Dependency-Check is an open source tool performing a best effort analysis of 3rd party dependencies; false positives and false negatives may exist in the analysis performed by the tool. Use of the tool and the reporting provided constitutes acceptance for use in an AS IS condition, and there are NO warranties, implied or otherwise, with regard to the analysis or its use. Any use of the tool and the reporting provided is at the user’s risk. In no event shall the copyright holder or OWASP be held liable for any damages whatsoever arising out of or in connection with the use of this tool, the analysis performed, or the resulting report.
File Path: C:\Users\Jacques\.gradle\caches\2.13\workerMain\gradle-worker.jar
MD5: 63551621b0fb9164ae68e6c1d12a4c9b
SHA1: 207adcc738ee4a3c7c1573d1d641caba5528cc27
File Path: C:\Users\Jacques\.gradle\caches\jars-1\7vtkp6w261ws02y77joixi7ndajlbub\external-system-rt.jar
MD5: 405ead053cbc3e545b55049886446fb1
SHA1: 437e330704fc14d4b926dc162072d4b7e18b1a33
Description:
Guava is a suite of core and expanded libraries that include
utility classes, google's collections, io classes, and much
much more.
Guava has only one code dependency - javax.annotation,
per the JSR-305 spec.
License:
http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: C:\Users\Jacques\.gradle\caches\jars-1\87eo0lrvp84r6dbxjq018wy66es2era\guava-jdk5-17.0.jar
File Path: C:\Users\Jacques\.gradle\caches\jars-1\acy2hmjc6t9jwgdrus7fvhlrgr8ck33\gradle-base-services-2.13.jar
MD5: a471f761a37b2643746397001080a546
SHA1: 58afd9d37cb2a71346c1c47138b6ee9edcf004af
File Path: C:\Users\Jacques\.gradle\caches\jars-1\giufvf78y70nrw73u397pp8t0wp0vme\gradle-tooling-extension-api.jar
MD5: e65b13a9a09653853c74a4e1eb263537
SHA1: 8d74680cb95fd2cf3c46e021540323e6c2df1916
File Path: C:\Users\Jacques\.gradle\caches\jars-1\lf0frkzozf2t7in9a1zlwqqrn297vas\gradle-core-2.13.jar
MD5: 34669939361cc5edfcb913509594fd3f
SHA1: b758e5b15228ffce56c5874cdf906dc3203ebb34
File Path: C:\Users\Jacques\.gradle\caches\jars-1\nbo60g34apaec1q8xggue4jcl8ramo6\builder-model-1.5.0-beta2.jar
MD5: a0eb683ae8653d4703785c64d2818825
SHA1: c7aca8a84561d15f80f73981332092c8ff6afc46
File Path: C:\Users\Jacques\.gradle\caches\jars-1\ppfop2fjqtjbk4kegqzeeqmrbje51pv\velocity.jar
MD5: 644d4ec44e8a7b8cf83dab5dedeb6317
SHA1: dc11bcf13620bf26db19f68572dfd18e612901f3
File Path: C:\Users\Jacques\.gradle\caches\jars-1\tntzak4u4pdej31tcc0s4ega143nn\gradle-tooling-api-2.13.jar
MD5: 4c2f28945e5bdcd726add789a1103aa5
SHA1: 003228c75aa7f370464f73195ecae53bd8337483
File Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\antlr\antlr\2.7.6\cf4f67dae5df4f9932ae7810f4548ef3e14dd35e\antlr-2.7.6.jar
MD5: 97c6bb68108a3d68094eab0f67157962
SHA1: cf4f67dae5df4f9932ae7810f4548ef3e14dd35e
Description:
A framework for constructing recognizers, compilers,
and translators from grammatical descriptions containing
Java, C#, C++, or Python actions.
License:
BSD License: http://www.antlr.org/license.htmlFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\antlr\antlr\2.7.7\83cd2cd674a217ade95a4bb83a8a14f351f48bd0\antlr-2.7.7.jar
Description: AOP Alliance
License:
Public DomainFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\aopalliance\aopalliance\1.0\235ba8b489512805ac13a8f9ea77a1ca5ebe3e8\aopalliance-1.0.jar
Description: The HttpClient component supports the client-side of RFC 1945 (HTTP/1.0) and RFC 2616 (HTTP/1.1) , several related specifications (RFC 2109 (Cookies) , RFC 2617 (HTTP Authentication) , etc.), and provides a framework by which new request types (methods) or HTTP extensions can be created easily.
License:
Apache License: http://www.apache.org/licenses/LICENSE-2.0File Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\apache-httpclient\commons-httpclient\3.1\964cd74171f427720480efdec40a7c7f6e58426a\commons-httpclient-3.1.jar
Severity:
Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:N/A:P)
CWE: CWE-399 Resource Management Errors
http/conn/ssl/SSLConnectionSocketFactory.java in Apache HttpComponents HttpClient before 4.3.6 ignores the http.socket.timeout configuration setting during an SSL handshake, which allows remote attackers to cause a denial of service (HTTPS call hang) via unspecified vectors.
Vulnerable Software & Versions:
Severity:
Medium
CVSS Score: 5.8 (AV:N/AC:M/Au:N/C:P/I:P/A:N)
org.apache.http.conn.ssl.AbstractVerifier in Apache HttpComponents HttpClient before 4.3.5 and HttpAsyncClient before 4.0.2 does not properly verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via a "CN=" string in a field in the distinguished name (DN) of a certificate, as demonstrated by the "foo,CN=www.apache.org" string in the O field.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-20 Improper Input Validation
http/conn/ssl/AbstractVerifier.java in Apache Commons HttpClient before 4.2.3 does not properly verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via a certificate with a subject that specifies a common name in a field that is not the CN field. NOTE: this issue exists because of an incomplete fix for CVE-2012-5783.
Vulnerable Software & Versions: (show all)
Description: xml-commons provides an Apache-hosted set of DOM, SAX, and
JAXP interfaces for use in other xml-based projects. Our hope is that we
can standardize on both a common version and packaging scheme for these
critical XML standards interfaces to make the lives of both our developers
and users easier.
File Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\apache-xerces\resolver\2.9.1\3d0f97750b3a03e0971831566067754ba4bfd68c\resolver-2.9.1.jar
MD5: 706c533146c1f4ee46b66659ea14583a
SHA1: 3d0f97750b3a03e0971831566067754ba4bfd68c
Description:
Xerces2 is the next generation of high performance, fully compliant XML parsers in the
Apache Xerces family. This new version of Xerces introduces the Xerces Native Interface (XNI),
a complete framework for building parser components and configurations that is extremely
modular and easy to program.
File Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\apache-xerces\xercesImpl\2.9.1\7bc7e49ddfe4fb5f193ed37ecc96c12292c8ceb6\xercesImpl-2.9.1.jar
MD5: f807f86d7d9db25edbfc782aca7ca2a9
SHA1: 7bc7e49ddfe4fb5f193ed37ecc96c12292c8ceb6
File Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\asm\asm-attrs\1.5.3\911ca40cdb527969ee47dc6f782425d94a36b510\asm-attrs-1.5.3.jar
MD5: 2f222ca7499ed5bc49fe25a1182c59f7
SHA1: 911ca40cdb527969ee47dc6f782425d94a36b510
File Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\asm\asm\1.5.3\63a2715c39c9e97f88fe371d4441a1b3493d74f9\asm-1.5.3.jar
MD5: ea4119d1471fc3c1af6b216815bd666c
SHA1: 63a2715c39c9e97f88fe371d4441a1b3493d74f9
File Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\asm\asm\3.1\c157def142714c544bdea2e6144645702adf7097\asm-3.1.jar
MD5: b9b8d2d556f9458aac8c463fd511f86d
SHA1: c157def142714c544bdea2e6144645702adf7097
License:
Eclipse Public License - v 1.0: http://www.eclipse.org/legal/epl-v10.htmlFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\aspectj\aspectjrt\1.5.3\80e9fde0223721baefb5df5f251888cc2456ed6\aspectjrt-1.5.3.jar
License:
Eclipse Public License - v 1.0: http://www.eclipse.org/legal/epl-v10.htmlFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\aspectj\aspectjweaver\1.5.3\4040e72d0dda6e9a03d879835cd3f70f19284c34\aspectjweaver-1.5.3.jar
File Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\avalon-framework\avalon-framework-impl\4.2.0\4da1db18947eb6950abb7ad79253011b9aec0e48\avalon-framework-impl-4.2.0.jar
MD5: 5c1f8f5c8c6c043538fc4ea038c2aaf6
SHA1: 4da1db18947eb6950abb7ad79253011b9aec0e48
Description: Dawid Kurzyniec's backport of JSR 166
License:
Public Domain: http://creativecommons.org/licenses/publicdomainFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\backport-util-concurrent\backport-util-concurrent\3.1\682f7ac17fed79e92f8e87d8455192b63376347b\backport-util-concurrent-3.1.jar
Description: The Bouncy Castle Java CMS and S/MIME APIs for handling the CMS and S/MIME protocols. This jar contains CMS and S/MIME APIs for JDK 1.4. The APIs can be used in conjunction with a JCE/JCA provider such as the one provided with the Bouncy Castle Cryptography APIs. If the S/MIME API is used, the JavaMail API and the Java activation framework will also be needed.
License:
Bouncy Castle Licence: http://www.bouncycastle.org/licence.htmlFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\bouncycastle\bcmail-jdk14\138\14ff2dfec8578f5f6838c4d6a77a86789afe5382\bcmail-jdk14-138.jar
Description: The Bouncy Castle Crypto package is a Java implementation of cryptographic algorithms. This jar contains JCE provider and lightweight API for the Bouncy Castle Cryptography APIs for JDK 1.4.
License:
Bouncy Castle Licence: http://www.bouncycastle.org/licence.htmlFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\bouncycastle\bcprov-jdk14\138\de366c3243a586eb3c0e2bcde1ed9bb1bfb985ff\bcprov-jdk14-138.jar
File Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\bouncycastle\bouncycastle-jce-jdk13\112\106e97a5ad7a57aa2cbc48074db80225d3c0972a\bouncycastle-jce-jdk13-112.jar
MD5: eeb940217876bcd83a55d799ee5db7ca
SHA1: 106e97a5ad7a57aa2cbc48074db80225d3c0972a
File Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\bsf\bsf\2.4.0\658f324024bb473c4d15d18b855676fa817353e9\bsf-2.4.0.jar
MD5: 16e82d858c648962fb5c959f21959039
SHA1: 658f324024bb473c4d15d18b855676fa817353e9
Description:
c3p0 is an easy-to-use library for augmenting traditional (DriverManager-based) JDBC drivers with JNDI-bindable DataSources,
including DataSources that implement Connection and Statement Pooling, as described by the jdbc3 spec and jdbc2 std extension.
License:
GNU LESSER GENERAL PUBLIC LICENSE: http://www.gnu.org/licenses/lgpl.txtFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\c3p0\c3p0\0.9.1.1\302704f30c6e7abb7a0457f7771739e03c973e80\c3p0-0.9.1.1.jar
File Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\cglib\cglib\2.1_3\d3851e366b9fe8b7d8215de0f9eb980b359d8de0\cglib-2.1_3.jar
MD5: ce1dce4a5f6865fb88d4c7c2728b78ed
SHA1: d3851e366b9fe8b7d8215de0f9eb980b359d8de0
Description:
The XMP Library for Java is based on the C++ XMPCore library
and the API is similar.
License:
The BSD License: http://www.adobe.com/devnet/xmp/library/eula-xmp-library-java.htmlFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\com.adobe.xmp\xmpcore\5.1.2\55615fa2582424e38705487d1d3969af8554f637\xmpcore-5.1.2.jar
Description: A Java framework to parse command line options with annotations.
License:
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\com.beust\jcommander\1.35\47592e181b0bdbbeb63029e08c5e74f6803c4edd\jcommander-1.35.jar
Description: High Performance Primitive Collections.
Fundamental data structures (maps, sets, lists, stacks, queues) generated for
combinations of object and primitive types to conserve JVM memory and speed
up execution.
File Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\com.carrotsearch\hppc\0.5.2\74bcc9d152a928a4ea9ac59a5b45850bf00cd4e\hppc-0.5.2.jar
MD5: 835da0007c0756055b5934d09a0d9cb0
SHA1: 074bcc9d152a928a4ea9ac59a5b45850bf00cd4e
Description: Java library for extracting EXIF, IPTC, XMP, ICC and other metadata from image files.
License:
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\com.drewnoakes\metadata-extractor\2.8.0\c771dba842e459b704081212c66182eb351728de\metadata-extractor-2.8.0.jar
Description: Core annotations used for value types, used by Jackson data binding package.
License:
http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\com.fasterxml.jackson.core\jackson-annotations\2.4.0\d6a66c7a5f01cf500377bd669507a08cfeba882a\jackson-annotations-2.4.0.jar
Severity:
High
CVSS Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
XML external entity (XXE) vulnerability in XmlMapper in the Data format extension for Jackson (aka jackson-dataformat-xml) allows attackers to have unspecified impact via unknown vectors.
Vulnerable Software & Versions:
Description: Core Jackson abstractions, basic JSON streaming API implementation
License:
http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\com.fasterxml.jackson.core\jackson-core\2.5.4\a57a2df1a23ca1ee32f129173ba7f5feaa9ac24\jackson-core-2.5.4.jar
Severity:
High
CVSS Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
XML external entity (XXE) vulnerability in XmlMapper in the Data format extension for Jackson (aka jackson-dataformat-xml) allows attackers to have unspecified impact via unknown vectors.
Vulnerable Software & Versions:
Description: General data-binding functionality for Jackson: works on core streaming API
License:
http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\com.fasterxml.jackson.core\jackson-databind\2.4.2\8e31266a272ad25ac4c089734d93e8d811652c1f\jackson-databind-2.4.2.jar
Severity:
High
CVSS Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
XML external entity (XXE) vulnerability in XmlMapper in the Data format extension for Jackson (aka jackson-dataformat-xml) allows attackers to have unspecified impact via unknown vectors.
Vulnerable Software & Versions:
Description: Support for reading and writing Smile ("binary JSON")
encoded data using Jackson abstractions (streaming API, data binding,
tree model)
License:
http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\com.fasterxml.jackson.dataformat\jackson-dataformat-smile\2.5.4\db0c5f1b6e16cb5f5e0505abfcd4b36f3e8bfdc6\jackson-dataformat-smile-2.5.4.jar
Severity:
High
CVSS Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
XML external entity (XXE) vulnerability in XmlMapper in the Data format extension for Jackson (aka jackson-dataformat-xml) allows attackers to have unspecified impact via unknown vectors.
Vulnerable Software & Versions:
Description: rar decompression library in plain java
License:
UnRar License: https://raw.github.com/junrar/junrar/master/license.txtFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\com.github.junrar\junrar\0.7\18cc717b85af0b12ba922abf415c2ff4716f8219\junrar-0.7.jar
Description: JSR305 Annotations for Findbugs
License:
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\com.google.code.findbugs\jsr305\3.0.0\5871fb60dc68d67da54a663c3fd636a10a532948\jsr305-3.0.0.jar
Description: Google Gson library
License:
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\com.google.code.gson\gson\2.2.4\a60a5e993c98c864010053cb901b7eab25306568\gson-2.2.4.jar
Description:
Guava is a suite of core and expanded libraries that include
utility classes, google's collections, io classes, and much
much more.
Guava has only one code dependency - javax.annotation,
per the JSR-305 spec.
License:
http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\com.google.guava\guava\19.0\6ce200f6b23222af3d8abb6b6459e6c44f4bb0e9\guava-19.0.jar
Description:
Protocol Buffers are a way of encoding structured data in an efficient yet
extensible format.
License:
New BSD license: http://www.opensource.org/licenses/bsd-license.phpFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\com.google.protobuf\protobuf-java\2.5.0\a10732c76bfacdbd633a7eb0f7968b1059a65dfa\protobuf-java-2.5.0.jar
Description: Core barcode encoding/decoding library
File Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\com.google.zxing\core\3.2.1\2287494d4f5f9f3a9a2bb6980e3f32053721b315\core-3.2.1.jar
MD5: 45e31fec1bebd17da546cf7ec329d87b
SHA1: 2287494d4f5f9f3a9a2bb6980e3f32053721b315
Description:
A high performance version of java.util.LinkedHashMap for use as a software cache.
License:
Apache: http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\com.googlecode.concurrentlinkedhashmap\concurrentlinkedhashmap-lru\1.2\4316d710b6619ffe210c98deb2b0893587dad454\concurrentlinkedhashmap-lru-1.2.jar
Description: A simple Java toolkit for JSON
License:
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\com.googlecode.json-simple\json-simple\1.1.1\c9ad4a0850ab676c5c64461a05ca524cdfff59f1\json-simple-1.1.1.jar
Description: Java port of universalchardet
License:
Mozilla Public License 1.1 (MPL 1.1): http://www.mozilla.org/MPL/MPL-1.1.htmlFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\com.googlecode.juniversalchardet\juniversalchardet\1.0.3\cd49678784c46aa8789c060538e0154013bb421b\juniversalchardet-1.0.3.jar
Description: A generic parser and writer for all ISO 14496 based files (MP4, Quicktime, DCF, PDCF, ...)
License:
Apache 2: http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\com.googlecode.mp4parser\isoparser\1.0.2\6d9a5c5814ec67178dd1d5a25bae874d4697a5b8\isoparser-1.0.2.jar
File Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\com.googlecode.owasp-java-html-sanitizer\owasp-java-html-sanitizer\20160628.1\bf17ddc1f7c0b37157f59fa0d32a46e47b07efb3\owasp-java-html-sanitizer-20160628.1.jar
MD5: 2ff61c91fec416dc80c2d984bce7254d
SHA1: bf17ddc1f7c0b37157f59fa0d32a46e47b07efb3
Description: An add-on to the Jackcess library for handling encryption in MS Access files.
File Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\com.healthmarketscience.jackcess\jackcess-encrypt\2.1.1\555958b9ecf65524341c08b7fab98cc79416ca60\jackcess-encrypt-2.1.1-sources.jar
MD5: 67d71518d287541c8cee86e5fade0c41
SHA1: 555958b9ecf65524341c08b7fab98cc79416ca60
Description: An add-on to the Jackcess library for handling encryption in MS Access files.
License:
http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\com.healthmarketscience.jackcess\jackcess-encrypt\2.1.1\effacd7133ab76ee54c0488dd952b177bfeb85a3\jackcess-encrypt-2.1.1.jar
Description: A pure Java library for reading from and writing to MS Access databases.
License:
http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\com.healthmarketscience.jackcess\jackcess\2.1.2\b7f61fbb78919cb851868ce177d8fe626a6b4370\jackcess-2.1.2.jar
Description:
International Component for Unicode for Java (ICU4J) is a mature, widely used Java library
providing Unicode and Globalization support
License:
ICU License: http://source.icu-project.org/repos/icu/icu/trunk/LICENSEFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\com.ibm.icu\icu4j\57.1\198ea005f41219f038f4291f0b0e9f3259730e92\icu4j-57.1.jar
Description: XML Builder is a utility that creates simple XML documents using relatively sparse Java code
License:
Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0File Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\com.jamesmurty.utils\java-xmlbuilder\0.4\ac5962e48cdee3a0a6e1f8e00fcb594747ac5aaf\java-xmlbuilder-0.4.jar
Description: JSch is a pure Java implementation of SSH2
License:
BSD: http://www.jcraft.com/jsch/LICENSE.txtFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\com.jcraft\jsch\0.1.42\a86104b0f2e0c0bab5b0df836065823a99b5e334\jsch-0.1.42.jar
Description: iText, a free Java-PDF library
License:
Mozilla Public License: http://www.mozilla.org/MPL/MPL-1.1.htmlFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\com.lowagie\itext\2.1.7\892bfb3e97074a61123b3b2d7caa2db112750864\itext-2.1.7.jar
Description: A library to read PST files with java, without need for external libraries.
License:
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\com.pff\java-libpst\0.8.1\ad31986653dac9cb5132ea5b2999c20b4b286255\java-libpst-0.8.1.jar
Description: Utility classes for ROME projects
File Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\com.rometools\rome-utils\1.5.1\3a3d6473a2f5d55fb31bf6c269af963fdea13b54\rome-utils-1.5.1.jar
MD5: ba0f0958cbbacd734b383038c3dcb0ef
SHA1: 3a3d6473a2f5d55fb31bf6c269af963fdea13b54
Description: All Roads Lead to ROME. ROME is a set of Atom/RSS Java utilities that make it
easy to work in Java with most syndication formats. Today it accepts all flavors of RSS
(0.90, 0.91, 0.92, 0.93, 0.94, 1.0 and 2.0), Atom 0.3 and Atom 1.0 feeds. Rome includes
a set of parsers and generators for the various flavors of feeds, as well as converters
to convert from one format to another. The parsers can give you back Java objects that
are either specific for the format you want to work with, or a generic normalized
SyndFeed object that lets you work on with the data without bothering about the
underlying format.
File Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\com.rometools\rome\1.5.1\cc3489f066749bede7fc81f4e80c0d8c9534a210\rome-1.5.1.jar
MD5: 07039d4b871513942d0495311947275f
SHA1: cc3489f066749bede7fc81f4e80c0d8c9534a210
Description:
Spatial4j is a general purpose spatial / geospatial ASL licensed open-source Java library. It's
core capabilities are 3-fold: to provide common geospatially-aware shapes, to provide distance
calculations and other math, and to read shapes in WKT format.
License:
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\com.spatial4j\spatial4j\0.4.1\4234d12b1ba4d4b539fb3e29edd948a99539d9eb\spatial4j-0.4.1.jar
Description: Jersey is the open source (under dual CDDL+GPL license) JAX-RS (JSR 311) production quality Reference Implementation for building RESTful Web services.
License:
http://glassfish.java.net/public/CDDL+GPL_1_1.html, http://glassfish.java.net/public/CDDL+GPL_1_1.htmlFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\com.sun.jersey\jersey-core\1.9\8341846f18187013bb9e27e46b7ee00a6395daf4\jersey-core-1.9.jar
Description: Jersey is the open source (under dual CDDL+GPL license) JAX-RS (JSR 311) production quality Reference Implementation for building RESTful Web services.
License:
http://glassfish.java.net/public/CDDL+GPL_1_1.html, http://glassfish.java.net/public/CDDL+GPL_1_1.htmlFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\com.sun.jersey\jersey-json\1.9\1aa73e1896bcc7013fed247157d7f676226eb432\jersey-json-1.9.jar
Description: Jersey is the open source (under dual CDDL+GPL license) JAX-RS (JSR 311) production quality Reference Implementation for building RESTful Web services.
License:
http://glassfish.java.net/public/CDDL+GPL_1_1.html, http://glassfish.java.net/public/CDDL+GPL_1_1.htmlFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\com.sun.jersey\jersey-server\1.9\3a6ea7cc5e15c824953f9f3ece2201b634d90d18\jersey-server-1.9.jar
Description: JavaMail API
License:
https://glassfish.java.net/public/CDDL+GPL_1_1.htmlFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\com.sun.mail\javax.mail\1.5.1\9724dd44f1abbba99c9858aa05fc91d53f59e7a5\javax.mail-1.5.1.jar
File Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\com.sun.syndication\com.springsource.com.sun.syndication\0.9.0\2c8daab3471d3060d115cdcf4af2a88cb04744c1\com.springsource.com.sun.syndication-0.9.0.jar
MD5: 1c5121f30c06d4ec0d5c68dc5e119929
SHA1: 2c8daab3471d3060d115cdcf4af2a88cb04744c1
File Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\com.sun.xml.bind\jaxb-impl\2.1.9\9c137963871ba7296643806b01083e4cf1703769\jaxb-impl-2.1.9.jar
MD5: 8f7f2e5ceca330ebfeea5db52a891f8f
SHA1: 9c137963871ba7296643806b01083e4cf1703769
Description: JAXB (JSR 222) reference implementation
License:
CDDL 1.1: https://glassfish.java.net/public/CDDL+GPL_1_1.html GPL2 w/ CPE: https://glassfish.java.net/public/CDDL+GPL_1_1.htmlFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\com.sun.xml.bind\jaxb-impl\2.2.3-1\56baae106392040a45a06d4a41099173425da1e6\jaxb-impl-2.2.3-1.jar
Description: Data structure which allows accurate estimation of quantiles and related rank statistics
License:
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\com.tdunning\t-digest\3.1\451ed219688aed5821a789428fd5e10426d11312\t-digest-3.1.jar
File Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\com.thoughtworks.paranamer\paranamer\2.3\4a85963a752c0a2f715c3924bfc686865e7e1bc6\paranamer-2.3.jar
MD5: e3060bebfe449abeb277e77c4c3388cb
SHA1: 4a85963a752c0a2f715c3924bfc686865e7e1bc6
Description: XStream is a serialization library from Java objects to XML and back.
License:
http://x-stream.github.io/license.htmlFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\com.thoughtworks.xstream\xstream\1.4.9\c43f6e6bfa79b56e04a8898a923c3cf7144dd460\xstream-1.4.9.jar
File Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\commons-beanutils\commons-beanutils-core\1.8.3\75812698e5e859f2cb587c622c4cdfcd61676426\commons-beanutils-core-1.8.3.jar
MD5: 944f66e681239c8353e8497920f1e5d3
SHA1: 75812698e5e859f2cb587c622c4cdfcd61676426
Severity:
High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-20 Improper Input Validation
Apache Commons BeanUtils, as distributed in lib/commons-beanutils-1.8.0.jar in Apache Struts 1.x through 1.3.10 and in other products requiring commons-beanutils through 1.9.2, does not suppress the class property, which allows remote attackers to "manipulate" the ClassLoader and execute arbitrary code via the class parameter, as demonstrated by the passing of this parameter to the getClass method of the ActionForm object in Struts 1.
Vulnerable Software & Versions: (show all)
Description: Apache Commons BeanUtils provides an easy-to-use but flexible wrapper around reflection and introspection.
License:
http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\commons-beanutils\commons-beanutils\1.9.2\7a87d845ad3a155297e8f67d9008f4c1e5656b71\commons-beanutils-1.9.2.jar
Description:
Apache Commons CLI provides a simple API for presenting, processing and validating a command line interface.
License:
http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\commons-cli\commons-cli\1.3.1\1303efbc4b181e5a58bf2e967dc156a3132b97c0\commons-cli-1.3.1.jar
Description:
The Apache Commons Codec package contains simple encoder and decoders for
various formats such as Base64 and Hexadecimal. In addition to these
widely used encoders and decoders, the codec package also maintains a
collection of phonetic encoding utilities.
License:
http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\commons-codec\commons-codec\1.10\4b95f4897fa13f2cd904aee711aeafc0c5295cd8\commons-codec-1.10.jar
Description: Types that extend and augment the Java Collections Framework.
License:
http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\commons-collections\commons-collections\3.2.2\8ad72fe39fa8c91eaaf12aadb21e0c3661fe26d5\commons-collections-3.2.2.jar
Description:
Tools to assist in the reading of configuration/preferences files in
various formats
License:
http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\commons-configuration\commons-configuration\1.6\32cadde23955d7681b0d94a2715846d20b425235\commons-configuration-1.6.jar
Description:
Apache Commons Daemon software provides an alternative invocation mechanism for unix-daemon-like Java code.
License:
http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\commons-daemon\commons-daemon\1.0.13\750856a1fdb3ddf721ccf73c3518e4211cffc3a3\commons-daemon-1.0.13.jar
Description:
The Digester package lets you configure an XML to Java object mapping module
which triggers certain actions called rules whenever a particular
pattern of nested XML elements is recognized.
License:
http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\commons-digester\commons-digester\1.8.1\3dec9b9c7ea9342d4dbe8c38560080d85b44a015\commons-digester-1.8.1.jar
Description: The Apache Commons Discovery component is about discovering, or finding,
implementations for pluggable interfaces.
License:
http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\commons-discovery\commons-discovery\0.5\3a8ac816bbe02d2f88523ef22cbf2c4abd71d6a8\commons-discovery-0.5.jar
Description: JSP 2.0 Expression Language Interpreter Implementation
License:
The Apache Software License, Version 2.0: /LICENSE.txtFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\commons-el\commons-el\1.0\1df2c042b3f2de0124750241ac6c886dbfa2cc2c\commons-el-1.0.jar
Description:
The Apache Commons FileUpload component provides a simple yet flexible means of adding support for multipart
file upload functionality to servlets and web applications.
License:
http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\commons-fileupload\commons-fileupload\1.3.1\c621b54583719ac0310404463d6d99db27e1052c\commons-fileupload-1.3.1.jar
Severity:
High
CVSS Score: 7.8 (AV:N/AC:L/Au:N/C:N/I:N/A:C)
CWE: CWE-20 Improper Input Validation
The MultipartStream class in Apache Commons Fileupload before 1.3.2, as used in Apache Tomcat 7.x before 7.0.70, 8.x before 8.0.36, 8.5.x before 8.5.3, and 9.x before 9.0.0.M7 and other products, allows remote attackers to cause a denial of service (CPU consumption) via a long boundary string.
Vulnerable Software & Versions: (show all)
Description:
The Commons IO library contains utility classes, stream implementations, file filters,
file comparators, endian transformation classes, and much more.
License:
http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\commons-io\commons-io\2.4\b1b6ea3b7e4aa4f492509a4952029cd8e48019ad\commons-io-2.4.jar
Description:
Commons Lang, a package of Java utility classes for the
classes that are in java.lang's hierarchy, or are considered to be so
standard as to justify existence in java.lang.
License:
http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\commons-lang\commons-lang\2.6\ce1edb914c94ebc388f086c6827e8bdeec71ac2\commons-lang-2.6.jar
Description: Commons Logging is a thin adapter allowing configurable bridging to other,
well known logging systems.
License:
The Apache Software License, Version 2.0: /LICENSE.txtFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\commons-logging\commons-logging-api\1.1\7d4cf5231d46c8524f9b9ed75bb2d1c69ab93322\commons-logging-api-1.1.jar
Description: Apache Commons Logging is a thin adapter allowing configurable bridging to other,
well known logging systems.
License:
http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\commons-logging\commons-logging\1.2\4bfc12adfe4842bf07b657f0369c4cb522955686\commons-logging-1.2.jar
Description:
Apache Commons Net library contains a collection of network utilities and protocol implementations.
Supported protocols include: Echo, Finger, FTP, NNTP, NTP, POP3(S), SMTP(S), Telnet, Whois
License:
http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\commons-net\commons-net\3.3\cd0d5510908225f76c5fe5a3f1df4fa44866f81e\commons-net-3.3.jar
Description:
Apache Commons Validator provides the building blocks for both client side validation and server side data validation.
It may be used standalone or with a framework like Struts.
License:
http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\commons-validator\commons-validator\1.5.1\86d05a46e8f064b300657f751b5a98c62807e2a0\commons-validator-1.5.1.jar
Description: The boilerpipe library provides algorithms to detect and remove the surplus "clutter" (boilerplate, templates) around the main textual content of a web page.
The library already provides specific strategies for common tasks (for example: news article extraction) and may also be easily extended for individual problem settings.
Extracting content is very fast (milliseconds), just needs the input document (no global or site-level information required) and is usually quite accurate.
Boilerpipe is a Java library written by Christian Kohlschütter. It is released under the Apache License 2.0.
The algorithms used by the library are based on (and extending) some concepts of the paper "Boilerplate Detection using Shallow Text Features" by Christian Kohlschütter et al., presented at WSDM 2010 -- The Third ACM International Conference on Web Search and Data Mining New York City, NY USA.
License:
Apache License 2.0File Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\de.l3s.boilerpipe\boilerpipe\1.1.0\f62cb75ed52455a9e68d1d05b84c500673340eb2\boilerpipe-1.1.0.jar
File Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\de.odysseus.juel\juel-impl\2.2.7\97958467acef4c2b230b72354a4eefc66628dd99\juel-impl-2.2.7.jar
MD5: c5d7a62edafb5706b6beadbbcfd8f57d
SHA1: 97958467acef4c2b230b72354a4eefc66628dd99
File Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\de.odysseus.juel\juel-spi\2.2.7\ca146332a93720784f24a5a24bb71c6d545133bd\juel-spi-2.2.7.jar
MD5: a4df3c8482a97ae937081b7d0ab407bb
SHA1: ca146332a93720784f24a5a24bb71c6d545133bd
Description: dom4j: the flexible XML framework for Java
File Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\dom4j\dom4j\1.6.1\5d3ccc056b6f056dbf0dddfdf43894b9065a8f94\dom4j-1.6.1.jar
MD5: 4d8f51d3fe3900efc6e395be48030d6d
SHA1: 5d3ccc056b6f056dbf0dddfdf43894b9065a8f94
Description:
The NetCDF-Java Library is a Java interface to NetCDF files,
as well as to many other types of scientific data formats.
File Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\edu.ucar\cdm\4.5.5\af1748a3d024069cb7fd3fc2591efe806c914589\cdm-4.5.5.jar
MD5: 7770c86aabbd0ec5e12ed1f0600d5492
SHA1: af1748a3d024069cb7fd3fc2591efe806c914589
Description:
Decoder for the GRIB format.
File Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\edu.ucar\grib\4.5.5\cfe552910e9a8d57ce71134796abb281a74ead16\grib-4.5.5.jar
MD5: 0cb80276d8ea89cacc1d5632dbf39fe9
SHA1: cfe552910e9a8d57ce71134796abb281a74ead16
File Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\edu.ucar\httpservices\4.5.5\ee5f217be599e5e03f7f0e55e03f9e721a154f62\httpservices-4.5.5.jar
MD5: c5207827b8b7e6045b2af7e1e8c5b1d4
SHA1: ee5f217be599e5e03f7f0e55e03f9e721a154f62
Description: Fork of jpeg2k code from https://code.google.com/p/jj2000/.
This is a dependency for support of compression in Grib2 files in netCDF-java and TDS.
We welcome bug fixes and other contributions to this code.
License:
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\edu.ucar\jj2000\5.2\b857c9bdf12fe17d8ef98218eaa39e6a0c6ff493\jj2000-5.2.jar
File Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\edu.ucar\netcdf4\4.5.5\675d63ecc857c50dd50858011b670160aa30b62\netcdf4-4.5.5.jar
MD5: 5f14df469295650fd65748a003c9ba56
SHA1: 0675d63ecc857c50dd50858011b670160aa30b62
Description: The ucar.units Java package is for decoding and encoding
formatted unit specifications (e.g. "m/s"), converting numeric values
between compatible units (e.g. between "m/s" and "knot"), and for
performing arithmetic operations on units (e.g. dividing one unit by
another, raising a unit to a power).
File Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\edu.ucar\udunits\4.5.5\d8c8d65ade13666eedcf764889c69321c247f153\udunits-4.5.5.jar
MD5: 025ffadf77de73601443c8262c995df0
SHA1: d8c8d65ade13666eedcf764889c69321c247f153
Description: A Java library for the automatic stimulation and testing of web applications.
License:
MIT License: http://httpunit.sourceforge.net/doc/license.htmlFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\httpunit\httpunit\1.7\2030058ecce7aea03442cd5b40782ab94e1008f5\httpunit-1.7.jar
File Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\io.netty\netty-all\4.0.23.Final\294104aaf1781d6a56a07d561e792c5d0c95f45\netty-all-4.0.23.Final.jar
MD5: 4725826ca7ba3713db6748ee8f3906c3
SHA1: 0294104aaf1781d6a56a07d561e792c5d0c95f45
Description:
The Netty project is an effort to provide an asynchronous event-driven
network application framework and tools for rapid development of
maintainable high performance and high scalability protocol servers and
clients. In other words, Netty is a NIO client server framework which
enables quick and easy development of network applications such as protocol
servers and clients. It greatly simplifies and streamlines network
programming such as TCP and UDP socket server.
License:
Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0File Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\io.netty\netty\3.7.0.Final\7a8c35599c68c0bf383df74469aa3e03d9aca87\netty-3.7.0.Final.jar
Severity:
Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer
The SslHandler in Netty before 3.9.2 allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via a crafted SSLv2Hello message.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-399 Resource Management Errors
WebSocket08FrameDecoder in Netty 3.6.x before 3.6.9, 3.7.x before 3.7.1, 3.8.x before 3.8.2, 3.9.x before 3.9.1, and 4.0.x before 4.0.19 allows remote attackers to cause a denial of service (memory consumption) via a TextWebSocketFrame followed by a long stream of ContinuationWebSocketFrames.
Vulnerable Software & Versions: (show all)
File Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\jakarta-regexp\jakarta-regexp\1.4\ea514a179ac1dd7e81c7e6594468b9b9910d298\jakarta-regexp-1.4.jar
MD5: 5d8b8c601c21b37aa6142d38f45c0297
SHA1: 0ea514a179ac1dd7e81c7e6594468b9b9910d298
Description:
JavaBeans Activation Framework (JAF) is a standard extension to the Java platform that lets you take advantage of standard services to: determine the type of an arbitrary piece of data; encapsulate access to it; discover the operations available on it; and instantiate the appropriate bean to perform the operation(s).
License:
Common Development and Distribution License (CDDL) v1.0: https://glassfish.dev.java.net/public/CDDLv1.0.htmlFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\javax.activation\activation\1.1\e6cb541461c2834bdea3eb920f1884d1eb508b50\activation-1.1.jar
Description: Common Annotations for the JavaTM Platform API
License:
CDDL + GPLv2 with classpath exception: https://glassfish.dev.java.net/nonav/public/CDDL+GPL.htmlFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\javax.annotation\javax.annotation-api\1.2\479c1e06db31c432330183f5cae684163f186146\javax.annotation-api-1.2.jar
Description: Expression Language 3.0 API
License:
CDDL + GPLv2 with classpath exception: https://glassfish.dev.java.net/nonav/public/CDDL+GPL.htmlFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\javax.el\javax.el-api\3.0.1-b04\8c0c970b8deae5054ff0bf4b17979c8181a506d3\javax.el-api-3.0.1-b04.jar
Severity:
Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N)
CWE: CWE-310 Cryptographic Issues
The RC4 algorithm, as used in the TLS protocol and SSL protocol, does not properly combine state data with key data during the initialization phase, which makes it easier for remote attackers to conduct plaintext-recovery attacks against the initial bytes of a stream by sniffing network traffic that occasionally relies on keys affected by the Invariance Weakness, and then using a brute-force approach involving LSB values, aka the "Bar Mitzvah" issue.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N)
CWE: CWE-310 Cryptographic Issues
The RC4 algorithm, as used in the TLS protocol and SSL protocol, has many single-byte biases, which makes it easier for remote attackers to conduct plaintext-recovery attacks via statistical analysis of ciphertext in a large number of sessions that use the same plaintext.
Vulnerable Software & Versions: (show all)
Description:
JSR-275 specifies Java packages for the programmatic handling
of physical quantities and their expression as numbers of units.
License:
Specification License: LICENSE.txtFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\javax.measure\jsr-275\0.9.3\ab2fb094fc5297ae5636ef6ed0d6051d5a656588\jsr-275-0.9.3.jar
Description:
The Enterprise JavaBeans architecture is a component architecture for the development and deployment of component-based business applications.
The purpose of Enterprise JavaBeans (EJB) 3.0 is to improve the EJB architecture by reducing its complexity from the developer's point of view.
License:
Common Development and Distribution License (CDDL) v1.0: http://www.sun.com/cddl/cddl.htmlFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\javax.persistence\persistence-api\1.0\5725f57873e05e068803e2bf9d5a8ea3740ffec5\persistence-api-1.0.jar
Description: Java.net - The Source for Java Technology Collaboration
License:
CDDL + GPLv2 with classpath exception: http://glassfish.dev.java.net/nonav/public/CDDL+GPL.htmlFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\javax.servlet.jsp\javax.servlet.jsp-api\2.3.0\3795334f4306b194003e16dfba4111a0467a49bd\javax.servlet.jsp-api-2.3.0.jar
File Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\javax.servlet.jsp\jsp-api\2.1\63f943103f250ef1f3a4d5e94d145a0f961f5316\jsp-api-2.1.jar
MD5: b8a34113a3a1ce29c8c60d7141f5a704
SHA1: 63f943103f250ef1f3a4d5e94d145a0f961f5316
Description: Java(TM) Servlet 3.1 API Design Specification
License:
CDDL + GPLv2 with classpath exception: https://glassfish.dev.java.net/nonav/public/CDDL+GPL.htmlFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\javax.servlet\javax.servlet-api\3.1.0\3cd63d075497751784b2fa84be59432f4905bf7c\javax.servlet-api-3.1.0.jar
Description:
Java Servlet technology provides Web developers with a simple, consistent mechanism for extending the functionality of a Web server and for accessing existing business systems.
File Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\javax.servlet\servlet-api\2.3\137a24e9f62973f01f16dd23fc1b5a9964fd9ef\servlet-api-2.3.jar
MD5: c097f777c6fd453277c6891b3bb4dc09
SHA1: 0137a24e9f62973f01f16dd23fc1b5a9964fd9ef
File Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\javax.servlet\servlet-api\2.4\3fc542fe8bb8164e8d3e840fe7403bc0518053c0\servlet-api-2.4.jar
MD5: f6cf3fde0b992589ed3d87fa9674015f
SHA1: 3fc542fe8bb8164e8d3e840fe7403bc0518053c0
File Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\javax.servlet\servlet-api\2.5\5959582d97d8b61f4d154ca9e495aafd16726e34\servlet-api-2.5.jar
MD5: 69ca51af4e9a67a1027a7f95b52c3e8f
SHA1: 5959582d97d8b61f4d154ca9e495aafd16726e34
Severity:
Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:N/A:P)
Unspecified vulnerability in the Network Security Services (NSS) in Sun Java System Web Server 6.0 before SP 10 and ONE Application Server 7 before Update 3, when SSLv2 is enabled, allows remote authenticated users to cause a denial of service (application crash) via unspecified vectors. NOTE: due to lack of details from the vendor, it is unclear whether this is related to vector 1 in CVE-2006-5201 or CVE-2006-3127.
Vulnerable Software & Versions: (show all)
Severity:
Low
CVSS Score: 2.6 (AV:N/AC:H/Au:N/C:N/I:P/A:N)
Cross-site scripting (XSS) vulnerability in Sun ONE Application Server 7 before Update 9, Java System Application Server 7 2004Q2 before Update 5, and Java System Application Server Enterprise Edition 8.1 2005 Q1 allows remote attackers to inject arbitrary HTML or web script via unknown vectors.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
Cross-site scripting (XSS) vulnerability in Sun ONE Web Server 6.0 SP9 and earlier, Java System Web Server 6.1 SP4 and earlier, Sun ONE Application Server 7 Platform and Standard Edition Update 6 and earlier, and Java System Application Server 7 2004Q2 Standard and Enterprise Edition Update 2 and earlier, allows remote attackers to inject arbitrary web script or HTML via unknown attack vectors, possibly involving error messages.
Vulnerable Software & Versions: (show all)
File Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\javax.transaction\jta\1.0.1B\3dd157a4f4fe115ac5d165d6c21463d0ce9e3c7b\jta-1.0.1B.jar
MD5: c6e3e528816227b97f6b21f709641f8f
SHA1: 3dd157a4f4fe115ac5d165d6c21463d0ce9e3c7b
Description: Java API for RESTful Web Services (JAX-RS)
License:
CDDL 1.1: http://glassfish.java.net/public/CDDL+GPL_1_1.html GPL2 w/ CPE: http://glassfish.java.net/public/CDDL+GPL_1_1.htmlFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\javax.ws.rs\javax.ws.rs-api\2.0.1\104e9c2b5583cfcfeac0402316221648d6d8ea6b\javax.ws.rs-api-2.0.1.jar
License:
CDDL License
: http://www.opensource.org/licenses/cddl1.php
File Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\javax.ws.rs\jsr311-api\1.1.1\59033da2a1afd56af1ac576750a8d0b1830d59e6\jsr311-api-1.1.1.jar
File Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\javax.xml.bind\jaxb-api\2.1\b2dfeed54ac106bcd714ba59c1f52ef9167d56e\jaxb-api-2.1.jar
MD5: 63f750861245626b7338e2d2e6a33068
SHA1: 0b2dfeed54ac106bcd714ba59c1f52ef9167d56e
Description:
JAXB (JSR 222) API
License:
CDDL 1.1: https://glassfish.dev.java.net/public/CDDL+GPL_1_1.html GPL2 w/ CPE: https://glassfish.dev.java.net/public/CDDL+GPL_1_1.htmlFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\javax.xml.bind\jaxb-api\2.2.2\aeb3021ca93dde265796d82015beecdcff95bf09\jaxb-api-2.2.2.jar
Severity:
Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N)
CWE: CWE-310 Cryptographic Issues
The RC4 algorithm, as used in the TLS protocol and SSL protocol, does not properly combine state data with key data during the initialization phase, which makes it easier for remote attackers to conduct plaintext-recovery attacks against the initial bytes of a stream by sniffing network traffic that occasionally relies on keys affected by the Invariance Weakness, and then using a brute-force approach involving LSB values, aka the "Bar Mitzvah" issue.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N)
CWE: CWE-310 Cryptographic Issues
The RC4 algorithm, as used in the TLS protocol and SSL protocol, has many single-byte biases, which makes it easier for remote attackers to conduct plaintext-recovery attacks via statistical analysis of ciphertext in a large number of sessions that use the same plaintext.
Vulnerable Software & Versions: (show all)
Description:
StAX is a standard XML processing API that allows you to stream XML data from and to your application.
License:
GNU General Public Library: http://www.gnu.org/licenses/gpl.txt COMMON DEVELOPMENT AND DISTRIBUTION LICENSE (CDDL) Version 1.0: http://www.sun.com/cddl/cddl.htmlFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\javax.xml.stream\stax-api\1.0-2\d6337b0de8b25e53e81b922352fbea9f9f57ba0b\stax-api-1.0-2.jar
File Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\javax.xml\xmldsig\1.0\9312ad67022b4dec8df8689d0b7dbac9cd612525\xmldsig-1.0.jar
MD5: 563644fef6e9f3c8c5d78b84b4a5b95a
SHA1: 9312ad67022b4dec8df8689d0b7dbac9cd612525
Description: Javolution - Java Solution for Real-Time and Embedded Systems.
This project uses template classes to generates java code for various versions
of the Java run-time (e.g. J2ME, 1.4, GCJ, 1.5). The default maven compilation
builds executable for Java 1.5+ (parameterized classes).
For others targets the ant script should be used directly (e.g. "ant j2me").
License:
BSD License: http://javolution.org/LICENSE.txtFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\javolution\javolution\5.4.3\383567a5f18a325f9b96096f6a903ee80741480\javolution-5.4.3.jar
Description: Jaxen is a universal Java XPath engine.
License:
http://jaxen.codehaus.org/license.htmlFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\jaxen\jaxen\1.1.6\3f8c36d9a0578e8e98f030c662b69888b1430ac0\jaxen-1.1.6.jar
File Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\jdom\jdom\1.0\a2ac1cd690ab4c80defe7f9bce14d35934c35cec\jdom-1.0.jar
MD5: 0b8f97de82fc9529b1028a77125ce4f8
SHA1: a2ac1cd690ab4c80defe7f9bce14d35934c35cec
File Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\jline\jline\0.9.94\7ac7b49164e4f9d250309c70caee645151b87e46\jline-0.9.94-sources.jar\jline\jline32.dll
MD5: b3d9a08ff70440ba3638a325512f2cd8
SHA1: 67a55d8f8ca4937d784d4334e554770adc2a1079
File Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\jline\jline\0.9.94\7ac7b49164e4f9d250309c70caee645151b87e46\jline-0.9.94-sources.jar\jline\jline64.dll
MD5: d2f7b0db1231aac1846a857f5c0c4f2c
SHA1: e297e4e990ce820e64d41f3f27b9be90283f3f96
Description: JLine is a java library for reading and editing user input in console applications. It features tab-completion, command history, password masking, customizable keybindings, and pass-through handlers to use to chain to other console applications.
License:
BSD: LICENSE.txtFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\jline\jline\0.9.94\99a18e9a44834afdebc467294e1138364c207402\jline-0.9.94.jar
Description: Date and time library to replace JDK date handling
License:
Apache 2: http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\joda-time\joda-time\2.2\a5f29a7acaddea3f4af307e8cf2d0cc82645fd7d\joda-time-2.2.jar
Description: JTidy is a Java port of HTML Tidy, a HTML syntax checker and pretty printer. Like its non-Java cousin, JTidy can be used as a tool for cleaning up malformed and faulty HTML. In addition, JTidy provides a DOM parser for real-world HTML.
License:
Java HTML Tidy License: http://svn.sourceforge.net/viewvc/*checkout*/jtidy/trunk/jtidy/LICENSE.txt?revision=95File Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\jtidy\jtidy\4aug2000r7-dev\2aecd44e0c3a7fdcf0ec19f7c58f37a07798f01f\jtidy-4aug2000r7-dev.jar
Description:
JUnit is a regression testing framework written by Erich Gamma and Kent Beck.
It is used by the developer who implements unit tests in Java.
License:
Common Public License Version 1.0: http://www.opensource.org/licenses/cpl1.0.txtFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\junit\junit-dep\4.10\64417b3bafdecd366afa514bd5beeae6c1f85ece\junit-dep-4.10.jar
Description:
JUnit is a regression testing framework written by Erich Gamma and Kent Beck. It is used by the developer who implements unit tests in Java.
License:
Common Public License Version 1.0: http://www.opensource.org/licenses/cpl1.0.txtFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\junit\junit\3.8.2\7e4cde26b53a9a0e3fe5b00d1dbbc7cc1d46060\junit-3.8.2.jar
Description: JUnit is a unit testing framework for Java, created by Erich Gamma and Kent Beck.
License:
Eclipse Public License 1.0: http://www.eclipse.org/legal/epl-v10.htmlFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\junit\junit\4.12\2973d150c0dc1fefe998f834810d68f278ea58ec\junit-4.12.jar
File Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\jython\jython\2.1\1a48518889a7efc4b34ebce7103d40e3b72b0965\jython-2.1.jar
MD5: 67ff310143c9a3f2236ab53fac824cec
SHA1: 1a48518889a7efc4b34ebce7103d40e3b72b0965
Description: Apache Log4j 1.2
License:
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\log4j\log4j\1.2.17\5af35056b4d257e4b64b9e8069c0746e8b08629f\log4j-1.2.17.jar
Description: MySQL JDBC Type 4 driver
License:
The GNU General Public License, Version 2: http://www.gnu.org/licenses/old-licenses/gpl-2.0.htmlFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\mysql\mysql-connector-java\5.1.36\6bb5861f44c21c775ee713a438e5bc493c095f7a\mysql-connector-java-5.1.36.jar
Severity:
Low
CVSS Score: 3.5 (AV:N/AC:M/Au:S/C:N/I:N/A:P)
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.1.72 and earlier, 5.5.34 and earlier, and 5.6.14 and earlier allows remote authenticated users to affect availability via unknown vectors related to Optimizer.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:N/A:P)
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.1.72 and earlier, 5.5.34 and earlier, and 5.6.14 and earlier allows remote authenticated users to affect availability via unknown vectors related to InnoDB.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:N/A:P)
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.1.71 and earlier, 5.5.33 and earlier, and 5.6.13 and earlier allows remote authenticated users to affect availability via unknown vectors related to Locking.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:N/A:P)
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.1.72 and earlier, 5.5.34 and earlier, and 5.6.14 and earlier allows remote authenticated users to affect availability via unknown vectors.
Vulnerable Software & Versions: (show all)
Severity:
Low
CVSS Score: 3.3 (AV:N/AC:L/Au:M/C:N/I:P/A:N)
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.1.71 and earlier, 5.5.33 and earlier, and 5.6.13 and earlier allows remote authenticated users to affect integrity via unknown vectors related to InnoDB.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:N/A:P)
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.1.71 and earlier, 5.5.33 and earlier, and 5.6.13 and earlier allows remote authenticated users to affect availability via unknown vectors related to Optimizer.
Vulnerable Software & Versions: (show all)
Severity:
High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer
Buffer overflow in client/mysql.cc in Oracle MySQL and MariaDB before 5.5.35 allows remote database servers to cause a denial of service (crash) and possibly execute arbitrary code via a long server version string.
Vulnerable Software & Versions: (show all)
Severity:
Low
CVSS Score: 2.6 (AV:N/AC:H/Au:N/C:N/I:N/A:P)
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.1.72 and earlier, 5.5.34 and earlier, and 5.6.14 and earlier allows remote attackers to affect availability via unknown vectors related to Error Handling.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:N/A:P)
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.1.68 and earlier, 5.5.30 and earlier, and 5.6.10 allows remote authenticated users to affect availability via unknown vectors related to Server Options.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:N/A:P)
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.1.69 and earlier, 5.5.31 and earlier, and 5.6.11 and earlier allows remote authenticated users to affect availability via unknown vectors related to Server Optimizer.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:N/A:P)
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.1.69 and earlier, 5.5.31 and earlier, and 5.6.11 and earlier allows remote authenticated users to affect availability via unknown vectors related to Full Text Search.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:N/A:P)
Unspecified vulnerability in Oracle MySQL 5.1.68 and earlier, 5.5.30 and earlier, and 5.6.10 and earlier allows remote authenticated users to affect availability via unknown vectors related to Server Optimizer.
Vulnerable Software & Versions: (show all)
Severity:
Low
CVSS Score: 3.0 (AV:L/AC:M/Au:S/C:P/I:P/A:N)
Unspecified vulnerability in Oracle MySQL 5.1.68 and earlier, 5.5.30 and earlier, and 5.6.10 and earlier allows local users to affect confidentiality and integrity via unknown vectors related to Server Install.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:N/A:P)
Unspecified vulnerability in Oracle MySQL 5.1.68 and earlier, 5.5.30 and earlier, and 5.6.10 and earlier allows remote authenticated users to affect availability via unknown vectors related to InnoDB.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 6.0 (AV:N/AC:M/Au:S/C:P/I:P/A:P)
Unspecified vulnerability in Oracle MySQL 5.1.67 and earlier, 5.5.29 and earlier, and 5.6.10 and earlier allows remote authenticated users to affect confidentiality, integrity, and availability via unknown vectors related to Information Schema.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:N/A:P)
Unspecified vulnerability in Oracle MySQL 5.1.67 and earlier, and 5.5.29 and earlier, allows remote authenticated users to affect availability via unknown vectors related to Server Partition.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 6.0 (AV:N/AC:M/Au:S/C:P/I:P/A:P)
Unspecified vulnerability in Oracle MySQL 5.1.67 and earlier and 5.5.29 and earlier allows remote authenticated users to affect confidentiality, integrity, and availability via unknown vectors.
Vulnerable Software & Versions: (show all)
Severity:
Low
CVSS Score: 3.5 (AV:N/AC:M/Au:S/C:N/I:N/A:P)
Unspecified vulnerability in Oracle MySQL 5.1.63 and earlier allows remote authenticated users to affect availability via unknown vectors related to Server Types.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
Unspecified vulnerability in Oracle MySQL 5.1.67 and earlier and 5.5.29 and earlier allows remote authenticated users to affect confidentiality, integrity, and availability via unknown vectors related to Server Locking.
Vulnerable Software & Versions: (show all)
Severity:
Low
CVSS Score: 2.8 (AV:N/AC:M/Au:M/C:N/I:N/A:P)
Unspecified vulnerability in Oracle MySQL 5.1.67 and earlier, 5.5.29 and earlier, and 5.6.10 and earlier allows remote authenticated users to affect availability via unknown vectors related to Server Locking.
Vulnerable Software & Versions: (show all)
Severity:
High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer
Buffer overflow in yaSSL, as used in MySQL 5.1.x before 5.1.68 and 5.5.x before 5.5.30, has unspecified impact and attack vectors, a different vulnerability than CVE-2012-0553.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 6.8 (AV:N/AC:L/Au:S/C:N/I:N/A:C)
Unspecified vulnerability in the Server component in Oracle MySQL 5.1.66 and earlier, and 5.5.28 and earlier, allows remote authenticated users to affect availability via unknown vectors related to Server Optimizer.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 6.6 (AV:L/AC:L/Au:N/C:C/I:C/A:N)
Unspecified vulnerability in the Server component in Oracle MySQL 5.1.66 and earlier, and 5.5.28 and earlier, allows local users to affect confidentiality and integrity via unknown vectors related to Server Replication.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 6.8 (AV:N/AC:L/Au:S/C:N/I:N/A:C)
Unspecified vulnerability in the Server component in Oracle MySQL 5.1.66 and earlier, and 5.5.28 and earlier, allows remote authenticated users to affect availability via unknown vectors related to Information Schema.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:N/A:P)
Unspecified vulnerability in the Server component in Oracle MySQL 5.1.66 and earlier, and 5.5.28 and earlier, allows remote attackers to affect availability via unknown vectors related to Server Locking.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 5.5 (AV:N/AC:L/Au:S/C:P/I:P/A:N)
CWE: CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Unspecified vulnerability in the Server component in Oracle MySQL 5.1.66 and earlier, and 5.1.28 and earlier, allows remote authenticated users to affect confidentiality and integrity via unknown vectors related to Server Replication.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-255 Credentials Management
Oracle MySQL and MariaDB 5.5.x before 5.5.29, 5.3.x before 5.3.12, and 5.2.x before 5.2.14 does not modify the salt during multiple executions of the change_user command within the same connection which makes it easier for remote authenticated users to conduct brute force password guessing attacks.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 6.8 (AV:N/AC:L/Au:S/C:N/I:N/A:C)
Unspecified vulnerability in the Server component in Oracle MySQL 5.1.65 and earlier and 5.5.27 and earlier allows remote authenticated users to affect availability, related to GIS Extension.
Vulnerable Software & Versions: (show all)
Severity:
Low
CVSS Score: 3.5 (AV:N/AC:M/Au:S/C:N/I:N/A:P)
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.1.64 and earlier, and 5.5.26 and earlier, allows remote authenticated users to affect availability via unknown vectors related to Server Replication.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:N/A:P)
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.1.65 and earlier, and 5.5.27 and earlier, allows remote authenticated users to affect availability via unknown vectors related to Server Optimizer.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 6.8 (AV:N/AC:L/Au:S/C:N/I:N/A:C)
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.1.65 and earlier, and 5.5.27 and earlier, allows remote authenticated users to affect availability via unknown vectors related to Server.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:N/A:P)
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.1.63 and earlier, and 5.5.25 and earlier, allows remote authenticated users to affect availability via unknown vectors related to InnoDB Plugin.
Vulnerable Software & Versions: (show all)
Severity:
Low
CVSS Score: 3.5 (AV:N/AC:M/Au:S/C:N/I:N/A:P)
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.1.63 and earlier, and 5.5.25 and earlier, allows remote authenticated users to affect availability via unknown vectors related to Server Full Text Search.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:N/A:P)
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.1.63 and earlier, and 5.5.25 and earlier, allows remote authenticated users to affect availability via unknown vectors related to InnoDB.
Vulnerable Software & Versions: (show all)
Severity:
High
CVSS Score: 9.0 (AV:N/AC:L/Au:S/C:C/I:C/A:C)
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.1.64 and earlier, and 5.5.26 and earlier, allows remote authenticated users to affect confidentiality, integrity, and availability via unknown vectors related to Information Schema.
Vulnerable Software & Versions: (show all)
Severity:
Low
CVSS Score: 2.1 (AV:L/AC:L/Au:N/C:P/I:N/A:N)
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.1.65 and earlier, and 5.5.27 and earlier, allows local users to affect confidentiality via unknown vectors related to Server Installation.
Vulnerable Software & Versions: (show all)
Severity:
High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.1.64 and earlier, and 5.5.26 and earlier, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Protocol.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:N/A:P)
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.1.64 and earlier, and 5.5.26 and earlier, allows remote authenticated users to affect availability via unknown vectors related to Server Optimizer.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:N/A:P)
CWE: CWE-399 Resource Management Errors
MySQL 5.1.x before 5.1.63 and 5.5.x before 5.5.24 allows remote authenticated users to cause a denial of service (mysqld crash) via vectors related to incorrect calculation and a sort order index.
Vulnerable Software & Versions: (show all)
Severity:
Low
CVSS Score: 3.5 (AV:N/AC:M/Au:S/C:N/I:N/A:P)
CWE: CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer
MySQL 5.1.x before 5.1.62 and 5.5.x before 5.5.22 allows remote authenticated users to cause a denial of service (assertion failure and mysqld abort) by deleting a record and using HANDLER READ NEXT.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:N/A:P)
Unspecified vulnerability in Oracle MySQL Server 5.1.62 and earlier, and 5.5.23 and earlier, allows remote authenticated users to affect availability via unknown vectors related to Server Optimizer.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:N/A:P)
Unspecified vulnerability in the Server component in Oracle MySQL 5.1.66 and earlier and 5.5.28 and earlier allows remote authenticated users to affect availability via unknown vectors related to Server Optimizer.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 6.8 (AV:N/AC:L/Au:S/C:N/I:N/A:C)
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.1.61 and earlier, and 5.5.21 and earlier, allows remote authenticated users to affect availability via unknown vectors related to Server Optimizer.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
Unspecified vulnerability in the Server component in Oracle MySQL 5.1.66 and earlier and 5.5.28 and earlier allows remote attackers to affect availability via unknown vectors.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:N/A:P)
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.5.21 and earlier allows remote authenticated users to affect availability via unknown vectors related to Partition.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:N/A:P)
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.5.19 and earlier allows remote authenticated users to affect availability via unknown vectors related to Server Optimizer.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:N/A:P)
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.1.61 and earlier, and 5.5.21 and earlier, allows remote authenticated users to affect availability via unknown vectors related to Server Optimizer.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:N/A:P)
Unspecified vulnerability in Oracle MySQL Server 5.1.62 and earlier, and 5.5.22 and earlier, allows remote authenticated users to affect availability via unknown vectors related to Server Optimizer.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:N/A:P)
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.1.61 and earlier, and 5.5.21 and earlier, allows remote authenticated users to affect availability, related to Server DML.
Vulnerable Software & Versions: (show all)
Severity:
High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer
Buffer overflow in yaSSL, as used in MySQL 5.5.20 and possibly other versions including 5.5.x before 5.5.22 and 5.1.x before 5.1.62, allows remote attackers to execute arbitrary code via unspecified vectors, as demonstrated by VulnDisco Pack Professional 9.17. NOTE: as of 20120224, this disclosure has no actionable information. However, because the module author is a reliable researcher, the issue is being assigned a CVE identifier for tracking purposes. NOTE: due to lack of details, it is not clear whether this issue is a duplicate of CVE-2012-0492 or another CVE.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:N/A:P)
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.1.60 and earlier, and 5.5.19 and earlier, allows remote authenticated users to affect availability, related to MyISAM.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:N/A:P)
Unspecified vulnerability in the Server component in Oracle MySQL 5.1.66 and earlier, and 5.5.28 and earlier, allows remote authenticated users to affect availability via unknown vectors.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:N/A:P)
Unspecified vulnerability in the Server component in Oracle MySQL 5.1.66 and earlier and 5.5.28 and earlier allows remote authenticated users to affect availability via unknown vectors related to InnoDB.
Vulnerable Software & Versions: (show all)
Severity:
High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer
Buffer overflow in yaSSL, as used in MySQL 5.1.x before 5.1.68 and 5.5.x before 5.5.28, has unspecified impact and attack vectors, a different vulnerability than CVE-2013-1492.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:N/A:P)
Unspecified vulnerability in Oracle MySQL Server 5.1.62 and earlier and 5.5.23 and earlier allows remote authenticated users to affect availability, related to GIS Extension.
Vulnerable Software & Versions: (show all)
Severity:
Low
CVSS Score: 2.1 (AV:N/AC:H/Au:S/C:N/I:N/A:P)
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.1.x and 5.5.x allows remote authenticated users to affect availability via unknown vectors, a different vulnerability than CVE-2012-0112, CVE-2012-0115, CVE-2012-0119, CVE-2012-0120, and CVE-2012-0485.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:N/A:P)
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.0.x, 5.1.x, and 5.5.x allows remote authenticated users to affect availability via unknown vectors.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:N/A:P)
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.1.x and 5.5.x allows remote authenticated users to affect availability via unknown vectors, a different vulnerability than CVE-2012-0112, CVE-2012-0115, CVE-2012-0119, CVE-2012-0120, and CVE-2012-0492.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.0.x, 5.1.x, and 5.5.x allows remote authenticated users to affect confidentiality via unknown vectors.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:N/A:P)
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.1.x and 5.5.x allows remote authenticated users to affect availability via unknown vectors, a different vulnerability than CVE-2012-0112, CVE-2012-0115, CVE-2012-0119, CVE-2012-0485, and CVE-2012-0492.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:N/A:P)
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.1.x and 5.5.x allows remote authenticated users to affect availability via unknown vectors, a different vulnerability than CVE-2012-0112, CVE-2012-0115, CVE-2012-0120, CVE-2012-0485, and CVE-2012-0492.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.9 (AV:N/AC:M/Au:S/C:P/I:N/A:P)
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.1.x and 5.5.x allows remote authenticated users to affect confidentiality and availability via unknown vectors, a different vulnerability than CVE-2012-0113.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.9 (AV:N/AC:M/Au:S/C:P/I:P/A:N)
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.1.x and 5.5.x allows remote authenticated users to affect confidentiality and integrity via unknown vectors.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:N/A:P)
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.1.x and 5.5.x allows remote authenticated users to affect availability via unknown vectors, a different vulnerability than CVE-2012-0112, CVE-2012-0119, CVE-2012-0120, CVE-2012-0485, and CVE-2012-0492.
Vulnerable Software & Versions: (show all)
Severity:
Low
CVSS Score: 3.0 (AV:L/AC:M/Au:S/C:P/I:P/A:N)
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.0.x, 5.1.x, and 5.5.x allows local users to affect confidentiality and integrity via unknown vectors.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 5.5 (AV:N/AC:L/Au:S/C:P/I:N/A:P)
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.1.x and 5.5.x allows remote authenticated users to affect confidentiality and availability via unknown vectors, a different vulnerability than CVE-2012-0118.
Vulnerable Software & Versions: (show all)
Severity:
Low
CVSS Score: 3.5 (AV:N/AC:M/Au:S/C:N/I:N/A:P)
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.1.x and 5.5.x allows remote authenticated users to affect availability via unknown vectors, a different vulnerability than CVE-2012-0115, CVE-2012-0119, CVE-2012-0120, CVE-2012-0485, and CVE-2012-0492.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:N/A:P)
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.0.x and 5.1.x allows remote authenticated users to affect availability via unknown vectors, a different vulnerability than CVE-2012-0087 and CVE-2012-0101.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:N/A:P)
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.0.x and 5.1.x allows remote authenticated users to affect availability via unknown vectors, a different vulnerability than CVE-2012-0087 and CVE-2012-0102.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:N/A:P)
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.0.x and 5.1.x allows remote authenticated users to affect availability via unknown vectors, a different vulnerability than CVE-2012-0101 and CVE-2012-0102.
Vulnerable Software & Versions: (show all)
Severity:
Low
CVSS Score: 1.7 (AV:N/AC:H/Au:M/C:N/I:P/A:N)
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.0.x, 5.1.x, and 5.5.x allows remote authenticated users to affect integrity via unknown vectors.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.1.x and 5.5.x allows remote attackers to affect availability via unknown vectors.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:N/A:P)
The Gis_line_string::init_from_wkb function in sql/spatial.cc in MySQL 5.1 before 5.1.51 allows remote authenticated users to cause a denial of service (server crash) by calling the PolyFromWKB function with Well-Known Binary (WKB) data containing a crafted number of (1) line strings or (2) line points.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:N/A:P)
MySQL 5.1 before 5.1.51 and 5.5 before 5.5.6 allows remote authenticated users to cause a denial of service (infinite loop) via multiple invocations of a (1) prepared statement or (2) stored procedure that creates a query with nested JOIN statements.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:N/A:P)
MySQL 5.0 before 5.0.92, 5.1 before 5.1.51, and 5.5 before 5.5.6 allows remote authenticated users to cause a denial of service (server crash) via a query that uses the (1) GREATEST or (2) LEAST function with a mixed list of numeric and LONGBLOB arguments, which is not properly handled when the function's result is "processed using an intermediate temporary table."
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:N/A:P)
CWE: CWE-399 Resource Management Errors
MySQL 5.0 before 5.0.92, 5.1 before 5.1.51, and 5.5 before 5.5.6 allows remote authenticated users to cause a denial of service (server crash) via a prepared statement that uses GROUP_CONCAT with the WITH ROLLUP modifier, probably triggering a use-after-free error when a copied object is modified in a way that also affects the original object.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:N/A:P)
CWE: CWE-399 Resource Management Errors
MySQL 5.0 before 5.0.92, 5.1 before 5.1.51, and 5.5 before 5.5.6 allows remote authenticated users to cause a denial of service (assertion failure and server crash) via vectors related to view preparation, pre-evaluation of LIKE predicates, and IN Optimizers.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:N/A:P)
CWE: CWE-189 Numeric Errors
MySQL 5.1 before 5.1.51 and 5.5 before 5.5.6 allows remote authenticated users to cause a denial of service (mysqld server crash) by performing a user-variable assignment in a logical expression that is calculated and stored in a temporary table for GROUP BY, then causing the expression value to be used after the table is created, which causes the expression to be re-evaluated instead of accessing its value from the table.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:N/A:P)
Unspecified vulnerability in MySQL 5.0 before 5.0.92, 5.1 before 5.1.51, and 5.5 before 5.5.6 allows remote authenticated users to cause a denial of service (server crash) via vectors related to "materializing a derived table that required a temporary table for grouping" and "user variable assignments."
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-399 Resource Management Errors
MySQL 5.0 before 5.0.92, 5.1 before 5.1.51, and 5.5 before 5.5.6 does not properly propagate type errors, which allows remote attackers to cause a denial of service (server crash) via crafted arguments to extreme-value functions such as (1) LEAST and (2) GREATEST, related to KILL_BAD_DATA and a "CREATE TABLE ... SELECT."
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:N/A:P)
Oracle MySQL 5.1 before 5.1.49 and 5.5 before 5.5.5 sends an OK packet when a LOAD DATA INFILE request generates SQL errors, which allows remote authenticated users to cause a denial of service (mysqld daemon crash) via a crafted request.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:N/A:P)
Oracle MySQL 5.1 before 5.1.49 and 5.0 before 5.0.92 allows remote authenticated users to cause a denial of service (mysqld daemon crash) by using EXPLAIN with crafted "SELECT ... UNION ... ORDER BY (SELECT ... WHERE ...)" statements, which triggers a NULL pointer dereference in the Item_singlerow_subselect::store function.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:N/A:P)
Oracle MySQL 5.1 before 5.1.49 and 5.5 before 5.5.5 allows remote authenticated users to cause a denial of service (mysqld daemon crash) by using the HANDLER interface and performing "alternate reads from two indexes on a table," which triggers an assertion failure.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:N/A:P)
Oracle MySQL 5.1 before 5.1.49 allows remote authenticated users to cause a denial of service (mysqld daemon crash) by creating temporary tables with nullable columns while using InnoDB, which triggers an assertion failure.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:N/A:P)
CWE: CWE-399 Resource Management Errors
Oracle MySQL 5.1 before 5.1.49 allows remote authenticated users to cause a denial of service (mysqld daemon crash) via certain arguments to the BINLOG command, which triggers an access of uninitialized memory, as demonstrated by valgrind.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:N/A:P)
CWE: CWE-399 Resource Management Errors
Oracle MySQL 5.1 before 5.1.49 allows remote authenticated users to cause a denial of service (crash) via (1) IN or (2) CASE operations with NULL arguments that are explicitly specified or indirectly provided by the WITH ROLLUP modifier.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:N/A:P)
CWE: CWE-399 Resource Management Errors
Oracle MySQL 5.1 before 5.1.49 and 5.0 before 5.0.92 allows remote authenticated users to cause a denial of service (mysqld daemon crash) via a join query that uses a table with a unique SET column.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:N/A:P)
storage/innobase/dict/dict0crea.c in mysqld in Oracle MySQL 5.1 before 5.1.49 allows remote authenticated users to cause a denial of service (assertion failure) by modifying the (1) innodb_file_format or (2) innodb_file_per_table configuration parameters for the InnoDB storage engine, then executing a DDL statement.
Vulnerable Software & Versions: (show all)
Severity:
Low
CVSS Score: 3.5 (AV:N/AC:M/Au:S/C:N/I:N/A:P)
CWE: CWE-20 Improper Input Validation
MySQL before 5.1.48 allows remote authenticated users with alter database privileges to cause a denial of service (server crash and database loss) via an ALTER DATABASE command with a #mysql50# string followed by a . (dot), .. (dot dot), ../ (dot dot slash) or similar sequence, and an UPGRADE DATA DIRECTORY NAME command, which causes MySQL to move certain directories to the server data directory.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 6.0 (AV:N/AC:M/Au:S/C:P/I:P/A:P)
CWE: CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer
Buffer overflow in MySQL 5.0 through 5.0.91 and 5.1 before 5.1.47 allows remote authenticated users to execute arbitrary code via a COM_FIELD_LIST command with a long table name.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
The my_net_skip_rest function in sql/net_serv.cc in MySQL 5.0 through 5.0.91 and 5.1 before 5.1.47 allows remote attackers to cause a denial of service (CPU and bandwidth consumption) by sending a large number of packets that exceed the maximum length.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
CWE: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Directory traversal vulnerability in MySQL 5.0 through 5.0.91 and 5.1 before 5.1.47 allows remote authenticated users to bypass intended table grants to read field definitions of arbitrary tables, and on 5.1 to read or delete content of arbitrary tables, via a .. (dot dot) in a table name.
Vulnerable Software & Versions: (show all)
Severity:
Low
CVSS Score: 3.6 (AV:L/AC:L/Au:N/C:N/I:P/A:P)
CWE: CWE-59 Improper Link Resolution Before File Access ('Link Following')
MySQL before 5.1.46 allows local users to delete the data and index files of another user's MyISAM table via a symlink attack in conjunction with the DROP TABLE command, a different vulnerability than CVE-2008-4098 and CVE-2008-7247.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)
CWE: CWE-264 Permissions, Privileges, and Access Controls
The mysql_uninstall_plugin function in sql/sql_plugin.cc in MySQL 5.1 before 5.1.46 does not check privileges before uninstalling a plugin, which allows remote attackers to uninstall arbitrary plugins via the UNINSTALL PLUGIN command.
Vulnerable Software & Versions:
Severity:
Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
The executable comment feature in MySQL 5.0.x before 5.0.93 and 5.1.x before 5.1.50, when running in certain slave configurations in which the slave is running a newer version than the master, allows remote attackers to execute arbitrary SQL commands via custom comments.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-20 Improper Input Validation
The vio_verify_callback function in viosslfactories.c in MySQL 5.0.x before 5.0.88 and 5.1.x before 5.1.41, when OpenSSL is used, accepts a value of zero for the depth of X.509 certificates, which allows man-in-the-middle attackers to spoof arbitrary SSL-based MySQL servers via a crafted certificate, as demonstrated by a certificate presented by a server linked against the yaSSL library.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.6 (AV:N/AC:H/Au:S/C:P/I:P/A:P)
CWE: CWE-59 Improper Link Resolution Before File Access ('Link Following')
MySQL before 5.0.67 allows local users to bypass certain privilege checks by calling CREATE TABLE on a MyISAM table with modified (1) DATA DIRECTORY or (2) INDEX DIRECTORY arguments that are originally associated with pathnames without symlinks, and that can point to tables created at a future time at which a pathname is modified to contain a symlink to a subdirectory of the MySQL home data directory. NOTE: this vulnerability exists because of an incomplete fix for CVE-2008-4097.
Vulnerable Software & Versions: (show all)
Severity:
High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer
Multiple buffer overflows in yaSSL 1.7.5 and earlier, as used in MySQL and possibly other products, allow remote attackers to execute arbitrary code via (1) the ProcessOldClientHello function in handshake.cpp or (2) "input_buffer& operator>>" in yassl_imp.cpp.
Vulnerable Software & Versions: (show all)
File Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\net.carlosgsouza\gradle-console\1.0.1\95f35a92513097a67d97a1d232c9e6a5b6a4ede7\gradle-console-1.0.1.jar
MD5: d9e63438c5a0e099c348432ec784651d
SHA1: 95f35a92513097a67d97a1d232c9e6a5b6a4ede7
Description:
A Java library for reading and writing iCalendar (*.ics) files
License:
iCal4j - License: LICENSEFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\net.fortuna.ical4j\ical4j\1.0-rc3-atlassian-11\cc4aa02f5cc8773876aad173517d20438b1b60ea\ical4j-1.0-rc3-atlassian-11.jar
Description: JetS3t is a free, open-source Java toolkit and application suite for Amazon Simple Storage Service (Amazon S3), Amazon CloudFront content delivery network, and Google Storage for Developers.
License:
Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0File Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\net.java.dev.jets3t\jets3t\0.9.0\792bc96ee7e57b89f472aa0cb5a31015b9f59c96\jets3t-0.9.0.jar
Description: Java Native Access
License:
LGPL, version 2.1: http://www.gnu.org/licenses/licenses.html ASL, version 2: http://www.apache.org/licenses/File Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\net.java.dev.jna\jna\4.1.0\1c12d070e602efd8021891cdd7fd18bc129372d4\jna-4.1.0.jar
File Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\net.java.dev.jna\jna\4.1.0\1c12d070e602efd8021891cdd7fd18bc129372d4\jna-4.1.0.jar\com\sun\jna\w32ce-arm\jnidispatch.dll
MD5: 57697cbdd321ae7d06f5da04e821f908
SHA1: 67167f2b2fce8db5f9f64a372b0da54730d3ee51
File Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\net.java.dev.jna\jna\4.1.0\1c12d070e602efd8021891cdd7fd18bc129372d4\jna-4.1.0.jar\com\sun\jna\win32-x86-64\jnidispatch.dll
MD5: 06b2f1f909d2436dff20d7a668ef26a9
SHA1: bd1bdda9a91f3b0d9067e323f7394bef933f81f6
File Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\net.java.dev.jna\jna\4.1.0\1c12d070e602efd8021891cdd7fd18bc129372d4\jna-4.1.0.jar\com\sun\jna\win32-x86\jnidispatch.dll
MD5: 05a72ada9247aeb114a9ef01a394b6c4
SHA1: 8b32cc82740fc62afdf5ea211f1ca8bb72269bbf
File Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\net.jcip\jcip-annotations\1.0\afba4942caaeaf46aab0b976afd57cc7c181467e\jcip-annotations-1.0.jar
MD5: 9d5272954896c5a5d234f66b7372b17a
SHA1: afba4942caaeaf46aab0b976afd57cc7c181467e
Description:
Barcode4J is a flexible generator for barcodes written in Java inclusive
extensions to support Apache FOP 0.93 and later.
License:
ASF 2.0: http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\net.sf.barcode4j\barcode4j-fop-ext-complete\2.0\614831d9979b920163ff617fa6994e6a645c091f\barcode4j-fop-ext-complete-2.0.jar
Description:
Dozer is a powerful, yet simple Java Bean to Java Bean mapper that recursively copies data from one object to
another
License:
Apache 2: http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\net.sf.dozer\dozer\4.2.1\f14481f31dc60bccb2107e1342ee09205f1a0c9\dozer-4.2.1.jar
File Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\net.sf.ehcache\ehcache-core\2.6.2\1c03312f7cfdbe966f92524d3536255ff74d5d45\ehcache-core-2.6.2-sources.jar\net\sf\ehcache\pool\sizeof\sizeof-agent.jar
MD5: 5ad919b3ac0516897bdca079c9a222a8
SHA1: e86399a80ae6a6c7a563717eaa0ce9ba4708571c
Description: This is the ehcache core module. Pair it with other modules for added functionality.
License:
The Apache Software License, Version 2.0: src/assemble/EHCACHE-CORE-LICENSE.txtFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\net.sf.ehcache\ehcache-core\2.6.2\3baecd92015a9f8fe4cf51c8b5d3a5bddcdd3e86\ehcache-core-2.6.2.jar
Description:
ehcache is a pure Java, in-process cache with the following features:
1. Fast.
2. Simple.
3. Multiple eviction policies: LRU, LFU and FIFO.
4. Caches can be in memory or on disk.
5. Disk Stores can be persistent between VM restarts.
6. Distributed caching using multicast and RMI, with a pluggable API.
7. Cache and CacheManager listeners
8. Supports multiple Caches per CacheManager, and multiple CacheManagers per application.
9. Acts as a pluggable cache for Hibernate 3.1, 3 and 2.1.
10. Small foot print. Both in terms of size and memory requirements.
11. Minimal dependencies apart from J2SE.
12. Fully documented. See the online Documentation and the online JavaDoc.
13. Comprehensive Test Coverage. See the clover test report.
14. Available under the Apache 1.1 license. EHCache's copyright and licensing has been reviewed and approved by the Apache Software Foundation, making EHCache suitable for use in Apache projects.
15. Production tested. EHCache is used on a large and very busy eCommerce site.
16. Web caching, pull-through caches and other common caching implementations are provided in the ehcache-constructs module.
License:
The Apache Software License, Version 2.0: http://ehcache.sourceforge.net/LICENSE.txtFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\net.sf.ehcache\ehcache\1.2.3\461752b4e3d73a5815737df243782ac70112b489\ehcache-1.2.3.jar
Description:
Simple java library for transforming an Object to another Object.
License:
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\net.sf.ezmorph\ezmorph\0.9.1\e88c9db9ae31156673858a47db5368553651b0f6\ezmorph-0.9.1.jar
Description:
JWNL is an API for accessing WordNet-style relational dictionaries. It also provides
functionality beyond data access, such as relationship discovery and morphological
processing.
License:
BSD 3-Clause License: http://jwordnet.svn.sourceforge.net/svnroot/jwordnet/trunk/jwnl/license.txtFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\net.sf.jwordnet\jwnl\1.3.3\7108e5b6a8875fe0488d942238575407c7ab8649\jwnl-1.3.3.jar
Description:
Matlab's MAT-file I/O API in JAVA. Supports Matlab 5 MAT-flie format reading and writing. Written in pure JAVA.
License:
BSD: http://www.linfo.org/bsdlicense.htmlFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\net.sourceforge.jmatio\jmatio\1.0\df72993ea17d34c3bacd983558d2970a866abaf6\jmatio-1.0.jar
Description: An HTML parser and tag balancer.
License:
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\net.sourceforge.nekohtml\nekohtml\1.9.16\61e35204e5a8fdb864152f84e2e3b33ab56f50ab\nekohtml-1.9.16.jar
Description: OGNL stands for Object-Graph Navigation Language; it is an expression language for getting and setting properties of Java objects.
License:
BSD License: http://www.opensource.org/licenses/bsd-license.phpFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\ognl\ognl\2.6.9\fad9692184899994e977b647998f9fa4a9cfec35\ognl-2.6.9.jar
Description: A framework for constructing recognizers, compilers, and translators from grammatical descriptions containing Java, C#, C++, or Python actions.
File Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.antlr\antlr-runtime\3.5\baa82bff19059401e90e1b90020beb9c96305d7\antlr-runtime-3.5.jar
MD5: aa6d7c8b425df59f5f5bc98c58cfd9fc
SHA1: 0baa82bff19059401e90e1b90020beb9c96305d7
Description: StringTemplate is a java template engine for generating source code,
web pages, emails, or any other formatted text output.
StringTemplate is particularly good at multi-targeted code generators,
multiple site skins, and internationalization/localization.
It evolved over years of effort developing jGuru.com.
StringTemplate also generates the stringtemplate website: http://www.stringtemplate.org
and powers the ANTLR v3 code generator. Its distinguishing characteristic
is that unlike other engines, it strictly enforces model-view separation.
Strict separation makes websites and code generators more flexible
and maintainable; it also provides an excellent defense against malicious
template authors.
There are currently about 600 StringTemplate source downloads a month.
License:
BSD licence: http://antlr.org/license.htmlFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.antlr\stringtemplate\3.2.1\59ec8083721eae215c6f3caee944c410d2be34de\stringtemplate-3.2.1.jar
File Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.apache.ant\ant-apache-bsf\1.9.0\996470c20c515b964aff7939d2e3bf0d3f91edc4\ant-apache-bsf-1.9.0.jar
MD5: 9c5a516f80f08874ecf08bbb90440e09
SHA1: 996470c20c515b964aff7939d2e3bf0d3f91edc4
Description: contains JUnit 4.x support
File Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.apache.ant\ant-junit4\1.9.7\3df6072f139ab9c1d861b9f3b1e554e522980758\ant-junit4-1.9.7.jar
MD5: c123173d23f3943f3d57fb62443af0ef
SHA1: 3df6072f139ab9c1d861b9f3b1e554e522980758
Description: contains the junit and junirreport tasks
File Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.apache.ant\ant-junit\1.9.0\cc83eb94ddcef9c12d5ede5feac3f31a3d320e82\ant-junit-1.9.0.jar
MD5: 99a7567e995ab2591d0cd7c3349f02e2
SHA1: cc83eb94ddcef9c12d5ede5feac3f31a3d320e82
Description: contains the junit and junirreport tasks
File Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.apache.ant\ant-junit\1.9.7\12629dc0fe3bc89199f83c1cbf7f844f2d0801de\ant-junit-1.9.7.jar
MD5: d2aea68c381c3f5ba9267d6e487283b2
SHA1: 12629dc0fe3bc89199f83c1cbf7f844f2d0801de
File Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.apache.ant\ant-launcher\1.9.0\a76484a4e3a893dd0ee018afef34f74df8e4ef6c\ant-launcher-1.9.0.jar
MD5: aa065e042ee374e7d97bcaf814cdcb8c
SHA1: a76484a4e3a893dd0ee018afef34f74df8e4ef6c
File Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.apache.ant\ant-launcher\1.9.7\224857a490283e72da13ffe3082dea62c558ec76\ant-launcher-1.9.7.jar
MD5: f099489fbe6cc9665cb690b4b03cf48c
SHA1: 224857a490283e72da13ffe3082dea62c558ec76
File Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.apache.ant\ant\1.9.0\d667bc2c030a338720bfcf794d2189ea5c663b9e\ant-1.9.0.jar
MD5: f95c303d8ebed1503e22571f9214acab
SHA1: d667bc2c030a338720bfcf794d2189ea5c663b9e
File Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.apache.ant\ant\1.9.7\3b2a10512ee6537d3852c9b693a0284dcab5de68\ant-1.9.7.jar
MD5: a14502c25ee6bc76c4614315845b29e9
SHA1: 3b2a10512ee6537d3852c9b693a0284dcab5de68
Description: Avalon Framework API
File Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.apache.avalon.framework\avalon-framework-api\4.3.1\2dacadeb49bc14420990b1f28897d46f96e2181d\avalon-framework-api-4.3.1.jar
MD5: 7c543869a7eb2bad323a54e873973acf
SHA1: 2dacadeb49bc14420990b1f28897d46f96e2181d
Description: Avalon Framework Implementation
File Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.apache.avalon.framework\avalon-framework-impl\4.3.1\2d5f5a07fd14513ce6d7a7bfaff69419c26dbd0b\avalon-framework-impl-4.3.1.jar
MD5: 004ac42a2cda8c444451ef187b24284f
SHA1: 2d5f5a07fd14513ce6d7a7bfaff69419c26dbd0b
Description: Avro core components
File Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.apache.avro\avro\1.7.4\416e7030879814f52845b97f04bb50ecd1cef372\avro-1.7.4.jar
MD5: de02dfb1f5880c0b422f215ffcaa3379
SHA1: 416e7030879814f52845b97f04bb50ecd1cef372
Description: Axis2 Data Binding module
File Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.apache.axis2\axis2-adb\1.7.1\d8edf562fcc63de3560652335a42966d8393422f\axis2-adb-1.7.1.jar
MD5: 589dec2be2ee200ccc05d3daf41afa70
SHA1: d8edf562fcc63de3560652335a42966d8393422f
Severity:
Medium
CVSS Score: 6.4 (AV:N/AC:L/Au:N/C:P/I:P/A:N)
CWE: CWE-287 Improper Authentication
Apache Axis2 allows remote attackers to forge messages and bypass authentication via a SAML assertion that lacks a Signature element, aka a "Signature exclusion attack," a different vulnerability than CVE-2012-4418.
Vulnerable Software & Versions:
Severity:
Medium
CVSS Score: 5.8 (AV:N/AC:M/Au:N/C:P/I:P/A:N)
CWE: CWE-287 Improper Authentication
Apache Axis2 allows remote attackers to forge messages and bypass authentication via an "XML Signature wrapping attack."
Vulnerable Software & Versions:
Description: Core Parts of Axis2. This includes Axis2 engine, Client API, Addressing support, etc.,
File Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.apache.axis2\axis2-kernel\1.7.1\839abf2a83ab7aa225e4d4f8dd4236803ef977a0\axis2-kernel-1.7.1.jar
MD5: 70f2a2bb541d649a4e943ee47fc2388a
SHA1: 839abf2a83ab7aa225e4d4f8dd4236803ef977a0
Severity:
Medium
CVSS Score: 6.4 (AV:N/AC:L/Au:N/C:P/I:P/A:N)
CWE: CWE-287 Improper Authentication
Apache Axis2 allows remote attackers to forge messages and bypass authentication via a SAML assertion that lacks a Signature element, aka a "Signature exclusion attack," a different vulnerability than CVE-2012-4418.
Vulnerable Software & Versions:
Severity:
Medium
CVSS Score: 5.8 (AV:N/AC:M/Au:N/C:P/I:P/A:N)
CWE: CWE-287 Improper Authentication
Apache Axis2 allows remote attackers to forge messages and bypass authentication via an "XML Signature wrapping attack."
Vulnerable Software & Versions:
Description: This inclues all the available transports in Axis2
File Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.apache.axis2\axis2-transport-http\1.7.1\54b345d733908b3fc830ac87ede303ec2b7d8c3b\axis2-transport-http-1.7.1.jar
MD5: 58ea78d154f92057c9644f21e99e91c8
SHA1: 54b345d733908b3fc830ac87ede303ec2b7d8c3b
Severity:
Medium
CVSS Score: 6.4 (AV:N/AC:L/Au:N/C:P/I:P/A:N)
CWE: CWE-287 Improper Authentication
Apache Axis2 allows remote attackers to forge messages and bypass authentication via a SAML assertion that lacks a Signature element, aka a "Signature exclusion attack," a different vulnerability than CVE-2012-4418.
Vulnerable Software & Versions:
Severity:
Medium
CVSS Score: 5.8 (AV:N/AC:M/Au:N/C:P/I:P/A:N)
CWE: CWE-287 Improper Authentication
Apache Axis2 allows remote attackers to forge messages and bypass authentication via an "XML Signature wrapping attack."
Vulnerable Software & Versions:
Description: This inclues all the available transports in Axis2
License:
http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.apache.axis2\axis2-transport-local\1.7.1\cfda1532e74015dd978b3d046b19a2749ac300b1\axis2-transport-local-1.7.1.jar
Severity:
Medium
CVSS Score: 6.4 (AV:N/AC:L/Au:N/C:P/I:P/A:N)
CWE: CWE-287 Improper Authentication
Apache Axis2 allows remote attackers to forge messages and bypass authentication via a SAML assertion that lacks a Signature element, aka a "Signature exclusion attack," a different vulnerability than CVE-2012-4418.
Vulnerable Software & Versions:
Severity:
Medium
CVSS Score: 5.8 (AV:N/AC:M/Au:N/C:P/I:P/A:N)
CWE: CWE-287 Improper Authentication
Apache Axis2 allows remote attackers to forge messages and bypass authentication via an "XML Signature wrapping attack."
Vulnerable Software & Versions:
Description:
An implementation of the SOAP ("Simple Object Access Protocol") submission to W3C.
License:
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.apache.axis\axis\1.4\94a9ce681a42d0352b3ad22659f67835e560d107\axis-1.4.jar
Severity:
Medium
CVSS Score: 5.8 (AV:N/AC:M/Au:N/C:P/I:P/A:N)
The getCN function in Apache Axis 1.4 and earlier does not properly verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via a certificate with a subject that specifies a common name in a field that is not the CN field. NOTE: this issue exists because of an incomplete fix for CVE-2012-5784.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 5.8 (AV:N/AC:M/Au:N/C:P/I:P/A:N)
CWE: CWE-20 Improper Input Validation
Apache Axis 1.4 and earlier, as used in PayPal Payments Pro, PayPal Mass Pay, PayPal Transactional Information SOAP, the Java Message Service implementation in Apache ActiveMQ, and other products, does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.
Vulnerable Software & Versions: (show all)
File Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.apache.bsf\com.springsource.org.apache.bsf\2.4.0\a0c2e39a76078191c3738a2f32fad251d680d5d9\com.springsource.org.apache.bsf-2.4.0.jar
MD5: 655b35c590f94e9e8d3f8b1efa787d2a
SHA1: a0c2e39a76078191c3738a2f32fad251d680d5d9
Severity:
Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Cross-site scripting (XSS) vulnerability in web/servlet/tags/form/FormTag.java in Spring MVC in Spring Framework 3.0.0 before 3.2.8 and 4.0.0 before 4.0.2 allows remote attackers to inject arbitrary web script or HTML via the requested URI in a default action.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-352
The Jaxb2RootElementHttpMessageConverter in Spring MVC in Spring Framework before 3.2.8 and 4.0.0 before 4.0.2 does not disable external entity resolution, which allows remote attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML, aka an XML External Entity (XXE) issue. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-4152, CVE-2013-7315, and CVE-2013-6429.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls
The Spring MVC in Spring Framework before 3.2.4 and 4.0.0.M1 through 4.0.0.M2 does not disable external entity resolution for the StAX XMLInputFactory, which allows context-dependent attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML with JAXB, aka an XML External Entity (XXE) issue, and a different vulnerability than CVE-2013-4152. NOTE: this issue was SPLIT from CVE-2013-4152 due to different affected versions.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls
The SourceHttpMessageConverter in Spring MVC in Spring Framework before 3.2.5 and 4.0.0.M1 through 4.0.0.RC1 does not disable external entity resolution, which allows remote attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML, aka an XML External Entity (XXE) issue, and a different vulnerability than CVE-2013-4152 and CVE-2013-7315.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls
The Spring OXM wrapper in Spring Framework before 3.2.4 and 4.0.0.M1, when using the JAXB marshaller, does not disable entity resolution, which allows context-dependent attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via an XML external entity declaration in conjunction with an entity reference in a (1) DOMSource, (2) StAXSource, (3) SAXSource, or (4) StreamSource, aka an XML External Entity (XXE) issue.
Vulnerable Software & Versions: (show all)
Severity:
High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-16 Configuration
VMware SpringSource Spring Framework before 2.5.6.SEC03, 2.5.7.SR023, and 3.x before 3.0.6, when a container supports Expression Language (EL), evaluates EL expressions in tags twice, which allows remote attackers to obtain sensitive information via a (1) name attribute in a (a) spring:hasBindErrors tag; (2) path attribute in a (b) spring:bind or (c) spring:nestedpath tag; (3) arguments, (4) code, (5) text, (6) var, (7) scope, or (8) message attribute in a (d) spring:message or (e) spring:theme tag; or (9) var, (10) scope, or (11) value attribute in a (f) spring:transform tag, aka "Expression Language Injection."
Vulnerable Software & Versions: (show all)
Description: Commons Logging is a thin adapter allowing configurable bridging to other,
well known logging systems.
File Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.apache.commons\com.springsource.org.apache.commons.logging\1.1.1\7657caf2c78e1d79c74d36f2ae128a115f7cc180\com.springsource.org.apache.commons.logging-1.1.1.jar
MD5: 8c9b8640b3b3821b8260294026c3864f
SHA1: 7657caf2c78e1d79c74d36f2ae128a115f7cc180
Description: The Apache Commons Collections package contains types that extend and augment the Java Collections Framework.
License:
http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.apache.commons\commons-collections4\4.1\a4cf4688fe1c7e3a63aa636cc96d013af537768e\commons-collections4-4.1.jar
Description:
Apache Commons Compress software defines an API for working with
compression and archive formats. These include: bzip2, gzip, pack200,
lzma, xz, Snappy, traditional Unix Compress, DEFLATE and ar, cpio,
jar, tar, zip, dump, 7z, arj.
License:
http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.apache.commons\commons-compress\1.11\f43ce4c878078cbcfbb061353aa672a4c8e81443\commons-compress-1.11.jar
Description:
The Apache Commons CSV library provides a simple interface for reading and writing
CSV files of various types.
License:
http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.apache.commons\commons-csv\1.1\1eeeb118cab7ec49c9a10b478356eff108d5e87e\commons-csv-1.1.jar
Description: Apache Commons DBCP software implements Database Connection Pooling
License:
http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.apache.commons\commons-dbcp2\2.1.1\c4f4a76171671ccf293be8995a498eab7fa8ed24\commons-dbcp2-2.1.1.jar
Description: Apache Commons DBCP software implements Database Connection Pooling
License:
http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.apache.commons\commons-dbcp2\2.1\95d4eab4b67874f452a69fe84e89f2952c6c27f6\commons-dbcp2-2.1.jar
Description: Apache Commons Exec is a library to reliably execute external processes from within the JVM.
License:
http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.apache.commons\commons-exec\1.3\8dfb9facd0830a27b1b5f29f84593f0aeee7773b\commons-exec-1.3.jar
Description: The Math project is a library of lightweight, self-contained mathematics and statistics components addressing the most common practical problems not immediately available in the Java programming language or commons-lang.
License:
http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.apache.commons\commons-math3\3.1.1\6719d757a98ff24a83d9d727bef9cec83f59b6e1\commons-math3-3.1.1.jar
Description: Apache Commons Object Pooling Library
License:
http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.apache.commons\commons-pool2\2.3\62a559a025fd890c30364296ece14643ba9c8c5b\commons-pool2-2.3.jar
Description: Apache Commons Object Pooling Library
License:
http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.apache.commons\commons-pool2\2.4.2\e5f4f28f19d57716fbc3989d7a357ebf1e454fea\commons-pool2-2.4.2.jar
Description: VFS is a Virtual File System library.
License:
http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.apache.commons\commons-vfs2\2.0\b5af3b9c96b060d77c68fa5ac9384b402dd58013\commons-vfs2-2.0.jar
Description: Low-level API
License:
http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.apache.curator\curator-client\2.7.1\a591dfc085db3e9d4d480381cc7e6ae8a26b34af\curator-client-2.7.1.jar
Description: High-level API that greatly simplifies using ZooKeeper.
License:
http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.apache.curator\curator-framework\2.7.1\8c7b1eeb78e43bb91ea737111ba3dec0512be876\curator-framework-2.7.1.jar
Description: All of the recipes listed on the ZooKeeper recipes doc (except two phase commit).
License:
http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.apache.curator\curator-recipes\2.7.1\a2c180efc6a38a4f8c9197eb35bb4eb5716cd2fa\curator-recipes-2.7.1.jar
Description: Apache CXF Core
License:
http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.apache.cxf\cxf-core\3.0.3\d1c97f02c6ca0bab8b3c5315237c510523b86310\cxf-core-3.0.3.jar
Severity:
Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:P/A:N)
CWE: CWE-264 Permissions, Privileges, and Access Controls
The SAML Web SSO module in Apache CXF before 2.7.18, 3.0.x before 3.0.7, and 3.1.x before 3.1.3 allows remote authenticated users to bypass authentication via a crafted SAML response with a valid signed assertion, related to a "wrapping attack."
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 5.8 (AV:N/AC:M/Au:N/C:P/I:P/A:N)
CWE: CWE-20 Improper Input Validation
The wsdl_first_https sample code in distribution/src/main/release/samples/wsdl_first_https/src/main/ in Apache CXF, possibly 2.6.0, does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.
Vulnerable Software & Versions: (show all)
Description: Apache CXF Runtime JAX-RS Frontend
License:
http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.apache.cxf\cxf-rt-frontend-jaxrs\3.0.3\284a35801aef259c0d61edb938865b5b125403ac\cxf-rt-frontend-jaxrs-3.0.3.jar
Severity:
Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:P/A:N)
CWE: CWE-264 Permissions, Privileges, and Access Controls
The SAML Web SSO module in Apache CXF before 2.7.18, 3.0.x before 3.0.7, and 3.1.x before 3.1.3 allows remote authenticated users to bypass authentication via a crafted SAML response with a valid signed assertion, related to a "wrapping attack."
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 5.8 (AV:N/AC:M/Au:N/C:P/I:P/A:N)
CWE: CWE-20 Improper Input Validation
The wsdl_first_https sample code in distribution/src/main/release/samples/wsdl_first_https/src/main/ in Apache CXF, possibly 2.6.0, does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.
Vulnerable Software & Versions: (show all)
Description: Apache CXF JAX-RS Client
License:
http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.apache.cxf\cxf-rt-rs-client\3.0.3\45eabb80eb52ac54111c71e0d6f34c9c93f99b0d\cxf-rt-rs-client-3.0.3.jar
Severity:
Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:P/A:N)
CWE: CWE-264 Permissions, Privileges, and Access Controls
The SAML Web SSO module in Apache CXF before 2.7.18, 3.0.x before 3.0.7, and 3.1.x before 3.1.3 allows remote authenticated users to bypass authentication via a crafted SAML response with a valid signed assertion, related to a "wrapping attack."
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 5.8 (AV:N/AC:M/Au:N/C:P/I:P/A:N)
CWE: CWE-20 Improper Input Validation
The wsdl_first_https sample code in distribution/src/main/release/samples/wsdl_first_https/src/main/ in Apache CXF, possibly 2.6.0, does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.
Vulnerable Software & Versions: (show all)
Description: Apache CXF Runtime HTTP Transport
License:
http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.apache.cxf\cxf-rt-transports-http\3.0.3\d0fe9957966496bcc9550dddfbe5100d84105d75\cxf-rt-transports-http-3.0.3.jar
Severity:
Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:P/A:N)
CWE: CWE-264 Permissions, Privileges, and Access Controls
The SAML Web SSO module in Apache CXF before 2.7.18, 3.0.x before 3.0.7, and 3.1.x before 3.1.3 allows remote authenticated users to bypass authentication via a crafted SAML response with a valid signed assertion, related to a "wrapping attack."
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 5.8 (AV:N/AC:M/Au:N/C:P/I:P/A:N)
CWE: CWE-20 Improper Input Validation
The wsdl_first_https sample code in distribution/src/main/release/samples/wsdl_first_https/src/main/ in Apache CXF, possibly 2.6.0, does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.
Vulnerable Software & Versions: (show all)
Description: Contains the core Apache Derby database engine, which also includes the embedded JDBC driver.
File Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.apache.derby\derby\10.11.1.1\df4b50061e8e4c348ce243b921f53ee63ba9bbe1\derby-10.11.1.1.jar
MD5: afe613d20dabc4eae9b025375adb7e84
SHA1: df4b50061e8e4c348ce243b921f53ee63ba9bbe1
Description: ASN.1 API
License:
http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.apache.directory.api\api-asn1-api\1.0.0-M20\5e6486ffa3125ba44dc410ead166e1d6ba8ac76d\api-asn1-api-1.0.0-M20.jar
Description: Utilities shared across this top level project
License:
http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.apache.directory.api\api-util\1.0.0-M20\a871abf060b3cf83fc6dc4d7e3d151fce50ac3cb\api-util-1.0.0-M20.jar
Description: Internationalization of errors and other messages
License:
http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.apache.directory.server\apacheds-i18n\2.0.0-M15\71c61c84683152ec2a6a65f3f96fe534e304fa22\apacheds-i18n-2.0.0-M15.jar
Description: The Kerberos protocol encoder/decoder module
License:
http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.apache.directory.server\apacheds-kerberos-codec\2.0.0-M15\1c16e4e477183641c5f0dd5cdecd27ec331bacb5\apacheds-kerberos-codec-2.0.0-M15.jar
Description: Apache Geronimo Transaction Manager
License:
http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.apache.geronimo.components\geronimo-transaction\3.1.1\1cfdfcff3cd6a805be401946ab14213b0bad9cb4\geronimo-transaction-3.1.1.jar
File Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.apache.geronimo.specs\geronimo-activation_1.0.2_spec\1.0\6dc4b0c7d3358ae4752cf9cc0f97f98358ea7656\geronimo-activation_1.0.2_spec-1.0.jar
MD5: a2ef03bac800790452eb400259ac10e1
SHA1: 6dc4b0c7d3358ae4752cf9cc0f97f98358ea7656
Description: Java Activation Spec API 1.1
License:
http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.apache.geronimo.specs\geronimo-activation_1.1_spec\1.1\f15af1b53fba7f23ce5e9de4fb57a88585aa9eee\geronimo-activation_1.1_spec-1.1.jar
Description: Provides open-source implementations of Sun specifications.
License:
http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.apache.geronimo.specs\geronimo-j2ee-connector_1.5_spec\2.0.0\1da837af8f5bf839ab48352f3dbfd6c4ecedc232\geronimo-j2ee-connector_1.5_spec-2.0.0.jar
Description: Java 2 Connector Architecture API
License:
http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.apache.geronimo.specs\geronimo-j2ee-connector_1.6_spec\1.0\a1a1cb635415af603ffba27987ffcd3422fb7801\geronimo-j2ee-connector_1.6_spec-1.0.jar
File Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.apache.geronimo.specs\geronimo-jaxr_1.0_spec\1.0\f6a3b80feb6badbe12c21c8a51ede7fcd6e91e5f\geronimo-jaxr_1.0_spec-1.0.jar
MD5: b75db39f775cfafb56eba304745d85ab
SHA1: f6a3b80feb6badbe12c21c8a51ede7fcd6e91e5f
File Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.apache.geronimo.specs\geronimo-jaxrpc_1.1_spec\1.1\b0b1d499b5c7f53ed65fa1aadd6cfaf743480e1b\geronimo-jaxrpc_1.1_spec-1.1.jar
MD5: ee8d28584b602a03da5f9b4c068b2d53
SHA1: b0b1d499b5c7f53ed65fa1aadd6cfaf743480e1b
Description: Provides open-source implementations of Sun specifications.
License:
http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.apache.geronimo.specs\geronimo-jms_1.1_spec\1.1.1\c872b46c601d8dc03633288b81269f9e42762cea\geronimo-jms_1.1_spec-1.1.1.jar
Description: Provides open-source implementations of Sun specifications.
License:
http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.apache.geronimo.specs\geronimo-jta_1.1_spec\1.1.1\aabab3165b8ea936b9360abbf448459c0d04a5a4\geronimo-jta_1.1_spec-1.1.1.jar
Description: SOAP AA for Java 1.3
License:
http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.apache.geronimo.specs\geronimo-saaj_1.3_spec\1.1\be6e6fc49ca84631f7c47a04d5438e193db54d7c\geronimo-saaj_1.3_spec-1.1.jar
Description: Provides open-source implementations of Sun specifications.
License:
http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.apache.geronimo.specs\geronimo-stax-api_1.0_spec\1.0.1\1c171093a8b43aa550c6050ac441abe713ebb4f2\geronimo-stax-api_1.0_spec-1.0.1.jar
Description: Provides open-source implementations of Sun specifications.
License:
http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.apache.geronimo.specs\geronimo-ws-metadata_2.0_spec\1.1.2\7be9f049b4f0f0cf045675be5a0ff709d57cbc6a\geronimo-ws-metadata_2.0_spec-1.1.2.jar
Description: Apache Hadoop Annotations
File Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.apache.hadoop\hadoop-annotations\2.6.0\8cd40a4cde2b77e6edc1ab3bb55706d626ae8b2d\hadoop-annotations-2.6.0.jar
MD5: 047c69d6862bde3e0a6d0b9574e9d6d5
SHA1: 8cd40a4cde2b77e6edc1ab3bb55706d626ae8b2d
Severity:
Low
CVSS Score: 2.1 (AV:L/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure
Apache Hadoop 2.6.x encrypts intermediate data generated by a MapReduce job and stores it along with the encryption key in a credentials file on disk when the Intermediate data encryption feature is enabled, which allows local users to obtain sensitive information by reading the file.
Vulnerable Software & Versions: (show all)
Description: Apache Hadoop Annotations
File Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.apache.hadoop\hadoop-annotations\2.7.2\80693ef2884927ee3c5464a7539fcfa4af382e14\hadoop-annotations-2.7.2.jar
MD5: 56e87afd2bf0d893ccb41142cacd6608
SHA1: 80693ef2884927ee3c5464a7539fcfa4af382e14
Description: Apache Hadoop Auth - Java HTTP SPNEGO
File Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.apache.hadoop\hadoop-auth\2.6.0\b0b8dec23a84ac8a0d00fbd69a87d320724ae34a\hadoop-auth-2.6.0.jar
MD5: 092f736dfec15aed947aa800f19c62fa
SHA1: b0b8dec23a84ac8a0d00fbd69a87d320724ae34a
Severity:
Low
CVSS Score: 2.1 (AV:L/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure
Apache Hadoop 2.6.x encrypts intermediate data generated by a MapReduce job and stores it along with the encryption key in a credentials file on disk when the Intermediate data encryption feature is enabled, which allows local users to obtain sensitive information by reading the file.
Vulnerable Software & Versions: (show all)
Description: Apache Hadoop Auth - Java HTTP SPNEGO
File Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.apache.hadoop\hadoop-auth\2.7.2\bf613cfec06a1f3d3a91d7f82f9e4af75bc01f72\hadoop-auth-2.7.2.jar
MD5: 3aa98787a5b66b696c315ff78d61b355
SHA1: bf613cfec06a1f3d3a91d7f82f9e4af75bc01f72
Description: Apache Hadoop Common
File Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.apache.hadoop\hadoop-common\2.6.0\a3f6d9827e9813a0fb286ebc0d3ae8cffed17105\hadoop-common-2.6.0.jar
MD5: a2364849e2a815bf4ba6dd8892a29714
SHA1: a3f6d9827e9813a0fb286ebc0d3ae8cffed17105
Severity:
Low
CVSS Score: 2.1 (AV:L/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure
Apache Hadoop 2.6.x encrypts intermediate data generated by a MapReduce job and stores it along with the encryption key in a credentials file on disk when the Intermediate data encryption feature is enabled, which allows local users to obtain sensitive information by reading the file.
Vulnerable Software & Versions: (show all)
Description: Apache Hadoop Common
File Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.apache.hadoop\hadoop-common\2.7.2\422eb48913fa6f81835b3192c97a576505b6c192\hadoop-common-2.7.2.jar
MD5: 8046d8c1f63ce2a6b1d331825c504f8b
SHA1: 422eb48913fa6f81835b3192c97a576505b6c192
Description: Apache Hadoop HDFS
File Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.apache.hadoop\hadoop-hdfs\2.6.0\9e25d4ea9daab5d0b7fbbe1749790aef3280ff35\hadoop-hdfs-2.6.0.jar
MD5: b63926b0ff939dfa8c5722d776138bca
SHA1: 9e25d4ea9daab5d0b7fbbe1749790aef3280ff35
Severity:
Low
CVSS Score: 2.1 (AV:L/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure
Apache Hadoop 2.6.x encrypts intermediate data generated by a MapReduce job and stores it along with the encryption key in a credentials file on disk when the Intermediate data encryption feature is enabled, which allows local users to obtain sensitive information by reading the file.
Vulnerable Software & Versions: (show all)
Description: Apache Hadoop HDFS
File Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.apache.hadoop\hadoop-hdfs\2.7.2\3c304b3d9227fbf8af8bc1cab013271538c3cf0a\hadoop-hdfs-2.7.2.jar
MD5: f7db56210c32714e003e96127cef4caa
SHA1: 3c304b3d9227fbf8af8bc1cab013271538c3cf0a
File Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.apache.htrace\htrace-core\3.1.0-incubating\f73606e7c9ede5802335c290bf47490ad6d51df3\htrace-core-3.1.0-incubating.jar
MD5: c49a4662d691a09eed10e0a35dd73299
SHA1: f73606e7c9ede5802335c290bf47490ad6d51df3
Severity:
High
CVSS Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
XML external entity (XXE) vulnerability in XmlMapper in the Data format extension for Jackson (aka jackson-dataformat-xml) allows attackers to have unspecified impact via unknown vectors.
Vulnerable Software & Versions:
Description: Core Jackson abstractions, basic JSON streaming API implementation
File Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.apache.htrace\htrace-core\3.1.0-incubating\f73606e7c9ede5802335c290bf47490ad6d51df3\htrace-core-3.1.0-incubating.jar\META-INF/maven/com.fasterxml.jackson.core/jackson-core/pom.xml
MD5: b5ed6cb7f987a4da86141638b1538d81
SHA1: ed8235ea6d84480833675e709b415bde24ce25f7
Severity:
High
CVSS Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
XML external entity (XXE) vulnerability in XmlMapper in the Data format extension for Jackson (aka jackson-dataformat-xml) allows attackers to have unspecified impact via unknown vectors.
Vulnerable Software & Versions:
Description: General data-binding functionality for Jackson: works on core streaming API
File Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.apache.htrace\htrace-core\3.1.0-incubating\f73606e7c9ede5802335c290bf47490ad6d51df3\htrace-core-3.1.0-incubating.jar\META-INF/maven/com.fasterxml.jackson.core/jackson-databind/pom.xml
MD5: d3f7afe903419aa0c03f9cf8682e1a69
SHA1: 3c0d06b6c0a9f4135fcf5c5557c751c0cd066c0c
Severity:
High
CVSS Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
XML external entity (XXE) vulnerability in XmlMapper in the Data format extension for Jackson (aka jackson-dataformat-xml) allows attackers to have unspecified impact via unknown vectors.
Vulnerable Software & Versions:
Description:
Apache HttpComponents HttpClient - Cache
File Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.apache.httpcomponents\httpclient-cache\4.4.1\6c9ba9c38bca8742d5745bb27bcd4b9c7542ea24\httpclient-cache-4.4.1.jar
MD5: 5d79921ccafc2a735f6c4186a3366e9e
SHA1: 6c9ba9c38bca8742d5745bb27bcd4b9c7542ea24
Description:
Apache HttpComponents Client
File Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.apache.httpcomponents\httpclient\4.4.1\16d0bc512222f1253ee6b64d389c84e22f697f0\httpclient-4.4.1.jar
MD5: 38f9399922142fc9538d690dbaae7e2e
SHA1: 016d0bc512222f1253ee6b64d389c84e22f697f0
Description:
Apache HttpComponents Core (blocking I/O)
File Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.apache.httpcomponents\httpcore\4.4.1\f5aa318bda4c6c8d688c9d00b90681dcd82ce636\httpcore-4.4.1.jar
MD5: 27bf6d5323a86a6115b607ce82512d6c
SHA1: f5aa318bda4c6c8d688c9d00b90681dcd82ce636
Description:
Apache HttpComponents HttpClient - MIME coded entities
File Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.apache.httpcomponents\httpmime\4.4.1\2f8757f5ac5e38f46c794e5229d1f3c522e9b1df\httpmime-4.4.1.jar
MD5: 678b75d71032e823480a41123b6b3ce2
SHA1: 2f8757f5ac5e38f46c794e5229d1f3c522e9b1df
Description: Java stream based MIME message parser
License:
http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.apache.james\apache-mime4j-core\0.7.2\a81264fe0265ebe8fd1d8128aad06dc320de6eef\apache-mime4j-core-0.7.2.jar
Severity:
High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
SQL injection vulnerability in admin/index.php in jCore before 1.0pre2 allows remote attackers to execute arbitrary SQL commands via the memberloginid cookie.
Vulnerable Software & Versions:
Severity:
Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Cross-site scripting (XSS) vulnerability in admin/index.php in jCore before 1.0pre2 allows remote attackers to inject arbitrary web script or HTML via the path parameter.
Vulnerable Software & Versions:
Description: Java MIME Document Object Model
License:
http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.apache.james\apache-mime4j-dom\0.7.2\1c289aa264548a0a1f1b43685a9cb2ab23f67287\apache-mime4j-dom-0.7.2.jar
Description: The Apache Log4j 1.x Compatibility API
License:
http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.apache.logging.log4j\log4j-1.2-api\2.3\68cabf6c9f54a78b3393f59e6995bed5025f9acb\log4j-1.2-api-2.3.jar
Description: The Apache Log4j API
License:
http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.apache.logging.log4j\log4j-api\2.3\8d85ef2675d1b45fe78adad021f809bdf12f2eeb\log4j-api-2.3.jar
Description: The Apache Log4j Implementation
License:
http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.apache.logging.log4j\log4j-core\2.3\58a3e964db5307e30650817c5daac1e8c8ede648\log4j-core-2.3.jar
Description: The Apache Log4j NoSQL appenders to databases such as MongoDB and CouchDB
License:
http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.apache.logging.log4j\log4j-nosql\2.3\dde88c324edf7ab0f9b120592b9d38f0046ae366\log4j-nosql-2.3.jar
Description: The Apache Log4j SLF4J API binding to Log4j 2 Core
License:
http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.apache.logging.log4j\log4j-slf4j-impl\2.3\57868006655a34050ad39e78c5b12aa9c74927f7\log4j-slf4j-impl-2.3.jar
Description: Additional Analyzers
File Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.apache.lucene\lucene-analyzers-common\5.3.1\bd804dbc1b8f7941018926e940d20d1016b36c4c\lucene-analyzers-common-5.3.1.jar
MD5: 8c29e03ee7acf85716501e91a15321be
SHA1: bd804dbc1b8f7941018926e940d20d1016b36c4c
Description:
Lucene Kuromoji Japanese Morphological Analyzer
File Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.apache.lucene\lucene-analyzers-kuromoji\5.3.1\56dc1408e7f98ae569ed17aa02451cb624e88d5f\lucene-analyzers-kuromoji-5.3.1.jar
MD5: 2a661e759f75273347b7e04dd3d666fb
SHA1: 56dc1408e7f98ae569ed17aa02451cb624e88d5f
Description:
Provides phonetic encoding via Commons Codec.
File Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.apache.lucene\lucene-analyzers-phonetic\5.3.1\78943ef1718e73973bde9da105885566ad0e07f1\lucene-analyzers-phonetic-5.3.1.jar
MD5: 529a4272b3455fb69a9fc540add2cb09
SHA1: 78943ef1718e73973bde9da105885566ad0e07f1
Description:
Codecs for older versions of Lucene.
File Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.apache.lucene\lucene-backward-codecs\5.3.1\380603f537317a78f9d9b7421bc2ac87586cb9a1\lucene-backward-codecs-5.3.1.jar
MD5: 195d7917cd4078cee52eebecdb167797
SHA1: 380603f537317a78f9d9b7421bc2ac87586cb9a1
Description:
Codecs and postings formats for Apache Lucene.
File Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.apache.lucene\lucene-codecs\5.3.1\5ce45a220258f1d92d8fcdba4dbbb43e4f035835\lucene-codecs-5.3.1.jar
MD5: e7a51a4509ad2837c401fc83fd5645f7
SHA1: 5ce45a220258f1d92d8fcdba4dbbb43e4f035835
Description: Apache Lucene Java Core
File Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.apache.lucene\lucene-core\5.3.1\36860653d7e09790ada96aeb1970b4ca396ac5d7\lucene-core-5.3.1.jar
MD5: c485f41387fceb3ee1df4c527aff9829
SHA1: 36860653d7e09790ada96aeb1970b4ca396ac5d7
Description:
Dynamically computed values to sort/facet/search on based on a pluggable grammar.
File Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.apache.lucene\lucene-expressions\5.3.1\2e45ba271969611bc3071b19cd164d6986f85825\lucene-expressions-5.3.1.jar
MD5: 864a09977dea28681d198d63b7da5ea5
SHA1: 2e45ba271969611bc3071b19cd164d6986f85825
Description: Lucene Grouping Module
File Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.apache.lucene\lucene-grouping\5.3.1\92a68afa9b7be5cbc35ca99f23003dfebc940aa7\lucene-grouping-5.3.1.jar
MD5: 8bc44800a541192958bc7ab5cf16b132
SHA1: 92a68afa9b7be5cbc35ca99f23003dfebc940aa7
Description:
This is the highlighter for apache lucene java
File Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.apache.lucene\lucene-highlighter\5.3.1\dd655be794feb9c42981b5c01b9f7f38e8b7f39e\lucene-highlighter-5.3.1.jar
MD5: 397a6f8aed3b8af8fbc4ea361764aaa6
SHA1: dd655be794feb9c42981b5c01b9f7f38e8b7f39e
Description: Lucene Join Module
File Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.apache.lucene\lucene-join\5.3.1\88f828205c9dfb328c3e0f600010665e1934e495\lucene-join-5.3.1.jar
MD5: 884410c82522134d1b218b53032c8e60
SHA1: 88f828205c9dfb328c3e0f600010665e1934e495
Description:
High-performance single-document index to compare against Query
File Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.apache.lucene\lucene-memory\5.3.1\7d120aa207de0c422132b951585691e5afa645e\lucene-memory-5.3.1.jar
MD5: 671893c9b394b6ee50b920c83c596bd9
SHA1: 07d120aa207de0c422132b951585691e5afa645e
Description: Miscellaneous Lucene extensions
File Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.apache.lucene\lucene-misc\5.3.1\7891bbc18b372135c2a52b471075b0bdf5f110ec\lucene-misc-5.3.1.jar
MD5: 81c0ce56e57f27bf53283dddb8ae7301
SHA1: 7891bbc18b372135c2a52b471075b0bdf5f110ec
Description: Lucene Queries Module
File Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.apache.lucene\lucene-queries\5.3.1\305665b15a8b9b7840c1b804d1cb694b4177e035\lucene-queries-5.3.1.jar
MD5: 232b7d1ba5073a6fbb659565abdc8e38
SHA1: 305665b15a8b9b7840c1b804d1cb694b4177e035
Description: Lucene QueryParsers module
File Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.apache.lucene\lucene-queryparser\5.3.1\bef0e2ac5b196dbab9d0b7c8cc8196b7ef5dd056\lucene-queryparser-5.3.1.jar
MD5: e732b911e970ff66b9821df604a4f005
SHA1: bef0e2ac5b196dbab9d0b7c8cc8196b7ef5dd056
Description: Lucene Sandbox
File Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.apache.lucene\lucene-sandbox\5.3.1\2ab2b12bf7bec88b879423898bd32067e3655fa3\lucene-sandbox-5.3.1.jar
MD5: e8a9ce2b4d9a0a4ce22befb6a1d02a6e
SHA1: 2ab2b12bf7bec88b879423898bd32067e3655fa3
Description:
Lucene Spatial shapes implemented using 3D planar geometry
File Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.apache.lucene\lucene-spatial3d\5.3.1\c0af329dfdbff3aa88b8370bc74e9a9ee1df5a6b\lucene-spatial3d-5.3.1.jar
MD5: 9de1bafd87027f3413c2cf6695e94f37
SHA1: c0af329dfdbff3aa88b8370bc74e9a9ee1df5a6b
Description:
Spatial Strategies for Apache Lucene
File Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.apache.lucene\lucene-spatial\5.3.1\1b7fc73a7e24f40cb80cdc87d382fc73f6b8c2be\lucene-spatial-5.3.1.jar
MD5: 2a08625eca709f859e6bbec8860e3107
SHA1: 1b7fc73a7e24f40cb80cdc87d382fc73f6b8c2be
Description: Lucene Suggest Module
File Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.apache.lucene\lucene-suggest\5.3.1\3da861f35aeefa786574aecec3272ea5924e45b8\lucene-suggest-5.3.1.jar
MD5: 04585b35e85220c6a420a4831b9b2233
SHA1: 3da861f35aeefa786574aecec3272ea5924e45b8
Description: The SCM API provides mechanisms to manage all SCM tools.
File Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.apache.maven.scm\maven-scm-api\1.4\e294693ce217bd6f470b728127854e6ca787fd29\maven-scm-api-1.4.jar
MD5: bc840a6620ec3d3c56ce58b10076cef4
SHA1: e294693ce217bd6f470b728127854e6ca787fd29
Description: Common library for SCM SVN Provider.
File Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.apache.maven.scm\maven-scm-provider-svn-commons\1.4\54bc1dc24c5d205b4d251a83f4ea63808c21a628\maven-scm-provider-svn-commons-1.4.jar
MD5: 09e3cb24fa48c3d6427e1d2b79b42d26
SHA1: 54bc1dc24c5d205b4d251a83f4ea63808c21a628
Description: Executable library for SCM SVN Provider.
File Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.apache.maven.scm\maven-scm-provider-svnexe\1.4\b3213b40157b701ba079b738baac391e41418c18\maven-scm-provider-svnexe-1.4.jar
MD5: 6624c9c3324f88619205c2b8c60e583b
SHA1: b3213b40157b701ba079b738baac391e41418c18
Description: Apache Neethi provides general framework for the programmers to use WS Policy. It is compliant with latest WS Policy specification which was published in March 2006. This framework is specifically written to enable the Apache Web services stack to use WS Policy as a way of expressing it's requirements and capabilities.
License:
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.apache.neethi\neethi\3.0.3\ee37a38bbf9f355ee88ba554a85c9220b75ba500\neethi-3.0.3.jar
Description: The Apache Software Foundation provides support for the Apache community of open-source software projects. The Apache projects are characterized by a collaborative, consensus based development process, an open and pragmatic software license, and a desire to create high quality software that leads the way in its field. We consider ourselves not simply a group of projects sharing a server, but rather a community of developers and users.
License:
http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.apache.opennlp\opennlp-maxent\3.0.3\55e39e6b46e71f35229cdd6950e72d8cce3b5fd4\opennlp-maxent-3.0.3.jar
Description: The Apache Software Foundation provides support for the Apache community of open-source software projects. The Apache projects are characterized by a collaborative, consensus based development process, an open and pragmatic software license, and a desire to create high quality software that leads the way in its field. We consider ourselves not simply a group of projects sharing a server, but rather a community of developers and users.
License:
http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.apache.opennlp\opennlp-tools\1.5.3\826d34168b0e4870c9f599ed7f2b8fee4194ba3b\opennlp-tools-1.5.3.jar
Description:
The Apache FontBox library is an open source Java tool to obtain low level information
from font files. FontBox is a subproject of Apache PDFBox.
License:
http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.apache.pdfbox\fontbox\1.8.12\272ab4b5d0fd99dce8d03c8b5befd393385d79c2\fontbox-1.8.12.jar
Description:
The Apache JempBox library is an open source Java tool that implements Adobe's XMP(TM)
specification. JempBox is a subproject of Apache PDFBox.
License:
http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.apache.pdfbox\jempbox\1.8.12\426450c573c19f6f2c751a7a52c11931b712c9f6\jempbox-1.8.12.jar
Description:
The Apache PDFBox library is an open source Java tool for working with PDF documents.
License:
http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.apache.pdfbox\pdfbox\1.8.12\5491c1dc61748ee106237b9a8b81ca3aa8ef81bf\pdfbox-1.8.12.jar
Description: Apache POI - Java API To Access Microsoft Format Files
License:
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.apache.poi\poi-ooxml-schemas\3.13\56fb0b9f3ffc3d7f7fc9b59e17b5fa2c3ab921e7\poi-ooxml-schemas-3.13.jar
Description: Apache POI - Java API To Access Microsoft Format Files
License:
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.apache.poi\poi-ooxml\3.13\c364a8f5422d613e3a56db3b4b889f2989d7ee73\poi-ooxml-3.13.jar
Description: Apache POI - Java API To Access Microsoft Format Files
License:
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.apache.poi\poi-scratchpad\3.13\9d763275e6c7fa05d47e2581606748669e88c55\poi-scratchpad-3.13.jar
Description: Apache POI - Java API To Access Microsoft Format Files
License:
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.apache.poi\poi\3.14\fad7ae6d2e59c59ffdb45f1981500babfa765180\poi-3.14.jar
Description:
Apache XML Security supports XML-Signature Syntax and Processing,
W3C Recommendation 12 February 2002, and XML Encryption Syntax and
Processing, W3C Recommendation 10 December 2002. As of version 1.4,
the Java library supports the standard Java API JSR-105: XML Digital
Signature APIs.
License:
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.apache.santuario\xmlsec\1.4.3\22629b7c6b25352c25be97d0839460fef58ec533\xmlsec-1.4.3.jar
Description: This OSGi bundle wraps ${pkgArtifactId} ${pkgVersion} jar file.
License:
http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.apache.servicemix.bundles\org.apache.servicemix.bundles.xpp3\1.1.4c_7\5200d5cddccc804c6e321dbf828d1f9efbf9daea\org.apache.servicemix.bundles.xpp3-1.1.4c_7.jar
Description: Apache Shiro is a powerful and flexible open-source security framework that cleanly handles authentication, authorization, enterprise session management, single sign-on and cryptography services.
License:
http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.apache.shiro\shiro-core\1.2.5\89aebf96f29eb0d4171c67d5e03787e6ed6e84fb\shiro-core-1.2.5.jar
Description:
Implementations of metadata derived from ISO 19115. This module provides both an implementation
of the metadata interfaces defined in GeoAPI, and a framework for handling those metadata through
Java reflection.
License:
http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.apache.sis.core\sis-metadata\0.5\1bbd65e52d27b61c64944b9275c44ccd79f267a7\sis-metadata-0.5.jar
Description:
Implementations of Coordinate Reference Systems (CRS),
conversion and transformation services derived from ISO 19111.
License:
http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.apache.sis.core\sis-referencing\0.5\377246c70fd858346fab8a0e554bed3b3cfcde70\sis-referencing-0.5.jar
Description:
Miscellaneous utilities.
License:
http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.apache.sis.core\sis-utility\0.5\aaea81deda0e3c7ca2602e7fb9459bcc19894ecf\sis-utility-0.5.jar
Description:
Bridge between NetCDF Climate and Forecast (CF) convention and ISO 19115 metadata.
License:
http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.apache.sis.storage\sis-netcdf\0.5\2b416e4506caebe7df6dd21b878dae888e0eea39\sis-netcdf-0.5.jar
Description:
Provides the interfaces and base classes to be implemented by various storage formats.
License:
http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.apache.sis.storage\sis-storage\0.5\29d1ea6422b68fbfe1f1702f122019ae376ee2c8\sis-storage-0.5.jar
Description: Apache Solr Core
File Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.apache.solr\solr-core\5.3.1\dacde184d486749c79f1cfcce456bae721ae6437\solr-core-5.3.1.jar
MD5: cff1dd172bebe55b046016c6ca2a59cd
SHA1: dacde184d486749c79f1cfcce456bae721ae6437
Description: Apache Solr Solrj
File Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.apache.solr\solr-solrj\5.3.1\790150b27e005232510dda39afbbf32830842a9a\solr-solrj-5.3.1.jar
MD5: d687a4b162393a65d9aa57b8a1ed5118
SHA1: 790150b27e005232510dda39afbbf32830842a9a
Description: This is the core Apache Tika™ toolkit library from which all other modules inherit functionality. It also
includes the core facades for the Tika API.
License:
http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.apache.tika\tika-core\1.12\5ab95580d22fe1dee79cffbcd98bb509a32da09b\tika-core-1.12.jar
Description: Apache Tika is a toolkit for detecting and extracting metadata and structured text content from various documents using existing parser libraries.
License:
http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.apache.tika\tika-parsers\1.12\ee3ad76cb3066ba6c11e2db6d48b5ef6842a9788\tika-parsers-1.12.jar
Description: Core Tomcat implementation
License:
Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.apache.tomcat.embed\tomcat-embed-core\8.0.33\4e7f547fbb2c364cb5e02a58790c5fb89e31efed\tomcat-embed-core-8.0.33.jar
Severity:
Medium
CVSS Score: 5.1 (AV:N/AC:H/Au:N/C:P/I:P/A:P)
CWE: CWE-284 Improper Access Control
Apache Tomcat through 8.5.4, when the CGI Servlet is enabled, follows RFC 3875 section 4.1.18 and therefore does not protect applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect an application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, aka an "httpoxy" issue. NOTE: the vendor states "A mitigation is planned for future releases of Tomcat, tracked as CVE-2016-5388"; in other words, this is not a CVE ID for a vulnerability.
Vulnerable Software & Versions:
Severity:
High
CVSS Score: 7.8 (AV:N/AC:L/Au:N/C:N/I:N/A:C)
CWE: CWE-20 Improper Input Validation
The MultipartStream class in Apache Commons Fileupload before 1.3.2, as used in Apache Tomcat 7.x before 7.0.70, 8.x before 8.0.36, 8.5.x before 8.5.3, and 9.x before 9.0.0.M7 and other products, allows remote attackers to cause a denial of service (CPU consumption) via a long boundary string.
Vulnerable Software & Versions: (show all)
Severity:
High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-20 Improper Input Validation
** DISPUTED ** The readObject method in the DiskFileItem class in Apache Tomcat and JBoss Web, as used in Red Hat JBoss Enterprise Application Platform 6.1.0 and Red Hat JBoss Portal 6.0.0, allows remote attackers to write to arbitrary files via a NULL byte in a file name in a serialized instance, a similar issue to CVE-2013-2186. NOTE: this issue is reportedly disputed by the Apache Tomcat team, although Red Hat considers it a vulnerability. The dispute appears to regard whether it is the responsibility of applications to avoid providing untrusted data to be deserialized, or whether this class should inherently protect against this issue.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Cross-site scripting (XSS) vulnerability in jsp/cal/cal2.jsp in the calendar application in the examples web application in Apache Tomcat on Red Hat Enterprise Linux 5, Desktop Workstation 5, and Linux Desktop 5 allows remote attackers to inject arbitrary web script or HTML via the time parameter, related to "invalid HTML." NOTE: this is due to a missing fix for CVE-2009-0781.
Vulnerable Software & Versions:
Severity:
Low
CVSS Score: 3.5 (AV:N/AC:M/Au:S/C:P/I:N/A:N)
CWE: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Absolute path traversal vulnerability in Apache Tomcat 4.0.0 through 4.0.6, 4.1.0, 5.0.0, 5.5.0 through 5.5.25, and 6.0.0 through 6.0.14, under certain configurations, allows remote authenticated users to read arbitrary files via a WebDAV write request that specifies an entity with a SYSTEM tag.
Vulnerable Software & Versions:
Severity:
High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Apache Tomcat may be started without proper security settings if errors are encountered while reading the web.xml file, which could allow attackers to bypass intended restrictions.
Vulnerable Software & Versions:
Description: Core Tomcat implementation
License:
Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.apache.tomcat.embed\tomcat-embed-websocket\8.0.33\be1f95e5d9ae00f9bc6138441d29cfe5c7c60256\tomcat-embed-websocket-8.0.33.jar
Severity:
Medium
CVSS Score: 5.1 (AV:N/AC:H/Au:N/C:P/I:P/A:P)
CWE: CWE-284 Improper Access Control
Apache Tomcat through 8.5.4, when the CGI Servlet is enabled, follows RFC 3875 section 4.1.18 and therefore does not protect applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect an application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, aka an "httpoxy" issue. NOTE: the vendor states "A mitigation is planned for future releases of Tomcat, tracked as CVE-2016-5388"; in other words, this is not a CVE ID for a vulnerability.
Vulnerable Software & Versions:
Severity:
High
CVSS Score: 7.8 (AV:N/AC:L/Au:N/C:N/I:N/A:C)
CWE: CWE-20 Improper Input Validation
The MultipartStream class in Apache Commons Fileupload before 1.3.2, as used in Apache Tomcat 7.x before 7.0.70, 8.x before 8.0.36, 8.5.x before 8.5.3, and 9.x before 9.0.0.M7 and other products, allows remote attackers to cause a denial of service (CPU consumption) via a long boundary string.
Vulnerable Software & Versions: (show all)
Severity:
High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-20 Improper Input Validation
** DISPUTED ** The readObject method in the DiskFileItem class in Apache Tomcat and JBoss Web, as used in Red Hat JBoss Enterprise Application Platform 6.1.0 and Red Hat JBoss Portal 6.0.0, allows remote attackers to write to arbitrary files via a NULL byte in a file name in a serialized instance, a similar issue to CVE-2013-2186. NOTE: this issue is reportedly disputed by the Apache Tomcat team, although Red Hat considers it a vulnerability. The dispute appears to regard whether it is the responsibility of applications to avoid providing untrusted data to be deserialized, or whether this class should inherently protect against this issue.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Cross-site scripting (XSS) vulnerability in jsp/cal/cal2.jsp in the calendar application in the examples web application in Apache Tomcat on Red Hat Enterprise Linux 5, Desktop Workstation 5, and Linux Desktop 5 allows remote attackers to inject arbitrary web script or HTML via the time parameter, related to "invalid HTML." NOTE: this is due to a missing fix for CVE-2009-0781.
Vulnerable Software & Versions:
Severity:
Low
CVSS Score: 3.5 (AV:N/AC:M/Au:S/C:P/I:N/A:N)
CWE: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Absolute path traversal vulnerability in Apache Tomcat 4.0.0 through 4.0.6, 4.1.0, 5.0.0, 5.5.0 through 5.5.25, and 6.0.0 through 6.0.14, under certain configurations, allows remote authenticated users to read arbitrary files via a WebDAV write request that specifies an entity with a SYSTEM tag.
Vulnerable Software & Versions:
Severity:
High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Apache Tomcat may be started without proper security settings if errors are encountered while reading the web.xml file, which could allow attackers to bypass intended restrictions.
Vulnerable Software & Versions:
Description: Adapters to plug in other logging frameworks in Tomcat
License:
Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.apache.tomcat.extras\tomcat-extras-juli-adapters\8.0.33\76c82071b5dec0b9a2891da07e04596780243933\tomcat-extras-juli-adapters-8.0.33.jar
Severity:
Medium
CVSS Score: 5.1 (AV:N/AC:H/Au:N/C:P/I:P/A:P)
CWE: CWE-284 Improper Access Control
Apache Tomcat through 8.5.4, when the CGI Servlet is enabled, follows RFC 3875 section 4.1.18 and therefore does not protect applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect an application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, aka an "httpoxy" issue. NOTE: the vendor states "A mitigation is planned for future releases of Tomcat, tracked as CVE-2016-5388"; in other words, this is not a CVE ID for a vulnerability.
Vulnerable Software & Versions:
Severity:
High
CVSS Score: 7.8 (AV:N/AC:L/Au:N/C:N/I:N/A:C)
CWE: CWE-20 Improper Input Validation
The MultipartStream class in Apache Commons Fileupload before 1.3.2, as used in Apache Tomcat 7.x before 7.0.70, 8.x before 8.0.36, 8.5.x before 8.5.3, and 9.x before 9.0.0.M7 and other products, allows remote attackers to cause a denial of service (CPU consumption) via a long boundary string.
Vulnerable Software & Versions: (show all)
Severity:
High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-20 Improper Input Validation
** DISPUTED ** The readObject method in the DiskFileItem class in Apache Tomcat and JBoss Web, as used in Red Hat JBoss Enterprise Application Platform 6.1.0 and Red Hat JBoss Portal 6.0.0, allows remote attackers to write to arbitrary files via a NULL byte in a file name in a serialized instance, a similar issue to CVE-2013-2186. NOTE: this issue is reportedly disputed by the Apache Tomcat team, although Red Hat considers it a vulnerability. The dispute appears to regard whether it is the responsibility of applications to avoid providing untrusted data to be deserialized, or whether this class should inherently protect against this issue.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Cross-site scripting (XSS) vulnerability in jsp/cal/cal2.jsp in the calendar application in the examples web application in Apache Tomcat on Red Hat Enterprise Linux 5, Desktop Workstation 5, and Linux Desktop 5 allows remote attackers to inject arbitrary web script or HTML via the time parameter, related to "invalid HTML." NOTE: this is due to a missing fix for CVE-2009-0781.
Vulnerable Software & Versions:
Severity:
Low
CVSS Score: 3.5 (AV:N/AC:M/Au:S/C:P/I:N/A:N)
CWE: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Absolute path traversal vulnerability in Apache Tomcat 4.0.0 through 4.0.6, 4.1.0, 5.0.0, 5.5.0 through 5.5.25, and 6.0.0 through 6.0.14, under certain configurations, allows remote authenticated users to read arbitrary files via a WebDAV write request that specifies an entity with a SYSTEM tag.
Vulnerable Software & Versions:
Severity:
High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Apache Tomcat may be started without proper security settings if errors are encountered while reading the web.xml file, which could allow attackers to bypass intended restrictions.
Vulnerable Software & Versions:
Description: Replacement for Tomcat Core Logging Package
License:
Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.apache.tomcat.extras\tomcat-extras-juli\8.0.33\3ef654197732568e2568962d1b0ac6aef8a6bf7\tomcat-extras-juli-8.0.33.jar
Severity:
Medium
CVSS Score: 5.1 (AV:N/AC:H/Au:N/C:P/I:P/A:P)
CWE: CWE-284 Improper Access Control
Apache Tomcat through 8.5.4, when the CGI Servlet is enabled, follows RFC 3875 section 4.1.18 and therefore does not protect applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect an application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, aka an "httpoxy" issue. NOTE: the vendor states "A mitigation is planned for future releases of Tomcat, tracked as CVE-2016-5388"; in other words, this is not a CVE ID for a vulnerability.
Vulnerable Software & Versions:
Severity:
High
CVSS Score: 7.8 (AV:N/AC:L/Au:N/C:N/I:N/A:C)
CWE: CWE-20 Improper Input Validation
The MultipartStream class in Apache Commons Fileupload before 1.3.2, as used in Apache Tomcat 7.x before 7.0.70, 8.x before 8.0.36, 8.5.x before 8.5.3, and 9.x before 9.0.0.M7 and other products, allows remote attackers to cause a denial of service (CPU consumption) via a long boundary string.
Vulnerable Software & Versions: (show all)
Severity:
High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-20 Improper Input Validation
** DISPUTED ** The readObject method in the DiskFileItem class in Apache Tomcat and JBoss Web, as used in Red Hat JBoss Enterprise Application Platform 6.1.0 and Red Hat JBoss Portal 6.0.0, allows remote attackers to write to arbitrary files via a NULL byte in a file name in a serialized instance, a similar issue to CVE-2013-2186. NOTE: this issue is reportedly disputed by the Apache Tomcat team, although Red Hat considers it a vulnerability. The dispute appears to regard whether it is the responsibility of applications to avoid providing untrusted data to be deserialized, or whether this class should inherently protect against this issue.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Cross-site scripting (XSS) vulnerability in jsp/cal/cal2.jsp in the calendar application in the examples web application in Apache Tomcat on Red Hat Enterprise Linux 5, Desktop Workstation 5, and Linux Desktop 5 allows remote attackers to inject arbitrary web script or HTML via the time parameter, related to "invalid HTML." NOTE: this is due to a missing fix for CVE-2009-0781.
Vulnerable Software & Versions:
Severity:
Low
CVSS Score: 3.5 (AV:N/AC:M/Au:S/C:P/I:N/A:N)
CWE: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Absolute path traversal vulnerability in Apache Tomcat 4.0.0 through 4.0.6, 4.1.0, 5.0.0, 5.5.0 through 5.5.25, and 6.0.0 through 6.0.14, under certain configurations, allows remote authenticated users to read arbitrary files via a WebDAV write request that specifies an entity with a SYSTEM tag.
Vulnerable Software & Versions:
Severity:
High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Apache Tomcat may be started without proper security settings if errors are encountered while reading the web.xml file, which could allow attackers to bypass intended restrictions.
Vulnerable Software & Versions:
Description: Annotations Package
License:
Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.apache.tomcat\tomcat-annotations-api\8.0.33\9d9e4b67315fbc73f346dabff8d63b433464ab2b\tomcat-annotations-api-8.0.33.jar
Severity:
Medium
CVSS Score: 5.1 (AV:N/AC:H/Au:N/C:P/I:P/A:P)
CWE: CWE-284 Improper Access Control
Apache Tomcat through 8.5.4, when the CGI Servlet is enabled, follows RFC 3875 section 4.1.18 and therefore does not protect applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect an application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, aka an "httpoxy" issue. NOTE: the vendor states "A mitigation is planned for future releases of Tomcat, tracked as CVE-2016-5388"; in other words, this is not a CVE ID for a vulnerability.
Vulnerable Software & Versions:
Severity:
High
CVSS Score: 7.8 (AV:N/AC:L/Au:N/C:N/I:N/A:C)
CWE: CWE-20 Improper Input Validation
The MultipartStream class in Apache Commons Fileupload before 1.3.2, as used in Apache Tomcat 7.x before 7.0.70, 8.x before 8.0.36, 8.5.x before 8.5.3, and 9.x before 9.0.0.M7 and other products, allows remote attackers to cause a denial of service (CPU consumption) via a long boundary string.
Vulnerable Software & Versions: (show all)
Severity:
High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-20 Improper Input Validation
** DISPUTED ** The readObject method in the DiskFileItem class in Apache Tomcat and JBoss Web, as used in Red Hat JBoss Enterprise Application Platform 6.1.0 and Red Hat JBoss Portal 6.0.0, allows remote attackers to write to arbitrary files via a NULL byte in a file name in a serialized instance, a similar issue to CVE-2013-2186. NOTE: this issue is reportedly disputed by the Apache Tomcat team, although Red Hat considers it a vulnerability. The dispute appears to regard whether it is the responsibility of applications to avoid providing untrusted data to be deserialized, or whether this class should inherently protect against this issue.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Cross-site scripting (XSS) vulnerability in jsp/cal/cal2.jsp in the calendar application in the examples web application in Apache Tomcat on Red Hat Enterprise Linux 5, Desktop Workstation 5, and Linux Desktop 5 allows remote attackers to inject arbitrary web script or HTML via the time parameter, related to "invalid HTML." NOTE: this is due to a missing fix for CVE-2009-0781.
Vulnerable Software & Versions:
Severity:
Low
CVSS Score: 3.5 (AV:N/AC:M/Au:S/C:P/I:N/A:N)
CWE: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Absolute path traversal vulnerability in Apache Tomcat 4.0.0 through 4.0.6, 4.1.0, 5.0.0, 5.5.0 through 5.5.25, and 6.0.0 through 6.0.14, under certain configurations, allows remote authenticated users to read arbitrary files via a WebDAV write request that specifies an entity with a SYSTEM tag.
Vulnerable Software & Versions:
Severity:
High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Apache Tomcat may be started without proper security settings if errors are encountered while reading the web.xml file, which could allow attackers to bypass intended restrictions.
Vulnerable Software & Versions:
Description: Definition of interfaces shared by Catalina and Jasper
License:
Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.apache.tomcat\tomcat-api\8.0.33\62142702a1ee607dff38f95a7a1d9c976f510f0\tomcat-api-8.0.33.jar
Severity:
Medium
CVSS Score: 5.1 (AV:N/AC:H/Au:N/C:P/I:P/A:P)
CWE: CWE-284 Improper Access Control
Apache Tomcat through 8.5.4, when the CGI Servlet is enabled, follows RFC 3875 section 4.1.18 and therefore does not protect applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect an application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, aka an "httpoxy" issue. NOTE: the vendor states "A mitigation is planned for future releases of Tomcat, tracked as CVE-2016-5388"; in other words, this is not a CVE ID for a vulnerability.
Vulnerable Software & Versions:
Severity:
High
CVSS Score: 7.8 (AV:N/AC:L/Au:N/C:N/I:N/A:C)
CWE: CWE-20 Improper Input Validation
The MultipartStream class in Apache Commons Fileupload before 1.3.2, as used in Apache Tomcat 7.x before 7.0.70, 8.x before 8.0.36, 8.5.x before 8.5.3, and 9.x before 9.0.0.M7 and other products, allows remote attackers to cause a denial of service (CPU consumption) via a long boundary string.
Vulnerable Software & Versions: (show all)
Severity:
High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-20 Improper Input Validation
** DISPUTED ** The readObject method in the DiskFileItem class in Apache Tomcat and JBoss Web, as used in Red Hat JBoss Enterprise Application Platform 6.1.0 and Red Hat JBoss Portal 6.0.0, allows remote attackers to write to arbitrary files via a NULL byte in a file name in a serialized instance, a similar issue to CVE-2013-2186. NOTE: this issue is reportedly disputed by the Apache Tomcat team, although Red Hat considers it a vulnerability. The dispute appears to regard whether it is the responsibility of applications to avoid providing untrusted data to be deserialized, or whether this class should inherently protect against this issue.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Cross-site scripting (XSS) vulnerability in jsp/cal/cal2.jsp in the calendar application in the examples web application in Apache Tomcat on Red Hat Enterprise Linux 5, Desktop Workstation 5, and Linux Desktop 5 allows remote attackers to inject arbitrary web script or HTML via the time parameter, related to "invalid HTML." NOTE: this is due to a missing fix for CVE-2009-0781.
Vulnerable Software & Versions:
Severity:
Low
CVSS Score: 3.5 (AV:N/AC:M/Au:S/C:P/I:N/A:N)
CWE: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Absolute path traversal vulnerability in Apache Tomcat 4.0.0 through 4.0.6, 4.1.0, 5.0.0, 5.5.0 through 5.5.25, and 6.0.0 through 6.0.14, under certain configurations, allows remote authenticated users to read arbitrary files via a WebDAV write request that specifies an entity with a SYSTEM tag.
Vulnerable Software & Versions:
Severity:
High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Apache Tomcat may be started without proper security settings if errors are encountered while reading the web.xml file, which could allow attackers to bypass intended restrictions.
Vulnerable Software & Versions:
Description: Tomcat High Availability Implementation
License:
Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.apache.tomcat\tomcat-catalina-ha\8.0.33\850454212c5971327d29d27e3ad4787bc526f399\tomcat-catalina-ha-8.0.33.jar
Severity:
Medium
CVSS Score: 5.1 (AV:N/AC:H/Au:N/C:P/I:P/A:P)
CWE: CWE-284 Improper Access Control
Apache Tomcat through 8.5.4, when the CGI Servlet is enabled, follows RFC 3875 section 4.1.18 and therefore does not protect applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect an application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, aka an "httpoxy" issue. NOTE: the vendor states "A mitigation is planned for future releases of Tomcat, tracked as CVE-2016-5388"; in other words, this is not a CVE ID for a vulnerability.
Vulnerable Software & Versions:
Severity:
High
CVSS Score: 7.8 (AV:N/AC:L/Au:N/C:N/I:N/A:C)
CWE: CWE-20 Improper Input Validation
The MultipartStream class in Apache Commons Fileupload before 1.3.2, as used in Apache Tomcat 7.x before 7.0.70, 8.x before 8.0.36, 8.5.x before 8.5.3, and 9.x before 9.0.0.M7 and other products, allows remote attackers to cause a denial of service (CPU consumption) via a long boundary string.
Vulnerable Software & Versions: (show all)
Severity:
High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-20 Improper Input Validation
** DISPUTED ** The readObject method in the DiskFileItem class in Apache Tomcat and JBoss Web, as used in Red Hat JBoss Enterprise Application Platform 6.1.0 and Red Hat JBoss Portal 6.0.0, allows remote attackers to write to arbitrary files via a NULL byte in a file name in a serialized instance, a similar issue to CVE-2013-2186. NOTE: this issue is reportedly disputed by the Apache Tomcat team, although Red Hat considers it a vulnerability. The dispute appears to regard whether it is the responsibility of applications to avoid providing untrusted data to be deserialized, or whether this class should inherently protect against this issue.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Cross-site scripting (XSS) vulnerability in jsp/cal/cal2.jsp in the calendar application in the examples web application in Apache Tomcat on Red Hat Enterprise Linux 5, Desktop Workstation 5, and Linux Desktop 5 allows remote attackers to inject arbitrary web script or HTML via the time parameter, related to "invalid HTML." NOTE: this is due to a missing fix for CVE-2009-0781.
Vulnerable Software & Versions:
Severity:
Low
CVSS Score: 3.5 (AV:N/AC:M/Au:S/C:P/I:N/A:N)
CWE: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Absolute path traversal vulnerability in Apache Tomcat 4.0.0 through 4.0.6, 4.1.0, 5.0.0, 5.5.0 through 5.5.25, and 6.0.0 through 6.0.14, under certain configurations, allows remote authenticated users to read arbitrary files via a WebDAV write request that specifies an entity with a SYSTEM tag.
Vulnerable Software & Versions:
Severity:
High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Apache Tomcat may be started without proper security settings if errors are encountered while reading the web.xml file, which could allow attackers to bypass intended restrictions.
Vulnerable Software & Versions:
Description: Tomcat Servlet Engine Core Classes and Standard implementations
License:
Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.apache.tomcat\tomcat-catalina\8.0.33\585795d972f59b19ed5a1ed94446b5a8750669c2\tomcat-catalina-8.0.33.jar
Severity:
Medium
CVSS Score: 5.1 (AV:N/AC:H/Au:N/C:P/I:P/A:P)
CWE: CWE-284 Improper Access Control
Apache Tomcat through 8.5.4, when the CGI Servlet is enabled, follows RFC 3875 section 4.1.18 and therefore does not protect applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect an application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, aka an "httpoxy" issue. NOTE: the vendor states "A mitigation is planned for future releases of Tomcat, tracked as CVE-2016-5388"; in other words, this is not a CVE ID for a vulnerability.
Vulnerable Software & Versions:
Severity:
High
CVSS Score: 7.8 (AV:N/AC:L/Au:N/C:N/I:N/A:C)
CWE: CWE-20 Improper Input Validation
The MultipartStream class in Apache Commons Fileupload before 1.3.2, as used in Apache Tomcat 7.x before 7.0.70, 8.x before 8.0.36, 8.5.x before 8.5.3, and 9.x before 9.0.0.M7 and other products, allows remote attackers to cause a denial of service (CPU consumption) via a long boundary string.
Vulnerable Software & Versions: (show all)
Severity:
High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-20 Improper Input Validation
** DISPUTED ** The readObject method in the DiskFileItem class in Apache Tomcat and JBoss Web, as used in Red Hat JBoss Enterprise Application Platform 6.1.0 and Red Hat JBoss Portal 6.0.0, allows remote attackers to write to arbitrary files via a NULL byte in a file name in a serialized instance, a similar issue to CVE-2013-2186. NOTE: this issue is reportedly disputed by the Apache Tomcat team, although Red Hat considers it a vulnerability. The dispute appears to regard whether it is the responsibility of applications to avoid providing untrusted data to be deserialized, or whether this class should inherently protect against this issue.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Cross-site scripting (XSS) vulnerability in jsp/cal/cal2.jsp in the calendar application in the examples web application in Apache Tomcat on Red Hat Enterprise Linux 5, Desktop Workstation 5, and Linux Desktop 5 allows remote attackers to inject arbitrary web script or HTML via the time parameter, related to "invalid HTML." NOTE: this is due to a missing fix for CVE-2009-0781.
Vulnerable Software & Versions:
Severity:
Low
CVSS Score: 3.5 (AV:N/AC:M/Au:S/C:P/I:N/A:N)
CWE: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Absolute path traversal vulnerability in Apache Tomcat 4.0.0 through 4.0.6, 4.1.0, 5.0.0, 5.5.0 through 5.5.25, and 6.0.0 through 6.0.14, under certain configurations, allows remote authenticated users to read arbitrary files via a WebDAV write request that specifies an entity with a SYSTEM tag.
Vulnerable Software & Versions:
Severity:
High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Apache Tomcat may be started without proper security settings if errors are encountered while reading the web.xml file, which could allow attackers to bypass intended restrictions.
Vulnerable Software & Versions:
Description: Tomcat Connectors and HTTP parser
License:
Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.apache.tomcat\tomcat-coyote\8.0.33\4430c9a8d27d4025a5f5e4795d5755e0d3522844\tomcat-coyote-8.0.33.jar
Severity:
Medium
CVSS Score: 5.1 (AV:N/AC:H/Au:N/C:P/I:P/A:P)
CWE: CWE-284 Improper Access Control
Apache Tomcat through 8.5.4, when the CGI Servlet is enabled, follows RFC 3875 section 4.1.18 and therefore does not protect applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect an application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, aka an "httpoxy" issue. NOTE: the vendor states "A mitigation is planned for future releases of Tomcat, tracked as CVE-2016-5388"; in other words, this is not a CVE ID for a vulnerability.
Vulnerable Software & Versions:
Severity:
High
CVSS Score: 7.8 (AV:N/AC:L/Au:N/C:N/I:N/A:C)
CWE: CWE-20 Improper Input Validation
The MultipartStream class in Apache Commons Fileupload before 1.3.2, as used in Apache Tomcat 7.x before 7.0.70, 8.x before 8.0.36, 8.5.x before 8.5.3, and 9.x before 9.0.0.M7 and other products, allows remote attackers to cause a denial of service (CPU consumption) via a long boundary string.
Vulnerable Software & Versions: (show all)
Severity:
High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-20 Improper Input Validation
** DISPUTED ** The readObject method in the DiskFileItem class in Apache Tomcat and JBoss Web, as used in Red Hat JBoss Enterprise Application Platform 6.1.0 and Red Hat JBoss Portal 6.0.0, allows remote attackers to write to arbitrary files via a NULL byte in a file name in a serialized instance, a similar issue to CVE-2013-2186. NOTE: this issue is reportedly disputed by the Apache Tomcat team, although Red Hat considers it a vulnerability. The dispute appears to regard whether it is the responsibility of applications to avoid providing untrusted data to be deserialized, or whether this class should inherently protect against this issue.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Cross-site scripting (XSS) vulnerability in jsp/cal/cal2.jsp in the calendar application in the examples web application in Apache Tomcat on Red Hat Enterprise Linux 5, Desktop Workstation 5, and Linux Desktop 5 allows remote attackers to inject arbitrary web script or HTML via the time parameter, related to "invalid HTML." NOTE: this is due to a missing fix for CVE-2009-0781.
Vulnerable Software & Versions:
Severity:
Low
CVSS Score: 3.5 (AV:N/AC:M/Au:S/C:P/I:N/A:N)
CWE: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Absolute path traversal vulnerability in Apache Tomcat 4.0.0 through 4.0.6, 4.1.0, 5.0.0, 5.5.0 through 5.5.25, and 6.0.0 through 6.0.14, under certain configurations, allows remote authenticated users to read arbitrary files via a WebDAV write request that specifies an entity with a SYSTEM tag.
Vulnerable Software & Versions:
Severity:
High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Apache Tomcat may be started without proper security settings if errors are encountered while reading the web.xml file, which could allow attackers to bypass intended restrictions.
Vulnerable Software & Versions:
Description: Expression language package
License:
Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.apache.tomcat\tomcat-el-api\8.0.33\794cf8e8d615c6ac136835867aef2fee125bc74b\tomcat-el-api-8.0.33.jar
Severity:
Medium
CVSS Score: 5.1 (AV:N/AC:H/Au:N/C:P/I:P/A:P)
CWE: CWE-284 Improper Access Control
Apache Tomcat through 8.5.4, when the CGI Servlet is enabled, follows RFC 3875 section 4.1.18 and therefore does not protect applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect an application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, aka an "httpoxy" issue. NOTE: the vendor states "A mitigation is planned for future releases of Tomcat, tracked as CVE-2016-5388"; in other words, this is not a CVE ID for a vulnerability.
Vulnerable Software & Versions:
Severity:
High
CVSS Score: 7.8 (AV:N/AC:L/Au:N/C:N/I:N/A:C)
CWE: CWE-20 Improper Input Validation
The MultipartStream class in Apache Commons Fileupload before 1.3.2, as used in Apache Tomcat 7.x before 7.0.70, 8.x before 8.0.36, 8.5.x before 8.5.3, and 9.x before 9.0.0.M7 and other products, allows remote attackers to cause a denial of service (CPU consumption) via a long boundary string.
Vulnerable Software & Versions: (show all)
Severity:
High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-20 Improper Input Validation
** DISPUTED ** The readObject method in the DiskFileItem class in Apache Tomcat and JBoss Web, as used in Red Hat JBoss Enterprise Application Platform 6.1.0 and Red Hat JBoss Portal 6.0.0, allows remote attackers to write to arbitrary files via a NULL byte in a file name in a serialized instance, a similar issue to CVE-2013-2186. NOTE: this issue is reportedly disputed by the Apache Tomcat team, although Red Hat considers it a vulnerability. The dispute appears to regard whether it is the responsibility of applications to avoid providing untrusted data to be deserialized, or whether this class should inherently protect against this issue.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Cross-site scripting (XSS) vulnerability in jsp/cal/cal2.jsp in the calendar application in the examples web application in Apache Tomcat on Red Hat Enterprise Linux 5, Desktop Workstation 5, and Linux Desktop 5 allows remote attackers to inject arbitrary web script or HTML via the time parameter, related to "invalid HTML." NOTE: this is due to a missing fix for CVE-2009-0781.
Vulnerable Software & Versions:
Severity:
Low
CVSS Score: 3.5 (AV:N/AC:M/Au:S/C:P/I:N/A:N)
CWE: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Absolute path traversal vulnerability in Apache Tomcat 4.0.0 through 4.0.6, 4.1.0, 5.0.0, 5.5.0 through 5.5.25, and 6.0.0 through 6.0.14, under certain configurations, allows remote authenticated users to read arbitrary files via a WebDAV write request that specifies an entity with a SYSTEM tag.
Vulnerable Software & Versions:
Severity:
High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Apache Tomcat may be started without proper security settings if errors are encountered while reading the web.xml file, which could allow attackers to bypass intended restrictions.
Vulnerable Software & Versions:
Description: Jasper Expression Language Impl
License:
Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.apache.tomcat\tomcat-jasper-el\8.0.33\9e222fccf6067e10fb6911e1cf426d5b14d99079\tomcat-jasper-el-8.0.33.jar
Severity:
Medium
CVSS Score: 5.1 (AV:N/AC:H/Au:N/C:P/I:P/A:P)
CWE: CWE-284 Improper Access Control
Apache Tomcat through 8.5.4, when the CGI Servlet is enabled, follows RFC 3875 section 4.1.18 and therefore does not protect applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect an application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, aka an "httpoxy" issue. NOTE: the vendor states "A mitigation is planned for future releases of Tomcat, tracked as CVE-2016-5388"; in other words, this is not a CVE ID for a vulnerability.
Vulnerable Software & Versions:
Severity:
High
CVSS Score: 7.8 (AV:N/AC:L/Au:N/C:N/I:N/A:C)
CWE: CWE-20 Improper Input Validation
The MultipartStream class in Apache Commons Fileupload before 1.3.2, as used in Apache Tomcat 7.x before 7.0.70, 8.x before 8.0.36, 8.5.x before 8.5.3, and 9.x before 9.0.0.M7 and other products, allows remote attackers to cause a denial of service (CPU consumption) via a long boundary string.
Vulnerable Software & Versions: (show all)
Severity:
High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-20 Improper Input Validation
** DISPUTED ** The readObject method in the DiskFileItem class in Apache Tomcat and JBoss Web, as used in Red Hat JBoss Enterprise Application Platform 6.1.0 and Red Hat JBoss Portal 6.0.0, allows remote attackers to write to arbitrary files via a NULL byte in a file name in a serialized instance, a similar issue to CVE-2013-2186. NOTE: this issue is reportedly disputed by the Apache Tomcat team, although Red Hat considers it a vulnerability. The dispute appears to regard whether it is the responsibility of applications to avoid providing untrusted data to be deserialized, or whether this class should inherently protect against this issue.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Cross-site scripting (XSS) vulnerability in jsp/cal/cal2.jsp in the calendar application in the examples web application in Apache Tomcat on Red Hat Enterprise Linux 5, Desktop Workstation 5, and Linux Desktop 5 allows remote attackers to inject arbitrary web script or HTML via the time parameter, related to "invalid HTML." NOTE: this is due to a missing fix for CVE-2009-0781.
Vulnerable Software & Versions:
Severity:
Low
CVSS Score: 3.5 (AV:N/AC:M/Au:S/C:P/I:N/A:N)
CWE: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Absolute path traversal vulnerability in Apache Tomcat 4.0.0 through 4.0.6, 4.1.0, 5.0.0, 5.5.0 through 5.5.25, and 6.0.0 through 6.0.14, under certain configurations, allows remote authenticated users to read arbitrary files via a WebDAV write request that specifies an entity with a SYSTEM tag.
Vulnerable Software & Versions:
Severity:
High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Apache Tomcat may be started without proper security settings if errors are encountered while reading the web.xml file, which could allow attackers to bypass intended restrictions.
Vulnerable Software & Versions:
Description: Tomcats JSP Parser
License:
Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.apache.tomcat\tomcat-jasper\8.0.33\30525359ecc82c313a71e056adc917f952580f5e\tomcat-jasper-8.0.33.jar
Severity:
Medium
CVSS Score: 5.1 (AV:N/AC:H/Au:N/C:P/I:P/A:P)
CWE: CWE-284 Improper Access Control
Apache Tomcat through 8.5.4, when the CGI Servlet is enabled, follows RFC 3875 section 4.1.18 and therefore does not protect applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect an application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, aka an "httpoxy" issue. NOTE: the vendor states "A mitigation is planned for future releases of Tomcat, tracked as CVE-2016-5388"; in other words, this is not a CVE ID for a vulnerability.
Vulnerable Software & Versions:
Severity:
High
CVSS Score: 7.8 (AV:N/AC:L/Au:N/C:N/I:N/A:C)
CWE: CWE-20 Improper Input Validation
The MultipartStream class in Apache Commons Fileupload before 1.3.2, as used in Apache Tomcat 7.x before 7.0.70, 8.x before 8.0.36, 8.5.x before 8.5.3, and 9.x before 9.0.0.M7 and other products, allows remote attackers to cause a denial of service (CPU consumption) via a long boundary string.
Vulnerable Software & Versions: (show all)
Severity:
High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-20 Improper Input Validation
** DISPUTED ** The readObject method in the DiskFileItem class in Apache Tomcat and JBoss Web, as used in Red Hat JBoss Enterprise Application Platform 6.1.0 and Red Hat JBoss Portal 6.0.0, allows remote attackers to write to arbitrary files via a NULL byte in a file name in a serialized instance, a similar issue to CVE-2013-2186. NOTE: this issue is reportedly disputed by the Apache Tomcat team, although Red Hat considers it a vulnerability. The dispute appears to regard whether it is the responsibility of applications to avoid providing untrusted data to be deserialized, or whether this class should inherently protect against this issue.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Cross-site scripting (XSS) vulnerability in jsp/cal/cal2.jsp in the calendar application in the examples web application in Apache Tomcat on Red Hat Enterprise Linux 5, Desktop Workstation 5, and Linux Desktop 5 allows remote attackers to inject arbitrary web script or HTML via the time parameter, related to "invalid HTML." NOTE: this is due to a missing fix for CVE-2009-0781.
Vulnerable Software & Versions:
Severity:
Low
CVSS Score: 3.5 (AV:N/AC:M/Au:S/C:P/I:N/A:N)
CWE: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Absolute path traversal vulnerability in Apache Tomcat 4.0.0 through 4.0.6, 4.1.0, 5.0.0, 5.5.0 through 5.5.25, and 6.0.0 through 6.0.14, under certain configurations, allows remote authenticated users to read arbitrary files via a WebDAV write request that specifies an entity with a SYSTEM tag.
Vulnerable Software & Versions:
Severity:
High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Apache Tomcat may be started without proper security settings if errors are encountered while reading the web.xml file, which could allow attackers to bypass intended restrictions.
Vulnerable Software & Versions:
Description: Interface code to the native connector
License:
Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.apache.tomcat\tomcat-jni\8.0.33\99057ad36cbb2c54e02347142348b15b4fec6673\tomcat-jni-8.0.33.jar
Severity:
Medium
CVSS Score: 5.1 (AV:N/AC:H/Au:N/C:P/I:P/A:P)
CWE: CWE-284 Improper Access Control
Apache Tomcat through 8.5.4, when the CGI Servlet is enabled, follows RFC 3875 section 4.1.18 and therefore does not protect applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect an application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, aka an "httpoxy" issue. NOTE: the vendor states "A mitigation is planned for future releases of Tomcat, tracked as CVE-2016-5388"; in other words, this is not a CVE ID for a vulnerability.
Vulnerable Software & Versions:
Severity:
High
CVSS Score: 7.8 (AV:N/AC:L/Au:N/C:N/I:N/A:C)
CWE: CWE-20 Improper Input Validation
The MultipartStream class in Apache Commons Fileupload before 1.3.2, as used in Apache Tomcat 7.x before 7.0.70, 8.x before 8.0.36, 8.5.x before 8.5.3, and 9.x before 9.0.0.M7 and other products, allows remote attackers to cause a denial of service (CPU consumption) via a long boundary string.
Vulnerable Software & Versions: (show all)
Severity:
High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-20 Improper Input Validation
** DISPUTED ** The readObject method in the DiskFileItem class in Apache Tomcat and JBoss Web, as used in Red Hat JBoss Enterprise Application Platform 6.1.0 and Red Hat JBoss Portal 6.0.0, allows remote attackers to write to arbitrary files via a NULL byte in a file name in a serialized instance, a similar issue to CVE-2013-2186. NOTE: this issue is reportedly disputed by the Apache Tomcat team, although Red Hat considers it a vulnerability. The dispute appears to regard whether it is the responsibility of applications to avoid providing untrusted data to be deserialized, or whether this class should inherently protect against this issue.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Cross-site scripting (XSS) vulnerability in jsp/cal/cal2.jsp in the calendar application in the examples web application in Apache Tomcat on Red Hat Enterprise Linux 5, Desktop Workstation 5, and Linux Desktop 5 allows remote attackers to inject arbitrary web script or HTML via the time parameter, related to "invalid HTML." NOTE: this is due to a missing fix for CVE-2009-0781.
Vulnerable Software & Versions:
Severity:
Low
CVSS Score: 3.5 (AV:N/AC:M/Au:S/C:P/I:N/A:N)
CWE: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Absolute path traversal vulnerability in Apache Tomcat 4.0.0 through 4.0.6, 4.1.0, 5.0.0, 5.5.0 through 5.5.25, and 6.0.0 through 6.0.14, under certain configurations, allows remote authenticated users to read arbitrary files via a WebDAV write request that specifies an entity with a SYSTEM tag.
Vulnerable Software & Versions:
Severity:
High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Apache Tomcat may be started without proper security settings if errors are encountered while reading the web.xml file, which could allow attackers to bypass intended restrictions.
Vulnerable Software & Versions:
Description: JSP package
License:
Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.apache.tomcat\tomcat-jsp-api\8.0.33\896e782956999c2632b3caa0caeb711720f28d7a\tomcat-jsp-api-8.0.33.jar
Severity:
Medium
CVSS Score: 5.1 (AV:N/AC:H/Au:N/C:P/I:P/A:P)
CWE: CWE-284 Improper Access Control
Apache Tomcat through 8.5.4, when the CGI Servlet is enabled, follows RFC 3875 section 4.1.18 and therefore does not protect applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect an application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, aka an "httpoxy" issue. NOTE: the vendor states "A mitigation is planned for future releases of Tomcat, tracked as CVE-2016-5388"; in other words, this is not a CVE ID for a vulnerability.
Vulnerable Software & Versions:
Severity:
High
CVSS Score: 7.8 (AV:N/AC:L/Au:N/C:N/I:N/A:C)
CWE: CWE-20 Improper Input Validation
The MultipartStream class in Apache Commons Fileupload before 1.3.2, as used in Apache Tomcat 7.x before 7.0.70, 8.x before 8.0.36, 8.5.x before 8.5.3, and 9.x before 9.0.0.M7 and other products, allows remote attackers to cause a denial of service (CPU consumption) via a long boundary string.
Vulnerable Software & Versions: (show all)
Severity:
High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-20 Improper Input Validation
** DISPUTED ** The readObject method in the DiskFileItem class in Apache Tomcat and JBoss Web, as used in Red Hat JBoss Enterprise Application Platform 6.1.0 and Red Hat JBoss Portal 6.0.0, allows remote attackers to write to arbitrary files via a NULL byte in a file name in a serialized instance, a similar issue to CVE-2013-2186. NOTE: this issue is reportedly disputed by the Apache Tomcat team, although Red Hat considers it a vulnerability. The dispute appears to regard whether it is the responsibility of applications to avoid providing untrusted data to be deserialized, or whether this class should inherently protect against this issue.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Cross-site scripting (XSS) vulnerability in jsp/cal/cal2.jsp in the calendar application in the examples web application in Apache Tomcat on Red Hat Enterprise Linux 5, Desktop Workstation 5, and Linux Desktop 5 allows remote attackers to inject arbitrary web script or HTML via the time parameter, related to "invalid HTML." NOTE: this is due to a missing fix for CVE-2009-0781.
Vulnerable Software & Versions:
Severity:
Low
CVSS Score: 3.5 (AV:N/AC:M/Au:S/C:P/I:N/A:N)
CWE: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Absolute path traversal vulnerability in Apache Tomcat 4.0.0 through 4.0.6, 4.1.0, 5.0.0, 5.5.0 through 5.5.25, and 6.0.0 through 6.0.14, under certain configurations, allows remote authenticated users to read arbitrary files via a WebDAV write request that specifies an entity with a SYSTEM tag.
Vulnerable Software & Versions:
Severity:
High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Apache Tomcat may be started without proper security settings if errors are encountered while reading the web.xml file, which could allow attackers to bypass intended restrictions.
Vulnerable Software & Versions:
Description: Tomcat Core Logging Package
License:
Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.apache.tomcat\tomcat-juli\8.0.33\330aecfa895156cea91c576cb6609537152761f9\tomcat-juli-8.0.33.jar
Description: javax.servlet package
License:
Apache License, Version 2.0 and
Common Development And Distribution License (CDDL) Version 1.0
:
http://www.apache.org/licenses/LICENSE-2.0.txt and
http://www.opensource.org/licenses/cddl1.txt
File Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.apache.tomcat\tomcat-servlet-api\8.0.33\cc2becc4bf29a7bfd0d7a4055552683d421859c5\tomcat-servlet-api-8.0.33.jarSeverity:
Medium
CVSS Score: 5.1 (AV:N/AC:H/Au:N/C:P/I:P/A:P)
CWE: CWE-284 Improper Access Control
Apache Tomcat through 8.5.4, when the CGI Servlet is enabled, follows RFC 3875 section 4.1.18 and therefore does not protect applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect an application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, aka an "httpoxy" issue. NOTE: the vendor states "A mitigation is planned for future releases of Tomcat, tracked as CVE-2016-5388"; in other words, this is not a CVE ID for a vulnerability.
Vulnerable Software & Versions:
Severity:
High
CVSS Score: 7.8 (AV:N/AC:L/Au:N/C:N/I:N/A:C)
CWE: CWE-20 Improper Input Validation
The MultipartStream class in Apache Commons Fileupload before 1.3.2, as used in Apache Tomcat 7.x before 7.0.70, 8.x before 8.0.36, 8.5.x before 8.5.3, and 9.x before 9.0.0.M7 and other products, allows remote attackers to cause a denial of service (CPU consumption) via a long boundary string.
Vulnerable Software & Versions: (show all)
Severity:
High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-20 Improper Input Validation
** DISPUTED ** The readObject method in the DiskFileItem class in Apache Tomcat and JBoss Web, as used in Red Hat JBoss Enterprise Application Platform 6.1.0 and Red Hat JBoss Portal 6.0.0, allows remote attackers to write to arbitrary files via a NULL byte in a file name in a serialized instance, a similar issue to CVE-2013-2186. NOTE: this issue is reportedly disputed by the Apache Tomcat team, although Red Hat considers it a vulnerability. The dispute appears to regard whether it is the responsibility of applications to avoid providing untrusted data to be deserialized, or whether this class should inherently protect against this issue.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Cross-site scripting (XSS) vulnerability in jsp/cal/cal2.jsp in the calendar application in the examples web application in Apache Tomcat on Red Hat Enterprise Linux 5, Desktop Workstation 5, and Linux Desktop 5 allows remote attackers to inject arbitrary web script or HTML via the time parameter, related to "invalid HTML." NOTE: this is due to a missing fix for CVE-2009-0781.
Vulnerable Software & Versions:
Severity:
Low
CVSS Score: 3.5 (AV:N/AC:M/Au:S/C:P/I:N/A:N)
CWE: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Absolute path traversal vulnerability in Apache Tomcat 4.0.0 through 4.0.6, 4.1.0, 5.0.0, 5.5.0 through 5.5.25, and 6.0.0 through 6.0.14, under certain configurations, allows remote authenticated users to read arbitrary files via a WebDAV write request that specifies an entity with a SYSTEM tag.
Vulnerable Software & Versions:
Severity:
High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Apache Tomcat may be started without proper security settings if errors are encountered while reading the web.xml file, which could allow attackers to bypass intended restrictions.
Vulnerable Software & Versions:
Description: Tomcat Group Communication Package
License:
Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.apache.tomcat\tomcat-tribes\8.0.33\5eea23acedd7e14fe5d4c10bc1653d203b434c02\tomcat-tribes-8.0.33.jar
Severity:
Medium
CVSS Score: 5.1 (AV:N/AC:H/Au:N/C:P/I:P/A:P)
CWE: CWE-284 Improper Access Control
Apache Tomcat through 8.5.4, when the CGI Servlet is enabled, follows RFC 3875 section 4.1.18 and therefore does not protect applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect an application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, aka an "httpoxy" issue. NOTE: the vendor states "A mitigation is planned for future releases of Tomcat, tracked as CVE-2016-5388"; in other words, this is not a CVE ID for a vulnerability.
Vulnerable Software & Versions:
Severity:
High
CVSS Score: 7.8 (AV:N/AC:L/Au:N/C:N/I:N/A:C)
CWE: CWE-20 Improper Input Validation
The MultipartStream class in Apache Commons Fileupload before 1.3.2, as used in Apache Tomcat 7.x before 7.0.70, 8.x before 8.0.36, 8.5.x before 8.5.3, and 9.x before 9.0.0.M7 and other products, allows remote attackers to cause a denial of service (CPU consumption) via a long boundary string.
Vulnerable Software & Versions: (show all)
Severity:
High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-20 Improper Input Validation
** DISPUTED ** The readObject method in the DiskFileItem class in Apache Tomcat and JBoss Web, as used in Red Hat JBoss Enterprise Application Platform 6.1.0 and Red Hat JBoss Portal 6.0.0, allows remote attackers to write to arbitrary files via a NULL byte in a file name in a serialized instance, a similar issue to CVE-2013-2186. NOTE: this issue is reportedly disputed by the Apache Tomcat team, although Red Hat considers it a vulnerability. The dispute appears to regard whether it is the responsibility of applications to avoid providing untrusted data to be deserialized, or whether this class should inherently protect against this issue.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Cross-site scripting (XSS) vulnerability in jsp/cal/cal2.jsp in the calendar application in the examples web application in Apache Tomcat on Red Hat Enterprise Linux 5, Desktop Workstation 5, and Linux Desktop 5 allows remote attackers to inject arbitrary web script or HTML via the time parameter, related to "invalid HTML." NOTE: this is due to a missing fix for CVE-2009-0781.
Vulnerable Software & Versions:
Severity:
Low
CVSS Score: 3.5 (AV:N/AC:M/Au:S/C:P/I:N/A:N)
CWE: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Absolute path traversal vulnerability in Apache Tomcat 4.0.0 through 4.0.6, 4.1.0, 5.0.0, 5.5.0 through 5.5.25, and 6.0.0 through 6.0.14, under certain configurations, allows remote authenticated users to read arbitrary files via a WebDAV write request that specifies an entity with a SYSTEM tag.
Vulnerable Software & Versions:
Severity:
High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Apache Tomcat may be started without proper security settings if errors are encountered while reading the web.xml file, which could allow attackers to bypass intended restrictions.
Vulnerable Software & Versions:
Description:
Common code shared by Catalina and Jasper for scanning JARS and processing
XML descriptors
License:
Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.apache.tomcat\tomcat-util-scan\8.0.33\fe6f5cb85c3c13a84f38474cae0b674b3e6f3c6e\tomcat-util-scan-8.0.33.jar
Severity:
Medium
CVSS Score: 5.1 (AV:N/AC:H/Au:N/C:P/I:P/A:P)
CWE: CWE-284 Improper Access Control
Apache Tomcat through 8.5.4, when the CGI Servlet is enabled, follows RFC 3875 section 4.1.18 and therefore does not protect applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect an application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, aka an "httpoxy" issue. NOTE: the vendor states "A mitigation is planned for future releases of Tomcat, tracked as CVE-2016-5388"; in other words, this is not a CVE ID for a vulnerability.
Vulnerable Software & Versions:
Severity:
High
CVSS Score: 7.8 (AV:N/AC:L/Au:N/C:N/I:N/A:C)
CWE: CWE-20 Improper Input Validation
The MultipartStream class in Apache Commons Fileupload before 1.3.2, as used in Apache Tomcat 7.x before 7.0.70, 8.x before 8.0.36, 8.5.x before 8.5.3, and 9.x before 9.0.0.M7 and other products, allows remote attackers to cause a denial of service (CPU consumption) via a long boundary string.
Vulnerable Software & Versions: (show all)
Severity:
High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-20 Improper Input Validation
** DISPUTED ** The readObject method in the DiskFileItem class in Apache Tomcat and JBoss Web, as used in Red Hat JBoss Enterprise Application Platform 6.1.0 and Red Hat JBoss Portal 6.0.0, allows remote attackers to write to arbitrary files via a NULL byte in a file name in a serialized instance, a similar issue to CVE-2013-2186. NOTE: this issue is reportedly disputed by the Apache Tomcat team, although Red Hat considers it a vulnerability. The dispute appears to regard whether it is the responsibility of applications to avoid providing untrusted data to be deserialized, or whether this class should inherently protect against this issue.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Cross-site scripting (XSS) vulnerability in jsp/cal/cal2.jsp in the calendar application in the examples web application in Apache Tomcat on Red Hat Enterprise Linux 5, Desktop Workstation 5, and Linux Desktop 5 allows remote attackers to inject arbitrary web script or HTML via the time parameter, related to "invalid HTML." NOTE: this is due to a missing fix for CVE-2009-0781.
Vulnerable Software & Versions:
Severity:
Low
CVSS Score: 3.5 (AV:N/AC:M/Au:S/C:P/I:N/A:N)
CWE: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Absolute path traversal vulnerability in Apache Tomcat 4.0.0 through 4.0.6, 4.1.0, 5.0.0, 5.5.0 through 5.5.25, and 6.0.0 through 6.0.14, under certain configurations, allows remote authenticated users to read arbitrary files via a WebDAV write request that specifies an entity with a SYSTEM tag.
Vulnerable Software & Versions:
Severity:
High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Apache Tomcat may be started without proper security settings if errors are encountered while reading the web.xml file, which could allow attackers to bypass intended restrictions.
Vulnerable Software & Versions:
Description: Common code shared by multiple Tomcat components
License:
Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.apache.tomcat\tomcat-util\8.0.33\43e398ba63953add8d93e3806bfd686fec02d8dc\tomcat-util-8.0.33.jar
Severity:
Medium
CVSS Score: 5.1 (AV:N/AC:H/Au:N/C:P/I:P/A:P)
CWE: CWE-284 Improper Access Control
Apache Tomcat through 8.5.4, when the CGI Servlet is enabled, follows RFC 3875 section 4.1.18 and therefore does not protect applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect an application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, aka an "httpoxy" issue. NOTE: the vendor states "A mitigation is planned for future releases of Tomcat, tracked as CVE-2016-5388"; in other words, this is not a CVE ID for a vulnerability.
Vulnerable Software & Versions:
Severity:
High
CVSS Score: 7.8 (AV:N/AC:L/Au:N/C:N/I:N/A:C)
CWE: CWE-20 Improper Input Validation
The MultipartStream class in Apache Commons Fileupload before 1.3.2, as used in Apache Tomcat 7.x before 7.0.70, 8.x before 8.0.36, 8.5.x before 8.5.3, and 9.x before 9.0.0.M7 and other products, allows remote attackers to cause a denial of service (CPU consumption) via a long boundary string.
Vulnerable Software & Versions: (show all)
Severity:
High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-20 Improper Input Validation
** DISPUTED ** The readObject method in the DiskFileItem class in Apache Tomcat and JBoss Web, as used in Red Hat JBoss Enterprise Application Platform 6.1.0 and Red Hat JBoss Portal 6.0.0, allows remote attackers to write to arbitrary files via a NULL byte in a file name in a serialized instance, a similar issue to CVE-2013-2186. NOTE: this issue is reportedly disputed by the Apache Tomcat team, although Red Hat considers it a vulnerability. The dispute appears to regard whether it is the responsibility of applications to avoid providing untrusted data to be deserialized, or whether this class should inherently protect against this issue.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Cross-site scripting (XSS) vulnerability in jsp/cal/cal2.jsp in the calendar application in the examples web application in Apache Tomcat on Red Hat Enterprise Linux 5, Desktop Workstation 5, and Linux Desktop 5 allows remote attackers to inject arbitrary web script or HTML via the time parameter, related to "invalid HTML." NOTE: this is due to a missing fix for CVE-2009-0781.
Vulnerable Software & Versions:
Severity:
Low
CVSS Score: 3.5 (AV:N/AC:M/Au:S/C:P/I:N/A:N)
CWE: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Absolute path traversal vulnerability in Apache Tomcat 4.0.0 through 4.0.6, 4.1.0, 5.0.0, 5.5.0 through 5.5.25, and 6.0.0 through 6.0.14, under certain configurations, allows remote authenticated users to read arbitrary files via a WebDAV write request that specifies an entity with a SYSTEM tag.
Vulnerable Software & Versions:
Severity:
High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Apache Tomcat may be started without proper security settings if errors are encountered while reading the web.xml file, which could allow attackers to bypass intended restrictions.
Vulnerable Software & Versions:
Description: The Woden project is a subproject of the Apache Web Services Project to develop a Java class library for reading, manipulating, creating and writing WSDL documents, initially to support WSDL 2.0 but with the longer term aim of supporting past, present and future versions of WSDL. There are two main deliverables: an API and an implementation. The Woden API consists of a set of Java interfaces. The WSDL 2.0-specific portion of the Woden API conforms to the W3C WSDL 2.0 specification. The implementation will be a high performance implementation directly usable in other Apache projects such as Axis2.
License:
http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.apache.woden\woden-core\1.0M10\ffed89bc39eb7fce6b74765b3417c6844d8003a2\woden-core-1.0M10.jar
Description: The Axiom API
License:
http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.apache.ws.commons.axiom\axiom-api\1.2.17\aaf2a6028822dd3d55a4221188ecb73d4c9e219a\axiom-api-1.2.17.jar
Description: An implementation of the Axiom API that also implements DOM.
License:
http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.apache.ws.commons.axiom\axiom-dom\1.2.17\27eca9d7db50e5c9201be40dce9aedf6aebc0f58\axiom-dom-1.2.17.jar
File Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.apache.ws.commons.axiom\axiom-dom\1.2.17\27eca9d7db50e5c9201be40dce9aedf6aebc0f58\axiom-dom-1.2.17.jar\META-INF/maven/org.apache.ws.commons.axiom/core-aspects/pom.xml
MD5: 578ca70e0a265fd5b1515eea14e67efb
SHA1: 42e8d4b4f2f941ab0b50240e6b096a1151221003
File Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.apache.ws.commons.axiom\axiom-dom\1.2.17\27eca9d7db50e5c9201be40dce9aedf6aebc0f58\axiom-dom-1.2.17.jar\META-INF/maven/org.apache.ws.commons.axiom/dom-aspects/pom.xml
MD5: 3cefa1e3dafac627cae432d9485411fe
SHA1: 4d9748e9bb1a8e647833f7b4a3867daa94dc2ab3
Description: Contains aspects and implementation classes shared by LLOM and DOOM.
File Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.apache.ws.commons.axiom\axiom-dom\1.2.17\27eca9d7db50e5c9201be40dce9aedf6aebc0f58\axiom-dom-1.2.17.jar\META-INF/maven/org.apache.ws.commons.axiom/om-aspects/pom.xml
MD5: be5411f23abad2369eb94ad64622bb54
SHA1: 2e08c15bd701460f07711311fad5785ecf7ad861
Description:
Contains mixins for methods that are shared between DOM and Axiom.
File Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.apache.ws.commons.axiom\axiom-dom\1.2.17\27eca9d7db50e5c9201be40dce9aedf6aebc0f58\axiom-dom-1.2.17.jar\META-INF/maven/org.apache.ws.commons.axiom/shared-aspects/pom.xml
MD5: ea8a4489f8026ca7b879fae7de636afd
SHA1: bbe62a1404feb5cc8f9a7babbd7a12d50479144b
File Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.apache.ws.commons.axiom\axiom-dom\1.2.17\27eca9d7db50e5c9201be40dce9aedf6aebc0f58\axiom-dom-1.2.17.jar\META-INF/maven/org.apache.ws.commons.axiom/xml-utils/pom.xml
MD5: 76d0bf22e109300e6a67875c5781f659
SHA1: dac902cf3a5280076d8a92fc9a421fe15e23a1e6
Description: The default implementation of the Axiom API.
License:
http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.apache.ws.commons.axiom\axiom-impl\1.2.17\6df316d52cfd9efc4ee155b4dff0125769af1580\axiom-impl-1.2.17.jar
Description:
This is a small collection of utility classes, that allow high performance XML
processing based on SAX. Basically, it is assumed, that you are using an JAXP
1.1 compliant XML parser and nothing else. In particular, no dependency on the
javax.xml.transform package is introduced.
License:
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.apache.ws.commons.util\ws-commons-util\1.0.2\3f478e6def772c19d1053f61198fa1f6a6119238\ws-commons-util-1.0.2.jar
Description: Commons XMLSchema is a light weight schema object model that can be used to manipulate or
generate XML schema.
License:
http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.apache.ws.xmlschema\xmlschema-core\2.2.1\2eff1f3776590d4c51cc735eab2143c497329f2\xmlschema-core-2.2.1.jar
File Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.apache.xalan\com.springsource.org.apache.xml.serializer\2.7.1\a5894329e5464857c3e0df52597d186bea0855e3\com.springsource.org.apache.xml.serializer-2.7.1.jar
MD5: 31cadf1234aeac4d635590582f7dc5e8
SHA1: a5894329e5464857c3e0df52597d186bea0855e3
Description: XmlBeans main jar
License:
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.apache.xmlbeans\xmlbeans\2.6.0\29e80d2dd51f9dcdef8f9ffaee0d4dc1c9bbfc87\xmlbeans-2.6.0.jar
License:
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.apache.xmlgraphics\batik-anim\1.8\68197dfa3643a906ba250025a03dc42e6efe2dec\batik-anim-1.8.jar
License:
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.apache.xmlgraphics\batik-awt-util\1.8\5cd7f97060cdfab0139e70504962d48ceee71ef2\batik-awt-util-1.8.jar
License:
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.apache.xmlgraphics\batik-bridge\1.8\4ab4110b0ed4650ef50d4a344f0ca5c027f3283a\batik-bridge-1.8.jar
License:
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.apache.xmlgraphics\batik-css\1.8\2b3f22cc65702a0821b7f0178d055282a1cdde59\batik-css-1.8.jar
License:
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.apache.xmlgraphics\batik-dom\1.8\4e696cf01cee52e8c4f86c842b5d8314e689209c\batik-dom-1.8.jar
License:
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.apache.xmlgraphics\batik-ext\1.8\8713f3238cfac337624a90c3ad7d45d7bc6fb1b5\batik-ext-1.8.jar
License:
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.apache.xmlgraphics\batik-extension\1.8\c5e9e1f07a65c89d2be92fd63e1b0f64357a46db\batik-extension-1.8.jar
License:
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.apache.xmlgraphics\batik-gvt\1.8\fbde4cd3c43001c162446cf43093d09fda346e11\batik-gvt-1.8.jar
File Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.apache.xmlgraphics\batik-parser\1.8\86ec4ab0c828b570d0ccbeba14f85ac011a333f2\batik-parser-1.8.jar
MD5: 153e8de1747f7b02b29711d831e01ebd
SHA1: 86ec4ab0c828b570d0ccbeba14f85ac011a333f2
License:
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.apache.xmlgraphics\batik-script\1.8\5bda6a9d45065b184c83c46b64d8002b4e0ab7c7\batik-script-1.8.jar
License:
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.apache.xmlgraphics\batik-svg-dom\1.8\97c9d00d08c849066d2359b0f1124f0e82b952c2\batik-svg-dom-1.8.jar
License:
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.apache.xmlgraphics\batik-svggen\1.8\c4684e18303e931845df704f9b9f6995fd770789\batik-svggen-1.8.jar
License:
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.apache.xmlgraphics\batik-transcoder\1.8\f330b3e9946ff21ddf3ea6d4f58ae44145cfd362\batik-transcoder-1.8.jar
License:
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.apache.xmlgraphics\batik-util\1.8\35dcd204f397d6976290ca48ffa0011ba9b7ef43\batik-util-1.8.jar
License:
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.apache.xmlgraphics\batik-xml\1.8\9bf0ee759fed1e3a2e4ad41819eac69ff4873732\batik-xml-1.8.jar
Description: Apache FOP (Formatting Objects Processor) is the world's first print formatter driven by XSL formatting objects (XSL-FO) and the world's first output independent formatter. It is a Java application that reads a formatting object (FO) tree and renders the resulting pages to a specified output. Output formats currently supported include PDF, PCL, PS, AFP, TIFF, PNG, SVG, XML (area tree representation), Print, AWT and TXT. The primary output target is PDF.
License:
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.apache.xmlgraphics\fop\2.1\c78a1013a5de5b49a3fb1c6f3289940f44554cb6\fop-2.1.jar
Description:
Apache XML Graphics Commons is a library that consists of several reusable
components used by Apache Batik and Apache FOP. Many of these components
can easily be used separately outside the domains of SVG and XSL-FO.
License:
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.apache.xmlgraphics\xmlgraphics-commons\2.1\b61132defe1df4e91c1eb0ddf544958c50d358b5\xmlgraphics-commons-2.1.jar
File Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.apache.xmlrpc\xmlrpc-client\3.1.2\ca8c57a1c4abc23b75b15ad636b4d20274f021c2\xmlrpc-client-3.1.2.jar
MD5: b2da22fd59a0a6c8cf412f6f50d9880c
SHA1: ca8c57a1c4abc23b75b15ad636b4d20274f021c2
File Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.apache.xmlrpc\xmlrpc-common\3.1.2\a8b0084839aee2f48113b3dc2517b8022a5fbc0f\xmlrpc-common-3.1.2.jar
MD5: 4037cace113e54ff20222a43cdc4b65d
SHA1: a8b0084839aee2f48113b3dc2517b8022a5fbc0f
File Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.apache.xmlrpc\xmlrpc-server\3.1.2\7e5123995d009129af3dfc663d2ec91c6541bf98\xmlrpc-server-3.1.2.jar
MD5: 04e884ead785a63e4ff8bc98f1f961f7
SHA1: 7e5123995d009129af3dfc663d2ec91c6541bf98
License:
http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.apache.zookeeper\zookeeper\3.4.6\1b2502e29da1ebaade2357cd1de35a855fa3755\zookeeper-3.4.6.jar
Description: The runtime needed to execute a program using AspectJ
License:
Eclipse Public License - v 1.0: http://www.eclipse.org/legal/epl-v10.htmlFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.aspectj\aspectjrt\1.8.0\302d0fe0abba26bbf5f31c3cd5337b3125c744e3\aspectjrt-1.8.0.jar
Description: BeanShell core
File Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.beanshell\bsh-core\2.0b4\495e25a99e29970ffe8ba0b1d551e1d1a9991fc1\bsh-core-2.0b4.jar
MD5: bab431f0908fde87034f0c34c6cf1e30
SHA1: 495e25a99e29970ffe8ba0b1d551e1d1a9991fc1
Description: The Bouncy Castle Java S/MIME APIs for handling S/MIME protocols. This jar contains S/MIME APIs for JDK 1.5 to JDK 1.8. The APIs can be used in conjunction with a JCE/JCA provider such as the one provided with the Bouncy Castle Cryptography APIs. The JavaMail API and the Java activation framework will also be needed.
License:
Bouncy Castle Licence: http://www.bouncycastle.org/licence.htmlFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.bouncycastle\bcmail-jdk15on\1.52\4995a870400e1554d1c7ed2afcb5d198fae12db9\bcmail-jdk15on-1.52.jar
Description: The Bouncy Castle Java APIs for CMS, PKCS, EAC, TSP, CMP, CRMF, OCSP, and certificate generation. This jar contains APIs for JDK 1.5 to JDK 1.8. The APIs can be used in conjunction with a JCE/JCA provider such as the one provided with the Bouncy Castle Cryptography APIs.
License:
Bouncy Castle Licence: http://www.bouncycastle.org/licence.htmlFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.bouncycastle\bcpkix-jdk15on\1.52\b8ffac2bbc6626f86909589c8cc63637cc936504\bcpkix-jdk15on-1.52.jar
Description: The Bouncy Castle Crypto package is a Java implementation of cryptographic algorithms. This jar contains JCE provider and lightweight API for the Bouncy Castle Cryptography APIs for JDK 1.5 to JDK 1.8.
License:
Bouncy Castle Licence: http://www.bouncycastle.org/licence.htmlFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.bouncycastle\bcprov-jdk15on\1.52\88a941faf9819d371e3174b5ed56a3f3f7d73269\bcprov-jdk15on-1.52.jar
Description: The Bouncy Castle Java API for handling the Time Stamp Protocol (TSP). This jar contains the TSP API for JDK 1.4. The APIs can be used in conjunction with a JCE/JCA provider such as the one provided with the Bouncy Castle Cryptography APIs.
License:
Bouncy Castle Licence: http://www.bouncycastle.org/licence.htmlFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.bouncycastle\bctsp-jdk14\1.38\4821122f8390d15f4b5ee652621e2a2bb1f1bf16\bctsp-jdk14-1.38.jar
Severity:
Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
The integrity check feature in OpenPGP, when handling a message that was encrypted using cipher feedback (CFB) mode, allows remote attackers to recover part of the plaintext via a chosen-ciphertext attack when the first 2 bytes of a message block are known, and an oracle or other mechanism is available to determine whether an integrity check failed.
Vulnerable Software & Versions:
Severity:
Medium
CVSS Score: 4.6 (AV:L/AC:L/Au:N/C:P/I:P/A:P)
The OpenPGP PGP standard allows an attacker to determine the private signature key via a cryptanalytic attack in which the attacker alters the encrypted private key file and captures a single message signed with the signature key.
Vulnerable Software & Versions:
Description: TagSoup is a SAX-compliant parser written in Java that, instead of parsing well-formed or valid XML, parses HTML as it is found in the wild: poor, nasty and brutish, though quite often far from short. TagSoup is designed for people who have to process this stuff using some semblance of a rational application design. By providing a SAX interface, it allows standard XML tools to be applied to even the worst HTML. TagSoup also includes a command-line processor that reads HTML files and can generate either clean HTML or well-formed XML that is a close approximation to XHTML.
License:
Apache License 2.0: http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.ccil.cowan.tagsoup\tagsoup\1.2.1\5584627487e984c03456266d3f8802eb85a9ce97\tagsoup-1.2.1.jar
File Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.codeartisans.thirdparties.swing\batik-all\1.8pre-r1084380\2898c85b844ad4db731d8dbd7bac395bece5bead\batik-all-1.8pre-r1084380.jar
MD5: 6b971c2c943d0d398744774c3df092bc
SHA1: 2898c85b844ad4db731d8dbd7bac395bece5bead
Description: Groovy: A powerful, dynamic language for the JVM
License:
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.codehaus.groovy\groovy-all\2.4.5\1730f61e9c9e59fd1b814371265334d7be0b8d2\groovy-all-2.4.5.jar
Description: Jackson is a high-performance JSON processor (parser, generator)
License:
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.codehaus.jackson\jackson-core-asl\1.9.13\3c304d70f42f832e0a86d45bd437f692129299a4\jackson-core-asl-1.9.13.jar
Severity:
High
CVSS Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
XML external entity (XXE) vulnerability in XmlMapper in the Data format extension for Jackson (aka jackson-dataformat-xml) allows attackers to have unspecified impact via unknown vectors.
Vulnerable Software & Versions:
Description: Jax-RS provider for JSON content type, based on
Jackson JSON processor's data binding functionality.
License:
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt GNU Lesser General Public License (LGPL), Version 2.1: http://www.fsf.org/licensing/licenses/lgpl.txtFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.codehaus.jackson\jackson-jaxrs\1.8.3\3604ca9f572170e2ef5813141ec1f0e0100efd19\jackson-jaxrs-1.8.3.jar
Severity:
High
CVSS Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
XML external entity (XXE) vulnerability in XmlMapper in the Data format extension for Jackson (aka jackson-dataformat-xml) allows attackers to have unspecified impact via unknown vectors.
Vulnerable Software & Versions:
Description: Data Mapper package is a high-performance data binding package
built on Jackson JSON processor
License:
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.codehaus.jackson\jackson-mapper-asl\1.9.13\1ee2f2bed0e5dd29d1cb155a166e6f8d50bbddb7\jackson-mapper-asl-1.9.13.jar
Severity:
High
CVSS Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
XML external entity (XXE) vulnerability in XmlMapper in the Data format extension for Jackson (aka jackson-dataformat-xml) allows attackers to have unspecified impact via unknown vectors.
Vulnerable Software & Versions:
Description: Extensions that provide interoperability support for
Jackson JSON processor's data binding functionality.
License:
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt GNU Lesser General Public License (LGPL), Version 2.1: http://www.fsf.org/licensing/licenses/lgpl.txtFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.codehaus.jackson\jackson-xc\1.8.3\1226667dcdb7c259b3ee07e112ed83446554516e\jackson-xc-1.8.3.jar
Severity:
High
CVSS Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
XML external entity (XXE) vulnerability in XmlMapper in the Data format extension for Jackson (aka jackson-dataformat-xml) allows attackers to have unspecified impact via unknown vectors.
Vulnerable Software & Versions:
Description: A StAX implementation for JSON.
File Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.codehaus.jettison\jettison\1.1\1a01a2a1218fcf9faa2cc2a6ced025bdea687262\jettison-1.1.jar
MD5: fc80e0aabd516c54739262c3d618303a
SHA1: 1a01a2a1218fcf9faa2cc2a6ced025bdea687262
File Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.codehaus.plexus\plexus-utils\1.5.6\8fb6b798a4036048b3005e058553bf21a87802ed\plexus-utils-1.5.6.jar
MD5: d6070c2e77ca56adafa953215ddf744b
SHA1: 8fb6b798a4036048b3005e058553bf21a87802ed
File Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.codehaus.plexus\plexus-utils\1.5.6\8fb6b798a4036048b3005e058553bf21a87802ed\plexus-utils-1.5.6.jar\META-INF/maven/org.codehaus.plexus/plexus-interpolation/pom.xml
MD5: 61795135733295c9aa438fda7b923db8
SHA1: 1074eabfbcbfb0decfe6f9ed0541668e114b9311
Description: tax2 API is an extension to basic Stax 1.0 API that adds significant new functionality, such as full-featured bi-direction validation interface and high-performance Typed Access API.
License:
The BSD License: http://www.opensource.org/licenses/bsd-license.phpFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.codehaus.woodstox\stax2-api\3.1.4\ac19014b1e6a7c08aad07fe114af792676b685b7\stax2-api-3.1.4.jar
Description: Woodstox is a high-performance XML processor that
implements Stax (JSR-173) and SAX2 APIs
License:
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.codehaus.woodstox\woodstox-core-asl\4.4.1\84fee5eb1a4a1cefe65b6883c73b3fa83be3c1a1\woodstox-core-asl-4.4.1.jar
Description:
JHighlight is an embeddable pure Java syntax highlighting
library that supports Java, HTML, XHTML, XML and LZX
languages and outputs to XHTML.
It also supports RIFE templates tags and highlights them
clearly so that you can easily identify the difference
between your RIFE markup and the actual marked up source.
License:
CDDL, v1.0: http://www.opensource.org/licenses/cddl1.php LGPL, v2.1 or later: http://www.opensource.org/licenses/lgpl-license.phpFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.codelibs\jhighlight\1.0.2\992a8a8add10468930efc1f110f2895f68258a1e\jhighlight-1.0.2.jar
File Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.dom4j\com.springsource.org.dom4j\1.6.1\a2b40587495fdcb0ad5b86993895311180ea2fd5\com.springsource.org.dom4j-1.6.1.jar
MD5: 25d7167765bd98b1b2127aea44331cb0
SHA1: a2b40587495fdcb0ad5b86993895311180ea2fd5
Description: A component of the BIRT runtime
License:
Eclipse Public License - v 1.0: http://www.eclipse.org/org/documents/epl-v10.htmlFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.eclipse.birt.runtime.3_7_1\com.lowagie.text\2.1.7\18d4c7c2014447eacfd00c65c717b3cfc422407b\com.lowagie.text-2.1.7.jar
Description: A component of the BIRT runtime
License:
Eclipse Public License - v 1.0: http://www.eclipse.org/org/documents/epl-v10.htmlFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.eclipse.birt.runtime.3_7_1\javax.wsdl\1.5.1\29ec6b1964b05d6ff9728226d2a1e61fab3ac95c\javax.wsdl-1.5.1.jar
Description: A component of the BIRT runtime
License:
Eclipse Public License - v 1.0: http://www.eclipse.org/org/documents/epl-v10.htmlFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.eclipse.birt.runtime.3_7_1\org.apache.batik.bridge\1.6.0\e2db6eb9029356884f123a60e9b72a51919e9a6f\org.apache.batik.bridge-1.6.0.jar
Severity:
Medium
CVSS Score: 6.4 (AV:N/AC:L/Au:N/C:P/I:N/A:P)
XML external entity (XXE) vulnerability in the SVG to (1) PNG and (2) JPG conversion classes in Apache Batik 1.x before 1.8 allows remote attackers to read arbitrary files or cause a denial of service via a crafted SVG file.
Vulnerable Software & Versions: (show all)
Description: A component of the BIRT runtime
License:
Eclipse Public License - v 1.0: http://www.eclipse.org/org/documents/epl-v10.htmlFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.eclipse.birt.runtime.3_7_1\org.apache.batik.css\1.6.0\1e54558f0ad4b78f907f3461c14c7a7a91aecab2\org.apache.batik.css-1.6.0.jar
Severity:
Medium
CVSS Score: 6.4 (AV:N/AC:L/Au:N/C:P/I:N/A:P)
XML external entity (XXE) vulnerability in the SVG to (1) PNG and (2) JPG conversion classes in Apache Batik 1.x before 1.8 allows remote attackers to read arbitrary files or cause a denial of service via a crafted SVG file.
Vulnerable Software & Versions: (show all)
Description: A component of the BIRT runtime
License:
Eclipse Public License - v 1.0: http://www.eclipse.org/org/documents/epl-v10.htmlFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.eclipse.birt.runtime.3_7_1\org.apache.batik.dom.svg\1.6.0\ce507ddef394d6c6771bc8692c7db6afb1da4fa0\org.apache.batik.dom.svg-1.6.0.jar
Severity:
Medium
CVSS Score: 6.4 (AV:N/AC:L/Au:N/C:P/I:N/A:P)
XML external entity (XXE) vulnerability in the SVG to (1) PNG and (2) JPG conversion classes in Apache Batik 1.x before 1.8 allows remote attackers to read arbitrary files or cause a denial of service via a crafted SVG file.
Vulnerable Software & Versions: (show all)
Description: A component of the BIRT runtime
License:
Eclipse Public License - v 1.0: http://www.eclipse.org/org/documents/epl-v10.htmlFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.eclipse.birt.runtime.3_7_1\org.apache.batik.dom\1.6.0\e9fe8d31ea04c6cd566e35f61524e561821bbe57\org.apache.batik.dom-1.6.0.jar
Severity:
Medium
CVSS Score: 6.4 (AV:N/AC:L/Au:N/C:P/I:N/A:P)
XML external entity (XXE) vulnerability in the SVG to (1) PNG and (2) JPG conversion classes in Apache Batik 1.x before 1.8 allows remote attackers to read arbitrary files or cause a denial of service via a crafted SVG file.
Vulnerable Software & Versions: (show all)
Description: A component of the BIRT runtime
License:
Eclipse Public License - v 1.0: http://www.eclipse.org/org/documents/epl-v10.htmlFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.eclipse.birt.runtime.3_7_1\org.apache.batik.ext.awt\1.6.0\4df20bee143553a89b26bc06411eb4dcf44ec18e\org.apache.batik.ext.awt-1.6.0.jar
Severity:
Medium
CVSS Score: 6.4 (AV:N/AC:L/Au:N/C:P/I:N/A:P)
XML external entity (XXE) vulnerability in the SVG to (1) PNG and (2) JPG conversion classes in Apache Batik 1.x before 1.8 allows remote attackers to read arbitrary files or cause a denial of service via a crafted SVG file.
Vulnerable Software & Versions: (show all)
Description: A component of the BIRT runtime
License:
Eclipse Public License - v 1.0: http://www.eclipse.org/org/documents/epl-v10.htmlFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.eclipse.birt.runtime.3_7_1\org.apache.batik.parser\1.6.0\5e6dd459704dd6bd168f1b030cb739872e994339\org.apache.batik.parser-1.6.0.jar
Severity:
Medium
CVSS Score: 6.4 (AV:N/AC:L/Au:N/C:P/I:N/A:P)
XML external entity (XXE) vulnerability in the SVG to (1) PNG and (2) JPG conversion classes in Apache Batik 1.x before 1.8 allows remote attackers to read arbitrary files or cause a denial of service via a crafted SVG file.
Vulnerable Software & Versions: (show all)
Description: A component of the BIRT runtime
License:
Eclipse Public License - v 1.0: http://www.eclipse.org/org/documents/epl-v10.htmlFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.eclipse.birt.runtime.3_7_1\org.apache.batik.svggen\1.6.0\5cb65af57bdfd093c47b3cf7bc8bb57e10f5451\org.apache.batik.svggen-1.6.0.jar
Severity:
Medium
CVSS Score: 6.4 (AV:N/AC:L/Au:N/C:P/I:N/A:P)
XML external entity (XXE) vulnerability in the SVG to (1) PNG and (2) JPG conversion classes in Apache Batik 1.x before 1.8 allows remote attackers to read arbitrary files or cause a denial of service via a crafted SVG file.
Vulnerable Software & Versions: (show all)
Description: A component of the BIRT runtime
License:
Eclipse Public License - v 1.0: http://www.eclipse.org/org/documents/epl-v10.htmlFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.eclipse.birt.runtime.3_7_1\org.apache.batik.transcoder\1.6.0\fc5d9326a3195f15781d2fcea862ec1767e30ebf\org.apache.batik.transcoder-1.6.0.jar
Severity:
Medium
CVSS Score: 6.4 (AV:N/AC:L/Au:N/C:P/I:N/A:P)
XML external entity (XXE) vulnerability in the SVG to (1) PNG and (2) JPG conversion classes in Apache Batik 1.x before 1.8 allows remote attackers to read arbitrary files or cause a denial of service via a crafted SVG file.
Vulnerable Software & Versions: (show all)
Description: A component of the BIRT runtime
License:
Eclipse Public License - v 1.0: http://www.eclipse.org/org/documents/epl-v10.htmlFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.eclipse.birt.runtime.3_7_1\org.apache.batik.util.gui\1.6.0\6afa9107935bdeede0487c770bb0537b1a341c81\org.apache.batik.util.gui-1.6.0.jar
Severity:
Medium
CVSS Score: 6.4 (AV:N/AC:L/Au:N/C:P/I:N/A:P)
XML external entity (XXE) vulnerability in the SVG to (1) PNG and (2) JPG conversion classes in Apache Batik 1.x before 1.8 allows remote attackers to read arbitrary files or cause a denial of service via a crafted SVG file.
Vulnerable Software & Versions: (show all)
Description: A component of the BIRT runtime
License:
Eclipse Public License - v 1.0: http://www.eclipse.org/org/documents/epl-v10.htmlFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.eclipse.birt.runtime.3_7_1\org.apache.batik.util\1.6.0\74aafd6361820f7e67474e78b16fd4365d1a58a\org.apache.batik.util-1.6.0.jar
Severity:
Medium
CVSS Score: 6.4 (AV:N/AC:L/Au:N/C:P/I:N/A:P)
XML external entity (XXE) vulnerability in the SVG to (1) PNG and (2) JPG conversion classes in Apache Batik 1.x before 1.8 allows remote attackers to read arbitrary files or cause a denial of service via a crafted SVG file.
Vulnerable Software & Versions: (show all)
Description: A component of the BIRT runtime
License:
Eclipse Public License - v 1.0: http://www.eclipse.org/org/documents/epl-v10.htmlFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.eclipse.birt.runtime.3_7_1\org.apache.batik.xml\1.6.0\8b3fbec88190a39eae4de5088a1199f23526258e\org.apache.batik.xml-1.6.0.jar
Severity:
Medium
CVSS Score: 6.4 (AV:N/AC:L/Au:N/C:P/I:N/A:P)
XML external entity (XXE) vulnerability in the SVG to (1) PNG and (2) JPG conversion classes in Apache Batik 1.x before 1.8 allows remote attackers to read arbitrary files or cause a denial of service via a crafted SVG file.
Vulnerable Software & Versions: (show all)
Description: A component of the BIRT runtime
License:
Eclipse Public License - v 1.0: http://www.eclipse.org/org/documents/epl-v10.htmlFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.eclipse.birt.runtime.3_7_1\org.apache.commons.codec\1.3.0\72c73f3729b4ca49dac8691fb5adb194e8595799\org.apache.commons.codec-1.3.0.jar
Description: A component of the BIRT runtime
License:
Eclipse Public License - v 1.0: http://www.eclipse.org/org/documents/epl-v10.htmlFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.eclipse.birt.runtime.3_7_1\org.apache.xerces\2.9.0\615a1b724b88b81e8a040ec148fd25368f7b48e5\org.apache.xerces-2.9.0.jar
Description: A component of the BIRT runtime
License:
Eclipse Public License - v 1.0: http://www.eclipse.org/org/documents/epl-v10.htmlFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.eclipse.birt.runtime.3_7_1\org.apache.xml.resolver\1.2.0\7c9c22053b04772e81dc62d665b202eeae82ae47\org.apache.xml.resolver-1.2.0.jar
Description: A component of the BIRT runtime
License:
Eclipse Public License - v 1.0: http://www.eclipse.org/org/documents/epl-v10.htmlFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.eclipse.birt.runtime.3_7_1\org.apache.xml.serializer\2.7.1\a8508e22414c8e12cdfdc42b25a7c7efa4004556\org.apache.xml.serializer-2.7.1.jar
Description: A component of the BIRT runtime
License:
Eclipse Public License - v 1.0: http://www.eclipse.org/org/documents/epl-v10.htmlFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.eclipse.birt.runtime.3_7_1\org.mozilla.javascript\1.7.2\b520e18bd357a47deb2e902ce49533564236219b\org.mozilla.javascript-1.7.2.jar
Description: A component of the BIRT runtime
License:
Eclipse Public License - v 1.0: http://www.eclipse.org/org/documents/epl-v10.htmlFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.eclipse.birt.runtime.3_7_1\org.w3c.css.sac\1.3.0\8dfb0e08c19f3b47290096d27ab71ed4f2a5000a\org.w3c.css.sac-1.3.0.jar
Description: A component of the BIRT runtime
License:
Eclipse Public License - v 1.0: http://www.eclipse.org/org/documents/epl-v10.htmlFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.eclipse.birt.runtime.3_7_1\org.w3c.dom.smil\1.0.0\674bdda9162b48419741da833e445e190f33a58a\org.w3c.dom.smil-1.0.0.jar
Description: A component of the BIRT runtime
License:
Eclipse Public License - v 1.0: http://www.eclipse.org/org/documents/epl-v10.htmlFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.eclipse.birt.runtime.3_7_1\org.w3c.dom.svg\1.1.0\9c6413ed43b4e9ba56982a554e03bd012cc44ed9\org.w3c.dom.svg-1.1.0.jar
Description: A component of the BIRT runtime
License:
Eclipse Public License - v 1.0: http://www.eclipse.org/org/documents/epl-v10.htmlFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.eclipse.birt.runtime.3_7_1\Tidy\1\63b1e38f4ca630dbac3d2072cda2a9336914d10c\Tidy-1.jar
Description: A component of the BIRT runtime
License:
Eclipse Public License - v 1.0: http://www.eclipse.org/org/documents/epl-v10.htmlFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.eclipse.birt.runtime\com.ibm.icu\50.1.1.v201304230130\ff82137ba65f8676355452edc0ca57975d1b69f4\com.ibm.icu-50.1.1.v201304230130.jar
Description: A component of the BIRT runtime
License:
Eclipse Public License - v 1.0: http://www.eclipse.org/org/documents/epl-v10.htmlFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.eclipse.birt.runtime\javax.xml.stream\1.0.1.v201004272200\3a4f0067058e2aa9af1c6e463bc8a147a99681c0\javax.xml.stream-1.0.1.v201004272200.jar
Severity:
Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Cross-site scripting (XSS) vulnerability in birt-viewer/run in Eclipse Business Intelligence and Reporting Tools (BIRT) before 2.5.0, as used in KonaKart and other products, allows remote attackers to inject arbitrary web script or HTML via the __report parameter.
Vulnerable Software & Versions:
Description: A component of the BIRT runtime
License:
Eclipse Public License - v 1.0: http://www.eclipse.org/org/documents/epl-v10.htmlFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.eclipse.birt.runtime\org.eclipse.birt.runtime\4.4.1\d7f5495359184868842e469c1929109a0f69d87a\org.eclipse.birt.runtime-4.4.1.jar
Description: A component of the BIRT runtime
License:
Eclipse Public License - v 1.0: http://www.eclipse.org/org/documents/epl-v10.htmlFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.eclipse.birt.runtime\org.eclipse.core.contenttype\3.4.200.v20130326-1255\9a032a98b4b139fa91522b10fdc61ffa9864414\org.eclipse.core.contenttype-3.4.200.v20130326-1255.jar
Description: A component of the BIRT runtime
License:
Eclipse Public License - v 1.0: http://www.eclipse.org/org/documents/epl-v10.htmlFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.eclipse.birt.runtime\org.eclipse.core.expressions\3.4.500.v20130515-1343\97cc20cce87af191fc620562ab74b1cde95947fd\org.eclipse.core.expressions-3.4.500.v20130515-1343.jar
Description: A component of the BIRT runtime
License:
Eclipse Public License - v 1.0: http://www.eclipse.org/org/documents/epl-v10.htmlFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.eclipse.birt.runtime\org.eclipse.core.filesystem\1.4.0.v20130514-1240\e26398a301d91db6516debe38664239481d4b309\org.eclipse.core.filesystem-1.4.0.v20130514-1240.jar
Severity:
Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Cross-site scripting (XSS) vulnerability in birt-viewer/run in Eclipse Business Intelligence and Reporting Tools (BIRT) before 2.5.0, as used in KonaKart and other products, allows remote attackers to inject arbitrary web script or HTML via the __report parameter.
Vulnerable Software & Versions:
Description: A component of the BIRT runtime
License:
Eclipse Public License - v 1.0: http://www.eclipse.org/org/documents/epl-v10.htmlFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.eclipse.birt.runtime\org.eclipse.core.jobs\3.6.0.v20140424-0053\e013c919510607d9c8ac5585b66ff4ee5e364ec9\org.eclipse.core.jobs-3.6.0.v20140424-0053.jar
Description: A component of the BIRT runtime
License:
Eclipse Public License - v 1.0: http://www.eclipse.org/org/documents/epl-v10.htmlFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.eclipse.birt.runtime\org.eclipse.core.resources\3.9.1.v20140825-1431\24a0e4b809d9cb102e7bf8123a2844657b916090\org.eclipse.core.resources-3.9.1.v20140825-1431.jar
File Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.eclipse.birt.runtime\org.eclipse.core.resources\3.9.1.v20140825-1431\24a0e4b809d9cb102e7bf8123a2844657b916090\org.eclipse.core.resources-3.9.1.v20140825-1431.jar\ant_tasks\resources-ant.jar
MD5: 2e3d89f3c01f0deec05a4d04db4b67bd
SHA1: ac97fcd1a043208b58e6ec13c2708e5cbfdf9a55
Description: A component of the BIRT runtime
License:
Eclipse Public License - v 1.0: http://www.eclipse.org/org/documents/epl-v10.htmlFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.eclipse.birt.runtime\org.eclipse.core.runtime\3.9.0.v20130326-1255\47eedfa6e872020604db4b2e1949aa6ca273ac6a\org.eclipse.core.runtime-3.9.0.v20130326-1255.jar
Description: A component of the BIRT runtime
License:
Eclipse Public License - v 1.0: http://www.eclipse.org/org/documents/epl-v10.htmlFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.eclipse.birt.runtime\org.eclipse.datatools.connectivity.apache.derby.dbdefinition\1.0.2.v201107221459\be66d744ac0e8f011055c37eb6c0b0b8de2d0978\org.eclipse.datatools.connectivity.apache.derby.dbdefinition-1.0.2.v201107221459.jar
Severity:
Low
CVSS Score: 2.1 (AV:L/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-310 Cryptographic Issues
The password hash generation algorithm in the BUILTIN authentication functionality for Apache Derby before 10.6.1.0 performs a transformation that reduces the size of the set of inputs to SHA-1, which produces a small search space that makes it easier for local and possibly remote attackers to crack passwords by generating hash collisions, related to password substitution.
Vulnerable Software & Versions:
Severity:
Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure
Apache Derby before 10.1.2.1 exposes the (1) user and (2) password attributes in cleartext via (a) the RDBNAM parameter of the ACCSEC command and (b) the output of the DatabaseMetaData.getURL function, which allows context-dependent attackers to obtain sensitive information.
Vulnerable Software & Versions:
Description: A component of the BIRT runtime
License:
Eclipse Public License - v 1.0: http://www.eclipse.org/org/documents/epl-v10.htmlFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.eclipse.birt.runtime\org.eclipse.datatools.connectivity.apache.derby\1.0.103.v201212070447\2257789d5761585d498d13bb2269c180c970f28d\org.eclipse.datatools.connectivity.apache.derby-1.0.103.v201212070447.jar
Severity:
Low
CVSS Score: 2.1 (AV:L/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-310 Cryptographic Issues
The password hash generation algorithm in the BUILTIN authentication functionality for Apache Derby before 10.6.1.0 performs a transformation that reduces the size of the set of inputs to SHA-1, which produces a small search space that makes it easier for local and possibly remote attackers to crack passwords by generating hash collisions, related to password substitution.
Vulnerable Software & Versions:
Severity:
Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure
Apache Derby before 10.1.2.1 exposes the (1) user and (2) password attributes in cleartext via (a) the RDBNAM parameter of the ACCSEC command and (b) the output of the DatabaseMetaData.getURL function, which allows context-dependent attackers to obtain sensitive information.
Vulnerable Software & Versions:
Description: A component of the BIRT runtime
License:
Eclipse Public License - v 1.0: http://www.eclipse.org/org/documents/epl-v10.htmlFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.eclipse.birt.runtime\org.eclipse.datatools.connectivity.console.profile\1.0.10.v201109250955\2c338e35fc23603cea9ebaf5177a0c042f38eea1\org.eclipse.datatools.connectivity.console.profile-1.0.10.v201109250955.jar
Severity:
Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Cross-site scripting (XSS) vulnerability in birt-viewer/run in Eclipse Business Intelligence and Reporting Tools (BIRT) before 2.5.0, as used in KonaKart and other products, allows remote attackers to inject arbitrary web script or HTML via the __report parameter.
Vulnerable Software & Versions:
Description: A component of the BIRT runtime
License:
Eclipse Public License - v 1.0: http://www.eclipse.org/org/documents/epl-v10.htmlFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.eclipse.birt.runtime\org.eclipse.datatools.connectivity.db.generic\1.0.1.v201107221459\4dd3c5554bea2302448e4201167e36e2bf11d383\org.eclipse.datatools.connectivity.db.generic-1.0.1.v201107221459.jar
Severity:
Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Cross-site scripting (XSS) vulnerability in birt-viewer/run in Eclipse Business Intelligence and Reporting Tools (BIRT) before 2.5.0, as used in KonaKart and other products, allows remote attackers to inject arbitrary web script or HTML via the __report parameter.
Vulnerable Software & Versions:
Description: A component of the BIRT runtime
License:
Eclipse Public License - v 1.0: http://www.eclipse.org/org/documents/epl-v10.htmlFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.eclipse.birt.runtime\org.eclipse.datatools.connectivity.dbdefinition.genericJDBC\1.0.1.v201107221459\1ee4dc13d331d13f2be2f1cb1b62b789c25db9cc\org.eclipse.datatools.connectivity.dbdefinition.genericJDBC-1.0.1.v201107221459.jar
Severity:
Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Cross-site scripting (XSS) vulnerability in birt-viewer/run in Eclipse Business Intelligence and Reporting Tools (BIRT) before 2.5.0, as used in KonaKart and other products, allows remote attackers to inject arbitrary web script or HTML via the __report parameter.
Vulnerable Software & Versions:
Description: A component of the BIRT runtime
License:
Eclipse Public License - v 1.0: http://www.eclipse.org/org/documents/epl-v10.htmlFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.eclipse.birt.runtime\org.eclipse.datatools.connectivity.oda.consumer\3.2.6.v201305170644\45205c69d334dec54f76f8e2a5cacab8accde588\org.eclipse.datatools.connectivity.oda.consumer-3.2.6.v201305170644.jar
Description: A component of the BIRT runtime
License:
Eclipse Public License - v 1.0: http://www.eclipse.org/org/documents/epl-v10.htmlFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.eclipse.birt.runtime\org.eclipse.datatools.connectivity.oda.design\3.3.6.v201212070447\bce1829458bb7c58200cb72c045d48e82702d0a8\org.eclipse.datatools.connectivity.oda.design-3.3.6.v201212070447.jar
Description: A component of the BIRT runtime
License:
Eclipse Public License - v 1.0: http://www.eclipse.org/org/documents/epl-v10.htmlFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.eclipse.birt.runtime\org.eclipse.datatools.connectivity.oda.flatfile\3.1.8.v201403010906\3c62f783f8ac17aca5250f2a640dfd85c1df9178\org.eclipse.datatools.connectivity.oda.flatfile-3.1.8.v201403010906.jar
Description: A component of the BIRT runtime
License:
Eclipse Public License - v 1.0: http://www.eclipse.org/org/documents/epl-v10.htmlFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.eclipse.birt.runtime\org.eclipse.datatools.connectivity.oda.profile\3.2.9.v201403131814\2f795c899dac80982e95c9e2d5413ef88031cdab\org.eclipse.datatools.connectivity.oda.profile-3.2.9.v201403131814.jar
Description: A component of the BIRT runtime
License:
Eclipse Public License - v 1.0: http://www.eclipse.org/org/documents/epl-v10.htmlFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.eclipse.birt.runtime\org.eclipse.datatools.connectivity.oda\3.4.3.v201405301249\91fa06c7a97275ea799fec9d557fc60def2e443d\org.eclipse.datatools.connectivity.oda-3.4.3.v201405301249.jar
Description: A component of the BIRT runtime
License:
Eclipse Public License - v 1.0: http://www.eclipse.org/org/documents/epl-v10.htmlFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.eclipse.birt.runtime\org.eclipse.datatools.connectivity.sqm.core\1.2.8.v201401230755\c0d3d79971a815a4db6c5b009ada4f0f1f44e043\org.eclipse.datatools.connectivity.sqm.core-1.2.8.v201401230755.jar
Severity:
Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Cross-site scripting (XSS) vulnerability in birt-viewer/run in Eclipse Business Intelligence and Reporting Tools (BIRT) before 2.5.0, as used in KonaKart and other products, allows remote attackers to inject arbitrary web script or HTML via the __report parameter.
Vulnerable Software & Versions:
Description: A component of the BIRT runtime
License:
Eclipse Public License - v 1.0: http://www.eclipse.org/org/documents/epl-v10.htmlFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.eclipse.birt.runtime\org.eclipse.datatools.connectivity\1.2.11.v201401230755\2e2f258cf40953e97423343786eed44aaef5e207\org.eclipse.datatools.connectivity-1.2.11.v201401230755.jar
Severity:
Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Cross-site scripting (XSS) vulnerability in birt-viewer/run in Eclipse Business Intelligence and Reporting Tools (BIRT) before 2.5.0, as used in KonaKart and other products, allows remote attackers to inject arbitrary web script or HTML via the __report parameter.
Vulnerable Software & Versions:
Description: A component of the BIRT runtime
License:
Eclipse Public License - v 1.0: http://www.eclipse.org/org/documents/epl-v10.htmlFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.eclipse.birt.runtime\org.eclipse.datatools.enablement.hsqldb.dbdefinition\1.0.0.v201107221502\aa3214296e97b4dfd14345acea23f2c92e992c36\org.eclipse.datatools.enablement.hsqldb.dbdefinition-1.0.0.v201107221502.jar
Severity:
Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Cross-site scripting (XSS) vulnerability in birt-viewer/run in Eclipse Business Intelligence and Reporting Tools (BIRT) before 2.5.0, as used in KonaKart and other products, allows remote attackers to inject arbitrary web script or HTML via the __report parameter.
Vulnerable Software & Versions:
Description: A component of the BIRT runtime
License:
Eclipse Public License - v 1.0: http://www.eclipse.org/org/documents/epl-v10.htmlFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.eclipse.birt.runtime\org.eclipse.datatools.enablement.hsqldb\1.0.0.v201107221502\5f987f4588c989290c038bd70460c36caa972c0b\org.eclipse.datatools.enablement.hsqldb-1.0.0.v201107221502.jar
Severity:
Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Cross-site scripting (XSS) vulnerability in birt-viewer/run in Eclipse Business Intelligence and Reporting Tools (BIRT) before 2.5.0, as used in KonaKart and other products, allows remote attackers to inject arbitrary web script or HTML via the __report parameter.
Vulnerable Software & Versions:
Description: A component of the BIRT runtime
License:
Eclipse Public License - v 1.0: http://www.eclipse.org/org/documents/epl-v10.htmlFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.eclipse.birt.runtime\org.eclipse.datatools.enablement.ibm.db2.luw.dbdefinition\1.0.4.v201107221502\7ba2ad3443244862426b20f2da73bb78c7223287\org.eclipse.datatools.enablement.ibm.db2.luw.dbdefinition-1.0.4.v201107221502.jar
Severity:
High
CVSS Score: 9.0 (AV:N/AC:L/Au:S/C:C/I:C/A:C)
CWE: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Directory traversal vulnerability in the UTL_FILE module in IBM DB2 and DB2 Connect 10.1 before FP1 on Windows allows remote authenticated users to modify, delete, or read arbitrary files via a pathname in the file field.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.9 (AV:N/AC:M/Au:S/C:N/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls
IBM DB2 9.5 before FP7 and 9.7 before FP4 on Linux, UNIX, and Windows does not properly enforce privilege requirements for table access, which allows remote authenticated users to modify SYSSTAT.TABLES statistics columns via an UPDATE statement. NOTE: some of these details are obtained from third party information.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls
IBM DB2 9.5 before FP7 and 9.7 before FP4 on Linux, UNIX, and Windows does not properly revoke role membership from groups, which allows remote authenticated users to execute non-DDL statements by leveraging previous inherited possession of a role, a different vulnerability than CVE-2011-0757. NOTE: some of these details are obtained from third party information.
Vulnerable Software & Versions: (show all)
Severity:
Low
CVSS Score: 1.5 (AV:L/AC:M/Au:S/C:N/I:N/A:P)
Unspecified vulnerability in IBM DB2 9.7 before FP5 on UNIX, when the Self Tuning Memory Manager (STMM) feature and the AUTOMATIC DATABASE_MEMORY setting are configured, allows local users to cause a denial of service (daemon crash) via unknown vectors.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls
IBM DB2 9.1 before FP10, 9.5 before FP6a, and 9.7 before FP2 on Linux, UNIX, and Windows does not properly revoke the DBADM authority, which allows remote authenticated users to execute non-DDL statements by leveraging previous possession of this authority.
Vulnerable Software & Versions: (show all)
Severity:
High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer
Buffer overflow in the DB2 Administration Server (DAS) component in IBM DB2 9.1 before FP10, 9.5 before FP7, and 9.7 before FP3 on Linux, UNIX, and Windows allows remote attackers to execute arbitrary code via unspecified vectors.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:N/A:P)
CWE: CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer
Buffer overflow in the REPEAT function in IBM DB2 9.1 before FP9 allows remote authenticated users to cause a denial of service (trap) via unspecified vectors. NOTE: this might overlap CVE-2010-0462.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
Unspecified vulnerability in db2jds in IBM DB2 8.1 before FP18 allows remote attackers to cause a denial of service (service crash) via "malicious packets."
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.6 (AV:L/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls
IBM DB2 8.1 before FP18 allows attackers to obtain unspecified access via a das command.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-399 Resource Management Errors
Memory leak in the Security component in IBM DB2 8.1 before FP18 on Unix platforms allows attackers to cause a denial of service (memory consumption) via unspecified vectors, related to private memory within the DB2 memory structure.
Vulnerable Software & Versions: (show all)
Severity:
Low
CVSS Score: 2.6 (AV:N/AC:H/Au:N/C:P/I:N/A:N)
CWE: CWE-287 Improper Authentication
The Common Code Infrastructure component in IBM DB2 8 before FP17, 9.1 before FP7, and 9.5 before FP4, when LDAP security (aka IBMLDAPauthserver) and anonymous bind are enabled, allows remote attackers to bypass password authentication and establish a database connection via unspecified vectors.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure
IBM DB2 9.1 before FP7 returns incorrect query results in certain situations related to the order of application of an INNER JOIN predicate and an OUTER JOIN predicate, which might allow attackers to obtain sensitive information via a crafted query.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure
The SORT/LIST SERVICES component in IBM DB2 9.1 before FP6 and 9.5 before FP2 writes sensitive information to the trace output, which allows attackers to obtain sensitive information by reading "PASSWORD-RELATED CONNECTION STRING KEYWORD VALUES."
Vulnerable Software & Versions: (show all)
Severity:
High
CVSS Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
The Native Managed Provider for .NET component in IBM DB2 8 before FP17, 9.1 before FP6, and 9.5 before FP2, when a definer cannot maintain objects, preserves views and triggers without marking them inoperative or dropping them, which has unknown impact and attack vectors.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
Unspecified vulnerability in the SQLNLS_UNPADDEDCHARLEN function in the New Compiler (aka Starburst derived compiler) component in the server in IBM DB2 9.1 before FP6 allows attackers to cause a denial of service (segmentation violation and trap) via unknown vectors.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
IBM DB2 UDB 8.1 before FixPak 16, 8.2 before FixPak 9, and 9.1 before FixPak 4a allows remote attackers to cause a denial of service (instance crash) via a crafted SQLJRA packet within a CONNECT/ATTACH data stream that simulates a V7 client connect/attach request.
Vulnerable Software & Versions: (show all)
Severity:
High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
IBM DB2 UDB 8 before Fixpak 17 allows remote attackers to cause a denial of service (instance crash) via a crafted CONNECT/ATTACH data stream that simulates a V7 client connect/attach request. NOTE: this may overlap CVE-2008-3858. NOTE: this issue exists because of an incomplete fix for CVE-2008-3959.
Vulnerable Software & Versions: (show all)
Severity:
High
CVSS Score: 8.5 (AV:N/AC:M/Au:S/C:C/I:C/A:C)
The NNSTAT (aka SYSPROC.NNSTAT) procedure in IBM DB2 8 before FP16, 9.1 before FP4a, and 9.5 before FP1 on Windows allows remote authenticated users to overwrite arbitrary files via the log file parameter.
Vulnerable Software & Versions: (show all)
Severity:
High
CVSS Score: 9.0 (AV:N/AC:L/Au:S/C:C/I:C/A:C)
Unspecified vulnerability in the ADMIN_SP_C procedure (SYSPROC.ADMIN_SP_C) in IBM DB2 UDB before 8.2 Fixpak 16, 9.1 before FP4a, and 9.5 before FP1 allows remote authenticated users to execute arbitrary code via unspecified attack vectors.
Vulnerable Software & Versions: (show all)
Severity:
High
CVSS Score: 7.8 (AV:N/AC:L/Au:N/C:N/I:N/A:C)
CWE: CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer
IBM DB2 UDB 9.1 before Fixpak 4 does not properly manage storage of a list containing authentication information, which might allow attackers to cause a denial of service (instance crash) or trigger memory corruption. NOTE: the vendor description of this issue is too vague to be certain that it is security-related.
Vulnerable Software & Versions: (show all)
Severity:
High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls
Unspecified vulnerability in IBM Rational ClearQuest (CQ), when a Microsoft SQL Server or an IBM DB2 database is used, allows attackers to corrupt data via unspecified vectors.
Vulnerable Software & Versions: (show all)
Severity:
High
CVSS Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
CWE: CWE-399 Resource Management Errors
IBM DB2 Universal Database (UDB) Administration Server (DAS) 8 before Fix Pack 16 and 9 before Fix Pack 4 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via modified pointer values in unspecified remote administration requests, which triggers memory corruption or other invalid memory access. NOTE: this might be the same issue as CVE-2008-0698.
Vulnerable Software & Versions: (show all)
Severity:
High
CVSS Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
CWE: CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer
Multiple buffer overflows in the DB2 JDBC Applet Server (DB2JDS) service in IBM DB2 9.x and earlier allow remote attackers to (1) execute arbitrary code via a crafted packet to the DB2JDS service on tcp/6789; and cause a denial of service via (2) an invalid LANG parameter or (2) a long packet that generates a "MemTree overflow."
Vulnerable Software & Versions:
Description: A component of the BIRT runtime
License:
Eclipse Public License - v 1.0: http://www.eclipse.org/org/documents/epl-v10.htmlFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.eclipse.birt.runtime\org.eclipse.datatools.enablement.ibm.db2.luw\1.0.2.v201107221502\3e9920ed389a8eba9ba8ce46d0c0e8ac6da5b41d\org.eclipse.datatools.enablement.ibm.db2.luw-1.0.2.v201107221502.jar
Severity:
High
CVSS Score: 9.0 (AV:N/AC:L/Au:S/C:C/I:C/A:C)
CWE: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Directory traversal vulnerability in the UTL_FILE module in IBM DB2 and DB2 Connect 10.1 before FP1 on Windows allows remote authenticated users to modify, delete, or read arbitrary files via a pathname in the file field.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.9 (AV:N/AC:M/Au:S/C:N/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls
IBM DB2 9.5 before FP7 and 9.7 before FP4 on Linux, UNIX, and Windows does not properly enforce privilege requirements for table access, which allows remote authenticated users to modify SYSSTAT.TABLES statistics columns via an UPDATE statement. NOTE: some of these details are obtained from third party information.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls
IBM DB2 9.5 before FP7 and 9.7 before FP4 on Linux, UNIX, and Windows does not properly revoke role membership from groups, which allows remote authenticated users to execute non-DDL statements by leveraging previous inherited possession of a role, a different vulnerability than CVE-2011-0757. NOTE: some of these details are obtained from third party information.
Vulnerable Software & Versions: (show all)
Severity:
Low
CVSS Score: 1.5 (AV:L/AC:M/Au:S/C:N/I:N/A:P)
Unspecified vulnerability in IBM DB2 9.7 before FP5 on UNIX, when the Self Tuning Memory Manager (STMM) feature and the AUTOMATIC DATABASE_MEMORY setting are configured, allows local users to cause a denial of service (daemon crash) via unknown vectors.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls
IBM DB2 9.1 before FP10, 9.5 before FP6a, and 9.7 before FP2 on Linux, UNIX, and Windows does not properly revoke the DBADM authority, which allows remote authenticated users to execute non-DDL statements by leveraging previous possession of this authority.
Vulnerable Software & Versions: (show all)
Severity:
High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer
Buffer overflow in the DB2 Administration Server (DAS) component in IBM DB2 9.1 before FP10, 9.5 before FP7, and 9.7 before FP3 on Linux, UNIX, and Windows allows remote attackers to execute arbitrary code via unspecified vectors.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:N/A:P)
CWE: CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer
Buffer overflow in the REPEAT function in IBM DB2 9.1 before FP9 allows remote authenticated users to cause a denial of service (trap) via unspecified vectors. NOTE: this might overlap CVE-2010-0462.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
Unspecified vulnerability in db2jds in IBM DB2 8.1 before FP18 allows remote attackers to cause a denial of service (service crash) via "malicious packets."
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.6 (AV:L/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls
IBM DB2 8.1 before FP18 allows attackers to obtain unspecified access via a das command.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-399 Resource Management Errors
Memory leak in the Security component in IBM DB2 8.1 before FP18 on Unix platforms allows attackers to cause a denial of service (memory consumption) via unspecified vectors, related to private memory within the DB2 memory structure.
Vulnerable Software & Versions: (show all)
Severity:
Low
CVSS Score: 2.6 (AV:N/AC:H/Au:N/C:P/I:N/A:N)
CWE: CWE-287 Improper Authentication
The Common Code Infrastructure component in IBM DB2 8 before FP17, 9.1 before FP7, and 9.5 before FP4, when LDAP security (aka IBMLDAPauthserver) and anonymous bind are enabled, allows remote attackers to bypass password authentication and establish a database connection via unspecified vectors.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure
IBM DB2 9.1 before FP7 returns incorrect query results in certain situations related to the order of application of an INNER JOIN predicate and an OUTER JOIN predicate, which might allow attackers to obtain sensitive information via a crafted query.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure
The SORT/LIST SERVICES component in IBM DB2 9.1 before FP6 and 9.5 before FP2 writes sensitive information to the trace output, which allows attackers to obtain sensitive information by reading "PASSWORD-RELATED CONNECTION STRING KEYWORD VALUES."
Vulnerable Software & Versions: (show all)
Severity:
High
CVSS Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
The Native Managed Provider for .NET component in IBM DB2 8 before FP17, 9.1 before FP6, and 9.5 before FP2, when a definer cannot maintain objects, preserves views and triggers without marking them inoperative or dropping them, which has unknown impact and attack vectors.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
Unspecified vulnerability in the SQLNLS_UNPADDEDCHARLEN function in the New Compiler (aka Starburst derived compiler) component in the server in IBM DB2 9.1 before FP6 allows attackers to cause a denial of service (segmentation violation and trap) via unknown vectors.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
IBM DB2 UDB 8.1 before FixPak 16, 8.2 before FixPak 9, and 9.1 before FixPak 4a allows remote attackers to cause a denial of service (instance crash) via a crafted SQLJRA packet within a CONNECT/ATTACH data stream that simulates a V7 client connect/attach request.
Vulnerable Software & Versions: (show all)
Severity:
High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
IBM DB2 UDB 8 before Fixpak 17 allows remote attackers to cause a denial of service (instance crash) via a crafted CONNECT/ATTACH data stream that simulates a V7 client connect/attach request. NOTE: this may overlap CVE-2008-3858. NOTE: this issue exists because of an incomplete fix for CVE-2008-3959.
Vulnerable Software & Versions: (show all)
Severity:
High
CVSS Score: 8.5 (AV:N/AC:M/Au:S/C:C/I:C/A:C)
The NNSTAT (aka SYSPROC.NNSTAT) procedure in IBM DB2 8 before FP16, 9.1 before FP4a, and 9.5 before FP1 on Windows allows remote authenticated users to overwrite arbitrary files via the log file parameter.
Vulnerable Software & Versions: (show all)
Severity:
High
CVSS Score: 9.0 (AV:N/AC:L/Au:S/C:C/I:C/A:C)
Unspecified vulnerability in the ADMIN_SP_C procedure (SYSPROC.ADMIN_SP_C) in IBM DB2 UDB before 8.2 Fixpak 16, 9.1 before FP4a, and 9.5 before FP1 allows remote authenticated users to execute arbitrary code via unspecified attack vectors.
Vulnerable Software & Versions: (show all)
Severity:
High
CVSS Score: 7.8 (AV:N/AC:L/Au:N/C:N/I:N/A:C)
CWE: CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer
IBM DB2 UDB 9.1 before Fixpak 4 does not properly manage storage of a list containing authentication information, which might allow attackers to cause a denial of service (instance crash) or trigger memory corruption. NOTE: the vendor description of this issue is too vague to be certain that it is security-related.
Vulnerable Software & Versions: (show all)
Severity:
High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls
Unspecified vulnerability in IBM Rational ClearQuest (CQ), when a Microsoft SQL Server or an IBM DB2 database is used, allows attackers to corrupt data via unspecified vectors.
Vulnerable Software & Versions: (show all)
Severity:
High
CVSS Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
CWE: CWE-399 Resource Management Errors
IBM DB2 Universal Database (UDB) Administration Server (DAS) 8 before Fix Pack 16 and 9 before Fix Pack 4 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via modified pointer values in unspecified remote administration requests, which triggers memory corruption or other invalid memory access. NOTE: this might be the same issue as CVE-2008-0698.
Vulnerable Software & Versions: (show all)
Severity:
High
CVSS Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
CWE: CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer
Multiple buffer overflows in the DB2 JDBC Applet Server (DB2JDS) service in IBM DB2 9.x and earlier allow remote attackers to (1) execute arbitrary code via a crafted packet to the DB2JDS service on tcp/6789; and cause a denial of service via (2) an invalid LANG parameter or (2) a long packet that generates a "MemTree overflow."
Vulnerable Software & Versions:
Description: A component of the BIRT runtime
License:
Eclipse Public License - v 1.0: http://www.eclipse.org/org/documents/epl-v10.htmlFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.eclipse.birt.runtime\org.eclipse.datatools.enablement.ibm.informix.dbdefinition\1.0.4.v201107221502\1587982c1ed42ca42e1fe02f1a3baf1faa4bcbb2\org.eclipse.datatools.enablement.ibm.informix.dbdefinition-1.0.4.v201107221502.jar
Description: A component of the BIRT runtime
License:
Eclipse Public License - v 1.0: http://www.eclipse.org/org/documents/epl-v10.htmlFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.eclipse.birt.runtime\org.eclipse.datatools.enablement.ibm.informix\1.0.1.v201107221502\8c1d7354580604905a00c7d9acce3fbc5696b537\org.eclipse.datatools.enablement.ibm.informix-1.0.1.v201107221502.jar
Description: A component of the BIRT runtime
License:
Eclipse Public License - v 1.0: http://www.eclipse.org/org/documents/epl-v10.htmlFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.eclipse.birt.runtime\org.eclipse.datatools.enablement.msft.sqlserver.dbdefinition\1.0.1.v201201240505\d18a0cca80deb6331f1caffea5abc8fa34e2060e\org.eclipse.datatools.enablement.msft.sqlserver.dbdefinition-1.0.1.v201201240505.jar
Severity:
Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Cross-site scripting (XSS) vulnerability in birt-viewer/run in Eclipse Business Intelligence and Reporting Tools (BIRT) before 2.5.0, as used in KonaKart and other products, allows remote attackers to inject arbitrary web script or HTML via the __report parameter.
Vulnerable Software & Versions:
Description: A component of the BIRT runtime
License:
Eclipse Public License - v 1.0: http://www.eclipse.org/org/documents/epl-v10.htmlFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.eclipse.birt.runtime\org.eclipse.datatools.enablement.msft.sqlserver\1.0.2.v201212120617\bff9658c0858cea81b373f1488274a1d9d200cc6\org.eclipse.datatools.enablement.msft.sqlserver-1.0.2.v201212120617.jar
Severity:
Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Cross-site scripting (XSS) vulnerability in birt-viewer/run in Eclipse Business Intelligence and Reporting Tools (BIRT) before 2.5.0, as used in KonaKart and other products, allows remote attackers to inject arbitrary web script or HTML via the __report parameter.
Vulnerable Software & Versions:
Description: A component of the BIRT runtime
License:
Eclipse Public License - v 1.0: http://www.eclipse.org/org/documents/epl-v10.htmlFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.eclipse.birt.runtime\org.eclipse.datatools.enablement.mysql.dbdefinition\1.0.4.v201109022331\7b1abc387591d4a9427bb13344243a220a5d751b\org.eclipse.datatools.enablement.mysql.dbdefinition-1.0.4.v201109022331.jar
Severity:
Medium
CVSS Score: 4.9 (AV:N/AC:M/Au:S/C:P/I:P/A:N)
Unspecified vulnerability in the MySQL Connectors component in Oracle MySQL 5.1.34 and earlier allows remote authenticated users to affect confidentiality and integrity via unknown vectors related to Connector/J.
Vulnerable Software & Versions:
Severity:
High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer
Buffer overflow in client/mysql.cc in Oracle MySQL and MariaDB before 5.5.35 allows remote database servers to cause a denial of service (crash) and possibly execute arbitrary code via a long server version string.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 5.5 (AV:N/AC:L/Au:S/C:P/I:P/A:N)
CWE: CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Unspecified vulnerability in the Server component in Oracle MySQL 5.1.66 and earlier, and 5.1.28 and earlier, allows remote authenticated users to affect confidentiality and integrity via unknown vectors related to Server Replication.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-255 Credentials Management
Oracle MySQL and MariaDB 5.5.x before 5.5.29, 5.3.x before 5.3.12, and 5.2.x before 5.2.14 does not modify the salt during multiple executions of the change_user command within the same connection which makes it easier for remote authenticated users to conduct brute force password guessing attacks.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:N/A:P)
Oracle MySQL 5.1 before 5.1.49 and 5.0 before 5.0.92 allows remote authenticated users to cause a denial of service (mysqld daemon crash) by using EXPLAIN with crafted "SELECT ... UNION ... ORDER BY (SELECT ... WHERE ...)" statements, which triggers a NULL pointer dereference in the Item_singlerow_subselect::store function.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:N/A:P)
CWE: CWE-399 Resource Management Errors
Oracle MySQL 5.1 before 5.1.49 and 5.0 before 5.0.92 allows remote authenticated users to cause a denial of service (mysqld daemon crash) via a join query that uses a table with a unique SET column.
Vulnerable Software & Versions: (show all)
Severity:
Low
CVSS Score: 3.5 (AV:N/AC:M/Au:S/C:N/I:N/A:P)
CWE: CWE-20 Improper Input Validation
MySQL before 5.1.48 allows remote authenticated users with alter database privileges to cause a denial of service (server crash and database loss) via an ALTER DATABASE command with a #mysql50# string followed by a . (dot), .. (dot dot), ../ (dot dot slash) or similar sequence, and an UPGRADE DATA DIRECTORY NAME command, which causes MySQL to move certain directories to the server data directory.
Vulnerable Software & Versions: (show all)
Severity:
Low
CVSS Score: 3.6 (AV:L/AC:L/Au:N/C:N/I:P/A:P)
CWE: CWE-59 Improper Link Resolution Before File Access ('Link Following')
MySQL before 5.1.46 allows local users to delete the data and index files of another user's MyISAM table via a symlink attack in conjunction with the DROP TABLE command, a different vulnerability than CVE-2008-4098 and CVE-2008-7247.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)
CWE: CWE-264 Permissions, Privileges, and Access Controls
The mysql_uninstall_plugin function in sql/sql_plugin.cc in MySQL 5.1 before 5.1.46 does not check privileges before uninstalling a plugin, which allows remote attackers to uninstall arbitrary plugins via the UNINSTALL PLUGIN command.
Vulnerable Software & Versions:
Severity:
Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-20 Improper Input Validation
The vio_verify_callback function in viosslfactories.c in MySQL 5.0.x before 5.0.88 and 5.1.x before 5.1.41, when OpenSSL is used, accepts a value of zero for the depth of X.509 certificates, which allows man-in-the-middle attackers to spoof arbitrary SSL-based MySQL servers via a crafted certificate, as demonstrated by a certificate presented by a server linked against the yaSSL library.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:N/A:P)
sql/item_xmlfunc.cc in MySQL 5.1 before 5.1.32 and 6.0 before 6.0.10 allows remote authenticated users to cause a denial of service (crash) via "an XPath expression employing a scalar expression as a FilterExpr with ExtractValue() or UpdateXML()," which triggers an assertion failure.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.6 (AV:N/AC:H/Au:S/C:P/I:P/A:P)
CWE: CWE-59 Improper Link Resolution Before File Access ('Link Following')
MySQL before 5.0.67 allows local users to bypass certain privilege checks by calling CREATE TABLE on a MyISAM table with modified (1) DATA DIRECTORY or (2) INDEX DIRECTORY arguments that are originally associated with pathnames without symlinks, and that can point to tables created at a future time at which a pathname is modified to contain a symlink to a subdirectory of the MySQL home data directory. NOTE: this vulnerability exists because of an incomplete fix for CVE-2008-4097.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.6 (AV:N/AC:H/Au:S/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls
MySQL 4.1.x before 4.1.24, 5.0.x before 5.0.60, 5.1.x before 5.1.24, and 6.0.x before 6.0.5 allows local users to bypass certain privilege checks by calling CREATE TABLE on a MyISAM table with modified (1) DATA DIRECTORY or (2) INDEX DIRECTORY arguments that are within the MySQL home data directory, which can point to tables that are created in the future.
Vulnerable Software & Versions: (show all)
Severity:
High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer
Multiple buffer overflows in yaSSL 1.7.5 and earlier, as used in MySQL and possibly other products, allow remote attackers to execute arbitrary code via (1) the ProcessOldClientHello function in handshake.cpp or (2) "input_buffer& operator>>" in yassl_imp.cpp.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:N/A:P)
CWE: CWE-20 Improper Input Validation
The convert_search_mode_to_innobase function in ha_innodb.cc in the InnoDB engine in MySQL 5.1.23-BK and earlier allows remote authenticated users to cause a denial of service (database crash) via a certain CONTAINS operation on an indexed column, which triggers an assertion error.
Vulnerable Software & Versions:
Severity:
Medium
CVSS Score: 4.9 (AV:N/AC:M/Au:S/C:N/I:P/A:P)
MySQL before 4.1.23, 5.0.x before 5.0.42, and 5.1.x before 5.1.18 does not require the DROP privilege for RENAME TABLE statements, which allows remote authenticated users to rename arbitrary tables.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:N/A:P)
CWE: CWE-189 Numeric Errors
The in_decimal::set function in item_cmpfunc.cc in MySQL before 5.0.40, and 5.1 before 5.1.18-beta, allows context-dependent attackers to cause a denial of service (crash) via a crafted IF clause that results in a divide-by-zero error and a NULL pointer dereference.
Vulnerable Software & Versions: (show all)
Severity:
Low
CVSS Score: 2.1 (AV:L/AC:L/Au:N/C:N/I:N/A:P)
MySQL 5.x before 5.0.36 allows local users to cause a denial of service (database crash) by performing information_schema table subselects and using ORDER BY to sort a single-row result, which prevents certain structure elements from being initialized and triggers a NULL dereference in the filesort function.
Vulnerable Software & Versions: (show all)
Severity:
Low
CVSS Score: 3.5 (AV:N/AC:M/Au:S/C:N/I:N/A:P)
CWE: CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
sql_select.cc in MySQL 5.0.x before 5.0.32 and 5.1.x before 5.1.14 allows remote authenticated users to cause a denial of service (crash) via an EXPLAIN SELECT FROM on the INFORMATION_SCHEMA table, as originally demonstrated using ORDER BY.
Vulnerable Software & Versions: (show all)
Severity:
Low
CVSS Score: 2.6 (AV:N/AC:H/Au:N/C:N/I:N/A:P)
MySQL 4.x before 4.0.21, and 3.x before 3.23.49, allows attackers to cause a denial of service (crash or hang) via multiple threads that simultaneously alter MERGE table UNIONs.
Vulnerable Software & Versions: (show all)
Severity:
High
CVSS Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
CWE: CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer
Buffer overflow in the mysql_real_connect function in MySQL 4.x before 4.0.21, and 3.x before 3.23.49, allows remote DNS servers to cause a denial of service and possibly execute arbitrary code via a DNS response with a large address length (h_length).
Vulnerable Software & Versions: (show all)
Severity:
High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
MySQL 3.x before 3.23.59, 4.x before 4.0.19, 4.1.x before 4.1.2, and 5.x before 5.0.1, checks the CREATE/INSERT rights of the original table instead of the target table in an ALTER TABLE RENAME operation, which could allow attackers to conduct unauthorized activities.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.6 (AV:L/AC:L/Au:N/C:P/I:P/A:P)
The mysqlhotcopy script in mysql 4.0.20 and earlier, when using the scp method from the mysql-server package, allows local users to overwrite arbitrary files via a symlink attack on temporary files.
Vulnerable Software & Versions:
Severity:
Medium
CVSS Score: 4.0 (AV:N/AC:H/Au:N/C:N/I:P/A:P)
Stack-based buffer overflow in the mysql_real_connect function in the MySql client library (libmysqlclient) 4.0.13 and earlier allows local users to execute arbitrary code via a long socket name, a different vulnerability than CVE-2001-1453.
Vulnerable Software & Versions:
Severity:
High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Buffer overflow in MySQL before 3.23.33 allows remote attackers to execute arbitrary code via a long drop database request.
Vulnerable Software & Versions:
Severity:
High
CVSS Score: 7.2 (AV:L/AC:L/Au:N/C:C/I:C/A:C)
MySQL before 3.23.31 allows users with a MySQL account to use the SHOW GRANTS command to obtain the encrypted administrator password from the mysql.user table and possibly gain privileges via password cracking.
Vulnerable Software & Versions:
Severity:
High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Buffer overflow in MySQL before 3.23.31 allows attackers to cause a denial of service and possibly gain privileges.
Vulnerable Software & Versions:
Severity:
Medium
CVSS Score: 4.6 (AV:L/AC:L/Au:N/C:P/I:P/A:P)
Directory traversal vulnerability in MySQL before 3.23.36 allows local users to modify arbitrary files and gain privileges by creating a database whose name starts with .. (dot dot).
Vulnerable Software & Versions:
Description: A component of the BIRT runtime
License:
Eclipse Public License - v 1.0: http://www.eclipse.org/org/documents/epl-v10.htmlFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.eclipse.birt.runtime\org.eclipse.datatools.enablement.mysql\1.0.4.v201212120617\b8862d790cf4715ce8b1a5c54d9fa9ee2557154f\org.eclipse.datatools.enablement.mysql-1.0.4.v201212120617.jar
Severity:
Medium
CVSS Score: 4.9 (AV:N/AC:M/Au:S/C:P/I:P/A:N)
Unspecified vulnerability in the MySQL Connectors component in Oracle MySQL 5.1.34 and earlier allows remote authenticated users to affect confidentiality and integrity via unknown vectors related to Connector/J.
Vulnerable Software & Versions:
Severity:
High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer
Buffer overflow in client/mysql.cc in Oracle MySQL and MariaDB before 5.5.35 allows remote database servers to cause a denial of service (crash) and possibly execute arbitrary code via a long server version string.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 5.5 (AV:N/AC:L/Au:S/C:P/I:P/A:N)
CWE: CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Unspecified vulnerability in the Server component in Oracle MySQL 5.1.66 and earlier, and 5.1.28 and earlier, allows remote authenticated users to affect confidentiality and integrity via unknown vectors related to Server Replication.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-255 Credentials Management
Oracle MySQL and MariaDB 5.5.x before 5.5.29, 5.3.x before 5.3.12, and 5.2.x before 5.2.14 does not modify the salt during multiple executions of the change_user command within the same connection which makes it easier for remote authenticated users to conduct brute force password guessing attacks.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:N/A:P)
Oracle MySQL 5.1 before 5.1.49 and 5.0 before 5.0.92 allows remote authenticated users to cause a denial of service (mysqld daemon crash) by using EXPLAIN with crafted "SELECT ... UNION ... ORDER BY (SELECT ... WHERE ...)" statements, which triggers a NULL pointer dereference in the Item_singlerow_subselect::store function.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:N/A:P)
CWE: CWE-399 Resource Management Errors
Oracle MySQL 5.1 before 5.1.49 and 5.0 before 5.0.92 allows remote authenticated users to cause a denial of service (mysqld daemon crash) via a join query that uses a table with a unique SET column.
Vulnerable Software & Versions: (show all)
Severity:
Low
CVSS Score: 3.5 (AV:N/AC:M/Au:S/C:N/I:N/A:P)
CWE: CWE-20 Improper Input Validation
MySQL before 5.1.48 allows remote authenticated users with alter database privileges to cause a denial of service (server crash and database loss) via an ALTER DATABASE command with a #mysql50# string followed by a . (dot), .. (dot dot), ../ (dot dot slash) or similar sequence, and an UPGRADE DATA DIRECTORY NAME command, which causes MySQL to move certain directories to the server data directory.
Vulnerable Software & Versions: (show all)
Severity:
Low
CVSS Score: 3.6 (AV:L/AC:L/Au:N/C:N/I:P/A:P)
CWE: CWE-59 Improper Link Resolution Before File Access ('Link Following')
MySQL before 5.1.46 allows local users to delete the data and index files of another user's MyISAM table via a symlink attack in conjunction with the DROP TABLE command, a different vulnerability than CVE-2008-4098 and CVE-2008-7247.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)
CWE: CWE-264 Permissions, Privileges, and Access Controls
The mysql_uninstall_plugin function in sql/sql_plugin.cc in MySQL 5.1 before 5.1.46 does not check privileges before uninstalling a plugin, which allows remote attackers to uninstall arbitrary plugins via the UNINSTALL PLUGIN command.
Vulnerable Software & Versions:
Severity:
Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-20 Improper Input Validation
The vio_verify_callback function in viosslfactories.c in MySQL 5.0.x before 5.0.88 and 5.1.x before 5.1.41, when OpenSSL is used, accepts a value of zero for the depth of X.509 certificates, which allows man-in-the-middle attackers to spoof arbitrary SSL-based MySQL servers via a crafted certificate, as demonstrated by a certificate presented by a server linked against the yaSSL library.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:N/A:P)
sql/item_xmlfunc.cc in MySQL 5.1 before 5.1.32 and 6.0 before 6.0.10 allows remote authenticated users to cause a denial of service (crash) via "an XPath expression employing a scalar expression as a FilterExpr with ExtractValue() or UpdateXML()," which triggers an assertion failure.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.6 (AV:N/AC:H/Au:S/C:P/I:P/A:P)
CWE: CWE-59 Improper Link Resolution Before File Access ('Link Following')
MySQL before 5.0.67 allows local users to bypass certain privilege checks by calling CREATE TABLE on a MyISAM table with modified (1) DATA DIRECTORY or (2) INDEX DIRECTORY arguments that are originally associated with pathnames without symlinks, and that can point to tables created at a future time at which a pathname is modified to contain a symlink to a subdirectory of the MySQL home data directory. NOTE: this vulnerability exists because of an incomplete fix for CVE-2008-4097.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.6 (AV:N/AC:H/Au:S/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls
MySQL 4.1.x before 4.1.24, 5.0.x before 5.0.60, 5.1.x before 5.1.24, and 6.0.x before 6.0.5 allows local users to bypass certain privilege checks by calling CREATE TABLE on a MyISAM table with modified (1) DATA DIRECTORY or (2) INDEX DIRECTORY arguments that are within the MySQL home data directory, which can point to tables that are created in the future.
Vulnerable Software & Versions: (show all)
Severity:
High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer
Multiple buffer overflows in yaSSL 1.7.5 and earlier, as used in MySQL and possibly other products, allow remote attackers to execute arbitrary code via (1) the ProcessOldClientHello function in handshake.cpp or (2) "input_buffer& operator>>" in yassl_imp.cpp.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:N/A:P)
CWE: CWE-20 Improper Input Validation
The convert_search_mode_to_innobase function in ha_innodb.cc in the InnoDB engine in MySQL 5.1.23-BK and earlier allows remote authenticated users to cause a denial of service (database crash) via a certain CONTAINS operation on an indexed column, which triggers an assertion error.
Vulnerable Software & Versions:
Severity:
Medium
CVSS Score: 4.9 (AV:N/AC:M/Au:S/C:N/I:P/A:P)
MySQL before 4.1.23, 5.0.x before 5.0.42, and 5.1.x before 5.1.18 does not require the DROP privilege for RENAME TABLE statements, which allows remote authenticated users to rename arbitrary tables.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:N/A:P)
CWE: CWE-189 Numeric Errors
The in_decimal::set function in item_cmpfunc.cc in MySQL before 5.0.40, and 5.1 before 5.1.18-beta, allows context-dependent attackers to cause a denial of service (crash) via a crafted IF clause that results in a divide-by-zero error and a NULL pointer dereference.
Vulnerable Software & Versions: (show all)
Severity:
Low
CVSS Score: 2.1 (AV:L/AC:L/Au:N/C:N/I:N/A:P)
MySQL 5.x before 5.0.36 allows local users to cause a denial of service (database crash) by performing information_schema table subselects and using ORDER BY to sort a single-row result, which prevents certain structure elements from being initialized and triggers a NULL dereference in the filesort function.
Vulnerable Software & Versions: (show all)
Severity:
Low
CVSS Score: 3.5 (AV:N/AC:M/Au:S/C:N/I:N/A:P)
CWE: CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
sql_select.cc in MySQL 5.0.x before 5.0.32 and 5.1.x before 5.1.14 allows remote authenticated users to cause a denial of service (crash) via an EXPLAIN SELECT FROM on the INFORMATION_SCHEMA table, as originally demonstrated using ORDER BY.
Vulnerable Software & Versions: (show all)
Severity:
Low
CVSS Score: 2.6 (AV:N/AC:H/Au:N/C:N/I:N/A:P)
MySQL 4.x before 4.0.21, and 3.x before 3.23.49, allows attackers to cause a denial of service (crash or hang) via multiple threads that simultaneously alter MERGE table UNIONs.
Vulnerable Software & Versions: (show all)
Severity:
High
CVSS Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
CWE: CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer
Buffer overflow in the mysql_real_connect function in MySQL 4.x before 4.0.21, and 3.x before 3.23.49, allows remote DNS servers to cause a denial of service and possibly execute arbitrary code via a DNS response with a large address length (h_length).
Vulnerable Software & Versions: (show all)
Severity:
High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
MySQL 3.x before 3.23.59, 4.x before 4.0.19, 4.1.x before 4.1.2, and 5.x before 5.0.1, checks the CREATE/INSERT rights of the original table instead of the target table in an ALTER TABLE RENAME operation, which could allow attackers to conduct unauthorized activities.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.6 (AV:L/AC:L/Au:N/C:P/I:P/A:P)
The mysqlhotcopy script in mysql 4.0.20 and earlier, when using the scp method from the mysql-server package, allows local users to overwrite arbitrary files via a symlink attack on temporary files.
Vulnerable Software & Versions:
Severity:
Medium
CVSS Score: 4.0 (AV:N/AC:H/Au:N/C:N/I:P/A:P)
Stack-based buffer overflow in the mysql_real_connect function in the MySql client library (libmysqlclient) 4.0.13 and earlier allows local users to execute arbitrary code via a long socket name, a different vulnerability than CVE-2001-1453.
Vulnerable Software & Versions:
Severity:
High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Buffer overflow in MySQL before 3.23.33 allows remote attackers to execute arbitrary code via a long drop database request.
Vulnerable Software & Versions:
Severity:
High
CVSS Score: 7.2 (AV:L/AC:L/Au:N/C:C/I:C/A:C)
MySQL before 3.23.31 allows users with a MySQL account to use the SHOW GRANTS command to obtain the encrypted administrator password from the mysql.user table and possibly gain privileges via password cracking.
Vulnerable Software & Versions:
Severity:
High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Buffer overflow in MySQL before 3.23.31 allows attackers to cause a denial of service and possibly gain privileges.
Vulnerable Software & Versions:
Severity:
Medium
CVSS Score: 4.6 (AV:L/AC:L/Au:N/C:P/I:P/A:P)
Directory traversal vulnerability in MySQL before 3.23.36 allows local users to modify arbitrary files and gain privileges by creating a database whose name starts with .. (dot dot).
Vulnerable Software & Versions:
Description: A component of the BIRT runtime
License:
Eclipse Public License - v 1.0: http://www.eclipse.org/org/documents/epl-v10.htmlFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.eclipse.birt.runtime\org.eclipse.datatools.enablement.oda.ws\1.2.6.v201403131825\cc7814580f2fb5890c54681fec0f98b3e1386b51\org.eclipse.datatools.enablement.oda.ws-1.2.6.v201403131825.jar
Severity:
Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Cross-site scripting (XSS) vulnerability in birt-viewer/run in Eclipse Business Intelligence and Reporting Tools (BIRT) before 2.5.0, as used in KonaKart and other products, allows remote attackers to inject arbitrary web script or HTML via the __report parameter.
Vulnerable Software & Versions:
Description: A component of the BIRT runtime
License:
Eclipse Public License - v 1.0: http://www.eclipse.org/org/documents/epl-v10.htmlFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.eclipse.birt.runtime\org.eclipse.datatools.enablement.oda.xml\1.2.5.v201305031101\b5be50518c251d4c022959aeb6f871d6fea33fcc\org.eclipse.datatools.enablement.oda.xml-1.2.5.v201305031101.jar
Severity:
Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Cross-site scripting (XSS) vulnerability in birt-viewer/run in Eclipse Business Intelligence and Reporting Tools (BIRT) before 2.5.0, as used in KonaKart and other products, allows remote attackers to inject arbitrary web script or HTML via the __report parameter.
Vulnerable Software & Versions:
Description: A component of the BIRT runtime
License:
Eclipse Public License - v 1.0: http://www.eclipse.org/org/documents/epl-v10.htmlFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.eclipse.birt.runtime\org.eclipse.datatools.enablement.oracle.dbdefinition\1.0.103.v201206010214\af90f9d09101fb165a260896477c01385b6c8fd1\org.eclipse.datatools.enablement.oracle.dbdefinition-1.0.103.v201206010214.jar
Severity:
Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Cross-site scripting (XSS) vulnerability in birt-viewer/run in Eclipse Business Intelligence and Reporting Tools (BIRT) before 2.5.0, as used in KonaKart and other products, allows remote attackers to inject arbitrary web script or HTML via the __report parameter.
Vulnerable Software & Versions:
Description: A component of the BIRT runtime
License:
Eclipse Public License - v 1.0: http://www.eclipse.org/org/documents/epl-v10.htmlFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.eclipse.birt.runtime\org.eclipse.datatools.enablement.oracle\1.0.0.v201107221506\5628f462cfa241fff7b11f1df4c21802f174dd08\org.eclipse.datatools.enablement.oracle-1.0.0.v201107221506.jar
Severity:
Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Cross-site scripting (XSS) vulnerability in birt-viewer/run in Eclipse Business Intelligence and Reporting Tools (BIRT) before 2.5.0, as used in KonaKart and other products, allows remote attackers to inject arbitrary web script or HTML via the __report parameter.
Vulnerable Software & Versions:
Description: A component of the BIRT runtime
License:
Eclipse Public License - v 1.0: http://www.eclipse.org/org/documents/epl-v10.htmlFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.eclipse.birt.runtime\org.eclipse.datatools.enablement.postgresql.dbdefinition\1.0.2.v201110070445\8021bc614192f060a880cc407aba8adcfea6fb7f\org.eclipse.datatools.enablement.postgresql.dbdefinition-1.0.2.v201110070445.jar
Severity:
Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer
PostgreSQL before 9.1.20, 9.2.x before 9.2.15, 9.3.x before 9.3.11, 9.4.x before 9.4.6, and 9.5.x before 9.5.1 allows remote attackers to cause a denial of service (infinite loop or buffer overflow and crash) via a large Unicode character range in a regular expression.
Vulnerable Software & Versions: (show all)
Severity:
High
CVSS Score: 9.0 (AV:N/AC:L/Au:S/C:C/I:C/A:C)
CWE: CWE-264 Permissions, Privileges, and Access Controls
PostgreSQL before 9.1.20, 9.2.x before 9.2.15, 9.3.x before 9.3.11, 9.4.x before 9.4.6, and 9.5.x before 9.5.1 does not properly restrict access to unspecified custom configuration settings (GUCS) for PL/Java, which allows attackers to gain privileges via unspecified vectors.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 6.4 (AV:N/AC:L/Au:N/C:P/I:N/A:P)
CWE: CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer
Multiple stack-based buffer overflows in json parsing in PostgreSQL before 9.3.x before 9.3.10 and 9.4.x before 9.4.5 allow attackers to cause a denial of service (server crash) via unspecified vectors, which are not properly handled in (1) json or (2) jsonb values.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 6.4 (AV:N/AC:L/Au:N/C:P/I:N/A:P)
CWE: CWE-200 Information Exposure
The crypt function in contrib/pgcrypto in PostgreSQL before 9.0.23, 9.1.x before 9.1.19, 9.2.x before 9.2.14, 9.3.x before 9.3.10, and 9.4.x before 9.4.5 allows attackers to cause a denial of service (server crash) or read arbitrary server memory via a "too-short" salt.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:N/A:P)
Double free vulnerability in PostgreSQL before 9.0.20, 9.1.x before 9.1.16, 9.2.x before 9.2.11, 9.3.x before 9.3.7, and 9.4.x before 9.4.2 allows remote attackers to cause a denial of service (crash) by closing an SSL session at a time when the authentication timeout will expire during the session shutdown sequence.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.6 (AV:L/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls
The "make check" command for the test suites in PostgreSQL 9.3.3 and earlier does not properly invoke initdb to specify the authentication requirements for a database cluster to be used for the tests, which allows local users to gain privileges by leveraging access to this cluster.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:N/A:P)
CWE: CWE-20 Improper Input Validation
The chkpass extension in PostgreSQL before 8.4.20, 9.0.x before 9.0.16, 9.1.x before 9.1.12, 9.2.x before 9.2.7, and 9.3.x before 9.3.3 does not properly check the return value of the crypt library function, which allows remote authenticated users to cause a denial of service (NULL pointer dereference and crash) via unspecified vectors.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
CWE: CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer
Multiple buffer overflows in PostgreSQL before 8.4.20, 9.0.x before 9.0.16, 9.1.x before 9.1.12, 9.2.x before 9.2.7, and 9.3.x before 9.3.3 allow remote authenticated users to have unspecified impact and attack vectors, a different vulnerability than CVE-2014-0063.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
CWE: CWE-189 Numeric Errors
Multiple integer overflows in the path_in and other unspecified functions in PostgreSQL before 8.4.20, 9.0.x before 9.0.16, 9.1.x before 9.1.12, 9.2.x before 9.2.7, and 9.3.x before 9.3.3 allow remote authenticated users to have unspecified impact and attack vectors, which trigger a buffer overflow. NOTE: this identifier has been SPLIT due to different affected versions; use CVE-2014-2669 for the hstore vector.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
CWE: CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer
Multiple stack-based buffer overflows in PostgreSQL before 8.4.20, 9.0.x before 9.0.16, 9.1.x before 9.1.12, 9.2.x before 9.2.7, and 9.3.x before 9.3.3 allow remote authenticated users to cause a denial of service (crash) or possibly execute arbitrary code via vectors related to an incorrect MAXDATELEN constant and datetime values involving (1) intervals, (2) timestamps, or (3) timezones, a different vulnerability than CVE-2014-0065.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.9 (AV:N/AC:M/Au:S/C:P/I:P/A:N)
CWE: CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
Race condition in the (1) CREATE INDEX and (2) unspecified ALTER TABLE commands in PostgreSQL before 8.4.20, 9.0.x before 9.0.16, 9.1.x before 9.1.12, 9.2.x before 9.2.7, and 9.3.x before 9.3.3 allows remote authenticated users to create an unauthorized index or read portions of unauthorized tables by creating or deleting a table with the same name during the timing window.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls
The validator functions for the procedural languages (PLs) in PostgreSQL before 8.4.20, 9.0.x before 9.0.16, 9.1.x before 9.1.12, 9.2.x before 9.2.7, and 9.3.x before 9.3.3 allow remote authenticated users to gain privileges via a function that is (1) defined in another language or (2) not allowed to be directly called by the user due to permissions.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:P/A:N)
CWE: CWE-264 Permissions, Privileges, and Access Controls
PostgreSQL before 8.4.20, 9.0.x before 9.0.16, 9.1.x before 9.1.12, 9.2.x before 9.2.7, and 9.3.x before 9.3.3 does not properly enforce the ADMIN OPTION restriction, which allows remote authenticated members of a role to add or remove arbitrary users to that role by calling the SET ROLE command before the associated GRANT command.
Vulnerable Software & Versions: (show all)
Severity:
Low
CVSS Score: 3.5 (AV:N/AC:M/Au:S/C:N/I:N/A:P)
CWE: CWE-189 Numeric Errors
Integer overflow in src/backend/executor/nodeHash.c in PostgreSQL 8.4.1 and earlier, and 8.5 through 8.5alpha2, allows remote authenticated users to cause a denial of service (daemon crash) via a SELECT statement with many LEFT JOIN clauses, related to certain hashtable size calculations.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:N/A:P)
CWE: CWE-399 Resource Management Errors
The regular expression parser in TCL before 8.4.17, as used in PostgreSQL 8.2 before 8.2.6, 8.1 before 8.1.11, 8.0 before 8.0.15, and 7.4 before 7.4.19, allows context-dependent attackers to cause a denial of service (infinite loop) via a crafted regular expression.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 6.0 (AV:N/AC:M/Au:S/C:P/I:P/A:P)
Untrusted search path vulnerability in PostgreSQL before 7.3.19, 7.4.x before 7.4.17, 8.0.x before 8.0.13, 8.1.x before 8.1.9, and 8.2.x before 8.2.4 allows remote authenticated users, when permitted to call a SECURITY DEFINER function, to gain the privileges of the function owner, related to "search_path settings."
Vulnerable Software & Versions: (show all)
Description: A component of the BIRT runtime
License:
Eclipse Public License - v 1.0: http://www.eclipse.org/org/documents/epl-v10.htmlFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.eclipse.birt.runtime\org.eclipse.datatools.enablement.postgresql\1.1.1.v201205252207\ddd733b059a41aa86aceed5344d1b4799802f5c0\org.eclipse.datatools.enablement.postgresql-1.1.1.v201205252207.jar
Severity:
Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer
PostgreSQL before 9.1.20, 9.2.x before 9.2.15, 9.3.x before 9.3.11, 9.4.x before 9.4.6, and 9.5.x before 9.5.1 allows remote attackers to cause a denial of service (infinite loop or buffer overflow and crash) via a large Unicode character range in a regular expression.
Vulnerable Software & Versions: (show all)
Severity:
High
CVSS Score: 9.0 (AV:N/AC:L/Au:S/C:C/I:C/A:C)
CWE: CWE-264 Permissions, Privileges, and Access Controls
PostgreSQL before 9.1.20, 9.2.x before 9.2.15, 9.3.x before 9.3.11, 9.4.x before 9.4.6, and 9.5.x before 9.5.1 does not properly restrict access to unspecified custom configuration settings (GUCS) for PL/Java, which allows attackers to gain privileges via unspecified vectors.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 6.4 (AV:N/AC:L/Au:N/C:P/I:N/A:P)
CWE: CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer
Multiple stack-based buffer overflows in json parsing in PostgreSQL before 9.3.x before 9.3.10 and 9.4.x before 9.4.5 allow attackers to cause a denial of service (server crash) via unspecified vectors, which are not properly handled in (1) json or (2) jsonb values.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 6.4 (AV:N/AC:L/Au:N/C:P/I:N/A:P)
CWE: CWE-200 Information Exposure
The crypt function in contrib/pgcrypto in PostgreSQL before 9.0.23, 9.1.x before 9.1.19, 9.2.x before 9.2.14, 9.3.x before 9.3.10, and 9.4.x before 9.4.5 allows attackers to cause a denial of service (server crash) or read arbitrary server memory via a "too-short" salt.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:N/A:P)
Double free vulnerability in PostgreSQL before 9.0.20, 9.1.x before 9.1.16, 9.2.x before 9.2.11, 9.3.x before 9.3.7, and 9.4.x before 9.4.2 allows remote attackers to cause a denial of service (crash) by closing an SSL session at a time when the authentication timeout will expire during the session shutdown sequence.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.6 (AV:L/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls
The "make check" command for the test suites in PostgreSQL 9.3.3 and earlier does not properly invoke initdb to specify the authentication requirements for a database cluster to be used for the tests, which allows local users to gain privileges by leveraging access to this cluster.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:N/A:P)
CWE: CWE-20 Improper Input Validation
The chkpass extension in PostgreSQL before 8.4.20, 9.0.x before 9.0.16, 9.1.x before 9.1.12, 9.2.x before 9.2.7, and 9.3.x before 9.3.3 does not properly check the return value of the crypt library function, which allows remote authenticated users to cause a denial of service (NULL pointer dereference and crash) via unspecified vectors.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
CWE: CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer
Multiple buffer overflows in PostgreSQL before 8.4.20, 9.0.x before 9.0.16, 9.1.x before 9.1.12, 9.2.x before 9.2.7, and 9.3.x before 9.3.3 allow remote authenticated users to have unspecified impact and attack vectors, a different vulnerability than CVE-2014-0063.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
CWE: CWE-189 Numeric Errors
Multiple integer overflows in the path_in and other unspecified functions in PostgreSQL before 8.4.20, 9.0.x before 9.0.16, 9.1.x before 9.1.12, 9.2.x before 9.2.7, and 9.3.x before 9.3.3 allow remote authenticated users to have unspecified impact and attack vectors, which trigger a buffer overflow. NOTE: this identifier has been SPLIT due to different affected versions; use CVE-2014-2669 for the hstore vector.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
CWE: CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer
Multiple stack-based buffer overflows in PostgreSQL before 8.4.20, 9.0.x before 9.0.16, 9.1.x before 9.1.12, 9.2.x before 9.2.7, and 9.3.x before 9.3.3 allow remote authenticated users to cause a denial of service (crash) or possibly execute arbitrary code via vectors related to an incorrect MAXDATELEN constant and datetime values involving (1) intervals, (2) timestamps, or (3) timezones, a different vulnerability than CVE-2014-0065.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.9 (AV:N/AC:M/Au:S/C:P/I:P/A:N)
CWE: CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
Race condition in the (1) CREATE INDEX and (2) unspecified ALTER TABLE commands in PostgreSQL before 8.4.20, 9.0.x before 9.0.16, 9.1.x before 9.1.12, 9.2.x before 9.2.7, and 9.3.x before 9.3.3 allows remote authenticated users to create an unauthorized index or read portions of unauthorized tables by creating or deleting a table with the same name during the timing window.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls
The validator functions for the procedural languages (PLs) in PostgreSQL before 8.4.20, 9.0.x before 9.0.16, 9.1.x before 9.1.12, 9.2.x before 9.2.7, and 9.3.x before 9.3.3 allow remote authenticated users to gain privileges via a function that is (1) defined in another language or (2) not allowed to be directly called by the user due to permissions.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:P/A:N)
CWE: CWE-264 Permissions, Privileges, and Access Controls
PostgreSQL before 8.4.20, 9.0.x before 9.0.16, 9.1.x before 9.1.12, 9.2.x before 9.2.7, and 9.3.x before 9.3.3 does not properly enforce the ADMIN OPTION restriction, which allows remote authenticated members of a role to add or remove arbitrary users to that role by calling the SET ROLE command before the associated GRANT command.
Vulnerable Software & Versions: (show all)
Severity:
Low
CVSS Score: 3.5 (AV:N/AC:M/Au:S/C:N/I:N/A:P)
CWE: CWE-189 Numeric Errors
Integer overflow in src/backend/executor/nodeHash.c in PostgreSQL 8.4.1 and earlier, and 8.5 through 8.5alpha2, allows remote authenticated users to cause a denial of service (daemon crash) via a SELECT statement with many LEFT JOIN clauses, related to certain hashtable size calculations.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:N/A:P)
CWE: CWE-399 Resource Management Errors
The regular expression parser in TCL before 8.4.17, as used in PostgreSQL 8.2 before 8.2.6, 8.1 before 8.1.11, 8.0 before 8.0.15, and 7.4 before 7.4.19, allows context-dependent attackers to cause a denial of service (infinite loop) via a crafted regular expression.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 6.0 (AV:N/AC:M/Au:S/C:P/I:P/A:P)
Untrusted search path vulnerability in PostgreSQL before 7.3.19, 7.4.x before 7.4.17, 8.0.x before 8.0.13, 8.1.x before 8.1.9, and 8.2.x before 8.2.4 allows remote authenticated users, when permitted to call a SECURITY DEFINER function, to gain the privileges of the function owner, related to "search_path settings."
Vulnerable Software & Versions: (show all)
Description: A component of the BIRT runtime
License:
Eclipse Public License - v 1.0: http://www.eclipse.org/org/documents/epl-v10.htmlFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.eclipse.birt.runtime\org.eclipse.datatools.modelbase.dbdefinition\1.0.2.v201107221519\725b5a9cbd280b8e6c9a6fd32cbe44bf1aae10a3\org.eclipse.datatools.modelbase.dbdefinition-1.0.2.v201107221519.jar
Severity:
Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Cross-site scripting (XSS) vulnerability in birt-viewer/run in Eclipse Business Intelligence and Reporting Tools (BIRT) before 2.5.0, as used in KonaKart and other products, allows remote attackers to inject arbitrary web script or HTML via the __report parameter.
Vulnerable Software & Versions:
Description: A component of the BIRT runtime
License:
Eclipse Public License - v 1.0: http://www.eclipse.org/org/documents/epl-v10.htmlFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.eclipse.birt.runtime\org.eclipse.datatools.modelbase.derby\1.0.0.v201107221519\93018a0f0e585dd4ceb70e849570d6143034273a\org.eclipse.datatools.modelbase.derby-1.0.0.v201107221519.jar
Severity:
Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Cross-site scripting (XSS) vulnerability in birt-viewer/run in Eclipse Business Intelligence and Reporting Tools (BIRT) before 2.5.0, as used in KonaKart and other products, allows remote attackers to inject arbitrary web script or HTML via the __report parameter.
Vulnerable Software & Versions:
Description: A component of the BIRT runtime
License:
Eclipse Public License - v 1.0: http://www.eclipse.org/org/documents/epl-v10.htmlFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.eclipse.birt.runtime\org.eclipse.datatools.modelbase.sql.query\1.1.4.v201212120619\663bfc41efd6030a37f7e6e7baf3b259606c1bcc\org.eclipse.datatools.modelbase.sql.query-1.1.4.v201212120619.jar
Severity:
Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Cross-site scripting (XSS) vulnerability in birt-viewer/run in Eclipse Business Intelligence and Reporting Tools (BIRT) before 2.5.0, as used in KonaKart and other products, allows remote attackers to inject arbitrary web script or HTML via the __report parameter.
Vulnerable Software & Versions:
Description: A component of the BIRT runtime
License:
Eclipse Public License - v 1.0: http://www.eclipse.org/org/documents/epl-v10.htmlFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.eclipse.birt.runtime\org.eclipse.datatools.modelbase.sql\1.0.6.v201208230744\731de727a1154c562038b045fa247716f68e93fe\org.eclipse.datatools.modelbase.sql-1.0.6.v201208230744.jar
Severity:
Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Cross-site scripting (XSS) vulnerability in birt-viewer/run in Eclipse Business Intelligence and Reporting Tools (BIRT) before 2.5.0, as used in KonaKart and other products, allows remote attackers to inject arbitrary web script or HTML via the __report parameter.
Vulnerable Software & Versions:
Description: A component of the BIRT runtime
License:
Eclipse Public License - v 1.0: http://www.eclipse.org/org/documents/epl-v10.htmlFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.eclipse.birt.runtime\org.eclipse.emf.common\2.10.1.v20140901-1043\4a9dbfa87401190c710c16dcbbc7a2ea7cc3ff70\org.eclipse.emf.common-2.10.1.v20140901-1043.jar
Description: A component of the BIRT runtime
License:
Eclipse Public License - v 1.0: http://www.eclipse.org/org/documents/epl-v10.htmlFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.eclipse.birt.runtime\org.eclipse.emf.ecore.change\2.10.0.v20140901-1043\c42c134004940345d45bf8367dae63c871a2420f\org.eclipse.emf.ecore.change-2.10.0.v20140901-1043.jar
Description: A component of the BIRT runtime
License:
Eclipse Public License - v 1.0: http://www.eclipse.org/org/documents/epl-v10.htmlFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.eclipse.birt.runtime\org.eclipse.emf.ecore.xmi\2.10.1.v20140901-1043\2a524cbae6c0ad0410c89270eb928ad90f75c95e\org.eclipse.emf.ecore.xmi-2.10.1.v20140901-1043.jar
Description: A component of the BIRT runtime
License:
Eclipse Public License - v 1.0: http://www.eclipse.org/org/documents/epl-v10.htmlFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.eclipse.birt.runtime\org.eclipse.emf.ecore\2.10.1.v20140901-1043\2da5a93e1d6eb2b6f78f215accc3304209b26104\org.eclipse.emf.ecore-2.10.1.v20140901-1043.jar
Description: A component of the BIRT runtime
License:
Eclipse Public License - v 1.0: http://www.eclipse.org/org/documents/epl-v10.htmlFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.eclipse.birt.runtime\org.eclipse.emf\2.6.0.v20140901-1055\11d8c54ef675a951256777a9f36ebf7e1646ffd6\org.eclipse.emf-2.6.0.v20140901-1055.jar
Description: A component of the BIRT runtime
License:
Eclipse Public License - v 1.0: http://www.eclipse.org/org/documents/epl-v10.htmlFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.eclipse.birt.runtime\org.eclipse.equinox.app\1.3.100.v20130327-1442\cfe0deab8c3c4f4caea3767bc8bbaa4789b8f782\org.eclipse.equinox.app-1.3.100.v20130327-1442.jar
Severity:
Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Cross-site scripting (XSS) vulnerability in birt-viewer/run in Eclipse Business Intelligence and Reporting Tools (BIRT) before 2.5.0, as used in KonaKart and other products, allows remote attackers to inject arbitrary web script or HTML via the __report parameter.
Vulnerable Software & Versions:
Description: A component of the BIRT runtime
License:
Eclipse Public License - v 1.0: http://www.eclipse.org/org/documents/epl-v10.htmlFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.eclipse.birt.runtime\org.eclipse.equinox.common\3.6.200.v20130402-1505\550778d95ea4d5f2fee765e85eb799cec21067e0\org.eclipse.equinox.common-3.6.200.v20130402-1505.jar
Description: A component of the BIRT runtime
License:
Eclipse Public License - v 1.0: http://www.eclipse.org/org/documents/epl-v10.htmlFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.eclipse.birt.runtime\org.eclipse.equinox.preferences\3.5.100.v20130422-1538\bc48b6b0c00898d5eb2cbd6024fc0235ae04f3d2\org.eclipse.equinox.preferences-3.5.100.v20130422-1538.jar
Description: A component of the BIRT runtime
License:
Eclipse Public License - v 1.0: http://www.eclipse.org/org/documents/epl-v10.htmlFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.eclipse.birt.runtime\org.eclipse.equinox.registry\3.5.400.v20140428-1507\897775850f15e1595464bbff11562583b8132499\org.eclipse.equinox.registry-3.5.400.v20140428-1507.jar
Description: A component of the BIRT runtime
License:
Eclipse Public License - v 1.0: http://www.eclipse.org/org/documents/epl-v10.htmlFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.eclipse.birt.runtime\org.eclipse.orbit.mongodb\2.10.1.v20130422-1135\98f0232dc80679a3f5c1effe15344dc7ceac98dc\org.eclipse.orbit.mongodb-2.10.1.v20130422-1135.jar
Description: A component of the BIRT runtime
License:
Eclipse Public License - v 1.0: http://www.eclipse.org/org/documents/epl-v10.htmlFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.eclipse.birt.runtime\org.eclipse.osgi.services\3.3.100.v20130513-1956\1d73531fac5372870373a06193985611b1239f0c\org.eclipse.osgi.services-3.3.100.v20130513-1956.jar
Description: A component of the BIRT runtime
License:
Eclipse Public License - v 1.0: http://www.eclipse.org/org/documents/epl-v10.htmlFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.eclipse.birt.runtime\org.eclipse.osgi\3.10.1.v20140909-1633\e6a47e8e3edaf8b3cf74a1d5540a9c91369fb28a\org.eclipse.osgi-3.10.1.v20140909-1633.jar
Description: A component of the BIRT runtime
License:
Eclipse Public License - v 1.0: http://www.eclipse.org/org/documents/epl-v10.htmlFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.eclipse.birt.runtime\org.eclipse.update.configurator\3.3.200.v20130326-1319\4375455f2f0bd4f014e79758bbb3d4b7340e2943\org.eclipse.update.configurator-3.3.200.v20130326-1319.jar
Description: A component of the BIRT runtime
License:
Eclipse Public License - v 1.0: http://www.eclipse.org/org/documents/epl-v10.htmlFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.eclipse.birt.runtime\viewservlets\4.5.0\59c773f6cd138d08b18c47ed2c1581283f573fd\viewservlets-4.5.0.jar
Description: Eclipse JDT Core Batch Compiler
License:
Eclipse Public License v1.0: http://www.eclipse.org/org/documents/epl-v10.phpFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.eclipse.jdt.core.compiler\ecj\4.5\6ee0a678915ddac550d9187c896be6cb76f5cd2f\ecj-4.5.jar
Description: Asynchronous API
License:
http://www.apache.org/licenses/LICENSE-2.0, http://www.eclipse.org/org/documents/epl-v10.phpFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.eclipse.jetty\jetty-continuation\9.2.11.v20150529\75cdf86a2d808dde511360884fe090d74327886\jetty-continuation-9.2.11.v20150529.jar
Description: Jetty deployers
License:
http://www.apache.org/licenses/LICENSE-2.0, http://www.eclipse.org/org/documents/epl-v10.phpFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.eclipse.jetty\jetty-deploy\9.2.11.v20150529\5a302b965bae412e9a8fded5beccfde615d889a9\jetty-deploy-9.2.11.v20150529.jar
Description: Administrative parent pom for Jetty modules
License:
http://www.apache.org/licenses/LICENSE-2.0, http://www.eclipse.org/org/documents/epl-v10.phpFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.eclipse.jetty\jetty-http\9.2.11.v20150529\303ac0a8ee866eff197188d69b59d3bb2d7405f9\jetty-http-9.2.11.v20150529.jar
Description: Administrative parent pom for Jetty modules
License:
http://www.apache.org/licenses/LICENSE-2.0, http://www.eclipse.org/org/documents/epl-v10.phpFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.eclipse.jetty\jetty-io\9.2.11.v20150529\8d13b907fcc1bc190901f6842752fc6be8d406cf\jetty-io-9.2.11.v20150529.jar
Description: JMX management artifact for jetty.
License:
http://www.apache.org/licenses/LICENSE-2.0, http://www.eclipse.org/org/documents/epl-v10.phpFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.eclipse.jetty\jetty-jmx\9.2.11.v20150529\6092ba81b8d1c1c88b160b8010b7f0bc7ecc5dec\jetty-jmx-9.2.11.v20150529.jar
Description: Jetty Rewrite Handler
License:
http://www.apache.org/licenses/LICENSE-2.0, http://www.eclipse.org/org/documents/epl-v10.phpFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.eclipse.jetty\jetty-rewrite\9.2.11.v20150529\7e019b21adfd7ac88bfaa4f0560f1d511b02b731\jetty-rewrite-9.2.11.v20150529.jar
Description: Jetty security infrastructure
License:
http://www.apache.org/licenses/LICENSE-2.0, http://www.eclipse.org/org/documents/epl-v10.phpFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.eclipse.jetty\jetty-security\9.2.11.v20150529\874b41038d29d0235926f306c8df6899d276922e\jetty-security-9.2.11.v20150529.jar
Description: The core jetty server artifact.
License:
http://www.apache.org/licenses/LICENSE-2.0, http://www.eclipse.org/org/documents/epl-v10.phpFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.eclipse.jetty\jetty-server\9.2.11.v20150529\bd80f760d08db7a1416342c13d470ba8c273ba66\jetty-server-9.2.11.v20150529.jar
Description: Jetty Servlet Container
License:
http://www.apache.org/licenses/LICENSE-2.0, http://www.eclipse.org/org/documents/epl-v10.phpFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.eclipse.jetty\jetty-servlet\9.2.11.v20150529\eaae94e6432866d7794b9547bc0cdaa423de54ba\jetty-servlet-9.2.11.v20150529.jar
Description: Utility Servlets from Jetty
License:
http://www.apache.org/licenses/LICENSE-2.0, http://www.eclipse.org/org/documents/epl-v10.phpFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.eclipse.jetty\jetty-servlets\9.2.11.v20150529\325fca6518de46cd8c860c2927c3a32fdeb05d6\jetty-servlets-9.2.11.v20150529.jar
Description: Utility classes for Jetty
License:
http://www.apache.org/licenses/LICENSE-2.0, http://www.eclipse.org/org/documents/epl-v10.phpFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.eclipse.jetty\jetty-util\9.2.11.v20150529\5f547da1eb601c2a4697ecfeb425f8f6961800c3\jetty-util-9.2.11.v20150529.jar
Description: Jetty web application support
License:
http://www.apache.org/licenses/LICENSE-2.0, http://www.eclipse.org/org/documents/epl-v10.phpFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.eclipse.jetty\jetty-webapp\9.2.11.v20150529\499880de6fe26368d4fe53a78b54764c6e34f083\jetty-webapp-9.2.11.v20150529.jar
Description: The jetty xml utilities.
License:
http://www.apache.org/licenses/LICENSE-2.0, http://www.eclipse.org/org/documents/epl-v10.phpFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.eclipse.jetty\jetty-xml\9.2.11.v20150529\f3549e42db4330d90f52cf689699e2247308f986\jetty-xml-9.2.11.v20150529.jar
Description:
FreeMarker is a "template engine"; a generic tool to generate text output based on templates.
License:
Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.freemarker\freemarker\2.3.24-incubating\2b741197704a2df0f0b11cadb7a9e54a5604b2a6\freemarker-2.3.24-incubating.jar
Description: An uber jar which contains all the leveldbjni platform libraries and dependencies
License:
http://www.opensource.org/licenses/BSD-3-ClauseFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.fusesource.leveldbjni\leveldbjni-all\1.8\707350a2eeb1fa2ed77a32ddb3893ed308e941db\leveldbjni-all-1.8.jar
File Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.fusesource.leveldbjni\leveldbjni-all\1.8\707350a2eeb1fa2ed77a32ddb3893ed308e941db\leveldbjni-all-1.8.jar\META-INF\native\windows32\leveldbjni.dll
MD5: 551b9310a9ed358359296a89715df2f4
SHA1: bba450e93688b872b3fcaa31e8457950e97d8429
File Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.fusesource.leveldbjni\leveldbjni-all\1.8\707350a2eeb1fa2ed77a32ddb3893ed308e941db\leveldbjni-all-1.8.jar\META-INF\native\windows64\leveldbjni.dll
MD5: 4b6fa20009ca1eb556e752671461a3f2
SHA1: 978ca9c96c03eb220556ce5bc96c715f95a0967c
File Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.gagravarr\vorbis-java-core\0.6\71deedbdfe6a1b0dcadd6c5ae335e3e9b427524c\vorbis-java-core-0.6.jar
MD5: 724a557bf19d77f362b41f2796be158c
SHA1: 71deedbdfe6a1b0dcadd6c5ae335e3e9b427524c
File Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.gagravarr\vorbis-java-tika\0.6\be5b08ff4c45632975646f286a1d13e325bec59a\vorbis-java-tika-0.6.jar
MD5: 9906a3a825381c64756962ebe99df47b
SHA1: be5b08ff4c45632975646f286a1d13e325bec59a
Description:
QDox is a high speed, small footprint parser for extracting class/interface/method definitions from source files
complete with JavaDoc @tags. It is designed to be used by active code generators or documentation tools.
License:
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.hamcrest\hamcrest-all\1.3\63a21ebc981131004ad02e0434e799fd7f3a8d5a\hamcrest-all-1.3.jar
File Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.hamcrest\hamcrest-core\1.1\860340562250678d1a344907ac75754e259cdb14\hamcrest-core-1.1.jar
MD5: b66d0c48e1f1dc54d4227db52512c15b
SHA1: 860340562250678d1a344907ac75754e259cdb14
Description:
This is the core API of hamcrest matcher framework to be used by third-party framework providers. This includes the a foundation set of matcher implementations for common operations.
File Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.hamcrest\hamcrest-core\1.3\42a25dc3219429f0e5d060061f71acb49bf010a0\hamcrest-core-1.3.jar
MD5: 6393363b47ddcbba82321110c3e07519
SHA1: 42a25dc3219429f0e5d060061f71acb49bf010a0
Description: Java Persistence API
File Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.hibernate\ejb3-persistence\1.0.1.GA\f502b2c96c95e087435c79d3d6c9aa85bb1154bc\ejb3-persistence-1.0.1.GA.jar
MD5: d46c8f0555d95027269259dd04f6b10c
SHA1: f502b2c96c95e087435c79d3d6c9aa85bb1154bc
Description: Annotations metadata for Hibernate
License:
GNU LESSER GENERAL PUBLIC LICENSE: http://www.gnu.org/licenses/lgpl.txtFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.hibernate\hibernate-annotations\3.3.1.GA\2083b277c76037253189d17e68ba86d2da478440\hibernate-annotations-3.3.1.GA.jar
Description: Hibernate Commons Annotations is a utility project used by annotations based Hibernate sub-projects.
License:
GNU LESSER GENERAL PUBLIC LICENSE: http://www.gnu.org/licenses/lgpl.txtFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.hibernate\hibernate-commons-annotations\3.0.0.ga\c8f53732fe3b75935f0550bdc3ba92bc9345360f\hibernate-commons-annotations-3.0.0.ga.jar
Description: Relational Persistence for Java
License:
GNU LESSER GENERAL PUBLIC LICENSE: http://www.gnu.org/licenses/lgpl.txtFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.hibernate\hibernate\3.2.6.ga\dd982c3d5c28c956aa4fa9112258cb3013606ddd\hibernate-3.2.6.ga.jar
File Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.htrace\htrace-core\3.0.4\d7461828faf28411f37f8570d896292db277d838\htrace-core-3.0.4.jar
MD5: ddb872231eb1940a8f7d5b2b5d026b86
SHA1: d7461828faf28411f37f8570d896292db277d838
Description: Inspektr Core
File Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.inspektr\inspektr-core\0.7.0\1d6851b0970de19593e8cdcbf7e593ca5c2db324\inspektr-core-0.7.0.jar
MD5: 36528ac75d74ab43a13aad6055146d60
SHA1: 1d6851b0970de19593e8cdcbf7e593ca5c2db324
Description: jbzip2 is a Java bzip2 compression/decompression library. It can be used as a replacement for the Apache CBZip2InputStream / CBZip2OutputStream classes.
License:
MIT License (MIT): http://opensource.org/licenses/mit-license.phpFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.itadaki\bzip2\0.9.1\47ca95f71e3ccae756c4a24354d48069c58f475c\bzip2-0.9.1.jar
Severity:
Medium
CVSS Score: 4.6 (AV:L/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls
The bzexe command in bzip2 1.0.5 and earlier generates compressed executables that do not properly handle temporary files during extraction, which allows local users to execute arbitrary code by precreating a temporary directory.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 5.1 (AV:N/AC:H/Au:N/C:P/I:P/A:P)
CWE: CWE-189 Numeric Errors
Integer overflow in the BZ2_decompress function in decompress.c in bzip2 and libbzip2 before 1.0.6 allows context-dependent attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted compressed file.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
bzip2 allows remote attackers to cause a denial of service (hard drive consumption) via a crafted bzip2 file that causes an infinite loop (a.k.a "decompression bomb").
Vulnerable Software & Versions:
Description: CAS core
File Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.jasig.cas\cas-server-core\3.3.5\c47163c27b1a7617af14182c168d2b5b54cdd66\cas-server-core-3.3.5.jar
MD5: 14e8ad0fdfb00b8213bfdd2c36304e59
SHA1: 0c47163c27b1a7617af14182c168d2b5b54cdd66
Description: Provides a general interface for accessing attributes for a person.
File Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.jasig.service\person-directory-api\1.5.0-RC5\a2f4804d335d3cfe6a4bb3407dcf9fb88d396700\person-directory-api-1.5.0-RC5.jar
MD5: 342160c7a8e7d47a934fc442503f219b
SHA1: a2f4804d335d3cfe6a4bb3407dcf9fb88d396700
Description: Provides implementations of the Person Directory API that have the capability of aggregating attributes from multiple data sources into a single view.
File Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.jasig.service\person-directory-impl\1.5.0-RC5\512831d6195409f9de30bcd06e1a3ce31fc4304f\person-directory-impl-1.5.0-RC5.jar
MD5: 05082275b6865cad22812017040483e2
SHA1: 512831d6195409f9de30bcd06e1a3ce31fc4304f
File Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.jdom\com.springsource.org.jdom\1.0.0\32e7389479349a9d30cab805d83486b1e865aeaa\com.springsource.org.jdom-1.0.0.jar
MD5: 9741e6528d37b38ac5c953f3d1892aa4
SHA1: 32e7389479349a9d30cab805d83486b1e865aeaa
Description:
A complete, Java-based solution for accessing, manipulating,
and outputting XML data
License:
Similar to Apache License but with the acknowledgment clause removed: https://raw.github.com/hunterhacker/jdom/master/LICENSE.txtFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.jdom\jdom2\2.0.4\4b65e55cc61b34bc634b25f0359d1242e4c519de\jdom2-2.0.4.jar
Description:
A complete, Java-based solution for accessing, manipulating,
and outputting XML data
License:
Similar to Apache License but with the acknowledgment clause removed: https://raw.github.com/hunterhacker/jdom/master/LICENSE.txtFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.jdom\jdom\2.0.2\d06c71e0df0ac4b94deb737718580ccce22d92e8\jdom-2.0.2.jar
Description:
JSON is a light-weight, language independent, data interchange format.
See http://www.JSON.org/
The files in this package implement JSON encoders/decoders in Java.
It also includes the capability to convert between JSON and XML, HTTP
headers, Cookies, and CDL.
This is a reference implementation. There is a large number of JSON packages
in Java. Perhaps someday the Java community will standardize on one. Until
then, choose carefully.
The license includes this restriction: "The software shall be used for good,
not evil." If your conscience cannot live with that, then choose a different
package.
The package compiles on Java 1.2 thru Java 1.4.
License:
The JSON License: http://json.org/license.htmlFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.json\json\20140107\d1ffca6e2482b002702c6a576166fd685e3370e3\json-20140107.jar
Description: jsoup HTML parser
License:
The MIT License: http://jsoup.com/licenseFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.jsoup\jsoup\1.7.2\d7e275ba05aa380ca254f72d0c0ffebaedc3adcf\jsoup-1.7.2.jar
Description: OSGi Version of Apache Commons Lang
License:
Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.lucee\commons-lang\2.6.0\df35f722d1b578d39fd9b101652cea5344e1ee2a\commons-lang-2.6.0.jar
File Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.milyn\flute\1.3\b7d59dc172005598b55699b1a75605b13c14f1fd\flute-1.3.jar
MD5: 2f2e13cd3523c545dd1c4617b373692c
SHA1: b7d59dc172005598b55699b1a75605b13c14f1fd
Description: Utility classes for Jetty
License:
http://www.apache.org/licenses/LICENSE-2.0, http://www.eclipse.org/org/documents/epl-v10.phpFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.mortbay.jetty\jetty-util\6.1.26\e5642fe0399814e1687d55a3862aa5a3417226a9\jetty-util-6.1.26.jar
Severity:
Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-310 Cryptographic Issues
Jetty 8.1.0.RC2 and earlier computes hash values for form parameters without restricting the ability to trigger hash collisions predictably, which allows remote attackers to cause a denial of service (CPU consumption) by sending many crafted parameters.
Vulnerable Software & Versions: (show all)
Description: Jetty server core
License:
http://www.apache.org/licenses/LICENSE-2.0, http://www.eclipse.org/org/documents/epl-v10.phpFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.mortbay.jetty\jetty\6.1.26\2f546e289fddd5b1fab1d4199fbb6e9ef43ee4b0\jetty-6.1.26.jar
Severity:
Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-310 Cryptographic Issues
Jetty 8.1.0.RC2 and earlier computes hash values for form parameters without restricting the ability to trigger hash collisions predictably, which allows remote attackers to cause a denial of service (CPU consumption) by sending many crafted parameters.
Vulnerable Software & Versions: (show all)
Description: Noggit is the world's fastest streaming JSON parser for Java.
License:
Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.noggit\noggit\0.6\fa94a59c44b39ee710f3c9451750119e432326c0\noggit-0.6.jar
Description:
The development community in building GIS solutions is sustaining an enormous level
of effort. The GeoAPI project aims to reduce duplication and increase interoperability
by providing neutral, interface-only APIs derived from OGC/ISO Standards.
License:
https://geoapi.svn.sourceforge.net/svnroot/geoapi/branches/3.0.x/LICENSE.txtFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.opengis\geoapi\3.0.0\a04e0f361627fb33a140b5aa4c019741f905577\geoapi-3.0.0.jar
Description:
The OpenSAML-J library provides tools to support developers working with the Security Assertion Markup Language
(SAML).
License:
Apache 2: http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.opensaml\opensaml\1.1b\21ec22368b6baa211a29887e162aa4cf9a8f3c60\opensaml-1.1b.jar
Severity:
High
CVSS Score: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)
CWE: CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer
Buffer overflow in OpenSAML before 1.1.3 as used in Internet2 Shibboleth Service Provider software 1.3.x before 1.3.4, and XMLTooling before 1.2.2 as used in Internet2 Shibboleth Service Provider software 2.x before 2.2.1, allows remote attackers to cause a denial of service and possibly execute arbitrary code via a malformed encoded URL.
Vulnerable Software & Versions: (show all)
File Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.ow2.asm\asm-commons\4.1\f8b86f4ee6e02082f63a658e00eb5506821253c6\asm-commons-4.1.jar
MD5: 9a4b40374d11fcb2c5b1d2a4b789e91d
SHA1: f8b86f4ee6e02082f63a658e00eb5506821253c6
File Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.ow2.asm\asm-tree\4.1\51085abcc4cb6c6e1cb5551e6f999eb8e31c5b2d\asm-tree-4.1.jar
MD5: 84b820d478240edad27f2b3d3af229c6
SHA1: 51085abcc4cb6c6e1cb5551e6f999eb8e31c5b2d
File Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.ow2.asm\asm\5.0.4\da08b8cce7bbf903602a25a3a163ae252435795\asm-5.0.4.jar
MD5: c8a73cdfdf802ab0220c860d590d0f84
SHA1: 0da08b8cce7bbf903602a25a3a163ae252435795
File Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.owasp.antisamy\antisamy\1.4.3\6bac1ebc43ac3db223f592ce904ac4c2f3ef26e5\antisamy-1.4.3.jar
MD5: 9c7777853e159535f4d510b4dc0a88a9
SHA1: 6bac1ebc43ac3db223f592ce904ac4c2f3ef26e5
Description: The Enterprise Security API (ESAPI) project is an OWASP project
to create simple strong security controls for every web platform.
Security controls are not simple to build. You can read about the
hundreds of pitfalls for unwary developers on the OWASP web site. By
providing developers with a set of strong controls, we aim to
eliminate some of the complexity of creating secure web applications.
This can result in significant cost savings across the SDLC.
License:
BSD: http://www.opensource.org/licenses/bsd-license.php Creative Commons 3.0 BY-SA: http://creativecommons.org/licenses/by-sa/3.0/File Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.owasp.esapi\esapi\2.1.0\1892f47602b211ec72abc45df93a69c953a7ffba\esapi-2.1.0.jar
Description: Enterprise Job Scheduler
License:
http://www.apache.org/licenses/LICENSE-2.0.txt Apache Software License, Version 2.0File Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.quartz-scheduler\quartz\2.2.0\2eb16fce055d5f3c9d65420f6fc4efd3a079a3d8\quartz-2.2.0.jar
File Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.restlet.jee\org.restlet.ext.servlet\2.3.0\9303e20d0397c0304342943560c3a1693fd7ce7d\org.restlet.ext.servlet-2.3.0.jar
MD5: e81ab1a31fdd07ac02c576086201b2da
SHA1: 9303e20d0397c0304342943560c3a1693fd7ce7d
File Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.restlet.jee\org.restlet\2.3.0\4c5d184e23fa729726668a90dc7338d80c4e7e6f\org.restlet-2.3.0.jar
MD5: 33a94f74de95421b4938dfecb0029ab1
SHA1: 4c5d184e23fa729726668a90dc7338d80c4e7e6f
Description: JCL 1.1.1 implemented over SLF4J
File Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.slf4j\jcl-over-slf4j\1.7.7\56003dcd0a31deea6391b9e2ef2f2dc90b205a92\jcl-over-slf4j-1.7.7.jar
MD5: 32ad130f946ef0460af416397b7fc7b7
SHA1: 56003dcd0a31deea6391b9e2ef2f2dc90b205a92
Description: The slf4j API
File Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.slf4j\slf4j-api\1.7.12\8e20852d05222dc286bf1c71d78d0531e177c317\slf4j-api-1.7.12.jar
MD5: 68910bf95dbcf90ce5859128f0f75d1e
SHA1: 8e20852d05222dc286bf1c71d78d0531e177c317
Description: The slf4j API
File Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.slf4j\slf4j-api\1.7.21\139535a69a4239db087de9bab0bee568bf8e0b70\slf4j-api-1.7.21.jar
MD5: c9be56284a92dcb2576679282eff80bf
SHA1: 139535a69a4239db087de9bab0bee568bf8e0b70
Description: SLF4J LOG4J-12 Binding
File Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.slf4j\slf4j-log4j12\1.7.10\b3eeae7d1765f988a1f45ea81517191315c69c9e\slf4j-log4j12-1.7.10.jar
MD5: 77c1e048b5110a007dd5b8e808d76b1f
SHA1: b3eeae7d1765f988a1f45ea81517191315c69c9e
Description: Spring Framework: Beans
License:
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.springframework\spring-beans\2.5.6\449ea46b27426eb846611a90b2fb8b4dcf271191\spring-beans-2.5.6.jar
Severity:
Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Cross-site scripting (XSS) vulnerability in web/servlet/tags/form/FormTag.java in Spring MVC in Spring Framework 3.0.0 before 3.2.8 and 4.0.0 before 4.0.2 allows remote attackers to inject arbitrary web script or HTML via the requested URI in a default action.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-352
The Jaxb2RootElementHttpMessageConverter in Spring MVC in Spring Framework before 3.2.8 and 4.0.0 before 4.0.2 does not disable external entity resolution, which allows remote attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML, aka an XML External Entity (XXE) issue. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-4152, CVE-2013-7315, and CVE-2013-6429.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls
The Spring MVC in Spring Framework before 3.2.4 and 4.0.0.M1 through 4.0.0.M2 does not disable external entity resolution for the StAX XMLInputFactory, which allows context-dependent attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML with JAXB, aka an XML External Entity (XXE) issue, and a different vulnerability than CVE-2013-4152. NOTE: this issue was SPLIT from CVE-2013-4152 due to different affected versions.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls
The SourceHttpMessageConverter in Spring MVC in Spring Framework before 3.2.5 and 4.0.0.M1 through 4.0.0.RC1 does not disable external entity resolution, which allows remote attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML, aka an XML External Entity (XXE) issue, and a different vulnerability than CVE-2013-4152 and CVE-2013-7315.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls
The Spring OXM wrapper in Spring Framework before 3.2.4 and 4.0.0.M1, when using the JAXB marshaller, does not disable entity resolution, which allows context-dependent attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via an XML external entity declaration in conjunction with an entity reference in a (1) DOMSource, (2) StAXSource, (3) SAXSource, or (4) StreamSource, aka an XML External Entity (XXE) issue.
Vulnerable Software & Versions: (show all)
Severity:
High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-16 Configuration
VMware SpringSource Spring Framework before 2.5.6.SEC03, 2.5.7.SR023, and 3.x before 3.0.6, when a container supports Expression Language (EL), evaluates EL expressions in tags twice, which allows remote attackers to obtain sensitive information via a (1) name attribute in a (a) spring:hasBindErrors tag; (2) path attribute in a (b) spring:bind or (c) spring:nestedpath tag; (3) arguments, (4) code, (5) text, (6) var, (7) scope, or (8) message attribute in a (d) spring:message or (e) spring:theme tag; or (9) var, (10) scope, or (11) value attribute in a (f) spring:transform tag, aka "Expression Language Injection."
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 6.0 (AV:N/AC:M/Au:S/C:P/I:P/A:P)
CWE: CWE-94 Improper Control of Generation of Code ('Code Injection')
SpringSource Spring Framework 2.5.x before 2.5.6.SEC02, 2.5.7 before 2.5.7.SR01, and 3.0.x before 3.0.3 allows remote attackers to execute arbitrary code via an HTTP request containing class.classLoader.URLs[0]=jar: followed by a URL of a crafted .jar file.
Vulnerable Software & Versions: (show all)
Description: Spring Data Binding Framework
License:
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.springframework\spring-binding\1.0.6\c2789e5215ed30d4d9e06873097c8bab8ae97109\spring-binding-1.0.6.jar
Description: Spring Framework: Context Support
License:
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.springframework\spring-context-support\2.5.6.SEC01\3a88bce8e22a274f116d4fb3dcc936d088fff014\spring-context-support-2.5.6.SEC01.jar
Severity:
Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Cross-site scripting (XSS) vulnerability in web/servlet/tags/form/FormTag.java in Spring MVC in Spring Framework 3.0.0 before 3.2.8 and 4.0.0 before 4.0.2 allows remote attackers to inject arbitrary web script or HTML via the requested URI in a default action.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-352
The Jaxb2RootElementHttpMessageConverter in Spring MVC in Spring Framework before 3.2.8 and 4.0.0 before 4.0.2 does not disable external entity resolution, which allows remote attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML, aka an XML External Entity (XXE) issue. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-4152, CVE-2013-7315, and CVE-2013-6429.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls
The Spring MVC in Spring Framework before 3.2.4 and 4.0.0.M1 through 4.0.0.M2 does not disable external entity resolution for the StAX XMLInputFactory, which allows context-dependent attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML with JAXB, aka an XML External Entity (XXE) issue, and a different vulnerability than CVE-2013-4152. NOTE: this issue was SPLIT from CVE-2013-4152 due to different affected versions.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls
The SourceHttpMessageConverter in Spring MVC in Spring Framework before 3.2.5 and 4.0.0.M1 through 4.0.0.RC1 does not disable external entity resolution, which allows remote attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML, aka an XML External Entity (XXE) issue, and a different vulnerability than CVE-2013-4152 and CVE-2013-7315.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls
The Spring OXM wrapper in Spring Framework before 3.2.4 and 4.0.0.M1, when using the JAXB marshaller, does not disable entity resolution, which allows context-dependent attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via an XML external entity declaration in conjunction with an entity reference in a (1) DOMSource, (2) StAXSource, (3) SAXSource, or (4) StreamSource, aka an XML External Entity (XXE) issue.
Vulnerable Software & Versions: (show all)
Severity:
High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-16 Configuration
VMware SpringSource Spring Framework before 2.5.6.SEC03, 2.5.7.SR023, and 3.x before 3.0.6, when a container supports Expression Language (EL), evaluates EL expressions in tags twice, which allows remote attackers to obtain sensitive information via a (1) name attribute in a (a) spring:hasBindErrors tag; (2) path attribute in a (b) spring:bind or (c) spring:nestedpath tag; (3) arguments, (4) code, (5) text, (6) var, (7) scope, or (8) message attribute in a (d) spring:message or (e) spring:theme tag; or (9) var, (10) scope, or (11) value attribute in a (f) spring:transform tag, aka "Expression Language Injection."
Vulnerable Software & Versions: (show all)
Description: Spring Framework: Context
License:
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.springframework\spring-context\2.5.6.SEC01\30ab3c56aa2ca6d9e4a194a36ac0679df2fd108\spring-context-2.5.6.SEC01.jar
Severity:
Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Cross-site scripting (XSS) vulnerability in web/servlet/tags/form/FormTag.java in Spring MVC in Spring Framework 3.0.0 before 3.2.8 and 4.0.0 before 4.0.2 allows remote attackers to inject arbitrary web script or HTML via the requested URI in a default action.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-352
The Jaxb2RootElementHttpMessageConverter in Spring MVC in Spring Framework before 3.2.8 and 4.0.0 before 4.0.2 does not disable external entity resolution, which allows remote attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML, aka an XML External Entity (XXE) issue. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-4152, CVE-2013-7315, and CVE-2013-6429.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls
The Spring MVC in Spring Framework before 3.2.4 and 4.0.0.M1 through 4.0.0.M2 does not disable external entity resolution for the StAX XMLInputFactory, which allows context-dependent attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML with JAXB, aka an XML External Entity (XXE) issue, and a different vulnerability than CVE-2013-4152. NOTE: this issue was SPLIT from CVE-2013-4152 due to different affected versions.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls
The SourceHttpMessageConverter in Spring MVC in Spring Framework before 3.2.5 and 4.0.0.M1 through 4.0.0.RC1 does not disable external entity resolution, which allows remote attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML, aka an XML External Entity (XXE) issue, and a different vulnerability than CVE-2013-4152 and CVE-2013-7315.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls
The Spring OXM wrapper in Spring Framework before 3.2.4 and 4.0.0.M1, when using the JAXB marshaller, does not disable entity resolution, which allows context-dependent attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via an XML external entity declaration in conjunction with an entity reference in a (1) DOMSource, (2) StAXSource, (3) SAXSource, or (4) StreamSource, aka an XML External Entity (XXE) issue.
Vulnerable Software & Versions: (show all)
Severity:
High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-16 Configuration
VMware SpringSource Spring Framework before 2.5.6.SEC03, 2.5.7.SR023, and 3.x before 3.0.6, when a container supports Expression Language (EL), evaluates EL expressions in tags twice, which allows remote attackers to obtain sensitive information via a (1) name attribute in a (a) spring:hasBindErrors tag; (2) path attribute in a (b) spring:bind or (c) spring:nestedpath tag; (3) arguments, (4) code, (5) text, (6) var, (7) scope, or (8) message attribute in a (d) spring:message or (e) spring:theme tag; or (9) var, (10) scope, or (11) value attribute in a (f) spring:transform tag, aka "Expression Language Injection."
Vulnerable Software & Versions: (show all)
Description: Spring Core
License:
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.springframework\spring-core\4.2.3.RELEASE\3ed00dad7a16b2a28df9348294f6a67151f43cf6\spring-core-4.2.3.RELEASE.jar
Description: Spring Framework: JDBC
License:
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.springframework\spring-jdbc\2.5.6.SEC01\74f28b32f9678dd3093643a268af767ddfcc337d\spring-jdbc-2.5.6.SEC01.jar
Severity:
Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Cross-site scripting (XSS) vulnerability in web/servlet/tags/form/FormTag.java in Spring MVC in Spring Framework 3.0.0 before 3.2.8 and 4.0.0 before 4.0.2 allows remote attackers to inject arbitrary web script or HTML via the requested URI in a default action.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-352
The Jaxb2RootElementHttpMessageConverter in Spring MVC in Spring Framework before 3.2.8 and 4.0.0 before 4.0.2 does not disable external entity resolution, which allows remote attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML, aka an XML External Entity (XXE) issue. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-4152, CVE-2013-7315, and CVE-2013-6429.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls
The Spring MVC in Spring Framework before 3.2.4 and 4.0.0.M1 through 4.0.0.M2 does not disable external entity resolution for the StAX XMLInputFactory, which allows context-dependent attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML with JAXB, aka an XML External Entity (XXE) issue, and a different vulnerability than CVE-2013-4152. NOTE: this issue was SPLIT from CVE-2013-4152 due to different affected versions.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls
The SourceHttpMessageConverter in Spring MVC in Spring Framework before 3.2.5 and 4.0.0.M1 through 4.0.0.RC1 does not disable external entity resolution, which allows remote attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML, aka an XML External Entity (XXE) issue, and a different vulnerability than CVE-2013-4152 and CVE-2013-7315.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls
The Spring OXM wrapper in Spring Framework before 3.2.4 and 4.0.0.M1, when using the JAXB marshaller, does not disable entity resolution, which allows context-dependent attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via an XML external entity declaration in conjunction with an entity reference in a (1) DOMSource, (2) StAXSource, (3) SAXSource, or (4) StreamSource, aka an XML External Entity (XXE) issue.
Vulnerable Software & Versions: (show all)
Severity:
High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-16 Configuration
VMware SpringSource Spring Framework before 2.5.6.SEC03, 2.5.7.SR023, and 3.x before 3.0.6, when a container supports Expression Language (EL), evaluates EL expressions in tags twice, which allows remote attackers to obtain sensitive information via a (1) name attribute in a (a) spring:hasBindErrors tag; (2) path attribute in a (b) spring:bind or (c) spring:nestedpath tag; (3) arguments, (4) code, (5) text, (6) var, (7) scope, or (8) message attribute in a (d) spring:message or (e) spring:theme tag; or (9) var, (10) scope, or (11) value attribute in a (f) spring:transform tag, aka "Expression Language Injection."
Vulnerable Software & Versions: (show all)
Description: Spring Framework: ORM
License:
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.springframework\spring-orm\2.5.6.SEC01\255bd5a5d6d456792bb928e1cced60755f1fe513\spring-orm-2.5.6.SEC01.jar
Severity:
Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Cross-site scripting (XSS) vulnerability in web/servlet/tags/form/FormTag.java in Spring MVC in Spring Framework 3.0.0 before 3.2.8 and 4.0.0 before 4.0.2 allows remote attackers to inject arbitrary web script or HTML via the requested URI in a default action.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-352
The Jaxb2RootElementHttpMessageConverter in Spring MVC in Spring Framework before 3.2.8 and 4.0.0 before 4.0.2 does not disable external entity resolution, which allows remote attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML, aka an XML External Entity (XXE) issue. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-4152, CVE-2013-7315, and CVE-2013-6429.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls
The Spring MVC in Spring Framework before 3.2.4 and 4.0.0.M1 through 4.0.0.M2 does not disable external entity resolution for the StAX XMLInputFactory, which allows context-dependent attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML with JAXB, aka an XML External Entity (XXE) issue, and a different vulnerability than CVE-2013-4152. NOTE: this issue was SPLIT from CVE-2013-4152 due to different affected versions.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls
The SourceHttpMessageConverter in Spring MVC in Spring Framework before 3.2.5 and 4.0.0.M1 through 4.0.0.RC1 does not disable external entity resolution, which allows remote attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML, aka an XML External Entity (XXE) issue, and a different vulnerability than CVE-2013-4152 and CVE-2013-7315.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls
The Spring OXM wrapper in Spring Framework before 3.2.4 and 4.0.0.M1, when using the JAXB marshaller, does not disable entity resolution, which allows context-dependent attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via an XML external entity declaration in conjunction with an entity reference in a (1) DOMSource, (2) StAXSource, (3) SAXSource, or (4) StreamSource, aka an XML External Entity (XXE) issue.
Vulnerable Software & Versions: (show all)
Severity:
High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-16 Configuration
VMware SpringSource Spring Framework before 2.5.6.SEC03, 2.5.7.SR023, and 3.x before 3.0.6, when a container supports Expression Language (EL), evaluates EL expressions in tags twice, which allows remote attackers to obtain sensitive information via a (1) name attribute in a (a) spring:hasBindErrors tag; (2) path attribute in a (b) spring:bind or (c) spring:nestedpath tag; (3) arguments, (4) code, (5) text, (6) var, (7) scope, or (8) message attribute in a (d) spring:message or (e) spring:theme tag; or (9) var, (10) scope, or (11) value attribute in a (f) spring:transform tag, aka "Expression Language Injection."
Vulnerable Software & Versions: (show all)
Description: Spring TestContext Framework
License:
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.springframework\spring-test\4.2.3.RELEASE\d7c055b8fb1117ef75045679892228a4816cd80e\spring-test-4.2.3.RELEASE.jar
Description: Spring Framework: Transaction
License:
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.springframework\spring-tx\2.5.6.SEC01\4af6ff118eb394f804fe3a96f3e3f323a5de5ff6\spring-tx-2.5.6.SEC01.jar
Severity:
Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Cross-site scripting (XSS) vulnerability in web/servlet/tags/form/FormTag.java in Spring MVC in Spring Framework 3.0.0 before 3.2.8 and 4.0.0 before 4.0.2 allows remote attackers to inject arbitrary web script or HTML via the requested URI in a default action.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-352
The Jaxb2RootElementHttpMessageConverter in Spring MVC in Spring Framework before 3.2.8 and 4.0.0 before 4.0.2 does not disable external entity resolution, which allows remote attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML, aka an XML External Entity (XXE) issue. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-4152, CVE-2013-7315, and CVE-2013-6429.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls
The Spring MVC in Spring Framework before 3.2.4 and 4.0.0.M1 through 4.0.0.M2 does not disable external entity resolution for the StAX XMLInputFactory, which allows context-dependent attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML with JAXB, aka an XML External Entity (XXE) issue, and a different vulnerability than CVE-2013-4152. NOTE: this issue was SPLIT from CVE-2013-4152 due to different affected versions.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls
The SourceHttpMessageConverter in Spring MVC in Spring Framework before 3.2.5 and 4.0.0.M1 through 4.0.0.RC1 does not disable external entity resolution, which allows remote attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML, aka an XML External Entity (XXE) issue, and a different vulnerability than CVE-2013-4152 and CVE-2013-7315.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls
The Spring OXM wrapper in Spring Framework before 3.2.4 and 4.0.0.M1, when using the JAXB marshaller, does not disable entity resolution, which allows context-dependent attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via an XML external entity declaration in conjunction with an entity reference in a (1) DOMSource, (2) StAXSource, (3) SAXSource, or (4) StreamSource, aka an XML External Entity (XXE) issue.
Vulnerable Software & Versions: (show all)
Severity:
High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-16 Configuration
VMware SpringSource Spring Framework before 2.5.6.SEC03, 2.5.7.SR023, and 3.x before 3.0.6, when a container supports Expression Language (EL), evaluates EL expressions in tags twice, which allows remote attackers to obtain sensitive information via a (1) name attribute in a (a) spring:hasBindErrors tag; (2) path attribute in a (b) spring:bind or (c) spring:nestedpath tag; (3) arguments, (4) code, (5) text, (6) var, (7) scope, or (8) message attribute in a (d) spring:message or (e) spring:theme tag; or (9) var, (10) scope, or (11) value attribute in a (f) spring:transform tag, aka "Expression Language Injection."
Vulnerable Software & Versions: (show all)
Description: Spring Framework: Web
License:
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.springframework\spring-web\2.5.6.SEC01\6a5711a5a29cf25603892c2bace8bbe3bf062834\spring-web-2.5.6.SEC01.jar
Severity:
Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Cross-site scripting (XSS) vulnerability in web/servlet/tags/form/FormTag.java in Spring MVC in Spring Framework 3.0.0 before 3.2.8 and 4.0.0 before 4.0.2 allows remote attackers to inject arbitrary web script or HTML via the requested URI in a default action.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-352
The Jaxb2RootElementHttpMessageConverter in Spring MVC in Spring Framework before 3.2.8 and 4.0.0 before 4.0.2 does not disable external entity resolution, which allows remote attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML, aka an XML External Entity (XXE) issue. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-4152, CVE-2013-7315, and CVE-2013-6429.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls
The Spring MVC in Spring Framework before 3.2.4 and 4.0.0.M1 through 4.0.0.M2 does not disable external entity resolution for the StAX XMLInputFactory, which allows context-dependent attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML with JAXB, aka an XML External Entity (XXE) issue, and a different vulnerability than CVE-2013-4152. NOTE: this issue was SPLIT from CVE-2013-4152 due to different affected versions.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls
The SourceHttpMessageConverter in Spring MVC in Spring Framework before 3.2.5 and 4.0.0.M1 through 4.0.0.RC1 does not disable external entity resolution, which allows remote attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML, aka an XML External Entity (XXE) issue, and a different vulnerability than CVE-2013-4152 and CVE-2013-7315.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls
The Spring OXM wrapper in Spring Framework before 3.2.4 and 4.0.0.M1, when using the JAXB marshaller, does not disable entity resolution, which allows context-dependent attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via an XML external entity declaration in conjunction with an entity reference in a (1) DOMSource, (2) StAXSource, (3) SAXSource, or (4) StreamSource, aka an XML External Entity (XXE) issue.
Vulnerable Software & Versions: (show all)
Severity:
High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-16 Configuration
VMware SpringSource Spring Framework before 2.5.6.SEC03, 2.5.7.SR023, and 3.x before 3.0.6, when a container supports Expression Language (EL), evaluates EL expressions in tags twice, which allows remote attackers to obtain sensitive information via a (1) name attribute in a (a) spring:hasBindErrors tag; (2) path attribute in a (b) spring:bind or (c) spring:nestedpath tag; (3) arguments, (4) code, (5) text, (6) var, (7) scope, or (8) message attribute in a (d) spring:message or (e) spring:theme tag; or (9) var, (10) scope, or (11) value attribute in a (f) spring:transform tag, aka "Expression Language Injection."
Vulnerable Software & Versions: (show all)
Description: Spring Web Flow
License:
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.springframework\spring-webflow\1.0.6\73a9cef54005fe7c23947f13300eb0e0bf0f265a\spring-webflow-1.0.6.jar
Description: Spring Framework: Web MVC
License:
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.springframework\spring-webmvc\2.5.6.SEC01\1a48edcf8dcfc76882c821931eb0529db9af5d9b\spring-webmvc-2.5.6.SEC01.jar
Severity:
Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Cross-site scripting (XSS) vulnerability in web/servlet/tags/form/FormTag.java in Spring MVC in Spring Framework 3.0.0 before 3.2.8 and 4.0.0 before 4.0.2 allows remote attackers to inject arbitrary web script or HTML via the requested URI in a default action.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-352
The Jaxb2RootElementHttpMessageConverter in Spring MVC in Spring Framework before 3.2.8 and 4.0.0 before 4.0.2 does not disable external entity resolution, which allows remote attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML, aka an XML External Entity (XXE) issue. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-4152, CVE-2013-7315, and CVE-2013-6429.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls
The Spring MVC in Spring Framework before 3.2.4 and 4.0.0.M1 through 4.0.0.M2 does not disable external entity resolution for the StAX XMLInputFactory, which allows context-dependent attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML with JAXB, aka an XML External Entity (XXE) issue, and a different vulnerability than CVE-2013-4152. NOTE: this issue was SPLIT from CVE-2013-4152 due to different affected versions.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls
The SourceHttpMessageConverter in Spring MVC in Spring Framework before 3.2.5 and 4.0.0.M1 through 4.0.0.RC1 does not disable external entity resolution, which allows remote attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML, aka an XML External Entity (XXE) issue, and a different vulnerability than CVE-2013-4152 and CVE-2013-7315.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls
The Spring OXM wrapper in Spring Framework before 3.2.4 and 4.0.0.M1, when using the JAXB marshaller, does not disable entity resolution, which allows context-dependent attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via an XML external entity declaration in conjunction with an entity reference in a (1) DOMSource, (2) StAXSource, (3) SAXSource, or (4) StreamSource, aka an XML External Entity (XXE) issue.
Vulnerable Software & Versions: (show all)
Severity:
High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-16 Configuration
VMware SpringSource Spring Framework before 2.5.6.SEC03, 2.5.7.SR023, and 3.x before 3.0.6, when a container supports Expression Language (EL), evaluates EL expressions in tags twice, which allows remote attackers to obtain sensitive information via a (1) name attribute in a (a) spring:hasBindErrors tag; (2) path attribute in a (b) spring:bind or (c) spring:nestedpath tag; (3) arguments, (4) code, (5) text, (6) var, (7) scope, or (8) message attribute in a (d) spring:message or (e) spring:theme tag; or (9) var, (10) scope, or (11) value attribute in a (f) spring:transform tag, aka "Expression Language Injection."
Vulnerable Software & Versions: (show all)
Description: XZ data compression
License:
Public DomainFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.tukaani\xz\1.5\9c64274b7dbb65288237216e3fae7877fd3f2bee\xz-1.5.jar
Description: snappy-java: A fast compression/decompression library
License:
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.xerial.snappy\snappy-java\1.0.4.1\f88b89a5a21a466aeb0ecf0c063605bd584b4947\snappy-java-1.0.4.1.jar
File Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.xerial.snappy\snappy-java\1.0.4.1\f88b89a5a21a466aeb0ecf0c063605bd584b4947\snappy-java-1.0.4.1.jar\org\xerial\snappy\native\Windows\amd64\snappyjava.dll
MD5: 09989290a9d23aa887ad3919c8daf6bd
SHA1: 1ca8cb25c14aa3574e1c2d362e11b97b889dc466
File Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.xerial.snappy\snappy-java\1.0.4.1\f88b89a5a21a466aeb0ecf0c063605bd584b4947\snappy-java-1.0.4.1.jar\org\xerial\snappy\native\Windows\x86\snappyjava.dll
MD5: 02d0731854ac1be878dc4d6e2555aa2d
SHA1: baf474b2ad0b6873e2d99764ea61dcb42f850e24
Description: Jackson Databind module for serializing and deserializing Java 8 java.util.Option objects.
This tool is forked from original source created by @realjenius
License:
Apache License, Version 2.0: license.txtFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.zapodot\jackson-databind-java-optional\2.4.2\588266ff57165736149bc38e07f2875a4fe5969c\jackson-databind-java-optional-2.4.2.jar
File Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\oro\oro\2.0.8\5592374f834645c4ae250f4c9fbb314c9369d698\oro-2.0.8.jar
MD5: 42e940d5d2d822f4dc04c65053e630ab
SHA1: 5592374f834645c4ae250f4c9fbb314c9369d698
Description: The PostgreSQL Driver JDBC4
License:
BSD License: http://jdbc.postgresql.org/license.htmlFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\postgresql\postgresql\9.0-801.jdbc4\153f2f92a786f12fc111d0111f709012df87c808\postgresql-9.0-801.jdbc4.jar
Severity:
Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer
PostgreSQL before 9.1.20, 9.2.x before 9.2.15, 9.3.x before 9.3.11, 9.4.x before 9.4.6, and 9.5.x before 9.5.1 allows remote attackers to cause a denial of service (infinite loop or buffer overflow and crash) via a large Unicode character range in a regular expression.
Vulnerable Software & Versions: (show all)
Severity:
High
CVSS Score: 9.0 (AV:N/AC:L/Au:S/C:C/I:C/A:C)
CWE: CWE-264 Permissions, Privileges, and Access Controls
PostgreSQL before 9.1.20, 9.2.x before 9.2.15, 9.3.x before 9.3.11, 9.4.x before 9.4.6, and 9.5.x before 9.5.1 does not properly restrict access to unspecified custom configuration settings (GUCS) for PL/Java, which allows attackers to gain privileges via unspecified vectors.
Vulnerable Software & Versions: (show all)
Description: The PostgreSQL Driver JDBC4
License:
BSD License: http://jdbc.postgresql.org/license.htmlFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\postgresql\postgresql\9.0-801.jdbc4\dbcd12f02b9527ab56b4ee7bd599d7a90999d260\postgresql-9.0-801.jdbc4-sources.jar
Severity:
Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer
PostgreSQL before 9.1.20, 9.2.x before 9.2.15, 9.3.x before 9.3.11, 9.4.x before 9.4.6, and 9.5.x before 9.5.1 allows remote attackers to cause a denial of service (infinite loop or buffer overflow and crash) via a large Unicode character range in a regular expression.
Vulnerable Software & Versions: (show all)
Severity:
High
CVSS Score: 9.0 (AV:N/AC:L/Au:S/C:C/I:C/A:C)
CWE: CWE-264 Permissions, Privileges, and Access Controls
PostgreSQL before 9.1.20, 9.2.x before 9.2.15, 9.3.x before 9.3.11, 9.4.x before 9.4.6, and 9.5.x before 9.5.1 does not properly restrict access to unspecified custom configuration settings (GUCS) for PL/Java, which allows attackers to gain privileges via unspecified vectors.
Vulnerable Software & Versions: (show all)
File Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\regexp\regexp\1.3\973df2b78b67bcd3144c3dbbb88da691065a3f8d\regexp-1.3.jar
MD5: 6dcdc325850e40b843cac2a25fb2121e
SHA1: 973df2b78b67bcd3144c3dbbb88da691065a3f8d
Description: StAX API is the standard java XML processing API defined by JSR-173
License:
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\stax\stax-api\1.0.1\49c100caf72d658aca8e58bd74a4ba90fa2b0d70\stax-api-1.0.1.jar
Description: Woodstox is a high-performance XML processor that implements Stax (JSR-173) API
License:
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\woodstox\wstx-asl\3.2.7\252c7faae9ce98cb9c9d29f02db88f7373e7f407\wstx-asl-3.2.7.jar
Description: This is a small collection of classes, which are part of the Java 5 Core. In other words, you do not need this library, if you are running Java 5, or later. The Java 5 classes are used by projects like Apache JaxMe, Apache XML-RPC, or the the ws-common-utils.
License:
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\ws-commons-java5\ws-commons-java5\1.0.1\a6c8eaf64f49ca191a88d65fd9dc7d9def69cac0\ws-commons-java5-1.0.1.jar
Description: Java stub generator for WSDL
License:
CPL: http://www.opensource.org/licenses/cpl1.0.txtFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\wsdl4j\wsdl4j\1.6.2\dec1669fb6801b7328e01ad72fc9e10b69ea06c1\wsdl4j-1.6.2.jar
Description:
Serializer to write out XML, HTML etc. as a stream of characters from an input DOM or from input
SAX events.
File Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\xalan\serializer\2.7.2\24247f3bb052ee068971393bdb83e04512bb1c3c\serializer-2.7.2.jar
MD5: e8325763fd4235f174ab7b72ed815db1
SHA1: 24247f3bb052ee068971393bdb83e04512bb1c3c
Description:
Xalan-Java is an XSLT processor for transforming XML documents into HTML,
text, or other XML document types. It implements XSL Transformations (XSLT)
Version 1.0 and XML Path Language (XPath) Version 1.0 and can be used from
the command line, in an applet or a servlet, or as a module in other program.
File Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\xalan\xalan\2.7.2\d55d3f02a56ec4c25695fe67e1334ff8c2ecea23\xalan-2.7.2.jar
MD5: 6aa6607802502c8016b676f25f8e4873
SHA1: d55d3f02a56ec4c25695fe67e1334ff8c2ecea23
File Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\xerces\xercesImpl\2.9.1\1136d197e2755bbde296ceee217ec5fe2917477b\xercesImpl-2.9.1.jar
MD5: da09b75b562ca9a8e9a535d2148be8e4
SHA1: 1136d197e2755bbde296ceee217ec5fe2917477b
Description: xml-commons provides an Apache-hosted set of DOM, SAX, and
JAXP interfaces for use in other xml-based projects. Our hope is that we
can standardize on both a common version and packaging scheme for these
critical XML standards interfaces to make the lives of both our developers
and users easier. The External Components portion of xml-commons contains
interfaces that are defined by external standards organizations. For DOM,
that's the W3C; for SAX it's David Megginson and sax.sourceforge.net; for
JAXP it's Sun.
File Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\xml-apis\xml-apis-ext\1.3.04\41a8b86b358e87f3f13cf46069721719105aff66\xml-apis-ext-1.3.04.jar
MD5: bcb07d3b8d2397db7a3013b6465d347b
SHA1: 41a8b86b358e87f3f13cf46069721719105aff66
Description: xml-commons provides an Apache-hosted set of DOM, SAX, and
JAXP interfaces for use in other xml-based projects. Our hope is that we
can standardize on both a common version and packaging scheme for these
critical XML standards interfaces to make the lives of both our developers
and users easier. The External Components portion of xml-commons contains
interfaces that are defined by external standards organizations. For DOM,
that's the W3C; for SAX it's David Megginson and sax.sourceforge.net; for
JAXP it's Sun.
License:
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt The SAX License: http://www.saxproject.org/copying.html The W3C License: http://www.w3.org/TR/2004/REC-DOM-Level-3-Core-20040407/java-binding.zipFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\xml-apis\xml-apis\1.4.01\3789d9fada2d3d458c4ba2de349d48780f381ee3\xml-apis-1.4.01.jar
Description: xmlenc Library
License:
The BSD License: http://www.opensource.org/licenses/bsd-license.phpFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\xmlenc\xmlenc\0.52\d82554efbe65906d83b3d97bd7509289e9db561a\xmlenc-0.52.jar
License:
Public Domain: http://www.xmlpull.org/v1/download/unpacked/LICENSE.txtFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\xmlpull\xmlpull\1.1.3.1\2b8e230d2ab644e4ecaa94db7cdedbc40c805dfa\xmlpull-1.1.3.1.jar
Description: The XOM Dual Streaming/Tree API for Processing XML
License:
The GNU Lesser General Public License, Version 2.1: http://www.gnu.org/licenses/lgpl-2.1.htmlFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\xom\xom\1.2.5\4166493b9f04e91b858ba4150b28b4d197f8f8ea\xom-1.2.5.jar
Description: MXP1 is a stable XmlPull parsing engine that is based on ideas from XPP and in particular XPP2 but completely revised and rewritten to take the best advantage of latest JIT JVMs such as Hotspot in JDK 1.4+.
License:
Indiana University Extreme! Lab Software License, vesion 1.1.1: http://www.extreme.indiana.edu/viewcvs/~checkout~/XPP3/java/LICENSE.txt Public Domain: http://creativecommons.org/licenses/publicdomainFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\xpp3\xpp3_min\1.1.4c\19d4e90b43059058f6e056f794f0ea4030d60b86\xpp3_min-1.1.4c.jar
Description: JavaMail API
License:
https://glassfish.java.net/public/CDDL+GPL_1_1.htmlFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\com.sun.mail\javax.mail\1.5.1\9724dd44f1abbba99c9858aa05fc91d53f59e7a5\javax.mail-1.5.1.jar
CVE-2007-6059 suppressed
Severity:
Medium
CVSS Score: 5.0
CWE: CWE-399 Resource Management Errors
** DISPUTED ** Javamail does not properly handle a series of invalid login attempts in which the same e-mail address is entered as username and password, and the domain portion of this address yields a Java UnknownHostException error, which allows remote attackers to cause a denial of service (connection pool exhaustion) via a large number of requests, resulting in a SQLNestedException. NOTE: Sun disputes this issue, stating "The report makes references to source code and files that do not exist in the mentioned products."
Vulnerable Software & Versions:
Description: Apache Geronimo Transaction Manager
License:
http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.apache.geronimo.components\geronimo-transaction\3.1.1\1cfdfcff3cd6a805be401946ab14213b0bad9cb4\geronimo-transaction-3.1.1.jar
CVE-2008-0732 suppressed
Severity:
Low
CVSS Score: 2.1
CWE: CWE-59 Improper Link Resolution Before File Access ('Link Following')
The init script for Apache Geronimo on SUSE Linux follows symlinks when performing a chown operation, which might allow local users to obtain access to unspecified files or directories.
Vulnerable Software & Versions:
License:
http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: C:\Users\Jacques\.gradle\caches\modules-2\files-2.1\org.apache.zookeeper\zookeeper\3.4.6\1b2502e29da1ebaade2357cd1de35a855fa3755\zookeeper-3.4.6.jar
CVE-2014-0085 suppressed
Severity:
Low
CVSS Score: 2.1
CWE: CWE-255 Credentials Management
Apache Zookeeper logs cleartext admin passwords, which allows local users to obtain sensitive information by reading the log.
Vulnerable Software & Versions: (show all)