Dependency-Check is an open source tool performing a best effort analysis of 3rd party dependencies; false positives and false negatives may exist in the analysis performed by the tool. Use of the tool and the reporting provided constitutes acceptance for use in an AS IS condition, and there are NO warranties, implied or otherwise, with regard to the analysis or its use. Any use of the tool and the reporting provided is at the user’s risk. In no event shall the copyright holder or OWASP be held liable for any damages whatsoever arising out of or in connection with the use of this tool, the analysis performed, or the resulting report.


Project: spring-i18n-support-pom

com.namics.oss.spring.support.i18n:spring-i18n-support-pom:1.1.2

Display: Showing Vulnerable Dependencies

Dependency | CPE | Coordinates | Highest Severity | CVE Count | CPE Confidence | Evidence Count
javax.inject-1.jar | | javax.inject:javax.inject:1 | | 0 | | 20
commons-lang-2.6.jar | | commons-lang:commons-lang:2.6 | | 0 | | 34
commons-collections-3.2.2.jar | cpe:/a:apache:commons_collections:3.2.2 | commons-collections:commons-collections:3.2.2 | | 0 | Low | 40
commons-fileupload-1.3.2.jar | cpe:/a:apache:commons_fileupload:1.3.2 | commons-fileupload:commons-fileupload:1.3.2 | High | 1 | Highest | 40
commons-io-2.5.jar | | commons-io:commons-io:2.5 | | 0 | | 40
commons-logging-1.2.jar | | commons-logging:commons-logging:1.2 | | 0 | | 36
spring-core-4.3.12.RELEASE.jar | cpe:/a:pivotal_software:spring_framework:4.3.12; cpe:/a:pivotal:spring_framework:4.3.12 | org.springframework:spring-core:4.3.12.RELEASE | High | 8 | Highest | 28
slf4j-api-1.7.21.jar | cpe:/a:slf4j:slf4j:1.7.21 | org.slf4j:slf4j-api:1.7.21 | | 0 | Low | 31
javax.servlet-api-3.1.0.jar | | javax.servlet:javax.servlet-api:3.1.0 | | 0 | | 36
jsp-api-2.2.jar | | javax.servlet.jsp:jsp-api:2.2 | | 0 | | 22
jstl-1.2.jar | | javax.servlet:jstl:1.2 | | 0 | | 19
jackson-core-2.8.10.jar | cpe:/a:fasterxml:jackson:2.8.10 | com.fasterxml.jackson.core:jackson-core:2.8.10 | | 0 | Low | 39
jackson-annotations-2.8.0.jar | cpe:/a:fasterxml:jackson:2.8.0 | com.fasterxml.jackson.core:jackson-annotations:2.8.0 | | 0 | Highest | 39
jackson-databind-2.8.10.jar | cpe:/a:fasterxml:jackson-databind:2.8.10; cpe:/a:fasterxml:jackson:2.8.10 | com.fasterxml.jackson.core:jackson-databind:2.8.10 | High | 3 | Highest | 39
commons-codec-1.10.jar | | commons-codec:commons-codec:1.10 | | 0 | | 38
commons-collections4-4.1.jar | cpe:/a:apache:commons_collections:4.1 | org.apache.commons:commons-collections4:4.1 | | 0 | Low | 39
poi-3.15.jar | cpe:/a:apache:poi:3.15 | org.apache.poi:poi:3.15 | | 0 | Low | 28
stax-api-1.0.1.jar | cpe:/a:st_project:st:1.0.1 | stax:stax-api:1.0.1 | Medium | 1 | Low | 22
xmlbeans-2.6.0.jar | | org.apache.xmlbeans:xmlbeans:2.6.0 | | 0 | | 24
curvesapi-1.04.jar | | com.github.virtuald:curvesapi:1.04 | | 0 | | 21
spring-boot-1.5.8.RELEASE.jar | cpe:/a:pivotal_software:spring_boot:1.5.8 | org.springframework.boot:spring-boot:1.5.8.RELEASE | High | 2 | Highest | 32
logback-core-1.1.11.jar | cpe:/a:logback:logback:1.1.11 | ch.qos.logback:logback-core:1.1.11 | | 0 | Low | 30
jcl-over-slf4j-1.7.25.jar | cpe:/a:slf4j:slf4j:1.7.25 | org.slf4j:jcl-over-slf4j:1.7.25 | | 0 | Low | 31
jul-to-slf4j-1.7.25.jar | cpe:/a:slf4j:slf4j:1.7.25 | org.slf4j:jul-to-slf4j:1.7.25 | | 0 | Low | 30
log4j-over-slf4j-1.7.25.jar | cpe:/a:slf4j:slf4j:1.7.25 | org.slf4j:log4j-over-slf4j:1.7.25 | | 0 | Low | 31
snakeyaml-1.17.jar | | org.yaml:snakeyaml:1.17 | | 0 | | 27
tomcat-annotations-api-8.5.23.jar | cpe:/a:apache_software_foundation:tomcat:8.5.23; cpe:/a:apache_tomcat:apache_tomcat:8.5.23; cpe:/a:apache:tomcat:8.5.23 | org.apache.tomcat:tomcat-annotations-api:8.5.23 | High | 10 | Highest | 19
tomcat-embed-core-8.5.23.jar | cpe:/a:apache_software_foundation:tomcat:8.5.23; cpe:/a:apache_tomcat:apache_tomcat:8.5.23; cpe:/a:apache:tomcat:8.5.23 | org.apache.tomcat.embed:tomcat-embed-core:8.5.23 | High | 7 | Highest | 21
tomcat-embed-el-8.5.23.jar | cpe:/a:apache_software_foundation:tomcat:8.5.23 | org.apache.tomcat.embed:tomcat-embed-el:8.5.23 | | 0 | Low | 21
validation-api-1.1.0.Final.jar | | javax.validation:validation-api:1.1.0.Final | | 0 | | 22
jboss-logging-3.3.1.Final.jar | | org.jboss.logging:jboss-logging:3.3.1.Final | | 0 | | 42
classmate-1.3.4.jar | | com.fasterxml:classmate:1.3.4 | | 0 | | 45
hibernate-validator-5.3.5.Final.jar | cpe:/a:hibernate:hibernate_validator:5.3.5 | org.hibernate:hibernate-validator:5.3.5.Final | | 0 | Low | 34
ognl-3.0.8.jar | cpe:/a:ognl_project:ognl:3.0.8 | ognl:ognl:3.0.8 | Medium | 1 | Low | 22
javassist-3.21.0-GA.jar | | org.javassist:javassist:3.21.0-GA | | 0 | | 29
unbescape-1.1.0.RELEASE.jar | | org.unbescape:unbescape:1.1.0.RELEASE | | 0 | | 34
thymeleaf-2.1.5.RELEASE.jar | | org.thymeleaf:thymeleaf:2.1.5.RELEASE | | 0 | | 27
thymeleaf-spring4-2.1.5.RELEASE.jar | | org.thymeleaf:thymeleaf-spring4:2.1.5.RELEASE | | 0 | | 27
groovy-2.4.12.jar | cpe:/a:apache:groovy:2.4.12 | org.codehaus.groovy:groovy:2.4.12 | | 0 | Low | 36
thymeleaf-layout-dialect-1.4.0.jar | | nz.net.ultraq.thymeleaf:thymeleaf-layout-dialect:1.4.0 | | 0 | | 23
h2-1.4.192.jar | cpe:/a:h2database:h2:1.4.192 | com.h2database:h2:1.4.192 | | 0 | Low | 25
android-json-0.0.20131108.vaadin1.jar | cpe:/a:android:android_sdk:0.0.201311 | com.vaadin.external.google:android-json:0.0.20131108.vaadin1 | | 0 | Low | 26
spring-data-commons-1.13.8.RELEASE.jar | | org.springframework.data:spring-data-commons:1.13.8.RELEASE | | 0 | | 26
aspectjrt-1.8.11.jar | | org.aspectj:aspectjrt:1.8.11 | | 0 | | 21
spring-data-jpa-1.11.8.RELEASE.jar | | org.springframework.data:spring-data-jpa:1.11.8.RELEASE | | 0 | | 30
ehcache-core-2.6.11.jar | | net.sf.ehcache:ehcache-core:2.6.11 | | 0 | | 19
hibernate-jpa-2.1-api-1.0.0.Final.jar | | org.hibernate.javax.persistence:hibernate-jpa-2.1-api:1.0.0.Final | | 0 | | 24
antlr-2.7.7.jar | | antlr:antlr:2.7.7 | | 0 | | 18
jboss-transaction-api_1.2_spec-1.0.1.Final.jar | | org.jboss.spec.javax.transaction:jboss-transaction-api_1.2_spec:1.0.1.Final | | 0 | | 38
jandex-2.0.3.Final.jar | | org.jboss:jandex:2.0.3.Final | | 0 | | 38
dom4j-1.6.1.jar | cpe:/a:dom4j_project:dom4j:1.6.1 | dom4j:dom4j:1.6.1 | Medium | 1 | Highest | 31
hibernate-commons-annotations-5.0.1.Final.jar | | org.hibernate.common:hibernate-commons-annotations:5.0.1.Final | | 0 | | 30
hibernate-core-5.2.11.Final.jar | | org.hibernate:hibernate-core:5.2.11.Final | | 0 | | 37
ehcache-core-2.6.11.jar: sizeof-agent.jar | | net.sf.ehcache:sizeof-agent:1.0.1 | | 0 | | 26

Dependencies

javax.inject-1.jar

Description: The javax.inject API

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/travis/.m2/repository/javax/inject/javax.inject/1/javax.inject-1.jar
MD5: 289075e48b909e9e74e6c915b3631d2e
SHA1: 6975da39a7040257bd51d21a231b76c915872d38
Referenced In Projects/Scopes:
  • spring-i18n-support-starter:compile
  • spring-i18n-support:compile
  • spring-i18n-support-web:compile
  • spring-i18n-support-samples-xml:compile
  • spring-i18n-support-samples-starter:compile

Identifiers

commons-lang-2.6.jar

Description: Commons Lang, a package of Java utility classes for the classes that are in java.lang's hierarchy, or are considered to be so standard as to justify existence in java.lang.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/travis/.m2/repository/commons-lang/commons-lang/2.6/commons-lang-2.6.jar
MD5: 4d5c1693079575b362edf41500630bbd
SHA1: 0ce1edb914c94ebc388f086c6827e8bdeec71ac2
Referenced In Projects/Scopes:
  • spring-i18n-support-starter:compile
  • spring-i18n-support:compile
  • spring-i18n-support-web:compile
  • spring-i18n-support-samples-xml:compile
  • spring-i18n-support-samples-starter:compile

Identifiers

commons-collections-3.2.2.jar

Description: Types that extend and augment the Java Collections Framework.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/travis/.m2/repository/commons-collections/commons-collections/3.2.2/commons-collections-3.2.2.jar
MD5: f54a8510f834a1a57166970bfc982e94
SHA1: 8ad72fe39fa8c91eaaf12aadb21e0c3661fe26d5
Referenced In Projects/Scopes:
  • spring-i18n-support-starter:compile
  • spring-i18n-support:compile
  • spring-i18n-support-web:compile
  • spring-i18n-support-samples-xml:compile
  • spring-i18n-support-samples-starter:compile

Identifiers

commons-fileupload-1.3.2.jar

Description: The Apache Commons FileUpload component provides a simple yet flexible means of adding support for multipart file upload functionality to servlets and web applications.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/travis/.m2/repository/commons-fileupload/commons-fileupload/1.3.2/commons-fileupload-1.3.2.jar
MD5: f76891c36a08e87e3f806d3a83fcb4bc
SHA1: 5d7491ed6ebd02b6a8d2305f8e6b7fe5dbd95f72
Referenced In Projects/Scopes:
  • spring-i18n-support-starter:compile
  • spring-i18n-support:compile
  • spring-i18n-support-web:compile
  • spring-i18n-support-samples-xml:compile
  • spring-i18n-support-samples-starter:compile

Identifiers

commons-io-2.5.jar

Description: The Apache Commons IO library contains utility classes, stream implementations, file filters, file comparators, endian transformation classes, and much more.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/travis/.m2/repository/commons-io/commons-io/2.5/commons-io-2.5.jar
MD5: e2d74794fba570ec2115fb9d5b05dc9b
SHA1: 2852e6e05fbb95076fc091f6d1780f1f8fe35e0f
Referenced In Projects/Scopes:
  • spring-i18n-support-starter:compile
  • spring-i18n-support:compile
  • spring-i18n-support-web:compile
  • spring-i18n-support-samples-xml:compile
  • spring-i18n-support-samples-starter:compile

Identifiers

commons-logging-1.2.jar

Description: Apache Commons Logging is a thin adapter allowing configurable bridging to other, well known logging systems.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/travis/.m2/repository/commons-logging/commons-logging/1.2/commons-logging-1.2.jar
MD5: 040b4b4d8eac886f6b4a2a3bd2f31b00
SHA1: 4bfc12adfe4842bf07b657f0369c4cb522955686
Referenced In Projects/Scopes:
  • spring-i18n-support-starter:compile
  • spring-i18n-support:compile
  • spring-i18n-support-web:compile
  • spring-i18n-support-samples-xml:compile
  • spring-i18n-support-samples-starter:compile

Identifiers

spring-core-4.3.12.RELEASE.jar

Description: Spring Core

License:

Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0
File Path: /home/travis/.m2/repository/org/springframework/spring-core/4.3.12.RELEASE/spring-core-4.3.12.RELEASE.jar
MD5: 01ab7f742861c65f7339acba6333326c
SHA1: 4cebc69478c6d350dbd5af28e3db7d5694f416e3
Referenced In Projects/Scopes:
  • spring-i18n-support-starter:compile
  • spring-i18n-support:compile
  • spring-i18n-support-web:compile
  • spring-i18n-support-samples-xml:compile
  • spring-i18n-support-samples-starter:compile

Identifiers

CVE-2018-11039  

Severity: Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N)
CWE: CWE-20 Improper Input Validation

Spring Framework (versions 5.0.x prior to 5.0.7, versions 4.3.x prior to 4.3.18, and older unsupported versions) allow web applications to change the HTTP request method to any HTTP method (including TRACE) using the HiddenHttpMethodFilter in Spring MVC. If an application has a pre-existing XSS vulnerability, a malicious user (or attacker) can use this filter to escalate to an XST (Cross Site Tracing) attack.

Vulnerable Software & Versions:

CVE-2018-11040  

Severity: Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N)
CWE: CWE-254 Security Features

Spring Framework, versions 5.0.x prior to 5.0.7 and 4.3.x prior to 4.3.18 and older unsupported versions, allows web applications to enable cross-domain requests via JSONP (JSON with Padding) through AbstractJsonpResponseBodyAdvice for REST controllers and MappingJackson2JsonView for browser requests. Both are not enabled by default in Spring Framework nor Spring Boot, however, when MappingJackson2JsonView is configured in an application, JSONP support is automatically ready to use through the "jsonp" and "callback" JSONP parameters, enabling cross-domain requests.

Vulnerable Software & Versions:

CVE-2018-1199  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-20 Improper Input Validation

Spring Security (Spring Security 4.1.x before 4.1.5, 4.2.x before 4.2.4, and 5.0.x before 5.0.1; and Spring Framework 4.3.x before 4.3.14 and 5.0.x before 5.0.3) does not consider URL path parameters when processing security constraints. By adding a URL path parameter with special encodings, an attacker may be able to bypass a security constraint. The root cause of this issue is a lack of clarity regarding the handling of path parameters in the Servlet Specification. Some Servlet containers include path parameters in the value returned for getPathInfo() and some do not. Spring Security uses the value returned by getPathInfo() as part of the process of mapping requests to security constraints. In this particular attack, different character encodings used in path parameters allow secured Spring MVC static resource URLs to be bypassed.

Vulnerable Software & Versions:

CVE-2018-1257  

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:N/A:P)
CWE: CWE-20 Improper Input Validation

Spring Framework, versions 5.0.x prior to 5.0.6, versions 4.3.x prior to 4.3.17, and older unsupported versions allows applications to expose STOMP over WebSocket endpoints with a simple, in-memory STOMP broker through the spring-messaging module. A malicious user (or attacker) can craft a message to the broker that can lead to a regular expression denial of service attack.

Vulnerable Software & Versions:

CVE-2018-1270  

Severity: High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-358 Improperly Implemented Security Check for Standard

Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, allow applications to expose STOMP over WebSocket endpoints with a simple, in-memory STOMP broker through the spring-messaging module. A malicious user (or attacker) can craft a message to the broker that can lead to a remote code execution attack.

Vulnerable Software & Versions:

CVE-2018-1271  

Severity: Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N)
CWE: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, allow applications to configure Spring MVC to serve static resources (e.g. CSS, JS, images). When static resources are served from a file system on Windows (as opposed to the classpath, or the ServletContext), a malicious user can send a request using a specially crafted URL that can lead to a directory traversal attack.

Vulnerable Software & Versions:

CVE-2018-1272  

Severity: Medium
CVSS Score: 6.0 (AV:N/AC:M/Au:S/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls

Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, provide client-side support for multipart requests. When a Spring MVC or Spring WebFlux server application (server A) receives input from a remote client, and then uses that input to make a multipart request to another server (server B), it can be exposed to an attack, where an extra multipart is inserted in the content of the request from server A, causing server B to use the wrong value for a part it expects. This could lead to privilege escalation, for example, if the part content represents a username or user roles.

Vulnerable Software & Versions:

CVE-2018-1275  

Severity: High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-358 Improperly Implemented Security Check for Standard

Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.16 and older unsupported versions, allow applications to expose STOMP over WebSocket endpoints with a simple, in-memory STOMP broker through the spring-messaging module. A malicious user (or attacker) can craft a message to the broker that can lead to a remote code execution attack. This CVE addresses the partial fix for CVE-2018-1270 in the 4.3.x branch of the Spring Framework.

Vulnerable Software & Versions:

slf4j-api-1.7.21.jar

Description: The slf4j API

File Path: /home/travis/.m2/repository/org/slf4j/slf4j-api/1.7.21/slf4j-api-1.7.21.jar
MD5: c9be56284a92dcb2576679282eff80bf
SHA1: 139535a69a4239db087de9bab0bee568bf8e0b70
Referenced In Projects/Scopes:
  • spring-i18n-support-starter:compile
  • spring-i18n-support:compile
  • spring-i18n-support-web:compile
  • spring-i18n-support-samples-xml:compile
  • spring-i18n-support-samples-starter:compile

Identifiers

javax.servlet-api-3.1.0.jar

Description: Java(TM) Servlet 3.1 API Design Specification

License:

CDDL + GPLv2 with classpath exception: https://glassfish.dev.java.net/nonav/public/CDDL+GPL.html
File Path: /home/travis/.m2/repository/javax/servlet/javax.servlet-api/3.1.0/javax.servlet-api-3.1.0.jar
MD5: 79de69e9f5ed8c7fcb8342585732bbf7
SHA1: 3cd63d075497751784b2fa84be59432f4905bf7c
Referenced In Project/Scope: spring-i18n-support-web:provided

Identifiers

jsp-api-2.2.jar

File Path: /home/travis/.m2/repository/javax/servlet/jsp/jsp-api/2.2/jsp-api-2.2.jar
MD5: dd575c153ec55c650d2a66aefc5ba9d3
SHA1: 5bf0c26ef77df58c7c28be2d9d52246f2b437a54
Referenced In Project/Scope: spring-i18n-support-web:provided

Identifiers

jstl-1.2.jar

File Path: /home/travis/.m2/repository/javax/servlet/jstl/1.2/jstl-1.2.jar
MD5: 51e15f798e69358cb893e38c50596b9b
SHA1: 74aca283cd4f4b4f3e425f5820cda58f44409547
Referenced In Projects/Scopes:
  • spring-i18n-support-starter:compile
  • spring-i18n-support-web:compile
  • spring-i18n-support-samples-xml:compile
  • spring-i18n-support-samples-starter:compile

Identifiers

jackson-core-2.8.10.jar

Description: Core Jackson abstractions, basic JSON streaming API implementation

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/travis/.m2/repository/com/fasterxml/jackson/core/jackson-core/2.8.10/jackson-core-2.8.10.jar
MD5: de528504165730b13b66f461a85b341e
SHA1: eb21a035c66ad307e66ec8fce37f5d50fd62d039
Referenced In Projects/Scopes:
  • spring-i18n-support-starter:compile
  • spring-i18n-support-web:compile
  • spring-i18n-support-samples-xml:compile
  • spring-i18n-support-samples-starter:compile

Identifiers

jackson-annotations-2.8.0.jar

Description: Core annotations used for value types, used by Jackson data binding package.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/travis/.m2/repository/com/fasterxml/jackson/core/jackson-annotations/2.8.0/jackson-annotations-2.8.0.jar
MD5: 288e6537849f0c63e76409b515c4fbe4
SHA1: 45b426f7796b741035581a176744d91090e2e6fb
Referenced In Projects/Scopes:
  • spring-i18n-support-starter:compile
  • spring-i18n-support-web:compile
  • spring-i18n-support-samples-xml:compile
  • spring-i18n-support-samples-starter:compile

Identifiers

jackson-databind-2.8.10.jar

Description: General data-binding functionality for Jackson: works on core streaming API

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/travis/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.8.10/jackson-databind-2.8.10.jar
MD5: a3562f755da926bdae53d13c4f7687e9
SHA1: f7b83cb2bc4b88d53961e749e1ad32f49ef017b7
Referenced In Projects/Scopes:
  • spring-i18n-support-starter:compile
  • spring-i18n-support-web:compile
  • spring-i18n-support-samples-xml:compile
  • spring-i18n-support-samples-starter:compile

Identifiers

CVE-2017-17485  

Severity: High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-502 Deserialization of Untrusted Data

FasterXML jackson-databind through 2.8.10 and 2.9.x through 2.9.3 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the Spring libraries are available in the classpath.

Vulnerable Software & Versions:

CVE-2018-5968  

Severity: Medium
CVSS Score: 5.1 (AV:N/AC:H/Au:N/C:P/I:P/A:P)
CWE: CWE-184 Incomplete Blacklist

FasterXML jackson-databind through 2.8.11 and 2.9.x through 2.9.3 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 and CVE-2017-17485 deserialization flaws. This is exploitable via two different gadgets that bypass a blacklist.

Vulnerable Software & Versions:

CVE-2018-7489  

Severity: High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-184 Incomplete Blacklist

FasterXML jackson-databind before 2.8.11.1 and 2.9.x before 2.9.5 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the c3p0 libraries are available in the classpath.

Vulnerable Software & Versions:

commons-codec-1.10.jar

Description: The Apache Commons Codec package contains simple encoders and decoders for various formats such as Base64 and Hexadecimal. In addition to these widely used encoders and decoders, the codec package also maintains a collection of phonetic encoding utilities.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/travis/.m2/repository/commons-codec/commons-codec/1.10/commons-codec-1.10.jar
MD5: 353cf6a2bdba09595ccfa073b78c7fcb
SHA1: 4b95f4897fa13f2cd904aee711aeafc0c5295cd8
Referenced In Projects/Scopes:
  • spring-i18n-support-starter:compile
  • spring-i18n-support:compile
  • spring-i18n-support-web:compile
  • spring-i18n-support-samples-xml:compile
  • spring-i18n-support-samples-starter:compile

Identifiers

commons-collections4-4.1.jar

Description: The Apache Commons Collections package contains types that extend and augment the Java Collections Framework.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/travis/.m2/repository/org/apache/commons/commons-collections4/4.1/commons-collections4-4.1.jar
MD5: 45af6a8e5b51d5945de6c7411e290bd1
SHA1: a4cf4688fe1c7e3a63aa636cc96d013af537768e
Referenced In Projects/Scopes:
  • spring-i18n-support-starter:compile
  • spring-i18n-support:compile
  • spring-i18n-support-web:compile
  • spring-i18n-support-samples-xml:compile
  • spring-i18n-support-samples-starter:compile

Identifiers

poi-3.15.jar

Description: Apache POI - Java API To Access Microsoft Format Files

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/travis/.m2/repository/org/apache/poi/poi/3.15/poi-3.15.jar
MD5: 180cd5f6f178cbedd00316d44a42a171
SHA1: 965bba8899988008bb2341e300347de62aad5391
Referenced In Projects/Scopes:
  • spring-i18n-support-starter:compile
  • spring-i18n-support:compile
  • spring-i18n-support-web:compile
  • spring-i18n-support-samples-xml:compile
  • spring-i18n-support-samples-starter:compile

Identifiers

  • cpe: cpe:/a:apache:poi:3.15   Confidence: Low
  • maven: org.apache.poi:poi:3.15   Confidence: Highest

stax-api-1.0.1.jar

Description: StAX API is the standard java XML processing API defined by JSR-173

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/travis/.m2/repository/stax/stax-api/1.0.1/stax-api-1.0.1.jar
MD5: 7d436a53c64490bee564c576babb36b4
SHA1: 49c100caf72d658aca8e58bd74a4ba90fa2b0d70
Referenced In Projects/Scopes:
  • spring-i18n-support-starter:compile
  • spring-i18n-support:compile
  • spring-i18n-support-web:compile
  • spring-i18n-support-samples-xml:compile
  • spring-i18n-support-samples-starter:compile

Identifiers

  • cpe: cpe:/a:st_project:st:1.0.1   Confidence: Low
  • maven: stax:stax-api:1.0.1   Confidence: Highest

CVE-2017-16224  

Severity: Medium
CVSS Score: 5.8 (AV:N/AC:M/Au:N/C:P/I:P/A:N)
CWE: CWE-601 URL Redirection to Untrusted Site ('Open Redirect')

st is a module for serving static files. An attacker is able to craft a request that results in an HTTP 301 (redirect) to an entirely different domain. A request for: http://some.server.com//nodesecurity.org/%2e%2e would result in a 301 to //nodesecurity.org/%2e%2e which most browsers treat as a proper redirect as // is translated into the current schema being used. Mitigating factor: In order for this to work, st must be serving from the root of a server (/) rather than the typical sub directory (/static/) and the redirect URL will end with some form of URL encoded .. ("%2e%2e", "%2e.", ".%2e").

Vulnerable Software & Versions:

xmlbeans-2.6.0.jar

Description: XmlBeans main jar

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/travis/.m2/repository/org/apache/xmlbeans/xmlbeans/2.6.0/xmlbeans-2.6.0.jar
MD5: 6591c08682d613194dacb01e95c78c2c
SHA1: 29e80d2dd51f9dcdef8f9ffaee0d4dc1c9bbfc87
Referenced In Projects/Scopes:
  • spring-i18n-support-starter:compile
  • spring-i18n-support:compile
  • spring-i18n-support-web:compile
  • spring-i18n-support-samples-xml:compile
  • spring-i18n-support-samples-starter:compile

Identifiers

curvesapi-1.04.jar

Description: Implementation of various mathematical curves that define themselves over a set of control points. The API is written in Java. The curves supported are: Bezier, B-Spline, Cardinal Spline, Catmull-Rom Spline, Lagrange, Natural Cubic Spline, and NURBS.

License:

BSD License: http://opensource.org/licenses/BSD-3-Clause
File Path: /home/travis/.m2/repository/com/github/virtuald/curvesapi/1.04/curvesapi-1.04.jar
MD5: 0dcbd9b7e498d1118c920d1d55046743
SHA1: 3386abf821719bc89c7685f9eaafaf4a842f0199
Referenced In Projects/Scopes:
  • spring-i18n-support-starter:compile
  • spring-i18n-support:compile
  • spring-i18n-support-web:compile
  • spring-i18n-support-samples-xml:compile
  • spring-i18n-support-samples-starter:compile

Identifiers

spring-boot-1.5.8.RELEASE.jar

Description: Spring Boot

File Path: /home/travis/.m2/repository/org/springframework/boot/spring-boot/1.5.8.RELEASE/spring-boot-1.5.8.RELEASE.jar
MD5: 675be87ce49c0b8ace3ebfcf984c11e8
SHA1: 748ebde51761e12627ad23d064024f342b18f9b4
Referenced In Projects/Scopes:
  • spring-i18n-support-starter:compile
  • spring-i18n-support-samples-xml:compile
  • spring-i18n-support-samples-starter:compile

Identifiers

CVE-2017-8046  

Severity: High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-20 Improper Input Validation

Malicious PATCH requests submitted to servers using Spring Data REST versions prior to 2.6.9 (Ingalls SR9), versions prior to 3.0.1 (Kay SR1) and Spring Boot versions prior to 1.5.9, 2.0 M6 can use specially crafted JSON data to run arbitrary Java code.

Vulnerable Software & Versions:

CVE-2018-1196  

Severity: Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-59 Improper Link Resolution Before File Access ('Link Following')

Spring Boot supports an embedded launch script that can be used to easily run the application as a systemd or init.d Linux service. The script included with Spring Boot 1.5.9 and earlier and 2.0.0.M1 through 2.0.0.M7 is susceptible to a symlink attack which allows the "run_user" to overwrite and take ownership of any file on the same system. In order to instigate the attack, the application must be installed as a service and the "run_user" requires shell access to the server. Spring Boot applications that are not installed as a service, or are not using the embedded launch script, are not susceptible.

Vulnerable Software & Versions:

logback-core-1.1.11.jar

Description: logback-core module

License:

http://www.eclipse.org/legal/epl-v10.html, http://www.gnu.org/licenses/old-licenses/lgpl-2.1.html
File Path: /home/travis/.m2/repository/ch/qos/logback/logback-core/1.1.11/logback-core-1.1.11.jar
MD5: cc7a8deacd26b0aa2668779ce2721c0f
SHA1: 88b8df40340eed549fb07e2613879bf6b006704d
Referenced In Projects/Scopes:
  • spring-i18n-support-starter:compile
  • spring-i18n-support-samples-xml:compile
  • spring-i18n-support-samples-starter:compile

Identifiers

jcl-over-slf4j-1.7.25.jar

Description: JCL 1.2 implemented over SLF4J

File Path: /home/travis/.m2/repository/org/slf4j/jcl-over-slf4j/1.7.25/jcl-over-slf4j-1.7.25.jar
MD5: 56b22adc639b09b2e917f42d68b26600
SHA1: f8c32b13ff142a513eeb5b6330b1588dcb2c0461
Referenced In Projects/Scopes:
  • spring-i18n-support:runtime
  • spring-i18n-support-starter:compile
  • spring-i18n-support-samples-xml:compile
  • spring-i18n-support-samples-starter:compile

Identifiers

jul-to-slf4j-1.7.25.jar

Description: JUL to SLF4J bridge

File Path: /home/travis/.m2/repository/org/slf4j/jul-to-slf4j/1.7.25/jul-to-slf4j-1.7.25.jar
MD5: ab28124cb05fec600f2ffe37b94629e0
SHA1: 0af5364cd6679bfffb114f0dec8a157aaa283b76
Referenced In Projects/Scopes:
  • spring-i18n-support-starter:compile
  • spring-i18n-support-samples-xml:compile
  • spring-i18n-support-samples-starter:compile

Identifiers

log4j-over-slf4j-1.7.25.jar

Description: Log4j implemented over SLF4J

License:

Apache Software Licenses: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/travis/.m2/repository/org/slf4j/log4j-over-slf4j/1.7.25/log4j-over-slf4j-1.7.25.jar
MD5: fb818c7981d842875905587a61f2b942
SHA1: a87bb47468f47ee7aabbd54f93e133d4215769c3
Referenced In Projects/Scopes:
  • spring-i18n-support-starter:compile
  • spring-i18n-support-samples-xml:compile
  • spring-i18n-support-samples-starter:compile

Identifiers

snakeyaml-1.17.jar

Description: YAML 1.1 parser and emitter for Java

License:

Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/travis/.m2/repository/org/yaml/snakeyaml/1.17/snakeyaml-1.17.jar
MD5: ab621c3cee316236ad04a6f0fe4dd17c
SHA1: 7a27ea250c5130b2922b86dea63cbb1cc10a660c
Referenced In Projects/Scopes:
  • spring-i18n-support-starter:runtime
  • spring-i18n-support-samples-xml:runtime
  • spring-i18n-support-samples-starter:runtime

Identifiers

tomcat-annotations-api-8.5.23.jar

Description: Annotations Package

License:

Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/travis/.m2/repository/org/apache/tomcat/tomcat-annotations-api/8.5.23/tomcat-annotations-api-8.5.23.jar
MD5: a176f33b5656eb44675aacb1f50e8468
SHA1: aaf17df9fe0240e9e9d5375d24d5f177174b73d9
Referenced In Projects/Scopes:
  • spring-i18n-support-starter:compile
  • spring-i18n-support-samples-xml:compile
  • spring-i18n-support-samples-starter:compile

Identifiers

CVE-2016-5425  

Severity: High
CVSS Score: 7.2 (AV:L/AC:L/Au:N/C:C/I:C/A:C)
CWE: CWE-264 Permissions, Privileges, and Access Controls

The Tomcat package on Red Hat Enterprise Linux (RHEL) 7, Fedora, CentOS, Oracle Linux, and possibly other Linux distributions uses weak permissions for /usr/lib/tmpfiles.d/tomcat.conf, which allows local users to gain root privileges by leveraging membership in the tomcat group.

Vulnerable Software & Versions:

CVE-2016-6325  

Severity: High
CVSS Score: 7.2 (AV:L/AC:L/Au:N/C:C/I:C/A:C)
CWE: CWE-264 Permissions, Privileges, and Access Controls

The Tomcat package on Red Hat Enterprise Linux (RHEL) 5 through 7, JBoss Web Server 3.0, and JBoss EWS 2 uses weak permissions for (1) /etc/sysconfig/tomcat and (2) /etc/tomcat/tomcat.conf, which allows local users to gain privileges by leveraging membership in the tomcat group.

Vulnerable Software & Versions:

CVE-2017-15706  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)
CWE: CWE-358 Improperly Implemented Security Check for Standard

As part of the fix for bug 61201, the documentation for Apache Tomcat 9.0.0.M22 to 9.0.1, 8.5.16 to 8.5.23, 8.0.45 to 8.0.47 and 7.0.79 to 7.0.82 included an updated description of the search algorithm used by the CGI Servlet to identify which script to execute. The update was not correct. As a result, some scripts may have failed to execute as expected and other scripts may have been executed unexpectedly. Note that the behaviour of the CGI servlet has remained unchanged in this regard. It is only the documentation of the behaviour that was wrong and has been corrected.

Vulnerable Software & Versions:

CVE-2017-6056  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-19 Data Handling

It was discovered that a programming error in the processing of HTTPS requests in the Apache Tomcat servlet and JSP engine may result in denial of service via an infinite loop. The denial of service is easily achievable as a consequence of backporting a CVE-2016-6816 fix but not backporting the fix for Tomcat bug 57544. Distributions affected by this backporting issue include Debian (before 7.0.56-3+deb8u8 and 8.0.14-1+deb8u7 in jessie) and Ubuntu.

Vulnerable Software & Versions:

CVE-2018-1304  

Severity: Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N)
CWE: CWE-254 Security Features

The URL pattern of "" (the empty string) which exactly maps to the context root was not correctly handled in Apache Tomcat 9.0.0.M1 to 9.0.4, 8.5.0 to 8.5.27, 8.0.0.RC1 to 8.0.49 and 7.0.0 to 7.0.84 when used as part of a security constraint definition. This caused the constraint to be ignored. It was, therefore, possible for unauthorised users to gain access to web application resources that should have been protected. Only security constraints with a URL pattern of the empty string were affected.

Vulnerable Software & Versions:

CVE-2018-1305  

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-284 Improper Access Control

Security constraints defined by annotations of Servlets in Apache Tomcat 9.0.0.M1 to 9.0.4, 8.5.0 to 8.5.27, 8.0.0.RC1 to 8.0.49 and 7.0.0 to 7.0.84 were only applied once a Servlet had been loaded. Because security constraints defined in this way apply to the URL pattern and any URLs below that point, it was possible - depending on the order Servlets were loaded - for some security constraints not to be applied. This could have exposed resources to users who were not authorised to access them.

Vulnerable Software & Versions:

CVE-2018-1336  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-400 Uncontrolled Resource Consumption ('Resource Exhaustion')

An improper handling of overflow in the UTF-8 decoder with supplementary characters can lead to an infinite loop in the decoder causing a Denial of Service. Versions Affected: Apache Tomcat 9.0.0.M9 to 9.0.7, 8.5.0 to 8.5.30, 8.0.0.RC1 to 8.0.51, and 7.0.28 to 7.0.86.

Vulnerable Software & Versions:

CVE-2018-8014  

Severity: High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-254 Security Features

The default settings for the CORS filter provided in Apache Tomcat 9.0.0.M1 to 9.0.8, 8.5.0 to 8.5.31, 8.0.0.RC1 to 8.0.52, 7.0.41 to 7.0.88 are insecure and enable 'supportsCredentials' for all origins. It is expected that users of the CORS filter will have configured it appropriately for their environment rather than using it in the default configuration. Therefore, it is expected that most users will not be impacted by this issue.

Vulnerable Software & Versions:

CVE-2018-8034  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-295 Improper Certificate Validation

The host name verification when using TLS with the WebSocket client was missing. It is now enabled by default. Versions Affected: Apache Tomcat 9.0.0.M1 to 9.0.9, 8.5.0 to 8.5.31, 8.0.0.RC1 to 8.0.52, and 7.0.35 to 7.0.88.

Vulnerable Software & Versions:

CVE-2018-8037  

Severity: Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N)
CWE: CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

If an async request was completed by the application at the same time as the container triggered the async timeout, a race condition existed that could result in a user seeing a response intended for a different user. An additional issue was present in the NIO and NIO2 connectors that did not correctly track the closure of the connection when an async request was completed by the application and timed out by the container at the same time. This could also result in a user seeing a response intended for another user. Versions Affected: Apache Tomcat 9.0.0.M9 to 9.0.9 and 8.5.5 to 8.5.31.

Vulnerable Software & Versions:

tomcat-embed-core-8.5.23.jar

Description: Core Tomcat implementation

License:

Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/travis/.m2/repository/org/apache/tomcat/embed/tomcat-embed-core/8.5.23/tomcat-embed-core-8.5.23.jar
MD5: ae9430c1a4fc4d0d8eee4f33f2f4da00
SHA1: 79261793a47f507890ee08f749b9d81774e4f7f0
Referenced In Projects/Scopes:
  • spring-i18n-support-starter:compile
  • spring-i18n-support-samples-xml:compile
  • spring-i18n-support-samples-starter:compile

Identifiers

CVE-2017-15706  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)
CWE: CWE-358 Improperly Implemented Security Check for Standard

As part of the fix for bug 61201, the documentation for Apache Tomcat 9.0.0.M22 to 9.0.1, 8.5.16 to 8.5.23, 8.0.45 to 8.0.47 and 7.0.79 to 7.0.82 included an updated description of the search algorithm used by the CGI Servlet to identify which script to execute. The update was not correct. As a result, some scripts may have failed to execute as expected and other scripts may have been executed unexpectedly. Note that the behaviour of the CGI servlet has remained unchanged in this regard. It is only the documentation of the behaviour that was wrong and has been corrected.

Vulnerable Software & Versions:

CVE-2018-1304  

Severity: Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N)
CWE: CWE-254 Security Features

The URL pattern of "" (the empty string) which exactly maps to the context root was not correctly handled in Apache Tomcat 9.0.0.M1 to 9.0.4, 8.5.0 to 8.5.27, 8.0.0.RC1 to 8.0.49 and 7.0.0 to 7.0.84 when used as part of a security constraint definition. This caused the constraint to be ignored. It was, therefore, possible for unauthorised users to gain access to web application resources that should have been protected. Only security constraints with a URL pattern of the empty string were affected.

Vulnerable Software & Versions:

CVE-2018-1305  

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-284 Improper Access Control

Security constraints defined by annotations of Servlets in Apache Tomcat 9.0.0.M1 to 9.0.4, 8.5.0 to 8.5.27, 8.0.0.RC1 to 8.0.49 and 7.0.0 to 7.0.84 were only applied once a Servlet had been loaded. Because security constraints defined in this way apply to the URL pattern and any URLs below that point, it was possible - depending on the order Servlets were loaded - for some security constraints not to be applied. This could have exposed resources to users who were not authorised to access them.

Vulnerable Software & Versions:

CVE-2018-1336  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-400 Uncontrolled Resource Consumption ('Resource Exhaustion')

An improper handling of overflow in the UTF-8 decoder with supplementary characters can lead to an infinite loop in the decoder causing a Denial of Service. Versions Affected: Apache Tomcat 9.0.0.M9 to 9.0.7, 8.5.0 to 8.5.30, 8.0.0.RC1 to 8.0.51, and 7.0.28 to 7.0.86.

Vulnerable Software & Versions:

CVE-2018-8014  

Severity: High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-254 Security Features

The default settings for the CORS filter provided in Apache Tomcat 9.0.0.M1 to 9.0.8, 8.5.0 to 8.5.31, 8.0.0.RC1 to 8.0.52, 7.0.41 to 7.0.88 are insecure and enable 'supportsCredentials' for all origins. It is expected that users of the CORS filter will have configured it appropriately for their environment rather than using it in the default configuration. Therefore, it is expected that most users will not be impacted by this issue.

Vulnerable Software & Versions:

CVE-2018-8034  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-295 Improper Certificate Validation

The host name verification when using TLS with the WebSocket client was missing. It is now enabled by default. Versions Affected: Apache Tomcat 9.0.0.M1 to 9.0.9, 8.5.0 to 8.5.31, 8.0.0.RC1 to 8.0.52, and 7.0.35 to 7.0.88.

Vulnerable Software & Versions:

CVE-2018-8037  

Severity: Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N)
CWE: CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

If an async request was completed by the application at the same time as the container triggered the async timeout, a race condition existed that could result in a user seeing a response intended for a different user. An additional issue was present in the NIO and NIO2 connectors that did not correctly track the closure of the connection when an async request was completed by the application and timed out by the container at the same time. This could also result in a user seeing a response intended for another user. Versions Affected: Apache Tomcat 9.0.0.M9 to 9.0.9 and 8.5.5 to 8.5.31.

Vulnerable Software & Versions:

tomcat-embed-el-8.5.23.jar

Description: Core Tomcat implementation

License:

Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/travis/.m2/repository/org/apache/tomcat/embed/tomcat-embed-el/8.5.23/tomcat-embed-el-8.5.23.jar
MD5: caf0fdf8c1a9d5dddb25d1d8f5c09442
SHA1: 98d979cde444dffa6d434c8377d0123b2dfa614c
Referenced In Projects/Scopes:
  • spring-i18n-support-starter:compile
  • spring-i18n-support-samples-xml:compile
  • spring-i18n-support-samples-starter:compile

Identifiers

validation-api-1.1.0.Final.jar

Description: Bean Validation API

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/travis/.m2/repository/javax/validation/validation-api/1.1.0.Final/validation-api-1.1.0.Final.jar
MD5: 4c257f52462860b62ab3cdab45f53082
SHA1: 8613ae82954779d518631e05daa73a6a954817d5
Referenced In Projects/Scopes:
  • spring-i18n-support-samples-xml:compile
  • spring-i18n-support-samples-starter:compile

Identifiers

jboss-logging-3.3.1.Final.jar

Description: The JBoss Logging Framework

License:

Apache License, version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/travis/.m2/repository/org/jboss/logging/jboss-logging/3.3.1.Final/jboss-logging-3.3.1.Final.jar
MD5: 93cf8945ff84aaf9f0ed9a76991338fb
SHA1: c46217ab74b532568c0ed31dc599db3048bd1b67
Referenced In Projects/Scopes:
  • spring-i18n-support:compile
  • spring-i18n-support-samples-xml:compile
  • spring-i18n-support-samples-starter:compile

Identifiers

classmate-1.3.4.jar

Description: Library for introspecting types with full generic information including resolving of field and method types.

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/travis/.m2/repository/com/fasterxml/classmate/1.3.4/classmate-1.3.4.jar
MD5: 1e2e0fcc510753882683417e01895242
SHA1: 03d5f48f10bbe4eb7bd862f10c0583be2e0053c6
Referenced In Projects/Scopes:
  • spring-i18n-support:compile
  • spring-i18n-support-samples-xml:compile
  • spring-i18n-support-samples-starter:compile

Identifiers

hibernate-validator-5.3.5.Final.jar

Description: Hibernate's Bean Validation (JSR-303) reference implementation.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/travis/.m2/repository/org/hibernate/hibernate-validator/5.3.5.Final/hibernate-validator-5.3.5.Final.jar
MD5: bd241d9104768ad5ef698d58534c0bce
SHA1: 0622a9bcef2eed6d41b5b8e0662c36212009e375
Referenced In Projects/Scopes:
  • spring-i18n-support-samples-xml:compile
  • spring-i18n-support-samples-starter:compile

Identifiers

ognl-3.0.8.jar

Description: OGNL - Object Graph Navigation Library

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/travis/.m2/repository/ognl/ognl/3.0.8/ognl-3.0.8.jar
MD5: 6f2969f0eb541a6f4ecfa15faa8155d7
SHA1: 37e1aebfde7eb7baebc9ad4f85116ef9009c5fc5
Referenced In Projects/Scopes:
  • spring-i18n-support-samples-xml:compile
  • spring-i18n-support-samples-starter:compile

Identifiers

  • cpe: cpe:/a:ognl_project:ognl:3.0.8   Confidence:Low   
  • maven: ognl:ognl:3.0.8    Confidence:Highest

CVE-2016-3093  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-20 Improper Input Validation

Apache Struts 2.0.0 through 2.3.24.1 does not properly cache method references when used with OGNL before 3.0.12, which allows remote attackers to cause a denial of service (block access to a web site) via unspecified vectors.

Vulnerable Software & Versions:

javassist-3.21.0-GA.jar

Description: Javassist (JAVA programming ASSISTant) makes Java bytecode manipulation simple. It is a class library for editing bytecodes in Java.

License:

MPL 1.1: http://www.mozilla.org/MPL/MPL-1.1.html
LGPL 2.1: http://www.gnu.org/licenses/lgpl-2.1.html
Apache License 2.0: http://www.apache.org/licenses/
File Path: /home/travis/.m2/repository/org/javassist/javassist/3.21.0-GA/javassist-3.21.0-GA.jar
MD5: 3dba2305f842c2891df0a0926e18bcfa
SHA1: 598244f595db5c5fb713731eddbb1c91a58d959b
Referenced In Projects/Scopes:
  • spring-i18n-support:compile
  • spring-i18n-support-samples-xml:compile
  • spring-i18n-support-samples-starter:compile

Identifiers

unbescape-1.1.0.RELEASE.jar

Description: Advanced yet easy-to-use escape/unescape library for Java

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/travis/.m2/repository/org/unbescape/unbescape/1.1.0.RELEASE/unbescape-1.1.0.RELEASE.jar
MD5: 9bccbc680238d9352156891cf53b96b4
SHA1: ab0db4fe0a6fa89fb8da2a40008a4e63a7f3f5b9
Referenced In Projects/Scopes:
  • spring-i18n-support-samples-xml:compile
  • spring-i18n-support-samples-starter:compile

Identifiers

thymeleaf-2.1.5.RELEASE.jar

Description: XML/XHTML/HTML5 template engine for Java

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/travis/.m2/repository/org/thymeleaf/thymeleaf/2.1.5.RELEASE/thymeleaf-2.1.5.RELEASE.jar
MD5: a7e95d2915820f069a220b66ba65232f
SHA1: 513bffa3daaac277460c1a0a2dccb228fa40569e
Referenced In Projects/Scopes:
  • spring-i18n-support-samples-xml:compile
  • spring-i18n-support-samples-starter:compile

Identifiers

thymeleaf-spring4-2.1.5.RELEASE.jar

Description: XML/XHTML/HTML5 template engine for Java

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/travis/.m2/repository/org/thymeleaf/thymeleaf-spring4/2.1.5.RELEASE/thymeleaf-spring4-2.1.5.RELEASE.jar
MD5: 3fd4f26581a703c6a8a698356d14216a
SHA1: 74cb9028e99597b5d71a98e919fd531a7fc290b4
Referenced In Projects/Scopes:
  • spring-i18n-support-samples-xml:compile
  • spring-i18n-support-samples-starter:compile

Identifiers

groovy-2.4.12.jar

Description: Groovy: A powerful, dynamic language for the JVM

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/travis/.m2/repository/org/codehaus/groovy/groovy/2.4.12/groovy-2.4.12.jar
MD5: 873d89f2fe8ef387da7a9190f6735c8f
SHA1: a43be367110c491787219f1c128b5b5fc54f1e70
Referenced In Projects/Scopes:
  • spring-i18n-support-samples-xml:compile
  • spring-i18n-support-samples-starter:compile

Identifiers

thymeleaf-layout-dialect-1.4.0.jar

Description: A dialect for Thymeleaf that allows you to use layout/decorator templates to style your content.

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/travis/.m2/repository/nz/net/ultraq/thymeleaf/thymeleaf-layout-dialect/1.4.0/thymeleaf-layout-dialect-1.4.0.jar
MD5: c7f68cea0796caf11585998f3bbe858f
SHA1: 08d7810c069ed1534b9631fb1e85c35973546086
Referenced In Projects/Scopes:
  • spring-i18n-support-samples-xml:compile
  • spring-i18n-support-samples-starter:compile

Identifiers

h2-1.4.192.jar

Description: H2 Database Engine

License:

MPL 2.0 or EPL 1.0: http://h2database.com/html/license.html
File Path: /home/travis/.m2/repository/com/h2database/h2/1.4.192/h2-1.4.192.jar
MD5: 8e161053d21949a13e0918550cd5d2ca
SHA1: 1106492605db135523d2817881cdf029d9292afa
Referenced In Projects/Scopes:
  • spring-i18n-support-samples-xml:runtime
  • spring-i18n-support-samples-starter:runtime

Identifiers

  • cpe: cpe:/a:h2database:h2:1.4.192   Confidence:Low   
  • maven: com.h2database:h2:1.4.192    Confidence:Highest

android-json-0.0.20131108.vaadin1.jar

Description: JSON (JavaScript Object Notation) is a lightweight data-interchange format. This is the org.json compatible Android implementation extracted from the Android SDK.

License:

Apache License 2.0: http://www.apache.org/licenses/LICENSE-2.0
File Path: /home/travis/.m2/repository/com/vaadin/external/google/android-json/0.0.20131108.vaadin1/android-json-0.0.20131108.vaadin1.jar
MD5: 10612241a9cc269501a7a2b8a984b949
SHA1: fa26d351fe62a6a17f5cda1287c1c6110dec413f
Referenced In Project/Scope: spring-i18n-support-starter:compile

Identifiers

spring-data-commons-1.13.8.RELEASE.jar

File Path: /home/travis/.m2/repository/org/springframework/data/spring-data-commons/1.13.8.RELEASE/spring-data-commons-1.13.8.RELEASE.jar
MD5: 41b6ce6edafc9db13a523c78b3c4e19a
SHA1: 2853e3c38e02d42529f6c8b247d7bace40c25642
Referenced In Project/Scope: spring-i18n-support:compile

Identifiers

aspectjrt-1.8.11.jar

Description: The runtime needed to execute a program using AspectJ

License:

Eclipse Public License - v 1.0: http://www.eclipse.org/legal/epl-v10.html
File Path: /home/travis/.m2/repository/org/aspectj/aspectjrt/1.8.11/aspectjrt-1.8.11.jar
MD5: 166f90f29e3500174638bada09d75178
SHA1: 8810071477b9700a180350b331a8f3a8707b2f16
Referenced In Project/Scope: spring-i18n-support:compile

Identifiers

spring-data-jpa-1.11.8.RELEASE.jar

Description: Spring Data module for JPA repositories.

File Path: /home/travis/.m2/repository/org/springframework/data/spring-data-jpa/1.11.8.RELEASE/spring-data-jpa-1.11.8.RELEASE.jar
MD5: edace70f681e79388d3376995f5ca123
SHA1: d674b8407de3d2998c106557fd6a6665de2bc217
Referenced In Project/Scope: spring-i18n-support:compile

Identifiers

ehcache-core-2.6.11.jar

Description: This is the ehcache core module. Pair it with other modules for added functionality.

License:

The Apache Software License, Version 2.0: src/assemble/EHCACHE-CORE-LICENSE.txt
File Path: /home/travis/.m2/repository/net/sf/ehcache/ehcache-core/2.6.11/ehcache-core-2.6.11.jar
MD5: 81840aace00ec514154d6dac91ba43e5
SHA1: fae7f84a5ffabe1b814e40190650c0ad5aeda5b1
Referenced In Project/Scope: spring-i18n-support:compile

Identifiers

hibernate-jpa-2.1-api-1.0.0.Final.jar

Description: Clean-room definition of JPA APIs intended for use in developing Hibernate JPA implementation. See README.md for details

License:

Eclipse Public License (EPL), Version 1.0: http://www.eclipse.org/legal/epl-v10.html
Eclipse Distribution License (EDL), Version 1.0: http://www.eclipse.org/org/documents/edl-v10.php
File Path: /home/travis/.m2/repository/org/hibernate/javax/persistence/hibernate-jpa-2.1-api/1.0.0.Final/hibernate-jpa-2.1-api-1.0.0.Final.jar
MD5: 01b091825023c97fdfd6d2bceebe03ff
SHA1: 5e731d961297e5a07290bfaf3db1fbc8bbbf405a
Referenced In Project/Scope: spring-i18n-support:compile

Identifiers

antlr-2.7.7.jar

Description: A framework for constructing recognizers, compilers, and translators from grammatical descriptions containing Java, C#, C++, or Python actions.

License:

BSD License: http://www.antlr.org/license.html
File Path: /home/travis/.m2/repository/antlr/antlr/2.7.7/antlr-2.7.7.jar
MD5: f8f1352c52a4c6a500b597596501fc64
SHA1: 83cd2cd674a217ade95a4bb83a8a14f351f48bd0
Referenced In Project/Scope: spring-i18n-support:compile

Identifiers

jboss-transaction-api_1.2_spec-1.0.1.Final.jar

Description: The Java Transaction 1.2 API classes

License:

Common Development and Distribution License: http://repository.jboss.org/licenses/cddl.txt
GNU General Public License, Version 2 with the Classpath Exception: http://repository.jboss.org/licenses/gpl-2.0-ce.txt
File Path: /home/travis/.m2/repository/org/jboss/spec/javax/transaction/jboss-transaction-api_1.2_spec/1.0.1.Final/jboss-transaction-api_1.2_spec-1.0.1.Final.jar
MD5: 4d3a6329aa429d92e7bf0c2d34302660
SHA1: 4441f144a2a1f46ed48fcc6b476a4b6295e6d524
Referenced In Project/Scope: spring-i18n-support:compile

Identifiers

jandex-2.0.3.Final.jar

Description: Parent POM for JBoss projects. Provides default project build configuration.

License:

Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/travis/.m2/repository/org/jboss/jandex/2.0.3.Final/jandex-2.0.3.Final.jar
MD5: 77db6e55da888349f5466d2dcf150b14
SHA1: bfc4d6257dbff7a33a357f0de116be6ff951d849
Referenced In Project/Scope: spring-i18n-support:compile

Identifiers

dom4j-1.6.1.jar

Description: dom4j: the flexible XML framework for Java

File Path: /home/travis/.m2/repository/dom4j/dom4j/1.6.1/dom4j-1.6.1.jar
MD5: 4d8f51d3fe3900efc6e395be48030d6d
SHA1: 5d3ccc056b6f056dbf0dddfdf43894b9065a8f94
Referenced In Project/Scope: spring-i18n-support:compile

Identifiers

CVE-2018-1000632  

Severity: Medium
CVSS Score: 6.4 (AV:N/AC:L/Au:N/C:N/I:P/A:P)
CWE: CWE-91 XML Injection (aka Blind XPath Injection)

dom4j versions prior to 2.1.1 contain a CWE-91: XML Injection vulnerability in Class: Element. Methods: addElement, addAttribute that can result in an attacker tampering with XML documents through XML injection. This attack appears to be exploitable via an attacker specifying attributes or elements in the XML document. This vulnerability appears to have been fixed in 2.1.1 or later.

Vulnerable Software & Versions:

hibernate-commons-annotations-5.0.1.Final.jar

Description: Common reflection code used in support of annotation processing

License:

GNU Lesser General Public License: http://www.gnu.org/licenses/lgpl-2.1.html
File Path: /home/travis/.m2/repository/org/hibernate/common/hibernate-commons-annotations/5.0.1.Final/hibernate-commons-annotations-5.0.1.Final.jar
MD5: 2a9d6f5a4ece96557bc4300ecc4486fb
SHA1: 71e1cff3fcb20d3b3af4f3363c3ddb24d33c6879
Referenced In Project/Scope: spring-i18n-support:compile

Identifiers

hibernate-core-5.2.11.Final.jar

Description: The core O/RM functionality as provided by Hibernate

License:

GNU Lesser General Public License: http://www.gnu.org/licenses/lgpl-2.1.html
File Path: /home/travis/.m2/repository/org/hibernate/hibernate-core/5.2.11.Final/hibernate-core-5.2.11.Final.jar
MD5: e3f79bc4af31070146442d0649598a9e
SHA1: c7bc35a9caccb66f6b7209849c5feab8241abb76
Referenced In Project/Scope: spring-i18n-support:compile

Identifiers

ehcache-core-2.6.11.jar: sizeof-agent.jar

File Path: /home/travis/.m2/repository/net/sf/ehcache/ehcache-core/2.6.11/ehcache-core-2.6.11.jar/net/sf/ehcache/pool/sizeof/sizeof-agent.jar
MD5: 5ad919b3ac0516897bdca079c9a222a8
SHA1: e86399a80ae6a6c7a563717eaa0ce9ba4708571c
Referenced In Project/Scope: spring-i18n-support:compile

Identifiers

  • maven: net.sf.ehcache:sizeof-agent:1.0.1   Confidence:High

This report contains data retrieved from the National Vulnerability Database.
This report may contain data retrieved from the Node Security Platform.