Found a groupId match in {} for {}", buildGradle, mavenDependency.getGroupId()); + putDependencyMap(dependency, new TextRangeConfidence(buildGradle.selectLine(linenumber), Confidence.MEDIUM)); } } } - return Optional.empty(); } /** diff --git a/sonar-dependency-check-plugin/src/main/java/org/sonar/dependencycheck/reason/MavenDependencyReason.java b/sonar-dependency-check-plugin/src/main/java/org/sonar/dependencycheck/reason/MavenDependencyReason.java index 3f766753..c0b7f193 100644 --- a/sonar-dependency-check-plugin/src/main/java/org/sonar/dependencycheck/reason/MavenDependencyReason.java +++ b/sonar-dependency-check-plugin/src/main/java/org/sonar/dependencycheck/reason/MavenDependencyReason.java @@ -21,6 +21,7 @@ package org.sonar.dependencycheck.reason; import java.io.IOException; +import java.util.Collection; import java.util.HashMap; import java.util.Map; import java.util.Optional; 
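Review bot: The Javadoc kept above fillArtifactMatch no longer matches the new signature: it still reads `@param mavenDependency Identifier for gradle`, has no `@param dependency`, and keeps `@return TextRange if found in gradle, else null` although the method is now `void` and records its results through putDependencyMap; keep the line-parser sentence and replace the tags with `@param dependency the report dependency whose text range is being resolved` and `@param mavenDependency coordinates parsed from the dependency's purl`. In the loop body a line matching artifactId and groupId executes the HIGH put after the HIGHEST one and then both MEDIUM puts as well, relying on putDependencyMap to keep the best entry — up to four map operations and four debug lines per matching line; computing the confidence once per line (below) gives the same result with a single put, given that putDependencyMap keeps the stronger confidence. That helper's `compareTo(...) > 0` assumes `Confidence` declares the stronger constants first (HIGHEST before HIGH), which is not visible here and deserves a comment on that line. The `isNotBlank(reference)` check in workOnIncludedBy repeats the one inside convertToSoftwareDependency.
```java
private void fillArtifactMatch(@NonNull Dependency dependency, MavenDependency mavenDependency) {
    try (final Scanner scanner = new Scanner(content)) {
        int linenumber = 0;
        while (scanner.hasNextLine()) {
            final String lineFromFile = scanner.nextLine();
            linenumber++;
            boolean artifactMatch = lineFromFile.contains(mavenDependency.getArtifactId());
            boolean groupMatch = lineFromFile.contains(mavenDependency.getGroupId());
            if (!artifactMatch && !groupMatch) {
                continue;
            }
            // artifact+group+version -> HIGHEST, artifact+group -> HIGH, either alone -> MEDIUM
            Confidence confidence = Confidence.MEDIUM;
            if (artifactMatch && groupMatch) {
                boolean versionMatch = mavenDependency.getVersion().map(lineFromFile::contains).orElse(false);
                confidence = versionMatch ? Confidence.HIGHEST : Confidence.HIGH;
            }
            LOGGER.debug("Found a {} match for {}:{} in {} on line {}", confidence,
                    mavenDependency.getGroupId(), mavenDependency.getArtifactId(), buildGradle, linenumber);
            putDependencyMap(dependency, new TextRangeConfidence(buildGradle.selectLine(linenumber), confidence));
        }
    }
}
```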
@@ -35,9 +36,9 @@ import org.sonar.dependencycheck.parser.ReportParserException; import org.sonar.dependencycheck.parser.element.Confidence; import org.sonar.dependencycheck.parser.element.Dependency; -import org.sonar.dependencycheck.parser.element.Identifier; +import org.sonar.dependencycheck.parser.element.IncludedBy; import org.sonar.dependencycheck.reason.maven.MavenDependency; -import org.sonar.dependencycheck.reason.maven.MavenParent; +import org.sonar.dependencycheck.reason.maven.MavenDependencyLocation; import org.sonar.dependencycheck.reason.maven.MavenPomModel; import edu.umd.cs.findbugs.annotations.NonNull; 
@@ -67,75 +68,82 @@ public MavenDependencyReason(@NonNull InputFile pom) { @NonNull public TextRangeConfidence getBestTextRange(@NonNull Dependency dependency) { if (!dependencyMap.containsKey(dependency)) { - Optional mavenIdentifier = DependencyCheckUtils.getMavenIdentifier(dependency); - if (mavenIdentifier.isPresent()) { - fillArtifactMatch(dependency, mavenIdentifier.get()); + Optional mavenDependency = DependencyCheckUtils.getMavenDependency(dependency); + if (mavenDependency.isPresent()) { + fillArtifactMatch(dependency, mavenDependency.get()); } else { LOGGER.debug("No Identifier with type maven found for Dependency {}", dependency.getFileName()); } + Optional> includedBys = dependency.getIncludedBy(); + if (includedBys.isPresent()) { + workOnIncludedBy(dependency, includedBys.get()); + } dependencyMap.computeIfAbsent(dependency, k -> addDependencyToFirstLine(k, pom)); } return dependencyMap.get(dependency); } + private void workOnIncludedBy(@NonNull Dependency dependency, Collection includedBys) { + for (IncludedBy includedBy : includedBys) { + String reference = includedBy.getReference(); + if (StringUtils.isNotBlank(reference)) { + Optional softwareDependency = DependencyCheckUtils.convertToSoftwareDependency(reference); + if (softwareDependency.isPresent() && DependencyCheckUtils.isMavenDependency(softwareDependency.get())) { + fillArtifactMatch(dependency, (MavenDependency) softwareDependency.get()); + } + } + } + } /** - * - * This Methods fills a map for a dependency TODO: It would be nice to have - * something similar to the command "mvn dependency:tree" At the moment a simple - * pom line parser without transitive dependencies * * @param dependency - * @param mavenIdentifier + * @param mavenDependency */ - private void fillArtifactMatch(@NonNull Dependency dependency, Identifier mavenIdentifier) { + private void fillArtifactMatch(@NonNull Dependency dependency, MavenDependency mavenDependency) { // Try to find in - for (MavenDependency 
mavenDependency : pomModel.getDependencies()) { - checkPomDependency(mavenIdentifier, mavenDependency) - .ifPresent(textRange -> dependencyMap.put(dependency, textRange)); + for (MavenDependencyLocation mavenDependencyLocation : pomModel.getDependencies()) { + checkPomDependency(mavenDependency, mavenDependencyLocation) + .ifPresent(textRange -> putDependencyMap(dependency, textRange)); } // Check Parent if present - pomModel.getParent().ifPresent(parent -> checkPomParent(mavenIdentifier, parent) - .ifPresent(textRange -> dependencyMap.put(dependency, textRange))); + pomModel.getParent() + .ifPresent(parent -> checkPomDependency(mavenDependency, parent) + .ifPresent(textRange -> putDependencyMap(dependency, textRange))); } - private Optional checkPomDependency(Identifier mavenIdentifier, MavenDependency dependency) { - Optional packageArtifact = Identifier.getPackageArtifact(mavenIdentifier); - if (packageArtifact.isPresent()) { - // packageArtifact has something like struts/struts@1.2.8 - String[] mavenIdentifierSplit = packageArtifact.get().split("@"); - mavenIdentifierSplit = mavenIdentifierSplit[0].split("/"); - String groupId = mavenIdentifierSplit[0]; - String artifactId = mavenIdentifierSplit[1]; - if (StringUtils.equals(artifactId, dependency.getArtifactId()) - && StringUtils.equals(groupId, dependency.getGroupId())) { - LOGGER.debug("Found a artifactId and groupId match in {}", pom); - return Optional.of(new TextRangeConfidence(pom.newRange(pom.selectLine(dependency.getStartLineNr()).start(), pom.selectLine(dependency.getEndLineNr()).end()), Confidence.HIGHEST)); - } - if (StringUtils.equals(artifactId, dependency.getArtifactId())) { - LOGGER.debug("Found a artifactId match in {} for {}", pom, artifactId); - return Optional.of(new TextRangeConfidence(pom.newRange(pom.selectLine(dependency.getStartLineNr()).start(), pom.selectLine(dependency.getEndLineNr()).end()), Confidence.HIGH)); - } - if (StringUtils.equals(groupId, dependency.getGroupId())) { - 
LOGGER.debug("Found a groupId match in {} for {}", pom, groupId); - return Optional.of(new TextRangeConfidence(pom.newRange(pom.selectLine(dependency.getStartLineNr()).start(), pom.selectLine(dependency.getEndLineNr()).end()), Confidence.MEDIUM)); + private void putDependencyMap(@NonNull Dependency dependency, TextRangeConfidence newTextRange) { + if (dependencyMap.containsKey(dependency)) { + TextRangeConfidence oldTextRange = dependencyMap.get(dependency); + if (oldTextRange.getConfidence().compareTo(newTextRange.getConfidence()) > 0) { + dependencyMap.put(dependency, newTextRange); } + } else { + dependencyMap.put(dependency, newTextRange); } - return Optional.empty(); } - private Optional checkPomParent(Identifier mavenIdentifier, MavenParent parent) { - Optional packageArtifact = Identifier.getPackageArtifact(mavenIdentifier); - if (packageArtifact.isPresent()) { - // packageArtifact has something like struts/struts@1.2.8 - String[] mavenIdentifierSplit = packageArtifact.get().split("@"); - mavenIdentifierSplit = mavenIdentifierSplit[0].split("/"); - String groupId = mavenIdentifierSplit[0]; - if (StringUtils.equals(groupId, parent.getGroupId())) { - LOGGER.debug("Found a groupId match in {} for {}", pom, groupId); - return Optional.of(new TextRangeConfidence(pom.newRange(pom.selectLine(parent.getStartLineNr()).start(), pom.selectLine(parent.getEndLineNr()).end()), Confidence.MEDIUM)); + private Optional checkPomDependency(MavenDependency mavenDependency, MavenDependencyLocation mavenDependencyLocation) { + if (StringUtils.equals(mavenDependency.getArtifactId(), mavenDependencyLocation.getArtifactId()) + && StringUtils.equals(mavenDependency.getGroupId(), mavenDependencyLocation.getGroupId())) { + Optional depVersion = mavenDependency.getVersion(); + Optional depLocVersion = mavenDependencyLocation.getVersion(); + if (depVersion.isPresent() && depLocVersion.isPresent() && + StringUtils.equals(depVersion.get(), depLocVersion.get())) { + LOGGER.debug("Found a 
artifactId, groupId and version match in {} ({} - {})", pom, mavenDependencyLocation.getStartLineNr(), mavenDependencyLocation.getEndLineNr()); + return Optional.of(new TextRangeConfidence(pom.newRange(pom.selectLine(mavenDependencyLocation.getStartLineNr()).start(), pom.selectLine(mavenDependencyLocation.getEndLineNr()).end()), Confidence.HIGHEST)); } + LOGGER.debug("Found a artifactId and groupId match in {} ({} - {})", pom, mavenDependencyLocation.getStartLineNr(), mavenDependencyLocation.getEndLineNr()); + return Optional.of(new TextRangeConfidence(pom.newRange(pom.selectLine(mavenDependencyLocation.getStartLineNr()).start(), pom.selectLine(mavenDependencyLocation.getEndLineNr()).end()), Confidence.HIGH)); + } + if (StringUtils.equals(mavenDependency.getArtifactId(), mavenDependencyLocation.getArtifactId())) { + LOGGER.debug("Found a artifactId match in {} ({} - {})", pom, mavenDependencyLocation.getStartLineNr(), mavenDependencyLocation.getEndLineNr()); + return Optional.of(new TextRangeConfidence(pom.newRange(pom.selectLine(mavenDependencyLocation.getStartLineNr()).start(), pom.selectLine(mavenDependencyLocation.getEndLineNr()).end()), Confidence.MEDIUM)); + } + if (StringUtils.equals(mavenDependency.getGroupId(), mavenDependencyLocation.getGroupId())) { + LOGGER.debug("Found a groupId match in {} ({} - {})", pom, mavenDependencyLocation.getStartLineNr(), mavenDependencyLocation.getEndLineNr()); + return Optional.of(new TextRangeConfidence(pom.newRange(pom.selectLine(mavenDependencyLocation.getStartLineNr()).start(), pom.selectLine(mavenDependencyLocation.getEndLineNr()).end()), Confidence.MEDIUM)); } - return Optional.empty(); + return Optional.empty(); } /** diff --git a/sonar-dependency-check-plugin/src/main/java/org/sonar/dependencycheck/reason/NPMDependencyReason.java b/sonar-dependency-check-plugin/src/main/java/org/sonar/dependencycheck/reason/NPMDependencyReason.java index b986c2b8..ad16074a 100644 
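Review bot: putDependencyMap decides whether to overwrite an existing entry with `oldTextRange.getConfidence().compareTo(newTextRange.getConfidence()) > 0`, and for an enum compareTo is declaration order, so the whole "keep the better match" rule silently depends on how Confidence is declared, which this hunk does not show. A comment on that line, `// enum compareTo() is declaration order: relies on Confidence listing HIGHEST first, so a positive result means the stored match is weaker`, would make the contract explicit and protect it against a reordering of the enum. The Javadoc on fillArtifactMatch keeps two empty @param tags now that the TODO text is gone; a sentence such as "records the best pom location for a MavenDependency obtained from an identifier or an includedBy reference, keeping the highest confidence seen" would document what the method actually does. The enclosing class continues outside the hunk.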
--- a/sonar-dependency-check-plugin/src/main/java/org/sonar/dependencycheck/reason/NPMDependencyReason.java +++ b/sonar-dependency-check-plugin/src/main/java/org/sonar/dependencycheck/reason/NPMDependencyReason.java @@ -35,12 +35,11 @@ import org.sonar.dependencycheck.parser.ReportParserException; import org.sonar.dependencycheck.parser.element.Confidence; import org.sonar.dependencycheck.parser.element.Dependency; -import org.sonar.dependencycheck.parser.element.Identifier; import org.sonar.dependencycheck.reason.npm.NPMDependency; +import org.sonar.dependencycheck.reason.npm.NPMDependencyLocation; import org.sonar.dependencycheck.reason.npm.PackageLockModel; import edu.umd.cs.findbugs.annotations.NonNull; -import edu.umd.cs.findbugs.annotations.Nullable; public class NPMDependencyReason extends DependencyReason { 
@@ -78,57 +77,36 @@ public InputComponent getInputComponent() { @Override public TextRangeConfidence getBestTextRange(Dependency dependency) { if (!dependencyMap.containsKey(dependency)) { - Optional javaScriptIdentifier = DependencyCheckUtils.getJavaScriptIdentifier(dependency); - if (javaScriptIdentifier.isPresent()) { - fillArtifactMatch(dependency, javaScriptIdentifier.get()); + Optional npmDependency = DependencyCheckUtils.getNPMDependency(dependency); + if (npmDependency.isPresent()) { + fillArtifactMatch(dependency, npmDependency.get()); } else { - LOGGER.debug("No Identifier with type javascript found for Dependency {}", dependency.getFileName()); - } - Optional npmIdentifier = DependencyCheckUtils.getNPMIdentifier(dependency); - if (npmIdentifier.isPresent()) { - fillArtifactMatch(dependency, npmIdentifier.get()); - } else { - LOGGER.debug("No Identifier with type npm found for Dependency {}", dependency.getFileName()); + LOGGER.debug("No Identifier with type npm/javascript found for Dependency {}", dependency.getFileName()); } dependencyMap.computeIfAbsent(dependency, k -> addDependencyToFirstLine(k, packageLock)); } return dependencyMap.get(dependency); } - private void fillArtifactMatch(@NonNull Dependency dependency, Identifier npmIdentifier) { - String packageArtifact = Identifier.getPackageArtifact(npmIdentifier).orElse(null); - if (StringUtils.isNotBlank(packageArtifact)) { - String name; - String version; - if (packageArtifact.contains("@")) { - // packageArtifact is something like jquery@2.2.0 - String[] npmIdentifierSplit = packageArtifact.split("@"); - name = npmIdentifierSplit[0]; - version = npmIdentifierSplit[1]; - } else { - // It happens, that packageArtifact doesn't contain a version - // https://github.com/dependency-check/dependency-check-sonar-plugin/issues/242#issuecomment-605521827 - name = packageArtifact; - version = null; - } - - // Try to find in - for (NPMDependency npmDependency : packageLockModel.getDependencies()) { - 
checkNPMDependency(name, version , npmDependency) - .ifPresent(textrange -> dependencyMap.put(dependency, textrange)); - } + private void fillArtifactMatch(@NonNull Dependency dependency, NPMDependency npmDependency) { + // Try to find in + for (NPMDependencyLocation npmDependencyLocation : packageLockModel.getDependencies()) { + checkNPMDependency(npmDependency, npmDependencyLocation) + .ifPresent(textrange -> dependencyMap.put(dependency, textrange)); } } - private Optional checkNPMDependency(String name, @Nullable String version, NPMDependency dependency) { - if (StringUtils.equals(name, dependency.getName()) - && StringUtils.equals(version, dependency.getVersion())) { - LOGGER.debug("Found a name and version match in {}", packageLock); - return Optional.of(new TextRangeConfidence(packageLock.newRange(packageLock.selectLine(dependency.getStartLineNr()).start(), packageLock.selectLine(dependency.getEndLineNr()).end()), Confidence.HIGHEST)); - } - if (StringUtils.equals(name, dependency.getName())) { - LOGGER.debug("Found a name match in {} for {}", packageLock, name); - return Optional.of(new TextRangeConfidence(packageLock.newRange(packageLock.selectLine(dependency.getStartLineNr()).start(), packageLock.selectLine(dependency.getEndLineNr()).end()), Confidence.HIGH)); + private Optional checkNPMDependency(NPMDependency npmDependency, NPMDependencyLocation npmDependencyLocation) { + if (StringUtils.equals(npmDependency.getName(), npmDependencyLocation.getName())) { + Optional npmDepVersion = npmDependency.getVersion(); + Optional npmDepLocVersion = npmDependencyLocation.getVersion(); + if (npmDepVersion.isPresent() && npmDepLocVersion.isPresent() && + StringUtils.equals(npmDepVersion.get(), npmDepLocVersion.get())) { + LOGGER.debug("Found a name and version match in {}", packageLock); + return Optional.of(new TextRangeConfidence(packageLock.newRange(packageLock.selectLine(npmDependencyLocation.getStartLineNr()).start(), 
packageLock.selectLine(npmDependencyLocation.getEndLineNr()).end()), Confidence.HIGHEST)); + } + LOGGER.debug("Found a name match in {} for {}", packageLock, npmDependency.getName()); + return Optional.of(new TextRangeConfidence(packageLock.newRange(packageLock.selectLine(npmDependencyLocation.getStartLineNr()).start(), packageLock.selectLine(npmDependencyLocation.getEndLineNr()).end()), Confidence.HIGH)); } return Optional.empty(); } diff --git a/sonar-dependency-check-plugin/src/main/java/org/sonar/dependencycheck/reason/SoftwareDependency.java b/sonar-dependency-check-plugin/src/main/java/org/sonar/dependencycheck/reason/SoftwareDependency.java new file mode 100644 index 00000000..fd2b06a9 --- /dev/null +++ b/sonar-dependency-check-plugin/src/main/java/org/sonar/dependencycheck/reason/SoftwareDependency.java 
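Review bot: fillArtifactMatch still writes every hit with `dependencyMap.put(dependency, textrange)` inside the loop over packageLockModel.getDependencies(), so when package-lock.json lists several versions of the same package a later name-only HIGH match overwrites an earlier name-and-version HIGHEST match for the same dependency. MavenDependencyReason in this same commit introduces a putDependencyMap helper that keeps the stronger confidence; the NPM side would be consistent with the same helper, sketched below. Unlike the Maven reason this class does not consult Dependency.getIncludedBy(), which may be intentional but deserves a sentence in the commit message. The enclosing class continues outside the hunk.
```java
    private void fillArtifactMatch(@NonNull Dependency dependency, NPMDependency npmDependency) {
        // Try to find in
        for (NPMDependencyLocation npmDependencyLocation : packageLockModel.getDependencies()) {
            checkNPMDependency(npmDependency, npmDependencyLocation)
                .ifPresent(textrange -> putDependencyMap(dependency, textrange));
        }
    }

    // Keeps the entry with the better confidence; mirrors MavenDependencyReason.putDependencyMap
    // and, like it, relies on Confidence enum order (HIGHEST declared first) -- confirm against Confidence
    private void putDependencyMap(@NonNull Dependency dependency, TextRangeConfidence newTextRange) {
        TextRangeConfidence oldTextRange = dependencyMap.get(dependency);
        if (oldTextRange == null || oldTextRange.getConfidence().compareTo(newTextRange.getConfidence()) > 0) {
            dependencyMap.put(dependency, newTextRange);
        }
    }

    // … unchanged: checkNPMDependency …
```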
@@ -0,0 +1,54 @@
+/*
+ * Dependency-Check Plugin for SonarQube
+ * Copyright (C) 2015-2021 dependency-check
+ * philipp.dallig@gmail.com
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 3 of the License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this program; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+ */
+
+package org.sonar.dependencycheck.reason;
+
+import java.util.Optional;
+
+import edu.umd.cs.findbugs.annotations.NonNull;
+import edu.umd.cs.findbugs.annotations.Nullable;
+
+public class SoftwareDependency {
+ private final String name;
+ private final Optional version;
+ /**
+ * @param version
+ * @param name
+ */
+ public SoftwareDependency(@NonNull String name, @Nullable String version) {
+ super();
+ this.name = name;
+ this.version = Optional.ofNullable(version);
+ }
+ /**
+ * @return the name
+ */
+ @NonNull
+ public String getName() {
+ return name;
+ }
+ /**
+ * @return the version
+ */
+ public Optional getVersion() {
+ return version;
+ }
+
+}
diff --git a/sonar-dependency-check-plugin/src/main/java/org/sonar/dependencycheck/reason/maven/MavenDependency.java b/sonar-dependency-check-plugin/src/main/java/org/sonar/dependencycheck/reason/maven/MavenDependency.java
index 72a73d22..a5659410 100644
--- a/sonar-dependency-check-plugin/src/main/java/org/sonar/dependencycheck/reason/maven/MavenDependency.java
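Review bot: The constructor annotates name with @NonNull but stores it unchecked in `this.name = name;`, so a null name only surfaces later in StringUtils comparisons or in callers of getName(); `this.name = Objects.requireNonNull(name, "name");` (with `java.util.Objects` imported) fails at construction instead, and the explicit `super();` call is redundant. Holding `Optional version` as a field is the use the Optional API is not meant for; a `@Nullable String version` field with `Optional.ofNullable(version)` in getVersion() keeps the same public interface. The constructor Javadoc lists `@param version` before `@param name`, reversing the parameter order, and neither tag has a description; `@param name the package name, never null` and `@param version the version, or null when unknown` would state the contract the annotations imply. If instances are ever used as map keys or compared in tests, equals/hashCode are missing, which I cannot tell from this hunk.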
+++ b/sonar-dependency-check-plugin/src/main/java/org/sonar/dependencycheck/reason/maven/MavenDependency.java @@ -20,51 +20,23 @@ package org.sonar.dependencycheck.reason.maven; -public class MavenDependency { +import org.sonar.dependencycheck.reason.SoftwareDependency; +import edu.umd.cs.findbugs.annotations.NonNull; +import edu.umd.cs.findbugs.annotations.Nullable; + +public class MavenDependency extends SoftwareDependency { private final String groupId; - private final String artifactId; - private final int startLineNr; - private final int endLineNr; - /** - * @param groupId - * @param artifactId - * @param startLineNr - * @param endLineNr - */ - public MavenDependency(String groupId, String artifactId, int startLineNr, int endLineNr) { + public MavenDependency(@NonNull String groupId, @NonNull String artifactId, @Nullable String version) { + super(artifactId, version); this.groupId = groupId; - this.artifactId = artifactId; - this.startLineNr = startLineNr; - this.endLineNr = endLineNr; - } - - /** - * @return the groupId - */ - public String getGroupId() { - return groupId; } - - /** - * @return the artifactId - */ public String getArtifactId() { - return artifactId; - } - - /** - * @return the startLineNr - */ - public int getStartLineNr() { - return startLineNr; + return getName(); } - /** - * @return the endLineNr - */ - public int getEndLineNr() { - return endLineNr; + public String getGroupId() { + return groupId; } } diff --git a/sonar-dependency-check-plugin/src/main/java/org/sonar/dependencycheck/reason/maven/MavenParent.java b/sonar-dependency-check-plugin/src/main/java/org/sonar/dependencycheck/reason/maven/MavenDependencyLocation.java similarity index 83% rename from sonar-dependency-check-plugin/src/main/java/org/sonar/dependencycheck/reason/maven/MavenParent.java rename to sonar-dependency-check-plugin/src/main/java/org/sonar/dependencycheck/reason/maven/MavenDependencyLocation.java index 0c9e8c68..de44c5e8 100644 
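Review bot: The rewritten class drops all of its Javadoc: the constructor's @param block is removed and both getters lose their `@return` lines, leaving nothing that says `getArtifactId()` is an alias for the inherited name; a class comment such as `/** A Maven coordinate (groupId, artifactId, optional version); the artifactId is stored as the SoftwareDependency name. */` plus `/** @return the groupId, never null */` on getGroupId would restore it. getGroupId() is not annotated @NonNull although the constructor parameter is, and groupId is stored without `Objects.requireNonNull(groupId, "groupId")`, so the annotation remains advisory only.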
--- a/sonar-dependency-check-plugin/src/main/java/org/sonar/dependencycheck/reason/maven/MavenParent.java +++ b/sonar-dependency-check-plugin/src/main/java/org/sonar/dependencycheck/reason/maven/MavenDependencyLocation.java @@ -20,38 +20,35 @@ package org.sonar.dependencycheck.reason.maven; -public class MavenParent { +public class MavenDependencyLocation extends MavenDependency{ - private final String groupId; private final int startLineNr; private final int endLineNr; + /** * @param groupId + * @param artifactId + * @param version * @param startLineNr * @param endLineNr */ - public MavenParent(String groupId ,int startLineNr, int endLineNr) { - this.groupId = groupId; + public MavenDependencyLocation(String groupId, String artifactId, String version, int startLineNr, int endLineNr) { + super(groupId, artifactId, version); this.startLineNr = startLineNr; this.endLineNr = endLineNr; } - /** - * @return the groupId - */ - public String getGroupId() { - return groupId; - } + /** * @return the startLineNr */ public int getStartLineNr() { return startLineNr; } + /** * @return the endLineNr */ public int getEndLineNr() { return endLineNr; } - } diff --git a/sonar-dependency-check-plugin/src/main/java/org/sonar/dependencycheck/reason/maven/MavenPomModel.java b/sonar-dependency-check-plugin/src/main/java/org/sonar/dependencycheck/reason/maven/MavenPomModel.java index 07cc9484..4c8d427c 100644 --- a/sonar-dependency-check-plugin/src/main/java/org/sonar/dependencycheck/reason/maven/MavenPomModel.java +++ b/sonar-dependency-check-plugin/src/main/java/org/sonar/dependencycheck/reason/maven/MavenPomModel.java 
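Review bot: The new constructor `public MavenDependencyLocation(String groupId, String artifactId, String version, int startLineNr, int endLineNr)` carries no nullability annotations although it forwards to `MavenDependency(@NonNull String, @NonNull String, @Nullable String)`, and its five @param tags have no descriptions, so a reader cannot tell from this class that version may be absent (a dependency whose version is managed elsewhere has no version element in the pom, which is presumably why version is Optional in the parent). Annotating `@NonNull String groupId, @NonNull String artifactId, @Nullable String version` and writing `@param version the version as written in the pom, or null when the element is absent` would carry the contract down. `extends MavenDependency{` is missing the space before the brace. The same points apply to NPMDependencyLocation later in this diff, whose constructor also forwards an unannotated name and version to SoftwareDependency.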
@@ -37,26 +37,26 @@ @JsonIgnoreProperties(ignoreUnknown = true) public class MavenPomModel { - private final List dependencies; - private final MavenParent parent; + private final List dependencies; + private final MavenDependencyLocation parent; /** * @param dependencies * @param parent */ @JsonCreator - public MavenPomModel(@JsonProperty(value = "dependencies") @JsonDeserialize(using = MavenDependencyDeserializer.class ) @Nullable List dependencies, - @JsonProperty(value = "parent") @JsonDeserialize(using = MavenParentDeserializer.class ) @Nullable MavenParent parent) { + public MavenPomModel(@JsonProperty(value = "dependencies") @JsonDeserialize(using = MavenDependencyDeserializer.class ) @Nullable List dependencies, + @JsonProperty(value = "parent") @JsonDeserialize(using = MavenParentDeserializer.class ) @Nullable MavenDependencyLocation parent) { this.dependencies = dependencies == null ? Collections.emptyList() : dependencies; this.parent = parent; } @NonNull - public List getDependencies() { + public List getDependencies() { return dependencies; } - public Optional getParent() { + public Optional getParent() { return Optional.ofNullable(parent); } diff --git a/sonar-dependency-check-plugin/src/main/java/org/sonar/dependencycheck/reason/npm/NPMDependency.java b/sonar-dependency-check-plugin/src/main/java/org/sonar/dependencycheck/reason/npm/NPMDependency.java index 74b4c0b3..28a6cc59 100644 --- a/sonar-dependency-check-plugin/src/main/java/org/sonar/dependencycheck/reason/npm/NPMDependency.java +++ b/sonar-dependency-check-plugin/src/main/java/org/sonar/dependencycheck/reason/npm/NPMDependency.java 
@@ -17,53 +17,17 @@ * along with this program; if not, write to the Free Software Foundation, * Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. */ -package org.sonar.dependencycheck.reason.npm; - -public class NPMDependency { - private final String name; - private final String version; - private final int startLineNr; - private final int endLineNr; - - /** - * @param name - * @param version - * @param startLineNr - * @param endLineNr - */ - public NPMDependency(String name, String version, int startLineNr, int endLineNr) { - this.name = name; - this.version = version; - this.startLineNr = startLineNr; - this.endLineNr = endLineNr; - } +package org.sonar.dependencycheck.reason.npm; - /** - * @return the name - */ - public String getName() { - return name; - } +import org.sonar.dependencycheck.reason.SoftwareDependency; - /** - * @return the version - */ - public String getVersion() { - return version; - } +import edu.umd.cs.findbugs.annotations.NonNull; +import edu.umd.cs.findbugs.annotations.Nullable; - /** - * @return the startLineNr - */ - public int getStartLineNr() { - return startLineNr; - } +public class NPMDependency extends SoftwareDependency { - /** - * @return the endLineNr - */ - public int getEndLineNr() { - return endLineNr; + public NPMDependency(@NonNull String name, @Nullable String version) { + super(name, version); } } diff --git a/sonar-dependency-check-plugin/src/main/java/org/sonar/dependencycheck/reason/npm/NPMDependencyLocation.java b/sonar-dependency-check-plugin/src/main/java/org/sonar/dependencycheck/reason/npm/NPMDependencyLocation.java new file mode 100644 index 00000000..e4340974 --- /dev/null +++ b/sonar-dependency-check-plugin/src/main/java/org/sonar/dependencycheck/reason/npm/NPMDependencyLocation.java 
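Review bot: The class is reduced to a single annotated constructor with no comment at all, while its former getters and line numbers move to NPMDependencyLocation, so nothing in the file says what distinguishes NPMDependency from its parent SoftwareDependency. A class Javadoc such as `/** An npm package reference (name and optional version) taken from a report identifier; its position in package-lock.json is an NPMDependencyLocation. */` would record that split. Whether the subclass is needed at all rather than using SoftwareDependency directly depends on isNPMDependency in DependencyCheckUtils, which is outside this hunk.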
@@ -0,0 +1,54 @@
+/*
+ * Dependency-Check Plugin for SonarQube
+ * Copyright (C) 2015-2021 dependency-check
+ * philipp.dallig@gmail.com
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 3 of the License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this program; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+ */
+package org.sonar.dependencycheck.reason.npm;
+
+import org.sonar.dependencycheck.reason.SoftwareDependency;
+
+public class NPMDependencyLocation extends SoftwareDependency{
+
+ private final int startLineNr;
+ private final int endLineNr;
+
+ /**
+ * @param name
+ * @param version
+ * @param startLineNr
+ * @param endLineNr
+ */
+ public NPMDependencyLocation(String name, String version, int startLineNr, int endLineNr) {
+ super(name, version);
+ this.startLineNr = startLineNr;
+ this.endLineNr = endLineNr;
+ }
+
+ /**
+ * @return the startLineNr
+ */
+ public int getStartLineNr() {
+ return startLineNr;
+ }
+
+ /**
+ * @return the endLineNr
+ */
+ public int getEndLineNr() {
+ return endLineNr;
+ }
+}
diff --git a/sonar-dependency-check-plugin/src/main/java/org/sonar/dependencycheck/reason/npm/PackageLockModel.java b/sonar-dependency-check-plugin/src/main/java/org/sonar/dependencycheck/reason/npm/PackageLockModel.java
index 014e5643..2e0553d2 100644
--- a/sonar-dependency-check-plugin/src/main/java/org/sonar/dependencycheck/reason/npm/PackageLockModel.java
+++ b/sonar-dependency-check-plugin/src/main/java/org/sonar/dependencycheck/reason/npm/PackageLockModel.java @@ -35,18 +35,18 @@ @JsonIgnoreProperties(ignoreUnknown = true) public class PackageLockModel { - private final List dependencies; + private final List dependencies; /** * @param dependencies */ @JsonCreator - public PackageLockModel(@JsonProperty(value = "dependencies") @JsonDeserialize(using = PackageLockDependencyDeserializer.class ) @Nullable List dependencies) { + public PackageLockModel(@JsonProperty(value = "dependencies") @JsonDeserialize(using = PackageLockDependencyDeserializer.class ) @Nullable List dependencies) { this.dependencies = dependencies == null ? Collections.emptyList() : dependencies; } @NonNull - public List getDependencies() { + public List getDependencies() { return dependencies; } diff --git a/sonar-dependency-check-plugin/src/test/java/org/sonar/dependencycheck/DependencyCheckSensorTest.java b/sonar-dependency-check-plugin/src/test/java/org/sonar/dependencycheck/DependencyCheckSensorTest.java index fbb3365f..51f1e8e8 100644 --- a/sonar-dependency-check-plugin/src/test/java/org/sonar/dependencycheck/DependencyCheckSensorTest.java +++ b/sonar-dependency-check-plugin/src/test/java/org/sonar/dependencycheck/DependencyCheckSensorTest.java @@ -100,7 +100,7 @@ void shouldAnalyse() { when(pathResolver.relativeFile(Mockito.any(File.class), Mockito.eq(config.get(DependencyCheckConstants.JSON_REPORT_PATH_PROPERTY).orElse(DependencyCheckConstants.JSON_REPORT_PATH_DEFAULT)))).thenReturn(sampleJsonReport); sensor.execute(context); - assertEquals(45, context.allIssues().size()); + assertEquals(40, context.allIssues().size()); } @Test 
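Review bot: The expected issue count in shouldAnalyse changes from 45 to 40 without any comment saying why, and because the fixture dependency-check-report.json is regenerated in this same commit a reviewer cannot tell from the diff whether five issues vanished because the new sample report lists fewer vulnerabilities or because includedBy-based matching now attributes them differently. A comment beside the assertion, e.g. `// 40 issues in the regenerated sample report (presumably dependency-check 8.0.0 format)`, or a sentence in the commit message, would let the next fixture update verify the number rather than re-derive it. The same applies to the three later hunks of this file, which change 45 to 40 twice more and 7 to 8 in shouldPersistSummarizeIssues.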
@@ -128,7 +128,7 @@ void shouldAddAnIssueForAVulnerability() { when(pathResolver.relativeFile(Mockito.any(File.class), Mockito.eq(config.get(DependencyCheckConstants.JSON_REPORT_PATH_PROPERTY).orElse(DependencyCheckConstants.JSON_REPORT_PATH_DEFAULT)))).thenReturn(sampleJsonReport); sensor.execute(context); - assertEquals(45, context.allIssues().size()); + assertEquals(40, context.allIssues().size()); for (Issue issue : context.allIssues()) { assertEquals(DependencyCheckConstants.RULE_KEY, issue.ruleKey().rule()); } @@ -190,7 +190,7 @@ void shouldPersistSummarizeIssues() { when(pathResolver.relativeFile(Mockito.any(File.class), Mockito.eq(config.get(DependencyCheckConstants.JSON_REPORT_PATH_PROPERTY).orElse(DependencyCheckConstants.JSON_REPORT_PATH_DEFAULT)))).thenReturn(sampleJsonReport); sensor.execute(context); - assertEquals(7, context.allIssues().size()); + assertEquals(8, context.allIssues().size()); } @Test @@ -246,7 +246,7 @@ void shouldAddSecurityHotspots() { .orElse(DependencyCheckConstants.JSON_REPORT_PATH_DEFAULT)))) .thenReturn(sampleJsonReport); sensor.execute(context); - assertEquals(45, context.allIssues().size()); + assertEquals(40, context.allIssues().size()); for (Issue issue : context.allIssues()) { assertEquals(DependencyCheckConstants.RULE_KEY_WITH_SECURITY_HOTSPOT, issue.ruleKey().rule()); } diff --git a/sonar-dependency-check-plugin/src/test/java/org/sonar/dependencycheck/base/DependencyCheckUtilsTest.java b/sonar-dependency-check-plugin/src/test/java/org/sonar/dependencycheck/base/DependencyCheckUtilsTest.java index 4c21e161..21250627 100644 --- a/sonar-dependency-check-plugin/src/test/java/org/sonar/dependencycheck/base/DependencyCheckUtilsTest.java +++ b/sonar-dependency-check-plugin/src/test/java/org/sonar/dependencycheck/base/DependencyCheckUtilsTest.java 
@@ -21,6 +21,8 @@ import static org.junit.jupiter.api.Assertions.assertEquals; +import static org.junit.jupiter.api.Assertions.assertFalse; +import static org.junit.jupiter.api.Assertions.assertTrue; import static org.mockito.Mockito.mock; import static org.mockito.Mockito.when; @@ -34,6 +36,7 @@ import java.util.Collection; import java.util.Collections; import java.util.List; +import java.util.Optional; import java.util.stream.Stream; import org.junit.jupiter.api.Test; @@ -50,6 +53,8 @@ import org.sonar.dependencycheck.reason.GradleDependencyReason; import org.sonar.dependencycheck.reason.MavenDependencyReason; import org.sonar.dependencycheck.reason.NPMDependencyReason; +import org.sonar.dependencycheck.reason.SoftwareDependency; +import org.sonar.dependencycheck.reason.maven.MavenDependency; class DependencyCheckUtilsTest { 
@@ -274,10 +279,47 @@ void testBestDependencyReasonSubModule() throws IOException { Vulnerability vulnerability1 = new Vulnerability("Test name", "NVD", "MyDescription", null, cvssV2, null, null); List vulnerabilities1 = new ArrayList<>(); vulnerabilities1.add(vulnerability1); - Dependency dependency = new Dependency(null, null, null, null, Collections.emptyMap(), vulnerabilities1, packageidentifiers1, Collections.emptyList()); + Dependency dependency = new Dependency(null, null, null, null, Collections.emptyMap(), vulnerabilities1, packageidentifiers1, Collections.emptyList(), null); // then assertEquals(submodulepomReason, DependencyCheckUtils.getBestDependencyReason(dependency, Arrays.asList(pomReason, submodulepomReason)).get()); assertEquals(submodulepomReason, DependencyCheckUtils.getBestDependencyReason(dependency, Arrays.asList(submodulepomReason, pomReason)).get()); } + + @Test + void testMaven() { + Optional dep = DependencyCheckUtils.convertToSoftwareDependency("pkg:maven/struts/struts@1.2.8"); + assertTrue(DependencyCheckUtils.isMavenDependency(dep.get())); + assertFalse(DependencyCheckUtils.isNPMDependency(dep.get())); + assertEquals("struts", ((MavenDependency)dep.get()).getGroupId()); + assertEquals("struts", ((MavenDependency)dep.get()).getArtifactId()); + assertEquals("1.2.8", ((MavenDependency)dep.get()).getVersion().get()); + } + + @Test + void testNode() { + Optional dep = DependencyCheckUtils.convertToSoftwareDependency("pkg:npm/braces@1.8.5"); + assertFalse(DependencyCheckUtils.isMavenDependency(dep.get())); + assertTrue(DependencyCheckUtils.isNPMDependency(dep.get())); + assertEquals("braces", dep.get().getName()); + assertEquals("1.8.5", dep.get().getVersion().get()); + } + + @Test + void testNodeWithOutVersion() { + Optional dep = DependencyCheckUtils.convertToSoftwareDependency("pkg:npm/mime"); + assertFalse(DependencyCheckUtils.isMavenDependency(dep.get())); + assertTrue(DependencyCheckUtils.isNPMDependency(dep.get())); + 
assertEquals("mime", dep.get().getName()); + assertFalse(dep.get().getVersion().isPresent()); + } + + @Test + void testJavaScript() { + Optional dep = DependencyCheckUtils.convertToSoftwareDependency("pkg:javascript/jquery@2.2.0"); + assertFalse(DependencyCheckUtils.isMavenDependency(dep.get())); + assertTrue(DependencyCheckUtils.isNPMDependency(dep.get())); + assertEquals("jquery", dep.get().getName()); + assertEquals("2.2.0", dep.get().getVersion().get()); + } } diff --git a/sonar-dependency-check-plugin/src/test/java/org/sonar/dependencycheck/page/DependencyCheckReportPageTest.java b/sonar-dependency-check-plugin/src/test/java/org/sonar/dependencycheck/page/DependencyCheckReportPageTest.java index 93b7cbe1..c5b88789 100644 --- a/sonar-dependency-check-plugin/src/test/java/org/sonar/dependencycheck/page/DependencyCheckReportPageTest.java +++ b/sonar-dependency-check-plugin/src/test/java/org/sonar/dependencycheck/page/DependencyCheckReportPageTest.java @@ -33,7 +33,6 @@ void testPage() { DependencyCheckReportPage reportPage = new DependencyCheckReportPage(); Context context = new Context(); reportPage.define(context); - System.out.println(context.getPages().size()); Page report_page = context.getPages().iterator().next(); assertEquals("Dependency-Check", report_page.getName()); assertEquals("dependencycheck/report_page", report_page.getKey()); diff --git a/sonar-dependency-check-plugin/src/test/java/org/sonar/dependencycheck/parser/NPMParserHelperTest.java b/sonar-dependency-check-plugin/src/test/java/org/sonar/dependencycheck/parser/NPMParserHelperTest.java index 7454cb40..5d3ba3f1 100644 --- a/sonar-dependency-check-plugin/src/test/java/org/sonar/dependencycheck/parser/NPMParserHelperTest.java +++ b/sonar-dependency-check-plugin/src/test/java/org/sonar/dependencycheck/parser/NPMParserHelperTest.java 
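Review bot: The four new tests call `dep.get()` straight on the Optional returned by convertToSoftwareDependency, so a parser regression that yields an empty Optional fails with a NoSuchElementException rather than a readable assertion; `assertTrue(dep.isPresent());` as the first line of each test states the intent. There is also no negative case: nothing pins what convertToSoftwareDependency returns for a purl of another ecosystem (`pkg:pypi/...`), a string without the `pkg:` prefix, a `pkg:maven/` value with no slash between group and artifact, or an empty string, although these values come straight from the report's includedBy references; whether the method returns empty or throws there is not visible in this diff, and a test would fix it either way. The Dependency constructor gains a ninth argument passed as null here; if that is the includedBy collection, a fixture with a non-null list would exercise the new workOnIncludedBy path, which no test in this diff does.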
@@ -30,7 +30,7 @@ import java.io.InputStream; import org.junit.jupiter.api.Test; -import org.sonar.dependencycheck.reason.npm.NPMDependency; +import org.sonar.dependencycheck.reason.npm.NPMDependencyLocation; import org.sonar.dependencycheck.reason.npm.PackageLockModel; import com.fasterxml.jackson.core.JsonParseException; @@ -53,10 +53,10 @@ void parsePackageLock() throws Exception { private void checkNPMDependency(PackageLockModel packageLockModel, String name, String version, int startLineNr, int endLineNr) { boolean found = false; - for (NPMDependency npmDependency : packageLockModel.getDependencies()) { + for (NPMDependencyLocation npmDependency : packageLockModel.getDependencies()) { if (name.equals(npmDependency.getName())) { found = true; - assertEquals(version, npmDependency.getVersion()); + assertEquals(version, npmDependency.getVersion().get()); assertEquals(startLineNr, npmDependency.getStartLineNr()); assertEquals(endLineNr, npmDependency.getEndLineNr()); } diff --git a/sonar-dependency-check-plugin/src/test/java/org/sonar/dependencycheck/parser/PomParserHelperTest.java b/sonar-dependency-check-plugin/src/test/java/org/sonar/dependencycheck/parser/PomParserHelperTest.java index b69216a5..dea75018 100644 --- a/sonar-dependency-check-plugin/src/test/java/org/sonar/dependencycheck/parser/PomParserHelperTest.java +++ b/sonar-dependency-check-plugin/src/test/java/org/sonar/dependencycheck/parser/PomParserHelperTest.java @@ -30,7 +30,7 @@ import java.io.InputStream; import org.junit.jupiter.api.Test; -import org.sonar.dependencycheck.reason.maven.MavenDependency; +import org.sonar.dependencycheck.reason.maven.MavenDependencyLocation; import org.sonar.dependencycheck.reason.maven.MavenPomModel; class PomParserHelperTest { 
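Review bot: `assertEquals(version, npmDependency.getVersion().get())` turns a missing version into a `NoSuchElementException` rather than an assertion failure now that `getVersion()` returns an `Optional`. Comparing the optional directly, `assertEquals(Optional.of(version), npmDependency.getVersion());`, keeps the failure message meaningful and also covers a future fixture entry that has no version. The `checkNPMDependency` method continues past the end of this hunk.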
@@ -41,20 +41,21 @@ void parsePom() throws Exception { MavenPomModel pomModel = PomParserHelper.parse(pom); assertNotNull(pomModel); // check some dependencies - checkMavenDependency(pomModel, "struts", "struts", 46, 50); - checkMavenDependency(pomModel, "javax.mail", "com.sun.mail", 51, 55); - checkMavenDependency(pomModel, "spring", "org.springframework", 56, 60); - checkMavenDependency(pomModel, "commons-io", "commons-io", 61, 65); + checkMavenDependency(pomModel, "struts", "struts", "1.2.8", 46, 50); + checkMavenDependency(pomModel, "com.sun.mail", "javax.mail", "1.4.4", 51, 55); + checkMavenDependency(pomModel, "org.springframework", "spring", "2.0.8", 56, 60); + checkMavenDependency(pomModel, "commons-io", "commons-io", "2.4", 61, 65); // check parent - checkMavenParent(pomModel, "dummy-parent", 18, 21); + checkMavenParent(pomModel, "dummy-parent", "dummy-parent-artifact", "1.0", 18, 21); } - private void checkMavenDependency(MavenPomModel pomModel, String artifactId, String groupId, int startLineNr, int endLineNr) { + private void checkMavenDependency(MavenPomModel pomModel, String groupId, String artifactId, String version, int startLineNr, int endLineNr) { boolean found = false; - for (MavenDependency mavenDependency : pomModel.getDependencies()) { + for (MavenDependencyLocation mavenDependency : pomModel.getDependencies()) { if (artifactId.equals(mavenDependency.getArtifactId())) { found = true; assertEquals(groupId, mavenDependency.getGroupId()); + assertEquals(version, mavenDependency.getVersion().get()); assertEquals(startLineNr, mavenDependency.getStartLineNr()); assertEquals(endLineNr, mavenDependency.getEndLineNr()); } 
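Review bot: `checkMavenDependency` still selects entries by `artifactId` alone but now asserts `groupId` and `version` on every entry that matches, so a pom listing the same artifactId under two groupIds would fail on the wrong entry instead of skipping it. Matching on both coordinates, `if (groupId.equals(mavenDependency.getGroupId()) && artifactId.equals(mavenDependency.getArtifactId()))`, makes the helper pick exactly the dependency the caller names; `assertEquals(Optional.of(version), mavenDependency.getVersion());` would likewise report an absent version as an assertion failure rather than a `NoSuchElementException`. The method's closing `assertTrue(found, ...)` lies outside this hunk.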
@@ -62,8 +63,10 @@ private void checkMavenDependency(MavenPomModel pomModel, String artifactId, Str assertTrue(found, "We haven't found dependency " + artifactId); } - private void checkMavenParent(MavenPomModel pomModel, String groupId, int startLineNr, int endLineNr) { + private void checkMavenParent(MavenPomModel pomModel, String groupId, String artifactId, String version, int startLineNr, int endLineNr) { assertEquals(groupId, pomModel.getParent().get().getGroupId()); + assertEquals(artifactId, pomModel.getParent().get().getArtifactId()); + assertEquals(version, pomModel.getParent().get().getVersion().get()); assertEquals(startLineNr, pomModel.getParent().get().getStartLineNr()); assertEquals(endLineNr, pomModel.getParent().get().getEndLineNr()); } diff --git a/sonar-dependency-check-plugin/src/test/java/org/sonar/dependencycheck/parser/ReportParserTest.java b/sonar-dependency-check-plugin/src/test/java/org/sonar/dependencycheck/parser/ReportParserTest.java index 33254009..c0befcb7 100644 --- a/sonar-dependency-check-plugin/src/test/java/org/sonar/dependencycheck/parser/ReportParserTest.java +++ b/sonar-dependency-check-plugin/src/test/java/org/sonar/dependencycheck/parser/ReportParserTest.java @@ -47,9 +47,9 @@ abstract class ReportParserTest { void parseReportMultiModuleMavenExample() throws Exception { Analysis analysis = parseReport("reportMultiModuleMavenExample"); - assertEquals("6.0.0", analysis.getScanInfo().getEngineVersion()); + assertEquals("8.0.2", analysis.getScanInfo().getEngineVersion()); assertEquals("Multi-Module Maven Example", analysis.getProjectInfo().get().getName()); - assertEquals("2020-09-10T07:54:20.103848Z", analysis.getProjectInfo().get().getReportDate()); + assertEquals("2023-02-02T15:59:49.067Z", analysis.getProjectInfo().get().getReportDate()); Collection dependencies = analysis.getDependencies(); assertEquals(34, dependencies.size()); 
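Review bot: `checkMavenParent` calls `pomModel.getParent().get()` five times without first asserting that a parent is present, so a pom without a `<parent>` element fails with a `NoSuchElementException` on the first line rather than a readable assertion. Open the helper with `assertTrue(pomModel.getParent().isPresent(), "pom has no parent");`, bind the result to a local once, and compare the version as `assertEquals(Optional.of(version), parent.getVersion());` so a missing version is reported the same way.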
@@ -61,51 +61,51 @@ void parseReportMultiModuleMavenExample() throws Exception { assertEquals("8af31c3a406cfbfd991a6946102d583a", dependency.getMd5Hash().get()); assertEquals("5919caff42c3f42fb251fd82a58af4a7880826dd", dependency.getSha1Hash().get()); - checkEvidence(dependency.getEvidenceCollected(), 14, 13, 3); + checkEvidence(dependency.getEvidenceCollected(), 63, 61, 3); Collection vulnerabilities = dependency.getVulnerabilities(); - assertEquals(24, vulnerabilities.size()); + assertEquals(8, vulnerabilities.size()); Iterator vulnIterator = vulnerabilities.iterator(); Vulnerability vulnerability = vulnIterator.next(); - assertEquals("CVE-2006-1546", vulnerability.getName()); + assertEquals("CVE-2016-1182", vulnerability.getName()); assertEquals("NVD", vulnerability.getSource()); - assertEquals(7.5f, vulnerability.getCvssScore(null), 0.0f); + assertEquals(8.2f, vulnerability.getCvssScore(null), 0.0f); assertEquals("HIGH", vulnerability.getSeverity()); assertTrue(vulnerability.getCwes().isPresent()); - assertEquals("NVD-CWE-Other", vulnerability.getCwes().get()[0]); + assertEquals("CWE-20", vulnerability.getCwes().get()[0]); assertEquals(1, vulnerability.getCwes().get().length); assertEquals( - "Apache Software Foundation (ASF) Struts before 1.2.9 allows remote attackers to bypass validation via a request with a 'org.apache.struts.taglib.html.Constants.CANCEL' parameter, which causes the action to be canceled but would not be detected from applications that do not use the isCancelled check.", + "ActionServlet.java in Apache Struts 1 1.x through 1.3.10 does not properly restrict the Validator configuration, which allows remote attackers to conduct cross-site scripting (XSS) attacks or cause a denial of service via crafted input, a related issue to CVE-2015-0899.", vulnerability.getDescription()); vulnerability = vulnIterator.next(); - assertEquals("CVE-2006-1547", vulnerability.getName()); + assertEquals("CVE-2016-1181", vulnerability.getName()); 
assertEquals("NVD", vulnerability.getSource()); - assertEquals(7.8f, vulnerability.getCvssScore(null), 0.0f); + assertEquals(8.1f, vulnerability.getCvssScore(null), 0.0f); assertEquals("HIGH", vulnerability.getSeverity()); assertTrue(vulnerability.getCwes().isPresent()); - assertEquals("NVD-CWE-Other", vulnerability.getCwes().get()[0]); + assertEquals("NVD-CWE-noinfo", vulnerability.getCwes().get()[0]); assertEquals(1, vulnerability.getCwes().get().length); assertEquals( - "ActionForm in Apache Software Foundation (ASF) Struts before 1.2.9 with BeanUtils 1.7 allows remote attackers to cause a denial of service via a multipart/form-data encoded form with a parameter name that references the public getMultipartRequestHandler method, which provides further access to elements in the CommonsMultipartRequestHandler implementation and BeanUtils.", + "ActionServlet.java in Apache Struts 1 1.x through 1.3.10 mishandles multithreaded access to an ActionForm instance, which allows remote attackers to execute arbitrary code or cause a denial of service (unexpected memory access) via a multipart request, a related issue to CVE-2015-0899.", vulnerability.getDescription()); // commons-beanutils-1.7.0.jar dependency = findDependency(dependencies, "commons-beanutils-1.7.0.jar"); assertNotNull(dependency); - checkEvidence(dependency.getEvidenceCollected(), 9, 9, 2); + checkEvidence(dependency.getEvidenceCollected(), 10, 9, 2); assertEquals(2, dependency.getVulnerabilities().size()); // commons-digester-1.6.jar dependency = findDependency(dependencies, "commons-digester-1.6.jar"); assertNotNull(dependency); - checkEvidence(dependency.getEvidenceCollected(), 9, 9, 2); + checkEvidence(dependency.getEvidenceCollected(), 10, 9, 2); assertTrue(dependency.getVulnerabilities().isEmpty()); // commons-collections-2.1.jar dependency = findDependency(dependencies, "commons-collections-2.1.jar"); assertNotNull(dependency); - checkEvidence(dependency.getEvidenceCollected(), 10, 8, 3); - 
assertEquals(3, dependency.getVulnerabilities().size()); + checkEvidence(dependency.getEvidenceCollected(), 17, 14, 3); + assertEquals(1, dependency.getVulnerabilities().size()); assertEquals(1, dependency.getPackages().get().size()); assertEquals(1, dependency.getVulnerabilityIds().get().size()); assertEquals(1, dependency.getVulnerabilityIds().get().size()); @@ -114,7 +114,7 @@ void parseReportMultiModuleMavenExample() throws Exception { assertEquals(Confidence.HIGH, identifier.getConfidence().get()); assertEquals("pkg:maven/commons-collections/commons-collections@2.1", identifier.getId()); vulnerabilities = dependency.getVulnerabilities(); - assertEquals(3, vulnerabilities.size()); + assertEquals(1, vulnerabilities.size()); vulnIterator = vulnerabilities.iterator(); vulnerability = vulnIterator.next(); assertEquals("CVE-2015-6420", vulnerability.getName()); @@ -124,7 +124,7 @@ void parseReportMultiModuleMavenExample() throws Exception { // xml-apis-1.0.b2.jar dependency = findDependency(dependencies, "xml-apis-1.0.b2.jar"); assertNotNull(dependency); - checkEvidence(dependency.getEvidenceCollected(), 18, 26, 3); + checkEvidence(dependency.getEvidenceCollected(), 19, 26, 3); assertTrue(dependency.getVulnerabilities().isEmpty()); } diff --git a/sonar-dependency-check-plugin/src/test/java/org/sonar/dependencycheck/parser/element/IdentifierTest.java b/sonar-dependency-check-plugin/src/test/java/org/sonar/dependencycheck/parser/element/IdentifierTest.java deleted file mode 100644 index c91f0dee..00000000 --- a/sonar-dependency-check-plugin/src/test/java/org/sonar/dependencycheck/parser/element/IdentifierTest.java +++ /dev/null 
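Review bot: The expected figures for the regenerated fixture change materially — struts-1.2.8.jar drops from 24 to 8 vulnerabilities and its first CVE moves from CVE-2006-1546 to CVE-2016-1182, commons-collections-2.1.jar from 3 to 1 — and nothing in the test says where the new numbers come from, so a future fixture refresh that silently loses findings would be accepted the same way. A comment above the first `checkEvidence` call, `// expected counts/order are taken from the dependency-check 8.0.2 report in src/test/resources; re-derive them whenever the fixture is regenerated`, records that. The test also relies on `getVulnerabilities()` preserving the report's order for the `vulnIterator.next()` assertions; if that collection is not order-preserving, look the CVEs up by name instead.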
@@ -1,69 +0,0 @@ -/* - * Dependency-Check Plugin for SonarQube - * Copyright (C) 2015-2021 dependency-check - * philipp.dallig@gmail.com - * - * This program is free software; you can redistribute it and/or - * modify it under the terms of the GNU Lesser General Public - * License as published by the Free Software Foundation; either - * version 3 of the License, or (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - * Lesser General Public License for more details. - * - * You should have received a copy of the GNU Lesser General Public License - * along with this program; if not, write to the Free Software Foundation, - * Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. - */ -package org.sonar.dependencycheck.parser.element; - -import static org.junit.jupiter.api.Assertions.assertEquals; -import static org.junit.jupiter.api.Assertions.assertFalse; -import static org.junit.jupiter.api.Assertions.assertTrue; - -import org.junit.jupiter.api.Test; - -class IdentifierTest { - - @Test - void testMaven() { - Identifier a = new Identifier("pkg:maven/struts/struts@1.2.8", Confidence.HIGH); - assertTrue(Identifier.isMavenPackage(a)); - assertFalse(Identifier.isNPMPackage(a)); - assertFalse(Identifier.isJavaScriptPackage(a)); - assertEquals("struts/struts@1.2.8", Identifier.getPackageArtifact(a).get()); - assertEquals("maven", Identifier.getPackageType(a).get()); - } - - @Test - void testNode() { - Identifier a = new Identifier("pkg:npm/braces@1.8.5", Confidence.HIGHEST); - assertFalse(Identifier.isMavenPackage(a)); - assertTrue(Identifier.isNPMPackage(a)); - assertFalse(Identifier.isJavaScriptPackage(a)); - assertEquals("braces@1.8.5", Identifier.getPackageArtifact(a).get()); - assertEquals("npm", Identifier.getPackageType(a).get()); - } - - @Test - void 
testNodeWithOutVersion() { - Identifier a = new Identifier("pkg:npm/mime", Confidence.HIGHEST); - assertFalse(Identifier.isMavenPackage(a)); - assertTrue(Identifier.isNPMPackage(a)); - assertFalse(Identifier.isJavaScriptPackage(a)); - assertEquals("mime", Identifier.getPackageArtifact(a).get()); - assertEquals("npm", Identifier.getPackageType(a).get()); - } - - @Test - void testJavaScript() { - Identifier a = new Identifier("pkg:javascript/jquery@2.2.0", Confidence.HIGHEST); - assertFalse(Identifier.isMavenPackage(a)); - assertFalse(Identifier.isNPMPackage(a)); - assertTrue(Identifier.isJavaScriptPackage(a)); - assertEquals("jquery@2.2.0", Identifier.getPackageArtifact(a).get()); - assertEquals("javascript", Identifier.getPackageType(a).get()); - } -} diff --git a/sonar-dependency-check-plugin/src/test/java/org/sonar/dependencycheck/reason/DependencyReasonSearcherTest.java b/sonar-dependency-check-plugin/src/test/java/org/sonar/dependencycheck/reason/DependencyReasonSearcherTest.java index 4c90d901..e3b1a7f4 100644 --- a/sonar-dependency-check-plugin/src/test/java/org/sonar/dependencycheck/reason/DependencyReasonSearcherTest.java +++ b/sonar-dependency-check-plugin/src/test/java/org/sonar/dependencycheck/reason/DependencyReasonSearcherTest.java 
@@ -100,7 +100,7 @@ void checkForDependencyReasonsMaven() throws IOException {
 Vulnerability vulnerability1 = new Vulnerability("Test name", "NVD", "MyDescription", null, cvssV2, null, null);
 List vulnerabilities1 = new ArrayList<>();
 vulnerabilities1.add(vulnerability1);
- Dependency dependency1 = new Dependency(null, null, null, null, Collections.emptyMap(), vulnerabilities1, packageidentifiers1, Collections.emptyList());
+ Dependency dependency1 = new Dependency(null, null, null, null, Collections.emptyMap(), vulnerabilities1, packageidentifiers1, Collections.emptyList(), null);
 // Second Identifier
 Identifier identifier2 = new Identifier("pkg:maven/org.springframework/spring@2.0.8", Confidence.HIGHEST);
 Collection packageidentifiers2 = new ArrayList<>();
@@ -108,7 +108,7 @@ void checkForDependencyReasonsMaven() throws IOException {
 Vulnerability vulnerability2 = new Vulnerability("Test name", "NVD", "MyDescription", null, cvssV2, null, null);
 List vulnerabilities2 = new ArrayList<>();
 vulnerabilities2.add(vulnerability2);
- Dependency dependency2 = new Dependency(null, null, null, null, Collections.emptyMap(), vulnerabilities1, packageidentifiers2, Collections.emptyList());
+ Dependency dependency2 = new Dependency(null, null, null, null, Collections.emptyMap(), vulnerabilities1, packageidentifiers2, Collections.emptyList(), null);
 // Add dependencies
 dependencies.add(dependency1);
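Review bot: `dependency2` is still constructed with `vulnerabilities1`, while the `vulnerabilities2` list built three lines earlier is never used, so the second dependency carries the first one's vulnerabilities and the test cannot distinguish them. The new line should read `Dependency dependency2 = new Dependency(null, null, null, null, Collections.emptyMap(), vulnerabilities2, packageidentifiers2, Collections.emptyList(), null);`. The mix-up predates this patch, but the constructor call is being rewritten here anyway.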
@@ -156,7 +156,7 @@ public SensorContextTester checkForDependencyReasonsGradleAbstract(InputFile inp Vulnerability vulnerability = new Vulnerability("Test name", "NVD", "MyDescription", null, cvssV2, null, null); List vulnerabilities = new ArrayList<>(); vulnerabilities.add(vulnerability); - Dependency dependency = new Dependency(null, null, null, null, Collections.emptyMap(),vulnerabilities, packageidentifiers, Collections.emptyList()); + Dependency dependency = new Dependency(null, null, null, null, Collections.emptyMap(),vulnerabilities, packageidentifiers, Collections.emptyList(), null); // Add dependencies dependencies.add(dependency); diff --git a/sonar-dependency-check-plugin/src/test/java/org/sonar/dependencycheck/reason/GradleDependencyReasonTest.java b/sonar-dependency-check-plugin/src/test/java/org/sonar/dependencycheck/reason/GradleDependencyReasonTest.java index 210b509b..23cf8088 100644 --- a/sonar-dependency-check-plugin/src/test/java/org/sonar/dependencycheck/reason/GradleDependencyReasonTest.java +++ b/sonar-dependency-check-plugin/src/test/java/org/sonar/dependencycheck/reason/GradleDependencyReasonTest.java @@ -30,6 +30,7 @@ import java.io.IOException; import java.util.ArrayList; +import java.util.Arrays; import java.util.Collection; import java.util.Collections; @@ -38,6 +39,7 @@ import org.sonar.dependencycheck.parser.element.Confidence; import org.sonar.dependencycheck.parser.element.Dependency; import org.sonar.dependencycheck.parser.element.Identifier; +import org.sonar.dependencycheck.parser.element.IncludedBy; class GradleDependencyReasonTest extends DependencyReasonTestHelper { 
@@ -73,10 +75,10 @@ void foundDependency() throws IOException {
 Identifier identifier = new Identifier("pkg:maven/org.springframework/spring@2.0", Confidence.HIGHEST);
 Collection identifiersCollected = new ArrayList<>();
 identifiersCollected.add(identifier);
- Dependency dependency = new Dependency(null, null, null, null, Collections.emptyMap(),Collections.emptyList(), identifiersCollected, Collections.emptyList());
+ Dependency dependency = new Dependency(null, null, null, null, Collections.emptyMap(),Collections.emptyList(), identifiersCollected, Collections.emptyList(), null);
 TextRangeConfidence textRangeConfidence = gradle.getBestTextRange(dependency);
 assertNotNull(textRangeConfidence);
- assertEquals(Confidence.MEDIUM, textRangeConfidence.getConfidence());
+ assertEquals(Confidence.HIGHEST, textRangeConfidence.getConfidence());
 assertEquals(24, textRangeConfidence.getTextRange().start().line());
 assertEquals(0, textRangeConfidence.getTextRange().start().lineOffset());
 assertEquals(24, textRangeConfidence.getTextRange().end().line());
@@ -85,6 +87,27 @@ void foundDependency() throws IOException {
 assertEquals(gradle.getBestTextRange(dependency), gradle.getBestTextRange(dependency));
 }
+ @Test
+ void foundDependencyWithIncludedBy() throws IOException {
+ GradleDependencyReason gradle = new GradleDependencyReason(inputFile("build.gradle"));
+ // Create Dependency
+ Identifier identifier = new Identifier("pkg:maven/custom.groupId/exampleArtifact@2.3", Confidence.HIGH);
+ Collection identifiersCollected = new ArrayList<>();
+ identifiersCollected.add(identifier);
+ IncludedBy includedBy = new IncludedBy();
+ includedBy.put(IncludedBy.REFERENCE_KEYWORD, "pkg:maven/org.owasp/dependency-check-gradle@3.3.4");
+ Dependency dependency = new Dependency(null, null, null, null, Collections.emptyMap(), Collections.emptyList(), identifiersCollected, Collections.emptyList(), Arrays.asList(includedBy));
+ TextRangeConfidence textRangeConfidence = gradle.getBestTextRange(dependency);
+ assertNotNull(textRangeConfidence);
+ assertEquals(Confidence.HIGHEST, textRangeConfidence.getConfidence());
+ assertEquals(23, textRangeConfidence.getTextRange().start().line());
+ assertEquals(0, textRangeConfidence.getTextRange().start().lineOffset());
+ assertEquals(23, textRangeConfidence.getTextRange().end().line());
+ assertEquals(53, textRangeConfidence.getTextRange().end().lineOffset());
+ // verify that same dependency points to the same TextRange, use of HashMap
+ assertEquals(gradle.getBestTextRange(dependency), gradle.getBestTextRange(dependency));
+ }
+
 @Test
 void foundNoDependency() throws IOException {
 GradleDependencyReason gradle = new GradleDependencyReason(inputFile("build.gradle"));
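Review bot: The `includedBy` reference is `pkg:maven/org.owasp/dependency-check-gradle@3.3.4`, yet the `build.gradle` fixture in this same patch is bumped to `3.3.5`, and the test still expects `Confidence.HIGHEST` for line 23. Either the version is ignored when resolving an `includedBy` reference — then a comment on the `put` line, `// version is not compared for includedBy lookups; 3.3.4 deliberately differs from the fixture`, should say so and a second case should pin what a version mismatch yields — or the reference should read `@3.3.5` and a separate mismatch case should assert a lower confidence. As written the test does not show which behaviour is intended.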
@@ -92,7 +115,7 @@ void foundNoDependency() throws IOException { Identifier identifier = new Identifier("pkg:maven/myvendor/myartifact@2.0", Confidence.HIGHEST); Collection identifiersCollected = new ArrayList<>(); identifiersCollected.add(identifier); - Dependency dependency = new Dependency(null, null, null, null, Collections.emptyMap(),Collections.emptyList(), identifiersCollected, Collections.emptyList()); + Dependency dependency = new Dependency(null, null, null, null, Collections.emptyMap(),Collections.emptyList(), identifiersCollected, Collections.emptyList(), null); TextRangeConfidence textRangeConfidence = gradle.getBestTextRange(dependency); assertNotNull(textRangeConfidence); assertEquals(LINE_NOT_FOUND, textRangeConfidence.getTextRange().start().line()); diff --git a/sonar-dependency-check-plugin/src/test/java/org/sonar/dependencycheck/reason/MavenDependencyReasonTest.java b/sonar-dependency-check-plugin/src/test/java/org/sonar/dependencycheck/reason/MavenDependencyReasonTest.java index 91d19171..f2d6ab0d 100644 --- a/sonar-dependency-check-plugin/src/test/java/org/sonar/dependencycheck/reason/MavenDependencyReasonTest.java +++ b/sonar-dependency-check-plugin/src/test/java/org/sonar/dependencycheck/reason/MavenDependencyReasonTest.java @@ -30,6 +30,7 @@ import java.io.IOException; import java.util.ArrayList; +import java.util.Arrays; import java.util.Collection; import java.util.Collections; @@ -38,6 +39,7 @@ import org.sonar.dependencycheck.parser.element.Confidence; import org.sonar.dependencycheck.parser.element.Dependency; import org.sonar.dependencycheck.parser.element.Identifier; +import org.sonar.dependencycheck.parser.element.IncludedBy; class MavenDependencyReasonTest extends DependencyReasonTestHelper { 
@@ -73,7 +75,7 @@ void foundDependency() throws IOException { Identifier identifier1 = new Identifier("pkg:maven/struts/struts@1.2.8", Confidence.HIGHEST); Collection packageidentifiers1 = new ArrayList<>(); packageidentifiers1.add(identifier1); - Dependency dependency = new Dependency(null, null, null, null, Collections.emptyMap(),Collections.emptyList(), packageidentifiers1, Collections.emptyList()); + Dependency dependency = new Dependency(null, null, null, null, Collections.emptyMap(),Collections.emptyList(), packageidentifiers1, Collections.emptyList(), null); TextRangeConfidence textRangeConfidence = maven.getBestTextRange(dependency); assertTrue(maven.isReasonable()); assertNotNull(textRangeConfidence); 
@@ -86,6 +88,28 @@ void foundDependency() throws IOException {
 assertEquals(maven.getBestTextRange(dependency), maven.getBestTextRange(dependency));
 }
+ @Test
+ void foundDependencyWithIncludedBy() throws IOException {
+ MavenDependencyReason maven = new MavenDependencyReason(inputFile("pom.xml"));
+ // Create Dependency
+ Identifier identifier1 = new Identifier("pkg:maven/custom.groupId/exampleArtifact@2.3", Confidence.HIGH);
+ Collection packageidentifiers1 = new ArrayList<>();
+ packageidentifiers1.add(identifier1);
+ IncludedBy includedBy = new IncludedBy();
+ includedBy.put(IncludedBy.REFERENCE_KEYWORD, "pkg:maven/com.sun.mail/javax.mail@1.4.4");
+ Dependency dependency = new Dependency(null, null, null, null, Collections.emptyMap(), Collections.emptyList(), packageidentifiers1, Collections.emptyList(), Arrays.asList(includedBy));
+ TextRangeConfidence textRangeConfidence = maven.getBestTextRange(dependency);
+ assertTrue(maven.isReasonable());
+ assertNotNull(textRangeConfidence);
+ assertEquals(51, textRangeConfidence.getTextRange().start().line());
+ assertEquals(0, textRangeConfidence.getTextRange().start().lineOffset());
+ assertEquals(55, textRangeConfidence.getTextRange().end().line());
+ assertEquals(21, textRangeConfidence.getTextRange().end().lineOffset());
+ assertEquals(Confidence.HIGHEST, textRangeConfidence.getConfidence());
+ // verify that same dependency points to the same TextRange, use of HashMap
+ assertEquals(maven.getBestTextRange(dependency), maven.getBestTextRange(dependency));
+ }
+
 @Test
 void foundDependencyOnlyWithArtifactID() throws IOException {
 MavenDependencyReason maven = new MavenDependencyReason(inputFile("pom.xml"));
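Review bot: The new test only covers an `includedBy` reference that exists in `pom.xml`; there is no case for a reference absent from the pom, nor for a dependency whose own identifier and whose `includedBy` both match, so which location wins and what the fallback is remain unpinned. Add a `foundNoDependencyWithUnknownIncludedBy` case built like this one but with `includedBy.put(IncludedBy.REFERENCE_KEYWORD, "pkg:maven/myvendor/myartifact@1.0");` and assert the `LINE_NOT_FOUND` default that `foundNoDependency` already checks, plus a case combining a matching identifier such as `pkg:maven/struts/struts@1.2.8` with this `includedBy` that asserts which range is returned. `Arrays.asList(includedBy)` for a single element could also be `Collections.singletonList(includedBy)`, since `Collections` is already imported here.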
@@ -93,7 +117,7 @@ void foundDependencyOnlyWithArtifactID() throws IOException { Identifier identifier1 = new Identifier("pkg:maven/dummy/struts@1.2.8", Confidence.HIGHEST); Collection packageidentifiers1 = new ArrayList<>(); packageidentifiers1.add(identifier1); - Dependency dependency = new Dependency(null, null, null, null, Collections.emptyMap(),Collections.emptyList(), packageidentifiers1, Collections.emptyList()); + Dependency dependency = new Dependency(null, null, null, null, Collections.emptyMap(),Collections.emptyList(), packageidentifiers1, Collections.emptyList(), null); TextRangeConfidence textRangeConfidence = maven.getBestTextRange(dependency); assertTrue(maven.isReasonable()); assertNotNull(textRangeConfidence); @@ -101,7 +125,7 @@ void foundDependencyOnlyWithArtifactID() throws IOException { assertEquals(0, textRangeConfidence.getTextRange().start().lineOffset()); assertEquals(50, textRangeConfidence.getTextRange().end().line()); assertEquals(21, textRangeConfidence.getTextRange().end().lineOffset()); - assertEquals(Confidence.HIGH, textRangeConfidence.getConfidence()); + assertEquals(Confidence.MEDIUM, textRangeConfidence.getConfidence()); // verify that same dependency points to the same TextRange, use of HashMap assertEquals(maven.getBestTextRange(dependency), maven.getBestTextRange(dependency)); } 
@@ -113,7 +137,7 @@ void foundDependencyOnlyWithGroupID() throws IOException { Identifier identifier1 = new Identifier("pkg:maven/struts/dummy@1.2.8", Confidence.HIGHEST); Collection packageidentifiers1 = new ArrayList<>(); packageidentifiers1.add(identifier1); - Dependency dependency = new Dependency(null, null, null, null, Collections.emptyMap(),Collections.emptyList(), packageidentifiers1, Collections.emptyList()); + Dependency dependency = new Dependency(null, null, null, null, Collections.emptyMap(),Collections.emptyList(), packageidentifiers1, Collections.emptyList(), null); TextRangeConfidence textRangeConfidence = maven.getBestTextRange(dependency); assertTrue(maven.isReasonable()); assertNotNull(textRangeConfidence); @@ -133,7 +157,7 @@ void foundParent() throws IOException { Identifier identifier1 = new Identifier("pkg:maven/dummy-parent/fake-artifact@1.0.0", Confidence.HIGHEST); Collection packageidentifiers1 = new ArrayList<>(); packageidentifiers1.add(identifier1); - Dependency dependency = new Dependency(null, null, null, null, Collections.emptyMap(),Collections.emptyList(), packageidentifiers1, Collections.emptyList()); + Dependency dependency = new Dependency(null, null, null, null, Collections.emptyMap(),Collections.emptyList(), packageidentifiers1, Collections.emptyList(), null); TextRangeConfidence textRangeConfidence = maven.getBestTextRange(dependency); assertTrue(maven.isReasonable()); assertNotNull(textRangeConfidence); 
@@ -154,7 +178,7 @@ void foundNoDependency() throws IOException { Identifier identifier1 = new Identifier("pkg:maven/myvendor/myartifact@1.2.8", Confidence.HIGHEST); Collection packageidentifiers1 = new ArrayList<>(); packageidentifiers1.add(identifier1); - Dependency dependency = new Dependency(null, null, null, null, Collections.emptyMap(),Collections.emptyList(), packageidentifiers1, Collections.emptyList()); + Dependency dependency = new Dependency(null, null, null, null, Collections.emptyMap(),Collections.emptyList(), packageidentifiers1, Collections.emptyList(), null); TextRangeConfidence textRangeConfidence = maven.getBestTextRange(dependency); // Check for default location, first line in file with low confidence assertNotNull(textRangeConfidence); diff --git a/sonar-dependency-check-plugin/src/test/java/org/sonar/dependencycheck/reason/NPMDependencyReasonTest.java b/sonar-dependency-check-plugin/src/test/java/org/sonar/dependencycheck/reason/NPMDependencyReasonTest.java index 61be7bd0..eb7958a4 100644 --- a/sonar-dependency-check-plugin/src/test/java/org/sonar/dependencycheck/reason/NPMDependencyReasonTest.java +++ b/sonar-dependency-check-plugin/src/test/java/org/sonar/dependencycheck/reason/NPMDependencyReasonTest.java @@ -73,7 +73,7 @@ void foundDependencyJavascript() throws IOException { Identifier identifier = new Identifier("pkg:javascript/jquery@2.2.0", Confidence.HIGHEST); Collection identifiersCollected = new ArrayList<>(); identifiersCollected.add(identifier); - Dependency dependency = new Dependency(null, null, null, null, Collections.emptyMap(),Collections.emptyList(), identifiersCollected, Collections.emptyList()); + Dependency dependency = new Dependency(null, null, null, null, Collections.emptyMap(),Collections.emptyList(), identifiersCollected, Collections.emptyList(), null); TextRangeConfidence textRangeConfidence = npm.getBestTextRange(dependency); assertTrue(npm.isReasonable()); assertNotNull(textRangeConfidence); 
@@ -93,7 +93,7 @@ void foundDependencyNPM() throws IOException { Identifier identifier = new Identifier("pkg:npm/arr-flatten@1.1.0", Confidence.HIGHEST); Collection identifiersCollected = new ArrayList<>(); identifiersCollected.add(identifier); - Dependency dependency = new Dependency(null, null, null, null, Collections.emptyMap(),Collections.emptyList(), identifiersCollected, Collections.emptyList()); + Dependency dependency = new Dependency(null, null, null, null, Collections.emptyMap(),Collections.emptyList(), identifiersCollected, Collections.emptyList(), null); TextRangeConfidence textRangeConfidence = npm.getBestTextRange(dependency); assertTrue(npm.isReasonable()); assertNotNull(textRangeConfidence); @@ -113,7 +113,7 @@ void foundDependencyNPMOnlyWithName() throws IOException { Identifier identifier = new Identifier("pkg:npm/arr-flatten@9.9.9", Confidence.HIGHEST); Collection identifiersCollected = new ArrayList<>(); identifiersCollected.add(identifier); - Dependency dependency = new Dependency(null, null, null, null, Collections.emptyMap(),Collections.emptyList(), identifiersCollected, Collections.emptyList()); + Dependency dependency = new Dependency(null, null, null, null, Collections.emptyMap(),Collections.emptyList(), identifiersCollected, Collections.emptyList(), null); TextRangeConfidence textRangeConfidence = npm.getBestTextRange(dependency); assertTrue(npm.isReasonable()); assertNotNull(textRangeConfidence); 
@@ -133,7 +133,7 @@ void foundDependencyNPMWithoutVersion() throws IOException {
 Identifier identifier = new Identifier("pkg:npm/arr-flatten", Confidence.HIGHEST);
 Collection identifiersCollected = new ArrayList<>();
 identifiersCollected.add(identifier); 
- Dependency dependency = new Dependency(null, null, null, null, Collections.emptyMap(),Collections.emptyList(), identifiersCollected, Collections.emptyList()); 
+ Dependency dependency = new Dependency(null, null, null, null, Collections.emptyMap(),Collections.emptyList(), identifiersCollected, Collections.emptyList(), null);
 TextRangeConfidence textRangeConfidence = npm.getBestTextRange(dependency);
 assertTrue(npm.isReasonable());
 assertNotNull(textRangeConfidence); 
@@ -153,7 +153,7 @@ void foundNoDependency() throws IOException {
 Identifier identifier = new Identifier("pkg:javascript/dummyname@2.2.0", Confidence.HIGHEST);
 Collection identifiersCollected = new ArrayList<>();
 identifiersCollected.add(identifier); 
- Dependency dependency = new Dependency(null, null, null, null, Collections.emptyMap(),Collections.emptyList(), identifiersCollected, Collections.emptyList()); 
+ Dependency dependency = new Dependency(null, null, null, null, Collections.emptyMap(),Collections.emptyList(), identifiersCollected, Collections.emptyList(), null);
 TextRangeConfidence textRangeConfidence = npm.getBestTextRange(dependency);
 assertTrue(npm.isReasonable());
 assertNotNull(textRangeConfidence); 
diff --git a/sonar-dependency-check-plugin/src/test/resources/reason/build.gradle b/sonar-dependency-check-plugin/src/test/resources/reason/build.gradle 
index b2f1daa5..c5562d3e 100644 
--- a/sonar-dependency-check-plugin/src/test/resources/reason/build.gradle 
+++ b/sonar-dependency-check-plugin/src/test/resources/reason/build.gradle 
@@ -3,7 +3,7 @@ buildscript {
 mavenCentral()
 }
 dependencies { 
- classpath 'org.owasp:dependency-check-gradle:3.3.4' 
+ classpath 'org.owasp:dependency-check-gradle:3.3.5'
 }
 } 
diff --git a/sonar-dependency-check-plugin/src/test/resources/reportMultiModuleMavenExample/dependency-check-report.json b/sonar-dependency-check-plugin/src/test/resources/reportMultiModuleMavenExample/dependency-check-report.json index ed0fbd3f..d8566679 100644 --- a/sonar-dependency-check-plugin/src/test/resources/reportMultiModuleMavenExample/dependency-check-report.json +++ b/sonar-dependency-check-plugin/src/test/resources/reportMultiModuleMavenExample/dependency-check-report.json @@ -1,19 +1,23 @@ { "reportSchema": "1.1", "scanInfo": { - "engineVersion": "6.0.0", + "engineVersion": "8.0.2", "dataSource": [ { "name": "NVD CVE Checked", - "timestamp": "2020-09-10T09:54:10" + "timestamp": "2023-02-02T16:59:31" }, { "name": "NVD CVE Modified", - "timestamp": "2020-09-10T07:01:12" + "timestamp": "2023-02-02T16:00:02" }, { "name": "VersionCheckOn", - "timestamp": "2020-09-10T09:54:10" + "timestamp": "2023-02-02T11:52:54" + }, + { + "name": "kev.checked", + "timestamp": "1675335175" } ] }, @@ -22,9 +26,10 @@ "groupID": "com.example", "artifactID": "maven-multi-module-parent", "version": "1.0.0", - "reportDate": "2020-09-10T07:54:20.103848Z", + "reportDate": "2023-02-02T15:59:49.067Z", "credits": { "NVD": "This report contains data retrieved from the National Vulnerability Database: http://nvd.nist.gov", + "CISA": "This report may contain data retrieved from the CISA Known Exploited Vulnerability Catalog: https://www.cisa.gov/known-exploited-vulnerabilities-catalog", "NPM": "This report may contain data retrieved from the NPM Public Advisories: https://www.npmjs.com/advisories", "RETIREJS": "This report may contain data retrieved from the RetireJS community: https://retirejs.github.io/retire.js/", "OSSINDEX": "This report may contain data retrieved from the Sonatype OSS Index: https://ossindex.sonatype.org" 
@@ -43,14 +48,19 @@ "projectReferences": [ "module1:compile" ], + "includedBy": [ + { + "reference": "pkg:maven/com.sun.mail/javax.mail@1.4.4" + } + ], "evidenceCollected": { "vendorEvidence": [ { "type": "vendor", "confidence": "HIGH", - "source": "pom", + "source": "file", "name": "name", - "value": "JavaBeans Activation Framework (JAF)" + "value": "activation" }, { "type": "vendor", @@ -61,10 +71,24 @@ }, { "type": "vendor", - "confidence": "LOW", - "source": "pom", - "name": "artifactid", - "value": "activation" + "confidence": "HIGHEST", + "source": "jar", + "name": "package name", + "value": "javax" + }, + { + "type": "vendor", + "confidence": "HIGHEST", + "source": "jar", + "name": "package name", + "value": "sun" + }, + { + "type": "vendor", + "confidence": "HIGHEST", + "source": "jar (hint)", + "name": "package name", + "value": "oracle" }, { "type": "vendor", @@ -76,16 +100,9 @@ { "type": "vendor", "confidence": "HIGH", - "source": "file", - "name": "name", - "value": "activation" - }, - { - "type": "vendor", - "confidence": "HIGHEST", - "source": "jar (hint)", - "name": "package name", - "value": "oracle" + "source": "Manifest", + "name": "Implementation-Vendor", + "value": "Sun Microsystems, Inc." }, { "type": "vendor", @@ -94,19 +111,26 @@ "name": "Implementation-Vendor-Id", "value": "com.sun" }, + { + "type": "vendor", + "confidence": "LOW", + "source": "Manifest", + "name": "specification-vendor", + "value": "Sun Microsystems, Inc." + }, { "type": "vendor", "confidence": "HIGHEST", "source": "pom", - "name": "url", - "value": "http://java.sun.com/products/javabeans/jaf/index.jsp" + "name": "artifactid", + "value": "activation" }, { "type": "vendor", - "confidence": "HIGH", - "source": "Manifest", - "name": "Implementation-Vendor", - "value": "Sun Microsystems, Inc." + "confidence": "LOW", + "source": "pom", + "name": "artifactid", + "value": "activation" }, { "type": "vendor", 
@@ -117,33 +141,47 @@ }, { "type": "vendor", - "confidence": "LOW", - "source": "Manifest", - "name": "specification-vendor", - "value": "Sun Microsystems, Inc." + "confidence": "HIGH", + "source": "pom", + "name": "name", + "value": "JavaBeans Activation Framework (JAF)" }, { "type": "vendor", "confidence": "HIGHEST", + "source": "pom", + "name": "url", + "value": "http://java.sun.com/products/javabeans/jaf/index.jsp" + } + ], + "productEvidence": [ + { + "type": "product", + "confidence": "HIGH", + "source": "file", + "name": "name", + "value": "activation" + }, + { + "type": "product", + "confidence": "HIGHEST", "source": "jar", "name": "package name", - "value": "sun" + "value": "activation" }, { - "type": "vendor", + "type": "product", "confidence": "HIGHEST", "source": "jar", "name": "package name", "value": "javax" - } - ], - "productEvidence": [ + }, { "type": "product", - "confidence": "HIGH", - "source": "pom", - "name": "name", - "value": "JavaBeans Activation Framework (JAF)" + "confidence": "MEDIUM", + "source": "Manifest", + "name": "extension-name", + "value": "javax.activation" }, { "type": "product", @@ -152,13 +190,6 @@ "name": "specification-title", "value": "JavaBeans(TM) Activation Framework Specification" }, - { - "type": "product", - "confidence": "HIGHEST", - "source": "jar", - "name": "package name", - "value": "activation" - }, { "type": "product", "confidence": "HIGHEST", @@ -173,19 +204,12 @@ "name": "groupid", "value": "javax.activation" }, - { - "type": "product", - "confidence": "MEDIUM", - "source": "Manifest", - "name": "extension-name", - "value": "javax.activation" - }, { "type": "product", "confidence": "HIGH", - "source": "file", + "source": "pom", "name": "name", - "value": "activation" + "value": "JavaBeans Activation Framework (JAF)" }, { "type": "product", 
@@ -193,13 +217,6 @@ "source": "pom", "name": "url", "value": "http://java.sun.com/products/javabeans/jaf/index.jsp" - }, - { - "type": "product", - "confidence": "HIGHEST", - "source": "jar", - "name": "package name", - "value": "javax" } ], "versionEvidence": [ @@ -212,16 +229,16 @@ }, { "type": "version", - "confidence": "HIGHEST", - "source": "pom", - "name": "version", + "confidence": "HIGH", + "source": "Manifest", + "name": "Implementation-Version", "value": "1.1" }, { "type": "version", - "confidence": "HIGH", - "source": "Manifest", - "name": "Implementation-Version", + "confidence": "HIGHEST", + "source": "pom", + "name": "version", "value": "1.1" } ] @@ -230,7 +247,7 @@ { "id": "pkg:maven/javax.activation/activation@1.1", "confidence": "HIGH", - "url": "https://ossindex.sonatype.org/component/pkg:maven/javax.activation/activation@1.1" + "url": "https://ossindex.sonatype.org/component/pkg:maven/javax.activation/activation@1.1?utm_source=dependency-check&utm_medium=integration&utm_content=8.0.2" } ] }, @@ -244,13 +261,18 @@ "projectReferences": [ "module1:compile" ], + "includedBy": [ + { + "reference": "pkg:maven/struts/struts@1.2.8" + } + ], "evidenceCollected": { "vendorEvidence": [ { "type": "vendor", - "confidence": "HIGHEST", - "source": "pom", - "name": "groupid", + "confidence": "HIGH", + "source": "file", + "name": "name", "value": "antlr" }, { @@ -267,6 +289,13 @@ "name": "package name", "value": "antlr" }, + { + "type": "vendor", + "confidence": "HIGHEST", + "source": "pom", + "name": "artifactid", + "value": "antlr" + }, { "type": "vendor", "confidence": "LOW", @@ -276,18 +305,18 @@ }, { "type": "vendor", - "confidence": "HIGH", - "source": "file", - "name": "name", + "confidence": "HIGHEST", + "source": "pom", + "name": "groupid", "value": "antlr" } ], "productEvidence": [ { "type": "product", - "confidence": "HIGHEST", - "source": "pom", - "name": "groupid", + "confidence": "HIGH", + "source": "file", + "name": "name", "value": "antlr" }, { 
@@ -306,9 +335,9 @@ }, { "type": "product", - "confidence": "HIGH", - "source": "file", - "name": "name", + "confidence": "HIGHEST", + "source": "pom", + "name": "groupid", "value": "antlr" } ], @@ -333,7 +362,7 @@ { "id": "pkg:maven/antlr/antlr@2.7.2", "confidence": "HIGH", - "url": "https://ossindex.sonatype.org/component/pkg:maven/antlr/antlr@2.7.2" + "url": "https://ossindex.sonatype.org/component/pkg:maven/antlr/antlr@2.7.2?utm_source=dependency-check&utm_medium=integration&utm_content=8.0.2" } ] }, @@ -347,21 +376,26 @@ "projectReferences": [ "module2:compile" ], + "includedBy": [ + { + "reference": "pkg:maven/org.springframework/spring@2.0.8" + } + ], "evidenceCollected": { "vendorEvidence": [ { "type": "vendor", - "confidence": "HIGHEST", - "source": "pom", - "name": "groupid", + "confidence": "HIGH", + "source": "file", + "name": "name", "value": "avalon-framework" }, { "type": "vendor", - "confidence": "MEDIUM", - "source": "Manifest", - "name": "extension-name", - "value": "avalon-framework" + "confidence": "HIGHEST", + "source": "jar", + "name": "package name", + "value": "apache" }, { "type": "vendor", @@ -377,6 +411,13 @@ "name": "package name", "value": "framework" }, + { + "type": "vendor", + "confidence": "MEDIUM", + "source": "Manifest", + "name": "extension-name", + "value": "avalon-framework" + }, { "type": "vendor", "confidence": "HIGH", @@ -386,14 +427,14 @@ }, { "type": "vendor", - "confidence": "HIGH", - "source": "file", - "name": "name", - "value": "avalon-framework" + "confidence": "LOW", + "source": "Manifest", + "name": "specification-vendor", + "value": "Apache Software Foundation" }, { "type": "vendor", - "confidence": "LOW", + "confidence": "HIGHEST", "source": "pom", "name": "artifactid", "value": "avalon-framework" 
@@ -401,38 +442,24 @@ { "type": "vendor", "confidence": "LOW", - "source": "Manifest", - "name": "specification-vendor", - "value": "Apache Software Foundation" + "source": "pom", + "name": "artifactid", + "value": "avalon-framework" }, { "type": "vendor", "confidence": "HIGHEST", - "source": "jar", - "name": "package name", - "value": "apache" - } - ], - "productEvidence": [ - { - "type": "product", - "confidence": "HIGHEST", "source": "pom", "name": "groupid", "value": "avalon-framework" - }, - { - "type": "product", - "confidence": "MEDIUM", - "source": "Manifest", - "name": "extension-name", - "value": "avalon-framework" - }, + } + ], + "productEvidence": [ { "type": "product", - "confidence": "HIGHEST", - "source": "pom", - "name": "artifactid", + "confidence": "HIGH", + "source": "file", + "name": "name", "value": "avalon-framework" }, { @@ -451,22 +478,36 @@ }, { "type": "product", - "confidence": "HIGH", - "source": "file", - "name": "name", + "confidence": "MEDIUM", + "source": "Manifest", + "name": "extension-name", "value": "avalon-framework" - } - ], - "versionEvidence": [ - { - "type": "version", - "confidence": "HIGH", - "source": "file", - "name": "version", - "value": "4.1.3" }, { - "type": "version", + "type": "product", + "confidence": "HIGHEST", + "source": "pom", + "name": "artifactid", + "value": "avalon-framework" + }, + { + "type": "product", + "confidence": "HIGHEST", + "source": "pom", + "name": "groupid", + "value": "avalon-framework" + } + ], + "versionEvidence": [ + { + "type": "version", + "confidence": "HIGH", + "source": "file", + "name": "version", + "value": "4.1.3" + }, + { + "type": "version", "confidence": "HIGH", "source": "Manifest", "name": "Implementation-Version", 
@@ -485,7 +526,7 @@ { "id": "pkg:maven/avalon-framework/avalon-framework@4.1.3", "confidence": "HIGH", - "url": "https://ossindex.sonatype.org/component/pkg:maven/avalon-framework/avalon-framework@4.1.3" + "url": "https://ossindex.sonatype.org/component/pkg:maven/avalon-framework/avalon-framework@4.1.3?utm_source=dependency-check&utm_medium=integration&utm_content=8.0.2" } ] }, @@ -499,42 +540,54 @@ "projectReferences": [ "module1:compile" ], + "includedBy": [ + { + "reference": "pkg:maven/struts/struts@1.2.8" + } + ], "evidenceCollected": { "vendorEvidence": [ + { + "type": "vendor", + "confidence": "HIGH", + "source": "file", + "name": "name", + "value": "commons-beanutils" + }, { "type": "vendor", "confidence": "HIGHEST", "source": "jar", "name": "package name", - "value": "beanutils" + "value": "apache" }, { "type": "vendor", "confidence": "HIGHEST", "source": "jar", "name": "package name", - "value": "commons" + "value": "beanutils" }, { "type": "vendor", - "confidence": "HIGH", - "source": "Manifest", - "name": "Implementation-Vendor", - "value": "Apache Software Foundation" + "confidence": "HIGHEST", + "source": "jar", + "name": "package name", + "value": "commons" }, { "type": "vendor", - "confidence": "LOW", - "source": "pom", - "name": "artifactid", - "value": "commons-beanutils" + "confidence": "MEDIUM", + "source": "Manifest", + "name": "extension-name", + "value": "org.apache.commons.beanutils" }, { "type": "vendor", "confidence": "HIGH", - "source": "file", - "name": "name", - "value": "commons-beanutils" + "source": "Manifest", + "name": "Implementation-Vendor", + "value": "Apache Software Foundation" }, { "type": "vendor", 
@@ -547,45 +600,45 @@ "type": "vendor", "confidence": "HIGHEST", "source": "pom", - "name": "groupid", + "name": "artifactid", "value": "commons-beanutils" }, { "type": "vendor", - "confidence": "MEDIUM", - "source": "Manifest", - "name": "extension-name", - "value": "org.apache.commons.beanutils" + "confidence": "LOW", + "source": "pom", + "name": "artifactid", + "value": "commons-beanutils" }, { "type": "vendor", "confidence": "HIGHEST", - "source": "jar", - "name": "package name", - "value": "apache" + "source": "pom", + "name": "groupid", + "value": "commons-beanutils" } ], "productEvidence": [ { "type": "product", - "confidence": "HIGHEST", - "source": "jar", - "name": "package name", - "value": "beanutils" + "confidence": "HIGH", + "source": "file", + "name": "name", + "value": "commons-beanutils" }, { "type": "product", "confidence": "HIGHEST", - "source": "pom", - "name": "artifactid", - "value": "commons-beanutils" + "source": "jar", + "name": "package name", + "value": "apache" }, { "type": "product", - "confidence": "MEDIUM", - "source": "Manifest", - "name": "specification-title", - "value": "Jakarta Commons Beanutils" + "confidence": "HIGHEST", + "source": "jar", + "name": "package name", + "value": "beanutils" }, { "type": "product", @@ -594,13 +647,6 @@ "name": "package name", "value": "commons" }, - { - "type": "product", - "confidence": "HIGH", - "source": "file", - "name": "name", - "value": "commons-beanutils" - }, { "type": "product", "confidence": "MEDIUM", @@ -608,13 +654,6 @@ "name": "extension-name", "value": "org.apache.commons.beanutils" }, - { - "type": "product", - "confidence": "HIGHEST", - "source": "jar", - "name": "package name", - "value": "apache" - }, { "type": "product", "confidence": "HIGH", 
@@ -622,6 +661,20 @@ "name": "Implementation-Title", "value": "org.apache.commons.beanutils" }, + { + "type": "product", + "confidence": "MEDIUM", + "source": "Manifest", + "name": "specification-title", + "value": "Jakarta Commons Beanutils" + }, + { + "type": "product", + "confidence": "HIGHEST", + "source": "pom", + "name": "artifactid", + "value": "commons-beanutils" + }, { "type": "product", "confidence": "HIGHEST", @@ -633,15 +686,15 @@ "versionEvidence": [ { "type": "version", - "confidence": "HIGHEST", - "source": "pom", + "confidence": "HIGH", + "source": "file", "name": "version", "value": "1.7.0" }, { "type": "version", - "confidence": "HIGH", - "source": "file", + "confidence": "HIGHEST", + "source": "pom", "name": "version", "value": "1.7.0" } @@ -651,7 +704,7 @@ { "id": "pkg:maven/commons-beanutils/commons-beanutils@1.7.0", "confidence": "HIGH", - "url": "https://ossindex.sonatype.org/component/pkg:maven/commons-beanutils/commons-beanutils@1.7.0" + "url": "https://ossindex.sonatype.org/component/pkg:maven/commons-beanutils/commons-beanutils@1.7.0?utm_source=dependency-check&utm_medium=integration&utm_content=8.0.2" } ], "vulnerabilityIds": [ 
@@ -685,6 +738,11 @@ "description": "Apache Commons BeanUtils, as distributed in lib/commons-beanutils-1.8.0.jar in Apache Struts 1.x through 1.3.10 and in other products requiring commons-beanutils through 1.9.2, does not suppress the class property, which allows remote attackers to \"manipulate\" the ClassLoader and execute arbitrary code via the class parameter, as demonstrated by the passing of this parameter to the getClass method of the ActionForm object in Struts 1.", "notes": "", "references": [ + { + "source": "MLIST", + "url": "https://lists.apache.org/thread.html/r458d61eaeadecaad04382ebe583230bc027f48d9e85e4731bc573477@%3Ccommits.dolphinscheduler.apache.org%3E", + "name": "[dolphinscheduler-commits] 20210121 [GitHub] [incubator-dolphinscheduler] c-f-cooper commented on issue #4506: There is a vulnerability in beanutils 1.7.0,upgrade recommended" + }, { "source": "MISC", "url": "https://lists.apache.org/thread.html/65b39fa6d700e511927e5668a4038127432178a210aff81500eb36e5@%3Cissues.commons.apache.org%3E", 
@@ -745,31 +803,31 @@ "url": "http://lists.fedoraproject.org/pipermail/package-announce/2014-August/136958.html", "name": "FEDORA-2014-9380" }, - { - "source": "SECUNIA", - "url": "http://secunia.com/advisories/59245", - "name": "59245" - }, { "source": "CONFIRM", "url": "http://www-01.ibm.com/support/docview.wss?uid=swg21676110", "name": "http://www-01.ibm.com/support/docview.wss?uid=swg21676110" }, + { + "source": "SECUNIA", + "url": "http://secunia.com/advisories/59245", + "name": "59245" + }, { "source": "MLIST", "url": "https://lists.apache.org/thread.html/d27c51b3c933f885460aa6d3004eb228916615caaaddbb8e8bfeeb40@%3Cgitbox.activemq.apache.org%3E", "name": "[activemq-gitbox] 20190903 [GitHub] [activemq-artemis] jeloba opened a new pull request #2820: Updated Apache BeanUtils to address CVE" }, - { - "source": "DEBIAN", - "url": "http://www.debian.org/security/2014/dsa-2940", - "name": "DSA-2940" - }, { "source": "CONFIRM", "url": "https://access.redhat.com/solutions/869353", "name": "https://access.redhat.com/solutions/869353" }, + { + "source": "DEBIAN", + "url": "http://www.debian.org/security/2014/dsa-2940", + "name": "DSA-2940" + }, { "source": "CONFIRM", "url": "http://www-01.ibm.com/support/docview.wss?uid=swg21674812", @@ -947,13 +1005,13 @@ }, { "source": "CONFIRM", - "url": "http://www.oracle.com/technetwork/topics/security/cpuoct2014-1972960.html", - "name": "http://www.oracle.com/technetwork/topics/security/cpuoct2014-1972960.html" + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1116665", + "name": "https://bugzilla.redhat.com/show_bug.cgi?id=1116665" }, { "source": "CONFIRM", - "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1116665", - "name": "https://bugzilla.redhat.com/show_bug.cgi?id=1116665" + "url": "http://www.oracle.com/technetwork/topics/security/cpuoct2014-1972960.html", + "name": "http://www.oracle.com/technetwork/topics/security/cpuoct2014-1972960.html" }, { "source": "MLIST", 
@@ -1031,9 +1089,9 @@ "name": "[announce] 20190814 [SECURITY] CVE-2019-10086. Apache Commons Beanutils does not suppresses the class property in PropertyUtilsBean by default." }, { - "source": "OSSINDEX", - "url": "https://ossindex.sonatype.org/vuln/cc1835c0-63c3-4b0a-baa5-a3891271bf60?component-type=maven&component-name=commons-beanutils.commons-beanutils", - "name": "[CVE-2014-0114] Improper Input Validation" + "source": "OSSIndex", + "url": "http://www.rapid7.com/db/modules/exploit/multi/http/struts_code_exec_classloader", + "name": "http://www.rapid7.com/db/modules/exploit/multi/http/struts_code_exec_classloader" }, { "source": "SECUNIA", @@ -1060,6 +1118,11 @@ "url": "http://secunia.com/advisories/59014", "name": "59014" }, + { + "source": "OSSINDEX", + "url": "https://ossindex.sonatype.org/vulnerability/CVE-2014-0114?component-type=maven&component-name=commons-beanutils%2Fcommons-beanutils&utm_source=dependency-check&utm_medium=integration&utm_content=8.0.2", + "name": "[CVE-2014-0114] CWE-20: Improper Input Validation" + }, { "source": "MISC", "url": "https://lists.apache.org/thread.html/869c08899f34c1a70c9fb42f92ac0d043c98781317e0c19d7ba3f5e3@%3Cissues.commons.apache.org%3E", @@ -1110,16 +1173,16 @@ "url": "http://secunia.com/advisories/60703", "name": "60703" }, - { - "source": "SECUNIA", - "url": "http://secunia.com/advisories/58947", - "name": "58947" - }, { "source": "CONFIRM", "url": "http://www.vmware.com/security/advisories/VMSA-2014-0012.html", "name": "http://www.vmware.com/security/advisories/VMSA-2014-0012.html" }, + { + "source": "SECUNIA", + "url": "http://secunia.com/advisories/58947", + "name": "58947" + }, { "source": "SECUNIA", "url": "http://secunia.com/advisories/59118", 
@@ -1135,6 +1198,11 @@ "url": "https://security.netapp.com/advisory/ntap-20180629-0006/", "name": "https://security.netapp.com/advisory/ntap-20180629-0006/" }, + { + "source": "MLIST", + "url": "https://lists.apache.org/thread.html/rf5230a049d989dbfdd404b4320a265dceeeba459a4d04ec21873bd55@%3Csolr-user.lucene.apache.org%3E", + "name": "[lucene-solr-user] 20200320 Re: CVEs (vulnerabilities) that apply to Solr 8.4.1" + }, { "source": "SECUNIA", "url": "http://secunia.com/advisories/59464", @@ -1150,11 +1218,6 @@ "url": "https://lists.apache.org/thread.html/1f78f1e32cc5614ec0c5b822ba4bd7fc8e8b5c46c8e038b6bd609cb5@%3Cissues.commons.apache.org%3E", "name": "[commons-issues] 20190906 [jira] [Closed] (CONFIGURATION-755) [CVE-2014-0114] Update Apache Commons BeanUtils from 1.9.3 to 1.9.4." }, - { - "source": "CONFIRM", - "url": "http://www.ibm.com/support/docview.wss?uid=swg21675496", - "name": "http://www.ibm.com/support/docview.wss?uid=swg21675496" - }, { "source": "CONFIRM", "url": "http://www.oracle.com/technetwork/topics/security/cpujul2014-1972956.html", @@ -1162,14 +1225,19 @@ }, { "source": "CONFIRM", - "url": "http://www.vmware.com/security/advisories/VMSA-2014-0008.html", - "name": "http://www.vmware.com/security/advisories/VMSA-2014-0008.html" + "url": "http://www.ibm.com/support/docview.wss?uid=swg21675496", + "name": "http://www.ibm.com/support/docview.wss?uid=swg21675496" }, { "source": "CONFIRM", "url": "http://www-01.ibm.com/support/docview.wss?uid=swg21675689", "name": "http://www-01.ibm.com/support/docview.wss?uid=swg21675689" }, + { + "source": "CONFIRM", + "url": "http://www.vmware.com/security/advisories/VMSA-2014-0008.html", + "name": "http://www.vmware.com/security/advisories/VMSA-2014-0008.html" + }, { "source": "MISC", "url": "https://lists.apache.org/thread.html/4c3fd707a049bfe0577dba8fc9c4868ffcdabe68ad86586a0a49242e@%3Cissues.commons.apache.org%3E", 
@@ -1195,6 +1263,11 @@ "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2014:095", "name": "MDVSA-2014:095" }, + { + "source": "OSSIndex", + "url": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0114", + "name": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0114" + }, { "source": "SECUNIA", "url": "http://secunia.com/advisories/58710", @@ -1255,16 +1328,16 @@ "url": "http://openwall.com/lists/oss-security/2014/06/15/10", "name": "[oss-security] 20140616 CVE request for commons-beanutils: 'class' property is exposed, potentially leading to RCE" }, - { - "source": "CONFIRM", - "url": "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html", - "name": "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html" - }, { "source": "REDHAT", "url": "https://access.redhat.com/errata/RHSA-2018:2669", "name": "RHSA-2018:2669" }, + { + "source": "CONFIRM", + "url": "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html", + "name": "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html" + }, { "source": "MLIST", "url": "https://lists.apache.org/thread.html/fda473f46e51019a78ab217a7a3a3d48dafd90846e75bd5536ef72f3@%3Cnotifications.commons.apache.org%3E", 
@@ -1274,99 +1347,104 @@ "source": "CONFIRM", "url": "http://www-01.ibm.com/support/docview.wss?uid=swg21676091", "name": "http://www-01.ibm.com/support/docview.wss?uid=swg21676091" + }, + { + "source": "OSSIndex", + "url": "https://issues.apache.org/jira/browse/BEANUTILS-463", + "name": "https://issues.apache.org/jira/browse/BEANUTILS-463" } ], "vulnerableSoftware": [ { "software": { - "id": "cpe:2.3:a:apache:struts:1.3.5:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:apache:commons_beanutils:*:*:*:*:*:*:*:*", + "vulnerabilityIdMatched": "true", + "versionEndIncluding": "1.9.1" } }, { "software": { - "id": "cpe:2.3:a:apache:struts:1.2.2:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:apache:struts:1.0:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:apache:commons_beanutils:*:*:*:*:*:*:*:*", - "vulnerabilityIdMatched": "true", - "versionEndIncluding": "1.9.1" + "id": "cpe:2.3:a:apache:struts:1.0.2:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:apache:struts:1.2.7:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:apache:struts:1.1:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:apache:struts:1.1:b2:*:*:*:*:*:*" + "id": "cpe:2.3:a:apache:struts:1.1:b1:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:apache:struts:1.2.9:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:apache:struts:1.1:b2:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:apache:struts:1.1:rc1:*:*:*:*:*:*" + "id": "cpe:2.3:a:apache:struts:1.1:b3:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:apache:struts:1.1:b3:*:*:*:*:*:*" + "id": "cpe:2.3:a:apache:struts:1.1:rc1:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:apache:struts:1.0:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:apache:struts:1.1:rc2:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:apache:struts:1.2.6:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:apache:struts:1.2.2:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:apache:struts:1.1:rc2:*:*:*:*:*:*" + "id": "cpe:2.3:a:apache:struts:1.2.4:*:*:*:*:*:*:*" } }, { "software": { - "id": 
"cpe:2.3:a:apache:struts:1.2.4:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:apache:struts:1.2.6:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:apache:struts:1.1:b1:*:*:*:*:*:*" + "id": "cpe:2.3:a:apache:struts:1.2.7:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:apache:struts:1.1:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:apache:struts:1.2.8:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:apache:struts:1.3.10:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:apache:struts:1.2.9:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:apache:struts:1.2.8:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:apache:struts:1.3.5:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:apache:struts:1.0.2:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:apache:struts:1.3.8:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:apache:struts:1.3.8:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:apache:struts:1.3.10:*:*:*:*:*:*:*" } } ] @@ -1401,7 +1479,7 @@ "baseSeverity": "HIGH", "exploitabilityScore": "3.9", "impactScore": "3.4", - "version": "3.0" + "version": "3.1" }, "cwes": [ "CWE-502" 
@@ -1410,8 +1488,113 @@ "notes": "", "references": [ { - "source": "REDHAT", - "url": "https://access.redhat.com/errata/RHSA-2020:0811", + "source": "MISC", + "url": "https://www.oracle.com/security-alerts/cpuapr2022.html", + "name": "https://www.oracle.com/security-alerts/cpuapr2022.html" + }, + { + "source": "MLIST", + "url": "https://lists.apache.org/thread.html/re2028d4d76ba1db3e3c3a722d6c6034e801cc3b309f69cc166eaa32b@%3Ccommits.nifi.apache.org%3E", + "name": "[nifi-commits] 20210907 [nifi] branch main updated: NIFI-9170 Upgrade commons-beanutils to 1.9.4 to mitigate CVE-2019-10086 NIFI-9170 Add two more 1.9.4 references to close out the few things identified by the Maven dependency plugin." + }, + { + "source": "MISC", + "url": "https://www.oracle.com/security-alerts/cpujan2021.html", + "name": "https://www.oracle.com/security-alerts/cpujan2021.html" + }, + { + "source": "FEDORA", + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JIUYSL2RSIWZVNSUIXJTIFPIPIF6OAIO/", + "name": "FEDORA-2019-79b5790566" + }, + { + "source": "REDHAT", + "url": "https://access.redhat.com/errata/RHSA-2020:0805", + "name": "RHSA-2020:0805" + }, + { + "source": "MLIST", + "url": "https://lists.apache.org/thread.html/r6194ced4828deb32023cd314e31f41c61d388b58935d102c7de91f58@%3Cdev.atlas.apache.org%3E", + "name": "[atlas-dev] 20201023 [jira] [Commented] (ATLAS-4002) Upgrade commons-beanutils to 1.9.4 due to CVE-2019-10086" + }, + { + "source": "N/A", + "url": "https://www.oracle.com/security-alerts/cpuapr2020.html", + "name": "N/A" + }, + { + "source": "MLIST", + "url": "https://lists.apache.org/thread.html/r2d5f1d88c39bd615271abda63964a0bee9b2b57fef1f84cb4c43032e@%3Cissues.nifi.apache.org%3E", + "name": "[nifi-issues] 20210907 [GitHub] [nifi] MikeThomsen commented on pull request #5351: NIFI-9170 Upgrade commons-beanutils to 1.9.4 to mitigate CVE-2019-10086" + }, + { + "source": "MLIST", + "url": 
"https://lists.apache.org/thread.html/rae81e0c8ebdf47ffaa85a01240836bfece8a990c48f55c7933162b5c@%3Cdev.atlas.apache.org%3E", + "name": "[atlas-dev] 20201022 [jira] [Created] (ATLAS-4002) Upgrade commons-beanutils to 1.9.4 due to CVE-2019-10086" + }, + { + "source": "MLIST", + "url": "https://lists.apache.org/thread.html/ra41fd0ad4b7e1d675c03a5081a16a6603085a4e37d30b866067566fe@%3Cissues.nifi.apache.org%3E", + "name": "[nifi-issues] 20210907 [GitHub] [nifi] asfgit closed pull request #5351: NIFI-9170 Upgrade commons-beanutils to 1.9.4 to mitigate CVE-2019-10086" + }, + { + "source": "N/A", + "url": "https://www.oracle.com/security-alerts/cpujul2022.html", + "name": "N/A" + }, + { + "source": "MLIST", + "url": "https://lists.apache.org/thread.html/a684107d3a78e431cf0fbb90629e8559a36ff8fe94c3a76e620b39fa@%3Cdev.shiro.apache.org%3E", + "name": "[shiro-dev] 20191105 [jira] [Resolved] (SHIRO-723) Provide Minor Shiro Release that includes CVE-2019-10086 Fix" + }, + { + "source": "MLIST", + "url": "https://lists.apache.org/thread.html/956995acee0d8bc046f1df0a55b7fbeb65dd2f82864e5de1078bacb0@%3Cissues.commons.apache.org%3E", + "name": "[commons-issues] 20190906 [jira] [Updated] (CONFIGURATION-755) [CVE-2014-0114] Update Apache Commons BeanUtils from 1.9.3 to 1.9.4." + }, + { + "source": "MLIST", + "url": "http://mail-archives.apache.org/mod_mbox/www-announce/201908.mbox/%3cC628798F-315D-4428-8CB1-4ED1ECC958E4@apache.org%3e", + "name": "[www-announce] 20190815 [SECURITY] CVE-2019-10086. Apache Commons Beanutils does not suppresses the class property in PropertyUtilsBean by default." 
+ }, + { + "source": "MLIST", + "url": "https://lists.apache.org/thread.html/d6ca9439c53374b597f33b7ec180001625597db48ea30356af01145f@%3Cdev.shiro.apache.org%3E", + "name": "[shiro-dev] 20191001 [jira] [Updated] (SHIRO-723) Provide Minor Shiro Release that includes CVE-2019-10086 Fix" + }, + { + "source": "MLIST", + "url": "https://lists.apache.org/thread.html/reee57101464cf7622d640ae013b2162eb864f603ec4093de8240bb8f@%3Cdev.atlas.apache.org%3E", + "name": "[atlas-dev] 20201022 Re: Review Request 72983: ATLAS-4002 : Upgrade commons-beanutils to 1.9.4 due to CVE-2019-10086" + }, + { + "source": "MLIST", + "url": "https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442@%3Cdev.drill.apache.org%3E", + "name": "[drill-dev] 20191017 Dependencies used by Drill contain known vulnerabilities" + }, + { + "source": "MISC", + "url": "https://www.oracle.com/security-alerts/cpuApr2021.html", + "name": "https://www.oracle.com/security-alerts/cpuApr2021.html" + }, + { + "source": "MLIST", + "url": "https://lists.apache.org/thread.html/r306c0322aa5c0da731e03f3ce9f07f4745c052c6b73f4e78faf232ca@%3Cdev.atlas.apache.org%3E", + "name": "[atlas-dev] 20201026 [jira] [Updated] (ATLAS-4002) Upgrade commons-beanutils to 1.9.4 due to CVE-2019-10086" + }, + { + "source": "MLIST", + "url": "https://lists.apache.org/thread.html/r46e536fc98942dce99fadd2e313aeefe90c1a769c5cd85d98df9d098@%3Cissues.nifi.apache.org%3E", + "name": "[nifi-issues] 20210827 [GitHub] [nifi] naddym opened a new pull request #5351: NIFI-9170 Upgrade commons-beanutils to 1.9.4 to mitigate CVE-2019-10086" + }, + { + "source": "MLIST", + "url": "https://lists.apache.org/thread.html/rec74f3a94dd850259c730b4ba6f7b6211222b58900ec088754aa0534@%3Cissues.nifi.apache.org%3E", + "name": "[nifi-issues] 20210827 [jira] [Created] (NIFI-9170) Upgrade commons-beanutils to 1.9.4 to mitigate CVE-2019-10086" + }, + { + "source": "REDHAT", + "url": "https://access.redhat.com/errata/RHSA-2020:0811", "name": 
"RHSA-2020:0811" }, { @@ -1419,15 +1602,20 @@ "url": "https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3Cdev.drill.apache.org%3E", "name": "[drill-dev] 20191021 [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities" }, + { + "source": "MISC", + "url": "https://www.oracle.com/security-alerts/cpujan2022.html", + "name": "https://www.oracle.com/security-alerts/cpujan2022.html" + }, { "source": "MISC", "url": "https://www.oracle.com/security-alerts/cpujul2020.html", "name": "https://www.oracle.com/security-alerts/cpujul2020.html" }, { - "source": "OSSINDEX", - "url": "https://ossindex.sonatype.org/vuln/9dd388b6-e51b-4261-9a0d-76f9aeb4f153?component-type=maven&component-name=commons-beanutils.commons-beanutils", - "name": "[CVE-2019-10086] In Apache Commons Beanutils 1.9.2, a special BeanIntrospector class was added wh..." + "source": "MLIST", + "url": "https://lists.apache.org/thread.html/re3cd7cb641d7fc6684e4fc3c336a8bad4a01434bb5625a06e3600fd1@%3Cissues.nifi.apache.org%3E", + "name": "[nifi-issues] 20210907 [jira] [Commented] (NIFI-9170) Upgrade commons-beanutils to 1.9.4 to mitigate CVE-2019-10086" }, { "source": "SUSE", 
@@ -1444,21 +1632,36 @@ "url": "https://access.redhat.com/errata/RHSA-2020:0804", "name": "RHSA-2020:0804" }, + { + "source": "MLIST", + "url": "https://lists.apache.org/thread.html/r513a7a21c422170318115463b399dd58ab447fe0990b13e5884f0825@%3Ccommits.dolphinscheduler.apache.org%3E", + "name": "[dolphinscheduler-commits] 20210121 [GitHub] [incubator-dolphinscheduler] lgcareer commented on pull request #4525: [Improvement-4506][LICENSE] upgrade the version of the commons-beanutils" + }, { "source": "MLIST", "url": "https://lists.apache.org/thread.html/02094ad226dbc17a2368beaf27e61d8b1432f5baf77d0ca995bb78bc@%3Cissues.commons.apache.org%3E", "name": "[commons-issues] 20190925 [GitHub] [commons-validator] jeff-schram opened a new pull request #18: Update pom.xml" }, { - "source": "FEDORA", - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JIUYSL2RSIWZVNSUIXJTIFPIPIF6OAIO/", - "name": "FEDORA-2019-79b5790566" + "source": "MLIST", + "url": "https://lists.apache.org/thread.html/r43de02fd4a4f52c4bdeff8c02f09625d83cd047498009c1cdab857db@%3Cdev.rocketmq.apache.org%3E", + "name": "[rocketmq-dev] 20201223 [GitHub] [rocketmq] crazywen opened a new pull request #2515: Update pom.xml" }, { "source": "MLIST", "url": "https://lists.apache.org/thread.html/1f78f1e32cc5614ec0c5b822ba4bd7fc8e8b5c46c8e038b6bd609cb5@%3Cissues.commons.apache.org%3E", "name": "[commons-issues] 20190906 [jira] [Closed] (CONFIGURATION-755) [CVE-2014-0114] Update Apache Commons BeanUtils from 1.9.3 to 1.9.4." 
}, + { + "source": "MLIST", + "url": "https://lists.apache.org/thread.html/rb8dac04cb7e9cc5dedee8dabaa1c92614f590642e5ebf02a145915ba@%3Ccommits.atlas.apache.org%3E", + "name": "[atlas-commits] 20201023 [atlas] 01/05: ATLAS-4002 : Upgrade commons-beanutils to 1.9.4 due to CVE-2019-10086" + }, + { + "source": "MLIST", + "url": "https://lists.apache.org/thread.html/ra87ac17410a62e813cba901fdd4e9a674dd53daaf714870f28e905f1@%3Cdev.atlas.apache.org%3E", + "name": "[atlas-dev] 20201023 [jira] [Updated] (ATLAS-4002) Upgrade commons-beanutils to 1.9.4 due to CVE-2019-10086" + }, { "source": "REDHAT", "url": "https://access.redhat.com/errata/RHSA-2020:0806", @@ -1469,14 +1672,9 @@ "url": "https://lists.apache.org/thread.html/c94bc9649d5109a663b2129371dc45753fbdeacd340105548bbe93c3@%3Cdev.shiro.apache.org%3E", "name": "[shiro-dev] 20191001 [jira] [Commented] (SHIRO-723) Provide Minor Shiro Release that includes CVE-2019-10086 Fix" }, - { - "source": "REDHAT", - "url": "https://access.redhat.com/errata/RHSA-2020:0805", - "name": "RHSA-2020:0805" - }, { "source": "N/A", - "url": "https://www.oracle.com/security-alerts/cpuapr2020.html", + "url": "https://www.oracle.com//security-alerts/cpujul2021.html", "name": "N/A" }, { 
@@ -1494,6 +1692,16 @@ "url": "https://lists.apache.org/thread.html/3d1ed1a1596c08c4d5fea97b36c651ce167b773f1afc75251ce7a125@%3Ccommits.tinkerpop.apache.org%3E", "name": "[tinkerpop-commits] 20190829 [tinkerpop] branch master updated: Bump commons-beanutils to 1.9.4 for CVE-2019-10086 - CTR" }, + { + "source": "MLIST", + "url": "https://lists.apache.org/thread.html/racd3e7b2149fa2f255f016bd6bffab0fea77b6fb81c50db9a17f78e6@%3Cdev.atlas.apache.org%3E", + "name": "[atlas-dev] 20201023 [jira] [Commented] (ATLAS-4002) Upgrade commons-beanutils to 1.9.4 due to CVE-2019-10086" + }, + { + "source": "MLIST", + "url": "https://lists.apache.org/thread.html/rb1f76c2c0a4d6efb8a3523974f9d085d5838b73e7bffdf9a8f212997@%3Cissues.nifi.apache.org%3E", + "name": "[nifi-issues] 20210915 [jira] [Updated] (NIFI-9170) Upgrade commons-beanutils to 1.9.4 to mitigate CVE-2019-10086" + }, { "source": "REDHAT", "url": "https://access.redhat.com/errata/RHSA-2020:0194", 
@@ -1501,28 +1709,28 @@ }, { "source": "MLIST", - "url": "https://lists.apache.org/thread.html/a684107d3a78e431cf0fbb90629e8559a36ff8fe94c3a76e620b39fa@%3Cdev.shiro.apache.org%3E", - "name": "[shiro-dev] 20191105 [jira] [Resolved] (SHIRO-723) Provide Minor Shiro Release that includes CVE-2019-10086 Fix" + "url": "https://lists.apache.org/thread.html/5261066cd7adee081ee05c8bf0e96cf0b2eeaced391e19117ae4daa6@%3Cdev.shiro.apache.org%3E", + "name": "[shiro-dev] 20191023 [jira] [Assigned] (SHIRO-723) Provide Minor Shiro Release that includes CVE-2019-10086 Fix" }, { "source": "MLIST", - "url": "https://lists.apache.org/thread.html/5261066cd7adee081ee05c8bf0e96cf0b2eeaced391e19117ae4daa6@%3Cdev.shiro.apache.org%3E", - "name": "[shiro-dev] 20191023 [jira] [Assigned] (SHIRO-723) Provide Minor Shiro Release that includes CVE-2019-10086 Fix" + "url": "https://lists.apache.org/thread.html/r18d8b4f9263e5cad3bbaef0cdba0e2ccdf9201316ac4b85e23eb7ee4@%3Cdev.atlas.apache.org%3E", + "name": "[atlas-dev] 20201023 Re: Review Request 72983: ATLAS-4002 : Upgrade commons-beanutils to 1.9.4 due to CVE-2019-10086" }, { "source": "MLIST", - "url": "https://lists.apache.org/thread.html/956995acee0d8bc046f1df0a55b7fbeb65dd2f82864e5de1078bacb0@%3Cissues.commons.apache.org%3E", - "name": "[commons-issues] 20190906 [jira] [Updated] (CONFIGURATION-755) [CVE-2014-0114] Update Apache Commons BeanUtils from 1.9.3 to 1.9.4." + "url": "https://lists.apache.org/thread.html/rcc029be4edaaf5b8bb85818aab494e16f312fced07a0f4a202771ba2@%3Cissues.nifi.apache.org%3E", + "name": "[nifi-issues] 20210827 [jira] [Updated] (NIFI-9170) Upgrade commons-beanutils to 1.9.4 to mitigate CVE-2019-10086" }, { "source": "MLIST", - "url": "http://mail-archives.apache.org/mod_mbox/www-announce/201908.mbox/%3cC628798F-315D-4428-8CB1-4ED1ECC958E4@apache.org%3e", - "name": "[www-announce] 20190815 [SECURITY] CVE-2019-10086. Apache Commons Beanutils does not suppresses the class property in PropertyUtilsBean by default." 
+ "url": "https://lists.apache.org/thread.html/rd2d2493f4f1af6980d265b8d84c857e2b7ab80a46e1423710c448957@%3Cissues.nifi.apache.org%3E", + "name": "[nifi-issues] 20210908 [GitHub] [nifi] naddym commented on pull request #5351: NIFI-9170 Upgrade commons-beanutils to 1.9.4 to mitigate CVE-2019-10086" }, { "source": "MLIST", - "url": "https://lists.apache.org/thread.html/d6ca9439c53374b597f33b7ec180001625597db48ea30356af01145f@%3Cdev.shiro.apache.org%3E", - "name": "[shiro-dev] 20191001 [jira] [Updated] (SHIRO-723) Provide Minor Shiro Release that includes CVE-2019-10086 Fix" + "url": "https://lists.apache.org/thread.html/ra9a139fdc0999750dcd519e81384bc1fe3946f311b1796221205f51c@%3Ccommits.dolphinscheduler.apache.org%3E", + "name": "[dolphinscheduler-commits] 20210121 [GitHub] [incubator-dolphinscheduler] c-f-cooper commented on pull request #4525: [Improvement-4506][LICENSE] upgrade the version of the commons-beanutils" }, { "source": "MLIST", @@ -1535,9 +1743,9 @@ "name": "[drill-issues] 20191021 [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities" }, { - "source": "MLIST", - "url": "https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442@%3Cdev.drill.apache.org%3E", - "name": "[drill-dev] 20191017 Dependencies used by Drill contain known vulnerabilities" + "source": "MISC", + "url": "https://www.oracle.com/security-alerts/cpuoct2021.html", + "name": "https://www.oracle.com/security-alerts/cpuoct2021.html" }, { "source": "REDHAT", 
@@ -1560,513 +1768,1333 @@ "software": { "id": "cpe:2.3:a:apache:commons_beanutils:*:*:*:*:*:*:*:*", "vulnerabilityIdMatched": "true", + "versionStartIncluding": "1.0", "versionEndIncluding": "1.9.3" } - } - ] - } - ] - }, - { - "isVirtual": false, - "fileName": "commons-collections-2.1.jar", - "filePath": "/to/path/commons-collections/commons-collections/2.1/commons-collections-2.1.jar", - "md5": "fffa9d12511eb1bf3aa8dd8393b51845", - "sha1": "8e10f94f30ea064eee3cb94f864dc9c31e30e8af", - "sha256": "443c2f6379ea2d9300af4733a3ad561032139c5a7890b5876c0b33212dd478f5", - "description": "Commons Collections", - "projectReferences": [ - "module1:compile" - ], - "evidenceCollected": { - "vendorEvidence": [ - { - "type": "vendor", - "confidence": "HIGHEST", - "source": "pom", - "name": "groupid", - "value": "commons-collections" - }, - { - "type": "vendor", - "confidence": "HIGHEST", - "source": "jar", - "name": "package name", - "value": "commons" - }, - { - "type": "vendor", - "confidence": "HIGH", - "source": "file", - "name": "name", - "value": "commons-collections" - }, - { - "type": "vendor", - "confidence": "LOW", - "source": "pom", - "name": "artifactid", - "value": "commons-collections" - }, - { - "type": "vendor", - "confidence": "HIGHEST", - "source": "jar", - "name": "package name", - "value": "collections" - }, - { - "type": "vendor", - "confidence": "HIGH", - "source": "Manifest", - "name": "Implementation-Vendor", - "value": "Apache Software Foundation" - }, - { - "type": "vendor", - "confidence": "HIGH", - "source": "pom", - "name": "name", - "value": "Collections" - }, - { - "type": "vendor", - "confidence": "MEDIUM", - "source": "Manifest", - "name": "extension-name", - "value": "org.apache.commons.collections" - }, - { - "type": "vendor", - "confidence": "LOW", - "source": "Manifest", - "name": "specification-vendor", - "value": "Apache Software Foundation" - }, - { - "type": "vendor", - "confidence": "HIGHEST", - "source": "jar", - "name": "package 
name", - "value": "apache" - } - ], - "productEvidence": [ - { - "type": "product", - "confidence": "HIGHEST", - "source": "pom", - "name": "artifactid", - "value": "commons-collections" - }, - { - "type": "product", - "confidence": "HIGHEST", - "source": "jar", - "name": "package name", - "value": "commons" - }, - { - "type": "product", - "confidence": "HIGHEST", - "source": "pom", - "name": "groupid", - "value": "commons-collections" - }, - { - "type": "product", - "confidence": "HIGH", - "source": "file", - "name": "name", - "value": "commons-collections" - }, - { - "type": "product", - "confidence": "HIGHEST", - "source": "jar", - "name": "package name", - "value": "collections" - }, - { - "type": "product", - "confidence": "HIGH", - "source": "pom", - "name": "name", - "value": "Collections" - }, - { - "type": "product", - "confidence": "MEDIUM", - "source": "Manifest", - "name": "extension-name", - "value": "org.apache.commons.collections" - }, - { - "type": "product", - "confidence": "HIGHEST", - "source": "jar", - "name": "package name", - "value": "apache" - } - ], - "versionEvidence": [ - { - "type": "version", - "confidence": "HIGH", - "source": "Manifest", - "name": "Implementation-Version", - "value": "2.1" - }, - { - "type": "version", - "confidence": "HIGH", - "source": "file", - "name": "version", - "value": "2.1" - }, - { - "type": "version", - "confidence": "HIGHEST", - "source": "pom", - "name": "version", - "value": "2.1" - } - ] - }, - "packages": [ - { - "id": "pkg:maven/commons-collections/commons-collections@2.1", - "confidence": "HIGH", - "url": "https://ossindex.sonatype.org/component/pkg:maven/commons-collections/commons-collections@2.1" - } - ], - "vulnerabilityIds": [ - { - "id": "cpe:2.3:a:apache:commons_collections:2.1:*:*:*:*:*:*:*", - "confidence": "HIGHEST", - "url": 
"https://nvd.nist.gov/vuln/search/results?form_type=Advanced&results_type=overview&search_type=all&cpe_vendor=cpe%3A%2F%3Aapache&cpe_product=cpe%3A%2F%3Aapache%3Acommons_collections&cpe_version=cpe%3A%2F%3Aapache%3Acommons_collections%3A2.1" - } - ], - "vulnerabilities": [ - { - "source": "NVD", - "name": "CVE-2015-6420", - "severity": "HIGH", - "cvssv2": { - "score": 7.5, - "accessVector": "NETWORK", - "accessComplexity": "LOW", - "authenticationr": "NONE", - "confidentialImpact": "PARTIAL", - "integrityImpact": "PARTIAL", - "availabilityImpact": "PARTIAL", - "severity": "HIGH", - "version": "2.0", - "exploitabilityScore": "10.0", - "impactScore": "6.4" - }, - "cwes": [ - "CWE-502" - ], - "description": "Serialized-object interfaces in certain Cisco Collaboration and Social Media; Endpoint Clients and Client Software; Network Application, Service, and Acceleration; Network and Content Security Devices; Network Management and Provisioning; Routing and Switching - Enterprise and Service Provider; Unified Computing; Voice and Unified Communications Devices; Video, Streaming, TelePresence, and Transcoding Devices; Wireless; and Cisco Hosted Services products allow remote attackers to execute arbitrary commands via a crafted serialized Java object, related to the Apache Commons Collections (ACC) library.", - "notes": "", - "references": [ + }, { - "source": "CONFIRM", - "url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05376917", - "name": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05376917" + "software": { + "id": "cpe:2.3:a:apache:nifi:1.14.0:*:*:*:*:*:*:*" + } }, { - "source": "BID", - "url": "http://www.securityfocus.com/bid/78872", - "name": "78872" + "software": { + "id": "cpe:2.3:a:apache:nifi:1.15.0:*:*:*:*:*:*:*" + } }, { - "source": "CISCO", - "url": "http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20151209-java-deserialization", - "name": "20151209 
Vulnerability in Java Deserialization Affecting Cisco Products" + "software": { + "id": "cpe:2.3:a:oracle:agile_plm:9.3.3:*:*:*:*:*:*:*" + } }, { - "source": "CONFIRM", - "url": "http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html", - "name": "http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html" + "software": { + "id": "cpe:2.3:a:oracle:agile_plm:9.3.5:*:*:*:*:*:*:*" + } }, { - "source": "CONFIRM", - "url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05390722", - "name": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05390722" + "software": { + "id": "cpe:2.3:a:oracle:agile_plm:9.3.6:*:*:*:*:*:*:*" + } }, { - "source": "MISC", - "url": "https://www.tenable.com/security/research/tra-2017-14", - "name": "https://www.tenable.com/security/research/tra-2017-14" + "software": { + "id": "cpe:2.3:a:oracle:agile_product_lifecycle_management_integration_pack:3.5:*:*:*:*:e-business_suite:*:*" + } }, { - "source": "CERT-VN", - "url": "https://www.kb.cert.org/vuls/id/581311", - "name": "VU#581311" + "software": { + "id": "cpe:2.3:a:oracle:agile_product_lifecycle_management_integration_pack:3.5:*:*:*:*:sap:*:*" + } }, { - "source": "MISC", - "url": "https://www.kb.cert.org/vuls/id/576313", - "name": "https://www.kb.cert.org/vuls/id/576313" + "software": { + "id": "cpe:2.3:a:oracle:agile_product_lifecycle_management_integration_pack:3.6:*:*:*:*:e-business_suite:*:*" + } }, { - "source": "OSSINDEX", - "url": "https://ossindex.sonatype.org/vuln/ac157388-2d0e-4c78-b3f4-033572d19286?component-type=maven&component-name=commons-collections.commons-collections", - "name": "[CVE-2015-6420] Serialized-object interfaces in certain Cisco Collaboration and Social Media; En..." 
+ "software": { + "id": "cpe:2.3:a:oracle:agile_product_lifecycle_management_integration_pack:3.6:*:*:*:*:sap:*:*" + } }, { - "source": "MISC", - "url": "https://www.tenable.com/security/research/tra-2017-23", - "name": "https://www.tenable.com/security/research/tra-2017-23" - } - ], - "vulnerableSoftware": [ + "software": { + "id": "cpe:2.3:a:oracle:application_testing_suite:13.3.0.1:*:*:*:*:*:*:*" + } + }, { "software": { - "id": "cpe:2.3:a:apache:commons_collections:4.0:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:oracle:banking_platform:2.4.0:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:apache:commons_collections:*:*:*:*:*:*:*:*", - "vulnerabilityIdMatched": "true", - "versionEndIncluding": "3.2.1" + "id": "cpe:2.3:a:oracle:banking_platform:2.7.1:*:*:*:*:*:*:*" } - } - ] - }, - { - "source": "NVD", - "name": "CVE-2017-15708", - "severity": "CRITICAL", - "cvssv2": { - "score": 7.5, - "accessVector": "NETWORK", - "accessComplexity": "LOW", - "authenticationr": "NONE", - "confidentialImpact": "PARTIAL", - "integrityImpact": "PARTIAL", - "availabilityImpact": "PARTIAL", - "severity": "HIGH", - "version": "2.0", - "exploitabilityScore": "10.0", - "impactScore": "6.4" - }, - "cvssv3": { - "baseScore": 9.8, - "attackVector": "NETWORK", - "attackComplexity": "LOW", - "privilegesRequired": "NONE", - "userInteraction": "NONE", - "scope": "UNCHANGED", - "confidentialityImpact": "HIGH", - "integrityImpact": "HIGH", - "availabilityImpact": "HIGH", - "baseSeverity": "CRITICAL", - "exploitabilityScore": "3.9", - "impactScore": "5.9", - "version": "3.0" - }, - "cwes": [ - "CWE-74" - ], - "description": "In Apache Synapse, by default no authentication is required for Java Remote Method Invocation (RMI). So Apache Synapse 3.0.1 or all previous releases (3.0.0, 2.1.0, 2.0.0, 1.2, 1.1.2, 1.1.1) allows remote code execution attacks that can be performed by injecting specially crafted serialized objects. 
And the presence of Apache Commons Collections 3.2.1 (commons-collections-3.2.1.jar) or previous versions in Synapse distribution makes this exploitable. To mitigate the issue, we need to limit RMI access to trusted users only. Further upgrading to 3.0.1 version will eliminate the risk of having said Commons Collection version. In Synapse 3.0.1, Commons Collection has been updated to 3.2.2 version.", - "notes": "", - "references": [ + }, { - "source": "MISC", - "url": "https://www.oracle.com/security-alerts/cpujul2020.html", - "name": "https://www.oracle.com/security-alerts/cpujul2020.html" + "software": { + "id": "cpe:2.3:a:oracle:banking_platform:2.9.0:*:*:*:*:*:*:*" + } }, { - "source": "MLIST", - "url": "https://lists.apache.org/thread.html/77f2accf240d25d91b47033e2f8ebec84ffbc6e6627112b2f98b66c9@%3Cdev.synapse.apache.org%3E", - "name": "[dev] 20171210 [CVE-2017-15708] Apache Synapse Remote Code Execution Vulnerability" + "software": { + "id": "cpe:2.3:a:oracle:blockchain_platform:*:*:*:*:*:*:*:*", + "versionEndExcluding": "21.1.2" + } }, { - "source": "OSSINDEX", - "url": "https://ossindex.sonatype.org/vuln/9b28a5d2-9be7-4414-a59b-98e25e4c608a?component-type=maven&component-name=commons-collections.commons-collections", - "name": "[CVE-2017-15708] In Apache Synapse, by default no authentication is required for Java Remote Meth..." 
+ "software": { + "id": "cpe:2.3:a:oracle:communications_billing_and_revenue_management:7.5:*:*:*:*:*:*:*" + } }, { - "source": "BID", - "url": "http://www.securityfocus.com/bid/102154", - "name": "102154" + "software": { + "id": "cpe:2.3:a:oracle:communications_billing_and_revenue_management:12.0.0.3.0:*:*:*:*:*:*:*" + } }, { - "source": "MISC", - "url": "https://www.oracle.com/security-alerts/cpujan2020.html", - "name": "https://www.oracle.com/security-alerts/cpujan2020.html" - } - ], - "vulnerableSoftware": [ + "software": { + "id": "cpe:2.3:a:oracle:communications_billing_and_revenue_management_elastic_charging_engine:11.3.0.9:*:*:*:*:*:*:*" + } + }, { "software": { - "id": "cpe:2.3:a:apache:synapse:1.1:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:oracle:communications_billing_and_revenue_management_elastic_charging_engine:12.0.0.3:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:apache:synapse:2.0.0:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:oracle:communications_cloud_native_core_console:1.4.0:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:apache:synapse:1.0:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:oracle:communications_cloud_native_core_policy:1.9.0:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:apache:synapse:1.1.2:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:oracle:communications_cloud_native_core_unified_data_repository:1.6.0:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:apache:synapse:1.2:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:oracle:communications_convergence:3.0.2.2.0:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:apache:synapse:2.1.0:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:oracle:communications_design_studio:7.3.4:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:apache:synapse:3.0.0:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:oracle:communications_design_studio:7.3.5:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:apache:synapse:1.1.1:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:oracle:communications_design_studio:7.4.0:*:*:*:*:*:*:*" } }, { "software": { - "id": 
"cpe:2.3:a:apache:commons_collections:*:*:*:*:*:*:*:*", - "vulnerabilityIdMatched": "true", - "versionEndIncluding": "3.2.1" + "id": "cpe:2.3:a:oracle:communications_evolved_communications_application_server:7.1:*:*:*:*:*:*:*" } - } - ] - }, - { - "source": "OSSINDEX", - "name": "Remote code execution", - "unscored": "true", - "severity": "Unknown", - "cwes": [], - "description": "> It was found that a flaw in commons-collection library allowed remote code execution wherever deserialization occurs. While JBoss doesnt expose the JMXInvokerServlet by default, other interfaces where deserialization occur might be vulnerable.\n> \n> -- [redhat.com](https://bugzilla.redhat.com/show_bug.cgi?id=1279330)", - "notes": "", - "references": [ + }, { - "source": "OSSINDEX", - "url": "https://ossindex.sonatype.org/vuln/ed5505cd-2b5b-4ca6-ab51-28ca91263b4e?component-type=maven&component-name=commons-collections.commons-collections", - "name": "Remote code execution" - } - ], - "vulnerableSoftware": [ + "software": { + "id": "cpe:2.3:a:oracle:communications_metasolv_solution:6.3.0:*:*:*:*:*:*:*" + } + }, { "software": { - "id": "cpe:2.3:a:commons-collections:commons-collections:2.1:*:*:*:*:*:*:*", - "vulnerabilityIdMatched": "true" + "id": "cpe:2.3:a:oracle:communications_metasolv_solution:6.3.1:*:*:*:*:*:*:*" } - } - ] - } - ] - }, - { - "isVirtual": false, - "fileName": "commons-digester-1.6.jar", - "filePath": "/to/path/commons-digester/commons-digester/1.6/commons-digester-1.6.jar", - "md5": "67ec4399342d5da2fd3b0288698664ca", - "sha1": "e2822f655f2c182681c2cf27f224a425ccb2983d", - "sha256": "4040c63d0dba10ce048ec02bcaf67092f58ac5662ae1ba7b050f77cf86265249", - "projectReferences": [ - "module1:compile" - ], - "evidenceCollected": { - "vendorEvidence": [ - { - "type": "vendor", - "confidence": "HIGHEST", - "source": "pom", - "name": "groupid", - "value": "commons-digester" - }, - { - "type": "vendor", - "confidence": "HIGHEST", - "source": "jar", - "name": "package name", - 
"value": "commons" - }, - { - "type": "vendor", - "confidence": "HIGHEST", - "source": "jar", - "name": "package name", - "value": "digester" - }, + }, + { + "software": { + "id": "cpe:2.3:a:oracle:communications_network_integrity:7.3.6:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:communications_performance_intelligence_center:10.4.0.3:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:communications_pricing_design_center:12.0.0.3.0:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:communications_unified_inventory_management:7.3.4:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:communications_unified_inventory_management:7.3.5:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:communications_unified_inventory_management:7.4.0:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:communications_unified_inventory_management:7.4.1:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:customer_management_and_segmentation_foundation:18.0:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:enterprise_manager_for_virtualization:13.4.0.0:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:financial_services_revenue_management_and_billing_analytics:2.7:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:financial_services_revenue_management_and_billing_analytics:2.8:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:flexcube_private_banking:12.0.0:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:flexcube_private_banking:12.1.0:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:fusion_middleware:11.1.1.9:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:fusion_middleware:12.2.1.3.0:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:fusion_middleware:12.2.1.4.0:*:*:*:*:*:*:*" + } + }, + { + 
"software": { + "id": "cpe:2.3:a:oracle:healthcare_foundation:7.1.5:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:healthcare_foundation:7.2.2:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:healthcare_foundation:7.3.0:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:healthcare_foundation:7.3.1:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:healthcare_foundation:8.0.1:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:hospitality_opera_5:5.5:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:hospitality_opera_5:5.6:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:hospitality_reporting_and_analytics:9.1.0:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:insurance_data_gateway:1.0.2.3:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:jd_edwards_enterpriseone_orchestrator:*:*:*:*:*:*:*:*", + "versionEndExcluding": "9.2.5.3" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:jd_edwards_enterpriseone_orchestrator:9.2.5.3:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools:*:*:*:*:*:*:*:*", + "versionEndExcluding": "9.2.5.3" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools:9.2.5.3:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.56:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.57:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:peoplesoft_enterprise_pt_peopletools:8.56:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:peoplesoft_enterprise_pt_peopletools:8.57:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:peoplesoft_enterprise_pt_peopletools:8.58:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": 
"cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:*", + "versionStartIncluding": "16.2.0", + "versionEndIncluding": "16.2.11" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:*", + "versionStartIncluding": "17.12.0", + "versionEndIncluding": "17.12.6" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:real-time_decisions_solutions:3.2.0.0:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:retail_advanced_inventory_planning:14.1:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:retail_back_office:14.1:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:retail_central_office:14.1:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:retail_invoice_matching:16.0.3:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:retail_merchandising_system:5.0.3.1:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:retail_point-of-service:14.1:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:retail_predictive_application_server:16.0:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:retail_price_management:14.0:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:retail_price_management:14.0.1:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:retail_price_management:15.0:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:retail_price_management:16.0:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:retail_returns_management:14.1:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:retail_xstore_point_of_service:7.1:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:retail_xstore_point_of_service:15.0:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:retail_xstore_point_of_service:16.0:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": 
"cpe:2.3:a:oracle:retail_xstore_point_of_service:17.0:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:retail_xstore_point_of_service:18.0:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:service_bus:11.1.1.9.0:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:service_bus:12.2.1.3.0:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:service_bus:12.2.1.4.0:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:solaris_cluster:4.4:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:time_and_labor:*:*:*:*:*:*:*:*", + "versionStartIncluding": "12.2.6", + "versionEndIncluding": "12.2.11" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:utilities_framework:*:*:*:*:*:*:*:*", + "versionStartIncluding": "4.3.0.1.0", + "versionEndIncluding": "4.3.0.6.0" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:utilities_framework:4.2.0.2.0:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:utilities_framework:4.2.0.3.0:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:utilities_framework:4.4.0.0.0:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:utilities_framework:4.4.0.2.0:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:utilities_framework:4.4.0.3.0:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:weblogic_server:10.3.6.0.0:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.2.0:*:*:*:*:*:*:*" + } + } + ] + } + ] + }, + { + "isVirtual": false, + "fileName": "commons-collections-2.1.jar", + "filePath": "/to/path/commons-collections/commons-collections/2.1/commons-collections-2.1.jar", + "md5": "fffa9d12511eb1bf3aa8dd8393b51845", + "sha1": "8e10f94f30ea064eee3cb94f864dc9c31e30e8af", + "sha256": "443c2f6379ea2d9300af4733a3ad561032139c5a7890b5876c0b33212dd478f5", + "description": "Commons Collections", + 
"projectReferences": [ + "module1:compile" + ], + "includedBy": [ + { + "reference": "pkg:maven/struts/struts@1.2.8" + } + ], + "evidenceCollected": { + "vendorEvidence": [ + { + "type": "vendor", + "confidence": "HIGH", + "source": "file", + "name": "name", + "value": "commons-collections" + }, + { + "type": "vendor", + "confidence": "HIGHEST", + "source": "jar", + "name": "package name", + "value": "apache" + }, + { + "type": "vendor", + "confidence": "HIGHEST", + "source": "jar", + "name": "package name", + "value": "collections" + }, + { + "type": "vendor", + "confidence": "HIGHEST", + "source": "jar", + "name": "package name", + "value": "commons" + }, + { + "type": "vendor", + "confidence": "MEDIUM", + "source": "Manifest", + "name": "extension-name", + "value": "org.apache.commons.collections" + }, + { + "type": "vendor", + "confidence": "HIGH", + "source": "Manifest", + "name": "Implementation-Vendor", + "value": "Apache Software Foundation" + }, + { + "type": "vendor", + "confidence": "LOW", + "source": "Manifest", + "name": "specification-vendor", + "value": "Apache Software Foundation" + }, + { + "type": "vendor", + "confidence": "HIGHEST", + "source": "pom", + "name": "artifactid", + "value": "commons-collections" + }, + { + "type": "vendor", + "confidence": "LOW", + "source": "pom", + "name": "artifactid", + "value": "commons-collections" + }, + { + "type": "vendor", + "confidence": "MEDIUM", + "source": "pom", + "name": "developer id", + "value": "rwaldof" + }, + { + "type": "vendor", + "confidence": "MEDIUM", + "source": "pom", + "name": "developer name", + "value": "Craig McClanahan" + }, + { + "type": "vendor", + "confidence": "MEDIUM", + "source": "pom", + "name": "developer name", + "value": "David Weinrich" + }, + { + "type": "vendor", + "confidence": "MEDIUM", + "source": "pom", + "name": "developer name", + "value": "Geir Magnusson" + }, + { + "type": "vendor", + "confidence": "MEDIUM", + "source": "pom", + "name": "developer name", + "value": 
"Morgan Delagrange" + }, + { + "type": "vendor", + "confidence": "MEDIUM", + "source": "pom", + "name": "developer name", + "value": "Rodney Waldoff" + }, + { + "type": "vendor", + "confidence": "HIGHEST", + "source": "pom", + "name": "groupid", + "value": "commons-collections" + }, + { + "type": "vendor", + "confidence": "HIGH", + "source": "pom", + "name": "name", + "value": "Collections" + } + ], + "productEvidence": [ + { + "type": "product", + "confidence": "HIGH", + "source": "file", + "name": "name", + "value": "commons-collections" + }, + { + "type": "product", + "confidence": "HIGHEST", + "source": "jar", + "name": "package name", + "value": "apache" + }, + { + "type": "product", + "confidence": "HIGHEST", + "source": "jar", + "name": "package name", + "value": "collections" + }, + { + "type": "product", + "confidence": "HIGHEST", + "source": "jar", + "name": "package name", + "value": "commons" + }, + { + "type": "product", + "confidence": "MEDIUM", + "source": "Manifest", + "name": "extension-name", + "value": "org.apache.commons.collections" + }, + { + "type": "product", + "confidence": "HIGHEST", + "source": "pom", + "name": "artifactid", + "value": "commons-collections" + }, + { + "type": "product", + "confidence": "LOW", + "source": "pom", + "name": "developer id", + "value": "rwaldof" + }, + { + "type": "product", + "confidence": "LOW", + "source": "pom", + "name": "developer name", + "value": "Craig McClanahan" + }, + { + "type": "product", + "confidence": "LOW", + "source": "pom", + "name": "developer name", + "value": "David Weinrich" + }, + { + "type": "product", + "confidence": "LOW", + "source": "pom", + "name": "developer name", + "value": "Geir Magnusson" + }, + { + "type": "product", + "confidence": "LOW", + "source": "pom", + "name": "developer name", + "value": "Morgan Delagrange" + }, + { + "type": "product", + "confidence": "LOW", + "source": "pom", + "name": "developer name", + "value": "Rodney Waldoff" + }, + { + "type": "product", + 
"confidence": "HIGHEST", + "source": "pom", + "name": "groupid", + "value": "commons-collections" + }, + { + "type": "product", + "confidence": "HIGH", + "source": "pom", + "name": "name", + "value": "Collections" + } + ], + "versionEvidence": [ + { + "type": "version", + "confidence": "HIGH", + "source": "file", + "name": "version", + "value": "2.1" + }, + { + "type": "version", + "confidence": "HIGH", + "source": "Manifest", + "name": "Implementation-Version", + "value": "2.1" + }, + { + "type": "version", + "confidence": "HIGHEST", + "source": "pom", + "name": "version", + "value": "2.1" + } + ] + }, + "packages": [ + { + "id": "pkg:maven/commons-collections/commons-collections@2.1", + "confidence": "HIGH", + "url": "https://ossindex.sonatype.org/component/pkg:maven/commons-collections/commons-collections@2.1?utm_source=dependency-check&utm_medium=integration&utm_content=8.0.2" + } + ], + "vulnerabilityIds": [ + { + "id": "cpe:2.3:a:apache:commons_collections:2.1:*:*:*:*:*:*:*", + "confidence": "HIGHEST", + "url": "https://nvd.nist.gov/vuln/search/results?form_type=Advanced&results_type=overview&search_type=all&cpe_vendor=cpe%3A%2F%3Aapache&cpe_product=cpe%3A%2F%3Aapache%3Acommons_collections&cpe_version=cpe%3A%2F%3Aapache%3Acommons_collections%3A2.1" + } + ], + "vulnerabilities": [ + { + "source": "NVD", + "name": "CVE-2015-6420", + "severity": "HIGH", + "cvssv2": { + "score": 7.5, + "accessVector": "NETWORK", + "accessComplexity": "LOW", + "authenticationr": "NONE", + "confidentialImpact": "PARTIAL", + "integrityImpact": "PARTIAL", + "availabilityImpact": "PARTIAL", + "severity": "HIGH", + "version": "2.0", + "exploitabilityScore": "10.0", + "impactScore": "6.4" + }, + "cwes": [ + "CWE-502" + ], + "description": "Serialized-object interfaces in certain Cisco Collaboration and Social Media; Endpoint Clients and Client Software; Network Application, Service, and Acceleration; Network and Content Security Devices; Network Management and Provisioning; Routing and 
Switching - Enterprise and Service Provider; Unified Computing; Voice and Unified Communications Devices; Video, Streaming, TelePresence, and Transcoding Devices; Wireless; and Cisco Hosted Services products allow remote attackers to execute arbitrary commands via a crafted serialized Java object, related to the Apache Commons Collections (ACC) library.", + "notes": "", + "references": [ + { + "source": "CONFIRM", + "url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05376917", + "name": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05376917" + }, + { + "source": "BID", + "url": "http://www.securityfocus.com/bid/78872", + "name": "78872" + }, + { + "source": "CISCO", + "url": "http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20151209-java-deserialization", + "name": "20151209 Vulnerability in Java Deserialization Affecting Cisco Products" + }, + { + "source": "CONFIRM", + "url": "http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html", + "name": "http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html" + }, + { + "source": "CONFIRM", + "url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05390722", + "name": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05390722" + }, + { + "source": "MISC", + "url": "https://www.tenable.com/security/research/tra-2017-14", + "name": "https://www.tenable.com/security/research/tra-2017-14" + }, + { + "source": "CERT-VN", + "url": "https://www.kb.cert.org/vuls/id/581311", + "name": "VU#581311" + }, + { + "source": "MLIST", + "url": "https://lists.apache.org/thread.html/r352e40ca9874d1beb4ad95403792adca7eb295e6bc3bd7b65fabcc21@%3Ccommits.samza.apache.org%3E", + "name": "[samza-commits] 20210310 [GitHub] [samza] Telesia opened a new pull request #1471: SAMZA-2630: Upgrade dependencies for security fixes" + }, + { + "source": 
"MISC", + "url": "https://www.tenable.com/security/research/tra-2017-23", + "name": "https://www.tenable.com/security/research/tra-2017-23" + } + ], + "vulnerableSoftware": [ + { + "software": { + "id": "cpe:2.3:a:apache:commons_collections:*:*:*:*:*:*:*:*", + "vulnerabilityIdMatched": "true", + "versionEndIncluding": "3.2.1" + } + }, + { + "software": { + "id": "cpe:2.3:a:apache:commons_collections:4.0:*:*:*:*:*:*:*" + } + } + ] + } + ] + }, + { + "isVirtual": false, + "fileName": "commons-digester-1.6.jar", + "filePath": "/to/path/commons-digester/commons-digester/1.6/commons-digester-1.6.jar", + "md5": "67ec4399342d5da2fd3b0288698664ca", + "sha1": "e2822f655f2c182681c2cf27f224a425ccb2983d", + "sha256": "4040c63d0dba10ce048ec02bcaf67092f58ac5662ae1ba7b050f77cf86265249", + "projectReferences": [ + "module1:compile" + ], + "includedBy": [ + { + "reference": "pkg:maven/struts/struts@1.2.8" + } + ], + "evidenceCollected": { + "vendorEvidence": [ + { + "type": "vendor", + "confidence": "HIGH", + "source": "file", + "name": "name", + "value": "commons-digester" + }, + { + "type": "vendor", + "confidence": "HIGHEST", + "source": "jar", + "name": "package name", + "value": "apache" + }, + { + "type": "vendor", + "confidence": "HIGHEST", + "source": "jar", + "name": "package name", + "value": "commons" + }, + { + "type": "vendor", + "confidence": "HIGHEST", + "source": "jar", + "name": "package name", + "value": "digester" + }, + { + "type": "vendor", + "confidence": "MEDIUM", + "source": "Manifest", + "name": "extension-name", + "value": "org.apache.commons.digester" + }, + { + "type": "vendor", + "confidence": "HIGH", + "source": "Manifest", + "name": "Implementation-Vendor", + "value": "\"Apache Software Foundation\"" + }, + { + "type": "vendor", + "confidence": "LOW", + "source": "Manifest", + "name": "specification-vendor", + "value": "\"Apache Software Foundation\"" + }, + { + "type": "vendor", + "confidence": "HIGHEST", + "source": "pom", + "name": "artifactid", + 
"value": "commons-digester" + }, + { + "type": "vendor", + "confidence": "LOW", + "source": "pom", + "name": "artifactid", + "value": "commons-digester" + }, + { + "type": "vendor", + "confidence": "HIGHEST", + "source": "pom", + "name": "groupid", + "value": "commons-digester" + } + ], + "productEvidence": [ + { + "type": "product", + "confidence": "HIGH", + "source": "file", + "name": "name", + "value": "commons-digester" + }, + { + "type": "product", + "confidence": "HIGHEST", + "source": "jar", + "name": "package name", + "value": "apache" + }, + { + "type": "product", + "confidence": "HIGHEST", + "source": "jar", + "name": "package name", + "value": "commons" + }, + { + "type": "product", + "confidence": "HIGHEST", + "source": "jar", + "name": "package name", + "value": "digester" + }, + { + "type": "product", + "confidence": "MEDIUM", + "source": "Manifest", + "name": "extension-name", + "value": "org.apache.commons.digester" + }, + { + "type": "product", + "confidence": "HIGH", + "source": "Manifest", + "name": "Implementation-Title", + "value": "\"org.apache.commons.digester\"" + }, + { + "type": "product", + "confidence": "MEDIUM", + "source": "Manifest", + "name": "specification-title", + "value": "\"Jakarta Commons Digester\"" + }, + { + "type": "product", + "confidence": "HIGHEST", + "source": "pom", + "name": "artifactid", + "value": "commons-digester" + }, + { + "type": "product", + "confidence": "HIGHEST", + "source": "pom", + "name": "groupid", + "value": "commons-digester" + } + ], + "versionEvidence": [ + { + "type": "version", + "confidence": "HIGH", + "source": "file", + "name": "version", + "value": "1.6" + }, + { + "type": "version", + "confidence": "HIGHEST", + "source": "pom", + "name": "version", + "value": "1.6" + } + ] + }, + "packages": [ + { + "id": "pkg:maven/commons-digester/commons-digester@1.6", + "confidence": "HIGH", + "url": 
"https://ossindex.sonatype.org/component/pkg:maven/commons-digester/commons-digester@1.6?utm_source=dependency-check&utm_medium=integration&utm_content=8.0.2" + } + ] + }, + { + "isVirtual": false, + "fileName": "commons-fileupload-1.0.jar", + "filePath": "/to/path/commons-fileupload/commons-fileupload/1.0/commons-fileupload-1.0.jar", + "md5": "1112fc5e1e8be8d9c76c2bbe995eacc6", + "sha1": "2366159e25523d99e96d05211a2fa5399c938735", + "sha256": "5263c9d60a380e53d0d4a9598f7109141e5683cb08fe86fa3f48b03493716af6", + "description": "The FileUpload component provides a simple yet flexible means of adding\n support for multipart file upload functionality to servlets and web\n applications.", + "projectReferences": [ + "module1:compile" + ], + "includedBy": [ + { + "reference": "pkg:maven/struts/struts@1.2.8" + } + ], + "evidenceCollected": { + "vendorEvidence": [ + { + "type": "vendor", + "confidence": "HIGH", + "source": "file", + "name": "name", + "value": "commons-fileupload" + }, + { + "type": "vendor", + "confidence": "HIGHEST", + "source": "jar", + "name": "package name", + "value": "apache" + }, + { + "type": "vendor", + "confidence": "HIGHEST", + "source": "jar", + "name": "package name", + "value": "commons" + }, + { + "type": "vendor", + "confidence": "HIGHEST", + "source": "jar", + "name": "package name", + "value": "fileupload" + }, + { + "type": "vendor", + "confidence": "MEDIUM", + "source": "Manifest", + "name": "extension-name", + "value": "commons-fileupload" + }, + { + "type": "vendor", + "confidence": "HIGH", + "source": "Manifest", + "name": "Implementation-Vendor", + "value": "Apache Software Foundation" + }, { "type": "vendor", "confidence": "MEDIUM", "source": "Manifest", - "name": "extension-name", - "value": "org.apache.commons.digester" + "name": "Implementation-Vendor-Id", + "value": "" }, { "type": "vendor", - "confidence": "HIGH", - "source": "file", - "name": "name", - "value": "commons-digester" + "confidence": "LOW", + "source": "Manifest", 
+ "name": "specification-vendor", + "value": "Apache Software Foundation" }, { "type": "vendor", "confidence": "HIGHEST", - "source": "jar", - "name": "package name", - "value": "apache" + "source": "pom", + "name": "artifactid", + "value": "commons-fileupload" }, { "type": "vendor", "confidence": "LOW", "source": "pom", "name": "artifactid", - "value": "commons-digester" + "value": "commons-fileupload" }, { "type": "vendor", "confidence": "LOW", - "source": "Manifest", - "name": "specification-vendor", - "value": "\"Apache Software Foundation\"" + "source": "pom", + "name": "developer email", + "value": "dion@apache.org" }, { "type": "vendor", - "confidence": "HIGH", - "source": "Manifest", - "name": "Implementation-Vendor", - "value": "\"Apache Software Foundation\"" - } - ], - "productEvidence": [ + "confidence": "LOW", + "source": "pom", + "name": "developer email", + "value": "dlr@finemaltcoding.com" + }, { - "type": "product", + "type": "vendor", + "confidence": "LOW", + "source": "pom", + "name": "developer email", + "value": "jason@zenplex.com" + }, + { + "type": "vendor", + "confidence": "LOW", + "source": "pom", + "name": "developer email", + "value": "jmcnally@collab.net" + }, + { + "type": "vendor", + "confidence": "LOW", + "source": "pom", + "name": "developer email", + "value": "martinc@apache.org" + }, + { + "type": "vendor", + "confidence": "LOW", + "source": "pom", + "name": "developer email", + "value": "rdonkin@apache.org" + }, + { + "type": "vendor", + "confidence": "LOW", + "source": "pom", + "name": "developer email", + "value": "sean |at| seansullivan |dot| com" + }, + { + "type": "vendor", + "confidence": "MEDIUM", + "source": "pom", + "name": "developer id", + "value": "dion" + }, + { + "type": "vendor", + "confidence": "MEDIUM", + "source": "pom", + "name": "developer id", + "value": "dlr" + }, + { + "type": "vendor", + "confidence": "MEDIUM", + "source": "pom", + "name": "developer id", + "value": "jmcnally" + }, + { + "type": "vendor", + 
"confidence": "MEDIUM", + "source": "pom", + "name": "developer id", + "value": "jvanzyl" + }, + { + "type": "vendor", + "confidence": "MEDIUM", + "source": "pom", + "name": "developer id", + "value": "martinc" + }, + { + "type": "vendor", + "confidence": "MEDIUM", + "source": "pom", + "name": "developer id", + "value": "rdonkin" + }, + { + "type": "vendor", + "confidence": "MEDIUM", + "source": "pom", + "name": "developer id", + "value": "sullis" + }, + { + "type": "vendor", + "confidence": "MEDIUM", + "source": "pom", + "name": "developer name", + "value": "Daniel Rall" + }, + { + "type": "vendor", + "confidence": "MEDIUM", + "source": "pom", + "name": "developer name", + "value": "dIon Gillard" + }, + { + "type": "vendor", + "confidence": "MEDIUM", + "source": "pom", + "name": "developer name", + "value": "Jason van Zyl" + }, + { + "type": "vendor", + "confidence": "MEDIUM", + "source": "pom", + "name": "developer name", + "value": "John McNally" + }, + { + "type": "vendor", + "confidence": "MEDIUM", + "source": "pom", + "name": "developer name", + "value": "Martin Cooper" + }, + { + "type": "vendor", + "confidence": "MEDIUM", + "source": "pom", + "name": "developer name", + "value": "Robert Burrell Donkin" + }, + { + "type": "vendor", + "confidence": "MEDIUM", + "source": "pom", + "name": "developer name", + "value": "Sean C. 
Sullivan" + }, + { + "type": "vendor", + "confidence": "MEDIUM", + "source": "pom", + "name": "developer org", + "value": "CollabNet" + }, + { + "type": "vendor", + "confidence": "MEDIUM", + "source": "pom", + "name": "developer org", + "value": "Multitask Consulting" + }, + { + "type": "vendor", + "confidence": "MEDIUM", + "source": "pom", + "name": "developer org", + "value": "Tumbleweed Communications" + }, + { + "type": "vendor", + "confidence": "MEDIUM", + "source": "pom", + "name": "developer org", + "value": "Zenplex" + }, + { + "type": "vendor", "confidence": "HIGHEST", "source": "pom", "name": "groupid", - "value": "commons-digester" + "value": "commons-fileupload" + }, + { + "type": "vendor", + "confidence": "HIGH", + "source": "pom", + "name": "name", + "value": "FileUpload" }, + { + "type": "vendor", + "confidence": "HIGHEST", + "source": "pom", + "name": "url", + "value": "http://jakarta.apache.org/commons/fileupload/" + } + ], + "productEvidence": [ { "type": "product", "confidence": "HIGH", - "source": "Manifest", - "name": "Implementation-Title", - "value": "\"org.apache.commons.digester\"" + "source": "file", + "name": "name", + "value": "commons-fileupload" }, { "type": "product", 
@@ -2080,216 +3108,203 @@ "confidence": "HIGHEST", "source": "jar", "name": "package name", - "value": "digester" + "value": "fileupload" }, { "type": "product", "confidence": "MEDIUM", "source": "Manifest", - "name": "specification-title", - "value": "\"Jakarta Commons Digester\"" + "name": "extension-name", + "value": "commons-fileupload" }, { "type": "product", "confidence": "MEDIUM", "source": "Manifest", - "name": "extension-name", - "value": "org.apache.commons.digester" + "name": "specification-title", + "value": "File upload component for Java servlets" }, { "type": "product", "confidence": "HIGHEST", "source": "pom", "name": "artifactid", - "value": "commons-digester" + "value": "commons-fileupload" }, { "type": "product", - "confidence": "HIGH", - "source": "file", - "name": "name", - "value": "commons-digester" + "confidence": "LOW", + "source": "pom", + "name": "developer email", + "value": "dion@apache.org" }, { "type": "product", - "confidence": "HIGHEST", - "source": "jar", - "name": "package name", - "value": "apache" - } - ], - "versionEvidence": [ + "confidence": "LOW", + "source": "pom", + "name": "developer email", + "value": "dlr@finemaltcoding.com" + }, { - "type": "version", - "confidence": "HIGHEST", + "type": "product", + "confidence": "LOW", "source": "pom", - "name": "version", - "value": "1.6" + "name": "developer email", + "value": "jason@zenplex.com" }, { - "type": "version", - "confidence": "HIGH", - "source": "file", - "name": "version", - "value": "1.6" - } - ] - }, - "packages": [ - { - "id": "pkg:maven/commons-digester/commons-digester@1.6", - "confidence": "HIGH", - "url": "https://ossindex.sonatype.org/component/pkg:maven/commons-digester/commons-digester@1.6" - } - ] - }, - { - "isVirtual": false, - "fileName": "commons-fileupload-1.0.jar", - "filePath": "/to/path/commons-fileupload/commons-fileupload/1.0/commons-fileupload-1.0.jar", - "md5": "1112fc5e1e8be8d9c76c2bbe995eacc6", - "sha1": 
"2366159e25523d99e96d05211a2fa5399c938735", - "sha256": "5263c9d60a380e53d0d4a9598f7109141e5683cb08fe86fa3f48b03493716af6", - "description": "The FileUpload component provides a simple yet flexible means of adding\n support for multipart file upload functionality to servlets and web\n applications.", - "projectReferences": [ - "module1:compile" - ], - "evidenceCollected": { - "vendorEvidence": [ + "type": "product", + "confidence": "LOW", + "source": "pom", + "name": "developer email", + "value": "jmcnally@collab.net" + }, + { + "type": "product", + "confidence": "LOW", + "source": "pom", + "name": "developer email", + "value": "martinc@apache.org" + }, + { + "type": "product", + "confidence": "LOW", + "source": "pom", + "name": "developer email", + "value": "rdonkin@apache.org" + }, { - "type": "vendor", - "confidence": "HIGHEST", - "source": "jar", - "name": "package name", - "value": "fileupload" + "type": "product", + "confidence": "LOW", + "source": "pom", + "name": "developer email", + "value": "sean |at| seansullivan |dot| com" }, { - "type": "vendor", - "confidence": "HIGH", + "type": "product", + "confidence": "LOW", "source": "pom", - "name": "name", - "value": "FileUpload" + "name": "developer id", + "value": "dion" }, { - "type": "vendor", - "confidence": "HIGH", - "source": "file", - "name": "name", - "value": "commons-fileupload" + "type": "product", + "confidence": "LOW", + "source": "pom", + "name": "developer id", + "value": "dlr" }, { - "type": "vendor", - "confidence": "HIGHEST", - "source": "jar", - "name": "package name", - "value": "commons" + "type": "product", + "confidence": "LOW", + "source": "pom", + "name": "developer id", + "value": "jmcnally" }, { - "type": "vendor", - "confidence": "MEDIUM", - "source": "Manifest", - "name": "extension-name", - "value": "commons-fileupload" + "type": "product", + "confidence": "LOW", + "source": "pom", + "name": "developer id", + "value": "jvanzyl" }, { - "type": "vendor", - "confidence": "HIGHEST", - 
"source": "jar", - "name": "package name", - "value": "apache" + "type": "product", + "confidence": "LOW", + "source": "pom", + "name": "developer id", + "value": "martinc" }, { - "type": "vendor", - "confidence": "HIGH", - "source": "Manifest", - "name": "Implementation-Vendor", - "value": "Apache Software Foundation" + "type": "product", + "confidence": "LOW", + "source": "pom", + "name": "developer id", + "value": "rdonkin" }, { - "type": "vendor", - "confidence": "HIGHEST", + "type": "product", + "confidence": "LOW", "source": "pom", - "name": "url", - "value": "http://jakarta.apache.org/commons/fileupload/" + "name": "developer id", + "value": "sullis" }, { - "type": "vendor", + "type": "product", "confidence": "LOW", "source": "pom", - "name": "artifactid", - "value": "commons-fileupload" + "name": "developer name", + "value": "Daniel Rall" }, { - "type": "vendor", - "confidence": "MEDIUM", - "source": "Manifest", - "name": "Implementation-Vendor-Id", - "value": "" + "type": "product", + "confidence": "LOW", + "source": "pom", + "name": "developer name", + "value": "dIon Gillard" }, { - "type": "vendor", - "confidence": "HIGHEST", + "type": "product", + "confidence": "LOW", "source": "pom", - "name": "groupid", - "value": "commons-fileupload" + "name": "developer name", + "value": "Jason van Zyl" }, { - "type": "vendor", + "type": "product", "confidence": "LOW", - "source": "Manifest", - "name": "specification-vendor", - "value": "Apache Software Foundation" - } - ], - "productEvidence": [ + "source": "pom", + "name": "developer name", + "value": "John McNally" + }, { "type": "product", - "confidence": "HIGHEST", - "source": "jar", - "name": "package name", - "value": "fileupload" + "confidence": "LOW", + "source": "pom", + "name": "developer name", + "value": "Martin Cooper" }, { "type": "product", - "confidence": "HIGH", + "confidence": "LOW", "source": "pom", - "name": "name", - "value": "FileUpload" + "name": "developer name", + "value": "Robert Burrell 
Donkin" }, { "type": "product", - "confidence": "HIGH", - "source": "file", - "name": "name", - "value": "commons-fileupload" + "confidence": "LOW", + "source": "pom", + "name": "developer name", + "value": "Sean C. Sullivan" }, { "type": "product", - "confidence": "HIGHEST", - "source": "jar", - "name": "package name", - "value": "commons" + "confidence": "LOW", + "source": "pom", + "name": "developer org", + "value": "CollabNet" }, { "type": "product", - "confidence": "MEDIUM", + "confidence": "LOW", "source": "pom", - "name": "url", - "value": "http://jakarta.apache.org/commons/fileupload/" + "name": "developer org", + "value": "Multitask Consulting" }, { "type": "product", - "confidence": "MEDIUM", - "source": "Manifest", - "name": "specification-title", - "value": "File upload component for Java servlets" + "confidence": "LOW", + "source": "pom", + "name": "developer org", + "value": "Tumbleweed Communications" }, { "type": "product", - "confidence": "MEDIUM", - "source": "Manifest", - "name": "extension-name", - "value": "commons-fileupload" + "confidence": "LOW", + "source": "pom", + "name": "developer org", + "value": "Zenplex" }, { "type": "product", @@ -2300,10 +3315,17 @@ }, { "type": "product", - "confidence": "HIGHEST", + "confidence": "HIGH", "source": "pom", - "name": "artifactid", - "value": "commons-fileupload" + "name": "name", + "value": "FileUpload" + }, + { + "type": "product", + "confidence": "MEDIUM", + "source": "pom", + "name": "url", + "value": "http://jakarta.apache.org/commons/fileupload/" } ], "versionEvidence": [ @@ -2334,7 +3356,7 @@ { "id": "pkg:maven/commons-fileupload/commons-fileupload@1.0", "confidence": "HIGH", - "url": "https://ossindex.sonatype.org/component/pkg:maven/commons-fileupload/commons-fileupload@1.0" + "url": "https://ossindex.sonatype.org/component/pkg:maven/commons-fileupload/commons-fileupload@1.0?utm_source=dependency-check&utm_medium=integration&utm_content=8.0.2" } ], "vulnerabilityIds": [ 
@@ -2346,707 +3368,1777 @@ ], "vulnerabilities": [ { - "source": "OSSINDEX", - "name": "Arbitrary file upload via deserialization", - "unscored": "true", - "severity": "Unknown", - "cwes": [], - "description": "> The DiskFileItem class in Apache Commons FileUpload, as used in Red Hat JBoss BRMS 5.3.1; JBoss Portal 4.3 CP07, 5.2.2, and 6.0.0; and Red Hat JBoss Web Server 1.0.2 allows remote attackers to write to arbitrary files via a NULL byte in a file name in a serialized instance.\n> \n> -- [redhat.com](https://access.redhat.com/security/cve/CVE-2013-2186)", + "source": "NVD", + "name": "CVE-2016-1000031", + "severity": "CRITICAL", + "cvssv2": { + "score": 7.5, + "accessVector": "NETWORK", + "accessComplexity": "LOW", + "authenticationr": "NONE", + "confidentialImpact": "PARTIAL", + "integrityImpact": "PARTIAL", + "availabilityImpact": "PARTIAL", + "severity": "HIGH", + "version": "2.0", + "exploitabilityScore": "10.0", + "impactScore": "6.4", + "acInsufInfo": "true" + }, + "cvssv3": { + "baseScore": 9.8, + "attackVector": "NETWORK", + "attackComplexity": "LOW", + "privilegesRequired": "NONE", + "userInteraction": "NONE", + "scope": "UNCHANGED", + "confidentialityImpact": "HIGH", + "integrityImpact": "HIGH", + "availabilityImpact": "HIGH", + "baseSeverity": "CRITICAL", + "exploitabilityScore": "3.9", + "impactScore": "5.9", + "version": "3.0" + }, + "cwes": [ + "CWE-284" + ], + "description": "Apache Commons FileUpload before 1.3.3 DiskFileItem File Manipulation Remote Code Execution", + "notes": "", + "references": [ + { + "source": "MISC", + "url": "https://www.oracle.com/security-alerts/cpuoct2020.html", + "name": "https://www.oracle.com/security-alerts/cpuoct2020.html" + }, + { + "source": "CONFIRM", + "url": "https://security.netapp.com/advisory/ntap-20190212-0001/", + "name": "https://security.netapp.com/advisory/ntap-20190212-0001/" + }, + { + "source": "MLIST", + "url": 
"https://lists.apache.org/thread.html/708d94141126eac03011144a971a6411fcac16d9c248d1d535a39451@%3Csolr-user.lucene.apache.org%3E", + "name": "[lucene-solr-user] 20190104 Re: SOLR v7 Security Issues Caused Denial of Use - Sonatype Application Composition Report" + }, + { + "source": "MISC", + "url": "https://www.oracle.com/security-alerts/cpujul2020.html", + "name": "https://www.oracle.com/security-alerts/cpujul2020.html" + }, + { + "source": "N/A", + "url": "https://www.oracle.com/security-alerts/cpujul2022.html", + "name": "N/A" + }, + { + "source": "SUSE", + "url": "http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00036.html", + "name": "openSUSE-SU-2019:1399" + }, + { + "source": "MLIST", + "url": "https://lists.apache.org/thread.html/d66657323fd25e437face5e84899c8ca404ccd187e81c3f2fa8b6080@%3Cannounce.apache.org%3E", + "name": "[announce] 20181105 [SECURITY] Immediately upgrade commons-fileupload to version 1.3.3 when running Struts 2.3.36 or prior" + }, + { + "source": "BID", + "url": "http://www.securityfocus.com/bid/93604", + "name": "93604" + }, + { + "source": "MISC", + "url": "https://www.tenable.com/security/research/tra-2016-30", + "name": "https://www.tenable.com/security/research/tra-2016-30" + }, + { + "source": "MISC", + "url": "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html", + "name": "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html" + }, + { + "source": "CONFIRM", + "url": "https://issues.apache.org/jira/browse/FILEUPLOAD-279", + "name": "https://issues.apache.org/jira/browse/FILEUPLOAD-279" + }, + { + "source": "CONFIRM", + "url": "https://issues.apache.org/jira/browse/WW-4812", + "name": "https://issues.apache.org/jira/browse/WW-4812" + }, + { + "source": "MISC", + "url": "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html", + "name": "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html" + }, + { + "source": "MISC", + 
"url": "https://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html", + "name": "https://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html" + }, + { + "source": "MISC", + "url": "https://www.oracle.com/security-alerts/cpujan2021.html", + "name": "https://www.oracle.com/security-alerts/cpujan2021.html" + }, + { + "source": "MISC", + "url": "https://www.oracle.com/security-alerts/cpuoct2021.html", + "name": "https://www.oracle.com/security-alerts/cpuoct2021.html" + }, + { + "source": "MISC", + "url": "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html", + "name": "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html" + }, + { + "source": "CONFIRM", + "url": "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html", + "name": "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html" + }, + { + "source": "MISC", + "url": "https://www.tenable.com/security/research/tra-2016-23", + "name": "https://www.tenable.com/security/research/tra-2016-23" + }, + { + "source": "MISC", + "url": "https://www.tenable.com/security/research/tra-2016-12", + "name": "https://www.tenable.com/security/research/tra-2016-12" + }, + { + "source": "CONFIRM", + "url": "https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html", + "name": "https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html" + }, + { + "source": "MISC", + "url": "http://www.zerodayinitiative.com/advisories/ZDI-16-570/", + "name": "http://www.zerodayinitiative.com/advisories/ZDI-16-570/" + }, + { + "source": "MISC", + "url": "https://www.oracle.com/security-alerts/cpujan2020.html", + "name": "https://www.oracle.com/security-alerts/cpujan2020.html" + }, + { + "source": "N/A", + "url": "https://www.oracle.com/security-alerts/cpuapr2020.html", + "name": "N/A" + } + ], + "vulnerableSoftware": [ + { + "software": { + "id": 
"cpe:2.3:a:apache:commons_fileupload:*:*:*:*:*:*:*:*", + "vulnerabilityIdMatched": "true", + "versionEndIncluding": "1.3.2" + } + } + ] + }, + { + "source": "NVD", + "name": "CVE-2014-0050", + "severity": "HIGH", + "cvssv2": { + "score": 7.5, + "accessVector": "NETWORK", + "accessComplexity": "LOW", + "authenticationr": "NONE", + "confidentialImpact": "PARTIAL", + "integrityImpact": "PARTIAL", + "availabilityImpact": "PARTIAL", + "severity": "HIGH", + "version": "2.0", + "exploitabilityScore": "10.0", + "impactScore": "6.4" + }, + "cwes": [ + "CWE-264" + ], + "description": "MultipartStream.java in Apache Commons FileUpload before 1.3.1, as used in Apache Tomcat, JBoss Web, and other products, allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via a crafted Content-Type header that bypasses a loop's intended exit conditions.", "notes": "", "references": [ { - "source": "OSSINDEX", - "url": "https://ossindex.sonatype.org/vuln/fb810cbf-d8fb-4f30-b79b-82652ae7192a?component-type=maven&component-name=commons-fileupload.commons-fileupload", - "name": "Arbitrary file upload via deserialization" - } - ], - "vulnerableSoftware": [ + "source": "CONFIRM", + "url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05376917", + "name": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05376917" + }, + { + "source": "REDHAT", + "url": "http://rhn.redhat.com/errata/RHSA-2014-0252.html", + "name": "RHSA-2014:0252" + }, + { + "source": "FULLDISC", + "url": "http://seclists.org/fulldisclosure/2014/Dec/23", + "name": "20141205 NEW: VMSA-2014-0012 - VMware vSphere product updates address security vulnerabilities" + }, + { + "source": "SECUNIA", + "url": "http://secunia.com/advisories/59500", + "name": "59500" + }, + { + "source": "OSSIndex", + "url": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0050", + "name": 
"http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0050" + }, + { + "source": "SECUNIA", + "url": "http://secunia.com/advisories/58075", + "name": "58075" + }, + { + "source": "CONFIRM", + "url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05324755", + "name": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05324755" + }, + { + "source": "JVN", + "url": "http://jvn.jp/en/jp/JVN14876762/index.html", + "name": "JVN#14876762" + }, + { + "source": "CONFIRM", + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1062337", + "name": "https://bugzilla.redhat.com/show_bug.cgi?id=1062337" + }, + { + "source": "SECUNIA", + "url": "http://secunia.com/advisories/59232", + "name": "59232" + }, + { + "source": "CONFIRM", + "url": "http://tomcat.apache.org/security-7.html", + "name": "http://tomcat.apache.org/security-7.html" + }, + { + "source": "CONFIRM", + "url": "http://www-01.ibm.com/support/docview.wss?uid=swg21677724", + "name": "http://www-01.ibm.com/support/docview.wss?uid=swg21677724" + }, + { + "source": "SECUNIA", + "url": "http://secunia.com/advisories/59399", + "name": "59399" + }, + { + "source": "CONFIRM", + "url": "http://www.vmware.com/security/advisories/VMSA-2014-0007.html", + "name": "http://www.vmware.com/security/advisories/VMSA-2014-0007.html" + }, + { + "source": "OSSINDEX", + "url": "https://ossindex.sonatype.org/vulnerability/CVE-2014-0050?component-type=maven&component-name=commons-fileupload%2Fcommons-fileupload&utm_source=dependency-check&utm_medium=integration&utm_content=8.0.2", + "name": "[CVE-2014-0050] CWE-264: Permissions, Privileges, and Access Controls" + }, + { + "source": "CONFIRM", + "url": "http://www.hitachi.co.jp/Prod/comp/soft1/global/security/info/vuls/HS14-017/index.html", + "name": "http://www.hitachi.co.jp/Prod/comp/soft1/global/security/info/vuls/HS14-017/index.html" + }, + { + "source": "CONFIRM", + "url": 
"http://www-01.ibm.com/support/docview.wss?uid=swg21676092", + "name": "http://www-01.ibm.com/support/docview.wss?uid=swg21676092" + }, + { + "source": "OSSIndex", + "url": "http://mail-archives.apache.org/mod_mbox/www-announce/201402.mbox/%3C52F373FC.9030907@apache.org%3E", + "name": "http://mail-archives.apache.org/mod_mbox/www-announce/201402.mbox/%3C52F373FC.9030907@apache.org%3E" + }, + { + "source": "SECUNIA", + "url": "http://secunia.com/advisories/59185", + "name": "59185" + }, + { + "source": "SECUNIA", + "url": "http://secunia.com/advisories/59187", + "name": "59187" + }, + { + "source": "DEBIAN", + "url": "http://www.debian.org/security/2014/dsa-2856", + "name": "DSA-2856" + }, + { + "source": "UBUNTU", + "url": "http://www.ubuntu.com/usn/USN-2130-1", + "name": "USN-2130-1" + }, + { + "source": "MISC", + "url": "http://packetstormsecurity.com/files/127215/VMware-Security-Advisory-2014-0007.html", + "name": "http://packetstormsecurity.com/files/127215/VMware-Security-Advisory-2014-0007.html" + }, + { + "source": "CONFIRM", + "url": "http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html", + "name": "http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html" + }, + { + "source": "CONFIRM", + "url": "http://www-01.ibm.com/support/docview.wss?uid=swg21669554", + "name": "http://www-01.ibm.com/support/docview.wss?uid=swg21669554" + }, + { + "source": "MISC", + "url": "http://blog.spiderlabs.com/2014/02/cve-2014-0050-exploit-with-boundaries-loops-without-boundaries.html", + "name": "http://blog.spiderlabs.com/2014/02/cve-2014-0050-exploit-with-boundaries-loops-without-boundaries.html" + }, + { + "source": "SECUNIA", + "url": "http://secunia.com/advisories/59183", + "name": "59183" + }, + { + "source": "CONFIRM", + "url": "http://www-01.ibm.com/support/docview.wss?uid=swg21676853", + "name": "http://www-01.ibm.com/support/docview.wss?uid=swg21676853" + }, + { + "source": "CONFIRM", + "url": 
"http://www.oracle.com/technetwork/topics/security/cpuapr2015-2365600.html", + "name": "http://www.oracle.com/technetwork/topics/security/cpuapr2015-2365600.html" + }, + { + "source": "HP", + "url": "http://marc.info/?l=bugtraq&m=143136844732487&w=2", + "name": "HPSBGN03329" + }, + { + "source": "SECUNIA", + "url": "http://secunia.com/advisories/59039", + "name": "59039" + }, + { + "source": "CONFIRM", + "url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05390722", + "name": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05390722" + }, + { + "source": "CONFIRM", + "url": "http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html", + "name": "http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html" + }, + { + "source": "BID", + "url": "http://www.securityfocus.com/bid/65400", + "name": "65400" + }, + { + "source": "CONFIRM", + "url": "http://www.hitachi.co.jp/Prod/comp/soft1/global/security/info/vuls/HS14-015/index.html", + "name": "http://www.hitachi.co.jp/Prod/comp/soft1/global/security/info/vuls/HS14-015/index.html" + }, + { + "source": "CONFIRM", + "url": "http://www-01.ibm.com/support/docview.wss?uid=swg21681214", + "name": "http://www-01.ibm.com/support/docview.wss?uid=swg21681214" + }, + { + "source": "CONFIRM", + "url": "http://www.vmware.com/security/advisories/VMSA-2014-0012.html", + "name": "http://www.vmware.com/security/advisories/VMSA-2014-0012.html" + }, + { + "source": "CONFIRM", + "url": "http://www-01.ibm.com/support/docview.wss?uid=swg21676410", + "name": "http://www-01.ibm.com/support/docview.wss?uid=swg21676410" + }, + { + "source": "SECUNIA", + "url": "http://secunia.com/advisories/60475", + "name": "60475" + }, + { + "source": "OSSIndex", + "url": "https://www.trustwave.com/Resources/SpiderLabs-Blog/CVE-2014-0050--Exploit-with-Boundaries,-Loops-without-Boundaries/", + "name": 
"https://www.trustwave.com/Resources/SpiderLabs-Blog/CVE-2014-0050--Exploit-with-Boundaries,-Loops-without-Boundaries/" + }, + { + "source": "REDHAT", + "url": "http://rhn.redhat.com/errata/RHSA-2014-0253.html", + "name": "RHSA-2014:0253" + }, + { + "source": "MLIST", + "url": "http://mail-archives.apache.org/mod_mbox/commons-dev/201402.mbox/%3C52F373FC.9030907@apache.org%3E", + "name": "[commons-dev] 20140206 [SECURITY] CVE-2014-0050 Apache Commons FileUpload and Apache Tomcat DoS" + }, + { + "source": "CONFIRM", + "url": "http://www.oracle.com/technetwork/topics/security/cpujul2014-1972956.html", + "name": "http://www.oracle.com/technetwork/topics/security/cpujul2014-1972956.html" + }, + { + "source": "REDHAT", + "url": "http://rhn.redhat.com/errata/RHSA-2014-0400.html", + "name": "RHSA-2014:0400" + }, + { + "source": "CONFIRM", + "url": "http://www.vmware.com/security/advisories/VMSA-2014-0008.html", + "name": "http://www.vmware.com/security/advisories/VMSA-2014-0008.html" + }, + { + "source": "CONFIRM", + "url": "http://tomcat.apache.org/security-8.html", + "name": "http://tomcat.apache.org/security-8.html" + }, + { + "source": "OSSIndex", + "url": "http://www.rapid7.com/db/modules/auxiliary/dos/http/apache_commons_fileupload_dos", + "name": "http://www.rapid7.com/db/modules/auxiliary/dos/http/apache_commons_fileupload_dos" + }, + { + "source": "SECUNIA", + "url": "http://secunia.com/advisories/58976", + "name": "58976" + }, + { + "source": "CONFIRM", + "url": "http://www.hitachi.co.jp/Prod/comp/soft1/global/security/info/vuls/HS14-016/index.html", + "name": "http://www.hitachi.co.jp/Prod/comp/soft1/global/security/info/vuls/HS14-016/index.html" + }, + { + "source": "MANDRIVA", + "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2015:084", + "name": "MDVSA-2015:084" + }, + { + "source": "CONFIRM", + "url": "http://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html", + "name": 
"http://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html" + }, + { + "source": "GENTOO", + "url": "https://security.gentoo.org/glsa/202107-39", + "name": "GLSA-202107-39" + }, + { + "source": "SECUNIA", + "url": "http://secunia.com/advisories/59184", + "name": "59184" + }, + { + "source": "SECUNIA", + "url": "http://secunia.com/advisories/59041", + "name": "59041" + }, + { + "source": "SECUNIA", + "url": "http://secunia.com/advisories/57915", + "name": "57915" + }, + { + "source": "CONFIRM", + "url": "http://www-01.ibm.com/support/docview.wss?uid=swg21676405", + "name": "http://www-01.ibm.com/support/docview.wss?uid=swg21676405" + }, + { + "source": "CONFIRM", + "url": "http://advisories.mageia.org/MGASA-2014-0110.html", + "name": "http://advisories.mageia.org/MGASA-2014-0110.html" + }, + { + "source": "JVNDB", + "url": "http://jvndb.jvn.jp/jvndb/JVNDB-2014-000017", + "name": "JVNDB-2014-000017" + }, + { + "source": "SECUNIA", + "url": "http://secunia.com/advisories/59492", + "name": "59492" + }, + { + "source": "CONFIRM", + "url": "http://www-01.ibm.com/support/docview.wss?uid=swg21675432", + "name": "http://www-01.ibm.com/support/docview.wss?uid=swg21675432" + }, + { + "source": "BUGTRAQ", + "url": "http://www.securityfocus.com/archive/1/532549/100/0/threaded", + "name": "20140625 NEW VMSA-2014-0007 - VMware product updates address security vulnerabilities in Apache Struts library" + }, + { + "source": "CONFIRM", + "url": "http://www.oracle.com/technetwork/topics/security/cpuoct2014-1972960.html", + "name": "http://www.oracle.com/technetwork/topics/security/cpuoct2014-1972960.html" + }, + { + "source": "BUGTRAQ", + "url": "http://www.securityfocus.com/archive/1/534161/100/0/threaded", + "name": "20141205 NEW: VMSA-2014-0012 - VMware vSphere product updates address security vulnerabilities" + }, + { + "source": "CONFIRM", + "url": "http://www-01.ibm.com/support/docview.wss?uid=swg21677691", + "name": 
"http://www-01.ibm.com/support/docview.wss?uid=swg21677691" + }, + { + "source": "CONFIRM", + "url": "http://www-01.ibm.com/support/docview.wss?uid=swg21676401", + "name": "http://www-01.ibm.com/support/docview.wss?uid=swg21676401" + }, + { + "source": "SECUNIA", + "url": "http://secunia.com/advisories/60753", + "name": "60753" + }, + { + "source": "CONFIRM", + "url": "http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html", + "name": "http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html" + }, + { + "source": "CONFIRM", + "url": "http://svn.apache.org/r1565143", + "name": "http://svn.apache.org/r1565143" + }, + { + "source": "SECUNIA", + "url": "http://secunia.com/advisories/59725", + "name": "59725" + }, + { + "source": "CONFIRM", + "url": "http://www-01.ibm.com/support/docview.wss?uid=swg21676656", + "name": "http://www-01.ibm.com/support/docview.wss?uid=swg21676656" + }, + { + "source": "CONFIRM", + "url": "http://www-01.ibm.com/support/docview.wss?uid=swg21676403", + "name": "http://www-01.ibm.com/support/docview.wss?uid=swg21676403" + }, + { + "source": "CONFIRM", + "url": "http://www.huawei.com/en/security/psirt/security-bulletins/security-advisories/hw-350733.htm", + "name": "http://www.huawei.com/en/security/psirt/security-bulletins/security-advisories/hw-350733.htm" + }, + { + "source": "CONFIRM", + "url": "http://www-01.ibm.com/support/docview.wss?uid=swg21676091", + "name": "http://www-01.ibm.com/support/docview.wss?uid=swg21676091" + }, + { + "source": "CONFIRM", + "url": "http://www.oracle.com/technetwork/topics/security/cpujan2016-2367955.html", + "name": "http://www.oracle.com/technetwork/topics/security/cpujan2016-2367955.html" + } + ], + "vulnerableSoftware": [ + { + "software": { + "id": "cpe:2.3:a:apache:commons_fileupload:*:*:*:*:*:*:*:*", + "vulnerabilityIdMatched": "true", + "versionEndIncluding": "1.3" + } + }, + { + "software": { + "id": "cpe:2.3:a:apache:commons_fileupload:1.0:*:*:*:*:*:*:*" + } + 
}, + { + "software": { + "id": "cpe:2.3:a:apache:commons_fileupload:1.1:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:apache:commons_fileupload:1.1.1:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:apache:commons_fileupload:1.2:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:apache:commons_fileupload:1.2.1:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:apache:commons_fileupload:1.2.2:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:apache:tomcat:7.0.0:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:apache:tomcat:7.0.0:beta:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:apache:tomcat:7.0.1:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:apache:tomcat:7.0.2:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:apache:tomcat:7.0.2:beta:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:apache:tomcat:7.0.3:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:apache:tomcat:7.0.4:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:apache:tomcat:7.0.4:beta:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:apache:tomcat:7.0.5:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:apache:tomcat:7.0.6:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:apache:tomcat:7.0.7:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:apache:tomcat:7.0.8:*:*:*:*:*:*:*" + } + }, { "software": { - "id": "cpe:2.3:a:commons-fileupload:commons-fileupload:1.0:*:*:*:*:*:*:*", - "vulnerabilityIdMatched": "true" + "id": "cpe:2.3:a:apache:tomcat:7.0.9:*:*:*:*:*:*:*" } - } - ] - }, - { - "source": "NVD", - "name": "CVE-2013-0248", - "severity": "LOW", - "cvssv2": { - "score": 3.3, - "accessVector": "LOCAL", - "accessComplexity": "MEDIUM", - "authenticationr": "NONE", - "confidentialImpact": "NONE", - "integrityImpact": "PARTIAL", - "availabilityImpact": "PARTIAL", - "severity": "LOW", - "version": 
"2.0", - "exploitabilityScore": "3.4", - "impactScore": "4.9" - }, - "cwes": [ - "CWE-264" - ], - "description": "The default configuration of javax.servlet.context.tempdir in Apache Commons FileUpload 1.0 through 1.2.2 uses the /tmp directory for uploaded files, which allows local users to overwrite arbitrary files via an unspecified symlink attack.", - "notes": "", - "references": [ + }, { - "source": "HP", - "url": "http://marc.info/?l=bugtraq&m=144050155601375&w=2", - "name": "HPSBMU03409" + "software": { + "id": "cpe:2.3:a:apache:tomcat:7.0.10:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:apache:tomcat:7.0.11:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:apache:tomcat:7.0.12:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:apache:tomcat:7.0.13:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:apache:tomcat:7.0.14:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:apache:tomcat:7.0.15:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:apache:tomcat:7.0.16:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:apache:tomcat:7.0.17:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:apache:tomcat:7.0.18:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:apache:tomcat:7.0.19:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:apache:tomcat:7.0.20:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:apache:tomcat:7.0.21:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:apache:tomcat:7.0.22:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:apache:tomcat:7.0.23:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:apache:tomcat:7.0.24:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:apache:tomcat:7.0.25:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:apache:tomcat:7.0.26:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:apache:tomcat:7.0.27:*:*:*:*:*:*:*" + 
} + }, + { + "software": { + "id": "cpe:2.3:a:apache:tomcat:7.0.28:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:apache:tomcat:7.0.29:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:apache:tomcat:7.0.30:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:apache:tomcat:7.0.31:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:apache:tomcat:7.0.32:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:apache:tomcat:7.0.33:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:apache:tomcat:7.0.34:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:apache:tomcat:7.0.35:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:apache:tomcat:7.0.36:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:apache:tomcat:7.0.37:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:apache:tomcat:7.0.38:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:apache:tomcat:7.0.39:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:apache:tomcat:7.0.40:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:apache:tomcat:7.0.41:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:apache:tomcat:7.0.42:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:apache:tomcat:7.0.43:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:apache:tomcat:7.0.44:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:apache:tomcat:7.0.45:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:apache:tomcat:7.0.46:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:apache:tomcat:7.0.47:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:apache:tomcat:7.0.48:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:apache:tomcat:7.0.49:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:apache:tomcat:7.0.50:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": 
"cpe:2.3:a:apache:tomcat:8.0.0:rc1:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:apache:tomcat:8.0.0:rc10:*:*:*:*:*:*" + } }, { - "source": "OSVDB", - "url": "http://www.osvdb.org/90906", - "name": "90906" + "software": { + "id": "cpe:2.3:a:apache:tomcat:8.0.0:rc2:*:*:*:*:*:*" + } }, { - "source": "OSSINDEX", - "url": "https://ossindex.sonatype.org/vuln/88c767c5-36d0-4f1f-afe8-4a595454c436?component-type=maven&component-name=commons-fileupload.commons-fileupload", - "name": "[CVE-2013-0248] Permissions, Privileges, and Access Controls" + "software": { + "id": "cpe:2.3:a:apache:tomcat:8.0.0:rc5:*:*:*:*:*:*" + } }, { - "source": "BUGTRAQ", - "url": "http://archives.neohapsis.com/archives/bugtraq/2013-03/0035.html", - "name": "20130306 [SECURITY] CVE-2013-0248 Apache Commons FileUpload - Insecure examples" + "software": { + "id": "cpe:2.3:a:apache:tomcat:8.0.1:*:*:*:*:*:*:*" + } }, { - "source": "CONFIRM", - "url": "http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html", - "name": "http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html" + "software": { + "id": "cpe:2.3:a:oracle:retail_applications:12.0:*:*:*:*:*:*:*" + } }, { - "source": "BID", - "url": "http://www.securityfocus.com/bid/58326", - "name": "58326" - } - ], - "vulnerableSoftware": [ + "software": { + "id": "cpe:2.3:a:oracle:retail_applications:12.0in:*:*:*:*:*:*:*" + } + }, { "software": { - "id": "cpe:2.3:a:apache:commons_fileupload:1.0:*:*:*:*:*:*:*", - "vulnerabilityIdMatched": "true" + "id": "cpe:2.3:a:oracle:retail_applications:13.0:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:apache:commons_fileupload:1.2:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:oracle:retail_applications:13.1:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:apache:commons_fileupload:1.1.1:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:oracle:retail_applications:13.2:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:apache:commons_fileupload:1.2.1:*:*:*:*:*:*:*" + "id": 
"cpe:2.3:a:oracle:retail_applications:13.3:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:apache:commons_fileupload:1.2.2:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:oracle:retail_applications:13.4:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:apache:commons_fileupload:1.1:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:oracle:retail_applications:14.0:*:*:*:*:*:*:*" } } ] }, { "source": "NVD", - "name": "CVE-2014-0050", + "name": "CVE-2016-3092", "severity": "HIGH", "cvssv2": { - "score": 7.5, + "score": 7.8, "accessVector": "NETWORK", "accessComplexity": "LOW", "authenticationr": "NONE", - "confidentialImpact": "PARTIAL", - "integrityImpact": "PARTIAL", - "availabilityImpact": "PARTIAL", + "confidentialImpact": "NONE", + "integrityImpact": "NONE", + "availabilityImpact": "COMPLETE", "severity": "HIGH", "version": "2.0", "exploitabilityScore": "10.0", - "impactScore": "6.4" + "impactScore": "6.9" + }, + "cvssv3": { + "baseScore": 7.5, + "attackVector": "NETWORK", + "attackComplexity": "LOW", + "privilegesRequired": "NONE", + "userInteraction": "NONE", + "scope": "UNCHANGED", + "confidentialityImpact": "NONE", + "integrityImpact": "NONE", + "availabilityImpact": "HIGH", + "baseSeverity": "HIGH", + "exploitabilityScore": "3.9", + "impactScore": "3.6", + "version": "3.0" }, "cwes": [ - "CWE-264" + "CWE-20" ], - "description": "MultipartStream.java in Apache Commons FileUpload before 1.3.1, as used in Apache Tomcat, JBoss Web, and other products, allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via a crafted Content-Type header that bypasses a loop's intended exit conditions. The previous CVSS assessment ( Base Score: 5.0 - AV:N/AC:L/AU:N/C:N/I:N/A:P) was provided at the time of initial analysis based on the best available published information at that time. The score has been updated to reflect the impact to Oracle products per Oracle Critical Patch Update Advisory - October 2015 . 
Other products listed as vulnerable may or may not be similarly impacted.", + "description": "The MultipartStream class in Apache Commons Fileupload before 1.3.2, as used in Apache Tomcat 7.x before 7.0.70, 8.x before 8.0.36, 8.5.x before 8.5.3, and 9.x before 9.0.0.M7 and other products, allows remote attackers to cause a denial of service (CPU consumption) via a long boundary string.", "notes": "", "references": [ + { + "source": "DEBIAN", + "url": "http://www.debian.org/security/2016/dsa-3609", + "name": "DSA-3609" + }, + { + "source": "JVN", + "url": "http://jvn.jp/en/jp/JVN89379547/index.html", + "name": "JVN#89379547" + }, + { + "source": "REDHAT", + "url": "http://rhn.redhat.com/errata/RHSA-2016-2071.html", + "name": "RHSA-2016:2071" + }, + { + "source": "CONFIRM", + "url": "http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html", + "name": "http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html" + }, + { + "source": "CONFIRM", + "url": "https://security.netapp.com/advisory/ntap-20190212-0001/", + "name": "https://security.netapp.com/advisory/ntap-20190212-0001/" + }, + { + "source": "CONFIRM", + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1349468", + "name": "https://bugzilla.redhat.com/show_bug.cgi?id=1349468" + }, + { + "source": "CONFIRM", + "url": "http://svn.apache.org/viewvc?view=revision&revision=1743738", + "name": "http://svn.apache.org/viewvc?view=revision&revision=1743738" + }, + { + "source": "CONFIRM", + "url": "http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html", + "name": "http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html" + }, + { + "source": "UBUNTU", + "url": "http://www.ubuntu.com/usn/USN-3024-1", + "name": "USN-3024-1" + }, + { + "source": "CONFIRM", + "url": "http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html", + "name": "http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html" + }, + { + 
"source": "REDHAT", + "url": "https://access.redhat.com/errata/RHSA-2017:0455", + "name": "RHSA-2017:0455" + }, + { + "source": "REDHAT", + "url": "http://rhn.redhat.com/errata/RHSA-2016-2808.html", + "name": "RHSA-2016:2808" + }, + { + "source": "MLIST", + "url": "http://mail-archives.apache.org/mod_mbox/commons-dev/201606.mbox/%3CCAF8HOZ%2BPq2QH8RnxBuJyoK1dOz6jrTiQypAC%2BH8g6oZkBg%2BCxg%40mail.gmail.com%3E", + "name": "[dev] 20160621 CVE-2016-3092: Apache Commons Fileupload information disclosure vulnerability" + }, + { + "source": "SECTRACK", + "url": "http://www.securitytracker.com/id/1036427", + "name": "1036427" + }, + { + "source": "OSSIndex", + "url": "http://mail-archives.apache.org/mod_mbox/www-announce/201606.mbox/%3C45A20804-ABFF-4FED-A297-69AC95AB9A3F@apache.org%3E", + "name": "http://mail-archives.apache.org/mod_mbox/www-announce/201606.mbox/%3C45A20804-ABFF-4FED-A297-69AC95AB9A3F@apache.org%3E" + }, + { + "source": "GENTOO", + "url": "https://security.gentoo.org/glsa/201705-09", + "name": "GLSA-201705-09" + }, + { + "source": "SECTRACK", + "url": "http://www.securitytracker.com/id/1037029", + "name": "1037029" + }, + { + "source": "CONFIRM", + "url": "http://tomcat.apache.org/security-7.html", + "name": "http://tomcat.apache.org/security-7.html" + }, + { + "source": "DEBIAN", + "url": "http://www.debian.org/security/2016/dsa-3614", + "name": "DSA-3614" + }, + { + "source": "OSSINDEX", + "url": "https://ossindex.sonatype.org/vulnerability/CVE-2016-3092?component-type=maven&component-name=commons-fileupload%2Fcommons-fileupload&utm_source=dependency-check&utm_medium=integration&utm_content=8.0.2", + "name": "[CVE-2016-3092] CWE-20: Improper Input Validation" + }, + { + "source": "CONFIRM", + "url": "http://tomcat.apache.org/security-9.html", + "name": "http://tomcat.apache.org/security-9.html" + }, + { + "source": "CONFIRM", + "url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05324759", + "name": 
"https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05324759" + }, + { + "source": "REDHAT", + "url": "http://rhn.redhat.com/errata/RHSA-2016-2069.html", + "name": "RHSA-2016:2069" + }, + { + "source": "SECTRACK", + "url": "http://www.securitytracker.com/id/1036900", + "name": "1036900" + }, + { + "source": "N/A", + "url": "https://www.oracle.com/security-alerts/cpuapr2020.html", + "name": "N/A" + }, + { + "source": "MLIST", + "url": "https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c@%3Cdev.tomcat.apache.org%3E", + "name": "[tomcat-dev] 20200213 svn commit: r1873980 [27/34] - /tomcat/site/trunk/docs/" + }, + { + "source": "REDHAT", + "url": "http://rhn.redhat.com/errata/RHSA-2016-2072.html", + "name": "RHSA-2016:2072" + }, + { + "source": "SECTRACK", + "url": "http://www.securitytracker.com/id/1039606", + "name": "1039606" + }, + { + "source": "REDHAT", + "url": "http://rhn.redhat.com/errata/RHSA-2016-2599.html", + "name": "RHSA-2016:2599" + }, + { + "source": "UBUNTU", + "url": "http://www.ubuntu.com/usn/USN-3027-1", + "name": "USN-3027-1" + }, + { + "source": "CONFIRM", + "url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05289840", + "name": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05289840" + }, + { + "source": "REDHAT", + "url": "https://access.redhat.com/errata/RHSA-2017:0456", + "name": "RHSA-2017:0456" + }, + { + "source": "REDHAT", + "url": "http://rhn.redhat.com/errata/RHSA-2016-2068.html", + "name": "RHSA-2016:2068" + }, + { + "source": "CONFIRM", + "url": "http://svn.apache.org/viewvc?view=revision&revision=1743480", + "name": "http://svn.apache.org/viewvc?view=revision&revision=1743480" + }, + { + "source": "MLIST", + "url": "https://lists.apache.org/thread.html/343558d982879bf88ec20dbf707f8c11255f8e219e81d45c4f8d0551@%3Cdev.tomcat.apache.org%3E", + "name": "[tomcat-dev] 20190319 svn commit: r1855831 
[25/30] - in /tomcat/site/trunk: ./ docs/ xdocs/" + }, + { + "source": "REDHAT", + "url": "http://rhn.redhat.com/errata/RHSA-2017-0457.html", + "name": "RHSA-2017:0457" + }, + { + "source": "OSSIndex", + "url": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-3092", + "name": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-3092" + }, + { + "source": "CONFIRM", + "url": "http://www.oracle.com/technetwork/topics/security/bulletinjul2016-3090568.html", + "name": "http://www.oracle.com/technetwork/topics/security/bulletinjul2016-3090568.html" + }, { "source": "REDHAT", - "url": "http://rhn.redhat.com/errata/RHSA-2014-0252.html", - "name": "RHSA-2014:0252" + "url": "http://rhn.redhat.com/errata/RHSA-2016-2070.html", + "name": "RHSA-2016:2070" }, { - "source": "CONFIRM", - "url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05376917", - "name": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05376917" + "source": "MISC", + "url": "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html", + "name": "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html" }, { - "source": "FULLDISC", - "url": "http://seclists.org/fulldisclosure/2014/Dec/23", - "name": "20141205 NEW: VMSA-2014-0012 - VMware vSphere product updates address security vulnerabilities" + "source": "CONFIRM", + "url": "http://tomcat.apache.org/security-8.html", + "name": "http://tomcat.apache.org/security-8.html" }, { - "source": "SECUNIA", - "url": "http://secunia.com/advisories/59500", - "name": "59500" + "source": "CONFIRM", + "url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05204371", + "name": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05204371" }, { - "source": "SECUNIA", - "url": "http://secunia.com/advisories/58075", - "name": "58075" + "source": "BID", + "url": 
"http://www.securityfocus.com/bid/91453", + "name": "91453" }, { - "source": "CONFIRM", - "url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05324755", - "name": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05324755" + "source": "SUSE", + "url": "http://lists.opensuse.org/opensuse-updates/2016-09/msg00025.html", + "name": "openSUSE-SU-2016:2252" }, { - "source": "JVN", - "url": "http://jvn.jp/en/jp/JVN14876762/index.html", - "name": "JVN#14876762" + "source": "GENTOO", + "url": "https://security.gentoo.org/glsa/202107-39", + "name": "GLSA-202107-39" }, { "source": "CONFIRM", - "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1062337", - "name": "https://bugzilla.redhat.com/show_bug.cgi?id=1062337" + "url": "http://svn.apache.org/viewvc?view=revision&revision=1743722", + "name": "http://svn.apache.org/viewvc?view=revision&revision=1743722" }, { - "source": "SECUNIA", - "url": "http://secunia.com/advisories/59232", - "name": "59232" + "source": "JVNDB", + "url": "http://jvndb.jvn.jp/jvndb/JVNDB-2016-000121", + "name": "JVNDB-2016-000121" }, { "source": "CONFIRM", - "url": "http://tomcat.apache.org/security-7.html", - "name": "http://tomcat.apache.org/security-7.html" + "url": "http://svn.apache.org/viewvc?view=revision&revision=1743742", + "name": "http://svn.apache.org/viewvc?view=revision&revision=1743742" }, { - "source": "CONFIRM", - "url": "http://www-01.ibm.com/support/docview.wss?uid=swg21677724", - "name": "http://www-01.ibm.com/support/docview.wss?uid=swg21677724" + "source": "DEBIAN", + "url": "http://www.debian.org/security/2016/dsa-3611", + "name": "DSA-3611" }, { - "source": "SECUNIA", - "url": "http://secunia.com/advisories/59399", - "name": "59399" + "source": "MLIST", + "url": "https://lists.apache.org/thread.html/388a323769f1dff84c9ec905455aa73fbcb20338e3c7eb131457f708@%3Cdev.tomcat.apache.org%3E", + "name": "[tomcat-dev] 20190325 svn commit: r1856174 [22/29] - in 
/tomcat/site/trunk: docs/ xdocs/ xdocs/stylesheets/" }, { - "source": "CONFIRM", - "url": "http://www.vmware.com/security/advisories/VMSA-2014-0007.html", - "name": "http://www.vmware.com/security/advisories/VMSA-2014-0007.html" + "source": "REDHAT", + "url": "http://rhn.redhat.com/errata/RHSA-2016-2807.html", + "name": "RHSA-2016:2807" }, { "source": "CONFIRM", - "url": "http://www.hitachi.co.jp/Prod/comp/soft1/global/security/info/vuls/HS14-017/index.html", - "name": "http://www.hitachi.co.jp/Prod/comp/soft1/global/security/info/vuls/HS14-017/index.html" + "url": "http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html", + "name": "http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html" + } + ], + "vulnerableSoftware": [ + { + "software": { + "id": "cpe:2.3:a:apache:commons_fileupload:*:*:*:*:*:*:*:*", + "vulnerabilityIdMatched": "true", + "versionEndIncluding": "1.3.1" + } }, { - "source": "CONFIRM", - "url": "http://www-01.ibm.com/support/docview.wss?uid=swg21676092", - "name": "http://www-01.ibm.com/support/docview.wss?uid=swg21676092" + "software": { + "id": "cpe:2.3:a:apache:tomcat:7.0.0:*:*:*:*:*:*:*" + } }, { - "source": "SECUNIA", - "url": "http://secunia.com/advisories/59185", - "name": "59185" + "software": { + "id": "cpe:2.3:a:apache:tomcat:7.0.0:beta:*:*:*:*:*:*" + } }, { - "source": "SECUNIA", - "url": "http://secunia.com/advisories/59187", - "name": "59187" + "software": { + "id": "cpe:2.3:a:apache:tomcat:7.0.1:*:*:*:*:*:*:*" + } }, { - "source": "DEBIAN", - "url": "http://www.debian.org/security/2014/dsa-2856", - "name": "DSA-2856" + "software": { + "id": "cpe:2.3:a:apache:tomcat:7.0.2:*:*:*:*:*:*:*" + } }, { - "source": "UBUNTU", - "url": "http://www.ubuntu.com/usn/USN-2130-1", - "name": "USN-2130-1" + "software": { + "id": "cpe:2.3:a:apache:tomcat:7.0.2:beta:*:*:*:*:*:*" + } }, { - "source": "MISC", - "url": "http://packetstormsecurity.com/files/127215/VMware-Security-Advisory-2014-0007.html", - "name": 
"http://packetstormsecurity.com/files/127215/VMware-Security-Advisory-2014-0007.html" + "software": { + "id": "cpe:2.3:a:apache:tomcat:7.0.4:*:*:*:*:*:*:*" + } }, { - "source": "CONFIRM", - "url": "http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html", - "name": "http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html" + "software": { + "id": "cpe:2.3:a:apache:tomcat:7.0.4:beta:*:*:*:*:*:*" + } }, { - "source": "CONFIRM", - "url": "http://www-01.ibm.com/support/docview.wss?uid=swg21669554", - "name": "http://www-01.ibm.com/support/docview.wss?uid=swg21669554" + "software": { + "id": "cpe:2.3:a:apache:tomcat:7.0.5:*:*:*:*:*:*:*" + } }, { - "source": "MISC", - "url": "http://blog.spiderlabs.com/2014/02/cve-2014-0050-exploit-with-boundaries-loops-without-boundaries.html", - "name": "http://blog.spiderlabs.com/2014/02/cve-2014-0050-exploit-with-boundaries-loops-without-boundaries.html" + "software": { + "id": "cpe:2.3:a:apache:tomcat:7.0.5:beta:*:*:*:*:*:*" + } }, { - "source": "SECUNIA", - "url": "http://secunia.com/advisories/59183", - "name": "59183" + "software": { + "id": "cpe:2.3:a:apache:tomcat:7.0.6:*:*:*:*:*:*:*" + } }, { - "source": "CONFIRM", - "url": "http://www-01.ibm.com/support/docview.wss?uid=swg21676853", - "name": "http://www-01.ibm.com/support/docview.wss?uid=swg21676853" + "software": { + "id": "cpe:2.3:a:apache:tomcat:7.0.8:*:*:*:*:*:*:*" + } }, { - "source": "CONFIRM", - "url": "http://www.oracle.com/technetwork/topics/security/cpuapr2015-2365600.html", - "name": "http://www.oracle.com/technetwork/topics/security/cpuapr2015-2365600.html" + "software": { + "id": "cpe:2.3:a:apache:tomcat:7.0.10:*:*:*:*:*:*:*" + } }, { - "source": "HP", - "url": "http://marc.info/?l=bugtraq&m=143136844732487&w=2", - "name": "HPSBGN03329" + "software": { + "id": "cpe:2.3:a:apache:tomcat:7.0.11:*:*:*:*:*:*:*" + } }, { - "source": "SECUNIA", - "url": "http://secunia.com/advisories/59039", - "name": "59039" + "software": { + "id": 
"cpe:2.3:a:apache:tomcat:7.0.12:*:*:*:*:*:*:*" + } }, { - "source": "CONFIRM", - "url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05390722", - "name": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05390722" + "software": { + "id": "cpe:2.3:a:apache:tomcat:7.0.14:*:*:*:*:*:*:*" + } }, { - "source": "CONFIRM", - "url": "http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html", - "name": "http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html" + "software": { + "id": "cpe:2.3:a:apache:tomcat:7.0.16:*:*:*:*:*:*:*" + } }, { - "source": "CONFIRM", - "url": "http://www.hitachi.co.jp/Prod/comp/soft1/global/security/info/vuls/HS14-015/index.html", - "name": "http://www.hitachi.co.jp/Prod/comp/soft1/global/security/info/vuls/HS14-015/index.html" + "software": { + "id": "cpe:2.3:a:apache:tomcat:7.0.19:*:*:*:*:*:*:*" + } }, { - "source": "BID", - "url": "http://www.securityfocus.com/bid/65400", - "name": "65400" + "software": { + "id": "cpe:2.3:a:apache:tomcat:7.0.20:*:*:*:*:*:*:*" + } }, { - "source": "CONFIRM", - "url": "http://www-01.ibm.com/support/docview.wss?uid=swg21681214", - "name": "http://www-01.ibm.com/support/docview.wss?uid=swg21681214" + "software": { + "id": "cpe:2.3:a:apache:tomcat:7.0.21:*:*:*:*:*:*:*" + } }, { - "source": "CONFIRM", - "url": "http://www.vmware.com/security/advisories/VMSA-2014-0012.html", - "name": "http://www.vmware.com/security/advisories/VMSA-2014-0012.html" + "software": { + "id": "cpe:2.3:a:apache:tomcat:7.0.22:*:*:*:*:*:*:*" + } }, { - "source": "CONFIRM", - "url": "http://www-01.ibm.com/support/docview.wss?uid=swg21676410", - "name": "http://www-01.ibm.com/support/docview.wss?uid=swg21676410" + "software": { + "id": "cpe:2.3:a:apache:tomcat:7.0.23:*:*:*:*:*:*:*" + } }, { - "source": "SECUNIA", - "url": "http://secunia.com/advisories/60475", - "name": "60475" + "software": { + "id": 
"cpe:2.3:a:apache:tomcat:7.0.25:*:*:*:*:*:*:*" + } }, { - "source": "REDHAT", - "url": "http://rhn.redhat.com/errata/RHSA-2014-0253.html", - "name": "RHSA-2014:0253" + "software": { + "id": "cpe:2.3:a:apache:tomcat:7.0.26:*:*:*:*:*:*:*" + } }, { - "source": "MLIST", - "url": "http://mail-archives.apache.org/mod_mbox/commons-dev/201402.mbox/%3C52F373FC.9030907@apache.org%3E", - "name": "[commons-dev] 20140206 [SECURITY] CVE-2014-0050 Apache Commons FileUpload and Apache Tomcat DoS" + "software": { + "id": "cpe:2.3:a:apache:tomcat:7.0.27:*:*:*:*:*:*:*" + } }, { - "source": "CONFIRM", - "url": "http://www.oracle.com/technetwork/topics/security/cpujul2014-1972956.html", - "name": "http://www.oracle.com/technetwork/topics/security/cpujul2014-1972956.html" + "software": { + "id": "cpe:2.3:a:apache:tomcat:7.0.28:*:*:*:*:*:*:*" + } }, { - "source": "REDHAT", - "url": "http://rhn.redhat.com/errata/RHSA-2014-0400.html", - "name": "RHSA-2014:0400" + "software": { + "id": "cpe:2.3:a:apache:tomcat:7.0.29:*:*:*:*:*:*:*" + } }, { - "source": "CONFIRM", - "url": "http://www.vmware.com/security/advisories/VMSA-2014-0008.html", - "name": "http://www.vmware.com/security/advisories/VMSA-2014-0008.html" + "software": { + "id": "cpe:2.3:a:apache:tomcat:7.0.30:*:*:*:*:*:*:*" + } }, { - "source": "OSSINDEX", - "url": "https://ossindex.sonatype.org/vuln/43e6c5a5-b586-4b31-9244-b62b6e36f2d0?component-type=maven&component-name=commons-fileupload.commons-fileupload", - "name": "[CVE-2014-0050] Permissions, Privileges, and Access Controls" + "software": { + "id": "cpe:2.3:a:apache:tomcat:7.0.32:*:*:*:*:*:*:*" + } }, { - "source": "CONFIRM", - "url": "http://tomcat.apache.org/security-8.html", - "name": "http://tomcat.apache.org/security-8.html" + "software": { + "id": "cpe:2.3:a:apache:tomcat:7.0.33:*:*:*:*:*:*:*" + } }, { - "source": "SECUNIA", - "url": "http://secunia.com/advisories/58976", - "name": "58976" + "software": { + "id": "cpe:2.3:a:apache:tomcat:7.0.34:*:*:*:*:*:*:*" + } }, { - 
"source": "CONFIRM", - "url": "http://www.hitachi.co.jp/Prod/comp/soft1/global/security/info/vuls/HS14-016/index.html", - "name": "http://www.hitachi.co.jp/Prod/comp/soft1/global/security/info/vuls/HS14-016/index.html" + "software": { + "id": "cpe:2.3:a:apache:tomcat:7.0.35:*:*:*:*:*:*:*" + } }, { - "source": "MANDRIVA", - "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2015:084", - "name": "MDVSA-2015:084" + "software": { + "id": "cpe:2.3:a:apache:tomcat:7.0.37:*:*:*:*:*:*:*" + } }, { - "source": "CONFIRM", - "url": "http://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html", - "name": "http://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html" + "software": { + "id": "cpe:2.3:a:apache:tomcat:7.0.39:*:*:*:*:*:*:*" + } }, { - "source": "SECUNIA", - "url": "http://secunia.com/advisories/59184", - "name": "59184" + "software": { + "id": "cpe:2.3:a:apache:tomcat:7.0.40:*:*:*:*:*:*:*" + } }, { - "source": "SECUNIA", - "url": "http://secunia.com/advisories/59041", - "name": "59041" + "software": { + "id": "cpe:2.3:a:apache:tomcat:7.0.41:*:*:*:*:*:*:*" + } }, { - "source": "SECUNIA", - "url": "http://secunia.com/advisories/57915", - "name": "57915" + "software": { + "id": "cpe:2.3:a:apache:tomcat:7.0.42:*:*:*:*:*:*:*" + } }, { - "source": "CONFIRM", - "url": "http://advisories.mageia.org/MGASA-2014-0110.html", - "name": "http://advisories.mageia.org/MGASA-2014-0110.html" + "software": { + "id": "cpe:2.3:a:apache:tomcat:7.0.47:*:*:*:*:*:*:*" + } }, { - "source": "CONFIRM", - "url": "http://www-01.ibm.com/support/docview.wss?uid=swg21676405", - "name": "http://www-01.ibm.com/support/docview.wss?uid=swg21676405" + "software": { + "id": "cpe:2.3:a:apache:tomcat:7.0.50:*:*:*:*:*:*:*" + } }, { - "source": "JVNDB", - "url": "http://jvndb.jvn.jp/jvndb/JVNDB-2014-000017", - "name": "JVNDB-2014-000017" + "software": { + "id": "cpe:2.3:a:apache:tomcat:7.0.52:*:*:*:*:*:*:*" + } }, { - "source": "SECUNIA", - "url": 
"http://secunia.com/advisories/59492", - "name": "59492" + "software": { + "id": "cpe:2.3:a:apache:tomcat:7.0.53:*:*:*:*:*:*:*" + } }, { - "source": "CONFIRM", - "url": "http://www-01.ibm.com/support/docview.wss?uid=swg21675432", - "name": "http://www-01.ibm.com/support/docview.wss?uid=swg21675432" + "software": { + "id": "cpe:2.3:a:apache:tomcat:7.0.54:*:*:*:*:*:*:*" + } }, { - "source": "BUGTRAQ", - "url": "http://www.securityfocus.com/archive/1/532549/100/0/threaded", - "name": "20140625 NEW VMSA-2014-0007 - VMware product updates address security vulnerabilities in Apache Struts library" + "software": { + "id": "cpe:2.3:a:apache:tomcat:7.0.55:*:*:*:*:*:*:*" + } }, { - "source": "CONFIRM", - "url": "http://www.oracle.com/technetwork/topics/security/cpuoct2014-1972960.html", - "name": "http://www.oracle.com/technetwork/topics/security/cpuoct2014-1972960.html" + "software": { + "id": "cpe:2.3:a:apache:tomcat:7.0.56:*:*:*:*:*:*:*" + } }, { - "source": "BUGTRAQ", - "url": "http://www.securityfocus.com/archive/1/534161/100/0/threaded", - "name": "20141205 NEW: VMSA-2014-0012 - VMware vSphere product updates address security vulnerabilities" + "software": { + "id": "cpe:2.3:a:apache:tomcat:7.0.57:*:*:*:*:*:*:*" + } }, { - "source": "CONFIRM", - "url": "http://www-01.ibm.com/support/docview.wss?uid=swg21677691", - "name": "http://www-01.ibm.com/support/docview.wss?uid=swg21677691" + "software": { + "id": "cpe:2.3:a:apache:tomcat:7.0.59:*:*:*:*:*:*:*" + } }, { - "source": "CONFIRM", - "url": "http://www-01.ibm.com/support/docview.wss?uid=swg21676401", - "name": "http://www-01.ibm.com/support/docview.wss?uid=swg21676401" + "software": { + "id": "cpe:2.3:a:apache:tomcat:7.0.61:*:*:*:*:*:*:*" + } }, { - "source": "SECUNIA", - "url": "http://secunia.com/advisories/60753", - "name": "60753" + "software": { + "id": "cpe:2.3:a:apache:tomcat:7.0.62:*:*:*:*:*:*:*" + } }, { - "source": "CONFIRM", - "url": 
"http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html", - "name": "http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html" + "software": { + "id": "cpe:2.3:a:apache:tomcat:7.0.63:*:*:*:*:*:*:*" + } }, { - "source": "CONFIRM", - "url": "http://svn.apache.org/r1565143", - "name": "http://svn.apache.org/r1565143" + "software": { + "id": "cpe:2.3:a:apache:tomcat:7.0.64:*:*:*:*:*:*:*" + } }, { - "source": "SECUNIA", - "url": "http://secunia.com/advisories/59725", - "name": "59725" + "software": { + "id": "cpe:2.3:a:apache:tomcat:7.0.65:*:*:*:*:*:*:*" + } }, { - "source": "CONFIRM", - "url": "http://www-01.ibm.com/support/docview.wss?uid=swg21676656", - "name": "http://www-01.ibm.com/support/docview.wss?uid=swg21676656" + "software": { + "id": "cpe:2.3:a:apache:tomcat:7.0.67:*:*:*:*:*:*:*" + } }, { - "source": "CONFIRM", - "url": "http://www.huawei.com/en/security/psirt/security-bulletins/security-advisories/hw-350733.htm", - "name": "http://www.huawei.com/en/security/psirt/security-bulletins/security-advisories/hw-350733.htm" + "software": { + "id": "cpe:2.3:a:apache:tomcat:7.0.68:*:*:*:*:*:*:*" + } }, { - "source": "CONFIRM", - "url": "http://www-01.ibm.com/support/docview.wss?uid=swg21676091", - "name": "http://www-01.ibm.com/support/docview.wss?uid=swg21676091" + "software": { + "id": "cpe:2.3:a:apache:tomcat:7.0.69:*:*:*:*:*:*:*" + } }, { - "source": "CONFIRM", - "url": "http://www-01.ibm.com/support/docview.wss?uid=swg21676403", - "name": "http://www-01.ibm.com/support/docview.wss?uid=swg21676403" + "software": { + "id": "cpe:2.3:a:apache:tomcat:8.0.0:rc1:*:*:*:*:*:*" + } }, { - "source": "CONFIRM", - "url": "http://www.oracle.com/technetwork/topics/security/cpujan2016-2367955.html", - "name": "http://www.oracle.com/technetwork/topics/security/cpujan2016-2367955.html" - } - ], - "vulnerableSoftware": [ + "software": { + "id": "cpe:2.3:a:apache:tomcat:8.0.0:rc10:*:*:*:*:*:*" + } + }, { "software": { - "id": 
"cpe:2.3:a:apache:tomcat:7.0.28:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:apache:tomcat:8.0.0:rc2:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:apache:tomcat:8.0.1:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:apache:tomcat:8.0.0:rc5:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:apache:tomcat:7.0.8:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:apache:tomcat:8.0.1:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:apache:tomcat:7.0.25:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:apache:tomcat:8.0.3:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:apache:tomcat:7.0.11:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:apache:tomcat:8.0.5:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:apache:tomcat:7.0.5:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:apache:tomcat:8.0.8:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:apache:tomcat:7.0.50:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:apache:tomcat:8.0.11:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:apache:tomcat:7.0.2:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:apache:tomcat:8.0.12:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:apache:tomcat:7.0.14:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:apache:tomcat:8.0.14:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:oracle:retail_applications:13.3:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:apache:tomcat:8.0.15:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:apache:tomcat:7.0.22:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:apache:tomcat:8.0.17:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:apache:commons_fileupload:1.2.1:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:apache:tomcat:8.0.18:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:apache:tomcat:7.0.17:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:apache:tomcat:8.0.20:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:apache:commons_fileupload:1.0:*:*:*:*:*:*:*", - "vulnerabilityIdMatched": "true" + "id": "cpe:2.3:a:apache:tomcat:8.0.21:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:apache:tomcat:7.0.39:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:apache:tomcat:8.0.22:*:*:*:*:*:*:*" } 
}, { "software": { - "id": "cpe:2.3:a:apache:commons_fileupload:*:*:*:*:*:*:*:*", - "versionEndIncluding": "1.3" + "id": "cpe:2.3:a:apache:tomcat:8.0.23:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:apache:commons_fileupload:1.2:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:apache:tomcat:8.0.24:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:apache:tomcat:7.0.2:beta:*:*:*:*:*:*" + "id": "cpe:2.3:a:apache:tomcat:8.0.26:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:apache:tomcat:7.0.45:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:apache:tomcat:8.0.27:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:apache:tomcat:7.0.33:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:apache:tomcat:8.0.28:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:apache:tomcat:7.0.0:beta:*:*:*:*:*:*" + "id": "cpe:2.3:a:apache:tomcat:8.0.29:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:oracle:retail_applications:13.4:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:apache:tomcat:8.0.30:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:apache:tomcat:7.0.13:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:apache:tomcat:8.0.32:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:apache:tomcat:7.0.44:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:apache:tomcat:8.0.33:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:apache:tomcat:7.0.3:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:apache:tomcat:8.0.35:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:apache:tomcat:7.0.37:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:apache:tomcat:8.5.0:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:apache:tomcat:7.0.20:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:apache:tomcat:8.5.2:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:apache:tomcat:7.0.41:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:apache:tomcat:9.0.0:m1:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:apache:tomcat:7.0.6:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:apache:tomcat:9.0.0:m3:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:apache:tomcat:7.0.34:*:*:*:*:*:*:*" + "id": 
"cpe:2.3:a:apache:tomcat:9.0.0:m4:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:apache:tomcat:7.0.10:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:apache:tomcat:9.0.0:m6:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:apache:tomcat:7.0.29:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:hp:icewall_identity_manager:5.0:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:apache:tomcat:7.0.36:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:hp:icewall_sso_agent_option:10.0:*:*:*:*:*:*:*" } + } + ] + }, + { + "source": "NVD", + "name": "CVE-2013-0248", + "severity": "LOW", + "cvssv2": { + "score": 3.3, + "accessVector": "LOCAL", + "accessComplexity": "MEDIUM", + "authenticationr": "NONE", + "confidentialImpact": "NONE", + "integrityImpact": "PARTIAL", + "availabilityImpact": "PARTIAL", + "severity": "LOW", + "version": "2.0", + "exploitabilityScore": "3.4", + "impactScore": "4.9" + }, + "cwes": [ + "CWE-264" + ], + "description": "The default configuration of javax.servlet.context.tempdir in Apache Commons FileUpload 1.0 through 1.2.2 uses the /tmp directory for uploaded files, which allows local users to overwrite arbitrary files via an unspecified symlink attack.", + "notes": "", + "references": [ + { + "source": "OSVDB", + "url": "http://www.osvdb.org/90906", + "name": "90906" }, { - "software": { - "id": "cpe:2.3:a:apache:tomcat:7.0.4:*:*:*:*:*:*:*" - } + "source": "HP", + "url": "http://marc.info/?l=bugtraq&m=144050155601375&w=2", + "name": "HPSBMU03409" }, { - "software": { - "id": "cpe:2.3:a:apache:tomcat:7.0.12:*:*:*:*:*:*:*" - } + "source": "OSSIndex", + "url": "http://securitytracker.com/id/1028252", + "name": "http://securitytracker.com/id/1028252" }, { - "software": { - "id": "cpe:2.3:a:oracle:retail_applications:12.0in:*:*:*:*:*:*:*" - } + "source": "OSSINDEX", + "url": "https://ossindex.sonatype.org/vulnerability/CVE-2013-0248?component-type=maven&component-name=commons-fileupload%2Fcommons-fileupload&utm_source=dependency-check&utm_medium=integration&utm_content=8.0.2", + "name": 
"[CVE-2013-0248] CWE-264: Permissions, Privileges, and Access Controls" }, { - "software": { - "id": "cpe:2.3:a:oracle:retail_applications:13.0:*:*:*:*:*:*:*" - } + "source": "BUGTRAQ", + "url": "http://archives.neohapsis.com/archives/bugtraq/2013-03/0035.html", + "name": "20130306 [SECURITY] CVE-2013-0248 Apache Commons FileUpload - Insecure examples" }, { - "software": { - "id": "cpe:2.3:a:oracle:retail_applications:13.2:*:*:*:*:*:*:*" - } + "source": "CONFIRM", + "url": "http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html", + "name": "http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html" }, { - "software": { - "id": "cpe:2.3:a:apache:tomcat:8.0.0:rc10:*:*:*:*:*:*" - } + "source": "OSSIndex", + "url": "http://archives.neohapsis.com/archives/bugtraq/2013-03/0035.html", + "name": "http://archives.neohapsis.com/archives/bugtraq/2013-03/0035.html" }, { - "software": { - "id": "cpe:2.3:a:apache:tomcat:7.0.42:*:*:*:*:*:*:*" - } + "source": "BID", + "url": "http://www.securityfocus.com/bid/58326", + "name": "58326" }, { - "software": { - "id": "cpe:2.3:a:oracle:retail_applications:13.1:*:*:*:*:*:*:*" - } + "source": "OSSIndex", + "url": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0248", + "name": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0248" }, { - "software": { - "id": "cpe:2.3:a:apache:tomcat:7.0.32:*:*:*:*:*:*:*" - } - }, + "source": "GENTOO", + "url": "https://security.gentoo.org/glsa/202107-39", + "name": "GLSA-202107-39" + } + ], + "vulnerableSoftware": [ { "software": { - "id": "cpe:2.3:a:apache:tomcat:7.0.46:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:apache:commons_fileupload:1.0:*:*:*:*:*:*:*", + "vulnerabilityIdMatched": "true" } }, { "software": { - "id": "cpe:2.3:a:apache:tomcat:7.0.38:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:apache:commons_fileupload:1.1:*:*:*:*:*:*:*" } }, { 
@@ -3056,1036 +5148,1822 @@ }, { "software": { - "id": "cpe:2.3:a:apache:tomcat:8.0.0:rc1:*:*:*:*:*:*" + "id": "cpe:2.3:a:apache:commons_fileupload:1.2:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:apache:tomcat:7.0.43:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:apache:commons_fileupload:1.2.1:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:apache:tomcat:7.0.35:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:apache:commons_fileupload:1.2.2:*:*:*:*:*:*:*" } - }, + } + ] + } + ] + }, + { + "isVirtual": false, + "fileName": "commons-io-2.4.jar", + "filePath": "/to/path/commons-io/commons-io/2.4/commons-io-2.4.jar", + "md5": "7f97854dc04c119d461fed14f5d8bb96", + "sha1": "b1b6ea3b7e4aa4f492509a4952029cd8e48019ad", + "sha256": "cc6a41dc3eaacc9e440a6bd0d2890b20d36b4ee408fe2d67122f328bb6e01581", + "description": "\nThe Commons IO library contains utility classes, stream implementations, file filters, \nfile comparators, endian transformation classes, and much more.\n ", + "license": "http://www.apache.org/licenses/LICENSE-2.0.txt", + "projectReferences": [ + "module3:compile" + ], + "includedBy": [ + { + "reference": "pkg:maven/com.example/module3@1.0.0" + } + ], + "evidenceCollected": { + "vendorEvidence": [ + { + "type": "vendor", + "confidence": "HIGH", + "source": "file", + "name": "name", + "value": "commons-io" + }, + { + "type": "vendor", + "confidence": "HIGHEST", + "source": "jar", + "name": "package name", + "value": "apache" + }, + { + "type": "vendor", + "confidence": "HIGHEST", + "source": "jar", + "name": "package name", + "value": "commons" + }, + { + "type": "vendor", + "confidence": "HIGHEST", + "source": "jar", + "name": "package name", + "value": "io" + }, + { + "type": "vendor", + "confidence": "LOW", + "source": "Manifest", + "name": "bundle-docurl", + "value": "http://commons.apache.org/io/" + }, + { + "type": "vendor", + "confidence": "MEDIUM", + "source": "Manifest", + "name": "bundle-symbolicname", + "value": "org.apache.commons.io" + }, + { + "type": 
"vendor", + "confidence": "LOW", + "source": "Manifest", + "name": "implementation-build", + "value": "tags/2.4-RC2@r1349569; 2012-06-12 18:18:20-0400" + }, + { + "type": "vendor", + "confidence": "HIGH", + "source": "Manifest", + "name": "Implementation-Vendor", + "value": "The Apache Software Foundation" + }, + { + "type": "vendor", + "confidence": "MEDIUM", + "source": "Manifest", + "name": "Implementation-Vendor-Id", + "value": "org.apache" + }, + { + "type": "vendor", + "confidence": "LOW", + "source": "Manifest", + "name": "specification-vendor", + "value": "The Apache Software Foundation" + }, + { + "type": "vendor", + "confidence": "HIGHEST", + "source": "pom", + "name": "artifactid", + "value": "commons-io" + }, + { + "type": "vendor", + "confidence": "LOW", + "source": "pom", + "name": "artifactid", + "value": "commons-io" + }, + { + "type": "vendor", + "confidence": "LOW", + "source": "pom", + "name": "developer email", + "value": "bayard@apache.org" + }, + { + "type": "vendor", + "confidence": "LOW", + "source": "pom", + "name": "developer email", + "value": "dion@apache.org" + }, + { + "type": "vendor", + "confidence": "LOW", + "source": "pom", + "name": "developer email", + "value": "ggregory@apache.org" + }, + { + "type": "vendor", + "confidence": "LOW", + "source": "pom", + "name": "developer email", + "value": "jeremias@apache.org" + }, + { + "type": "vendor", + "confidence": "LOW", + "source": "pom", + "name": "developer email", + "value": "jochen.wiedmann@gmail.com" + }, + { + "type": "vendor", + "confidence": "LOW", + "source": "pom", + "name": "developer email", + "value": "martinc@apache.org" + }, + { + "type": "vendor", + "confidence": "LOW", + "source": "pom", + "name": "developer email", + "value": "matth@apache.org" + }, + { + "type": "vendor", + "confidence": "LOW", + "source": "pom", + "name": "developer email", + "value": "nicolaken@apache.org" + }, + { + "type": "vendor", + "confidence": "LOW", + "source": "pom", + "name": "developer 
email", + "value": "roxspring@apache.org" + }, + { + "type": "vendor", + "confidence": "LOW", + "source": "pom", + "name": "developer email", + "value": "sanders@apache.org" + }, + { + "type": "vendor", + "confidence": "MEDIUM", + "source": "pom", + "name": "developer id", + "value": "bayard" + }, + { + "type": "vendor", + "confidence": "MEDIUM", + "source": "pom", + "name": "developer id", + "value": "dion" + }, + { + "type": "vendor", + "confidence": "MEDIUM", + "source": "pom", + "name": "developer id", + "value": "ggregory" + }, + { + "type": "vendor", + "confidence": "MEDIUM", + "source": "pom", + "name": "developer id", + "value": "jeremias" + }, + { + "type": "vendor", + "confidence": "MEDIUM", + "source": "pom", + "name": "developer id", + "value": "jochen" + }, + { + "type": "vendor", + "confidence": "MEDIUM", + "source": "pom", + "name": "developer id", + "value": "jukka" + }, + { + "type": "vendor", + "confidence": "MEDIUM", + "source": "pom", + "name": "developer id", + "value": "martinc" + }, + { + "type": "vendor", + "confidence": "MEDIUM", + "source": "pom", + "name": "developer id", + "value": "matth" + }, + { + "type": "vendor", + "confidence": "MEDIUM", + "source": "pom", + "name": "developer id", + "value": "niallp" + }, + { + "type": "vendor", + "confidence": "MEDIUM", + "source": "pom", + "name": "developer id", + "value": "nicolaken" + }, + { + "type": "vendor", + "confidence": "MEDIUM", + "source": "pom", + "name": "developer id", + "value": "roxspring" + }, + { + "type": "vendor", + "confidence": "MEDIUM", + "source": "pom", + "name": "developer id", + "value": "sanders" + }, + { + "type": "vendor", + "confidence": "MEDIUM", + "source": "pom", + "name": "developer id", + "value": "scolebourne" + }, + { + "type": "vendor", + "confidence": "MEDIUM", + "source": "pom", + "name": "developer name", + "value": "dIon Gillard" + }, + { + "type": "vendor", + "confidence": "MEDIUM", + "source": "pom", + "name": "developer name", + "value": "Gary 
Gregory" + }, + { + "type": "vendor", + "confidence": "MEDIUM", + "source": "pom", + "name": "developer name", + "value": "Henri Yandell" + }, + { + "type": "vendor", + "confidence": "MEDIUM", + "source": "pom", + "name": "developer name", + "value": "Jeremias Maerki" + }, + { + "type": "vendor", + "confidence": "MEDIUM", + "source": "pom", + "name": "developer name", + "value": "Jochen Wiedmann" + }, + { + "type": "vendor", + "confidence": "MEDIUM", + "source": "pom", + "name": "developer name", + "value": "Jukka Zitting" + }, + { + "type": "vendor", + "confidence": "MEDIUM", + "source": "pom", + "name": "developer name", + "value": "Martin Cooper" + }, + { + "type": "vendor", + "confidence": "MEDIUM", + "source": "pom", + "name": "developer name", + "value": "Matthew Hawthorne" + }, + { + "type": "vendor", + "confidence": "MEDIUM", + "source": "pom", + "name": "developer name", + "value": "Niall Pemberton" + }, + { + "type": "vendor", + "confidence": "MEDIUM", + "source": "pom", + "name": "developer name", + "value": "Nicola Ken Barozzi" + }, + { + "type": "vendor", + "confidence": "MEDIUM", + "source": "pom", + "name": "developer name", + "value": "Rob Oxspring" + }, + { + "type": "vendor", + "confidence": "MEDIUM", + "source": "pom", + "name": "developer name", + "value": "Scott Sanders" + }, + { + "type": "vendor", + "confidence": "MEDIUM", + "source": "pom", + "name": "developer name", + "value": "Stephen Colebourne" + }, + { + "type": "vendor", + "confidence": "HIGHEST", + "source": "pom", + "name": "groupid", + "value": "commons-io" + }, + { + "type": "vendor", + "confidence": "HIGH", + "source": "pom", + "name": "name", + "value": "Commons IO" + }, + { + "type": "vendor", + "confidence": "LOW", + "source": "pom", + "name": "parent-artifactid", + "value": "commons-parent" + }, + { + "type": "vendor", + "confidence": "MEDIUM", + "source": "pom", + "name": "parent-groupid", + "value": "org.apache.commons" + }, + { + "type": "vendor", + "confidence": 
"HIGHEST", + "source": "pom", + "name": "url", + "value": "http://commons.apache.org/io/" + } + ], + "productEvidence": [ + { + "type": "product", + "confidence": "HIGH", + "source": "file", + "name": "name", + "value": "commons-io" + }, + { + "type": "product", + "confidence": "HIGHEST", + "source": "jar", + "name": "package name", + "value": "apache" + }, + { + "type": "product", + "confidence": "HIGHEST", + "source": "jar", + "name": "package name", + "value": "commons" + }, + { + "type": "product", + "confidence": "HIGHEST", + "source": "jar", + "name": "package name", + "value": "io" + }, + { + "type": "product", + "confidence": "LOW", + "source": "Manifest", + "name": "bundle-docurl", + "value": "http://commons.apache.org/io/" + }, + { + "type": "product", + "confidence": "MEDIUM", + "source": "Manifest", + "name": "Bundle-Name", + "value": "Commons IO" + }, + { + "type": "product", + "confidence": "MEDIUM", + "source": "Manifest", + "name": "bundle-symbolicname", + "value": "org.apache.commons.io" + }, + { + "type": "product", + "confidence": "LOW", + "source": "Manifest", + "name": "implementation-build", + "value": "tags/2.4-RC2@r1349569; 2012-06-12 18:18:20-0400" + }, + { + "type": "product", + "confidence": "HIGH", + "source": "Manifest", + "name": "Implementation-Title", + "value": "Commons IO" + }, + { + "type": "product", + "confidence": "MEDIUM", + "source": "Manifest", + "name": "specification-title", + "value": "Commons IO" + }, + { + "type": "product", + "confidence": "HIGHEST", + "source": "pom", + "name": "artifactid", + "value": "commons-io" + }, + { + "type": "product", + "confidence": "LOW", + "source": "pom", + "name": "developer email", + "value": "bayard@apache.org" + }, + { + "type": "product", + "confidence": "LOW", + "source": "pom", + "name": "developer email", + "value": "dion@apache.org" + }, + { + "type": "product", + "confidence": "LOW", + "source": "pom", + "name": "developer email", + "value": "ggregory@apache.org" + }, + { + 
"type": "product", + "confidence": "LOW", + "source": "pom", + "name": "developer email", + "value": "jeremias@apache.org" + }, + { + "type": "product", + "confidence": "LOW", + "source": "pom", + "name": "developer email", + "value": "jochen.wiedmann@gmail.com" + }, + { + "type": "product", + "confidence": "LOW", + "source": "pom", + "name": "developer email", + "value": "martinc@apache.org" + }, + { + "type": "product", + "confidence": "LOW", + "source": "pom", + "name": "developer email", + "value": "matth@apache.org" + }, + { + "type": "product", + "confidence": "LOW", + "source": "pom", + "name": "developer email", + "value": "nicolaken@apache.org" + }, + { + "type": "product", + "confidence": "LOW", + "source": "pom", + "name": "developer email", + "value": "roxspring@apache.org" + }, + { + "type": "product", + "confidence": "LOW", + "source": "pom", + "name": "developer email", + "value": "sanders@apache.org" + }, + { + "type": "product", + "confidence": "LOW", + "source": "pom", + "name": "developer id", + "value": "bayard" + }, + { + "type": "product", + "confidence": "LOW", + "source": "pom", + "name": "developer id", + "value": "dion" + }, + { + "type": "product", + "confidence": "LOW", + "source": "pom", + "name": "developer id", + "value": "ggregory" + }, + { + "type": "product", + "confidence": "LOW", + "source": "pom", + "name": "developer id", + "value": "jeremias" + }, + { + "type": "product", + "confidence": "LOW", + "source": "pom", + "name": "developer id", + "value": "jochen" + }, + { + "type": "product", + "confidence": "LOW", + "source": "pom", + "name": "developer id", + "value": "jukka" + }, + { + "type": "product", + "confidence": "LOW", + "source": "pom", + "name": "developer id", + "value": "martinc" + }, + { + "type": "product", + "confidence": "LOW", + "source": "pom", + "name": "developer id", + "value": "matth" + }, + { + "type": "product", + "confidence": "LOW", + "source": "pom", + "name": "developer id", + "value": "niallp" + }, + 
{ + "type": "product", + "confidence": "LOW", + "source": "pom", + "name": "developer id", + "value": "nicolaken" + }, + { + "type": "product", + "confidence": "LOW", + "source": "pom", + "name": "developer id", + "value": "roxspring" + }, + { + "type": "product", + "confidence": "LOW", + "source": "pom", + "name": "developer id", + "value": "sanders" + }, + { + "type": "product", + "confidence": "LOW", + "source": "pom", + "name": "developer id", + "value": "scolebourne" + }, + { + "type": "product", + "confidence": "LOW", + "source": "pom", + "name": "developer name", + "value": "dIon Gillard" + }, + { + "type": "product", + "confidence": "LOW", + "source": "pom", + "name": "developer name", + "value": "Gary Gregory" + }, + { + "type": "product", + "confidence": "LOW", + "source": "pom", + "name": "developer name", + "value": "Henri Yandell" + }, + { + "type": "product", + "confidence": "LOW", + "source": "pom", + "name": "developer name", + "value": "Jeremias Maerki" + }, + { + "type": "product", + "confidence": "LOW", + "source": "pom", + "name": "developer name", + "value": "Jochen Wiedmann" + }, + { + "type": "product", + "confidence": "LOW", + "source": "pom", + "name": "developer name", + "value": "Jukka Zitting" + }, + { + "type": "product", + "confidence": "LOW", + "source": "pom", + "name": "developer name", + "value": "Martin Cooper" + }, + { + "type": "product", + "confidence": "LOW", + "source": "pom", + "name": "developer name", + "value": "Matthew Hawthorne" + }, + { + "type": "product", + "confidence": "LOW", + "source": "pom", + "name": "developer name", + "value": "Niall Pemberton" + }, + { + "type": "product", + "confidence": "LOW", + "source": "pom", + "name": "developer name", + "value": "Nicola Ken Barozzi" + }, + { + "type": "product", + "confidence": "LOW", + "source": "pom", + "name": "developer name", + "value": "Rob Oxspring" + }, + { + "type": "product", + "confidence": "LOW", + "source": "pom", + "name": "developer name", + "value": 
"Scott Sanders" + }, + { + "type": "product", + "confidence": "LOW", + "source": "pom", + "name": "developer name", + "value": "Stephen Colebourne" + }, + { + "type": "product", + "confidence": "HIGHEST", + "source": "pom", + "name": "groupid", + "value": "commons-io" + }, + { + "type": "product", + "confidence": "HIGH", + "source": "pom", + "name": "name", + "value": "Commons IO" + }, + { + "type": "product", + "confidence": "MEDIUM", + "source": "pom", + "name": "parent-artifactid", + "value": "commons-parent" + }, + { + "type": "product", + "confidence": "MEDIUM", + "source": "pom", + "name": "parent-groupid", + "value": "org.apache.commons" + }, + { + "type": "product", + "confidence": "MEDIUM", + "source": "pom", + "name": "url", + "value": "http://commons.apache.org/io/" + } + ], + "versionEvidence": [ + { + "type": "version", + "confidence": "HIGH", + "source": "file", + "name": "version", + "value": "2.4" + }, + { + "type": "version", + "confidence": "HIGH", + "source": "Manifest", + "name": "Implementation-Version", + "value": "2.4" + }, + { + "type": "version", + "confidence": "LOW", + "source": "pom", + "name": "parent-version", + "value": "2.4" + }, + { + "type": "version", + "confidence": "HIGHEST", + "source": "pom", + "name": "version", + "value": "2.4" + } + ] + }, + "packages": [ + { + "id": "pkg:maven/commons-io/commons-io@2.4", + "confidence": "HIGH", + "url": "https://ossindex.sonatype.org/component/pkg:maven/commons-io/commons-io@2.4?utm_source=dependency-check&utm_medium=integration&utm_content=8.0.2" + } + ], + "vulnerabilityIds": [ + { + "id": "cpe:2.3:a:apache:commons_io:2.4:*:*:*:*:*:*:*", + "confidence": "HIGHEST", + "url": "https://nvd.nist.gov/vuln/search/results?form_type=Advanced&results_type=overview&search_type=all&cpe_vendor=cpe%3A%2F%3Aapache&cpe_product=cpe%3A%2F%3Aapache%3Acommons_io&cpe_version=cpe%3A%2F%3Aapache%3Acommons_io%3A2.4" + } + ], + "vulnerabilities": [ + { + "source": "NVD", + "name": "CVE-2021-29425", + "severity": 
"MEDIUM", + "cvssv2": { + "score": 5.8, + "accessVector": "NETWORK", + "accessComplexity": "MEDIUM", + "authenticationr": "NONE", + "confidentialImpact": "PARTIAL", + "integrityImpact": "PARTIAL", + "availabilityImpact": "NONE", + "severity": "MEDIUM", + "version": "2.0", + "exploitabilityScore": "8.6", + "impactScore": "4.9" + }, + "cvssv3": { + "baseScore": 4.8, + "attackVector": "NETWORK", + "attackComplexity": "HIGH", + "privilegesRequired": "NONE", + "userInteraction": "NONE", + "scope": "UNCHANGED", + "confidentialityImpact": "LOW", + "integrityImpact": "LOW", + "availabilityImpact": "NONE", + "baseSeverity": "MEDIUM", + "exploitabilityScore": "2.2", + "impactScore": "2.5", + "version": "3.1" + }, + "cwes": [ + "CWE-22" + ], + "description": "In Apache Commons IO before 2.7, When invoking the method FileNameUtils.normalize with an improper input string, like \"//../foo\", or \"\\\\..\\foo\", the result would be the same value, thus possibly providing access to files in the parent directory, but not further above (thus \"limited\" path traversal), if the calling code would use the result to construct a path value.", + "notes": "", + "references": [ { - "software": { - "id": "cpe:2.3:a:apache:tomcat:7.0.40:*:*:*:*:*:*:*" - } + "source": "MLIST", + "url": "https://lists.apache.org/thread.html/r20416f39ca7f7344e7d76fe4d7063bb1d91ad106926626e7e83fb346@%3Cnotifications.zookeeper.apache.org%3E", + "name": "[zookeeper-notifications] 20210825 [GitHub] [zookeeper] ztzg commented on pull request #1735: ZOOKEEPER-4343: Bump commons-io to version 2.11 (avoids CVE-2021-29425)" }, { - "software": { - "id": "cpe:2.3:a:apache:tomcat:7.0.4:beta:*:*:*:*:*:*" - } + "source": "MISC", + "url": "https://www.oracle.com/security-alerts/cpuapr2022.html", + "name": "https://www.oracle.com/security-alerts/cpuapr2022.html" }, { - "software": { - "id": "cpe:2.3:a:apache:tomcat:7.0.7:*:*:*:*:*:*:*" - } + "source": "MLIST", + "url": 
"https://lists.apache.org/thread.html/r462db908acc1e37c455e11b1a25992b81efd18e641e7e0ceb1b6e046@%3Cnotifications.zookeeper.apache.org%3E", + "name": "[zookeeper-notifications] 20210901 [GitHub] [zookeeper] ztzg closed pull request #1735: ZOOKEEPER-4343: Bump commons-io to version 2.11 (avoids CVE-2021-29425)" }, { - "software": { - "id": "cpe:2.3:a:apache:tomcat:7.0.21:*:*:*:*:*:*:*" - } + "source": "MLIST", + "url": "https://lists.apache.org/thread.html/raa053846cae9d497606027816ae87b4e002b2e0eb66cb0dee710e1f5@%3Cdev.creadur.apache.org%3E", + "name": "[creadur-dev] 20210427 [jira] [Created] (RAT-281) Update commons-io to fix CVE-2021-29425 Moderate severity" }, { - "software": { - "id": "cpe:2.3:a:oracle:retail_applications:12.0:*:*:*:*:*:*:*" - } + "source": "MLIST", + "url": "https://lists.apache.org/thread.html/rbebd3e19651baa7a4a5503a9901c95989df9d40602c8e35cb05d3eb5@%3Cdev.creadur.apache.org%3E", + "name": "[creadur-dev] 20210518 [jira] [Assigned] (WHISKER-19) Update commons-io to fix CVE-2021-29425" }, { - "software": { - "id": "cpe:2.3:a:oracle:retail_applications:14.0:*:*:*:*:*:*:*" - } + "source": "MLIST", + "url": "https://lists.apache.org/thread.html/r0bfa8f7921abdfae788b1f076a12f73a92c93cc0a6e1083bce0027c5@%3Cnotifications.zookeeper.apache.org%3E", + "name": "[zookeeper-notifications] 20210825 [GitHub] [zookeeper] ztzg edited a comment on pull request #1735: ZOOKEEPER-4343: Bump commons-io to version 2.11 (avoids CVE-2021-29425)" }, { - "software": { - "id": "cpe:2.3:a:apache:tomcat:8.0.0:rc5:*:*:*:*:*:*" - } + "source": "MLIST", + "url": "https://lists.apache.org/thread.html/rfd01af05babc95b8949e6d8ea78d9834699e1b06981040dde419a330@%3Cdev.commons.apache.org%3E", + "name": "[commons-dev] 20210414 Re: [all] OSS Fuzz" }, { - "software": { - "id": "cpe:2.3:a:apache:tomcat:7.0.1:*:*:*:*:*:*:*" - } + "source": "MLIST", + "url": "https://lists.apache.org/thread.html/r8569a41d565ca880a4dee0e645dad1cd17ab4a92e68055ad9ebb7375@%3Cdev.creadur.apache.org%3E", + 
"name": "[creadur-dev] 20210427 [jira] [Commented] (RAT-281) Update commons-io to fix CVE-2021-29425 Moderate severity" }, { - "software": { - "id": "cpe:2.3:a:apache:tomcat:7.0.27:*:*:*:*:*:*:*" - } + "source": "MLIST", + "url": "https://lists.apache.org/thread.html/rc65f9bc679feffe4589ea0981ee98bc0af9139470f077a91580eeee0@%3Cpluto-dev.portals.apache.org%3E", + "name": "[portals-pluto-dev] 20210714 [jira] [Closed] (PLUTO-789) Upgrade to commons-io-2.7 due to CVE-2021-29425" }, { - "software": { - "id": "cpe:2.3:a:apache:commons_fileupload:1.2.2:*:*:*:*:*:*:*" - } + "source": "OSSIndex", + "url": "https://github.com/apache/commons-io/pull/52", + "name": "https://github.com/apache/commons-io/pull/52" }, { - "software": { - "id": "cpe:2.3:a:apache:commons_fileupload:1.1:*:*:*:*:*:*:*" - } + "source": "MLIST", + "url": "https://lists.apache.org/thread.html/r5149f78be265be69d34eacb4e4b0fc7c9c697bcdfa91a1c1658d717b@%3Cissues.zookeeper.apache.org%3E", + "name": "[zookeeper-issues] 20210901 [jira] [Resolved] (ZOOKEEPER-4343) OWASP Dependency-Check fails with CVE-2021-29425, commons-io-2.6" }, { - "software": { - "id": "cpe:2.3:a:apache:tomcat:7.0.15:*:*:*:*:*:*:*" - } + "source": "MLIST", + "url": "https://lists.apache.org/thread.html/rfcd2c649c205f12b72dde044f905903460669a220a2eb7e12652d19d@%3Cdev.zookeeper.apache.org%3E", + "name": "[zookeeper-dev] 20210805 [jira] [Created] (ZOOKEEPER-4343) OWASP Dependency-Check fails with CVE-2021-29425, commons-io-2.6" }, { - "software": { - "id": "cpe:2.3:a:apache:tomcat:7.0.16:*:*:*:*:*:*:*" - } + "source": "MLIST", + "url": "https://lists.apache.org/thread.html/r86528f4b7d222aed7891e7ac03d69a0db2a2dfa17b86ac3470d7f374@%3Cnotifications.zookeeper.apache.org%3E", + "name": "[zookeeper-notifications] 20210825 [GitHub] [zookeeper] ztzg commented on a change in pull request #1735: ZOOKEEPER-4343: Bump commons-io to version 2.11 (avoids CVE-2021-29425)" }, { - "software": { - "id": "cpe:2.3:a:apache:tomcat:8.0.0:rc2:*:*:*:*:*:*" - } + 
"source": "MLIST", + "url": "https://lists.apache.org/thread.html/r4050f9f6b42ebfa47a98cbdee4aabed4bb5fb8093db7dbb88faceba2@%3Ccommits.zookeeper.apache.org%3E", + "name": "[zookeeper-commits] 20210901 [zookeeper] branch master updated: ZOOKEEPER-4343: Bump commons-io to version 2.11 (avoids CVE-2021-29425)" }, { - "software": { - "id": "cpe:2.3:a:apache:tomcat:7.0.19:*:*:*:*:*:*:*" - } + "source": "CONFIRM", + "url": "https://security.netapp.com/advisory/ntap-20220210-0004/", + "name": "https://security.netapp.com/advisory/ntap-20220210-0004/" }, { - "software": { - "id": "cpe:2.3:a:apache:tomcat:7.0.23:*:*:*:*:*:*:*" - } + "source": "N/A", + "url": "https://www.oracle.com/security-alerts/cpujul2022.html", + "name": "N/A" }, { - "software": { - "id": "cpe:2.3:a:apache:tomcat:7.0.0:*:*:*:*:*:*:*" - } + "source": "MLIST", + "url": "https://lists.debian.org/debian-lts-announce/2021/08/msg00016.html", + "name": "[debian-lts-announce] 20210812 [SECURITY] [DLA 2741-1] commons-io security update" }, { - "software": { - "id": "cpe:2.3:a:apache:tomcat:7.0.26:*:*:*:*:*:*:*" - } + "source": "MLIST", + "url": "https://lists.apache.org/thread.html/r2721aba31a8562639c4b937150897e24f78f747cdbda8641c0f659fe@%3Cusers.kafka.apache.org%3E", + "name": "[kafka-users] 20210617 vulnerabilities" }, { - "software": { - "id": "cpe:2.3:a:apache:tomcat:7.0.9:*:*:*:*:*:*:*" - } + "source": "MLIST", + "url": "https://lists.apache.org/thread.html/r8bfc7235e6b39d90e6f446325a5a44c3e9e50da18860fdabcee23e29@%3Cissues.zookeeper.apache.org%3E", + "name": "[zookeeper-issues] 20210805 [jira] [Updated] (ZOOKEEPER-4343) OWASP Dependency-Check fails with CVE-2021-29425, commons-io-2.6" }, { - "software": { - "id": "cpe:2.3:a:apache:tomcat:7.0.31:*:*:*:*:*:*:*" - } + "source": "MLIST", + "url": "https://lists.apache.org/thread.html/r01b4a1fcdf3311c936ce33d75a9398b6c255f00c1a2f312ac21effe1@%3Cnotifications.zookeeper.apache.org%3E", + "name": "[zookeeper-notifications] 20210816 [GitHub] [zookeeper] nkalmar 
edited a comment on pull request #1735: ZOOKEEPER-4343: Bump commons-io to version 2.11 (avoids CVE-2021-29425)" }, { - "software": { - "id": "cpe:2.3:a:apache:tomcat:7.0.47:*:*:*:*:*:*:*" - } + "source": "MLIST", + "url": "https://lists.apache.org/thread.html/re41e9967bee064e7369411c28f0f5b2ad28b8334907c9c6208017279@%3Cnotifications.zookeeper.apache.org%3E", + "name": "[zookeeper-notifications] 20210813 [GitHub] [zookeeper] eolivelli commented on pull request #1735: ZOOKEEPER-4343: Bump commons-io to version 2.11 (avoids CVE-2021-29425)" }, { - "software": { - "id": "cpe:2.3:a:apache:tomcat:7.0.48:*:*:*:*:*:*:*" - } + "source": "OSSIndex", + "url": "https://issues.apache.org/jira/browse/IO-556", + "name": "https://issues.apache.org/jira/browse/IO-556" }, { - "software": { - "id": "cpe:2.3:a:apache:tomcat:7.0.18:*:*:*:*:*:*:*" - } + "source": "MLIST", + "url": "https://lists.apache.org/thread.html/r92ea904f4bae190b03bd42a4355ce3c2fbe8f36ab673e03f6ca3f9fa@%3Cnotifications.zookeeper.apache.org%3E", + "name": "[zookeeper-notifications] 20210805 [GitHub] [zookeeper] ztzg opened a new pull request #1735: ZOOKEEPER-4343: Bump commons-io to version 2.7 (avoids CVE-2021-29425)" }, { - "software": { - "id": "cpe:2.3:a:apache:tomcat:7.0.30:*:*:*:*:*:*:*" - } + "source": "MLIST", + "url": "https://lists.apache.org/thread.html/r477c285126ada5c3b47946bb702cb222ac4e7fd3100c8549bdd6d3b2@%3Cissues.zookeeper.apache.org%3E", + "name": "[zookeeper-issues] 20210805 [jira] [Created] (ZOOKEEPER-4343) OWASP Dependency-Check fails with CVE-2021-29425, commons-io-2.6" }, { - "software": { - "id": "cpe:2.3:a:apache:tomcat:7.0.49:*:*:*:*:*:*:*" - } + "source": "MLIST", + "url": "https://lists.apache.org/thread.html/r2345b49dbffa8a5c3c589c082fe39228a2c1d14f11b96c523da701db@%3Cnotifications.zookeeper.apache.org%3E", + "name": "[zookeeper-notifications] 20210805 [GitHub] [zookeeper] ztzg commented on pull request #1735: ZOOKEEPER-4343: Bump commons-io to version 2.7 (avoids CVE-2021-29425)" }, 
{ - "software": { - "id": "cpe:2.3:a:apache:tomcat:7.0.24:*:*:*:*:*:*:*" - } - } - ] - }, - { - "source": "NVD", - "name": "CVE-2016-1000031", - "severity": "CRITICAL", - "cvssv2": { - "score": 7.5, - "accessVector": "NETWORK", - "accessComplexity": "LOW", - "authenticationr": "NONE", - "confidentialImpact": "PARTIAL", - "integrityImpact": "PARTIAL", - "availabilityImpact": "PARTIAL", - "severity": "HIGH", - "version": "2.0", - "exploitabilityScore": "10.0", - "impactScore": "6.4", - "acInsufInfo": "true" - }, - "cvssv3": { - "baseScore": 9.8, - "attackVector": "NETWORK", - "attackComplexity": "LOW", - "privilegesRequired": "NONE", - "userInteraction": "NONE", - "scope": "UNCHANGED", - "confidentialityImpact": "HIGH", - "integrityImpact": "HIGH", - "availabilityImpact": "HIGH", - "baseSeverity": "CRITICAL", - "exploitabilityScore": "3.9", - "impactScore": "5.9", - "version": "3.0" - }, - "cwes": [ - "CWE-284" - ], - "description": "Apache Commons FileUpload before 1.3.3 DiskFileItem File Manipulation Remote Code Execution Per Apache: \"Having reviewed your report we have concluded that it does not represent a valid vulnerability in Apache Commons File Upload. 
If an application deserializes data from an untrusted source without filtering and/or validation that is an application vulnerability not a vulnerability in the library a potential attacker might leverage.\"", - "notes": "", - "references": [ + "source": "MLIST", + "url": "https://lists.apache.org/thread.html/rca71a10ca533eb9bfac2d590533f02e6fb9064d3b6aa3ec90fdc4f51@%3Cnotifications.zookeeper.apache.org%3E", + "name": "[zookeeper-notifications] 20210813 [GitHub] [zookeeper] ztzg commented on pull request #1735: ZOOKEEPER-4343: Bump commons-io to version 2.11 (avoids CVE-2021-29425)" + }, { "source": "MLIST", - "url": "https://lists.apache.org/thread.html/708d94141126eac03011144a971a6411fcac16d9c248d1d535a39451@%3Csolr-user.lucene.apache.org%3E", - "name": "[lucene-solr-user] 20190104 Re: SOLR v7 Security Issues Caused Denial of Use - Sonatype Application Composition Report" + "url": "https://lists.apache.org/thread.html/r345330b7858304938b7b8029d02537a116d75265a598c98fa333504a@%3Cdev.creadur.apache.org%3E", + "name": "[creadur-dev] 20210621 [jira] [Commented] (RAT-281) Update commons-io to fix CVE-2021-29425 Moderate severity" }, { - "source": "CONFIRM", - "url": "https://security.netapp.com/advisory/ntap-20190212-0001/", - "name": "https://security.netapp.com/advisory/ntap-20190212-0001/" + "source": "MLIST", + "url": "https://lists.apache.org/thread.html/red3aea910403d8620c73e1c7b9c9b145798d0469eb3298a7be7891af@%3Cnotifications.zookeeper.apache.org%3E", + "name": "[zookeeper-notifications] 20210816 [GitHub] [zookeeper] nkalmar commented on pull request #1735: ZOOKEEPER-4343: Bump commons-io to version 2.11 (avoids CVE-2021-29425)" }, { - "source": "MISC", - "url": "https://www.oracle.com/security-alerts/cpujul2020.html", - "name": "https://www.oracle.com/security-alerts/cpujul2020.html" + "source": "MLIST", + "url": "https://lists.apache.org/thread.html/r2df50af2641d38f432ef025cd2ba5858215cc0cf3fc10396a674ad2e@%3Cpluto-scm.portals.apache.org%3E", + "name": 
"[portals-pluto-scm] 20210714 [portals-pluto] branch master updated: PLUTO-789 Upgrade to commons-io-2.7 due to CVE-2021-29425" }, { - "source": "SUSE", - "url": "http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00036.html", - "name": "openSUSE-SU-2019:1399" + "source": "MISC", + "url": "https://www.oracle.com/security-alerts/cpujan2022.html", + "name": "https://www.oracle.com/security-alerts/cpujan2022.html" }, { "source": "MLIST", - "url": "https://lists.apache.org/thread.html/d66657323fd25e437face5e84899c8ca404ccd187e81c3f2fa8b6080@%3Cannounce.apache.org%3E", - "name": "[announce] 20181105 [SECURITY] Immediately upgrade commons-fileupload to version 1.3.3 when running Struts 2.3.36 or prior" + "url": "https://lists.apache.org/thread.html/rad4ae544747df32ccd58fff5a86cd556640396aeb161aa71dd3d192a@%3Cuser.commons.apache.org%3E", + "name": "[commons-user] 20210709 commons-fileupload dependency and CVE" }, { - "source": "BID", - "url": "http://www.securityfocus.com/bid/93604", - "name": "93604" + "source": "MISC", + "url": "https://issues.apache.org/jira/browse/IO-556", + "name": "https://issues.apache.org/jira/browse/IO-556" }, { "source": "MISC", - "url": "https://www.tenable.com/security/research/tra-2016-30", - "name": "https://www.tenable.com/security/research/tra-2016-30" + "url": "https://lists.apache.org/thread.html/rc359823b5500e9a9a2572678ddb8e01d3505a7ffcadfa8d13b8780ab%40%3Cuser.commons.apache.org%3E", + "name": "https://lists.apache.org/thread.html/rc359823b5500e9a9a2572678ddb8e01d3505a7ffcadfa8d13b8780ab%40%3Cuser.commons.apache.org%3E" }, { - "source": "MISC", - "url": "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html", - "name": "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html" + "source": "MLIST", + "url": "https://lists.apache.org/thread.html/rc5f3df5316c5237b78a3dff5ab95b311ad08e61d418cd992ca7e34ae@%3Cnotifications.zookeeper.apache.org%3E", + "name": "[zookeeper-notifications] 
20210825 [GitHub] [zookeeper] eolivelli commented on pull request #1735: ZOOKEEPER-4343: Bump commons-io to version 2.11 (avoids CVE-2021-29425)" }, { - "source": "CONFIRM", - "url": "https://issues.apache.org/jira/browse/FILEUPLOAD-279", - "name": "https://issues.apache.org/jira/browse/FILEUPLOAD-279" + "source": "MLIST", + "url": "https://lists.apache.org/thread.html/rc2dd3204260e9227a67253ef68b6f1599446005bfa0e1ddce4573a80@%3Cpluto-dev.portals.apache.org%3E", + "name": "[portals-pluto-dev] 20210714 [jira] [Created] (PLUTO-789) Upgrade to commons-io-2.7 due to CVE-2021-29425" }, { - "source": "CONFIRM", - "url": "https://issues.apache.org/jira/browse/WW-4812", - "name": "https://issues.apache.org/jira/browse/WW-4812" + "source": "MLIST", + "url": "https://lists.apache.org/thread.html/r8efcbabde973ea72f5e0933adc48ef1425db5cde850bf641b3993f31@%3Cdev.commons.apache.org%3E", + "name": "[commons-dev] 20210415 Re: [all] OSS Fuzz" }, { - "source": "MISC", - "url": "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html", - "name": "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html" + "source": "MLIST", + "url": "https://lists.apache.org/thread.html/r2bc986a070457daca457a54fe71ee09d2584c24dc262336ca32b6a19@%3Cdev.creadur.apache.org%3E", + "name": "[creadur-dev] 20210518 [jira] [Updated] (WHISKER-19) Update commons-io to fix CVE-2021-29425" }, { - "source": "OSSINDEX", - "url": "https://ossindex.sonatype.org/vuln/3d5968a4-4e14-4a98-8816-a4e847bc1426?component-type=maven&component-name=commons-fileupload.commons-fileupload", - "name": "[CVE-2016-1000031] Improper Access Control" + "source": "MLIST", + "url": "https://lists.apache.org/thread.html/r523a6ffad58f71c4f3761e3cee72df878e48cdc89ebdce933be1475c@%3Cdev.creadur.apache.org%3E", + "name": "[creadur-dev] 20210518 [jira] [Commented] (WHISKER-19) Update commons-io to fix CVE-2021-29425" }, { - "source": "MISC", - "url": 
"https://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html", - "name": "https://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html" + "source": "MLIST", + "url": "https://lists.apache.org/thread.html/r808be7d93b17a7055c1981a8453ae5f0d0fce5855407793c5d0ffffa@%3Cuser.commons.apache.org%3E", + "name": "[commons-user] 20210709 Re: commons-fileupload dependency and CVE" }, { - "source": "MISC", - "url": "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html", - "name": "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html" + "source": "OSSINDEX", + "url": "https://ossindex.sonatype.org/vulnerability/sonatype-2018-0705?component-type=maven&component-name=commons-io%2Fcommons-io&utm_source=dependency-check&utm_medium=integration&utm_content=8.0.2", + "name": "[sonatype-2018-0705] CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')" }, { - "source": "CONFIRM", - "url": "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html", - "name": "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html" + "source": "OSSIndex", + "url": "https://issues.apache.org/jira/browse/IO-559", + "name": "https://issues.apache.org/jira/browse/IO-559" }, { - "source": "CONFIRM", - "url": "https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html", - "name": "https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html" + "source": "MLIST", + "url": "https://lists.apache.org/thread.html/r47ab6f68cbba8e730f42c4ea752f3a44eb95fb09064070f2476bb401@%3Cdev.creadur.apache.org%3E", + "name": "[creadur-dev] 20210427 [jira] [Closed] (RAT-281) Update commons-io to fix CVE-2021-29425 Moderate severity" }, { - "source": "MISC", - "url": "https://www.tenable.com/security/research/tra-2016-12", - "name": "https://www.tenable.com/security/research/tra-2016-12" + "source": "MLIST", + "url": 
"https://lists.apache.org/thread.html/r27b1eedda37468256c4bb768fde1e8b79b37ec975cbbfd0d65a7ac34@%3Cdev.myfaces.apache.org%3E", + "name": "[myfaces-dev] 20210504 [GitHub] [myfaces-tobago] lofwyr14 opened a new pull request #808: build: CVE fix" }, { - "source": "MISC", - "url": "https://www.tenable.com/security/research/tra-2016-23", - "name": "https://www.tenable.com/security/research/tra-2016-23" + "source": "MLIST", + "url": "https://lists.apache.org/thread.html/rfa2f08b7c0caf80ca9f4a18bd875918fdd4e894e2ea47942a4589b9c@%3Cdev.creadur.apache.org%3E", + "name": "[creadur-dev] 20210427 [jira] [Updated] (RAT-281) Update commons-io to fix CVE-2021-29425 Moderate severity" }, { - "source": "MISC", - "url": "http://www.zerodayinitiative.com/advisories/ZDI-16-570/", - "name": "http://www.zerodayinitiative.com/advisories/ZDI-16-570/" + "source": "MLIST", + "url": "https://lists.apache.org/thread.html/r0d73e2071d1f1afe1a15da14c5b6feb2cf17e3871168d5a3c8451436@%3Ccommits.pulsar.apache.org%3E", + "name": "[pulsar-commits] 20210420 [GitHub] [pulsar] merlimat merged pull request #10287: [Security] Upgrade commons-io to address CVE-2021-29425" }, { - "source": "N/A", - "url": "https://www.oracle.com/security-alerts/cpuapr2020.html", - "name": "N/A" + "source": "MLIST", + "url": "https://lists.apache.org/thread.html/r873d5ddafc0a68fd999725e559776dc4971d1ab39c0f5cc81bd9bc04@%3Ccommits.pulsar.apache.org%3E", + "name": "[pulsar-commits] 20210420 [GitHub] [pulsar] lhotari opened a new pull request #10287: [Security] Upgrade commons-io to address CVE-2021-29425" }, { "source": "MISC", - "url": "https://www.oracle.com/security-alerts/cpujan2020.html", - "name": "https://www.oracle.com/security-alerts/cpujan2020.html" - } - ], - "vulnerableSoftware": [ - { - "software": { - "id": "cpe:2.3:a:apache:commons_fileupload:*:*:*:*:*:*:*:*", - "vulnerabilityIdMatched": "true", - "versionEndIncluding": "1.3.2" - } - } - ] - }, - { - "source": "NVD", - "name": "CVE-2016-3092", - "severity": 
"HIGH", - "cvssv2": { - "score": 7.8, - "accessVector": "NETWORK", - "accessComplexity": "LOW", - "authenticationr": "NONE", - "confidentialImpact": "NONE", - "integrityImpact": "NONE", - "availabilityImpact": "COMPLETE", - "severity": "HIGH", - "version": "2.0", - "exploitabilityScore": "10.0", - "impactScore": "6.9" - }, - "cvssv3": { - "baseScore": 7.5, - "attackVector": "NETWORK", - "attackComplexity": "LOW", - "privilegesRequired": "NONE", - "userInteraction": "NONE", - "scope": "UNCHANGED", - "confidentialityImpact": "NONE", - "integrityImpact": "NONE", - "availabilityImpact": "HIGH", - "baseSeverity": "HIGH", - "exploitabilityScore": "3.9", - "impactScore": "3.6", - "version": "3.0" - }, - "cwes": [ - "CWE-20" - ], - "description": "The MultipartStream class in Apache Commons Fileupload before 1.3.2, as used in Apache Tomcat 7.x before 7.0.70, 8.x before 8.0.36, 8.5.x before 8.5.3, and 9.x before 9.0.0.M7 and other products, allows remote attackers to cause a denial of service (CPU consumption) via a long boundary string.", - "notes": "", - "references": [ + "url": "https://www.oracle.com/security-alerts/cpuoct2021.html", + "name": "https://www.oracle.com/security-alerts/cpuoct2021.html" + }, { - "source": "DEBIAN", - "url": "http://www.debian.org/security/2016/dsa-3609", - "name": "DSA-3609" + "source": "MLIST", + "url": "https://lists.apache.org/thread.html/r1c2f4683c35696cf6f863e3c107e37ec41305b1930dd40c17260de71@%3Ccommits.pulsar.apache.org%3E", + "name": "[pulsar-commits] 20210429 [pulsar] branch branch-2.7 updated: [Security] Upgrade commons-io to address CVE-2021-29425 (#10287)" }, { - "source": "JVN", - "url": "http://jvn.jp/en/jp/JVN89379547/index.html", - "name": "JVN#89379547" + "source": "MLIST", + "url": "https://lists.apache.org/thread.html/ra8ef65aedc086d2d3d21492b4c08ae0eb8a3a42cc52e29ba1bc009d8@%3Cdev.creadur.apache.org%3E", + "name": "[creadur-dev] 20210518 [jira] [Created] (WHISKER-19) Update commons-io to fix CVE-2021-29425" }, { - 
"source": "REDHAT", - "url": "http://rhn.redhat.com/errata/RHSA-2016-2071.html", - "name": "RHSA-2016:2071" + "source": "MLIST", + "url": "https://lists.apache.org/thread.html/rd09d4ab3e32e4b3a480e2ff6ff118712981ca82e817f28f2a85652a6@%3Cnotifications.zookeeper.apache.org%3E", + "name": "[zookeeper-notifications] 20210813 [GitHub] [zookeeper] eolivelli commented on a change in pull request #1735: ZOOKEEPER-4343: Bump commons-io to version 2.11 (avoids CVE-2021-29425)" }, { - "source": "CONFIRM", - "url": "http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html", - "name": "http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html" + "source": "MLIST", + "url": "https://lists.apache.org/thread.html/rc10fa20ef4d13cbf6ebe0b06b5edb95466a1424a9b7673074ed03260@%3Cnotifications.zookeeper.apache.org%3E", + "name": "[zookeeper-notifications] 20210806 [GitHub] [zookeeper] nkalmar commented on pull request #1735: ZOOKEEPER-4343: Bump commons-io to version 2.7 (avoids CVE-2021-29425)" + } + ], + "vulnerableSoftware": [ + { + "software": { + "id": "cpe:2.3:a:apache:commons_io:2.2:-:*:*:*:*:*:*" + } }, { - "source": "CONFIRM", - "url": "https://security.netapp.com/advisory/ntap-20190212-0001/", - "name": "https://security.netapp.com/advisory/ntap-20190212-0001/" + "software": { + "id": "cpe:2.3:a:apache:commons_io:2.3:-:*:*:*:*:*:*" + } }, { - "source": "CONFIRM", - "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1349468", - "name": "https://bugzilla.redhat.com/show_bug.cgi?id=1349468" + "software": { + "id": "cpe:2.3:a:apache:commons_io:2.4:-:*:*:*:*:*:*", + "vulnerabilityIdMatched": "true" + } }, { - "source": "CONFIRM", - "url": "http://svn.apache.org/viewvc?view=revision&revision=1743738", - "name": "http://svn.apache.org/viewvc?view=revision&revision=1743738" + "software": { + "id": "cpe:2.3:a:apache:commons_io:2.5:-:*:*:*:*:*:*" + } }, { - "source": "CONFIRM", - "url": 
"http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html", - "name": "http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html" + "software": { + "id": "cpe:2.3:a:apache:commons_io:2.6:-:*:*:*:*:*:*" + } }, { - "source": "UBUNTU", - "url": "http://www.ubuntu.com/usn/USN-3024-1", - "name": "USN-3024-1" + "software": { + "id": "cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:linux:*:*" + } }, { - "source": "CONFIRM", - "url": "http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html", - "name": "http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html" + "software": { + "id": "cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:vmware_vsphere:*:*" + } }, { - "source": "REDHAT", - "url": "http://rhn.redhat.com/errata/RHSA-2016-2808.html", - "name": "RHSA-2016:2808" + "software": { + "id": "cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:windows:*:*" + } }, { - "source": "REDHAT", - "url": "https://access.redhat.com/errata/RHSA-2017:0455", - "name": "RHSA-2017:0455" + "software": { + "id": "cpe:2.3:a:oracle:access_manager:11.1.2.3.0:*:*:*:*:*:*:*" + } }, { - "source": "MLIST", - "url": "http://mail-archives.apache.org/mod_mbox/commons-dev/201606.mbox/%3CCAF8HOZ%2BPq2QH8RnxBuJyoK1dOz6jrTiQypAC%2BH8g6oZkBg%2BCxg%40mail.gmail.com%3E", - "name": "[dev] 20160621 CVE-2016-3092: Apache Commons Fileupload information disclosure vulnerability" + "software": { + "id": "cpe:2.3:a:oracle:access_manager:12.2.1.3.0:*:*:*:*:*:*:*" + } }, { - "source": "SECTRACK", - "url": "http://www.securitytracker.com/id/1036427", - "name": "1036427" + "software": { + "id": "cpe:2.3:a:oracle:access_manager:12.2.1.4.0:*:*:*:*:*:*:*" + } }, { - "source": "OSSINDEX", - "url": "https://ossindex.sonatype.org/vuln/39d74cc8-457a-4e57-89ef-a258420138c5?component-type=maven&component-name=commons-fileupload.commons-fileupload", - "name": "[CVE-2016-3092] Improper Input Validation" + "software": { + "id": 
"cpe:2.3:a:oracle:agile_engineering_data_management:6.2.1.0:*:*:*:*:*:*:*" + } }, { - "source": "GENTOO", - "url": "https://security.gentoo.org/glsa/201705-09", - "name": "GLSA-201705-09" + "software": { + "id": "cpe:2.3:a:oracle:agile_plm:9.3.6:*:*:*:*:*:*:*" + } }, { - "source": "SECTRACK", - "url": "http://www.securitytracker.com/id/1037029", - "name": "1037029" + "software": { + "id": "cpe:2.3:a:oracle:application_performance_management:13.4.1.0:*:*:*:*:*:*:*" + } }, { - "source": "CONFIRM", - "url": "http://tomcat.apache.org/security-7.html", - "name": "http://tomcat.apache.org/security-7.html" + "software": { + "id": "cpe:2.3:a:oracle:application_performance_management:13.5.1.0:*:*:*:*:*:*:*" + } }, { - "source": "DEBIAN", - "url": "http://www.debian.org/security/2016/dsa-3614", - "name": "DSA-3614" + "software": { + "id": "cpe:2.3:a:oracle:application_testing_suite:13.3.0.1:*:*:*:*:*:*:*" + } }, { - "source": "CONFIRM", - "url": "http://tomcat.apache.org/security-9.html", - "name": "http://tomcat.apache.org/security-9.html" + "software": { + "id": "cpe:2.3:a:oracle:banking_apis:18.1:*:*:*:*:*:*:*" + } }, { - "source": "CONFIRM", - "url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05324759", - "name": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05324759" + "software": { + "id": "cpe:2.3:a:oracle:banking_apis:18.2:*:*:*:*:*:*:*" + } }, { - "source": "REDHAT", - "url": "http://rhn.redhat.com/errata/RHSA-2016-2069.html", - "name": "RHSA-2016:2069" + "software": { + "id": "cpe:2.3:a:oracle:banking_apis:18.3:*:*:*:*:*:*:*" + } }, { - "source": "SECTRACK", - "url": "http://www.securitytracker.com/id/1036900", - "name": "1036900" + "software": { + "id": "cpe:2.3:a:oracle:banking_apis:19.1:*:*:*:*:*:*:*" + } }, { - "source": "N/A", - "url": "https://www.oracle.com/security-alerts/cpuapr2020.html", - "name": "N/A" + "software": { + "id": "cpe:2.3:a:oracle:banking_apis:19.2:*:*:*:*:*:*:*" + } }, 
{ - "source": "MLIST", - "url": "https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c@%3Cdev.tomcat.apache.org%3E", - "name": "[tomcat-dev] 20200213 svn commit: r1873980 [27/34] - /tomcat/site/trunk/docs/" + "software": { + "id": "cpe:2.3:a:oracle:banking_apis:20.1:*:*:*:*:*:*:*" + } }, { - "source": "REDHAT", - "url": "http://rhn.redhat.com/errata/RHSA-2016-2072.html", - "name": "RHSA-2016:2072" + "software": { + "id": "cpe:2.3:a:oracle:banking_apis:21.1:*:*:*:*:*:*:*" + } }, { - "source": "SECTRACK", - "url": "http://www.securitytracker.com/id/1039606", - "name": "1039606" + "software": { + "id": "cpe:2.3:a:oracle:banking_digital_experience:17.2:*:*:*:*:*:*:*" + } }, { - "source": "REDHAT", - "url": "http://rhn.redhat.com/errata/RHSA-2016-2599.html", - "name": "RHSA-2016:2599" + "software": { + "id": "cpe:2.3:a:oracle:banking_digital_experience:18.1:*:*:*:*:*:*:*" + } }, { - "source": "UBUNTU", - "url": "http://www.ubuntu.com/usn/USN-3027-1", - "name": "USN-3027-1" + "software": { + "id": "cpe:2.3:a:oracle:banking_digital_experience:18.3:*:*:*:*:*:*:*" + } }, { - "source": "CONFIRM", - "url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05289840", - "name": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05289840" + "software": { + "id": "cpe:2.3:a:oracle:banking_digital_experience:19.1:*:*:*:*:*:*:*" + } }, { - "source": "REDHAT", - "url": "https://access.redhat.com/errata/RHSA-2017:0456", - "name": "RHSA-2017:0456" + "software": { + "id": "cpe:2.3:a:oracle:banking_digital_experience:19.2:*:*:*:*:*:*:*" + } }, { - "source": "REDHAT", - "url": "http://rhn.redhat.com/errata/RHSA-2016-2068.html", - "name": "RHSA-2016:2068" + "software": { + "id": "cpe:2.3:a:oracle:banking_digital_experience:20.1:*:*:*:*:*:*:*" + } }, { - "source": "CONFIRM", - "url": "http://svn.apache.org/viewvc?view=revision&revision=1743480", - "name": 
"http://svn.apache.org/viewvc?view=revision&revision=1743480" + "software": { + "id": "cpe:2.3:a:oracle:banking_digital_experience:21.1:*:*:*:*:*:*:*" + } }, { - "source": "MLIST", - "url": "https://lists.apache.org/thread.html/343558d982879bf88ec20dbf707f8c11255f8e219e81d45c4f8d0551@%3Cdev.tomcat.apache.org%3E", - "name": "[tomcat-dev] 20190319 svn commit: r1855831 [25/30] - in /tomcat/site/trunk: ./ docs/ xdocs/" + "software": { + "id": "cpe:2.3:a:oracle:banking_enterprise_default_management:2.6.2:*:*:*:*:*:*:*" + } }, { - "source": "REDHAT", - "url": "http://rhn.redhat.com/errata/RHSA-2017-0457.html", - "name": "RHSA-2017:0457" + "software": { + "id": "cpe:2.3:a:oracle:banking_enterprise_default_management:2.7.0:*:*:*:*:*:*:*" + } }, { - "source": "CONFIRM", - "url": "http://www.oracle.com/technetwork/topics/security/bulletinjul2016-3090568.html", - "name": "http://www.oracle.com/technetwork/topics/security/bulletinjul2016-3090568.html" + "software": { + "id": "cpe:2.3:a:oracle:banking_enterprise_default_management:2.7.1:*:*:*:*:*:*:*" + } }, { - "source": "REDHAT", - "url": "http://rhn.redhat.com/errata/RHSA-2016-2070.html", - "name": "RHSA-2016:2070" + "software": { + "id": "cpe:2.3:a:oracle:banking_enterprise_default_management:2.10.0:*:*:*:*:*:*:*" + } }, { - "source": "MISC", - "url": "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html", - "name": "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html" + "software": { + "id": "cpe:2.3:a:oracle:banking_enterprise_default_management:2.12.0:*:*:*:*:*:*:*" + } }, { - "source": "CONFIRM", - "url": "http://tomcat.apache.org/security-8.html", - "name": "http://tomcat.apache.org/security-8.html" + "software": { + "id": "cpe:2.3:a:oracle:banking_enterprise_default_managment:*:*:*:*:*:*:*:*", + "versionStartIncluding": "2.3.0", + "versionEndIncluding": "2.4.0" + } }, { - "source": "CONFIRM", - "url": 
"https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05204371", - "name": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05204371" + "software": { + "id": "cpe:2.3:a:oracle:banking_party_management:2.7.0:*:*:*:*:*:*:*" + } }, { - "source": "SUSE", - "url": "http://lists.opensuse.org/opensuse-updates/2016-09/msg00025.html", - "name": "openSUSE-SU-2016:2252" + "software": { + "id": "cpe:2.3:a:oracle:banking_platform:*:*:*:*:*:*:*:*", + "versionStartIncluding": "2.3.0", + "versionEndIncluding": "2.4.1" + } }, { - "source": "BID", - "url": "http://www.securityfocus.com/bid/91453", - "name": "91453" + "software": { + "id": "cpe:2.3:a:oracle:banking_platform:2.6.2:*:*:*:*:*:*:*" + } }, { - "source": "CONFIRM", - "url": "http://svn.apache.org/viewvc?view=revision&revision=1743722", - "name": "http://svn.apache.org/viewvc?view=revision&revision=1743722" + "software": { + "id": "cpe:2.3:a:oracle:banking_platform:2.7.0:*:*:*:*:*:*:*" + } }, { - "source": "JVNDB", - "url": "http://jvndb.jvn.jp/jvndb/JVNDB-2016-000121", - "name": "JVNDB-2016-000121" + "software": { + "id": "cpe:2.3:a:oracle:banking_platform:2.7.1:*:*:*:*:*:*:*" + } }, { - "source": "CONFIRM", - "url": "http://svn.apache.org/viewvc?view=revision&revision=1743742", - "name": "http://svn.apache.org/viewvc?view=revision&revision=1743742" + "software": { + "id": "cpe:2.3:a:oracle:blockchain_platform:*:*:*:*:*:*:*:*", + "versionEndExcluding": "21.1.2" + } }, { - "source": "DEBIAN", - "url": "http://www.debian.org/security/2016/dsa-3611", - "name": "DSA-3611" + "software": { + "id": "cpe:2.3:a:oracle:commerce_guided_search:11.3.2:*:*:*:*:*:*:*" + } }, { - "source": "MLIST", - "url": "https://lists.apache.org/thread.html/388a323769f1dff84c9ec905455aa73fbcb20338e3c7eb131457f708@%3Cdev.tomcat.apache.org%3E", - "name": "[tomcat-dev] 20190325 svn commit: r1856174 [22/29] - in /tomcat/site/trunk: docs/ xdocs/ xdocs/stylesheets/" + "software": { + "id": 
"cpe:2.3:a:oracle:communications_application_session_controller:3.9.0:*:*:*:*:*:*:*" + } }, { - "source": "REDHAT", - "url": "http://rhn.redhat.com/errata/RHSA-2016-2807.html", - "name": "RHSA-2016:2807" + "software": { + "id": "cpe:2.3:a:oracle:communications_billing_and_revenue_management_elastic_charging_engine:11.3:*:*:*:*:*:*:*" + } }, { - "source": "CONFIRM", - "url": "http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html", - "name": "http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html" - } - ], - "vulnerableSoftware": [ + "software": { + "id": "cpe:2.3:a:oracle:communications_billing_and_revenue_management_elastic_charging_engine:12.0:*:*:*:*:*:*:*" + } + }, { "software": { - "id": "cpe:2.3:a:apache:tomcat:8.0.1:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:oracle:communications_cloud_native_core_network_repository_function:1.14.0:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:apache:tomcat:7.0.28:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:oracle:communications_cloud_native_core_policy:1.14.0:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:apache:tomcat:7.0.56:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:oracle:communications_cloud_native_core_unified_data_repository:1.4.0:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:apache:tomcat:7.0.8:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:oracle:communications_contacts_server:8.0.0.6.0:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:apache:tomcat:7.0.53:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:oracle:communications_converged_application_server_-_service_controller:6.2:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:apache:tomcat:8.0.24:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:oracle:communications_convergence:3.0.2.2.0:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:apache:tomcat:7.0.25:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:oracle:communications_design_studio:*:*:*:*:*:*:*:*", + "versionStartIncluding": "7.4.0", + "versionEndIncluding": "7.4.2" } }, { "software": { - "id": 
"cpe:2.3:a:apache:tomcat:7.0.11:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:oracle:communications_design_studio:7.3.5:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:apache:tomcat:9.0.0:m3:*:*:*:*:*:*" + "id": "cpe:2.3:a:oracle:communications_diameter_intelligence_hub:*:*:*:*:*:*:*:*", + "versionStartIncluding": "8.0.0", + "versionEndIncluding": "8.1.0" } }, { "software": { - "id": "cpe:2.3:a:apache:tomcat:8.0.21:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:oracle:communications_diameter_intelligence_hub:*:*:*:*:*:*:*:*", + "versionStartIncluding": "8.2.0", + "versionEndIncluding": "8.2.3" } }, { "software": { - "id": "cpe:2.3:a:apache:tomcat:7.0.5:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:oracle:communications_interactive_session_recorder:6.3:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:apache:tomcat:7.0.50:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:oracle:communications_interactive_session_recorder:6.4:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:apache:tomcat:7.0.2:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:oracle:communications_offline_mediation_controller:12.0.0.3:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:apache:tomcat:8.0.27:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:oracle:communications_order_and_service_management:7.3:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:apache:tomcat:7.0.14:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:oracle:communications_order_and_service_management:7.4:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:apache:tomcat:7.0.22:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:oracle:communications_policy_management:12.5.0.0.0:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:hp:icewall_sso_agent_option:10.0:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:oracle:communications_pricing_design_center:12.0.0.4.0:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:apache:tomcat:8.0.32:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:oracle:communications_pricing_design_center:12.0.0.5.0:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:apache:tomcat:7.0.59:*:*:*:*:*:*:*" + "id": 
"cpe:2.3:a:oracle:communications_service_broker:6.2:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:apache:tomcat:9.0.0:m6:*:*:*:*:*:*" + "id": "cpe:2.3:a:oracle:enterprise_communications_broker:3.3:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:apache:tomcat:8.5.2:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:oracle:enterprise_session_border_controller:8.4:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:apache:tomcat:7.0.39:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:oracle:enterprise_session_border_controller:9.0:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:apache:tomcat:7.0.64:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:*:*:*:*:*:*:*:*", + "versionStartIncluding": "8.0.7", + "versionEndIncluding": "8.1.1" } }, { "software": { - "id": "cpe:2.3:a:apache:tomcat:7.0.2:beta:*:*:*:*:*:*" + "id": "cpe:2.3:a:oracle:financial_services_model_management_and_governance:*:*:*:*:*:*:*:*", + "versionStartIncluding": "8.0.8", + "versionEndIncluding": "8.1.1" } }, { "software": { - "id": "cpe:2.3:a:apache:tomcat:7.0.33:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:oracle:flexcube_core_banking:*:*:*:*:*:*:*:*", + "versionStartIncluding": "11.6.0", + "versionEndIncluding": "11.8.0" } }, { "software": { - "id": "cpe:2.3:a:apache:tomcat:8.0.33:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:oracle:flexcube_core_banking:5.2.0:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:apache:tomcat:7.0.68:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:oracle:flexcube_core_banking:11.10.0:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:apache:tomcat:7.0.0:beta:*:*:*:*:*:*" + "id": "cpe:2.3:a:oracle:fusion_middleware_mapviewer:12.2.1.4.0:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:apache:tomcat:8.0.29:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:oracle:health_sciences_data_management_workbench:2.5.2.1:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:apache:tomcat:8.0.12:*:*:*:*:*:*:*" + "id": 
"cpe:2.3:a:oracle:health_sciences_data_management_workbench:3.0.0.0:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:apache:tomcat:7.0.37:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:oracle:health_sciences_information_manager:*:*:*:*:*:*:*:*", + "versionStartIncluding": "3.0.1", + "versionEndIncluding": "3.0.4" } }, { "software": { - "id": "cpe:2.3:a:apache:tomcat:7.0.20:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:oracle:healthcare_data_repository:8.1.0:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:apache:tomcat:7.0.41:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:oracle:helidon:1.4.7:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:apache:tomcat:8.0.26:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:oracle:helidon:2.2.0:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:apache:tomcat:9.0.0:m4:*:*:*:*:*:*" + "id": "cpe:2.3:a:oracle:insurance_policy_administration:11.0.2:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:apache:tomcat:7.0.6:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:oracle:insurance_policy_administration:11.1.0:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:apache:tomcat:7.0.34:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:oracle:insurance_policy_administration:11.2.8:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:apache:tomcat:8.5.0:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:oracle:insurance_policy_administration:11.3.0:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:apache:tomcat:7.0.65:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:oracle:insurance_policy_administration:11.3.1:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:apache:tomcat:7.0.10:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:oracle:insurance_rules_palette:11.0.2:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:apache:tomcat:7.0.29:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:oracle:insurance_rules_palette:11.1.0:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:apache:tomcat:7.0.4:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:oracle:insurance_rules_palette:11.2.8:*:*:*:*:*:*:*" } }, { "software": { - "id": 
"cpe:2.3:a:apache:tomcat:8.0.28:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:oracle:insurance_rules_palette:11.3.0:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:apache:tomcat:7.0.12:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:oracle:insurance_rules_palette:11.3.1:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:apache:tomcat:7.0.67:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:oracle:oss_support_tools:*:*:*:*:*:*:*:*", + "versionEndExcluding": "2.12.42" } }, { "software": { - "id": "cpe:2.3:a:apache:tomcat:8.0.35:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:oracle:primavera_unifier:*:*:*:*:*:*:*:*", + "versionStartIncluding": "17.7", + "versionEndIncluding": "17.12" } }, { "software": { - "id": "cpe:2.3:a:apache:tomcat:8.0.3:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:oracle:primavera_unifier:18.8:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:apache:tomcat:9.0.0:m1:*:*:*:*:*:*" + "id": "cpe:2.3:a:oracle:primavera_unifier:19.12:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:apache:tomcat:8.0.0:rc10:*:*:*:*:*:*" + "id": "cpe:2.3:a:oracle:primavera_unifier:20.12:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:apache:tomcat:7.0.42:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:oracle:primavera_unifier:21.12:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:apache:tomcat:8.0.14:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:oracle:real_user_experience_insight:13.4.1.0:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:apache:tomcat:8.0.17:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:oracle:real_user_experience_insight:13.5.1.0:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:apache:tomcat:7.0.32:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:oracle:rest_data_services:*:*:*:*:-:*:*:*", + "versionEndExcluding": "21.2" } }, { "software": { - "id": "cpe:2.3:a:apache:tomcat:8.0.0:rc1:*:*:*:*:*:*" + "id": "cpe:2.3:a:oracle:rest_data_services:21.3:*:*:*:-:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:apache:tomcat:8.0.11:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:oracle:retail_assortment_planning:16.0.3:*:*:*:*:*:*:*" } }, { 
"software": { - "id": "cpe:2.3:a:apache:tomcat:7.0.35:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:oracle:retail_integration_bus:*:*:*:*:*:*:*:*", + "versionStartIncluding": "16.0.1", + "versionEndIncluding": "16.0.3" } }, { "software": { - "id": "cpe:2.3:a:apache:tomcat:7.0.40:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:oracle:retail_integration_bus:13.0:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:apache:tomcat:7.0.4:beta:*:*:*:*:*:*" + "id": "cpe:2.3:a:oracle:retail_integration_bus:14.1.3.0:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:apache:tomcat:7.0.21:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:oracle:retail_integration_bus:14.1.3.2:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:apache:tomcat:7.0.52:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:oracle:retail_integration_bus:15.0.3.1:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:apache:tomcat:7.0.57:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:oracle:retail_integration_bus:19.0.0:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:apache:tomcat:7.0.69:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:oracle:retail_integration_bus:19.0.1:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:apache:tomcat:8.0.5:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:oracle:retail_merchandising_system:16.0.3:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:apache:tomcat:8.0.0:rc5:*:*:*:*:*:*" + "id": "cpe:2.3:a:oracle:retail_merchandising_system:19.0.1:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:apache:tomcat:7.0.1:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:oracle:retail_order_broker:16.0:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:apache:tomcat:7.0.27:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:oracle:retail_order_broker:18.0:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:apache:tomcat:7.0.63:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:oracle:retail_order_broker:19.1:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:apache:tomcat:7.0.16:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:oracle:retail_pricing:19.0.1:*:*:*:*:*:*:*" } }, { "software": { - "id": 
"cpe:2.3:a:apache:tomcat:8.0.0:rc2:*:*:*:*:*:*" + "id": "cpe:2.3:a:oracle:retail_service_backbone:*:*:*:*:*:*:*:*", + "versionStartIncluding": "16.0.1", + "versionEndIncluding": "16.0.3" } }, { "software": { - "id": "cpe:2.3:a:apache:tomcat:7.0.19:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:oracle:retail_service_backbone:14.1.3.0:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:apache:tomcat:7.0.23:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:oracle:retail_service_backbone:14.1.3.2:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:apache:tomcat:8.0.30:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:oracle:retail_service_backbone:15.0.3.1:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:apache:tomcat:7.0.0:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:oracle:retail_service_backbone:19.0.0:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:apache:tomcat:8.0.23:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:oracle:retail_service_backbone:19.0.1:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:apache:tomcat:7.0.26:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:oracle:retail_size_profile_optimization:16.0.3:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:apache:tomcat:7.0.62:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:oracle:retail_xstore_point_of_service:17.0.4:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:apache:tomcat:8.0.15:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:oracle:retail_xstore_point_of_service:18.0.3:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:apache:tomcat:7.0.47:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:oracle:retail_xstore_point_of_service:19.0.2:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:apache:tomcat:8.0.20:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:oracle:retail_xstore_point_of_service:20.0.1:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:apache:tomcat:8.0.18:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:oracle:solaris_cluster:4.0:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:apache:tomcat:8.0.8:*:*:*:*:*:*:*" + "id": 
"cpe:2.3:a:oracle:utilities_testing_accelerator:6.0.0.1.1:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:apache:commons_fileupload:*:*:*:*:*:*:*:*", - "vulnerabilityIdMatched": "true", - "versionEndIncluding": "1.3.1" + "id": "cpe:2.3:a:oracle:utilities_testing_accelerator:6.0.0.2.2:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:apache:tomcat:7.0.61:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:oracle:utilities_testing_accelerator:6.0.0.3.1:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:hp:icewall_identity_manager:5.0:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:oracle:webcenter_portal:12.2.1.3.0:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:apache:tomcat:7.0.55:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:oracle:webcenter_portal:12.2.1.4.0:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:apache:tomcat:7.0.5:beta:*:*:*:*:*:*" + "id": "cpe:2.3:a:oracle:weblogic_server:12.1.3.0.0:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:apache:tomcat:7.0.54:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:oracle:weblogic_server:12.2.1.3.0:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:apache:tomcat:7.0.30:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:oracle:weblogic_server:12.2.1.4.0:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:apache:tomcat:8.0.22:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:oracle:weblogic_server:14.1.1.0.0:*:*:*:*:*:*:*" } } ] 
@@ -4094,31 +6972,671 @@ }, { "isVirtual": false, - "fileName": "commons-io-2.4.jar", - "filePath": "/to/path/commons-io/commons-io/2.4/commons-io-2.4.jar", - "md5": "7f97854dc04c119d461fed14f5d8bb96", - "sha1": "b1b6ea3b7e4aa4f492509a4952029cd8e48019ad", - "sha256": "cc6a41dc3eaacc9e440a6bd0d2890b20d36b4ee408fe2d67122f328bb6e01581", - "description": "\nThe Commons IO library contains utility classes, stream implementations, file filters, \nfile comparators, endian transformation classes, and much more.\n ", - "license": "http://www.apache.org/licenses/LICENSE-2.0.txt", + "fileName": "commons-logging-1.0.4.jar", + "filePath": "/to/path/commons-logging/commons-logging/1.0.4/commons-logging-1.0.4.jar", + "md5": "8a507817b28077e0478add944c64586a", + "sha1": "f029a2aefe2b3e1517573c580f948caac31b1056", + "sha256": "e94af49749384c11f5aa50e8d0f5fe679be771295b52030338d32843c980351e", + "description": "Commons Logging is a thin adapter allowing configurable bridging to other,\n well known logging systems.", + "license": "The Apache Software License, Version 2.0: /LICENSE.txt", + "projectReferences": [ + "module1:compile" + ], + "includedBy": [ + { + "reference": "pkg:maven/struts/struts@1.2.8" + } + ], + "evidenceCollected": { + "vendorEvidence": [ + { + "type": "vendor", + "confidence": "HIGH", + "source": "file", + "name": "name", + "value": "commons-logging" + }, + { + "type": "vendor", + "confidence": "HIGHEST", + "source": "jar", + "name": "package name", + "value": "apache" + }, + { + "type": "vendor", + "confidence": "HIGHEST", + "source": "jar", + "name": "package name", + "value": "commons" + }, + { + "type": "vendor", + "confidence": "HIGHEST", + "source": "jar", + "name": "package name", + "value": "logging" + }, + { + "type": "vendor", + "confidence": "MEDIUM", + "source": "Manifest", + "name": "extension-name", + "value": "org.apache.commons.logging" + }, + { + "type": "vendor", + "confidence": "HIGH", + "source": "Manifest", + "name": "Implementation-Vendor", 
+ "value": "Apache Software Foundation" + }, + { + "type": "vendor", + "confidence": "LOW", + "source": "Manifest", + "name": "specification-vendor", + "value": "Apache Software Foundation" + }, + { + "type": "vendor", + "confidence": "HIGHEST", + "source": "pom", + "name": "artifactid", + "value": "commons-logging" + }, + { + "type": "vendor", + "confidence": "LOW", + "source": "pom", + "name": "artifactid", + "value": "commons-logging" + }, + { + "type": "vendor", + "confidence": "LOW", + "source": "pom", + "name": "developer email", + "value": "baliuka@apache.org" + }, + { + "type": "vendor", + "confidence": "LOW", + "source": "pom", + "name": "developer email", + "value": "costin at apache dot org" + }, + { + "type": "vendor", + "confidence": "LOW", + "source": "pom", + "name": "developer email", + "value": "craigmcc at apache org" + }, + { + "type": "vendor", + "confidence": "LOW", + "source": "pom", + "name": "developer email", + "value": "donaldp at apache dot org" + }, + { + "type": "vendor", + "confidence": "LOW", + "source": "pom", + "name": "developer email", + "value": "morgand at apache dot org" + }, + { + "type": "vendor", + "confidence": "LOW", + "source": "pom", + "name": "developer email", + "value": "rdonkin at apache dot org" + }, + { + "type": "vendor", + "confidence": "LOW", + "source": "pom", + "name": "developer email", + "value": "rsitze at apache dot org" + }, + { + "type": "vendor", + "confidence": "LOW", + "source": "pom", + "name": "developer email", + "value": "rwaldhoff at apache org" + }, + { + "type": "vendor", + "confidence": "LOW", + "source": "pom", + "name": "developer email", + "value": "sanders at apache dot org" + }, + { + "type": "vendor", + "confidence": "MEDIUM", + "source": "pom", + "name": "developer id", + "value": "baliuka" + }, + { + "type": "vendor", + "confidence": "MEDIUM", + "source": "pom", + "name": "developer id", + "value": "costin" + }, + { + "type": "vendor", + "confidence": "MEDIUM", + "source": "pom", + 
"name": "developer id", + "value": "craigmcc" + }, + { + "type": "vendor", + "confidence": "MEDIUM", + "source": "pom", + "name": "developer id", + "value": "donaldp" + }, + { + "type": "vendor", + "confidence": "MEDIUM", + "source": "pom", + "name": "developer id", + "value": "morgand" + }, + { + "type": "vendor", + "confidence": "MEDIUM", + "source": "pom", + "name": "developer id", + "value": "rdonkin" + }, + { + "type": "vendor", + "confidence": "MEDIUM", + "source": "pom", + "name": "developer id", + "value": "rsitze" + }, + { + "type": "vendor", + "confidence": "MEDIUM", + "source": "pom", + "name": "developer id", + "value": "rwaldhoff" + }, + { + "type": "vendor", + "confidence": "MEDIUM", + "source": "pom", + "name": "developer id", + "value": "sanders" + }, + { + "type": "vendor", + "confidence": "MEDIUM", + "source": "pom", + "name": "developer name", + "value": "Costin Manolache" + }, + { + "type": "vendor", + "confidence": "MEDIUM", + "source": "pom", + "name": "developer name", + "value": "Craig McClanahan" + }, + { + "type": "vendor", + "confidence": "MEDIUM", + "source": "pom", + "name": "developer name", + "value": "Juozas Baliuka" + }, + { + "type": "vendor", + "confidence": "MEDIUM", + "source": "pom", + "name": "developer name", + "value": "Morgan Delagrange" + }, + { + "type": "vendor", + "confidence": "MEDIUM", + "source": "pom", + "name": "developer name", + "value": "Peter Donald" + }, + { + "type": "vendor", + "confidence": "MEDIUM", + "source": "pom", + "name": "developer name", + "value": "Richard Sitze" + }, + { + "type": "vendor", + "confidence": "MEDIUM", + "source": "pom", + "name": "developer name", + "value": "Robert Burrell Donkin" + }, + { + "type": "vendor", + "confidence": "MEDIUM", + "source": "pom", + "name": "developer name", + "value": "Rodney Waldhoff" + }, + { + "type": "vendor", + "confidence": "MEDIUM", + "source": "pom", + "name": "developer name", + "value": "Scott Sanders" + }, + { + "type": "vendor", + "confidence": 
"MEDIUM", + "source": "pom", + "name": "developer org", + "value": "Apache" + }, + { + "type": "vendor", + "confidence": "MEDIUM", + "source": "pom", + "name": "developer org", + "value": "Apache Software Foundation" + }, + { + "type": "vendor", + "confidence": "HIGHEST", + "source": "pom", + "name": "groupid", + "value": "commons-logging" + }, + { + "type": "vendor", + "confidence": "HIGH", + "source": "pom", + "name": "name", + "value": "Logging" + }, + { + "type": "vendor", + "confidence": "HIGH", + "source": "pom", + "name": "organization name", + "value": "The Apache Software Foundation" + }, + { + "type": "vendor", + "confidence": "MEDIUM", + "source": "pom", + "name": "organization url", + "value": "http://jakarta.apache.org" + }, + { + "type": "vendor", + "confidence": "HIGHEST", + "source": "pom", + "name": "url", + "value": "http://jakarta.apache.org/commons/logging/" + } + ], + "productEvidence": [ + { + "type": "product", + "confidence": "HIGH", + "source": "file", + "name": "name", + "value": "commons-logging" + }, + { + "type": "product", + "confidence": "HIGHEST", + "source": "jar", + "name": "package name", + "value": "apache" + }, + { + "type": "product", + "confidence": "HIGHEST", + "source": "jar", + "name": "package name", + "value": "commons" + }, + { + "type": "product", + "confidence": "HIGHEST", + "source": "jar", + "name": "package name", + "value": "logging" + }, + { + "type": "product", + "confidence": "MEDIUM", + "source": "Manifest", + "name": "extension-name", + "value": "org.apache.commons.logging" + }, + { + "type": "product", + "confidence": "HIGHEST", + "source": "pom", + "name": "artifactid", + "value": "commons-logging" + }, + { + "type": "product", + "confidence": "LOW", + "source": "pom", + "name": "developer email", + "value": "baliuka@apache.org" + }, + { + "type": "product", + "confidence": "LOW", + "source": "pom", + "name": "developer email", + "value": "costin at apache dot org" + }, + { + "type": "product", + 
"confidence": "LOW", + "source": "pom", + "name": "developer email", + "value": "craigmcc at apache org" + }, + { + "type": "product", + "confidence": "LOW", + "source": "pom", + "name": "developer email", + "value": "donaldp at apache dot org" + }, + { + "type": "product", + "confidence": "LOW", + "source": "pom", + "name": "developer email", + "value": "morgand at apache dot org" + }, + { + "type": "product", + "confidence": "LOW", + "source": "pom", + "name": "developer email", + "value": "rdonkin at apache dot org" + }, + { + "type": "product", + "confidence": "LOW", + "source": "pom", + "name": "developer email", + "value": "rsitze at apache dot org" + }, + { + "type": "product", + "confidence": "LOW", + "source": "pom", + "name": "developer email", + "value": "rwaldhoff at apache org" + }, + { + "type": "product", + "confidence": "LOW", + "source": "pom", + "name": "developer email", + "value": "sanders at apache dot org" + }, + { + "type": "product", + "confidence": "LOW", + "source": "pom", + "name": "developer id", + "value": "baliuka" + }, + { + "type": "product", + "confidence": "LOW", + "source": "pom", + "name": "developer id", + "value": "costin" + }, + { + "type": "product", + "confidence": "LOW", + "source": "pom", + "name": "developer id", + "value": "craigmcc" + }, + { + "type": "product", + "confidence": "LOW", + "source": "pom", + "name": "developer id", + "value": "donaldp" + }, + { + "type": "product", + "confidence": "LOW", + "source": "pom", + "name": "developer id", + "value": "morgand" + }, + { + "type": "product", + "confidence": "LOW", + "source": "pom", + "name": "developer id", + "value": "rdonkin" + }, + { + "type": "product", + "confidence": "LOW", + "source": "pom", + "name": "developer id", + "value": "rsitze" + }, + { + "type": "product", + "confidence": "LOW", + "source": "pom", + "name": "developer id", + "value": "rwaldhoff" + }, + { + "type": "product", + "confidence": "LOW", + "source": "pom", + "name": "developer id", + 
"value": "sanders" + }, + { + "type": "product", + "confidence": "LOW", + "source": "pom", + "name": "developer name", + "value": "Costin Manolache" + }, + { + "type": "product", + "confidence": "LOW", + "source": "pom", + "name": "developer name", + "value": "Craig McClanahan" + }, + { + "type": "product", + "confidence": "LOW", + "source": "pom", + "name": "developer name", + "value": "Juozas Baliuka" + }, + { + "type": "product", + "confidence": "LOW", + "source": "pom", + "name": "developer name", + "value": "Morgan Delagrange" + }, + { + "type": "product", + "confidence": "LOW", + "source": "pom", + "name": "developer name", + "value": "Peter Donald" + }, + { + "type": "product", + "confidence": "LOW", + "source": "pom", + "name": "developer name", + "value": "Richard Sitze" + }, + { + "type": "product", + "confidence": "LOW", + "source": "pom", + "name": "developer name", + "value": "Robert Burrell Donkin" + }, + { + "type": "product", + "confidence": "LOW", + "source": "pom", + "name": "developer name", + "value": "Rodney Waldhoff" + }, + { + "type": "product", + "confidence": "LOW", + "source": "pom", + "name": "developer name", + "value": "Scott Sanders" + }, + { + "type": "product", + "confidence": "LOW", + "source": "pom", + "name": "developer org", + "value": "Apache" + }, + { + "type": "product", + "confidence": "LOW", + "source": "pom", + "name": "developer org", + "value": "Apache Software Foundation" + }, + { + "type": "product", + "confidence": "HIGHEST", + "source": "pom", + "name": "groupid", + "value": "commons-logging" + }, + { + "type": "product", + "confidence": "HIGH", + "source": "pom", + "name": "name", + "value": "Logging" + }, + { + "type": "product", + "confidence": "LOW", + "source": "pom", + "name": "organization name", + "value": "The Apache Software Foundation" + }, + { + "type": "product", + "confidence": "LOW", + "source": "pom", + "name": "organization url", + "value": "http://jakarta.apache.org" + }, + { + "type": "product", + 
"confidence": "MEDIUM", + "source": "pom", + "name": "url", + "value": "http://jakarta.apache.org/commons/logging/" + } + ], + "versionEvidence": [ + { + "type": "version", + "confidence": "HIGH", + "source": "file", + "name": "version", + "value": "1.0.4" + }, + { + "type": "version", + "confidence": "HIGH", + "source": "Manifest", + "name": "Implementation-Version", + "value": "1.0.4" + }, + { + "type": "version", + "confidence": "HIGHEST", + "source": "pom", + "name": "version", + "value": "1.0.4" + } + ] + }, + "packages": [ + { + "id": "pkg:maven/commons-logging/commons-logging@1.0.4", + "confidence": "HIGH", + "url": "https://ossindex.sonatype.org/component/pkg:maven/commons-logging/commons-logging@1.0.4?utm_source=dependency-check&utm_medium=integration&utm_content=8.0.2" + } + ] + }, + { + "isVirtual": false, + "fileName": "commons-logging-1.1.jar", + "filePath": "/to/path/commons-logging/commons-logging/1.1/commons-logging-1.1.jar", + "md5": "6b62417e77b000a87de66ee3935edbf5", + "sha1": "ba24d5de831911b684c92cd289ed5ff826271824", + "sha256": "9e8d01f172301b966f1f404aa6fc0bdbec478ae9197256ad95bfcad1ef927601", + "description": "Commons Logging is a thin adapter allowing configurable bridging to other,\n well known logging systems.", + "license": "The Apache Software License, Version 2.0: /LICENSE.txt", "projectReferences": [ - "module3:compile" + "module2:compile" + ], + "includedBy": [ + { + "reference": "pkg:maven/org.springframework/spring@2.0.8" + } ], "evidenceCollected": { "vendorEvidence": [ { "type": "vendor", - "confidence": "HIGHEST", - "source": "pom", - "name": "groupid", - "value": "commons-io" + "confidence": "HIGH", + "source": "file", + "name": "name", + "value": "commons-logging" }, { "type": "vendor", - "confidence": "LOW", - "source": "Manifest", - "name": "implementation-build", - "value": "tags/2.4-RC2@r1349569; 2012-06-12 18:18:20-0400" + "confidence": "HIGHEST", + "source": "jar", + "name": "package name", + "value": "apache" }, { 
"type": "vendor", 
@@ -4130,317 +7648,317 @@ { "type": "vendor", "confidence": "HIGHEST", - "source": "pom", - "name": "url", - "value": "http://commons.apache.org/io/" + "source": "jar", + "name": "package name", + "value": "logging" }, { "type": "vendor", - "confidence": "HIGH", - "source": "file", - "name": "name", - "value": "commons-io" + "confidence": "MEDIUM", + "source": "Manifest", + "name": "extension-name", + "value": "org.apache.commons.logging" }, { "type": "vendor", - "confidence": "LOW", - "source": "pom", - "name": "parent-artifactid", - "value": "commons-parent" + "confidence": "HIGH", + "source": "Manifest", + "name": "Implementation-Vendor", + "value": "Apache Software Foundation" }, { "type": "vendor", - "confidence": "HIGH", + "confidence": "MEDIUM", "source": "Manifest", - "name": "Implementation-Vendor", - "value": "The Apache Software Foundation" + "name": "Implementation-Vendor-Id", + "value": "org.apache" }, { "type": "vendor", "confidence": "LOW", "source": "Manifest", "name": "specification-vendor", - "value": "The Apache Software Foundation" + "value": "Apache Software Foundation" + }, + { + "type": "vendor", + "confidence": "HIGHEST", + "source": "pom", + "name": "artifactid", + "value": "commons-logging" }, { "type": "vendor", "confidence": "LOW", "source": "pom", "name": "artifactid", - "value": "commons-io" + "value": "commons-logging" }, { "type": "vendor", - "confidence": "HIGHEST", - "source": "jar", - "name": "package name", - "value": "apache" + "confidence": "LOW", + "source": "pom", + "name": "developer email", + "value": "baliuka@apache.org" }, { "type": "vendor", - "confidence": "MEDIUM", + "confidence": "LOW", "source": "pom", - "name": "parent-groupid", - "value": "org.apache.commons" + "name": "developer email", + "value": "costin at apache dot org" }, { "type": "vendor", - "confidence": "MEDIUM", - "source": "Manifest", - "name": "Implementation-Vendor-Id", - "value": "org.apache" + "confidence": "LOW", + "source": "pom", + "name": 
"developer email", + "value": "craigmcc at apache org" }, { "type": "vendor", - "confidence": "HIGHEST", - "source": "jar", - "name": "package name", - "value": "io" + "confidence": "LOW", + "source": "pom", + "name": "developer email", + "value": "dennisl@apache.org" }, { "type": "vendor", "confidence": "LOW", - "source": "Manifest", - "name": "bundle-docurl", - "value": "http://commons.apache.org/io/" + "source": "pom", + "name": "developer email", + "value": "donaldp at apache dot org" }, { "type": "vendor", - "confidence": "MEDIUM", - "source": "Manifest", - "name": "bundle-symbolicname", - "value": "org.apache.commons.io" + "confidence": "LOW", + "source": "pom", + "name": "developer email", + "value": "morgand at apache dot org" }, { "type": "vendor", - "confidence": "HIGH", + "confidence": "LOW", "source": "pom", - "name": "name", - "value": "Commons IO" - } - ], - "productEvidence": [ + "name": "developer email", + "value": "rdonkin at apache dot org" + }, { - "type": "product", - "confidence": "HIGHEST", + "type": "vendor", + "confidence": "LOW", "source": "pom", - "name": "groupid", - "value": "commons-io" + "name": "developer email", + "value": "rsitze at apache dot org" }, { - "type": "product", + "type": "vendor", + "confidence": "LOW", + "source": "pom", + "name": "developer email", + "value": "rwaldhoff at apache org" + }, + { + "type": "vendor", + "confidence": "LOW", + "source": "pom", + "name": "developer email", + "value": "sanders at apache dot org" + }, + { + "type": "vendor", + "confidence": "LOW", + "source": "pom", + "name": "developer email", + "value": "skitching@apache.org" + }, + { + "type": "vendor", "confidence": "MEDIUM", "source": "pom", - "name": "parent-artifactid", - "value": "commons-parent" + "name": "developer id", + "value": "baliuka" }, { - "type": "product", - "confidence": "HIGH", - "source": "Manifest", - "name": "Implementation-Title", - "value": "Commons IO" + "type": "vendor", + "confidence": "MEDIUM", + "source": 
"pom", + "name": "developer id", + "value": "bstansberry" }, { - "type": "product", + "type": "vendor", "confidence": "MEDIUM", "source": "pom", - "name": "url", - "value": "http://commons.apache.org/io/" + "name": "developer id", + "value": "costin" }, { - "type": "product", - "confidence": "LOW", - "source": "Manifest", - "name": "implementation-build", - "value": "tags/2.4-RC2@r1349569; 2012-06-12 18:18:20-0400" + "type": "vendor", + "confidence": "MEDIUM", + "source": "pom", + "name": "developer id", + "value": "craigmcc" }, { - "type": "product", - "confidence": "HIGHEST", - "source": "jar", - "name": "package name", - "value": "commons" + "type": "vendor", + "confidence": "MEDIUM", + "source": "pom", + "name": "developer id", + "value": "dennisl" }, { - "type": "product", - "confidence": "HIGH", - "source": "file", - "name": "name", - "value": "commons-io" + "type": "vendor", + "confidence": "MEDIUM", + "source": "pom", + "name": "developer id", + "value": "donaldp" }, { - "type": "product", + "type": "vendor", "confidence": "MEDIUM", - "source": "Manifest", - "name": "specification-title", - "value": "Commons IO" + "source": "pom", + "name": "developer id", + "value": "morgand" }, { - "type": "product", - "confidence": "HIGHEST", - "source": "jar", - "name": "package name", - "value": "apache" + "type": "vendor", + "confidence": "MEDIUM", + "source": "pom", + "name": "developer id", + "value": "rdonkin" }, { - "type": "product", + "type": "vendor", "confidence": "MEDIUM", "source": "pom", - "name": "parent-groupid", - "value": "org.apache.commons" + "name": "developer id", + "value": "rsitze" }, { - "type": "product", + "type": "vendor", "confidence": "MEDIUM", - "source": "Manifest", - "name": "Bundle-Name", - "value": "Commons IO" + "source": "pom", + "name": "developer id", + "value": "rwaldhoff" }, { - "type": "product", - "confidence": "HIGHEST", - "source": "jar", - "name": "package name", - "value": "io" + "type": "vendor", + "confidence": "MEDIUM", + 
"source": "pom", + "name": "developer id", + "value": "sanders" }, { - "type": "product", - "confidence": "LOW", - "source": "Manifest", - "name": "bundle-docurl", - "value": "http://commons.apache.org/io/" + "type": "vendor", + "confidence": "MEDIUM", + "source": "pom", + "name": "developer id", + "value": "skitching" }, { - "type": "product", + "type": "vendor", "confidence": "MEDIUM", - "source": "Manifest", - "name": "bundle-symbolicname", - "value": "org.apache.commons.io" + "source": "pom", + "name": "developer name", + "value": "Brian Stansberry" }, { - "type": "product", - "confidence": "HIGHEST", + "type": "vendor", + "confidence": "MEDIUM", "source": "pom", - "name": "artifactid", - "value": "commons-io" + "name": "developer name", + "value": "Costin Manolache" }, { - "type": "product", - "confidence": "HIGH", + "type": "vendor", + "confidence": "MEDIUM", "source": "pom", - "name": "name", - "value": "Commons IO" - } - ], - "versionEvidence": [ + "name": "developer name", + "value": "Craig McClanahan" + }, { - "type": "version", - "confidence": "HIGHEST", + "type": "vendor", + "confidence": "MEDIUM", "source": "pom", - "name": "version", - "value": "2.4" + "name": "developer name", + "value": "Dennis Lundberg" }, { - "type": "version", - "confidence": "LOW", + "type": "vendor", + "confidence": "MEDIUM", "source": "pom", - "name": "parent-version", - "value": "2.4" + "name": "developer name", + "value": "Juozas Baliuka" }, { - "type": "version", - "confidence": "HIGH", - "source": "Manifest", - "name": "Implementation-Version", - "value": "2.4" + "type": "vendor", + "confidence": "MEDIUM", + "source": "pom", + "name": "developer name", + "value": "Morgan Delagrange" }, { - "type": "version", - "confidence": "HIGH", - "source": "file", - "name": "version", - "value": "2.4" - } - ] - }, - "packages": [ - { - "id": "pkg:maven/commons-io/commons-io@2.4", - "confidence": "HIGH", - "url": 
"https://ossindex.sonatype.org/component/pkg:maven/commons-io/commons-io@2.4" - } - ] - }, - { - "isVirtual": false, - "fileName": "commons-logging-1.0.4.jar", - "filePath": "/to/path/commons-logging/commons-logging/1.0.4/commons-logging-1.0.4.jar", - "md5": "8a507817b28077e0478add944c64586a", - "sha1": "f029a2aefe2b3e1517573c580f948caac31b1056", - "sha256": "e94af49749384c11f5aa50e8d0f5fe679be771295b52030338d32843c980351e", - "description": "Commons Logging is a thin adapter allowing configurable bridging to other,\n well known logging systems.", - "license": "The Apache Software License, Version 2.0: /LICENSE.txt", - "projectReferences": [ - "module1:compile" - ], - "evidenceCollected": { - "vendorEvidence": [ + "type": "vendor", + "confidence": "MEDIUM", + "source": "pom", + "name": "developer name", + "value": "Peter Donald" + }, { "type": "vendor", "confidence": "MEDIUM", "source": "pom", - "name": "organization url", - "value": "http://jakarta.apache.org" + "name": "developer name", + "value": "Richard Sitze" }, { "type": "vendor", - "confidence": "HIGHEST", - "source": "jar", - "name": "package name", - "value": "commons" + "confidence": "MEDIUM", + "source": "pom", + "name": "developer name", + "value": "Robert Burrell Donkin" }, { "type": "vendor", - "confidence": "LOW", + "confidence": "MEDIUM", "source": "pom", - "name": "artifactid", - "value": "commons-logging" + "name": "developer name", + "value": "Rodney Waldhoff" }, { "type": "vendor", - "confidence": "HIGH", - "source": "file", - "name": "name", - "value": "commons-logging" + "confidence": "MEDIUM", + "source": "pom", + "name": "developer name", + "value": "Scott Sanders" }, { "type": "vendor", - "confidence": "HIGHEST", - "source": "jar", - "name": "package name", - "value": "apache" + "confidence": "MEDIUM", + "source": "pom", + "name": "developer name", + "value": "Simon Kitching" }, { "type": "vendor", - "confidence": "HIGH", + "confidence": "MEDIUM", "source": "pom", - "name": "organization 
name", - "value": "The Apache Software Foundation" + "name": "developer org", + "value": "Apache" }, { "type": "vendor", "confidence": "MEDIUM", - "source": "Manifest", - "name": "extension-name", - "value": "org.apache.commons.logging" + "source": "pom", + "name": "developer org", + "value": "Apache Software Foundation" }, { "type": "vendor", "confidence": "HIGHEST", - "source": "jar", - "name": "package name", - "value": "logging" + "source": "pom", + "name": "groupid", + "value": "commons-logging" }, { "type": "vendor", 
@@ -4451,54 +7969,54 @@ }, { "type": "vendor", - "confidence": "HIGHEST", + "confidence": "HIGH", "source": "pom", - "name": "groupid", - "value": "commons-logging" + "name": "organization name", + "value": "The Apache Software Foundation" }, { "type": "vendor", - "confidence": "HIGH", - "source": "Manifest", - "name": "Implementation-Vendor", - "value": "Apache Software Foundation" + "confidence": "MEDIUM", + "source": "pom", + "name": "organization url", + "value": "http://jakarta.apache.org" }, { "type": "vendor", "confidence": "HIGHEST", "source": "pom", "name": "url", - "value": "http://jakarta.apache.org/commons/logging/" - }, - { - "type": "vendor", - "confidence": "LOW", - "source": "Manifest", - "name": "specification-vendor", - "value": "Apache Software Foundation" + "value": "http://jakarta.apache.org/commons/${pom.artifactId.substring(8)}/" } ], "productEvidence": [ + { + "type": "product", + "confidence": "HIGH", + "source": "file", + "name": "name", + "value": "commons-logging" + }, { "type": "product", "confidence": "HIGHEST", "source": "jar", "name": "package name", - "value": "commons" + "value": "apache" }, { "type": "product", - "confidence": "LOW", - "source": "pom", - "name": "organization name", - "value": "The Apache Software Foundation" + "confidence": "HIGHEST", + "source": "jar", + "name": "package name", + "value": "commons" }, { "type": "product", - "confidence": "MEDIUM", - "source": "pom", - "name": "url", - "value": "http://jakarta.apache.org/commons/logging/" + "confidence": "HIGHEST", + "source": "jar", + "name": "package name", + "value": "logging" }, { "type": "product", 
@@ -4507,271 +8025,292 @@ "name": "extension-name", "value": "org.apache.commons.logging" }, + { + "type": "product", + "confidence": "HIGH", + "source": "Manifest", + "name": "Implementation-Title", + "value": "Jakarta Commons Logging" + }, + { + "type": "product", + "confidence": "MEDIUM", + "source": "Manifest", + "name": "specification-title", + "value": "Jakarta Commons Logging" + }, { "type": "product", "confidence": "HIGHEST", - "source": "jar", - "name": "package name", - "value": "logging" + "source": "pom", + "name": "artifactid", + "value": "commons-logging" + }, + { + "type": "product", + "confidence": "LOW", + "source": "pom", + "name": "developer email", + "value": "baliuka@apache.org" + }, + { + "type": "product", + "confidence": "LOW", + "source": "pom", + "name": "developer email", + "value": "costin at apache dot org" + }, + { + "type": "product", + "confidence": "LOW", + "source": "pom", + "name": "developer email", + "value": "craigmcc at apache org" + }, + { + "type": "product", + "confidence": "LOW", + "source": "pom", + "name": "developer email", + "value": "dennisl@apache.org" + }, + { + "type": "product", + "confidence": "LOW", + "source": "pom", + "name": "developer email", + "value": "donaldp at apache dot org" }, { "type": "product", - "confidence": "HIGH", + "confidence": "LOW", "source": "pom", - "name": "name", - "value": "Logging" + "name": "developer email", + "value": "morgand at apache dot org" }, { "type": "product", - "confidence": "HIGHEST", + "confidence": "LOW", "source": "pom", - "name": "groupid", - "value": "commons-logging" + "name": "developer email", + "value": "rdonkin at apache dot org" }, { "type": "product", - "confidence": "HIGH", - "source": "file", - "name": "name", - "value": "commons-logging" + "confidence": "LOW", + "source": "pom", + "name": "developer email", + "value": "rsitze at apache dot org" }, { "type": "product", - "confidence": "HIGHEST", + "confidence": "LOW", "source": "pom", - "name": 
"artifactid", - "value": "commons-logging" + "name": "developer email", + "value": "rwaldhoff at apache org" }, { "type": "product", "confidence": "LOW", "source": "pom", - "name": "organization url", - "value": "http://jakarta.apache.org" + "name": "developer email", + "value": "sanders at apache dot org" }, { "type": "product", - "confidence": "HIGHEST", - "source": "jar", - "name": "package name", - "value": "apache" - } - ], - "versionEvidence": [ + "confidence": "LOW", + "source": "pom", + "name": "developer email", + "value": "skitching@apache.org" + }, { - "type": "version", - "confidence": "HIGH", - "source": "file", - "name": "version", - "value": "1.0.4" + "type": "product", + "confidence": "LOW", + "source": "pom", + "name": "developer id", + "value": "baliuka" }, { - "type": "version", - "confidence": "HIGH", - "source": "Manifest", - "name": "Implementation-Version", - "value": "1.0.4" + "type": "product", + "confidence": "LOW", + "source": "pom", + "name": "developer id", + "value": "bstansberry" }, { - "type": "version", - "confidence": "HIGHEST", + "type": "product", + "confidence": "LOW", "source": "pom", - "name": "version", - "value": "1.0.4" - } - ] - }, - "packages": [ - { - "id": "pkg:maven/commons-logging/commons-logging@1.0.4", - "confidence": "HIGH", - "url": "https://ossindex.sonatype.org/component/pkg:maven/commons-logging/commons-logging@1.0.4" - } - ] - }, - { - "isVirtual": false, - "fileName": "commons-logging-1.1.jar", - "filePath": "/to/path/commons-logging/commons-logging/1.1/commons-logging-1.1.jar", - "md5": "6b62417e77b000a87de66ee3935edbf5", - "sha1": "ba24d5de831911b684c92cd289ed5ff826271824", - "sha256": "9e8d01f172301b966f1f404aa6fc0bdbec478ae9197256ad95bfcad1ef927601", - "description": "Commons Logging is a thin adapter allowing configurable bridging to other,\n well known logging systems.", - "license": "The Apache Software License, Version 2.0: /LICENSE.txt", - "projectReferences": [ - "module2:compile" - ], - 
"evidenceCollected": { - "vendorEvidence": [ + "name": "developer id", + "value": "costin" + }, { - "type": "vendor", - "confidence": "MEDIUM", + "type": "product", + "confidence": "LOW", "source": "pom", - "name": "organization url", - "value": "http://jakarta.apache.org" + "name": "developer id", + "value": "craigmcc" }, { - "type": "vendor", - "confidence": "HIGHEST", - "source": "jar", - "name": "package name", - "value": "commons" + "type": "product", + "confidence": "LOW", + "source": "pom", + "name": "developer id", + "value": "dennisl" }, { - "type": "vendor", + "type": "product", "confidence": "LOW", "source": "pom", - "name": "artifactid", - "value": "commons-logging" + "name": "developer id", + "value": "donaldp" }, { - "type": "vendor", - "confidence": "HIGH", - "source": "file", - "name": "name", - "value": "commons-logging" + "type": "product", + "confidence": "LOW", + "source": "pom", + "name": "developer id", + "value": "morgand" }, { - "type": "vendor", - "confidence": "HIGHEST", + "type": "product", + "confidence": "LOW", "source": "pom", - "name": "url", - "value": "http://jakarta.apache.org/commons/${pom.artifactId.substring(8)}/" + "name": "developer id", + "value": "rdonkin" }, { - "type": "vendor", - "confidence": "HIGHEST", - "source": "jar", - "name": "package name", - "value": "apache" + "type": "product", + "confidence": "LOW", + "source": "pom", + "name": "developer id", + "value": "rsitze" }, { - "type": "vendor", - "confidence": "MEDIUM", - "source": "Manifest", - "name": "Implementation-Vendor-Id", - "value": "org.apache" + "type": "product", + "confidence": "LOW", + "source": "pom", + "name": "developer id", + "value": "rwaldhoff" }, { - "type": "vendor", - "confidence": "HIGH", + "type": "product", + "confidence": "LOW", "source": "pom", - "name": "organization name", - "value": "The Apache Software Foundation" + "name": "developer id", + "value": "sanders" }, { - "type": "vendor", - "confidence": "MEDIUM", - "source": "Manifest", - 
"name": "extension-name", - "value": "org.apache.commons.logging" + "type": "product", + "confidence": "LOW", + "source": "pom", + "name": "developer id", + "value": "skitching" }, { - "type": "vendor", - "confidence": "HIGHEST", - "source": "jar", - "name": "package name", - "value": "logging" + "type": "product", + "confidence": "LOW", + "source": "pom", + "name": "developer name", + "value": "Brian Stansberry" }, { - "type": "vendor", - "confidence": "HIGH", + "type": "product", + "confidence": "LOW", "source": "pom", - "name": "name", - "value": "Logging" + "name": "developer name", + "value": "Costin Manolache" }, { - "type": "vendor", - "confidence": "HIGHEST", + "type": "product", + "confidence": "LOW", "source": "pom", - "name": "groupid", - "value": "commons-logging" + "name": "developer name", + "value": "Craig McClanahan" }, { - "type": "vendor", - "confidence": "HIGH", - "source": "Manifest", - "name": "Implementation-Vendor", - "value": "Apache Software Foundation" + "type": "product", + "confidence": "LOW", + "source": "pom", + "name": "developer name", + "value": "Dennis Lundberg" }, { - "type": "vendor", + "type": "product", "confidence": "LOW", - "source": "Manifest", - "name": "specification-vendor", - "value": "Apache Software Foundation" - } - ], - "productEvidence": [ + "source": "pom", + "name": "developer name", + "value": "Juozas Baliuka" + }, { "type": "product", - "confidence": "MEDIUM", - "source": "Manifest", - "name": "specification-title", - "value": "Jakarta Commons Logging" + "confidence": "LOW", + "source": "pom", + "name": "developer name", + "value": "Morgan Delagrange" }, { "type": "product", - "confidence": "HIGHEST", - "source": "jar", - "name": "package name", - "value": "commons" + "confidence": "LOW", + "source": "pom", + "name": "developer name", + "value": "Peter Donald" }, { "type": "product", "confidence": "LOW", "source": "pom", - "name": "organization name", - "value": "The Apache Software Foundation" + "name": 
"developer name", + "value": "Richard Sitze" }, { "type": "product", - "confidence": "HIGH", - "source": "file", - "name": "name", - "value": "commons-logging" + "confidence": "LOW", + "source": "pom", + "name": "developer name", + "value": "Robert Burrell Donkin" }, { "type": "product", - "confidence": "HIGHEST", + "confidence": "LOW", "source": "pom", - "name": "artifactid", - "value": "commons-logging" + "name": "developer name", + "value": "Rodney Waldhoff" }, { "type": "product", "confidence": "LOW", "source": "pom", - "name": "organization url", - "value": "http://jakarta.apache.org" + "name": "developer name", + "value": "Scott Sanders" }, { "type": "product", - "confidence": "HIGHEST", - "source": "jar", - "name": "package name", - "value": "apache" + "confidence": "LOW", + "source": "pom", + "name": "developer name", + "value": "Simon Kitching" }, { "type": "product", - "confidence": "HIGH", - "source": "Manifest", - "name": "Implementation-Title", - "value": "Jakarta Commons Logging" + "confidence": "LOW", + "source": "pom", + "name": "developer org", + "value": "Apache" }, { "type": "product", - "confidence": "MEDIUM", - "source": "Manifest", - "name": "extension-name", - "value": "org.apache.commons.logging" + "confidence": "LOW", + "source": "pom", + "name": "developer org", + "value": "Apache Software Foundation" }, { "type": "product", "confidence": "HIGHEST", - "source": "jar", - "name": "package name", - "value": "logging" + "source": "pom", + "name": "groupid", + "value": "commons-logging" }, { "type": "product", @@ -4782,10 +8321,17 @@ }, { "type": "product", - "confidence": "HIGHEST", + "confidence": "LOW", "source": "pom", - "name": "groupid", - "value": "commons-logging" + "name": "organization name", + "value": "The Apache Software Foundation" + }, + { + "type": "product", + "confidence": "LOW", + "source": "pom", + "name": "organization url", + "value": "http://jakarta.apache.org" }, { "type": "product", 
@@ -4805,16 +8351,16 @@ }, { "type": "version", - "confidence": "HIGHEST", - "source": "pom", - "name": "version", + "confidence": "HIGH", + "source": "Manifest", + "name": "Implementation-Version", "value": "1.1" }, { "type": "version", - "confidence": "HIGH", - "source": "Manifest", - "name": "Implementation-Version", + "confidence": "HIGHEST", + "source": "pom", + "name": "version", "value": "1.1" } ] @@ -4823,7 +8369,7 @@ { "id": "pkg:maven/commons-logging/commons-logging@1.1", "confidence": "HIGH", - "url": "https://ossindex.sonatype.org/component/pkg:maven/commons-logging/commons-logging@1.1" + "url": "https://ossindex.sonatype.org/component/pkg:maven/commons-logging/commons-logging@1.1?utm_source=dependency-check&utm_medium=integration&utm_content=8.0.2" } ] }, @@ -4837,15 +8383,27 @@ "projectReferences": [ "module1:compile" ], + "includedBy": [ + { + "reference": "pkg:maven/struts/struts@1.2.8" + } + ], "evidenceCollected": { "vendorEvidence": [ { "type": "vendor", - "confidence": "MEDIUM", - "source": "Manifest", - "name": "extension-name", + "confidence": "HIGH", + "source": "file", + "name": "name", "value": "commons-validator" }, + { + "type": "vendor", + "confidence": "HIGHEST", + "source": "jar", + "name": "package name", + "value": "apache" + }, { "type": "vendor", "confidence": "HIGHEST", 
@@ -4855,60 +8413,60 @@ }, { "type": "vendor", - "confidence": "LOW", - "source": "pom", - "name": "artifactid", - "value": "commons-validator" + "confidence": "HIGHEST", + "source": "jar", + "name": "package name", + "value": "validator" }, { "type": "vendor", - "confidence": "HIGH", - "source": "file", - "name": "name", + "confidence": "MEDIUM", + "source": "Manifest", + "name": "extension-name", "value": "commons-validator" }, { "type": "vendor", - "confidence": "LOW", + "confidence": "HIGH", "source": "Manifest", - "name": "specification-vendor", + "name": "Implementation-Vendor", "value": "The Apache Software Foundation" }, { "type": "vendor", - "confidence": "HIGH", + "confidence": "LOW", "source": "Manifest", - "name": "Implementation-Vendor", + "name": "specification-vendor", "value": "The Apache Software Foundation" }, { "type": "vendor", "confidence": "HIGHEST", "source": "pom", - "name": "groupid", + "name": "artifactid", "value": "commons-validator" }, { "type": "vendor", - "confidence": "HIGHEST", - "source": "jar", - "name": "package name", - "value": "validator" + "confidence": "LOW", + "source": "pom", + "name": "artifactid", + "value": "commons-validator" }, { "type": "vendor", "confidence": "HIGHEST", - "source": "jar", - "name": "package name", - "value": "apache" + "source": "pom", + "name": "groupid", + "value": "commons-validator" } ], "productEvidence": [ { "type": "product", - "confidence": "MEDIUM", - "source": "Manifest", - "name": "extension-name", + "confidence": "HIGH", + "source": "file", + "name": "name", "value": "commons-validator" }, { 
@@ -4916,21 +8474,14 @@ "confidence": "HIGHEST", "source": "jar", "name": "package name", - "value": "commons" - }, - { - "type": "product", - "confidence": "HIGH", - "source": "file", - "name": "name", - "value": "commons-validator" + "value": "apache" }, { "type": "product", - "confidence": "HIGH", - "source": "Manifest", - "name": "Implementation-Title", - "value": "org.apache.commons.validator" + "confidence": "HIGHEST", + "source": "jar", + "name": "package name", + "value": "commons" }, { "type": "product", @@ -4941,17 +8492,24 @@ }, { "type": "product", - "confidence": "HIGHEST", - "source": "pom", - "name": "groupid", + "confidence": "MEDIUM", + "source": "Manifest", + "name": "extension-name", "value": "commons-validator" }, { "type": "product", - "confidence": "HIGHEST", - "source": "jar", - "name": "package name", - "value": "apache" + "confidence": "HIGH", + "source": "Manifest", + "name": "Implementation-Title", + "value": "org.apache.commons.validator" + }, + { + "type": "product", + "confidence": "MEDIUM", + "source": "Manifest", + "name": "specification-title", + "value": "Commons Validator" }, { "type": "product", @@ -4962,31 +8520,31 @@ }, { "type": "product", - "confidence": "MEDIUM", - "source": "Manifest", - "name": "specification-title", - "value": "Commons Validator" + "confidence": "HIGHEST", + "source": "pom", + "name": "groupid", + "value": "commons-validator" } ], "versionEvidence": [ { "type": "version", "confidence": "HIGH", - "source": "Manifest", - "name": "Implementation-Version", + "source": "file", + "name": "version", "value": "1.1.4" }, { "type": "version", - "confidence": "HIGHEST", - "source": "pom", - "name": "version", + "confidence": "HIGH", + "source": "Manifest", + "name": "Implementation-Version", "value": "1.1.4" }, { "type": "version", - "confidence": "HIGH", - "source": "file", + "confidence": "HIGHEST", + "source": "pom", "name": "version", "value": "1.1.4" } 
@@ -4996,7 +8554,7 @@ { "id": "pkg:maven/commons-validator/commons-validator@1.1.4", "confidence": "HIGH", - "url": "https://ossindex.sonatype.org/component/pkg:maven/commons-validator/commons-validator@1.1.4" + "url": "https://ossindex.sonatype.org/component/pkg:maven/commons-validator/commons-validator@1.1.4?utm_source=dependency-check&utm_medium=integration&utm_content=8.0.2" } ] }, @@ -5236,42 +8794,47 @@ "projectReferences": [ "module1:compile" ], + "includedBy": [ + { + "reference": "pkg:maven/com.example/module1@1.0.0" + } + ], "evidenceCollected": { "vendorEvidence": [ { "type": "vendor", - "confidence": "LOW", - "source": "pom", - "name": "artifactid", + "confidence": "HIGH", + "source": "file", + "name": "name", "value": "javax.mail" }, { "type": "vendor", - "confidence": "MEDIUM", - "source": "Manifest", - "name": "probe-provider-xml-file-names", - "value": "META-INF/gfprobe-provider.xml" + "confidence": "HIGHEST", + "source": "jar", + "name": "package name", + "value": "javax" }, { "type": "vendor", - "confidence": "HIGH", - "source": "file", - "name": "name", - "value": "javax.mail" + "confidence": "HIGHEST", + "source": "jar", + "name": "package name", + "value": "mail" }, { "type": "vendor", - "confidence": "MEDIUM", - "source": "Manifest", - "name": "extension-name", - "value": "javax.mail" + "confidence": "HIGHEST", + "source": "jar", + "name": "package name", + "value": "provider" }, { "type": "vendor", "confidence": "HIGHEST", "source": "jar", "name": "package name", - "value": "provider" + "value": "sun" }, { "type": "vendor", 
@@ -5280,6 +8843,27 @@ "name": "package name", "value": "oracle" }, + { + "type": "vendor", + "confidence": "LOW", + "source": "Manifest", + "name": "bundle-docurl", + "value": "http://www.oracle.com" + }, + { + "type": "vendor", + "confidence": "MEDIUM", + "source": "Manifest", + "name": "bundle-symbolicname", + "value": "com.sun.mail.javax.mail" + }, + { + "type": "vendor", + "confidence": "MEDIUM", + "source": "Manifest", + "name": "extension-name", + "value": "javax.mail" + }, { "type": "vendor", "confidence": "HIGH", @@ -5296,10 +8880,10 @@ }, { "type": "vendor", - "confidence": "LOW", - "source": "pom", - "name": "parent-artifactid", - "value": "all" + "confidence": "MEDIUM", + "source": "Manifest", + "name": "probe-provider-xml-file-names", + "value": "META-INF/gfprobe-provider.xml" }, { "type": "vendor", 
@@ -5308,119 +8892,140 @@ "name": "specification-vendor", "value": "Oracle" }, + { + "type": "vendor", + "confidence": "HIGH", + "source": "Manifest (hint)", + "name": "Implementation-Vendor", + "value": "sun" + }, { "type": "vendor", "confidence": "LOW", - "source": "Manifest", - "name": "bundle-docurl", - "value": "http://www.oracle.com" + "source": "Manifest (hint)", + "name": "specification-vendor", + "value": "sun" }, { "type": "vendor", "confidence": "HIGHEST", "source": "pom", - "name": "groupid", - "value": "sun.mail" + "name": "artifactid", + "value": "javax.mail" }, { "type": "vendor", - "confidence": "HIGHEST", - "source": "jar", - "name": "package name", - "value": "mail" + "confidence": "LOW", + "source": "pom", + "name": "artifactid", + "value": "javax.mail" }, { "type": "vendor", - "confidence": "HIGH", - "source": "Manifest (hint)", - "name": "Implementation-Vendor", - "value": "sun" + "confidence": "HIGHEST", + "source": "pom", + "name": "groupid", + "value": "com.sun.mail" }, { "type": "vendor", - "confidence": "HIGHEST", - "source": "jar", - "name": "package name", - "value": "sun" + "confidence": "HIGH", + "source": "pom", + "name": "name", + "value": "JavaMail API" }, { "type": "vendor", "confidence": "LOW", - "source": "Manifest (hint)", - "name": "specification-vendor", - "value": "sun" + "source": "pom", + "name": "parent-artifactid", + "value": "all" + } + ], + "productEvidence": [ + { + "type": "product", + "confidence": "HIGH", + "source": "file", + "name": "name", + "value": "javax.mail" }, { - "type": "vendor", - "confidence": "MEDIUM", - "source": "Manifest", - "name": "bundle-symbolicname", - "value": "com.sun.mail.javax.mail" + "type": "product", + "confidence": "HIGHEST", + "source": "jar", + "name": "package name", + "value": "javax" }, { - "type": "vendor", - "confidence": "MEDIUM", - "source": "pom", - "name": "parent-groupid", - "value": "com.sun.mail" + "type": "product", + "confidence": "HIGHEST", + "source": "jar", + "name": 
"package name", + "value": "mail" }, { - "type": "vendor", + "type": "product", "confidence": "HIGHEST", "source": "jar", "name": "package name", - "value": "javax" + "value": "provider" }, { - "type": "vendor", + "type": "product", "confidence": "HIGHEST", - "source": "pom", - "name": "groupid", - "value": "com.sun.mail" + "source": "jar", + "name": "package name", + "value": "sun" }, { - "type": "vendor", - "confidence": "HIGH", - "source": "pom", - "name": "name", + "type": "product", + "confidence": "LOW", + "source": "Manifest", + "name": "bundle-docurl", + "value": "http://www.oracle.com" + }, + { + "type": "product", + "confidence": "MEDIUM", + "source": "Manifest", + "name": "Bundle-Name", "value": "JavaMail API" - } - ], - "productEvidence": [ + }, { "type": "product", "confidence": "MEDIUM", "source": "Manifest", - "name": "probe-provider-xml-file-names", - "value": "META-INF/gfprobe-provider.xml" + "name": "bundle-symbolicname", + "value": "com.sun.mail.javax.mail" }, { "type": "product", - "confidence": "HIGH", - "source": "file", - "name": "name", + "confidence": "MEDIUM", + "source": "Manifest", + "name": "extension-name", "value": "javax.mail" }, { "type": "product", - "confidence": "MEDIUM", + "confidence": "HIGH", "source": "Manifest", - "name": "Bundle-Name", - "value": "JavaMail API" + "name": "Implementation-Title", + "value": "javax.mail" }, { "type": "product", "confidence": "MEDIUM", - "source": "pom", - "name": "parent-artifactid", - "value": "all" + "source": "Manifest", + "name": "probe-provider-xml-file-names", + "value": "META-INF/gfprobe-provider.xml" }, { "type": "product", "confidence": "MEDIUM", "source": "Manifest", - "name": "extension-name", - "value": "javax.mail" + "name": "specification-title", + "value": "JavaMail(TM) API Design Specification" }, { "type": "product", 
@@ -5432,826 +9037,1942 @@ { "type": "product", "confidence": "HIGHEST", - "source": "jar", - "name": "package name", - "value": "provider" + "source": "pom", + "name": "groupid", + "value": "com.sun.mail" + }, + { + "type": "product", + "confidence": "HIGH", + "source": "pom", + "name": "name", + "value": "JavaMail API" }, { "type": "product", "confidence": "MEDIUM", + "source": "pom", + "name": "parent-artifactid", + "value": "all" + } + ], + "versionEvidence": [ + { + "type": "version", + "confidence": "HIGH", + "source": "file", + "name": "version", + "value": "1.4.4" + }, + { + "type": "version", + "confidence": "HIGH", "source": "Manifest", - "name": "specification-title", - "value": "JavaMail(TM) API Design Specification" + "name": "Bundle-Version", + "value": "1.4.4" }, { - "type": "product", - "confidence": "LOW", + "type": "version", + "confidence": "HIGH", "source": "Manifest", - "name": "bundle-docurl", - "value": "http://www.oracle.com" + "name": "Implementation-Version", + "value": "1.4.4" }, { - "type": "product", + "type": "version", "confidence": "HIGHEST", "source": "pom", - "name": "groupid", - "value": "sun.mail" + "name": "version", + "value": "1.4.4" + } + ] + }, + "packages": [ + { + "id": "pkg:maven/com.sun.mail/javax.mail@1.4.4", + "confidence": "HIGH", + "url": "https://ossindex.sonatype.org/component/pkg:maven/com.sun.mail/javax.mail@1.4.4?utm_source=dependency-check&utm_medium=integration&utm_content=8.0.2" + } + ] + }, + { + "isVirtual": false, + "fileName": "log4j-1.2.12.jar", + "filePath": "/to/path/log4j/log4j/1.2.12/log4j-1.2.12.jar", + "md5": "223504f742addd3f631ed8bdf689f1c9", + "sha1": "057b8740427ee6d7b0b60792751356cad17dc0d9", + "sha256": "dc67378cf428c06408e7959e83bdc1518dd22ccd313e7c28a986612d65c276c7", + "projectReferences": [ + "module2:compile" + ], + "includedBy": [ + { + "reference": "pkg:maven/org.springframework/spring@2.0.8" + } + ], + "evidenceCollected": { + "vendorEvidence": [ + { + "type": "vendor", + 
"confidence": "HIGH", + "source": "file", + "name": "name", + "value": "log4j" }, { - "type": "product", + "type": "vendor", "confidence": "HIGHEST", "source": "jar", "name": "package name", - "value": "mail" + "value": "apache" }, { - "type": "product", + "type": "vendor", "confidence": "HIGHEST", "source": "jar", "name": "package name", - "value": "sun" + "value": "log4j" + }, + { + "type": "vendor", + "confidence": "MEDIUM", + "source": "manifest: org/apache/log4j/", + "name": "Implementation-Vendor", + "value": "\"Apache Software Foundation\"" + }, + { + "type": "vendor", + "confidence": "HIGHEST", + "source": "pom", + "name": "artifactid", + "value": "log4j" + }, + { + "type": "vendor", + "confidence": "LOW", + "source": "pom", + "name": "artifactid", + "value": "log4j" }, + { + "type": "vendor", + "confidence": "HIGHEST", + "source": "pom", + "name": "groupid", + "value": "log4j" + } + ], + "productEvidence": [ { "type": "product", "confidence": "HIGH", - "source": "Manifest", - "name": "Implementation-Title", - "value": "javax.mail" + "source": "file", + "name": "name", + "value": "log4j" }, { "type": "product", - "confidence": "MEDIUM", - "source": "Manifest", - "name": "bundle-symbolicname", - "value": "com.sun.mail.javax.mail" + "confidence": "HIGHEST", + "source": "jar", + "name": "package name", + "value": "log4j" }, { "type": "product", "confidence": "MEDIUM", - "source": "pom", - "name": "parent-groupid", - "value": "com.sun.mail" + "source": "manifest: org/apache/log4j/", + "name": "Implementation-Title", + "value": "log4j" }, { "type": "product", "confidence": "HIGHEST", - "source": "jar", - "name": "package name", - "value": "javax" + "source": "pom", + "name": "artifactid", + "value": "log4j" }, { "type": "product", - "confidence": "HIGH", + "confidence": "HIGHEST", "source": "pom", - "name": "name", - "value": "JavaMail API" + "name": "groupid", + "value": "log4j" } ], "versionEvidence": [ { "type": "version", - "confidence": "HIGHEST", - 
"source": "pom", + "confidence": "HIGH", + "source": "file", "name": "version", - "value": "1.4.4" + "value": "1.2.12" }, { "type": "version", - "confidence": "HIGH", - "source": "file", + "confidence": "MEDIUM", + "source": "manifest: org/apache/log4j/", + "name": "Implementation-Version", + "value": "1.2.12" + }, + { + "type": "version", + "confidence": "HIGHEST", + "source": "pom", "name": "version", - "value": "1.4.4" + "value": "1.2.12" + } + ] + }, + "packages": [ + { + "id": "pkg:maven/log4j/log4j@1.2.12", + "confidence": "HIGH", + "url": "https://ossindex.sonatype.org/component/pkg:maven/log4j/log4j@1.2.12?utm_source=dependency-check&utm_medium=integration&utm_content=8.0.2" + } + ], + "vulnerabilityIds": [ + { + "id": "cpe:2.3:a:apache:log4j:1.2.12:*:*:*:*:*:*:*", + "confidence": "HIGHEST", + "url": "https://nvd.nist.gov/vuln/search/results?form_type=Advanced&results_type=overview&search_type=all&cpe_vendor=cpe%3A%2F%3Aapache&cpe_product=cpe%3A%2F%3Aapache%3Alog4j&cpe_version=cpe%3A%2F%3Aapache%3Alog4j%3A1.2.12" + } + ], + "vulnerabilities": [ + { + "source": "NVD", + "name": "CVE-2019-17571", + "severity": "CRITICAL", + "cvssv2": { + "score": 7.5, + "accessVector": "NETWORK", + "accessComplexity": "LOW", + "authenticationr": "NONE", + "confidentialImpact": "PARTIAL", + "integrityImpact": "PARTIAL", + "availabilityImpact": "PARTIAL", + "severity": "HIGH", + "version": "2.0", + "exploitabilityScore": "10.0", + "impactScore": "6.4" }, - { - "type": "version", - "confidence": "HIGH", - "source": "Manifest", - "name": "Bundle-Version", - "value": "1.4.4" + "cvssv3": { + "baseScore": 9.8, + "attackVector": "NETWORK", + "attackComplexity": "LOW", + "privilegesRequired": "NONE", + "userInteraction": "NONE", + "scope": "UNCHANGED", + "confidentialityImpact": "HIGH", + "integrityImpact": "HIGH", + "availabilityImpact": "HIGH", + "baseSeverity": "CRITICAL", + "exploitabilityScore": "3.9", + "impactScore": "5.9", + "version": "3.1" }, - { - "type": "version", - 
"confidence": "HIGH", - "source": "Manifest", - "name": "Implementation-Version", - "value": "1.4.4" - } - ] - }, - "packages": [ + "cwes": [ + "CWE-502" + ], + "description": "Included in Log4j 1.2 is a SocketServer class that is vulnerable to deserialization of untrusted data which can be exploited to remotely execute arbitrary code when combined with a deserialization gadget when listening to untrusted network traffic for log data. This affects Log4j versions up to 1.2 up to 1.2.17.", + "notes": "", + "references": [ + { + "source": "MISC", + "url": "https://www.oracle.com/security-alerts/cpuapr2022.html", + "name": "https://www.oracle.com/security-alerts/cpuapr2022.html" + }, + { + "source": "MLIST", + "url": "https://lists.apache.org/thread.html/rd882ab6b642fe59cbbe94dc02bd197342058208f482e57b537940a4b@%3Cpluto-dev.portals.apache.org%3E", + "name": "[portals-pluto-dev] 20210629 [jira] [Updated] (PLUTO-787) Migrate from Log4j 1.x to Log4j 2.x due to CVE-2019-17571" + }, + { + "source": "MLIST", + "url": "https://lists.apache.org/thread.html/r696507338dd5f44efc23d98cafe30f217cf3ba78e77ed1324c7a5179@%3Cjira.kafka.apache.org%3E", + "name": "[kafka-jira] 20200514 [GitHub] [kafka] jeffhuang26 commented on pull request #7898: KAFKA-9366: please consider upgrade log4j to log4j2 due to critical security problem CVE-2019-17571" + }, + { + "source": "MLIST", + "url": "https://lists.apache.org/thread.html/rd3a9511eebab60e23f224841390a3f8cd5358cff605c5f7042171e47@%3Cdev.tinkerpop.apache.org%3E", + "name": "[tinkerpop-dev] 20210316 [jira] [Created] (TINKERPOP-2534) Log4j flagged as critical security violation" + }, + { + "source": "MLIST", + "url": "https://lists.apache.org/thread.html/r2756fd570b6709d55a61831ca028405bcb3e312175a60bc5d911c81f@%3Cjira.kafka.apache.org%3E", + "name": "[kafka-jira] 20200105 [jira] [Updated] (KAFKA-9366) please consider upgrade log4j to log4j2 due to critical security problem CVE-2019-17571" + }, + { + "source": "MLIST", + "url": 
"https://lists.apache.org/thread.html/rbdf18e39428b5c80fc35113470198b1fe53b287a76a46b0f8780b5fd@%3Cdev.zookeeper.apache.org%3E", + "name": "[zookeeper-dev] 20200107 [jira] [Created] (ZOOKEEPER-3677) owasp checker failing for - CVE-2019-17571 Apache Log4j 1.2 deserialization of untrusted data in SocketServer" + }, + { + "source": "MLIST", + "url": "https://lists.apache.org/thread.html/rbf4ce74b0d1fa9810dec50ba3ace0caeea677af7c27a97111c06ccb7@%3Cusers.kafka.apache.org%3E", + "name": "[kafka-users] 20210901 Re: [EXTERNAL] Re: Security vulnerabilities in kafka:2.13-2.6.0/2.7.0 docker image" + }, + { + "source": "MLIST", + "url": "https://lists.apache.org/thread.html/r6d34da5a0ca17ab08179a30c971446c7421af0e96f6d60867eabfc52@%3Cissues.bookkeeper.apache.org%3E", + "name": "[bookkeeper-issues] 20211006 [GitHub] [bookkeeper] eolivelli commented on a change in pull request #2816: Issue 2815: Upgrade to log4j2 to get rid of CVE-2019-17571" + }, + { + "source": "MLIST", + "url": "https://lists.apache.org/thread.html/rcd71280585425dad7e232f239c5709e425efdd0d3de4a92f808a4767@%3Cissues.bookkeeper.apache.org%3E", + "name": "[bookkeeper-issues] 20211018 [GitHub] [bookkeeper] RaulGracia commented on pull request #2816: Issue 2815: Upgrade to log4j2 to get rid of CVE-2019-17571" + }, + { + "source": "MLIST", + "url": "https://lists.apache.org/thread.html/r909b8e3a36913944d3b7bafe9635d4ca84f8f0e2cd146a1784f667c2@%3Cissues.zookeeper.apache.org%3E", + "name": "[zookeeper-issues] 20200129 [jira] [Updated] (ZOOKEEPER-3677) owasp checker failing for - CVE-2019-17571 Apache Log4j 1.2 deserialization of untrusted data in SocketServer" + }, + { + "source": "MLIST", + "url": "https://lists.apache.org/thread.html/ra9611a8431cb62369bce8909d7645597e1dd45c24b448836b1e54940@%3Cissues.bookkeeper.apache.org%3E", + "name": "[bookkeeper-issues] 20211017 [GitHub] [bookkeeper] zymap commented on pull request #2816: Issue 2815: Upgrade to log4j2 to get rid of CVE-2019-17571" + }, + { + "source": "MLIST", 
+ "url": "https://lists.apache.org/thread.html/r4b25538be50126194cc646836c718b1a4d8f71bd9c912af5b59134ad@%3Cdev.tika.apache.org%3E", + "name": "[tika-dev] 20200115 [jira] [Commented] (TIKA-3019) [9.8] [CVE-2019-17571] [tika-app] [1.23]" + }, + { + "source": "MLIST", + "url": "https://lists.apache.org/thread.html/r8e3f7da12bf5750b0a02e69a78a61073a2ac950eed7451ce70a65177@%3Ccommits.zookeeper.apache.org%3E", + "name": "[zookeeper-commits] 20200118 [zookeeper] branch master updated: ZOOKEEPER-3677: owasp checker failing for - CVE-2019-17571 Apache Log4j 1.2 deserialization of untrusted data in SocketServer" + }, + { + "source": "OSSINDEX", + "url": "https://ossindex.sonatype.org/vulnerability/CVE-2019-17571?component-type=maven&component-name=log4j%2Flog4j&utm_source=dependency-check&utm_medium=integration&utm_content=8.0.2", + "name": "[CVE-2019-17571] CWE-502: Deserialization of Untrusted Data" + }, + { + "source": "CONFIRM", + "url": "https://lists.apache.org/thread.html/eea03d504b36e8f870e8321d908e1def1addda16adda04327fe7c125%40%3Cdev.logging.apache.org%3E", + "name": "https://lists.apache.org/thread.html/eea03d504b36e8f870e8321d908e1def1addda16adda04327fe7c125%40%3Cdev.logging.apache.org%3E" + }, + { + "source": "MLIST", + "url": "https://lists.apache.org/thread.html/564f03b4e9511fcba29c68fc0299372dadbdb002718fa8edcc4325e4@%3Cjira.kafka.apache.org%3E", + "name": "[kafka-jira] 20200105 [jira] [Created] (KAFKA-9366) please consider upgrade log4j to log4j2 due to critical security problem CVE-2019-17571" + }, + { + "source": "MLIST", + "url": "https://lists.apache.org/thread.html/r18f1c010b554a3a2d761e8ffffd8674fd4747bcbcf16c643d708318c@%3Cissues.activemq.apache.org%3E", + "name": "[activemq-issues] 20200228 [jira] [Updated] (AMQ-7370) log4j 1.2 version used by AMQ 5.15.10 / 5.15.11 is vulnerable to CVE-2019-17571" + }, + { + "source": "MLIST", + "url": 
"https://lists.apache.org/thread.html/r3bf7b982dfa0779f8a71f843d2aa6b4184a53e6be7f149ee079387fd@%3Cdev.kafka.apache.org%3E", + "name": "[kafka-dev] 20210611 Re: [DISCUSS] KIP-719: Add Log4J2 Appender" + }, + { + "source": "MLIST", + "url": "https://lists.apache.org/thread.html/rf2567488cfc9212b42e34c6393cfa1c14e30e4838b98dda84d71041f@%3Cdev.tika.apache.org%3E", + "name": "[tika-dev] 20200106 [jira] [Commented] (TIKA-3019) [9.8] [CVE-2019-17571] [tika-app] [1.23]" + }, + { + "source": "MLIST", + "url": "https://lists.apache.org/thread.html/r2ff63f210842a3c5e42f03a35d8f3a345134d073c80a04077341c211@%3Cissues.activemq.apache.org%3E", + "name": "[activemq-issues] 20200122 [jira] [Assigned] (AMQ-7370) log4j 1.2 version used by AMQ 5.15.10 / 5.15.11 is vulnerable to CVE-2019-17571" + }, + { + "source": "MLIST", + "url": "https://lists.apache.org/thread.html/r594411f4bddebaf48a4c70266d0b7849e0d82bb72826f61b3a35bba7@%3Cissues.bookkeeper.apache.org%3E", + "name": "[bookkeeper-issues] 20211006 [GitHub] [bookkeeper] RaulGracia opened a new pull request #2816: Issue 2815: Upgrade to log4j2 to get rid of CVE-2019-17571" + }, + { + "source": "MLIST", + "url": "https://lists.apache.org/thread.html/479471e6debd608c837b9815b76eab24676657d4444fcfd5ef96d6e6@%3Cdev.tika.apache.org%3E", + "name": "[tika-dev] 20191230 [jira] [Created] (TIKA-3019) [9.8] [CVE-2019-17571] [tika-app] [1.23]" + }, + { + "source": "MLIST", + "url": "https://lists.apache.org/thread.html/r6aec6b8f70167fa325fb98b3b5c9ce0ffaed026e697b69b85ac24628@%3Cissues.zookeeper.apache.org%3E", + "name": "[zookeeper-issues] 20200108 [jira] [Assigned] (ZOOKEEPER-3677) owasp checker failing for - CVE-2019-17571 Apache Log4j 1.2 deserialization of untrusted data in SocketServer" + }, + { + "source": "MLIST", + "url": "https://lists.apache.org/thread.html/r8c6300245c0bcef095e9f07b48157e2c6471df0816db3408fcf1d748@%3Ccommon-issues.hadoop.apache.org%3E", + "name": "[hadoop-common-issues] 20200824 [jira] [Comment Edited] 
(HADOOP-17221) update log4j-1.2.17 to atlassian version( To Adress: CVE-2019-17571)" + }, + { + "source": "MLIST", + "url": "https://lists.apache.org/thread.html/ra54fa49be3e773d99ccc9c2a422311cf77e3ecd3b8594ee93043a6b1@%3Cdev.zookeeper.apache.org%3E", + "name": "[zookeeper-dev] 20201103 [jira] [Created] (ZOOKEEPER-3990) Log4j 1.2.17 used by zookeeper 3.6.1 is vulnerable to CVE-2019-17571" + }, + { + "source": "MLIST", + "url": "https://lists.apache.org/thread.html/r48d5019bd42e0770f7e5351e420a63a41ff1f16924942442c6aff6a8@%3Ccommits.zookeeper.apache.org%3E", + "name": "[zookeeper-commits] 20200118 [zookeeper] branch branch-3.6 updated: ZOOKEEPER-3677: owasp checker failing for - CVE-2019-17571 Apache Log4j 1.2 deserialization of untrusted data in SocketServer" + }, + { + "source": "MLIST", + "url": "https://lists.apache.org/thread.html/rc1eaed7f7d774d5d02f66e49baced31e04827a1293d61a70bd003ca7@%3Cdev.tika.apache.org%3E", + "name": "[tika-dev] 20200108 [jira] [Commented] (TIKA-3019) [9.8] [CVE-2019-17571] [tika-app] [1.23]" + }, + { + "source": "MLIST", + "url": "https://lists.apache.org/thread.html/rec34b1cccf907898e7cb36051ffac3ccf1ea89d0b261a2a3b3fb267f@%3Ccommits.zookeeper.apache.org%3E", + "name": "[zookeeper-commits] 20200504 [zookeeper] branch branch-3.5 updated: ZOOKEEPER-3817: suppress log4j SmtpAppender related CVE-2020-9488" + }, + { + "source": "MLIST", + "url": "https://lists.apache.org/thread.html/rb3c94619728c8f8c176d8e175e0a1086ca737ecdfcd5a2214bb768bc@%3Ccommits.bookkeeper.apache.org%3E", + "name": "[bookkeeper-commits] 20211014 [bookkeeper] branch master updated: Issue 2815: Upgrade to log4j2 to get rid of CVE-2019-17571 (#2816)" + }, + { + "source": "MLIST", + "url": "https://lists.apache.org/thread.html/r2ce8d26154bea939536e6cf27ed02d3192bf5c5d04df885a80fe89b3@%3Cissues.activemq.apache.org%3E", + "name": "[activemq-issues] 20200208 [jira] [Commented] (AMQ-7370) log4j 1.2 version used by AMQ 5.15.10 / 5.15.11 is vulnerable to CVE-2019-17571" + }, + 
{ + "source": "MLIST", + "url": "https://lists.apache.org/thread.html/rf9c19bcc2f7a98a880fa3e3456c003d331812b55836b34ef648063c9@%3Cjira.kafka.apache.org%3E", + "name": "[kafka-jira] 20200529 [GitHub] [kafka] ijuma commented on pull request #7898: KAFKA-9366: please consider upgrade log4j to log4j2 due to critical security problem CVE-2019-17571" + }, + { + "source": "MISC", + "url": "https://www.oracle.com/security-alerts/cpujul2020.html", + "name": "https://www.oracle.com/security-alerts/cpujul2020.html" + }, + { + "source": "MLIST", + "url": "https://lists.apache.org/thread.html/r9fb3238cfc3222f2392ca6517353aadae18f76866157318ac562e706@%3Ccommon-issues.hadoop.apache.org%3E", + "name": "[hadoop-common-issues] 20200824 [jira] [Comment Edited] (HADOOP-17221) update log4j-1.2.17 to atlassian version( To Address: CVE-2019-17571)" + }, + { + "source": "MLIST", + "url": "https://lists.apache.org/thread.html/r1b103833cb5bc8466e24ff0ecc5e75b45a705334ab6a444e64e840a0@%3Cissues.bookkeeper.apache.org%3E", + "name": "[bookkeeper-issues] 20200729 [GitHub] [bookkeeper] padma81 opened a new issue #2387: Security vulnerabilities in the apache/bookkeeper-4.9.2 image" + }, + { + "source": "MLIST", + "url": "https://lists.apache.org/thread.html/r9d2e28e71f91ba0b6f4114c8ecd96e2b1f7e0d06bdf8eb768c183aa9@%3Ccommon-issues.hadoop.apache.org%3E", + "name": "[hadoop-common-issues] 20211006 [jira] [Commented] (HADOOP-17221) update log4j-1.2.17 to atlassian version( To Address: CVE-2019-17571)" + }, + { + "source": "MLIST", + "url": "https://lists.apache.org/thread.html/r3543ead2317dcd3306f69ee37b07dd383dbba6e2f47ff11eb55879ad@%3Cusers.activemq.apache.org%3E", + "name": "[activemq-users] 20210427 Re: Release date for ActiveMQ v5.16.2 to fix CVEs" + }, + { + "source": "MLIST", + "url": "https://lists.apache.org/thread.html/r9dc2505651788ac668299774d9e7af4dc616be2f56fdc684d1170882@%3Cusers.activemq.apache.org%3E", + "name": "[activemq-users] 20210830 Security issues" + }, + { + "source": 
"MLIST", + "url": "https://lists.apache.org/thread.html/r8890b8f18f1de821595792b58b968a89692a255bc20d86d395270740@%3Ccommits.druid.apache.org%3E", + "name": "[druid-commits] 20200406 [GitHub] [druid] ccaominh commented on issue #9579: Add Apache Ranger Authorization" + }, + { + "source": "MLIST", + "url": "https://lists.apache.org/thread.html/r5c084578b3e3b40bd903c9d9e525097421bcd88178e672f612102eb2@%3Cjira.kafka.apache.org%3E", + "name": "[kafka-jira] 20210211 [GitHub] [kafka] ch4rl353y commented on pull request #7898: KAFKA-9366: Change log4j dependency into log4j2" + }, + { + "source": "MLIST", + "url": "https://lists.apache.org/thread.html/rbd19de368abf0764e4383ec44d527bc9870176f488a494f09a40500d@%3Ccommon-dev.hadoop.apache.org%3E", + "name": "[hadoop-common-dev] 20200824 [jira] [Created] (HADOOP-17221) Upgrade log4j-1.2.17 to atlassian ( To Adress: CVE-2019-17571)" + }, + { + "source": "MLIST", + "url": "https://lists.apache.org/thread.html/rd6254837403e8cbfc7018baa9be29705f3f06bd007c83708f9a97679@%3Cissues.zookeeper.apache.org%3E", + "name": "[zookeeper-issues] 20200118 [jira] [Resolved] (ZOOKEEPER-3677) owasp checker failing for - CVE-2019-17571 Apache Log4j 1.2 deserialization of untrusted data in SocketServer" + }, + { + "source": "MLIST", + "url": "https://lists.apache.org/thread.html/r6b45a2fcc8e98ac93a179183dbb7f340027bdb8e3ab393418076b153@%3Ccommon-issues.hadoop.apache.org%3E", + "name": "[hadoop-common-issues] 20200824 [jira] [Commented] (HADOOP-17221) Upgrade log4j-1.2.17 to atlassian ( To Adress: CVE-2019-17571)" + }, + { + "source": "MLIST", + "url": "https://lists.apache.org/thread.html/r1b7734dfdfd938640f2f5fb6f4231a267145c71ed60cc7faa1cbac07@%3Ccommon-issues.hadoop.apache.org%3E", + "name": "[hadoop-common-issues] 20200824 [jira] [Updated] (HADOOP-17221) update log4j-1.2.17 to atlassian version( To Adress: CVE-2019-17571)" + }, + { + "source": "MLIST", + "url": 
"https://lists.apache.org/thread.html/r8418a0dff1729f19cf1024937e23a2db4c0f94f2794a423f5c10e8e7@%3Cissues.bookkeeper.apache.org%3E", + "name": "[bookkeeper-issues] 20211017 [GitHub] [bookkeeper] eolivelli commented on a change in pull request #2816: Issue 2815: Upgrade to log4j2 to get rid of CVE-2019-17571" + }, + { + "source": "MLIST", + "url": "https://lists.apache.org/thread.html/rd5dbeee4808c0f2b9b51479b50de3cc6adb1072c332a200d9107f13e@%3Cissues.activemq.apache.org%3E", + "name": "[activemq-issues] 20200122 [jira] [Updated] (AMQ-7370) log4j 1.2 version used by AMQ 5.15.10 / 5.15.11 is vulnerable to CVE-2019-17571" + }, + { + "source": "OSSIndex", + "url": "https://lists.apache.org/thread.html/84cc4266238e057b95eb95dfd8b29d46a2592e7672c12c92f68b2917%40%3Cannounce.apache.org%3E", + "name": "https://lists.apache.org/thread.html/84cc4266238e057b95eb95dfd8b29d46a2592e7672c12c92f68b2917%40%3Cannounce.apache.org%3E" + }, + { + "source": "MLIST", + "url": "https://lists.apache.org/thread.html/r26244f9f7d9a8a27a092eb0b2a0ca9395e88fcde8b5edaeca7ce569c@%3Ccommon-issues.hadoop.apache.org%3E", + "name": "[hadoop-common-issues] 20200824 [jira] [Assigned] (HADOOP-17221) Upgrade log4j-1.2.17 to atlassian ( To Adress: CVE-2019-17571)" + }, + { + "source": "MLIST", + "url": "https://lists.apache.org/thread.html/rca24a281000fb681d7e26e5c031a21eb4b0593a7735f781b53dae4e2@%3Cdev.tika.apache.org%3E", + "name": "[tika-dev] 20200114 [jira] [Commented] (TIKA-3019) [9.8] [CVE-2019-17571] [tika-app] [1.23]" + }, + { + "source": "MLIST", + "url": "https://lists.apache.org/thread.html/r3784834e80df2f284577a5596340fb84346c91a2dea6a073e65e3397@%3Cissues.activemq.apache.org%3E", + "name": "[activemq-issues] 20200730 [jira] [Commented] (AMQ-7370) log4j 1.2 version used by AMQ 5.15.10 / 5.15.11 is vulnerable to CVE-2019-17571" + }, + { + "source": "MLIST", + "url": 
"https://lists.apache.org/thread.html/r90c23eb8c82835fa82df85ae5e88c81fd9241e20a22971b0fb8f2c34@%3Cissues.bookkeeper.apache.org%3E", + "name": "[bookkeeper-issues] 20211013 [GitHub] [bookkeeper] eolivelli commented on pull request #2816: Issue 2815: Upgrade to log4j2 to get rid of CVE-2019-17571" + }, + { + "source": "MLIST", + "url": "https://lists.apache.org/thread.html/r3a85514a518f3080ab1fc2652cfe122c2ccf67cfb32356acb1b08fe8@%3Cdev.tika.apache.org%3E", + "name": "[tika-dev] 20200107 [jira] [Commented] (TIKA-3019) [9.8] [CVE-2019-17571] [tika-app] [1.23]" + }, + { + "source": "MLIST", + "url": "https://lists.apache.org/thread.html/r9d0d03f2e7d9e13c68b530f81d02b0fec33133edcf27330d8089fcfb@%3Cissues.zookeeper.apache.org%3E", + "name": "[zookeeper-issues] 20201103 [jira] [Created] (ZOOKEEPER-3990) Log4j 1.2.17 used by zookeeper 3.6.1 is vulnerable to CVE-2019-17571" + }, + { + "source": "MLIST", + "url": "https://lists.apache.org/thread.html/r746fbc3fc13aee292ae6851f7a5080f592fa3a67b983c6887cdb1fc5@%3Cdev.tika.apache.org%3E", + "name": "[tika-dev] 20200111 [jira] [Closed] (TIKA-3018) log4j 1.2 version used by Apache Tika 1.23 is vulnerable to CVE-2019-17571" + }, + { + "source": "OSSIndex", + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1785616", + "name": "https://bugzilla.redhat.com/show_bug.cgi?id=1785616" + }, + { + "source": "MLIST", + "url": "https://lists.apache.org/thread.html/r356d57d6225f91fdc30f8b0a2bed229d1ece55e16e552878c5fa809a@%3Cissues.zookeeper.apache.org%3E", + "name": "[zookeeper-issues] 20200108 [jira] [Commented] (ZOOKEEPER-3677) owasp checker failing for - CVE-2019-17571 Apache Log4j 1.2 deserialization of untrusted data in SocketServer" + }, + { + "source": "MLIST", + "url": "https://lists.apache.org/thread.html/rbc45eb0f53fd6242af3e666c2189464f848a851d408289840cecc6e3@%3Ccommits.zookeeper.apache.org%3E", + "name": "[zookeeper-commits] 20200504 [zookeeper] branch master updated: ZOOKEEPER-3817: suppress log4j SmtpAppender related 
CVE-2020-9488" + }, + { + "source": "MLIST", + "url": "https://lists.apache.org/thread.html/r7a1acc95373105169bd44df710c2f462cad31fb805364d2958a5ee03@%3Cjira.kafka.apache.org%3E", + "name": "[kafka-jira] 20200625 [GitHub] [kafka] dongjinleekr commented on pull request #7898: KAFKA-9366: please consider upgrade log4j to log4j2 due to critical security problem CVE-2019-17571" + }, + { + "source": "MLIST", + "url": "https://lists.debian.org/debian-lts-announce/2020/01/msg00008.html", + "name": "[debian-lts-announce] 20200112 [SECURITY] [DLA 2065-1] apache-log4j1.2 security update" + }, + { + "source": "MLIST", + "url": "https://lists.apache.org/thread.html/r61db8e7dcb56dc000a5387a88f7a473bacec5ee01b9ff3f55308aacc@%3Cusers.kafka.apache.org%3E", + "name": "[kafka-users] 20210831 Security vulnerabilities in kafka:2.13-2.6.0/2.7.0 docker image" + }, + { + "source": "MLIST", + "url": "https://lists.apache.org/thread.html/r944183c871594fe9a555b8519a7c945bbcf6714d72461aa6c929028f@%3Cissues.zookeeper.apache.org%3E", + "name": "[zookeeper-issues] 20200107 [jira] [Created] (ZOOKEEPER-3677) owasp checker failing for - CVE-2019-17571 Apache Log4j 1.2 deserialization of untrusted data in SocketServer" + }, + { + "source": "MLIST", + "url": "https://lists.apache.org/thread.html/rf1b434e11834a4449cd7addb69ed0aef0923112b5938182b363a968c@%3Cnotifications.zookeeper.apache.org%3E", + "name": "[zookeeper-notifications] 20200108 [GitHub] [zookeeper] eolivelli opened a new pull request #1209: ZOOKEEPER-3677 owasp checker failing for - CVE-2019-17571 Apache Log4j 1.2 deserialization of untrusted data in SocketServer" + }, + { + "source": "MLIST", + "url": "https://lists.apache.org/thread.html/r4ac89cbecd9e298ae9fafb5afda6fa77ac75c78d1ac957837e066c4e@%3Cuser.zookeeper.apache.org%3E", + "name": "[zookeeper-user] 20200201 Re: Zookeeper 3.5.6 supports log4j 2.x?" 
+ }, + { + "source": "OSSIndex", + "url": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-17571", + "name": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-17571" + }, + { + "source": "MLIST", + "url": "https://lists.apache.org/thread.html/r9a9e3b42cd5d1c4536a14ef04f75048dec8e2740ac6a138ea912177f@%3Cpluto-dev.portals.apache.org%3E", + "name": "[portals-pluto-dev] 20210629 [jira] [Closed] (PLUTO-787) Migrate from Log4j 1.x to Log4j 2.x due to CVE-2019-17571" + }, + { + "source": "MLIST", + "url": "https://lists.apache.org/thread.html/8ab32b4c9f1826f20add7c40be08909de9f58a89dc1de9c09953f5ac@%3Cissues.activemq.apache.org%3E", + "name": "[activemq-issues] 20191226 [jira] [Created] (AMQ-7370) log4j 1.2 version used by AMQ 5.15.10 / 5.15.11 is vulnerable to CVE-2019-17571" + }, + { + "source": "MLIST", + "url": "https://lists.apache.org/thread.html/rbf4ce74b0d1fa9810dec50ba3ace0caeea677af7c27a97111c06ccb7@%3Cdev.kafka.apache.org%3E", + "name": "[kafka-dev] 20210901 Re: [EXTERNAL] Re: Security vulnerabilities in kafka:2.13-2.6.0/2.7.0 docker image" + }, + { + "source": "MLIST", + "url": "https://lists.apache.org/thread.html/6114ce566200d76e3cc45c521a62c2c5a4eac15738248f58a99f622c@%3Cissues.activemq.apache.org%3E", + "name": "[activemq-issues] 20191230 [jira] [Created] (AMQ-7372) [9.8] [CVE-2019-17571] [activemq-all] [5.15.10]" + }, + { + "source": "MLIST", + "url": "https://lists.apache.org/thread.html/r3d666e4e8905157f3c046d31398b04f2bfd4519e31f266de108c6919@%3Cissues.activemq.apache.org%3E", + "name": "[activemq-issues] 20200122 [jira] [Resolved] (AMQ-7372) [9.8] [CVE-2019-17571] [activemq-all] [5.15.10]" + }, + { + "source": "MLIST", + "url": "https://lists.apache.org/thread.html/r61db8e7dcb56dc000a5387a88f7a473bacec5ee01b9ff3f55308aacc@%3Cdev.kafka.apache.org%3E", + "name": "[kafka-dev] 20210831 Security vulnerabilities in kafka:2.13-2.6.0/2.7.0 docker image" + }, + { + "source": "MLIST", + "url": 
"https://lists.apache.org/thread.html/ra38785cfc0e7f17f8e24bebf775dd032c033fadcaea29e5bc9fffc60@%3Cdev.tika.apache.org%3E", + "name": "[tika-dev] 20200111 Re: [jira] [Commented] (TIKA-3018) log4j 1.2 version used by Apache Tika 1.23 is vulnerable to CVE-2019-17571" + }, + { + "source": "MLIST", + "url": "https://lists.apache.org/thread.html/rd0e44e8ef71eeaaa3cf3d1b8b41eb25894372e2995ec908ce7624d26@%3Ccommits.pulsar.apache.org%3E", + "name": "[pulsar-commits] 20201215 [GitHub] [pulsar] yanshuchong opened a new issue #8967: CVSS issue list" + }, + { + "source": "MLIST", + "url": "https://lists.apache.org/thread.html/rda4849c6823dd3e83c7a356eb883180811d5c28359fe46865fd151c3@%3Cusers.kafka.apache.org%3E", + "name": "[kafka-users] 20210210 Security: CVE-2019-17571 (log4j)" + }, + { + "source": "MLIST", + "url": "https://lists.apache.org/thread.html/rb1b29aee737e1c37fe1d48528cb0febac4f5deed51f5412e6fdfe2bf@%3Cissues.activemq.apache.org%3E", + "name": "[activemq-issues] 20200228 [jira] [Resolved] (AMQ-7370) log4j 1.2 version used by AMQ 5.15.10 / 5.15.11 is vulnerable to CVE-2019-17571" + }, + { + "source": "N/A", + "url": "https://www.oracle.com/security-alerts/cpuapr2020.html", + "name": "N/A" + }, + { + "source": "MLIST", + "url": "https://lists.apache.org/thread.html/r8244fd0831db894d5e89911ded9c72196d395a90ae655414d23ed0dd@%3Cusers.activemq.apache.org%3E", + "name": "[activemq-users] 20210427 Release date for ActiveMQ v5.16.2 to fix CVEs" + }, + { + "source": "MLIST", + "url": "https://lists.apache.org/thread.html/ra18a903f785aed9403aea38bc6f36844a056283c00dcfc6936b6318c@%3Cissues.bookkeeper.apache.org%3E", + "name": "[bookkeeper-issues] 20211007 [GitHub] [bookkeeper] RaulGracia commented on pull request #2816: Issue 2815: Upgrade to log4j2 to get rid of CVE-2019-17571" + }, + { + "source": "MLIST", + "url": "https://lists.apache.org/thread.html/277b4b5c2b0e06a825ccec565fa65bd671f35a4d58e3e2ec5d0618e1@%3Cdev.tika.apache.org%3E", + "name": "[tika-dev] 20191226 [jira] 
[Commented] (TIKA-3018) log4j 1.2 version used by Apache Tika 1.23 is vulnerable to CVE-2019-17571" + }, + { + "source": "UBUNTU", + "url": "https://usn.ubuntu.com/4495-1/", + "name": "USN-4495-1" + }, + { + "source": "N/A", + "url": "https://www.oracle.com/security-alerts/cpujul2022.html", + "name": "N/A" + }, + { + "source": "MLIST", + "url": "https://lists.apache.org/thread.html/r2721aba31a8562639c4b937150897e24f78f747cdbda8641c0f659fe@%3Cusers.kafka.apache.org%3E", + "name": "[kafka-users] 20210617 vulnerabilities" + }, + { + "source": "MLIST", + "url": "https://lists.apache.org/thread.html/r681b4432d0605f327b68b9f8a42662993e699d04614de4851c35ffd1@%3Cdev.tika.apache.org%3E", + "name": "[tika-dev] 20200110 [jira] [Commented] (TIKA-3019) [9.8] [CVE-2019-17571] [tika-app] [1.23]" + }, + { + "source": "MLIST", + "url": "https://lists.apache.org/thread.html/r189aaeaad897f7d6b96f7c43a8ef2dfb9f6e9f8c1cc9ad182ce9b9ae@%3Cjira.kafka.apache.org%3E", + "name": "[kafka-jira] 20200106 [jira] [Commented] (KAFKA-9366) please consider upgrade log4j to log4j2 due to critical security problem CVE-2019-17571" + }, + { + "source": "MLIST", + "url": "https://lists.apache.org/thread.html/rdec0d8ac1f03e6905b0de2df1d5fcdb98b94556e4f6cccf7519fdb26@%3Cdev.tika.apache.org%3E", + "name": "[tika-dev] 20200111 [jira] [Resolved] (TIKA-3018) log4j 1.2 version used by Apache Tika 1.23 is vulnerable to CVE-2019-17571" + }, + { + "source": "MLIST", + "url": "https://lists.apache.org/thread.html/rd7805c1bf9388968508c6c8f84588773216e560055ddcc813d19f347@%3Ccommon-issues.hadoop.apache.org%3E", + "name": "[hadoop-common-issues] 20200824 [jira] [Updated] (HADOOP-17221) update log4j-1.2.17 to atlassian version( To Address: CVE-2019-17571)" + }, + { + "source": "MLIST", + "url": "https://lists.apache.org/thread.html/rc628307962ae1b8cc2d21b8e4b7dd6d7755b2dd52fa56a151a27e4fd@%3Cissues.zookeeper.apache.org%3E", + "name": "[zookeeper-issues] 20200108 [jira] [Updated] (ZOOKEEPER-3677) owasp checker failing 
for - CVE-2019-17571 Apache Log4j 1.2 deserialization of untrusted data in SocketServer" + }, + { + "source": "MLIST", + "url": "https://lists.apache.org/thread.html/r8a1cfd4705258c106e488091fcec85f194c82f2bbde6bd151e201870@%3Cjira.kafka.apache.org%3E", + "name": "[kafka-jira] 20200107 [jira] [Updated] (KAFKA-9366) please consider upgrade log4j to log4j2 due to critical security problem CVE-2019-17571" + }, + { + "source": "MISC", + "url": "https://www.oracle.com/security-alerts/cpuApr2021.html", + "name": "https://www.oracle.com/security-alerts/cpuApr2021.html" + }, + { + "source": "OSSIndex", + "url": "https://issues.apache.org/jira/browse/LOG4J2-1863", + "name": "https://issues.apache.org/jira/browse/LOG4J2-1863" + }, + { + "source": "MLIST", + "url": "https://lists.apache.org/thread.html/r107c8737db39ec9ec4f4e7147b249e29be79170b9ef4b80528105a2d@%3Cdev.zookeeper.apache.org%3E", + "name": "[zookeeper-dev] 20200118 Build failed in Jenkins: zookeeper-master-maven-owasp #329" + }, + { + "source": "DEBIAN", + "url": "https://www.debian.org/security/2020/dsa-4686", + "name": "DSA-4686" + }, + { + "source": "MLIST", + "url": "https://lists.apache.org/thread.html/r7bcdc710857725c311b856c0b82cee6207178af5dcde1bd43d289826@%3Cissues.activemq.apache.org%3E", + "name": "[activemq-issues] 20200122 [jira] [Assigned] (AMQ-7372) [9.8] [CVE-2019-17571] [activemq-all] [5.15.10]" + }, + { + "source": "MLIST", + "url": "https://lists.apache.org/thread.html/re8c21ed9dd218c217d242ffa90778428e446b082b5e1c29f567e8374@%3Cissues.activemq.apache.org%3E", + "name": "[activemq-issues] 20200228 [jira] [Commented] (AMQ-7370) log4j 1.2 version used by AMQ 5.15.10 / 5.15.11 is vulnerable to CVE-2019-17571" + }, + { + "source": "MLIST", + "url": "https://lists.apache.org/thread.html/r3cf50d05ce8cec8c09392624b7bae750e7643dae60ef2438641ee015@%3Cissues.zookeeper.apache.org%3E", + "name": "[zookeeper-issues] 20201103 [jira] [Resolved] (ZOOKEEPER-3990) Log4j 1.2.17 used by zookeeper 3.6.1 is 
vulnerable to CVE-2019-17571" + }, + { + "source": "MLIST", + "url": "https://lists.apache.org/thread.html/r52a5129df402352adc34d052bab9234c8ef63596306506a89fdc7328@%3Cusers.activemq.apache.org%3E", + "name": "[activemq-users] 20210831 RE: Security issues" + }, + { + "source": "MLIST", + "url": "https://lists.apache.org/thread.html/rc17d8491beee51607693019857e41e769795366b85be00aa2f4b3159@%3Cnotifications.zookeeper.apache.org%3E", + "name": "[zookeeper-notifications] 20200118 [GitHub] [zookeeper] asfgit closed pull request #1209: ZOOKEEPER-3677 owasp checker failing for - CVE-2019-17571 Apache Log4j 1.2 deserialization of untrusted data in SocketServer" + }, + { + "source": "MLIST", + "url": "https://lists.apache.org/thread.html/r61590890edcc64140e0c606954b29a063c3d08a2b41d447256d51a78@%3Cissues.activemq.apache.org%3E", + "name": "[activemq-issues] 20200127 [jira] [Commented] (AMQ-7370) log4j 1.2 version used by AMQ 5.15.10 / 5.15.11 is vulnerable to CVE-2019-17571" + }, + { + "source": "MLIST", + "url": "https://lists.apache.org/thread.html/raedd12dc24412b3780432bf202a2618a21a727788543e5337a458ead@%3Cissues.activemq.apache.org%3E", + "name": "[activemq-issues] 20200122 [jira] [Updated] (AMQ-7372) [9.8] [CVE-2019-17571] [activemq-all] [5.15.10]" + }, + { + "source": "MLIST", + "url": "https://lists.apache.org/thread.html/re36da78e4f3955ba6c1c373a2ab85a4deb215ca74b85fcd66142fea1@%3Cissues.bookkeeper.apache.org%3E", + "name": "[bookkeeper-issues] 20211006 [GitHub] [bookkeeper] RaulGracia opened a new issue #2815: Upgrade to log4j2 to get rid of CVE-2019-17571" + }, + { + "source": "SUSE", + "url": "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00022.html", + "name": "openSUSE-SU-2020:0051" + }, + { + "source": "MLIST", + "url": "https://lists.apache.org/thread.html/rdb7ddf28807e27c7801f6e56a0dfb31092d34c61bdd4fa2de9182119@%3Cissues.bookkeeper.apache.org%3E", + "name": "[bookkeeper-issues] 20211007 [GitHub] [bookkeeper] RaulGracia commented on a 
change in pull request #2816: Issue 2815: Upgrade to log4j2 to get rid of CVE-2019-17571" + }, + { + "source": "MLIST", + "url": "https://lists.apache.org/thread.html/r13d4b5c60ff63f3c4fab51d6ff266655be503b8a1884e2f2fab67c3a@%3Ccommon-issues.hadoop.apache.org%3E", + "name": "[hadoop-common-issues] 20200824 [jira] [Created] (HADOOP-17221) Upgrade log4j-1.2.17 to atlassian ( To Adress: CVE-2019-17571)" + }, + { + "source": "MLIST", + "url": "https://lists.apache.org/thread.html/rf53eeefb7e7e524deaacb9f8671cbf01b8a253e865fb94e7656722c0@%3Cissues.bookkeeper.apache.org%3E", + "name": "[bookkeeper-issues] 20211007 [GitHub] [bookkeeper] eolivelli commented on a change in pull request #2816: Issue 2815: Upgrade to log4j2 to get rid of CVE-2019-17571" + }, + { + "source": "MLIST", + "url": "https://lists.apache.org/thread.html/r48efc7cb5aeb4e1f67aaa06fb4b5479a5635d12f07d0b93fc2d08809@%3Ccommits.zookeeper.apache.org%3E", + "name": "[zookeeper-commits] 20200504 [zookeeper] branch branch-3.6 updated: ZOOKEEPER-3817: suppress log4j SmtpAppender related CVE-2020-9488" + }, + { + "source": "MLIST", + "url": "https://lists.apache.org/thread.html/752ec92cd1e334a639e79bfbd689a4ec2c6579ec5bb41b53ffdf358d@%3Cdev.kafka.apache.org%3E", + "name": "[kafka-dev] 20200105 [jira] [Created] (KAFKA-9366) please consider upgrade log4j to log4j2 due to critical security problem CVE-2019-17571" + }, + { + "source": "MLIST", + "url": "https://lists.apache.org/thread.html/r8d78a0fbb56d505461e29868d1026e98c402e6a568c13a6da67896a2@%3Cdev.jena.apache.org%3E", + "name": "[jena-dev] 20200318 Re: Logging (JENA-1005)" + }, + { + "source": "MLIST", + "url": "https://lists.apache.org/thread.html/rf77f79699c8d7e430c14cf480f12ed1297e6e8cf2ed379a425941e80@%3Cpluto-dev.portals.apache.org%3E", + "name": "[portals-pluto-dev] 20210629 [jira] [Updated] (PLUTO-787) Migrate from Log4J and SLF4J dependencies due to CVE-2019-17571" + }, + { + "source": "MLIST", + "url": 
"https://lists.apache.org/thread.html/rdf2a0d94c3b5b523aeff7741ae71347415276062811b687f30ea6573@%3Ccommits.zookeeper.apache.org%3E", + "name": "[zookeeper-commits] 20200118 [zookeeper] branch branch-3.5 updated: ZOOKEEPER-3677: owasp checker failing for - CVE-2019-17571 Apache Log4j 1.2 deserialization of untrusted data in SocketServer" + }, + { + "source": "MLIST", + "url": "https://lists.apache.org/thread.html/r7f462c69d5ded4c0223e014d95a3496690423c5f6f05c09e2f2a407a@%3Cjira.kafka.apache.org%3E", + "name": "[kafka-jira] 20200624 [GitHub] [kafka] dongjinleekr commented on pull request #7898: KAFKA-9366: please consider upgrade log4j to log4j2 due to critical security problem CVE-2019-17571" + }, + { + "source": "MLIST", + "url": "https://lists.apache.org/thread.html/r05755112a8c164abc1004bb44f198b1e3d8ca3d546a8f13ebd3aa05f@%3Cissues.zookeeper.apache.org%3E", + "name": "[zookeeper-issues] 20200107 [jira] [Commented] (ZOOKEEPER-3677) owasp checker failing for - CVE-2019-17571 Apache Log4j 1.2 deserialization of untrusted data in SocketServer" + }, + { + "source": "MLIST", + "url": "https://lists.apache.org/thread.html/44491fb9cc19acc901f7cff34acb7376619f15638439416e3e14761c@%3Cdev.tika.apache.org%3E", + "name": "[tika-dev] 20191226 [jira] [Created] (TIKA-3018) log4j 1.2 version used by Apache Tika 1.23 is vulnerable to CVE-2019-17571" + }, + { + "source": "MLIST", + "url": "https://lists.apache.org/thread.html/rf9fa47ab66495c78bb4120b0754dd9531ca2ff0430f6685ac9b07772@%3Cdev.mina.apache.org%3E", + "name": "[mina-dev] 20210225 [jira] [Created] (FTPSERVER-500) Security vulnerability in common/lib/log4j-1.2.17.jar" + }, + { + "source": "MLIST", + "url": "https://lists.apache.org/thread.html/rfdf65fa675c64a64459817344e0e6c44d51ee264beea6e5851fb60dc@%3Cissues.bookkeeper.apache.org%3E", + "name": "[bookkeeper-issues] 20211016 [GitHub] [bookkeeper] pkumar-singh commented on a change in pull request #2816: Issue 2815: Upgrade to log4j2 to get rid of CVE-2019-17571" + }, + { 
+ "source": "MLIST", + "url": "https://lists.apache.org/thread.html/r6236b5f8646d48af8b66d5050f288304016840788e508c883356fe0e@%3Clog4j-user.logging.apache.org%3E", + "name": "[logging-log4j-user] 20200224 Apache Log4j - Migration activity to 2.12.1 version - Request to support for the queries posted" + }, + { + "source": "MLIST", + "url": "https://lists.apache.org/thread.html/r3c575cabc7386e646fb12cb82b0b38ae5a6ade8a800f827107824495@%3Cjira.kafka.apache.org%3E", + "name": "[kafka-jira] 20200106 [jira] [Assigned] (KAFKA-9366) please consider upgrade log4j to log4j2 due to critical security problem CVE-2019-17571" + }, + { + "source": "MLIST", + "url": "https://lists.apache.org/thread.html/reaf6b996f74f12b4557bc221abe88f58270ac583942fa41293c61f94@%3Cpluto-scm.portals.apache.org%3E", + "name": "[portals-pluto-scm] 20210629 [portals-pluto] branch master updated: PLUTO-787 Migrate from Log4j 1.x to Log4j 2.x due to CVE-2019-17571" + }, + { + "source": "CONFIRM", + "url": "https://security.netapp.com/advisory/ntap-20200110-0001/", + "name": "https://security.netapp.com/advisory/ntap-20200110-0001/" + }, + { + "source": "MLIST", + "url": "https://lists.apache.org/thread.html/r8c392ca48bb7e50754e4bc05865e9731b23d568d18a520fe3d8c1f75@%3Ccommon-issues.hadoop.apache.org%3E", + "name": "[hadoop-common-issues] 20200824 [jira] [Commented] (HADOOP-17221) update log4j-1.2.17 to atlassian version( To Address: CVE-2019-17571)" + }, + { + "source": "MLIST", + "url": "https://lists.apache.org/thread.html/r71e26f9c2d5826c6f95ad60f7d052d75e1e70b0d2dd853db6fc26d5f@%3Cjira.kafka.apache.org%3E", + "name": "[kafka-jira] 20200602 [GitHub] [kafka] dongjinleekr commented on pull request #7898: KAFKA-9366: please consider upgrade log4j to log4j2 due to critical security problem CVE-2019-17571" + } + ], + "vulnerableSoftware": [ + { + "software": { + "id": "cpe:2.3:a:apache:bookkeeper:*:*:*:*:*:*:*:*", + "versionEndExcluding": "4.14.3" + } + }, + { + "software": { + "id": 
"cpe:2.3:a:apache:log4j:*:*:*:*:*:*:*:*", + "vulnerabilityIdMatched": "true", + "versionEndIncluding": "1.2.17" + } + }, + { + "software": { + "id": "cpe:2.3:a:netapp:oncommand_system_manager:*:*:*:*:*:*:*:*", + "versionStartIncluding": "3.0", + "versionEndIncluding": "3.1.3" + } + }, + { + "software": { + "id": "cpe:2.3:a:netapp:oncommand_workflow_automation:-:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:application_testing_suite:13.3.0.1:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:communications_network_integrity:*:*:*:*:*:*:*:*", + "versionStartIncluding": "7.3.2", + "versionEndIncluding": "7.3.6" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:endeca_information_discovery_studio:3.2.0:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:financial_services_lending_and_leasing:*:*:*:*:*:*:*:*", + "versionStartIncluding": "14.1.0", + "versionEndIncluding": "14.8.0" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:financial_services_lending_and_leasing:12.5.0:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:mysql_enterprise_monitor:*:*:*:*:*:*:*:*", + "versionEndIncluding": "8.0.29" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:*", + "versionStartIncluding": "16.2", + "versionEndIncluding": "16.2.11" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:*", + "versionStartIncluding": "17.12.0", + "versionEndIncluding": "17.12.7" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:rapid_planning:12.1:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:rapid_planning:12.2:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:retail_extract_transform_and_load:19.0:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:retail_service_backbone:14.1:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": 
"cpe:2.3:a:oracle:retail_service_backbone:15.0:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:retail_service_backbone:16.0:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:weblogic_server:10.3.6.0.0:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:weblogic_server:12.1.3.0.0:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:weblogic_server:12.2.1.3.0:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:weblogic_server:12.2.1.4.0:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:weblogic_server:14.1.1.0.0:*:*:*:*:*:*:*" + } + } + ] + }, { - "id": "pkg:maven/com.sun.mail/javax.mail@1.4.4", - "confidence": "HIGH", - "url": "https://ossindex.sonatype.org/component/pkg:maven/com.sun.mail/javax.mail@1.4.4" - } - ] - }, - { - "isVirtual": false, - "fileName": "log4j-1.2.12.jar", - "filePath": "/to/path/log4j/log4j/1.2.12/log4j-1.2.12.jar", - "md5": "223504f742addd3f631ed8bdf689f1c9", - "sha1": "057b8740427ee6d7b0b60792751356cad17dc0d9", - "sha256": "dc67378cf428c06408e7959e83bdc1518dd22ccd313e7c28a986612d65c276c7", - "projectReferences": [ - "module2:compile" - ], - "evidenceCollected": { - "vendorEvidence": [ - { - "type": "vendor", - "confidence": "HIGHEST", - "source": "jar", - "name": "package name", - "value": "log4j" - }, - { - "type": "vendor", - "confidence": "HIGH", - "source": "file", - "name": "name", - "value": "log4j" - }, - { - "type": "vendor", - "confidence": "MEDIUM", - "source": "manifest: org/apache/log4j/", - "name": "Implementation-Vendor", - "value": "\"Apache Software Foundation\"" - }, - { - "type": "vendor", - "confidence": "LOW", - "source": "pom", - "name": "artifactid", - "value": "log4j" - }, - { - "type": "vendor", - "confidence": "HIGHEST", - "source": "pom", - "name": "groupid", - "value": "log4j" - }, - { - "type": "vendor", - "confidence": "HIGHEST", - "source": "jar", - "name": "package name", - "value": "apache" - } - 
], - "productEvidence": [ - { - "type": "product", - "confidence": "HIGHEST", - "source": "jar", - "name": "package name", - "value": "log4j" - }, - { - "type": "product", - "confidence": "HIGH", - "source": "file", - "name": "name", - "value": "log4j" - }, - { - "type": "product", - "confidence": "MEDIUM", - "source": "manifest: org/apache/log4j/", - "name": "Implementation-Title", - "value": "log4j" - }, - { - "type": "product", - "confidence": "HIGHEST", - "source": "pom", - "name": "groupid", - "value": "log4j" - }, - { - "type": "product", - "confidence": "HIGHEST", - "source": "pom", - "name": "artifactid", - "value": "log4j" - } - ], - "versionEvidence": [ - { - "type": "version", - "confidence": "HIGH", - "source": "file", - "name": "version", - "value": "1.2.12" + "source": "NVD", + "name": "CVE-2020-9493", + "severity": "CRITICAL", + "cvssv2": { + "score": 6.8, + "accessVector": "NETWORK", + "accessComplexity": "MEDIUM", + "authenticationr": "NONE", + "confidentialImpact": "PARTIAL", + "integrityImpact": "PARTIAL", + "availabilityImpact": "PARTIAL", + "severity": "MEDIUM", + "version": "2.0", + "exploitabilityScore": "8.6", + "impactScore": "6.4" }, - { - "type": "version", - "confidence": "HIGHEST", - "source": "pom", - "name": "version", - "value": "1.2.12" + "cvssv3": { + "baseScore": 9.8, + "attackVector": "NETWORK", + "attackComplexity": "LOW", + "privilegesRequired": "NONE", + "userInteraction": "NONE", + "scope": "UNCHANGED", + "confidentialityImpact": "HIGH", + "integrityImpact": "HIGH", + "availabilityImpact": "HIGH", + "baseSeverity": "CRITICAL", + "exploitabilityScore": "3.9", + "impactScore": "5.9", + "version": "3.1" }, - { - "type": "version", - "confidence": "MEDIUM", - "source": "manifest: org/apache/log4j/", - "name": "Implementation-Version", - "value": "1.2.12" - } - ] - }, - "packages": [ - { - "id": "pkg:maven/log4j/log4j@1.2.12", - "confidence": "HIGH", - "url": "https://ossindex.sonatype.org/component/pkg:maven/log4j/log4j@1.2.12" - 
} - ], - "vulnerabilityIds": [ + "cwes": [ + "CWE-502" + ], + "description": "A deserialization flaw was found in Apache Chainsaw versions prior to 2.1.0 which could lead to malicious code execution.", + "notes": "", + "references": [ + { + "source": "MLIST", + "url": "http://www.openwall.com/lists/oss-security/2022/01/18/5", + "name": "[oss-security] 20220118 CVE-2022-23307: Apache Log4j 1.x: A deserialization flaw in the Chainsaw component of Log4j 1 can lead to malicious code execution." + }, + { + "source": "MLIST", + "url": "http://www.openwall.com/lists/oss-security/2021/06/16/1", + "name": "[oss-security] 20210615 CVE-2020-9493: Apache Chainsaw: Java deserialization in Chainsaw" + }, + { + "source": "MLIST", + "url": "https://lists.apache.org/thread.html/r50d389c613ba6062a26aa57e163c09bfee4ff2d95d67331d75265b83@%3Cannounce.apache.org%3E", + "name": "[announce] 20210615 CVE-2020-9493: Apache Chainsaw: Java deserialization in Chainsaw" + }, + { + "source": "MISC", + "url": "https://www.openwall.com/lists/oss-security/2021/06/16/1", + "name": "https://www.openwall.com/lists/oss-security/2021/06/16/1" + } + ], + "vulnerableSoftware": [ + { + "software": { + "id": "cpe:2.3:a:apache:chainsaw:*:*:*:*:*:*:*:*", + "versionEndExcluding": "2.1.0" + } + }, + { + "software": { + "id": "cpe:2.3:a:apache:log4j:*:*:*:*:*:*:*:*", + "vulnerabilityIdMatched": "true", + "versionStartIncluding": "1.2", + "versionEndExcluding": "2.0" + } + }, + { + "software": { + "id": "cpe:2.3:a:qos:reload4j:*:*:*:*:*:*:*:*", + "versionEndExcluding": "1.2.18.1" + } + } + ] + }, { - "id": "cpe:2.3:a:apache:log4j:1.2.12:*:*:*:*:*:*:*", - "confidence": "HIGHEST", - "url": "https://nvd.nist.gov/vuln/search/results?form_type=Advanced&results_type=overview&search_type=all&cpe_vendor=cpe%3A%2F%3Aapache&cpe_product=cpe%3A%2F%3Aapache%3Alog4j&cpe_version=cpe%3A%2F%3Aapache%3Alog4j%3A1.2.12" - } - ], - "vulnerabilities": [ + "source": "NVD", + "name": "CVE-2022-23305", + "severity": "CRITICAL", + 
"cvssv2": { + "score": 6.8, + "accessVector": "NETWORK", + "accessComplexity": "MEDIUM", + "authenticationr": "NONE", + "confidentialImpact": "PARTIAL", + "integrityImpact": "PARTIAL", + "availabilityImpact": "PARTIAL", + "severity": "MEDIUM", + "version": "2.0", + "exploitabilityScore": "8.6", + "impactScore": "6.4" + }, + "cvssv3": { + "baseScore": 9.8, + "attackVector": "NETWORK", + "attackComplexity": "LOW", + "privilegesRequired": "NONE", + "userInteraction": "NONE", + "scope": "UNCHANGED", + "confidentialityImpact": "HIGH", + "integrityImpact": "HIGH", + "availabilityImpact": "HIGH", + "baseSeverity": "CRITICAL", + "exploitabilityScore": "3.9", + "impactScore": "5.9", + "version": "3.1" + }, + "cwes": [ + "CWE-89" + ], + "description": "By design, the JDBCAppender in Log4j 1.2.x accepts an SQL statement as a configuration parameter where the values to be inserted are converters from PatternLayout. The message converter, %m, is likely to always be included. This allows attackers to manipulate the SQL by entering crafted strings into input fields or headers of an application that are logged allowing unintended SQL queries to be executed. Note this issue only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default. Beginning in version 2.0-beta8, the JDBCAppender was re-introduced with proper support for parameterized SQL queries and further customization over the columns written to in logs. Apache Log4j 1.2 reached end of life in August 2015. 
Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.", + "notes": "", + "references": [ + { + "source": "MLIST", + "url": "http://www.openwall.com/lists/oss-security/2022/01/18/4", + "name": "[oss-security] 20220118 CVE-2022-23305: SQL injection in JDBC Appender in Apache Log4j V1" + }, + { + "source": "MISC", + "url": "https://www.oracle.com/security-alerts/cpuapr2022.html", + "name": "https://www.oracle.com/security-alerts/cpuapr2022.html" + }, + { + "source": "MISC", + "url": "https://lists.apache.org/thread/pt6lh3pbsvxqlwlp4c5l798dv2hkc85y", + "name": "https://lists.apache.org/thread/pt6lh3pbsvxqlwlp4c5l798dv2hkc85y" + }, + { + "source": "OSSIndex", + "url": "https://logging.apache.org/log4j/1.2/index.html", + "name": "https://logging.apache.org/log4j/1.2/index.html" + }, + { + "source": "N/A", + "url": "https://www.oracle.com/security-alerts/cpujul2022.html", + "name": "N/A" + }, + { + "source": "OSSIndex", + "url": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-23305", + "name": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-23305" + }, + { + "source": "OSSINDEX", + "url": "https://ossindex.sonatype.org/vulnerability/CVE-2022-23305?component-type=maven&component-name=log4j%2Flog4j&utm_source=dependency-check&utm_medium=integration&utm_content=8.0.2", + "name": "[CVE-2022-23305] CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')" + }, + { + "source": "OSSIndex", + "url": "https://lists.apache.org/thread/pt6lh3pbsvxqlwlp4c5l798dv2hkc85y", + "name": "https://lists.apache.org/thread/pt6lh3pbsvxqlwlp4c5l798dv2hkc85y" + }, + { + "source": "OSSIndex", + "url": "https://logging.apache.org/log4j/2.x/security.html", + "name": "https://logging.apache.org/log4j/2.x/security.html" + }, + { + "source": "MISC", + "url": "https://logging.apache.org/log4j/1.2/index.html", + "name": "https://logging.apache.org/log4j/1.2/index.html" + }, + { + "source": "CONFIRM", + 
"url": "https://security.netapp.com/advisory/ntap-20220217-0007/", + "name": "https://security.netapp.com/advisory/ntap-20220217-0007/" + } + ], + "vulnerableSoftware": [ + { + "software": { + "id": "cpe:2.3:a:apache:log4j:*:*:*:*:*:*:*:*", + "vulnerabilityIdMatched": "true", + "versionStartIncluding": "1.2", + "versionEndIncluding": "1.2.17" + } + }, + { + "software": { + "id": "cpe:2.3:a:broadcom:brocade_sannav:-:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:netapp:snapmanager:-:*:*:*:*:oracle:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:netapp:snapmanager:-:*:*:*:*:sap:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:advanced_supply_chain_planning:12.1:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:advanced_supply_chain_planning:12.2:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:business_intelligence:5.9.0.0.0:*:*:*:enterprise:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:business_intelligence:12.2.1.3.0:*:*:*:enterprise:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:business_intelligence:12.2.1.4.0:*:*:*:enterprise:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:business_process_management_suite:12.2.1.3.0:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:business_process_management_suite:12.2.1.4.0:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:communications_eagle_ftp_table_base_retrieval:4.5:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:communications_messaging_server:8.1:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:communications_network_integrity:7.3.6:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:communications_unified_inventory_management:7.4.1:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:communications_unified_inventory_management:7.4.2:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": 
"cpe:2.3:a:oracle:e-business_suite_cloud_manager_and_cloud_backup_module:*:*:*:*:*:*:*:*", + "versionEndExcluding": "2.2.1.1.1" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:e-business_suite_cloud_manager_and_cloud_backup_module:2.2.1.1.1:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:enterprise_manager_base_platform:13.4.0.0:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:enterprise_manager_base_platform:13.5.0.0:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:financial_services_revenue_management_and_billing_analytics:2.7.0.0:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:financial_services_revenue_management_and_billing_analytics:2.7.0.1:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:financial_services_revenue_management_and_billing_analytics:2.8.0.0:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:healthcare_foundation:8.1.0:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:hyperion_data_relationship_management:*:*:*:*:*:*:*:*", + "versionEndExcluding": "11.2.8.0" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:hyperion_infrastructure_technology:*:*:*:*:*:*:*:*", + "versionEndExcluding": "11.2.8.0" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:identity_management_suite:12.2.1.3.0:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:identity_management_suite:12.2.1.4.0:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:identity_manager_connector:11.1.1.5.0:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:jdeveloper:12.2.1.3.0:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:middleware_common_libraries_and_tools:12.2.1.4.0:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:mysql_enterprise_monitor:*:*:*:*:*:*:*:*", + "versionEndIncluding": "8.0.29" + } + }, + { + "software": { + "id": 
"cpe:2.3:a:oracle:tuxedo:12.2.2.0.0:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:weblogic_server:12.2.1.3.0:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:weblogic_server:12.2.1.4.0:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:weblogic_server:14.1.1.0.0:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:qos:reload4j:*:*:*:*:*:*:*:*", + "versionEndExcluding": "1.2.18.2" + } + } + ] + }, { "source": "NVD", - "name": "CVE-2019-17571", - "severity": "CRITICAL", + "name": "CVE-2022-23302", + "severity": "HIGH", "cvssv2": { - "score": 7.5, + "score": 6.0, "accessVector": "NETWORK", - "accessComplexity": "LOW", - "authenticationr": "NONE", + "accessComplexity": "MEDIUM", + "authenticationr": "SINGLE", "confidentialImpact": "PARTIAL", "integrityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", - "severity": "HIGH", + "severity": "MEDIUM", "version": "2.0", - "exploitabilityScore": "10.0", + "exploitabilityScore": "6.8", "impactScore": "6.4" }, "cvssv3": { - "baseScore": 9.8, + "baseScore": 8.8, "attackVector": "NETWORK", "attackComplexity": "LOW", - "privilegesRequired": "NONE", + "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", - "baseSeverity": "CRITICAL", - "exploitabilityScore": "3.9", + "baseSeverity": "HIGH", + "exploitabilityScore": "2.8", "impactScore": "5.9", "version": "3.1" }, "cwes": [ "CWE-502" ], - "description": "Included in Log4j 1.2 is a SocketServer class that is vulnerable to deserialization of untrusted data which can be exploited to remotely execute arbitrary code when combined with a deserialization gadget when listening to untrusted network traffic for log data. 
This affects Log4j versions up to 1.2 up to 1.2.17.", + "description": "JMSSink in all versions of Log4j 1.x is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration or if the configuration references an LDAP service the attacker has access to. The attacker can provide a TopicConnectionFactoryBindingName configuration causing JMSSink to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-4104. Note this issue only affects Log4j 1.x when specifically configured to use JMSSink, which is not the default. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.", "notes": "", "references": [ { - "source": "MLIST", - "url": "https://lists.apache.org/thread.html/r696507338dd5f44efc23d98cafe30f217cf3ba78e77ed1324c7a5179@%3Cjira.kafka.apache.org%3E", - "name": "[kafka-jira] 20200514 [GitHub] [kafka] jeffhuang26 commented on pull request #7898: KAFKA-9366: please consider upgrade log4j to log4j2 due to critical security problem CVE-2019-17571" - }, - { - "source": "MLIST", - "url": "https://lists.apache.org/thread.html/8ab32b4c9f1826f20add7c40be08909de9f58a89dc1de9c09953f5ac@%3Cissues.activemq.apache.org%3E", - "name": "[activemq-issues] 20191226 [jira] [Created] (AMQ-7370) log4j 1.2 version used by AMQ 5.15.10 / 5.15.11 is vulnerable to CVE-2019-17571" - }, - { - "source": "MLIST", - "url": "https://lists.apache.org/thread.html/6114ce566200d76e3cc45c521a62c2c5a4eac15738248f58a99f622c@%3Cissues.activemq.apache.org%3E", - "name": "[activemq-issues] 20191230 [jira] [Created] (AMQ-7372) [9.8] [CVE-2019-17571] [activemq-all] [5.15.10]" - }, - { - "source": "MLIST", - "url": "https://lists.apache.org/thread.html/r3d666e4e8905157f3c046d31398b04f2bfd4519e31f266de108c6919@%3Cissues.activemq.apache.org%3E", - "name": "[activemq-issues] 20200122 [jira] [Resolved] (AMQ-7372) [9.8] [CVE-2019-17571] 
[activemq-all] [5.15.10]" - }, - { - "source": "MLIST", - "url": "https://lists.apache.org/thread.html/r2756fd570b6709d55a61831ca028405bcb3e312175a60bc5d911c81f@%3Cjira.kafka.apache.org%3E", - "name": "[kafka-jira] 20200105 [jira] [Updated] (KAFKA-9366) please consider upgrade log4j to log4j2 due to critical security problem CVE-2019-17571" + "source": "MISC", + "url": "https://lists.apache.org/thread/bsr3l5qz4g0myrjhy9h67bcxodpkwj4w", + "name": "https://lists.apache.org/thread/bsr3l5qz4g0myrjhy9h67bcxodpkwj4w" }, { - "source": "MLIST", - "url": "https://lists.apache.org/thread.html/rbdf18e39428b5c80fc35113470198b1fe53b287a76a46b0f8780b5fd@%3Cdev.zookeeper.apache.org%3E", - "name": "[zookeeper-dev] 20200107 [jira] [Created] (ZOOKEEPER-3677) owasp checker failing for - CVE-2019-17571 Apache Log4j 1.2 deserialization of untrusted data in SocketServer" + "source": "MISC", + "url": "https://www.oracle.com/security-alerts/cpuapr2022.html", + "name": "https://www.oracle.com/security-alerts/cpuapr2022.html" }, { - "source": "MLIST", - "url": "https://lists.apache.org/thread.html/ra38785cfc0e7f17f8e24bebf775dd032c033fadcaea29e5bc9fffc60@%3Cdev.tika.apache.org%3E", - "name": "[tika-dev] 20200111 Re: [jira] [Commented] (TIKA-3018) log4j 1.2 version used by Apache Tika 1.23 is vulnerable to CVE-2019-17571" + "source": "CONFIRM", + "url": "https://security.netapp.com/advisory/ntap-20220217-0006/", + "name": "https://security.netapp.com/advisory/ntap-20220217-0006/" }, { - "source": "MLIST", - "url": "https://lists.apache.org/thread.html/r909b8e3a36913944d3b7bafe9635d4ca84f8f0e2cd146a1784f667c2@%3Cissues.zookeeper.apache.org%3E", - "name": "[zookeeper-issues] 20200129 [jira] [Updated] (ZOOKEEPER-3677) owasp checker failing for - CVE-2019-17571 Apache Log4j 1.2 deserialization of untrusted data in SocketServer" + "source": "OSSIndex", + "url": "https://logging.apache.org/log4j/1.2/index.html", + "name": "https://logging.apache.org/log4j/1.2/index.html" }, { - "source": "MLIST", 
- "url": "https://lists.apache.org/thread.html/r4b25538be50126194cc646836c718b1a4d8f71bd9c912af5b59134ad@%3Cdev.tika.apache.org%3E", - "name": "[tika-dev] 20200115 [jira] [Commented] (TIKA-3019) [9.8] [CVE-2019-17571] [tika-app] [1.23]" + "source": "N/A", + "url": "https://www.oracle.com/security-alerts/cpujul2022.html", + "name": "N/A" }, { - "source": "MLIST", - "url": "https://lists.apache.org/thread.html/r8e3f7da12bf5750b0a02e69a78a61073a2ac950eed7451ce70a65177@%3Ccommits.zookeeper.apache.org%3E", - "name": "[zookeeper-commits] 20200118 [zookeeper] branch master updated: ZOOKEEPER-3677: owasp checker failing for - CVE-2019-17571 Apache Log4j 1.2 deserialization of untrusted data in SocketServer" + "source": "OSSINDEX", + "url": "https://ossindex.sonatype.org/vulnerability/CVE-2022-23302?component-type=maven&component-name=log4j%2Flog4j&utm_source=dependency-check&utm_medium=integration&utm_content=8.0.2", + "name": "[CVE-2022-23302] CWE-502: Deserialization of Untrusted Data" }, { - "source": "MLIST", - "url": "https://lists.apache.org/thread.html/564f03b4e9511fcba29c68fc0299372dadbdb002718fa8edcc4325e4@%3Cjira.kafka.apache.org%3E", - "name": "[kafka-jira] 20200105 [jira] [Created] (KAFKA-9366) please consider upgrade log4j to log4j2 due to critical security problem CVE-2019-17571" + "source": "OSSIndex", + "url": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-23302", + "name": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-23302" }, { - "source": "CONFIRM", - "url": "https://lists.apache.org/thread.html/eea03d504b36e8f870e8321d908e1def1addda16adda04327fe7c125%40%3Cdev.logging.apache.org%3E", - "name": "https://lists.apache.org/thread.html/eea03d504b36e8f870e8321d908e1def1addda16adda04327fe7c125%40%3Cdev.logging.apache.org%3E" + "source": "OSSIndex", + "url": "https://lists.apache.org/thread/bsr3l5qz4g0myrjhy9h67bcxodpkwj4w", + "name": "https://lists.apache.org/thread/bsr3l5qz4g0myrjhy9h67bcxodpkwj4w" }, { - "source": "MLIST", - "url": 
"https://lists.apache.org/thread.html/r18f1c010b554a3a2d761e8ffffd8674fd4747bcbcf16c643d708318c@%3Cissues.activemq.apache.org%3E", - "name": "[activemq-issues] 20200228 [jira] [Updated] (AMQ-7370) log4j 1.2 version used by AMQ 5.15.10 / 5.15.11 is vulnerable to CVE-2019-17571" + "source": "MISC", + "url": "https://logging.apache.org/log4j/1.2/index.html", + "name": "https://logging.apache.org/log4j/1.2/index.html" }, { "source": "MLIST", - "url": "https://lists.apache.org/thread.html/rb1b29aee737e1c37fe1d48528cb0febac4f5deed51f5412e6fdfe2bf@%3Cissues.activemq.apache.org%3E", - "name": "[activemq-issues] 20200228 [jira] [Resolved] (AMQ-7370) log4j 1.2 version used by AMQ 5.15.10 / 5.15.11 is vulnerable to CVE-2019-17571" - }, + "url": "http://www.openwall.com/lists/oss-security/2022/01/18/3", + "name": "[oss-security] 20220118 CVE-2022-23302: Deserialization of untrusted data in JMSSink in Apache Log4j 1.x" + } + ], + "vulnerableSoftware": [ { - "source": "N/A", - "url": "https://www.oracle.com/security-alerts/cpuapr2020.html", - "name": "N/A" + "software": { + "id": "cpe:2.3:a:apache:log4j:*:*:*:*:*:*:*:*", + "vulnerabilityIdMatched": "true", + "versionStartIncluding": "1.0.1", + "versionEndIncluding": "1.2.17" + } }, { - "source": "MLIST", - "url": "https://lists.apache.org/thread.html/rf2567488cfc9212b42e34c6393cfa1c14e30e4838b98dda84d71041f@%3Cdev.tika.apache.org%3E", - "name": "[tika-dev] 20200106 [jira] [Commented] (TIKA-3019) [9.8] [CVE-2019-17571] [tika-app] [1.23]" + "software": { + "id": "cpe:2.3:a:broadcom:brocade_sannav:-:*:*:*:*:*:*:*" + } }, { - "source": "MLIST", - "url": "https://lists.apache.org/thread.html/277b4b5c2b0e06a825ccec565fa65bd671f35a4d58e3e2ec5d0618e1@%3Cdev.tika.apache.org%3E", - "name": "[tika-dev] 20191226 [jira] [Commented] (TIKA-3018) log4j 1.2 version used by Apache Tika 1.23 is vulnerable to CVE-2019-17571" + "software": { + "id": "cpe:2.3:a:netapp:snapmanager:-:*:*:*:*:oracle:*:*" + } }, { - "source": "MLIST", - "url": 
"https://lists.apache.org/thread.html/r2ff63f210842a3c5e42f03a35d8f3a345134d073c80a04077341c211@%3Cissues.activemq.apache.org%3E", - "name": "[activemq-issues] 20200122 [jira] [Assigned] (AMQ-7370) log4j 1.2 version used by AMQ 5.15.10 / 5.15.11 is vulnerable to CVE-2019-17571" + "software": { + "id": "cpe:2.3:a:netapp:snapmanager:-:*:*:*:*:sap:*:*" + } }, { - "source": "MLIST", - "url": "https://lists.apache.org/thread.html/479471e6debd608c837b9815b76eab24676657d4444fcfd5ef96d6e6@%3Cdev.tika.apache.org%3E", - "name": "[tika-dev] 20191230 [jira] [Created] (TIKA-3019) [9.8] [CVE-2019-17571] [tika-app] [1.23]" + "software": { + "id": "cpe:2.3:a:oracle:advanced_supply_chain_planning:12.1:*:*:*:*:*:*:*" + } }, { - "source": "MLIST", - "url": "https://lists.apache.org/thread.html/r681b4432d0605f327b68b9f8a42662993e699d04614de4851c35ffd1@%3Cdev.tika.apache.org%3E", - "name": "[tika-dev] 20200110 [jira] [Commented] (TIKA-3019) [9.8] [CVE-2019-17571] [tika-app] [1.23]" + "software": { + "id": "cpe:2.3:a:oracle:advanced_supply_chain_planning:12.2:*:*:*:*:*:*:*" + } }, { - "source": "MLIST", - "url": "https://lists.apache.org/thread.html/r189aaeaad897f7d6b96f7c43a8ef2dfb9f6e9f8c1cc9ad182ce9b9ae@%3Cjira.kafka.apache.org%3E", - "name": "[kafka-jira] 20200106 [jira] [Commented] (KAFKA-9366) please consider upgrade log4j to log4j2 due to critical security problem CVE-2019-17571" + "software": { + "id": "cpe:2.3:a:oracle:business_intelligence:5.9.0.0.0:*:*:*:enterprise:*:*:*" + } }, { - "source": "MLIST", - "url": "https://lists.apache.org/thread.html/r6aec6b8f70167fa325fb98b3b5c9ce0ffaed026e697b69b85ac24628@%3Cissues.zookeeper.apache.org%3E", - "name": "[zookeeper-issues] 20200108 [jira] [Assigned] (ZOOKEEPER-3677) owasp checker failing for - CVE-2019-17571 Apache Log4j 1.2 deserialization of untrusted data in SocketServer" + "software": { + "id": "cpe:2.3:a:oracle:business_intelligence:12.2.1.3.0:*:*:*:enterprise:*:*:*" + } }, { - "source": "MLIST", - "url": 
"https://lists.apache.org/thread.html/rd7805c1bf9388968508c6c8f84588773216e560055ddcc813d19f347@%3Ccommon-issues.hadoop.apache.org%3E", - "name": "[hadoop-common-issues] 20200824 [jira] [Updated] (HADOOP-17221) update log4j-1.2.17 to atlassian version( To Address: CVE-2019-17571)" + "software": { + "id": "cpe:2.3:a:oracle:business_intelligence:12.2.1.4.0:*:*:*:enterprise:*:*:*" + } }, { - "source": "MLIST", - "url": "https://lists.apache.org/thread.html/rdec0d8ac1f03e6905b0de2df1d5fcdb98b94556e4f6cccf7519fdb26@%3Cdev.tika.apache.org%3E", - "name": "[tika-dev] 20200111 [jira] [Resolved] (TIKA-3018) log4j 1.2 version used by Apache Tika 1.23 is vulnerable to CVE-2019-17571" + "software": { + "id": "cpe:2.3:a:oracle:business_process_management_suite:12.2.1.3.0:*:*:*:*:*:*:*" + } }, { - "source": "MLIST", - "url": "https://lists.apache.org/thread.html/rc628307962ae1b8cc2d21b8e4b7dd6d7755b2dd52fa56a151a27e4fd@%3Cissues.zookeeper.apache.org%3E", - "name": "[zookeeper-issues] 20200108 [jira] [Updated] (ZOOKEEPER-3677) owasp checker failing for - CVE-2019-17571 Apache Log4j 1.2 deserialization of untrusted data in SocketServer" + "software": { + "id": "cpe:2.3:a:oracle:business_process_management_suite:12.2.1.4.0:*:*:*:*:*:*:*" + } }, { - "source": "MLIST", - "url": "https://lists.apache.org/thread.html/r8a1cfd4705258c106e488091fcec85f194c82f2bbde6bd151e201870@%3Cjira.kafka.apache.org%3E", - "name": "[kafka-jira] 20200107 [jira] [Updated] (KAFKA-9366) please consider upgrade log4j to log4j2 due to critical security problem CVE-2019-17571" + "software": { + "id": "cpe:2.3:a:oracle:communications_eagle_ftp_table_base_retrieval:4.5:*:*:*:*:*:*:*" + } }, { - "source": "MLIST", - "url": "https://lists.apache.org/thread.html/r8c6300245c0bcef095e9f07b48157e2c6471df0816db3408fcf1d748@%3Ccommon-issues.hadoop.apache.org%3E", - "name": "[hadoop-common-issues] 20200824 [jira] [Comment Edited] (HADOOP-17221) update log4j-1.2.17 to atlassian version( To Adress: CVE-2019-17571)" + 
"software": { + "id": "cpe:2.3:a:oracle:communications_messaging_server:8.1:*:*:*:*:*:*:*" + } }, { - "source": "MLIST", - "url": "https://lists.apache.org/thread.html/r48d5019bd42e0770f7e5351e420a63a41ff1f16924942442c6aff6a8@%3Ccommits.zookeeper.apache.org%3E", - "name": "[zookeeper-commits] 20200118 [zookeeper] branch branch-3.6 updated: ZOOKEEPER-3677: owasp checker failing for - CVE-2019-17571 Apache Log4j 1.2 deserialization of untrusted data in SocketServer" + "software": { + "id": "cpe:2.3:a:oracle:communications_network_integrity:7.3.6:*:*:*:*:*:*:*" + } }, { - "source": "MLIST", - "url": "https://lists.apache.org/thread.html/r107c8737db39ec9ec4f4e7147b249e29be79170b9ef4b80528105a2d@%3Cdev.zookeeper.apache.org%3E", - "name": "[zookeeper-dev] 20200118 Build failed in Jenkins: zookeeper-master-maven-owasp #329" + "software": { + "id": "cpe:2.3:a:oracle:communications_unified_inventory_management:7.4.1:*:*:*:*:*:*:*" + } }, { - "source": "MLIST", - "url": "https://lists.apache.org/thread.html/rc1eaed7f7d774d5d02f66e49baced31e04827a1293d61a70bd003ca7@%3Cdev.tika.apache.org%3E", - "name": "[tika-dev] 20200108 [jira] [Commented] (TIKA-3019) [9.8] [CVE-2019-17571] [tika-app] [1.23]" + "software": { + "id": "cpe:2.3:a:oracle:communications_unified_inventory_management:7.4.2:*:*:*:*:*:*:*" + } }, { - "source": "MLIST", - "url": "https://lists.apache.org/thread.html/rec34b1cccf907898e7cb36051ffac3ccf1ea89d0b261a2a3b3fb267f@%3Ccommits.zookeeper.apache.org%3E", - "name": "[zookeeper-commits] 20200504 [zookeeper] branch branch-3.5 updated: ZOOKEEPER-3817: suppress log4j SmtpAppender related CVE-2020-9488" + "software": { + "id": "cpe:2.3:a:oracle:e-business_suite_cloud_manager_and_cloud_backup_module:*:*:*:*:*:*:*:*", + "versionEndExcluding": "2.2.1.1.1" + } }, { - "source": "DEBIAN", - "url": "https://www.debian.org/security/2020/dsa-4686", - "name": "DSA-4686" + "software": { + "id": 
"cpe:2.3:a:oracle:e-business_suite_cloud_manager_and_cloud_backup_module:2.2.1.1.1:*:*:*:*:*:*:*" + } }, { - "source": "MLIST", - "url": "https://lists.apache.org/thread.html/r2ce8d26154bea939536e6cf27ed02d3192bf5c5d04df885a80fe89b3@%3Cissues.activemq.apache.org%3E", - "name": "[activemq-issues] 20200208 [jira] [Commented] (AMQ-7370) log4j 1.2 version used by AMQ 5.15.10 / 5.15.11 is vulnerable to CVE-2019-17571" + "software": { + "id": "cpe:2.3:a:oracle:enterprise_manager_base_platform:13.4.0.0:*:*:*:*:*:*:*" + } }, { - "source": "MLIST", - "url": "https://lists.apache.org/thread.html/r7bcdc710857725c311b856c0b82cee6207178af5dcde1bd43d289826@%3Cissues.activemq.apache.org%3E", - "name": "[activemq-issues] 20200122 [jira] [Assigned] (AMQ-7372) [9.8] [CVE-2019-17571] [activemq-all] [5.15.10]" + "software": { + "id": "cpe:2.3:a:oracle:enterprise_manager_base_platform:13.5.0.0:*:*:*:*:*:*:*" + } }, { - "source": "MLIST", - "url": "https://lists.apache.org/thread.html/rf9c19bcc2f7a98a880fa3e3456c003d331812b55836b34ef648063c9@%3Cjira.kafka.apache.org%3E", - "name": "[kafka-jira] 20200529 [GitHub] [kafka] ijuma commented on pull request #7898: KAFKA-9366: please consider upgrade log4j to log4j2 due to critical security problem CVE-2019-17571" + "software": { + "id": "cpe:2.3:a:oracle:financial_services_revenue_management_and_billing_analytics:2.7.0.0:*:*:*:*:*:*:*" + } }, { - "source": "MISC", - "url": "https://www.oracle.com/security-alerts/cpujul2020.html", - "name": "https://www.oracle.com/security-alerts/cpujul2020.html" + "software": { + "id": "cpe:2.3:a:oracle:financial_services_revenue_management_and_billing_analytics:2.7.0.1:*:*:*:*:*:*:*" + } }, { - "source": "MLIST", - "url": "https://lists.apache.org/thread.html/r9fb3238cfc3222f2392ca6517353aadae18f76866157318ac562e706@%3Ccommon-issues.hadoop.apache.org%3E", - "name": "[hadoop-common-issues] 20200824 [jira] [Comment Edited] (HADOOP-17221) update log4j-1.2.17 to atlassian version( To Address: CVE-2019-17571)" + 
"software": { + "id": "cpe:2.3:a:oracle:financial_services_revenue_management_and_billing_analytics:2.8.0.0:*:*:*:*:*:*:*" + } }, { - "source": "MLIST", - "url": "https://lists.apache.org/thread.html/re8c21ed9dd218c217d242ffa90778428e446b082b5e1c29f567e8374@%3Cissues.activemq.apache.org%3E", - "name": "[activemq-issues] 20200228 [jira] [Commented] (AMQ-7370) log4j 1.2 version used by AMQ 5.15.10 / 5.15.11 is vulnerable to CVE-2019-17571" + "software": { + "id": "cpe:2.3:a:oracle:healthcare_foundation:8.1.0:*:*:*:*:*:*:*" + } }, { - "source": "MLIST", - "url": "https://lists.apache.org/thread.html/r1b103833cb5bc8466e24ff0ecc5e75b45a705334ab6a444e64e840a0@%3Cissues.bookkeeper.apache.org%3E", - "name": "[bookkeeper-issues] 20200729 [GitHub] [bookkeeper] padma81 opened a new issue #2387: Security vulnerabilities in the apache/bookkeeper-4.9.2 image" + "software": { + "id": "cpe:2.3:a:oracle:hyperion_data_relationship_management:*:*:*:*:*:*:*:*", + "versionEndExcluding": "11.2.8.0" + } }, { - "source": "MLIST", - "url": "https://lists.apache.org/thread.html/r61590890edcc64140e0c606954b29a063c3d08a2b41d447256d51a78@%3Cissues.activemq.apache.org%3E", - "name": "[activemq-issues] 20200127 [jira] [Commented] (AMQ-7370) log4j 1.2 version used by AMQ 5.15.10 / 5.15.11 is vulnerable to CVE-2019-17571" + "software": { + "id": "cpe:2.3:a:oracle:hyperion_infrastructure_technology:*:*:*:*:*:*:*:*", + "versionEndExcluding": "11.2.8.0" + } }, { - "source": "MLIST", - "url": "https://lists.apache.org/thread.html/rc17d8491beee51607693019857e41e769795366b85be00aa2f4b3159@%3Cnotifications.zookeeper.apache.org%3E", - "name": "[zookeeper-notifications] 20200118 [GitHub] [zookeeper] asfgit closed pull request #1209: ZOOKEEPER-3677 owasp checker failing for - CVE-2019-17571 Apache Log4j 1.2 deserialization of untrusted data in SocketServer" + "software": { + "id": "cpe:2.3:a:oracle:identity_management_suite:12.2.1.3.0:*:*:*:*:*:*:*" + } }, { - "source": "MLIST", - "url": 
"https://lists.apache.org/thread.html/r8890b8f18f1de821595792b58b968a89692a255bc20d86d395270740@%3Ccommits.druid.apache.org%3E", - "name": "[druid-commits] 20200406 [GitHub] [druid] ccaominh commented on issue #9579: Add Apache Ranger Authorization" + "software": { + "id": "cpe:2.3:a:oracle:identity_management_suite:12.2.1.4.0:*:*:*:*:*:*:*" + } }, { - "source": "MLIST", - "url": "https://lists.apache.org/thread.html/raedd12dc24412b3780432bf202a2618a21a727788543e5337a458ead@%3Cissues.activemq.apache.org%3E", - "name": "[activemq-issues] 20200122 [jira] [Updated] (AMQ-7372) [9.8] [CVE-2019-17571] [activemq-all] [5.15.10]" + "software": { + "id": "cpe:2.3:a:oracle:identity_manager_connector:11.1.1.5.0:*:*:*:*:*:*:*" + } }, { - "source": "SUSE", - "url": "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00022.html", - "name": "openSUSE-SU-2020:0051" + "software": { + "id": "cpe:2.3:a:oracle:jdeveloper:12.2.1.3.0:*:*:*:*:*:*:*" + } }, { - "source": "MLIST", - "url": "https://lists.apache.org/thread.html/rbd19de368abf0764e4383ec44d527bc9870176f488a494f09a40500d@%3Ccommon-dev.hadoop.apache.org%3E", - "name": "[hadoop-common-dev] 20200824 [jira] [Created] (HADOOP-17221) Upgrade log4j-1.2.17 to atlassian ( To Adress: CVE-2019-17571)" + "software": { + "id": "cpe:2.3:a:oracle:middleware_common_libraries_and_tools:12.2.1.4.0:*:*:*:*:*:*:*" + } }, { - "source": "MLIST", - "url": "https://lists.apache.org/thread.html/r13d4b5c60ff63f3c4fab51d6ff266655be503b8a1884e2f2fab67c3a@%3Ccommon-issues.hadoop.apache.org%3E", - "name": "[hadoop-common-issues] 20200824 [jira] [Created] (HADOOP-17221) Upgrade log4j-1.2.17 to atlassian ( To Adress: CVE-2019-17571)" + "software": { + "id": "cpe:2.3:a:oracle:mysql_enterprise_monitor:*:*:*:*:*:*:*:*", + "versionEndIncluding": "8.0.29" + } }, { - "source": "MLIST", - "url": "https://lists.apache.org/thread.html/r6b45a2fcc8e98ac93a179183dbb7f340027bdb8e3ab393418076b153@%3Ccommon-issues.hadoop.apache.org%3E", - "name": 
"[hadoop-common-issues] 20200824 [jira] [Commented] (HADOOP-17221) Upgrade log4j-1.2.17 to atlassian ( To Adress: CVE-2019-17571)" + "software": { + "id": "cpe:2.3:a:oracle:tuxedo:12.2.2.0.0:*:*:*:*:*:*:*" + } }, { - "source": "MLIST", - "url": "https://lists.apache.org/thread.html/rd6254837403e8cbfc7018baa9be29705f3f06bd007c83708f9a97679@%3Cissues.zookeeper.apache.org%3E", - "name": "[zookeeper-issues] 20200118 [jira] [Resolved] (ZOOKEEPER-3677) owasp checker failing for - CVE-2019-17571 Apache Log4j 1.2 deserialization of untrusted data in SocketServer" + "software": { + "id": "cpe:2.3:a:oracle:weblogic_server:12.2.1.3.0:*:*:*:*:*:*:*" + } }, { - "source": "MLIST", - "url": "https://lists.apache.org/thread.html/r1b7734dfdfd938640f2f5fb6f4231a267145c71ed60cc7faa1cbac07@%3Ccommon-issues.hadoop.apache.org%3E", - "name": "[hadoop-common-issues] 20200824 [jira] [Updated] (HADOOP-17221) update log4j-1.2.17 to atlassian version( To Adress: CVE-2019-17571)" + "software": { + "id": "cpe:2.3:a:oracle:weblogic_server:12.2.1.4.0:*:*:*:*:*:*:*" + } }, { - "source": "MLIST", - "url": "https://lists.apache.org/thread.html/r48efc7cb5aeb4e1f67aaa06fb4b5479a5635d12f07d0b93fc2d08809@%3Ccommits.zookeeper.apache.org%3E", - "name": "[zookeeper-commits] 20200504 [zookeeper] branch branch-3.6 updated: ZOOKEEPER-3817: suppress log4j SmtpAppender related CVE-2020-9488" + "software": { + "id": "cpe:2.3:a:oracle:weblogic_server:14.1.1.0.0:*:*:*:*:*:*:*" + } }, { - "source": "MLIST", - "url": "https://lists.apache.org/thread.html/rd5dbeee4808c0f2b9b51479b50de3cc6adb1072c332a200d9107f13e@%3Cissues.activemq.apache.org%3E", - "name": "[activemq-issues] 20200122 [jira] [Updated] (AMQ-7370) log4j 1.2 version used by AMQ 5.15.10 / 5.15.11 is vulnerable to CVE-2019-17571" + "software": { + "id": "cpe:2.3:a:qos:reload4j:*:*:*:*:*:*:*:*", + "versionEndExcluding": "1.2.18.1" + } + } + ] + }, + { + "source": "NVD", + "name": "CVE-2022-23307", + "severity": "HIGH", + "cvssv2": { + "score": 9.0, + 
"accessVector": "NETWORK", + "accessComplexity": "LOW", + "authenticationr": "SINGLE", + "confidentialImpact": "COMPLETE", + "integrityImpact": "COMPLETE", + "availabilityImpact": "COMPLETE", + "severity": "HIGH", + "version": "2.0", + "exploitabilityScore": "8.0", + "impactScore": "10.0" + }, + "cvssv3": { + "baseScore": 8.8, + "attackVector": "NETWORK", + "attackComplexity": "LOW", + "privilegesRequired": "LOW", + "userInteraction": "NONE", + "scope": "UNCHANGED", + "confidentialityImpact": "HIGH", + "integrityImpact": "HIGH", + "availabilityImpact": "HIGH", + "baseSeverity": "HIGH", + "exploitabilityScore": "2.8", + "impactScore": "5.9", + "version": "3.1" + }, + "cwes": [ + "CWE-502" + ], + "description": "CVE-2020-9493 identified a deserialization issue that was present in Apache Chainsaw. Prior to Chainsaw V2.0 Chainsaw was a component of Apache Log4j 1.2.x where the same issue exists.", + "notes": "", + "references": [ + { + "source": "MISC", + "url": "https://www.oracle.com/security-alerts/cpuapr2022.html", + "name": "https://www.oracle.com/security-alerts/cpuapr2022.html" }, { - "source": "MLIST", - "url": "https://lists.apache.org/thread.html/r26244f9f7d9a8a27a092eb0b2a0ca9395e88fcde8b5edaeca7ce569c@%3Ccommon-issues.hadoop.apache.org%3E", - "name": "[hadoop-common-issues] 20200824 [jira] [Assigned] (HADOOP-17221) Upgrade log4j-1.2.17 to atlassian ( To Adress: CVE-2019-17571)" + "source": "OSSIndex", + "url": "https://lists.apache.org/thread/rg4yyc89vs3dw6kpy3r92xop9loywyhh", + "name": "https://lists.apache.org/thread/rg4yyc89vs3dw6kpy3r92xop9loywyhh" }, { - "source": "MLIST", - "url": "https://lists.apache.org/thread.html/r3784834e80df2f284577a5596340fb84346c91a2dea6a073e65e3397@%3Cissues.activemq.apache.org%3E", - "name": "[activemq-issues] 20200730 [jira] [Commented] (AMQ-7370) log4j 1.2 version used by AMQ 5.15.10 / 5.15.11 is vulnerable to CVE-2019-17571" + "source": "OSSIndex", + "url": "https://logging.apache.org/log4j/1.2/index.html", + "name": 
"https://logging.apache.org/log4j/1.2/index.html" }, { - "source": "MLIST", - "url": "https://lists.apache.org/thread.html/rca24a281000fb681d7e26e5c031a21eb4b0593a7735f781b53dae4e2@%3Cdev.tika.apache.org%3E", - "name": "[tika-dev] 20200114 [jira] [Commented] (TIKA-3019) [9.8] [CVE-2019-17571] [tika-app] [1.23]" + "source": "N/A", + "url": "https://www.oracle.com/security-alerts/cpujul2022.html", + "name": "N/A" }, { - "source": "MLIST", - "url": "https://lists.apache.org/thread.html/r3a85514a518f3080ab1fc2652cfe122c2ccf67cfb32356acb1b08fe8@%3Cdev.tika.apache.org%3E", - "name": "[tika-dev] 20200107 [jira] [Commented] (TIKA-3019) [9.8] [CVE-2019-17571] [tika-app] [1.23]" + "source": "OSSINDEX", + "url": "https://ossindex.sonatype.org/vulnerability/CVE-2022-23307?component-type=maven&component-name=log4j%2Flog4j&utm_source=dependency-check&utm_medium=integration&utm_content=8.0.2", + "name": "[CVE-2022-23307] CWE-502: Deserialization of Untrusted Data" }, { - "source": "MLIST", - "url": "https://lists.apache.org/thread.html/r746fbc3fc13aee292ae6851f7a5080f592fa3a67b983c6887cdb1fc5@%3Cdev.tika.apache.org%3E", - "name": "[tika-dev] 20200111 [jira] [Closed] (TIKA-3018) log4j 1.2 version used by Apache Tika 1.23 is vulnerable to CVE-2019-17571" + "source": "OSSIndex", + "url": "https://logging.apache.org/log4j/2.x/security.html", + "name": "https://logging.apache.org/log4j/2.x/security.html" }, { - "source": "MLIST", - "url": "https://lists.apache.org/thread.html/r356d57d6225f91fdc30f8b0a2bed229d1ece55e16e552878c5fa809a@%3Cissues.zookeeper.apache.org%3E", - "name": "[zookeeper-issues] 20200108 [jira] [Commented] (ZOOKEEPER-3677) owasp checker failing for - CVE-2019-17571 Apache Log4j 1.2 deserialization of untrusted data in SocketServer" + "source": "MISC", + "url": "https://lists.apache.org/thread/rg4yyc89vs3dw6kpy3r92xop9loywyhh", + "name": "https://lists.apache.org/thread/rg4yyc89vs3dw6kpy3r92xop9loywyhh" }, { - "source": "MLIST", - "url": 
"https://lists.apache.org/thread.html/752ec92cd1e334a639e79bfbd689a4ec2c6579ec5bb41b53ffdf358d@%3Cdev.kafka.apache.org%3E", - "name": "[kafka-dev] 20200105 [jira] [Created] (KAFKA-9366) please consider upgrade log4j to log4j2 due to critical security problem CVE-2019-17571" + "source": "MISC", + "url": "https://logging.apache.org/log4j/1.2/index.html", + "name": "https://logging.apache.org/log4j/1.2/index.html" }, { - "source": "MLIST", - "url": "https://lists.apache.org/thread.html/r8d78a0fbb56d505461e29868d1026e98c402e6a568c13a6da67896a2@%3Cdev.jena.apache.org%3E", - "name": "[jena-dev] 20200318 Re: Logging (JENA-1005)" + "source": "OSSIndex", + "url": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-23307", + "name": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-23307" + } + ], + "vulnerableSoftware": [ + { + "software": { + "id": "cpe:2.3:a:apache:chainsaw:*:*:*:*:*:*:*:*", + "versionEndExcluding": "2.1.0" + } }, { - "source": "MLIST", - "url": "https://lists.apache.org/thread.html/rbc45eb0f53fd6242af3e666c2189464f848a851d408289840cecc6e3@%3Ccommits.zookeeper.apache.org%3E", - "name": "[zookeeper-commits] 20200504 [zookeeper] branch master updated: ZOOKEEPER-3817: suppress log4j SmtpAppender related CVE-2020-9488" + "software": { + "id": "cpe:2.3:a:apache:log4j:*:*:*:*:*:*:*:*", + "vulnerabilityIdMatched": "true", + "versionStartIncluding": "1.2", + "versionEndExcluding": "2.0" + } }, { - "source": "MLIST", - "url": "https://lists.apache.org/thread.html/r7f462c69d5ded4c0223e014d95a3496690423c5f6f05c09e2f2a407a@%3Cjira.kafka.apache.org%3E", - "name": "[kafka-jira] 20200624 [GitHub] [kafka] dongjinleekr commented on pull request #7898: KAFKA-9366: please consider upgrade log4j to log4j2 due to critical security problem CVE-2019-17571" + "software": { + "id": "cpe:2.3:a:oracle:advanced_supply_chain_planning:12.1:*:*:*:*:*:*:*" + } }, { - "source": "MLIST", - "url": 
"https://lists.apache.org/thread.html/rdf2a0d94c3b5b523aeff7741ae71347415276062811b687f30ea6573@%3Ccommits.zookeeper.apache.org%3E", - "name": "[zookeeper-commits] 20200118 [zookeeper] branch branch-3.5 updated: ZOOKEEPER-3677: owasp checker failing for - CVE-2019-17571 Apache Log4j 1.2 deserialization of untrusted data in SocketServer" + "software": { + "id": "cpe:2.3:a:oracle:advanced_supply_chain_planning:12.2:*:*:*:*:*:*:*" + } }, { - "source": "MLIST", - "url": "https://lists.apache.org/thread.html/r05755112a8c164abc1004bb44f198b1e3d8ca3d546a8f13ebd3aa05f@%3Cissues.zookeeper.apache.org%3E", - "name": "[zookeeper-issues] 20200107 [jira] [Commented] (ZOOKEEPER-3677) owasp checker failing for - CVE-2019-17571 Apache Log4j 1.2 deserialization of untrusted data in SocketServer" + "software": { + "id": "cpe:2.3:a:oracle:business_intelligence:5.9.0.0.0:*:*:*:enterprise:*:*:*" + } }, { - "source": "MLIST", - "url": "https://lists.apache.org/thread.html/r7a1acc95373105169bd44df710c2f462cad31fb805364d2958a5ee03@%3Cjira.kafka.apache.org%3E", - "name": "[kafka-jira] 20200625 [GitHub] [kafka] dongjinleekr commented on pull request #7898: KAFKA-9366: please consider upgrade log4j to log4j2 due to critical security problem CVE-2019-17571" + "software": { + "id": "cpe:2.3:a:oracle:business_intelligence:12.2.1.3.0:*:*:*:enterprise:*:*:*" + } }, { - "source": "MLIST", - "url": "https://lists.apache.org/thread.html/44491fb9cc19acc901f7cff34acb7376619f15638439416e3e14761c@%3Cdev.tika.apache.org%3E", - "name": "[tika-dev] 20191226 [jira] [Created] (TIKA-3018) log4j 1.2 version used by Apache Tika 1.23 is vulnerable to CVE-2019-17571" + "software": { + "id": "cpe:2.3:a:oracle:business_intelligence:12.2.1.4.0:*:*:*:enterprise:*:*:*" + } }, { - "source": "MLIST", - "url": "https://lists.debian.org/debian-lts-announce/2020/01/msg00008.html", - "name": "[debian-lts-announce] 20200112 [SECURITY] [DLA 2065-1] apache-log4j1.2 security update" + "software": { + "id": 
"cpe:2.3:a:oracle:business_process_management_suite:12.2.1.3.0:*:*:*:*:*:*:*" + } }, { - "source": "MLIST", - "url": "https://lists.apache.org/thread.html/r6236b5f8646d48af8b66d5050f288304016840788e508c883356fe0e@%3Clog4j-user.logging.apache.org%3E", - "name": "[logging-log4j-user] 20200224 Apache Log4j - Migration activity to 2.12.1 version - Request to support for the queries posted" + "software": { + "id": "cpe:2.3:a:oracle:business_process_management_suite:12.2.1.4.0:*:*:*:*:*:*:*" + } }, { - "source": "MLIST", - "url": "https://lists.apache.org/thread.html/r3c575cabc7386e646fb12cb82b0b38ae5a6ade8a800f827107824495@%3Cjira.kafka.apache.org%3E", - "name": "[kafka-jira] 20200106 [jira] [Assigned] (KAFKA-9366) please consider upgrade log4j to log4j2 due to critical security problem CVE-2019-17571" + "software": { + "id": "cpe:2.3:a:oracle:communications_eagle_ftp_table_base_retrieval:4.5:*:*:*:*:*:*:*" + } }, { - "source": "MLIST", - "url": "https://lists.apache.org/thread.html/r944183c871594fe9a555b8519a7c945bbcf6714d72461aa6c929028f@%3Cissues.zookeeper.apache.org%3E", - "name": "[zookeeper-issues] 20200107 [jira] [Created] (ZOOKEEPER-3677) owasp checker failing for - CVE-2019-17571 Apache Log4j 1.2 deserialization of untrusted data in SocketServer" + "software": { + "id": "cpe:2.3:a:oracle:communications_messaging_server:8.1:*:*:*:*:*:*:*" + } }, { - "source": "MLIST", - "url": "https://lists.apache.org/thread.html/rf1b434e11834a4449cd7addb69ed0aef0923112b5938182b363a968c@%3Cnotifications.zookeeper.apache.org%3E", - "name": "[zookeeper-notifications] 20200108 [GitHub] [zookeeper] eolivelli opened a new pull request #1209: ZOOKEEPER-3677 owasp checker failing for - CVE-2019-17571 Apache Log4j 1.2 deserialization of untrusted data in SocketServer" + "software": { + "id": "cpe:2.3:a:oracle:communications_network_integrity:7.3.6:*:*:*:*:*:*:*" + } }, { - "source": "CONFIRM", - "url": "https://security.netapp.com/advisory/ntap-20200110-0001/", - "name": 
"https://security.netapp.com/advisory/ntap-20200110-0001/" + "software": { + "id": "cpe:2.3:a:oracle:communications_unified_inventory_management:7.4.1:*:*:*:*:*:*:*" + } }, { - "source": "MLIST", - "url": "https://lists.apache.org/thread.html/r8c392ca48bb7e50754e4bc05865e9731b23d568d18a520fe3d8c1f75@%3Ccommon-issues.hadoop.apache.org%3E", - "name": "[hadoop-common-issues] 20200824 [jira] [Commented] (HADOOP-17221) update log4j-1.2.17 to atlassian version( To Address: CVE-2019-17571)" + "software": { + "id": "cpe:2.3:a:oracle:communications_unified_inventory_management:7.4.2:*:*:*:*:*:*:*" + } }, { - "source": "MLIST", - "url": "https://lists.apache.org/thread.html/r4ac89cbecd9e298ae9fafb5afda6fa77ac75c78d1ac957837e066c4e@%3Cuser.zookeeper.apache.org%3E", - "name": "[zookeeper-user] 20200201 Re: Zookeeper 3.5.6 supports log4j 2.x?" + "software": { + "id": "cpe:2.3:a:oracle:e-business_suite_cloud_manager_and_cloud_backup_module:*:*:*:*:*:*:*:*", + "versionEndExcluding": "2.2.1.1.1" + } }, { - "source": "MLIST", - "url": "https://lists.apache.org/thread.html/r71e26f9c2d5826c6f95ad60f7d052d75e1e70b0d2dd853db6fc26d5f@%3Cjira.kafka.apache.org%3E", - "name": "[kafka-jira] 20200602 [GitHub] [kafka] dongjinleekr commented on pull request #7898: KAFKA-9366: please consider upgrade log4j to log4j2 due to critical security problem CVE-2019-17571" - } - ], - "vulnerableSoftware": [ + "software": { + "id": "cpe:2.3:a:oracle:e-business_suite_cloud_manager_and_cloud_backup_module:2.2.1.1.1:*:*:*:*:*:*:*" + } + }, { "software": { - "id": "cpe:2.3:a:apache:log4j:*:*:*:*:*:*:*:*", - "vulnerabilityIdMatched": "true", - "versionStartIncluding": "1.2", - "versionEndIncluding": "1.2.17" + "id": "cpe:2.3:a:oracle:enterprise_manager_base_platform:13.4.0.0:*:*:*:*:*:*:*" } - } - ] - }, - { - "source": "NVD", - "name": "CVE-2020-9488", - "severity": "LOW", - "cvssv2": { - "score": 4.3, - "accessVector": "NETWORK", - "accessComplexity": "MEDIUM", - "authenticationr": "NONE", - 
"confidentialImpact": "PARTIAL", - "integrityImpact": "NONE", - "availabilityImpact": "NONE", - "severity": "MEDIUM", - "version": "2.0", - "exploitabilityScore": "8.6", - "impactScore": "2.9" - }, - "cvssv3": { - "baseScore": 3.7, - "attackVector": "NETWORK", - "attackComplexity": "HIGH", - "privilegesRequired": "NONE", - "userInteraction": "NONE", - "scope": "UNCHANGED", - "confidentialityImpact": "LOW", - "integrityImpact": "NONE", - "availabilityImpact": "NONE", - "baseSeverity": "LOW", - "exploitabilityScore": "2.2", - "impactScore": "1.4", - "version": "3.1" - }, - "cwes": [ - "CWE-295" - ], - "description": "Improper validation of certificate with host mismatch in Apache Log4j SMTP appender. This could allow an SMTPS connection to be intercepted by a man-in-the-middle attack which could leak any log messages sent through that appender.", - "notes": "", - "references": [ + }, { - "source": "MLIST", - "url": "https://lists.apache.org/thread.html/r2f209d271349bafd91537a558a279c08ebcff8fa3e547357d58833e6@%3Cdev.zookeeper.apache.org%3E", - "name": "[zookeeper-dev] 20200504 [jira] [Created] (ZOOKEEPER-3817) owasp failing due to CVE-2020-9488" + "software": { + "id": "cpe:2.3:a:oracle:enterprise_manager_base_platform:13.5.0.0:*:*:*:*:*:*:*" + } }, { - "source": "MLIST", - "url": "https://lists.apache.org/thread.html/rbc45eb0f53fd6242af3e666c2189464f848a851d408289840cecc6e3@%3Ccommits.zookeeper.apache.org%3E", - "name": "[zookeeper-commits] 20200504 [zookeeper] branch master updated: ZOOKEEPER-3817: suppress log4j SmtpAppender related CVE-2020-9488" + "software": { + "id": "cpe:2.3:a:oracle:financial_services_revenue_management_and_billing_analytics:2.7.0.0:*:*:*:*:*:*:*" + } }, { - "source": "MLIST", - "url": "https://lists.apache.org/thread.html/r9a79175c393d14d760a0ae3731b4a873230a16ef321aa9ca48a810cd@%3Cissues.zookeeper.apache.org%3E", - "name": "[zookeeper-issues] 20200504 [jira] [Updated] (ZOOKEEPER-3817) owasp failing due to CVE-2020-9488" + "software": { + 
"id": "cpe:2.3:a:oracle:financial_services_revenue_management_and_billing_analytics:2.7.0.1:*:*:*:*:*:*:*" + } }, { - "source": "MLIST", - "url": "https://lists.apache.org/thread.html/rc6b81c013618d1de1b5d6b8c1088aaf87b4bacc10c2371f15a566701@%3Cnotifications.zookeeper.apache.org%3E", - "name": "[zookeeper-notifications] 20200504 [GitHub] [zookeeper] symat commented on pull request #1346: ZOOKEEPER-3817: suppress log4j SmtpAppender related CVE-2020-9488" + "software": { + "id": "cpe:2.3:a:oracle:financial_services_revenue_management_and_billing_analytics:2.8.0.0:*:*:*:*:*:*:*" + } }, { - "source": "MISC", - "url": "https://www.oracle.com/security-alerts/cpujul2020.html", - "name": "https://www.oracle.com/security-alerts/cpujul2020.html" + "software": { + "id": "cpe:2.3:a:oracle:healthcare_foundation:8.1.0:*:*:*:*:*:*:*" + } }, { - "source": "MLIST", - "url": "https://lists.apache.org/thread.html/rd55f65c6822ff235eda435d31488cfbb9aa7055cdf47481ebee777cc@%3Cissues.zookeeper.apache.org%3E", - "name": "[zookeeper-issues] 20200504 [jira] [Resolved] (ZOOKEEPER-3817) owasp failing due to CVE-2020-9488" + "software": { + "id": "cpe:2.3:a:oracle:hyperion_data_relationship_management:*:*:*:*:*:*:*:*", + "versionEndExcluding": "11.2.8.0" + } }, { - "source": "MLIST", - "url": "https://lists.apache.org/thread.html/rf1c2a81a08034c688b8f15cf58a4cfab322d00002ca46d20133bee20@%3Cdev.kafka.apache.org%3E", - "name": "[kafka-dev] 20200514 [jira] [Created] (KAFKA-9997) upgrade log4j lib to address CVE-2020-9488" + "software": { + "id": "cpe:2.3:a:oracle:hyperion_infrastructure_technology:*:*:*:*:*:*:*:*", + "versionEndExcluding": "11.2.8.0" + } }, { - "source": "MLIST", - "url": "https://lists.apache.org/thread.html/r393943de452406f0f6f4b3def9f8d3c071f96323c1f6ed1a098f7fe4@%3Ctorque-dev.db.apache.org%3E", - "name": "[db-torque-dev] 20200715 Build failed in Jenkins: Torque4-trunk #685" + "software": { + "id": "cpe:2.3:a:oracle:identity_management_suite:12.2.1.3.0:*:*:*:*:*:*:*" + } }, { 
- "source": "MLIST", - "url": "https://lists.apache.org/thread.html/r7e739f2961753af95e2a3a637828fb88bfca68e5d6b0221d483a9ee5@%3Cnotifications.zookeeper.apache.org%3E", - "name": "[zookeeper-notifications] 20200504 [GitHub] [zookeeper] symat opened a new pull request #1346: ZOOKEEPER-3817: suppress log4j SmtpAppender related CVE-2020-9488" + "software": { + "id": "cpe:2.3:a:oracle:identity_management_suite:12.2.1.4.0:*:*:*:*:*:*:*" + } }, { - "source": "CONFIRM", - "url": "https://issues.apache.org/jira/browse/LOG4J2-2819", - "name": "https://issues.apache.org/jira/browse/LOG4J2-2819" + "software": { + "id": "cpe:2.3:a:oracle:identity_manager_connector:11.1.1.5.0:*:*:*:*:*:*:*" + } }, { - "source": "MLIST", - "url": "https://lists.apache.org/thread.html/rd8e87c4d69df335d0ba7d815b63be8bd8a6352f429765c52eb07ddac@%3Cissues.zookeeper.apache.org%3E", - "name": "[zookeeper-issues] 20200504 [jira] [Assigned] (ZOOKEEPER-3817) owasp failing due to CVE-2020-9488" + "software": { + "id": "cpe:2.3:a:oracle:jdeveloper:12.2.1.3.0:*:*:*:*:*:*:*" + } }, { - "source": "MLIST", - "url": "https://lists.apache.org/thread.html/r4285398e5585a0456d3d9db021a4fce6e6fcf3ec027dfa13a450ec98@%3Cissues.zookeeper.apache.org%3E", - "name": "[zookeeper-issues] 20200504 [jira] [Commented] (ZOOKEEPER-3817) owasp failing due to CVE-2020-9488" + "software": { + "id": "cpe:2.3:a:oracle:middleware_common_libraries_and_tools:12.2.1.4.0:*:*:*:*:*:*:*" + } }, { - "source": "MLIST", - "url": "https://lists.apache.org/thread.html/r7e5c10534ed06bf805473ac85e8412fe3908a8fa4cabf5027bf11220@%3Cdev.kafka.apache.org%3E", - "name": "[kafka-dev] 20200514 [jira] [Created] (KAFKA-9996) upgrade zookeeper to 3.5.8 to address security vulnerabilities" + "software": { + "id": "cpe:2.3:a:oracle:mysql_enterprise_monitor:*:*:*:*:*:*:*:*", + "versionEndIncluding": "8.0.29" + } }, { - "source": "MLIST", - "url": 
"https://lists.apache.org/thread.html/r8c001b9a95c0bbec06f4457721edd94935a55932e64b82cc5582b846@%3Cissues.zookeeper.apache.org%3E", - "name": "[zookeeper-issues] 20200504 [jira] [Created] (ZOOKEEPER-3817) owasp failing due to CVE-2020-9488" + "software": { + "id": "cpe:2.3:a:oracle:tuxedo:12.2.2.0.0:*:*:*:*:*:*:*" + } }, { - "source": "MLIST", - "url": "https://lists.apache.org/thread.html/r0a2699f724156a558afd1abb6c044fb9132caa66dce861b82699722a@%3Cjira.kafka.apache.org%3E", - "name": "[kafka-jira] 20200514 [jira] [Created] (KAFKA-9997) upgrade log4j lib to address CVE-2020-9488" + "software": { + "id": "cpe:2.3:a:oracle:weblogic_server:12.2.1.3.0:*:*:*:*:*:*:*" + } }, { - "source": "MLIST", - "url": "https://lists.apache.org/thread.html/r48efc7cb5aeb4e1f67aaa06fb4b5479a5635d12f07d0b93fc2d08809@%3Ccommits.zookeeper.apache.org%3E", - "name": "[zookeeper-commits] 20200504 [zookeeper] branch branch-3.6 updated: ZOOKEEPER-3817: suppress log4j SmtpAppender related CVE-2020-9488" + "software": { + "id": "cpe:2.3:a:oracle:weblogic_server:12.2.1.4.0:*:*:*:*:*:*:*" + } }, { - "source": "MLIST", - "url": "https://lists.apache.org/thread.html/r7641ee788e1eb1be4bb206a7d15f8a64ec6ef23e5ec6132d5a567695@%3Cnotifications.zookeeper.apache.org%3E", - "name": "[zookeeper-notifications] 20200504 Build failed in Jenkins: zookeeper-master-maven-owasp #489" + "software": { + "id": "cpe:2.3:a:oracle:weblogic_server:14.1.1.0.0:*:*:*:*:*:*:*" + } }, { - "source": "MLIST", - "url": "https://lists.apache.org/thread.html/r48bcd06049c1779ef709564544c3d8a32ae6ee5c3b7281a606ac4463@%3Cjira.kafka.apache.org%3E", - "name": "[kafka-jira] 20200515 [jira] [Commented] (KAFKA-9997) upgrade log4j lib to address CVE-2020-9488" - }, + "software": { + "id": "cpe:2.3:a:qos:reload4j:*:*:*:*:*:*:*:*", + "versionEndExcluding": "1.2.18.1" + } + } + ] + }, + { + "source": "OSSINDEX", + "name": "CVE-2021-4104", + "severity": "HIGH", + "cvssv2": { + "score": 7.5, + "accessVector": "N", + "accessComplexity": "H", + 
"authenticationr": "$enc.json($vuln.cvssV2.authentication)", + "confidentialImpact": "H", + "integrityImpact": "H", + "availabilityImpact": "H", + "severity": "HIGH" + }, + "cwes": [ + "CWE-502" + ], + "description": "JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration. The attacker can provide TopicBindingName and TopicConnectionFactoryBindingName configurations causing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228. Note this issue only affects Log4j 1.2 when specifically configured to use JMSAppender, which is not the default. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.\n\nSonatype's research suggests that this CVE's details differ from those defined at NVD. See https://ossindex.sonatype.org/vulnerability/CVE-2021-4104 for details", + "notes": "", + "references": [ { - "source": "CONFIRM", - "url": "https://security.netapp.com/advisory/ntap-20200504-0003/", - "name": "https://security.netapp.com/advisory/ntap-20200504-0003/" + "source": "OSSIndex", + "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126", + "name": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126" }, { - "source": "MLIST", - "url": "https://lists.apache.org/thread.html/r0df3d7a5acb98c57e64ab9266aa21eeee1d9b399addb96f9cf1cbe05@%3Cdev.zookeeper.apache.org%3E", - "name": "[zookeeper-dev] 20200504 log4j SmtpAppender related CVE" + "source": "OSSIndex", + "url": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-4104", + "name": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-4104" }, { - "source": "MLIST", - "url": "https://lists.apache.org/thread.html/r8e96c340004b7898cad3204ea51280ef6e4b553a684e1452bf1b18b1@%3Cjira.kafka.apache.org%3E", - "name": "[kafka-jira] 20200514 [jira] 
[Created] (KAFKA-9996) upgrade zookeeper to 3.5.8 to address security vulnerabilities" + "source": "OSSIndex", + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667", + "name": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { - "source": "MLIST", - "url": "https://lists.apache.org/thread.html/rec34b1cccf907898e7cb36051ffac3ccf1ea89d0b261a2a3b3fb267f@%3Ccommits.zookeeper.apache.org%3E", - "name": "[zookeeper-commits] 20200504 [zookeeper] branch branch-3.5 updated: ZOOKEEPER-3817: suppress log4j SmtpAppender related CVE-2020-9488" + "source": "OSSINDEX", + "url": "https://ossindex.sonatype.org/vulnerability/CVE-2021-4104?component-type=maven&component-name=log4j%2Flog4j&utm_source=dependency-check&utm_medium=integration&utm_content=8.0.2", + "name": "[CVE-2021-4104] CWE-502: Deserialization of Untrusted Data" } ], "vulnerableSoftware": [ { "software": { - "id": "cpe:2.3:a:apache:log4j:*:*:*:*:*:*:*:*", - "vulnerabilityIdMatched": "true", - "versionEndExcluding": "2.13.2" + "id": "cpe:2.3:a:log4j:log4j:1.2.12:*:*:*:*:*:*:*", + "vulnerabilityIdMatched": "true" } } ] @@ -6268,6 +10989,11 @@ "projectReferences": [ "module2:compile" ], + "includedBy": [ + { + "reference": "pkg:maven/org.springframework/spring@2.0.8" + } + ], "evidenceCollected": { "vendorEvidence": [ { @@ -6301,6 +11027,13 @@ { "type": "vendor", "confidence": "LOW", + "source": "jar", + "name": "package name", + "value": "output" + }, + { + "type": "vendor", + "confidence": "HIGHEST", "source": "pom", "name": "artifactid", "value": "logkit" @@ -6308,9 +11041,9 @@ { "type": "vendor", "confidence": "LOW", - "source": "jar", - "name": "package name", - "value": "output" + "source": "pom", + "name": "artifactid", + "value": "logkit" }, { "type": "vendor", @@ -6328,13 +11061,6 @@ "name": "name", "value": "logkit" }, - { - "type": "product", - "confidence": "HIGHEST", - "source": "pom", - "name": "artifactid", - "value": "logkit" - }, { "type": "product", "confidence": "LOW", 
@@ -6356,6 +11082,13 @@ "name": "package name", "value": "output" }, + { + "type": "product", + "confidence": "HIGHEST", + "source": "pom", + "name": "artifactid", + "value": "logkit" + }, { "type": "product", "confidence": "HIGHEST", @@ -6367,15 +11100,15 @@ "versionEvidence": [ { "type": "version", - "confidence": "HIGHEST", - "source": "pom", + "confidence": "HIGH", + "source": "file", "name": "version", "value": "1.0.1" }, { "type": "version", - "confidence": "HIGH", - "source": "file", + "confidence": "HIGHEST", + "source": "pom", "name": "version", "value": "1.0.1" } @@ -6385,7 +11118,7 @@ { "id": "pkg:maven/logkit/logkit@1.0.1", "confidence": "HIGH", - "url": "https://ossindex.sonatype.org/component/pkg:maven/logkit/logkit@1.0.1" + "url": "https://ossindex.sonatype.org/component/pkg:maven/logkit/logkit@1.0.1?utm_source=dependency-check&utm_medium=integration&utm_content=8.0.2" } ] }, @@ -6399,21 +11132,26 @@ "projectReferences": [ "module1:compile" ], + "includedBy": [ + { + "reference": "pkg:maven/struts/struts@1.2.8" + } + ], "evidenceCollected": { "vendorEvidence": [ { "type": "vendor", - "confidence": "HIGHEST", - "source": "pom", - "name": "groupid", + "confidence": "HIGH", + "source": "file", + "name": "name", "value": "oro" }, { "type": "vendor", - "confidence": "MEDIUM", - "source": "manifest: org/apache/oro", - "name": "Implementation-Vendor", - "value": "Apache Software Foundation" + "confidence": "HIGHEST", + "source": "jar", + "name": "package name", + "value": "apache" }, { "type": "vendor", @@ -6424,9 +11162,16 @@ }, { "type": "vendor", - "confidence": "HIGH", - "source": "file", - "name": "name", + "confidence": "MEDIUM", + "source": "manifest: org/apache/oro", + "name": "Implementation-Vendor", + "value": "Apache Software Foundation" + }, + { + "type": "vendor", + "confidence": "HIGHEST", + "source": "pom", + "name": "artifactid", "value": "oro" }, { 
@@ -6439,25 +11184,25 @@ { "type": "vendor", "confidence": "HIGHEST", - "source": "jar", - "name": "package name", - "value": "apache" + "source": "pom", + "name": "groupid", + "value": "oro" } ], "productEvidence": [ { "type": "product", - "confidence": "HIGHEST", - "source": "pom", - "name": "groupid", + "confidence": "HIGH", + "source": "file", + "name": "name", "value": "oro" }, { "type": "product", - "confidence": "MEDIUM", - "source": "manifest: org/apache/oro", - "name": "Specification-Title", - "value": "Jakarta ORO" + "confidence": "HIGHEST", + "source": "jar", + "name": "package name", + "value": "apache" }, { "type": "product", @@ -6475,10 +11220,10 @@ }, { "type": "product", - "confidence": "HIGH", - "source": "file", - "name": "name", - "value": "oro" + "confidence": "MEDIUM", + "source": "manifest: org/apache/oro", + "name": "Specification-Title", + "value": "Jakarta ORO" }, { "type": "product", @@ -6490,9 +11235,9 @@ { "type": "product", "confidence": "HIGHEST", - "source": "jar", - "name": "package name", - "value": "apache" + "source": "pom", + "name": "groupid", + "value": "oro" } ], "versionEvidence": [ @@ -6516,7 +11261,7 @@ { "id": "pkg:maven/oro/oro@2.0.7", "confidence": "HIGH", - "url": "https://ossindex.sonatype.org/component/pkg:maven/oro/oro@2.0.7" + "url": "https://ossindex.sonatype.org/component/pkg:maven/oro/oro@2.0.7?utm_source=dependency-check&utm_medium=integration&utm_content=8.0.2" } ] }, @@ -6530,14 +11275,26 @@ "projectReferences": [ "module2:compile" ], + "includedBy": [ + { + "reference": "pkg:maven/org.springframework/spring@2.0.8" + } + ], "evidenceCollected": { "vendorEvidence": [ { "type": "vendor", - "confidence": "LOW", + "confidence": "HIGH", + "source": "file", + "name": "name", + "value": "servlet-api" + }, + { + "type": "vendor", + "confidence": "HIGHEST", "source": "jar", "name": "package name", - "value": "servlet" + "value": "javax" }, { "type": "vendor", 
@@ -6549,47 +11306,40 @@ { "type": "vendor", "confidence": "HIGHEST", - "source": "pom", - "name": "groupid", - "value": "javax.servlet" + "source": "jar", + "name": "package name", + "value": "servlet" }, { "type": "vendor", - "confidence": "HIGH", - "source": "file", - "name": "name", - "value": "servlet-api" + "confidence": "LOW", + "source": "jar", + "name": "package name", + "value": "servlet" }, { "type": "vendor", - "confidence": "LOW", + "confidence": "HIGHEST", "source": "pom", "name": "artifactid", "value": "servlet-api" }, { "type": "vendor", - "confidence": "HIGHEST", - "source": "jar", - "name": "package name", - "value": "javax" + "confidence": "LOW", + "source": "pom", + "name": "artifactid", + "value": "servlet-api" }, { "type": "vendor", "confidence": "HIGHEST", - "source": "jar", - "name": "package name", - "value": "servlet" + "source": "pom", + "name": "groupid", + "value": "javax.servlet" } ], "productEvidence": [ - { - "type": "product", - "confidence": "LOW", - "source": "jar", - "name": "package name", - "value": "servlet" - }, { "type": "product", "confidence": "HIGH", 
@@ -6600,44 +11350,51 @@ { "type": "product", "confidence": "HIGHEST", - "source": "pom", - "name": "groupid", - "value": "javax.servlet" + "source": "jar", + "name": "package name", + "value": "javax" }, { "type": "product", "confidence": "HIGHEST", - "source": "pom", - "name": "artifactid", - "value": "servlet-api" + "source": "jar", + "name": "package name", + "value": "servlet" }, { "type": "product", - "confidence": "HIGHEST", + "confidence": "LOW", "source": "jar", "name": "package name", - "value": "javax" + "value": "servlet" }, { "type": "product", "confidence": "HIGHEST", - "source": "jar", - "name": "package name", - "value": "servlet" + "source": "pom", + "name": "artifactid", + "value": "servlet-api" + }, + { + "type": "product", + "confidence": "HIGHEST", + "source": "pom", + "name": "groupid", + "value": "javax.servlet" } ], "versionEvidence": [ { "type": "version", - "confidence": "HIGHEST", - "source": "pom", + "confidence": "HIGH", + "source": "file", "name": "version", "value": "2.3" }, { "type": "version", - "confidence": "HIGH", - "source": "file", + "confidence": "HIGHEST", + "source": "pom", "name": "version", "value": "2.3" } @@ -6647,7 +11404,7 @@ { "id": "pkg:maven/javax.servlet/servlet-api@2.3", "confidence": "HIGH", - "url": "https://ossindex.sonatype.org/component/pkg:maven/javax.servlet/servlet-api@2.3" + "url": "https://ossindex.sonatype.org/component/pkg:maven/javax.servlet/servlet-api@2.3?utm_source=dependency-check&utm_medium=integration&utm_content=8.0.2" } ] }, 
@@ -6663,35 +11420,40 @@ "projectReferences": [ "module2:compile" ], + "includedBy": [ + { + "reference": "pkg:maven/com.example/module2@1.0.0" + } + ], "evidenceCollected": { "vendorEvidence": [ { "type": "vendor", "confidence": "HIGH", - "source": "pom", - "name": "organization name", - "value": "Spring Framework" + "source": "file", + "name": "name", + "value": "spring" }, { "type": "vendor", "confidence": "HIGHEST", - "source": "pom", - "name": "groupid", - "value": "springframework" + "source": "hint analyzer", + "name": "vendor", + "value": "pivotal software" }, { "type": "vendor", - "confidence": "HIGH", - "source": "pom", - "name": "name", - "value": "Spring Framework" + "confidence": "HIGHEST", + "source": "hint analyzer", + "name": "vendor", + "value": "SpringSource" }, { "type": "vendor", "confidence": "HIGHEST", "source": "hint analyzer", "name": "vendor", - "value": "pivotal software" + "value": "vmware" }, { "type": "vendor", @@ -6702,9 +11464,16 @@ }, { "type": "vendor", - "confidence": "HIGH", - "source": "file", - "name": "name", + "confidence": "HIGHEST", + "source": "jar", + "name": "package name", + "value": "springframework" + }, + { + "type": "vendor", + "confidence": "HIGHEST", + "source": "pom", + "name": "artifactid", "value": "spring" }, { @@ -6718,22 +11487,22 @@ "type": "vendor", "confidence": "HIGHEST", "source": "pom", - "name": "url", - "value": "http://www.springframework.org" + "name": "groupid", + "value": "org.springframework" }, { "type": "vendor", - "confidence": "HIGHEST", - "source": "hint analyzer", - "name": "vendor", - "value": "vmware" + "confidence": "HIGH", + "source": "pom", + "name": "name", + "value": "Spring Framework" }, { "type": "vendor", - "confidence": "HIGHEST", + "confidence": "HIGH", "source": "pom", - "name": "groupid", - "value": "org.springframework" + "name": "organization name", + "value": "Spring Framework" }, { "type": "vendor", 
@@ -6745,32 +11514,39 @@ { "type": "vendor", "confidence": "HIGHEST", - "source": "jar", - "name": "package name", - "value": "springframework" + "source": "pom", + "name": "url", + "value": "http://www.springframework.org" + } + ], + "productEvidence": [ + { + "type": "product", + "confidence": "HIGH", + "source": "file", + "name": "name", + "value": "spring" }, { - "type": "vendor", + "type": "product", "confidence": "HIGHEST", "source": "hint analyzer", - "name": "vendor", - "value": "SpringSource" - } - ], - "productEvidence": [ + "name": "product", + "value": "springsource_spring_framework" + }, { "type": "product", - "confidence": "LOW", - "source": "pom", - "name": "organization url", - "value": "http://www.springframework.org/" + "confidence": "HIGHEST", + "source": "jar", + "name": "package name", + "value": "framework" }, { "type": "product", "confidence": "HIGHEST", - "source": "pom", - "name": "artifactid", - "value": "spring" + "source": "jar", + "name": "package name", + "value": "springframework" }, { "type": "product", @@ -6779,12 +11555,19 @@ "name": "Implementation-Title", "value": "Spring Framework" }, + { + "type": "product", + "confidence": "HIGHEST", + "source": "pom", + "name": "artifactid", + "value": "spring" + }, { "type": "product", "confidence": "HIGHEST", "source": "pom", "name": "groupid", - "value": "springframework" + "value": "org.springframework" }, { "type": "product", 
@@ -6795,24 +11578,17 @@ }, { "type": "product", - "confidence": "HIGHEST", - "source": "jar", - "name": "package name", - "value": "framework" - }, - { - "type": "product", - "confidence": "HIGHEST", - "source": "jar", - "name": "package name", - "value": "springframework" + "confidence": "LOW", + "source": "pom", + "name": "organization name", + "value": "Spring Framework" }, { "type": "product", "confidence": "LOW", "source": "pom", - "name": "organization name", - "value": "Spring Framework" + "name": "organization url", + "value": "http://www.springframework.org/" }, { "type": "product", @@ -6820,23 +11596,16 @@ "source": "pom", "name": "url", "value": "http://www.springframework.org" - }, + } + ], + "versionEvidence": [ { - "type": "product", + "type": "version", "confidence": "HIGH", "source": "file", - "name": "name", - "value": "spring" + "name": "version", + "value": "2.0.8" }, - { - "type": "product", - "confidence": "HIGHEST", - "source": "hint analyzer", - "name": "product", - "value": "springsource_spring_framework" - } - ], - "versionEvidence": [ { "type": "version", "confidence": "HIGH", 
@@ -6844,495 +11613,1730 @@ "name": "Implementation-Version", "value": "2.0.8" }, - { - "type": "version", - "confidence": "MEDIUM", - "source": "Manifest", - "name": "spring-version", - "value": "2.0.8" + { + "type": "version", + "confidence": "MEDIUM", + "source": "Manifest", + "name": "spring-version", + "value": "2.0.8" + }, + { + "type": "version", + "confidence": "HIGHEST", + "source": "pom", + "name": "version", + "value": "2.0.8" + } + ] + }, + "packages": [ + { + "id": "pkg:maven/org.springframework/spring@2.0.8", + "confidence": "HIGH", + "url": "https://ossindex.sonatype.org/component/pkg:maven/org.springframework/spring@2.0.8?utm_source=dependency-check&utm_medium=integration&utm_content=8.0.2" + } + ], + "vulnerabilityIds": [ + { + "id": "cpe:2.3:a:pivotal_software:spring_framework:2.0.8:*:*:*:*:*:*:*", + "confidence": "HIGHEST", + "url": "https://nvd.nist.gov/vuln/search/results?form_type=Advanced&results_type=overview&search_type=all&cpe_vendor=cpe%3A%2F%3Apivotal_software&cpe_product=cpe%3A%2F%3Apivotal_software%3Aspring_framework&cpe_version=cpe%3A%2F%3Apivotal_software%3Aspring_framework%3A2.0.8" + }, + { + "id": "cpe:2.3:a:springsource:spring_framework:2.0.8:*:*:*:*:*:*:*", + "confidence": "HIGHEST", + "url": "https://nvd.nist.gov/vuln/search/results?form_type=Advanced&results_type=overview&search_type=all&cpe_vendor=cpe%3A%2F%3Aspringsource&cpe_product=cpe%3A%2F%3Aspringsource%3Aspring_framework&cpe_version=cpe%3A%2F%3Aspringsource%3Aspring_framework%3A2.0.8" + }, + { + "id": "cpe:2.3:a:vmware:spring_framework:2.0.8:*:*:*:*:*:*:*", + "confidence": "HIGHEST", + "url": "https://nvd.nist.gov/vuln/search/results?form_type=Advanced&results_type=overview&search_type=all&cpe_vendor=cpe%3A%2F%3Avmware&cpe_product=cpe%3A%2F%3Avmware%3Aspring_framework&cpe_version=cpe%3A%2F%3Avmware%3Aspring_framework%3A2.0.8" + } + ], + "vulnerabilities": [ + { + "source": "NVD", + "name": "CVE-2018-1270", + "severity": "CRITICAL", + "cvssv2": { + "score": 7.5, + 
"accessVector": "NETWORK", + "accessComplexity": "LOW", + "authenticationr": "NONE", + "confidentialImpact": "PARTIAL", + "integrityImpact": "PARTIAL", + "availabilityImpact": "PARTIAL", + "severity": "HIGH", + "version": "2.0", + "exploitabilityScore": "10.0", + "impactScore": "6.4" + }, + "cvssv3": { + "baseScore": 9.8, + "attackVector": "NETWORK", + "attackComplexity": "LOW", + "privilegesRequired": "NONE", + "userInteraction": "NONE", + "scope": "UNCHANGED", + "confidentialityImpact": "HIGH", + "integrityImpact": "HIGH", + "availabilityImpact": "HIGH", + "baseSeverity": "CRITICAL", + "exploitabilityScore": "3.9", + "impactScore": "5.9", + "version": "3.1" + }, + "cwes": [ + "CWE-94" + ], + "description": "Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, allow applications to expose STOMP over WebSocket endpoints with a simple, in-memory STOMP broker through the spring-messaging module. A malicious user (or attacker) can craft a message to the broker that can lead to a remote code execution attack.", + "notes": "", + "references": [ + { + "source": "CONFIRM", + "url": "http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html", + "name": "http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html" + }, + { + "source": "MLIST", + "url": "https://lists.apache.org/thread.html/dcf8599b80e43a6b60482607adb76c64672772dc2d9209ae2170f369@%3Cissues.activemq.apache.org%3E", + "name": "[activemq-issues] 20190718 [jira] [Updated] (AMQ-7236) SEV-1 Security vulnerability in spring-expression-4.3.11.RELEASE.jar (spring framework) and xstream-1.4.10.jar" + }, + { + "source": "MISC", + "url": "https://www.oracle.com/security-alerts/cpujul2020.html", + "name": "https://www.oracle.com/security-alerts/cpujul2020.html" + }, + { + "source": "BID", + "url": "http://www.securityfocus.com/bid/103696", + "name": "103696" + }, + { + "source": "MLIST", + "url": 
"https://lists.apache.org/thread.html/4ed49b103f64a0cecb38064f26cbf1389afc12124653da2d35166dbe@%3Cissues.activemq.apache.org%3E", + "name": "[activemq-issues] 20190703 [jira] [Created] (AMQ-7236) SEV-1 Security vulnerability in spring-expression-4.3.11.RELEASE.jar (spring framework)" + }, + { + "source": "MISC", + "url": "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html", + "name": "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html" + }, + { + "source": "MLIST", + "url": "https://lists.apache.org/thread.html/rf1bbc0ea4a9f014cf94df9a12a6477d24a27f52741dbc87f2fd52ff2@%3Cissues.geode.apache.org%3E", + "name": "[geode-issues] 20200831 [jira] [Created] (GEODE-8471) Dependency security issues in geode-core-1.12" + }, + { + "source": "MLIST", + "url": "https://lists.apache.org/thread.html/6d3d34adcf3dfc48e36342aa1f18ce3c20bb8e4c458a97508d5bfed1@%3Cissues.activemq.apache.org%3E", + "name": "[activemq-issues] 20190826 [jira] [Created] (AMQ-7288) Security Vulnerabilities in ActiveMQ dependent libraries." 
+ }, + { + "source": "EXPLOIT-DB", + "url": "https://www.exploit-db.com/exploits/44796/", + "name": "44796" + }, + { + "source": "MISC", + "url": "https://www.oracle.com/security-alerts/cpuoct2021.html", + "name": "https://www.oracle.com/security-alerts/cpuoct2021.html" + }, + { + "source": "REDHAT", + "url": "https://access.redhat.com/errata/RHSA-2018:2939", + "name": "RHSA-2018:2939" + }, + { + "source": "CONFIRM", + "url": "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html", + "name": "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html" + }, + { + "source": "MLIST", + "url": "https://lists.debian.org/debian-lts-announce/2021/04/msg00022.html", + "name": "[debian-lts-announce] 20210423 [SECURITY] [DLA 2635-1] libspring-java security update" + }, + { + "source": "CONFIRM", + "url": "https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html", + "name": "https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html" + }, + { + "source": "CONFIRM", + "url": "https://pivotal.io/security/cve-2018-1270", + "name": "https://pivotal.io/security/cve-2018-1270" + }, + { + "source": "MLIST", + "url": "https://lists.apache.org/thread.html/ab825fcade0b49becfa30235b3d54f4a51bb74ea96b6c9adb5d1378c@%3Cissues.activemq.apache.org%3E", + "name": "[activemq-issues] 20190703 [jira] [Updated] (AMQ-7236) SEV-1 Security vulnerability in spring-expression-4.3.11.RELEASE.jar (spring framework) and xstream-1.4.10.jar" + } + ], + "vulnerableSoftware": [ + { + "software": { + "id": "cpe:2.3:a:oracle:application_testing_suite:12.5.0.3:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:application_testing_suite:13.1.0.1:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:application_testing_suite:13.2.0.1:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:application_testing_suite:13.3.0.1:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": 
"cpe:2.3:a:oracle:big_data_discovery:1.6.0:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:communications_converged_application_server:*:*:*:*:*:*:*:*", + "versionEndExcluding": "7.0.0.1" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:communications_diameter_signaling_router:*:*:*:*:*:*:*:*", + "versionEndExcluding": "8.3" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:communications_performance_intelligence_center:*:*:*:*:*:*:*:*", + "versionEndExcluding": "10.2.1" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:communications_services_gatekeeper:*:*:*:*:*:*:*:*", + "versionEndExcluding": "6.1.0.4.0" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:enterprise_manager_ops_center:12.2.2:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:enterprise_manager_ops_center:12.3.3:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:goldengate_for_big_data:12.2.0.1:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:goldengate_for_big_data:12.3.1.1:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:goldengate_for_big_data:12.3.2.1:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:health_sciences_information_manager:3.0:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:healthcare_master_person_index:3.0:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:healthcare_master_person_index:4.0:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:insurance_calculation_engine:10.1.1:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:insurance_calculation_engine:10.2:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:insurance_calculation_engine:10.2.1:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:insurance_rules_palette:10.0:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": 
"cpe:2.3:a:oracle:insurance_rules_palette:10.1:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:insurance_rules_palette:10.2:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:insurance_rules_palette:11.0:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:insurance_rules_palette:11.1:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:primavera_gateway:15.2:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:primavera_gateway:16.2:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:primavera_gateway:17.12:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:retail_back_office:14.0:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:retail_back_office:14.1:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:retail_central_office:14.0:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:retail_central_office:14.1:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:retail_customer_insights:15.0:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:retail_customer_insights:16.0:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:retail_integration_bus:14.0.1:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:retail_integration_bus:14.0.2:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:retail_integration_bus:14.0.3:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:retail_integration_bus:14.0.4:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:retail_integration_bus:14.1.1:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:retail_integration_bus:14.1.2:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:retail_integration_bus:14.1.3:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": 
"cpe:2.3:a:oracle:retail_integration_bus:15.0.0.1:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:retail_integration_bus:15.0.1:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:retail_integration_bus:15.0.2:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:retail_integration_bus:16.0:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:retail_integration_bus:16.0.1:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:retail_integration_bus:16.0.2:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:retail_open_commerce_platform:5.3.0:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:retail_open_commerce_platform:6.0.0:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:retail_open_commerce_platform:6.0.1:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:retail_order_broker:5.1:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:retail_order_broker:5.2:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:retail_order_broker:15.0:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:retail_order_broker:16.0:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:retail_point-of-sale:14.0:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:retail_point-of-sale:14.1:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:retail_predictive_application_server:14.0:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:retail_predictive_application_server:14.1:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:retail_predictive_application_server:15.0:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:retail_predictive_application_server:16.0:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:retail_returns_management:14.0:*:*:*:*:*:*:*" 
+ } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:retail_returns_management:14.1:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:retail_xstore_point_of_service:7.1:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:service_architecture_leveraging_tuxedo:12.1.3.0.0:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:service_architecture_leveraging_tuxedo:12.2.2.0.0:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:tape_library_acsls:8.4:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:redhat:fuse:1.0.0:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:vmware:spring_framework:*:*:*:*:*:*:*:*", + "vulnerabilityIdMatched": "true", + "versionEndExcluding": "4.3.16" + } + }, + { + "software": { + "id": "cpe:2.3:a:vmware:spring_framework:*:*:*:*:*:*:*:*", + "versionStartIncluding": "5.0.0", + "versionEndExcluding": "5.0.5" + } + } + ] + }, + { + "source": "NVD", + "name": "CVE-2022-22965", + "knownExploitedVulnerability": { + "VendorProject": "VMware", + "Product": "Spring Framework", + "Name": "Spring Framework JDK 9+ Remote Code Execution Vulnerability", + "DateAdded": "2022-04-04", + "Description": "Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding.", + "RequiredAction": "Apply updates per vendor instructions.", + "DueDate": "2022-04-25", + "Notes": "" + }, + "severity": "CRITICAL", + "cvssv2": { + "score": 7.5, + "accessVector": "NETWORK", + "accessComplexity": "LOW", + "authenticationr": "NONE", + "confidentialImpact": "PARTIAL", + "integrityImpact": "PARTIAL", + "availabilityImpact": "PARTIAL", + "severity": "HIGH", + "version": "2.0", + "exploitabilityScore": "10.0", + "impactScore": "6.4" }, - { - "type": "version", - "confidence": "HIGH", - "source": "file", - "name": "version", - "value": "2.0.8" + "cvssv3": { + "baseScore": 9.8, + "attackVector": "NETWORK", + "attackComplexity": 
"LOW", + "privilegesRequired": "NONE", + "userInteraction": "NONE", + "scope": "UNCHANGED", + "confidentialityImpact": "HIGH", + "integrityImpact": "HIGH", + "availabilityImpact": "HIGH", + "baseSeverity": "CRITICAL", + "exploitabilityScore": "3.9", + "impactScore": "5.9", + "version": "3.1" }, - { - "type": "version", - "confidence": "HIGHEST", - "source": "pom", - "name": "version", - "value": "2.0.8" - } - ] - }, - "packages": [ - { - "id": "pkg:maven/org.springframework/spring@2.0.8", - "confidence": "HIGH", - "url": "https://ossindex.sonatype.org/component/pkg:maven/org.springframework/spring@2.0.8" - } - ], - "vulnerabilityIds": [ - { - "id": "cpe:2.3:a:pivotal_software:spring_framework:2.0.8:*:*:*:*:*:*:*", - "confidence": "HIGHEST", - "url": "https://nvd.nist.gov/vuln/search/results?form_type=Advanced&results_type=overview&search_type=all&cpe_vendor=cpe%3A%2F%3Apivotal_software&cpe_product=cpe%3A%2F%3Apivotal_software%3Aspring_framework&cpe_version=cpe%3A%2F%3Apivotal_software%3Aspring_framework%3A2.0.8" + "cwes": [ + "CWE-94" + ], + "description": "A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. 
However, the nature of the vulnerability is more general, and there may be other ways to exploit it.", + "notes": "", + "references": [ + { + "source": "MISC", + "url": "http://packetstormsecurity.com/files/166713/Spring4Shell-Code-Execution.html", + "name": "http://packetstormsecurity.com/files/166713/Spring4Shell-Code-Execution.html" + }, + { + "source": "MISC", + "url": "https://www.oracle.com/security-alerts/cpuapr2022.html", + "name": "https://www.oracle.com/security-alerts/cpuapr2022.html" + }, + { + "source": "MISC", + "url": "https://tanzu.vmware.com/security/cve-2022-22965", + "name": "https://tanzu.vmware.com/security/cve-2022-22965" + }, + { + "source": "CONFIRM", + "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-254054.pdf", + "name": "https://cert-portal.siemens.com/productcert/pdf/ssa-254054.pdf" + }, + { + "source": "CISCO", + "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-java-spring-rce-Zx9GUc67", + "name": "20220401 Vulnerability in Spring Framework Affecting Cisco Products: March 2022" + }, + { + "source": "MISC", + "url": "http://packetstormsecurity.com/files/167011/Spring4Shell-Spring-Framework-Class-Property-Remote-Code-Execution.html", + "name": "http://packetstormsecurity.com/files/167011/Spring4Shell-Spring-Framework-Class-Property-Remote-Code-Execution.html" + }, + { + "source": "N/A", + "url": "https://www.oracle.com/security-alerts/cpujul2022.html", + "name": "N/A" + }, + { + "source": "CONFIRM", + "url": "https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2022-0005", + "name": "https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2022-0005" + } + ], + "vulnerableSoftware": [ + { + "software": { + "id": "cpe:2.3:a:cisco:cx_cloud_agent:*:*:*:*:*:*:*:*", + "versionEndExcluding": "2.1.0" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:communications_cloud_native_core_automated_test_suite:1.9.0:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": 
"cpe:2.3:a:oracle:communications_cloud_native_core_automated_test_suite:22.1.0:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:communications_cloud_native_core_console:1.9.0:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:communications_cloud_native_core_console:22.1.0:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:communications_cloud_native_core_network_exposure_function:22.1.0:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:communications_cloud_native_core_network_function_cloud_native_environment:1.10.0:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:communications_cloud_native_core_network_function_cloud_native_environment:22.1.0:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:communications_cloud_native_core_network_repository_function:1.15.0:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:communications_cloud_native_core_network_repository_function:22.1.0:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:communications_cloud_native_core_network_slice_selection_function:1.8.0:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:communications_cloud_native_core_network_slice_selection_function:1.15.0:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:communications_cloud_native_core_network_slice_selection_function:22.1.0:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:communications_cloud_native_core_policy:1.15.0:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:communications_cloud_native_core_policy:22.1.0:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:communications_cloud_native_core_security_edge_protection_proxy:1.7.0:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:communications_cloud_native_core_security_edge_protection_proxy:22.1.0:*:*:*:*:*:*:*" + } + }, + 
{ + "software": { + "id": "cpe:2.3:a:oracle:communications_cloud_native_core_unified_data_repository:1.15.0:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:communications_cloud_native_core_unified_data_repository:22.1.0:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:communications_policy_management:12.6.0.0.0:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.1.1:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.1.2.0:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:financial_services_behavior_detection_platform:8.1.1.0:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:financial_services_behavior_detection_platform:8.1.1.1:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:financial_services_behavior_detection_platform:8.1.2.0:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:financial_services_enterprise_case_management:8.1.1.0:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:financial_services_enterprise_case_management:8.1.1.1:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:financial_services_enterprise_case_management:8.1.2.0:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:mysql_enterprise_monitor:*:*:*:*:*:*:*:*", + "versionEndExcluding": "8.0.29" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:product_lifecycle_analytics:3.6.1:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:retail_xstore_point_of_service:20.0.1:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:retail_xstore_point_of_service:21.0.0:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:sd-wan_edge:9.0:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": 
"cpe:2.3:a:oracle:sd-wan_edge:9.1:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:siemens:operation_scheduler:*:*:*:*:*:*:*:*", + "versionEndExcluding": "2.0.4" + } + }, + { + "software": { + "id": "cpe:2.3:a:siemens:sipass_integrated:2.80:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:siemens:sipass_integrated:2.85:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:siemens:siveillance_identity:1.5:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:siemens:siveillance_identity:1.6:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:veritas:access_appliance:7.4.3:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:veritas:access_appliance:7.4.3.100:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:veritas:access_appliance:7.4.3.200:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:veritas:flex_appliance:1.3:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:veritas:flex_appliance:2.0:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:veritas:flex_appliance:2.0.1:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:veritas:flex_appliance:2.0.2:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:veritas:flex_appliance:2.1:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:veritas:netbackup_flex_scale_appliance:2.1:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:veritas:netbackup_flex_scale_appliance:3.0:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:vmware:spring_framework:*:*:*:*:*:*:*:*", + "vulnerabilityIdMatched": "true", + "versionEndExcluding": "5.2.20" + } + }, + { + "software": { + "id": "cpe:2.3:a:vmware:spring_framework:*:*:*:*:*:*:*:*", + "versionStartIncluding": "5.3.0", + "versionEndExcluding": "5.3.18" + } + } + ] }, { - "id": "cpe:2.3:a:springsource:spring_framework:2.0.8:*:*:*:*:*:*:*", - "confidence": "HIGHEST", - "url": 
"https://nvd.nist.gov/vuln/search/results?form_type=Advanced&results_type=overview&search_type=all&cpe_vendor=cpe%3A%2F%3Aspringsource&cpe_product=cpe%3A%2F%3Aspringsource%3Aspring_framework&cpe_version=cpe%3A%2F%3Aspringsource%3Aspring_framework%3A2.0.8" + "source": "NVD", + "name": "CVE-2011-2730", + "severity": "HIGH", + "cvssv2": { + "score": 7.5, + "accessVector": "NETWORK", + "accessComplexity": "LOW", + "authenticationr": "NONE", + "confidentialImpact": "PARTIAL", + "integrityImpact": "PARTIAL", + "availabilityImpact": "PARTIAL", + "severity": "HIGH", + "version": "2.0", + "exploitabilityScore": "10.0", + "impactScore": "6.4" + }, + "cwes": [ + "CWE-16" + ], + "description": "VMware SpringSource Spring Framework before 2.5.6.SEC03, 2.5.7.SR023, and 3.x before 3.0.6, when a container supports Expression Language (EL), evaluates EL expressions in tags twice, which allows remote attackers to obtain sensitive information via a (1) name attribute in a (a) spring:hasBindErrors tag; (2) path attribute in a (b) spring:bind or (c) spring:nestedpath tag; (3) arguments, (4) code, (5) text, (6) var, (7) scope, or (8) message attribute in a (d) spring:message or (e) spring:theme tag; or (9) var, (10) scope, or (11) value attribute in a (f) spring:transform tag, aka \"Expression Language Injection.\"", + "notes": "", + "references": [ + { + "source": "REDHAT", + "url": "http://rhn.redhat.com/errata/RHSA-2013-0195.html", + "name": "RHSA-2013:0195" + }, + { + "source": "REDHAT", + "url": "http://rhn.redhat.com/errata/RHSA-2013-0197.html", + "name": "RHSA-2013:0197" + }, + { + "source": "REDHAT", + "url": "http://rhn.redhat.com/errata/RHSA-2013-0221.html", + "name": "RHSA-2013:0221" + }, + { + "source": "REDHAT", + "url": "http://rhn.redhat.com/errata/RHSA-2013-0192.html", + "name": "RHSA-2013:0192" + }, + { + "source": "OSSIndex", + "url": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-2730", + "name": 
"http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-2730" + }, + { + "source": "OSSIndex", + "url": "http://danamodio.com/appsec/research/spring-remote-code-with-expression-language-injection/", + "name": "http://danamodio.com/appsec/research/spring-remote-code-with-expression-language-injection/" + }, + { + "source": "CONFIRM", + "url": "http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html", + "name": "http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html" + }, + { + "source": "REDHAT", + "url": "http://rhn.redhat.com/errata/RHSA-2013-0198.html", + "name": "RHSA-2013:0198" + }, + { + "source": "SECUNIA", + "url": "http://secunia.com/advisories/55155", + "name": "55155" + }, + { + "source": "SECTRACK", + "url": "http://www.securitytracker.com/id/1029151", + "name": "1029151" + }, + { + "source": "REDHAT", + "url": "http://rhn.redhat.com/errata/RHSA-2013-0533.html", + "name": "RHSA-2013:0533" + }, + { + "source": "REDHAT", + "url": "http://rhn.redhat.com/errata/RHSA-2013-0191.html", + "name": "RHSA-2013:0191" + }, + { + "source": "MISC", + "url": "http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=677814", + "name": "http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=677814" + }, + { + "source": "SECUNIA", + "url": "http://secunia.com/advisories/52054", + "name": "52054" + }, + { + "source": "REDHAT", + "url": "http://rhn.redhat.com/errata/RHSA-2013-0196.html", + "name": "RHSA-2013:0196" + }, + { + "source": "REDHAT", + "url": "http://rhn.redhat.com/errata/RHSA-2013-0194.html", + "name": "RHSA-2013:0194" + }, + { + "source": "SECUNIA", + "url": "http://secunia.com/advisories/51984", + "name": "51984" + }, + { + "source": "REDHAT", + "url": "http://rhn.redhat.com/errata/RHSA-2013-0193.html", + "name": "RHSA-2013:0193" + }, + { + "source": "OSSINDEX", + "url": 
"https://ossindex.sonatype.org/vulnerability/CVE-2011-2730?component-type=maven&component-name=org.springframework%2Fspring&utm_source=dependency-check&utm_medium=integration&utm_content=8.0.2", + "name": "[CVE-2011-2730] CWE-16" + }, + { + "source": "DEBIAN", + "url": "http://www.debian.org/security/2012/dsa-2504", + "name": "DSA-2504" + }, + { + "source": "OSSIndex", + "url": "http://support.springsource.com/security/cve-2011-2730", + "name": "http://support.springsource.com/security/cve-2011-2730" + }, + { + "source": "MISC", + "url": "https://docs.google.com/document/d/1dc1xxO8UMFaGLOwgkykYdghGWm_2Gn0iCrxFsympqcE/edit", + "name": "https://docs.google.com/document/d/1dc1xxO8UMFaGLOwgkykYdghGWm_2Gn0iCrxFsympqcE/edit" + }, + { + "source": "CONFIRM", + "url": "http://support.springsource.com/security/cve-2011-2730", + "name": "http://support.springsource.com/security/cve-2011-2730" + } + ], + "vulnerableSoftware": [ + { + "software": { + "id": "cpe:2.3:a:springsource:spring_framework:*:*:*:*:*:*:*:*", + "vulnerabilityIdMatched": "true", + "versionEndIncluding": "2.5.7_sr01" + } + }, + { + "software": { + "id": "cpe:2.3:a:springsource:spring_framework:*:*:*:*:*:*:*:*", + "versionEndIncluding": "3.0.5" + } + }, + { + "software": { + "id": "cpe:2.3:a:springsource:spring_framework:2.5.0:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:springsource:spring_framework:2.5.0:rc1:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:springsource:spring_framework:2.5.0:rc2:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:springsource:spring_framework:2.5.1:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:springsource:spring_framework:2.5.2:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:springsource:spring_framework:2.5.3:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:springsource:spring_framework:2.5.4:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": 
"cpe:2.3:a:springsource:spring_framework:2.5.5:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:springsource:spring_framework:2.5.6:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:springsource:spring_framework:2.5.7:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:springsource:spring_framework:3.0.0:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:springsource:spring_framework:3.0.1:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:springsource:spring_framework:3.0.2:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:springsource:spring_framework:3.0.3:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:springsource:spring_framework:3.0.4:*:*:*:*:*:*:*" + } + } + ] }, - { - "id": "cpe:2.3:a:vmware:springsource_spring_framework:2.0.8:*:*:*:*:*:*:*", - "confidence": "LOW" - } - ], - "vulnerabilities": [ { "source": "NVD", - "name": "CVE-2011-2730", + "name": "CVE-2016-9878", "severity": "HIGH", "cvssv2": { - "score": 7.5, + "score": 5.0, "accessVector": "NETWORK", "accessComplexity": "LOW", "authenticationr": "NONE", "confidentialImpact": "PARTIAL", - "integrityImpact": "PARTIAL", - "availabilityImpact": "PARTIAL", - "severity": "HIGH", + "integrityImpact": "NONE", + "availabilityImpact": "NONE", + "severity": "MEDIUM", "version": "2.0", "exploitabilityScore": "10.0", - "impactScore": "6.4" + "impactScore": "2.9", + "acInsufInfo": "true" + }, + "cvssv3": { + "baseScore": 7.5, + "attackVector": "NETWORK", + "attackComplexity": "LOW", + "privilegesRequired": "NONE", + "userInteraction": "NONE", + "scope": "UNCHANGED", + "confidentialityImpact": "HIGH", + "integrityImpact": "NONE", + "availabilityImpact": "NONE", + "baseSeverity": "HIGH", + "exploitabilityScore": "3.9", + "impactScore": "3.6", + "version": "3.0" }, "cwes": [ - "CWE-16" + "CWE-22" ], - "description": "VMware SpringSource Spring Framework before 2.5.6.SEC03, 2.5.7.SR023, and 3.x before 3.0.6, when a container 
supports Expression Language (EL), evaluates EL expressions in tags twice, which allows remote attackers to obtain sensitive information via a (1) name attribute in a (a) spring:hasBindErrors tag; (2) path attribute in a (b) spring:bind or (c) spring:nestedpath tag; (3) arguments, (4) code, (5) text, (6) var, (7) scope, or (8) message attribute in a (d) spring:message or (e) spring:theme tag; or (9) var, (10) scope, or (11) value attribute in a (f) spring:transform tag, aka \"Expression Language Injection.\" Per update to Hyperlink Record 1199655 (http://support.springsource.com/security/cve-2011-2730), the score has been adjusted based on remote code execution Per update to http://support.springsource.com/security/cve-2011-2730", + "description": "An issue was discovered in Pivotal Spring Framework before 3.2.18, 4.2.x before 4.2.9, and 4.3.x before 4.3.5. Paths provided to the ResourceServlet were not properly sanitized and as a result exposed to directory traversal attacks.", "notes": "", "references": [ { - "source": "REDHAT", - "url": "http://rhn.redhat.com/errata/RHSA-2013-0195.html", - "name": "RHSA-2013:0195" + "source": "OSSINDEX", + "url": "https://ossindex.sonatype.org/vulnerability/CVE-2016-9878?component-type=maven&component-name=org.springframework%2Fspring&utm_source=dependency-check&utm_medium=integration&utm_content=8.0.2", + "name": "[CVE-2016-9878] CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')" }, { - "source": "REDHAT", - "url": "http://rhn.redhat.com/errata/RHSA-2013-0197.html", - "name": "RHSA-2013:0197" + "source": "CONFIRM", + "url": "http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html", + "name": "http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html" }, { - "source": "REDHAT", - "url": "http://rhn.redhat.com/errata/RHSA-2013-0192.html", - "name": "RHSA-2013:0192" + "source": "OSSIndex", + "url": "https://pivotal.io/security/cve-2016-9878", + "name": 
"https://pivotal.io/security/cve-2016-9878" + }, + { + "source": "MLIST", + "url": "https://lists.debian.org/debian-lts-announce/2019/07/msg00012.html", + "name": "[debian-lts-announce] 20190713 [SECURITY] [DLA 1853-1] libspring-java security update" + }, + { + "source": "SECTRACK", + "url": "http://www.securitytracker.com/id/1040698", + "name": "1040698" + }, + { + "source": "CONFIRM", + "url": "https://pivotal.io/security/cve-2016-9878", + "name": "https://pivotal.io/security/cve-2016-9878" + }, + { + "source": "CONFIRM", + "url": "http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html", + "name": "http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html" + }, + { + "source": "MISC", + "url": "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html", + "name": "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html" + }, + { + "source": "BID", + "url": "http://www.securityfocus.com/bid/95072", + "name": "95072" + }, + { + "source": "CONFIRM", + "url": "https://security.netapp.com/advisory/ntap-20180419-0002/", + "name": "https://security.netapp.com/advisory/ntap-20180419-0002/" }, { "source": "REDHAT", - "url": "http://rhn.redhat.com/errata/RHSA-2013-0221.html", - "name": "RHSA-2013:0221" + "url": "https://access.redhat.com/errata/RHSA-2017:3115", + "name": "RHSA-2017:3115" }, { "source": "CONFIRM", - "url": "http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html", - "name": "http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html" + "url": "http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html", + "name": "http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html" + }, + { + "source": "OSSIndex", + "url": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-9878", + "name": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-9878" + } + ], + "vulnerableSoftware": [ + { + "software": { + 
"id": "cpe:2.3:a:pivotal_software:spring_framework:*:*:*:*:*:*:*:*", + "vulnerabilityIdMatched": "true", + "versionEndIncluding": "3.2.0" + } + }, + { + "software": { + "id": "cpe:2.3:a:pivotal_software:spring_framework:4.2.0:*:*:*:*:*:*:*" + } }, { - "source": "REDHAT", - "url": "http://rhn.redhat.com/errata/RHSA-2013-0198.html", - "name": "RHSA-2013:0198" + "software": { + "id": "cpe:2.3:a:pivotal_software:spring_framework:4.3.0:*:*:*:*:*:*:*" + } }, { - "source": "REDHAT", - "url": "http://rhn.redhat.com/errata/RHSA-2013-0533.html", - "name": "RHSA-2013:0533" + "software": { + "id": "cpe:2.3:a:vmware:spring_framework:3.2.1:*:*:*:*:*:*:*" + } }, { - "source": "SECUNIA", - "url": "http://secunia.com/advisories/55155", - "name": "55155" + "software": { + "id": "cpe:2.3:a:vmware:spring_framework:3.2.2:*:*:*:*:*:*:*" + } }, { - "source": "SECTRACK", - "url": "http://www.securitytracker.com/id/1029151", - "name": "1029151" + "software": { + "id": "cpe:2.3:a:vmware:spring_framework:3.2.3:*:*:*:*:*:*:*" + } }, { - "source": "REDHAT", - "url": "http://rhn.redhat.com/errata/RHSA-2013-0191.html", - "name": "RHSA-2013:0191" + "software": { + "id": "cpe:2.3:a:vmware:spring_framework:3.2.4:*:*:*:*:*:*:*" + } }, { - "source": "MISC", - "url": "http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=677814", - "name": "http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=677814" + "software": { + "id": "cpe:2.3:a:vmware:spring_framework:3.2.5:*:*:*:*:*:*:*" + } }, { - "source": "SECUNIA", - "url": "http://secunia.com/advisories/52054", - "name": "52054" + "software": { + "id": "cpe:2.3:a:vmware:spring_framework:3.2.6:*:*:*:*:*:*:*" + } }, { - "source": "REDHAT", - "url": "http://rhn.redhat.com/errata/RHSA-2013-0196.html", - "name": "RHSA-2013:0196" + "software": { + "id": "cpe:2.3:a:vmware:spring_framework:3.2.7:*:*:*:*:*:*:*" + } }, { - "source": "REDHAT", - "url": "http://rhn.redhat.com/errata/RHSA-2013-0194.html", - "name": "RHSA-2013:0194" + "software": { + "id": 
"cpe:2.3:a:vmware:spring_framework:3.2.8:*:*:*:*:*:*:*" + } }, { - "source": "SECUNIA", - "url": "http://secunia.com/advisories/51984", - "name": "51984" + "software": { + "id": "cpe:2.3:a:vmware:spring_framework:3.2.9:*:*:*:*:*:*:*" + } }, { - "source": "REDHAT", - "url": "http://rhn.redhat.com/errata/RHSA-2013-0193.html", - "name": "RHSA-2013:0193" + "software": { + "id": "cpe:2.3:a:vmware:spring_framework:3.2.10:*:*:*:*:*:*:*" + } }, { - "source": "DEBIAN", - "url": "http://www.debian.org/security/2012/dsa-2504", - "name": "DSA-2504" + "software": { + "id": "cpe:2.3:a:vmware:spring_framework:3.2.11:*:*:*:*:*:*:*" + } }, { - "source": "MISC", - "url": "https://docs.google.com/document/d/1dc1xxO8UMFaGLOwgkykYdghGWm_2Gn0iCrxFsympqcE/edit", - "name": "https://docs.google.com/document/d/1dc1xxO8UMFaGLOwgkykYdghGWm_2Gn0iCrxFsympqcE/edit" + "software": { + "id": "cpe:2.3:a:vmware:spring_framework:3.2.12:*:*:*:*:*:*:*" + } }, - { - "source": "CONFIRM", - "url": "http://support.springsource.com/security/cve-2011-2730", - "name": "http://support.springsource.com/security/cve-2011-2730" - } - ], - "vulnerableSoftware": [ { "software": { - "id": "cpe:2.3:a:springsource:spring_framework:2.5.2:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:vmware:spring_framework:3.2.13:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:springsource:spring_framework:3.0.3:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:vmware:spring_framework:3.2.14:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:springsource:spring_framework:2.5.0:rc1:*:*:*:*:*:*" + "id": "cpe:2.3:a:vmware:spring_framework:3.2.15:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:springsource:spring_framework:2.5.5:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:vmware:spring_framework:3.2.16:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:springsource:spring_framework:3.0.0:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:vmware:spring_framework:3.2.17:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:springsource:spring_framework:*:*:*:*:*:*:*:*", - 
"vulnerabilityIdMatched": "true", - "versionEndIncluding": "3.0.5" + "id": "cpe:2.3:a:vmware:spring_framework:4.2.1:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:springsource:spring_framework:2.5.4:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:vmware:spring_framework:4.2.2:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:springsource:spring_framework:2.5.0:rc2:*:*:*:*:*:*" + "id": "cpe:2.3:a:vmware:spring_framework:4.2.3:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:springsource:spring_framework:2.5.0:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:vmware:spring_framework:4.2.4:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:springsource:spring_framework:2.5.7:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:vmware:spring_framework:4.2.5:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:springsource:spring_framework:*:*:*:*:*:*:*:*", - "versionEndIncluding": "2.5.7_sr01" + "id": "cpe:2.3:a:vmware:spring_framework:4.2.6:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:springsource:spring_framework:2.5.6:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:vmware:spring_framework:4.2.7:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:springsource:spring_framework:2.5.3:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:vmware:spring_framework:4.2.8:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:springsource:spring_framework:3.0.2:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:vmware:spring_framework:4.3.1:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:springsource:spring_framework:2.5.1:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:vmware:spring_framework:4.3.2:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:springsource:spring_framework:3.0.4:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:vmware:spring_framework:4.3.3:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:springsource:spring_framework:3.0.1:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:vmware:spring_framework:4.3.4:*:*:*:*:*:*:*" } } ] }, { "source": "NVD", - "name": "CVE-2013-4152", - "severity": "MEDIUM", + "name": "CVE-2018-11040", + "severity": 
"HIGH", "cvssv2": { - "score": 6.8, + "score": 4.3, "accessVector": "NETWORK", "accessComplexity": "MEDIUM", "authenticationr": "NONE", "confidentialImpact": "PARTIAL", - "integrityImpact": "PARTIAL", - "availabilityImpact": "PARTIAL", + "integrityImpact": "NONE", + "availabilityImpact": "NONE", "severity": "MEDIUM", "version": "2.0", "exploitabilityScore": "8.6", - "impactScore": "6.4" + "impactScore": "2.9" + }, + "cvssv3": { + "baseScore": 7.5, + "attackVector": "NETWORK", + "attackComplexity": "LOW", + "privilegesRequired": "NONE", + "userInteraction": "NONE", + "scope": "UNCHANGED", + "confidentialityImpact": "HIGH", + "integrityImpact": "NONE", + "availabilityImpact": "NONE", + "baseSeverity": "HIGH", + "exploitabilityScore": "3.9", + "impactScore": "3.6", + "version": "3.1" }, "cwes": [ - "CWE-264" + "CWE-829" ], - "description": "The Spring OXM wrapper in Spring Framework before 3.2.4 and 4.0.0.M1, when using the JAXB marshaller, does not disable entity resolution, which allows context-dependent attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via an XML external entity declaration in conjunction with an entity reference in a (1) DOMSource, (2) StAXSource, (3) SAXSource, or (4) StreamSource, aka an XML External Entity (XXE) issue.", + "description": "Spring Framework, versions 5.0.x prior to 5.0.7 and 4.3.x prior to 4.3.18 and older unsupported versions, allows web applications to enable cross-domain requests via JSONP (JSON with Padding) through AbstractJsonpResponseBodyAdvice for REST controllers and MappingJackson2JsonView for browser requests. 
Both are not enabled by default in Spring Framework nor Spring Boot, however, when MappingJackson2JsonView is configured in an application, JSONP support is automatically ready to use through the \"jsonp\" and \"callback\" JSONP parameters, enabling cross-domain requests.", "notes": "", "references": [ { - "source": "REDHAT", - "url": "http://rhn.redhat.com/errata/RHSA-2014-0212.html", - "name": "RHSA-2014:0212" + "source": "MISC", + "url": "https://www.oracle.com/security-alerts/cpuoct2021.html", + "name": "https://www.oracle.com/security-alerts/cpuoct2021.html" }, { - "source": "SECUNIA", - "url": "http://secunia.com/advisories/57915", - "name": "57915" + "source": "MISC", + "url": "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html", + "name": "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html" }, { - "source": "BID", - "url": "http://www.securityfocus.com/bid/61951", - "name": "61951" + "source": "MISC", + "url": "https://www.oracle.com/security-alerts/cpujul2020.html", + "name": "https://www.oracle.com/security-alerts/cpujul2020.html" }, { - "source": "SECUNIA", - "url": "http://secunia.com/advisories/56247", - "name": "56247" + "source": "CONFIRM", + "url": "https://pivotal.io/security/cve-2018-11040", + "name": "https://pivotal.io/security/cve-2018-11040" }, { - "source": "REDHAT", - "url": "http://rhn.redhat.com/errata/RHSA-2014-0245.html", - "name": "RHSA-2014:0245" + "source": "CONFIRM", + "url": "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html", + "name": "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html" }, { - "source": "DEBIAN", - "url": "http://www.debian.org/security/2014/dsa-2842", - "name": "DSA-2842" + "source": "MLIST", + "url": "https://lists.debian.org/debian-lts-announce/2021/04/msg00022.html", + "name": "[debian-lts-announce] 20210423 [SECURITY] [DLA 2635-1] libspring-java security update" }, { "source": "CONFIRM", - "url": 
"https://jira.springsource.org/browse/SPR-10806", - "name": "https://jira.springsource.org/browse/SPR-10806" + "url": "https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html", + "name": "https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html" }, { - "source": "CONFIRM", - "url": "https://github.com/spring-projects/spring-framework/pull/317/files", - "name": "https://github.com/spring-projects/spring-framework/pull/317/files" + "source": "MISC", + "url": "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html", + "name": "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html" }, { - "source": "REDHAT", - "url": "http://rhn.redhat.com/errata/RHSA-2014-0400.html", - "name": "RHSA-2014:0400" + "source": "MISC", + "url": "https://www.oracle.com/security-alerts/cpujan2020.html", + "name": "https://www.oracle.com/security-alerts/cpujan2020.html" + } + ], + "vulnerableSoftware": [ + { + "software": { + "id": "cpe:2.3:a:oracle:agile_product_lifecycle_management:9.3.3:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:agile_product_lifecycle_management:9.3.4:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:agile_product_lifecycle_management:9.3.5:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:application_testing_suite:12.5.0.3:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:application_testing_suite:13.1.0.1:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:application_testing_suite:13.2.0.1:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:application_testing_suite:13.3.0.1:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:communications_network_integrity:*:*:*:*:*:*:*:*", + "versionStartIncluding": "7.3.2", + "versionEndIncluding": "7.3.6" + } + }, + { + "software": { + "id": 
"cpe:2.3:a:oracle:communications_online_mediation_controller:6.1:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:communications_services_gatekeeper:*:*:*:*:*:*:*:*", + "versionEndExcluding": "6.1.0.4.0" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:communications_unified_inventory_management:7.3.2:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:communications_unified_inventory_management:7.3.4:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:communications_unified_inventory_management:7.3.5:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:communications_unified_inventory_management:7.4.0:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:endeca_information_discovery_integrator:3.1.0:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:endeca_information_discovery_integrator:3.2.0:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:enterprise_manager:13.2:*:*:*:*:mysql:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:enterprise_manager_ops_center:12.3.3:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:flexcube_private_banking:2.0.0.0:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:flexcube_private_banking:2.2.0.1:*:*:*:*:*:*:*" + } }, { - "source": "REDHAT", - "url": "http://rhn.redhat.com/errata/RHSA-2014-0254.html", - "name": "RHSA-2014:0254" + "software": { + "id": "cpe:2.3:a:oracle:flexcube_private_banking:12.0.1.0:*:*:*:*:*:*:*" + } }, { - "source": "CONFIRM", - "url": "http://www.gopivotal.com/security/cve-2013-4152", - "name": "http://www.gopivotal.com/security/cve-2013-4152" + "software": { + "id": "cpe:2.3:a:oracle:flexcube_private_banking:12.0.3.0:*:*:*:*:*:*:*" + } }, { - "source": "BUGTRAQ", - "url": "http://seclists.org/bugtraq/2013/Aug/154", - "name": "20130822 CVE-2013-4152 XML External Entity (XXE) injection in Spring Framework" + "software": { + 
"id": "cpe:2.3:a:oracle:flexcube_private_banking:12.1.0.0:*:*:*:*:*:*:*" + } }, - { - "source": "FULLDISC", - "url": "http://seclists.org/fulldisclosure/2013/Nov/14", - "name": "20131102 XXE Injection in Spring Framework" - } - ], - "vulnerableSoftware": [ { "software": { - "id": "cpe:2.3:a:springsource:spring_framework:3.0.0.m2:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:oracle:healthcare_master_person_index:3.0:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:springsource:spring_framework:3.0.0:rc3:*:*:*:*:*:*" + "id": "cpe:2.3:a:oracle:healthcare_master_person_index:4.0:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:springsource:spring_framework:4.0.0:m1:*:*:*:*:*:*" + "id": "cpe:2.3:a:oracle:hospitality_guest_access:4.2.0:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:springsource:spring_framework:3.0.0:rc1:*:*:*:*:*:*" + "id": "cpe:2.3:a:oracle:hospitality_guest_access:4.2.1:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:springsource:spring_framework:3.0.2:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:oracle:insurance_calculation_engine:*:*:*:*:*:*:*:*", + "versionStartIncluding": "11.0.0", + "versionEndIncluding": "11.3.1" } }, { "software": { - "id": "cpe:2.3:a:springsource:spring_framework:3.2.2:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:oracle:insurance_rules_palette:10.0:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:springsource:spring_framework:3.0.0:rc2:*:*:*:*:*:*" + "id": "cpe:2.3:a:oracle:insurance_rules_palette:10.2:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:springsource:spring_framework:3.0.7:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:oracle:micros_lucas:2.9.5:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:springsource:spring_framework:3.0.0:m2:*:*:*:*:*:*" + "id": "cpe:2.3:a:oracle:mysql_enterprise_monitor:*:*:*:*:*:*:*:*", + "versionEndIncluding": "3.4.9.4237" } }, { "software": { - "id": "cpe:2.3:a:springsource:spring_framework:3.0.1:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:oracle:mysql_enterprise_monitor:*:*:*:*:*:*:*:*", + 
"versionStartIncluding": "3.4.10", + "versionEndIncluding": "4.0.6.5281" } }, { "software": { - "id": "cpe:2.3:a:springsource:spring_framework:3.2.1:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:oracle:mysql_enterprise_monitor:*:*:*:*:*:*:*:*", + "versionStartIncluding": "4.0.7", + "versionEndIncluding": "8.0.2.8191" } }, { "software": { - "id": "cpe:2.3:a:springsource:spring_framework:3.0.0.m1:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:oracle:product_lifecycle_management:9.3.6:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:springsource:spring_framework:3.1.4:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:oracle:retail_advanced_inventory_planning:15.0:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:springsource:spring_framework:3.0.0:m1:*:*:*:*:*:*" + "id": "cpe:2.3:a:oracle:retail_clearance_optimization_engine:14.0.5:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:springsource:spring_framework:3.0.3:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:oracle:retail_customer_insights:15.0:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:springsource:spring_framework:3.1.3:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:oracle:retail_customer_insights:16.0:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:springsource:spring_framework:3.0.0:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:oracle:retail_markdown_optimization:13.4.4:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:springsource:spring_framework:3.1.0:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:oracle:retail_predictive_application_server:14.0.3.26:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:springsource:spring_framework:3.2.0:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:oracle:retail_predictive_application_server:14.1.3.37:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:springsource:spring_framework:3.0.0:m3:*:*:*:*:*:*" + "id": "cpe:2.3:a:oracle:retail_predictive_application_server:15.0.3.100:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:springsource:spring_framework:3.0.6:*:*:*:*:*:*:*" + "id": 
"cpe:2.3:a:oracle:retail_predictive_application_server:16.0:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:springsource:spring_framework:*:*:*:*:*:*:*:*", - "vulnerabilityIdMatched": "true", - "versionEndIncluding": "3.2.3" + "id": "cpe:2.3:a:oracle:retail_service_backbone:16.0.1:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:springsource:spring_framework:3.0.0:m4:*:*:*:*:*:*" + "id": "cpe:2.3:a:oracle:retail_xstore_point_of_service:7.1:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:springsource:spring_framework:3.1.2:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:oracle:utilities_network_management_system:1.12.0.3:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:springsource:spring_framework:3.0.4:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:oracle:weblogic_server:12.2.1.3.0:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:springsource:spring_framework:3.1.1:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:vmware:spring_framework:*:*:*:*:*:*:*:*", + "vulnerabilityIdMatched": "true", + "versionEndExcluding": "4.3.18" } }, { "software": { - "id": "cpe:2.3:a:springsource:spring_framework:3.0.5:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:vmware:spring_framework:*:*:*:*:*:*:*:*", + "versionStartIncluding": "5.0.0", + "versionEndExcluding": "5.0.7" } } ] }, { "source": "NVD", - "name": "CVE-2013-7315", + "name": "CVE-2013-4152", "severity": "MEDIUM", "cvssv2": { "score": 6.8, 
@@ -7350,9 +13354,34 @@ "cwes": [ "CWE-264" ], - "description": "The Spring MVC in Spring Framework before 3.2.4 and 4.0.0.M1 through 4.0.0.M2 does not disable external entity resolution for the StAX XMLInputFactory, which allows context-dependent attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML with JAXB, aka an XML External Entity (XXE) issue, and a different vulnerability than CVE-2013-4152. NOTE: this issue was SPLIT from CVE-2013-4152 due to different affected versions.", + "description": "The Spring OXM wrapper in Spring Framework before 3.2.4 and 4.0.0.M1, when using the JAXB marshaller, does not disable entity resolution, which allows context-dependent attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via an XML external entity declaration in conjunction with an entity reference in a (1) DOMSource, (2) StAXSource, (3) SAXSource, or (4) StreamSource, aka an XML External Entity (XXE) issue.", "notes": "", "references": [ + { + "source": "REDHAT", + "url": "http://rhn.redhat.com/errata/RHSA-2014-0212.html", + "name": "RHSA-2014:0212" + }, + { + "source": "SECUNIA", + "url": "http://secunia.com/advisories/57915", + "name": "57915" + }, + { + "source": "BID", + "url": "http://www.securityfocus.com/bid/61951", + "name": "61951" + }, + { + "source": "SECUNIA", + "url": "http://secunia.com/advisories/56247", + "name": "56247" + }, + { + "source": "REDHAT", + "url": "http://rhn.redhat.com/errata/RHSA-2014-0245.html", + "name": "RHSA-2014:0245" + }, { "source": "DEBIAN", "url": "http://www.debian.org/security/2014/dsa-2842", 
@@ -7364,15 +13393,25 @@ "name": "https://jira.springsource.org/browse/SPR-10806" }, { - "source": "BID", - "url": "http://www.securityfocus.com/bid/77998", - "name": "77998" + "source": "CONFIRM", + "url": "https://github.com/spring-projects/spring-framework/pull/317/files", + "name": "https://github.com/spring-projects/spring-framework/pull/317/files" + }, + { + "source": "REDHAT", + "url": "http://rhn.redhat.com/errata/RHSA-2014-0400.html", + "name": "RHSA-2014:0400" }, { "source": "CONFIRM", "url": "http://www.gopivotal.com/security/cve-2013-4152", "name": "http://www.gopivotal.com/security/cve-2013-4152" }, + { + "source": "REDHAT", + "url": "http://rhn.redhat.com/errata/RHSA-2014-0254.html", + "name": "RHSA-2014:0254" + }, { "source": "BUGTRAQ", "url": "http://seclists.org/bugtraq/2013/Aug/154", @@ -7387,32 +13426,32 @@ "vulnerableSoftware": [ { "software": { - "id": "cpe:2.3:a:springsource:spring_framework:3.0.0.m2:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:springsource:spring_framework:3.0.0:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:springsource:spring_framework:3.0.0:rc3:*:*:*:*:*:*" + "id": "cpe:2.3:a:springsource:spring_framework:3.0.0:m1:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:springsource:spring_framework:4.0.0:m1:*:*:*:*:*:*" + "id": "cpe:2.3:a:springsource:spring_framework:3.0.0:m2:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:springsource:spring_framework:3.0.0:rc1:*:*:*:*:*:*" + "id": "cpe:2.3:a:springsource:spring_framework:3.0.0:m3:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:springsource:spring_framework:3.0.2:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:springsource:spring_framework:3.0.0:m4:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:springsource:spring_framework:3.2.2:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:springsource:spring_framework:3.0.0:rc1:*:*:*:*:*:*" } }, { 
@@ -7422,17 +13461,17 @@ }, { "software": { - "id": "cpe:2.3:a:springsource:spring_framework:4.0.0:m2:*:*:*:*:*:*" + "id": "cpe:2.3:a:springsource:spring_framework:3.0.0:rc3:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:springsource:spring_framework:3.0.7:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:springsource:spring_framework:3.0.0.m1:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:springsource:spring_framework:3.0.0:m2:*:*:*:*:*:*" + "id": "cpe:2.3:a:springsource:spring_framework:3.0.0.m2:*:*:*:*:*:*:*" } }, { 
@@ -7442,96 +13481,91 @@ }, { "software": { - "id": "cpe:2.3:a:springsource:spring_framework:3.2.1:*:*:*:*:*:*:*" - } - }, - { - "software": { - "id": "cpe:2.3:a:springsource:spring_framework:3.0.0.m1:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:springsource:spring_framework:3.0.2:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:springsource:spring_framework:3.1.4:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:springsource:spring_framework:3.0.3:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:springsource:spring_framework:3.0.0:m1:*:*:*:*:*:*" + "id": "cpe:2.3:a:springsource:spring_framework:3.0.4:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:springsource:spring_framework:3.0.3:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:springsource:spring_framework:3.0.5:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:springsource:spring_framework:3.1.3:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:vmware:spring_framework:*:*:*:*:*:*:*:*", + "vulnerabilityIdMatched": "true", + "versionEndIncluding": "3.2.3" } }, { "software": { - "id": "cpe:2.3:a:springsource:spring_framework:3.0.0:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:vmware:spring_framework:3.0.6:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:springsource:spring_framework:3.1.0:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:vmware:spring_framework:3.0.7:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:springsource:spring_framework:3.2.0:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:vmware:spring_framework:3.1.0:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:springsource:spring_framework:3.0.0:m3:*:*:*:*:*:*" + "id": "cpe:2.3:a:vmware:spring_framework:3.1.1:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:springsource:spring_framework:3.0.6:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:vmware:spring_framework:3.1.2:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:springsource:spring_framework:*:*:*:*:*:*:*:*", - "vulnerabilityIdMatched": "true", - "versionEndIncluding": "3.2.3" + "id": "cpe:2.3:a:vmware:spring_framework:3.1.3:*:*:*:*:*:*:*" } }, { 
"software": { - "id": "cpe:2.3:a:springsource:spring_framework:3.0.0:m4:*:*:*:*:*:*" + "id": "cpe:2.3:a:vmware:spring_framework:3.1.4:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:springsource:spring_framework:3.1.2:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:vmware:spring_framework:3.2.0:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:springsource:spring_framework:3.0.4:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:vmware:spring_framework:3.2.1:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:springsource:spring_framework:3.1.1:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:vmware:spring_framework:3.2.2:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:springsource:spring_framework:3.0.5:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:vmware:spring_framework:4.0.0:milestone1:*:*:*:*:*:*" } } ] }, { "source": "NVD", - "name": "CVE-2014-0054", + "name": "CVE-2013-7315", "severity": "MEDIUM", "cvssv2": { "score": 6.8, 
@@ -7544,72 +13578,69 @@ "severity": "MEDIUM", "version": "2.0", "exploitabilityScore": "8.6", - "impactScore": "6.4", - "userInteractionRequired": "true" + "impactScore": "6.4" }, "cwes": [ - "CWE-352" + "CWE-264" ], - "description": "The Jaxb2RootElementHttpMessageConverter in Spring MVC in Spring Framework before 3.2.8 and 4.0.0 before 4.0.2 does not disable external entity resolution, which allows remote attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML, aka an XML External Entity (XXE) issue. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-4152, CVE-2013-7315, and CVE-2013-6429.", + "description": "The Spring MVC in Spring Framework before 3.2.4 and 4.0.0.M1 through 4.0.0.M2 does not disable external entity resolution for the StAX XMLInputFactory, which allows context-dependent attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML with JAXB, aka an XML External Entity (XXE) issue, and a different vulnerability than CVE-2013-4152. 
NOTE: this issue was SPLIT from CVE-2013-4152 due to different affected versions.", "notes": "", "references": [ { - "source": "SECUNIA", - "url": "http://secunia.com/advisories/57915", - "name": "57915" + "source": "DEBIAN", + "url": "http://www.debian.org/security/2014/dsa-2842", + "name": "DSA-2842" }, { - "source": "BID", - "url": "http://www.securityfocus.com/bid/66148", - "name": "66148" + "source": "CONFIRM", + "url": "https://jira.springsource.org/browse/SPR-10806", + "name": "https://jira.springsource.org/browse/SPR-10806" }, { - "source": "REDHAT", - "url": "http://rhn.redhat.com/errata/RHSA-2014-0400.html", - "name": "RHSA-2014:0400" + "source": "BID", + "url": "http://www.securityfocus.com/bid/77998", + "name": "77998" }, { "source": "CONFIRM", - "url": "https://jira.spring.io/browse/SPR-11376", - "name": "https://jira.spring.io/browse/SPR-11376" + "url": "http://www.gopivotal.com/security/cve-2013-4152", + "name": "http://www.gopivotal.com/security/cve-2013-4152" }, { - "source": "CONFIRM", - "url": "http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html", - "name": "http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html" + "source": "BUGTRAQ", + "url": "http://seclists.org/bugtraq/2013/Aug/154", + "name": "20130822 CVE-2013-4152 XML External Entity (XXE) injection in Spring Framework" + }, + { + "source": "FULLDISC", + "url": "http://seclists.org/fulldisclosure/2013/Nov/14", + "name": "20131102 XXE Injection in Spring Framework" } ], "vulnerableSoftware": [ { "software": { - "id": "cpe:2.3:a:springsource:spring_framework:*:*:*:*:*:*:*:*", - "vulnerabilityIdMatched": "true", - "versionEndIncluding": "3.2.7" - } - }, - { - "software": { - "id": "cpe:2.3:a:springsource:spring_framework:3.0.0.m2:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:springsource:spring_framework:3.0.0:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:springsource:spring_framework:4.0.1:*:*:*:*:*:*:*" + "id": 
"cpe:2.3:a:springsource:spring_framework:3.0.0:m1:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:springsource:spring_framework:4.0.0:rc1:*:*:*:*:*:*" + "id": "cpe:2.3:a:springsource:spring_framework:3.0.0:m2:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:springsource:spring_framework:3.0.0:rc3:*:*:*:*:*:*" + "id": "cpe:2.3:a:springsource:spring_framework:3.0.0:m3:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:springsource:spring_framework:4.0.0:m1:*:*:*:*:*:*" + "id": "cpe:2.3:a:springsource:spring_framework:3.0.0:m4:*:*:*:*:*:*" } }, { @@ -7617,16 +13648,6 @@ "id": "cpe:2.3:a:springsource:spring_framework:3.0.0:rc1:*:*:*:*:*:*" } }, - { - "software": { - "id": "cpe:2.3:a:springsource:spring_framework:3.0.2:*:*:*:*:*:*:*" - } - }, - { - "software": { - "id": "cpe:2.3:a:springsource:spring_framework:3.2.2:*:*:*:*:*:*:*" - } - }, { "software": { "id": "cpe:2.3:a:springsource:spring_framework:3.0.0:rc2:*:*:*:*:*:*" @@ -7634,17 +13655,17 @@ }, { "software": { - "id": "cpe:2.3:a:springsource:spring_framework:4.0.0:m2:*:*:*:*:*:*" + "id": "cpe:2.3:a:springsource:spring_framework:3.0.0:rc3:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:springsource:spring_framework:3.0.7:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:springsource:spring_framework:3.0.0.m1:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:springsource:spring_framework:3.0.0:m2:*:*:*:*:*:*" + "id": "cpe:2.3:a:springsource:spring_framework:3.0.0.m2:*:*:*:*:*:*:*" } }, { @@ -7654,22 +13675,7 @@ }, { "software": { - "id": "cpe:2.3:a:springsource:spring_framework:3.2.1:*:*:*:*:*:*:*" - } - }, - { - "software": { - "id": "cpe:2.3:a:springsource:spring_framework:3.0.0.m1:*:*:*:*:*:*:*" - } - }, - { - "software": { - "id": "cpe:2.3:a:springsource:spring_framework:3.1.4:*:*:*:*:*:*:*" - } - }, - { - "software": { - "id": "cpe:2.3:a:springsource:spring_framework:3.0.0:m1:*:*:*:*:*:*" + "id": "cpe:2.3:a:springsource:spring_framework:3.0.2:*:*:*:*:*:*:*" } }, { 
@@ -7679,383 +13685,360 @@ }, { "software": { - "id": "cpe:2.3:a:springsource:spring_framework:3.1.3:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:springsource:spring_framework:3.0.4:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:springsource:spring_framework:3.2.3:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:springsource:spring_framework:3.0.5:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:springsource:spring_framework:3.0.0:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:vmware:spring_framework:*:*:*:*:*:*:*:*", + "vulnerabilityIdMatched": "true", + "versionEndIncluding": "3.2.3" } }, { "software": { - "id": "cpe:2.3:a:springsource:spring_framework:3.1.0:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:vmware:spring_framework:3.0.6:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:springsource:spring_framework:3.2.0:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:vmware:spring_framework:3.0.7:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:springsource:spring_framework:3.0.0:m3:*:*:*:*:*:*" + "id": "cpe:2.3:a:vmware:spring_framework:3.1.0:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:springsource:spring_framework:3.0.6:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:vmware:spring_framework:3.1.1:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:springsource:spring_framework:3.2.6:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:vmware:spring_framework:3.1.2:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:springsource:spring_framework:3.0.0:m4:*:*:*:*:*:*" + "id": "cpe:2.3:a:vmware:spring_framework:3.1.3:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:springsource:spring_framework:3.1.2:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:vmware:spring_framework:3.1.4:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:springsource:spring_framework:3.0.4:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:vmware:spring_framework:3.2.0:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:springsource:spring_framework:3.2.5:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:vmware:spring_framework:3.2.1:*:*:*:*:*:*:*" } }, { "software": { - "id": 
"cpe:2.3:a:springsource:spring_framework:3.1.1:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:vmware:spring_framework:3.2.2:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:springsource:spring_framework:3.0.5:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:vmware:spring_framework:4.0.0:milestone1:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:springsource:spring_framework:3.2.4:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:vmware:spring_framework:4.0.0:milestone2:*:*:*:*:*:*" } } ] }, { "source": "NVD", - "name": "CVE-2016-9878", - "severity": "HIGH", + "name": "CVE-2014-0054", + "severity": "MEDIUM", "cvssv2": { - "score": 5.0, + "score": 6.8, "accessVector": "NETWORK", - "accessComplexity": "LOW", + "accessComplexity": "MEDIUM", "authenticationr": "NONE", "confidentialImpact": "PARTIAL", - "integrityImpact": "NONE", - "availabilityImpact": "NONE", - "severity": "MEDIUM", - "version": "2.0", - "exploitabilityScore": "10.0", - "impactScore": "2.9", - "acInsufInfo": "true" - }, - "cvssv3": { - "baseScore": 7.5, - "attackVector": "NETWORK", - "attackComplexity": "LOW", - "privilegesRequired": "NONE", - "userInteraction": "NONE", - "scope": "UNCHANGED", - "confidentialityImpact": "HIGH", - "integrityImpact": "NONE", - "availabilityImpact": "NONE", - "baseSeverity": "HIGH", - "exploitabilityScore": "3.9", - "impactScore": "3.6", - "version": "3.0" + "integrityImpact": "PARTIAL", + "availabilityImpact": "PARTIAL", + "severity": "MEDIUM", + "version": "2.0", + "exploitabilityScore": "8.6", + "impactScore": "6.4", + "userInteractionRequired": "true" }, "cwes": [ - "CWE-22" + "CWE-352" ], - "description": "An issue was discovered in Pivotal Spring Framework before 3.2.18, 4.2.x before 4.2.9, and 4.3.x before 4.3.5. 
Paths provided to the ResourceServlet were not properly sanitized and as a result exposed to directory traversal attacks.", + "description": "The Jaxb2RootElementHttpMessageConverter in Spring MVC in Spring Framework before 3.2.8 and 4.0.0 before 4.0.2 does not disable external entity resolution, which allows remote attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML, aka an XML External Entity (XXE) issue. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-4152, CVE-2013-7315, and CVE-2013-6429.", "notes": "", "references": [ { - "source": "CONFIRM", - "url": "http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html", - "name": "http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html" + "source": "SECUNIA", + "url": "http://secunia.com/advisories/57915", + "name": "57915" }, { "source": "BID", - "url": "http://www.securityfocus.com/bid/95072", - "name": "95072" - }, - { - "source": "MLIST", - "url": "https://lists.debian.org/debian-lts-announce/2019/07/msg00012.html", - "name": "[debian-lts-announce] 20190713 [SECURITY] [DLA 1853-1] libspring-java security update" - }, - { - "source": "CONFIRM", - "url": "https://security.netapp.com/advisory/ntap-20180419-0002/", - "name": "https://security.netapp.com/advisory/ntap-20180419-0002/" - }, - { - "source": "CONFIRM", - "url": "http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html", - "name": "http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html" - }, - { - "source": "SECTRACK", - "url": "http://www.securitytracker.com/id/1040698", - "name": "1040698" + "url": "http://www.securityfocus.com/bid/66148", + "name": "66148" }, { "source": "REDHAT", - "url": "https://access.redhat.com/errata/RHSA-2017:3115", - "name": "RHSA-2017:3115" + "url": "http://rhn.redhat.com/errata/RHSA-2014-0400.html", + "name": "RHSA-2014:0400" }, { "source": "CONFIRM", - "url": 
"https://pivotal.io/security/cve-2016-9878", - "name": "https://pivotal.io/security/cve-2016-9878" + "url": "https://jira.spring.io/browse/SPR-11376", + "name": "https://jira.spring.io/browse/SPR-11376" }, { "source": "CONFIRM", "url": "http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html", "name": "http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html" - }, - { - "source": "MISC", - "url": "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html", - "name": "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html" } ], "vulnerableSoftware": [ { "software": { - "id": "cpe:2.3:a:pivotal_software:spring_framework:3.2.9:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:springsource:spring_framework:3.0.0:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:pivotal_software:spring_framework:4.2.2:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:springsource:spring_framework:3.0.0:m1:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:pivotal_software:spring_framework:4.2.5:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:springsource:spring_framework:3.0.0:m2:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:pivotal_software:spring_framework:4.2.8:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:springsource:spring_framework:3.0.0:m3:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:pivotal_software:spring_framework:3.2.16:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:springsource:spring_framework:3.0.0:m4:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:pivotal_software:spring_framework:3.2.3:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:springsource:spring_framework:3.0.0:rc1:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:pivotal_software:spring_framework:3.2.6:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:springsource:spring_framework:3.0.0:rc2:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:pivotal_software:spring_framework:3.2.13:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:springsource:spring_framework:3.0.0:rc3:*:*:*:*:*:*" } }, { "software": { - "id": 
"cpe:2.3:a:pivotal_software:spring_framework:4.2.3:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:springsource:spring_framework:3.0.0.m1:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:pivotal_software:spring_framework:3.2.5:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:springsource:spring_framework:3.0.0.m2:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:pivotal_software:spring_framework:4.3.0:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:springsource:spring_framework:3.0.1:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:pivotal_software:spring_framework:3.2.4:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:springsource:spring_framework:3.0.2:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:pivotal_software:spring_framework:3.2.15:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:springsource:spring_framework:3.0.3:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:pivotal_software:spring_framework:3.2.17:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:springsource:spring_framework:3.0.4:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:pivotal_software:spring_framework:4.2.7:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:springsource:spring_framework:3.0.5:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:pivotal_software:spring_framework:3.2.14:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:springsource:spring_framework:3.2.5:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:pivotal_software:spring_framework:4.2.1:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:springsource:spring_framework:3.2.6:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:pivotal_software:spring_framework:4.3.1:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:springsource:spring_framework:4.0.0:rc1:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:pivotal_software:spring_framework:4.2.4:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:springsource:spring_framework:4.0.1:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:pivotal_software:spring_framework:4.3.4:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:vmware:spring_framework:*:*:*:*:*:*:*:*", + "vulnerabilityIdMatched": "true", + 
"versionEndIncluding": "3.2.7" } }, { "software": { - "id": "cpe:2.3:a:pivotal_software:spring_framework:3.2.10:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:vmware:spring_framework:3.0.6:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:pivotal_software:spring_framework:4.3.3:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:vmware:spring_framework:3.0.7:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:pivotal_software:spring_framework:3.2.2:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:vmware:spring_framework:3.1.0:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:pivotal_software:spring_framework:3.2.7:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:vmware:spring_framework:3.1.1:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:pivotal_software:spring_framework:*:*:*:*:*:*:*:*", - "vulnerabilityIdMatched": "true", - "versionEndIncluding": "3.2.0" + "id": "cpe:2.3:a:vmware:spring_framework:3.1.2:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:pivotal_software:spring_framework:4.2.0:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:vmware:spring_framework:3.1.3:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:vmware:spring_framework:3.1.4:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:vmware:spring_framework:3.2.0:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:pivotal_software:spring_framework:3.2.12:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:vmware:spring_framework:3.2.1:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:pivotal_software:spring_framework:3.2.8:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:vmware:spring_framework:3.2.2:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:pivotal_software:spring_framework:3.2.11:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:vmware:spring_framework:3.2.3:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:pivotal_software:spring_framework:4.3.2:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:vmware:spring_framework:3.2.4:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:pivotal_software:spring_framework:4.2.6:*:*:*:*:*:*:*" + "id": 
"cpe:2.3:a:vmware:spring_framework:4.0.0:milestone1:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:pivotal_software:spring_framework:3.2.1:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:vmware:spring_framework:4.0.0:milestone2:*:*:*:*:*:*" } } ] }, { "source": "NVD", - "name": "CVE-2018-1270", - "severity": "CRITICAL", + "name": "CVE-2018-1257", + "severity": "MEDIUM", "cvssv2": { - "score": 7.5, + "score": 4.0, "accessVector": "NETWORK", "accessComplexity": "LOW", - "authenticationr": "NONE", - "confidentialImpact": "PARTIAL", - "integrityImpact": "PARTIAL", + "authenticationr": "SINGLE", + "confidentialImpact": "NONE", + "integrityImpact": "NONE", "availabilityImpact": "PARTIAL", - "severity": "HIGH", + "severity": "MEDIUM", "version": "2.0", - "exploitabilityScore": "10.0", - "impactScore": "6.4" + "exploitabilityScore": "8.0", + "impactScore": "2.9" }, "cvssv3": { - "baseScore": 9.8, + "baseScore": 6.5, "attackVector": "NETWORK", "attackComplexity": "LOW", - "privilegesRequired": "NONE", + "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", - "confidentialityImpact": "HIGH", - "integrityImpact": "HIGH", + "confidentialityImpact": "NONE", + "integrityImpact": "NONE", "availabilityImpact": "HIGH", - "baseSeverity": "CRITICAL", - "exploitabilityScore": "3.9", - "impactScore": "5.9", - "version": "3.0" + "baseSeverity": "MEDIUM", + "exploitabilityScore": "2.8", + "impactScore": "3.6", + "version": "3.1" }, "cwes": [ - "CWE-358" + "NVD-CWE-noinfo" ], - "description": "Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, allow applications to expose STOMP over WebSocket endpoints with a simple, in-memory STOMP broker through the spring-messaging module. 
A malicious user (or attacker) can craft a message to the broker that can lead to a remote code execution attack.", + "description": "Spring Framework, versions 5.0.x prior to 5.0.6, versions 4.3.x prior to 4.3.17, and older unsupported versions allows applications to expose STOMP over WebSocket endpoints with a simple, in-memory STOMP broker through the spring-messaging module. A malicious user (or attacker) can craft a message to the broker that can lead to a regular expression, denial of service attack.", "notes": "", "references": [ { - "source": "CONFIRM", - "url": "http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html", - "name": "http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html" + "source": "BID", + "url": "http://www.securityfocus.com/bid/104260", + "name": "104260" }, { - "source": "MLIST", - "url": "https://lists.apache.org/thread.html/dcf8599b80e43a6b60482607adb76c64672772dc2d9209ae2170f369@%3Cissues.activemq.apache.org%3E", - "name": "[activemq-issues] 20190718 [jira] [Updated] (AMQ-7236) SEV-1 Security vulnerability in spring-expression-4.3.11.RELEASE.jar (spring framework) and xstream-1.4.10.jar" + "source": "MISC", + "url": "https://www.oracle.com/security-alerts/cpuoct2021.html", + "name": "https://www.oracle.com/security-alerts/cpuoct2021.html" + }, + { + "source": "MISC", + "url": "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html", + "name": "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html" }, { "source": "MISC", 
@@ -8063,19 +14046,29 @@ "name": "https://www.oracle.com/security-alerts/cpujul2020.html" }, { - "source": "BID", - "url": "http://www.securityfocus.com/bid/103696", - "name": "103696" + "source": "REDHAT", + "url": "https://access.redhat.com/errata/RHSA-2018:1809", + "name": "RHSA-2018:1809" }, { - "source": "MLIST", - "url": "https://lists.apache.org/thread.html/4ed49b103f64a0cecb38064f26cbf1389afc12124653da2d35166dbe@%3Cissues.activemq.apache.org%3E", - "name": "[activemq-issues] 20190703 [jira] [Created] (AMQ-7236) SEV-1 Security vulnerability in spring-expression-4.3.11.RELEASE.jar (spring framework)" + "source": "CONFIRM", + "url": "https://pivotal.io/security/cve-2018-1257", + "name": "https://pivotal.io/security/cve-2018-1257" }, { - "source": "MLIST", - "url": "https://lists.apache.org/thread.html/rf1bbc0ea4a9f014cf94df9a12a6477d24a27f52741dbc87f2fd52ff2@%3Cissues.geode.apache.org%3E", - "name": "[geode-issues] 20200831 [jira] [Created] (GEODE-8471) Dependency security issues in geode-core-1.12" + "source": "CONFIRM", + "url": "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html", + "name": "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html" + }, + { + "source": "CONFIRM", + "url": "https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html", + "name": "https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html" + }, + { + "source": "REDHAT", + "url": "https://access.redhat.com/errata/RHSA-2018:3768", + "name": "RHSA-2018:3768" }, { "source": "MISC", 
@@ -8083,179 +14076,239 @@ "name": "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html" }, { - "source": "MLIST", - "url": "https://lists.apache.org/thread.html/6d3d34adcf3dfc48e36342aa1f18ce3c20bb8e4c458a97508d5bfed1@%3Cissues.activemq.apache.org%3E", - "name": "[activemq-issues] 20190826 [jira] [Created] (AMQ-7288) Security Vulnerabilities in ActiveMQ dependent libraries." + "source": "MISC", + "url": "https://www.oracle.com/security-alerts/cpujan2020.html", + "name": "https://www.oracle.com/security-alerts/cpujan2020.html" + } + ], + "vulnerableSoftware": [ + { + "software": { + "id": "cpe:2.3:a:oracle:agile_product_lifecycle_management:9.3.3:*:*:*:*:*:*:*" + } }, { - "source": "EXPLOIT-DB", - "url": "https://www.exploit-db.com/exploits/44796/", - "name": "44796" + "software": { + "id": "cpe:2.3:a:oracle:agile_product_lifecycle_management:9.3.4:*:*:*:*:*:*:*" + } }, { - "source": "REDHAT", - "url": "https://access.redhat.com/errata/RHSA-2018:2939", - "name": "RHSA-2018:2939" + "software": { + "id": "cpe:2.3:a:oracle:agile_product_lifecycle_management:9.3.5:*:*:*:*:*:*:*" + } }, { - "source": "CONFIRM", - "url": "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html", - "name": "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html" + "software": { + "id": "cpe:2.3:a:oracle:agile_product_lifecycle_management:9.3.6:*:*:*:*:*:*:*" + } }, { - "source": "CONFIRM", - "url": "https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html", - "name": "https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html" + "software": { + "id": "cpe:2.3:a:oracle:application_testing_suite:12.5.0.3:*:*:*:*:*:*:*" + } }, { - "source": "CONFIRM", - "url": "https://pivotal.io/security/cve-2018-1270", - "name": "https://pivotal.io/security/cve-2018-1270" + "software": { + "id": "cpe:2.3:a:oracle:application_testing_suite:13.1.0.1:*:*:*:*:*:*:*" + } }, { - "source": "MLIST", - "url": 
"https://lists.apache.org/thread.html/ab825fcade0b49becfa30235b3d54f4a51bb74ea96b6c9adb5d1378c@%3Cissues.activemq.apache.org%3E", - "name": "[activemq-issues] 20190703 [jira] [Updated] (AMQ-7236) SEV-1 Security vulnerability in spring-expression-4.3.11.RELEASE.jar (spring framework) and xstream-1.4.10.jar" - } - ], - "vulnerableSoftware": [ + "software": { + "id": "cpe:2.3:a:oracle:application_testing_suite:13.2.0.1:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:application_testing_suite:13.3.0.1:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:big_data_discovery:1.6.0:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:communications_converged_application_server:*:*:*:*:*:*:*:*", + "versionEndExcluding": "7.0.0.1" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:communications_diameter_signaling_router:*:*:*:*:*:*:*:*", + "versionEndExcluding": "8.3" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:communications_performance_intelligence_center:*:*:*:*:*:*:*:*", + "versionEndExcluding": "10.2.1" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:communications_services_gatekeeper:*:*:*:*:*:*:*:*", + "versionEndExcluding": "6.1.0.4.0" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:communications_unified_inventory_management:7.3.2:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:communications_unified_inventory_management:7.3.4:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:communications_unified_inventory_management:7.3.5:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:communications_unified_inventory_management:7.4.0:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:endeca_information_discovery_integrator:3.1.0:*:*:*:*:*:*:*" + } + }, { "software": { - "id": "cpe:2.3:a:oracle:retail_integration_bus:15.0.1:*:*:*:*:*:*:*" + "id": 
"cpe:2.3:a:oracle:endeca_information_discovery_integrator:3.2.0:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:oracle:retail_order_broker:5.1:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:oracle:enterprise_manager_base_platform:12.1.0.5.0:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:oracle:insurance_calculation_engine:10.2:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:oracle:enterprise_manager_base_platform:13.2.0.0.0:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:oracle:retail_order_broker:15.0:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:oracle:enterprise_manager_base_platform:13.3.0.0.0:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:oracle:retail_central_office:14.1:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:oracle:enterprise_manager_for_mysql_database:13.2:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:oracle:insurance_rules_palette:10.2:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:oracle:enterprise_manager_ops_center:12.3.3:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:oracle:healthcare_master_person_index:3.0:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:oracle:flexcube_private_banking:2.0.0.0:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:oracle:retail_predictive_application_server:16.0:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:oracle:flexcube_private_banking:2.2.0.1:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:oracle:retail_predictive_application_server:14.0:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:oracle:flexcube_private_banking:12.0.1.0:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:oracle:goldengate_for_big_data:12.2.0.1:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:oracle:flexcube_private_banking:12.0.3.0:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:oracle:retail_open_commerce_platform:6.0.1:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:oracle:flexcube_private_banking:12.1.0.0:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:oracle:retail_integration_bus:14.1.1:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:oracle:goldengate_for_big_data:12.2.0.1:*:*:*:*:*:*:*" } }, { 
"software": { - "id": "cpe:2.3:a:oracle:retail_point-of-sale:14.1:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:oracle:goldengate_for_big_data:12.3.1.1:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:oracle:retail_integration_bus:16.0:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:oracle:goldengate_for_big_data:12.3.2.1:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:pivotal_software:spring_framework:*:*:*:*:*:*:*:*", - "versionStartIncluding": "5.0", - "versionEndExcluding": "5.0.5" + "id": "cpe:2.3:a:oracle:health_sciences_information_manager:3.0:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:oracle:insurance_rules_palette:11.0:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:oracle:healthcare_master_person_index:3.0:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:oracle:retail_returns_management:14.1:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:oracle:healthcare_master_person_index:4.0:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:oracle:goldengate_for_big_data:12.3.1.1:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:oracle:hospitality_guest_access:4.2.0:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:pivotal_software:spring_framework:*:*:*:*:*:*:*:*", - "vulnerabilityIdMatched": "true", - "versionEndIncluding": "4.2.9" + "id": "cpe:2.3:a:oracle:hospitality_guest_access:4.2.1:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:oracle:retail_open_commerce_platform:6.0.0:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:oracle:insurance_calculation_engine:10.1.1:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:oracle:retail_integration_bus:14.0.3:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:oracle:insurance_calculation_engine:10.2:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:oracle:health_sciences_information_manager:3.0:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:oracle:insurance_calculation_engine:10.2.1:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:oracle:retail_predictive_application_server:14.1:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:oracle:insurance_rules_palette:10.0:*:*:*:*:*:*:*" } }, { 
"software": { - "id": "cpe:2.3:a:oracle:insurance_rules_palette:11.1:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:oracle:insurance_rules_palette:10.1:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:oracle:retail_integration_bus:15.0.2:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:oracle:insurance_rules_palette:10.2:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:oracle:retail_open_commerce_platform:5.3.0:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:oracle:insurance_rules_palette:11.0:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:oracle:retail_integration_bus:14.0.1:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:oracle:insurance_rules_palette:11.1:*:*:*:*:*:*:*" } }, { 
@@ -8265,624 +14318,927 @@ }, { "software": { - "id": "cpe:2.3:a:oracle:enterprise_manager_ops_center:12.2.2:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:oracle:primavera_gateway:16.2:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:oracle:application_testing_suite:12.5.0.3:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:oracle:primavera_gateway:17.12:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:oracle:retail_integration_bus:14.0.2:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:oracle:retail_customer_insights:15.0:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:oracle:service_architecture_leveraging_tuxedo:12.2.2.0.0:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:oracle:retail_customer_insights:16.0:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:oracle:service_architecture_leveraging_tuxedo:12.1.3.0.0:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:oracle:retail_open_commerce_platform:5.3.0:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:oracle:retail_order_broker:16.0:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:oracle:retail_open_commerce_platform:6.0.0:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:oracle:retail_point-of-sale:14.0:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:oracle:retail_open_commerce_platform:6.0.1:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:oracle:retail_integration_bus:15.0.0.1:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:oracle:retail_order_broker:5.1:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:oracle:healthcare_master_person_index:4.0:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:oracle:retail_order_broker:5.2:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:oracle:retail_predictive_application_server:15.0:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:oracle:retail_order_broker:15.0:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:oracle:retail_integration_bus:14.0.4:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:oracle:retail_order_broker:16.0:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:oracle:communications_services_gatekeeper:*:*:*:*:*:*:*:*", - "versionEndExcluding": "6.1.0.4.0" 
+ "id": "cpe:2.3:a:oracle:retail_predictive_application_server:14.0:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:oracle:primavera_gateway:16.2:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:oracle:retail_predictive_application_server:14.1:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:oracle:retail_order_broker:5.2:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:oracle:retail_predictive_application_server:15.0:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:oracle:retail_integration_bus:16.0.1:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:oracle:retail_predictive_application_server:16.0:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:oracle:retail_customer_insights:16.0:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:oracle:service_architecture_leveraging_tuxedo:12.1.3.0.0:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:oracle:retail_integration_bus:14.1.2:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:oracle:service_architecture_leveraging_tuxedo:12.2.2.0.0:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:oracle:enterprise_manager_ops_center:12.3.3:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:oracle:tape_library_acsls:8.4:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:pivotal_software:spring_framework:*:*:*:*:*:*:*:*", - "versionStartIncluding": "4.3.0", - "versionEndIncluding": "4.3.15" + "id": "cpe:2.3:a:oracle:utilities_network_management_system:1.12.0.3:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:oracle:communications_diameter_signaling_router:*:*:*:*:*:*:*:*", - "versionEndExcluding": "8.3" + "id": "cpe:2.3:a:oracle:weblogic_server:10.3.6.0.0:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:oracle:retail_integration_bus:16.0.2:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:oracle:weblogic_server:12.1.3.0.0:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:oracle:insurance_calculation_engine:10.1.1:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:oracle:weblogic_server:12.2.1.3.0:*:*:*:*:*:*:*" } }, { "software": { - "id": 
"cpe:2.3:a:oracle:insurance_calculation_engine:10.2.1:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:redhat:openshift:-:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:oracle:application_testing_suite:13.2.0.1:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:vmware:spring_framework:*:*:*:*:*:*:*:*", + "vulnerabilityIdMatched": "true", + "versionEndExcluding": "4.3.17" } }, { "software": { - "id": "cpe:2.3:a:oracle:retail_integration_bus:14.1.3:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:vmware:spring_framework:*:*:*:*:*:*:*:*", + "versionStartIncluding": "5.0.0", + "versionEndExcluding": "5.0.6" } + } + ] + }, + { + "source": "NVD", + "name": "CVE-2020-5421", + "severity": "MEDIUM", + "cvssv2": { + "score": 3.6, + "accessVector": "NETWORK", + "accessComplexity": "HIGH", + "authenticationr": "SINGLE", + "confidentialImpact": "PARTIAL", + "integrityImpact": "PARTIAL", + "availabilityImpact": "NONE", + "severity": "LOW", + "version": "2.0", + "exploitabilityScore": "3.9", + "impactScore": "4.9", + "userInteractionRequired": "true" + }, + "cvssv3": { + "baseScore": 6.5, + "attackVector": "NETWORK", + "attackComplexity": "HIGH", + "privilegesRequired": "LOW", + "userInteraction": "REQUIRED", + "scope": "CHANGED", + "confidentialityImpact": "LOW", + "integrityImpact": "HIGH", + "availabilityImpact": "NONE", + "baseSeverity": "MEDIUM", + "exploitabilityScore": "1.3", + "impactScore": "4.7", + "version": "3.1" + }, + "cwes": [ + "NVD-CWE-noinfo" + ], + "description": "In Spring Framework versions 5.2.0 - 5.2.8, 5.1.0 - 5.1.17, 5.0.0 - 5.0.18, 4.3.0 - 4.3.28, and older unsupported versions, the protections against RFD attacks from CVE-2015-5211 may be bypassed depending on the browser used through the use of a jsessionid path parameter.", + "notes": "", + "references": [ + { + "source": "MLIST", + "url": "https://lists.apache.org/thread.html/r3589ed0d18edeb79028615080d5a0e8878856436bb91774a3196d9eb@%3Ccommits.pulsar.apache.org%3E", + "name": "[pulsar-commits] 20201026 [GitHub] [pulsar] wolfstudy 
commented on pull request #8355: [Issue 8354][pulsar-io] Upgrade spring framework version to patch CVE-2020-5421" }, { - "software": { - "id": "cpe:2.3:a:oracle:primavera_gateway:17.12:*:*:*:*:*:*:*" - } + "source": "MISC", + "url": "https://www.oracle.com/security-alerts/cpuapr2022.html", + "name": "https://www.oracle.com/security-alerts/cpuapr2022.html" + }, + { + "source": "MLIST", + "url": "https://lists.apache.org/thread.html/r503e64b43a57fd68229cac4a869d1a9a2eac9e75f8719cad3a840211@%3Ccommits.pulsar.apache.org%3E", + "name": "[pulsar-commits] 20201022 [GitHub] [pulsar] Ghatage opened a new pull request #8355: [Issue 8354][pulsar-io] Upgrade spring framework version to patch CVE-2020-5421" + }, + { + "source": "MLIST", + "url": "https://lists.apache.org/thread.html/rd462a8b0dfab4c15e67c0672cd3c211ecd0e4f018f824082ed54f665@%3Cissues.hive.apache.org%3E", + "name": "[hive-issues] 20210107 [jira] [Resolved] (HIVE-24303) Upgrade spring framework to 4.3.29.RELEASE+ due to CVE-2020-5421" + }, + { + "source": "MISC", + "url": "https://www.oracle.com/security-alerts/cpujan2022.html", + "name": "https://www.oracle.com/security-alerts/cpujan2022.html" + }, + { + "source": "CONFIRM", + "url": "https://security.netapp.com/advisory/ntap-20210513-0009/", + "name": "https://security.netapp.com/advisory/ntap-20210513-0009/" + }, + { + "source": "MLIST", + "url": "https://lists.apache.org/thread.html/rc9efaf6db98bee19db1bc911d0fa442287dac5cb229d4aaa08b6a13d@%3Cissues.hive.apache.org%3E", + "name": "[hive-issues] 20201022 [jira] [Assigned] (HIVE-24303) Upgrade spring framework to 4.3.29.RELEASE+ due to CVE-2020-5421" + }, + { + "source": "MLIST", + "url": "https://lists.apache.org/thread.html/r918caad55dcc640a16753b00d8d6acb90b4e36de4b6156d0867246ec@%3Ccommits.pulsar.apache.org%3E", + "name": "[pulsar-commits] 20201023 [GitHub] [pulsar] Ghatage commented on pull request #8355: [Issue 8354][pulsar-io] Upgrade spring framework version to patch CVE-2020-5421" + }, + { + "source": 
"MLIST", + "url": "https://lists.apache.org/thread.html/r1c679c43fa4f7846d748a937955c7921436d1b315445978254442163@%3Ccommits.ambari.apache.org%3E", + "name": "[ambari-commits] 20201019 [ambari] branch branch-2.7 updated: AMBARI-25571. Vulnerable Spring components in Ambari - CVE-2020-5398, CVE-2020-5421 (dlysnichenko) (#3246)" + }, + { + "source": "MLIST", + "url": "https://lists.apache.org/thread.html/r7e6a213eea7f04fc6d9e3bd6eb8d68c4df92a22e956e95cb2c482865@%3Cissues.hive.apache.org%3E", + "name": "[hive-issues] 20201022 [jira] [Updated] (HIVE-24303) Upgrade spring framework to 4.3.29.RELEASE+ due to CVE-2020-5421" + }, + { + "source": "MLIST", + "url": "https://lists.apache.org/thread.html/r1eccdbd7986618a7319ee7a533bd9d9bf6e8678e59dd4cca9b5b2d7a@%3Cissues.ambari.apache.org%3E", + "name": "[ambari-issues] 20201013 [jira] [Created] (AMBARI-25571) Vulnerable Spring components in Ambari - CVE-2020-5398, CVE-2020-5421" + }, + { + "source": "MISC", + "url": "https://www.oracle.com/security-alerts/cpujan2021.html", + "name": "https://www.oracle.com/security-alerts/cpujan2021.html" + }, + { + "source": "MLIST", + "url": "https://lists.apache.org/thread.html/ra889d95141059c6cbe77dd80249bb488ae53b274b5f3abad09d9511d@%3Cuser.ignite.apache.org%3E", + "name": "[ignite-user] 20201119 Re: Query on CVE-2020-5421" + }, + { + "source": "MISC", + "url": "https://www.oracle.com/security-alerts/cpuoct2021.html", + "name": "https://www.oracle.com/security-alerts/cpuoct2021.html" + }, + { + "source": "MLIST", + "url": "https://lists.apache.org/thread.html/r8b496b1743d128e6861ee0ed3c3c48cc56c505b38f84fa5baf7ae33a@%3Cdev.ambari.apache.org%3E", + "name": "[ambari-dev] 20201019 [GitHub] [ambari] dlysnichenko merged pull request #3246: AMBARI-25571. 
Vulnerable Spring components in Ambari - CVE-2020-5398, CVE-2020-5421" + }, + { + "source": "MLIST", + "url": "https://lists.apache.org/thread.html/raf7ca57033e537e4f9d7df7f192fa6968c1e49409b2348e08d807ccb@%3Cuser.ignite.apache.org%3E", + "name": "[ignite-user] 20201117 Query on CVE-2020-5421" + }, + { + "source": "MISC", + "url": "https://www.oracle.com/security-alerts/cpuApr2021.html", + "name": "https://www.oracle.com/security-alerts/cpuApr2021.html" + }, + { + "source": "MLIST", + "url": "https://lists.apache.org/thread.html/r9f13cccb214495e14648d2c9b8f2c6072fd5219e74502dd35ede81e1@%3Cdev.ambari.apache.org%3E", + "name": "[ambari-dev] 20201019 [GitHub] [ambari] dlysnichenko opened a new pull request #3246: AMBARI-25571. Vulnerable Spring components in Ambari - CVE-2020-5398, CVE-2020-5421" + }, + { + "source": "MLIST", + "url": "https://lists.apache.org/thread.html/re014a49d77f038ba70e5e9934d400af6653e8c9ac110d32b1254127e@%3Cdev.ranger.apache.org%3E", + "name": "[ranger-dev] 20201007 Re: Review Request 72934: RANGER-3022: Upgrade Spring framework to version 4.3.29.RELEASE" + }, + { + "source": "MLIST", + "url": "https://lists.apache.org/thread.html/r5c95eff679dfc642e9e4ab5ac6d202248a59cb1e9457cfbe8b729ac5@%3Cissues.ambari.apache.org%3E", + "name": "[ambari-issues] 20201021 [jira] [Resolved] (AMBARI-25571) Vulnerable Spring components in Ambari - CVE-2020-5398, CVE-2020-5421" + }, + { + "source": "CONFIRM", + "url": "https://tanzu.vmware.com/security/cve-2020-5421", + "name": "https://tanzu.vmware.com/security/cve-2020-5421" + }, + { + "source": "MLIST", + "url": "https://lists.apache.org/thread.html/rb18ed999153ef0f0cb7af03efe0046c42c7242fd77fbd884a75ecfdc@%3Ccommits.pulsar.apache.org%3E", + "name": "[pulsar-commits] 20201028 [GitHub] [pulsar] merlimat merged pull request #8355: [Issue 8354][pulsar-io] Upgrade spring framework version to patch CVE-2020-5421" + }, + { + "source": "N/A", + "url": "https://www.oracle.com//security-alerts/cpujul2021.html", + 
"name": "N/A" }, + { + "source": "MLIST", + "url": "https://lists.apache.org/thread.html/rf00d8f4101a1c1ea4de6ea1e09ddf7472cfd306745c90d6da87ae074@%3Cdev.hive.apache.org%3E", + "name": "[hive-dev] 20201022 [jira] [Created] (HIVE-24303) Upgrade spring framework to 4.3.29.RELEASE+ due to CVE-2020-5421" + } + ], + "vulnerableSoftware": [ { "software": { - "id": "cpe:2.3:a:oracle:retail_returns_management:14.0:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:netapp:oncommand_insight:-:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:oracle:insurance_rules_palette:10.1:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:netapp:snap_creator_framework:-:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:oracle:application_testing_suite:13.1.0.1:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:netapp:snapcenter:-:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:oracle:communications_converged_application_server:*:*:*:*:*:*:*:*", - "versionEndExcluding": "7.0.0.1" + "id": "cpe:2.3:a:oracle:commerce_guided_search:11.3.2:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:oracle:application_testing_suite:13.3.0.1:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:oracle:communications_brm:11.3.0.9:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:oracle:retail_back_office:14.1:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:oracle:communications_brm:12.0.0.3:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:oracle:retail_customer_insights:15.0:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:oracle:communications_design_studio:7.3.4:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:oracle:retail_central_office:14.0:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:oracle:communications_design_studio:7.3.5:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:oracle:tape_library_acsls:8.4:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:oracle:communications_design_studio:7.4.0:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:oracle:communications_performance_intelligence_center:*:*:*:*:*:*:*:*", - "versionEndExcluding": "10.2.1" + "id": 
"cpe:2.3:a:oracle:communications_session_report_manager:*:*:*:*:*:*:*:*", + "versionStartIncluding": "8.2.1", + "versionEndIncluding": "8.2.2.1" } }, { "software": { - "id": "cpe:2.3:a:oracle:retail_back_office:14.0:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:oracle:communications_unified_inventory_management:7.3.4:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:oracle:big_data_discovery:1.6.0:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:oracle:communications_unified_inventory_management:7.3.5:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:oracle:goldengate_for_big_data:12.3.2.1:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:oracle:endeca_information_discovery_integrator:3.2.0:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:oracle:insurance_rules_palette:10.0:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:oracle:enterprise_data_quality:12.2.1.3.0:*:*:*:*:*:*:*" } - } - ] - }, - { - "source": "NVD", - "name": "CVE-2018-1271", - "severity": "MEDIUM", - "cvssv2": { - "score": 4.3, - "accessVector": "NETWORK", - "accessComplexity": "MEDIUM", - "authenticationr": "NONE", - "confidentialImpact": "PARTIAL", - "integrityImpact": "NONE", - "availabilityImpact": "NONE", - "severity": "MEDIUM", - "version": "2.0", - "exploitabilityScore": "8.6", - "impactScore": "2.9" - }, - "cvssv3": { - "baseScore": 5.9, - "attackVector": "NETWORK", - "attackComplexity": "HIGH", - "privilegesRequired": "NONE", - "userInteraction": "NONE", - "scope": "UNCHANGED", - "confidentialityImpact": "HIGH", - "integrityImpact": "NONE", - "availabilityImpact": "NONE", - "baseSeverity": "MEDIUM", - "exploitabilityScore": "2.2", - "impactScore": "3.6", - "version": "3.0" - }, - "cwes": [ - "CWE-22" - ], - "description": "Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, allow applications to configure Spring MVC to serve static resources (e.g. CSS, JS, images). 
When static resources are served from a file system on Windows (as opposed to the classpath, or the ServletContext), a malicious user can send a request using a specially crafted URL that can lead a directory traversal attack.", - "notes": "", - "references": [ + }, { - "source": "REDHAT", - "url": "https://access.redhat.com/errata/RHSA-2018:1320", - "name": "RHSA-2018:1320" + "software": { + "id": "cpe:2.3:a:oracle:enterprise_data_quality:12.2.1.4.0:*:*:*:*:*:*:*" + } }, { - "source": "REDHAT", - "url": "https://access.redhat.com/errata/RHSA-2018:2939", - "name": "RHSA-2018:2939" + "software": { + "id": "cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:*:*:*:*:*:*:*:*", + "versionStartIncluding": "8.0.6", + "versionEndIncluding": "8.1.0" + } }, { - "source": "CONFIRM", - "url": "http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html", - "name": "http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html" + "software": { + "id": "cpe:2.3:a:oracle:flexcube_private_banking:12.0.0:*:*:*:*:*:*:*" + } }, { - "source": "MISC", - "url": "https://www.oracle.com/security-alerts/cpujul2020.html", - "name": "https://www.oracle.com/security-alerts/cpujul2020.html" + "software": { + "id": "cpe:2.3:a:oracle:flexcube_private_banking:12.1.0:*:*:*:*:*:*:*" + } }, { - "source": "CONFIRM", - "url": "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html", - "name": "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html" + "software": { + "id": "cpe:2.3:a:oracle:fusion_middleware:12.2.1.3.0:*:*:*:*:*:*:*" + } }, { - "source": "REDHAT", - "url": "https://access.redhat.com/errata/RHSA-2018:2669", - "name": "RHSA-2018:2669" + "software": { + "id": "cpe:2.3:a:oracle:fusion_middleware:12.2.1.4.0:*:*:*:*:*:*:*" + } }, { - "source": "CONFIRM", - "url": "https://pivotal.io/security/cve-2018-1271", - "name": "https://pivotal.io/security/cve-2018-1271" + "software": { + "id": 
"cpe:2.3:a:oracle:goldengate_application_adapters:19.1.0.0.0:*:*:*:*:*:*:*" + } }, { - "source": "CONFIRM", - "url": "https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html", - "name": "https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html" + "software": { + "id": "cpe:2.3:a:oracle:healthcare_master_person_index:4.0.2.5:*:*:*:*:*:*:*" + } }, { - "source": "MISC", - "url": "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html", - "name": "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html" + "software": { + "id": "cpe:2.3:a:oracle:hyperion_infrastructure_technology:11.1.2.4:*:*:*:*:*:*:*" + } }, { - "source": "BID", - "url": "http://www.securityfocus.com/bid/103699", - "name": "103699" - } - ], - "vulnerableSoftware": [ + "software": { + "id": "cpe:2.3:a:oracle:insurance_policy_administration:*:*:*:*:*:*:*:*", + "versionStartIncluding": "11.1.0", + "versionEndIncluding": "11.3.0" + } + }, { "software": { - "id": "cpe:2.3:a:oracle:retail_integration_bus:15.0.1:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:oracle:insurance_policy_administration:10.2:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:oracle:retail_order_broker:5.1:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:oracle:insurance_policy_administration:10.2.4:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:oracle:insurance_calculation_engine:10.2:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:oracle:insurance_policy_administration:11.0.2:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:oracle:retail_order_broker:15.0:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:oracle:insurance_rules_palette:*:*:*:*:*:*:*:*", + "versionStartIncluding": "11.1.0", + "versionEndIncluding": "11.3.0" } }, { "software": { - "id": "cpe:2.3:a:oracle:retail_central_office:14.1:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:oracle:insurance_rules_palette:10.2.0:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:oracle:insurance_rules_palette:10.2:*:*:*:*:*:*:*" + "id": 
"cpe:2.3:a:oracle:insurance_rules_palette:10.2.4:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:oracle:healthcare_master_person_index:3.0:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:oracle:insurance_rules_palette:11.0.2:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:oracle:retail_predictive_application_server:16.0:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:oracle:mysql_enterprise_monitor:*:*:*:*:*:*:*:*", + "versionEndIncluding": "8.0.22" } }, { "software": { - "id": "cpe:2.3:a:oracle:retail_predictive_application_server:14.0:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:oracle:mysql_enterprise_monitor:8.0.23:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:oracle:goldengate_for_big_data:12.2.0.1:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:*", + "versionStartIncluding": "16.2.0", + "versionEndIncluding": "16.2.11" } }, { "software": { - "id": "cpe:2.3:a:oracle:retail_open_commerce_platform:6.0.1:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:*", + "versionStartIncluding": "17.12.0", + "versionEndIncluding": "17.12.9" } }, { "software": { - "id": "cpe:2.3:a:oracle:retail_integration_bus:14.1.1:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:*", + "versionStartIncluding": "18.8.0", + "versionEndIncluding": "18.8.10" } }, { "software": { - "id": "cpe:2.3:a:oracle:retail_point-of-sale:14.1:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:*", + "versionStartIncluding": "19.12.0", + "versionEndIncluding": "19.12.10" } }, { "software": { - "id": "cpe:2.3:a:oracle:retail_integration_bus:16.0:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:*:*:*:*:*:*:*:*", + "versionStartIncluding": "16.1.0", + "versionEndIncluding": "16.2.20" } }, { "software": { - "id": "cpe:2.3:a:pivotal_software:spring_framework:*:*:*:*:*:*:*:*", - "versionStartIncluding": "5.0", - "versionEndExcluding": "5.0.5" + "id": 
"cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:*:*:*:*:*:*:*:*", + "versionStartIncluding": "17.1.0", + "versionEndIncluding": "17.12.19" } }, { "software": { - "id": "cpe:2.3:a:oracle:insurance_rules_palette:11.0:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:*:*:*:*:*:*:*:*", + "versionStartIncluding": "18.1.0", + "versionEndIncluding": "18.8.21" } }, { "software": { - "id": "cpe:2.3:a:oracle:retail_returns_management:14.1:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:*:*:*:*:*:*:*:*", + "versionStartIncluding": "19.12.0", + "versionEndIncluding": "19.12.10" } }, { "software": { - "id": "cpe:2.3:a:oracle:goldengate_for_big_data:12.3.1.1:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:oracle:retail_assortment_planning:16.0.3.0:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:pivotal_software:spring_framework:*:*:*:*:*:*:*:*", - "vulnerabilityIdMatched": "true", - "versionEndIncluding": "4.2.9" + "id": "cpe:2.3:a:oracle:retail_bulk_data_integration:16.0.3.0:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:oracle:retail_open_commerce_platform:6.0.0:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:oracle:retail_customer_engagement:*:*:*:*:*:*:*:*", + "versionStartIncluding": "16.0", + "versionEndIncluding": "19.0" } }, { "software": { - "id": "cpe:2.3:a:oracle:retail_integration_bus:14.0.3:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:oracle:retail_customer_management_and_segmentation_foundation:*:*:*:*:*:*:*:*", + "versionStartIncluding": "16.0", + "versionEndIncluding": "19.0" } }, { "software": { - "id": "cpe:2.3:a:oracle:health_sciences_information_manager:3.0:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:oracle:retail_financial_integration:14.1.3:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:oracle:retail_predictive_application_server:14.1:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:oracle:retail_financial_integration:15.0.3:*:*:*:*:*:*:*" } }, { "software": { - "id": 
"cpe:2.3:a:oracle:insurance_rules_palette:11.1:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:oracle:retail_financial_integration:16.0.3:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:oracle:retail_integration_bus:15.0.2:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:oracle:retail_integration_bus:14.1.3:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:oracle:retail_open_commerce_platform:5.3.0:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:oracle:retail_integration_bus:15.0.3:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:pivotal_software:spring_framework:*:*:*:*:*:*:*:*", - "versionStartIncluding": "4.3.0", - "versionEndExcluding": "4.3.15" + "id": "cpe:2.3:a:oracle:retail_integration_bus:16.0.3:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:oracle:retail_integration_bus:14.0.1:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:oracle:retail_invoice_matching:14.0:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:oracle:primavera_gateway:15.2:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:oracle:retail_invoice_matching:14.1:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:oracle:enterprise_manager_ops_center:12.2.2:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:oracle:retail_merchandising_system:16.0.3:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:oracle:application_testing_suite:12.5.0.3:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:oracle:retail_order_broker:15.0:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:oracle:retail_integration_bus:14.0.2:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:oracle:retail_order_broker:16.0:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:oracle:service_architecture_leveraging_tuxedo:12.2.2.0.0:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:oracle:retail_predictive_application_server:14.1:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:oracle:service_architecture_leveraging_tuxedo:12.1.3.0.0:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:oracle:retail_returns_management:14.1:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:oracle:retail_order_broker:16.0:*:*:*:*:*:*:*" + "id": 
"cpe:2.3:a:oracle:retail_service_backbone:14.1.3:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:oracle:retail_point-of-sale:14.0:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:oracle:retail_service_backbone:15.0.3:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:oracle:retail_integration_bus:15.0.0.1:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:oracle:retail_service_backbone:16.0.3:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:oracle:healthcare_master_person_index:4.0:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:oracle:retail_xstore_point_of_service:15.0.4:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:oracle:retail_predictive_application_server:15.0:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:oracle:retail_xstore_point_of_service:16.0.6:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:oracle:retail_integration_bus:14.0.4:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:oracle:retail_xstore_point_of_service:17.0.4:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:oracle:communications_services_gatekeeper:*:*:*:*:*:*:*:*", - "versionEndExcluding": "6.1.0.4.0" + "id": "cpe:2.3:a:oracle:retail_xstore_point_of_service:18.0.3:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:oracle:primavera_gateway:16.2:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:oracle:retail_xstore_point_of_service:19.0.2:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:oracle:retail_order_broker:5.2:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:oracle:storagetek_acsls:8.5.1:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:oracle:retail_integration_bus:16.0.1:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:oracle:storagetek_tape_analytics_sw_tool:2.3:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:oracle:retail_customer_insights:16.0:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:oracle:weblogic_server:10.3.6.0.0:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:oracle:retail_integration_bus:14.1.2:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:oracle:weblogic_server:12.1.3.0.0:*:*:*:*:*:*:*" } }, { "software": { - "id": 
"cpe:2.3:a:oracle:enterprise_manager_ops_center:12.3.3:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:oracle:weblogic_server:12.2.1.3.0:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:oracle:communications_diameter_signaling_router:*:*:*:*:*:*:*:*", - "versionEndExcluding": "8.3" + "id": "cpe:2.3:a:oracle:weblogic_server:12.2.1.4.0:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:oracle:retail_integration_bus:16.0.2:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:oracle:weblogic_server:14.1.1.0.0:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:oracle:insurance_calculation_engine:10.1.1:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:vmware:spring_framework:*:*:*:*:*:*:*:*", + "vulnerabilityIdMatched": "true", + "versionEndExcluding": "4.3.29" } }, { "software": { - "id": "cpe:2.3:a:oracle:insurance_calculation_engine:10.2.1:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:vmware:spring_framework:*:*:*:*:*:*:*:*", + "versionStartIncluding": "5.0.0", + "versionEndExcluding": "5.0.19" } }, { "software": { - "id": "cpe:2.3:a:oracle:application_testing_suite:13.2.0.1:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:vmware:spring_framework:*:*:*:*:*:*:*:*", + "versionStartIncluding": "5.1.0", + "versionEndExcluding": "5.1.18" } }, { "software": { - "id": "cpe:2.3:a:oracle:retail_integration_bus:14.1.3:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:vmware:spring_framework:*:*:*:*:*:*:*:*", + "versionStartIncluding": "5.2.0", + "versionEndExcluding": "5.2.9" + } + } + ] + }, + { + "source": "NVD", + "name": "CVE-2022-22950", + "severity": "MEDIUM", + "cvssv2": { + "score": 4.0, + "accessVector": "NETWORK", + "accessComplexity": "LOW", + "authenticationr": "SINGLE", + "confidentialImpact": "NONE", + "integrityImpact": "NONE", + "availabilityImpact": "PARTIAL", + "severity": "MEDIUM", + "version": "2.0", + "exploitabilityScore": "8.0", + "impactScore": "2.9" + }, + "cvssv3": { + "baseScore": 6.5, + "attackVector": "NETWORK", + "attackComplexity": "LOW", + "privilegesRequired": "LOW", + "userInteraction": "NONE", + "scope": "UNCHANGED", + 
"confidentialityImpact": "NONE", + "integrityImpact": "NONE", + "availabilityImpact": "HIGH", + "baseSeverity": "MEDIUM", + "exploitabilityScore": "2.8", + "impactScore": "3.6", + "version": "3.1" + }, + "cwes": [ + "CWE-770" + ], + "description": "n Spring Framework versions 5.3.0 - 5.3.16 and older unsupported versions, it is possible for a user to provide a specially crafted SpEL expression that may cause a denial of service condition.", + "notes": "", + "references": [ + { + "source": "MISC", + "url": "https://tanzu.vmware.com/security/cve-2022-22950", + "name": "https://tanzu.vmware.com/security/cve-2022-22950" + } + ], + "vulnerableSoftware": [ + { + "software": { + "id": "cpe:2.3:a:vmware:spring_framework:*:*:*:*:*:*:*:*", + "vulnerabilityIdMatched": "true", + "versionEndExcluding": "5.2.20" } }, { "software": { - "id": "cpe:2.3:a:oracle:primavera_gateway:17.12:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:vmware:spring_framework:*:*:*:*:*:*:*:*", + "versionStartIncluding": "5.3.0", + "versionEndExcluding": "5.3.17" + } + } + ] + }, + { + "source": "NVD", + "name": "CVE-2018-11039", + "severity": "MEDIUM", + "cvssv2": { + "score": 4.3, + "accessVector": "NETWORK", + "accessComplexity": "MEDIUM", + "authenticationr": "NONE", + "confidentialImpact": "PARTIAL", + "integrityImpact": "NONE", + "availabilityImpact": "NONE", + "severity": "MEDIUM", + "version": "2.0", + "exploitabilityScore": "8.6", + "impactScore": "2.9" + }, + "cvssv3": { + "baseScore": 5.9, + "attackVector": "NETWORK", + "attackComplexity": "HIGH", + "privilegesRequired": "NONE", + "userInteraction": "NONE", + "scope": "UNCHANGED", + "confidentialityImpact": "HIGH", + "integrityImpact": "NONE", + "availabilityImpact": "NONE", + "baseSeverity": "MEDIUM", + "exploitabilityScore": "2.2", + "impactScore": "3.6", + "version": "3.1" + }, + "cwes": [ + "NVD-CWE-noinfo" + ], + "description": "Spring Framework (versions 5.0.x prior to 5.0.7, versions 4.3.x prior to 4.3.18, and older unsupported versions) allow web 
applications to change the HTTP request method to any HTTP method (including TRACE) using the HiddenHttpMethodFilter in Spring MVC. If an application has a pre-existing XSS vulnerability, a malicious user (or attacker) can use this filter to escalate to an XST (Cross Site Tracing) attack.", + "notes": "", + "references": [ + { + "source": "MISC", + "url": "https://www.oracle.com/security-alerts/cpuoct2021.html", + "name": "https://www.oracle.com/security-alerts/cpuoct2021.html" + }, + { + "source": "BID", + "url": "http://www.securityfocus.com/bid/107984", + "name": "107984" + }, + { + "source": "MISC", + "url": "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html", + "name": "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html" + }, + { + "source": "MISC", + "url": "https://www.oracle.com/security-alerts/cpujul2020.html", + "name": "https://www.oracle.com/security-alerts/cpujul2020.html" + }, + { + "source": "CONFIRM", + "url": "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html", + "name": "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html" + }, + { + "source": "MLIST", + "url": "https://lists.debian.org/debian-lts-announce/2021/04/msg00022.html", + "name": "[debian-lts-announce] 20210423 [SECURITY] [DLA 2635-1] libspring-java security update" + }, + { + "source": "CONFIRM", + "url": "https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html", + "name": "https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html" + }, + { + "source": "MISC", + "url": "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html", + "name": "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html" + }, + { + "source": "CONFIRM", + "url": "https://pivotal.io/security/cve-2018-11039", + "name": "https://pivotal.io/security/cve-2018-11039" + }, + { + "source": "MISC", + "url": 
"https://www.oracle.com/security-alerts/cpujan2020.html", + "name": "https://www.oracle.com/security-alerts/cpujan2020.html" + } + ], + "vulnerableSoftware": [ + { + "software": { + "id": "cpe:2.3:a:oracle:agile_plm:9.3.3:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:oracle:retail_returns_management:14.0:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:oracle:agile_plm:9.3.4:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:oracle:insurance_rules_palette:10.1:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:oracle:agile_plm:9.3.5:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:oracle:application_testing_suite:13.1.0.1:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:oracle:agile_plm:9.3.6:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:oracle:communications_converged_application_server:*:*:*:*:*:*:*:*", - "versionEndExcluding": "7.0.0.1" + "id": "cpe:2.3:a:oracle:application_testing_suite:12.5.0.3:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:oracle:application_testing_suite:13.3.0.1:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:oracle:application_testing_suite:13.1.0.1:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:oracle:retail_back_office:14.1:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:oracle:application_testing_suite:13.2.0.1:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:application_testing_suite:13.3.0.1:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:oracle:retail_customer_insights:15.0:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:oracle:communications_diameter_signaling_router:*:*:*:*:*:*:*:*", + "versionEndExcluding": "8.3" } }, { "software": { - "id": "cpe:2.3:a:oracle:retail_central_office:14.0:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:oracle:communications_network_integrity:*:*:*:*:*:*:*:*", + "versionStartIncluding": "7.3.2", + "versionEndIncluding": "7.3.6" } }, { "software": { - "id": "cpe:2.3:a:oracle:tape_library_acsls:8.4:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:oracle:communications_online_mediation_controller:6.1:*:*:*:*:*:*:*" } }, { 
@@ -8893,459 +15249,549 @@ }, { "software": { - "id": "cpe:2.3:a:oracle:retail_back_office:14.0:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:oracle:communications_services_gatekeeper:*:*:*:*:*:*:*:*", + "versionEndExcluding": "6.1.0.4.0" } }, { "software": { - "id": "cpe:2.3:a:oracle:big_data_discovery:1.6.0:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:oracle:communications_unified_inventory_management:7.3.2:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:oracle:goldengate_for_big_data:12.3.2.1:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:oracle:communications_unified_inventory_management:7.3.4:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:oracle:insurance_rules_palette:10.0:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:oracle:communications_unified_inventory_management:7.3.5:*:*:*:*:*:*:*" } - } - ] - }, - { - "source": "NVD", - "name": "CVE-2018-1272", - "severity": "HIGH", - "cvssv2": { - "score": 6.0, - "accessVector": "NETWORK", - "accessComplexity": "MEDIUM", - "authenticationr": "SINGLE", - "confidentialImpact": "PARTIAL", - "integrityImpact": "PARTIAL", - "availabilityImpact": "PARTIAL", - "severity": "MEDIUM", - "version": "2.0", - "exploitabilityScore": "6.8", - "impactScore": "6.4" - }, - "cvssv3": { - "baseScore": 7.5, - "attackVector": "NETWORK", - "attackComplexity": "HIGH", - "privilegesRequired": "LOW", - "userInteraction": "NONE", - "scope": "UNCHANGED", - "confidentialityImpact": "HIGH", - "integrityImpact": "HIGH", - "availabilityImpact": "HIGH", - "baseSeverity": "HIGH", - "exploitabilityScore": "1.6", - "impactScore": "5.9", - "version": "3.0" - }, - "cwes": [ - "NVD-CWE-noinfo" - ], - "description": "Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, provide client-side support for multipart requests. 
When Spring MVC or Spring WebFlux server application (server A) receives input from a remote client, and then uses that input to make a multipart request to another server (server B), it can be exposed to an attack, where an extra multipart is inserted in the content of the request from server A, causing server B to use the wrong value for a part it expects. This could to lead privilege escalation, for example, if the part content represents a username or user roles.", - "notes": "", - "references": [ - { - "source": "REDHAT", - "url": "https://access.redhat.com/errata/RHSA-2018:1320", - "name": "RHSA-2018:1320" - }, - { - "source": "CONFIRM", - "url": "http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html", - "name": "http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html" - }, - { - "source": "CONFIRM", - "url": "https://pivotal.io/security/cve-2018-1272", - "name": "https://pivotal.io/security/cve-2018-1272" }, { - "source": "MISC", - "url": "https://www.oracle.com/security-alerts/cpujul2020.html", - "name": "https://www.oracle.com/security-alerts/cpujul2020.html" + "software": { + "id": "cpe:2.3:a:oracle:communications_unified_inventory_management:7.4.0:*:*:*:*:*:*:*" + } }, { - "source": "BID", - "url": "http://www.securityfocus.com/bid/103697", - "name": "103697" + "software": { + "id": "cpe:2.3:a:oracle:endeca_information_discovery_integrator:3.1.0:*:*:*:*:*:*:*" + } }, { - "source": "CONFIRM", - "url": "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html", - "name": "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html" + "software": { + "id": "cpe:2.3:a:oracle:endeca_information_discovery_integrator:3.2.0:*:*:*:*:*:*:*" + } }, { - "source": "REDHAT", - "url": "https://access.redhat.com/errata/RHSA-2018:2669", - "name": "RHSA-2018:2669" + "software": { + "id": "cpe:2.3:a:oracle:enterprise_manager_base_platform:12.1.0.5.0:*:*:*:*:*:*:*" + } }, { - "source": "CONFIRM", - 
"url": "https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html", - "name": "https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html" + "software": { + "id": "cpe:2.3:a:oracle:enterprise_manager_base_platform:13.2.0.0.0:*:*:*:*:*:*:*" + } }, - { - "source": "MISC", - "url": "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html", - "name": "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html" - } - ], - "vulnerableSoftware": [ { "software": { - "id": "cpe:2.3:a:oracle:retail_integration_bus:15.0.1:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:oracle:enterprise_manager_base_platform:13.3.0.0.0:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:oracle:retail_order_broker:5.1:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:oracle:enterprise_manager_for_mysql_database:13.2:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:oracle:insurance_calculation_engine:10.2:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:oracle:enterprise_manager_ops_center:12.3.3:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:oracle:retail_order_broker:15.0:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:oracle:health_sciences_information_manager:3.0:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:oracle:retail_central_office:14.1:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:oracle:healthcare_master_person_index:3.0:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:oracle:insurance_rules_palette:10.2:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:oracle:healthcare_master_person_index:4.0:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:oracle:healthcare_master_person_index:3.0:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:oracle:hospitality_guest_access:4.2.0:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:oracle:retail_predictive_application_server:16.0:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:oracle:hospitality_guest_access:4.2.1:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:oracle:retail_predictive_application_server:14.0:*:*:*:*:*:*:*" + "id": 
"cpe:2.3:a:oracle:insurance_calculation_engine:*:*:*:*:*:*:*:*", + "versionStartIncluding": "11.0.0", + "versionEndIncluding": "11.3.1" } }, { "software": { - "id": "cpe:2.3:a:oracle:goldengate_for_big_data:12.2.0.1:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:oracle:insurance_calculation_engine:10.2:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:oracle:retail_open_commerce_platform:6.0.1:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:oracle:insurance_rules_palette:10.0:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:oracle:retail_integration_bus:14.1.1:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:oracle:insurance_rules_palette:10.2:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:oracle:retail_point-of-sale:14.1:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:oracle:micros_lucas:2.9.5:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:oracle:retail_integration_bus:16.0:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:oracle:mysql_enterprise_monitor:*:*:*:*:*:*:*:*", + "versionEndIncluding": "3.4.9.4237" } }, { "software": { - "id": "cpe:2.3:a:pivotal_software:spring_framework:*:*:*:*:*:*:*:*", - "versionStartIncluding": "5.0", - "versionEndExcluding": "5.0.5" + "id": "cpe:2.3:a:oracle:mysql_enterprise_monitor:*:*:*:*:*:*:*:*", + "versionStartIncluding": "4.0.0", + "versionEndIncluding": "4.0.6.5281" } }, { "software": { - "id": "cpe:2.3:a:oracle:insurance_rules_palette:11.0:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:oracle:mysql_enterprise_monitor:*:*:*:*:*:*:*:*", + "versionStartIncluding": "8.0.0", + "versionEndIncluding": "8.0.2.8191" } }, { "software": { - "id": "cpe:2.3:a:oracle:retail_returns_management:14.1:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:18.8:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:oracle:goldengate_for_big_data:12.3.1.1:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:oracle:retail_advanced_inventory_planning:15.0:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:pivotal_software:spring_framework:*:*:*:*:*:*:*:*", - 
"vulnerabilityIdMatched": "true", - "versionEndIncluding": "4.2.9" + "id": "cpe:2.3:a:oracle:retail_assortment_planning:14.1:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:oracle:retail_open_commerce_platform:6.0.0:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:oracle:retail_assortment_planning:15.0:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:oracle:retail_integration_bus:14.0.3:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:oracle:retail_assortment_planning:16.0:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:oracle:health_sciences_information_manager:3.0:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:oracle:retail_clearance_optimization_engine:14.0.5:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:oracle:retail_predictive_application_server:14.1:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:oracle:retail_customer_insights:15.0:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:oracle:insurance_rules_palette:11.1:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:oracle:retail_customer_insights:16.0:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:oracle:retail_integration_bus:15.0.2:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:oracle:retail_financial_integration:13.2:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:oracle:retail_open_commerce_platform:5.3.0:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:oracle:retail_financial_integration:14.0:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:pivotal_software:spring_framework:*:*:*:*:*:*:*:*", - "versionStartIncluding": "4.3.0", - "versionEndExcluding": "4.3.15" + "id": "cpe:2.3:a:oracle:retail_financial_integration:14.1:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:oracle:retail_integration_bus:14.0.1:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:oracle:retail_financial_integration:15.0:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:oracle:primavera_gateway:15.2:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:oracle:retail_financial_integration:16.0:*:*:*:*:*:*:*" } }, { "software": { - "id": 
"cpe:2.3:a:oracle:enterprise_manager_ops_center:12.2.2:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:oracle:retail_integration_bus:14.1.2:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:oracle:application_testing_suite:12.5.0.3:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:oracle:retail_markdown_optimization:13.4.4:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:oracle:retail_integration_bus:14.0.2:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:oracle:retail_predictive_application_server:14.0.3.26:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:oracle:service_architecture_leveraging_tuxedo:12.2.2.0.0:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:oracle:retail_predictive_application_server:14.1.3.37:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:oracle:service_architecture_leveraging_tuxedo:12.1.3.0.0:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:oracle:retail_predictive_application_server:15.0.3..100:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:oracle:retail_order_broker:16.0:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:oracle:retail_predictive_application_server:16.0:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:oracle:retail_point-of-sale:14.0:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:oracle:retail_xstore_point_of_service:7.1:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:oracle:retail_integration_bus:15.0.0.1:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:oracle:utilities_network_management_system:1.12.0.3:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:oracle:healthcare_master_person_index:4.0:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:oracle:weblogic_server:10.3.6.0.0:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:oracle:retail_predictive_application_server:15.0:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:oracle:weblogic_server:12.1.3.0.0:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:oracle:retail_integration_bus:14.0.4:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:oracle:weblogic_server:12.2.1.3.0:*:*:*:*:*:*:*" } }, { "software": { - "id": 
"cpe:2.3:a:oracle:communications_services_gatekeeper:*:*:*:*:*:*:*:*", - "versionEndExcluding": "6.1.0.4.0" + "id": "cpe:2.3:a:vmware:spring_framework:*:*:*:*:*:*:*:*", + "vulnerabilityIdMatched": "true", + "versionEndExcluding": "4.3.18" } }, { "software": { - "id": "cpe:2.3:a:oracle:primavera_gateway:16.2:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:vmware:spring_framework:*:*:*:*:*:*:*:*", + "versionStartIncluding": "5.0.0", + "versionEndExcluding": "5.0.7" } + } + ] + }, + { + "source": "NVD", + "name": "CVE-2022-22968", + "severity": "MEDIUM", + "cvssv2": { + "score": 5.0, + "accessVector": "NETWORK", + "accessComplexity": "LOW", + "authenticationr": "NONE", + "confidentialImpact": "NONE", + "integrityImpact": "PARTIAL", + "availabilityImpact": "NONE", + "severity": "MEDIUM", + "version": "2.0", + "exploitabilityScore": "10.0", + "impactScore": "2.9" + }, + "cvssv3": { + "baseScore": 5.3, + "attackVector": "NETWORK", + "attackComplexity": "LOW", + "privilegesRequired": "NONE", + "userInteraction": "NONE", + "scope": "UNCHANGED", + "confidentialityImpact": "NONE", + "integrityImpact": "LOW", + "availabilityImpact": "NONE", + "baseSeverity": "MEDIUM", + "exploitabilityScore": "3.9", + "impactScore": "1.4", + "version": "3.1" + }, + "cwes": [ + "CWE-178" + ], + "description": "In Spring Framework versions 5.3.0 - 5.3.18, 5.2.0 - 5.2.20, and older unsupported versions, the patterns for disallowedFields on a DataBinder are case sensitive which means a field is not effectively protected unless it is listed with both upper and lower case for the first character of the field, including upper and lower case for the first character of all nested fields within the property path.", + "notes": "", + "references": [ + { + "source": "CONFIRM", + "url": "https://security.netapp.com/advisory/ntap-20220602-0004/", + "name": "https://security.netapp.com/advisory/ntap-20220602-0004/" + }, + { + "source": "N/A", + "url": "https://www.oracle.com/security-alerts/cpujul2022.html", + "name": 
"N/A" }, + { + "source": "MISC", + "url": "https://tanzu.vmware.com/security/cve-2022-22968", + "name": "https://tanzu.vmware.com/security/cve-2022-22968" + } + ], + "vulnerableSoftware": [ { "software": { - "id": "cpe:2.3:a:oracle:retail_order_broker:5.2:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:linux:*:*" } }, { "software": { - "id": "cpe:2.3:a:oracle:retail_integration_bus:16.0.1:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:vmware_vsphere:*:*" } }, { "software": { - "id": "cpe:2.3:a:oracle:retail_customer_insights:16.0:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:windows:*:*" } }, { "software": { - "id": "cpe:2.3:a:oracle:retail_integration_bus:14.1.2:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:netapp:cloud_secure_agent:-:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:oracle:enterprise_manager_ops_center:12.3.3:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:netapp:metrocluster_tiebreaker:-:*:*:*:*:clustered_data_ontap:*:*" } }, { "software": { - "id": "cpe:2.3:a:oracle:communications_diameter_signaling_router:*:*:*:*:*:*:*:*", - "versionEndExcluding": "8.3" + "id": "cpe:2.3:a:netapp:snap_creator_framework:-:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:oracle:retail_integration_bus:16.0.2:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:netapp:snapmanager:-:*:*:*:*:oracle:*:*" } }, { "software": { - "id": "cpe:2.3:a:oracle:insurance_calculation_engine:10.1.1:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:netapp:snapmanager:-:*:*:*:*:sap:*:*" } }, { "software": { - "id": "cpe:2.3:a:oracle:insurance_calculation_engine:10.2.1:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:oracle:mysql_enterprise_monitor:*:*:*:*:*:*:*:*", + "versionEndIncluding": "8.0.29" } }, { "software": { - "id": "cpe:2.3:a:oracle:application_testing_suite:13.2.0.1:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:vmware:spring_framework:*:*:*:*:*:*:*:*", + "vulnerabilityIdMatched": "true", + "versionEndExcluding": "5.2.0" } }, { "software": { - "id": 
"cpe:2.3:a:oracle:retail_integration_bus:14.1.3:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:vmware:spring_framework:*:*:*:*:*:*:*:*", + "versionStartIncluding": "5.2.0", + "versionEndIncluding": "5.2.20" } }, { "software": { - "id": "cpe:2.3:a:oracle:primavera_gateway:17.12:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:vmware:spring_framework:*:*:*:*:*:*:*:*", + "versionStartIncluding": "5.3.0", + "versionEndIncluding": "5.3.18" } + } + ] + }, + { + "source": "NVD", + "name": "CVE-2022-22970", + "severity": "MEDIUM", + "cvssv2": { + "score": 3.5, + "accessVector": "NETWORK", + "accessComplexity": "MEDIUM", + "authenticationr": "SINGLE", + "confidentialImpact": "NONE", + "integrityImpact": "NONE", + "availabilityImpact": "PARTIAL", + "severity": "LOW", + "version": "2.0", + "exploitabilityScore": "6.8", + "impactScore": "2.9" + }, + "cvssv3": { + "baseScore": 5.3, + "attackVector": "NETWORK", + "attackComplexity": "HIGH", + "privilegesRequired": "LOW", + "userInteraction": "NONE", + "scope": "UNCHANGED", + "confidentialityImpact": "NONE", + "integrityImpact": "NONE", + "availabilityImpact": "HIGH", + "baseSeverity": "MEDIUM", + "exploitabilityScore": "1.6", + "impactScore": "3.6", + "version": "3.1" + }, + "cwes": [ + "CWE-770" + ], + "description": "In spring framework versions prior to 5.3.20+ , 5.2.22+ and old unsupported versions, applications that handle file uploads are vulnerable to DoS attack if they rely on data binding to set a MultipartFile or javax.servlet.Part to a field in a model object.", + "notes": "", + "references": [ + { + "source": "CONFIRM", + "url": "https://security.netapp.com/advisory/ntap-20220616-0006/", + "name": "https://security.netapp.com/advisory/ntap-20220616-0006/" }, + { + "source": "N/A", + "url": "https://www.oracle.com/security-alerts/cpujul2022.html", + "name": "N/A" + }, + { + "source": "MISC", + "url": "https://tanzu.vmware.com/security/cve-2022-22970", + "name": "https://tanzu.vmware.com/security/cve-2022-22970" + } + ], + "vulnerableSoftware": [ 
{ "software": { - "id": "cpe:2.3:a:oracle:retail_returns_management:14.0:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:linux:*:*" } }, { "software": { - "id": "cpe:2.3:a:oracle:insurance_rules_palette:10.1:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:vmware_vsphere:*:*" } }, { "software": { - "id": "cpe:2.3:a:oracle:application_testing_suite:13.1.0.1:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:windows:*:*" } }, { "software": { - "id": "cpe:2.3:a:oracle:communications_converged_application_server:*:*:*:*:*:*:*:*", - "versionEndExcluding": "7.0.0.1" + "id": "cpe:2.3:a:netapp:brocade_san_navigator:-:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:oracle:application_testing_suite:13.3.0.1:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:netapp:cloud_secure_agent:-:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:oracle:retail_back_office:14.1:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:netapp:oncommand_insight:-:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:oracle:retail_customer_insights:15.0:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:oracle:financial_services_crime_and_compliance_management_studio:8.0.8.2.0:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:oracle:retail_central_office:14.0:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:oracle:financial_services_crime_and_compliance_management_studio:8.0.8.3.0:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:oracle:tape_library_acsls:8.4:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:vmware:spring_framework:*:*:*:*:*:*:*:*", + "vulnerabilityIdMatched": "true", + "versionEndIncluding": "5.2.21" } }, { "software": { - "id": "cpe:2.3:a:oracle:communications_performance_intelligence_center:*:*:*:*:*:*:*:*", - "versionEndExcluding": "10.2.1" + "id": "cpe:2.3:a:vmware:spring_framework:*:*:*:*:*:*:*:*", + "versionStartIncluding": "5.3.0", + "versionEndIncluding": "5.3.19" } - }, + } + ] + }, + { + "source": "OSSINDEX", + "name": "CVE-2009-1190", + 
"severity": "MEDIUM", + "cvssv2": { + "score": 5.0, + "accessVector": "N", + "accessComplexity": "L", + "authenticationr": "N", + "confidentialImpact": "N", + "integrityImpact": "N", + "availabilityImpact": "P", + "severity": "MEDIUM" + }, + "cwes": [ + "CWE-399" + ], + "description": "Algorithmic complexity vulnerability in the java.util.regex.Pattern.compile method in Sun Java Development Kit (JDK) before 1.6, when used with spring.jar in SpringSource Spring Framework 1.1.0 through 2.5.6 and 3.0.0.M1 through 3.0.0.M2 and dm Server 1.0.0 through 1.0.2, allows remote attackers to cause a denial of service (CPU consumption) via serializable data with a long regex string containing multiple optional groups, a related issue to CVE-2004-2540.", + "notes": "", + "references": [ { - "software": { - "id": "cpe:2.3:a:oracle:retail_back_office:14.0:*:*:*:*:*:*:*" - } + "source": "OSSIndex", + "url": "http://support.springsource.com/node/107", + "name": "http://support.springsource.com/node/107" }, { - "software": { - "id": "cpe:2.3:a:oracle:big_data_discovery:1.6.0:*:*:*:*:*:*:*" - } + "source": "OSSIndex", + "url": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-1190", + "name": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-1190" }, { - "software": { - "id": "cpe:2.3:a:oracle:goldengate_for_big_data:12.3.2.1:*:*:*:*:*:*:*" - } - }, + "source": "OSSINDEX", + "url": "https://ossindex.sonatype.org/vulnerability/CVE-2009-1190?component-type=maven&component-name=org.springframework%2Fspring&utm_source=dependency-check&utm_medium=integration&utm_content=8.0.2", + "name": "[CVE-2009-1190] CWE-399" + } + ], + "vulnerableSoftware": [ { "software": { - "id": "cpe:2.3:a:oracle:insurance_rules_palette:10.0:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:org.springframework:spring:2.0.8:*:*:*:*:*:*:*", + "vulnerabilityIdMatched": "true" } } ] 
@@ -9363,90 +15809,424 @@ "projectReferences": [ "module1:compile" ], + "includedBy": [ + { + "reference": "pkg:maven/com.example/module1@1.0.0" + } + ], "evidenceCollected": { "vendorEvidence": [ + { + "type": "vendor", + "confidence": "HIGH", + "source": "file", + "name": "name", + "value": "struts" + }, + { + "type": "vendor", + "confidence": "HIGHEST", + "source": "jar", + "name": "package name", + "value": "apache" + }, + { + "type": "vendor", + "confidence": "HIGHEST", + "source": "jar", + "name": "package name", + "value": "controller" + }, + { + "type": "vendor", + "confidence": "HIGHEST", + "source": "jar", + "name": "package name", + "value": "struts" + }, + { + "type": "vendor", + "confidence": "MEDIUM", + "source": "Manifest", + "name": "extension-name", + "value": "Struts Framework" + }, + { + "type": "vendor", + "confidence": "HIGH", + "source": "Manifest", + "name": "Implementation-Vendor", + "value": "The Apache Software Foundation" + }, + { + "type": "vendor", + "confidence": "MEDIUM", + "source": "Manifest", + "name": "Implementation-Vendor-Id", + "value": "org.apache" + }, + { + "type": "vendor", + "confidence": "LOW", + "source": "Manifest", + "name": "specification-vendor", + "value": "The Apache Software Foundation" + }, + { + "type": "vendor", + "confidence": "HIGHEST", + "source": "pom", + "name": "artifactid", + "value": "struts" + }, + { + "type": "vendor", + "confidence": "LOW", + "source": "pom", + "name": "artifactid", + "value": "struts" + }, + { + "type": "vendor", + "confidence": "LOW", + "source": "pom", + "name": "developer email", + "value": "arron at apache.org" + }, + { + "type": "vendor", + "confidence": "LOW", + "source": "pom", + "name": "developer email", + "value": "cedric.dumoulin at lifl.fr" + }, + { + "type": "vendor", + "confidence": "LOW", + "source": "pom", + "name": "developer email", + "value": "craigmcc at apache.org" + }, + { + "type": "vendor", + "confidence": "LOW", + "source": "pom", + "name": "developer 
email", + "value": "dgraham at apache.org" + }, + { + "type": "vendor", + "confidence": "LOW", + "source": "pom", + "name": "developer email", + "value": "dmkarr at apache.org" + }, + { + "type": "vendor", + "confidence": "LOW", + "source": "pom", + "name": "developer email", + "value": "ekbush at apache.org" + }, + { + "type": "vendor", + "confidence": "LOW", + "source": "pom", + "name": "developer email", + "value": "germuska at apache.org" + }, + { + "type": "vendor", + "confidence": "LOW", + "source": "pom", + "name": "developer email", + "value": "husted at apache.org" + }, + { + "type": "vendor", + "confidence": "LOW", + "source": "pom", + "name": "developer email", + "value": "jholmes at apache.org" + }, + { + "type": "vendor", + "confidence": "LOW", + "source": "pom", + "name": "developer email", + "value": "jmitchell at apache.org" + }, + { + "type": "vendor", + "confidence": "LOW", + "source": "pom", + "name": "developer email", + "value": "martinc at apache.org" + }, + { + "type": "vendor", + "confidence": "LOW", + "source": "pom", + "name": "developer email", + "value": "mrdon at apache.org" + }, + { + "type": "vendor", + "confidence": "LOW", + "source": "pom", + "name": "developer email", + "value": "niallp at apache.org" + }, + { + "type": "vendor", + "confidence": "LOW", + "source": "pom", + "name": "developer email", + "value": "rleland at apache.org" + }, + { + "type": "vendor", + "confidence": "LOW", + "source": "pom", + "name": "developer email", + "value": "sraeburn at apache.org" + }, + { + "type": "vendor", + "confidence": "LOW", + "source": "pom", + "name": "developer email", + "value": "turner at blackbear.com" + }, + { + "type": "vendor", + "confidence": "MEDIUM", + "source": "pom", + "name": "developer id", + "value": "arron" + }, + { + "type": "vendor", + "confidence": "MEDIUM", + "source": "pom", + "name": "developer id", + "value": "cedric" + }, + { + "type": "vendor", + "confidence": "MEDIUM", + "source": "pom", + "name": "developer 
id", + "value": "craigmcc" + }, + { + "type": "vendor", + "confidence": "MEDIUM", + "source": "pom", + "name": "developer id", + "value": "dgraham" + }, + { + "type": "vendor", + "confidence": "MEDIUM", + "source": "pom", + "name": "developer id", + "value": "dmkarr" + }, + { + "type": "vendor", + "confidence": "MEDIUM", + "source": "pom", + "name": "developer id", + "value": "ekbush" + }, + { + "type": "vendor", + "confidence": "MEDIUM", + "source": "pom", + "name": "developer id", + "value": "germuska" + }, + { + "type": "vendor", + "confidence": "MEDIUM", + "source": "pom", + "name": "developer id", + "value": "husted" + }, + { + "type": "vendor", + "confidence": "MEDIUM", + "source": "pom", + "name": "developer id", + "value": "jholmes" + }, + { + "type": "vendor", + "confidence": "MEDIUM", + "source": "pom", + "name": "developer id", + "value": "jmitchell" + }, + { + "type": "vendor", + "confidence": "MEDIUM", + "source": "pom", + "name": "developer id", + "value": "martinc" + }, { "type": "vendor", "confidence": "MEDIUM", - "source": "Manifest", - "name": "extension-name", - "value": "Struts Framework" + "source": "pom", + "name": "developer id", + "value": "mrdon" }, { "type": "vendor", - "confidence": "HIGHEST", + "confidence": "MEDIUM", "source": "pom", - "name": "url", - "value": "http://struts.apache.org/" + "name": "developer id", + "value": "niallp" }, { "type": "vendor", - "confidence": "HIGHEST", + "confidence": "MEDIUM", "source": "pom", - "name": "groupid", - "value": "struts" + "name": "developer id", + "value": "rleland" }, { "type": "vendor", - "confidence": "HIGH", - "source": "file", - "name": "name", - "value": "struts" + "confidence": "MEDIUM", + "source": "pom", + "name": "developer id", + "value": "sraeburn" }, { "type": "vendor", - "confidence": "LOW", - "source": "Manifest", - "name": "specification-vendor", - "value": "The Apache Software Foundation" + "confidence": "MEDIUM", + "source": "pom", + "name": "developer id", + "value": 
"turner" }, { "type": "vendor", - "confidence": "HIGH", - "source": "Manifest", - "name": "Implementation-Vendor", - "value": "The Apache Software Foundation" + "confidence": "MEDIUM", + "source": "pom", + "name": "developer name", + "value": "Arron Bates" }, { "type": "vendor", "confidence": "MEDIUM", "source": "pom", - "name": "organization url", - "value": "http://struts.apache.org/" + "name": "developer name", + "value": "Cedric Dumoulin" }, { "type": "vendor", - "confidence": "HIGHEST", - "source": "jar", - "name": "package name", - "value": "apache" + "confidence": "MEDIUM", + "source": "pom", + "name": "developer name", + "value": "Craig R. McClanahan" }, { "type": "vendor", "confidence": "MEDIUM", - "source": "Manifest", - "name": "Implementation-Vendor-Id", - "value": "org.apache" + "source": "pom", + "name": "developer name", + "value": "David Graham" }, { "type": "vendor", - "confidence": "HIGH", + "confidence": "MEDIUM", "source": "pom", - "name": "organization name", - "value": "The Apache Software Foundation" + "name": "developer name", + "value": "David M. 
Karr" }, { "type": "vendor", - "confidence": "LOW", + "confidence": "MEDIUM", "source": "pom", - "name": "artifactid", - "value": "struts" + "name": "developer name", + "value": "Don Brown" + }, + { + "type": "vendor", + "confidence": "MEDIUM", + "source": "pom", + "name": "developer name", + "value": "Eddie Bush" + }, + { + "type": "vendor", + "confidence": "MEDIUM", + "source": "pom", + "name": "developer name", + "value": "James Holmes" + }, + { + "type": "vendor", + "confidence": "MEDIUM", + "source": "pom", + "name": "developer name", + "value": "James Mitchell" + }, + { + "type": "vendor", + "confidence": "MEDIUM", + "source": "pom", + "name": "developer name", + "value": "James Turner" + }, + { + "type": "vendor", + "confidence": "MEDIUM", + "source": "pom", + "name": "developer name", + "value": "Joe Germuska" + }, + { + "type": "vendor", + "confidence": "MEDIUM", + "source": "pom", + "name": "developer name", + "value": "Martin Cooper" + }, + { + "type": "vendor", + "confidence": "MEDIUM", + "source": "pom", + "name": "developer name", + "value": "Niall Pemberton" + }, + { + "type": "vendor", + "confidence": "MEDIUM", + "source": "pom", + "name": "developer name", + "value": "Rob Leland" + }, + { + "type": "vendor", + "confidence": "MEDIUM", + "source": "pom", + "name": "developer name", + "value": "Steve Raeburn" + }, + { + "type": "vendor", + "confidence": "MEDIUM", + "source": "pom", + "name": "developer name", + "value": "Ted Husted" }, { "type": "vendor", "confidence": "HIGHEST", - "source": "jar", - "name": "package name", + "source": "pom", + "name": "groupid", "value": "struts" }, { 
@@ -9456,15 +16236,57 @@ "name": "name", "value": "struts" }, + { + "type": "vendor", + "confidence": "HIGH", + "source": "pom", + "name": "organization name", + "value": "The Apache Software Foundation" + }, + { + "type": "vendor", + "confidence": "MEDIUM", + "source": "pom", + "name": "organization url", + "value": "http://struts.apache.org/" + }, { "type": "vendor", "confidence": "HIGHEST", - "source": "jar", - "name": "package name", - "value": "controller" + "source": "pom", + "name": "url", + "value": "http://struts.apache.org/" } ], "productEvidence": [ + { + "type": "product", + "confidence": "HIGH", + "source": "file", + "name": "name", + "value": "struts" + }, + { + "type": "product", + "confidence": "HIGHEST", + "source": "jar", + "name": "package name", + "value": "apache" + }, + { + "type": "product", + "confidence": "HIGHEST", + "source": "jar", + "name": "package name", + "value": "controller" + }, + { + "type": "product", + "confidence": "HIGHEST", + "source": "jar", + "name": "package name", + "value": "struts" + }, { "type": "product", "confidence": "MEDIUM", 
@@ -9474,2401 +16296,1763 @@ }, { "type": "product", - "confidence": "MEDIUM", - "source": "pom", - "name": "url", - "value": "http://struts.apache.org/" + "confidence": "HIGH", + "source": "Manifest", + "name": "Implementation-Title", + "value": "Struts Framework" }, { "type": "product", - "confidence": "HIGH", + "confidence": "MEDIUM", "source": "Manifest", - "name": "Implementation-Title", + "name": "specification-title", "value": "Struts Framework" }, + { + "type": "product", + "confidence": "HIGHEST", + "source": "pom", + "name": "artifactid", + "value": "struts" + }, { "type": "product", "confidence": "LOW", "source": "pom", - "name": "organization name", - "value": "The Apache Software Foundation" + "name": "developer email", + "value": "arron at apache.org" }, { "type": "product", - "confidence": "HIGHEST", + "confidence": "LOW", "source": "pom", - "name": "groupid", - "value": "struts" + "name": "developer email", + "value": "cedric.dumoulin at lifl.fr" }, { "type": "product", - "confidence": "HIGH", - "source": "file", - "name": "name", - "value": "struts" + "confidence": "LOW", + "source": "pom", + "name": "developer email", + "value": "craigmcc at apache.org" }, { "type": "product", - "confidence": "MEDIUM", - "source": "Manifest", - "name": "specification-title", - "value": "Struts Framework" + "confidence": "LOW", + "source": "pom", + "name": "developer email", + "value": "dgraham at apache.org" }, { "type": "product", - "confidence": "HIGHEST", + "confidence": "LOW", "source": "pom", - "name": "artifactid", - "value": "struts" + "name": "developer email", + "value": "dmkarr at apache.org" }, { "type": "product", "confidence": "LOW", "source": "pom", - "name": "organization url", - "value": "http://struts.apache.org/" + "name": "developer email", + "value": "ekbush at apache.org" }, { "type": "product", - "confidence": "HIGHEST", - "source": "jar", - "name": "package name", - "value": "apache" + "confidence": "LOW", + "source": "pom", + "name": 
"developer email", + "value": "germuska at apache.org" + }, + { + "type": "product", + "confidence": "LOW", + "source": "pom", + "name": "developer email", + "value": "husted at apache.org" + }, + { + "type": "product", + "confidence": "LOW", + "source": "pom", + "name": "developer email", + "value": "jholmes at apache.org" + }, + { + "type": "product", + "confidence": "LOW", + "source": "pom", + "name": "developer email", + "value": "jmitchell at apache.org" + }, + { + "type": "product", + "confidence": "LOW", + "source": "pom", + "name": "developer email", + "value": "martinc at apache.org" + }, + { + "type": "product", + "confidence": "LOW", + "source": "pom", + "name": "developer email", + "value": "mrdon at apache.org" + }, + { + "type": "product", + "confidence": "LOW", + "source": "pom", + "name": "developer email", + "value": "niallp at apache.org" + }, + { + "type": "product", + "confidence": "LOW", + "source": "pom", + "name": "developer email", + "value": "rleland at apache.org" + }, + { + "type": "product", + "confidence": "LOW", + "source": "pom", + "name": "developer email", + "value": "sraeburn at apache.org" + }, + { + "type": "product", + "confidence": "LOW", + "source": "pom", + "name": "developer email", + "value": "turner at blackbear.com" + }, + { + "type": "product", + "confidence": "LOW", + "source": "pom", + "name": "developer id", + "value": "arron" + }, + { + "type": "product", + "confidence": "LOW", + "source": "pom", + "name": "developer id", + "value": "cedric" }, { "type": "product", - "confidence": "HIGHEST", - "source": "jar", - "name": "package name", - "value": "struts" + "confidence": "LOW", + "source": "pom", + "name": "developer id", + "value": "craigmcc" }, { "type": "product", - "confidence": "HIGH", + "confidence": "LOW", "source": "pom", - "name": "name", - "value": "struts" + "name": "developer id", + "value": "dgraham" }, { "type": "product", - "confidence": "HIGHEST", - "source": "jar", - "name": "package name", - 
"value": "controller" - } - ], - "versionEvidence": [ - { - "type": "version", - "confidence": "HIGH", - "source": "file", - "name": "version", - "value": "1.2.8" + "confidence": "LOW", + "source": "pom", + "name": "developer id", + "value": "dmkarr" }, { - "type": "version", - "confidence": "HIGHEST", + "type": "product", + "confidence": "LOW", "source": "pom", - "name": "version", - "value": "1.2.8" + "name": "developer id", + "value": "ekbush" }, { - "type": "version", - "confidence": "HIGH", - "source": "Manifest", - "name": "Implementation-Version", - "value": "1.2.8" - } - ] - }, - "packages": [ - { - "id": "pkg:maven/struts/struts@1.2.8", - "confidence": "HIGH", - "url": "https://ossindex.sonatype.org/component/pkg:maven/struts/struts@1.2.8" - } - ], - "vulnerabilityIds": [ - { - "id": "cpe:2.3:a:apache:struts:1.2.8:*:*:*:*:*:*:*", - "confidence": "HIGHEST", - "url": "https://nvd.nist.gov/vuln/search/results?form_type=Advanced&results_type=overview&search_type=all&cpe_vendor=cpe%3A%2F%3Aapache&cpe_product=cpe%3A%2F%3Aapache%3Astruts&cpe_version=cpe%3A%2F%3Aapache%3Astruts%3A1.2.8" - } - ], - "vulnerabilities": [ - { - "source": "NVD", - "name": "CVE-2006-1546", - "severity": "HIGH", - "cvssv2": { - "score": 7.5, - "accessVector": "NETWORK", - "accessComplexity": "LOW", - "authenticationr": "NONE", - "confidentialImpact": "PARTIAL", - "integrityImpact": "PARTIAL", - "availabilityImpact": "PARTIAL", - "severity": "HIGH", - "version": "2.0", - "exploitabilityScore": "10.0", - "impactScore": "6.4", - "obtainOtherPrivilege": "true" - }, - "cwes": [ - "NVD-CWE-Other" - ], - "description": "Apache Software Foundation (ASF) Struts before 1.2.9 allows remote attackers to bypass validation via a request with a 'org.apache.struts.taglib.html.Constants.CANCEL' parameter, which causes the action to be canceled but would not be detected from applications that do not use the isCancelled check.", - "notes": "", - "references": [ - { - "source": "CONFIRM", - "url": 
"http://struts.apache.org/struts-doc-1.2.9/userGuide/release-notes.html", - "name": "http://struts.apache.org/struts-doc-1.2.9/userGuide/release-notes.html" - }, - { - "source": "VUPEN", - "url": "http://www.vupen.com/english/advisories/2006/1205", - "name": "ADV-2006-1205" - }, - { - "source": "SECUNIA", - "url": "http://secunia.com/advisories/20117", - "name": "20117" - }, - { - "source": "SUSE", - "url": "http://lists.suse.com/archive/suse-security-announce/2006-May/0004.html", - "name": "SUSE-SR:2006:010" - }, - { - "source": "MLIST", - "url": "http://mail-archives.apache.org/mod_mbox/struts-user/200601.mbox/%3c20060121221800.15814.qmail@web32607.mail.mud.yahoo.com%3e", - "name": "[struts-user] 20060121 Validation Security Hole?" - }, - { - "source": "BID", - "url": "http://www.securityfocus.com/bid/17342", - "name": "17342" - }, - { - "source": "SECUNIA", - "url": "http://secunia.com/advisories/19493", - "name": "19493" - }, - { - "source": "OSSINDEX", - "url": "https://ossindex.sonatype.org/vuln/220ef8a8-7542-4419-9786-30f7a979f194?component-type=maven&component-name=struts.struts", - "name": "[CVE-2006-1546] Apache Software Foundation (ASF) Struts before 1.2.9 allows remote attackers to ..." - }, - { - "source": "MLIST", - "url": "http://mail-archives.apache.org/mod_mbox/struts-dev/200601.mbox/%3cdr169r$623$2@sea.gmane.org%3e", - "name": "[struts-devel] 20060122 Re: Validation Security Hole?" 
- }, - { - "source": "SECTRACK", - "url": "http://securitytracker.com/id?1015856", - "name": "1015856" - }, - { - "source": "XF", - "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/25612", - "name": "struts-iscancelled-security-bypass(25612)" - }, - { - "source": "CONFIRM", - "url": "http://issues.apache.org/bugzilla/show_bug.cgi?id=38374", - "name": "http://issues.apache.org/bugzilla/show_bug.cgi?id=38374" - } - ], - "vulnerableSoftware": [ - { - "software": { - "id": "cpe:2.3:a:apache:struts:*:*:*:*:*:*:*:*", - "vulnerabilityIdMatched": "true", - "versionEndIncluding": "1.2.8" - } - } - ] - }, - { - "source": "NVD", - "name": "CVE-2006-1547", - "severity": "HIGH", - "cvssv2": { - "score": 7.8, - "accessVector": "NETWORK", - "accessComplexity": "LOW", - "authenticationr": "NONE", - "confidentialImpact": "NONE", - "integrityImpact": "NONE", - "availabilityImpact": "COMPLETE", - "severity": "HIGH", - "version": "2.0", - "exploitabilityScore": "10.0", - "impactScore": "6.9" + "type": "product", + "confidence": "LOW", + "source": "pom", + "name": "developer id", + "value": "germuska" }, - "cwes": [ - "NVD-CWE-Other" - ], - "description": "ActionForm in Apache Software Foundation (ASF) Struts before 1.2.9 with BeanUtils 1.7 allows remote attackers to cause a denial of service via a multipart/form-data encoded form with a parameter name that references the public getMultipartRequestHandler method, which provides further access to elements in the CommonsMultipartRequestHandler implementation and BeanUtils.", - "notes": "", - "references": [ - { - "source": "CONFIRM", - "url": "http://struts.apache.org/struts-doc-1.2.9/userGuide/release-notes.html", - "name": "http://struts.apache.org/struts-doc-1.2.9/userGuide/release-notes.html" - }, - { - "source": "VUPEN", - "url": "http://www.vupen.com/english/advisories/2006/1205", - "name": "ADV-2006-1205" - }, - { - "source": "SECUNIA", - "url": "http://secunia.com/advisories/20117", - "name": "20117" - }, - { - 
"source": "OSSINDEX", - "url": "https://ossindex.sonatype.org/vuln/3cef7efe-b2fe-4887-b94a-9e7ce0b03cb9?component-type=maven&component-name=struts.struts", - "name": "[CVE-2006-1547] ActionForm in Apache Software Foundation (ASF) Struts before 1.2.9 with BeanUtil..." - }, - { - "source": "SUSE", - "url": "http://lists.suse.com/archive/suse-security-announce/2006-May/0004.html", - "name": "SUSE-SR:2006:010" - }, - { - "source": "BID", - "url": "http://www.securityfocus.com/bid/17342", - "name": "17342" - }, - { - "source": "SECUNIA", - "url": "http://secunia.com/advisories/19493", - "name": "19493" - }, - { - "source": "CONFIRM", - "url": "http://issues.apache.org/bugzilla/show_bug.cgi?id=38534", - "name": "http://issues.apache.org/bugzilla/show_bug.cgi?id=38534" - }, - { - "source": "XF", - "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/25613", - "name": "struts-actionform-dos(25613)" - }, - { - "source": "SECTRACK", - "url": "http://securitytracker.com/id?1015856", - "name": "1015856" - } - ], - "vulnerableSoftware": [ - { - "software": { - "id": "cpe:2.3:a:apache:struts:*:*:*:*:*:*:*:*", - "vulnerabilityIdMatched": "true", - "versionEndIncluding": "1.2.8" - } - }, - { - "software": { - "id": "cpe:2.3:a:apache:struts:1.2.7:*:*:*:*:*:*:*" - } - } - ] - }, - { - "source": "NVD", - "name": "CVE-2006-1548", - "severity": "MEDIUM", - "cvssv2": { - "score": 4.3, - "accessVector": "NETWORK", - "accessComplexity": "MEDIUM", - "authenticationr": "NONE", - "confidentialImpact": "NONE", - "integrityImpact": "PARTIAL", - "availabilityImpact": "NONE", - "severity": "MEDIUM", - "version": "2.0", - "exploitabilityScore": "8.6", - "impactScore": "2.9" + { + "type": "product", + "confidence": "LOW", + "source": "pom", + "name": "developer id", + "value": "husted" }, - "cwes": [ - "NVD-CWE-Other" - ], - "description": "Cross-site scripting (XSS) vulnerability in (1) LookupDispatchAction and possibly (2) DispatchAction and (3) ActionDispatcher in Apache Software 
Foundation (ASF) Struts before 1.2.9 allows remote attackers to inject arbitrary web script or HTML via the parameter name, which is not filtered in the resulting error message.", - "notes": "", - "references": [ - { - "source": "CONFIRM", - "url": "http://struts.apache.org/struts-doc-1.2.9/userGuide/release-notes.html", - "name": "http://struts.apache.org/struts-doc-1.2.9/userGuide/release-notes.html" - }, - { - "source": "CONFIRM", - "url": "http://issues.apache.org/bugzilla/show_bug.cgi?id=38749", - "name": "http://issues.apache.org/bugzilla/show_bug.cgi?id=38749" - }, - { - "source": "VUPEN", - "url": "http://www.vupen.com/english/advisories/2006/1205", - "name": "ADV-2006-1205" - }, - { - "source": "SECUNIA", - "url": "http://secunia.com/advisories/20117", - "name": "20117" - }, - { - "source": "SUSE", - "url": "http://lists.suse.com/archive/suse-security-announce/2006-May/0004.html", - "name": "SUSE-SR:2006:010" - }, - { - "source": "OSSINDEX", - "url": "https://ossindex.sonatype.org/vuln/e3642fdf-1832-49f4-b88f-1c9fdf14c88f?component-type=maven&component-name=struts.struts", - "name": "[CVE-2006-1548] Cross-site scripting (XSS) vulnerability in (1) LookupDispatchAction and possibl..." 
- }, - { - "source": "BID", - "url": "http://www.securityfocus.com/bid/17342", - "name": "17342" - }, - { - "source": "XF", - "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/25614", - "name": "struts-lookupmap-xss(25614)" - }, - { - "source": "SECUNIA", - "url": "http://secunia.com/advisories/19493", - "name": "19493" - }, - { - "source": "CONFIRM", - "url": "https://issues.apache.org/struts/browse/STR-2781", - "name": "https://issues.apache.org/struts/browse/STR-2781" - }, - { - "source": "SECTRACK", - "url": "http://securitytracker.com/id?1015856", - "name": "1015856" - } - ], - "vulnerableSoftware": [ - { - "software": { - "id": "cpe:2.3:a:apache:struts:*:*:*:*:*:*:*:*", - "vulnerabilityIdMatched": "true", - "versionEndIncluding": "1.2.8" - } - } - ] - }, - { - "source": "NVD", - "name": "CVE-2008-2025", - "severity": "MEDIUM", - "cvssv2": { - "score": 4.3, - "accessVector": "NETWORK", - "accessComplexity": "MEDIUM", - "authenticationr": "NONE", - "confidentialImpact": "NONE", - "integrityImpact": "PARTIAL", - "availabilityImpact": "NONE", - "severity": "MEDIUM", - "version": "2.0", - "exploitabilityScore": "8.6", - "impactScore": "2.9", - "userInteractionRequired": "true" + { + "type": "product", + "confidence": "LOW", + "source": "pom", + "name": "developer id", + "value": "jholmes" }, - "cwes": [ - "CWE-79" - ], - "description": "Cross-site scripting (XSS) vulnerability in Apache Struts before 1.2.9-162.31.1 on SUSE Linux Enterprise (SLE) 11, before 1.2.9-108.2 on SUSE openSUSE 10.3, before 1.2.9-198.2 on SUSE openSUSE 11.0, and before 1.2.9-162.163.2 on SUSE openSUSE 11.1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors related to \"insufficient quoting of parameters.\"", - "notes": "", - "references": [ - { - "source": "SECUNIA", - "url": "http://secunia.com/advisories/34567", - "name": "34567" - }, - { - "source": "CONFIRM", - "url": "http://support.novell.com/security/cve/CVE-2008-2025.html", - "name": 
"http://support.novell.com/security/cve/CVE-2008-2025.html" - }, - { - "source": "MISC", - "url": "https://bugzilla.novell.com/show_bug.cgi?id=385273", - "name": "https://bugzilla.novell.com/show_bug.cgi?id=385273" - }, - { - "source": "OSSINDEX", - "url": "https://ossindex.sonatype.org/vuln/8f1213f7-b238-4c01-9538-5311a6ef0552?component-type=maven&component-name=struts.struts", - "name": "[CVE-2008-2025] Improper Neutralization of Input During Web Page Generation (\"Cross-site Scripting\")" - }, - { - "source": "CONFIRM", - "url": "http://download.opensuse.org/update/10.3-test/repodata/patch-struts-5872.xml", - "name": "http://download.opensuse.org/update/10.3-test/repodata/patch-struts-5872.xml" - }, - { - "source": "SECUNIA", - "url": "http://secunia.com/advisories/34642", - "name": "34642" - }, - { - "source": "SUSE", - "url": "http://lists.opensuse.org/opensuse-security-announce/2009-04/msg00003.html", - "name": "SUSE-SR:2009:008" - }, - { - "source": "MISC", - "url": "https://launchpad.net/bugs/cve/2008-2025", - "name": "https://launchpad.net/bugs/cve/2008-2025" - }, - { - "source": "OSVDB", - "url": "http://osvdb.org/53380", - "name": "53380" - } - ], - "vulnerableSoftware": [ - { - "software": { - "id": "cpe:2.3:a:apache:struts:1.2.4:*:*:*:*:*:*:*" - } - }, - { - "software": { - "id": "cpe:2.3:a:apache:struts:1.1:*:*:*:*:*:*:*" - } - }, - { - "software": { - "id": "cpe:2.3:a:apache:struts:1.2.7:*:*:*:*:*:*:*" - } - }, - { - "software": { - "id": "cpe:2.3:a:apache:struts:1.2.8:*:*:*:*:*:*:*", - "vulnerabilityIdMatched": "true" - } - }, - { - "software": { - "id": "cpe:2.3:a:apache:struts:1.0.2:*:*:*:*:*:*:*" - } - } - ] - }, - { - "source": "OSSINDEX", - "name": "CVE-2011-5057", - "severity": "MEDIUM", - "cvssv2": { - "score": 5.0, - "accessVector": "N", - "accessComplexity": "L", - "authenticationr": "N", - "confidentialImpact": "N", - "integrityImpact": "P", - "availabilityImpact": "N", - "severity": "MEDIUM" + { + "type": "product", + "confidence": "LOW", 
+ "source": "pom", + "name": "developer id", + "value": "jmitchell" }, - "cwes": [], - "description": "Apache Struts 2.3.1.1 and earlier provides interfaces that do not properly restrict access to collections such as the session and request collections, which might allow remote attackers to modify run-time data values via a crafted parameter to an application that implements an affected interface, as demonstrated by the SessionAware, RequestAware, ApplicationAware, ServletRequestAware, ServletResponseAware, and ParameterAware interfaces. NOTE: the vendor disputes the significance of this report because of an \"easy work-around in existing apps by configuring the interceptor.\"", - "notes": "", - "references": [ - { - "source": "OSSINDEX", - "url": "https://ossindex.sonatype.org/vuln/53dc946d-e590-4bab-909b-80313525e408?component-type=maven&component-name=struts.struts", - "name": "[CVE-2011-5057] Permissions, Privileges, and Access Controls" - } - ], - "vulnerableSoftware": [ - { - "software": { - "id": "cpe:2.3:a:struts:struts:1.2.8:*:*:*:*:*:*:*", - "vulnerabilityIdMatched": "true" - } - } - ] - }, - { - "source": "OSSINDEX", - "name": "CVE-2012-0391", - "severity": "HIGH", - "cvssv2": { - "score": 9.3, - "accessVector": "N", - "accessComplexity": "M", - "authenticationr": "N", - "confidentialImpact": "C", - "integrityImpact": "C", - "availabilityImpact": "C", - "severity": "HIGH" + { + "type": "product", + "confidence": "LOW", + "source": "pom", + "name": "developer id", + "value": "martinc" + }, + { + "type": "product", + "confidence": "LOW", + "source": "pom", + "name": "developer id", + "value": "mrdon" + }, + { + "type": "product", + "confidence": "LOW", + "source": "pom", + "name": "developer id", + "value": "niallp" + }, + { + "type": "product", + "confidence": "LOW", + "source": "pom", + "name": "developer id", + "value": "rleland" + }, + { + "type": "product", + "confidence": "LOW", + "source": "pom", + "name": "developer id", + "value": "sraeburn" + }, 
+ { + "type": "product", + "confidence": "LOW", + "source": "pom", + "name": "developer id", + "value": "turner" + }, + { + "type": "product", + "confidence": "LOW", + "source": "pom", + "name": "developer name", + "value": "Arron Bates" + }, + { + "type": "product", + "confidence": "LOW", + "source": "pom", + "name": "developer name", + "value": "Cedric Dumoulin" + }, + { + "type": "product", + "confidence": "LOW", + "source": "pom", + "name": "developer name", + "value": "Craig R. McClanahan" + }, + { + "type": "product", + "confidence": "LOW", + "source": "pom", + "name": "developer name", + "value": "David Graham" }, - "cwes": [], - "description": "The ExceptionDelegator component in Apache Struts before 2.2.3.1 interprets parameter values as OGNL expressions during certain exception handling for mismatched data types of properties, which allows remote attackers to execute arbitrary Java code via a crafted parameter.", - "notes": "", - "references": [ - { - "source": "OSSINDEX", - "url": "https://ossindex.sonatype.org/vuln/59d508b0-5439-48ce-b68c-884f84d4c6e7?component-type=maven&component-name=struts.struts", - "name": "[CVE-2012-0391] Improper Input Validation" - } - ], - "vulnerableSoftware": [ - { - "software": { - "id": "cpe:2.3:a:struts:struts:1.2.8:*:*:*:*:*:*:*", - "vulnerabilityIdMatched": "true" - } - } - ] - }, - { - "source": "OSSINDEX", - "name": "CVE-2012-0392", - "severity": "HIGH", - "cvssv2": { - "score": 9.3, - "accessVector": "N", - "accessComplexity": "M", - "authenticationr": "N", - "confidentialImpact": "C", - "integrityImpact": "C", - "availabilityImpact": "C", - "severity": "HIGH" + { + "type": "product", + "confidence": "LOW", + "source": "pom", + "name": "developer name", + "value": "David M. 
Karr" }, - "cwes": [], - "description": "The CookieInterceptor component in Apache Struts before 2.3.1.1 does not use the parameter-name whitelist, which allows remote attackers to execute arbitrary commands via a crafted HTTP Cookie header that triggers Java code execution through a static method.", - "notes": "", - "references": [ - { - "source": "OSSINDEX", - "url": "https://ossindex.sonatype.org/vuln/79adf5cc-c0b2-4733-af17-e6379798687d?component-type=maven&component-name=struts.struts", - "name": "[CVE-2012-0392] Permissions, Privileges, and Access Controls" - } - ], - "vulnerableSoftware": [ - { - "software": { - "id": "cpe:2.3:a:struts:struts:1.2.8:*:*:*:*:*:*:*", - "vulnerabilityIdMatched": "true" - } - } - ] - }, - { - "source": "OSSINDEX", - "name": "CVE-2012-0393", - "severity": "MEDIUM", - "cvssv2": { - "score": 6.4, - "accessVector": "N", - "accessComplexity": "L", - "authenticationr": "N", - "confidentialImpact": "N", - "integrityImpact": "P", - "availabilityImpact": "P", - "severity": "MEDIUM" + { + "type": "product", + "confidence": "LOW", + "source": "pom", + "name": "developer name", + "value": "Don Brown" }, - "cwes": [], - "description": "The ParameterInterceptor component in Apache Struts before 2.3.1.1 does not prevent access to public constructors, which allows remote attackers to create or overwrite arbitrary files via a crafted parameter that triggers the creation of a Java object.", - "notes": "", - "references": [ - { - "source": "OSSINDEX", - "url": "https://ossindex.sonatype.org/vuln/6240f443-fddd-477d-b620-86f8c74f773c?component-type=maven&component-name=struts.struts", - "name": "[CVE-2012-0393] Permissions, Privileges, and Access Controls" - } - ], - "vulnerableSoftware": [ - { - "software": { - "id": "cpe:2.3:a:struts:struts:1.2.8:*:*:*:*:*:*:*", - "vulnerabilityIdMatched": "true" - } - } - ] - }, - { - "source": "NVD", - "name": "CVE-2012-0394", - "severity": "MEDIUM", - "cvssv2": { - "score": 6.8, - "accessVector": "NETWORK", - 
"accessComplexity": "MEDIUM", - "authenticationr": "NONE", - "confidentialImpact": "PARTIAL", - "integrityImpact": "PARTIAL", - "availabilityImpact": "PARTIAL", - "severity": "MEDIUM", - "version": "2.0", - "exploitabilityScore": "8.6", - "impactScore": "6.4" + { + "type": "product", + "confidence": "LOW", + "source": "pom", + "name": "developer name", + "value": "Eddie Bush" }, - "cwes": [ - "CWE-94" - ], - "description": "** DISPUTED ** The DebuggingInterceptor component in Apache Struts before 2.3.1.1, when developer mode is used, allows remote attackers to execute arbitrary commands via unspecified vectors. NOTE: the vendor characterizes this behavior as not \"a security vulnerability itself.\"", - "notes": "", - "references": [ - { - "source": "EXPLOIT-DB", - "url": "http://www.exploit-db.com/exploits/18329", - "name": "18329" - }, - { - "source": "BUGTRAQ", - "url": "http://archives.neohapsis.com/archives/bugtraq/2012-01/0031.html", - "name": "20120105 SEC Consult SA-20120104-0 :: Multiple critical vulnerabilities in Apache Struts2" - }, - { - "source": "OSSINDEX", - "url": "https://ossindex.sonatype.org/vuln/27f74926-9c22-4e6e-8677-073e708508d1?component-type=maven&component-name=struts.struts", - "name": "[CVE-2012-0394] Improper Control of Generation of Code (\"Code Injection\")" - }, - { - "source": "MISC", - "url": "http://struts.apache.org/2.x/docs/s2-008.html", - "name": "http://struts.apache.org/2.x/docs/s2-008.html" - }, - { - "source": "EXPLOIT-DB", - "url": "http://www.exploit-db.com/exploits/31434", - "name": "31434" - }, - { - "source": "OSVDB", - "url": "http://www.osvdb.org/78276", - "name": "78276" - }, - { - "source": "MISC", - "url": "https://www.sec-consult.com/files/20120104-0_Apache_Struts2_Multiple_Critical_Vulnerabilities.txt", - "name": "https://www.sec-consult.com/files/20120104-0_Apache_Struts2_Multiple_Critical_Vulnerabilities.txt" - }, - { - "source": "MISC", - "url": "http://struts.apache.org/2.x/docs/version-notes-2311.html", - 
"name": "http://struts.apache.org/2.x/docs/version-notes-2311.html" - } - ], - "vulnerableSoftware": [ - { - "software": { - "id": "cpe:2.3:a:apache:struts:2.1.6:*:*:*:*:*:*:*" - } - }, - { - "software": { - "id": "cpe:2.3:a:apache:struts:2.0.3:*:*:*:*:*:*:*" - } - }, - { - "software": { - "id": "cpe:2.3:a:apache:struts:2.1.3:*:*:*:*:*:*:*" - } - }, - { - "software": { - "id": "cpe:2.3:a:apache:struts:2.0.9:*:*:*:*:*:*:*" - } - }, - { - "software": { - "id": "cpe:2.3:a:apache:struts:2.0.6:*:*:*:*:*:*:*" - } - }, - { - "software": { - "id": "cpe:2.3:a:apache:struts:2.0.11.2:*:*:*:*:*:*:*" - } - }, - { - "software": { - "id": "cpe:2.3:a:apache:struts:2.1.8.1:*:*:*:*:*:*:*" - } - }, - { - "software": { - "id": "cpe:2.3:a:apache:struts:2.0.12:*:*:*:*:*:*:*" - } - }, - { - "software": { - "id": "cpe:2.3:a:apache:struts:2.0.4:*:*:*:*:*:*:*" - } - }, - { - "software": { - "id": "cpe:2.3:a:apache:struts:2.0.11.1:*:*:*:*:*:*:*" - } - }, - { - "software": { - "id": "cpe:2.3:a:apache:struts:2.0.13:*:*:*:*:*:*:*" - } - }, - { - "software": { - "id": "cpe:2.3:a:apache:struts:2.1.0:*:*:*:*:*:*:*" - } - }, - { - "software": { - "id": "cpe:2.3:a:apache:struts:2.0.1:*:*:*:*:*:*:*" - } - }, - { - "software": { - "id": "cpe:2.3:a:apache:struts:2.0.8:*:*:*:*:*:*:*" - } - }, - { - "software": { - "id": "cpe:2.3:a:apache:struts:2.1.8:*:*:*:*:*:*:*" - } - }, - { - "software": { - "id": "cpe:2.3:a:apache:struts:2.2.1.1:*:*:*:*:*:*:*" - } - }, - { - "software": { - "id": "cpe:2.3:a:apache:struts:2.1.1:*:*:*:*:*:*:*" - } - }, - { - "software": { - "id": "cpe:2.3:a:apache:struts:2.0.14:*:*:*:*:*:*:*" - } - }, - { - "software": { - "id": "cpe:2.3:a:apache:struts:2.2.1:*:*:*:*:*:*:*" - } - }, - { - "software": { - "id": "cpe:2.3:a:apache:struts:2.0.5:*:*:*:*:*:*:*" - } - }, - { - "software": { - "id": "cpe:2.3:a:apache:struts:2.0.11:*:*:*:*:*:*:*" - } - }, - { - "software": { - "id": "cpe:2.3:a:apache:struts:2.0.2:*:*:*:*:*:*:*" - } - }, - { - "software": { - "id": 
"cpe:2.3:a:apache:struts:2.1.5:*:*:*:*:*:*:*" - } - }, - { - "software": { - "id": "cpe:2.3:a:apache:struts:2.1.2:*:*:*:*:*:*:*" - } - }, - { - "software": { - "id": "cpe:2.3:a:apache:struts:2.1.4:*:*:*:*:*:*:*" - } - }, - { - "software": { - "id": "cpe:2.3:a:apache:struts:2.0.10:*:*:*:*:*:*:*" - } - }, - { - "software": { - "id": "cpe:2.3:a:apache:struts:2.0.7:*:*:*:*:*:*:*" - } - }, - { - "software": { - "id": "cpe:2.3:a:apache:struts:2.0.0:*:*:*:*:*:*:*" - } - }, - { - "software": { - "id": "cpe:2.3:a:apache:struts:*:*:*:*:*:*:*:*", - "vulnerabilityIdMatched": "true", - "versionEndIncluding": "2.2.3" - } - } - ] - }, - { - "source": "OSSINDEX", - "name": "CVE-2012-0838", - "severity": "HIGH", - "cvssv2": { - "score": 10.0, - "accessVector": "N", - "accessComplexity": "L", - "authenticationr": "N", - "confidentialImpact": "C", - "integrityImpact": "C", - "availabilityImpact": "C", - "severity": "HIGH" + { + "type": "product", + "confidence": "LOW", + "source": "pom", + "name": "developer name", + "value": "James Holmes" + }, + { + "type": "product", + "confidence": "LOW", + "source": "pom", + "name": "developer name", + "value": "James Mitchell" }, - "cwes": [], - "description": "Apache Struts 2 before 2.2.3.1 evaluates a string as an OGNL expression during the handling of a conversion error, which allows remote attackers to modify run-time data values, and consequently execute arbitrary code, via invalid input to a field.", - "notes": "", - "references": [ - { - "source": "OSSINDEX", - "url": "https://ossindex.sonatype.org/vuln/2acafe03-9968-4568-8574-31876a99612f?component-type=maven&component-name=struts.struts", - "name": "[CVE-2012-0838] Improper Input Validation" - } - ], - "vulnerableSoftware": [ - { - "software": { - "id": "cpe:2.3:a:struts:struts:1.2.8:*:*:*:*:*:*:*", - "vulnerabilityIdMatched": "true" - } - } - ] - }, - { - "source": "OSSINDEX", - "name": "CVE-2013-1965", - "severity": "HIGH", - "cvssv2": { - "score": 9.3, - "accessVector": "N", - 
"accessComplexity": "M", - "authenticationr": "N", - "confidentialImpact": "C", - "integrityImpact": "C", - "availabilityImpact": "C", - "severity": "HIGH" + { + "type": "product", + "confidence": "LOW", + "source": "pom", + "name": "developer name", + "value": "James Turner" }, - "cwes": [], - "description": "Apache Struts Showcase App 2.0.0 through 2.3.13, as used in Struts 2 before 2.3.14.1, allows remote attackers to execute arbitrary OGNL code via a crafted parameter name that is not properly handled when invoking a redirect.", - "notes": "", - "references": [ - { - "source": "OSSINDEX", - "url": "https://ossindex.sonatype.org/vuln/7aa02cd2-5370-4f43-b202-d30665527d05?component-type=maven&component-name=struts.struts", - "name": "[CVE-2013-1965] Improper Control of Generation of Code (\"Code Injection\")" - } - ], - "vulnerableSoftware": [ - { - "software": { - "id": "cpe:2.3:a:struts:struts:1.2.8:*:*:*:*:*:*:*", - "vulnerabilityIdMatched": "true" - } - } - ] - }, - { - "source": "OSSINDEX", - "name": "CVE-2013-1966", - "severity": "HIGH", - "cvssv2": { - "score": 9.3, - "accessVector": "N", - "accessComplexity": "M", - "authenticationr": "N", - "confidentialImpact": "C", - "integrityImpact": "C", - "availabilityImpact": "C", - "severity": "HIGH" + { + "type": "product", + "confidence": "LOW", + "source": "pom", + "name": "developer name", + "value": "Joe Germuska" }, - "cwes": [], - "description": "Apache Struts 2 before 2.3.14.1 allows remote attackers to execute arbitrary OGNL code via a crafted request that is not properly handled when using the includeParams attribute in the (1) URL or (2) A tag.", - "notes": "", - "references": [ - { - "source": "OSSINDEX", - "url": "https://ossindex.sonatype.org/vuln/64959e54-560d-4c85-b1ba-bae91251f948?component-type=maven&component-name=struts.struts", - "name": "[CVE-2013-1966] Improper Control of Generation of Code (\"Code Injection\")" - } - ], - "vulnerableSoftware": [ - { - "software": { - "id": 
"cpe:2.3:a:struts:struts:1.2.8:*:*:*:*:*:*:*", - "vulnerabilityIdMatched": "true" - } - } - ] - }, + { + "type": "product", + "confidence": "LOW", + "source": "pom", + "name": "developer name", + "value": "Martin Cooper" + }, + { + "type": "product", + "confidence": "LOW", + "source": "pom", + "name": "developer name", + "value": "Niall Pemberton" + }, + { + "type": "product", + "confidence": "LOW", + "source": "pom", + "name": "developer name", + "value": "Rob Leland" + }, + { + "type": "product", + "confidence": "LOW", + "source": "pom", + "name": "developer name", + "value": "Steve Raeburn" + }, + { + "type": "product", + "confidence": "LOW", + "source": "pom", + "name": "developer name", + "value": "Ted Husted" + }, + { + "type": "product", + "confidence": "HIGHEST", + "source": "pom", + "name": "groupid", + "value": "struts" + }, + { + "type": "product", + "confidence": "HIGH", + "source": "pom", + "name": "name", + "value": "struts" + }, + { + "type": "product", + "confidence": "LOW", + "source": "pom", + "name": "organization name", + "value": "The Apache Software Foundation" + }, + { + "type": "product", + "confidence": "LOW", + "source": "pom", + "name": "organization url", + "value": "http://struts.apache.org/" + }, + { + "type": "product", + "confidence": "MEDIUM", + "source": "pom", + "name": "url", + "value": "http://struts.apache.org/" + } + ], + "versionEvidence": [ + { + "type": "version", + "confidence": "HIGH", + "source": "file", + "name": "version", + "value": "1.2.8" + }, + { + "type": "version", + "confidence": "HIGH", + "source": "Manifest", + "name": "Implementation-Version", + "value": "1.2.8" + }, + { + "type": "version", + "confidence": "HIGHEST", + "source": "pom", + "name": "version", + "value": "1.2.8" + } + ] + }, + "packages": [ + { + "id": "pkg:maven/struts/struts@1.2.8", + "confidence": "HIGH", + "url": 
"https://ossindex.sonatype.org/component/pkg:maven/struts/struts@1.2.8?utm_source=dependency-check&utm_medium=integration&utm_content=8.0.2" + } + ], + "vulnerabilityIds": [ + { + "id": "cpe:2.3:a:apache:struts:1.2.8:*:*:*:*:*:*:*", + "confidence": "HIGHEST", + "url": "https://nvd.nist.gov/vuln/search/results?form_type=Advanced&results_type=overview&search_type=all&cpe_vendor=cpe%3A%2F%3Aapache&cpe_product=cpe%3A%2F%3Aapache%3Astruts&cpe_version=cpe%3A%2F%3Aapache%3Astruts%3A1.2.8" + } + ], + "vulnerabilities": [ { "source": "NVD", - "name": "CVE-2013-2115", + "name": "CVE-2016-1182", "severity": "HIGH", "cvssv2": { - "score": 9.3, + "score": 6.4, "accessVector": "NETWORK", - "accessComplexity": "MEDIUM", + "accessComplexity": "LOW", "authenticationr": "NONE", - "confidentialImpact": "COMPLETE", - "integrityImpact": "COMPLETE", - "availabilityImpact": "COMPLETE", - "severity": "HIGH", + "confidentialImpact": "NONE", + "integrityImpact": "PARTIAL", + "availabilityImpact": "PARTIAL", + "severity": "MEDIUM", "version": "2.0", - "exploitabilityScore": "8.6", - "impactScore": "10.0" + "exploitabilityScore": "10.0", + "impactScore": "4.9" + }, + "cvssv3": { + "baseScore": 8.2, + "attackVector": "NETWORK", + "attackComplexity": "LOW", + "privilegesRequired": "NONE", + "userInteraction": "NONE", + "scope": "UNCHANGED", + "confidentialityImpact": "NONE", + "integrityImpact": "LOW", + "availabilityImpact": "HIGH", + "baseSeverity": "HIGH", + "exploitabilityScore": "3.9", + "impactScore": "4.2", + "version": "3.0" }, "cwes": [ - "CWE-94" + "CWE-20" ], - "description": "Apache Struts 2 before 2.3.14.2 allows remote attackers to execute arbitrary OGNL code via a crafted request that is not properly handled when using the includeParams attribute in the (1) URL or (2) A tag. 
NOTE: this issue is due to an incomplete fix for CVE-2013-1966.", + "description": "ActionServlet.java in Apache Struts 1 1.x through 1.3.10 does not properly restrict the Validator configuration, which allows remote attackers to conduct cross-site scripting (XSS) attacks or cause a denial of service via crafted input, a related issue to CVE-2015-0899.", "notes": "", "references": [ { "source": "OSSINDEX", - "url": "https://ossindex.sonatype.org/vuln/a902e7ce-8d2b-4de9-a3a4-e717c9ebea3e?component-type=maven&component-name=struts.struts", - "name": "[CVE-2013-2115] Improper Control of Generation of Code (\"Code Injection\")" + "url": "https://ossindex.sonatype.org/vulnerability/CVE-2016-1182?component-type=maven&component-name=struts%2Fstruts&utm_source=dependency-check&utm_medium=integration&utm_content=8.0.2", + "name": "[CVE-2016-1182] CWE-20: Improper Input Validation" }, { - "source": "MISC", - "url": "https://bugzilla.redhat.com/show_bug.cgi?id=967656", - "name": "https://bugzilla.redhat.com/show_bug.cgi?id=967656" + "source": "CONFIRM", + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1343540", + "name": "https://bugzilla.redhat.com/show_bug.cgi?id=1343540" }, { - "source": "BID", - "url": "http://www.securityfocus.com/bid/60167", - "name": "60167" + "source": "OSSIndex", + "url": "http://jvn.jp/en/jp/JVN65044642/index.html", + "name": "http://jvn.jp/en/jp/JVN65044642/index.html" }, { "source": "CONFIRM", - "url": "http://struts.apache.org/development/2.x/docs/s2-014.html", - "name": "http://struts.apache.org/development/2.x/docs/s2-014.html" + "url": "http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html", + "name": "http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html" }, { "source": "MISC", - "url": "https://cwiki.apache.org/confluence/display/WW/S2-014", - "name": "https://cwiki.apache.org/confluence/display/WW/S2-014" - } - ], - "vulnerableSoftware": [ + "url": 
"https://www.oracle.com/security-alerts/cpujul2020.html", + "name": "https://www.oracle.com/security-alerts/cpujul2020.html" + }, { - "software": { - "id": "cpe:2.3:a:apache:struts:2.1.6:*:*:*:*:*:*:*" - } + "source": "CONFIRM", + "url": "http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html", + "name": "http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html" }, { - "software": { - "id": "cpe:2.3:a:apache:struts:2.0.3:*:*:*:*:*:*:*" - } + "source": "CONFIRM", + "url": "https://github.com/kawasima/struts1-forever/commit/eda3a79907ed8fcb0387a0496d0cb14332f250e8", + "name": "https://github.com/kawasima/struts1-forever/commit/eda3a79907ed8fcb0387a0496d0cb14332f250e8" }, { - "software": { - "id": "cpe:2.3:a:apache:struts:2.1.3:*:*:*:*:*:*:*" - } + "source": "MISC", + "url": "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html", + "name": "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html" }, { - "software": { - "id": "cpe:2.3:a:apache:struts:2.0.9:*:*:*:*:*:*:*" - } + "source": "BID", + "url": "http://www.securityfocus.com/bid/91787", + "name": "91787" }, { - "software": { - "id": "cpe:2.3:a:apache:struts:2.3.12:*:*:*:*:*:*:*" - } + "source": "OSSIndex", + "url": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-1182", + "name": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-1182" }, { - "software": { - "id": "cpe:2.3:a:apache:struts:2.0.6:*:*:*:*:*:*:*" - } + "source": "JVN", + "url": "http://jvn.jp/en/jp/JVN65044642/index.html", + "name": "JVN#65044642" }, { - "software": { - "id": "cpe:2.3:a:apache:struts:2.3.1.2:*:*:*:*:*:*:*" - } + "source": "JVNDB", + "url": "http://jvndb.jvn.jp/jvndb/JVNDB-2016-000097", + "name": "JVNDB-2016-000097" + }, + { + "source": "CONFIRM", + "url": "https://security.netapp.com/advisory/ntap-20180629-0006/", + "name": "https://security.netapp.com/advisory/ntap-20180629-0006/" + }, + { + "source": "OSSIndex", + "url": 
"https://security-tracker.debian.org/tracker/CVE-2016-1182", + "name": "https://security-tracker.debian.org/tracker/CVE-2016-1182" }, { - "software": { - "id": "cpe:2.3:a:apache:struts:2.0.11.2:*:*:*:*:*:*:*" - } + "source": "CONFIRM", + "url": "http://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html", + "name": "http://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html" }, { - "software": { - "id": "cpe:2.3:a:apache:struts:2.1.8.1:*:*:*:*:*:*:*" - } + "source": "BID", + "url": "http://www.securityfocus.com/bid/91067", + "name": "91067" }, { - "software": { - "id": "cpe:2.3:a:apache:struts:2.3.7:*:*:*:*:*:*:*" - } + "source": "MISC", + "url": "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html", + "name": "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html" }, { - "software": { - "id": "cpe:2.3:a:apache:struts:2.0.12:*:*:*:*:*:*:*" - } + "source": "SECTRACK", + "url": "http://www.securitytracker.com/id/1036056", + "name": "1036056" }, { - "software": { - "id": "cpe:2.3:a:apache:struts:2.0.4:*:*:*:*:*:*:*" - } + "source": "CONFIRM", + "url": "https://security-tracker.debian.org/tracker/CVE-2016-1182", + "name": "https://security-tracker.debian.org/tracker/CVE-2016-1182" }, { - "software": { - "id": "cpe:2.3:a:apache:struts:2.0.11.1:*:*:*:*:*:*:*" - } + "source": "CONFIRM", + "url": "http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html", + "name": "http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html" }, { - "software": { - "id": "cpe:2.3:a:apache:struts:2.0.13:*:*:*:*:*:*:*" - } + "source": "CONFIRM", + "url": "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html", + "name": "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html" }, { - "software": { - "id": "cpe:2.3:a:apache:struts:2.2.3:*:*:*:*:*:*:*" - } + "source": "CONFIRM", + "url": 
"http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html", + "name": "http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html" }, { - "software": { - "id": "cpe:2.3:a:apache:struts:2.1.0:*:*:*:*:*:*:*" - } + "source": "CONFIRM", + "url": "https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html", + "name": "https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html" }, { - "software": { - "id": "cpe:2.3:a:apache:struts:2.3.14:*:*:*:*:*:*:*" - } - }, + "source": "MISC", + "url": "https://www.oracle.com/security-alerts/cpujan2020.html", + "name": "https://www.oracle.com/security-alerts/cpujan2020.html" + } + ], + "vulnerableSoftware": [ { "software": { - "id": "cpe:2.3:a:apache:struts:2.3.1.1:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:apache:struts:1.0:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:apache:struts:2.3.4.1:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:apache:struts:1.0:beta1:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:apache:struts:2.0.1:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:apache:struts:1.0:beta2:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:apache:struts:2.0.8:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:apache:struts:1.0:beta3:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:apache:struts:2.1.8:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:apache:struts:1.0.1:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:apache:struts:2.2.1.1:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:apache:struts:1.0.2:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:apache:struts:2.2.3.1:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:apache:struts:1.1:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:apache:struts:2.3.8:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:apache:struts:1.1:b1:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:apache:struts:2.1.1:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:apache:struts:1.1:b2:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:apache:struts:2.3.4:*:*:*:*:*:*:*" + "id": 
"cpe:2.3:a:apache:struts:1.1:b3:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:apache:struts:2.0.14:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:apache:struts:1.1:rc1:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:apache:struts:2.3.1:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:apache:struts:1.1:rc2:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:apache:struts:2.2.1:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:apache:struts:1.2.0:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:apache:struts:2.0.5:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:apache:struts:1.2.1:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:apache:struts:2.0.11:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:apache:struts:1.2.2:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:apache:struts:2.0.2:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:apache:struts:1.2.3:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:apache:struts:2.1.5:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:apache:struts:1.2.4:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:apache:struts:2.1.2:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:apache:struts:1.2.5:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:apache:struts:*:*:*:*:*:*:*:*", - "vulnerabilityIdMatched": "true", - "versionEndIncluding": "2.3.14.1" + "id": "cpe:2.3:a:apache:struts:1.2.6:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:apache:struts:2.1.4:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:apache:struts:1.2.7:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:apache:struts:2.0.10:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:apache:struts:1.2.8:*:*:*:*:*:*:*", + "vulnerabilityIdMatched": "true" } }, { "software": { - "id": "cpe:2.3:a:apache:struts:2.0.7:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:apache:struts:1.2.9:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:apache:struts:2.0.0:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:apache:struts:1.3.5:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:apache:struts:2.3.3:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:apache:struts:1.3.6:*:*:*:*:*:*:*" } - } - ] - }, - { - "source": 
"OSSINDEX", - "name": "CVE-2013-2134", - "severity": "HIGH", - "cvssv2": { - "score": 9.3, - "accessVector": "N", - "accessComplexity": "M", - "authenticationr": "N", - "confidentialImpact": "C", - "integrityImpact": "C", - "availabilityImpact": "C", - "severity": "HIGH" - }, - "cwes": [], - "description": "Apache Struts 2 before 2.3.14.3 allows remote attackers to execute arbitrary OGNL code via a request with a crafted action name that is not properly handled during wildcard matching, a different vulnerability than CVE-2013-2135.", - "notes": "", - "references": [ - { - "source": "OSSINDEX", - "url": "https://ossindex.sonatype.org/vuln/5caecd83-b961-48ca-b29e-f39b8f302d08?component-type=maven&component-name=struts.struts", - "name": "[CVE-2013-2134] Improper Control of Generation of Code (\"Code Injection\")" - } - ], - "vulnerableSoftware": [ + }, { "software": { - "id": "cpe:2.3:a:struts:struts:1.2.8:*:*:*:*:*:*:*", - "vulnerabilityIdMatched": "true" + "id": "cpe:2.3:a:apache:struts:1.3.7:*:*:*:*:*:*:*" } - } - ] - }, - { - "source": "OSSINDEX", - "name": "CVE-2013-2135", - "severity": "HIGH", - "cvssv2": { - "score": 9.3, - "accessVector": "N", - "accessComplexity": "M", - "authenticationr": "N", - "confidentialImpact": "C", - "integrityImpact": "C", - "availabilityImpact": "C", - "severity": "HIGH" - }, - "cwes": [], - "description": "Apache Struts 2 before 2.3.14.3 allows remote attackers to execute arbitrary OGNL code via a request with a crafted value that contains both \"${}\" and \"%{}\" sequences, which causes the OGNL code to be evaluated twice.", - "notes": "", - "references": [ - { - "source": "OSSINDEX", - "url": "https://ossindex.sonatype.org/vuln/35c24ffb-ba83-44a8-95a7-008281c53ec9?component-type=maven&component-name=struts.struts", - "name": "[CVE-2013-2135] Improper Control of Generation of Code (\"Code Injection\")" - } - ], - "vulnerableSoftware": [ + }, { "software": { - "id": "cpe:2.3:a:struts:struts:1.2.8:*:*:*:*:*:*:*", - 
"vulnerabilityIdMatched": "true" + "id": "cpe:2.3:a:apache:struts:1.3.8:*:*:*:*:*:*:*" } - } - ] - }, - { - "source": "OSSINDEX", - "name": "CVE-2014-0094", - "severity": "MEDIUM", - "cvssv2": { - "score": 5.0, - "accessVector": "N", - "accessComplexity": "L", - "authenticationr": "N", - "confidentialImpact": "N", - "integrityImpact": "P", - "availabilityImpact": "N", - "severity": "MEDIUM" - }, - "cwes": [], - "description": "The ParametersInterceptor in Apache Struts before 2.3.16.1 allows remote attackers to \"manipulate\" the ClassLoader via the class parameter, which is passed to the getClass method.", - "notes": "", - "references": [ - { - "source": "OSSINDEX", - "url": "https://ossindex.sonatype.org/vuln/46502110-4592-408e-836b-331e9ee41e6b?component-type=maven&component-name=struts.struts", - "name": "[CVE-2014-0094] The ParametersInterceptor in Apache Struts before 2.3.16.1 allows remote attacke..." - } - ], - "vulnerableSoftware": [ + }, { "software": { - "id": "cpe:2.3:a:struts:struts:1.2.8:*:*:*:*:*:*:*", - "vulnerabilityIdMatched": "true" + "id": "cpe:2.3:a:apache:struts:1.3.9:*:*:*:*:*:*:*" } - } - ] - }, - { - "source": "OSSINDEX", - "name": "CVE-2014-0113", - "severity": "HIGH", - "cvssv2": { - "score": 7.5, - "accessVector": "N", - "accessComplexity": "L", - "authenticationr": "N", - "confidentialImpact": "P", - "integrityImpact": "P", - "availabilityImpact": "P", - "severity": "HIGH" - }, - "cwes": [], - "description": "CookieInterceptor in Apache Struts before 2.3.16.2, when a wildcard cookiesName value is used, does not properly restrict access to the getClass method, which allows remote attackers to \"manipulate\" the ClassLoader and execute arbitrary code via a crafted request. 
NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-0094.", - "notes": "", - "references": [ - { - "source": "OSSINDEX", - "url": "https://ossindex.sonatype.org/vuln/ff890408-a4b8-4e3f-a892-ee7e72b2c8e3?component-type=maven&component-name=struts.struts", - "name": "[CVE-2014-0113] Permissions, Privileges, and Access Controls" - } - ], - "vulnerableSoftware": [ + }, { "software": { - "id": "cpe:2.3:a:struts:struts:1.2.8:*:*:*:*:*:*:*", - "vulnerabilityIdMatched": "true" + "id": "cpe:2.3:a:apache:struts:1.3.10:*:*:*:*:*:*:*" } } ] }, { "source": "NVD", - "name": "CVE-2014-0114", + "name": "CVE-2016-1181", "severity": "HIGH", "cvssv2": { - "score": 7.5, + "score": 6.8, "accessVector": "NETWORK", - "accessComplexity": "LOW", + "accessComplexity": "MEDIUM", "authenticationr": "NONE", "confidentialImpact": "PARTIAL", "integrityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", - "severity": "HIGH", + "severity": "MEDIUM", "version": "2.0", - "exploitabilityScore": "10.0", + "exploitabilityScore": "8.6", "impactScore": "6.4" }, + "cvssv3": { + "baseScore": 8.1, + "attackVector": "NETWORK", + "attackComplexity": "HIGH", + "privilegesRequired": "NONE", + "userInteraction": "NONE", + "scope": "UNCHANGED", + "confidentialityImpact": "HIGH", + "integrityImpact": "HIGH", + "availabilityImpact": "HIGH", + "baseSeverity": "HIGH", + "exploitabilityScore": "2.2", + "impactScore": "5.9", + "version": "3.0" + }, "cwes": [ - "CWE-20" + "NVD-CWE-noinfo" ], - "description": "Apache Commons BeanUtils, as distributed in lib/commons-beanutils-1.8.0.jar in Apache Struts 1.x through 1.3.10 and in other products requiring commons-beanutils through 1.9.2, does not suppress the class property, which allows remote attackers to \"manipulate\" the ClassLoader and execute arbitrary code via the class parameter, as demonstrated by the passing of this parameter to the getClass method of the ActionForm object in Struts 1.", + "description": "ActionServlet.java in Apache Struts 
1 1.x through 1.3.10 mishandles multithreaded access to an ActionForm instance, which allows remote attackers to execute arbitrary code or cause a denial of service (unexpected memory access) via a multipart request, a related issue to CVE-2015-0899.", "notes": "", "references": [ { - "source": "MISC", - "url": "https://lists.apache.org/thread.html/65b39fa6d700e511927e5668a4038127432178a210aff81500eb36e5@%3Cissues.commons.apache.org%3E", - "name": "https://lists.apache.org/thread.html/65b39fa6d700e511927e5668a4038127432178a210aff81500eb36e5@%3Cissues.commons.apache.org%3E" + "source": "CONFIRM", + "url": "http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html", + "name": "http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html" }, { - "source": "MLIST", - "url": "http://apache-ignite-developers.2346864.n4.nabble.com/CVE-2014-0114-Apache-Ignite-is-vulnerable-to-existing-CVE-2014-0114-td31205.html", - "name": "[apache-ignite-developers] 20180601 [CVE-2014-0114]: Apache Ignite is vulnerable to existing CVE-2014-0114" + "source": "OSSINDEX", + "url": "https://ossindex.sonatype.org/vulnerability/CVE-2016-1181?component-type=maven&component-name=struts%2Fstruts&utm_source=dependency-check&utm_medium=integration&utm_content=8.0.2", + "name": "[CVE-2016-1181] CWE-94: Improper Control of Generation of Code ('Code Injection')" }, { - "source": "CONFIRM", - "url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05324755", - "name": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05324755" + "source": "MISC", + "url": "https://www.oracle.com/security-alerts/cpujul2020.html", + "name": "https://www.oracle.com/security-alerts/cpujul2020.html" }, { - "source": "MLIST", - "url": "https://lists.apache.org/thread.html/31f9dc2c9cb68e390634a4202f84b8569f64b6569bfcce46348fd9fd@%3Ccommits.commons.apache.org%3E", - "name": "[commons-commits] 20190528 [commons-beanutils] branch 
master updated: BEANUTILS-520: Mitigate CVE-2014-0114 by enabling SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS by default. (#7)" + "source": "CONFIRM", + "url": "http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html", + "name": "http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html" }, { "source": "CONFIRM", - "url": "http://advisories.mageia.org/MGASA-2014-0219.html", - "name": "http://advisories.mageia.org/MGASA-2014-0219.html" + "url": "http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html", + "name": "http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html" }, { - "source": "MLIST", - "url": "https://lists.apache.org/thread.html/8e2bdfabd5b14836aa3cf900aa0a62ff9f4e22a518bb4e553ebcf55f@%3Cissues.commons.apache.org%3E", - "name": "[commons-issues] 20190522 [jira] [Commented] (BEANUTILS-520) BeanUtils2 mitigate CVE-2014-0114" + "source": "OSSIndex", + "url": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-1181", + "name": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-1181" }, { - "source": "MLIST", - "url": "https://lists.apache.org/thread.html/098e9aae118ac5c06998a9ba4544ab2475162981d290fdef88e6f883@%3Cissues.commons.apache.org%3E", - "name": "[commons-issues] 20190528 [jira] [Closed] (BEANUTILS-520) BeanUtils2 mitigate CVE-2014-0114" + "source": "MISC", + "url": "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html", + "name": "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html" }, { - "source": "GENTOO", - "url": "https://security.gentoo.org/glsa/201607-09", - "name": "GLSA-201607-09" + "source": "BID", + "url": "http://www.securityfocus.com/bid/91068", + "name": "91068" }, { - "source": "MLIST", - "url": "https://lists.apache.org/thread.html/0efed939139f5b9dcd62b8acf7cb8a9789227d14abdc0c6f141c4a4c@%3Cissues.activemq.apache.org%3E", - "name": "[activemq-issues] 20190909 [jira] [Work logged] 
(ARTEMIS-2470) Update Apache BeanUtils to Address CVE-2014-0114" + "source": "CONFIRM", + "url": "https://security.netapp.com/advisory/ntap-20180629-0006/", + "name": "https://security.netapp.com/advisory/ntap-20180629-0006/" + }, + { + "source": "CONFIRM", + "url": "http://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html", + "name": "http://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html" }, { - "source": "SECUNIA", - "url": "http://secunia.com/advisories/59430", - "name": "59430" + "source": "MISC", + "url": "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html", + "name": "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html" }, { "source": "CONFIRM", - "url": "http://www-01.ibm.com/support/docview.wss?uid=swg21675972", - "name": "http://www-01.ibm.com/support/docview.wss?uid=swg21675972" + "url": "http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html", + "name": "http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html" }, { - "source": "FEDORA", - "url": "http://lists.fedoraproject.org/pipermail/package-announce/2014-August/136958.html", - "name": "FEDORA-2014-9380" + "source": "OSSIndex", + "url": "http://jvn.jp/en/jp/JVN03188560/index.html", + "name": "http://jvn.jp/en/jp/JVN03188560/index.html" }, { - "source": "SECUNIA", - "url": "http://secunia.com/advisories/59245", - "name": "59245" + "source": "CONFIRM", + "url": "https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html", + "name": "https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html" }, { "source": "CONFIRM", - "url": "http://www-01.ibm.com/support/docview.wss?uid=swg21676110", - "name": "http://www-01.ibm.com/support/docview.wss?uid=swg21676110" + "url": "https://security-tracker.debian.org/tracker/CVE-2016-1181", + "name": "https://security-tracker.debian.org/tracker/CVE-2016-1181" }, { - "source": "MLIST", - "url": 
"https://lists.apache.org/thread.html/d27c51b3c933f885460aa6d3004eb228916615caaaddbb8e8bfeeb40@%3Cgitbox.activemq.apache.org%3E", - "name": "[activemq-gitbox] 20190903 [GitHub] [activemq-artemis] jeloba opened a new pull request #2820: Updated Apache BeanUtils to address CVE" + "source": "JVN", + "url": "http://jvn.jp/en/jp/JVN03188560/index.html", + "name": "JVN#03188560" }, { - "source": "DEBIAN", - "url": "http://www.debian.org/security/2014/dsa-2940", - "name": "DSA-2940" + "source": "MISC", + "url": "https://www.oracle.com/security-alerts/cpujan2020.html", + "name": "https://www.oracle.com/security-alerts/cpujan2020.html" }, { - "source": "CONFIRM", - "url": "https://access.redhat.com/solutions/869353", - "name": "https://access.redhat.com/solutions/869353" + "source": "OSSIndex", + "url": "https://security-tracker.debian.org/tracker/CVE-2016-1181", + "name": "https://security-tracker.debian.org/tracker/CVE-2016-1181" }, { "source": "CONFIRM", - "url": "http://www-01.ibm.com/support/docview.wss?uid=swg21674812", - "name": "http://www-01.ibm.com/support/docview.wss?uid=swg21674812" - }, - { - "source": "MLIST", - "url": "https://lists.apache.org/thread.html/1565e8b786dff4cb3b48ecc8381222c462c92076c9e41408158797b5@%3Ccommits.commons.apache.org%3E", - "name": "[commons-commits] 20190906 [commons-configuration] branch master updated: [CONFIGURATION-755][CVE-2014-0114] Update Apache Commons BeanUtils from 1.9.3 to 1.9.4." 
+ "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1343538", + "name": "https://bugzilla.redhat.com/show_bug.cgi?id=1343538" }, { "source": "CONFIRM", - "url": "http://www-01.ibm.com/support/docview.wss?uid=swg21674128", - "name": "http://www-01.ibm.com/support/docview.wss?uid=swg21674128" + "url": "https://github.com/kawasima/struts1-forever/commit/eda3a79907ed8fcb0387a0496d0cb14332f250e8", + "name": "https://github.com/kawasima/struts1-forever/commit/eda3a79907ed8fcb0387a0496d0cb14332f250e8" }, { - "source": "MLIST", - "url": "https://lists.apache.org/thread.html/df093c662b5e49fe9e38ef91f78ffab09d0839dea7df69a747dffa86@%3Cdev.commons.apache.org%3E", - "name": "[commons-dev] 20190605 Re: [beanutils] Towards 1.10" + "source": "JVNDB", + "url": "http://jvndb.jvn.jp/jvndb/JVNDB-2016-000096", + "name": "JVNDB-2016-000096" }, { - "source": "CONFIRM", - "url": "http://www-01.ibm.com/support/docview.wss?uid=swg27042296", - "name": "http://www-01.ibm.com/support/docview.wss?uid=swg27042296" + "source": "BID", + "url": "http://www.securityfocus.com/bid/91787", + "name": "91787" }, { - "source": "CONFIRM", - "url": "http://www-01.ibm.com/support/docview.wss?uid=swg21675387", - "name": "http://www-01.ibm.com/support/docview.wss?uid=swg21675387" + "source": "SECTRACK", + "url": "http://www.securitytracker.com/id/1036056", + "name": "1036056" }, { "source": "CONFIRM", - "url": "http://www-01.ibm.com/support/docview.wss?uid=swg21675266", - "name": "http://www-01.ibm.com/support/docview.wss?uid=swg21675266" - }, - { - "source": "SECUNIA", - "url": "http://secunia.com/advisories/59704", - "name": "59704" + "url": "http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html", + "name": "http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html" }, { "source": "CONFIRM", - "url": "http://www-01.ibm.com/support/docview.wss?uid=swg21676303", - "name": "http://www-01.ibm.com/support/docview.wss?uid=swg21676303" + "url": 
"http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html", + "name": "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html" + } + ], + "vulnerableSoftware": [ + { + "software": { + "id": "cpe:2.3:a:apache:struts:1.0:*:*:*:*:*:*:*" + } }, { - "source": "MISC", - "url": "https://lists.apache.org/thread.html/2ba22f2e3de945039db735cf6cbf7f8be901ab2537337c7b1dd6a0f0@%3Cissues.commons.apache.org%3E", - "name": "https://lists.apache.org/thread.html/2ba22f2e3de945039db735cf6cbf7f8be901ab2537337c7b1dd6a0f0@%3Cissues.commons.apache.org%3E" + "software": { + "id": "cpe:2.3:a:apache:struts:1.0:beta1:*:*:*:*:*:*" + } }, { - "source": "MLIST", - "url": "https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442@%3Cdev.drill.apache.org%3E", - "name": "[drill-dev] 20191017 Dependencies used by Drill contain known vulnerabilities" + "software": { + "id": "cpe:2.3:a:apache:struts:1.0:beta2:*:*:*:*:*:*" + } }, { - "source": "MLIST", - "url": "https://lists.apache.org/thread.html/66176fa3caeca77058d9f5b0316419a43b4c3fa2b572e05b87132226@%3Cissues.commons.apache.org%3E", - "name": "[commons-issues] 20191014 [jira] [Updated] (BEANUTILS-520) Mitigate CVE-2014-0114" + "software": { + "id": "cpe:2.3:a:apache:struts:1.0:beta3:*:*:*:*:*:*" + } }, { - "source": "SECUNIA", - "url": "http://secunia.com/advisories/59480", - "name": "59480" + "software": { + "id": "cpe:2.3:a:apache:struts:1.0.1:*:*:*:*:*:*:*" + } }, { - "source": "CONFIRM", - "url": "https://issues.apache.org/jira/browse/BEANUTILS-463", - "name": "https://issues.apache.org/jira/browse/BEANUTILS-463" + "software": { + "id": "cpe:2.3:a:apache:struts:1.0.2:*:*:*:*:*:*:*" + } }, { - "source": "MISC", - "url": "https://lists.apache.org/thread.html/9b5505632f5683ee17bda4f7878525e672226c7807d57709283ffa64@%3Cissues.commons.apache.org%3E", - "name": 
"https://lists.apache.org/thread.html/9b5505632f5683ee17bda4f7878525e672226c7807d57709283ffa64@%3Cissues.commons.apache.org%3E" + "software": { + "id": "cpe:2.3:a:apache:struts:1.1:*:*:*:*:*:*:*" + } }, { - "source": "MLIST", - "url": "https://lists.apache.org/thread.html/c70da3cb6e3f03e0ad8013e38b6959419d866c4a7c80fdd34b73f25c@%3Ccommits.pulsar.apache.org%3E", - "name": "[pulsar-commits] 20190329 [GitHub] [pulsar] massakam opened a new pull request #3938: Upgrade third party libraries with security vulnerabilities" + "software": { + "id": "cpe:2.3:a:apache:struts:1.1:b1:*:*:*:*:*:*" + } }, { - "source": "MLIST", - "url": "https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3Cdev.drill.apache.org%3E", - "name": "[drill-dev] 20191021 [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities" + "software": { + "id": "cpe:2.3:a:apache:struts:1.1:b2:*:*:*:*:*:*" + } }, { - "source": "SECUNIA", - "url": "http://secunia.com/advisories/59479", - "name": "59479" + "software": { + "id": "cpe:2.3:a:apache:struts:1.1:b3:*:*:*:*:*:*" + } }, { - "source": "HP", - "url": "http://marc.info/?l=bugtraq&m=141451023707502&w=2", - "name": "HPSBST03160" + "software": { + "id": "cpe:2.3:a:apache:struts:1.1:rc1:*:*:*:*:*:*" + } }, { - "source": "CONFIRM", - "url": "http://www-01.ibm.com/support/docview.wss?uid=swg21676375", - "name": "http://www-01.ibm.com/support/docview.wss?uid=swg21676375" + "software": { + "id": "cpe:2.3:a:apache:struts:1.1:rc2:*:*:*:*:*:*" + } }, { - "source": "MLIST", - "url": "https://lists.apache.org/thread.html/0a35108a56e2d575e3b3985588794e39fbf264097aba66f4c5569e4f@%3Cuser.commons.apache.org%3E", - "name": "[commons-user] 20190814 [SECURITY] CVE-2019-10086. Apache Commons Beanutils does not suppresses the class property in PropertyUtilsBean by default." 
+ "software": { + "id": "cpe:2.3:a:apache:struts:1.2.0:*:*:*:*:*:*:*" + } }, { - "source": "CONFIRM", - "url": "http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html", - "name": "http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html" + "software": { + "id": "cpe:2.3:a:apache:struts:1.2.1:*:*:*:*:*:*:*" + } }, { - "source": "MLIST", - "url": "https://lists.apache.org/thread.html/88c497eead24ed517a2bb3159d3dc48725c215e97fe7a98b2cf3ea25@%3Cdev.commons.apache.org%3E", - "name": "[commons-dev] 20190814 [SECURITY] CVE-2019-10086. Apache Commons Beanutils does not suppresses the class property in PropertyUtilsBean by default." + "software": { + "id": "cpe:2.3:a:apache:struts:1.2.2:*:*:*:*:*:*:*" + } }, { - "source": "HP", - "url": "http://marc.info/?l=bugtraq&m=140801096002766&w=2", - "name": "HPSBMU03090" + "software": { + "id": "cpe:2.3:a:apache:struts:1.2.3:*:*:*:*:*:*:*" + } }, { - "source": "SECUNIA", - "url": "http://secunia.com/advisories/59228", - "name": "59228" + "software": { + "id": "cpe:2.3:a:apache:struts:1.2.4:*:*:*:*:*:*:*" + } }, { - "source": "MISC", - "url": "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html", - "name": "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html" + "software": { + "id": "cpe:2.3:a:apache:struts:1.2.5:*:*:*:*:*:*:*" + } }, { - "source": "CONFIRM", - "url": "http://www-01.ibm.com/support/docview.wss?uid=swg21675898", - "name": "http://www-01.ibm.com/support/docview.wss?uid=swg21675898" + "software": { + "id": "cpe:2.3:a:apache:struts:1.2.6:*:*:*:*:*:*:*" + } }, { - "source": "MISC", - "url": "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html", - "name": "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html" + "software": { + "id": "cpe:2.3:a:apache:struts:1.2.7:*:*:*:*:*:*:*" + } }, { - "source": "SECUNIA", - "url": "http://secunia.com/advisories/59246", - "name": "59246" + 
"software": { + "id": "cpe:2.3:a:apache:struts:1.2.8:*:*:*:*:*:*:*", + "vulnerabilityIdMatched": "true" + } }, { - "source": "CONFIRM", - "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1091938", - "name": "https://bugzilla.redhat.com/show_bug.cgi?id=1091938" + "software": { + "id": "cpe:2.3:a:apache:struts:1.2.9:*:*:*:*:*:*:*" + } }, { - "source": "MLIST", - "url": "http://openwall.com/lists/oss-security/2014/07/08/1", - "name": "[oss-security] 20140707 Re: CVE request for commons-beanutils: 'class' property is exposed, potentially leading to RCE" + "software": { + "id": "cpe:2.3:a:apache:struts:1.3.5:*:*:*:*:*:*:*" + } }, { - "source": "MISC", - "url": "https://lists.apache.org/thread.html/6afe2f935493e69a332b9c5a4f23cafe95c15ede1591a492cf612293@%3Cissues.commons.apache.org%3E", - "name": "https://lists.apache.org/thread.html/6afe2f935493e69a332b9c5a4f23cafe95c15ede1591a492cf612293@%3Cissues.commons.apache.org%3E" + "software": { + "id": "cpe:2.3:a:apache:struts:1.3.6:*:*:*:*:*:*:*" + } }, { - "source": "CONFIRM", - "url": "https://security.netapp.com/advisory/ntap-20140911-0001/", - "name": "https://security.netapp.com/advisory/ntap-20140911-0001/" + "software": { + "id": "cpe:2.3:a:apache:struts:1.3.7:*:*:*:*:*:*:*" + } }, { - "source": "SECUNIA", - "url": "http://secunia.com/advisories/58851", - "name": "58851" + "software": { + "id": "cpe:2.3:a:apache:struts:1.3.8:*:*:*:*:*:*:*" + } }, { - "source": "SECUNIA", - "url": "http://secunia.com/advisories/59718", - "name": "59718" + "software": { + "id": "cpe:2.3:a:apache:struts:1.3.9:*:*:*:*:*:*:*" + } }, { - "source": "CONFIRM", - "url": "http://www.oracle.com/technetwork/topics/security/cpuoct2014-1972960.html", - "name": "http://www.oracle.com/technetwork/topics/security/cpuoct2014-1972960.html" + "software": { + "id": "cpe:2.3:a:apache:struts:1.3.10:*:*:*:*:*:*:*" + } }, { - "source": "CONFIRM", - "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1116665", - "name": 
"https://bugzilla.redhat.com/show_bug.cgi?id=1116665" + "software": { + "id": "cpe:2.3:a:oracle:banking_platform:2.3.0:*:*:*:*:*:*:*" + } }, { - "source": "MLIST", - "url": "https://lists.apache.org/thread.html/0340493a1ddf3660dee09a5c503449cdac5bec48cdc478de65858859@%3Cdev.commons.apache.org%3E", - "name": "[commons-dev] 20190525 Re: [beanutils2] CVE-2014-0114 Pull Request" + "software": { + "id": "cpe:2.3:a:oracle:banking_platform:2.4.0:*:*:*:*:*:*:*" + } }, { - "source": "MLIST", - "url": "https://lists.apache.org/thread.html/c24c0b931632a397142882ba248b7bd440027960f22845c6f664c639@%3Ccommits.commons.apache.org%3E", - "name": "[commons-commits] 20190528 [commons-beanutils] branch master updated: [BEANUTILS-520] BeanUtils2 mitigate CVE-2014-0114." + "software": { + "id": "cpe:2.3:a:oracle:banking_platform:2.4.1:*:*:*:*:*:*:*" + } }, { - "source": "MISC", - "url": "https://lists.apache.org/thread.html/084ae814e69178d2ce174cfdf149bc6e46d7524f3308c08d3adb43cb@%3Cissues.commons.apache.org%3E", - "name": "https://lists.apache.org/thread.html/084ae814e69178d2ce174cfdf149bc6e46d7524f3308c08d3adb43cb@%3Cissues.commons.apache.org%3E" + "software": { + "id": "cpe:2.3:a:oracle:banking_platform:2.5.0:*:*:*:*:*:*:*" + } }, { - "source": "MLIST", - "url": "https://lists.apache.org/thread.html/ebc4f019798f6ce2a39f3e0c26a9068563a9ba092cdf3ece398d4e2f@%3Cnotifications.commons.apache.org%3E", - "name": "[commons-notifications] 20190528 Build failed in Jenkins: commons-beanutils #75" - }, + "software": { + "id": "cpe:2.3:a:oracle:portal:11.1.1.6:*:*:*:*:*:*:*" + } + } + ] + }, + { + "source": "NVD", + "name": "CVE-2006-1547", + "knownExploitedVulnerability": { + "VendorProject": "Apache", + "Product": "Struts 1", + "Name": "Apache Struts 1 ActionForm Denial-of-Service Vulnerability", + "DateAdded": "2022-01-21", + "Description": "ActionForm in Apache Struts versions before 1.2.9 with BeanUtils 1.7 contains a vulnerability which allows for denial-of-service.", + "RequiredAction": 
"Apply updates per vendor instructions.", + "DueDate": "2022-07-21", + "Notes": "" + }, + "severity": "HIGH", + "cvssv2": { + "score": 7.8, + "accessVector": "NETWORK", + "accessComplexity": "LOW", + "authenticationr": "NONE", + "confidentialImpact": "NONE", + "integrityImpact": "NONE", + "availabilityImpact": "COMPLETE", + "severity": "HIGH", + "version": "2.0", + "exploitabilityScore": "10.0", + "impactScore": "6.9" + }, + "cwes": [ + "NVD-CWE-Other" + ], + "description": "ActionForm in Apache Software Foundation (ASF) Struts before 1.2.9 with BeanUtils 1.7 allows remote attackers to cause a denial of service via a multipart/form-data encoded form with a parameter name that references the public getMultipartRequestHandler method, which provides further access to elements in the CommonsMultipartRequestHandler implementation and BeanUtils.", + "notes": "", + "references": [ { "source": "CONFIRM", - "url": "http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html", - "name": "http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html" + "url": "http://struts.apache.org/struts-doc-1.2.9/userGuide/release-notes.html", + "name": "http://struts.apache.org/struts-doc-1.2.9/userGuide/release-notes.html" }, { - "source": "MISC", - "url": "https://lists.apache.org/thread.html/09981ae3df188a2ad1ce20f62ef76a5b2d27cf6b9ebab366cf1d6cc6@%3Cissues.commons.apache.org%3E", - "name": "https://lists.apache.org/thread.html/09981ae3df188a2ad1ce20f62ef76a5b2d27cf6b9ebab366cf1d6cc6@%3Cissues.commons.apache.org%3E" + "source": "VUPEN", + "url": "http://www.vupen.com/english/advisories/2006/1205", + "name": "ADV-2006-1205" }, { - "source": "MLIST", - "url": "https://lists.apache.org/thread.html/r75d67108e557bb5d4c4318435067714a0180de525314b7e8dab9d04e@%3Cissues.activemq.apache.org%3E", - "name": "[activemq-issues] 20200109 [jira] [Resolved] (ARTEMIS-2470) Update Apache BeanUtils to Address CVE-2014-0114" + "source": "OSSIndex", + "url": 
"http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2006-1547", + "name": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2006-1547" }, { - "source": "CONFIRM", - "url": "http://www-01.ibm.com/support/docview.wss?uid=swg21677110", - "name": "http://www-01.ibm.com/support/docview.wss?uid=swg21677110" + "source": "SECUNIA", + "url": "http://secunia.com/advisories/20117", + "name": "20117" }, { - "source": "HP", - "url": "http://marc.info/?l=bugtraq&m=140119284401582&w=2", - "name": "HPSBGN03041" + "source": "SUSE", + "url": "http://lists.suse.com/archive/suse-security-announce/2006-May/0004.html", + "name": "SUSE-SR:2006:010" }, { - "source": "FULLDISC", - "url": "http://seclists.org/fulldisclosure/2014/Dec/23", - "name": "20141205 NEW: VMSA-2014-0012 - VMware vSphere product updates address security vulnerabilities" + "source": "BID", + "url": "http://www.securityfocus.com/bid/17342", + "name": "17342" }, { - "source": "MISC", - "url": "https://lists.apache.org/thread.html/6b30629b32d020c40d537f00b004d281c37528d471de15ca8aec2cd4@%3Cissues.commons.apache.org%3E", - "name": "https://lists.apache.org/thread.html/6b30629b32d020c40d537f00b004d281c37528d471de15ca8aec2cd4@%3Cissues.commons.apache.org%3E" + "source": "SECUNIA", + "url": "http://secunia.com/advisories/19493", + "name": "19493" }, { "source": "CONFIRM", - "url": "http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html", - "name": "http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html" + "url": "http://issues.apache.org/bugzilla/show_bug.cgi?id=38534", + "name": "http://issues.apache.org/bugzilla/show_bug.cgi?id=38534" }, { - "source": "SECUNIA", - "url": "http://secunia.com/advisories/57477", - "name": "57477" + "source": "XF", + "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/25613", + "name": "struts-actionform-dos(25613)" }, { - "source": "MLIST", - "url": 
"https://lists.apache.org/thread.html/97fc033dad4233a5d82fcb75521eabdd23dd99ef32eb96f407f96a1a@%3Cissues.commons.apache.org%3E", - "name": "[commons-issues] 20190521 [jira] [Created] (BEANUTILS-520) BeanUtils2 mitigate CVE-2014-0114" + "source": "SECTRACK", + "url": "http://securitytracker.com/id?1015856", + "name": "1015856" }, { - "source": "MLIST", - "url": "https://lists.apache.org/thread.html/918ec15a80fc766ff46c5d769cb8efc88fed6674faadd61a7105166b@%3Cannounce.apache.org%3E", - "name": "[announce] 20190814 [SECURITY] CVE-2019-10086. Apache Commons Beanutils does not suppresses the class property in PropertyUtilsBean by default." + "source": "OSSIndex", + "url": "http://securitytracker.com/id?1015856", + "name": "http://securitytracker.com/id?1015856" }, { - "source": "SECUNIA", - "url": "http://secunia.com/advisories/60177", - "name": "60177" + "source": "OSSINDEX", + "url": "https://ossindex.sonatype.org/vulnerability/CVE-2006-1547?component-type=maven&component-name=struts%2Fstruts&utm_source=dependency-check&utm_medium=integration&utm_content=8.0.2", + "name": "[CVE-2006-1547] CWE-20: Improper Input Validation" + } + ], + "vulnerableSoftware": [ + { + "software": { + "id": "cpe:2.3:a:apache:struts:*:*:*:*:*:*:*:*", + "vulnerabilityIdMatched": "true", + "versionEndIncluding": "1.2.8" + } }, { - "source": "MISC", - "url": "https://lists.apache.org/thread.html/aa4ca069c7aea5b1d7329bc21576c44a39bcc4eb7bb2760c4b16f2f6@%3Cissues.commons.apache.org%3E", - "name": "https://lists.apache.org/thread.html/aa4ca069c7aea5b1d7329bc21576c44a39bcc4eb7bb2760c4b16f2f6@%3Cissues.commons.apache.org%3E" + "software": { + "id": "cpe:2.3:a:apache:struts:1.2.7:*:*:*:*:*:*:*" + } + } + ] + }, + { + "source": "NVD", + "name": "CVE-2006-1546", + "severity": "HIGH", + "cvssv2": { + "score": 7.5, + "accessVector": "NETWORK", + "accessComplexity": "LOW", + "authenticationr": "NONE", + "confidentialImpact": "PARTIAL", + "integrityImpact": "PARTIAL", + "availabilityImpact": "PARTIAL", + 
"severity": "HIGH", + "version": "2.0", + "exploitabilityScore": "10.0", + "impactScore": "6.4", + "obtainOtherPrivilege": "true" + }, + "cwes": [ + "NVD-CWE-Other" + ], + "description": "Apache Software Foundation (ASF) Struts before 1.2.9 allows remote attackers to bypass validation via a request with a 'org.apache.struts.taglib.html.Constants.CANCEL' parameter, which causes the action to be canceled but would not be detected from applications that do not use the isCancelled check.", + "notes": "", + "references": [ + { + "source": "VUPEN", + "url": "http://www.vupen.com/english/advisories/2006/1205", + "name": "ADV-2006-1205" }, { - "source": "MLIST", - "url": "https://lists.apache.org/thread.html/df1c385f2112edffeff57a6b21d12e8d24031a9f578cb8ba22a947a8@%3Cissues.commons.apache.org%3E", - "name": "[commons-issues] 20190615 [jira] [Reopened] (BEANUTILS-520) BeanUtils2 mitigate CVE-2014-0114" + "source": "SUSE", + "url": "http://lists.suse.com/archive/suse-security-announce/2006-May/0004.html", + "name": "SUSE-SR:2006:010" }, { "source": "MLIST", - "url": "https://lists.apache.org/thread.html/080af531a9113e29d3f6a060e3f992dc9f40315ec7234e15c3b339e3@%3Cissues.commons.apache.org%3E", - "name": "[commons-issues] 20190522 [jira] [Work logged] (BEANUTILS-520) BeanUtils2 mitigate CVE-2014-0114" + "url": "http://mail-archives.apache.org/mod_mbox/struts-dev/200601.mbox/%3cdr169r$623$2@sea.gmane.org%3e", + "name": "[struts-devel] 20060122 Re: Validation Security Hole?" 
}, { - "source": "SECUNIA", - "url": "http://secunia.com/advisories/59014", - "name": "59014" + "source": "OSSIndex", + "url": "http://securitytracker.com/id?1015856", + "name": "http://securitytracker.com/id?1015856" }, { - "source": "MISC", - "url": "https://lists.apache.org/thread.html/869c08899f34c1a70c9fb42f92ac0d043c98781317e0c19d7ba3f5e3@%3Cissues.commons.apache.org%3E", - "name": "https://lists.apache.org/thread.html/869c08899f34c1a70c9fb42f92ac0d043c98781317e0c19d7ba3f5e3@%3Cissues.commons.apache.org%3E" + "source": "CONFIRM", + "url": "http://struts.apache.org/struts-doc-1.2.9/userGuide/release-notes.html", + "name": "http://struts.apache.org/struts-doc-1.2.9/userGuide/release-notes.html" }, { - "source": "CONFIRM", - "url": "http://commons.apache.org/proper/commons-beanutils/javadocs/v1.9.2/RELEASE-NOTES.txt", - "name": "http://commons.apache.org/proper/commons-beanutils/javadocs/v1.9.2/RELEASE-NOTES.txt" + "source": "SECUNIA", + "url": "http://secunia.com/advisories/20117", + "name": "20117" + }, + { + "source": "OSSINDEX", + "url": "https://ossindex.sonatype.org/vulnerability/CVE-2006-1546?component-type=maven&component-name=struts%2Fstruts&utm_source=dependency-check&utm_medium=integration&utm_content=8.0.2", + "name": "[CVE-2006-1546] CWE-20: Improper Input Validation" }, { "source": "MLIST", - "url": "https://lists.apache.org/thread.html/956995acee0d8bc046f1df0a55b7fbeb65dd2f82864e5de1078bacb0@%3Cissues.commons.apache.org%3E", - "name": "[commons-issues] 20190906 [jira] [Updated] (CONFIGURATION-755) [CVE-2014-0114] Update Apache Commons BeanUtils from 1.9.3 to 1.9.4." + "url": "http://mail-archives.apache.org/mod_mbox/struts-user/200601.mbox/%3c20060121221800.15814.qmail@web32607.mail.mud.yahoo.com%3e", + "name": "[struts-user] 20060121 Validation Security Hole?" 
}, { - "source": "CONFIRM", - "url": "http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html", - "name": "http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html" + "source": "OSSIndex", + "url": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2006-1546", + "name": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2006-1546" }, { - "source": "MLIST", - "url": "https://lists.apache.org/thread.html/c7e31c3c90b292e0bafccc4e1b19c9afc1503a65d82cb7833dfd7478@%3Cissues.commons.apache.org%3E", - "name": "[commons-issues] 20190818 [jira] [Commented] (BEANUTILS-520) BeanUtils2 mitigate CVE-2014-0114" + "source": "BID", + "url": "http://www.securityfocus.com/bid/17342", + "name": "17342" }, { - "source": "REDHAT", - "url": "https://access.redhat.com/errata/RHSA-2019:2995", - "name": "RHSA-2019:2995" + "source": "SECUNIA", + "url": "http://secunia.com/advisories/19493", + "name": "19493" }, { - "source": "MISC", - "url": "https://lists.apache.org/thread.html/ffde3f266d3bde190b54c9202169e7918a92de7e7e0337d792dc7263@%3Cissues.commons.apache.org%3E", - "name": "https://lists.apache.org/thread.html/ffde3f266d3bde190b54c9202169e7918a92de7e7e0337d792dc7263@%3Cissues.commons.apache.org%3E" + "source": "SECTRACK", + "url": "http://securitytracker.com/id?1015856", + "name": "1015856" }, { - "source": "MLIST", - "url": "https://lists.apache.org/thread.html/708d94141126eac03011144a971a6411fcac16d9c248d1d535a39451@%3Csolr-user.lucene.apache.org%3E", - "name": "[lucene-solr-user] 20190104 Re: SOLR v7 Security Issues Caused Denial of Use - Sonatype Application Composition Report" + "source": "XF", + "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/25612", + "name": "struts-iscancelled-security-bypass(25612)" }, + { + "source": "CONFIRM", + "url": "http://issues.apache.org/bugzilla/show_bug.cgi?id=38374", + "name": "http://issues.apache.org/bugzilla/show_bug.cgi?id=38374" + } + ], + "vulnerableSoftware": [ + { + "software": { + "id": 
"cpe:2.3:a:apache:struts:*:*:*:*:*:*:*:*", + "vulnerabilityIdMatched": "true", + "versionEndIncluding": "1.2.8" + } + } + ] + }, + { + "source": "NVD", + "name": "CVE-2014-0114", + "severity": "HIGH", + "cvssv2": { + "score": 7.5, + "accessVector": "NETWORK", + "accessComplexity": "LOW", + "authenticationr": "NONE", + "confidentialImpact": "PARTIAL", + "integrityImpact": "PARTIAL", + "availabilityImpact": "PARTIAL", + "severity": "HIGH", + "version": "2.0", + "exploitabilityScore": "10.0", + "impactScore": "6.4" + }, + "cwes": [ + "CWE-20" + ], + "description": "Apache Commons BeanUtils, as distributed in lib/commons-beanutils-1.8.0.jar in Apache Struts 1.x through 1.3.10 and in other products requiring commons-beanutils through 1.9.2, does not suppress the class property, which allows remote attackers to \"manipulate\" the ClassLoader and execute arbitrary code via the class parameter, as demonstrated by the passing of this parameter to the getClass method of the ActionForm object in Struts 1.", + "notes": "", + "references": [ { "source": "MLIST", - "url": "https://lists.apache.org/thread.html/37e1ed724a1b0e5d191d98c822c426670bdfde83804567131847d2a3@%3Cdevnull.infra.apache.org%3E", - "name": "[infra-devnull] 20190329 [GitHub] [pulsar] massakam opened pull request #3938: Upgrade third party libraries with security vulnerabilities" + "url": "https://lists.apache.org/thread.html/r458d61eaeadecaad04382ebe583230bc027f48d9e85e4731bc573477@%3Ccommits.dolphinscheduler.apache.org%3E", + "name": "[dolphinscheduler-commits] 20210121 [GitHub] [incubator-dolphinscheduler] c-f-cooper commented on issue #4506: There is a vulnerability in beanutils 1.7.0,upgrade recommended" }, { - "source": "SECUNIA", - "url": "http://secunia.com/advisories/60703", - "name": "60703" + "source": "MISC", + "url": "https://lists.apache.org/thread.html/65b39fa6d700e511927e5668a4038127432178a210aff81500eb36e5@%3Cissues.commons.apache.org%3E", + "name": 
"https://lists.apache.org/thread.html/65b39fa6d700e511927e5668a4038127432178a210aff81500eb36e5@%3Cissues.commons.apache.org%3E" }, { - "source": "SECUNIA", - "url": "http://secunia.com/advisories/58947", - "name": "58947" + "source": "MLIST", + "url": "http://apache-ignite-developers.2346864.n4.nabble.com/CVE-2014-0114-Apache-Ignite-is-vulnerable-to-existing-CVE-2014-0114-td31205.html", + "name": "[apache-ignite-developers] 20180601 [CVE-2014-0114]: Apache Ignite is vulnerable to existing CVE-2014-0114" }, { "source": "CONFIRM", - "url": "http://www.vmware.com/security/advisories/VMSA-2014-0012.html", - "name": "http://www.vmware.com/security/advisories/VMSA-2014-0012.html" - }, - { - "source": "SECUNIA", - "url": "http://secunia.com/advisories/59118", - "name": "59118" + "url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05324755", + "name": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05324755" }, { - "source": "MISC", - "url": "https://lists.apache.org/thread.html/f3682772e62926b5c009eed63c62767021be6da0bb7427610751809f@%3Cissues.commons.apache.org%3E", - "name": "https://lists.apache.org/thread.html/f3682772e62926b5c009eed63c62767021be6da0bb7427610751809f@%3Cissues.commons.apache.org%3E" + "source": "MLIST", + "url": "https://lists.apache.org/thread.html/31f9dc2c9cb68e390634a4202f84b8569f64b6569bfcce46348fd9fd@%3Ccommits.commons.apache.org%3E", + "name": "[commons-commits] 20190528 [commons-beanutils] branch master updated: BEANUTILS-520: Mitigate CVE-2014-0114 by enabling SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS by default. 
(#7)" }, { "source": "CONFIRM", - "url": "https://security.netapp.com/advisory/ntap-20180629-0006/", - "name": "https://security.netapp.com/advisory/ntap-20180629-0006/" - }, - { - "source": "SECUNIA", - "url": "http://secunia.com/advisories/59464", - "name": "59464" + "url": "http://advisories.mageia.org/MGASA-2014-0219.html", + "name": "http://advisories.mageia.org/MGASA-2014-0219.html" }, { "source": "MLIST", - "url": "https://lists.apache.org/thread.html/2454e058fd05ba30ca29442fdeb7ea47505d47a888fbc9f3a53f31d0@%3Cissues.commons.apache.org%3E", - "name": "[commons-issues] 20190615 [jira] [Resolved] (BEANUTILS-520) BeanUtils2 mitigate CVE-2014-0114" + "url": "https://lists.apache.org/thread.html/8e2bdfabd5b14836aa3cf900aa0a62ff9f4e22a518bb4e553ebcf55f@%3Cissues.commons.apache.org%3E", + "name": "[commons-issues] 20190522 [jira] [Commented] (BEANUTILS-520) BeanUtils2 mitigate CVE-2014-0114" }, { "source": "MLIST", - "url": "https://lists.apache.org/thread.html/1f78f1e32cc5614ec0c5b822ba4bd7fc8e8b5c46c8e038b6bd609cb5@%3Cissues.commons.apache.org%3E", - "name": "[commons-issues] 20190906 [jira] [Closed] (CONFIGURATION-755) [CVE-2014-0114] Update Apache Commons BeanUtils from 1.9.3 to 1.9.4." 
+ "url": "https://lists.apache.org/thread.html/098e9aae118ac5c06998a9ba4544ab2475162981d290fdef88e6f883@%3Cissues.commons.apache.org%3E", + "name": "[commons-issues] 20190528 [jira] [Closed] (BEANUTILS-520) BeanUtils2 mitigate CVE-2014-0114" }, { - "source": "CONFIRM", - "url": "http://www.ibm.com/support/docview.wss?uid=swg21675496", - "name": "http://www.ibm.com/support/docview.wss?uid=swg21675496" + "source": "GENTOO", + "url": "https://security.gentoo.org/glsa/201607-09", + "name": "GLSA-201607-09" }, { - "source": "CONFIRM", - "url": "http://www.oracle.com/technetwork/topics/security/cpujul2014-1972956.html", - "name": "http://www.oracle.com/technetwork/topics/security/cpujul2014-1972956.html" + "source": "MLIST", + "url": "https://lists.apache.org/thread.html/0efed939139f5b9dcd62b8acf7cb8a9789227d14abdc0c6f141c4a4c@%3Cissues.activemq.apache.org%3E", + "name": "[activemq-issues] 20190909 [jira] [Work logged] (ARTEMIS-2470) Update Apache BeanUtils to Address CVE-2014-0114" }, { - "source": "CONFIRM", - "url": "http://www.vmware.com/security/advisories/VMSA-2014-0008.html", - "name": "http://www.vmware.com/security/advisories/VMSA-2014-0008.html" + "source": "SECUNIA", + "url": "http://secunia.com/advisories/59430", + "name": "59430" }, { "source": "CONFIRM", - "url": "http://www-01.ibm.com/support/docview.wss?uid=swg21675689", - "name": "http://www-01.ibm.com/support/docview.wss?uid=swg21675689" - }, - { - "source": "MISC", - "url": "https://lists.apache.org/thread.html/4c3fd707a049bfe0577dba8fc9c4868ffcdabe68ad86586a0a49242e@%3Cissues.commons.apache.org%3E", - "name": "https://lists.apache.org/thread.html/4c3fd707a049bfe0577dba8fc9c4868ffcdabe68ad86586a0a49242e@%3Cissues.commons.apache.org%3E" - }, - { - "source": "MLIST", - "url": "https://lists.apache.org/thread.html/42ad6326d62ea8453d0d0ce12eff39bbb7c5b4fca9639da007291346@%3Cissues.commons.apache.org%3E", - "name": "[commons-issues] 20190528 [jira] [Work logged] (BEANUTILS-520) BeanUtils2 mitigate 
CVE-2014-0114" + "url": "http://www-01.ibm.com/support/docview.wss?uid=swg21675972", + "name": "http://www-01.ibm.com/support/docview.wss?uid=swg21675972" }, { - "source": "CONFIRM", - "url": "http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html", - "name": "http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html" + "source": "FEDORA", + "url": "http://lists.fedoraproject.org/pipermail/package-announce/2014-August/136958.html", + "name": "FEDORA-2014-9380" }, { "source": "CONFIRM", - "url": "https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html", - "name": "https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html" - }, - { - "source": "MANDRIVA", - "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2014:095", - "name": "MDVSA-2014:095" + "url": "http://www-01.ibm.com/support/docview.wss?uid=swg21676110", + "name": "http://www-01.ibm.com/support/docview.wss?uid=swg21676110" }, { "source": "SECUNIA", - "url": "http://secunia.com/advisories/58710", - "name": "58710" - }, - { - "source": "MLIST", - "url": "https://lists.apache.org/thread.html/3f500972dceb48e3cb351f58565aecf6728b1ea7a69593af86c30b30@%3Cissues.activemq.apache.org%3E", - "name": "[activemq-issues] 20190904 [jira] [Created] (ARTEMIS-2470) Update Apache BeanUtils to Address CVE-2014-0114" - }, - { - "source": "MLIST", - "url": "https://lists.apache.org/thread.html/9317fd092b257a0815434b116a8af8daea6e920b6673f4fd5583d5fe@%3Ccommits.druid.apache.org%3E", - "name": "[druid-commits] 20191115 [GitHub] [incubator-druid] ccaominh opened a new pull request #8878: Address security vulnerabilities" + "url": "http://secunia.com/advisories/59245", + "name": "59245" }, { "source": "MLIST", - "url": "https://lists.apache.org/thread.html/r204ba2a9ea750f38d789d2bb429cc0925ad6133deea7cbc3001d96b5@%3Csolr-user.lucene.apache.org%3E", - "name": "[lucene-solr-user] 20200320 CVEs (vulnerabilities) that apply to Solr 8.4.1" + "url": 
"https://lists.apache.org/thread.html/d27c51b3c933f885460aa6d3004eb228916615caaaddbb8e8bfeeb40@%3Cgitbox.activemq.apache.org%3E", + "name": "[activemq-gitbox] 20190903 [GitHub] [activemq-artemis] jeloba opened a new pull request #2820: Updated Apache BeanUtils to address CVE" }, { - "source": "BID", - "url": "http://www.securityfocus.com/bid/67121", - "name": "67121" + "source": "CONFIRM", + "url": "https://access.redhat.com/solutions/869353", + "name": "https://access.redhat.com/solutions/869353" }, { - "source": "MLIST", - "url": "https://lists.apache.org/thread.html/40fc236a35801a535cd49cf1979dbeab034b833c63a284941bce5bf1@%3Cdev.commons.apache.org%3E", - "name": "[commons-dev] 20190522 [beanutils2] CVE-2014-0114 Pull Request" + "source": "DEBIAN", + "url": "http://www.debian.org/security/2014/dsa-2940", + "name": "DSA-2940" }, { - "source": "MLIST", - "url": "https://lists.apache.org/thread.html/cee6b1c4533be1a753614f6a7d7c533c42091e7cafd7053b8f62792a@%3Cissues.commons.apache.org%3E", - "name": "[commons-issues] 20190615 [jira] [Updated] (BEANUTILS-520) BeanUtils2 mitigate CVE-2014-0114" + "source": "CONFIRM", + "url": "http://www-01.ibm.com/support/docview.wss?uid=swg21674812", + "name": "http://www-01.ibm.com/support/docview.wss?uid=swg21674812" }, { "source": "MLIST", - "url": "https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc@%3Cissues.drill.apache.org%3E", - "name": "[drill-issues] 20191021 [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities" + "url": "https://lists.apache.org/thread.html/1565e8b786dff4cb3b48ecc8381222c462c92076c9e41408158797b5@%3Ccommits.commons.apache.org%3E", + "name": "[commons-commits] 20190906 [commons-configuration] branch master updated: [CONFIGURATION-755][CVE-2014-0114] Update Apache Commons BeanUtils from 1.9.3 to 1.9.4." 
}, { "source": "CONFIRM", - "url": "http://www-01.ibm.com/support/docview.wss?uid=swg21676931", - "name": "http://www-01.ibm.com/support/docview.wss?uid=swg21676931" - }, - { - "source": "BUGTRAQ", - "url": "http://www.securityfocus.com/archive/1/534161/100/0/threaded", - "name": "20141205 NEW: VMSA-2014-0012 - VMware vSphere product updates address security vulnerabilities" - }, - { - "source": "MISC", - "url": "https://lists.apache.org/thread.html/15fcdf27fa060de276edc0b4098526afc21c236852eb3de9be9594f3@%3Cissues.commons.apache.org%3E", - "name": "https://lists.apache.org/thread.html/15fcdf27fa060de276edc0b4098526afc21c236852eb3de9be9594f3@%3Cissues.commons.apache.org%3E" + "url": "http://www-01.ibm.com/support/docview.wss?uid=swg21674128", + "name": "http://www-01.ibm.com/support/docview.wss?uid=swg21674128" }, { "source": "MLIST", - "url": "http://openwall.com/lists/oss-security/2014/06/15/10", - "name": "[oss-security] 20140616 CVE request for commons-beanutils: 'class' property is exposed, potentially leading to RCE" + "url": "https://lists.apache.org/thread.html/df093c662b5e49fe9e38ef91f78ffab09d0839dea7df69a747dffa86@%3Cdev.commons.apache.org%3E", + "name": "[commons-dev] 20190605 Re: [beanutils] Towards 1.10" }, { "source": "CONFIRM", - "url": "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html", - "name": "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html" - }, - { - "source": "REDHAT", - "url": "https://access.redhat.com/errata/RHSA-2018:2669", - "name": "RHSA-2018:2669" + "url": "http://www-01.ibm.com/support/docview.wss?uid=swg27042296", + "name": "http://www-01.ibm.com/support/docview.wss?uid=swg27042296" }, { - "source": "MLIST", - "url": "https://lists.apache.org/thread.html/fda473f46e51019a78ab217a7a3a3d48dafd90846e75bd5536ef72f3@%3Cnotifications.commons.apache.org%3E", - "name": "[commons-notifications] 20190528 Build failed in Jenkins: commons-beanutils #74" + "source": "CONFIRM", + "url": 
"http://www-01.ibm.com/support/docview.wss?uid=swg21675387", + "name": "http://www-01.ibm.com/support/docview.wss?uid=swg21675387" }, { "source": "CONFIRM", - "url": "http://www-01.ibm.com/support/docview.wss?uid=swg21676091", - "name": "http://www-01.ibm.com/support/docview.wss?uid=swg21676091" - } - ], - "vulnerableSoftware": [ - { - "software": { - "id": "cpe:2.3:a:apache:struts:1.3.5:*:*:*:*:*:*:*" - } + "url": "http://www-01.ibm.com/support/docview.wss?uid=swg21675266", + "name": "http://www-01.ibm.com/support/docview.wss?uid=swg21675266" }, { - "software": { - "id": "cpe:2.3:a:apache:struts:1.2.2:*:*:*:*:*:*:*" - } + "source": "SECUNIA", + "url": "http://secunia.com/advisories/59704", + "name": "59704" }, { - "software": { - "id": "cpe:2.3:a:apache:commons_beanutils:*:*:*:*:*:*:*:*", - "versionEndIncluding": "1.9.1" - } + "source": "CONFIRM", + "url": "http://www-01.ibm.com/support/docview.wss?uid=swg21676303", + "name": "http://www-01.ibm.com/support/docview.wss?uid=swg21676303" }, { - "software": { - "id": "cpe:2.3:a:apache:struts:1.2.7:*:*:*:*:*:*:*" - } + "source": "MISC", + "url": "https://lists.apache.org/thread.html/2ba22f2e3de945039db735cf6cbf7f8be901ab2537337c7b1dd6a0f0@%3Cissues.commons.apache.org%3E", + "name": "https://lists.apache.org/thread.html/2ba22f2e3de945039db735cf6cbf7f8be901ab2537337c7b1dd6a0f0@%3Cissues.commons.apache.org%3E" }, { - "software": { - "id": "cpe:2.3:a:apache:struts:1.1:b2:*:*:*:*:*:*" - } + "source": "MLIST", + "url": "https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442@%3Cdev.drill.apache.org%3E", + "name": "[drill-dev] 20191017 Dependencies used by Drill contain known vulnerabilities" }, { - "software": { - "id": "cpe:2.3:a:apache:struts:1.2.9:*:*:*:*:*:*:*" - } + "source": "MLIST", + "url": "https://lists.apache.org/thread.html/66176fa3caeca77058d9f5b0316419a43b4c3fa2b572e05b87132226@%3Cissues.commons.apache.org%3E", + "name": "[commons-issues] 20191014 [jira] [Updated] 
(BEANUTILS-520) Mitigate CVE-2014-0114" }, { - "software": { - "id": "cpe:2.3:a:apache:struts:1.1:rc1:*:*:*:*:*:*" - } + "source": "SECUNIA", + "url": "http://secunia.com/advisories/59480", + "name": "59480" }, { - "software": { - "id": "cpe:2.3:a:apache:struts:1.1:b3:*:*:*:*:*:*" - } + "source": "CONFIRM", + "url": "https://issues.apache.org/jira/browse/BEANUTILS-463", + "name": "https://issues.apache.org/jira/browse/BEANUTILS-463" }, { - "software": { - "id": "cpe:2.3:a:apache:struts:1.0:*:*:*:*:*:*:*" - } + "source": "MISC", + "url": "https://lists.apache.org/thread.html/9b5505632f5683ee17bda4f7878525e672226c7807d57709283ffa64@%3Cissues.commons.apache.org%3E", + "name": "https://lists.apache.org/thread.html/9b5505632f5683ee17bda4f7878525e672226c7807d57709283ffa64@%3Cissues.commons.apache.org%3E" }, { - "software": { - "id": "cpe:2.3:a:apache:struts:1.2.6:*:*:*:*:*:*:*" - } + "source": "MLIST", + "url": "https://lists.apache.org/thread.html/c70da3cb6e3f03e0ad8013e38b6959419d866c4a7c80fdd34b73f25c@%3Ccommits.pulsar.apache.org%3E", + "name": "[pulsar-commits] 20190329 [GitHub] [pulsar] massakam opened a new pull request #3938: Upgrade third party libraries with security vulnerabilities" }, { - "software": { - "id": "cpe:2.3:a:apache:struts:1.1:rc2:*:*:*:*:*:*" - } + "source": "MLIST", + "url": "https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3Cdev.drill.apache.org%3E", + "name": "[drill-dev] 20191021 [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities" }, { - "software": { - "id": "cpe:2.3:a:apache:struts:1.2.4:*:*:*:*:*:*:*" - } + "source": "SECUNIA", + "url": "http://secunia.com/advisories/59479", + "name": "59479" }, { - "software": { - "id": "cpe:2.3:a:apache:struts:1.1:b1:*:*:*:*:*:*" - } + "source": "HP", + "url": "http://marc.info/?l=bugtraq&m=141451023707502&w=2", + "name": "HPSBST03160" }, { - "software": { - "id": 
"cpe:2.3:a:apache:struts:1.1:*:*:*:*:*:*:*" - } + "source": "CONFIRM", + "url": "http://www-01.ibm.com/support/docview.wss?uid=swg21676375", + "name": "http://www-01.ibm.com/support/docview.wss?uid=swg21676375" }, { - "software": { - "id": "cpe:2.3:a:apache:struts:1.3.10:*:*:*:*:*:*:*" - } + "source": "MLIST", + "url": "https://lists.apache.org/thread.html/0a35108a56e2d575e3b3985588794e39fbf264097aba66f4c5569e4f@%3Cuser.commons.apache.org%3E", + "name": "[commons-user] 20190814 [SECURITY] CVE-2019-10086. Apache Commons Beanutils does not suppresses the class property in PropertyUtilsBean by default." }, { - "software": { - "id": "cpe:2.3:a:apache:struts:1.2.8:*:*:*:*:*:*:*", - "vulnerabilityIdMatched": "true" - } + "source": "CONFIRM", + "url": "http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html", + "name": "http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html" }, { - "software": { - "id": "cpe:2.3:a:apache:struts:1.0.2:*:*:*:*:*:*:*" - } + "source": "MLIST", + "url": "https://lists.apache.org/thread.html/88c497eead24ed517a2bb3159d3dc48725c215e97fe7a98b2cf3ea25@%3Cdev.commons.apache.org%3E", + "name": "[commons-dev] 20190814 [SECURITY] CVE-2019-10086. Apache Commons Beanutils does not suppresses the class property in PropertyUtilsBean by default." 
}, { - "software": { - "id": "cpe:2.3:a:apache:struts:1.3.8:*:*:*:*:*:*:*" - } - } - ] - }, - { - "source": "NVD", - "name": "CVE-2015-0899", - "severity": "HIGH", - "cvssv2": { - "score": 5.0, - "accessVector": "NETWORK", - "accessComplexity": "LOW", - "authenticationr": "NONE", - "confidentialImpact": "NONE", - "integrityImpact": "PARTIAL", - "availabilityImpact": "NONE", - "severity": "MEDIUM", - "version": "2.0", - "exploitabilityScore": "10.0", - "impactScore": "2.9", - "acInsufInfo": "true" - }, - "cvssv3": { - "baseScore": 7.5, - "attackVector": "NETWORK", - "attackComplexity": "LOW", - "privilegesRequired": "NONE", - "userInteraction": "NONE", - "scope": "UNCHANGED", - "confidentialityImpact": "NONE", - "integrityImpact": "HIGH", - "availabilityImpact": "NONE", - "baseSeverity": "HIGH", - "exploitabilityScore": "3.9", - "impactScore": "3.6", - "version": "3.0" - }, - "cwes": [ - "CWE-20" - ], - "description": "The MultiPageValidator implementation in Apache Struts 1 1.1 through 1.3.10 allows remote attackers to bypass intended access restrictions via a modified page parameter.", - "notes": "", - "references": [ - { - "source": "CONFIRM", - "url": "https://security.netapp.com/advisory/ntap-20180629-0006/", - "name": "https://security.netapp.com/advisory/ntap-20180629-0006/" + "source": "HP", + "url": "http://marc.info/?l=bugtraq&m=140801096002766&w=2", + "name": "HPSBMU03090" }, { - "source": "JVNDB", - "url": "http://jvndb.jvn.jp/jvndb/JVNDB-2015-000042", - "name": "JVNDB-2015-000042" + "source": "SECUNIA", + "url": "http://secunia.com/advisories/59228", + "name": "59228" }, { - "source": "BID", - "url": "http://www.securityfocus.com/bid/74423", - "name": "74423" + "source": "MISC", + "url": "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html", + "name": "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html" }, { "source": "CONFIRM", - "url": 
"http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html", - "name": "http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html" + "url": "http://www-01.ibm.com/support/docview.wss?uid=swg21675898", + "name": "http://www-01.ibm.com/support/docview.wss?uid=swg21675898" }, { - "source": "DEBIAN", - "url": "http://www.debian.org/security/2016/dsa-3536", - "name": "DSA-3536" + "source": "MISC", + "url": "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html", + "name": "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html" }, { - "source": "JVN", - "url": "http://jvn.jp/en/jp/JVN86448949/index.html", - "name": "JVN#86448949" + "source": "OSSINDEX", + "url": "https://ossindex.sonatype.org/vulnerability/CVE-2014-0114?component-type=maven&component-name=struts%2Fstruts&utm_source=dependency-check&utm_medium=integration&utm_content=8.0.2", + "name": "[CVE-2014-0114] CWE-20: Improper Input Validation" }, { - "source": "CONFIRM", - "url": "https://en.osdn.jp/projects/terasoluna/wiki/StrutsPatch2-EN", - "name": "https://en.osdn.jp/projects/terasoluna/wiki/StrutsPatch2-EN" - } - ], - "vulnerableSoftware": [ + "source": "SECUNIA", + "url": "http://secunia.com/advisories/59246", + "name": "59246" + }, { - "software": { - "id": "cpe:2.3:a:apache:struts:1.3.5:*:*:*:*:*:*:*" - } + "source": "CONFIRM", + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1091938", + "name": "https://bugzilla.redhat.com/show_bug.cgi?id=1091938" }, { - "software": { - "id": "cpe:2.3:a:apache:struts:1.2.2:*:*:*:*:*:*:*" - } + "source": "MLIST", + "url": "http://openwall.com/lists/oss-security/2014/07/08/1", + "name": "[oss-security] 20140707 Re: CVE request for commons-beanutils: 'class' property is exposed, potentially leading to RCE" }, { - "software": { - "id": "cpe:2.3:a:apache:struts:1.2.7:*:*:*:*:*:*:*" - } + "source": "MISC", + "url": 
"https://lists.apache.org/thread.html/6afe2f935493e69a332b9c5a4f23cafe95c15ede1591a492cf612293@%3Cissues.commons.apache.org%3E", + "name": "https://lists.apache.org/thread.html/6afe2f935493e69a332b9c5a4f23cafe95c15ede1591a492cf612293@%3Cissues.commons.apache.org%3E" }, { - "software": { - "id": "cpe:2.3:a:apache:struts:1.1:b2:*:*:*:*:*:*" - } + "source": "CONFIRM", + "url": "https://security.netapp.com/advisory/ntap-20140911-0001/", + "name": "https://security.netapp.com/advisory/ntap-20140911-0001/" }, { - "software": { - "id": "cpe:2.3:a:apache:struts:1.2.9:*:*:*:*:*:*:*" - } + "source": "SECUNIA", + "url": "http://secunia.com/advisories/58851", + "name": "58851" }, { - "software": { - "id": "cpe:2.3:a:apache:struts:1.1:rc1:*:*:*:*:*:*" - } + "source": "SECUNIA", + "url": "http://secunia.com/advisories/59718", + "name": "59718" }, { - "software": { - "id": "cpe:2.3:a:apache:struts:1.1:b3:*:*:*:*:*:*" - } + "source": "CONFIRM", + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1116665", + "name": "https://bugzilla.redhat.com/show_bug.cgi?id=1116665" }, { - "software": { - "id": "cpe:2.3:a:apache:struts:1.0:*:*:*:*:*:*:*" - } + "source": "CONFIRM", + "url": "http://www.oracle.com/technetwork/topics/security/cpuoct2014-1972960.html", + "name": "http://www.oracle.com/technetwork/topics/security/cpuoct2014-1972960.html" }, { - "software": { - "id": "cpe:2.3:a:apache:struts:1.2.6:*:*:*:*:*:*:*" - } + "source": "MLIST", + "url": "https://lists.apache.org/thread.html/0340493a1ddf3660dee09a5c503449cdac5bec48cdc478de65858859@%3Cdev.commons.apache.org%3E", + "name": "[commons-dev] 20190525 Re: [beanutils2] CVE-2014-0114 Pull Request" }, { - "software": { - "id": "cpe:2.3:a:apache:struts:1.1:rc2:*:*:*:*:*:*" - } + "source": "MLIST", + "url": "https://lists.apache.org/thread.html/c24c0b931632a397142882ba248b7bd440027960f22845c6f664c639@%3Ccommits.commons.apache.org%3E", + "name": "[commons-commits] 20190528 [commons-beanutils] branch master updated: [BEANUTILS-520] 
BeanUtils2 mitigate CVE-2014-0114." }, { - "software": { - "id": "cpe:2.3:a:apache:struts:1.2.4:*:*:*:*:*:*:*" - } + "source": "MISC", + "url": "https://lists.apache.org/thread.html/084ae814e69178d2ce174cfdf149bc6e46d7524f3308c08d3adb43cb@%3Cissues.commons.apache.org%3E", + "name": "https://lists.apache.org/thread.html/084ae814e69178d2ce174cfdf149bc6e46d7524f3308c08d3adb43cb@%3Cissues.commons.apache.org%3E" }, { - "software": { - "id": "cpe:2.3:a:apache:struts:1.1:b1:*:*:*:*:*:*" - } + "source": "MLIST", + "url": "https://lists.apache.org/thread.html/ebc4f019798f6ce2a39f3e0c26a9068563a9ba092cdf3ece398d4e2f@%3Cnotifications.commons.apache.org%3E", + "name": "[commons-notifications] 20190528 Build failed in Jenkins: commons-beanutils #75" }, { - "software": { - "id": "cpe:2.3:a:apache:struts:1.1:*:*:*:*:*:*:*" - } + "source": "CONFIRM", + "url": "http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html", + "name": "http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html" }, { - "software": { - "id": "cpe:2.3:a:apache:struts:1.3.10:*:*:*:*:*:*:*" - } + "source": "MISC", + "url": "https://lists.apache.org/thread.html/09981ae3df188a2ad1ce20f62ef76a5b2d27cf6b9ebab366cf1d6cc6@%3Cissues.commons.apache.org%3E", + "name": "https://lists.apache.org/thread.html/09981ae3df188a2ad1ce20f62ef76a5b2d27cf6b9ebab366cf1d6cc6@%3Cissues.commons.apache.org%3E" }, { - "software": { - "id": "cpe:2.3:a:apache:struts:1.2.8:*:*:*:*:*:*:*", - "vulnerabilityIdMatched": "true" - } + "source": "MLIST", + "url": "https://lists.apache.org/thread.html/r75d67108e557bb5d4c4318435067714a0180de525314b7e8dab9d04e@%3Cissues.activemq.apache.org%3E", + "name": "[activemq-issues] 20200109 [jira] [Resolved] (ARTEMIS-2470) Update Apache BeanUtils to Address CVE-2014-0114" }, { - "software": { - "id": "cpe:2.3:a:apache:struts:1.0.2:*:*:*:*:*:*:*" - } + "source": "CONFIRM", + "url": "http://www-01.ibm.com/support/docview.wss?uid=swg21677110", + "name": 
"http://www-01.ibm.com/support/docview.wss?uid=swg21677110" }, { - "software": { - "id": "cpe:2.3:a:apache:struts:1.3.8:*:*:*:*:*:*:*" - } - } - ] - }, - { - "source": "NVD", - "name": "CVE-2015-2992", - "severity": "MEDIUM", - "cvssv2": { - "score": 4.3, - "accessVector": "NETWORK", - "accessComplexity": "MEDIUM", - "authenticationr": "NONE", - "confidentialImpact": "NONE", - "integrityImpact": "PARTIAL", - "availabilityImpact": "NONE", - "severity": "MEDIUM", - "version": "2.0", - "exploitabilityScore": "8.6", - "impactScore": "2.9", - "userInteractionRequired": "true" - }, - "cvssv3": { - "baseScore": 6.1, - "attackVector": "NETWORK", - "attackComplexity": "LOW", - "privilegesRequired": "NONE", - "userInteraction": "REQUIRED", - "scope": "CHANGED", - "confidentialityImpact": "LOW", - "integrityImpact": "LOW", - "availabilityImpact": "NONE", - "baseSeverity": "MEDIUM", - "exploitabilityScore": "2.8", - "impactScore": "2.7", - "version": "3.1" - }, - "cwes": [ - "CWE-79" - ], - "description": "Apache Struts before 2.3.20 has a cross-site scripting (XSS) vulnerability.", - "notes": "", - "references": [ + "source": "HP", + "url": "http://marc.info/?l=bugtraq&m=140119284401582&w=2", + "name": "HPSBGN03041" + }, { - "source": "MISC", - "url": "http://jvn.jp/en/jp/JVN88408929/index.html", - "name": "http://jvn.jp/en/jp/JVN88408929/index.html" + "source": "FULLDISC", + "url": "http://seclists.org/fulldisclosure/2014/Dec/23", + "name": "20141205 NEW: VMSA-2014-0012 - VMware vSphere product updates address security vulnerabilities" }, { "source": "MISC", - "url": "http://jvndb.jvn.jp/en/contents/2015/JVNDB-2015-000124.html", - "name": "http://jvndb.jvn.jp/en/contents/2015/JVNDB-2015-000124.html" + "url": "https://lists.apache.org/thread.html/6b30629b32d020c40d537f00b004d281c37528d471de15ca8aec2cd4@%3Cissues.commons.apache.org%3E", + "name": "https://lists.apache.org/thread.html/6b30629b32d020c40d537f00b004d281c37528d471de15ca8aec2cd4@%3Cissues.commons.apache.org%3E" }, { 
- "source": "OSSINDEX", - "url": "https://ossindex.sonatype.org/vuln/a3efaa36-6517-4ed4-b63a-6c7a1d8ce00f?component-type=maven&component-name=struts.struts", - "name": "[CVE-2015-2992] Apache Struts before 2.3.20 has a cross-site scripting (XSS) vulnerability." + "source": "CONFIRM", + "url": "http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html", + "name": "http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html" }, { - "source": "MISC", - "url": "http://www.securityfocus.com/bid/76624", - "name": "http://www.securityfocus.com/bid/76624" + "source": "SECUNIA", + "url": "http://secunia.com/advisories/57477", + "name": "57477" }, { - "source": "CONFIRM", - "url": "https://security.netapp.com/advisory/ntap-20200330-0001/", - "name": "https://security.netapp.com/advisory/ntap-20200330-0001/" - } - ], - "vulnerableSoftware": [ + "source": "MLIST", + "url": "https://lists.apache.org/thread.html/97fc033dad4233a5d82fcb75521eabdd23dd99ef32eb96f407f96a1a@%3Cissues.commons.apache.org%3E", + "name": "[commons-issues] 20190521 [jira] [Created] (BEANUTILS-520) BeanUtils2 mitigate CVE-2014-0114" + }, { - "software": { - "id": "cpe:2.3:a:apache:struts:*:*:*:*:*:*:*:*", - "vulnerabilityIdMatched": "true", - "versionEndExcluding": "2.3.20" - } - } - ] - }, - { - "source": "OSSINDEX", - "name": "CVE-2016-0785", - "severity": "HIGH", - "cvssv3": { - "baseScore": 8.8, - "attackVector": "N", - "attackComplexity": "L", - "privilegesRequired": "L", - "userInteraction": "N", - "scope": "U", - "confidentialityImpact": "H", - "integrityImpact": "H", - "availabilityImpact": "H", - "baseSeverity": "HIGH" - }, - "cwes": [], - "description": "Apache Struts 2.x before 2.3.28 allows remote attackers to execute arbitrary code via a \"%{}\" sequence in a tag attribute, aka forced double OGNL evaluation.", - "notes": "", - "references": [ + "source": "MLIST", + "url": 
"https://lists.apache.org/thread.html/918ec15a80fc766ff46c5d769cb8efc88fed6674faadd61a7105166b@%3Cannounce.apache.org%3E", + "name": "[announce] 20190814 [SECURITY] CVE-2019-10086. Apache Commons Beanutils does not suppresses the class property in PropertyUtilsBean by default." + }, { - "source": "OSSINDEX", - "url": "https://ossindex.sonatype.org/vuln/5684f0fd-6580-461f-a0f6-eda4176de9bb?component-type=maven&component-name=struts.struts", - "name": "[CVE-2016-0785] Improper Input Validation" - } - ], - "vulnerableSoftware": [ + "source": "OSSIndex", + "url": "http://www.rapid7.com/db/modules/exploit/multi/http/struts_code_exec_classloader", + "name": "http://www.rapid7.com/db/modules/exploit/multi/http/struts_code_exec_classloader" + }, { - "software": { - "id": "cpe:2.3:a:struts:struts:1.2.8:*:*:*:*:*:*:*", - "vulnerabilityIdMatched": "true" - } - } - ] - }, - { - "source": "NVD", - "name": "CVE-2016-1181", - "severity": "HIGH", - "cvssv2": { - "score": 6.8, - "accessVector": "NETWORK", - "accessComplexity": "MEDIUM", - "authenticationr": "NONE", - "confidentialImpact": "PARTIAL", - "integrityImpact": "PARTIAL", - "availabilityImpact": "PARTIAL", - "severity": "MEDIUM", - "version": "2.0", - "exploitabilityScore": "8.6", - "impactScore": "6.4" - }, - "cvssv3": { - "baseScore": 8.1, - "attackVector": "NETWORK", - "attackComplexity": "HIGH", - "privilegesRequired": "NONE", - "userInteraction": "NONE", - "scope": "UNCHANGED", - "confidentialityImpact": "HIGH", - "integrityImpact": "HIGH", - "availabilityImpact": "HIGH", - "baseSeverity": "HIGH", - "exploitabilityScore": "2.2", - "impactScore": "5.9", - "version": "3.0" - }, - "cwes": [ - "NVD-CWE-noinfo" - ], - "description": "ActionServlet.java in Apache Struts 1 1.x through 1.3.10 mishandles multithreaded access to an ActionForm instance, which allows remote attackers to execute arbitrary code or cause a denial of service (unexpected memory access) via a multipart request, a related issue to CVE-2015-0899.", - 
"notes": "", - "references": [ + "source": "SECUNIA", + "url": "http://secunia.com/advisories/60177", + "name": "60177" + }, { - "source": "CONFIRM", - "url": "http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html", - "name": "http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html" + "source": "MISC", + "url": "https://lists.apache.org/thread.html/aa4ca069c7aea5b1d7329bc21576c44a39bcc4eb7bb2760c4b16f2f6@%3Cissues.commons.apache.org%3E", + "name": "https://lists.apache.org/thread.html/aa4ca069c7aea5b1d7329bc21576c44a39bcc4eb7bb2760c4b16f2f6@%3Cissues.commons.apache.org%3E" + }, + { + "source": "MLIST", + "url": "https://lists.apache.org/thread.html/df1c385f2112edffeff57a6b21d12e8d24031a9f578cb8ba22a947a8@%3Cissues.commons.apache.org%3E", + "name": "[commons-issues] 20190615 [jira] [Reopened] (BEANUTILS-520) BeanUtils2 mitigate CVE-2014-0114" + }, + { + "source": "MLIST", + "url": "https://lists.apache.org/thread.html/080af531a9113e29d3f6a060e3f992dc9f40315ec7234e15c3b339e3@%3Cissues.commons.apache.org%3E", + "name": "[commons-issues] 20190522 [jira] [Work logged] (BEANUTILS-520) BeanUtils2 mitigate CVE-2014-0114" + }, + { + "source": "SECUNIA", + "url": "http://secunia.com/advisories/59014", + "name": "59014" }, { "source": "MISC", - "url": "https://www.oracle.com/security-alerts/cpujul2020.html", - "name": "https://www.oracle.com/security-alerts/cpujul2020.html" + "url": "https://lists.apache.org/thread.html/869c08899f34c1a70c9fb42f92ac0d043c98781317e0c19d7ba3f5e3@%3Cissues.commons.apache.org%3E", + "name": "https://lists.apache.org/thread.html/869c08899f34c1a70c9fb42f92ac0d043c98781317e0c19d7ba3f5e3@%3Cissues.commons.apache.org%3E" }, { "source": "CONFIRM", - "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1343538", - "name": "https://bugzilla.redhat.com/show_bug.cgi?id=1343538" + "url": "http://commons.apache.org/proper/commons-beanutils/javadocs/v1.9.2/RELEASE-NOTES.txt", + "name": 
"http://commons.apache.org/proper/commons-beanutils/javadocs/v1.9.2/RELEASE-NOTES.txt" }, { - "source": "CONFIRM", - "url": "http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html", - "name": "http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html" + "source": "MLIST", + "url": "https://lists.apache.org/thread.html/956995acee0d8bc046f1df0a55b7fbeb65dd2f82864e5de1078bacb0@%3Cissues.commons.apache.org%3E", + "name": "[commons-issues] 20190906 [jira] [Updated] (CONFIGURATION-755) [CVE-2014-0114] Update Apache Commons BeanUtils from 1.9.3 to 1.9.4." }, { "source": "CONFIRM", - "url": "http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html", - "name": "http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html" + "url": "http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html", + "name": "http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html" }, { - "source": "CONFIRM", - "url": "https://github.com/kawasima/struts1-forever/commit/eda3a79907ed8fcb0387a0496d0cb14332f250e8", - "name": "https://github.com/kawasima/struts1-forever/commit/eda3a79907ed8fcb0387a0496d0cb14332f250e8" + "source": "MLIST", + "url": "https://lists.apache.org/thread.html/c7e31c3c90b292e0bafccc4e1b19c9afc1503a65d82cb7833dfd7478@%3Cissues.commons.apache.org%3E", + "name": "[commons-issues] 20190818 [jira] [Commented] (BEANUTILS-520) BeanUtils2 mitigate CVE-2014-0114" }, { - "source": "JVNDB", - "url": "http://jvndb.jvn.jp/jvndb/JVNDB-2016-000096", - "name": "JVNDB-2016-000096" + "source": "REDHAT", + "url": "https://access.redhat.com/errata/RHSA-2019:2995", + "name": "RHSA-2019:2995" }, { "source": "MISC", - "url": "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html", - "name": "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html" + "url": 
"https://lists.apache.org/thread.html/ffde3f266d3bde190b54c9202169e7918a92de7e7e0337d792dc7263@%3Cissues.commons.apache.org%3E", + "name": "https://lists.apache.org/thread.html/ffde3f266d3bde190b54c9202169e7918a92de7e7e0337d792dc7263@%3Cissues.commons.apache.org%3E" }, { - "source": "BID", - "url": "http://www.securityfocus.com/bid/91787", - "name": "91787" + "source": "MLIST", + "url": "https://lists.apache.org/thread.html/708d94141126eac03011144a971a6411fcac16d9c248d1d535a39451@%3Csolr-user.lucene.apache.org%3E", + "name": "[lucene-solr-user] 20190104 Re: SOLR v7 Security Issues Caused Denial of Use - Sonatype Application Composition Report" }, { - "source": "BID", - "url": "http://www.securityfocus.com/bid/91068", - "name": "91068" + "source": "MLIST", + "url": "https://lists.apache.org/thread.html/37e1ed724a1b0e5d191d98c822c426670bdfde83804567131847d2a3@%3Cdevnull.infra.apache.org%3E", + "name": "[infra-devnull] 20190329 [GitHub] [pulsar] massakam opened pull request #3938: Upgrade third party libraries with security vulnerabilities" + }, + { + "source": "SECUNIA", + "url": "http://secunia.com/advisories/60703", + "name": "60703" + }, + { + "source": "CONFIRM", + "url": "http://www.vmware.com/security/advisories/VMSA-2014-0012.html", + "name": "http://www.vmware.com/security/advisories/VMSA-2014-0012.html" + }, + { + "source": "SECUNIA", + "url": "http://secunia.com/advisories/58947", + "name": "58947" + }, + { + "source": "SECUNIA", + "url": "http://secunia.com/advisories/59118", + "name": "59118" + }, + { + "source": "MISC", + "url": "https://lists.apache.org/thread.html/f3682772e62926b5c009eed63c62767021be6da0bb7427610751809f@%3Cissues.commons.apache.org%3E", + "name": "https://lists.apache.org/thread.html/f3682772e62926b5c009eed63c62767021be6da0bb7427610751809f@%3Cissues.commons.apache.org%3E" }, { "source": "CONFIRM", 
@@ -11876,29 +18060,54 @@ "name": "https://security.netapp.com/advisory/ntap-20180629-0006/" }, { - "source": "CONFIRM", - "url": "http://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html", - "name": "http://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html" + "source": "MLIST", + "url": "https://lists.apache.org/thread.html/rf5230a049d989dbfdd404b4320a265dceeeba459a4d04ec21873bd55@%3Csolr-user.lucene.apache.org%3E", + "name": "[lucene-solr-user] 20200320 Re: CVEs (vulnerabilities) that apply to Solr 8.4.1" }, { - "source": "MISC", - "url": "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html", - "name": "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html" + "source": "SECUNIA", + "url": "http://secunia.com/advisories/59464", + "name": "59464" }, { - "source": "SECTRACK", - "url": "http://www.securitytracker.com/id/1036056", - "name": "1036056" + "source": "MLIST", + "url": "https://lists.apache.org/thread.html/2454e058fd05ba30ca29442fdeb7ea47505d47a888fbc9f3a53f31d0@%3Cissues.commons.apache.org%3E", + "name": "[commons-issues] 20190615 [jira] [Resolved] (BEANUTILS-520) BeanUtils2 mitigate CVE-2014-0114" + }, + { + "source": "MLIST", + "url": "https://lists.apache.org/thread.html/1f78f1e32cc5614ec0c5b822ba4bd7fc8e8b5c46c8e038b6bd609cb5@%3Cissues.commons.apache.org%3E", + "name": "[commons-issues] 20190906 [jira] [Closed] (CONFIGURATION-755) [CVE-2014-0114] Update Apache Commons BeanUtils from 1.9.3 to 1.9.4." 
}, { "source": "CONFIRM", - "url": "http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html", - "name": "http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html" + "url": "http://www.oracle.com/technetwork/topics/security/cpujul2014-1972956.html", + "name": "http://www.oracle.com/technetwork/topics/security/cpujul2014-1972956.html" }, { "source": "CONFIRM", - "url": "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html", - "name": "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html" + "url": "http://www.ibm.com/support/docview.wss?uid=swg21675496", + "name": "http://www.ibm.com/support/docview.wss?uid=swg21675496" + }, + { + "source": "CONFIRM", + "url": "http://www-01.ibm.com/support/docview.wss?uid=swg21675689", + "name": "http://www-01.ibm.com/support/docview.wss?uid=swg21675689" + }, + { + "source": "CONFIRM", + "url": "http://www.vmware.com/security/advisories/VMSA-2014-0008.html", + "name": "http://www.vmware.com/security/advisories/VMSA-2014-0008.html" + }, + { + "source": "MISC", + "url": "https://lists.apache.org/thread.html/4c3fd707a049bfe0577dba8fc9c4868ffcdabe68ad86586a0a49242e@%3Cissues.commons.apache.org%3E", + "name": "https://lists.apache.org/thread.html/4c3fd707a049bfe0577dba8fc9c4868ffcdabe68ad86586a0a49242e@%3Cissues.commons.apache.org%3E" + }, + { + "source": "MLIST", + "url": "https://lists.apache.org/thread.html/42ad6326d62ea8453d0d0ce12eff39bbb7c5b4fca9639da007291346@%3Cissues.commons.apache.org%3E", + "name": "[commons-issues] 20190528 [jira] [Work logged] (BEANUTILS-520) BeanUtils2 mitigate CVE-2014-0114" }, { "source": "CONFIRM", 
@@ -11911,297 +18120,264 @@ "name": "https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html" }, { - "source": "CONFIRM", - "url": "https://security-tracker.debian.org/tracker/CVE-2016-1181", - "name": "https://security-tracker.debian.org/tracker/CVE-2016-1181" + "source": "MANDRIVA", + "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2014:095", + "name": "MDVSA-2014:095" }, { - "source": "JVN", - "url": "http://jvn.jp/en/jp/JVN03188560/index.html", - "name": "JVN#03188560" + "source": "OSSIndex", + "url": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0114", + "name": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0114" }, { - "source": "MISC", - "url": "https://www.oracle.com/security-alerts/cpujan2020.html", - "name": "https://www.oracle.com/security-alerts/cpujan2020.html" - } - ], - "vulnerableSoftware": [ + "source": "SECUNIA", + "url": "http://secunia.com/advisories/58710", + "name": "58710" + }, { - "software": { - "id": "cpe:2.3:a:apache:struts:1.2.0:*:*:*:*:*:*:*" - } + "source": "MLIST", + "url": "https://lists.apache.org/thread.html/3f500972dceb48e3cb351f58565aecf6728b1ea7a69593af86c30b30@%3Cissues.activemq.apache.org%3E", + "name": "[activemq-issues] 20190904 [jira] [Created] (ARTEMIS-2470) Update Apache BeanUtils to Address CVE-2014-0114" }, { - "software": { - "id": "cpe:2.3:a:apache:struts:1.3.7:*:*:*:*:*:*:*" - } + "source": "MLIST", + "url": "https://lists.apache.org/thread.html/9317fd092b257a0815434b116a8af8daea6e920b6673f4fd5583d5fe@%3Ccommits.druid.apache.org%3E", + "name": "[druid-commits] 20191115 [GitHub] [incubator-druid] ccaominh opened a new pull request #8878: Address security vulnerabilities" }, { - "software": { - "id": "cpe:2.3:a:oracle:banking_platform:2.4.1:*:*:*:*:*:*:*" - } + "source": "MLIST", + "url": "https://lists.apache.org/thread.html/r204ba2a9ea750f38d789d2bb429cc0925ad6133deea7cbc3001d96b5@%3Csolr-user.lucene.apache.org%3E", + "name": "[lucene-solr-user] 20200320 
CVEs (vulnerabilities) that apply to Solr 8.4.1" }, { - "software": { - "id": "cpe:2.3:a:apache:struts:1.2.7:*:*:*:*:*:*:*" - } + "source": "BID", + "url": "http://www.securityfocus.com/bid/67121", + "name": "67121" }, { - "software": { - "id": "cpe:2.3:a:apache:struts:1.1:b2:*:*:*:*:*:*" - } + "source": "MLIST", + "url": "https://lists.apache.org/thread.html/40fc236a35801a535cd49cf1979dbeab034b833c63a284941bce5bf1@%3Cdev.commons.apache.org%3E", + "name": "[commons-dev] 20190522 [beanutils2] CVE-2014-0114 Pull Request" }, { - "software": { - "id": "cpe:2.3:a:apache:struts:1.2.3:*:*:*:*:*:*:*" - } + "source": "MLIST", + "url": "https://lists.apache.org/thread.html/cee6b1c4533be1a753614f6a7d7c533c42091e7cafd7053b8f62792a@%3Cissues.commons.apache.org%3E", + "name": "[commons-issues] 20190615 [jira] [Updated] (BEANUTILS-520) BeanUtils2 mitigate CVE-2014-0114" }, { - "software": { - "id": "cpe:2.3:a:apache:struts:1.3.9:*:*:*:*:*:*:*" - } + "source": "MLIST", + "url": "https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc@%3Cissues.drill.apache.org%3E", + "name": "[drill-issues] 20191021 [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities" }, { - "software": { - "id": "cpe:2.3:a:apache:struts:1.1:b3:*:*:*:*:*:*" - } + "source": "CONFIRM", + "url": "http://www-01.ibm.com/support/docview.wss?uid=swg21676931", + "name": "http://www-01.ibm.com/support/docview.wss?uid=swg21676931" }, { - "software": { - "id": "cpe:2.3:a:apache:struts:1.2.6:*:*:*:*:*:*:*" - } + "source": "BUGTRAQ", + "url": "http://www.securityfocus.com/archive/1/534161/100/0/threaded", + "name": "20141205 NEW: VMSA-2014-0012 - VMware vSphere product updates address security vulnerabilities" }, { - "software": { - "id": "cpe:2.3:a:apache:struts:1.2.4:*:*:*:*:*:*:*" - } + "source": "MISC", + "url": 
"https://lists.apache.org/thread.html/15fcdf27fa060de276edc0b4098526afc21c236852eb3de9be9594f3@%3Cissues.commons.apache.org%3E", + "name": "https://lists.apache.org/thread.html/15fcdf27fa060de276edc0b4098526afc21c236852eb3de9be9594f3@%3Cissues.commons.apache.org%3E" }, { - "software": { - "id": "cpe:2.3:a:oracle:banking_platform:2.4.0:*:*:*:*:*:*:*" - } + "source": "MLIST", + "url": "http://openwall.com/lists/oss-security/2014/06/15/10", + "name": "[oss-security] 20140616 CVE request for commons-beanutils: 'class' property is exposed, potentially leading to RCE" }, { - "software": { - "id": "cpe:2.3:a:apache:struts:1.2.5:*:*:*:*:*:*:*" - } + "source": "REDHAT", + "url": "https://access.redhat.com/errata/RHSA-2018:2669", + "name": "RHSA-2018:2669" }, { - "software": { - "id": "cpe:2.3:a:apache:struts:1.3.8:*:*:*:*:*:*:*" - } + "source": "CONFIRM", + "url": "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html", + "name": "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html" }, { - "software": { - "id": "cpe:2.3:a:apache:struts:1.3.5:*:*:*:*:*:*:*" - } + "source": "MLIST", + "url": "https://lists.apache.org/thread.html/fda473f46e51019a78ab217a7a3a3d48dafd90846e75bd5536ef72f3@%3Cnotifications.commons.apache.org%3E", + "name": "[commons-notifications] 20190528 Build failed in Jenkins: commons-beanutils #74" }, { - "software": { - "id": "cpe:2.3:a:apache:struts:1.2.2:*:*:*:*:*:*:*" - } + "source": "CONFIRM", + "url": "http://www-01.ibm.com/support/docview.wss?uid=swg21676091", + "name": "http://www-01.ibm.com/support/docview.wss?uid=swg21676091" }, + { + "source": "OSSIndex", + "url": "https://issues.apache.org/jira/browse/BEANUTILS-463", + "name": "https://issues.apache.org/jira/browse/BEANUTILS-463" + } + ], + "vulnerableSoftware": [ { "software": { - "id": "cpe:2.3:a:apache:struts:1.0:beta3:*:*:*:*:*:*" + "id": "cpe:2.3:a:apache:commons_beanutils:*:*:*:*:*:*:*:*", + "versionEndIncluding": "1.9.1" } }, { "software": { - 
"id": "cpe:2.3:a:apache:struts:1.2.9:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:apache:struts:1.0:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:apache:struts:1.1:rc1:*:*:*:*:*:*" + "id": "cpe:2.3:a:apache:struts:1.0.2:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:oracle:portal:11.1.1.6:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:apache:struts:1.1:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:apache:struts:1.0:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:apache:struts:1.1:b1:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:apache:struts:1.3.6:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:apache:struts:1.1:b2:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:apache:struts:1.0.1:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:apache:struts:1.1:b3:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:oracle:banking_platform:2.5.0:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:apache:struts:1.1:rc1:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:apache:struts:1.2.1:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:apache:struts:1.1:rc2:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:apache:struts:1.1:rc2:*:*:*:*:*:*" + "id": "cpe:2.3:a:apache:struts:1.2.2:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:apache:struts:1.1:b1:*:*:*:*:*:*" + "id": "cpe:2.3:a:apache:struts:1.2.4:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:apache:struts:1.0:beta1:*:*:*:*:*:*" + "id": "cpe:2.3:a:apache:struts:1.2.6:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:apache:struts:1.1:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:apache:struts:1.2.7:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:apache:struts:1.3.10:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:apache:struts:1.2.8:*:*:*:*:*:*:*", + "vulnerabilityIdMatched": "true" } }, { "software": { - "id": "cpe:2.3:a:oracle:banking_platform:2.3.0:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:apache:struts:1.2.9:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:apache:struts:1.2.8:*:*:*:*:*:*:*", - "vulnerabilityIdMatched": "true" + "id": "cpe:2.3:a:apache:struts:1.3.5:*:*:*:*:*:*:*" } 
}, { "software": { - "id": "cpe:2.3:a:apache:struts:1.0:beta2:*:*:*:*:*:*" + "id": "cpe:2.3:a:apache:struts:1.3.8:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:apache:struts:1.0.2:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:apache:struts:1.3.10:*:*:*:*:*:*:*" } } ] }, { "source": "NVD", - "name": "CVE-2016-1182", + "name": "CVE-2015-0899", "severity": "HIGH", "cvssv2": { - "score": 6.4, + "score": 5.0, "accessVector": "NETWORK", "accessComplexity": "LOW", "authenticationr": "NONE", "confidentialImpact": "NONE", "integrityImpact": "PARTIAL", - "availabilityImpact": "PARTIAL", + "availabilityImpact": "NONE", "severity": "MEDIUM", "version": "2.0", "exploitabilityScore": "10.0", - "impactScore": "4.9" + "impactScore": "2.9", + "acInsufInfo": "true" }, "cvssv3": { - "baseScore": 8.2, + "baseScore": 7.5, "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", - "integrityImpact": "LOW", - "availabilityImpact": "HIGH", + "integrityImpact": "HIGH", + "availabilityImpact": "NONE", "baseSeverity": "HIGH", "exploitabilityScore": "3.9", - "impactScore": "4.2", + "impactScore": "3.6", "version": "3.0" }, "cwes": [ "CWE-20" ], - "description": "ActionServlet.java in Apache Struts 1 1.x through 1.3.10 does not properly restrict the Validator configuration, which allows remote attackers to conduct cross-site scripting (XSS) attacks or cause a denial of service via crafted input, a related issue to CVE-2015-0899.", + "description": "The MultiPageValidator implementation in Apache Struts 1 1.1 through 1.3.10 allows remote attackers to bypass intended access restrictions via a modified page parameter.", "notes": "", "references": [ { "source": "CONFIRM", - "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1343540", - "name": "https://bugzilla.redhat.com/show_bug.cgi?id=1343540" - }, - { - "source": "CONFIRM", - "url": 
"http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html", - "name": "http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html" - }, - { - "source": "MISC", - "url": "https://www.oracle.com/security-alerts/cpujul2020.html", - "name": "https://www.oracle.com/security-alerts/cpujul2020.html" - }, - { - "source": "CONFIRM", - "url": "http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html", - "name": "http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html" - }, - { - "source": "CONFIRM", - "url": "https://github.com/kawasima/struts1-forever/commit/eda3a79907ed8fcb0387a0496d0cb14332f250e8", - "name": "https://github.com/kawasima/struts1-forever/commit/eda3a79907ed8fcb0387a0496d0cb14332f250e8" - }, - { - "source": "MISC", - "url": "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html", - "name": "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html" + "url": "https://security.netapp.com/advisory/ntap-20180629-0006/", + "name": "https://security.netapp.com/advisory/ntap-20180629-0006/" }, { - "source": "BID", - "url": "http://www.securityfocus.com/bid/91787", - "name": "91787" + "source": "OSSIndex", + "url": "http://jvndb.jvn.jp/en/contents/2015/JVNDB-2015-000042.html", + "name": "http://jvndb.jvn.jp/en/contents/2015/JVNDB-2015-000042.html" }, { - "source": "JVN", - "url": "http://jvn.jp/en/jp/JVN65044642/index.html", - "name": "JVN#65044642" + "source": "OSSIndex", + "url": "https://en.osdn.jp/projects/terasoluna/wiki/StrutsPatch2-EN", + "name": "https://en.osdn.jp/projects/terasoluna/wiki/StrutsPatch2-EN" }, { "source": "JVNDB", - "url": "http://jvndb.jvn.jp/jvndb/JVNDB-2016-000097", - "name": "JVNDB-2016-000097" - }, - { - "source": "CONFIRM", - "url": "https://security.netapp.com/advisory/ntap-20180629-0006/", - "name": "https://security.netapp.com/advisory/ntap-20180629-0006/" - }, - { - "source": "CONFIRM", - "url": 
"http://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html", - "name": "http://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html" + "url": "http://jvndb.jvn.jp/jvndb/JVNDB-2015-000042", + "name": "JVNDB-2015-000042" }, { "source": "BID", - "url": "http://www.securityfocus.com/bid/91067", - "name": "91067" - }, - { - "source": "MISC", - "url": "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html", - "name": "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html" + "url": "http://www.securityfocus.com/bid/74423", + "name": "74423" }, { - "source": "SECTRACK", - "url": "http://www.securitytracker.com/id/1036056", - "name": "1036056" + "source": "OSSIndex", + "url": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0899", + "name": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0899" }, { "source": "CONFIRM", 
@@ -12209,60 +18385,50 @@ "name": "http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html" }, { - "source": "CONFIRM", - "url": "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html", - "name": "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html" + "source": "OSSINDEX", + "url": "https://ossindex.sonatype.org/vulnerability/CVE-2015-0899?component-type=maven&component-name=struts%2Fstruts&utm_source=dependency-check&utm_medium=integration&utm_content=8.0.2", + "name": "[CVE-2015-0899] CWE-20: Improper Input Validation" }, { - "source": "CONFIRM", - "url": "https://security-tracker.debian.org/tracker/CVE-2016-1182", - "name": "https://security-tracker.debian.org/tracker/CVE-2016-1182" + "source": "DEBIAN", + "url": "http://www.debian.org/security/2016/dsa-3536", + "name": "DSA-3536" }, { - "source": "CONFIRM", - "url": "http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html", - "name": "http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html" + "source": "JVN", + "url": "http://jvn.jp/en/jp/JVN86448949/index.html", + "name": "JVN#86448949" }, { "source": "CONFIRM", - "url": "https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html", - "name": "https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html" - }, - { - "source": "MISC", - "url": "https://www.oracle.com/security-alerts/cpujan2020.html", - "name": "https://www.oracle.com/security-alerts/cpujan2020.html" + "url": "https://en.osdn.jp/projects/terasoluna/wiki/StrutsPatch2-EN", + "name": "https://en.osdn.jp/projects/terasoluna/wiki/StrutsPatch2-EN" } ], "vulnerableSoftware": [ { "software": { - "id": "cpe:2.3:a:apache:struts:1.2.0:*:*:*:*:*:*:*" - } - }, - { - "software": { - "id": "cpe:2.3:a:apache:struts:1.3.7:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:apache:struts:1.0:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:apache:struts:1.2.7:*:*:*:*:*:*:*" + "id": 
"cpe:2.3:a:apache:struts:1.0.2:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:apache:struts:1.1:b2:*:*:*:*:*:*" + "id": "cpe:2.3:a:apache:struts:1.1:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:apache:struts:1.2.3:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:apache:struts:1.1:b1:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:apache:struts:1.3.9:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:apache:struts:1.1:b2:*:*:*:*:*:*" } }, { @@ -12272,37 +18438,38 @@ }, { "software": { - "id": "cpe:2.3:a:apache:struts:1.2.6:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:apache:struts:1.1:rc1:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:apache:struts:1.2.4:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:apache:struts:1.1:rc2:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:apache:struts:1.2.5:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:apache:struts:1.2.2:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:apache:struts:1.3.8:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:apache:struts:1.2.4:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:apache:struts:1.3.5:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:apache:struts:1.2.6:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:apache:struts:1.2.2:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:apache:struts:1.2.7:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:apache:struts:1.0:beta3:*:*:*:*:*:*" + "id": "cpe:2.3:a:apache:struts:1.2.8:*:*:*:*:*:*:*", + "vulnerabilityIdMatched": "true" } }, { 
@@ -12312,102 +18479,209 @@ }, { "software": { - "id": "cpe:2.3:a:apache:struts:1.1:rc1:*:*:*:*:*:*" + "id": "cpe:2.3:a:apache:struts:1.3.5:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:apache:struts:1.0:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:apache:struts:1.3.8:*:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:apache:struts:1.3.6:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:apache:struts:1.3.10:*:*:*:*:*:*:*" } + } + ] + }, + { + "source": "NVD", + "name": "CVE-2006-1548", + "severity": "MEDIUM", + "cvssv2": { + "score": 4.3, + "accessVector": "NETWORK", + "accessComplexity": "MEDIUM", + "authenticationr": "NONE", + "confidentialImpact": "NONE", + "integrityImpact": "PARTIAL", + "availabilityImpact": "NONE", + "severity": "MEDIUM", + "version": "2.0", + "exploitabilityScore": "8.6", + "impactScore": "2.9" + }, + "cwes": [ + "NVD-CWE-Other" + ], + "description": "Cross-site scripting (XSS) vulnerability in (1) LookupDispatchAction and possibly (2) DispatchAction and (3) ActionDispatcher in Apache Software Foundation (ASF) Struts before 1.2.9 allows remote attackers to inject arbitrary web script or HTML via the parameter name, which is not filtered in the resulting error message.", + "notes": "", + "references": [ + { + "source": "VUPEN", + "url": "http://www.vupen.com/english/advisories/2006/1205", + "name": "ADV-2006-1205" }, { - "software": { - "id": "cpe:2.3:a:apache:struts:1.0.1:*:*:*:*:*:*:*" - } + "source": "SUSE", + "url": "http://lists.suse.com/archive/suse-security-announce/2006-May/0004.html", + "name": "SUSE-SR:2006:010" }, { - "software": { - "id": "cpe:2.3:a:apache:struts:1.2.1:*:*:*:*:*:*:*" - } + "source": "CONFIRM", + "url": "https://issues.apache.org/struts/browse/STR-2781", + "name": "https://issues.apache.org/struts/browse/STR-2781" }, { - "software": { - "id": "cpe:2.3:a:apache:struts:1.1:rc2:*:*:*:*:*:*" - } + "source": "OSSIndex", + "url": "http://securitytracker.com/id?1015856", + "name": "http://securitytracker.com/id?1015856" }, { - 
"software": { - "id": "cpe:2.3:a:apache:struts:1.1:b1:*:*:*:*:*:*" - } + "source": "OSSINDEX", + "url": "https://ossindex.sonatype.org/vulnerability/CVE-2006-1548?component-type=maven&component-name=struts%2Fstruts&utm_source=dependency-check&utm_medium=integration&utm_content=8.0.2", + "name": "[CVE-2006-1548] CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')" }, { - "software": { - "id": "cpe:2.3:a:apache:struts:1.0:beta1:*:*:*:*:*:*" - } + "source": "CONFIRM", + "url": "http://struts.apache.org/struts-doc-1.2.9/userGuide/release-notes.html", + "name": "http://struts.apache.org/struts-doc-1.2.9/userGuide/release-notes.html" }, { - "software": { - "id": "cpe:2.3:a:apache:struts:1.1:*:*:*:*:*:*:*" - } + "source": "CONFIRM", + "url": "http://issues.apache.org/bugzilla/show_bug.cgi?id=38749", + "name": "http://issues.apache.org/bugzilla/show_bug.cgi?id=38749" }, { - "software": { - "id": "cpe:2.3:a:apache:struts:1.3.10:*:*:*:*:*:*:*" - } + "source": "SECUNIA", + "url": "http://secunia.com/advisories/20117", + "name": "20117" }, { - "software": { - "id": "cpe:2.3:a:apache:struts:1.2.8:*:*:*:*:*:*:*", - "vulnerabilityIdMatched": "true" - } + "source": "BID", + "url": "http://www.securityfocus.com/bid/17342", + "name": "17342" }, { - "software": { - "id": "cpe:2.3:a:apache:struts:1.0:beta2:*:*:*:*:*:*" - } + "source": "XF", + "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/25614", + "name": "struts-lookupmap-xss(25614)" + }, + { + "source": "SECUNIA", + "url": "http://secunia.com/advisories/19493", + "name": "19493" + }, + { + "source": "SECTRACK", + "url": "http://securitytracker.com/id?1015856", + "name": "1015856" }, + { + "source": "OSSIndex", + "url": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2006-1548", + "name": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2006-1548" + } + ], + "vulnerableSoftware": [ { "software": { - "id": "cpe:2.3:a:apache:struts:1.0.2:*:*:*:*:*:*:*" + "id": 
"cpe:2.3:a:apache:struts:*:*:*:*:*:*:*:*", + "vulnerabilityIdMatched": "true", + "versionEndIncluding": "1.2.8" } } ] }, { - "source": "OSSINDEX", - "name": "CVE-2016-4003", + "source": "NVD", + "name": "CVE-2008-2025", "severity": "MEDIUM", - "cvssv3": { - "baseScore": 6.1, - "attackVector": "N", - "attackComplexity": "L", - "privilegesRequired": "N", - "userInteraction": "R", - "scope": "C", - "confidentialityImpact": "L", - "integrityImpact": "L", - "availabilityImpact": "N", - "baseSeverity": "MEDIUM" - }, - "cwes": [], - "description": "Cross-site scripting (XSS) vulnerability in the URLDecoder function in JRE before 1.8, as used in Apache Struts 2.x before 2.3.28, when using a single byte page encoding, allows remote attackers to inject arbitrary web script or HTML via multi-byte characters in a url-encoded parameter.", + "cvssv2": { + "score": 4.3, + "accessVector": "NETWORK", + "accessComplexity": "MEDIUM", + "authenticationr": "NONE", + "confidentialImpact": "NONE", + "integrityImpact": "PARTIAL", + "availabilityImpact": "NONE", + "severity": "MEDIUM", + "version": "2.0", + "exploitabilityScore": "8.6", + "impactScore": "2.9", + "userInteractionRequired": "true" + }, + "cwes": [ + "CWE-79" + ], + "description": "Cross-site scripting (XSS) vulnerability in Apache Struts before 1.2.9-162.31.1 on SUSE Linux Enterprise (SLE) 11, before 1.2.9-108.2 on SUSE openSUSE 10.3, before 1.2.9-198.2 on SUSE openSUSE 11.0, and before 1.2.9-162.163.2 on SUSE openSUSE 11.1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors related to \"insufficient quoting of parameters.\"", "notes": "", "references": [ { - "source": "OSSINDEX", - "url": "https://ossindex.sonatype.org/vuln/0081c46d-8e5f-4553-9937-d25f3399d130?component-type=maven&component-name=struts.struts", - "name": "[CVE-2016-4003] Improper Neutralization of Input During Web Page Generation (\"Cross-site Scripting\")" + "source": "MISC", + "url": 
"https://bugzilla.novell.com/show_bug.cgi?id=385273", + "name": "https://bugzilla.novell.com/show_bug.cgi?id=385273" + }, + { + "source": "CONFIRM", + "url": "http://support.novell.com/security/cve/CVE-2008-2025.html", + "name": "http://support.novell.com/security/cve/CVE-2008-2025.html" + }, + { + "source": "SECUNIA", + "url": "http://secunia.com/advisories/34567", + "name": "34567" + }, + { + "source": "CONFIRM", + "url": "http://download.opensuse.org/update/10.3-test/repodata/patch-struts-5872.xml", + "name": "http://download.opensuse.org/update/10.3-test/repodata/patch-struts-5872.xml" + }, + { + "source": "SECUNIA", + "url": "http://secunia.com/advisories/34642", + "name": "34642" + }, + { + "source": "SUSE", + "url": "http://lists.opensuse.org/opensuse-security-announce/2009-04/msg00003.html", + "name": "SUSE-SR:2009:008" + }, + { + "source": "MISC", + "url": "https://launchpad.net/bugs/cve/2008-2025", + "name": "https://launchpad.net/bugs/cve/2008-2025" + }, + { + "source": "OSVDB", + "url": "http://osvdb.org/53380", + "name": "53380" } ], "vulnerableSoftware": [ { "software": { - "id": "cpe:2.3:a:struts:struts:1.2.8:*:*:*:*:*:*:*", + "id": "cpe:2.3:a:apache:struts:1.0.2:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:apache:struts:1.1:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:apache:struts:1.2.4:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:apache:struts:1.2.7:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:apache:struts:1.2.8:*:*:*:*:*:*:*", "vulnerabilityIdMatched": "true" } } 
@@ -12425,70 +18699,75 @@ "projectReferences": [ "module1:compile" ], + "includedBy": [ + { + "reference": "pkg:maven/struts/struts@1.2.8" + } + ], "evidenceCollected": { "vendorEvidence": [ { "type": "vendor", - "confidence": "HIGHEST", - "source": "pom", - "name": "groupid", + "confidence": "HIGH", + "source": "file", + "name": "name", "value": "xalan" }, { "type": "vendor", - "confidence": "MEDIUM", - "source": "manifest: org/apache/xalan", - "name": "Implementation-Vendor", - "value": "Apache Software Foundation" + "confidence": "HIGHEST", + "source": "jar", + "name": "package name", + "value": "apache" }, { "type": "vendor", - "confidence": "MEDIUM", - "source": "manifest: org/apache/xpath", - "name": "Implementation-Vendor", - "value": "Apache Software Foundation" + "confidence": "HIGHEST", + "source": "jar", + "name": "package name", + "value": "xalan" }, { "type": "vendor", - "confidence": "HIGH", - "source": "file", - "name": "name", - "value": "xalan" + "confidence": "MEDIUM", + "source": "manifest: java_cup", + "name": "Implementation-Vendor", + "value": "Princeton University" }, { "type": "vendor", "confidence": "MEDIUM", - "source": "manifest: org/apache/xalan/xsltc", + "source": "manifest: JLex", "name": "Implementation-Vendor", - "value": "Apache Software Foundation" + "value": "Princeton University" }, { "type": "vendor", - "confidence": "LOW", - "source": "pom", - "name": "artifactid", - "value": "xalan" + "confidence": "MEDIUM", + "source": "manifest: org/apache/bcel", + "name": "Implementation-Vendor", + "value": "Apache Software Foundation" }, { "type": "vendor", - "confidence": "HIGHEST", - "source": "jar", - "name": "package name", - "value": "apache" + "confidence": "MEDIUM", + "source": "manifest: org/apache/regexp", + "name": "Implementation-Vendor", + "value": "Apache Software Foundation" }, { "type": "vendor", "confidence": "MEDIUM", - "source": "manifest: org/apache/bcel", + "source": "manifest: org/apache/xalan", "name": 
"Implementation-Vendor", "value": "Apache Software Foundation" }, { "type": "vendor", "confidence": "MEDIUM", - "source": "manifest: runtime", + "source": "manifest: org/apache/xalan/xsltc", "name": "Implementation-Vendor", - "value": "Princeton University" + "value": "Apache Software Foundation" }, { "type": "vendor", @@ -12500,46 +18779,67 @@ { "type": "vendor", "confidence": "MEDIUM", - "source": "manifest: JLex", + "source": "manifest: org/apache/xpath", "name": "Implementation-Vendor", - "value": "Princeton University" + "value": "Apache Software Foundation" }, { "type": "vendor", "confidence": "MEDIUM", - "source": "manifest: java_cup", + "source": "manifest: runtime", "name": "Implementation-Vendor", "value": "Princeton University" }, { "type": "vendor", "confidence": "HIGHEST", - "source": "jar", - "name": "package name", + "source": "pom", + "name": "artifactid", "value": "xalan" }, { "type": "vendor", - "confidence": "MEDIUM", - "source": "manifest: org/apache/regexp", - "name": "Implementation-Vendor", - "value": "Apache Software Foundation" + "confidence": "LOW", + "source": "pom", + "name": "artifactid", + "value": "xalan" + }, + { + "type": "vendor", + "confidence": "HIGHEST", + "source": "pom", + "name": "groupid", + "value": "xalan" } ], "productEvidence": [ + { + "type": "product", + "confidence": "HIGH", + "source": "file", + "name": "name", + "value": "xalan" + }, { "type": "product", "confidence": "HIGHEST", "source": "jar", "name": "package name", - "value": "runtime" + "value": "apache" }, { "type": "product", "confidence": "HIGHEST", "source": "jar", "name": "package name", - "value": "xpath" + "value": "bcel" + }, + { + "type": "product", + "confidence": "HIGHEST", + "source": "jar", + "name": "package name", + "value": "code" }, { "type": "product", 
@@ -12550,122 +18850,115 @@ }, { "type": "product", - "confidence": "MEDIUM", - "source": "manifest: org/apache/regexp", - "name": "Specification-Title", - "value": "Java Regular Expression package" + "confidence": "HIGHEST", + "source": "jar", + "name": "package name", + "value": "java_cup" }, { "type": "product", - "confidence": "HIGH", - "source": "file", - "name": "name", - "value": "xalan" + "confidence": "HIGHEST", + "source": "jar", + "name": "package name", + "value": "regexp" }, { "type": "product", - "confidence": "MEDIUM", - "source": "manifest: JLex", - "name": "Specification-Title", - "value": "A Lexical Analyzer for Java" + "confidence": "HIGHEST", + "source": "jar", + "name": "package name", + "value": "runtime" }, { "type": "product", "confidence": "HIGHEST", "source": "jar", "name": "package name", - "value": "xsltc" + "value": "xalan" }, { "type": "product", - "confidence": "MEDIUM", - "source": "manifest: org/apache/regexp", - "name": "Implementation-Title", - "value": "org.apache.regexp" + "confidence": "HIGHEST", + "source": "jar", + "name": "package name", + "value": "xml" }, { "type": "product", "confidence": "HIGHEST", "source": "jar", "name": "package name", - "value": "java_cup" + "value": "xpath" }, { "type": "product", "confidence": "HIGHEST", "source": "jar", "name": "package name", - "value": "regexp" + "value": "xsltc" }, { "type": "product", "confidence": "MEDIUM", - "source": "manifest: org/apache/bcel", + "source": "manifest: java_cup", "name": "Implementation-Title", - "value": "org.apache.bcel" + "value": "java_cup" }, { "type": "product", "confidence": "MEDIUM", - "source": "manifest: org/apache/bcel", + "source": "manifest: java_cup", "name": "Specification-Title", - "value": "Byte Code Engineering Library" + "value": "Parser Generator for Java" }, { "type": "product", "confidence": "MEDIUM", - "source": "manifest: org/apache/xalan/xsltc", + "source": "manifest: JLex", "name": "Implementation-Title", - "value": 
"org.apache.xalan.xsltc" + "value": "JLex" }, { "type": "product", - "confidence": "HIGHEST", - "source": "jar", - "name": "package name", - "value": "xalan" + "confidence": "MEDIUM", + "source": "manifest: JLex", + "name": "Specification-Title", + "value": "A Lexical Analyzer for Java" }, { "type": "product", "confidence": "MEDIUM", - "source": "manifest: JLex", + "source": "manifest: org/apache/bcel", "name": "Implementation-Title", - "value": "JLex" + "value": "org.apache.bcel" }, { "type": "product", - "confidence": "HIGHEST", - "source": "jar", - "name": "package name", - "value": "xml" + "confidence": "MEDIUM", + "source": "manifest: org/apache/bcel", + "name": "Specification-Title", + "value": "Byte Code Engineering Library" }, { "type": "product", "confidence": "MEDIUM", - "source": "manifest: java_cup", + "source": "manifest: org/apache/regexp", "name": "Implementation-Title", - "value": "java_cup" - }, - { - "type": "product", - "confidence": "HIGHEST", - "source": "pom", - "name": "groupid", - "value": "xalan" + "value": "org.apache.regexp" }, { "type": "product", "confidence": "MEDIUM", - "source": "manifest: org/apache/xalan/xsltc", + "source": "manifest: org/apache/regexp", "name": "Specification-Title", - "value": "Java API for XML Processing" + "value": "Java Regular Expression package" }, { "type": "product", - "confidence": "HIGHEST", - "source": "jar", - "name": "package name", - "value": "code" + "confidence": "MEDIUM", + "source": "manifest: org/apache/xalan", + "name": "Implementation-Title", + "value": "org.apache.xalan" }, { "type": "product", 
@@ -12676,17 +18969,17 @@ }, { "type": "product", - "confidence": "HIGHEST", - "source": "jar", - "name": "package name", - "value": "apache" + "confidence": "MEDIUM", + "source": "manifest: org/apache/xalan/xsltc", + "name": "Implementation-Title", + "value": "org.apache.xalan.xsltc" }, { "type": "product", "confidence": "MEDIUM", - "source": "manifest: org/apache/xalan", - "name": "Implementation-Title", - "value": "org.apache.xalan" + "source": "manifest: org/apache/xalan/xsltc", + "name": "Specification-Title", + "value": "Java API for XML Processing" }, { "type": "product", @@ -12695,13 +18988,6 @@ "name": "Implementation-Title", "value": "org.apache.xml" }, - { - "type": "product", - "confidence": "HIGHEST", - "source": "pom", - "name": "artifactid", - "value": "xalan" - }, { "type": "product", "confidence": "MEDIUM", @@ -12711,10 +18997,10 @@ }, { "type": "product", - "confidence": "HIGHEST", - "source": "jar", - "name": "package name", - "value": "bcel" + "confidence": "MEDIUM", + "source": "manifest: runtime", + "name": "Implementation-Title", + "value": "runtime" }, { "type": "product", 
@@ -12725,59 +19011,59 @@ }, { "type": "product", - "confidence": "MEDIUM", - "source": "manifest: java_cup", - "name": "Specification-Title", - "value": "Parser Generator for Java" + "confidence": "HIGHEST", + "source": "pom", + "name": "artifactid", + "value": "xalan" }, { "type": "product", - "confidence": "MEDIUM", - "source": "manifest: runtime", - "name": "Implementation-Title", - "value": "runtime" + "confidence": "HIGHEST", + "source": "pom", + "name": "groupid", + "value": "xalan" } ], "versionEvidence": [ { "type": "version", - "confidence": "MEDIUM", - "source": "manifest: org/apache/bcel", - "name": "Implementation-Version", + "confidence": "HIGH", + "source": "file", + "name": "version", "value": "2.5.1" }, { "type": "version", "confidence": "MEDIUM", - "source": "manifest: org/apache/xalan", + "source": "manifest: java_cup", "name": "Implementation-Version", "value": "2.5.1" }, { "type": "version", - "confidence": "HIGH", - "source": "file", - "name": "version", + "confidence": "MEDIUM", + "source": "manifest: JLex", + "name": "Implementation-Version", "value": "2.5.1" }, { "type": "version", "confidence": "MEDIUM", - "source": "manifest: org/apache/xml", + "source": "manifest: org/apache/bcel", "name": "Implementation-Version", "value": "2.5.1" }, { "type": "version", "confidence": "MEDIUM", - "source": "manifest: JLex", + "source": "manifest: org/apache/regexp", "name": "Implementation-Version", "value": "2.5.1" }, { "type": "version", "confidence": "MEDIUM", - "source": "manifest: org/apache/xpath", + "source": "manifest: org/apache/xalan", "name": "Implementation-Version", "value": "2.5.1" }, 
@@ -12791,14 +19077,14 @@ { "type": "version", "confidence": "MEDIUM", - "source": "manifest: java_cup", + "source": "manifest: org/apache/xml", "name": "Implementation-Version", "value": "2.5.1" }, { "type": "version", "confidence": "MEDIUM", - "source": "manifest: org/apache/regexp", + "source": "manifest: org/apache/xpath", "name": "Implementation-Version", "value": "2.5.1" }, @@ -12822,7 +19108,7 @@ { "id": "pkg:maven/xalan/xalan@2.5.1", "confidence": "HIGH", - "url": "https://ossindex.sonatype.org/component/pkg:maven/xalan/xalan@2.5.1" + "url": "https://ossindex.sonatype.org/component/pkg:maven/xalan/xalan@2.5.1?utm_source=dependency-check&utm_medium=integration&utm_content=8.0.2" } ], "vulnerabilityIds": [ 
@@ -12835,284 +19121,1313 @@ "vulnerabilities": [ { "source": "NVD", - "name": "CVE-2014-0107", + "name": "CVE-2014-0107", + "severity": "HIGH", + "cvssv2": { + "score": 7.5, + "accessVector": "NETWORK", + "accessComplexity": "LOW", + "authenticationr": "NONE", + "confidentialImpact": "PARTIAL", + "integrityImpact": "PARTIAL", + "availabilityImpact": "PARTIAL", + "severity": "HIGH", + "version": "2.0", + "exploitabilityScore": "10.0", + "impactScore": "6.4" + }, + "cwes": [ + "CWE-264" + ], + "description": "The TransformerFactory in Apache Xalan-Java before 2.7.2 does not properly restrict access to certain properties when FEATURE_SECURE_PROCESSING is enabled, which allows remote attackers to bypass expected restrictions and load arbitrary classes or access external resources via a crafted (1) xalan:content-header, (2) xalan:entities, (3) xslt:content-header, or (4) xslt:entities property, or a Java property that is bound to the XSLT 1.0 system-property function.", + "notes": "", + "references": [ + { + "source": "SECUNIA", + "url": "http://secunia.com/advisories/59369", + "name": "59369" + }, + { + "source": "SECUNIA", + "url": "http://secunia.com/advisories/59711", + "name": "59711" + }, + { + "source": "GENTOO", + "url": "https://security.gentoo.org/glsa/201604-02", + "name": "GLSA-201604-02" + }, + { + "source": "MLIST", + "url": "https://lists.apache.org/thread.html/r2900489bc665a2e32d021bb21f6ce2cb8e6bb5973490eebb9a346bca@%3Cdev.tomcat.apache.org%3E", + "name": "[tomcat-dev] 20210823 [Bug 65516] upgrade to xalan 2.7.2 to address CVE-2014-0107" + }, + { + "source": "CONFIRM", + "url": "https://www.tenable.com/security/tns-2018-15", + "name": "https://www.tenable.com/security/tns-2018-15" + }, + { + "source": "MLIST", + "url": "https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3Cdev.drill.apache.org%3E", + "name": "[drill-dev] 20191021 [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve 
potential security vulnerabilities" + }, + { + "source": "SECTRACK", + "url": "http://www.securitytracker.com/id/1034716", + "name": "1034716" + }, + { + "source": "OSSIndex", + "url": "https://issues.apache.org/jira/browse/XALANJ-2435", + "name": "https://issues.apache.org/jira/browse/XALANJ-2435" + }, + { + "source": "SECUNIA", + "url": "http://secunia.com/advisories/59247", + "name": "59247" + }, + { + "source": "CONFIRM", + "url": "https://issues.apache.org/jira/browse/XALANJ-2435", + "name": "https://issues.apache.org/jira/browse/XALANJ-2435" + }, + { + "source": "CONFIRM", + "url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05324755", + "name": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05324755" + }, + { + "source": "CONFIRM", + "url": "http://www-01.ibm.com/support/docview.wss?uid=swg21680703", + "name": "http://www-01.ibm.com/support/docview.wss?uid=swg21680703" + }, + { + "source": "DEBIAN", + "url": "http://www.debian.org/security/2014/dsa-2886", + "name": "DSA-2886" + }, + { + "source": "CONFIRM", + "url": "http://svn.apache.org/viewvc?view=revision&revision=1581058", + "name": "http://svn.apache.org/viewvc?view=revision&revision=1581058" + }, + { + "source": "SECUNIA", + "url": "http://secunia.com/advisories/57563", + "name": "57563" + }, + { + "source": "REDHAT", + "url": "http://rhn.redhat.com/errata/RHSA-2015-1888.html", + "name": "RHSA-2015:1888" + }, + { + "source": "MISC", + "url": "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html", + "name": "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html" + }, + { + "source": "BID", + "url": "http://www.securityfocus.com/bid/66397", + "name": "66397" + }, + { + "source": "SECUNIA", + "url": "http://secunia.com/advisories/59036", + "name": "59036" + }, + { + "source": "REDHAT", + "url": "http://rhn.redhat.com/errata/RHSA-2014-0348.html", + "name": "RHSA-2014:0348" + }, + { + 
"source": "N/A", + "url": "https://www.oracle.com//security-alerts/cpujul2021.html", + "name": "N/A" + }, + { + "source": "SECTRACK", + "url": "http://www.securitytracker.com/id/1034711", + "name": "1034711" + }, + { + "source": "CONFIRM", + "url": "http://www-01.ibm.com/support/docview.wss?uid=swg21677145", + "name": "http://www-01.ibm.com/support/docview.wss?uid=swg21677145" + }, + { + "source": "SECUNIA", + "url": "http://secunia.com/advisories/59151", + "name": "59151" + }, + { + "source": "MISC", + "url": "http://www.ocert.org/advisories/ocert-2014-002.html", + "name": "http://www.ocert.org/advisories/ocert-2014-002.html" + }, + { + "source": "CONFIRM", + "url": "http://www-01.ibm.com/support/docview.wss?uid=swg21676093", + "name": "http://www-01.ibm.com/support/docview.wss?uid=swg21676093" + }, + { + "source": "CONFIRM", + "url": "http://www.ibm.com/support/docview.wss?uid=swg21677967", + "name": "http://www.ibm.com/support/docview.wss?uid=swg21677967" + }, + { + "source": "OSSIndex", + "url": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0107", + "name": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0107" + }, + { + "source": "CONFIRM", + "url": "http://www-01.ibm.com/support/docview.wss?uid=swg21674334", + "name": "http://www-01.ibm.com/support/docview.wss?uid=swg21674334" + }, + { + "source": "SECUNIA", + "url": "http://secunia.com/advisories/59291", + "name": "59291" + }, + { + "source": "OSSINDEX", + "url": "https://ossindex.sonatype.org/vulnerability/CVE-2014-0107?component-type=maven&component-name=xalan%2Fxalan&utm_source=dependency-check&utm_medium=integration&utm_content=8.0.2", + "name": "[CVE-2014-0107] CWE-264: Permissions, Privileges, and Access Controls" + }, + { + "source": "MISC", + "url": "https://www.oracle.com/security-alerts/cpuoct2021.html", + "name": "https://www.oracle.com/security-alerts/cpuoct2021.html" + }, + { + "source": "CONFIRM", + "url": "http://www-01.ibm.com/support/docview.wss?uid=swg21681933", + 
"name": "http://www-01.ibm.com/support/docview.wss?uid=swg21681933" + }, + { + "source": "SECUNIA", + "url": "http://secunia.com/advisories/59290", + "name": "59290" + }, + { + "source": "MLIST", + "url": "https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442@%3Cdev.drill.apache.org%3E", + "name": "[drill-dev] 20191017 Dependencies used by Drill contain known vulnerabilities" + }, + { + "source": "SECUNIA", + "url": "http://secunia.com/advisories/59515", + "name": "59515" + }, + { + "source": "MLIST", + "url": "https://lists.apache.org/thread.html/r0c00afcab8f238562e27b3ae7b8af1913c62bc60838fb8b34c19e26b@%3Cdev.tomcat.apache.org%3E", + "name": "[tomcat-dev] 20210823 [Bug 65516] New: upgrade to xalan 2.7.2 to address CVE-2014-0107" + }, + { + "source": "XF", + "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/92023", + "name": "apache-xalanjava-cve20140107-sec-bypass(92023)" + }, + { + "source": "CONFIRM", + "url": "http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html", + "name": "http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html" + }, + { + "source": "SECUNIA", + "url": "http://secunia.com/advisories/60502", + "name": "60502" + }, + { + "source": "REDHAT", + "url": "http://rhn.redhat.com/errata/RHSA-2014-1351.html", + "name": "RHSA-2014:1351" + }, + { + "source": "CONFIRM", + "url": "http://www.oracle.com/technetwork/topics/security/cpujan2016-2367955.html", + "name": "http://www.oracle.com/technetwork/topics/security/cpujan2016-2367955.html" + } + ], + "vulnerableSoftware": [ + { + "software": { + "id": "cpe:2.3:a:apache:xalan-java:*:*:*:*:*:*:*:*", + "versionEndIncluding": "2.7.1" + } + }, + { + "software": { + "id": "cpe:2.3:a:apache:xalan-java:1.0.0:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:apache:xalan-java:2.0.0:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:apache:xalan-java:2.0.1:*:*:*:*:*:*:*" + } + }, + { + "software": { 
+ "id": "cpe:2.3:a:apache:xalan-java:2.1.0:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:apache:xalan-java:2.2.0:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:apache:xalan-java:2.4.0:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:apache:xalan-java:2.4.1:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:apache:xalan-java:2.5.0:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:apache:xalan-java:2.5.1:*:*:*:*:*:*:*", + "vulnerabilityIdMatched": "true" + } + }, + { + "software": { + "id": "cpe:2.3:a:apache:xalan-java:2.5.2:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:apache:xalan-java:2.6.0:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:apache:xalan-java:2.7.0:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:webcenter_sites:7.6.2:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:webcenter_sites:11.1.1.8.0:*:*:*:*:*:*:*" + } + } + ] + }, + { + "source": "NVD", + "name": "CVE-2022-34169", "severity": "HIGH", - "cvssv2": { - "score": 7.5, - "accessVector": "NETWORK", - "accessComplexity": "LOW", - "authenticationr": "NONE", - "confidentialImpact": "PARTIAL", - "integrityImpact": "PARTIAL", - "availabilityImpact": "PARTIAL", - "severity": "HIGH", - "version": "2.0", - "exploitabilityScore": "10.0", - "impactScore": "6.4" + "cvssv3": { + "baseScore": 7.5, + "attackVector": "NETWORK", + "attackComplexity": "LOW", + "privilegesRequired": "NONE", + "userInteraction": "NONE", + "scope": "UNCHANGED", + "confidentialityImpact": "NONE", + "integrityImpact": "HIGH", + "availabilityImpact": "NONE", + "baseSeverity": "HIGH", + "exploitabilityScore": "3.9", + "impactScore": "3.6", + "version": "3.1" }, "cwes": [ - "CWE-264" + "CWE-681" ], - "description": "The TransformerFactory in Apache Xalan-Java before 2.7.2 does not properly restrict access to certain properties when FEATURE_SECURE_PROCESSING is enabled, which allows remote 
attackers to bypass expected restrictions and load arbitrary classes or access external resources via a crafted (1) xalan:content-header, (2) xalan:entities, (3) xslt:content-header, or (4) xslt:entities property, or a Java property that is bound to the XSLT 1.0 system-property function.", + "description": "The Apache Xalan Java XSLT library is vulnerable to an integer truncation issue when processing malicious XSLT stylesheets. This can be used to corrupt Java class files generated by the internal XSLTC compiler and execute arbitrary Java bytecode. The Apache Xalan Java project is dormant and in the process of being retired. No future releases of Apache Xalan Java to address this issue are expected. Note: Java runtimes (such as OpenJDK) include repackaged copies of Xalan.", "notes": "", "references": [ { - "source": "SECUNIA", - "url": "http://secunia.com/advisories/59369", - "name": "59369" + "source": "DEBIAN", + "url": "https://www.debian.org/security/2022/dsa-5188", + "name": "DSA-5188" + }, + { + "source": "DEBIAN", + "url": "https://www.debian.org/security/2022/dsa-5192", + "name": "DSA-5192" + }, + { + "source": "FEDORA", + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YULPNO3PAWMEQQZV2C54I3H3ZOXFZUTB/", + "name": "FEDORA-2022-e573851f56" + }, + { + "source": "FEDORA", + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/I5OZNAZJ4YHLOKRRRZSWRT5OJ25E4XLM/", + "name": "FEDORA-2022-d26586b419" + }, + { + "source": "MLIST", + "url": "https://lists.debian.org/debian-lts-announce/2022/10/msg00024.html", + "name": "[debian-lts-announce] 20221018 [SECURITY] [DLA 3155-1] bcel security update" + }, + { + "source": "DEBIAN", + "url": "https://www.debian.org/security/2022/dsa-5256", + "name": "DSA-5256" + }, + { + "source": "MISC", + "url": "https://lists.apache.org/thread/12pxy4phsry6c34x2ol4fft6xlho4kyw", + "name": 
"https://lists.apache.org/thread/12pxy4phsry6c34x2ol4fft6xlho4kyw" + }, + { + "source": "MISC", + "url": "https://www.oracle.com/security-alerts/cpujul2022.html", + "name": "https://www.oracle.com/security-alerts/cpujul2022.html" + }, + { + "source": "FEDORA", + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KO3DXNKZ4EU3UZBT6AAR4XRKCD73KLMO/", + "name": "FEDORA-2022-19b6f21746" + }, + { + "source": "MLIST", + "url": "http://www.openwall.com/lists/oss-security/2022/07/20/2", + "name": "[oss-security] 20220719 Re: CVE-2022-34169: Apache Xalan Java XSLT library is vulnerable to an integer truncation issue when processing malicious XSLT stylesheets" + }, + { + "source": "MLIST", + "url": "http://www.openwall.com/lists/oss-security/2022/11/07/2", + "name": "[oss-security] 20221107 Re: CVE-2022-42920: Apache Commons BCEL prior to 6.6.0 allows producing arbitrary bytecode via out-of-bounds writing" + }, + { + "source": "MLIST", + "url": "http://www.openwall.com/lists/oss-security/2022/07/20/3", + "name": "[oss-security] 20220720 Re: CVE-2022-34169: Apache Xalan Java XSLT library is vulnerable to an integer truncation issue when processing malicious XSLT stylesheets" + }, + { + "source": "MISC", + "url": "http://packetstormsecurity.com/files/168186/Xalan-J-XSLTC-Integer-Truncation.html", + "name": "http://packetstormsecurity.com/files/168186/Xalan-J-XSLTC-Integer-Truncation.html" + }, + { + "source": "FEDORA", + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/L3XPOTPPBZIPFBZHQE5E7OW6PDACUMCJ/", + "name": "FEDORA-2022-80afe2304a" + }, + { + "source": "MLIST", + "url": "http://www.openwall.com/lists/oss-security/2022/11/04/8", + "name": "[oss-security] 20221104 Re: CVE-2022-42920: Apache Commons BCEL prior to 6.6.0 allows producing arbitrary bytecode via out-of-bounds writing" + }, + { + "source": "FEDORA", + "url": 
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JN3EVGR7FD3ZLV5SBTJXUIDCMSK4QUE2/", + "name": "FEDORA-2022-ae563934f7" + }, + { + "source": "MLIST", + "url": "http://www.openwall.com/lists/oss-security/2022/07/19/5", + "name": "[oss-security] 20220719 CVE-2022-34169: Apache Xalan Java XSLT library is vulnerable to an integer truncation issue when processing malicious XSLT stylesheets" + }, + { + "source": "MLIST", + "url": "http://www.openwall.com/lists/oss-security/2022/10/18/2", + "name": "[oss-security] 20221017 Re: CVE-2022-34169: Apache Xalan Java XSLT library is vulnerable to an integer truncation issue when processing malicious XSLT stylesheets" + }, + { + "source": "MISC", + "url": "https://lists.apache.org/thread/2qvl7r43wb4t8p9dd9om1bnkssk07sn8", + "name": "https://lists.apache.org/thread/2qvl7r43wb4t8p9dd9om1bnkssk07sn8" + }, + { + "source": "MLIST", + "url": "http://www.openwall.com/lists/oss-security/2022/07/19/6", + "name": "[oss-security] 20220719 Re: CVE-2022-34169: Apache Xalan Java XSLT library is vulnerable to an integer truncation issue when processing malicious XSLT stylesheets" + }, + { + "source": "CONFIRM", + "url": "https://security.netapp.com/advisory/ntap-20220729-0009/", + "name": "https://security.netapp.com/advisory/ntap-20220729-0009/" + }, + { + "source": "FEDORA", + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/H4YNJSJ64NPCNKFPNBYITNZU5H3L4D6L/", + "name": "FEDORA-2022-b76ab52e73" + } + ], + "vulnerableSoftware": [ + { + "software": { + "id": "cpe:2.3:a:apache:xalan-java:*:*:*:*:*:*:*:*", + "vulnerabilityIdMatched": "true", + "versionEndIncluding": "2.7.2" + } + }, + { + "software": { + "id": "cpe:2.3:a:azul:zulu:6.49:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:azul:zulu:7.55:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:azul:zulu:7.56:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": 
"cpe:2.3:a:azul:zulu:8.63:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:azul:zulu:8.64:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:azul:zulu:11.57:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:azul:zulu:11.58:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:azul:zulu:13.49:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:azul:zulu:13.50:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:azul:zulu:15.41:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:azul:zulu:15.42:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:azul:zulu:17.35:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:azul:zulu:17.36:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:azul:zulu:18.32:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:netapp:7-mode_transition_tool:-:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:vmware_vsphere:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:windows:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:netapp:cloud_insights_acquisition_unit:-:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:netapp:cloud_secure_agent:-:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:netapp:hci_management_node:-:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:netapp:oncommand_insight:-:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:netapp:solidfire:-:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:graalvm:20.3.6:*:*:*:enterprise:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:graalvm:21.3.2:*:*:*:enterprise:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:graalvm:22.1.0:*:*:*:enterprise:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:jdk:1.7.0:update343:*:*:*:*:*:*" + } + }, + { + "software": { + 
"id": "cpe:2.3:a:oracle:jdk:1.8.0:update333:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:jdk:11.0.15.1:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:jdk:17.0.3.1:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:jdk:18.0.1.1:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:jre:1.7.0:update343:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:jre:1.8.0:update333:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:jre:11.0.15.1:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:jre:17.0.3.1:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:jre:18.0.1.1:*:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:openjdk:*:*:*:*:*:*:*:*", + "versionStartIncluding": "11", + "versionEndIncluding": "11.0.15" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:openjdk:*:*:*:*:*:*:*:*", + "versionStartIncluding": "13", + "versionEndIncluding": "13.0.11" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:openjdk:*:*:*:*:*:*:*:*", + "versionStartIncluding": "15", + "versionEndIncluding": "15.0.7" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:openjdk:*:*:*:*:*:*:*:*", + "versionStartIncluding": "17", + "versionEndIncluding": "17.0.3" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:openjdk:7:-:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:openjdk:7:update1:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:openjdk:7:update10:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:openjdk:7:update101:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:openjdk:7:update11:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:openjdk:7:update111:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:openjdk:7:update121:*:*:*:*:*:*" + } + }, + { + "software": { + "id": 
"cpe:2.3:a:oracle:openjdk:7:update13:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:openjdk:7:update131:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:openjdk:7:update141:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:openjdk:7:update15:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:openjdk:7:update151:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:openjdk:7:update161:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:openjdk:7:update17:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:openjdk:7:update171:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:openjdk:7:update181:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:openjdk:7:update191:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:openjdk:7:update2:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:openjdk:7:update201:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:openjdk:7:update21:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:openjdk:7:update211:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:openjdk:7:update221:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:openjdk:7:update231:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:openjdk:7:update241:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:openjdk:7:update25:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:openjdk:7:update251:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:openjdk:7:update261:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:openjdk:7:update271:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:openjdk:7:update281:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:openjdk:7:update291:*:*:*:*:*:*" + } + }, + { + 
"software": { + "id": "cpe:2.3:a:oracle:openjdk:7:update3:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:openjdk:7:update301:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:openjdk:7:update311:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:openjdk:7:update321:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:openjdk:7:update4:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:openjdk:7:update40:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:openjdk:7:update45:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:openjdk:7:update5:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:openjdk:7:update51:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:openjdk:7:update55:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:openjdk:7:update6:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:openjdk:7:update60:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:openjdk:7:update65:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:openjdk:7:update67:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:openjdk:7:update7:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:openjdk:7:update72:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:openjdk:7:update76:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:openjdk:7:update80:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:openjdk:7:update85:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:openjdk:7:update9:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:openjdk:7:update91:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:openjdk:7:update95:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:openjdk:7:update97:*:*:*:*:*:*" + } + }, + { + 
"software": { + "id": "cpe:2.3:a:oracle:openjdk:7:update99:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:openjdk:8:-:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:openjdk:8:milestone1:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:openjdk:8:milestone2:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:openjdk:8:milestone3:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:openjdk:8:milestone4:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:openjdk:8:milestone5:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:openjdk:8:milestone6:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:openjdk:8:milestone7:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:openjdk:8:milestone8:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:openjdk:8:milestone9:*:*:*:*:*:*" + } }, { - "source": "SECUNIA", - "url": "http://secunia.com/advisories/59711", - "name": "59711" + "software": { + "id": "cpe:2.3:a:oracle:openjdk:8:update101:*:*:*:*:*:*" + } }, { - "source": "GENTOO", - "url": "https://security.gentoo.org/glsa/201604-02", - "name": "GLSA-201604-02" + "software": { + "id": "cpe:2.3:a:oracle:openjdk:8:update102:*:*:*:*:*:*" + } }, { - "source": "OSSINDEX", - "url": "https://ossindex.sonatype.org/vuln/ffed5adf-971f-4f9b-bf72-1e8cd8d48352?component-type=maven&component-name=xalan.xalan", - "name": "[CVE-2014-0107] Permissions, Privileges, and Access Controls" + "software": { + "id": "cpe:2.3:a:oracle:openjdk:8:update11:*:*:*:*:*:*" + } }, { - "source": "CONFIRM", - "url": "https://www.tenable.com/security/tns-2018-15", - "name": "https://www.tenable.com/security/tns-2018-15" + "software": { + "id": "cpe:2.3:a:oracle:openjdk:8:update111:*:*:*:*:*:*" + } }, { - "source": "MLIST", - "url": 
"https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3Cdev.drill.apache.org%3E", - "name": "[drill-dev] 20191021 [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities" + "software": { + "id": "cpe:2.3:a:oracle:openjdk:8:update112:*:*:*:*:*:*" + } }, { - "source": "SECTRACK", - "url": "http://www.securitytracker.com/id/1034716", - "name": "1034716" + "software": { + "id": "cpe:2.3:a:oracle:openjdk:8:update121:*:*:*:*:*:*" + } }, { - "source": "SECUNIA", - "url": "http://secunia.com/advisories/59247", - "name": "59247" + "software": { + "id": "cpe:2.3:a:oracle:openjdk:8:update131:*:*:*:*:*:*" + } }, { - "source": "CONFIRM", - "url": "https://issues.apache.org/jira/browse/XALANJ-2435", - "name": "https://issues.apache.org/jira/browse/XALANJ-2435" + "software": { + "id": "cpe:2.3:a:oracle:openjdk:8:update141:*:*:*:*:*:*" + } }, { - "source": "CONFIRM", - "url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05324755", - "name": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05324755" + "software": { + "id": "cpe:2.3:a:oracle:openjdk:8:update151:*:*:*:*:*:*" + } }, { - "source": "CONFIRM", - "url": "http://www-01.ibm.com/support/docview.wss?uid=swg21680703", - "name": "http://www-01.ibm.com/support/docview.wss?uid=swg21680703" + "software": { + "id": "cpe:2.3:a:oracle:openjdk:8:update152:*:*:*:*:*:*" + } }, { - "source": "DEBIAN", - "url": "http://www.debian.org/security/2014/dsa-2886", - "name": "DSA-2886" + "software": { + "id": "cpe:2.3:a:oracle:openjdk:8:update161:*:*:*:*:*:*" + } }, { - "source": "CONFIRM", - "url": "http://svn.apache.org/viewvc?view=revision&revision=1581058", - "name": "http://svn.apache.org/viewvc?view=revision&revision=1581058" + "software": { + "id": "cpe:2.3:a:oracle:openjdk:8:update162:*:*:*:*:*:*" + } }, { - "source": "SECUNIA", - "url": "http://secunia.com/advisories/57563", - 
"name": "57563" + "software": { + "id": "cpe:2.3:a:oracle:openjdk:8:update171:*:*:*:*:*:*" + } }, { - "source": "REDHAT", - "url": "http://rhn.redhat.com/errata/RHSA-2015-1888.html", - "name": "RHSA-2015:1888" + "software": { + "id": "cpe:2.3:a:oracle:openjdk:8:update172:*:*:*:*:*:*" + } }, { - "source": "MISC", - "url": "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html", - "name": "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html" + "software": { + "id": "cpe:2.3:a:oracle:openjdk:8:update181:*:*:*:*:*:*" + } }, { - "source": "BID", - "url": "http://www.securityfocus.com/bid/66397", - "name": "66397" + "software": { + "id": "cpe:2.3:a:oracle:openjdk:8:update191:*:*:*:*:*:*" + } }, { - "source": "REDHAT", - "url": "http://rhn.redhat.com/errata/RHSA-2014-0348.html", - "name": "RHSA-2014:0348" + "software": { + "id": "cpe:2.3:a:oracle:openjdk:8:update192:*:*:*:*:*:*" + } }, { - "source": "SECUNIA", - "url": "http://secunia.com/advisories/59036", - "name": "59036" + "software": { + "id": "cpe:2.3:a:oracle:openjdk:8:update20:*:*:*:*:*:*" + } }, { - "source": "SECTRACK", - "url": "http://www.securitytracker.com/id/1034711", - "name": "1034711" + "software": { + "id": "cpe:2.3:a:oracle:openjdk:8:update201:*:*:*:*:*:*" + } }, { - "source": "SECUNIA", - "url": "http://secunia.com/advisories/59151", - "name": "59151" + "software": { + "id": "cpe:2.3:a:oracle:openjdk:8:update202:*:*:*:*:*:*" + } }, { - "source": "CONFIRM", - "url": "http://www-01.ibm.com/support/docview.wss?uid=swg21677145", - "name": "http://www-01.ibm.com/support/docview.wss?uid=swg21677145" + "software": { + "id": "cpe:2.3:a:oracle:openjdk:8:update211:*:*:*:*:*:*" + } }, { - "source": "MISC", - "url": "http://www.ocert.org/advisories/ocert-2014-002.html", - "name": "http://www.ocert.org/advisories/ocert-2014-002.html" + "software": { + "id": "cpe:2.3:a:oracle:openjdk:8:update212:*:*:*:*:*:*" + } }, { - "source": "CONFIRM", - "url": 
"http://www-01.ibm.com/support/docview.wss?uid=swg21676093", - "name": "http://www-01.ibm.com/support/docview.wss?uid=swg21676093" + "software": { + "id": "cpe:2.3:a:oracle:openjdk:8:update221:*:*:*:*:*:*" + } }, { - "source": "CONFIRM", - "url": "http://www.ibm.com/support/docview.wss?uid=swg21677967", - "name": "http://www.ibm.com/support/docview.wss?uid=swg21677967" + "software": { + "id": "cpe:2.3:a:oracle:openjdk:8:update222:*:*:*:*:*:*" + } }, { - "source": "SECUNIA", - "url": "http://secunia.com/advisories/59291", - "name": "59291" + "software": { + "id": "cpe:2.3:a:oracle:openjdk:8:update231:*:*:*:*:*:*" + } }, { - "source": "CONFIRM", - "url": "http://www-01.ibm.com/support/docview.wss?uid=swg21674334", - "name": "http://www-01.ibm.com/support/docview.wss?uid=swg21674334" + "software": { + "id": "cpe:2.3:a:oracle:openjdk:8:update232:*:*:*:*:*:*" + } }, { - "source": "SECUNIA", - "url": "http://secunia.com/advisories/59290", - "name": "59290" + "software": { + "id": "cpe:2.3:a:oracle:openjdk:8:update241:*:*:*:*:*:*" + } }, { - "source": "CONFIRM", - "url": "http://www-01.ibm.com/support/docview.wss?uid=swg21681933", - "name": "http://www-01.ibm.com/support/docview.wss?uid=swg21681933" + "software": { + "id": "cpe:2.3:a:oracle:openjdk:8:update242:*:*:*:*:*:*" + } }, { - "source": "MLIST", - "url": "https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442@%3Cdev.drill.apache.org%3E", - "name": "[drill-dev] 20191017 Dependencies used by Drill contain known vulnerabilities" + "software": { + "id": "cpe:2.3:a:oracle:openjdk:8:update25:*:*:*:*:*:*" + } }, { - "source": "SECUNIA", - "url": "http://secunia.com/advisories/59515", - "name": "59515" + "software": { + "id": "cpe:2.3:a:oracle:openjdk:8:update252:*:*:*:*:*:*" + } }, { - "source": "CONFIRM", - "url": "http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html", - "name": "http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html" + 
"software": { + "id": "cpe:2.3:a:oracle:openjdk:8:update262:*:*:*:*:*:*" + } }, { - "source": "XF", - "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/92023", - "name": "apache-xalanjava-cve20140107-sec-bypass(92023)" + "software": { + "id": "cpe:2.3:a:oracle:openjdk:8:update271:*:*:*:*:*:*" + } }, { - "source": "REDHAT", - "url": "http://rhn.redhat.com/errata/RHSA-2014-1351.html", - "name": "RHSA-2014:1351" + "software": { + "id": "cpe:2.3:a:oracle:openjdk:8:update281:*:*:*:*:*:*" + } }, { - "source": "SECUNIA", - "url": "http://secunia.com/advisories/60502", - "name": "60502" + "software": { + "id": "cpe:2.3:a:oracle:openjdk:8:update282:*:*:*:*:*:*" + } }, { - "source": "CONFIRM", - "url": "http://www.oracle.com/technetwork/topics/security/cpujan2016-2367955.html", - "name": "http://www.oracle.com/technetwork/topics/security/cpujan2016-2367955.html" - } - ], - "vulnerableSoftware": [ + "software": { + "id": "cpe:2.3:a:oracle:openjdk:8:update291:*:*:*:*:*:*" + } + }, { "software": { - "id": "cpe:2.3:a:apache:xalan-java:2.5.1:*:*:*:*:*:*:*", - "vulnerabilityIdMatched": "true" + "id": "cpe:2.3:a:oracle:openjdk:8:update301:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:oracle:webcenter_sites:7.6.2:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:oracle:openjdk:8:update302:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:apache:xalan-java:2.5.2:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:oracle:openjdk:8:update31:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:apache:xalan-java:2.0.0:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:oracle:openjdk:8:update312:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:apache:xalan-java:2.1.0:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:oracle:openjdk:8:update322:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:apache:xalan-java:2.2.0:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:oracle:openjdk:8:update332:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:apache:xalan-java:2.4.0:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:oracle:openjdk:8:update40:*:*:*:*:*:*" } }, 
{ "software": { - "id": "cpe:2.3:a:apache:xalan-java:2.5.0:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:oracle:openjdk:8:update45:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:apache:xalan-java:2.6.0:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:oracle:openjdk:8:update5:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:apache:xalan-java:*:*:*:*:*:*:*:*", - "versionEndIncluding": "2.7.1" + "id": "cpe:2.3:a:oracle:openjdk:8:update51:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:oracle:webcenter_sites:11.1.1.8.0:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:oracle:openjdk:8:update60:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:apache:xalan-java:2.4.1:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:oracle:openjdk:8:update65:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:apache:xalan-java:2.0.1:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:oracle:openjdk:8:update66:*:*:*:*:*:*" } }, { "software": { - "id": "cpe:2.3:a:apache:xalan-java:1.0.0:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:oracle:openjdk:8:update71:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:openjdk:8:update72:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:openjdk:8:update73:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:openjdk:8:update74:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:openjdk:8:update77:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:openjdk:8:update91:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:openjdk:8:update92:*:*:*:*:*:*" + } + }, + { + "software": { + "id": "cpe:2.3:a:oracle:openjdk:18:*:*:*:*:*:*:*" } + } + ] + }, + { + "source": "OSSINDEX", + "name": "CVE-2003-1516", + "severity": "MEDIUM", + "cvssv2": { + "score": 6.8, + "accessVector": "N", + "accessComplexity": "M", + "authenticationr": "N", + "confidentialImpact": "P", + "integrityImpact": "P", + "availabilityImpact": "P", + "severity": "MEDIUM" + }, + "cwes": [ + "CWE-693" + ], + "description": "The 
org.apache.xalan.processor.XSLProcessorVersion class in Java Plug-in 1.4.2_01 allows signed and unsigned applets to share variables, which violates the Java security model and could allow remote attackers to read or write data belonging to a signed applet.", + "notes": "", + "references": [ + { + "source": "OSSIndex", + "url": "http://www.dslreports.com/forum/r8282466-Security-vulnerability-in-Sun-Java-JRE", + "name": "http://www.dslreports.com/forum/r8282466-Security-vulnerability-in-Sun-Java-JRE" + }, + { + "source": "OSSIndex", + "url": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2003-1516", + "name": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2003-1516" + }, + { + "source": "OSSINDEX", + "url": "https://ossindex.sonatype.org/vulnerability/CVE-2003-1516?component-type=maven&component-name=xalan%2Fxalan&utm_source=dependency-check&utm_medium=integration&utm_content=8.0.2", + "name": "[CVE-2003-1516] CWE-693: Protection Mechanism Failure" }, + { + "source": "OSSIndex", + "url": "http://www.securityfocus.com/bid/8857/exploit", + "name": "http://www.securityfocus.com/bid/8857/exploit" + } + ], + "vulnerableSoftware": [ { "software": { - "id": "cpe:2.3:a:apache:xalan-java:2.7.0:*:*:*:*:*:*:*" + "id": "cpe:2.3:a:xalan:xalan:2.5.1:*:*:*:*:*:*:*", + "vulnerabilityIdMatched": "true" } } ] 
@@ -13131,42 +20446,47 @@ "projectReferences": [ "module1:compile" ], + "includedBy": [ + { + "reference": "pkg:maven/struts/struts@1.2.8" + } + ], "evidenceCollected": { "vendorEvidence": [ { "type": "vendor", "confidence": "HIGH", - "source": "pom", - "name": "organization name", - "value": "Apache Software Foundation" + "source": "file", + "name": "name", + "value": "xml-apis" }, { "type": "vendor", "confidence": "HIGHEST", - "source": "pom", - "name": "url", - "value": "http://xml.apache.org/commons/#external" + "source": "jar", + "name": "package name", + "value": "apache" }, { "type": "vendor", - "confidence": "MEDIUM", - "source": "manifest: org/xml/sax/", - "name": "Implementation-Vendor", - "value": "David Megginson" + "confidence": "HIGHEST", + "source": "jar", + "name": "package name", + "value": "dom" }, { "type": "vendor", - "confidence": "MEDIUM", - "source": "pom", - "name": "organization url", - "value": "http://www.apache.org/" + "confidence": "HIGHEST", + "source": "jar", + "name": "package name", + "value": "sax" }, { "type": "vendor", "confidence": "HIGHEST", "source": "jar", "name": "package name", - "value": "xml" + "value": "version" }, { "type": "vendor", 
@@ -13180,41 +20500,48 @@ "confidence": "HIGHEST", "source": "jar", "name": "package name", - "value": "version" + "value": "xml" }, { "type": "vendor", "confidence": "MEDIUM", - "source": "manifest: org/w3c/dom/", + "source": "manifest: javax/xml/parsers/", "name": "Implementation-Vendor", - "value": "World Wide Web Consortium" + "value": "Sun Microsystems Inc." }, { "type": "vendor", - "confidence": "HIGHEST", - "source": "pom", - "name": "groupid", - "value": "xml-apis" + "confidence": "MEDIUM", + "source": "manifest: javax/xml/transform/", + "name": "Implementation-Vendor", + "value": "Sun Microsystems Inc." }, { "type": "vendor", "confidence": "MEDIUM", - "source": "manifest: javax/xml/parsers/", + "source": "manifest: org/apache/xmlcommons/Version", "name": "Implementation-Vendor", - "value": "Sun Microsystems Inc." + "value": "Apache Software Foundation" }, { "type": "vendor", - "confidence": "HIGHEST", - "source": "jar", - "name": "package name", - "value": "apache" + "confidence": "MEDIUM", + "source": "manifest: org/w3c/dom/", + "name": "Implementation-Vendor", + "value": "World Wide Web Consortium" }, { "type": "vendor", - "confidence": "HIGH", - "source": "file", - "name": "name", + "confidence": "MEDIUM", + "source": "manifest: org/xml/sax/", + "name": "Implementation-Vendor", + "value": "David Megginson" + }, + { + "type": "vendor", + "confidence": "HIGHEST", + "source": "pom", + "name": "artifactid", "value": "xml-apis" }, { 
@@ -13226,145 +20553,138 @@ }, { "type": "vendor", - "confidence": "MEDIUM", - "source": "manifest: javax/xml/transform/", - "name": "Implementation-Vendor", - "value": "Sun Microsystems Inc." + "confidence": "HIGHEST", + "source": "pom", + "name": "groupid", + "value": "xml-apis" }, { "type": "vendor", - "confidence": "HIGHEST", - "source": "jar", - "name": "package name", - "value": "dom" + "confidence": "HIGH", + "source": "pom", + "name": "name", + "value": "XML Commons External Components XML APIs" }, { "type": "vendor", - "confidence": "MEDIUM", - "source": "manifest: org/apache/xmlcommons/Version", - "name": "Implementation-Vendor", + "confidence": "HIGH", + "source": "pom", + "name": "organization name", "value": "Apache Software Foundation" }, { "type": "vendor", - "confidence": "HIGHEST", - "source": "jar", - "name": "package name", - "value": "sax" + "confidence": "MEDIUM", + "source": "pom", + "name": "organization url", + "value": "http://www.apache.org/" }, { "type": "vendor", - "confidence": "HIGH", + "confidence": "HIGHEST", "source": "pom", - "name": "name", - "value": "XML Commons External Components XML APIs" + "name": "url", + "value": "http://xml.apache.org/commons/#external" } ], "productEvidence": [ { "type": "product", - "confidence": "MEDIUM", - "source": "manifest: javax/xml/transform/", - "name": "Implementation-Title", - "value": "javax.xml.transform" + "confidence": "HIGH", + "source": "file", + "name": "name", + "value": "xml-apis" }, { "type": "product", "confidence": "HIGHEST", "source": "jar", "name": "package name", - "value": "w3c" + "value": "apache" }, { "type": "product", "confidence": "HIGHEST", "source": "jar", "name": "package name", - "value": "version" + "value": "document" }, { "type": "product", - "confidence": "LOW", - "source": "pom", - "name": "organization url", - "value": "http://www.apache.org/" + "confidence": "HIGHEST", + "source": "jar", + "name": "package name", + "value": "dom" }, { "type": "product", - 
"confidence": "HIGH", - "source": "file", - "name": "name", - "value": "xml-apis" + "confidence": "HIGHEST", + "source": "jar", + "name": "package name", + "value": "javax" }, { "type": "product", - "confidence": "MEDIUM", - "source": "manifest: javax/xml/parsers/", - "name": "Implementation-Title", - "value": "javax.xml.transform" + "confidence": "HIGHEST", + "source": "jar", + "name": "package name", + "value": "sax" }, { "type": "product", - "confidence": "MEDIUM", - "source": "manifest: org/w3c/dom/", - "name": "Specification-Title", - "value": "Document Object Model, Level 2 Core" + "confidence": "HIGHEST", + "source": "jar", + "name": "package name", + "value": "transform" }, { "type": "product", "confidence": "HIGHEST", - "source": "pom", - "name": "artifactid", - "value": "xml-apis" + "source": "jar", + "name": "package name", + "value": "version" }, { "type": "product", "confidence": "HIGHEST", "source": "jar", "name": "package name", - "value": "sax" + "value": "w3c" }, { "type": "product", - "confidence": "MEDIUM", - "source": "pom", - "name": "url", - "value": "http://xml.apache.org/commons/#external" + "confidence": "HIGHEST", + "source": "jar", + "name": "package name", + "value": "xml" }, { "type": "product", "confidence": "HIGHEST", "source": "jar", "name": "package name", - "value": "javax" + "value": "xmlcommons" }, { "type": "product", "confidence": "MEDIUM", - "source": "manifest: org/apache/xmlcommons/Version", + "source": "manifest: javax/xml/parsers/", "name": "Implementation-Title", - "value": "org.apache.xmlcommons.Version" + "value": "javax.xml.transform" }, { "type": "product", "confidence": "MEDIUM", - "source": "manifest: org/xml/sax/", + "source": "manifest: javax/xml/parsers/", "name": "Specification-Title", - "value": "Simple API for XML" - }, - { - "type": "product", - "confidence": "HIGHEST", - "source": "jar", - "name": "package name", - "value": "xml" + "value": "Java API for XML Processing" }, { "type": "product", - 
"confidence": "HIGHEST", - "source": "jar", - "name": "package name", - "value": "transform" + "confidence": "MEDIUM", + "source": "manifest: javax/xml/transform/", + "name": "Implementation-Title", + "value": "javax.xml.transform" }, { "type": "product", @@ -13375,10 +20695,24 @@ }, { "type": "product", - "confidence": "HIGHEST", - "source": "jar", - "name": "package name", - "value": "document" + "confidence": "MEDIUM", + "source": "manifest: org/apache/xmlcommons/Version", + "name": "Implementation-Title", + "value": "org.apache.xmlcommons.Version" + }, + { + "type": "product", + "confidence": "MEDIUM", + "source": "manifest: org/w3c/dom/", + "name": "Implementation-Title", + "value": "org.w3c.dom" + }, + { + "type": "product", + "confidence": "MEDIUM", + "source": "manifest: org/w3c/dom/", + "name": "Specification-Title", + "value": "Document Object Model, Level 2 Core" }, { "type": "product", @@ -13390,37 +20724,30 @@ { "type": "product", "confidence": "MEDIUM", - "source": "manifest: javax/xml/parsers/", + "source": "manifest: org/xml/sax/", "name": "Specification-Title", - "value": "Java API for XML Processing" + "value": "Simple API for XML" }, { "type": "product", "confidence": "HIGHEST", "source": "pom", - "name": "groupid", + "name": "artifactid", "value": "xml-apis" }, { "type": "product", "confidence": "HIGHEST", - "source": "jar", - "name": "package name", - "value": "apache" - }, - { - "type": "product", - "confidence": "HIGHEST", - "source": "jar", - "name": "package name", - "value": "xmlcommons" + "source": "pom", + "name": "groupid", + "value": "xml-apis" }, { "type": "product", - "confidence": "HIGHEST", - "source": "jar", - "name": "package name", - "value": "dom" + "confidence": "HIGH", + "source": "pom", + "name": "name", + "value": "XML Commons External Components XML APIs" }, { "type": "product", 
@@ -13431,17 +20758,17 @@ }, { "type": "product", - "confidence": "HIGH", + "confidence": "LOW", "source": "pom", - "name": "name", - "value": "XML Commons External Components XML APIs" + "name": "organization url", + "value": "http://www.apache.org/" }, { "type": "product", "confidence": "MEDIUM", - "source": "manifest: org/w3c/dom/", - "name": "Implementation-Title", - "value": "org.w3c.dom" + "source": "pom", + "name": "url", + "value": "http://xml.apache.org/commons/#external" } ], "versionEvidence": [ @@ -13472,7 +20799,7 @@ { "id": "pkg:maven/xml-apis/xml-apis@1.0.b2", "confidence": "HIGH", - "url": "https://ossindex.sonatype.org/component/pkg:maven/xml-apis/xml-apis@1.0.b2" + "url": "https://ossindex.sonatype.org/component/pkg:maven/xml-apis/xml-apis@1.0.b2?utm_source=dependency-check&utm_medium=integration&utm_content=8.0.2" } ] }