{
  "vulnerabilities": [
    {
      "name": "CVE-2015-9251",
      "type": "CVE",
      "severity": "medium",
      "score": "4.3",
      "cvss3_severity": "MEDIUM",
      "cvss3_score": "6.1",
      "publishDate": "2018-01-18",
      "lastUpdatedDate": "2020-07-15",
      "scoreMetadataVector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
      "url": "https://vuln.whitesourcesoftware.com/vulnerability/CVE-2015-9251",
      "description": "jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed.",
      "project": "webgoat-container",
      "product": "My Product",
      "cvss3Attributes": {
        "attackVector": "NETWORK",
        "attackComplexity": "LOW",
        "userInteraction": "REQUIRED",
        "privilegesRequired": "NONE",
        "scope": "CHANGED",
        "confidentialityImpact": "LOW",
        "integrityImpact": "LOW",
        "availabilityImpact": "NONE"
      },
      "library": {
        "keyUuid": "b9ed1df8-a84f-4581-8bbf-90c0ac88b4fb",
        "filename": "jquery-2.1.4.min.js",
        "type": "JAVA_SCRIPT_LIBRARY",
        "description": "JavaScript library for DOM operations",
        "sha1": "8258d046f17dd3c15a5d3984e1868b7b5d1db329",
        "name": "jquery",
        "artifactId": "jquery-2.1.4.min.js",
        "version": "2.1.4",
        "groupId": "jquery",
        "architecture": ""
      },
      "topFix": {
        "vulnerability": "CVE-2015-9251",
        "type": "UPGRADE_VERSION",
        "origin": "WHITESOURCE_EXPERT",
        "url": "https://nvd.nist.gov/vuln/detail/CVE-2015-9251",
        "fixResolution": "Upgrade to version jQuery - v3.0.0",
        "date": "2018-01-18 23:29:00",
        "message": "Upgrade to version",
        "extraData": ""
      },
      "allFixes": [
        {
          "vulnerability": "CVE-2015-9251",
          "type": "UPGRADE_VERSION",
          "origin": "WHITESOURCE_EXPERT",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2015-9251",
          "fixResolution": "Upgrade to version jQuery - v3.0.0",
          "date": "2018-01-18 23:29:00",
          "message": "Upgrade to version",
          "extraData": ""
        },
        {
          "vulnerability": "CVE-2015-9251",
          "type": "CHANGE_FILES",
          "origin": "GITHUB_COMMIT",
          "url": "https://github.com/jquery/jquery/commit/b078a62013782c7424a4a61a240c23c4c0b42614#diff-bee4304906ea68bebadfc11be4368419",
          "fixResolution": "Replace or update the following files: script.js, ajax.js, ajax.js",
          "date": "2015-10-12 00:00:00",
          "message": "Ajax: Mitigate possible XSS vulnerability\n\nProposed by @jaubourg\n\nFixes gh-2432\nCloses gh-2588",
          "extraData": "key=b078a62&committerName=markelog&committerUrl=https://github.com/markelog&committerAvatar=https://avatars0.githubusercontent.com/u/945528?v=4"
        },
        {
          "vulnerability": "CVE-2015-9251",
          "type": "CHANGE_FILES",
          "origin": "GITHUB_COMMIT",
          "url": "https://github.com/jquery/jquery/commit/f60729f3903d17917dc351f3ac87794de379b0cc",
          "fixResolution": "Replace or update the following files: script.js, ajax.js",
          "date": "2015-10-12 00:00:00",
          "message": "Ajax: Mitigate possible XSS vulnerability\n\nProposed by @jaubourg\n\nCherry-picked from b078a62013782c7424a4a61a240c23c4c0b42614\nFixes gh-2432\nCloses gh-2588",
          "extraData": "key=f60729f&committerName=markelog&committerUrl=https://github.com/markelog&committerAvatar=https://avatars0.githubusercontent.com/u/945528?v=4"
        }
      ]
    },
    {
      "name": "CVE-2020-11023",
      "type": "CVE",
      "severity": "medium",
      "score": "4.3",
      "cvss3_severity": "MEDIUM",
      "cvss3_score": "6.1",
      "publishDate": "2020-04-29",
      "lastUpdatedDate": "2020-08-13",
      "scoreMetadataVector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
      "url": "https://vuln.whitesourcesoftware.com/vulnerability/CVE-2020-11023",
      "description": "In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing <option> elements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.",
      "project": "webgoat-container",
      "product": "My Product",
      "cvss3Attributes": {
        "attackVector": "NETWORK",
        "attackComplexity": "LOW",
        "userInteraction": "REQUIRED",
        "privilegesRequired": "NONE",
        "scope": "CHANGED",
        "confidentialityImpact": "LOW",
        "integrityImpact": "LOW",
        "availabilityImpact": "NONE"
      },
      "library": {
        "keyUuid": "b9ed1df8-a84f-4581-8bbf-90c0ac88b4fb",
        "filename": "jquery-2.1.4.min.js",
        "type": "JAVA_SCRIPT_LIBRARY",
        "description": "JavaScript library for DOM operations",
        "sha1": "8258d046f17dd3c15a5d3984e1868b7b5d1db329",
        "name": "jquery",
        "artifactId": "jquery-2.1.4.min.js",
        "version": "2.1.4",
        "groupId": "jquery",
        "architecture": ""
      },
      "topFix": {
        "vulnerability": "CVE-2020-11023",
        "type": "UPGRADE_VERSION",
        "origin": "WHITESOURCE_EXPERT",
        "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11023",
        "fixResolution": "Upgrade to version jquery - 3.5.0",
        "date": "2020-04-29 21:15:00",
        "message": "Upgrade to version"
      },
      "allFixes": [
        {
          "vulnerability": "CVE-2020-11023",
          "type": "UPGRADE_VERSION",
          "origin": "WHITESOURCE_EXPERT",
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11023",
          "fixResolution": "Upgrade to version jquery - 3.5.0",
          "date": "2020-04-29 21:15:00",
          "message": "Upgrade to version"
        },
        {
          "vulnerability": "CVE-2020-11023",
          "type": "UPGRADE_VERSION",
          "origin": "GENTOO_SECURITY",
          "url": "https://security.gentoo.org/glsa/202007-03",
          "fixResolution": "All Cacti users should upgrade to the latest version  # emerge --sync\n # emerge --ask --oneshot --verbose >=net-analyzer/cacti-1.2.13\n All Cacti Spine users should upgrade to the latest version  # emerge --sync\n # emerge --ask --oneshot --verbose >=net-analyzer/cacti-spine-1.2.13 >= ",
          "message": "Multiple vulnerabilities have been discovered in Cacti. Please review the CVE identifiers referenced below for details.",
          "extraData": "key=202007-03"
        },
        {
          "vulnerability": "CVE-2020-11023",
          "type": "CHANGE_FILES",
          "origin": "GITHUB_COMMIT",
          "url": "https://github.com/jquery/jquery/commit/1d61fd9407e6fbe82fe55cb0b938307aa0791f77",
          "fixResolution": "Replace or update the following files: offset.js, data.js, attributes.js, deprecated.js, selector.js, traversing.js, css.js, testinit.js, localfile.html, core.js, event.js, effects.js, wrap.js, ajax.js, manipulation.js, manipulation.js, dimensions.js, basic.js",
          "date": "2020-03-16 00:00:00",
          "message": "Manipulation: Make jQuery.htmlPrefilter an identity function\n\nCloses gh-4642\n\n(cherry picked from 90fed4b453a5becdb7f173d9e3c1492390a1441f)",
          "extraData": "key=1d61fd9&committerName=mgol&committerUrl=https://github.com/mgol&committerAvatar=https://avatars0.githubusercontent.com/u/1758366?v=4"
        }
      ]
    },
    {
      "name": "CVE-2020-1745",
      "type": "CVE",
      "severity": "high",
      "score": "7.5",
      "cvss3_severity": "HIGH",
      "cvss3_score": "9.8",
      "publishDate": "2020-04-28",
      "lastUpdatedDate": "2020-07-08",
      "scoreMetadataVector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "url": "https://vuln.whitesourcesoftware.com/vulnerability/CVE-2020-1745",
      "description": "A file inclusion vulnerability was found in the AJP connector enabled with a default AJP configuration port of 8009 in Undertow version 2.0.29.Final and before and was fixed in 2.0.30.Final. A remote, unauthenticated attacker could exploit this vulnerability to read web application files from a vulnerable server. In instances where the vulnerable server allows file uploads, an attacker could upload malicious JavaServer Pages (JSP) code within a variety of file types and trigger this vulnerability to gain remote code execution.",
      "project": "webgoat-container",
      "product": "My Product",
      "cvss3Attributes": {
        "attackVector": "NETWORK",
        "attackComplexity": "LOW",
        "userInteraction": "NONE",
        "privilegesRequired": "NONE",
        "scope": "UNCHANGED",
        "confidentialityImpact": "HIGH",
        "integrityImpact": "HIGH",
        "availabilityImpact": "HIGH"
      },
      "library": {
        "keyUuid": "4cf4465d-3714-4a3c-8622-f7546b4f927f",
        "filename": "undertow-core-2.0.28.Final.jar",
        "type": "MAVEN_ARTIFACT",
        "description": "Undertow",
        "sha1": "688f7a1096534a9fba1150a211b5cf939233f372",
        "name": "Undertow Core",
        "artifactId": "undertow-core",
        "version": "2.0.28.Final",
        "groupId": "io.undertow",
        "architecture": "",
        "languageVersion": ""
      },
      "topFix": {
        "vulnerability": "CVE-2020-1745",
        "type": "UPGRADE_VERSION",
        "origin": "WHITESOURCE_EXPERT",
        "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1745",
        "fixResolution": "Upgrade to version io.undertow:undertow-core:2.0.30.Final",
        "date": "2020-04-28 15:15:00",
        "message": "Upgrade to version"
      }
    }
  ]
}