*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
The Apache Commons FileUpload component provides a simple yet flexible means of adding support for multipart
file upload functionality to servlets and web applications.
Path to dependency file: /pom.xml
Path to vulnerable library: /Users/alexmaybaum/.m2/repository/commons-fileupload/commons-fileupload/1.3.1/commons-fileupload-1.3.1.jar
Included in Log4j 1.2 is a SocketServer class that is vulnerable to deserialization of untrusted data which can be exploited to remotely execute arbitrary code when combined with a deserialization gadget when listening to untrusted network traffic for log data. This affects Log4j versions up to 1.2 up to 1.2.17.
JMSSink in all versions of Log4j 1.x is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration or if the configuration references an LDAP service the attacker has access to. The attacker can provide a TopicConnectionFactoryBindingName configuration causing JMSSink to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-4104. Note this issue only affects Log4j 1.x when specifically configured to use JMSSink, which is not the default. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.
BeanShell (bsh) before 2.0b6, when included on the classpath by an application that uses Java serialization or XStream, allows remote attackers to execute arbitrary code via crafted serialized data, related to XThis.Handler.
The Apache Commons FileUpload component provides a simple yet flexible means of adding support for multipart
file upload functionality to servlets and web applications.
Path to dependency file: /pom.xml
Path to vulnerable library: /Users/alexmaybaum/.m2/repository/commons-fileupload/commons-fileupload/1.3.1/commons-fileupload-1.3.1.jar
This vulnerability is potentially used
```
org.t246osslab.easybuggy4sb.vulnerabilities.XEEandXXEController (Application)
-> org.owasp.esapi.waf.internal.InterceptingHTTPServletRequest (Extension)
-> org.apache.commons.fileupload.servlet.ServletFileUpload (Extension)
-> org.apache.commons.fileupload.FileUploadBase (Extension)
-> org.apache.commons.fileupload.FileUploadBase$FileItemIteratorImpl$FileItemStreamImpl (Extension)
-> ❌ org.apache.commons.fileupload.MultipartStream (Vulnerable Component)
```
### Vulnerability Details
The MultipartStream class in Apache Commons Fileupload before 1.3.2, as used in Apache Tomcat 7.x before 7.0.70, 8.x before 8.0.36, 8.5.x before 8.5.3, and 9.x before 9.0.0.M7 and other products, allows remote attackers to cause a denial of service (CPU consumption) via a long boundary string.
Apache Commons BeanUtils, as distributed in lib/commons-beanutils-1.8.0.jar in Apache Struts 1.x through 1.3.10 and in other products requiring commons-beanutils through 1.9.2, does not suppress the class property, which allows remote attackers to "manipulate" the ClassLoader and execute arbitrary code via the class parameter, as demonstrated by the passing of this parameter to the getClass method of the ActionForm object in Struts 1.
** UNSUPPORTED WHEN ASSIGNED **
When using the Chainsaw or SocketAppender components with Log4j 1.x on JRE less than 1.7, an attacker that manages to cause a logging entry involving a specially-crafted (ie, deeply nested)
hashmap or hashtable (depending on which logging component is in use) to be processed could exhaust the available memory in the virtual machine and achieve Denial of Service when the object is deserialized.
This issue affects Apache Log4j before 2. Affected users are recommended to update to Log4j 2.x.
NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
Xerces2 is the next generation of high performance, fully compliant XML parsers in the
Apache Xerces family. This new version of Xerces introduces the Xerces Native Interface (XNI),
a complete framework for building parser components and configurations that is extremely
modular and easy to program.
This vulnerability is potentially used
```
org.t246osslab.easybuggy4sb.vulnerabilities.XEEandXXEController (Application)
-> org.apache.catalina.connector.Request (Extension)
-> org.apache.catalina.core.ApplicationFilterChain (Extension)
-> org.apache.xerces.dom.DocumentImpl (Extension)
...
-> org.apache.xerces.impl.dtd.XMLDTDLoader (Extension)
-> org.apache.xerces.impl.dtd.DTDGrammar (Extension)
-> ❌ org.apache.xerces.impl.dtd.DTDGrammar$QNameHashtable (Vulnerable Component)
```
### Vulnerability Details
Apache Xerces2 Java Parser before 2.12.0 allows remote attackers to cause a denial of service (CPU consumption) via a crafted message to an XML service, which triggers hash table collisions.
The Apache Commons FileUpload component provides a simple yet flexible means of adding support for multipart
file upload functionality to servlets and web applications.
Path to dependency file: /pom.xml
Path to vulnerable library: /Users/alexmaybaum/.m2/repository/commons-fileupload/commons-fileupload/1.3.1/commons-fileupload-1.3.1.jar
In Apache Commons Beanutils 1.9.2, a special BeanIntrospector class was added which allows suppressing the ability for an attacker to access the classloader via the class property available on all Java objects. We, however were not using this by default characteristic of the PropertyUtilsBean.
The OWASP AntiSamy project is a collection of APIs for safely allowing users to supply their own HTML
and CSS without exposing the site to XSS vulnerabilities.
The HttpClient component supports the client-side of RFC 1945 (HTTP/1.0) and RFC 2616 (HTTP/1.1) , several related specifications (RFC 2109 (Cookies) , RFC 2617 (HTTP Authentication) , etc.), and provides a framework by which new request types (methods) or HTTP extensions can be created easily.
Path to dependency file: /pom.xml
Path to vulnerable library: /Users/alexmaybaum/.m2/repository/commons-httpclient/commons-httpclient/3.1/commons-httpclient-3.1.jar
This vulnerability is potentially used
```
org.t246osslab.easybuggy4sb.InitializationListener (Application)
-> org.owasp.esapi.ESAPI (Extension)
-> org.owasp.esapi.reference.DefaultValidator (Extension)
-> org.owasp.validator.css.ExternalCssScanner (Extension)
...
-> org.apache.commons.httpclient.SimpleHttpConnectionManager (Extension)
-> org.apache.commons.httpclient.protocol.Protocol (Extension)
-> ❌ org.apache.commons.httpclient.protocol.SSLProtocolSocketFactory (Vulnerable Component)
```
### Vulnerability Details
Apache Commons HttpClient 3.x, as used in Amazon Flexible Payments Service (FPS) merchant Java SDK and other products, does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.
Xerces2 is the next generation of high performance, fully compliant XML parsers in the
Apache Xerces family. This new version of Xerces introduces the Xerces Native Interface (XNI),
a complete framework for building parser components and configurations that is extremely
modular and easy to program.
This vulnerability is potentially used
```
org.t246osslab.easybuggy4sb.vulnerabilities.XEEandXXEController (Application)
-> org.apache.xerces.jaxp.SAXParserImpl (Extension)
-> org.apache.xerces.impl.xs.XMLSchemaValidator (Extension)
-> org.apache.xerces.impl.xs.XMLSchemaLoader (Extension)
...
-> org.apache.xerces.impl.xs.opti.SchemaParsingConfig (Extension)
-> org.apache.xerces.impl.XMLDTDScannerImpl (Extension)
-> ❌ org.apache.xerces.impl.XMLScanner (Vulnerable Component)
```
### Vulnerability Details
XMLScanner.java in Apache Xerces2 Java, as used in Sun Java Runtime Environment (JRE) in JDK and JRE 6 before Update 15 and JDK and JRE 5.0 before Update 20, and in other products, allows remote attackers to cause a denial of service (infinite loop and application hang) via malformed XML input, as demonstrated by the Codenomicon XML fuzzing framework.
This vulnerability is potentially used
```
org.t246osslab.easybuggy4sb.core.filters.SecurityFilter (Application)
-> org.owasp.esapi.waf.ESAPIWebApplicationFirewallFilter (Extension)
-> org.apache.log4j.xml.DOMConfigurator (Extension)
-> ❌ org.apache.log4j.net.SMTPAppender (Vulnerable Component)
```
### Vulnerability Details
Improper validation of certificate with host mismatch in Apache Log4j SMTP appender. This could allow an SMTPS connection to be intercepted by a man-in-the-middle attack which could leak any log messages sent through that appender.
:heavy_check_mark: This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.
Vulnerable Library - esapi-2.1.0.1.jar
Path to dependency file: /pom.xml
Path to vulnerable library: /Users/alexmaybaum/.m2/repository/log4j/log4j/1.2.17/log4j-1.2.17.jar
Vulnerabilities
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2016-1000031
### Vulnerable Library - commons-fileupload-1.3.1.jarThe Apache Commons FileUpload component provides a simple yet flexible means of adding support for multipart file upload functionality to servlets and web applications.
Path to dependency file: /pom.xml
Path to vulnerable library: /Users/alexmaybaum/.m2/repository/commons-fileupload/commons-fileupload/1.3.1/commons-fileupload-1.3.1.jar
Dependency Hierarchy: - esapi-2.1.0.1.jar (Root Library) - :x: **commons-fileupload-1.3.1.jar** (Vulnerable Library)
Found in base branch: master
### Reachability AnalysisThis vulnerability is potentially used ``` org.t246osslab.easybuggy4sb.vulnerabilities.XEEandXXEController (Application) -> org.springframework.web.multipart.commons.CommonsMultipartFile (Extension) -> ❌ org.apache.commons.fileupload.FileItem (Vulnerable Component) ```
### Vulnerability DetailsApache Commons FileUpload before 1.3.3 DiskFileItem File Manipulation Remote Code Execution
Publish Date: 2016-10-25
URL: CVE-2016-1000031
### CVSS 3 Score Details (9.8)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1000031
Release Date: 2016-10-25
Fix Resolution: 1.3.3
CVE-2019-17571
### Vulnerable Library - log4j-1.2.17.jarApache Log4j 1.2
Path to dependency file: /pom.xml
Path to vulnerable library: /Users/alexmaybaum/.m2/repository/log4j/log4j/1.2.17/log4j-1.2.17.jar
Dependency Hierarchy: - esapi-2.1.0.1.jar (Root Library) - :x: **log4j-1.2.17.jar** (Vulnerable Library)
Found in base branch: master
### Reachability AnalysisThe vulnerable code is not reachable.
### Vulnerability DetailsIncluded in Log4j 1.2 is a SocketServer class that is vulnerable to deserialization of untrusted data which can be exploited to remotely execute arbitrary code when combined with a deserialization gadget when listening to untrusted network traffic for log data. This affects Log4j versions up to 1.2 up to 1.2.17.
Publish Date: 2019-12-20
URL: CVE-2019-17571
### CVSS 3 Score Details (9.8)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17571
Release Date: 2019-12-20
Fix Resolution: org.apache.logging.log4j:log4j-core:2.0-alpha1
CVE-2022-23302
### Vulnerable Library - log4j-1.2.17.jarApache Log4j 1.2
Path to dependency file: /pom.xml
Path to vulnerable library: /Users/alexmaybaum/.m2/repository/log4j/log4j/1.2.17/log4j-1.2.17.jar
Dependency Hierarchy: - esapi-2.1.0.1.jar (Root Library) - :x: **log4j-1.2.17.jar** (Vulnerable Library)
Found in base branch: master
### Reachability AnalysisThe vulnerable code is not reachable.
### Vulnerability DetailsJMSSink in all versions of Log4j 1.x is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration or if the configuration references an LDAP service the attacker has access to. The attacker can provide a TopicConnectionFactoryBindingName configuration causing JMSSink to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-4104. Note this issue only affects Log4j 1.x when specifically configured to use JMSSink, which is not the default. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.
Publish Date: 2022-01-18
URL: CVE-2022-23302
### CVSS 3 Score Details (8.8)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: Low - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://reload4j.qos.ch/
Release Date: 2022-01-18
Fix Resolution: ch.qos.reload4j:reload4j:1.2.18.1
CVE-2016-2510
### Vulnerable Library - bsh-core-2.0b4.jarBeanShell core
Path to dependency file: /pom.xml
Path to vulnerable library: /Users/alexmaybaum/.m2/repository/org/beanshell/bsh-core/2.0b4/bsh-core-2.0b4.jar
Dependency Hierarchy: - esapi-2.1.0.1.jar (Root Library) - :x: **bsh-core-2.0b4.jar** (Vulnerable Library)
Found in base branch: master
### Reachability AnalysisThe vulnerable code is not reachable.
### Vulnerability DetailsBeanShell (bsh) before 2.0b6, when included on the classpath by an application that uses Java serialization or XStream, allows remote attackers to execute arbitrary code via crafted serialized data, related to XThis.Handler.
Publish Date: 2016-04-07
URL: CVE-2016-2510
### CVSS 3 Score Details (8.1)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: High - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2016-2510
Release Date: 2016-04-07
Fix Resolution: 2.0b6
CVE-2016-3092
### Vulnerable Library - commons-fileupload-1.3.1.jarThe Apache Commons FileUpload component provides a simple yet flexible means of adding support for multipart file upload functionality to servlets and web applications.
Path to dependency file: /pom.xml
Path to vulnerable library: /Users/alexmaybaum/.m2/repository/commons-fileupload/commons-fileupload/1.3.1/commons-fileupload-1.3.1.jar
Dependency Hierarchy: - esapi-2.1.0.1.jar (Root Library) - :x: **commons-fileupload-1.3.1.jar** (Vulnerable Library)
Found in base branch: master
### Reachability AnalysisThis vulnerability is potentially used ``` org.t246osslab.easybuggy4sb.vulnerabilities.XEEandXXEController (Application) -> org.owasp.esapi.waf.internal.InterceptingHTTPServletRequest (Extension) -> org.apache.commons.fileupload.servlet.ServletFileUpload (Extension) -> org.apache.commons.fileupload.FileUploadBase (Extension) -> org.apache.commons.fileupload.FileUploadBase$FileItemIteratorImpl$FileItemStreamImpl (Extension) -> ❌ org.apache.commons.fileupload.MultipartStream (Vulnerable Component) ```
### Vulnerability DetailsThe MultipartStream class in Apache Commons Fileupload before 1.3.2, as used in Apache Tomcat 7.x before 7.0.70, 8.x before 8.0.36, 8.5.x before 8.5.3, and 9.x before 9.0.0.M7 and other products, allows remote attackers to cause a denial of service (CPU consumption) via a long boundary string.
Publish Date: 2016-07-04
URL: CVE-2016-3092
### CVSS 3 Score Details (7.5)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3092
Release Date: 2016-07-04
Fix Resolution: org.apache.tomcat.embed:tomcat-embed-core:9.0.0.M8,8.5.3,8.0.36,7.0.70,org.apache.tomcat:tomcat-coyote:9.0.0.M8,8.5.3,8.0.36,7.0.70,commons-fileupload:commons-fileupload:1.3.2
CVE-2014-0114
### Vulnerable Library - commons-beanutils-core-1.8.3.jarPath to dependency file: /pom.xml
Path to vulnerable library: /Users/alexmaybaum/.m2/repository/commons-beanutils/commons-beanutils-core/1.8.3/commons-beanutils-core-1.8.3.jar
Dependency Hierarchy: - esapi-2.1.0.1.jar (Root Library) - :x: **commons-beanutils-core-1.8.3.jar** (Vulnerable Library)
Found in base branch: master
### Reachability AnalysisThe vulnerable code is not reachable.
### Vulnerability DetailsApache Commons BeanUtils, as distributed in lib/commons-beanutils-1.8.0.jar in Apache Struts 1.x through 1.3.10 and in other products requiring commons-beanutils through 1.9.2, does not suppress the class property, which allows remote attackers to "manipulate" the ClassLoader and execute arbitrary code via the class parameter, as demonstrated by the passing of this parameter to the getClass method of the ActionForm object in Struts 1.
Publish Date: 2014-04-30
URL: CVE-2014-0114
### CVSS 2 Score Details (7.5)Base Score Metrics not available
### Suggested FixType: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0114
Release Date: 2014-04-30
Fix Resolution: commons-beanutils:commons-beanutils:1.9.4;org.apache.struts:struts2-core:2.0.5
CVE-2023-26464
### Vulnerable Library - log4j-1.2.17.jarApache Log4j 1.2
Path to dependency file: /pom.xml
Path to vulnerable library: /Users/alexmaybaum/.m2/repository/log4j/log4j/1.2.17/log4j-1.2.17.jar
Dependency Hierarchy: - esapi-2.1.0.1.jar (Root Library) - :x: **log4j-1.2.17.jar** (Vulnerable Library)
Found in base branch: master
### Vulnerability Details** UNSUPPORTED WHEN ASSIGNED ** When using the Chainsaw or SocketAppender components with Log4j 1.x on JRE less than 1.7, an attacker that manages to cause a logging entry involving a specially-crafted (ie, deeply nested) hashmap or hashtable (depending on which logging component is in use) to be processed could exhaust the available memory in the virtual machine and achieve Denial of Service when the object is deserialized. This issue affects Apache Log4j before 2. Affected users are recommended to update to Log4j 2.x. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
Publish Date: 2023-03-10
URL: CVE-2023-26464
### CVSS 3 Score Details (7.5)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://github.com/advisories/GHSA-vp98-w2p3-mv35
Release Date: 2023-03-10
Fix Resolution: org.apache.logging.log4j:log4j-core:2.0
CVE-2012-0881
### Vulnerable Library - xercesImpl-2.8.0.jarXerces2 is the next generation of high performance, fully compliant XML parsers in the Apache Xerces family. This new version of Xerces introduces the Xerces Native Interface (XNI), a complete framework for building parser components and configurations that is extremely modular and easy to program.
Library home page: http://xerces.apache.org/xerces2-j
Path to dependency file: /pom.xml
Path to vulnerable library: /Users/alexmaybaum/.m2/repository/xerces/xercesImpl/2.8.0/xercesImpl-2.8.0.jar
Dependency Hierarchy: - esapi-2.1.0.1.jar (Root Library) - xom-1.2.5.jar - :x: **xercesImpl-2.8.0.jar** (Vulnerable Library)
Found in base branch: master
### Reachability AnalysisThis vulnerability is potentially used ``` org.t246osslab.easybuggy4sb.vulnerabilities.XEEandXXEController (Application) -> org.apache.catalina.connector.Request (Extension) -> org.apache.catalina.core.ApplicationFilterChain (Extension) -> org.apache.xerces.dom.DocumentImpl (Extension) ... -> org.apache.xerces.impl.dtd.XMLDTDLoader (Extension) -> org.apache.xerces.impl.dtd.DTDGrammar (Extension) -> ❌ org.apache.xerces.impl.dtd.DTDGrammar$QNameHashtable (Vulnerable Component) ```
### Vulnerability DetailsApache Xerces2 Java Parser before 2.12.0 allows remote attackers to cause a denial of service (CPU consumption) via a crafted message to an XML service, which triggers hash table collisions.
Publish Date: 2017-10-30
URL: CVE-2012-0881
### CVSS 3 Score Details (7.5)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0881
Release Date: 2017-10-30
Fix Resolution: 2.12.0
WS-2014-0034
### Vulnerable Library - commons-fileupload-1.3.1.jarThe Apache Commons FileUpload component provides a simple yet flexible means of adding support for multipart file upload functionality to servlets and web applications.
Path to dependency file: /pom.xml
Path to vulnerable library: /Users/alexmaybaum/.m2/repository/commons-fileupload/commons-fileupload/1.3.1/commons-fileupload-1.3.1.jar
Dependency Hierarchy: - esapi-2.1.0.1.jar (Root Library) - :x: **commons-fileupload-1.3.1.jar** (Vulnerable Library)
Found in base branch: master
### Reachability AnalysisThis vulnerability is potentially used ``` org.t246osslab.easybuggy4sb.vulnerabilities.XEEandXXEController (Application) -> org.owasp.esapi.waf.internal.InterceptingHTTPServletRequest (Extension) -> org.apache.commons.fileupload.servlet.ServletFileUpload (Extension) -> ❌ org.apache.commons.fileupload.FileUploadBase (Vulnerable Component) ```
### Vulnerability DetailsThe class FileUploadBase in Apache Commons Fileupload before 1.4 has potential resource leak - InputStream not closed on exception.
Publish Date: 2014-02-17
URL: WS-2014-0034
### CVSS 3 Score Details (7.5)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: None - Availability Impact: None
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Release Date: 2019-09-26
Fix Resolution: 1.4
CVE-2019-10086
### Vulnerable Library - commons-beanutils-core-1.8.3.jarPath to dependency file: /pom.xml
Path to vulnerable library: /Users/alexmaybaum/.m2/repository/commons-beanutils/commons-beanutils-core/1.8.3/commons-beanutils-core-1.8.3.jar
Dependency Hierarchy: - esapi-2.1.0.1.jar (Root Library) - :x: **commons-beanutils-core-1.8.3.jar** (Vulnerable Library)
Found in base branch: master
### Reachability AnalysisThe vulnerable code is not reachable.
### Vulnerability DetailsIn Apache Commons Beanutils 1.9.2, a special BeanIntrospector class was added which allows suppressing the ability for an attacker to access the classloader via the class property available on all Java objects. We, however were not using this by default characteristic of the PropertyUtilsBean.
Publish Date: 2019-08-20
URL: CVE-2019-10086
### CVSS 3 Score Details (7.3)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: Low - Integrity Impact: Low - Availability Impact: Low
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: http://mail-archives.apache.org/mod_mbox/www-announce/201908.mbox/%3cC628798F-315D-4428-8CB1-4ED1ECC958E4@apache.org%3e
Release Date: 2019-08-20
Fix Resolution: 1.9.4
CVE-2017-14735
### Vulnerable Library - antisamy-1.5.3.jarThe OWASP AntiSamy project is a collection of APIs for safely allowing users to supply their own HTML and CSS without exposing the site to XSS vulnerabilities.
Library home page: http://www.owasp.org/index.php/Category:OWASP_AntiSamy_Project
Path to dependency file: /pom.xml
Path to vulnerable library: /Users/alexmaybaum/.m2/repository/org/owasp/antisamy/antisamy/1.5.3/antisamy-1.5.3.jar
Dependency Hierarchy: - esapi-2.1.0.1.jar (Root Library) - :x: **antisamy-1.5.3.jar** (Vulnerable Library)
Found in base branch: master
### Reachability AnalysisThis vulnerability is potentially used ``` org.t246osslab.easybuggy4sb.InitializationListener (Application) -> org.owasp.esapi.ESAPI (Extension) -> org.owasp.esapi.reference.DefaultValidator (Extension) -> org.owasp.esapi.reference.validation.HTMLValidationRule (Extension) -> ❌ org.owasp.validator.html.Policy (Vulnerable Component) ```
### Vulnerability DetailsOWASP AntiSamy before 1.5.7 allows XSS via HTML5 entities, as demonstrated by use of : to construct a javascript: URL.
Publish Date: 2017-09-25
URL: CVE-2017-14735
### CVSS 3 Score Details (6.1)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: Required - Scope: Changed - Impact Metrics: - Confidentiality Impact: Low - Integrity Impact: Low - Availability Impact: None
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14735
Release Date: 2017-09-25
Fix Resolution: 1.5.7
CVE-2012-5783
### Vulnerable Library - commons-httpclient-3.1.jarThe HttpClient component supports the client-side of RFC 1945 (HTTP/1.0) and RFC 2616 (HTTP/1.1) , several related specifications (RFC 2109 (Cookies) , RFC 2617 (HTTP Authentication) , etc.), and provides a framework by which new request types (methods) or HTTP extensions can be created easily.
Path to dependency file: /pom.xml
Path to vulnerable library: /Users/alexmaybaum/.m2/repository/commons-httpclient/commons-httpclient/3.1/commons-httpclient-3.1.jar
Dependency Hierarchy: - esapi-2.1.0.1.jar (Root Library) - antisamy-1.5.3.jar - :x: **commons-httpclient-3.1.jar** (Vulnerable Library)
Found in base branch: master
### Reachability AnalysisThis vulnerability is potentially used ``` org.t246osslab.easybuggy4sb.InitializationListener (Application) -> org.owasp.esapi.ESAPI (Extension) -> org.owasp.esapi.reference.DefaultValidator (Extension) -> org.owasp.validator.css.ExternalCssScanner (Extension) ... -> org.apache.commons.httpclient.SimpleHttpConnectionManager (Extension) -> org.apache.commons.httpclient.protocol.Protocol (Extension) -> ❌ org.apache.commons.httpclient.protocol.SSLProtocolSocketFactory (Vulnerable Component) ```
### Vulnerability DetailsApache Commons HttpClient 3.x, as used in Amazon Flexible Payments Service (FPS) merchant Java SDK and other products, does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.
Publish Date: 2012-11-04
URL: CVE-2012-5783
### CVSS 2 Score Details (5.8)Base Score Metrics not available
### Suggested FixType: Upgrade version
Origin: https://exchange.xforce.ibmcloud.com/vulnerabilities/79984
Fix Resolution: Apply the appropriate patch for your system. See References.
CVE-2009-2625
### Vulnerable Library - xercesImpl-2.8.0.jarXerces2 is the next generation of high performance, fully compliant XML parsers in the Apache Xerces family. This new version of Xerces introduces the Xerces Native Interface (XNI), a complete framework for building parser components and configurations that is extremely modular and easy to program.
Library home page: http://xerces.apache.org/xerces2-j
Path to dependency file: /pom.xml
Path to vulnerable library: /Users/alexmaybaum/.m2/repository/xerces/xercesImpl/2.8.0/xercesImpl-2.8.0.jar
Dependency Hierarchy: - esapi-2.1.0.1.jar (Root Library) - xom-1.2.5.jar - :x: **xercesImpl-2.8.0.jar** (Vulnerable Library)
Found in base branch: master
### Reachability AnalysisThis vulnerability is potentially used ``` org.t246osslab.easybuggy4sb.vulnerabilities.XEEandXXEController (Application) -> org.apache.xerces.jaxp.SAXParserImpl (Extension) -> org.apache.xerces.impl.xs.XMLSchemaValidator (Extension) -> org.apache.xerces.impl.xs.XMLSchemaLoader (Extension) ... -> org.apache.xerces.impl.xs.opti.SchemaParsingConfig (Extension) -> org.apache.xerces.impl.XMLDTDScannerImpl (Extension) -> ❌ org.apache.xerces.impl.XMLScanner (Vulnerable Component) ```
### Vulnerability DetailsXMLScanner.java in Apache Xerces2 Java, as used in Sun Java Runtime Environment (JRE) in JDK and JRE 6 before Update 15 and JDK and JRE 5.0 before Update 20, and in other products, allows remote attackers to cause a denial of service (infinite loop and application hang) via malformed XML input, as demonstrated by the Codenomicon XML fuzzing framework.
Publish Date: 2009-08-06
URL: CVE-2009-2625
### CVSS 3 Score Details (5.3)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: Low
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2625
Release Date: 2009-08-06
Fix Resolution: xerces:xercesImpl:2.12.0
CVE-2020-9488
### Vulnerable Library - log4j-1.2.17.jarApache Log4j 1.2
Path to dependency file: /pom.xml
Path to vulnerable library: /Users/alexmaybaum/.m2/repository/log4j/log4j/1.2.17/log4j-1.2.17.jar
Dependency Hierarchy: - esapi-2.1.0.1.jar (Root Library) - :x: **log4j-1.2.17.jar** (Vulnerable Library)
Found in base branch: master
### Reachability AnalysisThis vulnerability is potentially used ``` org.t246osslab.easybuggy4sb.core.filters.SecurityFilter (Application) -> org.owasp.esapi.waf.ESAPIWebApplicationFirewallFilter (Extension) -> org.apache.log4j.xml.DOMConfigurator (Extension) -> ❌ org.apache.log4j.net.SMTPAppender (Vulnerable Component) ```
### Vulnerability DetailsImproper validation of certificate with host mismatch in Apache Log4j SMTP appender. This could allow an SMTPS connection to be intercepted by a man-in-the-middle attack which could leak any log messages sent through that appender.
Publish Date: 2020-04-27
URL: CVE-2020-9488
### CVSS 3 Score Details (3.7)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: High - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: Low - Integrity Impact: None - Availability Impact: None
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://issues.apache.org/jira/browse/LOG4J2-2819
Release Date: 2020-04-27
Fix Resolution: org.apache.logging.log4j:log4j-core:2.13.2