Jersey is the open source (under dual CDDL+GPL license) JAX-RS (JSR 311)
production quality Reference Implementation for building
RESTful Web services.
Path to dependency file: /tensorflow/java/maven/spark-tensorflow-connector/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/sun/jersey/jersey-server/1.9/jersey-server-1.9.jar,/home/wss-scanner/.m2/repository/com/sun/jersey/jersey-server/1.9/jersey-server-1.9.jar
Jersey is the open source (under dual CDDL+GPL license) JAX-RS (JSR 311)
production quality Reference Implementation for building
RESTful Web services.
Path to dependency file: /tensorflow/java/maven/spark-tensorflow-connector/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/sun/jersey/jersey-core/1.9/jersey-core-1.9.jar,/home/wss-scanner/.m2/repository/com/sun/jersey/jersey-core/1.9/jersey-core-1.9.jar
CVE-2014-3643 - High Severity Vulnerability
Vulnerable Libraries - jersey-server-1.9.jar, jersey-core-1.9.jar
jersey-server-1.9.jar
Jersey is the open source (under dual CDDL+GPL license) JAX-RS (JSR 311) production quality Reference Implementation for building RESTful Web services.
Library home page: https://jersey.java.net/
Path to dependency file: /tensorflow/java/maven/spark-tensorflow-connector/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/sun/jersey/jersey-server/1.9/jersey-server-1.9.jar,/home/wss-scanner/.m2/repository/com/sun/jersey/jersey-server/1.9/jersey-server-1.9.jar
Dependency Hierarchy: - hadoop-common-2.6.0.jar (Root Library) - :x: **jersey-server-1.9.jar** (Vulnerable Library)
jersey-core-1.9.jar
Jersey is the open source (under dual CDDL+GPL license) JAX-RS (JSR 311) production quality Reference Implementation for building RESTful Web services.
Library home page: http://www.oracle.com/
Path to dependency file: /tensorflow/java/maven/spark-tensorflow-connector/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/sun/jersey/jersey-core/1.9/jersey-core-1.9.jar,/home/wss-scanner/.m2/repository/com/sun/jersey/jersey-core/1.9/jersey-core-1.9.jar
Dependency Hierarchy: - hadoop-common-2.6.0.jar (Root Library) - :x: **jersey-core-1.9.jar** (Vulnerable Library)
Found in HEAD commit: 1f65fd168afc52c040a47230bb3cb902f7223124
Found in base branch: master
Vulnerability Details
jersey: XXE via parameter entities not disabled by the jersey SAX parser
Publish Date: 2019-12-15
URL: CVE-2014-3643
CVSS 3 Score Details (7.5)
Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: None - Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3643
Release Date: 2019-12-15
Fix Resolution: com.sun.jersey:jersey-core:1.13;com.sun.jersey:jersey-server:1.13
Step up your Open Source Security Game with Mend here