billmcchesney1 / foxtrot

A store abstraction and analytics system for real-time event data.
Apache License 2.0

CVE-2016-6796 (High) detected in jasper-compiler-5.5.23.jar #87

Open mend-for-github-com[bot] opened 3 years ago

mend-for-github-com[bot] commented 3 years ago

CVE-2016-6796 - High Severity Vulnerability

Vulnerable Library - jasper-compiler-5.5.23.jar

The Apache Software Foundation provides support for the Apache community of open-source software projects. The Apache projects are characterized by a collaborative, consensus based development process, an open and pragmatic software license, and a desire to create high quality software that leads the way in its field. We consider ourselves not simply a group of projects sharing a server, but rather a community of developers and users.

Library home page: http://tomcat.apache.org

Path to dependency file: /foxtrot-sql/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/tomcat/jasper-compiler/5.5.23/jasper-compiler-5.5.23.jar

Dependency Hierarchy:

- hbase-server-1.2.1.jar (Root Library)
  - hbase-common-1.2.1.jar
    - hadoop-common-2.5.1.jar
      - :x: **jasper-compiler-5.5.23.jar** (Vulnerable Library)

Found in HEAD commit: ffb8a6014463ce8aac1bf6e7dc9a23fc4a2a8adc

Found in base branch: master

Vulnerability Details

A malicious web application running on Apache Tomcat 9.0.0.M1 to 9.0.0.M9, 8.5.0 to 8.5.4, 8.0.0.RC1 to 8.0.36, 7.0.0 to 7.0.70 and 6.0.0 to 6.0.45 was able to bypass a configured SecurityManager via manipulation of the configuration parameters for the JSP Servlet.

Publish Date: 2016-10-27

URL: CVE-2016-6796

CVSS 3 Score Details (7.5)

Base Score Metrics:

- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: High
  - Availability Impact: None


Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6796

Release Date: 2016-10-27

Fix Resolution:

- org.apache.tomcat.embed:tomcat-embed-jasper: 9.0.0.M10, 8.5.5, 8.0.37, 7.0.72
- org.apache.tomcat:tomcat-catalina: 9.0.0.M10, 8.5.5, 8.0.37, 7.0.72
- org.apache.tomcat:tomcat-jasper: 9.0.0.M10, 8.5.5, 8.0.37, 7.0.72
- org.apache.tomcat:catalina: 6.0.47
- org.apache.tomcat:jasper: 6.0.47

mend-for-github-com[bot] commented 1 year ago

:heavy_check_mark: This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.