brightcove-services-5.6-SNAPSHOT.jar: 23 vulnerabilities (highest severity is: 9.8) - autoclosed

[mend-for-github-com[bot]]

Vulnerable Library - brightcove-services-5.6-SNAPSHOT.jar

Path to dependency file: /current/ui.apps/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/log4j/log4j/1.2.14/log4j-1.2.14.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.14/log4j-1.2.14.jar

Vulnerabilities

CVE	Severity	CVSS	Dependency	Type	Fixed in	Remediation Available
CVE-2022-23305	High	9.8	log4j-1.2.14.jar	Transitive	N/A	❌
CVE-2019-13116	High	9.8	commons-collections-3.2.jar	Transitive	N/A	❌
CVE-2019-17571	High	9.8	log4j-1.2.14.jar	Transitive	N/A	❌
CVE-2017-15708	High	9.8	commons-collections-3.2.jar	Transitive	N/A	❌
CVE-2020-9493	High	9.8	log4j-1.2.14.jar	Transitive	N/A	❌
CVE-2015-7501	High	9.8	commons-collections-3.2.jar	Transitive	N/A	❌
CVE-2022-23307	High	8.8	log4j-1.2.14.jar	Transitive	N/A	❌
CVE-2022-23302	High	8.8	log4j-1.2.14.jar	Transitive	N/A	❌
CVE-2020-13936	High	8.8	velocity-1.5.jar	Transitive	N/A	❌
CVE-2021-4104	High	7.5	log4j-1.2.14.jar	Transitive	N/A	❌
CVE-2015-4852	High	7.3	commons-collections-3.2.jar	Transitive	N/A	❌
CVE-2019-10086	High	7.3	commons-beanutils-1.7.0.jar	Transitive	N/A	❌
CVE-2014-0114	High	7.3	commons-beanutils-1.7.0.jar	Transitive	N/A	❌
CVE-2015-6420	High	7.3	commons-collections-3.2.jar	Transitive	N/A	❌
CVE-2022-23437	Medium	6.5	xercesImpl-2.8.1.jar	Transitive	N/A	❌
CVE-2013-4002	Medium	5.9	xercesImpl-2.8.1.jar	Transitive	N/A	❌
WS-2016-7057	Medium	5.9	plexus-utils-3.0.22.jar	Transitive	N/A	❌
CVE-2020-15250	Medium	5.5	junit-4.8.2.jar	Transitive	N/A	❌
WS-2016-7062	Medium	5.3	plexus-utils-3.0.22.jar	Transitive	N/A	❌
CVE-2009-2625	Medium	5.3	xercesImpl-2.8.1.jar	Transitive	N/A	❌
CVE-2012-0881	Medium	5.3	xercesImpl-2.8.1.jar	Transitive	N/A	❌
CVE-2012-5783	Medium	4.8	commons-httpclient-3.1.jar	Transitive	N/A	❌
CVE-2020-9488	Low	3.7	log4j-1.2.14.jar	Transitive	N/A	❌

Details

CVE-2022-23305

### Vulnerable Library - log4j-1.2.14.jar

Log4j

Library home page: http://logging.apache.org/log4j/

Path to dependency file: /current/ui.apps/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/log4j/log4j/1.2.14/log4j-1.2.14.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.14/log4j-1.2.14.jar

Dependency Hierarchy: - brightcove-services-5.6-SNAPSHOT.jar (Root Library) - slf4j-log4j12-1.5.6.jar - :x: **log4j-1.2.14.jar** (Vulnerable Library)

Found in base branch: master

### Vulnerability Details

By design, the JDBCAppender in Log4j 1.2.x accepts an SQL statement as a configuration parameter where the values to be inserted are converters from PatternLayout. The message converter, %m, is likely to always be included. This allows attackers to manipulate the SQL by entering crafted strings into input fields or headers of an application that are logged allowing unintended SQL queries to be executed. Note this issue only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default. Beginning in version 2.0-beta8, the JDBCAppender was re-introduced with proper support for parameterized SQL queries and further customization over the columns written to in logs. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.

Publish Date: 2022-01-18

URL: CVE-2022-23305

### CVSS 3 Score Details (9.8)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://reload4j.qos.ch/

Release Date: 2022-01-18

Fix Resolution: ch.qos.reload4j:reload4j:1.2.18.2

CVE-2019-13116

### Vulnerable Library - commons-collections-3.2.jar

Types that extend and augment the Java Collections Framework.

Library home page: http://jakarta.apache.org/commons/collections/

Path to dependency file: /current/ui.apps/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/commons-collections/commons-collections/3.2/commons-collections-3.2.jar

Dependency Hierarchy: - brightcove-services-5.6-SNAPSHOT.jar (Root Library) - jacoco-maven-plugin-0.7.9.jar - maven-reporting-impl-2.1.jar - doxia-site-renderer-1.1.2.jar - :x: **commons-collections-3.2.jar** (Vulnerable Library)

Found in base branch: master

### Vulnerability Details

The MuleSoft Mule Community Edition runtime engine before 3.8 allows remote attackers to execute arbitrary code because of Java Deserialization, related to Apache Commons Collections

Publish Date: 2019-10-16

URL: CVE-2019-13116

### CVSS 3 Score Details (9.8)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13116

Release Date: 2019-10-29

Fix Resolution: commons-collections:commons-collections:3.2.2

CVE-2019-17571

### Vulnerable Library - log4j-1.2.14.jar

Log4j

Library home page: http://logging.apache.org/log4j/

Path to dependency file: /current/ui.apps/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/log4j/log4j/1.2.14/log4j-1.2.14.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.14/log4j-1.2.14.jar

Dependency Hierarchy: - brightcove-services-5.6-SNAPSHOT.jar (Root Library) - slf4j-log4j12-1.5.6.jar - :x: **log4j-1.2.14.jar** (Vulnerable Library)

Found in base branch: master

### Vulnerability Details

Included in Log4j 1.2 is a SocketServer class that is vulnerable to deserialization of untrusted data which can be exploited to remotely execute arbitrary code when combined with a deserialization gadget when listening to untrusted network traffic for log data. This affects Log4j versions up to 1.2 up to 1.2.17.

Publish Date: 2019-12-20

URL: CVE-2019-17571

### CVSS 3 Score Details (9.8)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://lists.apache.org/thread.html/eea03d504b36e8f870e8321d908e1def1addda16adda04327fe7c125%40%3Cdev.logging.apache.org%3E

Release Date: 2019-12-20

Fix Resolution: log4j-manual - 1.2.17-16;log4j-javadoc - 1.2.17-16;log4j - 1.2.17-16,1.2.17-16

CVE-2017-15708

### Vulnerable Library - commons-collections-3.2.jar

Types that extend and augment the Java Collections Framework.

Library home page: http://jakarta.apache.org/commons/collections/

Path to dependency file: /current/ui.apps/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/commons-collections/commons-collections/3.2/commons-collections-3.2.jar

Dependency Hierarchy: - brightcove-services-5.6-SNAPSHOT.jar (Root Library) - jacoco-maven-plugin-0.7.9.jar - maven-reporting-impl-2.1.jar - doxia-site-renderer-1.1.2.jar - :x: **commons-collections-3.2.jar** (Vulnerable Library)

Found in base branch: master

### Vulnerability Details

In Apache Synapse, by default no authentication is required for Java Remote Method Invocation (RMI). So Apache Synapse 3.0.1 or all previous releases (3.0.0, 2.1.0, 2.0.0, 1.2, 1.1.2, 1.1.1) allows remote code execution attacks that can be performed by injecting specially crafted serialized objects. And the presence of Apache Commons Collections 3.2.1 (commons-collections-3.2.1.jar) or previous versions in Synapse distribution makes this exploitable. To mitigate the issue, we need to limit RMI access to trusted users only. Further upgrading to 3.0.1 version will eliminate the risk of having said Commons Collection version. In Synapse 3.0.1, Commons Collection has been updated to 3.2.2 version.

Publish Date: 2017-12-11

URL: CVE-2017-15708

### CVSS 3 Score Details (9.8)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15708

Release Date: 2017-12-11

Fix Resolution: org.apache.synapse:Apache-Synapse:3.0.1;commons-collections:commons-collections:3.2.2

CVE-2020-9493

### Vulnerable Library - log4j-1.2.14.jar

Log4j

Library home page: http://logging.apache.org/log4j/

Path to dependency file: /current/ui.apps/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/log4j/log4j/1.2.14/log4j-1.2.14.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.14/log4j-1.2.14.jar

Dependency Hierarchy: - brightcove-services-5.6-SNAPSHOT.jar (Root Library) - slf4j-log4j12-1.5.6.jar - :x: **log4j-1.2.14.jar** (Vulnerable Library)

Found in base branch: master

### Vulnerability Details

A deserialization flaw was found in Apache Chainsaw versions prior to 2.1.0 which could lead to malicious code execution.

Publish Date: 2021-06-16

URL: CVE-2020-9493

### CVSS 3 Score Details (9.8)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://www.openwall.com/lists/oss-security/2021/06/16/1

Release Date: 2021-06-16

Fix Resolution: ch.qos.reload4j:reload4j:1.2.18.1

CVE-2015-7501

### Vulnerable Library - commons-collections-3.2.jar

Types that extend and augment the Java Collections Framework.

Library home page: http://jakarta.apache.org/commons/collections/

Path to dependency file: /current/ui.apps/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/commons-collections/commons-collections/3.2/commons-collections-3.2.jar

Dependency Hierarchy: - brightcove-services-5.6-SNAPSHOT.jar (Root Library) - jacoco-maven-plugin-0.7.9.jar - maven-reporting-impl-2.1.jar - doxia-site-renderer-1.1.2.jar - :x: **commons-collections-3.2.jar** (Vulnerable Library)

Found in base branch: master

### Vulnerability Details

Red Hat JBoss A-MQ 6.x; BPM Suite (BPMS) 6.x; BRMS 6.x and 5.x; Data Grid (JDG) 6.x; Data Virtualization (JDV) 6.x and 5.x; Enterprise Application Platform 6.x, 5.x, and 4.3.x; Fuse 6.x; Fuse Service Works (FSW) 6.x; Operations Network (JBoss ON) 3.x; Portal 6.x; SOA Platform (SOA-P) 5.x; Web Server (JWS) 3.x; Red Hat OpenShift/xPAAS 3.x; and Red Hat Subscription Asset Manager 1.3 allow remote attackers to execute arbitrary commands via a crafted serialized Java object, related to the Apache Commons Collections (ACC) library.

Publish Date: 2017-11-09

URL: CVE-2015-7501

### CVSS 3 Score Details (9.8)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://bugzilla.redhat.com/show_bug.cgi?id=1279330

Release Date: 2017-11-09

Fix Resolution: commons-collections:commons-collections:3.2.2;org.apache.commons:commons-collections4:4.1

CVE-2022-23307

### Vulnerable Library - log4j-1.2.14.jar

Log4j

Library home page: http://logging.apache.org/log4j/

Path to dependency file: /current/ui.apps/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/log4j/log4j/1.2.14/log4j-1.2.14.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.14/log4j-1.2.14.jar

Dependency Hierarchy: - brightcove-services-5.6-SNAPSHOT.jar (Root Library) - slf4j-log4j12-1.5.6.jar - :x: **log4j-1.2.14.jar** (Vulnerable Library)

Found in base branch: master

### Vulnerability Details

CVE-2020-9493 identified a deserialization issue that was present in Apache Chainsaw. Prior to Chainsaw V2.0 Chainsaw was a component of Apache Log4j 1.2.x where the same issue exists.

Publish Date: 2022-01-18

URL: CVE-2022-23307

### CVSS 3 Score Details (8.8)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: Low - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Release Date: 2022-01-18

Fix Resolution: ch.qos.reload4j:reload4j:1.2.18.1

CVE-2022-23302

### Vulnerable Library - log4j-1.2.14.jar

Log4j

Library home page: http://logging.apache.org/log4j/

Path to dependency file: /current/ui.apps/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/log4j/log4j/1.2.14/log4j-1.2.14.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.14/log4j-1.2.14.jar

Dependency Hierarchy: - brightcove-services-5.6-SNAPSHOT.jar (Root Library) - slf4j-log4j12-1.5.6.jar - :x: **log4j-1.2.14.jar** (Vulnerable Library)

Found in base branch: master

### Vulnerability Details

JMSSink in all versions of Log4j 1.x is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration or if the configuration references an LDAP service the attacker has access to. The attacker can provide a TopicConnectionFactoryBindingName configuration causing JMSSink to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-4104. Note this issue only affects Log4j 1.x when specifically configured to use JMSSink, which is not the default. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.

Publish Date: 2022-01-18

URL: CVE-2022-23302

### CVSS 3 Score Details (8.8)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: Low - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://reload4j.qos.ch/

Release Date: 2022-01-18

Fix Resolution: ch.qos.reload4j:reload4j:1.2.18.1

CVE-2020-13936

### Vulnerable Library - velocity-1.5.jar

Apache Velocity is a general purpose template engine.

Library home page: http://velocity.apache.org/engine/

Path to dependency file: /current/core/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/velocity/velocity/1.5/velocity-1.5.jar,/home/wss-scanner/.m2/repository/org/apache/velocity/velocity/1.5/velocity-1.5.jar

Dependency Hierarchy: - brightcove-services-5.6-SNAPSHOT.jar (Root Library) - jacoco-maven-plugin-0.7.9.jar - maven-reporting-impl-2.1.jar - doxia-site-renderer-1.1.2.jar - :x: **velocity-1.5.jar** (Vulnerable Library)

Found in base branch: master

### Vulnerability Details

An attacker that is able to modify Velocity templates may execute arbitrary Java code or run arbitrary system commands with the same privileges as the account running the Servlet container. This applies to applications that allow untrusted users to upload/modify velocity templates running Apache Velocity Engine versions up to 2.2.

Publish Date: 2021-03-10

URL: CVE-2020-13936

### CVSS 3 Score Details (8.8)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: Low - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Release Date: 2021-03-10

Fix Resolution: org.apache.velocity:velocity-engine-core:2.3

CVE-2021-4104

### Vulnerable Library - log4j-1.2.14.jar

Log4j

Library home page: http://logging.apache.org/log4j/

Path to dependency file: /current/ui.apps/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/log4j/log4j/1.2.14/log4j-1.2.14.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.14/log4j-1.2.14.jar

Dependency Hierarchy: - brightcove-services-5.6-SNAPSHOT.jar (Root Library) - slf4j-log4j12-1.5.6.jar - :x: **log4j-1.2.14.jar** (Vulnerable Library)

Found in base branch: master

### Vulnerability Details

JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration. The attacker can provide TopicBindingName and TopicConnectionFactoryBindingName configurations causing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228. Note this issue only affects Log4j 1.2 when specifically configured to use JMSAppender, which is not the default. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.

Publish Date: 2021-12-14

URL: CVE-2021-4104

### CVSS 3 Score Details (7.5)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: High - Privileges Required: Low - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2021-4104

Release Date: 2021-12-14

Fix Resolution: uom-parent - 1.0.3-3.module,1.0.3-3.module;uom-se-javadoc - 1.0.4-3.module;parfait-examples - 0.5.4-4.module;log4j-manual - 1.2.17-16;si-units-javadoc - 0.6.5-2.module;unit-api - 1.0-5.module,1.0-5.module;unit-api-javadoc - 1.0-5.module;parfait - 0.5.4-4.module,0.5.4-4.module;log4j-javadoc - 1.2.17-16;uom-systems-javadoc - 0.7-1.module;uom-lib-javadoc - 1.0.1-6.module;uom-systems - 0.7-1.module,0.7-1.module;log4j - 1.2.17-16,1.2.17-16;uom-se - 1.0.4-3.module,1.0.4-3.module;uom-lib - 1.0.1-6.module,1.0.1-6.module;parfait-javadoc - 0.5.4-4.module;pcp-parfait-agent - 0.5.4-4.module;si-units - 0.6.5-2.module,0.6.5-2.module

CVE-2015-4852

### Vulnerable Library - commons-collections-3.2.jar

Types that extend and augment the Java Collections Framework.

Library home page: http://jakarta.apache.org/commons/collections/

Path to dependency file: /current/ui.apps/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/commons-collections/commons-collections/3.2/commons-collections-3.2.jar

Dependency Hierarchy: - brightcove-services-5.6-SNAPSHOT.jar (Root Library) - jacoco-maven-plugin-0.7.9.jar - maven-reporting-impl-2.1.jar - doxia-site-renderer-1.1.2.jar - :x: **commons-collections-3.2.jar** (Vulnerable Library)

Found in base branch: master

### Vulnerability Details

The WLS Security component in Oracle WebLogic Server 10.3.6.0, 12.1.2.0, 12.1.3.0, and 12.2.1.0 allows remote attackers to execute arbitrary commands via a crafted serialized Java object in T3 protocol traffic to TCP port 7001, related to oracle_common/modules/com.bea.core.apache.commons.collections.jar. NOTE: the scope of this CVE is limited to the WebLogic Server product.

Publish Date: 2015-11-18

URL: CVE-2015-4852

### CVSS 3 Score Details (7.3)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: Low - Integrity Impact: Low - Availability Impact: Low

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://www.openwall.com/lists/oss-security/2015/11/17/19

Release Date: 2015-11-18

Fix Resolution: commons-collections:commons-collections:3.2.2

CVE-2019-10086

### Vulnerable Library - commons-beanutils-1.7.0.jar

Path to dependency file: /current/ui.apps/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/commons-beanutils/commons-beanutils/1.7.0/commons-beanutils-1.7.0.jar

Dependency Hierarchy: - brightcove-services-5.6-SNAPSHOT.jar (Root Library) - jacoco-maven-plugin-0.7.9.jar - maven-reporting-impl-2.1.jar - commons-validator-1.2.0.jar - :x: **commons-beanutils-1.7.0.jar** (Vulnerable Library)

Found in base branch: master

### Vulnerability Details

In Apache Commons Beanutils 1.9.2, a special BeanIntrospector class was added which allows suppressing the ability for an attacker to access the classloader via the class property available on all Java objects. We, however were not using this by default characteristic of the PropertyUtilsBean.

Publish Date: 2019-08-20

URL: CVE-2019-10086

### CVSS 3 Score Details (7.3)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: Low - Integrity Impact: Low - Availability Impact: Low

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Release Date: 2019-08-20

Fix Resolution: commons-beanutils:commons-beanutils:1.9.4

CVE-2014-0114

### Vulnerable Library - commons-beanutils-1.7.0.jar

Path to dependency file: /current/ui.apps/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/commons-beanutils/commons-beanutils/1.7.0/commons-beanutils-1.7.0.jar

Dependency Hierarchy: - brightcove-services-5.6-SNAPSHOT.jar (Root Library) - jacoco-maven-plugin-0.7.9.jar - maven-reporting-impl-2.1.jar - commons-validator-1.2.0.jar - :x: **commons-beanutils-1.7.0.jar** (Vulnerable Library)

Found in base branch: master

### Vulnerability Details

Apache Commons BeanUtils, as distributed in lib/commons-beanutils-1.8.0.jar in Apache Struts 1.x through 1.3.10 and in other products requiring commons-beanutils through 1.9.2, does not suppress the class property, which allows remote attackers to "manipulate" the ClassLoader and execute arbitrary code via the class parameter, as demonstrated by the passing of this parameter to the getClass method of the ActionForm object in Struts 1.

Publish Date: 2014-04-30

URL: CVE-2014-0114

### CVSS 3 Score Details (7.3)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: Low - Integrity Impact: Low - Availability Impact: Low

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0114

Release Date: 2014-04-30

Fix Resolution: commons-beanutils:commons-beanutils:1.9.4;org.apache.struts:struts2-core:2.0.5

CVE-2015-6420

### Vulnerable Library - commons-collections-3.2.jar

Types that extend and augment the Java Collections Framework.

Library home page: http://jakarta.apache.org/commons/collections/

Path to dependency file: /current/ui.apps/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/commons-collections/commons-collections/3.2/commons-collections-3.2.jar

Dependency Hierarchy: - brightcove-services-5.6-SNAPSHOT.jar (Root Library) - jacoco-maven-plugin-0.7.9.jar - maven-reporting-impl-2.1.jar - doxia-site-renderer-1.1.2.jar - :x: **commons-collections-3.2.jar** (Vulnerable Library)

Found in base branch: master

### Vulnerability Details

Serialized-object interfaces in certain Cisco Collaboration and Social Media; Endpoint Clients and Client Software; Network Application, Service, and Acceleration; Network and Content Security Devices; Network Management and Provisioning; Routing and Switching - Enterprise and Service Provider; Unified Computing; Voice and Unified Communications Devices; Video, Streaming, TelePresence, and Transcoding Devices; Wireless; and Cisco Hosted Services products allow remote attackers to execute arbitrary commands via a crafted serialized Java object, related to the Apache Commons Collections (ACC) library.

Publish Date: 2015-12-15

URL: CVE-2015-6420

### CVSS 3 Score Details (7.3)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: Low - Integrity Impact: Low - Availability Impact: Low

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Release Date: 2015-12-15

Fix Resolution: commons-collections:commons-collections3.2.2,org.apache.commons:commons-collections4:4.1

CVE-2022-23437

### Vulnerable Library - xercesImpl-2.8.1.jar

Xerces2 is the next generation of high performance, fully compliant XML parsers in the Apache Xerces family. This new version of Xerces introduces the Xerces Native Interface (XNI), a complete framework for building parser components and configurations that is extremely modular and easy to program.

Library home page: http://xerces.apache.org/xerces2-j/

Path to dependency file: /current/ui.apps/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/xerces/xercesImpl/2.8.1/xercesImpl-2.8.1.jar

Dependency Hierarchy: - brightcove-services-5.6-SNAPSHOT.jar (Root Library) - jacoco-maven-plugin-0.7.9.jar - maven-reporting-impl-2.1.jar - doxia-core-1.1.2.jar - :x: **xercesImpl-2.8.1.jar** (Vulnerable Library)

Found in base branch: master

### Vulnerability Details

There's a vulnerability within the Apache Xerces Java (XercesJ) XML parser when handling specially crafted XML document payloads. This causes, the XercesJ XML parser to wait in an infinite loop, which may sometimes consume system resources for prolonged duration. This vulnerability is present within XercesJ version 2.12.1 and the previous versions.

Publish Date: 2022-01-24

URL: CVE-2022-23437

### CVSS 3 Score Details (6.5)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: Required - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://github.com/advisories/GHSA-h65f-jvqw-m9fj

Release Date: 2022-01-24

Fix Resolution: xerces:xercesImpl:2.12.2

CVE-2013-4002

### Vulnerable Library - xercesImpl-2.8.1.jar

Xerces2 is the next generation of high performance, fully compliant XML parsers in the Apache Xerces family. This new version of Xerces introduces the Xerces Native Interface (XNI), a complete framework for building parser components and configurations that is extremely modular and easy to program.

Library home page: http://xerces.apache.org/xerces2-j/

Path to dependency file: /current/ui.apps/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/xerces/xercesImpl/2.8.1/xercesImpl-2.8.1.jar

Dependency Hierarchy: - brightcove-services-5.6-SNAPSHOT.jar (Root Library) - jacoco-maven-plugin-0.7.9.jar - maven-reporting-impl-2.1.jar - doxia-core-1.1.2.jar - :x: **xercesImpl-2.8.1.jar** (Vulnerable Library)

Found in base branch: master

### Vulnerability Details

XMLscanner.java in Apache Xerces2 Java Parser before 2.12.0, as used in the Java Runtime Environment (JRE) in IBM Java 5.0 before 5.0 SR16-FP3, 6 before 6 SR14, 6.0.1 before 6.0.1 SR6, and 7 before 7 SR5 as well as Oracle Java SE 7u40 and earlier, Java SE 6u60 and earlier, Java SE 5.0u51 and earlier, JRockit R28.2.8 and earlier, JRockit R27.7.6 and earlier, Java SE Embedded 7u40 and earlier, and possibly other products allows remote attackers to cause a denial of service via vectors related to XML attribute names.

Publish Date: 2013-07-23

URL: CVE-2013-4002

### CVSS 3 Score Details (5.9)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: High - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4002

Release Date: 2013-07-23

Fix Resolution: xerces:xercesImpl:Xerces-J_2_12_0

WS-2016-7057

### Vulnerable Library - plexus-utils-3.0.22.jar

A collection of various utility classes to ease working with strings, files, command lines, XML and more.

Path to dependency file: /current/ui.apps/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/codehaus/plexus/plexus-utils/3.0.22/plexus-utils-3.0.22.jar,/home/wss-scanner/.m2/repository/org/codehaus/plexus/plexus-utils/3.0.22/plexus-utils-3.0.22.jar

Dependency Hierarchy: - brightcove-services-5.6-SNAPSHOT.jar (Root Library) - jacoco-maven-plugin-0.7.9.jar - :x: **plexus-utils-3.0.22.jar** (Vulnerable Library)

Found in base branch: master

### Vulnerability Details

Plexus-utils before 3.0.24 are vulnerable to Directory Traversal

Publish Date: 2016-05-07

URL: WS-2016-7057

### CVSS 3 Score Details (5.9)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Local - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: Low - Integrity Impact: Low - Availability Impact: Low

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Release Date: 2016-05-07

Fix Resolution: 3.0.24

CVE-2020-15250

### Vulnerable Library - junit-4.8.2.jar

JUnit is a regression testing framework. It is used by the developer who implements unit tests in Java.

Library home page: http://junit.org

Path to dependency file: /current/ui.apps/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/junit/junit/4.8.2/junit-4.8.2.jar

Dependency Hierarchy: - brightcove-services-5.6-SNAPSHOT.jar (Root Library) - jacoco-maven-plugin-0.7.9.jar - maven-project-2.2.1.jar - plexus-container-default-1.0-alpha-9-stable-1.jar - :x: **junit-4.8.2.jar** (Vulnerable Library)

Found in base branch: master

### Vulnerability Details

In JUnit4 from version 4.7 and before 4.13.1, the test rule TemporaryFolder contains a local information disclosure vulnerability. On Unix like systems, the system's temporary directory is shared between all users on that system. Because of this, when files and directories are written into this directory they are, by default, readable by other users on that same system. This vulnerability does not allow other users to overwrite the contents of these directories or files. This is purely an information disclosure vulnerability. This vulnerability impacts you if the JUnit tests write sensitive information, like API keys or passwords, into the temporary folder, and the JUnit tests execute in an environment where the OS has other untrusted users. Because certain JDK file system APIs were only added in JDK 1.7, this this fix is dependent upon the version of the JDK you are using. For Java 1.7 and higher users: this vulnerability is fixed in 4.13.1. For Java 1.6 and lower users: no patch is available, you must use the workaround below. If you are unable to patch, or are stuck running on Java 1.6, specifying the `java.io.tmpdir` system environment variable to a directory that is exclusively owned by the executing user will fix this vulnerability. For more information, including an example of vulnerable code, see the referenced GitHub Security Advisory.

Publish Date: 2020-10-12

URL: CVE-2020-15250

### CVSS 3 Score Details (5.5)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Local - Attack Complexity: Low - Privileges Required: None - User Interaction: Required - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: None - Availability Impact: None

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://github.com/junit-team/junit4/security/advisories/GHSA-269g-pwp5-87pp

Release Date: 2020-10-12

Fix Resolution: junit:junit:4.13.1

WS-2016-7062

### Vulnerable Library - plexus-utils-3.0.22.jar

A collection of various utility classes to ease working with strings, files, command lines, XML and more.

Path to dependency file: /current/ui.apps/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/codehaus/plexus/plexus-utils/3.0.22/plexus-utils-3.0.22.jar,/home/wss-scanner/.m2/repository/org/codehaus/plexus/plexus-utils/3.0.22/plexus-utils-3.0.22.jar

Dependency Hierarchy: - brightcove-services-5.6-SNAPSHOT.jar (Root Library) - jacoco-maven-plugin-0.7.9.jar - :x: **plexus-utils-3.0.22.jar** (Vulnerable Library)

Found in base branch: master

### Vulnerability Details

Security vulnerability found in plexus-utils before 3.0.24. XML injection found in XmlWriterUtil.java.

Publish Date: 2016-05-07

URL: WS-2016-7062

### CVSS 3 Score Details (5.3)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: High - Privileges Required: Low - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: None - Availability Impact: None

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Release Date: 2016-05-07

Fix Resolution: 3.0.24

CVE-2009-2625

### Vulnerable Library - xercesImpl-2.8.1.jar

Xerces2 is the next generation of high performance, fully compliant XML parsers in the Apache Xerces family. This new version of Xerces introduces the Xerces Native Interface (XNI), a complete framework for building parser components and configurations that is extremely modular and easy to program.

Library home page: http://xerces.apache.org/xerces2-j/

Path to dependency file: /current/ui.apps/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/xerces/xercesImpl/2.8.1/xercesImpl-2.8.1.jar

Dependency Hierarchy: - brightcove-services-5.6-SNAPSHOT.jar (Root Library) - jacoco-maven-plugin-0.7.9.jar - maven-reporting-impl-2.1.jar - doxia-core-1.1.2.jar - :x: **xercesImpl-2.8.1.jar** (Vulnerable Library)

Found in base branch: master

### Vulnerability Details

XMLScanner.java in Apache Xerces2 Java, as used in Sun Java Runtime Environment (JRE) in JDK and JRE 6 before Update 15 and JDK and JRE 5.0 before Update 20, and in other products, allows remote attackers to cause a denial of service (infinite loop and application hang) via malformed XML input, as demonstrated by the Codenomicon XML fuzzing framework.

Publish Date: 2009-08-06

URL: CVE-2009-2625

### CVSS 3 Score Details (5.3)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: Low

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2625

Release Date: 2009-08-06

Fix Resolution: xerces:xercesImpl:2.12.0

CVE-2012-0881

### Vulnerable Library - xercesImpl-2.8.1.jar

Xerces2 is the next generation of high performance, fully compliant XML parsers in the Apache Xerces family. This new version of Xerces introduces the Xerces Native Interface (XNI), a complete framework for building parser components and configurations that is extremely modular and easy to program.

Library home page: http://xerces.apache.org/xerces2-j/

Path to dependency file: /current/ui.apps/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/xerces/xercesImpl/2.8.1/xercesImpl-2.8.1.jar

Dependency Hierarchy: - brightcove-services-5.6-SNAPSHOT.jar (Root Library) - jacoco-maven-plugin-0.7.9.jar - maven-reporting-impl-2.1.jar - doxia-core-1.1.2.jar - :x: **xercesImpl-2.8.1.jar** (Vulnerable Library)

Found in base branch: master

### Vulnerability Details

Apache Xerces2 Java Parser before 2.12.0 allows remote attackers to cause a denial of service (CPU consumption) via a crafted message to an XML service, which triggers hash table collisions.

Publish Date: 2017-10-30

URL: CVE-2012-0881

### CVSS 3 Score Details (5.3)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: Low

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0881

Release Date: 2017-10-30

Fix Resolution: xerces:xercesImpl:2.12.0

CVE-2012-5783

### Vulnerable Library - commons-httpclient-3.1.jar

The HttpClient component supports the client-side of RFC 1945 (HTTP/1.0) and RFC 2616 (HTTP/1.1) , several related specifications (RFC 2109 (Cookies) , RFC 2617 (HTTP Authentication) , etc.), and provides a framework by which new request types (methods) or HTTP extensions can be created easily.

Path to dependency file: /current/core/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/commons-httpclient/commons-httpclient/3.1/commons-httpclient-3.1.jar,/home/wss-scanner/.m2/repository/commons-httpclient/commons-httpclient/3.1/commons-httpclient-3.1.jar

Dependency Hierarchy: - brightcove-services-5.6-SNAPSHOT.jar (Root Library) - jacoco-maven-plugin-0.7.9.jar - maven-reporting-impl-2.1.jar - doxia-core-1.1.2.jar - :x: **commons-httpclient-3.1.jar** (Vulnerable Library)

Found in base branch: master

### Vulnerability Details

Apache Commons HttpClient 3.x, as used in Amazon Flexible Payments Service (FPS) merchant Java SDK and other products, does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.

Publish Date: 2012-11-04

URL: CVE-2012-5783

### CVSS 3 Score Details (4.8)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: High - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: Low - Integrity Impact: Low - Availability Impact: None

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2012-5783

Release Date: 2012-11-04

Fix Resolution: commons-httpclient:commons-httpclient - 3.1-jenkins-1,3.1-redhat-3,3.1-HTTPCLIENT-1265

CVE-2020-9488

### Vulnerable Library - log4j-1.2.14.jar

Log4j

Library home page: http://logging.apache.org/log4j/

Path to dependency file: /current/ui.apps/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/log4j/log4j/1.2.14/log4j-1.2.14.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.14/log4j-1.2.14.jar

Dependency Hierarchy: - brightcove-services-5.6-SNAPSHOT.jar (Root Library) - slf4j-log4j12-1.5.6.jar - :x: **log4j-1.2.14.jar** (Vulnerable Library)

Found in base branch: master

### Vulnerability Details

Improper validation of certificate with host mismatch in Apache Log4j SMTP appender. This could allow an SMTPS connection to be intercepted by a man-in-the-middle attack which could leak any log messages sent through that appender. Fixed in Apache Log4j 2.12.3 and 2.13.1

Publish Date: 2020-04-27

URL: CVE-2020-9488

### CVSS 3 Score Details (3.7)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: High - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: Low - Integrity Impact: None - Availability Impact: None

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://reload4j.qos.ch/

Release Date: 2020-04-27

Fix Resolution: ch.qos.reload4j:reload4j:1.2.18.3

[mend-for-github-com[bot]]

:heavy_check_mark: This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.