@andreluizf
Created July 15, 2019 11:57
"Project","ScanDate","DependencyName","DependencyPath","Description","License","Md5","Sha1","Identifiers","CPE","CVE","CWE","Vulnerability","Source","CVSSv2_Severity","CVSSv2_Score","CVSSv2","CVSSv3_BaseSeverity","CVSSv3_BaseScore","CVSSv3","CPE Confidence","Evidence Count"
Sistema,"Fri, 12 Jul 2019 17:04:19 -0300",jasperreports-emp-6.4.0.5.jar,/home/user/.m2/repository/net/sf/jasperreports/jasperreports/emp-6.4.0.5/jasperreports-emp-6.4.0.5.jar,JasperReports Library,GNU Lesser General Public License: http://jasperreports.sourceforge.net/license.html,27ee5162e86f3b8554c1e7c2fa3cef85,bb7d23696424ceaacfc5ffba6dd0617ff8fa3d9c,pkg:maven/net.sf.jasperreports/jasperreports@emp-6.4.0.5,cpe:2.3:a:tibco:jasperreports_library:6.4.0.5:*:*:*:*:*:*:*,CVE-2017-5529,null,"JasperReports library components contain an information disclosure vulnerability. This vulnerability includes the theoretical disclosure of any accessible information from the host file system. Affects TIBCO JasperReports Library Community Edition (versions 6.4.0 and below), TIBCO JasperReports Library for ActiveMatrix BPM (versions 6.2.0 and below), TIBCO JasperReports Professional (versions 6.2.1 and below, and 6.3.0), TIBCO JasperReports Server (versions 6.1.1 and below, 6.2.0, 6.2.1, 6.3.0), TIBCO JasperReports Server Community Edition (versions 6.3.0 and below), TIBCO JasperReports Server for ActiveMatrix BPM (versions 6.2.0 and below), TIBCO Jaspersoft for AWS with Multi-Tenancy (versions 6.3.0 and below), TIBCO Jaspersoft Reporting and Analytics for AWS (versions 6.3.0 and below), and TIBCO Jaspersoft Studio for ActiveMatrix BPM (versions 6.2.0 and below).",OSSINDEX,"","","",MEDIUM,6.5,/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N,HIGH,26
Sistema,"Fri, 12 Jul 2019 17:04:19 -0300",jasperreports-emp-6.4.0.5.jar,/home/user/.m2/repository/net/sf/jasperreports/jasperreports/emp-6.4.0.5/jasperreports-emp-6.4.0.5.jar,JasperReports Library,GNU Lesser General Public License: http://jasperreports.sourceforge.net/license.html,27ee5162e86f3b8554c1e7c2fa3cef85,bb7d23696424ceaacfc5ffba6dd0617ff8fa3d9c,pkg:maven/net.sf.jasperreports/jasperreports@emp-6.4.0.5,cpe:2.3:a:tibco:jasperreports_library:6.4.0.5:*:*:*:*:*:*:*,CVE-2017-5532,Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'),"A vulnerability in the report renderer component of TIBCO JasperReports Server, TIBCO JasperReports Server Community Edition, TIBCO JasperReports Server for ActiveMatrix BPM, TIBCO JasperReports Library, TIBCO JasperReports Library for ActiveMatrix BPM, TIBCO Jaspersoft for AWS with Multi-Tenancy, TIBCO Jaspersoft Reporting and Analytics for AWS, TIBCO Jaspersoft Studio, and TIBCO Jaspersoft Studio for ActiveMatrix BPM may allow a subset of authorized users to perform persistent cross-site scripting (XSS) attacks. Affected releases are TIBCO JasperReports Server 6.2.3 and below; 6.3.0; 6.3.1; 6.3.2; 6.4.0, TIBCO JasperReports Server Community Edition 6.4.0 and below, TIBCO JasperReports Server for ActiveMatrix BPM 6.4.0 and below, TIBCO JasperReports Library 6.2.3 and below; 6.3.0; 6.3.1; 6.3.2; 6.4.0; 6.4.1, TIBCO JasperReports Library for ActiveMatrix BPM 6.4.1 and below, TIBCO Jaspersoft for AWS with Multi-Tenancy 6.4.0 and below, TIBCO Jaspersoft Reporting and Analytics for AWS 6.4.0 and below, TIBCO Jaspersoft Studio 6.2.3 and below; 6.3.0; 6.3.1; 6.3.2; 6.4.0, and TIBCO Jaspersoft Studio for ActiveMatrix BPM 6.4.0 and below.",NVD,LOW,3.5,/AV:N/AC:M/Au:S/C:N/I:N/A:N,MEDIUM,5.4,/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N,HIGH,26
Sistema,"Fri, 12 Jul 2019 17:04:19 -0300",jasperreports-emp-6.4.0.5.jar,/home/user/.m2/repository/net/sf/jasperreports/jasperreports/emp-6.4.0.5/jasperreports-emp-6.4.0.5.jar,JasperReports Library,GNU Lesser General Public License: http://jasperreports.sourceforge.net/license.html,27ee5162e86f3b8554c1e7c2fa3cef85,bb7d23696424ceaacfc5ffba6dd0617ff8fa3d9c,pkg:maven/net.sf.jasperreports/jasperreports@emp-6.4.0.5,cpe:2.3:a:tibco:jasperreports_library:6.4.0.5:*:*:*:*:*:*:*,CVE-2018-18809,Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'),"The default server implementation of TIBCO Software Inc.'s TIBCO JasperReports Library, TIBCO JasperReports Library Community Edition, TIBCO JasperReports Library for ActiveMatrix BPM, TIBCO JasperReports Server, TIBCO JasperReports Server Community Edition, TIBCO JasperReports Server for ActiveMatrix BPM, TIBCO Jaspersoft for AWS with Multi-Tenancy, and TIBCO Jaspersoft Reporting and Analytics for AWS contains a directory-traversal vulnerability that may theoretically allow web server users to access contents of the host system. Affected releases are TIBCO Software Inc.'s TIBCO JasperReports Library: versions up to and including 6.3.4; 6.4.1; 6.4.2; 6.4.21; 7.1.0; 7.2.0, TIBCO JasperReports Library Community Edition: versions up to and including 6.7.0, TIBCO JasperReports Library for ActiveMatrix BPM: versions up to and including 6.4.21, TIBCO JasperReports Server: versions up to and including 6.3.4; 6.4.0; 6.4.1; 6.4.2; 6.4.3; 7.1.0, TIBCO JasperReports Server Community Edition: versions up to and including 6.4.3; 7.1.0, TIBCO JasperReports Server for ActiveMatrix BPM: versions up to and including 6.4.3, TIBCO Jaspersoft for AWS with Multi-Tenancy: versions up to and including 7.1.0, TIBCO Jaspersoft Reporting and Analytics for AWS: versions up to and including 7.1.0.",NVD,MEDIUM,4.0,/AV:N/AC:L/Au:S/C:P/I:P/A:N,MEDIUM,6.5,/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N,HIGH,26
Sistema,"Fri, 12 Jul 2019 17:04:19 -0300",jasperreports-emp-6.4.0.5.jar,/home/user/.m2/repository/net/sf/jasperreports/jasperreports/emp-6.4.0.5/jasperreports-emp-6.4.0.5.jar,JasperReports Library,GNU Lesser General Public License: http://jasperreports.sourceforge.net/license.html,27ee5162e86f3b8554c1e7c2fa3cef85,bb7d23696424ceaacfc5ffba6dd0617ff8fa3d9c,pkg:maven/net.sf.jasperreports/jasperreports@emp-6.4.0.5,cpe:2.3:a:tibco:jasperreports_library:6.4.0.5:*:*:*:*:*:*:*,CVE-2018-5429,"Permissions, Privileges, and Access Controls","A vulnerability in the report scripting component of TIBCO Software Inc.'s TIBCO JasperReports Server, TIBCO JasperReports Server Community Edition, TIBCO JasperReports Server for ActiveMatrix BPM, TIBCO JasperReports Library, TIBCO JasperReports Library Community Edition, TIBCO JasperReports Library for ActiveMatrix BPM, TIBCO Jaspersoft for AWS with Multi-Tenancy, TIBCO Jaspersoft Reporting and Analytics for AWS, TIBCO Jaspersoft Studio, TIBCO Jaspersoft Studio Community Edition, and TIBCO Jaspersoft Studio for ActiveMatrix BPM may allow analytic reports that contain scripting to perform arbitrary code execution. Affected releases include TIBCO Software Inc.'s TIBCO JasperReports Server: versions up to and including 6.2.4; 6.3.0; 6.3.2;6.3.3; 6.4.0; 6.4.2, TIBCO JasperReports Server Community Edition: versions up to and including 6.4.2, TIBCO JasperReports Server for ActiveMatrix BPM: versions up to and including 6.4.2, TIBCO JasperReports Library: versions up to and including 6.2.4; 6.3.0; 6.3.2; 6.3.3; 6.4.0; 6.4.1; 6.4.2, TIBCO JasperReports Library Community Edition: versions up to and including 6.4.3, TIBCO JasperReports Library for ActiveMatrix BPM: versions up to and including 6.4.2, TIBCO Jaspersoft for AWS with Multi-Tenancy: versions up to and including 6.4.2, TIBCO Jaspersoft Reporting and Analytics for AWS: versions up to and including 6.4.2, TIBCO Jaspersoft Studio: versions up to and including 6.2.4; 6.3.0; 6.3.2; 6.3.3; 6.4.0; 6.4.2, TIBCO Jaspersoft Studio Community Edition: versions up to and including 6.4.3, TIBCO Jaspersoft Studio for ActiveMatrix BPM: versions up to and including 6.4.2.",NVD,MEDIUM,6.5,/AV:N/AC:L/Au:S/C:P/I:P/A:P,HIGH,8.8,/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H,HIGH,26
Sistema,"Fri, 12 Jul 2019 17:04:19 -0300",tomcat-api-7.0.82.jar,/home/user/.m2/repository/org/apache/tomcat/tomcat-api/7.0.82/tomcat-api-7.0.82.jar,Definition of interfaces shared by Catalina and Jasper,"Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt",3c2c7dfb0c3801fb04bbd4ba7882505f,78ba4e353c34f8890062087a8d25f7580e6172be,pkg:maven/org.apache.tomcat/tomcat-api@7.0.82,"cpe:2.3:a:apache:tomcat:7.0.82:*:*:*:*:*:*:*, cpe:2.3:a:apache_software_foundation:tomcat:7.0.82:*:*:*:*:*:*:*, cpe:2.3:a:apache_tomcat:apache_tomcat:7.0.82:*:*:*:*:*:*:*",CVE-2016-5425,"Permissions, Privileges, and Access Controls","The Tomcat package on Red Hat Enterprise Linux (RHEL) 7, Fedora, CentOS, Oracle Linux, and possibly other Linux distributions uses weak permissions for /usr/lib/tmpfiles.d/tomcat.conf, which allows local users to gain root privileges by leveraging membership in the tomcat group.",NVD,HIGH,7.2,/AV:L/AC:L/Au:N/C:C/I:C/A:C,HIGH,7.8,/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H,HIGH,20
Sistema,"Fri, 12 Jul 2019 17:04:19 -0300",tomcat-api-7.0.82.jar,/home/user/.m2/repository/org/apache/tomcat/tomcat-api/7.0.82/tomcat-api-7.0.82.jar,Definition of interfaces shared by Catalina and Jasper,"Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt",3c2c7dfb0c3801fb04bbd4ba7882505f,78ba4e353c34f8890062087a8d25f7580e6172be,pkg:maven/org.apache.tomcat/tomcat-api@7.0.82,"cpe:2.3:a:apache:tomcat:7.0.82:*:*:*:*:*:*:*, cpe:2.3:a:apache_software_foundation:tomcat:7.0.82:*:*:*:*:*:*:*, cpe:2.3:a:apache_tomcat:apache_tomcat:7.0.82:*:*:*:*:*:*:*",CVE-2017-15706,Improperly Implemented Security Check for Standard,"As part of the fix for bug 61201, the documentation for Apache Tomcat 9.0.0.M22 to 9.0.1, 8.5.16 to 8.5.23, 8.0.45 to 8.0.47 and 7.0.79 to 7.0.82 included an updated description of the search algorithm used by the CGI Servlet to identify which script to execute. The update was not correct. As a result, some scripts may have failed to execute as expected and other scripts may have been executed unexpectedly. Note that the behaviour of the CGI servlet has remained unchanged in this regard. It is only the documentation of the behaviour that was wrong and has been corrected.",NVD,MEDIUM,5.0,/AV:N/AC:L/Au:N/C:N/I:N/A:N,MEDIUM,5.3,/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N,HIGH,20
Sistema,"Fri, 12 Jul 2019 17:04:19 -0300",tomcat-api-7.0.82.jar,/home/user/.m2/repository/org/apache/tomcat/tomcat-api/7.0.82/tomcat-api-7.0.82.jar,Definition of interfaces shared by Catalina and Jasper,"Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt",3c2c7dfb0c3801fb04bbd4ba7882505f,78ba4e353c34f8890062087a8d25f7580e6172be,pkg:maven/org.apache.tomcat/tomcat-api@7.0.82,"cpe:2.3:a:apache:tomcat:7.0.82:*:*:*:*:*:*:*, cpe:2.3:a:apache_software_foundation:tomcat:7.0.82:*:*:*:*:*:*:*, cpe:2.3:a:apache_tomcat:apache_tomcat:7.0.82:*:*:*:*:*:*:*",CVE-2018-11784,URL Redirection to Untrusted Site ('Open Redirect'),"When the default servlet in Apache Tomcat versions 9.0.0.M1 to 9.0.11, 8.5.0 to 8.5.33 and 7.0.23 to 7.0.90 returned a redirect to a directory (e.g. redirecting to '/foo/' when the user requested '/foo') a specially crafted URL could be used to cause the redirect to be generated to any URI of the attackers choice.",NVD,MEDIUM,4.3,/AV:N/AC:M/Au:N/C:N/I:N/A:N,MEDIUM,4.3,/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N,HIGH,20
Sistema,"Fri, 12 Jul 2019 17:04:19 -0300",tomcat-api-7.0.82.jar,/home/user/.m2/repository/org/apache/tomcat/tomcat-api/7.0.82/tomcat-api-7.0.82.jar,Definition of interfaces shared by Catalina and Jasper,"Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt",3c2c7dfb0c3801fb04bbd4ba7882505f,78ba4e353c34f8890062087a8d25f7580e6172be,pkg:maven/org.apache.tomcat/tomcat-api@7.0.82,"cpe:2.3:a:apache:tomcat:7.0.82:*:*:*:*:*:*:*, cpe:2.3:a:apache_software_foundation:tomcat:7.0.82:*:*:*:*:*:*:*, cpe:2.3:a:apache_tomcat:apache_tomcat:7.0.82:*:*:*:*:*:*:*",CVE-2018-1304,7PK - Security Features,"The URL pattern of """" (the empty string) which exactly maps to the context root was not correctly handled in Apache Tomcat 9.0.0.M1 to 9.0.4, 8.5.0 to 8.5.27, 8.0.0.RC1 to 8.0.49 and 7.0.0 to 7.0.84 when used as part of a security constraint definition. This caused the constraint to be ignored. It was, therefore, possible for unauthorised users to gain access to web application resources that should have been protected. Only security constraints with a URL pattern of the empty string were affected.",NVD,MEDIUM,4.3,/AV:N/AC:M/Au:N/C:P/I:P/A:N,MEDIUM,5.9,/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N,HIGH,20
Sistema,"Fri, 12 Jul 2019 17:04:19 -0300",tomcat-api-7.0.82.jar,/home/user/.m2/repository/org/apache/tomcat/tomcat-api/7.0.82/tomcat-api-7.0.82.jar,Definition of interfaces shared by Catalina and Jasper,"Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt",3c2c7dfb0c3801fb04bbd4ba7882505f,78ba4e353c34f8890062087a8d25f7580e6172be,pkg:maven/org.apache.tomcat/tomcat-api@7.0.82,"cpe:2.3:a:apache:tomcat:7.0.82:*:*:*:*:*:*:*, cpe:2.3:a:apache_software_foundation:tomcat:7.0.82:*:*:*:*:*:*:*, cpe:2.3:a:apache_tomcat:apache_tomcat:7.0.82:*:*:*:*:*:*:*",CVE-2018-1305,Improper Access Control,"Security constraints defined by annotations of Servlets in Apache Tomcat 9.0.0.M1 to 9.0.4, 8.5.0 to 8.5.27, 8.0.0.RC1 to 8.0.49 and 7.0.0 to 7.0.84 were only applied once a Servlet had been loaded. Because security constraints defined in this way apply to the URL pattern and any URLs below that point, it was possible - depending on the order Servlets were loaded - for some security constraints not to be applied. This could have exposed resources to users who were not authorised to access them.",NVD,MEDIUM,4.0,/AV:N/AC:L/Au:S/C:P/I:P/A:N,MEDIUM,6.5,/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N,HIGH,20
Sistema,"Fri, 12 Jul 2019 17:04:19 -0300",tomcat-api-7.0.82.jar,/home/user/.m2/repository/org/apache/tomcat/tomcat-api/7.0.82/tomcat-api-7.0.82.jar,Definition of interfaces shared by Catalina and Jasper,"Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt",3c2c7dfb0c3801fb04bbd4ba7882505f,78ba4e353c34f8890062087a8d25f7580e6172be,pkg:maven/org.apache.tomcat/tomcat-api@7.0.82,"cpe:2.3:a:apache:tomcat:7.0.82:*:*:*:*:*:*:*, cpe:2.3:a:apache_software_foundation:tomcat:7.0.82:*:*:*:*:*:*:*, cpe:2.3:a:apache_tomcat:apache_tomcat:7.0.82:*:*:*:*:*:*:*",CVE-2018-1336,Uncontrolled Resource Consumption ('Resource Exhaustion'),"An improper handing of overflow in the UTF-8 decoder with supplementary characters can lead to an infinite loop in the decoder causing a Denial of Service. Versions Affected: Apache Tomcat 9.0.0.M9 to 9.0.7, 8.5.0 to 8.5.30, 8.0.0.RC1 to 8.0.51, and 7.0.28 to 7.0.86.",NVD,MEDIUM,5.0,/AV:N/AC:L/Au:N/C:N/I:N/A:P,HIGH,7.5,/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H,HIGH,20
Sistema,"Fri, 12 Jul 2019 17:04:19 -0300",tomcat-api-7.0.82.jar,/home/user/.m2/repository/org/apache/tomcat/tomcat-api/7.0.82/tomcat-api-7.0.82.jar,Definition of interfaces shared by Catalina and Jasper,"Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt",3c2c7dfb0c3801fb04bbd4ba7882505f,78ba4e353c34f8890062087a8d25f7580e6172be,pkg:maven/org.apache.tomcat/tomcat-api@7.0.82,"cpe:2.3:a:apache:tomcat:7.0.82:*:*:*:*:*:*:*, cpe:2.3:a:apache_software_foundation:tomcat:7.0.82:*:*:*:*:*:*:*, cpe:2.3:a:apache_tomcat:apache_tomcat:7.0.82:*:*:*:*:*:*:*",CVE-2018-8014,7PK - Security Features,"The defaults settings for the CORS filter provided in Apache Tomcat 9.0.0.M1 to 9.0.8, 8.5.0 to 8.5.31, 8.0.0.RC1 to 8.0.52, 7.0.41 to 7.0.88 are insecure and enable 'supportsCredentials' for all origins. It is expected that users of the CORS filter will have configured it appropriately for their environment rather than using it in the default configuration. Therefore, it is expected that most users will not be impacted by this issue.",NVD,HIGH,7.5,/AV:N/AC:L/Au:N/C:P/I:P/A:P,CRITICAL,9.8,/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H,HIGH,20
Sistema,"Fri, 12 Jul 2019 17:04:19 -0300",tomcat-api-7.0.82.jar,/home/user/.m2/repository/org/apache/tomcat/tomcat-api/7.0.82/tomcat-api-7.0.82.jar,Definition of interfaces shared by Catalina and Jasper,"Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt",3c2c7dfb0c3801fb04bbd4ba7882505f,78ba4e353c34f8890062087a8d25f7580e6172be,pkg:maven/org.apache.tomcat/tomcat-api@7.0.82,"cpe:2.3:a:apache:tomcat:7.0.82:*:*:*:*:*:*:*, cpe:2.3:a:apache_software_foundation:tomcat:7.0.82:*:*:*:*:*:*:*, cpe:2.3:a:apache_tomcat:apache_tomcat:7.0.82:*:*:*:*:*:*:*",CVE-2018-8034,Improper Certificate Validation,"The host name verification when using TLS with the WebSocket client was missing. It is now enabled by default. Versions Affected: Apache Tomcat 9.0.0.M1 to 9.0.9, 8.5.0 to 8.5.31, 8.0.0.RC1 to 8.0.52, and 7.0.35 to 7.0.88.",NVD,MEDIUM,5.0,/AV:N/AC:L/Au:N/C:P/I:P/A:N,HIGH,7.5,/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N,HIGH,20
Sistema,"Fri, 12 Jul 2019 17:04:19 -0300",tomcat-api-7.0.82.jar,/home/user/.m2/repository/org/apache/tomcat/tomcat-api/7.0.82/tomcat-api-7.0.82.jar,Definition of interfaces shared by Catalina and Jasper,"Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt",3c2c7dfb0c3801fb04bbd4ba7882505f,78ba4e353c34f8890062087a8d25f7580e6172be,pkg:maven/org.apache.tomcat/tomcat-api@7.0.82,"cpe:2.3:a:apache:tomcat:7.0.82:*:*:*:*:*:*:*, cpe:2.3:a:apache_software_foundation:tomcat:7.0.82:*:*:*:*:*:*:*, cpe:2.3:a:apache_tomcat:apache_tomcat:7.0.82:*:*:*:*:*:*:*",CVE-2019-0221,Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'),"The SSI printenv command in Apache Tomcat 9.0.0.M1 to 9.0.0.17, 8.5.0 to 8.5.39 and 7.0.0 to 7.0.93 echoes user provided data without escaping and is, therefore, vulnerable to XSS. SSI is disabled by default. The printenv command is intended for debugging and is unlikely to be present in a production website.",NVD,MEDIUM,4.3,/AV:N/AC:M/Au:N/C:N/I:N/A:N,MEDIUM,6.1,/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N,HIGH,20
Sistema,"Fri, 12 Jul 2019 17:04:19 -0300",tomcat-api-7.0.82.jar,/home/user/.m2/repository/org/apache/tomcat/tomcat-api/7.0.82/tomcat-api-7.0.82.jar,Definition of interfaces shared by Catalina and Jasper,"Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt",3c2c7dfb0c3801fb04bbd4ba7882505f,78ba4e353c34f8890062087a8d25f7580e6172be,pkg:maven/org.apache.tomcat/tomcat-api@7.0.82,"cpe:2.3:a:apache:tomcat:7.0.82:*:*:*:*:*:*:*, cpe:2.3:a:apache_software_foundation:tomcat:7.0.82:*:*:*:*:*:*:*, cpe:2.3:a:apache_tomcat:apache_tomcat:7.0.82:*:*:*:*:*:*:*",CVE-2019-0232,Improper Input Validation,"When running on Windows with enableCmdLineArguments enabled, the CGI Servlet in Apache Tomcat 9.0.0.M1 to 9.0.17, 8.5.0 to 8.5.39 and 7.0.0 to 7.0.93 is vulnerable to Remote Code Execution due to a bug in the way the JRE passes command line arguments to Windows. The CGI Servlet is disabled by default. The CGI option enableCmdLineArguments is disable by default in Tomcat 9.0.x (and will be disabled by default in all versions in response to this vulnerability). For a detailed explanation of the JRE behaviour, see Markus Wulftange's blog (https://codewhitesec.blogspot.com/2016/02/java-and-command-line-injections-in-windows.html) and this archived MSDN blog (https://web.archive.org/web/20161228144344/https://blogs.msdn.microsoft.com/twistylittlepassagesallalike/2011/04/23/everyone-quotes-command-line-arguments-the-wrong-way/).",NVD,HIGH,9.3,/AV:N/AC:M/Au:N/C:C/I:C/A:C,HIGH,8.1,/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H,HIGH,20
Sistema,"Fri, 12 Jul 2019 17:04:19 -0300",tomcat-jasper-8.5.38.jar,/home/user/.m2/repository/org/apache/tomcat/tomcat-jasper/8.5.38/tomcat-jasper-8.5.38.jar,Tomcats JSP Parser,"Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt",46c34a61268023ce83cc07d14ea440ba,e1747507c493d422e2f58cde90e6d1604df2d072,pkg:maven/org.apache.tomcat/tomcat-jasper@8.5.38,"cpe:2.3:a:apache:tomcat:8.5.38:*:*:*:*:*:*:*, cpe:2.3:a:apache_software_foundation:tomcat:8.5.38:*:*:*:*:*:*:*, cpe:2.3:a:apache_tomcat:apache_tomcat:8.5.38:*:*:*:*:*:*:*",CVE-2016-5425,"Permissions, Privileges, and Access Controls","The Tomcat package on Red Hat Enterprise Linux (RHEL) 7, Fedora, CentOS, Oracle Linux, and possibly other Linux distributions uses weak permissions for /usr/lib/tmpfiles.d/tomcat.conf, which allows local users to gain root privileges by leveraging membership in the tomcat group.",NVD,HIGH,7.2,/AV:L/AC:L/Au:N/C:C/I:C/A:C,HIGH,7.8,/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H,HIGH,22
Sistema,"Fri, 12 Jul 2019 17:04:19 -0300",tomcat-jasper-8.5.38.jar,/home/user/.m2/repository/org/apache/tomcat/tomcat-jasper/8.5.38/tomcat-jasper-8.5.38.jar,Tomcats JSP Parser,"Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt",46c34a61268023ce83cc07d14ea440ba,e1747507c493d422e2f58cde90e6d1604df2d072,pkg:maven/org.apache.tomcat/tomcat-jasper@8.5.38,"cpe:2.3:a:apache:tomcat:8.5.38:*:*:*:*:*:*:*, cpe:2.3:a:apache_software_foundation:tomcat:8.5.38:*:*:*:*:*:*:*, cpe:2.3:a:apache_tomcat:apache_tomcat:8.5.38:*:*:*:*:*:*:*",CVE-2019-0221,Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'),"The SSI printenv command in Apache Tomcat 9.0.0.M1 to 9.0.0.17, 8.5.0 to 8.5.39 and 7.0.0 to 7.0.93 echoes user provided data without escaping and is, therefore, vulnerable to XSS. SSI is disabled by default. The printenv command is intended for debugging and is unlikely to be present in a production website.",NVD,MEDIUM,4.3,/AV:N/AC:M/Au:N/C:N/I:N/A:N,MEDIUM,6.1,/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N,HIGH,22
Sistema,"Fri, 12 Jul 2019 17:04:19 -0300",tomcat-jasper-8.5.38.jar,/home/user/.m2/repository/org/apache/tomcat/tomcat-jasper/8.5.38/tomcat-jasper-8.5.38.jar,Tomcats JSP Parser,"Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt",46c34a61268023ce83cc07d14ea440ba,e1747507c493d422e2f58cde90e6d1604df2d072,pkg:maven/org.apache.tomcat/tomcat-jasper@8.5.38,"cpe:2.3:a:apache:tomcat:8.5.38:*:*:*:*:*:*:*, cpe:2.3:a:apache_software_foundation:tomcat:8.5.38:*:*:*:*:*:*:*, cpe:2.3:a:apache_tomcat:apache_tomcat:8.5.38:*:*:*:*:*:*:*",CVE-2019-0232,Improper Input Validation,"When running on Windows with enableCmdLineArguments enabled, the CGI Servlet in Apache Tomcat 9.0.0.M1 to 9.0.17, 8.5.0 to 8.5.39 and 7.0.0 to 7.0.93 is vulnerable to Remote Code Execution due to a bug in the way the JRE passes command line arguments to Windows. The CGI Servlet is disabled by default. The CGI option enableCmdLineArguments is disable by default in Tomcat 9.0.x (and will be disabled by default in all versions in response to this vulnerability). For a detailed explanation of the JRE behaviour, see Markus Wulftange's blog (https://codewhitesec.blogspot.com/2016/02/java-and-command-line-injections-in-windows.html) and this archived MSDN blog (https://web.archive.org/web/20161228144344/https://blogs.msdn.microsoft.com/twistylittlepassagesallalike/2011/04/23/everyone-quotes-command-line-arguments-the-wrong-way/).",NVD,HIGH,9.3,/AV:N/AC:M/Au:N/C:C/I:C/A:C,HIGH,8.1,/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H,HIGH,22
Sistema,"Fri, 12 Jul 2019 17:04:19 -0300",tomcat-jasper-8.5.38.jar,/home/user/.m2/repository/org/apache/tomcat/tomcat-jasper/8.5.38/tomcat-jasper-8.5.38.jar,Tomcats JSP Parser,"Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt",46c34a61268023ce83cc07d14ea440ba,e1747507c493d422e2f58cde90e6d1604df2d072,pkg:maven/org.apache.tomcat/tomcat-jasper@8.5.38,"cpe:2.3:a:apache:tomcat:8.5.38:*:*:*:*:*:*:*, cpe:2.3:a:apache_software_foundation:tomcat:8.5.38:*:*:*:*:*:*:*, cpe:2.3:a:apache_tomcat:apache_tomcat:8.5.38:*:*:*:*:*:*:*",CVE-2019-10072,Uncontrolled Resource Consumption ('Resource Exhaustion'),The fix for CVE-2019-0199 was incomplete and did not address HTTP/2 connection window exhaustion on write in Apache Tomcat versions 9.0.0.M1 to 9.0.19 and 8.5.0 to 8.5.40 . By not sending WINDOW_UPDATE messages for the connection window (stream 0) clients were able to cause server-side threads to block eventually leading to thread exhaustion and a DoS.,NVD,MEDIUM,5.0,/AV:N/AC:L/Au:N/C:N/I:N/A:P,HIGH,7.5,/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H,HIGH,22
Sistema,"Fri, 12 Jul 2019 17:04:19 -0300",wss4j-1.6.19.jar,/home/user/.m2/repository/org/apache/ws/security/wss4j/1.6.19/wss4j-1.6.19.jar,"The Apache WSS4J project provides a Java implementation of the primary security standards for Web Services, namely the OASIS Web Services Security (WS-Security) specifications from the OASIS Web Services Security TC.","The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt",924bee104f7c4d2d98a51acbf793b8f7,2d4d36b6a423aa14fd0a57a52ec8f25d3d5dc19a,pkg:maven/org.apache.ws.security/wss4j@1.6.19,cpe:2.3:a:apache:wss4j:1.6.19:*:*:*:*:*:*:*,CWE-327: Use of a Broken or Risky Cryptographic Algorithm,Use of a Broken or Risky Cryptographic Algorithm,The use of a broken or risky cryptographic algorithm is an unnecessary risk that may result in the exposure of sensitive information.,OSSINDEX,"","","","","","",HIGH,40
Sistema,"Fri, 12 Jul 2019 17:04:19 -0300",xalan-2.7.1.jar,/home/user/.m2/repository/xalan/xalan/2.7.1/xalan-2.7.1.jar,"Xalan-Java is an XSLT processor for transforming XML documents into HTML, text, or other XML document types. It implements XSL Transformations (XSLT) Version 1.0 and XML Path Language (XPath) Version 1.0 and can be used from the command line, in an applet or a servlet, or as a module in other program.","",d43aad24f2c143b675292ccfef487f9c,75f1d83ce27bab5f29fff034fc74aa9f7266f22a,pkg:maven/xalan/xalan@2.7.1,cpe:2.3:a:apache:xalan-java:2.7.1:*:*:*:*:*:*:*,CVE-2014-0107,"Permissions, Privileges, and Access Controls","The TransformerFactory in Apache Xalan-Java before 2.7.2 does not properly restrict access to certain properties when FEATURE_SECURE_PROCESSING is enabled, which allows remote attackers to bypass expected restrictions and load arbitrary classes or access external resources via a crafted (1) xalan:content-header, (2) xalan:entities, (3) xslt:content-header, or (4) xslt:entities property, or a Java property that is bound to the XSLT 1.0 system-property function.",NVD,HIGH,7.5,/AV:N/AC:L/Au:N/C:P/I:P/A:P,"","","",HIGH,65
Sistema,"Fri, 12 Jul 2019 17:04:19 -0300",serializer-2.7.1.jar,/home/user/.m2/repository/xalan/serializer/2.7.1/serializer-2.7.1.jar,"Serializer to write out XML, HTML etc. as a stream of characters from an input DOM or from input SAX events.","",a6b64dfe58229bdd810263fa0cc54cff,4b4b18df434451249bb65a63f2fb69e215a6a020,pkg:maven/xalan/serializer@2.7.1,cpe:2.3:a:apache:xalan-java:2.7.1:*:*:*:*:*:*:*,CVE-2014-0107,"Permissions, Privileges, and Access Controls","The TransformerFactory in Apache Xalan-Java before 2.7.2 does not properly restrict access to certain properties when FEATURE_SECURE_PROCESSING is enabled, which allows remote attackers to bypass expected restrictions and load arbitrary classes or access external resources via a crafted (1) xalan:content-header, (2) xalan:entities, (3) xslt:content-header, or (4) xslt:entities property, or a Java property that is bound to the XSLT 1.0 system-property function.",NVD,HIGH,7.5,/AV:N/AC:L/Au:N/C:P/I:P/A:P,"","","",HIGH,31
Sistema,"Fri, 12 Jul 2019 17:04:19 -0300",xercesImpl-2.10.0.jar,/home/user/.m2/repository/xerces/xercesImpl/2.10.0/xercesImpl-2.10.0.jar,"Xerces2 is the next generation of high performance, fully compliant XML parsers in the Apache Xerces family. This new version of Xerces introduces the Xerces Native Interface (XNI), a complete framework for building parser components and configurations that is extremely modular and easy to program. The Apache Xerces2 parser is the reference implementation of XNI but other parser components, configurations, and parsers can be written using the Xerces Native Interface. For complete design and implementation documents, refer to the XNI Manual. Xerces2 is a fully conforming XML Schema 1.0 processor. A partial experimental implementation of the XML Schema 1.1 Structures and Datatypes Working Drafts (December 2009) and an experimental implementation of the XML Schema Definition Language (XSD): Component Designators (SCD) Candidate Recommendation (January 2010) are provided for evaluation. For more information, refer to the XML Schema page. Xerces2 also provides a complete implementation of the Document Object Model Level 3 Core and Load/Save W3C Recommendations and provides a complete implementation of the XML Inclusions (XInclude) W3C Recommendation. It also provides support for OASIS XML Catalogs v1.1. Xerces2 is able to parse documents written according to the XML 1.1 Recommendation, except that it does not yet provide an option to enable normalization checking as described in section 2.13 of this specification. It also handles namespaces according to the XML Namespaces 1.1 Recommendation, and will correctly serialize XML 1.1 documents if the DOM level 3 load/save APIs are in use.","The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt",6c433248d569dd471e5d2237cc31df8b,9161654d2afe7f9063455f02ccca8e4ec2787222,pkg:maven/xerces/xercesImpl@2.10.0,cpe:2.3:a:apache:xerces2_java:2.10.0:*:*:*:*:*:*:*,CVE-2012-0881,Resource Management Errors,"Apache Xerces2 Java Parser before 2.12.0 allows remote attackers to cause a denial of service (CPU consumption) via a crafted message to an XML service, which triggers hash table collisions.",NVD,HIGH,7.8,/AV:N/AC:L/Au:N/C:N/I:N/A:C,HIGH,7.5,/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H,HIGH,74
Sistema,"Fri, 12 Jul 2019 17:04:19 -0300",mysql-connector-java-5.1.47.jar,/home/user/.m2/repository/mysql/mysql-connector-java/5.1.47/mysql-connector-java-5.1.47.jar,MySQL JDBC Type 4 driver,"The GNU General Public License, Version 2: http://www.gnu.org/licenses/old-licenses/gpl-2.0.html",9602475e1169fd75e0604cc49e75ef30,9de4159aaf2d08817a276610b8114a825fca6cfd,pkg:maven/mysql/mysql-connector-java@5.1.47,"cpe:2.3:a:oracle:connector\/j:5.1.47:*:*:*:*:*:*:*, cpe:2.3:a:oracle:mysql_connector\/j:5.1.47:*:*:*:*:*:*:*",CVE-2018-3258,Improper Access Control,"Vulnerability in the MySQL Connectors component of Oracle MySQL (subcomponent: Connector/J). Supported versions that are affected are 8.0.12 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Connectors. Successful attacks of this vulnerability can result in takeover of MySQL Connectors. CVSS 3.0 Base Score 8.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).",NVD,MEDIUM,6.5,/AV:N/AC:L/Au:S/C:P/I:P/A:P,HIGH,8.8,/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H,HIGH,38
Sistema,"Fri, 12 Jul 2019 17:04:19 -0300",mysql-connector-java-5.1.47.jar,/home/user/.m2/repository/mysql/mysql-connector-java/5.1.47/mysql-connector-java-5.1.47.jar,MySQL JDBC Type 4 driver,"The GNU General Public License, Version 2: http://www.gnu.org/licenses/old-licenses/gpl-2.0.html",9602475e1169fd75e0604cc49e75ef30,9de4159aaf2d08817a276610b8114a825fca6cfd,pkg:maven/mysql/mysql-connector-java@5.1.47,"cpe:2.3:a:oracle:connector\/j:5.1.47:*:*:*:*:*:*:*, cpe:2.3:a:oracle:mysql_connector\/j:5.1.47:*:*:*:*:*:*:*",CVE-2019-2692,Improper Input Validation,"Vulnerability in the MySQL Connectors component of Oracle MySQL (subcomponent: Connector/J). Supported versions that are affected are 8.0.15 and prior. Difficult to exploit vulnerability allows high privileged attacker with logon to the infrastructure where MySQL Connectors executes to compromise MySQL Connectors. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in takeover of MySQL Connectors. CVSS 3.0 Base Score 6.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H).",NVD,LOW,3.5,/AV:L/AC:H/Au:S/C:P/I:P/A:P,MEDIUM,6.3,/AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H,HIGH,38
Sistema,"Fri, 12 Jul 2019 17:04:19 -0300",jackson-databind-2.9.8.jar,/home/user/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.8/jackson-databind-2.9.8.jar,General data-binding functionality for Jackson: works on core streaming API,http://www.apache.org/licenses/LICENSE-2.0.txt,39271d9bb1cb7ec563925953b1fa9ff7,11283f21cc480aa86c4df7a0a3243ec508372ed2,pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.8,"cpe:2.3:a:fasterxml:jackson:2.9.8:*:*:*:*:*:*:*, cpe:2.3:a:fasterxml:jackson-databind:2.9.8:*:*:*:*:*:*:*",CVE-2019-12086,Information Exposure,"A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x before 2.9.9. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint, the service has the mysql-connector-java jar (8.0.14 or earlier) in the classpath, and an attacker can host a crafted MySQL server reachable by the victim, an attacker can send a crafted JSON message that allows them to read arbitrary local files on the server. This occurs because of missing com.mysql.cj.jdbc.admin.MiniAdmin validation.",NVD,MEDIUM,5.0,/AV:N/AC:L/Au:N/C:P/I:P/A:N,HIGH,7.5,/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N,HIGH,41
Sistema,"Fri, 12 Jul 2019 17:04:19 -0300",jackson-databind-2.9.8.jar,/home/user/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.8/jackson-databind-2.9.8.jar,General data-binding functionality for Jackson: works on core streaming API,http://www.apache.org/licenses/LICENSE-2.0.txt,39271d9bb1cb7ec563925953b1fa9ff7,11283f21cc480aa86c4df7a0a3243ec508372ed2,pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.8,"cpe:2.3:a:fasterxml:jackson:2.9.8:*:*:*:*:*:*:*, cpe:2.3:a:fasterxml:jackson-databind:2.9.8:*:*:*:*:*:*:*",CVE-2019-12384,Deserialization of Untrusted Data,"FasterXML jackson-databind 2.x before 2.9.9 might allow attackers to have a variety of impacts by leveraging failure to block the logback-core class from polymorphic deserialization. Depending on the classpath content, remote code execution may be possible.",NVD,MEDIUM,4.3,/AV:N/AC:M/Au:N/C:P/I:P/A:N,MEDIUM,5.9,/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N,HIGH,41
Sistema,"Fri, 12 Jul 2019 17:04:19 -0300",jackson-databind-2.9.8.jar,/home/user/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.8/jackson-databind-2.9.8.jar,General data-binding functionality for Jackson: works on core streaming API,http://www.apache.org/licenses/LICENSE-2.0.txt,39271d9bb1cb7ec563925953b1fa9ff7,11283f21cc480aa86c4df7a0a3243ec508372ed2,pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.8,"cpe:2.3:a:fasterxml:jackson:2.9.8:*:*:*:*:*:*:*, cpe:2.3:a:fasterxml:jackson-databind:2.9.8:*:*:*:*:*:*:*",CVE-2019-12814,Information Exposure,"A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x through 2.9.9. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has JDOM 1.x or 2.x jar in the classpath, an attacker can send a specifically crafted JSON message that allows them to read arbitrary local files on the server.",NVD,MEDIUM,4.3,/AV:N/AC:M/Au:N/C:P/I:P/A:N,MEDIUM,5.9,/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N,HIGH,41
Sistema,"Fri, 12 Jul 2019 17:04:19 -0300",spring-security-web-4.2.11.RELEASE.jar,/home/user/.m2/repository/org/springframework/security/spring-security-web/4.2.11.RELEASE/spring-security-web-4.2.11.RELEASE.jar,spring-security-web,"The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt",66aff23949d845e5bcac1f62578d1272,714f2fe9c43b8b3111d953d2fb57273bdffa32bc,pkg:maven/org.springframework.security/spring-security-web@4.2.11.RELEASE,cpe:2.3:a:pivotal_software:spring_security:4.2.11.release:*:*:*:*:*:*:*,CVE-2018-1258,Improper Authorization,Spring Framework version 5.0.5 when used in combination with any versions of Spring Security contains an authorization bypass when using method security. An unauthorized malicious user can gain unauthorized access to methods that should be restricted.,NVD,MEDIUM,6.5,/AV:N/AC:L/Au:S/C:P/I:P/A:P,HIGH,8.8,/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H,HIGH,37
Sistema,"Fri, 12 Jul 2019 17:04:19 -0300",spring-security-web-4.2.11.RELEASE.jar,/home/user/.m2/repository/org/springframework/security/spring-security-web/4.2.11.RELEASE/spring-security-web-4.2.11.RELEASE.jar,spring-security-web,"The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt",66aff23949d845e5bcac1f62578d1272,714f2fe9c43b8b3111d953d2fb57273bdffa32bc,pkg:maven/org.springframework.security/spring-security-web@4.2.11.RELEASE,cpe:2.3:a:pivotal_software:spring_security:4.2.11.release:*:*:*:*:*:*:*,CVE-2019-11272,Credentials Management,"Spring Security, versions 4.2.x up to 4.2.12, and older unsupported versions support plain text passwords using PlaintextPasswordEncoder. If an application using an affected version of Spring Security is leveraging PlaintextPasswordEncoder and a user has a null encoded password, a malicious user (or attacker) can authenticate using a password of ""null"".",NVD,HIGH,7.5,/AV:N/AC:L/Au:N/C:P/I:P/A:P,HIGH,7.3,/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L,HIGH,37
Sistema,"Fri, 12 Jul 2019 17:04:19 -0300",spring-security-web-4.2.11.RELEASE.jar,/home/user/.m2/repository/org/springframework/security/spring-security-web/4.2.11.RELEASE/spring-security-web-4.2.11.RELEASE.jar,spring-security-web,"The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt",66aff23949d845e5bcac1f62578d1272,714f2fe9c43b8b3111d953d2fb57273bdffa32bc,pkg:maven/org.springframework.security/spring-security-web@4.2.11.RELEASE,cpe:2.3:a:pivotal_software:spring_security:4.2.11.release:*:*:*:*:*:*:*,CVE-2019-3795,Insufficient Entropy in PRNG,"Spring Security versions 4.2.x prior to 4.2.12, 5.0.x prior to 5.0.12, and 5.1.x prior to 5.1.5 contain an insecure randomness vulnerability when using SecureRandomFactoryBean#setSeed to configure a SecureRandom instance. In order to be impacted, an honest application must provide a seed and make the resulting random material available to an attacker for inspection.",NVD,MEDIUM,5.0,/AV:N/AC:L/Au:N/C:P/I:P/A:N,MEDIUM,5.3,/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N,HIGH,37
Sistema,"Fri, 12 Jul 2019 17:04:19 -0300",spring-security-core-4.2.11.RELEASE.jar,/home/user/.m2/repository/org/springframework/security/spring-security-core/4.2.11.RELEASE/spring-security-core-4.2.11.RELEASE.jar,spring-security-core,"The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt",8486030d416338326f8f67be5438159c,94833c81d0df9a66bf6dd27baf17b73d6ac85d73,pkg:maven/org.springframework.security/spring-security-core@4.2.11.RELEASE,cpe:2.3:a:pivotal_software:spring_security:4.2.11.release:*:*:*:*:*:*:*,BREACH attack possible in CSRF tokens,null,> The CSRF tokens generated by Spring are vulnerable to a BREACH attack. > > ... > > This only occurs when you turn on CSRF protection in Spring and also have HTTP compression enabled somewhere in your web server stack. > > -- [github.com](https://github.com/spring-projects/spring-security/issues/4001),OSSINDEX,"","","","","","",HIGH,37
Sistema,"Fri, 12 Jul 2019 17:04:19 -0300",spring-security-core-4.2.11.RELEASE.jar,/home/user/.m2/repository/org/springframework/security/spring-security-core/4.2.11.RELEASE/spring-security-core-4.2.11.RELEASE.jar,spring-security-core,"The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt",8486030d416338326f8f67be5438159c,94833c81d0df9a66bf6dd27baf17b73d6ac85d73,pkg:maven/org.springframework.security/spring-security-core@4.2.11.RELEASE,cpe:2.3:a:pivotal_software:spring_security:4.2.11.release:*:*:*:*:*:*:*,CVE-2018-1258,Improper Authorization,Spring Framework version 5.0.5 when used in combination with any versions of Spring Security contains an authorization bypass when using method security. An unauthorized malicious user can gain unauthorized access to methods that should be restricted.,NVD,MEDIUM,6.5,/AV:N/AC:L/Au:S/C:P/I:P/A:P,HIGH,8.8,/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H,HIGH,37
Sistema,"Fri, 12 Jul 2019 17:04:19 -0300",spring-security-core-4.2.11.RELEASE.jar,/home/user/.m2/repository/org/springframework/security/spring-security-core/4.2.11.RELEASE/spring-security-core-4.2.11.RELEASE.jar,spring-security-core,"The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt",8486030d416338326f8f67be5438159c,94833c81d0df9a66bf6dd27baf17b73d6ac85d73,pkg:maven/org.springframework.security/spring-security-core@4.2.11.RELEASE,cpe:2.3:a:pivotal_software:spring_security:4.2.11.release:*:*:*:*:*:*:*,CVE-2019-11272,Credentials Management,"Spring Security, versions 4.2.x up to 4.2.12, and older unsupported versions support plain text passwords using PlaintextPasswordEncoder. If an application using an affected version of Spring Security is leveraging PlaintextPasswordEncoder and a user has a null encoded password, a malicious user (or attacker) can authenticate using a password of ""null"".",NVD,HIGH,7.5,/AV:N/AC:L/Au:N/C:P/I:P/A:P,HIGH,7.3,/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L,HIGH,37
Sistema,"Fri, 12 Jul 2019 17:04:19 -0300",spring-security-core-4.2.11.RELEASE.jar,/home/user/.m2/repository/org/springframework/security/spring-security-core/4.2.11.RELEASE/spring-security-core-4.2.11.RELEASE.jar,spring-security-core,"The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt",8486030d416338326f8f67be5438159c,94833c81d0df9a66bf6dd27baf17b73d6ac85d73,pkg:maven/org.springframework.security/spring-security-core@4.2.11.RELEASE,cpe:2.3:a:pivotal_software:spring_security:4.2.11.release:*:*:*:*:*:*:*,CVE-2019-3795,Insufficient Entropy in PRNG,"Spring Security versions 4.2.x prior to 4.2.12, 5.0.x prior to 5.0.12, and 5.1.x prior to 5.1.5 contain an insecure randomness vulnerability when using SecureRandomFactoryBean#setSeed to configure a SecureRandom instance. In order to be impacted, an honest application must provide a seed and make the resulting random material available to an attacker for inspection.",NVD,MEDIUM,5.0,/AV:N/AC:L/Au:N/C:P/I:P/A:N,MEDIUM,5.3,/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N,HIGH,37
Sistema,"Fri, 12 Jul 2019 17:04:19 -0300",myfaces-impl-1.2.12.jar,/home/user/.m2/repository/org/apache/myfaces/core/myfaces-impl/1.2.12/myfaces-impl-1.2.12.jar,The private implementation classes of the Apache MyFaces Core JSF/1.2 Implementation,http://www.apache.org/licenses/LICENSE-2.0.txt,ee715229830f0c011456df235eb3713b,43d3fcfe8350e987d61bbae4560bd4598414c2b7,pkg:maven/org.apache.myfaces.core/myfaces-impl@1.2.12,cpe:2.3:a:apache:myfaces:1.2.12:*:*:*:*:*:*:*,CVE-2016-5019,null,"CoreResponseStateManager in Apache MyFaces Trinidad 1.0.0 through 1.0.13, 1.2.x before 1.2.15, 2.0.x before 2.0.2, and 2.1.x before 2.1.2 might allow attackers to conduct deserialization attacks via a crafted serialized view state string.",OSSINDEX,"","","",CRITICAL,9.8,/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H,HIGH,37
Sistema,"Fri, 12 Jul 2019 17:04:19 -0300",batik-awt-util-1.6-1.jar,/home/user/.m2/repository/batik/batik-awt-util/1.6-1/batik-awt-util-1.6-1.jar,Batik AWT Utilities,"",04013947d519c13fd4d82355cb496552,590750cc8d6a1ba0189b437172b6444578d79c99,pkg:maven/batik/batik-awt-util@1.6-1,cpe:2.3:a:apache:batik:1.6.1:*:*:*:*:*:*:*,CVE-2015-0250,null,"XML external entity (XXE) vulnerability in the SVG to (1) PNG and (2) JPG conversion classes in Apache Batik 1.x before 1.8 allows remote attackers to read arbitrary files or cause a denial of service via a crafted SVG file. <a href=""http://cwe.mitre.org/data/definitions/611.html"">CWE-611: Improper Restriction of XML External Entity Reference ('XXE')</a>",NVD,MEDIUM,6.4,/AV:N/AC:L/Au:N/C:P/I:P/A:P,"","","",HIGH,19
Sistema,"Fri, 12 Jul 2019 17:04:19 -0300",batik-awt-util-1.6-1.jar,/home/user/.m2/repository/batik/batik-awt-util/1.6-1/batik-awt-util-1.6-1.jar,Batik AWT Utilities,"",04013947d519c13fd4d82355cb496552,590750cc8d6a1ba0189b437172b6444578d79c99,pkg:maven/batik/batik-awt-util@1.6-1,cpe:2.3:a:apache:batik:1.6.1:*:*:*:*:*:*:*,CVE-2017-5662,Improper Restriction of XML External Entity Reference ('XXE'),"In Apache Batik before 1.9, files lying on the filesystem of the server which uses batik can be revealed to arbitrary users who send maliciously formed SVG files. The file types that can be shown depend on the user context in which the exploitable application is running. If the user is root a full compromise of the server - including confidential or sensitive files - would be possible. XXE can also be used to attack the availability of the server via denial of service as the references within a xml document can trivially trigger an amplification attack.",NVD,HIGH,7.9,/AV:N/AC:M/Au:S/C:C/I:C/A:C,HIGH,7.3,/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:H,HIGH,19
Sistema,"Fri, 12 Jul 2019 17:04:19 -0300",batik-awt-util-1.6-1.jar,/home/user/.m2/repository/batik/batik-awt-util/1.6-1/batik-awt-util-1.6-1.jar,Batik AWT Utilities,"",04013947d519c13fd4d82355cb496552,590750cc8d6a1ba0189b437172b6444578d79c99,pkg:maven/batik/batik-awt-util@1.6-1,cpe:2.3:a:apache:batik:1.6.1:*:*:*:*:*:*:*,CVE-2018-8013,Deserialization of Untrusted Data,"In Apache Batik 1.x before 1.10, when deserializing subclass of `AbstractDocument`, the class takes a string from the inputStream as the class name which then use it to call the no-arg constructor of the class. Fix was to check the class type before calling newInstance in deserialization.",NVD,HIGH,7.5,/AV:N/AC:L/Au:N/C:P/I:P/A:P,CRITICAL,9.8,/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H,HIGH,19
Sistema,"Fri, 12 Jul 2019 17:04:19 -0300",batik-util-1.6-1.jar,/home/user/.m2/repository/batik/batik-util/1.6-1/batik-util-1.6-1.jar,Batik Utilities,"",4a137ce0ce2f8eb24823b55ebb26cb24,7bea0185bb630bca235ffa904b1a03e8a4786a45,pkg:maven/batik/batik-util@1.6-1,cpe:2.3:a:apache:batik:1.6.1:*:*:*:*:*:*:*,CVE-2015-0250,null,"XML external entity (XXE) vulnerability in the SVG to (1) PNG and (2) JPG conversion classes in Apache Batik 1.x before 1.8 allows remote attackers to read arbitrary files or cause a denial of service via a crafted SVG file. <a href=""http://cwe.mitre.org/data/definitions/611.html"">CWE-611: Improper Restriction of XML External Entity Reference ('XXE')</a>",NVD,MEDIUM,6.4,/AV:N/AC:L/Au:N/C:P/I:P/A:P,"","","",HIGH,18
Sistema,"Fri, 12 Jul 2019 17:04:19 -0300",batik-util-1.6-1.jar,/home/user/.m2/repository/batik/batik-util/1.6-1/batik-util-1.6-1.jar,Batik Utilities,"",4a137ce0ce2f8eb24823b55ebb26cb24,7bea0185bb630bca235ffa904b1a03e8a4786a45,pkg:maven/batik/batik-util@1.6-1,cpe:2.3:a:apache:batik:1.6.1:*:*:*:*:*:*:*,CVE-2017-5662,Improper Restriction of XML External Entity Reference ('XXE'),"In Apache Batik before 1.9, files lying on the filesystem of the server which uses batik can be revealed to arbitrary users who send maliciously formed SVG files. The file types that can be shown depend on the user context in which the exploitable application is running. If the user is root a full compromise of the server - including confidential or sensitive files - would be possible. XXE can also be used to attack the availability of the server via denial of service as the references within a xml document can trivially trigger an amplification attack.",NVD,HIGH,7.9,/AV:N/AC:M/Au:S/C:C/I:C/A:C,HIGH,7.3,/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:H,HIGH,18
Sistema,"Fri, 12 Jul 2019 17:04:19 -0300",batik-util-1.6-1.jar,/home/user/.m2/repository/batik/batik-util/1.6-1/batik-util-1.6-1.jar,Batik Utilities,"",4a137ce0ce2f8eb24823b55ebb26cb24,7bea0185bb630bca235ffa904b1a03e8a4786a45,pkg:maven/batik/batik-util@1.6-1,cpe:2.3:a:apache:batik:1.6.1:*:*:*:*:*:*:*,CVE-2018-8013,Deserialization of Untrusted Data,"In Apache Batik 1.x before 1.10, when deserializing subclass of `AbstractDocument`, the class takes a string from the inputStream as the class name which then use it to call the no-arg constructor of the class. Fix was to check the class type before calling newInstance in deserialization.",NVD,HIGH,7.5,/AV:N/AC:L/Au:N/C:P/I:P/A:P,CRITICAL,9.8,/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H,HIGH,18
Sistema,"Fri, 12 Jul 2019 17:04:19 -0300",batik-gui-util-1.6-1.jar,/home/user/.m2/repository/batik/batik-gui-util/1.6-1/batik-gui-util-1.6-1.jar,Batik GUI Utilities,"",ae269162b7ba35074694eeef6455c5d5,4891720f542bac354d72f259ec930cab7329d1f8,pkg:maven/batik/batik-gui-util@1.6-1,cpe:2.3:a:apache:batik:1.6.1:*:*:*:*:*:*:*,CVE-2015-0250,null,"XML external entity (XXE) vulnerability in the SVG to (1) PNG and (2) JPG conversion classes in Apache Batik 1.x before 1.8 allows remote attackers to read arbitrary files or cause a denial of service via a crafted SVG file. <a href=""http://cwe.mitre.org/data/definitions/611.html"">CWE-611: Improper Restriction of XML External Entity Reference ('XXE')</a>",NVD,MEDIUM,6.4,/AV:N/AC:L/Au:N/C:P/I:P/A:P,"","","",HIGH,21
Sistema,"Fri, 12 Jul 2019 17:04:19 -0300",batik-gui-util-1.6-1.jar,/home/user/.m2/repository/batik/batik-gui-util/1.6-1/batik-gui-util-1.6-1.jar,Batik GUI Utilities,"",ae269162b7ba35074694eeef6455c5d5,4891720f542bac354d72f259ec930cab7329d1f8,pkg:maven/batik/batik-gui-util@1.6-1,cpe:2.3:a:apache:batik:1.6.1:*:*:*:*:*:*:*,CVE-2017-5662,Improper Restriction of XML External Entity Reference ('XXE'),"In Apache Batik before 1.9, files lying on the filesystem of the server which uses batik can be revealed to arbitrary users who send maliciously formed SVG files. The file types that can be shown depend on the user context in which the exploitable application is running. If the user is root a full compromise of the server - including confidential or sensitive files - would be possible. XXE can also be used to attack the availability of the server via denial of service as the references within a xml document can trivially trigger an amplification attack.",NVD,HIGH,7.9,/AV:N/AC:M/Au:S/C:C/I:C/A:C,HIGH,7.3,/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:H,HIGH,21
Sistema,"Fri, 12 Jul 2019 17:04:19 -0300",batik-gui-util-1.6-1.jar,/home/user/.m2/repository/batik/batik-gui-util/1.6-1/batik-gui-util-1.6-1.jar,Batik GUI Utilities,"",ae269162b7ba35074694eeef6455c5d5,4891720f542bac354d72f259ec930cab7329d1f8,pkg:maven/batik/batik-gui-util@1.6-1,cpe:2.3:a:apache:batik:1.6.1:*:*:*:*:*:*:*,CVE-2018-8013,Deserialization of Untrusted Data,"In Apache Batik 1.x before 1.10, when deserializing subclass of `AbstractDocument`, the class takes a string from the inputStream as the class name which then use it to call the no-arg constructor of the class. Fix was to check the class type before calling newInstance in deserialization.",NVD,HIGH,7.5,/AV:N/AC:L/Au:N/C:P/I:P/A:P,CRITICAL,9.8,/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H,HIGH,21
Sistema,"Fri, 12 Jul 2019 17:04:19 -0300",spring-security-oauth2-2.3.5.RELEASE.jar,/home/user/.m2/repository/org/springframework/security/oauth/spring-security-oauth2/2.3.5.RELEASE/spring-security-oauth2-2.3.5.RELEASE.jar,Module for providing OAuth2 support to Spring Security,"",9f05200993c401cb5d8366a5558d9fbb,7969f5363398d6d3788bef1740b2ab9509043d51,pkg:maven/org.springframework.security.oauth/spring-security-oauth2@2.3.5.RELEASE,cpe:2.3:a:pivotal:spring_security_oauth:2.3.5.release:*:*:*:*:*:*:*,CVE-2019-11269,null,"Spring Security OAuth versions 2.3 prior to 2.3.6, 2.2 prior to 2.2.5, 2.1 prior to 2.1.5, and 2.0 prior to 2.0.18, as well as older unsupported versions could be susceptible to an open redirector attack that can leak an authorization code. A malicious user or attacker can craft a request to the authorization endpoint using the authorization code grant type, and specify a manipulated redirection URI via the redirect_uri parameter. This can cause the authorization server to redirect the resource owner user-agent to a URI under the control of the attacker with the leaked authorization code.",OSSINDEX,"","","",MEDIUM,5.4,/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N,HIGH,28
Sistema,"Fri, 12 Jul 2019 17:04:19 -0300",opensaml-2.6.4.jar,/home/user/.m2/repository/org/opensaml/opensaml/2.6.4/opensaml-2.6.4.jar,The OpenSAML-J library provides tools to support developers working with the Security Assertion Markup Language (SAML).,Apache 2: http://www.apache.org/licenses/LICENSE-2.0.txt,70e20154abc9a94e230b5679e3603e5a,de2c742b770bd58328fd05ebd9d9efc85f79d88c,pkg:maven/org.opensaml/opensaml@2.6.4,cpe:2.3:a:shibboleth:opensaml:2.6.4:*:*:*:*:*:*:*,CVE-2015-1796,null,"The PKIX trust engines in Shibboleth Identity Provider before 2.4.4 and OpenSAML Java (OpenSAML-J) before 2.6.5 trust candidate X.509 credentials when no trusted names are available for the entityID, which allows remote attackers to impersonate an entity via a certificate issued by a shibmd:KeyAuthority trust anchor.",OSSINDEX,MEDIUM,4.3,/AV:N/AC:M/Au:N/C:N/I:P/A:N,"","","",HIGH,43
Sistema,"Fri, 12 Jul 2019 17:04:19 -0300",openws-1.5.5.jar,/home/user/.m2/repository/org/opensaml/openws/1.5.5/openws-1.5.5.jar,"The OpenWS library provides a growing set of tools to work with web services at a low level. These tools include classes for creating and reading SOAP messages, transport-independent clients for connecting to web services, and various transports for use with those clients.","",547c0863915e05f700f1cbf6a828b2b5,c1ff4e462c98514bc1ee75df8f6baf6337c83c0c,pkg:maven/org.opensaml/openws@1.5.5,cpe:2.3:a:shibboleth:opensaml:1.5.5:*:*:*:*:*:*:*,CVE-2013-6440,Information Exposure,"The (1) BasicParserPool, (2) StaticBasicParserPool, (3) XML Decrypter, and (4) SAML Decrypter in Shibboleth OpenSAML-Java before 2.6.1 set the expandEntityReferences property to true, which allows remote attackers to conduct XML external entity (XXE) attacks via a crafted XML DOCTYPE declaration.",NVD,MEDIUM,5.0,/AV:N/AC:L/Au:N/C:P/I:P/A:N,"","","",HIGH,34
Sistema,"Fri, 12 Jul 2019 17:04:19 -0300",openws-1.5.5.jar,/home/user/.m2/repository/org/opensaml/openws/1.5.5/openws-1.5.5.jar,"The OpenWS library provides a growing set of tools to work with web services at a low level. These tools include classes for creating and reading SOAP messages, transport-independent clients for connecting to web services, and various transports for use with those clients.","",547c0863915e05f700f1cbf6a828b2b5,c1ff4e462c98514bc1ee75df8f6baf6337c83c0c,pkg:maven/org.opensaml/openws@1.5.5,cpe:2.3:a:shibboleth:opensaml:1.5.5:*:*:*:*:*:*:*,CVE-2017-16853,Improper Verification of Cryptographic Signature,"The DynamicMetadataProvider class in saml/saml2/metadata/impl/DynamicMetadataProvider.cpp in OpenSAML-C in OpenSAML before 2.6.1 fails to properly configure itself with the MetadataFilter plugins and does not perform critical security checks such as signature verification, enforcement of validity periods, and other checks specific to deployments, aka CPPOST-105.",NVD,MEDIUM,6.8,/AV:N/AC:M/Au:N/C:P/I:P/A:P,HIGH,8.1,/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H,HIGH,34
Sistema,"Fri, 12 Jul 2019 17:04:19 -0300",bsh-core-2.0b4.jar,/home/user/.m2/repository/org/beanshell/bsh-core/2.0b4/bsh-core-2.0b4.jar,BeanShell core,"",bab431f0908fde87034f0c34c6cf1e30,495e25a99e29970ffe8ba0b1d551e1d1a9991fc1,pkg:maven/org.beanshell/bsh-core@2.0b4,cpe:2.3:a:beanshell:beanshell:2.0.b4:*:*:*:*:*:*:*,CVE-2016-2510,null,"BeanShell (bsh) before 2.0b6, when included on the classpath by an application that uses Java serialization or XStream, allows remote attackers to execute arbitrary code via crafted serialized data, related to XThis.Handler.",OSSINDEX,"","","",HIGH,8.1,/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H,HIGH,21
Sistema,"Fri, 12 Jul 2019 17:04:19 -0300",batik-css-1.8.jar,/home/user/.m2/repository/org/apache/xmlgraphics/batik-css/1.8/batik-css-1.8.jar,"","The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt",958c61e42f99ef67d3c91dcb57defc4d,2b3f22cc65702a0821b7f0178d055282a1cdde59,pkg:maven/org.apache.xmlgraphics/batik-css@1.8,cpe:2.3:a:apache:batik:1.8:*:*:*:*:*:*:*,CVE-2017-5662,Improper Restriction of XML External Entity Reference ('XXE'),"In Apache Batik before 1.9, files lying on the filesystem of the server which uses batik can be revealed to arbitrary users who send maliciously formed SVG files. The file types that can be shown depend on the user context in which the exploitable application is running. If the user is root a full compromise of the server - including confidential or sensitive files - would be possible. XXE can also be used to attack the availability of the server via denial of service as the references within a xml document can trivially trigger an amplification attack.",NVD,HIGH,7.9,/AV:N/AC:M/Au:S/C:C/I:C/A:C,HIGH,7.3,/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:H,HIGH,28
Sistema,"Fri, 12 Jul 2019 17:04:19 -0300",batik-css-1.8.jar,/home/user/.m2/repository/org/apache/xmlgraphics/batik-css/1.8/batik-css-1.8.jar,"","The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt",958c61e42f99ef67d3c91dcb57defc4d,2b3f22cc65702a0821b7f0178d055282a1cdde59,pkg:maven/org.apache.xmlgraphics/batik-css@1.8,cpe:2.3:a:apache:batik:1.8:*:*:*:*:*:*:*,CVE-2018-8013,Deserialization of Untrusted Data,"In Apache Batik 1.x before 1.10, when deserializing subclass of `AbstractDocument`, the class takes a string from the inputStream as the class name which then use it to call the no-arg constructor of the class. Fix was to check the class type before calling newInstance in deserialization.",NVD,HIGH,7.5,/AV:N/AC:L/Au:N/C:P/I:P/A:P,CRITICAL,9.8,/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H,HIGH,28
Sistema,"Fri, 12 Jul 2019 17:04:19 -0300",antisamy-1.5.7.jar,/home/user/.m2/repository/org/owasp/antisamy/antisamy/1.5.7/antisamy-1.5.7.jar,"A library for performing fast, configurable cleansing of HTML coming from untrusted sources.",BSD 3: https://opensource.org/licenses/BSD-3-Clause,a9bb347374e4cff55b022a66960bdd48,6fbfe2c8e95d21a99cfd2acc242fd47ea8458e1b,pkg:maven/org.owasp.antisamy/antisamy@1.5.7,cpe:2.3:a:antisamy_project:antisamy:1.5.7:*:*:*:*:*:*:*,CVE-2018-1000643,null,** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none.,OSSINDEX,"","","",MEDIUM,6.1,/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N,HIGH,22
Sistema,"Fri, 12 Jul 2019 17:04:19 -0300",axis2-1.6.1.jar,/home/user/.m2/repository/org/apache/axis2/axis2/1.6.1/axis2-1.6.1.jar,"","",9e961c7e7eb82e3344ebf1ecaa62b119,b784cfe5801fd0cd1e80b7ceea015d58f0e5b672,pkg:maven/org.apache.axis2/axis2@1.6.1,cpe:2.3:a:apache:axis2:1.6.1:*:*:*:*:*:*:*,CVE-2012-5785,Improper Input Validation,"Apache Axis2/Java 1.6.2 and earlier does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.",NVD,MEDIUM,5.8,/AV:N/AC:M/Au:N/C:P/I:P/A:N,"","","",HIGH,25
Sistema,"Fri, 12 Jul 2019 17:04:19 -0300",ajax4jsf-1.0.6.jar: prototype.js,/home/user/.m2/repository/net/java/dev/ajax4jsf/ajax4jsf/1.0.6/ajax4jsf-1.0.6.jar/org/ajax4jsf/framework/resource/scripts/prototype.js,"","",e7f9458f7c403710b89db949fbc8f77e,c6fd52308aea39c9bdfb4bcfe72936948f4b01c5,pkg:javascript/prototypejs@1.4.0,"",CVE-2008-7220,null,"Unspecified vulnerability in Prototype JavaScript framework (prototypejs) before 1.6.0.2 allows attackers to make ""cross-site ajax requests"" via unknown vectors.",NVD,HIGH,7.5,/AV:N/AC:L/Au:N/C:P/I:P/A:P,"","","",HIGHEST,3
Sistema,"Fri, 12 Jul 2019 17:04:19 -0300",emp-commons-crypto-1.0.0-dist.zip: jasypt-1.7.1-lite.jar,/home/user/.m2/repository/com/emp/tec/emp-commons-crypto/1.0.0/emp-commons-crypto-1.0.0-dist.zip/emp-commons-crypto-1.0.0/jasypt-1.7.1-lite.jar,"","",96905377ac710128c85b400c70dbb623,5ba7ec76161973e707abec118abafbb571c44635,"",cpe:2.3:a:jasypt_project:jasypt:1.7.1:*:*:*:*:*:*:*,CVE-2014-9970,Information Exposure,jasypt before 1.9.2 allows a timing attack against the password hash comparison.,NVD,MEDIUM,5.0,/AV:N/AC:L/Au:N/C:P/I:P/A:N,HIGH,7.5,/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N,"",5
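The rows above are the raw CSV output of OWASP Dependency-Check, and reading them by hand hides three things a practitioner wants first: the worst score per jar (CVSSv3 where present, CVSSv2 where only that exists), the IDs that are reported against several jars of the same upstream (the Batik CVEs here, which one upgrade fixes), and entries that should not be counted at all (the rejected CVE-2018-1000643 row, and OSS Index findings such as the BREACH note that carry no score). The script below is an added example, not part of this gist; it uses the report's own column names and a handful of constructed sample rows that abbreviate findings from this report (descriptions shortened, hash and path fields replaced by placeholders).

```python
import csv
import io
from collections import defaultdict

# Header row of an OWASP Dependency-Check CSV report (same columns as the scan above).
HEADER = ("Project,ScanDate,DependencyName,DependencyPath,Description,License,"
          "Md5,Sha1,Identifiers,CPE,CVE,CWE,Vulnerability,Source,"
          "CVSSv2_Severity,CVSSv2_Score,CVSSv2,CVSSv3_BaseSeverity,"
          "CVSSv3_BaseScore,CVSSv3,CPE Confidence,Evidence Count")

# Constructed sample rows for this example: abbreviated versions of findings in the
# report, with hashes and paths replaced by placeholders. Note the quoted ScanDate
# (it contains commas), the empty CVSSv3 columns on the CVE-2015-0250 row, the
# rejected CVE on the antisamy row and the score-less OSS Index row for Spring.
SAMPLE_REPORT = HEADER + "\n" + "\n".join([
    'Sistema,"Fri, 12 Jul 2019 17:04:19 -0300",batik-util-1.6-1.jar,/home/user/.m2/batik-util-1.6-1.jar,Batik Utilities,"",md5,sha1,pkg:maven/batik/batik-util@1.6-1,cpe:2.3:a:apache:batik:1.6.1:*:*:*:*:*:*:*,CVE-2018-8013,Deserialization of Untrusted Data,"Apache Batik 1.x before 1.10 deserialization issue.",NVD,HIGH,7.5,/AV:N/AC:L/Au:N/C:P/I:P/A:P,CRITICAL,9.8,/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H,HIGH,18',
    'Sistema,"Fri, 12 Jul 2019 17:04:19 -0300",batik-util-1.6-1.jar,/home/user/.m2/batik-util-1.6-1.jar,Batik Utilities,"",md5,sha1,pkg:maven/batik/batik-util@1.6-1,cpe:2.3:a:apache:batik:1.6.1:*:*:*:*:*:*:*,CVE-2015-0250,null,"XXE in the SVG conversion classes of Apache Batik 1.x before 1.8.",NVD,MEDIUM,6.4,/AV:N/AC:L/Au:N/C:P/I:P/A:P,"","","",HIGH,18',
    'Sistema,"Fri, 12 Jul 2019 17:04:19 -0300",batik-awt-util-1.6-1.jar,/home/user/.m2/batik-awt-util-1.6-1.jar,Batik AWT Utilities,"",md5,sha1,pkg:maven/batik/batik-awt-util@1.6-1,cpe:2.3:a:apache:batik:1.6.1:*:*:*:*:*:*:*,CVE-2018-8013,Deserialization of Untrusted Data,"Apache Batik 1.x before 1.10 deserialization issue.",NVD,HIGH,7.5,/AV:N/AC:L/Au:N/C:P/I:P/A:P,CRITICAL,9.8,/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H,HIGH,19',
    'Sistema,"Fri, 12 Jul 2019 17:04:19 -0300",antisamy-1.5.7.jar,/home/user/.m2/antisamy-1.5.7.jar,AntiSamy,BSD 3,md5,sha1,pkg:maven/org.owasp.antisamy/antisamy@1.5.7,cpe:2.3:a:antisamy_project:antisamy:1.5.7:*:*:*:*:*:*:*,CVE-2018-1000643,null,** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA.,OSSINDEX,"","","",MEDIUM,6.1,/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N,HIGH,22',
    'Sistema,"Fri, 12 Jul 2019 17:04:19 -0300",spring-security-core-4.2.11.RELEASE.jar,/home/user/.m2/spring-security-core-4.2.11.RELEASE.jar,spring-security-core,Apache 2.0,md5,sha1,pkg:maven/org.springframework.security/spring-security-core@4.2.11.RELEASE,cpe:2.3:a:pivotal_software:spring_security:4.2.11.release:*:*:*:*:*:*:*,BREACH attack possible in CSRF tokens,null,"> The CSRF tokens generated by Spring are vulnerable to a BREACH attack.",OSSINDEX,"","","","","","",HIGH,37',
    'Sistema,"Fri, 12 Jul 2019 17:04:19 -0300",jackson-databind-2.9.8.jar,/home/user/.m2/jackson-databind-2.9.8.jar,General data-binding functionality for Jackson,Apache 2.0,md5,sha1,pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.8,cpe:2.3:a:fasterxml:jackson-databind:2.9.8:*:*:*:*:*:*:*,CVE-2019-12384,Deserialization of Untrusted Data,"jackson-databind 2.x before 2.9.9 fails to block logback-core from polymorphic deserialization.",NVD,MEDIUM,4.3,/AV:N/AC:M/Au:N/C:P/I:P/A:N,MEDIUM,5.9,/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N,HIGH,41',
])


def parse_report(text):
    """Parse a Dependency-Check CSV report into dicts keyed by the header names."""
    return list(csv.DictReader(io.StringIO(text)))


def is_rejected(row):
    """NVD prefixes withdrawn CVE IDs with '** REJECT **'; those rows are noise, not findings."""
    return row["Vulnerability"].lstrip().startswith("** REJECT **")


def effective_score(row):
    """(score, cvss_version): CVSSv3 base score when present, else CVSSv2, else None."""
    for column, version in (("CVSSv3_BaseScore", 3), ("CVSSv2_Score", 2)):
        value = row[column].strip()
        if value:
            return float(value), version
    return None


def summarize(rows):
    """Worst effective score and sorted finding IDs per jar, rejected IDs dropped,
    ordered worst first (score 0.0 means every finding on that jar is unscored)."""
    worst, findings = {}, defaultdict(list)
    for row in rows:
        if is_rejected(row):
            continue
        dep = row["DependencyName"]
        findings[dep].append(row["CVE"])
        scored = effective_score(row)
        worst[dep] = max(worst.get(dep, 0.0), scored[0] if scored else 0.0)
    return sorted(((dep, worst[dep], sorted(findings[dep])) for dep in findings),
                  key=lambda item: (-item[1], item[0]))


def rejected(rows):
    """(jar, id) pairs whose advisory text marks the ID as withdrawn."""
    return sorted((row["DependencyName"], row["CVE"]) for row in rows if is_rejected(row))


def shared_findings(rows):
    """IDs reported against more than one jar; typically one upstream upgrade closes them all."""
    by_id = defaultdict(set)
    for row in rows:
        if not is_rejected(row):
            by_id[row["CVE"]].add(row["DependencyName"])
    return {vuln_id: sorted(deps) for vuln_id, deps in by_id.items() if len(deps) > 1}


def unscored(rows):
    """Live findings with neither CVSSv2 nor CVSSv3 score; these need a manual rating."""
    return sorted((row["DependencyName"], row["CVE"]) for row in rows
                  if not is_rejected(row) and effective_score(row) is None)


if __name__ == "__main__":
    report = parse_report(SAMPLE_REPORT)
    for dep, score, ids in summarize(report):
        print(f"{score:4.1f}  {dep}  {', '.join(ids)}")
    print("rejected:", rejected(report))
    print("shared:", shared_findings(report))
    print("unscored:", unscored(report))
```

To run it against the real report, replace `SAMPLE_REPORT` with the file contents (`open("dependency-check-report.csv", encoding="utf-8").read()`); the column names are the ones Dependency-Check writes, so no remapping is needed. The CVSSv2 fallback matters for rows like CVE-2015-0250 and CVE-2012-5785, which carry no v3 score and would otherwise sort as harmless.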