Dependency-Check is an open source tool performing a best effort analysis of 3rd party dependencies; false positives and false negatives may exist in the analysis performed by the tool. Use of the tool and the reporting provided constitutes acceptance for use in an AS IS condition, and there are NO warranties, implied or otherwise, with regard to the analysis or its use. Any use of the tool and the reporting provided is at the user’s risk. In no event shall the copyright holder or OWASP be held liable for any damages whatsoever arising out of or in connection with the use of this tool, the analysis performed, or the resulting report.


Project: DependencyCheck

Dependency | CPE | GAV | Highest Severity | CVE Count | CPE Confidence | Evidence Count
activation-1.1.jar javax.activation:activation:1.1   0 19
annogen-0.1.0.jar annogen:annogen:0.1.0   0 11
annotations-3.0.1u2.jar com.google.code.findbugs:annotations:3.0.1u2   0 18
ant-1.9.7.jar org.apache.ant:ant:1.9.7   0 19
aopalliance-1.0.jar aopalliance:aopalliance:1.0   0 13
aspectjrt-1.6.5.jar org.aspectj:aspectjrt:1.6.5   0 18
aspectjweaver-1.6.5.jar org.aspectj:aspectjweaver:1.6.5   0 19
binutils/configure   0 4
binutils/configure.ac   0 3
ghostscript/configure.ac cpe:/a:ghostscript:ghostscript:8.62 High 5 HIGHEST 4
readable-code/configure   0 6
readable-code/configure.ac   0 6
axiom-api-1.2.7.jar org.apache.ws.commons.axiom:axiom-api:1.2.7   0 16
axiom-dom-1.2.7.jar org.apache.ws.commons.axiom:axiom-dom:1.2.7   0 16
axiom-impl-1.2.7.jar org.apache.ws.commons.axiom:axiom-impl:1.2.7   0 16
axis-1.4.jar cpe:/a:apache:axis:1.4 axis:axis:1.4 Medium 2 HIGHEST 17
axis2-kernel-1.4.1.jar cpe:/a:apache:axis2:1.4.1 org.apache.axis2:axis2-kernel:1.4.1 High 6 HIGHEST 16
backport-util-concurrent-3.1.jar backport-util-concurrent:backport-util-concurrent:3.1   0 16
bootable-0.1.0.jar org.owasp.testing:bootable:0.1.0   0 9
bootable-0.1.0.jar: lib-0.1.0.jar org.owasp.testing:lib:0.1.0   0 10
ffmpeg\ffmpeg_version.cmake cpe:/a:ffmpeg:ffmpeg:55.18.102 High 3 LOW 3
cmake\cl2cpp.cmake   0 2
cmake\copyAndroidLibs.cmake   0 1
cmake\FindCUDA.cmake   0 1
FindCUDA\make2cmake.cmake   0 2
FindCUDA\parse_cubin.cmake   0 1
FindCUDA\run_nvcc.cmake   0 1
cmake\OpenCVCompilerOptions.cmake   0 1
cmake\OpenCVConfig.cmake   0 1
cmake\OpenCVCRTLinkage.cmake   0 1
cmake\OpenCVDetectAndroidSDK.cmake cpe:/a:android:android_sdk:-   0 LOW 1
cmake\OpenCVDetectApacheAnt.cmake   0 1
cmake\OpenCVDetectCStripes.cmake   0 1
cmake\OpenCVDetectCUDA.cmake   0 1
cmake\OpenCVDetectCXXCompiler.cmake   0 3
cmake\OpenCVDetectDirectX.cmake   0 1
cmake\OpenCVDetectOpenCL.cmake   0 1
cmake\OpenCVDetectPython.cmake cpe:/a:python:python:- High 11 LOW 1
cmake\OpenCVDetectTBB.cmake   0 1
cmake\OpenCVDetectVTK.cmake   0 1
cmake\OpenCVExtraTargets.cmake   0 1
cmake\OpenCVFindIntelPerCSDK.cmake   0 1
cmake\OpenCVFindIPP.cmake   0 1
cmake\OpenCVFindIPPAsync.cmake   0 1
cmake\OpenCVFindLATEX.cmake   0 1
cmake\OpenCVFindLibsGrfmt.cmake   0 1
cmake\OpenCVFindLibsGUI.cmake   0 1
cmake\OpenCVFindLibsPerf.cmake   0 1
cmake\OpenCVFindLibsVideo.cmake   0 1
cmake\OpenCVFindMatlab.cmake   0 1
cmake\OpenCVFindOpenEXR.cmake cpe:/a:openexr:openexr:-   0 LOW 1
cmake\OpenCVFindOpenNI.cmake   0 1
cmake\OpenCVFindOpenNI2.cmake   0 2
cmake\OpenCVFindWebP.cmake   0 1
cmake\OpenCVFindXimea.cmake   0 1
cmake\OpenCVGenABI.cmake   0 1
cmake\OpenCVGenAndroidMK.cmake   0 1
cmake\OpenCVGenConfig.cmake   0 1
cmake\OpenCVGenHeaders.cmake   0 1
cmake\OpenCVGenInfoPlist.cmake   0 1
cmake\OpenCVGenPkgconfig.cmake   0 1
cmake\OpenCVMinDepVersions.cmake   0 1
cmake\OpenCVModule.cmake   0 1
cmake\OpenCVPackaging.cmake   0 1
cmake\OpenCVPCHSupport.cmake   0 1
cmake\OpenCVUtils.cmake   0 1
cmake\OpenCVVersion.cmake   0 1
opencv\CMakeLists.txt   0 2
zlib\CMakeLists.txt   0 2
commons-cli-1.2.jar commons-cli:commons-cli:1.2   0 25
commons-codec-1.2.jar commons-codec:commons-codec:1.2   0 20
commons-collections-3.2.2.jar cpe:/a:apache:commons_collections:3.2.2 commons-collections:commons-collections:3.2.2   0 LOW 28
commons-compress-1.12.jar cpe:/a:apache:commons-compress:1.12 org.apache.commons:commons-compress:1.12   0 LOW 29
commons-fileupload-1.2.1.jar cpe:/a:apache:commons_fileupload:1.2.1 commons-fileupload:commons-fileupload:1.2.1 High 3 HIGHEST 23
commons-httpclient-3.1.jar cpe:/a:apache:commons-httpclient:3.1 cpe:/a:apache:httpclient:3.1 commons-httpclient:commons-httpclient:3.1 Medium 2 LOW 20
commons-io-2.5.jar commons-io:commons-io:2.5   0 28
commons-lang-2.4.jar commons-lang:commons-lang:2.4   0 25
commons-lang3-3.3.2.jar org.apache.commons:commons-lang3:3.3.2   0 26
commons-logging-1.1.1.jar commons-logging:commons-logging:1.1.1   0 21
commons-pool-1.5.3.jar commons-pool:commons-pool:1.5.3   0 25
commons-validator-1.4.0.jar commons-validator:commons-validator:1.4.0   0 26
composer.lock   0 1
daytrader-ear-2.1.7.ear   0 2
daytrader-ear-2.1.7.ear: dt-ejb.jar cpe:/a:apache:geronimo:2.1.7 org.apache.geronimo.daytrader:daytrader-ejb:2.1.7 High 2 HIGHEST 15
daytrader-ear-2.1.7.ear: geronimo-jaxrpc_1.1_spec-2.0.0.jar org.apache.geronimo.specs:geronimo-jaxrpc_1.1_spec:2.0.0   0 18
daytrader-ear-2.1.7.ear: streamer.jar cpe:/a:apache:apache_test:2.1.7 cpe:/a:apache:geronimo:2.1.7 org.apache.geronimo.daytrader:daytrader-streamer:2.1.7 High 2 HIGHEST 17
daytrader-ear-2.1.7.ear: web.war   0 5
daytrader-ear-2.1.7.ear: wsappclient.jar cpe:/a:apache:geronimo:2.1.7 org.apache.geronimo.daytrader:daytrader-wsappclient:2.1.7 High 2 HIGHEST 17
dependency-check-utils-1.4.4-SNAPSHOT.jar org.owasp:dependency-check-utils:1.4.4-SNAPSHOT   0 14
dojo-war-1.3.0.war cpe:/a:dojotoolkit:dojo:1.3 org.dojotoolkit:dojo-war:1.3.0 High 4 HIGHEST 12
dwr.jar cpe:/a:getahead:direct_web_remoting:1.1.1 uk.ltd.getahead:dwr:1.1.1 High 3 HIGHEST 7
ehcache-core-2.2.0.jar net.sf.ehcache:ehcache-core:2.2.0   0 16
FileHelpers.2.0.0.0.nupkg cpe:/a:file:file:2.0.0.0 High 1 LOW 2
FileHelpers.2.0.0.0.nupkg: FileHelpers.nuspec   0 6
FileHelpers.2.0.0.0.nupkg: FileHelpers.dll   0 4
FileHelpers.2.0.0.0.nupkg: FileHelpers.ExcelStorage.dll   0 4
FileHelpers.2.0.0.0.nupkg: Interop.Excel.dll   0 4
FileHelpers.2.0.0.0.nupkg: Interop.Office.dll   0 4
freemarker-2.3.12.jar org.freemarker:freemarker:2.3.12   0 18
geronimo-activation_1.1_spec-1.0.1.jar org.apache.geronimo.specs:geronimo-activation_1.1_spec:1.0.1   0 18
geronimo-javamail_1.4_spec-1.2.jar org.apache.geronimo.specs:geronimo-javamail_1.4_spec:1.2   0 18
geronimo-jms_1.1_spec-1.1.1.jar org.apache.geronimo.specs:geronimo-jms_1.1_spec:1.1.1   0 18
geronimo-jpa_2.0_spec-1.1.jar org.apache.geronimo.specs:geronimo-jpa_2.0_spec:1.1   0 22
geronimo-jta_1.1_spec-1.1.1.jar org.apache.geronimo.specs:geronimo-jta_1.1_spec:1.1.1   0 18
geronimo-stax-api_1.0_spec-1.0.1.jar org.apache.geronimo.specs:geronimo-stax-api_1.0_spec:1.0.1   0 18
guice-3.0.jar com.google.inject:guice:3.0   0 22
h2-1.3.176.jar com.h2database:h2:1.3.176   0 18
hamcrest-core-1.3.jar org.hamcrest:hamcrest-core:1.3   0 17
hazelcast-2.5.jar com.hazelcast:hazelcast:2.5   0 21
hibernate3.jar   0 10
httpcore-4.0-beta1.jar org.apache.httpcomponents:httpcore:4.0-beta1   0 15
httpcore-nio-4.0-beta1.jar org.apache.httpcomponents:httpcore-nio:4.0-beta1   0 15
javax.inject-1.jar javax.inject:javax.inject:1   0 13
javax.json-1.0.4.jar org.glassfish:javax.json:1.0.4   0 20
jaxb-xercesImpl-1.5.jar activesoap:jaxb-xercesImpl:1.5   0 22
jaxen-1.1.1.jar jaxen:jaxen:1.1.1   0 19
jcip-annotations-1.0.jar net.jcip:jcip-annotations:1.0   0 13
jetty-6.1.0.jar cpe:/a:jetty:jetty:6.1.0 cpe:/a:mortbay:jetty:6.1.0 cpe:/a:mortbay_jetty:jetty:6.1 org.mortbay.jetty:jetty:6.1.0 High 10 HIGHEST 14
jmockit-1.24.jar org.jmockit:jmockit:1.24   0 13
jsoup-1.9.2.jar org.jsoup:jsoup:1.9.2   0 17
jsr305-3.0.1.jar com.google.code.findbugs:jsr305:3.0.1   0 15
junit-4.12.jar junit:junit:4.12   0 17
junit4-ant-2.0.13.jar com.carrotsearch.randomizedtesting:junit4-ant:2.0.13   0 15
log4net.2.0.3.nuspec cpe:/a:apache:log4net:2.0.3   0 LOW 7
log4net.dll cpe:/a:apache:log4net:1.2.13.0   0 LOW 5
logback-classic-1.1.7.jar ch.qos.logback:logback-classic:1.1.7   0 19
logback-core-1.1.7.jar ch.qos.logback:logback-core:1.1.7   0 19
lucene-analyzers-common-4.7.2.jar org.apache.lucene:lucene-analyzers-common:4.7.2   0 21
lucene-codecs-4.7.2.jar org.apache.lucene:lucene-codecs:4.7.2   0 21
lucene-core-4.7.2.jar org.apache.lucene:lucene-core:4.7.2   0 20
lucene-queries-4.7.2.jar org.apache.lucene:lucene-queries:4.7.2   0 22
lucene-queryparser-4.7.2.jar org.apache.lucene:lucene-queryparser:4.7.2   0 22
lucene-sandbox-4.7.2.jar org.apache.lucene:lucene-sandbox:4.7.2   0 22
lucene-test-framework-4.7.2.jar cpe:/a:apache:apache_test:4.7.2 org.apache.lucene:lucene-test-framework:4.7.2   0 LOW 20
mail-1.4.jar cpe:/a:sun:javamail:1.4 javax.mail:mail:1.4 Medium 1 LOW 20
mailapi-1.5.6.jar cpe:/a:sun:javamail:1.5.6 com.sun.mail:mailapi:1.5.6 Medium 1 LOW 27
maven-scm-api-1.8.1.jar org.apache.maven.scm:maven-scm-api:1.8.1   0 18
maven-scm-provider-cvs-commons-1.8.1.jar org.apache.maven.scm:maven-scm-provider-cvs-commons:1.8.1   0 18
maven-scm-provider-cvsexe-1.8.1.jar org.apache.maven.scm:maven-scm-provider-cvsexe:1.8.1   0 18
mysql-connector-java-5.1.27-bin.jar cpe:/a:mysql:mysql:5.1.27 High 97 HIGHEST 12
neethi-2.0.4.jar cpe:/a:apache:apache_test:2.0.4 org.apache.neethi:neethi:2.0.4   0 LOW 16
debug/package.json   0 7
shelljs/package.json   0 7
dns-sync/package.json cpe:/a:dns-sync_project:dns-sync:0.1.0::~~~node.js~~ High 1 HIGHEST 6
ognl-2.6.11.jar opensymphony:ognl:2.6.11   0 12
openjpa-2.0.1.jar cpe:/a:apache:openjpa:2.0.1 org.apache.openjpa:openjpa:2.0.1 High 1 HIGHEST 22
openssl\opensslv.h cpe:/a:openssl:openssl:1.0.2c High 33 HIGH 4
org.mortbay.jetty.jar cpe:/a:jetty:jetty:4.2.27 cpe:/a:mortbay:jetty:4.2.27 cpe:/a:mortbay_jetty:jetty:4.2.27 jetty:jetty:4.2.27 Medium 5 HIGHEST 19
org.mortbay.jmx.jar   0 3
plexus-utils-3.0.7.jar org.codehaus.plexus:plexus-utils:3.0.7   0 17
EggTest-0.0.1-py2.7.egg   0 7
Django-1.7.2-py2.py3-none-any.whl cpe:/a:django_project:django:1.7.2 cpe:/a:djangoproject:django:1.7.2 High 14 HIGHEST 7
eggtest/__init__.py   0 6
Django-1.7.2.dist-info/METADATA cpe:/a:django_project:django:1.7.2   0 LOW 6
django/__init__.py   0 1
EGG-INFO/PKG-INFO   0 6
randomizedtesting-runner-2.0.13.jar com.carrotsearch.randomizedtesting:randomizedtesting-runner:2.0.13   0 17
regexp-1.3.jar regexp:regexp:1.3   0 10
Gemfile.lock   0 1
dalli-2.7.5.gemspec   0 10
Gemfile.lock   0 1
activerecord-oracle_enhanced-adapter-1.1.7.gemspec   0 9
serp-1.13.1.jar net.sourceforge.serp:serp:1.13.1   0 13
servlet-api-2.5.jar cpe:/a:sun:one_application_server:2.5 javax.servlet:servlet-api:2.5 Medium 3 LOW 16
slf4j-api-1.7.21.jar org.slf4j:slf4j-api:1.7.21   0 20
spring-aop-3.0.0.RELEASE.jar org.springframework:spring-aop:3.0.0.RELEASE   0 19
spring-asm-3.0.0.RELEASE.jar org.springframework:spring-asm:3.0.0.RELEASE   0 19
spring-core-2.5.5.jar cpe:/a:pivotal:spring_framework:2.5.5 cpe:/a:pivotal_software:spring_framework:2.5.5 cpe:/a:springsource:spring_framework:2.5.5 cpe:/a:vmware:springsource_spring_framework:2.5.5 org.springframework:spring-core:2.5.5 High 7 HIGHEST 26
spring-core-3.0.0.RELEASE.jar cpe:/a:pivotal:spring_framework:3.0.0 cpe:/a:pivotal_software:spring_framework:3.0.0 cpe:/a:springsource:spring_framework:3.0.0 cpe:/a:vmware:springsource_spring_framework:3.0.0 org.springframework:spring-core:3.0.0.RELEASE High 8 HIGHEST 23
spring-expression-3.0.0.RELEASE.jar org.springframework:spring-expression:3.0.0.RELEASE   0 19
spring-retry-1.1.0.RELEASE.jar org.springframework.retry:spring-retry:1.1.0.RELEASE   0 14
spring-security-core-3.0.0.RELEASE.jar cpe:/a:vmware:springsource_spring_security:3.0.0 org.springframework.security:spring-security-core:3.0.0.RELEASE Medium 5 HIGHEST 17
spring-security-web-3.0.0.RELEASE.jar org.springframework.security:spring-security-web:3.0.0.RELEASE   0 14
spring-tx-3.0.0.RELEASE.jar org.springframework:spring-tx:3.0.0.RELEASE   0 18
stagedhttp-modified.tar: commons-httpclient-2.0.jar cpe:/a:apache:commons-httpclient:2.0 cpe:/a:apache:httpclient:2.0 commons-httpclient:commons-httpclient:2.0 Medium 2 LOW 17
stagedhttp-modified.tar: commons-logging.jar commons-logging:commons-logging:1.0.3   0 18
stagedhttp-modified.tar: dom4j.jar dom4j:dom4j:1.4   0 14
stagedhttp-modified.tar: jgroups-all.jar jgroups:jgroups-all:2.2.7   0 8
stagedhttp-modified.tar: log4j.jar   0 7
stagedhttp-modified.tar: mail.jar cpe:/a:sun:javamail:1.3.2 Medium 3 HIGH 11
stagedhttp-modified.tar: serializer.jar   0 11
stagedhttp-modified.tar: xalan.jar cpe:/a:apache:xalan-java:2.7.0 High 1 MEDIUM 28
stagedhttp-modified.tar: xmlsec-1.3.0.jar org.codehaus.xfire:xmlsec:1.3.0   0 21
stagedhttp-modified.tar: xss4j.jar   0 4
struts.jar cpe:/a:apache:struts:1.2.7 struts:struts:1.2.7 High 10 HIGHEST 20
struts2-core-2.1.2.jar cpe:/a:apache:struts:2.1.2 org.apache.struts:struts2-core:2.1.2 High 32 HIGHEST 16
EasyPeasy.podspec   0 7
Gloss.podspec   0 8
uber-1.0-SNAPSHOT.jar   0 2
velocity-1.7.jar org.apache.velocity:velocity:1.7   0 27
war-4.0.war org.glassfish.main.admingui:war:4.0   0 9
war-4.0.war: commons-fileupload-1.1.1.jar cpe:/a:apache:commons_fileupload:1.1.1 commons-fileupload:commons-fileupload:1.1.1 High 3 HIGHEST 22
war-4.0.war: commons-io-1.3.1.jar commons-io:commons-io:1.3.1   0 22
war-4.0.war: dojo-ajax-nodemo-0.4.1.jar cpe:/a:sun:woodstock:0.4.1 com.sun.woodstock.dependlibs:dojo-ajax-nodemo:0.4.1   0 LOW 8
war-4.0.war: json-1.0.jar cpe:/a:sun:woodstock:1.0 com.sun.woodstock.dependlibs:json:1.0   0 LOW 9
war-4.0.war: prototype-1.5.0.jar cpe:/a:sun:woodstock:1.5.0 com.sun.woodstock.dependlibs:prototype:1.5.0   0 LOW 8
war-4.0.war: webui-jsf-4.0.2.10.jar com.sun.woodstock:webui-jsf:4.0.2.10   0 22
war-4.0.war: webui-jsf-suntheme-4.0.2.10.jar com.sun.woodstock:webui-jsf-suntheme:4.0.2.10   0 18
war-4.0.war: console-core-4.0.jar org.glassfish.main.admingui:console-core:4.0   0 15
woden-api-1.0M8.jar org.apache.woden:woden-api:1.0M8   0 16
woden-impl-dom-1.0M8.jar org.apache.woden:woden-impl-dom:1.0M8   0 16
wsdl4j-1.6.2.jar wsdl4j:wsdl4j:1.6.2   0 19
wstx-asl-3.2.4.jar org.codehaus.woodstox:wstx-asl:3.2.4   0 20
xalan-2.7.0.jar cpe:/a:apache:xalan-java:2.7.0 xalan:xalan:2.7.0 High 1 HIGHEST 28
xercesImpl-2.8.1.jar xerces:xercesImpl:2.8.1   0 55
xml-apis-1.0.b2.jar xml-apis:xml-apis:1.0.b2   0 35
xmlParserAPIs-2.6.0.jar xerces:xmlParserAPIs:2.6.0   0 31
xmlpull-1.1.3.1.jar xmlpull:xmlpull:1.1.3.1   0 12
XmlSchema-1.4.2.jar org.apache.ws.commons.schema:XmlSchema:1.4.2   0 17
xpp3_min-1.1.4c.jar xpp3:xpp3_min:1.1.4c   0 14
xstream-1.4.8.jar cpe:/a:x-stream:xstream:1.4.8 com.thoughtworks.xstream:xstream:1.4.8 Medium 1 HIGHEST 27
xwork-2.1.1.jar cpe:/a:opensymphony:xwork:2.1.1 com.opensymphony:xwork:2.1.1 Medium 3 HIGHEST 14
hibernate3.jar\META-INF/maven/org.hibernate/hibernate-core/pom.xml org.hibernate:hibernate-core:3.6.6.Final   0 7
junit4-ant-2.0.13.jar\META-INF/maven/com.google.guava/guava/pom.xml com.google.guava:guava:14.0.1   0 7
hibernate3.jar\META-INF/maven/org.hibernate/hibernate-commons-annotations/pom.xml org.hibernate:hibernate-commons-annotations:3.2.0.Final   0 7
hibernate3.jar\META-INF/maven/org.hibernate/hibernate-ehcache/pom.xml org.hibernate:hibernate-ehcache:3.6.6.Final   0 7
uber-1.0-SNAPSHOT.jar\META-INF/maven/org.owasp.dependency-check/uber/pom.xml org.owasp.dependency-check:uber:1.0-SNAPSHOT   0 5
junit4-ant-2.0.13.jar\META-INF/maven/commons-io/commons-io/pom.xml commons-io:commons-io:2.3   0 9
junit4-ant-2.0.13.jar\META-INF/maven/org.simpleframework/simple-xml/pom.xml org.simpleframework:simple-xml:2.6.2   0 6
hibernate3.jar\META-INF/maven/org.hibernate/hibernate-jbosscache/pom.xml org.hibernate:hibernate-jbosscache:3.6.6.Final   0 7
hibernate3.jar\META-INF/maven/org.hibernate/hibernate-infinispan/pom.xml org.hibernate:hibernate-infinispan:3.6.6.Final   0 7
hibernate3.jar\META-INF/maven/org.hibernate/hibernate-testing/pom.xml org.hibernate:hibernate-testing:3.6.6.Final   0 7
hibernate3.jar\META-INF/maven/org.hibernate/hibernate-oscache/pom.xml org.hibernate:hibernate-oscache:3.6.6.Final   0 7
hibernate3.jar\META-INF/maven/org.hibernate/hibernate-swarmcache/pom.xml org.hibernate:hibernate-swarmcache:3.6.6.Final   0 7
hibernate3.jar\META-INF/maven/org.hibernate/hibernate-c3p0/pom.xml org.hibernate:hibernate-c3p0:3.6.6.Final   0 7
hibernate3.jar\META-INF/maven/org.hibernate/hibernate-proxool/pom.xml org.hibernate:hibernate-proxool:3.6.6.Final   0 7
hibernate3.jar\META-INF/maven/org.hibernate/hibernate-entitymanager/pom.xml org.hibernate:hibernate-entitymanager:3.6.6.Final   0 7
hibernate3.jar\META-INF/maven/org.hibernate/hibernate-envers/pom.xml org.hibernate:hibernate-envers:3.6.6.Final   0 7
uber-1.0-SNAPSHOT.jar\META-INF/maven/commons-io/commons-io/pom.xml commons-io:commons-io:1.3.2   0 9
uber-1.0-SNAPSHOT.jar\META-INF/maven/com.yammer.dropwizard/dropwizard-core/pom.xml com.yammer.dropwizard:dropwizard-core:0.1.3   0 6
uber-1.0-SNAPSHOT.jar\META-INF/maven/com.sun.jersey/jersey-core/pom.xml com.sun.jersey:jersey-core:1.11   0 6
uber-1.0-SNAPSHOT.jar\META-INF/maven/com.sun.jersey/jersey-server/pom.xml com.sun.jersey:jersey-server:1.11   0 6
uber-1.0-SNAPSHOT.jar\META-INF/maven/com.sun.jersey/jersey-servlet/pom.xml com.sun.jersey:jersey-servlet:1.11   0 6
uber-1.0-SNAPSHOT.jar\META-INF/maven/com.yammer.metrics/metrics-core/pom.xml com.yammer.metrics:metrics-core:2.0.0-RC0   0 6
uber-1.0-SNAPSHOT.jar\META-INF/maven/com.yammer.metrics/metrics-servlet/pom.xml com.yammer.metrics:metrics-servlet:2.0.0-RC0   0 6
uber-1.0-SNAPSHOT.jar\META-INF/maven/com.yammer.metrics/metrics-jetty/pom.xml cpe:/a:jetty:jetty:2.0.0.rc0 com.yammer.metrics:metrics-jetty:2.0.0-RC0   0 LOW 6
uber-1.0-SNAPSHOT.jar\META-INF/maven/com.yammer.metrics/metrics-log4j/pom.xml com.yammer.metrics:metrics-log4j:2.0.0-RC0   0 6
uber-1.0-SNAPSHOT.jar\META-INF/maven/log4j/log4j/pom.xml log4j:log4j:1.2.16   0 7
uber-1.0-SNAPSHOT.jar\META-INF/maven/com.yammer.metrics/metrics-jersey/pom.xml com.yammer.metrics:metrics-jersey:2.0.0-RC0   0 7
uber-1.0-SNAPSHOT.jar\META-INF/maven/com.yammer.metrics/metrics-annotation/pom.xml com.yammer.metrics:metrics-annotation:2.0.0-RC0   0 7
uber-1.0-SNAPSHOT.jar\META-INF/maven/org.slf4j/slf4j-api/pom.xml org.slf4j:slf4j-api:1.6.4   0 8
uber-1.0-SNAPSHOT.jar\META-INF/maven/org.slf4j/slf4j-log4j12/pom.xml org.slf4j:slf4j-log4j12:1.6.4   0 8
uber-1.0-SNAPSHOT.jar\META-INF/maven/org.slf4j/jul-to-slf4j/pom.xml org.slf4j:jul-to-slf4j:1.6.4   0 8
uber-1.0-SNAPSHOT.jar\META-INF/maven/org.eclipse.jetty/jetty-server/pom.xml cpe:/a:jetty:jetty:7.6.0.rc4 org.eclipse.jetty:jetty-server:7.6.0.RC4   0 LOW 8
uber-1.0-SNAPSHOT.jar\META-INF/maven/org.eclipse.jetty/jetty-continuation/pom.xml cpe:/a:jetty:jetty:7.6.0.rc4 org.eclipse.jetty:jetty-continuation:7.6.0.RC4   0 LOW 7
uber-1.0-SNAPSHOT.jar\META-INF/maven/org.eclipse.jetty/jetty-servlet/pom.xml cpe:/a:jetty:jetty:7.6.0.rc4 org.eclipse.jetty:jetty-servlet:7.6.0.RC4   0 LOW 7
uber-1.0-SNAPSHOT.jar\META-INF/maven/org.eclipse.jetty/jetty-security/pom.xml cpe:/a:jetty:jetty:7.6.0.rc4 org.eclipse.jetty:jetty-security:7.6.0.RC4   0 LOW 7
uber-1.0-SNAPSHOT.jar\META-INF/maven/org.eclipse.jetty/jetty-http/pom.xml cpe:/a:jetty:jetty:7.6.0.rc4 org.eclipse.jetty:jetty-http:7.6.0.RC4   0 LOW 6
uber-1.0-SNAPSHOT.jar\META-INF/maven/org.eclipse.jetty/jetty-io/pom.xml org.eclipse.jetty:jetty-io:7.6.0.RC4   0 6
uber-1.0-SNAPSHOT.jar\META-INF/maven/org.eclipse.jetty/jetty-util/pom.xml cpe:/a:jetty:jetty:7.6.0.rc4 org.eclipse.jetty:jetty-util:7.6.0.RC4   0 LOW 7
uber-1.0-SNAPSHOT.jar\META-INF/maven/com.google.guava/guava/pom.xml com.google.guava:guava:11.0.1   0 7
uber-1.0-SNAPSHOT.jar\META-INF/maven/org.hibernate/hibernate-validator/pom.xml cpe:/a:hibernate:hibernate_validator:4.2.0 org.hibernate:hibernate-validator:4.2.0.Final Medium 1 HIGHEST 7
uber-1.0-SNAPSHOT.jar\META-INF/maven/com.googlecode.jtype/jtype/pom.xml com.googlecode.jtype:jtype:0.1.1   0 6
uber-1.0-SNAPSHOT.jar\META-INF/maven/javax.validation/validation-api/pom.xml javax.validation:validation-api:1.0.0.GA   0 5
uber-1.0-SNAPSHOT.jar\META-INF/maven/org.yaml/snakeyaml/pom.xml org.yaml:snakeyaml:1.9   0 6
ffmpeg\ffmpeg_version.cmake:libavformat   0 2
ffmpeg\ffmpeg_version.cmake:libavutil   0 2
ffmpeg\ffmpeg_version.cmake:libswscale   0 2
ffmpeg\ffmpeg_version.cmake:libavresample   0 2
composer.lock:classpreloader/classpreloader   0 3
composer.lock:danielstjules/stringy   0 3
composer.lock:dnoegel/php-xdg-base-dir   0 3
composer.lock:doctrine/inflector   0 3
composer.lock:jakub-onderka/php-console-color   0 3
composer.lock:jakub-onderka/php-console-highlighter   0 3
composer.lock:jeremeamia/SuperClosure   0 3
composer.lock:laravel/framework   0 3
composer.lock:laravel/laravel   0 3
composer.lock:league/flysystem   0 3
composer.lock:monolog/monolog   0 3
composer.lock:mtdowling/cron-expression   0 3
composer.lock:nesbot/carbon   0 3
composer.lock:nikic/php-parser   0 3
composer.lock:psr/log   0 3
composer.lock:psy/psysh   0 3
composer.lock:swiftmailer/swiftmailer   0 3
composer.lock:symfony/console   0 4
composer.lock:symfony/css-selector   0 4
composer.lock:symfony/debug   0 4
composer.lock:symfony/dom-crawler   0 4
composer.lock:symfony/event-dispatcher   0 4
composer.lock:symfony/finder   0 4
composer.lock:symfony/http-foundation   0 4
composer.lock:symfony/http-kernel   0 4
composer.lock:symfony/process   0 4
composer.lock:symfony/routing   0 4
composer.lock:symfony/translation   0 4
composer.lock:symfony/var-dumper   0 4
composer.lock:vlucas/phpdotenv   0 3

Dependencies

activation-1.1.jar

Description:  JavaBeans Activation Framework (JAF) is a standard extension to the Java platform that lets you take advantage of standard services to: determine the type of an arbitrary piece of data; encapsulate access to it; discover the operations available on it; and instantiate the appropriate bean to perform the operation(s).

License:

Common Development and Distribution License (CDDL) v1.0: https://glassfish.dev.java.net/public/CDDLv1.0.html
File Path: C:\Users\jerem\projects\DependencyCheck\dependency-check-core\target\test-classes\activation-1.1.jar
MD5: 8ae38e87cd4f86059c0294a8fe3e0b18
SHA1: e6cb541461c2834bdea3eb920f1884d1eb508b50

Identifiers

annogen-0.1.0.jar

File Path: C:\Users\jerem\projects\DependencyCheck\dependency-check-core\target\test-classes\annogen-0.1.0.jar
MD5: ff275c3491ac6715ad9f6c22a9660503
SHA1: a8de34ea7aa93765d24dc16ec9c61af5160bb899

Identifiers

annotations-3.0.1u2.jar

Description: Annotation the FindBugs tool supports

License:

GNU Lesser Public License: http://www.gnu.org/licenses/lgpl.html
File Path: C:\Users\jerem\projects\DependencyCheck\dependency-check-core\target\test-classes\annotations-3.0.1u2.jar
MD5: 4242c4e6b7719eeb3f91d3fe4c7af12c
SHA1: 89a670596c98e416fb2583c08ae34cc5c3ce2097

Identifiers

ant-1.9.7.jar

File Path: C:\Users\jerem\projects\DependencyCheck\dependency-check-core\target\test-classes\ant-1.9.7.jar
MD5: a14502c25ee6bc76c4614315845b29e9
SHA1: 3b2a10512ee6537d3852c9b693a0284dcab5de68

Identifiers

aopalliance-1.0.jar

Description: AOP Alliance

License:

Public Domain
File Path: C:\Users\jerem\projects\DependencyCheck\dependency-check-core\target\test-classes\aopalliance-1.0.jar
MD5: 04177054e180d09e3998808efa0401c7
SHA1: 0235ba8b489512805ac13a8f9ea77a1ca5ebe3e8

Identifiers

aspectjrt-1.6.5.jar

Description: The runtime needed to execute a program using AspectJ

License:

Eclipse Public License - v 1.0: http://www.eclipse.org/legal/epl-v10.html
File Path: C:\Users\jerem\projects\DependencyCheck\dependency-check-core\target\test-classes\aspectjrt-1.6.5.jar
MD5: 71d9982a11bf94ac21221e2f052f3869
SHA1: d35f32a63eb823dc2dffc7ee6fdb8e00a680d114

Identifiers

aspectjweaver-1.6.5.jar

Description: The AspectJ weaver introduces advices to java classes

License:

Eclipse Public License - v 1.0: http://www.eclipse.org/legal/epl-v10.html
File Path: C:\Users\jerem\projects\DependencyCheck\dependency-check-core\target\test-classes\aspectjweaver-1.6.5.jar
MD5: 2fa7d0e921c46245d0e1b39f3ac365f5
SHA1: 3ead0550dc9e2e0a5abd0fdb3116e636b59e4dc4

Identifiers

binutils/configure

File Path: C:\Users\jerem\projects\DependencyCheck\dependency-check-core\target\test-classes\autoconf\binutils\configure
MD5: 87ef7e524d4c3190c297ce64df0e600e
SHA1: ed33427ceee41faa5e69fb89452cd69318e3723a

Identifiers

  • None

binutils/configure.ac

File Path: C:\Users\jerem\projects\DependencyCheck\dependency-check-core\target\test-classes\autoconf\binutils\configure.ac
MD5: 1982a659f09482b4eabbf19a000822fa
SHA1: 4dd69b029c1e0ebd8a087f0ef14742e83708b79a

Identifiers

  • None

ghostscript/configure.ac

File Path: C:\Users\jerem\projects\DependencyCheck\dependency-check-core\target\test-classes\autoconf\ghostscript\configure.ac
MD5: a7e8bdc5c0dab93d042e822130b8cfc9
SHA1: 94d7acda832dc53ab91892dcdd4b1ac9fc191e75

Identifiers

CVE-2009-0792  

Severity: High
CVSS Score: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)
CWE: CWE-189 Numeric Errors

Multiple integer overflows in icc.c in the International Color Consortium (ICC) Format library (aka icclib), as used in Ghostscript 8.64 and earlier and Argyll Color Management System (CMS) 1.0.3 and earlier, allow context-dependent attackers to cause a denial of service (heap-based buffer overflow and application crash) or possibly execute arbitrary code by using a device file for a translation request that operates on a crafted image file and targets a certain "native color space," related to an ICC profile in a (1) PostScript or (2) PDF file with embedded images. NOTE: this issue exists because of an incomplete fix for CVE-2009-0583.

Vulnerable Software & Versions:

CVE-2009-0584  

Severity: High
CVSS Score: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)
CWE: CWE-189 Numeric Errors

icc.c in the International Color Consortium (ICC) Format library (aka icclib), as used in Ghostscript 8.64 and earlier and Argyll Color Management System (CMS) 1.0.3 and earlier, allows context-dependent attackers to cause a denial of service (application crash) or possibly execute arbitrary code by using a device file for processing a crafted image file associated with large integer values for certain sizes, related to an ICC profile in a (1) PostScript or (2) PDF file with embedded images.

Vulnerable Software & Versions:

CVE-2009-0583  

Severity: High
CVSS Score: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)
CWE: CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer

Multiple integer overflows in icc.c in the International Color Consortium (ICC) Format library (aka icclib), as used in Ghostscript 8.64 and earlier and Argyll Color Management System (CMS) 1.0.3 and earlier, allow context-dependent attackers to cause a denial of service (heap-based buffer overflow and application crash) or possibly execute arbitrary code by using a device file for a translation request that operates on a crafted image file and targets a certain "native color space," related to an ICC profile in a (1) PostScript or (2) PDF file with embedded images.

Vulnerable Software & Versions:

CVE-2009-0196  

Severity: High
CVSS Score: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)
CWE: CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer

Heap-based buffer overflow in the big2_decode_symbol_dict function (jbig2_symbol_dict.c) in the JBIG2 decoding library (jbig2dec) in Ghostscript 8.64, and probably earlier versions, allows remote attackers to execute arbitrary code via a PDF file with a JBIG2 symbol dictionary segment with a large run length value.

Vulnerable Software & Versions:

CVE-2008-6679  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer

Buffer overflow in the BaseFont writer module in Ghostscript 8.62, and possibly other versions, allows remote attackers to cause a denial of service (ps2pdf crash) and possibly execute arbitrary code via a crafted Postscript file.

Vulnerable Software & Versions:

readable-code/configure

File Path: C:\Users\jerem\projects\DependencyCheck\dependency-check-core\target\test-classes\autoconf\readable-code\configure
MD5: e4b0986a605c8d223bcd8cbf036caae8
SHA1: cd18db2a682ef6c3deeeab099d2036e405a1f07c

Identifiers

  • None

readable-code/configure.ac

File Path: C:\Users\jerem\projects\DependencyCheck\dependency-check-core\target\test-classes\autoconf\readable-code\configure.ac
MD5: d130e2fa32a516b4898b3de12b1b42bc
SHA1: 5dba846da57603462614e4b6801cc82655519023

Identifiers

  • None

axiom-api-1.2.7.jar

Description: The Axiom API

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\Users\jerem\projects\DependencyCheck\dependency-check-core\target\test-classes\axiom-api-1.2.7.jar
MD5: b06e716d6e5c3a0e3289d28126d01121
SHA1: aa260a5f3fcaee3b95b551a9bbcbe63f56e5a2ad

Identifiers

axiom-dom-1.2.7.jar

Description: The Axiom DOM implementation.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\Users\jerem\projects\DependencyCheck\dependency-check-core\target\test-classes\axiom-dom-1.2.7.jar
MD5: 9d1ff1229a42b8a93fc1db8c349ce830
SHA1: 34f6d22244963bc617f3971a826104162eef1da4

Identifiers

axiom-impl-1.2.7.jar

Description: The Axiom default implementation.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\Users\jerem\projects\DependencyCheck\dependency-check-core\target\test-classes\axiom-impl-1.2.7.jar
MD5: b58763085089fe3d4d106386323ccd63
SHA1: 378b814d1a6129a3e8175d95cf60d48c60ae9d51

Identifiers

axis-1.4.jar

Description:  An implementation of the SOAP ("Simple Object Access Protocol") submission to W3C.

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\Users\jerem\projects\DependencyCheck\dependency-check-core\target\test-classes\axis-1.4.jar
MD5: 03dcfdd88502505cc5a805a128bfdd8d
SHA1: 94a9ce681a42d0352b3ad22659f67835e560d107

Identifiers

CVE-2014-3596  

Severity: Medium
CVSS Score: 5.8 (AV:N/AC:M/Au:N/C:P/I:P/A:N)

The getCN function in Apache Axis 1.4 and earlier does not properly verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via a certificate with a subject that specifies a common name in a field that is not the CN field. NOTE: this issue exists because of an incomplete fix for CVE-2012-5784.

Vulnerable Software & Versions:

CVE-2012-5784  

Severity: Medium
CVSS Score: 5.8 (AV:N/AC:M/Au:N/C:P/I:P/A:N)
CWE: CWE-20 Improper Input Validation

Apache Axis 1.4 and earlier, as used in PayPal Payments Pro, PayPal Mass Pay, PayPal Transactional Information SOAP, the Java Message Service implementation in Apache ActiveMQ, and other products, does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.

Vulnerable Software & Versions:

axis2-kernel-1.4.1.jar

Description: Core Parts of Axis 2.0. This includes Axis 2.0 engine, Client API, Addressing support, etc.,

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\Users\jerem\projects\DependencyCheck\dependency-check-core\target\test-classes\axis2-kernel-1.4.1.jar
MD5: f5f5255626be01918cece10d14f937df
SHA1: fd59331a4bbc734c290744316e627ea343329f49

Identifiers

CVE-2012-5785  

Severity: Medium
CVSS Score: 5.8 (AV:N/AC:M/Au:N/C:P/I:P/A:N)
CWE: CWE-20 Improper Input Validation

Apache Axis2/Java 1.6.2 and earlier does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.

Vulnerable Software & Versions:

CVE-2012-5351  

Severity: Medium
CVSS Score: 6.4 (AV:N/AC:L/Au:N/C:P/I:P/A:N)
CWE: CWE-287 Improper Authentication

Apache Axis2 allows remote attackers to forge messages and bypass authentication via a SAML assertion that lacks a Signature element, aka a "Signature exclusion attack," a different vulnerability than CVE-2012-4418.

Vulnerable Software & Versions:

CVE-2012-4418  

Severity: Medium
CVSS Score: 5.8 (AV:N/AC:M/Au:N/C:P/I:P/A:N)
CWE: CWE-287 Improper Authentication

Apache Axis2 allows remote attackers to forge messages and bypass authentication via an "XML Signature wrapping attack."

Vulnerable Software & Versions:

CVE-2010-2103  

Severity: Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Cross-site scripting (XSS) vulnerability in axis2-admin/axis2-admin/engagingglobally in the administration console in Apache Axis2/Java 1.4.1, 1.5.1, and possibly other versions, as used in SAP Business Objects 12, 3com IMC, and possibly other products, allows remote attackers to inject arbitrary web script or HTML via the modules parameter. NOTE: some of these details are obtained from third party information.

Vulnerable Software & Versions:

CVE-2010-1632  

Severity: High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-20 Improper Input Validation

Apache Axis2 before 1.5.2, as used in IBM WebSphere Application Server (WAS) 7.0 through 7.0.0.12, IBM Feature Pack for Web Services 6.1.0.9 through 6.1.0.32, IBM Feature Pack for Web 2.0 1.0.1.0, Apache Synapse, Apache ODE, Apache Tuscany, Apache Geronimo, and other products, does not properly reject DTDs in SOAP messages, which allows remote attackers to read arbitrary files, send HTTP requests to intranet servers, or cause a denial of service (CPU and memory consumption) via a crafted DTD, as demonstrated by an entity declaration in a request to the Synapse SimpleStockQuoteService.

Vulnerable Software & Versions:

CVE-2010-0219  

Severity: High
CVSS Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
CWE: CWE-255 Credentials Management

Apache Axis2, as used in dswsbobje.war in SAP BusinessObjects Enterprise XI 3.2, CA ARCserve D2D r15, and other products, has a default password of axis2 for the admin account, which makes it easier for remote attackers to execute arbitrary code by uploading a crafted web service.

Vulnerable Software & Versions:

backport-util-concurrent-3.1.jar

Description: Dawid Kurzyniec's backport of JSR 166

License:

Public Domain: http://creativecommons.org/licenses/publicdomain
File Path: C:\Users\jerem\projects\DependencyCheck\dependency-check-core\target\test-classes\backport-util-concurrent-3.1.jar
MD5: 748bb0cbf4780b2e3121dc9c12e10cd9
SHA1: 682f7ac17fed79e92f8e87d8455192b63376347b

Identifiers

bootable-0.1.0.jar

File Path: C:\Users\jerem\projects\DependencyCheck\dependency-check-core\target\test-classes\bootable-0.1.0.jar
MD5: 22d05d41c7d7174a1166802d5cb34a01
SHA1: f8801c5780e56c6b7e86b3a729b0f4003225dae7

Identifiers

  • maven: org.owasp.testing:bootable:0.1.0   Confidence:HIGH

bootable-0.1.0.jar: lib-0.1.0.jar

File Path: C:\Users\jerem\projects\DependencyCheck\dependency-check-core\target\test-classes\bootable-0.1.0.jar\lib\lib-0.1.0.jar
MD5: 877e0eb39e3c985e2c1d553bb6dad934
SHA1: 13af17492135898d8ebced6cfe7aa3b9914ddeaa

Identifiers

  • maven: org.owasp.testing:lib:0.1.0   Confidence:HIGH

ffmpeg\ffmpeg_version.cmake

File Path: C:\Users\jerem\projects\DependencyCheck\dependency-check-core\target\test-classes\cmake\opencv\3rdparty\ffmpeg\ffmpeg_version.cmake
MD5: 47c336385aec534dee9a316f3ac04773
SHA1: 81feb6f931f727482b71b2e34f325387f46ad09b

Identifiers

CVE-2011-4031  

Severity: High
CVSS Score: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)
CWE: CWE-189 Numeric Errors

Integer underflow in the asfrtp_parse_packet function in libavformat/rtpdec_asf.c in FFmpeg before 0.8.3 allows remote attackers to execute arbitrary code via a crafted ASF packet.

Vulnerable Software & Versions:

CVE-2009-0385  

Severity: High
CVSS Score: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)
CWE: CWE-189 Numeric Errors

Integer signedness error in the fourxm_read_header function in libavformat/4xm.c in FFmpeg before revision 16846 allows remote attackers to execute arbitrary code via a malformed 4X movie file with a large current_track value, which triggers a NULL pointer dereference.

Vulnerable Software & Versions:

CVE-2005-4048  

Severity: High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer

Heap-based buffer overflow in the avcodec_default_get_buffer function (utils.c) in FFmpeg libavcodec 0.4.9-pre1 and earlier, as used in products such as (1) mplayer, (2) xine-lib, (3) Xmovie, and (4) GStreamer, allows remote attackers to execute arbitrary commands via small PNG images with palettes.

Vulnerable Software & Versions:

cmake\cl2cpp.cmake

File Path: C:\Users\jerem\projects\DependencyCheck\dependency-check-core\target\test-classes\cmake\opencv\cmake\cl2cpp.cmake
MD5: 39ac6f35af7d4dd3ac3d75c06afe0613
SHA1: 1113347fe96d7d514c9f0bf711b96b352808dd0a

Identifiers

  • None

cmake\copyAndroidLibs.cmake

File Path: C:\Users\jerem\projects\DependencyCheck\dependency-check-core\target\test-classes\cmake\opencv\cmake\copyAndroidLibs.cmake
MD5: 6cea8a766548a7db3855ccec5627271d
SHA1: 8c9e2de7b35767238467548af3e05166e39edf4f

Identifiers

  • None

cmake\FindCUDA.cmake

File Path: C:\Users\jerem\projects\DependencyCheck\dependency-check-core\target\test-classes\cmake\opencv\cmake\FindCUDA.cmake
MD5: 082b257f892af1049627ab591e88ad5e
SHA1: 30b72858802f64c3e5331b6ec70e59dbad58673a

Identifiers

  • None

FindCUDA\make2cmake.cmake

File Path: C:\Users\jerem\projects\DependencyCheck\dependency-check-core\target\test-classes\cmake\opencv\cmake\FindCUDA\make2cmake.cmake
MD5: 5a3c246f2fc21437ba265fa979b160d8
SHA1: 43d5d598c58f5f140d162975a92d2730806cce3f

Identifiers

  • None

FindCUDA\parse_cubin.cmake

File Path: C:\Users\jerem\projects\DependencyCheck\dependency-check-core\target\test-classes\cmake\opencv\cmake\FindCUDA\parse_cubin.cmake
MD5: 5e5fb166c6c93c04621796f04189d0d7
SHA1: 3ecad79fcfe7c5d88a1535d1030026e1fcb2fce0

Identifiers

  • None

FindCUDA\run_nvcc.cmake

File Path: C:\Users\jerem\projects\DependencyCheck\dependency-check-core\target\test-classes\cmake\opencv\cmake\FindCUDA\run_nvcc.cmake
MD5: d6160a6dcaaec3e526bc34cfcea2ee23
SHA1: 0349f1a43fbd380b0c7b578ae3242a7cb6d43cae

Identifiers

  • None

cmake\OpenCVCompilerOptions.cmake

File Path: C:\Users\jerem\projects\DependencyCheck\dependency-check-core\target\test-classes\cmake\opencv\cmake\OpenCVCompilerOptions.cmake
MD5: b40df1c984b511841c40d05a907d433d
SHA1: 30589febdc497eb330eb932a6a1f10197b362fb4

Identifiers

  • None

cmake\OpenCVConfig.cmake

File Path: C:\Users\jerem\projects\DependencyCheck\dependency-check-core\target\test-classes\cmake\opencv\cmake\OpenCVConfig.cmake
MD5: f1f68ff13813a495470c6e73cc9b892a
SHA1: ad85337bb1ccac4a1261f6dda6ad1efcbce8b19d

Identifiers

  • None

cmake\OpenCVCRTLinkage.cmake

File Path: C:\Users\jerem\projects\DependencyCheck\dependency-check-core\target\test-classes\cmake\opencv\cmake\OpenCVCRTLinkage.cmake
MD5: 7f8dcbf9848068f53e352679c0859cd5
SHA1: 25bcb6542245cf8497b467a1363fdf6adeaa67e2

Identifiers

  • None

cmake\OpenCVDetectAndroidSDK.cmake

File Path: C:\Users\jerem\projects\DependencyCheck\dependency-check-core\target\test-classes\cmake\opencv\cmake\OpenCVDetectAndroidSDK.cmake
MD5: bd17bbe3d290b31f39ca4f7876baf725
SHA1: c72e36dd3a7e6b933595c0724a2ce47a9d0fc45e

Identifiers

  • cpe: cpe:/a:android:android_sdk:-   Confidence:LOW   

cmake\OpenCVDetectApacheAnt.cmake

File Path: C:\Users\jerem\projects\DependencyCheck\dependency-check-core\target\test-classes\cmake\opencv\cmake\OpenCVDetectApacheAnt.cmake
MD5: c94b15ca35aec95bb1bdc6a8eec5ede1
SHA1: 33e018cfb004b30a5bd9c58e613172c36d74af41

Identifiers

  • None

cmake\OpenCVDetectCStripes.cmake

File Path: C:\Users\jerem\projects\DependencyCheck\dependency-check-core\target\test-classes\cmake\opencv\cmake\OpenCVDetectCStripes.cmake
MD5: b7be59d929d4daf4ff6e367cd413f795
SHA1: a9e20a51d1d50603da768ab3fd7b6fdc03257370

Identifiers

  • None

cmake\OpenCVDetectCUDA.cmake

File Path: C:\Users\jerem\projects\DependencyCheck\dependency-check-core\target\test-classes\cmake\opencv\cmake\OpenCVDetectCUDA.cmake
MD5: e8acb70a35eafaf93531804da5b3e827
SHA1: ca9162fe9849f5ebe84e14fc0ac6ea2a864da811

Identifiers

  • None

cmake\OpenCVDetectCXXCompiler.cmake

File Path: C:\Users\jerem\projects\DependencyCheck\dependency-check-core\target\test-classes\cmake\opencv\cmake\OpenCVDetectCXXCompiler.cmake
MD5: d57d4cab100ce6d86a2abcf43895759d
SHA1: 1ed30817b5b2dd7c02d832ba95654ae120175715

Identifiers

  • None

cmake\OpenCVDetectDirectX.cmake

File Path: C:\Users\jerem\projects\DependencyCheck\dependency-check-core\target\test-classes\cmake\opencv\cmake\OpenCVDetectDirectX.cmake
MD5: 30652d429f0a8562c7e8856517c4514d
SHA1: ce1afeafae26f37681b1a5ac698723e9d098dcff

Identifiers

  • None

cmake\OpenCVDetectOpenCL.cmake

File Path: C:\Users\jerem\projects\DependencyCheck\dependency-check-core\target\test-classes\cmake\opencv\cmake\OpenCVDetectOpenCL.cmake
MD5: 7420a52a371cea66b93e2067c70b7f38
SHA1: 7d318b5bf007a532d3adc8f1c6978fdb365fa2c5

Identifiers

  • None

cmake\OpenCVDetectPython.cmake

File Path: C:\Users\jerem\projects\DependencyCheck\dependency-check-core\target\test-classes\cmake\opencv\cmake\OpenCVDetectPython.cmake
MD5: 5be7cd9ed88517f1017de27b8eb3228c
SHA1: 9bc4060369dbf9e7ece57639db81488115c84e13

Identifiers

  • cpe: cpe:/a:python:python:-   Confidence:LOW   

CVE-2016-5699  

Severity: Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-113 Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting')

CRLF injection vulnerability in the HTTPConnection.putheader function in urllib2 and urllib in CPython (aka Python) before 2.7.10 and 3.x before 3.4.4 allows remote attackers to inject arbitrary HTTP headers via CRLF sequences in a URL.

Vulnerable Software & Versions:

CVE-2016-5636  

Severity: High
CVSS Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
CWE: CWE-190 Integer Overflow or Wraparound

Integer overflow in the get_data function in zipimport.c in CPython (aka Python) before 2.7.12, 3.x before 3.4.5, and 3.5.x before 3.5.2 allows remote attackers to have unspecified impact via a negative data size value, which triggers a heap-based buffer overflow.

Vulnerable Software & Versions:

CVE-2016-1494  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)
CWE: CWE-20 Improper Input Validation

The verify function in the RSA package for Python (Python-RSA) before 3.3 allows attackers to spoof signatures with a small public exponent via crafted signature padding, aka a BERserk attack.

Vulnerable Software & Versions:

CVE-2016-0772  

Severity: Medium
CVSS Score: 5.8 (AV:N/AC:M/Au:N/C:P/I:P/A:N)
CWE: CWE-693 Protection Mechanism Failure

The smtplib library in CPython (aka Python) before 2.7.12, 3.x before 3.4.5, and 3.5.x before 3.5.2 does not return an error when StartTLS fails, which might allow man-in-the-middle attackers to bypass the TLS protections by leveraging a network position between the client and the registry to block the StartTLS command, aka a "StartTLS stripping attack."

Vulnerable Software & Versions:

CVE-2015-5652  

Severity: High
CVSS Score: 7.2 (AV:L/AC:L/Au:N/C:C/I:C/A:C)

Untrusted search path vulnerability in python.exe in Python through 3.5.0 on Windows allows local users to gain privileges via a Trojan horse readline.pyd file in the current working directory. NOTE: the vendor says "It was determined that this is a longtime behavior of Python that cannot really be altered at this point."

Vulnerable Software & Versions:

CVE-2014-7185  

Severity: Medium
CVSS Score: 6.4 (AV:N/AC:L/Au:N/C:P/I:N/A:P)
CWE: CWE-189 Numeric Errors

Integer overflow in bufferobject.c in Python before 2.7.8 allows context-dependent attackers to obtain sensitive information from process memory via a large size and offset in a "buffer" function.

Vulnerable Software & Versions:

CVE-2013-7338  

Severity: High
CVSS Score: 7.1 (AV:N/AC:M/Au:N/C:N/I:N/A:C)
CWE: CWE-20 Improper Input Validation

Python before 3.3.4 RC1 allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via a file size value larger than the size of the zip file to the (1) ZipExtFile.read, (2) ZipExtFile.read(n), (3) ZipExtFile.readlines, (4) ZipFile.extract, or (5) ZipFile.extractall function.

Vulnerable Software & Versions:

CVE-2012-1150  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-310 Cryptographic Issues

Python before 2.6.8, 2.7.x before 2.7.3, 3.x before 3.1.5, and 3.2.x before 3.2.3 computes hash values without restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted input to an application that maintains a hash table.

Vulnerable Software & Versions:

CVE-2012-0845  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-399 Resource Management Errors

SimpleXMLRPCServer.py in SimpleXMLRPCServer in Python before 2.6.8, 2.7.x before 2.7.3, 3.x before 3.1.5, and 3.2.x before 3.2.3 allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via an XML-RPC POST request that contains a smaller amount of data than specified by the Content-Length header.

Vulnerable Software & Versions:

CVE-2011-4940  

Severity: Low
CVSS Score: 2.6 (AV:N/AC:H/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The list_directory function in Lib/SimpleHTTPServer.py in SimpleHTTPServer in Python before 2.5.6c1, 2.6.x before 2.6.7 rc2, and 2.7.x before 2.7.2 does not place a charset parameter in the Content-Type HTTP header, which makes it easier for remote attackers to conduct cross-site scripting (XSS) attacks against Internet Explorer 7 via UTF-7 encoding.

Vulnerable Software & Versions:

CVE-2010-3492  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)

The asyncore module in Python before 3.2 does not properly handle unsuccessful calls to the accept function, and does not have accompanying documentation describing how daemon applications should handle unsuccessful calls to the accept function, which makes it easier for remote attackers to conduct denial of service attacks that terminate these applications via network connections.

Vulnerable Software & Versions:

cmake\OpenCVDetectTBB.cmake

File Path: C:\Users\jerem\projects\DependencyCheck\dependency-check-core\target\test-classes\cmake\opencv\cmake\OpenCVDetectTBB.cmake
MD5: 35189457dc179a836ad4484994d5976d
SHA1: 40ea5f223fe4deb3713b3f3d2e16e6e1b6772617

Identifiers

  • None

cmake\OpenCVDetectVTK.cmake

File Path: C:\Users\jerem\projects\DependencyCheck\dependency-check-core\target\test-classes\cmake\opencv\cmake\OpenCVDetectVTK.cmake
MD5: c134da83c26ab7a2da167d844c79ad03
SHA1: 47fe39d954f02e6ece66d6b30294798c2d1057bf

Identifiers

  • None

cmake\OpenCVExtraTargets.cmake

File Path: C:\Users\jerem\projects\DependencyCheck\dependency-check-core\target\test-classes\cmake\opencv\cmake\OpenCVExtraTargets.cmake
MD5: 300f1984f05136a2550662b4bba28484
SHA1: f9df6c52285f609bc449e0d264cec3ba4d33495c

Identifiers

  • None

cmake\OpenCVFindIntelPerCSDK.cmake

File Path: C:\Users\jerem\projects\DependencyCheck\dependency-check-core\target\test-classes\cmake\opencv\cmake\OpenCVFindIntelPerCSDK.cmake
MD5: 4a8839ddf7a69626978b6f51d8148ba8
SHA1: a0c46db81c0ccadc5c0d4d8d1b28c506836e3dc5

Identifiers

  • None

cmake\OpenCVFindIPP.cmake

File Path: C:\Users\jerem\projects\DependencyCheck\dependency-check-core\target\test-classes\cmake\opencv\cmake\OpenCVFindIPP.cmake
MD5: 1b0e6265a662426ed5ee3a8eae3571f1
SHA1: 1bffb60918a63d6865165cb47e53d08971bfdb3e

Identifiers

  • None

cmake\OpenCVFindIPPAsync.cmake

File Path: C:\Users\jerem\projects\DependencyCheck\dependency-check-core\target\test-classes\cmake\opencv\cmake\OpenCVFindIPPAsync.cmake
MD5: 9053f0d6f31a969eaa1fc6ae03d72b45
SHA1: 0487f605adcfaabf4c4d2898691c3c453c6cd98d

Identifiers

  • None

cmake\OpenCVFindLATEX.cmake

File Path: C:\Users\jerem\projects\DependencyCheck\dependency-check-core\target\test-classes\cmake\opencv\cmake\OpenCVFindLATEX.cmake
MD5: c048924d7b99ee46b0ad194b0e9236a2
SHA1: 59493c4b35f9772e5f46b8195804b73bc0b8cd68

Identifiers

  • None

cmake\OpenCVFindLibsGrfmt.cmake

File Path: C:\Users\jerem\projects\DependencyCheck\dependency-check-core\target\test-classes\cmake\opencv\cmake\OpenCVFindLibsGrfmt.cmake
MD5: 471c89912ae29f34ce3d8951bfaba775
SHA1: e41b7bd06b878254fba925fd6d5d97e8f7e4abdd

Identifiers

  • None

cmake\OpenCVFindLibsGUI.cmake

File Path: C:\Users\jerem\projects\DependencyCheck\dependency-check-core\target\test-classes\cmake\opencv\cmake\OpenCVFindLibsGUI.cmake
MD5: c744b1958188a1418eab4eb8f295631a
SHA1: e4791e1c486531692bc0aa07ee144276ff957b17

Identifiers

  • None

cmake\OpenCVFindLibsPerf.cmake

File Path: C:\Users\jerem\projects\DependencyCheck\dependency-check-core\target\test-classes\cmake\opencv\cmake\OpenCVFindLibsPerf.cmake
MD5: 10f99115bf875881b2802eabd746a628
SHA1: 1ebfda9512e60f2f75ec491b17c3b2bf3649980d

Identifiers

  • None

cmake\OpenCVFindLibsVideo.cmake

File Path: C:\Users\jerem\projects\DependencyCheck\dependency-check-core\target\test-classes\cmake\opencv\cmake\OpenCVFindLibsVideo.cmake
MD5: 4d81f6af4a31bd51dee812e87617219d
SHA1: 979689596b9e86b846f514d87e56bf87895c1279

Identifiers

  • None

cmake\OpenCVFindMatlab.cmake

File Path: C:\Users\jerem\projects\DependencyCheck\dependency-check-core\target\test-classes\cmake\opencv\cmake\OpenCVFindMatlab.cmake
MD5: 9f8df03241c51e2003d1bcfe9f99949d
SHA1: 895e96702c15ae75ed3a9904762104e8e67c9349

Identifiers

  • None

cmake\OpenCVFindOpenEXR.cmake

File Path: C:\Users\jerem\projects\DependencyCheck\dependency-check-core\target\test-classes\cmake\opencv\cmake\OpenCVFindOpenEXR.cmake
MD5: c596e3648c5aed16362c90abf1a69885
SHA1: 91cd4c5d5cd98d1990f23dfd8a52de7525fe2636

Identifiers

  • cpe: cpe:/a:openexr:openexr:-   Confidence:LOW   

cmake\OpenCVFindOpenNI.cmake

File Path: C:\Users\jerem\projects\DependencyCheck\dependency-check-core\target\test-classes\cmake\opencv\cmake\OpenCVFindOpenNI.cmake
MD5: 98bcd2f11e0793e231abd8a3ffb32faa
SHA1: b7274cea06a5973a42553d6b4b9ff428785f6d48

Identifiers

  • None

cmake\OpenCVFindOpenNI2.cmake

File Path: C:\Users\jerem\projects\DependencyCheck\dependency-check-core\target\test-classes\cmake\opencv\cmake\OpenCVFindOpenNI2.cmake
MD5: 1409780229828db7219727ad64db1f6e
SHA1: daa97eb9f5072aa4bc951eda2a921fc35d2eac2b

Identifiers

  • None

cmake\OpenCVFindWebP.cmake

File Path: C:\Users\jerem\projects\DependencyCheck\dependency-check-core\target\test-classes\cmake\opencv\cmake\OpenCVFindWebP.cmake
MD5: 02b64eac70bf1852a0be5fda17c92e11
SHA1: 949fb1bd9eeebf9b55eeaa3a8f4d95a450c47b13

Identifiers

  • None

cmake\OpenCVFindXimea.cmake

File Path: C:\Users\jerem\projects\DependencyCheck\dependency-check-core\target\test-classes\cmake\opencv\cmake\OpenCVFindXimea.cmake
MD5: b65b6afa478b612f1ab8f4486b3ba791
SHA1: f8cf6b2baa915d9488062a317f2c6e473ad96ef1

Identifiers

  • None

cmake\OpenCVGenABI.cmake

File Path: C:\Users\jerem\projects\DependencyCheck\dependency-check-core\target\test-classes\cmake\opencv\cmake\OpenCVGenABI.cmake
MD5: dab62ee8b994fba211e1877c88dcb7ae
SHA1: d01fed523caff4a3be0c0b0062e7a192f0b3e592

Identifiers

  • None

cmake\OpenCVGenAndroidMK.cmake

File Path: C:\Users\jerem\projects\DependencyCheck\dependency-check-core\target\test-classes\cmake\opencv\cmake\OpenCVGenAndroidMK.cmake
MD5: 9523098110ae460e82b9d5e44ad4c7ad
SHA1: 63024b62e8b39fa23658b8ec10830d94b72587d9

Identifiers

  • None

cmake\OpenCVGenConfig.cmake

File Path: C:\Users\jerem\projects\DependencyCheck\dependency-check-core\target\test-classes\cmake\opencv\cmake\OpenCVGenConfig.cmake
MD5: a2ab87729d247b60a7c4aaedd9a9389d
SHA1: 0bdf47a9c04ac44f62d8cf7806640bf8be9825b2

Identifiers

  • None

cmake\OpenCVGenHeaders.cmake

File Path: C:\Users\jerem\projects\DependencyCheck\dependency-check-core\target\test-classes\cmake\opencv\cmake\OpenCVGenHeaders.cmake
MD5: 5a7d0877b8f16a4f5c62757a0051dcc5
SHA1: d7cfe5e707b00ec2e79d6aef77b339ea3c7b2f17

Identifiers

  • None

cmake\OpenCVGenInfoPlist.cmake

File Path: C:\Users\jerem\projects\DependencyCheck\dependency-check-core\target\test-classes\cmake\opencv\cmake\OpenCVGenInfoPlist.cmake
MD5: ce0875d872f99c9ef28d52a8f59a85f2
SHA1: 313376669a28af75d25ab8b735132550a4f3052e

Identifiers

  • None

cmake\OpenCVGenPkgconfig.cmake

File Path: C:\Users\jerem\projects\DependencyCheck\dependency-check-core\target\test-classes\cmake\opencv\cmake\OpenCVGenPkgconfig.cmake
MD5: 61f497e15c639f7231c0657cf51202fd
SHA1: d2e5ea3b8a68485bbac4a205c7a68217ed66e779

Identifiers

  • None

cmake\OpenCVMinDepVersions.cmake

File Path: C:\Users\jerem\projects\DependencyCheck\dependency-check-core\target\test-classes\cmake\opencv\cmake\OpenCVMinDepVersions.cmake
MD5: d1dde2680e36cc1889856ca3f1502d2a
SHA1: 139df4b6c44a3454d180e608dcac8a6489c68a18

Identifiers

  • None

cmake\OpenCVModule.cmake

File Path: C:\Users\jerem\projects\DependencyCheck\dependency-check-core\target\test-classes\cmake\opencv\cmake\OpenCVModule.cmake
MD5: 5f5dcd91004c42bdf9f42babcc2d2d56
SHA1: ff2a67f9ac07ca9e24060423f17ca6c9b9249a5b

Identifiers

  • None

cmake\OpenCVPackaging.cmake

File Path: C:\Users\jerem\projects\DependencyCheck\dependency-check-core\target\test-classes\cmake\opencv\cmake\OpenCVPackaging.cmake
MD5: 523b5531ee9126224ba0573830643176
SHA1: 96797a22ee5edac0629dc40cbe823f492d531d69

Identifiers

  • None

cmake\OpenCVPCHSupport.cmake

File Path: C:\Users\jerem\projects\DependencyCheck\dependency-check-core\target\test-classes\cmake\opencv\cmake\OpenCVPCHSupport.cmake
MD5: 9d50a0c038a112a9f3b4312930244fd0
SHA1: ed94777aaa7d9f2b58411a3ce2ec38863473f9f7

Identifiers

  • None

cmake\OpenCVUtils.cmake

File Path: C:\Users\jerem\projects\DependencyCheck\dependency-check-core\target\test-classes\cmake\opencv\cmake\OpenCVUtils.cmake
MD5: bf033cbe5749eb6eb060c3ac076a33f8
SHA1: 97c14247374bce9ff0595063c2fe0ff96081b0fb

Identifiers

  • None

cmake\OpenCVVersion.cmake

File Path: C:\Users\jerem\projects\DependencyCheck\dependency-check-core\target\test-classes\cmake\opencv\cmake\OpenCVVersion.cmake
MD5: 9afc0036841d17576b57b714120fc629
SHA1: aff16bf50579427fd3e55d407b0d3ac2f72ef18e

Identifiers

  • None

opencv\CMakeLists.txt

File Path: C:\Users\jerem\projects\DependencyCheck\dependency-check-core\target\test-classes\cmake\opencv\CMakeLists.txt
MD5: b1b39612f8273876aeed9039f3aa7254
SHA1: 69a4df896246065fc9a16ff259d415c833b9c95a

Identifiers

  • None

zlib\CMakeLists.txt

File Path: C:\Users\jerem\projects\DependencyCheck\dependency-check-core\target\test-classes\cmake\zlib\CMakeLists.txt
MD5: 6452c3208faaaafdb71447a509a9c78a
SHA1: 7b4d80f4fe6bf3086fa3f6c19a8fc8179e172721

Identifiers

  • None

commons-cli-1.2.jar

Description:  Commons CLI provides a simple API for presenting, processing and validating a command line interface.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\Users\jerem\projects\DependencyCheck\dependency-check-core\target\test-classes\commons-cli-1.2.jar
MD5: bfdcae1ff93f0c07d733f03bdce28c9e
SHA1: 2bf96b7aa8b611c177d329452af1dc933e14501c

Identifiers

commons-codec-1.2.jar

Description: The codec package contains simple encoder and decoders for various formats such as Base64 and Hexadecimal. In addition to these widely used encoders and decoders, the codec package also maintains a collection of phonetic encoding utilities.

File Path: C:\Users\jerem\projects\DependencyCheck\dependency-check-core\target\test-classes\commons-codec-1.2.jar
MD5: 2617b220009f952bb9542af167d040cf
SHA1: 397f4731a9f9b6eb1907e224911c77ea3aa27a8b

Identifiers

commons-collections-3.2.2.jar

Description: Types that extend and augment the Java Collections Framework.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\Users\jerem\projects\DependencyCheck\dependency-check-core\target\test-classes\commons-collections-3.2.2.jar
MD5: f54a8510f834a1a57166970bfc982e94
SHA1: 8ad72fe39fa8c91eaaf12aadb21e0c3661fe26d5

Identifiers

commons-compress-1.12.jar

Description:  Apache Commons Compress software defines an API for working with compression and archive formats. These include: bzip2, gzip, pack200, lzma, xz, Snappy, traditional Unix Compress, DEFLATE and ar, cpio, jar, tar, zip, dump, 7z, arj.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\Users\jerem\projects\DependencyCheck\dependency-check-core\target\test-classes\commons-compress-1.12.jar
MD5: b394a44c74c1e904c1ab6df0893ebb7e
SHA1: 84caa68576e345eb5e7ae61a0e5a9229eb100d7b

Identifiers

commons-fileupload-1.2.1.jar

Description:  The FileUpload component provides a simple yet flexible means of adding support for multipart file upload functionality to servlets and web applications.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\Users\jerem\projects\DependencyCheck\dependency-check-core\target\test-classes\commons-fileupload-1.2.1.jar
MD5: 951b36984148fc4f4e901f06ab382273
SHA1: 384faa82e193d4e4b0546059ca09572654bc3970

Identifiers

CVE-2016-3092  

Severity: High
CVSS Score: 7.8 (AV:N/AC:L/Au:N/C:N/I:N/A:C)
CWE: CWE-20 Improper Input Validation

The MultipartStream class in Apache Commons Fileupload before 1.3.2, as used in Apache Tomcat 7.x before 7.0.70, 8.x before 8.0.36, 8.5.x before 8.5.3, and 9.x before 9.0.0.M7 and other products, allows remote attackers to cause a denial of service (CPU consumption) via a long boundary string.

Vulnerable Software & Versions:

CVE-2014-0050  

Severity: High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls

MultipartStream.java in Apache Commons FileUpload before 1.3.1, as used in Apache Tomcat, JBoss Web, and other products, allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via a crafted Content-Type header that bypasses a loop's intended exit conditions.

Vulnerable Software & Versions:

CVE-2013-0248  

Severity: Low
CVSS Score: 3.3 (AV:L/AC:M/Au:N/C:N/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls

The default configuration of javax.servlet.context.tempdir in Apache Commons FileUpload 1.0 through 1.2.2 uses the /tmp directory for uploaded files, which allows local users to overwrite arbitrary files via an unspecified symlink attack.

Vulnerable Software & Versions:

commons-httpclient-3.1.jar

Description: The HttpClient component supports the client-side of RFC 1945 (HTTP/1.0) and RFC 2616 (HTTP/1.1) , several related specifications (RFC 2109 (Cookies) , RFC 2617 (HTTP Authentication) , etc.), and provides a framework by which new request types (methods) or HTTP extensions can be created easily.

License:

Apache License: http://www.apache.org/licenses/LICENSE-2.0
File Path: C:\Users\jerem\projects\DependencyCheck\dependency-check-core\target\test-classes\commons-httpclient-3.1.jar
MD5: 8ad8c9229ef2d59ab9f59f7050e846a5
SHA1: 964cd74171f427720480efdec40a7c7f6e58426a

Identifiers

  • maven: commons-httpclient:commons-httpclient:3.1   Confidence:HIGHEST
  • cpe: cpe:/a:apache:commons-httpclient:3.1   Confidence:LOW   
  • cpe: cpe:/a:apache:httpclient:3.1   Confidence:LOW   

CVE-2015-5262  

Severity: Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:N/A:P)
CWE: CWE-399 Resource Management Errors

http/conn/ssl/SSLConnectionSocketFactory.java in Apache HttpComponents HttpClient before 4.3.6 ignores the http.socket.timeout configuration setting during an SSL handshake, which allows remote attackers to cause a denial of service (HTTPS call hang) via unspecified vectors.

Vulnerable Software & Versions:

CVE-2014-3577  

Severity: Medium
CVSS Score: 5.8 (AV:N/AC:M/Au:N/C:P/I:P/A:N)

org.apache.http.conn.ssl.AbstractVerifier in Apache HttpComponents HttpClient before 4.3.5 and HttpAsyncClient before 4.0.2 does not properly verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via a "CN=" string in a field in the distinguished name (DN) of a certificate, as demonstrated by the "foo,CN=www.apache.org" string in the O field.

Vulnerable Software & Versions:

commons-io-2.5.jar

Description:  The Apache Commons IO library contains utility classes, stream implementations, file filters, file comparators, endian transformation classes, and much more.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\Users\jerem\projects\DependencyCheck\dependency-check-core\target\test-classes\commons-io-2.5.jar
MD5: e2d74794fba570ec2115fb9d5b05dc9b
SHA1: 2852e6e05fbb95076fc091f6d1780f1f8fe35e0f

Identifiers

commons-lang-2.4.jar

Description:  Commons Lang, a package of Java utility classes for the classes that are in java.lang's hierarchy, or are considered to be so standard as to justify existence in java.lang.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\Users\jerem\projects\DependencyCheck\dependency-check-core\target\test-classes\commons-lang-2.4.jar
MD5: 237a8e845441bad2e535c57d985c8204
SHA1: 16313e02a793435009f1e458fa4af5d879f6fb11

Identifiers

commons-lang3-3.3.2.jar

Description:  Apache Commons Lang, a package of Java utility classes for the classes that are in java.lang's hierarchy, or are considered to be so standard as to justify existence in java.lang.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\Users\jerem\projects\DependencyCheck\dependency-check-core\target\test-classes\commons-lang3-3.3.2.jar
MD5: 3128bf75a2549ebe38663401191bacab
SHA1: 90a3822c38ec8c996e84c16a3477ef632cbc87a3

Identifiers

commons-logging-1.1.1.jar

Description: Commons Logging is a thin adapter allowing configurable bridging to other, well known logging systems.

File Path: C:\Users\jerem\projects\DependencyCheck\dependency-check-core\target\test-classes\commons-logging-1.1.1.jar
MD5: ed448347fc0104034aa14c8189bf37de
SHA1: 5043bfebc3db072ed80fbd362e7caf00e885d8ae

Identifiers

commons-pool-1.5.3.jar

Description: Commons Object Pooling Library

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\Users\jerem\projects\DependencyCheck\dependency-check-core\target\test-classes\commons-pool-1.5.3.jar
MD5: 0c6fdbaaac00387df7d738379422912e
SHA1: 7ad440d63c6eea5e79f1737e264810c76258d042

Identifiers

commons-validator-1.4.0.jar

Description:  Commons Validator provides the building blocks for both client side validation and server side data validation. It may be used standalone or with a framework like Struts.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\Users\jerem\projects\DependencyCheck\dependency-check-core\target\test-classes\commons-validator-1.4.0.jar
MD5: 8f381c168688704a85c550cf343a5ca2
SHA1: 42fa1046955ade59f5354a1876cfc523cea33815

Identifiers

composer.lock

File Path: C:\Users\jerem\projects\DependencyCheck\dependency-check-core\target\test-classes\composer.lock
MD5: a4846582d3f217ac97801948bf8c496c
SHA1: 875ecf45948aeed57d09c0ddba43e5b2e99fa8c7

Identifiers

  • None

daytrader-ear-2.1.7.ear

File Path: C:\Users\jerem\projects\DependencyCheck\dependency-check-core\target\test-classes\daytrader-ear-2.1.7.ear
MD5: 9fa8c4e8072904589fc0d1a12e8eb291
SHA1: 61868609eb138c41c0298373c9f8c19713fefa54

Identifiers

  • None

daytrader-ear-2.1.7.ear: dt-ejb.jar

Description: Daytrader EJBs

File Path: C:\Users\jerem\projects\DependencyCheck\dependency-check-core\target\test-classes\daytrader-ear-2.1.7.ear\dt-ejb.jar
MD5: 26e92dbacad11c73f03ede043b113653
SHA1: f2f7c05243ec8e5fb93efb35f5908bba88651bf3

Identifiers

CVE-2011-5034  

Severity: High
CVSS Score: 7.8 (AV:N/AC:L/Au:N/C:N/I:N/A:C)
CWE: CWE-20 Improper Input Validation

Apache Geronimo 2.2.1 and earlier computes hash values for form parameters without restricting the ability to trigger hash collisions predictably, which allows remote attackers to cause a denial of service (CPU consumption) by sending many crafted parameters. NOTE: this might overlap CVE-2011-4461.

Vulnerable Software & Versions:

CVE-2008-0732  

Severity: Low
CVSS Score: 2.1 (AV:L/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-59 Improper Link Resolution Before File Access ('Link Following')

The init script for Apache Geronimo on SUSE Linux follows symlinks when performing a chown operation, which might allow local users to obtain access to unspecified files or directories.

Vulnerable Software & Versions:

daytrader-ear-2.1.7.ear: geronimo-jaxrpc_1.1_spec-2.0.0.jar

Description: Provides open-source implementations of Sun specifications.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\Users\jerem\projects\DependencyCheck\dependency-check-core\target\test-classes\daytrader-ear-2.1.7.ear\geronimo-jaxrpc_1.1_spec-2.0.0.jar
MD5: 89b6273486a7c78353d919941f9f843c
SHA1: 4fad4b521e38ef8d9a2434a2421a9a1dc7910285

Identifiers

daytrader-ear-2.1.7.ear: streamer.jar

Description: Streamer Application for Day Trader

File Path: C:\Users\jerem\projects\DependencyCheck\dependency-check-core\target\test-classes\daytrader-ear-2.1.7.ear\streamer.jar
MD5: 5bc6de1a34935d20331ef777463fd28b
SHA1: ec631c926ab667182840b3e5e32bd3d2f8a808ac

Identifiers

CVE-2011-5034  

Severity: High
CVSS Score: 7.8 (AV:N/AC:L/Au:N/C:N/I:N/A:C)
CWE: CWE-20 Improper Input Validation

Apache Geronimo 2.2.1 and earlier computes hash values for form parameters without restricting the ability to trigger hash collisions predictably, which allows remote attackers to cause a denial of service (CPU consumption) by sending many crafted parameters. NOTE: this might overlap CVE-2011-4461.

Vulnerable Software & Versions:

CVE-2008-0732  

Severity: Low
CVSS Score: 2.1 (AV:L/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-59 Improper Link Resolution Before File Access ('Link Following')

The init script for Apache Geronimo on SUSE Linux follows symlinks when performing a chown operation, which might allow local users to obtain access to unspecified files or directories.

Vulnerable Software & Versions:

daytrader-ear-2.1.7.ear: web.war

File Path: C:\Users\jerem\projects\DependencyCheck\dependency-check-core\target\test-classes\daytrader-ear-2.1.7.ear\web.war
MD5: 857655bb1ddb4204f09d63e5ca8c56bc
SHA1: 7a7455f5d78bb4e1b8e66cd3e6c1f964d18705f9

Identifiers

  • None

daytrader-ear-2.1.7.ear: wsappclient.jar

Description: Client demonstrating Web Services

File Path: C:\Users\jerem\projects\DependencyCheck\dependency-check-core\target\test-classes\daytrader-ear-2.1.7.ear\wsappclient.jar
MD5: c343646c162fdd19156400fe83f41ce2
SHA1: ece01974be048ba75e2b344c39efb176915a1c16

Identifiers

CVE-2011-5034  

Severity: High
CVSS Score: 7.8 (AV:N/AC:L/Au:N/C:N/I:N/A:C)
CWE: CWE-20 Improper Input Validation

Apache Geronimo 2.2.1 and earlier computes hash values for form parameters without restricting the ability to trigger hash collisions predictably, which allows remote attackers to cause a denial of service (CPU consumption) by sending many crafted parameters. NOTE: this might overlap CVE-2011-4461.

Vulnerable Software & Versions:

CVE-2008-0732  

Severity: Low
CVSS Score: 2.1 (AV:L/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-59 Improper Link Resolution Before File Access ('Link Following')

The init script for Apache Geronimo on SUSE Linux follows symlinks when performing a chown operation, which might allow local users to obtain access to unspecified files or directories.

Vulnerable Software & Versions:

dependency-check-utils-1.4.4-SNAPSHOT.jar

Description: dependency-check-utils is a collection of common utility classes used within dependency-check that might be useful in other projects.

File Path: C:\Users\jerem\projects\DependencyCheck\dependency-check-core\target\test-classes\dependency-check-utils-1.4.4-SNAPSHOT.jar
MD5: c1c61050f7fdb6af867729d932610092
SHA1: 62504c3acda5ffa039bca63231caee6209dc69bb

Identifiers

  • maven: org.owasp:dependency-check-utils:1.4.4-SNAPSHOT   Confidence:HIGH

dojo-war-1.3.0.war

File Path: C:\Users\jerem\projects\DependencyCheck\dependency-check-core\target\test-classes\dojo-war-1.3.0.war
MD5: cd00cb6bc15004638548148a21d799aa
SHA1: 36572b4e096421becab9346da41bbc4ec1316a54

Identifiers

CVE-2010-2276  

Severity: High
CVSS Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
CWE: CWE-16 Configuration

The default configuration of the build process in Dojo 0.4.x before 0.4.4, 1.0.x before 1.0.3, 1.1.x before 1.1.2, 1.2.x before 1.2.4, 1.3.x before 1.3.3, and 1.4.x before 1.4.2 has the copyTests=true and mini=false options, which makes it easier for remote attackers to have an unspecified impact via a request to a (1) test or (2) demo component.

Vulnerable Software & Versions:

CVE-2010-2275  

Severity: Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Cross-site scripting (XSS) vulnerability in dijit/tests/_testCommon.js in Dojo Toolkit SDK before 1.4.2 allows remote attackers to inject arbitrary web script or HTML via the theme parameter, as demonstrated by an attack against dijit/tests/form/test_Button.html.

Vulnerable Software & Versions:

CVE-2010-2274  

Severity: Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)

Multiple open redirect vulnerabilities in Dojo 1.0.x before 1.0.3, 1.1.x before 1.1.2, 1.2.x before 1.2.4, 1.3.x before 1.3.3, and 1.4.x before 1.4.2 allow remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors, possibly related to dojo/resources/iframe_history.html, dojox/av/FLAudio.js, dojox/av/FLVideo.js, dojox/av/resources/audio.swf, dojox/av/resources/video.swf, util/buildscripts/jslib/build.js, util/buildscripts/jslib/buildUtil.js, and util/doh/runner.html.

Vulnerable Software & Versions:

CVE-2010-2273  

Severity: Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Multiple cross-site scripting (XSS) vulnerabilities in Dojo 1.0.x before 1.0.3, 1.1.x before 1.1.2, 1.2.x before 1.2.4, 1.3.x before 1.3.3, and 1.4.x before 1.4.2 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors, possibly related to dojo/resources/iframe_history.html, dojox/av/FLAudio.js, dojox/av/FLVideo.js, dojox/av/resources/audio.swf, dojox/av/resources/video.swf, util/buildscripts/jslib/build.js, and util/buildscripts/jslib/buildUtil.js, as demonstrated by the (1) dojoUrl and (2) testUrl parameters to util/doh/runner.html.

Vulnerable Software & Versions:

dwr.jar

Description: DWR is easy Ajax for Java.

File Path: C:\Users\jerem\projects\DependencyCheck\dependency-check-core\target\test-classes\dwr.jar
MD5: b7f7865f90401b843ef5c032e6767f7f
SHA1: 3b8c0e896a586f825e31af06508b321b520e5aeb

Identifiers

CVE-2007-0185  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)

Getahead Direct Web Remoting (DWR) before 1.1.4 allows attackers to cause a denial of service (memory exhaustion and servlet outage) via unknown vectors related to a large number of calls in a batch.

Vulnerable Software & Versions:

CVE-2007-0184  

Severity: High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)

Getahead Direct Web Remoting (DWR) before 1.1.4 allows attackers to obtain unauthorized access to public methods via a crafted request that bypasses the include/exclude checks.

Vulnerable Software & Versions:

CVE-2006-6916  

Severity: High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)

Getahead Direct Web Remoting (DWR) before 1.1.3 allows attackers to cause a denial of service (infinite loop) via unknown vectors related to "crafted input."

Vulnerable Software & Versions:

ehcache-core-2.2.0.jar

Description: This is the ehcache core module. Pair it with other modules for added functionality.

License:

The Apache Software License, Version 2.0: src/assemble/LICENSE.txt
File Path: C:\Users\jerem\projects\DependencyCheck\dependency-check-core\target\test-classes\ehcache-core-2.2.0.jar
MD5: 2c95e83b612691ba2a54e0c56cb9177f
SHA1: c3fba1f00073a38d370990ce7d8b5d4f9b05a11a

Identifiers

FileHelpers.2.0.0.0.nupkg

File Path: C:\Users\jerem\projects\DependencyCheck\dependency-check-core\target\test-classes\FileHelpers.2.0.0.0.nupkg
MD5: 0bf948b505852a2af8a597b8a129ef9a
SHA1: 30fb37d6163cf16e3ba740343becdd14d5457619

Identifiers

  • cpe: cpe:/a:file:file:2.0.0.0   Confidence:LOW   

CVE-2007-1536  

Severity: High
CVSS Score: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)
CWE: CWE-189 Numeric Errors

Integer underflow in the file_printf function in the "file" program before 4.20 allows user-assisted attackers to execute arbitrary code via a file that triggers a heap-based buffer overflow.

Vulnerable Software & Versions:

FileHelpers.2.0.0.0.nupkg: FileHelpers.nuspec

File Path: C:\Users\jerem\projects\DependencyCheck\dependency-check-core\target\test-classes\FileHelpers.2.0.0.0.nupkg\FileHelpers.nuspec
MD5: 9e2287f0174bcd79cf7e2427d73a1197
SHA1: d14a722b66388d84ac3b57c4de56e702aa5fea96

Identifiers

  • None

FileHelpers.2.0.0.0.nupkg: FileHelpers.dll

File Path: C:\Users\jerem\projects\DependencyCheck\dependency-check-core\target\test-classes\FileHelpers.2.0.0.0.nupkg\lib\FileHelpers.dll
MD5: 4829fa768de37c315a3a3b7bca027b64
SHA1: a256f622a6209ec21a13d490443ffd6dbda4f5b7

Identifiers

  • None

FileHelpers.2.0.0.0.nupkg: FileHelpers.ExcelStorage.dll

File Path: C:\Users\jerem\projects\DependencyCheck\dependency-check-core\target\test-classes\FileHelpers.2.0.0.0.nupkg\lib\FileHelpers.ExcelStorage.dll
MD5: d22aeca6ee71a2e6f5b3d296280ba98a
SHA1: e416350e2ee0e0711e2716cf7efce54168accc52

Identifiers

  • None

FileHelpers.2.0.0.0.nupkg: Interop.Excel.dll

File Path: C:\Users\jerem\projects\DependencyCheck\dependency-check-core\target\test-classes\FileHelpers.2.0.0.0.nupkg\lib\Interop.Excel.dll
MD5: 728ff3aeae71cbd8d303f442e3843c4c
SHA1: cdaa993485f737951fd91c71f41c929cd06dffa3

Identifiers

  • None

FileHelpers.2.0.0.0.nupkg: Interop.Office.dll

File Path: C:\Users\jerem\projects\DependencyCheck\dependency-check-core\target\test-classes\FileHelpers.2.0.0.0.nupkg\lib\Interop.Office.dll
MD5: 7b55e3bf19775b7a6fa5bf3c271e2c0c
SHA1: eefcfe4b0c90b6f4232d07d588a08bc04fd32e84

Identifiers

  • None

freemarker-2.3.12.jar

Description:  FreeMarker is a "template engine"; a generic tool to generate text output based on templates.

License:

BSD-style license: http://www.freemarker.org/LICENSE.txt
File Path: C:\Users\jerem\projects\DependencyCheck\dependency-check-core\target\test-classes\freemarker-2.3.12.jar
MD5: 719554bbc3d8a98582a8a93328134fe2
SHA1: 3501b670aa7e3822ddf7693082f621b1cd8ce086

Identifiers

geronimo-activation_1.1_spec-1.0.1.jar

Description: Provides open-source implementations of Sun specifications.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\Users\jerem\projects\DependencyCheck\dependency-check-core\target\test-classes\geronimo-activation_1.1_spec-1.0.1.jar
MD5: fd89b8782af5fd2ac1cadb006477e828
SHA1: 79c75e201af44cf766e78a2515c3f88a19f69e1f

Identifiers

geronimo-javamail_1.4_spec-1.2.jar

Description: Provides open-source implementations of Sun specifications.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\Users\jerem\projects\DependencyCheck\dependency-check-core\target\test-classes\geronimo-javamail_1.4_spec-1.2.jar
MD5: f9f0465816f2db5fa9f409fb1d9700c8
SHA1: 0f6b07582a3d6ba452b10527fb508809aff8b353

Identifiers

geronimo-jms_1.1_spec-1.1.1.jar

Description: Provides open-source implementations of Sun specifications.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\Users\jerem\projects\DependencyCheck\dependency-check-core\target\test-classes\geronimo-jms_1.1_spec-1.1.1.jar
MD5: d80ce71285696d36c1add1989b94f084
SHA1: c872b46c601d8dc03633288b81269f9e42762cea

Identifiers

geronimo-jpa_2.0_spec-1.1.jar

Description: Implementation of Sun JSR-317 JPA 2.0 Spec API

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\Users\jerem\projects\DependencyCheck\dependency-check-core\target\test-classes\geronimo-jpa_2.0_spec-1.1.jar
MD5: 007c972f6dcfea68a6686b262c6f3d2f
SHA1: f4d90788691f5f5f201f39a53a23d392cde660a3

Identifiers

geronimo-jta_1.1_spec-1.1.1.jar

Description: Provides open-source implementations of Sun specifications.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\Users\jerem\projects\DependencyCheck\dependency-check-core\target\test-classes\geronimo-jta_1.1_spec-1.1.1.jar
MD5: 4aa8d50456bcec0bf6f032ceb182ad64
SHA1: aabab3165b8ea936b9360abbf448459c0d04a5a4

Identifiers

geronimo-stax-api_1.0_spec-1.0.1.jar

Description: Provides open-source implementations of Sun specifications.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\Users\jerem\projects\DependencyCheck\dependency-check-core\target\test-classes\geronimo-stax-api_1.0_spec-1.0.1.jar
MD5: b7c2a715cd3d1c43dc4ccfae426e8e2e
SHA1: 1c171093a8b43aa550c6050ac441abe713ebb4f2

Identifiers

guice-3.0.jar

Description: Guice is a lightweight dependency injection framework for Java 5 and above

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\Users\jerem\projects\DependencyCheck\dependency-check-core\target\test-classes\guice-3.0.jar
MD5: ca1c7ba366884cfcd2cfb48d2395c400
SHA1: 9d84f15fe35e2c716a02979fb62f50a29f38aefa

Identifiers

h2-1.3.176.jar

Description: H2 Database Engine

License:

The H2 License, Version 1.0: http://h2database.com/html/license.html
File Path: C:\Users\jerem\projects\DependencyCheck\dependency-check-core\target\test-classes\h2-1.3.176.jar
MD5: 9c15d378136b31e4fd8f54561e90713a
SHA1: fd369423346b2f1525c413e33f8cf95b09c92cbd

Identifiers

hamcrest-core-1.3.jar

Description:  This is the core API of hamcrest matcher framework to be used by third-party framework providers. This includes a foundation set of matcher implementations for common operations.

File Path: C:\Users\jerem\projects\DependencyCheck\dependency-check-core\target\test-classes\hamcrest-core-1.3.jar
MD5: 6393363b47ddcbba82321110c3e07519
SHA1: 42a25dc3219429f0e5d060061f71acb49bf010a0

Identifiers

hazelcast-2.5.jar

Description: Hazelcast In-Memory DataGrid

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\Users\jerem\projects\DependencyCheck\dependency-check-core\target\test-classes\hazelcast-2.5.jar
MD5: cecb9f89cf60f8947451f620e542cbc8
SHA1: 3614fa9e42e8cd4d124ca37a2edb36d0e926959d

Identifiers

hibernate3.jar

File Path: C:\Users\jerem\projects\DependencyCheck\dependency-check-core\target\test-classes\hibernate3.jar
MD5: b22bbafa38341db968033f1acbfa8dd9
SHA1: 826da9fc452e7009116dffc2d348ba705fe2aa82

Identifiers

  • None

httpcore-4.0-beta1.jar

Description:  HttpComponents Core (Java 1.3 compatible)

License:

Apache License: ../LICENSE.txt
File Path: C:\Users\jerem\projects\DependencyCheck\dependency-check-core\target\test-classes\httpcore-4.0-beta1.jar
MD5: 7515cfff71e32ce55d5ba6b73251d93a
SHA1: c642a5f7c20539840957584b1af2ad798cd1ba52

Identifiers

httpcore-nio-4.0-beta1.jar

Description:  HttpComponents Core (NIO extensions)

License:

Apache License: ../LICENSE.txt
File Path: C:\Users\jerem\projects\DependencyCheck\dependency-check-core\target\test-classes\httpcore-nio-4.0-beta1.jar
MD5: 926965bc84b5f5f138df66ddd05baed0
SHA1: a0d825beaa0bc0b03fcf11315abc4b7fd60fe2e8

Identifiers

javax.inject-1.jar

Description: The javax.inject API

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\Users\jerem\projects\DependencyCheck\dependency-check-core\target\test-classes\javax.inject-1.jar
MD5: 289075e48b909e9e74e6c915b3631d2e
SHA1: 6975da39a7040257bd51d21a231b76c915872d38

Identifiers

javax.json-1.0.4.jar

Description: Default provider for JSR 353:Java API for Processing JSON

License:

https://glassfish.java.net/public/CDDL+GPL_1_1.html
File Path: C:\Users\jerem\projects\DependencyCheck\dependency-check-core\target\test-classes\javax.json-1.0.4.jar
MD5: 569870f975deeeb6691fcb9bc02a9555
SHA1: 3178f73569fd7a1e5ffc464e680f7a8cc784b85a

Identifiers

jaxb-xercesImpl-1.5.jar

File Path: C:\Users\jerem\projects\DependencyCheck\dependency-check-core\target\test-classes\jaxb-xercesImpl-1.5.jar
MD5: 8cd074364c830fc8ff40a8a19c0a74c8
SHA1: 73a51faadb407dccdbd77234e0d5a0a648665692

Identifiers

jaxen-1.1.1.jar

Description: Jaxen is a universal Java XPath engine.

File Path: C:\Users\jerem\projects\DependencyCheck\dependency-check-core\target\test-classes\jaxen-1.1.1.jar
MD5: 261d1aa59865842ecc32b3848b0c6538
SHA1: 9f5d3c5974dbe5cf69c2c2ec7d8a4eb6e0fce7f9

Identifiers

jcip-annotations-1.0.jar

File Path: C:\Users\jerem\projects\DependencyCheck\dependency-check-core\target\test-classes\jcip-annotations-1.0.jar
MD5: 9d5272954896c5a5d234f66b7372b17a
SHA1: afba4942caaeaf46aab0b976afd57cc7c181467e

Identifiers

jetty-6.1.0.jar

File Path: C:\Users\jerem\projects\DependencyCheck\dependency-check-core\target\test-classes\jetty-6.1.0.jar
MD5: 121a72b1dea1a9adf83079a44ca08e7b
SHA1: fb39ebc0cdccea6b54ad87d229a352a894eebecc

Identifiers

CVE-2011-4461  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-310 Cryptographic Issues

Jetty 8.1.0.RC2 and earlier computes hash values for form parameters without restricting the ability to trigger hash collisions predictably, which allows remote attackers to cause a denial of service (CPU consumption) by sending many crafted parameters.

Vulnerable Software & Versions:

CVE-2009-4612  

Severity: Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Multiple cross-site scripting (XSS) vulnerabilities in the WebApp JSP Snoop page in Mort Bay Jetty 6.1.x through 6.1.21 allow remote attackers to inject arbitrary web script or HTML via the PATH_INFO to the default URI under (1) jspsnoop/, (2) jspsnoop/ERROR/, and (3) jspsnoop/IOException/, and possibly the PATH_INFO to (4) snoop.jsp.

Vulnerable Software & Versions:

CVE-2009-4611  

Severity: High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-20 Improper Input Validation

Mort Bay Jetty 6.x and 7.0.0 writes backtrace data without sanitizing non-printable characters, which might allow remote attackers to modify a window's title, or possibly execute arbitrary commands or overwrite files, via an HTTP request containing an escape sequence for a terminal emulator, related to (1) a string value in the Age parameter to the default URI for the Cookie Dump Servlet in test-jetty-webapp/src/main/java/com/acme/CookieDump.java under cookie/, (2) an alphabetic value in the A parameter to jsp/expr.jsp, or (3) an alphabetic value in the Content-Length HTTP header to an arbitrary application.

Vulnerable Software & Versions:

CVE-2009-4610  

Severity: Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Multiple cross-site scripting (XSS) vulnerabilities in Mort Bay Jetty 6.x and 7.0.0 allow remote attackers to inject arbitrary web script or HTML via (1) the query string to jsp/dump.jsp in the JSP Dump feature, or the (2) Name or (3) Value parameter to the default URI for the Session Dump Servlet under session/.

Vulnerable Software & Versions:

CVE-2009-4609  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

The Dump Servlet in Mort Bay Jetty 6.x and 7.0.0 allows remote attackers to obtain sensitive information about internal variables and other data via a request to a URI ending in /dump/, as demonstrated by discovering the value of the getPathTranslated variable.

Vulnerable Software & Versions:

CVE-2009-1524  

Severity: Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Cross-site scripting (XSS) vulnerability in Mort Bay Jetty before 6.1.17 allows remote attackers to inject arbitrary web script or HTML via a directory listing request containing a ; (semicolon) character.

Vulnerable Software & Versions:

CVE-2009-1523  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Directory traversal vulnerability in the HTTP server in Mort Bay Jetty 5.1.14, 6.x before 6.1.17, and 7.x through 7.0.0.M2 allows remote attackers to access arbitrary files via directory traversal sequences in the URI.

Vulnerable Software & Versions:

CVE-2007-5615  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)
CWE: CWE-94 Improper Control of Generation of Code ('Code Injection')

CRLF injection vulnerability in Mortbay Jetty before 6.1.6rc0 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via unspecified vectors.

Vulnerable Software & Versions:

CVE-2007-5614  

Severity: High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)

Mortbay Jetty before 6.1.6rc1 does not properly handle "certain quote sequences" in HTML cookie parameters, which allows remote attackers to hijack browser sessions via unspecified vectors.

Vulnerable Software & Versions:

CVE-2007-5613  

Severity: Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Cross-site scripting (XSS) vulnerability in Dump Servlet in Mortbay Jetty before 6.1.6rc1 allows remote attackers to inject arbitrary web script or HTML via unspecified parameters and cookies.

Vulnerable Software & Versions:

jmockit-1.24.jar

Description:  JMockit is a Java toolkit for automated developer testing. It contains mocking and faking APIs and a code coverage tool, supporting both JUnit and TestNG. The mocking API allows all kinds of Java code, without testability restrictions, to be tested in isolation from selected dependencies.

License:

The MIT License: http://www.opensource.org/licenses/mit-license.php
File Path: C:\Users\jerem\projects\DependencyCheck\dependency-check-core\target\test-classes\jmockit-1.24.jar
MD5: 27c6e2be6bda6f78f83604d1f1d40006
SHA1: c8f3d57267a9979727da9d679921f1e60fa2beec

Identifiers

jsoup-1.9.2.jar

Description: jsoup HTML parser

License:

The MIT License: https://jsoup.org/license
File Path: C:\Users\jerem\projects\DependencyCheck\dependency-check-core\target\test-classes\jsoup-1.9.2.jar
MD5: a8627c801e0d16169ef9ca83cf89861a
SHA1: 5e3bda828a80c7a21dfbe2308d1755759c2fd7b4

Identifiers

jsr305-3.0.1.jar

Description: JSR305 Annotations for Findbugs

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\Users\jerem\projects\DependencyCheck\dependency-check-core\target\test-classes\jsr305-3.0.1.jar
MD5: c6532beb3f7cc54a8d73d25d5602b9e4
SHA1: f7be08ec23c21485b9b5a1cf1654c2ec8c58168d

Identifiers

junit-4.12.jar

Description: JUnit is a unit testing framework for Java, created by Erich Gamma and Kent Beck.

License:

Eclipse Public License 1.0: http://www.eclipse.org/legal/epl-v10.html
File Path: C:\Users\jerem\projects\DependencyCheck\dependency-check-core\target\test-classes\junit-4.12.jar
MD5: 5b38c40c97fbd0adee29f91e60405584
SHA1: 2973d150c0dc1fefe998f834810d68f278ea58ec

Identifiers

junit4-ant-2.0.13.jar

File Path: C:\Users\jerem\projects\DependencyCheck\dependency-check-core\target\test-classes\junit4-ant-2.0.13.jar
MD5: ebab7fecab4398e859176ecb81e63d0e
SHA1: 33904a47c5f920d270437ea1075cc9fa5ecb8099

Identifiers

log4net.2.0.3.nuspec

File Path: C:\Users\jerem\projects\DependencyCheck\dependency-check-core\target\test-classes\log4net.2.0.3.nuspec
MD5: d95207bfd2539c046ba7271b695b08f7
SHA1: b82102a0767f56525926698fbba4b7c47e96d4ab

Identifiers

  • cpe: cpe:/a:apache:log4net:2.0.3   Confidence:LOW   

log4net.dll

File Path: C:\Users\jerem\projects\DependencyCheck\dependency-check-core\target\test-classes\log4net.dll
MD5: e873f47ff9ed73a7ed7054aaf4e7601a
SHA1: 44d7ee86c72be615da883a24f0b54fd0725ad298

Identifiers

  • cpe: cpe:/a:apache:log4net:1.2.13.0   Confidence:LOW   

logback-classic-1.1.7.jar

Description: logback-classic module

License:

http://www.eclipse.org/legal/epl-v10.html, http://www.gnu.org/licenses/old-licenses/lgpl-2.1.html
File Path: C:\Users\jerem\projects\DependencyCheck\dependency-check-core\target\test-classes\logback-classic-1.1.7.jar
MD5: 7373c8ad1bfa162332d7d13c4596c2a1
SHA1: 9865cf6994f9ff13fce0bf93f2054ef6c65bb462

Identifiers

logback-core-1.1.7.jar

Description: logback-core module

License:

http://www.eclipse.org/legal/epl-v10.html, http://www.gnu.org/licenses/old-licenses/lgpl-2.1.html
File Path: C:\Users\jerem\projects\DependencyCheck\dependency-check-core\target\test-classes\logback-core-1.1.7.jar
MD5: 4021551de5018dfa4b79ec553280f00a
SHA1: 7873092d39ef741575ca91378a6a21c388363ac8

Identifiers

lucene-analyzers-common-4.7.2.jar

Description: Additional Analyzers

File Path: C:\Users\jerem\projects\DependencyCheck\dependency-check-core\target\test-classes\lucene-analyzers-common-4.7.2.jar
MD5: cbc49dfc4ed6ee29db3a1ed5a84c5a9e
SHA1: 72017b7643f6e2389a140099a3fce198a569b599

Identifiers

lucene-codecs-4.7.2.jar

Description:  Codecs and postings formats for Apache Lucene.

File Path: C:\Users\jerem\projects\DependencyCheck\dependency-check-core\target\test-classes\lucene-codecs-4.7.2.jar
MD5: c442ec2c5e403d9c6f8ba8ad8762cd81
SHA1: 386adfd04528461f9ddfa0ff839190f6a6d9c1a5

Identifiers

lucene-core-4.7.2.jar

Description: Apache Lucene Java Core

File Path: C:\Users\jerem\projects\DependencyCheck\dependency-check-core\target\test-classes\lucene-core-4.7.2.jar
MD5: 6ed7375bfe046610363a10915ce2dd8b
SHA1: c9ec1d5b48635aa032ca3d2c824dea0e6523a4a5

Identifiers

lucene-queries-4.7.2.jar

Description: Lucene Queries Module

File Path: C:\Users\jerem\projects\DependencyCheck\dependency-check-core\target\test-classes\lucene-queries-4.7.2.jar
MD5: fe815419a0aff3f76452ac516fffb680
SHA1: c357a2494e341f2680fccbf9e96138c7083aaad4

Identifiers

lucene-queryparser-4.7.2.jar

Description: Lucene QueryParsers module

File Path: C:\Users\jerem\projects\DependencyCheck\dependency-check-core\target\test-classes\lucene-queryparser-4.7.2.jar
MD5: e7c72fce30aae45d9e3ad43b24b2a58f
SHA1: 0ef6eb0d081065d3b69a4f097eec115a80f3a8f7

Identifiers

lucene-sandbox-4.7.2.jar

Description: Lucene Sandbox

File Path: C:\Users\jerem\projects\DependencyCheck\dependency-check-core\target\test-classes\lucene-sandbox-4.7.2.jar
MD5: a6e13813e4bf0d0053423a51b6588f4d
SHA1: 447747b4ddd1f2af2ae8a1759ada5988393e945c

Identifiers

lucene-test-framework-4.7.2.jar

Description: Apache Lucene Java Test Framework

File Path: C:\Users\jerem\projects\DependencyCheck\dependency-check-core\target\test-classes\lucene-test-framework-4.7.2.jar
MD5: ceef8bf76c02cb58b40d6e43a22c5165
SHA1: 194947eb27a42e777c2a02ff3b6842c8dbfd2678

Identifiers

mail-1.4.jar

Description:  The JavaMail API provides a platform-independent and protocol-independent framework to build mail and messaging applications.

License:

Common Development and Distribution License (CDDL) v1.0: https://glassfish.dev.java.net/public/CDDLv1.0.html
File Path: C:\Users\jerem\projects\DependencyCheck\dependency-check-core\target\test-classes\mail-1.4.jar
MD5: 2e64a3805d543bdb86e6e5eeca5529f8
SHA1: 1aa1579ae5ecd41920c4f355b0a9ef40b68315dd

Identifiers

CVE-2007-6059  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-399 Resource Management Errors

** DISPUTED ** Javamail does not properly handle a series of invalid login attempts in which the same e-mail address is entered as username and password, and the domain portion of this address yields a Java UnknownHostException error, which allows remote attackers to cause a denial of service (connection pool exhaustion) via a large number of requests, resulting in a SQLNestedException. NOTE: Sun disputes this issue, stating "The report makes references to source code and files that do not exist in the mentioned products."

Vulnerable Software & Versions:

mailapi-1.5.6.jar

Description: JavaMail API (no providers)

License:

https://glassfish.java.net/public/CDDL+GPL_1_1.html
File Path: C:\Users\jerem\projects\DependencyCheck\dependency-check-core\target\test-classes\mailapi-1.5.6.jar
MD5: 2d5d81cd7a3e1ca3caab3a3d70add6f7
SHA1: 8fe524d88c28362b50052200c28149bc8f1f45e4

Identifiers

CVE-2007-6059  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-399 Resource Management Errors

** DISPUTED ** Javamail does not properly handle a series of invalid login attempts in which the same e-mail address is entered as username and password, and the domain portion of this address yields a Java UnknownHostException error, which allows remote attackers to cause a denial of service (connection pool exhaustion) via a large number of requests, resulting in a SQLNestedException. NOTE: Sun disputes this issue, stating "The report makes references to source code and files that do not exist in the mentioned products."

Vulnerable Software & Versions:

maven-scm-api-1.8.1.jar

Description: The SCM API provides mechanisms to manage all SCM tools.

File Path: C:\Users\jerem\projects\DependencyCheck\dependency-check-core\target\test-classes\maven-scm-api-1.8.1.jar
MD5: c409fc1a6c9baf928cc37b2ffb852c83
SHA1: d72bcdc54a873e8bfbc53fde6200e53911c3d9fe

Identifiers

maven-scm-provider-cvs-commons-1.8.1.jar

Description: Common library for SCM CVS Provider.

File Path: C:\Users\jerem\projects\DependencyCheck\dependency-check-core\target\test-classes\maven-scm-provider-cvs-commons-1.8.1.jar
MD5: 7d35f493a22226b821b5d5363e85765c
SHA1: 97411239d474ecafcc2ab89facaf2593eb0de49b

Identifiers

maven-scm-provider-cvsexe-1.8.1.jar

Description: Executable implementation for SCM CVS Provider.

File Path: C:\Users\jerem\projects\DependencyCheck\dependency-check-core\target\test-classes\maven-scm-provider-cvsexe-1.8.1.jar
MD5: 8900abe1192b79b35aedb0f683a8b412
SHA1: 5c7bf6d2c741885d2a6c17cb044ff8e2966f69ca

Identifiers

mysql-connector-java-5.1.27-bin.jar

File Path: C:\Users\jerem\projects\DependencyCheck\dependency-check-core\target\test-classes\mysql-connector-java-5.1.27-bin.jar
MD5: 0317d93cccab2dd08a7a3cca06403e78
SHA1: 180296391137c12da3ba2a35dcc93ef23fb2c1ff

Identifiers

CVE-2015-2575  

Severity: Medium
CVSS Score: 4.9 (AV:N/AC:M/Au:S/C:P/I:P/A:N)

Unspecified vulnerability in the MySQL Connectors component in Oracle MySQL 5.1.34 and earlier allows remote authenticated users to affect confidentiality and integrity via unknown vectors related to Connector/J.

Vulnerable Software & Versions:

CVE-2014-0437  

Severity: Low
CVSS Score: 3.5 (AV:N/AC:M/Au:S/C:N/I:N/A:P)

Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.1.72 and earlier, 5.5.34 and earlier, and 5.6.14 and earlier allows remote authenticated users to affect availability via unknown vectors related to Optimizer.

Vulnerable Software & Versions:

CVE-2014-0412  

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:N/A:P)

Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.1.72 and earlier, 5.5.34 and earlier, and 5.6.14 and earlier allows remote authenticated users to affect availability via unknown vectors related to InnoDB.

Vulnerable Software & Versions:

CVE-2014-0402  

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:N/A:P)

Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.1.71 and earlier, 5.5.33 and earlier, and 5.6.13 and earlier allows remote authenticated users to affect availability via unknown vectors related to Locking.

Vulnerable Software & Versions:

CVE-2014-0401  

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:N/A:P)

Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.1.72 and earlier, 5.5.34 and earlier, and 5.6.14 and earlier allows remote authenticated users to affect availability via unknown vectors.

Vulnerable Software & Versions:

CVE-2014-0393  

Severity: Low
CVSS Score: 3.3 (AV:N/AC:L/Au:M/C:N/I:P/A:N)

Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.1.71 and earlier, 5.5.33 and earlier, and 5.6.13 and earlier allows remote authenticated users to affect integrity via unknown vectors related to InnoDB.

Vulnerable Software & Versions:

CVE-2014-0386  

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:N/A:P)

Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.1.71 and earlier, 5.5.33 and earlier, and 5.6.13 and earlier allows remote authenticated users to affect availability via unknown vectors related to Optimizer.

Vulnerable Software & Versions:

CVE-2014-0001  

Severity: High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer

Buffer overflow in client/mysql.cc in Oracle MySQL and MariaDB before 5.5.35 allows remote database servers to cause a denial of service (crash) and possibly execute arbitrary code via a long server version string.

Vulnerable Software & Versions:

CVE-2013-5908  

Severity: Low
CVSS Score: 2.6 (AV:N/AC:H/Au:N/C:N/I:N/A:P)

Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.1.72 and earlier, 5.5.34 and earlier, and 5.6.14 and earlier allows remote attackers to affect availability via unknown vectors related to Error Handling.

Vulnerable Software & Versions:

CVE-2013-3808  

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:N/A:P)

Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.1.68 and earlier, 5.5.30 and earlier, and 5.6.10 allows remote authenticated users to affect availability via unknown vectors related to Server Options.

Vulnerable Software & Versions:

CVE-2013-3804  

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:N/A:P)

Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.1.69 and earlier, 5.5.31 and earlier, and 5.6.11 and earlier allows remote authenticated users to affect availability via unknown vectors related to Server Optimizer.

Vulnerable Software & Versions:

CVE-2013-3802  

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:N/A:P)

Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.1.69 and earlier, 5.5.31 and earlier, and 5.6.11 and earlier allows remote authenticated users to affect availability via unknown vectors related to Full Text Search.

Vulnerable Software & Versions:

CVE-2013-2392  

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:N/A:P)

Unspecified vulnerability in Oracle MySQL 5.1.68 and earlier, 5.5.30 and earlier, and 5.6.10 and earlier allows remote authenticated users to affect availability via unknown vectors related to Server Optimizer.

Vulnerable Software & Versions:

CVE-2013-2391  

Severity: Low
CVSS Score: 3.0 (AV:L/AC:M/Au:S/C:P/I:P/A:N)

Unspecified vulnerability in Oracle MySQL 5.1.68 and earlier, 5.5.30 and earlier, and 5.6.10 and earlier allows local users to affect confidentiality and integrity via unknown vectors related to Server Install.

Vulnerable Software & Versions:

CVE-2013-2389  

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:N/A:P)

Unspecified vulnerability in Oracle MySQL 5.1.68 and earlier, 5.5.30 and earlier, and 5.6.10 and earlier allows remote authenticated users to affect availability via unknown vectors related to InnoDB.

Vulnerable Software & Versions:

CVE-2013-2378  

Severity: Medium
CVSS Score: 6.0 (AV:N/AC:M/Au:S/C:P/I:P/A:P)

Unspecified vulnerability in Oracle MySQL 5.1.67 and earlier, 5.5.29 and earlier, and 5.6.10 and earlier allows remote authenticated users to affect confidentiality, integrity, and availability via unknown vectors related to Information Schema.

Vulnerable Software & Versions:

CVE-2013-1555  

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:N/A:P)

Unspecified vulnerability in Oracle MySQL 5.1.67 and earlier, and 5.5.29 and earlier, allows remote authenticated users to affect availability via unknown vectors related to Server Partition.

Vulnerable Software & Versions:

CVE-2013-1552  

Severity: Medium
CVSS Score: 6.0 (AV:N/AC:M/Au:S/C:P/I:P/A:P)

Unspecified vulnerability in Oracle MySQL 5.1.67 and earlier and 5.5.29 and earlier allows remote authenticated users to affect confidentiality, integrity, and availability via unknown vectors.

Vulnerable Software & Versions:

CVE-2013-1548  

Severity: Low
CVSS Score: 3.5 (AV:N/AC:M/Au:S/C:N/I:N/A:P)

Unspecified vulnerability in Oracle MySQL 5.1.63 and earlier allows remote authenticated users to affect availability via unknown vectors related to Server Types.

Vulnerable Software & Versions:

CVE-2013-1521  

Severity: Medium
CVSS Score: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)

Unspecified vulnerability in Oracle MySQL 5.1.67 and earlier and 5.5.29 and earlier allows remote authenticated users to affect confidentiality, integrity, and availability via unknown vectors related to Server Locking.

Vulnerable Software & Versions:

CVE-2013-1506  

Severity: Low
CVSS Score: 2.8 (AV:N/AC:M/Au:M/C:N/I:N/A:P)

Unspecified vulnerability in Oracle MySQL 5.1.67 and earlier, 5.5.29 and earlier, and 5.6.10 and earlier allows remote authenticated users to affect availability via unknown vectors related to Server Locking.

Vulnerable Software & Versions:

CVE-2013-1492  

Severity: High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer

Buffer overflow in yaSSL, as used in MySQL 5.1.x before 5.1.68 and 5.5.x before 5.5.30, has unspecified impact and attack vectors, a different vulnerability than CVE-2012-0553.

Vulnerable Software & Versions:

CVE-2013-0389  

Severity: Medium
CVSS Score: 6.8 (AV:N/AC:L/Au:S/C:N/I:N/A:C)

Unspecified vulnerability in the Server component in Oracle MySQL 5.1.66 and earlier, and 5.5.28 and earlier, allows remote authenticated users to affect availability via unknown vectors related to Server Optimizer.

Vulnerable Software & Versions:

CVE-2013-0385  

Severity: Medium
CVSS Score: 6.6 (AV:L/AC:L/Au:N/C:C/I:C/A:N)

Unspecified vulnerability in the Server component in Oracle MySQL 5.1.66 and earlier, and 5.5.28 and earlier, allows local users to affect confidentiality and integrity via unknown vectors related to Server Replication.

Vulnerable Software & Versions:

CVE-2013-0384  

Severity: Medium
CVSS Score: 6.8 (AV:N/AC:L/Au:S/C:N/I:N/A:C)

Unspecified vulnerability in the Server component in Oracle MySQL 5.1.66 and earlier, and 5.5.28 and earlier, allows remote authenticated users to affect availability via unknown vectors related to Information Schema.

Vulnerable Software & Versions:

CVE-2013-0383  

Severity: Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:N/A:P)

Unspecified vulnerability in the Server component in Oracle MySQL 5.1.66 and earlier, and 5.5.28 and earlier, allows remote attackers to affect availability via unknown vectors related to Server Locking.

Vulnerable Software & Versions:

CVE-2013-0375  

Severity: Medium
CVSS Score: 5.5 (AV:N/AC:L/Au:S/C:P/I:P/A:N)

Unspecified vulnerability in the Server component in Oracle MySQL 5.1.66 and earlier, and 5.1.28 and earlier, allows remote authenticated users to affect confidentiality and integrity via unknown vectors related to Server Replication.

Vulnerable Software & Versions:

CVE-2012-5627  

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-255 Credentials Management

Oracle MySQL and MariaDB 5.5.x before 5.5.29, 5.3.x before 5.3.12, and 5.2.x before 5.2.14 does not modify the salt during multiple executions of the change_user command within the same connection which makes it easier for remote authenticated users to conduct brute force password guessing attacks.

Vulnerable Software & Versions:

CVE-2012-5060  

Severity: Medium
CVSS Score: 6.8 (AV:N/AC:L/Au:S/C:N/I:N/A:C)

Unspecified vulnerability in the Server component in Oracle MySQL 5.1.65 and earlier and 5.5.27 and earlier allows remote authenticated users to affect availability, related to GIS Extension.

Vulnerable Software & Versions:

CVE-2012-3197  

Severity: Low
CVSS Score: 3.5 (AV:N/AC:M/Au:S/C:N/I:N/A:P)

Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.1.64 and earlier, and 5.5.26 and earlier, allows remote authenticated users to affect availability via unknown vectors related to Server Replication.

Vulnerable Software & Versions:

CVE-2012-3180  

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:N/A:P)

Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.1.65 and earlier, and 5.5.27 and earlier, allows remote authenticated users to affect availability via unknown vectors related to Server Optimizer.

Vulnerable Software & Versions:

CVE-2012-3177  

Severity: Medium
CVSS Score: 6.8 (AV:N/AC:L/Au:S/C:N/I:N/A:C)

Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.1.65 and earlier, and 5.5.27 and earlier, allows remote authenticated users to affect availability via unknown vectors related to Server.

Vulnerable Software & Versions:

CVE-2012-3173  

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:N/A:P)

Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.1.63 and earlier, and 5.5.25 and earlier, allows remote authenticated users to affect availability via unknown vectors related to InnoDB Plugin.

Vulnerable Software & Versions:

CVE-2012-3167  

Severity: Low
CVSS Score: 3.5 (AV:N/AC:M/Au:S/C:N/I:N/A:P)

Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.1.63 and earlier, and 5.5.25 and earlier, allows remote authenticated users to affect availability via unknown vectors related to Server Full Text Search.

Vulnerable Software & Versions:

CVE-2012-3166  

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:N/A:P)

Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.1.63 and earlier, and 5.5.25 and earlier, allows remote authenticated users to affect availability via unknown vectors related to InnoDB.

Vulnerable Software & Versions:

CVE-2012-3163  

Severity: High
CVSS Score: 9.0 (AV:N/AC:L/Au:S/C:C/I:C/A:C)

Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.1.64 and earlier, and 5.5.26 and earlier, allows remote authenticated users to affect confidentiality, integrity, and availability via unknown vectors related to Information Schema.

Vulnerable Software & Versions:

CVE-2012-3160  

Severity: Low
CVSS Score: 2.1 (AV:L/AC:L/Au:N/C:P/I:N/A:N)

Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.1.65 and earlier, and 5.5.27 and earlier, allows local users to affect confidentiality via unknown vectors related to Server Installation.

Vulnerable Software & Versions:

CVE-2012-3158  

Severity: High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)

Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.1.64 and earlier, and 5.5.26 and earlier, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Protocol.

Vulnerable Software & Versions:

CVE-2012-3150  

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:N/A:P)

Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.1.64 and earlier, and 5.5.26 and earlier, allows remote authenticated users to affect availability via unknown vectors related to Server Optimizer.

Vulnerable Software & Versions:

CVE-2012-2749  

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:N/A:P)
CWE: CWE-399 Resource Management Errors

MySQL 5.1.x before 5.1.63 and 5.5.x before 5.5.24 allows remote authenticated users to cause a denial of service (mysqld crash) via vectors related to incorrect calculation and a sort order index.

Vulnerable Software & Versions:

CVE-2012-2102  

Severity: Low
CVSS Score: 3.5 (AV:N/AC:M/Au:S/C:N/I:N/A:P)
CWE: CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer

MySQL 5.1.x before 5.1.62 and 5.5.x before 5.5.22 allows remote authenticated users to cause a denial of service (assertion failure and mysqld abort) by deleting a record and using HANDLER READ NEXT.

Vulnerable Software & Versions:

CVE-2012-1734  

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:N/A:P)

Unspecified vulnerability in Oracle MySQL Server 5.1.62 and earlier, and 5.5.23 and earlier, allows remote authenticated users to affect availability via unknown vectors related to Server Optimizer.

Vulnerable Software & Versions:

CVE-2012-1705  

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:N/A:P)

Unspecified vulnerability in the Server component in Oracle MySQL 5.1.66 and earlier and 5.5.28 and earlier allows remote authenticated users to affect availability via unknown vectors related to Server Optimizer.

Vulnerable Software & Versions:

CVE-2012-1703  

Severity: Medium
CVSS Score: 6.8 (AV:N/AC:L/Au:S/C:N/I:N/A:C)

Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.1.61 and earlier, and 5.5.21 and earlier, allows remote authenticated users to affect availability via unknown vectors related to Server Optimizer.

Vulnerable Software & Versions:

CVE-2012-1702  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)

Unspecified vulnerability in the Server component in Oracle MySQL 5.1.66 and earlier and 5.5.28 and earlier allows remote attackers to affect availability via unknown vectors.

Vulnerable Software & Versions:

CVE-2012-1697  

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:N/A:P)

Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.5.21 and earlier allows remote authenticated users to affect availability via unknown vectors related to Partition.

Vulnerable Software & Versions:

CVE-2012-1696  

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:N/A:P)

Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.5.19 and earlier allows remote authenticated users to affect availability via unknown vectors related to Server Optimizer.

Vulnerable Software & Versions:

CVE-2012-1690  

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:N/A:P)

Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.1.61 and earlier, and 5.5.21 and earlier, allows remote authenticated users to affect availability via unknown vectors related to Server Optimizer.

Vulnerable Software & Versions:

CVE-2012-1689  

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:N/A:P)

Unspecified vulnerability in Oracle MySQL Server 5.1.62 and earlier, and 5.5.22 and earlier, allows remote authenticated users to affect availability via unknown vectors related to Server Optimizer.

Vulnerable Software & Versions:

CVE-2012-1688  

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:N/A:P)

Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.1.61 and earlier, and 5.5.21 and earlier, allows remote authenticated users to affect availability, related to Server DML.

Vulnerable Software & Versions:

CVE-2012-0882  

Severity: High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer

Buffer overflow in yaSSL, as used in MySQL 5.5.20 and possibly other versions including 5.5.x before 5.5.22 and 5.1.x before 5.1.62, allows remote attackers to execute arbitrary code via unspecified vectors, as demonstrated by VulnDisco Pack Professional 9.17. NOTE: as of 20120224, this disclosure has no actionable information. However, because the module author is a reliable researcher, the issue is being assigned a CVE identifier for tracking purposes. NOTE: due to lack of details, it is not clear whether this issue is a duplicate of CVE-2012-0492 or another CVE.

Vulnerable Software & Versions:

CVE-2012-0583  

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:N/A:P)

Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.1.60 and earlier, and 5.5.19 and earlier, allows remote authenticated users to affect availability, related to MyISAM.

Vulnerable Software & Versions:

CVE-2012-0574  

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:N/A:P)

Unspecified vulnerability in the Server component in Oracle MySQL 5.1.66 and earlier, and 5.5.28 and earlier, allows remote authenticated users to affect availability via unknown vectors.

Vulnerable Software & Versions:

CVE-2012-0572  

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:N/A:P)

Unspecified vulnerability in the Server component in Oracle MySQL 5.1.66 and earlier and 5.5.28 and earlier allows remote authenticated users to affect availability via unknown vectors related to InnoDB.

Vulnerable Software & Versions:

CVE-2012-0553  

Severity: High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer

Buffer overflow in yaSSL, as used in MySQL 5.1.x before 5.1.68 and 5.5.x before 5.5.28, has unspecified impact and attack vectors, a different vulnerability than CVE-2013-1492.

Vulnerable Software & Versions:

CVE-2012-0540  

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:N/A:P)

Unspecified vulnerability in Oracle MySQL Server 5.1.62 and earlier and 5.5.23 and earlier allows remote authenticated users to affect availability, related to GIS Extension.

Vulnerable Software & Versions:

CVE-2012-0492  

Severity: Low
CVSS Score: 2.1 (AV:N/AC:H/Au:S/C:N/I:N/A:P)

Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.1.x and 5.5.x allows remote authenticated users to affect availability via unknown vectors, a different vulnerability than CVE-2012-0112, CVE-2012-0115, CVE-2012-0119, CVE-2012-0120, and CVE-2012-0485.

Vulnerable Software & Versions:

CVE-2012-0490  

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:N/A:P)

Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.0.x, 5.1.x, and 5.5.x allows remote authenticated users to affect availability via unknown vectors.

Vulnerable Software & Versions:

CVE-2012-0485  

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:N/A:P)

Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.1.x and 5.5.x allows remote authenticated users to affect availability via unknown vectors, a different vulnerability than CVE-2012-0112, CVE-2012-0115, CVE-2012-0119, CVE-2012-0120, and CVE-2012-0492.

Vulnerable Software & Versions:

CVE-2012-0484  

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)

Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.0.x, 5.1.x, and 5.5.x allows remote authenticated users to affect confidentiality via unknown vectors.

Vulnerable Software & Versions:

CVE-2012-0120  

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:N/A:P)

Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.1.x and 5.5.x allows remote authenticated users to affect availability via unknown vectors, a different vulnerability than CVE-2012-0112, CVE-2012-0115, CVE-2012-0119, CVE-2012-0485, and CVE-2012-0492.

Vulnerable Software & Versions:

CVE-2012-0119  

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:N/A:P)

Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.1.x and 5.5.x allows remote authenticated users to affect availability via unknown vectors, a different vulnerability than CVE-2012-0112, CVE-2012-0115, CVE-2012-0120, CVE-2012-0485, and CVE-2012-0492.

Vulnerable Software & Versions:

CVE-2012-0118  

Severity: Medium
CVSS Score: 4.9 (AV:N/AC:M/Au:S/C:P/I:N/A:P)

Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.1.x and 5.5.x allows remote authenticated users to affect confidentiality and availability via unknown vectors, a different vulnerability than CVE-2012-0113.

Vulnerable Software & Versions:

CVE-2012-0116  

Severity: Medium
CVSS Score: 4.9 (AV:N/AC:M/Au:S/C:P/I:P/A:N)

Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.1.x and 5.5.x allows remote authenticated users to affect confidentiality and integrity via unknown vectors.

Vulnerable Software & Versions:

CVE-2012-0115  

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:N/A:P)

Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.1.x and 5.5.x allows remote authenticated users to affect availability via unknown vectors, a different vulnerability than CVE-2012-0112, CVE-2012-0119, CVE-2012-0120, CVE-2012-0485, and CVE-2012-0492.

Vulnerable Software & Versions:

CVE-2012-0114  

Severity: Low
CVSS Score: 3.0 (AV:L/AC:M/Au:S/C:P/I:P/A:N)

Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.0.x, 5.1.x, and 5.5.x allows local users to affect confidentiality and integrity via unknown vectors.

Vulnerable Software & Versions:

CVE-2012-0113  

Severity: Medium
CVSS Score: 5.5 (AV:N/AC:L/Au:S/C:P/I:N/A:P)

Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.1.x and 5.5.x allows remote authenticated users to affect confidentiality and availability via unknown vectors, a different vulnerability than CVE-2012-0118.

Vulnerable Software & Versions:

CVE-2012-0112  

Severity: Low
CVSS Score: 3.5 (AV:N/AC:M/Au:S/C:N/I:N/A:P)

Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.1.x and 5.5.x allows remote authenticated users to affect availability via unknown vectors, a different vulnerability than CVE-2012-0115, CVE-2012-0119, CVE-2012-0120, CVE-2012-0485, and CVE-2012-0492.

Vulnerable Software & Versions:

CVE-2012-0102  

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:N/A:P)

Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.0.x and 5.1.x allows remote authenticated users to affect availability via unknown vectors, a different vulnerability than CVE-2012-0087 and CVE-2012-0101.

Vulnerable Software & Versions:

CVE-2012-0101  

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:N/A:P)

Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.0.x and 5.1.x allows remote authenticated users to affect availability via unknown vectors, a different vulnerability than CVE-2012-0087 and CVE-2012-0102.

Vulnerable Software & Versions:

CVE-2012-0087  

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:N/A:P)

Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.0.x and 5.1.x allows remote authenticated users to affect availability via unknown vectors, a different vulnerability than CVE-2012-0101 and CVE-2012-0102.

Vulnerable Software & Versions:

CVE-2012-0075  

Severity: Low
CVSS Score: 1.7 (AV:N/AC:H/Au:M/C:N/I:P/A:N)

Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.0.x, 5.1.x, and 5.5.x allows remote authenticated users to affect integrity via unknown vectors.

Vulnerable Software & Versions:

CVE-2011-2262  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)

Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.1.x and 5.5.x allows remote attackers to affect availability via unknown vectors.

Vulnerable Software & Versions:

CVE-2010-3840  

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:N/A:P)

The Gis_line_string::init_from_wkb function in sql/spatial.cc in MySQL 5.1 before 5.1.51 allows remote authenticated users to cause a denial of service (server crash) by calling the PolyFromWKB function with Well-Known Binary (WKB) data containing a crafted number of (1) line strings or (2) line points.

Vulnerable Software & Versions:

CVE-2010-3839  

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:N/A:P)

MySQL 5.1 before 5.1.51 and 5.5 before 5.5.6 allows remote authenticated users to cause a denial of service (infinite loop) via multiple invocations of a (1) prepared statement or (2) stored procedure that creates a query with nested JOIN statements.

Vulnerable Software & Versions:

CVE-2010-3838  

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:N/A:P)

MySQL 5.0 before 5.0.92, 5.1 before 5.1.51, and 5.5 before 5.5.6 allows remote authenticated users to cause a denial of service (server crash) via a query that uses the (1) GREATEST or (2) LEAST function with a mixed list of numeric and LONGBLOB arguments, which is not properly handled when the function's result is "processed using an intermediate temporary table."

Vulnerable Software & Versions:

CVE-2010-3837  

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:N/A:P)
CWE: CWE-399 Resource Management Errors

MySQL 5.0 before 5.0.92, 5.1 before 5.1.51, and 5.5 before 5.5.6 allows remote authenticated users to cause a denial of service (server crash) via a prepared statement that uses GROUP_CONCAT with the WITH ROLLUP modifier, probably triggering a use-after-free error when a copied object is modified in a way that also affects the original object.

Vulnerable Software & Versions:

CVE-2010-3836  

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:N/A:P)
CWE: CWE-399 Resource Management Errors

MySQL 5.0 before 5.0.92, 5.1 before 5.1.51, and 5.5 before 5.5.6 allows remote authenticated users to cause a denial of service (assertion failure and server crash) via vectors related to view preparation, pre-evaluation of LIKE predicates, and IN Optimizers.

Vulnerable Software & Versions:

CVE-2010-3835  

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:N/A:P)
CWE: CWE-189 Numeric Errors

MySQL 5.1 before 5.1.51 and 5.5 before 5.5.6 allows remote authenticated users to cause a denial of service (mysqld server crash) by performing a user-variable assignment in a logical expression that is calculated and stored in a temporary table for GROUP BY, then causing the expression value to be used after the table is created, which causes the expression to be re-evaluated instead of accessing its value from the table.

Vulnerable Software & Versions:

CVE-2010-3834  

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:N/A:P)

Unspecified vulnerability in MySQL 5.0 before 5.0.92, 5.1 before 5.1.51, and 5.5 before 5.5.6 allows remote authenticated users to cause a denial of service (server crash) via vectors related to "materializing a derived table that required a temporary table for grouping" and "user variable assignments."

Vulnerable Software & Versions:

CVE-2010-3833  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-399 Resource Management Errors

MySQL 5.0 before 5.0.92, 5.1 before 5.1.51, and 5.5 before 5.5.6 does not properly propagate type errors, which allows remote attackers to cause a denial of service (server crash) via crafted arguments to extreme-value functions such as (1) LEAST and (2) GREATEST, related to KILL_BAD_DATA and a "CREATE TABLE ... SELECT."

Vulnerable Software & Versions:

CVE-2010-3683  

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:N/A:P)

Oracle MySQL 5.1 before 5.1.49 and 5.5 before 5.5.5 sends an OK packet when a LOAD DATA INFILE request generates SQL errors, which allows remote authenticated users to cause a denial of service (mysqld daemon crash) via a crafted request.

Vulnerable Software & Versions:

CVE-2010-3682  

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:N/A:P)

Oracle MySQL 5.1 before 5.1.49 and 5.0 before 5.0.92 allows remote authenticated users to cause a denial of service (mysqld daemon crash) by using EXPLAIN with crafted "SELECT ... UNION ... ORDER BY (SELECT ... WHERE ...)" statements, which triggers a NULL pointer dereference in the Item_singlerow_subselect::store function.

Vulnerable Software & Versions:

CVE-2010-3681  

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:N/A:P)

Oracle MySQL 5.1 before 5.1.49 and 5.5 before 5.5.5 allows remote authenticated users to cause a denial of service (mysqld daemon crash) by using the HANDLER interface and performing "alternate reads from two indexes on a table," which triggers an assertion failure.

Vulnerable Software & Versions:

CVE-2010-3680  

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:N/A:P)

Oracle MySQL 5.1 before 5.1.49 allows remote authenticated users to cause a denial of service (mysqld daemon crash) by creating temporary tables with nullable columns while using InnoDB, which triggers an assertion failure.

Vulnerable Software & Versions:

CVE-2010-3679  

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:N/A:P)
CWE: CWE-399 Resource Management Errors

Oracle MySQL 5.1 before 5.1.49 allows remote authenticated users to cause a denial of service (mysqld daemon crash) via certain arguments to the BINLOG command, which triggers an access of uninitialized memory, as demonstrated by valgrind.

Vulnerable Software & Versions:

CVE-2010-3678  

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:N/A:P)
CWE: CWE-399 Resource Management Errors

Oracle MySQL 5.1 before 5.1.49 allows remote authenticated users to cause a denial of service (crash) via (1) IN or (2) CASE operations with NULL arguments that are explicitly specified or indirectly provided by the WITH ROLLUP modifier.

Vulnerable Software & Versions:

CVE-2010-3677  

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:N/A:P)
CWE: CWE-399 Resource Management Errors

Oracle MySQL 5.1 before 5.1.49 and 5.0 before 5.0.92 allows remote authenticated users to cause a denial of service (mysqld daemon crash) via a join query that uses a table with a unique SET column.

Vulnerable Software & Versions:

CVE-2010-3676  

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:N/A:P)

storage/innobase/dict/dict0crea.c in mysqld in Oracle MySQL 5.1 before 5.1.49 allows remote authenticated users to cause a denial of service (assertion failure) by modifying the (1) innodb_file_format or (2) innodb_file_per_table configuration parameters for the InnoDB storage engine, then executing a DDL statement.

Vulnerable Software & Versions:

CVE-2010-2008  

Severity: Low
CVSS Score: 3.5 (AV:N/AC:M/Au:S/C:N/I:N/A:P)
CWE: CWE-20 Improper Input Validation

MySQL before 5.1.48 allows remote authenticated users with alter database privileges to cause a denial of service (server crash and database loss) via an ALTER DATABASE command with a #mysql50# string followed by a . (dot), .. (dot dot), ../ (dot dot slash) or similar sequence, and an UPGRADE DATA DIRECTORY NAME command, which causes MySQL to move certain directories to the server data directory.

Vulnerable Software & Versions:

CVE-2010-1626  

Severity: Low
CVSS Score: 3.6 (AV:L/AC:L/Au:N/C:N/I:P/A:P)
CWE: CWE-59 Improper Link Resolution Before File Access ('Link Following')

MySQL before 5.1.46 allows local users to delete the data and index files of another user's MyISAM table via a symlink attack in conjunction with the DROP TABLE command, a different vulnerability than CVE-2008-4098 and CVE-2008-7247.

Vulnerable Software & Versions:

CVE-2010-1621  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)
CWE: CWE-264 Permissions, Privileges, and Access Controls

The mysql_uninstall_plugin function in sql/sql_plugin.cc in MySQL 5.1 before 5.1.46 does not check privileges before uninstalling a plugin, which allows remote attackers to uninstall arbitrary plugins via the UNINSTALL PLUGIN command.

Vulnerable Software & Versions:

CVE-2009-5026  

Severity: Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

The executable comment feature in MySQL 5.0.x before 5.0.93 and 5.1.x before 5.1.50, when running in certain slave configurations in which the slave is running a newer version than the master, allows remote attackers to execute arbitrary SQL commands via custom comments.

Vulnerable Software & Versions:

CVE-2009-4028  

Severity: Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-20 Improper Input Validation

The vio_verify_callback function in viosslfactories.c in MySQL 5.0.x before 5.0.88 and 5.1.x before 5.1.41, when OpenSSL is used, accepts a value of zero for the depth of X.509 certificates, which allows man-in-the-middle attackers to spoof arbitrary SSL-based MySQL servers via a crafted certificate, as demonstrated by a certificate presented by a server linked against the yaSSL library.

Vulnerable Software & Versions:

CVE-2009-0819  

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:N/A:P)

sql/item_xmlfunc.cc in MySQL 5.1 before 5.1.32 and 6.0 before 6.0.10 allows remote authenticated users to cause a denial of service (crash) via "an XPath expression employing a scalar expression as a FilterExpr with ExtractValue() or UpdateXML()," which triggers an assertion failure.

Vulnerable Software & Versions:

CVE-2008-4098  

Severity: Medium
CVSS Score: 4.6 (AV:N/AC:H/Au:S/C:P/I:P/A:P)
CWE: CWE-59 Improper Link Resolution Before File Access ('Link Following')

MySQL before 5.0.67 allows local users to bypass certain privilege checks by calling CREATE TABLE on a MyISAM table with modified (1) DATA DIRECTORY or (2) INDEX DIRECTORY arguments that are originally associated with pathnames without symlinks, and that can point to tables created at a future time at which a pathname is modified to contain a symlink to a subdirectory of the MySQL home data directory. NOTE: this vulnerability exists because of an incomplete fix for CVE-2008-4097.

Vulnerable Software & Versions:

CVE-2008-0226  

Severity: High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer

Multiple buffer overflows in yaSSL 1.7.5 and earlier, as used in MySQL and possibly other products, allow remote attackers to execute arbitrary code via (1) the ProcessOldClientHello function in handshake.cpp or (2) "input_buffer& operator>>" in yassl_imp.cpp.

Vulnerable Software & Versions:

neethi-2.0.4.jar

Description: Apache Neethi provides a general framework for programmers to use WS Policy. It is compliant with the latest WS Policy specification, which was published in March 2006. This framework is specifically written to enable the Apache Web services stack to use WS Policy as a way of expressing its requirements and capabilities.

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\Users\jerem\projects\DependencyCheck\dependency-check-core\target\test-classes\neethi-2.0.4.jar
MD5: 3f0948a3b1316dfc94f9abce02da8901
SHA1: c5bbf05c56ef0d68eec17a7eb1ed9241052fd763

Identifiers

debug/package.json

File Path: C:\Users\jerem\projects\DependencyCheck\dependency-check-core\target\test-classes\nodejs\node_modules\dns-sync\node_modules\debug\package.json
MD5: 8bde2d664cbfbe632bb74602151feefa
SHA1: 66db3474c54858d0d9005c4de8c3ec6f0cbe8a3b

Identifiers

  • None

shelljs/package.json

File Path: C:\Users\jerem\projects\DependencyCheck\dependency-check-core\target\test-classes\nodejs\node_modules\dns-sync\node_modules\shelljs\package.json
MD5: 3fa247269c2cc51f43108eca3bc041df
SHA1: 0826e1bf6c1950eb6e5193b58b35c4f5f2820b59

Identifiers

  • None

dns-sync/package.json

File Path: C:\Users\jerem\projects\DependencyCheck\dependency-check-core\target\test-classes\nodejs\node_modules\dns-sync\package.json
MD5: 315fc29c23ad89bad4173f1891fd62ba
SHA1: 30f69d1288fd405cdba7e3d17947433a7999a4b1

Identifiers

CVE-2014-9682  

Severity: High
CVSS Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
CWE: CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')

The dns-sync module before 0.1.1 for node.js allows context-dependent attackers to execute arbitrary commands via shell metacharacters in the first argument to the resolve API function.

Vulnerable Software & Versions:

ognl-2.6.11.jar

File Path: C:\Users\jerem\projects\DependencyCheck\dependency-check-core\target\test-classes\ognl-2.6.11.jar
MD5: 1173ec5f8b1f6fb1473f4546d4b83bba
SHA1: 0c3f31f4a65461c44e6697bf29070e638bef09d8

Identifiers

openjpa-2.0.1.jar

Description: Apache OpenJPA implementation of JSR-317 JPA 2.0

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\Users\jerem\projects\DependencyCheck\dependency-check-core\target\test-classes\openjpa-2.0.1.jar
MD5: d7bb08188165023ec883e32f4d636888
SHA1: 09b61112d8d8a100b06174074631c8a43e3e0a91

Identifiers

CVE-2013-1768  

Severity: High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls

The BrokerFactory functionality in Apache OpenJPA 1.x before 1.2.3 and 2.x before 2.2.2 creates local executable JSP files containing logging trace data produced during deserialization of certain crafted OpenJPA objects, which makes it easier for remote attackers to execute arbitrary code by creating a serialized object and leveraging improperly secured server programs.

Vulnerable Software & Versions:

openssl\opensslv.h

File Path: C:\Users\jerem\projects\DependencyCheck\dependency-check-core\target\test-classes\openssl\opensslv.h
MD5: 3d2889670d528538224b1618ef68f6c2
SHA1: 5eb05c0b783ccbcdc53d0109eab74b3c6e4a4e2c

Identifiers

CVE-2016-6306  

Severity: Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:N/A:P)
CWE: CWE-125 Out-of-bounds Read

The certificate parser in OpenSSL before 1.0.1u and 1.0.2 before 1.0.2i might allow remote attackers to cause a denial of service (out-of-bounds read) via crafted certificate operations, related to s3_clnt.c and s3_srvr.c.

Vulnerable Software & Versions:

CVE-2016-6304  

Severity: High
CVSS Score: 7.8 (AV:N/AC:L/Au:N/C:N/I:N/A:C)
CWE: CWE-399 Resource Management Errors

Multiple memory leaks in t1_lib.c in OpenSSL before 1.0.1u, 1.0.2 before 1.0.2i, and 1.1.0 before 1.1.0a allow remote attackers to cause a denial of service (memory consumption) via large OCSP Status Request extensions.

Vulnerable Software & Versions:

CVE-2016-6303  

Severity: High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-787 Out-of-bounds Write

Integer overflow in the MDC2_Update function in crypto/mdc2/mdc2dgst.c in OpenSSL before 1.1.0 allows remote attackers to cause a denial of service (out-of-bounds write and application crash) or possibly have unspecified other impact via unknown vectors.

Vulnerable Software & Versions:

CVE-2016-6302  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-20 Improper Input Validation

The tls_decrypt_ticket function in ssl/t1_lib.c in OpenSSL before 1.1.0 does not consider the HMAC size during validation of the ticket length, which allows remote attackers to cause a denial of service via a ticket that is too short.

Vulnerable Software & Versions:

CVE-2016-2842  

Severity: High
CVSS Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
CWE: CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer

The doapr_outch function in crypto/bio/b_print.c in OpenSSL 1.0.1 before 1.0.1s and 1.0.2 before 1.0.2g does not verify that a certain memory allocation succeeds, which allows remote attackers to cause a denial of service (out-of-bounds write or memory consumption) or possibly have unspecified other impact via a long string, as demonstrated by a large amount of ASN.1 data, a different vulnerability than CVE-2016-0799.

Vulnerable Software & Versions:

CVE-2016-2182  

Severity: High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-787 Out-of-bounds Write

The BN_bn2dec function in crypto/bn/bn_print.c in OpenSSL before 1.1.0 does not properly validate division results, which allows remote attackers to cause a denial of service (out-of-bounds write and application crash) or possibly have unspecified other impact via unknown vectors.

Vulnerable Software & Versions:

CVE-2016-2181  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-189 Numeric Errors

The Anti-Replay feature in the DTLS implementation in OpenSSL before 1.1.0 mishandles early use of a new epoch number in conjunction with a large sequence number, which allows remote attackers to cause a denial of service (false-positive packet drops) via spoofed DTLS records, related to rec_layer_d1.c and ssl3_record.c.

Vulnerable Software & Versions:

CVE-2016-2180  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-125 Out-of-bounds Read

The TS_OBJ_print_bio function in crypto/ts/ts_lib.c in the X.509 Public Key Infrastructure Time-Stamp Protocol (TSP) implementation in OpenSSL through 1.0.2h allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via a crafted time-stamp file that is mishandled by the "openssl ts" command.

Vulnerable Software & Versions:

CVE-2016-2179  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-399 Resource Management Errors

The DTLS implementation in OpenSSL before 1.1.0 does not properly restrict the lifetime of queue entries associated with unused out-of-order messages, which allows remote attackers to cause a denial of service (memory consumption) by maintaining many crafted DTLS sessions simultaneously, related to d1_lib.c, statem_dtls.c, statem_lib.c, and statem_srvr.c.

Vulnerable Software & Versions:

CVE-2016-2178  

Severity: Low
CVSS Score: 2.1 (AV:L/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

The dsa_sign_setup function in crypto/dsa/dsa_ossl.c in OpenSSL through 1.0.2h does not properly ensure the use of constant-time operations, which makes it easier for local users to discover a DSA private key via a timing side-channel attack.

Vulnerable Software & Versions:

CVE-2016-2177  

Severity: Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:N/A:P)

OpenSSL through 1.0.2h incorrectly uses pointer arithmetic for heap-buffer boundary checks, which might allow remote attackers to cause a denial of service (integer overflow and application crash) or possibly have unspecified other impact by leveraging unexpected malloc behavior, related to s3_srvr.c, ssl_sess.c, and t1_lib.c.

Vulnerable Software & Versions:

CVE-2016-2176  

Severity: Medium
CVSS Score: 6.4 (AV:N/AC:L/Au:N/C:P/I:N/A:P)
CWE: CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer

The X509_NAME_oneline function in crypto/x509/x509_obj.c in OpenSSL before 1.0.1t and 1.0.2 before 1.0.2h allows remote attackers to obtain sensitive information from process stack memory or cause a denial of service (buffer over-read) via crafted EBCDIC ASN.1 data.

Vulnerable Software & Versions:

CVE-2016-2109  

Severity: High
CVSS Score: 7.8 (AV:N/AC:L/Au:N/C:N/I:N/A:C)
CWE: CWE-399 Resource Management Errors

The asn1_d2i_read_bio function in crypto/asn1/a_d2i_fp.c in the ASN.1 BIO implementation in OpenSSL before 1.0.1t and 1.0.2 before 1.0.2h allows remote attackers to cause a denial of service (memory consumption) via a short invalid encoding.

Vulnerable Software & Versions:

CVE-2016-2107  

Severity: Low
CVSS Score: 2.6 (AV:N/AC:H/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

The AES-NI implementation in OpenSSL before 1.0.1t and 1.0.2 before 1.0.2h does not consider memory allocation during a certain padding check, which allows remote attackers to obtain sensitive cleartext information via a padding-oracle attack against an AES CBC session. NOTE: this vulnerability exists because of an incorrect fix for CVE-2013-0169.

Vulnerable Software & Versions:

CVE-2016-2106  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-189 Numeric Errors

Integer overflow in the EVP_EncryptUpdate function in crypto/evp/evp_enc.c in OpenSSL before 1.0.1t and 1.0.2 before 1.0.2h allows remote attackers to cause a denial of service (heap memory corruption) via a large amount of data.

Vulnerable Software & Versions:

CVE-2016-2105  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-189 Numeric Errors

Integer overflow in the EVP_EncodeUpdate function in crypto/evp/encode.c in OpenSSL before 1.0.1t and 1.0.2 before 1.0.2h allows remote attackers to cause a denial of service (heap memory corruption) via a large amount of binary data.

Vulnerable Software & Versions:

CVE-2016-0800  

Severity: Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

The SSLv2 protocol, as used in OpenSSL before 1.0.1s and 1.0.2 before 1.0.2g and other products, requires a server to send a ServerVerify message before establishing that a client possesses certain plaintext RSA data, which makes it easier for remote attackers to decrypt TLS ciphertext data by leveraging a Bleichenbacher RSA padding oracle, aka a "DROWN" attack.

Vulnerable Software & Versions:

CVE-2016-0799  

Severity: High
CVSS Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
CWE: CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer

The fmtstr function in crypto/bio/b_print.c in OpenSSL 1.0.1 before 1.0.1s and 1.0.2 before 1.0.2g improperly calculates string lengths, which allows remote attackers to cause a denial of service (overflow and out-of-bounds read) or possibly have unspecified other impact via a long string, as demonstrated by a large amount of ASN.1 data, a different vulnerability than CVE-2016-2842.

Vulnerable Software & Versions:

CVE-2016-0798  

Severity: High
CVSS Score: 7.8 (AV:N/AC:L/Au:N/C:N/I:N/A:C)
CWE: CWE-399 Resource Management Errors

Memory leak in the SRP_VBASE_get_by_user implementation in OpenSSL 1.0.1 before 1.0.1s and 1.0.2 before 1.0.2g allows remote attackers to cause a denial of service (memory consumption) by providing an invalid username in a connection attempt, related to apps/s_server.c and crypto/srp/srp_vfy.c.

Vulnerable Software & Versions:

CVE-2016-0797  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)

Multiple integer overflows in OpenSSL 1.0.1 before 1.0.1s and 1.0.2 before 1.0.2g allow remote attackers to cause a denial of service (heap memory corruption or NULL pointer dereference) or possibly have unspecified other impact via a long digit string that is mishandled by the (1) BN_dec2bn or (2) BN_hex2bn function, related to crypto/bn/bn.h and crypto/bn/bn_print.c.

Vulnerable Software & Versions:

CVE-2016-0705  

Severity: High
CVSS Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)

Double free vulnerability in the dsa_priv_decode function in crypto/dsa/dsa_ameth.c in OpenSSL 1.0.1 before 1.0.1s and 1.0.2 before 1.0.2g allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via a malformed DSA private key.

Vulnerable Software & Versions:

CVE-2016-0702  

Severity: Low
CVSS Score: 1.9 (AV:L/AC:M/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

The MOD_EXP_CTIME_COPY_FROM_PREBUF function in crypto/bn/bn_exp.c in OpenSSL 1.0.1 before 1.0.1s and 1.0.2 before 1.0.2g does not properly consider cache-bank access times during modular exponentiation, which makes it easier for local users to discover RSA keys by running a crafted application on the same Intel Sandy Bridge CPU core as a victim and leveraging cache-bank conflicts, aka a "CacheBleed" attack.

Vulnerable Software & Versions:

CVE-2016-0701  

Severity: Low
CVSS Score: 2.6 (AV:N/AC:H/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

The DH_check_pub_key function in crypto/dh/dh_check.c in OpenSSL 1.0.2 before 1.0.2f does not ensure that prime numbers are appropriate for Diffie-Hellman (DH) key exchange, which makes it easier for remote attackers to discover a private DH exponent by making multiple handshakes with a peer that chose an inappropriate number, as demonstrated by a number in an X9.42 file.

Vulnerable Software & Versions:

CVE-2015-3197  

Severity: Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

ssl/s2_srvr.c in OpenSSL 1.0.1 before 1.0.1r and 1.0.2 before 1.0.2f does not prevent use of disabled ciphers, which makes it easier for man-in-the-middle attackers to defeat cryptographic protection mechanisms by performing computations on SSLv2 traffic, related to the get_client_master_key and get_client_hello functions.

Vulnerable Software & Versions:

CVE-2015-3195  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-200 Information Exposure

The ASN1_TFLG_COMBINE implementation in crypto/asn1/tasn_dec.c in OpenSSL before 0.9.8zh, 1.0.0 before 1.0.0t, 1.0.1 before 1.0.1q, and 1.0.2 before 1.0.2e mishandles errors caused by malformed X509_ATTRIBUTE data, which allows remote attackers to obtain sensitive information from process memory by triggering a decoding failure in a PKCS#7 or CMS application.

Vulnerable Software & Versions:

CVE-2015-3194  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)

crypto/rsa/rsa_ameth.c in OpenSSL 1.0.1 before 1.0.1q and 1.0.2 before 1.0.2e allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via an RSA PSS ASN.1 signature that lacks a mask generation function parameter.

Vulnerable Software & Versions:

CVE-2015-3193  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

The Montgomery squaring implementation in crypto/bn/asm/x86_64-mont5.pl in OpenSSL 1.0.2 before 1.0.2e on the x86_64 platform, as used by the BN_mod_exp function, mishandles carry propagation and produces incorrect output, which makes it easier for remote attackers to obtain sensitive private-key information via an attack against use of a (1) Diffie-Hellman (DH) or (2) Diffie-Hellman Ephemeral (DHE) ciphersuite.

Vulnerable Software & Versions:

CVE-2015-1794  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-189 Numeric Errors

The ssl3_get_key_exchange function in ssl/s3_clnt.c in OpenSSL 1.0.2 before 1.0.2e allows remote servers to cause a denial of service (segmentation fault) via a zero p value in an anonymous Diffie-Hellman (DH) ServerKeyExchange message.

Vulnerable Software & Versions:

CVE-2015-1793  

Severity: Medium
CVSS Score: 6.4 (AV:N/AC:L/Au:N/C:P/I:P/A:N)
CWE: CWE-254 Security Features

The X509_verify_cert function in crypto/x509/x509_vfy.c in OpenSSL 1.0.1n, 1.0.1o, 1.0.2b, and 1.0.2c does not properly process X.509 Basic Constraints cA values during identification of alternative certificate chains, which allows remote attackers to spoof a Certification Authority role and trigger unintended certificate verifications via a valid leaf certificate.

Vulnerable Software & Versions:

CVE-2013-0169  

Severity: Low
CVSS Score: 2.6 (AV:N/AC:H/Au:N/C:P/I:N/A:N)
CWE: CWE-310 Cryptographic Issues

The TLS protocol 1.1 and 1.2 and the DTLS protocol 1.0 and 1.2, as used in OpenSSL, OpenJDK, PolarSSL, and other products, do not properly consider timing side-channel attacks on a MAC check requirement during the processing of malformed CBC padding, which allows remote attackers to conduct distinguishing attacks and plaintext-recovery attacks via statistical analysis of timing data for crafted packets, aka the "Lucky Thirteen" issue.

Vulnerable Software & Versions:

CVE-2009-0590  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer

The ASN1_STRING_print_ex function in OpenSSL before 0.9.8k allows remote attackers to cause a denial of service (invalid memory access and application crash) via vectors that trigger printing of a (1) BMPString or (2) UniversalString with an invalid encoded length.

Vulnerable Software & Versions:

CVE-2007-5536  

Severity: Medium
CVSS Score: 4.9 (AV:L/AC:L/Au:N/C:N/I:N/A:C)

Unspecified vulnerability in OpenSSL before A.00.09.07l on HP-UX B.11.11, B.11.23, and B.11.31 allows local users to cause a denial of service via unspecified vectors.

Vulnerable Software & Versions:

CVE-1999-0428  

Severity: High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)

OpenSSL and SSLeay allow remote attackers to reuse SSL sessions and bypass access controls.

Vulnerable Software & Versions:

org.mortbay.jetty.jar

Description:  Jetty is an open-source, standards-based, full-featured web server implemented entirely in Java. It is released under the Apache 2.0 licence and is therefore free for commercial use and distribution. First created in 1995, Jetty has benefitted from input from a vast user community and consistent and focused development by a stable core of lead developers. There are many more examples of Jetty in action on the Jetty Powered Page that has selections from among the tens of thousands of production Jetty instances. However, as Jetty aims to be as unobtrusive as possible, countless websites and products are based around Jetty, but Jetty is invisible!

License:

Apache 2.0: http://jetty.mortbay.org/LICENSE.TXT
File Path: C:\Users\jerem\projects\DependencyCheck\dependency-check-core\target\test-classes\org.mortbay.jetty.jar
MD5: 8abfd9ef03680c5b9b418abd918ce525
SHA1: 7b11e767b884d5b872310ce390219b59ffd64a1e

Identifiers

CVE-2011-4461  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-310 Cryptographic Issues

Jetty 8.1.0.RC2 and earlier computes hash values for form parameters without restricting the ability to trigger hash collisions predictably, which allows remote attackers to cause a denial of service (CPU consumption) by sending many crafted parameters.

Vulnerable Software & Versions:

CVE-2009-1524  

Severity: Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Cross-site scripting (XSS) vulnerability in Mort Bay Jetty before 6.1.17 allows remote attackers to inject arbitrary web script or HTML via a directory listing request containing a ; (semicolon) character.

Vulnerable Software & Versions:

CVE-2009-1523  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Directory traversal vulnerability in the HTTP server in Mort Bay Jetty 5.1.14, 6.x before 6.1.17, and 7.x through 7.0.0.M2 allows remote attackers to access arbitrary files via directory traversal sequences in the URI.

Vulnerable Software & Versions:

CVE-2007-5615  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)
CWE: CWE-94 Improper Control of Generation of Code ('Code Injection')

CRLF injection vulnerability in Mortbay Jetty before 6.1.6rc0 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via unspecified vectors.

Vulnerable Software & Versions:

CVE-2005-3747  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Unspecified vulnerability in Jetty before 5.1.6 allows remote attackers to obtain source code of JSP pages, possibly involving requests for .jsp files with URL-encoded backslash ("%5C") characters. NOTE: this might be the same issue as CVE-2006-2758.

Vulnerable Software & Versions:

org.mortbay.jmx.jar

File Path: C:\Users\jerem\projects\DependencyCheck\dependency-check-core\target\test-classes\org.mortbay.jmx.jar
MD5: 82d35b88a6caecb9ad5cc8a0ca2c6c81
SHA1: 938031afdf33d3c5fee6077312fb44be25a9725c

Identifiers

  • None

plexus-utils-3.0.7.jar

Description: A collection of various utility classes to ease working with strings, files, command lines, XML and more.

File Path: C:\Users\jerem\projects\DependencyCheck\dependency-check-core\target\test-classes\plexus-utils-3.0.7.jar
MD5: c22b393490a46da89d91dd6322446e40
SHA1: eb10e9cb2b2326fbf0cb68249b10a5c89e0642ef

Identifiers

EggTest-0.0.1-py2.7.egg

Description: Simple project for producing an .egg.

File Path: C:\Users\jerem\projects\DependencyCheck\dependency-check-core\target\test-classes\python\dist\EggTest-0.0.1-py2.7.egg
MD5: d314004a75bb4fe6907c016126ee0c7f
SHA1: 7cb9966e32f5d53564ec4c90868b31794ffa6130

Identifiers

  • None

Django-1.7.2-py2.py3-none-any.whl

Description: A high-level Python Web framework that encourages rapid development and clean, pragmatic design.

File Path: C:\Users\jerem\projects\DependencyCheck\dependency-check-core\target\test-classes\python\Django-1.7.2-py2.py3-none-any.whl
MD5: dc54b224746c157e89df31c886412a40
SHA1: 3aff2fabdd09e00b51bd0522a2c3ad672958d361

Identifiers

CVE-2016-7401  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)
CWE: CWE-254 Security Features

The cookie parsing code in Django before 1.8.15 and 1.9.x before 1.9.10, when used on a site with Google Analytics, allows remote attackers to bypass an intended CSRF protection mechanism by setting arbitrary cookies.

Vulnerable Software & Versions:

CVE-2016-6186  

Severity: Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Cross-site scripting (XSS) vulnerability in the dismissChangeRelatedObjectPopup function in contrib/admin/static/admin/js/admin/RelatedObjectLookups.js in Django before 1.8.14, 1.9.x before 1.9.8, and 1.10.x before 1.10rc1 allows remote attackers to inject arbitrary web script or HTML via vectors involving unsafe usage of Element.innerHTML.

Vulnerable Software & Versions:

CVE-2015-8213  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

The get_format function in utils/formats.py in Django before 1.7.x before 1.7.11, 1.8.x before 1.8.7, and 1.9.x before 1.9rc2 might allow remote attackers to obtain sensitive application secrets via a settings key in place of a date/time format setting, as demonstrated by SECRET_KEY.

Vulnerable Software & Versions:

CVE-2015-5964  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-399 Resource Management Errors

The (1) contrib.sessions.backends.base.SessionBase.flush and (2) cache_db.SessionStore.flush functions in Django 1.7.x before 1.7.10, 1.4.x before 1.4.22, and possibly other versions create empty sessions in certain circumstances, which allows remote attackers to cause a denial of service (session store consumption) via unspecified vectors.

Vulnerable Software & Versions:

CVE-2015-5963  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-399 Resource Management Errors

contrib.sessions.middleware.SessionMiddleware in Django 1.8.x before 1.8.4, 1.7.x before 1.7.10, 1.4.x before 1.4.22, and possibly other versions allows remote attackers to cause a denial of service (session store consumption or session record removal) via a large number of requests to contrib.auth.views.logout, which triggers the creation of an empty session record.

Vulnerable Software & Versions:

CVE-2015-5144  

Severity: Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-20 Improper Input Validation

Django before 1.4.21, 1.5.x through 1.6.x, 1.7.x before 1.7.9, and 1.8.x before 1.8.3 uses an incorrect regular expression, which allows remote attackers to inject arbitrary headers and conduct HTTP response splitting attacks via a newline character in an (1) email message to the EmailValidator, a (2) URL to the URLValidator, or unspecified vectors to the (3) validate_ipv4_address or (4) validate_slug validator.

Vulnerable Software & Versions:

CVE-2015-5143  

Severity: High
CVSS Score: 7.8 (AV:N/AC:L/Au:N/C:N/I:N/A:C)
CWE: CWE-399 Resource Management Errors

The session backends in Django before 1.4.21, 1.5.x through 1.6.x, 1.7.x before 1.7.9, and 1.8.x before 1.8.3 allow remote attackers to cause a denial of service (session store consumption) via multiple requests with unique session keys.

Vulnerable Software & Versions:

CVE-2015-2317  

Severity: Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The utils.http.is_safe_url function in Django before 1.4.20, 1.5.x, 1.6.x before 1.6.11, 1.7.x before 1.7.7, and 1.8.x before 1.8c1 does not properly validate URLs, which allows remote attackers to conduct cross-site scripting (XSS) attacks via a control character in a URL, as demonstrated by a \x08javascript: URL.

Vulnerable Software & Versions:

CVE-2015-2316  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-399 Resource Management Errors

The utils.html.strip_tags function in Django 1.6.x before 1.6.11, 1.7.x before 1.7.7, and 1.8.x before 1.8c1, when using certain versions of Python, allows remote attackers to cause a denial of service (infinite loop) by increasing the length of the input string.

Vulnerable Software & Versions:

CVE-2015-2241  

Severity: Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Cross-site scripting (XSS) vulnerability in the contents function in admin/helpers.py in Django before 1.7.6 and 1.8 before 1.8b2 allows remote attackers to inject arbitrary web script or HTML via a model attribute in ModelAdmin.readonly_fields, as demonstrated by a @property.

Vulnerable Software & Versions:

CVE-2015-0222  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-17 Code

ModelMultipleChoiceField in Django 1.6.x before 1.6.10 and 1.7.x before 1.7.3, when show_hidden_initial is set to True, allows remote attackers to cause a denial of service by submitting duplicate values, which triggers a large number of SQL queries.

Vulnerable Software & Versions:

CVE-2015-0221  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-399 Resource Management Errors

The django.views.static.serve view in Django before 1.4.18, 1.6.x before 1.6.10, and 1.7.x before 1.7.3 reads files an entire line at a time, which allows remote attackers to cause a denial of service (memory consumption) via a long line in a file.

Vulnerable Software & Versions:

CVE-2015-0220  

Severity: Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The django.util.http.is_safe_url function in Django before 1.4.18, 1.6.x before 1.6.10, and 1.7.x before 1.7.3 does not properly handle leading whitespaces, which allows remote attackers to conduct cross-site scripting (XSS) attacks via a crafted URL, related to redirect URLs, as demonstrated by a "\njavascript:" URL.

Vulnerable Software & Versions:

CVE-2015-0219  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)
CWE: CWE-17 Code

Django before 1.4.18, 1.6.x before 1.6.10, and 1.7.x before 1.7.3 allows remote attackers to spoof WSGI headers by using an _ (underscore) character instead of a - (dash) character in an HTTP header, as demonstrated by an X-Auth_User header.

Vulnerable Software & Versions:

eggtest/__init__.py

Description: Simple project for producing an .egg.

File Path: C:\Users\jerem\projects\DependencyCheck\dependency-check-core\target\test-classes\python\eggtest\__init__.py
MD5: ee53cac6173f2233cb2dd6dac4413b67
SHA1: e55fa8e5d163a2e3d1044d1bf17dd2c09d7f4d43

Identifiers

  • None

Django-1.7.2.dist-info/METADATA

Description: A high-level Python Web framework that encourages rapid development and clean, pragmatic design.

File Path: C:\Users\jerem\projects\DependencyCheck\dependency-check-core\target\test-classes\python\site-packages\Django-1.7.2.dist-info\METADATA
MD5: d77b67751477ae5bfb425e707222c275
SHA1: 7f928e5ecbf0fa6d65d51d84d7d3abb3be7cf50d

Identifiers

  • cpe: cpe:/a:django_project:django:1.7.2   Confidence:LOW   

django/__init__.py

File Path: C:\Users\jerem\projects\DependencyCheck\dependency-check-core\target\test-classes\python\site-packages\django\__init__.py
MD5: 0e41218a36f1a34dd1a9544640f50f16
SHA1: 4c00f46811bb9586b41f349ce4b1588f606171cf

Identifiers

  • None

EGG-INFO/PKG-INFO

Description: Simple project for producing an .egg.

File Path: C:\Users\jerem\projects\DependencyCheck\dependency-check-core\target\test-classes\python\site-packages\EggTest-0.0.1-py2.7.egg\EGG-INFO\PKG-INFO
MD5: 583b6174a81fc2428ea51510ea082a69
SHA1: 7b80ef725101822f447a3f85b39ed7f00263e98c

Identifiers

  • None

randomizedtesting-runner-2.0.13.jar

Description: Foundation classes and rules for applying the principles of Randomized Testing.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\Users\jerem\projects\DependencyCheck\dependency-check-core\target\test-classes\randomizedtesting-runner-2.0.13.jar
MD5: 3fb3475e167953f6e33d17236f270953
SHA1: bdacac985583621c50de414b1d45b1e6e43f6d1f

Identifiers

regexp-1.3.jar

File Path: C:\Users\jerem\projects\DependencyCheck\dependency-check-core\target\test-classes\regexp-1.3.jar
MD5: 6dcdc325850e40b843cac2a25fb2121e
SHA1: 973df2b78b67bcd3144c3dbbb88da691065a3f8d

Identifiers

Gemfile.lock

File Path: C:\Users\jerem\projects\DependencyCheck\dependency-check-core\target\test-classes\ruby\vulnerable\gems\rails-4.1.15\Gemfile.lock
MD5: 3c5baa06825e2a7d5c8a03010a3133c8
SHA1: e018b3bb1dd61e65799726afc2089ee22ce90f88

Identifiers

  • None

dalli-2.7.5.gemspec

File Path: C:\Users\jerem\projects\DependencyCheck\dependency-check-core\target\test-classes\ruby\vulnerable\gems\rails-4.1.15\vendor\bundle\ruby\2.2.0\specifications\dalli-2.7.5.gemspec
MD5: 80f623e624660a26966428d7ea819b9d
SHA1: 4b47b6f5da978a2cedd4bf745d737770d6be2fde

Identifiers

  • None

Gemfile.lock

File Path: C:\Users\jerem\projects\DependencyCheck\dependency-check-core\target\test-classes\ruby\vulnerable\gems\sinatra\Gemfile.lock
MD5: 9c8c4ff99c58d504abedb155c5ac0cd3
SHA1: 565ccbd69c1e63619ea2e884e585589093dd070a

Identifiers

  • None

activerecord-oracle_enhanced-adapter-1.1.7.gemspec

File Path: C:\Users\jerem\projects\DependencyCheck\dependency-check-core\target\test-classes\ruby\vulnerable\gems\specifications\activerecord-oracle_enhanced-adapter-1.1.7.gemspec
MD5: 147c9868415ea548eb32c1d73e90b5e2
SHA1: a421278b3c50c05cf426ab7e0e70990d6c65091d

Identifiers

  • None

serp-1.13.1.jar

Description: Serp is an open source framework for manipulating Java bytecode.

License:

BSD: LICENSE.txt
File Path: C:\Users\jerem\projects\DependencyCheck\dependency-check-core\target\test-classes\serp-1.13.1.jar
MD5: f25cbd8e7d102a3f62cac34d8f623df5
SHA1: 737a7b53f80fa2a4265d647a9417bd9ea671a592

Identifiers

servlet-api-2.5.jar

File Path: C:\Users\jerem\projects\DependencyCheck\dependency-check-core\target\test-classes\servlet-api-2.5.jar
MD5: 69ca51af4e9a67a1027a7f95b52c3e8f
SHA1: 5959582d97d8b61f4d154ca9e495aafd16726e34

Identifiers

CVE-2006-5654  

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:N/A:P)

Unspecified vulnerability in the Network Security Services (NSS) in Sun Java System Web Server 6.0 before SP 10 and ONE Application Server 7 before Update 3, when SSLv2 is enabled, allows remote authenticated users to cause a denial of service (application crash) via unspecified vectors. NOTE: due to lack of details from the vendor, it is unclear whether this is related to vector 1 in CVE-2006-5201 or CVE-2006-3127.

Vulnerable Software & Versions:

CVE-2006-3225  

Severity: Low
CVSS Score: 2.6 (AV:N/AC:H/Au:N/C:N/I:P/A:N)

Cross-site scripting (XSS) vulnerability in Sun ONE Application Server 7 before Update 9, Java System Application Server 7 2004Q2 before Update 5, and Java System Application Server Enterprise Edition 8.1 2005 Q1 allows remote attackers to inject arbitrary HTML or web script via unknown vectors.

Vulnerable Software & Versions:

CVE-2006-2501  

Severity: Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)

Cross-site scripting (XSS) vulnerability in Sun ONE Web Server 6.0 SP9 and earlier, Java System Web Server 6.1 SP4 and earlier, Sun ONE Application Server 7 Platform and Standard Edition Update 6 and earlier, and Java System Application Server 7 2004Q2 Standard and Enterprise Edition Update 2 and earlier, allows remote attackers to inject arbitrary web script or HTML via unknown attack vectors, possibly involving error messages.

Vulnerable Software & Versions:

slf4j-api-1.7.21.jar

Description: The slf4j API

File Path: C:\Users\jerem\projects\DependencyCheck\dependency-check-core\target\test-classes\slf4j-api-1.7.21.jar
MD5: c9be56284a92dcb2576679282eff80bf
SHA1: 139535a69a4239db087de9bab0bee568bf8e0b70

Identifiers

spring-aop-3.0.0.RELEASE.jar

File Path: C:\Users\jerem\projects\DependencyCheck\dependency-check-core\target\test-classes\spring-aop-3.0.0.RELEASE.jar
MD5: 67d9894cd97f071dd9839f92a280799b
SHA1: 395eff01b78c4d2190bc949225f6dc74d3a820b4

Identifiers

spring-asm-3.0.0.RELEASE.jar

File Path: C:\Users\jerem\projects\DependencyCheck\dependency-check-core\target\test-classes\spring-asm-3.0.0.RELEASE.jar
MD5: c92d22fa8aa9ff22c3087db016060682
SHA1: e5d8571c27128045f119d793b5e277256d9e39c7

Identifiers

spring-core-2.5.5.jar

Description: Spring Framework: Core

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\Users\jerem\projects\DependencyCheck\dependency-check-core\target\test-classes\spring-core-2.5.5.jar
MD5: 05432ef3bf4efa1394b127563cb1dd8c
SHA1: 1b3b0fad8e30ebb9560a81989f5b5bfb28915109

Identifiers

  • cpe: cpe:/a:pivotal:spring_framework:2.5.5   Confidence:LOW   
  • cpe: cpe:/a:pivotal_software:spring_framework:2.5.5   Confidence:LOW   
  • cpe: cpe:/a:springsource:spring_framework:2.5.5   Confidence:HIGHEST   
  • cpe: cpe:/a:vmware:springsource_spring_framework:2.5.5   Confidence:LOW   
  • maven: org.springframework:spring-core:2.5.5   Confidence:HIGHEST

CVE-2014-1904  

Severity: Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Cross-site scripting (XSS) vulnerability in web/servlet/tags/form/FormTag.java in Spring MVC in Spring Framework 3.0.0 before 3.2.8 and 4.0.0 before 4.0.2 allows remote attackers to inject arbitrary web script or HTML via the requested URI in a default action.

Vulnerable Software & Versions:

CVE-2014-0054  

Severity: Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-352

The Jaxb2RootElementHttpMessageConverter in Spring MVC in Spring Framework before 3.2.8 and 4.0.0 before 4.0.2 does not disable external entity resolution, which allows remote attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML, aka an XML External Entity (XXE) issue. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-4152, CVE-2013-7315, and CVE-2013-6429.

Vulnerable Software & Versions:

CVE-2013-7315  

Severity: Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls

The Spring MVC in Spring Framework before 3.2.4 and 4.0.0.M1 through 4.0.0.M2 does not disable external entity resolution for the StAX XMLInputFactory, which allows context-dependent attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML with JAXB, aka an XML External Entity (XXE) issue, and a different vulnerability than CVE-2013-4152. NOTE: this issue was SPLIT from CVE-2013-4152 due to different affected versions.

Vulnerable Software & Versions:

CVE-2013-6429  

Severity: Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls

The SourceHttpMessageConverter in Spring MVC in Spring Framework before 3.2.5 and 4.0.0.M1 through 4.0.0.RC1 does not disable external entity resolution, which allows remote attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML, aka an XML External Entity (XXE) issue, and a different vulnerability than CVE-2013-4152 and CVE-2013-7315.

Vulnerable Software & Versions:

CVE-2013-4152  

Severity: Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls

The Spring OXM wrapper in Spring Framework before 3.2.4 and 4.0.0.M1, when using the JAXB marshaller, does not disable entity resolution, which allows context-dependent attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via an XML external entity declaration in conjunction with an entity reference in a (1) DOMSource, (2) StAXSource, (3) SAXSource, or (4) StreamSource, aka an XML External Entity (XXE) issue.

Vulnerable Software & Versions:

CVE-2011-2730  

Severity: High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-16 Configuration

VMware SpringSource Spring Framework before 2.5.6.SEC03, 2.5.7.SR023, and 3.x before 3.0.6, when a container supports Expression Language (EL), evaluates EL expressions in tags twice, which allows remote attackers to obtain sensitive information via a (1) name attribute in a (a) spring:hasBindErrors tag; (2) path attribute in a (b) spring:bind or (c) spring:nestedpath tag; (3) arguments, (4) code, (5) text, (6) var, (7) scope, or (8) message attribute in a (d) spring:message or (e) spring:theme tag; or (9) var, (10) scope, or (11) value attribute in a (f) spring:transform tag, aka "Expression Language Injection."

Vulnerable Software & Versions:

CVE-2010-1622  

Severity: Medium
CVSS Score: 5.1 (AV:N/AC:H/Au:N/C:P/I:P/A:P)
CWE: CWE-94 Improper Control of Generation of Code ('Code Injection')

SpringSource Spring Framework 2.5.x before 2.5.6.SEC02, 2.5.7 before 2.5.7.SR01, and 3.0.x before 3.0.3 allows remote attackers to execute arbitrary code via an HTTP request containing class.classLoader.URLs[0]=jar: followed by a URL of a crafted .jar file.

Vulnerable Software & Versions:

spring-core-3.0.0.RELEASE.jar

File Path: C:\Users\jerem\projects\DependencyCheck\dependency-check-core\target\test-classes\spring-core-3.0.0.RELEASE.jar
MD5: 2d52a505f093291e4a2c7e1a28f34557
SHA1: 4f268922155ff53fb7b28aeca24fb28d5a439d95

Identifiers

CVE-2014-1904  

Severity: Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Cross-site scripting (XSS) vulnerability in web/servlet/tags/form/FormTag.java in Spring MVC in Spring Framework 3.0.0 before 3.2.8 and 4.0.0 before 4.0.2 allows remote attackers to inject arbitrary web script or HTML via the requested URI in a default action.

Vulnerable Software & Versions:

CVE-2014-0054  

Severity: Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-352

The Jaxb2RootElementHttpMessageConverter in Spring MVC in Spring Framework before 3.2.8 and 4.0.0 before 4.0.2 does not disable external entity resolution, which allows remote attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML, aka an XML External Entity (XXE) issue. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-4152, CVE-2013-7315, and CVE-2013-6429.

Vulnerable Software & Versions:

CVE-2013-7315  

Severity: Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls

The Spring MVC in Spring Framework before 3.2.4 and 4.0.0.M1 through 4.0.0.M2 does not disable external entity resolution for the StAX XMLInputFactory, which allows context-dependent attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML with JAXB, aka an XML External Entity (XXE) issue, and a different vulnerability than CVE-2013-4152. NOTE: this issue was SPLIT from CVE-2013-4152 due to different affected versions.

Vulnerable Software & Versions:

CVE-2013-6429  

Severity: Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls

The SourceHttpMessageConverter in Spring MVC in Spring Framework before 3.2.5 and 4.0.0.M1 through 4.0.0.RC1 does not disable external entity resolution, which allows remote attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML, aka an XML External Entity (XXE) issue, and a different vulnerability than CVE-2013-4152 and CVE-2013-7315.

Vulnerable Software & Versions:

CVE-2013-4152  

Severity: Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls

The Spring OXM wrapper in Spring Framework before 3.2.4 and 4.0.0.M1, when using the JAXB marshaller, does not disable entity resolution, which allows context-dependent attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via an XML external entity declaration in conjunction with an entity reference in a (1) DOMSource, (2) StAXSource, (3) SAXSource, or (4) StreamSource, aka an XML External Entity (XXE) issue.

Vulnerable Software & Versions:

CVE-2011-2894  

Severity: Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls

Spring Framework 3.0.0 through 3.0.5, Spring Security 3.0.0 through 3.0.5 and 2.0.0 through 2.0.6, and possibly other versions deserialize objects from untrusted sources, which allows remote attackers to bypass intended security restrictions and execute untrusted code by (1) serializing a java.lang.Proxy instance and using InvocationHandler, or (2) accessing internal AOP interfaces, as demonstrated using deserialization of a DefaultListableBeanFactory instance to execute arbitrary commands via the java.lang.Runtime class.

Vulnerable Software & Versions:

CVE-2011-2730  

Severity: High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-16 Configuration

VMware SpringSource Spring Framework before 2.5.6.SEC03, 2.5.7.SR023, and 3.x before 3.0.6, when a container supports Expression Language (EL), evaluates EL expressions in tags twice, which allows remote attackers to obtain sensitive information via a (1) name attribute in a (a) spring:hasBindErrors tag; (2) path attribute in a (b) spring:bind or (c) spring:nestedpath tag; (3) arguments, (4) code, (5) text, (6) var, (7) scope, or (8) message attribute in a (d) spring:message or (e) spring:theme tag; or (9) var, (10) scope, or (11) value attribute in a (f) spring:transform tag, aka "Expression Language Injection."

Vulnerable Software & Versions:

CVE-2010-1622  

Severity: Medium
CVSS Score: 5.1 (AV:N/AC:H/Au:N/C:P/I:P/A:P)
CWE: CWE-94 Improper Control of Generation of Code ('Code Injection')

SpringSource Spring Framework 2.5.x before 2.5.6.SEC02, 2.5.7 before 2.5.7.SR01, and 3.0.x before 3.0.3 allows remote attackers to execute arbitrary code via an HTTP request containing class.classLoader.URLs[0]=jar: followed by a URL of a crafted .jar file.

Vulnerable Software & Versions:

spring-expression-3.0.0.RELEASE.jar

File Path: C:\Users\jerem\projects\DependencyCheck\dependency-check-core\target\test-classes\spring-expression-3.0.0.RELEASE.jar
MD5: eb2414ee8ed573139038ccecd9f76e0e
SHA1: b98f80c3f03fbffa16f9256df9bae34dae5df08c

Identifiers

spring-retry-1.1.0.RELEASE.jar

Description: Spring Retry provides an abstraction around retrying failed operations, with an emphasis on declarative control of the process and policy-based behaviour that is easy to extend and customize. For instance, you can configure a plain POJO operation to retry if it fails, based on the type of exception, and with a fixed or exponential backoff.

License:

Apache 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\Users\jerem\projects\DependencyCheck\dependency-check-core\target\test-classes\spring-retry-1.1.0.RELEASE.jar
MD5: 0958739406306923bde05542a035fb48
SHA1: f7e1ec1fd7c8fcaca490fd298c5b3fe711cb5ed9

Identifiers

spring-security-core-3.0.0.RELEASE.jar

File Path: C:\Users\jerem\projects\DependencyCheck\dependency-check-core\target\test-classes\spring-security-core-3.0.0.RELEASE.jar
MD5: 740649fa36b65f4bfe7d2a57e2b2807e
SHA1: 23dd919891e86a1b74b9198bd67a4ae9f4849c28

Identifiers

CVE-2012-5055  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

DaoAuthenticationProvider in VMware SpringSource Spring Security before 2.0.8, 3.0.x before 3.0.8, and 3.1.x before 3.1.3 does not check the password if the user is not found, which makes the response delay shorter and might allow remote attackers to enumerate valid usernames via a series of login requests.

Vulnerable Software & Versions:

CVE-2011-2894  

Severity: Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls

Spring Framework 3.0.0 through 3.0.5, Spring Security 3.0.0 through 3.0.5 and 2.0.0 through 2.0.6, and possibly other versions deserialize objects from untrusted sources, which allows remote attackers to bypass intended security restrictions and execute untrusted code by (1) serializing a java.lang.Proxy instance and using InvocationHandler, or (2) accessing internal AOP interfaces, as demonstrated using deserialization of a DefaultListableBeanFactory instance to execute arbitrary commands via the java.lang.Runtime class.

Vulnerable Software & Versions:

CVE-2011-2732  

Severity: Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-94 Improper Control of Generation of Code ('Code Injection')

CRLF injection vulnerability in the logout functionality in VMware SpringSource Spring Security before 2.0.7 and 3.0.x before 3.0.6 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via the spring-security-redirect parameter.

Vulnerable Software & Versions:

CVE-2011-2731  

Severity: Medium
CVSS Score: 5.1 (AV:N/AC:H/Au:N/C:P/I:P/A:P)
CWE: CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

Race condition in the RunAsManager mechanism in VMware SpringSource Spring Security before 2.0.7 and 3.0.x before 3.0.6 stores the Authentication object in the shared security context, which allows attackers to gain privileges via a crafted thread.

Vulnerable Software & Versions:

CVE-2010-3700  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)
CWE: CWE-264 Permissions, Privileges, and Access Controls

VMware SpringSource Spring Security 2.x before 2.0.6 and 3.x before 3.0.4, and Acegi Security 1.0.0 through 1.0.7, as used in IBM WebSphere Application Server (WAS) 6.1 and 7.0, allows remote attackers to bypass security constraints via a path parameter.

Vulnerable Software & Versions:

spring-security-web-3.0.0.RELEASE.jar

File Path: C:\Users\jerem\projects\DependencyCheck\dependency-check-core\target\test-classes\spring-security-web-3.0.0.RELEASE.jar
MD5: 0a37a920e2dfa3ce8d502fb8922d117c
SHA1: ec46f545b5abd27c38588a1ae7e8eab1472f2261

Identifiers

spring-tx-3.0.0.RELEASE.jar

File Path: C:\Users\jerem\projects\DependencyCheck\dependency-check-core\target\test-classes\spring-tx-3.0.0.RELEASE.jar
MD5: 09b7bed15d5c5c50faaa29f17b639271
SHA1: 8d5a9940ad1687e8d6fc13eed11203619b47e248

Identifiers

stagedhttp-modified.tar: commons-httpclient-2.0.jar

File Path: C:\Users\jerem\projects\DependencyCheck\dependency-check-core\target\test-classes\stagedhttp-modified.tar\WEB-INF\lib\commons-httpclient-2.0.jar
MD5: e0c0c1f887a8b1025a8bed9bff6ab771
SHA1: 19f1cb5ffd50c37b7ee43b8bc7a185b421ea3e9c

Identifiers

  • maven: commons-httpclient:commons-httpclient:2.0   Confidence:HIGHEST
  • cpe: cpe:/a:apache:commons-httpclient:2.0   Confidence:LOW   
  • cpe: cpe:/a:apache:httpclient:2.0   Confidence:LOW   

CVE-2015-5262  

Severity: Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:N/A:P)
CWE: CWE-399 Resource Management Errors

http/conn/ssl/SSLConnectionSocketFactory.java in Apache HttpComponents HttpClient before 4.3.6 ignores the http.socket.timeout configuration setting during an SSL handshake, which allows remote attackers to cause a denial of service (HTTPS call hang) via unspecified vectors.

Vulnerable Software & Versions:

CVE-2014-3577  

Severity: Medium
CVSS Score: 5.8 (AV:N/AC:M/Au:N/C:P/I:P/A:N)

org.apache.http.conn.ssl.AbstractVerifier in Apache HttpComponents HttpClient before 4.3.5 and HttpAsyncClient before 4.0.2 does not properly verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via a "CN=" string in a field in the distinguished name (DN) of a certificate, as demonstrated by the "foo,CN=www.apache.org" string in the O field.

Vulnerable Software & Versions:

stagedhttp-modified.tar: commons-logging.jar

Description: Commons Logging

File Path: C:\Users\jerem\projects\DependencyCheck\dependency-check-core\target\test-classes\stagedhttp-modified.tar\WEB-INF\lib\commons-logging.jar
MD5: 5bc8bdd15b18018e84fd862993aaca42
SHA1: 760c711c71588bc273d3e56d196d720a7678cd93

Identifiers

stagedhttp-modified.tar: dom4j.jar

File Path: C:\Users\jerem\projects\DependencyCheck\dependency-check-core\target\test-classes\stagedhttp-modified.tar\WEB-INF\lib\dom4j.jar
MD5: 85e3e7dfd9d039da0b8ea0a46129323f
SHA1: 8decb7e2c04c9340375aaf7dd43a7a6a9b9a46b1

Identifiers

stagedhttp-modified.tar: jgroups-all.jar

File Path: C:\Users\jerem\projects\DependencyCheck\dependency-check-core\target\test-classes\stagedhttp-modified.tar\WEB-INF\lib\jgroups-all.jar
MD5: 06b44a40f4215af9a534ace65c51a2ca
SHA1: 15201a98948972d4e890a1d9bd6b728b917ef21c

Identifiers

stagedhttp-modified.tar: log4j.jar

File Path: C:\Users\jerem\projects\DependencyCheck\dependency-check-core\target\test-classes\stagedhttp-modified.tar\WEB-INF\lib\log4j.jar
MD5: 91e6a0cd2788d69808c05fae11d69679
SHA1: c28b336aa1547a885ddef944af6bfb7bff25abf0

Identifiers

  • None

stagedhttp-modified.tar: mail.jar

File Path: C:\Users\jerem\projects\DependencyCheck\dependency-check-core\target\test-classes\stagedhttp-modified.tar\WEB-INF\lib\mail.jar
MD5: 3ad3cde613b7e9700fed08d979bcccc7
SHA1: 6d16579c99ea9fd5ca5fd2dbe45a5144c2873681

Identifiers

CVE-2007-6059  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-399 Resource Management Errors

** DISPUTED ** Javamail does not properly handle a series of invalid login attempts in which the same e-mail address is entered as username and password, and the domain portion of this address yields a Java UnknownHostException error, which allows remote attackers to cause a denial of service (connection pool exhaustion) via a large number of requests, resulting in a SQLNestedException. NOTE: Sun disputes this issue, stating "The report makes references to source code and files that do not exist in the mentioned products."

Vulnerable Software & Versions:

CVE-2005-1754  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

** DISPUTED ** JavaMail API 1.1.3 through 1.3, as used by Apache Tomcat 5.0.16, allows remote attackers to read arbitrary files via a full pathname in the argument to the Download parameter. NOTE: Sun and Apache dispute this issue. Sun states: "The report makes references to source code and files that do not exist in the mentioned products."

Vulnerable Software & Versions:

CVE-2005-1105  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)

Directory traversal vulnerability in the MimeBodyPart.getFileName method in JavaMail 1.3.2 allows remote attackers to write arbitrary files via a .. (dot dot) in the filename in the Content-Disposition header.

Vulnerable Software & Versions:

stagedhttp-modified.tar: serializer.jar

File Path: C:\Users\jerem\projects\DependencyCheck\dependency-check-core\target\test-classes\stagedhttp-modified.tar\WEB-INF\lib\serializer.jar
MD5: 35aa6a56662458d9dc28a9b628f84847
SHA1: 85ddd38e4cdbc22fb6c518f3d35744336da6fbfd

Identifiers

  • None

stagedhttp-modified.tar: xalan.jar

File Path: C:\Users\jerem\projects\DependencyCheck\dependency-check-core\target\test-classes\stagedhttp-modified.tar\WEB-INF\lib\xalan.jar
MD5: 126c0c876a6b9726cfdd43f052923660
SHA1: 10f170da8dfbcdcc4098131ba773710f0ba7aef1

Identifiers

CVE-2014-0107  

Severity: High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls

The TransformerFactory in Apache Xalan-Java before 2.7.2 does not properly restrict access to certain properties when FEATURE_SECURE_PROCESSING is enabled, which allows remote attackers to bypass expected restrictions and load arbitrary classes or access external resources via a crafted (1) xalan:content-header, (2) xalan:entities, (3) xslt:content-header, or (4) xslt:entities property, or a Java property that is bound to the XSLT 1.0 system-property function.

Vulnerable Software & Versions:

stagedhttp-modified.tar: xmlsec-1.3.0.jar

Description: The XML Security project is aimed at providing implementation of security standards for XML

File Path: C:\Users\jerem\projects\DependencyCheck\dependency-check-core\target\test-classes\stagedhttp-modified.tar\WEB-INF\lib\xmlsec-1.3.0.jar
MD5: ed82e8662f1823e70ba8f468f57eb11b
SHA1: 59c4b71e0a5871f26db91eaab236e5b9bf41122e

Identifiers

stagedhttp-modified.tar: xss4j.jar

File Path: C:\Users\jerem\projects\DependencyCheck\dependency-check-core\target\test-classes\stagedhttp-modified.tar\WEB-INF\lib\xss4j.jar
MD5: 3572ac321c3a854ec49d8594a17e3699
SHA1: d0f4126b39370c3fad93163ca17fd3caa3d29e97

Identifiers

  • None

struts.jar

Description: The core of the Struts framework is a flexible control layer based on standard technologies like Java Servlets, JavaBeans, ResourceBundles, and Extensible Markup Language (XML), as well as various Jakarta Commons packages. Struts encourages application architectures based on the Model 2 approach, a variation of the classic Model-View-Controller (MVC) design paradigm. Struts provides its own Controller component and integrates with other technologies to provide the Model and the View. For the Model, Struts can interact with any standard data access technology, including Enterprise Java Beans, JDBC, and Object Relational Bridge. For the View, Struts works well with JavaServer Pages, including JSTL and JSF, as well as Velocity Templates, XSLT, and other presentation systems. The Struts framework provides the invisible underpinnings every professional web application needs to survive. Struts helps you create an extensible development environment for your application, based on published standards and proven design patterns.

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0
File Path: C:\Users\jerem\projects\DependencyCheck\dependency-check-core\target\test-classes\struts.jar
MD5: aa4ae098ec87fbcd6591402e5cbd781a
SHA1: f69e6119eb01f9ad064bd358ed0315618fb1cb5c

Identifiers

CVE-2016-1182  

Severity: Medium
CVSS Score: 6.4 (AV:N/AC:L/Au:N/C:N/I:P/A:P)
CWE: CWE-20 Improper Input Validation

ActionServlet.java in Apache Struts 1 1.x through 1.3.10 does not properly restrict the Validator configuration, which allows remote attackers to conduct cross-site scripting (XSS) attacks or cause a denial of service via crafted input, a related issue to CVE-2015-0899.

Vulnerable Software & Versions:

CVE-2016-1181  

Severity: Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)

ActionServlet.java in Apache Struts 1 1.x through 1.3.10 mishandles multithreaded access to an ActionForm instance, which allows remote attackers to execute arbitrary code or cause a denial of service (unexpected memory access) via a multipart request, a related issue to CVE-2015-0899.

Vulnerable Software & Versions:

CVE-2015-0899  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)
CWE: CWE-20 Improper Input Validation

The MultiPageValidator implementation in Apache Struts 1 1.1 through 1.3.10 allows remote attackers to bypass intended access restrictions via a modified page parameter.

Vulnerable Software & Versions:

CVE-2014-0114  

Severity: High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-20 Improper Input Validation

Apache Commons BeanUtils, as distributed in lib/commons-beanutils-1.8.0.jar in Apache Struts 1.x through 1.3.10 and in other products requiring commons-beanutils through 1.9.2, does not suppress the class property, which allows remote attackers to "manipulate" the ClassLoader and execute arbitrary code via the class parameter, as demonstrated by the passing of this parameter to the getClass method of the ActionForm object in Struts 1.

Vulnerable Software & Versions:

CVE-2008-6504  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)
CWE: CWE-20 Improper Input Validation

ParametersInterceptor in OpenSymphony XWork 2.0.x before 2.0.6 and 2.1.x before 2.1.2, as used in Apache Struts and other products, does not properly restrict # (pound sign) references to context objects, which allows remote attackers to execute Object-Graph Navigation Language (OGNL) statements and modify server-side context objects, as demonstrated by use of a \u0023 representation for the # character.

Vulnerable Software & Versions:

CVE-2008-2025  

Severity: Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Cross-site scripting (XSS) vulnerability in Apache Struts before 1.2.9-162.31.1 on SUSE Linux Enterprise (SLE) 11, before 1.2.9-108.2 on SUSE openSUSE 10.3, before 1.2.9-198.2 on SUSE openSUSE 11.0, and before 1.2.9-162.163.2 on SUSE openSUSE 11.1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors related to "insufficient quoting of parameters."

Vulnerable Software & Versions:

CVE-2006-1548  

Severity: Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)

Cross-site scripting (XSS) vulnerability in (1) LookupDispatchAction and possibly (2) DispatchAction and (3) ActionDispatcher in Apache Software Foundation (ASF) Struts before 1.2.9 allows remote attackers to inject arbitrary web script or HTML via the parameter name, which is not filtered in the resulting error message.

Vulnerable Software & Versions:

CVE-2006-1547  

Severity: High
CVSS Score: 7.8 (AV:N/AC:L/Au:N/C:N/I:N/A:C)

ActionForm in Apache Software Foundation (ASF) Struts before 1.2.9 with BeanUtils 1.7 allows remote attackers to cause a denial of service via a multipart/form-data encoded form with a parameter name that references the public getMultipartRequestHandler method, which provides further access to elements in the CommonsMultipartRequestHandler implementation and BeanUtils.

Vulnerable Software & Versions:

CVE-2006-1546  

Severity: High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)

Apache Software Foundation (ASF) Struts before 1.2.9 allows remote attackers to bypass validation via a request with a 'org.apache.struts.taglib.html.Constants.CANCEL' parameter, which causes the action to be canceled but would not be detected from applications that do not use the isCancelled check.

Vulnerable Software & Versions:

CVE-2005-3745  

Severity: Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)

Cross-site scripting (XSS) vulnerability in Apache Struts 1.2.7, and possibly other versions allows remote attackers to inject arbitrary web script or HTML via the query string, which is not properly quoted or filtered when the request handler generates an error message.

Vulnerable Software & Versions:

struts2-core-2.1.2.jar

Description: Apache Struts 2

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\Users\jerem\projects\DependencyCheck\dependency-check-core\target\test-classes\struts2-core-2.1.2.jar
MD5: c30b57142e1ccbc1efd5cd15f307358f
SHA1: 89ce9e36aa9a9e03f1450936d2f4f8dd0f961f8b

Identifiers

CVE-2016-4003  

Severity: Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Cross-site scripting (XSS) vulnerability in the URLDecoder function in JRE before 1.8, as used in Apache Struts 2.x before 2.3.28, when using a single byte page encoding, allows remote attackers to inject arbitrary web script or HTML via multi-byte characters in a url-encoded parameter.

Vulnerable Software & Versions:

CVE-2016-3093  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-20 Improper Input Validation

Apache Struts 2.0.0 through 2.3.24.1 does not properly cache method references when used with OGNL before 3.0.12, which allows remote attackers to cause a denial of service (block access to a web site) via unspecified vectors.

Vulnerable Software & Versions:

CVE-2016-3082  

Severity: High
CVSS Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
CWE: CWE-20 Improper Input Validation

XSLTResult in Apache Struts 2.x before 2.3.20.2, 2.3.24.x before 2.3.24.2, and 2.3.28.x before 2.3.28.1 allows remote attackers to execute arbitrary code via the stylesheet location parameter.

Vulnerable Software & Versions:

CVE-2016-3081  

Severity: High
CVSS Score: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)
CWE: CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')

Apache Struts 2.x before 2.3.20.2, 2.3.24.x before 2.3.24.2, and 2.3.28.x before 2.3.28.1, when Dynamic Method Invocation is enabled, allow remote attackers to execute arbitrary code via method: prefix, related to chained expressions.

Vulnerable Software & Versions:

CVE-2016-2162  

Severity: Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Apache Struts 2.x before 2.3.25 does not sanitize text in the Locale object constructed by I18NInterceptor, which might allow remote attackers to conduct cross-site scripting (XSS) attacks via unspecified vectors involving language display.

Vulnerable Software & Versions:

CVE-2016-0785  

Severity: High
CVSS Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
CWE: CWE-20 Improper Input Validation

Apache Struts 2.x before 2.3.28 allows remote attackers to execute arbitrary code via a "%{}" sequence in a tag attribute, aka forced double OGNL evaluation.

Vulnerable Software & Versions:

CVE-2014-7809  

Severity: Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-352

Apache Struts 2.0.0 through 2.3.x before 2.3.20 uses predictable <s:token/> values, which allows remote attackers to bypass the CSRF protection mechanism.

Vulnerable Software & Versions:

CVE-2014-0116  

Severity: Medium
CVSS Score: 5.8 (AV:N/AC:M/Au:N/C:N/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls

CookieInterceptor in Apache Struts 2.x before 2.3.16.3, when a wildcard cookiesName value is used, does not properly restrict access to the getClass method, which allows remote attackers to "manipulate" the ClassLoader and modify session state via a crafted request. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-0113.

Vulnerable Software & Versions:

CVE-2014-0113  

Severity: High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls

CookieInterceptor in Apache Struts before 2.3.16.2, when a wildcard cookiesName value is used, does not properly restrict access to the getClass method, which allows remote attackers to "manipulate" the ClassLoader and execute arbitrary code via a crafted request. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-0094.

Vulnerable Software & Versions:

CVE-2014-0112  

Severity: High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls

ParametersInterceptor in Apache Struts before 2.3.16.2 does not properly restrict access to the getClass method, which allows remote attackers to "manipulate" the ClassLoader and execute arbitrary code via a crafted request. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-0094.

Vulnerable Software & Versions:

CVE-2014-0094  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)

The ParametersInterceptor in Apache Struts before 2.3.16.1 allows remote attackers to "manipulate" the ClassLoader via the class parameter, which is passed to the getClass method.

Vulnerable Software & Versions:

CVE-2013-4316  

Severity: High
CVSS Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
CWE: CWE-16 Configuration

Apache Struts 2.0.0 through 2.3.15.1 enables Dynamic Method Invocation by default, which has unknown impact and attack vectors.

Vulnerable Software & Versions:

CVE-2013-4310  

Severity: Medium
CVSS Score: 5.8 (AV:N/AC:M/Au:N/C:P/I:P/A:N)
CWE: CWE-264 Permissions, Privileges, and Access Controls

Apache Struts 2.0.0 through 2.3.15.1 allows remote attackers to bypass access controls via a crafted action: prefix.

Vulnerable Software & Versions:

CVE-2013-2251  

Severity: High
CVSS Score: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)
CWE: CWE-20 Improper Input Validation

Apache Struts 2.0.0 through 2.3.15 allows remote attackers to execute arbitrary OGNL expressions via a parameter with a crafted (1) action:, (2) redirect:, or (3) redirectAction: prefix.

Vulnerable Software & Versions:

CVE-2013-2248  

Severity: Medium
CVSS Score: 5.8 (AV:N/AC:M/Au:N/C:P/I:P/A:N)
CWE: CWE-20 Improper Input Validation

Multiple open redirect vulnerabilities in Apache Struts 2.0.0 through 2.3.15 allow remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in a parameter using the (1) redirect: or (2) redirectAction: prefix.

Vulnerable Software & Versions:

CVE-2013-2135  

Severity: High
CVSS Score: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)
CWE: CWE-94 Improper Control of Generation of Code ('Code Injection')

Apache Struts 2 before 2.3.14.3 allows remote attackers to execute arbitrary OGNL code via a request with a crafted value that contains both "${}" and "%{}" sequences, which causes the OGNL code to be evaluated twice.

Vulnerable Software & Versions:

CVE-2013-2134  

Severity: High
CVSS Score: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)
CWE: CWE-94 Improper Control of Generation of Code ('Code Injection')

Apache Struts 2 before 2.3.14.3 allows remote attackers to execute arbitrary OGNL code via a request with a crafted action name that is not properly handled during wildcard matching, a different vulnerability than CVE-2013-2135.

Vulnerable Software & Versions:

CVE-2013-2115  

Severity: High
CVSS Score: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)
CWE: CWE-94 Improper Control of Generation of Code ('Code Injection')

Apache Struts 2 before 2.3.14.2 allows remote attackers to execute arbitrary OGNL code via a crafted request that is not properly handled when using the includeParams attribute in the (1) URL or (2) A tag. NOTE: this issue is due to an incomplete fix for CVE-2013-1966.

Vulnerable Software & Versions:

CVE-2013-1966  

Severity: High
CVSS Score: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)
CWE: CWE-94 Improper Control of Generation of Code ('Code Injection')

Apache Struts 2 before 2.3.14.1 allows remote attackers to execute arbitrary OGNL code via a crafted request that is not properly handled when using the includeParams attribute in the (1) URL or (2) A tag.

Vulnerable Software & Versions:

CVE-2013-1965  

Severity: High
CVSS Score: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)
CWE: CWE-94 Improper Control of Generation of Code ('Code Injection')

Apache Struts Showcase App 2.0.0 through 2.3.13, as used in Struts 2 before 2.3.14.1, allows remote attackers to execute arbitrary OGNL code via a crafted parameter name that is not properly handled when invoking a redirect.

Vulnerable Software & Versions:

CVE-2012-4387  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls

Apache Struts 2.0.0 through 2.3.4 allows remote attackers to cause a denial of service (CPU consumption) via a long parameter name, which is processed as an OGNL expression.

Vulnerable Software & Versions:

CVE-2012-4386  

Severity: Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-352

The token check mechanism in Apache Struts 2.0.0 through 2.3.4 does not properly validate the token name configuration parameter, which allows remote attackers to perform cross-site request forgery (CSRF) attacks by setting the token name configuration parameter to a session attribute.

Vulnerable Software & Versions:

CVE-2012-0838  

Severity: High
CVSS Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
CWE: CWE-20 Improper Input Validation

Apache Struts 2 before 2.2.3.1 evaluates a string as an OGNL expression during the handling of a conversion error, which allows remote attackers to modify run-time data values, and consequently execute arbitrary code, via invalid input to a field.

Vulnerable Software & Versions:

CVE-2012-0394  

Severity: Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-94 Improper Control of Generation of Code ('Code Injection')

** DISPUTED ** The DebuggingInterceptor component in Apache Struts before 2.3.1.1, when developer mode is used, allows remote attackers to execute arbitrary commands via unspecified vectors. NOTE: the vendor characterizes this behavior as not "a security vulnerability itself."

Vulnerable Software & Versions:

CVE-2012-0393  

Severity: Medium
CVSS Score: 6.4 (AV:N/AC:L/Au:N/C:N/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls

The ParameterInterceptor component in Apache Struts before 2.3.1.1 does not prevent access to public constructors, which allows remote attackers to create or overwrite arbitrary files via a crafted parameter that triggers the creation of a Java object.

Vulnerable Software & Versions:

CVE-2012-0392  

Severity: High
CVSS Score: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)
CWE: CWE-264 Permissions, Privileges, and Access Controls

The CookieInterceptor component in Apache Struts before 2.3.1.1 does not use the parameter-name whitelist, which allows remote attackers to execute arbitrary commands via a crafted HTTP Cookie header that triggers Java code execution through a static method.

Vulnerable Software & Versions:

CVE-2012-0391  

Severity: High
CVSS Score: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)
CWE: CWE-20 Improper Input Validation

The ExceptionDelegator component in Apache Struts before 2.2.3.1 interprets parameter values as OGNL expressions during certain exception handling for mismatched data types of properties, which allows remote attackers to execute arbitrary Java code via a crafted parameter.

Vulnerable Software & Versions:

CVE-2011-5057  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)
CWE: CWE-264 Permissions, Privileges, and Access Controls

Apache Struts 2.3.1.1 and earlier provides interfaces that do not properly restrict access to collections such as the session and request collections, which might allow remote attackers to modify run-time data values via a crafted parameter to an application that implements an affected interface, as demonstrated by the SessionAware, RequestAware, ApplicationAware, ServletRequestAware, ServletResponseAware, and ParameterAware interfaces. NOTE: the vendor disputes the significance of this report because of an "easy work-around in existing apps by configuring the interceptor."

Vulnerable Software & Versions:

CVE-2011-2087  

Severity: Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Multiple cross-site scripting (XSS) vulnerabilities in component handlers in the javatemplates (aka Java Templates) plugin in Apache Struts 2.x before 2.2.3 allow remote attackers to inject arbitrary web script or HTML via an arbitrary parameter value to a .action URI, related to improper handling of value attributes in (1) FileHandler.java, (2) HiddenHandler.java, (3) PasswordHandler.java, (4) RadioHandler.java, (5) ResetHandler.java, (6) SelectHandler.java, (7) SubmitHandler.java, and (8) TextFieldHandler.java.

Vulnerable Software & Versions:

CVE-2011-1772  

Severity: Low
CVSS Score: 2.6 (AV:N/AC:H/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Multiple cross-site scripting (XSS) vulnerabilities in XWork in Apache Struts 2.x before 2.2.3, and OpenSymphony XWork in OpenSymphony WebWork, allow remote attackers to inject arbitrary web script or HTML via vectors involving (1) an action name, (2) the action attribute of an s:submit element, or (3) the method attribute of an s:submit element.

Vulnerable Software & Versions:

CVE-2010-1870  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)

The OGNL extensive expression evaluation capability in XWork in Struts 2.0.0 through 2.1.8.1, as used in Atlassian Fisheye, Crucible, and possibly other products, uses a permissive whitelist, which allows remote attackers to modify server-side context objects and bypass the "#" protection mechanism in ParameterInterceptors via the (1) #context, (2) #_memberAccess, (3) #root, (4) #this, (5) #_typeResolver, (6) #_classResolver, (7) #_traceEvaluations, (8) #_lastEvaluation, (9) #_keepLastEvaluation, and possibly other OGNL context variables, a different vulnerability than CVE-2008-6504.

Vulnerable Software & Versions:

CVE-2008-6504  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)
CWE: CWE-20 Improper Input Validation

ParametersInterceptor in OpenSymphony XWork 2.0.x before 2.0.6 and 2.1.x before 2.1.2, as used in Apache Struts and other products, does not properly restrict # (pound sign) references to context objects, which allows remote attackers to execute Object-Graph Navigation Language (OGNL) statements and modify server-side context objects, as demonstrated by use of a \u0023 representation for the # character.

Vulnerable Software & Versions:

EasyPeasy.podspec

File Path: C:\Users\jerem\projects\DependencyCheck\dependency-check-core\target\test-classes\swift\cocoapods\EasyPeasy.podspec
MD5: f17f3fa4c6eb3e97a6f99902b139eaee
SHA1: a8e94b2992000037764db7f3d2d2d660b7e1f8a7

Identifiers

  • None

Gloss.podspec

File Path: C:\Users\jerem\projects\DependencyCheck\dependency-check-core\target\test-classes\swift\Gloss\Gloss.podspec
MD5: 4f2a4dc4c1f2e87b164232ab7ed5260f
SHA1: 339ed3206c04892fed1569e6b09a747c169fe065

Identifiers

  • None

uber-1.0-SNAPSHOT.jar

File Path: C:\Users\jerem\projects\DependencyCheck\dependency-check-core\target\test-classes\uber-1.0-SNAPSHOT.jar
MD5: 634d5cc32238fc3d023941d265189ddd
SHA1: e9a3159254a01777f536d556bcdb539c7617b0e5

Identifiers

  • None

velocity-1.7.jar

Description: Apache Velocity is a general purpose template engine.

File Path: C:\Users\jerem\projects\DependencyCheck\dependency-check-core\target\test-classes\velocity-1.7.jar
MD5: 3692dd72f8367cb35fb6280dc2916725
SHA1: 2ceb567b8f3f21118ecdec129fe1271dbc09aa7a

Identifiers

war-4.0.war

File Path: C:\Users\jerem\projects\DependencyCheck\dependency-check-core\target\test-classes\war-4.0.war
MD5: 54070e31aa8e6256ea8c850642a3c434
SHA1: eaede5596599912d70cb9b517cb87fff336a8422

Identifiers

  • maven: org.glassfish.main.admingui:war:4.0   Confidence:HIGH

war-4.0.war: commons-fileupload-1.1.1.jar

Description: The FileUpload component provides a simple yet flexible means of adding support for multipart file upload functionality to servlets and web applications.

License:

The Apache Software License, Version 2.0: /LICENSE.txt
File Path: C:\Users\jerem\projects\DependencyCheck\dependency-check-core\target\test-classes\war-4.0.war\WEB-INF\extra\commons-fileupload-1.1.1.jar
MD5: adb15d9a4da4a30d77e88b32a45cbddb
SHA1: d587a50727ba905aad13de9ea119081403bf6823

Identifiers

CVE-2016-3092  

Severity: High
CVSS Score: 7.8 (AV:N/AC:L/Au:N/C:N/I:N/A:C)
CWE: CWE-20 Improper Input Validation

The MultipartStream class in Apache Commons Fileupload before 1.3.2, as used in Apache Tomcat 7.x before 7.0.70, 8.x before 8.0.36, 8.5.x before 8.5.3, and 9.x before 9.0.0.M7 and other products, allows remote attackers to cause a denial of service (CPU consumption) via a long boundary string.

Vulnerable Software & Versions:

CVE-2014-0050  

Severity: High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls

MultipartStream.java in Apache Commons FileUpload before 1.3.1, as used in Apache Tomcat, JBoss Web, and other products, allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via a crafted Content-Type header that bypasses a loop's intended exit conditions.

Vulnerable Software & Versions:

CVE-2013-0248  

Severity: Low
CVSS Score: 3.3 (AV:L/AC:M/Au:N/C:N/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls

The default configuration of javax.servlet.context.tempdir in Apache Commons FileUpload 1.0 through 1.2.2 uses the /tmp directory for uploaded files, which allows local users to overwrite arbitrary files via an unspecified symlink attack.

Vulnerable Software & Versions:

war-4.0.war: commons-io-1.3.1.jar

Description: Commons-IO contains utility classes, stream implementations, file filters, and endian classes.

License:

The Apache Software License, Version 2.0: /LICENSE.txt
File Path: C:\Users\jerem\projects\DependencyCheck\dependency-check-core\target\test-classes\war-4.0.war\WEB-INF\extra\commons-io-1.3.1.jar
MD5: 2e55c05d3386889af97caae4517ac9df
SHA1: b90b6ac57cf27a2858eaa490d02ba7945d18ca7b

Identifiers

war-4.0.war: dojo-ajax-nodemo-0.4.1.jar

File Path: C:\Users\jerem\projects\DependencyCheck\dependency-check-core\target\test-classes\war-4.0.war\WEB-INF\extra\dojo-ajax-nodemo-0.4.1.jar
MD5: 91fda9e8b3c95eee6f566567cf790a9e
SHA1: 0e77d6bb7687a7084a1b92da563dfda6324ba83f

Identifiers

war-4.0.war: json-1.0.jar

File Path: C:\Users\jerem\projects\DependencyCheck\dependency-check-core\target\test-classes\war-4.0.war\WEB-INF\extra\json-1.0.jar
MD5: a7aa9a187cb901ec6e299f65f583f140
SHA1: 0fe8ce55b9f83f16185192821a385916b0eef38e

Identifiers

war-4.0.war: prototype-1.5.0.jar

File Path: C:\Users\jerem\projects\DependencyCheck\dependency-check-core\target\test-classes\war-4.0.war\WEB-INF\extra\prototype-1.5.0.jar
MD5: 206bd786024eca29e41a12e44c055c0a
SHA1: b02b002f0e9bb289b311db49c561c58afb8eb58c

Identifiers

war-4.0.war: webui-jsf-4.0.2.10.jar

Description: Project Woodstock

License:

CDDL + GPLv2 with classpath exception: http://glassfish.java.net/nonav/public/CDDL+GPL_1_1.html
File Path: C:\Users\jerem\projects\DependencyCheck\dependency-check-core\target\test-classes\war-4.0.war\WEB-INF\extra\webui-jsf-4.0.2.10.jar
MD5: 411e6e13bc190d58e10337e502371cfc
SHA1: 977a6fa7f65f8ea68101aa1252c05e8193de97b5

Identifiers

war-4.0.war: webui-jsf-suntheme-4.0.2.10.jar

Description: Project Woodstock

License:

CDDL + GPLv2 with classpath exception: http://glassfish.java.net/nonav/public/CDDL+GPL_1_1.html
File Path: C:\Users\jerem\projects\DependencyCheck\dependency-check-core\target\test-classes\war-4.0.war\WEB-INF\extra\webui-jsf-suntheme-4.0.2.10.jar
MD5: 62a5f094e9832dce2a7ce138dfee3507
SHA1: 4ec663ae9ab37d9d6504dc5754e1e59d36d2cd9e

Identifiers

war-4.0.war: console-core-4.0.jar

Description: Java.net - The Source for Java Technology Collaboration

License:

http://glassfish.java.net/nonav/public/CDDL+GPL.html
File Path: C:\Users\jerem\projects\DependencyCheck\dependency-check-core\target\test-classes\war-4.0.war\WEB-INF\lib\console-core-4.0.jar
MD5: 34989ef1706408666ee87eec5b55c09b
SHA1: 165c3df4d1ede6f2850e44730cb547dcfdb45a08

Identifiers

woden-api-1.0M8.jar

Description: The Woden project is a subproject of the Apache Web Services Project to develop a Java class library for reading, manipulating, creating and writing WSDL documents, initially to support WSDL 2.0 but with the longer term aim of supporting past, present and future versions of WSDL. There are two main deliverables: an API and an implementation. The Woden API consists of a set of Java interfaces. The WSDL 2.0-specific portion of the Woden API conforms to the W3C WSDL 2.0 specification. The implementation will be a high performance implementation directly usable in other Apache projects such as Axis2.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\Users\jerem\projects\DependencyCheck\dependency-check-core\target\test-classes\woden-api-1.0M8.jar
MD5: ffa59063e09ee05d3f588adc0dce97bf
SHA1: e15d817dc457976e9ab5ed5b92e14c6f0ff4bcc9

Identifiers

woden-impl-dom-1.0M8.jar

Description: The Woden project is a subproject of the Apache Web Services Project to develop a Java class library for reading, manipulating, creating and writing WSDL documents, initially to support WSDL 2.0 but with the longer term aim of supporting past, present and future versions of WSDL. There are two main deliverables: an API and an implementation. The Woden API consists of a set of Java interfaces. The WSDL 2.0-specific portion of the Woden API conforms to the W3C WSDL 2.0 specification. The implementation will be a high performance implementation directly usable in other Apache projects such as Axis2.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\Users\jerem\projects\DependencyCheck\dependency-check-core\target\test-classes\woden-impl-dom-1.0M8.jar
MD5: 6cefbde48cf35f36ae20f72b6e58a30a
SHA1: a8f543456fc71426e62d003dadf3004b198aceaf

Identifiers

wsdl4j-1.6.2.jar

Description: Java stub generator for WSDL

License:

CPL: http://www.opensource.org/licenses/cpl1.0.txt
File Path: C:\Users\jerem\projects\DependencyCheck\dependency-check-core\target\test-classes\wsdl4j-1.6.2.jar
MD5: 2608a8ea3f07b0c08de8a7d3d0d3fc09
SHA1: dec1669fb6801b7328e01ad72fc9e10b69ea06c1

Identifiers

wstx-asl-3.2.4.jar

Description: Woodstox is a high-performance XML processor that implements Stax (JSR-173) API

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\Users\jerem\projects\DependencyCheck\dependency-check-core\target\test-classes\wstx-asl-3.2.4.jar
MD5: f3fac27a7387452f1c4243c695fa0f0d
SHA1: aada03a08ae547bee92caf3b1e0cd756134e9226

Identifiers

xalan-2.7.0.jar

File Path: C:\Users\jerem\projects\DependencyCheck\dependency-check-core\target\test-classes\xalan-2.7.0.jar
MD5: a018d032c21a873225e702b36b171a10
SHA1: a33c0097f1c70b20fa7ded220ea317eb3500515e

Identifiers

CVE-2014-0107  

Severity: High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls

The TransformerFactory in Apache Xalan-Java before 2.7.2 does not properly restrict access to certain properties when FEATURE_SECURE_PROCESSING is enabled, which allows remote attackers to bypass expected restrictions and load arbitrary classes or access external resources via a crafted (1) xalan:content-header, (2) xalan:entities, (3) xslt:content-header, or (4) xslt:entities property, or a Java property that is bound to the XSLT 1.0 system-property function.

Vulnerable Software & Versions:

xercesImpl-2.8.1.jar

Description: Xerces2 is the next generation of high performance, fully compliant XML parsers in the Apache Xerces family. This new version of Xerces introduces the Xerces Native Interface (XNI), a complete framework for building parser components and configurations that is extremely modular and easy to program.

File Path: C:\Users\jerem\projects\DependencyCheck\dependency-check-core\target\test-classes\xercesImpl-2.8.1.jar
MD5: e86f321c8191b37bd720ff5679f57288
SHA1: 25101e37ec0c907db6f0612cbf106ee519c1aef1

Identifiers

xml-apis-1.0.b2.jar

Description: xml-commons provides an Apache-hosted set of DOM, SAX, and JAXP interfaces for use in other xml-based projects. Our hope is that we can standardize on both a common version and packaging scheme for these critical XML standards interfaces to make the lives of both our developers and users easier. The External Components portion of xml-commons contains interfaces that are defined by external standards organizations. For DOM, that's the W3C; for SAX it's David Megginson and sax.sourceforge.net; for JAXP it's Sun.

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\Users\jerem\projects\DependencyCheck\dependency-check-core\target\test-classes\xml-apis-1.0.b2.jar
MD5: 458715c0f7646a56b1c6ad3138098beb
SHA1: 3136ca936f64c9d68529f048c2618bd356bf85c9

Identifiers

xmlParserAPIs-2.6.0.jar

File Path: C:\Users\jerem\projects\DependencyCheck\dependency-check-core\target\test-classes\xmlParserAPIs-2.6.0.jar
MD5: 2651f9f7c39e3524f3e2c394625ac63a
SHA1: 065acede1e5305bd2b92213d7b5761328c6f4fd9

Identifiers

xmlpull-1.1.3.1.jar

License:

Public Domain: http://www.xmlpull.org/v1/download/unpacked/LICENSE.txt
File Path: C:\Users\jerem\projects\DependencyCheck\dependency-check-core\target\test-classes\xmlpull-1.1.3.1.jar
MD5: cc57dacc720eca721a50e78934b822d2
SHA1: 2b8e230d2ab644e4ecaa94db7cdedbc40c805dfa

Identifiers

XmlSchema-1.4.2.jar

Description: Commons XMLSchema is a lightweight schema object model that can be used to manipulate or generate a schema. It has a clean, easy to use API and can easily be integrated into an existing project since it has almost no dependencies on third party libraries.

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\Users\jerem\projects\DependencyCheck\dependency-check-core\target\test-classes\XmlSchema-1.4.2.jar
MD5: ced8c8555d4e965cf7ce06459730479a
SHA1: 7cf868b0d6a5b68be0dea014126b986b3387755a

Identifiers

xpp3_min-1.1.4c.jar

Description: MXP1 is a stable XmlPull parsing engine that is based on ideas from XPP and in particular XPP2 but completely revised and rewritten to take the best advantage of latest JIT JVMs such as Hotspot in JDK 1.4+.

License:

Indiana University Extreme! Lab Software License, vesion 1.1.1: http://www.extreme.indiana.edu/viewcvs/~checkout~/XPP3/java/LICENSE.txt
Public Domain: http://creativecommons.org/licenses/publicdomain
File Path: C:\Users\jerem\projects\DependencyCheck\dependency-check-core\target\test-classes\xpp3_min-1.1.4c.jar
MD5: dcd95bcb84b09897b2b66d4684c040da
SHA1: 19d4e90b43059058f6e056f794f0ea4030d60b86

Identifiers

xstream-1.4.8.jar

Description: XStream is a serialization library from Java objects to XML and back.

License:

http://xstream.codehaus.org/license.html
File Path: C:\Users\jerem\projects\DependencyCheck\dependency-check-core\target\test-classes\xstream-1.4.8.jar
MD5: 4551a29c38f22ed25eaf109eda50ff03
SHA1: 520d90f30f36a0d6ba2dc929d980831631ad6a92

Identifiers

CVE-2016-3674  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Multiple XML external entity (XXE) vulnerabilities in the (1) Dom4JDriver, (2) DomDriver, (3) JDomDriver, (4) JDom2Driver, (5) SjsxpDriver, (6) StandardStaxDriver, and (7) WstxDriver drivers in XStream before 1.4.9 allow remote attackers to read arbitrary files via a crafted XML document.

Vulnerable Software & Versions:

xwork-2.1.1.jar

Description: XWork is a command-pattern framework that is used to power WebWork as well as other applications. XWork provides an Inversion of Control container, a powerful expression language, data type conversion, validation, and pluggable configuration.

License:

The OpenSymphony Software License 1.1: src/etc/LICENSE.txt
File Path: C:\Users\jerem\projects\DependencyCheck\dependency-check-core\target\test-classes\xwork-2.1.1.jar
MD5: fed42fc127540dbbf88fb4ee80a2c039
SHA1: e509a9c3a66ae7b26b56cce0657ca2550aa43512

Identifiers

CVE-2011-2088  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

XWork 2.2.1 in Apache Struts 2.2.1, and OpenSymphony XWork in OpenSymphony WebWork, allows remote attackers to obtain potentially sensitive information about internal Java class paths via vectors involving an s:submit element and a nonexistent method, a different vulnerability than CVE-2011-1772.3.

Vulnerable Software & Versions:

CVE-2011-1772  

Severity: Low
CVSS Score: 2.6 (AV:N/AC:H/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Multiple cross-site scripting (XSS) vulnerabilities in XWork in Apache Struts 2.x before 2.2.3, and OpenSymphony XWork in OpenSymphony WebWork, allow remote attackers to inject arbitrary web script or HTML via vectors involving (1) an action name, (2) the action attribute of an s:submit element, or (3) the method attribute of an s:submit element.

Vulnerable Software & Versions:

CVE-2008-6504  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)
CWE: CWE-20 Improper Input Validation

ParametersInterceptor in OpenSymphony XWork 2.0.x before 2.0.6 and 2.1.x before 2.1.2, as used in Apache Struts and other products, does not properly restrict # (pound sign) references to context objects, which allows remote attackers to execute Object-Graph Navigation Language (OGNL) statements and modify server-side context objects, as demonstrated by use of a \u0023 representation for the # character.

Vulnerable Software & Versions:

hibernate3.jar\META-INF/maven/org.hibernate/hibernate-core/pom.xml

Description: The core functionality of Hibernate

File Path: C:\Users\jerem\projects\DependencyCheck\dependency-check-core\target\test-classes\hibernate3.jar\META-INF/maven/org.hibernate/hibernate-core/pom.xml
MD5: bd41ed501d7218dc30403320127372f2
SHA1: 7d8f09aa7d0100318d826625cb42dbc358e07abd

Identifiers

  • maven: org.hibernate:hibernate-core:3.6.6.Final   Confidence:HIGH

junit4-ant-2.0.13.jar\META-INF/maven/com.google.guava/guava/pom.xml

Description:  Guava is a suite of core and expanded libraries that include utility classes, google's collections, io classes, and much much more. Guava has two code dependencies - javax.annotation per the JSR-305 spec and javax.inject per the JSR-330 spec.

File Path: C:\Users\jerem\projects\DependencyCheck\dependency-check-core\target\test-classes\junit4-ant-2.0.13.jar\META-INF/maven/com.google.guava/guava/pom.xml
MD5: b9406eec5781ea391a26972c394bf129
SHA1: 7b4c8f117c11a8f1fcaf4f1b0fd07cbe756a1430

Identifiers

  • maven: com.google.guava:guava:14.0.1   Confidence:HIGH

hibernate3.jar\META-INF/maven/org.hibernate/hibernate-commons-annotations/pom.xml

Description: Common reflection code used in support of annotation processing

License:

GNU LESSER GENERAL PUBLIC LICENSE: http://www.gnu.org/licenses/lgpl.txt
File Path: C:\Users\jerem\projects\DependencyCheck\dependency-check-core\target\test-classes\hibernate3.jar\META-INF/maven/org.hibernate/hibernate-commons-annotations/pom.xml
MD5: 08b54aba75a160ec63d3677d89b2a9bb
SHA1: 4665e68571641943c1a12ed16a1b7c05c6c40943

Identifiers

  • maven: org.hibernate:hibernate-commons-annotations:3.2.0.Final   Confidence:HIGH

hibernate3.jar\META-INF/maven/org.hibernate/hibernate-ehcache/pom.xml

Description: Integration of Hibernate with Ehcache

File Path: C:\Users\jerem\projects\DependencyCheck\dependency-check-core\target\test-classes\hibernate3.jar\META-INF/maven/org.hibernate/hibernate-ehcache/pom.xml
MD5: 19610cc4510ae1067e83e910590ca011
SHA1: 9218f8cd87f3e28c49d4947361b4c6f66757cc25

Identifiers

  • maven: org.hibernate:hibernate-ehcache:3.6.6.Final   Confidence:HIGH

uber-1.0-SNAPSHOT.jar\META-INF/maven/org.owasp.dependency-check/uber/pom.xml

File Path: C:\Users\jerem\projects\DependencyCheck\dependency-check-core\target\test-classes\uber-1.0-SNAPSHOT.jar\META-INF/maven/org.owasp.dependency-check/uber/pom.xml
MD5: 2c67a7108125ede340218e9deba58e82
SHA1: 52fb11f0fc1666a343aa5c5ea0f756ba54934c1f

Identifiers

  • maven: org.owasp.dependency-check:uber:1.0-SNAPSHOT   Confidence:HIGH

junit4-ant-2.0.13.jar\META-INF/maven/commons-io/commons-io/pom.xml

Description:  The Commons IO library contains utility classes, stream implementations, file filters, file comparators, endian transformation classes, and much more.

File Path: C:\Users\jerem\projects\DependencyCheck\dependency-check-core\target\test-classes\junit4-ant-2.0.13.jar\META-INF/maven/commons-io/commons-io/pom.xml
MD5: 55cd2592053f21df9e9bda556fb1a997
SHA1: 8d5ab37f6f72fbba8052e21013c49eddc32fa724

Identifiers

  • maven: commons-io:commons-io:2.3   Confidence:HIGH

junit4-ant-2.0.13.jar\META-INF/maven/org.simpleframework/simple-xml/pom.xml

Description: Simple is a high performance XML serialization and configuration framework for Java

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\Users\jerem\projects\DependencyCheck\dependency-check-core\target\test-classes\junit4-ant-2.0.13.jar\META-INF/maven/org.simpleframework/simple-xml/pom.xml
MD5: 92ffae01f39ead03e459e68046b071c0
SHA1: 1bdb68c2ba8dedea76c485a09c805f4c8739373e

Identifiers

  • maven: org.simpleframework:simple-xml:2.6.2   Confidence:HIGH

hibernate3.jar\META-INF/maven/org.hibernate/hibernate-jbosscache/pom.xml

Description: Integration of Hibernate with JBossCache 3.x (though 2.x should work as well)

File Path: C:\Users\jerem\projects\DependencyCheck\dependency-check-core\target\test-classes\hibernate3.jar\META-INF/maven/org.hibernate/hibernate-jbosscache/pom.xml
MD5: 339d8af2672ed9e1bef0e04649a33f46
SHA1: ef975161e9c45b177283d9105220f791ed512aea

Identifiers

  • maven: org.hibernate:hibernate-jbosscache:3.6.6.Final   Confidence:HIGH

hibernate3.jar\META-INF/maven/org.hibernate/hibernate-infinispan/pom.xml

Description: Integration of Hibernate with Infinispan

File Path: C:\Users\jerem\projects\DependencyCheck\dependency-check-core\target\test-classes\hibernate3.jar\META-INF/maven/org.hibernate/hibernate-infinispan/pom.xml
MD5: 2cc34e9876b4c73c4d9876e784e78e5d
SHA1: bd2454348c57618c3e02b329a6822d5979d3c871

Identifiers

  • maven: org.hibernate:hibernate-infinispan:3.6.6.Final   Confidence:HIGH

hibernate3.jar\META-INF/maven/org.hibernate/hibernate-testing/pom.xml

Description: Hibernate JUnit test utilities

File Path: C:\Users\jerem\projects\DependencyCheck\dependency-check-core\target\test-classes\hibernate3.jar\META-INF/maven/org.hibernate/hibernate-testing/pom.xml
MD5: 6cad956c9362f77504bf2d9aaf1731ee
SHA1: b8710fde765268f33442497aace2848f4fa986f4

Identifiers

  • maven: org.hibernate:hibernate-testing:3.6.6.Final   Confidence:HIGH

hibernate3.jar\META-INF/maven/org.hibernate/hibernate-oscache/pom.xml

Description: Integration of Hibernate with OSCache

File Path: C:\Users\jerem\projects\DependencyCheck\dependency-check-core\target\test-classes\hibernate3.jar\META-INF/maven/org.hibernate/hibernate-oscache/pom.xml
MD5: 97443939f6f7e9c45375397aac16e0b9
SHA1: 4aadcf3391317e2a62332e9fd801b8284c3d985c

Identifiers

  • maven: org.hibernate:hibernate-oscache:3.6.6.Final   Confidence:HIGH

hibernate3.jar\META-INF/maven/org.hibernate/hibernate-swarmcache/pom.xml

Description: Integration of Hibernate with SwarmCache

File Path: C:\Users\jerem\projects\DependencyCheck\dependency-check-core\target\test-classes\hibernate3.jar\META-INF/maven/org.hibernate/hibernate-swarmcache/pom.xml
MD5: 6e1b739de3e65236403d0eb82db58243
SHA1: aa700e6e775c476182a1e1ad0f15c63cdb537fe0

Identifiers

  • maven: org.hibernate:hibernate-swarmcache:3.6.6.Final   Confidence:HIGH

hibernate3.jar\META-INF/maven/org.hibernate/hibernate-c3p0/pom.xml

Description: C3P0-based implementation of the Hibernate ConnectionProvider contract

File Path: C:\Users\jerem\projects\DependencyCheck\dependency-check-core\target\test-classes\hibernate3.jar\META-INF/maven/org.hibernate/hibernate-c3p0/pom.xml
MD5: 301251db8497b5100b7d6e9efb0afc44
SHA1: 55119c84a43a9af05482e077ab241cacd1910d93

Identifiers

  • maven: org.hibernate:hibernate-c3p0:3.6.6.Final   Confidence:HIGH

hibernate3.jar\META-INF/maven/org.hibernate/hibernate-proxool/pom.xml

Description: Proxool-based implementation of the Hibernate ConnectionProvider contract

File Path: C:\Users\jerem\projects\DependencyCheck\dependency-check-core\target\test-classes\hibernate3.jar\META-INF/maven/org.hibernate/hibernate-proxool/pom.xml
MD5: d1749afd6014c4465a13a87583429af2
SHA1: 5a4af64267474034f5d844e6a0af599aea7b746f

Identifiers

  • maven: org.hibernate:hibernate-proxool:3.6.6.Final   Confidence:HIGH

hibernate3.jar\META-INF/maven/org.hibernate/hibernate-entitymanager/pom.xml

Description: Hibernate Entity Manager

File Path: C:\Users\jerem\projects\DependencyCheck\dependency-check-core\target\test-classes\hibernate3.jar\META-INF/maven/org.hibernate/hibernate-entitymanager/pom.xml
MD5: 68c7e92964df6fab1e9082d29a78d9c4
SHA1: 38d087e745fa330ad03fd5ab3e2d029845913de7

Identifiers

  • maven: org.hibernate:hibernate-entitymanager:3.6.6.Final   Confidence:HIGH

hibernate3.jar\META-INF/maven/org.hibernate/hibernate-envers/pom.xml

Description: Support for entity auditing

File Path: C:\Users\jerem\projects\DependencyCheck\dependency-check-core\target\test-classes\hibernate3.jar\META-INF/maven/org.hibernate/hibernate-envers/pom.xml
MD5: 897a79ec7b20d46002f0bbc441ed1ca9
SHA1: 02094fd8813c1b0b43b0e4d36df791ea80cfced1

Identifiers

  • maven: org.hibernate:hibernate-envers:3.6.6.Final   Confidence:HIGH

uber-1.0-SNAPSHOT.jar\META-INF/maven/commons-io/commons-io/pom.xml

Description:  Commons-IO contains utility classes, stream implementations, file filters, and endian classes.

File Path: C:\Users\jerem\projects\DependencyCheck\dependency-check-core\target\test-classes\uber-1.0-SNAPSHOT.jar\META-INF/maven/commons-io/commons-io/pom.xml
MD5: 92beb726a369cb3ce2503796f98e2f3b
SHA1: d30e29bee45e6da52a776266a460f10b51ceca98

Identifiers

  • maven: commons-io:commons-io:1.3.2   Confidence:HIGH

uber-1.0-SNAPSHOT.jar\META-INF/maven/com.yammer.dropwizard/dropwizard-core/pom.xml

File Path: C:\Users\jerem\projects\DependencyCheck\dependency-check-core\target\test-classes\uber-1.0-SNAPSHOT.jar\META-INF/maven/com.yammer.dropwizard/dropwizard-core/pom.xml
MD5: 818fd048671bd58716cd687cdcd79ba4
SHA1: 905a71014bc2ba9e893107268ba8227528f31617

Identifiers

  • maven: com.yammer.dropwizard:dropwizard-core:0.1.3   Confidence:HIGH

uber-1.0-SNAPSHOT.jar\META-INF/maven/com.sun.jersey/jersey-core/pom.xml

File Path: C:\Users\jerem\projects\DependencyCheck\dependency-check-core\target\test-classes\uber-1.0-SNAPSHOT.jar\META-INF/maven/com.sun.jersey/jersey-core/pom.xml
MD5: ff77b5aceaf6d73a121bcb471444f071
SHA1: e1c1339fa2c342aa5a24dcdd3658c00a2139263a

Identifiers

  • maven: com.sun.jersey:jersey-core:1.11   Confidence:HIGH

uber-1.0-SNAPSHOT.jar\META-INF/maven/com.sun.jersey/jersey-server/pom.xml

File Path: C:\Users\jerem\projects\DependencyCheck\dependency-check-core\target\test-classes\uber-1.0-SNAPSHOT.jar\META-INF/maven/com.sun.jersey/jersey-server/pom.xml
MD5: 07a7be16c32692944c7fe8dcc8685d3c
SHA1: baffe4cdc261e43b5e727d47a5f92691a473ca78

Identifiers

  • maven: com.sun.jersey:jersey-server:1.11   Confidence:HIGH

uber-1.0-SNAPSHOT.jar\META-INF/maven/com.sun.jersey/jersey-servlet/pom.xml

File Path: C:\Users\jerem\projects\DependencyCheck\dependency-check-core\target\test-classes\uber-1.0-SNAPSHOT.jar\META-INF/maven/com.sun.jersey/jersey-servlet/pom.xml
MD5: ed005c0838de5f8a6e0fe6ef31b827a0
SHA1: f1c4462e1f967afe6c150b3955b72c71780e2916

Identifiers

  • maven: com.sun.jersey:jersey-servlet:1.11   Confidence:HIGH

uber-1.0-SNAPSHOT.jar\META-INF/maven/com.yammer.metrics/metrics-core/pom.xml

File Path: C:\Users\jerem\projects\DependencyCheck\dependency-check-core\target\test-classes\uber-1.0-SNAPSHOT.jar\META-INF/maven/com.yammer.metrics/metrics-core/pom.xml
MD5: 726812bd630cb75b3cadf40346c669e9
SHA1: c04a80a736ae29268265e22aa7e21dea68c63d1b

Identifiers

  • maven: com.yammer.metrics:metrics-core:2.0.0-RC0   Confidence:HIGH

uber-1.0-SNAPSHOT.jar\META-INF/maven/com.yammer.metrics/metrics-servlet/pom.xml

File Path: C:\Users\jerem\projects\DependencyCheck\dependency-check-core\target\test-classes\uber-1.0-SNAPSHOT.jar\META-INF/maven/com.yammer.metrics/metrics-servlet/pom.xml
MD5: f71c2da1da38a5d505d892c2fe6022d2
SHA1: 838aaae3f56141a6e35e87003d90f1c7132f839c

Identifiers

  • maven: com.yammer.metrics:metrics-servlet:2.0.0-RC0   Confidence:HIGH

uber-1.0-SNAPSHOT.jar\META-INF/maven/com.yammer.metrics/metrics-jetty/pom.xml

File Path: C:\Users\jerem\projects\DependencyCheck\dependency-check-core\target\test-classes\uber-1.0-SNAPSHOT.jar\META-INF/maven/com.yammer.metrics/metrics-jetty/pom.xml
MD5: 994485bf6db4621a698290e213f0838e
SHA1: 3d4c7ee060f83ca829ee3ef22900e3af49579f53

Identifiers

  • maven: com.yammer.metrics:metrics-jetty:2.0.0-RC0   Confidence:HIGH
  • cpe: cpe:/a:jetty:jetty:2.0.0.rc0   Confidence:LOW   

uber-1.0-SNAPSHOT.jar\META-INF/maven/com.yammer.metrics/metrics-log4j/pom.xml

File Path: C:\Users\jerem\projects\DependencyCheck\dependency-check-core\target\test-classes\uber-1.0-SNAPSHOT.jar\META-INF/maven/com.yammer.metrics/metrics-log4j/pom.xml
MD5: 72b71c62a25ec1c934d7b1463fe9790d
SHA1: 66c0601572c4ea1df2aa24e69ff0a7c16a42623b

Identifiers

  • maven: com.yammer.metrics:metrics-log4j:2.0.0-RC0   Confidence:HIGH

uber-1.0-SNAPSHOT.jar\META-INF/maven/log4j/log4j/pom.xml

Description: Apache Log4j 1.2

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\Users\jerem\projects\DependencyCheck\dependency-check-core\target\test-classes\uber-1.0-SNAPSHOT.jar\META-INF/maven/log4j/log4j/pom.xml
MD5: e15d65d6c97d87704176c1e9338a2adb
SHA1: 88efb1b8d3d993fe339e9e2b201c75eed57d4c65

Identifiers

  • maven: log4j:log4j:1.2.16   Confidence:HIGH

uber-1.0-SNAPSHOT.jar\META-INF/maven/com.yammer.metrics/metrics-jersey/pom.xml

Description:  A set of class providing Metrics integration for Jersey, the reference JAX- implementation.

File Path: C:\Users\jerem\projects\DependencyCheck\dependency-check-core\target\test-classes\uber-1.0-SNAPSHOT.jar\META-INF/maven/com.yammer.metrics/metrics-jersey/pom.xml
MD5: 0b751b9e702fbd84c41644d71ba55862
SHA1: 8f90c99a87e2e1c67a1056c387bbe3ff1e92f2aa

Identifiers

  • maven: com.yammer.metrics:metrics-jersey:2.0.0-RC0   Confidence:HIGH

uber-1.0-SNAPSHOT.jar\META-INF/maven/com.yammer.metrics/metrics-annotation/pom.xml

Description:  A dependency-less package of just the annotations used by other Metrics modules.

File Path: C:\Users\jerem\projects\DependencyCheck\dependency-check-core\target\test-classes\uber-1.0-SNAPSHOT.jar\META-INF/maven/com.yammer.metrics/metrics-annotation/pom.xml
MD5: fac7425f6b8789ee45f7a7ad56711af0
SHA1: f28c170c7fbff96de88602d1d11afd9b618e6c59

Identifiers

  • maven: com.yammer.metrics:metrics-annotation:2.0.0-RC0   Confidence:HIGH

uber-1.0-SNAPSHOT.jar\META-INF/maven/org.slf4j/slf4j-api/pom.xml

Description: The slf4j API

File Path: C:\Users\jerem\projects\DependencyCheck\dependency-check-core\target\test-classes\uber-1.0-SNAPSHOT.jar\META-INF/maven/org.slf4j/slf4j-api/pom.xml
MD5: d000b772974fbe3ad9e1a68ad8f484e7
SHA1: 93c66c9afd6cf7b91bd4ecf38a60ca48fc5f2078

Identifiers

  • maven: org.slf4j:slf4j-api:1.6.4   Confidence:HIGH

uber-1.0-SNAPSHOT.jar\META-INF/maven/org.slf4j/slf4j-log4j12/pom.xml

Description:  The slf4j log4j-12 binding

File Path: C:\Users\jerem\projects\DependencyCheck\dependency-check-core\target\test-classes\uber-1.0-SNAPSHOT.jar\META-INF/maven/org.slf4j/slf4j-log4j12/pom.xml
MD5: 228315739fc30a7eb2403bcc8aaca619
SHA1: ab93dfaa2fb9619d91fb31a64bb65802b56ed0fb

Identifiers

  • maven: org.slf4j:slf4j-log4j12:1.6.4   Confidence:HIGH

uber-1.0-SNAPSHOT.jar\META-INF/maven/org.slf4j/jul-to-slf4j/pom.xml

Description:  JUL to SLF4J bridge

File Path: C:\Users\jerem\projects\DependencyCheck\dependency-check-core\target\test-classes\uber-1.0-SNAPSHOT.jar\META-INF/maven/org.slf4j/jul-to-slf4j/pom.xml
MD5: ae2b577066d99bea42b1e1f2f0aaf45d
SHA1: bd08211dd5fa0ab44a0a3b04c1ec0c5f67348334

Identifiers

  • maven: org.slf4j:jul-to-slf4j:1.6.4   Confidence:HIGH

uber-1.0-SNAPSHOT.jar\META-INF/maven/org.eclipse.jetty/jetty-server/pom.xml

Description: The core jetty server artifact.

File Path: C:\Users\jerem\projects\DependencyCheck\dependency-check-core\target\test-classes\uber-1.0-SNAPSHOT.jar\META-INF/maven/org.eclipse.jetty/jetty-server/pom.xml
MD5: 55a7034666834be8a62b8db044ac8d70
SHA1: a9ae16cb473f1797940dd58ed3d5541c88b34396

Identifiers

  • cpe: cpe:/a:jetty:jetty:7.6.0.rc4   Confidence:LOW   
  • maven: org.eclipse.jetty:jetty-server:7.6.0.RC4   Confidence:HIGH

uber-1.0-SNAPSHOT.jar\META-INF/maven/org.eclipse.jetty/jetty-continuation/pom.xml

Description: Asynchronous API

File Path: C:\Users\jerem\projects\DependencyCheck\dependency-check-core\target\test-classes\uber-1.0-SNAPSHOT.jar\META-INF/maven/org.eclipse.jetty/jetty-continuation/pom.xml
MD5: 74919244c9ca106d221f23a832e1076d
SHA1: b59985a1ba1b93fbbd5d90b6ff5ed9f44cc91ac7

Identifiers

  • cpe: cpe:/a:jetty:jetty:7.6.0.rc4   Confidence:LOW   
  • maven: org.eclipse.jetty:jetty-continuation:7.6.0.RC4   Confidence:HIGH

uber-1.0-SNAPSHOT.jar\META-INF/maven/org.eclipse.jetty/jetty-servlet/pom.xml

Description: Jetty Servlet Container

File Path: C:\Users\jerem\projects\DependencyCheck\dependency-check-core\target\test-classes\uber-1.0-SNAPSHOT.jar\META-INF/maven/org.eclipse.jetty/jetty-servlet/pom.xml
MD5: e662a30ea722c442a57a83c478fd7d7e
SHA1: 4a2d357d991aff1ee18e617b7c1076dbcfe89986

Identifiers

  • cpe: cpe:/a:jetty:jetty:7.6.0.rc4   Confidence:LOW   
  • maven: org.eclipse.jetty:jetty-servlet:7.6.0.RC4   Confidence:HIGH

uber-1.0-SNAPSHOT.jar\META-INF/maven/org.eclipse.jetty/jetty-security/pom.xml

Description: Jetty security infrastructure

File Path: C:\Users\jerem\projects\DependencyCheck\dependency-check-core\target\test-classes\uber-1.0-SNAPSHOT.jar\META-INF/maven/org.eclipse.jetty/jetty-security/pom.xml
MD5: 266a3467a1d03bce12e34fda16dfa615
SHA1: 53b54057b58ae7d3c4c12b520b048889a2c28ad8

Identifiers

  • cpe: cpe:/a:jetty:jetty:7.6.0.rc4   Confidence:LOW   
  • maven: org.eclipse.jetty:jetty-security:7.6.0.RC4   Confidence:HIGH

uber-1.0-SNAPSHOT.jar\META-INF/maven/org.eclipse.jetty/jetty-http/pom.xml

File Path: C:\Users\jerem\projects\DependencyCheck\dependency-check-core\target\test-classes\uber-1.0-SNAPSHOT.jar\META-INF/maven/org.eclipse.jetty/jetty-http/pom.xml
MD5: f1b6db43b8a499e66ddf58c8165714a5
SHA1: 885e6e766ec3452c085324a9759de5ad8a1c8971

Identifiers

  • cpe: cpe:/a:jetty:jetty:7.6.0.rc4   Confidence:LOW   
  • maven: org.eclipse.jetty:jetty-http:7.6.0.RC4   Confidence:HIGH

uber-1.0-SNAPSHOT.jar\META-INF/maven/org.eclipse.jetty/jetty-io/pom.xml

File Path: C:\Users\jerem\projects\DependencyCheck\dependency-check-core\target\test-classes\uber-1.0-SNAPSHOT.jar\META-INF/maven/org.eclipse.jetty/jetty-io/pom.xml
MD5: 941c55f8ac0d6c14971d20be7b60ec19
SHA1: f8f0907153f891113bdee011063e540d7d57a496

Identifiers

  • maven: org.eclipse.jetty:jetty-io:7.6.0.RC4   Confidence:HIGH

uber-1.0-SNAPSHOT.jar\META-INF/maven/org.eclipse.jetty/jetty-util/pom.xml

Description: Utility classes for Jetty

File Path: C:\Users\jerem\projects\DependencyCheck\dependency-check-core\target\test-classes\uber-1.0-SNAPSHOT.jar\META-INF/maven/org.eclipse.jetty/jetty-util/pom.xml
MD5: c147343fa7f11c15a5f99ddf8a830b20
SHA1: 9a86a0c493d3834471b7a03e174a9f4d469cbd98

Identifiers

  • cpe: cpe:/a:jetty:jetty:7.6.0.rc4   Confidence:LOW   
  • maven: org.eclipse.jetty:jetty-util:7.6.0.RC4   Confidence:HIGH

uber-1.0-SNAPSHOT.jar\META-INF/maven/com.google.guava/guava/pom.xml

Description:  Guava is a suite of core and expanded libraries that include utility classes, google's collections, io classes, and much much more. This project is a complete packaging of all the Guava libraries into a single jar. Individual portions of Guava can be used by downloading the appropriate module and its dependencies. Guava (complete) has only one code dependency - javax.annotation, per the JSR-305 spec.

File Path: C:\Users\jerem\projects\DependencyCheck\dependency-check-core\target\test-classes\uber-1.0-SNAPSHOT.jar\META-INF/maven/com.google.guava/guava/pom.xml
MD5: 76e749cc3e65c708116326959af90f64
SHA1: b7f1e532b79c7e1c09849c89460798d9a7c59eaf

Identifiers

  • maven: com.google.guava:guava:11.0.1   Confidence:HIGH

uber-1.0-SNAPSHOT.jar\META-INF/maven/org.hibernate/hibernate-validator/pom.xml

Description:  Hibernate's Bean Validation (JSR-303) reference implementation.

File Path: C:\Users\jerem\projects\DependencyCheck\dependency-check-core\target\test-classes\uber-1.0-SNAPSHOT.jar\META-INF/maven/org.hibernate/hibernate-validator/pom.xml
MD5: 80f5387c7495664fc4ba31138829b0b8
SHA1: 02ae7dae4450b00f78d8bc458590221e7401eee7

Identifiers

CVE-2014-3558  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)
CWE: CWE-264 Permissions, Privileges, and Access Controls

ReflectionHelper (org.hibernate.validator.util.ReflectionHelper) in Hibernate Validator 4.1.0 before 4.2.1, 4.3.x before 4.3.2, and 5.x before 5.1.2 allows attackers to bypass Java Security Manager (JSM) restrictions and execute restricted reflection calls via a crafted application.

uber-1.0-SNAPSHOT.jar\META-INF/maven/com.googlecode.jtype/jtype/pom.xml

Description: Library for working with the Java 5 type system

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\Users\jerem\projects\DependencyCheck\dependency-check-core\target\test-classes\uber-1.0-SNAPSHOT.jar\META-INF/maven/com.googlecode.jtype/jtype/pom.xml
MD5: a1dde0cb5b6ebe7e7d3540e0310042ac
SHA1: 2b51d041544482b183c1ae49eba99099d6f14998

Identifiers

  • maven: com.googlecode.jtype:jtype:0.1.1   Confidence:HIGH

uber-1.0-SNAPSHOT.jar\META-INF/maven/javax.validation/validation-api/pom.xml

Description:  Bean Validation (JSR-303) API.

License:

Apache License, Version 2.0: license.txt
File Path: C:\Users\jerem\projects\DependencyCheck\dependency-check-core\target\test-classes\uber-1.0-SNAPSHOT.jar\META-INF/maven/javax.validation/validation-api/pom.xml
MD5: 16476d0cc05b8a4fa53fe1c06383e5dd
SHA1: 257066393db253e1b7ab5f5ee76256615795d08f

Identifiers

  • maven: javax.validation:validation-api:1.0.0.GA   Confidence:HIGH

uber-1.0-SNAPSHOT.jar\META-INF/maven/org.yaml/snakeyaml/pom.xml

Description: YAML 1.1 parser and emitter for Java

License:

Apache License Version 2.0: LICENSE.txt
File Path: C:\Users\jerem\projects\DependencyCheck\dependency-check-core\target\test-classes\uber-1.0-SNAPSHOT.jar\META-INF/maven/org.yaml/snakeyaml/pom.xml
MD5: 53d95f8de1150f5addaecae68a5dd5cc
SHA1: 6464e4a69d7d79c63a6eb286db777d1e3819c4f7

Identifiers

  • maven: org.yaml:snakeyaml:1.9   Confidence:HIGH

ffmpeg\ffmpeg_version.cmake:libavformat

File Path: C:\Users\jerem\projects\DependencyCheck\dependency-check-core\target\test-classes\cmake\opencv\3rdparty\ffmpeg\ffmpeg_version.cmake:libavformat
MD5: 47c336385aec534dee9a316f3ac04773
SHA1: ae482b25e3e5a0d96304d10e7b6d97d18ccac2f6

Identifiers

  • None

ffmpeg\ffmpeg_version.cmake:libavutil

File Path: C:\Users\jerem\projects\DependencyCheck\dependency-check-core\target\test-classes\cmake\opencv\3rdparty\ffmpeg\ffmpeg_version.cmake:libavutil
MD5: 47c336385aec534dee9a316f3ac04773
SHA1: ea896539e3ef6e4936d8e76060c6479cb094b2fb

Identifiers

  • None

ffmpeg\ffmpeg_version.cmake:libswscale

File Path: C:\Users\jerem\projects\DependencyCheck\dependency-check-core\target\test-classes\cmake\opencv\3rdparty\ffmpeg\ffmpeg_version.cmake:libswscale
MD5: 47c336385aec534dee9a316f3ac04773
SHA1: 9139f866ffe06bf309a8441cac5c9718962919fe

Identifiers

  • None

ffmpeg\ffmpeg_version.cmake:libavresample

File Path: C:\Users\jerem\projects\DependencyCheck\dependency-check-core\target\test-classes\cmake\opencv\3rdparty\ffmpeg\ffmpeg_version.cmake:libavresample
MD5: 47c336385aec534dee9a316f3ac04773
SHA1: 7df0c82e00e86d400fdb009403f118fbf4bd609f

Identifiers

  • None

composer.lock:classpreloader/classpreloader

File Path: C:\Users\jerem\projects\DependencyCheck\dependency-check-core\target\test-classes\composer.lock:classpreloader/classpreloader
MD5: a4846582d3f217ac97801948bf8c496c
SHA1: 46793a86e4afd796833355ad7645974f7cf04229

Identifiers

  • None

composer.lock:danielstjules/stringy

File Path: C:\Users\jerem\projects\DependencyCheck\dependency-check-core\target\test-classes\composer.lock:danielstjules/stringy
MD5: a4846582d3f217ac97801948bf8c496c
SHA1: 86d91a8e27a6071f90194a4b94aa7bc96025437f

Identifiers

  • None

composer.lock:dnoegel/php-xdg-base-dir

File Path: C:\Users\jerem\projects\DependencyCheck\dependency-check-core\target\test-classes\composer.lock:dnoegel/php-xdg-base-dir
MD5: a4846582d3f217ac97801948bf8c496c
SHA1: 68be9e876c29b2904ad74f21a27e5151da864e8e

Identifiers

  • None

composer.lock:doctrine/inflector

File Path: C:\Users\jerem\projects\DependencyCheck\dependency-check-core\target\test-classes\composer.lock:doctrine/inflector
MD5: a4846582d3f217ac97801948bf8c496c
SHA1: 26a4639d70b9e76f7f480f7d3c68a1e36e169217

Identifiers

  • None

composer.lock:jakub-onderka/php-console-color

File Path: C:\Users\jerem\projects\DependencyCheck\dependency-check-core\target\test-classes\composer.lock:jakub-onderka/php-console-color
MD5: a4846582d3f217ac97801948bf8c496c
SHA1: 8865be0ad38837c20a2cf2c6a7c213042455bb62

Identifiers

  • None

composer.lock:jakub-onderka/php-console-highlighter

File Path: C:\Users\jerem\projects\DependencyCheck\dependency-check-core\target\test-classes\composer.lock:jakub-onderka/php-console-highlighter
MD5: a4846582d3f217ac97801948bf8c496c
SHA1: ebec2129dd0621f41111126bf2697903a99c5841

Identifiers

  • None

composer.lock:jeremeamia/SuperClosure

File Path: C:\Users\jerem\projects\DependencyCheck\dependency-check-core\target\test-classes\composer.lock:jeremeamia/SuperClosure
MD5: a4846582d3f217ac97801948bf8c496c
SHA1: 24557dc330071d84603f4ef882af6a2a9305771b

Identifiers

  • None

composer.lock:laravel/framework

File Path: C:\Users\jerem\projects\DependencyCheck\dependency-check-core\target\test-classes\composer.lock:laravel/framework
MD5: a4846582d3f217ac97801948bf8c496c
SHA1: a57e010848bbb7f7dfbace7437a161b8fe048cf6

Identifiers

  • None

composer.lock:laravel/laravel

File Path: C:\Users\jerem\projects\DependencyCheck\dependency-check-core\target\test-classes\composer.lock:laravel/laravel
MD5: a4846582d3f217ac97801948bf8c496c
SHA1: 1d93d6b870d351561fce5a90b9046172420eb7e4

Identifiers

  • None

composer.lock:league/flysystem

File Path: C:\Users\jerem\projects\DependencyCheck\dependency-check-core\target\test-classes\composer.lock:league/flysystem
MD5: a4846582d3f217ac97801948bf8c496c
SHA1: 63a9d9bd21d69cf18c093eb0fe57f30a323672e2

Identifiers

  • None

composer.lock:monolog/monolog

File Path: C:\Users\jerem\projects\DependencyCheck\dependency-check-core\target\test-classes\composer.lock:monolog/monolog
MD5: a4846582d3f217ac97801948bf8c496c
SHA1: b0e99548430ffc4272a40663c2eb8e59fbfeda87

Identifiers

  • None

composer.lock:mtdowling/cron-expression

File Path: C:\Users\jerem\projects\DependencyCheck\dependency-check-core\target\test-classes\composer.lock:mtdowling/cron-expression
MD5: a4846582d3f217ac97801948bf8c496c
SHA1: 3b17d2ae8b30e3cd4c83ebfa95aa5edc1620a32c

Identifiers

  • None

composer.lock:nesbot/carbon

File Path: C:\Users\jerem\projects\DependencyCheck\dependency-check-core\target\test-classes\composer.lock:nesbot/carbon
MD5: a4846582d3f217ac97801948bf8c496c
SHA1: 9248633a780786b3a763397b792b2f7c349ca770

Identifiers

  • None

composer.lock:nikic/php-parser

File Path: C:\Users\jerem\projects\DependencyCheck\dependency-check-core\target\test-classes\composer.lock:nikic/php-parser
MD5: a4846582d3f217ac97801948bf8c496c
SHA1: ea900c93fea5fd4ebac7239801adac01d2313bcd

Identifiers

  • None

composer.lock:psr/log

File Path: C:\Users\jerem\projects\DependencyCheck\dependency-check-core\target\test-classes\composer.lock:psr/log
MD5: a4846582d3f217ac97801948bf8c496c
SHA1: 4d863dabe431c2908fc9ab54299a7439a43aa76c

Identifiers

  • None

composer.lock:psy/psysh

File Path: C:\Users\jerem\projects\DependencyCheck\dependency-check-core\target\test-classes\composer.lock:psy/psysh
MD5: a4846582d3f217ac97801948bf8c496c
SHA1: 63af3901e1da6fa356f8086ede860d3fd01bf2b4

Identifiers

  • None

composer.lock:swiftmailer/swiftmailer

File Path: C:\Users\jerem\projects\DependencyCheck\dependency-check-core\target\test-classes\composer.lock:swiftmailer/swiftmailer
MD5: a4846582d3f217ac97801948bf8c496c
SHA1: fb1c5cdbdea7ba5c129954799200c9921f98aa72

Identifiers

  • None

composer.lock:symfony/console

File Path: C:\Users\jerem\projects\DependencyCheck\dependency-check-core\target\test-classes\composer.lock:symfony/console
MD5: a4846582d3f217ac97801948bf8c496c
SHA1: 23a7232db4e2bae46eb44e77ce583d078d0d8e91

Identifiers

  • None

composer.lock:symfony/css-selector

File Path: C:\Users\jerem\projects\DependencyCheck\dependency-check-core\target\test-classes\composer.lock:symfony/css-selector
MD5: a4846582d3f217ac97801948bf8c496c
SHA1: 4cc0e75ca5f2773f594e7490fbb43e176b0f6be9

Identifiers

  • None

composer.lock:symfony/debug

File Path: C:\Users\jerem\projects\DependencyCheck\dependency-check-core\target\test-classes\composer.lock:symfony/debug
MD5: a4846582d3f217ac97801948bf8c496c
SHA1: d3f3f153afafcba9083bf0805bf2542e0c6c6c7b

Identifiers

  • None

composer.lock:symfony/dom-crawler

File Path: C:\Users\jerem\projects\DependencyCheck\dependency-check-core\target\test-classes\composer.lock:symfony/dom-crawler
MD5: a4846582d3f217ac97801948bf8c496c
SHA1: 28aa18b089bd6cf04a10901c0a0649510dd773da

Identifiers

  • None

composer.lock:symfony/event-dispatcher

File Path: C:\Users\jerem\projects\DependencyCheck\dependency-check-core\target\test-classes\composer.lock:symfony/event-dispatcher
MD5: a4846582d3f217ac97801948bf8c496c
SHA1: 640703fa46f9ef1ef3195a4c2a62015053328270

Identifiers

  • None

composer.lock:symfony/finder

File Path: C:\Users\jerem\projects\DependencyCheck\dependency-check-core\target\test-classes\composer.lock:symfony/finder
MD5: a4846582d3f217ac97801948bf8c496c
SHA1: 738dcc3213406c287da1449dbace2721df5d8edd

Identifiers

  • None

composer.lock:symfony/http-foundation

File Path: C:\Users\jerem\projects\DependencyCheck\dependency-check-core\target\test-classes\composer.lock:symfony/http-foundation
MD5: a4846582d3f217ac97801948bf8c496c
SHA1: 25cd052bd3e1f15d0c34d5de85a4fd5022a3c0d9

Identifiers

  • None

composer.lock:symfony/http-kernel

File Path: C:\Users\jerem\projects\DependencyCheck\dependency-check-core\target\test-classes\composer.lock:symfony/http-kernel
MD5: a4846582d3f217ac97801948bf8c496c
SHA1: 1c48b57b83555de86fb7834381282da2ff7c6d77

Identifiers

  • None

composer.lock:symfony/process

File Path: C:\Users\jerem\projects\DependencyCheck\dependency-check-core\target\test-classes\composer.lock:symfony/process
MD5: a4846582d3f217ac97801948bf8c496c
SHA1: 6685376d87e56ddfcb013d0cfcb0d6ec9d02cd7e

Identifiers

  • None

composer.lock:symfony/routing

File Path: C:\Users\jerem\projects\DependencyCheck\dependency-check-core\target\test-classes\composer.lock:symfony/routing
MD5: a4846582d3f217ac97801948bf8c496c
SHA1: d84c27353c5a0ad3c00488a26a9321b105daeb0a

Identifiers

  • None

composer.lock:symfony/translation

File Path: C:\Users\jerem\projects\DependencyCheck\dependency-check-core\target\test-classes\composer.lock:symfony/translation
MD5: a4846582d3f217ac97801948bf8c496c
SHA1: 6a20965382e221407c72e5eab3235b501460fb8a

Identifiers

  • None

composer.lock:symfony/var-dumper

File Path: C:\Users\jerem\projects\DependencyCheck\dependency-check-core\target\test-classes\composer.lock:symfony/var-dumper
MD5: a4846582d3f217ac97801948bf8c496c
SHA1: 4f02c9143f31c80ede21311664ffa7fd1486fa92

Identifiers

  • None

composer.lock:vlucas/phpdotenv

File Path: C:\Users\jerem\projects\DependencyCheck\dependency-check-core\target\test-classes\composer.lock:vlucas/phpdotenv
MD5: a4846582d3f217ac97801948bf8c496c
SHA1: dda525c6d1d319b956e10a825e9c4b58285fff02

Identifiers

  • None


This report contains data retrieved from the National Vulnerability Database.