Dependency-Check is an open source tool performing a best effort analysis of 3rd party dependencies; false positives and false negatives may exist in the analysis performed by the tool. Use of the tool and the reporting provided constitutes acceptance for use in an AS IS condition, and there are NO warranties, implied or otherwise, with regard to the analysis or its use. Any use of the tool and the reporting provided is at the user’s risk. In no event shall the copyright holder or OWASP be held liable for any damages whatsoever arising out of or in connection with the use of this tool, the analysis performed, or the resulting report.


Project: Simplicite Platform

com.simplicite:simplicite:4.0.P25

Scan Information:

Summary

Display: Showing Vulnerable Dependencies

| Dependency | Vulnerability IDs | Package | Highest Severity | CVE Count | Confidence | Evidence Count |
|---|---|---|---|---|---|---|
| FastInfoset-1.2.16.jar | | pkg:maven/com.sun.xml.fastinfoset/FastInfoset@1.2.16 | | 0 | | 36 |
| HikariCP-3.4.0.jar | | pkg:maven/com.zaxxer/HikariCP@3.4.0 | | 0 | | 37 |
| JavaEWAH-1.1.6.jar | | pkg:maven/com.googlecode.javaewah/JavaEWAH@1.1.6 | | 0 | | 33 |
| activation-1.1.jar | | pkg:maven/javax.activation/activation@1.1 | | 0 | | 26 |
| animal-sniffer-annotations-1.18.jar | | pkg:maven/org.codehaus.mojo/animal-sniffer-annotations@1.18 | | 0 | | 23 |
| annotations-4.1.1.4.jar | | pkg:maven/com.google.android/annotations@4.1.1.4 | | 0 | | 20 |
| ant-1.10.7.jar | cpe:2.3:a:apache:ant:1.10.7:*:*:*:*:*:*:* | pkg:maven/org.apache.ant/ant@1.10.7 | MEDIUM | 3 | Highest | 24 |
| antlr-2.7.7.jar | | pkg:maven/antlr/antlr@2.7.7 | | 0 | | 24 |
| antlr-runtime-3.5.2.jar | cpe:2.3:a:temporal:temporal:3.5.2:*:*:*:*:*:*:* | pkg:maven/org.antlr/antlr-runtime@3.5.2 | | 0 | Low | 39 |
| aopalliance-1.0.jar | | pkg:maven/aopalliance/aopalliance@1.0 | | 0 | | 20 |
| apache-mime4j-core-0.8.3.jar | | pkg:maven/org.apache.james/apache-mime4j-core@0.8.3 | | 0 | | 33 |
| apache-mime4j-dom-0.8.3.jar | | pkg:maven/org.apache.james/apache-mime4j-dom@0.8.3 | | 0 | | 33 |
| api-common-1.8.1.jar | | pkg:maven/com.google.api/api-common@1.8.1 | | 0 | | 29 |
| asm-7.2-beta.jar | | pkg:maven/org.ow2.asm/asm@7.2-beta | | 0 | | 52 |
| auto-value-annotations-1.6.6.jar | | pkg:maven/com.google.auto.value/auto-value-annotations@1.6.6 | | 0 | | 28 |
| autolink-0.10.0.jar | | pkg:maven/org.nibor.autolink/autolink@0.10.0 | | 0 | | 23 |
| avalon-framework-impl-4.2.0.jar | | pkg:maven/avalon-framework/avalon-framework-impl@4.2.0 | | 0 | | 21 |
| aws-s3-2.2.0.jar | cpe:2.3:a:apache:jclouds:2.2.0:*:*:*:*:*:*:* | pkg:maven/org.apache.jclouds.provider/aws-s3@2.2.0 | | 0 | Highest | 33 |
| azureblob-2.2.0.jar | cpe:2.3:a:apache:jclouds:2.2.0:*:*:*:*:*:*:* | pkg:maven/org.apache.jclouds.provider/azureblob@2.2.0 | | 0 | Highest | 35 |
| barcode4j-2.1.jar | cpe:2.3:a:web_project:web:2.1:*:*:*:*:*:*:* | pkg:maven/net.sf.barcode4j/barcode4j@2.1 | | 0 | Low | 50 |
| base64-2.3.8.jar | | pkg:maven/net.iharder/base64@2.3.8 | | 0 | | 34 |
| bcmail-jdk15on-1.63.jar | cpe:2.3:a:bouncycastle:bouncy_castle_for_java:1.63:*:*:*:*:*:*:*; cpe:2.3:a:bouncycastle:legion-of-the-bouncy-castle:1.63:*:*:*:*:*:*:* | pkg:maven/org.bouncycastle/bcmail-jdk15on@1.63 | MEDIUM | 1 | Low | 52 |
| bcpg-jdk15on-1.63.jar | cpe:2.3:a:bouncycastle:bouncy_castle_for_java:1.63:*:*:*:*:*:*:*; cpe:2.3:a:bouncycastle:legion-of-the-bouncy-castle:1.63:*:*:*:*:*:*:* | pkg:maven/org.bouncycastle/bcpg-jdk15on@1.63 | MEDIUM | 1 | Low | 54 |
| bcpkix-jdk15on-1.63.jar | cpe:2.3:a:bouncycastle:bouncy_castle_for_java:1.63:*:*:*:*:*:*:*; cpe:2.3:a:bouncycastle:legion-of-the-bouncy-castle:1.63:*:*:*:*:*:*:* | pkg:maven/org.bouncycastle/bcpkix-jdk15on@1.63 | MEDIUM | 1 | Low | 66 |
| bcprov-jdk15on-1.63.jar | cpe:2.3:a:bouncycastle:bouncy-castle-crypto-package:1.63:*:*:*:*:*:*:*; cpe:2.3:a:bouncycastle:bouncy_castle_crypto_package:1.63:*:*:*:*:*:*:*; cpe:2.3:a:bouncycastle:legion-of-the-bouncy-castle-java-crytography-api:1.63:*:*:*:*:*:*:*; cpe:2.3:a:bouncycastle:the_bouncy_castle_crypto_package_for_java:1.63:*:*:*:*:*:*:* | pkg:maven/org.bouncycastle/bcprov-jdk15on@1.63 | HIGH | 4 | Highest | 58 |
| boilerpipe-1.1.0.jar | | pkg:maven/de.l3s.boilerpipe/boilerpipe@1.1.0 | | 0 | | 30 |
| bson-3.11.0.jar | cpe:2.3:a:mongodb:bson:3.11.0:*:*:*:*:*:*:* | pkg:maven/org.mongodb/bson@3.11.0 | | 0 | Highest | 28 |
| bzip2-0.9.1.jar | cpe:2.3:a:bzip2_project:bzip2:0.9.1:*:*:*:*:*:*:* | pkg:maven/org.itadaki/bzip2@0.9.1 | | 0 | Highest | 20 |
| c3p0-0.9.5.4.jar | cpe:2.3:a:mchange:c3p0:0.9.5.4:*:*:*:*:*:*:* | pkg:maven/com.mchange/c3p0@0.9.5.4 | | 0 | Highest | 31 |
| cdm-4.5.5.jar | | pkg:maven/edu.ucar/cdm@4.5.5 | | 0 | | 28 |
| checker-qual-2.11.0.jar | | pkg:maven/org.checkerframework/checker-qual@2.11.0 | | 0 | | 62 |
| codemodel-2.3.2.jar | | pkg:maven/org.glassfish.jaxb/codemodel@2.3.2 | | 0 | | 24 |
| commonmark-0.13.0.jar | | pkg:maven/com.atlassian.commonmark/commonmark@0.13.0 | | 0 | | 21 |
| commonmark-ext-autolink-0.13.0.jar | | pkg:maven/com.atlassian.commonmark/commonmark-ext-autolink@0.13.0 | | 0 | | 21 |
| commonmark-ext-gfm-strikethrough-0.13.0.jar | | pkg:maven/com.atlassian.commonmark/commonmark-ext-gfm-strikethrough@0.13.0 | | 0 | | 23 |
| commonmark-ext-gfm-tables-0.13.0.jar | | pkg:maven/com.atlassian.commonmark/commonmark-ext-gfm-tables@0.13.0 | | 0 | | 23 |
| commonmark-ext-heading-anchor-0.13.0.jar | | pkg:maven/com.atlassian.commonmark/commonmark-ext-heading-anchor@0.13.0 | | 0 | | 23 |
| commonmark-ext-ins-0.13.0.jar | | pkg:maven/com.atlassian.commonmark/commonmark-ext-ins@0.13.0 | | 0 | | 21 |
| commons-beanutils-1.9.4.jar | cpe:2.3:a:apache:commons_beanutils:1.9.4:*:*:*:*:*:*:* | pkg:maven/commons-beanutils/commons-beanutils@1.9.4 | | 0 | Highest | 170 |
| commons-cli-1.4.jar | | pkg:maven/commons-cli/commons-cli@1.4 | | 0 | | 87 |
| commons-codec-1.13.jar | | pkg:maven/commons-codec/commons-codec@1.13 | | 0 | | 111 |
| commons-collections-3.2.2.jar | cpe:2.3:a:apache:commons_collections:3.2.2:*:*:*:*:*:*:* | pkg:maven/commons-collections/commons-collections@3.2.2 | | 0 | Highest | 86 |
| commons-collections4-4.4.jar | cpe:2.3:a:apache:commons_collections:4.4:*:*:*:*:*:*:* | pkg:maven/org.apache.commons/commons-collections4@4.4 | | 0 | Highest | 107 |
| commons-compress-1.19.jar | cpe:2.3:a:apache:commons_compress:1.19:*:*:*:*:*:*:* | pkg:maven/org.apache.commons/commons-compress@1.19 | HIGH | 4 | Highest | 97 |
| commons-csv-1.7.jar | | pkg:maven/org.apache.commons/commons-csv@1.7 | | 0 | | 85 |
| commons-discovery-0.5.jar | cpe:2.3:a:spirit-project:spirit:0.5:*:*:*:*:*:*:* | pkg:maven/commons-discovery/commons-discovery@0.5 | MEDIUM | 1 | Low | 86 |
| commons-email-1.5.jar | cpe:2.3:a:apache:commons_email:1.5:*:*:*:*:*:*:* | pkg:maven/org.apache.commons/commons-email@1.5 | | 0 | Highest | 139 |
| commons-exec-1.3.jar | | pkg:maven/org.apache.commons/commons-exec@1.3 | | 0 | | 61 |
| commons-fileupload-1.4.jar | cpe:2.3:a:apache:commons_fileupload:1.4:*:*:*:*:*:*:* | pkg:maven/commons-fileupload/commons-fileupload@1.4 | HIGH | 1 | Highest | 117 |
| commons-httpclient-3.1.jar | cpe:2.3:a:apache:commons-httpclient:3.1:*:*:*:*:*:*:*; cpe:2.3:a:apache:httpclient:3.1:*:*:*:*:*:*:* | pkg:maven/commons-httpclient/commons-httpclient@3.1 | MEDIUM | 2 | Highest | 91 |
| commons-io-2.6.jar | cpe:2.3:a:apache:commons_io:2.6:*:*:*:*:*:*:* | pkg:maven/commons-io/commons-io@2.6 | MEDIUM | 1 | Highest | 119 |
| commons-lang-2.6.jar | | pkg:maven/commons-lang/commons-lang@2.6 | | 0 | | 122 |
| commons-lang3-3.9.jar | | pkg:maven/org.apache.commons/commons-lang3@3.9 | | 0 | | 141 |
| commons-logging-1.2.jar | | pkg:maven/commons-logging/commons-logging@1.2 | | 0 | | 117 |
| commons-math3-3.6.1.jar | | pkg:maven/org.apache.commons/commons-math3@3.6.1 | | 0 | | 137 |
| commons-net-3.6.jar | cpe:2.3:a:apache:commons_net:3.6:*:*:*:*:*:*:* | pkg:maven/commons-net/commons-net@3.6 | MEDIUM | 1 | Highest | 97 |
| commons-pool2-2.7.0.jar | | pkg:maven/org.apache.commons/commons-pool2@2.7.0 | | 0 | | 86 |
| commons-vfs2-2.4.1.jar | | pkg:maven/org.apache.commons/commons-vfs2@2.4.1 | | 0 | | 42 |
| core-3.0.1.jar | | pkg:maven/com.google.zxing/core@3.0.1 | | 0 | | 20 |
| curvesapi-1.06.jar | | pkg:maven/com.github.virtuald/curvesapi@1.06 | | 0 | | 24 |
| dec-0.1.2.jar | | pkg:maven/org.brotli/dec@0.1.2 | | 0 | | 23 |
| diffutils-1.3.0.jar | cpe:2.3:a:utils_project:utils:1.3.0:*:*:*:*:*:*:* | pkg:maven/com.googlecode.java-diff-utils/diffutils@1.3.0 | MEDIUM | 1 | Highest | 19 |
| docusign-esign-java-3.2.0.jar | | pkg:maven/com.docusign/docusign-esign-java@3.2.0 | | 0 | | 32 |
| docx4j-ImportXHTML-8.0.0.jar | | pkg:maven/org.docx4j/docx4j-ImportXHTML@8.0.0 | | 0 | | 29 |
| docx4j-JAXB-ReferenceImpl-11.1.3.jar | | pkg:maven/org.docx4j/docx4j-JAXB-ReferenceImpl@11.1.3 | | 0 | | 30 |
| docx4j-core-11.1.3.jar | | pkg:maven/org.docx4j/docx4j-core@11.1.3 | | 0 | | 34 |
| docx4j-openxml-objects-11.1.3.jar | | pkg:maven/org.docx4j/docx4j-openxml-objects@11.1.3 | | 0 | | 26 |
| docx4j-openxml-objects-pml-11.1.3.jar | | pkg:maven/org.docx4j/docx4j-openxml-objects-pml@11.1.3 | | 0 | | 26 |
| docx4j-openxml-objects-sml-11.1.3.jar | | pkg:maven/org.docx4j/docx4j-openxml-objects-sml@11.1.3 | | 0 | | 26 |
| dtd-parser-1.4.1.jar | | pkg:maven/com.sun.xml.dtd-parser/dtd-parser@1.4.1 | | 0 | | 44 |
| ehcache-core-2.6.2.jar | | pkg:maven/net.sf.ehcache/ehcache-core@2.6.2 | | 0 | | 22 |
| ehcache-core-2.6.2.jar: sizeof-agent.jar | | pkg:maven/net.sf.ehcache/sizeof-agent@1.0.1 | | 0 | | 28 |
| error_prone_annotations-2.3.2.jar | | pkg:maven/com.google.errorprone/error_prone_annotations@2.3.2 | | 0 | | 24 |
| failureaccess-1.0.1.jar | | pkg:maven/com.google.guava/failureaccess@1.0.1 | | 0 | | 30 |
| fast-and-simple-minify-1.0.jar | | pkg:maven/ch.simschla/fast-and-simple-minify@1.0 | | 0 | | 28 |
| firebase-admin-6.10.0.jar | | pkg:maven/com.google.firebase/firebase-admin@6.10.0 | | 0 | | 34 |
| fontbox-2.0.16.jar | | pkg:maven/org.apache.pdfbox/fontbox@2.0.16 | | 0 | | 33 |
| fuzzywuzzy-1.2.0.jar (shaded: me.xdrop:diffutils:1.3) | | pkg:maven/me.xdrop/diffutils@1.3 | | 0 | | 7 |
| fuzzywuzzy-1.2.0.jar (shaded: me.xdrop:fuzzywuzzy-build:1.2.0) | | pkg:maven/me.xdrop/fuzzywuzzy-build@1.2.0 | | 0 | | 11 |
| fuzzywuzzy-1.2.0.jar | | pkg:maven/me.xdrop/fuzzywuzzy@1.2.0 | | 0 | | 28 |
| gax-1.48.1.jar | | pkg:maven/com.google.api/gax@1.48.1 | | 0 | | 34 |
| gax-grpc-1.48.1.jar | cpe:2.3:a:grpc:grpc:1.48.1:*:*:*:*:*:*:* | pkg:maven/com.google.api/gax-grpc@1.48.1 | HIGH | 4 | Highest | 36 |
| gax-httpjson-0.65.1.jar | cpe:2.3:a:json-java_project:json-java:0.65.1:*:*:*:*:*:*:* | pkg:maven/com.google.api/gax-httpjson@0.65.1 | HIGH | 2 | Low | 36 |
| geoapi-3.0.1.jar | | pkg:maven/org.opengis/geoapi@3.0.1 | | 0 | | 39 |
| google-api-client-1.30.3.jar | | pkg:maven/com.google.api-client/google-api-client@1.30.3 | | 0 | | 39 |
| google-api-client-gson-1.30.3.jar | cpe:2.3:a:json-java_project:json-java:1.30.3:*:*:*:*:*:*:* | pkg:maven/com.google.api-client/google-api-client-gson@1.30.3 | HIGH | 2 | Low | 39 |
| google-api-services-calendar-v3-rev20190910-1.30.1.jar | | pkg:maven/com.google.apis/google-api-services-calendar@v3-rev20190910-1.30.1 | | 0 | | 26 |
| google-api-services-drive-v3-rev20190822-1.30.1.jar | cpe:2.3:a:google:drive:v3.rev20190822.1.30.1:*:*:*:*:*:*:* | pkg:maven/com.google.apis/google-api-services-drive@v3-rev20190822-1.30.1 | | 0 | Highest | 26 |
| google-api-services-gmail-v1-rev20190602-1.30.1.jar | cpe:2.3:a:google:gmail:v1.rev20190602.1.30.1:*:*:*:*:*:*:* | pkg:maven/com.google.apis/google-api-services-gmail@v1-rev20190602-1.30.1 | | 0 | Highest | 26 |
| google-api-services-plus-v1-rev20190328-1.30.1.jar | | pkg:maven/com.google.apis/google-api-services-plus@v1-rev20190328-1.30.1 | | 0 | | 26 |
| google-api-services-sheets-v4-rev20190813-1.30.1.jar | | pkg:maven/com.google.apis/google-api-services-sheets@v4-rev20190813-1.30.1 | | 0 | | 26 |
| google-api-services-storage-v1-rev20190624-1.30.1.jar | | pkg:maven/com.google.apis/google-api-services-storage@v1-rev20190624-1.30.1 | | 0 | | 26 |
| google-api-services-translate-v2-rev20170525-1.30.1.jar | | pkg:maven/com.google.apis/google-api-services-translate@v2-rev20170525-1.30.1 | | 0 | | 26 |
| google-api-services-youtube-v3-rev20190827-1.30.1.jar | | pkg:maven/com.google.apis/google-api-services-youtube@v3-rev20190827-1.30.1 | | 0 | | 26 |
| google-auth-library-credentials-0.17.1.jar | | pkg:maven/com.google.auth/google-auth-library-credentials@0.17.1 | | 0 | | 23 |
| google-auth-library-oauth2-http-0.17.1.jar | | pkg:maven/com.google.auth/google-auth-library-oauth2-http@0.17.1 | | 0 | | 25 |
| google-cloud-core-1.90.0.jar | | pkg:maven/com.google.cloud/google-cloud-core@1.90.0 | | 0 | | 31 |
| google-cloud-core-grpc-1.90.0.jar | cpe:2.3:a:grpc:grpc:1.90.0:*:*:*:*:*:*:* | pkg:maven/com.google.cloud/google-cloud-core-grpc@1.90.0 | | 0 | Highest | 33 |
| google-cloud-core-http-1.90.0.jar | | pkg:maven/com.google.cloud/google-cloud-core-http@1.90.0 | | 0 | | 33 |
| google-cloud-firestore-1.9.0.jar | | pkg:maven/com.google.cloud/google-cloud-firestore@1.9.0 | | 0 | | 33 |
| google-cloud-pubsub-1.91.0.jar | | pkg:maven/com.google.cloud/google-cloud-pubsub@1.91.0 | | 0 | | 33 |
| google-cloud-storage-1.91.0.jar | | pkg:maven/com.google.cloud/google-cloud-storage@1.91.0 | | 0 | | 33 |
| google-cloud-storage-2.2.0.jar | cpe:2.3:a:apache:jclouds:2.2.0:*:*:*:*:*:*:* | pkg:maven/org.apache.jclouds.provider/google-cloud-storage@2.2.0 | | 0 | Highest | 29 |
| google-http-client-1.32.0.jar | | pkg:maven/com.google.http-client/google-http-client@1.32.0 | | 0 | | 39 |
| google-http-client-appengine-1.31.0.jar | | pkg:maven/com.google.http-client/google-http-client-appengine@1.31.0 | | 0 | | 21 |
| google-http-client-gson-1.32.0.jar | | pkg:maven/com.google.http-client/google-http-client-gson@1.32.0 | | 0 | | 25 |
| google-http-client-jackson-1.29.2.jar | cpe:2.3:a:apache:httpclient:1.29.2:*:*:*:*:*:*:* | pkg:maven/com.google.http-client/google-http-client-jackson@1.29.2 | MEDIUM | 1 | Low | 33 |
| google-http-client-jackson2-1.32.0.jar | cpe:2.3:a:json-java_project:json-java:1.32.0:*:*:*:*:*:*:* | pkg:maven/com.google.http-client/google-http-client-jackson2@1.32.0 | HIGH | 2 | Low | 25 |
| google-oauth-client-1.30.2.jar | cpe:2.3:a:google:oauth_client_library_for_java:1.30.2:*:*:*:*:*:*:* | pkg:maven/com.google.oauth-client/google-oauth-client@1.30.2 | CRITICAL | 2 | Low | 41 |
| googlecloud-2.2.0.jar | cpe:2.3:a:apache:jclouds:2.2.0:*:*:*:*:*:*:* | pkg:maven/org.apache.jclouds.common/googlecloud@2.2.0 | | 0 | Highest | 31 |
| grib-4.5.5.jar | | pkg:maven/edu.ucar/grib@4.5.5 | | 0 | | 41 |
| grpc-context-1.22.1.jar | cpe:2.3:a:grpc:grpc:1.22.1:*:*:*:*:*:*:* | pkg:maven/io.grpc/grpc-context@1.22.1 | HIGH | 3 | Highest | 35 |
| grpc-core-1.23.0.jar | cpe:2.3:a:grpc:grpc:1.23.0:*:*:*:*:*:*:* | pkg:maven/io.grpc/grpc-core@1.23.0 | HIGH | 4 | Highest | 33 |
| grpc-google-cloud-pubsub-v1-1.73.0.jar | cpe:2.3:a:grpc:grpc:1.73.0:*:*:*:*:*:*:* | pkg:maven/com.google.api.grpc/grpc-google-cloud-pubsub-v1@1.73.0 | | 0 | Highest | 25 |
| grpc-netty-shaded-1.23.0.jar (shaded: io.netty:netty-codec-http2:4.1.38.Final) | cpe:2.3:a:netty:netty:4.1.38:*:*:*:*:*:*:* | pkg:maven/io.netty/netty-codec-http2@4.1.38.Final | CRITICAL | 18 | Highest | 9 |
| grpc-netty-shaded-1.23.0.jar (shaded: io.netty:netty-codec:4.1.38.Final) | cpe:2.3:a:netty:netty:4.1.38:*:*:*:*:*:*:* | pkg:maven/io.netty/netty-codec@4.1.38.Final | CRITICAL | 15 | Highest | 9 |
| grpc-netty-shaded-1.23.0.jar (shaded: io.netty:netty-tcnative-boringssl-static:2.0.25.Final) | | pkg:maven/io.netty/netty-tcnative-boringssl-static@2.0.25.Final | | 0 | | 9 |
| grpc-netty-shaded-1.23.0.jar (shaded: io.netty:netty-transport:4.1.38.Final) | cpe:2.3:a:netty:netty:4.1.38:*:*:*:*:*:*:* | pkg:maven/io.netty/netty-transport@4.1.38.Final | CRITICAL | 14 | Highest | 9 |
| grpc-netty-shaded-1.23.0.jar (shaded: org.jctools:jctools-core:2.1.1) | | pkg:maven/org.jctools/jctools-core@2.1.1 | | 0 | | 9 |
| grpc-netty-shaded-1.23.0.jar: io_grpc_netty_shaded_netty_tcnative_windows_x86_64.dll | | | | 0 | | 2 |
| grpc-protobuf-1.23.0.jar | cpe:2.3:a:grpc:grpc:1.23.0:*:*:*:*:*:*:*; cpe:2.3:a:protobuf:protobuf:1.23.0:*:*:*:*:*:*:* | pkg:maven/io.grpc/grpc-protobuf@1.23.0 | HIGH | 4 | Highest | 35 |
| gson-2.8.5.jar | cpe:2.3:a:google:gson:2.8.5:*:*:*:*:*:*:* | pkg:maven/com.google.code.gson/gson@2.8.5 | HIGH | 1 | Highest | 27 |
| guava-28.1-jre.jar | cpe:2.3:a:google:guava:28.1:*:*:*:*:*:*:* | pkg:maven/com.google.guava/guava@28.1-jre | HIGH | 2 | Highest | 25 |
| guice-3.0.jar | | pkg:maven/com.google.inject/guice@3.0 | | 0 | | 29 |
| guice-assistedinject-3.0.jar | | pkg:maven/com.google.inject.extensions/guice-assistedinject@3.0 | | 0 | | 28 |
| guice-multibindings-3.0.jar | | pkg:maven/com.google.inject.extensions/guice-multibindings@3.0 | | 0 | | 28 |
| h2-1.4.199.jar | cpe:2.3:a:h2database:h2:1.4.199:*:*:*:*:*:*:* | pkg:maven/com.h2database/h2@1.4.199 | CRITICAL | 5 | Highest | 44 |
| h2-1.4.199.jar: data.zip: table.js | | | | 0 | | 0 |
| h2-1.4.199.jar: data.zip: tree.js | | | | 0 | | 0 |
| hamcrest-core-1.3.jar | | pkg:maven/org.hamcrest/hamcrest-core@1.3 | | 0 | | 24 |
| hsqldb-2.5.0.jar | cpe:2.3:a:hsqldb:hypersql_database:2.5.0:*:*:*:*:*:*:* | pkg:maven/org.hsqldb/hsqldb@2.5.0 | CRITICAL | 1 | Low | 41 |
| httpclient-4.5.10.jar | cpe:2.3:a:apache:httpclient:4.5.10:*:*:*:*:*:*:* | pkg:maven/org.apache.httpcomponents/httpclient@4.5.10 | MEDIUM | 1 | Highest | 32 |
| httpcore-4.4.12.jar | | pkg:maven/org.apache.httpcomponents/httpcore@4.4.12 | | 0 | | 32 |
| httpmime-4.5.10.jar | | pkg:maven/org.apache.httpcomponents/httpmime@4.5.10 | | 0 | | 30 |
| httpservices-4.5.5.jar | | pkg:maven/edu.ucar/httpservices@4.5.5 | | 0 | | 25 |
| icu4j-64.2.jar | cpe:2.3:a:icu-project:international_components_for_unicode:64.2:*:*:*:*:*:*:*; cpe:2.3:a:unicode:international_components_for_unicode:64.2:*:*:*:*:*:*:* | pkg:maven/com.ibm.icu/icu4j@64.2 | | 0 | Low | 79 |
| isoparser-1.1.22.jar | | pkg:maven/com.googlecode.mp4parser/isoparser@1.1.22 | | 0 | | 26 |
| istack-commons-runtime-3.0.8.jar | | pkg:maven/com.sun.istack/istack-commons-runtime@3.0.8 | | 0 | | 28 |
| istack-commons-tools-3.0.8.jar | | pkg:maven/com.sun.istack/istack-commons-tools@3.0.8 | | 0 | | 30 |
| itext-2.1.7.jar | | pkg:maven/com.lowagie/itext@2.1.7 | HIGH | 1 | | 46 |
| itext-rtf-2.1.7.jar | | pkg:maven/com.lowagie/itext-rtf@2.1.7 | | 0 | | 46 |
| j2objc-annotations-1.3.jar | | pkg:maven/com.google.j2objc/j2objc-annotations@1.3 | | 0 | | 24 |
| jackcess-3.0.1.jar | | pkg:maven/com.healthmarketscience.jackcess/jackcess@3.0.1 | | 0 | | 45 |
| jackcess-encrypt-3.0.0.jar | | pkg:maven/com.healthmarketscience.jackcess/jackcess-encrypt@3.0.0 | | 0 | | 38 |
| jackson-annotations-2.10.5.jar | cpe:2.3:a:fasterxml:jackson-modules-java8:2.10.5:*:*:*:*:*:*:* | pkg:maven/com.fasterxml.jackson.core/jackson-annotations@2.10.5 | | 0 | Low | 40 |
| jackson-core-2.10.5.jar | cpe:2.3:a:fasterxml:jackson-modules-java8:2.10.5:*:*:*:*:*:*:*; cpe:2.3:a:json-java_project:json-java:2.10.5:*:*:*:*:*:*:* | pkg:maven/com.fasterxml.jackson.core/jackson-core@2.10.5 | HIGH | 2 | Low | 47 |
| jackson-core-asl-1.9.13.jar | | pkg:maven/org.codehaus.jackson/jackson-core-asl@1.9.13 | | 0 | | 38 |
| jackson-databind-2.10.5.jar | cpe:2.3:a:fasterxml:jackson-databind:2.10.5:*:*:*:*:*:*:*; cpe:2.3:a:fasterxml:jackson-modules-java8:2.10.5:*:*:*:*:*:*:* | pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.10.5 | HIGH | 6 | Highest | 41 |
| jackson-dataformat-csv-2.10.5.jar | cpe:2.3:a:fasterxml:jackson-dataformat-xml:2.10.5:*:*:*:*:*:*:* | pkg:maven/com.fasterxml.jackson.dataformat/jackson-dataformat-csv@2.10.5 | | 0 | Highest | 39 |
| jackson-datatype-guava-2.10.5.jar | | pkg:maven/com.fasterxml.jackson.datatype/jackson-datatype-guava@2.10.5 | | 0 | | 39 |
| jackson-datatype-joda-2.10.5.jar | | pkg:maven/com.fasterxml.jackson.datatype/jackson-datatype-joda@2.10.5 | | 0 | | 41 |
| jackson-jaxrs-base-2.10.5.jar | | pkg:maven/com.fasterxml.jackson.jaxrs/jackson-jaxrs-base@2.10.5 | | 0 | | 37 |
| jackson-jaxrs-json-provider-2.10.5.jar | cpe:2.3:a:json-java_project:json-java:2.10.5:*:*:*:*:*:*:* | pkg:maven/com.fasterxml.jackson.jaxrs/jackson-jaxrs-json-provider@2.10.5 | HIGH | 2 | Low | 37 |
| jackson-jaxrs-xml-provider-2.10.5.jar | | pkg:maven/com.fasterxml.jackson.jaxrs/jackson-jaxrs-xml-provider@2.10.5 | | 0 | | 37 |
| jackson-module-jaxb-annotations-2.10.5.jar | | pkg:maven/com.fasterxml.jackson.module/jackson-module-jaxb-annotations@2.10.5 | | 0 | | 39 |
| jai-imageio-core-1.4.0.jar | | pkg:maven/com.github.jai-imageio/jai-imageio-core@1.4.0 | | 0 | | 44 |
| jakarta.activation-1.2.1.jar | | pkg:maven/com.sun.activation/jakarta.activation@1.2.1 | | 0 | | 35 |
| jakarta.activation-api-1.2.1.jar | | pkg:maven/jakarta.activation/jakarta.activation-api@1.2.1 | | 0 | | 33 |
| jakarta.xml.bind-api-2.3.2.jar | | pkg:maven/jakarta.xml.bind/jakarta.xml.bind-api@2.3.2 | | 0 | | 30 |
| java-jwt-3.10.2.jar | | pkg:maven/com.auth0/java-jwt@3.10.2 | | 0 | | 37 |
| java-libpst-0.8.1.jar | | pkg:maven/com.pff/java-libpst@0.8.1 | | 0 | | 22 |
| java-saml-2.5.0.jar | | pkg:maven/com.onelogin/java-saml@2.5.0 | | 0 | | 18 |
| java-saml-core-2.5.0.jar | | pkg:maven/com.onelogin/java-saml-core@2.5.0 | | 0 | | 18 |
| java-xmlbuilder-1.1.jar | cpe:2.3:a:java-xmlbuilder_project:java-xmlbuilder:1.1:*:*:*:*:*:*:*; cpe:2.3:a:utils_project:utils:1.1:*:*:*:*:*:*:* | pkg:maven/com.jamesmurty.utils/java-xmlbuilder@1.1 | CRITICAL | 2 | Highest | 26 |
| javase-3.0.1.jar | | pkg:maven/com.google.zxing/javase@3.0.1 | | 0 | | 23 |
| javax.activation-api-1.2.0.jar | | pkg:maven/javax.activation/javax.activation-api@1.2.0 | | 0 | | 39 |
| javax.annotation-api-1.3.2.jar | | pkg:maven/javax.annotation/javax.annotation-api@1.3.2 | | 0 | | 46 |
| javax.ejb-api-3.2.2.jar | | pkg:maven/javax.ejb/javax.ejb-api@3.2.2 | | 0 | | 44 |
| javax.inject-1.jar | | pkg:maven/javax.inject/javax.inject@1 | | 0 | | 20 |
| javax.jms-api-2.0.1.jar | cpe:2.3:a:oracle:projects:2.0.1:*:*:*:*:*:*:* | pkg:maven/javax.jms/javax.jms-api@2.0.1 | | 0 | Low | 34 |
| javax.mail-1.6.2.jar | cpe:2.3:a:oracle:java_se:1.6.2:*:*:*:*:*:*:* | pkg:maven/com.sun.mail/javax.mail@1.6.2 | | 0 | Low | 45 |
| javax.servlet-api-4.0.1.jar | cpe:2.3:a:oracle:java_se:4.0.1:*:*:*:*:*:*:* | pkg:maven/javax.servlet/javax.servlet-api@4.0.1 | | 0 | Medium | 48 |
| javax.servlet.jsp-api-2.3.3.jar | cpe:2.3:a:oracle:java_se:2.3.3:*:*:*:*:*:*:*; cpe:2.3:a:oracle:jsp:2.3.3:*:*:*:*:*:*:* | pkg:maven/javax.servlet.jsp/javax.servlet.jsp-api@2.3.3 | | 0 | High | 46 |
| javax.transaction-api-1.3.jar | | pkg:maven/javax.transaction/javax.transaction-api@1.3 | | 0 | | 46 |
| javax.websocket-api-1.1.jar | | pkg:maven/javax.websocket/javax.websocket-api@1.1 | | 0 | | 30 |
| javax.ws.rs-api-2.0.1.jar | cpe:2.3:a:oracle:java_se:2.0.1:*:*:*:*:*:*:* | pkg:maven/javax.ws.rs/javax.ws.rs-api@2.0.1 | | 0 | Low | 59 |
| jawk-1.02.jar | | pkg:maven/org.jawk/jawk@1.02 | | 0 | | 12 |
| jaxb-api-2.3.1.jar | | pkg:maven/javax.xml.bind/jaxb-api@2.3.1 | | 0 | | 37 |
| jaxb-runtime-2.3.2.jar | | pkg:maven/org.glassfish.jaxb/jaxb-runtime@2.3.2 | | 0 | | 32 |
| jaxb-svg11-1.0.2.jar | | pkg:maven/org.plutext/jaxb-svg11@1.0.2 | | 0 | | 34 |
| jaxb-xjc-2.3.2.jar | | pkg:maven/org.glassfish.jaxb/jaxb-xjc@2.3.2 | | 0 | | 34 |
| jbig2-imageio-3.0.2.jar | cpe:2.3:a:apache:pdfbox:3.0.2:*:*:*:*:*:*:* | pkg:maven/org.apache.pdfbox/jbig2-imageio@3.0.2 | | 0 | Highest | 128 |
| jcip-annotations-1.0.jar | | pkg:maven/net.jcip/jcip-annotations@1.0 | | 0 | | 24 |
| jcl-over-slf4j-1.7.30.jar | | pkg:maven/org.slf4j/jcl-over-slf4j@1.7.30 | | 0 | | 31 |
| jclouds-core-2.2.0.jar | cpe:2.3:a:apache:jclouds:2.2.0:*:*:*:*:*:*:* | pkg:maven/org.apache.jclouds/jclouds-core@2.2.0 | | 0 | Highest | 28 |
| jclouds-log4j-2.2.0.jar | cpe:2.3:a:apache:jclouds:2.2.0:*:*:*:*:*:*:*; cpe:2.3:a:apache:log4j:2.2.0:*:*:*:*:*:*:* | pkg:maven/org.apache.jclouds.driver/jclouds-log4j@2.2.0 | CRITICAL | 6 | Highest | 33 |
| jcommander-1.35.jar | | pkg:maven/com.beust/jcommander@1.35 | | 0 | | 22 |
| jdom2-2.0.6.jar | cpe:2.3:a:jdom:jdom:2.0.6:*:*:*:*:*:*:* | pkg:maven/org.jdom/jdom2@2.0.6 | HIGH | 1 | Highest | 65 |
| jempbox-1.8.16.jar | cpe:2.3:a:apache:pdfbox:1.8.16:*:*:*:*:*:*:* | pkg:maven/org.apache.pdfbox/jempbox@1.8.16 | | 0 | Highest | 33 |
| jersey-core-1.19.1.jar | cpe:2.3:a:jersey_project:jersey:1.19.1:*:*:*:*:*:*:* | pkg:maven/com.sun.jersey/jersey-core@1.19.1 | | 0 | Highest | 30 |
| jfreechart-1.5.0.jar | cpe:2.3:a:time_project:time:1.5.0:*:*:*:*:*:*:* | pkg:maven/org.jfree/jfreechart@1.5.0 | | 0 | Low | 38 |
| jhighlight-1.0.3.jar | | pkg:maven/org.codelibs/jhighlight@1.0.3 | | 0 | | 20 |
| jjwt-0.4.jar | cpe:2.3:a:json_web_token_project:json_web_token:0.4:*:*:*:*:*:*:*; cpe:2.3:a:web_project:web:0.4:*:*:*:*:*:*:* | pkg:maven/io.jsonwebtoken/jjwt@0.4 | | 0 | High | 19 |
| jlessc-1.8.jar | | pkg:maven/de.inetsoftware/jlessc@1.8 | | 0 | | 33 |
| jlessc-ant-1.8.jar | | pkg:maven/com.simplicite.ant/jlessc-ant@1.8; pkg:maven/com.simplicite/jlessc-ant@1.8 | | 0 | | 26 |
| jmatio-1.5.jar | | pkg:maven/org.tallison/jmatio@1.5 | | 0 | | 26 |
| jmustache-1.15.jar | | pkg:maven/com.samskivert/jmustache@1.15 | | 0 | | 30 |
| jna-5.3.1.jar | cpe:2.3:a:oracle:java_se:5.3.1:*:*:*:*:*:*:* | pkg:maven/net.java.dev.jna/jna@5.3.1 | | 0 | Low | 48 |
| jna-5.3.1.jar: jnidispatch.dll | | | | 0 | | 2 |
| jna-5.3.1.jar: jnidispatch.dll | | | | 0 | | 2 |
| joda-time-2.10.3.jar | | pkg:maven/joda-time/joda-time@2.10.3 | | 0 | | 47 |
| jsch-0.1.55.jar | cpe:2.3:a:jcraft:jsch:0.1.55:*:*:*:*:*:*:* | pkg:maven/com.jcraft/jsch@0.1.55 | | 0 | Highest | 34 |
| json-20190722.jar | cpe:2.3:a:json-java_project:json-java:*:*:*:*:*:*:*:* | pkg:maven/org.json/json@20190722 | HIGH | 2 | Highest | 32 |
| json-simple-1.1.1.jar | | pkg:maven/com.googlecode.json-simple/json-simple@1.1.1 | | 0 | | 25 |
| jsoup-1.12.1.jar | cpe:2.3:a:jsoup:jsoup:1.12.1:*:*:*:*:*:*:* | pkg:maven/org.jsoup/jsoup@1.12.1 | HIGH | 2 | Highest | 37 |
| jsr305-3.0.2.jar | | pkg:maven/com.google.code.findbugs/jsr305@3.0.2 | | 0 | | 17 |
| jsr311-api-1.1.1.jar | cpe:2.3:a:web_project:web:1.1.1:*:*:*:*:*:*:* | pkg:maven/javax.ws.rs/jsr311-api@1.1.1 | | 0 | Low | 36 |
| jtidy-r938.jar | cpe:2.3:a:jtidy_project:jtidy:r938:*:*:*:*:*:*:* | pkg:maven/net.sf.jtidy/jtidy@r938 | HIGH | 1 | Highest | 53 |
| jul-to-slf4j-1.7.30.jar | | pkg:maven/org.slf4j/jul-to-slf4j@1.7.30 | | 0 | | 26 |
| junit-4.13.2.jar | cpe:2.3:a:junit:junit4:4.13.2:*:*:*:*:*:*:* | pkg:maven/junit/junit@4.13.2 | | 0 | Low | 53 |
| juniversalchardet-1.0.3.jar | | pkg:maven/com.googlecode.juniversalchardet/juniversalchardet@1.0.3 | | 0 | | 24 |
| junrar-4.0.0.jar | cpe:2.3:a:junrar_project:junrar:4.0.0:*:*:*:*:*:*:* | pkg:maven/com.github.junrar/junrar@4.0.0 | HIGH | 1 | Highest | 25 |
| jzlib-1.1.1.jar | cpe:2.3:a:jcraft:jzlib:1.1.1:*:*:*:*:*:*:* | pkg:maven/com.jcraft/jzlib@1.1.1 | | 0 | Highest | 34 |
| libphonenumber-8.12.6.jar | | pkg:maven/com.googlecode.libphonenumber/libphonenumber@8.12.6 | | 0 | | 22 |
| listenablefuture-9999.0-empty-to-avoid-conflict-with-guava.jar | | pkg:maven/com.google.guava/listenablefuture@9999.0-empty-to-avoid-conflict-with-guava | | 0 | | 13 |
| log4j-1.2.17.jar | cpe:2.3:a:apache:log4j:1.2.17:*:*:*:*:*:*:* | pkg:maven/log4j/log4j@1.2.17 | CRITICAL | 7 | Highest | 30 |
| lucene-core-8.2.0.jar | | pkg:maven/org.apache.lucene/lucene-core@8.2.0 | | 0 | | 28 |
| mbassador-1.3.2.jar | | pkg:maven/net.engio/mbassador@1.3.2 | | 0 | | 29 |
| mchange-commons-java-0.2.15.jar | | pkg:maven/com.mchange/mchange-commons-java@0.2.15 | | 0 | | 29 |
| metadata-extractor-2.11.0.jar | cpe:2.3:a:metadata-extractor_project:metadata-extractor:2.11.0:*:*:*:*:*:*:* | pkg:maven/com.drewnoakes/metadata-extractor@2.11.0 | HIGH | 3 | Highest | 32 |
| migbase64-2.2.jar | | pkg:maven/com.brsanthu/migbase64@2.2 | | 0 | | 38 |
| mimepull-1.9.3.jar | | pkg:maven/org.jvnet.mimepull/mimepull@1.9.3 | | 0 | | 48 |
| mongodb-driver-core-3.11.0.jar | cpe:2.3:a:mongodb:java_driver:3.11.0:*:*:*:*:*:*:* | pkg:maven/org.mongodb/mongodb-driver-core@3.11.0 | MEDIUM | 1 | Low | 30 |
| mssql-jdbc-12.2.0.jre8.jar | cpe:2.3:a:www-sql_project:www-sql:12.2.0.jre8:*:*:*:*:*:*:* | pkg:maven/com.microsoft.sqlserver/mssql-jdbc@12.2.0; pkg:maven/com.microsoft.sqlserver/mssql-jdbc@12.2.0.jre8 | | 0 | Highest | 37 |
| mysql-connector-j-8.1.0.jar | cpe:2.3:a:mysql:mysql:8.1.0:*:*:*:*:*:*:*; cpe:2.3:a:oracle:mysql_connector\/j:8.1.0:*:*:*:*:*:*:* | pkg:maven/com.mysql/mysql-connector-j@8.1.0 | HIGH | 1 | Highest | 52 |
| netcdf4-4.5.5.jar | | pkg:maven/edu.ucar/netcdf4@4.5.5 | | 0 | | 25 |
| netty-codec-4.1.49.Final.jar | cpe:2.3:a:netty:netty:4.1.49:*:*:*:*:*:*:* | pkg:maven/io.netty/netty-codec@4.1.49.Final | HIGH | 11 | Highest | 34 |
| netty-codec-mqtt-4.1.49.Final.jar | cpe:2.3:a:mqtt:mqtt:4.1.49:*:*:*:*:*:*:*; cpe:2.3:a:netty:netty:4.1.49:*:*:*:*:*:*:* | pkg:maven/io.netty/netty-codec-mqtt@4.1.49.Final | HIGH | 10 | Highest | 34 |
| netty-common-4.1.49.Final.jar (shaded: org.jctools:jctools-core:3.0.0) | | pkg:maven/org.jctools/jctools-core@3.0.0 | | 0 | | 9 |
| netty-transport-4.1.49.Final.jar | cpe:2.3:a:netty:netty:4.1.49:*:*:*:*:*:*:* | pkg:maven/io.netty/netty-transport@4.1.49.Final | HIGH | 10 | Highest | 32 |
| netty-transport-native-kqueue-4.1.48.Final-osx-x86_64.jar | cpe:2.3:a:netty:netty:4.1.48:*:*:*:*:*:*:* | pkg:maven/io.netty/netty-transport-native-kqueue@4.1.48.Final | HIGH | 10 | Highest | 36 |
| oauth-2.2.0.jar | cpe:2.3:a:apache:jclouds:2.2.0:*:*:*:*:*:*:* | pkg:maven/org.apache.jclouds.api/oauth@2.2.0 | | 0 | Highest | 31 |
| ojdbc8-23.3.0.23.09.jar | cpe:2.3:a:oracle:jdbc:23.3.0.23.09:*:*:*:*:*:*:* | pkg:maven/com.oracle.database.jdbc/ojdbc8@23.3.0.23.09 | | 0 | Highest | 33 |
| opencensus-api-0.24.0.jar | | pkg:maven/io.opencensus/opencensus-api@0.24.0 | | 0 | | 33 |
| opencensus-contrib-grpc-metrics-0.21.0.jar | | pkg:maven/io.opencensus/opencensus-contrib-grpc-metrics@0.21.0 | | 0 | | 37 |
| opencensus-contrib-grpc-util-0.21.0.jar | | pkg:maven/io.opencensus/opencensus-contrib-grpc-util@0.21.0 | | 0 | | 37 |
| opencensus-contrib-http-util-0.24.0.jar | | pkg:maven/io.opencensus/opencensus-contrib-http-util@0.24.0 | | 0 | | 37 |
| openjson-1.0.11.jar | cpe:2.3:a:json-java_project:json-java:1.0.11:*:*:*:*:*:*:* | pkg:maven/com.github.openjson/openjson@1.0.11 | HIGH | 2 | Low | 37 |
| opennlp-tools-1.9.1.jar | cpe:2.3:a:apache:opennlp:1.9.1:*:*:*:*:*:*:* | pkg:maven/org.apache.opennlp/opennlp-tools@1.9.1 | | 0 | Highest | 36 |
| openstack-keystone-2.2.0.jar | cpe:2.3:a:apache:jclouds:2.2.0:*:*:*:*:*:*:*; cpe:2.3:a:openstack:keystone:2.2.0:*:*:*:*:*:*:*; cpe:2.3:a:openstack:openstack:2.2.0:*:*:*:*:*:*:* | pkg:maven/org.apache.jclouds.api/openstack-keystone@2.2.0 | HIGH | 7 | Highest | 33 |
| openstack-swift-2.2.0.jar | cpe:2.3:a:apache:jclouds:2.2.0:*:*:*:*:*:*:*; cpe:2.3:a:openstack:openstack:2.2.0:*:*:*:*:*:*:*; cpe:2.3:a:openstack:swift:2.2.0:*:*:*:*:*:*:* | pkg:maven/org.apache.jclouds.api/openstack-swift@2.2.0 | CRITICAL | 7 | Highest | 33 |
| org.apache.oltu.oauth2.client-1.0.2.jar | | pkg:maven/org.apache.oltu.oauth2/org.apache.oltu.oauth2.client@1.0.2 | | 0 | | 32 |
| org.apache.oltu.oauth2.common-1.0.2.jar | | pkg:maven/org.apache.oltu.oauth2/org.apache.oltu.oauth2.common@1.0.2 | | 0 | | 32 |
| org.eclipse.jgit.http.server-5.5.0.201909110433-r.jar | cpe:2.3:a:eclipse:jgit:5.5.0:201909110433:*:*:*:*:*:* | pkg:maven/org.eclipse.jgit/org.eclipse.jgit.http.server@5.5.0.201909110433-r | HIGH | 1 | Highest | 40 |
| org.eclipse.paho.client.mqttv3-1.2.1.jar | cpe:2.3:a:eclipse:paho_java_client:1.2.1:*:*:*:*:*:*:* | pkg:maven/org.eclipse.paho/org.eclipse.paho.client.mqttv3@1.2.1 | | 0 | Low | 30 |
| parso-2.0.11.jar | cpe:2.3:a:parso_project:parso:2.0.11:*:*:*:*:*:*:* | pkg:maven/com.epam/parso@2.0.11 | | 0 | Highest | 34 |
| pdfbox-2.0.16.jar | cpe:2.3:a:apache:pdfbox:2.0.16:*:*:*:*:*:*:* | pkg:maven/org.apache.pdfbox/pdfbox@2.0.16 | MEDIUM | 4 | Highest | 33 |
| perfmark-api-0.17.0.jar | | pkg:maven/io.perfmark/perfmark-api@0.17.0 | | 0 | | 26 |
| poi-4.1.0.jar | cpe:2.3:a:apache:poi:4.1.0:*:*:*:*:*:*:* | pkg:maven/org.apache.poi/poi@4.1.0 | MEDIUM | 2 | Highest | 29 |
| postgresql-42.6.0.jar | cpe:2.3:a:postgresql:postgresql_jdbc_driver:42.6.0:*:*:*:*:*:*:* | pkg:maven/org.postgresql/postgresql@42.6.0 | | 0 | Low | 71 |
| proto-google-cloud-firestore-admin-v1-1.9.0.jar | | pkg:maven/com.google.api.grpc/proto-google-cloud-firestore-admin-v1@1.9.0 | | 0 | | 28 |
| proto-google-cloud-firestore-v1-1.9.0.jar | | pkg:maven/com.google.api.grpc/proto-google-cloud-firestore-v1@1.9.0 | | 0 | | 25 |
| proto-google-cloud-firestore-v1beta1-0.62.0.jar | | pkg:maven/com.google.api.grpc/proto-google-cloud-firestore-v1beta1@0.62.0 | | 0 | | 24 |
| proto-google-cloud-pubsub-v1-1.73.0.jar | | pkg:maven/com.google.api.grpc/proto-google-cloud-pubsub-v1@1.73.0 | | 0 | | 25 |
| proto-google-common-protos-1.16.0.jar | | pkg:maven/com.google.api.grpc/proto-google-common-protos@1.16.0 | | 0 | | 32 |
| proto-google-iam-v1-0.12.0.jar | | pkg:maven/com.google.api.grpc/proto-google-iam-v1@0.12.0 | | 0 | | 68 |
| protobuf-java-3.10.0.jar | cpe:2.3:a:google:protobuf-java:3.10.0:*:*:*:*:*:*:*; cpe:2.3:a:protobuf:protobuf:3.10.0:*:*:*:*:*:*:* | pkg:maven/com.google.protobuf/protobuf-java@3.10.0 | HIGH | 4 | Highest | 27 |
| protobuf-java-util-3.10.0.jar | cpe:2.3:a:google:protobuf-java:3.10.0:*:*:*:*:*:*:*; cpe:2.3:a:protobuf:protobuf:3.10.0:*:*:*:*:*:*:* | pkg:maven/com.google.protobuf/protobuf-java-util@3.10.0 | HIGH | 2 | Highest | 29 |
| proton-j-0.33.4.jar | cpe:2.3:a:apache:qpid:0.33.4:*:*:*:*:*:*:*; cpe:2.3:a:apache:qpid_proton:0.33.4:*:*:*:*:*:*:*; cpe:2.3:a:apache:qpid_proton-j:0.33.4:*:*:*:*:*:*:*; cpe:2.3:a:proton_project:proton:0.33.4:*:*:*:*:*:*:* | pkg:maven/org.apache.qpid/proton-j@0.33.4 | | 0 | Highest | 30 |
| qpid-jms-client-0.51.0.jar | cpe:2.3:a:apache:qpid:0.51.0:*:*:*:*:*:*:* | pkg:maven/org.apache.qpid/qpid-jms-client@0.51.0 | | 0 | Highest | 27 |
| qrgen-1.4.jar | | pkg:maven/net.glxn/qrgen@1.4 | | 0 | | 30 |
| quartz-2.3.1.jar | cpe:2.3:a:softwareag:quartz:2.3.1:*:*:*:*:*:*:* | pkg:maven/org.quartz-scheduler/quartz@2.3.1 | CRITICAL | 2 | Highest | 33 |
| relaxng-datatype-2.3.2.jar | | pkg:maven/com.sun.xml.bind.external/relaxng-datatype@2.3.2 | | 0 | | 27 |
| rhino-1.7.13.jar | | pkg:maven/org.mozilla/rhino@1.7.13 | | 0 | | 31 |
| rhino-1.7.13.jar: test.js | | | | 0 | | 0 |
| rhino-js-engine-1.7.10.jar | | pkg:maven/cat.inspiracio/rhino-js-engine@1.7.10 | | 0 | | 32 |
| rhino-js-engine-1.7.10.jar: toplevel.js | | | | 0 | | 0 |
| rngom-2.3.2.jar | | pkg:maven/com.sun.xml.bind.external/rngom@2.3.2 | | 0 | | 23 |
| rome-1.12.1.jar | | pkg:maven/com.rometools/rome@1.12.1 | | 0 | | 35 |
| rome-utils-1.12.1.jar | cpe:2.3:a:utils_project:utils:1.12.1:*:*:*:*:*:*:* | pkg:maven/com.rometools/rome-utils@1.12.1 | MEDIUM | 1 | Highest | 19 |
| s3-2.2.0.jar | cpe:2.3:a:apache:jclouds:2.2.0:*:*:*:*:*:*:* | pkg:maven/org.apache.jclouds.api/s3@2.2.0 | | 0 | Highest | 31 |
| sentiment-analysis-parser-0.1.jar | cpe:2.3:a:ini-parser_project:ini-parser:0.1:*:*:*:*:*:*:* | pkg:maven/edu.usc.ir/sentiment-analysis-parser@0.1 | | 0 | Low | 38 |
| serializer-2.7.2.jar | cpe:2.3:a:apache:xalan-java:2.7.2:*:*:*:*:*:*:* | pkg:maven/xalan/serializer@2.7.2 | HIGH | 1 | Low | 32 |
| sis-feature-0.8.jar | | pkg:maven/org.apache.sis.core/sis-feature@0.8 | | 0 | | 56 |
| sis-metadata-0.8.jar | | pkg:maven/org.apache.sis.core/sis-metadata@0.8 | | 0 | | 54 |
| sis-netcdf-0.8.jar | | pkg:maven/org.apache.sis.storage/sis-netcdf@0.8 | | 0 | | 56 |
| sis-referencing-0.8.jar | cpe:2.3:a:temporal:temporal:0.8:*:*:*:*:*:*:* | pkg:maven/org.apache.sis.core/sis-referencing@0.8 | LOW | 1 | Low | 71 |
| sis-storage-0.8.jar | | pkg:maven/org.apache.sis.storage/sis-storage@0.8 | | 0 | | 70 |
| sis-utility-0.8.jar | | pkg:maven/org.apache.sis.core/sis-utility@0.8 | | 0 | | 58 |
| slf4j-api-1.7.30.jar | | pkg:maven/org.slf4j/slf4j-api@1.7.30 | | 0 | | 27 |
| slf4j-log4j12-1.7.30.jar | | pkg:maven/org.slf4j/slf4j-log4j12@1.7.30 | | 0 | | 27 |
| snakeyaml-1.25.jar | cpe:2.3:a:snakeyaml_project:snakeyaml:1.25:*:*:*:*:*:*:* | pkg:maven/org.yaml/snakeyaml@1.25 | CRITICAL | 8 | Highest | 46 |
| stax-ex-1.8.1.jar | cpe:2.3:a:oracle:projects:1.8.1:*:*:*:*:*:*:* | pkg:maven/org.jvnet.staxex/stax-ex@1.8.1 | | 0 | Low | 46 |
| stax2-api-4.2.jar | cpe:2.3:a:fasterxml:woodstox:4.2:*:*:*:*:*:*:* | pkg:maven/org.codehaus.woodstox/stax2-api@4.2 | HIGH | 1 | Highest | 54 |
| stringtemplate-3.2.1.jar | cpe:2.3:a:temporal:temporal:3.2.1:*:*:*:*:*:*:* | pkg:maven/org.antlr/stringtemplate@3.2.1 | | 0 | Low | 38 |
| stripe-java-12.0.0.jar | cpe:2.3:a:stripe:stripe:12.0.0:*:*:*:*:*:*:* | pkg:maven/com.stripe/stripe-java@12.0.0 | | 0 | Highest | 34 |
| sts-2.2.0.jar | cpe:2.3:a:apache:jclouds:2.2.0:*:*:*:*:*:*:* | pkg:maven/org.apache.jclouds.api/sts@2.2.0 | | 0 | Highest | 31 |
| swagger-annotations-1.5.8.jar | | pkg:maven/io.swagger/swagger-annotations@1.5.8 | | 0 | | 29 |
| tagsoup-1.2.1.jar | | pkg:maven/org.ccil.cowan.tagsoup/tagsoup@1.2.1 | | 0 | | 24 |
| threeten-extra-1.5.0.jar | | pkg:maven/org.threeten/threeten-extra@1.5.0 | | 0 | | 41 |
| threetenbp-1.3.3.jar | | pkg:maven/org.threeten/threetenbp@1.3.3 | | 0 | | 39 |
| tika-core-1.22.jar | cpe:2.3:a:apache:tika:1.22:*:*:*:*:*:*:* | pkg:maven/org.apache.tika/tika-core@1.22 | MEDIUM | 7 | Highest | 42 |
| tika-parsers-1.22.jar | cpe:2.3:a:apache:tika:1.22:*:*:*:*:*:*:* | pkg:maven/org.apache.tika/tika-parsers@1.22 | MEDIUM | 8 | Highest | 41 |
| twilio-7.42.0.jar | | pkg:maven/com.twilio.sdk/twilio@7.42.0 | | 0 | | 28 |
| txw2-2.3.2.jar | | pkg:maven/org.glassfish.jaxb/txw2@2.3.2 | | 0 | | 34 |
| udunits-4.5.5.jar | | pkg:maven/edu.ucar/udunits@4.5.5 | | 0 | | 29 |
| unit-api-1.0.jar | | pkg:maven/javax.measure/unit-api@1.0 | | 0 | | 128 |
| vorbis-java-core-0.8.jar | | pkg:maven/org.gagravarr/vorbis-java-core@0.8 | | 0 | | 22 |
| vorbis-java-tika-0.8.jar | | pkg:maven/org.gagravarr/vorbis-java-tika@0.8 | | 0 | | 22 |
| wmf2svg-0.9.8.jar | | pkg:maven/net.arnx/wmf2svg@0.9.8 | | 0 | | 31 |
| woodstox-core-6.2.0.jar (shaded: com.sun.xml.bind.jaxb:isorelax:20090621) | cpe:2.3:a:xml_library_project:xml_library:*:*:*:*:*:rust:*:* | pkg:maven/com.sun.xml.bind.jaxb/isorelax@20090621 | HIGH | 1 | Highest | 12 |
| woodstox-core-6.2.0.jar (shaded: net.java.dev.msv:xsdlib:2013.6.1) | cpe:2.3:a:xml_library_project:xml_library:2013.6.1:*:*:*:*:*:*:* | pkg:maven/net.java.dev.msv/xsdlib@2013.6.1 | | 0 | Low | 9 |
| woodstox-core-6.2.0.jar | cpe:2.3:a:fasterxml:woodstox:6.2.0:*:*:*:*:*:*:* | pkg:maven/com.fasterxml.woodstox/woodstox-core@6.2.0 | HIGH | 1 | Highest | 47 |
| xalan-2.7.2.jar | cpe:2.3:a:apache:xalan-java:2.7.2:*:*:*:*:*:*:* | pkg:maven/xalan/xalan@2.7.2 | HIGH | 1 | Low | 66 |
| xalan-interpretive-11.0.0.jar | | pkg:maven/org.docx4j.org.apache/xalan-interpretive@11.0.0 | | 0 | | 42 |
| xalan-serializer-11.0.0.jar | | pkg:maven/org.docx4j.org.apache/xalan-serializer@11.0.0 | | 0 | | 41 |
| xercesImpl-2.12.0.jar | cpe:2.3:a:apache:xerces-j:2.12.0:*:*:*:*:*:*:*; cpe:2.3:a:apache:xerces2_java:2.12.0:*:*:*:*:*:*:* | pkg:maven/xerces/xercesImpl@2.12.0 | MEDIUM | 2 | Low | 86 |
| xhtmlrenderer-3.0.0.jar | | pkg:maven/org.docx4j/xhtmlrenderer@3.0.0 | | 0 | | 36 |
| xmlbeans-3.1.0.jar | cpe:2.3:a:apache:xmlbeans:3.1.0:*:*:*:*:*:*:* | pkg:maven/org.apache.xmlbeans/xmlbeans@3.1.0 | | 0 | Highest | 58 |
| xmlgraphics-commons-2.3.jar | cpe:2.3:a:apache:xmlgraphics_commons:2.3:*:*:*:*:*:*:* | pkg:maven/org.apache.xmlgraphics/xmlgraphics-commons@2.3 | HIGH | 1 | Highest | 29 |
| xmlsec-2.1.4.jar | cpe:2.3:a:apache:santuario_xml_security_for_java:2.1.4:*:*:*:*:*:*:*; cpe:2.3:a:apache:xml_security_for_java:2.1.4:*:*:*:*:*:*:* | pkg:maven/org.apache.santuario/xmlsec@2.1.4 | HIGH | 2 | Low | 48 |
| xmpcore-5.1.3.jar | | pkg:maven/com.adobe.xmp/xmpcore@5.1.3 | | 0 | | 37 |
| xsom-2.3.2.jar | cpe:2.3:a:eclipse:glassfish:2.3.2:*:*:*:*:*:*:* | pkg:maven/org.glassfish.jaxb/xsom@2.3.2 | | 0 | Medium | 27 |
xz-1.8.jarcpe:2.3:a:tukaani:xz:1.8:*:*:*:*:*:*:*pkg:maven/org.tukaani/xz@1.8 0Highest33

Dependencies

FastInfoset-1.2.16.jar

Description:

Open Source implementation of the Fast Infoset Standard for Binary XML (http://www.itu.int/ITU-T/asn1/).

License:

http://www.opensource.org/licenses/apache2.0.php, http://www.eclipse.org/org/documents/edl-v10.php
File Path: /var/simplicite/.m2/repository/com/sun/xml/fastinfoset/FastInfoset/1.2.16/FastInfoset-1.2.16.jar
MD5: f7f4be4695e2501a6d585beca305c74c
SHA1: 4eb6a0adad553bf759ffe86927df6f3b848c8bea
SHA256:056f3a1e144409f21ed16afc26805f58e9a21f3fce1543c42d400719d250c511
Referenced In Project/Scope:Simplicite Platform:compile

Identifiers

HikariCP-3.4.0.jar

Description:

Ultimate JDBC Connection Pool

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /var/simplicite/.m2/repository/com/zaxxer/HikariCP/3.4.0/HikariCP-3.4.0.jar
MD5: 60549ba87bf28ce69702302b62e527c5
SHA1: 6ce7ce51bd472b93a26bd26b41ad18e9b842ad41
SHA256:0bd769d01a0e64b1a61053206343364ec6bde30b84d819c29de163bcfb485852
Referenced In Project/Scope:Simplicite Platform:compile

Identifiers

JavaEWAH-1.1.6.jar

Description:

The bit array data structure is implemented in Java as the BitSet class. Unfortunately, this fails to scale without compression.
JavaEWAH is a word-aligned compressed variant of the Java bitset class. It uses a 64-bit run-length encoding (RLE) compression scheme.
The goal of word-aligned compression is not to achieve the best compression, but rather to improve query processing time. Hence, we try to save CPU cycles, maybe at the expense of storage. However, the EWAH scheme we implemented is always more efficient storage-wise than an uncompressed bitmap (implemented in Java as the BitSet class). Unlike some alternatives, javaewah does not rely on a patented scheme.

License:

Apache 2: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /var/simplicite/.m2/repository/com/googlecode/javaewah/JavaEWAH/1.1.6/JavaEWAH-1.1.6.jar
MD5: ad90237fa8e47defd9fdac73e68608fd
SHA1: 94ad16d728b374d65bd897625f3fbb3da223a2b6
SHA256:f78d44a1e3877f1ce748b4a85df5171e5e8e9a5c3c6f63bb9003db6f84cce952
Referenced In Project/Scope:Simplicite Platform:compile

Identifiers

activation-1.1.jar

Description:

JavaBeans Activation Framework (JAF) is a standard extension to the Java platform that lets you take advantage of standard services to: determine the type of an arbitrary piece of data; encapsulate access to it; discover the operations available on it; and instantiate the appropriate bean to perform the operation(s).

License:

Common Development and Distribution License (CDDL) v1.0: https://glassfish.dev.java.net/public/CDDLv1.0.html
File Path: /var/simplicite/.m2/repository/javax/activation/activation/1.1/activation-1.1.jar
MD5: 8ae38e87cd4f86059c0294a8fe3e0b18
SHA1: e6cb541461c2834bdea3eb920f1884d1eb508b50
SHA256:2881c79c9d6ef01c58e62beea13e9d1ac8b8baa16f2fc198ad6e6776defdcdd3
Referenced In Project/Scope:Simplicite Platform:compile

Identifiers

animal-sniffer-annotations-1.18.jar

File Path: /var/simplicite/.m2/repository/org/codehaus/mojo/animal-sniffer-annotations/1.18/animal-sniffer-annotations-1.18.jar
MD5: f0a84f9b30590b3aa76edc893d6fe4ff
SHA1: f7aa683ea79dc6681ee9fb95756c999acbb62f5d
SHA256:47f05852b48ee9baefef80fa3d8cea60efa4753c0013121dd7fe5eef2e5c729d
Referenced In Project/Scope:Simplicite Platform:compile

Identifiers

annotations-4.1.1.4.jar

Description:

A library jar that provides annotations for the Google Android Platform.

License:

Apache 2.0: http://www.apache.org/licenses/LICENSE-2.0
File Path: /var/simplicite/.m2/repository/com/google/android/annotations/4.1.1.4/annotations-4.1.1.4.jar
MD5: c2cdd26a6ae577f24775e8ce75da1fdc
SHA1: a1678ba907bf92691d879fef34e1a187038f9259
SHA256:ba734e1e84c09d615af6a09d33034b4f0442f8772dec120efb376d86a565ae15
Referenced In Project/Scope:Simplicite Platform:compile

Identifiers

ant-1.10.7.jar

File Path: /var/simplicite/.m2/repository/org/apache/ant/ant/1.10.7/ant-1.10.7.jar
MD5: 66386ce040556ca4836fe829d0f1b293
SHA1: ebd23eb1f451de96e9a616f239408db88eedc1c2
SHA256:dab4d3b2e45b73aec95cb25ce5050a651ad060f50f74662bbc3c1cb406ec1d19
Referenced In Project/Scope:Simplicite Platform:compile

Identifiers

CVE-2020-1945  

Apache Ant 1.1 to 1.9.14 and 1.10.0 to 1.10.7 uses the default temporary directory identified by the Java system property java.io.tmpdir for several tasks and may thus leak sensitive information. The fixcrlf and replaceregexp tasks also copy files from the temporary directory back into the build tree allowing an attacker to inject modified source files into the build process.
CWE-668 Exposure of Resource to Wrong Sphere

CVSSv2:
  • Base Score: LOW (3.3)
  • Vector: /AV:L/AC:M/Au:N/C:P/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (6.3)
  • Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N

References:

Vulnerable Software & Versions:

CVE-2021-36373  

When reading a specially crafted TAR archive an Apache Ant build can be made to allocate large amounts of memory that finally leads to an out of memory error, even for small inputs. This can be used to disrupt builds using Apache Ant. Apache Ant prior to 1.9.16 and 1.10.11 were affected.
NVD-CWE-Other

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:N/A:P
CVSSv3:
  • Base Score: MEDIUM (5.5)
  • Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

References:

Vulnerable Software & Versions:

CVE-2021-36374  

When reading a specially crafted ZIP archive, or a derived format, an Apache Ant build can be made to allocate large amounts of memory that leads to an out of memory error, even for small inputs. This can be used to disrupt builds using Apache Ant. Commonly used derived formats from ZIP archives are for instance JAR files and many office files. Apache Ant prior to 1.9.16 and 1.10.11 were affected.
NVD-CWE-Other

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:N/A:P
CVSSv3:
  • Base Score: MEDIUM (5.5)
  • Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

References:

Vulnerable Software & Versions:

antlr-2.7.7.jar

Description:

A framework for constructing recognizers, compilers, and translators from grammatical descriptions containing Java, C#, C++, or Python actions.

License:

BSD License: http://www.antlr.org/license.html
File Path: /var/simplicite/.m2/repository/antlr/antlr/2.7.7/antlr-2.7.7.jar
MD5: f8f1352c52a4c6a500b597596501fc64
SHA1: 83cd2cd674a217ade95a4bb83a8a14f351f48bd0
SHA256:88fbda4b912596b9f56e8e12e580cc954bacfb51776ecfddd3e18fc1cf56dc4c
Referenced In Project/Scope:Simplicite Platform:compile

Identifiers

antlr-runtime-3.5.2.jar

Description:

A framework for constructing recognizers, compilers, and translators from grammatical descriptions containing Java, C#, C++, or Python actions.

File Path: /var/simplicite/.m2/repository/org/antlr/antlr-runtime/3.5.2/antlr-runtime-3.5.2.jar
MD5: 1fbbae2cb72530207c20b797bdabd029
SHA1: cd9cd41361c155f3af0f653009dcecb08d8b4afd
SHA256:ce3fc8ecb10f39e9a3cddcbb2ce350d272d9cd3d0b1e18e6fe73c3b9389c8734
Referenced In Project/Scope:Simplicite Platform:compile

Identifiers

aopalliance-1.0.jar

Description:

AOP Alliance

License:

Public Domain
File Path: /var/simplicite/.m2/repository/aopalliance/aopalliance/1.0/aopalliance-1.0.jar
MD5: 04177054e180d09e3998808efa0401c7
SHA1: 0235ba8b489512805ac13a8f9ea77a1ca5ebe3e8
SHA256:0addec670fedcd3f113c5c8091d783280d23f75e3acb841b61a9cdb079376a08
Referenced In Project/Scope:Simplicite Platform:compile

Identifiers

apache-mime4j-core-0.8.3.jar

Description:

Java stream based MIME message parser

License:

https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /var/simplicite/.m2/repository/org/apache/james/apache-mime4j-core/0.8.3/apache-mime4j-core-0.8.3.jar
MD5: dc03793d8d9e208f4a21a36b78f922f0
SHA1: 1179b56c9919c1a8e20d3a528ee4c6cee19bcbe0
SHA256:910002bd8d2fc413220386cd656a33b32f0007850dd53c2c0f30f90801eba6c6
Referenced In Project/Scope:Simplicite Platform:compile

Identifiers

apache-mime4j-dom-0.8.3.jar

Description:

Java MIME Document Object Model

License:

https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /var/simplicite/.m2/repository/org/apache/james/apache-mime4j-dom/0.8.3/apache-mime4j-dom-0.8.3.jar
MD5: 13a1a7be7b85c9b03f6cba68e72d83c2
SHA1: e80733714eb6a70895bfc74a9528c658504c2c83
SHA256:b7f85517887b268d94fd16b13267d9e37a151440eff8acefab3a29ef30977435
Referenced In Project/Scope:Simplicite Platform:compile

Identifiers

api-common-1.8.1.jar

Description:

Common utilities for Google APIs in Java

License:

BSD: https://github.com/googleapis/api-common-java/blob/master/LICENSE
File Path: /var/simplicite/.m2/repository/com/google/api/api-common/1.8.1/api-common-1.8.1.jar
MD5: 839b9b829ff6a7172d640b33fbc2e1b3
SHA1: e89befb19b08ad84b262b2f226ab79aefcaa9d7f
SHA256:9840ed24fce0a96492e671853077be62edab802b6760e3b327362d6949943674
Referenced In Project/Scope:Simplicite Platform:compile

Identifiers

asm-7.2-beta.jar

Description:

ASM, a very small and fast Java bytecode manipulation framework

License:

BSD: http://asm.ow2.org/license.html
File Path: /var/simplicite/.m2/repository/org/ow2/asm/asm/7.2-beta/asm-7.2-beta.jar
MD5: 11be68755323a89d5d9cf33ee306416a
SHA1: 42e26c6613fc9cb3002b55897802ab605c92dc44
SHA256:00acf26a20b0c032b3d19ea0fbc079d6694b56de46e018ecf90e68cb7dd5caa2
Referenced In Project/Scope:Simplicite Platform:compile

Identifiers

auto-value-annotations-1.6.6.jar

Description:

Immutable value-type code generation for Java 1.6+.

File Path: /var/simplicite/.m2/repository/com/google/auto/value/auto-value-annotations/1.6.6/auto-value-annotations-1.6.6.jar
MD5: fc2c981dc803b953b9b45ace05a98d8f
SHA1: 9947ae63d8ec42ea159283baf2e5b9c0ff100909
SHA256:3bf4b9e74a6bf0f38ac70af571e0f8a9d85ccba4c0693a72fea9ea46def0d5a0
Referenced In Project/Scope:Simplicite Platform:compile

Identifiers

autolink-0.10.0.jar

Description:

Java library to extract links (URLs, email addresses) from plain text; fast, small and smart about recognizing where links end.

License:

MIT License: http://www.opensource.org/licenses/mit-license.php
File Path: /var/simplicite/.m2/repository/org/nibor/autolink/autolink/0.10.0/autolink-0.10.0.jar
MD5: be771f6d4d82b9098596afa30b4f48ea
SHA1: 6579ea7079be461e5ffa99f33222a632711cc671
SHA256:302b30160968415ee6cd1907987138c7575a6315f9b6ef13b9fe3abc87367857
Referenced In Project/Scope:Simplicite Platform:compile

Identifiers

avalon-framework-impl-4.2.0.jar

File Path: /var/simplicite/.m2/repository/avalon-framework/avalon-framework-impl/4.2.0/avalon-framework-impl-4.2.0.jar
MD5: 5c1f8f5c8c6c043538fc4ea038c2aaf6
SHA1: 4da1db18947eb6950abb7ad79253011b9aec0e48
SHA256:ed42c573cab460ca634b5c64a3b40ed1d67d6ee47fe25f87947370bede6af814
Referenced In Project/Scope:Simplicite Platform:compile

Identifiers

aws-s3-2.2.0.jar

Description:

Simple Storage Service (S3) implementation targeted to Amazon Web Services

License:

https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /var/simplicite/.m2/repository/org/apache/jclouds/provider/aws-s3/2.2.0/aws-s3-2.2.0.jar
MD5: e0888fec8e07a0030b16eed4fb4c2014
SHA1: 09a357c4d48dc2cc1cfe52a09d15794f6c7c84dd
SHA256:fc971624321f1945574ba23e3dc1327c9d946c1f4c30a50588f75013795154e8
Referenced In Project/Scope:Simplicite Platform:compile

Identifiers

azureblob-2.2.0.jar

Description:

jclouds components to access Azure Blob Service

License:

https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /var/simplicite/.m2/repository/org/apache/jclouds/provider/azureblob/2.2.0/azureblob-2.2.0.jar
MD5: 6e496c24207ed776f9a933a558d878c6
SHA1: 724f1331e5124dc17621f5417df4c74ee1940be7
SHA256:17910ad862f1f61ed87875cd735b137c8a7cdeb69f9754448e0004592094f78f
Referenced In Project/Scope:Simplicite Platform:compile

Identifiers

barcode4j-2.1.jar

Description:

Barcode4J is a flexible generator for barcodes written in Java.

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /var/simplicite/.m2/repository/net/sf/barcode4j/barcode4j/2.1/barcode4j-2.1.jar
MD5: 4fc30cdb7b1abaf1ce08f26b0666e351
SHA1: 4b38b2219c0d522fcea8238493f2ea3e238ef529
SHA256:eb7252cc41a1539bcd018348e9f60e0942872bdaa49c58051e656a6be94969fb
Referenced In Project/Scope:Simplicite Platform:compile

Identifiers

base64-2.3.8.jar

Description:

A Java class providing very fast Base64 encoding and decoding in the form of convenience methods and input/output streams.

License:

Public domain
File Path: /var/simplicite/.m2/repository/net/iharder/base64/2.3.8/base64-2.3.8.jar
MD5: 9a9828f0caa016a2f3e0c90fe3af771b
SHA1: 7d2e2cea90cc51169fd02a35888820ab07f6d02f
SHA256:bbf41fda22877a538f6bc2d5ad0aa372a7ddf4a756af3386aa09d3d4eea84f7f
Referenced In Project/Scope:Simplicite Platform:compile

Identifiers

bcmail-jdk15on-1.63.jar

Description:

The Bouncy Castle Java S/MIME APIs for handling S/MIME protocols. This jar contains S/MIME APIs for JDK 1.5 to JDK 1.8. The APIs can be used in conjunction with a JCE/JCA provider such as the one provided with the Bouncy Castle Cryptography APIs. The JavaMail API and the Java activation framework will also be needed.

License:

Bouncy Castle Licence: http://www.bouncycastle.org/licence.html
File Path: /var/simplicite/.m2/repository/org/bouncycastle/bcmail-jdk15on/1.63/bcmail-jdk15on-1.63.jar
MD5: 2ff3d5ba2e923c1030401cd7e91dd2bd
SHA1: aa0f31cf8d4717aa213539d469478220d679357f
SHA256:6078638744a1b3ce842fd70330681c058ad9aa278696dc71c430b4d6449501c3
Referenced In Project/Scope:Simplicite Platform:compile

Identifiers

  • pkg:maven/org.bouncycastle/bcmail-jdk15on@1.63  (Confidence:High)
  • cpe:2.3:a:bouncycastle:bouncy_castle_for_java:1.63:*:*:*:*:*:*:*  (Confidence:Low)  
  • cpe:2.3:a:bouncycastle:legion-of-the-bouncy-castle:1.63:*:*:*:*:*:*:*  (Confidence:Low)  

CVE-2023-33202  

Bouncy Castle for Java before 1.73 contains a potential Denial of Service (DoS) issue within the Bouncy Castle org.bouncycastle.openssl.PEMParser class. This class parses OpenSSL PEM encoded streams containing X.509 certificates, PKCS8 encoded keys, and PKCS7 objects. Parsing a file that has crafted ASN.1 data through the PEMParser causes an OutOfMemoryError, which can enable a denial of service attack. (For users of the FIPS Java API: BC-FJA 1.0.2.3 and earlier are affected; BC-FJA 1.0.2.4 is fixed.)
CWE-400 Uncontrolled Resource Consumption ('Resource Exhaustion')

CVSSv3:
  • Base Score: MEDIUM (5.5)
  • Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

References:

Vulnerable Software & Versions:

bcpg-jdk15on-1.63.jar

Description:

The Bouncy Castle Java API for handling the OpenPGP protocol. This jar contains the OpenPGP API for JDK 1.5 to JDK 1.8. The APIs can be used in conjunction with a JCE/JCA provider such as the one provided with the Bouncy Castle Cryptography APIs.

License:

Bouncy Castle Licence: http://www.bouncycastle.org/licence.html
Apache Software License, Version 1.1: http://www.apache.org/licenses/LICENSE-1.1
File Path: /var/simplicite/.m2/repository/org/bouncycastle/bcpg-jdk15on/1.63/bcpg-jdk15on-1.63.jar
MD5: c551097b29b7d81bc5ae1184a6bcc7c6
SHA1: a93a004e30ba70feb94213bd9adb3bb5295361ef
SHA256:dc4f51adfc46583c2543489c82708fef5660202bf264c7cd453f081a117ea536
Referenced In Project/Scope:Simplicite Platform:compile

Identifiers

  • pkg:maven/org.bouncycastle/bcpg-jdk15on@1.63  (Confidence:High)
  • cpe:2.3:a:bouncycastle:bouncy_castle_for_java:1.63:*:*:*:*:*:*:*  (Confidence:Low)  
  • cpe:2.3:a:bouncycastle:legion-of-the-bouncy-castle:1.63:*:*:*:*:*:*:*  (Confidence:Low)  

CVE-2023-33202  

Bouncy Castle for Java before 1.73 contains a potential Denial of Service (DoS) issue within the Bouncy Castle org.bouncycastle.openssl.PEMParser class. This class parses OpenSSL PEM encoded streams containing X.509 certificates, PKCS8 encoded keys, and PKCS7 objects. Parsing a file that has crafted ASN.1 data through the PEMParser causes an OutOfMemoryError, which can enable a denial of service attack. (For users of the FIPS Java API: BC-FJA 1.0.2.3 and earlier are affected; BC-FJA 1.0.2.4 is fixed.)
CWE-400 Uncontrolled Resource Consumption ('Resource Exhaustion')

CVSSv3:
  • Base Score: MEDIUM (5.5)
  • Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

References:

Vulnerable Software & Versions:

bcpkix-jdk15on-1.63.jar

Description:

The Bouncy Castle Java APIs for CMS, PKCS, EAC, TSP, CMP, CRMF, OCSP, and certificate generation. This jar contains APIs for JDK 1.5 to JDK 1.8. The APIs can be used in conjunction with a JCE/JCA provider such as the one provided with the Bouncy Castle Cryptography APIs.

License:

Bouncy Castle Licence: http://www.bouncycastle.org/licence.html
File Path: /var/simplicite/.m2/repository/org/bouncycastle/bcpkix-jdk15on/1.63/bcpkix-jdk15on-1.63.jar
MD5: c7dc9b66a0535f44dd088babea47b506
SHA1: 81e2a6d531213271dd936e4a94a041d49e4721e8
SHA256:e9e6a1a9c411681100dce967b6a8e66f4a0bbdc8ae18379a0044dd0e19b888b0
Referenced In Project/Scope:Simplicite Platform:compile

Identifiers

  • pkg:maven/org.bouncycastle/bcpkix-jdk15on@1.63  (Confidence:High)
  • cpe:2.3:a:bouncycastle:bouncy_castle_for_java:1.63:*:*:*:*:*:*:*  (Confidence:Low)  
  • cpe:2.3:a:bouncycastle:legion-of-the-bouncy-castle:1.63:*:*:*:*:*:*:*  (Confidence:Low)  

CVE-2023-33202  

Bouncy Castle for Java before 1.73 contains a potential Denial of Service (DoS) issue within the Bouncy Castle org.bouncycastle.openssl.PEMParser class. This class parses OpenSSL PEM encoded streams containing X.509 certificates, PKCS8 encoded keys, and PKCS7 objects. Parsing a file that has crafted ASN.1 data through the PEMParser causes an OutOfMemoryError, which can enable a denial of service attack. (For users of the FIPS Java API: BC-FJA 1.0.2.3 and earlier are affected; BC-FJA 1.0.2.4 is fixed.)
CWE-400 Uncontrolled Resource Consumption ('Resource Exhaustion')

CVSSv3:
  • Base Score: MEDIUM (5.5)
  • Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

References:

Vulnerable Software & Versions:

bcprov-jdk15on-1.63.jar

Description:

The Bouncy Castle Crypto package is a Java implementation of cryptographic algorithms. This jar contains JCE provider and lightweight API for the Bouncy Castle Cryptography APIs for JDK 1.5 to JDK 1.8.

License:

Bouncy Castle Licence: http://www.bouncycastle.org/licence.html
File Path: /var/simplicite/.m2/repository/org/bouncycastle/bcprov-jdk15on/1.63/bcprov-jdk15on-1.63.jar
MD5: d357114f1605c034ebcb99f3c9d36f7e
SHA1: c996f9c64dc0e94e2d2ae962cc7b7cad7744fcc8
SHA256:28155c8695934f666fabc235f992096e40d97ecb044d5b6b0902db6e15a0b72f
Referenced In Project/Scope:Simplicite Platform:compile

Identifiers

CVE-2019-17359  

The ASN.1 parser in Bouncy Castle Crypto (aka BC Java) 1.63 can trigger a large attempted memory allocation, and a resultant OutOfMemoryError, via crafted ASN.1 data. This is fixed in 1.64.
CWE-770 Allocation of Resources Without Limits or Throttling

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:P
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References:

Vulnerable Software & Versions:

CVE-2020-15522  

Bouncy Castle BC Java before 1.66, BC C# .NET before 1.8.7, BC-FJA before 1.0.1.2, 1.0.2.1, and BC-FNA before 1.0.1.1 have a timing issue within the EC math library that can expose information about the private key when an attacker is able to observe timing information for the generation of multiple deterministic ECDSA signatures.
CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:P/I:N/A:N
CVSSv3:
  • Base Score: MEDIUM (5.9)
  • Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

References:

Vulnerable Software & Versions:

CVE-2020-0187 (OSSINDEX)  

In engineSetMode of BaseBlockCipher.java, there is a possible incorrect cryptographic algorithm chosen due to an incomplete comparison. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-10. Android ID: A-148517383.
CWE-310 Cryptographic Issues

CVSSv2:
  • Base Score: MEDIUM (5.5)
  • Vector: /AV:L/AC:L/Au:/C:H/I:N/A:N

References:

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:org.bouncycastle:bcprov-jdk15on:1.63:*:*:*:*:*:*:*

CVE-2023-33201 (OSSINDEX)  

Bouncy Castle For Java before 1.74 is affected by an LDAP injection vulnerability. The vulnerability only affects applications that use an LDAP CertStore from Bouncy Castle to validate X.509 certificates. During the certificate validation process, Bouncy Castle inserts the certificate's Subject Name into an LDAP search filter without any escaping, which leads to an LDAP injection vulnerability.
CWE-295 Improper Certificate Validation

CVSSv2:
  • Base Score: MEDIUM (5.3)
  • Vector: /AV:N/AC:L/Au:/C:L/I:N/A:N

References:

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:org.bouncycastle:bcprov-jdk15on:1.63:*:*:*:*:*:*:*

boilerpipe-1.1.0.jar

Description:

The boilerpipe library provides algorithms to detect and remove the surplus "clutter" (boilerplate, templates) around the main textual content of a web page.

The library already provides specific strategies for common tasks (for example: news article extraction) and may also be easily extended for individual problem settings.

Extracting content is very fast (milliseconds), just needs the input document (no global or site-level information required) and is usually quite accurate.

Boilerpipe is a Java library written by Christian Kohlschütter. It is released under the Apache License 2.0.

The algorithms used by the library are based on (and extending) some concepts of the paper "Boilerplate Detection using Shallow Text Features" by Christian Kohlschütter et al., presented at WSDM 2010 -- The Third ACM International Conference on Web Search and Data Mining, New York City, NY, USA.

License:

Apache License 2.0
File Path: /var/simplicite/.m2/repository/de/l3s/boilerpipe/boilerpipe/1.1.0/boilerpipe-1.1.0.jar
MD5: 0616568083786d0f49e2cb07a5d09fe4
SHA1: f62cb75ed52455a9e68d1d05b84c500673340eb2
SHA256:088203df4326c4dcc42cec1253a2b41e03dc8904984eae744543b48e2cc63846
Referenced In Project/Scope:Simplicite Platform:compile

Identifiers

bson-3.11.0.jar

Description:

The BSON library

License:

The Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /var/simplicite/.m2/repository/org/mongodb/bson/3.11.0/bson-3.11.0.jar
MD5: fee103bbdf1b62541826f1fff8c75166
SHA1: 5f00c5a8f05b66a33239efd1131aaef5a49ba5b8
SHA256:87015c5e3d35ae0e1593a89adacaa744c265ba617a4e045252a0e67855998c4d
Referenced In Project/Scope:Simplicite Platform:runtime

Identifiers

bzip2-0.9.1.jar

Description:

jbzip2 is a Java bzip2 compression/decompression library. It can be used as a replacement for the Apache CBZip2InputStream / CBZip2OutputStream classes.

License:

MIT License (MIT): http://opensource.org/licenses/mit-license.php
File Path: /var/simplicite/.m2/repository/org/itadaki/bzip2/0.9.1/bzip2-0.9.1.jar
MD5: ddd5eb3a035655cbbb536e9b86907a00
SHA1: 47ca95f71e3ccae756c4a24354d48069c58f475c
SHA256:865a7a13dd33ef0388f675993adaf4c6f95632ba80d609d42e9d42e6343aae77
Referenced In Project/Scope:Simplicite Platform:compile

Identifiers

c3p0-0.9.5.4.jar

Description:

a JDBC Connection pooling / Statement caching library

License:

GNU Lesser General Public License, Version 2.1: http://www.gnu.org/licenses/lgpl-2.1.html
Eclipse Public License, Version 1.0: http://www.eclipse.org/org/documents/epl-v10.php
File Path: /var/simplicite/.m2/repository/com/mchange/c3p0/0.9.5.4/c3p0-0.9.5.4.jar
MD5: 45fd4a89c9fd671a0d1dc97c0ec77abe
SHA1: a21a1d37ae0b59efce99671544f51c34ed1e8def
SHA256:60cf2906cd6ad6771f514a3e848b74b3e3da99c1806f2a63c38e2dd8da5ef11f
Referenced In Project/Scope:Simplicite Platform:compile

Identifiers

cdm-4.5.5.jar

Description:

The NetCDF-Java Library is a Java interface to NetCDF files, as well as to many other types of scientific data formats.

File Path: /var/simplicite/.m2/repository/edu/ucar/cdm/4.5.5/cdm-4.5.5.jar
MD5: 7770c86aabbd0ec5e12ed1f0600d5492
SHA1: af1748a3d024069cb7fd3fc2591efe806c914589
SHA256:74ea183cda0f7aa06fae2f3cfa8c3c6c64d013ce8cb87bde4a06de6676eacfdb
Referenced In Project/Scope:Simplicite Platform:compile

Identifiers

checker-qual-2.11.0.jar

Description:

Checker Qual is the set of annotations (qualifiers) and supporting classes used by the Checker Framework to type check Java source code. Please see artifact: org.checkerframework:checker

License:

The MIT License: http://opensource.org/licenses/MIT
File Path: /var/simplicite/.m2/repository/org/checkerframework/checker-qual/2.11.0/checker-qual-2.11.0.jar
MD5: 33a7c3e20614e973a80aa284e3782156
SHA1: 7de2908ee759b650dcddfd9913698e472cbe7272
SHA256:493ccb75b28a164c7dbe066bcfef0fd4091fdc1d384cef664ae9555ff397cd83
Referenced In Project/Scope:Simplicite Platform:compile

Identifiers

codemodel-2.3.2.jar

Description:

The core functionality of the CodeModel java source code generation library

File Path: /var/simplicite/.m2/repository/org/glassfish/jaxb/codemodel/2.3.2/codemodel-2.3.2.jar
MD5: 8651b4954656d27a3408ffc38f041060
SHA1: 143b70e564189b3f71a2e7f02d6bb8c6b16b5632
SHA256:8a89a76dffb491a3b2bcfcb6e8d9fb2e30ec0c36629a033f90c93182799af773
Referenced In Project/Scope:Simplicite Platform:compile

Identifiers

commonmark-0.13.0.jar

Description:

Core of commonmark-java (implementation of CommonMark for parsing markdown and rendering to HTML)

File Path: /var/simplicite/.m2/repository/com/atlassian/commonmark/commonmark/0.13.0/commonmark-0.13.0.jar
MD5: 535b94d32fa44874a37824586ab5906b
SHA1: d233ad1436f35c7f88e3488ce6c1e65425c1a059
SHA256:fd38aecef680649894ffd7b434e10081fc609e260c63e16c4323a3eaa2a9f096
Referenced In Project/Scope:Simplicite Platform:compile

Identifiers

commonmark-ext-autolink-0.13.0.jar

Description:

commonmark-java extension for turning plain URLs and email addresses into links

File Path: /var/simplicite/.m2/repository/com/atlassian/commonmark/commonmark-ext-autolink/0.13.0/commonmark-ext-autolink-0.13.0.jar
MD5: 3dc8ecec8ae20ad6211002d9d39ce47a
SHA1: 06c68a2bea2d1643024ab2533350f3317e46a066
SHA256:610a086274e7ccc9611d99de91d7a4c8ee9a429ede65eb2afd7691882f837bd5
Referenced In Project/Scope:Simplicite Platform:compile

Identifiers

commonmark-ext-gfm-strikethrough-0.13.0.jar

Description:

commonmark-java extension for GFM strikethrough using ~~ (GitHub Flavored Markdown)

File Path: /var/simplicite/.m2/repository/com/atlassian/commonmark/commonmark-ext-gfm-strikethrough/0.13.0/commonmark-ext-gfm-strikethrough-0.13.0.jar
MD5: 40a9c6854bf27aa785c979ada9ebac9c
SHA1: 60c7582b118a9c47e859544df04da88cf1282eaf
SHA256:5f3ad6d147eeab88f99b4f0f7be42969e1e876d4d3b851abd57a71b4af80ea6f
Referenced In Project/Scope:Simplicite Platform:compile

Identifiers

commonmark-ext-gfm-tables-0.13.0.jar

Description:

commonmark-java extension for GFM tables using "|" pipes (GitHub Flavored Markdown)

File Path: /var/simplicite/.m2/repository/com/atlassian/commonmark/commonmark-ext-gfm-tables/0.13.0/commonmark-ext-gfm-tables-0.13.0.jar
MD5: 7e660c78c296f6ae4aa1382193e83d80
SHA1: c3a5ba4217cacc7833c697e5081da42ae996655f
SHA256:b4709a5149cd3cbfb9762216955ba0576abc88b52973b30dd6f697a7a6290d15
Referenced In Project/Scope:Simplicite Platform:compile

Identifiers

commonmark-ext-heading-anchor-0.13.0.jar

Description:

commonmark-java extension for adding unique id attributes to header tags

File Path: /var/simplicite/.m2/repository/com/atlassian/commonmark/commonmark-ext-heading-anchor/0.13.0/commonmark-ext-heading-anchor-0.13.0.jar
MD5: 6cad26a7747122569d835428b7486df3
SHA1: 37d5856e790aeb5244fe931111d9ab7e13955d51
SHA256:c1fbe40469f494c6f31f7870ea69f8db60d854b6c12bb0e2b615e08a55901c46
Referenced In Project/Scope:Simplicite Platform:compile

Identifiers

commonmark-ext-ins-0.13.0.jar

Description:

commonmark-java extension for using ++

File Path: /var/simplicite/.m2/repository/com/atlassian/commonmark/commonmark-ext-ins/0.13.0/commonmark-ext-ins-0.13.0.jar
MD5: ded30f88bf404a24ba589e544eeaf378
SHA1: c61ce9b71905e0a83871511c9eeec2051212036e
SHA256:5c65a7191a40d7cd3a49655e8534229b286b121169ff69ffbbace009ecd63965
Referenced In Project/Scope:Simplicite Platform:compile

Identifiers

commons-beanutils-1.9.4.jar

Description:

Apache Commons BeanUtils provides an easy-to-use but flexible wrapper around reflection and introspection.

License:

https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /var/simplicite/.m2/repository/commons-beanutils/commons-beanutils/1.9.4/commons-beanutils-1.9.4.jar
MD5: 07dc532ee316fe1f2f0323e9bd2f8df4
SHA1: d52b9abcd97f38c81342bb7e7ae1eee9b73cba51
SHA256:7d938c81789028045c08c065e94be75fc280527620d5bd62b519d5838532368a
Referenced In Project/Scope:Simplicite Platform:compile

Identifiers

commons-cli-1.4.jar

Description:

Apache Commons CLI provides a simple API for presenting, processing and validating a command line interface.

License:

https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /var/simplicite/.m2/repository/commons-cli/commons-cli/1.4/commons-cli-1.4.jar
MD5: c966d7e03507c834d5b09b848560174e
SHA1: c51c00206bb913cd8612b24abd9fa98ae89719b1
SHA256:fd3c7c9545a9cdb2051d1f9155c4f76b1e4ac5a57304404a6eedb578ffba7328
Referenced In Project/Scope:Simplicite Platform:compile

Identifiers

commons-codec-1.13.jar

Description:

The Apache Commons Codec package contains simple encoders and decoders for various formats such as Base64 and Hexadecimal. In addition to these widely used encoders and decoders, the codec package also maintains a collection of phonetic encoding utilities.

License:

https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /var/simplicite/.m2/repository/commons-codec/commons-codec/1.13/commons-codec-1.13.jar
MD5: 5085f186156822fa3a02e55bcd5584a8
SHA1: 3f18e1aa31031d89db6f01ba05d501258ce69d2c
SHA256:61f7a3079e92b9fdd605238d0295af5fd11ac411a0a0af48deace1f6c5ffa072
Referenced In Project/Scope:Simplicite Platform:compile

Identifiers

commons-collections-3.2.2.jar

Description:

Types that extend and augment the Java Collections Framework.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /var/simplicite/.m2/repository/commons-collections/commons-collections/3.2.2/commons-collections-3.2.2.jar
MD5: f54a8510f834a1a57166970bfc982e94
SHA1: 8ad72fe39fa8c91eaaf12aadb21e0c3661fe26d5
SHA256:eeeae917917144a68a741d4c0dff66aa5c5c5fd85593ff217bced3fc8ca783b8
Referenced In Project/Scope:Simplicite Platform:compile

Identifiers

commons-collections4-4.4.jar

Description:

The Apache Commons Collections package contains types that extend and augment the Java Collections Framework.

License:

https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /var/simplicite/.m2/repository/org/apache/commons/commons-collections4/4.4/commons-collections4-4.4.jar
MD5: 4a37023740719b391f10030362c86be6
SHA1: 62ebe7544cb7164d87e0637a2a6a2bdc981395e8
SHA256:1df8b9430b5c8ed143d7815e403e33ef5371b2400aadbe9bda0883762e0846d1
Referenced In Project/Scope:Simplicite Platform:compile

Identifiers

commons-compress-1.19.jar

Description:

Apache Commons Compress software defines an API for working with compression and archive formats. These include: bzip2, gzip, pack200, lzma, xz, Snappy, traditional Unix Compress, DEFLATE, DEFLATE64, LZ4, Brotli, Zstandard and ar, cpio, jar, tar, zip, dump, 7z, arj.

License:

https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /var/simplicite/.m2/repository/org/apache/commons/commons-compress/1.19/commons-compress-1.19.jar
MD5: fe897bced43468450b785b66c1cff455
SHA1: 7e65777fb451ddab6a9c054beb879e521b7eab78
SHA256:ff2d59fad74e867630fbc7daab14c432654712ac624dbee468d220677b124dd5
Referenced In Project/Scope:Simplicite Platform:compile

Identifiers

CVE-2021-35515  

When reading a specially crafted 7Z archive, the construction of the list of codecs that decompress an entry can result in an infinite loop. This could be used to mount a denial of service attack against services that use Compress' sevenz package.
CWE-835 Loop with Unreachable Exit Condition ('Infinite Loop')

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:P
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References:

Vulnerable Software & Versions:

CVE-2021-35516  

When reading a specially crafted 7Z archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' sevenz package.
CWE-770 Allocation of Resources Without Limits or Throttling

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:P
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References:

Vulnerable Software & Versions:

CVE-2021-35517  

When reading a specially crafted TAR archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' tar package.
CWE-770 Allocation of Resources Without Limits or Throttling

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:P
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References:

Vulnerable Software & Versions:

CVE-2021-36090  

When reading a specially crafted ZIP archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' zip package.
NVD-CWE-Other

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:P
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References:

Vulnerable Software & Versions:

commons-csv-1.7.jar

Description:

The Apache Commons CSV library provides a simple interface for reading and writing CSV files of various types.

License:

https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /var/simplicite/.m2/repository/org/apache/commons/commons-csv/1.7/commons-csv-1.7.jar
MD5: 2565c6a73ddefd0ceb9e130063f9e51e
SHA1: cb5d05520f8fe1b409aaf29962e47dc5764f8f39
SHA256:25f5e7914729a3cb9cbb83918b5f1116625cca63ce38a50f0fe596f837b9a524
Referenced In Project/Scope:Simplicite Platform:compile

Identifiers

commons-discovery-0.5.jar

Description:

The Apache Commons Discovery component is about discovering, or finding, implementations for pluggable interfaces.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /var/simplicite/.m2/repository/commons-discovery/commons-discovery/0.5/commons-discovery-0.5.jar
MD5: b35120680c3a22cec7a037fce196cd97
SHA1: 3a8ac816bbe02d2f88523ef22cbf2c4abd71d6a8
SHA256:e5b7d58ae62e5b309d5c0ffa5a5b1d9d1e0f0c4c3cc18d1fe3103fd29f90149d
Referenced In Project/Scope:Simplicite Platform:compile

Identifiers

CVE-2022-0869  

Multiple Open Redirect in GitHub repository nitely/spirit prior to 0.12.3.
CWE-601 URL Redirection to Untrusted Site ('Open Redirect')

CVSSv2:
  • Base Score: MEDIUM (5.8)
  • Vector: /AV:N/AC:M/Au:N/C:P/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (6.1)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

References:

Vulnerable Software & Versions:

commons-email-1.5.jar

Description:

Apache Commons Email aims to provide an API for sending email. It is built on top of the JavaMail API, which it aims to simplify.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /var/simplicite/.m2/repository/org/apache/commons/commons-email/1.5/commons-email-1.5.jar
MD5: e72657496d31f152aa26d4122e0850d9
SHA1: e8e677c6362eba14ff3c476ba63ccb83132dbd52
SHA256:ee8479906abb2c355a46a0a9845cfa1803bcc3c520a34baea4a6cf4e1f0f0cc1
Referenced In Project/Scope:Simplicite Platform:compile

Identifiers

commons-exec-1.3.jar

Description:

Apache Commons Exec is a library to reliably execute external processes from within the JVM.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /var/simplicite/.m2/repository/org/apache/commons/commons-exec/1.3/commons-exec-1.3.jar
MD5: 8bb8fa2edfd60d5c7ed6bf9923d14aa8
SHA1: 8dfb9facd0830a27b1b5f29f84593f0aeee7773b
SHA256:cb49812dc1bfb0ea4f20f398bcae1a88c6406e213e67f7524fb10d4f8ad9347b
Referenced In Project/Scope:Simplicite Platform:compile

Identifiers

commons-fileupload-1.4.jar

Description:

The Apache Commons FileUpload component provides a simple yet flexible means of adding support for multipart file upload functionality to servlets and web applications.

License:

https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /var/simplicite/.m2/repository/commons-fileupload/commons-fileupload/1.4/commons-fileupload-1.4.jar
MD5: 0c3b924dcaaa90c3fb93fe04ae96a35e
SHA1: f95188e3d372e20e7328706c37ef366e5d7859b0
SHA256:a4ec02336f49253ea50405698b79232b8c5cbf02cb60df3a674d77a749a1def7
Referenced In Project/Scope:Simplicite Platform:compile

Identifiers

CVE-2023-24998  

Apache Commons FileUpload before 1.5 does not limit the number of request parts to be processed resulting in the possibility of an attacker triggering a DoS with a malicious upload or series of uploads.

Note that, like all of the file upload limits, the new configuration option (FileUploadBase#setFileCountMax) is not enabled by default and must be explicitly configured.
CWE-770 Allocation of Resources Without Limits or Throttling

CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References:

Vulnerable Software & Versions:
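
The CVE text above makes the practical point: the part-count limit is opt-in, so upgrading alone does not close the issue. The following is an added example, not code from the Simplicite project or from Commons FileUpload's own documentation. It assumes an upgrade to commons-fileupload 1.5 (setFileCountMax does not exist in 1.4, which has no part-count limit at all) and a servlet container supplying an HttpServletRequest; the limit values (20 parts, 10 MiB per part, 50 MiB per request, 256 KiB in-memory threshold) are illustrative assumptions to be sized for the application.

```java
import java.util.List;
import javax.servlet.http.HttpServletRequest;
import org.apache.commons.fileupload.FileItem;
import org.apache.commons.fileupload.FileUploadBase;
import org.apache.commons.fileupload.FileUploadException;
import org.apache.commons.fileupload.disk.DiskFileItemFactory;
import org.apache.commons.fileupload.servlet.ServletFileUpload;

public final class BoundedUpload {

    // What commons-fileupload 1.4 (and an unconfigured 1.5) gives you: every limit is
    // "unlimited", so a request carrying millions of tiny parts is parsed in full.
    static ServletFileUpload unbounded() {
        return new ServletFileUpload(new DiskFileItemFactory());
    }

    // Hardened: every limit set explicitly. The numbers are illustrative assumptions.
    static ServletFileUpload bounded() {
        DiskFileItemFactory factory = new DiskFileItemFactory();
        factory.setSizeThreshold(256 * 1024);      // bytes kept in memory per part before spilling to disk
        ServletFileUpload upload = new ServletFileUpload(factory);
        upload.setFileCountMax(20);                // 1.5+: cap on the number of parts (CVE-2023-24998)
        upload.setFileSizeMax(10L * 1024 * 1024);  // cap per part
        upload.setSizeMax(50L * 1024 * 1024);      // cap on the whole request body
        return upload;
    }

    // Parse with the bounded instance. Limit violations arrive as FileUploadException
    // subclasses; the caller should map them to a 4xx instead of letting them surface as 500s.
    static List<FileItem> parse(HttpServletRequest request) throws FileUploadException {
        if (!ServletFileUpload.isMultipartContent(request)) {
            throw new FileUploadException("not a multipart request");
        }
        try {
            return bounded().parseRequest(request);
        } catch (FileUploadBase.FileCountLimitExceededException e) {
            throw new FileUploadException("too many parts in request", e);
        } catch (FileUploadBase.SizeLimitExceededException e) {
            throw new FileUploadException("request body too large", e);
        }
    }
}
```

A cheap check that the limits are actually in force is to post a multipart body with one more part than setFileCountMax allows against a test deployment and confirm the request is rejected early rather than fully buffered.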

commons-httpclient-3.1.jar

Description:

The HttpClient component supports the client-side of RFC 1945 (HTTP/1.0) and RFC 2616 (HTTP/1.1), several related specifications (RFC 2109 (Cookies), RFC 2617 (HTTP Authentication), etc.), and provides a framework by which new request types (methods) or HTTP extensions can be created easily.

License:

Apache License: http://www.apache.org/licenses/LICENSE-2.0
File Path: /var/simplicite/.m2/repository/commons-httpclient/commons-httpclient/3.1/commons-httpclient-3.1.jar
MD5: 8ad8c9229ef2d59ab9f59f7050e846a5
SHA1: 964cd74171f427720480efdec40a7c7f6e58426a
SHA256:dbd4953d013e10e7c1cc3701a3e6ccd8c950c892f08d804fabfac21705930443
Referenced In Project/Scope:Simplicite Platform:compile

Identifiers

CVE-2012-5783  

Apache Commons HttpClient 3.x, as used in Amazon Flexible Payments Service (FPS) merchant Java SDK and other products, does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.
CWE-295 Improper Certificate Validation

CVSSv2:
  • Base Score: MEDIUM (5.8)
  • Vector: /AV:N/AC:M/Au:N/C:P/I:P/A:N

References:

Vulnerable Software & Versions:

CVE-2020-13956  

Apache HttpClient versions prior to version 4.5.13 and 5.0.3 can misinterpret malformed authority component in request URIs passed to the library as java.net.URI object and pick the wrong target host for request execution.
NVD-CWE-noinfo

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (5.3)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

References:

Vulnerable Software & Versions:
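
Commons HttpClient 3.x is end-of-life and has no release that fixes CVE-2012-5783; the remedy is migration to Apache HttpComponents HttpClient 4.5.13 or later, which is also the fix version named for CVE-2020-13956. The following is an added example, not code from the Simplicite project or from HttpComponents' documentation. It assumes the org.apache.httpcomponents:httpclient 4.5 API and shows the opt-out that reproduces the 3.x behaviour next to the verifying configuration, plus a URI pre-check that rebuilds the target from its parsed components. The pre-check is a defensive assumption layered on top of the upgrade, not the library's own fix.

```java
import java.net.URI;
import java.net.URISyntaxException;
import org.apache.http.conn.ssl.DefaultHostnameVerifier;
import org.apache.http.conn.ssl.NoopHostnameVerifier;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClients;

public final class HardenedHttpClient {

    // The failure mode CVE-2012-5783 describes, reproduced on 4.5 by opting out of hostname
    // verification: any certificate chaining to a trusted CA is accepted for any host.
    static CloseableHttpClient insecure() {
        return HttpClients.custom()
                .setSSLHostnameVerifier(NoopHostnameVerifier.INSTANCE)
                .build();
    }

    // Hardened: RFC 2818 host matching against CN/SAN. This is already the 4.5 default;
    // setting it explicitly keeps a later "quick fix" from silently switching to Noop.
    static CloseableHttpClient hardened() {
        return HttpClients.custom()
                .setSSLHostnameVerifier(new DefaultHostnameVerifier())
                .build();
    }

    // CVE-2020-13956 was a disagreement between java.net.URI and HttpClient over a malformed
    // authority. Rebuilding the URI from its parsed parts (https only, host required, no
    // user-info) rejects the odd forms before they reach the client. Assumption: the
    // application only needs https targets.
    static URI checkedTarget(String raw) throws URISyntaxException {
        URI uri = new URI(raw);
        if (!"https".equalsIgnoreCase(uri.getScheme())) {
            throw new URISyntaxException(raw, "only https targets are allowed");
        }
        if (uri.getHost() == null || uri.getUserInfo() != null) {
            throw new URISyntaxException(raw, "authority must be a plain host[:port]");
        }
        return new URI(uri.getScheme(), null, uri.getHost(), uri.getPort(),
                uri.getPath(), uri.getQuery(), uri.getFragment());
    }
}
```

The checkedTarget result is what should be handed to HttpGet and friends; logging the rebuilt URI next to the raw input during rollout makes any rejected authority forms visible.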

commons-io-2.6.jar

Description:

The Apache Commons IO library contains utility classes, stream implementations, file filters, file comparators, endian transformation classes, and much more.

License:

https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /var/simplicite/.m2/repository/commons-io/commons-io/2.6/commons-io-2.6.jar
MD5: 467c2a1f64319c99b5faf03fc78572af
SHA1: 815893df5f31da2ece4040fe0a12fd44b577afaf
SHA256:f877d304660ac2a142f3865badfc971dec7ed73c747c7f8d5d2f5139ca736513
Referenced In Project/Scope:Simplicite Platform:compile

Identifiers

CVE-2021-29425  

In Apache Commons IO before 2.7, When invoking the method FileNameUtils.normalize with an improper input string, like "//../foo", or "\\..\foo", the result would be the same value, thus possibly providing access to files in the parent directory, but not further above (thus "limited" path traversal), if the calling code would use the result to construct a path value.
CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVSSv2:
  • Base Score: MEDIUM (5.8)
  • Vector: /AV:N/AC:M/Au:N/C:P/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (4.8)
  • Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

References:

Vulnerable Software & Versions:
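
The CVE text is careful to say the traversal only materialises when the calling code builds a path from the normalized string, so the real control belongs at that point rather than in FilenameUtils. The following is an added example, not code from the Simplicite project or from Commons IO's documentation. It assumes commons-io on the classpath (any version; the contrast is the point) and shows the fragile pattern beside a containment check done with java.nio.file that does not depend on the commons-io version.

```java
import java.nio.file.Path;
import java.nio.file.Paths;
import org.apache.commons.io.FilenameUtils;

public final class ContainedPath {

    // Fragile pattern: FilenameUtils.normalize is the only control. Per CVE-2021-29425,
    // on commons-io before 2.7 the inputs "//../foo" and "\\..\foo" come back as "the same
    // value" rather than null, so the ".." survives and resolves one level above base.
    static Path resolveNormalizeOnly(Path base, String userSupplied) {
        String normalized = FilenameUtils.normalize(userSupplied);
        if (normalized == null) {
            throw new IllegalArgumentException("invalid path: " + userSupplied);
        }
        return base.resolve(normalized);
    }

    // Hardened: reject absolute input, resolve against the base, normalize the Path (not the
    // string), then require that the result still lies under the base directory.
    static Path resolveContained(Path base, String userSupplied) {
        Path root = base.toAbsolutePath().normalize();
        Path candidate = Paths.get(userSupplied);
        if (candidate.isAbsolute()) {
            throw new IllegalArgumentException("absolute paths are not allowed: " + userSupplied);
        }
        Path target = root.resolve(candidate).normalize();
        if (!target.startsWith(root)) {
            throw new IllegalArgumentException("path escapes base directory: " + userSupplied);
        }
        return target;
    }
}
```

The startsWith test after normalize is the decisive line: "../x", "a/../../x" and the CVE's "//../foo" all normalize to something outside root and are refused. It does not follow symbolic links; where the base directory may contain links pointing outside it, apply the same containment test to target.toRealPath() as well.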

commons-lang-2.6.jar

Description:

Commons Lang, a package of Java utility classes for the classes that are in java.lang's hierarchy, or are considered to be so standard as to justify existence in java.lang.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /var/simplicite/.m2/repository/commons-lang/commons-lang/2.6/commons-lang-2.6.jar
MD5: 4d5c1693079575b362edf41500630bbd
SHA1: 0ce1edb914c94ebc388f086c6827e8bdeec71ac2
SHA256:50f11b09f877c294d56f24463f47d28f929cf5044f648661c0f0cfbae9a2f49c
Referenced In Project/Scope:Simplicite Platform:compile

Identifiers

commons-lang3-3.9.jar

Description:

Apache Commons Lang, a package of Java utility classes for the classes that are in java.lang's hierarchy, or are considered to be so standard as to justify existence in java.lang.

License:

https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /var/simplicite/.m2/repository/org/apache/commons/commons-lang3/3.9/commons-lang3-3.9.jar
MD5: fa752c3cb5474b05e14bf2ed7e242020
SHA1: 0122c7cee69b53ed4a7681c03d4ee4c0e2765da5
SHA256:de2e1dcdcf3ef917a8ce858661a06726a9a944f28e33ad7f9e08bea44dc3c230
Referenced In Project/Scope:Simplicite Platform:compile

Identifiers

commons-logging-1.2.jar

Description:

Apache Commons Logging is a thin adapter allowing configurable bridging to other, well known logging systems.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /var/simplicite/.m2/repository/commons-logging/commons-logging/1.2/commons-logging-1.2.jar
MD5: 040b4b4d8eac886f6b4a2a3bd2f31b00
SHA1: 4bfc12adfe4842bf07b657f0369c4cb522955686
SHA256:daddea1ea0be0f56978ab3006b8ac92834afeefbd9b7e4e6316fca57df0fa636
Referenced In Project/Scope:Simplicite Platform:compile

Identifiers

commons-math3-3.6.1.jar

Description:

The Apache Commons Math project is a library of lightweight, self-contained mathematics and statistics components addressing the most common practical problems not immediately available in the Java programming language or commons-lang.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /var/simplicite/.m2/repository/org/apache/commons/commons-math3/3.6.1/commons-math3-3.6.1.jar
MD5: 5b730d97e4e6368069de1983937c508e
SHA1: e4ba98f1d4b3c80ec46392f25e094a6a2e58fcbf
SHA256:1e56d7b058d28b65abd256b8458e3885b674c1d588fa43cd7d1cbb9c7ef2b308
Referenced In Project/Scope:Simplicite Platform:compile

Identifiers

commons-net-3.6.jar

Description:

Apache Commons Net library contains a collection of network utilities and protocol implementations. Supported protocols include: Echo, Finger, FTP, NNTP, NTP, POP3(S), SMTP(S), Telnet, Whois.

License:

https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /var/simplicite/.m2/repository/commons-net/commons-net/3.6/commons-net-3.6.jar
MD5: b46661b01cc7aeec501f1cd3775509f1
SHA1: b71de00508dcb078d2b24b5fa7e538636de9b3da
SHA256:d3b3866c61a47ba3bf040ab98e60c3010d027da0e7a99e1755e407dd47bc2702
Referenced In Project/Scope:Simplicite Platform:compile

Identifiers

CVE-2021-37533  

Prior to Apache Commons Net 3.9.0, Net's FTP client trusts the host from PASV response by default. A malicious server can redirect the Commons Net code to use a different host, but the user has to connect to the malicious server in the first place. This may lead to leakage of information about services running on the private network of the client. The default in version 3.9.0 is now false to ignore such hosts, as cURL does. See https://issues.apache.org/jira/browse/NET-711.
CWE-20 Improper Input Validation

CVSSv3:
  • Base Score: MEDIUM (6.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

References:

Vulnerable Software & Versions:
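
The exposure described above is the data connection following a host the server chose, so the mitigation is to pin data connections to the host the control connection was opened to. The following is an added example, not code from the Simplicite project or from Commons Net's documentation. It assumes the commons-net 3.6 API, where FTPClient.setPassiveNatWorkaroundStrategy(FTPClient.HostnameResolver) is available, and an application that only ever needs to talk to the host it dialed; on 3.9.0 and later the same outcome is the default via setIpAddressFromPasvResponse(false), so this hook is the stopgap until that upgrade.

```java
import java.io.IOException;
import org.apache.commons.net.ftp.FTP;
import org.apache.commons.net.ftp.FTPClient;
import org.apache.commons.net.ftp.FTPReply;

public final class PinnedPassiveFtp {

    // Opens a passive-mode session whose data connections always go to the host the control
    // connection was opened to, whatever host:port the server's PASV (227) reply names.
    static FTPClient connect(String host, int port, String user, String password) throws IOException {
        FTPClient ftp = new FTPClient();
        ftp.setConnectTimeout(10_000);
        ftp.setDataTimeout(30_000);

        ftp.connect(host, port);
        if (!FTPReply.isPositiveCompletion(ftp.getReplyCode())) {
            ftp.disconnect();
            throw new IOException("FTP server refused connection: " + ftp.getReplyString());
        }

        // Pin the data-connection host: ignore whatever the PASV reply says and reuse the address
        // we actually connected to. This is the CVE-2021-37533 mitigation on 3.6; the 3.6 default
        // strategy only substitutes site-local addresses and trusts any other host the server names.
        ftp.setPassiveNatWorkaroundStrategy(hostname -> ftp.getRemoteAddress().getHostAddress());

        if (!ftp.login(user, password)) {
            ftp.logout();
            ftp.disconnect();
            throw new IOException("FTP login failed: " + ftp.getReplyString());
        }
        ftp.enterLocalPassiveMode();
        ftp.setFileType(FTP.BINARY_FILE_TYPE);
        return ftp;
    }
}
```

The resolver lambda is invoked for every PASV reply, so a server that answers with an internal address or a third-party host gets the control-connection address back in all cases; the port from the reply is still honoured, which is the normal NAT workaround behaviour.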

commons-pool2-2.7.0.jar

Description:

The Apache Commons Object Pooling Library.

License:

https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /var/simplicite/.m2/repository/org/apache/commons/commons-pool2/2.7.0/commons-pool2-2.7.0.jar
MD5: f4c036f0baf058b3320b35c0b04a7a29
SHA1: 7f9ccfaaf76b0ba8b4200480971a170364a9c361
SHA256:6b54c675c7387e157d28c7098873f2e772c223c7a35bc9b13717367c9753a1e4
Referenced In Project/Scope:Simplicite Platform:compile

Identifiers

commons-vfs2-2.4.1.jar

Description:

Apache Commons VFS is a Virtual File System library.

License:

https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /var/simplicite/.m2/repository/org/apache/commons/commons-vfs2/2.4.1/commons-vfs2-2.4.1.jar
MD5: 3689ad3e33c2455c033c7062f583c49f
SHA1: 2b041628c3cb436d8eee25f78603f04eb5e817a5
SHA256:1d518e883bb4e9a791c2bb48c76ed7b8879708b312ed955854e50b831e23ed35
Referenced In Project/Scope:Simplicite Platform:compile

Identifiers

core-3.0.1.jar

Description:

Core barcode encoding/decoding library

File Path: /var/simplicite/.m2/repository/com/google/zxing/core/3.0.1/core-3.0.1.jar
MD5: 0a0184c3f92492f721d8631d6f5237de
SHA1: 9ebf6cd580d67601fbf88fd007aab4703b19e4c2
SHA256:38c49045765281e4c170062fa3f48e4e988629bf985cab850c7497be5eaa72a1
Referenced In Project/Scope:Simplicite Platform:compile

Identifiers

curvesapi-1.06.jar

Description:

Implementation of various mathematical curves that define themselves over a set of control points. The API is written in Java. The curves supported are: Bezier, B-Spline, Cardinal Spline, Catmull-Rom Spline, Lagrange, Natural Cubic Spline, and NURBS.

License:

BSD License: http://opensource.org/licenses/BSD-3-Clause
File Path: /var/simplicite/.m2/repository/com/github/virtuald/curvesapi/1.06/curvesapi-1.06.jar
MD5: 049221bdb7f8d8a2065c02000e854ed4
SHA1: 159dd2e8956459a4eb0a9a6ecda9004d8d289708
SHA256:38bb45c99e6153260c19b97b99b6a7370a067de63344de6d1ea11922acaed86b
Referenced In Project/Scope:Simplicite Platform:compile

Identifiers

dec-0.1.2.jar

Description:

Brotli is a generic-purpose lossless compression algorithm.

License:

http://www.opensource.org/licenses/mit-license.php
File Path: /var/simplicite/.m2/repository/org/brotli/dec/0.1.2/dec-0.1.2.jar
MD5: 4b1cd14cf29733941cc536b27e6aedfa
SHA1: 0c26a897ae0d524809eef1c786cc6183b4ddcc3b
SHA256:615c0c3efef990d77831104475fba6a1f7971388691d4bad1471ad84101f6d52
Referenced In Project/Scope:Simplicite Platform:compile

Identifiers

diffutils-1.3.0.jar

Description:

The DiffUtils library for computing diffs, applying patches, generating side-by-side view in Java.

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /var/simplicite/.m2/repository/com/googlecode/java-diff-utils/diffutils/1.3.0/diffutils-1.3.0.jar
MD5: 638158a6bca62926aa9986c92ccb15e0
SHA1: 7e060dd5b19431e6d198e91ff670644372f60fbd
SHA256:61ba4dc49adca95243beaa0569adc2a23aedb5292ae78aa01186fa782ebdc5c2
Referenced In Project/Scope:Simplicite Platform:compile

Identifiers

CVE-2021-4277  

A vulnerability, which was classified as problematic, has been found in fredsmith utils. This issue affects some unknown processing of the file screenshot_sync of the component Filename Handler. The manipulation leads to predictable from observable state. The name of the patch is dbab1b66955eeb3d76b34612b358307f5c4e3944. It is recommended to apply a patch to fix this issue. The identifier VDB-216749 was assigned to this vulnerability.
CWE-330 Use of Insufficiently Random Values

CVSSv3:
  • Base Score: MEDIUM (5.3)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

References:

Vulnerable Software & Versions:

docusign-esign-java-3.2.0.jar

Description:

The official DocuSign eSignature JAVA client is based on version 2 of the DocuSign REST API and provides libraries for JAVA application integration. It is recommended that you use this version of the library for new development.

License:

DocuSign Java Client License: https://raw.githubusercontent.com/docusign/docusign-java-client/master/LICENSE
File Path: /var/simplicite/.m2/repository/com/docusign/docusign-esign-java/3.2.0/docusign-esign-java-3.2.0.jar
MD5: b8145b4608f4320fd468328a51e8fd1d
SHA1: 24d1d0e4eed2a62ee8df1b8cb1f59b113916aaaa
SHA256:5b63c9bd8b6054a909d38ca0fff961f19481edb980a8721fd8a835c6a4b2bd0f
Referenced In Project/Scope:Simplicite Platform:compile

Identifiers

docx4j-ImportXHTML-8.0.0.jar

Description:

docx4j-ImportXHTML converts XHTML to OpenXML WordML (docx) using docx4j

License:

LGPL v2.1: http://www.gnu.org/licenses/lgpl-2.1.html
File Path: /var/simplicite/.m2/repository/org/docx4j/docx4j-ImportXHTML/8.0.0/docx4j-ImportXHTML-8.0.0.jar
MD5: 24d6600cd4f8f594d64de4ed925bd417
SHA1: f90d3d0f0f1d4463a1172b1cb26f8cb02b16da09
SHA256:d89550699321099bc98c45b58abf608a03fba557668eaba1e3301cdb98e678f4
Referenced In Project/Scope:Simplicite Platform:compile

Identifiers

docx4j-JAXB-ReferenceImpl-11.1.3.jar

Description:

config specifying that docx4j should use the JAXB reference impls

License:

Apache 2: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /var/simplicite/.m2/repository/org/docx4j/docx4j-JAXB-ReferenceImpl/11.1.3/docx4j-JAXB-ReferenceImpl-11.1.3.jar
MD5: a16f24da44058c0420d291880212c4f2
SHA1: 809c0a0f30c2ed15749c423f331ec6e439a37c81
SHA256:5174a6f8547e4a222f0ec25b2afc5bbe9b89c40ee19029a47072271d0d7ebb3c
Referenced In Project/Scope:Simplicite Platform:compile

Identifiers

docx4j-core-11.1.3.jar

Description:

docx4j is a library which helps you to work with the Office Open XML file format as used in docx documents, pptx presentations, and xlsx spreadsheets.

License:

Apache 2: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /var/simplicite/.m2/repository/org/docx4j/docx4j-core/11.1.3/docx4j-core-11.1.3.jar
MD5: ca67b72739567c19dc2220ac01aa25a0
SHA1: a27d3aa8d7b640555e8732a8ae64fc2fb47ed6fc
SHA256:7f3b9fd839047857ccee8658fd4d3452aa7b211befa137659113c158283c0d6f
Referenced In Project/Scope:Simplicite Platform:compile

Identifiers

docx4j-openxml-objects-11.1.3.jar

Description:

Our JAXB representation of OpenXML, except for pml and sml (handled separately)

License:

Apache 2: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /var/simplicite/.m2/repository/org/docx4j/docx4j-openxml-objects/11.1.3/docx4j-openxml-objects-11.1.3.jar
MD5: 62d7c2c9f18e0c0490f3b5a5c0791afd
SHA1: 8ce54d63a0c4fc2abf728bc84d61ec0ff53e9ff9
SHA256:6e1fa1de6dfc3c21cab674df0e4fb8d7c00ce8046d2e62dd809c234f46e243c5
Referenced In Project/Scope:Simplicite Platform:compile

Identifiers

docx4j-openxml-objects-pml-11.1.3.jar

Description:

Our JAXB representation of OpenXML Presentation Markup Language (pml)

License:

Apache 2: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /var/simplicite/.m2/repository/org/docx4j/docx4j-openxml-objects-pml/11.1.3/docx4j-openxml-objects-pml-11.1.3.jar
MD5: 52b5204c0ba4506c5e49f352e12cf8d4
SHA1: e0b2b913589e628a9fcc2807d82a189a828fb64d
SHA256:0fcc05e5faba64dcd9a176effdf64aea3679900a6dcec9ab84649a7038992f3f
Referenced In Project/Scope:Simplicite Platform:compile

Identifiers

docx4j-openxml-objects-sml-11.1.3.jar

Description:

Our JAXB representation of OpenXML Spreadsheet Markup Language (sml)

License:

Apache 2: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /var/simplicite/.m2/repository/org/docx4j/docx4j-openxml-objects-sml/11.1.3/docx4j-openxml-objects-sml-11.1.3.jar
MD5: 3ae8a40a473a961d8fd202b45e0088df
SHA1: a3e09cd4b4f8a16c957f5120bdab2bb2dcf3fbd1
SHA256:20b73fade3c324698204aad0d6db4d23e771cfbdad80c8b66e1cf877f8c2bea5
Referenced In Project/Scope:Simplicite Platform:compile

Identifiers

dtd-parser-1.4.1.jar

Description:

SAX-like API for parsing XML DTDs.

License:

Eclipse Distribution License - v 1.0: http://www.eclipse.org/org/documents/edl-v10.php
File Path: /var/simplicite/.m2/repository/com/sun/xml/dtd-parser/dtd-parser/1.4.1/dtd-parser-1.4.1.jar
MD5: 888996ba7078ccac5d93b19b28605ca7
SHA1: c5957db3100f10d1604141ae1545e59e774da2e6
SHA256:7d02cf299162ed207df82a02079d1d9ac4569d34146b4c3ddc7f1de8f9711d46
Referenced In Project/Scope:Simplicite Platform:compile

Identifiers

ehcache-core-2.6.2.jar

Description:

This is the ehcache core module. Pair it with other modules for added functionality.

License:

The Apache Software License, Version 2.0: src/assemble/EHCACHE-CORE-LICENSE.txt
File Path: /var/simplicite/.m2/repository/net/sf/ehcache/ehcache-core/2.6.2/ehcache-core-2.6.2.jar
MD5: b6abecd2c01070700a9001b33b94b3f4
SHA1: 3baecd92015a9f8fe4cf51c8b5d3a5bddcdd3e86
SHA256:df61f1a1724aa674d922dce21965b907df8f77e730679ae1abe92679390a2fd6
Referenced In Project/Scope:Simplicite Platform:compile

Identifiers

ehcache-core-2.6.2.jar: sizeof-agent.jar

File Path: /var/simplicite/.m2/repository/net/sf/ehcache/ehcache-core/2.6.2/ehcache-core-2.6.2.jar/net/sf/ehcache/pool/sizeof/sizeof-agent.jar
MD5: 5ad919b3ac0516897bdca079c9a222a8
SHA1: e86399a80ae6a6c7a563717eaa0ce9ba4708571c
SHA256:3bcd560ca5f05248db9b689244b043e9c7549e3791281631a64e5dfff15870d2
Referenced In Project/Scope:Simplicite Platform:compile

Identifiers

error_prone_annotations-2.3.2.jar

License:

Apache 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /var/simplicite/.m2/repository/com/google/errorprone/error_prone_annotations/2.3.2/error_prone_annotations-2.3.2.jar
MD5: 42c8312a7eb4b6ff612049c4f7b514a6
SHA1: d1a0c5032570e0f64be6b4d9c90cdeb103129029
SHA256:357cd6cfb067c969226c442451502aee13800a24e950fdfde77bcdb4565a668d
Referenced In Project/Scope:Simplicite Platform:compile

Identifiers

failureaccess-1.0.1.jar

Description:

Contains com.google.common.util.concurrent.internal.InternalFutureFailureAccess and InternalFutures. Most users will never need to use this artifact. Its classes are conceptually a part of Guava, but they're in this separate artifact so that Android libraries can use them without pulling in all of Guava (just as they can use ListenableFuture by depending on the listenablefuture artifact).

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /var/simplicite/.m2/repository/com/google/guava/failureaccess/1.0.1/failureaccess-1.0.1.jar
MD5: 091883993ef5bfa91da01dcc8fc52236
SHA1: 1dcf1de382a0bf95a3d8b0849546c88bac1292c9
SHA256:a171ee4c734dd2da837e4b16be9df4661afab72a41adaf31eb84dfdaf936ca26
Referenced In Project/Scope:Simplicite Platform:compile

Identifiers

fast-and-simple-minify-1.0.jar

Description:

fast-and-simple-minify is a combined java-port of the JSMin and CSSMin utility with some additional features

License:

The Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /var/simplicite/.m2/repository/ch/simschla/fast-and-simple-minify/1.0/fast-and-simple-minify-1.0.jar
MD5: 762fd1d990bb4e97a7581d2cd3255fc1
SHA1: ade6ae013ee38869b79eeb0661203451ddc16f46
SHA256:86e94527a0705c1ac20ff2b80e7d673975cc92f988210cc440f5bd1bb44087b5
Referenced In Project/Scope:Simplicite Platform:compile

Identifiers

firebase-admin-6.10.0.jar

Description:

This is the official Firebase Admin Java SDK. Build extraordinary native JVM apps in minutes with Firebase. The Firebase platform can power your app's backend, user authentication, static hosting, and more.

License:

Apache License, Version 2.0: https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /var/simplicite/.m2/repository/com/google/firebase/firebase-admin/6.10.0/firebase-admin-6.10.0.jar
MD5: 2e4f38074123d07a7b5ada38532bc1ef
SHA1: 67e5c43ca7e06f6d5c00f4c02aeabaaaed2efcaf
SHA256:74f681266b4e87d3b9c356d37773d0b6da6963f7c939eafc2622f2df7f2426cd
Referenced In Project/Scope:Simplicite Platform:compile

Identifiers

fontbox-2.0.16.jar

Description:

The Apache FontBox library is an open source Java tool to obtain low level information from font files. FontBox is a subproject of Apache PDFBox.

License:

https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /var/simplicite/.m2/repository/org/apache/pdfbox/fontbox/2.0.16/fontbox-2.0.16.jar
MD5: 08bfafc724b3ac2682a8cac0dccedc5d
SHA1: 3f7819279a0b90a01b07a870d1d27dffd8de24db
SHA256:a0934197824808d612d494cac653256f2877665607cd63313ceecefb15479f9c
Referenced In Project/Scope:Simplicite Platform:compile

Identifiers

fuzzywuzzy-1.2.0.jar (shaded: me.xdrop:diffutils:1.3)

File Path: /var/simplicite/.m2/repository/me/xdrop/fuzzywuzzy/1.2.0/fuzzywuzzy-1.2.0.jar/META-INF/maven/me.xdrop/diffutils/pom.xml
MD5: 9d75ff06b99ebf130bb19c8e085714b2
SHA1: edcb90cdd072a9291d9580eb01656c925a73cdad
SHA256:8f44a4acb88339f7d9d858d504a8f88d268e4fc6094d0e55f8918227b87709bf
Referenced In Project/Scope:Simplicite Platform:compile

Identifiers

fuzzywuzzy-1.2.0.jar (shaded: me.xdrop:fuzzywuzzy-build:1.2.0)

Description:

Fuzzy string matching algorithm for Java

License:

GPL 3: https://www.gnu.org/licenses/gpl-3.0.en.html
File Path: /var/simplicite/.m2/repository/me/xdrop/fuzzywuzzy/1.2.0/fuzzywuzzy-1.2.0.jar/META-INF/maven/me.xdrop/fuzzywuzzy-build/pom.xml
MD5: 2a5e2854f7988a80a8a330974aa5e902
SHA1: 891dbaecca3f458a52fce228b51c57484f59cfdd
SHA256:e753798e0432312938244be64770e03bef34e80a846b5b562169d03c60073f5f
Referenced In Project/Scope:Simplicite Platform:compile

Identifiers

fuzzywuzzy-1.2.0.jar

Description:

Fuzzy string searching implementation of the well-known fuzzywuzzy algorithm in Java

License:

GPL 3: https://www.gnu.org/licenses/gpl-3.0.en.html
File Path: /var/simplicite/.m2/repository/me/xdrop/fuzzywuzzy/1.2.0/fuzzywuzzy-1.2.0.jar
MD5: 391d380c3bc51b5be6985f4ddf642863
SHA1: 34d50f9d23e37e713f30d9342e0a7285dc9c7df1
SHA256:57952aee71092345e41b7c047dd48eb1700c642afdc3fc7d57a583bc57fb43c6
Referenced In Project/Scope:Simplicite Platform:compile

Identifiers

gax-1.48.1.jar

Description:

Google Api eXtensions for Java

License:

BSD: https://github.com/googleapis/gax-java/blob/master/LICENSE
File Path: /var/simplicite/.m2/repository/com/google/api/gax/1.48.1/gax-1.48.1.jar
MD5: a2c0b2ba35a3d01e5ac65f3342c59503
SHA1: 77d7d0173ba203c742198be87aeca88000b6572c
SHA256:57c73aef9d54a63e483274712f7aa3957bc8f42721695ef9d562a7e13ba1fc51
Referenced In Project/Scope:Simplicite Platform:compile

Identifiers

gax-grpc-1.48.1.jar

Description:

Google Api eXtensions for Java

License:

BSD: https://github.com/googleapis/gax-java/blob/master/LICENSE
File Path: /var/simplicite/.m2/repository/com/google/api/gax-grpc/1.48.1/gax-grpc-1.48.1.jar
MD5: 048f54857c12b4afc27595134fa5092b
SHA1: bd1208b661754c7d00774a7e180c7d32adbf177d
SHA256:b049f4c40807095d48936807ffe876df8c76dd9acbae530f428c2ddbfe1ed891
Referenced In Project/Scope:Simplicite Platform:compile

Identifiers

CVE-2023-33953  

gRPC contains a vulnerability that allows hpack table accounting errors could lead to unwanted disconnects between clients and servers in exceptional cases. Three vectors were found that allow the following DOS attacks:

- Unbounded memory buffering in the HPACK parser
- Unbounded CPU consumption in the HPACK parser

The unbounded CPU consumption is down to a copy that occurred per-input-block in the parser, and because that could be unbounded due to the memory copy bug we end up with an O(n^2) parsing loop, with n selected by the client.

The unbounded memory buffering bugs:

- The header size limit check was behind the string reading code, so we needed to first buffer up to a 4 gigabyte string before rejecting it as longer than 8 or 16kb.
- HPACK varints have an encoding quirk whereby an infinite number of 0’s can be added at the start of an integer. gRPC’s hpack parser needed to read all of them before concluding a parse.
- gRPC’s metadata overflow check was performed per frame, so that the following sequence of frames could cause infinite buffering: HEADERS: containing a: 1 CONTINUATION: containing a: 2 CONTINUATION: containing a: 3 etc…
CWE-834 Excessive Iteration, CWE-770 Allocation of Resources Without Limits or Throttling

CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References:

Vulnerable Software & Versions:

CVE-2023-44487  

The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.
CWE-400 Uncontrolled Resource Consumption ('Resource Exhaustion')

CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References:

Vulnerable Software & Versions:

CVE-2023-4785  

Lack of error handling in the TCP server in Google's gRPC starting version 1.23 on posix-compatible platforms (ex. Linux) allows an attacker to cause a denial of service by initiating a significant number of connections with the server. Note that gRPC C++ Python, and Ruby are affected, but gRPC Java, and Go are NOT affected. 
NVD-CWE-noinfo

CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References:

Vulnerable Software & Versions:

CVE-2023-32732  

gRPC contains a vulnerability whereby a client can cause a termination of connection between an HTTP2 proxy and a gRPC server: a base64 encoding error for `-bin` suffixed headers will result in a disconnection by the gRPC server, but is typically allowed by HTTP2 proxies. We recommend upgrading beyond the commit in https://github.com/grpc/grpc/pull/32309 https://www.google.com/url
NVD-CWE-Other

CVSSv3:
  • Base Score: MEDIUM (5.3)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

References:

Vulnerable Software & Versions:

gax-httpjson-0.65.1.jar

Description:

Google Api eXtensions for Java

License:

BSD: https://github.com/googleapis/gax-java/blob/master/LICENSE
File Path: /var/simplicite/.m2/repository/com/google/api/gax-httpjson/0.65.1/gax-httpjson-0.65.1.jar
MD5: 3c31f1745d5e36df49b38a062407b4af
SHA1: b3b2ce027a50cef2057195876dcb1a577cfe37fa
SHA256: 7b2aa4ccbc0a3691c36ad93c4e6dbc9080830d3c1322e5cccb4af85284dc76e2
Referenced In Project/Scope: Simplicite Platform:compile

Identifiers

CVE-2022-45688  

A stack overflow in the XML.toJSONObject component of hutool-json v5.8.10 allows attackers to cause a Denial of Service (DoS) via crafted JSON or XML data.
CWE-787 Out-of-bounds Write

CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References:

Vulnerable Software & Versions:

CVE-2023-5072  

Denial of Service in JSON-Java versions up to and including 20230618. A bug in the parser means that an input string of modest size can lead to indefinite amounts of memory being used.
CWE-770 Allocation of Resources Without Limits or Throttling

CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References:

Vulnerable Software & Versions:

geoapi-3.0.1.jar

Description:

The development community in building GIS solutions is sustaining an enormous level of effort. The GeoAPI project aims to reduce duplication and increase interoperability by providing neutral, interface-only APIs derived from OGC/ISO Standards.

License:

https://raw.githubusercontent.com/opengeospatial/geoapi/master/LICENSE.txt
File Path: /var/simplicite/.m2/repository/org/opengis/geoapi/3.0.1/geoapi-3.0.1.jar
MD5: fa9a86892774b94b2bde0446ebbebd62
SHA1: a69b261841b0794b82b8d42fcd6e9a370eb62809
SHA256: ca1dfeba112d0dea575c7abba76a8ecd6ea7818e508de964302a9cfc4779b837
Referenced In Project/Scope: Simplicite Platform:compile

Identifiers

google-api-client-1.30.3.jar

Description:

The Google API Client Library for Java provides functionality common to all Google APIs; for example HTTP transport, error handling, authentication, JSON parsing, media download/upload, and batching.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /var/simplicite/.m2/repository/com/google/api-client/google-api-client/1.30.3/google-api-client-1.30.3.jar
MD5: 20c6528b490e6ff39013a71f5a2bd855
SHA1: 5eb3dab97d9cc6de9065f5d21e4513597336c04a
SHA256: da89326bd0eb9b8a355e5b87090bf201cb1eed4e734fc60cdb8cbab31904dd8c
Referenced In Project/Scope: Simplicite Platform:compile

Identifiers

google-api-client-gson-1.30.3.jar

Description:

GSON extensions to the Google APIs Client Library for Java

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /var/simplicite/.m2/repository/com/google/api-client/google-api-client-gson/1.30.3/google-api-client-gson-1.30.3.jar
MD5: e8caae672593d93434fc2d2b0eb3b032
SHA1: cb5dbf9d006dabfb2c75693b3650a6f16c939556
SHA256: e9a5f6d4ae65bc8e93633904830eae39291b4f6f338377caad3534a6274536da
Referenced In Project/Scope: Simplicite Platform:compile

Identifiers

CVE-2022-45688  

A stack overflow in the XML.toJSONObject component of hutool-json v5.8.10 allows attackers to cause a Denial of Service (DoS) via crafted JSON or XML data.
CWE-787 Out-of-bounds Write

CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References:

Vulnerable Software & Versions:

CVE-2023-5072  

Denial of Service in JSON-Java versions up to and including 20230618. A bug in the parser means that an input string of modest size can lead to indefinite amounts of memory being used.
CWE-770 Allocation of Resources Without Limits or Throttling

CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References:

Vulnerable Software & Versions:

google-api-services-calendar-v3-rev20190910-1.30.1.jar

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /var/simplicite/.m2/repository/com/google/apis/google-api-services-calendar/v3-rev20190910-1.30.1/google-api-services-calendar-v3-rev20190910-1.30.1.jar
MD5: 4cd619cd192be6dbf2c2c5a1413235ca
SHA1: a4c3ee04b4423ffabd7eb6da5d5b81b6e7bda6e3
SHA256: ca48258f6091be3fee8b2714ab1a93c413a36668e1213dae6d2669971c6342e8
Referenced In Project/Scope: Simplicite Platform:compile

Identifiers

google-api-services-drive-v3-rev20190822-1.30.1.jar

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /var/simplicite/.m2/repository/com/google/apis/google-api-services-drive/v3-rev20190822-1.30.1/google-api-services-drive-v3-rev20190822-1.30.1.jar
MD5: 07819940f73a6147ab9952560ec66bbe
SHA1: a8511329b9f3b5be123913e8345d99ee700282bf
SHA256: 835babe90799f91cfb735b037d14cfa3305c2fffc6d7f753fc6df7fb74f83bea
Referenced In Project/Scope: Simplicite Platform:compile

Identifiers

google-api-services-gmail-v1-rev20190602-1.30.1.jar

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /var/simplicite/.m2/repository/com/google/apis/google-api-services-gmail/v1-rev20190602-1.30.1/google-api-services-gmail-v1-rev20190602-1.30.1.jar
MD5: c1e0bfbf80ce1273f1c95ec91e7fe8c7
SHA1: cdb3ede72771778923f960146a2f2dad3f29e7f0
SHA256: 3e50e9aa4a50d882912bd317993c0cbe9c4ef6fbc4e585d7ca2ddc2bc6aad0ab
Referenced In Project/Scope: Simplicite Platform:compile

Identifiers

google-api-services-plus-v1-rev20190328-1.30.1.jar

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /var/simplicite/.m2/repository/com/google/apis/google-api-services-plus/v1-rev20190328-1.30.1/google-api-services-plus-v1-rev20190328-1.30.1.jar
MD5: d190b6cd10aee91d96975ee633ad4101
SHA1: 5d37538b7be26f10dff011cfb30bbf3ab9d8f19f
SHA256: 6609b0440916f3c66197ed795f7642ae481a81bfb9b1f81da29928cf85a49891
Referenced In Project/Scope: Simplicite Platform:compile

Identifiers

google-api-services-sheets-v4-rev20190813-1.30.1.jar

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /var/simplicite/.m2/repository/com/google/apis/google-api-services-sheets/v4-rev20190813-1.30.1/google-api-services-sheets-v4-rev20190813-1.30.1.jar
MD5: bda6f69acea39cf97f8ae87078c8ba50
SHA1: 0b753378dba91d8753a9948da270cb9c3d49501e
SHA256: 8ebfd01900640228890d6db056b311e7e437490d127becd8ab9ca3bc64ec9db6
Referenced In Project/Scope: Simplicite Platform:compile

Identifiers

google-api-services-storage-v1-rev20190624-1.30.1.jar

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /var/simplicite/.m2/repository/com/google/apis/google-api-services-storage/v1-rev20190624-1.30.1/google-api-services-storage-v1-rev20190624-1.30.1.jar
MD5: 64fc59d905430afb5ab42b670ff9fdd2
SHA1: 965c7c4f92f4a4058b6759505c6f520fb0033832
SHA256: 3d3b56deab3b97ef75ea1360b3170aa5a3872566274938618a6dc0e86343bbe1
Referenced In Project/Scope: Simplicite Platform:compile

Identifiers

google-api-services-translate-v2-rev20170525-1.30.1.jar

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /var/simplicite/.m2/repository/com/google/apis/google-api-services-translate/v2-rev20170525-1.30.1/google-api-services-translate-v2-rev20170525-1.30.1.jar
MD5: 49b810431970d3585119ebae4d372955
SHA1: d190fa670e88901a2e5247ea394f7ae2cc394c15
SHA256: ae3b32be4e5a9450a36f8fed26ea5f26bc624ec15fb4a0f1160c6c8cf0e35559
Referenced In Project/Scope: Simplicite Platform:compile

Identifiers

google-api-services-youtube-v3-rev20190827-1.30.1.jar

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /var/simplicite/.m2/repository/com/google/apis/google-api-services-youtube/v3-rev20190827-1.30.1/google-api-services-youtube-v3-rev20190827-1.30.1.jar
MD5: de23af4810f28bc7e19a236704b5c35a
SHA1: f200641b91698b977a8fbf2c671711b73fadbc14
SHA256: 5790dac99030ec79b164da72c1a6690f4724b8e2b19ee73cd4cadf78a5231e71
Referenced In Project/Scope: Simplicite Platform:compile

Identifiers

google-auth-library-credentials-0.17.1.jar

File Path: /var/simplicite/.m2/repository/com/google/auth/google-auth-library-credentials/0.17.1/google-auth-library-credentials-0.17.1.jar
MD5: 08a308ff0a817928c3e2b0d526174d52
SHA1: c4be8a5be14299801b346233be515fc9a5a87c83
SHA256: aaeea9333fff9b763715bca0174ec76c4f9551b5731c89a95f263cdc82b4b56e
Referenced In Project/Scope: Simplicite Platform:compile

Identifiers

google-auth-library-oauth2-http-0.17.1.jar

File Path: /var/simplicite/.m2/repository/com/google/auth/google-auth-library-oauth2-http/0.17.1/google-auth-library-oauth2-http-0.17.1.jar
MD5: 618b04b4e97c0b38557f1c2b53d4c674
SHA1: 740f5e93a9e934f7016d6b494c85cdaa3a436937
SHA256: fa9a1589c8bc279416988d437c2636967cd5e4eff70fbddc986b9c5a77b0231b
Referenced In Project/Scope: Simplicite Platform:compile

Identifiers

google-cloud-core-1.90.0.jar

Description:

Core module for the google-cloud.

File Path: /var/simplicite/.m2/repository/com/google/cloud/google-cloud-core/1.90.0/google-cloud-core-1.90.0.jar
MD5: 50e8e61b319970ad1618ed735bd671ef
SHA1: ebf5901e8c804ea436856211d066305a0ee1633c
SHA256: dddde94df91ec81ba492d7b105dbd1adb5efc798c9fff1e9bde37c75ec4ca374
Referenced In Project/Scope: Simplicite Platform:compile

Identifiers

google-cloud-core-grpc-1.90.0.jar

Description:

Core gRPC module for the google-cloud.

File Path: /var/simplicite/.m2/repository/com/google/cloud/google-cloud-core-grpc/1.90.0/google-cloud-core-grpc-1.90.0.jar
MD5: 15da4e1c8fb6e637441199a972e93da0
SHA1: a254b7d693b9ec721600799ebabf679a71855ac7
SHA256: cd771d2c260336e1dd292600b2dd33949b0b1045fee9c8df5e9a8e94c35d3989
Referenced In Project/Scope: Simplicite Platform:compile

Identifiers

google-cloud-core-http-1.90.0.jar

Description:

Core http module for the google-cloud.

File Path: /var/simplicite/.m2/repository/com/google/cloud/google-cloud-core-http/1.90.0/google-cloud-core-http-1.90.0.jar
MD5: 1a34150c8f95c83c515f3caaa0533c68
SHA1: 9098b197d4f84aa79346d7489c44a169066b3a0b
SHA256: 865be501475bde92c41c938f0b100394034e0485ee8921c5e709377f01574731
Referenced In Project/Scope: Simplicite Platform:compile

Identifiers

google-cloud-firestore-1.9.0.jar

Description:

Java idiomatic client for Google Cloud Firestore.

File Path: /var/simplicite/.m2/repository/com/google/cloud/google-cloud-firestore/1.9.0/google-cloud-firestore-1.9.0.jar
MD5: 3eb1110fb18baf2375dbfa6e20a80c87
SHA1: f6364bba713915d21b7eda43e3f65dab743b09bd
SHA256: 0428ec9394c118b4736882723e7da83434446fe8447b31bef7e10928ff7aaa21
Referenced In Project/Scope: Simplicite Platform:compile

Identifiers

google-cloud-pubsub-1.91.0.jar

Description:

Java idiomatic client for Google Cloud Pub/Sub.

File Path: /var/simplicite/.m2/repository/com/google/cloud/google-cloud-pubsub/1.91.0/google-cloud-pubsub-1.91.0.jar
MD5: ce6917c11376843f58ae833b9474e871
SHA1: e446bc05cc5c16b1a2e87b5ebd0c2505f7d5cf85
SHA256: af60e5dcc43a53314bce85d283fd7a92115cd98c4a5424f4454f08742e0e4d61
Referenced In Project/Scope: Simplicite Platform:compile

Identifiers

google-cloud-storage-1.91.0.jar

Description:

Java idiomatic client for Google Cloud Storage.

File Path: /var/simplicite/.m2/repository/com/google/cloud/google-cloud-storage/1.91.0/google-cloud-storage-1.91.0.jar
MD5: 13b2e0b5ab6841d88e35e144836e30cc
SHA1: 73d7d28a8111ee318b5f4c62fcdb23f57a1066d3
SHA256: 1710c51873f39b25210860f09cfd0c4c4824c1265b41cf136fe21266cf73faa4
Referenced In Project/Scope: Simplicite Platform:compile

Identifiers

google-cloud-storage-2.2.0.jar

Description:

jclouds components to access Google Cloud Storage

License:

https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /var/simplicite/.m2/repository/org/apache/jclouds/provider/google-cloud-storage/2.2.0/google-cloud-storage-2.2.0.jar
MD5: a6e9c25c62e358de98c9b5baefcfc9c9
SHA1: edd29f3d986aa041c0181a88eda4011cb08c2500
SHA256: 6d3af5f58f8a1eec40609dada045f21ecc63e22e30550ad153a366b53fbf1a6b
Referenced In Project/Scope: Simplicite Platform:compile

Identifiers

google-http-client-1.32.0.jar

Description:

Google HTTP Client Library for Java. Functionality that works on all supported Java platforms, including Java 7 (or higher) desktop (SE) and web (EE), Android, and Google App Engine.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /var/simplicite/.m2/repository/com/google/http-client/google-http-client/1.32.0/google-http-client-1.32.0.jar
MD5: 159df863621fa372f142eb49def7ea62
SHA1: 2b45a89cd795c70ccb203d5b20cc13b50105e71e
SHA256: 6fd9e819d8d75bcedcb2ba9d8e08496b5160b3f855a50057f5d9f6850bbf0e4c
Referenced In Project/Scope: Simplicite Platform:compile

Identifiers

google-http-client-appengine-1.31.0.jar

File Path: /var/simplicite/.m2/repository/com/google/http-client/google-http-client-appengine/1.31.0/google-http-client-appengine-1.31.0.jar
MD5: e98ce3f240ef969a94c0b46bd7398ceb
SHA1: 8e9f1aa1e843727351b14ffce2bda4416363b67a
SHA256: c3a96061666b43615919cfb4314c512b067c087efef1de4069d856ff43dc15cf
Referenced In Project/Scope: Simplicite Platform:compile

Identifiers

google-http-client-gson-1.32.0.jar

File Path: /var/simplicite/.m2/repository/com/google/http-client/google-http-client-gson/1.32.0/google-http-client-gson-1.32.0.jar
MD5: 836f19bb2f7b603363fca036e77694ab
SHA1: 64c62622f4071f2116e8f3e8c79e1902c6eb732f
SHA256: da0c814b3bebc0500b3603c81c54630d295694b3db3738be9747dd7230cad37a
Referenced In Project/Scope: Simplicite Platform:compile

Identifiers

google-http-client-jackson-1.29.2.jar

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /var/simplicite/.m2/repository/com/google/http-client/google-http-client-jackson/1.29.2/google-http-client-jackson-1.29.2.jar
MD5: 72ad680f4cd70758086ec12492544fcd
SHA1: 98ba3a73bbfcabbaa1105fc013305d319f6ebf32
SHA256: 54478a70cc90eb7fd7e6ab89a447a41fb1f4f98201bf4d5418d4647751538552
Referenced In Project/Scope: Simplicite Platform:compile

Identifiers

CVE-2020-13956  

Apache HttpClient versions prior to version 4.5.13 and 5.0.3 can misinterpret malformed authority component in request URIs passed to the library as java.net.URI object and pick the wrong target host for request execution.
NVD-CWE-noinfo

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (5.3)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

References:

Vulnerable Software & Versions:

google-http-client-jackson2-1.32.0.jar

File Path: /var/simplicite/.m2/repository/com/google/http-client/google-http-client-jackson2/1.32.0/google-http-client-jackson2-1.32.0.jar
MD5: b21303bba460a5525bd0f7219d1e6339
SHA1: fa975dca9d9896896b3e9d51961833f72965c55e
SHA256: 4cc7c7b0cf0cf03cb7264763efbacee8af4621eb09a51a078331f3f717c09694
Referenced In Project/Scope: Simplicite Platform:compile

Identifiers

CVE-2022-45688  

A stack overflow in the XML.toJSONObject component of hutool-json v5.8.10 allows attackers to cause a Denial of Service (DoS) via crafted JSON or XML data.
CWE-787 Out-of-bounds Write

CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References:

Vulnerable Software & Versions:

CVE-2023-5072  

Denial of Service in JSON-Java versions up to and including 20230618. A bug in the parser means that an input string of modest size can lead to indefinite amounts of memory being used.
CWE-770 Allocation of Resources Without Limits or Throttling

CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References:

Vulnerable Software & Versions:

google-oauth-client-1.30.2.jar

Description:

Google OAuth Client Library for Java. Functionality that works on all supported Java platforms, including Java 7 (or higher) desktop (SE) and web (EE), Android, and Google App Engine.

License:

https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /var/simplicite/.m2/repository/com/google/oauth-client/google-oauth-client/1.30.2/google-oauth-client-1.30.2.jar
MD5: bbf90ca5aeac05210461cb292e9b7027
SHA1: bc33df03b169de18386256adf23af6bc5f41cb28
SHA256: f97bd2674949d0ce59e198129edf46dbd7c5509f382a1f41ff25040046ff5178
Referenced In Project/Scope: Simplicite Platform:compile

Identifiers

CVE-2020-7692  

PKCE support is not implemented in accordance with the RFC for OAuth 2.0 for Native Apps. Without the use of PKCE, the authorization code returned by an authorization server is not enough to guarantee that the client that issued the initial authorization request is the one that will be authorized. An attacker is able to obtain the authorization code using a malicious app on the client-side and use it to gain authorization to the protected resource. This affects the package com.google.oauth-client:google-oauth-client before 1.31.0.
CWE-863 Incorrect Authorization

CVSSv2:
  • Base Score: MEDIUM (6.4)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:N
CVSSv3:
  • Base Score: CRITICAL (9.1)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

References:

Vulnerable Software & Versions:

CVE-2021-22573  

The vulnerability is that the IDToken verifier does not verify whether the token is properly signed. Signature verification makes sure that the token's payload comes from a valid provider, not from someone else. An attacker can provide a compromised token with a custom payload. The token will pass the validation on the client side. We recommend upgrading to version 1.33.3 or above.
CWE-347 Improper Verification of Cryptographic Signature

CVSSv2:
  • Base Score: LOW (3.5)
  • Vector: /AV:N/AC:M/Au:S/C:N/I:P/A:N
CVSSv3:
  • Base Score: HIGH (7.3)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N

References:

Vulnerable Software & Versions:

googlecloud-2.2.0.jar

Description:

jclouds components common to Google Cloud products

License:

https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /var/simplicite/.m2/repository/org/apache/jclouds/common/googlecloud/2.2.0/googlecloud-2.2.0.jar
MD5: 20b180abf74f86ace4464018768d57a5
SHA1: d07a6d75dfe2d36036b42255403f907a901985c7
SHA256: 80692d8e51eb19e85f5507124ed1b32012f2bd20b855083ea773dcf8c023f610
Referenced In Project/Scope: Simplicite Platform:compile

Identifiers

grib-4.5.5.jar

Description:

Decoder for the GRIB format.

File Path: /var/simplicite/.m2/repository/edu/ucar/grib/4.5.5/grib-4.5.5.jar
MD5: 0cb80276d8ea89cacc1d5632dbf39fe9
SHA1: cfe552910e9a8d57ce71134796abb281a74ead16
SHA256: 1e0492135f421f554c4651a95225f27f2a3230e993329f69348110f8521c32d9
Referenced In Project/Scope: Simplicite Platform:compile

Identifiers

grpc-context-1.22.1.jar

Description:

gRPC: Context

License:

Apache 2.0: https://opensource.org/licenses/Apache-2.0
File Path: /var/simplicite/.m2/repository/io/grpc/grpc-context/1.22.1/grpc-context-1.22.1.jar
MD5: c114b573888704a725b5a86c04f817da
SHA1: 1a074f9cf6f367b99c25e70dc68589f142f82d11
SHA256: 780a3937705b3c92e07292c97d065b2676fcbe031eae250f1622b026485f294e
Referenced In Project/Scope: Simplicite Platform:compile

Identifiers

CVE-2023-33953  

gRPC contains a vulnerability in which HPACK table accounting errors could lead to unwanted disconnects between clients and servers in exceptional cases. Three vectors were found that allow the following DoS attacks:

- Unbounded memory buffering in the HPACK parser
- Unbounded CPU consumption in the HPACK parser

The unbounded CPU consumption is down to a copy that occurred per input block in the parser, and because that copy could be unbounded due to the memory copy bug we end up with an O(n^2) parsing loop, with n selected by the client.

The unbounded memory buffering bugs:

- The header size limit check was behind the string reading code, so we needed to first buffer up to a 4 gigabyte string before rejecting it as longer than 8 or 16kb.
- HPACK varints have an encoding quirk whereby an infinite number of 0s can be added at the start of an integer. gRPC's HPACK parser needed to read all of them before concluding a parse.
- gRPC's metadata overflow check was performed per frame, so that the following sequence of frames could cause infinite buffering: HEADERS containing a: 1, CONTINUATION containing a: 2, CONTINUATION containing a: 3, and so on.
CWE-834 Excessive Iteration, CWE-770 Allocation of Resources Without Limits or Throttling

CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References:

Vulnerable Software & Versions:

CVE-2023-44487  

The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.
CWE-400 Uncontrolled Resource Consumption ('Resource Exhaustion')

CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References:

Vulnerable Software & Versions:

CVE-2023-32732  

gRPC contains a vulnerability whereby a client can cause a termination of connection between an HTTP2 proxy and a gRPC server: a base64 encoding error for `-bin` suffixed headers will result in a disconnection by the gRPC server, but is typically allowed by HTTP2 proxies. We recommend upgrading beyond the commit in https://github.com/grpc/grpc/pull/32309 https://www.google.com/url
NVD-CWE-Other

CVSSv3:
  • Base Score: MEDIUM (5.3)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

References:

Vulnerable Software & Versions:

grpc-core-1.23.0.jar

Description:

gRPC: Core

License:

Apache 2.0: https://opensource.org/licenses/Apache-2.0
File Path: /var/simplicite/.m2/repository/io/grpc/grpc-core/1.23.0/grpc-core-1.23.0.jar
MD5: d70312da590558ac0518886976de6b84
SHA1: 82d0c88d65acf92fb3d66a0ee800b5da85258c39
SHA256: ccb52503d051fca980ac7853fb9d8aaf3f00a6fadf16fffd574296b26b3d440b
Referenced In Project/Scope: Simplicite Platform:compile

Identifiers

CVE-2023-33953  

gRPC contains a vulnerability in which HPACK table accounting errors could lead to unwanted disconnects between clients and servers in exceptional cases. Three vectors were found that allow the following DoS attacks:

- Unbounded memory buffering in the HPACK parser
- Unbounded CPU consumption in the HPACK parser

The unbounded CPU consumption is down to a copy that occurred per input block in the parser, and because that copy could be unbounded due to the memory copy bug we end up with an O(n^2) parsing loop, with n selected by the client.

The unbounded memory buffering bugs:

- The header size limit check was behind the string reading code, so we needed to first buffer up to a 4 gigabyte string before rejecting it as longer than 8 or 16kb.
- HPACK varints have an encoding quirk whereby an infinite number of 0s can be added at the start of an integer. gRPC's HPACK parser needed to read all of them before concluding a parse.
- gRPC's metadata overflow check was performed per frame, so that the following sequence of frames could cause infinite buffering: HEADERS containing a: 1, CONTINUATION containing a: 2, CONTINUATION containing a: 3, and so on.
CWE-834 Excessive Iteration, CWE-770 Allocation of Resources Without Limits or Throttling

CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References:

Vulnerable Software & Versions:

CVE-2023-44487  

The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.
CWE-400 Uncontrolled Resource Consumption ('Resource Exhaustion')

CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References:

Vulnerable Software & Versions:

CVE-2023-4785  

Lack of error handling in the TCP server in Google's gRPC starting version 1.23 on POSIX-compatible platforms (e.g. Linux) allows an attacker to cause a denial of service by initiating a significant number of connections with the server. Note that gRPC C++, Python, and Ruby are affected, but gRPC Java and Go are NOT affected.
NVD-CWE-noinfo

CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References:

Vulnerable Software & Versions:

CVE-2023-32732  

gRPC contains a vulnerability whereby a client can cause a termination of connection between an HTTP2 proxy and a gRPC server: a base64 encoding error for `-bin` suffixed headers will result in a disconnection by the gRPC server, but is typically allowed by HTTP2 proxies. We recommend upgrading beyond the commit in https://github.com/grpc/grpc/pull/32309 https://www.google.com/url
NVD-CWE-Other

CVSSv3:
  • Base Score: MEDIUM (5.3)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

References:

Vulnerable Software & Versions:

grpc-google-cloud-pubsub-v1-1.73.0.jar

Description:

GRPC library for grpc-google-cloud-pubsub-v1

File Path: /var/simplicite/.m2/repository/com/google/api/grpc/grpc-google-cloud-pubsub-v1/1.73.0/grpc-google-cloud-pubsub-v1-1.73.0.jar
MD5: 9b3a2decec756af86003548f774a2c67
SHA1: 0c4d29736d21922b05641d402a8afff91fb49eb6
SHA256: 07c9e4928c355de591941cd65ab8f714123de76c64ecda3c21d89a5e921932c9
Referenced In Project/Scope: Simplicite Platform:compile

Identifiers

grpc-netty-shaded-1.23.0.jar (shaded: io.netty:netty-codec-http2:4.1.38.Final)

File Path: /var/simplicite/.m2/repository/io/grpc/grpc-netty-shaded/1.23.0/grpc-netty-shaded-1.23.0.jar/META-INF/maven/io.netty/netty-codec-http2/pom.xml
MD5: 4d185495e97a28fdc3ec0433e273f4c4
SHA1: a29512948602165fb6e0ebbfd2a55c23d1ad164c
SHA256: 40f6d923fc56b303e286f67214d00a9501d853922344917be4c0b2a6919100b0
Referenced In Project/Scope: Simplicite Platform:compile

Identifiers

CVE-2019-20444  

HttpObjectDecoder.java in Netty before 4.1.44 allows an HTTP header that lacks a colon, which might be interpreted as a separate header with an incorrect syntax, or might be interpreted as an "invalid fold."
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')

CVSSv2:
  • Base Score: MEDIUM (6.4)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:N
CVSSv3:
  • Base Score: CRITICAL (9.1)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

References:

Vulnerable Software & Versions:

CVE-2019-20445  

HttpObjectDecoder.java in Netty before 4.1.44 allows a Content-Length header to be accompanied by a second Content-Length header, or by a Transfer-Encoding header.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')

CVSSv2:
  • Base Score: MEDIUM (6.4)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:N
CVSSv3:
  • Base Score: CRITICAL (9.1)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

References:

Vulnerable Software & Versions:

CVE-2019-16869  

Netty before 4.1.42.Final mishandles whitespace before the colon in HTTP headers (such as a "Transfer-Encoding : chunked" line), which leads to HTTP request smuggling.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

References:

Vulnerable Software & Versions:

CVE-2019-9512 (OSSINDEX)  

Some HTTP/2 implementations are vulnerable to ping floods, potentially leading to a denial of service. The attacker sends continual pings to an HTTP/2 peer, causing the peer to build an internal queue of responses. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both.
CWE-400 Uncontrolled Resource Consumption ('Resource Exhaustion')

CVSSv2:
  • Base Score: HIGH (7.5)
  • Vector: /AV:N/AC:L/Au:/C:N/I:N/A:H

References:

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:io.netty:netty-codec-http2:4.1.38.Final:*:*:*:*:*:*:*

CVE-2019-9514 (OSSINDEX)  

Some HTTP/2 implementations are vulnerable to a reset flood, potentially leading to a denial of service. The attacker opens a number of streams and sends an invalid request over each stream that should solicit a stream of RST_STREAM frames from the peer. Depending on how the peer queues the RST_STREAM frames, this can consume excess memory, CPU, or both.
CWE-400 Uncontrolled Resource Consumption ('Resource Exhaustion')

CVSSv2:
  • Base Score: HIGH (7.5)
  • Vector: /AV:N/AC:L/Au:/C:N/I:N/A:H

References:

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:io.netty:netty-codec-http2:4.1.38.Final:*:*:*:*:*:*:*

CVE-2019-9515 (OSSINDEX)  

Some HTTP/2 implementations are vulnerable to a settings flood, potentially leading to a denial of service. The attacker sends a stream of SETTINGS frames to the peer. Since the RFC requires that the peer reply with one acknowledgement per SETTINGS frame, an empty SETTINGS frame is almost equivalent in behavior to a ping. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both.
CWE-400 Uncontrolled Resource Consumption ('Resource Exhaustion')

CVSSv2:
  • Base Score: HIGH (7.5)
  • Vector: /AV:N/AC:L/Au:/C:N/I:N/A:H

References:

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:io.netty:netty-codec-http2:4.1.38.Final:*:*:*:*:*:*:*

CVE-2019-9518 (OSSINDEX)  

Some HTTP/2 implementations are vulnerable to a flood of empty frames, potentially leading to a denial of service. The attacker sends a stream of frames with an empty payload and without the end-of-stream flag. These frames can be DATA, HEADERS, CONTINUATION and/or PUSH_PROMISE. The peer spends time processing each frame disproportionate to attack bandwidth. This can consume excess CPU.
CWE-400 Uncontrolled Resource Consumption ('Resource Exhaustion')

CVSSv2:
  • Base Score: HIGH (7.5)
  • Vector: /AV:N/AC:L/Au:/C:N/I:N/A:H

References:

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:io.netty:netty-codec-http2:4.1.38.Final:*:*:*:*:*:*:*

CVE-2020-11612  

The ZlibDecoders in Netty 4.1.x before 4.1.46 allow for unbounded memory allocation while decoding a ZlibEncoded byte stream. An attacker could send a large ZlibEncoded byte stream to the Netty server, forcing the server to allocate all of its free memory to a single decoder.
CWE-770 Allocation of Resources Without Limits or Throttling

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:P
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References:

Vulnerable Software & Versions:

CVE-2021-37136  

The Bzip2 decompression decoder function doesn't allow setting size restrictions on the decompressed output data (which affects the allocation size used during decompression). All users of Bzip2Decoder are affected. The malicious input can trigger an OOME and so a DoS attack.
CWE-400 Uncontrolled Resource Consumption ('Resource Exhaustion')

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:P
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References:

Vulnerable Software & Versions:

CVE-2021-37137  

The Snappy frame decoder function doesn't restrict the chunk length which may lead to excessive memory usage. Beside this it also may buffer reserved skippable chunks until the whole chunk was received which may lead to excessive memory usage as well. This vulnerability can be triggered by supplying malicious input that decompresses to a very big size (via a network stream or a file) or by sending a huge skippable chunk.
CWE-400 Uncontrolled Resource Consumption ('Resource Exhaustion')

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:P
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References:

Vulnerable Software & Versions:

CVE-2022-41881  

Netty project is an event-driven asynchronous network application framework. In versions prior to 4.1.86.Final, a StackOverflowError can be raised when parsing a malformed crafted message due to an infinite recursion. This issue is patched in version 4.1.86.Final. There is no workaround, except using a custom HaProxyMessageDecoder.
CWE-674 Uncontrolled Recursion

CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References:

Vulnerable Software & Versions:

CVE-2023-44487  

The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.
CWE-400 Uncontrolled Resource Consumption ('Resource Exhaustion')

CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References:

Vulnerable Software & Versions:

CVE-2021-43797  

Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. Netty prior to version 4.1.71.Final skips control chars when they are present at the beginning / end of the header name. It should instead fail fast, as these are not allowed by the spec and could lead to HTTP request smuggling. Failing to do the validation might cause netty to "sanitize" header names before it forwards these to another remote system when used as a proxy. This remote system can't see the invalid usage anymore, and therefore does not do the validation itself. Users should upgrade to version 4.1.71.Final.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (6.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

References:

Vulnerable Software & Versions:

CVE-2023-34462  

Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. The `SniHandler` can allocate up to 16MB of heap for each channel during the TLS handshake. When the handler or the channel does not have an idle timeout, it can be used to make a TCP server using the `SniHandler` allocate 16MB of heap. The `SniHandler` class is a handler that waits for the TLS handshake to configure a `SslHandler` according to the server name indicated by the `ClientHello` record. For this matter it allocates a `ByteBuf` using the value defined in the `ClientHello` record. Normally the value of the packet should be smaller than the handshake packet, but there are no checks done here and, the way the code is written, it is possible to craft a packet that makes the `SslClientHelloHandler`. This vulnerability has been fixed in version 4.1.94.Final.
CWE-400 Uncontrolled Resource Consumption ('Resource Exhaustion')

CVSSv3:
  • Base Score: MEDIUM (6.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

References:

Vulnerable Software & Versions:

CVE-2021-21295  

Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty (io.netty:netty-codec-http2) before version 4.1.60.Final there is a vulnerability that enables request smuggling. If a Content-Length header is present in the original HTTP/2 request, the field is not validated by `Http2MultiplexHandler` as it is propagated up. This is fine as long as the request is not proxied through as HTTP/1.1. If the request comes in as an HTTP/2 stream, gets converted into the HTTP/1.1 domain objects (`HttpRequest`, `HttpContent`, etc.) via `Http2StreamFrameToHttpObjectCodec` and then sent up to the child channel's pipeline and proxied through a remote peer as HTTP/1.1, this may result in request smuggling. In a proxy case, users may assume the content-length is validated somehow, which is not the case. If the request is forwarded to a backend channel that is an HTTP/1.1 connection, the Content-Length now has meaning and needs to be checked. An attacker can smuggle requests inside the body as it gets downgraded from HTTP/2 to HTTP/1.1. For an example attack refer to the linked GitHub Advisory. Users are only affected if all of this is true: `HTTP2MultiplexCodec` or `Http2FrameCodec` is used, `Http2StreamFrameToHttpObjectCodec` is used to convert to HTTP/1.1 objects, and these HTTP/1.1 objects are forwarded to another remote peer. This has been patched in 4.1.60.Final. As a workaround, the user can do the validation themselves by implementing a custom `ChannelInboundHandler` that is put in the `ChannelPipeline` behind `Http2StreamFrameToHttpObjectCodec`.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')

CVSSv2:
  • Base Score: LOW (2.6)
  • Vector: /AV:N/AC:H/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (5.9)
  • Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

References:

Vulnerable Software & Versions:

CVE-2021-21409  

Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty (io.netty:netty-codec-http2) before version 4.1.61.Final there is a vulnerability that enables request smuggling. The content-length header is not correctly validated if the request only uses a single Http2HeaderFrame with the endStream set to true. This could lead to request smuggling if the request is proxied to a remote peer and translated to HTTP/1.1. This is a followup of GHSA-wm47-8v5p-wjpj/CVE-2021-21295, which missed this one case. This was fixed as part of 4.1.61.Final.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (5.9)
  • Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

References:

Vulnerable Software & Versions:

CVE-2021-21290  

Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty before version 4.1.59.Final there is a vulnerability on Unix-like systems involving an insecure temp file. When netty's multipart decoders are used, local information disclosure can occur via the local system temporary directory if temporarily storing uploads on the disk is enabled. On unix-like systems, the temporary directory is shared between all users. As such, writing to this directory using APIs that do not explicitly set the file/directory permissions can lead to information disclosure. Of note, this does not impact modern MacOS Operating Systems. The method "File.createTempFile" on unix-like systems creates a random file, but, by default, will create this file with the permissions "-rw-r--r--". Thus, if sensitive information is written to this file, other local users can read this information. This is the case in netty's "AbstractDiskHttpData", which is vulnerable. This has been fixed in version 4.1.59.Final. As a workaround, one may specify one's own "java.io.tmpdir" when starting the JVM or use "DefaultHttpDataFactory.setBaseDir(...)" to set the directory to something that is only readable by the current user.
CWE-378 Creation of Temporary File With Insecure Permissions, CWE-379 Creation of Temporary File in Directory with Incorrect Permissions

CVSSv2:
  • Base Score: LOW (1.9)
  • Vector: /AV:L/AC:M/Au:N/C:P/I:N/A:N
CVSSv3:
  • Base Score: MEDIUM (5.5)
  • Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

References:

Vulnerable Software & Versions:

CVE-2022-24823  

Netty is an open-source, asynchronous event-driven network application framework. The package `io.netty:netty-codec-http` prior to version 4.1.77.Final contains an insufficient fix for CVE-2021-21290. When Netty's multipart decoders are used, local information disclosure can occur via the local system temporary directory if temporarily storing uploads on the disk is enabled. This only impacts applications running on Java version 6 and lower. Additionally, this vulnerability impacts code running on Unix-like systems, and very old versions of Mac OSX and Windows, as they all share the system temporary directory between all users. Version 4.1.77.Final contains a patch for this vulnerability. As a workaround, specify one's own `java.io.tmpdir` when starting the JVM or use DefaultHttpDataFactory.setBaseDir(...) to set the directory to something that is only readable by the current user.
CWE-378 Creation of Temporary File With Insecure Permissions, CWE-379 Creation of Temporary File in Directory with Incorrect Permissions, CWE-668 Exposure of Resource to Wrong Sphere

CVSSv2:
  • Base Score: LOW (1.9)
  • Vector: /AV:L/AC:M/Au:N/C:P/I:N/A:N
CVSSv3:
  • Base Score: MEDIUM (5.5)
  • Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

References:

Vulnerable Software & Versions:

grpc-netty-shaded-1.23.0.jar (shaded: io.netty:netty-codec:4.1.38.Final)

File Path: /var/simplicite/.m2/repository/io/grpc/grpc-netty-shaded/1.23.0/grpc-netty-shaded-1.23.0.jar/META-INF/maven/io.netty/netty-codec/pom.xml
MD5: f86cd9629ef9997dcdfaee79eaa738d9
SHA1: e12715d67d804245f7462124377f8c83e29ece8e
SHA256: eb31c27208618397c01481bb77cbb8ae21fddfde8db84ca6d3437d6469f81891
Referenced In Project/Scope: Simplicite Platform:compile

Identifiers

CVE-2019-20444  

HttpObjectDecoder.java in Netty before 4.1.44 allows an HTTP header that lacks a colon, which might be interpreted as a separate header with an incorrect syntax, or might be interpreted as an "invalid fold."
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')

CVSSv2:
  • Base Score: MEDIUM (6.4)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:N
CVSSv3:
  • Base Score: CRITICAL (9.1)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

References:

Vulnerable Software & Versions:

CVE-2019-20445  

HttpObjectDecoder.java in Netty before 4.1.44 allows a Content-Length header to be accompanied by a second Content-Length header, or by a Transfer-Encoding header.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')

CVSSv2:
  • Base Score: MEDIUM (6.4)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:N
CVSSv3:
  • Base Score: CRITICAL (9.1)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

References:

Vulnerable Software & Versions:

CVE-2019-16869  

Netty before 4.1.42.Final mishandles whitespace before the colon in HTTP headers (such as a "Transfer-Encoding : chunked" line), which leads to HTTP request smuggling.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

References:

Vulnerable Software & Versions:

CVE-2020-11612  

The ZlibDecoders in Netty 4.1.x before 4.1.46 allow for unbounded memory allocation while decoding a ZlibEncoded byte stream. An attacker could send a large ZlibEncoded byte stream to the Netty server, forcing the server to allocate all of its free memory to a single decoder.
CWE-770 Allocation of Resources Without Limits or Throttling

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:P
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References:

Vulnerable Software & Versions:

CVE-2021-37136  

The Bzip2 decompression decoder function doesn't allow setting size restrictions on the decompressed output data (which affects the allocation size used during decompression). All users of Bzip2Decoder are affected. Malicious input can trigger an OOME and so a DoS attack.
CWE-400 Uncontrolled Resource Consumption ('Resource Exhaustion')

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:P
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References:

Vulnerable Software & Versions:

CVE-2021-37137  

The Snappy frame decoder function doesn't restrict the chunk length, which may lead to excessive memory usage. Besides this, it also may buffer reserved skippable chunks until the whole chunk has been received, which may lead to excessive memory usage as well. This vulnerability can be triggered by supplying malicious input that decompresses to a very big size (via a network stream or a file) or by sending a huge skippable chunk.
CWE-400 Uncontrolled Resource Consumption ('Resource Exhaustion')

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:P
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References:

Vulnerable Software & Versions:

CVE-2022-41881  

Netty project is an event-driven asynchronous network application framework. In versions prior to 4.1.86.Final, a StackOverflowError can be raised when parsing a malformed crafted message due to an infinite recursion. This issue is patched in version 4.1.86.Final. There is no workaround, except using a custom HaProxyMessageDecoder.
CWE-674 Uncontrolled Recursion

CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References:

Vulnerable Software & Versions:

CVE-2023-44487  

The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.
CWE-400 Uncontrolled Resource Consumption ('Resource Exhaustion')

CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References:

Vulnerable Software & Versions:

CVE-2021-43797  

Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. Netty prior to version 4.1.71.Final skips control chars when they are present at the beginning / end of the header name. It should instead fail fast, as these are not allowed by the spec and could lead to HTTP request smuggling. Failing to do the validation might cause netty to "sanitize" header names before it forwards these to another remote system when used as a proxy. This remote system can't see the invalid usage anymore, and therefore does not do the validation itself. Users should upgrade to version 4.1.71.Final.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (6.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

References:

Vulnerable Software & Versions:

CVE-2022-41915 (OSSINDEX)  

Netty project is an event-driven asynchronous network application framework. Starting in version 4.1.83.Final and prior to 4.1.86.Final, when calling `DefaultHttpHeaders.set` with an _iterator_ of values, header value validation was not performed, allowing malicious header values in the iterator to perform HTTP Response Splitting. This issue has been patched in version 4.1.86.Final. Integrators can work around the issue by changing the `DefaultHttpHeaders.set(CharSequence, Iterator<?>)` call into a `remove()` call and calling `add()` in a loop over the iterator of values.

Sonatype's research suggests that this CVE's details differ from those defined at NVD. See https://ossindex.sonatype.org/vulnerability/CVE-2022-41915 for details.
CWE-113 Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting')

CVSSv2:
  • Base Score: MEDIUM (6.5)
  • Vector: /AV:N/AC:L/Au:/C:L/I:L/A:N

References:

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:io.netty:netty-codec:4.1.38.Final:*:*:*:*:*:*:*

CVE-2023-34462  

Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. The `SniHandler` can allocate up to 16MB of heap for each channel during the TLS handshake. When the handler or the channel does not have an idle timeout, it can be used to make a TCP server using the `SniHandler` allocate 16MB of heap. The `SniHandler` class is a handler that waits for the TLS handshake to configure a `SslHandler` according to the server name indicated by the `ClientHello` record. For this matter it allocates a `ByteBuf` using the value defined in the `ClientHello` record. Normally the value of the packet should be smaller than the handshake packet, but there are no checks done here and, the way the code is written, it is possible to craft a packet that makes the `SslClientHelloHandler`. This vulnerability has been fixed in version 4.1.94.Final.
CWE-400 Uncontrolled Resource Consumption ('Resource Exhaustion')

CVSSv3:
  • Base Score: MEDIUM (6.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

References:

Vulnerable Software & Versions:

CVE-2021-21295  

Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty (io.netty:netty-codec-http2) before version 4.1.60.Final there is a vulnerability that enables request smuggling. If a Content-Length header is present in the original HTTP/2 request, the field is not validated by `Http2MultiplexHandler` as it is propagated up. This is fine as long as the request is not proxied through as HTTP/1.1. If the request comes in as an HTTP/2 stream, gets converted into the HTTP/1.1 domain objects (`HttpRequest`, `HttpContent`, etc.) via `Http2StreamFrameToHttpObjectCodec` and then sent up to the child channel's pipeline and proxied through a remote peer as HTTP/1.1, this may result in request smuggling. In a proxy case, users may assume the content-length is validated somehow, which is not the case. If the request is forwarded to a backend channel that is an HTTP/1.1 connection, the Content-Length now has meaning and needs to be checked. An attacker can smuggle requests inside the body as it gets downgraded from HTTP/2 to HTTP/1.1. For an example attack refer to the linked GitHub Advisory. Users are only affected if all of this is true: `HTTP2MultiplexCodec` or `Http2FrameCodec` is used, `Http2StreamFrameToHttpObjectCodec` is used to convert to HTTP/1.1 objects, and these HTTP/1.1 objects are forwarded to another remote peer. This has been patched in 4.1.60.Final. As a workaround, the user can do the validation themselves by implementing a custom `ChannelInboundHandler` that is put in the `ChannelPipeline` behind `Http2StreamFrameToHttpObjectCodec`.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')

CVSSv2:
  • Base Score: LOW (2.6)
  • Vector: /AV:N/AC:H/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (5.9)
  • Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

References:

Vulnerable Software & Versions:

CVE-2021-21409  

Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty (io.netty:netty-codec-http2) before version 4.1.61.Final there is a vulnerability that enables request smuggling. The content-length header is not correctly validated if the request only uses a single Http2HeaderFrame with the endStream set to true. This could lead to request smuggling if the request is proxied to a remote peer and translated to HTTP/1.1. This is a followup of GHSA-wm47-8v5p-wjpj/CVE-2021-21295, which missed this one case. This was fixed as part of 4.1.61.Final.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (5.9)
  • Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

References:

Vulnerable Software & Versions:

CVE-2021-21290  

Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty before version 4.1.59.Final there is a vulnerability on Unix-like systems involving an insecure temp file. When netty's multipart decoders are used, local information disclosure can occur via the local system temporary directory if temporarily storing uploads on the disk is enabled. On unix-like systems, the temporary directory is shared between all users. As such, writing to this directory using APIs that do not explicitly set the file/directory permissions can lead to information disclosure. Of note, this does not impact modern MacOS Operating Systems. The method "File.createTempFile" on unix-like systems creates a random file, but, by default, will create this file with the permissions "-rw-r--r--". Thus, if sensitive information is written to this file, other local users can read this information. This is the case in netty's "AbstractDiskHttpData", which is vulnerable. This has been fixed in version 4.1.59.Final. As a workaround, one may specify one's own "java.io.tmpdir" when starting the JVM or use "DefaultHttpDataFactory.setBaseDir(...)" to set the directory to something that is only readable by the current user.
CWE-378 Creation of Temporary File With Insecure Permissions, CWE-379 Creation of Temporary File in Directory with Incorrect Permissions

CVSSv2:
  • Base Score: LOW (1.9)
  • Vector: /AV:L/AC:M/Au:N/C:P/I:N/A:N
CVSSv3:
  • Base Score: MEDIUM (5.5)
  • Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

References:

Vulnerable Software & Versions:

CVE-2022-24823  

Netty is an open-source, asynchronous event-driven network application framework. The package `io.netty:netty-codec-http` prior to version 4.1.77.Final contains an insufficient fix for CVE-2021-21290. When Netty's multipart decoders are used, local information disclosure can occur via the local system temporary directory if temporarily storing uploads on the disk is enabled. This only impacts applications running on Java version 6 and lower. Additionally, this vulnerability impacts code running on Unix-like systems, and very old versions of Mac OSX and Windows, as they all share the system temporary directory between all users. Version 4.1.77.Final contains a patch for this vulnerability. As a workaround, specify one's own `java.io.tmpdir` when starting the JVM or use DefaultHttpDataFactory.setBaseDir(...) to set the directory to something that is only readable by the current user.
CWE-378 Creation of Temporary File With Insecure Permissions, CWE-379 Creation of Temporary File in Directory with Incorrect Permissions, CWE-668 Exposure of Resource to Wrong Sphere

CVSSv2:
  • Base Score: LOW (1.9)
  • Vector: /AV:L/AC:M/Au:N/C:P/I:N/A:N
CVSSv3:
  • Base Score: MEDIUM (5.5)
  • Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

References:

Vulnerable Software & Versions:

grpc-netty-shaded-1.23.0.jar (shaded: io.netty:netty-tcnative-boringssl-static:2.0.25.Final)

Description:

A Mavenized fork of Tomcat Native which incorporates various patches. This artifact is statically linked to BoringSSL and Apache APR.

File Path: /var/simplicite/.m2/repository/io/grpc/grpc-netty-shaded/1.23.0/grpc-netty-shaded-1.23.0.jar/META-INF/maven/io.netty/netty-tcnative-boringssl-static/pom.xml
MD5: 601d7d7c7efa938fa3539002186b140d
SHA1: 8f2aaa5e42b4097ef4f6462b17a61a98a7a995b1
SHA256: aacb7d451c74c5234c82ce176aeb161818831d6d72dcb6eb19ab13f15e87ded6
Referenced In Project/Scope: Simplicite Platform:compile

Identifiers

grpc-netty-shaded-1.23.0.jar (shaded: io.netty:netty-transport:4.1.38.Final)

File Path: /var/simplicite/.m2/repository/io/grpc/grpc-netty-shaded/1.23.0/grpc-netty-shaded-1.23.0.jar/META-INF/maven/io.netty/netty-transport/pom.xml
MD5: 24c9ec380bfb08ee98a2670b9a3ea3ee
SHA1: 734d5091313d67ba6b5dc94e09920fa2453d01d7
SHA256: a92c9e8fcb2b6e8879796a103b080326b17acf821baf04cf11c64521f14289e0
Referenced In Project/Scope: Simplicite Platform:compile

Identifiers

CVE-2019-20444  

HttpObjectDecoder.java in Netty before 4.1.44 allows an HTTP header that lacks a colon, which might be interpreted as a separate header with an incorrect syntax, or might be interpreted as an "invalid fold."
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')

CVSSv2:
  • Base Score: MEDIUM (6.4)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:N
CVSSv3:
  • Base Score: CRITICAL (9.1)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

References:

Vulnerable Software & Versions:

CVE-2019-20445  

HttpObjectDecoder.java in Netty before 4.1.44 allows a Content-Length header to be accompanied by a second Content-Length header, or by a Transfer-Encoding header.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')

CVSSv2:
  • Base Score: MEDIUM (6.4)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:N
CVSSv3:
  • Base Score: CRITICAL (9.1)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

References:

Vulnerable Software & Versions:

CVE-2019-16869  

Netty before 4.1.42.Final mishandles whitespace before the colon in HTTP headers (such as a "Transfer-Encoding : chunked" line), which leads to HTTP request smuggling.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

References:

Vulnerable Software & Versions:

CVE-2020-11612  

The ZlibDecoders in Netty 4.1.x before 4.1.46 allow for unbounded memory allocation while decoding a ZlibEncoded byte stream. An attacker could send a large ZlibEncoded byte stream to the Netty server, forcing the server to allocate all of its free memory to a single decoder.
CWE-770 Allocation of Resources Without Limits or Throttling

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:P
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References:

Vulnerable Software & Versions:

CVE-2021-37136  

The Bzip2 decompression decoder function doesn't allow setting size restrictions on the decompressed output data (which affects the allocation size used during decompression). All users of Bzip2Decoder are affected. Malicious input can trigger an OOME and so a DoS attack.
CWE-400 Uncontrolled Resource Consumption ('Resource Exhaustion')

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:P
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References:

Vulnerable Software & Versions:

CVE-2021-37137  

The Snappy frame decoder function doesn't restrict the chunk length, which may lead to excessive memory usage. Besides this, it also may buffer reserved skippable chunks until the whole chunk has been received, which may lead to excessive memory usage as well. This vulnerability can be triggered by supplying malicious input that decompresses to a very big size (via a network stream or a file) or by sending a huge skippable chunk.
CWE-400 Uncontrolled Resource Consumption ('Resource Exhaustion')

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:P
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References:

Vulnerable Software & Versions:

CVE-2022-41881  

Netty project is an event-driven asynchronous network application framework. In versions prior to 4.1.86.Final, a StackOverflowError can be raised when parsing a malformed crafted message due to an infinite recursion. This issue is patched in version 4.1.86.Final. There is no workaround, except using a custom HaProxyMessageDecoder.
CWE-674 Uncontrolled Recursion

CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References:

Vulnerable Software & Versions:

CVE-2023-44487  

The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.
CWE-400 Uncontrolled Resource Consumption ('Resource Exhaustion')

CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References:

Vulnerable Software & Versions:

CVE-2021-43797  

Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. Netty prior to version 4.1.71.Final skips control chars when they are present at the beginning / end of the header name. It should instead fail fast, as these are not allowed by the spec and could lead to HTTP request smuggling. Failing to do the validation might cause netty to "sanitize" header names before it forwards these to another remote system when used as a proxy. This remote system can't see the invalid usage anymore, and therefore does not do the validation itself. Users should upgrade to version 4.1.71.Final.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (6.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

References:

Vulnerable Software & Versions:

CVE-2023-34462  

Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. The `SniHandler` can allocate up to 16MB of heap for each channel during the TLS handshake. When the handler or the channel does not have an idle timeout, it can be used to make a TCP server using the `SniHandler` allocate 16MB of heap. The `SniHandler` class is a handler that waits for the TLS handshake to configure a `SslHandler` according to the server name indicated by the `ClientHello` record. For this matter it allocates a `ByteBuf` using the value defined in the `ClientHello` record. Normally the value of the packet should be smaller than the handshake packet, but there are no checks done here and, the way the code is written, it is possible to craft a packet that makes the `SslClientHelloHandler`. This vulnerability has been fixed in version 4.1.94.Final.
CWE-400 Uncontrolled Resource Consumption ('Resource Exhaustion')

CVSSv3:
  • Base Score: MEDIUM (6.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

References:

Vulnerable Software & Versions:

CVE-2021-21295  

Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty (io.netty:netty-codec-http2) before version 4.1.60.Final there is a vulnerability that enables request smuggling. If a Content-Length header is present in the original HTTP/2 request, the field is not validated by `Http2MultiplexHandler` as it is propagated up. This is fine as long as the request is not proxied through as HTTP/1.1. If the request comes in as an HTTP/2 stream, gets converted into the HTTP/1.1 domain objects (`HttpRequest`, `HttpContent`, etc.) via `Http2StreamFrameToHttpObjectCodec` and then sent up to the child channel's pipeline and proxied through a remote peer as HTTP/1.1, this may result in request smuggling. In a proxy case, users may assume the content-length is validated somehow, which is not the case. If the request is forwarded to a backend channel that is an HTTP/1.1 connection, the Content-Length now has meaning and needs to be checked. An attacker can smuggle requests inside the body as it gets downgraded from HTTP/2 to HTTP/1.1. For an example attack refer to the linked GitHub Advisory. Users are only affected if all of this is true: `HTTP2MultiplexCodec` or `Http2FrameCodec` is used, `Http2StreamFrameToHttpObjectCodec` is used to convert to HTTP/1.1 objects, and these HTTP/1.1 objects are forwarded to another remote peer. This has been patched in 4.1.60.Final. As a workaround, the user can do the validation themselves by implementing a custom `ChannelInboundHandler` that is put in the `ChannelPipeline` behind `Http2StreamFrameToHttpObjectCodec`.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')

CVSSv2:
  • Base Score: LOW (2.6)
  • Vector: /AV:N/AC:H/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (5.9)
  • Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

References:

Vulnerable Software & Versions:

CVE-2021-21409  

Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty (io.netty:netty-codec-http2) before version 4.1.61.Final there is a vulnerability that enables request smuggling. The content-length header is not correctly validated if the request only uses a single Http2HeaderFrame with the endStream set to true. This could lead to request smuggling if the request is proxied to a remote peer and translated to HTTP/1.1. This is a followup of GHSA-wm47-8v5p-wjpj/CVE-2021-21295, which missed this one case. This was fixed as part of 4.1.61.Final.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (5.9)
  • Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

References:

Vulnerable Software & Versions:

CVE-2021-21290  

Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty before version 4.1.59.Final there is a vulnerability on Unix-like systems involving an insecure temp file. When netty's multipart decoders are used, local information disclosure can occur via the local system temporary directory if temporary storing of uploads on the disk is enabled. On unix-like systems, the temporary directory is shared between all users. As such, writing to this directory using APIs that do not explicitly set the file/directory permissions can lead to information disclosure. Of note, this does not impact modern MacOS Operating Systems. The method "File.createTempFile" on unix-like systems creates a random file, but by default will create this file with the permissions "-rw-r--r--". Thus, if sensitive information is written to this file, other local users can read this information. This is the case in netty's "AbstractDiskHttpData", which is vulnerable. This has been fixed in version 4.1.59.Final. As a workaround, one may specify one's own "java.io.tmpdir" when starting the JVM or use "DefaultHttpDataFactory.setBaseDir(...)" to set the directory to something that is only readable by the current user.
CWE-378 Creation of Temporary File With Insecure Permissions, CWE-379 Creation of Temporary File in Directory with Incorrect Permissions

CVSSv2:
  • Base Score: LOW (1.9)
  • Vector: /AV:L/AC:M/Au:N/C:P/I:N/A:N
CVSSv3:
  • Base Score: MEDIUM (5.5)
  • Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

References:

Vulnerable Software & Versions:

CVE-2022-24823  

Netty is an open-source, asynchronous event-driven network application framework. The package `io.netty:netty-codec-http` prior to version 4.1.77.Final contains an insufficient fix for CVE-2021-21290. When Netty's multipart decoders are used, local information disclosure can occur via the local system temporary directory if temporary storing of uploads on the disk is enabled. This only impacts applications running on Java version 6 and lower. Additionally, this vulnerability impacts code running on Unix-like systems, and very old versions of Mac OSX and Windows, as they all share the system temporary directory between all users. Version 4.1.77.Final contains a patch for this vulnerability. As a workaround, specify one's own `java.io.tmpdir` when starting the JVM or use DefaultHttpDataFactory.setBaseDir(...) to set the directory to something that is only readable by the current user.
CWE-378 Creation of Temporary File With Insecure Permissions, CWE-379 Creation of Temporary File in Directory with Incorrect Permissions, CWE-668 Exposure of Resource to Wrong Sphere

CVSSv2:
  • Base Score: LOW (1.9)
  • Vector: /AV:L/AC:M/Au:N/C:P/I:N/A:N
CVSSv3:
  • Base Score: MEDIUM (5.5)
  • Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

References:

Vulnerable Software & Versions:

grpc-netty-shaded-1.23.0.jar (shaded: org.jctools:jctools-core:2.1.1)

Description:

Java Concurrency Tools Core Library

License:

Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /var/simplicite/.m2/repository/io/grpc/grpc-netty-shaded/1.23.0/grpc-netty-shaded-1.23.0.jar/META-INF/maven/org.jctools/jctools-core/pom.xml
MD5: d532029de01ef1c790266dea91b1ecdc
SHA1: f9571c65e428d21c795a34de2b217419dfc0e2f7
SHA256:db8f1cd5b23d38e3dcf7020d739e1c2f9559489051291d8a07095e62b8d7f750
Referenced In Project/Scope:Simplicite Platform:compile

Identifiers

grpc-netty-shaded-1.23.0.jar: io_grpc_netty_shaded_netty_tcnative_windows_x86_64.dll

File Path: /var/simplicite/.m2/repository/io/grpc/grpc-netty-shaded/1.23.0/grpc-netty-shaded-1.23.0.jar/META-INF/native/io_grpc_netty_shaded_netty_tcnative_windows_x86_64.dll
MD5: 3acf5856f6d7220d0df297d7561f6185
SHA1: a5b0d662ffbef4edf8d3a85a1d55b6ddeb5ce722
SHA256:40a5afc34fc237c1509c11faa3e39269c1ad73563a55fab076266468f945d514
Referenced In Project/Scope:Simplicite Platform:compile

Identifiers

  • None

grpc-protobuf-1.23.0.jar

Description:

gRPC: Protobuf

License:

Apache 2.0: https://opensource.org/licenses/Apache-2.0
File Path: /var/simplicite/.m2/repository/io/grpc/grpc-protobuf/1.23.0/grpc-protobuf-1.23.0.jar
MD5: 1728bcd7cf27ebaec2b18ee47fce3168
SHA1: 01428515d3aca8964dfdc4d4ba912d0fda0f41f2
SHA256:3d009822afa7b898c15a53e9d5d037a7dde9011eb3d523e59717391b5f5ae417
Referenced In Project/Scope:Simplicite Platform:compile

Identifiers

CVE-2023-33953  

gRPC contains a vulnerability whereby HPACK table accounting errors could lead to unwanted disconnects between clients and servers in exceptional cases. Three vectors were found that allow the following DOS attacks:

- Unbounded memory buffering in the HPACK parser
- Unbounded CPU consumption in the HPACK parser

The unbounded CPU consumption is down to a copy that occurred per-input-block in the parser, and because that could be unbounded due to the memory copy bug we end up with an O(n^2) parsing loop, with n selected by the client.

The unbounded memory buffering bugs:

- The header size limit check was behind the string reading code, so we needed to first buffer up to a 4 gigabyte string before rejecting it as longer than 8 or 16kb.
- HPACK varints have an encoding quirk whereby an infinite number of 0’s can be added at the start of an integer. gRPC’s hpack parser needed to read all of them before concluding a parse.
- gRPC’s metadata overflow check was performed per frame, so that the following sequence of frames could cause infinite buffering: HEADERS: containing a: 1 CONTINUATION: containing a: 2 CONTINUATION: containing a: 3 etc…
CWE-834 Excessive Iteration, CWE-770 Allocation of Resources Without Limits or Throttling

CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References:

Vulnerable Software & Versions:

CVE-2023-44487  

The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.
CWE-400 Uncontrolled Resource Consumption ('Resource Exhaustion')

CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References:

Vulnerable Software & Versions:

CVE-2023-4785  

Lack of error handling in the TCP server in Google's gRPC starting version 1.23 on posix-compatible platforms (e.g. Linux) allows an attacker to cause a denial of service by initiating a significant number of connections with the server. Note that gRPC C++, Python, and Ruby are affected, but gRPC Java and Go are NOT affected.
NVD-CWE-noinfo

CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References:

Vulnerable Software & Versions:

CVE-2023-32732  

gRPC contains a vulnerability whereby a client can cause a termination of connection between an HTTP2 proxy and a gRPC server: a base64 encoding error for `-bin` suffixed headers will result in a disconnection by the gRPC server, but is typically allowed by HTTP2 proxies. We recommend upgrading beyond the commit in https://github.com/grpc/grpc/pull/32309
NVD-CWE-Other

CVSSv3:
  • Base Score: MEDIUM (5.3)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

References:

Vulnerable Software & Versions:

gson-2.8.5.jar

Description:

Gson JSON library

File Path: /var/simplicite/.m2/repository/com/google/code/gson/gson/2.8.5/gson-2.8.5.jar
MD5: 089104cb90d8b4e1aa00b1f5faef0742
SHA1: f645ed69d595b24d4cf8b3fbb64cc505bede8829
SHA256:233a0149fc365c9f6edbd683cfe266b19bdc773be98eabdaf6b3c924b48e7d81
Referenced In Project/Scope:Simplicite Platform:compile

Identifiers

CVE-2022-25647  

The package com.google.code.gson:gson before 2.8.9 is vulnerable to Deserialization of Untrusted Data via the writeReplace() method in internal classes, which may lead to DoS attacks.
CWE-502 Deserialization of Untrusted Data

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:P
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References:

Vulnerable Software & Versions:

guava-28.1-jre.jar

Description:

Guava is a suite of core and expanded libraries that include utility classes, google's collections, io classes, and much much more.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /var/simplicite/.m2/repository/com/google/guava/guava/28.1-jre/guava-28.1-jre.jar
MD5: 4faae794936faf441fcb7afb2c7db507
SHA1: b0e91dcb6a44ffb6221b5027e12a5cb34b841145
SHA256:30beb8b8527bd07c6e747e77f1a92122c2f29d57ce347461a4a55eb26e382da4
Referenced In Project/Scope:Simplicite Platform:compile

Identifiers

CVE-2023-2976  

Use of Java's default temporary directory for file creation in `FileBackedOutputStream` in Google Guava versions 1.0 to 31.1 on Unix systems and Android Ice Cream Sandwich allows other users and apps on the machine with access to the default Java temporary directory to be able to access the files created by the class.

Even though the security vulnerability is fixed in version 32.0.0, we recommend using version 32.0.1 as version 32.0.0 breaks some functionality under Windows.

CWE-552 Files or Directories Accessible to External Parties

CVSSv3:
  • Base Score: HIGH (7.1)
  • Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

References:

Vulnerable Software & Versions:

CVE-2020-8908  

A temp directory creation vulnerability exists in all versions of Guava, allowing an attacker with access to the machine to potentially access data in a temporary directory created by the Guava API com.google.common.io.Files.createTempDir(). By default, on unix-like systems, the created directory is world-readable (readable by an attacker with access to the system). The method in question has been marked @Deprecated in versions 30.0 and later and should not be used. For Android developers, we recommend choosing a temporary directory API provided by Android, such as context.getCacheDir(). For other Java developers, we recommend migrating to the Java 7 API java.nio.file.Files.createTempDirectory() which explicitly configures permissions of 700, or configuring the Java runtime's java.io.tmpdir system property to point to a location whose permissions are appropriately configured.

CWE-732 Incorrect Permission Assignment for Critical Resource

CVSSv2:
  • Base Score: LOW (2.1)
  • Vector: /AV:L/AC:L/Au:N/C:P/I:N/A:N
CVSSv3:
  • Base Score: LOW (3.3)
  • Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

References:

Vulnerable Software & Versions:

guice-3.0.jar

Description:

Guice is a lightweight dependency injection framework for Java 5 and above

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /var/simplicite/.m2/repository/com/google/inject/guice/3.0/guice-3.0.jar
MD5: ca1c7ba366884cfcd2cfb48d2395c400
SHA1: 9d84f15fe35e2c716a02979fb62f50a29f38aefa
SHA256:1a59d0421ffd355cc0b70b42df1c2e9af744c8a2d0c92da379f5fca2f07f1d22
Referenced In Project/Scope:Simplicite Platform:compile

Identifiers

guice-assistedinject-3.0.jar

Description:

Guice is a lightweight dependency injection framework for Java 5 and above

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /var/simplicite/.m2/repository/com/google/inject/extensions/guice-assistedinject/3.0/guice-assistedinject-3.0.jar
MD5: 64341453ad4102f01761c62a22af0977
SHA1: 544449ddb19f088dcde44f055d30a08835a954a7
SHA256:29a0e823babf10e28c6d3c71b2f9d56a3be2c9696d016fb16258e3fb1d184cf1
Referenced In Project/Scope:Simplicite Platform:compile

Identifiers

guice-multibindings-3.0.jar

Description:

Guice is a lightweight dependency injection framework for Java 5 and above

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /var/simplicite/.m2/repository/com/google/inject/extensions/guice-multibindings/3.0/guice-multibindings-3.0.jar
MD5: 4be1e91408e173eb10ed53a1a565a793
SHA1: 5e670615a927571234df68a8b1fe1a16272be555
SHA256:29dd9f7774314827319cca4f00b693f0685f9dc3248c50c1ec54acc4819d4306
Referenced In Project/Scope:Simplicite Platform:compile

Identifiers

h2-1.4.199.jar

Description:

H2 Database Engine

License:

MPL 2.0 or EPL 1.0: http://h2database.com/html/license.html
File Path: /var/simplicite/.m2/repository/com/h2database/h2/1.4.199/h2-1.4.199.jar
MD5: f805f57d838de4b42ce01c7f85e46e1c
SHA1: 7bf08152984ed8859740ae3f97fae6c72771ae45
SHA256:3125a16743bc6b4cfbb61abba783203f1fb68230aa0fdc97898f796f99a5d42e
Referenced In Project/Scope:Simplicite Platform:runtime

Identifiers

CVE-2021-42392  

The org.h2.util.JdbcUtils.getConnection method of the H2 database takes as parameters the class name of the driver and URL of the database. An attacker may pass a JNDI driver name and a URL leading to a LDAP or RMI servers, causing remote code execution. This can be exploited through various attack vectors, most notably through the H2 Console which leads to unauthenticated remote code execution.
CWE-502 Deserialization of Untrusted Data

CVSSv2:
  • Base Score: HIGH (10.0)
  • Vector: /AV:N/AC:L/Au:N/C:C/I:C/A:C
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions:

CVE-2022-23221  

H2 Console before 2.1.210 allows remote attackers to execute arbitrary code via a jdbc:h2:mem JDBC URL containing the IGNORE_UNKNOWN_SETTINGS=TRUE;FORBID_CREATION=FALSE;INIT=RUNSCRIPT substring, a different vulnerability than CVE-2021-42392.
CWE-88 Argument Injection or Modification

CVSSv2:
  • Base Score: HIGH (10.0)
  • Vector: /AV:N/AC:L/Au:N/C:C/I:C/A:C
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions:

CVE-2021-23463  

The package com.h2database:h2 from 1.4.198 and before 2.0.202 is vulnerable to XML External Entity (XXE) Injection via the org.h2.jdbc.JdbcSQLXML class object, when it receives parsed string data from the org.h2.jdbc.JdbcResultSet.getSQLXML() method. If it executes the getSource() method when the parameter is DOMSource.class, it will trigger the vulnerability.
CWE-611 Improper Restriction of XML External Entity Reference ('XXE')

CVSSv2:
  • Base Score: MEDIUM (6.4)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:P
CVSSv3:
  • Base Score: CRITICAL (9.1)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H

References:

Vulnerable Software & Versions:

CVE-2022-45868  

The web-based admin console in H2 Database Engine through 2.1.214 can be started via the CLI with the argument -webAdminPassword, which allows the user to specify the password in cleartext for the web admin console. Consequently, a local user (or an attacker that has obtained local access through some means) would be able to discover the password by listing processes and their arguments. NOTE: the vendor states "This is not a vulnerability of H2 Console ... Passwords should never be passed on the command line and every qualified DBA or system administrator is expected to know that."
CWE-312 Cleartext Storage of Sensitive Information

CVSSv3:
  • Base Score: HIGH (7.8)
  • Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions:

CVE-2018-14335 (OSSINDEX)  

h2database - Improper Link Resolution Before File Access

The software attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.
CWE-59 Improper Link Resolution Before File Access ('Link Following')

CVSSv2:
  • Base Score: MEDIUM (6.0)
  • Vector: /AV:L/AC:L/Au:/C:H/I:N/A:N

References:

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:com.h2database:h2:1.4.199:*:*:*:*:*:*:*

h2-1.4.199.jar: data.zip: table.js

File Path: /var/simplicite/.m2/repository/com/h2database/h2/1.4.199/h2-1.4.199.jar/org/h2/util/data.zip/org/h2/server/web/res/table.js
MD5: 289efd1154e2d82bd3fff47f88ba76f8
SHA1: 236891ee6a10b1af6f9824fb91be634474ab9ebe
SHA256:4cca2cf66410a065181050b98003ecf35291deb2c70b9484b0e3c79c7068f454
Referenced In Project/Scope:Simplicite Platform:runtime

Identifiers

  • None

h2-1.4.199.jar: data.zip: tree.js

File Path: /var/simplicite/.m2/repository/com/h2database/h2/1.4.199/h2-1.4.199.jar/org/h2/util/data.zip/org/h2/server/web/res/tree.js
MD5: 01bfc955082b057fbef6b096569b98ea
SHA1: f6e97f37a8929ea4b6a2bfd08619888329e15160
SHA256:87605a4b4bec508664529e4700ebd08753e2d65a11e532ab15ebf996d3dd8805
Referenced In Project/Scope:Simplicite Platform:runtime

Identifiers

  • None

hamcrest-core-1.3.jar

Description:

This is the core API of the hamcrest matcher framework to be used by third-party framework providers. This includes a foundation set of matcher implementations for common operations.

File Path: /var/simplicite/.m2/repository/org/hamcrest/hamcrest-core/1.3/hamcrest-core-1.3.jar
MD5: 6393363b47ddcbba82321110c3e07519
SHA1: 42a25dc3219429f0e5d060061f71acb49bf010a0
SHA256:66fdef91e9739348df7a096aa384a5685f4e875584cce89386a7a47251c4d8e9
Referenced In Project/Scope:Simplicite Platform:compile

Identifiers

hsqldb-2.5.0.jar

Description:

HSQLDB - Lightweight 100% Java SQL Database Engine

License:

HSQLDB License, a BSD open source license: http://hsqldb.org/web/hsqlLicense.html
File Path: /var/simplicite/.m2/repository/org/hsqldb/hsqldb/2.5.0/hsqldb-2.5.0.jar
MD5: 0e1021ba547f94a472f3e76806747f7b
SHA1: 59298fcd77faf01e02b405def2f80cccbf582508
SHA256:acda459cc9d6a07b39b284364e93b5f29e11877d687e9544b91778d3554d2b38
Referenced In Project/Scope:Simplicite Platform:runtime

Identifiers

CVE-2022-41853  

Those using java.sql.Statement or java.sql.PreparedStatement in hsqldb (HyperSQL DataBase) to process untrusted input may be vulnerable to a remote code execution attack. By default it is allowed to call any static method of any Java class in the classpath resulting in code execution. The issue can be prevented by updating to 2.7.1 or by setting the system property "hsqldb.method_class_names" to classes which are allowed to be called. For example, System.setProperty("hsqldb.method_class_names", "abc") or Java argument -Dhsqldb.method_class_names="abc" can be used. From version 2.7.1 all classes by default are not accessible except those in java.lang.Math and need to be manually enabled.
NVD-CWE-noinfo

CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions:

httpclient-4.5.10.jar

Description:

Apache HttpComponents Client

File Path: /var/simplicite/.m2/repository/org/apache/httpcomponents/httpclient/4.5.10/httpclient-4.5.10.jar
MD5: 367221dde0ef94ea3507928ef40cbe75
SHA1: 7ca2e4276f4ef95e4db725a8cd4a1d1e7585b9e5
SHA256:38b9f16f504928e4db736a433b9cd10968d9ec8d6f5d0e61a64889a689172134
Referenced In Project/Scope:Simplicite Platform:compile

Identifiers

CVE-2020-13956  

Apache HttpClient versions prior to version 4.5.13 and 5.0.3 can misinterpret malformed authority component in request URIs passed to the library as java.net.URI object and pick the wrong target host for request execution.
NVD-CWE-noinfo

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (5.3)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

References:

Vulnerable Software & Versions:

httpcore-4.4.12.jar

Description:

Apache HttpComponents Core (blocking I/O)

File Path: /var/simplicite/.m2/repository/org/apache/httpcomponents/httpcore/4.4.12/httpcore-4.4.12.jar
MD5: c152f231bf2570eca354c49ef8756b41
SHA1: 21ebaf6d532bc350ba95bd81938fa5f0e511c132
SHA256:ab765334beabf0ea024484a5e90a7c40e8160b145f22d199e11e27f68d57da08
Referenced In Project/Scope:Simplicite Platform:compile

Identifiers

httpmime-4.5.10.jar

Description:

Apache HttpComponents HttpClient - MIME coded entities

File Path: /var/simplicite/.m2/repository/org/apache/httpcomponents/httpmime/4.5.10/httpmime-4.5.10.jar
MD5: 47abc8053a7cdaaee8a7f5c727955ced
SHA1: 3513ca10d24d7aa962741c90e914fec650f0848c
SHA256:2bdf3dc862e39e2c69e42f036759e53d457af35a7ce178d8cf286fdb42528864
Referenced In Project/Scope:Simplicite Platform:compile

Identifiers

httpservices-4.5.5.jar

File Path: /var/simplicite/.m2/repository/edu/ucar/httpservices/4.5.5/httpservices-4.5.5.jar
MD5: c5207827b8b7e6045b2af7e1e8c5b1d4
SHA1: ee5f217be599e5e03f7f0e55e03f9e721a154f62
SHA256:8334da7adc9ed7a7b941a780f4d22054f8a11d03973be83ae8399400d55300e4
Referenced In Project/Scope:Simplicite Platform:compile

Identifiers

icu4j-64.2.jar

Description:

International Component for Unicode for Java (ICU4J) is a mature, widely used Java library providing Unicode and Globalization support

License:

Unicode/ICU License: https://raw.githubusercontent.com/unicode-org/icu/master/icu4c/LICENSE
File Path: /var/simplicite/.m2/repository/com/ibm/icu/icu4j/64.2/icu4j-64.2.jar
MD5: 56a4015e1362c79dee5bd06feabc3116
SHA1: 1d2b0ed49ba380d0c69c0a912a9909c1dbcc3d7c
SHA256:ec5a7d92495a2c0f0a09506aef935cca6a68ce8ac18fbae105381a38288127e3
Referenced In Project/Scope:Simplicite Platform:compile

Identifiers

  • pkg:maven/com.ibm.icu/icu4j@64.2  (Confidence:High)
  • cpe:2.3:a:icu-project:international_components_for_unicode:64.2:*:*:*:*:*:*:*  (Confidence:Low)  
  • cpe:2.3:a:unicode:international_components_for_unicode:64.2:*:*:*:*:*:*:*  (Confidence:Low)  

isoparser-1.1.22.jar

Description:

A generic parser and writer for all ISO 14496 based files (MP4, Quicktime, DCF, PDCF, ...)

License:

Apache Software License - Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /var/simplicite/.m2/repository/com/googlecode/mp4parser/isoparser/1.1.22/isoparser-1.1.22.jar
MD5: b6cb35cf16232e5850de5900f753ed91
SHA1: 70b5c26b52c120d2e94643717a764c4a67640fd6
SHA256:f37f0a997dcc494409b60aeb48cef319348503f84efcd1edcb0fcfb81148fc2d
Referenced In Project/Scope:Simplicite Platform:compile

Identifiers

istack-commons-runtime-3.0.8.jar

Description:

istack common utility code

License:

http://www.eclipse.org/org/documents/edl-v10.php
File Path: /var/simplicite/.m2/repository/com/sun/istack/istack-commons-runtime/3.0.8/istack-commons-runtime-3.0.8.jar
MD5: d8555a2f242c55d6727b4d0e82ab8446
SHA1: d6a97364045aa6b99bf2d3c566a3f98599c2d296
SHA256:4ffabb06be454a05e4398e20c77fa2b6308d4b88dfbef7ca30a76b5b7d5505ef
Referenced In Project/Scope:Simplicite Platform:compile

Identifiers

istack-commons-tools-3.0.8.jar

Description:

istack common utility code

License:

http://www.eclipse.org/org/documents/edl-v10.php
File Path: /var/simplicite/.m2/repository/com/sun/istack/istack-commons-tools/3.0.8/istack-commons-tools-3.0.8.jar
MD5: 920af7b9915c9724948517228e727a11
SHA1: a9bb4e2d83d50623bb2dd26cde8d7dd88e6b7104
SHA256:3b0e0a85924ebb91303175f2a2183c7f9246fa00342be95205397e73434008ec
Referenced In Project/Scope:Simplicite Platform:compile

Identifiers

itext-2.1.7.jar

Description:

iText, a free Java-PDF library

License:

Mozilla Public License: http://www.mozilla.org/MPL/MPL-1.1.html
File Path: /var/simplicite/.m2/repository/com/lowagie/itext/2.1.7/itext-2.1.7.jar
MD5: 7587a618197a065eac4a453d173d4ed6
SHA1: 892bfb3e97074a61123b3b2d7caa2db112750864
SHA256:7d82c6b097a31cdf5a6d49a327bf582fdec7304da69308f9f6abf54aa9fd9055
Referenced In Project/Scope:Simplicite Platform:compile

Identifiers

CVE-2017-9096 (OSSINDEX)  

The XML parsers in iText before 5.5.12 and 7.x before 7.0.3 do not disable external entities, which might allow remote attackers to conduct XML external entity (XXE) attacks via a crafted PDF.
CWE-611 Improper Restriction of XML External Entity Reference ('XXE')

CVSSv3:
  • Base Score: HIGH (8.8)
  • Vector: CVSS:/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:com.lowagie:itext:2.1.7:*:*:*:*:*:*:*

itext-rtf-2.1.7.jar

Description:

iText, a free Java-PDF library (rtf package)

License:

Mozilla Public License: http://www.mozilla.org/MPL/MPL-1.1.html
File Path: /var/simplicite/.m2/repository/com/lowagie/itext-rtf/2.1.7/itext-rtf-2.1.7.jar
MD5: f95d38da50192bc9e3876e3a987f02c1
SHA1: ed1cbe69ff69c6e6fa7645f51c8d25894a177e7b
SHA256:49d3b9df20ccc6565c91b8b18c638ecb018fd528b6eb64991d6d8ba73975c135
Referenced In Project/Scope:Simplicite Platform:compile

Identifiers

j2objc-annotations-1.3.jar

Description:

A set of annotations that provide additional information to the J2ObjC translator to modify the result of translation.

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /var/simplicite/.m2/repository/com/google/j2objc/j2objc-annotations/1.3/j2objc-annotations-1.3.jar
MD5: 5fa4ec4ec0c5aa70af8a7d4922df1931
SHA1: ba035118bc8bac37d7eff77700720999acd9986d
SHA256:21af30c92267bd6122c0e0b4d20cccb6641a37eaf956c6540ec471d584e64a7b
Referenced In Project/Scope:Simplicite Platform:compile

Identifiers

jackcess-3.0.1.jar

Description:

A pure Java library for reading from and writing to MS Access databases.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /var/simplicite/.m2/repository/com/healthmarketscience/jackcess/jackcess/3.0.1/jackcess-3.0.1.jar
MD5: e787e04bfd785b16d366021373309617
SHA1: e753ed760d06a0b6849c02d3d4c603ae6c8e05c8
SHA256:743bfe830de83f2a64b0ff23337c18f1412c3caf35f98c5f6668f65c109993d7
Referenced In Project/Scope:Simplicite Platform:compile

Identifiers

jackcess-encrypt-3.0.0.jar

Description:

An add-on to the Jackcess library for handling encryption in MS Access files.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /var/simplicite/.m2/repository/com/healthmarketscience/jackcess/jackcess-encrypt/3.0.0/jackcess-encrypt-3.0.0.jar
MD5: 4e12f5c0713e5e1b38b74f8946d17c27
SHA1: 24ee9302d731e7c66e828049bb055ca710e29f03
SHA256:d624d55b3090ab733192041a758727b94a3136031660ab794998f3bd72b4c213
Referenced In Project/Scope:Simplicite Platform:compile

Identifiers

jackson-annotations-2.10.5.jar

Description:

Core annotations used for value types, used by Jackson data binding package.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /var/simplicite/.m2/repository/com/fasterxml/jackson/core/jackson-annotations/2.10.5/jackson-annotations-2.10.5.jar
MD5: 2d98c7a68e9e99d98ea99dd9dc3639a4
SHA1: 33298de8da86f92f8ccd61ced214d3b16f8c531e
SHA256:5ad94fbb2642df695892c4d6e2ab4c319821e5f9bfb7b920f1378de4f611417c
Referenced In Project/Scope:Simplicite Platform:compile

Identifiers

jackson-core-2.10.5.jar

Description:

Core Jackson processing abstractions (aka Streaming API), implementation for JSON

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /var/simplicite/.m2/repository/com/fasterxml/jackson/core/jackson-core/2.10.5/jackson-core-2.10.5.jar
MD5: 467e771df80da5f50fadb399f78f4ce1
SHA1: db2ba27938de7f2d478a97d6abcdaa17cbbd3cea
SHA256:2656010d1e921ac69b76fc7e0c0f5a6b14aca62fa9603e78831e6148eb7c77ba
Referenced In Project/Scope:Simplicite Platform:compile

Identifiers

CVE-2022-45688  

A stack overflow in the XML.toJSONObject component of hutool-json v5.8.10 allows attackers to cause a Denial of Service (DoS) via crafted JSON or XML data.
CWE-787 Out-of-bounds Write

CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References:

Vulnerable Software & Versions:

CVE-2023-5072  

Denial of Service in JSON-Java versions up to and including 20230618. A bug in the parser means that an input string of modest size can lead to indefinite amounts of memory being used.
CWE-770 Allocation of Resources Without Limits or Throttling

CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References:

Vulnerable Software & Versions:

jackson-core-asl-1.9.13.jar

Description:

Jackson is a high-performance JSON processor (parser, generator)

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /var/simplicite/.m2/repository/org/codehaus/jackson/jackson-core-asl/1.9.13/jackson-core-asl-1.9.13.jar
MD5: 319c49a4304e3fa9fe3cd8dcfc009d37
SHA1: 3c304d70f42f832e0a86d45bd437f692129299a4
SHA256:440a9cb5ca95b215f953d3a20a6b1a10da1f09b529a9ddea5f8a4905ddab4f5a
Referenced In Project/Scope:Simplicite Platform:compile

Identifiers

jackson-databind-2.10.5.jar

Description:

General data-binding functionality for Jackson: works on core streaming API

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /var/simplicite/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.10.5/jackson-databind-2.10.5.jar
MD5: 40a3ee2381813fdcfc6ad026e914ab0c
SHA1: 52414bbb464a2836c12649169930bed0c41e31a7
SHA256:5e19fdaed7e0f2a37aa756d480879ae26926b9fc0d8270d78c4dcd5bf65a7a54
Referenced In Project/Scope:Simplicite Platform:compile

Identifiers

CVE-2020-25649  

A flaw was found in FasterXML Jackson Databind, where it did not have entity expansion secured properly. This flaw allows vulnerability to XML external entity (XXE) attacks. The highest threat from this vulnerability is data integrity.
CWE-611 Improper Restriction of XML External Entity Reference ('XXE')

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

References:

Vulnerable Software & Versions:

CVE-2020-36518  

jackson-databind before 2.13.0 allows a Java StackOverflow exception and denial of service via a large depth of nested objects.
CWE-787 Out-of-bounds Write

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:P
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References:

Vulnerable Software & Versions:

CVE-2021-46877  

jackson-databind 2.10.x through 2.12.x before 2.12.6 and 2.13.x before 2.13.1 allows attackers to cause a denial of service (2 GB transient heap usage per read) in uncommon situations involving JsonNode JDK serialization.
CWE-770 Allocation of Resources Without Limits or Throttling

CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References:

Vulnerable Software & Versions:

CVE-2022-42003  

In FasterXML jackson-databind before versions 2.13.4.1 and 2.12.17.1, resource exhaustion can occur because of a lack of a check in primitive value deserializers to avoid deep wrapper array nesting, when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled.
CWE-502 Deserialization of Untrusted Data

CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References:

Vulnerable Software & Versions:

CVE-2022-42004  

In FasterXML jackson-databind before 2.13.4, resource exhaustion can occur because of a lack of a check in BeanDeserializer._deserializeFromArray to prevent use of deeply nested arrays. An application is vulnerable only with certain customized choices for deserialization.
CWE-502 Deserialization of Untrusted Data

CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References:

Vulnerable Software & Versions:

CVE-2023-35116  

jackson-databind through 2.15.2 allows attackers to cause a denial of service or other unspecified impact via a crafted object that uses cyclic dependencies. NOTE: the vendor's perspective is that this is not a valid vulnerability report, because the steps of constructing a cyclic data structure and trying to serialize it cannot be achieved by an external attacker.
CWE-770 Allocation of Resources Without Limits or Throttling

CVSSv3:
  • Base Score: MEDIUM (4.7)
  • Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H

References:

Vulnerable Software & Versions:

jackson-dataformat-csv-2.10.5.jar

Description:

Support for reading and writing CSV-encoded data via Jackson abstractions.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /var/simplicite/.m2/repository/com/fasterxml/jackson/dataformat/jackson-dataformat-csv/2.10.5/jackson-dataformat-csv-2.10.5.jar
MD5: 6e3bc88152fdedb3207e760c5de00e9e
SHA1: 2fdba33036a74540f59ec21f956a3a5427e1c9db
SHA256:573325172f7919399ab9a6f81d1c05d746cfc45e74bb211e01b2ecf92f96481a
Referenced In Project/Scope:Simplicite Platform:compile

Identifiers

jackson-datatype-guava-2.10.5.jar

Description:

Add-on datatype-support module for Jackson (https://github.com/FasterXML/jackson) that handles Guava (http://code.google.com/p/guava-libraries/) types (currently mostly just collection ones).

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /var/simplicite/.m2/repository/com/fasterxml/jackson/datatype/jackson-datatype-guava/2.10.5/jackson-datatype-guava-2.10.5.jar
MD5: d9451b1397aa6e288892c425d999bd55
SHA1: a8b0a978c18ab51006a0ef03ba2b2c156b92b1d8
SHA256:a42d52513f39a77a6481ab1e03b0f42874502c7b7c9dc5116819b1d78175d3fe
Referenced In Project/Scope:Simplicite Platform:compile

Identifiers

jackson-datatype-joda-2.10.5.jar

Description:

Add-on module for Jackson (http://jackson.codehaus.org) to support Joda (http://joda-time.sourceforge.net/) data types.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /var/simplicite/.m2/repository/com/fasterxml/jackson/datatype/jackson-datatype-joda/2.10.5/jackson-datatype-joda-2.10.5.jar
MD5: 87c36914caee49ec19b6deb12535bb1d
SHA1: b6ad58040fe4987b8abbdb7a22114382c8df5dda
SHA256:da4ee5119e4dd63c35bc3e27a712999d15d465144dc127f97278435491aff775
Referenced In Project/Scope:Simplicite Platform:compile

Identifiers

jackson-jaxrs-base-2.10.5.jar

Description:

Pile of code that is shared by all Jackson-based JAX-RS providers.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /var/simplicite/.m2/repository/com/fasterxml/jackson/jaxrs/jackson-jaxrs-base/2.10.5/jackson-jaxrs-base-2.10.5.jar
MD5: 5aa5208b0f40ed929cc1d5558d2219b2
SHA1: 2c0c330f121ca5396560a692113c8339f7aac9b5
SHA256:98f27188fa2a72ef5d3f85fab6e6ca0e76bde1a58c9396cb1cf91028080435d6
Referenced In Project/Scope:Simplicite Platform:compile

Identifiers

jackson-jaxrs-json-provider-2.10.5.jar

Description:

Functionality to handle JSON input/output for JAX-RS implementations (like Jersey and RESTeasy) using standard Jackson data binding.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /var/simplicite/.m2/repository/com/fasterxml/jackson/jaxrs/jackson-jaxrs-json-provider/2.10.5/jackson-jaxrs-json-provider-2.10.5.jar
MD5: 523048dfe6878997218ea0b2cdb9af08
SHA1: e7be01e92f7ef9361118eef78f1974c5f778dd6a
SHA256:f0817100df27ded044dc9ac6effdb9961a3c37327c6c9262ed344218db048c7b
Referenced In Project/Scope:Simplicite Platform:compile

Identifiers

CVE-2022-45688  

A stack overflow in the XML.toJSONObject component of hutool-json v5.8.10 allows attackers to cause a Denial of Service (DoS) via crafted JSON or XML data.
CWE-787 Out-of-bounds Write

CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References:

Vulnerable Software & Versions:

CVE-2023-5072  

Denial of Service in JSON-Java versions up to and including 20230618. A bug in the parser means that an input string of modest size can lead to indefinite amounts of memory being used.
CWE-770 Allocation of Resources Without Limits or Throttling

CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References:

Vulnerable Software & Versions:

jackson-jaxrs-xml-provider-2.10.5.jar

Description:

Functionality to handle XML input/output for JAX-RS implementations (like Jersey and RESTeasy) using standard Jackson data binding.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /var/simplicite/.m2/repository/com/fasterxml/jackson/jaxrs/jackson-jaxrs-xml-provider/2.10.5/jackson-jaxrs-xml-provider-2.10.5.jar
MD5: 395bf69b81245c6dc274c7b8d2358876
SHA1: 8e374b72f30e3861040f1ab7f859bc8bcc804eac
SHA256:478951b5abc1d53c850f247fcacbb9a1c1c6315a6e9e1a3853571d4d96a71f10
Referenced In Project/Scope:Simplicite Platform:compile

Identifiers

jackson-module-jaxb-annotations-2.10.5.jar

Description:

Support for using JAXB annotations as an alternative to "native" Jackson annotations, for configuring data-binding.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /var/simplicite/.m2/repository/com/fasterxml/jackson/module/jackson-module-jaxb-annotations/2.10.5/jackson-module-jaxb-annotations-2.10.5.jar
MD5: 85f8c37a9c6504d0891b909c0d210be6
SHA1: f438b5eb66d15cbffca1497408b4cb379af9b068
SHA256:994a0a510a35d55a869567807075736597da97e9d36ad1ebaff5e37def5a55d3
Referenced In Project/Scope:Simplicite Platform:compile

Identifiers

jai-imageio-core-1.4.0.jar

Description:

Java Advanced Imaging Image I/O Tools API core, but without the classes involved with javax.media.jai dependencies, JPEG2000 or codecLibJIIO, meaning that this library can be distributed under the modified BSD license and should be GPL compatible.

License:

BSD 3-clause License w/nuclear disclaimer: LICENSE.txt
File Path: /var/simplicite/.m2/repository/com/github/jai-imageio/jai-imageio-core/1.4.0/jai-imageio-core-1.4.0.jar
MD5: 6978d733bfb55c0a82639f724fe5f3bb
SHA1: fb6d79b929556362a241b2f65a04e538062f0077
SHA256:8ad3c68e9efffb10ac87ff8bc589adf64b04a729c5194c079efd0643607fd72a
Referenced In Project/Scope:Simplicite Platform:compile

Identifiers

jakarta.activation-1.2.1.jar

Description:

JavaBeans Activation Framework

License:

http://www.eclipse.org/org/documents/edl-v10.php
File Path: /var/simplicite/.m2/repository/com/sun/activation/jakarta.activation/1.2.1/jakarta.activation-1.2.1.jar
MD5: dc519b1f09bbaf9274ea5da358a00110
SHA1: 8013606426a73d8ba6b568370877251e91a38b89
SHA256:d84d4ba8b55cdb7fdcbb885e6939386367433f56f5ab8cfdc302a7c3587fa92b
Referenced In Project/Scope:Simplicite Platform:compile

Identifiers

jakarta.activation-api-1.2.1.jar

Description:

JavaBeans Activation Framework API jar

License:

http://www.eclipse.org/org/documents/edl-v10.php
File Path: /var/simplicite/.m2/repository/jakarta/activation/jakarta.activation-api/1.2.1/jakarta.activation-api-1.2.1.jar
MD5: 9b647398add993324d3d9e5effa6005a
SHA1: 562a587face36ec7eff2db7f2fc95425c6602bc1
SHA256:8b0a0f52fa8b05c5431921a063ed866efaa41dadf2e3a7ee3e1961f2b0d9645b
Referenced In Project/Scope:Simplicite Platform:compile

Identifiers

jakarta.xml.bind-api-2.3.2.jar

Description:

JAXB (JSR 222) API

License:

http://www.eclipse.org/org/documents/edl-v10.php
File Path: /var/simplicite/.m2/repository/jakarta/xml/bind/jakarta.xml.bind-api/2.3.2/jakarta.xml.bind-api-2.3.2.jar
MD5: dabb40ba58199304c640b7bd8bb2fbac
SHA1: 8d49996a4338670764d7ca4b85a1c4ccf7fe665d
SHA256:69156304079bdeed9fc0ae3b39389f19b3cc4ba4443bc80508995394ead742ea
Referenced In Project/Scope:Simplicite Platform:compile

Identifiers

java-jwt-3.10.2.jar

Description:

Java implementation of JSON Web Token (JWT)

License:

The MIT License (MIT): https://raw.githubusercontent.com/auth0/java-jwt/master/LICENSE
File Path: /var/simplicite/.m2/repository/com/auth0/java-jwt/3.10.2/java-jwt-3.10.2.jar
MD5: 88ecbde4572957aa2333f1f2e8317584
SHA1: a73fc34425dffbf32207f74f1b78531ebeaf7685
SHA256:df47b77d8feda8cd9199b2a03ae2d2ebe60d40576c58ee6c6ef05c3407d20011
Referenced In Project/Scope:Simplicite Platform:compile

Identifiers

java-libpst-0.8.1.jar

Description:

A library to read PST files with java, without need for external libraries.

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /var/simplicite/.m2/repository/com/pff/java-libpst/0.8.1/java-libpst-0.8.1.jar
MD5: 6be27662e0b06154e5f05938937d16b7
SHA1: ad31986653dac9cb5132ea5b2999c20b4b286255
SHA256:a3f7b3c934f477b0fc3c0eadebc3d24872bbebc3ac5a22ab575e5f476ea34757
Referenced In Project/Scope:Simplicite Platform:compile

Identifiers

java-saml-2.5.0.jar

File Path: /var/simplicite/.m2/repository/com/onelogin/java-saml/2.5.0/java-saml-2.5.0.jar
MD5: 4471c76d5079596c9737a069bf8c16dd
SHA1: 98ef55b85676076f1fc94cc68d359e826170a16b
SHA256:8959df4e44cb4ef3fdc740536609b6462928b1ce8912ac15d667c772da4a36b6
Referenced In Project/Scope:Simplicite Platform:compile

Identifiers

java-saml-core-2.5.0.jar

File Path: /var/simplicite/.m2/repository/com/onelogin/java-saml-core/2.5.0/java-saml-core-2.5.0.jar
MD5: 630920f20b6ad95203ae6ca0ceefa518
SHA1: ec4c26db2b833511836f2cf37f445c275d0dff45
SHA256:40ef219f434852a400501f5766848fbb62f16ec671d7a79fc0dfeb969c04fd6c
Referenced In Project/Scope:Simplicite Platform:compile

Identifiers

java-xmlbuilder-1.1.jar

Description:

XML Builder is a utility that creates simple XML documents using relatively sparse Java code

License:

Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0
File Path: /var/simplicite/.m2/repository/com/jamesmurty/utils/java-xmlbuilder/1.1/java-xmlbuilder-1.1.jar
MD5: cd9afe97b82d327ceda4dac0de24d61c
SHA1: 05527416a8f63a8dad440434a1d42937d0ef6391
SHA256:5257fdeb719b95039fc6cf35012527939856b2f2c9d763d593cc0cb64e88ab24
Referenced In Project/Scope:Simplicite Platform:compile

Identifiers

CVE-2014-125087  

A vulnerability was found in java-xmlbuilder up to 1.1. It has been rated as problematic. Affected by this issue is some unknown functionality. The manipulation leads to xml external entity reference. Upgrading to version 1.2 is able to address this issue. The name of the patch is e6fddca201790abab4f2c274341c0bb8835c3e73. It is recommended to upgrade the affected component. The identifier of this vulnerability is VDB-221480.
CWE-611 Improper Restriction of XML External Entity Reference ('XXE')

CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions:

CVE-2021-4277  

A vulnerability, which was classified as problematic, has been found in fredsmith utils. This issue affects some unknown processing of the file screenshot_sync of the component Filename Handler. The manipulation leads to predictable from observable state. The name of the patch is dbab1b66955eeb3d76b34612b358307f5c4e3944. It is recommended to apply a patch to fix this issue. The identifier VDB-216749 was assigned to this vulnerability.
CWE-330 Use of Insufficiently Random Values

CVSSv3:
  • Base Score: MEDIUM (5.3)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

References:

Vulnerable Software & Versions:

javase-3.0.1.jar

Description:

Java SE-specific extensions to core ZXing library

File Path: /var/simplicite/.m2/repository/com/google/zxing/javase/3.0.1/javase-3.0.1.jar
MD5: 04258960339322ce4fb90718899ff4c9
SHA1: 06fa0ae253f5bb2943fb64100c936d6a142832c2
SHA256:83c1e61db240c81b9b9628ea8dd63944cacf2b4f3578b4f3f4d3104506e4d0a4
Referenced In Project/Scope:Simplicite Platform:compile

Identifiers

javax.activation-api-1.2.0.jar

Description:

JavaBeans Activation Framework API jar

License:

https://github.com/javaee/activation/blob/master/LICENSE.txt
File Path: /var/simplicite/.m2/repository/javax/activation/javax.activation-api/1.2.0/javax.activation-api-1.2.0.jar
MD5: 5e50e56bcf4a3ef3bc758f69f7643c3b
SHA1: 85262acf3ca9816f9537ca47d5adeabaead7cb16
SHA256:43fdef0b5b6ceb31b0424b208b930c74ab58fac2ceeb7b3f6fd3aeb8b5ca4393
Referenced In Project/Scope:Simplicite Platform:compile

Identifiers

javax.annotation-api-1.3.2.jar

Description:

Common Annotations for the JavaTM Platform API

License:

CDDL + GPLv2 with classpath exception: https://github.com/javaee/javax.annotation/blob/master/LICENSE
File Path: /var/simplicite/.m2/repository/javax/annotation/javax.annotation-api/1.3.2/javax.annotation-api-1.3.2.jar
MD5: 2ab1973eefffaa2aeec47d50b9e40b9d
SHA1: 934c04d3cfef185a8008e7bf34331b79730a9d43
SHA256:e04ba5195bcd555dc95650f7cc614d151e4bcd52d29a10b8aa2197f3ab89ab9b
Referenced In Project/Scope:Simplicite Platform:provided

Identifiers

javax.ejb-api-3.2.2.jar

Description:

Project GlassFish Enterprise JavaBean API

License:

CDDL + GPLv2 with classpath exception: https://oss.oracle.com/licenses/CDDL+GPL-1.1
File Path: /var/simplicite/.m2/repository/javax/ejb/javax.ejb-api/3.2.2/javax.ejb-api-3.2.2.jar
MD5: f7a1ffa8ec359720a01dd09f79f042c3
SHA1: 8921a3e3cb30fe5966531ad53902eef19303123b
SHA256:13ff874c58c32b649077dab6ab23bc93938610adc99e90d63933f6f074805b72
Referenced In Project/Scope:Simplicite Platform:provided

Identifiers

javax.inject-1.jar

Description:

The javax.inject API

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /var/simplicite/.m2/repository/javax/inject/javax.inject/1/javax.inject-1.jar
MD5: 289075e48b909e9e74e6c915b3631d2e
SHA1: 6975da39a7040257bd51d21a231b76c915872d38
SHA256:91c77044a50c481636c32d916fd89c9118a72195390452c81065080f957de7ff
Referenced In Project/Scope:Simplicite Platform:compile

Identifiers

javax.jms-api-2.0.1.jar

Description:

Java(TM) Message Service Specification

License:

CDDL + GPLv2 with classpath exception: https://glassfish.java.net/nonav/public/CDDL+GPL_1_1.html
File Path: /var/simplicite/.m2/repository/javax/jms/javax.jms-api/2.0.1/javax.jms-api-2.0.1.jar
MD5: d69d2e02910e97b2478c0105e9b2caab
SHA1: 5faaa3864ff6025ce69809b60d65bda3e358610c
SHA256:aa4a16fac46d949b17b32091036e4d1e3c812ef3b4bd184ec838efffb53ba4f8
Referenced In Project/Scope:Simplicite Platform:compile

Identifiers

javax.mail-1.6.2.jar

Description:

JavaMail API

License:

https://javaee.github.io/javamail/LICENSE
File Path: /var/simplicite/.m2/repository/com/sun/mail/javax.mail/1.6.2/javax.mail-1.6.2.jar
MD5: 0b81d022797740d72d21620781841374
SHA1: 935151eb71beff17a2ffac15dd80184a99a0514f
SHA256:45b515e7104944c09e45b9c7bb1ce5dff640486374852dd2b2e80cc3752dfa11
Referenced In Project/Scope:Simplicite Platform:compile

Identifiers

javax.servlet-api-4.0.1.jar

Description:

Java(TM) Servlet 4.0 API Design Specification

License:

CDDL + GPLv2 with classpath exception: https://oss.oracle.com/licenses/CDDL+GPL-1.1
File Path: /var/simplicite/.m2/repository/javax/servlet/javax.servlet-api/4.0.1/javax.servlet-api-4.0.1.jar
MD5: b80414033bf3397de334b95e892a2f44
SHA1: a27082684a2ff0bf397666c3943496c44541d1ca
SHA256:83a03dd877d3674576f0da7b90755c8524af099ccf0607fc61aa971535ad7c60
Referenced In Project/Scope:Simplicite Platform:provided

Identifiers

javax.servlet.jsp-api-2.3.3.jar

Description:

Java.net - The Source for Java Technology Collaboration

License:

CDDL + GPLv2 with classpath exception: ://oss.oracle.com/licenses/CDDL+GPL-1.1
File Path: /var/simplicite/.m2/repository/javax/servlet/jsp/javax.servlet.jsp-api/2.3.3/javax.servlet.jsp-api-2.3.3.jar
MD5: f6676a5961328c41c5e722da5e48d047
SHA1: 81191ab80e342912dc9cea735c30ff4eddc64de3
SHA256:409a534d275ef0958a2c1692472da30e3706bfe6933d56c039376f53f13689b7
Referenced In Project/Scope:Simplicite Platform:provided

Identifiers

javax.transaction-api-1.3.jar

Description:

Project GlassFish Java Transaction API

License:

CDDL + GPLv2 with classpath exception: https://github.com/javaee/javax.transaction/blob/master/LICENSE
File Path: /var/simplicite/.m2/repository/javax/transaction/javax.transaction-api/1.3/javax.transaction-api-1.3.jar
MD5: 6e9cb1684621821248b6823143ae26c0
SHA1: e006adf5cf3cca2181d16bd640ecb80148ec0fce
SHA256:603df5e4fc1eeae8f5e5d363a8be6c1fa47d0df1df8739a05cbcb9fafd6df2da
Referenced In Project/Scope:Simplicite Platform:provided

Identifiers

javax.websocket-api-1.1.jar

Description:

JSR 356: Java API for WebSocket

License:

https://glassfish.java.net/public/CDDL+GPL_1_1.html
File Path: /var/simplicite/.m2/repository/javax/websocket/javax.websocket-api/1.1/javax.websocket-api-1.1.jar
MD5: be29e11a4a15742aa6fb418fa46345e3
SHA1: eeeb68631711256418dfbb47b11c731b6c8f6235
SHA256:a260973517bf6411d659b588a719aa27e7e4e47dfbd510fceb5bf1023a2c45e4
Referenced In Project/Scope:Simplicite Platform:provided

Identifiers

javax.ws.rs-api-2.0.1.jar

Description:

Java API for RESTful Web Services (JAX-RS)

License:

CDDL 1.1: http://glassfish.java.net/public/CDDL+GPL_1_1.html
GPL2 w/ CPE: http://glassfish.java.net/public/CDDL+GPL_1_1.html
File Path: /var/simplicite/.m2/repository/javax/ws/rs/javax.ws.rs-api/2.0.1/javax.ws.rs-api-2.0.1.jar
MD5: edcd111cf4d3ba8ac8e1f326efc37a17
SHA1: 104e9c2b5583cfcfeac0402316221648d6d8ea6b
SHA256:38607d626f2288d8fbc1b1f8a62c369e63806d9a313ac7cbc5f9d6c94f4b466d
Referenced In Project/Scope:Simplicite Platform:compile

Identifiers

jawk-1.02.jar

Description:

POM was created from install:install-file

File Path: /var/simplicite/.m2/repository/org/jawk/jawk/1.02/jawk-1.02.jar
MD5: cd04ea3460d71a03ca5f4232c9ee5f0c
SHA1: 7bdd8bb1a1b9adff9b471cc041cba83ef3a2abe6
SHA256:2773c7f47b2ee8f483d6cb30f799c31f81645d23f49910e58ef4cccb2ffe1c7b
Referenced In Project/Scope:Simplicite Platform:compile

Identifiers

jaxb-api-2.3.1.jar

Description:

JAXB (JSR 222) API

License:

https://oss.oracle.com/licenses/CDDL+GPL-1.1, https://oss.oracle.com/licenses/CDDL+GPL-1.1
File Path: /var/simplicite/.m2/repository/javax/xml/bind/jaxb-api/2.3.1/jaxb-api-2.3.1.jar
MD5: bcf270d320f645ad19f5edb60091e87f
SHA1: 8531ad5ac454cc2deb9d4d32c40c4d7451939b5d
SHA256:88b955a0df57880a26a74708bc34f74dcaf8ebf4e78843a28b50eae945732b06
Referenced In Project/Scope:Simplicite Platform:compile

Identifiers

jaxb-runtime-2.3.2.jar

Description:

JAXB (JSR 222) Reference Implementation

File Path: /var/simplicite/.m2/repository/org/glassfish/jaxb/jaxb-runtime/2.3.2/jaxb-runtime-2.3.2.jar
MD5: 9c3bf13a58e56c1b955bf5a365ca10b2
SHA1: 5528bc882ea499a09d720b42af11785c4fc6be2a
SHA256:e6e0a1e89fb6ff786279e6a0082d5cef52dc2ebe67053d041800737652b4fd1b
Referenced In Project/Scope:Simplicite Platform:compile

Identifiers

jaxb-svg11-1.0.2.jar

Description:

JAXB classes modelling SVG 1.1

License:

Apache 2: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /var/simplicite/.m2/repository/org/plutext/jaxb-svg11/1.0.2/jaxb-svg11-1.0.2.jar
MD5: 91f22bed36295692c384e846dfc460b0
SHA1: 3c0cd54d5691f5b5f8c60ed0c06353ff1db424e1
SHA256:6799f39d49d9dbfef140e76b33d0884d55372935768a3955900eb022576a760d
Referenced In Project/Scope:Simplicite Platform:compile

Identifiers

jaxb-xjc-2.3.2.jar

Description:

JAXB Binding Compiler. Contains source code needed for binding customization files into java sources.
In other words: the *tool* to generate java classes for the given xml representation.

File Path: /var/simplicite/.m2/repository/org/glassfish/jaxb/jaxb-xjc/2.3.2/jaxb-xjc-2.3.2.jar
MD5: 1c78df3990145ef0acfeb83c1d2ae567
SHA1: 9cfd86529359747d07251c017d4e46254faa2c2b
SHA256:b68ad7eeb5c0b514114897c37ff7efb8885419d03fd6e8e5fae2d4ce76f51d89
Referenced In Project/Scope:Simplicite Platform:compile

Identifiers

jbig2-imageio-3.0.2.jar

Description:

Java Image I/O plugin for reading JBIG2-compressed image data.
Formerly known as the levigo JBig2 ImageIO plugin (com.levigo.jbig2:levigo-jbig2-imageio).

File Path: /var/simplicite/.m2/repository/org/apache/pdfbox/jbig2-imageio/3.0.2/jbig2-imageio-3.0.2.jar
MD5: 75dacf14cc468045f89d7f5fff1aa494
SHA1: 46a53edceceabcdf9b81cd6d14f052bdfa171f4b
SHA256:3dc510cd41511f2e2382eb7ac3550b2f94e21847f0b7221be8ddd0f2252a8fe4
Referenced In Project/Scope:Simplicite Platform:compile

Identifiers

jcip-annotations-1.0.jar

File Path: /var/simplicite/.m2/repository/net/jcip/jcip-annotations/1.0/jcip-annotations-1.0.jar
MD5: 9d5272954896c5a5d234f66b7372b17a
SHA1: afba4942caaeaf46aab0b976afd57cc7c181467e
SHA256:be5805392060c71474bf6c9a67a099471274d30b83eef84bfc4e0889a4f1dcc0
Referenced In Project/Scope:Simplicite Platform:compile

Identifiers

jcl-over-slf4j-1.7.30.jar

Description:

JCL 1.2 implemented over SLF4J

License:

Apache License, Version 2.0: https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /var/simplicite/.m2/repository/org/slf4j/jcl-over-slf4j/1.7.30/jcl-over-slf4j-1.7.30.jar
MD5: 69ad224b2feb6f86554fe8997b9c3d4b
SHA1: cd92524ea19d27e5b94ecd251e1af729cffdfe15
SHA256:71e9ee37b9e4eb7802a2acc5f41728a4cf3915e7483d798db3b4ff2ec8847c50
Referenced In Project/Scope:Simplicite Platform:compile

Identifiers

jclouds-core-2.2.0.jar

Description:

Core components to access jclouds services

License:

https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /var/simplicite/.m2/repository/org/apache/jclouds/jclouds-core/2.2.0/jclouds-core-2.2.0.jar
MD5: 29914e31e40bc56f933abf680e9b5954
SHA1: 488b7d20b163057e6d9767b2073714333f6c708a
SHA256:df69b0c8b13bf34465b42c1dd32b7200a9e5cf9b4cda9ea22bc5f34ad222ceec
Referenced In Project/Scope:Simplicite Platform:compile

Identifiers

jclouds-log4j-2.2.0.jar

Description:

jclouds Log4J Logging Module

License:

https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /var/simplicite/.m2/repository/org/apache/jclouds/driver/jclouds-log4j/2.2.0/jclouds-log4j-2.2.0.jar
MD5: fece8cd73ad778783c7afa58d1a4b512
SHA1: 20ab9d90c50e6343a2a5f023dc93a2935828005f
SHA256:3da7521e48790521e48ebe9a70292ec2e8d180a40b8fcb6852cf0029de397d37
Referenced In Project/Scope:Simplicite Platform:compile

Identifiers

CVE-2021-44228  

Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0 (along with 2.12.2, 2.12.3, and 2.3.1), this functionality has been completely removed. Note that this vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects.
CWE-400 Uncontrolled Resource Consumption ('Resource Exhaustion'), CWE-502 Deserialization of Untrusted Data, CWE-20 Improper Input Validation

CVSSv2:
  • Base Score: HIGH (9.3)
  • Vector: /AV:N/AC:M/Au:N/C:C/I:C/A:C
CVSSv3:
  • Base Score: CRITICAL (10.0)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

References:

Vulnerable Software & Versions:

CVE-2017-5645  

In Apache Log4j 2.x before 2.8.2, when using the TCP socket server or UDP socket server to receive serialized log events from another application, a specially crafted binary payload can be sent that, when deserialized, can execute arbitrary code.
CWE-502 Deserialization of Untrusted Data

CVSSv2:
  • Base Score: HIGH (7.5)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions:

CVE-2021-45046  

It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. This could allow attackers with control over Thread Context Map (MDC) input data when the logging configuration uses a non-default Pattern Layout with either a Context Lookup (for example, $${ctx:loginId}) or a Thread Context Map pattern (%X, %mdc, or %MDC) to craft malicious input data using a JNDI Lookup pattern resulting in an information leak and remote code execution in some environments and local code execution in all environments. Log4j 2.16.0 (Java 8) and 2.12.2 (Java 7) fix this issue by removing support for message lookup patterns and disabling JNDI functionality by default.
CWE-917 Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')

CVSSv2:
  • Base Score: MEDIUM (5.1)
  • Vector: /AV:N/AC:H/Au:N/C:P/I:P/A:P
CVSSv3:
  • Base Score: CRITICAL (9.0)
  • Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

References:

Vulnerable Software & Versions:

CVE-2021-44832  

Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) are vulnerable to a remote code execution (RCE) attack when a configuration uses a JDBC Appender with a JNDI LDAP data source URI when an attacker has control of the target LDAP server. This issue is fixed by limiting JNDI data source names to the java protocol in Log4j2 versions 2.17.1, 2.12.4, and 2.3.2.
CWE-20 Improper Input Validation

CVSSv2:
  • Base Score: HIGH (8.5)
  • Vector: /AV:N/AC:M/Au:S/C:C/I:C/A:C
CVSSv3:
  • Base Score: MEDIUM (6.6)
  • Vector: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions:

CVE-2021-45105  

Apache Log4j2 versions 2.0-alpha1 through 2.16.0 (excluding 2.12.3 and 2.3.1) did not protect from uncontrolled recursion from self-referential lookups. This allows an attacker with control over Thread Context Map data to cause a denial of service when a crafted string is interpreted. This issue was fixed in Log4j 2.17.0, 2.12.3, and 2.3.1.
CWE-20 Improper Input Validation, CWE-674 Uncontrolled Recursion

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:N/A:P
CVSSv3:
  • Base Score: MEDIUM (5.9)
  • Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

References:

Vulnerable Software & Versions:

CVE-2020-9488  

Improper validation of certificate with host mismatch in Apache Log4j SMTP appender. This could allow an SMTPS connection to be intercepted by a man-in-the-middle attack which could leak any log messages sent through that appender. Fixed in Apache Log4j 2.12.3 and 2.13.1.
CWE-295 Improper Certificate Validation

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:P/I:N/A:N
CVSSv3:
  • Base Score: LOW (3.7)
  • Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

References:

Vulnerable Software & Versions:

jcommander-1.35.jar

Description:

A Java framework to parse command line options with annotations.

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /var/simplicite/.m2/repository/com/beust/jcommander/1.35/jcommander-1.35.jar
MD5: 90216444fab67357c5bdf3293b47107e
SHA1: 47592e181b0bdbbeb63029e08c5e74f6803c4edd
SHA256:019c12fec1ce5c02cbabb150f6ac8a86d92a0ecc9c89a549e5537283e863000c
Referenced In Project/Scope:Simplicite Platform:compile

Identifiers

jdom2-2.0.6.jar

Description:

A complete, Java-based solution for accessing, manipulating, and outputting XML data.

License:

Similar to Apache License but with the acknowledgment clause removed: https://raw.github.com/hunterhacker/jdom/master/LICENSE.txt
File Path: /var/simplicite/.m2/repository/org/jdom/jdom2/2.0.6/jdom2-2.0.6.jar
MD5: 86a30c9b1ddc08ca155747890db423b7
SHA1: 6f14738ec2e9dd0011e343717fa624a10f8aab64
SHA256:1345f11ba606d15603d6740551a8c21947c0215640770ec67271fe78bea97cf5
Referenced In Project/Scope:Simplicite Platform:compile

Identifiers

CVE-2021-33813  

An XXE issue in SAXBuilder in JDOM through 2.0.6 allows attackers to cause a denial of service via a crafted HTTP request.
CWE-611 Improper Restriction of XML External Entity Reference ('XXE')

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:P
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References:

Vulnerable Software & Versions:

jempbox-1.8.16.jar

Description:

The Apache JempBox library is an open source Java tool that implements Adobe's XMP(TM) specification. JempBox is a subproject of Apache PDFBox.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /var/simplicite/.m2/repository/org/apache/pdfbox/jempbox/1.8.16/jempbox-1.8.16.jar
MD5: 1cb997cdd8302c7e19131c81ba0b7ee2
SHA1: 1f41de81768ef84ca2d8cda4cb79e9272c8ee966
SHA256:ebef7cca5a5a77768e686972b4a89f0ffce7b46907fd96ac3d4f6ce2fa038055
Referenced In Project/Scope:Simplicite Platform:compile

Identifiers

jersey-core-1.19.1.jar

Description:

Jersey is the open source (under dual CDDL+GPL license) JAX-RS (JSR 311) production quality Reference Implementation for building RESTful Web services.

License:

http://glassfish.java.net/public/CDDL+GPL_1_1.html, http://glassfish.java.net/public/CDDL+GPL_1_1.html
File Path: /var/simplicite/.m2/repository/com/sun/jersey/jersey-core/1.19.1/jersey-core-1.19.1.jar
MD5: 577161779fabb561d73388d1ffc46b1f
SHA1: 04282d106f2acd5051bd9bc2935ed9a2920c9385
SHA256:86c3b0f6b933478dfdd2486f047861dd2f68502e05e3c76c7dfa3968ea2b5532
Referenced In Project/Scope:Simplicite Platform:compile

Identifiers

jfreechart-1.5.0.jar

Description:

JFreeChart is a class library, written in Java, for generating charts. Utilising the Java2D APIs, it currently supports bar charts, pie charts, line charts, XY-plots and time series plots.

License:

GNU Lesser General Public Licence: http://www.gnu.org/licenses/lgpl.txt
File Path: /var/simplicite/.m2/repository/org/jfree/jfreechart/1.5.0/jfreechart-1.5.0.jar
MD5: 7f2c7d92183516747cbe5269fa8f2201
SHA1: bc7919249bac68c15c433ed51cb798a1bf8cd74e
SHA256:ae3788e0977723ed6769d3569c6f2003df8735eca6fc108c67ad10a62a15bc5e
Referenced In Project/Scope:Simplicite Platform:compile

Identifiers

jhighlight-1.0.3.jar

Description:

JHighlight is an embeddable pure Java syntax highlighting library that supports Java, HTML, XHTML, XML and LZX languages and outputs to XHTML.

It also supports RIFE templates tags and highlights them clearly so that you can easily identify the difference between your RIFE markup and the actual marked up source.

License:

CDDL, v1.0: http://www.opensource.org/licenses/cddl1.php
LGPL, v2.1 or later: http://www.opensource.org/licenses/lgpl-license.php
File Path: /var/simplicite/.m2/repository/org/codelibs/jhighlight/1.0.3/jhighlight-1.0.3.jar
MD5: 318e72a07b2bbe089f0c41df45d2f484
SHA1: 88831dce3d56aa53a1bfcba78518e8939b8d4779
SHA256:34405394e068b5d8c40ed45928ce077f8b5140bf33851a55b9cb53116ded43e5
Referenced In Project/Scope:Simplicite Platform:compile

Identifiers

jjwt-0.4.jar

License:

Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0
File Path: /var/simplicite/.m2/repository/io/jsonwebtoken/jjwt/0.4/jjwt-0.4.jar
MD5: 3c8fc46151456368494680026debae21
SHA1: 61ce246d937a0fd3acf06d3bef5fc9e3933ae812
SHA256:64f06aa7c74916036ffe3bb96b5a1aac7d4c6c6b1914b3ea828959da2117920b
Referenced In Project/Scope:Simplicite Platform:compile

Identifiers

jlessc-1.8.jar

Description:

A Less CSS compiler written completely in Java (pure Java).

License:

MIT License: http://www.opensource.org/licenses/mit-license.php
File Path: /var/simplicite/.m2/repository/de/inetsoftware/jlessc/1.8/jlessc-1.8.jar
MD5: fd47b0c7d5eb68328f681f698ea32316
SHA1: 8ca4880ced86c740fa65b3ad922c576066975e87
SHA256:74bac7175cf637813ccc3fe951a96d1d6d8189428c5f7a97181bde1f817d1c32
Referenced In Project/Scope:Simplicite Platform:compile

Identifiers

jlessc-ant-1.8.jar

Description:

Simple Apache Ant task for JLessC

License:

Apache License, Version 2.0: https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /var/simplicite/.m2/repository/com/simplicite/ant/jlessc-ant/1.8/jlessc-ant-1.8.jar
MD5: 497812e55df43aec9955d8c88303c4c8
SHA1: a16cfcb7848fe42b76d5178fdb6234ec817891ed
SHA256:fd9a6a6146151674652ed353d16d835ae8308118faab3f6bccab43e59e2c8875
Referenced In Project/Scope:Simplicite Platform:compile

Identifiers

jmatio-1.5.jar

Description:

Matlab's MAT-file I/O API in Java. Supports Matlab 5 MAT-file format reading and writing. Written in pure Java.

License:

BSD: http://www.linfo.org/bsdlicense.html
File Path: /var/simplicite/.m2/repository/org/tallison/jmatio/1.5/jmatio-1.5.jar
MD5: 6eccf45b3a4bb3dd0518afcf37b8ed35
SHA1: 517d932cc87a3b564f3f7a07ac347b725b619ab4
SHA256:70db8cf9a1818072f290fd464f14a8369c9c58993e6640128a6e8a6379d67ac7
Referenced In Project/Scope:Simplicite Platform:compile

Identifiers

jmustache-1.15.jar

Description:

A Java implementation of the Mustache templating language.

License:

The (New) BSD License: http://www.opensource.org/licenses/bsd-license.php
File Path: /var/simplicite/.m2/repository/com/samskivert/jmustache/1.15/jmustache-1.15.jar
MD5: 0b166350b8b372d5caae4f0b692e016f
SHA1: 7b3b15951d13b774c76db2f4e14d977952f8b4d8
SHA256:1aeb96b9dc17bc29540b8c3342e8e91ee974d5c604165ecd469dd76b041c250c
Referenced In Project/Scope:Simplicite Platform:compile

Identifiers

jna-5.3.1.jar

Description:

Java Native Access

License:

LGPL, version 2.1: http://www.gnu.org/licenses/licenses.html
Apache License v2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /var/simplicite/.m2/repository/net/java/dev/jna/jna/5.3.1/jna-5.3.1.jar
MD5: df3ad04f50fb50840eeb674210200f64
SHA1: 6eb9d07456c56b9c2560722e90382252f0f98405
SHA256:01cb505c0698d0f7acf3524c7e73acb7dc424a5bae5e9c86ce44075ab32bc4ee
Referenced In Project/Scope:Simplicite Platform:compile

Identifiers

jna-5.3.1.jar: jnidispatch.dll

File Path: /var/simplicite/.m2/repository/net/java/dev/jna/jna/5.3.1/jna-5.3.1.jar/com/sun/jna/win32-x86-64/jnidispatch.dll
MD5: 3c016613eb59259f94e2add2b8d926c0
SHA1: e26183f9919ed1daf5c1856c16f8a074bd9ef6dc
SHA256:df09119557efe5a5fc2237996b09c3da34fb60eb3ff0c6a5b2a35ec4212e0119
Referenced In Project/Scope:Simplicite Platform:compile

Identifiers

  • None

jna-5.3.1.jar: jnidispatch.dll

File Path: /var/simplicite/.m2/repository/net/java/dev/jna/jna/5.3.1/jna-5.3.1.jar/com/sun/jna/win32-x86/jnidispatch.dll
MD5: 391d7cbfc2c03d0be890541004e6a0ac
SHA1: 1a48c577532b6dbec44b5401fa8268a86daa35b0
SHA256:2d0342e81527fc07255f6585e7de2e89dcd33b2ccf3e770eb83889353265cec3
Referenced In Project/Scope:Simplicite Platform:compile

Identifiers

  • None

joda-time-2.10.3.jar

Description:

Date and time library to replace JDK date handling

License:

Apache License, Version 2.0: https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /var/simplicite/.m2/repository/joda-time/joda-time/2.10.3/joda-time-2.10.3.jar
MD5: c7d774a821ec6b1a923d82563d657e2b
SHA1: 2e5366cf1f77ca3bafffecf6e87d30e1d504e959
SHA256:ebb6a6aade36fba2e5aa3f2b98ff9904f20f6f59db1ec6513be5e97d0c578e89
Referenced In Project/Scope:Simplicite Platform:compile

Identifiers

jsch-0.1.55.jar

Description:

JSch is a pure Java implementation of SSH2

License:

Revised BSD: http://www.jcraft.com/jsch/LICENSE.txt
File Path: /var/simplicite/.m2/repository/com/jcraft/jsch/0.1.55/jsch-0.1.55.jar
MD5: c395ada0fc012d66f11bd30246f6c84d
SHA1: bbd40e5aa7aa3cfad5db34965456cee738a42a50
SHA256:d492b15a6d2ea3f1cc39c422c953c40c12289073dbe8360d98c0f6f9ec74fc44
Referenced In Project/Scope:Simplicite Platform:compile

Identifiers

json-20190722.jar

Description:

JSON is a light-weight, language independent, data interchange format. See http://www.JSON.org/

The files in this package implement JSON encoders/decoders in Java. It also includes the capability to convert between JSON and XML, HTTP headers, Cookies, and CDL.

This is a reference implementation. There is a large number of JSON packages in Java. Perhaps someday the Java community will standardize on one. Until then, choose carefully.

The license includes this restriction: "The software shall be used for good, not evil." If your conscience cannot live with that, then choose a different package.

License:

The JSON License: http://json.org/license.html
File Path: /var/simplicite/.m2/repository/org/json/json/20190722/json-20190722.jar
MD5: cdb0aa1fd126bc94b34da5856b57f13a
SHA1: 07bce7bacf0ab5e9f894d307a3de8b7f540064d5
SHA256:e35b3830de02a8992ca8beb6936f52ee80e509753d64469c8f0dde93e17a880b
Referenced In Project/Scope:Simplicite Platform:compile

Identifiers

CVE-2022-45688  

A stack overflow in the XML.toJSONObject component of hutool-json v5.8.10 allows attackers to cause a Denial of Service (DoS) via crafted JSON or XML data.
CWE-787 Out-of-bounds Write

CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References:

Vulnerable Software & Versions:

CVE-2023-5072  

Denial of Service in JSON-Java versions up to and including 20230618. A bug in the parser means that an input string of modest size can lead to indefinite amounts of memory being used.
CWE-770 Allocation of Resources Without Limits or Throttling

CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References:

Vulnerable Software & Versions:

json-simple-1.1.1.jar

Description:

A simple Java toolkit for JSON

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /var/simplicite/.m2/repository/com/googlecode/json-simple/json-simple/1.1.1/json-simple-1.1.1.jar
MD5: 5cc2c478d73e8454b4c369cee66c5bc7
SHA1: c9ad4a0850ab676c5c64461a05ca524cdfff59f1
SHA256:4e69696892b88b41c55d49ab2fdcc21eead92bf54acc588c0050596c3b75199c
Referenced In Project/Scope:Simplicite Platform:compile

Identifiers

jsoup-1.12.1.jar

Description:

jsoup is a Java library for working with real-world HTML. It provides a very convenient API for extracting and manipulating data, using the best of DOM, CSS, and jquery-like methods. jsoup implements the WHATWG HTML5 specification, and parses HTML to the same DOM as modern browsers do.

License:

The MIT License: https://jsoup.org/license
File Path: /var/simplicite/.m2/repository/org/jsoup/jsoup/1.12.1/jsoup-1.12.1.jar
MD5: 79bb9e9e8b50ef80a18bd46426befc5a
SHA1: 55819a28fc834c2f2bcf4dcdb278524dc3cf088f
SHA256:4f961f68e47740dd7576c9685774a7b25b92f1017af24e2f707b30e893abade3
Referenced In Project/Scope:Simplicite Platform:compile

Identifiers

CVE-2021-37714  

jsoup is a Java library for working with HTML. Those using jsoup versions prior to 1.14.2 to parse untrusted HTML or XML may be vulnerable to DOS attacks. If the parser is run on user supplied input, an attacker may supply content that causes the parser to get stuck (loop indefinitely until cancelled), to complete more slowly than usual, or to throw an unexpected exception. This effect may support a denial of service attack. The issue is patched in version 1.14.2. There are a few available workarounds. Users may rate limit input parsing, limit the size of inputs based on system resources, and/or implement thread watchdogs to cap and timeout parse runtimes.
CWE-248 Uncaught Exception, CWE-835 Loop with Unreachable Exit Condition ('Infinite Loop')

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:P
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References:

Vulnerable Software & Versions:

CVE-2022-36033  

jsoup is a Java HTML parser, built for HTML editing, cleaning, scraping, and cross-site scripting (XSS) safety. jsoup may incorrectly sanitize HTML including `javascript:` URL expressions, which could allow XSS attacks when a reader subsequently clicks that link. If the non-default `SafeList.preserveRelativeLinks` option is enabled, HTML including `javascript:` URLs that have been crafted with control characters will not be sanitized. If the site that this HTML is published on does not set a Content Security Policy, an XSS attack is then possible. This issue is patched in jsoup 1.15.3. Users should upgrade to this version. Additionally, as the unsanitized input may have been persisted, old content should be cleaned again using the updated version. To remediate this issue without immediately upgrading: - disable `SafeList.preserveRelativeLinks`, which will rewrite input URLs as absolute URLs - ensure an appropriate [Content Security Policy](https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP) is defined. (This should be used regardless of upgrading, as a defence-in-depth best practice.)
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv3:
  • Base Score: MEDIUM (6.1)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

References:

Vulnerable Software & Versions:

jsr305-3.0.2.jar

Description:

JSR305 Annotations for Findbugs

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /var/simplicite/.m2/repository/com/google/code/findbugs/jsr305/3.0.2/jsr305-3.0.2.jar
MD5: dd83accb899363c32b07d7a1b2e4ce40
SHA1: 25ea2e8b0c338a877313bd4672d3fe056ea78f0d
SHA256:766ad2a0783f2687962c8ad74ceecc38a28b9f72a2d085ee438b7813e928d0c7
Referenced In Project/Scope:Simplicite Platform:compile

Identifiers

jsr311-api-1.1.1.jar

License:

CDDL License: http://www.opensource.org/licenses/cddl1.php
File Path: /var/simplicite/.m2/repository/javax/ws/rs/jsr311-api/1.1.1/jsr311-api-1.1.1.jar
MD5: c9803468299ec255c047a280ddec510f
SHA1: 59033da2a1afd56af1ac576750a8d0b1830d59e6
SHA256:ab1534b73b5fa055808e6598a5e73b599ccda28c3159c3c0908977809422ee4a
Referenced In Project/Scope:Simplicite Platform:compile

Identifiers

jtidy-r938.jar

Description:

JTidy is a Java port of HTML Tidy, a HTML syntax checker and pretty printer. Like its non-Java cousin, JTidy can be used as a tool for cleaning up malformed and faulty HTML. In addition, JTidy provides a DOM interface to the document that is being processed, which effectively makes you able to use JTidy as a DOM parser for real-world HTML.

License:

Java HTML Tidy License: http://jtidy.svn.sourceforge.net/viewvc/jtidy/trunk/jtidy/LICENSE.txt?revision=95
File Path: /var/simplicite/.m2/repository/net/sf/jtidy/jtidy/r938/jtidy-r938.jar
MD5: 6a9121561b8f98c0a8fb9b6e57f50e6b
SHA1: ab08d87a225a715a69107732b67f21e1da930349
SHA256:6fc03e51e73fa884f06e7eae0761e045e56fdeb4e146a4d952e3023cc9e3fb43
Referenced In Project/Scope:Simplicite Platform:compile

Identifiers

CVE-2023-34623  

An issue was discovered in jtidy through r938 that allows attackers to cause a denial of service or other unspecified impacts via a crafted object that uses cyclic dependencies.
CWE-787 Out-of-bounds Write

CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References:

Vulnerable Software & Versions:

jul-to-slf4j-1.7.30.jar

Description:

JUL to SLF4J bridge

File Path: /var/simplicite/.m2/repository/org/slf4j/jul-to-slf4j/1.7.30/jul-to-slf4j-1.7.30.jar
MD5: f2c78cb93d70dc5dea0c50f36ace09c1
SHA1: d58bebff8cbf70ff52b59208586095f467656c30
SHA256:bbcbfdaa72572255c4f85207a9bfdb24358dc993e41252331bd4d0913e4988b9
Referenced In Project/Scope:Simplicite Platform:compile

Identifiers

junit-4.13.2.jar

Description:

JUnit is a unit testing framework for Java, created by Erich Gamma and Kent Beck.

License:

Eclipse Public License 1.0: http://www.eclipse.org/legal/epl-v10.html
File Path: /var/simplicite/.m2/repository/junit/junit/4.13.2/junit-4.13.2.jar
MD5: d98a9a02a99a9acd22d7653cbcc1f31f
SHA1: 8ac9e16d933b6fb43bc7f576336b8f4d7eb5ba12
SHA256:8e495b634469d64fb8acfa3495a065cbacc8a0fff55ce1e31007be4c16dc57d3
Referenced In Project/Scope:Simplicite Platform:compile

Identifiers

juniversalchardet-1.0.3.jar

Description:

Java port of universalchardet

License:

Mozilla Public License 1.1 (MPL 1.1): http://www.mozilla.org/MPL/MPL-1.1.html
File Path: /var/simplicite/.m2/repository/com/googlecode/juniversalchardet/juniversalchardet/1.0.3/juniversalchardet-1.0.3.jar
MD5: d9ea0a9a275336c175b343f2e4cd8f27
SHA1: cd49678784c46aa8789c060538e0154013bb421b
SHA256:757bfe906193b8b651e79dc26cd67d6b55d0770a2cdfb0381591504f779d4a76
Referenced In Project/Scope:Simplicite Platform:compile

Identifiers

junrar-4.0.0.jar

Description:

rar decompression library in plain java

License:

UnRar License: https://raw.github.com/junrar/junrar/master/license.txt
File Path: /var/simplicite/.m2/repository/com/github/junrar/junrar/4.0.0/junrar-4.0.0.jar
MD5: 38103347e0c3e06ee52ce032cee9e902
SHA1: 93f9b74e1507db9c55c5bdd35369376a474e4db5
SHA256:2eafa4571dfebe4e42e686657f9e597aaa86bb68942b590d5af9902e7caddb20
Referenced In Project/Scope:Simplicite Platform:compile

Identifiers

CVE-2022-23596  

Junrar is an open source Java RAR archive library. In affected versions, a carefully crafted RAR archive can trigger an infinite loop while extracting said archive. The impact depends solely on how the application uses the library, and whether files can be provided by malignant users. The problem is patched in 7.4.1. There are no known workarounds and users are advised to upgrade as soon as possible.
CWE-835 Loop with Unreachable Exit Condition ('Infinite Loop')

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:P
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References:

Vulnerable Software & Versions:

jzlib-1.1.1.jar

Description:

JZlib is a re-implementation of zlib in pure Java

License:

Revised BSD: http://www.jcraft.com/jzlib/LICENSE.txt
File Path: /var/simplicite/.m2/repository/com/jcraft/jzlib/1.1.1/jzlib-1.1.1.jar
MD5: 553b605c56ec6f508ab46ed026e21622
SHA1: a1551373315ffc2f96130a0e5704f74e151777ba
SHA256:5cb1e9f9cf0be011487545694ff0a178237c6bfcbb21c97865cdc52c60b9347a
Referenced In Project/Scope:Simplicite Platform:compile

Identifiers

libphonenumber-8.12.6.jar

Description:

Google's common Java library for parsing, formatting, storing and validating international phone numbers. Optimized for running on smartphones.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /var/simplicite/.m2/repository/com/googlecode/libphonenumber/libphonenumber/8.12.6/libphonenumber-8.12.6.jar
MD5: 61e2edb830516cca446822a3f2ccf77e
SHA1: ade471e53eb8c848f91dba4fdb2f462f8319220e
SHA256:c118abe8954172149c98e727c8630eda4954e048582a9e5007e3479681453e94
Referenced In Project/Scope:Simplicite Platform:compile

Identifiers

listenablefuture-9999.0-empty-to-avoid-conflict-with-guava.jar

Description:

An empty artifact that Guava depends on to signal that it is providing ListenableFuture -- but is also available in a second "version" that contains the com.google.common.util.concurrent.ListenableFuture class, without any other Guava classes. The idea is:

- If users want only ListenableFuture, they depend on listenablefuture-1.0.

- If users want all of Guava, they depend on guava, which, as of Guava 27.0, depends on listenablefuture-9999.0-empty-to-avoid-conflict-with-guava. The 9999.0-... version number is enough for some build systems (notably, Gradle) to select that empty artifact over the "real" listenablefuture-1.0 -- avoiding a conflict with the copy of ListenableFuture in guava itself. If users are using an older version of Guava or a build system other than Gradle, they may see class conflicts. If so, they can solve them by manually excluding the listenablefuture artifact or manually forcing their build systems to use 9999.0-....

File Path: /var/simplicite/.m2/repository/com/google/guava/listenablefuture/9999.0-empty-to-avoid-conflict-with-guava/listenablefuture-9999.0-empty-to-avoid-conflict-with-guava.jar
MD5: d094c22570d65e132c19cea5d352e381
SHA1: b421526c5f297295adef1c886e5246c39d4ac629
SHA256:b372a037d4230aa57fbeffdef30fd6123f9c0c2db85d0aced00c91b974f33f99
Referenced In Project/Scope:Simplicite Platform:compile

Identifiers

log4j-1.2.17.jar

Description:

Apache Log4j 1.2

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /var/simplicite/.m2/repository/log4j/log4j/1.2.17/log4j-1.2.17.jar
MD5: 04a41f0a068986f0f73485cf507c0f40
SHA1: 5af35056b4d257e4b64b9e8069c0746e8b08629f
SHA256:1d31696445697720527091754369082a6651bd49781b6005deb94e56753406f9
Referenced In Project/Scope:Simplicite Platform:compile

Identifiers

CVE-2019-17571  

Included in Log4j 1.2 is a SocketServer class that is vulnerable to deserialization of untrusted data, which can be exploited to remotely execute arbitrary code when combined with a deserialization gadget when listening to untrusted network traffic for log data. This affects Log4j 1.2 versions up to 1.2.17.
CWE-502 Deserialization of Untrusted Data

CVSSv2:
  • Base Score: HIGH (7.5)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions:

CVE-2020-9493  

A deserialization flaw was found in Apache Chainsaw versions prior to 2.1.0 which could lead to malicious code execution.
CWE-502 Deserialization of Untrusted Data

CVSSv2:
  • Base Score: MEDIUM (6.8)
  • Vector: /AV:N/AC:M/Au:N/C:P/I:P/A:P
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions:

CVE-2022-23305  

By design, the JDBCAppender in Log4j 1.2.x accepts an SQL statement as a configuration parameter where the values to be inserted are converters from PatternLayout. The message converter, %m, is likely to always be included. This allows attackers to manipulate the SQL by entering crafted strings into input fields or headers of an application that are logged allowing unintended SQL queries to be executed. Note this issue only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default. Beginning in version 2.0-beta8, the JDBCAppender was re-introduced with proper support for parameterized SQL queries and further customization over the columns written to in logs. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.
CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVSSv2:
  • Base Score: MEDIUM (6.8)
  • Vector: /AV:N/AC:M/Au:N/C:P/I:P/A:P
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions:

CVE-2022-23302  

JMSSink in all versions of Log4j 1.x is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration or if the configuration references an LDAP service the attacker has access to. The attacker can provide a TopicConnectionFactoryBindingName configuration causing JMSSink to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-4104. Note this issue only affects Log4j 1.x when specifically configured to use JMSSink, which is not the default. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.
CWE-502 Deserialization of Untrusted Data

CVSSv2:
  • Base Score: MEDIUM (6.0)
  • Vector: /AV:N/AC:M/Au:S/C:P/I:P/A:P
CVSSv3:
  • Base Score: HIGH (8.8)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions:

CVE-2022-23307  

CVE-2020-9493 identified a deserialization issue that was present in Apache Chainsaw. Prior to Chainsaw V2.0 Chainsaw was a component of Apache Log4j 1.2.x where the same issue exists.
CWE-502 Deserialization of Untrusted Data

CVSSv2:
  • Base Score: HIGH (9.0)
  • Vector: /AV:N/AC:L/Au:S/C:C/I:C/A:C
CVSSv3:
  • Base Score: HIGH (8.8)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions:

CVE-2021-4104 (OSSINDEX)  

JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration. The attacker can provide TopicBindingName and TopicConnectionFactoryBindingName configurations causing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228. Note this issue only affects Log4j 1.2 when specifically configured to use JMSAppender, which is not the default. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.

Sonatype's research suggests that this CVE's details differ from those defined at NVD. See https://ossindex.sonatype.org/vulnerability/CVE-2021-4104 for details
CWE-502 Deserialization of Untrusted Data

CVSSv2:
  • Base Score: HIGH (7.5)
  • Vector: /AV:N/AC:H/Au:/C:H/I:H/A:H

References:

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:log4j:log4j:1.2.17:*:*:*:*:*:*:*

CVE-2023-26464  

** UNSUPPORTED WHEN ASSIGNED **

When using the Chainsaw or SocketAppender components with Log4j 1.x on JRE less than 1.7, an attacker that manages to cause a logging entry involving a specially-crafted (ie, deeply nested) hashmap or hashtable (depending on which logging component is in use) to be processed could exhaust the available memory in the virtual machine and achieve Denial of Service when the object is deserialized.

This issue affects Apache Log4j before 2. Affected users are recommended to update to Log4j 2.x.

NOTE: This vulnerability only affects products that are no longer supported by the maintainer.

CWE-502 Deserialization of Untrusted Data

CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References:

Vulnerable Software & Versions:

lucene-core-8.2.0.jar

Description:

Apache Lucene Java Core

File Path: /var/simplicite/.m2/repository/org/apache/lucene/lucene-core/8.2.0/lucene-core-8.2.0.jar
MD5: 38017372e81035c484ad5cf94d88d8ea
SHA1: f6da40436d3633de272810fae1e339c237adfcf6
SHA256:25564b27cebe18a5f0e988b5aeee342e1dd163b2dfca888eb1cea4dcadb32dd2
Referenced In Project/Scope:Simplicite Platform:compile

Identifiers

mbassador-1.3.2.jar

Description:

Mbassador is a fast and flexible event bus system following the publish subscribe pattern. It is designed for ease of use and aims to be feature rich and extensible while preserving resource efficiency and performance. It provides non-blocking iterators and minimal write contention with low memory footprint.

Some features: declarative handler definition via annotations, sync and/or async event delivery, weak or strong references, configurable event filters.

License:

MIT license: http://www.opensource.org/licenses/mit-license.php
File Path: /var/simplicite/.m2/repository/net/engio/mbassador/1.3.2/mbassador-1.3.2.jar
MD5: 6844d9220e623fa491776e38a61f29a2
SHA1: 4ebb2c5f853bf8a5f87147b186a9758d2e2ec0af
SHA256:469e2e9c68271eadaff12483bbb1abc640ea9973af7fa0519250e04f503aca67
Referenced In Project/Scope:Simplicite Platform:compile

Identifiers

mchange-commons-java-0.2.15.jar

Description:

mchange-commons-java

License:

GNU Lesser General Public License, Version 2.1: http://www.gnu.org/licenses/lgpl-2.1.html
Eclipse Public License, Version 1.0: http://www.eclipse.org/org/documents/epl-v10.html
File Path: /var/simplicite/.m2/repository/com/mchange/mchange-commons-java/0.2.15/mchange-commons-java-0.2.15.jar
MD5: 97c4575d9d49d9afb71492e6bb4417da
SHA1: 6ef5abe5f1b94ac45b7b5bad42d871da4fda6bbc
SHA256:2b8fce65e95a3e968d5ab3507e2833f43df3daee0635ee51c7ce33343bb3a21c
Referenced In Project/Scope:Simplicite Platform:compile

Identifiers

metadata-extractor-2.11.0.jar

Description:

Java library for extracting EXIF, IPTC, XMP, ICC and other metadata from image files.

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /var/simplicite/.m2/repository/com/drewnoakes/metadata-extractor/2.11.0/metadata-extractor-2.11.0.jar
MD5: e95f394e786c0c7f22e61bff2e54ff8d
SHA1: 5f11883f6d06a16ca5fb8a9edf7c6c1237a92da0
SHA256:f5ec56c6b01afbfd7019e2da73bdec5d22c60d620c0e8043e6a85adb554d0df7
Referenced In Project/Scope:Simplicite Platform:compile

Identifiers

CVE-2019-14262 (OSSINDEX)  

MetadataExtractor 2.1.0 allows stack consumption.
CWE-400 Uncontrolled Resource Consumption ('Resource Exhaustion')

CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References:

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:com.drewnoakes:metadata-extractor:2.11.0:*:*:*:*:*:*:*

CVE-2022-24613  

metadata-extractor up to 2.16.0 can throw various uncaught exceptions while parsing a specially crafted JPEG file, which could result in an application crash. This could be used to mount a denial of service attack against services that use metadata-extractor library.
CWE-755 Improper Handling of Exceptional Conditions

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:N/A:P
CVSSv3:
  • Base Score: MEDIUM (5.5)
  • Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

References:

Vulnerable Software & Versions:

CVE-2022-24614  

When reading a specially crafted JPEG file, metadata-extractor up to 2.16.0 can be made to allocate large amounts of memory that finally leads to an out-of-memory error even for very small inputs. This could be used to mount a denial of service attack against services that use metadata-extractor library.
CWE-770 Allocation of Resources Without Limits or Throttling

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:N/A:P
CVSSv3:
  • Base Score: MEDIUM (5.5)
  • Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

References:

Vulnerable Software & Versions:

migbase64-2.2.jar

Description:

MiGBase64 is a very fast and small Base64 Codec written in Java

License:

Prior BSD License: http://en.wikipedia.org/wiki/BSD_licenses
File Path: /var/simplicite/.m2/repository/com/brsanthu/migbase64/2.2/migbase64-2.2.jar
MD5: da3ef3a9a9fa358ed789b37a3c780727
SHA1: bcc14967d516e93c527897a6c531ba76b5751faa
SHA256:07224584b6227efbb815e96e3153945786e2a6b1a934620b6130331c2351c129
Referenced In Project/Scope:Simplicite Platform:compile

Identifiers

mimepull-1.9.3.jar

Description:

Provides a streaming API to access attachments parts in a MIME message.

License:

CDDL 1.1: https://glassfish.java.net/public/CDDL+GPL_1_1.html
GPL2 w/ CPE: https://glassfish.java.net/public/CDDL+GPL_1_1.html
File Path: /var/simplicite/.m2/repository/org/jvnet/mimepull/mimepull/1.9.3/mimepull-1.9.3.jar
MD5: a3ee04c11e1c613128f07d5f819196ca
SHA1: c55096ff89a27e22c2e081371d0570ac19cc6788
SHA256:072eb5692f180ed0685705fb31c900eca0986b4523c23eefc0779e87d79eea35
Referenced In Project/Scope:Simplicite Platform:compile

Identifiers

mongodb-driver-core-3.11.0.jar

Description:

The Java operations layer for the MongoDB Java Driver. Third parties can wrap this layer to provide custom higher-level APIs.

License:

The Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /var/simplicite/.m2/repository/org/mongodb/mongodb-driver-core/3.11.0/mongodb-driver-core-3.11.0.jar
MD5: e62d9fd039afce756432e537a8c0f0c2
SHA1: af6b55599d9b2d8c1dd5ba2eb5e6095583d13969
SHA256:fbcf6f4993d7fefba5e39abd7f62e4aafad1b578968f94f8fd138c68efd8e39a
Referenced In Project/Scope:Simplicite Platform:runtime

Identifiers

CVE-2021-20328  

Specific versions of the Java driver that support client-side field level encryption (CSFLE) fail to perform correct host name verification on the KMS server’s certificate. This vulnerability in combination with a privileged network position active MITM attack could result in interception of traffic between the Java driver and the KMS service rendering Field Level Encryption ineffective. This issue was discovered during internal testing and affects all versions of the Java driver that support CSFLE. The Java async, Scala, and reactive streams drivers are not impacted. This vulnerability does not impact driver traffic payloads with CSFLE-supported key services originating from applications residing inside the AWS, GCP, and Azure network fabrics due to compensating controls in these environments. This issue does not impact driver workloads that don’t use Field Level Encryption.
CWE-295 Improper Certificate Validation

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:A/AC:M/Au:N/C:P/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (6.8)
  • Vector: CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

References:

Vulnerable Software & Versions:

mssql-jdbc-12.2.0.jre8.jar

Description:

Microsoft JDBC Driver for SQL Server.

License:

MIT License: http://www.opensource.org/licenses/mit-license.php
File Path: /var/simplicite/.m2/repository/com/microsoft/sqlserver/mssql-jdbc/12.2.0.jre8/mssql-jdbc-12.2.0.jre8.jar
MD5: 06ec244736a3f34258fac4c32fb76d07
SHA1: 24230b89715e4a101e1f2263293a2343a710ecd1
SHA256:7f1d146d53f61261de22e1af910c43329fb59ef4299041ae6705ec711c418548
Referenced In Project/Scope:Simplicite Platform:runtime

Identifiers

mysql-connector-j-8.1.0.jar

Description:

JDBC Type 4 driver for MySQL.

License:

The GNU General Public License, v2 with Universal FOSS Exception, v1.0
File Path: /var/simplicite/.m2/repository/com/mysql/mysql-connector-j/8.1.0/mysql-connector-j-8.1.0.jar
MD5: e84fdafa40e6625878f79efc7339d93b
SHA1: 3f78d2963935f44a61edb3961a591cdc392c8941
SHA256:e2e657e9c5ebe06a73485c9739ebd8a18e7bebb852a58d0da287da850beca1c7
Referenced In Project/Scope:Simplicite Platform:runtime

Identifiers

CVE-2023-22102  

Vulnerability in the MySQL Connectors product of Oracle MySQL (component: Connector/J). Supported versions that are affected are 8.1.0 and prior. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Connectors. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in MySQL Connectors, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of MySQL Connectors. CVSS 3.1 Base Score 8.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H).
NVD-CWE-noinfo

CVSSv3:
  • Base Score: HIGH (8.3)
  • Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H

References:

Vulnerable Software & Versions:

netcdf4-4.5.5.jar

File Path: /var/simplicite/.m2/repository/edu/ucar/netcdf4/4.5.5/netcdf4-4.5.5.jar
MD5: 5f14df469295650fd65748a003c9ba56
SHA1: 0675d63ecc857c50dd50858011b670160aa30b62
SHA256:131e3983dcf001677be069a7471797a4a9ad2c9783e88db56e32506cf1039635
Referenced In Project/Scope:Simplicite Platform:compile

Identifiers

netty-codec-4.1.49.Final.jar

Description:

Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers and clients.

License:

http://www.apache.org/licenses/LICENSE-2.0
File Path: /var/simplicite/.m2/repository/io/netty/netty-codec/4.1.49.Final/netty-codec-4.1.49.Final.jar
MD5: d93ec0a7903c28b2b4c74eda0912aa41
SHA1: 20218de83c906348283f548c255650fd06030424
SHA256: 670c1f09d43b6e881437296ce6e8fa7f8dcb1eaef78b2144d61234d6515b47af
Referenced In Project/Scope: Simplicite Platform:compile

Identifiers

CVE-2021-37136  

The Bzip2 decompression decoder function doesn't allow setting size restrictions on the decompressed output data (which affects the allocation size used during decompression). All users of Bzip2Decoder are affected. Malicious input can trigger an OutOfMemoryError (OOME) and so a DoS attack.
CWE-400 Uncontrolled Resource Consumption ('Resource Exhaustion')

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:P
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References:

Vulnerable Software & Versions:

CVE-2021-37137  

The Snappy frame decoder function doesn't restrict the chunk length, which may lead to excessive memory usage. Besides this, it also may buffer reserved skippable chunks until the whole chunk has been received, which may lead to excessive memory usage as well. This vulnerability can be triggered by supplying malicious input that decompresses to a very big size (via a network stream or a file) or by sending a huge skippable chunk.
CWE-400 Uncontrolled Resource Consumption ('Resource Exhaustion')

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:P
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References:

Vulnerable Software & Versions:

CVE-2022-41881  

Netty project is an event-driven asynchronous network application framework. In versions prior to 4.1.86.Final, a StackOverflowError can be raised when parsing a malformed crafted message due to an infinite recursion. This issue is patched in version 4.1.86.Final. There is no workaround, except using a custom HaProxyMessageDecoder.
CWE-674 Uncontrolled Recursion

CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References:

Vulnerable Software & Versions:

CVE-2023-44487  

The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.
CWE-400 Uncontrolled Resource Consumption ('Resource Exhaustion')

CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References:

Vulnerable Software & Versions:

CVE-2021-43797  

Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. Netty prior to version 4.1.71.Final skips control chars when they are present at the beginning / end of the header name. It should instead fail fast, as these are not allowed by the spec and could lead to HTTP request smuggling. Failing to do the validation might cause Netty to "sanitize" header names before it forwards them to another remote system when used as a proxy. This remote system can't see the invalid usage anymore, and therefore does not do the validation itself. Users should upgrade to version 4.1.71.Final.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (6.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

References:

Vulnerable Software & Versions:

CVE-2022-41915 (OSSINDEX)  

Netty project is an event-driven asynchronous network application framework. Starting in version 4.1.83.Final and prior to 4.1.86.Final, when calling `DefaultHttpHeaders.set` with an _iterator_ of values, header value validation was not performed, allowing malicious header values in the iterator to perform HTTP Response Splitting. This issue has been patched in version 4.1.86.Final. Integrators can work around the issue by changing the `DefaultHttpHeaders.set(CharSequence, Iterator<?>)` call into a `remove()` call, and calling `add()` in a loop over the iterator of values.

Sonatype's research suggests that this CVE's details differ from those defined at NVD. See https://ossindex.sonatype.org/vulnerability/CVE-2022-41915 for details
CWE-113 Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting')

CVSSv2 (as reported by OSS Index):
  • Base Score: MEDIUM (6.5)
  • Vector: /AV:N/AC:L/Au:/C:L/I:L/A:N (not a well-formed CVSSv2 vector: the Au component is empty and C/I carry CVSSv3-style values; read the 6.5 as OSS Index's own rating rather than an NVD CVSSv2 score)

References:

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:io.netty:netty-codec:4.1.49.Final:*:*:*:*:*:*:*
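The workaround the advisory describes, as an added example that is not Netty project code and not part of this report: the multi-value `set` is replaced by `remove` followed by one `add` per value, so every value passes the per-value validation that `DefaultHttpHeaders` performs when constructed with `validate = true`. The `SafeMultiValueHeader` class, the `Set-Cookie` values and the injected `X-Injected` header are constructed for the example; Netty's overload takes an `Iterable`, which is what the advisory's `Iterator<?>` refers to. Two caveats before acting on this finding: the description's own affected range (4.1.83.Final up to 4.1.86.Final) does not include the scanned 4.1.49.Final, and the report itself notes that Sonatype's details differ from NVD's, so verify the match rather than suppressing or upgrading on this entry alone (the other findings under this jar still call for the upgrade).

```java
import io.netty.handler.codec.http.DefaultHttpHeaders;
import io.netty.handler.codec.http.HttpHeaders;
import java.util.Arrays;
import java.util.List;

// Added example (not Netty code): the remove()+add() workaround from the advisory
// for CVE-2022-41915, applied to a multi-value Set-Cookie header.
public final class SafeMultiValueHeader {

    /**
     * Workaround from the advisory: instead of headers.set(name, values),
     * drop the existing values and add each new one on its own, so that
     * add()'s CR/LF validation runs for every value.
     */
    static void setValidated(HttpHeaders headers, CharSequence name, Iterable<?> values) {
        headers.remove(name);
        for (Object v : values) {
            // With validation enabled, a value containing CR or LF makes add() throw
            // IllegalArgumentException instead of emitting a split header.
            headers.add(name, v);
        }
    }

    /** Returns true if the header values were rejected by validation, false if accepted. */
    static boolean rejected(List<String> values) {
        HttpHeaders headers = new DefaultHttpHeaders(true); // validate = true
        try {
            setValidated(headers, "Set-Cookie", values);
            return false;
        } catch (IllegalArgumentException e) {
            return true;
        }
    }

    public static void main(String[] args) {
        // Constructed sample values: two benign cookies, then a value carrying
        // CRLF followed by an injected header line (response splitting attempt).
        List<String> benign = Arrays.asList("sid=abc123; HttpOnly", "theme=dark");
        List<String> split  = Arrays.asList("sid=abc123\r\nX-Injected: yes", "theme=dark");

        System.out.println("benign values rejected: " + rejected(benign));
        System.out.println("CRLF value rejected:    " + rejected(split));
    }
}
```

The loop is only a stop-gap for the affected 4.1.83 to 4.1.85 range; on a fixed release the plain `set(name, values)` validates again and the helper can be retired.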

CVE-2023-34462  

Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. The `SniHandler` can allocate up to 16MB of heap for each channel during the TLS handshake. When the handler or the channel does not have an idle timeout, it can be used to make a TCP server using the `SniHandler` allocate 16MB of heap. The `SniHandler` class is a handler that waits for the TLS handshake to configure a `SslHandler` according to the server name indicated by the `ClientHello` record. For this it allocates a `ByteBuf` using the value defined in the `ClientHello` record. Normally the value of the packet should be smaller than the handshake packet, but no checks are done here, and the way the code is written, it is possible to craft a packet that makes the `SslClientHelloHandler`. This vulnerability has been fixed in version 4.1.94.Final.
CWE-400 Uncontrolled Resource Consumption ('Resource Exhaustion')

CVSSv3:
  • Base Score: MEDIUM (6.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

References:

Vulnerable Software & Versions:

CVE-2021-21295  

Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty (io.netty:netty-codec-http2) before version 4.1.60.Final there is a vulnerability that enables request smuggling. If a Content-Length header is present in the original HTTP/2 request, the field is not validated by `Http2MultiplexHandler` as it is propagated up. This is fine as long as the request is not proxied through as HTTP/1.1. If the request comes in as an HTTP/2 stream, gets converted into the HTTP/1.1 domain objects (`HttpRequest`, `HttpContent`, etc.) via `Http2StreamFrameToHttpObjectCodec` and then sent up to the child channel's pipeline and proxied through a remote peer as HTTP/1.1, this may result in request smuggling. In a proxy case, users may assume the content-length is validated somehow, which is not the case. If the request is forwarded to a backend channel that is an HTTP/1.1 connection, the Content-Length now has meaning and needs to be checked. An attacker can smuggle requests inside the body as it gets downgraded from HTTP/2 to HTTP/1.1. For an example attack refer to the linked GitHub Advisory. Users are only affected if all of this is true: `HTTP2MultiplexCodec` or `Http2FrameCodec` is used, `Http2StreamFrameToHttpObjectCodec` is used to convert to HTTP/1.1 objects, and these HTTP/1.1 objects are forwarded to another remote peer. This has been patched in 4.1.60.Final. As a workaround, the user can do the validation by themselves by implementing a custom `ChannelInboundHandler` that is put in the `ChannelPipeline` behind `Http2StreamFrameToHttpObjectCodec`.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')

CVSSv2:
  • Base Score: LOW (2.6)
  • Vector: /AV:N/AC:H/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (5.9)
  • Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

References:

Vulnerable Software & Versions:

CVE-2021-21409  

Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty (io.netty:netty-codec-http2) before version 4.1.61.Final there is a vulnerability that enables request smuggling. The content-length header is not correctly validated if the request only uses a single Http2HeaderFrame with the endStream flag set to true. This could lead to request smuggling if the request is proxied to a remote peer and translated to HTTP/1.1. This is a follow-up of GHSA-wm47-8v5p-wjpj/CVE-2021-21295, which missed this one case. This was fixed as part of 4.1.61.Final.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (5.9)
  • Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

References:

Vulnerable Software & Versions:

CVE-2021-21290  

Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty before version 4.1.59.Final there is a vulnerability on Unix-like systems involving an insecure temp file. When Netty's multipart decoders are used, local information disclosure can occur via the local system temporary directory if temporary storing of uploads on disk is enabled. On Unix-like systems, the temporary directory is shared between all users. As such, writing to this directory using APIs that do not explicitly set the file/directory permissions can lead to information disclosure. Of note, this does not impact modern macOS operating systems. The method "File.createTempFile" on Unix-like systems creates a random file, but by default will create this file with the permissions "-rw-r--r--". Thus, if sensitive information is written to this file, other local users can read this information. Netty's "AbstractDiskHttpData" is vulnerable in this way. This has been fixed in version 4.1.59.Final. As a workaround, one may specify one's own "java.io.tmpdir" when starting the JVM or use "DefaultHttpDataFactory.setBaseDir(...)" to set the directory to something that is only readable by the current user.
CWE-378 Creation of Temporary File With Insecure Permissions, CWE-379 Creation of Temporary File in Directory with Incorrect Permissions

CVSSv2:
  • Base Score: LOW (1.9)
  • Vector: /AV:L/AC:M/Au:N/C:P/I:N/A:N
CVSSv3:
  • Base Score: MEDIUM (5.5)
  • Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

References:

Vulnerable Software & Versions:

CVE-2022-24823  

Netty is an open-source, asynchronous event-driven network application framework. The package `io.netty:netty-codec-http` prior to version 4.1.77.Final contains an insufficient fix for CVE-2021-21290. When Netty's multipart decoders are used local information disclosure can occur via the local system temporary directory if temporary storing uploads on the disk is enabled. This only impacts applications running on Java version 6 and lower. Additionally, this vulnerability impacts code running on Unix-like systems, and very old versions of Mac OSX and Windows as they all share the system temporary directory between all users. Version 4.1.77.Final contains a patch for this vulnerability. As a workaround, specify one's own `java.io.tmpdir` when starting the JVM or use DefaultHttpDataFactory.setBaseDir(...) to set the directory to something that is only readable by the current user.
CWE-378 Creation of Temporary File With Insecure Permissions, CWE-379 Creation of Temporary File in Directory with Incorrect Permissions, CWE-668 Exposure of Resource to Wrong Sphere

CVSSv2:
  • Base Score: LOW (1.9)
  • Vector: /AV:L/AC:M/Au:N/C:P/I:N/A:N
CVSSv3:
  • Base Score: MEDIUM (5.5)
  • Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

References:

Vulnerable Software & Versions:

netty-codec-mqtt-4.1.49.Final.jar

Description:

Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers and clients.

License:

http://www.apache.org/licenses/LICENSE-2.0
File Path: /var/simplicite/.m2/repository/io/netty/netty-codec-mqtt/4.1.49.Final/netty-codec-mqtt-4.1.49.Final.jar
MD5: 14e4d0ff5219c11a43001f55712d0735
SHA1: 5a71467b1a92cc3a7a6e8dd12dc69af33089a067
SHA256: b2f7bf31bececabdfdf65418831c358f4be61ce185e1b044bb274c0bf99e61a9
Referenced In Project/Scope: Simplicite Platform:compile

Identifiers

CVE-2021-37136  

The Bzip2 decompression decoder function doesn't allow setting size restrictions on the decompressed output data (which affects the allocation size used during decompression). All users of Bzip2Decoder are affected. Malicious input can trigger an OutOfMemoryError (OOME) and so a DoS attack.
CWE-400 Uncontrolled Resource Consumption ('Resource Exhaustion')

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:P
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References:

Vulnerable Software & Versions:

CVE-2021-37137  

The Snappy frame decoder function doesn't restrict the chunk length, which may lead to excessive memory usage. Besides this, it also may buffer reserved skippable chunks until the whole chunk has been received, which may lead to excessive memory usage as well. This vulnerability can be triggered by supplying malicious input that decompresses to a very big size (via a network stream or a file) or by sending a huge skippable chunk.
CWE-400 Uncontrolled Resource Consumption ('Resource Exhaustion')

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:P
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References:

Vulnerable Software & Versions:

CVE-2022-41881  

Netty project is an event-driven asynchronous network application framework. In versions prior to 4.1.86.Final, a StackOverflowError can be raised when parsing a malformed crafted message due to an infinite recursion. This issue is patched in version 4.1.86.Final. There is no workaround, except using a custom HaProxyMessageDecoder.
CWE-674 Uncontrolled Recursion

CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References:

Vulnerable Software & Versions:

CVE-2023-44487  

The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.
CWE-400 Uncontrolled Resource Consumption ('Resource Exhaustion')

CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References:

Vulnerable Software & Versions:

CVE-2021-43797  

Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. Netty prior to version 4.1.71.Final skips control chars when they are present at the beginning / end of the header name. It should instead fail fast, as these are not allowed by the spec and could lead to HTTP request smuggling. Failing to do the validation might cause Netty to "sanitize" header names before it forwards them to another remote system when used as a proxy. This remote system can't see the invalid usage anymore, and therefore does not do the validation itself. Users should upgrade to version 4.1.71.Final.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (6.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

References:

Vulnerable Software & Versions:

CVE-2023-34462  

Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. The `SniHandler` can allocate up to 16MB of heap for each channel during the TLS handshake. When the handler or the channel does not have an idle timeout, it can be used to make a TCP server using the `SniHandler` allocate 16MB of heap. The `SniHandler` class is a handler that waits for the TLS handshake to configure a `SslHandler` according to the server name indicated by the `ClientHello` record. For this it allocates a `ByteBuf` using the value defined in the `ClientHello` record. Normally the value of the packet should be smaller than the handshake packet, but no checks are done here, and the way the code is written, it is possible to craft a packet that makes the `SslClientHelloHandler`. This vulnerability has been fixed in version 4.1.94.Final.
CWE-400 Uncontrolled Resource Consumption ('Resource Exhaustion')

CVSSv3:
  • Base Score: MEDIUM (6.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

References:

Vulnerable Software & Versions:

CVE-2021-21295  

Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty (io.netty:netty-codec-http2) before version 4.1.60.Final there is a vulnerability that enables request smuggling. If a Content-Length header is present in the original HTTP/2 request, the field is not validated by `Http2MultiplexHandler` as it is propagated up. This is fine as long as the request is not proxied through as HTTP/1.1. If the request comes in as an HTTP/2 stream, gets converted into the HTTP/1.1 domain objects (`HttpRequest`, `HttpContent`, etc.) via `Http2StreamFrameToHttpObjectCodec` and then sent up to the child channel's pipeline and proxied through a remote peer as HTTP/1.1, this may result in request smuggling. In a proxy case, users may assume the content-length is validated somehow, which is not the case. If the request is forwarded to a backend channel that is an HTTP/1.1 connection, the Content-Length now has meaning and needs to be checked. An attacker can smuggle requests inside the body as it gets downgraded from HTTP/2 to HTTP/1.1. For an example attack refer to the linked GitHub Advisory. Users are only affected if all of this is true: `HTTP2MultiplexCodec` or `Http2FrameCodec` is used, `Http2StreamFrameToHttpObjectCodec` is used to convert to HTTP/1.1 objects, and these HTTP/1.1 objects are forwarded to another remote peer. This has been patched in 4.1.60.Final. As a workaround, the user can do the validation by themselves by implementing a custom `ChannelInboundHandler` that is put in the `ChannelPipeline` behind `Http2StreamFrameToHttpObjectCodec`.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')

CVSSv2:
  • Base Score: LOW (2.6)
  • Vector: /AV:N/AC:H/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (5.9)
  • Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

References:

Vulnerable Software & Versions:

CVE-2021-21409  

Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty (io.netty:netty-codec-http2) before version 4.1.61.Final there is a vulnerability that enables request smuggling. The content-length header is not correctly validated if the request only uses a single Http2HeaderFrame with the endStream flag set to true. This could lead to request smuggling if the request is proxied to a remote peer and translated to HTTP/1.1. This is a follow-up of GHSA-wm47-8v5p-wjpj/CVE-2021-21295, which missed this one case. This was fixed as part of 4.1.61.Final.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (5.9)
  • Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

References:

Vulnerable Software & Versions:

CVE-2021-21290  

Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty before version 4.1.59.Final there is a vulnerability on Unix-like systems involving an insecure temp file. When Netty's multipart decoders are used, local information disclosure can occur via the local system temporary directory if temporary storing of uploads on disk is enabled. On Unix-like systems, the temporary directory is shared between all users. As such, writing to this directory using APIs that do not explicitly set the file/directory permissions can lead to information disclosure. Of note, this does not impact modern macOS operating systems. The method "File.createTempFile" on Unix-like systems creates a random file, but by default will create this file with the permissions "-rw-r--r--". Thus, if sensitive information is written to this file, other local users can read this information. Netty's "AbstractDiskHttpData" is vulnerable in this way. This has been fixed in version 4.1.59.Final. As a workaround, one may specify one's own "java.io.tmpdir" when starting the JVM or use "DefaultHttpDataFactory.setBaseDir(...)" to set the directory to something that is only readable by the current user.
CWE-378 Creation of Temporary File With Insecure Permissions, CWE-379 Creation of Temporary File in Directory with Incorrect Permissions

CVSSv2:
  • Base Score: LOW (1.9)
  • Vector: /AV:L/AC:M/Au:N/C:P/I:N/A:N
CVSSv3:
  • Base Score: MEDIUM (5.5)
  • Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

References:

Vulnerable Software & Versions:

CVE-2022-24823  

Netty is an open-source, asynchronous event-driven network application framework. The package `io.netty:netty-codec-http` prior to version 4.1.77.Final contains an insufficient fix for CVE-2021-21290. When Netty's multipart decoders are used local information disclosure can occur via the local system temporary directory if temporary storing uploads on the disk is enabled. This only impacts applications running on Java version 6 and lower. Additionally, this vulnerability impacts code running on Unix-like systems, and very old versions of Mac OSX and Windows as they all share the system temporary directory between all users. Version 4.1.77.Final contains a patch for this vulnerability. As a workaround, specify one's own `java.io.tmpdir` when starting the JVM or use DefaultHttpDataFactory.setBaseDir(...) to set the directory to something that is only readable by the current user.
CWE-378 Creation of Temporary File With Insecure Permissions, CWE-379 Creation of Temporary File in Directory with Incorrect Permissions, CWE-668 Exposure of Resource to Wrong Sphere

CVSSv2:
  • Base Score: LOW (1.9)
  • Vector: /AV:L/AC:M/Au:N/C:P/I:N/A:N
CVSSv3:
  • Base Score: MEDIUM (5.5)
  • Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

References:

Vulnerable Software & Versions:

netty-common-4.1.49.Final.jar (shaded: org.jctools:jctools-core:3.0.0)

Description:

Java Concurrency Tools Core Library

License:

Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /var/simplicite/.m2/repository/io/netty/netty-common/4.1.49.Final/netty-common-4.1.49.Final.jar/META-INF/maven/org.jctools/jctools-core/pom.xml
MD5: 095b6221b2a65322d08458d37fa574d2
SHA1: ad6ba95498dc140e8d8c7b4c1348f73be69205c9
SHA256: 87c10bb67da5c9894623829c24d8290edcd429979ebe568d97009ee3eca9d6c1
Referenced In Project/Scope: Simplicite Platform:compile

Identifiers

netty-transport-4.1.49.Final.jar

Description:

Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers and clients.

License:

http://www.apache.org/licenses/LICENSE-2.0
File Path: /var/simplicite/.m2/repository/io/netty/netty-transport/4.1.49.Final/netty-transport-4.1.49.Final.jar
MD5: f94308ae6129d24af529effbf3fc4cab
SHA1: 415ea7f326635743aec952fe2349ca45959e94a7
SHA256: 94e95c5d2b3372806e25c574bb2f51e92eb2e84ff9ae0738789f0aa0a34fb036
Referenced In Project/Scope: Simplicite Platform:compile

Identifiers

CVE-2021-37136  

The Bzip2 decompression decoder function doesn't allow setting size restrictions on the decompressed output data (which affects the allocation size used during decompression). All users of Bzip2Decoder are affected. Malicious input can trigger an OutOfMemoryError (OOME) and so a DoS attack.
CWE-400 Uncontrolled Resource Consumption ('Resource Exhaustion')

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:P
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References:

Vulnerable Software & Versions:

CVE-2021-37137  

The Snappy frame decoder function doesn't restrict the chunk length, which may lead to excessive memory usage. Besides this, it also may buffer reserved skippable chunks until the whole chunk has been received, which may lead to excessive memory usage as well. This vulnerability can be triggered by supplying malicious input that decompresses to a very big size (via a network stream or a file) or by sending a huge skippable chunk.
CWE-400 Uncontrolled Resource Consumption ('Resource Exhaustion')

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:P
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References:

Vulnerable Software & Versions:

CVE-2022-41881  

Netty project is an event-driven asynchronous network application framework. In versions prior to 4.1.86.Final, a StackOverflowError can be raised when parsing a malformed crafted message due to an infinite recursion. This issue is patched in version 4.1.86.Final. There is no workaround, except using a custom HaProxyMessageDecoder.
CWE-674 Uncontrolled Recursion

CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References:

Vulnerable Software & Versions:

CVE-2023-44487  

The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.
CWE-400 Uncontrolled Resource Consumption ('Resource Exhaustion')

CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References:

Vulnerable Software & Versions:

CVE-2021-43797  

Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. Netty prior to version 4.1.71.Final skips control chars when they are present at the beginning / end of the header name. It should instead fail fast, as these are not allowed by the spec and could lead to HTTP request smuggling. Failing to do the validation might cause Netty to "sanitize" header names before it forwards them to another remote system when used as a proxy. This remote system can't see the invalid usage anymore, and therefore does not do the validation itself. Users should upgrade to version 4.1.71.Final.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (6.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

References:

Vulnerable Software & Versions:

CVE-2023-34462  

Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. The `SniHandler` can allocate up to 16MB of heap for each channel during the TLS handshake. When the handler or the channel does not have an idle timeout, it can be used to make a TCP server using the `SniHandler` allocate 16MB of heap. The `SniHandler` class is a handler that waits for the TLS handshake to configure a `SslHandler` according to the server name indicated by the `ClientHello` record. For this it allocates a `ByteBuf` using the value defined in the `ClientHello` record. Normally the value of the packet should be smaller than the handshake packet, but no checks are done here, and the way the code is written, it is possible to craft a packet that makes the `SslClientHelloHandler`. This vulnerability has been fixed in version 4.1.94.Final.
CWE-400 Uncontrolled Resource Consumption ('Resource Exhaustion')

CVSSv3:
  • Base Score: MEDIUM (6.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

References:

Vulnerable Software & Versions:
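The description ties the exposure to channels that have no idle timeout. The following added example (not Netty project code and not Simplicité code) shows the pipeline shape that bounds it while still on 4.1.49.Final: an `IdleStateHandler` placed in front of `SniHandler` closes any connection that has not delivered its `ClientHello` within a fixed budget, which releases the buffer `SniHandler` holds for that channel, and a handler behind `SniHandler` removes the timeout once the handshake completes so long-lived idle connections are left alone. `HANDSHAKE_IDLE_SECONDS`, the hostname `example.test` and the certificate files are assumptions. The same entry is listed under netty-codec and netty-codec-mqtt; the timeout belongs wherever the server pipeline is built, and the real fix is upgrading all io.netty artifacts together to 4.1.94.Final or later.

```java
import io.netty.channel.ChannelHandlerContext;
import io.netty.channel.ChannelInboundHandlerAdapter;
import io.netty.channel.ChannelInitializer;
import io.netty.channel.socket.SocketChannel;
import io.netty.handler.ssl.SniHandler;
import io.netty.handler.ssl.SslContext;
import io.netty.handler.ssl.SslContextBuilder;
import io.netty.handler.ssl.SslHandshakeCompletionEvent;
import io.netty.handler.timeout.IdleStateEvent;
import io.netty.handler.timeout.IdleStateHandler;
import io.netty.util.DomainNameMapping;
import io.netty.util.DomainNameMappingBuilder;
import java.io.File;
import java.util.concurrent.TimeUnit;

// Added example (not Netty code): bound the time a client may keep SniHandler
// waiting for a ClientHello, then drop the bound once the handshake is done.
public final class SniWithHandshakeTimeout extends ChannelInitializer<SocketChannel> {
    // Assumed budget for the ClientHello to arrive; tune to the deployment.
    private static final long HANDSHAKE_IDLE_SECONDS = 10;

    private final DomainNameMapping<SslContext> mapping;

    SniWithHandshakeTimeout(DomainNameMapping<SslContext> mapping) {
        this.mapping = mapping;
    }

    @Override
    protected void initChannel(SocketChannel ch) {
        ch.pipeline()
          // Fires a read-idle event if no bytes arrive for HANDSHAKE_IDLE_SECONDS.
          .addLast("handshakeIdle",
                   new IdleStateHandler(HANDSHAKE_IDLE_SECONDS, 0, 0, TimeUnit.SECONDS))
          // Sits before SniHandler so it sees the idle event; closing the channel
          // releases whatever SniHandler has buffered for it.
          .addLast("handshakeIdleCloser", new ChannelInboundHandlerAdapter() {
              @Override
              public void userEventTriggered(ChannelHandlerContext ctx, Object evt) throws Exception {
                  if (evt instanceof IdleStateEvent) {
                      ctx.close();
                  } else {
                      super.userEventTriggered(ctx, evt);
                  }
              }
          })
          // SniHandler replaces itself with the SslHandler picked from the mapping.
          .addLast("sni", new SniHandler(mapping))
          // Sits after the (future) SslHandler, so it receives the completion event
          // and can retire the handshake timeout for this channel.
          .addLast("handshakeDone", new ChannelInboundHandlerAdapter() {
              @Override
              public void userEventTriggered(ChannelHandlerContext ctx, Object evt) throws Exception {
                  super.userEventTriggered(ctx, evt); // forward to application handlers first
                  if (evt instanceof SslHandshakeCompletionEvent) {
                      ctx.pipeline().remove("handshakeIdle");
                      ctx.pipeline().remove("handshakeIdleCloser");
                      ctx.pipeline().remove(this);
                  }
              }
          });
        // ... application handlers follow here
    }

    /** Builds the SNI mapping; the hostname and files are assumptions for the example. */
    static DomainNameMapping<SslContext> buildMapping(File defaultCert, File defaultKey,
                                                      File hostCert, File hostKey) throws Exception {
        SslContext fallback = SslContextBuilder.forServer(defaultCert, defaultKey).build();
        SslContext host = SslContextBuilder.forServer(hostCert, hostKey).build();
        return new DomainNameMappingBuilder<SslContext>(fallback)
                .add("example.test", host)
                .build();
    }
}
```

The read-idle timer, not an all-idle one, is the right knob here: the server writes nothing until the ClientHello has been parsed, so an all-idle timer would measure the same thing but is harder to reason about once application traffic starts.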

CVE-2021-21295  

Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty (io.netty:netty-codec-http2) before version 4.1.60.Final there is a vulnerability that enables request smuggling. If a Content-Length header is present in the original HTTP/2 request, the field is not validated by `Http2MultiplexHandler` as it is propagated up. This is fine as long as the request is not proxied through as HTTP/1.1. If the request comes in as an HTTP/2 stream, gets converted into the HTTP/1.1 domain objects (`HttpRequest`, `HttpContent`, etc.) via `Http2StreamFrameToHttpObjectCodec` and then sent up to the child channel's pipeline and proxied through a remote peer as HTTP/1.1, this may result in request smuggling. In a proxy case, users may assume the content-length is validated somehow, which is not the case. If the request is forwarded to a backend channel that is an HTTP/1.1 connection, the Content-Length now has meaning and needs to be checked. An attacker can smuggle requests inside the body as it gets downgraded from HTTP/2 to HTTP/1.1. For an example attack refer to the linked GitHub Advisory. Users are only affected if all of this is true: `HTTP2MultiplexCodec` or `Http2FrameCodec` is used, `Http2StreamFrameToHttpObjectCodec` is used to convert to HTTP/1.1 objects, and these HTTP/1.1 objects are forwarded to another remote peer. This has been patched in 4.1.60.Final. As a workaround, the user can do the validation by themselves by implementing a custom `ChannelInboundHandler` that is put in the `ChannelPipeline` behind `Http2StreamFrameToHttpObjectCodec`.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')

CVSSv2:
  • Base Score: LOW (2.6)
  • Vector: /AV:N/AC:H/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (5.9)
  • Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

References:

Vulnerable Software & Versions:

CVE-2021-21409  

Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty (io.netty:netty-codec-http2) before version 4.1.61.Final there is a vulnerability that enables request smuggling. The content-length header is not correctly validated if the request only uses a single Http2HeaderFrame with the endStream flag set to true. This could lead to request smuggling if the request is proxied to a remote peer and translated to HTTP/1.1. This is a follow-up of GHSA-wm47-8v5p-wjpj/CVE-2021-21295, which missed this one case. This was fixed as part of 4.1.61.Final.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (5.9)
  • Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

References:

Vulnerable Software & Versions:
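The workaround both descriptions point at (CVE-2021-21295 and CVE-2021-21409 above, listed identically under netty-codec and netty-codec-mqtt; the vulnerable code is in netty-codec-http2, and Dependency-Check reports the entry against every io.netty 4.1.49.Final jar that matches the Netty product) is a custom `ChannelInboundHandler` behind `Http2StreamFrameToHttpObjectCodec` that validates Content-Length before the HTTP/1.1 objects are forwarded. The following is an added example of that handler, not Netty project code: it tracks declared versus observed body length per request, rejects a body that overruns its Content-Length, and on the last content object rejects one that falls short of it, which covers the single-HEADERS-frame case behind CVE-2021-21409 (the converted request arrives with a Content-Length and an empty body). `ContentLengthGuard`, `install` and the 400 response are constructed for the example and assume the netty-codec-http2 module is on the classpath.

```java
import io.netty.channel.ChannelFutureListener;
import io.netty.channel.ChannelHandlerContext;
import io.netty.channel.ChannelInboundHandlerAdapter;
import io.netty.channel.ChannelPipeline;
import io.netty.handler.codec.http.DefaultFullHttpResponse;
import io.netty.handler.codec.http.FullHttpResponse;
import io.netty.handler.codec.http.HttpContent;
import io.netty.handler.codec.http.HttpHeaderNames;
import io.netty.handler.codec.http.HttpRequest;
import io.netty.handler.codec.http.HttpResponseStatus;
import io.netty.handler.codec.http.HttpUtil;
import io.netty.handler.codec.http.HttpVersion;
import io.netty.handler.codec.http.LastHttpContent;
import io.netty.handler.codec.http2.Http2StreamFrameToHttpObjectCodec;
import io.netty.util.ReferenceCountUtil;

// Added example (not Netty code): the Content-Length check the advisories
// describe as a workaround, placed on each HTTP/2 stream child channel behind
// Http2StreamFrameToHttpObjectCodec and before anything that proxies to HTTP/1.1.
public final class ContentLengthGuard extends ChannelInboundHandlerAdapter {
    private long declared = -1;  // Content-Length of the current request, -1 if absent
    private long seen;           // body bytes observed so far for the current request
    private boolean rejecting;   // after a rejection, drop the rest of that request

    @Override
    public void channelRead(ChannelHandlerContext ctx, Object msg) throws Exception {
        if (msg instanceof HttpRequest) {
            // New request: record what the client claims the body length is.
            declared = HttpUtil.getContentLength((HttpRequest) msg, -1L);
            seen = 0;
            rejecting = false;
        }
        if (rejecting) {
            ReferenceCountUtil.release(msg);
            return;
        }
        if (msg instanceof HttpContent) {
            // A FullHttpRequest is both HttpRequest and LastHttpContent, so a
            // single-HEADERS-frame request with Content-Length lands here with seen == 0.
            seen += ((HttpContent) msg).content().readableBytes();
            if (declared >= 0 && seen > declared) {
                reject(ctx, msg);   // body overruns the declared length
                return;
            }
            if (msg instanceof LastHttpContent && declared >= 0 && seen != declared) {
                reject(ctx, msg);   // body shorter than declared (CVE-2021-21409 shape)
                return;
            }
        }
        ctx.fireChannelRead(msg);   // consistent so far: let the proxy handler see it
    }

    /** Drops the offending object, answers 400 on this stream and closes it. */
    private void reject(ChannelHandlerContext ctx, Object msg) {
        ReferenceCountUtil.release(msg);
        rejecting = true;
        FullHttpResponse resp = new DefaultFullHttpResponse(
                HttpVersion.HTTP_1_1, HttpResponseStatus.BAD_REQUEST);
        resp.headers().set(HttpHeaderNames.CONTENT_LENGTH, 0);
        ctx.writeAndFlush(resp).addListener(ChannelFutureListener.CLOSE);
    }

    /** Where it goes: directly behind the codec on each HTTP/2 stream child channel. */
    static void install(ChannelPipeline childPipeline) {
        childPipeline.addLast(new Http2StreamFrameToHttpObjectCodec(true)); // server side
        childPipeline.addLast(new ContentLengthGuard());
        // ... then the handler that forwards the HttpObjects to the HTTP/1.1 backend
    }
}
```

Rejecting rather than "fixing up" the header is deliberate: rewriting Content-Length to match the observed body would silently accept the very request an attacker crafted, whereas closing the stream makes the downgrade boundary fail closed. The upgrade to 4.1.61.Final or later removes the need for this handler.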

CVE-2021-21290  

Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty before version 4.1.59.Final there is a vulnerability on Unix-like systems involving an insecure temp file. When Netty's multipart decoders are used, local information disclosure can occur via the local system temporary directory if temporary storing of uploads on disk is enabled. On Unix-like systems, the temporary directory is shared between all users. As such, writing to this directory using APIs that do not explicitly set the file/directory permissions can lead to information disclosure. Of note, this does not impact modern macOS operating systems. The method "File.createTempFile" on Unix-like systems creates a random file, but by default will create this file with the permissions "-rw-r--r--". Thus, if sensitive information is written to this file, other local users can read this information. Netty's "AbstractDiskHttpData" is vulnerable in this way. This has been fixed in version 4.1.59.Final. As a workaround, one may specify one's own "java.io.tmpdir" when starting the JVM or use "DefaultHttpDataFactory.setBaseDir(...)" to set the directory to something that is only readable by the current user.
CWE-378 Creation of Temporary File With Insecure Permissions, CWE-379 Creation of Temporary File in Directory with Incorrect Permissions

CVSSv2:
  • Base Score: LOW (1.9)
  • Vector: /AV:L/AC:M/Au:N/C:P/I:N/A:N
CVSSv3:
  • Base Score: MEDIUM (5.5)
  • Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

References:

Vulnerable Software & Versions:

CVE-2022-24823  

Netty is an open-source, asynchronous event-driven network application framework. The package `io.netty:netty-codec-http` prior to version 4.1.77.Final contains an insufficient fix for CVE-2021-21290. When Netty's multipart decoders are used local information disclosure can occur via the local system temporary directory if temporary storing uploads on the disk is enabled. This only impacts applications running on Java version 6 and lower. Additionally, this vulnerability impacts code running on Unix-like systems, and very old versions of Mac OSX and Windows as they all share the system temporary directory between all users. Version 4.1.77.Final contains a patch for this vulnerability. As a workaround, specify one's own `java.io.tmpdir` when starting the JVM or use DefaultHttpDataFactory.setBaseDir(...) to set the directory to something that is only readable by the current user.
CWE-378 Creation of Temporary File With Insecure Permissions, CWE-379 Creation of Temporary File in Directory with Incorrect Permissions, CWE-668 Exposure of Resource to Wrong Sphere

CVSSv2:
  • Base Score: LOW (1.9)
  • Vector: /AV:L/AC:M/Au:N/C:P/I:N/A:N
CVSSv3:
  • Base Score: MEDIUM (5.5)
  • Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

References:

Vulnerable Software & Versions:

netty-transport-native-kqueue-4.1.48.Final-osx-x86_64.jar

Description:

Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers and clients.

License:

http://www.apache.org/licenses/LICENSE-2.0
File Path: /var/simplicite/.m2/repository/io/netty/netty-transport-native-kqueue/4.1.48.Final/netty-transport-native-kqueue-4.1.48.Final-osx-x86_64.jar
MD5: 54f481effe90ff48eef20a5d0e6043f0
SHA1: 6c904f9dadbd4fa242697339a512e2c4b66f4b8c
SHA256:8b992851ef9991b56493ab76d5c98d6958ea3045832c04dc8e2d1ca3c62f763c
Referenced In Project/Scope:Simplicite Platform:compile

Identifiers

CVE-2021-37136  

The Bzip2 decompression decoder function doesn't allow setting size restrictions on the decompressed output data (which affects the allocation size used during decompression). All users of Bzip2Decoder are affected. The malicious input can trigger an OOME and so a DoS attack.
CWE-400 Uncontrolled Resource Consumption ('Resource Exhaustion')

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:P
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References:

Vulnerable Software & Versions:

CVE-2021-37137  

The Snappy frame decoder function doesn't restrict the chunk length which may lead to excessive memory usage. Beside this it also may buffer reserved skippable chunks until the whole chunk was received which may lead to excessive memory usage as well. This vulnerability can be triggered by supplying malicious input that decompresses to a very big size (via a network stream or a file) or by sending a huge skippable chunk.
CWE-400 Uncontrolled Resource Consumption ('Resource Exhaustion')

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:P
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References:

Vulnerable Software & Versions:

CVE-2022-41881  

Netty project is an event-driven asynchronous network application framework. In versions prior to 4.1.86.Final, a StackOverflowError can be raised when parsing a malformed crafted message due to an infinite recursion. This issue is patched in version 4.1.86.Final. There is no workaround, except using a custom HaProxyMessageDecoder.
CWE-674 Uncontrolled Recursion

CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References:

Vulnerable Software & Versions:

CVE-2023-44487  

The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.
CWE-400 Uncontrolled Resource Consumption ('Resource Exhaustion')

CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References:

Vulnerable Software & Versions:

CVE-2021-43797  

Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. Netty prior to version 4.1.71.Final skips control chars when they are present at the beginning / end of the header name. It should instead fail fast as these are not allowed by the spec and could lead to HTTP request smuggling. Failing to do the validation might cause netty to "sanitize" header names before it forwards these to another remote system when used as proxy. This remote system can't see the invalid usage anymore, and therefore does not do the validation itself. Users should upgrade to version 4.1.71.Final.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (6.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

References:

Vulnerable Software & Versions:

CVE-2023-34462  

Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. The `SniHandler` can allocate up to 16MB of heap for each channel during the TLS handshake. When the handler or the channel does not have an idle timeout, it can be used to make a TCP server using the `SniHandler` allocate 16MB of heap. The `SniHandler` class is a handler that waits for the TLS handshake to configure a `SslHandler` according to the server name indicated by the `ClientHello` record. For this matter it allocates a `ByteBuf` using the value defined in the `ClientHello` record. Normally the value of the packet should be smaller than the handshake packet but there are no checks done here and the way the code is written, it is possible to craft a packet that makes the `SslClientHelloHandler`. This vulnerability has been fixed in version 4.1.94.Final.
CWE-400 Uncontrolled Resource Consumption ('Resource Exhaustion')

CVSSv3:
  • Base Score: MEDIUM (6.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

References:

Vulnerable Software & Versions:

CVE-2021-21295  

Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty (io.netty:netty-codec-http2) before version 4.1.60.Final there is a vulnerability that enables request smuggling. If a Content-Length header is present in the original HTTP/2 request, the field is not validated by `Http2MultiplexHandler` as it is propagated up. This is fine as long as the request is not proxied through as HTTP/1.1. If the request comes in as an HTTP/2 stream, gets converted into the HTTP/1.1 domain objects (`HttpRequest`, `HttpContent`, etc.) via `Http2StreamFrameToHttpObjectCodec` and then sent up to the child channel's pipeline and proxied through a remote peer as HTTP/1.1 this may result in request smuggling. In a proxy case, users may assume the content-length is validated somehow, which is not the case. If the request is forwarded to a backend channel that is a HTTP/1.1 connection, the Content-Length now has meaning and needs to be checked. An attacker can smuggle requests inside the body as it gets downgraded from HTTP/2 to HTTP/1.1. For an example attack refer to the linked GitHub Advisory. Users are only affected if all of this is true: `HTTP2MultiplexCodec` or `Http2FrameCodec` is used, `Http2StreamFrameToHttpObjectCodec` is used to convert to HTTP/1.1 objects, and these HTTP/1.1 objects are forwarded to another remote peer. This has been patched in 4.1.60.Final. As a workaround, the user can do the validation by themselves by implementing a custom `ChannelInboundHandler` that is put in the `ChannelPipeline` behind `Http2StreamFrameToHttpObjectCodec`.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')

CVSSv2:
  • Base Score: LOW (2.6)
  • Vector: /AV:N/AC:H/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (5.9)
  • Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

References:

Vulnerable Software & Versions:

CVE-2021-21409  

Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty (io.netty:netty-codec-http2) before version 4.1.61.Final there is a vulnerability that enables request smuggling. The content-length header is not correctly validated if the request only uses a single Http2HeaderFrame with the endStream set to true. This could lead to request smuggling if the request is proxied to a remote peer and translated to HTTP/1.1. This is a followup of GHSA-wm47-8v5p-wjpj/CVE-2021-21295 which failed to fix this one case. This was fixed as part of 4.1.61.Final.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (5.9)
  • Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

References:

Vulnerable Software & Versions:

CVE-2021-21290  

Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty before version 4.1.59.Final there is a vulnerability on Unix-like systems involving an insecure temp file. When netty's multipart decoders are used local information disclosure can occur via the local system temporary directory if temporary storing uploads on the disk is enabled. On unix-like systems, the temporary directory is shared between all users. As such, writing to this directory using APIs that do not explicitly set the file/directory permissions can lead to information disclosure. Of note, this does not impact modern MacOS Operating Systems. The method "File.createTempFile" on unix-like systems creates a random file, but, by default will create this file with the permissions "-rw-r--r--". Thus, if sensitive information is written to this file, other local users can read this information. This is the case in netty's "AbstractDiskHttpData", which is vulnerable. This has been fixed in version 4.1.59.Final. As a workaround, one may specify one's own "java.io.tmpdir" when starting the JVM or use "DefaultHttpDataFactory.setBaseDir(...)" to set the directory to something that is only readable by the current user.
CWE-378 Creation of Temporary File With Insecure Permissions, CWE-379 Creation of Temporary File in Directory with Incorrect Permissions

CVSSv2:
  • Base Score: LOW (1.9)
  • Vector: /AV:L/AC:M/Au:N/C:P/I:N/A:N
CVSSv3:
  • Base Score: MEDIUM (5.5)
  • Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

References:

Vulnerable Software & Versions:

CVE-2022-24823  

Netty is an open-source, asynchronous event-driven network application framework. The package `io.netty:netty-codec-http` prior to version 4.1.77.Final contains an insufficient fix for CVE-2021-21290. When Netty's multipart decoders are used local information disclosure can occur via the local system temporary directory if temporary storing uploads on the disk is enabled. This only impacts applications running on Java version 6 and lower. Additionally, this vulnerability impacts code running on Unix-like systems, and very old versions of Mac OSX and Windows as they all share the system temporary directory between all users. Version 4.1.77.Final contains a patch for this vulnerability. As a workaround, specify one's own `java.io.tmpdir` when starting the JVM or use DefaultHttpDataFactory.setBaseDir(...) to set the directory to something that is only readable by the current user.
CWE-378 Creation of Temporary File With Insecure Permissions, CWE-379 Creation of Temporary File in Directory with Incorrect Permissions, CWE-668 Exposure of Resource to Wrong Sphere

CVSSv2:
  • Base Score: LOW (1.9)
  • Vector: /AV:L/AC:M/Au:N/C:P/I:N/A:N
CVSSv3:
  • Base Score: MEDIUM (5.5)
  • Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

References:

Vulnerable Software & Versions:

oauth-2.2.0.jar

Description:

jclouds components to access OAuth

License:

https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /var/simplicite/.m2/repository/org/apache/jclouds/api/oauth/2.2.0/oauth-2.2.0.jar
MD5: 8808e0e07ab9a59b59145e41cde732bd
SHA1: 693ec29e9dc563386dae46368b6da9d1f44ab048
SHA256:75cb471ad1cc56dcca39bee1c488a2a7f571f8466c9e21d2e565891c6b736e69
Referenced In Project/Scope:Simplicite Platform:compile

Identifiers

ojdbc8-23.3.0.23.09.jar

Description:

Oracle JDBC Driver compatible with JDK8, JDK11, JDK12, JDK13, JDK14 and JDK15

License:

Oracle Free Use Terms and Conditions (FUTC): https://www.oracle.com/downloads/licenses/oracle-free-license.html
File Path: /var/simplicite/.m2/repository/com/oracle/database/jdbc/ojdbc8/23.3.0.23.09/ojdbc8-23.3.0.23.09.jar
MD5: c6f402fe18e14e384f76ede75f8dc211
SHA1: d36f44a0ed8a07dcff2afef7f12ccdbd460d053d
SHA256:58d793f5bd0c5b074d8a9d2fd7695a36c7d5c7621bc01d2caeeb4422180ae816
Referenced In Project/Scope:Simplicite Platform:runtime

Identifiers

opencensus-api-0.24.0.jar

Description:

null

License:

The Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /var/simplicite/.m2/repository/io/opencensus/opencensus-api/0.24.0/opencensus-api-0.24.0.jar
MD5: 57e26d9c2d3947a0b3716ec8bb32c9bf
SHA1: f974451b19007ce820f433311ce8adb88e2b7d2c
SHA256:f561b1cc2673844288e596ddf5bb6596868a8472fd2cb8993953fc5c034b2352
Referenced In Project/Scope:Simplicite Platform:compile

Identifiers

opencensus-contrib-grpc-metrics-0.21.0.jar

Description:

null

License:

The Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /var/simplicite/.m2/repository/io/opencensus/opencensus-contrib-grpc-metrics/0.21.0/opencensus-contrib-grpc-metrics-0.21.0.jar
MD5: dbbefdc1c3e6bee5e578812d961ca6ba
SHA1: f07d3a325f1fe69ee40d6b409086964edfef4e69
SHA256:29fc79401082301542cab89d7054d2f0825f184492654c950020553ef4ff0ef8
Referenced In Project/Scope:Simplicite Platform:compile

Identifiers

opencensus-contrib-grpc-util-0.21.0.jar

Description:

null

License:

The Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /var/simplicite/.m2/repository/io/opencensus/opencensus-contrib-grpc-util/0.21.0/opencensus-contrib-grpc-util-0.21.0.jar
MD5: c8d17aa0a8707b0244c324ac8722094f
SHA1: 758d60f34833809df6563e7532e852f61f14b898
SHA256:ad44bf7df586d2e8eb1dad5849cd8b50429ed20fe80da76129006318a4a30ef1
Referenced In Project/Scope:Simplicite Platform:compile

Identifiers

opencensus-contrib-http-util-0.24.0.jar

Description:

null

License:

The Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /var/simplicite/.m2/repository/io/opencensus/opencensus-contrib-http-util/0.24.0/opencensus-contrib-http-util-0.24.0.jar
MD5: 12d9df25feb2c6ff817465103dd3e13f
SHA1: 006d96406c272d884038eb63b262458df75b5445
SHA256:7155273bbb1ed3d477ea33cf19d7bbc0b285ff395f43b29ae576722cf247000f
Referenced In Project/Scope:Simplicite Platform:compile

Identifiers

openjson-1.0.11.jar

Description:

A clean-room Apache-licensed implementation of simple JSON processing

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /var/simplicite/.m2/repository/com/github/openjson/openjson/1.0.11/openjson-1.0.11.jar
MD5: adea05d96e2b300d8d93d87877bbfc0c
SHA1: 89d80fba6ebca174f23614cdfd6e50331c676d26
SHA256:6086e8c4219281e42c4ccb3dbf207995bd10787d27b01aaf00ac1f9b0dd34c9f
Referenced In Project/Scope:Simplicite Platform:compile

Identifiers

CVE-2022-45688  

A stack overflow in the XML.toJSONObject component of hutool-json v5.8.10 allows attackers to cause a Denial of Service (DoS) via crafted JSON or XML data.
CWE-787 Out-of-bounds Write

CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References:

Vulnerable Software & Versions:

CVE-2023-5072  

Denial of Service in JSON-Java versions up to and including 20230618. A bug in the parser means that an input string of modest size can lead to indefinite amounts of memory being used.
CWE-770 Allocation of Resources Without Limits or Throttling

CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References:

Vulnerable Software & Versions:

opennlp-tools-1.9.1.jar

Description:

The Apache Software Foundation provides support for the Apache community of open-source software projects. The Apache projects are characterized by a collaborative, consensus based development process, an open and pragmatic software license, and a desire to create high quality software that leads the way in its field. We consider ourselves not simply a group of projects sharing a server, but rather a community of developers and users.

License:

https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /var/simplicite/.m2/repository/org/apache/opennlp/opennlp-tools/1.9.1/opennlp-tools-1.9.1.jar
MD5: d7c38308f18fcbba1bd87d0d8991ed82
SHA1: 8145429d82a4b811fdd3390557dbe6546b0153ad
SHA256:79711328756f4c8a909d7ae36d62bf2f949cca685d98bfd46b052e24b15df7e2
Referenced In Project/Scope:Simplicite Platform:compile

Identifiers

openstack-keystone-2.2.0.jar

Description:

jclouds components to access an implementation of OpenStack Keystone

License:

https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /var/simplicite/.m2/repository/org/apache/jclouds/api/openstack-keystone/2.2.0/openstack-keystone-2.2.0.jar
MD5: ba713f3c51fee7ad71e8ab3578935b7a
SHA1: 27151bb37c58c3eb45a519b829148435798dc2ca
SHA256:299711877eda635713a7a946a29bacfdaeeeb19f965d54fd8b5491261d5a0596
Referenced In Project/Scope:Simplicite Platform:compile

Identifiers

CVE-2020-12689  

An issue was discovered in OpenStack Keystone before 15.0.1, and 16.0.0. Any user authenticated within a limited scope (trust/oauth/application credential) can create an EC2 credential with an escalated permission, such as obtaining admin while the user is on a limited viewer role. This potentially allows a malicious user to act as the admin on a project another user has the admin role on, which can effectively grant that user global admin privileges.
CWE-269 Improper Privilege Management

CVSSv2:
  • Base Score: MEDIUM (6.5)
  • Vector: /AV:N/AC:L/Au:S/C:P/I:P/A:P
CVSSv3:
  • Base Score: HIGH (8.8)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions:

CVE-2020-12690  

An issue was discovered in OpenStack Keystone before 15.0.1, and 16.0.0. The list of roles provided for an OAuth1 access token is silently ignored. Thus, when an access token is used to request a keystone token, the keystone token contains every role assignment the creator had for the project. This results in the provided keystone token having more role assignments than the creator intended, possibly giving unintended escalated access.
CWE-613 Insufficient Session Expiration

CVSSv2:
  • Base Score: MEDIUM (6.5)
  • Vector: /AV:N/AC:L/Au:S/C:P/I:P/A:P
CVSSv3:
  • Base Score: HIGH (8.8)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions:

CVE-2020-12691  

An issue was discovered in OpenStack Keystone before 15.0.1, and 16.0.0. Any authenticated user can create an EC2 credential for themselves for a project that they have a specified role on, and then perform an update to the credential user and project, allowing them to masquerade as another user. This potentially allows a malicious user to act as the admin on a project another user has the admin role on, which can effectively grant that user global admin privileges.
CWE-863 Incorrect Authorization

CVSSv2:
  • Base Score: MEDIUM (6.5)
  • Vector: /AV:N/AC:L/Au:S/C:P/I:P/A:P
CVSSv3:
  • Base Score: HIGH (8.8)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions:

CVE-2021-3563  

A flaw was found in openstack-keystone. Only the first 72 characters of an application secret are verified, allowing attackers to bypass some password complexity which administrators may be counting on. The highest threat from this vulnerability is to data confidentiality and integrity.
CWE-863 Incorrect Authorization

CVSSv3:
  • Base Score: HIGH (7.4)
  • Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

References:

Vulnerable Software & Versions:

CVE-2020-12692  

An issue was discovered in OpenStack Keystone before 15.0.1, and 16.0.0. The EC2 API doesn't have a signature TTL check for AWS Signature V4. An attacker can sniff the Authorization header, and then use it to reissue an OpenStack token an unlimited number of times.
CWE-347 Improper Verification of Cryptographic Signature, CWE-294 Authentication Bypass by Capture-replay

CVSSv2:
  • Base Score: MEDIUM (5.5)
  • Vector: /AV:N/AC:L/Au:S/C:P/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (5.4)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

References:

Vulnerable Software & Versions:

CVE-2018-14432  

In the Federation component of OpenStack Keystone before 11.0.4, 12.0.0, and 13.0.0, an authenticated "GET /v3/OS-FEDERATION/projects" request may bypass intended access restrictions on listing projects. An authenticated user may discover projects they have no authority to access, leaking all projects in the deployment and their attributes. Only Keystone with the /v3/OS-FEDERATION endpoint enabled via policy.json is affected.
CWE-200 Information Exposure

CVSSv2:
  • Base Score: LOW (3.5)
  • Vector: /AV:N/AC:M/Au:S/C:P/I:N/A:N
CVSSv3:
  • Base Score: MEDIUM (5.3)
  • Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N

References:

Vulnerable Software & Versions:

CVE-2018-20170  

OpenStack Keystone through 14.0.1 has a user enumeration vulnerability because invalid usernames have much faster responses than valid ones for a POST /v3/auth/tokens request. NOTE: the vendor's position is that this is a hardening opportunity, and not necessarily an issue that should have an OpenStack Security Advisory.
CWE-200 Information Exposure

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSSv3:
  • Base Score: MEDIUM (5.3)
  • Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

References:

Vulnerable Software & Versions:

openstack-swift-2.2.0.jar

Description:

jclouds components to access an implementation of OpenStack Swift

License:

https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /var/simplicite/.m2/repository/org/apache/jclouds/api/openstack-swift/2.2.0/openstack-swift-2.2.0.jar
MD5: ca0768eb49f2856e5000e7fc424d3047
SHA1: bf907cbeec176840dbd0daeea90c4b4902f7fbc0
SHA256:aca9b128760baefd27418cbcef560e74038da5645b2421729e7354ed6adf7f00
Referenced In Project/Scope:Simplicite Platform:compile

Identifiers

CVE-2017-16613  

An issue was discovered in middleware.py in OpenStack Swauth through 1.2.0 when used with OpenStack Swift through 2.15.1. The Swift object store and proxy server are saving (unhashed) tokens retrieved from the Swauth middleware authentication mechanism to a log file as part of a GET URI. This allows attackers to bypass authentication by inserting a token into an X-Auth-Token header of a new request. NOTE: github.com/openstack/swauth URLs do not mean that Swauth is maintained by an official OpenStack project team.
CWE-287 Improper Authentication

CVSSv2:
  • Base Score: HIGH (7.5)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions:

CVE-2016-0737  

OpenStack Object Storage (Swift) before 2.4.0 does not properly close client connections, which allows remote attackers to cause a denial of service (proxy-server resource consumption) via a series of interrupted requests to a Large Object URL.
CWE-399 Resource Management Errors

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:P
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References:

Vulnerable Software & Versions:

CVE-2016-0738  

OpenStack Object Storage (Swift) before 2.3.1 (Kilo), 2.4.x, and 2.5.x before 2.5.1 (Liberty) do not properly close server connections, which allows remote attackers to cause a denial of service (proxy-server resource consumption) via a series of interrupted requests to a Large Object URL.
CWE-399 Resource Management Errors

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:P
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References:

Vulnerable Software & Versions:

CVE-2022-47950  

An issue was discovered in OpenStack Swift before 2.28.1, 2.29.x before 2.29.2, and 2.30.0. By supplying crafted XML files, an authenticated user may coerce the S3 API into returning arbitrary file contents from the host server, resulting in unauthorized read access to potentially sensitive data. This impacts both s3api deployments (Rocky or later), and swift3 deployments (Queens and earlier, no longer actively developed).
CWE-552 Files or Directories Accessible to External Parties

CVSSv3:
  • Base Score: MEDIUM (6.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

References:

Vulnerable Software & Versions:

CVE-2015-1856  

OpenStack Object Storage (Swift) before 2.3.0, when allow_version is configured, allows remote authenticated users to delete the latest version of an object by leveraging listing access to the x-versions-location container.
CWE-264 Permissions, Privileges, and Access Controls

CVSSv2:
  • Base Score: MEDIUM (5.5)
  • Vector: /AV:N/AC:L/Au:S/C:N/I:P/A:P

References:

Vulnerable Software & Versions:

CVE-2015-5223  

OpenStack Object Storage (Swift) before 2.4.0 allows attackers to obtain sensitive information via a PUT tempurl and a DLO object manifest that references an object in another container.
CWE-200 Information Exposure

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:N

References:

Vulnerable Software & Versions:

CVE-2017-8761  

In OpenStack Swift through 2.10.1, 2.11.0 through 2.13.0, and 2.14.0, the proxy-server logs full tempurl paths, potentially leaking reusable tempurl signatures to anyone with read access to these logs. All Swift deployments using the tempurl middleware are affected.
CWE-200 Information Exposure

CVSSv2:
  • Base Score: MEDIUM (4.0)
  • Vector: /AV:N/AC:L/Au:S/C:P/I:N/A:N
CVSSv3:
  • Base Score: MEDIUM (4.3)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

References:

Vulnerable Software & Versions:

org.apache.oltu.oauth2.client-1.0.2.jar

Description:

Apache Oltu is an OAuth protocol implementation in Java.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /var/simplicite/.m2/repository/org/apache/oltu/oauth2/org.apache.oltu.oauth2.client/1.0.2/org.apache.oltu.oauth2.client-1.0.2.jar
MD5: 433638a5fab67c3a8f111d58c1fec0a0
SHA1: b34e09d1cb84c4b63cedb65c5346ac44eecc22c5
SHA256:ebbe0095c829ecbbb29b5ab572277ff11b9e3969114e6f1bac5d23a8c97e7708
Referenced In Project/Scope:Simplicite Platform:compile

Identifiers

org.apache.oltu.oauth2.common-1.0.2.jar

Description:

OAuth 2.0 library - Common

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /var/simplicite/.m2/repository/org/apache/oltu/oauth2/org.apache.oltu.oauth2.common/1.0.2/org.apache.oltu.oauth2.common-1.0.2.jar
MD5: 48d5e8f17d2f292b32788d2b98b1aebd
SHA1: a82fff95276f4c6feadc7993670e659076e43260
SHA256:5e7ce01db88b361543e75644269c9447a059a5fecc23a15f3546eff8680ec968
Referenced In Project/Scope:Simplicite Platform:compile

Identifiers

org.eclipse.jgit.http.server-5.5.0.201909110433-r.jar

Description:

Git aware HTTP server implementation.

File Path: /var/simplicite/.m2/repository/org/eclipse/jgit/org.eclipse.jgit.http.server/5.5.0.201909110433-r/org.eclipse.jgit.http.server-5.5.0.201909110433-r.jar
MD5: ec48075bfa53e1ca3c6975ac4bfd2b0b
SHA1: df2a73da47d2b38fc90bd941adda8d2f69d5653b
SHA256:446fbfacb5dcea6c93218ba59a720fe66510a730cc409aac1384282ecb47199b
Referenced In Project/Scope:Simplicite Platform:compile

Identifiers

CVE-2023-4759  

Arbitrary File Overwrite in Eclipse JGit <= 6.6.0

In Eclipse JGit, all versions <= 6.6.0.202305301015-r, a symbolic link present in a specially crafted git repository can be used to write a file to locations outside the working tree when this repository is cloned with JGit to a case-insensitive filesystem, or when a checkout from a clone of such a repository is performed on a case-insensitive filesystem.

This can happen on checkout (DirCacheCheckout), merge (ResolveMerger via its WorkingTreeUpdater), pull (PullCommand using merge), and when applying a patch (PatchApplier). This can be exploited for remote code execution (RCE), for instance if the file written outside the working tree is a git filter that gets executed on a subsequent git command.

The issue occurs only on case-insensitive filesystems, like the default filesystems on Windows and macOS. The user performing the clone or checkout must have the rights to create symbolic links for the problem to occur, and symbolic links must be enabled in the git configuration.

Setting git configuration option core.symlinks = false before checking out avoids the problem.

The issue was fixed in Eclipse JGit version 6.6.1.202309021850-r and 6.7.0.202309050840-r, available via Maven Central https://repo1.maven.org/maven2/org/eclipse/jgit/ and repo.eclipse.org https://repo.eclipse.org/content/repositories/jgit-releases/ . A backport is available in 5.13.3 starting from 5.13.3.202401111512-r.

The JGit maintainers would like to thank RyotaK for finding and reporting this issue.

CWE-59 Improper Link Resolution Before File Access ('Link Following'), CWE-178 Improper Handling of Case Sensitivity

CVSSv3:
  • Base Score: HIGH (8.8)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions:

org.eclipse.paho.client.mqttv3-1.2.1.jar

File Path: /var/simplicite/.m2/repository/org/eclipse/paho/org.eclipse.paho.client.mqttv3/1.2.1/org.eclipse.paho.client.mqttv3-1.2.1.jar
MD5: 94e4b9eac1b077dd6157a71994256f8d
SHA1: 0a0932397520960d23566d1d9d09075f28bc8164
SHA256:56e4708abf2e051028f2cd0b206c8d04ec83f272ee30d543a074738269dfeaac
Referenced In Project/Scope:Simplicite Platform:compile

Identifiers

parso-2.0.11.jar

Description:

Parso is a lightweight Java library designed to read SAS7BDAT datasets. The Parso interfaces are analogous to libraries designed to read table-storing files, for example, CSVReader library. Despite its small size, the Parso library is the only full-featured open-source solution to process SAS7BDAT datasets, both uncompressed, CHAR-compressed and BIN-compressed. It is effective in processing clinical and statistical data often stored in SAS7BDAT format. Parso allows converting data into CSV format.

License:

Apache License v2: http://www.apache.org/licenses/LICENSE-2.0.html
File Path: /var/simplicite/.m2/repository/com/epam/parso/2.0.11/parso-2.0.11.jar
MD5: 5600fb69b3bb3ca4c0270941fa80bf10
SHA1: 3cd3dde9ace470e102bb344e05467ce308108a8e
SHA256:c3042420664fccf8634f77d99bd75e1d2ec03af985e1bf9f1c7a9f4cc79c8fe8
Referenced In Project/Scope:Simplicite Platform:compile

Identifiers

pdfbox-2.0.16.jar

Description:

The Apache PDFBox library is an open source Java tool for working with PDF documents.

License:

https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /var/simplicite/.m2/repository/org/apache/pdfbox/pdfbox/2.0.16/pdfbox-2.0.16.jar
MD5: 0f1782f92a3c66df7d821ab251f2cb89
SHA1: 5dce5e41fc472d02800df5ef060a1f3a58c36902
SHA256:f53d8e869042296703f6753a6dc48e4823d45b7fc1e9c30bf7d20907f0180068
Referenced In Project/Scope:Simplicite Platform:compile

Identifiers

CVE-2021-27807  

A carefully crafted PDF file can trigger an infinite loop while loading the file. This issue affects Apache PDFBox version 2.0.22 and prior 2.0.x versions.
CWE-834 Excessive Iteration

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:N/A:P
CVSSv3:
  • Base Score: MEDIUM (5.5)
  • Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

References:

Vulnerable Software & Versions:

CVE-2021-27906  

A carefully crafted PDF file can trigger an OutOfMemory-Exception while loading the file. This issue affects Apache PDFBox version 2.0.22 and prior 2.0.x versions.
NVD-CWE-Other

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:N/A:P
CVSSv3:
  • Base Score: MEDIUM (5.5)
  • Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

References:

Vulnerable Software & Versions:

CVE-2021-31811  

In Apache PDFBox, a carefully crafted PDF file can trigger an OutOfMemory-Exception while loading the file. This issue affects Apache PDFBox version 2.0.23 and prior 2.0.x versions.
CWE-770 Allocation of Resources Without Limits or Throttling

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:N/A:P
CVSSv3:
  • Base Score: MEDIUM (5.5)
  • Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

References:

Vulnerable Software & Versions:

CVE-2021-31812  

In Apache PDFBox, a carefully crafted PDF file can trigger an infinite loop while loading the file. This issue affects Apache PDFBox version 2.0.23 and prior 2.0.x versions.
CWE-835 Loop with Unreachable Exit Condition ('Infinite Loop')

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:N/A:P
CVSSv3:
  • Base Score: MEDIUM (5.5)
  • Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

References:

Vulnerable Software & Versions:

perfmark-api-0.17.0.jar

Description:

PerfMark API

License:

Apache 2.0: https://opensource.org/licenses/Apache-2.0
File Path: /var/simplicite/.m2/repository/io/perfmark/perfmark-api/0.17.0/perfmark-api-0.17.0.jar
MD5: 1c8d1c8e70fd55114f1c31c28da7a813
SHA1: 97e81005e3a7f537366ffdf20e11e050303b58c1
SHA256:816c11409b8a0c6c9ce1cda14bed526e7b4da0e772da67c5b7b88eefd41520f9
Referenced In Project/Scope:Simplicite Platform:compile

Identifiers

poi-4.1.0.jar

Description:

Apache POI - Java API To Access Microsoft Format Files

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /var/simplicite/.m2/repository/org/apache/poi/poi/4.1.0/poi-4.1.0.jar
MD5: 2d38a6074de57cf93d86e7c5b988c31d
SHA1: 66ea82c8e7cd87e9ae8bceca45daf01328c8d623
SHA256:0d578177f2bde41aa2b68dbac743186208b7a00ccef3c767d5f3271bed2731bf
Referenced In Project/Scope:Simplicite Platform:compile

Identifiers

CVE-2019-12415  

In Apache POI up to 4.1.0, when using the tool XSSFExportToXml to convert user-provided Microsoft Excel documents, a specially crafted document can allow an attacker to read files from the local filesystem or from internal network resources via XML External Entity (XXE) Processing.
CWE-611 Improper Restriction of XML External Entity Reference ('XXE')

CVSSv2:
  • Base Score: LOW (2.1)
  • Vector: /AV:L/AC:L/Au:N/C:P/I:N/A:N
CVSSv3:
  • Base Score: MEDIUM (5.5)
  • Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

References:

Vulnerable Software & Versions:

CVE-2022-26336  

A shortcoming in the HMEF package of poi-scratchpad (Apache POI) allows an attacker to cause an Out of Memory exception. This package is used to read TNEF files (Microsoft Outlook and Microsoft Exchange Server). If an application uses poi-scratchpad to parse TNEF files and the application allows untrusted users to supply them, then a carefully crafted file can cause an Out of Memory exception. This issue affects poi-scratchpad version 5.2.0 and prior versions. Users are recommended to upgrade to poi-scratchpad 5.2.1.
CWE-20 Improper Input Validation, CWE-770 Allocation of Resources Without Limits or Throttling

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:N/A:P
CVSSv3:
  • Base Score: MEDIUM (5.5)
  • Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

References:

Vulnerable Software & Versions:

postgresql-42.6.0.jar

Description:

PostgreSQL JDBC Driver Postgresql

License:

BSD-2-Clause: https://jdbc.postgresql.org/about/license.html
File Path: /var/simplicite/.m2/repository/org/postgresql/postgresql/42.6.0/postgresql-42.6.0.jar
MD5: 527f2c51d65f6a78d6548c51a35556aa
SHA1: 7614cfce466145b84972781ab0079b8dea49e363
SHA256:b817c67a40c94249fd59d4e686e3327ed0d3d3fae426b20da0f1e75652cfc461
Referenced In Project/Scope:Simplicite Platform:runtime

Identifiers

proto-google-cloud-firestore-admin-v1-1.9.0.jar

Description:

PROTO library for proto-google-cloud-firestore-admin-v1

File Path: /var/simplicite/.m2/repository/com/google/api/grpc/proto-google-cloud-firestore-admin-v1/1.9.0/proto-google-cloud-firestore-admin-v1-1.9.0.jar
MD5: b0efde7002174970fc09abb0c4ae19b2
SHA1: 0503a6729169653c152a8dc86913bd74f82de7da
SHA256:5d54251efc740f0beb9d7144d18d8b6a2dc7f8052fbbbda50ce917ad9c4b27a1
Referenced In Project/Scope:Simplicite Platform:compile

Identifiers

proto-google-cloud-firestore-v1-1.9.0.jar

Description:

PROTO library for proto-google-cloud-firestore-v1

File Path: /var/simplicite/.m2/repository/com/google/api/grpc/proto-google-cloud-firestore-v1/1.9.0/proto-google-cloud-firestore-v1-1.9.0.jar
MD5: f8890ed41d3dec67526185af8e9bff7e
SHA1: f7010c387aefaf022df0a9550bee4f20229d6aaa
SHA256:8dbc7a5046ad60d38d4d375fe1aa4e27c6a2550fe3c09bf1d3eaf1d2d1d0272d
Referenced In Project/Scope:Simplicite Platform:compile

Identifiers

proto-google-cloud-firestore-v1beta1-0.62.0.jar

Description:

PROTO library for proto-google-cloud-firestore-v1beta1

File Path: /var/simplicite/.m2/repository/com/google/api/grpc/proto-google-cloud-firestore-v1beta1/0.62.0/proto-google-cloud-firestore-v1beta1-0.62.0.jar
MD5: 93266d7f21e7849f00b07743d8546f79
SHA1: 632e27a101f7d8f0feae5024b14ac00e7a91698f
SHA256:673fabfb4a0d699b22ad2d92c3de0fe325748ad1602ea2d77dc35e1136a7d2af
Referenced In Project/Scope:Simplicite Platform:compile

Identifiers

proto-google-cloud-pubsub-v1-1.73.0.jar

Description:

PROTO library for proto-google-cloud-pubsub-v1

File Path: /var/simplicite/.m2/repository/com/google/api/grpc/proto-google-cloud-pubsub-v1/1.73.0/proto-google-cloud-pubsub-v1-1.73.0.jar
MD5: 36c54e399c2fdcdd7c4057832e81bbe1
SHA1: 81e98f12b862cb8702a65d9603248b2bbbeb3ef7
SHA256:eddd39520e620515b9e62890f4bdd512f75bacc9ec13e3ed58a7d147ec85f06e
Referenced In Project/Scope:Simplicite Platform:compile

Identifiers

proto-google-common-protos-1.16.0.jar

Description:

Google Cloud Common Protos for Java

License:

Apache: https://github.com/googleapis/common-protos-java/blob/master/LICENSE
File Path: /var/simplicite/.m2/repository/com/google/api/grpc/proto-google-common-protos/1.16.0/proto-google-common-protos-1.16.0.jar
MD5: e60d9ae5f85493ee06f1fe91c884e8c9
SHA1: 2c5f022ea3b8e8df6a619c4cd8faf9af86022daa
SHA256:e6eff21b0a5cc049b0bf2c571fac23abe8dd9d5f9143189f501c04164dc37da2
Referenced In Project/Scope:Simplicite Platform:compile

Identifiers

proto-google-iam-v1-0.12.0.jar

Description:

PROTO library for proto-google-iam-v1

License:

Apache-2.0: https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /var/simplicite/.m2/repository/com/google/api/grpc/proto-google-iam-v1/0.12.0/proto-google-iam-v1-0.12.0.jar
MD5: 2adb121a4d06c28cf1669f904832e041
SHA1: ea312c0250a5d0a7cdd1b20bc2c3259938b79855
SHA256:ddabb48fe072ada50484c98f00893a3e1356b4f05d2d0bf0045bc830145d1e0c
Referenced In Project/Scope:Simplicite Platform:compile

Identifiers

protobuf-java-3.10.0.jar

Description:

Core Protocol Buffers library. Protocol Buffers are a way of encoding structured data in an efficient yet extensible format.

License:

https://opensource.org/licenses/BSD-3-Clause
File Path: /var/simplicite/.m2/repository/com/google/protobuf/protobuf-java/3.10.0/protobuf-java-3.10.0.jar
MD5: ee4e91af9399c52cdad88bd078f5a71a
SHA1: 410b61dd0088aab4caa05739558d43df248958c9
SHA256:161d7d61a8cb3970891c299578702fd079646e032329d6c2cabf998d191437c9
Referenced In Project/Scope:Simplicite Platform:compile

Identifiers

CVE-2022-3171  

A parsing issue with binary data in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a denial of service attack. Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown fields causes objects to be converted back-n-forth between mutable and immutable forms, resulting in potentially long garbage collection pauses. We recommend updating to the versions mentioned above.
NVD-CWE-noinfo

CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References:

Vulnerable Software & Versions:

CVE-2022-3509 (OSSINDEX)  

A parsing issue similar to CVE-2022-3171, but with textformat in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a denial of service attack. Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown fields causes objects to be converted back-n-forth between mutable and immutable forms, resulting in potentially long garbage collection pauses. We recommend updating to the versions mentioned above.
CWE-20 Improper Input Validation

CVSSv2:
  • Base Score: HIGH (7.5)
  • Vector: /AV:N/AC:L/Au:/C:N/I:N/A:H

References:

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:com.google.protobuf:protobuf-java:3.10.0:*:*:*:*:*:*:*

CVE-2022-3510 (OSSINDEX)  

A parsing issue similar to CVE-2022-3171, but with Message-Type Extensions in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a denial of service attack. Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown fields causes objects to be converted back-n-forth between mutable and immutable forms, resulting in potentially long garbage collection pauses. We recommend updating to the versions mentioned above.
Sonatype's research suggests that this CVE's details differ from those defined at NVD. See https://ossindex.sonatype.org/vulnerability/CVE-2022-3510 for details
CWE-noinfo

CVSSv2:
  • Base Score: HIGH (7.5)
  • Vector: /AV:N/AC:L/Au:/C:N/I:N/A:H

References:

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:com.google.protobuf:protobuf-java:3.10.0:*:*:*:*:*:*:*

CVE-2021-22569  

An issue in protobuf-java allowed the interleaving of com.google.protobuf.UnknownFieldSet fields in such a way that would be processed out of order. A small malicious payload can occupy the parser for several minutes by creating large numbers of short-lived objects that cause frequent, repeated pauses. We recommend upgrading libraries beyond the vulnerable versions.
NVD-CWE-noinfo

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:N/A:P
CVSSv3:
  • Base Score: MEDIUM (5.5)
  • Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

References:

Vulnerable Software & Versions:

protobuf-java-util-3.10.0.jar

Description:

Utilities for Protocol Buffers

License:

https://opensource.org/licenses/BSD-3-Clause
File Path: /var/simplicite/.m2/repository/com/google/protobuf/protobuf-java-util/3.10.0/protobuf-java-util-3.10.0.jar
MD5: 2e87271cc08f426faf26f474f7308a74
SHA1: a68c906db83e93babbb4024ce91e7441bb7598dd
SHA256:619b0b0dc344cb141e493cbedc5687c8fb7c985e609a1b035e621bfab2f89021
Referenced In Project/Scope:Simplicite Platform:compile

Identifiers

CVE-2022-3171  

A parsing issue with binary data in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a denial of service attack. Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown fields causes objects to be converted back-n-forth between mutable and immutable forms, resulting in potentially long garbage collection pauses. We recommend updating to the versions mentioned above.
NVD-CWE-noinfo

CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References:

Vulnerable Software & Versions:

CVE-2021-22569  

An issue in protobuf-java allowed the interleaving of com.google.protobuf.UnknownFieldSet fields in such a way that would be processed out of order. A small malicious payload can occupy the parser for several minutes by creating large numbers of short-lived objects that cause frequent, repeated pauses. We recommend upgrading libraries beyond the vulnerable versions.
NVD-CWE-noinfo

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:N/A:P
CVSSv3:
  • Base Score: MEDIUM (5.5)
  • Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

References:

Vulnerable Software & Versions:

proton-j-0.33.4.jar

Description:

Proton is a library for speaking AMQP.

License:

https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /var/simplicite/.m2/repository/org/apache/qpid/proton-j/0.33.4/proton-j-0.33.4.jar
MD5: 1e03613999e16d99dfd735c7ae5befba
SHA1: ae78c5552b1ed6549fc5b51f9739e8dbd921ffc3
SHA256:1d2bd1955536d9762229ad9e7e4d63baf2388095841a3839ba723241f201b838
Referenced In Project/Scope:Simplicite Platform:compile

Identifiers

qpid-jms-client-0.51.0.jar

Description:

The core JMS Client implementation

License:

https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /var/simplicite/.m2/repository/org/apache/qpid/qpid-jms-client/0.51.0/qpid-jms-client-0.51.0.jar
MD5: 479f5e93eaa0a76d031cdc092cd525a1
SHA1: 45201d940dca87f04823bfdf39d6aae9b4a145f4
SHA256:272e82564f995120816c5b5fab98cc1d9e195fbddc2a3a4be115a2e45b114767
Referenced In Project/Scope:Simplicite Platform:compile

Identifiers

qrgen-1.4.jar

Description:

a simple QRCode generation api for java built on top ZXING

License:

Apache License v2: http://www.apache.org/licenses/LICENSE-2.0.html
File Path: /var/simplicite/.m2/repository/net/glxn/qrgen/1.4/qrgen-1.4.jar
MD5: 22aedd5cea2b5d4edc650ab1e08a1ff9
SHA1: fbb2465ec16db786a164e66f2a1e67e2e9254303
SHA256:4985f423c0ced38a1b60ac0f2b76e9a260fe54a276ed313c362ae85fdbe39c35
Referenced In Project/Scope:Simplicite Platform:compile

Identifiers

quartz-2.3.1.jar

Description:

Enterprise Job Scheduler

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
Apache Software License, Version 2.0
File Path: /var/simplicite/.m2/repository/org/quartz-scheduler/quartz/2.3.1/quartz-2.3.1.jar
MD5: be3926e0e2d77e84f9f6a1bba18d2b49
SHA1: 8d4e9a8191092402e77a7d1edb5bbfd8b212186c
SHA256:7b1e8d8a093ab2d102645397e200bdae7989f69f3e3df93c5e372ab00759ff46
Referenced In Project/Scope:Simplicite Platform:compile

Identifiers

CVE-2019-13990  

initDocumentParser in xml/XMLSchedulingDataProcessor.java in Terracotta Quartz Scheduler through 2.3.0 allows XXE attacks via a job description.
CWE-611 Improper Restriction of XML External Entity Reference ('XXE')

CVSSv2:
  • Base Score: HIGH (7.5)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions:

CVE-2023-39017  

quartz-jobs 2.3.2 and below was discovered to contain a code injection vulnerability in the component org.quartz.jobs.ee.jms.SendQueueMessageJob.execute. This vulnerability is exploited via passing an unchecked argument. NOTE: this is disputed by multiple parties because it is not plausible that untrusted user input would reach the code location where injection must occur.
CWE-94 Improper Control of Generation of Code ('Code Injection')

CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions:

relaxng-datatype-2.3.2.jar

File Path: /var/simplicite/.m2/repository/com/sun/xml/bind/external/relaxng-datatype/2.3.2/relaxng-datatype-2.3.2.jar
MD5: 0ebc89465bebcaedb3d97ed959b45fa8
SHA1: d202e2c8bdd0a5286490260e311f0df1955f4dbf
SHA256:6a746e2e38eb08b755e1a6b1badc3ab99c1fce81159c1687974da868714a82f5
Referenced In Project/Scope:Simplicite Platform:compile

Identifiers

rhino-1.7.13.jar

Description:

Rhino is an open-source implementation of JavaScript written entirely in Java. It is typically embedded into Java applications to provide scripting to end users.

License:

Mozilla Public License, Version 2.0: http://www.mozilla.org/MPL/2.0/index.txt
File Path: /var/simplicite/.m2/repository/org/mozilla/rhino/1.7.13/rhino-1.7.13.jar
MD5: 17d7bed97d9c03a77578ec16e26bfc2f
SHA1: e6b2e12dc79fbdc58d8bf62a583705a551ec37d6
SHA256:931dda33789d8e004ff5b5478ee3d6d224305de330c48266df7c3e49d52fc606
Referenced In Project/Scope:Simplicite Platform:compile

Identifiers

rhino-1.7.13.jar: test.js

File Path: /var/simplicite/.m2/repository/org/mozilla/rhino/1.7.13/rhino-1.7.13.jar/org/mozilla/javascript/tools/debugger/test.js
MD5: 3f4137118304ccd25816067cf8d1edd6
SHA1: d3c7ae4c10cb6c7ac191cb65a39e53ba6a4e6cfb
SHA256:950d2db0a646488500b58ba76a02c33501a048708c083e3b743b73b16e105331
Referenced In Project/Scope:Simplicite Platform:compile

Identifiers

  • None

rhino-js-engine-1.7.10.jar

Description:

A js-engine.jar that provides a script engine "rhino" with old Rhino JavaScript.

The source code for js-engine comes from https://java.net/projects/Scripting.

The Rhino engine itself is pulled by maven. Its source is at https://github.com/mozilla/rhino.

License:

The BSD 3-Clause License: https://opensource.org/licenses/BSD-3-Clause
File Path: /var/simplicite/.m2/repository/cat/inspiracio/rhino-js-engine/1.7.10/rhino-js-engine-1.7.10.jar
MD5: 5543d39bea21e5c9515e8d967a61e1b1
SHA1: 09cc9336acf7bd2f370ae812d5713e90463edc33
SHA256:b47d73c223c86fd3f70470a9a8269626dbb6e9cb0195d062ba53171a2df7ff44
Referenced In Project/Scope:Simplicite Platform:compile

Identifiers

rhino-js-engine-1.7.10.jar: toplevel.js

File Path: /var/simplicite/.m2/repository/cat/inspiracio/rhino-js-engine/1.7.10/rhino-js-engine-1.7.10.jar/META-INF/toplevel.js
MD5: 491854ddbf3787e63aec2d77d4aad938
SHA1: 0cc36fe5c5269749b8d94252d7490d2d82bda8ed
SHA256:511041250766b0811a7767801a1bec1be89a5bddbbe9e455ad7ea2057ba473f7
Referenced In Project/Scope:Simplicite Platform:compile

Identifiers

  • None

rngom-2.3.2.jar

Description:

RNGOM is a RelaxNG Object model library (XSOM for RelaxNG).

File Path: /var/simplicite/.m2/repository/com/sun/xml/bind/external/rngom/2.3.2/rngom-2.3.2.jar
MD5: 16cae2e80f24e2cf10ad6b5d95114ae0
SHA1: 6b8c5d0984c31a01d98290cee4ab9bde13536431
SHA256:02165b9f0020160873f13e29e243b02e5c578792f9d1f2367fbadfcf8374fc78
Referenced In Project/Scope:Simplicite Platform:compile

Identifiers

rome-1.12.1.jar

Description:

All Roads Lead to ROME. ROME is a set of Atom/RSS Java utilities that make it easy to work in Java with most syndication formats. Today it accepts all flavors of RSS (0.90, 0.91, 0.92, 0.93, 0.94, 1.0 and 2.0), Atom 0.3 and Atom 1.0 feeds. Rome includes a set of parsers and generators for the various flavors of feeds, as well as converters to convert from one format to another. The parsers can give you back Java objects that are either specific for the format you want to work with, or a generic normalized SyndFeed object that lets you work on the data without bothering about the underlying format.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /var/simplicite/.m2/repository/com/rometools/rome/1.12.1/rome-1.12.1.jar
MD5: ff2b10fb031f44513e5c291817aca032
SHA1: e9038b34b001007b2a1f3823c532f3524222075f
SHA256:13414d70a6c185e1374588321861c6e9eb7928eee502d032094ef3ca0fd921ae
Referenced In Project/Scope:Simplicite Platform:compile

Identifiers

rome-utils-1.12.1.jar

Description:

Utility classes for ROME projects

File Path: /var/simplicite/.m2/repository/com/rometools/rome-utils/1.12.1/rome-utils-1.12.1.jar
MD5: 6772713213cee7862e5e9ac1a8c0b79c
SHA1: e14b9757402f0971fabe245f8a3ee7c889151f26
SHA256:d65ce5f0926ee80e1ed19b176428846098000fc4db09360a1b4dd3a1a36ed477
Referenced In Project/Scope:Simplicite Platform:compile

Identifiers

CVE-2021-4277  

A vulnerability, which was classified as problematic, has been found in fredsmith utils. This issue affects some unknown processing of the file screenshot_sync of the component Filename Handler. The manipulation leads to predictable from observable state. The name of the patch is dbab1b66955eeb3d76b34612b358307f5c4e3944. It is recommended to apply a patch to fix this issue. The identifier VDB-216749 was assigned to this vulnerability.
CWE-330 Use of Insufficiently Random Values

CVSSv3:
  • Base Score: MEDIUM (5.3)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

References:

Vulnerable Software & Versions:

s3-2.2.0.jar

Description:

jclouds components to access an implementation of S3

License:

https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /var/simplicite/.m2/repository/org/apache/jclouds/api/s3/2.2.0/s3-2.2.0.jar
MD5: fed1f33af4d2be951084edb7338be653
SHA1: 5e4e3d12349d8fd89ae35319df1f993be04694f8
SHA256:964cb268008696ac2c12108ad43ba9dc03d5edb4cb1d69f5b37d138b4c249522
Referenced In Project/Scope:Simplicite Platform:compile

Identifiers

sentiment-analysis-parser-0.1.jar

Description:

Combines Apache OpenNLP and Apache Tika and provides facilities for automatically deriving sentiment from text.

License:

The Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /var/simplicite/.m2/repository/edu/usc/ir/sentiment-analysis-parser/0.1/sentiment-analysis-parser-0.1.jar
MD5: 69727e01cb8165e2e5d637e527ea82d4
SHA1: 20d1524a1270c1d26e3314d2ee71a12e6a29a27d
SHA256:035a28b4d65993b405ddcc98b4bb67cd038d4617e5c8e5c2f4d16d34c8f49e2b
Referenced In Project/Scope:Simplicite Platform:compile

Identifiers

serializer-2.7.2.jar

Description:

Serializer to write out XML, HTML etc. as a stream of characters from an input DOM or from input SAX events.

File Path: /var/simplicite/.m2/repository/xalan/serializer/2.7.2/serializer-2.7.2.jar
MD5: e8325763fd4235f174ab7b72ed815db1
SHA1: 24247f3bb052ee068971393bdb83e04512bb1c3c
SHA256:e8f5b4340d3b12a0cfa44ac2db4be4e0639e479ae847df04c4ed8b521734bb4a
Referenced In Project/Scope:Simplicite Platform:compile

Identifiers

CVE-2022-34169  

The Apache Xalan Java XSLT library is vulnerable to an integer truncation issue when processing malicious XSLT stylesheets. This can be used to corrupt Java class files generated by the internal XSLTC compiler and execute arbitrary Java bytecode. Users are recommended to update to version 2.7.3 or later. Note: Java runtimes (such as OpenJDK) include repackaged copies of Xalan.
CWE-681 Incorrect Conversion between Numeric Types

CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

References:

Vulnerable Software & Versions:

sis-feature-0.8.jar

Description:

Representations of geographic features.

License:

https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /var/simplicite/.m2/repository/org/apache/sis/core/sis-feature/0.8/sis-feature-0.8.jar
MD5: abcd6da5f22d8a177f7f86ad9de6779b
SHA1: 65ea6ab21713dee99a0d2fd7196b80dd631a7e02
SHA256:c90e420f46c407060b11f62787a088b1127d9e6adb7c79d65ff5a6a99dabd9e2
Referenced In Project/Scope:Simplicite Platform:compile

Identifiers

sis-metadata-0.8.jar

Description:

Implementations of metadata derived from ISO 19115. This module provides both an implementation of the metadata interfaces defined in GeoAPI, and a framework for handling those metadata through Java reflection.

License:

https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /var/simplicite/.m2/repository/org/apache/sis/core/sis-metadata/0.8/sis-metadata-0.8.jar
MD5: de28abdfc0d83256a87db3ceb6b094c2
SHA1: b5d309428e78ebdaf1ea04aec8747a2093689e20
SHA256:d04e98ee08441d30663d1bc45582da9672360b1a148a4faccbb55a5e1437da7c
Referenced In Project/Scope:Simplicite Platform:compile

Identifiers

sis-netcdf-0.8.jar

Description:

Bridge between netCDF Climate and Forecast (CF) convention and ISO 19115 metadata.

License:

https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /var/simplicite/.m2/repository/org/apache/sis/storage/sis-netcdf/0.8/sis-netcdf-0.8.jar
MD5: 2096511e5dac7016da8eacd3a4914e99
SHA1: 0aa44675239c11eeb598ef054efdf2673cd4953a
SHA256:a6477f4437c0a0ed623664739b6c9ada0cceba01d5163d0793eadb5b23677511
Referenced In Project/Scope:Simplicite Platform:compile

Identifiers

sis-referencing-0.8.jar

Description:

Implementations of Coordinate Reference Systems (CRS), conversion and transformation services derived from ISO 19111.

License:

https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /var/simplicite/.m2/repository/org/apache/sis/core/sis-referencing/0.8/sis-referencing-0.8.jar
MD5: c0bbeebdff505844f3d7181a127abcbb
SHA1: 8c9eb6766665eea110f47c53787b7a9bc1310400
SHA256:f194d08bdda2509e104ea32004384298014ecd664aa7d7c30dacf0ee41bfa2f9
Referenced In Project/Scope:Simplicite Platform:compile

Identifiers

CVE-2023-3485  

Insecure defaults in open-source Temporal Server before version 1.20 on all platforms allows an attacker to craft a task token with access to a namespace other than the one specified in the request. Creation of this task token must be done outside of the normal Temporal server flow. It requires the namespace UUID and information from the workflow history for the target namespace. Under these conditions, it is possible to interfere with pending tasks in other namespaces, such as marking a task failed or completed.
If a task is targeted for completion by the attacker, the targeted namespace must also be using the same data converter configuration as the initial, valid, namespace for the task completion payload to be decoded by workers in the target namespace.
CWE-1188

CVSSv3:
  • Base Score: LOW (3.6)
  • Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:L

References:

Vulnerable Software & Versions:

sis-storage-0.8.jar

Description:

Provides the interfaces and base classes to be implemented by various storage formats.

License:

https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /var/simplicite/.m2/repository/org/apache/sis/storage/sis-storage/0.8/sis-storage-0.8.jar
MD5: 5f3238f3d977f9299174e18c45cfaba2
SHA1: 53b323f55881b4cd6fe1ecf9464a7066a3ae2eb6
SHA256:7cade99264a96233e11f1fd888c23f647d94673cab0275a3d81d0d990bd204e5
Referenced In Project/Scope:Simplicite Platform:compile

Identifiers

sis-utility-0.8.jar

Description:

Miscellaneous utilities.

License:

https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /var/simplicite/.m2/repository/org/apache/sis/core/sis-utility/0.8/sis-utility-0.8.jar
MD5: 10e3a9e45b8256c21eb143e7f6060474
SHA1: 4ad2d0805780c5a2cebc0dadbfb8307f94c91c4f
SHA256:add922cad9d64c14ff2098c8c599dcdad8f8593978ee94a68e2278aa0b0dff41
Referenced In Project/Scope:Simplicite Platform:compile

Identifiers

slf4j-api-1.7.30.jar

Description:

The slf4j API

File Path: /var/simplicite/.m2/repository/org/slf4j/slf4j-api/1.7.30/slf4j-api-1.7.30.jar
MD5: f8be00da99bc4ab64c79ab1e2be7cb7c
SHA1: b5a4b6d16ab13e34a88fae84c35cd5d68cac922c
SHA256:cdba07964d1bb40a0761485c6b1e8c2f8fd9eb1d19c53928ac0d7f9510105c57
Referenced In Project/Scope:Simplicite Platform:compile

Identifiers

slf4j-log4j12-1.7.30.jar

Description:

SLF4J LOG4J-12 Binding

File Path: /var/simplicite/.m2/repository/org/slf4j/slf4j-log4j12/1.7.30/slf4j-log4j12-1.7.30.jar
MD5: 78f1ff83b38c52a30a278dec6e023a6d
SHA1: c21f55139d8141d2231214fb1feaf50a1edca95e
SHA256:4d41e01c40caf8a6c74add2b073055d8a4ce1c30e58154177b13f12d78abbe7b
Referenced In Project/Scope:Simplicite Platform:compile

Identifiers

snakeyaml-1.25.jar

Description:

YAML 1.1 parser and emitter for Java

License:

Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /var/simplicite/.m2/repository/org/yaml/snakeyaml/1.25/snakeyaml-1.25.jar
MD5: 6f7d5b8f596047aae07a3bf6f23a0bf2
SHA1: 8b6e01ef661d8378ae6dd7b511a7f2a33fae1421
SHA256:b50ef33187e7dc922b26dbe4dd0fdb3a9cf349e75a08b95269901548eee546eb
Referenced In Project/Scope:Simplicite Platform:compile

Identifiers

CVE-2022-1471  

SnakeYaml's Constructor() class does not restrict types which can be instantiated during deserialization. Deserializing yaml content provided by an attacker can lead to remote code execution. We recommend using SnakeYaml's SafeConstructor when parsing untrusted content to restrict deserialization. We recommend upgrading to version 2.0 and beyond.
CWE-502 Deserialization of Untrusted Data

CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions:

CVE-2017-18640  

The Alias feature in SnakeYAML before 1.26 allows entity expansion during a load operation, a related issue to CVE-2003-1564.
CWE-776 Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:P
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References:

Vulnerable Software & Versions:

CVE-2022-25857  

The package org.yaml:snakeyaml from 0 and before 1.31 is vulnerable to Denial of Service (DoS) due to a missing nested depth limitation for collections.
CWE-776 Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')

CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References:

Vulnerable Software & Versions:

CVE-2022-38749  

Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow.
CWE-787 Out-of-bounds Write

CVSSv3:
  • Base Score: MEDIUM (6.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

References:

Vulnerable Software & Versions:

CVE-2022-38751  

Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow.
CWE-787 Out-of-bounds Write

CVSSv3:
  • Base Score: MEDIUM (6.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

References:

Vulnerable Software & Versions:

CVE-2022-38752  

Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stack-overflow.
CWE-787 Out-of-bounds Write

CVSSv3:
  • Base Score: MEDIUM (6.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

References:

Vulnerable Software & Versions:

CVE-2022-41854  

Those using Snakeyaml to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stack overflow. This effect may support a denial of service attack.
CWE-787 Out-of-bounds Write

CVSSv3:
  • Base Score: MEDIUM (6.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

References:

Vulnerable Software & Versions:

CVE-2022-38750  

Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stack overflow.
CWE-787 Out-of-bounds Write

CVSSv3:
  • Base Score: MEDIUM (5.5)
  • Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

References:

Vulnerable Software & Versions:
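
All six SnakeYAML entries above are the same class of bug: the parser recurses or allocates in proportion to what an attacker puts in the document. Upgrading to a fixed release is the first step; the second is never handing untrusted YAML to a default Yaml instance. The following is an added example, not Simplicite or SnakeYAML code, showing how a loader for untrusted input looks once limits are set explicitly. It assumes the SnakeYAML 2.x API (the LoaderOptions setters used here and the SafeConstructor(LoaderOptions) constructor); the documents built in main are constructed for the demo.

```java
import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.SafeConstructor;
import org.yaml.snakeyaml.error.YAMLException;

/**
 * Added example (not project or library code): load untrusted YAML under explicit
 * limits so that deep nesting is rejected with a YAMLException instead of a
 * StackOverflowError killing the thread. Assumes the SnakeYAML 2.x API.
 */
public final class SafeYamlLoader {

    private final Yaml yaml;

    public SafeYamlLoader(int maxNestingDepth, int maxCodePoints) {
        LoaderOptions opts = new LoaderOptions();
        // Collections nested deeper than this are rejected long before the
        // recursive composer can approach the thread's stack limit.
        opts.setNestingDepthLimit(maxNestingDepth);
        // Cap the whole document size (counted in code points).
        opts.setCodePointLimit(maxCodePoints);
        // Aliases let a small document expand into a very large object graph.
        opts.setMaxAliasesForCollections(10);
        opts.setAllowRecursiveKeys(false);
        // SafeConstructor builds only standard YAML types (maps, lists, scalars)
        // and never instantiates a class named by the document.
        this.yaml = new Yaml(new SafeConstructor(opts));
    }

    /** Returns the parsed document, or null if it violates a limit or is malformed. */
    public Object loadOrNull(String untrusted) {
        try {
            return yaml.load(untrusted);
        } catch (YAMLException e) {
            // Limit violations (for example the nesting depth check) and
            // syntax errors both land here; neither takes the thread down.
            System.err.println("rejected YAML input: " + e.getMessage());
            return null;
        }
    }

    /** Constructed hostile input: a flow sequence nested `depth` levels deep. */
    static String nestedSequence(int depth) {
        StringBuilder sb = new StringBuilder(2 * depth);
        for (int i = 0; i < depth; i++) sb.append('[');
        for (int i = 0; i < depth; i++) sb.append(']');
        return sb.toString();
    }

    public static void main(String[] args) {
        SafeYamlLoader loader = new SafeYamlLoader(20, 1 << 20);
        // Benign configuration document: parsed into a Map.
        System.out.println(loader.loadOrNull("server:\n  port: 8080\n  tls: true\n"));
        // 10,000 nested sequences: rejected once depth 20 is exceeded; prints null.
        System.out.println(loader.loadOrNull(nestedSequence(10_000)));
    }
}
```

The depth limit is the control that maps directly onto CVE-2022-25857; the code point limit and alias cap bound the remaining input-proportional costs. Pick the depth from what the application's own documents legitimately need, not from what the parser tolerates.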

stax-ex-1.8.1.jar

Description:

Extensions to JSR-173 StAX API.

License:

Eclipse Distribution License - v 1.0: http://www.eclipse.org/org/documents/edl-v10.php
File Path: /var/simplicite/.m2/repository/org/jvnet/staxex/stax-ex/1.8.1/stax-ex-1.8.1.jar
MD5: 8fea4418fa80e957e39c174cec08053c
SHA1: 78011e483a21102fb4858f3e8f269a677e50aa23
SHA256:20522549056e9e50aa35ef0b445a2e47a53d06be0b0a9467d704e2483ffb049a
Referenced In Project/Scope:Simplicite Platform:compile

Identifiers

stax2-api-4.2.jar

Description:

Stax2 API is an extension to the basic Stax 1.0 API that adds significant new functionality, such as a full-featured bi-directional validation interface and a high-performance Typed Access API.
  

License:

The BSD License: http://www.opensource.org/licenses/bsd-license.php
File Path: /var/simplicite/.m2/repository/org/codehaus/woodstox/stax2-api/4.2/stax2-api-4.2.jar
MD5: 5d22fe6dbb276d1fd6dab40c386a4f0a
SHA1: 13c2b30926bca0429c704c4b4ca0b5d0432b69cd
SHA256:badf6081a0bb526fd2c01951dfefad91b6846b6dd0eb0048587e30d1dd334e68
Referenced In Project/Scope:Simplicite Platform:compile

Identifiers

CVE-2022-40152  

Those using Woodstox to parse XML data may be vulnerable to Denial of Service attacks (DOS) if DTD support is enabled. If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stack overflow. This effect may support a denial of service attack.
CWE-787 Out-of-bounds Write

CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References:

Vulnerable Software & Versions:

stringtemplate-3.2.1.jar

Description:

StringTemplate is a java template engine for generating source code,
web pages, emails, or any other formatted text output.

StringTemplate is particularly good at multi-targeted code generators,
multiple site skins, and internationalization/localization. 

It evolved over years of effort developing jGuru.com. 

StringTemplate also generates the stringtemplate website: http://www.stringtemplate.org
and powers the ANTLR v3 code generator. Its distinguishing characteristic 
is that unlike other engines, it strictly enforces model-view separation.

Strict separation makes websites and code generators more flexible
and maintainable; it also provides an excellent defense against malicious
template authors.

There are currently about 600 StringTemplate source downloads a month.
    

License:

BSD licence: http://antlr.org/license.html
File Path: /var/simplicite/.m2/repository/org/antlr/stringtemplate/3.2.1/stringtemplate-3.2.1.jar
MD5: b58ca53e518a92a1991eb63b61917582
SHA1: 59ec8083721eae215c6f3caee944c410d2be34de
SHA256:f66ce72e965e5301cb0f020e54d2ba6ad76feb91b3cbfc30dbbf00c06a6df6d7
Referenced In Project/Scope:Simplicite Platform:compile

Identifiers

stripe-java-12.0.0.jar

Description:

Stripe Java Bindings

License:

The MIT License: https://opensource.org/licenses/MIT
File Path: /var/simplicite/.m2/repository/com/stripe/stripe-java/12.0.0/stripe-java-12.0.0.jar
MD5: 78c7e3844db994a92b3737de088c720c
SHA1: 126bbc011f3a25472d7180db10f8e24ce8bd9e91
SHA256:ec7353106e0533db0bc52ab7bb9a4cd77e3647765847c6fe97859b9ebc6e2f40
Referenced In Project/Scope:Simplicite Platform:compile

Identifiers

sts-2.2.0.jar

Description:

jclouds components to access an implementation of Security Token Service (STS)

License:

https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /var/simplicite/.m2/repository/org/apache/jclouds/api/sts/2.2.0/sts-2.2.0.jar
MD5: c28fdf7b52053995204ab1073eeffa50
SHA1: dc2f27e3cee17446a905dce8474761a43b3d2561
SHA256:9e939a535b94290309c9a8d9db76735a6e8cf199df4d5f585654adf2777ca0fa
Referenced In Project/Scope:Simplicite Platform:compile

Identifiers

swagger-annotations-1.5.8.jar

License:

http://www.apache.org/licenses/LICENSE-2.0.html
File Path: /var/simplicite/.m2/repository/io/swagger/swagger-annotations/1.5.8/swagger-annotations-1.5.8.jar
MD5: 57370150b5f709d54e96e50162653b51
SHA1: 48d3002e43bde443f19750ec5670d345e9cd8d62
SHA256:a476592aad2355c20559ba323c08fd1d8bf630aab75a8c8ddde22987d65f2d52
Referenced In Project/Scope:Simplicite Platform:compile

Identifiers

tagsoup-1.2.1.jar

Description:

TagSoup is a SAX-compliant parser written in Java that, instead of parsing well-formed or valid XML, parses HTML as it is found in the wild: poor, nasty and brutish, though quite often far from short. TagSoup is designed for people who have to process this stuff using some semblance of a rational application design. By providing a SAX interface, it allows standard XML tools to be applied to even the worst HTML. TagSoup also includes a command-line processor that reads HTML files and can generate either clean HTML or well-formed XML that is a close approximation to XHTML.

License:

Apache License 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /var/simplicite/.m2/repository/org/ccil/cowan/tagsoup/tagsoup/1.2.1/tagsoup-1.2.1.jar
MD5: ae73a52cdcbec10cd61d9ef22fab5936
SHA1: 5584627487e984c03456266d3f8802eb85a9ce97
SHA256:ac97f7b4b1d8e9337edfa0e34044f8d0efe7223f6ad8f3a85d54cc1018ea2e04
Referenced In Project/Scope:Simplicite Platform:compile

Identifiers

threeten-extra-1.5.0.jar

Description:

Additional functionality that enhances JSR-310 dates and times in Java SE 8 and later

License:

BSD 3-clause: https://raw.githubusercontent.com/ThreeTen/threeten-extra/master/LICENSE.txt
File Path: /var/simplicite/.m2/repository/org/threeten/threeten-extra/1.5.0/threeten-extra-1.5.0.jar
MD5: 25fcd93381bd0b0d2cf6b99c231e4bb4
SHA1: d6adb54fefe72482ed049f07af31ddf2c287345f
SHA256:e7def554536188fbaf8aac1a0a2f956b039cbbb5696edc3b8336c442c56ae445
Referenced In Project/Scope:Simplicite Platform:compile

Identifiers

threetenbp-1.3.3.jar

Description:

Backport of JSR-310 from JDK 8 to JDK 7 and JDK 6. NOT an implementation of the JSR.

License:

BSD 3-clause: https://raw.githubusercontent.com/ThreeTen/threetenbp/master/LICENSE.txt
File Path: /var/simplicite/.m2/repository/org/threeten/threetenbp/1.3.3/threetenbp-1.3.3.jar
MD5: 6c45c54a06806225d2754b51fbdf088d
SHA1: 3ea31c96676ff12ab56be0b1af6fff61d1a4f1f2
SHA256:7bbee842b0334f63627556d3c657aab82431f3a207c8dc4dcfc379d7d210a8c6
Referenced In Project/Scope:Simplicite Platform:compile

Identifiers

tika-core-1.22.jar

Description:

This is the core Apache Tika™ toolkit library from which all other modules inherit functionality. It also
    includes the core facades for the Tika API.
  

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /var/simplicite/.m2/repository/org/apache/tika/tika-core/1.22/tika-core-1.22.jar
MD5: 078d3798a32e444b3e3425457402dce3
SHA1: b193f1f977e64ff77025a4cecd7997cff344c4bc
SHA256:81a9e28c9fa9d6b00d1e5d85795403fb773d4c571175487b35b83a8c02599dd7
Referenced In Project/Scope:Simplicite Platform:compile

Identifiers

CVE-2020-1950  

A carefully crafted or corrupt PSD file can cause excessive memory usage in Apache Tika's PSDParser in versions 1.0-1.23.
CWE-400 Uncontrolled Resource Consumption ('Resource Exhaustion')

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:N/A:P
CVSSv3:
  • Base Score: MEDIUM (5.5)
  • Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

References:

Vulnerable Software & Versions:

CVE-2020-1951  

A carefully crafted or corrupt PSD file can cause an infinite loop in Apache Tika's PSDParser in versions 1.0-1.23.
CWE-835 Loop with Unreachable Exit Condition ('Infinite Loop')

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:N/A:P
CVSSv3:
  • Base Score: MEDIUM (5.5)
  • Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

References:

Vulnerable Software & Versions:

CVE-2021-28657  

A carefully crafted or corrupt file may trigger an infinite loop in Tika's MP3Parser up to and including Tika 1.25. Apache Tika users should upgrade to 1.26 or later.
CWE-835 Loop with Unreachable Exit Condition ('Infinite Loop')

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:N/A:P
CVSSv3:
  • Base Score: MEDIUM (5.5)
  • Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

References:

Vulnerable Software & Versions:

CVE-2022-25169  

The BPG parser in versions of Apache Tika before 1.28.2 and 2.4.0 may allocate an unreasonable amount of memory on carefully crafted files.
CWE-770 Allocation of Resources Without Limits or Throttling

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:N/A:P
CVSSv3:
  • Base Score: MEDIUM (5.5)
  • Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

References:

Vulnerable Software & Versions:

CVE-2022-30126  

In Apache Tika, a regular expression in our StandardsText class, used by the StandardsExtractingContentHandler could lead to a denial of service caused by backtracking on a specially crafted file. This only affects users who are running the StandardsExtractingContentHandler, which is a non-standard handler. This is fixed in 1.28.2 and 2.4.0
NVD-CWE-Other

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:N/A:P
CVSSv3:
  • Base Score: MEDIUM (5.5)
  • Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

References:

Vulnerable Software & Versions:

CVE-2022-30973  

We failed to apply the fix for CVE-2022-30126 to the 1.x branch in the 1.28.2 release. In Apache Tika, a regular expression in the StandardsText class, used by the StandardsExtractingContentHandler could lead to a denial of service caused by backtracking on a specially crafted file. This only affects users who are running the StandardsExtractingContentHandler, which is a non-standard handler. This is fixed in 1.28.3.
NVD-CWE-Other

CVSSv2:
  • Base Score: LOW (2.6)
  • Vector: /AV:N/AC:H/Au:N/C:N/I:N/A:P
CVSSv3:
  • Base Score: MEDIUM (5.5)
  • Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

References:

Vulnerable Software & Versions:

CVE-2022-33879  

The initial fixes in CVE-2022-30126 and CVE-2022-30973 for regexes in the StandardsExtractingContentHandler were insufficient, and we found a separate, new regex DoS in a different regex in the StandardsExtractingContentHandler. These are now fixed in 1.28.4 and 2.4.1.
NVD-CWE-Other

CVSSv2:
  • Base Score: LOW (2.6)
  • Vector: /AV:N/AC:H/Au:N/C:N/I:N/A:P
CVSSv3:
  • Base Score: LOW (3.3)
  • Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L

References:

Vulnerable Software & Versions:

tika-parsers-1.22.jar

Description:

Apache Tika is a toolkit for detecting and extracting metadata and    structured text content from various documents using existing parser    libraries.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /var/simplicite/.m2/repository/org/apache/tika/tika-parsers/1.22/tika-parsers-1.22.jar
MD5: 688b25cce3d2ba79d4172309ef5a4e58
SHA1: b8a823128f6165882ae41de3ded8655609d62d88
SHA256:756e77987077cc485763beeac77925001b9b4993e58978be09b8e6c510770aea
Referenced In Project/Scope:Simplicite Platform:compile

Identifiers

CVE-2020-1950  

A carefully crafted or corrupt PSD file can cause excessive memory usage in Apache Tika's PSDParser in versions 1.0-1.23.
CWE-400 Uncontrolled Resource Consumption ('Resource Exhaustion')

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:N/A:P
CVSSv3:
  • Base Score: MEDIUM (5.5)
  • Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

References:

Vulnerable Software & Versions:

CVE-2020-1951  

A carefully crafted or corrupt PSD file can cause an infinite loop in Apache Tika's PSDParser in versions 1.0-1.23.
CWE-835 Loop with Unreachable Exit Condition ('Infinite Loop')

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:N/A:P
CVSSv3:
  • Base Score: MEDIUM (5.5)
  • Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

References:

Vulnerable Software & Versions:

CVE-2020-9489 (OSSINDEX)  

A carefully crafted or corrupt file may trigger a System.exit in Tika's OneNote Parser. Crafted or corrupted files can also cause out of memory errors and/or infinite loops in Tika's ICNSParser, MP3Parser, MP4Parser, SAS7BDATParser, OneNoteParser and ImageParser. Apache Tika users should upgrade to 1.24.1 or later. The vulnerabilities in the MP4Parser were partially fixed by upgrading the com.googlecode:isoparser:1.1.22 dependency to org.tallison:isoparser:1.9.41.2. For unrelated security reasons, we upgraded org.apache.cxf to 3.3.6 as part of the 1.24.1 release.

Sonatype's research suggests that this CVE's details differ from those defined at NVD. See https://ossindex.sonatype.org/vulnerability/CVE-2020-9489 for details
CWE-835 Loop with Unreachable Exit Condition ('Infinite Loop')

CVSSv2:
  • Base Score: MEDIUM (5.5)
  • Vector: /AV:L/AC:L/Au:/C:N/I:N/A:H

References:

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:org.apache.tika:tika-parsers:1.22:*:*:*:*:*:*:*

CVE-2021-28657  

A carefully crafted or corrupt file may trigger an infinite loop in Tika's MP3Parser up to and including Tika 1.25. Apache Tika users should upgrade to 1.26 or later.
CWE-835 Loop with Unreachable Exit Condition ('Infinite Loop')

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:N/A:P
CVSSv3:
  • Base Score: MEDIUM (5.5)
  • Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

References:

Vulnerable Software & Versions:

CVE-2022-25169  

The BPG parser in versions of Apache Tika before 1.28.2 and 2.4.0 may allocate an unreasonable amount of memory on carefully crafted files.
CWE-770 Allocation of Resources Without Limits or Throttling

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:N/A:P
CVSSv3:
  • Base Score: MEDIUM (5.5)
  • Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

References:

Vulnerable Software & Versions:

CVE-2022-30126  

In Apache Tika, a regular expression in our StandardsText class, used by the StandardsExtractingContentHandler could lead to a denial of service caused by backtracking on a specially crafted file. This only affects users who are running the StandardsExtractingContentHandler, which is a non-standard handler. This is fixed in 1.28.2 and 2.4.0
NVD-CWE-Other

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:N/A:P
CVSSv3:
  • Base Score: MEDIUM (5.5)
  • Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

References:

Vulnerable Software & Versions:

CVE-2022-30973  

We failed to apply the fix for CVE-2022-30126 to the 1.x branch in the 1.28.2 release. In Apache Tika, a regular expression in the StandardsText class, used by the StandardsExtractingContentHandler could lead to a denial of service caused by backtracking on a specially crafted file. This only affects users who are running the StandardsExtractingContentHandler, which is a non-standard handler. This is fixed in 1.28.3.
NVD-CWE-Other

CVSSv2:
  • Base Score: LOW (2.6)
  • Vector: /AV:N/AC:H/Au:N/C:N/I:N/A:P
CVSSv3:
  • Base Score: MEDIUM (5.5)
  • Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

References:

Vulnerable Software & Versions:

CVE-2022-33879  

The initial fixes in CVE-2022-30126 and CVE-2022-30973 for regexes in the StandardsExtractingContentHandler were insufficient, and we found a separate, new regex DoS in a different regex in the StandardsExtractingContentHandler. These are now fixed in 1.28.4 and 2.4.1.
NVD-CWE-Other

CVSSv2:
  • Base Score: LOW (2.6)
  • Vector: /AV:N/AC:H/Au:N/C:N/I:N/A:P
CVSSv3:
  • Base Score: LOW (3.3)
  • Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L

References:

Vulnerable Software & Versions:
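
The Tika findings listed for tika-core and tika-parsers (PSD, BPG, MP3 and OneNote parsers, plus the StandardsExtractingContentHandler regexes) share one shape: a crafted file makes a parser spend unbounded memory or CPU. The fix is the upgrade the entries name, but a service that accepts user files should also assume the next parser bug is unknown and bound what a single file may cost. The following is an added example, not Simplicite or Apache Tika code, that wraps AutoDetectParser with an input-size cap, an output-size cap and a wall-clock timeout. It assumes the Tika 1.x API matching the 1.22 artifacts above; the sample input in main is constructed for the demo.

```java
import java.io.ByteArrayInputStream;
import java.io.FilterInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.util.concurrent.ExecutionException;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.Future;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.TimeoutException;
import org.apache.tika.exception.TikaException;
import org.apache.tika.metadata.Metadata;
import org.apache.tika.parser.AutoDetectParser;
import org.apache.tika.parser.ParseContext;
import org.apache.tika.sax.BodyContentHandler;
import org.apache.tika.sax.WriteOutContentHandler;

/**
 * Added example (not project or library code): bounds the input bytes, the
 * extracted characters and the wall-clock time one file may consume.
 * Assumes the Tika 1.x API.
 */
public final class BoundedTikaExtractor {

    private final ExecutorService pool = Executors.newCachedThreadPool(r -> {
        Thread t = new Thread(r, "tika-worker");
        t.setDaemon(true); // a worker stuck in a parser loop must not keep the JVM alive
        return t;
    });
    private final long maxInputBytes;
    private final int maxOutputChars;
    private final long timeoutMillis;

    public BoundedTikaExtractor(long maxInputBytes, int maxOutputChars, long timeoutMillis) {
        this.maxInputBytes = maxInputBytes;
        this.maxOutputChars = maxOutputChars;
        this.timeoutMillis = timeoutMillis;
    }

    /** InputStream that fails once more than `cap` bytes have been read. */
    private static final class CappedInputStream extends FilterInputStream {
        private final long cap;
        private long seen;

        CappedInputStream(InputStream in, long cap) {
            super(in);
            this.cap = cap;
        }

        @Override public int read() throws IOException {
            int b = in.read();
            if (b >= 0) count(1);
            return b;
        }

        @Override public int read(byte[] buf, int off, int len) throws IOException {
            int n = in.read(buf, off, len);
            if (n > 0) count(n);
            return n;
        }

        private void count(int n) throws IOException {
            seen += n;
            if (seen > cap) throw new IOException("input exceeds " + cap + " bytes");
        }
    }

    /** Extracts body text; throws TikaException if any bound is exceeded. */
    public String extract(InputStream untrusted) throws TikaException {
        // WriteOutContentHandler aborts the parse once maxOutputChars is reached.
        WriteOutContentHandler out = new WriteOutContentHandler(maxOutputChars);
        BodyContentHandler handler = new BodyContentHandler(out);
        Future<?> job = pool.submit(() -> {
            new AutoDetectParser().parse(new CappedInputStream(untrusted, maxInputBytes),
                                         handler, new Metadata(), new ParseContext());
            return null;
        });
        try {
            job.get(timeoutMillis, TimeUnit.MILLISECONDS);
            return out.toString();
        } catch (TimeoutException e) {
            // Only cooperative parsers honour the interrupt; a parser in a tight
            // infinite loop keeps its (daemon) thread. Process isolation, for
            // example Tika's ForkParser, is the real fix for that case.
            job.cancel(true);
            throw new TikaException("parse exceeded " + timeoutMillis + " ms");
        } catch (ExecutionException e) {
            Throwable cause = e.getCause();
            if (out.isWriteLimitReached(cause)) {
                return out.toString(); // truncated output is still usable
            }
            throw new TikaException("parse failed", cause);
        } catch (InterruptedException e) {
            Thread.currentThread().interrupt();
            throw new TikaException("interrupted while parsing");
        }
    }

    public static void main(String[] args) throws Exception {
        BoundedTikaExtractor extractor = new BoundedTikaExtractor(5L << 20, 100_000, 10_000);
        // Constructed sample input: a small plain-text document.
        byte[] sample = "Invoice 4711: amount due 10 EUR".getBytes(StandardCharsets.UTF_8);
        System.out.println(extractor.extract(new ByteArrayInputStream(sample)).trim());
    }
}
```

The timeout turns an infinite loop into a failed request rather than a hung one, but it does not reclaim the thread; for a public upload endpoint the parsing should additionally run in a separate process with its own memory limit, which is what the ForkParser class in Tika exists for.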

twilio-7.42.0.jar

Description:

Twilio Java Helper Library

License:

MIT License: http://www.opensource.org/licenses/mit-license.php
File Path: /var/simplicite/.m2/repository/com/twilio/sdk/twilio/7.42.0/twilio-7.42.0.jar
MD5: 5827cc6fb38a4948b41f197bc11d71d9
SHA1: 90428a9e9fc22c3fbe6cb8e5a1d5075df1420607
SHA256:76add2813e7ebb4a60e11acca594dd2f7e3cb1b076c354456f46a0b0f511bfaf
Referenced In Project/Scope:Simplicite Platform:compile

Identifiers

txw2-2.3.2.jar

Description:

        TXW is a library that allows you to write XML documents.
    

File Path: /var/simplicite/.m2/repository/org/glassfish/jaxb/txw2/2.3.2/txw2-2.3.2.jar
MD5: 3f278f148c5d27dc608c25cb7d093b94
SHA1: ce5be7da2e442c25ec14c766cb60cb802741727b
SHA256:4a6a9f483388d461b81aa9a28c685b8b74c0597993bf1884b04eddbca95f48fe
Referenced In Project/Scope:Simplicite Platform:compile

Identifiers

udunits-4.5.5.jar

Description:

The ucar.units Java package is for decoding and encoding
    formatted unit specifications (e.g. "m/s"), converting numeric values
    between compatible units (e.g. between "m/s" and "knot"), and for
    performing arithmetic operations on units (e.g. dividing one unit by
    another, raising a unit to a power).

File Path: /var/simplicite/.m2/repository/edu/ucar/udunits/4.5.5/udunits-4.5.5.jar
MD5: 025ffadf77de73601443c8262c995df0
SHA1: d8c8d65ade13666eedcf764889c69321c247f153
SHA256:fb641ad901d1526d53f2b13bc86baec703c57d58e6001cfa54ca7734c97fb30d
Referenced In Project/Scope:Simplicite Platform:compile

Identifiers

unit-api-1.0.jar

Description:

Units of Measurement Standard - This JSR specifies Java packages for modeling and working with measurement values, quantities and their corresponding units.

License:

BSD: LICENSE.txt
File Path: /var/simplicite/.m2/repository/javax/measure/unit-api/1.0/unit-api-1.0.jar
MD5: 0e62b80ee212b7bb9d3cd150ff988a93
SHA1: 6b960260278588d7ff02fe376e5aad39a9c7440b
SHA256:35da65fdbd3f9c1fe79cfc8399db975fd97660d8a219febfda9fd1a5fc058f10
Referenced In Project/Scope:Simplicite Platform:compile

Identifiers

vorbis-java-core-0.8.jar

File Path: /var/simplicite/.m2/repository/org/gagravarr/vorbis-java-core/0.8/vorbis-java-core-0.8.jar
MD5: 71b623b57f56daf112bddb3337ee896d
SHA1: 7e9937c2575cda2e3fc116415117c74f23e43fa6
SHA256:879bb0c8923fea686609e207fd9050ab246e001868341c725929405e755cf68e
Referenced In Project/Scope:Simplicite Platform:compile

Identifiers

vorbis-java-tika-0.8.jar

File Path: /var/simplicite/.m2/repository/org/gagravarr/vorbis-java-tika/0.8/vorbis-java-tika-0.8.jar
MD5: 85c7b34d5f94e66bf0c79f5d673db750
SHA1: 4ddbb27ac5884a0f0398a63d46a89d3bc87dc457
SHA256:a1b62281a99aec10dc69db1d2f8250952dca5841eedf1167b6b6f9585e2d0d26
Referenced In Project/Scope:Simplicite Platform:compile

Identifiers

wmf2svg-0.9.8.jar

Description:

WMF to SVG Converting Tool & Library

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /var/simplicite/.m2/repository/net/arnx/wmf2svg/0.9.8/wmf2svg-0.9.8.jar
MD5: 34b920f0aa840b1792702d253c2c58b7
SHA1: 365614a3ee72ec475d9032f906d37b753fbe2bfa
SHA256:c7f136558140c3fbe9410199ca509895faad4fa79bdc185e72a868f1c2819b4a
Referenced In Project/Scope:Simplicite Platform:compile

Identifiers

woodstox-core-6.2.0.jar (shaded: com.sun.xml.bind.jaxb:isorelax:20090621)

Description:

Unknown version of isorelax library used in JAXB project

File Path: /var/simplicite/.m2/repository/com/fasterxml/woodstox/woodstox-core/6.2.0/woodstox-core-6.2.0.jar/META-INF/maven/com.sun.xml.bind.jaxb/isorelax/pom.xml
MD5: 6fbb4bc95fbf2072bc6e3b790553fe81
SHA1: 314ec72948d5c1fc71d553cbbd7a130caa6f9f13
SHA256:cda6451d0231a973352b592ff950e39224ba6ba1a2f35eeab66511b5c225dff1
Referenced In Project/Scope:Simplicite Platform:compile

Identifiers

CVE-2023-34411  

The xml-rs crate before 0.8.14 for Rust and Crab allows a denial of service (panic) via an invalid <! token (such as <!DOCTYPEs/%<!A nesting) in an XML document. The earliest affected version is 0.8.9.
CWE-611 Improper Restriction of XML External Entity Reference ('XXE')

CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References:

Vulnerable Software & Versions:
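
This entry is a false positive of the kind the disclaimer at the top of the report warns about: CVE-2023-34411 is a bug in the Rust crate xml-rs, and the matched "dependency" is the isorelax pom.xml shaded inside the Java jar woodstox-core-6.2.0.jar, which carries no Rust code. The following is an added example, not part of the report, of a Dependency-Check suppression file that silences exactly this match. It pins the suppression to the SHA1 of the matched file as printed above, so it cannot quietly carry over to a different artifact; the file name and the wording of the note are the author's choices.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- dependency-check-suppressions.xml (name assumed): pass it to the scanner
     with suppressionFile / -\-suppression. -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
    <suppress>
        <notes><![CDATA[
        CVE-2023-34411 affects the Rust crate xml-rs. It was matched against the
        isorelax pom.xml shaded into woodstox-core-6.2.0.jar, a Java artifact that
        contains no xml-rs code. Pinned by SHA1 of the matched pom so a different
        artifact with the same coordinates is re-evaluated rather than silenced.
        ]]></notes>
        <sha1>314ec72948d5c1fc71d553cbbd7a130caa6f9f13</sha1>
        <cve>CVE-2023-34411</cve>
    </suppress>
</suppressions>
```

Suppress by hash plus CVE rather than by package name alone: a name-based rule would also hide a future, genuine finding against the same coordinates. Keep the suppression file in version control next to the build so the justification is reviewed with the code.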

woodstox-core-6.2.0.jar (shaded: net.java.dev.msv:xsdlib:2013.6.1)

Description:

XML Schema datatypes library

File Path: /var/simplicite/.m2/repository/com/fasterxml/woodstox/woodstox-core/6.2.0/woodstox-core-6.2.0.jar/META-INF/maven/net.java.dev.msv/xsdlib/pom.xml
MD5: aaf872ed9d1aabee25e03c2a132ffd8e
SHA1: 47f218a999411ed028f089d59ebef8f14e0fe914
SHA256:d6e83c124436049d83238fc532a26c5d8ccd7e4ab10eba6d96043c850ac82f3c
Referenced In Project/Scope:Simplicite Platform:compile

Identifiers

woodstox-core-6.2.0.jar

Description:

Woodstox is a high-performance XML processor that implements Stax (JSR-173),
SAX2 and Stax2 APIs
    

License:

The Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /var/simplicite/.m2/repository/com/fasterxml/woodstox/woodstox-core/6.2.0/woodstox-core-6.2.0.jar
MD5: 0a45f2441d81fb2c01781f11ee1e3fd3
SHA1: bfe9e1c4436230011e6aadced5df9262ec821cda
SHA256:078f8f918344f2c195917339060dedfb758cec1e014f96c6082fe0bdb6037af5
Referenced In Project/Scope:Simplicite Platform:compile

Identifiers

CVE-2022-40152  

Those using Woodstox to parse XML data may be vulnerable to Denial of Service attacks (DOS) if DTD support is enabled. If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stack overflow. This effect may support a denial of service attack.
CWE-787 Out-of-bounds Write

CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References:

Vulnerable Software & Versions:

xalan-2.7.2.jar

Description:

    Xalan-Java is an XSLT processor for transforming XML documents into HTML,
    text, or other XML document types. It implements XSL Transformations (XSLT)
    Version 1.0 and XML Path Language (XPath) Version 1.0 and can be used from
    the command line, in an applet or a servlet, or as a module in other programs.
  

File Path: /var/simplicite/.m2/repository/xalan/xalan/2.7.2/xalan-2.7.2.jar
MD5: 6aa6607802502c8016b676f25f8e4873
SHA1: d55d3f02a56ec4c25695fe67e1334ff8c2ecea23
SHA256:a44bd80e82cb0f4cfac0dac8575746223802514e3cec9dc75235bc0de646af14
Referenced In Project/Scope:Simplicite Platform:compile

Identifiers

CVE-2022-34169  

The Apache Xalan Java XSLT library is vulnerable to an integer truncation issue when processing malicious XSLT stylesheets. This can be used to corrupt Java class files generated by the internal XSLTC compiler and execute arbitrary Java bytecode. Users are recommended to update to version 2.7.3 or later. Note: Java runtimes (such as OpenJDK) include repackaged copies of Xalan.
CWE-681 Incorrect Conversion between Numeric Types

CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

References:

Vulnerable Software & Versions:

xalan-interpretive-11.0.0.jar

Description:

xalan-interpretive

License:

Apache 2: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /var/simplicite/.m2/repository/org/docx4j/org/apache/xalan-interpretive/11.0.0/xalan-interpretive-11.0.0.jar
MD5: fc5a8e36ca1cbe5eb05dbf328e058403
SHA1: 7494b62aced4c3d0ffa259e59c435dc9bd7f07b3
SHA256:badfeb922041262d667363e05bd1cea3947f2ad63dc0f586582ef20ab5a52456
Referenced In Project/Scope:Simplicite Platform:compile

Identifiers

xalan-serializer-11.0.0.jar

Description:

xalan-serializer

License:

Apache 2: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /var/simplicite/.m2/repository/org/docx4j/org/apache/xalan-serializer/11.0.0/xalan-serializer-11.0.0.jar
MD5: f21112d50f8c5e067bcb388697cb6af1
SHA1: 7a6b5802bdba3d3b12e935b8a0ae2e020d839cfd
SHA256:ee20541b9180bbd4dc4d55b825e397aefc1545d11d819e4d488012fa76a4b6dc
Referenced In Project/Scope:Simplicite Platform:compile

Identifiers

xercesImpl-2.12.0.jar

Description:

      Xerces2 is the next generation of high performance, fully compliant XML parsers in the Apache Xerces family. This new version of Xerces introduces the Xerces Native Interface (XNI), a complete framework for building parser components and configurations that is extremely modular and easy to program.

    The Apache Xerces2 parser is the reference implementation of XNI but other parser components, configurations, and parsers can be written using the Xerces Native Interface. For complete design and implementation documents, refer to the XNI Manual.

    Xerces2 is a fully conforming XML Schema 1.0 processor. A partial experimental implementation of the XML Schema 1.1 Structures and Datatypes Working Drafts (December 2009) and an experimental implementation of the XML Schema Definition Language (XSD): Component Designators (SCD) Candidate Recommendation (January 2010) are provided for evaluation. For more information, refer to the XML Schema page.

    Xerces2 also provides a complete implementation of the Document Object Model Level 3 Core and Load/Save W3C Recommendations and provides a complete implementation of the XML Inclusions (XInclude) W3C Recommendation. It also provides support for OASIS XML Catalogs v1.1.

    Xerces2 is able to parse documents written according to the XML 1.1 Recommendation, except that it does not yet provide an option to enable normalization checking as described in section 2.13 of this specification. It also handles namespaces according to the XML Namespaces 1.1 Recommendation, and will correctly serialize XML 1.1 documents if the DOM level 3 load/save APIs are in use.  
	

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /var/simplicite/.m2/repository/xerces/xercesImpl/2.12.0/xercesImpl-2.12.0.jar
MD5: b89632b53c4939a2982bcb52806f6dec
SHA1: f02c844149fd306601f20e0b34853a670bef7fa2
SHA256:b50d3a4ca502faa4d1c838acb8aa9480446953421f7327e338c5dda3da5e76d0
Referenced In Project/Scope:Simplicite Platform:compile

Identifiers

  • pkg:maven/xerces/xercesImpl@2.12.0  (Confidence:High)
  • cpe:2.3:a:apache:xerces-j:2.12.0:*:*:*:*:*:*:*  (Confidence:Low)  
  • cpe:2.3:a:apache:xerces2_java:2.12.0:*:*:*:*:*:*:*  (Confidence:Low)  

CVE-2022-23437  

There is a vulnerability within the Apache Xerces Java (XercesJ) XML parser when handling specially crafted XML document payloads. This causes the XercesJ XML parser to wait in an infinite loop, which may consume system resources for a prolonged duration. This vulnerability is present within XercesJ version 2.12.1 and the previous versions.
CWE-835 Loop with Unreachable Exit Condition ('Infinite Loop')

CVSSv2:
  • Base Score: HIGH (7.1)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:N/A:C
CVSSv3:
  • Base Score: MEDIUM (6.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

References:

Vulnerable Software & Versions:

CVE-2017-10355 (OSSINDEX)  

sonatype-2017-0348 - xerces:xercesImpl - Denial of Service (DoS)

The software contains multiple threads or executable segments that are waiting for each other to release a necessary lock, resulting in deadlock.
CWE-833 Deadlock

CVSSv3:
  • Base Score: MEDIUM (5.9)
  • Vector: CVSS:/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

References:

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:xerces:xercesImpl:2.12.0:*:*:*:*:*:*:*
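
Three of the XML findings above (CVE-2022-40152 in Woodstox, CVE-2022-34169 in Xalan and CVE-2022-23437 in Xerces) are reached through features an application processing untrusted documents rarely needs: DTD processing, and stylesheet compilation from untrusted sources. The following is an added example, not Simplicite, Woodstox, Xerces or Xalan code, of factory configuration that turns those features off and adds hard limits, with a constructed document in main to show the two parsers' behaviour. It assumes Woodstox 6.x (the WstxInputProperties limits) and a Xerces-based JAXP SAX implementation (the apache.org feature URIs).

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.SAXParserFactory;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamConstants;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;
import javax.xml.transform.TransformerException;
import javax.xml.transform.TransformerFactory;
import com.ctc.wstx.api.WstxInputProperties;
import com.ctc.wstx.stax.WstxInputFactory;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import org.xml.sax.helpers.DefaultHandler;

/**
 * Added example (not project or library code): parser factories for untrusted
 * XML with DTD processing disabled and explicit structural limits.
 */
public final class HardenedXmlFactories {

    /** Woodstox StAX factory: DTD support off plus hard structural limits. */
    public static XMLInputFactory staxFactory() {
        XMLInputFactory f = new WstxInputFactory();
        // CVE-2022-40152 requires DTD support; with it off the internal subset
        // is skipped, so nothing declared there can ever be expanded.
        f.setProperty(XMLInputFactory.SUPPORT_DTD, Boolean.FALSE);
        f.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, Boolean.FALSE);
        // Woodstox-specific caps on nesting and total size, so a hostile
        // document cannot exhaust the stack or the heap.
        f.setProperty(WstxInputProperties.P_MAX_ELEMENT_DEPTH, 100);
        f.setProperty(WstxInputProperties.P_MAX_ATTRIBUTE_SIZE, 64 * 1024);
        f.setProperty(WstxInputProperties.P_MAX_CHARACTERS, 10_000_000L);
        return f;
    }

    /** Xerces SAX factory: any DOCTYPE is a hard parse error. */
    public static SAXParserFactory saxFactory() throws Exception {
        SAXParserFactory f = SAXParserFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // One feature removes XXE, entity expansion and every DTD-dependent code
        // path. It is not a substitute for moving past Xerces 2.12.1.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        return f;
    }

    /** Xalan/JAXP transformer factory: no extensions, no external resources. */
    public static TransformerFactory transformerFactory() throws Exception {
        TransformerFactory tf = TransformerFactory.newInstance();
        // Disables extension functions and elements; Xalan honours this feature.
        tf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // document(), xsl:import and xsl:include all go through the resolver:
        // refuse everything, so a stylesheet cannot reach the network or disk.
        tf.setURIResolver((href, base) -> {
            throw new TransformerException("external resource blocked: " + href);
        });
        // CVE-2022-34169 is triggered by the stylesheet, not the input document:
        // compile only stylesheets that ship with the application, never one
        // received from a user.
        return tf;
    }

    /** Counts start elements of an untrusted document with the hardened StAX reader. */
    public static int countElements(String xml) throws XMLStreamException {
        XMLStreamReader r = staxFactory().createXMLStreamReader(new StringReader(xml));
        int n = 0;
        try {
            while (r.hasNext()) {
                if (r.next() == XMLStreamConstants.START_ELEMENT) n++;
            }
        } finally {
            r.close();
        }
        return n;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: carries an internal DTD subset, as a hostile document would.
        String withDoctype = "<?xml version=\"1.0\"?>\n"
                + "<!DOCTYPE a [<!ENTITY lol \"lol\">]>\n"
                + "<a><b/><c/></a>";
        try {
            saxFactory().newSAXParser()
                    .parse(new InputSource(new StringReader(withDoctype)), new DefaultHandler());
        } catch (SAXException e) {
            System.out.println("Xerces rejected the document: " + e.getMessage());
        }
        // Woodstox skips the subset and counts the three elements a, b and c.
        System.out.println("Woodstox: " + countElements(withDoctype) + " elements");
    }
}
```

Use the SAX factory wherever the document must be rejected outright when it carries a DOCTYPE; use the StAX factory where legacy documents with a harmless DOCTYPE still have to be read. Neither setting replaces the version upgrades the entries above call for, since the Xerces loop is not tied to DTD processing.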

xhtmlrenderer-3.0.0.jar

Description:

		Modified flyingsaucer XML/XHTML and CSS 2.1 renderer, to support docx (and eventually pptx) output
	

License:

Apache 2: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /var/simplicite/.m2/repository/org/docx4j/xhtmlrenderer/3.0.0/xhtmlrenderer-3.0.0.jar
MD5: d1f1faf911c376261b7698282bbf0c08
SHA1: 14c766017bd26c1b1f96f170833845bc1bab6aeb
SHA256:7189d588e7888c92da996eded1b5a17ac435eb6193b47e2207805fc458e318c9
Referenced In Project/Scope:Simplicite Platform:compile

Identifiers

xmlbeans-3.1.0.jar

Description:

XmlBeans main jar

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /var/simplicite/.m2/repository/org/apache/xmlbeans/xmlbeans/3.1.0/xmlbeans-3.1.0.jar
MD5: 408902d943e5bd51a4813dae131681a3
SHA1: 6dac1f897dfb3e3f17fc79b18a3353b2e51c464e
SHA256:a19ea1ec835a101165f7aa3c55427e81b5f2b187bfe7689a19277c51402620b0
Referenced In Project/Scope:Simplicite Platform:compile

Identifiers

xmlgraphics-commons-2.3.jar

Description:

    Apache XML Graphics Commons is a library that consists of several reusable 
    components used by Apache Batik and Apache FOP. Many of these components 
    can easily be used separately outside the domains of SVG and XSL-FO.
  

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /var/simplicite/.m2/repository/org/apache/xmlgraphics/xmlgraphics-commons/2.3/xmlgraphics-commons-2.3.jar
MD5: 3edc187a769f9ff50e53f095bccb20cd
SHA1: f0b77d80c4d8f02538512b4d505af0cf5286eb7f
SHA256:1fb91bac2795f7a768a7665f40cde996023a489ecc43e5ee67ad40fbaa79e194
Referenced In Project/Scope:Simplicite Platform:compile

Identifiers

CVE-2020-11988  

Apache XmlGraphics Commons 2.4 and earlier is vulnerable to server-side request forgery, caused by improper input validation by the XMPParser. By using a specially-crafted argument, an attacker could exploit this vulnerability to cause the underlying server to make arbitrary GET requests. Users should upgrade to 2.6 or later.
CWE-20 Improper Input Validation, CWE-918 Server-Side Request Forgery (SSRF)

CVSSv2:
  • Base Score: MEDIUM (6.4)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:N
CVSSv3:
  • Base Score: HIGH (8.2)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

References:

Vulnerable Software & Versions:

xmlsec-2.1.4.jar

Description:

        Apache XML Security for Java supports XML-Signature Syntax and Processing,
        W3C Recommendation 12 February 2002, and XML Encryption Syntax and
        Processing, W3C Recommendation 10 December 2002. As of version 1.4,
        the library supports the standard Java API JSR-105: XML Digital Signature APIs.
    

License:

Apache License, Version 2.0: https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /var/simplicite/.m2/repository/org/apache/santuario/xmlsec/2.1.4/xmlsec-2.1.4.jar
MD5: bedb9da77422052baeab84af891392a6
SHA1: cb43326f02e3e77526c24269c8b5d3cc3f7f6653
SHA256:2e2ec8fe0cf873979f630ae4d35e7ede3390321279b7a15de9deed3f3430990c
Referenced In Project/Scope:Simplicite Platform:compile

Identifiers

  • pkg:maven/org.apache.santuario/xmlsec@2.1.4  (Confidence:High)
  • cpe:2.3:a:apache:santuario_xml_security_for_java:2.1.4:*:*:*:*:*:*:*  (Confidence:Low)  
  • cpe:2.3:a:apache:xml_security_for_java:2.1.4:*:*:*:*:*:*:*  (Confidence:Low)  

CVE-2021-40690  

All versions of Apache Santuario - XML Security for Java prior to 2.2.3 and 2.1.7 are vulnerable to an issue where the "secureValidation" property is not passed correctly when creating a KeyInfo from a KeyInfoReference element. This allows an attacker to abuse an XPath Transform to extract any local .xml files in a RetrievalMethod element.
CWE-200 Information Exposure

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

References:

Vulnerable Software & Versions:

CVE-2023-44483  

All versions of Apache Santuario - XML Security for Java prior to 2.2.6, 2.3.4, and 3.0.3, when using the JSR 105 API, are vulnerable to an issue where a private key may be disclosed in log files when generating an XML Signature and logging with debug level is enabled. Users are recommended to upgrade to version 2.2.6, 2.3.4, or 3.0.3, which fixes this issue.
CWE-532 Information Exposure Through Log Files

CVSSv3:
  • Base Score: MEDIUM (6.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

References:

Vulnerable Software & Versions:
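
The two Santuario findings point in the same direction: the library's own secureValidation switch was not plumbed through correctly (CVE-2021-40690, where a KeyInfoReference lets a RetrievalMethod pull local files), and the signing path leaks the private key when debug logging is on (CVE-2023-44483). A verifier that never resolves keys from the document is immune to the first class of bug whatever the library does internally. The following is an added example, not Simplicite or Santuario code, of a JSR-105 verifier that pins the signer's public key, still sets secureValidation as defense in depth, and enforces an assumed policy of one enveloped Reference over the whole document; the signing helper and the order document exist only to make the demo self-contained. Which JSR-105 provider answers XMLSignatureFactory.getInstance("DOM") (the JDK's own or Santuario's, if registered) is outside this code, and the key-pinning point holds for either. For the second finding, keep debug-level logging off on the signing path in production.

```java
import java.io.StringReader;
import java.io.StringWriter;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PublicKey;
import java.util.Collections;
import javax.xml.XMLConstants;
import javax.xml.crypto.AlgorithmMethod;
import javax.xml.crypto.KeySelector;
import javax.xml.crypto.KeySelectorResult;
import javax.xml.crypto.XMLCryptoContext;
import javax.xml.crypto.dsig.CanonicalizationMethod;
import javax.xml.crypto.dsig.DigestMethod;
import javax.xml.crypto.dsig.Reference;
import javax.xml.crypto.dsig.SignedInfo;
import javax.xml.crypto.dsig.Transform;
import javax.xml.crypto.dsig.XMLSignature;
import javax.xml.crypto.dsig.XMLSignatureFactory;
import javax.xml.crypto.dsig.dom.DOMSignContext;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import javax.xml.crypto.dsig.keyinfo.KeyInfo;
import javax.xml.crypto.dsig.spec.C14NMethodParameterSpec;
import javax.xml.crypto.dsig.spec.TransformParameterSpec;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.dom.DOMSource;
import javax.xml.transform.stream.StreamResult;
import org.w3c.dom.Document;
import org.w3c.dom.NodeList;
import org.xml.sax.InputSource;

/** Added example (not project or library code): verify with a pinned key, never with KeyInfo. */
public final class PinnedKeySignatureVerifier {
    private static final String RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256";
    private final PublicKey trustedKey;

    public PinnedKeySignatureVerifier(PublicKey trustedKey) {
        this.trustedKey = trustedKey;
    }

    /** Namespace-aware, DOCTYPE-free DOM parse (XML-DSig needs namespaces). */
    static Document parse(String xml) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        return dbf.newDocumentBuilder().parse(new InputSource(new StringReader(xml)));
    }

    /** Verifies one enveloped signature over the whole document. */
    public boolean verify(String signedXml) throws Exception {
        Document doc = parse(signedXml);
        NodeList sigs = doc.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature");
        if (sigs.getLength() != 1) return false; // exactly one signature, no wrapping tricks
        // KeyInfo is ignored entirely: RetrievalMethod and KeyInfoReference in an
        // untrusted document are attacker-controlled, so they are never
        // dereferenced, whatever the library does with secureValidation.
        KeySelector pinned = new KeySelector() {
            @Override
            public KeySelectorResult select(KeyInfo ki, KeySelector.Purpose p,
                                            AlgorithmMethod m, XMLCryptoContext c) {
                return () -> trustedKey;
            }
        };
        DOMValidateContext ctx = new DOMValidateContext(pinned, sigs.item(0));
        ctx.setProperty("org.jcp.xml.dsig.secureValidation", Boolean.TRUE);
        XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
        XMLSignature sig = fac.unmarshalXMLSignature(ctx);
        // Assumed policy: a single Reference with URI "" (the whole document).
        for (Object o : sig.getSignedInfo().getReferences()) {
            if (!"".equals(((Reference) o).getURI())) return false;
        }
        return sig.validate(ctx);
    }

    /** Constructed sample: signs a tiny order document with a fresh RSA key. */
    static String signSample(KeyPair kp) throws Exception {
        Document doc = parse("<order><amount>10</amount></order>");
        XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
        Reference ref = fac.newReference("", fac.newDigestMethod(DigestMethod.SHA256, null),
                Collections.singletonList(fac.newTransform(Transform.ENVELOPED, (TransformParameterSpec) null)),
                null, null);
        SignedInfo si = fac.newSignedInfo(
                fac.newCanonicalizationMethod(CanonicalizationMethod.EXCLUSIVE, (C14NMethodParameterSpec) null),
                fac.newSignatureMethod(RSA_SHA256, null), Collections.singletonList(ref));
        // No KeyInfo: the verifier already knows the key; the document must not choose it.
        fac.newXMLSignature(si, null).sign(new DOMSignContext(kp.getPrivate(), doc.getDocumentElement()));
        StringWriter out = new StringWriter();
        TransformerFactory.newInstance().newTransformer().transform(new DOMSource(doc), new StreamResult(out));
        return out.toString();
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();
        String signed = signSample(kp);
        PinnedKeySignatureVerifier v = new PinnedKeySignatureVerifier(kp.getPublic());
        System.out.println("intact:   " + v.verify(signed));   // true: digest and signature match
        System.out.println("tampered: " + v.verify(signed.replace("<amount>10<", "<amount>99<"))); // false
    }
}
```

The important line is the KeySelector: it returns the pinned key without looking at KeyInfo, so no transform or reference inside the document is ever evaluated to find a key. The Reference-URI check is a policy assumption for enveloped signatures; an application that signs fragments by id needs its own equivalent check that the signed part is the part it acts on.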

xmpcore-5.1.3.jar

Description:

    The XMP Library for Java is based on the C++ XMPCore library
    and the API is similar.
  

License:

The BSD License: http://www.adobe.com/devnet/xmp/library/eula-xmp-library-java.html
File Path: /var/simplicite/.m2/repository/com/adobe/xmp/xmpcore/5.1.3/xmpcore-5.1.3.jar
MD5: 08d154cf297e87471637df85172f93e6
SHA1: 57e70c3b10ff269fff9adfa7a31d61af0df30757
SHA256:821be907f1e514ebb50f0ca04b2c098370a3cb5e5f9ddcc2ecf81e73eb265daa
Referenced In Project/Scope:Simplicite Platform:compile

Identifiers

xsom-2.3.2.jar

Description:

XML Schema Object Model (XSOM) is a Java library that allows applications to easily parse XML Schema
        documents and inspect information in them. It is expected to be useful for applications that need to take XML
        Schema as an input.
    

File Path: /var/simplicite/.m2/repository/org/glassfish/jaxb/xsom/2.3.2/xsom-2.3.2.jar
MD5: 69490072151ce34b84c8d0990a931c6d
SHA1: 0157dc2bf479c524d63a214e8fe9888f45a667db
SHA256:598196320e56138f78895c9bbc3055983d25b76814f072dfcb836f8cc4437c73
Referenced In Project/Scope:Simplicite Platform:compile

Identifiers

xz-1.8.jar

Description:

XZ data compression

License:

Public Domain
File Path: /var/simplicite/.m2/repository/org/tukaani/xz/1.8/xz-1.8.jar
MD5: 5f982127e0de85b785c4b2abad21aa2e
SHA1: c4f7d054303948eb6a4066194253886c8af07128
SHA256:8c7964b36fe3f0cbe644b04fcbff84e491ce81917db2f5bfa0cba8e9548aff5d
Referenced In Project/Scope:Simplicite Platform:compile

Identifiers



This report contains data retrieved from the National Vulnerability Database.
This report may contain data retrieved from the NPM Public Advisories.
This report may contain data retrieved from RetireJS.
This report may contain data retrieved from the Sonatype OSS Index.