Dependency-Check is an open source tool performing a best effort analysis of 3rd party dependencies; false positives and false negatives may exist in the analysis performed by the tool. Use of the tool and the reporting provided constitutes acceptance for use in an AS IS condition, and there are NO warranties, implied or otherwise, with regard to the analysis or its use. Any use of the tool and the reporting provided is at the user’s risk. In no event shall the copyright holder or OWASP be held liable for any damages whatsoever arising out of or in connection with the use of this tool, the analysis performed, or the resulting report.
File Path: C:\Users\jeremy\Documents\NetBeansProjects\DependencyCheck\dependency-check-core\target\test-classes\activation-1.1.jar
MD5: 8AE38E87CD4F86059C0294A8FE3E0B18
SHA1: E6CB541461C2834BDEA3EB920F1884D1EB508B50
File Path: C:\Users\jeremy\Documents\NetBeansProjects\DependencyCheck\dependency-check-core\target\test-classes\annogen-0.1.0.jar
MD5: FF275C3491AC6715AD9F6C22A9660503
SHA1: A8DE34EA7AA93765D24DC16EC9C61AF5160BB899
File Path: C:\Users\jeremy\Documents\NetBeansProjects\DependencyCheck\dependency-check-core\target\test-classes\ant-1.7.0.jar
MD5: 133E8979E9C11450F557CA890177FE0A
SHA1: 9746AF1A485E50CF18DCB232489032A847067066
File Path: C:\Users\jeremy\Documents\NetBeansProjects\DependencyCheck\dependency-check-core\target\test-classes\ant-launcher-1.7.0.jar
MD5: E0C8B3F9390A5D784BBDB6A21F2ABD1D
SHA1: E7E30789211E074AA70EF3EAEA59BD5B22A7FA7A
File Path: C:\Users\jeremy\Documents\NetBeansProjects\DependencyCheck\dependency-check-core\target\test-classes\aopalliance-1.0.jar
MD5: 04177054E180D09E3998808EFA0401C7
SHA1: 0235BA8B489512805AC13A8F9EA77A1CA5EBE3E8
Description: The Axiom API
License: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\Users\jeremy\Documents\NetBeansProjects\DependencyCheck\dependency-check-core\target\test-classes\axiom-api-1.2.7.jar
Description: The Axiom DOM implementation.
License: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\Users\jeremy\Documents\NetBeansProjects\DependencyCheck\dependency-check-core\target\test-classes\axiom-dom-1.2.7.jar
Description: The Axiom default implementation.
License: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\Users\jeremy\Documents\NetBeansProjects\DependencyCheck\dependency-check-core\target\test-classes\axiom-impl-1.2.7.jar
File Path: C:\Users\jeremy\Documents\NetBeansProjects\DependencyCheck\dependency-check-core\target\test-classes\axis-1.4.jar
MD5: 03DCFDD88502505CC5A805A128BFDD8D
SHA1: 94A9CE681A42D0352B3AD22659F67835E560D107
Severity:
Medium
CVSS Score: 5.8
CWE: CWE-20 Improper Input Validation
Apache Axis 1.4 and earlier, as used in PayPal Payments Pro, PayPal Mass Pay, PayPal Transactional Information SOAP, the Java Message Service implementation in Apache ActiveMQ, and other products, does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.
Vulnerable Software & Versions:
Description: Core Parts of Axis 2.0. This includes Axis 2.0 engine, Client API, Addressing support, etc.,
License: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\Users\jeremy\Documents\NetBeansProjects\DependencyCheck\dependency-check-core\target\test-classes\axis2-kernel-1.4.1.jar
Severity:
Medium
CVSS Score: 5.8
CWE: CWE-20 Improper Input Validation
Apache Axis2/Java 1.6.2 and earlier does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.
Vulnerable Software & Versions:
Severity:
Medium
CVSS Score: 6.4
CWE: CWE-287 Improper Authentication
Apache Axis2 allows remote attackers to forge messages and bypass authentication via a SAML assertion that lacks a Signature element, aka a "Signature exclusion attack," a different vulnerability than CVE-2012-4418.
Vulnerable Software & Versions:
Severity:
Medium
CVSS Score: 5.8
CWE: CWE-287 Improper Authentication
Apache Axis2 allows remote attackers to forge messages and bypass authentication via an "XML Signature wrapping attack."
Vulnerable Software & Versions:
Severity:
Medium
CVSS Score: 4.3
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Cross-site scripting (XSS) vulnerability in axis2-admin/axis2-admin/engagingglobally in the administration console in Apache Axis2/Java 1.4.1, 1.5.1, and possibly other versions, as used in SAP Business Objects 12, 3com IMC, and possibly other products, allows remote attackers to inject arbitrary web script or HTML via the modules parameter. NOTE: some of these details are obtained from third party information.
Vulnerable Software & Versions:
Severity:
High
CVSS Score: 7.5
CWE: CWE-20 Improper Input Validation
Apache Axis2 before 1.5.2, as used in IBM WebSphere Application Server (WAS) 7.0 through 7.0.0.12, IBM Feature Pack for Web Services 6.1.0.9 through 6.1.0.32, IBM Feature Pack for Web 2.0 1.0.1.0, Apache Synapse, Apache ODE, Apache Tuscany, Apache Geronimo, and other products, does not properly reject DTDs in SOAP messages, which allows remote attackers to read arbitrary files, send HTTP requests to intranet servers, or cause a denial of service (CPU and memory consumption) via a crafted DTD, as demonstrated by an entity declaration in a request to the Synapse SimpleStockQuoteService.
Vulnerable Software & Versions:
Severity:
High
CVSS Score: 10.0
CWE: CWE-255 Credentials Management
Apache Axis2, as used in dswsbobje.war in SAP BusinessObjects Enterprise XI 3.2, CA ARCserve D2D r15, and other products, has a default password of axis2 for the admin account, which makes it easier for remote attackers to execute arbitrary code by uploading a crafted web service.
Vulnerable Software & Versions:
File Path: C:\Users\jeremy\Documents\NetBeansProjects\DependencyCheck\dependency-check-core\target\test-classes\backport-util-concurrent-3.1.jar
MD5: 748BB0CBF4780B2E3121DC9C12E10CD9
SHA1: 682F7AC17FED79E92F8E87D8455192B63376347B
File Path: C:\Users\jeremy\Documents\NetBeansProjects\DependencyCheck\dependency-check-core\target\test-classes\batik-util-1.7.jar
MD5: 99F99684B6DF6200E529575DCCCE9970
SHA1: 5C4DD0DD9A86A2FBA2C6EA26FB62B32B21B2A61E
File Path: C:\Users\jeremy\Documents\NetBeansProjects\DependencyCheck\dependency-check-core\target\test-classes\bcprov-jdk14-140.jar
MD5: 794C26ABA4E5B65525894564B2F96BCB
SHA1: 57F4571D76FAEF80F06F63DC22DB1A1250B35394
Description:
Commons CLI provides a simple API for presenting, processing and validating a command line interface.
License: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\Users\jeremy\Documents\NetBeansProjects\DependencyCheck\dependency-check-core\target\test-classes\commons-cli-1.2.jar
File Path: C:\Users\jeremy\Documents\NetBeansProjects\DependencyCheck\dependency-check-core\target\test-classes\commons-codec-1.2.jar
MD5: 2617B220009F952BB9542AF167D040CF
SHA1: 397F4731A9F9B6EB1907E224911C77EA3AA27A8B
Description:
The FileUpload component provides a simple yet flexible means of adding support for multipart
file upload functionality to servlets and web applications.
License: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\Users\jeremy\Documents\NetBeansProjects\DependencyCheck\dependency-check-core\target\test-classes\commons-fileupload-1.2.1.jar
Severity:
Medium
CVSS Score: 5.0
CWE: CWE-264 Permissions, Privileges, and Access Controls
MultipartStream.java in Apache Commons FileUpload before 1.3.1, as used in Apache Tomcat, JBoss Web, and other products, allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via a crafted Content-Type header that bypasses a loop's intended exit conditions.
Vulnerable Software & Versions:
Severity:
Low
CVSS Score: 3.3
CWE: CWE-264 Permissions, Privileges, and Access Controls
The default configuration of javax.servlet.context.tempdir in Apache Commons FileUpload 1.0 through 1.2.2 uses the /tmp directory for uploaded files, which allows local users to overwrite arbitrary files via an unspecified symlink attack.
Vulnerable Software & Versions:
File Path: C:\Users\jeremy\Documents\NetBeansProjects\DependencyCheck\dependency-check-core\target\test-classes\commons-httpclient-3.1.jar
MD5: 8AD8C9229EF2D59AB9F59F7050E846A5
SHA1: 964CD74171F427720480EFDEC40A7C7F6E58426A
Description: Commons Object Pooling Library
License: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\Users\jeremy\Documents\NetBeansProjects\DependencyCheck\dependency-check-core\target\test-classes\commons-pool-1.5.3.jar
Description:
Commons Validator provides the building blocks for both client side validation and server side data validation.
It may be used standalone or with a framework like Struts.
License: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\Users\jeremy\Documents\NetBeansProjects\DependencyCheck\dependency-check-core\target\test-classes\commons-validator-1.4.0.jar
File Path: C:\Users\jeremy\Documents\NetBeansProjects\DependencyCheck\dependency-check-core\target\test-classes\daytrader-ear-2.1.7.ear
MD5: 9FA8C4E8072904589FC0D1A12E8EB291
SHA1: 61868609EB138C41C0298373C9F8C19713FEFA54
Description: Daytrader EJBs
File Path: C:\Users\jeremy\Documents\NetBeansProjects\DependencyCheck\dependency-check-core\target\test-classes\daytrader-ear-2.1.7.ear\dt-ejb.jar
MD5: 26E92DBACAD11C73F03EDE043B113653
SHA1: F2F7C05243EC8E5FB93EFB35F5908BBA88651BF3
Severity:
High
CVSS Score: 7.8
CWE: CWE-20 Improper Input Validation
Apache Geronimo 2.2.1 and earlier computes hash values for form parameters without restricting the ability to trigger hash collisions predictably, which allows remote attackers to cause a denial of service (CPU consumption) by sending many crafted parameters. NOTE: this might overlap CVE-2011-4461.
Vulnerable Software & Versions:
Severity:
Low
CVSS Score: 2.1
CWE: CWE-59 Improper Link Resolution Before File Access ('Link Following')
The init script for Apache Geronimo on SUSE Linux follows symlinks when performing a chown operation, which might allow local users to obtain access to unspecified files or directories.
Vulnerable Software & Versions:
Description: Provides open-source implementations of Sun specifications.
License: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\Users\jeremy\Documents\NetBeansProjects\DependencyCheck\dependency-check-core\target\test-classes\daytrader-ear-2.1.7.ear\geronimo-jaxrpc_1.1_spec-2.0.0.jar
Severity:
High
CVSS Score: 7.8
CWE: CWE-20 Improper Input Validation
Apache Geronimo 2.2.1 and earlier computes hash values for form parameters without restricting the ability to trigger hash collisions predictably, which allows remote attackers to cause a denial of service (CPU consumption) by sending many crafted parameters. NOTE: this might overlap CVE-2011-4461.
Vulnerable Software & Versions:
Severity:
Low
CVSS Score: 2.1
CWE: CWE-59 Improper Link Resolution Before File Access ('Link Following')
The init script for Apache Geronimo on SUSE Linux follows symlinks when performing a chown operation, which might allow local users to obtain access to unspecified files or directories.
Vulnerable Software & Versions:
Severity:
High
CVSS Score: 7.5
CWE: CWE-287 Improper Authentication
SQLLoginModule in Apache Geronimo 2.0 through 2.1 does not throw an exception for a nonexistent username, which allows remote attackers to bypass authentication via a login attempt with any username not contained in the database.
Vulnerable Software & Versions:
Severity:
High
CVSS Score: 10.0
CWE: CWE-287 Improper Authentication
The login method in LoginModule implementations in Apache Geronimo 2.0 does not throw FailedLoginException for failed logins, which allows remote attackers to bypass authentication requirements, deploy arbitrary modules, and gain administrative access by sending a blank username and password with the command line deployer in the deployment module.
Vulnerable Software & Versions:
Description: Streamer Application for Day Trader
File Path: C:\Users\jeremy\Documents\NetBeansProjects\DependencyCheck\dependency-check-core\target\test-classes\daytrader-ear-2.1.7.ear\streamer.jar
MD5: 5BC6DE1A34935D20331EF777463FD28B
SHA1: EC631C926AB667182840B3E5E32BD3D2F8A808AC
File Path: C:\Users\jeremy\Documents\NetBeansProjects\DependencyCheck\dependency-check-core\target\test-classes\daytrader-ear-2.1.7.ear\web.war
MD5: 857655BB1DDB4204F09D63E5CA8C56BC
SHA1: 7A7455F5D78BB4E1B8E66CD3E6C1F964D18705F9
Description: Client demonstrating Web Services
File Path: C:\Users\jeremy\Documents\NetBeansProjects\DependencyCheck\dependency-check-core\target\test-classes\daytrader-ear-2.1.7.ear\wsappclient.jar
MD5: C343646C162FDD19156400FE83F41CE2
SHA1: ECE01974BE048BA75E2B344C39EFB176915A1C16
File Path: C:\Users\jeremy\Documents\NetBeansProjects\DependencyCheck\dependency-check-core\target\test-classes\dojo-war-1.3.0.war
MD5: CD00CB6BC15004638548148A21D799AA
SHA1: 36572B4E096421BECAB9346DA41BBC4EC1316A54
Severity:
High
CVSS Score: 10.0
CWE: CWE-16 Configuration
The default configuration of the build process in Dojo 0.4.x before 0.4.4, 1.0.x before 1.0.3, 1.1.x before 1.1.2, 1.2.x before 1.2.4, 1.3.x before 1.3.3, and 1.4.x before 1.4.2 has the copyTests=true and mini=false options, which makes it easier for remote attackers to have an unspecified impact via a request to a (1) test or (2) demo component.
Vulnerable Software & Versions:
Severity:
Medium
CVSS Score: 4.3
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Cross-site scripting (XSS) vulnerability in dijit/tests/_testCommon.js in Dojo Toolkit SDK before 1.4.2 allows remote attackers to inject arbitrary web script or HTML via the theme parameter, as demonstrated by an attack against dijit/tests/form/test_Button.html.
Vulnerable Software & Versions:
Severity:
Medium
CVSS Score: 4.3
Multiple open redirect vulnerabilities in Dojo 1.0.x before 1.0.3, 1.1.x before 1.1.2, 1.2.x before 1.2.4, 1.3.x before 1.3.3, and 1.4.x before 1.4.2 allow remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors, possibly related to dojo/resources/iframe_history.html, dojox/av/FLAudio.js, dojox/av/FLVideo.js, dojox/av/resources/audio.swf, dojox/av/resources/video.swf, util/buildscripts/jslib/build.js, util/buildscripts/jslib/buildUtil.js, and util/doh/runner.html.
Vulnerable Software & Versions:
Severity:
Medium
CVSS Score: 4.3
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Multiple cross-site scripting (XSS) vulnerabilities in Dojo 1.0.x before 1.0.3, 1.1.x before 1.1.2, 1.2.x before 1.2.4, 1.3.x before 1.3.3, and 1.4.x before 1.4.2 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors, possibly related to dojo/resources/iframe_history.html, dojox/av/FLAudio.js, dojox/av/FLVideo.js, dojox/av/resources/audio.swf, dojox/av/resources/video.swf, util/buildscripts/jslib/build.js, and util/buildscripts/jslib/buildUtil.js, as demonstrated by the (1) dojoUrl and (2) testUrl parameters to util/doh/runner.html.
Vulnerable Software & Versions:
Severity:
Medium
CVSS Score: 5.0
The Dojo framework exchanges data using JavaScript Object Notation (JSON) without an associated protection scheme, which allows remote attackers to obtain the data via a web page that retrieves the data through a URL in the SRC attribute of a SCRIPT element and captures the data using other JavaScript code, aka "JavaScript Hijacking."
Vulnerable Software & Versions:
Description: This is the ehcache core module. Pair it with other modules for added functionality.
License: The Apache Software License, Version 2.0: src/assemble/LICENSE.txt
File Path: C:\Users\jeremy\Documents\NetBeansProjects\DependencyCheck\dependency-check-core\target\test-classes\ehcache-core-2.2.0.jar
File Path: C:\Users\jeremy\Documents\NetBeansProjects\DependencyCheck\dependency-check-core\target\test-classes\FileHelpers.2.0.0.0.nupkg
MD5: 0BF948B505852A2AF8A597B8A129EF9A
SHA1: 30FB37D6163CF16E3BA740343BECDD14D5457619
File Path: C:\Users\jeremy\Documents\NetBeansProjects\DependencyCheck\dependency-check-core\target\test-classes\FileHelpers.2.0.0.0.nupkg\lib\FileHelpers.dll
MD5: 4829FA768DE37C315A3A3B7BCA027B64
SHA1: A256F622A6209EC21A13D490443FFD6DBDA4F5B7
File Path: C:\Users\jeremy\Documents\NetBeansProjects\DependencyCheck\dependency-check-core\target\test-classes\FileHelpers.2.0.0.0.nupkg\lib\FileHelpers.ExcelStorage.dll
MD5: D22AECA6EE71A2E6F5B3D296280BA98A
SHA1: E416350E2EE0E0711E2716CF7EFCE54168ACCC52
File Path: C:\Users\jeremy\Documents\NetBeansProjects\DependencyCheck\dependency-check-core\target\test-classes\FileHelpers.2.0.0.0.nupkg\FileHelpers.nuspec
MD5: 9E2287F0174BCD79CF7E2427D73A1197
SHA1: D14A722B66388D84AC3B57C4DE56E702AA5FEA96
File Path: C:\Users\jeremy\Documents\NetBeansProjects\DependencyCheck\dependency-check-core\target\test-classes\FileHelpers.2.0.0.0.nupkg\lib\Interop.Excel.dll
MD5: 728FF3AEAE71CBD8D303F442E3843C4C
SHA1: CDAA993485F737951FD91C71F41C929CD06DFFA3
File Path: C:\Users\jeremy\Documents\NetBeansProjects\DependencyCheck\dependency-check-core\target\test-classes\FileHelpers.2.0.0.0.nupkg\lib\Interop.Office.dll
MD5: 7B55E3BF19775B7A6FA5BF3C271E2C0C
SHA1: EEFCFE4B0C90B6F4232D07D588A08BC04FD32E84
File Path: C:\Users\jeremy\Documents\NetBeansProjects\DependencyCheck\dependency-check-core\target\test-classes\freemarker-2.3.12.jar
MD5: 719554BBC3D8A98582A8A93328134FE2
SHA1: 3501B670AA7E3822DDF7693082F621B1CD8CE086
Description: POM created to enable maven dependency management for gcm-server
File Path: C:\Users\jeremy\Documents\NetBeansProjects\DependencyCheck\dependency-check-core\target\test-classes\gcm-server-1.0.2.jar
MD5: 89CA4ABF365729306ED9AAF77DA69891
SHA1: FDE5261DF0B029DB4ABCB504E7FC882300285216
Description: Provides open-source implementations of Sun specifications.
License: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\Users\jeremy\Documents\NetBeansProjects\DependencyCheck\dependency-check-core\target\test-classes\geronimo-javamail_1.4_spec-1.2.jar
Severity:
High
CVSS Score: 7.8
CWE: CWE-20 Improper Input Validation
Apache Geronimo 2.2.1 and earlier computes hash values for form parameters without restricting the ability to trigger hash collisions predictably, which allows remote attackers to cause a denial of service (CPU consumption) by sending many crafted parameters. NOTE: this might overlap CVE-2011-4461.
Vulnerable Software & Versions:
Severity:
Low
CVSS Score: 2.1
CWE: CWE-59 Improper Link Resolution Before File Access ('Link Following')
The init script for Apache Geronimo on SUSE Linux follows symlinks when performing a chown operation, which might allow local users to obtain access to unspecified files or directories.
Vulnerable Software & Versions:
Description: Provides open-source implementations of Sun specifications.
License: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\Users\jeremy\Documents\NetBeansProjects\DependencyCheck\dependency-check-core\target\test-classes\geronimo-jms_1.1_spec-1.1.1.jar
Severity:
High
CVSS Score: 7.8
CWE: CWE-20 Improper Input Validation
Apache Geronimo 2.2.1 and earlier computes hash values for form parameters without restricting the ability to trigger hash collisions predictably, which allows remote attackers to cause a denial of service (CPU consumption) by sending many crafted parameters. NOTE: this might overlap CVE-2011-4461.
Vulnerable Software & Versions:
Severity:
Low
CVSS Score: 2.1
CWE: CWE-59 Improper Link Resolution Before File Access ('Link Following')
The init script for Apache Geronimo on SUSE Linux follows symlinks when performing a chown operation, which might allow local users to obtain access to unspecified files or directories.
Vulnerable Software & Versions:
Description: Implementation of Sun JSR-317 JPA 2.0 Spec API
License: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\Users\jeremy\Documents\NetBeansProjects\DependencyCheck\dependency-check-core\target\test-classes\geronimo-jpa_2.0_spec-1.1.jar
Severity:
High
CVSS Score: 7.8
CWE: CWE-20 Improper Input Validation
Apache Geronimo 2.2.1 and earlier computes hash values for form parameters without restricting the ability to trigger hash collisions predictably, which allows remote attackers to cause a denial of service (CPU consumption) by sending many crafted parameters. NOTE: this might overlap CVE-2011-4461.
Vulnerable Software & Versions:
Severity:
Low
CVSS Score: 2.1
CWE: CWE-59 Improper Link Resolution Before File Access ('Link Following')
The init script for Apache Geronimo on SUSE Linux follows symlinks when performing a chown operation, which might allow local users to obtain access to unspecified files or directories.
Vulnerable Software & Versions:
Description: Provides open-source implementations of Sun specifications.
License: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\Users\jeremy\Documents\NetBeansProjects\DependencyCheck\dependency-check-core\target\test-classes\geronimo-stax-api_1.0_spec-1.0.1.jar
Severity:
High
CVSS Score: 7.8
CWE: CWE-20 Improper Input Validation
Apache Geronimo 2.2.1 and earlier computes hash values for form parameters without restricting the ability to trigger hash collisions predictably, which allows remote attackers to cause a denial of service (CPU consumption) by sending many crafted parameters. NOTE: this might overlap CVE-2011-4461.
Vulnerable Software & Versions:
Severity:
Low
CVSS Score: 2.1
CWE: CWE-59 Improper Link Resolution Before File Access ('Link Following')
The init script for Apache Geronimo on SUSE Linux follows symlinks when performing a chown operation, which might allow local users to obtain access to unspecified files or directories.
Vulnerable Software & Versions:
Description: Guice is a lightweight dependency injection framework for Java 5 and above
License: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\Users\jeremy\Documents\NetBeansProjects\DependencyCheck\dependency-check-core\target\test-classes\guice-3.0.jar
Description: Hazelcast In-Memory DataGrid
License: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\Users\jeremy\Documents\NetBeansProjects\DependencyCheck\dependency-check-core\target\test-classes\hazelcast-2.5.jar
File Path: C:\Users\jeremy\Documents\NetBeansProjects\DependencyCheck\dependency-check-core\target\test-classes\hibernate3.jar
MD5: B22BBAFA38341DB968033F1ACBFA8DD9
SHA1: 826DA9FC452E7009116DFFC2D348BA705FE2AA82
Description:
HttpComponents Core (Java 1.3 compatible)
License: Apache License: ../LICENSE.txt
File Path: C:\Users\jeremy\Documents\NetBeansProjects\DependencyCheck\dependency-check-core\target\test-classes\httpcore-4.0-beta1.jar
Description:
HttpComponents Core (NIO extensions)
License: Apache License: ../LICENSE.txt
File Path: C:\Users\jeremy\Documents\NetBeansProjects\DependencyCheck\dependency-check-core\target\test-classes\httpcore-nio-4.0-beta1.jar
File Path: C:\Users\jeremy\Documents\NetBeansProjects\DependencyCheck\dependency-check-core\target\test-classes\javax.inject-1.jar
MD5: 289075E48B909E9E74E6C915B3631D2E
SHA1: 6975DA39A7040257BD51D21A231B76C915872D38
File Path: C:\Users\jeremy\Documents\NetBeansProjects\DependencyCheck\dependency-check-core\target\test-classes\jaxb-xercesImpl-1.5.jar
MD5: 8CD074364C830FC8FF40A8A19C0A74C8
SHA1: 73A51FAADB407DCCDBD77234E0D5A0A648665692
File Path: C:\Users\jeremy\Documents\NetBeansProjects\DependencyCheck\dependency-check-core\target\test-classes\jaxen-1.1.1.jar
MD5: 261D1AA59865842ECC32B3848B0C6538
SHA1: 9F5D3C5974DBE5CF69C2C2EC7D8A4EB6E0FCE7F9
File Path: C:\Users\jeremy\Documents\NetBeansProjects\DependencyCheck\dependency-check-core\target\test-classes\jetty-6.1.0.jar
MD5: 121A72B1DEA1A9ADF83079A44CA08E7B
SHA1: FB39EBC0CDCCEA6B54AD87D229A352A894EEBECC
Severity:
Medium
CVSS Score: 5.0
CWE: CWE-310 Cryptographic Issues
Jetty 8.1.0.RC2 and earlier computes hash values for form parameters without restricting the ability to trigger hash collisions predictably, which allows remote attackers to cause a denial of service (CPU consumption) by sending many crafted parameters.
Vulnerable Software & Versions:
Severity:
Medium
CVSS Score: 4.3
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Multiple cross-site scripting (XSS) vulnerabilities in the WebApp JSP Snoop page in Mort Bay Jetty 6.1.x through 6.1.21 allow remote attackers to inject arbitrary web script or HTML via the PATH_INFO to the default URI under (1) jspsnoop/, (2) jspsnoop/ERROR/, and (3) jspsnoop/IOException/, and possibly the PATH_INFO to (4) snoop.jsp.
Vulnerable Software & Versions:
Severity:
High
CVSS Score: 7.5
CWE: CWE-20 Improper Input Validation
Mort Bay Jetty 6.x and 7.0.0 writes backtrace data without sanitizing non-printable characters, which might allow remote attackers to modify a window's title, or possibly execute arbitrary commands or overwrite files, via an HTTP request containing an escape sequence for a terminal emulator, related to (1) a string value in the Age parameter to the default URI for the Cookie Dump Servlet in test-jetty-webapp/src/main/java/com/acme/CookieDump.java under cookie/, (2) an alphabetic value in the A parameter to jsp/expr.jsp, or (3) an alphabetic value in the Content-Length HTTP header to an arbitrary application.
Vulnerable Software & Versions:
Severity:
Medium
CVSS Score: 4.3
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Multiple cross-site scripting (XSS) vulnerabilities in Mort Bay Jetty 6.x and 7.0.0 allow remote attackers to inject arbitrary web script or HTML via (1) the query string to jsp/dump.jsp in the JSP Dump feature, or the (2) Name or (3) Value parameter to the default URI for the Session Dump Servlet under session/.
Vulnerable Software & Versions:
Severity:
Medium
CVSS Score: 5.0
CWE: CWE-200 Information Exposure
The Dump Servlet in Mort Bay Jetty 6.x and 7.0.0 allows remote attackers to obtain sensitive information about internal variables and other data via a request to a URI ending in /dump/, as demonstrated by discovering the value of the getPathTranslated variable.
Vulnerable Software & Versions:
Severity:
Medium
CVSS Score: 4.3
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Cross-site scripting (XSS) vulnerability in Mort Bay Jetty before 6.1.17 allows remote attackers to inject arbitrary web script or HTML via a directory listing request containing a ; (semicolon) character.
Vulnerable Software & Versions:
Severity:
Medium
CVSS Score: 5.0
CWE: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Directory traversal vulnerability in the HTTP server in Mort Bay Jetty 5.1.14, 6.x before 6.1.17, and 7.x through 7.0.0.M2 allows remote attackers to access arbitrary files via directory traversal sequences in the URI.
Vulnerable Software & Versions:
Severity:
Medium
CVSS Score: 5.0
CWE: CWE-94 Improper Control of Generation of Code ('Code Injection')
CRLF injection vulnerability in Mortbay Jetty before 6.1.6rc0 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via unspecified vectors.
Vulnerable Software & Versions:
Severity:
High
CVSS Score: 7.5
Mortbay Jetty before 6.1.6rc1 does not properly handle "certain quote sequences" in HTML cookie parameters, which allows remote attackers to hijack browser sessions via unspecified vectors.
Vulnerable Software & Versions:
Severity:
Medium
CVSS Score: 4.3
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Cross-site scripting (XSS) vulnerability in Dump Servlet in Mortbay Jetty before 6.1.6rc1 allows remote attackers to inject arbitrary web script or HTML via unspecified parameters and cookies.
Vulnerable Software & Versions:
Description: JRuby 1.6.3 OSGi bundle
File Path: C:\Users\jeremy\Documents\NetBeansProjects\DependencyCheck\dependency-check-core\target\test-classes\jruby-1.6.3.jar
MD5: E9218DFDE7EB6CF3DA6DB968A5397A1A
SHA1: 08499A7E4EC426F274ED81B47C35ECA8DB621E3E
Severity:
Medium
CVSS Score: 5.0
CWE: CWE-310 Cryptographic Issues
JRuby computes hash values without properly restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted input to an application that maintains a hash table, as demonstrated by a universal multicollision attack against the MurmurHash2 algorithm, a different vulnerability than CVE-2011-4838.
Vulnerable Software & Versions:
Severity:
High
CVSS Score: 7.8
CWE: CWE-20 Improper Input Validation
JRuby before 1.6.5.1 computes hash values without restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted input to an application that maintains a hash table.
Vulnerable Software & Versions:
File Path: C:\Users\jeremy\Documents\NetBeansProjects\DependencyCheck\dependency-check-core\target\test-classes\jruby-1.6.3.jar\jni\i386-Windows\jffi-1.0.dll
MD5: 570F7CE3EAE96B92EB4AAB891C076B50
SHA1: C35B34B1CF7A20C0478D34BCFBDE3D75905A8B19
File Path: C:\Users\jeremy\Documents\NetBeansProjects\DependencyCheck\dependency-check-core\target\test-classes\jruby-1.6.3.jar\jni\x86_64-Windows\jffi-1.0.dll
MD5: 63E4285E98616F329C88D741CA6F65E8
SHA1: 966259FEBD6C05D8287B7DD75BE57BFCD77FD400
File Path: C:\Users\jeremy\Documents\NetBeansProjects\DependencyCheck\dependency-check-core\target\test-classes\jruby-1.6.3.jar\jline\jline32.dll
MD5: B3D9A08FF70440BA3638A325512F2CD8
SHA1: 67A55D8F8CA4937D784D4334E554770ADC2A1079
File Path: C:\Users\jeremy\Documents\NetBeansProjects\DependencyCheck\dependency-check-core\target\test-classes\jruby-1.6.3.jar\jline\jline64.dll
MD5: D2F7B0DB1231AAC1846A857F5C0C4F2C
SHA1: E297E4E990CE820E64D41F3F27B9BE90283F3F96
Description: JRuby 1.7.4 OSGi bundle
File Path: C:\Users\jeremy\Documents\NetBeansProjects\DependencyCheck\dependency-check-core\target\test-classes\jruby-complete-1.7.4.jar
MD5: BE7116AD25E9535A09BBD1A49934AB30
SHA1: 74984D84846523BD7DA49064679ED1CCF199E1DB
Severity:
Medium
CVSS Score: 5.0
CWE: CWE-310 Cryptographic Issues
JRuby computes hash values without properly restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted input to an application that maintains a hash table, as demonstrated by a universal multicollision attack against the MurmurHash2 algorithm, a different vulnerability than CVE-2011-4838.
Vulnerable Software & Versions:
File Path: C:\Users\jeremy\Documents\NetBeansProjects\DependencyCheck\dependency-check-core\target\test-classes\jruby-complete-1.7.4.jar\META-INF\jruby.home\lib\ruby\shared\bcpkix-jdk15on-147.jar
MD5: A4316D3710840F4B7152B7AC1C904679
SHA1: CD204E6F26D2BBF65FF3A30DE8831D3A1344E851
File Path: C:\Users\jeremy\Documents\NetBeansProjects\DependencyCheck\dependency-check-core\target\test-classes\jruby-complete-1.7.4.jar\META-INF\jruby.home\lib\ruby\shared\bcprov-jdk15on-147.jar
MD5: 7749DD7ECA4403FB968DDC484263736A
SHA1: B6F5D9926B0AFBDE9F4DBE3DB88C5247BE7794BB
File Path: C:\Users\jeremy\Documents\NetBeansProjects\DependencyCheck\dependency-check-core\target\test-classes\jruby-complete-1.7.4.jar\META-INF\jruby.home\lib\ruby\1.9\json\ext\generator.jar
MD5: 071287692350840C3AF274E0E3DE1F6D
SHA1: DBF8269AAED5A870F6D4F52B210FA96F63C29D6C
File Path: C:\Users\jeremy\Documents\NetBeansProjects\DependencyCheck\dependency-check-core\target\test-classes\jruby-complete-1.7.4.jar\META-INF\native\windows64\jansi.dll
MD5: F4F883EAF7F7413A085D9868511AF8A9
SHA1: 5DA042BE27F3B6F0A8E6CFF07AD678C6975726A4
File Path: C:\Users\jeremy\Documents\NetBeansProjects\DependencyCheck\dependency-check-core\target\test-classes\jruby-complete-1.7.4.jar\META-INF\native\windows32\jansi.dll
MD5: 1F2E782F590FD99E3E8820565A5D5EFB
SHA1: DA125D2255050E13DB6A84325E40F5C20EAE81AF
File Path: C:\Users\jeremy\Documents\NetBeansProjects\DependencyCheck\dependency-check-core\target\test-classes\jruby-complete-1.7.4.jar\jni\i386-Windows\jffi-1.2.dll
MD5: 841E60814ED6B2971A47B267AEF1C58A
SHA1: 07D30C6407FEFAD8DF4B6AFC4D85F83E547975CA
File Path: C:\Users\jeremy\Documents\NetBeansProjects\DependencyCheck\dependency-check-core\target\test-classes\jruby-complete-1.7.4.jar\jni\x86_64-Windows\jffi-1.2.dll
MD5: 5D80B61C1F9E31860C17B3A410948E7E
SHA1: 5CA292116336EE4CEED00D10E756AFEA580E62CF
File Path: C:\Users\jeremy\Documents\NetBeansProjects\DependencyCheck\dependency-check-core\target\test-classes\jruby-complete-1.7.4.jar\META-INF\jruby.home\lib\ruby\shared\jopenssl.jar
MD5: AC1F8FCFE232A0FEB2DA920D64400EC0
SHA1: A49DDF324632E55A3E70CC9951948D6B415A9A97
Severity: Medium
CVSS Score: 4.3
CWE: CWE-310 Cryptographic Issues
The Montgomery ladder implementation in OpenSSL through 1.0.0l does not ensure that certain swap operations have a constant-time behavior, which makes it easier for local users to obtain ECDSA nonces via a FLUSH+RELOAD cache side-channel attack.
Vulnerable Software & Versions:
Severity: Medium
CVSS Score: 4.3
CWE: CWE-310 Cryptographic Issues
The ssl_get_algorithm2 function in ssl/s3_lib.c in OpenSSL before 1.0.2 obtains a certain version number from an incorrect data structure, which allows remote attackers to cause a denial of service (daemon crash) via crafted traffic from a TLS 1.2 client.
Vulnerable Software & Versions:
Severity: Low
CVSS Score: 2.6
CWE: CWE-310 Cryptographic Issues
The TLS protocol 1.1 and 1.2 and the DTLS protocol 1.0 and 1.2, as used in OpenSSL, OpenJDK, PolarSSL, and other products, do not properly consider timing side-channel attacks on a MAC check requirement during the processing of malformed CBC padding, which allows remote attackers to conduct distinguishing attacks and plaintext-recovery attacks via statistical analysis of timing data for crafted packets, aka the "Lucky Thirteen" issue.
Vulnerable Software & Versions:
Severity: Medium
CVSS Score: 6.8
CWE: CWE-189 Numeric Errors
Integer underflow in OpenSSL before 0.9.8x, 1.0.0 before 1.0.0j, and 1.0.1 before 1.0.1c, when TLS 1.1, TLS 1.2, or DTLS is used with CBC encryption, allows remote attackers to cause a denial of service (buffer over-read) or possibly have unspecified other impact via a crafted TLS packet that is not properly handled during a certain explicit IV calculation.
Vulnerable Software & Versions:
Severity: High
CVSS Score: 7.5
CWE: CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer
The asn1_d2i_read_bio function in crypto/asn1/a_d2i_fp.c in OpenSSL before 0.9.8v, 1.0.0 before 1.0.0i, and 1.0.1 before 1.0.1a does not properly interpret integer data, which allows remote attackers to conduct buffer overflow attacks, and cause a denial of service (memory corruption) or possibly have unspecified other impact, via crafted DER data, as demonstrated by an X.509 certificate or an RSA public key.
Vulnerable Software & Versions:
Severity: Medium
CVSS Score: 5.0
CWE: CWE-399 Resource Management Errors
The mime_param_cmp function in crypto/asn1/asn_mime.c in OpenSSL before 0.9.8u and 1.x before 1.0.0h allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted S/MIME message, a different vulnerability than CVE-2006-7250.
Vulnerable Software & Versions:
Severity: Medium
CVSS Score: 5.0
CWE: CWE-310 Cryptographic Issues
The implementation of Cryptographic Message Syntax (CMS) and PKCS #7 in OpenSSL before 0.9.8u and 1.x before 1.0.0h does not properly restrict certain oracle behavior, which makes it easier for context-dependent attackers to decrypt data via a Million Message Attack (MMA) adaptive chosen ciphertext attack.
Vulnerable Software & Versions:
Severity: Medium
CVSS Score: 5.0
CWE: CWE-399 Resource Management Errors
The GOST ENGINE in OpenSSL before 1.0.0f does not properly handle invalid parameters for the GOST block cipher, which allows remote attackers to cause a denial of service (daemon crash) via crafted data from a TLS client.
Vulnerable Software & Versions:
Severity: Medium
CVSS Score: 5.0
CWE: CWE-399 Resource Management Errors
The Server Gated Cryptography (SGC) implementation in OpenSSL before 0.9.8s and 1.x before 1.0.0f does not properly handle handshake restarts, which allows remote attackers to cause a denial of service (CPU consumption) via unspecified vectors.
Vulnerable Software & Versions:
Severity: Medium
CVSS Score: 4.3
CWE: CWE-399 Resource Management Errors
OpenSSL before 0.9.8s and 1.x before 1.0.0f, when RFC 3779 support is enabled, allows remote attackers to cause a denial of service (assertion failure) via an X.509 certificate containing certificate-extension data associated with (1) IP address blocks or (2) Autonomous System (AS) identifiers.
Vulnerable Software & Versions:
Severity: Medium
CVSS Score: 5.0
CWE: CWE-310 Cryptographic Issues
The SSL 3.0 implementation in OpenSSL before 0.9.8s and 1.x before 1.0.0f does not properly initialize data structures for block cipher padding, which might allow remote attackers to obtain sensitive information by decrypting the padding data sent by an SSL peer.
Vulnerable Software & Versions:
Severity: Medium
CVSS Score: 5.8
CWE: CWE-310 Cryptographic Issues
crypto/bn/bn_nist.c in OpenSSL before 0.9.8h on 32-bit platforms, as used in stunnel and other products, in certain circumstances involving ECDH or ECDHE cipher suites, uses an incorrect modular reduction algorithm in its implementation of the P-256 and P-384 NIST elliptic curves, which allows remote attackers to obtain the private key of a TLS server via multiple handshake attempts.
Vulnerable Software & Versions:
Severity: Medium
CVSS Score: 4.3
CWE: CWE-310 Cryptographic Issues
The DTLS implementation in OpenSSL before 0.9.8s and 1.x before 1.0.0f performs a MAC check only if certain padding is valid, which makes it easier for remote attackers to recover plaintext via a padding oracle attack.
Vulnerable Software & Versions:
Severity: Low
CVSS Score: 2.6
CWE: CWE-310 Cryptographic Issues
The elliptic curve cryptography (ECC) subsystem in OpenSSL 1.0.0d and earlier, when the Elliptic Curve Digital Signature Algorithm (ECDSA) is used for the ECDHE_ECDSA cipher suite, does not properly implement curves over binary fields, which makes it easier for context-dependent attackers to determine private keys via a timing attack and a lattice calculation.
Vulnerable Software & Versions:
Severity: Medium
CVSS Score: 5.0
CWE: CWE-264 Permissions, Privileges, and Access Controls
** DISPUTED ** OpenSSL before 0.9.8l, and 0.9.8m through 1.x, does not properly restrict client-initiated renegotiation within the SSL and TLS protocols, which might make it easier for remote attackers to cause a denial of service (CPU consumption) by performing many renegotiations within a single connection, a different vulnerability than CVE-2011-5094. NOTE: it can also be argued that it is the responsibility of server deployments, not a security library, to prevent or limit renegotiation when it is inappropriate within a specific environment.
Vulnerable Software & Versions:
Severity: Medium
CVSS Score: 4.0
CWE: CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
Race condition in the ssl3_read_bytes function in s3_pkt.c in OpenSSL through 1.0.1g, when SSL_MODE_RELEASE_BUFFERS is enabled, allows remote attackers to inject data across sessions or cause a denial of service (use-after-free and parsing error) via an SSL connection in a multithreaded environment.
Vulnerable Software & Versions:
Severity: High
CVSS Score: 7.5
CWE: CWE-287 Improper Authentication
OpenSSL before 1.0.0c, when J-PAKE is enabled, does not properly validate the public parameters in the J-PAKE protocol, which allows remote attackers to bypass the need for knowledge of the shared secret, and successfully authenticate, by sending crafted values in each round of the protocol.
Vulnerable Software & Versions:
Severity: Medium
CVSS Score: 4.3
OpenSSL before 0.9.8q, and 1.0.x before 1.0.0c, when SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG is enabled, does not properly prevent modification of the ciphersuite in the session cache, which allows remote attackers to force the downgrade to an unintended cipher via vectors involving sniffing network traffic to discover a session identifier.
Vulnerable Software & Versions:
Severity: High
CVSS Score: 7.5
CWE: CWE-310 Cryptographic Issues
The Cryptographic Message Syntax (CMS) implementation in crypto/cms/cms_asn1.c in OpenSSL before 0.9.8o and 1.x before 1.0.0a does not properly handle structures that contain OriginatorInfo, which allows context-dependent attackers to modify invalid memory locations or conduct double-free attacks, and possibly execute arbitrary code, via unspecified vectors.
Vulnerable Software & Versions:
Severity: Medium
CVSS Score: 4.3
CWE: CWE-20 Improper Input Validation
The kssl_keytab_is_available function in ssl/kssl.c in OpenSSL before 0.9.8n, when Kerberos is enabled but Kerberos configuration files cannot be opened, does not check a certain return value, which allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via SSL cipher negotiation, as demonstrated by a chroot installation of Dovecot or stunnel without Kerberos configuration files inside the chroot.
Vulnerable Software & Versions:
Severity: Medium
CVSS Score: 5.0
CWE: CWE-399 Resource Management Errors
Memory leak in the zlib_stateful_finish function in crypto/comp/c_zlib.c in OpenSSL 0.9.8l and earlier and 1.0.0 Beta through Beta 4 allows remote attackers to cause a denial of service (memory consumption) via vectors that trigger incorrect calls to the CRYPTO_cleanup_all_ex_data function, as demonstrated by use of SSLv3 and PHP with the Apache HTTP Server, a related issue to CVE-2008-1678.
Vulnerable Software & Versions:
Severity: Medium
CVSS Score: 5.8
CWE: CWE-310 Cryptographic Issues
The TLS protocol, and the SSL protocol 3.0 and possibly earlier, as used in Microsoft Internet Information Services (IIS) 7.0, mod_ssl in the Apache HTTP Server 2.2.14 and earlier, OpenSSL before 0.9.8l, GnuTLS 2.8.5 and earlier, Mozilla Network Security Services (NSS) 3.12.4 and earlier, multiple Cisco products, and other products, does not properly associate renegotiation handshakes with an existing connection, which allows man-in-the-middle attackers to insert data into HTTPS sessions, and possibly other types of sessions protected by TLS or SSL, by sending an unauthenticated request that is processed retroactively by a server in a post-renegotiation context, related to a "plaintext injection" attack, aka the "Project Mogul" issue.
Vulnerable Software & Versions:
Severity: High
CVSS Score: 10.0
CWE: CWE-20 Improper Input Validation
OpenSSL before 0.9.8m does not check for a NULL return value from bn_wexpand function calls in (1) crypto/bn/bn_div.c, (2) crypto/bn/bn_gf2m.c, (3) crypto/ec/ec2_smpl.c, and (4) engines/e_ubsec.c, which has unspecified impact and context-dependent attack vectors.
Vulnerable Software & Versions:
Severity: Medium
CVSS Score: 5.0
CWE: CWE-399 Resource Management Errors
The dtls1_retrieve_buffered_fragment function in ssl/d1_both.c in OpenSSL before 1.0.0 Beta 2 allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via an out-of-sequence DTLS handshake message, related to a "fragment bug."
Vulnerable Software & Versions:
Severity: Medium
CVSS Score: 5.0
CWE: CWE-399 Resource Management Errors
Multiple memory leaks in the dtls1_process_out_of_seq_message function in ssl/d1_both.c in OpenSSL 0.9.8k and earlier 0.9.8 versions allow remote attackers to cause a denial of service (memory consumption) via DTLS records that (1) are duplicates or (2) have sequence numbers much greater than current sequence numbers, aka "DTLS fragment handling memory leak."
Vulnerable Software & Versions:
Severity: Medium
CVSS Score: 5.0
CWE: CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer
The dtls1_buffer_record function in ssl/d1_pkt.c in OpenSSL 0.9.8k and earlier 0.9.8 versions allows remote attackers to cause a denial of service (memory consumption) via a large series of "future epoch" DTLS records that are buffered in a queue, aka "DTLS record buffer limitation bug."
Vulnerable Software & Versions:
Severity: Medium
CVSS Score: 5.0
CWE: CWE-189 Numeric Errors
OpenSSL before 0.9.8k on WIN64 and certain other platforms does not properly handle a malformed ASN.1 structure, which allows remote attackers to cause a denial of service (invalid memory access and application crash) by placing this structure in the public key of a certificate, as demonstrated by an RSA public key.
Vulnerable Software & Versions:
Severity: Medium
CVSS Score: 5.0
CWE: CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer
The ASN1_STRING_print_ex function in OpenSSL before 0.9.8k allows remote attackers to cause a denial of service (invalid memory access and application crash) via vectors that trigger printing of a (1) BMPString or (2) UniversalString with an invalid encoded length.
Vulnerable Software & Versions:
Severity: Medium
CVSS Score: 4.3
CWE: CWE-310 Cryptographic Issues
OpenSSL before 0.9.8j, when SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG is enabled, does not prevent modification of the ciphersuite in the session cache, which allows remote attackers to force the use of a disabled cipher via vectors involving sniffing network traffic to discover a session identifier, a different vulnerability than CVE-2010-4180.
Vulnerable Software & Versions:
Severity: Medium
CVSS Score: 5.8
CWE: CWE-20 Improper Input Validation
OpenSSL 0.9.8i and earlier does not properly check the return value from the EVP_VerifyFinal function, which allows remote attackers to bypass validation of the certificate chain via a malformed SSL/TLS signature for DSA and ECDSA keys.
Vulnerable Software & Versions:
Severity: Medium
CVSS Score: 4.9
Unspecified vulnerability in OpenSSL before A.00.09.07l on HP-UX B.11.11, B.11.23, and B.11.31 allows local users to cause a denial of service via unspecified vectors.
Vulnerable Software & Versions:
Severity: Low
CVSS Score: 1.2
The BN_from_montgomery function in crypto/bn/bn_mont.c in OpenSSL 0.9.8e and earlier does not properly perform Montgomery multiplication, which might allow local users to conduct a side-channel attack and retrieve RSA private keys.
Vulnerable Software & Versions:
Severity: Medium
CVSS Score: 5.0
The mime_hdr_cmp function in crypto/asn1/asn_mime.c in OpenSSL 0.9.8t and earlier allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted S/MIME message.
Vulnerable Software & Versions:
Severity: Medium
CVSS Score: 4.3
The get_server_hello function in the SSLv2 client code in OpenSSL 0.9.7 before 0.9.7l, 0.9.8 before 0.9.8d, and earlier versions allows remote servers to cause a denial of service (client crash) via unknown vectors that trigger a null pointer dereference.
Vulnerable Software & Versions:
Severity: Medium
CVSS Score: 4.3
CWE: CWE-310 Cryptographic Issues
OpenSSL before 0.9.7, 0.9.7 before 0.9.7k, and 0.9.8 before 0.9.8c, when using an RSA key with exponent 3, removes PKCS-1 padding before generating a hash, which allows remote attackers to forge a PKCS #1 v1.5 signature that is signed by that RSA key and prevents OpenSSL from correctly verifying X.509 and other certificates that use PKCS #1.
Vulnerable Software & Versions:
Severity: High
CVSS Score: 7.5
OpenSSL and SSLeay allow remote attackers to reuse SSL sessions and bypass access controls.
Vulnerable Software & Versions:
File Path: C:\Users\jeremy\Documents\NetBeansProjects\DependencyCheck\dependency-check-core\target\test-classes\jruby-complete-1.7.4.jar\META-INF\jruby.home\bin\jrubyw.exe
MD5: 7FAC7402FA849BEBB8ED0823F84C2177
SHA1: B752812D5570AC91FDFD85C548348D1AE1F6E1D4
File Path: C:\Users\jeremy\Documents\NetBeansProjects\DependencyCheck\dependency-check-core\target\test-classes\jruby-complete-1.7.4.jar\META-INF\jruby.home\lib\ruby\shared\kryptcore.jar
MD5: D824332166EEE8CC7D51E37CE21007BE
SHA1: 9CB457A24ABCF6451FB23F2F70603E0CED3E5592
File Path: C:\Users\jeremy\Documents\NetBeansProjects\DependencyCheck\dependency-check-core\target\test-classes\jruby-complete-1.7.4.jar\META-INF\jruby.home\lib\ruby\shared\kryptproviderjdk.jar
MD5: 282A7D8C57B3ECF27278C9489F4BE6D4
SHA1: 32B15C5BC9238035FC6E4F9CDEB1DA48E7268CCE
Description: JZlib is a re-implementation of zlib in pure Java
License:
Revised BSD: http://www.jcraft.com/jzlib/LICENSE.txt
File Path: C:\Users\jeremy\Documents\NetBeansProjects\DependencyCheck\dependency-check-core\target\test-classes\jruby-complete-1.7.4.jar\META-INF/maven/com.jcraft/jzlib/pom.xml
File Path: C:\Users\jeremy\Documents\NetBeansProjects\DependencyCheck\dependency-check-core\target\test-classes\jruby-complete-1.7.4.jar\META-INF\jruby.home\lib\ruby\1.9\json\ext\parser.jar
MD5: 60062E853BC5ED39D157B3754487AD78
SHA1: 9E20A79BADF407B5A3AA18B58FECCDFA5C0CC2AF
File Path: C:\Users\jeremy\Documents\NetBeansProjects\DependencyCheck\dependency-check-core\target\test-classes\json-simple-1.1.jar
MD5: EB342044FC56BE9BA49FBFC9789F1BB5
SHA1: 5E303A03D04E6788DDDFA3655272580AE0FC13BB
File Path: C:\Users\jeremy\Documents\NetBeansProjects\DependencyCheck\dependency-check-core\target\test-classes\jython-standalone-2.7-b1.jar
MD5: F67E0B6221E4BCEACF23B9F587877251
SHA1: 0BABA955380AFD3EE4617E286DEB4DDD7264C51C
File Path: C:\Users\jeremy\Documents\NetBeansProjects\DependencyCheck\dependency-check-core\target\test-classes\jython-standalone-2.7-b1.jar\Lib\distutils\command\wininst-6.0.exe
MD5: 7B112B1FB864C90EC5B65EAB21CB40B8
SHA1: E7B73361F722FC7CBB93EF98A8D26E34F4D49767
File Path: C:\Users\jeremy\Documents\NetBeansProjects\DependencyCheck\dependency-check-core\target\test-classes\jython-standalone-2.7-b1.jar\Lib\distutils\command\wininst-7.1.exe
MD5: AE6CE17005C63B7E9BF15A2A21ABB315
SHA1: 9B6BDFB9D648FA422F54EC07B8C8EA70389C09EB
File Path: C:\Users\jeremy\Documents\NetBeansProjects\DependencyCheck\dependency-check-core\target\test-classes\jython-standalone-2.7-b1.jar\Lib\distutils\command\wininst-8.0.exe
MD5: ED0FDE686788CAEC4F2CB1EC9C31680C
SHA1: 81AE63B87EAA9FA5637835D2122C50953AE19D34
File Path: C:\Users\jeremy\Documents\NetBeansProjects\DependencyCheck\dependency-check-core\target\test-classes\jython-standalone-2.7-b1.jar\Lib\distutils\command\wininst-9.0-amd64.exe
MD5: 5F1707646575D375C50155832477A437
SHA1: 9BCBA378189C2F1CB00F82C0539E0E9B8FF0B6C1
File Path: C:\Users\jeremy\Documents\NetBeansProjects\DependencyCheck\dependency-check-core\target\test-classes\jython-standalone-2.7-b1.jar\Lib\distutils\command\wininst-9.0.exe
MD5: 8AA98031128EF0C81D34207E3C60D003
SHA1: 182164292E382455F00349625DD5FD1E41DCC0C8
File Path: C:\Users\jeremy\Documents\NetBeansProjects\DependencyCheck\dependency-check-core\target\test-classes\log4net.2.0.3.nuspec
MD5: D95207BFD2539C046BA7271B695B08F7
SHA1: B82102A0767F56525926698FBBA4B7C47E96D4AB
File Path: C:\Users\jeremy\Documents\NetBeansProjects\DependencyCheck\dependency-check-core\target\test-classes\log4net.dll
MD5: E873F47FF9ED73A7ED7054AAF4E7601A
SHA1: 44D7EE86C72BE615DA883A24F0B54FD0725AD298
File Path: C:\Users\jeremy\Documents\NetBeansProjects\DependencyCheck\dependency-check-core\target\test-classes\mail-1.4.jar
MD5: 2E64A3805D543BDB86E6E5EECA5529F8
SHA1: 1AA1579AE5ECD41920C4F355B0A9EF40B68315DD
Severity: Medium
CVSS Score: 5.0
CWE: CWE-399 Resource Management Errors
** DISPUTED ** Javamail does not properly handle a series of invalid login attempts in which the same e-mail address is entered as username and password, and the domain portion of this address yields a Java UnknownHostException error, which allows remote attackers to cause a denial of service (connection pool exhaustion) via a large number of requests, resulting in a SQLNestedException. NOTE: Sun disputes this issue, stating "The report makes references to source code and files that do not exist in the mentioned products."
Vulnerable Software & Versions:
Description: The SCM API provides mechanisms to manage all SCM tools.
File Path: C:\Users\jeremy\Documents\NetBeansProjects\DependencyCheck\dependency-check-core\target\test-classes\maven-scm-api-1.8.1.jar
MD5: C409FC1A6C9BAF928CC37B2FFB852C83
SHA1: D72BCDC54A873E8BFBC53FDE6200E53911C3D9FE
Description: Common library for SCM CVS Provider.
File Path: C:\Users\jeremy\Documents\NetBeansProjects\DependencyCheck\dependency-check-core\target\test-classes\maven-scm-provider-cvs-commons-1.8.1.jar
MD5: 7D35F493A22226B821B5D5363E85765C
SHA1: 97411239D474ECAFCC2AB89FACAF2593EB0DE49B
Description: Executable implementation for SCM CVS Provider.
File Path: C:\Users\jeremy\Documents\NetBeansProjects\DependencyCheck\dependency-check-core\target\test-classes\maven-scm-provider-cvsexe-1.8.1.jar
MD5: 8900ABE1192B79B35AEDB0F683A8B412
SHA1: 5C7BF6D2C741885D2A6C17CB044FF8E2966F69CA
Description: Apache Neethi provides a general framework for programmers to use WS-Policy. It is compliant with the latest WS-Policy specification, which was published in March 2006. This framework is specifically written to enable the Apache Web services stack to use WS-Policy as a way of expressing its requirements and capabilities.
License:
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\Users\jeremy\Documents\NetBeansProjects\DependencyCheck\dependency-check-core\target\test-classes\neethi-2.0.4.jar
File Path: C:\Users\jeremy\Documents\NetBeansProjects\DependencyCheck\dependency-check-core\target\test-classes\ognl-2.6.11.jar
MD5: 1173EC5F8B1F6FB1473F4546D4B83BBA
SHA1: 0C3F31F4A65461C44E6697BF29070E638BEF09D8
Description: Apache OpenJPA implementation of JSR-317 JPA 2.0
License:
http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\Users\jeremy\Documents\NetBeansProjects\DependencyCheck\dependency-check-core\target\test-classes\openjpa-2.0.1.jar
Severity: High
CVSS Score: 7.5
CWE: CWE-264 Permissions, Privileges, and Access Controls
The BrokerFactory functionality in Apache OpenJPA 1.x before 1.2.3 and 2.x before 2.2.2 creates local executable JSP files containing logging trace data produced during deserialization of certain crafted OpenJPA objects, which makes it easier for remote attackers to execute arbitrary code by creating a serialized object and leveraging improperly secured server programs.
Vulnerable Software & Versions:
File Path: C:\Users\jeremy\Documents\NetBeansProjects\DependencyCheck\dependency-check-core\target\test-classes\org.mortbay.jetty.jar
MD5: 8ABFD9EF03680C5B9B418ABD918CE525
SHA1: 7B11E767B884D5B872310CE390219B59FFD64A1E
Severity: Medium
CVSS Score: 5.0
CWE: CWE-310 Cryptographic Issues
Jetty 8.1.0.RC2 and earlier computes hash values for form parameters without restricting the ability to trigger hash collisions predictably, which allows remote attackers to cause a denial of service (CPU consumption) by sending many crafted parameters.
Vulnerable Software & Versions:
Severity: Medium
CVSS Score: 4.3
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Cross-site scripting (XSS) vulnerability in Mort Bay Jetty before 6.1.17 allows remote attackers to inject arbitrary web script or HTML via a directory listing request containing a ; (semicolon) character.
Vulnerable Software & Versions:
Severity: Medium
CVSS Score: 5.0
CWE: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Directory traversal vulnerability in the HTTP server in Mort Bay Jetty 5.1.14, 6.x before 6.1.17, and 7.x through 7.0.0.M2 allows remote attackers to access arbitrary files via directory traversal sequences in the URI.
Vulnerable Software & Versions:
Severity: Medium
CVSS Score: 5.0
CWE: CWE-94 Improper Control of Generation of Code ('Code Injection')
CRLF injection vulnerability in Mortbay Jetty before 6.1.6rc0 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via unspecified vectors.
Vulnerable Software & Versions:
Severity: High
CVSS Score: 7.5
Mortbay Jetty before 6.1.6rc1 does not properly handle "certain quote sequences" in HTML cookie parameters, which allows remote attackers to hijack browser sessions via unspecified vectors.
Vulnerable Software & Versions:
Severity: Medium
CVSS Score: 4.3
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Cross-site scripting (XSS) vulnerability in Dump Servlet in Mortbay Jetty before 6.1.6rc1 allows remote attackers to inject arbitrary web script or HTML via unspecified parameters and cookies.
Vulnerable Software & Versions:
Severity: Medium
CVSS Score: 5.0
CWE: CWE-200 Information Exposure
Unspecified vulnerability in Jetty before 5.1.6 allows remote attackers to obtain source code of JSP pages, possibly involving requests for .jsp files with URL-encoded backslash ("%5C") characters. NOTE: this might be the same issue as CVE-2006-2758.
Vulnerable Software & Versions:
File Path: C:\Users\jeremy\Documents\NetBeansProjects\DependencyCheck\dependency-check-core\target\test-classes\org.mortbay.jmx.jar
MD5: 82D35B88A6CAECB9AD5CC8A0CA2C6C81
SHA1: 938031AFDF33D3C5FEE6077312FB44BE25A9725C
Description: A collection of various utility classes to ease working with strings, files, command lines, XML and more.
File Path: C:\Users\jeremy\Documents\NetBeansProjects\DependencyCheck\dependency-check-core\target\test-classes\plexus-utils-3.0.7.jar
MD5: C22B393490A46DA89D91DD6322446E40
SHA1: EB10E9CB2B2326FBF0CB68249B10A5C89E0642EF
File Path: C:\Users\jeremy\Documents\NetBeansProjects\DependencyCheck\dependency-check-core\target\test-classes\regexp-1.3.jar
MD5: 6DCDC325850E40B843CAC2A25FB2121E
SHA1: 973DF2B78B67BCD3144C3DBBB88DA691065A3F8D
Description: Serp is an open source framework for manipulating Java bytecode.
License:
BSD: LICENSE.txt
File Path: C:\Users\jeremy\Documents\NetBeansProjects\DependencyCheck\dependency-check-core\target\test-classes\serp-1.13.1.jar
File Path: C:\Users\jeremy\Documents\NetBeansProjects\DependencyCheck\dependency-check-core\target\test-classes\servlet-api-2.5.jar
MD5: 69CA51AF4E9A67A1027A7F95B52C3E8F
SHA1: 5959582D97D8B61F4D154CA9E495AAFD16726E34
Description: The slf4j API
File Path: C:\Users\jeremy\Documents\NetBeansProjects\DependencyCheck\dependency-check-core\target\test-classes\slf4j-api-1.5.11.jar
MD5: 30CB7BEE9B52FCB5F5B03D2A006E26E8
SHA1: D6A855B608971025B4FBB0970F829391CC6F727A
Description: Spring Framework
File Path: C:\Users\jeremy\Documents\NetBeansProjects\DependencyCheck\dependency-check-core\target\test-classes\spring-core-2.5.5.jar
MD5: 05432EF3BF4EFA1394B127563CB1DD8C
SHA1: 1B3B0FAD8E30EBB9560A81989F5B5BFB28915109
Severity: Medium
CVSS Score: 4.3
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Cross-site scripting (XSS) vulnerability in web/servlet/tags/form/FormTag.java in Spring MVC in Spring Framework 3.0.0 before 3.2.8 and 4.0.0 before 4.0.2 allows remote attackers to inject arbitrary web script or HTML via the requested URI in a default action.
Vulnerable Software & Versions:
Severity: Medium
CVSS Score: 6.8
CWE: CWE-352
The Jaxb2RootElementHttpMessageConverter in Spring MVC in Spring Framework before 3.2.8 and 4.0.0 before 4.0.2 does not disable external entity resolution, which allows remote attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML, aka an XML External Entity (XXE) issue. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-4152, CVE-2013-7315, and CVE-2013-6429.
Vulnerable Software & Versions:
Severity: Medium
CVSS Score: 6.8
CWE: CWE-264 Permissions, Privileges, and Access Controls
The Spring MVC in Spring Framework before 3.2.4 and 4.0.0.M1 through 4.0.0.M2 does not disable external entity resolution for the StAX XMLInputFactory, which allows context-dependent attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML with JAXB, aka an XML External Entity (XXE) issue, and a different vulnerability than CVE-2013-4152. NOTE: this issue was SPLIT from CVE-2013-4152 due to different affected versions.
Vulnerable Software & Versions:
Severity: Medium
CVSS Score: 6.8
CWE: CWE-264 Permissions, Privileges, and Access Controls
The SourceHttpMessageConverter in Spring MVC in Spring Framework before 3.2.5 and 4.0.0.M1 through 4.0.0.RC1 does not disable external entity resolution, which allows remote attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML, aka an XML External Entity (XXE) issue, and a different vulnerability than CVE-2013-4152 and CVE-2013-7315.
Vulnerable Software & Versions:
Severity: Medium
CVSS Score: 6.8
CWE: CWE-264 Permissions, Privileges, and Access Controls
The Spring OXM wrapper in Spring Framework before 3.2.4 and 4.0.0.M1, when using the JAXB marshaller, does not disable entity resolution, which allows context-dependent attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via an XML external entity declaration in conjunction with an entity reference in a (1) DOMSource, (2) StAXSource, (3) SAXSource, or (4) StreamSource, aka an XML External Entity (XXE) issue.
Vulnerable Software & Versions:
Severity: High
CVSS Score: 7.5
CWE: CWE-16 Configuration
VMware SpringSource Spring Framework before 2.5.6.SEC03, 2.5.7.SR023, and 3.x before 3.0.6, when a container supports Expression Language (EL), evaluates EL expressions in tags twice, which allows remote attackers to obtain sensitive information via a (1) name attribute in a (a) spring:hasBindErrors tag; (2) path attribute in a (b) spring:bind or (c) spring:nestedpath tag; (3) arguments, (4) code, (5) text, (6) var, (7) scope, or (8) message attribute in a (d) spring:message or (e) spring:theme tag; or (9) var, (10) scope, or (11) value attribute in a (f) spring:transform tag, aka "Expression Language Injection."
Vulnerable Software & Versions:
Severity: Medium
CVSS Score: 5.1
CWE: CWE-94 Improper Control of Generation of Code ('Code Injection')
SpringSource Spring Framework 2.5.x before 2.5.6.SEC02, 2.5.7 before 2.5.7.SR01, and 3.0.x before 3.0.3 allows remote attackers to execute arbitrary code via an HTTP request containing class.classLoader.URLs[0]=jar: followed by a URL of a crafted .jar file.
Vulnerable Software & Versions:
File Path: C:\Users\jeremy\Documents\NetBeansProjects\DependencyCheck\dependency-check-core\target\test-classes\spring-core-3.0.0.RELEASE.jar
MD5: 2D52A505F093291E4A2C7E1A28F34557
SHA1: 4F268922155FF53FB7B28AECA24FB28D5A439D95
Severity: Medium
CVSS Score: 4.3
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Cross-site scripting (XSS) vulnerability in web/servlet/tags/form/FormTag.java in Spring MVC in Spring Framework 3.0.0 before 3.2.8 and 4.0.0 before 4.0.2 allows remote attackers to inject arbitrary web script or HTML via the requested URI in a default action.
Vulnerable Software & Versions:
Severity:
Medium
CVSS Score: 6.8
CWE: CWE-352
The Jaxb2RootElementHttpMessageConverter in Spring MVC in Spring Framework before 3.2.8 and 4.0.0 before 4.0.2 does not disable external entity resolution, which allows remote attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML, aka an XML External Entity (XXE) issue. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-4152, CVE-2013-7315, and CVE-2013-6429.
Vulnerable Software & Versions:
Severity:
Medium
CVSS Score: 6.8
CWE: CWE-264 Permissions, Privileges, and Access Controls
The Spring MVC in Spring Framework before 3.2.4 and 4.0.0.M1 through 4.0.0.M2 does not disable external entity resolution for the StAX XMLInputFactory, which allows context-dependent attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML with JAXB, aka an XML External Entity (XXE) issue, and a different vulnerability than CVE-2013-4152. NOTE: this issue was SPLIT from CVE-2013-4152 due to different affected versions.
Vulnerable Software & Versions:
Severity:
Medium
CVSS Score: 6.8
CWE: CWE-264 Permissions, Privileges, and Access Controls
The SourceHttpMessageConverter in Spring MVC in Spring Framework before 3.2.5 and 4.0.0.M1 through 4.0.0.RC1 does not disable external entity resolution, which allows remote attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML, aka an XML External Entity (XXE) issue, and a different vulnerability than CVE-2013-4152 and CVE-2013-7315.
Vulnerable Software & Versions:
Severity:
Medium
CVSS Score: 6.8
CWE: CWE-264 Permissions, Privileges, and Access Controls
The Spring OXM wrapper in Spring Framework before 3.2.4 and 4.0.0.M1, when using the JAXB marshaller, does not disable entity resolution, which allows context-dependent attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via an XML external entity declaration in conjunction with an entity reference in a (1) DOMSource, (2) StAXSource, (3) SAXSource, or (4) StreamSource, aka an XML External Entity (XXE) issue.
Vulnerable Software & Versions:
Severity:
Medium
CVSS Score: 6.8
CWE: CWE-264 Permissions, Privileges, and Access Controls
Spring Framework 3.0.0 through 3.0.5, Spring Security 3.0.0 through 3.0.5 and 2.0.0 through 2.0.6, and possibly other versions deserialize objects from untrusted sources, which allows remote attackers to bypass intended security restrictions and execute untrusted code by (1) serializing a java.lang.Proxy instance and using InvocationHandler, or (2) accessing internal AOP interfaces, as demonstrated using deserialization of a DefaultListableBeanFactory instance to execute arbitrary commands via the java.lang.Runtime class.
Vulnerable Software & Versions:
Severity:
High
CVSS Score: 7.5
CWE: CWE-16 Configuration
VMware SpringSource Spring Framework before 2.5.6.SEC03, 2.5.7.SR023, and 3.x before 3.0.6, when a container supports Expression Language (EL), evaluates EL expressions in tags twice, which allows remote attackers to obtain sensitive information via a (1) name attribute in a (a) spring:hasBindErrors tag; (2) path attribute in a (b) spring:bind or (c) spring:nestedpath tag; (3) arguments, (4) code, (5) text, (6) var, (7) scope, or (8) message attribute in a (d) spring:message or (e) spring:theme tag; or (9) var, (10) scope, or (11) value attribute in a (f) spring:transform tag, aka "Expression Language Injection."
Vulnerable Software & Versions:
Severity:
Medium
CVSS Score: 5.1
CWE: CWE-94 Improper Control of Generation of Code ('Code Injection')
SpringSource Spring Framework 2.5.x before 2.5.6.SEC02, 2.5.7 before 2.5.7.SR01, and 3.0.x before 3.0.3 allows remote attackers to execute arbitrary code via an HTTP request containing class.classLoader.URLs[0]=jar: followed by a URL of a crafted .jar file.
Vulnerable Software & Versions:
File Path: C:\Users\jeremy\Documents\NetBeansProjects\DependencyCheck\dependency-check-core\target\test-classes\stagedhttp-modified.tar\WEB-INF\lib\commons-httpclient-2.0.jar
MD5: E0C0C1F887A8B1025A8BED9BFF6AB771
SHA1: 19F1CB5FFD50C37B7EE43B8BC7A185B421EA3E9C
File Path: C:\Users\jeremy\Documents\NetBeansProjects\DependencyCheck\dependency-check-core\target\test-classes\stagedhttp-modified.tar\WEB-INF\lib\commons-logging.jar
MD5: 5BC8BDD15B18018E84FD862993AACA42
SHA1: 760C711C71588BC273D3E56D196D720A7678CD93
File Path: C:\Users\jeremy\Documents\NetBeansProjects\DependencyCheck\dependency-check-core\target\test-classes\stagedhttp-modified.tar\WEB-INF\lib\dom4j.jar
MD5: 85E3E7DFD9D039DA0B8EA0A46129323F
SHA1: 8DECB7E2C04C9340375AAF7DD43A7A6A9B9A46B1
File Path: C:\Users\jeremy\Documents\NetBeansProjects\DependencyCheck\dependency-check-core\target\test-classes\stagedhttp-modified.tar\WEB-INF\lib\jgroups-all.jar
MD5: 06B44A40F4215AF9A534ACE65C51A2CA
SHA1: 15201A98948972D4E890A1D9BD6B728B917EF21C
File Path: C:\Users\jeremy\Documents\NetBeansProjects\DependencyCheck\dependency-check-core\target\test-classes\stagedhttp-modified.tar\WEB-INF\lib\log4j.jar
MD5: 91E6A0CD2788D69808C05FAE11D69679
SHA1: C28B336AA1547A885DDEF944AF6BFB7BFF25ABF0
File Path: C:\Users\jeremy\Documents\NetBeansProjects\DependencyCheck\dependency-check-core\target\test-classes\stagedhttp-modified.tar\WEB-INF\lib\mail.jar
MD5: 3AD3CDE613B7E9700FED08D979BCCCC7
SHA1: 6D16579C99EA9FD5CA5FD2DBE45A5144C2873681
Severity:
Medium
CVSS Score: 5.0
CWE: CWE-399 Resource Management Errors
** DISPUTED ** Javamail does not properly handle a series of invalid login attempts in which the same e-mail address is entered as username and password, and the domain portion of this address yields a Java UnknownHostException error, which allows remote attackers to cause a denial of service (connection pool exhaustion) via a large number of requests, resulting in a SQLNestedException. NOTE: Sun disputes this issue, stating "The report makes references to source code and files that do not exist in the mentioned products."
Vulnerable Software & Versions:
Severity:
Medium
CVSS Score: 5.0
CWE: CWE-200 Information Exposure
** DISPUTED ** JavaMail API 1.1.3 through 1.3, as used by Apache Tomcat 5.0.16, allows remote attackers to read arbitrary files via a full pathname in the argument to the Download parameter. NOTE: Sun and Apache dispute this issue. Sun states: "The report makes references to source code and files that do not exist in the mentioned products."
Vulnerable Software & Versions:
Severity:
Medium
CVSS Score: 5.0
Directory traversal vulnerability in the MimeBodyPart.getFileName method in JavaMail 1.3.2 allows remote attackers to write arbitrary files via a .. (dot dot) in the filename in the Content-Disposition header.
Vulnerable Software & Versions:
File Path: C:\Users\jeremy\Documents\NetBeansProjects\DependencyCheck\dependency-check-core\target\test-classes\stagedhttp-modified.tar\WEB-INF\lib\serializer.jar
MD5: 35AA6A56662458D9DC28A9B628F84847
SHA1: 85DDD38E4CDBC22FB6C518F3D35744336DA6FBFD
File Path: C:\Users\jeremy\Documents\NetBeansProjects\DependencyCheck\dependency-check-core\target\test-classes\stagedhttp-modified.tar\WEB-INF\lib\xalan.jar
MD5: 126C0C876A6B9726CFDD43F052923660
SHA1: 10F170DA8DFBCDCC4098131BA773710F0BA7AEF1
File Path: C:\Users\jeremy\Documents\NetBeansProjects\DependencyCheck\dependency-check-core\target\test-classes\stagedhttp-modified.tar\WEB-INF\lib\xmlsec-1.3.0.jar
MD5: ED82E8662F1823E70BA8F468F57EB11B
SHA1: 59C4B71E0A5871F26DB91EAAB236E5B9BF41122E
File Path: C:\Users\jeremy\Documents\NetBeansProjects\DependencyCheck\dependency-check-core\target\test-classes\stagedhttp-modified.tar\WEB-INF\lib\xss4j.jar
MD5: 3572AC321C3A854EC49D8594A17E3699
SHA1: D0F4126B39370C3FAD93163CA17FD3CAA3D29E97
File Path: C:\Users\jeremy\Documents\NetBeansProjects\DependencyCheck\dependency-check-core\target\test-classes\struts.jar
MD5: AA4AE098EC87FBCD6591402E5CBD781A
SHA1: F69E6119EB01F9AD064BD358ED0315618FB1CB5C
Severity:
High
CVSS Score: 7.5
CWE: CWE-20 Improper Input Validation
The ActionForm object in Apache Struts 1.x through 1.3.10 allows remote attackers to "manipulate" the ClassLoader and execute arbitrary code via the class parameter, which is passed to the getClass method.
Vulnerable Software & Versions:
Severity:
Medium
CVSS Score: 5.0
CWE: CWE-20 Improper Input Validation
ParametersInterceptor in OpenSymphony XWork 2.0.x before 2.0.6 and 2.1.x before 2.1.2, as used in Apache Struts and other products, does not properly restrict # (pound sign) references to context objects, which allows remote attackers to execute Object-Graph Navigation Language (OGNL) statements and modify server-side context objects, as demonstrated by use of a \u0023 representation for the # character.
Vulnerable Software & Versions:
Severity:
Medium
CVSS Score: 4.3
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Cross-site scripting (XSS) vulnerability in Apache Struts before 1.2.9-162.31.1 on SUSE Linux Enterprise (SLE) 11, before 1.2.9-108.2 on SUSE openSUSE 10.3, before 1.2.9-198.2 on SUSE openSUSE 11.0, and before 1.2.9-162.163.2 on SUSE openSUSE 11.1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors related to "insufficient quoting of parameters."
Vulnerable Software & Versions:
Severity:
Medium
CVSS Score: 4.3
Cross-site scripting (XSS) vulnerability in (1) LookupDispatchAction and possibly (2) DispatchAction and (3) ActionDispatcher in Apache Software Foundation (ASF) Struts before 1.2.9 allows remote attackers to inject arbitrary web script or HTML via the parameter name, which is not filtered in the resulting error message.
Vulnerable Software & Versions:
Severity:
High
CVSS Score: 7.8
ActionForm in Apache Software Foundation (ASF) Struts before 1.2.9 with BeanUtils 1.7 allows remote attackers to cause a denial of service via a multipart/form-data encoded form with a parameter name that references the public getMultipartRequestHandler method, which provides further access to elements in the CommonsMultipartRequestHandler implementation and BeanUtils.
Vulnerable Software & Versions:
Severity:
High
CVSS Score: 7.5
Apache Software Foundation (ASF) Struts before 1.2.9 allows remote attackers to bypass validation via a request with a 'org.apache.struts.taglib.html.Constants.CANCEL' parameter, which causes the action to be canceled but would not be detected from applications that do not use the isCancelled check.
Vulnerable Software & Versions:
Severity:
Medium
CVSS Score: 4.3
Cross-site scripting (XSS) vulnerability in Apache Struts 1.2.7, and possibly other versions allows remote attackers to inject arbitrary web script or HTML via the query string, which is not properly quoted or filtered when the request handler generates an error message.
Vulnerable Software & Versions:
Description: Apache Struts 2
License:
http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\Users\jeremy\Documents\NetBeansProjects\DependencyCheck\dependency-check-core\target\test-classes\struts2-core-2.1.2.jar
Severity:
Medium
CVSS Score: 5.8
CWE: CWE-264 Permissions, Privileges, and Access Controls
CookieInterceptor in Apache Struts 2.x before 2.3.16.3, when a wildcard cookiesName value is used, does not properly restrict access to the getClass method, which allows remote attackers to "manipulate" the ClassLoader and modify session state via a crafted request. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-0113.
Vulnerable Software & Versions:
Severity:
High
CVSS Score: 7.5
CWE: CWE-264 Permissions, Privileges, and Access Controls
CookieInterceptor in Apache Struts before 2.3.16.2, when a wildcard cookiesName value is used, does not properly restrict access to the getClass method, which allows remote attackers to "manipulate" the ClassLoader and execute arbitrary code via a crafted request. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-0094.
Vulnerable Software & Versions:
Severity:
High
CVSS Score: 7.5
CWE: CWE-264 Permissions, Privileges, and Access Controls
ParametersInterceptor in Apache Struts before 2.3.16.2 does not properly restrict access to the getClass method, which allows remote attackers to "manipulate" the ClassLoader and execute arbitrary code via a crafted request. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-0094.
Vulnerable Software & Versions:
Severity:
Medium
CVSS Score: 5.0
The ParametersInterceptor in Apache Struts before 2.3.16.1 allows remote attackers to "manipulate" the ClassLoader via the class parameter, which is passed to the getClass method.
Vulnerable Software & Versions:
Severity:
High
CVSS Score: 10.0
CWE: CWE-16 Configuration
Apache Struts 2.0.0 through 2.3.15.1 enables Dynamic Method Invocation by default, which has unknown impact and attack vectors.
Vulnerable Software & Versions:
Severity:
Medium
CVSS Score: 5.8
CWE: CWE-264 Permissions, Privileges, and Access Controls
Apache Struts 2.0.0 through 2.3.15.1 allows remote attackers to bypass access controls via a crafted action: prefix.
Vulnerable Software & Versions:
Severity:
High
CVSS Score: 9.3
CWE: CWE-20 Improper Input Validation
Apache Struts 2.0.0 through 2.3.15 allows remote attackers to execute arbitrary OGNL expressions via a parameter with a crafted (1) action:, (2) redirect:, or (3) redirectAction: prefix.
Vulnerable Software & Versions:
Severity:
Medium
CVSS Score: 5.8
CWE: CWE-20 Improper Input Validation
Multiple open redirect vulnerabilities in Apache Struts 2.0.0 through 2.3.15 allow remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in a parameter using the (1) redirect: or (2) redirectAction: prefix.
Vulnerable Software & Versions:
Severity:
High
CVSS Score: 9.3
CWE: CWE-94 Improper Control of Generation of Code ('Code Injection')
Apache Struts 2 before 2.3.14.3 allows remote attackers to execute arbitrary OGNL code via a request with a crafted value that contains both "${}" and "%{}" sequences, which causes the OGNL code to be evaluated twice.
Vulnerable Software & Versions:
Severity:
High
CVSS Score: 9.3
CWE: CWE-94 Improper Control of Generation of Code ('Code Injection')
Apache Struts 2 before 2.3.14.3 allows remote attackers to execute arbitrary OGNL code via a request with a crafted action name that is not properly handled during wildcard matching, a different vulnerability than CVE-2013-2135.
Vulnerable Software & Versions:
Severity:
High
CVSS Score: 9.3
CWE: CWE-94 Improper Control of Generation of Code ('Code Injection')
Apache Struts 2 before 2.3.14.2 allows remote attackers to execute arbitrary OGNL code via a crafted request that is not properly handled when using the includeParams attribute in the (1) URL or (2) A tag. NOTE: this issue is due to an incomplete fix for CVE-2013-1966.
Vulnerable Software & Versions:
Severity:
High
CVSS Score: 9.3
CWE: CWE-94 Improper Control of Generation of Code ('Code Injection')
Apache Struts 2 before 2.3.14.1 allows remote attackers to execute arbitrary OGNL code via a crafted request that is not properly handled when using the includeParams attribute in the (1) URL or (2) A tag.
Vulnerable Software & Versions:
Severity:
High
CVSS Score: 9.3
CWE: CWE-94 Improper Control of Generation of Code ('Code Injection')
Apache Struts Showcase App 2.0.0 through 2.3.13, as used in Struts 2 before 2.3.14.1, allows remote attackers to execute arbitrary OGNL code via a crafted parameter name that is not properly handled when invoking a redirect.
Vulnerable Software & Versions:
Severity:
Medium
CVSS Score: 5.0
CWE: CWE-264 Permissions, Privileges, and Access Controls
Apache Struts 2.0.0 through 2.3.4 allows remote attackers to cause a denial of service (CPU consumption) via a long parameter name, which is processed as an OGNL expression.
Vulnerable Software & Versions:
Severity:
Medium
CVSS Score: 6.8
CWE: CWE-352
The token check mechanism in Apache Struts 2.0.0 through 2.3.4 does not properly validate the token name configuration parameter, which allows remote attackers to perform cross-site request forgery (CSRF) attacks by setting the token name configuration parameter to a session attribute.
Vulnerable Software & Versions:
Severity:
High
CVSS Score: 10.0
CWE: CWE-20 Improper Input Validation
Apache Struts 2 before 2.2.3.1 evaluates a string as an OGNL expression during the handling of a conversion error, which allows remote attackers to modify run-time data values, and consequently execute arbitrary code, via invalid input to a field.
Vulnerable Software & Versions:
Severity:
Medium
CVSS Score: 6.8
CWE: CWE-94 Improper Control of Generation of Code ('Code Injection')
** DISPUTED ** The DebuggingInterceptor component in Apache Struts before 2.3.1.1, when developer mode is used, allows remote attackers to execute arbitrary commands via unspecified vectors. NOTE: the vendor characterizes this behavior as not "a security vulnerability itself."
Vulnerable Software & Versions:
Severity:
Medium
CVSS Score: 6.4
CWE: CWE-264 Permissions, Privileges, and Access Controls
The ParameterInterceptor component in Apache Struts before 2.3.1.1 does not prevent access to public constructors, which allows remote attackers to create or overwrite arbitrary files via a crafted parameter that triggers the creation of a Java object.
Vulnerable Software & Versions:
Severity:
High
CVSS Score: 9.3
CWE: CWE-264 Permissions, Privileges, and Access Controls
The CookieInterceptor component in Apache Struts before 2.3.1.1 does not use the parameter-name whitelist, which allows remote attackers to execute arbitrary commands via a crafted HTTP Cookie header that triggers Java code execution through a static method.
Vulnerable Software & Versions:
Severity:
High
CVSS Score: 9.3
CWE: CWE-20 Improper Input Validation
The ExceptionDelegator component in Apache Struts before 2.2.3.1 interprets parameter values as OGNL expressions during certain exception handling for mismatched data types of properties, which allows remote attackers to execute arbitrary Java code via a crafted parameter.
Vulnerable Software & Versions:
Severity:
Medium
CVSS Score: 5.0
CWE: CWE-264 Permissions, Privileges, and Access Controls
Apache Struts 2.3.1.1 and earlier provides interfaces that do not properly restrict access to collections such as the session and request collections, which might allow remote attackers to modify run-time data values via a crafted parameter to an application that implements an affected interface, as demonstrated by the SessionAware, RequestAware, ApplicationAware, ServletRequestAware, ServletResponseAware, and ParameterAware interfaces. NOTE: the vendor disputes the significance of this report because of an "easy work-around in existing apps by configuring the interceptor."
Vulnerable Software & Versions:
Severity:
Medium
CVSS Score: 4.3
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Multiple cross-site scripting (XSS) vulnerabilities in component handlers in the javatemplates (aka Java Templates) plugin in Apache Struts 2.x before 2.2.3 allow remote attackers to inject arbitrary web script or HTML via an arbitrary parameter value to a .action URI, related to improper handling of value attributes in (1) FileHandler.java, (2) HiddenHandler.java, (3) PasswordHandler.java, (4) RadioHandler.java, (5) ResetHandler.java, (6) SelectHandler.java, (7) SubmitHandler.java, and (8) TextFieldHandler.java.
Vulnerable Software & Versions:
Severity:
Low
CVSS Score: 2.6
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Multiple cross-site scripting (XSS) vulnerabilities in XWork in Apache Struts 2.x before 2.2.3, and OpenSymphony XWork in OpenSymphony WebWork, allow remote attackers to inject arbitrary web script or HTML via vectors involving (1) an action name, (2) the action attribute of an s:submit element, or (3) the method attribute of an s:submit element.
Vulnerable Software & Versions:
Severity:
Medium
CVSS Score: 5.0
The OGNL extensive expression evaluation capability in XWork in Struts 2.0.0 through 2.1.8.1, as used in Atlassian Fisheye, Crucible, and possibly other products, uses a permissive whitelist, which allows remote attackers to modify server-side context objects and bypass the "#" protection mechanism in ParameterInterceptors via the (1) #context, (2) #_memberAccess, (3) #root, (4) #this, (5) #_typeResolver, (6) #_classResolver, (7) #_traceEvaluations, (8) #_lastEvaluation, (9) #_keepLastEvaluation, and possibly other OGNL context variables, a different vulnerability than CVE-2008-6504.
Vulnerable Software & Versions:
Severity:
Medium
CVSS Score: 5.0
CWE: CWE-20 Improper Input Validation
ParametersInterceptor in OpenSymphony XWork 2.0.x before 2.0.6 and 2.1.x before 2.1.2, as used in Apache Struts and other products, does not properly restrict # (pound sign) references to context objects, which allows remote attackers to execute Object-Graph Navigation Language (OGNL) statements and modify server-side context objects, as demonstrated by use of a \u0023 representation for the # character.
Vulnerable Software & Versions:
File Path: C:\Users\jeremy\Documents\NetBeansProjects\DependencyCheck\dependency-check-core\target\test-classes\uber-1.0-SNAPSHOT.jar
MD5: 634D5CC32238FC3D023941D265189DDD
SHA1: E9A3159254A01777F536D556BCDB539C7617B0E5
File Path: C:\Users\jeremy\Documents\NetBeansProjects\DependencyCheck\dependency-check-core\target\test-classes\uber-1.0-SNAPSHOT.jar\META-INF/maven/com.yammer.metrics/metrics-jetty/pom.xml
MD5: 994485BF6DB4621A698290E213F0838E
SHA1: 3D4C7EE060F83CA829EE3EF22900E3AF49579F53
Description: Asynchronous API
File Path: C:\Users\jeremy\Documents\NetBeansProjects\DependencyCheck\dependency-check-core\target\test-classes\uber-1.0-SNAPSHOT.jar\META-INF/maven/org.eclipse.jetty/jetty-continuation/pom.xml
MD5: 74919244C9CA106D221F23A832E1076D
SHA1: B59985A1BA1B93FBBD5D90B6FF5ED9F44CC91AC7
File Path: C:\Users\jeremy\Documents\NetBeansProjects\DependencyCheck\dependency-check-core\target\test-classes\uber-1.0-SNAPSHOT.jar\META-INF/maven/org.eclipse.jetty/jetty-http/pom.xml
MD5: F1B6DB43B8A499E66DDF58C8165714A5
SHA1: 885E6E766EC3452C085324A9759DE5AD8A1C8971
File Path: C:\Users\jeremy\Documents\NetBeansProjects\DependencyCheck\dependency-check-core\target\test-classes\uber-1.0-SNAPSHOT.jar\META-INF/maven/org.eclipse.jetty/jetty-io/pom.xml
MD5: 941C55F8AC0D6C14971D20BE7B60EC19
SHA1: F8F0907153F891113BDEE011063E540D7D57A496
Description: Jetty security infrastructure
File Path: C:\Users\jeremy\Documents\NetBeansProjects\DependencyCheck\dependency-check-core\target\test-classes\uber-1.0-SNAPSHOT.jar\META-INF/maven/org.eclipse.jetty/jetty-security/pom.xml
MD5: 266A3467A1D03BCE12E34FDA16DFA615
SHA1: 53B54057B58AE7D3C4C12B520B048889A2C28AD8
Description: The core jetty server artifact.
File Path: C:\Users\jeremy\Documents\NetBeansProjects\DependencyCheck\dependency-check-core\target\test-classes\uber-1.0-SNAPSHOT.jar\META-INF/maven/org.eclipse.jetty/jetty-server/pom.xml
MD5: 55A7034666834BE8A62B8DB044AC8D70
SHA1: A9AE16CB473F1797940DD58ED3D5541C88B34396
Description: Jetty Servlet Container
File Path: C:\Users\jeremy\Documents\NetBeansProjects\DependencyCheck\dependency-check-core\target\test-classes\uber-1.0-SNAPSHOT.jar\META-INF/maven/org.eclipse.jetty/jetty-servlet/pom.xml
MD5: E662A30EA722C442A57A83C478FD7D7E
SHA1: 4A2D357D991AFF1EE18E617B7C1076DBCFE89986
Description: Utility classes for Jetty
File Path: C:\Users\jeremy\Documents\NetBeansProjects\DependencyCheck\dependency-check-core\target\test-classes\uber-1.0-SNAPSHOT.jar\META-INF/maven/org.eclipse.jetty/jetty-util/pom.xml
MD5: C147343FA7F11C15A5F99DDF8A830B20
SHA1: 9A86A0C493D3834471B7A03E174A9F4D469CBD98
File Path: C:\Users\jeremy\Documents\NetBeansProjects\DependencyCheck\dependency-check-core\target\test-classes\velocity-1.7.jar
MD5: 3692DD72F8367CB35FB6280DC2916725
SHA1: 2CEB567B8F3F21118ECDEC129FE1271DBC09AA7A
File Path: C:\Users\jeremy\Documents\NetBeansProjects\DependencyCheck\dependency-check-core\target\test-classes\war-4.0.war
MD5: 54070E31AA8E6256EA8C850642A3C434
SHA1: EAEDE5596599912D70CB9B517CB87FFF336A8422
File Path: C:\Users\jeremy\Documents\NetBeansProjects\DependencyCheck\dependency-check-core\target\test-classes\war-4.0.war\WEB-INF\extra\commons-fileupload-1.1.1.jar
MD5: ADB15D9A4DA4A30D77E88B32A45CBDDB
SHA1: D587A50727BA905AAD13DE9EA119081403BF6823
Severity:
Medium
CVSS Score: 5.0
CWE: CWE-264 Permissions, Privileges, and Access Controls
MultipartStream.java in Apache Commons FileUpload before 1.3.1, as used in Apache Tomcat, JBoss Web, and other products, allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via a crafted Content-Type header that bypasses a loop's intended exit conditions.
Vulnerable Software & Versions:
Severity:
Low
CVSS Score: 3.3
CWE: CWE-264 Permissions, Privileges, and Access Controls
The default configuration of javax.servlet.context.tempdir in Apache Commons FileUpload 1.0 through 1.2.2 uses the /tmp directory for uploaded files, which allows local users to overwrite arbitrary files via an unspecified symlink attack.
Vulnerable Software & Versions:
File Path: C:\Users\jeremy\Documents\NetBeansProjects\DependencyCheck\dependency-check-core\target\test-classes\war-4.0.war\WEB-INF\extra\commons-io-1.3.1.jar
MD5: 2E55C05D3386889AF97CAAE4517AC9DF
SHA1: B90B6AC57CF27A2858EAA490D02BA7945D18CA7B
Description: Java.net - The Source for Java Technology Collaboration
License:
http://glassfish.java.net/nonav/public/CDDL+GPL.html
File Path: C:\Users\jeremy\Documents\NetBeansProjects\DependencyCheck\dependency-check-core\target\test-classes\war-4.0.war\WEB-INF\lib\console-core-4.0.jar
File Path: C:\Users\jeremy\Documents\NetBeansProjects\DependencyCheck\dependency-check-core\target\test-classes\war-4.0.war\WEB-INF\extra\dojo-ajax-nodemo-0.4.1.jar
MD5: 91FDA9E8B3C95EEE6F566567CF790A9E
SHA1: 0E77D6BB7687A7084A1B92DA563DFDA6324BA83F
File Path: C:\Users\jeremy\Documents\NetBeansProjects\DependencyCheck\dependency-check-core\target\test-classes\war-4.0.war\WEB-INF\extra\json-1.0.jar
MD5: A7AA9A187CB901EC6E299F65F583F140
SHA1: 0FE8CE55B9F83F16185192821A385916B0EEF38E
File Path: C:\Users\jeremy\Documents\NetBeansProjects\DependencyCheck\dependency-check-core\target\test-classes\war-4.0.war\WEB-INF\extra\prototype-1.5.0.jar
MD5: 206BD786024ECA29E41A12E44C055C0A
SHA1: B02B002F0E9BB289B311DB49C561C58AFB8EB58C
File Path: C:\Users\jeremy\Documents\NetBeansProjects\DependencyCheck\dependency-check-core\target\test-classes\war-4.0.war\WEB-INF\extra\webui-jsf-4.0.2.10.jar
MD5: 411E6E13BC190D58E10337E502371CFC
SHA1: 977A6FA7F65F8EA68101AA1252C05E8193DE97B5
File Path: C:\Users\jeremy\Documents\NetBeansProjects\DependencyCheck\dependency-check-core\target\test-classes\war-4.0.war\WEB-INF\extra\webui-jsf-suntheme-4.0.2.10.jar
MD5: 62A5F094E9832DCE2A7CE138DFEE3507
SHA1: 4EC663AE9AB37D9D6504DC5754E1E59D36D2CD9E
Description: The Woden project is a subproject of the Apache Web Services Project to develop a Java class library for reading, manipulating, creating and writing WSDL documents, initially to support WSDL 2.0 but with the longer term aim of supporting past, present and future versions of WSDL. There are two main deliverables: an API and an implementation. The Woden API consists of a set of Java interfaces. The WSDL 2.0-specific portion of the Woden API conforms to the W3C WSDL 2.0 specification. The implementation will be a high performance implementation directly usable in other Apache projects such as Axis2.
License:
http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\Users\jeremy\Documents\NetBeansProjects\DependencyCheck\dependency-check-core\target\test-classes\woden-api-1.0M8.jar
Description: The Woden project is a subproject of the Apache Web Services Project to develop a Java class library for reading, manipulating, creating and writing WSDL documents, initially to support WSDL 2.0 but with the longer term aim of supporting past, present and future versions of WSDL. There are two main deliverables: an API and an implementation. The Woden API consists of a set of Java interfaces. The WSDL 2.0-specific portion of the Woden API conforms to the W3C WSDL 2.0 specification. The implementation will be a high performance implementation directly usable in other Apache projects such as Axis2.
License:
http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\Users\jeremy\Documents\NetBeansProjects\DependencyCheck\dependency-check-core\target\test-classes\woden-impl-dom-1.0M8.jar
File Path: C:\Users\jeremy\Documents\NetBeansProjects\DependencyCheck\dependency-check-core\target\test-classes\wsdl4j-1.6.2.jar
MD5: 2608A8EA3F07B0C08DE8A7D3D0D3FC09
SHA1: DEC1669FB6801B7328E01AD72FC9E10B69EA06C1
Description:
Apache WSS4J is an implementation of the Web Services Security
(WS-Security) being developed at OASIS Web Services Security TC.
WSS4J is primarily a Java library that can be used to sign and
verify SOAP Messages with WS-Security information. WSS4J will
use Apache Axis and Apache XML-Security projects and will be
interoperable with JAX-RPC based server/clients and .NET
server/clients.
License:
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\Users\jeremy\Documents\NetBeansProjects\DependencyCheck\dependency-check-core\target\test-classes\wss4j-1.5.7.jar
File Path: C:\Users\jeremy\Documents\NetBeansProjects\DependencyCheck\dependency-check-core\target\test-classes\wstx-asl-3.2.4.jar
MD5: F3FAC27A7387452F1C4243C695FA0F0D
SHA1: AADA03A08AE547BEE92CAF3B1E0CD756134E9226
File Path: C:\Users\jeremy\Documents\NetBeansProjects\DependencyCheck\dependency-check-core\target\test-classes\xalan-2.7.0.jar
MD5: A018D032C21A873225E702B36B171A10
SHA1: A33C0097F1C70B20FA7DED220EA317EB3500515E
File Path: C:\Users\jeremy\Documents\NetBeansProjects\DependencyCheck\dependency-check-core\target\test-classes\xercesImpl-2.8.1.jar
MD5: E86F321C8191B37BD720FF5679F57288
SHA1: 25101E37EC0C907DB6F0612CBF106EE519C1AEF1
File Path: C:\Users\jeremy\Documents\NetBeansProjects\DependencyCheck\dependency-check-core\target\test-classes\xml-apis-1.3.04.jar
MD5: 9AE9C29E4497FC35A3EADE1E6DD0BBEB
SHA1: 90B215F48FE42776C8C7F6E3509EC54E84FD65EF
File Path: C:\Users\jeremy\Documents\NetBeansProjects\DependencyCheck\dependency-check-core\target\test-classes\xmlParserAPIs-2.6.0.jar
MD5: 2651F9F7C39E3524F3E2C394625AC63A
SHA1: 065ACEDE1E5305BD2B92213D7B5761328C6F4FD9
File Path: C:\Users\jeremy\Documents\NetBeansProjects\DependencyCheck\dependency-check-core\target\test-classes\xmlpull-1.1.3.1.jar
MD5: CC57DACC720ECA721A50E78934B822D2
SHA1: 2B8E230D2AB644E4ECAA94DB7CDEDBC40C805DFA
Description: Commons XMLSchema is a light weight schema object model that can be used to manipulate or
generate a schema. It has a clean, easy to use API and can easily be integrated into an existing project
since it has almost no dependencies on third party libraries.
License:
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\Users\jeremy\Documents\NetBeansProjects\DependencyCheck\dependency-check-core\target\test-classes\XmlSchema-1.4.2.jar
File Path: C:\Users\jeremy\Documents\NetBeansProjects\DependencyCheck\dependency-check-core\target\test-classes\xmlsec-1.4.2.jar
MD5: C1F469EA540408D0FC8025E9E2E6569C
SHA1: 72E2A0012F386FE0C7901D4311D60DF155E585B5
File Path: C:\Users\jeremy\Documents\NetBeansProjects\DependencyCheck\dependency-check-core\target\test-classes\xpp3_min-1.1.4c.jar
MD5: DCD95BCB84B09897B2B66D4684C040DA
SHA1: 19D4E90B43059058F6E056F794F0EA4030D60B86
File Path: C:\Users\jeremy\Documents\NetBeansProjects\DependencyCheck\dependency-check-core\target\test-classes\xstream-1.4.2.jar
MD5: 23947B036DD0D9CD23CB2F388C373181
SHA1: 97E5013F391487CCE4DE6B0EEBCDE21549E91872
Description:
XWork is a command-pattern framework that is used to power WebWork
as well as other applications. XWork provides an Inversion of Control
container, a powerful expression language, data type conversion,
validation, and pluggable configuration.
License:
The OpenSymphony Software License 1.1: src/etc/LICENSE.txt
File Path: C:\Users\jeremy\Documents\NetBeansProjects\DependencyCheck\dependency-check-core\target\test-classes\xwork-2.1.1.jar
Severity:
Medium
CVSS Score: 5.0
CWE: CWE-200 Information Exposure
XWork 2.2.1 in Apache Struts 2.2.1, and OpenSymphony XWork in OpenSymphony WebWork, allows remote attackers to obtain potentially sensitive information about internal Java class paths via vectors involving an s:submit element and a nonexistent method, a different vulnerability than CVE-2011-1772.3.
Vulnerable Software & Versions:
Severity:
Low
CVSS Score: 2.6
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Multiple cross-site scripting (XSS) vulnerabilities in XWork in Apache Struts 2.x before 2.2.3, and OpenSymphony XWork in OpenSymphony WebWork, allow remote attackers to inject arbitrary web script or HTML via vectors involving (1) an action name, (2) the action attribute of an s:submit element, or (3) the method attribute of an s:submit element.
Vulnerable Software & Versions:
Severity:
Medium
CVSS Score: 5.0
CWE: CWE-20 Improper Input Validation
ParametersInterceptor in OpenSymphony XWork 2.0.x before 2.0.6 and 2.1.x before 2.1.2, as used in Apache Struts and other products, does not properly restrict # (pound sign) references to context objects, which allows remote attackers to execute Object-Graph Navigation Language (OGNL) statements and modify server-side context objects, as demonstrated by use of a \u0023 representation for the # character.
Vulnerable Software & Versions: