5.2.1 NVD CVE Checked 2019-08-22T22:02:44 NVD CVE Modified 2019-08-22T21:33:49 VersionCheckOn 2019-08-22T22:02:44 Devsecops 2019-08-24T07:41:56.905Z This report contains data retrieved from the National Vulnerability Database: https://nvd.nist.gov, NPM Public Advisories: https://www.npmjs.com/advisories, and the RetireJS community. javax.inject-1.jar /var/lib/jenkins/workspace/test@2/infrastructure/dependency-check/lib/javax.inject-1.jar 289075e48b909e9e74e6c915b3631d2e 6975da39a7040257bd51d21a231b76c915872d38 91c77044a50c481636c32d916fd89c9118a72195390452c81065080f957de7ff The javax.inject API The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt central groupid javax.inject pom name javax.inject jar package name inject pom groupid javax.inject jar package name javax pom url http://code.google.com/p/atinject/ pom artifactid javax.inject file name javax.inject-1 pom url http://code.google.com/p/atinject/ pom name javax.inject jar package name inject central artifactid javax.inject pom artifactid javax.inject file name javax.inject-1 pom groupid javax.inject central version 1 file version 1 pom version 1 pkg:maven/javax.inject/javax.inject@1 https://ossindex.sonatype.org/component/pkg:maven/javax.inject/javax.inject@1 pkg:maven/javax.inject/javax.inject@1 https://ossindex.sonatype.org/component/pkg:maven/javax.inject/javax.inject@1 commons-text-1.7.jar /var/lib/jenkins/workspace/test@2/infrastructure/dependency-check/lib/commons-text-1.7.jar b621c9817128bb34db92a04c6137379d 4d7d6dc210f80d0bff18645cc534a0c45324d0d6 8434bbfb887e7a0f3dfef92ac84e783f847bc0f0f43b8cc9e026646b137b6065 Apache Commons Text is a library focused on algorithms working on strings. 
https://www.apache.org/licenses/LICENSE-2.0.txt Manifest bundle-symbolicname org.apache.commons.commons-text Manifest Implementation-Vendor-Id org.apache.commons pom name Apache Commons Text pom parent-artifactid commons-parent Manifest require-capability osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))" pom groupid apache.commons Manifest implementation-url http://commons.apache.org/proper/commons-text pom parent-groupid org.apache.commons jar package name apache Manifest automatic-module-name org.apache.commons.text file name commons-text Manifest specification-vendor The Apache Software Foundation jar package name commons pom url http://commons.apache.org/proper/commons-text jar package name text Manifest bundle-docurl http://commons.apache.org/proper/commons-text pom artifactid commons-text Manifest Implementation-Vendor The Apache Software Foundation Manifest bundle-symbolicname org.apache.commons.commons-text pom parent-artifactid commons-parent pom name Apache Commons Text Manifest require-capability osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))" pom artifactid commons-text Manifest implementation-url http://commons.apache.org/proper/commons-text jar package name apache Manifest specification-title Apache Commons Text Manifest Implementation-Title Apache Commons Text Manifest automatic-module-name org.apache.commons.text file name commons-text pom url http://commons.apache.org/proper/commons-text jar package name commons pom groupid apache.commons pom parent-groupid org.apache.commons jar package name text Manifest bundle-docurl http://commons.apache.org/proper/commons-text Manifest Bundle-Name Apache Commons Text pom version 1.7 file version 1.7 pom parent-version 1.7 Manifest Implementation-Version 1.7 pkg:maven/org.apache.commons/commons-text@1.7 https://ossindex.sonatype.org/component/pkg:maven/org.apache.commons/commons-text@1.7 pkg:maven/org.apache.commons/commons-text@1.7 
https://ossindex.sonatype.org/component/pkg:maven/org.apache.commons/commons-text@1.7 h2-1.4.196.jar /var/lib/jenkins/workspace/test@2/infrastructure/dependency-check/lib/h2-1.4.196.jar 4ce376a2466f5b29573fc3e40606af6b dd0034398d593aa3588c6773faac429bbd9aea0e 0a05f4a0d5b85840148aadce63a423b5d3c36ef44756389b4faad08d2733faf5 H2 Database Engine MPL 2.0 or EPL 1.0: http://h2database.com/html/license.html Manifest provide-capability osgi.service;objectClass:List=org.osgi.service.jdbc.DataSourceFactory pom url http://www.h2database.com file name h2 jar package name h2 central groupid com.h2database jar package name h2 Manifest implementation-url http://www.h2database.com pom name H2 Database Engine Manifest bundle-symbolicname org.h2 pom groupid h2database pom artifactid h2 Manifest bundle-category jdbc Manifest provide-capability osgi.service;objectClass:List=org.osgi.service.jdbc.DataSourceFactory file name h2 central artifactid h2 Manifest Implementation-Title H2 Database Engine jar package name h2 jar package name service Manifest implementation-url http://www.h2database.com Manifest Bundle-Name H2 Database Engine pom artifactid h2 pom name H2 Database Engine pom url http://www.h2database.com Manifest bundle-symbolicname org.h2 jar package name engine pom groupid h2database jar package name database Manifest bundle-category jdbc jar package name jdbc Manifest Implementation-Version 1.4.196 Manifest Bundle-Version 1.4.196 file version 1.4.196 pom version 1.4.196 central version 1.4.196 pkg:maven/com.h2database/h2@1.4.196 https://ossindex.sonatype.org/component/pkg:maven/com.h2database/h2@1.4.196 pkg:maven/com.h2database/h2@1.4.196 https://ossindex.sonatype.org/component/pkg:maven/com.h2database/h2@1.4.196 jcip-annotations-1.0.jar /var/lib/jenkins/workspace/test@2/infrastructure/findsecbugs/archive/lib/jcip-annotations-1.0.jar 9d5272954896c5a5d234f66b7372b17a afba4942caaeaf46aab0b976afd57cc7c181467e be5805392060c71474bf6c9a67a099471274d30b83eef84bfc4e0889a4f1dcc0 
/var/lib/jenkins/workspace/test@2/infrastructure/findsecbugs/lib/jcip-annotations-1.0.jar be5805392060c71474bf6c9a67a099471274d30b83eef84bfc4e0889a4f1dcc0 afba4942caaeaf46aab0b976afd57cc7c181467e 9d5272954896c5a5d234f66b7372b17a file name jcip-annotations pom url http://jcip.net/ pom groupid net.jcip jar package name net central groupid net.jcip jar package name annotations pom artifactid jcip-annotations pom name "Java Concurrency in Practice" book annotations jar package name jcip file name jcip-annotations pom url http://jcip.net/ central artifactid jcip-annotations pom artifactid jcip-annotations jar package name annotations pom name "Java Concurrency in Practice" book annotations pom groupid net.jcip jar package name jcip central version 1.0 pom version 1.0 file version 1.0 pkg:maven/net.jcip/jcip-annotations@1.0 https://ossindex.sonatype.org/component/pkg:maven/net.jcip/jcip-annotations@1.0 pkg:maven/net.jcip/jcip-annotations@1.0 https://ossindex.sonatype.org/component/pkg:maven/net.jcip/jcip-annotations@1.0 jboss-logging-3.1.0.GA.jar /var/lib/jenkins/workspace/test@2/target/devsecops/WEB-INF/lib/jboss-logging-3.1.0.GA.jar 735bcea3e47fd715900cfb95ec68b50f c71f2856e7b60efe485db39b37a31811e6c84365 dea2fe7895033bdbbe2c1688ad08a0588d9d9b0f17d53349081cc20dda31353e The JBoss Logging Framework GNU Lesser General Public License, version 2.1: http://www.gnu.org/licenses/lgpl-2.1.txt /var/lib/jenkins/workspace/test@2/target/devsecops.war/WEB-INF/lib/jboss-logging-3.1.0.GA.jar dea2fe7895033bdbbe2c1688ad08a0588d9d9b0f17d53349081cc20dda31353e c71f2856e7b60efe485db39b37a31811e6c84365 735bcea3e47fd715900cfb95ec68b50f pom url http://www.jboss.org file name jboss-logging jar package name logging Manifest Implementation-Vendor JBoss by Red Hat Manifest bundle-docurl http://www.jboss.org pom parent-artifactid jboss-parent Manifest bundle-symbolicname org.jboss.logging.jboss-logging pom name JBoss Logging 3 jar package name jboss Manifest specification-vendor JBoss by Red Hat 
Manifest implementation-url http://www.jboss.org pom groupid jboss.logging pom parent-groupid org.jboss Manifest Implementation-Vendor-Id org.jboss.logging pom artifactid jboss-logging pom parent-artifactid jboss-parent file name jboss-logging jar package name logging Manifest bundle-docurl http://www.jboss.org Manifest bundle-symbolicname org.jboss.logging.jboss-logging pom name JBoss Logging 3 pom url http://www.jboss.org jar package name jboss pom groupid jboss.logging Manifest implementation-url http://www.jboss.org pom parent-groupid org.jboss Manifest specification-title JBoss Logging 3 pom artifactid jboss-logging Manifest Bundle-Name JBoss Logging 3 Manifest Implementation-Title JBoss Logging 3 pom version 3.1.0.GA Manifest Bundle-Version 3.1.0.GA pom parent-version 3.1.0.GA Manifest Implementation-Version 3.1.0.GA pkg:maven/org.jboss.logging/jboss-logging@3.1.0.GA https://ossindex.sonatype.org/component/pkg:maven/org.jboss.logging/jboss-logging@3.1.0.GA pkg:maven/org.jboss.logging/jboss-logging@3.1.0.GA https://ossindex.sonatype.org/component/pkg:maven/org.jboss.logging/jboss-logging@3.1.0.GA guava-28.0-jre.jar /var/lib/jenkins/workspace/test@2/infrastructure/dependency-check/lib/guava-28.0-jre.jar 6eb33b6c6d29d7f6cfece0543f13fad3 54fed371b4b8a8cce1e94a9abd9620982d3aa54b 73e4d6ae5f0e8f9d292a4db83a2479b5468f83d972ac1ff36d6d0b43943b4f91 Guava is a suite of core and expanded libraries that include utility classes, google's collections, io classes, and much much more. 
http://www.apache.org/licenses/LICENSE-2.0.txt jar package name google pom name Guava: Google Core Libraries for Java Manifest require-capability osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))" Manifest bundle-symbolicname com.google.guava pom parent-groupid com.google.guava Manifest automatic-module-name com.google.common file name guava pom groupid google.guava pom artifactid guava jar package name common Manifest bundle-docurl https://github.com/google/guava/ pom parent-artifactid guava-parent jar package name google pom name Guava: Google Core Libraries for Java Manifest require-capability osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))" pom parent-artifactid guava-parent pom artifactid guava Manifest bundle-symbolicname com.google.guava pom parent-groupid com.google.guava Manifest automatic-module-name com.google.common pom groupid google.guava file name guava Manifest Bundle-Name Guava: Google Core Libraries for Java jar package name common Manifest bundle-docurl https://github.com/google/guava/ pom version 28.0-jre pkg:maven/com.google.guava/guava@28.0-jre https://ossindex.sonatype.org/component/pkg:maven/com.google.guava/guava@28.0-jre pkg:maven/com.google.guava/guava@28.0-jre https://ossindex.sonatype.org/component/pkg:maven/com.google.guava/guava@28.0-jre jquery.scrollUp.min.js /var/lib/jenkins/workspace/test@2/src/main/webapp/js/jquery.scrollUp.min.js cbe4344d551f7c153fb3b84c44f2db8d 4c88929519b25690084dd3a91df86dab3c6316a9 d2c96e4da11d59d025a80d8f5abc2d6a375e3f18f67ddd5051244234f50c2cf6 /var/lib/jenkins/workspace/test@2/target/devsecops/js/jquery.scrollUp.min.js d2c96e4da11d59d025a80d8f5abc2d6a375e3f18f67ddd5051244234f50c2cf6 4c88929519b25690084dd3a91df86dab3c6316a9 cbe4344d551f7c153fb3b84c44f2db8d /var/lib/jenkins/workspace/test@2/target/devsecops.war/js/jquery.scrollUp.min.js d2c96e4da11d59d025a80d8f5abc2d6a375e3f18f67ddd5051244234f50c2cf6 4c88929519b25690084dd3a91df86dab3c6316a9 cbe4344d551f7c153fb3b84c44f2db8d asm-commons-3.3.jar 
/var/lib/jenkins/workspace/test@2/target/devsecops/WEB-INF/lib/asm-commons-3.3.jar 47d6178194c38fc70d4e27db08ae5d10 3630d2095238beee3f94670af3d9a9dc115ce887 1cc6e5bcfab550397289875ac133d86562d4ec2f3875afa7c5c033d1f0ee96af /var/lib/jenkins/workspace/test@2/target/devsecops.war/WEB-INF/lib/asm-commons-3.3.jar 1cc6e5bcfab550397289875ac133d86562d4ec2f3875afa7c5c033d1f0ee96af 3630d2095238beee3f94670af3d9a9dc115ce887 47d6178194c38fc70d4e27db08ae5d10 jar package name objectweb pom parent-artifactid asm-parent pom artifactid asm-commons Manifest Implementation-Vendor France Telecom R&D file name asm-commons pom groupid asm jar package name asm pom name ASM Commons central groupid asm jar package name commons pom artifactid asm-commons central artifactid asm-commons pom parent-artifactid asm-parent file name asm-commons jar package name commons Manifest Implementation-Title ASM commons jar package name asm jar package name asm pom name ASM Commons pom groupid asm jar package name commons Manifest Implementation-Version 3.3 central version 3.3 pom version 3.3 file version 3.3 pkg:maven/asm/asm-commons@3.3 https://ossindex.sonatype.org/component/pkg:maven/asm/asm-commons@3.3 pkg:maven/asm/asm-commons@3.3 https://ossindex.sonatype.org/component/pkg:maven/asm/asm-commons@3.3 lucene-core-8.2.0.jar /var/lib/jenkins/workspace/test@2/infrastructure/dependency-check/lib/lucene-core-8.2.0.jar 38017372e81035c484ad5cf94d88d8ea f6da40436d3633de272810fae1e339c237adfcf6 25564b27cebe18a5f0e988b5aeee342e1dd163b2dfca888eb1cea4dcadb32dd2 Apache Lucene Java Core /var/lib/jenkins/workspace/test@2/infrastructure/dependency-check/lib/lucene-queryparser-8.2.0.jar 25564b27cebe18a5f0e988b5aeee342e1dd163b2dfca888eb1cea4dcadb32dd2 8925df7b104e78e308e236ff0740a064dd93cadd 26da5109a008179e59c6f3c39b46a5da pkg:maven/org.apache.lucene/lucene-queryparser@8.2.0 https://ossindex.sonatype.org/component/pkg:maven/org.apache.lucene/lucene-queryparser@8.2.0 
/var/lib/jenkins/workspace/test@2/infrastructure/dependency-check/lib/lucene-queries-8.2.0.jar 25564b27cebe18a5f0e988b5aeee342e1dd163b2dfca888eb1cea4dcadb32dd2 5da383678cb0a35a07ccb03487ba00cf184d1d71 e9fae556c8d24a4273d8600b851b33e7 pkg:maven/org.apache.lucene/lucene-queries@8.2.0 https://ossindex.sonatype.org/component/pkg:maven/org.apache.lucene/lucene-queries@8.2.0 /var/lib/jenkins/workspace/test@2/infrastructure/dependency-check/lib/lucene-sandbox-8.2.0.jar 25564b27cebe18a5f0e988b5aeee342e1dd163b2dfca888eb1cea4dcadb32dd2 f50931f1db40cdcc31e5044439d4e5522a23f6c1 1de8e63c42e6db085d15d82ee5628921 pkg:maven/org.apache.lucene/lucene-sandbox@8.2.0 https://ossindex.sonatype.org/component/pkg:maven/org.apache.lucene/lucene-sandbox@8.2.0 /var/lib/jenkins/workspace/test@2/infrastructure/dependency-check/lib/lucene-analyzers-common-8.2.0.jar 25564b27cebe18a5f0e988b5aeee342e1dd163b2dfca888eb1cea4dcadb32dd2 8e8abc90572ed74b110c75b546c675153aecc570 67e169936aefc775697cdf759794e31b pkg:maven/org.apache.lucene/lucene-analyzers-common@8.2.0 https://ossindex.sonatype.org/component/pkg:maven/org.apache.lucene/lucene-analyzers-common@8.2.0 central groupid org.apache.lucene Manifest extension-name org.apache.lucene pom parent-groupid org.apache.lucene jar package name apache pom artifactid lucene-core file name lucene-core jar package name lucene jar package name lucene jar package name org jar package name apache Manifest specification-vendor The Apache Software Foundation pom parent-artifactid lucene-parent pom groupid apache.lucene Manifest multi-release true pom name Lucene Core Manifest Implementation-Vendor The Apache Software Foundation Manifest specification-title Lucene Search Engine: core central artifactid lucene-core Manifest extension-name org.apache.lucene pom groupid apache.lucene file name lucene-core jar package name lucene jar package name lucene pom artifactid lucene-core jar package name org jar package name apache jar package name search pom parent-groupid 
org.apache.lucene Manifest Implementation-Title org.apache.lucene pom parent-artifactid lucene-parent Manifest multi-release true pom name Lucene Core file version 8.2.0 central version 8.2.0 pom version 8.2.0 pkg:maven/org.apache.lucene/lucene-core@8.2.0 https://ossindex.sonatype.org/component/pkg:maven/org.apache.lucene/lucene-core@8.2.0 pkg:maven/org.apache.lucene/lucene-core@8.2.0 https://ossindex.sonatype.org/component/pkg:maven/org.apache.lucene/lucene-core@8.2.0 packageurl-java-1.1.0.jar /var/lib/jenkins/workspace/test@2/infrastructure/dependency-check/lib/packageurl-java-1.1.0.jar 261fa48c4d0c6a302e2b8ecc65ce3431 e8969ecdafc70aad1b66521fcb5b8b252c1836b0 5b67a1b886af568ec31a630ee960635c3b01a6adc363d863d9d1f48843beac05 The official Java implementation of the PackageURL specification. PackageURL (purl) is a minimal specification for describing a package via a "mostly universal" URL. MIT: https://opensource.org/licenses/MIT pom artifactid packageurl-java pom groupid github.package-url file name packageurl-java jar package name packageurl pom name Package URL pom url package-url/packageurl-java jar package name github jar package name github jar package name packageurl pom artifactid packageurl-java pom groupid github.package-url file name packageurl-java jar package name packageurl pom name Package URL jar package name github pom url package-url/packageurl-java jar package name packageurl file version 1.1.0 pom version 1.1.0 pkg:maven/com.github.package-url/packageurl-java@1.1.0 https://ossindex.sonatype.org/component/pkg:maven/com.github.package-url/packageurl-java@1.1.0 pkg:maven/com.github.package-url/packageurl-java@1.1.0 https://ossindex.sonatype.org/component/pkg:maven/com.github.package-url/packageurl-java@1.1.0 findsecbugs-plugin-1.9.0.jar /var/lib/jenkins/workspace/test@2/infrastructure/findsecbugs/lib/findsecbugs-plugin-1.9.0.jar 835db1e3bea68fbec6d8ab3b78a43faf f8b7b42c7008ad126ac12b5ee4ade33ca9ef56a1 
0e2fcbdd15e6c333b6450c63e2f4ee89f0f3d4f85862e41c0b1d3e5de9a566c9 Core module of the project. It include all the FindBugs detectors. The resulting jar is the published plugin. pom parent-artifactid findsecbugs-root-pom pom groupid h3xstream.findsecbugs file name findsecbugs-plugin central groupid com.h3xstream.findsecbugs jar package name h3xstream pom parent-groupid com.h3xstream.findsecbugs pom artifactid findsecbugs-plugin jar package name findsecbugs pom name Find Security Bugs Plugin pom groupid h3xstream.findsecbugs file name findsecbugs-plugin pom artifactid findsecbugs-plugin pom parent-artifactid findsecbugs-root-pom central artifactid findsecbugs-plugin pom parent-groupid com.h3xstream.findsecbugs jar package name findsecbugs pom name Find Security Bugs Plugin file version 1.9.0 central version 1.9.0 pom version 1.9.0 pkg:maven/com.h3xstream.findsecbugs/findsecbugs-plugin@1.9.0 https://ossindex.sonatype.org/component/pkg:maven/com.h3xstream.findsecbugs/findsecbugs-plugin@1.9.0 pkg:maven/com.h3xstream.findsecbugs/findsecbugs-plugin@1.9.0 https://ossindex.sonatype.org/component/pkg:maven/com.h3xstream.findsecbugs/findsecbugs-plugin@1.9.0 javassist-3.11.0.GA.jar /var/lib/jenkins/workspace/test@2/target/devsecops/WEB-INF/lib/javassist-3.11.0.GA.jar cb8f91e65864b85c8c6f87164e3252a5 2c00105734a57e9ee4f27e4b17cd43200e5f0ff8 aa8c27fc46be68c58c25eab15bf3073587945e009455385da78439dea684ef58 Javassist (JAVA programming ASSISTant) makes Java bytecode manipulation simple. It is a class library for editing bytecodes in Java. 
/var/lib/jenkins/workspace/test@2/target/devsecops.war/WEB-INF/lib/javassist-3.11.0.GA.jar aa8c27fc46be68c58c25eab15bf3073587945e009455385da78439dea684ef58 2c00105734a57e9ee4f27e4b17cd43200e5f0ff8 cb8f91e65864b85c8c6f87164e3252a5 jar package name javassist pom artifactid javassist Manifest specification-vendor Shigeru Chiba, Tokyo Institute of Technology pom groupid javassist pom name Javassist pom url http://www.javassist.org/ file name javassist central groupid javassist pom artifactid javassist jar package name javassist Manifest specification-title Javassist pom name Javassist pom url http://www.javassist.org/ file name javassist pom groupid javassist central artifactid javassist pom version 3.11.0.GA manifest: javassist/ specification-version 3.11.0.GA central version 3.11.0.GA pkg:maven/javassist/javassist@3.11.0.GA https://ossindex.sonatype.org/component/pkg:maven/javassist/javassist@3.11.0.GA pkg:maven/javassist/javassist@3.11.0.GA https://ossindex.sonatype.org/component/pkg:maven/javassist/javassist@3.11.0.GA jquery.prettyPhoto.js /var/lib/jenkins/workspace/test@2/target/devsecops/js/jquery.prettyPhoto.js 51d2c2977e3dbb58e8ee5a5f52673aa0 81e3ee36772fe61b742073a973be1fb840a5cafa 7d4adb5e9401f2d3c71467d1c2ab1a153e5b65fdc1d9f90ba7504fd700d7fac6 /var/lib/jenkins/workspace/test@2/src/main/webapp/js/jquery.prettyPhoto.js 7d4adb5e9401f2d3c71467d1c2ab1a153e5b65fdc1d9f90ba7504fd700d7fac6 81e3ee36772fe61b742073a973be1fb840a5cafa 51d2c2977e3dbb58e8ee5a5f52673aa0 /var/lib/jenkins/workspace/test@2/target/devsecops.war/js/jquery.prettyPhoto.js 7d4adb5e9401f2d3c71467d1c2ab1a153e5b65fdc1d9f90ba7504fd700d7fac6 81e3ee36772fe61b742073a973be1fb840a5cafa 51d2c2977e3dbb58e8ee5a5f52673aa0 file name jquery.prettyPhoto file name jquery.prettyPhoto file version 3.1.5 pkg:javascript/jquery.prettyPhoto@3.1.5 https://ossindex.sonatype.org/component/pkg:javascript/jquery.prettyPhoto@3.1.5 pkg:javascript/jquery.prettyPhoto@3.1.5 
https://ossindex.sonatype.org/component/pkg:javascript/jquery.prettyPhoto@3.1.5 Vulnerability in jquery.prettyPhoto high info https://blog.anantshri.info/forgotten_disclosure_dom_xss_prettyphoto info info https://github.com/scaron/prettyphoto/issues/149 info spring-vault-core-2.1.1.RELEASE.jar /var/lib/jenkins/workspace/test@2/target/devsecops/WEB-INF/lib/spring-vault-core-2.1.1.RELEASE.jar 7c0a62fa72e6dfc1d57aef0a34294fc1 ab5e3c0c6c40eac30993260cf4a0912499991a71 37cb59f9a16901414b1debeeb7aed013d1ec631a3d5a5963222e7119fdfbb881 Spring Vault Core Components /var/lib/jenkins/workspace/test@2/target/devsecops.war/WEB-INF/lib/spring-vault-core-2.1.1.RELEASE.jar 37cb59f9a16901414b1debeeb7aed013d1ec631a3d5a5963222e7119fdfbb881 ab5e3c0c6c40eac30993260cf4a0912499991a71 7c0a62fa72e6dfc1d57aef0a34294fc1 pom artifactid spring-vault-core jar package name core pom groupid springframework.vault jar package name springframework pom name Spring Vault Core jar package name vault pom parent-artifactid spring-vault-parent file name spring-vault-core pom parent-groupid org.springframework.vault Manifest automatic-module-name spring.vault.core pom artifactid spring-vault-core jar package name core pom parent-groupid org.springframework.vault Manifest Implementation-Title Spring Vault Core jar package name springframework pom parent-artifactid spring-vault-parent pom name Spring Vault Core jar package name vault file name spring-vault-core pom groupid springframework.vault Manifest automatic-module-name spring.vault.core Manifest Implementation-Version 2.1.1.RELEASE pom version 2.1.1.RELEASE pkg:maven/org.springframework.vault/spring-vault-core@2.1.1.RELEASE https://ossindex.sonatype.org/component/pkg:maven/org.springframework.vault/spring-vault-core@2.1.1.RELEASE pkg:maven/org.springframework.vault/spring-vault-core@2.1.1.RELEASE https://ossindex.sonatype.org/component/pkg:maven/org.springframework.vault/spring-vault-core@2.1.1.RELEASE bootstrap.min.js 
/var/lib/jenkins/workspace/test@2/target/devsecops/js/bootstrap.min.js 903657654e9be147571c1b0c4a657fc4 1261cc1e82c337ffd44b2b576c8685f7d77d5139 7f02a98976eb67a5f01fcb8d4f3220a5d7a8a757d9a41352b4d20f89036923dc /var/lib/jenkins/workspace/test@2/target/devsecops.war/js/bootstrap.min.js 7f02a98976eb67a5f01fcb8d4f3220a5d7a8a757d9a41352b4d20f89036923dc 1261cc1e82c337ffd44b2b576c8685f7d77d5139 903657654e9be147571c1b0c4a657fc4 /var/lib/jenkins/workspace/test@2/src/main/webapp/js/bootstrap.min.js 7f02a98976eb67a5f01fcb8d4f3220a5d7a8a757d9a41352b4d20f89036923dc 1261cc1e82c337ffd44b2b576c8685f7d77d5139 903657654e9be147571c1b0c4a657fc4 file name bootstrap file name bootstrap file version 3.0.3 pkg:javascript/bootstrap@3.0.3 https://ossindex.sonatype.org/component/pkg:javascript/bootstrap@3.0.3 pkg:javascript/bootstrap@3.0.3 https://ossindex.sonatype.org/component/pkg:javascript/bootstrap@3.0.3 CVE-2018-14040 MEDIUM 4.3 NETWORK MEDIUM NONE NONE NONE NONE MEDIUM 6.1 NETWORK LOW NONE REQUIRED CHANGED LOW LOW NONE MEDIUM CWE-79 In Bootstrap before 4.1.2, XSS is possible in the collapse data-parent attribute. 
MISC https://github.com/twbs/bootstrap/issues/26423 https://github.com/twbs/bootstrap/issues/26423 info https://github.com/twbs/bootstrap/issues/20184 info BUGTRAQ https://seclists.org/bugtraq/2019/May/18 20190509 dotCMS v5.1.1 Vulnerabilities FULLDISC http://seclists.org/fulldisclosure/2019/May/13 20190510 Re: dotCMS v5.1.1 HTML Injection & XSS Vulnerability FULLDISC http://seclists.org/fulldisclosure/2019/May/11 20190510 dotCMS v5.1.1 HTML Injection & XSS Vulnerability MISC https://github.com/twbs/bootstrap/pull/26630 https://github.com/twbs/bootstrap/pull/26630 MISC https://blog.getbootstrap.com/2018/07/12/bootstrap-4-1-2/ https://blog.getbootstrap.com/2018/07/12/bootstrap-4-1-2/ MISC https://github.com/twbs/bootstrap/issues/26625 https://github.com/twbs/bootstrap/issues/26625 MLIST https://lists.debian.org/debian-lts-announce/2018/08/msg00027.html [debian-lts-announce] 20180827 [SECURITY] [DLA 1479-1] twitter-bootstrap3 security update FULLDISC http://seclists.org/fulldisclosure/2019/May/10 20190510 dotCMS v5.1.1 Vulnerabilities MISC http://packetstormsecurity.com/files/152787/dotCMS-5.1.1-Vulnerable-Dependencies.html http://packetstormsecurity.com/files/152787/dotCMS-5.1.1-Vulnerable-Dependencies.html cpe:2.3:a:getbootstrap:bootstrap:4.0.0:alpha6:*:*:*:*:*:* cpe:2.3:a:getbootstrap:bootstrap:*:*:*:*:*:*:*:* cpe:2.3:a:getbootstrap:bootstrap:4.0.0:alpha5:*:*:*:*:*:* cpe:2.3:a:getbootstrap:bootstrap:4.0.0:alpha2:*:*:*:*:*:* cpe:2.3:a:getbootstrap:bootstrap:*:*:*:*:*:*:*:* cpe:2.3:a:getbootstrap:bootstrap:4.0.0:alpha:*:*:*:*:*:* cpe:2.3:a:getbootstrap:bootstrap:4.0.0:alpha4:*:*:*:*:*:* cpe:2.3:a:getbootstrap:bootstrap:4.0.0:beta2:*:*:*:*:*:* cpe:2.3:a:getbootstrap:bootstrap:4.0.0:beta3:*:*:*:*:*:* cpe:2.3:a:getbootstrap:bootstrap:4.0.0:alpha3:*:*:*:*:*:* cpe:2.3:a:getbootstrap:bootstrap:4.0.0:beta:*:*:*:*:*:* CVE-2018-14041 MEDIUM 4.3 NETWORK MEDIUM NONE NONE NONE NONE MEDIUM 6.1 NETWORK LOW NONE REQUIRED CHANGED LOW LOW NONE MEDIUM CWE-79 In Bootstrap before 
4.1.2, XSS is possible in the data-target property of scrollspy. MISC https://github.com/twbs/bootstrap/issues/26423 https://github.com/twbs/bootstrap/issues/26423 info https://github.com/twbs/bootstrap/issues/20184 info REDHAT https://access.redhat.com/errata/RHSA-2019:1456 RHSA-2019:1456 BUGTRAQ https://seclists.org/bugtraq/2019/May/18 20190509 dotCMS v5.1.1 Vulnerabilities FULLDISC http://seclists.org/fulldisclosure/2019/May/13 20190510 Re: dotCMS v5.1.1 HTML Injection & XSS Vulnerability FULLDISC http://seclists.org/fulldisclosure/2019/May/11 20190510 dotCMS v5.1.1 HTML Injection & XSS Vulnerability MISC https://github.com/twbs/bootstrap/pull/26630 https://github.com/twbs/bootstrap/pull/26630 MISC https://blog.getbootstrap.com/2018/07/12/bootstrap-4-1-2/ https://blog.getbootstrap.com/2018/07/12/bootstrap-4-1-2/ FULLDISC http://seclists.org/fulldisclosure/2019/May/10 20190510 dotCMS v5.1.1 Vulnerabilities MISC http://packetstormsecurity.com/files/152787/dotCMS-5.1.1-Vulnerable-Dependencies.html http://packetstormsecurity.com/files/152787/dotCMS-5.1.1-Vulnerable-Dependencies.html MISC https://github.com/twbs/bootstrap/issues/26627 https://github.com/twbs/bootstrap/issues/26627 cpe:2.3:a:getbootstrap:bootstrap:4.0.0:alpha6:*:*:*:*:*:* cpe:2.3:a:getbootstrap:bootstrap:*:*:*:*:*:*:*:* cpe:2.3:a:getbootstrap:bootstrap:4.0.0:alpha5:*:*:*:*:*:* cpe:2.3:a:getbootstrap:bootstrap:4.0.0:alpha2:*:*:*:*:*:* cpe:2.3:a:getbootstrap:bootstrap:4.0.0:alpha:*:*:*:*:*:* cpe:2.3:a:getbootstrap:bootstrap:4.0.0:alpha4:*:*:*:*:*:* cpe:2.3:a:getbootstrap:bootstrap:4.0.0:beta2:*:*:*:*:*:* cpe:2.3:a:getbootstrap:bootstrap:4.0.0:beta3:*:*:*:*:*:* cpe:2.3:a:getbootstrap:bootstrap:4.0.0:alpha3:*:*:*:*:*:* cpe:2.3:a:getbootstrap:bootstrap:4.0.0:beta:*:*:*:*:*:* CVE-2018-14042 MEDIUM 4.3 NETWORK MEDIUM NONE NONE NONE NONE MEDIUM 6.1 NETWORK LOW NONE REQUIRED CHANGED LOW LOW NONE MEDIUM CWE-79 In Bootstrap before 4.1.2, XSS is possible in the data-container property of tooltip. 
MISC https://github.com/twbs/bootstrap/issues/26423 https://github.com/twbs/bootstrap/issues/26423 info https://github.com/twbs/bootstrap/issues/20184 info BUGTRAQ https://seclists.org/bugtraq/2019/May/18 20190509 dotCMS v5.1.1 Vulnerabilities FULLDISC http://seclists.org/fulldisclosure/2019/May/13 20190510 Re: dotCMS v5.1.1 HTML Injection & XSS Vulnerability FULLDISC http://seclists.org/fulldisclosure/2019/May/11 20190510 dotCMS v5.1.1 HTML Injection & XSS Vulnerability MISC https://github.com/twbs/bootstrap/pull/26630 https://github.com/twbs/bootstrap/pull/26630 MISC https://blog.getbootstrap.com/2018/07/12/bootstrap-4-1-2/ https://blog.getbootstrap.com/2018/07/12/bootstrap-4-1-2/ MISC https://github.com/twbs/bootstrap/issues/26628 https://github.com/twbs/bootstrap/issues/26628 FULLDISC http://seclists.org/fulldisclosure/2019/May/10 20190510 dotCMS v5.1.1 Vulnerabilities cpe:2.3:a:getbootstrap:bootstrap:4.0.0:alpha6:*:*:*:*:*:* cpe:2.3:a:getbootstrap:bootstrap:*:*:*:*:*:*:*:* cpe:2.3:a:getbootstrap:bootstrap:4.0.0:alpha5:*:*:*:*:*:* cpe:2.3:a:getbootstrap:bootstrap:4.0.0:alpha2:*:*:*:*:*:* cpe:2.3:a:getbootstrap:bootstrap:*:*:*:*:*:*:*:* cpe:2.3:a:getbootstrap:bootstrap:4.0.0:alpha:*:*:*:*:*:* cpe:2.3:a:getbootstrap:bootstrap:4.0.0:alpha4:*:*:*:*:*:* cpe:2.3:a:getbootstrap:bootstrap:4.0.0:beta2:*:*:*:*:*:* cpe:2.3:a:getbootstrap:bootstrap:4.0.0:beta3:*:*:*:*:*:* cpe:2.3:a:getbootstrap:bootstrap:4.0.0:alpha3:*:*:*:*:*:* cpe:2.3:a:getbootstrap:bootstrap:4.0.0:beta:*:*:*:*:*:* CVE-2019-8331 MEDIUM 4.3 NETWORK MEDIUM NONE NONE NONE NONE MEDIUM 6.1 NETWORK LOW NONE REQUIRED CHANGED LOW LOW NONE MEDIUM CWE-79 In Bootstrap before 3.4.1 and 4.3.x before 4.3.1, XSS is possible in the tooltip or popover data-template attribute. 
REDHAT https://access.redhat.com/errata/RHSA-2019:1456 RHSA-2019:1456 BUGTRAQ https://seclists.org/bugtraq/2019/May/18 20190509 dotCMS v5.1.1 Vulnerabilities FULLDISC http://seclists.org/fulldisclosure/2019/May/13 20190510 Re: dotCMS v5.1.1 HTML Injection & XSS Vulnerability CONFIRM https://blog.getbootstrap.com/2019/02/13/bootstrap-4-3-1-and-3-4-1/ https://blog.getbootstrap.com/2019/02/13/bootstrap-4-3-1-and-3-4-1/ info https://github.com/twbs/bootstrap/issues/28236 info MISC https://github.com/twbs/bootstrap/pull/28236 https://github.com/twbs/bootstrap/pull/28236 BID http://www.securityfocus.com/bid/107375 107375 MLIST https://lists.apache.org/thread.html/10f0f3aefd51444d1198c65f44ffdf2d78ca3359423dbc1c168c9731@%3Cdev.flink.apache.org%3E [flink-dev] 20190811 Apache flink 1.7.2 security issues MLIST https://lists.apache.org/thread.html/54df3aeb4239b64b50b356f0ca6f986e3c4ca5b84c515dce077c7854@%3Cuser.flink.apache.org%3E [flink-user] 20190811 Apache flink 1.7.2 security issues MLIST https://lists.apache.org/thread.html/17ff53f7999e74fbe3cc0ceb4e1c3b00b180b7c5afec8e978837bc49@%3Cuser.flink.apache.org%3E [flink-user] 20190813 Apache flink 1.7.2 security issues FULLDISC http://seclists.org/fulldisclosure/2019/May/11 20190510 dotCMS v5.1.1 HTML Injection & XSS Vulnerability MLIST https://lists.apache.org/thread.html/52bafac05ad174000ea465fe275fd3cc7bd5c25535a7631c0bc9bfb2@%3Cuser.flink.apache.org%3E [flink-user] 20190813 Re: Apache flink 1.7.2 security issues CONFIRM https://support.f5.com/csp/article/K24383845 https://support.f5.com/csp/article/K24383845 MISC https://github.com/twbs/bootstrap/releases/tag/v4.3.1 https://github.com/twbs/bootstrap/releases/tag/v4.3.1 FULLDISC http://seclists.org/fulldisclosure/2019/May/10 20190510 dotCMS v5.1.1 Vulnerabilities MISC https://github.com/twbs/bootstrap/releases/tag/v3.4.1 https://github.com/twbs/bootstrap/releases/tag/v3.4.1 cpe:2.3:a:f5:big-ip_advanced_firewall_manager:*:*:*:*:*:*:*:* 
cpe:2.3:a:f5:big-ip_local_traffic_manager:*:*:*:*:*:*:*:* cpe:2.3:a:getbootstrap:bootstrap:*:*:*:*:*:*:*:* cpe:2.3:a:f5:big-ip_webaccelerator:*:*:*:*:*:*:*:* cpe:2.3:a:f5:big-ip_policy_enforcement_manager:*:*:*:*:*:*:*:* cpe:2.3:a:f5:big-ip_analytics:*:*:*:*:*:*:*:* cpe:2.3:a:f5:big-ip_application_security_manager:*:*:*:*:*:*:*:* cpe:2.3:a:f5:big-ip_edge_gateway:*:*:*:*:*:*:*:* cpe:2.3:a:f5:big-ip_link_controller:*:*:*:*:*:*:*:* cpe:2.3:a:f5:big-ip_global_traffic_manager:*:*:*:*:*:*:*:* cpe:2.3:a:f5:big-ip_access_policy_manager:*:*:*:*:*:*:*:* cpe:2.3:a:f5:big-ip_application_acceleration_manager:*:*:*:*:*:*:*:* cpe:2.3:a:f5:big-ip_edge_gateway:*:*:*:*:*:*:*:* cpe:2.3:a:f5:big-ip_policy_enforcement_manager:*:*:*:*:*:*:*:* cpe:2.3:a:f5:big-ip_analytics:*:*:*:*:*:*:*:* cpe:2.3:a:f5:big-ip_global_traffic_manager:*:*:*:*:*:*:*:* cpe:2.3:a:f5:big-ip_domain_name_system:*:*:*:*:*:*:*:* cpe:2.3:a:f5:big-ip_link_controller:*:*:*:*:*:*:*:* cpe:2.3:a:f5:big-ip_fraud_protection_service:*:*:*:*:*:*:*:* cpe:2.3:a:getbootstrap:bootstrap:*:*:*:*:*:*:*:* cpe:2.3:a:f5:big-ip_local_traffic_manager:*:*:*:*:*:*:*:* cpe:2.3:a:f5:big-ip_link_controller:*:*:*:*:*:*:*:* cpe:2.3:a:f5:big-ip_policy_enforcement_manager:*:*:*:*:*:*:*:* cpe:2.3:a:f5:big-ip_analytics:*:*:*:*:*:*:*:* cpe:2.3:a:f5:big-ip_fraud_protection_service:*:*:*:*:*:*:*:* cpe:2.3:a:f5:big-ip_webaccelerator:*:*:*:*:*:*:*:* cpe:2.3:a:f5:big-ip_application_security_manager:*:*:*:*:*:*:*:* cpe:2.3:a:f5:big-ip_application_security_manager:*:*:*:*:*:*:*:* cpe:2.3:a:f5:big-ip_domain_name_system:*:*:*:*:*:*:*:* cpe:2.3:a:f5:big-ip_advanced_firewall_manager:*:*:*:*:*:*:*:* cpe:2.3:a:f5:big-ip_edge_gateway:*:*:*:*:*:*:*:* cpe:2.3:a:f5:big-ip_access_policy_manager:*:*:*:*:*:*:*:* cpe:2.3:a:f5:big-ip_fraud_protection_service:*:*:*:*:*:*:*:* cpe:2.3:a:f5:big-ip_global_traffic_manager:*:*:*:*:*:*:*:* cpe:2.3:a:f5:big-ip_access_policy_manager:*:*:*:*:*:*:*:* cpe:2.3:a:f5:big-ip_application_acceleration_manager:*:*:*:*:*:*:*:* 
cpe:2.3:a:f5:big-ip_local_traffic_manager:*:*:*:*:*:*:*:* cpe:2.3:a:f5:big-ip_domain_name_system:*:*:*:*:*:*:*:* cpe:2.3:a:f5:big-ip_webaccelerator:*:*:*:*:*:*:*:* cpe:2.3:a:f5:big-ip_advanced_firewall_manager:*:*:*:*:*:*:*:* cpe:2.3:a:f5:big-ip_application_acceleration_manager:*:*:*:*:*:*:*:* jackson-annotations-2.9.0.jar /var/lib/jenkins/workspace/test@2/infrastructure/dependency-check/lib/jackson-annotations-2.9.0.jar c09faa1b063681cf45706c6df50685b6 07c10d545325e3a6e72e06381afe469fd40eb701 45d32ac61ef8a744b464c54c2b3414be571016dd46bfc2bec226761cf7ae457a Core annotations used for value types, used by Jackson data binding package. http://www.apache.org/licenses/LICENSE-2.0.txt /var/lib/jenkins/workspace/test@2/target/devsecops/WEB-INF/lib/jackson-annotations-2.9.0.jar 45d32ac61ef8a744b464c54c2b3414be571016dd46bfc2bec226761cf7ae457a 07c10d545325e3a6e72e06381afe469fd40eb701 c09faa1b063681cf45706c6df50685b6 /var/lib/jenkins/workspace/test@2/target/devsecops.war/WEB-INF/lib/jackson-annotations-2.9.0.jar 45d32ac61ef8a744b464c54c2b3414be571016dd46bfc2bec226761cf7ae457a 07c10d545325e3a6e72e06381afe469fd40eb701 c09faa1b063681cf45706c6df50685b6 pom parent-artifactid jackson-parent Manifest Implementation-Vendor-Id com.fasterxml.jackson.core pom name Jackson-annotations Manifest require-capability osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.6))" pom artifactid jackson-annotations Manifest Implementation-Vendor FasterXML pom parent-groupid com.fasterxml.jackson jar package name jackson Manifest bundle-docurl http://github.com/FasterXML/jackson file name jackson-annotations Manifest specification-vendor FasterXML pom url http://github.com/FasterXML/jackson Manifest implementation-build-date 2017-07-30 03:53:23+0000 pom groupid fasterxml.jackson.core Manifest bundle-symbolicname com.fasterxml.jackson.core.jackson-annotations jar package name fasterxml pom parent-groupid com.fasterxml.jackson pom name Jackson-annotations Manifest Bundle-Name Jackson-annotations pom url 
http://github.com/FasterXML/jackson Manifest require-capability osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.6))" pom groupid fasterxml.jackson.core Manifest specification-title Jackson-annotations Manifest Implementation-Title Jackson-annotations pom artifactid jackson-annotations jar package name jackson Manifest bundle-docurl http://github.com/FasterXML/jackson file name jackson-annotations Manifest implementation-build-date 2017-07-30 03:53:23+0000 Manifest bundle-symbolicname com.fasterxml.jackson.core.jackson-annotations pom parent-artifactid jackson-parent jar package name fasterxml Manifest Implementation-Version 2.9.0 Manifest Bundle-Version 2.9.0 file version 2.9.0 pom version 2.9.0 pkg:maven/com.fasterxml.jackson.core/jackson-annotations@2.9.0 https://ossindex.sonatype.org/component/pkg:maven/com.fasterxml.jackson.core/jackson-annotations@2.9.0 pkg:maven/com.fasterxml.jackson.core/jackson-annotations@2.9.0 https://ossindex.sonatype.org/component/pkg:maven/com.fasterxml.jackson.core/jackson-annotations@2.9.0 listenablefuture-9999.0-empty-to-avoid-conflict-with-guava.jar /var/lib/jenkins/workspace/test@2/infrastructure/dependency-check/lib/listenablefuture-9999.0-empty-to-avoid-conflict-with-guava.jar d094c22570d65e132c19cea5d352e381 b421526c5f297295adef1c886e5246c39d4ac629 b372a037d4230aa57fbeffdef30fd6123f9c0c2db85d0aced00c91b974f33f99 An empty artifact that Guava depends on to signal that it is providing ListenableFuture -- but is also available in a second "version" that contains com.google.common.util.concurrent.ListenableFuture class, without any other Guava classes. The idea is: - If users want only ListenableFuture, they depend on listenablefuture-1.0. - If users want all of Guava, they depend on guava, which, as of Guava 27.0, depends on listenablefuture-9999.0-empty-to-avoid-conflict-with-guava. The 9999.0-... 
version number is enough for some build systems (notably, Gradle) to select that empty artifact over the "real" listenablefuture-1.0 -- avoiding a conflict with the copy of ListenableFuture in guava itself. If users are using an older version of Guava or a build system other than Gradle, they may see class conflicts. If so, they can solve them by manually excluding the listenablefuture artifact or manually forcing their build systems to use 9999.0-.... pom artifactid listenablefuture pom groupid google.guava pom name Guava ListenableFuture only pom parent-groupid com.google.guava pom parent-artifactid guava-parent file name listenablefuture pom parent-artifactid guava-parent pom name Guava ListenableFuture only pom parent-groupid com.google.guava pom artifactid listenablefuture pom groupid google.guava file name listenablefuture pom parent-version 9999.0-empty-to-avoid-conflict-with-guava pom version 9999.0-empty-to-avoid-conflict-with-guava pkg:maven/com.google.guava/listenablefuture@9999.0-empty-to-avoid-conflict-with-guava https://ossindex.sonatype.org/component/pkg:maven/com.google.guava/listenablefuture@9999.0-empty-to-avoid-conflict-with-guava pkg:maven/com.google.guava/listenablefuture@9999.0-empty-to-avoid-conflict-with-guava https://ossindex.sonatype.org/component/pkg:maven/com.google.guava/listenablefuture@9999.0-empty-to-avoid-conflict-with-guava ognl-3.0.19.jar /var/lib/jenkins/workspace/test@2/target/devsecops/WEB-INF/lib/ognl-3.0.19.jar 06c9faa866cd2c8b3ff307d7f4c04ed5 b15af43375b38289cee867649125d5417adede81 7aa3897a57727a74519878862827cc6ff55bb1f19bd582c9c69f0e0e7887cb0d OGNL - Object Graph Navigation Library The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt /var/lib/jenkins/workspace/test@2/target/devsecops.war/WEB-INF/lib/ognl-3.0.19.jar 7aa3897a57727a74519878862827cc6ff55bb1f19bd582c9c69f0e0e7887cb0d b15af43375b38289cee867649125d5417adede81 06c9faa866cd2c8b3ff307d7f4c04ed5 file name ognl jar package name 
ognl pom artifactid ognl pom organization name OpenSymphony jar package name ognl pom url http://ognl.org pom name OGNL - Object Graph Navigation Library pom organization url http://www.opensymphony.com pom groupid ognl file name ognl pom organization url http://www.opensymphony.com pom groupid ognl pom url http://ognl.org jar package name ognl pom organization name OpenSymphony pom name OGNL - Object Graph Navigation Library pom artifactid ognl pom version 3.0.19 file version 3.0.19 pkg:maven/ognl/ognl@3.0.19 https://ossindex.sonatype.org/component/pkg:maven/ognl/ognl@3.0.19 pkg:maven/ognl/ognl@3.0.19 https://ossindex.sonatype.org/component/pkg:maven/ognl/ognl@3.0.19 json-20140107.jar /var/lib/jenkins/workspace/test@2/infrastructure/dependency-check/lib/json-20140107.jar 8ca2437d3dbbaa2e76195adedfd901f4 d1ffca6e2482b002702c6a576166fd685e3370e3 8e5aa0a368bee60347b5a4ad861d9f68c7793f60deeea89efd449eb70d5ae622 JSON is a light-weight, language independent, data interchange format. See http://www.JSON.org/ The files in this package implement JSON encoders/decoders in Java. It also includes the capability to convert between JSON and XML, HTTP headers, Cookies, and CDL. This is a reference implementation. There is a large number of JSON packages in Java. Perhaps someday the Java community will standardize on one. Until then, choose carefully. The license includes this restriction: "The software shall be used for good, not evil." If your conscience cannot live with that, then choose a different package. The package compiles on Java 1.2 thru Java 1.4. 
The JSON License: http://json.org/license.html jar package name xml jar package name cdl jar package name http file name json-20140107 pom groupid json jar package name json jar package name json pom artifactid json pom url douglascrockford/JSON-java pom name JSON in Java jar package name xml jar package name cdl jar package name http pom groupid json file name json-20140107 jar package name json pom artifactid json pom url douglascrockford/JSON-java pom name JSON in Java pom version 20140107 file version 20140107 pkg:maven/org.json/json@20140107 https://ossindex.sonatype.org/component/pkg:maven/org.json/json@20140107 pkg:maven/org.json/json@20140107 https://ossindex.sonatype.org/component/pkg:maven/org.json/json@20140107 toml4j-0.7.2.jar /var/lib/jenkins/workspace/test@2/infrastructure/dependency-check/lib/toml4j-0.7.2.jar efaec2fac998dce5bc118362bf724527 0a03337911d0bd2c40932aca3946edb30d0e7d0c f5475e63e7e89e5db62223489aec7a56bd303543772077a17c2cb54c19ca3a20 A parser for TOML The MIT License: http://www.opensource.org/licenses/mit-license.php jar package name moandjiezana file name toml4j jar package name moandjiezana pom url http://moandjiezana.com/toml/toml4j pom artifactid toml4j jar package name toml pom groupid moandjiezana.toml jar package name toml pom name toml4j pom url http://moandjiezana.com/toml/toml4j jar package name moandjiezana file name toml4j pom groupid moandjiezana.toml pom artifactid toml4j jar package name toml jar package name toml pom name toml4j file version 0.7.2 pom version 0.7.2 pkg:maven/com.moandjiezana.toml/toml4j@0.7.2 https://ossindex.sonatype.org/component/pkg:maven/com.moandjiezana.toml/toml4j@0.7.2 pkg:maven/com.moandjiezana.toml/toml4j@0.7.2 https://ossindex.sonatype.org/component/pkg:maven/com.moandjiezana.toml/toml4j@0.7.2 html5shiv.js /var/lib/jenkins/workspace/test@2/target/devsecops/js/html5shiv.js 0663c0c5da0bc9c27ac7e4a8e732552e 857ce461a7c72af1851531a1b4b5a1cd4794cea0 
c01f0b67bea0acdf53dc73dd03c99adfcece8ca8d26dc1d7bfd18ba19b38ec5b /var/lib/jenkins/workspace/test@2/src/main/webapp/js/html5shiv.js c01f0b67bea0acdf53dc73dd03c99adfcece8ca8d26dc1d7bfd18ba19b38ec5b 857ce461a7c72af1851531a1b4b5a1cd4794cea0 0663c0c5da0bc9c27ac7e4a8e732552e /var/lib/jenkins/workspace/test@2/target/devsecops.war/js/html5shiv.js c01f0b67bea0acdf53dc73dd03c99adfcece8ca8d26dc1d7bfd18ba19b38ec5b 857ce461a7c72af1851531a1b4b5a1cd4794cea0 0663c0c5da0bc9c27ac7e4a8e732552e slf4j-log4j12-1.7.5.jar /var/lib/jenkins/workspace/test@2/target/devsecops/WEB-INF/lib/slf4j-log4j12-1.7.5.jar 371e35747d6bd35e3800034bdac4150e 6edffc576ce104ec769d954618764f39f0f0f10d e3393b87604eeab24d72d71d0bfceb3436658ab0593f48f16523ad90f270c88f SLF4J LOG4J-12 Binding /var/lib/jenkins/workspace/test@2/target/devsecops.war/WEB-INF/lib/slf4j-log4j12-1.7.5.jar e3393b87604eeab24d72d71d0bfceb3436658ab0593f48f16523ad90f270c88f 6edffc576ce104ec769d954618764f39f0f0f10d 371e35747d6bd35e3800034bdac4150e pom url http://www.slf4j.org file name slf4j-log4j12 pom groupid slf4j pom artifactid slf4j-log4j12 Manifest bundle-symbolicname slf4j.log4j12 pom parent-artifactid slf4j-parent pom name SLF4J LOG4J-12 Binding Manifest bundle-requiredexecutionenvironment J2SE-1.3 pom parent-groupid org.slf4j jar package name slf4j pom artifactid slf4j-log4j12 Manifest Bundle-Name slf4j-log4j12 pom parent-groupid org.slf4j pom name SLF4J LOG4J-12 Binding file name slf4j-log4j12 Manifest Implementation-Title slf4j-log4j12 pom parent-artifactid slf4j-parent Manifest bundle-symbolicname slf4j.log4j12 pom groupid slf4j pom url http://www.slf4j.org Manifest bundle-requiredexecutionenvironment J2SE-1.3 jar package name slf4j Manifest Bundle-Version 1.7.5 Manifest Implementation-Version 1.7.5 file version 1.7.5 pom version 1.7.5 pkg:maven/org.slf4j/slf4j-log4j12@1.7.5 https://ossindex.sonatype.org/component/pkg:maven/org.slf4j/slf4j-log4j12@1.7.5 pkg:maven/org.slf4j/slf4j-log4j12@1.7.5 
https://ossindex.sonatype.org/component/pkg:maven/org.slf4j/slf4j-log4j12@1.7.5 xwork-core-2.3.8.jar /var/lib/jenkins/workspace/test@2/target/devsecops/WEB-INF/lib/xwork-core-2.3.8.jar 5b8f8d7a2a23c2d3412131380ed1a216 ac2a11eaa83c3b112ed3da9360bdf9ee4b80ce09 664d6b8be7da4bdbc566e68cf054517779c028b84430e5b5eafafa94e960d4f7 Apache Struts 2 http://www.apache.org/licenses/LICENSE-2.0.txt /var/lib/jenkins/workspace/test@2/target/devsecops.war/WEB-INF/lib/xwork-core-2.3.8.jar 664d6b8be7da4bdbc566e68cf054517779c028b84430e5b5eafafa94e960d4f7 ac2a11eaa83c3b112ed3da9360bdf9ee4b80ce09 5b8f8d7a2a23c2d3412131380ed1a216 file name xwork-core Manifest bundle-docurl http://www.apache.org Manifest bundle-symbolicname org.apache.struts.xwork.core Manifest originally-created-by 1.6.0_37 (Apple Inc.) Manifest Implementation-Vendor-Id org.apache.struts.xwork pom artifactid xwork-core pom parent-artifactid struts2-parent Manifest Implementation-Vendor Apache Software Foundation pom name XWork: Core Manifest specification-vendor Apache Software Foundation jar package name xwork pom groupid apache.struts.xwork pom parent-groupid org.apache.struts Manifest specification-title XWork: Core Manifest Implementation-Title XWork: Core file name xwork-core Manifest Bundle-Name XWork: Core Manifest bundle-docurl http://www.apache.org Manifest bundle-symbolicname org.apache.struts.xwork.core Manifest originally-created-by 1.6.0_37 (Apple Inc.) 
pom parent-groupid org.apache.struts pom artifactid xwork-core pom parent-artifactid struts2-parent pom groupid apache.struts.xwork pom name XWork: Core jar package name xwork Manifest Bundle-Version 2.3.8 Manifest Implementation-Version 2.3.8 file version 2.3.8 pom version 2.3.8 pkg:maven/org.apache.struts.xwork/xwork-core@2.3.8 https://ossindex.sonatype.org/component/pkg:maven/org.apache.struts.xwork/xwork-core@2.3.8 pkg:maven/org.apache.struts.xwork/xwork-core@2.3.8 https://ossindex.sonatype.org/component/pkg:maven/org.apache.struts.xwork/xwork-core@2.3.8 CVE-2013-1966 HIGH 9.3 N M N C C C HIGH Apache Struts 2 before 2.3.14.1 allows remote attackers to execute arbitrary OGNL code via a crafted request that is not properly handled when using the includeParams attribute in the (1) URL or (2) A tag. OSSINDEX https://ossindex.sonatype.org/vuln/64959e54-560d-4c85-b1ba-bae91251f948 [CVE-2013-1966] Improper Control of Generation of Code ("Code Injection") cpe:2.3:a:org.apache.struts.xwork:xwork-core:2.3.8:*:*:*:*:*:*:* CVE-2013-2135 HIGH 9.3 N M N C C C HIGH Apache Struts 2 before 2.3.14.3 allows remote attackers to execute arbitrary OGNL code via a request with a crafted value that contains both "${}" and "%{}" sequences, which causes the OGNL code to be evaluated twice. OSSINDEX https://ossindex.sonatype.org/vuln/35c24ffb-ba83-44a8-95a7-008281c53ec9 [CVE-2013-2135] Improper Control of Generation of Code ("Code Injection") cpe:2.3:a:org.apache.struts.xwork:xwork-core:2.3.8:*:*:*:*:*:*:* CVE-2014-0112 HIGH 7.5 N L N P P P HIGH ParametersInterceptor in Apache Struts before 2.3.16.2 does not properly restrict access to the getClass method, which allows remote attackers to "manipulate" the ClassLoader and execute arbitrary code via a crafted request. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-0094. 
OSSINDEX https://ossindex.sonatype.org/vuln/434eada7-81e4-4e5b-854c-a4ea6eedab39 [CVE-2014-0112] Permissions, Privileges, and Access Controls cpe:2.3:a:org.apache.struts.xwork:xwork-core:2.3.8:*:*:*:*:*:*:* CVE-2016-0785 HIGH 8.8 N L L N U H H H HIGH Apache Struts 2.x before 2.3.28 allows remote attackers to execute arbitrary code via a "%{}" sequence in a tag attribute, aka forced double OGNL evaluation. OSSINDEX https://ossindex.sonatype.org/vuln/5684f0fd-6580-461f-a0f6-eda4176de9bb [CVE-2016-0785] Improper Input Validation cpe:2.3:a:org.apache.struts.xwork:xwork-core:2.3.8:*:*:*:*:*:*:* CVE-2016-2162 MEDIUM 6.1 N L N R C L L N MEDIUM Apache Struts 2.x before 2.3.25 does not sanitize text in the Locale object constructed by I18NInterceptor, which might allow remote attackers to conduct cross-site scripting (XSS) attacks via unspecified vectors involving language display. OSSINDEX https://ossindex.sonatype.org/vuln/4fa8ad37-bc1f-4136-a277-c1974de7242a [CVE-2016-2162] Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") cpe:2.3:a:org.apache.struts.xwork:xwork-core:2.3.8:*:*:*:*:*:*:* CVE-2016-3093 MEDIUM 5.3 N L N N U N N L MEDIUM Apache Struts 2.0.0 through 2.3.24.1 does not properly cache method references when used with OGNL before 3.0.12, which allows remote attackers to cause a denial of service (block access to a web site) via unspecified vectors. 
OSSINDEX https://ossindex.sonatype.org/vuln/74cddd35-3e8e-4460-bb8f-03eef3b4d382 [CVE-2016-3093] Improper Input Validation cpe:2.3:a:org.apache.struts.xwork:xwork-core:2.3.8:*:*:*:*:*:*:* jFormatString-3.0.0.jar /var/lib/jenkins/workspace/test@2/infrastructure/findsecbugs/archive/lib/jFormatString-3.0.0.jar 22a6baee6cada23d5f4eab91acd81f44 d3995f9be450813bc2ccee8f0774c1a3033a0f30 4c0c5bbe29cf76fb59b23e821178e3e22c72380b2453cc952dc67324baad7f53 jFormatString for Findbugs GNU Lesser Public License: http://www.gnu.org/licenses/lgpl.html /var/lib/jenkins/workspace/test@2/infrastructure/findsecbugs/lib/jFormatString-3.0.0.jar 4c0c5bbe29cf76fb59b23e821178e3e22c72380b2453cc952dc67324baad7f53 d3995f9be450813bc2ccee8f0774c1a3033a0f30 22a6baee6cada23d5f4eab91acd81f44 jar package name cs pom url http://findbugs.sourceforge.net/ file name jFormatString pom groupid google.code.findbugs pom name FindBugs-jFormatString central groupid com.google.code.findbugs pom artifactid jFormatString jar package name edu jar package name umd jar package name cs file name jFormatString pom artifactid jFormatString pom name FindBugs-jFormatString jar package name findbugs central artifactid jFormatString pom groupid google.code.findbugs pom url http://findbugs.sourceforge.net/ jar package name umd pom version 3.0.0 central version 3.0.0 file version 3.0.0 pkg:maven/com.google.code.findbugs/jFormatString@3.0.0 https://ossindex.sonatype.org/component/pkg:maven/com.google.code.findbugs/jFormatString@3.0.0 pkg:maven/com.google.code.findbugs/jFormatString@3.0.0 https://ossindex.sonatype.org/component/pkg:maven/com.google.code.findbugs/jFormatString@3.0.0 mysql-connector-java-5.1.18.jar /var/lib/jenkins/workspace/test@2/target/devsecops/WEB-INF/lib/mysql-connector-java-5.1.18.jar 78467fb2adf7f02bcfbff3ad022bc4e9 85dfedad243dc0303ad7ae3a323c39421d220690 5ce7735be853c1a6deaf88b6ea7659fb0f4aff2beb717430bd28efae3de35695 MySQL JDBC Type 4 driver The GNU General Public License, Version 2: 
http://www.gnu.org/licenses/old-licenses/gpl-2.0.html /var/lib/jenkins/workspace/test@2/target/devsecops.war/WEB-INF/lib/mysql-connector-java-5.1.18.jar 5ce7735be853c1a6deaf88b6ea7659fb0f4aff2beb717430bd28efae3de35695 85dfedad243dc0303ad7ae3a323c39421d220690 78467fb2adf7f02bcfbff3ad022bc4e9 hint analyzer (hint) vendor sun manifest: common Implementation-Vendor Oracle Manifest bundle-symbolicname com.mysql.jdbc central groupid mysql pom groupid mysql pom artifactid mysql-connector-java hint analyzer vendor oracle manifest: common (hint) Implementation-Vendor sun jar package name mysql pom organization url http://www.oracle.com pom url http://dev.mysql.com/doc/connector-j/en/ file name mysql-connector-java jar package name jdbc pom name MySQL Connector/J jar package name mysql jar package name jdbc pom organization name Oracle Corporation pom artifactid mysql-connector-java pom url http://dev.mysql.com/doc/connector-j/en/ Manifest bundle-symbolicname com.mysql.jdbc manifest: common Implementation-Title MySQL Connector/J hint analyzer product mysql_connectors manifest: common Specification-Title JDBC pom organization url http://www.oracle.com hint analyzer product mysql_connector/j jar package name mysql central artifactid mysql-connector-java file name mysql-connector-java jar package name jdbc pom groupid mysql hint analyzer product mysql_connector_j Manifest Bundle-Name Sun Microsystems' JDBC Driver for MySQL pom name MySQL Connector/J jar package name jdbc jar package name driver pom organization name Oracle Corporation pom version 5.1.18 manifest: common Implementation-Version 5.1.18 file version 5.1.18 central version 5.1.18 Manifest Bundle-Version 5.1.18 pkg:maven/mysql/mysql-connector-java@5.1.18 https://ossindex.sonatype.org/component/pkg:maven/mysql/mysql-connector-java@5.1.18 pkg:maven/mysql/mysql-connector-java@5.1.18 https://ossindex.sonatype.org/component/pkg:maven/mysql/mysql-connector-java@5.1.18 CVE-2017-3523 HIGH 6.0 NETWORK MEDIUM SINGLE PARTIAL 
PARTIAL PARTIAL MEDIUM 8.5 NETWORK HIGH LOW NONE CHANGED HIGH HIGH HIGH HIGH CWE-284 Vulnerability in the MySQL Connectors component of Oracle MySQL (subcomponent: Connector/J). Supported versions that are affected are 5.1.40 and earlier. Difficult to exploit vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Connectors. While the vulnerability is in MySQL Connectors, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of MySQL Connectors. CVSS 3.0 Base Score 8.5 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H). CONFIRM http://www.oracle.com/technetwork/security-advisory/cpuapr2017-3236618.html http://www.oracle.com/technetwork/security-advisory/cpuapr2017-3236618.html BID http://www.securityfocus.com/bid/97982 97982 DEBIAN http://www.debian.org/security/2017/dsa-3840 DSA-3840 cpe:2.3:a:oracle:connector\/j:*:*:*:*:*:*:*:* CVE-2017-3589 LOW 2.1 LOCAL LOW NONE NONE NONE NONE LOW 3.3 LOCAL LOW LOW NONE UNCHANGED NONE LOW NONE LOW CWE-284 Vulnerability in the MySQL Connectors component of Oracle MySQL (subcomponent: Connector/J). Supported versions that are affected are 5.1.41 and earlier. Easily "exploitable" vulnerability allows low privileged attacker with logon to the infrastructure where MySQL Connectors executes to compromise MySQL Connectors. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of MySQL Connectors accessible data. CVSS 3.0 Base Score 3.3 (Integrity impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N). 
CONFIRM http://www.oracle.com/technetwork/security-advisory/cpuapr2017-3236618.html http://www.oracle.com/technetwork/security-advisory/cpuapr2017-3236618.html BID http://www.securityfocus.com/bid/97836 97836 DEBIAN http://www.debian.org/security/2017/dsa-3857 DSA-3857 SECTRACK http://www.securitytracker.com/id/1038287 1038287 cpe:2.3:a:oracle:connector\/j:*:*:*:*:*:*:*:* CVE-2018-3258 HIGH 6.5 NETWORK LOW SINGLE PARTIAL PARTIAL PARTIAL MEDIUM 8.8 NETWORK LOW LOW NONE UNCHANGED HIGH HIGH HIGH HIGH CWE-284 Vulnerability in the MySQL Connectors component of Oracle MySQL (subcomponent: Connector/J). Supported versions that are affected are 8.0.12 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Connectors. Successful attacks of this vulnerability can result in takeover of MySQL Connectors. CVSS 3.0 Base Score 8.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). BID http://www.securityfocus.com/bid/105589 105589 SECTRACK http://www.securitytracker.com/id/1041888 1041888 CONFIRM http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html CONFIRM https://security.netapp.com/advisory/ntap-20181018-0002/ https://security.netapp.com/advisory/ntap-20181018-0002/ REDHAT https://access.redhat.com/errata/RHSA-2019:1545 RHSA-2019:1545 cpe:2.3:a:oracle:connector\/j:*:*:*:*:*:*:*:* CVE-2019-2692 MEDIUM 3.5 LOCAL HIGH SINGLE PARTIAL PARTIAL PARTIAL LOW 6.3 LOCAL HIGH HIGH REQUIRED UNCHANGED HIGH HIGH HIGH MEDIUM CWE-20 Vulnerability in the MySQL Connectors component of Oracle MySQL (subcomponent: Connector/J). Supported versions that are affected are 8.0.15 and prior. Difficult to exploit vulnerability allows high privileged attacker with logon to the infrastructure where MySQL Connectors executes to compromise MySQL Connectors. 
Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in takeover of MySQL Connectors. CVSS 3.0 Base Score 6.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H). MISC http://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html http://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html cpe:2.3:a:oracle:mysql_connector\/j:*:*:*:*:*:*:*:* ossindex-service-client-1.2.0.jar /var/lib/jenkins/workspace/test@2/infrastructure/dependency-check/lib/ossindex-service-client-1.2.0.jar 201dbfb49f0b22a006243a5841a7dafc 802db8efdc5377ec4798324885e88f13bc4b2d2a aa4d40d0d3a5cefa5d2dd908ddde15106f0b66cc2d0e3aaaf74b609e0b6e335a pom parent-groupid org.sonatype.ossindex file name ossindex-service-client pom parent-artifactid ossindex-service jar package name service pom groupid sonatype.ossindex Manifest Implementation-Vendor-Id org.sonatype.ossindex jar package name sonatype jar package name ossindex Manifest implementation-url https://sonatype.github.io/ossindex-public/ossindex-service-client/ pom artifactid ossindex-service-client jar package name client Manifest Implementation-Vendor Sonatype, Inc. 
file name ossindex-service-client pom groupid sonatype.ossindex pom parent-groupid org.sonatype.ossindex jar package name service pom parent-artifactid ossindex-service Manifest specification-title org.sonatype.ossindex:ossindex-service-client Manifest Implementation-Title org.sonatype.ossindex:ossindex-service-client jar package name sonatype jar package name ossindex Manifest implementation-url https://sonatype.github.io/ossindex-public/ossindex-service-client/ jar package name client pom artifactid ossindex-service-client pom version 1.2.0 file version 1.2.0 Manifest Implementation-Version 1.2.0 pkg:maven/org.sonatype.ossindex/ossindex-service-client@1.2.0 https://ossindex.sonatype.org/component/pkg:maven/org.sonatype.ossindex/ossindex-service-client@1.2.0 pkg:maven/org.sonatype.ossindex/ossindex-service-client@1.2.0 https://ossindex.sonatype.org/component/pkg:maven/org.sonatype.ossindex/ossindex-service-client@1.2.0 asm-commons-6.2.jar /var/lib/jenkins/workspace/test@2/infrastructure/findsecbugs/archive/lib/asm-commons-6.2.jar a031c9a32770c02c2f91d2bcbeceabcd f0df1c69e34a0463679d7c8db36ddb4312836e76 15545913db06c987aa404f028e33501d9f27f8ced612f73727e3547ac4de878c Usefull class adapters based on ASM, a very small and fast Java bytecode manipulation framework BSD: http://asm.ow2.org/license.html /var/lib/jenkins/workspace/test@2/infrastructure/findsecbugs/lib/asm-commons-6.2.jar 15545913db06c987aa404f028e33501d9f27f8ced612f73727e3547ac4de878c f0df1c69e34a0463679d7c8db36ddb4312836e76 a031c9a32770c02c2f91d2bcbeceabcd jar package name objectweb pom artifactid asm-commons Manifest bundle-docurl http://asm.ow2.org pom organization name OW2 Manifest module-requires org.objectweb.asm;transitive=true,org.objectweb.asm.tree;transitive=true,org.objectweb.asm.tree.analysis;transitive=true pom url http://asm.ow2.org/ file name asm-commons pom groupid ow2.asm pom parent-artifactid ow2 Manifest bundle-symbolicname org.objectweb.asm.commons jar package name asm jar package name 
commons central groupid org.ow2.asm jar package name objectweb pom organization url http://www.ow2.org/ pom name asm-commons jar package name commons jar package name asm Manifest bundle-requiredexecutionenvironment J2SE-1.5 pom parent-groupid org.ow2 central artifactid asm-commons Manifest Bundle-Name org.objectweb.asm.commons Manifest bundle-docurl http://asm.ow2.org Manifest module-requires org.objectweb.asm;transitive=true,org.objectweb.asm.tree;transitive=true,org.objectweb.asm.tree.analysis;transitive=true file name asm-commons pom parent-groupid org.ow2 pom organization name OW2 Manifest bundle-symbolicname org.objectweb.asm.commons jar package name asm jar package name commons jar package name objectweb pom artifactid asm-commons pom url http://asm.ow2.org/ pom organization url http://www.ow2.org/ pom name asm-commons Manifest Implementation-Title Usefull class adapters based on ASM, a very small and fast Java bytecode manipulation framework jar package name commons jar package name asm pom parent-artifactid ow2 Manifest bundle-requiredexecutionenvironment J2SE-1.5 pom groupid ow2.asm pom parent-version 6.2 file version 6.2 pom version 6.2 central version 6.2 pkg:maven/org.ow2.asm/asm-commons@6.2 https://ossindex.sonatype.org/component/pkg:maven/org.ow2.asm/asm-commons@6.2 pkg:maven/org.ow2.asm/asm-commons@6.2 https://ossindex.sonatype.org/component/pkg:maven/org.ow2.asm/asm-commons@6.2 jackson-databind-2.9.7.jar /var/lib/jenkins/workspace/test@2/target/devsecops/WEB-INF/lib/jackson-databind-2.9.7.jar 2916db8b36f4078f07dd9580bccec6c2 e6faad47abd3179666e89068485a1b88a195ceb7 675376decfc070b039d2be773a97002f1ee1e1346d95bd99feee0d56683a92bf General data-binding functionality for Jackson: works on core streaming API http://www.apache.org/licenses/LICENSE-2.0.txt /var/lib/jenkins/workspace/test@2/target/devsecops.war/WEB-INF/lib/jackson-databind-2.9.7.jar 675376decfc070b039d2be773a97002f1ee1e1346d95bd99feee0d56683a92bf e6faad47abd3179666e89068485a1b88a195ceb7 
2916db8b36f4078f07dd9580bccec6c2 pom name jackson-databind Manifest Implementation-Vendor-Id com.fasterxml.jackson.core Manifest Implementation-Vendor FasterXML Manifest require-capability osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.7))" pom parent-groupid com.fasterxml.jackson Manifest implementation-build-date 2018-09-19 02:48:44+0000 file name jackson-databind jar package name databind jar package name jackson pom parent-artifactid jackson-base Manifest bundle-docurl http://github.com/FasterXML/jackson Manifest bundle-symbolicname com.fasterxml.jackson.core.jackson-databind Manifest specification-vendor FasterXML pom url http://github.com/FasterXML/jackson pom artifactid jackson-databind pom groupid fasterxml.jackson.core Manifest automatic-module-name com.fasterxml.jackson.databind jar package name fasterxml pom parent-groupid com.fasterxml.jackson pom name jackson-databind pom artifactid jackson-databind pom url http://github.com/FasterXML/jackson Manifest Bundle-Name jackson-databind pom groupid fasterxml.jackson.core Manifest require-capability osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.7))" Manifest implementation-build-date 2018-09-19 02:48:44+0000 file name jackson-databind jar package name databind jar package name jackson Manifest bundle-docurl http://github.com/FasterXML/jackson Manifest Implementation-Title jackson-databind Manifest bundle-symbolicname com.fasterxml.jackson.core.jackson-databind Manifest automatic-module-name com.fasterxml.jackson.databind pom parent-artifactid jackson-base Manifest specification-title jackson-databind jar package name fasterxml Manifest Implementation-Version 2.9.7 Manifest Bundle-Version 2.9.7 file version 2.9.7 pom version 2.9.7 pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.7 https://ossindex.sonatype.org/component/pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.7 pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.7 
https://ossindex.sonatype.org/component/pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.7 CVE-2018-1000873 MEDIUM 4.3 NETWORK MEDIUM NONE NONE NONE PARTIAL MEDIUM 6.5 NETWORK LOW NONE REQUIRED UNCHANGED NONE NONE HIGH MEDIUM CWE-20 FasterXML Jackson versions before 2.9.8 contain a CWE-20: Improper Input Validation vulnerability in Jackson-Modules-Java8 that can result in a denial-of-service (DoS). This attack appears to be exploitable when the victim deserializes malicious input, specifically very large values in the nanoseconds field of a time value. This vulnerability appears to have been fixed in 2.9.8. MISC https://github.com/FasterXML/jackson-modules-java8/issues/90 https://github.com/FasterXML/jackson-modules-java8/issues/90 CONFIRM https://bugzilla.redhat.com/show_bug.cgi?id=1665601 https://bugzilla.redhat.com/show_bug.cgi?id=1665601 MLIST https://lists.apache.org/thread.html/ff8dcfe29377088ab655fda9d585dccd5b1f07fabd94ae84fd60a7f8@%3Ccommits.pulsar.apache.org%3E [pulsar-commits] 20190416 [GitHub] [pulsar] one70six opened a new issue #4057: Security Vulnerabilities - Black Duck Scan - Pulsar v.2.3.1 MISC https://github.com/FasterXML/jackson-modules-java8/pull/87 https://github.com/FasterXML/jackson-modules-java8/pull/87 MISC https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html OSSINDEX https://ossindex.sonatype.org/vuln/292c11e9-cf66-4d76-aaf7-b63a091f8891 [CVE-2018-1000873] Improper Input Validation cpe:2.3:a:fasterxml:jackson-databind:*:*:*:*:*:*:*:* cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.0:*:*:*:*:*:*:* CVE-2018-19360 CRITICAL 7.5 NETWORK LOW NONE PARTIAL PARTIAL PARTIAL HIGH 9.8 NETWORK LOW NONE NONE UNCHANGED HIGH HIGH HIGH CRITICAL CWE-502 FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the axis2-transport-jms class from polymorphic 
deserialization. MLIST https://lists.apache.org/thread.html/c70da3cb6e3f03e0ad8013e38b6959419d866c4a7c80fdd34b73f25c@%3Ccommits.pulsar.apache.org%3E [pulsar-commits] 20190329 [GitHub] [pulsar] massakam opened a new pull request #3938: Upgrade third party libraries with security vulnerabilities MLIST https://lists.debian.org/debian-lts-announce/2019/03/msg00005.html [debian-lts-announce] 20190304 [SECURITY] [DLA 1703-1] jackson-databind security update OSSINDEX https://ossindex.sonatype.org/vuln/dc5c85aa-ec0c-42b9-a11b-935184041ee7 [CVE-2018-19360] Deserialization of Untrusted Data MLIST https://lists.apache.org/thread.html/ff8dcfe29377088ab655fda9d585dccd5b1f07fabd94ae84fd60a7f8@%3Ccommits.pulsar.apache.org%3E [pulsar-commits] 20190416 [GitHub] [pulsar] one70six opened a new issue #4057: Security Vulnerabilities - Black Duck Scan - Pulsar v.2.3.1 BID http://www.securityfocus.com/bid/107985 107985 MLIST https://lists.apache.org/thread.html/37e1ed724a1b0e5d191d98c822c426670bdfde83804567131847d2a3@%3Cdevnull.infra.apache.org%3E [infra-devnull] 20190329 [GitHub] [pulsar] massakam opened pull request #3938: Upgrade third party libraries with security vulnerabilities REDHAT https://access.redhat.com/errata/RHSA-2019:1822 RHSA-2019:1822 REDHAT https://access.redhat.com/errata/RHSA-2019:1782 RHSA-2019:1782 MISC https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html REDHAT https://access.redhat.com/errata/RHSA-2019:1823 RHSA-2019:1823 BUGTRAQ https://seclists.org/bugtraq/2019/May/68 20190527 [SECURITY] [DSA 4452-1] jackson-databind security update REDHAT https://access.redhat.com/errata/RHSA-2019:0877 RHSA-2019:0877 REDHAT https://access.redhat.com/errata/RHBA-2019:0959 RHBA-2019:0959 REDHAT https://access.redhat.com/errata/RHSA-2019:0782 RHSA-2019:0782 CONFIRM https://issues.apache.org/jira/browse/TINKERPOP-2121 https://issues.apache.org/jira/browse/TINKERPOP-2121 CONFIRM 
https://github.com/FasterXML/jackson-databind/issues/2186 https://github.com/FasterXML/jackson-databind/issues/2186 MISC https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html CONFIRM https://github.com/FasterXML/jackson-databind/commit/42912cac4753f3f718ece875e4d486f8264c2f2b https://github.com/FasterXML/jackson-databind/commit/42912cac4753f3f718ece875e4d486f8264c2f2b CONFIRM https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.9.8 https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.9.8 CONFIRM https://security.netapp.com/advisory/ntap-20190530-0003/ https://security.netapp.com/advisory/ntap-20190530-0003/ REDHAT https://access.redhat.com/errata/RHSA-2019:1797 RHSA-2019:1797 DEBIAN https://www.debian.org/security/2019/dsa-4452 DSA-4452 cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:16.2:*:*:*:*:*:*:* cpe:2.3:a:oracle:business_process_management_suite:12.1.3.0.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:15.2:*:*:*:*:*:*:* cpe:2.3:a:fasterxml:jackson-databind:*:*:*:*:*:*:*:* cpe:2.3:a:oracle:primavera_unifier:16.1:*:*:*:*:*:*:* cpe:2.3:a:redhat:jboss_bpm_suite:6.4.11:*:*:*:*:*:*:* cpe:2.3:a:fasterxml:jackson-databind:*:*:*:*:*:*:*:* cpe:2.3:a:redhat:automation_manager:7.3.1:*:*:*:*:*:*:* cpe:2.3:a:oracle:primavera_unifier:*:*:*:*:*:*:*:* cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:18.8:*:*:*:*:*:*:* cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:16.1:*:*:*:*:*:*:* cpe:2.3:a:oracle:primavera_unifier:18.8:*:*:*:*:*:*:* cpe:2.3:a:oracle:webcenter_portal:12.2.1.3.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:*:*:*:*:*:*:*:* cpe:2.3:a:oracle:retail_workforce_management_software:1.60.9.0.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:primavera_unifier:16.2:*:*:*:*:*:*:* 
cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:15.1:*:*:*:*:*:*:* cpe:2.3:a:redhat:decision_manager:7.3.1:*:*:*:*:*:*:* cpe:2.3:a:redhat:openshift_container_platform:3.11:*:*:*:*:*:*:* cpe:2.3:a:fasterxml:jackson-databind:*:*:*:*:*:*:*:* cpe:2.3:a:redhat:jboss_brms:6.4.10:*:*:*:*:*:*:* cpe:2.3:a:oracle:business_process_management_suite:12.2.1.3.0:*:*:*:*:*:*:* cpe:2.3:a:fasterxml:jackson-databind:*:*:*:*:*:*:*:* CVE-2018-19361 CRITICAL 7.5 NETWORK LOW NONE PARTIAL PARTIAL PARTIAL HIGH 9.8 NETWORK LOW NONE NONE UNCHANGED HIGH HIGH HIGH CRITICAL CWE-502 FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the openjpa class from polymorphic deserialization. MLIST https://lists.apache.org/thread.html/c70da3cb6e3f03e0ad8013e38b6959419d866c4a7c80fdd34b73f25c@%3Ccommits.pulsar.apache.org%3E [pulsar-commits] 20190329 [GitHub] [pulsar] massakam opened a new pull request #3938: Upgrade third party libraries with security vulnerabilities MLIST https://lists.debian.org/debian-lts-announce/2019/03/msg00005.html [debian-lts-announce] 20190304 [SECURITY] [DLA 1703-1] jackson-databind security update OSSINDEX https://ossindex.sonatype.org/vuln/5a041483-5b69-47f8-b8a9-e631830ceaf9 [CVE-2018-19361] Deserialization of Untrusted Data MLIST https://lists.apache.org/thread.html/ff8dcfe29377088ab655fda9d585dccd5b1f07fabd94ae84fd60a7f8@%3Ccommits.pulsar.apache.org%3E [pulsar-commits] 20190416 [GitHub] [pulsar] one70six opened a new issue #4057: Security Vulnerabilities - Black Duck Scan - Pulsar v.2.3.1 BID http://www.securityfocus.com/bid/107985 107985 MLIST https://lists.apache.org/thread.html/37e1ed724a1b0e5d191d98c822c426670bdfde83804567131847d2a3@%3Cdevnull.infra.apache.org%3E [infra-devnull] 20190329 [GitHub] [pulsar] massakam opened pull request #3938: Upgrade third party libraries with security vulnerabilities REDHAT https://access.redhat.com/errata/RHSA-2019:1822 RHSA-2019:1822 REDHAT 
https://access.redhat.com/errata/RHSA-2019:1782 RHSA-2019:1782 MISC https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html REDHAT https://access.redhat.com/errata/RHSA-2019:1823 RHSA-2019:1823 BUGTRAQ https://seclists.org/bugtraq/2019/May/68 20190527 [SECURITY] [DSA 4452-1] jackson-databind security update REDHAT https://access.redhat.com/errata/RHSA-2019:0877 RHSA-2019:0877 REDHAT https://access.redhat.com/errata/RHBA-2019:0959 RHBA-2019:0959 REDHAT https://access.redhat.com/errata/RHSA-2019:0782 RHSA-2019:0782 CONFIRM https://issues.apache.org/jira/browse/TINKERPOP-2121 https://issues.apache.org/jira/browse/TINKERPOP-2121 CONFIRM https://github.com/FasterXML/jackson-databind/issues/2186 https://github.com/FasterXML/jackson-databind/issues/2186 MISC https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html CONFIRM https://github.com/FasterXML/jackson-databind/commit/42912cac4753f3f718ece875e4d486f8264c2f2b https://github.com/FasterXML/jackson-databind/commit/42912cac4753f3f718ece875e4d486f8264c2f2b CONFIRM https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.9.8 https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.9.8 CONFIRM https://security.netapp.com/advisory/ntap-20190530-0003/ https://security.netapp.com/advisory/ntap-20190530-0003/ REDHAT https://access.redhat.com/errata/RHSA-2019:1797 RHSA-2019:1797 DEBIAN https://www.debian.org/security/2019/dsa-4452 DSA-4452 cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:16.2:*:*:*:*:*:*:* cpe:2.3:a:oracle:business_process_management_suite:12.1.3.0.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:15.2:*:*:*:*:*:*:* cpe:2.3:a:fasterxml:jackson-databind:*:*:*:*:*:*:*:* cpe:2.3:a:oracle:primavera_unifier:16.1:*:*:*:*:*:*:* 
cpe:2.3:a:redhat:jboss_bpm_suite:6.4.11:*:*:*:*:*:*:* cpe:2.3:a:fasterxml:jackson-databind:*:*:*:*:*:*:*:* cpe:2.3:a:redhat:automation_manager:7.3.1:*:*:*:*:*:*:* cpe:2.3:a:oracle:primavera_unifier:*:*:*:*:*:*:*:* cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:18.8:*:*:*:*:*:*:* cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:16.1:*:*:*:*:*:*:* cpe:2.3:a:oracle:primavera_unifier:18.8:*:*:*:*:*:*:* cpe:2.3:a:oracle:webcenter_portal:12.2.1.3.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:*:*:*:*:*:*:*:* cpe:2.3:a:oracle:retail_workforce_management_software:1.60.9.0.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:primavera_unifier:16.2:*:*:*:*:*:*:* cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:15.1:*:*:*:*:*:*:* cpe:2.3:a:redhat:decision_manager:7.3.1:*:*:*:*:*:*:* cpe:2.3:a:redhat:openshift_container_platform:3.11:*:*:*:*:*:*:* cpe:2.3:a:fasterxml:jackson-databind:*:*:*:*:*:*:*:* cpe:2.3:a:redhat:jboss_brms:6.4.10:*:*:*:*:*:*:* cpe:2.3:a:oracle:business_process_management_suite:12.2.1.3.0:*:*:*:*:*:*:* cpe:2.3:a:fasterxml:jackson-databind:*:*:*:*:*:*:*:* CVE-2018-19362 CRITICAL 7.5 NETWORK LOW NONE PARTIAL PARTIAL PARTIAL HIGH 9.8 NETWORK LOW NONE NONE UNCHANGED HIGH HIGH HIGH CRITICAL CWE-502 FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the jboss-common-core class from polymorphic deserialization. 
MLIST https://lists.apache.org/thread.html/c70da3cb6e3f03e0ad8013e38b6959419d866c4a7c80fdd34b73f25c@%3Ccommits.pulsar.apache.org%3E [pulsar-commits] 20190329 [GitHub] [pulsar] massakam opened a new pull request #3938: Upgrade third party libraries with security vulnerabilities MLIST https://lists.debian.org/debian-lts-announce/2019/03/msg00005.html [debian-lts-announce] 20190304 [SECURITY] [DLA 1703-1] jackson-databind security update MLIST https://lists.apache.org/thread.html/ff8dcfe29377088ab655fda9d585dccd5b1f07fabd94ae84fd60a7f8@%3Ccommits.pulsar.apache.org%3E [pulsar-commits] 20190416 [GitHub] [pulsar] one70six opened a new issue #4057: Security Vulnerabilities - Black Duck Scan - Pulsar v.2.3.1 BID http://www.securityfocus.com/bid/107985 107985 MLIST https://lists.apache.org/thread.html/37e1ed724a1b0e5d191d98c822c426670bdfde83804567131847d2a3@%3Cdevnull.infra.apache.org%3E [infra-devnull] 20190329 [GitHub] [pulsar] massakam opened pull request #3938: Upgrade third party libraries with security vulnerabilities REDHAT https://access.redhat.com/errata/RHSA-2019:1822 RHSA-2019:1822 REDHAT https://access.redhat.com/errata/RHSA-2019:1782 RHSA-2019:1782 MISC https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html REDHAT https://access.redhat.com/errata/RHSA-2019:1823 RHSA-2019:1823 BUGTRAQ https://seclists.org/bugtraq/2019/May/68 20190527 [SECURITY] [DSA 4452-1] jackson-databind security update REDHAT https://access.redhat.com/errata/RHSA-2019:0877 RHSA-2019:0877 REDHAT https://access.redhat.com/errata/RHBA-2019:0959 RHBA-2019:0959 REDHAT https://access.redhat.com/errata/RHSA-2019:0782 RHSA-2019:0782 CONFIRM https://issues.apache.org/jira/browse/TINKERPOP-2121 https://issues.apache.org/jira/browse/TINKERPOP-2121 CONFIRM https://github.com/FasterXML/jackson-databind/issues/2186 https://github.com/FasterXML/jackson-databind/issues/2186 MISC 
https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html CONFIRM https://github.com/FasterXML/jackson-databind/commit/42912cac4753f3f718ece875e4d486f8264c2f2b https://github.com/FasterXML/jackson-databind/commit/42912cac4753f3f718ece875e4d486f8264c2f2b OSSINDEX https://ossindex.sonatype.org/vuln/5afe3c10-61cc-4ca0-99ae-c6ba8f330b45 [CVE-2018-19362] Deserialization of Untrusted Data CONFIRM https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.9.8 https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.9.8 CONFIRM https://security.netapp.com/advisory/ntap-20190530-0003/ https://security.netapp.com/advisory/ntap-20190530-0003/ REDHAT https://access.redhat.com/errata/RHSA-2019:1797 RHSA-2019:1797 DEBIAN https://www.debian.org/security/2019/dsa-4452 DSA-4452 cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:16.2:*:*:*:*:*:*:* cpe:2.3:a:oracle:business_process_management_suite:12.1.3.0.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:15.2:*:*:*:*:*:*:* cpe:2.3:a:fasterxml:jackson-databind:*:*:*:*:*:*:*:* cpe:2.3:a:oracle:primavera_unifier:16.1:*:*:*:*:*:*:* cpe:2.3:a:redhat:jboss_bpm_suite:6.4.11:*:*:*:*:*:*:* cpe:2.3:a:fasterxml:jackson-databind:*:*:*:*:*:*:*:* cpe:2.3:a:redhat:automation_manager:7.3.1:*:*:*:*:*:*:* cpe:2.3:a:oracle:primavera_unifier:*:*:*:*:*:*:*:* cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:18.8:*:*:*:*:*:*:* cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:16.1:*:*:*:*:*:*:* cpe:2.3:a:oracle:primavera_unifier:18.8:*:*:*:*:*:*:* cpe:2.3:a:oracle:webcenter_portal:12.2.1.3.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:*:*:*:*:*:*:*:* cpe:2.3:a:oracle:retail_workforce_management_software:1.60.9.0.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:primavera_unifier:16.2:*:*:*:*:*:*:* 
cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:15.1:*:*:*:*:*:*:* cpe:2.3:a:redhat:decision_manager:7.3.1:*:*:*:*:*:*:* cpe:2.3:a:redhat:openshift_container_platform:3.11:*:*:*:*:*:*:* cpe:2.3:a:fasterxml:jackson-databind:*:*:*:*:*:*:*:* cpe:2.3:a:redhat:jboss_brms:6.4.10:*:*:*:*:*:*:* cpe:2.3:a:oracle:business_process_management_suite:12.2.1.3.0:*:*:*:*:*:*:* cpe:2.3:a:fasterxml:jackson-databind:*:*:*:*:*:*:*:* CVE-2019-12086 HIGH 5.0 NETWORK LOW NONE PARTIAL PARTIAL NONE MEDIUM 7.5 NETWORK LOW NONE NONE UNCHANGED HIGH NONE NONE HIGH CWE-200 A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x before 2.9.9. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint, the service has the mysql-connector-java jar (8.0.14 or earlier) in the classpath, and an attacker can host a crafted MySQL server reachable by the victim, an attacker can send a crafted JSON message that allows them to read arbitrary local files on the server. This occurs because of missing com.mysql.cj.jdbc.admin.MiniAdmin validation. 
MISC https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062 https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062 OSSINDEX https://ossindex.sonatype.org/vuln/5bbadb96-496f-4534-a513-7a6396f54029 [CVE-2019-12086] Information Exposure MLIST https://lists.debian.org/debian-lts-announce/2019/05/msg00030.html [debian-lts-announce] 20190521 [SECURITY] [DLA 1798-1] jackson-databind security update MISC http://russiansecurity.expert/2016/04/20/mysql-connect-file-read/ http://russiansecurity.expert/2016/04/20/mysql-connect-file-read/ CONFIRM https://security.netapp.com/advisory/ntap-20190530-0003/ https://security.netapp.com/advisory/ntap-20190530-0003/ CONFIRM https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.9.9 https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.9.9 MISC https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html BID http://www.securityfocus.com/bid/109227 109227 MISC https://github.com/FasterXML/jackson-databind/issues/2326 https://github.com/FasterXML/jackson-databind/issues/2326 BUGTRAQ https://seclists.org/bugtraq/2019/May/68 20190527 [SECURITY] [DSA 4452-1] jackson-databind security update DEBIAN https://www.debian.org/security/2019/dsa-4452 DSA-4452 MLIST https://lists.apache.org/thread.html/88cd25375805950ae7337e669b0cb0eeda98b9604c1b8d806dccbad2@%3Creviews.spark.apache.org%3E [spark-reviews] 20190520 [GitHub] [spark] Fokko opened a new pull request #24646: Spark 27757 cpe:2.3:a:fasterxml:jackson-databind:*:*:*:*:*:*:*:* cpe:2.3:a:fasterxml:jackson-databind:*:*:*:*:*:*:*:* cpe:2.3:a:fasterxml:jackson-databind:*:*:*:*:*:*:*:* CVE-2019-12384 MEDIUM 4.3 NETWORK MEDIUM NONE PARTIAL PARTIAL NONE MEDIUM 5.9 NETWORK HIGH NONE NONE UNCHANGED HIGH NONE NONE MEDIUM CWE-502 FasterXML jackson-databind 2.x before 2.9.9.1 might allow attackers to have a 
variety of impacts by leveraging failure to block the logback-core class from polymorphic deserialization. Depending on the classpath content, remote code execution may be possible. REDHAT https://access.redhat.com/errata/RHSA-2019:1820 RHSA-2019:1820 MISC https://doyensec.com/research.html https://doyensec.com/research.html OSSINDEX https://ossindex.sonatype.org/vuln/33d59f1d-83ff-4527-9707-c3f1507b6125 [CVE-2019-12384] Deserialization of Untrusted Data CONFIRM https://lists.debian.org/debian-lts-announce/2019/06/msg00019.html https://lists.debian.org/debian-lts-announce/2019/06/msg00019.html CONFIRM https://security.netapp.com/advisory/ntap-20190703-0002/ https://security.netapp.com/advisory/ntap-20190703-0002/ MISC https://blog.doyensec.com/2019/07/22/jackson-gadgets.html https://blog.doyensec.com/2019/07/22/jackson-gadgets.html MISC https://github.com/FasterXML/jackson-databind/compare/74b90a4...a977aad https://github.com/FasterXML/jackson-databind/compare/74b90a4...a977aad cpe:2.3:a:fasterxml:jackson-databind:*:*:*:*:*:*:*:* CVE-2019-12814 MEDIUM 4.3 NETWORK MEDIUM NONE PARTIAL PARTIAL NONE MEDIUM 5.9 NETWORK HIGH NONE NONE UNCHANGED HIGH NONE NONE MEDIUM CWE-200 A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x through 2.9.9. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has JDOM 1.x or 2.x jar in the classpath, an attacker can send a specifically crafted JSON message that allows them to read arbitrary local files on the server. 
MLIST https://lists.apache.org/thread.html/15a55e1d837fa686db493137cc0330c7ee1089ed9a9eea7ae7151ef1@%3Cissues.zookeeper.apache.org%3E [zookeeper-issues] 20190623 [jira] [Created] (ZOOKEEPER-3441) OWASP is flagging jackson-databind-2.9.9.jar for CVE-2019-12814 MLIST https://lists.apache.org/thread.html/71f9ffd92410a889e27b95a219eaa843fd820f8550898633d85d4ea3@%3Cissues.zookeeper.apache.org%3E [zookeeper-issues] 20190712 [jira] [Assigned] (ZOOKEEPER-3441) OWASP is flagging jackson-databind-2.9.9.jar for CVE-2019-12814 CONFIRM https://security.netapp.com/advisory/ntap-20190625-0006/ https://security.netapp.com/advisory/ntap-20190625-0006/ MLIST https://lists.apache.org/thread.html/2ff264b6a94c5363a35c4c88fa93216f60ec54d1d973ed6b76a9f560@%3Cissues.zookeeper.apache.org%3E [zookeeper-issues] 20190712 [jira] [Commented] (ZOOKEEPER-3441) OWASP is flagging jackson-databind-2.9.9.jar for CVE-2019-12814 OSSINDEX https://ossindex.sonatype.org/vuln/3e008100-e0d4-45bf-afd2-9d5e9b13efa7 [CVE-2019-12814] Information Exposure MLIST https://lists.apache.org/thread.html/129da0204c876f746636018751a086cc581e0e07bcdeb3ee22ff5731@%3Cdev.zookeeper.apache.org%3E [zookeeper-dev] 20190623 [jira] [Created] (ZOOKEEPER-3441) OWASP is flagging jackson-databind-2.9.9.jar for CVE-2019-12814 MLIST https://lists.apache.org/thread.html/a62aa2706105d68f1c02023fe24aaa3c13b4d8a1826181fed07d9682@%3Cnotifications.zookeeper.apache.org%3E [zookeeper-notifications] 20190624 [GitHub] [zookeeper] phunt commented on a change in pull request #1001: ZOOKEEPER-3441 OWASP is flagging jackson-databind-2.9.9.jar for CVE-2019-12814 MLIST https://lists.apache.org/thread.html/28be28ffd6471d230943a255c36fe196a54ef5afc494a4781d16e37c@%3Cissues.zookeeper.apache.org%3E [zookeeper-issues] 20190712 [jira] [Resolved] (ZOOKEEPER-3441) OWASP is flagging jackson-databind-2.9.9.jar for CVE-2019-12814 MLIST https://lists.apache.org/thread.html/b0a2b2cca072650dbd5882719976c3d353972c44f6736ddf0ba95209@%3Cissues.zookeeper.apache.org%3E 
[zookeeper-issues] 20190713 [jira] [Updated] (ZOOKEEPER-3441) OWASP is flagging jackson-databind-2.9.9.jar for CVE-2019-12814 MLIST https://lists.apache.org/thread.html/8fe2983f6d9fee0aa737e4bd24483f8f5cf9b938b9adad0c4e79b2a4@%3Cnotifications.zookeeper.apache.org%3E [zookeeper-notifications] 20190624 [GitHub] [zookeeper] eolivelli commented on issue #1001: ZOOKEEPER-3441 OWASP is flagging jackson-databind-2.9.9.jar for CVE-2019-12814 MISC https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html MLIST https://lists.apache.org/thread.html/b148fa2e9ef468c4de00de255dd728b74e2a97d935f8ced31eb41ba2@%3Cnotifications.zookeeper.apache.org%3E [zookeeper-notifications] 20190710 [GitHub] [zookeeper] phunt closed pull request #1013: ZOOKEEPER-3441: OWASP is flagging jackson-databind-2.9.9.jar for CVE-2019-12814 MLIST https://lists.apache.org/thread.html/eff7280055fc717ea8129cd28a9dd57b8446d00b36260c1caee10b87@%3Cnotifications.zookeeper.apache.org%3E [zookeeper-notifications] 20190710 [GitHub] [zookeeper] phunt opened a new pull request #1013: ZOOKEEPER-3441: OWASP is flagging jackson-databind-2.9.9.jar for CVE-2019-12814 MLIST https://lists.debian.org/debian-lts-announce/2019/06/msg00019.html [debian-lts-announce] 20190621 [SECURITY] [DLA 1831-1] jackson-databind security update MLIST https://lists.apache.org/thread.html/4b832d1327703d6b287a6d223307f8f884d798821209a10647e93324@%3Cnotifications.zookeeper.apache.org%3E [zookeeper-notifications] 20190624 [GitHub] [zookeeper] eolivelli closed pull request #1001: ZOOKEEPER-3441 OWASP is flagging jackson-databind-2.9.9.jar for CVE-2019-12814 MLIST https://lists.apache.org/thread.html/a3ae8a8c5e32c413cd27071d3a204166050bf79ce7f1299f6866338f@%3Cissues.zookeeper.apache.org%3E [zookeeper-issues] 20190708 [jira] [Commented] (ZOOKEEPER-3441) OWASP is flagging jackson-databind-2.9.9.jar for CVE-2019-12814 MLIST 
https://lists.apache.org/thread.html/a78239b1f11cddfa86e4edee19064c40b6272214630bfef070c37957@%3Cissues.zookeeper.apache.org%3E [zookeeper-issues] 20190623 [jira] [Updated] (ZOOKEEPER-3441) OWASP is flagging jackson-databind-2.9.9.jar for CVE-2019-12814 MLIST https://lists.apache.org/thread.html/1e04d9381c801b31ab28dec813c31c304b2a596b2a3707fa5462c5c0@%3Cnotifications.zookeeper.apache.org%3E [zookeeper-notifications] 20190623 [GitHub] [zookeeper] eolivelli opened a new pull request #1001: ZOOKEEPER-3441 OWASP is flagging jackson-databind-2.9.9.jar for CVE-2019-12814 MLIST https://lists.apache.org/thread.html/bf20574dbc2db255f1fd489942b5720f675e32a2c4f44eb6a36060cd@%3Ccommits.accumulo.apache.org%3E [accumulo-commits] 20190723 [accumulo] branch 2.0 updated: Fix CVE-2019-12814 Use jackson-databind 2.9.9.1 CONFIRM https://github.com/FasterXML/jackson-databind/issues/2341 https://github.com/FasterXML/jackson-databind/issues/2341 cpe:2.3:a:fasterxml:jackson-databind:*:*:*:*:*:*:*:* CVE-2019-14379 CRITICAL 7.5 NETWORK LOW NONE PARTIAL PARTIAL PARTIAL HIGH 9.8 NETWORK LOW NONE NONE UNCHANGED HIGH HIGH HIGH CRITICAL CWE-20 SubTypeValidator.java in FasterXML jackson-databind before 2.9.9.2 mishandles default typing when ehcache is used, leading to remote code execution. 
MLIST https://lists.debian.org/debian-lts-announce/2019/08/msg00011.html [debian-lts-announce] 20190812 [SECURITY] [DLA 1879-1] jackson-databind security update CONFIRM https://security.netapp.com/advisory/ntap-20190814-0001/ https://security.netapp.com/advisory/ntap-20190814-0001/ MLIST https://lists.apache.org/thread.html/e25e734c315f70d8876a846926cfe3bfa1a4888044f146e844caf72f@%3Ccommits.ambari.apache.org%3E [ambari-commits] 20190813 [ambari] branch branch-2.7 updated: AMBARI-25352 : Upgrade fasterxml jackson dependency due to CVE-2019-14379 (#3066) OSSINDEX https://ossindex.sonatype.org/vuln/e5794172-1257-4372-9baf-7b87307a3cc9 [CVE-2019-14379] SubTypeValidator.java in FasterXML jackson-databind before 2.9.9.2 mishandles de... MISC https://github.com/FasterXML/jackson-databind/issues/2387 https://github.com/FasterXML/jackson-databind/issues/2387 MLIST https://lists.apache.org/thread.html/f17f63b0f8a57e4a5759e01d25cffc0548f0b61ff5c6bfd704ad2f2a@%3Ccommits.ambari.apache.org%3E [ambari-commits] 20190813 [ambari] branch trunk updated: AMBARI-25352 : Upgrade fasterxml jackson dependency due to CVE-2019-14379(trunk) (#3067) MLIST https://lists.apache.org/thread.html/525bcf949a4b0da87a375cbad2680b8beccde749522f24c49befe7fb@%3Ccommits.pulsar.apache.org%3E [pulsar-commits] 20190822 [GitHub] [pulsar] massakam opened a new pull request #5011: [security] Upgrade jackson-databind MISC https://github.com/FasterXML/jackson-databind/compare/jackson-databind-2.9.9.1...jackson-databind-2.9.9.2 https://github.com/FasterXML/jackson-databind/compare/jackson-databind-2.9.9.1...jackson-databind-2.9.9.2 cpe:2.3:a:fasterxml:jackson-databind:*:*:*:*:*:*:*:* cpe:2.3:a:netapp:snapcenter:-:*:*:*:*:*:*:* cpe:2.3:a:fasterxml:jackson-databind:*:*:*:*:*:*:*:* cpe:2.3:a:fasterxml:jackson-databind:*:*:*:*:*:*:*:* cpe:2.3:a:netapp:oncommand_workflow_automation:-:*:*:*:*:*:*:* CVE-2019-14439 HIGH 5.0 NETWORK LOW NONE PARTIAL PARTIAL NONE MEDIUM 7.5 NETWORK LOW NONE NONE UNCHANGED HIGH NONE NONE 
HIGH CWE-200 A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x before 2.9.9.2. This occurs when Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the logback jar in the classpath. MISC https://github.com/FasterXML/jackson-databind/issues/2389 https://github.com/FasterXML/jackson-databind/issues/2389 MLIST https://lists.debian.org/debian-lts-announce/2019/08/msg00011.html [debian-lts-announce] 20190812 [SECURITY] [DLA 1879-1] jackson-databind security update MISC https://github.com/FasterXML/jackson-databind/commit/ad418eeb974e357f2797aef64aa0e3ffaaa6125b https://github.com/FasterXML/jackson-databind/commit/ad418eeb974e357f2797aef64aa0e3ffaaa6125b CONFIRM https://security.netapp.com/advisory/ntap-20190814-0001/ https://security.netapp.com/advisory/ntap-20190814-0001/ OSSINDEX https://ossindex.sonatype.org/vuln/ac9dce23-7b35-4691-b05e-a68f58d48b8c [CVE-2019-14439] A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x befo... 
MISC https://github.com/FasterXML/jackson-databind/compare/jackson-databind-2.9.9.1...jackson-databind-2.9.9.2 https://github.com/FasterXML/jackson-databind/compare/jackson-databind-2.9.9.1...jackson-databind-2.9.9.2 cpe:2.3:a:fasterxml:jackson-databind:*:*:*:*:*:*:*:* devsecops.war /var/lib/jenkins/workspace/test@2/target/devsecops.war 982a1d844cc0246c765dc2c5463194b5 c5422e071104c0cbb50e62d75c576a0af93fd577 8bb458535f6e79fa915e63a44a9198c2c995d1ee097d07f941906bd09d44d93f jar package name web-inf pom url http://maven.apache.org pom groupid notsosecure jar package name com jar package name notsosecure pom artifactid devsecops jar package name classes file name devsecops pom name devsecops pom groupid notsosecure pom url http://maven.apache.org jar package name com pom artifactid devsecops jar package name notsosecure jar package name notsosecure jar package name classes file name devsecops pom name devsecops pom version 0.0.1-SNAPSHOT pkg:maven/com.notsosecure/devsecops@0.0.1-SNAPSHOT https://ossindex.sonatype.org/component/pkg:maven/com.notsosecure/devsecops@0.0.1-SNAPSHOT pkg:maven/com.notsosecure/devsecops@0.0.1-SNAPSHOT https://ossindex.sonatype.org/component/pkg:maven/com.notsosecure/devsecops@0.0.1-SNAPSHOT asm-tree-3.3.jar /var/lib/jenkins/workspace/test@2/target/devsecops/WEB-INF/lib/asm-tree-3.3.jar 3eeafc985d3ca624abf2d3ad549180d0 33c13070f194e1f0385877ec9306a24e983b00e3 d0d8a92d855a015db402675af123c8f39010501ba1d34a5072301ce6caf137ea /var/lib/jenkins/workspace/test@2/target/devsecops.war/WEB-INF/lib/asm-tree-3.3.jar d0d8a92d855a015db402675af123c8f39010501ba1d34a5072301ce6caf137ea 33c13070f194e1f0385877ec9306a24e983b00e3 3eeafc985d3ca624abf2d3ad549180d0 pom artifactid asm-tree jar package name objectweb pom parent-artifactid asm-parent Manifest Implementation-Vendor France Telecom R&D jar package name tree pom groupid asm jar package name asm file name asm-tree central groupid asm pom name ASM Tree pom artifactid asm-tree Manifest Implementation-Title ASM 
Tree class visitor pom parent-artifactid asm-parent jar package name tree jar package name tree jar package name asm jar package name asm file name asm-tree pom name ASM Tree pom groupid asm central artifactid asm-tree Manifest Implementation-Version 3.3 central version 3.3 pom version 3.3 file version 3.3 pkg:maven/asm/asm-tree@3.3 https://ossindex.sonatype.org/component/pkg:maven/asm/asm-tree@3.3 pkg:maven/asm/asm-tree@3.3 https://ossindex.sonatype.org/component/pkg:maven/asm/asm-tree@3.3 commons-io-2.6.jar /var/lib/jenkins/workspace/test@2/infrastructure/dependency-check/lib/commons-io-2.6.jar 467c2a1f64319c99b5faf03fc78572af 815893df5f31da2ece4040fe0a12fd44b577afaf f877d304660ac2a142f3865badfc971dec7ed73c747c7f8d5d2f5139ca736513 The Apache Commons IO library contains utility classes, stream implementations, file filters, file comparators, endian transformation classes, and much more. https://www.apache.org/licenses/LICENSE-2.0.txt Manifest automatic-module-name org.apache.commons.io pom url http://commons.apache.org/proper/commons-io/ pom parent-artifactid commons-parent jar package name io Manifest require-capability osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.7))" pom parent-groupid org.apache.commons jar package name apache Manifest implementation-url http://commons.apache.org/proper/commons-io/ Manifest Implementation-Vendor-Id commons-io pom groupid commons-io Manifest specification-vendor The Apache Software Foundation pom artifactid commons-io jar package name commons Manifest bundle-symbolicname org.apache.commons.io pom name Apache Commons IO file name commons-io Manifest bundle-docurl http://commons.apache.org/proper/commons-io/ Manifest Implementation-Vendor The Apache Software Foundation pom parent-artifactid commons-parent Manifest automatic-module-name org.apache.commons.io pom groupid commons-io Manifest Bundle-Name Apache Commons IO jar package name io pom url http://commons.apache.org/proper/commons-io/ Manifest require-capability 
osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.7))" jar package name apache Manifest implementation-url http://commons.apache.org/proper/commons-io/ jar package name commons Manifest specification-title Apache Commons IO Manifest Implementation-Title Apache Commons IO pom parent-groupid org.apache.commons Manifest bundle-symbolicname org.apache.commons.io pom name Apache Commons IO file name commons-io pom artifactid commons-io Manifest bundle-docurl http://commons.apache.org/proper/commons-io/ pom parent-version 2.6 Manifest Implementation-Version 2.6 file version 2.6 pom version 2.6 pkg:maven/commons-io/commons-io@2.6 https://ossindex.sonatype.org/component/pkg:maven/commons-io/commons-io@2.6 pkg:maven/commons-io/commons-io@2.6 https://ossindex.sonatype.org/component/pkg:maven/commons-io/commons-io@2.6 hibernate-entitymanager-4.2.6.Final.jar /var/lib/jenkins/workspace/test@2/target/devsecops/WEB-INF/lib/hibernate-entitymanager-4.2.6.Final.jar 3ba0c05dc44a2858535bdfa57defc71c 31d70c201eacd2e19e9feafdf42523527a08b85b ea8b7731d1b77db42054194a4013c565d92306f404c8f436fc4dca522174fc99 A module of the Hibernate Core project GNU Lesser General Public License: http://www.gnu.org/licenses/lgpl-2.1.html /var/lib/jenkins/workspace/test@2/target/devsecops.war/WEB-INF/lib/hibernate-entitymanager-4.2.6.Final.jar ea8b7731d1b77db42054194a4013c565d92306f404c8f436fc4dca522174fc99 31d70c201eacd2e19e9feafdf42523527a08b85b 3ba0c05dc44a2858535bdfa57defc71c Manifest implementation-url http://hibernate.org jar package name hibernate jar package name ejb central groupid org.hibernate pom name A Hibernate Core Module jar package name hibernate Manifest bundle-symbolicname org.hibernate.entitymanager Manifest Implementation-Vendor Hibernate.org pom url http://hibernate.org file name hibernate-entitymanager Manifest Implementation-Vendor-Id org.hibernate pom organization name Hibernate.org pom groupid hibernate pom artifactid hibernate-entitymanager pom organization url http://hibernate.org 
Manifest implementation-url http://hibernate.org jar package name hibernate Manifest Bundle-Name hibernate-entitymanager pom organization url http://hibernate.org jar package name ejb central artifactid hibernate-entitymanager pom name A Hibernate Core Module pom groupid hibernate pom artifactid hibernate-entitymanager Manifest bundle-symbolicname org.hibernate.entitymanager file name hibernate-entitymanager pom organization name Hibernate.org pom url http://hibernate.org central version 4.2.6.Final pom version 4.2.6.Final Manifest Bundle-Version 4.2.6.Final Manifest Implementation-Version 4.2.6.Final pkg:maven/org.hibernate/hibernate-entitymanager@4.2.6.Final https://ossindex.sonatype.org/component/pkg:maven/org.hibernate/hibernate-entitymanager@4.2.6.Final pkg:maven/org.hibernate/hibernate-entitymanager@4.2.6.Final https://ossindex.sonatype.org/component/pkg:maven/org.hibernate/hibernate-entitymanager@4.2.6.Final log4j-1.2.17.jar /var/lib/jenkins/workspace/test@2/target/devsecops/WEB-INF/lib/log4j-1.2.17.jar 04a41f0a068986f0f73485cf507c0f40 5af35056b4d257e4b64b9e8069c0746e8b08629f 1d31696445697720527091754369082a6651bd49781b6005deb94e56753406f9 Apache Log4j 1.2 The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt /var/lib/jenkins/workspace/test@2/target/devsecops.war/WEB-INF/lib/log4j-1.2.17.jar 1d31696445697720527091754369082a6651bd49781b6005deb94e56753406f9 5af35056b4d257e4b64b9e8069c0746e8b08629f 04a41f0a068986f0f73485cf507c0f40 pom url http://logging.apache.org/log4j/1.2/ manifest: org.apache.log4j Implementation-Vendor "Apache Software Foundation" jar package name log4j Manifest bundle-docurl http://logging.apache.org/log4j/1.2 pom organization name Apache Software Foundation Manifest bundle-symbolicname log4j jar package name apache pom groupid log4j pom organization url http://www.apache.org pom artifactid log4j file name log4j pom name Apache Log4j pom groupid log4j manifest: org.apache.log4j Implementation-Title log4j 
jar package name log4j Manifest Bundle-Name Apache Log4j Manifest bundle-docurl http://logging.apache.org/log4j/1.2 pom organization name Apache Software Foundation Manifest bundle-symbolicname log4j jar package name apache pom organization url http://www.apache.org pom url http://logging.apache.org/log4j/1.2/ file name log4j pom artifactid log4j pom name Apache Log4j pom version 1.2.17 file version 1.2.17 Manifest Bundle-Version 1.2.17 manifest: org.apache.log4j Implementation-Version 1.2.17 pkg:maven/log4j/log4j@1.2.17 https://ossindex.sonatype.org/component/pkg:maven/log4j/log4j@1.2.17 pkg:maven/log4j/log4j@1.2.17 https://ossindex.sonatype.org/component/pkg:maven/log4j/log4j@1.2.17 asm-3.3.jar /var/lib/jenkins/workspace/test@2/target/devsecops/WEB-INF/lib/asm-3.3.jar 968575ef15e4024d205fa6ecddec67a9 fb0f302a91a376fd5cfe23167c419375e8fc9b8f 07e685c385c652a3d2c4a08312004f653ba508e325d70ff3d9e8687d1ac6a8da /var/lib/jenkins/workspace/test@2/target/devsecops.war/WEB-INF/lib/asm-3.3.jar 07e685c385c652a3d2c4a08312004f653ba508e325d70ff3d9e8687d1ac6a8da fb0f302a91a376fd5cfe23167c419375e8fc9b8f 968575ef15e4024d205fa6ecddec67a9 file name asm jar package name objectweb pom parent-artifactid asm-parent Manifest Implementation-Vendor France Telecom R&D pom groupid asm jar package name asm pom artifactid asm pom name ASM Core central groupid asm file name asm pom parent-artifactid asm-parent Manifest Implementation-Title ASM jar package name asm pom name ASM Core jar package name asm central artifactid asm pom artifactid asm pom groupid asm Manifest Implementation-Version 3.3 central version 3.3 pom version 3.3 file version 3.3 pkg:maven/asm/asm@3.3 https://ossindex.sonatype.org/component/pkg:maven/asm/asm@3.3 pkg:maven/asm/asm@3.3 https://ossindex.sonatype.org/component/pkg:maven/asm/asm@3.3 spotbugs-3.1.5.jar /var/lib/jenkins/workspace/test@2/infrastructure/findsecbugs/archive/lib/spotbugs-3.1.5.jar fcf3dd502f5be304413eec3f706b8ad0 39b5e21aa02e007a5347dd3e4d5d9421e2f1aa46 
98ec84eb0a4dc0502773aca061750d655b9f398f8efc2ebf88d5540106d43e4e SpotBugs: Because it's easy! GNU LESSER GENERAL PUBLIC LICENSE, Version 2.1: https://www.gnu.org/licenses/old-licenses/lgpl-2.1.en.html /var/lib/jenkins/workspace/test@2/infrastructure/findsecbugs/lib/spotbugs-3.1.5.jar 98ec84eb0a4dc0502773aca061750d655b9f398f8efc2ebf88d5540106d43e4e 39b5e21aa02e007a5347dd3e4d5d9421e2f1aa46 fcf3dd502f5be304413eec3f706b8ad0 file name spotbugs jar package name cs pom name SpotBugs pom groupid github.spotbugs Manifest automatic-module-name com.github.spotbugs.spotbugs pom artifactid spotbugs pom url https://spotbugs.github.io/ central groupid com.github.spotbugs jar package name edu jar package name umd file name spotbugs jar package name cs pom name SpotBugs jar package name findbugs central artifactid spotbugs pom artifactid spotbugs pom groupid github.spotbugs Manifest automatic-module-name com.github.spotbugs.spotbugs pom url https://spotbugs.github.io/ jar package name umd Manifest Bundle-Version 3.1.5 file version 3.1.5 central version 3.1.5 pom version 3.1.5 pkg:maven/com.github.spotbugs/spotbugs@3.1.5 https://ossindex.sonatype.org/component/pkg:maven/com.github.spotbugs/spotbugs@3.1.5 pkg:maven/com.github.spotbugs/spotbugs@3.1.5 https://ossindex.sonatype.org/component/pkg:maven/com.github.spotbugs/spotbugs@3.1.5 commons-collections4-4.0.jar /var/lib/jenkins/workspace/test@2/target/devsecops/WEB-INF/lib/commons-collections4-4.0.jar a18f2d0153b5607dff8c5becbdd76dd1 da217367fd25e88df52ba79e47658d4cf928b0d1 93f8dfcd20831a28d092427723f696bceb70b28e7fb89d7914f14d5ea492ce5a The Apache Commons Collections package contains types that extend and augment the Java Collections Framework. 
http://www.apache.org/licenses/LICENSE-2.0.txt /var/lib/jenkins/workspace/test@2/target/devsecops.war/WEB-INF/lib/commons-collections4-4.0.jar 93f8dfcd20831a28d092427723f696bceb70b28e7fb89d7914f14d5ea492ce5a da217367fd25e88df52ba79e47658d4cf928b0d1 a18f2d0153b5607dff8c5becbdd76dd1 Manifest implementation-build tags/COLLECTIONS_4_0_RC5@r1543977; 2013-11-20 23:44:45+0100 pom name Apache Commons Collections pom url http://commons.apache.org/proper/commons-collections/ Manifest bundle-docurl http://commons.apache.org/proper/commons-collections/ pom parent-artifactid commons-parent Manifest bundle-symbolicname org.apache.commons.collections4 pom groupid apache.commons file name commons-collections4 pom parent-groupid org.apache.commons jar package name apache Manifest Implementation-Vendor-Id org.apache Manifest specification-vendor The Apache Software Foundation jar package name commons pom artifactid commons-collections4 jar package name collections4 Manifest Implementation-Vendor The Apache Software Foundation pom parent-artifactid commons-parent Manifest implementation-build tags/COLLECTIONS_4_0_RC5@r1543977; 2013-11-20 23:44:45+0100 pom name Apache Commons Collections Manifest bundle-docurl http://commons.apache.org/proper/commons-collections/ Manifest bundle-symbolicname org.apache.commons.collections4 file name commons-collections4 pom artifactid commons-collections4 jar package name apache Manifest specification-title Apache Commons Collections Manifest Implementation-Title Apache Commons Collections Manifest Bundle-Name Apache Commons Collections jar package name commons pom groupid apache.commons pom parent-groupid org.apache.commons pom url http://commons.apache.org/proper/commons-collections/ jar package name collections4 Manifest Implementation-Version 4.0 pom version 4.0 file version 4.0 pom parent-version 4.0 pkg:maven/org.apache.commons/commons-collections4@4.0 https://ossindex.sonatype.org/component/pkg:maven/org.apache.commons/commons-collections4@4.0 
pkg:maven/org.apache.commons/commons-collections4@4.0 https://ossindex.sonatype.org/component/pkg:maven/org.apache.commons/commons-collections4@4.0 CVE-2015-6420 HIGH 7.5 NETWORK LOW NONE PARTIAL PARTIAL PARTIAL HIGH CWE-502 Serialized-object interfaces in certain Cisco Collaboration and Social Media; Endpoint Clients and Client Software; Network Application, Service, and Acceleration; Network and Content Security Devices; Network Management and Provisioning; Routing and Switching - Enterprise and Service Provider; Unified Computing; Voice and Unified Communications Devices; Video, Streaming, TelePresence, and Transcoding Devices; Wireless; and Cisco Hosted Services products allow remote attackers to execute arbitrary commands via a crafted serialized Java object, related to the Apache Commons Collections (ACC) library. CONFIRM https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05376917 https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05376917 BID http://www.securityfocus.com/bid/78872 78872 CISCO http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20151209-java-deserialization 20151209 Vulnerability in Java Deserialization Affecting Cisco Products CONFIRM http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html CONFIRM https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05390722 https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05390722 MISC https://www.tenable.com/security/research/tra-2017-14 https://www.tenable.com/security/research/tra-2017-14 CERT-VN https://www.kb.cert.org/vuls/id/581311 VU#581311 MISC https://www.kb.cert.org/vuls/id/576313 https://www.kb.cert.org/vuls/id/576313 OSSINDEX https://ossindex.sonatype.org/vuln/ac157388-2d0e-4c78-b3f4-033572d19286 [CVE-2015-6420] Serialized-object interfaces in certain Cisco 
Collaboration and Social Media; En... MISC https://www.tenable.com/security/research/tra-2017-23 https://www.tenable.com/security/research/tra-2017-23 cpe:2.3:a:apache:commons_collections:4.0:*:*:*:*:*:*:* cpe:2.3:a:apache:commons_collections:*:*:*:*:*:*:*:* javax.ws.rs-api-2.0.1.jar /var/lib/jenkins/workspace/test@2/infrastructure/dependency-check/lib/javax.ws.rs-api-2.0.1.jar edcd111cf4d3ba8ac8e1f326efc37a17 104e9c2b5583cfcfeac0402316221648d6d8ea6b 38607d626f2288d8fbc1b1f8a62c369e63806d9a313ac7cbc5f9d6c94f4b466d Java API for RESTful Web Services (JAX-RS) CDDL 1.1: http://glassfish.java.net/public/CDDL+GPL_1_1.html GPL2 w/ CPE: http://glassfish.java.net/public/CDDL+GPL_1_1.html pom groupid javax.ws.rs jar package name ws pom artifactid javax.ws.rs-api Manifest require-capability osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.6))" pom name javax.ws.rs-api file name javax.ws.rs-api pom parent-artifactid jvnet-parent Manifest bundle-docurl http://www.oracle.com/ pom parent-groupid net.java jar package name rs jar package name javax Manifest bundle-symbolicname javax.ws.rs-api Manifest specification-vendor Oracle Corporation Manifest extension-name javax.ws.rs pom url http://jax-rs-spec.java.net pom organization url http://www.oracle.com/ pom organization name Oracle Corporation Manifest Bundle-Name javax.ws.rs-api pom organization url http://www.oracle.com/ jar package name ws pom url http://jax-rs-spec.java.net pom parent-artifactid jvnet-parent Manifest require-capability osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.6))" pom name javax.ws.rs-api file name javax.ws.rs-api Manifest bundle-docurl http://www.oracle.com/ jar package name rs jar package name javax pom groupid javax.ws.rs pom artifactid javax.ws.rs-api Manifest bundle-symbolicname javax.ws.rs-api Manifest extension-name javax.ws.rs pom parent-groupid net.java pom organization name Oracle Corporation Manifest Implementation-Version 2.0.1 Manifest Bundle-Version 2.0.1 pom version 2.0.1 file version 2.0.1 
pom parent-version 2.0.1 pkg:maven/javax.ws.rs/javax.ws.rs-api@2.0.1 https://ossindex.sonatype.org/component/pkg:maven/javax.ws.rs/javax.ws.rs-api@2.0.1 pkg:maven/javax.ws.rs/javax.ws.rs-api@2.0.1 https://ossindex.sonatype.org/component/pkg:maven/javax.ws.rs/javax.ws.rs-api@2.0.1 struts2-core-2.3.8.jar /var/lib/jenkins/workspace/test@2/target/devsecops/WEB-INF/lib/struts2-core-2.3.8.jar 6eec4c966b11d3288216917c1781d503 b6f740a8626b1531b65701bd31fd80e066df7c8e 180feca55fc93f6c882546ed299493cb761bae062031b867d46e7af213259ccb Apache Struts 2 http://www.apache.org/licenses/LICENSE-2.0.txt /var/lib/jenkins/workspace/test@2/target/devsecops.war/WEB-INF/lib/struts2-core-2.3.8.jar 180feca55fc93f6c882546ed299493cb761bae062031b867d46e7af213259ccb b6f740a8626b1531b65701bd31fd80e066df7c8e 6eec4c966b11d3288216917c1781d503 Manifest bundle-symbolicname org.apache.struts.2-core Manifest bundle-docurl http://www.apache.org Manifest originally-created-by 1.6.0_37 (Apple Inc.) Manifest Implementation-Vendor-Id org.apache.struts jar package name struts2 pom parent-artifactid struts2-parent pom artifactid struts2-core jar package name apache Manifest Implementation-Vendor Apache Software Foundation file name struts2-core pom groupid apache.struts Manifest specification-vendor Apache Software Foundation pom name Struts 2 Core pom parent-groupid org.apache.struts pom artifactid struts2-core Manifest specification-title Struts 2 Core Manifest bundle-symbolicname org.apache.struts.2-core Manifest bundle-docurl http://www.apache.org Manifest originally-created-by 1.6.0_37 (Apple Inc.) 
Manifest Implementation-Title Struts 2 Core jar package name struts2 Manifest Bundle-Name Struts 2 Core jar package name apache pom parent-groupid org.apache.struts file name struts2-core pom parent-artifactid struts2-parent pom name Struts 2 Core pom groupid apache.struts Manifest Bundle-Version 2.3.8 Manifest Implementation-Version 2.3.8 file version 2.3.8 pom version 2.3.8 pkg:maven/org.apache.struts/struts2-core@2.3.8 https://ossindex.sonatype.org/component/pkg:maven/org.apache.struts/struts2-core@2.3.8 pkg:maven/org.apache.struts/struts2-core@2.3.8 https://ossindex.sonatype.org/component/pkg:maven/org.apache.struts/struts2-core@2.3.8 CVE-2013-1965 HIGH 9.3 NETWORK MEDIUM NONE COMPLETE COMPLETE COMPLETE HIGH CWE-94 Apache Struts Showcase App 2.0.0 through 2.3.13, as used in Struts 2 before 2.3.14.3, allows remote attackers to execute arbitrary OGNL code via a crafted parameter name that is not properly handled when invoking a redirect. BID http://www.securityfocus.com/bid/60082 60082 MISC https://bugzilla.redhat.com/show_bug.cgi?id=967655 https://bugzilla.redhat.com/show_bug.cgi?id=967655 CONFIRM http://struts.apache.org/development/2.x/docs/s2-012.html http://struts.apache.org/development/2.x/docs/s2-012.html OSSINDEX https://ossindex.sonatype.org/vuln/7aa02cd2-5370-4f43-b202-d30665527d05 [CVE-2013-1965] Improper Control of Generation of Code ("Code Injection") cpe:2.3:a:apache:struts2-showcase:*:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:*:*:*:*:*:*:*:* CVE-2013-1966 HIGH 9.3 NETWORK MEDIUM NONE COMPLETE COMPLETE COMPLETE HIGH CWE-94 Apache Struts 2 before 2.3.14.2 allows remote attackers to execute arbitrary OGNL code via a crafted request that is not properly handled when using the includeParams attribute in the (1) URL or (2) A tag. 
BID http://www.securityfocus.com/bid/60166 60166 MISC https://bugzilla.redhat.com/show_bug.cgi?id=967656 https://bugzilla.redhat.com/show_bug.cgi?id=967656 CONFIRM http://struts.apache.org/development/2.x/docs/s2-013.html http://struts.apache.org/development/2.x/docs/s2-013.html OSSINDEX https://ossindex.sonatype.org/vuln/64959e54-560d-4c85-b1ba-bae91251f948 [CVE-2013-1966] Improper Control of Generation of Code ("Code Injection") MISC https://cwiki.apache.org/confluence/display/WW/S2-013 https://cwiki.apache.org/confluence/display/WW/S2-013 cpe:2.3:a:apache:struts:*:*:*:*:*:*:*:* CVE-2013-2115 HIGH 9.3 NETWORK MEDIUM NONE COMPLETE COMPLETE COMPLETE HIGH CWE-94 Apache Struts 2 before 2.3.14.2 allows remote attackers to execute arbitrary OGNL code via a crafted request that is not properly handled when using the includeParams attribute in the (1) URL or (2) A tag. NOTE: this issue is due to an incomplete fix for CVE-2013-1966. MISC https://bugzilla.redhat.com/show_bug.cgi?id=967656 https://bugzilla.redhat.com/show_bug.cgi?id=967656 OSSINDEX https://ossindex.sonatype.org/vuln/a902e7ce-8d2b-4de9-a3a4-e717c9ebea3e [CVE-2013-2115] Improper Control of Generation of Code ("Code Injection") BID http://www.securityfocus.com/bid/60167 60167 CONFIRM http://struts.apache.org/development/2.x/docs/s2-014.html http://struts.apache.org/development/2.x/docs/s2-014.html MISC https://cwiki.apache.org/confluence/display/WW/S2-014 https://cwiki.apache.org/confluence/display/WW/S2-014 cpe:2.3:a:apache:struts:2.1.8.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.7:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.10:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.4:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.1.4:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.4:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.7:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.1.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.14:*:*:*:*:*:*:* 
cpe:2.3:a:apache:struts:2.2.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.1.6:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.11:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.11.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.9:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.13:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.1.0:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.2.3:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.3:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.2:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.12:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.1.5:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.1.2:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.1.8:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.1.2:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.8:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.5:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.12:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.4.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.8:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.11.2:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.6:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.3:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.1.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.2.1.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:*:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.0:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.2.3.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.1.3:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.14:*:*:*:*:*:*:* CVE-2013-2134 HIGH 9.3 NETWORK MEDIUM NONE COMPLETE COMPLETE COMPLETE HIGH CWE-94 Apache Struts 2 before 2.3.14.3 allows remote attackers to execute arbitrary OGNL code via a request with a crafted action name that is not properly handled during wildcard matching, a different vulnerability than CVE-2013-2135. 
BID http://www.securityfocus.com/bid/64758 64758 GENTOO http://security.gentoo.org/glsa/glsa-201409-04.xml GLSA-201409-04 BID http://www.securityfocus.com/bid/60346 60346 CONFIRM http://www.oracle.com/technetwork/topics/security/cpuoct2013-1899837.html http://www.oracle.com/technetwork/topics/security/cpuoct2013-1899837.html MISC https://cwiki.apache.org/confluence/display/WW/S2-015 https://cwiki.apache.org/confluence/display/WW/S2-015 CONFIRM http://www.oracle.com/technetwork/topics/security/cpujan2014-1972949.html http://www.oracle.com/technetwork/topics/security/cpujan2014-1972949.html CONFIRM http://struts.apache.org/development/2.x/docs/s2-015.html http://struts.apache.org/development/2.x/docs/s2-015.html OSSINDEX https://ossindex.sonatype.org/vuln/5caecd83-b961-48ca-b29e-f39b8f302d08 [CVE-2013-2134] Improper Control of Generation of Code ("Code Injection") cpe:2.3:a:apache:struts:*:*:*:*:*:*:*:* CVE-2013-2135 HIGH 9.3 NETWORK MEDIUM NONE COMPLETE COMPLETE COMPLETE HIGH CWE-94 Apache Struts 2 before 2.3.14.3 allows remote attackers to execute arbitrary OGNL code via a request with a crafted value that contains both "${}" and "%{}" sequences, which causes the OGNL code to be evaluated twice. 
BID http://www.securityfocus.com/bid/64758 64758 CONFIRM http://www.oracle.com/technetwork/topics/security/cpuoct2013-1899837.html http://www.oracle.com/technetwork/topics/security/cpuoct2013-1899837.html OSSINDEX https://ossindex.sonatype.org/vuln/35c24ffb-ba83-44a8-95a7-008281c53ec9 [CVE-2013-2135] Improper Control of Generation of Code ("Code Injection") MISC https://cwiki.apache.org/confluence/display/WW/S2-015 https://cwiki.apache.org/confluence/display/WW/S2-015 CONFIRM http://www.oracle.com/technetwork/topics/security/cpujan2014-1972949.html http://www.oracle.com/technetwork/topics/security/cpujan2014-1972949.html CONFIRM http://struts.apache.org/development/2.x/docs/s2-015.html http://struts.apache.org/development/2.x/docs/s2-015.html cpe:2.3:a:apache:struts:*:*:*:*:*:*:*:* CVE-2013-2248 MEDIUM 5.8 NETWORK MEDIUM NONE PARTIAL PARTIAL NONE MEDIUM CWE-20 Multiple open redirect vulnerabilities in Apache Struts 2.0.0 through 2.3.15 allow remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in a parameter using the (1) redirect: or (2) redirectAction: prefix. 
BID http://www.securityfocus.com/bid/64758 64758 BID http://www.securityfocus.com/bid/61196 61196 OSSINDEX https://ossindex.sonatype.org/vuln/c9390e41-5b7a-44fb-a710-7b90ad7d184d [CVE-2013-2248] Improper Input Validation CONFIRM http://www.oracle.com/technetwork/topics/security/cpuoct2013-1899837.html http://www.oracle.com/technetwork/topics/security/cpuoct2013-1899837.html CONFIRM http://www.oracle.com/technetwork/topics/security/cpujan2014-1972949.html http://www.oracle.com/technetwork/topics/security/cpujan2014-1972949.html CONFIRM http://www.fujitsu.com/global/support/software/security/products-f/interstage-bpm-analytics-201301e.html http://www.fujitsu.com/global/support/software/security/products-f/interstage-bpm-analytics-201301e.html CONFIRM http://struts.apache.org/release/2.3.x/docs/s2-017.html http://struts.apache.org/release/2.3.x/docs/s2-017.html cpe:2.3:a:apache:struts:2.1.8.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.7:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.14.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.10:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.4:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.1.4:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.4:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.7:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.1.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.14:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.2.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.1.6:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.11:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.14.2:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.11.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.9:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.13:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.1.0:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.2.3:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.14.3:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.3:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.2:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.12:*:*:*:*:*:*:* 
cpe:2.3:a:apache:struts:2.1.5:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.1.2:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.1.8:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.15:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.1.2:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.8:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.5:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.12:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.4.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.8:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.11.2:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.6:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.3:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.1.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.2.1.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.0:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.2.3.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.1.3:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.14:*:*:*:*:*:*:* CVE-2013-2251 HIGH 9.3 NETWORK MEDIUM NONE COMPLETE COMPLETE COMPLETE HIGH CWE-20 Apache Struts 2.0.0 through 2.3.15 allows remote attackers to execute arbitrary OGNL expressions via a parameter with a crafted (1) action:, (2) redirect:, or (3) redirectAction: prefix. 
FULLDISC http://seclists.org/fulldisclosure/2013/Oct/96 20131013 Apache Software Foundation A Subsite Remote command execution CISCO http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20131023-struts2 20131023 Apache Struts 2 Command Execution Vulnerability in Multiple Cisco Products BID http://www.securityfocus.com/bid/61189 61189 CONFIRM http://struts.apache.org/release/2.3.x/docs/s2-016.html http://struts.apache.org/release/2.3.x/docs/s2-016.html CONFIRM http://www.oracle.com/technetwork/topics/security/cpujan2014-1972949.html http://www.oracle.com/technetwork/topics/security/cpujan2014-1972949.html SECTRACK http://www.securitytracker.com/id/1029184 1029184 CONFIRM http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html BID http://www.securityfocus.com/bid/64758 64758 MLIST http://seclists.org/oss-sec/2014/q1/89 [oss-security] 20140114 Re: CVE Request: Apache Archiva Remote Command Execution 0day OSVDB http://osvdb.org/98445 98445 SECTRACK http://www.securitytracker.com/id/1032916 1032916 MISC http://cxsecurity.com/issue/WLB-2014010087 http://cxsecurity.com/issue/WLB-2014010087 CONFIRM http://www.fujitsu.com/global/support/software/security/products-f/interstage-bpm-analytics-201301e.html http://www.fujitsu.com/global/support/software/security/products-f/interstage-bpm-analytics-201301e.html CONFIRM http://archiva.apache.org/security.html http://archiva.apache.org/security.html OSSINDEX https://ossindex.sonatype.org/vuln/65c550a7-b490-400a-9858-dd19c74a8a76 [CVE-2013-2251] Improper Input Validation XF https://exchange.xforce.ibmcloud.com/vulnerabilities/90392 apache-archiva-ognl-command-exec(90392) cpe:2.3:a:apache:struts:2.1.8.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.7:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.14.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.10:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.4:*:*:*:*:*:*:* 
cpe:2.3:a:apache:struts:2.1.4:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.4:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.7:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.1.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.14:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.2.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.1.6:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.11:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.14.2:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.11.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.9:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.13:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.1.0:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.2.3:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.14.3:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.3:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.2:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.12:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.1.5:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.1.2:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.1.8:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.15:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.1.2:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.8:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.5:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.12:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.4.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.8:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.11.2:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.6:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.3:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.1.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.2.1.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.0:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.2.3.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.1.3:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.14:*:*:*:*:*:*:* CVE-2013-4310 MEDIUM 5.8 NETWORK MEDIUM NONE PARTIAL PARTIAL NONE MEDIUM CWE-264 Apache Struts 2.0.0 through 2.3.15.1 allows remote attackers to bypass access controls via a crafted action: prefix. 
BID http://www.securityfocus.com/bid/64758 64758 BUGTRAQ http://archives.neohapsis.com/archives/bugtraq/2013-09/0107.html 20130921 [ANN] Struts 2.3.15.2 GA release available - security fix SECUNIA http://secunia.com/advisories/54919 54919 SECUNIA http://secunia.com/advisories/56492 56492 CONFIRM http://www.oracle.com/technetwork/topics/security/cpujan2014-1972949.html http://www.oracle.com/technetwork/topics/security/cpujan2014-1972949.html CONFIRM http://struts.apache.org/release/2.3.x/docs/s2-018.html http://struts.apache.org/release/2.3.x/docs/s2-018.html BUGTRAQ http://archives.neohapsis.com/archives/bugtraq/2013-10/0083.html 20131017 [ANN] Struts 2.3.15.3 GA release available - security fix OSSINDEX https://ossindex.sonatype.org/vuln/5a506927-e6fa-4857-b80f-0c04f3d31a86 [CVE-2013-4310] Permissions, Privileges, and Access Controls SECTRACK http://www.securitytracker.com/id/1029077 1029077 SECUNIA http://secunia.com/advisories/56483 56483 cpe:2.3:a:apache:struts:2.1.8.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.15.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.7:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.14.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.10:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.4:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.1.4:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.4:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.7:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.1.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.14:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.2.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.1.6:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.11:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.14.2:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.11.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.9:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.13:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.1.0:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.2.3:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.14.3:*:*:*:*:*:*:* 
cpe:2.3:a:apache:struts:2.0.3:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.2:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.12:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.1.5:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.1.2:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.1.8:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.15:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.1.2:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.8:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.5:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.12:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.4.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.8:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.11.2:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.6:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.3:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.1.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.2.1.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.0:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.2.3.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.1.3:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.14:*:*:*:*:*:*:* CVE-2013-4316 HIGH 10.0 NETWORK LOW NONE COMPLETE COMPLETE COMPLETE HIGH CWE-284 NVD-CWE-noinfo CWE-16 Apache Struts 2.0.0 through 2.3.15.1 enables Dynamic Method Invocation by default, which has unknown impact and attack vectors. 
BID http://www.securityfocus.com/bid/64758 64758 BUGTRAQ http://archives.neohapsis.com/archives/bugtraq/2013-09/0107.html 20130921 [ANN] Struts 2.3.15.2 GA release available - security fix OSSINDEX https://ossindex.sonatype.org/vuln/9da89f99-d083-43d3-a74c-b20fd6cb2da7 [CVE-2013-4316] Improper Access Control CONFIRM http://www.oracle.com/technetwork/topics/security/cpujan2014-1972949.html http://www.oracle.com/technetwork/topics/security/cpujan2014-1972949.html SECTRACK http://www.securitytracker.com/id/1029078 1029078 CONFIRM http://struts.apache.org/release/2.3.x/docs/s2-019.html http://struts.apache.org/release/2.3.x/docs/s2-019.html cpe:2.3:a:apache:struts:2.1.8.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.7:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.14.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.10:*:*:*:*:*:*:* cpe:2.3:a:oracle:flexcube_private_banking:2.0:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.4:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.2.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.1.6:*:*:*:*:*:*:* cpe:2.3:a:oracle:flexcube_private_banking:1.7:*:*:*:*:*:*:* cpe:2.3:a:oracle:flexcube_private_banking:12.0.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.13:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.1.0:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.2:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.12:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.1.8:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.15:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.1.2:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.12:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.4.1:*:*:*:*:*:*:* cpe:2.3:a:oracle:flexcube_private_banking:2.0.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.11.2:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.3:*:*:*:*:*:*:* cpe:2.3:a:oracle:mysql_enterprise_monitor:*:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.1.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.2.1.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.0:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.14:*:*:*:*:*:*:* 
cpe:2.3:a:apache:struts:2.3.15.1:*:*:*:*:*:*:* cpe:2.3:a:oracle:flexcube_private_banking:3.0:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.1.4:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.4:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.7:*:*:*:*:*:*:* cpe:2.3:a:oracle:flexcube_private_banking:12.0.2:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.1.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.1:*:*:*:*:*:*:* cpe:2.3:a:oracle:webcenter_sites:11.1.1.6.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.14:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.11:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.14.2:*:*:*:*:*:*:* cpe:2.3:a:oracle:mysql_enterprise_monitor:*:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.11.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.9:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.2.3:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.14.3:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.3:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.1.5:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.1.2:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.8:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.5:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.8:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.6:*:*:*:*:*:*:* cpe:2.3:a:oracle:webcenter_sites:11.1.1.8.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:flexcube_private_banking:2.2.0.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.2.3.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.1.3:*:*:*:*:*:*:* CVE-2014-0094 MEDIUM 5.0 NETWORK LOW NONE NONE NONE NONE MEDIUM NVD-CWE-noinfo The ParametersInterceptor in Apache Struts before 2.3.16.2 allows remote attackers to "manipulate" the ClassLoader via the class parameter, which is passed to the getClass method. CONFIRM http://www.oracle.com/technetwork/topics/security/cpuapr2015-2365600.html http://www.oracle.com/technetwork/topics/security/cpuapr2015-2365600.html OSSINDEX https://ossindex.sonatype.org/vuln/46502110-4592-408e-836b-331e9ee41e6b [CVE-2014-0094] The ParametersInterceptor in Apache Struts before 2.3.16.1 allows remote attacke... 
BUGTRAQ http://www.securityfocus.com/archive/1/532549/100/0/threaded 20140625 NEW VMSA-2014-0007 - VMware product updates address security vulnerabilities in Apache Struts library SECUNIA http://secunia.com/advisories/56440 56440 CONFIRM http://struts.apache.org/release/2.3.x/docs/s2-020.html http://struts.apache.org/release/2.3.x/docs/s2-020.html BUGTRAQ http://www.securityfocus.com/archive/1/531362/100/0/threaded 20140306 [ANN] Struts 2.3.16.1 GA release available - security fix JVNDB http://jvndb.jvn.jp/jvndb/JVNDB-2014-000045 JVNDB-2014-000045 MISC http://packetstormsecurity.com/files/127215/VMware-Security-Advisory-2014-0007.html http://packetstormsecurity.com/files/127215/VMware-Security-Advisory-2014-0007.html SECUNIA http://secunia.com/advisories/59178 59178 CONFIRM http://www.konakart.com/downloads/ver-7-3-0-0-whats-new http://www.konakart.com/downloads/ver-7-3-0-0-whats-new SECTRACK http://www.securitytracker.com/id/1029876 1029876 BID http://www.securityfocus.com/bid/65999 65999 CONFIRM http://www-01.ibm.com/support/docview.wss?uid=swg21676706 http://www-01.ibm.com/support/docview.wss?uid=swg21676706 JVN http://jvn.jp/en/jp/JVN19294237/index.html JVN#19294237 CONFIRM http://www.vmware.com/security/advisories/VMSA-2014-0007.html http://www.vmware.com/security/advisories/VMSA-2014-0007.html CONFIRM http://www.huawei.com/en/security/psirt/security-bulletins/security-advisories/hw-350733.htm http://www.huawei.com/en/security/psirt/security-bulletins/security-advisories/hw-350733.htm cpe:2.3:a:apache:struts:*:*:*:*:*:*:*:* CVE-2014-0112 HIGH 7.5 NETWORK LOW NONE PARTIAL PARTIAL PARTIAL HIGH CWE-264 ParametersInterceptor in Apache Struts before 2.3.20 does not properly restrict access to the getClass method, which allows remote attackers to "manipulate" the ClassLoader and execute arbitrary code via a crafted request. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-0094. 
CONFIRM http://www.oracle.com/technetwork/topics/security/cpuapr2015-2365600.html http://www.oracle.com/technetwork/topics/security/cpuapr2015-2365600.html CONFIRM https://bugzilla.redhat.com/show_bug.cgi?id=1091939 https://bugzilla.redhat.com/show_bug.cgi?id=1091939 BID http://www.securityfocus.com/bid/67064 67064 SECUNIA http://secunia.com/advisories/59500 59500 CONFIRM https://cwiki.apache.org/confluence/display/WW/S2-021 https://cwiki.apache.org/confluence/display/WW/S2-021 BUGTRAQ http://www.securityfocus.com/archive/1/531952/100/0/threaded 20140426 [ANN] Struts 2.3.16.2 GA release available - security fix OSSINDEX https://ossindex.sonatype.org/vuln/434eada7-81e4-4e5b-854c-a4ea6eedab39 [CVE-2014-0112] Permissions, Privileges, and Access Controls BUGTRAQ http://www.securityfocus.com/archive/1/532549/100/0/threaded 20140625 NEW VMSA-2014-0007 - VMware product updates address security vulnerabilities in Apache Struts library REDHAT https://access.redhat.com/errata/RHSA-2019:0910 RHSA-2019:0910 JVNDB http://jvndb.jvn.jp/jvndb/JVNDB-2014-000045 JVNDB-2014-000045 MISC http://packetstormsecurity.com/files/127215/VMware-Security-Advisory-2014-0007.html http://packetstormsecurity.com/files/127215/VMware-Security-Advisory-2014-0007.html SECUNIA http://secunia.com/advisories/59178 59178 CONFIRM http://www-01.ibm.com/support/docview.wss?uid=swg21676706 http://www-01.ibm.com/support/docview.wss?uid=swg21676706 JVN http://jvn.jp/en/jp/JVN19294237/index.html JVN#19294237 CONFIRM http://www.vmware.com/security/advisories/VMSA-2014-0007.html http://www.vmware.com/security/advisories/VMSA-2014-0007.html cpe:2.3:a:apache:struts:*:*:*:*:*:*:*:* CVE-2014-0113 HIGH 7.5 NETWORK LOW NONE PARTIAL PARTIAL PARTIAL HIGH CWE-264 CookieInterceptor in Apache Struts before 2.3.20, when a wildcard cookiesName value is used, does not properly restrict access to the getClass method, which allows remote attackers to "manipulate" the ClassLoader and execute arbitrary code via a crafted request. 
NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-0094. OSSINDEX https://ossindex.sonatype.org/vuln/ff890408-a4b8-4e3f-a892-ee7e72b2c8e3 [CVE-2014-0113] Permissions, Privileges, and Access Controls CONFIRM http://www.oracle.com/technetwork/topics/security/cpuapr2015-2365600.html http://www.oracle.com/technetwork/topics/security/cpuapr2015-2365600.html SECUNIA http://secunia.com/advisories/59178 59178 CONFIRM https://cwiki.apache.org/confluence/display/WW/S2-021 https://cwiki.apache.org/confluence/display/WW/S2-021 BUGTRAQ http://www.securityfocus.com/archive/1/531952/100/0/threaded 20140426 [ANN] Struts 2.3.16.2 GA release available - security fix CONFIRM http://www-01.ibm.com/support/docview.wss?uid=swg21676706 http://www-01.ibm.com/support/docview.wss?uid=swg21676706 cpe:2.3:a:apache:struts:*:*:*:*:*:*:*:* CVE-2014-0116 MEDIUM 5.8 NETWORK MEDIUM NONE NONE NONE PARTIAL MEDIUM CWE-264 CookieInterceptor in Apache Struts 2.x before 2.3.20, when a wildcard cookiesName value is used, does not properly restrict access to the getClass method, which allows remote attackers to "manipulate" the ClassLoader and modify session state via a crafted request. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-0113. 
CONFIRM http://www.oracle.com/technetwork/topics/security/cpuapr2015-2365600.html http://www.oracle.com/technetwork/topics/security/cpuapr2015-2365600.html BID http://www.securityfocus.com/bid/67218 67218 OSSINDEX https://ossindex.sonatype.org/vuln/4fe47992-e6ac-4907-9255-dc29ce47c288 [CVE-2014-0116] Permissions, Privileges, and Access Controls SECUNIA http://secunia.com/advisories/59816 59816 CONFIRM http://struts.apache.org/release/2.3.x/docs/s2-022.html http://struts.apache.org/release/2.3.x/docs/s2-022.html CONFIRM http://www.huawei.com/en/security/psirt/security-bulletins/security-advisories/hw-350733.htm http://www.huawei.com/en/security/psirt/security-bulletins/security-advisories/hw-350733.htm cpe:2.3:a:apache:struts:2.1.8.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.7:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.14.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.10:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.4:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.16.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.2.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.1.6:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.13:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.1.0:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.2:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.12:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.1.8:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.15:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.1.2:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.12:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.4.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.11.2:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.3:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.1.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.2.1.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.0:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.14:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.15.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.16:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.1.4:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.4:*:*:*:*:*:*:* 
cpe:2.3:a:apache:struts:2.3.7:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.1.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.14:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.11:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.14.2:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.11.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.9:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.16.2:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.2.3:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.14.3:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.3:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.1.5:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.1.2:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.8:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.5:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.8:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.15.2:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.6:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.2.3.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.1.3:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.15.3:*:*:*:*:*:*:* CVE-2014-7809 MEDIUM 6.8 NETWORK MEDIUM NONE PARTIAL PARTIAL PARTIAL MEDIUM CWE-352 Apache Struts 2.0.0 through 2.3.x before 2.3.20 uses predictable <s:token/> values, which allows remote attackers to bypass the CSRF protection mechanism. 
MISC http://packetstormsecurity.com/files/129421/Apache-Struts-2.3.20-Security-Fixes.html http://packetstormsecurity.com/files/129421/Apache-Struts-2.3.20-Security-Fixes.html CONFIRM http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html CONFIRM http://www.oracle.com/technetwork/topics/security/cpuapr2015-2365600.html http://www.oracle.com/technetwork/topics/security/cpuapr2015-2365600.html OSSINDEX https://ossindex.sonatype.org/vuln/5649009f-ed2c-4307-b48a-77ba1fd80ac1 [CVE-2014-7809] Cross-Site Request Forgery (CSRF) BID http://www.securityfocus.com/bid/71548 71548 CONFIRM http://struts.apache.org/docs/s2-023.html http://struts.apache.org/docs/s2-023.html CONFIRM http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html SECTRACK http://www.securitytracker.com/id/1031309 1031309 BUGTRAQ http://www.securityfocus.com/archive/1/534175/100/0/threaded 20141208 [ANN] Apache Struts 2.3.20 GA release available with security fix cpe:2.3:a:apache:struts:2.1.8.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.7:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.14.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.10:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.4:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.16.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.2.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.1.6:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.13:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.1.0:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.2:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.12:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.1.8:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.15:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.1.2:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.12:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.4.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.11.2:*:*:*:*:*:*:* 
cpe:2.3:a:apache:struts:2.3.3:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.1.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.2.1.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.0:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.14:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.15.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.16:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.1.4:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.4:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.7:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.1.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.14:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.11:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.14.2:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.11.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.9:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.16.2:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.2.3:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.14.3:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.16.3:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.3:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.1.5:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.1.2:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.8:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.5:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.8:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.15.2:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.6:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.2.3.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.1.3:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.15.3:*:*:*:*:*:*:* CVE-2015-5169 MEDIUM 4.3 NETWORK MEDIUM NONE NONE NONE NONE MEDIUM 6.1 NETWORK LOW NONE REQUIRED CHANGED LOW LOW NONE MEDIUM CWE-79 Cross-site scripting (XSS) vulnerability in Apache Struts before 2.3.20. 
CONFIRM https://bugzilla.redhat.com/show_bug.cgi?id=1260087 https://bugzilla.redhat.com/show_bug.cgi?id=1260087 CONFIRM https://struts.apache.org/docs/s2-025.html https://struts.apache.org/docs/s2-025.html JVNDB http://jvndb.jvn.jp/en/contents/2015/JVNDB-2015-000125.html JVNDB-2015-000125 OSSINDEX https://ossindex.sonatype.org/vuln/6bd24132-f4fa-4dc0-b479-b69b115bd59f [CVE-2015-5169] Cross-site scripting (XSS) vulnerability in Apache Struts before 2.3.20. BID http://www.securityfocus.com/bid/76625 76625 CONFIRM https://security.netapp.com/advisory/ntap-20180629-0003/ https://security.netapp.com/advisory/ntap-20180629-0003/ JVN http://jvn.jp/en/jp/JVN95989300/index.html JVN#95989300 cpe:2.3:a:apache:struts:*:*:*:*:*:*:*:* CVE-2015-5209 HIGH 5.0 NETWORK LOW NONE NONE NONE NONE MEDIUM 7.5 NETWORK LOW NONE NONE UNCHANGED NONE HIGH NONE HIGH CWE-20 Apache Struts 2.x before 2.3.24.1 allows remote attackers to manipulate Struts internals, alter user sessions, or affect container settings via vectors involving a top object. 
CONFIRM https://security.netapp.com/advisory/ntap-20180629-0002/ https://security.netapp.com/advisory/ntap-20180629-0002/ OSSINDEX https://ossindex.sonatype.org/vuln/d8c9a55c-b6f6-4b1c-a675-947ac1c64ec7 [CVE-2015-5209] Improper Input Validation BID http://www.securityfocus.com/bid/82550 82550 SECTRACK http://www.securitytracker.com/id/1033908 1033908 CONFIRM https://struts.apache.org/docs/s2-026.html https://struts.apache.org/docs/s2-026.html cpe:2.3:a:apache:struts:2.1.8.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.7:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.14.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.10:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.4:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.16.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.2.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.1.6:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.6:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.17:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.20.2:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.23:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.13:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.1.0:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.11:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.2:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.12:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.5:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.22:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.1.8:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.15:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.1.2:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.12:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.4.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.11.2:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.21:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.3:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.1.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.2.1.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.0:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.20:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.14:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.13:*:*:*:*:*:*:* 
cpe:2.3:a:apache:struts:2.3.20.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.15.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.16:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.10:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.1.4:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.4:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.7:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.1.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.19:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.14:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.11:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.14.2:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.11.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.24:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.9:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.16.2:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.2.3:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.14.3:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.16.3:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.3:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.1.5:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.1.2:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.8:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.5:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.8:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.15.2:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.6:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.2.3.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.1.3:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.9:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.15.3:*:*:*:*:*:*:* CVE-2016-0785 HIGH 9.0 NETWORK LOW SINGLE COMPLETE COMPLETE COMPLETE HIGH 8.8 NETWORK LOW LOW NONE UNCHANGED HIGH HIGH HIGH HIGH CWE-20 Apache Struts 2.x before 2.3.28 allows remote attackers to execute arbitrary code via a "%{}" sequence in a tag attribute, aka forced double OGNL evaluation. 
CONFIRM http://struts.apache.org/docs/s2-029.html http://struts.apache.org/docs/s2-029.html SECTRACK http://www.securitytracker.com/id/1035271 1035271 BID http://www.securityfocus.com/bid/85066 85066 OSSINDEX https://ossindex.sonatype.org/vuln/5684f0fd-6580-461f-a0f6-eda4176de9bb [CVE-2016-0785] Improper Input Validation cpe:2.3:a:apache:struts:2.3.24.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.24:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:*:*:*:*:*:*:*:* CVE-2016-2162 MEDIUM 4.3 NETWORK MEDIUM NONE NONE NONE NONE MEDIUM 6.1 NETWORK LOW NONE REQUIRED CHANGED LOW LOW NONE MEDIUM CWE-79 Apache Struts 2.x before 2.3.25 does not sanitize text in the Locale object constructed by I18NInterceptor, which might allow remote attackers to conduct cross-site scripting (XSS) attacks via unspecified vectors involving language display. SECTRACK http://www.securitytracker.com/id/1035272 1035272 CONFIRM http://struts.apache.org/docs/s2-030.html http://struts.apache.org/docs/s2-030.html BID http://www.securityfocus.com/bid/85070 85070 OSSINDEX https://ossindex.sonatype.org/vuln/4fa8ad37-bc1f-4136-a277-c1974de7242a [CVE-2016-2162] Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") cpe:2.3:a:apache:struts:2.1.8.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.7:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.14.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.10:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.4:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.16.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.2.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.1.6:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.1.2_beta:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.13:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.1.0:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.2:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.12:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.1.8:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.15:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.1.2:*:*:*:*:*:*:* 
cpe:2.3:a:apache:struts:2.3.12:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.4.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.11.2:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.3:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.1.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.2.1.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.0:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.20:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.14:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.24.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.15.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.16:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.1.4:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.4:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.7:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.1.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.14:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.11:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.14.2:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.11.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.24:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.9:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.16.2:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.2.3:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.14.3:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.16.3:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.3:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.1.5:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.1.2:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.8:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.5:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.8:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.15.2:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.6:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.2.3.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.1.3:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.15.3:*:*:*:*:*:*:* CVE-2016-3081 HIGH 9.3 NETWORK MEDIUM NONE COMPLETE COMPLETE COMPLETE HIGH 8.1 NETWORK HIGH NONE NONE UNCHANGED HIGH HIGH HIGH HIGH CWE-77 Apache Struts 2.3.19 to 2.3.20.2, 2.3.21 to 2.3.24.1, and 2.3.25 to 2.3.28, when Dynamic Method 
Invocation is enabled, allow remote attackers to execute arbitrary code via method: prefix, related to chained expressions. CONFIRM https://struts.apache.org/docs/s2-032.html https://struts.apache.org/docs/s2-032.html BID http://www.securityfocus.com/bid/87327 87327 MISC http://www.rapid7.com/db/modules/exploit/multi/http/struts_dmi_exec http://www.rapid7.com/db/modules/exploit/multi/http/struts_dmi_exec OSSINDEX https://ossindex.sonatype.org/vuln/fddf085b-72d4-4af0-a0a2-c1c1515e801b [CVE-2016-3081] Improper Neutralization of Special Elements used in a Command (Command Injection) CONFIRM http://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html http://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html CONFIRM http://www.huawei.com/en/psirt/security-advisories/huawei-sa-20160527-01-struts2-en http://www.huawei.com/en/psirt/security-advisories/huawei-sa-20160527-01-struts2-en CONFIRM http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html MISC http://packetstormsecurity.com/files/136856/Apache-Struts-2.3.28-Dynamic-Method-Invocation-Remote-Code-Execution.html http://packetstormsecurity.com/files/136856/Apache-Struts-2.3.28-Dynamic-Method-Invocation-Remote-Code-Execution.html MISC http://www.rapid7.com/db/modules/exploit/linux/http/struts_dmi_exec http://www.rapid7.com/db/modules/exploit/linux/http/struts_dmi_exec SECTRACK http://www.securitytracker.com/id/1035665 1035665 EXPLOIT-DB https://www.exploit-db.com/exploits/39756/ 39756 BID http://www.securityfocus.com/bid/91787 91787 cpe:2.3:a:apache:struts:2.1.8.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.7:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.14.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.10:*:*:*:*:*:*:* cpe:2.3:a:oracle:siebel_e-billing:7.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.4:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.1:*:*:*:*:*:*:* 
cpe:2.3:a:apache:struts:2.3.16.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.2.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.1.6:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.13:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.1.0:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.2:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.12:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.1.8:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.15:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.1.2:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.12:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.4.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.11.2:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.3:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.1.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.2.1.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.0:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.20:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.14:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.20.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.24.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.15.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.16:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.1.4:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.4:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.7:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.1.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.14:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.11:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.14.2:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.11.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.24:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.9:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.16.2:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.2.3:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.14.3:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.16.3:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.3:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.1.5:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.1.2:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.8:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.5:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.28:*:*:*:*:*:*:* 
cpe:2.3:a:apache:struts:2.0.8:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.15.2:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.6:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.2.3.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.1.3:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.15.3:*:*:*:*:*:*:* CVE-2016-3082 CRITICAL 10.0 NETWORK LOW NONE COMPLETE COMPLETE COMPLETE HIGH 9.8 NETWORK LOW NONE NONE UNCHANGED HIGH HIGH HIGH CRITICAL CWE-20 XSLTResult in Apache Struts 2.x before 2.3.20.2, 2.3.24.x before 2.3.24.2, and 2.3.28.x before 2.3.28.1 allows remote attackers to execute arbitrary code via the stylesheet location parameter. SECTRACK http://www.securitytracker.com/id/1035664 1035664 CONFIRM http://struts.apache.org/docs/s2-031.html http://struts.apache.org/docs/s2-031.html BID http://www.securityfocus.com/bid/88826 88826 OSSINDEX https://ossindex.sonatype.org/vuln/f996580c-3f8a-48b4-9aac-083e8a576ef6 [CVE-2016-3082] Improper Input Validation cpe:2.3:a:apache:struts:2.1.8.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.7:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.14.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.10:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.4:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.16.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.2.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.1.6:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.13:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.1.0:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.2:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.12:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.1.8:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.15:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.1.2:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.12:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.4.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.11.2:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.3:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.1.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.2.1.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.0:*:*:*:*:*:*:* 
cpe:2.3:a:apache:struts:2.3.20:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.14:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.20.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.24.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.15.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.16:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.1.4:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.4:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.7:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.1.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.14:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.11:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.14.2:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.11.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.24:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.9:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.16.2:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.2.3:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.14.3:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.16.3:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.3:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.1.5:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.1.2:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.8:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.5:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.28:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.8:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.15.2:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.6:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.2.3.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.1.3:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.15.3:*:*:*:*:*:*:* CVE-2016-3090 HIGH 6.5 NETWORK LOW SINGLE PARTIAL PARTIAL PARTIAL MEDIUM 8.8 NETWORK LOW LOW NONE UNCHANGED HIGH HIGH HIGH HIGH CWE-20 The TextParseUtil.translateVariables method in Apache Struts 2.x before 2.3.20 allows remote attackers to execute arbitrary code via a crafted OGNL expression with ANTLR tooling. 
CONFIRM https://struts.apache.org/docs/s2-027.html https://struts.apache.org/docs/s2-027.html CONFIRM https://security.netapp.com/advisory/ntap-20180629-0005/ https://security.netapp.com/advisory/ntap-20180629-0005/ BID http://www.securityfocus.com/bid/85131 85131 SECTRACK https://www.securitytracker.com/id/1035267 1035267 OSSINDEX https://ossindex.sonatype.org/vuln/e5b8e18a-9921-4c6f-9d11-8bc2497571f0 [CVE-2016-3090] The TextParseUtil.translateVariables method in Apache Struts 2.x before 2.3.20 a... cpe:2.3:a:apache:struts:2.1.8.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.7:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.14.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.10:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.4:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.16.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.2.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.1.6:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.6:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.17:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.13:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.1.0:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.11:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.2:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.12:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.5:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.1.8:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.15:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.1.2:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.12:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.4.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.11.2:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.3:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.1.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.2.1.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.14:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.13:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.15.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.16:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.10:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.1.7:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.1.4:*:*:*:*:*:*:* 
cpe:2.3:a:apache:struts:2.3.4:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.7:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.1.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.19:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.14:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.11:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.14.2:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.11.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.9:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.16.2:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.2.3:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.14.3:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.16.3:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.3:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.1.5:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.1.2:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.8:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.5:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.8:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.15.2:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.6:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.2.3.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.1.3:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.9:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.15.3:*:*:*:*:*:*:* CVE-2016-3093 MEDIUM 5.0 NETWORK LOW NONE NONE NONE PARTIAL MEDIUM 5.3 NETWORK LOW NONE NONE UNCHANGED NONE NONE LOW MEDIUM CWE-20 Apache Struts 2.0.0 through 2.3.24.1 does not properly cache method references when used with OGNL before 3.0.12, which allows remote attackers to cause a denial of service (block access to a web site) via unspecified vectors. 
CONFIRM http://struts.apache.org/docs/s2-034.html http://struts.apache.org/docs/s2-034.html OSSINDEX https://ossindex.sonatype.org/vuln/74cddd35-3e8e-4460-bb8f-03eef3b4d382 [CVE-2016-3093] Improper Input Validation CONFIRM http://www-01.ibm.com/support/docview.wss?uid=swg21987854 http://www-01.ibm.com/support/docview.wss?uid=swg21987854 SECTRACK http://www.securitytracker.com/id/1036018 1036018 BID http://www.securityfocus.com/bid/90961 90961 cpe:2.3:a:apache:struts:2.1.8.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.7:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.14.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.10:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.4:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.16.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.2.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.1.6:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.13:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.1.0:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.2:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.12:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.1.8:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.15:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.1.2:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.12:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.4.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.11.2:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.1.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.2.1.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.0:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.20:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.14:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.20.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.24.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.15.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.16:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.1.4:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.4:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.7:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.1.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.14:*:*:*:*:*:*:* 
cpe:2.3:a:apache:struts:2.0.11:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.14.2:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.11.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.24:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.9:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.16.2:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.2.3:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.14.3:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.16.3:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.3:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.1.5:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.1.2:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.20.3:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.8:*:*:*:*:*:*:* cpe:2.3:a:ognl_project:ognl:*:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.5:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.8:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.15.2:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.6:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.2.3.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.1.3:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.15.3:*:*:*:*:*:*:* CVE-2016-4003 MEDIUM 4.3 NETWORK MEDIUM NONE NONE NONE NONE MEDIUM 6.1 NETWORK LOW NONE REQUIRED CHANGED LOW LOW NONE MEDIUM CWE-79 Cross-site scripting (XSS) vulnerability in the URLDecoder function in JRE before 1.8, as used in Apache Struts 2.x before 2.3.28, when using a single byte page encoding, allows remote attackers to inject arbitrary web script or HTML via multi-byte characters in a url-encoded parameter. 
BID http://www.securityfocus.com/bid/86311 86311 CONFIRM http://struts.apache.org/docs/s2-028.html http://struts.apache.org/docs/s2-028.html SECTRACK http://www.securitytracker.com/id/1035268 1035268 CONFIRM https://issues.apache.org/jira/browse/WW-4507 https://issues.apache.org/jira/browse/WW-4507 OSSINDEX https://ossindex.sonatype.org/vuln/0081c46d-8e5f-4553-9937-d25f3399d130 [CVE-2016-4003] Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") cpe:2.3:a:apache:struts:*:*:*:*:*:*:*:* CVE-2016-4436 CRITICAL 7.5 NETWORK LOW NONE PARTIAL PARTIAL PARTIAL HIGH 9.8 NETWORK LOW NONE NONE UNCHANGED HIGH HIGH HIGH CRITICAL NVD-CWE-noinfo Apache Struts 2 before 2.3.29 and 2.5.x before 2.5.1 allow attackers to have unspecified impact via vectors related to improper action name clean up. BID http://www.securityfocus.com/bid/91280 91280 OSSINDEX https://ossindex.sonatype.org/vuln/63b9193d-7f44-46d5-8779-4a757d7bf37f [CVE-2016-4436] Apache Struts 2 before 2.3.29 and 2.5.x before 2.5.1 allow attackers to have uns... 
CONFIRM http://www-01.ibm.com/support/docview.wss?uid=ssg1S1009282 http://www-01.ibm.com/support/docview.wss?uid=ssg1S1009282 CONFIRM http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html CONFIRM https://struts.apache.org/docs/s2-035.html https://struts.apache.org/docs/s2-035.html CONFIRM http://www-01.ibm.com/support/docview.wss?uid=swg21987854 http://www-01.ibm.com/support/docview.wss?uid=swg21987854 cpe:2.3:a:apache:struts:2.1.8.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.7:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.14.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.4:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.5:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.16.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.2.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.1.6:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.5:beta1:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.5:beta2:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.2:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.12:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.1.8:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.15:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.1.2:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.12:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.4.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.11.2:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.3:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.1.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.2.1.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.0:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.20:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.14:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.28.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.20.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.24.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.15.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.16:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.4:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.7:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.1:*:*:*:*:*:*:* 
cpe:2.3:a:apache:struts:2.5:beta3:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.14:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.11:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.14.2:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.11.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.24:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.9:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.16.2:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.2.3:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.14.3:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.16.3:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.3:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.20.3:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.8:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.5:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.28:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.8:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.15.2:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.6:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.24.3:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.2.3.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.15.3:*:*:*:*:*:*:* CVE-2016-4461 HIGH 9.0 NETWORK LOW SINGLE COMPLETE COMPLETE COMPLETE HIGH 8.8 NETWORK LOW LOW NONE UNCHANGED HIGH HIGH HIGH HIGH CWE-20 Apache Struts 2.x before 2.3.29 allows remote attackers to execute arbitrary code via a "%{}" sequence in a tag attribute, aka forced double OGNL evaluation. NOTE: this vulnerability exists because of an incomplete fix for CVE-2016-0785. 
OSSINDEX https://ossindex.sonatype.org/vuln/12d9b800-934d-4726-94e9-7b83a650d274 [CVE-2016-4461] Improper Input Validation BID http://www.securityfocus.com/bid/91277 91277 CONFIRM https://struts.apache.org/docs/s2-036.html https://struts.apache.org/docs/s2-036.html CONFIRM https://security.netapp.com/advisory/ntap-20180629-0004/ https://security.netapp.com/advisory/ntap-20180629-0004/ cpe:2.3:a:apache:struts:*:*:*:*:*:*:*:* cpe:2.3:a:netapp:oncommand_balance:-:*:*:*:*:*:*:* CVE-2017-12611 CRITICAL 7.5 NETWORK LOW NONE PARTIAL PARTIAL PARTIAL HIGH 9.8 NETWORK LOW NONE NONE UNCHANGED HIGH HIGH HIGH CRITICAL CWE-20 In Apache Struts 2.0.0 through 2.3.33 and 2.5 through 2.5.10.1, using an unintentional expression in a Freemarker tag instead of string literals can lead to a RCE attack. BID http://www.securityfocus.com/bid/100829 100829 CONFIRM https://kb.netapp.com/support/s/article/ka51A000000CgttQAC/NTAP-20170911-0001 https://kb.netapp.com/support/s/article/ka51A000000CgttQAC/NTAP-20170911-0001 OSSINDEX https://ossindex.sonatype.org/vuln/dc3edaf8-51de-40d2-9ad1-725d1040aad2 [CVE-2017-12611] In Apache Struts 2.0.1 through 2.3.33 and 2.5 through 2.5.10, using an unintenti... 
CONFIRM http://www.oracle.com/technetwork/security-advisory/alert-cve-2017-9805-3889403.html http://www.oracle.com/technetwork/security-advisory/alert-cve-2017-9805-3889403.html CONFIRM http://www.arubanetworks.com/assets/alert/ARUBA-PSA-2017-003.txt http://www.arubanetworks.com/assets/alert/ARUBA-PSA-2017-003.txt CONFIRM https://struts.apache.org/docs/s2-053.html https://struts.apache.org/docs/s2-053.html cpe:2.3:a:apache:struts:2.1.8.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.7:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.14.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.10:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.31:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.4:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.5:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.16.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.2.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.1.6:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.6:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.17:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.5.6:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.29:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.5:beta1:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.5:beta2:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.20.2:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.23:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.13:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.1.0:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.11:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.2:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.12:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.5:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.5.8:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.22:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.1.8:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.15:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.1.2:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.12:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.4.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.11.2:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.21:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.5.9:*:*:*:*:*:*:* 
cpe:2.3:a:apache:struts:2.3.3:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.1.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.2.1.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.20:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.14:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.13:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.28.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.20.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.15.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.16:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.10:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.1.4:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.4:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.5.4:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.7:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.1.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.30:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.19:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.5:beta3:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.14:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.5.7:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.5.10:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.11:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.14.2:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.11.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.9:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.16.2:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.2.3:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.14.3:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.16.3:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.3:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.5.2:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.25:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.5.5:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.1.5:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.1.2:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.8:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.5:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.24.2:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.28:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.8:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.33:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.15.2:*:*:*:*:*:*:* 
cpe:2.3:a:apache:struts:2.0.6:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.5.3:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.5.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.27:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.24.3:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.2.3.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.1.3:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.26:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.32:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.9:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.15.3:*:*:*:*:*:*:* CVE-2017-5638 CRITICAL 10.0 NETWORK LOW NONE COMPLETE COMPLETE COMPLETE HIGH 10.0 NETWORK LOW NONE NONE CHANGED HIGH HIGH HIGH CRITICAL CWE-20 The Jakarta Multipart parser in Apache Struts 2 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1 has incorrect exception handling and error-message generation during file-upload attempts, which allows remote attackers to execute arbitrary commands via a crafted Content-Type, Content-Disposition, or Content-Length HTTP header, as exploited in the wild in March 2017 with a Content-Type header containing a #cmd= string. 
MISC http://blog.talosintelligence.com/2017/03/apache-0-day-exploited.html http://blog.talosintelligence.com/2017/03/apache-0-day-exploited.html MISC https://twitter.com/theog150/status/841146956135124993 https://twitter.com/theog150/status/841146956135124993 EXPLOIT-DB https://exploit-db.com/exploits/41570 41570 CONFIRM https://git1-us-west.apache.org/repos/asf?p=struts.git;a=commit;h=352306493971e7d5a756d61780d57a76eb1f519a https://git1-us-west.apache.org/repos/asf?p=struts.git;a=commit;h=352306493971e7d5a756d61780d57a76eb1f519a OSSINDEX https://ossindex.sonatype.org/vuln/6fb3b58b-cf18-450e-ba0d-74432bc5ecff [CVE-2017-5638] Improper Input Validation CONFIRM http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html CONFIRM https://git1-us-west.apache.org/repos/asf?p=struts.git;a=commit;h=6b8272ce47160036ed120a48345d9aa884477228 https://git1-us-west.apache.org/repos/asf?p=struts.git;a=commit;h=6b8272ce47160036ed120a48345d9aa884477228 SECTRACK http://www.securitytracker.com/id/1037973 1037973 EXPLOIT-DB https://www.exploit-db.com/exploits/41614/ 41614 CONFIRM https://www.symantec.com/security-center/network-protection-security-advisories/SA145 https://www.symantec.com/security-center/network-protection-security-advisories/SA145 CONFIRM https://support.lenovo.com/us/en/product_security/len-14200 https://support.lenovo.com/us/en/product_security/len-14200 CONFIRM http://www.arubanetworks.com/assets/alert/ARUBA-PSA-2017-002.txt http://www.arubanetworks.com/assets/alert/ARUBA-PSA-2017-002.txt CONFIRM https://h20566.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbgn03749en_us https://h20566.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbgn03749en_us CONFIRM https://cwiki.apache.org/confluence/display/WW/S2-045 https://cwiki.apache.org/confluence/display/WW/S2-045 BID http://www.securityfocus.com/bid/96729 96729 CONFIRM 
https://cwiki.apache.org/confluence/display/WW/S2-046 https://cwiki.apache.org/confluence/display/WW/S2-046 MISC https://www.imperva.com/blog/2017/03/cve-2017-5638-new-remote-code-execution-rce-vulnerability-in-apache-struts-2/ https://www.imperva.com/blog/2017/03/cve-2017-5638-new-remote-code-execution-rce-vulnerability-in-apache-struts-2/ MISC https://github.com/rapid7/metasploit-framework/issues/8064 https://github.com/rapid7/metasploit-framework/issues/8064 CONFIRM https://h20566.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03723en_us https://h20566.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03723en_us CERT-VN https://www.kb.cert.org/vuls/id/834067 VU#834067 MISC https://packetstormsecurity.com/files/141494/S2-45-poc.py.txt https://packetstormsecurity.com/files/141494/S2-45-poc.py.txt MISC https://nmap.org/nsedoc/scripts/http-vuln-cve2017-5638.html https://nmap.org/nsedoc/scripts/http-vuln-cve2017-5638.html MISC https://arstechnica.com/security/2017/03/critical-vulnerability-under-massive-attack-imperils-high-impact-sites/ https://arstechnica.com/security/2017/03/critical-vulnerability-under-massive-attack-imperils-high-impact-sites/ CONFIRM https://security.netapp.com/advisory/ntap-20170310-0001/ https://security.netapp.com/advisory/ntap-20170310-0001/ MISC http://blog.trendmicro.com/trendlabs-security-intelligence/cve-2017-5638-apache-struts-vulnerability-remote-code-execution/ http://blog.trendmicro.com/trendlabs-security-intelligence/cve-2017-5638-apache-struts-vulnerability-remote-code-execution/ MISC https://isc.sans.edu/diary/22169 https://isc.sans.edu/diary/22169 CONFIRM https://struts.apache.org/docs/s2-046.html https://struts.apache.org/docs/s2-046.html MISC https://github.com/mazen160/struts-pwn https://github.com/mazen160/struts-pwn MISC http://www.eweek.com/security/apache-struts-vulnerability-under-attack.html http://www.eweek.com/security/apache-struts-vulnerability-under-attack.html 
CONFIRM https://h20566.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbgn03733en_us https://h20566.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbgn03733en_us CONFIRM https://struts.apache.org/docs/s2-045.html https://struts.apache.org/docs/s2-045.html cpe:2.3:a:apache:struts:2.3.14.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.31:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.5:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.16.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.6:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.17:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.5.6:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.29:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.20.2:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.23:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.11:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.5:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.5.8:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.22:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.15:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.12:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.21:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.5.9:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.20:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.14:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.13:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.28.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.20.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.24.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.15.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.16:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.10:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.5.4:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.7:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.30:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.19:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.5.7:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.5.10:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.14.2:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.24:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.16.2:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.14.3:*:*:*:*:*:*:* 
cpe:2.3:a:apache:struts:2.3.16.3:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.5.2:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.25:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.5.5:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.20.3:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.8:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.24.2:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.28:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.15.2:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.5.3:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.5.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.27:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.24.3:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.26:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.9:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.15.3:*:*:*:*:*:*:* CVE-2017-9787 HIGH 5.0 NETWORK LOW NONE NONE NONE PARTIAL MEDIUM 7.5 NETWORK LOW NONE NONE UNCHANGED NONE NONE HIGH HIGH CWE-284 When using a Spring AOP functionality to secure Struts actions it is possible to perform a DoS attack. Solution is to upgrade to Apache Struts version 2.5.12 or 2.3.33. 
BID http://www.securityfocus.com/bid/99562 99562 OSSINDEX https://ossindex.sonatype.org/vuln/e2ebe514-dc44-474a-82ab-d20bd81bfc4c [CVE-2017-9787] Improper Access Control SECTRACK http://www.securitytracker.com/id/1039115 1039115 CONFIRM http://www.oracle.com/technetwork/security-advisory/alert-cve-2017-9805-3889403.html http://www.oracle.com/technetwork/security-advisory/alert-cve-2017-9805-3889403.html MLIST https://lists.apache.org/thread.html/3795c4dd46d9ec75f4a6eb9eca11c11edd3e796c6c1fd7b17b5dc50d@%3Cannouncements.struts.apache.org%3E [announcements] 20170713 Apache Struts 2.5.12 GA with Security Fixes Release CONFIRM https://security.netapp.com/advisory/ntap-20180706-0002/ https://security.netapp.com/advisory/ntap-20180706-0002/ MLIST https://lists.apache.org/thread.html/de3d325f0433cd3b42258b6a302c0d7a72b69eedc1480ed561d3b065@%3Cannouncements.struts.apache.org%3E [announcements] 20170810 [ANN] Apache Struts: S2-049 Security Bulletin update CONFIRM http://struts.apache.org/docs/s2-049.html http://struts.apache.org/docs/s2-049.html cpe:2.3:a:apache:struts:2.3.14.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.31:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.5:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.16.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.17:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.5.6:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.29:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.20.2:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.23:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.11:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.5.8:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.22:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.15:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.12:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.21:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.5.9:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.20:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.14:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.13:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.28.1:*:*:*:*:*:*:* 
cpe:2.3:a:apache:struts:2.3.20.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.24.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.15.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.16:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.10:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.5.4:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.7:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.30:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.19:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.5.7:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.5.10:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.14.2:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.24:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.16.2:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.14.3:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.16.3:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.5.2:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.25:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.5.5:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.20.3:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.8:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.5.10.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.24.2:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.28:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.15.2:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.5.3:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.5.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.27:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.24.3:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.26:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.32:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.9:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.15.3:*:*:*:*:*:*:* CVE-2017-9791 CRITICAL 7.5 NETWORK LOW NONE PARTIAL PARTIAL PARTIAL HIGH 9.8 NETWORK LOW NONE NONE UNCHANGED HIGH HIGH HIGH CRITICAL CWE-20 The Struts 1 plugin in Apache Struts 2.1.x and 2.3.x might allow remote code execution via a malicious field value passed in a raw message to the ActionMessage. 
BID http://www.securityfocus.com/bid/99484 99484 SECTRACK http://www.securitytracker.com/id/1038838 1038838 EXPLOIT-DB https://www.exploit-db.com/exploits/42324/ 42324 CONFIRM http://www.oracle.com/technetwork/security-advisory/alert-cve-2017-9805-3889403.html http://www.oracle.com/technetwork/security-advisory/alert-cve-2017-9805-3889403.html CONFIRM https://security.netapp.com/advisory/ntap-20180706-0002/ https://security.netapp.com/advisory/ntap-20180706-0002/ EXPLOIT-DB https://www.exploit-db.com/exploits/44643/ 44643 CONFIRM http://struts.apache.org/docs/s2-048.html http://struts.apache.org/docs/s2-048.html OSSINDEX https://ossindex.sonatype.org/vuln/f2eb9ab7-09aa-4599-a351-7ebbd11ff11b [CVE-2017-9791] Improper Input Validation cpe:2.3:a:apache:struts:2.3.28.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.20.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.24.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.15.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.16:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.14.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.31:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.4:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.7:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.16.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.30:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.29:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.14.2:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.24:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.16.2:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.14.3:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.16.3:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.20.3:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.15:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.1.2:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.8:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.4.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.28:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.15.2:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.3:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.1.1:*:*:*:*:*:*:* 
cpe:2.3:a:apache:struts:2.3.12.0:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.24.3:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.20:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.14:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.32:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.15.3:*:*:*:*:*:*:* CVE-2017-9793 HIGH 5.0 NETWORK LOW NONE NONE NONE PARTIAL MEDIUM 7.5 NETWORK LOW NONE NONE UNCHANGED NONE NONE HIGH HIGH CWE-20 The REST Plugin in Apache Struts 2.1.x, 2.3.7 through 2.3.33 and 2.5 through 2.5.12 is using an outdated XStream library which is vulnerable and allow perform a DoS attack using malicious request with specially crafted XML payload. BID http://www.securityfocus.com/bid/100611 100611 SECTRACK http://www.securitytracker.com/id/1039262 1039262 OSSINDEX https://ossindex.sonatype.org/vuln/bf32e61b-04ce-4d34-b884-d775b7acf109 [CVE-2017-9793] The REST Plugin in Apache Struts 2.3.7 through 2.3.33 and 2.5 through 2.5.12 is ... CONFIRM http://www.brocade.com/content/dam/common/documents/content-types/security-bulletin/brocade-security-advisory-2017-429.htm http://www.brocade.com/content/dam/common/documents/content-types/security-bulletin/brocade-security-advisory-2017-429.htm CONFIRM https://security.netapp.com/advisory/ntap-20180629-0001/ https://security.netapp.com/advisory/ntap-20180629-0001/ CISCO https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170907-struts2 20170907 Multiple Vulnerabilities in Apache Struts 2 Affecting Cisco Products: September 2017 CONFIRM https://struts.apache.org/docs/s2-051.html https://struts.apache.org/docs/s2-051.html CONFIRM http://www.oracle.com/technetwork/security-advisory/alert-cve-2017-9805-3889403.html http://www.oracle.com/technetwork/security-advisory/alert-cve-2017-9805-3889403.html cpe:2.3:a:apache:struts:2.3.14.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.31:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.5:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.16.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.17:*:*:*:*:*:*:* 
cpe:2.3:a:apache:struts:2.5.6:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.29:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.5:beta1:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.5.12:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.5:beta2:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.20.2:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.23:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.11:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.5.8:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.22:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.15:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.12:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.21:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.5.9:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.20:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.14:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.13:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.28.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.20.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.15.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.16:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.10:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.5.4:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.7:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.30:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.19:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.5:beta3:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.5.7:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.5.10:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.14.2:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.16.2:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.14.3:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.16.3:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.5.2:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.25:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.5.5:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.8:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.5.10.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.24.2:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.28:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.33:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.15.2:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.5.3:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.5.1:*:*:*:*:*:*:* 
cpe:2.3:a:apache:struts:2.3.27:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.24.3:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.26:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.32:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.9:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.15.3:*:*:*:*:*:*:* CVE-2017-9804 HIGH 5.0 NETWORK LOW NONE NONE NONE PARTIAL MEDIUM 7.5 NETWORK LOW NONE NONE UNCHANGED NONE NONE HIGH HIGH CWE-399 In Apache Struts 2.3.7 through 2.3.33 and 2.5 through 2.5.12, if an application allows entering a URL in a form field and the built-in URLValidator is used, it is possible to prepare a special URL which will overload the server process when performing validation of the URL. NOTE: this vulnerability exists because of an incomplete fix for S2-047 / CVE-2017-7672. SECTRACK http://www.securitytracker.com/id/1039261 1039261 CONFIRM https://security.netapp.com/advisory/ntap-20180629-0001/ https://security.netapp.com/advisory/ntap-20180629-0001/ CISCO https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170907-struts2 20170907 Multiple Vulnerabilities in Apache Struts 2 Affecting Cisco Products: September 2017 OSSINDEX https://ossindex.sonatype.org/vuln/57ce5eee-b4a2-4054-9648-393b287cd86f [CVE-2017-9804] In Apache Struts 2.3.7 through 2.3.33 and 2.5 through 2.5.12, if an application ... 
CONFIRM http://www.oracle.com/technetwork/security-advisory/alert-cve-2017-9805-3889403.html http://www.oracle.com/technetwork/security-advisory/alert-cve-2017-9805-3889403.html BID http://www.securityfocus.com/bid/100612 100612 CONFIRM http://www.arubanetworks.com/assets/alert/ARUBA-PSA-2017-003.txt http://www.arubanetworks.com/assets/alert/ARUBA-PSA-2017-003.txt CONFIRM https://struts.apache.org/docs/s2-050.html https://struts.apache.org/docs/s2-050.html cpe:2.3:a:apache:struts:2.3.14.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.31:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.5:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.16.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.17:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.5.6:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.29:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.5:beta1:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.5.12:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.5:beta2:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.20.2:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.23:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.11:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.5.8:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.22:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.15:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.12:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.21:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.5.9:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.20:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.14:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.13:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.28.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.20.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.15.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.16:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.10:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.5.4:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.7:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.30:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.19:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.5:beta3:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.5.7:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.5.10:*:*:*:*:*:*:* 
cpe:2.3:a:apache:struts:2.3.14.2:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.16.2:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.14.3:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.16.3:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.5.2:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.25:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.5.5:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.8:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.5.10.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.24.2:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.28:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.33:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.15.2:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.5.3:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.5.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.27:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.24.3:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.26:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.32:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.9:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.15.3:*:*:*:*:*:*:* CVE-2017-9805 HIGH 6.8 NETWORK MEDIUM NONE PARTIAL PARTIAL PARTIAL MEDIUM 8.1 NETWORK HIGH NONE NONE UNCHANGED HIGH HIGH HIGH HIGH CWE-502 The REST Plugin in Apache Struts 2.1.1 through 2.3.x before 2.3.34 and 2.5.x before 2.5.13 uses an XStreamHandler with an instance of XStream for deserialization without any type filtering, which can lead to Remote Code Execution when deserializing XML payloads. 
CONFIRM https://cwiki.apache.org/confluence/display/WW/S2-052 https://cwiki.apache.org/confluence/display/WW/S2-052 EXPLOIT-DB https://www.exploit-db.com/exploits/42627/ 42627 CISCO https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170907-struts2 20170907 Multiple Vulnerabilities in Apache Struts 2 Affecting Cisco Products: September 2017 CERT-VN https://www.kb.cert.org/vuls/id/112992 VU#112992 CONFIRM http://www.oracle.com/technetwork/security-advisory/alert-cve-2017-9805-3889403.html http://www.oracle.com/technetwork/security-advisory/alert-cve-2017-9805-3889403.html OSSINDEX https://ossindex.sonatype.org/vuln/3c254119-620e-4d3a-b456-f150d179e2c1 [CVE-2017-9805] Deserialization of Untrusted Data BID http://www.securityfocus.com/bid/100609 100609 MISC https://lgtm.com/blog/apache_struts_CVE-2017-9805 https://lgtm.com/blog/apache_struts_CVE-2017-9805 CONFIRM https://bugzilla.redhat.com/show_bug.cgi?id=1488482 https://bugzilla.redhat.com/show_bug.cgi?id=1488482 CONFIRM https://security.netapp.com/advisory/ntap-20170907-0001/ https://security.netapp.com/advisory/ntap-20170907-0001/ CONFIRM https://blogs.apache.org/foundation/entry/apache-struts-statement-on-equifax https://blogs.apache.org/foundation/entry/apache-struts-statement-on-equifax CONFIRM https://struts.apache.org/docs/s2-052.html https://struts.apache.org/docs/s2-052.html SECTRACK http://www.securitytracker.com/id/1039263 1039263 cpe:2.3:a:apache:struts:2.1.8.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.14.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.31:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.16.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.2.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.1.6:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.5.6:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.29:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.5.12:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.5.11:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.5.8:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.1.8:*:*:*:*:*:*:* 
cpe:2.3:a:apache:struts:2.3.15:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.1.2:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.12:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.4.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.5.9:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.3:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.1.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.2.1.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.20:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.14:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.28.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.20.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.24.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.15.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.16:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.1.4:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.4:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.5.4:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.7:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.30:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.5.7:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.5.10:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.14.2:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.24:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.16.2:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.2.3:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.14.3:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.16.3:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.5.2:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.5.5:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.1.5:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.1.2:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.20.3:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.8:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.5.10.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.28:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.33:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.15.2:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.5.3:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.5.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.24.3:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.2.3.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.1.3:*:*:*:*:*:*:* 
cpe:2.3:a:apache:struts:2.3.32:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.15.3:*:*:*:*:*:*:* CVE-2018-11776 HIGH 9.3 NETWORK MEDIUM NONE COMPLETE COMPLETE COMPLETE HIGH 8.1 NETWORK HIGH NONE NONE UNCHANGED HIGH HIGH HIGH HIGH CWE-20 Apache Struts versions 2.3 to 2.3.34 and 2.5 to 2.5.16 suffer from possible Remote Code Execution when alwaysSelectFullNamespace is true (either by user or a plugin like Convention Plugin) and then: results are used with no namespace and in same time, its upper package have no or wildcard namespace and similar to results, same possibility when using url tag which doesn't have value and action set and in same time, its upper package have no or wildcard namespace. SECTRACK http://www.securitytracker.com/id/1041547 1041547 EXPLOIT-DB https://www.exploit-db.com/exploits/45262/ 45262 CONFIRM https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2018-0012 https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2018-0012 BID http://www.securityfocus.com/bid/105125 105125 SECTRACK http://www.securitytracker.com/id/1041888 1041888 CONFIRM http://www.oracle.com/technetwork/security-advisory/alert-cve-2018-11776-5072787.html http://www.oracle.com/technetwork/security-advisory/alert-cve-2018-11776-5072787.html CONFIRM https://security.netapp.com/advisory/ntap-20181018-0002/ https://security.netapp.com/advisory/ntap-20181018-0002/ EXPLOIT-DB https://www.exploit-db.com/exploits/45367/ 45367 OSSINDEX https://ossindex.sonatype.org/vuln/aea7ad84-58a9-4883-a9ef-f69fae4dcd9c [CVE-2018-11776] Improper Input Validation CONFIRM https://cwiki.apache.org/confluence/display/WW/S2-057 https://cwiki.apache.org/confluence/display/WW/S2-057 MISC https://github.com/hook-s3c/CVE-2018-11776-Python-PoC https://github.com/hook-s3c/CVE-2018-11776-Python-PoC CONFIRM https://security.netapp.com/advisory/ntap-20180822-0001/ https://security.netapp.com/advisory/ntap-20180822-0001/ CONFIRM http://www.arubanetworks.com/assets/alert/ARUBA-PSA-2018-005.txt 
http://www.arubanetworks.com/assets/alert/ARUBA-PSA-2018-005.txt CONFIRM http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html CONFIRM https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html MISC https://lgtm.com/blog/apache_struts_CVE-2018-11776 https://lgtm.com/blog/apache_struts_CVE-2018-11776 EXPLOIT-DB https://www.exploit-db.com/exploits/45260/ 45260 cpe:2.3:a:apache:struts:*:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:*:*:*:*:*:*:*:* CVE-2018-1327 HIGH 5.0 NETWORK LOW NONE NONE NONE PARTIAL MEDIUM 7.5 NETWORK LOW NONE NONE UNCHANGED NONE NONE HIGH HIGH CWE-20 The Apache Struts REST Plugin uses an XStream library which is vulnerable and allows a DoS attack when using a malicious request with a specially crafted XML payload. Upgrade to Apache Struts version 2.5.16 and switch to an optional Jackson XML handler as described here http://struts.apache.org/plugins/rest/#custom-contenttypehandlers. Another option is to implement a custom XML handler based on the Jackson XML handler from Apache Struts 2.5.16. 
SECTRACK http://www.securitytracker.com/id/1040575 1040575 OSSINDEX https://ossindex.sonatype.org/vuln/9b82d7bc-5262-43b8-bd0d-50ede8e76e56 [CVE-2018-1327] Improper Input Validation MISC https://cwiki.apache.org/confluence/display/WW/S2-056 https://cwiki.apache.org/confluence/display/WW/S2-056 CONFIRM http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html CONFIRM https://security.netapp.com/advisory/ntap-20180330-0001/ https://security.netapp.com/advisory/ntap-20180330-0001/ BID http://www.securityfocus.com/bid/103516 103516 cpe:2.3:a:apache:struts:*:*:*:*:*:*:*:* CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') MEDIUM 6.1 N L N R C L L N MEDIUM CWE-79 The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. OSSINDEX https://ossindex.sonatype.org/vuln/69f81156-32f8-4ad5-b58a-ec60e2a7fde6 CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') cpe:2.3:a:org.apache.struts:struts2-core:2.3.8:*:*:*:*:*:*:* Manipulation of Struts' internals 0.0 > ValueStack defines special top object which represents root of execution context. It can be used to manipulate Struts' internals or can be used to affect container's settings > > -- [apache.org](https://struts.apache.org/docs/s2-026.html) OSSINDEX https://ossindex.sonatype.org/vuln/d8afbd24-c683-4aec-b28f-218fbe5ad76b Manipulation of Struts' internals cpe:2.3:a:org.apache.struts:struts2-core:2.3.8:*:*:*:*:*:*:* semver4j-2.2.0.jar /var/lib/jenkins/workspace/test@2/infrastructure/dependency-check/lib/semver4j-2.2.0.jar 3b731d492b1f97c77d7b3c44228fe17e 2846945cb3bd65b65abf49a809f6cb907bbdb745 795d67b6e5854edb70d0925bd3dfc9595dd2a6862f9e0227ec9fc4d76d571f5e Semantic versioning for Java apps. 
The MIT License: http://www.opensource.org/licenses/mit-license.php jar package name semver4j pom artifactid semver4j pom name semver4j file name semver4j pom groupid vdurmont pom url vdurmont/semver4j jar package name semver4j jar package name vdurmont jar package name vdurmont pom artifactid semver4j jar package name semver4j pom name semver4j file name semver4j jar package name semver4j pom url vdurmont/semver4j pom groupid vdurmont jar package name vdurmont file version 2.2.0 pom version 2.2.0 pkg:maven/com.vdurmont/semver4j@2.2.0 https://ossindex.sonatype.org/component/pkg:maven/com.vdurmont/semver4j@2.2.0 pkg:maven/com.vdurmont/semver4j@2.2.0 https://ossindex.sonatype.org/component/pkg:maven/com.vdurmont/semver4j@2.2.0 spring-hashcorp-vault-tomcat.jar /var/lib/jenkins/workspace/test@2/infrastructure/production/tomcat/files/spring-hashcorp-vault-tomcat.jar 1a2c28d892cf726d93f2fd73ae93e07d c5055bb00a86c86bd14b7cba9b66e8d9a9ab26cc dea548c8db12e1c0023006a9345acee9d21a6b279bfbe370d2b7cb4b67f3d347 jar package name tomcat file name spring-hashcorp-vault-tomcat pom groupid rohitsalecha jar package name springframework jar package name vault pom artifactid spring-hashcorp-vault-tomcat jar package name rohitsalecha pom artifactid spring-hashcorp-vault-tomcat jar package name tomcat file name spring-hashcorp-vault-tomcat jar package name vault pom groupid rohitsalecha jar package name rohitsalecha pom version 0.0.1-SNAPSHOT pkg:maven/com.rohitsalecha/spring-hashcorp-vault-tomcat@0.0.1-SNAPSHOT https://ossindex.sonatype.org/component/pkg:maven/com.rohitsalecha/spring-hashcorp-vault-tomcat@0.0.1-SNAPSHOT pkg:maven/com.rohitsalecha/spring-hashcorp-vault-tomcat@0.0.1-SNAPSHOT https://ossindex.sonatype.org/component/pkg:maven/com.rohitsalecha/spring-hashcorp-vault-tomcat@0.0.1-SNAPSHOT ossindex-service-api-1.2.0.jar /var/lib/jenkins/workspace/test@2/infrastructure/dependency-check/lib/ossindex-service-api-1.2.0.jar 9348df420e1023fe344a429452bebeef 
c83599f23ad778277fbf6766e0052da3923d1633 d6b70dfcc8931dc953170bd14532417f5bacde906222d98f3db1810a1af81479 pom parent-groupid org.sonatype.ossindex pom artifactid ossindex-service-api pom parent-artifactid ossindex-service jar package name api file name ossindex-service-api Manifest implementation-url https://sonatype.github.io/ossindex-public/ossindex-service-api/ jar package name service pom groupid sonatype.ossindex Manifest Implementation-Vendor-Id org.sonatype.ossindex jar package name sonatype jar package name ossindex Manifest Implementation-Vendor Sonatype, Inc. jar package name api Manifest specification-title org.sonatype.ossindex:ossindex-service-api pom groupid sonatype.ossindex pom parent-groupid org.sonatype.ossindex file name ossindex-service-api jar package name service Manifest implementation-url https://sonatype.github.io/ossindex-public/ossindex-service-api/ pom artifactid ossindex-service-api pom parent-artifactid ossindex-service jar package name sonatype jar package name ossindex Manifest Implementation-Title org.sonatype.ossindex:ossindex-service-api pom version 1.2.0 file version 1.2.0 Manifest Implementation-Version 1.2.0 pkg:maven/org.sonatype.ossindex/ossindex-service-api@1.2.0 https://ossindex.sonatype.org/component/pkg:maven/org.sonatype.ossindex/ossindex-service-api@1.2.0 pkg:maven/org.sonatype.ossindex/ossindex-service-api@1.2.0 https://ossindex.sonatype.org/component/pkg:maven/org.sonatype.ossindex/ossindex-service-api@1.2.0 compiler-0.8.17.jar /var/lib/jenkins/workspace/test@2/infrastructure/dependency-check/lib/compiler-0.8.17.jar e0e52f6ea100529dfb5f1e6ea54e72b4 50a290cf88e5981653796573c97fba1e0071ef07 2b1ece537f09457a459a256d3ddd434beec8077c19db9842e7f079acf8e7dd51 Implementation of mustache.js for Java Apache License 2.0: http://www.apache.org/licenses/LICENSE-2.0 pom parent-artifactid mustache.java jar package name mustache pom artifactid compiler pom name compiler pom parent-groupid com.github.spullara.mustache.java pom url 
http://github.com/spullara/mustache.java jar package name github jar package name mustachejava jar package name github file name compiler pom groupid github.spullara.mustache.java pom artifactid compiler jar package name mustache pom parent-artifactid mustache.java pom name compiler pom groupid github.spullara.mustache.java pom url http://github.com/spullara/mustache.java jar package name mustachejava jar package name github file name compiler pom parent-groupid com.github.spullara.mustache.java file version 0.8.17 pom version 0.8.17 pkg:maven/com.github.spullara.mustache.java/compiler@0.8.17 https://ossindex.sonatype.org/component/pkg:maven/com.github.spullara.mustache.java/compiler@0.8.17 pkg:maven/com.github.spullara.mustache.java/compiler@0.8.17 https://ossindex.sonatype.org/component/pkg:maven/com.github.spullara.mustache.java/compiler@0.8.17 commons-lang3-3.4.jar /var/lib/jenkins/workspace/test@2/infrastructure/dependency-check/lib/commons-lang3-3.4.jar 8667a442ee77e509fbe8176b94726eb2 5fe28b9518e58819180a43a850fbc0dd24b7c050 734c8356420cc8e30c795d64fd1fcd5d44ea9d90342a2cc3262c5158fbc6d98b Apache Commons Lang, a package of Java utility classes for the classes that are in java.lang's hierarchy, or are considered to be so standard as to justify existence in java.lang. 
http://www.apache.org/licenses/LICENSE-2.0.txt file name commons-lang3 pom parent-artifactid commons-parent pom name Apache Commons Lang Manifest require-capability osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.6))" pom artifactid commons-lang3 pom groupid apache.commons pom parent-groupid org.apache.commons jar package name apache Manifest Implementation-Vendor-Id org.apache Manifest implementation-build tags/LANG_3_4_RC2@r1671054; 2015-04-03 12:30:21+0000 Manifest bundle-docurl http://commons.apache.org/proper/commons-lang/ Manifest specification-vendor The Apache Software Foundation jar package name commons jar package name lang3 pom url http://commons.apache.org/proper/commons-lang/ Manifest bundle-symbolicname org.apache.commons.lang3 Manifest Implementation-Vendor The Apache Software Foundation pom url http://commons.apache.org/proper/commons-lang/ pom parent-artifactid commons-parent file name commons-lang3 pom name Apache Commons Lang Manifest require-capability osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.6))" jar package name apache Manifest implementation-build tags/LANG_3_4_RC2@r1671054; 2015-04-03 12:30:21+0000 Manifest Bundle-Name Apache Commons Lang Manifest bundle-docurl http://commons.apache.org/proper/commons-lang/ jar package name commons pom groupid apache.commons Manifest specification-title Apache Commons Lang pom parent-groupid org.apache.commons pom artifactid commons-lang3 jar package name lang3 Manifest Implementation-Title Apache Commons Lang Manifest bundle-symbolicname org.apache.commons.lang3 Manifest Implementation-Version 3.4 pom parent-version 3.4 pom version 3.4 file version 3.4 pkg:maven/org.apache.commons/commons-lang3@3.4 https://ossindex.sonatype.org/component/pkg:maven/org.apache.commons/commons-lang3@3.4 pkg:maven/org.apache.commons/commons-lang3@3.4 https://ossindex.sonatype.org/component/pkg:maven/org.apache.commons/commons-lang3@3.4 jsoup-1.12.1.jar 
/var/lib/jenkins/workspace/test@2/infrastructure/dependency-check/lib/jsoup-1.12.1.jar 79bb9e9e8b50ef80a18bd46426befc5a 55819a28fc834c2f2bcf4dcdb278524dc3cf088f 4f961f68e47740dd7576c9685774a7b25b92f1017af24e2f707b30e893abade3 jsoup is a Java library for working with real-world HTML. It provides a very convenient API for extracting and manipulating data, using the best of DOM, CSS, and jquery-like methods. jsoup implements the WHATWG HTML5 specification, and parses HTML to the same DOM as modern browsers do. The MIT License: https://jsoup.org/license jar package name parser file name jsoup Manifest bundle-docurl https://jsoup.org/ Manifest automatic-module-name org.jsoup pom organization name Jonathan Hedley pom name jsoup Java HTML Parser Manifest require-capability osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.7))" pom groupid jsoup pom artifactid jsoup pom organization url https://jhy.io/ pom url https://jsoup.org/ jar package name jsoup Manifest bundle-symbolicname org.jsoup pom groupid jsoup Manifest Bundle-Name jsoup Java HTML Parser jar package name parser file name jsoup Manifest bundle-docurl https://jsoup.org/ Manifest automatic-module-name org.jsoup pom organization name Jonathan Hedley pom name jsoup Java HTML Parser pom artifactid jsoup Manifest require-capability osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.7))" pom organization url https://jhy.io/ pom url https://jsoup.org/ jar package name jsoup Manifest bundle-symbolicname org.jsoup pom version 1.12.1 file version 1.12.1 Manifest Bundle-Version 1.12.1 pkg:maven/org.jsoup/jsoup@1.12.1 https://ossindex.sonatype.org/component/pkg:maven/org.jsoup/jsoup@1.12.1 pkg:maven/org.jsoup/jsoup@1.12.1 https://ossindex.sonatype.org/component/pkg:maven/org.jsoup/jsoup@1.12.1 commons-beanutils-1.7.0.jar /var/lib/jenkins/workspace/test@2/target/devsecops/WEB-INF/lib/commons-beanutils-1.7.0.jar 0f18acf5fa857f9959675e14d901a7ce 5675fd96b29656504b86029551973d60fb41339b 
24bcaa20ccbdc7c856ce0c0aea144566943403e2e9f27bd9779cda1d76823ef4 /var/lib/jenkins/workspace/test@2/target/devsecops.war/WEB-INF/lib/commons-beanutils-1.7.0.jar 24bcaa20ccbdc7c856ce0c0aea144566943403e2e9f27bd9779cda1d76823ef4 5675fd96b29656504b86029551973d60fb41339b 0f18acf5fa857f9959675e14d901a7ce central groupid commons-beanutils Manifest extension-name org.apache.commons.beanutils jar package name beanutils jar package name apache jar package name commons jar package name apache Manifest Implementation-Vendor Apache Software Foundation pom groupid commons-beanutils jar package name beanutils pom artifactid commons-beanutils jar package name commons Manifest specification-vendor Apache Software Foundation file name commons-beanutils Manifest extension-name org.apache.commons.beanutils jar package name beanutils pom groupid commons-beanutils Manifest Implementation-Title org.apache.commons.beanutils jar package name commons jar package name apache jar package name beanutils Manifest specification-title Jakarta Commons Beanutils central artifactid commons-beanutils jar package name commons pom artifactid commons-beanutils file name commons-beanutils central version 1.7.0 pom version 1.7.0 file version 1.7.0 pkg:maven/commons-beanutils/commons-beanutils@1.7.0 https://ossindex.sonatype.org/component/pkg:maven/commons-beanutils/commons-beanutils@1.7.0 pkg:maven/commons-beanutils/commons-beanutils@1.7.0 https://ossindex.sonatype.org/component/pkg:maven/commons-beanutils/commons-beanutils@1.7.0 CVE-2014-0114 HIGH 7.5 NETWORK LOW NONE PARTIAL PARTIAL PARTIAL HIGH CWE-20 Apache Commons BeanUtils, as distributed in lib/commons-beanutils-1.8.0.jar in Apache Struts 1.x through 1.3.10 and in other products requiring commons-beanutils through 1.9.2, does not suppress the class property, which allows remote attackers to "manipulate" the ClassLoader and execute arbitrary code via the class parameter, as demonstrated by the passing of this parameter to the getClass method of the 
ActionForm object in Struts 1. MISC https://lists.apache.org/thread.html/65b39fa6d700e511927e5668a4038127432178a210aff81500eb36e5@%3Cissues.commons.apache.org%3E https://lists.apache.org/thread.html/65b39fa6d700e511927e5668a4038127432178a210aff81500eb36e5@%3Cissues.commons.apache.org%3E MLIST http://apache-ignite-developers.2346864.n4.nabble.com/CVE-2014-0114-Apache-Ignite-is-vulnerable-to-existing-CVE-2014-0114-td31205.html [apache-ignite-developers] 20180601 [CVE-2014-0114]: Apache Ignite is vulnerable to existing CVE-2014-0114 CONFIRM https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05324755 https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05324755 MLIST https://lists.apache.org/thread.html/31f9dc2c9cb68e390634a4202f84b8569f64b6569bfcce46348fd9fd@%3Ccommits.commons.apache.org%3E [commons-commits] 20190528 [commons-beanutils] branch master updated: BEANUTILS-520: Mitigate CVE-2014-0114 by enabling SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS by default. 
(#7) CONFIRM http://advisories.mageia.org/MGASA-2014-0219.html http://advisories.mageia.org/MGASA-2014-0219.html MLIST https://lists.apache.org/thread.html/8e2bdfabd5b14836aa3cf900aa0a62ff9f4e22a518bb4e553ebcf55f@%3Cissues.commons.apache.org%3E [commons-issues] 20190522 [jira] [Commented] (BEANUTILS-520) BeanUtils2 mitigate CVE-2014-0114 MLIST https://lists.apache.org/thread.html/098e9aae118ac5c06998a9ba4544ab2475162981d290fdef88e6f883@%3Cissues.commons.apache.org%3E [commons-issues] 20190528 [jira] [Closed] (BEANUTILS-520) BeanUtils2 mitigate CVE-2014-0114 GENTOO https://security.gentoo.org/glsa/201607-09 GLSA-201607-09 SECUNIA http://secunia.com/advisories/59430 59430 CONFIRM http://www-01.ibm.com/support/docview.wss?uid=swg21675972 http://www-01.ibm.com/support/docview.wss?uid=swg21675972 FEDORA http://lists.fedoraproject.org/pipermail/package-announce/2014-August/136958.html FEDORA-2014-9380 SECUNIA http://secunia.com/advisories/59245 59245 CONFIRM http://www-01.ibm.com/support/docview.wss?uid=swg21676110 http://www-01.ibm.com/support/docview.wss?uid=swg21676110 DEBIAN http://www.debian.org/security/2014/dsa-2940 DSA-2940 CONFIRM https://access.redhat.com/solutions/869353 https://access.redhat.com/solutions/869353 CONFIRM http://www-01.ibm.com/support/docview.wss?uid=swg21674812 http://www-01.ibm.com/support/docview.wss?uid=swg21674812 CONFIRM http://www-01.ibm.com/support/docview.wss?uid=swg21674128 http://www-01.ibm.com/support/docview.wss?uid=swg21674128 MLIST https://lists.apache.org/thread.html/df093c662b5e49fe9e38ef91f78ffab09d0839dea7df69a747dffa86@%3Cdev.commons.apache.org%3E [commons-dev] 20190605 Re: [beanutils] Towards 1.10 CONFIRM http://www-01.ibm.com/support/docview.wss?uid=swg27042296 http://www-01.ibm.com/support/docview.wss?uid=swg27042296 CONFIRM http://www-01.ibm.com/support/docview.wss?uid=swg21675387 http://www-01.ibm.com/support/docview.wss?uid=swg21675387 CONFIRM http://www-01.ibm.com/support/docview.wss?uid=swg21675266 
http://www-01.ibm.com/support/docview.wss?uid=swg21675266 SECUNIA http://secunia.com/advisories/59704 59704 CONFIRM http://www-01.ibm.com/support/docview.wss?uid=swg21676303 http://www-01.ibm.com/support/docview.wss?uid=swg21676303 MISC https://lists.apache.org/thread.html/2ba22f2e3de945039db735cf6cbf7f8be901ab2537337c7b1dd6a0f0@%3Cissues.commons.apache.org%3E https://lists.apache.org/thread.html/2ba22f2e3de945039db735cf6cbf7f8be901ab2537337c7b1dd6a0f0@%3Cissues.commons.apache.org%3E OSSINDEX https://ossindex.sonatype.org/vuln/cc1835c0-63c3-4b0a-baa5-a3891271bf60 [CVE-2014-0114] Improper Input Validation SECUNIA http://secunia.com/advisories/59480 59480 CONFIRM https://issues.apache.org/jira/browse/BEANUTILS-463 https://issues.apache.org/jira/browse/BEANUTILS-463 MISC https://lists.apache.org/thread.html/9b5505632f5683ee17bda4f7878525e672226c7807d57709283ffa64@%3Cissues.commons.apache.org%3E https://lists.apache.org/thread.html/9b5505632f5683ee17bda4f7878525e672226c7807d57709283ffa64@%3Cissues.commons.apache.org%3E MLIST https://lists.apache.org/thread.html/c70da3cb6e3f03e0ad8013e38b6959419d866c4a7c80fdd34b73f25c@%3Ccommits.pulsar.apache.org%3E [pulsar-commits] 20190329 [GitHub] [pulsar] massakam opened a new pull request #3938: Upgrade third party libraries with security vulnerabilities SECUNIA http://secunia.com/advisories/59479 59479 HP http://marc.info/?l=bugtraq&m=141451023707502&w=2 HPSBST03160 CONFIRM http://www-01.ibm.com/support/docview.wss?uid=swg21676375 http://www-01.ibm.com/support/docview.wss?uid=swg21676375 MLIST https://lists.apache.org/thread.html/0a35108a56e2d575e3b3985588794e39fbf264097aba66f4c5569e4f@%3Cuser.commons.apache.org%3E [commons-user] 20190814 [SECURITY] CVE-2019-10086. Apache Commons Beanutils does not suppresses the class property in PropertyUtilsBean by default. 
CONFIRM http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html MLIST https://lists.apache.org/thread.html/88c497eead24ed517a2bb3159d3dc48725c215e97fe7a98b2cf3ea25@%3Cdev.commons.apache.org%3E [commons-dev] 20190814 [SECURITY] CVE-2019-10086. Apache Commons Beanutils does not suppresses the class property in PropertyUtilsBean by default. HP http://marc.info/?l=bugtraq&m=140801096002766&w=2 HPSBMU03090 SECUNIA http://secunia.com/advisories/59228 59228 MISC https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html CONFIRM http://www-01.ibm.com/support/docview.wss?uid=swg21675898 http://www-01.ibm.com/support/docview.wss?uid=swg21675898 MISC https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html SECUNIA http://secunia.com/advisories/59246 59246 CONFIRM https://bugzilla.redhat.com/show_bug.cgi?id=1091938 https://bugzilla.redhat.com/show_bug.cgi?id=1091938 MLIST http://openwall.com/lists/oss-security/2014/07/08/1 [oss-security] 20140707 Re: CVE request for commons-beanutils: 'class' property is exposed, potentially leading to RCE CONFIRM https://security.netapp.com/advisory/ntap-20140911-0001/ https://security.netapp.com/advisory/ntap-20140911-0001/ SECUNIA http://secunia.com/advisories/58851 58851 SECUNIA http://secunia.com/advisories/59718 59718 CONFIRM http://www.oracle.com/technetwork/topics/security/cpuoct2014-1972960.html http://www.oracle.com/technetwork/topics/security/cpuoct2014-1972960.html CONFIRM https://bugzilla.redhat.com/show_bug.cgi?id=1116665 https://bugzilla.redhat.com/show_bug.cgi?id=1116665 MLIST https://lists.apache.org/thread.html/0340493a1ddf3660dee09a5c503449cdac5bec48cdc478de65858859@%3Cdev.commons.apache.org%3E [commons-dev] 20190525 Re: [beanutils2] 
CVE-2014-0114 Pull Request MLIST https://lists.apache.org/thread.html/c24c0b931632a397142882ba248b7bd440027960f22845c6f664c639@%3Ccommits.commons.apache.org%3E [commons-commits] 20190528 [commons-beanutils] branch master updated: [BEANUTILS-520] BeanUtils2 mitigate CVE-2014-0114. MISC https://lists.apache.org/thread.html/084ae814e69178d2ce174cfdf149bc6e46d7524f3308c08d3adb43cb@%3Cissues.commons.apache.org%3E https://lists.apache.org/thread.html/084ae814e69178d2ce174cfdf149bc6e46d7524f3308c08d3adb43cb@%3Cissues.commons.apache.org%3E MLIST https://lists.apache.org/thread.html/ebc4f019798f6ce2a39f3e0c26a9068563a9ba092cdf3ece398d4e2f@%3Cnotifications.commons.apache.org%3E [commons-notifications] 20190528 Build failed in Jenkins: commons-beanutils #75 CONFIRM http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html CONFIRM http://www-01.ibm.com/support/docview.wss?uid=swg21677110 http://www-01.ibm.com/support/docview.wss?uid=swg21677110 HP http://marc.info/?l=bugtraq&m=140119284401582&w=2 HPSBGN03041 FULLDISC http://seclists.org/fulldisclosure/2014/Dec/23 20141205 NEW: VMSA-2014-0012 - VMware vSphere product updates address security vulnerabilities CONFIRM http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html SECUNIA http://secunia.com/advisories/57477 57477 MLIST https://lists.apache.org/thread.html/97fc033dad4233a5d82fcb75521eabdd23dd99ef32eb96f407f96a1a@%3Cissues.commons.apache.org%3E [commons-issues] 20190521 [jira] [Created] (BEANUTILS-520) BeanUtils2 mitigate CVE-2014-0114 MLIST https://lists.apache.org/thread.html/918ec15a80fc766ff46c5d769cb8efc88fed6674faadd61a7105166b@%3Cannounce.apache.org%3E [announce] 20190814 [SECURITY] CVE-2019-10086. Apache Commons Beanutils does not suppresses the class property in PropertyUtilsBean by default. 
SECUNIA http://secunia.com/advisories/60177 60177 MISC https://lists.apache.org/thread.html/aa4ca069c7aea5b1d7329bc21576c44a39bcc4eb7bb2760c4b16f2f6@%3Cissues.commons.apache.org%3E https://lists.apache.org/thread.html/aa4ca069c7aea5b1d7329bc21576c44a39bcc4eb7bb2760c4b16f2f6@%3Cissues.commons.apache.org%3E MLIST https://lists.apache.org/thread.html/df1c385f2112edffeff57a6b21d12e8d24031a9f578cb8ba22a947a8@%3Cissues.commons.apache.org%3E [commons-issues] 20190615 [jira] [Reopened] (BEANUTILS-520) BeanUtils2 mitigate CVE-2014-0114 MLIST https://lists.apache.org/thread.html/080af531a9113e29d3f6a060e3f992dc9f40315ec7234e15c3b339e3@%3Cissues.commons.apache.org%3E [commons-issues] 20190522 [jira] [Work logged] (BEANUTILS-520) BeanUtils2 mitigate CVE-2014-0114 SECUNIA http://secunia.com/advisories/59014 59014 MISC https://lists.apache.org/thread.html/869c08899f34c1a70c9fb42f92ac0d043c98781317e0c19d7ba3f5e3@%3Cissues.commons.apache.org%3E https://lists.apache.org/thread.html/869c08899f34c1a70c9fb42f92ac0d043c98781317e0c19d7ba3f5e3@%3Cissues.commons.apache.org%3E CONFIRM http://commons.apache.org/proper/commons-beanutils/javadocs/v1.9.2/RELEASE-NOTES.txt http://commons.apache.org/proper/commons-beanutils/javadocs/v1.9.2/RELEASE-NOTES.txt CONFIRM http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html MLIST https://lists.apache.org/thread.html/c7e31c3c90b292e0bafccc4e1b19c9afc1503a65d82cb7833dfd7478@%3Cissues.commons.apache.org%3E [commons-issues] 20190818 [jira] [Commented] (BEANUTILS-520) BeanUtils2 mitigate CVE-2014-0114 MISC https://lists.apache.org/thread.html/ffde3f266d3bde190b54c9202169e7918a92de7e7e0337d792dc7263@%3Cissues.commons.apache.org%3E https://lists.apache.org/thread.html/ffde3f266d3bde190b54c9202169e7918a92de7e7e0337d792dc7263@%3Cissues.commons.apache.org%3E MLIST 
https://lists.apache.org/thread.html/37e1ed724a1b0e5d191d98c822c426670bdfde83804567131847d2a3@%3Cdevnull.infra.apache.org%3E [infra-devnull] 20190329 [GitHub] [pulsar] massakam opened pull request #3938: Upgrade third party libraries with security vulnerabilities SECUNIA http://secunia.com/advisories/60703 60703 SECUNIA http://secunia.com/advisories/58947 58947 CONFIRM http://www.vmware.com/security/advisories/VMSA-2014-0012.html http://www.vmware.com/security/advisories/VMSA-2014-0012.html SECUNIA http://secunia.com/advisories/59118 59118 MISC https://lists.apache.org/thread.html/f3682772e62926b5c009eed63c62767021be6da0bb7427610751809f@%3Cissues.commons.apache.org%3E https://lists.apache.org/thread.html/f3682772e62926b5c009eed63c62767021be6da0bb7427610751809f@%3Cissues.commons.apache.org%3E CONFIRM https://security.netapp.com/advisory/ntap-20180629-0006/ https://security.netapp.com/advisory/ntap-20180629-0006/ SECUNIA http://secunia.com/advisories/59464 59464 MLIST https://lists.apache.org/thread.html/2454e058fd05ba30ca29442fdeb7ea47505d47a888fbc9f3a53f31d0@%3Cissues.commons.apache.org%3E [commons-issues] 20190615 [jira] [Resolved] (BEANUTILS-520) BeanUtils2 mitigate CVE-2014-0114 CONFIRM http://www.ibm.com/support/docview.wss?uid=swg21675496 http://www.ibm.com/support/docview.wss?uid=swg21675496 CONFIRM http://www.oracle.com/technetwork/topics/security/cpujul2014-1972956.html http://www.oracle.com/technetwork/topics/security/cpujul2014-1972956.html CONFIRM http://www.vmware.com/security/advisories/VMSA-2014-0008.html http://www.vmware.com/security/advisories/VMSA-2014-0008.html CONFIRM http://www-01.ibm.com/support/docview.wss?uid=swg21675689 http://www-01.ibm.com/support/docview.wss?uid=swg21675689 MISC https://lists.apache.org/thread.html/4c3fd707a049bfe0577dba8fc9c4868ffcdabe68ad86586a0a49242e@%3Cissues.commons.apache.org%3E https://lists.apache.org/thread.html/4c3fd707a049bfe0577dba8fc9c4868ffcdabe68ad86586a0a49242e@%3Cissues.commons.apache.org%3E MLIST 
https://lists.apache.org/thread.html/42ad6326d62ea8453d0d0ce12eff39bbb7c5b4fca9639da007291346@%3Cissues.commons.apache.org%3E [commons-issues] 20190528 [jira] [Work logged] (BEANUTILS-520) BeanUtils2 mitigate CVE-2014-0114 CONFIRM http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html CONFIRM https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html MANDRIVA http://www.mandriva.com/security/advisories?name=MDVSA-2014:095 MDVSA-2014:095 SECUNIA http://secunia.com/advisories/58710 58710 BID http://www.securityfocus.com/bid/67121 67121 MLIST https://lists.apache.org/thread.html/40fc236a35801a535cd49cf1979dbeab034b833c63a284941bce5bf1@%3Cdev.commons.apache.org%3E [commons-dev] 20190522 [beanutils2] CVE-2014-0114 Pull Request MLIST https://lists.apache.org/thread.html/cee6b1c4533be1a753614f6a7d7c533c42091e7cafd7053b8f62792a@%3Cissues.commons.apache.org%3E [commons-issues] 20190615 [jira] [Updated] (BEANUTILS-520) BeanUtils2 mitigate CVE-2014-0114 CONFIRM http://www-01.ibm.com/support/docview.wss?uid=swg21676931 http://www-01.ibm.com/support/docview.wss?uid=swg21676931 BUGTRAQ http://www.securityfocus.com/archive/1/534161/100/0/threaded 20141205 NEW: VMSA-2014-0012 - VMware vSphere product updates address security vulnerabilities MISC https://lists.apache.org/thread.html/15fcdf27fa060de276edc0b4098526afc21c236852eb3de9be9594f3@%3Cissues.commons.apache.org%3E https://lists.apache.org/thread.html/15fcdf27fa060de276edc0b4098526afc21c236852eb3de9be9594f3@%3Cissues.commons.apache.org%3E MLIST http://openwall.com/lists/oss-security/2014/06/15/10 [oss-security] 20140616 CVE request for commons-beanutils: 'class' property is exposed, potentially leading to RCE CONFIRM http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html 
http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html REDHAT https://access.redhat.com/errata/RHSA-2018:2669 RHSA-2018:2669 MLIST https://lists.apache.org/thread.html/fda473f46e51019a78ab217a7a3a3d48dafd90846e75bd5536ef72f3@%3Cnotifications.commons.apache.org%3E [commons-notifications] 20190528 Build failed in Jenkins: commons-beanutils #74 CONFIRM http://www-01.ibm.com/support/docview.wss?uid=swg21676091 http://www-01.ibm.com/support/docview.wss?uid=swg21676091 cpe:2.3:a:apache:struts:1.1:b2:*:*:*:*:*:* cpe:2.3:a:apache:struts:1.1:rc1:*:*:*:*:*:* cpe:2.3:a:apache:struts:1.2.9:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:1.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:1.1:rc2:*:*:*:*:*:* cpe:2.3:a:apache:struts:1.2.6:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:1.1:b3:*:*:*:*:*:* cpe:2.3:a:apache:struts:1.3.5:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:1.0.2:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:1.3.8:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:1.3.10:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:1.2.2:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:1.2.7:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:1.1:b1:*:*:*:*:*:* cpe:2.3:a:apache:struts:1.2.4:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:1.2.8:*:*:*:*:*:*:* cpe:2.3:a:apache:commons_beanutils:*:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:1.0:*:*:*:*:*:*:* commons-io-2.0.1.jar /var/lib/jenkins/workspace/test@2/target/devsecops/WEB-INF/lib/commons-io-2.0.1.jar edb9481c6eee07f4feaa61502af855da 7ffdb02f95af1c1a208544e076cea5b8e66e731a 2a3f5a206480863aae9dff03f53c930c3add6912f8785498d59442c7ebb98c5c Commons-IO contains utility classes, stream implementations, file filters, file comparators and endian classes. 
http://www.apache.org/licenses/LICENSE-2.0.txt /var/lib/jenkins/workspace/test@2/target/devsecops.war/WEB-INF/lib/commons-io-2.0.1.jar 2a3f5a206480863aae9dff03f53c930c3add6912f8785498d59442c7ebb98c5c 7ffdb02f95af1c1a208544e076cea5b8e66e731a edb9481c6eee07f4feaa61502af855da pom parent-artifactid commons-parent jar package name io pom name Commons IO pom parent-groupid org.apache.commons jar package name apache Manifest Implementation-Vendor-Id org.apache pom groupid commons-io Manifest specification-vendor The Apache Software Foundation pom artifactid commons-io jar package name commons pom url http://commons.apache.org/io/ Manifest bundle-symbolicname org.apache.commons.io Manifest bundle-docurl http://commons.apache.org/io/ file name commons-io Manifest Implementation-Vendor The Apache Software Foundation pom parent-artifactid commons-parent pom groupid commons-io pom url http://commons.apache.org/io/ jar package name io pom name Commons IO Manifest specification-title Commons IO jar package name apache Manifest Bundle-Name Commons IO jar package name commons Manifest Implementation-Title Commons IO pom parent-groupid org.apache.commons Manifest bundle-symbolicname org.apache.commons.io Manifest bundle-docurl http://commons.apache.org/io/ file name commons-io pom artifactid commons-io Manifest Implementation-Version 2.0.1 Manifest Bundle-Version 2.0.1 pom version 2.0.1 file version 2.0.1 pom parent-version 2.0.1 pkg:maven/commons-io/commons-io@2.0.1 https://ossindex.sonatype.org/component/pkg:maven/commons-io/commons-io@2.0.1 pkg:maven/commons-io/commons-io@2.0.1 https://ossindex.sonatype.org/component/pkg:maven/commons-io/commons-io@2.0.1 asm-analysis-6.2.jar /var/lib/jenkins/workspace/test@2/infrastructure/findsecbugs/archive/lib/asm-analysis-6.2.jar bc8eb8c23002b2dd68672a5ed25acbbd c7d9a90d221cbb977848d2c777eb3aa7637e89df 62b2c0d818fde5c52cf6404aa10836dbb170a2c3fa8466e656f0f991732fa01f Static code analysis API of ASM, a very small and fast Java bytecode 
manipulation framework BSD: http://asm.ow2.org/license.html /var/lib/jenkins/workspace/test@2/infrastructure/findsecbugs/lib/asm-analysis-6.2.jar 62b2c0d818fde5c52cf6404aa10836dbb170a2c3fa8466e656f0f991732fa01f c7d9a90d221cbb977848d2c777eb3aa7637e89df bc8eb8c23002b2dd68672a5ed25acbbd jar package name objectweb Manifest bundle-symbolicname org.objectweb.asm.tree.analysis jar package name tree jar package name analysis Manifest bundle-docurl http://asm.ow2.org pom organization name OW2 pom url http://asm.ow2.org/ pom groupid ow2.asm pom parent-artifactid ow2 jar package name asm pom artifactid asm-analysis central groupid org.ow2.asm jar package name objectweb pom organization url http://www.ow2.org/ pom name asm-analysis jar package name tree Manifest module-requires org.objectweb.asm.tree;transitive=true jar package name asm file name asm-analysis Manifest bundle-requiredexecutionenvironment J2SE-1.5 pom parent-groupid org.ow2 Manifest bundle-symbolicname org.objectweb.asm.tree.analysis jar package name tree jar package name analysis Manifest bundle-docurl http://asm.ow2.org pom parent-groupid org.ow2 pom organization name OW2 jar package name asm jar package name objectweb pom url http://asm.ow2.org/ pom name asm-analysis jar package name tree pom organization url http://www.ow2.org/ Manifest module-requires org.objectweb.asm.tree;transitive=true central artifactid asm-analysis jar package name asm pom artifactid asm-analysis Manifest Bundle-Name org.objectweb.asm.tree.analysis pom parent-artifactid ow2 Manifest Implementation-Title Static code analysis API of ASM, a very small and fast Java bytecode manipulation framework file name asm-analysis Manifest bundle-requiredexecutionenvironment J2SE-1.5 jar package name analysis pom groupid ow2.asm pom parent-version 6.2 file version 6.2 pom version 6.2 central version 6.2 pkg:maven/org.ow2.asm/asm-analysis@6.2 https://ossindex.sonatype.org/component/pkg:maven/org.ow2.asm/asm-analysis@6.2 
pkg:maven/org.ow2.asm/asm-analysis@6.2 https://ossindex.sonatype.org/component/pkg:maven/org.ow2.asm/asm-analysis@6.2 hibernate-jpa-2.0-api-1.0.1.Final.jar /var/lib/jenkins/workspace/test@2/target/devsecops/WEB-INF/lib/hibernate-jpa-2.0-api-1.0.1.Final.jar d7e7d8f60fc44a127ba702d43e71abec 3306a165afa81938fc3d8a0948e891de9f6b192b bacfb6460317d421aa2906d9e63c293b69dc1a5dac480d0f6416df50796a4bb3 Hibernate definition of the Java Persistence 2.0 (JSR 317) API. license.txt /var/lib/jenkins/workspace/test@2/target/devsecops.war/WEB-INF/lib/hibernate-jpa-2.0-api-1.0.1.Final.jar bacfb6460317d421aa2906d9e63c293b69dc1a5dac480d0f6416df50796a4bb3 3306a165afa81938fc3d8a0948e891de9f6b192b d7e7d8f60fc44a127ba702d43e71abec jar package name javax pom groupid hibernate.javax.persistence file name hibernate-jpa-2.0-api-1.0.1.Final pom organization name Hibernate.org jar package name persistence Manifest specification-vendor Sun Microsystems, Inc. pom artifactid hibernate-jpa-2.0-api Manifest Implementation-Vendor hibernate.org pom organization url http://hibernate.org pom name JPA 2.0 API pom url http://hibernate.org Manifest Implementation-Title JPA API pom organization url http://hibernate.org file name hibernate-jpa-2.0-api-1.0.1.Final pom artifactid hibernate-jpa-2.0-api jar package name persistence pom groupid hibernate.javax.persistence pom name JPA 2.0 API jar package name javax jar package name version pom organization name Hibernate.org Manifest specification-title Java Persistence API, Version 2.0 pom url http://hibernate.org Manifest Implementation-Version 1.0.1.Final pom version 1.0.1.Final pkg:maven/org.hibernate.javax.persistence/hibernate-jpa-2.0-api@1.0.1.Final https://ossindex.sonatype.org/component/pkg:maven/org.hibernate.javax.persistence/hibernate-jpa-2.0-api@1.0.1.Final pkg:maven/org.hibernate.javax.persistence/hibernate-jpa-2.0-api@1.0.1.Final https://ossindex.sonatype.org/component/pkg:maven/org.hibernate.javax.persistence/hibernate-jpa-2.0-api@1.0.1.Final 
ant-1.9.9.jar /var/lib/jenkins/workspace/test@2/infrastructure/dependency-check/lib/ant-1.9.9.jar 03bbb3ac9cef4cea901c11ab10ea1b1a 9dc55233d8c0809e57b2ec7f78376da3f32872bd d81254bcb2e170c9ea16cd418050f3340da1736380a02415c8ddda9a0a0b8a1b pom url http://ant.apache.org/ file name ant jar package name apache manifest: org/apache/tools/ant/ Implementation-Vendor Apache Software Foundation pom groupid apache.ant pom parent-groupid org.apache.ant jar package name apache jar package name ant central groupid org.apache.ant pom parent-artifactid ant-parent jar package name tools pom name Apache Ant Core pom artifactid ant file name ant pom artifactid ant pom groupid apache.ant jar package name tools pom parent-artifactid ant-parent manifest: org/apache/tools/ant/ Specification-Title Apache Ant jar package name ant jar package name apache pom url http://ant.apache.org/ central artifactid ant jar package name ant manifest: org/apache/tools/ant/ Implementation-Title org.apache.tools.ant jar package name tools pom name Apache Ant Core pom parent-groupid org.apache.ant manifest: org/apache/tools/ant/ Implementation-Version 1.9.9 file version 1.9.9 central version 1.9.9 pom version 1.9.9 pkg:maven/org.apache.ant/ant@1.9.9 https://ossindex.sonatype.org/component/pkg:maven/org.apache.ant/ant@1.9.9 pkg:maven/org.apache.ant/ant@1.9.9 https://ossindex.sonatype.org/component/pkg:maven/org.apache.ant/ant@1.9.9 commons-digester-1.8.jar /var/lib/jenkins/workspace/test@2/target/devsecops/WEB-INF/lib/commons-digester-1.8.jar cf89c593f0378e9509a06fce7030aeba dc6a73fdbd1fa3f0944e8497c6c872fa21dca37e 05662373044f3dff112567b7bb5dfa1174e91e074c0c727b4412788013f49d56 The Digester package lets you configure an XML->Java object mapping module which triggers certain actions called rules whenever a particular pattern of nested XML elements is recognized. 
The Apache Software License, Version 2.0: /LICENSE.txt /var/lib/jenkins/workspace/test@2/target/devsecops.war/WEB-INF/lib/commons-digester-1.8.jar 05662373044f3dff112567b7bb5dfa1174e91e074c0c727b4412788013f49d56 dc6a73fdbd1fa3f0944e8497c6c872fa21dca37e cf89c593f0378e9509a06fce7030aeba pom organization url http://jakarta.apache.org jar package name apache pom artifactid commons-digester jar package name commons pom groupid commons-digester pom name Digester Manifest Implementation-Vendor-Id org.apache jar package name apache pom url http://jakarta.apache.org/commons/digester/ central groupid commons-digester Manifest specification-vendor The Apache Software Foundation jar package name commons jar package name digester pom organization name The Apache Software Foundation jar package name digester file name commons-digester Manifest extension-name commons-digester Manifest Implementation-Vendor The Apache Software Foundation jar package name rule pom url http://jakarta.apache.org/commons/digester/ Manifest Implementation-Title org.apache.commons.digester jar package name commons pom organization url http://jakarta.apache.org pom name Digester jar package name apache jar package name commons jar package name digester pom groupid commons-digester pom organization name The Apache Software Foundation central artifactid commons-digester pom artifactid commons-digester Manifest specification-title Rule based XML->Java object mapping module jar package name digester file name commons-digester Manifest extension-name commons-digester pom version 1.8 file version 1.8 central version 1.8 Manifest Implementation-Version 1.8 pkg:maven/commons-digester/commons-digester@1.8 https://ossindex.sonatype.org/component/pkg:maven/commons-digester/commons-digester@1.8 pkg:maven/commons-digester/commons-digester@1.8 https://ossindex.sonatype.org/component/pkg:maven/commons-digester/commons-digester@1.8 jquery.js /var/lib/jenkins/workspace/test@2/target/devsecops/js/jquery.js 
841dc30647f93349b7d8ef61deebe411 e0f962936599a6cd266f004b9d04b29d46811483 c3a7b608ebfa8d1dfe658bc119e6236a6aaf878a779e7c560aa11dd30881a56a /var/lib/jenkins/workspace/test@2/src/main/webapp/js/jquery.js c3a7b608ebfa8d1dfe658bc119e6236a6aaf878a779e7c560aa11dd30881a56a e0f962936599a6cd266f004b9d04b29d46811483 841dc30647f93349b7d8ef61deebe411 /var/lib/jenkins/workspace/test@2/target/devsecops.war/js/jquery.js c3a7b608ebfa8d1dfe658bc119e6236a6aaf878a779e7c560aa11dd30881a56a e0f962936599a6cd266f004b9d04b29d46811483 841dc30647f93349b7d8ef61deebe411 file name jquery file name jquery file version 1.10.2 pkg:javascript/jquery@1.10.2 https://ossindex.sonatype.org/component/pkg:javascript/jquery@1.10.2 pkg:javascript/jquery@1.10.2 https://ossindex.sonatype.org/component/pkg:javascript/jquery@1.10.2 CVE-2015-9251 MEDIUM 4.3 NETWORK MEDIUM NONE NONE NONE NONE MEDIUM 6.1 NETWORK LOW NONE REQUIRED CHANGED LOW LOW NONE MEDIUM CWE-79 jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed. 
BUGTRAQ https://seclists.org/bugtraq/2019/May/18 20190509 dotCMS v5.1.1 Vulnerabilities MLIST https://lists.apache.org/thread.html/54df3aeb4239b64b50b356f0ca6f986e3c4ca5b84c515dce077c7854@%3Cuser.flink.apache.org%3E [flink-user] 20190811 Apache flink 1.7.2 security issues MISC https://github.com/jquery/jquery/issues/2432 https://github.com/jquery/jquery/issues/2432 MISC https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html info https://nvd.nist.gov/vuln/detail/CVE-2015-9251 info MLIST https://lists.apache.org/thread.html/17ff53f7999e74fbe3cc0ceb4e1c3b00b180b7c5afec8e978837bc49@%3Cuser.flink.apache.org%3E [flink-user] 20190813 Apache flink 1.7.2 security issues FULLDISC http://seclists.org/fulldisclosure/2019/May/11 20190510 dotCMS v5.1.1 HTML Injection & XSS Vulnerability MLIST https://lists.apache.org/thread.html/52bafac05ad174000ea465fe275fd3cc7bd5c25535a7631c0bc9bfb2@%3Cuser.flink.apache.org%3E [flink-user] 20190813 Re: Apache flink 1.7.2 security issues MISC https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html info https://github.com/jquery/jquery/issues/2432 info MISC https://github.com/jquery/jquery/pull/2588 https://github.com/jquery/jquery/pull/2588 CONFIRM https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html FULLDISC http://seclists.org/fulldisclosure/2019/May/10 20190510 dotCMS v5.1.1 Vulnerabilities BID http://www.securityfocus.com/bid/105658 105658 FULLDISC http://seclists.org/fulldisclosure/2019/May/13 20190510 Re: dotCMS v5.1.1 HTML Injection & XSS Vulnerability MISC https://sw.aveva.com/hubfs/assets-2018/pdf/security-bulletin/SecurityBulletin_LFSec126.pdf https://sw.aveva.com/hubfs/assets-2018/pdf/security-bulletin/SecurityBulletin_LFSec126.pdf info 
http://blog.jquery.com/2016/01/08/jquery-2-2-and-1-12-released/ info MISC https://github.com/jquery/jquery/pull/2588/commits/c254d308a7d3f1eac4d0b42837804cfffcba4bb2 https://github.com/jquery/jquery/pull/2588/commits/c254d308a7d3f1eac4d0b42837804cfffcba4bb2 MLIST https://lists.apache.org/thread.html/ba79cf1658741e9f146e4c59b50aee56656ea95d841d358d006c18b6@%3Ccommits.roller.apache.org%3E [roller-commits] 20190820 [jira] [Created] (ROL-2150) Fix Js security vulnerabilities detected using retire js MLIST https://lists.apache.org/thread.html/10f0f3aefd51444d1198c65f44ffdf2d78ca3359423dbc1c168c9731@%3Cdev.flink.apache.org%3E [flink-dev] 20190811 Apache flink 1.7.2 security issues MISC http://packetstormsecurity.com/files/153237/RetireJS-CORS-Issue-Script-Execution.html http://packetstormsecurity.com/files/153237/RetireJS-CORS-Issue-Script-Execution.html MISC https://snyk.io/vuln/npm:jquery:20150627 https://snyk.io/vuln/npm:jquery:20150627 info http://research.insecurelabs.org/jquery/test/ info CONFIRM http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html MISC https://ics-cert.us-cert.gov/advisories/ICSA-18-212-04 https://ics-cert.us-cert.gov/advisories/ICSA-18-212-04 MISC http://packetstormsecurity.com/files/152787/dotCMS-5.1.1-Vulnerable-Dependencies.html http://packetstormsecurity.com/files/152787/dotCMS-5.1.1-Vulnerable-Dependencies.html MISC https://github.com/jquery/jquery/commit/f60729f3903d17917dc351f3ac87794de379b0cc https://github.com/jquery/jquery/commit/f60729f3903d17917dc351f3ac87794de379b0cc cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.56:*:*:*:*:*:*:* cpe:2.3:a:oracle:enterprise_operations_monitor:3.4:*:*:*:*:*:*:* cpe:2.3:a:oracle:retail_allocation:15.0.2:*:*:*:*:*:*:* cpe:2.3:a:oracle:banking_platform:2.6.1:*:*:*:*:*:*:* cpe:2.3:a:oracle:financial_services_asset_liability_management:*:*:*:*:*:*:*:* 
cpe:2.3:a:oracle:financial_services_profitability_management:*:*:*:*:*:*:*:* cpe:2.3:a:oracle:agile_product_lifecycle_management_for_process:6.2.3.1:*:*:*:*:*:*:* cpe:2.3:a:oracle:real-time_scheduler:2.3.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:primavera_unifier:18.8:*:*:*:*:*:*:* cpe:2.3:a:oracle:service_bus:12.1.3.0.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:hospitality_guest_access:4.2.1:*:*:*:*:*:*:* cpe:2.3:a:oracle:utilities_framework:*:*:*:*:*:*:*:* cpe:2.3:a:oracle:hospitality_materials_control:18.1:*:*:*:*:*:*:* cpe:2.3:a:oracle:utilities_mobile_workforce_management:2.3.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:hospitality_cruise_fleet_management:9.0.11:*:*:*:*:*:*:* cpe:2.3:a:oracle:insurance_insbridge_rating_and_underwriting:5.4:*:*:*:*:*:*:* cpe:2.3:a:oracle:communications_interactive_session_recorder:6.2:*:*:*:*:*:*:* cpe:2.3:a:oracle:endeca_information_discovery_studio:3.2.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:jdeveloper:11.1.1.9.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:healthcare_foundation:7.1:*:*:*:*:*:*:* cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:*:*:*:*:*:*:*:* cpe:2.3:a:oracle:retail_sales_audit:15.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:primavera_gateway:16.2:*:*:*:*:*:*:* cpe:2.3:a:oracle:retail_customer_insights:15.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:agile_product_lifecycle_management_for_process:6.2.3.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:financial_services_market_risk_measurement_and_management:8.0.6:*:*:*:*:*:*:* cpe:2.3:a:oracle:enterprise_manager_ops_center:12.3.3:*:*:*:*:*:*:* cpe:2.3:a:oracle:financial_services_reconciliation_framework:8.0.6:*:*:*:*:*:*:* cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.55:*:*:*:*:*:*:* cpe:2.3:a:oracle:siebel_ui_framework:18.11:*:*:*:*:*:*:* cpe:2.3:a:oracle:weblogic_server:12.2.1.3:*:*:*:*:*:*:* cpe:2.3:a:oracle:healthcare_foundation:7.2:*:*:*:*:*:*:* cpe:2.3:a:oracle:primavera_gateway:17.12:*:*:*:*:*:*:* cpe:2.3:a:oracle:enterprise_operations_monitor:4.0:*:*:*:*:*:*:* 
cpe:2.3:a:oracle:retail_workforce_management_software:1.60.9:*:*:*:*:*:*:* cpe:2.3:a:oracle:siebel_ui_framework:18.10:*:*:*:*:*:*:* cpe:2.3:a:oracle:oss_support_tools:19.1:*:*:*:*:*:*:* cpe:2.3:a:oracle:agile_product_lifecycle_management_for_process:6.2.0.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:communications_interactive_session_recorder:6.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:financial_services_hedge_management_and_ifrs_valuations:*:*:*:*:*:*:*:* cpe:2.3:a:oracle:business_process_management_suite:12.2.1.3.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:financial_services_market_risk_measurement_and_management:8.0.5:*:*:*:*:*:*:* cpe:2.3:a:oracle:financial_services_reconciliation_framework:8.0.5:*:*:*:*:*:*:* cpe:2.3:a:oracle:hospitality_reporting_and_analytics:9.1.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:communications_interactive_session_recorder:6.1:*:*:*:*:*:*:* cpe:2.3:a:oracle:insurance_insbridge_rating_and_underwriting:5.5:*:*:*:*:*:*:* cpe:2.3:a:oracle:insurance_insbridge_rating_and_underwriting:5.2:*:*:*:*:*:*:* cpe:2.3:a:oracle:primavera_unifier:16.1:*:*:*:*:*:*:* cpe:2.3:a:oracle:fusion_middleware_mapviewer:12.2.1.3.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:business_process_management_suite:11.1.1.9.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:financial_services_liquidity_risk_management:*:*:*:*:*:*:*:* cpe:2.3:a:oracle:communications_webrtc_session_controller:*:*:*:*:*:*:*:* cpe:2.3:a:oracle:communications_converged_application_server:*:*:*:*:*:*:*:* cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools:9.2:*:*:*:*:*:*:* cpe:2.3:a:oracle:jdeveloper:12.1.3.0.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:weblogic_server:12.1.3.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:communications_services_gatekeeper:*:*:*:*:*:*:*:* cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.57:*:*:*:*:*:*:* cpe:2.3:a:oracle:business_process_management_suite:12.1.3.0.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:primavera_unifier:*:*:*:*:*:*:*:* cpe:2.3:a:oracle:retail_customer_insights:16.0:*:*:*:*:*:*:* 
cpe:2.3:a:oracle:agile_product_lifecycle_management_for_process:6.2.1.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:retail_workforce_management_software:1.64.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:agile_product_lifecycle_management_for_process:6.2.2.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:financial_services_funds_transfer_pricing:*:*:*:*:*:*:*:* cpe:2.3:a:oracle:financial_services_loan_loss_forecasting_and_provisioning:*:*:*:*:*:*:*:* cpe:2.3:a:oracle:banking_platform:2.6.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:*:*:*:*:*:*:*:* cpe:2.3:a:oracle:jdeveloper:12.2.1.3.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:banking_platform:2.6.2:*:*:*:*:*:*:* cpe:2.3:a:oracle:endeca_information_discovery_studio:3.1.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:financial_services_data_integration_hub:*:*:*:*:*:*:*:* cpe:2.3:a:oracle:primavera_unifier:16.2:*:*:*:*:*:*:* cpe:2.3:a:jquery:jquery:*:*:*:*:*:*:*:* cpe:2.3:a:oracle:webcenter_sites:11.1.1.8.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:hospitality_guest_access:4.2.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:enterprise_manager_ops_center:12.2.2:*:*:*:*:*:*:* cpe:2.3:a:oracle:healthcare_translational_research:3.1.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:retail_invoice_matching:15.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:service_bus:12.2.1.3.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:primavera_gateway:15.2:*:*:*:*:*:*:* CVE-2019-11358 MEDIUM 4.3 NETWORK MEDIUM NONE NONE NONE NONE MEDIUM 6.1 NETWORK LOW NONE REQUIRED CHANGED LOW LOW NONE MEDIUM CWE-79 jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable __proto__ property, it could extend the native Object.prototype. 
SUSE http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00006.html openSUSE-SU-2019:1839 REDHAT https://access.redhat.com/errata/RHSA-2019:1456 RHSA-2019:1456 BUGTRAQ https://seclists.org/bugtraq/2019/May/18 20190509 dotCMS v5.1.1 Vulnerabilities info https://github.com/jquery/jquery/commit/753d591aea698e57d6db58c9f722cd0808619b1b info BID http://www.securityfocus.com/bid/108023 108023 MISC https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html MISC https://github.com/jquery/jquery/pull/4333 https://github.com/jquery/jquery/pull/4333 DEBIAN https://www.debian.org/security/2019/dsa-4460 DSA-4460 FULLDISC http://seclists.org/fulldisclosure/2019/May/11 20190510 dotCMS v5.1.1 HTML Injection & XSS Vulnerability BUGTRAQ https://seclists.org/bugtraq/2019/Jun/12 20190612 [SECURITY] [DSA 4460-1] mediawiki security update info https://nvd.nist.gov/vuln/detail/CVE-2019-11358 info MLIST https://lists.debian.org/debian-lts-announce/2019/05/msg00029.html [debian-lts-announce] 20190520 [SECURITY] [DLA 1797-1] drupal7 security update FEDORA https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KYH3OAGR2RTCHRA5NOKX2TES7SNQMWGO/ FEDORA-2019-7eaf0bbe7c FULLDISC http://seclists.org/fulldisclosure/2019/May/10 20190510 dotCMS v5.1.1 Vulnerabilities FEDORA https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WZW27UCJ5CYFL4KFFFMYMIBNMIU2ALG5/ FEDORA-2019-f563e66380 MISC https://backdropcms.org/security/backdrop-sa-core-2019-009 https://backdropcms.org/security/backdrop-sa-core-2019-009 FEDORA https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RLXRX23725JL366CNZGJZ7AQQB7LHQ6F/ FEDORA-2019-2a0ce0c58c MISC https://www.drupal.org/sa-core-2019-006 https://www.drupal.org/sa-core-2019-006 MISC https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/ 
https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/ FULLDISC http://seclists.org/fulldisclosure/2019/May/13 20190510 Re: dotCMS v5.1.1 HTML Injection & XSS Vulnerability FEDORA https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4UOAZIFCSZ3ENEFOR5IXX6NFAD3HV7FA/ FEDORA-2019-1a3edd7e8a MISC https://snyk.io/vuln/SNYK-JS-JQUERY-174006 https://snyk.io/vuln/SNYK-JS-JQUERY-174006 MLIST https://lists.apache.org/thread.html/88fb0362fd40e5b605ea8149f63241537b8b6fb5bfa315391fc5cbb7@%3Ccommits.airflow.apache.org%3E [airflow-commits] 20190428 [GitHub] [airflow] codecov-io commented on issue #5197: [AIRFLOW-XXX] Fix CVE-2019-11358 MLIST https://lists.apache.org/thread.html/08720ef215ee7ab3386c05a1a90a7d1c852bf0706f176a7816bf65fc@%3Ccommits.airflow.apache.org%3E [airflow-commits] 20190428 [GitHub] [airflow] feng-tao commented on issue #5197: [AIRFLOW-XXX] Fix CVE-2019-11358 MLIST https://lists.apache.org/thread.html/ba79cf1658741e9f146e4c59b50aee56656ea95d841d358d006c18b6@%3Ccommits.roller.apache.org%3E [roller-commits] 20190820 [jira] [Created] (ROL-2150) Fix Js security vulnerabilities detected using retire js FEDORA https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5IABSKTYZ5JUGL735UKGXL5YPRYOPUYI/ FEDORA-2019-eba8e44ee6 MLIST http://www.openwall.com/lists/oss-security/2019/06/03/2 [oss-security] 20190603 Django: CVE-2019-12308 AdminURLFieldWidget XSS (plus patched bundled jQuery for CVE-2019-11358) REDHAT https://access.redhat.com/errata/RHBA-2019:1570 RHBA-2019:1570 MISC https://www.privacy-wise.com/mitigating-cve-2019-11358-in-old-versions-of-jquery/ https://www.privacy-wise.com/mitigating-cve-2019-11358-in-old-versions-of-jquery/ DEBIAN https://www.debian.org/security/2019/dsa-4434 DSA-4434 MLIST https://lists.debian.org/debian-lts-announce/2019/05/msg00006.html [debian-lts-announce] 20190506 [SECURITY] [DLA 1777-1] jquery security update MLIST 
https://lists.apache.org/thread.html/b736d0784cf02f5a30fbb4c5902762a15ad6d47e17e2c5a17b7d6205@%3Ccommits.airflow.apache.org%3E [airflow-commits] 20190428 [GitHub] [airflow] feng-tao opened a new pull request #5197: [AIRFLOW-XXX] Fix CVE-2019-11358 MISC http://packetstormsecurity.com/files/153237/RetireJS-CORS-Issue-Script-Execution.html http://packetstormsecurity.com/files/153237/RetireJS-CORS-Issue-Script-Execution.html MISC https://github.com/jquery/jquery/commit/753d591aea698e57d6db58c9f722cd0808619b1b https://github.com/jquery/jquery/commit/753d591aea698e57d6db58c9f722cd0808619b1b SUSE http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00025.html openSUSE-SU-2019:1872 MLIST https://lists.apache.org/thread.html/6097cdbd6f0a337bedd9bb5cc441b2d525ff002a96531de367e4259f@%3Ccommits.airflow.apache.org%3E [airflow-commits] 20190428 [GitHub] [airflow] XD-DENG commented on issue #5197: [AIRFLOW-XXX] Fix CVE-2019-11358 info https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/ info BUGTRAQ https://seclists.org/bugtraq/2019/Apr/32 20190421 [SECURITY] [DSA 4434-1] drupal7 security update MISC http://packetstormsecurity.com/files/152787/dotCMS-5.1.1-Vulnerable-Dependencies.html http://packetstormsecurity.com/files/152787/dotCMS-5.1.1-Vulnerable-Dependencies.html MLIST https://lists.apache.org/thread.html/5928aa293e39d248266472210c50f176cac1535220f2486e6a7fa844@%3Ccommits.airflow.apache.org%3E [airflow-commits] 20190428 [GitHub] [airflow] XD-DENG merged pull request #5197: [AIRFLOW-XXX] Fix CVE-2019-11358 FEDORA https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QV3PKZC3PQCO3273HAT76PAQZFBEO4KP/ FEDORA-2019-a06dffab1c cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:* cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:* cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:* cpe:2.3:a:jquery:jquery:*:*:*:*:*:*:*:* cpe:2.3:a:backdropcms:backdrop:*:*:*:*:*:*:*:* cpe:2.3:a:backdropcms:backdrop:*:*:*:*:*:*:*:* velocity-engine-core-2.1.jar 
/var/lib/jenkins/workspace/test@2/infrastructure/dependency-check/lib/velocity-engine-core-2.1.jar b10fd2f10542c554d3750c9a2a642c67 af23c9cc6eafd771a75ef19c4bcaf89337401c10 48bd4f41c118bb5b6805c059c296691a7bfacb8edf4f3a6431778ab1309efbef Apache Velocity is a general purpose template engine. https://www.apache.org/licenses/LICENSE-2.0.txt pom parent-artifactid velocity-engine-parent pom name Apache Velocity - Engine Manifest require-capability osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))" Manifest implementation-url http://velocity.apache.org/engine/devel/velocity-engine-core/ pom groupid apache.velocity Manifest bundle-docurl https://www.apache.org/ jar package name apache pom parent-groupid org.apache.velocity pom artifactid velocity-engine-core Manifest specification-vendor The Apache Software Foundation Manifest bundle-symbolicname org.apache.velocity.engine-core Manifest Implementation-Vendor-Id org.apache.velocity file name velocity-engine-core jar package name velocity Manifest Implementation-Vendor The Apache Software Foundation pom name Apache Velocity - Engine Manifest require-capability osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))" Manifest implementation-url http://velocity.apache.org/engine/devel/velocity-engine-core/ pom groupid apache.velocity jar package name filter Manifest bundle-docurl https://www.apache.org/ jar package name apache Manifest specification-title Apache Velocity - Engine pom parent-groupid org.apache.velocity Manifest Implementation-Title Apache Velocity - Engine Manifest Bundle-Name Apache Velocity - Engine jar package name template Manifest bundle-symbolicname org.apache.velocity.engine-core file name velocity-engine-core pom parent-artifactid velocity-engine-parent pom artifactid velocity-engine-core jar package name velocity pom version 2.1 file version 2.1 Manifest Implementation-Version 2.1 pkg:maven/org.apache.velocity/velocity-engine-core@2.1 
https://ossindex.sonatype.org/component/pkg:maven/org.apache.velocity/velocity-engine-core@2.1 pkg:maven/org.apache.velocity/velocity-engine-core@2.1 https://ossindex.sonatype.org/component/pkg:maven/org.apache.velocity/velocity-engine-core@2.1 asm-xml-6.2.jar /var/lib/jenkins/workspace/test@2/infrastructure/findsecbugs/lib/asm-xml-6.2.jar 2e8a919a14c4d621f79006faa37ab33f 11cbb555182f8998eb6d7dfef17a22070e627846 b0362758957b49cd68f4f8a22235b0f3de74c1c3a217e9ef5bd42c3ed00e91b4 XML API of ASM, a very small and fast Java bytecode manipulation framework BSD: http://asm.ow2.org/license.html /var/lib/jenkins/workspace/test@2/infrastructure/findsecbugs/archive/lib/asm-xml-6.2.jar b0362758957b49cd68f4f8a22235b0f3de74c1c3a217e9ef5bd42c3ed00e91b4 11cbb555182f8998eb6d7dfef17a22070e627846 2e8a919a14c4d621f79006faa37ab33f jar package name objectweb jar package name xml Manifest bundle-docurl http://asm.ow2.org pom organization name OW2 pom url http://asm.ow2.org/ pom groupid ow2.asm pom parent-artifactid ow2 jar package name asm file name asm-xml Manifest module-requires org.objectweb.asm;transitive=true,org.objectweb.asm.util;transitive=true central groupid org.ow2.asm jar package name objectweb jar package name xml pom artifactid asm-xml pom organization url http://www.ow2.org/ pom name asm-xml Manifest bundle-symbolicname org.objectweb.asm.xml jar package name asm Manifest bundle-requiredexecutionenvironment J2SE-1.5 pom parent-groupid org.ow2 jar package name xml Manifest Implementation-Title XML API of ASM, a very small and fast Java bytecode manipulation framework Manifest bundle-docurl http://asm.ow2.org pom artifactid asm-xml pom parent-groupid org.ow2 pom organization name OW2 jar package name asm file name asm-xml Manifest module-requires org.objectweb.asm;transitive=true,org.objectweb.asm.util;transitive=true jar package name xml jar package name objectweb pom url http://asm.ow2.org/ Manifest Bundle-Name org.objectweb.asm.xml pom organization url http://www.ow2.org/ 
central artifactid asm-xml pom name asm-xml jar package name asm Manifest bundle-symbolicname org.objectweb.asm.xml pom parent-artifactid ow2 Manifest bundle-requiredexecutionenvironment J2SE-1.5 pom groupid ow2.asm pom parent-version 6.2 file version 6.2 pom version 6.2 central version 6.2 pkg:maven/org.ow2.asm/asm-xml@6.2 https://ossindex.sonatype.org/component/pkg:maven/org.ow2.asm/asm-xml@6.2 pkg:maven/org.ow2.asm/asm-xml@6.2 https://ossindex.sonatype.org/component/pkg:maven/org.ow2.asm/asm-xml@6.2 asm-6.2.jar /var/lib/jenkins/workspace/test@2/infrastructure/findsecbugs/lib/asm-6.2.jar 7abdce94068615d690495f45eb6eb980 1b6c4ff09ce03f3052429139c2a68e295cae6604 917bda888bc543187325d5fbc1034207eed152574ef78df1734ca0aee40b7fc8 ASM, a very small and fast Java bytecode manipulation framework BSD: http://asm.ow2.org/license.html /var/lib/jenkins/workspace/test@2/infrastructure/findsecbugs/archive/lib/asm-6.2.jar 917bda888bc543187325d5fbc1034207eed152574ef78df1734ca0aee40b7fc8 1b6c4ff09ce03f3052429139c2a68e295cae6604 7abdce94068615d690495f45eb6eb980 Manifest bundle-symbolicname org.objectweb.asm jar package name objectweb Manifest bundle-docurl http://asm.ow2.org pom organization name OW2 pom url http://asm.ow2.org/ pom name asm pom groupid ow2.asm pom parent-artifactid ow2 jar package name asm pom artifactid asm central groupid org.ow2.asm file name asm jar package name objectweb pom organization url http://www.ow2.org/ jar package name asm Manifest bundle-requiredexecutionenvironment J2SE-1.5 pom parent-groupid org.ow2 Manifest bundle-symbolicname org.objectweb.asm Manifest bundle-docurl http://asm.ow2.org pom parent-groupid org.ow2 pom organization name OW2 pom name asm jar package name asm central artifactid asm pom artifactid asm file name asm jar package name objectweb pom url http://asm.ow2.org/ pom organization url http://www.ow2.org/ Manifest Implementation-Title ASM, a very small and fast Java bytecode manipulation framework jar package name asm Manifest 
Bundle-Name org.objectweb.asm pom parent-artifactid ow2 Manifest bundle-requiredexecutionenvironment J2SE-1.5 pom groupid ow2.asm pom parent-version 6.2 file version 6.2 pom version 6.2 central version 6.2 pkg:maven/org.ow2.asm/asm@6.2 https://ossindex.sonatype.org/component/pkg:maven/org.ow2.asm/asm@6.2 pkg:maven/org.ow2.asm/asm@6.2 https://ossindex.sonatype.org/component/pkg:maven/org.ow2.asm/asm@6.2 commons-lang-2.6.jar /var/lib/jenkins/workspace/test@2/infrastructure/findsecbugs/archive/lib/commons-lang-2.6.jar 4d5c1693079575b362edf41500630bbd 0ce1edb914c94ebc388f086c6827e8bdeec71ac2 50f11b09f877c294d56f24463f47d28f929cf5044f648661c0f0cfbae9a2f49c Commons Lang, a package of Java utility classes for the classes that are in java.lang's hierarchy, or are considered to be so standard as to justify existence in java.lang. http://www.apache.org/licenses/LICENSE-2.0.txt /var/lib/jenkins/workspace/test@2/infrastructure/findsecbugs/lib/commons-lang-2.6.jar 50f11b09f877c294d56f24463f47d28f929cf5044f648661c0f0cfbae9a2f49c 0ce1edb914c94ebc388f086c6827e8bdeec71ac2 4d5c1693079575b362edf41500630bbd jar package name lang pom parent-artifactid commons-parent Manifest bundle-symbolicname org.apache.commons.lang file name commons-lang pom parent-groupid org.apache.commons jar package name apache Manifest Implementation-Vendor-Id org.apache Manifest bundle-docurl http://commons.apache.org/lang/ pom url http://commons.apache.org/lang/ pom artifactid commons-lang Manifest specification-vendor The Apache Software Foundation jar package name commons pom name Commons Lang pom groupid commons-lang Manifest Implementation-Vendor The Apache Software Foundation pom artifactid commons-lang pom parent-artifactid commons-parent jar package name lang pom groupid commons-lang Manifest bundle-symbolicname org.apache.commons.lang file name commons-lang pom url http://commons.apache.org/lang/ jar package name apache Manifest bundle-docurl http://commons.apache.org/lang/ Manifest Bundle-Name 
Commons Lang jar package name commons Manifest Implementation-Title Commons Lang pom parent-groupid org.apache.commons pom name Commons Lang Manifest specification-title Commons Lang pom parent-version 2.6 Manifest Implementation-Version 2.6 file version 2.6 Manifest Bundle-Version 2.6 pom version 2.6 pkg:maven/commons-lang/commons-lang@2.6 https://ossindex.sonatype.org/component/pkg:maven/commons-lang/commons-lang@2.6 pkg:maven/commons-lang/commons-lang@2.6 https://ossindex.sonatype.org/component/pkg:maven/commons-lang/commons-lang@2.6 checker-qual-2.8.1.jar /var/lib/jenkins/workspace/test@2/infrastructure/dependency-check/lib/checker-qual-2.8.1.jar e1c060246b024c4f260c6904e55a62a3 eb2e8ab75598548cc8acf9a1ca227e480e01881e 9103499008bcecd4e948da29b17864abb64304e15706444ae209d17ebe0575df Checker Qual is the set of annotations (qualifiers) and supporting classes used by the Checker Framework to type check Java source code. Please see artifact: org.checkerframework:checker The MIT License: http://opensource.org/licenses/MIT jar package name checkerframework jar package name checker Manifest require-capability osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))" Manifest implementation-url https://checkerframework.org jar package name qual pom artifactid checker-qual Manifest bundle-symbolicname checker-qual central groupid org.checkerframework Manifest automatic-module-name org.checkerframework.checker.qual pom groupid checkerframework pom name Checker Qual jar package name checker jar package name checkerframework pom url https://checkerframework.org file name checker-qual jar package name checkerframework jar package name checker pom url https://checkerframework.org pom groupid checkerframework Manifest require-capability osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))" Manifest implementation-url https://checkerframework.org jar package name qual jar package name qual Manifest bundle-symbolicname checker-qual Manifest automatic-module-name 
org.checkerframework.checker.qual pom name Checker Qual jar package name checker Manifest Bundle-Name checker-qual central artifactid checker-qual pom artifactid checker-qual file name checker-qual Manifest Implementation-Version 2.8.1 Manifest Bundle-Version 2.8.1 pom version 2.8.1 file version 2.8.1 central version 2.8.1 pkg:maven/org.checkerframework/checker-qual@2.8.1 https://ossindex.sonatype.org/component/pkg:maven/org.checkerframework/checker-qual@2.8.1 pkg:maven/org.checkerframework/checker-qual@2.8.1 https://ossindex.sonatype.org/component/pkg:maven/org.checkerframework/checker-qual@2.8.1 gson-2.8.5.jar /var/lib/jenkins/workspace/test@2/infrastructure/dependency-check/lib/gson-2.8.5.jar 089104cb90d8b4e1aa00b1f5faef0742 f645ed69d595b24d4cf8b3fbb64cc505bede8829 233a0149fc365c9f6edbd683cfe266b19bdc773be98eabdaf6b3c924b48e7d81 Gson JSON library file name gson pom parent-groupid com.google.code.gson jar package name google jar package name gson Manifest require-capability osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.6))" Manifest bundle-symbolicname com.google.gson pom groupid google.code.gson Manifest bundle-contactaddress https://github.com/google/gson pom name Gson pom artifactid gson pom parent-artifactid gson-parent Manifest bundle-requiredexecutionenvironment J2SE-1.5, JavaSE-1.6, JavaSE-1.7, JavaSE-1.8 file name gson pom groupid google.code.gson jar package name google jar package name gson Manifest require-capability osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.6))" Manifest bundle-symbolicname com.google.gson Manifest bundle-contactaddress https://github.com/google/gson pom name Gson Manifest Bundle-Name Gson Manifest bundle-requiredexecutionenvironment J2SE-1.5, JavaSE-1.6, JavaSE-1.7, JavaSE-1.8 pom artifactid gson pom parent-artifactid gson-parent pom parent-groupid com.google.code.gson pom version 2.8.5 file version 2.8.5 Manifest Bundle-Version 2.8.5 pkg:maven/com.google.code.gson/gson@2.8.5 
https://ossindex.sonatype.org/component/pkg:maven/com.google.code.gson/gson@2.8.5 pkg:maven/com.google.code.gson/gson@2.8.5 https://ossindex.sonatype.org/component/pkg:maven/com.google.code.gson/gson@2.8.5 jackson-core-2.9.7.jar /var/lib/jenkins/workspace/test@2/target/devsecops/WEB-INF/lib/jackson-core-2.9.7.jar ae90e61fef491afefbc9c225b6497753 4b7f0e0dc527fab032e9800ed231080fdc3ac015 9e5bc0efabd9f0cac5c1fdd9ae35b16332ed22a0ee19a356de370a18a8cb6c84 Core Jackson processing abstractions (aka Streaming API), implementation for JSON http://www.apache.org/licenses/LICENSE-2.0.txt /var/lib/jenkins/workspace/test@2/target/devsecops.war/WEB-INF/lib/jackson-core-2.9.7.jar 9e5bc0efabd9f0cac5c1fdd9ae35b16332ed22a0ee19a356de370a18a8cb6c84 4b7f0e0dc527fab032e9800ed231080fdc3ac015 ae90e61fef491afefbc9c225b6497753 pom url FasterXML/jackson-core file name jackson-core Manifest Implementation-Vendor-Id com.fasterxml.jackson.core Manifest bundle-docurl https://github.com/FasterXML/jackson-core Manifest require-capability osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.6))" jar package name json Manifest Implementation-Vendor FasterXML pom parent-groupid com.fasterxml.jackson pom name Jackson-core jar package name jackson pom parent-artifactid jackson-base Manifest implementation-build-date 2018-09-19 02:41:39+0000 jar package name core jar package name base Manifest specification-vendor FasterXML pom groupid fasterxml.jackson.core pom artifactid jackson-core jar package name fasterxml Manifest automatic-module-name com.fasterxml.jackson.core Manifest bundle-symbolicname com.fasterxml.jackson.core.jackson-core pom parent-groupid com.fasterxml.jackson file name jackson-core Manifest bundle-docurl https://github.com/FasterXML/jackson-core Manifest Implementation-Title Jackson-core Manifest require-capability osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.6))" pom groupid fasterxml.jackson.core jar package name json Manifest Bundle-Name Jackson-core jar package name filter pom name 
Jackson-core jar package name jackson pom url FasterXML/jackson-core Manifest implementation-build-date 2018-09-19 02:41:39+0000 jar package name core jar package name version jar package name base pom artifactid jackson-core pom parent-artifactid jackson-base jar package name fasterxml Manifest automatic-module-name com.fasterxml.jackson.core Manifest bundle-symbolicname com.fasterxml.jackson.core.jackson-core Manifest specification-title Jackson-core Manifest Implementation-Version 2.9.7 Manifest Bundle-Version 2.9.7 file version 2.9.7 pom version 2.9.7 pkg:maven/com.fasterxml.jackson.core/jackson-core@2.9.7 https://ossindex.sonatype.org/component/pkg:maven/com.fasterxml.jackson.core/jackson-core@2.9.7 pkg:maven/com.fasterxml.jackson.core/jackson-core@2.9.7 https://ossindex.sonatype.org/component/pkg:maven/com.fasterxml.jackson.core/jackson-core@2.9.7 dependency-check-core-5.2.1.jar /var/lib/jenkins/workspace/test@2/infrastructure/dependency-check/lib/dependency-check-core-5.2.1.jar 09f8884f1bcb721259c50d6e763e6e12 b44c19dd79cf0ae85ce20c5251527339dc47397f 393e7f89621a91f4845e6056025734489dc28ea9280fc982601638b009873303 dependency-check-core is the engine and reporting tool used to identify and report if there are any known, publicly disclosed vulnerabilities in the scanned project's dependencies. The engine extracts meta-data from the dependencies and uses this to do fuzzy key-word matching against the Common Platform Enumeration (CPE); if any CPE identifiers are found, the associated Common Vulnerability and Exposure (CVE) entries are added to the generated report.
/var/lib/jenkins/workspace/test@2/infrastructure/dependency-check/lib/dependency-check-cli-5.2.1.jar 393e7f89621a91f4845e6056025734489dc28ea9280fc982601638b009873303 21745e3757eaaad009c6158db9fcf01579d38105 606c3bc9577620c35041c37cc07b8eec pkg:maven/org.owasp/dependency-check-cli@5.2.1 https://ossindex.sonatype.org/component/pkg:maven/org.owasp/dependency-check-cli@5.2.1 /var/lib/jenkins/workspace/test@2/infrastructure/dependency-check/lib/dependency-check-utils-5.2.1.jar 393e7f89621a91f4845e6056025734489dc28ea9280fc982601638b009873303 7ac90a9bc300d11ae3460429cff3fbdb1a0a89c5 ffab28d15e169ac88e45fa0d4777a0bf pkg:maven/org.owasp/dependency-check-utils@5.2.1 https://ossindex.sonatype.org/component/pkg:maven/org.owasp/dependency-check-utils@5.2.1 pom artifactid dependency-check-core pom parent-groupid org.owasp jar package name owasp jar package name data file name dependency-check-core pom name Dependency-Check Core pom groupid owasp Manifest build-jdk-spec 1.8 jar package name dependency pom parent-artifactid dependency-check-parent Manifest Implementation-Vendor OWASP jar package name reporting jar package name engine jar package name owasp jar package name data file name dependency-check-core pom name Dependency-Check Core Manifest Implementation-Title Dependency-Check Core Manifest build-jdk-spec 1.8 pom groupid owasp pom parent-groupid org.owasp jar package name dependency pom artifactid dependency-check-core pom parent-artifactid dependency-check-parent jar package name reporting jar package name engine pom version 5.2.1 file version 5.2.1 Manifest Implementation-Version 5.2.1 pkg:maven/org.owasp/dependency-check-core@5.2.1 https://ossindex.sonatype.org/component/pkg:maven/org.owasp/dependency-check-core@5.2.1 pkg:maven/org.owasp/dependency-check-core@5.2.1 https://ossindex.sonatype.org/component/pkg:maven/org.owasp/dependency-check-core@5.2.1 slf4j-api-1.7.5.jar /var/lib/jenkins/workspace/test@2/target/devsecops/WEB-INF/lib/slf4j-api-1.7.5.jar 
3b1ececad9ebc3fbad2953ccf4a070ca 6b262da268f8ad9eff941b25503a9198f0a0ac93 fe30825245d2336c859dc38d60c0fc5f3668dbf29cd586828d2b5667ec355b91 The slf4j API /var/lib/jenkins/workspace/test@2/target/devsecops.war/WEB-INF/lib/slf4j-api-1.7.5.jar fe30825245d2336c859dc38d60c0fc5f3668dbf29cd586828d2b5667ec355b91 6b262da268f8ad9eff941b25503a9198f0a0ac93 3b1ececad9ebc3fbad2953ccf4a070ca file name slf4j-api pom url http://www.slf4j.org Manifest bundle-symbolicname slf4j.api pom name SLF4J API Module pom groupid slf4j pom artifactid slf4j-api pom parent-artifactid slf4j-parent Manifest bundle-requiredexecutionenvironment J2SE-1.3 pom parent-groupid org.slf4j jar package name slf4j pom name SLF4J API Module pom parent-groupid org.slf4j pom artifactid slf4j-api Manifest Bundle-Name slf4j-api file name slf4j-api Manifest bundle-symbolicname slf4j.api Manifest Implementation-Title slf4j-api pom parent-artifactid slf4j-parent pom groupid slf4j pom url http://www.slf4j.org Manifest bundle-requiredexecutionenvironment J2SE-1.3 jar package name slf4j Manifest Bundle-Version 1.7.5 Manifest Implementation-Version 1.7.5 file version 1.7.5 pom version 1.7.5 pkg:maven/org.slf4j/slf4j-api@1.7.5 https://ossindex.sonatype.org/component/pkg:maven/org.slf4j/slf4j-api@1.7.5 pkg:maven/org.slf4j/slf4j-api@1.7.5 https://ossindex.sonatype.org/component/pkg:maven/org.slf4j/slf4j-api@1.7.5 jcl-over-slf4j-1.7.15.jar /var/lib/jenkins/workspace/test@2/infrastructure/dependency-check/lib/jcl-over-slf4j-1.7.15.jar ec012970331eea95119fe69cfc2719c4 598ffdd2f61d99a0244d095b96f3cb9c48b0cb8a 1faeb66c0b69e7d75369ca48fc1ce4b84c8b66c1f8610b5fd060ad46d53a6e01 JCL 1.1.1 implemented over SLF4J pom url http://www.slf4j.org file name jcl-over-slf4j pom name JCL 1.1.1 implemented over SLF4J Manifest bundle-symbolicname jcl.over.slf4j pom groupid slf4j pom artifactid jcl-over-slf4j pom parent-artifactid slf4j-parent pom parent-groupid org.slf4j Manifest bundle-requiredexecutionenvironment J2SE-1.5 Manifest 
Implementation-Title jcl-over-slf4j file name jcl-over-slf4j pom name JCL 1.1.1 implemented over SLF4J Manifest bundle-symbolicname jcl.over.slf4j pom artifactid jcl-over-slf4j pom parent-artifactid slf4j-parent Manifest Bundle-Name jcl-over-slf4j pom groupid slf4j pom parent-groupid org.slf4j pom url http://www.slf4j.org Manifest bundle-requiredexecutionenvironment J2SE-1.5 file version 1.7.15 pom version 1.7.15 Manifest Bundle-Version 1.7.15 Manifest Implementation-Version 1.7.15 pkg:maven/org.slf4j/jcl-over-slf4j@1.7.15 https://ossindex.sonatype.org/component/pkg:maven/org.slf4j/jcl-over-slf4j@1.7.15 pkg:maven/org.slf4j/jcl-over-slf4j@1.7.15 https://ossindex.sonatype.org/component/pkg:maven/org.slf4j/jcl-over-slf4j@1.7.15 price-range.js /var/lib/jenkins/workspace/test@2/target/devsecops/js/price-range.js 8565ff5f29372da52f220e2fe23ea730 6191abc3f5ee0e4ffdb6c1719face9754d81d12f e8648ac9f0a5b0c8bd6b984e9515f3ba15fe6bc12f5388f31c1bcc317cfebcf4 /var/lib/jenkins/workspace/test@2/src/main/webapp/js/price-range.js e8648ac9f0a5b0c8bd6b984e9515f3ba15fe6bc12f5388f31c1bcc317cfebcf4 6191abc3f5ee0e4ffdb6c1719face9754d81d12f 8565ff5f29372da52f220e2fe23ea730 /var/lib/jenkins/workspace/test@2/target/devsecops.war/js/price-range.js e8648ac9f0a5b0c8bd6b984e9515f3ba15fe6bc12f5388f31c1bcc317cfebcf4 6191abc3f5ee0e4ffdb6c1719face9754d81d12f 8565ff5f29372da52f220e2fe23ea730 main.js /var/lib/jenkins/workspace/test@2/src/main/webapp/js/main.js c2f31dda690ac650ace679f27c690355 70d9cbd75dbd0ab0d7b57a9775d1f743009014b8 d5c212e0a4c875acace311a6afb09aeb6a21166afdd777cbdc3de69eb5bf431f /var/lib/jenkins/workspace/test@2/target/devsecops/js/main.js d5c212e0a4c875acace311a6afb09aeb6a21166afdd777cbdc3de69eb5bf431f 70d9cbd75dbd0ab0d7b57a9775d1f743009014b8 c2f31dda690ac650ace679f27c690355 /var/lib/jenkins/workspace/test@2/target/devsecops.war/js/main.js d5c212e0a4c875acace311a6afb09aeb6a21166afdd777cbdc3de69eb5bf431f 70d9cbd75dbd0ab0d7b57a9775d1f743009014b8 c2f31dda690ac650ace679f27c690355 
tiles-core-2.0.6.jar /var/lib/jenkins/workspace/test@2/target/devsecops/WEB-INF/lib/tiles-core-2.0.6.jar 283f1fa1743b357eb17db15b56e1a64c 234c747d4b7d70ec505d39d314db7b4fd443269f e4d37aa64ffb8e49ecc9ffd9cab8eae52e6fe553ff332515b3663503ead68d25 Tiles Core Library, including basic implementation of the APIs. /var/lib/jenkins/workspace/test@2/target/devsecops.war/WEB-INF/lib/tiles-api-2.0.6.jar e4d37aa64ffb8e49ecc9ffd9cab8eae52e6fe553ff332515b3663503ead68d25 729a464b01317f178fdf5c8d0d97328487a3cb0d aa99867384889e44a46ddc68bb940366 /var/lib/jenkins/workspace/test@2/target/devsecops/WEB-INF/lib/tiles-jsp-2.0.6.jar e4d37aa64ffb8e49ecc9ffd9cab8eae52e6fe553ff332515b3663503ead68d25 19b61ced8324efa01f3dd85c0509a6b473e53168 13abb2b6712544cea71c342043e85bd4 pkg:maven/org.apache.tiles/tiles-jsp@2.0.6 https://ossindex.sonatype.org/component/pkg:maven/org.apache.tiles/tiles-jsp@2.0.6 /var/lib/jenkins/workspace/test@2/target/devsecops.war/WEB-INF/lib/tiles-core-2.0.6.jar e4d37aa64ffb8e49ecc9ffd9cab8eae52e6fe553ff332515b3663503ead68d25 234c747d4b7d70ec505d39d314db7b4fd443269f 283f1fa1743b357eb17db15b56e1a64c /var/lib/jenkins/workspace/test@2/target/devsecops/WEB-INF/lib/tiles-api-2.0.6.jar e4d37aa64ffb8e49ecc9ffd9cab8eae52e6fe553ff332515b3663503ead68d25 729a464b01317f178fdf5c8d0d97328487a3cb0d aa99867384889e44a46ddc68bb940366 pkg:maven/org.apache.tiles/tiles-api@2.0.6 https://ossindex.sonatype.org/component/pkg:maven/org.apache.tiles/tiles-api@2.0.6 /var/lib/jenkins/workspace/test@2/target/devsecops.war/WEB-INF/lib/tiles-jsp-2.0.6.jar e4d37aa64ffb8e49ecc9ffd9cab8eae52e6fe553ff332515b3663503ead68d25 19b61ced8324efa01f3dd85c0509a6b473e53168 13abb2b6712544cea71c342043e85bd4 Manifest Implementation-Vendor-Id org.apache jar package name apache Manifest Implementation-Vendor Apache Software Foundation pom groupid apache.tiles file name tiles-core jar package name tiles Manifest specification-vendor Apache Software Foundation pom artifactid tiles-core pom parent-artifactid tiles-parent 
pom name Tiles - Core Library pom parent-groupid org.apache.tiles jar package name apache pom groupid apache.tiles file name tiles-core jar package name tiles pom parent-groupid org.apache.tiles Manifest Implementation-Title Tiles - Core Library pom artifactid tiles-core Manifest specification-title Tiles - Core Library pom parent-artifactid tiles-parent pom name Tiles - Core Library file version 2.0.6 pom version 2.0.6 Manifest Implementation-Version 2.0.6 pkg:maven/org.apache.tiles/tiles-core@2.0.6 https://ossindex.sonatype.org/component/pkg:maven/org.apache.tiles/tiles-core@2.0.6 pkg:maven/org.apache.tiles/tiles-core@2.0.6 https://ossindex.sonatype.org/component/pkg:maven/org.apache.tiles/tiles-core@2.0.6 asm-util-6.2.jar /var/lib/jenkins/workspace/test@2/infrastructure/findsecbugs/lib/asm-util-6.2.jar cf102ff32c9cef7fda92bd7b2a751ca4 a9690730f92cc79eeadc20e400ebb41eccce10b1 f2820ea6ef069b83f37d805f5cec58b2872a25650f5f95b4f3cc572156323df0 Utilities for ASM, a very small and fast Java bytecode manipulation framework BSD: http://asm.ow2.org/license.html /var/lib/jenkins/workspace/test@2/infrastructure/findsecbugs/archive/lib/asm-util-6.2.jar f2820ea6ef069b83f37d805f5cec58b2872a25650f5f95b4f3cc572156323df0 a9690730f92cc79eeadc20e400ebb41eccce10b1 cf102ff32c9cef7fda92bd7b2a751ca4 jar package name objectweb jar package name util Manifest bundle-docurl http://asm.ow2.org pom organization name OW2 pom name asm-util Manifest bundle-symbolicname org.objectweb.asm.util Manifest module-requires org.objectweb.asm;transitive=true,org.objectweb.asm.tree;transitive=true,org.objectweb.asm.tree.analysis;transitive=true pom url http://asm.ow2.org/ pom artifactid asm-util pom groupid ow2.asm pom parent-artifactid ow2 jar package name asm central groupid org.ow2.asm jar package name objectweb pom organization url http://www.ow2.org/ jar package name util jar package name asm file name asm-util Manifest bundle-requiredexecutionenvironment J2SE-1.5 pom parent-groupid org.ow2 jar 
package name util Manifest bundle-docurl http://asm.ow2.org pom name asm-util Manifest bundle-symbolicname org.objectweb.asm.util Manifest module-requires org.objectweb.asm;transitive=true,org.objectweb.asm.tree;transitive=true,org.objectweb.asm.tree.analysis;transitive=true pom parent-groupid org.ow2 pom organization name OW2 jar package name asm jar package name objectweb Manifest Bundle-Name org.objectweb.asm.util pom url http://asm.ow2.org/ Manifest Implementation-Title Utilities for ASM, a very small and fast Java bytecode manipulation framework jar package name util pom organization url http://www.ow2.org/ jar package name asm central artifactid asm-util pom parent-artifactid ow2 file name asm-util Manifest bundle-requiredexecutionenvironment J2SE-1.5 pom groupid ow2.asm pom artifactid asm-util pom parent-version 6.2 file version 6.2 pom version 6.2 central version 6.2 pkg:maven/org.ow2.asm/asm-util@6.2 https://ossindex.sonatype.org/component/pkg:maven/org.ow2.asm/asm-util@6.2 pkg:maven/org.ow2.asm/asm-util@6.2 https://ossindex.sonatype.org/component/pkg:maven/org.ow2.asm/asm-util@6.2 gmaps.js /var/lib/jenkins/workspace/test@2/target/devsecops/js/gmaps.js 75a1b69b80f43aaaf74e3f56ca80e59d 8add2c5e4fc37d3723f975f6302e98771febcff3 5958050960c5d1cf4ff27afaf54acfd6a0a8ea1bbbf09573d74852063704201f /var/lib/jenkins/workspace/test@2/src/main/webapp/js/gmaps.js 5958050960c5d1cf4ff27afaf54acfd6a0a8ea1bbbf09573d74852063704201f 8add2c5e4fc37d3723f975f6302e98771febcff3 75a1b69b80f43aaaf74e3f56ca80e59d /var/lib/jenkins/workspace/test@2/target/devsecops.war/js/gmaps.js 5958050960c5d1cf4ff27afaf54acfd6a0a8ea1bbbf09573d74852063704201f 8add2c5e4fc37d3723f975f6302e98771febcff3 75a1b69b80f43aaaf74e3f56ca80e59d jaxen-1.1.6.jar /var/lib/jenkins/workspace/test@2/infrastructure/findsecbugs/archive/lib/jaxen-1.1.6.jar a140517286b56eea981e188dcc3a13f6 3f8c36d9a0578e8e98f030c662b69888b1430ac0 5ac9c74bbb3964b34a886ba6b1b6c0b0dc3ebeebc1dc4a44942a76634490b3eb Jaxen is a universal Java 
XPath engine. http://jaxen.codehaus.org/license.html /var/lib/jenkins/workspace/test@2/infrastructure/findsecbugs/lib/jaxen-1.1.6.jar 5ac9c74bbb3964b34a886ba6b1b6c0b0dc3ebeebc1dc4a44942a76634490b3eb 3f8c36d9a0578e8e98f030c662b69888b1430ac0 a140517286b56eea981e188dcc3a13f6 Manifest bundle-symbolicname jaxen jar package name jaxen pom artifactid jaxen Manifest bundle-docurl http://codehaus.org jar package name xpath pom organization url http://codehaus.org pom organization name Codehaus pom groupid jaxen pom url http://jaxen.codehaus.org/ pom name jaxen file name jaxen Manifest bundle-docurl http://codehaus.org Manifest Bundle-Name jaxen file name jaxen pom organization url http://codehaus.org pom artifactid jaxen pom url http://jaxen.codehaus.org/ jar package name jaxen Manifest bundle-symbolicname jaxen jar package name xpath pom groupid jaxen pom organization name Codehaus pom name jaxen pom version 1.1.6 file version 1.1.6 Manifest Bundle-Version 1.1.6 pkg:maven/jaxen/jaxen@1.1.6 https://ossindex.sonatype.org/component/pkg:maven/jaxen/jaxen@1.1.6 pkg:maven/jaxen/jaxen@1.1.6 https://ossindex.sonatype.org/component/pkg:maven/jaxen/jaxen@1.1.6 spring-core-5.1.2.RELEASE.jar /var/lib/jenkins/workspace/test@2/target/devsecops/WEB-INF/lib/spring-core-5.1.2.RELEASE.jar d64dcf8e0f28f8b74cea9868d5a52def b9b00d4075c92761cfd4e527e0bdce1931b4f3dc 3f646f7a51bd3a32c89241b899f6cc73dc40ea8275cd3233f4699668bfb839c5 Spring Core Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0 /var/lib/jenkins/workspace/test@2/target/devsecops/WEB-INF/lib/spring-context-5.1.2.RELEASE.jar 3f646f7a51bd3a32c89241b899f6cc73dc40ea8275cd3233f4699668bfb839c5 5c85bc522a5adac9b09b7204fa20708519ab6a11 4575fc76a4c1974da992abe67d6f43fe pkg:maven/org.springframework/spring-context@5.1.2.RELEASE https://ossindex.sonatype.org/component/pkg:maven/org.springframework/spring-context@5.1.2.RELEASE /var/lib/jenkins/workspace/test@2/target/devsecops.war/WEB-INF/lib/spring-context-5.1.2.RELEASE.jar 
3f646f7a51bd3a32c89241b899f6cc73dc40ea8275cd3233f4699668bfb839c5 5c85bc522a5adac9b09b7204fa20708519ab6a11 4575fc76a4c1974da992abe67d6f43fe /var/lib/jenkins/workspace/test@2/target/devsecops.war/WEB-INF/lib/spring-beans-5.1.2.RELEASE.jar 3f646f7a51bd3a32c89241b899f6cc73dc40ea8275cd3233f4699668bfb839c5 5d513701a79c92f0549574f5170a05c4af7c893d 8e7e5b97f44fea3e6ff9924be235ac10 /var/lib/jenkins/workspace/test@2/target/devsecops.war/WEB-INF/lib/spring-jcl-5.1.2.RELEASE.jar 3f646f7a51bd3a32c89241b899f6cc73dc40ea8275cd3233f4699668bfb839c5 f0d7165b6cfb90356da4f25b14a6437fdef1ec8a d24c4517c318640edad0436bf35ee61f /var/lib/jenkins/workspace/test@2/target/devsecops.war/WEB-INF/lib/spring-aop-5.1.2.RELEASE.jar 3f646f7a51bd3a32c89241b899f6cc73dc40ea8275cd3233f4699668bfb839c5 bc3cdf3c81bc0a3482cc7f6b9e00ab76847056a7 88619d03a3e2bdb4c4d51708e124a562 /var/lib/jenkins/workspace/test@2/target/devsecops/WEB-INF/lib/spring-beans-5.1.2.RELEASE.jar 3f646f7a51bd3a32c89241b899f6cc73dc40ea8275cd3233f4699668bfb839c5 5d513701a79c92f0549574f5170a05c4af7c893d 8e7e5b97f44fea3e6ff9924be235ac10 pkg:maven/org.springframework/spring-beans@5.1.2.RELEASE https://ossindex.sonatype.org/component/pkg:maven/org.springframework/spring-beans@5.1.2.RELEASE /var/lib/jenkins/workspace/test@2/target/devsecops.war/WEB-INF/lib/spring-web-5.1.2.RELEASE.jar 3f646f7a51bd3a32c89241b899f6cc73dc40ea8275cd3233f4699668bfb839c5 3ff2a93b072da42c3930225e3dceeabb0678eb0b 296062cb66d11ba3630c9cc024002f5a /var/lib/jenkins/workspace/test@2/target/devsecops/WEB-INF/lib/spring-expression-5.1.2.RELEASE.jar 3f646f7a51bd3a32c89241b899f6cc73dc40ea8275cd3233f4699668bfb839c5 03c16b062785e4c101db6b754fcb34a77c1e912c ac5b30ba1df477476cecafc3eed9a2cf pkg:maven/org.springframework/spring-expression@5.1.2.RELEASE https://ossindex.sonatype.org/component/pkg:maven/org.springframework/spring-expression@5.1.2.RELEASE /var/lib/jenkins/workspace/test@2/target/devsecops.war/WEB-INF/lib/spring-expression-5.1.2.RELEASE.jar 
3f646f7a51bd3a32c89241b899f6cc73dc40ea8275cd3233f4699668bfb839c5 03c16b062785e4c101db6b754fcb34a77c1e912c ac5b30ba1df477476cecafc3eed9a2cf /var/lib/jenkins/workspace/test@2/target/devsecops/WEB-INF/lib/spring-jcl-5.1.2.RELEASE.jar 3f646f7a51bd3a32c89241b899f6cc73dc40ea8275cd3233f4699668bfb839c5 f0d7165b6cfb90356da4f25b14a6437fdef1ec8a d24c4517c318640edad0436bf35ee61f pkg:maven/org.springframework/spring-jcl@5.1.2.RELEASE https://ossindex.sonatype.org/component/pkg:maven/org.springframework/spring-jcl@5.1.2.RELEASE /var/lib/jenkins/workspace/test@2/target/devsecops/WEB-INF/lib/spring-aop-5.1.2.RELEASE.jar 3f646f7a51bd3a32c89241b899f6cc73dc40ea8275cd3233f4699668bfb839c5 bc3cdf3c81bc0a3482cc7f6b9e00ab76847056a7 88619d03a3e2bdb4c4d51708e124a562 pkg:maven/org.springframework/spring-aop@5.1.2.RELEASE https://ossindex.sonatype.org/component/pkg:maven/org.springframework/spring-aop@5.1.2.RELEASE /var/lib/jenkins/workspace/test@2/target/devsecops.war/WEB-INF/lib/spring-core-5.1.2.RELEASE.jar 3f646f7a51bd3a32c89241b899f6cc73dc40ea8275cd3233f4699668bfb839c5 b9b00d4075c92761cfd4e527e0bdce1931b4f3dc d64dcf8e0f28f8b74cea9868d5a52def /var/lib/jenkins/workspace/test@2/target/devsecops/WEB-INF/lib/spring-web-5.1.2.RELEASE.jar 3f646f7a51bd3a32c89241b899f6cc73dc40ea8275cd3233f4699668bfb839c5 3ff2a93b072da42c3930225e3dceeabb0678eb0b 296062cb66d11ba3630c9cc024002f5a pkg:maven/org.springframework/spring-web@5.1.2.RELEASE https://ossindex.sonatype.org/component/pkg:maven/org.springframework/spring-web@5.1.2.RELEASE file name spring-core hint analyzer vendor vmware pom artifactid spring-core pom groupid springframework pom url spring-projects/spring-framework hint analyzer vendor pivotal software pom name Spring Core jar package name core pom organization url http://projects.spring.io/spring-framework Manifest automatic-module-name spring.core jar package name springframework hint analyzer vendor SpringSource pom organization name Spring IO jar package name core central groupid 
org.springframework file name spring-core pom organization url http://projects.spring.io/spring-framework pom name Spring Core jar package name core pom url spring-projects/spring-framework Manifest automatic-module-name spring.core pom organization name Spring IO central artifactid spring-core Manifest Implementation-Title spring-core pom groupid springframework pom artifactid spring-core jar package name core hint analyzer product springsource_spring_framework Manifest Implementation-Version 5.1.2.RELEASE central version 5.1.2.RELEASE pom version 5.1.2.RELEASE pkg:maven/org.springframework/spring-core@5.1.2.RELEASE https://ossindex.sonatype.org/component/pkg:maven/org.springframework/spring-core@5.1.2.RELEASE pkg:maven/org.springframework/spring-core@5.1.2.RELEASE https://ossindex.sonatype.org/component/pkg:maven/org.springframework/spring-core@5.1.2.RELEASE commons-logging-1.2.jar /var/lib/jenkins/workspace/test@2/infrastructure/dependency-check/lib/commons-logging-1.2.jar 040b4b4d8eac886f6b4a2a3bd2f31b00 4bfc12adfe4842bf07b657f0369c4cb522955686 daddea1ea0be0f56978ab3006b8ac92834afeefbd9b7e4e6316fca57df0fa636 Apache Commons Logging is a thin adapter allowing configurable bridging to other, well known logging systems. 
http://www.apache.org/licenses/LICENSE-2.0.txt jar package name logging pom parent-artifactid commons-parent pom url http://commons.apache.org/proper/commons-logging/ Manifest bundle-symbolicname org.apache.commons.logging pom groupid commons-logging pom artifactid commons-logging Manifest bundle-docurl http://commons.apache.org/proper/commons-logging/ pom parent-groupid org.apache.commons pom name Apache Commons Logging jar package name apache Manifest Implementation-Vendor-Id org.apache Manifest implementation-build tags/LOGGING_1_2_RC2@r1608092; 2014-07-05 20:11:44+0200 Manifest specification-vendor The Apache Software Foundation jar package name commons file name commons-logging Manifest Implementation-Vendor The Apache Software Foundation pom parent-artifactid commons-parent jar package name logging Manifest bundle-symbolicname org.apache.commons.logging Manifest specification-title Apache Commons Logging pom artifactid commons-logging Manifest bundle-docurl http://commons.apache.org/proper/commons-logging/ pom name Apache Commons Logging jar package name apache Manifest implementation-build tags/LOGGING_1_2_RC2@r1608092; 2014-07-05 20:11:44+0200 jar package name commons pom url http://commons.apache.org/proper/commons-logging/ file name commons-logging Manifest Implementation-Title Apache Commons Logging pom parent-groupid org.apache.commons Manifest Bundle-Name Apache Commons Logging pom groupid commons-logging Manifest Implementation-Version 1.2 pom parent-version 1.2 file version 1.2 pom version 1.2 pkg:maven/commons-logging/commons-logging@1.2 https://ossindex.sonatype.org/component/pkg:maven/commons-logging/commons-logging@1.2 pkg:maven/commons-logging/commons-logging@1.2 https://ossindex.sonatype.org/component/pkg:maven/commons-logging/commons-logging@1.2 hibernate-core-4.2.6.Final.jar /var/lib/jenkins/workspace/test@2/target/devsecops/WEB-INF/lib/hibernate-core-4.2.6.Final.jar 243590d8645131cc10cb4025a04a3345 472211fa82a5fffb69f2aa22e7b5e62fe0b52154 
5cd0ac382b5f75fbc83b8d488dfff3e5c7b106b14edd56c96e244cf452cb1146 A module of the Hibernate Core project GNU Lesser General Public License: http://www.gnu.org/licenses/lgpl-2.1.html /var/lib/jenkins/workspace/test@2/target/devsecops.war/WEB-INF/lib/hibernate-core-4.2.6.Final.jar 5cd0ac382b5f75fbc83b8d488dfff3e5c7b106b14edd56c96e244cf452cb1146 472211fa82a5fffb69f2aa22e7b5e62fe0b52154 243590d8645131cc10cb4025a04a3345 Manifest implementation-url http://hibernate.org jar package name hibernate pom artifactid hibernate-core central groupid org.hibernate pom name A Hibernate Core Module file name hibernate-core jar package name hibernate Manifest Implementation-Vendor Hibernate.org pom url http://hibernate.org Manifest Implementation-Vendor-Id org.hibernate Manifest bundle-symbolicname org.hibernate.core pom organization name Hibernate.org pom groupid hibernate pom organization url http://hibernate.org Manifest implementation-url http://hibernate.org Manifest Bundle-Name hibernate-core jar package name hibernate pom organization url http://hibernate.org pom name A Hibernate Core Module pom groupid hibernate file name hibernate-core central artifactid hibernate-core pom artifactid hibernate-core Manifest bundle-symbolicname org.hibernate.core pom organization name Hibernate.org pom url http://hibernate.org central version 4.2.6.Final pom version 4.2.6.Final Manifest Bundle-Version 4.2.6.Final Manifest Implementation-Version 4.2.6.Final pkg:maven/org.hibernate/hibernate-core@4.2.6.Final https://ossindex.sonatype.org/component/pkg:maven/org.hibernate/hibernate-core@4.2.6.Final pkg:maven/org.hibernate/hibernate-core@4.2.6.Final https://ossindex.sonatype.org/component/pkg:maven/org.hibernate/hibernate-core@4.2.6.Final jstl-1.2.jar /var/lib/jenkins/workspace/test@2/target/devsecops/WEB-INF/lib/jstl-1.2.jar 51e15f798e69358cb893e38c50596b9b 74aca283cd4f4b4f3e425f5820cda58f44409547 c6273119354a41522877e663582041012b22f8204fe72bba337ed84c7e649b0a 
/var/lib/jenkins/workspace/test@2/target/devsecops.war/WEB-INF/lib/jstl-1.2.jar c6273119354a41522877e663582041012b22f8204fe72bba337ed84c7e649b0a 74aca283cd4f4b4f3e425f5820cda58f44409547 51e15f798e69358cb893e38c50596b9b pom groupid jstl Manifest extension-name javax.servlet.jsp.jstl pom groupid javax.servlet pom artifactid jstl central groupid jstl Manifest Implementation-Vendor Sun Microsystems, Inc. jar package name apache jar package name taglibs jar package name standard jar package name jstl central groupid javax.servlet jar package name servlet Manifest Implementation-Vendor-Id org.apache jar package name apache jar package name javax file name jstl Manifest specification-vendor Sun Microsystems, Inc. jar package name jsp Manifest extension-name javax.servlet.jsp.jstl jar package name taglibs Manifest specification-title JavaServer Pages(TM) Standard Tag Library jar package name standard jar package name jstl jar package name tag jar package name servlet jar package name javax central artifactid jstl pom groupid jstl pom groupid javax.servlet file name jstl jar package name standard pom artifactid jstl jar package name jsp Manifest Implementation-Version 1.2 file version 1.2 central version 1.2 pom version 1.2 pkg:maven/javax.servlet/jstl@1.2 https://ossindex.sonatype.org/component/pkg:maven/javax.servlet/jstl@1.2 pkg:maven/jstl/jstl@1.2 https://ossindex.sonatype.org/component/pkg:maven/jstl/jstl@1.2 pkg:maven/javax.servlet/jstl@1.2 https://ossindex.sonatype.org/component/pkg:maven/javax.servlet/jstl@1.2 pkg:maven/jstl/jstl@1.2 https://ossindex.sonatype.org/component/pkg:maven/jstl/jstl@1.2 CVE-2015-0254 HIGH 7.5 NETWORK LOW NONE PARTIAL PARTIAL PARTIAL HIGH NVD-CWE-Other Apache Standard Taglibs before 1.2.3 allows remote attackers to execute arbitrary code or conduct external XML entity (XXE) attacks via a crafted XSLT extension in a (1) <x:parse> or (2) <x:transform> JSTL XML tag. 
CWE-611: Improper Restriction of XML External Entity Reference ('XXE') (http://cwe.mitre.org/data/definitions/611.html) REDHAT http://rhn.redhat.com/errata/RHSA-2016-1838.html RHSA-2016:1838 REDHAT https://access.redhat.com/errata/RHSA-2016:1376 RHSA-2016:1376 CONFIRM http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html SECTRACK http://www.securitytracker.com/id/1034934 1034934 MLIST http://mail-archives.apache.org/mod_mbox/tomcat-taglibs-user/201502.mbox/%3C82207A16-6348-4DEE-877E-F7B87292576A%40apache.org%3E [tomcat-taglibs-user] 20150227 [SECURITY] CVE-2015-0254 XXE and RCE via XSL extension in JSTL XML tags BUGTRAQ http://www.securityfocus.com/archive/1/534772/100/0/threaded 20150227 [SECURITY] CVE-2015-0254 XXE and RCE via XSL extension in JSTL XML tags BID http://www.securityfocus.com/bid/72809 72809 REDHAT http://rhn.redhat.com/errata/RHSA-2015-1695.html RHSA-2015:1695 MLIST https://lists.apache.org/thread.html/8a20e48acb2a40be5130df91cf9d39d8ad93181989413d4abcaa4914@%3Cdev.tomcat.apache.org%3E [tomcat-dev] 20190319 svn commit: r1855831 [27/30] - in /tomcat/site/trunk: ./ docs/ xdocs/ MLIST https://lists.apache.org/thread.html/f8e0814e11c7f21f42224b6de111cb3f5e5ab5c15b78924c516d4ec2@%3Cdev.tomcat.apache.org%3E [tomcat-dev] 20190325 svn commit: r1856174 [26/29] - in /tomcat/site/trunk: docs/ xdocs/ xdocs/stylesheets/ REDHAT http://rhn.redhat.com/errata/RHSA-2016-1839.html RHSA-2016:1839 REDHAT http://rhn.redhat.com/errata/RHSA-2016-1840.html RHSA-2016:1840 UBUNTU http://www.ubuntu.com/usn/USN-2551-1 USN-2551-1 MISC http://packetstormsecurity.com/files/130575/Apache-Standard-Taglibs-1.2.1-XXE-Remote-Command-Execution.html http://packetstormsecurity.com/files/130575/Apache-Standard-Taglibs-1.2.1-XXE-Remote-Command-Execution.html OSSINDEX https://ossindex.sonatype.org/vuln/3e7cab6b-3859-45e0-877f-e8a5fa6f3f93 [CVE-2015-0254] Apache 
Standard Taglibs before 1.2.3 allows remote attackers to execute arbitrar... SUSE http://lists.opensuse.org/opensuse-updates/2015-10/msg00033.html openSUSE-SU-2015:1751 REDHAT http://rhn.redhat.com/errata/RHSA-2016-1841.html RHSA-2016:1841 cpe:2.3:a:apache:standard_taglibs:*:*:*:*:*:*:*:* spotbugs-annotations-3.1.12.jar /var/lib/jenkins/workspace/test@2/infrastructure/dependency-check/lib/spotbugs-annotations-3.1.12.jar 3e611c2dfc7976b3732891874d3acc3b ba2c77a05091820668987292f245f3b089387bfa b0954eeb5fbca69ab648dab24e812e24587ad67638a101d8fd16363431da7cb7 Annotations the SpotBugs tool supports GNU LESSER GENERAL PUBLIC LICENSE, Version 2.1: https://www.gnu.org/licenses/old-licenses/lgpl-2.1.en.html jar package name cs file name spotbugs-annotations central groupid com.github.spotbugs pom groupid github.spotbugs Manifest bundle-symbolicname spotbugs-annotations pom url https://spotbugs.github.io/ Manifest automatic-module-name com.github.spotbugs.annotations pom name SpotBugs Annotations jar package name edu pom artifactid spotbugs-annotations Manifest bundle-requiredexecutionenvironment J2SE-1.5 jar package name umd jar package name cs file name spotbugs-annotations jar package name findbugs pom artifactid spotbugs-annotations pom url https://spotbugs.github.io/ Manifest Bundle-Name spotbugs-annotations Manifest bundle-symbolicname spotbugs-annotations pom groupid github.spotbugs central artifactid spotbugs-annotations Manifest automatic-module-name com.github.spotbugs.annotations pom name SpotBugs Annotations Manifest bundle-requiredexecutionenvironment J2SE-1.5 jar package name umd pom version 3.1.12 Manifest Bundle-Version 3.1.12 file version 3.1.12 central version 3.1.12 pkg:maven/com.github.spotbugs/spotbugs-annotations@3.1.12 https://ossindex.sonatype.org/component/pkg:maven/com.github.spotbugs/spotbugs-annotations@3.1.12 pkg:maven/com.github.spotbugs/spotbugs-annotations@3.1.12 
https://ossindex.sonatype.org/component/pkg:maven/com.github.spotbugs/spotbugs-annotations@3.1.12 commons-cli-1.4.jar /var/lib/jenkins/workspace/test@2/infrastructure/dependency-check/lib/commons-cli-1.4.jar c966d7e03507c834d5b09b848560174e c51c00206bb913cd8612b24abd9fa98ae89719b1 fd3c7c9545a9cdb2051d1f9155c4f76b1e4ac5a57304404a6eedb578ffba7328 Apache Commons CLI provides a simple API for presenting, processing and validating a command line interface. https://www.apache.org/licenses/LICENSE-2.0.txt pom parent-artifactid commons-parent jar package name cli Manifest bundle-docurl http://commons.apache.org/proper/commons-cli/ pom groupid commons-cli pom name Apache Commons CLI pom parent-groupid org.apache.commons pom artifactid commons-cli jar package name apache Manifest Implementation-Vendor-Id org.apache file name commons-cli Manifest bundle-symbolicname org.apache.commons.cli Manifest specification-vendor The Apache Software Foundation jar package name commons Manifest implementation-url http://commons.apache.org/proper/commons-cli/ pom url http://commons.apache.org/proper/commons-cli/ Manifest require-capability osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.5))" Manifest implementation-build tags/cli-1.4-RC1@r1786159; 2017-03-09 13:01:35+0000 Manifest Implementation-Vendor The Apache Software Foundation pom parent-artifactid commons-parent Manifest Implementation-Title Apache Commons CLI pom url http://commons.apache.org/proper/commons-cli/ pom artifactid commons-cli Manifest Bundle-Name Apache Commons CLI jar package name cli Manifest bundle-docurl http://commons.apache.org/proper/commons-cli/ pom name Apache Commons CLI Manifest specification-title Apache Commons CLI jar package name apache file name commons-cli Manifest bundle-symbolicname org.apache.commons.cli jar package name commons Manifest implementation-url http://commons.apache.org/proper/commons-cli/ pom parent-groupid org.apache.commons pom groupid commons-cli Manifest require-capability 
osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.5))" Manifest implementation-build tags/cli-1.4-RC1@r1786159; 2017-03-09 13:01:35+0000 Manifest Implementation-Version 1.4 pom version 1.4 file version 1.4 pom parent-version 1.4 pkg:maven/commons-cli/commons-cli@1.4 https://ossindex.sonatype.org/component/pkg:maven/commons-cli/commons-cli@1.4 pkg:maven/commons-cli/commons-cli@1.4 https://ossindex.sonatype.org/component/pkg:maven/commons-cli/commons-cli@1.4 dom4j-2.1.0.jar /var/lib/jenkins/workspace/test@2/infrastructure/findsecbugs/archive/lib/dom4j-2.1.0.jar dcd0b683599cb29fd0a684d54c38e71d 6ad46940de4d721df3d6bbcd2977149742095445 95b11e251e4f0fdcc5d1b3b984d30452260f65d1b382c7aea1448d2b83e8c222 flexible XML framework for Java BSD 3-clause New License: https://github.com/dom4j/dom4j/blob/master/LICENSE /var/lib/jenkins/workspace/test@2/infrastructure/findsecbugs/lib/dom4j-2.1.0.jar 95b11e251e4f0fdcc5d1b3b984d30452260f65d1b382c7aea1448d2b83e8c222 6ad46940de4d721df3d6bbcd2977149742095445 dcd0b683599cb29fd0a684d54c38e71d pom groupid dom4j pom artifactid dom4j pom url http://dom4j.github.io/ file name dom4j jar package name dom4j pom name dom4j central groupid org.dom4j pom url http://dom4j.github.io/ pom artifactid dom4j file name dom4j pom name dom4j central artifactid dom4j pom groupid dom4j pom version 2.1.0 file version 2.1.0 central version 2.1.0 pkg:maven/org.dom4j/dom4j@2.1.0 https://ossindex.sonatype.org/component/pkg:maven/org.dom4j/dom4j@2.1.0 pkg:maven/org.dom4j/dom4j@2.1.0 https://ossindex.sonatype.org/component/pkg:maven/org.dom4j/dom4j@2.1.0 CVE-2018-1000632 HIGH 6.4 NETWORK LOW NONE NONE NONE PARTIAL MEDIUM 7.5 NETWORK LOW NONE NONE UNCHANGED NONE HIGH NONE HIGH CWE-91 dom4j version prior to version 2.1.1 contains a CWE-91: XML Injection vulnerability in Class: Element. Methods: addElement, addAttribute that can result in an attacker tampering with XML documents through XML injection. 
This attack appears to be exploitable by an attacker who can supply the attribute or element names used in the XML document. This vulnerability appears to have been fixed in 2.1.1 or later. MLIST https://lists.apache.org/thread.html/9d4c1af6f702c3d6d6f229de57112ddccac8ce44446a01b7937ab9e0@%3Ccommits.maven.apache.org%3E [maven-commits] 20190604 [maven-archetype] branch master updated: ARCHETYPE-567: switch to dom4j 2.1.1 (and Java 8) dom4j 2.1.1 requires Java 8 dom4j 2.0.2 would retain Java 7 but is vulnerable to CVE-2018-1000632 dom4j 2.0.3 fixes CVE-2018-1000632 but has been pending for ~1 year CONFIRM https://security.netapp.com/advisory/ntap-20190530-0001/ https://security.netapp.com/advisory/ntap-20190530-0001/ REDHAT https://access.redhat.com/errata/RHSA-2019:1161 RHSA-2019:1161 MLIST https://lists.apache.org/thread.html/5a020ecaa3c701f408f612f7ba2ee37a021644c4a39da2079ed3ddbc@%3Ccommits.maven.apache.org%3E [maven-commits] 20190531 [maven-archetype] 01/01: ARCHETYPE-567: switch to dom4j 2.1.1 (and Java 8) dom4j 2.1.1 requires Java 8 dom4j 2.0.2 would retain Java 7 but is vulnerable to CVE-2018-1000632 dom4j 2.0.3 fixes CVE-2018-1000632 but has been pending for ~1 year REDHAT https://access.redhat.com/errata/RHSA-2019:0380 RHSA-2019:0380 REDHAT https://access.redhat.com/errata/RHSA-2019:1159 RHSA-2019:1159 REDHAT https://access.redhat.com/errata/RHSA-2019:1162 RHSA-2019:1162 REDHAT https://access.redhat.com/errata/RHSA-2019:0365 RHSA-2019:0365 MISC https://ihacktoprotect.com/post/dom4j-xml-injection/ https://ihacktoprotect.com/post/dom4j-xml-injection/ REDHAT https://access.redhat.com/errata/RHSA-2019:0364 RHSA-2019:0364 MLIST https://lists.debian.org/debian-lts-announce/2018/09/msg00028.html [debian-lts-announce] 20180924 [SECURITY] [DLA 1517-1] dom4j security update REDHAT https://access.redhat.com/errata/RHSA-2019:1160 RHSA-2019:1160 OSSINDEX https://ossindex.sonatype.org/vuln/09883ba9-5094-49df-bd4a-1eaf1d6ba07b [CVE-2018-1000632] XML Injection (aka Blind XPath Injection) 
CONFIRM https://github.com/dom4j/dom4j/issues/48 https://github.com/dom4j/dom4j/issues/48 MLIST https://lists.apache.org/thread.html/00571f362a7a2470fba50a31282c65637c40d2e21ebe6ee535a4ed74@%3Ccommits.maven.apache.org%3E [maven-commits] 20190601 [maven-archetype] 01/01: ARCHETYPE-567: switch to dom4j 2.1.1 (and Java 8) dom4j 2.1.1 requires Java 8 dom4j 2.0.2 would retain Java 7 but is vulnerable to CVE-2018-1000632 dom4j 2.0.3 fixes CVE-2018-1000632 but has been pending for ~1 year MLIST https://lists.apache.org/thread.html/4a77652531d62299a30815cf5f233af183425db8e3c9a824a814e768@%3Cdev.maven.apache.org%3E [maven-dev] 20190531 Re: proposal for maven-archetype to switch to dom4j 2.1.1 (and Java 8) MLIST https://lists.apache.org/thread.html/7f6e120e6ed473f4e00dde4c398fc6698eb383bd7857d20513e989ce@%3Cdev.maven.apache.org%3E [maven-dev] 20190531 proposal for maven-archetype to switch to dom4j 2.1.1 (and Java 8) REDHAT https://access.redhat.com/errata/RHSA-2019:0362 RHSA-2019:0362 MLIST https://lists.apache.org/thread.html/d7d960b2778e35ec9b4d40c8efd468c7ce7163bcf6489b633491c89f@%3Cdev.maven.apache.org%3E [maven-dev] 20190603 Re: proposal for maven-archetype to switch to dom4j 2.1.1 (and Java 8) MLIST https://lists.apache.org/thread.html/7e9e78f0e4288fac6591992836d2a80d4df19161e54bd71ab4b8e458@%3Cdev.maven.apache.org%3E [maven-dev] 20190610 Re: proposal for maven-archetype to switch to dom4j 2.1.1 (and Java 8) CONFIRM https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html CONFIRM https://github.com/dom4j/dom4j/commit/e598eb43d418744c4dbf62f647dd2381c9ce9387 https://github.com/dom4j/dom4j/commit/e598eb43d418744c4dbf62f647dd2381c9ce9387 cpe:2.3:a:dom4j_project:dom4j:*:*:*:*:*:*:*:* cpe:2.3:a:oracle:flexcube_investor_servicing:12.1.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:flexcube_investor_servicing:14.0.0:*:*:*:*:*:*:* 
cpe:2.3:a:oracle:flexcube_investor_servicing:12.3.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:flexcube_investor_servicing:12.4.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:flexcube_investor_servicing:12.0.4:*:*:*:*:*:*:* logback-core-1.2.3.jar /var/lib/jenkins/workspace/test@2/infrastructure/dependency-check/lib/logback-core-1.2.3.jar 841fc80c6edff60d947a3872a2db4d45 864344400c3d4d92dfeb0a305dc87d953677c03c 5946d837fe6f960c02a53eda7a6926ecc3c758bbdd69aa453ee429f858217f22 logback-core module http://www.eclipse.org/legal/epl-v10.html, http://www.gnu.org/licenses/old-licenses/lgpl-2.1.html /var/lib/jenkins/workspace/test@2/infrastructure/dependency-check/lib/logback-classic-1.2.3.jar 5946d837fe6f960c02a53eda7a6926ecc3c758bbdd69aa453ee429f858217f22 7c4f3c474fb2c041d8028740440937705ebb473a 64f7a68f931aed8e5ad8243470440f0b pkg:maven/ch.qos.logback/logback-classic@1.2.3 https://ossindex.sonatype.org/component/pkg:maven/ch.qos.logback/logback-classic@1.2.3 Manifest bundle-docurl http://www.qos.ch pom parent-artifactid logback-parent Manifest require-capability osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.6))" pom groupid ch.qos.logback Manifest bundle-symbolicname ch.qos.logback.core file name logback-core pom name Logback Core Module jar package name core jar package name ch jar package name qos jar package name logback Manifest originally-created-by Apache Maven Bundle Plugin Manifest bundle-requiredexecutionenvironment JavaSE-1.6 pom artifactid logback-core Manifest bundle-docurl http://www.qos.ch pom parent-artifactid logback-parent Manifest require-capability osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.6))" Manifest Bundle-Name Logback Core Module Manifest bundle-symbolicname ch.qos.logback.core file name logback-core pom name Logback Core Module jar package name core jar package name ch jar package name qos pom artifactid logback-core jar package name logback Manifest originally-created-by Apache Maven Bundle Plugin pom groupid ch.qos.logback Manifest bundle-requiredexecutionenvironment 
JavaSE-1.6 Manifest Bundle-Version 1.2.3 pom version 1.2.3 file version 1.2.3 pkg:maven/ch.qos.logback/logback-core@1.2.3 https://ossindex.sonatype.org/component/pkg:maven/ch.qos.logback/logback-core@1.2.3 pkg:maven/ch.qos.logback/logback-core@1.2.3 https://ossindex.sonatype.org/component/pkg:maven/ch.qos.logback/logback-core@1.2.3 commons-fileupload-1.2.2.jar /var/lib/jenkins/workspace/test@2/target/devsecops/WEB-INF/lib/commons-fileupload-1.2.2.jar a0ad9550a7062ddb6528d8725c8230dd 1e48256a2341047e7d729217adeec8217f6e3a1a 939e5d9a239407f57237b2fb2ad02cefca782905b2ac32f83826a7c4ad083667 The FileUpload component provides a simple yet flexible means of adding support for multipart file upload functionality to servlets and web applications. http://www.apache.org/licenses/LICENSE-2.0.txt /var/lib/jenkins/workspace/test@2/target/devsecops.war/WEB-INF/lib/commons-fileupload-1.2.2.jar 939e5d9a239407f57237b2fb2ad02cefca782905b2ac32f83826a7c4ad083667 1e48256a2341047e7d729217adeec8217f6e3a1a a0ad9550a7062ddb6528d8725c8230dd Manifest bundle-symbolicname org.apache.commons.fileupload pom parent-artifactid commons-parent file name commons-fileupload pom name Commons FileUpload pom parent-groupid org.apache.commons jar package name apache Manifest Implementation-Vendor-Id org.apache pom groupid commons-fileupload jar package name fileupload Manifest bundle-docurl http://commons.apache.org/fileupload/ Manifest specification-vendor The Apache Software Foundation jar package name commons pom artifactid commons-fileupload pom url http://commons.apache.org/fileupload/ Manifest Implementation-Vendor The Apache Software Foundation pom parent-artifactid commons-parent Manifest bundle-symbolicname org.apache.commons.fileupload pom groupid commons-fileupload pom url http://commons.apache.org/fileupload/ file name commons-fileupload Manifest specification-title Commons FileUpload pom name Commons FileUpload pom artifactid commons-fileupload jar package name apache jar package name 
fileupload Manifest bundle-docurl http://commons.apache.org/fileupload/ jar package name commons pom parent-groupid org.apache.commons Manifest Implementation-Title Commons FileUpload Manifest Bundle-Name Commons FileUpload pom version 1.2.2 file version 1.2.2 Manifest Implementation-Version 1.2.2 Manifest Bundle-Version 1.2.2 pom parent-version 1.2.2 pkg:maven/commons-fileupload/commons-fileupload@1.2.2 https://ossindex.sonatype.org/component/pkg:maven/commons-fileupload/commons-fileupload@1.2.2 pkg:maven/commons-fileupload/commons-fileupload@1.2.2 https://ossindex.sonatype.org/component/pkg:maven/commons-fileupload/commons-fileupload@1.2.2 Arbitrary file upload via deserialization (CVE-2013-2186; OSS Index advisory, score reported as 0.0 — a missing score from the feed, not an assessment of no impact): The DiskFileItem class in Apache Commons FileUpload, as used in Red Hat JBoss BRMS 5.3.1; JBoss Portal 4.3 CP07, 5.2.2, and 6.0.0; and Red Hat JBoss Web Server 1.0.2 allows remote attackers to write to arbitrary files via a NULL byte in a file name in a serialized instance. Source: redhat.com, https://access.redhat.com/security/cve/CVE-2013-2186 OSSINDEX https://ossindex.sonatype.org/vuln/fb810cbf-d8fb-4f30-b79b-82652ae7192a Arbitrary file upload via deserialization cpe:2.3:a:commons-fileupload:commons-fileupload:1.2.2:*:*:*:*:*:*:* CVE-2013-0248 LOW 3.3 LOCAL MEDIUM NONE NONE NONE PARTIAL LOW CWE-264 The default configuration of javax.servlet.context.tempdir in Apache Commons FileUpload 1.0 through 1.2.2 uses the /tmp directory for uploaded files, which allows local users to overwrite arbitrary files via an unspecified symlink attack. 
HP http://marc.info/?l=bugtraq&m=144050155601375&w=2 HPSBMU03409 OSVDB http://www.osvdb.org/90906 90906 OSSINDEX https://ossindex.sonatype.org/vuln/88c767c5-36d0-4f1f-afe8-4a595454c436 [CVE-2013-0248] Permissions, Privileges, and Access Controls BUGTRAQ http://archives.neohapsis.com/archives/bugtraq/2013-03/0035.html 20130306 [SECURITY] CVE-2013-0248 Apache Commons FileUpload - Insecure examples CONFIRM http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html BID http://www.securityfocus.com/bid/58326 58326 cpe:2.3:a:apache:commons_fileupload:1.0:*:*:*:*:*:*:* cpe:2.3:a:apache:commons_fileupload:1.2.2:*:*:*:*:*:*:* cpe:2.3:a:apache:commons_fileupload:1.1.1:*:*:*:*:*:*:* cpe:2.3:a:apache:commons_fileupload:1.2.1:*:*:*:*:*:*:* cpe:2.3:a:apache:commons_fileupload:1.2:*:*:*:*:*:*:* cpe:2.3:a:apache:commons_fileupload:1.1:*:*:*:*:*:*:* CVE-2014-0050 HIGH 7.5 NETWORK LOW NONE PARTIAL PARTIAL PARTIAL HIGH CWE-264 MultipartStream.java in Apache Commons FileUpload before 1.3.1, as used in Apache Tomcat, JBoss Web, and other products, allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via a crafted Content-Type header that bypasses a loop's intended exit conditions. The previous CVSS assessment (Base Score: 5.0 - AV:N/AC:L/AU:N/C:N/I:N/A:P) was provided at the time of initial analysis based on the best available published information at that time. The score has been updated to reflect the impact to Oracle products per the Oracle Critical Patch Update Advisory - October 2015 (http://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html). Other products listed as vulnerable may or may not be similarly impacted. 
REDHAT http://rhn.redhat.com/errata/RHSA-2014-0252.html RHSA-2014:0252 CONFIRM https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05376917 https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05376917 FULLDISC http://seclists.org/fulldisclosure/2014/Dec/23 20141205 NEW: VMSA-2014-0012 - VMware vSphere product updates address security vulnerabilities SECUNIA http://secunia.com/advisories/59500 59500 SECUNIA http://secunia.com/advisories/58075 58075 CONFIRM https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05324755 https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05324755 JVN http://jvn.jp/en/jp/JVN14876762/index.html JVN#14876762 CONFIRM https://bugzilla.redhat.com/show_bug.cgi?id=1062337 https://bugzilla.redhat.com/show_bug.cgi?id=1062337 SECUNIA http://secunia.com/advisories/59232 59232 CONFIRM http://tomcat.apache.org/security-7.html http://tomcat.apache.org/security-7.html CONFIRM http://www-01.ibm.com/support/docview.wss?uid=swg21677724 http://www-01.ibm.com/support/docview.wss?uid=swg21677724 SECUNIA http://secunia.com/advisories/59399 59399 CONFIRM http://www.vmware.com/security/advisories/VMSA-2014-0007.html http://www.vmware.com/security/advisories/VMSA-2014-0007.html CONFIRM http://www.hitachi.co.jp/Prod/comp/soft1/global/security/info/vuls/HS14-017/index.html http://www.hitachi.co.jp/Prod/comp/soft1/global/security/info/vuls/HS14-017/index.html CONFIRM http://www-01.ibm.com/support/docview.wss?uid=swg21676092 http://www-01.ibm.com/support/docview.wss?uid=swg21676092 SECUNIA http://secunia.com/advisories/59185 59185 SECUNIA http://secunia.com/advisories/59187 59187 DEBIAN http://www.debian.org/security/2014/dsa-2856 DSA-2856 UBUNTU http://www.ubuntu.com/usn/USN-2130-1 USN-2130-1 MISC http://packetstormsecurity.com/files/127215/VMware-Security-Advisory-2014-0007.html 
http://packetstormsecurity.com/files/127215/VMware-Security-Advisory-2014-0007.html CONFIRM http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html CONFIRM http://www-01.ibm.com/support/docview.wss?uid=swg21669554 http://www-01.ibm.com/support/docview.wss?uid=swg21669554 MISC http://blog.spiderlabs.com/2014/02/cve-2014-0050-exploit-with-boundaries-loops-without-boundaries.html http://blog.spiderlabs.com/2014/02/cve-2014-0050-exploit-with-boundaries-loops-without-boundaries.html SECUNIA http://secunia.com/advisories/59183 59183 CONFIRM http://www-01.ibm.com/support/docview.wss?uid=swg21676853 http://www-01.ibm.com/support/docview.wss?uid=swg21676853 CONFIRM http://www.oracle.com/technetwork/topics/security/cpuapr2015-2365600.html http://www.oracle.com/technetwork/topics/security/cpuapr2015-2365600.html HP http://marc.info/?l=bugtraq&m=143136844732487&w=2 HPSBGN03329 SECUNIA http://secunia.com/advisories/59039 59039 CONFIRM https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05390722 https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05390722 CONFIRM http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html CONFIRM http://www.hitachi.co.jp/Prod/comp/soft1/global/security/info/vuls/HS14-015/index.html http://www.hitachi.co.jp/Prod/comp/soft1/global/security/info/vuls/HS14-015/index.html BID http://www.securityfocus.com/bid/65400 65400 CONFIRM http://www-01.ibm.com/support/docview.wss?uid=swg21681214 http://www-01.ibm.com/support/docview.wss?uid=swg21681214 CONFIRM http://www.vmware.com/security/advisories/VMSA-2014-0012.html http://www.vmware.com/security/advisories/VMSA-2014-0012.html CONFIRM http://www-01.ibm.com/support/docview.wss?uid=swg21676410 http://www-01.ibm.com/support/docview.wss?uid=swg21676410 SECUNIA 
http://secunia.com/advisories/60475 60475 REDHAT http://rhn.redhat.com/errata/RHSA-2014-0253.html RHSA-2014:0253 MLIST http://mail-archives.apache.org/mod_mbox/commons-dev/201402.mbox/%3C52F373FC.9030907@apache.org%3E [commons-dev] 20140206 [SECURITY] CVE-2014-0050 Apache Commons FileUpload and Apache Tomcat DoS CONFIRM http://www.oracle.com/technetwork/topics/security/cpujul2014-1972956.html http://www.oracle.com/technetwork/topics/security/cpujul2014-1972956.html REDHAT http://rhn.redhat.com/errata/RHSA-2014-0400.html RHSA-2014:0400 CONFIRM http://www.vmware.com/security/advisories/VMSA-2014-0008.html http://www.vmware.com/security/advisories/VMSA-2014-0008.html CONFIRM http://tomcat.apache.org/security-8.html http://tomcat.apache.org/security-8.html SECUNIA http://secunia.com/advisories/58976 58976 CONFIRM http://www.hitachi.co.jp/Prod/comp/soft1/global/security/info/vuls/HS14-016/index.html http://www.hitachi.co.jp/Prod/comp/soft1/global/security/info/vuls/HS14-016/index.html MANDRIVA http://www.mandriva.com/security/advisories?name=MDVSA-2015:084 MDVSA-2015:084 CONFIRM http://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html http://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html SECUNIA http://secunia.com/advisories/59184 59184 SECUNIA http://secunia.com/advisories/59041 59041 SECUNIA http://secunia.com/advisories/57915 57915 CONFIRM http://advisories.mageia.org/MGASA-2014-0110.html http://advisories.mageia.org/MGASA-2014-0110.html CONFIRM http://www-01.ibm.com/support/docview.wss?uid=swg21676405 http://www-01.ibm.com/support/docview.wss?uid=swg21676405 JVNDB http://jvndb.jvn.jp/jvndb/JVNDB-2014-000017 JVNDB-2014-000017 SECUNIA http://secunia.com/advisories/59492 59492 OSSINDEX https://ossindex.sonatype.org/vuln/43e6c5a5-b586-4b31-9244-b62b6e36f2d0 [CVE-2014-0050] Permissions, Privileges, and Access Controls CONFIRM http://www-01.ibm.com/support/docview.wss?uid=swg21675432 
http://www-01.ibm.com/support/docview.wss?uid=swg21675432 BUGTRAQ http://www.securityfocus.com/archive/1/532549/100/0/threaded 20140625 NEW VMSA-2014-0007 - VMware product updates address security vulnerabilities in Apache Struts library CONFIRM http://www.oracle.com/technetwork/topics/security/cpuoct2014-1972960.html http://www.oracle.com/technetwork/topics/security/cpuoct2014-1972960.html BUGTRAQ http://www.securityfocus.com/archive/1/534161/100/0/threaded 20141205 NEW: VMSA-2014-0012 - VMware vSphere product updates address security vulnerabilities CONFIRM http://www-01.ibm.com/support/docview.wss?uid=swg21677691 http://www-01.ibm.com/support/docview.wss?uid=swg21677691 CONFIRM http://www-01.ibm.com/support/docview.wss?uid=swg21676401 http://www-01.ibm.com/support/docview.wss?uid=swg21676401 SECUNIA http://secunia.com/advisories/60753 60753 CONFIRM http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html CONFIRM http://svn.apache.org/r1565143 http://svn.apache.org/r1565143 SECUNIA http://secunia.com/advisories/59725 59725 CONFIRM http://www-01.ibm.com/support/docview.wss?uid=swg21676656 http://www-01.ibm.com/support/docview.wss?uid=swg21676656 CONFIRM http://www.huawei.com/en/security/psirt/security-bulletins/security-advisories/hw-350733.htm http://www.huawei.com/en/security/psirt/security-bulletins/security-advisories/hw-350733.htm CONFIRM http://www-01.ibm.com/support/docview.wss?uid=swg21676091 http://www-01.ibm.com/support/docview.wss?uid=swg21676091 CONFIRM http://www-01.ibm.com/support/docview.wss?uid=swg21676403 http://www-01.ibm.com/support/docview.wss?uid=swg21676403 CONFIRM http://www.oracle.com/technetwork/topics/security/cpujan2016-2367955.html http://www.oracle.com/technetwork/topics/security/cpujan2016-2367955.html cpe:2.3:a:apache:tomcat:7.0.36:*:*:*:*:*:*:* cpe:2.3:a:oracle:retail_applications:13.0:*:*:*:*:*:*:* 
cpe:2.3:a:apache:tomcat:7.0.33:*:*:*:*:*:*:* cpe:2.3:a:apache:commons_fileupload:1.2.1:*:*:*:*:*:*:* cpe:2.3:a:oracle:retail_applications:13.3:*:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:7.0.30:*:*:*:*:*:*:* cpe:2.3:a:apache:commons_fileupload:1.2:*:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:7.0.22:*:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:7.0.5:*:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:7.0.25:*:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:7.0.2:*:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:7.0.44:*:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:7.0.16:*:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:7.0.28:*:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:7.0.8:*:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:7.0.14:*:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:7.0.50:*:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:7.0.2:beta:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:7.0.45:*:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:7.0.27:*:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:7.0.39:*:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:7.0.7:*:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:7.0.24:*:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:7.0.4:beta:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:7.0.17:*:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:7.0.21:*:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:8.0.0:rc1:*:*:*:*:*:* cpe:2.3:a:apache:commons_fileupload:*:*:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:7.0.31:*:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:7.0.19:*:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:7.0.23:*:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:7.0.47:*:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:7.0.49:*:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:7.0.18:*:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:7.0.48:*:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:7.0.12:*:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:7.0.40:*:*:*:*:*:*:* cpe:2.3:a:oracle:retail_applications:14.0:*:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:7.0.15:*:*:*:*:*:*:* cpe:2.3:a:oracle:retail_applications:12.0:*:*:*:*:*:*:* cpe:2.3:a:apache:commons_fileupload:1.1.1:*:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:7.0.9:*:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:7.0.29:*:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:7.0.46:*:*:*:*:*:*:* 
cpe:2.3:a:apache:tomcat:7.0.43:*:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:8.0.0:rc2:*:*:*:*:*:* cpe:2.3:a:oracle:retail_applications:13.4:*:*:*:*:*:*:* cpe:2.3:a:apache:commons_fileupload:1.2.2:*:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:7.0.20:*:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:7.0.0:*:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:7.0.32:*:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:7.0.6:*:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:7.0.26:*:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:8.0.0:rc5:*:*:*:*:*:* cpe:2.3:a:apache:commons_fileupload:1.1:*:*:*:*:*:*:* cpe:2.3:a:apache:commons_fileupload:1.0:*:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:7.0.4:*:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:7.0.1:*:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:7.0.34:*:*:*:*:*:*:* cpe:2.3:a:oracle:retail_applications:13.2:*:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:7.0.38:*:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:7.0.10:*:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:7.0.37:*:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:7.0.13:*:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:7.0.0:beta:*:*:*:*:*:* cpe:2.3:a:oracle:retail_applications:12.0in:*:*:*:*:*:*:* cpe:2.3:a:oracle:retail_applications:13.1:*:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:7.0.41:*:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:7.0.3:*:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:8.0.0:rc10:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:8.0.1:*:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:7.0.35:*:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:7.0.42:*:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:7.0.11:*:*:*:*:*:*:* CVE-2016-1000031 CRITICAL 7.5 NETWORK LOW NONE PARTIAL PARTIAL PARTIAL HIGH 9.8 NETWORK LOW NONE NONE UNCHANGED HIGH HIGH HIGH CRITICAL CWE-284 Apache Commons FileUpload before 1.3.3 DiskFileItem File Manipulation Remote Code Execution Per Apache: "Having reviewed your report we have concluded that it does not represent a valid vulnerability in Apache Commons File Upload. 
If an application deserializes data from an untrusted source without filtering and/or validation that is an application vulnerability not a vulnerability in the library a potential attacker might leverage." CONFIRM https://security.netapp.com/advisory/ntap-20190212-0001/ https://security.netapp.com/advisory/ntap-20190212-0001/ SUSE http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00036.html openSUSE-SU-2019:1399 MLIST https://lists.apache.org/thread.html/d66657323fd25e437face5e84899c8ca404ccd187e81c3f2fa8b6080@%3Cannounce.apache.org%3E [announce] 20181105 [SECURITY] Immediately upgrade commons-fileupload to version 1.3.3 when running Struts 2.3.36 or prior BID http://www.securityfocus.com/bid/93604 93604 MISC https://www.tenable.com/security/research/tra-2016-30 https://www.tenable.com/security/research/tra-2016-30 CONFIRM https://issues.apache.org/jira/browse/FILEUPLOAD-279 https://issues.apache.org/jira/browse/FILEUPLOAD-279 CONFIRM https://issues.apache.org/jira/browse/WW-4812 https://issues.apache.org/jira/browse/WW-4812 MISC https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html MISC https://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html https://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html MISC https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html OSSINDEX https://ossindex.sonatype.org/vuln/3d5968a4-4e14-4a98-8816-a4e847bc1426 [CVE-2016-1000031] Improper Access Control CONFIRM http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html CONFIRM https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html MISC 
https://www.tenable.com/security/research/tra-2016-12 https://www.tenable.com/security/research/tra-2016-12 MISC https://www.tenable.com/security/research/tra-2016-23 https://www.tenable.com/security/research/tra-2016-23 MISC http://www.zerodayinitiative.com/advisories/ZDI-16-570/ http://www.zerodayinitiative.com/advisories/ZDI-16-570/ cpe:2.3:a:apache:commons_fileupload:*:*:*:*:*:*:*:* CVE-2016-3092 HIGH 7.8 NETWORK LOW NONE NONE NONE COMPLETE HIGH 7.5 NETWORK LOW NONE NONE UNCHANGED NONE NONE HIGH HIGH CWE-20 The MultipartStream class in Apache Commons Fileupload before 1.3.2, as used in Apache Tomcat 7.x before 7.0.70, 8.x before 8.0.36, 8.5.x before 8.5.3, and 9.x before 9.0.0.M7 and other products, allows remote attackers to cause a denial of service (CPU consumption) via a long boundary string. DEBIAN http://www.debian.org/security/2016/dsa-3609 DSA-3609 UBUNTU http://www.ubuntu.com/usn/USN-3027-1 USN-3027-1 CONFIRM https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05289840 https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05289840 JVN http://jvn.jp/en/jp/JVN89379547/index.html JVN#89379547 REDHAT http://rhn.redhat.com/errata/RHSA-2016-2071.html RHSA-2016:2071 REDHAT https://access.redhat.com/errata/RHSA-2017:0456 RHSA-2017:0456 CONFIRM http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html CONFIRM https://security.netapp.com/advisory/ntap-20190212-0001/ https://security.netapp.com/advisory/ntap-20190212-0001/ REDHAT http://rhn.redhat.com/errata/RHSA-2016-2068.html RHSA-2016:2068 CONFIRM https://bugzilla.redhat.com/show_bug.cgi?id=1349468 https://bugzilla.redhat.com/show_bug.cgi?id=1349468 CONFIRM http://svn.apache.org/viewvc?view=revision&revision=1743738 http://svn.apache.org/viewvc?view=revision&revision=1743738 CONFIRM http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html 
http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html CONFIRM http://svn.apache.org/viewvc?view=revision&revision=1743480 http://svn.apache.org/viewvc?view=revision&revision=1743480 UBUNTU http://www.ubuntu.com/usn/USN-3024-1 USN-3024-1 CONFIRM http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html MLIST https://lists.apache.org/thread.html/343558d982879bf88ec20dbf707f8c11255f8e219e81d45c4f8d0551@%3Cdev.tomcat.apache.org%3E [tomcat-dev] 20190319 svn commit: r1855831 [25/30] - in /tomcat/site/trunk: ./ docs/ xdocs/ REDHAT http://rhn.redhat.com/errata/RHSA-2016-2808.html RHSA-2016:2808 REDHAT https://access.redhat.com/errata/RHSA-2017:0455 RHSA-2017:0455 MLIST http://mail-archives.apache.org/mod_mbox/commons-dev/201606.mbox/%3CCAF8HOZ%2BPq2QH8RnxBuJyoK1dOz6jrTiQypAC%2BH8g6oZkBg%2BCxg%40mail.gmail.com%3E [dev] 20160621 CVE-2016-3092: Apache Commons Fileupload information disclosure vulnerability SECTRACK http://www.securitytracker.com/id/1036427 1036427 REDHAT http://rhn.redhat.com/errata/RHSA-2017-0457.html RHSA-2017:0457 CONFIRM http://www.oracle.com/technetwork/topics/security/bulletinjul2016-3090568.html http://www.oracle.com/technetwork/topics/security/bulletinjul2016-3090568.html GENTOO https://security.gentoo.org/glsa/201705-09 GLSA-201705-09 REDHAT http://rhn.redhat.com/errata/RHSA-2016-2070.html RHSA-2016:2070 SECTRACK http://www.securitytracker.com/id/1037029 1037029 MISC https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html CONFIRM http://tomcat.apache.org/security-7.html http://tomcat.apache.org/security-7.html DEBIAN http://www.debian.org/security/2016/dsa-3614 DSA-3614 CONFIRM http://tomcat.apache.org/security-8.html http://tomcat.apache.org/security-8.html CONFIRM 
https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05204371 https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05204371 CONFIRM http://tomcat.apache.org/security-9.html http://tomcat.apache.org/security-9.html CONFIRM https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05324759 https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05324759 REDHAT http://rhn.redhat.com/errata/RHSA-2016-2069.html RHSA-2016:2069 SUSE http://lists.opensuse.org/opensuse-updates/2016-09/msg00025.html openSUSE-SU-2016:2252 BID http://www.securityfocus.com/bid/91453 91453 SECTRACK http://www.securitytracker.com/id/1036900 1036900 CONFIRM http://svn.apache.org/viewvc?view=revision&revision=1743722 http://svn.apache.org/viewvc?view=revision&revision=1743722 JVNDB http://jvndb.jvn.jp/jvndb/JVNDB-2016-000121 JVNDB-2016-000121 CONFIRM http://svn.apache.org/viewvc?view=revision&revision=1743742 http://svn.apache.org/viewvc?view=revision&revision=1743742 DEBIAN http://www.debian.org/security/2016/dsa-3611 DSA-3611 MLIST https://lists.apache.org/thread.html/388a323769f1dff84c9ec905455aa73fbcb20338e3c7eb131457f708@%3Cdev.tomcat.apache.org%3E [tomcat-dev] 20190325 svn commit: r1856174 [22/29] - in /tomcat/site/trunk: docs/ xdocs/ xdocs/stylesheets/ REDHAT http://rhn.redhat.com/errata/RHSA-2016-2072.html RHSA-2016:2072 SECTRACK http://www.securitytracker.com/id/1039606 1039606 REDHAT http://rhn.redhat.com/errata/RHSA-2016-2807.html RHSA-2016:2807 CONFIRM http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html OSSINDEX https://ossindex.sonatype.org/vuln/39d74cc8-457a-4e57-89ef-a258420138c5 [CVE-2016-3092] Improper Input Validation REDHAT http://rhn.redhat.com/errata/RHSA-2016-2599.html RHSA-2016:2599 cpe:2.3:a:apache:tomcat:7.0.64:*:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:7.0.33:*:*:*:*:*:*:* 
cpe:2.3:a:apache:tomcat:7.0.67:*:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:7.0.30:*:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:7.0.22:*:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:8.0.18:*:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:8.5.2:*:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:8.0.35:*:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:7.0.5:*:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:7.0.25:*:*:*:*:*:*:* cpe:2.3:a:hp:icewall_sso_agent_option:10.0:*:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:8.0.32:*:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:7.0.2:*:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:7.0.61:*:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:7.0.16:*:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:7.0.56:*:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:7.0.28:*:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:8.0.12:*:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:7.0.8:*:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:8.0.24:*:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:7.0.14:*:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:7.0.50:*:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:7.0.2:beta:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:7.0.27:*:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:7.0.39:*:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:7.0.4:beta:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:7.0.21:*:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:8.0.0:rc1:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:8.0.20:*:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:7.0.55:*:*:*:*:*:*:* cpe:2.3:a:hp:icewall_identity_manager:5.0:*:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:8.0.23:*:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:7.0.52:*:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:7.0.19:*:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:8.0.17:*:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:8.0.21:*:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:7.0.23:*:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:7.0.53:*:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:7.0.47:*:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:8.0.15:*:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:7.0.54:*:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:7.0.5:beta:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:8.0.8:*:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:7.0.12:*:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:7.0.40:*:*:*:*:*:*:* 
cpe:2.3:a:apache:commons_fileupload:*:*:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:8.0.22:*:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:8.0.11:*:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:7.0.29:*:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:8.0.14:*:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:8.0.0:rc2:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:7.0.20:*:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:7.0.0:*:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:7.0.32:*:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:7.0.68:*:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:7.0.6:*:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:7.0.26:*:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:7.0.62:*:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:7.0.69:*:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:8.0.0:rc5:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:7.0.63:*:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:8.0.30:*:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:8.0.5:*:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:7.0.57:*:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:7.0.4:*:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:8.0.3:*:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:7.0.1:*:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:9.0.0:m6:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:8.5.0:*:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:7.0.34:*:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:9.0.0:m4:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:8.0.26:*:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:7.0.10:*:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:7.0.37:*:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:7.0.0:beta:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:8.0.33:*:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:7.0.59:*:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:7.0.41:*:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:8.0.29:*:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:7.0.65:*:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:9.0.0:m1:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:8.0.27:*:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:8.0.0:rc10:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:8.0.1:*:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:7.0.35:*:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:7.0.42:*:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:9.0.0:m3:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:7.0.11:*:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:8.0.28:*:*:*:*:*:*:* 
javassist-3.15.0-GA.jar /var/lib/jenkins/workspace/test@2/target/devsecops/WEB-INF/lib/javassist-3.15.0-GA.jar 2fcae06eedcddd3e5b0fe32416f99c1c 79907309ca4bb4e5e51d4086cc4179b2611358d7 eeec97d5987dc8d525285fab888bab4c68a2ef1412335f73aba2b804f88a6cb5 Javassist (JAVA programming ASSISTant) makes Java bytecode manipulation simple. It is a class library for editing bytecodes in Java. MPL 1.1: http://www.mozilla.org/MPL/MPL-1.1.html LGPL 2.1: http://www.gnu.org/licenses/lgpl-2.1.html Apache License 2.0: http://www.apache.org/licenses/ /var/lib/jenkins/workspace/test@2/target/devsecops.war/WEB-INF/lib/javassist-3.15.0-GA.jar eeec97d5987dc8d525285fab888bab4c68a2ef1412335f73aba2b804f88a6cb5 79907309ca4bb4e5e51d4086cc4179b2611358d7 2fcae06eedcddd3e5b0fe32416f99c1c pom artifactid javassist pom groupid javassist jar package name javassist pom name Javassist pom url http://www.javassist.org/ file name javassist Manifest specification-vendor Shigeru Chiba jar package name bytecode pom artifactid javassist jar package name javassist Manifest specification-title Javassist pom name Javassist pom url http://www.javassist.org/ file name javassist jar package name bytecode pom groupid javassist pom version 3.15.0-GA pkg:maven/org.javassist/javassist@3.15.0-GA https://ossindex.sonatype.org/component/pkg:maven/org.javassist/javassist@3.15.0-GA pkg:maven/org.javassist/javassist@3.15.0-GA https://ossindex.sonatype.org/component/pkg:maven/org.javassist/javassist@3.15.0-GA asm-tree-6.2.jar /var/lib/jenkins/workspace/test@2/infrastructure/findsecbugs/lib/asm-tree-6.2.jar e7279981c6764dcd73a99705acf5c9a6 61570e046111559f38d4e0e580c005f75988c0a6 02317d9ed739dab470a96f44de712fde51a811362ca26852b34324388e61257c Tree API of ASM, a very small and fast Java bytecode manipulation framework BSD: http://asm.ow2.org/license.html /var/lib/jenkins/workspace/test@2/infrastructure/findsecbugs/archive/lib/asm-tree-6.2.jar 02317d9ed739dab470a96f44de712fde51a811362ca26852b34324388e61257c 
61570e046111559f38d4e0e580c005f75988c0a6 e7279981c6764dcd73a99705acf5c9a6 jar package name objectweb jar package name tree Manifest bundle-docurl http://asm.ow2.org pom organization name OW2 pom url http://asm.ow2.org/ pom name asm-tree pom groupid ow2.asm pom parent-artifactid ow2 jar package name asm file name asm-tree central groupid org.ow2.asm jar package name objectweb pom artifactid asm-tree pom organization url http://www.ow2.org/ Manifest module-requires org.objectweb.asm;transitive=true jar package name tree Manifest bundle-symbolicname org.objectweb.asm.tree jar package name asm Manifest bundle-requiredexecutionenvironment J2SE-1.5 pom parent-groupid org.ow2 pom artifactid asm-tree jar package name tree Manifest bundle-docurl http://asm.ow2.org Manifest Implementation-Title Tree API of ASM, a very small and fast Java bytecode manipulation framework pom parent-groupid org.ow2 pom organization name OW2 pom name asm-tree Manifest Bundle-Name org.objectweb.asm.tree jar package name asm file name asm-tree central artifactid asm-tree jar package name objectweb pom url http://asm.ow2.org/ Manifest module-requires org.objectweb.asm;transitive=true jar package name tree pom organization url http://www.ow2.org/ Manifest bundle-symbolicname org.objectweb.asm.tree jar package name asm pom parent-artifactid ow2 Manifest bundle-requiredexecutionenvironment J2SE-1.5 pom groupid ow2.asm pom parent-version 6.2 file version 6.2 pom version 6.2 central version 6.2 pkg:maven/org.ow2.asm/asm-tree@6.2 https://ossindex.sonatype.org/component/pkg:maven/org.ow2.asm/asm-tree@6.2 pkg:maven/org.ow2.asm/asm-tree@6.2 https://ossindex.sonatype.org/component/pkg:maven/org.ow2.asm/asm-tree@6.2 error_prone_annotations-2.3.2.jar /var/lib/jenkins/workspace/test@2/infrastructure/dependency-check/lib/error_prone_annotations-2.3.2.jar 42c8312a7eb4b6ff612049c4f7b514a6 d1a0c5032570e0f64be6b4d9c90cdeb103129029 357cd6cfb067c969226c442451502aee13800a24e950fdfde77bcdb4565a668d Apache 2.0: 
http://www.apache.org/licenses/LICENSE-2.0.txt pom parent-artifactid error_prone_parent jar package name errorprone jar package name google file name error_prone_annotations jar package name annotations pom name error-prone annotations jar package name errorprone pom parent-groupid com.google.errorprone pom artifactid error_prone_annotations jar package name annotations pom groupid google.errorprone jar package name google pom parent-groupid com.google.errorprone jar package name errorprone pom parent-artifactid error_prone_parent pom name error-prone annotations jar package name errorprone jar package name google file name error_prone_annotations jar package name annotations jar package name annotations pom groupid google.errorprone pom artifactid error_prone_annotations file version 2.3.2 pom version 2.3.2 pkg:maven/com.google.errorprone/error_prone_annotations@2.3.2 https://ossindex.sonatype.org/component/pkg:maven/com.google.errorprone/error_prone_annotations@2.3.2 pkg:maven/com.google.errorprone/error_prone_annotations@2.3.2 https://ossindex.sonatype.org/component/pkg:maven/com.google.errorprone/error_prone_annotations@2.3.2 findsecbugs-plugin-1.8.0.jar /var/lib/jenkins/workspace/test@2/infrastructure/findsecbugs/archive/lib/findsecbugs-plugin-1.8.0.jar 95fd6be78da3682e3e7f1ee5e774fddb b9809c4294b946495c55ff9e90cf07da47fcf38b 8aaee6a21a4e448c5beff4785ba7e2f89e78e6934f07621ca9c8702ebe759f77 Core module of the project. It includes all the FindBugs detectors. The resulting jar is the published plugin. 
pom parent-artifactid findsecbugs-root-pom pom groupid h3xstream.findsecbugs file name findsecbugs-plugin central groupid com.h3xstream.findsecbugs jar package name h3xstream pom parent-groupid com.h3xstream.findsecbugs pom artifactid findsecbugs-plugin jar package name findsecbugs pom name Find Security Bugs Plugin pom groupid h3xstream.findsecbugs file name findsecbugs-plugin pom artifactid findsecbugs-plugin pom parent-artifactid findsecbugs-root-pom central artifactid findsecbugs-plugin pom parent-groupid com.h3xstream.findsecbugs jar package name findsecbugs pom name Find Security Bugs Plugin pom version 1.8.0 file version 1.8.0 central version 1.8.0 pkg:maven/com.h3xstream.findsecbugs/findsecbugs-plugin@1.8.0 https://ossindex.sonatype.org/component/pkg:maven/com.h3xstream.findsecbugs/findsecbugs-plugin@1.8.0 pkg:maven/com.h3xstream.findsecbugs/findsecbugs-plugin@1.8.0 https://ossindex.sonatype.org/component/pkg:maven/com.h3xstream.findsecbugs/findsecbugs-plugin@1.8.0 j2objc-annotations-1.3.jar /var/lib/jenkins/workspace/test@2/infrastructure/dependency-check/lib/j2objc-annotations-1.3.jar 5fa4ec4ec0c5aa70af8a7d4922df1931 ba035118bc8bac37d7eff77700720999acd9986d 21af30c92267bd6122c0e0b4d20cccb6641a37eaf956c6540ec471d584e64a7b A set of annotations that provide additional information to the J2ObjC translator to modify the result of translation. 
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt jar package name j2objc file name j2objc-annotations jar package name j2objc jar package name google pom url google/j2objc/ jar package name annotations jar package name annotations pom artifactid j2objc-annotations pom name J2ObjC Annotations jar package name google pom groupid google.j2objc jar package name j2objc file name j2objc-annotations jar package name j2objc jar package name google pom groupid google.j2objc pom artifactid j2objc-annotations jar package name annotations jar package name annotations pom name J2ObjC Annotations pom url google/j2objc/ pom version 1.3 file version 1.3 pkg:maven/com.google.j2objc/j2objc-annotations@1.3 https://ossindex.sonatype.org/component/pkg:maven/com.google.j2objc/j2objc-annotations@1.3 pkg:maven/com.google.j2objc/j2objc-annotations@1.3 https://ossindex.sonatype.org/component/pkg:maven/com.google.j2objc/j2objc-annotations@1.3 commons-collections-3.2.2.jar /var/lib/jenkins/workspace/test@2/infrastructure/dependency-check/lib/commons-collections-3.2.2.jar f54a8510f834a1a57166970bfc982e94 8ad72fe39fa8c91eaaf12aadb21e0c3661fe26d5 eeeae917917144a68a741d4c0dff66aa5c5c5fd85593ff217bced3fc8ca783b8 Types that extend and augment the Java Collections Framework. 
http://www.apache.org/licenses/LICENSE-2.0.txt Manifest bundle-symbolicname org.apache.commons.collections pom groupid commons-collections pom name Apache Commons Collections pom artifactid commons-collections Manifest implementation-build tags/COLLECTIONS_3_2_2_RC3@r1714131; 2015-11-13 00:09:45+0100 pom parent-artifactid commons-parent Manifest bundle-docurl http://commons.apache.org/collections/ pom parent-groupid org.apache.commons pom url http://commons.apache.org/collections/ Manifest require-capability osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.3))" jar package name apache Manifest Implementation-Vendor-Id org.apache Manifest specification-vendor The Apache Software Foundation jar package name commons file name commons-collections jar package name collections Manifest implementation-url http://commons.apache.org/collections/ Manifest Implementation-Vendor The Apache Software Foundation Manifest bundle-symbolicname org.apache.commons.collections pom parent-artifactid commons-parent pom name Apache Commons Collections Manifest implementation-build tags/COLLECTIONS_3_2_2_RC3@r1714131; 2015-11-13 00:09:45+0100 Manifest bundle-docurl http://commons.apache.org/collections/ pom groupid commons-collections Manifest require-capability osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.3))" jar package name apache Manifest specification-title Apache Commons Collections Manifest Implementation-Title Apache Commons Collections pom artifactid commons-collections Manifest Bundle-Name Apache Commons Collections jar package name commons file name commons-collections pom parent-groupid org.apache.commons pom url http://commons.apache.org/collections/ jar package name collections Manifest implementation-url http://commons.apache.org/collections/ Manifest Implementation-Version 3.2.2 pom parent-version 3.2.2 Manifest Bundle-Version 3.2.2 pom version 3.2.2 file version 3.2.2 pkg:maven/commons-collections/commons-collections@3.2.2 
https://ossindex.sonatype.org/component/pkg:maven/commons-collections/commons-collections@3.2.2 pkg:maven/commons-collections/commons-collections@3.2.2 https://ossindex.sonatype.org/component/pkg:maven/commons-collections/commons-collections@3.2.2 dom4j-1.6.1.jar /var/lib/jenkins/workspace/test@2/target/devsecops/WEB-INF/lib/dom4j-1.6.1.jar 4d8f51d3fe3900efc6e395be48030d6d 5d3ccc056b6f056dbf0dddfdf43894b9065a8f94 593552ffea3c5823c6602478b5002a7c525fd904a3c44f1abe4065c22edfac73 dom4j: the flexible XML framework for Java /var/lib/jenkins/workspace/test@2/target/devsecops.war/WEB-INF/lib/dom4j-1.6.1.jar 593552ffea3c5823c6602478b5002a7c525fd904a3c44f1abe4065c22edfac73 5d3ccc056b6f056dbf0dddfdf43894b9065a8f94 4d8f51d3fe3900efc6e395be48030d6d Manifest Implementation-Vendor MetaStuff Ltd. Manifest extension-name dom4j pom name Zenframework Z8 Dependencies - Commons - dom4j-1.6.1 file name dom4j central groupid org.zenframework.z8.dependencies.commons pom organization name MetaStuff Ltd. pom organization url http://sourceforge.net/projects/dom4j pom url http://dom4j.org central groupid dom4j jar package name dom4j pom parent-groupid org.zenframework.z8.dependencies pom groupid dom4j pom artifactid dom4j-1.6.1 pom artifactid dom4j jar package name dom4j pom groupid zenframework.z8.dependencies.commons pom parent-artifactid z8-dependencies pom name dom4j Manifest specification-vendor MetaStuff Ltd. pom groupid zenframework.z8.dependencies.commons central artifactid dom4j pom artifactid dom4j-1.6.1 central artifactid dom4j-1.6.1 pom url http://dom4j.org pom artifactid dom4j Manifest extension-name dom4j pom name Zenframework Z8 Dependencies - Commons - dom4j-1.6.1 file name dom4j Manifest specification-title dom4j : XML framework for Java pom parent-artifactid z8-dependencies jar package name dom4j pom groupid dom4j pom parent-groupid org.zenframework.z8.dependencies pom organization name MetaStuff Ltd. 
pom name dom4j Manifest Implementation-Title org.dom4j pom organization url http://sourceforge.net/projects/dom4j pom version 2.0 central version 2.0 pkg:maven/dom4j/dom4j@1.6.1 https://ossindex.sonatype.org/component/pkg:maven/dom4j/dom4j@1.6.1 pkg:maven/org.zenframework.z8.dependencies.commons/dom4j-1.6.1@2.0 https://ossindex.sonatype.org/component/pkg:maven/org.zenframework.z8.dependencies.commons/dom4j-1.6.1@2.0 pkg:maven/dom4j/dom4j@1.6.1 https://ossindex.sonatype.org/component/pkg:maven/dom4j/dom4j@1.6.1 pkg:maven/org.zenframework.z8.dependencies.commons/dom4j-1.6.1@2.0 https://ossindex.sonatype.org/component/pkg:maven/org.zenframework.z8.dependencies.commons/dom4j-1.6.1@2.0 CVE-2018-1000632 HIGH 6.4 NETWORK LOW NONE NONE NONE PARTIAL MEDIUM 7.5 NETWORK LOW NONE NONE UNCHANGED NONE HIGH NONE HIGH CWE-91 dom4j versions prior to version 2.1.1 contain a CWE-91: XML Injection vulnerability in Class: Element. Methods: addElement, addAttribute that can result in an attacker tampering with XML documents through XML injection. This attack appears to be exploitable via an attacker specifying attributes or elements in the XML document. This vulnerability appears to have been fixed in 2.1.1 or later. 
MLIST https://lists.apache.org/thread.html/9d4c1af6f702c3d6d6f229de57112ddccac8ce44446a01b7937ab9e0@%3Ccommits.maven.apache.org%3E [maven-commits] 20190604 [maven-archetype] branch master updated: ARCHETYPE-567: switch to dom4j 2.1.1 (and Java 8) dom4j 2.1.1 requires Java 8 dom4j 2.0.2 would retain Java 7 but is vulnerable to CVE-2018-1000632 dom4j 2.0.3 fixes CVE-2018-1000632 but has been pending for ~1 year CONFIRM https://security.netapp.com/advisory/ntap-20190530-0001/ https://security.netapp.com/advisory/ntap-20190530-0001/ REDHAT https://access.redhat.com/errata/RHSA-2019:1161 RHSA-2019:1161 MLIST https://lists.apache.org/thread.html/5a020ecaa3c701f408f612f7ba2ee37a021644c4a39da2079ed3ddbc@%3Ccommits.maven.apache.org%3E [maven-commits] 20190531 [maven-archetype] 01/01: ARCHETYPE-567: switch to dom4j 2.1.1 (and Java 8) dom4j 2.1.1 requires Java 8 dom4j 2.0.2 would retain Java 7 but is vulnerable to CVE-2018-1000632 dom4j 2.0.3 fixes CVE-2018-1000632 but has been pending for ~1 year REDHAT https://access.redhat.com/errata/RHSA-2019:0380 RHSA-2019:0380 REDHAT https://access.redhat.com/errata/RHSA-2019:1159 RHSA-2019:1159 REDHAT https://access.redhat.com/errata/RHSA-2019:1162 RHSA-2019:1162 REDHAT https://access.redhat.com/errata/RHSA-2019:0365 RHSA-2019:0365 MISC https://ihacktoprotect.com/post/dom4j-xml-injection/ https://ihacktoprotect.com/post/dom4j-xml-injection/ REDHAT https://access.redhat.com/errata/RHSA-2019:0364 RHSA-2019:0364 MLIST https://lists.debian.org/debian-lts-announce/2018/09/msg00028.html [debian-lts-announce] 20180924 [SECURITY] [DLA 1517-1] dom4j security update REDHAT https://access.redhat.com/errata/RHSA-2019:1160 RHSA-2019:1160 OSSINDEX https://ossindex.sonatype.org/vuln/09883ba9-5094-49df-bd4a-1eaf1d6ba07b [CVE-2018-1000632] XML Injection (aka Blind XPath Injection) CONFIRM https://github.com/dom4j/dom4j/issues/48 https://github.com/dom4j/dom4j/issues/48 MLIST 
https://lists.apache.org/thread.html/00571f362a7a2470fba50a31282c65637c40d2e21ebe6ee535a4ed74@%3Ccommits.maven.apache.org%3E [maven-commits] 20190601 [maven-archetype] 01/01: ARCHETYPE-567: switch to dom4j 2.1.1 (and Java 8) dom4j 2.1.1 requires Java 8 dom4j 2.0.2 would retain Java 7 but is vulnerable to CVE-2018-1000632 dom4j 2.0.3 fixes CVE-2018-1000632 but has been pending for ~1 year MLIST https://lists.apache.org/thread.html/4a77652531d62299a30815cf5f233af183425db8e3c9a824a814e768@%3Cdev.maven.apache.org%3E [maven-dev] 20190531 Re: proposal for maven-archetype to switch to dom4j 2.1.1 (and Java 8) MLIST https://lists.apache.org/thread.html/7f6e120e6ed473f4e00dde4c398fc6698eb383bd7857d20513e989ce@%3Cdev.maven.apache.org%3E [maven-dev] 20190531 proposal for maven-archetype to switch to dom4j 2.1.1 (and Java 8) REDHAT https://access.redhat.com/errata/RHSA-2019:0362 RHSA-2019:0362 MLIST https://lists.apache.org/thread.html/d7d960b2778e35ec9b4d40c8efd468c7ce7163bcf6489b633491c89f@%3Cdev.maven.apache.org%3E [maven-dev] 20190603 Re: proposal for maven-archetype to switch to dom4j 2.1.1 (and Java 8) MLIST https://lists.apache.org/thread.html/7e9e78f0e4288fac6591992836d2a80d4df19161e54bd71ab4b8e458@%3Cdev.maven.apache.org%3E [maven-dev] 20190610 Re: proposal for maven-archetype to switch to dom4j 2.1.1 (and Java 8) CONFIRM https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html CONFIRM https://github.com/dom4j/dom4j/commit/e598eb43d418744c4dbf62f647dd2381c9ce9387 https://github.com/dom4j/dom4j/commit/e598eb43d418744c4dbf62f647dd2381c9ce9387 cpe:2.3:a:dom4j_project:dom4j:*:*:*:*:*:*:*:* cpe:2.3:a:oracle:flexcube_investor_servicing:12.1.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:flexcube_investor_servicing:14.0.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:flexcube_investor_servicing:12.3.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:flexcube_investor_servicing:12.4.0:*:*:*:*:*:*:* 
cpe:2.3:a:oracle:flexcube_investor_servicing:12.0.4:*:*:*:*:*:*:* slf4j-api-1.7.26.jar /var/lib/jenkins/workspace/test@2/infrastructure/dependency-check/lib/slf4j-api-1.7.26.jar 60ec8751be37d54a2aa1b6178f87b968 77100a62c2e6f04b53977b9f541044d7d722693d 6d9e5b86cfd1dd44c676899285b5bb4fa0d371cf583e8164f9c8a0366553242b The slf4j API file name slf4j-api pom url http://www.slf4j.org Manifest bundle-symbolicname slf4j.api pom name SLF4J API Module pom groupid slf4j pom artifactid slf4j-api pom parent-artifactid slf4j-parent pom parent-groupid org.slf4j jar package name slf4j Manifest bundle-requiredexecutionenvironment J2SE-1.5 pom name SLF4J API Module pom parent-groupid org.slf4j pom artifactid slf4j-api Manifest Bundle-Name slf4j-api file name slf4j-api Manifest bundle-symbolicname slf4j.api Manifest Implementation-Title slf4j-api pom parent-artifactid slf4j-parent pom groupid slf4j pom url http://www.slf4j.org jar package name slf4j Manifest bundle-requiredexecutionenvironment J2SE-1.5 file version 1.7.26 pom version 1.7.26 Manifest Bundle-Version 1.7.26 Manifest Implementation-Version 1.7.26 pkg:maven/org.slf4j/slf4j-api@1.7.26 https://ossindex.sonatype.org/component/pkg:maven/org.slf4j/slf4j-api@1.7.26 pkg:maven/org.slf4j/slf4j-api@1.7.26 https://ossindex.sonatype.org/component/pkg:maven/org.slf4j/slf4j-api@1.7.26 cpe-parser-2.0.1.jar /var/lib/jenkins/workspace/test@2/infrastructure/dependency-check/lib/cpe-parser-2.0.1.jar f5914901fb201b0f555806c0490d0c7e bed94a84a8cea2347e6b5049fc92b52f0af6f91b 696233733023bfc1944887a31476cde9c47847f45b0d76b0d8644c0ef3483251 A utility for validating and parsing Common Platform Enumeration (CPE) v2.2 and v2.3 as originally defined by MITRE and maintained by NIST. 
Apache-2.0: http://www.apache.org/licenses/LICENSE-2.0.txt jar package name cpe jar package name us jar package name parsers pom groupid us.springett pom artifactid cpe-parser pom url stevespringett/CPE-Parser jar package name springett jar package name springett pom name CPE Parser file name cpe-parser jar package name us jar package name cpe pom groupid us.springett jar package name parsers jar package name cpe jar package name springett jar package name springett pom url stevespringett/CPE-Parser pom name CPE Parser file name cpe-parser jar package name us pom artifactid cpe-parser pom version 2.0.1 file version 2.0.1 pkg:maven/us.springett/cpe-parser@2.0.1 https://ossindex.sonatype.org/component/pkg:maven/us.springett/cpe-parser@2.0.1 pkg:maven/us.springett/cpe-parser@2.0.1 https://ossindex.sonatype.org/component/pkg:maven/us.springett/cpe-parser@2.0.1 jboss-transaction-api_1.1_spec-1.0.1.Final.jar /var/lib/jenkins/workspace/test@2/target/devsecops/WEB-INF/lib/jboss-transaction-api_1.1_spec-1.0.1.Final.jar 679cd909d6130e6bf467b291031e1e2d 18f0e1d42f010a8b53aa447bf274a706d5148852 d9ccc72cdcf5450fcb8cc614b4930261d5cc5b40da6b3be783308cebcd100723 The Java Transaction 1.1 API classes Common Development and Distribution License: http://repository.jboss.org/licenses/cddl.txt GNU General Public License, Version 2 with the Classpath Exception: http://repository.jboss.org/licenses/gpl-2.0-ce.txt /var/lib/jenkins/workspace/test@2/target/devsecops.war/WEB-INF/lib/jboss-transaction-api_1.1_spec-1.0.1.Final.jar d9ccc72cdcf5450fcb8cc614b4930261d5cc5b40da6b3be783308cebcd100723 18f0e1d42f010a8b53aa447bf274a706d5148852 679cd909d6130e6bf467b291031e1e2d jar package name transaction Manifest Implementation-Vendor JBoss by Red Hat file name jboss-transaction-api_1.1_spec-1.0.1.Final Manifest bundle-docurl http://www.jboss.org Manifest os-name Linux pom parent-artifactid jboss-parent Manifest Implementation-Vendor-Id org.jboss.spec.javax.transaction pom groupid 
jboss.spec.javax.transaction jar package name javax Manifest os-arch i386 pom name Java Transaction API pom parent-groupid org.jboss Manifest implementation-url http://www.jboss.org/jboss-transaction-api_1.1_spec Manifest java-vendor Sun Microsystems Inc. Manifest build-timestamp Sat, 17 Mar 2012 11:49:45 -0500 Manifest bundle-symbolicname org.jboss.spec.javax.transaction.jboss-transaction-api_1.1_spec pom artifactid jboss-transaction-api_1.1_spec pom parent-artifactid jboss-parent jar package name transaction file name jboss-transaction-api_1.1_spec-1.0.1.Final Manifest Implementation-Title Java Transaction API Manifest bundle-docurl http://www.jboss.org Manifest os-name Linux pom groupid jboss.spec.javax.transaction Manifest specification-title JSR 907: Java Transaction API (JTA) jar package name javax Manifest os-arch i386 pom name Java Transaction API pom parent-groupid org.jboss Manifest implementation-url http://www.jboss.org/jboss-transaction-api_1.1_spec Manifest Bundle-Name Java Transaction API pom artifactid jboss-transaction-api_1.1_spec Manifest build-timestamp Sat, 17 Mar 2012 11:49:45 -0500 Manifest bundle-symbolicname org.jboss.spec.javax.transaction.jboss-transaction-api_1.1_spec pom parent-version 1.0.1.Final Manifest Implementation-Version 1.0.1.Final Manifest Bundle-Version 1.0.1.Final pom version 1.0.1.Final pkg:maven/org.jboss.spec.javax.transaction/jboss-transaction-api_1.1_spec@1.0.1.Final https://ossindex.sonatype.org/component/pkg:maven/org.jboss.spec.javax.transaction/jboss-transaction-api_1.1_spec@1.0.1.Final pkg:maven/org.jboss.spec.javax.transaction/jboss-transaction-api_1.1_spec@1.0.1.Final https://ossindex.sonatype.org/component/pkg:maven/org.jboss.spec.javax.transaction/jboss-transaction-api_1.1_spec@1.0.1.Final commons-compress-1.18.jar /var/lib/jenkins/workspace/test@2/infrastructure/dependency-check/lib/commons-compress-1.18.jar bcbecfff4bdb0d3d0cdead3d995da2ef 1191f9f2bc0c47a8cce69193feb1ff0a8bcb37d5 
5f2df1e467825e4cac5996d44890c4201c000b43c0b23cffc0782d28a0beb9b0 Apache Commons Compress software defines an API for working with compression and archive formats. These include: bzip2, gzip, pack200, lzma, xz, Snappy, traditional Unix Compress, DEFLATE, DEFLATE64, LZ4, Brotli, Zstandard and ar, cpio, jar, tar, zip, dump, 7z, arj. https://www.apache.org/licenses/LICENSE-2.0.txt pom parent-artifactid commons-parent Manifest implementation-url https://commons.apache.org/proper/commons-compress/ Manifest extension-name org.apache.commons.compress pom groupid apache.commons Manifest automatic-module-name org.apache.commons.compress pom artifactid commons-compress Manifest require-capability osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.7))" pom parent-groupid org.apache.commons jar package name apache Manifest Implementation-Vendor-Id org.apache Manifest bundle-symbolicname org.apache.commons.commons-compress file name commons-compress Manifest specification-vendor The Apache Software Foundation jar package name commons Manifest bundle-docurl https://commons.apache.org/proper/commons-compress/ pom name Apache Commons Compress Manifest implementation-build UNKNOWN@rb95d5cde4c68640f886e3c6802384fae47408a37; 2018-08-13 07:16:03+0000 pom url https://commons.apache.org/proper/commons-compress/ jar package name compress Manifest Implementation-Vendor The Apache Software Foundation Manifest Bundle-Name Apache Commons Compress pom parent-artifactid commons-parent pom url https://commons.apache.org/proper/commons-compress/ Manifest implementation-url https://commons.apache.org/proper/commons-compress/ Manifest extension-name org.apache.commons.compress Manifest Implementation-Title Apache Commons Compress Manifest automatic-module-name org.apache.commons.compress Manifest require-capability osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.7))" jar package name apache Manifest bundle-symbolicname org.apache.commons.commons-compress file name commons-compress jar package name commons 
pom groupid apache.commons Manifest bundle-docurl https://commons.apache.org/proper/commons-compress/ pom artifactid commons-compress pom parent-groupid org.apache.commons pom name Apache Commons Compress Manifest specification-title Apache Commons Compress Manifest implementation-build UNKNOWN@rb95d5cde4c68640f886e3c6802384fae47408a37; 2018-08-13 07:16:03+0000 jar package name compress Manifest Implementation-Version 1.18 pom parent-version 1.18 file version 1.18 pom version 1.18 pkg:maven/org.apache.commons/commons-compress@1.18 https://ossindex.sonatype.org/component/pkg:maven/org.apache.commons/commons-compress@1.18 pkg:maven/org.apache.commons/commons-compress@1.18 https://ossindex.sonatype.org/component/pkg:maven/org.apache.commons/commons-compress@1.18 retirejs-core-3.0.1.jar /var/lib/jenkins/workspace/test@2/infrastructure/dependency-check/lib/retirejs-core-3.0.1.jar af51ed61a72671ff8c61942ddc8225cd 5aa8c3ee326e382ce9d55cc58e2182852a5b3421 6e5f2db50efa4f248af753b877858b6cd11bf31c1b7efb064634691a82784ea4 file name retirejs-core pom groupid h3xstream.retirejs jar package name retirejs jar package name h3xstream pom artifactid retirejs-core pom parent-groupid com.h3xstream.retirejs pom parent-artifactid retirejs-root-pom jar package name h3xstream jar package name repo jar package name retirejs file name retirejs-core pom parent-artifactid retirejs-root-pom jar package name retirejs pom artifactid retirejs-core pom parent-groupid com.h3xstream.retirejs pom groupid h3xstream.retirejs jar package name h3xstream jar package name repo jar package name retirejs file version 3.0.1 pom version 3.0.1 pkg:maven/com.h3xstream.retirejs/retirejs-core@3.0.1 https://ossindex.sonatype.org/component/pkg:maven/com.h3xstream.retirejs/retirejs-core@3.0.1 pkg:maven/com.h3xstream.retirejs/retirejs-core@3.0.1 https://ossindex.sonatype.org/component/pkg:maven/com.h3xstream.retirejs/retirejs-core@3.0.1 commons-logging-api-1.1.jar 
/var/lib/jenkins/workspace/test@2/target/devsecops/WEB-INF/lib/commons-logging-api-1.1.jar 4374238076ab08e60e0d296234480837 7d4cf5231d46c8524f9b9ed75bb2d1c69ab93322 33a4dd47bb4764e4eb3692d86386d17a0d9827f4f4bb0f70121efab6bc03ba35 Commons Logging is a thin adapter allowing configurable bridging to other, well known logging systems. The Apache Software License, Version 2.0: /LICENSE.txt /var/lib/jenkins/workspace/test@2/target/devsecops.war/WEB-INF/lib/commons-logging-api-1.1.jar 33a4dd47bb4764e4eb3692d86386d17a0d9827f4f4bb0f70121efab6bc03ba35 7d4cf5231d46c8524f9b9ed75bb2d1c69ab93322 4374238076ab08e60e0d296234480837 pom name Logging jar package name logging pom organization url http://jakarta.apache.org jar package name apache pom groupid commons-logging jar package name logging jar package name commons pom artifactid commons-logging-api Manifest Implementation-Vendor-Id org.apache jar package name apache Manifest Implementation-Vendor Apache Software Foundation Manifest extension-name org.apache.commons.logging file name commons-logging-api central groupid commons-logging jar package name commons pom url http://jakarta.apache.org/commons/logging/ Manifest specification-vendor Apache Software Foundation pom organization name The Apache Software Foundation pom name Logging jar package name logging Manifest specification-title Jakarta Commons Logging central artifactid commons-logging-api Manifest Implementation-Title Jakarta Commons Logging pom url http://jakarta.apache.org/commons/logging/ jar package name logging jar package name commons pom organization url http://jakarta.apache.org jar package name impl jar package name apache Manifest extension-name org.apache.commons.logging file name commons-logging-api jar package name commons pom artifactid commons-logging-api pom organization name The Apache Software Foundation pom groupid commons-logging Manifest Implementation-Version 1.1 file version 1.1 central version 1.1 pom version 1.1 
pkg:maven/commons-logging/commons-logging-api@1.1 https://ossindex.sonatype.org/component/pkg:maven/commons-logging/commons-logging-api@1.1 pkg:maven/commons-logging/commons-logging-api@1.1 https://ossindex.sonatype.org/component/pkg:maven/commons-logging/commons-logging-api@1.1 failureaccess-1.0.1.jar /var/lib/jenkins/workspace/test@2/infrastructure/dependency-check/lib/failureaccess-1.0.1.jar 091883993ef5bfa91da01dcc8fc52236 1dcf1de382a0bf95a3d8b0849546c88bac1292c9 a171ee4c734dd2da837e4b16be9df4661afab72a41adaf31eb84dfdaf936ca26 Contains com.google.common.util.concurrent.internal.InternalFutureFailureAccess and InternalFutures. Most users will never need to use this artifact. Its classes are conceptually a part of Guava, but they're in this separate artifact so that Android libraries can use them without pulling in all of Guava (just as they can use ListenableFuture by depending on the listenablefuture artifact). http://www.apache.org/licenses/LICENSE-2.0.txt jar package name google pom name Guava InternalFutureFailureAccess and InternalFutures pom parent-groupid com.google.guava Manifest require-capability osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.7))" file name failureaccess jar package name concurrent jar package name util pom groupid google.guava pom artifactid failureaccess Manifest bundle-docurl https://github.com/google/guava/ jar package name common pom parent-artifactid guava-parent Manifest bundle-symbolicname com.google.guava.failureaccess jar package name google pom name Guava InternalFutureFailureAccess and InternalFutures pom parent-artifactid guava-parent pom artifactid failureaccess pom parent-groupid com.google.guava Manifest require-capability osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.7))" pom groupid google.guava file name failureaccess jar package name concurrent jar package name util Manifest Bundle-Name Guava InternalFutureFailureAccess and InternalFutures jar package name common Manifest bundle-docurl https://github.com/google/guava/
Manifest bundle-symbolicname com.google.guava.failureaccess pom parent-version 1.0.1 file version 1.0.1 pom version 1.0.1 Manifest Bundle-Version 1.0.1 pkg:maven/com.google.guava/failureaccess@1.0.1 https://ossindex.sonatype.org/component/pkg:maven/com.google.guava/failureaccess@1.0.1 pkg:maven/com.google.guava/failureaccess@1.0.1 https://ossindex.sonatype.org/component/pkg:maven/com.google.guava/failureaccess@1.0.1 antlr-2.7.7.jar /var/lib/jenkins/workspace/test@2/target/devsecops/WEB-INF/lib/antlr-2.7.7.jar f8f1352c52a4c6a500b597596501fc64 83cd2cd674a217ade95a4bb83a8a14f351f48bd0 88fbda4b912596b9f56e8e12e580cc954bacfb51776ecfddd3e18fc1cf56dc4c A framework for constructing recognizers, compilers, and translators from grammatical descriptions containing Java, C#, C++, or Python actions. BSD License: http://www.antlr.org/license.html /var/lib/jenkins/workspace/test@2/target/devsecops.war/WEB-INF/lib/antlr-2.7.7.jar 88fbda4b912596b9f56e8e12e580cc954bacfb51776ecfddd3e18fc1cf56dc4c 83cd2cd674a217ade95a4bb83a8a14f351f48bd0 f8f1352c52a4c6a500b597596501fc64 pom name AntLR Parser Generator central groupid antlr pom url http://www.antlr.org/ pom artifactid antlr file name antlr jar package name antlr pom groupid antlr pom name AntLR Parser Generator pom url http://www.antlr.org/ pom groupid antlr central artifactid antlr pom artifactid antlr file name antlr file version 2.7.7 central version 2.7.7 pom version 2.7.7 pkg:maven/antlr/antlr@2.7.7 https://ossindex.sonatype.org/component/pkg:maven/antlr/antlr@2.7.7 pkg:maven/antlr/antlr@2.7.7 https://ossindex.sonatype.org/component/pkg:maven/antlr/antlr@2.7.7 jsr305-3.0.2.jar /var/lib/jenkins/workspace/test@2/infrastructure/dependency-check/lib/jsr305-3.0.2.jar dd83accb899363c32b07d7a1b2e4ce40 25ea2e8b0c338a877313bd4672d3fe056ea78f0d 766ad2a0783f2687962c8ad74ceecc38a28b9f72a2d085ee438b7813e928d0c7 JSR305 Annotations for Findbugs The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt 
/var/lib/jenkins/workspace/test@2/infrastructure/findsecbugs/archive/lib/jsr305-3.0.2.jar 766ad2a0783f2687962c8ad74ceecc38a28b9f72a2d085ee438b7813e928d0c7 25ea2e8b0c338a877313bd4672d3fe056ea78f0d dd83accb899363c32b07d7a1b2e4ce40 /var/lib/jenkins/workspace/test@2/infrastructure/findsecbugs/lib/jsr305-3.0.2.jar 766ad2a0783f2687962c8ad74ceecc38a28b9f72a2d085ee438b7813e928d0c7 25ea2e8b0c338a877313bd4672d3fe056ea78f0d dd83accb899363c32b07d7a1b2e4ce40 pom url http://findbugs.sourceforge.net/ pom groupid google.code.findbugs pom name FindBugs-jsr305 pom artifactid jsr305 Manifest bundle-symbolicname org.jsr-305 file name jsr305 pom name FindBugs-jsr305 Manifest bundle-symbolicname org.jsr-305 pom groupid google.code.findbugs Manifest Bundle-Name FindBugs-jsr305 pom artifactid jsr305 pom url http://findbugs.sourceforge.net/ file name jsr305 pom version 3.0.2 file version 3.0.2 Manifest Bundle-Version 3.0.2 pkg:maven/com.google.code.findbugs/jsr305@3.0.2 https://ossindex.sonatype.org/component/pkg:maven/com.google.code.findbugs/jsr305@3.0.2 pkg:maven/com.google.code.findbugs/jsr305@3.0.2 https://ossindex.sonatype.org/component/pkg:maven/com.google.code.findbugs/jsr305@3.0.2 package-url-java-1.0.1.jar /var/lib/jenkins/workspace/test@2/infrastructure/dependency-check/lib/package-url-java-1.0.1.jar c3ad4b16cbc442ae5f0faca7f7a45ec0 15aa42711e3c142a088818357073f8f85bf42b08 27811dedb123d3cd685f301d629627f54275307313b00fcb671ab05a9bb19bea ASL2: http://www.apache.org/licenses/LICENSE-2.0.txt pom groupid sonatype.goodies pom url https://sonatype.github.io/package-url-java/ jar package name sonatype jar package name goodies pom parent-groupid org.sonatype.buildsupport Manifest implementation-url https://sonatype.github.io/package-url-java/ pom artifactid package-url-java Manifest Implementation-Vendor-Id org.sonatype.goodies pom parent-artifactid public-parent Manifest Implementation-Vendor Sonatype, Inc. 
file name package-url-java pom groupid sonatype.goodies pom parent-groupid org.sonatype.buildsupport jar package name sonatype jar package name goodies pom url https://sonatype.github.io/package-url-java/ Manifest Implementation-Title org.sonatype.goodies:package-url-java Manifest implementation-url https://sonatype.github.io/package-url-java/ pom parent-artifactid public-parent pom artifactid package-url-java Manifest specification-title org.sonatype.goodies:package-url-java file name package-url-java pom parent-version 1.0.1 file version 1.0.1 pom version 1.0.1 Manifest Implementation-Version 1.0.1 pkg:maven/org.sonatype.goodies/package-url-java@1.0.1 https://ossindex.sonatype.org/component/pkg:maven/org.sonatype.goodies/package-url-java@1.0.1 pkg:maven/org.sonatype.goodies/package-url-java@1.0.1 https://ossindex.sonatype.org/component/pkg:maven/org.sonatype.goodies/package-url-java@1.0.1 spotbugs-annotations-3.1.5.jar /var/lib/jenkins/workspace/test@2/infrastructure/findsecbugs/lib/spotbugs-annotations-3.1.5.jar b95dcad8c0cf00c399b5c24b161ffbd8 4e2e5448fba7b4aa298d4eb9af25a9ba707bcb0e c32907af3441aaeb2948825ef30d70d34ca938be832910df73a46aa20554aecf Annotations the SpotBugs tool supports GNU LESSER GENERAL PUBLIC LICENSE, Version 2.1: https://www.gnu.org/licenses/old-licenses/lgpl-2.1.en.html /var/lib/jenkins/workspace/test@2/infrastructure/findsecbugs/archive/lib/spotbugs-annotations-3.1.5.jar c32907af3441aaeb2948825ef30d70d34ca938be832910df73a46aa20554aecf 4e2e5448fba7b4aa298d4eb9af25a9ba707bcb0e b95dcad8c0cf00c399b5c24b161ffbd8 jar package name cs file name spotbugs-annotations central groupid com.github.spotbugs pom groupid github.spotbugs Manifest bundle-symbolicname spotbugs-annotations pom url https://spotbugs.github.io/ Manifest automatic-module-name com.github.spotbugs.annotations pom name SpotBugs Annotations jar package name edu pom artifactid spotbugs-annotations Manifest bundle-requiredexecutionenvironment J2SE-1.5 jar package name umd jar package 
name cs file name spotbugs-annotations jar package name findbugs pom artifactid spotbugs-annotations pom url https://spotbugs.github.io/ Manifest Bundle-Name spotbugs-annotations Manifest bundle-symbolicname spotbugs-annotations pom groupid github.spotbugs central artifactid spotbugs-annotations Manifest automatic-module-name com.github.spotbugs.annotations pom name SpotBugs Annotations Manifest bundle-requiredexecutionenvironment J2SE-1.5 jar package name umd Manifest Bundle-Version 3.1.5 file version 3.1.5 central version 3.1.5 pom version 3.1.5 pkg:maven/com.github.spotbugs/spotbugs-annotations@3.1.5 https://ossindex.sonatype.org/component/pkg:maven/com.github.spotbugs/spotbugs-annotations@3.1.5 pkg:maven/com.github.spotbugs/spotbugs-annotations@3.1.5 https://ossindex.sonatype.org/component/pkg:maven/com.github.spotbugs/spotbugs-annotations@3.1.5 minlog-1.3.jar /var/lib/jenkins/workspace/test@2/infrastructure/dependency-check/lib/minlog-1.3.jar b4e9b84eaea9750fe58ac3e196c7ed9b 8d2b87348c82b82e69ac2039ddbbc9d36dc69c9a 12d586cbfc6fab0063fc4ff56a93cc7094ae020d6b368f53025727b2e8ca02d7 Minimal overhead Java logging New BSD License: http://www.opensource.org/licenses/bsd-license.php Manifest Implementation-Vendor-Id com.esotericsoftware jar package name minlog pom artifactid minlog pom groupid esotericsoftware pom url EsotericSoftware/minlog pom name MinLog file name minlog jar package name esotericsoftware jar package name minlog Manifest specification-title MinLog pom url EsotericSoftware/minlog pom name MinLog file name minlog pom artifactid minlog Manifest Implementation-Title MinLog pom groupid esotericsoftware jar package name esotericsoftware Manifest Implementation-Version 1.3 pom version 1.3 file version 1.3 pkg:maven/com.esotericsoftware/minlog@1.3 https://ossindex.sonatype.org/component/pkg:maven/com.esotericsoftware/minlog@1.3 pkg:maven/com.esotericsoftware/minlog@1.3 https://ossindex.sonatype.org/component/pkg:maven/com.esotericsoftware/minlog@1.3 
struts2-tiles-plugin-2.3.16.jar /var/lib/jenkins/workspace/test@2/target/devsecops/WEB-INF/lib/struts2-tiles-plugin-2.3.16.jar bf0c91600c512941ae9aafe17ed77da1 08516d4707f21d4ea115e6cd08ef0e0c116a1286 a6037033d7ac6994bc0aa7661889b47cb1860c3dffcbd31780137045afc0b97c Apache Struts 2 http://www.apache.org/licenses/LICENSE-2.0.txt /var/lib/jenkins/workspace/test@2/target/devsecops.war/WEB-INF/lib/struts2-tiles-plugin-2.3.16.jar a6037033d7ac6994bc0aa7661889b47cb1860c3dffcbd31780137045afc0b97c 08516d4707f21d4ea115e6cd08ef0e0c116a1286 bf0c91600c512941ae9aafe17ed77da1 Manifest bundle-symbolicname org.apache.struts.2-tiles-plugin Manifest bundle-docurl http://www.apache.org pom artifactid struts2-tiles-plugin Manifest Implementation-Vendor-Id org.apache.struts jar package name struts2 pom name Struts 2 Tiles Plugin jar package name apache Manifest Implementation-Vendor Apache Software Foundation file name struts2-tiles-plugin jar package name tiles pom groupid apache.struts Manifest specification-vendor Apache Software Foundation pom parent-artifactid struts2-plugins pom parent-groupid org.apache.struts Manifest bundle-symbolicname org.apache.struts.2-tiles-plugin Manifest bundle-docurl http://www.apache.org pom artifactid struts2-tiles-plugin pom parent-artifactid struts2-plugins jar package name struts2 Manifest specification-title Struts 2 Tiles Plugin pom name Struts 2 Tiles Plugin jar package name apache Manifest Implementation-Title Struts 2 Tiles Plugin file name struts2-tiles-plugin jar package name tiles pom parent-groupid org.apache.struts Manifest Bundle-Name Struts 2 Tiles Plugin pom groupid apache.struts Manifest Bundle-Version 2.3.16 Manifest Implementation-Version 2.3.16 file version 2.3.16 pom version 2.3.16 pkg:maven/org.apache.struts/struts2-tiles-plugin@2.3.16 https://ossindex.sonatype.org/component/pkg:maven/org.apache.struts/struts2-tiles-plugin@2.3.16 pkg:maven/org.apache.struts/struts2-tiles-plugin@2.3.16 
https://ossindex.sonatype.org/component/pkg:maven/org.apache.struts/struts2-tiles-plugin@2.3.16 CVE-2014-0094 MEDIUM 5.0 NETWORK LOW NONE NONE NONE NONE MEDIUM NVD-CWE-noinfo The ParametersInterceptor in Apache Struts before 2.3.16.2 allows remote attackers to "manipulate" the ClassLoader via the class parameter, which is passed to the getClass method. CONFIRM http://www.oracle.com/technetwork/topics/security/cpuapr2015-2365600.html http://www.oracle.com/technetwork/topics/security/cpuapr2015-2365600.html BUGTRAQ http://www.securityfocus.com/archive/1/532549/100/0/threaded 20140625 NEW VMSA-2014-0007 - VMware product updates address security vulnerabilities in Apache Struts library SECUNIA http://secunia.com/advisories/56440 56440 CONFIRM http://struts.apache.org/release/2.3.x/docs/s2-020.html http://struts.apache.org/release/2.3.x/docs/s2-020.html BUGTRAQ http://www.securityfocus.com/archive/1/531362/100/0/threaded 20140306 [ANN] Struts 2.3.16.1 GA release available - security fix JVNDB http://jvndb.jvn.jp/jvndb/JVNDB-2014-000045 JVNDB-2014-000045 MISC http://packetstormsecurity.com/files/127215/VMware-Security-Advisory-2014-0007.html http://packetstormsecurity.com/files/127215/VMware-Security-Advisory-2014-0007.html SECUNIA http://secunia.com/advisories/59178 59178 CONFIRM http://www.konakart.com/downloads/ver-7-3-0-0-whats-new http://www.konakart.com/downloads/ver-7-3-0-0-whats-new SECTRACK http://www.securitytracker.com/id/1029876 1029876 BID http://www.securityfocus.com/bid/65999 65999 CONFIRM http://www-01.ibm.com/support/docview.wss?uid=swg21676706 http://www-01.ibm.com/support/docview.wss?uid=swg21676706 JVN http://jvn.jp/en/jp/JVN19294237/index.html JVN#19294237 CONFIRM http://www.vmware.com/security/advisories/VMSA-2014-0007.html http://www.vmware.com/security/advisories/VMSA-2014-0007.html CONFIRM http://www.huawei.com/en/security/psirt/security-bulletins/security-advisories/hw-350733.htm 
http://www.huawei.com/en/security/psirt/security-bulletins/security-advisories/hw-350733.htm cpe:2.3:a:apache:struts:*:*:*:*:*:*:*:* CVE-2014-0112 HIGH 7.5 NETWORK LOW NONE PARTIAL PARTIAL PARTIAL HIGH CWE-264 ParametersInterceptor in Apache Struts before 2.3.20 does not properly restrict access to the getClass method, which allows remote attackers to "manipulate" the ClassLoader and execute arbitrary code via a crafted request. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-0094. CONFIRM http://www.oracle.com/technetwork/topics/security/cpuapr2015-2365600.html http://www.oracle.com/technetwork/topics/security/cpuapr2015-2365600.html CONFIRM https://bugzilla.redhat.com/show_bug.cgi?id=1091939 https://bugzilla.redhat.com/show_bug.cgi?id=1091939 BID http://www.securityfocus.com/bid/67064 67064 SECUNIA http://secunia.com/advisories/59500 59500 CONFIRM https://cwiki.apache.org/confluence/display/WW/S2-021 https://cwiki.apache.org/confluence/display/WW/S2-021 BUGTRAQ http://www.securityfocus.com/archive/1/531952/100/0/threaded 20140426 [ANN] Struts 2.3.16.2 GA release available - security fix BUGTRAQ http://www.securityfocus.com/archive/1/532549/100/0/threaded 20140625 NEW VMSA-2014-0007 - VMware product updates address security vulnerabilities in Apache Struts library REDHAT https://access.redhat.com/errata/RHSA-2019:0910 RHSA-2019:0910 JVNDB http://jvndb.jvn.jp/jvndb/JVNDB-2014-000045 JVNDB-2014-000045 MISC http://packetstormsecurity.com/files/127215/VMware-Security-Advisory-2014-0007.html http://packetstormsecurity.com/files/127215/VMware-Security-Advisory-2014-0007.html SECUNIA http://secunia.com/advisories/59178 59178 CONFIRM http://www-01.ibm.com/support/docview.wss?uid=swg21676706 http://www-01.ibm.com/support/docview.wss?uid=swg21676706 JVN http://jvn.jp/en/jp/JVN19294237/index.html JVN#19294237 CONFIRM http://www.vmware.com/security/advisories/VMSA-2014-0007.html http://www.vmware.com/security/advisories/VMSA-2014-0007.html 
cpe:2.3:a:apache:struts:*:*:*:*:*:*:*:* CVE-2014-0113 HIGH 7.5 NETWORK LOW NONE PARTIAL PARTIAL PARTIAL HIGH CWE-264 CookieInterceptor in Apache Struts before 2.3.20, when a wildcard cookiesName value is used, does not properly restrict access to the getClass method, which allows remote attackers to "manipulate" the ClassLoader and execute arbitrary code via a crafted request. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-0094. CONFIRM http://www.oracle.com/technetwork/topics/security/cpuapr2015-2365600.html http://www.oracle.com/technetwork/topics/security/cpuapr2015-2365600.html SECUNIA http://secunia.com/advisories/59178 59178 CONFIRM https://cwiki.apache.org/confluence/display/WW/S2-021 https://cwiki.apache.org/confluence/display/WW/S2-021 BUGTRAQ http://www.securityfocus.com/archive/1/531952/100/0/threaded 20140426 [ANN] Struts 2.3.16.2 GA release available - security fix CONFIRM http://www-01.ibm.com/support/docview.wss?uid=swg21676706 http://www-01.ibm.com/support/docview.wss?uid=swg21676706 cpe:2.3:a:apache:struts:*:*:*:*:*:*:*:* CVE-2014-0116 MEDIUM 5.8 NETWORK MEDIUM NONE NONE NONE PARTIAL MEDIUM CWE-264 CookieInterceptor in Apache Struts 2.x before 2.3.20, when a wildcard cookiesName value is used, does not properly restrict access to the getClass method, which allows remote attackers to "manipulate" the ClassLoader and modify session state via a crafted request. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-0113. 
CONFIRM http://www.oracle.com/technetwork/topics/security/cpuapr2015-2365600.html http://www.oracle.com/technetwork/topics/security/cpuapr2015-2365600.html BID http://www.securityfocus.com/bid/67218 67218 SECUNIA http://secunia.com/advisories/59816 59816 CONFIRM http://struts.apache.org/release/2.3.x/docs/s2-022.html http://struts.apache.org/release/2.3.x/docs/s2-022.html CONFIRM http://www.huawei.com/en/security/psirt/security-bulletins/security-advisories/hw-350733.htm http://www.huawei.com/en/security/psirt/security-bulletins/security-advisories/hw-350733.htm cpe:2.3:a:apache:struts:2.1.8.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.7:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.14.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.10:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.4:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.16.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.2.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.1.6:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.13:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.1.0:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.2:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.12:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.1.8:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.15:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.1.2:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.12:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.4.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.11.2:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.3:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.1.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.2.1.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.0:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.14:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.15.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.16:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.1.4:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.4:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.7:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.1.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.1:*:*:*:*:*:*:* 
cpe:2.3:a:apache:struts:2.0.14:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.11:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.14.2:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.11.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.9:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.16.2:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.2.3:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.14.3:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.3:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.1.5:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.1.2:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.8:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.5:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.8:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.15.2:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.6:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.2.3.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.1.3:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.15.3:*:*:*:*:*:*:* CVE-2014-7809 MEDIUM 6.8 NETWORK MEDIUM NONE PARTIAL PARTIAL PARTIAL MEDIUM CWE-352 Apache Struts 2.0.0 through 2.3.x before 2.3.20 uses predictable <s:token/> values, which allows remote attackers to bypass the CSRF protection mechanism. 
MISC http://packetstormsecurity.com/files/129421/Apache-Struts-2.3.20-Security-Fixes.html http://packetstormsecurity.com/files/129421/Apache-Struts-2.3.20-Security-Fixes.html CONFIRM http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html CONFIRM http://www.oracle.com/technetwork/topics/security/cpuapr2015-2365600.html http://www.oracle.com/technetwork/topics/security/cpuapr2015-2365600.html BID http://www.securityfocus.com/bid/71548 71548 CONFIRM http://struts.apache.org/docs/s2-023.html http://struts.apache.org/docs/s2-023.html CONFIRM http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html SECTRACK http://www.securitytracker.com/id/1031309 1031309 BUGTRAQ http://www.securityfocus.com/archive/1/534175/100/0/threaded 20141208 [ANN] Apache Struts 2.3.20 GA release available with security fix cpe:2.3:a:apache:struts:2.1.8.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.7:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.14.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.10:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.4:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.16.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.2.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.1.6:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.13:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.1.0:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.2:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.12:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.1.8:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.15:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.1.2:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.12:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.4.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.11.2:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.3:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.1.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.2.1.1:*:*:*:*:*:*:* 
cpe:2.3:a:apache:struts:2.0.0:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.14:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.15.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.16:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.1.4:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.4:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.7:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.1.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.14:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.11:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.14.2:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.11.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.9:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.16.2:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.2.3:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.14.3:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.16.3:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.3:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.1.5:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.1.2:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.8:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.5:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.8:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.15.2:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.6:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.2.3.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.1.3:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.15.3:*:*:*:*:*:*:* CVE-2015-5169 MEDIUM 4.3 NETWORK MEDIUM NONE NONE NONE NONE MEDIUM 6.1 NETWORK LOW NONE REQUIRED CHANGED LOW LOW NONE MEDIUM CWE-79 Cross-site scripting (XSS) vulnerability in Apache Struts before 2.3.20. 
CONFIRM https://bugzilla.redhat.com/show_bug.cgi?id=1260087 https://bugzilla.redhat.com/show_bug.cgi?id=1260087 CONFIRM https://struts.apache.org/docs/s2-025.html https://struts.apache.org/docs/s2-025.html JVNDB http://jvndb.jvn.jp/en/contents/2015/JVNDB-2015-000125.html JVNDB-2015-000125 BID http://www.securityfocus.com/bid/76625 76625 CONFIRM https://security.netapp.com/advisory/ntap-20180629-0003/ https://security.netapp.com/advisory/ntap-20180629-0003/ JVN http://jvn.jp/en/jp/JVN95989300/index.html JVN#95989300 cpe:2.3:a:apache:struts:*:*:*:*:*:*:*:* CVE-2015-5209 HIGH 5.0 NETWORK LOW NONE NONE NONE NONE MEDIUM 7.5 NETWORK LOW NONE NONE UNCHANGED NONE HIGH NONE HIGH CWE-20 Apache Struts 2.x before 2.3.24.1 allows remote attackers to manipulate Struts internals, alter user sessions, or affect container settings via vectors involving a top object. CONFIRM https://security.netapp.com/advisory/ntap-20180629-0002/ https://security.netapp.com/advisory/ntap-20180629-0002/ BID http://www.securityfocus.com/bid/82550 82550 SECTRACK http://www.securitytracker.com/id/1033908 1033908 CONFIRM https://struts.apache.org/docs/s2-026.html https://struts.apache.org/docs/s2-026.html cpe:2.3:a:apache:struts:2.1.8.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.7:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.14.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.10:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.4:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.16.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.2.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.1.6:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.6:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.17:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.20.2:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.23:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.13:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.1.0:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.11:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.2:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.12:*:*:*:*:*:*:* 
cpe:2.3:a:apache:struts:2.3.5:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.22:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.1.8:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.15:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.1.2:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.12:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.4.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.11.2:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.21:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.3:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.1.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.2.1.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.0:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.20:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.14:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.13:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.20.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.15.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.16:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.10:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.1.4:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.4:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.7:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.1.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.19:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.14:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.11:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.14.2:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.11.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.24:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.9:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.16.2:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.2.3:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.14.3:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.16.3:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.3:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.1.5:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.1.2:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.8:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.5:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.8:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.15.2:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.6:*:*:*:*:*:*:* 
cpe:2.3:a:apache:struts:2.2.3.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.1.3:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.9:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.15.3:*:*:*:*:*:*:* CVE-2016-0785 HIGH 9.0 NETWORK LOW SINGLE COMPLETE COMPLETE COMPLETE HIGH 8.8 NETWORK LOW LOW NONE UNCHANGED HIGH HIGH HIGH HIGH CWE-20 Apache Struts 2.x before 2.3.28 allows remote attackers to execute arbitrary code via a "%{}" sequence in a tag attribute, aka forced double OGNL evaluation. CONFIRM http://struts.apache.org/docs/s2-029.html http://struts.apache.org/docs/s2-029.html SECTRACK http://www.securitytracker.com/id/1035271 1035271 BID http://www.securityfocus.com/bid/85066 85066 cpe:2.3:a:apache:struts:2.3.24.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.24:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:*:*:*:*:*:*:*:* CVE-2016-2162 MEDIUM 4.3 NETWORK MEDIUM NONE NONE NONE NONE MEDIUM 6.1 NETWORK LOW NONE REQUIRED CHANGED LOW LOW NONE MEDIUM CWE-79 Apache Struts 2.x before 2.3.25 does not sanitize text in the Locale object constructed by I18NInterceptor, which might allow remote attackers to conduct cross-site scripting (XSS) attacks via unspecified vectors involving language display. 
SECTRACK http://www.securitytracker.com/id/1035272 1035272 CONFIRM http://struts.apache.org/docs/s2-030.html http://struts.apache.org/docs/s2-030.html BID http://www.securityfocus.com/bid/85070 85070 cpe:2.3:a:apache:struts:2.1.8.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.7:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.14.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.10:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.4:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.16.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.2.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.1.6:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.1.2_beta:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.13:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.1.0:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.2:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.12:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.1.8:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.15:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.1.2:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.12:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.4.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.11.2:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.3:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.1.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.2.1.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.0:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.20:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.14:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.24.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.15.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.16:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.1.4:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.4:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.7:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.1.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.14:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.11:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.14.2:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.11.1:*:*:*:*:*:*:* 
cpe:2.3:a:apache:struts:2.3.24:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.9:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.16.2:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.2.3:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.14.3:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.16.3:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.3:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.1.5:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.1.2:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.8:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.5:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.8:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.15.2:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.6:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.2.3.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.1.3:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.15.3:*:*:*:*:*:*:* CVE-2016-3081 HIGH 9.3 NETWORK MEDIUM NONE COMPLETE COMPLETE COMPLETE HIGH 8.1 NETWORK HIGH NONE NONE UNCHANGED HIGH HIGH HIGH HIGH CWE-77 Apache Struts 2.3.19 to 2.3.20.2, 2.3.21 to 2.3.24.1, and 2.3.25 to 2.3.28, when Dynamic Method Invocation is enabled, allow remote attackers to execute arbitrary code via method: prefix, related to chained expressions. 
CONFIRM https://struts.apache.org/docs/s2-032.html https://struts.apache.org/docs/s2-032.html BID http://www.securityfocus.com/bid/87327 87327 MISC http://www.rapid7.com/db/modules/exploit/multi/http/struts_dmi_exec http://www.rapid7.com/db/modules/exploit/multi/http/struts_dmi_exec CONFIRM http://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html http://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html CONFIRM http://www.huawei.com/en/psirt/security-advisories/huawei-sa-20160527-01-struts2-en http://www.huawei.com/en/psirt/security-advisories/huawei-sa-20160527-01-struts2-en CONFIRM http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html MISC http://packetstormsecurity.com/files/136856/Apache-Struts-2.3.28-Dynamic-Method-Invocation-Remote-Code-Execution.html http://packetstormsecurity.com/files/136856/Apache-Struts-2.3.28-Dynamic-Method-Invocation-Remote-Code-Execution.html MISC http://www.rapid7.com/db/modules/exploit/linux/http/struts_dmi_exec http://www.rapid7.com/db/modules/exploit/linux/http/struts_dmi_exec SECTRACK http://www.securitytracker.com/id/1035665 1035665 EXPLOIT-DB https://www.exploit-db.com/exploits/39756/ 39756 BID http://www.securityfocus.com/bid/91787 91787 cpe:2.3:a:apache:struts:2.1.8.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.7:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.14.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.10:*:*:*:*:*:*:* cpe:2.3:a:oracle:siebel_e-billing:7.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.4:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.16.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.2.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.1.6:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.13:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.1.0:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.2:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.12:*:*:*:*:*:*:* 
cpe:2.3:a:apache:struts:2.1.8:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.15:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.1.2:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.12:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.4.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.11.2:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.3:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.1.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.2.1.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.0:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.20:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.14:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.20.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.24.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.15.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.16:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.1.4:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.4:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.7:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.1.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.14:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.11:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.14.2:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.11.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.24:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.9:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.16.2:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.2.3:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.14.3:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.16.3:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.3:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.1.5:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.1.2:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.8:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.5:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.28:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.8:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.15.2:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.6:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.2.3.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.1.3:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.15.3:*:*:*:*:*:*:* CVE-2016-3082 CRITICAL 10.0 NETWORK LOW NONE COMPLETE 
COMPLETE COMPLETE HIGH 9.8 NETWORK LOW NONE NONE UNCHANGED HIGH HIGH HIGH CRITICAL CWE-20 XSLTResult in Apache Struts 2.x before 2.3.20.2, 2.3.24.x before 2.3.24.2, and 2.3.28.x before 2.3.28.1 allows remote attackers to execute arbitrary code via the stylesheet location parameter. SECTRACK http://www.securitytracker.com/id/1035664 1035664 CONFIRM http://struts.apache.org/docs/s2-031.html http://struts.apache.org/docs/s2-031.html BID http://www.securityfocus.com/bid/88826 88826 cpe:2.3:a:apache:struts:2.1.8.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.7:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.14.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.10:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.4:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.16.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.2.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.1.6:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.13:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.1.0:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.2:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.12:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.1.8:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.15:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.1.2:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.12:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.4.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.11.2:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.3:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.1.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.2.1.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.0:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.20:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.14:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.20.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.24.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.15.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.16:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.1.4:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.4:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.7:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.1.1:*:*:*:*:*:*:* 
cpe:2.3:a:apache:struts:2.3.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.14:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.11:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.14.2:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.11.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.24:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.9:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.16.2:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.2.3:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.14.3:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.16.3:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.3:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.1.5:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.1.2:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.8:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.5:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.28:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.8:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.15.2:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.6:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.2.3.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.1.3:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.15.3:*:*:*:*:*:*:* CVE-2016-3090 HIGH 6.5 NETWORK LOW SINGLE PARTIAL PARTIAL PARTIAL MEDIUM 8.8 NETWORK LOW LOW NONE UNCHANGED HIGH HIGH HIGH HIGH CWE-20 The TextParseUtil.translateVariables method in Apache Struts 2.x before 2.3.20 allows remote attackers to execute arbitrary code via a crafted OGNL expression with ANTLR tooling. 
CONFIRM https://struts.apache.org/docs/s2-027.html https://struts.apache.org/docs/s2-027.html CONFIRM https://security.netapp.com/advisory/ntap-20180629-0005/ https://security.netapp.com/advisory/ntap-20180629-0005/ BID http://www.securityfocus.com/bid/85131 85131 SECTRACK https://www.securitytracker.com/id/1035267 1035267 cpe:2.3:a:apache:struts:2.1.8.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.7:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.14.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.10:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.4:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.16.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.2.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.1.6:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.6:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.17:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.13:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.1.0:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.11:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.2:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.12:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.5:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.1.8:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.15:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.1.2:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.12:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.4.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.11.2:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.3:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.1.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.2.1.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.14:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.13:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.15.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.16:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.10:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.1.7:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.1.4:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.4:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.7:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.1.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.1:*:*:*:*:*:*:* 
cpe:2.3:a:apache:struts:2.3.19:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.14:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.11:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.14.2:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.11.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.9:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.16.2:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.2.3:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.14.3:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.16.3:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.3:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.1.5:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.1.2:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.8:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.5:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.8:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.15.2:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.6:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.2.3.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.1.3:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.9:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.15.3:*:*:*:*:*:*:* CVE-2016-3093 MEDIUM 5.0 NETWORK LOW NONE NONE NONE PARTIAL MEDIUM 5.3 NETWORK LOW NONE NONE UNCHANGED NONE NONE LOW MEDIUM CWE-20 Apache Struts 2.0.0 through 2.3.24.1 does not properly cache method references when used with OGNL before 3.0.12, which allows remote attackers to cause a denial of service (block access to a web site) via unspecified vectors. 
CONFIRM http://struts.apache.org/docs/s2-034.html http://struts.apache.org/docs/s2-034.html CONFIRM http://www-01.ibm.com/support/docview.wss?uid=swg21987854 http://www-01.ibm.com/support/docview.wss?uid=swg21987854 SECTRACK http://www.securitytracker.com/id/1036018 1036018 BID http://www.securityfocus.com/bid/90961 90961 cpe:2.3:a:apache:struts:2.1.8.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.7:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.14.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.10:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.4:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.16.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.2.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.1.6:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.13:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.1.0:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.2:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.12:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.1.8:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.15:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.1.2:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.12:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.4.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.11.2:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.1.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.2.1.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.0:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.20:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.14:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.20.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.24.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.15.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.16:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.1.4:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.4:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.7:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.1.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.14:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.11:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.14.2:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.11.1:*:*:*:*:*:*:* 
cpe:2.3:a:apache:struts:2.3.24:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.9:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.16.2:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.2.3:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.14.3:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.16.3:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.3:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.1.5:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.1.2:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.20.3:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.8:*:*:*:*:*:*:* cpe:2.3:a:ognl_project:ognl:*:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.5:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.8:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.15.2:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.6:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.2.3.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.1.3:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.15.3:*:*:*:*:*:*:* CVE-2016-4003 MEDIUM 4.3 NETWORK MEDIUM NONE NONE NONE NONE MEDIUM 6.1 NETWORK LOW NONE REQUIRED CHANGED LOW LOW NONE MEDIUM CWE-79 Cross-site scripting (XSS) vulnerability in the URLDecoder function in JRE before 1.8, as used in Apache Struts 2.x before 2.3.28, when using a single byte page encoding, allows remote attackers to inject arbitrary web script or HTML via multi-byte characters in a url-encoded parameter. BID http://www.securityfocus.com/bid/86311 86311 CONFIRM http://struts.apache.org/docs/s2-028.html http://struts.apache.org/docs/s2-028.html SECTRACK http://www.securitytracker.com/id/1035268 1035268 CONFIRM https://issues.apache.org/jira/browse/WW-4507 https://issues.apache.org/jira/browse/WW-4507 cpe:2.3:a:apache:struts:*:*:*:*:*:*:*:* CVE-2016-4436 CRITICAL 7.5 NETWORK LOW NONE PARTIAL PARTIAL PARTIAL HIGH 9.8 NETWORK LOW NONE NONE UNCHANGED HIGH HIGH HIGH CRITICAL NVD-CWE-noinfo Apache Struts 2 before 2.3.29 and 2.5.x before 2.5.1 allow attackers to have unspecified impact via vectors related to improper action name clean up. 
BID http://www.securityfocus.com/bid/91280 91280 CONFIRM http://www-01.ibm.com/support/docview.wss?uid=ssg1S1009282 http://www-01.ibm.com/support/docview.wss?uid=ssg1S1009282 CONFIRM http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html CONFIRM https://struts.apache.org/docs/s2-035.html https://struts.apache.org/docs/s2-035.html CONFIRM http://www-01.ibm.com/support/docview.wss?uid=swg21987854 http://www-01.ibm.com/support/docview.wss?uid=swg21987854 cpe:2.3:a:apache:struts:2.1.8.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.7:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.14.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.4:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.5:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.16.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.2.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.1.6:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.5:beta1:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.5:beta2:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.2:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.12:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.1.8:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.15:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.1.2:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.12:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.4.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.11.2:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.3:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.1.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.2.1.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.0:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.20:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.14:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.28.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.20.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.24.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.15.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.16:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.4:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.7:*:*:*:*:*:*:* 
cpe:2.3:a:apache:struts:2.3.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.5:beta3:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.14:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.11:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.14.2:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.11.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.24:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.9:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.16.2:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.2.3:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.14.3:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.16.3:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.3:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.20.3:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.8:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.5:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.28:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.8:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.15.2:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.6:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.24.3:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.2.3.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.15.3:*:*:*:*:*:*:* CVE-2016-4461 HIGH 9.0 NETWORK LOW SINGLE COMPLETE COMPLETE COMPLETE HIGH 8.8 NETWORK LOW LOW NONE UNCHANGED HIGH HIGH HIGH HIGH CWE-20 Apache Struts 2.x before 2.3.29 allows remote attackers to execute arbitrary code via a "%{}" sequence in a tag attribute, aka forced double OGNL evaluation. NOTE: this vulnerability exists because of an incomplete fix for CVE-2016-0785. 
BID http://www.securityfocus.com/bid/91277 91277 CONFIRM https://struts.apache.org/docs/s2-036.html https://struts.apache.org/docs/s2-036.html CONFIRM https://security.netapp.com/advisory/ntap-20180629-0004/ https://security.netapp.com/advisory/ntap-20180629-0004/ cpe:2.3:a:apache:struts:*:*:*:*:*:*:*:* cpe:2.3:a:netapp:oncommand_balance:-:*:*:*:*:*:*:* CVE-2017-12611 CRITICAL 7.5 NETWORK LOW NONE PARTIAL PARTIAL PARTIAL HIGH 9.8 NETWORK LOW NONE NONE UNCHANGED HIGH HIGH HIGH CRITICAL CWE-20 In Apache Struts 2.0.0 through 2.3.33 and 2.5 through 2.5.10.1, using an unintentional expression in a Freemarker tag instead of string literals can lead to a RCE attack. BID http://www.securityfocus.com/bid/100829 100829 CONFIRM https://kb.netapp.com/support/s/article/ka51A000000CgttQAC/NTAP-20170911-0001 https://kb.netapp.com/support/s/article/ka51A000000CgttQAC/NTAP-20170911-0001 CONFIRM http://www.oracle.com/technetwork/security-advisory/alert-cve-2017-9805-3889403.html http://www.oracle.com/technetwork/security-advisory/alert-cve-2017-9805-3889403.html CONFIRM http://www.arubanetworks.com/assets/alert/ARUBA-PSA-2017-003.txt http://www.arubanetworks.com/assets/alert/ARUBA-PSA-2017-003.txt CONFIRM https://struts.apache.org/docs/s2-053.html https://struts.apache.org/docs/s2-053.html cpe:2.3:a:apache:struts:2.1.8.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.7:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.14.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.10:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.31:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.4:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.5:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.16.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.2.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.1.6:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.6:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.17:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.5.6:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.29:*:*:*:*:*:*:* 
cpe:2.3:a:apache:struts:2.5:beta1:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.5:beta2:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.20.2:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.23:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.13:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.1.0:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.11:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.2:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.12:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.5:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.5.8:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.22:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.1.8:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.15:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.1.2:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.12:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.4.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.11.2:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.21:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.5.9:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.3:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.1.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.2.1.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.20:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.14:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.13:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.28.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.20.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.15.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.16:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.10:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.1.4:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.4:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.5.4:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.7:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.1.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.30:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.19:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.5:beta3:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.14:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.5.7:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.5.10:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.11:*:*:*:*:*:*:* 
cpe:2.3:a:apache:struts:2.3.14.2:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.11.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.9:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.16.2:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.2.3:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.14.3:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.16.3:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.3:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.5.2:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.25:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.5.5:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.1.5:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.1.2:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.8:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.5:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.24.2:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.28:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.8:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.33:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.15.2:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.0.6:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.5.3:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.5.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.27:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.24.3:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.2.3.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.1.3:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.26:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.32:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.9:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.15.3:*:*:*:*:*:*:* CVE-2017-5638 CRITICAL 10.0 NETWORK LOW NONE COMPLETE COMPLETE COMPLETE HIGH 10.0 NETWORK LOW NONE NONE CHANGED HIGH HIGH HIGH CRITICAL CWE-20 The Jakarta Multipart parser in Apache Struts 2 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1 has incorrect exception handling and error-message generation during file-upload attempts, which allows remote attackers to execute arbitrary commands via a crafted Content-Type, Content-Disposition, or Content-Length HTTP header, as exploited in the wild in March 2017 with a Content-Type header containing a #cmd= string. 
MISC http://blog.talosintelligence.com/2017/03/apache-0-day-exploited.html http://blog.talosintelligence.com/2017/03/apache-0-day-exploited.html MISC https://twitter.com/theog150/status/841146956135124993 https://twitter.com/theog150/status/841146956135124993 EXPLOIT-DB https://exploit-db.com/exploits/41570 41570 CONFIRM https://git1-us-west.apache.org/repos/asf?p=struts.git;a=commit;h=352306493971e7d5a756d61780d57a76eb1f519a https://git1-us-west.apache.org/repos/asf?p=struts.git;a=commit;h=352306493971e7d5a756d61780d57a76eb1f519a CONFIRM http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html CONFIRM https://git1-us-west.apache.org/repos/asf?p=struts.git;a=commit;h=6b8272ce47160036ed120a48345d9aa884477228 https://git1-us-west.apache.org/repos/asf?p=struts.git;a=commit;h=6b8272ce47160036ed120a48345d9aa884477228 SECTRACK http://www.securitytracker.com/id/1037973 1037973 EXPLOIT-DB https://www.exploit-db.com/exploits/41614/ 41614 CONFIRM https://www.symantec.com/security-center/network-protection-security-advisories/SA145 https://www.symantec.com/security-center/network-protection-security-advisories/SA145 CONFIRM https://support.lenovo.com/us/en/product_security/len-14200 https://support.lenovo.com/us/en/product_security/len-14200 CONFIRM http://www.arubanetworks.com/assets/alert/ARUBA-PSA-2017-002.txt http://www.arubanetworks.com/assets/alert/ARUBA-PSA-2017-002.txt CONFIRM https://h20566.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbgn03749en_us https://h20566.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbgn03749en_us CONFIRM https://cwiki.apache.org/confluence/display/WW/S2-045 https://cwiki.apache.org/confluence/display/WW/S2-045 BID http://www.securityfocus.com/bid/96729 96729 CONFIRM https://cwiki.apache.org/confluence/display/WW/S2-046 https://cwiki.apache.org/confluence/display/WW/S2-046 MISC 
https://www.imperva.com/blog/2017/03/cve-2017-5638-new-remote-code-execution-rce-vulnerability-in-apache-struts-2/ https://www.imperva.com/blog/2017/03/cve-2017-5638-new-remote-code-execution-rce-vulnerability-in-apache-struts-2/ MISC https://github.com/rapid7/metasploit-framework/issues/8064 https://github.com/rapid7/metasploit-framework/issues/8064 CONFIRM https://h20566.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03723en_us https://h20566.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03723en_us CERT-VN https://www.kb.cert.org/vuls/id/834067 VU#834067 MISC https://packetstormsecurity.com/files/141494/S2-45-poc.py.txt https://packetstormsecurity.com/files/141494/S2-45-poc.py.txt MISC https://nmap.org/nsedoc/scripts/http-vuln-cve2017-5638.html https://nmap.org/nsedoc/scripts/http-vuln-cve2017-5638.html MISC https://arstechnica.com/security/2017/03/critical-vulnerability-under-massive-attack-imperils-high-impact-sites/ https://arstechnica.com/security/2017/03/critical-vulnerability-under-massive-attack-imperils-high-impact-sites/ CONFIRM https://security.netapp.com/advisory/ntap-20170310-0001/ https://security.netapp.com/advisory/ntap-20170310-0001/ MISC http://blog.trendmicro.com/trendlabs-security-intelligence/cve-2017-5638-apache-struts-vulnerability-remote-code-execution/ http://blog.trendmicro.com/trendlabs-security-intelligence/cve-2017-5638-apache-struts-vulnerability-remote-code-execution/ MISC https://isc.sans.edu/diary/22169 https://isc.sans.edu/diary/22169 CONFIRM https://struts.apache.org/docs/s2-046.html https://struts.apache.org/docs/s2-046.html MISC https://github.com/mazen160/struts-pwn https://github.com/mazen160/struts-pwn MISC http://www.eweek.com/security/apache-struts-vulnerability-under-attack.html http://www.eweek.com/security/apache-struts-vulnerability-under-attack.html CONFIRM https://h20566.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbgn03733en_us 
https://h20566.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbgn03733en_us CONFIRM https://struts.apache.org/docs/s2-045.html https://struts.apache.org/docs/s2-045.html cpe:2.3:a:apache:struts:2.3.14.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.31:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.5:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.16.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.6:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.17:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.5.6:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.29:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.20.2:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.23:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.11:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.5:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.5.8:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.22:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.15:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.12:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.21:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.5.9:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.20:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.14:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.13:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.28.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.20.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.24.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.15.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.16:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.10:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.5.4:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.7:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.30:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.19:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.5.7:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.5.10:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.14.2:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.24:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.16.2:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.14.3:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.16.3:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.5.2:*:*:*:*:*:*:* 
cpe:2.3:a:apache:struts:2.3.25:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.5.5:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.20.3:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.8:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.24.2:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.28:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.15.2:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.5.3:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.5.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.27:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.24.3:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.26:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.9:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.15.3:*:*:*:*:*:*:* CVE-2017-9787 HIGH 5.0 NETWORK LOW NONE NONE NONE PARTIAL MEDIUM 7.5 NETWORK LOW NONE NONE UNCHANGED NONE NONE HIGH HIGH CWE-284 When using a Spring AOP functionality to secure Struts actions it is possible to perform a DoS attack. Solution is to upgrade to Apache Struts version 2.5.12 or 2.3.33. BID http://www.securityfocus.com/bid/99562 99562 SECTRACK http://www.securitytracker.com/id/1039115 1039115 CONFIRM http://www.oracle.com/technetwork/security-advisory/alert-cve-2017-9805-3889403.html http://www.oracle.com/technetwork/security-advisory/alert-cve-2017-9805-3889403.html MLIST https://lists.apache.org/thread.html/3795c4dd46d9ec75f4a6eb9eca11c11edd3e796c6c1fd7b17b5dc50d@%3Cannouncements.struts.apache.org%3E [announcements] 20170713 Apache Struts 2.5.12 GA with Security Fixes Release CONFIRM https://security.netapp.com/advisory/ntap-20180706-0002/ https://security.netapp.com/advisory/ntap-20180706-0002/ MLIST https://lists.apache.org/thread.html/de3d325f0433cd3b42258b6a302c0d7a72b69eedc1480ed561d3b065@%3Cannouncements.struts.apache.org%3E [announcements] 20170810 [ANN] Apache Struts: S2-049 Security Bulletin update CONFIRM http://struts.apache.org/docs/s2-049.html http://struts.apache.org/docs/s2-049.html cpe:2.3:a:apache:struts:2.3.14.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.31:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.5:*:*:*:*:*:*:* 
cpe:2.3:a:apache:struts:2.3.16.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.17:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.5.6:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.29:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.20.2:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.23:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.11:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.5.8:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.22:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.15:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.12:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.21:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.5.9:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.20:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.14:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.13:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.28.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.20.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.24.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.15.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.16:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.10:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.5.4:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.7:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.30:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.19:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.5.7:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.5.10:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.14.2:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.24:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.16.2:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.14.3:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.16.3:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.5.2:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.25:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.5.5:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.20.3:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.8:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.5.10.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.24.2:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.28:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.15.2:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.5.3:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.5.1:*:*:*:*:*:*:* 
cpe:2.3:a:apache:struts:2.3.27:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.24.3:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.26:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.32:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.9:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.15.3:*:*:*:*:*:*:* CVE-2017-9791 CRITICAL 7.5 NETWORK LOW NONE PARTIAL PARTIAL PARTIAL HIGH 9.8 NETWORK LOW NONE NONE UNCHANGED HIGH HIGH HIGH CRITICAL CWE-20 The Struts 1 plugin in Apache Struts 2.1.x and 2.3.x might allow remote code execution via a malicious field value passed in a raw message to the ActionMessage. BID http://www.securityfocus.com/bid/99484 99484 SECTRACK http://www.securitytracker.com/id/1038838 1038838 EXPLOIT-DB https://www.exploit-db.com/exploits/42324/ 42324 CONFIRM http://www.oracle.com/technetwork/security-advisory/alert-cve-2017-9805-3889403.html http://www.oracle.com/technetwork/security-advisory/alert-cve-2017-9805-3889403.html CONFIRM https://security.netapp.com/advisory/ntap-20180706-0002/ https://security.netapp.com/advisory/ntap-20180706-0002/ EXPLOIT-DB https://www.exploit-db.com/exploits/44643/ 44643 CONFIRM http://struts.apache.org/docs/s2-048.html http://struts.apache.org/docs/s2-048.html cpe:2.3:a:apache:struts:2.3.28.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.20.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.24.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.15.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.16:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.14.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.31:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.4:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.7:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.16.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.30:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.29:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.14.2:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.24:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.16.2:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.14.3:*:*:*:*:*:*:* 
cpe:2.3:a:apache:struts:2.3.16.3:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.20.3:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.15:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.1.2:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.8:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.4.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.28:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.15.2:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.3:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.1.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.12.0:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.24.3:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.20:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.14:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.32:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.15.3:*:*:*:*:*:*:* CVE-2017-9793 HIGH 5.0 NETWORK LOW NONE NONE NONE PARTIAL MEDIUM 7.5 NETWORK LOW NONE NONE UNCHANGED NONE NONE HIGH HIGH CWE-20 The REST Plugin in Apache Struts 2.1.x, 2.3.7 through 2.3.33 and 2.5 through 2.5.12 uses an outdated XStream library which is vulnerable and allows a DoS attack using a malicious request with a specially crafted XML payload. 
BID http://www.securityfocus.com/bid/100611 100611 SECTRACK http://www.securitytracker.com/id/1039262 1039262 CONFIRM http://www.brocade.com/content/dam/common/documents/content-types/security-bulletin/brocade-security-advisory-2017-429.htm http://www.brocade.com/content/dam/common/documents/content-types/security-bulletin/brocade-security-advisory-2017-429.htm CONFIRM https://security.netapp.com/advisory/ntap-20180629-0001/ https://security.netapp.com/advisory/ntap-20180629-0001/ CISCO https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170907-struts2 20170907 Multiple Vulnerabilities in Apache Struts 2 Affecting Cisco Products: September 2017 CONFIRM https://struts.apache.org/docs/s2-051.html https://struts.apache.org/docs/s2-051.html CONFIRM http://www.oracle.com/technetwork/security-advisory/alert-cve-2017-9805-3889403.html http://www.oracle.com/technetwork/security-advisory/alert-cve-2017-9805-3889403.html cpe:2.3:a:apache:struts:2.3.14.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.31:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.5:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.16.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.17:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.5.6:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.29:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.5:beta1:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.5.12:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.5:beta2:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.20.2:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.23:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.11:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.5.8:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.22:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.15:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.12:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.21:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.5.9:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.20:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.14:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.13:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.28.1:*:*:*:*:*:*:* 
cpe:2.3:a:apache:struts:2.3.20.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.15.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.16:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.10:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.5.4:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.7:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.30:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.19:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.5:beta3:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.5.7:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.5.10:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.14.2:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.16.2:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.14.3:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.16.3:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.5.2:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.25:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.5.5:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.8:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.5.10.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.24.2:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.28:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.33:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.15.2:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.5.3:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.5.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.27:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.24.3:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.26:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.32:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.9:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.15.3:*:*:*:*:*:*:* CVE-2017-9804 HIGH 5.0 NETWORK LOW NONE NONE NONE PARTIAL MEDIUM 7.5 NETWORK LOW NONE NONE UNCHANGED NONE NONE HIGH HIGH CWE-399 In Apache Struts 2.3.7 through 2.3.33 and 2.5 through 2.5.12, if an application allows entering a URL in a form field and built-in URLValidator is used, it is possible to prepare a special URL which will be used to overload server process when performing validation of the URL. NOTE: this vulnerability exists because of an incomplete fix for S2-047 / CVE-2017-7672. 
SECTRACK http://www.securitytracker.com/id/1039261 1039261 CONFIRM https://security.netapp.com/advisory/ntap-20180629-0001/ https://security.netapp.com/advisory/ntap-20180629-0001/ CISCO https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170907-struts2 20170907 Multiple Vulnerabilities in Apache Struts 2 Affecting Cisco Products: September 2017 CONFIRM http://www.oracle.com/technetwork/security-advisory/alert-cve-2017-9805-3889403.html http://www.oracle.com/technetwork/security-advisory/alert-cve-2017-9805-3889403.html BID http://www.securityfocus.com/bid/100612 100612 CONFIRM http://www.arubanetworks.com/assets/alert/ARUBA-PSA-2017-003.txt http://www.arubanetworks.com/assets/alert/ARUBA-PSA-2017-003.txt CONFIRM https://struts.apache.org/docs/s2-050.html https://struts.apache.org/docs/s2-050.html cpe:2.3:a:apache:struts:2.3.14.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.31:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.5:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.16.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.17:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.5.6:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.29:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.5:beta1:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.5.12:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.5:beta2:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.20.2:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.23:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.11:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.5.8:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.22:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.15:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.12:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.21:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.5.9:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.20:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.14:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.13:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.28.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.20.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.15.1:*:*:*:*:*:*:* 
cpe:2.3:a:apache:struts:2.3.16:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.10:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.5.4:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.7:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.30:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.19:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.5:beta3:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.5.7:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.5.10:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.14.2:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.16.2:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.14.3:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.16.3:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.5.2:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.25:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.5.5:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.8:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.5.10.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.24.2:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.28:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.33:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.15.2:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.5.3:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.5.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.27:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.24.3:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.26:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.32:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.9:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.15.3:*:*:*:*:*:*:* CVE-2017-9805 HIGH 6.8 NETWORK MEDIUM NONE PARTIAL PARTIAL PARTIAL MEDIUM 8.1 NETWORK HIGH NONE NONE UNCHANGED HIGH HIGH HIGH HIGH CWE-502 The REST Plugin in Apache Struts 2.1.1 through 2.3.x before 2.3.34 and 2.5.x before 2.5.13 uses an XStreamHandler with an instance of XStream for deserialization without any type filtering, which can lead to Remote Code Execution when deserializing XML payloads. 
CONFIRM https://cwiki.apache.org/confluence/display/WW/S2-052 https://cwiki.apache.org/confluence/display/WW/S2-052 MISC https://lgtm.com/blog/apache_struts_CVE-2017-9805 https://lgtm.com/blog/apache_struts_CVE-2017-9805 CONFIRM https://bugzilla.redhat.com/show_bug.cgi?id=1488482 https://bugzilla.redhat.com/show_bug.cgi?id=1488482 CONFIRM https://security.netapp.com/advisory/ntap-20170907-0001/ https://security.netapp.com/advisory/ntap-20170907-0001/ EXPLOIT-DB https://www.exploit-db.com/exploits/42627/ 42627 CONFIRM https://blogs.apache.org/foundation/entry/apache-struts-statement-on-equifax https://blogs.apache.org/foundation/entry/apache-struts-statement-on-equifax CISCO https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170907-struts2 20170907 Multiple Vulnerabilities in Apache Struts 2 Affecting Cisco Products: September 2017 CERT-VN https://www.kb.cert.org/vuls/id/112992 VU#112992 CONFIRM http://www.oracle.com/technetwork/security-advisory/alert-cve-2017-9805-3889403.html http://www.oracle.com/technetwork/security-advisory/alert-cve-2017-9805-3889403.html CONFIRM https://struts.apache.org/docs/s2-052.html https://struts.apache.org/docs/s2-052.html BID http://www.securityfocus.com/bid/100609 100609 SECTRACK http://www.securitytracker.com/id/1039263 1039263 cpe:2.3:a:apache:struts:2.1.8.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.14.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.31:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.16.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.2.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.1.6:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.5.6:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.29:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.5.12:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.5.11:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.5.8:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.1.8:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.15:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.1.2:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.12:*:*:*:*:*:*:* 
cpe:2.3:a:apache:struts:2.3.4.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.5.9:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.3:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.1.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.2.1.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.20:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.14:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.28.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.20.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.24.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.15.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.16:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.1.4:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.4:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.5.4:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.7:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.30:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.5.7:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.5.10:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.14.2:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.24:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.16.2:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.2.3:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.14.3:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.16.3:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.5.2:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.5.5:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.1.5:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.1.2:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.20.3:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.8:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.5.10.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.28:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.33:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.15.2:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.5.3:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.5.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.24.3:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.2.3.1:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.1.3:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.32:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:2.3.15.3:*:*:*:*:*:*:* CVE-2018-11776 HIGH 9.3 NETWORK MEDIUM NONE 
COMPLETE COMPLETE COMPLETE HIGH 8.1 NETWORK HIGH NONE NONE UNCHANGED HIGH HIGH HIGH HIGH CWE-20 Apache Struts versions 2.3 to 2.3.34 and 2.5 to 2.5.16 suffer from possible Remote Code Execution when alwaysSelectFullNamespace is true (set either by the user or by a plugin like the Convention Plugin) and then: results are used with no namespace while, at the same time, their upper package has no namespace or a wildcard namespace; similarly, the same possibility exists when using a url tag which has no value and action set while, at the same time, its upper package has no namespace or a wildcard namespace. SECTRACK http://www.securitytracker.com/id/1041547 1041547 EXPLOIT-DB https://www.exploit-db.com/exploits/45262/ 45262 CONFIRM https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2018-0012 https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2018-0012 BID http://www.securityfocus.com/bid/105125 105125 SECTRACK http://www.securitytracker.com/id/1041888 1041888 CONFIRM http://www.oracle.com/technetwork/security-advisory/alert-cve-2018-11776-5072787.html http://www.oracle.com/technetwork/security-advisory/alert-cve-2018-11776-5072787.html CONFIRM https://security.netapp.com/advisory/ntap-20181018-0002/ https://security.netapp.com/advisory/ntap-20181018-0002/ EXPLOIT-DB https://www.exploit-db.com/exploits/45367/ 45367 CONFIRM https://cwiki.apache.org/confluence/display/WW/S2-057 https://cwiki.apache.org/confluence/display/WW/S2-057 MISC https://github.com/hook-s3c/CVE-2018-11776-Python-PoC https://github.com/hook-s3c/CVE-2018-11776-Python-PoC CONFIRM https://security.netapp.com/advisory/ntap-20180822-0001/ https://security.netapp.com/advisory/ntap-20180822-0001/ CONFIRM http://www.arubanetworks.com/assets/alert/ARUBA-PSA-2018-005.txt http://www.arubanetworks.com/assets/alert/ARUBA-PSA-2018-005.txt CONFIRM http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html CONFIRM 
https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html MISC https://lgtm.com/blog/apache_struts_CVE-2018-11776 https://lgtm.com/blog/apache_struts_CVE-2018-11776 EXPLOIT-DB https://www.exploit-db.com/exploits/45260/ 45260 cpe:2.3:a:apache:struts:*:*:*:*:*:*:*:* cpe:2.3:a:apache:struts:*:*:*:*:*:*:*:* CVE-2018-1327 HIGH 5.0 NETWORK LOW NONE NONE NONE PARTIAL MEDIUM 7.5 NETWORK LOW NONE NONE UNCHANGED NONE NONE HIGH HIGH CWE-20 The Apache Struts REST Plugin uses an XStream library which is vulnerable and allows a DoS attack when using a malicious request with a specially crafted XML payload. Upgrade to Apache Struts version 2.5.16 and switch to an optional Jackson XML handler as described here http://struts.apache.org/plugins/rest/#custom-contenttypehandlers. Another option is to implement a custom XML handler based on the Jackson XML handler from Apache Struts 2.5.16. SECTRACK http://www.securitytracker.com/id/1040575 1040575 MISC https://cwiki.apache.org/confluence/display/WW/S2-056 https://cwiki.apache.org/confluence/display/WW/S2-056 CONFIRM http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html CONFIRM https://security.netapp.com/advisory/ntap-20180330-0001/ https://security.netapp.com/advisory/ntap-20180330-0001/ BID http://www.securityfocus.com/bid/103516 103516 cpe:2.3:a:apache:struts:*:*:*:*:*:*:*:* javax.json-1.0.4.jar /var/lib/jenkins/workspace/test@2/infrastructure/dependency-check/lib/javax.json-1.0.4.jar 569870f975deeeb6691fcb9bc02a9555 3178f73569fd7a1e5ffc464e680f7a8cc784b85a 0e1dec40a1ede965941251eda968aeee052cc4f50378bc316cc48e8159bdbeb4 Default provider for JSR 353:Java API for Processing JSON https://glassfish.java.net/public/CDDL+GPL_1_1.html pom groupid glassfish pom artifactid javax.json Manifest bundle-docurl http://www.oracle.com pom 
parent-groupid org.glassfish jar package name api jar package name json pom parent-artifactid json jar package name javax jar package name glassfish pom url http://jsonp.java.net Manifest extension-name javax.json Manifest bundle-symbolicname org.glassfish.javax.json file name javax.json pom name JSR 353 (JSON Processing) Default Provider pom url http://jsonp.java.net Manifest bundle-docurl http://www.oracle.com Manifest Bundle-Name JSR 353 (JSON Processing) Default Provider jar package name api jar package name json pom parent-groupid org.glassfish jar package name javax jar package name glassfish pom parent-artifactid json pom groupid glassfish Manifest extension-name javax.json pom artifactid javax.json Manifest bundle-symbolicname org.glassfish.javax.json file name javax.json pom name JSR 353 (JSON Processing) Default Provider Manifest Bundle-Version 1.0.4 Manifest Implementation-Version 1.0.4 pom version 1.0.4 file version 1.0.4 pkg:maven/org.glassfish/javax.json@1.0.4 https://ossindex.sonatype.org/component/pkg:maven/org.glassfish/javax.json@1.0.4 pkg:maven/org.glassfish/javax.json@1.0.4 https://ossindex.sonatype.org/component/pkg:maven/org.glassfish/javax.json@1.0.4 hibernate-commons-annotations-4.0.2.Final.jar /var/lib/jenkins/workspace/test@2/target/devsecops/WEB-INF/lib/hibernate-commons-annotations-4.0.2.Final.jar 916d4ddfb26db16da75ee8f973fd08ad 0094edcc5572efb02e123cc9ef7ad7d0fa5f76cf ae6b6708a03a144265ac7bf1def64b18def3b6576a8a52d7a6787d9cf00aa0ec Common reflection code used in support of annotation processing GNU LESSER GENERAL PUBLIC LICENSE: http://www.gnu.org/licenses/lgpl-2.1.html /var/lib/jenkins/workspace/test@2/target/devsecops.war/WEB-INF/lib/hibernate-commons-annotations-4.0.2.Final.jar ae6b6708a03a144265ac7bf1def64b18def3b6576a8a52d7a6787d9cf00aa0ec 0094edcc5572efb02e123cc9ef7ad7d0fa5f76cf 916d4ddfb26db16da75ee8f973fd08ad Manifest implementation-url http://hibernate.org Manifest Implementation-Vendor-Id hibernate.org pom artifactid 
hibernate-commons-annotations jar package name hibernate jar package name reflection Manifest Implementation-Vendor hibernate.org pom groupid hibernate.common pom url http://hibernate.org Manifest bundle-symbolicname org.hibernate.common.hibernate-commons-annotations Manifest bundle-docurl http://hibernate.org pom name Hibernate Commons Annotations pom organization name Hibernate.org jar package name annotations Manifest originally-created-by Apache Maven Bundle Plugin file name hibernate-commons-annotations jar package name common pom organization url http://hibernate.org Manifest implementation-url http://hibernate.org jar package name hibernate jar package name reflection Manifest Implementation-Title Hibernate Commons Annotations pom organization url http://hibernate.org Manifest Bundle-Name Hibernate Commons Annotations pom artifactid hibernate-commons-annotations Manifest bundle-symbolicname org.hibernate.common.hibernate-commons-annotations Manifest bundle-docurl http://hibernate.org pom name Hibernate Commons Annotations pom organization name Hibernate.org pom groupid hibernate.common jar package name annotations Manifest originally-created-by Apache Maven Bundle Plugin file name hibernate-commons-annotations jar package name common pom url http://hibernate.org Manifest Bundle-Version 4.0.2.Final Manifest Implementation-Version 4.0.2.Final pom version 4.0.2.Final pkg:maven/org.hibernate.common/hibernate-commons-annotations@4.0.2.Final https://ossindex.sonatype.org/component/pkg:maven/org.hibernate.common/hibernate-commons-annotations@4.0.2.Final pkg:maven/org.hibernate.common/hibernate-commons-annotations@4.0.2.Final https://ossindex.sonatype.org/component/pkg:maven/org.hibernate.common/hibernate-commons-annotations@4.0.2.Final commons-jcs-core-2.2.1.jar /var/lib/jenkins/workspace/test@2/infrastructure/dependency-check/lib/commons-jcs-core-2.2.1.jar fd41b509c3853faf088e5c340402d609 3ffac1956b0d88fff8adefdf1e68d69cfe296191 
7f98edf1e69b32137a2181722dadd1220f61d184414df17061a0e10e40535a2d Apache Commons JCS is a distributed, versatile caching system. https://www.apache.org/licenses/LICENSE-2.0.txt pom parent-artifactid commons-jcs pom name Apache Commons JCS :: Core Manifest require-capability osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.6))" pom groupid apache.commons Manifest bundle-docurl http://commons.apache.org/proper/commons-jcs/commons-jcs-core/ pom parent-groupid org.apache.commons pom artifactid commons-jcs-core jar package name apache Manifest Implementation-Vendor-Id org.apache Manifest specification-vendor The Apache Software Foundation file name commons-jcs-core Manifest bundle-symbolicname org.apache.commons.commons-jcs-core jar package name commons Manifest implementation-build tags/commons-jcs-2.2.1-RC4/commons-jcs-core@r1838701; 2018-08-23 08:44:59+0000 jar package name jcs Manifest implementation-url http://commons.apache.org/proper/commons-jcs/commons-jcs-core/ Manifest Implementation-Vendor The Apache Software Foundation pom name Apache Commons JCS :: Core Manifest require-capability osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.6))" Manifest bundle-docurl http://commons.apache.org/proper/commons-jcs/commons-jcs-core/ jar package name apache Manifest Bundle-Name Apache Commons JCS :: Core Manifest Implementation-Title Apache Commons JCS :: Core pom artifactid commons-jcs-core Manifest specification-title Apache Commons JCS :: Core file name commons-jcs-core Manifest bundle-symbolicname org.apache.commons.commons-jcs-core jar package name commons pom groupid apache.commons Manifest implementation-build tags/commons-jcs-2.2.1-RC4/commons-jcs-core@r1838701; 2018-08-23 08:44:59+0000 pom parent-groupid org.apache.commons jar package name jcs pom parent-artifactid commons-jcs Manifest implementation-url http://commons.apache.org/proper/commons-jcs/commons-jcs-core/ Manifest Bundle-Version 2.2.1 Manifest Implementation-Version 2.2.1 file version 2.2.1 pom version 2.2.1 
pkg:maven/org.apache.commons/commons-jcs-core@2.2.1 https://ossindex.sonatype.org/component/pkg:maven/org.apache.commons/commons-jcs-core@2.2.1 pkg:maven/org.apache.commons/commons-jcs-core@2.2.1 https://ossindex.sonatype.org/component/pkg:maven/org.apache.commons/commons-jcs-core@2.2.1 freemarker-2.3.19.jar /var/lib/jenkins/workspace/test@2/target/devsecops/WEB-INF/lib/freemarker-2.3.19.jar 03358fb59a2260a0c37f063e2ba58436 a251045e5fadd02824d17f1aa8c412accf1aa1c9 c26923394f3f1cf0427f515ee3bb6be66d1a7f4261e6d6f0504fdec63ab85da8 FreeMarker is a "template engine"; a generic tool to generate text output based on templates. BSD-style license: http://freemarker.org/LICENSE.txt /var/lib/jenkins/workspace/test@2/target/devsecops.war/WEB-INF/lib/freemarker-2.3.19.jar c26923394f3f1cf0427f515ee3bb6be66d1a7f4261e6d6f0504fdec63ab85da8 a251045e5fadd02824d17f1aa8c412accf1aa1c9 03358fb59a2260a0c37f063e2ba58436 pom url http://freemarker.org file name freemarker Manifest extension-name FreeMarker jar package name freemarker central groupid org.freemarker pom artifactid freemarker pom name FreeMarker Manifest specification-vendor Visigoth Software Society jar package name freemarker pom groupid freemarker Manifest Implementation-Vendor Visigoth Software Society file name freemarker jar package name freemarker Manifest extension-name FreeMarker Manifest Implementation-Title VSS Java FreeMarker pom name FreeMarker Manifest specification-title FreeMarker pom groupid freemarker central artifactid freemarker pom url http://freemarker.org pom artifactid freemarker Manifest Implementation-Version 2.3.19 file version 2.3.19 central version 2.3.19 pom version 2.3.19 pkg:maven/org.freemarker/freemarker@2.3.19 https://ossindex.sonatype.org/component/pkg:maven/org.freemarker/freemarker@2.3.19 pkg:maven/org.freemarker/freemarker@2.3.19 https://ossindex.sonatype.org/component/pkg:maven/org.freemarker/freemarker@2.3.19 animal-sniffer-annotations-1.17.jar 
/var/lib/jenkins/workspace/test@2/infrastructure/dependency-check/lib/animal-sniffer-annotations-1.17.jar 7ca108b790cf6ab5dbf5422cc79f0d89 f97ce6decaea32b36101e37979f8b647f00681fb 92654f493ecfec52082e76354f0ebf87648dc3d5cec2e3c3cdb947c016747a53 jar package name animal_sniffer pom artifactid animal-sniffer-annotations jar package name codehaus jar package name mojo jar package name mojo pom parent-groupid org.codehaus.mojo pom groupid codehaus.mojo pom name Animal Sniffer Annotations pom parent-artifactid animal-sniffer-parent file name animal-sniffer-annotations jar package name codehaus pom artifactid animal-sniffer-annotations jar package name animal_sniffer pom parent-artifactid animal-sniffer-parent jar package name ignorejrerequirement pom groupid codehaus.mojo jar package name codehaus jar package name mojo jar package name mojo pom parent-groupid org.codehaus.mojo pom name Animal Sniffer Annotations file name animal-sniffer-annotations pom version 1.17 file version 1.17 pkg:maven/org.codehaus.mojo/animal-sniffer-annotations@1.17 https://ossindex.sonatype.org/component/pkg:maven/org.codehaus.mojo/animal-sniffer-annotations@1.17 pkg:maven/org.codehaus.mojo/animal-sniffer-annotations@1.17 https://ossindex.sonatype.org/component/pkg:maven/org.codehaus.mojo/animal-sniffer-annotations@1.17 bcel-6.2.jar /var/lib/jenkins/workspace/test@2/infrastructure/findsecbugs/lib/bcel-6.2.jar f0b8a17310c039ee51d265228ed89d1c 2c1499b28bf2638cbdb5fa94350d41a46d2bd4e0 d6aff83c840646b922b3658d57898bb5314af4a02d70ebf0f7db8bc46203d72e Apache Commons Bytecode Engineering Library Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt /var/lib/jenkins/workspace/test@2/infrastructure/findsecbugs/archive/lib/bcel-6.2.jar d6aff83c840646b922b3658d57898bb5314af4a02d70ebf0f7db8bc46203d72e 2c1499b28bf2638cbdb5fa94350d41a46d2bd4e0 f0b8a17310c039ee51d265228ed89d1c pom parent-artifactid commons-parent jar package name bcel pom organization url http://www.apache.org/ Manifest 
implementation-url http://commons.apache.org/proper/commons-bcel Manifest bundle-docurl http://commons.apache.org/proper/commons-bcel Manifest Implementation-Vendor-Id org.apache.bcel Manifest require-capability osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.7))" pom parent-groupid org.apache.commons jar package name apache Manifest automatic-module-name org.apache.bcel Manifest specification-vendor The Apache Software Foundation pom groupid apache.bcel pom artifactid bcel Manifest bundle-symbolicname org.apache.bcel pom organization name The Apache Software Foundation pom url http://commons.apache.org/proper/commons-bcel pom name Apache Commons BCEL file name bcel Manifest Implementation-Vendor The Apache Software Foundation pom parent-artifactid commons-parent pom groupid apache.bcel jar package name bcel Manifest implementation-url http://commons.apache.org/proper/commons-bcel Manifest bundle-docurl http://commons.apache.org/proper/commons-bcel pom url http://commons.apache.org/proper/commons-bcel pom organization url http://www.apache.org/ Manifest require-capability osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.7))" Manifest Bundle-Name Apache Commons BCEL jar package name apache Manifest specification-title Apache Commons BCEL Manifest Implementation-Title Apache Commons BCEL Manifest automatic-module-name org.apache.bcel pom parent-groupid org.apache.commons pom organization name The Apache Software Foundation Manifest bundle-symbolicname org.apache.bcel pom artifactid bcel pom name Apache Commons BCEL file name bcel Manifest Implementation-Version 6.2 pom parent-version 6.2 file version 6.2 pom version 6.2 pkg:maven/org.apache.bcel/bcel@6.2 https://ossindex.sonatype.org/component/pkg:maven/org.apache.bcel/bcel@6.2 pkg:maven/org.apache.bcel/bcel@6.2 https://ossindex.sonatype.org/component/pkg:maven/org.apache.bcel/bcel@6.2 annotations-17.0.0.jar /var/lib/jenkins/workspace/test@2/infrastructure/dependency-check/lib/annotations-17.0.0.jar 
7b06437ed47fa7b4a8ec8909f4fb9022 8ceead41f4e71821919dbdb7a9847608f1a938cb 195fb0da046d55bb042e91543484cf1da68b02bb7afbfe031f229e45ac84b3f2 A set of annotations used for code inspection support and code documentation. The Apache Software License, Version 2.0: https://www.apache.org/licenses/LICENSE-2.0.txt file name annotations Manifest automatic-module-name org.jetbrains.annotations pom groupid jetbrains jar package name intellij jar package name annotations jar package name lang pom name JetBrains Java Annotations pom url JetBrains/java-annotations pom artifactid annotations jar package name annotations central groupid org.jetbrains jar package name jetbrains file name annotations Manifest automatic-module-name org.jetbrains.annotations pom name JetBrains Java Annotations jar package name annotations central artifactid annotations jar package name annotations jar package name lang pom groupid jetbrains pom url JetBrains/java-annotations jar package name jetbrains pom artifactid annotations pom version 17.0.0 central version 17.0.0 file version 17.0.0 pkg:maven/org.jetbrains/annotations@17.0.0 https://ossindex.sonatype.org/component/pkg:maven/org.jetbrains/annotations@17.0.0 pkg:maven/org.jetbrains/annotations@17.0.0 https://ossindex.sonatype.org/component/pkg:maven/org.jetbrains/annotations@17.0.0 contact.js /var/lib/jenkins/workspace/test@2/src/main/webapp/js/contact.js 520d4b62598ca9e60024a4e6a0db24fd 71f32466e5e5da2c08f97b2ea85e1282c9805a84 09a9a9eaf863d4942d45c25ea6c5ff145ab46c380d3ed32286c51a6ad8d84cf4 /var/lib/jenkins/workspace/test@2/target/devsecops.war/js/contact.js 09a9a9eaf863d4942d45c25ea6c5ff145ab46c380d3ed32286c51a6ad8d84cf4 71f32466e5e5da2c08f97b2ea85e1282c9805a84 520d4b62598ca9e60024a4e6a0db24fd /var/lib/jenkins/workspace/test@2/target/devsecops/js/contact.js 09a9a9eaf863d4942d45c25ea6c5ff145ab46c380d3ed32286c51a6ad8d84cf4 71f32466e5e5da2c08f97b2ea85e1282c9805a84 520d4b62598ca9e60024a4e6a0db24fd commons-lang3-3.1.jar 
/var/lib/jenkins/workspace/test@2/target/devsecops/WEB-INF/lib/commons-lang3-3.1.jar 71b48e6b3e1b1dc73fe705604b9c7584 905075e6c80f206bbe6cf1e809d2caa69f420c76 131f0519a8e4602e47cf024bfd7e0834bcf5592a7207f9a2fdb711d4f5afc166 Commons Lang, a package of Java utility classes for the classes that are in java.lang's hierarchy, or are considered to be so standard as to justify existence in java.lang. http://www.apache.org/licenses/LICENSE-2.0.txt /var/lib/jenkins/workspace/test@2/target/devsecops.war/WEB-INF/lib/commons-lang3-3.1.jar 131f0519a8e4602e47cf024bfd7e0834bcf5592a7207f9a2fdb711d4f5afc166 905075e6c80f206bbe6cf1e809d2caa69f420c76 71b48e6b3e1b1dc73fe705604b9c7584 file name commons-lang3 pom parent-artifactid commons-parent pom artifactid commons-lang3 pom groupid apache.commons pom parent-groupid org.apache.commons jar package name apache Manifest Implementation-Vendor-Id org.apache Manifest bundle-docurl http://commons.apache.org/lang/ pom url http://commons.apache.org/lang/ Manifest specification-vendor The Apache Software Foundation jar package name commons pom name Commons Lang jar package name lang3 Manifest bundle-symbolicname org.apache.commons.lang3 Manifest Implementation-Vendor The Apache Software Foundation Manifest implementation-build UNKNOWN_BRANCH@r??????; 2011-11-09 22:58:07-0800 pom parent-artifactid commons-parent file name commons-lang3 pom url http://commons.apache.org/lang/ jar package name apache Manifest bundle-docurl http://commons.apache.org/lang/ Manifest Bundle-Name Commons Lang jar package name commons pom groupid apache.commons Manifest Implementation-Title Commons Lang pom parent-groupid org.apache.commons pom name Commons Lang pom artifactid commons-lang3 jar package name lang3 Manifest specification-title Commons Lang Manifest bundle-symbolicname org.apache.commons.lang3 Manifest implementation-build UNKNOWN_BRANCH@r??????; 2011-11-09 22:58:07-0800 pom parent-version 3.1 file version 3.1 pom version 3.1 Manifest 
Implementation-Version 3.1 pkg:maven/org.apache.commons/commons-lang3@3.1 https://ossindex.sonatype.org/component/pkg:maven/org.apache.commons/commons-lang3@3.1 pkg:maven/org.apache.commons/commons-lang3@3.1 https://ossindex.sonatype.org/component/pkg:maven/org.apache.commons/commons-lang3@3.1 joda-time-2.9.9.jar /var/lib/jenkins/workspace/test@2/infrastructure/dependency-check/lib/joda-time-2.9.9.jar eca438c8cc2b1de38e28d884b7f15dbc f7b520c458572890807d143670c9b24f4de90897 b049a43c1057942e6acfbece008e4949b2e35d1658d0c8e06f4485397e2fa4e7 Date and time library to replace JDK date handling Apache 2: http://www.apache.org/licenses/LICENSE-2.0.txt Manifest bundle-docurl http://www.joda.org/joda-time/ pom url http://www.joda.org/joda-time/ Manifest specification-vendor Joda.org pom artifactid joda-time pom organization url http://www.joda.org Manifest extension-name joda-time pom organization name Joda.org file name joda-time jar package name time Manifest Implementation-Vendor-Id org.joda Manifest Implementation-Vendor Joda.org pom name Joda-Time Manifest implementation-url http://www.joda.org/joda-time/ jar package name joda pom groupid joda-time Manifest bundle-symbolicname joda-time Manifest specification-title Joda-Time Manifest bundle-docurl http://www.joda.org/joda-time/ Manifest extension-name joda-time pom organization name Joda.org file name joda-time Manifest Bundle-Name Joda-Time jar package name time Manifest Implementation-Title org.joda.time pom artifactid joda-time pom url http://www.joda.org/joda-time/ pom name Joda-Time pom organization url http://www.joda.org Manifest implementation-url http://www.joda.org/joda-time/ pom groupid joda-time jar package name joda Manifest bundle-symbolicname joda-time file version 2.9.9 pom version 2.9.9 Manifest Bundle-Version 2.9.9 Manifest Implementation-Version 2.9.9 pkg:maven/joda-time/joda-time@2.9.9 https://ossindex.sonatype.org/component/pkg:maven/joda-time/joda-time@2.9.9 pkg:maven/joda-time/joda-time@2.9.9 
https://ossindex.sonatype.org/component/pkg:maven/joda-time/joda-time@2.9.9 mailapi-1.6.2.jar /var/lib/jenkins/workspace/test@2/infrastructure/dependency-check/lib/mailapi-1.6.2.jar b89a9ff8ac681f01dfd06798a008f0af 208b6439dfbe6713c384ebf54ecd62cd4423cc50 d37c0f88efa5973ccb4100f4cc49aee3510cd01ab25012d1f085b1b798ae2ebb JavaMail API (no providers) https://javaee.github.io/javamail/LICENSE Manifest (hint) Implementation-Vendor sun pom parent-artifactid all pom groupid sun.mail Manifest bundle-docurl http://www.oracle.com file name mailapi jar package name mail pom artifactid mailapi jar (hint) package name oracle Manifest Implementation-Vendor-Id com.sun Manifest specification-vendor Oracle Manifest require-capability osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.7))" jar package name javax Manifest extension-name com.sun.mail.mailapi Manifest automatic-module-name java.mail Manifest (hint) specification-vendor sun pom name JavaMail API (no providers) Manifest originally-created-by Apache Maven Bundle Plugin Manifest Implementation-Vendor Oracle Manifest probe-provider-xml-file-names Manifest bundle-symbolicname javax.mail.api jar package name sun pom parent-groupid com.sun.mail pom parent-artifactid all Manifest bundle-docurl http://www.oracle.com file name mailapi jar package name mail Manifest Implementation-Title com.sun.mail.mailapi Manifest require-capability osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.7))" jar package name javax jar package name version pom parent-groupid com.sun.mail pom artifactid mailapi Manifest extension-name com.sun.mail.mailapi Manifest automatic-module-name java.mail Manifest specification-title com.sun.mail.mailapi pom name JavaMail API (no providers) Manifest originally-created-by Apache Maven Bundle Plugin Manifest Bundle-Name JavaMail API (no providers) Manifest probe-provider-xml-file-names Manifest bundle-symbolicname javax.mail.api jar package name sun pom groupid sun.mail file version 1.6.2 Manifest Bundle-Version 1.6.2 
Manifest Implementation-Version 1.6.2 pom version 1.6.2 pkg:maven/com.sun.mail/mailapi@1.6.2 https://ossindex.sonatype.org/component/pkg:maven/com.sun.mail/mailapi@1.6.2 pkg:maven/com.sun.mail/mailapi@1.6.2 https://ossindex.sonatype.org/component/pkg:maven/com.sun.mail/mailapi@1.6.2 h2-1.4.196.jar: data.zip: table.js /var/lib/jenkins/workspace/test@2/infrastructure/dependency-check/lib/h2-1.4.196.jar/org/h2/util/data.zip/org/h2/server/web/res/table.js a914a66de53dcdeb39684f1ce8ce8527 c41ef5fb193ac25622f4e129470339aec24d731a 8c5b079b38e94718bb58a71b0e310bad6c1004670a19c1bc0f63b32fdd81134a h2-1.4.196.jar: data.zip: tree.js /var/lib/jenkins/workspace/test@2/infrastructure/dependency-check/lib/h2-1.4.196.jar/org/h2/util/data.zip/org/h2/server/web/res/tree.js 495277155635a72b0c69f987d938b6e1 446cad47e33a62baf330ee5200646b5ccb9c0df9 14c797bd700570c38e8af1aa50ecea205a385be466ec9431e46dbe586ce7a61c struts2-core-2.3.8.jar: validation.js /var/lib/jenkins/workspace/test@2/target/devsecops/WEB-INF/lib/struts2-core-2.3.8.jar/template/css_xhtml/validation.js 37ed34e2e84c52abfbce27316c5aa5ab 18ad7aa804605489e17b8d32b799005e3887e6d5 513b90f5c49bd6b2296f4bf3484e621d5bf13895ce33eb18fde229c02f332010 /var/lib/jenkins/workspace/test@2/target/devsecops.war/WEB-INF/lib/struts2-core-2.3.8.jar/template/css_xhtml/validation.js 513b90f5c49bd6b2296f4bf3484e621d5bf13895ce33eb18fde229c02f332010 18ad7aa804605489e17b8d32b799005e3887e6d5 37ed34e2e84c52abfbce27316c5aa5ab struts2-core-2.3.8.jar: validation.js /var/lib/jenkins/workspace/test@2/target/devsecops/WEB-INF/lib/struts2-core-2.3.8.jar/template/xhtml/validation.js 5cd9d63907b5b68b3f87c16e30215f96 d1894e98d8f67796dcf1c43940204d044a2e8a53 db3db93404b56482cf98eb6b379f57b154c832ba3f73b1a261e4830951c6d2b3 /var/lib/jenkins/workspace/test@2/target/devsecops.war/WEB-INF/lib/struts2-core-2.3.8.jar/template/xhtml/validation.js db3db93404b56482cf98eb6b379f57b154c832ba3f73b1a261e4830951c6d2b3 d1894e98d8f67796dcf1c43940204d044a2e8a53 
5cd9d63907b5b68b3f87c16e30215f96 struts2-core-2.3.8.jar: webconsole.js /var/lib/jenkins/workspace/test@2/target/devsecops/WEB-INF/lib/struts2-core-2.3.8.jar/org/apache/struts2/interceptor/debugging/webconsole.js d917c7e3dcaadafd7a985de498c4d7ec c6bf9311b8f57ee82d23916e3393f78d608a43c2 b85caebe4fe7f089e0abb0cedfdaeacfce178ba70e13811e09f73e36bd4897ed /var/lib/jenkins/workspace/test@2/target/devsecops.war/WEB-INF/lib/struts2-core-2.3.8.jar/org/apache/struts2/interceptor/debugging/webconsole.js b85caebe4fe7f089e0abb0cedfdaeacfce178ba70e13811e09f73e36bd4897ed c6bf9311b8f57ee82d23916e3393f78d608a43c2 d917c7e3dcaadafd7a985de498c4d7ec struts2-core-2.3.8.jar: utils.js /var/lib/jenkins/workspace/test@2/target/devsecops/WEB-INF/lib/struts2-core-2.3.8.jar/org/apache/struts2/static/utils.js 3c198bb745496d1069014c2f354a76dc c4a636bba8a83b9b3545e631afb8214a28f3d5f9 8a2ddd072cdc7e97d57427ba55b4aba71d7a01925dac2020d2618a2dcedad99c /var/lib/jenkins/workspace/test@2/target/devsecops.war/WEB-INF/lib/struts2-core-2.3.8.jar/org/apache/struts2/static/utils.js 8a2ddd072cdc7e97d57427ba55b4aba71d7a01925dac2020d2618a2dcedad99c c4a636bba8a83b9b3545e631afb8214a28f3d5f9 3c198bb745496d1069014c2f354a76dc struts2-core-2.3.8.jar: domTT.js /var/lib/jenkins/workspace/test@2/target/devsecops/WEB-INF/lib/struts2-core-2.3.8.jar/org/apache/struts2/static/domTT.js 44ed51154c7fa928005f39bbbed7d01a 5584aa1028220f041ff7d89c48e9e8ffeaa05256 60c72fad5a9688fc6a143176d84814b9ea2c4c9c882b4799921b950c415b961e /var/lib/jenkins/workspace/test@2/target/devsecops.war/WEB-INF/lib/struts2-core-2.3.8.jar/org/apache/struts2/static/domTT.js 60c72fad5a9688fc6a143176d84814b9ea2c4c9c882b4799921b950c415b961e 5584aa1028220f041ff7d89c48e9e8ffeaa05256 44ed51154c7fa928005f39bbbed7d01a struts2-core-2.3.8.jar: optiontransferselect.js /var/lib/jenkins/workspace/test@2/target/devsecops/WEB-INF/lib/struts2-core-2.3.8.jar/org/apache/struts2/static/optiontransferselect.js de5f040192eb49fadbfd0f46ab7573df 
1c57bcc13707d9d04e244a7caf3b1cc32d4e6998 c437d3f691f467d25225e4d710b3a7508b8bd4e194607baf8301da306450b02b /var/lib/jenkins/workspace/test@2/target/devsecops.war/WEB-INF/lib/struts2-core-2.3.8.jar/org/apache/struts2/static/optiontransferselect.js c437d3f691f467d25225e4d710b3a7508b8bd4e194607baf8301da306450b02b 1c57bcc13707d9d04e244a7caf3b1cc32d4e6998 de5f040192eb49fadbfd0f46ab7573df struts2-core-2.3.8.jar: inputtransferselect.js /var/lib/jenkins/workspace/test@2/target/devsecops/WEB-INF/lib/struts2-core-2.3.8.jar/org/apache/struts2/static/inputtransferselect.js cb108ba1100f77a6ef02e9e051333508 c6dfa1f3664578a6f65c620ce172bc731d1224e4 53f55339da9ef84edba21df53bd55a975e955e742b24440efc0583447682b0b8 /var/lib/jenkins/workspace/test@2/target/devsecops.war/WEB-INF/lib/struts2-core-2.3.8.jar/org/apache/struts2/static/inputtransferselect.js 53f55339da9ef84edba21df53bd55a975e955e742b24440efc0583447682b0b8 c6dfa1f3664578a6f65c620ce172bc731d1224e4 cb108ba1100f77a6ef02e9e051333508 dependency-check-core-5.2.1.jar: jquery-3.4.1.min.js /var/lib/jenkins/workspace/test@2/infrastructure/dependency-check/lib/dependency-check-core-5.2.1.jar/templates/scripts/jquery-3.4.1.min.js 220afd743d9e9643852e31a135a9f3ae 88523924351bac0b5d560fe0c5781e2556e7693d 0925e8ad7bd971391a8b1e98be8e87a6971919eb5b60c196485941c3c1df089a dependency-check-core-5.2.1.jar: GrokAssembly.zip: System.Reflection.Metadata.dll /var/lib/jenkins/workspace/test@2/infrastructure/dependency-check/lib/dependency-check-core-5.2.1.jar/GrokAssembly.zip/System.Reflection.Metadata.dll 5e6125aa4a7c0ca54f73a9e6833ef404 303d712269ebbaac476f8b6db4472bd2464bd3ce 2e180767f1415cb5bbed14450e1d4003cf56a9da6aeaf91ce969a4b9d2a54314 file name System.Reflection.Metadata file name System.Reflection.Metadata dependency-check-core-5.2.1.jar: GrokAssembly.zip: GrokAssembly.dll /var/lib/jenkins/workspace/test@2/infrastructure/dependency-check/lib/dependency-check-core-5.2.1.jar/GrokAssembly.zip/GrokAssembly.dll 3436d483f09388fe16d1c559dd331574 
31acefe2e2ae79bdea3622385c6af63ae2de18ed 662b0c74b1a87c2ac5861f238a47f08a7c1d2e6ab79ea104baec8680110aba1d file name GrokAssembly file name GrokAssembly dependency-check-core-5.2.1.jar: GrokAssembly.zip: System.Collections.Immutable.dll /var/lib/jenkins/workspace/test@2/infrastructure/dependency-check/lib/dependency-check-core-5.2.1.jar/GrokAssembly.zip/System.Collections.Immutable.dll d8203aedaabeac1e606cd0e2af397d01 eef943e4369166a039dee90f2d81504613d49ca0 2f05a2c489c2d30a6cca346d4ce184323d70eb4f5afa6bed34d5800274444e57 file name System.Collections.Immutable file name System.Collections.Immutable