mend-for-github-com[bot]
commented
1 year ago :information_source: This issue was automatically closed by Mend because it is a duplicate of an existing issue: #28
Closed mend-for-github-com[bot] closed 1 year ago
mend-for-github-com[bot]
commented
1 year ago :information_source: This issue was automatically closed by Mend because it is a duplicate of an existing issue: #28
mend-for-github-com[bot]
commented
1 year ago :information_source: This issue was automatically closed by Mend because it is a duplicate of an existing issue: #28
Path to dependency file: /build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/commons-collections/commons-collections/3.2.1/761ea405b9b37ced573d2df0d1e3a4e0f9edc668/commons-collections-3.2.1.jar
Vulnerabilities
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the section "Details" below to see if there is a version of transitive dependency where vulnerability is fixed.
Details
CVE-2019-13116
### Vulnerable Library - commons-collections-3.2.1.jarTypes that extend and augment the Java Collections Framework.
Path to dependency file: /build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/commons-collections/commons-collections/3.2.1/761ea405b9b37ced573d2df0d1e3a4e0f9edc668/commons-collections-3.2.1.jar
Dependency Hierarchy: - org.apache.sling.engine-2.0.4-incubator.jar (Root Library) - :x: **commons-collections-3.2.1.jar** (Vulnerable Library)
Found in base branch: master
### Vulnerability DetailsThe MuleSoft Mule Community Edition runtime engine before 3.8 allows remote attackers to execute arbitrary code because of Java Deserialization, related to Apache Commons Collections
Publish Date: 2019-10-16
URL: CVE-2019-13116
### CVSS 3 Score Details (9.8)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13116
Release Date: 2019-10-16
Fix Resolution (commons-collections:commons-collections): 3.2.2
Direct dependency fix Resolution (org.apache.sling:org.apache.sling.engine): 2.1.0
:rescue_worker_helmet: Automatic Remediation is available for this issue
CVE-2016-1000031
### Vulnerable Library - commons-fileupload-1.1.1.jarThe FileUpload component provides a simple yet flexible means of adding support for multipart file upload functionality to servlets and web applications.
Path to dependency file: /build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/commons-fileupload/commons-fileupload/1.1.1/d587a50727ba905aad13de9ea119081403bf6823/commons-fileupload-1.1.1.jar
Dependency Hierarchy: - org.apache.sling.engine-2.0.4-incubator.jar (Root Library) - :x: **commons-fileupload-1.1.1.jar** (Vulnerable Library)
Found in base branch: master
### Vulnerability DetailsApache Commons FileUpload before 1.3.3 DiskFileItem File Manipulation Remote Code Execution
Publish Date: 2016-10-25
URL: CVE-2016-1000031
### CVSS 3 Score Details (9.8)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1000031
Release Date: 2016-10-25
Fix Resolution (commons-fileupload:commons-fileupload): 1.3.3
Direct dependency fix Resolution (org.apache.sling:org.apache.sling.engine): 2.0.6
:rescue_worker_helmet: Automatic Remediation is available for this issue
CVE-2017-15708
### Vulnerable Library - commons-collections-3.2.1.jarTypes that extend and augment the Java Collections Framework.
Path to dependency file: /build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/commons-collections/commons-collections/3.2.1/761ea405b9b37ced573d2df0d1e3a4e0f9edc668/commons-collections-3.2.1.jar
Dependency Hierarchy: - org.apache.sling.engine-2.0.4-incubator.jar (Root Library) - :x: **commons-collections-3.2.1.jar** (Vulnerable Library)
Found in base branch: master
### Vulnerability DetailsIn Apache Synapse, by default no authentication is required for Java Remote Method Invocation (RMI). So Apache Synapse 3.0.1 or all previous releases (3.0.0, 2.1.0, 2.0.0, 1.2, 1.1.2, 1.1.1) allows remote code execution attacks that can be performed by injecting specially crafted serialized objects. And the presence of Apache Commons Collections 3.2.1 (commons-collections-3.2.1.jar) or previous versions in Synapse distribution makes this exploitable. To mitigate the issue, we need to limit RMI access to trusted users only. Further upgrading to 3.0.1 version will eliminate the risk of having said Commons Collection version. In Synapse 3.0.1, Commons Collection has been updated to 3.2.2 version.
Publish Date: 2017-12-11
URL: CVE-2017-15708
### CVSS 3 Score Details (9.8)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15708
Release Date: 2017-12-10
Fix Resolution (commons-collections:commons-collections): 3.2.2
Direct dependency fix Resolution (org.apache.sling:org.apache.sling.engine): 2.1.0
:rescue_worker_helmet: Automatic Remediation is available for this issue
CVE-2015-7501
### Vulnerable Library - commons-collections-3.2.1.jarTypes that extend and augment the Java Collections Framework.
Path to dependency file: /build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/commons-collections/commons-collections/3.2.1/761ea405b9b37ced573d2df0d1e3a4e0f9edc668/commons-collections-3.2.1.jar
Dependency Hierarchy: - org.apache.sling.engine-2.0.4-incubator.jar (Root Library) - :x: **commons-collections-3.2.1.jar** (Vulnerable Library)
Found in base branch: master
### Vulnerability DetailsRed Hat JBoss A-MQ 6.x; BPM Suite (BPMS) 6.x; BRMS 6.x and 5.x; Data Grid (JDG) 6.x; Data Virtualization (JDV) 6.x and 5.x; Enterprise Application Platform 6.x, 5.x, and 4.3.x; Fuse 6.x; Fuse Service Works (FSW) 6.x; Operations Network (JBoss ON) 3.x; Portal 6.x; SOA Platform (SOA-P) 5.x; Web Server (JWS) 3.x; Red Hat OpenShift/xPAAS 3.x; and Red Hat Subscription Asset Manager 1.3 allow remote attackers to execute arbitrary commands via a crafted serialized Java object, related to the Apache Commons Collections (ACC) library.
Publish Date: 2017-11-09
URL: CVE-2015-7501
### CVSS 3 Score Details (9.8)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://bugzilla.redhat.com/show_bug.cgi?id=1279330
Release Date: 2017-11-09
Fix Resolution (commons-collections:commons-collections): 3.2.2
Direct dependency fix Resolution (org.apache.sling:org.apache.sling.engine): 2.1.0
:rescue_worker_helmet: Automatic Remediation is available for this issue
CVE-2016-3092
### Vulnerable Library - commons-fileupload-1.1.1.jarThe FileUpload component provides a simple yet flexible means of adding support for multipart file upload functionality to servlets and web applications.
Path to dependency file: /build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/commons-fileupload/commons-fileupload/1.1.1/d587a50727ba905aad13de9ea119081403bf6823/commons-fileupload-1.1.1.jar
Dependency Hierarchy: - org.apache.sling.engine-2.0.4-incubator.jar (Root Library) - :x: **commons-fileupload-1.1.1.jar** (Vulnerable Library)
Found in base branch: master
### Vulnerability DetailsThe MultipartStream class in Apache Commons Fileupload before 1.3.2, as used in Apache Tomcat 7.x before 7.0.70, 8.x before 8.0.36, 8.5.x before 8.5.3, and 9.x before 9.0.0.M7 and other products, allows remote attackers to cause a denial of service (CPU consumption) via a long boundary string.
Publish Date: 2016-07-04
URL: CVE-2016-3092
### CVSS 3 Score Details (7.5)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3092
Release Date: 2016-07-04
Fix Resolution (commons-fileupload:commons-fileupload): 1.3.2
Direct dependency fix Resolution (org.apache.sling:org.apache.sling.engine): 2.0.6
:rescue_worker_helmet: Automatic Remediation is available for this issue
CVE-2023-24998
### Vulnerable Library - commons-fileupload-1.1.1.jarThe FileUpload component provides a simple yet flexible means of adding support for multipart file upload functionality to servlets and web applications.
Path to dependency file: /build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/commons-fileupload/commons-fileupload/1.1.1/d587a50727ba905aad13de9ea119081403bf6823/commons-fileupload-1.1.1.jar
Dependency Hierarchy: - org.apache.sling.engine-2.0.4-incubator.jar (Root Library) - :x: **commons-fileupload-1.1.1.jar** (Vulnerable Library)
Found in base branch: master
### Vulnerability DetailsApache Commons FileUpload before 1.5 does not limit the number of request parts to be processed resulting in the possibility of an attacker triggering a DoS with a malicious upload or series of uploads. Note that, like all of the file upload limits, the new configuration option (FileUploadBase#setFileCountMax) is not enabled by default and must be explicitly configured.
Publish Date: 2023-02-20
URL: CVE-2023-24998
### CVSS 3 Score Details (7.5)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://seclists.org/oss-sec/2023/q1/108
Release Date: 2023-02-20
Fix Resolution: commons-fileupload:commons-fileupload:1.5;org.apache.tomcat:tomcat-coyote:8.5.85,9.0.71,10.1.5
WS-2014-0034
### Vulnerable Library - commons-fileupload-1.1.1.jarThe FileUpload component provides a simple yet flexible means of adding support for multipart file upload functionality to servlets and web applications.
Path to dependency file: /build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/commons-fileupload/commons-fileupload/1.1.1/d587a50727ba905aad13de9ea119081403bf6823/commons-fileupload-1.1.1.jar
Dependency Hierarchy: - org.apache.sling.engine-2.0.4-incubator.jar (Root Library) - :x: **commons-fileupload-1.1.1.jar** (Vulnerable Library)
Found in base branch: master
### Vulnerability DetailsThe class FileUploadBase in Apache Commons Fileupload before 1.4 has potential resource leak - InputStream not closed on exception.
Publish Date: 2014-02-17
URL: WS-2014-0034
### CVSS 3 Score Details (7.5)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: None - Availability Impact: None
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Release Date: 2014-02-17
Fix Resolution (commons-fileupload:commons-fileupload): 1.4
Direct dependency fix Resolution (org.apache.sling:org.apache.sling.engine): 2.0.6
:rescue_worker_helmet: Automatic Remediation is available for this issue
CVE-2015-4852
### Vulnerable Library - commons-collections-3.2.1.jarTypes that extend and augment the Java Collections Framework.
Path to dependency file: /build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/commons-collections/commons-collections/3.2.1/761ea405b9b37ced573d2df0d1e3a4e0f9edc668/commons-collections-3.2.1.jar
Dependency Hierarchy: - org.apache.sling.engine-2.0.4-incubator.jar (Root Library) - :x: **commons-collections-3.2.1.jar** (Vulnerable Library)
Found in base branch: master
### Vulnerability DetailsThe WLS Security component in Oracle WebLogic Server 10.3.6.0, 12.1.2.0, 12.1.3.0, and 12.2.1.0 allows remote attackers to execute arbitrary commands via a crafted serialized Java object in T3 protocol traffic to TCP port 7001, related to oracle_common/modules/com.bea.core.apache.commons.collections.jar. NOTE: the scope of this CVE is limited to the WebLogic Server product.
Publish Date: 2015-11-18
URL: CVE-2015-4852
### CVSS 3 Score Details (7.3)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: Low - Integrity Impact: Low - Availability Impact: Low
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://www.openwall.com/lists/oss-security/2015/11/17/19
Release Date: 2015-11-18
Fix Resolution (commons-collections:commons-collections): 3.2.2
Direct dependency fix Resolution (org.apache.sling:org.apache.sling.engine): 2.1.0
:rescue_worker_helmet: Automatic Remediation is available for this issue
CVE-2013-2186
### Vulnerable Library - commons-fileupload-1.1.1.jarThe FileUpload component provides a simple yet flexible means of adding support for multipart file upload functionality to servlets and web applications.
Path to dependency file: /build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/commons-fileupload/commons-fileupload/1.1.1/d587a50727ba905aad13de9ea119081403bf6823/commons-fileupload-1.1.1.jar
Dependency Hierarchy: - org.apache.sling.engine-2.0.4-incubator.jar (Root Library) - :x: **commons-fileupload-1.1.1.jar** (Vulnerable Library)
Found in base branch: master
### Vulnerability DetailsThe DiskFileItem class in Apache Commons FileUpload, as used in Red Hat JBoss BRMS 5.3.1; JBoss Portal 4.3 CP07, 5.2.2, and 6.0.0; and Red Hat JBoss Web Server 1.0.2 allows remote attackers to write to arbitrary files via a NULL byte in a file name in a serialized instance.
Publish Date: 2013-10-28
URL: CVE-2013-2186
### CVSS 3 Score Details (7.3)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: Low - Integrity Impact: Low - Availability Impact: Low
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2186
Release Date: 2013-10-28
Fix Resolution (commons-fileupload:commons-fileupload): 1.2
Direct dependency fix Resolution (org.apache.sling:org.apache.sling.engine): 2.1.0
:rescue_worker_helmet: Automatic Remediation is available for this issue
CVE-2014-0050
### Vulnerable Library - commons-fileupload-1.1.1.jarThe FileUpload component provides a simple yet flexible means of adding support for multipart file upload functionality to servlets and web applications.
Path to dependency file: /build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/commons-fileupload/commons-fileupload/1.1.1/d587a50727ba905aad13de9ea119081403bf6823/commons-fileupload-1.1.1.jar
Dependency Hierarchy: - org.apache.sling.engine-2.0.4-incubator.jar (Root Library) - :x: **commons-fileupload-1.1.1.jar** (Vulnerable Library)
Found in base branch: master
### Vulnerability DetailsMultipartStream.java in Apache Commons FileUpload before 1.3.1, as used in Apache Tomcat, JBoss Web, and other products, allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via a crafted Content-Type header that bypasses a loop's intended exit conditions.
Publish Date: 2014-04-01
URL: CVE-2014-0050
### CVSS 3 Score Details (7.3)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: Low - Integrity Impact: Low - Availability Impact: Low
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0050
Release Date: 2014-03-28
Fix Resolution (commons-fileupload:commons-fileupload): 1.3.1
Direct dependency fix Resolution (org.apache.sling:org.apache.sling.engine): 2.1.0
:rescue_worker_helmet: Automatic Remediation is available for this issue
CVE-2015-6420
### Vulnerable Library - commons-collections-3.2.1.jarTypes that extend and augment the Java Collections Framework.
Path to dependency file: /build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/commons-collections/commons-collections/3.2.1/761ea405b9b37ced573d2df0d1e3a4e0f9edc668/commons-collections-3.2.1.jar
Dependency Hierarchy: - org.apache.sling.engine-2.0.4-incubator.jar (Root Library) - :x: **commons-collections-3.2.1.jar** (Vulnerable Library)
Found in base branch: master
### Vulnerability DetailsSerialized-object interfaces in certain Cisco Collaboration and Social Media; Endpoint Clients and Client Software; Network Application, Service, and Acceleration; Network and Content Security Devices; Network Management and Provisioning; Routing and Switching - Enterprise and Service Provider; Unified Computing; Voice and Unified Communications Devices; Video, Streaming, TelePresence, and Transcoding Devices; Wireless; and Cisco Hosted Services products allow remote attackers to execute arbitrary commands via a crafted serialized Java object, related to the Apache Commons Collections (ACC) library.
Publish Date: 2015-12-15
URL: CVE-2015-6420
### CVSS 3 Score Details (7.3)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: Low - Integrity Impact: Low - Availability Impact: Low
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Release Date: 2015-12-15
Fix Resolution (commons-collections:commons-collections): 3.2.2
Direct dependency fix Resolution (org.apache.sling:org.apache.sling.engine): 2.1.0
:rescue_worker_helmet: Automatic Remediation is available for this issue
CVE-2021-29425
### Vulnerable Library - commons-io-1.1.jarCommons-IO contains utility classes, stream implementations, file filters, and endian classes.
Path to dependency file: /build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/commons-io/commons-io/1.1/5e986a7e4b0472aebe121154178dab2da26a8bf5/commons-io-1.1.jar
Dependency Hierarchy: - org.apache.sling.engine-2.0.4-incubator.jar (Root Library) - commons-fileupload-1.1.1.jar - :x: **commons-io-1.1.jar** (Vulnerable Library)
Found in base branch: master
### Vulnerability DetailsIn Apache Commons IO before 2.7, When invoking the method FileNameUtils.normalize with an improper input string, like "//../foo", or "\\..\foo", the result would be the same value, thus possibly providing access to files in the parent directory, but not further above (thus "limited" path traversal), if the calling code would use the result to construct a path value.
Publish Date: 2021-04-13
URL: CVE-2021-29425
### CVSS 3 Score Details (4.8)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: High - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: Low - Integrity Impact: Low - Availability Impact: None
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29425
Release Date: 2021-04-13
Fix Resolution (commons-io:commons-io): 2.7
Direct dependency fix Resolution (org.apache.sling:org.apache.sling.engine): 2.0.6
:rescue_worker_helmet: Automatic Remediation is available for this issue
CVE-2013-0248
### Vulnerable Library - commons-fileupload-1.1.1.jarThe FileUpload component provides a simple yet flexible means of adding support for multipart file upload functionality to servlets and web applications.
Path to dependency file: /build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/commons-fileupload/commons-fileupload/1.1.1/d587a50727ba905aad13de9ea119081403bf6823/commons-fileupload-1.1.1.jar
Dependency Hierarchy: - org.apache.sling.engine-2.0.4-incubator.jar (Root Library) - :x: **commons-fileupload-1.1.1.jar** (Vulnerable Library)
Found in base branch: master
### Vulnerability DetailsThe default configuration of javax.servlet.context.tempdir in Apache Commons FileUpload 1.0 through 1.2.2 uses the /tmp directory for uploaded files, which allows local users to overwrite arbitrary files via an unspecified symlink attack.
Publish Date: 2013-03-15
URL: CVE-2013-0248
### CVSS 3 Score Details (4.0)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Local - Attack Complexity: High - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: Low - Availability Impact: Low
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0248
Release Date: 2013-03-15
Fix Resolution (commons-fileupload:commons-fileupload): 1.3
Direct dependency fix Resolution (org.apache.sling:org.apache.sling.engine): 2.1.0
:rescue_worker_helmet: Automatic Remediation is available for this issue
CVE-2015-2944
### Vulnerable Library - org.apache.sling.api-2.0.4-incubator.jarThe Apache Sling API defines an extension to the Servlet API 2.4 to provide access to content and unified access to request parameters hiding the differences between the different methods of transferring parameters from client to server. Note that the Apache Sling API bundle does not include the Servlet API but instead requires the API to be provided by the Servlet container in which the Apache Sling framework is running or by another bundle.
Path to dependency file: /build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.sling/org.apache.sling.api/2.0.4-incubator/4e4a5fc2dcc148f146de279121eac1d6b6745b19/org.apache.sling.api-2.0.4-incubator.jar
Dependency Hierarchy: - org.apache.sling.engine-2.0.4-incubator.jar (Root Library) - :x: **org.apache.sling.api-2.0.4-incubator.jar** (Vulnerable Library)
Found in base branch: master
### Vulnerability DetailsMultiple cross-site scripting (XSS) vulnerabilities in Apache Sling API before 2.2.2 and Apache Sling Servlets Post before 2.1.2 allow remote attackers to inject arbitrary web script or HTML via the URI, related to (1) org/apache/sling/api/servlets/HtmlResponse and (2) org/apache/sling/servlets/post/HtmlResponse.
Publish Date: 2015-06-02
URL: CVE-2015-2944
### CVSS 3 Score Details (3.7)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: High - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: Low - Availability Impact: None
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2015-2944
Release Date: 2015-06-02
Fix Resolution (org.apache.sling:org.apache.sling.api): 2.2.2
Direct dependency fix Resolution (org.apache.sling:org.apache.sling.engine): 2.1.0
:rescue_worker_helmet: Automatic Remediation is available for this issue:rescue_worker_helmet: Automatic Remediation is available for this issue.