Dependency-Check is an open source tool performing a best effort analysis of 3rd party dependencies; false positives and false negatives may exist in the analysis performed by the tool. Use of the tool and the reporting provided constitutes acceptance for use in an AS IS condition, and there are NO warranties, implied or otherwise, with regard to the analysis or its use. Any use of the tool and the reporting provided is at the user’s risk. In no event shall the copyright holder or OWASP be held liable for any damages whatsoever arising out of or in connection with the use of this tool, the analysis performed, or the resulting report.

How to read the report | Suppressing false positives | Getting Help: github issues

Project: TheseFoolishThings :: Examples :: DCI :: Persistence JPA

it.tidalwave.thesefoolishthings:it-tidalwave-thesefoolishthings-examples-dci-persistence-jpa:3.2-ALPHA-16

Scan Information (show all):

Summary

Display: Showing Vulnerable Dependencies (click to show all)

DependencyVulnerability IDsPackageHighest SeverityCVE CountConfidenceEvidence Count
HikariCP-4.0.3.jarpkg:maven/com.zaxxer/HikariCP@4.0.3 036
antlr-2.7.7.jarpkg:maven/antlr/antlr@2.7.7 023
aspectjrt-1.9.6.jarpkg:maven/org.aspectj/aspectjrt@1.9.6 023
byte-buddy-1.11.22.jarpkg:maven/net.bytebuddy/byte-buddy@1.11.22 026
byte-buddy-1.11.22.jar (shaded: net.bytebuddy:byte-buddy-dep:1.11.22)pkg:maven/net.bytebuddy/byte-buddy-dep@1.11.22 09
classmate-1.5.1.jarpkg:maven/com.fasterxml/classmate@1.5.1 047
h2-2.1.214.jarcpe:2.3:a:h2database:h2:2.1.214:*:*:*:*:*:*:*pkg:maven/com.h2database/h2@2.1.214HIGH1Highest38
h2-2.1.214.jar: data.zip: table.js 00
h2-2.1.214.jar: data.zip: tree.js 00
hibernate-commons-annotations-5.1.2.Final.jarpkg:maven/org.hibernate.common/hibernate-commons-annotations@5.1.2.Final 039
hibernate-core-5.6.3.Final.jarcpe:2.3:a:hibernate:hibernate_orm:5.6.3:*:*:*:*:*:*:*pkg:maven/org.hibernate/hibernate-core@5.6.3.Final 0Low40
istack-commons-runtime-3.0.12.jarcpe:2.3:a:oracle:java_se:3.0.12:*:*:*:*:*:*:*pkg:maven/com.sun.istack/istack-commons-runtime@3.0.12 0Low37
it-tidalwave-role-3.2-ALPHA-16.jarpkg:maven/it.tidalwave.thesefoolishthings/it-tidalwave-role@3.2-ALPHA-16 023
it-tidalwave-role-spring-3.2-ALPHA-16.jarpkg:maven/it.tidalwave.thesefoolishthings/it-tidalwave-role-spring@3.2-ALPHA-16 025
it-tidalwave-thesefoolishthings-examples-data-3.2-ALPHA-16.jarpkg:maven/it.tidalwave.thesefoolishthings/it-tidalwave-thesefoolishthings-examples-data@3.2-ALPHA-16 025
it-tidalwave-util-3.2-ALPHA-16.jarpkg:maven/it.tidalwave.thesefoolishthings/it-tidalwave-util@3.2-ALPHA-16 023
it-tidalwave-util-test-3.2-ALPHA-16.jarpkg:maven/it.tidalwave.thesefoolishthings/it-tidalwave-util-test@3.2-ALPHA-16 025
jakarta.activation-1.2.2.jarcpe:2.3:a:oracle:java_se:1.2.2:*:*:*:*:*:*:*pkg:maven/com.sun.activation/jakarta.activation@1.2.2 0Low37
jakarta.annotation-api-1.3.5.jarpkg:maven/jakarta.annotation/jakarta.annotation-api@1.3.5 032
jakarta.persistence-api-2.2.3.jarpkg:maven/jakarta.persistence/jakarta.persistence-api@2.2.3 031
jakarta.transaction-api-1.3.3.jarcpe:2.3:a:oracle:projects:1.3.3:*:*:*:*:*:*:*pkg:maven/jakarta.transaction/jakarta.transaction-api@1.3.3 0Low39
jakarta.xml.bind-api-2.3.3.jarpkg:maven/jakarta.xml.bind/jakarta.xml.bind-api@2.3.3 034
jandex-2.2.3.Final.jarpkg:maven/org.jboss/jandex@2.2.3.Final 045
java-diff-utils-4.9.jarcpe:2.3:a:utils_project:utils:4.9:*:*:*:*:*:*:*pkg:maven/io.github.java-diff-utils/java-diff-utils@4.9MEDIUM1Highest22
javax.annotation-api-1.3.2.jarpkg:maven/javax.annotation/javax.annotation-api@1.3.2 039
javax.inject-1.jarpkg:maven/javax.inject/javax.inject@1 019
jaxb-runtime-2.3.5.jarcpe:2.3:a:oracle:java_se:2.3.5:*:*:*:*:*:*:*pkg:maven/org.glassfish.jaxb/jaxb-runtime@2.3.5 0Low48
jboss-logging-3.4.2.Final.jarpkg:maven/org.jboss.logging/jboss-logging@3.4.2.Final 047
jcl-over-slf4j-1.7.30.jarcpe:2.3:a:apache:commons_net:1.7.30:*:*:*:*:*:*:*pkg:maven/org.slf4j/jcl-over-slf4j@1.7.30MEDIUM1Low33
jsr305-3.0.2.jarpkg:maven/com.google.code.findbugs/jsr305@3.0.2 017
jul-to-slf4j-1.7.30.jarpkg:maven/org.slf4j/jul-to-slf4j@1.7.30 028
log4j-api-2.17.0.jarcpe:2.3:a:apache:log4j:2.17.0:*:*:*:*:*:*:*pkg:maven/org.apache.logging.log4j/log4j-api@2.17.0MEDIUM1Highest46
logback-core-1.2.3.jarcpe:2.3:a:qos:logback:1.2.3:*:*:*:*:*:*:*pkg:maven/ch.qos.logback/logback-core@1.2.3MEDIUM1Highest32
lombok-1.18.22.jarpkg:maven/org.projectlombok/lombok@1.18.22 024
slf4j-api-1.7.30.jarpkg:maven/org.slf4j/slf4j-api@1.7.30 029
snakeyaml-1.29.jarcpe:2.3:a:snakeyaml_project:snakeyaml:1.29:*:*:*:*:*:*:*
cpe:2.3:a:yaml_project:yaml:1.29:*:*:*:*:*:*:*
pkg:maven/org.yaml/snakeyaml@1.29HIGH9Highest28
spotbugs-annotations-3.1.9.jarpkg:maven/com.github.spotbugs/spotbugs-annotations@3.1.9 021
spring-boot-2.6.2.jarcpe:2.3:a:vmware:spring_boot:2.6.2:*:*:*:*:*:*:*
cpe:2.3:a:vmware:spring_framework:2.6.2:*:*:*:*:*:*:*
pkg:maven/org.springframework.boot/spring-boot@2.6.2CRITICAL12Highest30
spring-core-5.3.14.jarcpe:2.3:a:pivotal_software:spring_framework:5.3.14:*:*:*:*:*:*:*
cpe:2.3:a:springsource:spring_framework:5.3.14:*:*:*:*:*:*:*
cpe:2.3:a:vmware:spring_framework:5.3.14:*:*:*:*:*:*:*
pkg:maven/org.springframework/spring-core@5.3.14CRITICAL6Highest31
spring-data-commons-2.6.0.jarcpe:2.3:a:pivotal_software:spring_data_commons:2.6.0:*:*:*:*:*:*:*
cpe:2.3:a:vmware:spring_framework:2.6.0:*:*:*:*:*:*:*
pkg:maven/org.springframework.data/spring-data-commons@2.6.0CRITICAL12Highest30
spring-data-jpa-2.6.0.jarcpe:2.3:a:pivotal_software:spring_data_jpa:2.6.0:*:*:*:*:*:*:*
cpe:2.3:a:vmware:spring_framework:2.6.0:*:*:*:*:*:*:*
pkg:maven/org.springframework.data/spring-data-jpa@2.6.0CRITICAL12Highest32
txw2-2.3.5.jarpkg:maven/org.glassfish.jaxb/txw2@2.3.5 035

Dependencies

HikariCP-4.0.3.jar

Description:

Ultimate JDBC Connection Pool

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/fritz/.mountpoints/LocalData/Business/Tidalwave/Projects/WorkAreas/Tidalwave/tidalwave.bitbucket.io/repository/com/zaxxer/HikariCP/4.0.3/HikariCP-4.0.3.jar
MD5: e725642926105cd1bbf4ad7fdff5d5a9
SHA1: 107cbdf0db6780a065f895ae9d8fbf3bb0e1c21f
SHA256:7c024aeff1c1063576d74453513f9de6447d8e624d17f8e27f30a2e97688c6c9
Referenced In Project/Scope:TheseFoolishThings :: Examples :: DCI :: Persistence JPA:compile

Identifiers

antlr-2.7.7.jar

Description:

    A framework for constructing recognizers, compilers,
    and translators from grammatical descriptions containing
    Java, C#, C++, or Python actions.
  

License:

BSD License: http://www.antlr.org/license.html
File Path: /home/fritz/.mountpoints/LocalData/Business/Tidalwave/Projects/WorkAreas/Tidalwave/tidalwave.bitbucket.io/repository/antlr/antlr/2.7.7/antlr-2.7.7.jar
MD5: f8f1352c52a4c6a500b597596501fc64
SHA1: 83cd2cd674a217ade95a4bb83a8a14f351f48bd0
SHA256:88fbda4b912596b9f56e8e12e580cc954bacfb51776ecfddd3e18fc1cf56dc4c
Referenced In Project/Scope:TheseFoolishThings :: Examples :: DCI :: Persistence JPA:compile

Identifiers

aspectjrt-1.9.6.jar

Description:

The runtime needed to execute a program using AspectJ

License:

Eclipse Public License - v 1.0: http://www.eclipse.org/legal/epl-v10.html
File Path: /home/fritz/.mountpoints/LocalData/Business/Tidalwave/Projects/WorkAreas/Tidalwave/tidalwave.bitbucket.io/repository/org/aspectj/aspectjrt/1.9.6/aspectjrt-1.9.6.jar
MD5: 391f9257f19b84b45eb79a1878b9600a
SHA1: 1651849d48659e5703adc2599e694bf67b8c3fc4
SHA256:20c785678cbb4ee045914daf83da25f98a16071177dfa0e3451326723dfb4705
Referenced In Project/Scope:TheseFoolishThings :: Examples :: DCI :: Persistence JPA:compile

Identifiers

byte-buddy-1.11.22.jar

Description:

        Byte Buddy is a Java library for creating Java classes at run time.
        This artifact is a build of Byte Buddy with all ASM dependencies repackaged into its own name space.
    

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/fritz/.mountpoints/LocalData/Business/Tidalwave/Projects/WorkAreas/Tidalwave/tidalwave.bitbucket.io/repository/net/bytebuddy/byte-buddy/1.11.22/byte-buddy-1.11.22.jar
MD5: a3f78063338fae42edff11c2d7503a76
SHA1: 8b4c7fa5562a09da1c2a9ab0873cb51f5034d83f
SHA256:d95656262ebce2fbff31b8c041af7170ad8a3cee843cec8f75cdb21f20b4bd96
Referenced In Project/Scope:TheseFoolishThings :: Examples :: DCI :: Persistence JPA:compile

Identifiers

byte-buddy-1.11.22.jar (shaded: net.bytebuddy:byte-buddy-dep:1.11.22)

Description:

        Byte Buddy is a Java library for creating Java classes at run time.
        This artifact is a build of Byte Buddy with a remaining dependency onto ASM.
        You should never depend on this module without repackaging Byte Buddy and ASM into your own namespace.
    

File Path: /home/fritz/.mountpoints/LocalData/Business/Tidalwave/Projects/WorkAreas/Tidalwave/tidalwave.bitbucket.io/repository/net/bytebuddy/byte-buddy/1.11.22/byte-buddy-1.11.22.jar/META-INF/maven/net.bytebuddy/byte-buddy-dep/pom.xml
MD5: 8855d3bb1ab593992da3a9a255b93031
SHA1: d278d77d994f02da86d5216f5b7e4663915645cf
SHA256:814bae0b13923f8fea2e78128b044c862e9c61b83bfa42f72c25b4d34b81f4e5
Referenced In Project/Scope:TheseFoolishThings :: Examples :: DCI :: Persistence JPA:compile

Identifiers

classmate-1.5.1.jar

Description:

Library for introspecting types with full generic information
        including resolving of field and method types.
    

License:

Apache License, Version 2.0: https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/fritz/.mountpoints/LocalData/Business/Tidalwave/Projects/WorkAreas/Tidalwave/tidalwave.bitbucket.io/repository/com/fasterxml/classmate/1.5.1/classmate-1.5.1.jar
MD5: e91fcd30ba329fd1b0b6dc5321fd067c
SHA1: 3fe0bed568c62df5e89f4f174c101eab25345b6c
SHA256:aab4de3006808c09d25dd4ff4a3611cfb63c95463cfd99e73d2e1680d229a33b
Referenced In Project/Scope:TheseFoolishThings :: Examples :: DCI :: Persistence JPA:compile

Identifiers

h2-2.1.214.jar

Description:

H2 Database Engine

License:

MPL 2.0: https://www.mozilla.org/en-US/MPL/2.0/
EPL 1.0: https://opensource.org/licenses/eclipse-1.0.php
File Path: /home/fritz/.mountpoints/LocalData/Business/Tidalwave/Projects/WorkAreas/Tidalwave/tidalwave.bitbucket.io/repository/com/h2database/h2/2.1.214/h2-2.1.214.jar
MD5: 93628fb706e682dd989f697394039025
SHA1: d5c2005c9e3279201e12d4776c948578b16bf8b2
SHA256:d623cdc0f61d218cf549a8d09f1c391ff91096116b22e2475475fce4fbe72bd0
Referenced In Project/Scope:TheseFoolishThings :: Examples :: DCI :: Persistence JPA:compile

Identifiers

CVE-2022-45868  

The web-based admin console in H2 Database Engine through 2.1.214 can be started via the CLI with the argument -webAdminPassword, which allows the user to specify the password in cleartext for the web admin console. Consequently, a local user (or an attacker that has obtained local access through some means) would be able to discover the password by listing processes and their arguments. NOTE: the vendor states "This is not a vulnerability of H2 Console ... Passwords should never be passed on the command line and every qualified DBA or system administrator is expected to know that."
CWE-312 Cleartext Storage of Sensitive Information

CVSSv3:
  • Base Score: HIGH (7.8)
  • Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions:

h2-2.1.214.jar: data.zip: table.js

File Path: /home/fritz/.mountpoints/LocalData/Business/Tidalwave/Projects/WorkAreas/Tidalwave/tidalwave.bitbucket.io/repository/com/h2database/h2/2.1.214/h2-2.1.214.jar/org/h2/util/data.zip/org/h2/server/web/res/table.js
MD5: 1c37e9e03787c821410ce684efa8feb7
SHA1: 3377bc4afb4fa0aeaa4fff9098ebb4446fa5be99
SHA256:07e1b3fc6feb8a8713b6659fc047cd9177d85b22f4bb0fa857be1c81786db701
Referenced In Project/Scope:TheseFoolishThings :: Examples :: DCI :: Persistence JPA:compile

Identifiers

  • None

h2-2.1.214.jar: data.zip: tree.js

File Path: /home/fritz/.mountpoints/LocalData/Business/Tidalwave/Projects/WorkAreas/Tidalwave/tidalwave.bitbucket.io/repository/com/h2database/h2/2.1.214/h2-2.1.214.jar/org/h2/util/data.zip/org/h2/server/web/res/tree.js
MD5: 4303428a5a49c1ae6c87a5dde9b4c9c3
SHA1: 9bca06117ddee5657dbe89eea197372128fe56e9
SHA256:1d5c4ba3b1a5dfcfe250fba716b55a9a7d0ffe624fc480713ff782c4d671836f
Referenced In Project/Scope:TheseFoolishThings :: Examples :: DCI :: Persistence JPA:compile

Identifiers

  • None

hibernate-commons-annotations-5.1.2.Final.jar

Description:

Common reflection code used in support of annotation processing

License:

GNU Library General Public License v2.1 or later: http://www.opensource.org/licenses/LGPL-2.1
File Path: /home/fritz/.mountpoints/LocalData/Business/Tidalwave/Projects/WorkAreas/Tidalwave/tidalwave.bitbucket.io/repository/org/hibernate/common/hibernate-commons-annotations/5.1.2.Final/hibernate-commons-annotations-5.1.2.Final.jar
MD5: 2a2490b3eb8e7585a6a899d27d7ed43f
SHA1: e59ffdbc6ad09eeb33507b39ffcf287679a498c8
SHA256:1c7ce712b2679fea0a5441eb02a04144297125b768944819be0765befb996275
Referenced In Project/Scope:TheseFoolishThings :: Examples :: DCI :: Persistence JPA:compile

Identifiers

hibernate-core-5.6.3.Final.jar

Description:

Hibernate's core ORM functionality

License:

GNU Library General Public License v2.1 or later: https://www.opensource.org/licenses/LGPL-2.1
File Path: /home/fritz/.mountpoints/LocalData/Business/Tidalwave/Projects/WorkAreas/Tidalwave/tidalwave.bitbucket.io/repository/org/hibernate/hibernate-core/5.6.3.Final/hibernate-core-5.6.3.Final.jar
MD5: 7f938eeda4bf347377081bb556c0632f
SHA1: a2420e0a2c9c168c029584aecf6a5b9a2475cd10
SHA256:e535a9df6892d3fe5abf696490b3b0781e9fa2c0c9d0d1f9b8c88ad38d2000c5
Referenced In Project/Scope:TheseFoolishThings :: Examples :: DCI :: Persistence JPA:compile

Identifiers

istack-commons-runtime-3.0.12.jar

Description:

istack common utility code

License:

http://www.eclipse.org/org/documents/edl-v10.php
File Path: /home/fritz/.mountpoints/LocalData/Business/Tidalwave/Projects/WorkAreas/Tidalwave/tidalwave.bitbucket.io/repository/com/sun/istack/istack-commons-runtime/3.0.12/istack-commons-runtime-3.0.12.jar
MD5: 1952bd76321f8580cfaa57e332a68287
SHA1: cbbe1a62b0cc6c85972e99d52aaee350153dc530
SHA256:27d85fc134c9271d5c79d3300fc4669668f017e72409727c428f54f2417f04cd
Referenced In Project/Scope:TheseFoolishThings :: Examples :: DCI :: Persistence JPA:compile

Identifiers

it-tidalwave-role-3.2-ALPHA-16.jar

Description:

        Roles are a powerful way for designing complex behaviours while keeping good practices such as Single Responsibility, Dependency Inversion and
        Interface Segregation.
    

File Path: /home/fritz/.mountpoints/LocalData/Business/Tidalwave/Projects/WorkAreas/Tidalwave/tidalwave.bitbucket.io/repository/it/tidalwave/thesefoolishthings/it-tidalwave-role/3.2-ALPHA-16/it-tidalwave-role-3.2-ALPHA-16.jar
MD5: 4a2ebe447a334c40c742a7d55bb358da
SHA1: c7b3fe358ecf5b510eeb0c932b971e7cfdc80c72
SHA256:38fc0404cbe8bee69294af8f94e953031c7ecf2c3120d7ccce94f7cecf4a8613
Referenced In Project/Scope:TheseFoolishThings :: Examples :: DCI :: Persistence JPA:compile

Identifiers

it-tidalwave-role-spring-3.2-ALPHA-16.jar

Description:

        Specific Spring support for DCI roles.
    

File Path: /home/fritz/.mountpoints/LocalData/Business/Tidalwave/Projects/WorkAreas/Tidalwave/tidalwave.bitbucket.io/repository/it/tidalwave/thesefoolishthings/it-tidalwave-role-spring/3.2-ALPHA-16/it-tidalwave-role-spring-3.2-ALPHA-16.jar
MD5: 92564119a8d4715b6d325af94b7017cd
SHA1: 4c93726223410031e1812d144dda8caa97ada783
SHA256:f92befb2a586057c67255a5e1acd1c38b69f63837d022fdce8eea2149011af78
Referenced In Project/Scope:TheseFoolishThings :: Examples :: DCI :: Persistence JPA:compile

Identifiers

it-tidalwave-thesefoolishthings-examples-data-3.2-ALPHA-16.jar

Description:

        This module provides sample data structures used by other examples.
    

File Path: /home/fritz/.mountpoints/LocalData/Business/Tidalwave/Projects/WorkAreas/Tidalwave/tidalwave.bitbucket.io/repository/it/tidalwave/thesefoolishthings/it-tidalwave-thesefoolishthings-examples-data/3.2-ALPHA-16/it-tidalwave-thesefoolishthings-examples-data-3.2-ALPHA-16.jar
MD5: 1875524e274435c58d988703e40ab02d
SHA1: 09f858495de082a83ed07aabde440c70db76ffd2
SHA256:dd7c10cdd2bcbde80d5b67d16beb5f94378985ec8126923a045d71c7ced3daea
Referenced In Project/Scope:TheseFoolishThings :: Examples :: DCI :: Persistence JPA:compile

Identifiers

it-tidalwave-util-3.2-ALPHA-16.jar

Description:

        A collection of common utilities.
    

File Path: /home/fritz/.mountpoints/LocalData/Business/Tidalwave/Projects/WorkAreas/Tidalwave/tidalwave.bitbucket.io/repository/it/tidalwave/thesefoolishthings/it-tidalwave-util/3.2-ALPHA-16/it-tidalwave-util-3.2-ALPHA-16.jar
MD5: 58ce84ca8d3c7f4f134aae9ef8c6257d
SHA1: b77607c76abc700ac06f70116db5f10b2b1ab529
SHA256:1edfee48a50192338291035990c6a20d290c53d9322b9a16760107609eb7fab7
Referenced In Project/Scope:TheseFoolishThings :: Examples :: DCI :: Persistence JPA:compile

Identifiers

it-tidalwave-util-test-3.2-ALPHA-16.jar

Description:

        Miscellaneous utilities for testing.
    

File Path: /home/fritz/.mountpoints/LocalData/Business/Tidalwave/Projects/WorkAreas/Tidalwave/tidalwave.bitbucket.io/repository/it/tidalwave/thesefoolishthings/it-tidalwave-util-test/3.2-ALPHA-16/it-tidalwave-util-test-3.2-ALPHA-16.jar
MD5: 8983299b10a9abc5e1e67afc47987403
SHA1: 215c8723ee6322644ce0791246fe6a3676221145
SHA256:9ed9784f1c4044a11dc7a6ca023ae0572bdc8c4fdf53765d4d76d51e40d61f72
Referenced In Project/Scope:TheseFoolishThings :: Examples :: DCI :: Persistence JPA:compile

Identifiers

jakarta.activation-1.2.2.jar

Description:

Jakarta Activation

License:

http://www.eclipse.org/org/documents/edl-v10.php
File Path: /home/fritz/.mountpoints/LocalData/Business/Tidalwave/Projects/WorkAreas/Tidalwave/tidalwave.bitbucket.io/repository/com/sun/activation/jakarta.activation/1.2.2/jakarta.activation-1.2.2.jar
MD5: 0b8bee3bf29b9a015f8b992035581a7c
SHA1: 74548703f9851017ce2f556066659438019e7eb5
SHA256:02156773e4ae9d048d14a56ad35d644bee9f1052a791d072df3ded3c656e6e1a
Referenced In Project/Scope:TheseFoolishThings :: Examples :: DCI :: Persistence JPA:runtime

Identifiers

jakarta.annotation-api-1.3.5.jar

Description:

Jakarta Annotations API

License:

EPL 2.0: http://www.eclipse.org/legal/epl-2.0
GPL2 w/ CPE: https://www.gnu.org/software/classpath/license.html
File Path: /home/fritz/.mountpoints/LocalData/Business/Tidalwave/Projects/WorkAreas/Tidalwave/tidalwave.bitbucket.io/repository/jakarta/annotation/jakarta.annotation-api/1.3.5/jakarta.annotation-api-1.3.5.jar
MD5: 8b165cf58df5f8c2a222f637c0a07c97
SHA1: 59eb84ee0d616332ff44aba065f3888cf002cd2d
SHA256:85fb03fc054cdf4efca8efd9b6712bbb418e1ab98241c4539c8585bbc23e1b8a
Referenced In Project/Scope:TheseFoolishThings :: Examples :: DCI :: Persistence JPA:compile

Identifiers

jakarta.persistence-api-2.2.3.jar

Description:

Jakarta Persistence 2.2 API jar

License:

Eclipse Public License v. 2.0: http://www.eclipse.org/legal/epl-2.0
Eclipse Distribution License v. 1.0: http://www.eclipse.org/org/documents/edl-v10.php
File Path: /home/fritz/.mountpoints/LocalData/Business/Tidalwave/Projects/WorkAreas/Tidalwave/tidalwave.bitbucket.io/repository/jakarta/persistence/jakarta.persistence-api/2.2.3/jakarta.persistence-api-2.2.3.jar
MD5: e0a655f398f8e68e0afebb0f71fba4e5
SHA1: 8f6ea5daedc614f07a3654a455660145286f024e
SHA256:0c2d73ab36ad24eeed6e0bea928e9d0ef771de8df689e23b7754d366dda27c53
Referenced In Project/Scope:TheseFoolishThings :: Examples :: DCI :: Persistence JPA:compile

Identifiers

jakarta.transaction-api-1.3.3.jar

Description:

Jakarta Transactions

License:

EPL 2.0: http://www.eclipse.org/legal/epl-2.0
GPL2 w/ CPE: https://www.gnu.org/software/classpath/license.html
File Path: /home/fritz/.mountpoints/LocalData/Business/Tidalwave/Projects/WorkAreas/Tidalwave/tidalwave.bitbucket.io/repository/jakarta/transaction/jakarta.transaction-api/1.3.3/jakarta.transaction-api-1.3.3.jar
MD5: cc45726045cc9a0728f803f9db4c90c4
SHA1: c4179d48720a1e87202115fbed6089bdc4195405
SHA256:0b02a194dd04ee2e192dc9da9579e10955dd6e8ac707adfc91d92f119b0e67ab
Referenced In Project/Scope:TheseFoolishThings :: Examples :: DCI :: Persistence JPA:compile

Identifiers

jakarta.xml.bind-api-2.3.3.jar

Description:

Jakarta XML Binding API 2.3 Design Specification

License:

http://www.eclipse.org/org/documents/edl-v10.php
File Path: /home/fritz/.mountpoints/LocalData/Business/Tidalwave/Projects/WorkAreas/Tidalwave/tidalwave.bitbucket.io/repository/jakarta/xml/bind/jakarta.xml.bind-api/2.3.3/jakarta.xml.bind-api-2.3.3.jar
MD5: 61286918ca0192e9f87d1358aef718dd
SHA1: 48e3b9cfc10752fba3521d6511f4165bea951801
SHA256:c04539f472e9a6dd0c7685ea82d677282269ab8e7baca2e14500e381e0c6cec5
Referenced In Project/Scope:TheseFoolishThings :: Examples :: DCI :: Persistence JPA:compile

Identifiers

jandex-2.2.3.Final.jar

Description:

Parent POM for JBoss projects. Provides default project build configuration.

License:

Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/fritz/.mountpoints/LocalData/Business/Tidalwave/Projects/WorkAreas/Tidalwave/tidalwave.bitbucket.io/repository/org/jboss/jandex/2.2.3.Final/jandex-2.2.3.Final.jar
MD5: 721b5868cfbb718dd97facc96929dde8
SHA1: d3865101f0666b63586683bd811d754517f331ab
SHA256:0544d55ec0cb378fd8f3b20e66277f893f3094cb67e71a1ec0cce6ce150f83b3
Referenced In Project/Scope:TheseFoolishThings :: Examples :: DCI :: Persistence JPA:compile

Identifiers

java-diff-utils-4.9.jar

Description:

The DiffUtils library for computing diffs, applying patches, generationg side-by-side view in Java.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/fritz/.mountpoints/LocalData/Business/Tidalwave/Projects/WorkAreas/Tidalwave/tidalwave.bitbucket.io/repository/io/github/java-diff-utils/java-diff-utils/4.9/java-diff-utils-4.9.jar
MD5: 6a4c9c3c4f2a61ff97b38c9f7bac91fa
SHA1: 3ec791c5aa74a72fb499ae8d9547abe27b637b0f
SHA256:2dcf8710d0a453d8fa56c6d76bc4f16f86ec5de8eb7155f17ebff595c0c64aa0
Referenced In Project/Scope:TheseFoolishThings :: Examples :: DCI :: Persistence JPA:compile

Identifiers

CVE-2021-4277  

A vulnerability, which was classified as problematic, has been found in fredsmith utils. This issue affects some unknown processing of the file screenshot_sync of the component Filename Handler. The manipulation leads to predictable from observable state. The name of the patch is dbab1b66955eeb3d76b34612b358307f5c4e3944. It is recommended to apply a patch to fix this issue. The identifier VDB-216749 was assigned to this vulnerability.
CWE-330 Use of Insufficiently Random Values

CVSSv3:
  • Base Score: MEDIUM (5.3)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

References:

Vulnerable Software & Versions:

javax.annotation-api-1.3.2.jar

Description:

Common Annotations for the JavaTM Platform API

License:

CDDL + GPLv2 with classpath exception: https://github.com/javaee/javax.annotation/blob/master/LICENSE
File Path: /home/fritz/.mountpoints/LocalData/Business/Tidalwave/Projects/WorkAreas/Tidalwave/tidalwave.bitbucket.io/repository/javax/annotation/javax.annotation-api/1.3.2/javax.annotation-api-1.3.2.jar
MD5: 2ab1973eefffaa2aeec47d50b9e40b9d
SHA1: 934c04d3cfef185a8008e7bf34331b79730a9d43
SHA256:e04ba5195bcd555dc95650f7cc614d151e4bcd52d29a10b8aa2197f3ab89ab9b
Referenced In Project/Scope:TheseFoolishThings :: Examples :: DCI :: Persistence JPA:compile

Identifiers

javax.inject-1.jar

Description:

The javax.inject API

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/fritz/.mountpoints/LocalData/Business/Tidalwave/Projects/WorkAreas/Tidalwave/tidalwave.bitbucket.io/repository/javax/inject/javax.inject/1/javax.inject-1.jar
MD5: 289075e48b909e9e74e6c915b3631d2e
SHA1: 6975da39a7040257bd51d21a231b76c915872d38
SHA256:91c77044a50c481636c32d916fd89c9118a72195390452c81065080f957de7ff
Referenced In Project/Scope:TheseFoolishThings :: Examples :: DCI :: Persistence JPA:compile

Identifiers

jaxb-runtime-2.3.5.jar

Description:

JAXB (JSR 222) Reference Implementation

License:

http://www.eclipse.org/org/documents/edl-v10.php
File Path: /home/fritz/.mountpoints/LocalData/Business/Tidalwave/Projects/WorkAreas/Tidalwave/tidalwave.bitbucket.io/repository/org/glassfish/jaxb/jaxb-runtime/2.3.5/jaxb-runtime-2.3.5.jar
MD5: 2d3790292a30333a14b7fb1143864a9c
SHA1: a169a961a2bb9ac69517ec1005e451becf5cdfab
SHA256:4a25453756d08be89c6537cc26fea237677ab99eea857ce1bcb84346715cfae4
Referenced In Project/Scope:TheseFoolishThings :: Examples :: DCI :: Persistence JPA:compile

Identifiers

jboss-logging-3.4.2.Final.jar

Description:

The JBoss Logging Framework

License:

Apache License, version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/fritz/.mountpoints/LocalData/Business/Tidalwave/Projects/WorkAreas/Tidalwave/tidalwave.bitbucket.io/repository/org/jboss/logging/jboss-logging/3.4.2.Final/jboss-logging-3.4.2.Final.jar
MD5: b050c93a9bfbcd28546cec7511a82e9a
SHA1: e517b8a93dd9962ed5481345e4d262fdd47c4217
SHA256:804d824c9144561ef85a626e453b90a9ce81c103c3910851e057d79ed84c2e38
Referenced In Project/Scope:TheseFoolishThings :: Examples :: DCI :: Persistence JPA:compile

Identifiers

jcl-over-slf4j-1.7.30.jar

Description:

JCL 1.2 implemented over SLF4J

License:

Apache License, Version 2.0: https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/fritz/.mountpoints/LocalData/Business/Tidalwave/Projects/WorkAreas/Tidalwave/tidalwave.bitbucket.io/repository/org/slf4j/jcl-over-slf4j/1.7.30/jcl-over-slf4j-1.7.30.jar
MD5: 69ad224b2feb6f86554fe8997b9c3d4b
SHA1: cd92524ea19d27e5b94ecd251e1af729cffdfe15
SHA256:71e9ee37b9e4eb7802a2acc5f41728a4cf3915e7483d798db3b4ff2ec8847c50
Referenced In Project/Scope:TheseFoolishThings :: Examples :: DCI :: Persistence JPA:compile

Identifiers

CVE-2021-37533  

Prior to Apache Commons Net 3.9.0, Net's FTP client trusts the host from PASV response by default. A malicious server can redirect the Commons Net code to use a different host, but the user has to connect to the malicious server in the first place. This may lead to leakage of information about services running on the private network of the client. The default in version 3.9.0 is now false to ignore such hosts, as cURL does. See https://issues.apache.org/jira/browse/NET-711.
CWE-20 Improper Input Validation

CVSSv3:
  • Base Score: MEDIUM (6.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

References:

Vulnerable Software & Versions:

jsr305-3.0.2.jar

Description:

JSR305 Annotations for Findbugs

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/fritz/.mountpoints/LocalData/Business/Tidalwave/Projects/WorkAreas/Tidalwave/tidalwave.bitbucket.io/repository/com/google/code/findbugs/jsr305/3.0.2/jsr305-3.0.2.jar
MD5: dd83accb899363c32b07d7a1b2e4ce40
SHA1: 25ea2e8b0c338a877313bd4672d3fe056ea78f0d
SHA256:766ad2a0783f2687962c8ad74ceecc38a28b9f72a2d085ee438b7813e928d0c7
Referenced In Project/Scope:TheseFoolishThings :: Examples :: DCI :: Persistence JPA:compile

Identifiers

jul-to-slf4j-1.7.30.jar

Description:

JUL to SLF4J bridge

File Path: /home/fritz/.mountpoints/LocalData/Business/Tidalwave/Projects/WorkAreas/Tidalwave/tidalwave.bitbucket.io/repository/org/slf4j/jul-to-slf4j/1.7.30/jul-to-slf4j-1.7.30.jar
MD5: f2c78cb93d70dc5dea0c50f36ace09c1
SHA1: d58bebff8cbf70ff52b59208586095f467656c30
SHA256:bbcbfdaa72572255c4f85207a9bfdb24358dc993e41252331bd4d0913e4988b9
Referenced In Project/Scope:TheseFoolishThings :: Examples :: DCI :: Persistence JPA:compile

Identifiers

log4j-api-2.17.0.jar

Description:

The Apache Log4j API

License:

https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/fritz/.mountpoints/LocalData/Business/Tidalwave/Projects/WorkAreas/Tidalwave/tidalwave.bitbucket.io/repository/org/apache/logging/log4j/log4j-api/2.17.0/log4j-api-2.17.0.jar
MD5: 935fcbd8c8273c0a4f1652de53493050
SHA1: bbd791e9c8c9421e45337c4fe0a10851c086e36c
SHA256:ab9cadc80e234580e3f3c8c18644314fccd4b3cd3f7085d4e934866cb561b95d
Referenced In Project/Scope:TheseFoolishThings :: Examples :: DCI :: Persistence JPA:compile

Identifiers

CVE-2021-44832  

Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) are vulnerable to a remote code execution (RCE) attack when a configuration uses a JDBC Appender with a JNDI LDAP data source URI when an attacker has control of the target LDAP server. This issue is fixed by limiting JNDI data source names to the java protocol in Log4j2 versions 2.17.1, 2.12.4, and 2.3.2.
CWE-20 Improper Input Validation

CVSSv2:
  • Base Score: HIGH (8.5)
  • Vector: /AV:N/AC:M/Au:S/C:C/I:C/A:C
CVSSv3:
  • Base Score: MEDIUM (6.6)
  • Vector: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions: (show all)

logback-core-1.2.3.jar

Description:

logback-core module

License:

http://www.eclipse.org/legal/epl-v10.html, http://www.gnu.org/licenses/old-licenses/lgpl-2.1.html
File Path: /home/fritz/.mountpoints/LocalData/Business/Tidalwave/Projects/WorkAreas/Tidalwave/tidalwave.bitbucket.io/repository/ch/qos/logback/logback-core/1.2.3/logback-core-1.2.3.jar
MD5: 841fc80c6edff60d947a3872a2db4d45
SHA1: 864344400c3d4d92dfeb0a305dc87d953677c03c
SHA256:5946d837fe6f960c02a53eda7a6926ecc3c758bbdd69aa453ee429f858217f22
Referenced In Project/Scope:TheseFoolishThings :: Examples :: DCI :: Persistence JPA:runtime

Identifiers

CVE-2021-42550  

In logback version 1.2.7 and prior versions, an attacker with the required privileges to edit configurations files could craft a malicious configuration allowing to execute arbitrary code loaded from LDAP servers.
CWE-502 Deserialization of Untrusted Data

CVSSv2:
  • Base Score: HIGH (8.5)
  • Vector: /AV:N/AC:M/Au:S/C:C/I:C/A:C
CVSSv3:
  • Base Score: MEDIUM (6.6)
  • Vector: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions: (show all)

lombok-1.18.22.jar

Description:

Spice up your java: Automatic Resource Management, automatic generation of getters, setters, equals, hashCode and toString, and more!

License:

The MIT License: https://projectlombok.org/LICENSE
File Path: /home/fritz/.mountpoints/LocalData/Business/Tidalwave/Projects/WorkAreas/Tidalwave/tidalwave.bitbucket.io/repository/org/projectlombok/lombok/1.18.22/lombok-1.18.22.jar
MD5: 30905901647fe0ebb06fb20ee8a638bf
SHA1: 9c08ea24c6eb714e2d6170e8122c069a0ba9aacf
SHA256:ecef1581411d7a82cc04281667ee0bac5d7c0a5aae74cfc38430396c91c31831
Referenced In Project/Scope:TheseFoolishThings :: Examples :: DCI :: Persistence JPA:provided

Identifiers

slf4j-api-1.7.30.jar

Description:

The slf4j API

File Path: /home/fritz/.mountpoints/LocalData/Business/Tidalwave/Projects/WorkAreas/Tidalwave/tidalwave.bitbucket.io/repository/org/slf4j/slf4j-api/1.7.30/slf4j-api-1.7.30.jar
MD5: f8be00da99bc4ab64c79ab1e2be7cb7c
SHA1: b5a4b6d16ab13e34a88fae84c35cd5d68cac922c
SHA256:cdba07964d1bb40a0761485c6b1e8c2f8fd9eb1d19c53928ac0d7f9510105c57
Referenced In Project/Scope:TheseFoolishThings :: Examples :: DCI :: Persistence JPA:compile

Identifiers

snakeyaml-1.29.jar

Description:

YAML 1.1 parser and emitter for Java

License:

Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/fritz/.mountpoints/LocalData/Business/Tidalwave/Projects/WorkAreas/Tidalwave/tidalwave.bitbucket.io/repository/org/yaml/snakeyaml/1.29/snakeyaml-1.29.jar
MD5: 5bdf841bc5abda0507fa5ce91c44cc86
SHA1: 6d0cdafb2010f1297e574656551d7145240f6e25
SHA256:89c5f029811b08c878f0b81dbb05e9626624c1fda4087a26871101e499a217ab
Referenced In Project/Scope:TheseFoolishThings :: Examples :: DCI :: Persistence JPA:compile

Identifiers

CVE-2021-4235  

Due to unbounded alias chasing, a maliciously crafted YAML file can cause the system to consume significant system resources. If parsing user input, this may be used as a denial of service vector.
NVD-CWE-noinfo

CVSSv3:
  • Base Score: MEDIUM (5.5)
  • Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

References:

Vulnerable Software & Versions:

CVE-2022-1471 (OSSINDEX)  

SnakeYaml's Constructor() class does not restrict types which can be instantiated during deserialization. Deserializing yaml content provided by an attacker can lead to remote code execution. We recommend using SnakeYaml's SafeConsturctor when parsing untrusted content to restrict deserialization.
CWE-502 Deserialization of Untrusted Data

CVSSv2:
  • Base Score: HIGH (9.8)
  • Vector: /AV:N/AC:L/Au:/C:H/I:H/A:H

References:

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:org.yaml:snakeyaml:1.29:*:*:*:*:*:*:*

CVE-2022-25857  

The package org.yaml:snakeyaml from 0 and before 1.31 are vulnerable to Denial of Service (DoS) due missing to nested depth limitation for collections.
CWE-400 Uncontrolled Resource Consumption ('Resource Exhaustion')

CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References:

Vulnerable Software & Versions:

CVE-2022-3064  

Parsing malicious or large YAML documents can consume excessive amounts of CPU or memory.
CWE-400 Uncontrolled Resource Consumption ('Resource Exhaustion')

CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References:

Vulnerable Software & Versions:

CVE-2022-38749  

Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow.
CWE-787 Out-of-bounds Write

CVSSv3:
  • Base Score: MEDIUM (6.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

References:

Vulnerable Software & Versions:

CVE-2022-38750  

Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow.
CWE-787 Out-of-bounds Write

CVSSv3:
  • Base Score: MEDIUM (5.5)
  • Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

References:

Vulnerable Software & Versions:

CVE-2022-38751  

Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow.
CWE-787 Out-of-bounds Write

CVSSv3:
  • Base Score: MEDIUM (6.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

References:

Vulnerable Software & Versions:

CVE-2022-38752  

Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stack-overflow.
CWE-787 Out-of-bounds Write

CVSSv3:
  • Base Score: MEDIUM (6.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

References:

Vulnerable Software & Versions:

CVE-2022-41854  

Those using Snakeyaml to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stack overflow. This effect may support a denial of service attack.
CWE-787 Out-of-bounds Write

CVSSv3:
  • Base Score: MEDIUM (6.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

References:

Vulnerable Software & Versions:

spotbugs-annotations-3.1.9.jar

Description:

Annotations the SpotBugs tool supports

License:

GNU LESSER GENERAL PUBLIC LICENSE, Version 2.1: https://www.gnu.org/licenses/old-licenses/lgpl-2.1.en.html
File Path: /home/fritz/.mountpoints/LocalData/Business/Tidalwave/Projects/WorkAreas/Tidalwave/tidalwave.bitbucket.io/repository/com/github/spotbugs/spotbugs-annotations/3.1.9/spotbugs-annotations-3.1.9.jar
MD5: 56a1a81d69b6a111161bbce0e6dea26a
SHA1: 2ef5127efcc1a899aab8c66d449a631c9a99c469
SHA256:68c7c46b4299e94837e236ae742f399901a950fe910fe3ca710026753b5dd2e1
Referenced In Project/Scope:TheseFoolishThings :: Examples :: DCI :: Persistence JPA:compile

Identifiers

spring-boot-2.6.2.jar

Description:

Spring Boot

License:

Apache License, Version 2.0: https://www.apache.org/licenses/LICENSE-2.0
File Path: /home/fritz/.mountpoints/LocalData/Business/Tidalwave/Projects/WorkAreas/Tidalwave/tidalwave.bitbucket.io/repository/org/springframework/boot/spring-boot/2.6.2/spring-boot-2.6.2.jar
MD5: fb8e372b32de62fcb54e31bad9272b43
SHA1: bbf59f411320da665411692359ff511315d0ff91
SHA256:7e3071eb3f944ae041beff9dcfec3b8b4792c39a4c54868fb874d2e91cfd21f9
Referenced In Project/Scope:TheseFoolishThings :: Examples :: DCI :: Persistence JPA:compile

Identifiers

CVE-2013-4152  

The Spring OXM wrapper in Spring Framework before 3.2.4 and 4.0.0.M1, when using the JAXB marshaller, does not disable entity resolution, which allows context-dependent attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via an XML external entity declaration in conjunction with an entity reference in a (1) DOMSource, (2) StAXSource, (3) SAXSource, or (4) StreamSource, aka an XML External Entity (XXE) issue.
CWE-264 Permissions, Privileges, and Access Controls

CVSSv2:
  • Base Score: MEDIUM (6.8)
  • Vector: /AV:N/AC:M/Au:N/C:P/I:P/A:P

References:

Vulnerable Software & Versions: (show all)

CVE-2013-7315  

The Spring MVC in Spring Framework before 3.2.4 and 4.0.0.M1 through 4.0.0.M2 does not disable external entity resolution for the StAX XMLInputFactory, which allows context-dependent attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML with JAXB, aka an XML External Entity (XXE) issue, and a different vulnerability than CVE-2013-4152.  NOTE: this issue was SPLIT from CVE-2013-4152 due to different affected versions.
CWE-264 Permissions, Privileges, and Access Controls

CVSSv2:
  • Base Score: MEDIUM (6.8)
  • Vector: /AV:N/AC:M/Au:N/C:P/I:P/A:P

References:

Vulnerable Software & Versions: (show all)

CVE-2014-0054  

The Jaxb2RootElementHttpMessageConverter in Spring MVC in Spring Framework before 3.2.8 and 4.0.0 before 4.0.2 does not disable external entity resolution, which allows remote attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML, aka an XML External Entity (XXE) issue.  NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-4152, CVE-2013-7315, and CVE-2013-6429.
CWE-352 Cross-Site Request Forgery (CSRF)

CVSSv2:
  • Base Score: MEDIUM (6.8)
  • Vector: /AV:N/AC:M/Au:N/C:P/I:P/A:P

References:

Vulnerable Software & Versions: (show all)

CVE-2016-1000027  

Pivotal Spring Framework through 5.3.16 suffers from a potential remote code execution (RCE) issue if used for Java deserialization of untrusted data. Depending on how the library is implemented within a product, this issue may or not occur, and authentication may be required. NOTE: the vendor's position is that untrusted data is not an intended use case. The product's behavior will not be changed because some users rely on deserialization of trusted data.
CWE-502 Deserialization of Untrusted Data

CVSSv2:
  • Base Score: HIGH (7.5)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions:

CVE-2018-11039  

Spring Framework (versions 5.0.x prior to 5.0.7, versions 4.3.x prior to 4.3.18, and older unsupported versions) allow web applications to change the HTTP request method to any HTTP method (including TRACE) using the HiddenHttpMethodFilter in Spring MVC. If an application has a pre-existing XSS vulnerability, a malicious user (or attacker) can use this filter to escalate to an XST (Cross Site Tracing) attack.
NVD-CWE-noinfo

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:P/I:N/A:N
CVSSv3:
  • Base Score: MEDIUM (5.9)
  • Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

References:

Vulnerable Software & Versions: (show all)

CVE-2018-11040  

Spring Framework, versions 5.0.x prior to 5.0.7 and 4.3.x prior to 4.3.18 and older unsupported versions, allows web applications to enable cross-domain requests via JSONP (JSON with Padding) through AbstractJsonpResponseBodyAdvice for REST controllers and MappingJackson2JsonView for browser requests. Both are not enabled by default in Spring Framework nor Spring Boot, however, when MappingJackson2JsonView is configured in an application, JSONP support is automatically ready to use through the "jsonp" and "callback" JSONP parameters, enabling cross-domain requests.
CWE-829 Inclusion of Functionality from Untrusted Control Sphere

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:P/I:N/A:N
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

References:

Vulnerable Software & Versions: (show all)

CVE-2018-1257  

Spring Framework, versions 5.0.x prior to 5.0.6, versions 4.3.x prior to 4.3.17, and older unsupported versions allows applications to expose STOMP over WebSocket endpoints with a simple, in-memory STOMP broker through the spring-messaging module. A malicious user (or attacker) can craft a message to the broker that can lead to a regular expression, denial of service attack.
NVD-CWE-noinfo

CVSSv2:
  • Base Score: MEDIUM (4.0)
  • Vector: /AV:N/AC:L/Au:S/C:N/I:N/A:P
CVSSv3:
  • Base Score: MEDIUM (6.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

References:

Vulnerable Software & Versions: (show all)

CVE-2020-5421  

In Spring Framework versions 5.2.0 - 5.2.8, 5.1.0 - 5.1.17, 5.0.0 - 5.0.18, 4.3.0 - 4.3.28, and older unsupported versions, the protections against RFD attacks from CVE-2015-5211 may be bypassed depending on the browser used through the use of a jsessionid path parameter.
NVD-CWE-noinfo

CVSSv2:
  • Base Score: LOW (3.6)
  • Vector: /AV:N/AC:H/Au:S/C:P/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (6.5)
  • Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:H/A:N

References:

Vulnerable Software & Versions: (show all)

CVE-2022-22950  

n Spring Framework versions 5.3.0 - 5.3.16 and older unsupported versions, it is possible for a user to provide a specially crafted SpEL expression that may cause a denial of service condition.
CWE-770 Allocation of Resources Without Limits or Throttling

CVSSv2:
  • Base Score: MEDIUM (4.0)
  • Vector: /AV:N/AC:L/Au:S/C:N/I:N/A:P
CVSSv3:
  • Base Score: MEDIUM (6.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

References:

Vulnerable Software & Versions: (show all)

CVE-2022-22965  

A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it.
CWE-94 Improper Control of Generation of Code ('Code Injection')

CVSSv2:
  • Base Score: HIGH (7.5)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions: (show all)

CVE-2022-22968  

In Spring Framework versions 5.3.0 - 5.3.18, 5.2.0 - 5.2.20, and older unsupported versions, the patterns for disallowedFields on a DataBinder are case sensitive which means a field is not effectively protected unless it is listed with both upper and lower case for the first character of the field, including upper and lower case for the first character of all nested fields within the property path.
CWE-178 Improper Handling of Case Sensitivity

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (5.3)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

References:

Vulnerable Software & Versions: (show all)

CVE-2022-22970  

In spring framework versions prior to 5.3.20+ , 5.2.22+ and old unsupported versions, applications that handle file uploads are vulnerable to DoS attack if they rely on data binding to set a MultipartFile or javax.servlet.Part to a field in a model object.
CWE-770 Allocation of Resources Without Limits or Throttling

CVSSv2:
  • Base Score: LOW (3.5)
  • Vector: /AV:N/AC:M/Au:S/C:N/I:N/A:P
CVSSv3:
  • Base Score: MEDIUM (5.3)
  • Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H

References:

Vulnerable Software & Versions: (show all)

spring-core-5.3.14.jar

Description:

Spring Core

License:

Apache License, Version 2.0: https://www.apache.org/licenses/LICENSE-2.0
File Path: /home/fritz/.mountpoints/LocalData/Business/Tidalwave/Projects/WorkAreas/Tidalwave/tidalwave.bitbucket.io/repository/org/springframework/spring-core/5.3.14/spring-core-5.3.14.jar
MD5: b9d1f2454c4b7d94c058026d272dfc3c
SHA1: d87ad19f9d8b9a3f1a143db5a2be34c61751aaa2
SHA256:00ffcfb2671e0c8cab33f75939c97e04127fcfd2e0670032c59b6f48d791b772
Referenced In Project/Scope:TheseFoolishThings :: Examples :: DCI :: Persistence JPA:compile

Identifiers

CVE-2016-1000027  

Pivotal Spring Framework through 5.3.16 suffers from a potential remote code execution (RCE) issue if used for Java deserialization of untrusted data. Depending on how the library is implemented within a product, this issue may or not occur, and authentication may be required. NOTE: the vendor's position is that untrusted data is not an intended use case. The product's behavior will not be changed because some users rely on deserialization of trusted data.
CWE-502 Deserialization of Untrusted Data

CVSSv2:
  • Base Score: HIGH (7.5)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions:

CVE-2022-22950  

n Spring Framework versions 5.3.0 - 5.3.16 and older unsupported versions, it is possible for a user to provide a specially crafted SpEL expression that may cause a denial of service condition.
CWE-770 Allocation of Resources Without Limits or Throttling

CVSSv2:
  • Base Score: MEDIUM (4.0)
  • Vector: /AV:N/AC:L/Au:S/C:N/I:N/A:P
CVSSv3:
  • Base Score: MEDIUM (6.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

References:

Vulnerable Software & Versions: (show all)

CVE-2022-22965  

A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it.
CWE-94 Improper Control of Generation of Code ('Code Injection')

CVSSv2:
  • Base Score: HIGH (7.5)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions: (show all)

CVE-2022-22968  

In Spring Framework versions 5.3.0 - 5.3.18, 5.2.0 - 5.2.20, and older unsupported versions, the patterns for disallowedFields on a DataBinder are case sensitive which means a field is not effectively protected unless it is listed with both upper and lower case for the first character of the field, including upper and lower case for the first character of all nested fields within the property path.
CWE-178 Improper Handling of Case Sensitivity

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (5.3)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

References:

Vulnerable Software & Versions: (show all)

CVE-2022-22970  

In spring framework versions prior to 5.3.20+ , 5.2.22+ and old unsupported versions, applications that handle file uploads are vulnerable to DoS attack if they rely on data binding to set a MultipartFile or javax.servlet.Part to a field in a model object.
CWE-770 Allocation of Resources Without Limits or Throttling

CVSSv2:
  • Base Score: LOW (3.5)
  • Vector: /AV:N/AC:M/Au:S/C:N/I:N/A:P
CVSSv3:
  • Base Score: MEDIUM (5.3)
  • Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H

References:

Vulnerable Software & Versions: (show all)

CVE-2022-22971  

In spring framework versions prior to 5.3.20+ , 5.2.22+ and old unsupported versions, application with a STOMP over WebSocket endpoint is vulnerable to a denial of service attack by an authenticated user.
CWE-770 Allocation of Resources Without Limits or Throttling

CVSSv2:
  • Base Score: MEDIUM (4.0)
  • Vector: /AV:N/AC:L/Au:S/C:N/I:N/A:P
CVSSv3:
  • Base Score: MEDIUM (6.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

References:

Vulnerable Software & Versions: (show all)

spring-data-commons-2.6.0.jar

File Path: /home/fritz/.mountpoints/LocalData/Business/Tidalwave/Projects/WorkAreas/Tidalwave/tidalwave.bitbucket.io/repository/org/springframework/data/spring-data-commons/2.6.0/spring-data-commons-2.6.0.jar
MD5: bcf27a3e9c58cf484184ae6dda921b55
SHA1: 5a9afaa6e0a4cd74183a794f467c9b4a546b4cbe
SHA256:2d784e87491b762789a7d77969e61603902e77033d9b526d8898ebc84fe8f0a1
Referenced In Project/Scope:TheseFoolishThings :: Examples :: DCI :: Persistence JPA:compile

Identifiers

CVE-2013-4152  

The Spring OXM wrapper in Spring Framework before 3.2.4 and 4.0.0.M1, when using the JAXB marshaller, does not disable entity resolution, which allows context-dependent attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via an XML external entity declaration in conjunction with an entity reference in a (1) DOMSource, (2) StAXSource, (3) SAXSource, or (4) StreamSource, aka an XML External Entity (XXE) issue.
CWE-264 Permissions, Privileges, and Access Controls

CVSSv2:
  • Base Score: MEDIUM (6.8)
  • Vector: /AV:N/AC:M/Au:N/C:P/I:P/A:P

References:

Vulnerable Software & Versions: (show all)

CVE-2013-7315  

The Spring MVC in Spring Framework before 3.2.4 and 4.0.0.M1 through 4.0.0.M2 does not disable external entity resolution for the StAX XMLInputFactory, which allows context-dependent attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML with JAXB, aka an XML External Entity (XXE) issue, and a different vulnerability than CVE-2013-4152.  NOTE: this issue was SPLIT from CVE-2013-4152 due to different affected versions.
CWE-264 Permissions, Privileges, and Access Controls

CVSSv2:
  • Base Score: MEDIUM (6.8)
  • Vector: /AV:N/AC:M/Au:N/C:P/I:P/A:P

References:

Vulnerable Software & Versions: (show all)

CVE-2014-0054  

The Jaxb2RootElementHttpMessageConverter in Spring MVC in Spring Framework before 3.2.8 and 4.0.0 before 4.0.2 does not disable external entity resolution, which allows remote attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML, aka an XML External Entity (XXE) issue.  NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-4152, CVE-2013-7315, and CVE-2013-6429.
CWE-352 Cross-Site Request Forgery (CSRF)

CVSSv2:
  • Base Score: MEDIUM (6.8)
  • Vector: /AV:N/AC:M/Au:N/C:P/I:P/A:P

References:

Vulnerable Software & Versions: (show all)

CVE-2016-1000027  

Pivotal Spring Framework through 5.3.16 suffers from a potential remote code execution (RCE) issue if used for Java deserialization of untrusted data. Depending on how the library is implemented within a product, this issue may or not occur, and authentication may be required. NOTE: the vendor's position is that untrusted data is not an intended use case. The product's behavior will not be changed because some users rely on deserialization of trusted data.
CWE-502 Deserialization of Untrusted Data

CVSSv2:
  • Base Score: HIGH (7.5)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions:

CVE-2018-11039  

Spring Framework (versions 5.0.x prior to 5.0.7, versions 4.3.x prior to 4.3.18, and older unsupported versions) allow web applications to change the HTTP request method to any HTTP method (including TRACE) using the HiddenHttpMethodFilter in Spring MVC. If an application has a pre-existing XSS vulnerability, a malicious user (or attacker) can use this filter to escalate to an XST (Cross Site Tracing) attack.
NVD-CWE-noinfo

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:P/I:N/A:N
CVSSv3:
  • Base Score: MEDIUM (5.9)
  • Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

References:

Vulnerable Software & Versions: (show all)

CVE-2018-11040  

Spring Framework, versions 5.0.x prior to 5.0.7 and 4.3.x prior to 4.3.18 and older unsupported versions, allows web applications to enable cross-domain requests via JSONP (JSON with Padding) through AbstractJsonpResponseBodyAdvice for REST controllers and MappingJackson2JsonView for browser requests. Both are not enabled by default in Spring Framework nor Spring Boot, however, when MappingJackson2JsonView is configured in an application, JSONP support is automatically ready to use through the "jsonp" and "callback" JSONP parameters, enabling cross-domain requests.
CWE-829 Inclusion of Functionality from Untrusted Control Sphere

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:P/I:N/A:N
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

References:

Vulnerable Software & Versions: (show all)

CVE-2018-1257  

Spring Framework, versions 5.0.x prior to 5.0.6, versions 4.3.x prior to 4.3.17, and older unsupported versions allows applications to expose STOMP over WebSocket endpoints with a simple, in-memory STOMP broker through the spring-messaging module. A malicious user (or attacker) can craft a message to the broker that can lead to a regular expression, denial of service attack.
NVD-CWE-noinfo

CVSSv2:
  • Base Score: MEDIUM (4.0)
  • Vector: /AV:N/AC:L/Au:S/C:N/I:N/A:P
CVSSv3:
  • Base Score: MEDIUM (6.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

References:

Vulnerable Software & Versions: (show all)

CVE-2020-5421  

In Spring Framework versions 5.2.0 - 5.2.8, 5.1.0 - 5.1.17, 5.0.0 - 5.0.18, 4.3.0 - 4.3.28, and older unsupported versions, the protections against RFD attacks from CVE-2015-5211 may be bypassed depending on the browser used through the use of a jsessionid path parameter.
NVD-CWE-noinfo

CVSSv2:
  • Base Score: LOW (3.6)
  • Vector: /AV:N/AC:H/Au:S/C:P/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (6.5)
  • Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:H/A:N

References:

Vulnerable Software & Versions: (show all)

CVE-2022-22950  

n Spring Framework versions 5.3.0 - 5.3.16 and older unsupported versions, it is possible for a user to provide a specially crafted SpEL expression that may cause a denial of service condition.
CWE-770 Allocation of Resources Without Limits or Throttling

CVSSv2:
  • Base Score: MEDIUM (4.0)
  • Vector: /AV:N/AC:L/Au:S/C:N/I:N/A:P
CVSSv3:
  • Base Score: MEDIUM (6.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

References:

Vulnerable Software & Versions: (show all)

CVE-2022-22965  

A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it.
CWE-94 Improper Control of Generation of Code ('Code Injection')

CVSSv2:
  • Base Score: HIGH (7.5)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions: (show all)

CVE-2022-22968  

In Spring Framework versions 5.3.0 - 5.3.18, 5.2.0 - 5.2.20, and older unsupported versions, the patterns for disallowedFields on a DataBinder are case sensitive which means a field is not effectively protected unless it is listed with both upper and lower case for the first character of the field, including upper and lower case for the first character of all nested fields within the property path.
CWE-178 Improper Handling of Case Sensitivity

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (5.3)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

References:

Vulnerable Software & Versions: (show all)

CVE-2022-22970  

In spring framework versions prior to 5.3.20+ , 5.2.22+ and old unsupported versions, applications that handle file uploads are vulnerable to DoS attack if they rely on data binding to set a MultipartFile or javax.servlet.Part to a field in a model object.
CWE-770 Allocation of Resources Without Limits or Throttling

CVSSv2:
  • Base Score: LOW (3.5)
  • Vector: /AV:N/AC:M/Au:S/C:N/I:N/A:P
CVSSv3:
  • Base Score: MEDIUM (5.3)
  • Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H

References:

Vulnerable Software & Versions: (show all)

spring-data-jpa-2.6.0.jar

Description:

Spring Data module for JPA repositories.

File Path: /home/fritz/.mountpoints/LocalData/Business/Tidalwave/Projects/WorkAreas/Tidalwave/tidalwave.bitbucket.io/repository/org/springframework/data/spring-data-jpa/2.6.0/spring-data-jpa-2.6.0.jar
MD5: 50ddb96bd3bc08acf0376939595c6a9a
SHA1: bd08ea8db76c7c82397307dda2e253180c31b7ec
SHA256:4107be1cca55f9a1ac60959354db1ede4c33587c223a22303ee4e48187d4a415
Referenced In Project/Scope:TheseFoolishThings :: Examples :: DCI :: Persistence JPA:compile

Identifiers

CVE-2013-4152  

The Spring OXM wrapper in Spring Framework before 3.2.4 and 4.0.0.M1, when using the JAXB marshaller, does not disable entity resolution, which allows context-dependent attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via an XML external entity declaration in conjunction with an entity reference in a (1) DOMSource, (2) StAXSource, (3) SAXSource, or (4) StreamSource, aka an XML External Entity (XXE) issue.
CWE-264 Permissions, Privileges, and Access Controls

CVSSv2:
  • Base Score: MEDIUM (6.8)
  • Vector: /AV:N/AC:M/Au:N/C:P/I:P/A:P

References:

Vulnerable Software & Versions: (show all)

CVE-2013-7315  

The Spring MVC in Spring Framework before 3.2.4 and 4.0.0.M1 through 4.0.0.M2 does not disable external entity resolution for the StAX XMLInputFactory, which allows context-dependent attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML with JAXB, aka an XML External Entity (XXE) issue, and a different vulnerability than CVE-2013-4152.  NOTE: this issue was SPLIT from CVE-2013-4152 due to different affected versions.
CWE-264 Permissions, Privileges, and Access Controls

CVSSv2:
  • Base Score: MEDIUM (6.8)
  • Vector: /AV:N/AC:M/Au:N/C:P/I:P/A:P

References:

Vulnerable Software & Versions: (show all)

CVE-2014-0054  

The Jaxb2RootElementHttpMessageConverter in Spring MVC in Spring Framework before 3.2.8 and 4.0.0 before 4.0.2 does not disable external entity resolution, which allows remote attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML, aka an XML External Entity (XXE) issue.  NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-4152, CVE-2013-7315, and CVE-2013-6429.
CWE-352 Cross-Site Request Forgery (CSRF)

CVSSv2:
  • Base Score: MEDIUM (6.8)
  • Vector: /AV:N/AC:M/Au:N/C:P/I:P/A:P

References:

Vulnerable Software & Versions: (show all)

CVE-2016-1000027  

Pivotal Spring Framework through 5.3.16 suffers from a potential remote code execution (RCE) issue if used for Java deserialization of untrusted data. Depending on how the library is implemented within a product, this issue may or not occur, and authentication may be required. NOTE: the vendor's position is that untrusted data is not an intended use case. The product's behavior will not be changed because some users rely on deserialization of trusted data.
CWE-502 Deserialization of Untrusted Data

CVSSv2:
  • Base Score: HIGH (7.5)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions:

CVE-2018-11039  

Spring Framework (versions 5.0.x prior to 5.0.7, versions 4.3.x prior to 4.3.18, and older unsupported versions) allow web applications to change the HTTP request method to any HTTP method (including TRACE) using the HiddenHttpMethodFilter in Spring MVC. If an application has a pre-existing XSS vulnerability, a malicious user (or attacker) can use this filter to escalate to an XST (Cross Site Tracing) attack.
NVD-CWE-noinfo

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:P/I:N/A:N
CVSSv3:
  • Base Score: MEDIUM (5.9)
  • Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

References:

Vulnerable Software & Versions: (show all)

CVE-2018-11040  

Spring Framework, versions 5.0.x prior to 5.0.7 and 4.3.x prior to 4.3.18 and older unsupported versions, allows web applications to enable cross-domain requests via JSONP (JSON with Padding) through AbstractJsonpResponseBodyAdvice for REST controllers and MappingJackson2JsonView for browser requests. Both are not enabled by default in Spring Framework nor Spring Boot, however, when MappingJackson2JsonView is configured in an application, JSONP support is automatically ready to use through the "jsonp" and "callback" JSONP parameters, enabling cross-domain requests.
CWE-829 Inclusion of Functionality from Untrusted Control Sphere

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:P/I:N/A:N
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

References:

Vulnerable Software & Versions: (show all)

CVE-2018-1257  

Spring Framework, versions 5.0.x prior to 5.0.6, versions 4.3.x prior to 4.3.17, and older unsupported versions allows applications to expose STOMP over WebSocket endpoints with a simple, in-memory STOMP broker through the spring-messaging module. A malicious user (or attacker) can craft a message to the broker that can lead to a regular expression, denial of service attack.
NVD-CWE-noinfo

CVSSv2:
  • Base Score: MEDIUM (4.0)
  • Vector: /AV:N/AC:L/Au:S/C:N/I:N/A:P
CVSSv3:
  • Base Score: MEDIUM (6.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

References:

Vulnerable Software & Versions: (show all)

CVE-2020-5421  

In Spring Framework versions 5.2.0 - 5.2.8, 5.1.0 - 5.1.17, 5.0.0 - 5.0.18, 4.3.0 - 4.3.28, and older unsupported versions, the protections against RFD attacks from CVE-2015-5211 may be bypassed depending on the browser used through the use of a jsessionid path parameter.
NVD-CWE-noinfo

CVSSv2:
  • Base Score: LOW (3.6)
  • Vector: /AV:N/AC:H/Au:S/C:P/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (6.5)
  • Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:H/A:N

References:

Vulnerable Software & Versions: (show all)

CVE-2022-22950  

n Spring Framework versions 5.3.0 - 5.3.16 and older unsupported versions, it is possible for a user to provide a specially crafted SpEL expression that may cause a denial of service condition.
CWE-770 Allocation of Resources Without Limits or Throttling

CVSSv2:
  • Base Score: MEDIUM (4.0)
  • Vector: /AV:N/AC:L/Au:S/C:N/I:N/A:P
CVSSv3:
  • Base Score: MEDIUM (6.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

References:

Vulnerable Software & Versions: (show all)

CVE-2022-22965  

A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it.
CWE-94 Improper Control of Generation of Code ('Code Injection')

CVSSv2:
  • Base Score: HIGH (7.5)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions: (show all)

CVE-2022-22968  

In Spring Framework versions 5.3.0 - 5.3.18, 5.2.0 - 5.2.20, and older unsupported versions, the patterns for disallowedFields on a DataBinder are case sensitive which means a field is not effectively protected unless it is listed with both upper and lower case for the first character of the field, including upper and lower case for the first character of all nested fields within the property path.
CWE-178 Improper Handling of Case Sensitivity

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (5.3)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

References:

Vulnerable Software & Versions: (show all)

CVE-2022-22970  

In spring framework versions prior to 5.3.20+ , 5.2.22+ and old unsupported versions, applications that handle file uploads are vulnerable to DoS attack if they rely on data binding to set a MultipartFile or javax.servlet.Part to a field in a model object.
CWE-770 Allocation of Resources Without Limits or Throttling

CVSSv2:
  • Base Score: LOW (3.5)
  • Vector: /AV:N/AC:M/Au:S/C:N/I:N/A:P
CVSSv3:
  • Base Score: MEDIUM (5.3)
  • Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H

References:

Vulnerable Software & Versions: (show all)

txw2-2.3.5.jar

Description:

        TXW is a library that allows you to write XML documents.
    

File Path: /home/fritz/.mountpoints/LocalData/Business/Tidalwave/Projects/WorkAreas/Tidalwave/tidalwave.bitbucket.io/repository/org/glassfish/jaxb/txw2/2.3.5/txw2-2.3.5.jar
MD5: 67005a4cf5ee9cfd82edec1bdbecb32b
SHA1: ec8930fa62e7b1758b1664d135f50c7abe86a4a3
SHA256:7d75ea1151367fb66287011d9941715f645922932554acba0c5ac3aec67fb01f
Referenced In Project/Scope:TheseFoolishThings :: Examples :: DCI :: Persistence JPA:compile

Identifiers



This report contains data retrieved from the National Vulnerability Database.
This report may contain data retrieved from the NPM Public Advisories.
This report may contain data retrieved from RetireJS.
This report may contain data retrieved from the Sonatype OSS Index.