Dependency-Check is an open source tool performing a best effort analysis of 3rd party dependencies; false positives and false negatives may exist in the analysis performed by the tool. Use of the tool and the reporting provided constitutes acceptance for use in an AS IS condition, and there are NO warranties, implied or otherwise, with regard to the analysis or its use. Any use of the tool and the reporting provided is at the user’s risk. In no event shall the copyright holder or OWASP be held liable for any damages whatsoever arising out of or in connection with the use of this tool, the analysis performed, or the resulting report.
File Path: target\test-classes\activation-1.1.jar
MD5: 8AE38E87CD4F86059C0294A8FE3E0B18
SHA1: E6CB541461C2834BDEA3EB920F1884D1EB508B50
File Path: target\test-classes\annogen-0.1.0.jar
MD5: FF275C3491AC6715AD9F6C22A9660503
SHA1: A8DE34EA7AA93765D24DC16EC9C61AF5160BB899
File Path: target\test-classes\ant-1.7.0.jar
MD5: 133E8979E9C11450F557CA890177FE0A
SHA1: 9746AF1A485E50CF18DCB232489032A847067066
File Path: target\test-classes\ant-launcher-1.7.0.jar
MD5: E0C8B3F9390A5D784BBDB6A21F2ABD1D
SHA1: E7E30789211E074AA70EF3EAEA59BD5B22A7FA7A
File Path: target\test-classes\aopalliance-1.0.jar
MD5: 04177054E180D09E3998808EFA0401C7
SHA1: 0235BA8B489512805AC13A8F9EA77A1CA5EBE3E8
File Path: target\test-classes\aspectjrt-1.6.5.jar
MD5: 71D9982A11BF94AC21221E2F052F3869
SHA1: D35F32A63EB823DC2DFFC7EE6FDB8E00A680D114
File Path: target\test-classes\aspectjweaver-1.6.5.jar
MD5: 2FA7D0E921C46245D0E1B39F3AC365F5
SHA1: 3EAD0550DC9E2E0A5ABD0FDB3116E636B59E4DC4
Description: The Axiom API
License:
http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: target\test-classes\axiom-api-1.2.7.jar
Description: The Axiom DOM implementation.
License:
http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: target\test-classes\axiom-dom-1.2.7.jar
Description: The Axiom default implementation.
License:
http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: target\test-classes\axiom-impl-1.2.7.jar
File Path: target\test-classes\axis-1.4.jar
MD5: 03DCFDD88502505CC5A805A128BFDD8D
SHA1: 94A9CE681A42D0352B3AD22659F67835E560D107
Severity:
Medium
CVSS Score: 5.8
CWE: CWE-20 Improper Input Validation
Apache Axis 1.4 and earlier, as used in PayPal Payments Pro, PayPal Mass Pay, PayPal Transactional Information SOAP, the Java Message Service implementation in Apache ActiveMQ, and other products, does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.
Vulnerable Software & Versions: (show all)
Description: Core Parts of Axis 2.0. This includes Axis 2.0 engine, Client API, Addressing support, etc.,
License:
http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: target\test-classes\axis2-kernel-1.4.1.jar
Severity:
Medium
CVSS Score: 5.8
CWE: CWE-20 Improper Input Validation
Apache Axis2/Java 1.6.2 and earlier does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 6.4
CWE: CWE-287 Improper Authentication
Apache Axis2 allows remote attackers to forge messages and bypass authentication via a SAML assertion that lacks a Signature element, aka a "Signature exclusion attack," a different vulnerability than CVE-2012-4418.
Vulnerable Software & Versions:
Severity:
Medium
CVSS Score: 5.8
CWE: CWE-287 Improper Authentication
Apache Axis2 allows remote attackers to forge messages and bypass authentication via an "XML Signature wrapping attack."
Vulnerable Software & Versions:
Severity:
Medium
CVSS Score: 4.3
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Cross-site scripting (XSS) vulnerability in axis2-admin/axis2-admin/engagingglobally in the administration console in Apache Axis2/Java 1.4.1, 1.5.1, and possibly other versions, as used in SAP Business Objects 12, 3com IMC, and possibly other products, allows remote attackers to inject arbitrary web script or HTML via the modules parameter. NOTE: some of these details are obtained from third party information.
Vulnerable Software & Versions: (show all)
Severity:
High
CVSS Score: 7.5
CWE: CWE-20 Improper Input Validation
Apache Axis2 before 1.5.2, as used in IBM WebSphere Application Server (WAS) 7.0 through 7.0.0.12, IBM Feature Pack for Web Services 6.1.0.9 through 6.1.0.32, IBM Feature Pack for Web 2.0 1.0.1.0, Apache Synapse, Apache ODE, Apache Tuscany, Apache Geronimo, and other products, does not properly reject DTDs in SOAP messages, which allows remote attackers to read arbitrary files, send HTTP requests to intranet servers, or cause a denial of service (CPU and memory consumption) via a crafted DTD, as demonstrated by an entity declaration in a request to the Synapse SimpleStockQuoteService.
Vulnerable Software & Versions: (show all)
Severity:
High
CVSS Score: 10.0
CWE: CWE-255 Credentials Management
Apache Axis2, as used in dswsbobje.war in SAP BusinessObjects Enterprise XI 3.2, CA ARCserve D2D r15, and other products, has a default password of axis2 for the admin account, which makes it easier for remote attackers to execute arbitrary code by uploading a crafted web service.
Vulnerable Software & Versions: (show all)
File Path: target\test-classes\backport-util-concurrent-3.1.jar
MD5: 748BB0CBF4780B2E3121DC9C12E10CD9
SHA1: 682F7AC17FED79E92F8E87D8455192B63376347B
Description:
Commons CLI provides a simple API for presenting, processing and validating a command line interface.
License:
http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: target\test-classes\commons-cli-1.2.jar
File Path: target\test-classes\commons-codec-1.2.jar
MD5: 2617B220009F952BB9542AF167D040CF
SHA1: 397F4731A9F9B6EB1907E224911C77EA3AA27A8B
Description:
The FileUpload component provides a simple yet flexible means of adding support for multipart
file upload functionality to servlets and web applications.
License:
http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: target\test-classes\commons-fileupload-1.2.1.jar
Severity:
Medium
CVSS Score: 5.0
CWE: CWE-264 Permissions, Privileges, and Access Controls
MultipartStream.java in Apache Commons FileUpload before 1.3.1, as used in Apache Tomcat, JBoss Web, and other products, allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via a crafted Content-Type header that bypasses a loop's intended exit conditions.
Vulnerable Software & Versions: (show all)
Severity:
Low
CVSS Score: 3.3
CWE: CWE-264 Permissions, Privileges, and Access Controls
The default configuration of javax.servlet.context.tempdir in Apache Commons FileUpload 1.0 through 1.2.2 uses the /tmp directory for uploaded files, which allows local users to overwrite arbitrary files via an unspecified symlink attack.
Vulnerable Software & Versions: (show all)
File Path: target\test-classes\commons-httpclient-3.1.jar
MD5: 8AD8C9229EF2D59AB9F59F7050E846A5
SHA1: 964CD74171F427720480EFDEC40A7C7F6E58426A
Description: Commons Object Pooling Library
License:
http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: target\test-classes\commons-pool-1.5.3.jar
Description:
Commons Validator provides the building blocks for both client side validation and server side data validation.
It may be used standalone or with a framework like Struts.
License:
http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: target\test-classes\commons-validator-1.4.0.jar
File Path: target\test-classes\daytrader-ear-2.1.7.ear
MD5: 9FA8C4E8072904589FC0D1A12E8EB291
SHA1: 61868609EB138C41C0298373C9F8C19713FEFA54
Description: Daytrader EJBs
File Path: target\test-classes\daytrader-ear-2.1.7.ear\dt-ejb.jar
MD5: 26E92DBACAD11C73F03EDE043B113653
SHA1: F2F7C05243EC8E5FB93EFB35F5908BBA88651BF3
Severity:
High
CVSS Score: 7.8
CWE: CWE-20 Improper Input Validation
Apache Geronimo 2.2.1 and earlier computes hash values for form parameters without restricting the ability to trigger hash collisions predictably, which allows remote attackers to cause a denial of service (CPU consumption) by sending many crafted parameters. NOTE: this might overlap CVE-2011-4461.
Vulnerable Software & Versions: (show all)
Severity:
Low
CVSS Score: 2.1
CWE: CWE-59 Improper Link Resolution Before File Access ('Link Following')
The init script for Apache Geronimo on SUSE Linux follows symlinks when performing a chown operation, which might allow local users to obtain access to unspecified files or directories.
Vulnerable Software & Versions:
Description: Provides open-source implementations of Sun specifications.
License:
http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: target\test-classes\daytrader-ear-2.1.7.ear\geronimo-jaxrpc_1.1_spec-2.0.0.jar
Severity:
High
CVSS Score: 7.8
CWE: CWE-20 Improper Input Validation
Apache Geronimo 2.2.1 and earlier computes hash values for form parameters without restricting the ability to trigger hash collisions predictably, which allows remote attackers to cause a denial of service (CPU consumption) by sending many crafted parameters. NOTE: this might overlap CVE-2011-4461.
Vulnerable Software & Versions: (show all)
Severity:
Low
CVSS Score: 2.1
CWE: CWE-59 Improper Link Resolution Before File Access ('Link Following')
The init script for Apache Geronimo on SUSE Linux follows symlinks when performing a chown operation, which might allow local users to obtain access to unspecified files or directories.
Vulnerable Software & Versions:
Severity:
High
CVSS Score: 7.5
CWE: CWE-287 Improper Authentication
SQLLoginModule in Apache Geronimo 2.0 through 2.1 does not throw an exception for a nonexistent username, which allows remote attackers to bypass authentication via a login attempt with any username not contained in the database.
Vulnerable Software & Versions: (show all)
Severity:
High
CVSS Score: 10.0
CWE: CWE-287 Improper Authentication
The login method in LoginModule implementations in Apache Geronimo 2.0 does not throw FailedLoginException for failed logins, which allows remote attackers to bypass authentication requirements, deploy arbitrary modules, and gain administrative access by sending a blank username and password with the command line deployer in the deployment module.
Vulnerable Software & Versions:
Description: Streamer Application for Day Trader
File Path: target\test-classes\daytrader-ear-2.1.7.ear\streamer.jar
MD5: 5BC6DE1A34935D20331EF777463FD28B
SHA1: EC631C926AB667182840B3E5E32BD3D2F8A808AC
Severity:
High
CVSS Score: 7.8
CWE: CWE-20 Improper Input Validation
Apache Geronimo 2.2.1 and earlier computes hash values for form parameters without restricting the ability to trigger hash collisions predictably, which allows remote attackers to cause a denial of service (CPU consumption) by sending many crafted parameters. NOTE: this might overlap CVE-2011-4461.
Vulnerable Software & Versions: (show all)
Severity:
Low
CVSS Score: 2.1
CWE: CWE-59 Improper Link Resolution Before File Access ('Link Following')
The init script for Apache Geronimo on SUSE Linux follows symlinks when performing a chown operation, which might allow local users to obtain access to unspecified files or directories.
Vulnerable Software & Versions:
File Path: target\test-classes\daytrader-ear-2.1.7.ear\web.war
MD5: 857655BB1DDB4204F09D63E5CA8C56BC
SHA1: 7A7455F5D78BB4E1B8E66CD3E6C1F964D18705F9
Description: Client demonstrating Web Services
File Path: target\test-classes\daytrader-ear-2.1.7.ear\wsappclient.jar
MD5: C343646C162FDD19156400FE83F41CE2
SHA1: ECE01974BE048BA75E2B344C39EFB176915A1C16
Severity:
High
CVSS Score: 7.8
CWE: CWE-20 Improper Input Validation
Apache Geronimo 2.2.1 and earlier computes hash values for form parameters without restricting the ability to trigger hash collisions predictably, which allows remote attackers to cause a denial of service (CPU consumption) by sending many crafted parameters. NOTE: this might overlap CVE-2011-4461.
Vulnerable Software & Versions: (show all)
Severity:
Low
CVSS Score: 2.1
CWE: CWE-59 Improper Link Resolution Before File Access ('Link Following')
The init script for Apache Geronimo on SUSE Linux follows symlinks when performing a chown operation, which might allow local users to obtain access to unspecified files or directories.
Vulnerable Software & Versions:
File Path: target\test-classes\dojo-war-1.3.0.war
MD5: CD00CB6BC15004638548148A21D799AA
SHA1: 36572B4E096421BECAB9346DA41BBC4EC1316A54
Severity:
High
CVSS Score: 10.0
CWE: CWE-16 Configuration
The default configuration of the build process in Dojo 0.4.x before 0.4.4, 1.0.x before 1.0.3, 1.1.x before 1.1.2, 1.2.x before 1.2.4, 1.3.x before 1.3.3, and 1.4.x before 1.4.2 has the copyTests=true and mini=false options, which makes it easier for remote attackers to have an unspecified impact via a request to a (1) test or (2) demo component.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.3
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Cross-site scripting (XSS) vulnerability in dijit/tests/_testCommon.js in Dojo Toolkit SDK before 1.4.2 allows remote attackers to inject arbitrary web script or HTML via the theme parameter, as demonstrated by an attack against dijit/tests/form/test_Button.html.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.3
Multiple open redirect vulnerabilities in Dojo 1.0.x before 1.0.3, 1.1.x before 1.1.2, 1.2.x before 1.2.4, 1.3.x before 1.3.3, and 1.4.x before 1.4.2 allow remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors, possibly related to dojo/resources/iframe_history.html, dojox/av/FLAudio.js, dojox/av/FLVideo.js, dojox/av/resources/audio.swf, dojox/av/resources/video.swf, util/buildscripts/jslib/build.js, util/buildscripts/jslib/buildUtil.js, and util/doh/runner.html.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.3
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Multiple cross-site scripting (XSS) vulnerabilities in Dojo 1.0.x before 1.0.3, 1.1.x before 1.1.2, 1.2.x before 1.2.4, 1.3.x before 1.3.3, and 1.4.x before 1.4.2 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors, possibly related to dojo/resources/iframe_history.html, dojox/av/FLAudio.js, dojox/av/FLVideo.js, dojox/av/resources/audio.swf, dojox/av/resources/video.swf, util/buildscripts/jslib/build.js, and util/buildscripts/jslib/buildUtil.js, as demonstrated by the (1) dojoUrl and (2) testUrl parameters to util/doh/runner.html.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 5.0
The Dojo framework exchanges data using JavaScript Object Notation (JSON) without an associated protection scheme, which allows remote attackers to obtain the data via a web page that retrieves the data through a URL in the SRC attribute of a SCRIPT element and captures the data using other JavaScript code, aka "JavaScript Hijacking."
Vulnerable Software & Versions:
Description: This is the ehcache core module. Pair it with other modules for added
functionality.
License:
The Apache Software License, Version 2.0: src/assemble/LICENSE.txtFile Path: target\test-classes\ehcache-core-2.2.0.jar
File Path: target\test-classes\FileHelpers.2.0.0.0.nupkg
MD5: 0BF948B505852A2AF8A597B8A129EF9A
SHA1: 30FB37D6163CF16E3BA740343BECDD14D5457619
File Path: target\test-classes\FileHelpers.2.0.0.0.nupkg\lib\FileHelpers.dll
MD5: 4829FA768DE37C315A3A3B7BCA027B64
SHA1: A256F622A6209EC21A13D490443FFD6DBDA4F5B7
File Path: target\test-classes\FileHelpers.2.0.0.0.nupkg\lib\FileHelpers.ExcelStorage.dll
MD5: D22AECA6EE71A2E6F5B3D296280BA98A
SHA1: E416350E2EE0E0711E2716CF7EFCE54168ACCC52
File Path: target\test-classes\FileHelpers.2.0.0.0.nupkg\FileHelpers.nuspec
MD5: 9E2287F0174BCD79CF7E2427D73A1197
SHA1: D14A722B66388D84AC3B57C4DE56E702AA5FEA96
File Path: target\test-classes\FileHelpers.2.0.0.0.nupkg\lib\Interop.Excel.dll
MD5: 728FF3AEAE71CBD8D303F442E3843C4C
SHA1: CDAA993485F737951FD91C71F41C929CD06DFFA3
File Path: target\test-classes\FileHelpers.2.0.0.0.nupkg\lib\Interop.Office.dll
MD5: 7B55E3BF19775B7A6FA5BF3C271E2C0C
SHA1: EEFCFE4B0C90B6F4232D07D588A08BC04FD32E84
File Path: target\test-classes\freemarker-2.3.12.jar
MD5: 719554BBC3D8A98582A8A93328134FE2
SHA1: 3501B670AA7E3822DDF7693082F621B1CD8CE086
Description: Provides open-source implementations of Sun specifications.
License:
http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: target\test-classes\geronimo-javamail_1.4_spec-1.2.jar
Severity:
High
CVSS Score: 7.8
CWE: CWE-20 Improper Input Validation
Apache Geronimo 2.2.1 and earlier computes hash values for form parameters without restricting the ability to trigger hash collisions predictably, which allows remote attackers to cause a denial of service (CPU consumption) by sending many crafted parameters. NOTE: this might overlap CVE-2011-4461.
Vulnerable Software & Versions: (show all)
Severity:
Low
CVSS Score: 2.1
CWE: CWE-59 Improper Link Resolution Before File Access ('Link Following')
The init script for Apache Geronimo on SUSE Linux follows symlinks when performing a chown operation, which might allow local users to obtain access to unspecified files or directories.
Vulnerable Software & Versions:
Description: Provides open-source implementations of Sun specifications.
License:
http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: target\test-classes\geronimo-jms_1.1_spec-1.1.1.jar
Severity:
High
CVSS Score: 7.8
CWE: CWE-20 Improper Input Validation
Apache Geronimo 2.2.1 and earlier computes hash values for form parameters without restricting the ability to trigger hash collisions predictably, which allows remote attackers to cause a denial of service (CPU consumption) by sending many crafted parameters. NOTE: this might overlap CVE-2011-4461.
Vulnerable Software & Versions: (show all)
Severity:
Low
CVSS Score: 2.1
CWE: CWE-59 Improper Link Resolution Before File Access ('Link Following')
The init script for Apache Geronimo on SUSE Linux follows symlinks when performing a chown operation, which might allow local users to obtain access to unspecified files or directories.
Vulnerable Software & Versions:
Description: Implementation of Sun JSR-317 JPA 2.0 Spec API
License:
http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: target\test-classes\geronimo-jpa_2.0_spec-1.1.jar
Severity:
High
CVSS Score: 7.8
CWE: CWE-20 Improper Input Validation
Apache Geronimo 2.2.1 and earlier computes hash values for form parameters without restricting the ability to trigger hash collisions predictably, which allows remote attackers to cause a denial of service (CPU consumption) by sending many crafted parameters. NOTE: this might overlap CVE-2011-4461.
Vulnerable Software & Versions: (show all)
Severity:
Low
CVSS Score: 2.1
CWE: CWE-59 Improper Link Resolution Before File Access ('Link Following')
The init script for Apache Geronimo on SUSE Linux follows symlinks when performing a chown operation, which might allow local users to obtain access to unspecified files or directories.
Vulnerable Software & Versions:
Description: Provides open-source implementations of Sun specifications.
License:
http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: target\test-classes\geronimo-stax-api_1.0_spec-1.0.1.jar
Severity:
High
CVSS Score: 7.8
CWE: CWE-20 Improper Input Validation
Apache Geronimo 2.2.1 and earlier computes hash values for form parameters without restricting the ability to trigger hash collisions predictably, which allows remote attackers to cause a denial of service (CPU consumption) by sending many crafted parameters. NOTE: this might overlap CVE-2011-4461.
Vulnerable Software & Versions: (show all)
Severity:
Low
CVSS Score: 2.1
CWE: CWE-59 Improper Link Resolution Before File Access ('Link Following')
The init script for Apache Geronimo on SUSE Linux follows symlinks when performing a chown operation, which might allow local users to obtain access to unspecified files or directories.
Vulnerable Software & Versions:
Description: Guice is a lightweight dependency injection framework for Java 5 and above
License:
http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: target\test-classes\guice-3.0.jar
Description: Hazelcast In-Memory DataGrid
License:
http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: target\test-classes\hazelcast-2.5.jar
File Path: target\test-classes\hibernate3.jar
MD5: B22BBAFA38341DB968033F1ACBFA8DD9
SHA1: 826DA9FC452E7009116DFFC2D348BA705FE2AA82
Description: C3P0-based implementation of the Hibernate ConnectionProvder contract
File Path: target\test-classes\hibernate3.jar\META-INF/maven/org.hibernate/hibernate-c3p0/pom.xml
MD5: 301251DB8497B5100B7D6E9EFB0AFC44
SHA1: 55119C84A43A9AF05482E077AB241CACD1910D93
Description: Common reflection code used in support of annotation processing
License:
GNU LESSER GENERAL PUBLIC LICENSE: http://www.gnu.org/licenses/lgpl.txtFile Path: target\test-classes\hibernate3.jar\META-INF/maven/org.hibernate/hibernate-commons-annotations/pom.xml
Description: The core functionality of Hibernate
File Path: target\test-classes\hibernate3.jar\META-INF/maven/org.hibernate/hibernate-core/pom.xml
MD5: BD41ED501D7218DC30403320127372F2
SHA1: 7D8F09AA7D0100318D826625CB42DBC358E07ABD
Description: Integration of Hibernate with Ehcache
File Path: target\test-classes\hibernate3.jar\META-INF/maven/org.hibernate/hibernate-ehcache/pom.xml
MD5: 19610CC4510AE1067E83E910590CA011
SHA1: 9218F8CD87F3E28C49D4947361B4C6F66757CC25
Description: Hibernate Entity Manager
File Path: target\test-classes\hibernate3.jar\META-INF/maven/org.hibernate/hibernate-entitymanager/pom.xml
MD5: 68C7E92964DF6FAB1E9082D29A78D9C4
SHA1: 38D087E745FA330AD03FD5AB3E2D029845913DE7
Description: Support for entity auditing
File Path: target\test-classes\hibernate3.jar\META-INF/maven/org.hibernate/hibernate-envers/pom.xml
MD5: 897A79EC7B20D46002F0BBC441ED1CA9
SHA1: 02094FD8813C1B0B43B0E4D36DF791EA80CFCED1
Description: Integration of Hibernate with Infinispan
File Path: target\test-classes\hibernate3.jar\META-INF/maven/org.hibernate/hibernate-infinispan/pom.xml
MD5: 2CC34E9876B4C73C4D9876E784E78E5D
SHA1: BD2454348C57618C3E02B329A6822D5979D3C871
Description: Integration of Hibernate with JBossCache 3.x (though 2.x sould work as well)
File Path: target\test-classes\hibernate3.jar\META-INF/maven/org.hibernate/hibernate-jbosscache/pom.xml
MD5: 339D8AF2672ED9E1BEF0E04649A33F46
SHA1: EF975161E9C45B177283D9105220F791ED512AEA
Description: Integration of Hibernate with OSCache
File Path: target\test-classes\hibernate3.jar\META-INF/maven/org.hibernate/hibernate-oscache/pom.xml
MD5: 97443939F6F7E9C45375397AAC16E0B9
SHA1: 4AADCF3391317E2A62332E9FD801B8284C3D985C
Description: Proxool-based implementation of the Hibernate ConnectionProvder contract
File Path: target\test-classes\hibernate3.jar\META-INF/maven/org.hibernate/hibernate-proxool/pom.xml
MD5: D1749AFD6014C4465A13A87583429AF2
SHA1: 5A4AF64267474034F5D844E6A0AF599AEA7B746F
Description: Integration of Hibernate with SwarmCache
File Path: target\test-classes\hibernate3.jar\META-INF/maven/org.hibernate/hibernate-swarmcache/pom.xml
MD5: 6E1B739DE3E65236403D0EB82DB58243
SHA1: AA700E6E775C476182A1E1AD0F15C63CDB537FE0
Description: Hibernate JUnit test utilities
File Path: target\test-classes\hibernate3.jar\META-INF/maven/org.hibernate/hibernate-testing/pom.xml
MD5: 6CAD956C9362F77504BF2D9AAF1731EE
SHA1: B8710FDE765268F33442497AACE2848F4FA986F4
Description:
HttpComponents Core (Java 1.3 compatible)
License:
Apache License: ../LICENSE.txtFile Path: target\test-classes\httpcore-4.0-beta1.jar
Description:
HttpComponents Core (NIO extensions)
License:
Apache License: ../LICENSE.txtFile Path: target\test-classes\httpcore-nio-4.0-beta1.jar
File Path: target\test-classes\javax.inject-1.jar
MD5: 289075E48B909E9E74E6C915B3631D2E
SHA1: 6975DA39A7040257BD51D21A231B76C915872D38
File Path: target\test-classes\jaxb-xercesImpl-1.5.jar
MD5: 8CD074364C830FC8FF40A8A19C0A74C8
SHA1: 73A51FAADB407DCCDBD77234E0D5A0A648665692
File Path: target\test-classes\jaxen-1.1.1.jar
MD5: 261D1AA59865842ECC32B3848B0C6538
SHA1: 9F5D3C5974DBE5CF69C2C2EC7D8A4EB6E0FCE7F9
File Path: target\test-classes\jetty-6.1.0.jar
MD5: 121A72B1DEA1A9ADF83079A44CA08E7B
SHA1: FB39EBC0CDCCEA6B54AD87D229A352A894EEBECC
Severity:
Medium
CVSS Score: 5.0
CWE: CWE-310 Cryptographic Issues
Jetty 8.1.0.RC2 and earlier computes hash values for form parameters without restricting the ability to trigger hash collisions predictably, which allows remote attackers to cause a denial of service (CPU consumption) by sending many crafted parameters.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.3
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Multiple cross-site scripting (XSS) vulnerabilities in the WebApp JSP Snoop page in Mort Bay Jetty 6.1.x through 6.1.21 allow remote attackers to inject arbitrary web script or HTML via the PATH_INFO to the default URI under (1) jspsnoop/, (2) jspsnoop/ERROR/, and (3) jspsnoop/IOException/, and possibly the PATH_INFO to (4) snoop.jsp.
Vulnerable Software & Versions: (show all)
Severity:
High
CVSS Score: 7.5
CWE: CWE-20 Improper Input Validation
Mort Bay Jetty 6.x and 7.0.0 writes backtrace data without sanitizing non-printable characters, which might allow remote attackers to modify a window's title, or possibly execute arbitrary commands or overwrite files, via an HTTP request containing an escape sequence for a terminal emulator, related to (1) a string value in the Age parameter to the default URI for the Cookie Dump Servlet in test-jetty-webapp/src/main/java/com/acme/CookieDump.java under cookie/, (2) an alphabetic value in the A parameter to jsp/expr.jsp, or (3) an alphabetic value in the Content-Length HTTP header to an arbitrary application.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.3
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Multiple cross-site scripting (XSS) vulnerabilities in Mort Bay Jetty 6.x and 7.0.0 allow remote attackers to inject arbitrary web script or HTML via (1) the query string to jsp/dump.jsp in the JSP Dump feature, or the (2) Name or (3) Value parameter to the default URI for the Session Dump Servlet under session/.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 5.0
CWE: CWE-200 Information Exposure
The Dump Servlet in Mort Bay Jetty 6.x and 7.0.0 allows remote attackers to obtain sensitive information about internal variables and other data via a request to a URI ending in /dump/, as demonstrated by discovering the value of the getPathTranslated variable.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.3
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Cross-site scripting (XSS) vulnerability in Mort Bay Jetty before 6.1.17 allows remote attackers to inject arbitrary web script or HTML via a directory listing request containing a ; (semicolon) character.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 5.0
CWE: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Directory traversal vulnerability in the HTTP server in Mort Bay Jetty 5.1.14, 6.x before 6.1.17, and 7.x through 7.0.0.M2 allows remote attackers to access arbitrary files via directory traversal sequences in the URI.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 5.0
CWE: CWE-94 Improper Control of Generation of Code ('Code Injection')
CRLF injection vulnerability in Mortbay Jetty before 6.1.6rc0 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via unspecified vectors.
Vulnerable Software & Versions:
Severity:
High
CVSS Score: 7.5
Mortbay Jetty before 6.1.6rc1 does not properly handle "certain quote sequences" in HTML cookie parameters, which allows remote attackers to hijack browser sessions via unspecified vectors.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.3
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Cross-site scripting (XSS) vulnerability in Dump Servlet in Mortbay Jetty before 6.1.6rc1 allows remote attackers to inject arbitrary web script or HTML via unspecified parameters and cookies.
Vulnerable Software & Versions: (show all)
File Path: target\test-classes\log4net.2.0.3.nuspec
MD5: D95207BFD2539C046BA7271B695B08F7
SHA1: B82102A0767F56525926698FBBA4B7C47E96D4AB
File Path: target\test-classes\log4net.dll
MD5: E873F47FF9ED73A7ED7054AAF4E7601A
SHA1: 44D7EE86C72BE615DA883A24F0B54FD0725AD298
File Path: target\test-classes\mail-1.4.jar
MD5: 2E64A3805D543BDB86E6E5EECA5529F8
SHA1: 1AA1579AE5ECD41920C4F355B0A9EF40B68315DD
Severity:
Medium
CVSS Score: 5.0
CWE: CWE-399 Resource Management Errors
** DISPUTED ** Javamail does not properly handle a series of invalid login attempts in which the same e-mail address is entered as username and password, and the domain portion of this address yields a Java UnknownHostException error, which allows remote attackers to cause a denial of service (connection pool exhaustion) via a large number of requests, resulting in a SQLNestedException. NOTE: Sun disputes this issue, stating "The report makes references to source code and files that do not exist in the mentioned products."
Vulnerable Software & Versions:
Description: The SCM API provides mechanisms to manage all SCM tools.
File Path: target\test-classes\maven-scm-api-1.8.1.jar
MD5: C409FC1A6C9BAF928CC37B2FFB852C83
SHA1: D72BCDC54A873E8BFBC53FDE6200E53911C3D9FE
Description: Common library for SCM CVS Provider.
File Path: target\test-classes\maven-scm-provider-cvs-commons-1.8.1.jar
MD5: 7D35F493A22226B821B5D5363E85765C
SHA1: 97411239D474ECAFCC2AB89FACAF2593EB0DE49B
Description: Executable implementation for SCM CVS Provider.
File Path: target\test-classes\maven-scm-provider-cvsexe-1.8.1.jar
MD5: 8900ABE1192B79B35AEDB0F683A8B412
SHA1: 5C7BF6D2C741885D2A6C17CB044FF8E2966F69CA
Description: Apache Neethi provides general framework for the programmers to use WS Policy. It is compliant with latest WS Policy specification which was published in March 2006. This framework is specifically written to enable the Apache Web services stack to use WS Policy as a way of expressing it's requirements and capabilities.
License:
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: target\test-classes\neethi-2.0.4.jar
File Path: target\test-classes\ognl-2.6.11.jar
MD5: 1173EC5F8B1F6FB1473F4546D4B83BBA
SHA1: 0C3F31F4A65461C44E6697BF29070E638BEF09D8
Description: Apache OpenJPA implementation of JSR-317 JPA 2.0
License:
http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: target\test-classes\openjpa-2.0.1.jar
Severity:
High
CVSS Score: 7.5
CWE: CWE-264 Permissions, Privileges, and Access Controls
The BrokerFactory functionality in Apache OpenJPA 1.x before 1.2.3 and 2.x before 2.2.2 creates local executable JSP files containing logging trace data produced during deserialization of certain crafted OpenJPA objects, which makes it easier for remote attackers to execute arbitrary code by creating a serialized object and leveraging improperly secured server programs.
Vulnerable Software & Versions: (show all)
File Path: target\test-classes\org.mortbay.jetty.jar
MD5: 8ABFD9EF03680C5B9B418ABD918CE525
SHA1: 7B11E767B884D5B872310CE390219B59FFD64A1E
Severity:
Medium
CVSS Score: 5.0
CWE: CWE-310 Cryptographic Issues
Jetty 8.1.0.RC2 and earlier computes hash values for form parameters without restricting the ability to trigger hash collisions predictably, which allows remote attackers to cause a denial of service (CPU consumption) by sending many crafted parameters.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.3
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Cross-site scripting (XSS) vulnerability in Mort Bay Jetty before 6.1.17 allows remote attackers to inject arbitrary web script or HTML via a directory listing request containing a ; (semicolon) character.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 5.0
CWE: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Directory traversal vulnerability in the HTTP server in Mort Bay Jetty 5.1.14, 6.x before 6.1.17, and 7.x through 7.0.0.M2 allows remote attackers to access arbitrary files via directory traversal sequences in the URI.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 5.0
CWE: CWE-94 Improper Control of Generation of Code ('Code Injection')
CRLF injection vulnerability in Mortbay Jetty before 6.1.6rc0 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via unspecified vectors.
Vulnerable Software & Versions:
Severity:
High
CVSS Score: 7.5
Mortbay Jetty before 6.1.6rc1 does not properly handle "certain quote sequences" in HTML cookie parameters, which allows remote attackers to hijack browser sessions via unspecified vectors.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.3
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Cross-site scripting (XSS) vulnerability in Dump Servlet in Mortbay Jetty before 6.1.6rc1 allows remote attackers to inject arbitrary web script or HTML via unspecified parameters and cookies.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 5.0
CWE: CWE-200 Information Exposure
Unspecified vulnerability in Jetty before 5.1.6 allows remote attackers to obtain source code of JSP pages, possibly involving requests for .jsp files with URL-encoded backslash ("%5C") characters. NOTE: this might be the same issue as CVE-2006-2758.
Vulnerable Software & Versions: (show all)
File Path: target\test-classes\org.mortbay.jmx.jar
MD5: 82D35B88A6CAECB9AD5CC8A0CA2C6C81
SHA1: 938031AFDF33D3C5FEE6077312FB44BE25A9725C
Description: A collection of various utility classes to ease working with strings, files, command lines, XML and more.
File Path: target\test-classes\plexus-utils-3.0.7.jar
MD5: C22B393490A46DA89D91DD6322446E40
SHA1: EB10E9CB2B2326FBF0CB68249B10A5C89E0642EF
File Path: target\test-classes\regexp-1.3.jar
MD5: 6DCDC325850E40B843CAC2A25FB2121E
SHA1: 973DF2B78B67BCD3144C3DBBB88DA691065A3F8D
Description: Serp is an open source framework for manipulating Java bytecode.
License:
BSD: LICENSE.txtFile Path: target\test-classes\serp-1.13.1.jar
File Path: target\test-classes\servlet-api-2.5.jar
MD5: 69CA51AF4E9A67A1027A7F95B52C3E8F
SHA1: 5959582D97D8B61F4D154CA9E495AAFD16726E34
Description: The slf4j API
File Path: target\test-classes\slf4j-api-1.5.11.jar
MD5: 30CB7BEE9B52FCB5F5B03D2A006E26E8
SHA1: D6A855B608971025B4FBB0970F829391CC6F727A
Description: Spring Framework
File Path: target\test-classes\spring-core-2.5.5.jar
MD5: 05432EF3BF4EFA1394B127563CB1DD8C
SHA1: 1B3B0FAD8E30EBB9560A81989F5B5BFB28915109
Severity:
Medium
CVSS Score: 4.3
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Cross-site scripting (XSS) vulnerability in web/servlet/tags/form/FormTag.java in Spring MVC in Spring Framework 3.0.0 before 3.2.8 and 4.0.0 before 4.0.2 allows remote attackers to inject arbitrary web script or HTML via the requested URI in a default action.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 6.8
CWE: CWE-352
The Jaxb2RootElementHttpMessageConverter in Spring MVC in Spring Framework before 3.2.8 and 4.0.0 before 4.0.2 does not disable external entity resolution, which allows remote attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML, aka an XML External Entity (XXE) issue. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-4152, CVE-2013-7315, and CVE-2013-6429.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 6.8
CWE: CWE-264 Permissions, Privileges, and Access Controls
The Spring MVC in Spring Framework before 3.2.4 and 4.0.0.M1 through 4.0.0.M2 does not disable external entity resolution for the StAX XMLInputFactory, which allows context-dependent attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML with JAXB, aka an XML External Entity (XXE) issue, and a different vulnerability than CVE-2013-4152. NOTE: this issue was SPLIT from CVE-2013-4152 due to different affected versions.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 6.8
CWE: CWE-264 Permissions, Privileges, and Access Controls
The SourceHttpMessageConverter in Spring MVC in Spring Framework before 3.2.5 and 4.0.0.M1 through 4.0.0.RC1 does not disable external entity resolution, which allows remote attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML, aka an XML External Entity (XXE) issue, and a different vulnerability than CVE-2013-4152 and CVE-2013-7315.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 6.8
CWE: CWE-264 Permissions, Privileges, and Access Controls
The Spring OXM wrapper in Spring Framework before 3.2.4 and 4.0.0.M1, when using the JAXB marshaller, does not disable entity resolution, which allows context-dependent attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via an XML external entity declaration in conjunction with an entity reference in a (1) DOMSource, (2) StAXSource, (3) SAXSource, or (4) StreamSource, aka an XML External Entity (XXE) issue.
Vulnerable Software & Versions: (show all)
Severity:
High
CVSS Score: 7.5
CWE: CWE-16 Configuration
VMware SpringSource Spring Framework before 2.5.6.SEC03, 2.5.7.SR023, and 3.x before 3.0.6, when a container supports Expression Language (EL), evaluates EL expressions in tags twice, which allows remote attackers to obtain sensitive information via a (1) name attribute in a (a) spring:hasBindErrors tag; (2) path attribute in a (b) spring:bind or (c) spring:nestedpath tag; (3) arguments, (4) code, (5) text, (6) var, (7) scope, or (8) message attribute in a (d) spring:message or (e) spring:theme tag; or (9) var, (10) scope, or (11) value attribute in a (f) spring:transform tag, aka "Expression Language Injection."
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 5.1
CWE: CWE-94 Improper Control of Generation of Code ('Code Injection')
SpringSource Spring Framework 2.5.x before 2.5.6.SEC02, 2.5.7 before 2.5.7.SR01, and 3.0.x before 3.0.3 allows remote attackers to execute arbitrary code via an HTTP request containing class.classLoader.URLs[0]=jar: followed by a URL of a crafted .jar file.
Vulnerable Software & Versions: (show all)
File Path: target\test-classes\spring-core-3.0.0.RELEASE.jar
MD5: 2D52A505F093291E4A2C7E1A28F34557
SHA1: 4F268922155FF53FB7B28AECA24FB28D5A439D95
Severity:
Medium
CVSS Score: 4.3
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Cross-site scripting (XSS) vulnerability in web/servlet/tags/form/FormTag.java in Spring MVC in Spring Framework 3.0.0 before 3.2.8 and 4.0.0 before 4.0.2 allows remote attackers to inject arbitrary web script or HTML via the requested URI in a default action.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 6.8
CWE: CWE-352
The Jaxb2RootElementHttpMessageConverter in Spring MVC in Spring Framework before 3.2.8 and 4.0.0 before 4.0.2 does not disable external entity resolution, which allows remote attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML, aka an XML External Entity (XXE) issue. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-4152, CVE-2013-7315, and CVE-2013-6429.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 6.8
CWE: CWE-264 Permissions, Privileges, and Access Controls
The Spring MVC in Spring Framework before 3.2.4 and 4.0.0.M1 through 4.0.0.M2 does not disable external entity resolution for the StAX XMLInputFactory, which allows context-dependent attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML with JAXB, aka an XML External Entity (XXE) issue, and a different vulnerability than CVE-2013-4152. NOTE: this issue was SPLIT from CVE-2013-4152 due to different affected versions.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 6.8
CWE: CWE-264 Permissions, Privileges, and Access Controls
The SourceHttpMessageConverter in Spring MVC in Spring Framework before 3.2.5 and 4.0.0.M1 through 4.0.0.RC1 does not disable external entity resolution, which allows remote attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML, aka an XML External Entity (XXE) issue, and a different vulnerability than CVE-2013-4152 and CVE-2013-7315.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 6.8
CWE: CWE-264 Permissions, Privileges, and Access Controls
The Spring OXM wrapper in Spring Framework before 3.2.4 and 4.0.0.M1, when using the JAXB marshaller, does not disable entity resolution, which allows context-dependent attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via an XML external entity declaration in conjunction with an entity reference in a (1) DOMSource, (2) StAXSource, (3) SAXSource, or (4) StreamSource, aka an XML External Entity (XXE) issue.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 6.8
CWE: CWE-264 Permissions, Privileges, and Access Controls
Spring Framework 3.0.0 through 3.0.5, Spring Security 3.0.0 through 3.0.5 and 2.0.0 through 2.0.6, and possibly other versions deserialize objects from untrusted sources, which allows remote attackers to bypass intended security restrictions and execute untrusted code by (1) serializing a java.lang.Proxy instance and using InvocationHandler, or (2) accessing internal AOP interfaces, as demonstrated using deserialization of a DefaultListableBeanFactory instance to execute arbitrary commands via the java.lang.Runtime class.
Vulnerable Software & Versions: (show all)
Severity:
High
CVSS Score: 7.5
CWE: CWE-16 Configuration
VMware SpringSource Spring Framework before 2.5.6.SEC03, 2.5.7.SR023, and 3.x before 3.0.6, when a container supports Expression Language (EL), evaluates EL expressions in tags twice, which allows remote attackers to obtain sensitive information via a (1) name attribute in a (a) spring:hasBindErrors tag; (2) path attribute in a (b) spring:bind or (c) spring:nestedpath tag; (3) arguments, (4) code, (5) text, (6) var, (7) scope, or (8) message attribute in a (d) spring:message or (e) spring:theme tag; or (9) var, (10) scope, or (11) value attribute in a (f) spring:transform tag, aka "Expression Language Injection."
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 5.1
CWE: CWE-94 Improper Control of Generation of Code ('Code Injection')
SpringSource Spring Framework 2.5.x before 2.5.6.SEC02, 2.5.7 before 2.5.7.SR01, and 3.0.x before 3.0.3 allows remote attackers to execute arbitrary code via an HTTP request containing class.classLoader.URLs[0]=jar: followed by a URL of a crafted .jar file.
Vulnerable Software & Versions: (show all)
File Path: target\test-classes\spring-security-core-3.0.0.RELEASE.jar
MD5: 740649FA36B65F4BFE7D2A57E2B2807E
SHA1: 23DD919891E86A1B74B9198BD67A4AE9F4849C28
Severity:
Medium
CVSS Score: 5.0
CWE: CWE-200 Information Exposure
DaoAuthenticationProvider in VMware SpringSource Spring Security before 2.0.8, 3.0.x before 3.0.8, and 3.1.x before 3.1.3 does not check the password if the user is not found, which makes the response delay shorter and might allow remote attackers to enumerate valid usernames via a series of login requests.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 6.8
CWE: CWE-264 Permissions, Privileges, and Access Controls
Spring Framework 3.0.0 through 3.0.5, Spring Security 3.0.0 through 3.0.5 and 2.0.0 through 2.0.6, and possibly other versions deserialize objects from untrusted sources, which allows remote attackers to bypass intended security restrictions and execute untrusted code by (1) serializing a java.lang.Proxy instance and using InvocationHandler, or (2) accessing internal AOP interfaces, as demonstrated using deserialization of a DefaultListableBeanFactory instance to execute arbitrary commands via the java.lang.Runtime class.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.3
CWE: CWE-94 Improper Control of Generation of Code ('Code Injection')
CRLF injection vulnerability in the logout functionality in VMware SpringSource Spring Security before 2.0.7 and 3.0.x before 3.0.6 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via the spring-security-redirect parameter.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 5.1
CWE: CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
Race condition in the RunAsManager mechanism in VMware SpringSource Spring Security before 2.0.7 and 3.0.x before 3.0.6 stores the Authentication object in the shared security context, which allows attackers to gain privileges via a crafted thread.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 5.0
CWE: CWE-264 Permissions, Privileges, and Access Controls
VMware SpringSource Spring Security 2.x before 2.0.6 and 3.x before 3.0.4, and Acegi Security 1.0.0 through 1.0.7, as used in IBM WebSphere Application Server (WAS) 6.1 and 7.0, allows remote attackers to bypass security constraints via a path parameter.
Vulnerable Software & Versions: (show all)
File Path: target\test-classes\stagedhttp-modified.tar\WEB-INF\lib\commons-httpclient-2.0.jar
MD5: E0C0C1F887A8B1025A8BED9BFF6AB771
SHA1: 19F1CB5FFD50C37B7EE43B8BC7A185B421EA3E9C
File Path: target\test-classes\stagedhttp-modified.tar\WEB-INF\lib\commons-logging.jar
MD5: 5BC8BDD15B18018E84FD862993AACA42
SHA1: 760C711C71588BC273D3E56D196D720A7678CD93
File Path: target\test-classes\stagedhttp-modified.tar\WEB-INF\lib\dom4j.jar
MD5: 85E3E7DFD9D039DA0B8EA0A46129323F
SHA1: 8DECB7E2C04C9340375AAF7DD43A7A6A9B9A46B1
File Path: target\test-classes\stagedhttp-modified.tar\WEB-INF\lib\jgroups-all.jar
MD5: 06B44A40F4215AF9A534ACE65C51A2CA
SHA1: 15201A98948972D4E890A1D9BD6B728B917EF21C
File Path: target\test-classes\stagedhttp-modified.tar\WEB-INF\lib\log4j.jar
MD5: 91E6A0CD2788D69808C05FAE11D69679
SHA1: C28B336AA1547A885DDEF944AF6BFB7BFF25ABF0
File Path: target\test-classes\stagedhttp-modified.tar\WEB-INF\lib\mail.jar
MD5: 3AD3CDE613B7E9700FED08D979BCCCC7
SHA1: 6D16579C99EA9FD5CA5FD2DBE45A5144C2873681
Severity:
Medium
CVSS Score: 5.0
CWE: CWE-399 Resource Management Errors
** DISPUTED ** Javamail does not properly handle a series of invalid login attempts in which the same e-mail address is entered as username and password, and the domain portion of this address yields a Java UnknownHostException error, which allows remote attackers to cause a denial of service (connection pool exhaustion) via a large number of requests, resulting in a SQLNestedException. NOTE: Sun disputes this issue, stating "The report makes references to source code and files that do not exist in the mentioned products."
Vulnerable Software & Versions:
Severity:
Medium
CVSS Score: 5.0
CWE: CWE-200 Information Exposure
** DISPUTED ** JavaMail API 1.1.3 through 1.3, as used by Apache Tomcat 5.0.16, allows remote attackers to read arbitrary files via a full pathname in the argument to the Download parameter. NOTE: Sun and Apache dispute this issue. Sun states: "The report makes references to source code and files that do not exist in the mentioned products."
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 5.0
Directory traversal vulnerability in the MimeBodyPart.getFileName method in JavaMail 1.3.2 allows remote attackers to write arbitrary files via a .. (dot dot) in the filename in the Content-Disposition header.
Vulnerable Software & Versions:
File Path: target\test-classes\stagedhttp-modified.tar\WEB-INF\lib\serializer.jar
MD5: 35AA6A56662458D9DC28A9B628F84847
SHA1: 85DDD38E4CDBC22FB6C518F3D35744336DA6FBFD
File Path: target\test-classes\stagedhttp-modified.tar\WEB-INF\lib\xalan.jar
MD5: 126C0C876A6B9726CFDD43F052923660
SHA1: 10F170DA8DFBCDCC4098131BA773710F0BA7AEF1
File Path: target\test-classes\stagedhttp-modified.tar\WEB-INF\lib\xmlsec-1.3.0.jar
MD5: ED82E8662F1823E70BA8F468F57EB11B
SHA1: 59C4B71E0A5871F26DB91EAAB236E5B9BF41122E
File Path: target\test-classes\stagedhttp-modified.tar\WEB-INF\lib\xss4j.jar
MD5: 3572AC321C3A854EC49D8594A17E3699
SHA1: D0F4126B39370C3FAD93163CA17FD3CAA3D29E97
File Path: target\test-classes\struts.jar
MD5: AA4AE098EC87FBCD6591402E5CBD781A
SHA1: F69E6119EB01F9AD064BD358ED0315618FB1CB5C
Severity:
High
CVSS Score: 7.5
CWE: CWE-20 Improper Input Validation
The ActionForm object in Apache Struts 1.x through 1.3.10 allows remote attackers to "manipulate" the ClassLoader and execute arbitrary code via the class parameter, which is passed to the getClass method.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 5.0
CWE: CWE-20 Improper Input Validation
ParametersInterceptor in OpenSymphony XWork 2.0.x before 2.0.6 and 2.1.x before 2.1.2, as used in Apache Struts and other products, does not properly restrict # (pound sign) references to context objects, which allows remote attackers to execute Object-Graph Navigation Language (OGNL) statements and modify server-side context objects, as demonstrated by use of a \u0023 representation for the # character.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.3
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Cross-site scripting (XSS) vulnerability in Apache Struts before 1.2.9-162.31.1 on SUSE Linux Enterprise (SLE) 11, before 1.2.9-108.2 on SUSE openSUSE 10.3, before 1.2.9-198.2 on SUSE openSUSE 11.0, and before 1.2.9-162.163.2 on SUSE openSUSE 11.1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors related to "insufficient quoting of parameters."
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.3
Cross-site scripting (XSS) vulnerability in (1) LookupDispatchAction and possibly (2) DispatchAction and (3) ActionDispatcher in Apache Software Foundation (ASF) Struts before 1.2.9 allows remote attackers to inject arbitrary web script or HTML via the parameter name, which is not filtered in the resulting error message.
Vulnerable Software & Versions:
Severity:
High
CVSS Score: 7.8
ActionForm in Apache Software Foundation (ASF) Struts before 1.2.9 with BeanUtils 1.7 allows remote attackers to cause a denial of service via a multipart/form-data encoded form with a parameter name that references the public getMultipartRequestHandler method, which provides further access to elements in the CommonsMultipartRequestHandler implementation and BeanUtils.
Vulnerable Software & Versions: (show all)
Severity:
High
CVSS Score: 7.5
Apache Software Foundation (ASF) Struts before 1.2.9 allows remote attackers to bypass validation via a request with a 'org.apache.struts.taglib.html.Constants.CANCEL' parameter, which causes the action to be canceled but would not be detected from applications that do not use the isCancelled check.
Vulnerable Software & Versions:
Severity:
Medium
CVSS Score: 4.3
Cross-site scripting (XSS) vulnerability in Apache Struts 1.2.7, and possibly other versions allows remote attackers to inject arbitrary web script or HTML via the query string, which is not properly quoted or filtered when the request handler generates an error message.
Vulnerable Software & Versions:
Description: Apache Struts 2
License:
http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: target\test-classes\struts2-core-2.1.2.jar
Severity:
Medium
CVSS Score: 5.8
CWE: CWE-264 Permissions, Privileges, and Access Controls
CookieInterceptor in Apache Struts 2.x before 2.3.16.3, when a wildcard cookiesName value is used, does not properly restrict access to the getClass method, which allows remote attackers to "manipulate" the ClassLoader and modify session state via a crafted request. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-0113.
Vulnerable Software & Versions: (show all)
Severity:
High
CVSS Score: 7.5
CWE: CWE-264 Permissions, Privileges, and Access Controls
CookieInterceptor in Apache Struts before 2.3.16.2, when a wildcard cookiesName value is used, does not properly restrict access to the getClass method, which allows remote attackers to "manipulate" the ClassLoader and execute arbitrary code via a crafted request. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-0094.
Vulnerable Software & Versions: (show all)
Severity:
High
CVSS Score: 7.5
CWE: CWE-264 Permissions, Privileges, and Access Controls
ParametersInterceptor in Apache Struts before 2.3.16.2 does not properly restrict access to the getClass method, which allows remote attackers to "manipulate" the ClassLoader and execute arbitrary code via a crafted request. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-0094.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 5.0
The ParametersInterceptor in Apache Struts before 2.3.16.1 allows remote attackers to "manipulate" the ClassLoader via the class parameter, which is passed to the getClass method.
Vulnerable Software & Versions: (show all)
Severity:
High
CVSS Score: 10.0
CWE: CWE-16 Configuration
Apache Struts 2.0.0 through 2.3.15.1 enables Dynamic Method Invocation by default, which has unknown impact and attack vectors.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 5.8
CWE: CWE-264 Permissions, Privileges, and Access Controls
Apache Struts 2.0.0 through 2.3.15.1 allows remote attackers to bypass access controls via a crafted action: prefix.
Vulnerable Software & Versions: (show all)
Severity:
High
CVSS Score: 9.3
CWE: CWE-20 Improper Input Validation
Apache Struts 2.0.0 through 2.3.15 allows remote attackers to execute arbitrary OGNL expressions via a parameter with a crafted (1) action:, (2) redirect:, or (3) redirectAction: prefix.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 5.8
CWE: CWE-20 Improper Input Validation
Multiple open redirect vulnerabilities in Apache Struts 2.0.0 through 2.3.15 allow remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in a parameter using the (1) redirect: or (2) redirectAction: prefix.
Vulnerable Software & Versions: (show all)
Severity:
High
CVSS Score: 9.3
CWE: CWE-94 Improper Control of Generation of Code ('Code Injection')
Apache Struts 2 before 2.3.14.3 allows remote attackers to execute arbitrary OGNL code via a request with a crafted value that contains both "${}" and "%{}" sequences, which causes the OGNL code to be evaluated twice.
Vulnerable Software & Versions: (show all)
Severity:
High
CVSS Score: 9.3
CWE: CWE-94 Improper Control of Generation of Code ('Code Injection')
Apache Struts 2 before 2.3.14.3 allows remote attackers to execute arbitrary OGNL code via a request with a crafted action name that is not properly handled during wildcard matching, a different vulnerability than CVE-2013-2135.
Vulnerable Software & Versions: (show all)
Severity:
High
CVSS Score: 9.3
CWE: CWE-94 Improper Control of Generation of Code ('Code Injection')
Apache Struts 2 before 2.3.14.2 allows remote attackers to execute arbitrary OGNL code via a crafted request that is not properly handled when using the includeParams attribute in the (1) URL or (2) A tag. NOTE: this issue is due to an incomplete fix for CVE-2013-1966.
Vulnerable Software & Versions: (show all)
Severity:
High
CVSS Score: 9.3
CWE: CWE-94 Improper Control of Generation of Code ('Code Injection')
Apache Struts 2 before 2.3.14.1 allows remote attackers to execute arbitrary OGNL code via a crafted request that is not properly handled when using the includeParams attribute in the (1) URL or (2) A tag.
Vulnerable Software & Versions: (show all)
Severity:
High
CVSS Score: 9.3
CWE: CWE-94 Improper Control of Generation of Code ('Code Injection')
Apache Struts Showcase App 2.0.0 through 2.3.13, as used in Struts 2 before 2.3.14.1, allows remote attackers to execute arbitrary OGNL code via a crafted parameter name that is not properly handled when invoking a redirect.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 5.0
CWE: CWE-264 Permissions, Privileges, and Access Controls
Apache Struts 2.0.0 through 2.3.4 allows remote attackers to cause a denial of service (CPU consumption) via a long parameter name, which is processed as an OGNL expression.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 6.8
CWE: CWE-352
The token check mechanism in Apache Struts 2.0.0 through 2.3.4 does not properly validate the token name configuration parameter, which allows remote attackers to perform cross-site request forgery (CSRF) attacks by setting the token name configuration parameter to a session attribute.
Vulnerable Software & Versions: (show all)
Severity:
High
CVSS Score: 10.0
CWE: CWE-20 Improper Input Validation
Apache Struts 2 before 2.2.3.1 evaluates a string as an OGNL expression during the handling of a conversion error, which allows remote attackers to modify run-time data values, and consequently execute arbitrary code, via invalid input to a field.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 6.8
CWE: CWE-94 Improper Control of Generation of Code ('Code Injection')
** DISPUTED ** The DebuggingInterceptor component in Apache Struts before 2.3.1.1, when developer mode is used, allows remote attackers to execute arbitrary commands via unspecified vectors. NOTE: the vendor characterizes this behavior as not "a security vulnerability itself."
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 6.4
CWE: CWE-264 Permissions, Privileges, and Access Controls
The ParameterInterceptor component in Apache Struts before 2.3.1.1 does not prevent access to public constructors, which allows remote attackers to create or overwrite arbitrary files via a crafted parameter that triggers the creation of a Java object.
Vulnerable Software & Versions: (show all)
Severity:
High
CVSS Score: 9.3
CWE: CWE-264 Permissions, Privileges, and Access Controls
The CookieInterceptor component in Apache Struts before 2.3.1.1 does not use the parameter-name whitelist, which allows remote attackers to execute arbitrary commands via a crafted HTTP Cookie header that triggers Java code execution through a static method.
Vulnerable Software & Versions: (show all)
Severity:
High
CVSS Score: 9.3
CWE: CWE-20 Improper Input Validation
The ExceptionDelegator component in Apache Struts before 2.2.3.1 interprets parameter values as OGNL expressions during certain exception handling for mismatched data types of properties, which allows remote attackers to execute arbitrary Java code via a crafted parameter.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 5.0
CWE: CWE-264 Permissions, Privileges, and Access Controls
Apache Struts 2.3.1.1 and earlier provides interfaces that do not properly restrict access to collections such as the session and request collections, which might allow remote attackers to modify run-time data values via a crafted parameter to an application that implements an affected interface, as demonstrated by the SessionAware, RequestAware, ApplicationAware, ServletRequestAware, ServletResponseAware, and ParameterAware interfaces. NOTE: the vendor disputes the significance of this report because of an "easy work-around in existing apps by configuring the interceptor."
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.3
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Multiple cross-site scripting (XSS) vulnerabilities in component handlers in the javatemplates (aka Java Templates) plugin in Apache Struts 2.x before 2.2.3 allow remote attackers to inject arbitrary web script or HTML via an arbitrary parameter value to a .action URI, related to improper handling of value attributes in (1) FileHandler.java, (2) HiddenHandler.java, (3) PasswordHandler.java, (4) RadioHandler.java, (5) ResetHandler.java, (6) SelectHandler.java, (7) SubmitHandler.java, and (8) TextFieldHandler.java.
Vulnerable Software & Versions: (show all)
Severity:
Low
CVSS Score: 2.6
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Multiple cross-site scripting (XSS) vulnerabilities in XWork in Apache Struts 2.x before 2.2.3, and OpenSymphony XWork in OpenSymphony WebWork, allow remote attackers to inject arbitrary web script or HTML via vectors involving (1) an action name, (2) the action attribute of an s:submit element, or (3) the method attribute of an s:submit element.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 5.0
The OGNL extensive expression evaluation capability in XWork in Struts 2.0.0 through 2.1.8.1, as used in Atlassian Fisheye, Crucible, and possibly other products, uses a permissive whitelist, which allows remote attackers to modify server-side context objects and bypass the "#" protection mechanism in ParameterInterceptors via the (1) #context, (2) #_memberAccess, (3) #root, (4) #this, (5) #_typeResolver, (6) #_classResolver, (7) #_traceEvaluations, (8) #_lastEvaluation, (9) #_keepLastEvaluation, and possibly other OGNL context variables, a different vulnerability than CVE-2008-6504.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 5.0
CWE: CWE-20 Improper Input Validation
ParametersInterceptor in OpenSymphony XWork 2.0.x before 2.0.6 and 2.1.x before 2.1.2, as used in Apache Struts and other products, does not properly restrict # (pound sign) references to context objects, which allows remote attackers to execute Object-Graph Navigation Language (OGNL) statements and modify server-side context objects, as demonstrated by use of a \u0023 representation for the # character.
Vulnerable Software & Versions: (show all)
File Path: target\test-classes\uber-1.0-SNAPSHOT.jar
MD5: 634D5CC32238FC3D023941D265189DDD
SHA1: E9A3159254A01777F536D556BCDB539C7617B0E5
Description:
Guava is a suite of core and expanded libraries that include
utility classes, google's collections, io classes, and much
much more.
This project is a complete packaging of all the Guava libraries
into a single jar. Individual portions of Guava can be used
by downloading the appropriate module and its dependencies.
Guava (complete) has only one code dependency - javax.annotation,
per the JSR-305 spec.
File Path: target\test-classes\uber-1.0-SNAPSHOT.jar\META-INF/maven/com.google.guava/guava/pom.xml
MD5: 76E749CC3E65C708116326959AF90F64
SHA1: B7F1E532B79C7E1C09849C89460798D9A7C59EAF
Description: Library for working with the Java 5 type system
License:
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: target\test-classes\uber-1.0-SNAPSHOT.jar\META-INF/maven/com.googlecode.jtype/jtype/pom.xml
File Path: target\test-classes\uber-1.0-SNAPSHOT.jar\META-INF/maven/com.sun.jersey/jersey-core/pom.xml
MD5: FF77B5ACEAF6D73A121BCB471444F071
SHA1: E1C1339FA2C342AA5A24DCDD3658C00A2139263A
File Path: target\test-classes\uber-1.0-SNAPSHOT.jar\META-INF/maven/com.sun.jersey/jersey-server/pom.xml
MD5: 07A7BE16C32692944C7FE8DCC8685D3C
SHA1: BAFFE4CDC261E43B5E727D47A5F92691A473CA78
File Path: target\test-classes\uber-1.0-SNAPSHOT.jar\META-INF/maven/com.sun.jersey/jersey-servlet/pom.xml
MD5: ED005C0838DE5F8A6E0FE6EF31B827A0
SHA1: F1C4462E1F967AFE6C150B3955B72C71780E2916
File Path: target\test-classes\uber-1.0-SNAPSHOT.jar\META-INF/maven/com.yammer.dropwizard/dropwizard-core/pom.xml
MD5: 818FD048671BD58716CD687CDCD79BA4
SHA1: 905A71014BC2BA9E893107268BA8227528F31617
Description:
A dependency-less package of just the annotations used by other Metrics modules.
File Path: target\test-classes\uber-1.0-SNAPSHOT.jar\META-INF/maven/com.yammer.metrics/metrics-annotation/pom.xml
MD5: FAC7425F6B8789EE45F7A7AD56711AF0
SHA1: F28C170C7FBFF96DE88602D1D11AFD9B618E6C59
File Path: target\test-classes\uber-1.0-SNAPSHOT.jar\META-INF/maven/com.yammer.metrics/metrics-core/pom.xml
MD5: 726812BD630CB75B3CADF40346C669E9
SHA1: C04A80A736AE29268265E22AA7E21DEA68C63D1B
Description:
A set of class providing Metrics integration for Jersey, the reference JAX-
implementation.
File Path: target\test-classes\uber-1.0-SNAPSHOT.jar\META-INF/maven/com.yammer.metrics/metrics-jersey/pom.xml
MD5: 0B751B9E702FBD84C41644D71BA55862
SHA1: 8F90C99A87E2E1C67A1056C387BBE3FF1E92F2AA
File Path: target\test-classes\uber-1.0-SNAPSHOT.jar\META-INF/maven/com.yammer.metrics/metrics-jetty/pom.xml
MD5: 994485BF6DB4621A698290E213F0838E
SHA1: 3D4C7EE060F83CA829EE3EF22900E3AF49579F53
File Path: target\test-classes\uber-1.0-SNAPSHOT.jar\META-INF/maven/com.yammer.metrics/metrics-log4j/pom.xml
MD5: 72B71C62A25EC1C934D7B1463FE9790D
SHA1: 66C0601572C4EA1DF2AA24E69FF0A7C16A42623B
File Path: target\test-classes\uber-1.0-SNAPSHOT.jar\META-INF/maven/com.yammer.metrics/metrics-servlet/pom.xml
MD5: F71C2DA1DA38A5D505D892C2FE6022D2
SHA1: 838AAAE3F56141A6E35E87003D90F1C7132F839C
Description:
Commons-IO contains utility classes, stream implementations, file filters, and endian classes.
File Path: target\test-classes\uber-1.0-SNAPSHOT.jar\META-INF/maven/commons-io/commons-io/pom.xml
MD5: 92BEB726A369CB3CE2503796F98E2F3B
SHA1: D30E29BEE45E6DA52A776266A460F10B51CECA98
Description: Commons Logging is a thin adapter allowing configurable bridging to other,
well known logging systems.
File Path: target\test-classes\uber-1.0-SNAPSHOT.jar\META-INF/maven/commons-logging/commons-logging/pom.xml
MD5: 976D812430B8246DEEAF2EA54610F263
SHA1: 76672AFB562B9E903674AD3A544CDF2092F1FAA3
Description:
Bean Validation (JSR-303) API.
License:
Apache License, Version 2.0: license.txtFile Path: target\test-classes\uber-1.0-SNAPSHOT.jar\META-INF/maven/javax.validation/validation-api/pom.xml
Description: Apache Log4j 1.2
License:
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: target\test-classes\uber-1.0-SNAPSHOT.jar\META-INF/maven/log4j/log4j/pom.xml
Description: Asynchronous API
File Path: target\test-classes\uber-1.0-SNAPSHOT.jar\META-INF/maven/org.eclipse.jetty/jetty-continuation/pom.xml
MD5: 74919244C9CA106D221F23A832E1076D
SHA1: B59985A1BA1B93FBBD5D90B6FF5ED9F44CC91AC7
File Path: target\test-classes\uber-1.0-SNAPSHOT.jar\META-INF/maven/org.eclipse.jetty/jetty-http/pom.xml
MD5: F1B6DB43B8A499E66DDF58C8165714A5
SHA1: 885E6E766EC3452C085324A9759DE5AD8A1C8971
File Path: target\test-classes\uber-1.0-SNAPSHOT.jar\META-INF/maven/org.eclipse.jetty/jetty-io/pom.xml
MD5: 941C55F8AC0D6C14971D20BE7B60EC19
SHA1: F8F0907153F891113BDEE011063E540D7D57A496
Description: Jetty security infrastructure
File Path: target\test-classes\uber-1.0-SNAPSHOT.jar\META-INF/maven/org.eclipse.jetty/jetty-security/pom.xml
MD5: 266A3467A1D03BCE12E34FDA16DFA615
SHA1: 53B54057B58AE7D3C4C12B520B048889A2C28AD8
Description: The core jetty server artifact.
File Path: target\test-classes\uber-1.0-SNAPSHOT.jar\META-INF/maven/org.eclipse.jetty/jetty-server/pom.xml
MD5: 55A7034666834BE8A62B8DB044AC8D70
SHA1: A9AE16CB473F1797940DD58ED3D5541C88B34396
Description: Jetty Servlet Container
File Path: target\test-classes\uber-1.0-SNAPSHOT.jar\META-INF/maven/org.eclipse.jetty/jetty-servlet/pom.xml
MD5: E662A30EA722C442A57A83C478FD7D7E
SHA1: 4A2D357D991AFF1EE18E617B7C1076DBCFE89986
Description: Utility classes for Jetty
File Path: target\test-classes\uber-1.0-SNAPSHOT.jar\META-INF/maven/org.eclipse.jetty/jetty-util/pom.xml
MD5: C147343FA7F11C15A5F99DDF8A830B20
SHA1: 9A86A0C493D3834471B7A03E174A9F4D469CBD98
Description:
Hibernate's Bean Validation (JSR-303) reference implementation.
File Path: target\test-classes\uber-1.0-SNAPSHOT.jar\META-INF/maven/org.hibernate/hibernate-validator/pom.xml
MD5: 80F5387C7495664FC4BA31138829B0B8
SHA1: 02AE7DAE4450B00F78D8BC458590221E7401EEE7
File Path: target\test-classes\uber-1.0-SNAPSHOT.jar\META-INF/maven/org.owasp.dependency-check/uber/pom.xml
MD5: 2C67A7108125EDE340218E9DEBA58E82
SHA1: 52FB11F0FC1666A343AA5C5EA0F756BA54934C1F
Description:
JUL to SLF4J bridge
File Path: target\test-classes\uber-1.0-SNAPSHOT.jar\META-INF/maven/org.slf4j/jul-to-slf4j/pom.xml
MD5: AE2B577066D99BEA42B1E1F2F0AAF45D
SHA1: BD08211DD5FA0AB44A0A3B04C1EC0C5F67348334
Description: The slf4j API
File Path: target\test-classes\uber-1.0-SNAPSHOT.jar\META-INF/maven/org.slf4j/slf4j-api/pom.xml
MD5: D000B772974FBE3AD9E1A68AD8F484E7
SHA1: 93C66C9AFD6CF7B91BD4ECF38A60CA48FC5F2078
Description:
The slf4j log4j-12 binding
File Path: target\test-classes\uber-1.0-SNAPSHOT.jar\META-INF/maven/org.slf4j/slf4j-log4j12/pom.xml
MD5: 228315739FC30A7EB2403BCC8AACA619
SHA1: AB93DFAA2FB9619D91FB31A64BB65802B56ED0FB
Description: YAML 1.1 parser and emitter for Java
License:
Apache License Version 2.0: LICENSE.txtFile Path: target\test-classes\uber-1.0-SNAPSHOT.jar\META-INF/maven/org.yaml/snakeyaml/pom.xml
File Path: target\test-classes\velocity-1.7.jar
MD5: 3692DD72F8367CB35FB6280DC2916725
SHA1: 2CEB567B8F3F21118ECDEC129FE1271DBC09AA7A
File Path: target\test-classes\war-4.0.war
MD5: 54070E31AA8E6256EA8C850642A3C434
SHA1: EAEDE5596599912D70CB9B517CB87FFF336A8422
File Path: target\test-classes\war-4.0.war\WEB-INF\extra\commons-fileupload-1.1.1.jar
MD5: ADB15D9A4DA4A30D77E88B32A45CBDDB
SHA1: D587A50727BA905AAD13DE9EA119081403BF6823
Severity:
Medium
CVSS Score: 5.0
CWE: CWE-264 Permissions, Privileges, and Access Controls
MultipartStream.java in Apache Commons FileUpload before 1.3.1, as used in Apache Tomcat, JBoss Web, and other products, allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via a crafted Content-Type header that bypasses a loop's intended exit conditions.
Vulnerable Software & Versions: (show all)
Severity:
Low
CVSS Score: 3.3
CWE: CWE-264 Permissions, Privileges, and Access Controls
The default configuration of javax.servlet.context.tempdir in Apache Commons FileUpload 1.0 through 1.2.2 uses the /tmp directory for uploaded files, which allows local users to overwrite arbitrary files via an unspecified symlink attack.
Vulnerable Software & Versions: (show all)
File Path: target\test-classes\war-4.0.war\WEB-INF\extra\commons-io-1.3.1.jar
MD5: 2E55C05D3386889AF97CAAE4517AC9DF
SHA1: B90B6AC57CF27A2858EAA490D02BA7945D18CA7B
Description: Java.net - The Source for Java Technology Collaboration
License:
http://glassfish.java.net/nonav/public/CDDL+GPL.htmlFile Path: target\test-classes\war-4.0.war\WEB-INF\lib\console-core-4.0.jar
File Path: target\test-classes\war-4.0.war\WEB-INF\extra\dojo-ajax-nodemo-0.4.1.jar
MD5: 91FDA9E8B3C95EEE6F566567CF790A9E
SHA1: 0E77D6BB7687A7084A1B92DA563DFDA6324BA83F
File Path: target\test-classes\war-4.0.war\WEB-INF\extra\json-1.0.jar
MD5: A7AA9A187CB901EC6E299F65F583F140
SHA1: 0FE8CE55B9F83F16185192821A385916B0EEF38E
File Path: target\test-classes\war-4.0.war\WEB-INF\extra\prototype-1.5.0.jar
MD5: 206BD786024ECA29E41A12E44C055C0A
SHA1: B02B002F0E9BB289B311DB49C561C58AFB8EB58C
File Path: target\test-classes\war-4.0.war\WEB-INF\extra\webui-jsf-4.0.2.10.jar
MD5: 411E6E13BC190D58E10337E502371CFC
SHA1: 977A6FA7F65F8EA68101AA1252C05E8193DE97B5
File Path: target\test-classes\war-4.0.war\WEB-INF\extra\webui-jsf-suntheme-4.0.2.10.jar
MD5: 62A5F094E9832DCE2A7CE138DFEE3507
SHA1: 4EC663AE9AB37D9D6504DC5754E1E59D36D2CD9E
Description: The Woden project is a subproject of the Apache Web Services Project to develop a Java class library for reading, manipulating, creating and writing WSDL documents, initially to support WSDL 2.0 but with the longer term aim of supporting past, present and future versions of WSDL. There are two main deliverables: an API and an implementation. The Woden API consists of a set of Java interfaces. The WSDL 2.0-specific portion of the Woden API conforms to the W3C WSDL 2.0 specification. The implementation will be a high performance implementation directly usable in other Apache projects such as Axis2.
License:
http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: target\test-classes\woden-api-1.0M8.jar
Description: The Woden project is a subproject of the Apache Web Services Project to develop a Java class library for reading, manipulating, creating and writing WSDL documents, initially to support WSDL 2.0 but with the longer term aim of supporting past, present and future versions of WSDL. There are two main deliverables: an API and an implementation. The Woden API consists of a set of Java interfaces. The WSDL 2.0-specific portion of the Woden API conforms to the W3C WSDL 2.0 specification. The implementation will be a high performance implementation directly usable in other Apache projects such as Axis2.
License:
http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: target\test-classes\woden-impl-dom-1.0M8.jar
File Path: target\test-classes\wsdl4j-1.6.2.jar
MD5: 2608A8EA3F07B0C08DE8A7D3D0D3FC09
SHA1: DEC1669FB6801B7328E01AD72FC9E10B69EA06C1
File Path: target\test-classes\wstx-asl-3.2.4.jar
MD5: F3FAC27A7387452F1C4243C695FA0F0D
SHA1: AADA03A08AE547BEE92CAF3B1E0CD756134E9226
File Path: target\test-classes\xalan-2.7.0.jar
MD5: A018D032C21A873225E702B36B171A10
SHA1: A33C0097F1C70B20FA7DED220EA317EB3500515E
File Path: target\test-classes\xercesImpl-2.8.1.jar
MD5: E86F321C8191B37BD720FF5679F57288
SHA1: 25101E37EC0C907DB6F0612CBF106EE519C1AEF1
File Path: target\test-classes\xml-apis-1.3.04.jar
MD5: 9AE9C29E4497FC35A3EADE1E6DD0BBEB
SHA1: 90B215F48FE42776C8C7F6E3509EC54E84FD65EF
File Path: target\test-classes\xmlParserAPIs-2.6.0.jar
MD5: 2651F9F7C39E3524F3E2C394625AC63A
SHA1: 065ACEDE1E5305BD2B92213D7B5761328C6F4FD9
Description: Commons XMLSchema is a light weight schema object model that can be used to manipualte or
generate a schema. It has a clean, easy to use API and can easily be integrated into an existing project
since it has almost no dependancies on third party libraries.
License:
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: target\test-classes\XmlSchema-1.4.2.jar
Description:
XWork is an command-pattern framework that is used to power WebWork
as well as other applications. XWork provides an Inversion of Control
container, a powerful expression language, data type conversion,
validation, and pluggable configuration.
License:
The OpenSymphony Software License 1.1: src/etc/LICENSE.txtFile Path: target\test-classes\xwork-2.1.1.jar
Severity:
Medium
CVSS Score: 5.0
CWE: CWE-200 Information Exposure
XWork 2.2.1 in Apache Struts 2.2.1, and OpenSymphony XWork in OpenSymphony WebWork, allows remote attackers to obtain potentially sensitive information about internal Java class paths via vectors involving an s:submit element and a nonexistent method, a different vulnerability than CVE-2011-1772.3.
Vulnerable Software & Versions: (show all)
Severity:
Low
CVSS Score: 2.6
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Multiple cross-site scripting (XSS) vulnerabilities in XWork in Apache Struts 2.x before 2.2.3, and OpenSymphony XWork in OpenSymphony WebWork, allow remote attackers to inject arbitrary web script or HTML via vectors involving (1) an action name, (2) the action attribute of an s:submit element, or (3) the method attribute of an s:submit element.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 5.0
CWE: CWE-20 Improper Input Validation
ParametersInterceptor in OpenSymphony XWork 2.0.x before 2.0.6 and 2.1.x before 2.1.2, as used in Apache Struts and other products, does not properly restrict # (pound sign) references to context objects, which allows remote attackers to execute Object-Graph Navigation Language (OGNL) statements and modify server-side context objects, as demonstrated by use of a \u0023 representation for the # character.
Vulnerable Software & Versions: (show all)
File Path: target\test-classes\spring-security-core-3.0.0.RELEASE.jar
MD5: 740649FA36B65F4BFE7D2A57E2B2807E
SHA1: 23DD919891E86A1B74B9198BD67A4AE9F4849C28
CVE-2014-1904 suppressed
Severity:
Medium
CVSS Score: 4.3
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Cross-site scripting (XSS) vulnerability in web/servlet/tags/form/FormTag.java in Spring MVC in Spring Framework 3.0.0 before 3.2.8 and 4.0.0 before 4.0.2 allows remote attackers to inject arbitrary web script or HTML via the requested URI in a default action.
Vulnerable Software & Versions: (show all)
CVE-2014-0054 suppressed
Severity:
Medium
CVSS Score: 6.8
CWE: CWE-352
The Jaxb2RootElementHttpMessageConverter in Spring MVC in Spring Framework before 3.2.8 and 4.0.0 before 4.0.2 does not disable external entity resolution, which allows remote attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML, aka an XML External Entity (XXE) issue. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-4152, CVE-2013-7315, and CVE-2013-6429.
Vulnerable Software & Versions: (show all)
CVE-2013-7315 suppressed
Severity:
Medium
CVSS Score: 6.8
CWE: CWE-264 Permissions, Privileges, and Access Controls
The Spring MVC in Spring Framework before 3.2.4 and 4.0.0.M1 through 4.0.0.M2 does not disable external entity resolution for the StAX XMLInputFactory, which allows context-dependent attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML with JAXB, aka an XML External Entity (XXE) issue, and a different vulnerability than CVE-2013-4152. NOTE: this issue was SPLIT from CVE-2013-4152 due to different affected versions.
Vulnerable Software & Versions: (show all)
CVE-2013-6429 suppressed
Severity:
Medium
CVSS Score: 6.8
CWE: CWE-264 Permissions, Privileges, and Access Controls
The SourceHttpMessageConverter in Spring MVC in Spring Framework before 3.2.5 and 4.0.0.M1 through 4.0.0.RC1 does not disable external entity resolution, which allows remote attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML, aka an XML External Entity (XXE) issue, and a different vulnerability than CVE-2013-4152 and CVE-2013-7315.
Vulnerable Software & Versions: (show all)
CVE-2013-4152 suppressed
Severity:
Medium
CVSS Score: 6.8
CWE: CWE-264 Permissions, Privileges, and Access Controls
The Spring OXM wrapper in Spring Framework before 3.2.4 and 4.0.0.M1, when using the JAXB marshaller, does not disable entity resolution, which allows context-dependent attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via an XML external entity declaration in conjunction with an entity reference in a (1) DOMSource, (2) StAXSource, (3) SAXSource, or (4) StreamSource, aka an XML External Entity (XXE) issue.
Vulnerable Software & Versions: (show all)
CVE-2011-2894 suppressed
Severity:
Medium
CVSS Score: 6.8
CWE: CWE-264 Permissions, Privileges, and Access Controls
Spring Framework 3.0.0 through 3.0.5, Spring Security 3.0.0 through 3.0.5 and 2.0.0 through 2.0.6, and possibly other versions deserialize objects from untrusted sources, which allows remote attackers to bypass intended security restrictions and execute untrusted code by (1) serializing a java.lang.Proxy instance and using InvocationHandler, or (2) accessing internal AOP interfaces, as demonstrated using deserialization of a DefaultListableBeanFactory instance to execute arbitrary commands via the java.lang.Runtime class.
Vulnerable Software & Versions: (show all)
CVE-2011-2730 suppressed
Severity:
High
CVSS Score: 7.5
CWE: CWE-16 Configuration
VMware SpringSource Spring Framework before 2.5.6.SEC03, 2.5.7.SR023, and 3.x before 3.0.6, when a container supports Expression Language (EL), evaluates EL expressions in tags twice, which allows remote attackers to obtain sensitive information via a (1) name attribute in a (a) spring:hasBindErrors tag; (2) path attribute in a (b) spring:bind or (c) spring:nestedpath tag; (3) arguments, (4) code, (5) text, (6) var, (7) scope, or (8) message attribute in a (d) spring:message or (e) spring:theme tag; or (9) var, (10) scope, or (11) value attribute in a (f) spring:transform tag, aka "Expression Language Injection."
Vulnerable Software & Versions: (show all)
CVE-2010-1622 suppressed
Severity:
Medium
CVSS Score: 5.1
CWE: CWE-94 Improper Control of Generation of Code ('Code Injection')
SpringSource Spring Framework 2.5.x before 2.5.6.SEC02, 2.5.7 before 2.5.7.SR01, and 3.0.x before 3.0.3 allows remote attackers to execute arbitrary code via an HTTP request containing class.classLoader.URLs[0]=jar: followed by a URL of a crafted .jar file.
Vulnerable Software & Versions: (show all)