CVE-2023-26119
### Vulnerable Library - htmlunit-2.18.jar
All versions of the package net.sourceforge.htmlunit:htmlunit before 3.0.0 are vulnerable to Remote Code Execution (RCE) via XSLT when browsing the attacker's webpage.
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2017-7658
### Vulnerable Library - jetty-http-9.4.5.v20170502.jar
In Eclipse Jetty Server, versions 9.2.x and older, 9.3.x (all non HTTP/1.x configurations), and 9.4.x (all HTTP/1.x configurations), when presented with two Content-Length headers, Jetty ignored the second. When presented with a Content-Length and a chunked Transfer-Encoding header, the Content-Length was ignored (as per RFC 2616). If an intermediary decided on the shorter length but still passed on the longer body, then body content could be interpreted by Jetty as a pipelined request. If the intermediary was imposing authorization, the fake pipelined request would bypass that authorization.
Direct dependency fix Resolution (org.seleniumhq.selenium:selenium-htmlunit-driver): 2.47.2
CVE-2017-7657
### Vulnerable Library - jetty-http-9.4.5.v20170502.jar
In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), transfer-encoding chunks are handled poorly. The chunk length parsing was vulnerable to an integer overflow. Thus a large chunk size could be interpreted as a smaller chunk size and content sent as chunk body could be interpreted as a pipelined request. If Jetty was deployed behind an intermediary that imposed some authorization and that intermediary allowed arbitrarily large chunks to be passed on unchanged, then this flaw could be used to bypass the authorization imposed by the intermediary as the fake pipelined request would not be interpreted by the intermediary as a request.
Direct dependency fix Resolution (org.seleniumhq.selenium:selenium-htmlunit-driver): 2.47.2
CVE-2020-5529
### Vulnerable Library - htmlunit-2.18.jar
A headless browser intended for use in testing web-based applications.
HtmlUnit prior to 2.37.0 contains code execution vulnerabilities. HtmlUnit initializes the Rhino engine improperly, hence malicious JavaScript code can execute arbitrary Java code on the application. Moreover, when embedded in an Android application, the Android-specific initialization of the Rhino engine is done in an improper way, hence malicious JavaScript code can execute arbitrary Java code on the application.
CVE-2022-34169
### Vulnerable Library - xalan-2.7.2.jar
Xalan-Java is an XSLT processor for transforming XML documents into HTML, text, or other XML document types. It implements XSL Transformations (XSLT) Version 1.0 and XML Path Language (XPath) Version 1.0 and can be used from the command line, in an applet or a servlet, or as a module in other programs.
The Apache Xalan Java XSLT library is vulnerable to an integer truncation issue when processing malicious XSLT stylesheets. This can be used to corrupt Java class files generated by the internal XSLTC compiler and execute arbitrary Java bytecode. Users are recommended to update to version 2.7.3 or later. Note: Java runtimes (such as OpenJDK) include repackaged copies of Xalan.
CVE-2022-29546
### Vulnerable Library - nekohtml-1.9.22.jar
HtmlUnit NekoHtml Parser before 2.61.0 suffers from a denial of service vulnerability. Crafted input associated with the parsing of Processing Instruction (PI) data leads to heap memory consumption. This is similar to CVE-2022-28366 but affects a much later version of the product.
CVE-2022-28366
### Vulnerable Library - nekohtml-1.9.22.jar
Certain Neko-related HTML parsers allow a denial of service via crafted Processing Instruction (PI) input that causes excessive heap memory consumption. In particular, this issue exists in HtmlUnit-Neko through 2.26, and is fixed in 2.27. This issue also exists in CyberNeko HTML through 1.9.22 (also affecting OWASP AntiSamy before 1.6.6), but 1.9.22 is the last version of CyberNeko HTML. NOTE: this may be related to CVE-2022-24839.
CVE-2021-28165
### Vulnerable Library - jetty-io-9.4.5.v20170502.jar
In Eclipse Jetty 7.2.2 to 9.4.38, 10.0.0.alpha0 to 10.0.1, and 11.0.0.alpha0 to 11.0.1, CPU usage can reach 100% upon receiving a large invalid TLS frame.
Direct dependency fix Resolution (org.seleniumhq.selenium:selenium-htmlunit-driver): 2.47.2
CVE-2017-9735
### Vulnerable Library - jetty-util-9.4.5.v20170502.jar
Jetty through 9.4.x is prone to a timing channel in util/security/Password.java, which makes it easier for remote attackers to obtain access by observing elapsed times before rejection of incorrect passwords.
Direct dependency fix Resolution (org.seleniumhq.selenium:selenium-htmlunit-driver): 2.47.2
CVE-2017-7656
### Vulnerable Library - jetty-http-9.4.5.v20170502.jar
In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), HTTP/0.9 is handled poorly. An HTTP/1 style request line (i.e. method space URI space version) that declares a version of HTTP/0.9 was accepted and treated as a 0.9 request. If deployed behind an intermediary that also accepted and passed through the 0.9 version (but did not act on it), then the response sent could be interpreted by the intermediary as HTTP/1 headers. This could be used to poison the cache if the server allowed the origin client to generate arbitrary content in the response.
Direct dependency fix Resolution (org.seleniumhq.selenium:selenium-htmlunit-driver): 2.47.2
CVE-2012-0881
### Vulnerable Library - xercesImpl-2.11.0.jar
Xerces2 is the next generation of high performance, fully compliant XML parsers in the Apache Xerces family. This new version of Xerces introduces the Xerces Native Interface (XNI), a complete framework for building parser components and configurations that is extremely modular and easy to program.
The Apache Xerces2 parser is the reference implementation of XNI but other parser components, configurations, and parsers can be written using the Xerces Native Interface. For complete design and implementation documents, refer to the XNI Manual.
Xerces2 is a fully conforming XML Schema 1.0 processor. A partial experimental implementation of the XML Schema 1.1 Structures and Datatypes Working Drafts (December 2009) and an experimental implementation of the XML Schema Definition Language (XSD): Component Designators (SCD) Candidate Recommendation (January 2010) are provided for evaluation. For more information, refer to the XML Schema page.
Xerces2 also provides a complete implementation of the Document Object Model Level 3 Core and Load/Save W3C Recommendations and provides a complete implementation of the XML Inclusions (XInclude) W3C Recommendation. It also provides support for OASIS XML Catalogs v1.1.
Xerces2 is able to parse documents written according to the XML 1.1 Recommendation, except that it does not yet provide an option to enable normalization checking as described in section 2.13 of this specification. It also handles namespaces according to the XML Namespaces 1.1 Recommendation, and will correctly serialize XML 1.1 documents if the DOM level 3 load/save APIs are in use.
Path to dependency file: /BlockDockServer/build.gradle
Apache Xerces2 Java Parser before 2.12.0 allows remote attackers to cause a denial of service (CPU consumption) via a crafted message to an XML service, which triggers hash table collisions.
CVE-2022-23437
### Vulnerable Library - xercesImpl-2.11.0.jar
Path to dependency file: /BlockDockServer/build.gradle
A vulnerability exists in the Apache Xerces Java (XercesJ) XML parser when handling specially crafted XML document payloads: the parser waits in an infinite loop, which may consume system resources for a prolonged duration. This vulnerability is present in XercesJ version 2.12.1 and earlier.
CVE-2019-10241
### Vulnerable Library - jetty-util-9.4.5.v20170502.jar
In Eclipse Jetty version 9.2.26 and older, 9.3.25 and older, and 9.4.15 and older, the server is vulnerable to XSS conditions if a remote client uses a specially formatted URL against the DefaultServlet or ResourceHandler that is configured for showing a listing of directory contents.
Direct dependency fix Resolution (org.seleniumhq.selenium:selenium-htmlunit-driver): 2.47.2
CVE-2013-4002
### Vulnerable Library - xercesImpl-2.11.0.jar
Path to dependency file: /BlockDockServer/build.gradle
XMLscanner.java in Apache Xerces2 Java Parser before 2.12.0, as used in the Java Runtime Environment (JRE) in IBM Java 5.0 before 5.0 SR16-FP3, 6 before 6 SR14, 6.0.1 before 6.0.1 SR6, and 7 before 7 SR5 as well as Oracle Java SE 7u40 and earlier, Java SE 6u60 and earlier, Java SE 5.0u51 and earlier, JRockit R28.2.8 and earlier, JRockit R27.7.6 and earlier, Java SE Embedded 7u40 and earlier, and possibly other products allows remote attackers to cause a denial of service via vectors related to XML attribute names.
CVE-2021-28169
### Vulnerable Library - jetty-http-9.4.5.v20170502.jar
For Eclipse Jetty versions <= 9.4.40, <= 10.0.2, <= 11.0.2, it is possible for requests to the ConcatServlet with a doubly encoded path to access protected resources within the WEB-INF directory. For example a request to `/concat?/%2557EB-INF/web.xml` can retrieve the web.xml file. This can reveal sensitive information regarding the implementation of a web application.
Direct dependency fix Resolution (org.seleniumhq.selenium:selenium-htmlunit-driver): 2.47.2
CVE-2020-14338
### Vulnerable Library - xercesImpl-2.11.0.jar
Path to dependency file: /BlockDockServer/build.gradle
A flaw was found in Wildfly's implementation of Xerces, specifically in the way the XMLSchemaValidator class in the JAXP component of Wildfly enforced the "use-grammar-pool-only" feature. This flaw allows a specially-crafted XML file to manipulate the validation process in certain cases. This issue is the same flaw as CVE-2020-14621, which affected OpenJDK, and uses a similar code. This flaw affects all Xerces JBoss versions before 2.12.0.SP3.
### Suggested Fix
Type: Upgrade version
Release Date: 2020-10-19
Fix Resolution: xerces:xercesImpl:2.12.0.SP3
CVE-2018-12536
### Vulnerable Library - jetty-util-9.4.5.v20170502.jar
In Eclipse Jetty Server, all 9.x versions, on webapps deployed using default Error Handling, when an intentionally bad query arrives that doesn't match a dynamic url-pattern, and is eventually handled by the DefaultServlet's static file serving, the bad characters can trigger a java.nio.file.InvalidPathException which includes the full path to the base resource directory that the DefaultServlet and/or webapp is using. If this InvalidPathException is then handled by the default Error Handler, the InvalidPathException message is included in the error response, revealing the full server path to the requesting system.
Direct dependency fix Resolution (org.seleniumhq.selenium:selenium-htmlunit-driver): 2.47.2
CVE-2021-29425
### Vulnerable Library - commons-io-2.4.jar
In Apache Commons IO before 2.7, when invoking the method `FilenameUtils.normalize` with an improper input string such as `"//../foo"` or `"\\..\foo"`, the result would be the same value, thus possibly providing access to files in the parent directory, but not further above (a "limited" path traversal), if the calling code used the result to construct a path value.
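The ConcatServlet finding above (CVE-2021-28169, a doubly encoded `/%2557EB-INF/web.xml`) and this commons-io finding (CVE-2021-29425, a normalized `..` that is then glued onto a base directory) share one root cause: a security check applied before the path is fully canonical. The Python below is an added example written for this report, not code from Jetty, commons-io or the scanned project. `BASE_DIR`, `PROTECTED` and the helper names are assumptions, and it goes a little beyond the page by also collapsing `..` segments against the base directory before checking containment.

```python
"""Path canonicalisation: the naive checks beside a hardened resolver.
Added example, not Jetty/commons-io/project code; BASE_DIR and PROTECTED are assumed."""
import posixpath
from urllib.parse import unquote

BASE_DIR = "/srv/app/public"          # assumed document root for the demonstration
PROTECTED = {"WEB-INF", "META-INF"}   # first segments that must never be served


def naive_is_protected(raw: str) -> bool:
    """Prefix check on a once-decoded path. '/%2557EB-INF/web.xml' decodes to
    '/%57EB-INF/web.xml', whose first segment is not WEB-INF, so the check
    passes even though a second decode further down yields WEB-INF."""
    first = unquote(raw).lstrip("/").split("/", 1)[0]
    return first.upper() in PROTECTED


def naive_resolve(base: str, raw: str) -> str:
    """Normalise the client path on its own, then glue it under base.
    A leading '..' survives normalisation of a relative path, so the result
    lands exactly one directory above base: the 'limited' traversal described."""
    cleaned = posixpath.normpath(unquote(raw).replace("\\", "/").lstrip("/"))
    return posixpath.normpath(base + "/" + cleaned)


def safe_resolve(base: str, raw: str) -> str:
    """Decode once, normalise together with base, then verify containment."""
    decoded = unquote(raw)
    if "%" in decoded:                        # layered encoding: reject, never decode twice
        raise ValueError("nested percent-encoding")
    relative = decoded.replace("\\", "/").lstrip("/")
    resolved = posixpath.normpath(posixpath.join(base, relative))
    if resolved != base and not resolved.startswith(base + "/"):
        raise ValueError("path escapes base directory")
    first = resolved[len(base):].lstrip("/").split("/", 1)[0]
    if first.upper() in PROTECTED:
        raise ValueError("protected resource")
    return resolved


def check(raw: str, base: str = BASE_DIR) -> str:
    """Resolved path on success, otherwise the rejection reason."""
    try:
        return safe_resolve(base, raw)
    except ValueError as exc:
        return f"rejected: {exc}"


if __name__ == "__main__":
    for raw in ("//../foo", "\\..\\foo", "docs/../index.html",
                "/%2557EB-INF/web.xml", "/%57EB-INF/web.xml"):
        print(f"{raw!r:26} naive={naive_resolve(BASE_DIR, raw)!r:38} safe={check(raw)!r}")
```

Running it shows `//../foo` and `\..\foo` resolving to `/srv/app/foo` through the naive path, one level above the root, while `safe_resolve` rejects them; the doubly encoded `WEB-INF` path slips past `naive_is_protected` but is refused as nested encoding before any prefix check runs. The ordering matters: decode, normalise against the base, then check, never check first.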
CVE-2022-2047
### Vulnerable Libraries - jetty-client-9.4.5.v20170502.jar, jetty-http-9.4.5.v20170502.jar
In Eclipse Jetty versions 9.4.0 through 9.4.46, 10.0.0 through 10.0.9, and 11.0.0 through 11.0.9, when parsing the authority segment of an http-scheme URI, the Jetty HttpURI class improperly accepts invalid input as a hostname. This can lead to failures in a proxy scenario.
### Vulnerable Library - selenium-htmlunit-driver-2.47.1.jar
Path to dependency file: /BlockDockServer/build.gradle
Path to vulnerable library: /build.gradle
### Vulnerabilities
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
### Details
CVE-2023-26119
### Vulnerable Library - htmlunit-2.18.jar
A headless browser intended for use in testing web-based applications.
Library home page: http://htmlunit.sourceforge.net
Path to dependency file: /BlockDockServer/build.gradle
Path to vulnerable library: /build.gradle
Dependency Hierarchy:
- selenium-htmlunit-driver-2.47.1.jar (Root Library)
  - :x: **htmlunit-2.18.jar** (Vulnerable Library)
Found in base branch: develop
### Vulnerability Details
All versions of the package net.sourceforge.htmlunit:htmlunit before 3.0.0 are vulnerable to Remote Code Execution (RCE) via XSLT when browsing the attacker's webpage.
Publish Date: 2023-04-03
URL: CVE-2023-26119
### CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High
### Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2023-26119
Release Date: 2023-04-03
Fix Resolution: net.sourceforge.htmlunit:htmlunit:3.0.0
CVE-2017-7658
### Vulnerable Library - jetty-http-9.4.5.v20170502.jar
The Eclipse Jetty Project
Library home page: http://www.eclipse.org/jetty
Path to dependency file: /BlockDockServer/build.gradle
Path to vulnerable library: /build.gradle
Dependency Hierarchy:
- selenium-htmlunit-driver-2.47.1.jar (Root Library)
  - htmlunit-2.18.jar
    - websocket-client-9.4.5.v20170502.jar
      - jetty-client-9.4.5.v20170502.jar
        - :x: **jetty-http-9.4.5.v20170502.jar** (Vulnerable Library)
Found in base branch: develop
### Vulnerability Details
In Eclipse Jetty Server, versions 9.2.x and older, 9.3.x (all non HTTP/1.x configurations), and 9.4.x (all HTTP/1.x configurations), when presented with two Content-Length headers, Jetty ignored the second. When presented with a Content-Length and a chunked Transfer-Encoding header, the Content-Length was ignored (as per RFC 2616). If an intermediary decided on the shorter length but still passed on the longer body, then body content could be interpreted by Jetty as a pipelined request. If the intermediary was imposing authorization, the fake pipelined request would bypass that authorization.
Publish Date: 2018-06-26
URL: CVE-2017-7658
### CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High
### Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7658
Release Date: 2018-06-26
Fix Resolution (org.eclipse.jetty:jetty-http): 9.4.11.v20180605
Direct dependency fix Resolution (org.seleniumhq.selenium:selenium-htmlunit-driver): 2.47.2
CVE-2017-7657
### Vulnerable Library - jetty-http-9.4.5.v20170502.jar
The Eclipse Jetty Project
Library home page: http://www.eclipse.org/jetty
Path to dependency file: /BlockDockServer/build.gradle
Path to vulnerable library: /build.gradle
Dependency Hierarchy:
- selenium-htmlunit-driver-2.47.1.jar (Root Library)
  - htmlunit-2.18.jar
    - websocket-client-9.4.5.v20170502.jar
      - jetty-client-9.4.5.v20170502.jar
        - :x: **jetty-http-9.4.5.v20170502.jar** (Vulnerable Library)
Found in base branch: develop
### Vulnerability Details
In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), transfer-encoding chunks are handled poorly. The chunk length parsing was vulnerable to an integer overflow. Thus a large chunk size could be interpreted as a smaller chunk size and content sent as chunk body could be interpreted as a pipelined request. If Jetty was deployed behind an intermediary that imposed some authorization and that intermediary allowed arbitrarily large chunks to be passed on unchanged, then this flaw could be used to bypass the authorization imposed by the intermediary as the fake pipelined request would not be interpreted by the intermediary as a request.
Publish Date: 2018-06-26
URL: CVE-2017-7657
### CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High
### Suggested Fix
Type: Upgrade version
Origin: https://bugs.eclipse.org/bugs/show_bug.cgi?id=535668
Release Date: 2018-06-26
Fix Resolution (org.eclipse.jetty:jetty-http): 9.4.11.v20180605
Direct dependency fix Resolution (org.seleniumhq.selenium:selenium-htmlunit-driver): 2.47.2
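The three Jetty framing findings in this report (CVE-2017-7658's duplicate Content-Length, CVE-2017-7657's chunk-size integer overflow, and CVE-2017-7656's HTTP/0.9 request line) all come down to two parsers disagreeing about where one request ends and the next begins. The Python below is an added example, not Jetty's parser or the scanned project's code: it models the lenient choices the advisories describe with a `length_policy`, a `chunk_bits` accumulator width and an `accept_http09` switch, then runs constructed sample streams through each. The 32-bit wrap and the policy names are assumptions of the model, chosen to reproduce the described effect.

```python
"""Model of the HTTP/1.x framing disagreements behind CVE-2017-7657, CVE-2017-7658
and CVE-2017-7656. Added example: simplified stand-in parsers, not Jetty's code;
the request streams are constructed sample input."""


class IncompleteRequest(Exception):
    """Not enough bytes yet; a real server keeps reading from the socket."""


class MalformedRequest(Exception):
    """Framing is ambiguous or invalid; a strict server answers 400 and closes."""


def parse_head(block: bytes, accept_http09: bool):
    """Split a request head into (request line, [(name, value), ...])."""
    lines = block.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) == 3 and parts[2] == b"HTTP/0.9" and not accept_http09:
        raise MalformedRequest("HTTP/0.9 request line with a version token")
    headers = []
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if not sep:
            raise MalformedRequest("header line without a colon")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0].decode("ascii"), headers


def body_length(values, policy):
    """Pick a body length from every Content-Length value on one request."""
    if policy == "first":       # the behaviour the page describes: second header ignored
        return int(values[0])
    if policy == "last":        # another lenient choice an intermediary might make
        return int(values[-1])
    if len(set(values)) != 1:   # strict: conflicting values are a framing error
        raise MalformedRequest("conflicting Content-Length")
    return int(values[0])


def skip_chunked_body(data: bytes, pos: int, chunk_bits):
    """Consume a chunked body starting at pos; return the position after it.
    chunk_bits models a size accumulator that silently wraps at that width."""
    while True:
        end = data.find(b"\r\n", pos)
        if end < 0:
            raise IncompleteRequest
        size = int(data[pos:end].split(b";")[0], 16)
        if chunk_bits is not None:
            size &= (1 << chunk_bits) - 1
        pos = end + 2
        if size == 0:                               # last chunk; trailers not modelled
            if data[pos:pos + 2] != b"\r\n":
                raise IncompleteRequest
            return pos + 2
        if pos + size + 2 > len(data):
            raise IncompleteRequest
        if data[pos + size:pos + size + 2] != b"\r\n":
            raise MalformedRequest("chunk data not followed by CRLF")
        pos += size + 2


def split_requests(data: bytes, length_policy="strict", chunk_bits=None,
                   accept_http09=False):
    """Return the request lines a parser with these policies sees in data."""
    seen, pos = [], 0
    while pos < len(data):
        head_end = data.find(b"\r\n\r\n", pos)
        if head_end < 0:
            break
        try:
            request_line, headers = parse_head(data[pos:head_end], accept_http09)
            pos = head_end + 4
            te = [v for n, v in headers if n == b"transfer-encoding"]
            cl = [v for n, v in headers if n == b"content-length"]
            if te:
                pos = skip_chunked_body(data, pos, chunk_bits)
            elif cl:
                length = body_length(cl, length_policy)
                if pos + length > len(data):
                    raise IncompleteRequest
                pos += length
        except IncompleteRequest:
            break
        except MalformedRequest as exc:
            seen.append(f"400 Bad Request ({exc})")
            break
        seen.append(request_line)
    return seen


# Constructed streams: 0x100000005 wraps to 5 in a 32-bit accumulator, and 39 is
# the byte count of "AAAAA" plus the entire GET request that follows it.
CHUNK_OVERFLOW = (b"POST /upload HTTP/1.1\r\nHost: app\r\nTransfer-Encoding: chunked\r\n\r\n"
                  b"100000005\r\nAAAAA\r\n0\r\n\r\nGET /admin HTTP/1.1\r\nHost: app\r\n\r\n")
DOUBLE_LENGTH = (b"POST /upload HTTP/1.1\r\nHost: app\r\nContent-Length: 5\r\nContent-Length: 39\r\n\r\n"
                 b"AAAAAGET /admin HTTP/1.1\r\nHost: app\r\n\r\n")
OLD_VERSION = b"GET /page HTTP/0.9\r\nHost: app\r\n\r\n"
```

For `CHUNK_OVERFLOW`, `split_requests(CHUNK_OVERFLOW, "first", 32)` returns both `POST /upload` and `GET /admin` (the wrapped size makes the back end see a second, pipelined request), whereas `split_requests(CHUNK_OVERFLOW, "last")` returns nothing because an honest parser is still waiting for four gigabytes of chunk data; that gap is the authorization bypass the advisory describes. For `DOUBLE_LENGTH`, the first-wins policy again yields two requests, last-wins yields one, and the strict policy answers 400 and stops. The same strict parser refuses the HTTP/0.9 request line outright.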
CVE-2020-5529
### Vulnerable Library - htmlunit-2.18.jar
A headless browser intended for use in testing web-based applications.
Library home page: http://htmlunit.sourceforge.net
Path to dependency file: /BlockDockServer/build.gradle
Path to vulnerable library: /build.gradle
Dependency Hierarchy:
- selenium-htmlunit-driver-2.47.1.jar (Root Library)
  - :x: **htmlunit-2.18.jar** (Vulnerable Library)
Found in base branch: develop
### Vulnerability Details
HtmlUnit prior to 2.37.0 contains code execution vulnerabilities. HtmlUnit initializes the Rhino engine improperly, hence malicious JavaScript code can execute arbitrary Java code on the application. Moreover, when embedded in an Android application, the Android-specific initialization of the Rhino engine is done in an improper way, hence malicious JavaScript code can execute arbitrary Java code on the application.
Publish Date: 2020-02-11
URL: CVE-2020-5529
### CVSS 3 Score Details (8.1)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: High
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High
### Suggested Fix
Type: Upgrade version
Release Date: 2020-02-11
Fix Resolution: net.sourceforge.htmlunit:htmlunit:2.37.0
CVE-2022-34169
### Vulnerable Library - xalan-2.7.2.jar
Xalan-Java is an XSLT processor for transforming XML documents into HTML, text, or other XML document types. It implements XSL Transformations (XSLT) Version 1.0 and XML Path Language (XPath) Version 1.0 and can be used from the command line, in an applet or a servlet, or as a module in other programs.
Library home page: http://xml.apache.org/xalan-j/
Path to dependency file: /BlockDockServer/build.gradle
Path to vulnerable library: /build.gradle
Dependency Hierarchy:
- selenium-htmlunit-driver-2.47.1.jar (Root Library)
  - htmlunit-2.18.jar
    - :x: **xalan-2.7.2.jar** (Vulnerable Library)
Found in base branch: develop
### Vulnerability Details
The Apache Xalan Java XSLT library is vulnerable to an integer truncation issue when processing malicious XSLT stylesheets. This can be used to corrupt Java class files generated by the internal XSLTC compiler and execute arbitrary Java bytecode. Users are recommended to update to version 2.7.3 or later. Note: Java runtimes (such as OpenJDK) include repackaged copies of Xalan.
Publish Date: 2022-07-19
URL: CVE-2022-34169
### CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: High
  - Availability Impact: None
### Suggested Fix
Type: Upgrade version
Origin: https://github.com/advisories/GHSA-9339-86wc-4qgf
Release Date: 2022-07-19
Fix Resolution: xalan:xalan:2.7.3
CVE-2022-29546
### Vulnerable Library - nekohtml-1.9.22.jar
An HTML parser and tag balancer.
Library home page: http://nekohtml.sourceforge.net/
Path to dependency file: /BlockDockServer/build.gradle
Path to vulnerable library: /build.gradle
Dependency Hierarchy:
- selenium-htmlunit-driver-2.47.1.jar (Root Library)
  - htmlunit-2.18.jar
    - :x: **nekohtml-1.9.22.jar** (Vulnerable Library)
Found in base branch: develop
### Vulnerability Details
HtmlUnit NekoHtml Parser before 2.61.0 suffers from a denial of service vulnerability. Crafted input associated with the parsing of Processing Instruction (PI) data leads to heap memory consumption. This is similar to CVE-2022-28366 but affects a much later version of the product.
Publish Date: 2022-04-25
URL: CVE-2022-29546
### CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High
### Suggested Fix
Type: Upgrade version
Release Date: 2022-04-25
Fix Resolution: net.sourceforge.htmlunit:neko-htmlunit:2.61.0
CVE-2022-28366
### Vulnerable Library - nekohtml-1.9.22.jar
An HTML parser and tag balancer.
Library home page: http://nekohtml.sourceforge.net/
Path to dependency file: /BlockDockServer/build.gradle
Path to vulnerable library: /build.gradle
Dependency Hierarchy:
- selenium-htmlunit-driver-2.47.1.jar (Root Library)
  - htmlunit-2.18.jar
    - :x: **nekohtml-1.9.22.jar** (Vulnerable Library)
Found in base branch: develop
### Vulnerability Details
Certain Neko-related HTML parsers allow a denial of service via crafted Processing Instruction (PI) input that causes excessive heap memory consumption. In particular, this issue exists in HtmlUnit-Neko through 2.26, and is fixed in 2.27. This issue also exists in CyberNeko HTML through 1.9.22 (also affecting OWASP AntiSamy before 1.6.6), but 1.9.22 is the last version of CyberNeko HTML. NOTE: this may be related to CVE-2022-24839.
Publish Date: 2022-04-21
URL: CVE-2022-28366
### CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High
### Suggested Fix
Type: Upgrade version
Origin: https://github.com/advisories/GHSA-g9hh-vvx3-v37v
Release Date: 2022-04-21
Fix Resolution: net.sourceforge.htmlunit:neko-htmlunit:2.27
CVE-2021-28165
### Vulnerable Library - jetty-io-9.4.5.v20170502.jar
The Eclipse Jetty Project
Library home page: http://www.eclipse.org/jetty
Path to dependency file: /BlockDockServer/build.gradle
Path to vulnerable library: /build.gradle
Dependency Hierarchy:
- selenium-htmlunit-driver-2.47.1.jar (Root Library)
  - htmlunit-2.18.jar
    - websocket-client-9.4.5.v20170502.jar
      - :x: **jetty-io-9.4.5.v20170502.jar** (Vulnerable Library)
Found in base branch: develop
### Vulnerability Details
In Eclipse Jetty 7.2.2 to 9.4.38, 10.0.0.alpha0 to 10.0.1, and 11.0.0.alpha0 to 11.0.1, CPU usage can reach 100% upon receiving a large invalid TLS frame.
Publish Date: 2021-04-01
URL: CVE-2021-28165
### CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High
### Suggested Fix
Type: Upgrade version
Origin: https://github.com/eclipse/jetty.project/security/advisories/GHSA-26vr-8j45-3r4w
Release Date: 2021-04-01
Fix Resolution (org.eclipse.jetty:jetty-io): 9.4.39.v20210325
Direct dependency fix Resolution (org.seleniumhq.selenium:selenium-htmlunit-driver): 2.47.2
CVE-2017-9735
### Vulnerable Library - jetty-util-9.4.5.v20170502.jar
Utility classes for Jetty
Library home page: http://www.eclipse.org/jetty
Path to dependency file: /BlockDockServer/build.gradle
Path to vulnerable library: /build.gradle
Dependency Hierarchy:
- selenium-htmlunit-driver-2.47.1.jar (Root Library)
  - htmlunit-2.18.jar
    - websocket-client-9.4.5.v20170502.jar
      - :x: **jetty-util-9.4.5.v20170502.jar** (Vulnerable Library)
Found in base branch: develop
### Vulnerability Details
Jetty through 9.4.x is prone to a timing channel in util/security/Password.java, which makes it easier for remote attackers to obtain access by observing elapsed times before rejection of incorrect passwords.
Publish Date: 2017-06-16
URL: CVE-2017-9735
### CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: None
  - Availability Impact: None
### Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5784
Release Date: 2017-06-16
Fix Resolution (org.eclipse.jetty:jetty-util): 9.4.7.RC0
Direct dependency fix Resolution (org.seleniumhq.selenium:selenium-htmlunit-driver): 2.47.2
CVE-2017-7656
### Vulnerable Library - jetty-http-9.4.5.v20170502.jar
The Eclipse Jetty Project
Library home page: http://www.eclipse.org/jetty
Path to dependency file: /BlockDockServer/build.gradle
Path to vulnerable library: /build.gradle
Dependency Hierarchy:
- selenium-htmlunit-driver-2.47.1.jar (Root Library)
  - htmlunit-2.18.jar
    - websocket-client-9.4.5.v20170502.jar
      - jetty-client-9.4.5.v20170502.jar
        - :x: **jetty-http-9.4.5.v20170502.jar** (Vulnerable Library)
Found in base branch: develop
### Vulnerability Details
In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), HTTP/0.9 is handled poorly. An HTTP/1 style request line (i.e. method space URI space version) that declares a version of HTTP/0.9 was accepted and treated as a 0.9 request. If deployed behind an intermediary that also accepted and passed through the 0.9 version (but did not act on it), then the response sent could be interpreted by the intermediary as HTTP/1 headers. This could be used to poison the cache if the server allowed the origin client to generate arbitrary content in the response.
Publish Date: 2018-06-26
URL: CVE-2017-7656
### CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: High
  - Availability Impact: None
### Suggested Fix
Type: Upgrade version
Origin: https://bugs.eclipse.org/bugs/show_bug.cgi?id=535667
Release Date: 2018-06-26
Fix Resolution (org.eclipse.jetty:jetty-http): 9.4.11.v20180605
Direct dependency fix Resolution (org.seleniumhq.selenium:selenium-htmlunit-driver): 2.47.2
CVE-2012-0881
### Vulnerable Library - xercesImpl-2.11.0.jar
Xerces2 is the next generation of high performance, fully compliant XML parsers in the Apache Xerces family. This new version of Xerces introduces the Xerces Native Interface (XNI), a complete framework for building parser components and configurations that is extremely modular and easy to program. The Apache Xerces2 parser is the reference implementation of XNI but other parser components, configurations, and parsers can be written using the Xerces Native Interface. For complete design and implementation documents, refer to the XNI Manual. Xerces2 is a fully conforming XML Schema 1.0 processor. A partial experimental implementation of the XML Schema 1.1 Structures and Datatypes Working Drafts (December 2009) and an experimental implementation of the XML Schema Definition Language (XSD): Component Designators (SCD) Candidate Recommendation (January 2010) are provided for evaluation. For more information, refer to the XML Schema page. Xerces2 also provides a complete implementation of the Document Object Model Level 3 Core and Load/Save W3C Recommendations and provides a complete implementation of the XML Inclusions (XInclude) W3C Recommendation. It also provides support for OASIS XML Catalogs v1.1. Xerces2 is able to parse documents written according to the XML 1.1 Recommendation, except that it does not yet provide an option to enable normalization checking as described in section 2.13 of this specification. It also handles namespaces according to the XML Namespaces 1.1 Recommendation, and will correctly serialize XML 1.1 documents if the DOM level 3 load/save APIs are in use.
Path to dependency file: /BlockDockServer/build.gradle
Path to vulnerable library: /build.gradle
Dependency Hierarchy:
- selenium-htmlunit-driver-2.47.1.jar (Root Library)
  - htmlunit-2.18.jar
    - :x: **xercesImpl-2.11.0.jar** (Vulnerable Library)
Found in base branch: develop
### Vulnerability Details
Apache Xerces2 Java Parser before 2.12.0 allows remote attackers to cause a denial of service (CPU consumption) via a crafted message to an XML service, which triggers hash table collisions.
Publish Date: 2017-10-30
URL: CVE-2012-0881
### CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High
### Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0881
Release Date: 2017-10-30
Fix Resolution: xerces:xercesImpl:2.12.0
CVE-2022-23437
### Vulnerable Library - xercesImpl-2.11.0.jar
Xerces2 is the next generation of high performance, fully compliant XML parsers in the Apache Xerces family.
Path to dependency file: /BlockDockServer/build.gradle
Path to vulnerable library: /build.gradle
Dependency Hierarchy:
- selenium-htmlunit-driver-2.47.1.jar (Root Library)
  - htmlunit-2.18.jar
    - :x: **xercesImpl-2.11.0.jar** (Vulnerable Library)
Found in base branch: develop
### Vulnerability Details
There's a vulnerability within the Apache Xerces Java (XercesJ) XML parser when handling specially crafted XML document payloads. This causes the XercesJ XML parser to wait in an infinite loop, which may sometimes consume system resources for a prolonged duration. This vulnerability is present within XercesJ version 2.12.1 and the previous versions.
Publish Date: 2022-01-24
URL: CVE-2022-23437
### CVSS 3 Score Details (6.5)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: Required
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High
### Suggested Fix
Type: Upgrade version
Origin: https://github.com/advisories/GHSA-h65f-jvqw-m9fj
Release Date: 2022-01-24
Fix Resolution: xerces:xercesImpl:2.12.2
CVE-2019-10241
### Vulnerable Library - jetty-util-9.4.5.v20170502.jar
Utility classes for Jetty
Library home page: http://www.eclipse.org/jetty
Path to dependency file: /BlockDockServer/build.gradle
Path to vulnerable library: /build.gradle
Dependency Hierarchy:
- selenium-htmlunit-driver-2.47.1.jar (Root Library)
  - htmlunit-2.18.jar
    - websocket-client-9.4.5.v20170502.jar
      - :x: **jetty-util-9.4.5.v20170502.jar** (Vulnerable Library)
Found in base branch: develop
### Vulnerability Details
In Eclipse Jetty version 9.2.26 and older, 9.3.25 and older, and 9.4.15 and older, the server is vulnerable to XSS conditions if a remote client uses a specially formatted URL against the DefaultServlet or ResourceHandler that is configured for showing a listing of directory contents.
Publish Date: 2019-04-22
URL: CVE-2019-10241
### CVSS 3 Score Details (6.1)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: Required
  - Scope: Changed
- Impact Metrics:
  - Confidentiality Impact: Low
  - Integrity Impact: Low
  - Availability Impact: None
### Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10241
Release Date: 2019-04-22
Fix Resolution (org.eclipse.jetty:jetty-util): 9.4.16.v20190411
Direct dependency fix Resolution (org.seleniumhq.selenium:selenium-htmlunit-driver): 2.47.2
CVE-2013-4002
### Vulnerable Library - xercesImpl-2.11.0.jar
Xerces2 is the next generation of high performance, fully compliant XML parsers in the Apache Xerces family.
Path to dependency file: /BlockDockServer/build.gradle
Path to vulnerable library: /build.gradle
Dependency Hierarchy:
- selenium-htmlunit-driver-2.47.1.jar (Root Library)
  - htmlunit-2.18.jar
    - :x: **xercesImpl-2.11.0.jar** (Vulnerable Library)
Found in base branch: develop
### Vulnerability Details
XMLscanner.java in Apache Xerces2 Java Parser before 2.12.0, as used in the Java Runtime Environment (JRE) in IBM Java 5.0 before 5.0 SR16-FP3, 6 before 6 SR14, 6.0.1 before 6.0.1 SR6, and 7 before 7 SR5 as well as Oracle Java SE 7u40 and earlier, Java SE 6u60 and earlier, Java SE 5.0u51 and earlier, JRockit R28.2.8 and earlier, JRockit R27.7.6 and earlier, Java SE Embedded 7u40 and earlier, and possibly other products allows remote attackers to cause a denial of service via vectors related to XML attribute names.
Publish Date: 2013-07-23
URL: CVE-2013-4002
### CVSS 3 Score Details (5.9)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: High
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High
### Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4002
Release Date: 2013-07-23
Fix Resolution: xerces:xercesImpl:Xerces-J_2_12_0
CVE-2021-28169
### Vulnerable Library - jetty-http-9.4.5.v20170502.jar
The Eclipse Jetty Project
Library home page: http://www.eclipse.org/jetty
Path to dependency file: /BlockDockServer/build.gradle
Path to vulnerable library: /build.gradle
Dependency Hierarchy:
- selenium-htmlunit-driver-2.47.1.jar (Root Library)
  - htmlunit-2.18.jar
    - websocket-client-9.4.5.v20170502.jar
      - jetty-client-9.4.5.v20170502.jar
        - :x: **jetty-http-9.4.5.v20170502.jar** (Vulnerable Library)
Found in base branch: develop
### Vulnerability Details
For Eclipse Jetty versions <= 9.4.40, <= 10.0.2, <= 11.0.2, it is possible for requests to the ConcatServlet with a doubly encoded path to access protected resources within the WEB-INF directory. For example a request to `/concat?/%2557EB-INF/web.xml` can retrieve the web.xml file. This can reveal sensitive information regarding the implementation of a web application.
Publish Date: 2021-06-09
URL: CVE-2021-28169
### CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: Low
  - Integrity Impact: None
  - Availability Impact: None
### Suggested Fix
Type: Upgrade version
Origin: https://github.com/eclipse/jetty.project/security/advisories/GHSA-gwcr-j4wh-j3cq
Release Date: 2021-06-09
Fix Resolution (org.eclipse.jetty:jetty-http): 9.4.41.v20210516
Direct dependency fix Resolution (org.seleniumhq.selenium:selenium-htmlunit-driver): 2.47.2
CVE-2020-14338
### Vulnerable Library - xercesImpl-2.11.0.jar
Xerces2 is the next generation of high performance, fully compliant XML parsers in the Apache Xerces family.
Path to dependency file: /BlockDockServer/build.gradle
Path to vulnerable library: /build.gradle
Dependency Hierarchy:
- selenium-htmlunit-driver-2.47.1.jar (Root Library)
  - htmlunit-2.18.jar
    - :x: **xercesImpl-2.11.0.jar** (Vulnerable Library)
Found in base branch: develop
### Vulnerability Details
A flaw was found in Wildfly's implementation of Xerces, specifically in the way the XMLSchemaValidator class in the JAXP component of Wildfly enforced the "use-grammar-pool-only" feature. This flaw allows a specially-crafted XML file to manipulate the validation process in certain cases. This issue is the same flaw as CVE-2020-14621, which affected OpenJDK, and uses a similar code. This flaw affects all Xerces JBoss versions before 2.12.0.SP3.
Publish Date: 2020-09-17
URL: CVE-2020-14338
### CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: Low
  - Availability Impact: None
### Suggested Fix
Type: Upgrade version
Release Date: 2020-10-19
Fix Resolution: xerces:xercesImpl:2.12.0.SP3
CVE-2018-12536
### Vulnerable Library - jetty-util-9.4.5.v20170502.jar
Utility classes for Jetty
Library home page: http://www.eclipse.org/jetty
Path to dependency file: /BlockDockServer/build.gradle
Path to vulnerable library: /build.gradle
Dependency Hierarchy:
- selenium-htmlunit-driver-2.47.1.jar (Root Library)
  - htmlunit-2.18.jar
    - websocket-client-9.4.5.v20170502.jar
      - :x: **jetty-util-9.4.5.v20170502.jar** (Vulnerable Library)
Found in base branch: develop
### Vulnerability Details
In Eclipse Jetty Server, all 9.x versions, on webapps deployed using default Error Handling, when an intentionally bad query arrives that doesn't match a dynamic url-pattern, and is eventually handled by the DefaultServlet's static file serving, the bad characters can trigger a java.nio.file.InvalidPathException which includes the full path to the base resource directory that the DefaultServlet and/or webapp is using. If this InvalidPathException is then handled by the default Error Handler, the InvalidPathException message is included in the error response, revealing the full server path to the requesting system.
Publish Date: 2018-06-27
URL: CVE-2018-12536
### CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: Low
  - Integrity Impact: None
  - Availability Impact: None
### Suggested Fix
Type: Upgrade version
Release Date: 2018-06-27
Fix Resolution (org.eclipse.jetty:jetty-util): 9.4.11.v20180605
Direct dependency fix Resolution (org.seleniumhq.selenium:selenium-htmlunit-driver): 2.47.2
CVE-2021-29425
### Vulnerable Library - commons-io-2.4.jar
Utility classes, stream implementations, file filters, file comparators and endian classes.
Library home page: http://commons.apache.org/io/
Path to dependency file: /BlockDockServer/build.gradle
Path to vulnerable library: /build.gradle
Dependency Hierarchy:
- selenium-htmlunit-driver-2.47.1.jar (Root Library)
  - htmlunit-2.18.jar
    - :x: **commons-io-2.4.jar** (Vulnerable Library)
Found in base branch: develop
### Vulnerability Details
In Apache Commons IO before 2.7, when invoking the method FileNameUtils.normalize with an improper input string, like "//../foo" or "\\..\foo", the result would be the same value, thus possibly providing access to files in the parent directory, but not further above (thus "limited" path traversal), if the calling code would use the result to construct a path value.
Publish Date: 2021-04-13
URL: CVE-2021-29425
### CVSS 3 Score Details (4.8)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: High
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: Low
  - Integrity Impact: Low
  - Availability Impact: None
### Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29425
Release Date: 2021-04-13
Fix Resolution: commons-io:commons-io:2.7
CVE-2022-2047
### Vulnerable Libraries - jetty-client-9.4.5.v20170502.jar, jetty-http-9.4.5.v20170502.jar
### jetty-client-9.4.5.v20170502.jar
The Eclipse Jetty Project
Library home page: http://www.eclipse.org/jetty
Path to dependency file: /BlockDockServer/build.gradle
Path to vulnerable library: /build.gradle
Dependency Hierarchy:
- selenium-htmlunit-driver-2.47.1.jar (Root Library)
  - htmlunit-2.18.jar
    - websocket-client-9.4.5.v20170502.jar
      - :x: **jetty-client-9.4.5.v20170502.jar** (Vulnerable Library)
### jetty-http-9.4.5.v20170502.jar
The Eclipse Jetty Project
Library home page: http://www.eclipse.org/jetty
Path to dependency file: /BlockDockServer/build.gradle
Path to vulnerable library: /build.gradle
Dependency Hierarchy:
- selenium-htmlunit-driver-2.47.1.jar (Root Library)
  - htmlunit-2.18.jar
    - websocket-client-9.4.5.v20170502.jar
      - jetty-client-9.4.5.v20170502.jar
        - :x: **jetty-http-9.4.5.v20170502.jar** (Vulnerable Library)
Found in base branch: develop
### Vulnerability Details
In Eclipse Jetty versions 9.4.0 through 9.4.46, 10.0.0 through 10.0.9, and 11.0.0 through 11.0.9, when parsing the authority segment of an http scheme URI, the Jetty HttpURI class improperly detects an invalid input as a hostname. This can lead to failures in a Proxy scenario.
Publish Date: 2022-07-07
URL: CVE-2022-2047
### CVSS 3 Score Details (2.7)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: High
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: Low
  - Availability Impact: None
### Suggested Fix
Type: Upgrade version
Origin: https://github.com/eclipse/jetty.project/security/advisories/GHSA-cj7v-27pg-wf7q
Release Date: 2022-07-07
Fix Resolution (org.eclipse.jetty:jetty-client): 9.4.47.v20220610
Direct dependency fix Resolution (org.seleniumhq.selenium:selenium-htmlunit-driver): 2.47.2
Fix Resolution (org.eclipse.jetty:jetty-http): 9.4.47.v20220610
Direct dependency fix Resolution (org.seleniumhq.selenium:selenium-htmlunit-driver): 2.47.2