diff --git a/apps/frontend/src/store/report_intake.ts b/apps/frontend/src/store/report_intake.ts
index bd231f1fdb..256191f278 100644
--- a/apps/frontend/src/store/report_intake.ts
+++ b/apps/frontend/src/store/report_intake.ts
@@ -14,6 +14,7 @@ import {
 ConveyorResults as ConveyorResultsMapper,
 CycloneDXSBOMResults,
 DBProtectMapper,
+ DependencyTrackMapper,
 fingerprint,
 FortifyMapper,
 GosecMapper,
@@ -286,6 +287,8 @@ export class InspecIntake extends VuexModule {
 return new AnchoreGrypeMapper(convertOptions.data).toHdf();
 case INPUT_TYPES.NEUVECTOR:
 return new NeuVectorMapper(convertOptions.data).toHdf();
+ case INPUT_TYPES.DEPENDENCY_TRACK:
+ return new DependencyTrackMapper(convertOptions.data).toHdf();
 default:
 return SnackbarModule.failure(
 `Invalid file uploaded ($(unknown)), no fingerprints matched.`
diff --git a/libs/hdf-converters/README.md b/libs/hdf-converters/README.md
index b3d9ef67f0..412fb2fc14 100644
--- a/libs/hdf-converters/README.md
+++ b/libs/hdf-converters/README.md
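Review bot: The new `case INPUT_TYPES.DEPENDENCY_TRACK:` branch is only reached when the imported `fingerprint` helper classifies the upload as that type, and that registration is not part of this diff, so it is worth confirming that the FPF fingerprint keys on something specific to the format — e.g. `meta.application === "Dependency-Track"` together with a top-level `findings` array, as the sample fixtures show — rather than on a generic key that an unrelated JSON upload could also satisfy, since a loose match routes arbitrary user-supplied JSON into `DependencyTrackMapper`. The branch itself mirrors the neighbouring NeuVector case and passes `convertOptions.data` straight through, so the two added lines need no change on their own. The enclosing method of `InspecIntake` starts and ends outside this hunk.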
@@ -15,26 +15,27 @@ OHDF Converters supplies several methods to convert various types of security to 7. [**conveyor-mapper**] - Conveyor JSON file 8. [**cyclonedx-sbom-mapper**] - CycloneDX SBOM JSON file 9. [**dbprotect-mapper**] - DBProtect report in "Check Results Details" XML format -10. [**fortify-mapper**] - Fortify results FVDL file -11. [**gosec-mapper**] - gosec results JSON file -12. [**ionchannel-mapper**] - SBOM data from Ion Channel -13. [**jfrog-xray-mapper**] - JFrog Xray results JSON file -14. [**msft-secure-mapper**] - Microsoft Secure Score results file -15. [**nessus-mapper**] - Nessus XML results file -16. [**netsparker-mapper**] - Netsparker XML results file -17. [**neuvector-mapper**] - NeuVector JSON results file -18. [**nikto-mapper**] - Nikto results JSON file -19. [**prisma-mapper**] - Prisma Cloud Scan Report CSV file -20. [**sarif-mapper**] - SARIF JSON file -21. [**scoutsuite-mapper**] - ScoutSuite results from a Javascript object -22. [**snyk-mapper**] - Snyk results JSON file -23. [**sonarqube-mapper**] - SonarQube vulnerabilities for the specified project name and optional branch or pull/merge request ID name from an API -24. [**splunk-mapper**] - Splunk instance -25. [**trufflehog-mapper**] - Trufflehog results json file -26. [**twistlock-mapper**] - Twistlock CLI output file -27. [**veracode-mapper**] - Veracode Scan Results XML file -28. [**xccdf-results-mapper**] - SCAP client XCCDF-Results XML report -29. [**zap-mapper**] - OWASP ZAP results JSON +10. [**dependency-track-mapper**] - OWASP Dependency-Track Finding Packaging Format (FPF) +11. [**fortify-mapper**] - Fortify results FVDL file +12. [**gosec-mapper**] - gosec results JSON file +13. [**ionchannel-mapper**] - SBOM data from Ion Channel +14. [**jfrog-xray-mapper**] - JFrog Xray results JSON file +15. [**msft-secure-mapper**] - Microsoft Secure Score results file +16. [**nessus-mapper**] - Nessus XML results file +17. 
[**netsparker-mapper**] - Netsparker XML results file +18. [**neuvector-mapper**] - NeuVector JSON results file +19. [**nikto-mapper**] - Nikto results JSON file +20. [**prisma-mapper**] - Prisma Cloud Scan Report CSV file +21. [**sarif-mapper**] - SARIF JSON file +22. [**scoutsuite-mapper**] - ScoutSuite results from a Javascript object +23. [**snyk-mapper**] - Snyk results JSON file +24. [**sonarqube-mapper**] - SonarQube vulnerabilities for the specified project name and optional branch or pull/merge request ID name from an API +25. [**splunk-mapper**] - Splunk instance +26. [**trufflehog-mapper**] - Trufflehog results json file +27. [**twistlock-mapper**] - Twistlock CLI output file +28. [**veracode-mapper**] - Veracode Scan Results XML file +29. [**xccdf-results-mapper**] - SCAP client XCCDF-Results XML report +30. [**zap-mapper**] - OWASP ZAP results JSON ### NOTICE diff --git a/libs/hdf-converters/index.ts b/libs/hdf-converters/index.ts index ef8d41093e..c897eb337c 100644 --- a/libs/hdf-converters/index.ts +++ b/libs/hdf-converters/index.ts @@ -22,6 +22,7 @@ export * from './src/converters-from-hdf/xccdf/reverse-xccdf-mapper'; export * from './src/conveyor-mapper'; export * from './src/cyclonedx-sbom-mapper'; export * from './src/dbprotect-mapper'; +export * from './src/dependency-track-mapper'; export * from './src/fortify-mapper'; export * from './src/gosec-mapper'; export * from './src/ionchannel-mapper'; diff --git a/libs/hdf-converters/sample_jsons/dependency_track_mapper/hdf-default-withraw.json b/libs/hdf-converters/sample_jsons/dependency_track_mapper/hdf-default-withraw.json new file mode 100644 index 0000000000..4c0e33a532 --- /dev/null +++ b/libs/hdf-converters/sample_jsons/dependency_track_mapper/hdf-default-withraw.json 
@@ -0,0 +1,253 @@ +{ + "platform": { + "name": "Dependency-Track", + "release": "1.1 4.5.0", + "target_id": "http://dtrack.example.org" + }, + "version": "2.10.3", + "statistics": {}, + "profiles": [ + { + "name": "ca4f2da9-0fad-4a13-92d7-f627f3168a56", + "version": "1.0", + "title": "Acme Example", + "summary": "A sample application", + "supports": [], + "attributes": [], + "groups": [], + "status": "loaded", + "controls": [ + { + "tags": { + "cweIds": [ + 400 + ], + "cweNames": [ + "Uncontrolled Resource Consumption ('Resource Exhaustion')" + ], + "nist": [ + "SI-10" + ], + "cci": [ + "CCI-001310" + ], + "componentUuid": "b815b581-fec1-4374-a871-68862a8f8d52", + "componentName": "timespan", + "componentGroup": "", + "componentVersion": "2.3.0", + "componentLatestVersion": "3.2.0", + "componentPurl": "pkg:npm/timespan@2.3.0", + "componentCpe": "", + "componentProject": "", + "vulnerabilityUuid": "115b80bb-46c4-41d1-9f10-8a175d4abb46", + "vulnerabilitySource": "NPM", + "vulnerabilityVulnId": "533", + "vulnerabilityTitle": "Regular Expression Denial of Service", + "vulnerabilitySubtitle": "timespan", + "vulnerabilityAliases": "\"\"", + "vulnerabilityCvssV2BaseScore": "", + "vulnerabilityCvssV3BaseScore": "", + "vulnerabilityOwaspLikelihoodScore": "", + "vulnerabilityOwaspTechnicalImpactScore": "", + "vulnerabilityOwaspBusinessImpactScore": "", + "vulnerabilitySeverityRank": 3, + "vulnerabilityEpssScore": "", + "vulnerabilityEpssPercentile": "", + "vulnerabilityCweId": 400, + "vulnerabilityCweName": "Uncontrolled Resource Consumption ('Resource Exhaustion')", + "attributionAnalyzerIdentity": "", + "attributionAttributedOn": "", + "attributionAlternateIdentifier": "", + "attributionReferenceUrl": "", + "analysisState": "NOT_SET", + "analysisIsSuppressed": "" + }, + "refs": [], + "source_location": {}, + "title": "pkg:npm/timespan@2.3.0 - Regular Expression Denial of Service", + "id": 
"ca4f2da9-0fad-4a13-92d7-f627f3168a56:b815b581-fec1-4374-a871-68862a8f8d52:115b80bb-46c4-41d1-9f10-8a175d4abb46", + "desc": "Affected versions of `timespan`...", + "descriptions": [ + { + "data": "Affected versions of `timespan`...", + "label": "check" + }, + { + "data": "No direct patch is available...", + "label": "fix" + } + ], + "impact": 0.3, + "code": "{\n \"component\": {\n \"uuid\": \"b815b581-fec1-4374-a871-68862a8f8d52\",\n \"name\": \"timespan\",\n \"version\": \"2.3.0\",\n \"purl\": \"pkg:npm/timespan@2.3.0\",\n \"latestVersion\": \"3.2.0\"\n },\n \"vulnerability\": {\n \"uuid\": \"115b80bb-46c4-41d1-9f10-8a175d4abb46\",\n \"source\": \"NPM\",\n \"vulnId\": \"533\",\n \"title\": \"Regular Expression Denial of Service\",\n \"subtitle\": \"timespan\",\n \"severity\": \"LOW\",\n \"severityRank\": 3,\n \"cweId\": 400,\n \"cweName\": \"Uncontrolled Resource Consumption ('Resource Exhaustion')\",\n \"cwes\": [\n {\n \"cweId\": 400,\n \"name\": \"Uncontrolled Resource Consumption ('Resource Exhaustion')\"\n }\n ],\n \"description\": \"Affected versions of `timespan`...\",\n \"recommendation\": \"No direct patch is available...\"\n },\n \"analysis\": {\n \"state\": \"NOT_SET\",\n \"isSuppressed\": false\n },\n \"matrix\": \"ca4f2da9-0fad-4a13-92d7-f627f3168a56:b815b581-fec1-4374-a871-68862a8f8d52:115b80bb-46c4-41d1-9f10-8a175d4abb46\"\n}", + "results": [ + { + "status": "failed", + "code_desc": "No direct patch is available...", + "start_time": "2022-02-18T23:31:42Z" + } + ] + }, + { + "tags": { + "cweIds": [ + 400 + ], + "cweNames": [ + "Uncontrolled Resource Consumption ('Resource Exhaustion')" + ], + "nist": [ + "SI-10" + ], + "cci": [ + "CCI-001310" + ], + "componentUuid": "979f87f5-eaf5-4095-9d38-cde17bf9228e", + "componentName": "uglify-js", + "componentGroup": "", + "componentVersion": "2.4.24", + "componentLatestVersion": "", + "componentPurl": "pkg:npm/uglify-js@2.4.24", + "componentCpe": "", + "componentProject": "", + "vulnerabilityUuid": 
"701a3953-666b-4b7a-96ca-e1e6a3e1def3", + "vulnerabilitySource": "NPM", + "vulnerabilityVulnId": "48", + "vulnerabilityTitle": "Regular Expression Denial of Service", + "vulnerabilitySubtitle": "uglify-js", + "vulnerabilityAliases": "[\n {\n \"cveId\": \"CVE-2022-2053\",\n \"ghsaId\": \"GHSA-95rf-557x-44g5\"\n }\n]", + "vulnerabilityCvssV2BaseScore": "", + "vulnerabilityCvssV3BaseScore": "", + "vulnerabilityOwaspLikelihoodScore": "", + "vulnerabilityOwaspTechnicalImpactScore": "", + "vulnerabilityOwaspBusinessImpactScore": "", + "vulnerabilitySeverityRank": 3, + "vulnerabilityEpssScore": "", + "vulnerabilityEpssPercentile": "", + "vulnerabilityCweId": 400, + "vulnerabilityCweName": "Uncontrolled Resource Consumption ('Resource Exhaustion')", + "attributionAnalyzerIdentity": "", + "attributionAttributedOn": "", + "attributionAlternateIdentifier": "", + "attributionReferenceUrl": "", + "analysisState": "", + "analysisIsSuppressed": "" + }, + "refs": [], + "source_location": {}, + "title": "pkg:npm/uglify-js@2.4.24 - Regular Expression Denial of Service", + "id": "ca4f2da9-0fad-4a13-92d7-f627f3168a56:979f87f5-eaf5-4095-9d38-cde17bf9228e:701a3953-666b-4b7a-96ca-e1e6a3e1def3", + "desc": "Versions of `uglify-js` prior to...", + "descriptions": [ + { + "data": "Versions of `uglify-js` prior to...", + "label": "check" + }, + { + "data": "Update to version 2.6.0 or later.", + "label": "fix" + } + ], + "impact": 0.3, + "code": "{\n \"component\": {\n \"uuid\": \"979f87f5-eaf5-4095-9d38-cde17bf9228e\",\n \"name\": \"uglify-js\",\n \"version\": \"2.4.24\",\n \"purl\": \"pkg:npm/uglify-js@2.4.24\"\n },\n \"vulnerability\": {\n \"uuid\": \"701a3953-666b-4b7a-96ca-e1e6a3e1def3\",\n \"source\": \"NPM\",\n \"vulnId\": \"48\",\n \"aliases\": [\n {\n \"cveId\": \"CVE-2022-2053\",\n \"ghsaId\": \"GHSA-95rf-557x-44g5\"\n }\n ],\n \"title\": \"Regular Expression Denial of Service\",\n \"subtitle\": \"uglify-js\",\n \"severity\": \"LOW\",\n \"severityRank\": 3,\n \"cweId\": 400,\n 
\"cweName\": \"Uncontrolled Resource Consumption ('Resource Exhaustion')\",\n \"cwes\": [\n {\n \"cweId\": 400,\n \"name\": \"Uncontrolled Resource Consumption ('Resource Exhaustion')\"\n }\n ],\n \"description\": \"Versions of `uglify-js` prior to...\",\n \"recommendation\": \"Update to version 2.6.0 or later.\"\n },\n \"analysis\": {\n \"isSuppressed\": false\n },\n \"matrix\": \"ca4f2da9-0fad-4a13-92d7-f627f3168a56:979f87f5-eaf5-4095-9d38-cde17bf9228e:701a3953-666b-4b7a-96ca-e1e6a3e1def3\"\n}", + "results": [ + { + "status": "failed", + "code_desc": "Update to version 2.6.0 or later.", + "start_time": "2022-02-18T23:31:42Z" + } + ] + } + ], + "sha256": "5bbda4b1d386b05957e95e2701d9cf675ecec96aa07ca3e043edd565794c8277" + } + ], + "passthrough": { + "raw": { + "version": "1.1", + "meta": { + "application": "Dependency-Track", + "version": "4.5.0", + "timestamp": "2022-02-18T23:31:42Z", + "baseUrl": "http://dtrack.example.org" + }, + "project": { + "uuid": "ca4f2da9-0fad-4a13-92d7-f627f3168a56", + "name": "Acme Example", + "version": "1.0", + "description": "A sample application" + }, + "findings": [ + { + "component": { + "uuid": "b815b581-fec1-4374-a871-68862a8f8d52", + "name": "timespan", + "version": "2.3.0", + "purl": "pkg:npm/timespan@2.3.0", + "latestVersion": "3.2.0" + }, + "vulnerability": { + "uuid": "115b80bb-46c4-41d1-9f10-8a175d4abb46", + "source": "NPM", + "vulnId": "533", + "title": "Regular Expression Denial of Service", + "subtitle": "timespan", + "severity": "LOW", + "severityRank": 3, + "cweId": 400, + "cweName": "Uncontrolled Resource Consumption ('Resource Exhaustion')", + "cwes": [ + { + "cweId": 400, + "name": "Uncontrolled Resource Consumption ('Resource Exhaustion')" + } + ], + "description": "Affected versions of `timespan`...", + "recommendation": "No direct patch is available..." 
+ }, + "analysis": { + "state": "NOT_SET", + "isSuppressed": false + }, + "matrix": "ca4f2da9-0fad-4a13-92d7-f627f3168a56:b815b581-fec1-4374-a871-68862a8f8d52:115b80bb-46c4-41d1-9f10-8a175d4abb46" + }, + { + "component": { + "uuid": "979f87f5-eaf5-4095-9d38-cde17bf9228e", + "name": "uglify-js", + "version": "2.4.24", + "purl": "pkg:npm/uglify-js@2.4.24" + }, + "vulnerability": { + "uuid": "701a3953-666b-4b7a-96ca-e1e6a3e1def3", + "source": "NPM", + "vulnId": "48", + "aliases": [ + { + "cveId": "CVE-2022-2053", + "ghsaId": "GHSA-95rf-557x-44g5" + } + ], + "title": "Regular Expression Denial of Service", + "subtitle": "uglify-js", + "severity": "LOW", + "severityRank": 3, + "cweId": 400, + "cweName": "Uncontrolled Resource Consumption ('Resource Exhaustion')", + "cwes": [ + { + "cweId": 400, + "name": "Uncontrolled Resource Consumption ('Resource Exhaustion')" + } + ], + "description": "Versions of `uglify-js` prior to...", + "recommendation": "Update to version 2.6.0 or later." + }, + "analysis": { + "isSuppressed": false + }, + "matrix": "ca4f2da9-0fad-4a13-92d7-f627f3168a56:979f87f5-eaf5-4095-9d38-cde17bf9228e:701a3953-666b-4b7a-96ca-e1e6a3e1def3" + } + ] + } + } +} \ No newline at end of file diff --git a/libs/hdf-converters/sample_jsons/dependency_track_mapper/hdf-default.json b/libs/hdf-converters/sample_jsons/dependency_track_mapper/hdf-default.json new file mode 100644 index 0000000000..c69693e50c --- /dev/null +++ b/libs/hdf-converters/sample_jsons/dependency_track_mapper/hdf-default.json 
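Review bot: The expected output flattens the triage and alias fields into strings: the `tags` carry `"analysisIsSuppressed": ""` and `"analysisState": ""` where the raw finding under `passthrough.raw` has `"isSuppressed": false` (and, for the `uglify-js` finding, no `state` at all), and `"vulnerabilityAliases"` holds a JSON-encoded string (`"\"\""` for the first finding, a serialized array for the second) instead of the alias list. A consumer of this HDF therefore cannot distinguish "not suppressed" from "unknown", nor filter on `CVE-2022-2053` without re-parsing a tag, which matters because the Dependency-Track `analysis` state is what separates an accepted or false-positive finding from an open one. If the mapper's tag emission can be adjusted, emitting booleans as `false`, leaving absent fields absent (or `null`), and keeping `vulnerabilityAliases` as an array would be the fix, with this fixture updated to match. This is inferred from the fixture alone — the mapper source is not in this diff.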
@@ -0,0 +1,165 @@ +{ + "platform": { + "name": "Dependency-Track", + "release": "1.1 4.5.0", + "target_id": "http://dtrack.example.org" + }, + "version": "2.10.3", + "statistics": {}, + "profiles": [ + { + "name": "ca4f2da9-0fad-4a13-92d7-f627f3168a56", + "version": "1.0", + "title": "Acme Example", + "summary": "A sample application", + "supports": [], + "attributes": [], + "groups": [], + "status": "loaded", + "controls": [ + { + "tags": { + "cweIds": [ + 400 + ], + "cweNames": [ + "Uncontrolled Resource Consumption ('Resource Exhaustion')" + ], + "nist": [ + "SI-10" + ], + "cci": [ + "CCI-001310" + ], + "componentUuid": "b815b581-fec1-4374-a871-68862a8f8d52", + "componentName": "timespan", + "componentGroup": "", + "componentVersion": "2.3.0", + "componentLatestVersion": "3.2.0", + "componentPurl": "pkg:npm/timespan@2.3.0", + "componentCpe": "", + "componentProject": "", + "vulnerabilityUuid": "115b80bb-46c4-41d1-9f10-8a175d4abb46", + "vulnerabilitySource": "NPM", + "vulnerabilityVulnId": "533", + "vulnerabilityTitle": "Regular Expression Denial of Service", + "vulnerabilitySubtitle": "timespan", + "vulnerabilityAliases": "\"\"", + "vulnerabilityCvssV2BaseScore": "", + "vulnerabilityCvssV3BaseScore": "", + "vulnerabilityOwaspLikelihoodScore": "", + "vulnerabilityOwaspTechnicalImpactScore": "", + "vulnerabilityOwaspBusinessImpactScore": "", + "vulnerabilitySeverityRank": 3, + "vulnerabilityEpssScore": "", + "vulnerabilityEpssPercentile": "", + "vulnerabilityCweId": 400, + "vulnerabilityCweName": "Uncontrolled Resource Consumption ('Resource Exhaustion')", + "attributionAnalyzerIdentity": "", + "attributionAttributedOn": "", + "attributionAlternateIdentifier": "", + "attributionReferenceUrl": "", + "analysisState": "NOT_SET", + "analysisIsSuppressed": "" + }, + "refs": [], + "source_location": {}, + "title": "pkg:npm/timespan@2.3.0 - Regular Expression Denial of Service", + "id": 
"ca4f2da9-0fad-4a13-92d7-f627f3168a56:b815b581-fec1-4374-a871-68862a8f8d52:115b80bb-46c4-41d1-9f10-8a175d4abb46", + "desc": "Affected versions of `timespan`...", + "descriptions": [ + { + "data": "Affected versions of `timespan`...", + "label": "check" + }, + { + "data": "No direct patch is available...", + "label": "fix" + } + ], + "impact": 0.3, + "code": "{\n \"component\": {\n \"uuid\": \"b815b581-fec1-4374-a871-68862a8f8d52\",\n \"name\": \"timespan\",\n \"version\": \"2.3.0\",\n \"purl\": \"pkg:npm/timespan@2.3.0\",\n \"latestVersion\": \"3.2.0\"\n },\n \"vulnerability\": {\n \"uuid\": \"115b80bb-46c4-41d1-9f10-8a175d4abb46\",\n \"source\": \"NPM\",\n \"vulnId\": \"533\",\n \"title\": \"Regular Expression Denial of Service\",\n \"subtitle\": \"timespan\",\n \"severity\": \"LOW\",\n \"severityRank\": 3,\n \"cweId\": 400,\n \"cweName\": \"Uncontrolled Resource Consumption ('Resource Exhaustion')\",\n \"cwes\": [\n {\n \"cweId\": 400,\n \"name\": \"Uncontrolled Resource Consumption ('Resource Exhaustion')\"\n }\n ],\n \"description\": \"Affected versions of `timespan`...\",\n \"recommendation\": \"No direct patch is available...\"\n },\n \"analysis\": {\n \"state\": \"NOT_SET\",\n \"isSuppressed\": false\n },\n \"matrix\": \"ca4f2da9-0fad-4a13-92d7-f627f3168a56:b815b581-fec1-4374-a871-68862a8f8d52:115b80bb-46c4-41d1-9f10-8a175d4abb46\"\n}", + "results": [ + { + "status": "failed", + "code_desc": "No direct patch is available...", + "start_time": "2022-02-18T23:31:42Z" + } + ] + }, + { + "tags": { + "cweIds": [ + 400 + ], + "cweNames": [ + "Uncontrolled Resource Consumption ('Resource Exhaustion')" + ], + "nist": [ + "SI-10" + ], + "cci": [ + "CCI-001310" + ], + "componentUuid": "979f87f5-eaf5-4095-9d38-cde17bf9228e", + "componentName": "uglify-js", + "componentGroup": "", + "componentVersion": "2.4.24", + "componentLatestVersion": "", + "componentPurl": "pkg:npm/uglify-js@2.4.24", + "componentCpe": "", + "componentProject": "", + "vulnerabilityUuid": 
"701a3953-666b-4b7a-96ca-e1e6a3e1def3", + "vulnerabilitySource": "NPM", + "vulnerabilityVulnId": "48", + "vulnerabilityTitle": "Regular Expression Denial of Service", + "vulnerabilitySubtitle": "uglify-js", + "vulnerabilityAliases": "[\n {\n \"cveId\": \"CVE-2022-2053\",\n \"ghsaId\": \"GHSA-95rf-557x-44g5\"\n }\n]", + "vulnerabilityCvssV2BaseScore": "", + "vulnerabilityCvssV3BaseScore": "", + "vulnerabilityOwaspLikelihoodScore": "", + "vulnerabilityOwaspTechnicalImpactScore": "", + "vulnerabilityOwaspBusinessImpactScore": "", + "vulnerabilitySeverityRank": 3, + "vulnerabilityEpssScore": "", + "vulnerabilityEpssPercentile": "", + "vulnerabilityCweId": 400, + "vulnerabilityCweName": "Uncontrolled Resource Consumption ('Resource Exhaustion')", + "attributionAnalyzerIdentity": "", + "attributionAttributedOn": "", + "attributionAlternateIdentifier": "", + "attributionReferenceUrl": "", + "analysisState": "", + "analysisIsSuppressed": "" + }, + "refs": [], + "source_location": {}, + "title": "pkg:npm/uglify-js@2.4.24 - Regular Expression Denial of Service", + "id": "ca4f2da9-0fad-4a13-92d7-f627f3168a56:979f87f5-eaf5-4095-9d38-cde17bf9228e:701a3953-666b-4b7a-96ca-e1e6a3e1def3", + "desc": "Versions of `uglify-js` prior to...", + "descriptions": [ + { + "data": "Versions of `uglify-js` prior to...", + "label": "check" + }, + { + "data": "Update to version 2.6.0 or later.", + "label": "fix" + } + ], + "impact": 0.3, + "code": "{\n \"component\": {\n \"uuid\": \"979f87f5-eaf5-4095-9d38-cde17bf9228e\",\n \"name\": \"uglify-js\",\n \"version\": \"2.4.24\",\n \"purl\": \"pkg:npm/uglify-js@2.4.24\"\n },\n \"vulnerability\": {\n \"uuid\": \"701a3953-666b-4b7a-96ca-e1e6a3e1def3\",\n \"source\": \"NPM\",\n \"vulnId\": \"48\",\n \"aliases\": [\n {\n \"cveId\": \"CVE-2022-2053\",\n \"ghsaId\": \"GHSA-95rf-557x-44g5\"\n }\n ],\n \"title\": \"Regular Expression Denial of Service\",\n \"subtitle\": \"uglify-js\",\n \"severity\": \"LOW\",\n \"severityRank\": 3,\n \"cweId\": 400,\n 
\"cweName\": \"Uncontrolled Resource Consumption ('Resource Exhaustion')\",\n \"cwes\": [\n {\n \"cweId\": 400,\n \"name\": \"Uncontrolled Resource Consumption ('Resource Exhaustion')\"\n }\n ],\n \"description\": \"Versions of `uglify-js` prior to...\",\n \"recommendation\": \"Update to version 2.6.0 or later.\"\n },\n \"analysis\": {\n \"isSuppressed\": false\n },\n \"matrix\": \"ca4f2da9-0fad-4a13-92d7-f627f3168a56:979f87f5-eaf5-4095-9d38-cde17bf9228e:701a3953-666b-4b7a-96ca-e1e6a3e1def3\"\n}", + "results": [ + { + "status": "failed", + "code_desc": "Update to version 2.6.0 or later.", + "start_time": "2022-02-18T23:31:42Z" + } + ] + } + ], + "sha256": "5bbda4b1d386b05957e95e2701d9cf675ecec96aa07ca3e043edd565794c8277" + } + ], + "passthrough": {} +} \ No newline at end of file diff --git a/libs/hdf-converters/sample_jsons/dependency_track_mapper/hdf-info-vulnerability.json b/libs/hdf-converters/sample_jsons/dependency_track_mapper/hdf-info-vulnerability.json new file mode 100644 index 0000000000..eced65f37d --- /dev/null +++ b/libs/hdf-converters/sample_jsons/dependency_track_mapper/hdf-info-vulnerability.json 
@@ -0,0 +1,95 @@ +{ + "platform": { + "name": "Dependency-Track", + "release": "1.1 4.5.0", + "target_id": "http://dtrack.example.org" + }, + "version": "2.10.3", + "statistics": {}, + "profiles": [ + { + "name": "ca4f2da9-0fad-4a13-92d7-f627f3168a56", + "version": "1.0", + "title": "Acme Example", + "summary": "A sample application", + "supports": [], + "attributes": [], + "groups": [], + "status": "loaded", + "controls": [ + { + "tags": { + "cweIds": [ + 400 + ], + "cweNames": [ + "Uncontrolled Resource Consumption ('Resource Exhaustion')" + ], + "nist": [ + "SI-10" + ], + "cci": [ + "CCI-001310" + ], + "componentUuid": "b815b581-fec1-4374-a871-68862a8f8d52", + "componentName": "timespan", + "componentGroup": "", + "componentVersion": "2.3.0", + "componentLatestVersion": "3.2.0", + "componentPurl": "pkg:npm/timespan@2.3.0", + "componentCpe": "", + "componentProject": "", + "vulnerabilityUuid": "115b80bb-46c4-41d1-9f10-8a175d4abb46", + "vulnerabilitySource": "NPM", + "vulnerabilityVulnId": "533", + "vulnerabilityTitle": "Regular Expression Denial of Service", + "vulnerabilitySubtitle": "timespan", + "vulnerabilityAliases": "\"\"", + "vulnerabilityCvssV2BaseScore": "", + "vulnerabilityCvssV3BaseScore": "", + "vulnerabilityOwaspLikelihoodScore": "", + "vulnerabilityOwaspTechnicalImpactScore": "", + "vulnerabilityOwaspBusinessImpactScore": "", + "vulnerabilitySeverityRank": 4, + "vulnerabilityEpssScore": "", + "vulnerabilityEpssPercentile": "", + "vulnerabilityCweId": 400, + "vulnerabilityCweName": "Uncontrolled Resource Consumption ('Resource Exhaustion')", + "attributionAnalyzerIdentity": "", + "attributionAttributedOn": "", + "attributionAlternateIdentifier": "", + "attributionReferenceUrl": "", + "analysisState": "NOT_SET", + "analysisIsSuppressed": "" + }, + "refs": [], + "source_location": {}, + "title": "pkg:npm/timespan@2.3.0 - Regular Expression Denial of Service", + "id": 
"ca4f2da9-0fad-4a13-92d7-f627f3168a56:b815b581-fec1-4374-a871-68862a8f8d52:115b80bb-46c4-41d1-9f10-8a175d4abb46", + "desc": "Affected versions of `timespan`...", + "descriptions": [ + { + "data": "Affected versions of `timespan`...", + "label": "check" + }, + { + "data": "No direct patch is available...", + "label": "fix" + } + ], + "impact": 0, + "code": "{\n \"component\": {\n \"uuid\": \"b815b581-fec1-4374-a871-68862a8f8d52\",\n \"name\": \"timespan\",\n \"version\": \"2.3.0\",\n \"purl\": \"pkg:npm/timespan@2.3.0\",\n \"latestVersion\": \"3.2.0\"\n },\n \"vulnerability\": {\n \"uuid\": \"115b80bb-46c4-41d1-9f10-8a175d4abb46\",\n \"source\": \"NPM\",\n \"vulnId\": \"533\",\n \"title\": \"Regular Expression Denial of Service\",\n \"subtitle\": \"timespan\",\n \"severity\": \"INFO\",\n \"severityRank\": 4,\n \"cweId\": 400,\n \"cweName\": \"Uncontrolled Resource Consumption ('Resource Exhaustion')\",\n \"cwes\": [\n {\n \"cweId\": 400,\n \"name\": \"Uncontrolled Resource Consumption ('Resource Exhaustion')\"\n }\n ],\n \"description\": \"Affected versions of `timespan`...\",\n \"recommendation\": \"No direct patch is available...\"\n },\n \"analysis\": {\n \"state\": \"NOT_SET\",\n \"isSuppressed\": false\n },\n \"matrix\": \"ca4f2da9-0fad-4a13-92d7-f627f3168a56:b815b581-fec1-4374-a871-68862a8f8d52:115b80bb-46c4-41d1-9f10-8a175d4abb46\"\n}", + "results": [ + { + "status": "failed", + "code_desc": "No direct patch is available...", + "start_time": "2022-02-18T23:31:42Z" + } + ] + } + ], + "sha256": "622bd835e1e685774362d29f65c680b95f8ae9c3eb28ddc1a5bcabe518188e11" + } + ], + "passthrough": {} +} \ No newline at end of file diff --git a/libs/hdf-converters/sample_jsons/dependency_track_mapper/hdf-no-vulnerabilities.json b/libs/hdf-converters/sample_jsons/dependency_track_mapper/hdf-no-vulnerabilities.json new file mode 100644 index 0000000000..3be7e0475a --- /dev/null +++ b/libs/hdf-converters/sample_jsons/dependency_track_mapper/hdf-no-vulnerabilities.json 
@@ -0,0 +1,24 @@ +{ + "platform": { + "name": "Dependency-Track", + "release": "1.2 4.10.1", + "target_id": "" + }, + "version": "2.10.3", + "statistics": {}, + "profiles": [ + { + "name": "d0646cf1-2415-4edd-a787-3c11d04f983d", + "version": "1.0", + "title": "laravel", + "summary": "", + "supports": [], + "attributes": [], + "groups": [], + "status": "loaded", + "controls": [], + "sha256": "fb6daf2c4cf58a0e4b8110781af700cc0c8d8e9bd2fd9d7879eb0d74f9ac09de" + } + ], + "passthrough": {} +} \ No newline at end of file diff --git a/libs/hdf-converters/sample_jsons/dependency_track_mapper/hdf-optional-attributes.json b/libs/hdf-converters/sample_jsons/dependency_track_mapper/hdf-optional-attributes.json new file mode 100644 index 0000000000..b5bed645c9 --- /dev/null +++ b/libs/hdf-converters/sample_jsons/dependency_track_mapper/hdf-optional-attributes.json 
@@ -0,0 +1,3961 @@ +{ + "platform": { + "name": "Dependency-Track", + "release": "1.2 4.10.1", + "target_id": "" + }, + "version": "2.10.3", + "statistics": {}, + "profiles": [ + { + "name": "5840398e-605b-4326-9184-74e0e7c2a081", + "version": "1.0", + "title": "dropwizard", + "summary": "", + "supports": [], + "attributes": [], + "groups": [], + "status": "loaded", + "controls": [ + { + "tags": { + "cweIds": [ + 552 + ], + "cweNames": [ + "Files or Directories Accessible to External Parties" + ], + "nist": [ + "SA-11", + "RA-5" + ], + "cci": [ + "CCI-003173", + "CCI-001643" + ], + "componentUuid": "adf3b141-216d-4134-938c-2cf712193921", + "componentName": "guava", + "componentGroup": "com.google.guava", + "componentVersion": "24.1.1-jre", + "componentLatestVersion": "33.1.0-jre", + "componentPurl": "pkg:maven/com.google.guava/guava@24.1.1-jre?type=jar", + "componentCpe": "", + "componentProject": "5840398e-605b-4326-9184-74e0e7c2a081", + "vulnerabilityUuid": "bb2646ad-ce2f-4562-812d-2009fd43c772", + "vulnerabilitySource": "NVD", + "vulnerabilityVulnId": "CVE-2023-2976", + "vulnerabilityTitle": "", + "vulnerabilitySubtitle": "", + "vulnerabilityAliases": "[]", + "vulnerabilityCvssV2BaseScore": "", + "vulnerabilityCvssV3BaseScore": 7.1, + "vulnerabilityOwaspLikelihoodScore": "", + "vulnerabilityOwaspTechnicalImpactScore": "", + "vulnerabilityOwaspBusinessImpactScore": "", + "vulnerabilitySeverityRank": 1, + "vulnerabilityEpssScore": 0.00045, + "vulnerabilityEpssPercentile": 0.13314, + "vulnerabilityCweId": 552, + "vulnerabilityCweName": "Files or Directories Accessible to External Parties", + "attributionAnalyzerIdentity": "OSSINDEX_ANALYZER", + "attributionAttributedOn": "2024-04-04 03:29:40.996", + "attributionAlternateIdentifier": "CVE-2023-2976", + "attributionReferenceUrl": 
"https://ossindex.sonatype.org/vulnerability/CVE-2023-2976?component-type=maven&component-name=com.google.guava%2Fguava&utm_source=dependency-track&utm_medium=integration&utm_content=v4.10.1", + "analysisState": "", + "analysisIsSuppressed": "" + }, + "refs": [], + "source_location": {}, + "title": "pkg:maven/com.google.guava/guava@24.1.1-jre?type=jar", + "id": "5840398e-605b-4326-9184-74e0e7c2a081:adf3b141-216d-4134-938c-2cf712193921:bb2646ad-ce2f-4562-812d-2009fd43c772", + "desc": "Use of Java's default temporary directory for file creation in `FileBackedOutputStream` in Google Guava versions 1.0 to 31.1 on Unix systems and Android Ice Cream Sandwich allows other users and apps on the machine with access to the default Java temporary directory to be able to access the files created by the class.\n\nEven though the security vulnerability is fixed in version 32.0.0, we recommend using version 32.0.1 as version 32.0.0 breaks some functionality under Windows.\n\n", + "descriptions": [ + { + "data": "Use of Java's default temporary directory for file creation in `FileBackedOutputStream` in Google Guava versions 1.0 to 31.1 on Unix systems and Android Ice Cream Sandwich allows other users and apps on the machine with access to the default Java temporary directory to be able to access the files created by the class.\n\nEven though the security vulnerability is fixed in version 32.0.0, we recommend using version 32.0.1 as version 32.0.0 breaks some functionality under Windows.\n\n", + "label": "check" + }, + { + "data": "", + "label": "fix" + } + ], + "impact": 0.7, + "code": "{\n \"component\": {\n \"latestVersion\": \"33.1.0-jre\",\n \"name\": \"guava\",\n \"project\": \"5840398e-605b-4326-9184-74e0e7c2a081\",\n \"purl\": \"pkg:maven/com.google.guava/guava@24.1.1-jre?type=jar\",\n \"uuid\": \"adf3b141-216d-4134-938c-2cf712193921\",\n \"version\": \"24.1.1-jre\",\n \"group\": \"com.google.guava\"\n },\n \"attribution\": {\n \"alternateIdentifier\": \"CVE-2023-2976\",\n 
\"analyzerIdentity\": \"OSSINDEX_ANALYZER\",\n \"attributedOn\": \"2024-04-04 03:29:40.996\",\n \"referenceUrl\": \"https://ossindex.sonatype.org/vulnerability/CVE-2023-2976?component-type=maven&component-name=com.google.guava%2Fguava&utm_source=dependency-track&utm_medium=integration&utm_content=v4.10.1\"\n },\n \"vulnerability\": {\n \"severity\": \"HIGH\",\n \"cvssV3BaseScore\": 7.1,\n \"vulnId\": \"CVE-2023-2976\",\n \"aliases\": [],\n \"cweId\": 552,\n \"description\": \"Use of Java's default temporary directory for file creation in `FileBackedOutputStream` in Google Guava versions 1.0 to 31.1 on Unix systems and Android Ice Cream Sandwich allows other users and apps on the machine with access to the default Java temporary directory to be able to access the files created by the class.\\n\\nEven though the security vulnerability is fixed in version 32.0.0, we recommend using version 32.0.1 as version 32.0.0 breaks some functionality under Windows.\\n\\n\",\n \"epssScore\": 0.00045,\n \"source\": \"NVD\",\n \"cwes\": [\n {\n \"cweId\": 552,\n \"name\": \"Files or Directories Accessible to External Parties\",\n \"id\": 0\n }\n ],\n \"uuid\": \"bb2646ad-ce2f-4562-812d-2009fd43c772\",\n \"severityRank\": 1,\n \"cweName\": \"Files or Directories Accessible to External Parties\",\n \"epssPercentile\": 0.13314\n },\n \"analysis\": {\n \"isSuppressed\": false\n },\n \"matrix\": \"5840398e-605b-4326-9184-74e0e7c2a081:adf3b141-216d-4134-938c-2cf712193921:bb2646ad-ce2f-4562-812d-2009fd43c772\"\n}", + "results": [ + { + "status": "failed", + "code_desc": "", + "start_time": "2024-04-04T03:32:17Z" + } + ] + }, + { + "tags": { + "cweIds": [ + 732 + ], + "cweNames": [ + "Incorrect Permission Assignment for Critical Resource" + ], + "nist": [ + "AC-3" + ], + "cci": [ + "CCI-000213" + ], + "componentUuid": "adf3b141-216d-4134-938c-2cf712193921", + "componentName": "guava", + "componentGroup": "com.google.guava", + "componentVersion": "24.1.1-jre", + "componentLatestVersion": 
"33.1.0-jre", + "componentPurl": "pkg:maven/com.google.guava/guava@24.1.1-jre?type=jar", + "componentCpe": "", + "componentProject": "5840398e-605b-4326-9184-74e0e7c2a081", + "vulnerabilityUuid": "c0892871-5e2b-4f83-95fd-52b9c762f23a", + "vulnerabilitySource": "NVD", + "vulnerabilityVulnId": "CVE-2020-8908", + "vulnerabilityTitle": "", + "vulnerabilitySubtitle": "", + "vulnerabilityAliases": "[]", + "vulnerabilityCvssV2BaseScore": 2.1, + "vulnerabilityCvssV3BaseScore": 3.3, + "vulnerabilityOwaspLikelihoodScore": "", + "vulnerabilityOwaspTechnicalImpactScore": "", + "vulnerabilityOwaspBusinessImpactScore": "", + "vulnerabilitySeverityRank": 3, + "vulnerabilityEpssScore": 0.0006, + "vulnerabilityEpssPercentile": 0.237, + "vulnerabilityCweId": 732, + "vulnerabilityCweName": "Incorrect Permission Assignment for Critical Resource", + "attributionAnalyzerIdentity": "OSSINDEX_ANALYZER", + "attributionAttributedOn": "2024-04-04 03:29:41.018", + "attributionAlternateIdentifier": "CVE-2020-8908", + "attributionReferenceUrl": "https://ossindex.sonatype.org/vulnerability/CVE-2020-8908?component-type=maven&component-name=com.google.guava%2Fguava&utm_source=dependency-track&utm_medium=integration&utm_content=v4.10.1", + "analysisState": "", + "analysisIsSuppressed": "" + }, + "refs": [], + "source_location": {}, + "title": "pkg:maven/com.google.guava/guava@24.1.1-jre?type=jar", + "id": "5840398e-605b-4326-9184-74e0e7c2a081:adf3b141-216d-4134-938c-2cf712193921:c0892871-5e2b-4f83-95fd-52b9c762f23a", + "desc": "A temp directory creation vulnerability exists in all versions of Guava, allowing an attacker with access to the machine to potentially access data in a temporary directory created by the Guava API com.google.common.io.Files.createTempDir(). By default, on unix-like systems, the created directory is world-readable (readable by an attacker with access to the system). The method in question has been marked @Deprecated in versions 30.0 and later and should not be used. 
For Android developers, we recommend choosing a temporary directory API provided by Android, such as context.getCacheDir(). For other Java developers, we recommend migrating to the Java 7 API java.nio.file.Files.createTempDirectory() which explicitly configures permissions of 700, or configuring the Java runtime's java.io.tmpdir system property to point to a location whose permissions are appropriately configured.\n\n", + "descriptions": [ + { + "data": "A temp directory creation vulnerability exists in all versions of Guava, allowing an attacker with access to the machine to potentially access data in a temporary directory created by the Guava API com.google.common.io.Files.createTempDir(). By default, on unix-like systems, the created directory is world-readable (readable by an attacker with access to the system). The method in question has been marked @Deprecated in versions 30.0 and later and should not be used. For Android developers, we recommend choosing a temporary directory API provided by Android, such as context.getCacheDir(). 
For other Java developers, we recommend migrating to the Java 7 API java.nio.file.Files.createTempDirectory() which explicitly configures permissions of 700, or configuring the Java runtime's java.io.tmpdir system property to point to a location whose permissions are appropriately configured.\n\n", + "label": "check" + }, + { + "data": "", + "label": "fix" + } + ], + "impact": 0.3, + "code": "{\n \"component\": {\n \"latestVersion\": \"33.1.0-jre\",\n \"name\": \"guava\",\n \"project\": \"5840398e-605b-4326-9184-74e0e7c2a081\",\n \"purl\": \"pkg:maven/com.google.guava/guava@24.1.1-jre?type=jar\",\n \"uuid\": \"adf3b141-216d-4134-938c-2cf712193921\",\n \"version\": \"24.1.1-jre\",\n \"group\": \"com.google.guava\"\n },\n \"attribution\": {\n \"alternateIdentifier\": \"CVE-2020-8908\",\n \"analyzerIdentity\": \"OSSINDEX_ANALYZER\",\n \"attributedOn\": \"2024-04-04 03:29:41.018\",\n \"referenceUrl\": \"https://ossindex.sonatype.org/vulnerability/CVE-2020-8908?component-type=maven&component-name=com.google.guava%2Fguava&utm_source=dependency-track&utm_medium=integration&utm_content=v4.10.1\"\n },\n \"vulnerability\": {\n \"severity\": \"LOW\",\n \"cvssV3BaseScore\": 3.3,\n \"vulnId\": \"CVE-2020-8908\",\n \"aliases\": [],\n \"cweId\": 732,\n \"description\": \"A temp directory creation vulnerability exists in all versions of Guava, allowing an attacker with access to the machine to potentially access data in a temporary directory created by the Guava API com.google.common.io.Files.createTempDir(). By default, on unix-like systems, the created directory is world-readable (readable by an attacker with access to the system). The method in question has been marked @Deprecated in versions 30.0 and later and should not be used. For Android developers, we recommend choosing a temporary directory API provided by Android, such as context.getCacheDir(). 
For other Java developers, we recommend migrating to the Java 7 API java.nio.file.Files.createTempDirectory() which explicitly configures permissions of 700, or configuring the Java runtime's java.io.tmpdir system property to point to a location whose permissions are appropriately configured.\\n\\n\",\n \"epssScore\": 0.0006,\n \"source\": \"NVD\",\n \"cwes\": [\n {\n \"cweId\": 732,\n \"name\": \"Incorrect Permission Assignment for Critical Resource\",\n \"id\": 0\n }\n ],\n \"uuid\": \"c0892871-5e2b-4f83-95fd-52b9c762f23a\",\n \"severityRank\": 3,\n \"cweName\": \"Incorrect Permission Assignment for Critical Resource\",\n \"epssPercentile\": 0.237,\n \"cvssV2BaseScore\": 2.1\n },\n \"analysis\": {\n \"isSuppressed\": false\n },\n \"matrix\": \"5840398e-605b-4326-9184-74e0e7c2a081:adf3b141-216d-4134-938c-2cf712193921:c0892871-5e2b-4f83-95fd-52b9c762f23a\"\n}", + "results": [ + { + "status": "failed", + "code_desc": "", + "start_time": "2024-04-04T03:32:17Z" + } + ] + }, + { + "tags": { + "cweIds": [ + 502 + ], + "cweNames": [ + "Deserialization of Untrusted Data" + ], + "nist": [ + "SI-10" + ], + "cci": [ + "CCI-001310" + ], + "componentUuid": "0ba815f6-1c3e-4b6b-a154-f4c6bdcca93a", + "componentName": "jackson-databind", + "componentGroup": "com.fasterxml.jackson.core", + "componentVersion": "2.9.10", + "componentLatestVersion": "2.17.0", + "componentPurl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.10?type=jar", + "componentCpe": "", + "componentProject": "5840398e-605b-4326-9184-74e0e7c2a081", + "vulnerabilityUuid": "36fe1129-dd7a-472b-b532-c285fe194704", + "vulnerabilitySource": "NVD", + "vulnerabilityVulnId": "CVE-2019-16942", + "vulnerabilityTitle": "", + "vulnerabilitySubtitle": "", + "vulnerabilityAliases": "[]", + "vulnerabilityCvssV2BaseScore": 7.5, + "vulnerabilityCvssV3BaseScore": 9.8, + "vulnerabilityOwaspLikelihoodScore": "", + "vulnerabilityOwaspTechnicalImpactScore": "", + "vulnerabilityOwaspBusinessImpactScore": "", + 
"vulnerabilitySeverityRank": "", + "vulnerabilityEpssScore": 0.00404, + "vulnerabilityEpssPercentile": 0.7328, + "vulnerabilityCweId": 502, + "vulnerabilityCweName": "Deserialization of Untrusted Data", + "attributionAnalyzerIdentity": "OSSINDEX_ANALYZER", + "attributionAttributedOn": "2024-04-04 03:29:41.047", + "attributionAlternateIdentifier": "CVE-2019-16942", + "attributionReferenceUrl": "https://ossindex.sonatype.org/vulnerability/CVE-2019-16942?component-type=maven&component-name=com.fasterxml.jackson.core%2Fjackson-databind&utm_source=dependency-track&utm_medium=integration&utm_content=v4.10.1", + "analysisState": "", + "analysisIsSuppressed": "" + }, + "refs": [], + "source_location": {}, + "title": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.10?type=jar", + "id": "5840398e-605b-4326-9184-74e0e7c2a081:0ba815f6-1c3e-4b6b-a154-f4c6bdcca93a:36fe1129-dd7a-472b-b532-c285fe194704", + "desc": "A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the commons-dbcp (1.4) jar in the classpath, and an attacker can find an RMI service endpoint to access, it is possible to make the service execute a malicious payload. This issue exists because of org.apache.commons.dbcp.datasources.SharedPoolDataSource and org.apache.commons.dbcp.datasources.PerUserPoolDataSource mishandling.", + "descriptions": [ + { + "data": "A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the commons-dbcp (1.4) jar in the classpath, and an attacker can find an RMI service endpoint to access, it is possible to make the service execute a malicious payload. 
This issue exists because of org.apache.commons.dbcp.datasources.SharedPoolDataSource and org.apache.commons.dbcp.datasources.PerUserPoolDataSource mishandling.", + "label": "check" + }, + { + "data": "", + "label": "fix" + } + ], + "impact": 0.9, + "code": "{\n \"component\": {\n \"latestVersion\": \"2.17.0\",\n \"name\": \"jackson-databind\",\n \"project\": \"5840398e-605b-4326-9184-74e0e7c2a081\",\n \"purl\": \"pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.10?type=jar\",\n \"uuid\": \"0ba815f6-1c3e-4b6b-a154-f4c6bdcca93a\",\n \"version\": \"2.9.10\",\n \"group\": \"com.fasterxml.jackson.core\"\n },\n \"attribution\": {\n \"alternateIdentifier\": \"CVE-2019-16942\",\n \"analyzerIdentity\": \"OSSINDEX_ANALYZER\",\n \"attributedOn\": \"2024-04-04 03:29:41.047\",\n \"referenceUrl\": \"https://ossindex.sonatype.org/vulnerability/CVE-2019-16942?component-type=maven&component-name=com.fasterxml.jackson.core%2Fjackson-databind&utm_source=dependency-track&utm_medium=integration&utm_content=v4.10.1\"\n },\n \"vulnerability\": {\n \"severity\": \"CRITICAL\",\n \"cvssV3BaseScore\": 9.8,\n \"vulnId\": \"CVE-2019-16942\",\n \"aliases\": [],\n \"cweId\": 502,\n \"description\": \"A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the commons-dbcp (1.4) jar in the classpath, and an attacker can find an RMI service endpoint to access, it is possible to make the service execute a malicious payload. 
This issue exists because of org.apache.commons.dbcp.datasources.SharedPoolDataSource and org.apache.commons.dbcp.datasources.PerUserPoolDataSource mishandling.\",\n \"epssScore\": 0.00404,\n \"source\": \"NVD\",\n \"cwes\": [\n {\n \"cweId\": 502,\n \"name\": \"Deserialization of Untrusted Data\",\n \"id\": 0\n }\n ],\n \"uuid\": \"36fe1129-dd7a-472b-b532-c285fe194704\",\n \"severityRank\": 0,\n \"cweName\": \"Deserialization of Untrusted Data\",\n \"epssPercentile\": 0.7328,\n \"cvssV2BaseScore\": 7.5\n },\n \"analysis\": {\n \"isSuppressed\": false\n },\n \"matrix\": \"5840398e-605b-4326-9184-74e0e7c2a081:0ba815f6-1c3e-4b6b-a154-f4c6bdcca93a:36fe1129-dd7a-472b-b532-c285fe194704\"\n}", + "results": [ + { + "status": "failed", + "code_desc": "", + "start_time": "2024-04-04T03:32:17Z" + } + ] + }, + { + "tags": { + "cweIds": [ + 502 + ], + "cweNames": [ + "Deserialization of Untrusted Data" + ], + "nist": [ + "SI-10" + ], + "cci": [ + "CCI-001310" + ], + "componentUuid": "0ba815f6-1c3e-4b6b-a154-f4c6bdcca93a", + "componentName": "jackson-databind", + "componentGroup": "com.fasterxml.jackson.core", + "componentVersion": "2.9.10", + "componentLatestVersion": "2.17.0", + "componentPurl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.10?type=jar", + "componentCpe": "", + "componentProject": "5840398e-605b-4326-9184-74e0e7c2a081", + "vulnerabilityUuid": "27ab6cf4-3273-42b4-ae69-ef8a0ead5813", + "vulnerabilitySource": "NVD", + "vulnerabilityVulnId": "CVE-2019-16943", + "vulnerabilityTitle": "", + "vulnerabilitySubtitle": "", + "vulnerabilityAliases": "[]", + "vulnerabilityCvssV2BaseScore": 6.8, + "vulnerabilityCvssV3BaseScore": 9.8, + "vulnerabilityOwaspLikelihoodScore": "", + "vulnerabilityOwaspTechnicalImpactScore": "", + "vulnerabilityOwaspBusinessImpactScore": "", + "vulnerabilitySeverityRank": "", + "vulnerabilityEpssScore": 0.00404, + "vulnerabilityEpssPercentile": 0.7328, + "vulnerabilityCweId": 502, + "vulnerabilityCweName": "Deserialization of 
Untrusted Data", + "attributionAnalyzerIdentity": "OSSINDEX_ANALYZER", + "attributionAttributedOn": "2024-04-04 03:29:41.05", + "attributionAlternateIdentifier": "CVE-2019-16943", + "attributionReferenceUrl": "https://ossindex.sonatype.org/vulnerability/CVE-2019-16943?component-type=maven&component-name=com.fasterxml.jackson.core%2Fjackson-databind&utm_source=dependency-track&utm_medium=integration&utm_content=v4.10.1", + "analysisState": "", + "analysisIsSuppressed": "" + }, + "refs": [], + "source_location": {}, + "title": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.10?type=jar", + "id": "5840398e-605b-4326-9184-74e0e7c2a081:0ba815f6-1c3e-4b6b-a154-f4c6bdcca93a:27ab6cf4-3273-42b4-ae69-ef8a0ead5813", + "desc": "A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the p6spy (3.8.6) jar in the classpath, and an attacker can find an RMI service endpoint to access, it is possible to make the service execute a malicious payload. This issue exists because of com.p6spy.engine.spy.P6DataSource mishandling.", + "descriptions": [ + { + "data": "A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the p6spy (3.8.6) jar in the classpath, and an attacker can find an RMI service endpoint to access, it is possible to make the service execute a malicious payload. 
This issue exists because of com.p6spy.engine.spy.P6DataSource mishandling.", + "label": "check" + }, + { + "data": "", + "label": "fix" + } + ], + "impact": 0.9, + "code": "{\n \"component\": {\n \"latestVersion\": \"2.17.0\",\n \"name\": \"jackson-databind\",\n \"project\": \"5840398e-605b-4326-9184-74e0e7c2a081\",\n \"purl\": \"pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.10?type=jar\",\n \"uuid\": \"0ba815f6-1c3e-4b6b-a154-f4c6bdcca93a\",\n \"version\": \"2.9.10\",\n \"group\": \"com.fasterxml.jackson.core\"\n },\n \"attribution\": {\n \"alternateIdentifier\": \"CVE-2019-16943\",\n \"analyzerIdentity\": \"OSSINDEX_ANALYZER\",\n \"attributedOn\": \"2024-04-04 03:29:41.05\",\n \"referenceUrl\": \"https://ossindex.sonatype.org/vulnerability/CVE-2019-16943?component-type=maven&component-name=com.fasterxml.jackson.core%2Fjackson-databind&utm_source=dependency-track&utm_medium=integration&utm_content=v4.10.1\"\n },\n \"vulnerability\": {\n \"severity\": \"CRITICAL\",\n \"cvssV3BaseScore\": 9.8,\n \"vulnId\": \"CVE-2019-16943\",\n \"aliases\": [],\n \"cweId\": 502,\n \"description\": \"A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the p6spy (3.8.6) jar in the classpath, and an attacker can find an RMI service endpoint to access, it is possible to make the service execute a malicious payload. 
This issue exists because of com.p6spy.engine.spy.P6DataSource mishandling.\",\n \"epssScore\": 0.00404,\n \"source\": \"NVD\",\n \"cwes\": [\n {\n \"cweId\": 502,\n \"name\": \"Deserialization of Untrusted Data\",\n \"id\": 0\n }\n ],\n \"uuid\": \"27ab6cf4-3273-42b4-ae69-ef8a0ead5813\",\n \"severityRank\": 0,\n \"cweName\": \"Deserialization of Untrusted Data\",\n \"epssPercentile\": 0.7328,\n \"cvssV2BaseScore\": 6.8\n },\n \"analysis\": {\n \"isSuppressed\": false\n },\n \"matrix\": \"5840398e-605b-4326-9184-74e0e7c2a081:0ba815f6-1c3e-4b6b-a154-f4c6bdcca93a:27ab6cf4-3273-42b4-ae69-ef8a0ead5813\"\n}", + "results": [ + { + "status": "failed", + "code_desc": "", + "start_time": "2024-04-04T03:32:17Z" + } + ] + }, + { + "tags": { + "cweIds": [ + 502 + ], + "cweNames": [ + "Deserialization of Untrusted Data" + ], + "nist": [ + "SI-10" + ], + "cci": [ + "CCI-001310" + ], + "componentUuid": "0ba815f6-1c3e-4b6b-a154-f4c6bdcca93a", + "componentName": "jackson-databind", + "componentGroup": "com.fasterxml.jackson.core", + "componentVersion": "2.9.10", + "componentLatestVersion": "2.17.0", + "componentPurl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.10?type=jar", + "componentCpe": "", + "componentProject": "5840398e-605b-4326-9184-74e0e7c2a081", + "vulnerabilityUuid": "357335a8-1f6f-4e1f-840b-cef1e1f4f029", + "vulnerabilitySource": "NVD", + "vulnerabilityVulnId": "CVE-2019-17531", + "vulnerabilityTitle": "", + "vulnerabilitySubtitle": "", + "vulnerabilityAliases": "[]", + "vulnerabilityCvssV2BaseScore": 6.8, + "vulnerabilityCvssV3BaseScore": 9.8, + "vulnerabilityOwaspLikelihoodScore": "", + "vulnerabilityOwaspTechnicalImpactScore": "", + "vulnerabilityOwaspBusinessImpactScore": "", + "vulnerabilitySeverityRank": "", + "vulnerabilityEpssScore": 0.00784, + "vulnerabilityEpssPercentile": 0.81055, + "vulnerabilityCweId": 502, + "vulnerabilityCweName": "Deserialization of Untrusted Data", + "attributionAnalyzerIdentity": "OSSINDEX_ANALYZER", + 
"attributionAttributedOn": "2024-04-04 03:29:41.06", + "attributionAlternateIdentifier": "CVE-2019-17531", + "attributionReferenceUrl": "https://ossindex.sonatype.org/vulnerability/CVE-2019-17531?component-type=maven&component-name=com.fasterxml.jackson.core%2Fjackson-databind&utm_source=dependency-track&utm_medium=integration&utm_content=v4.10.1", + "analysisState": "", + "analysisIsSuppressed": "" + }, + "refs": [], + "source_location": {}, + "title": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.10?type=jar", + "id": "5840398e-605b-4326-9184-74e0e7c2a081:0ba815f6-1c3e-4b6b-a154-f4c6bdcca93a:357335a8-1f6f-4e1f-840b-cef1e1f4f029", + "desc": "A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the apache-log4j-extra (version 1.2.x) jar in the classpath, and an attacker can provide a JNDI service to access, it is possible to make the service execute a malicious payload.", + "descriptions": [ + { + "data": "A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. 
When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the apache-log4j-extra (version 1.2.x) jar in the classpath, and an attacker can provide a JNDI service to access, it is possible to make the service execute a malicious payload.", + "label": "check" + }, + { + "data": "", + "label": "fix" + } + ], + "impact": 0.9, + "code": "{\n \"component\": {\n \"latestVersion\": \"2.17.0\",\n \"name\": \"jackson-databind\",\n \"project\": \"5840398e-605b-4326-9184-74e0e7c2a081\",\n \"purl\": \"pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.10?type=jar\",\n \"uuid\": \"0ba815f6-1c3e-4b6b-a154-f4c6bdcca93a\",\n \"version\": \"2.9.10\",\n \"group\": \"com.fasterxml.jackson.core\"\n },\n \"attribution\": {\n \"alternateIdentifier\": \"CVE-2019-17531\",\n \"analyzerIdentity\": \"OSSINDEX_ANALYZER\",\n \"attributedOn\": \"2024-04-04 03:29:41.06\",\n \"referenceUrl\": \"https://ossindex.sonatype.org/vulnerability/CVE-2019-17531?component-type=maven&component-name=com.fasterxml.jackson.core%2Fjackson-databind&utm_source=dependency-track&utm_medium=integration&utm_content=v4.10.1\"\n },\n \"vulnerability\": {\n \"severity\": \"CRITICAL\",\n \"cvssV3BaseScore\": 9.8,\n \"vulnId\": \"CVE-2019-17531\",\n \"aliases\": [],\n \"cweId\": 502,\n \"description\": \"A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. 
When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the apache-log4j-extra (version 1.2.x) jar in the classpath, and an attacker can provide a JNDI service to access, it is possible to make the service execute a malicious payload.\",\n \"epssScore\": 0.00784,\n \"source\": \"NVD\",\n \"cwes\": [\n {\n \"cweId\": 502,\n \"name\": \"Deserialization of Untrusted Data\",\n \"id\": 0\n }\n ],\n \"uuid\": \"357335a8-1f6f-4e1f-840b-cef1e1f4f029\",\n \"severityRank\": 0,\n \"cweName\": \"Deserialization of Untrusted Data\",\n \"epssPercentile\": 0.81055,\n \"cvssV2BaseScore\": 6.8\n },\n \"analysis\": {\n \"isSuppressed\": false\n },\n \"matrix\": \"5840398e-605b-4326-9184-74e0e7c2a081:0ba815f6-1c3e-4b6b-a154-f4c6bdcca93a:357335a8-1f6f-4e1f-840b-cef1e1f4f029\"\n}", + "results": [ + { + "status": "failed", + "code_desc": "", + "start_time": "2024-04-04T03:32:17Z" + } + ] + }, + { + "tags": { + "cweIds": [ + 611 + ], + "cweNames": [ + "Improper Restriction of XML External Entity Reference" + ], + "nist": [ + "SI-10" + ], + "cci": [ + "CCI-001310" + ], + "componentUuid": "0ba815f6-1c3e-4b6b-a154-f4c6bdcca93a", + "componentName": "jackson-databind", + "componentGroup": "com.fasterxml.jackson.core", + "componentVersion": "2.9.10", + "componentLatestVersion": "2.17.0", + "componentPurl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.10?type=jar", + "componentCpe": "", + "componentProject": "5840398e-605b-4326-9184-74e0e7c2a081", + "vulnerabilityUuid": "5ded34b0-06d1-44da-b109-4bad4e98aa01", + "vulnerabilitySource": "NVD", + "vulnerabilityVulnId": "CVE-2020-25649", + "vulnerabilityTitle": "", + "vulnerabilitySubtitle": "", + "vulnerabilityAliases": "[]", + "vulnerabilityCvssV2BaseScore": 5, + "vulnerabilityCvssV3BaseScore": 7.5, + "vulnerabilityOwaspLikelihoodScore": "", + "vulnerabilityOwaspTechnicalImpactScore": "", + "vulnerabilityOwaspBusinessImpactScore": "", + 
"vulnerabilitySeverityRank": 1, + "vulnerabilityEpssScore": 0.00359, + "vulnerabilityEpssPercentile": 0.71729, + "vulnerabilityCweId": 611, + "vulnerabilityCweName": "Improper Restriction of XML External Entity Reference", + "attributionAnalyzerIdentity": "OSSINDEX_ANALYZER", + "attributionAttributedOn": "2024-04-04 03:29:41.069", + "attributionAlternateIdentifier": "CVE-2020-25649", + "attributionReferenceUrl": "https://ossindex.sonatype.org/vulnerability/CVE-2020-25649?component-type=maven&component-name=com.fasterxml.jackson.core%2Fjackson-databind&utm_source=dependency-track&utm_medium=integration&utm_content=v4.10.1", + "analysisState": "", + "analysisIsSuppressed": "" + }, + "refs": [], + "source_location": {}, + "title": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.10?type=jar", + "id": "5840398e-605b-4326-9184-74e0e7c2a081:0ba815f6-1c3e-4b6b-a154-f4c6bdcca93a:5ded34b0-06d1-44da-b109-4bad4e98aa01", + "desc": "A flaw was found in FasterXML Jackson Databind, where it did not have entity expansion secured properly. This flaw allows vulnerability to XML external entity (XXE) attacks. The highest threat from this vulnerability is data integrity.", + "descriptions": [ + { + "data": "A flaw was found in FasterXML Jackson Databind, where it did not have entity expansion secured properly. This flaw allows vulnerability to XML external entity (XXE) attacks. 
The highest threat from this vulnerability is data integrity.", + "label": "check" + }, + { + "data": "", + "label": "fix" + } + ], + "impact": 0.7, + "code": "{\n \"component\": {\n \"latestVersion\": \"2.17.0\",\n \"name\": \"jackson-databind\",\n \"project\": \"5840398e-605b-4326-9184-74e0e7c2a081\",\n \"purl\": \"pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.10?type=jar\",\n \"uuid\": \"0ba815f6-1c3e-4b6b-a154-f4c6bdcca93a\",\n \"version\": \"2.9.10\",\n \"group\": \"com.fasterxml.jackson.core\"\n },\n \"attribution\": {\n \"alternateIdentifier\": \"CVE-2020-25649\",\n \"analyzerIdentity\": \"OSSINDEX_ANALYZER\",\n \"attributedOn\": \"2024-04-04 03:29:41.069\",\n \"referenceUrl\": \"https://ossindex.sonatype.org/vulnerability/CVE-2020-25649?component-type=maven&component-name=com.fasterxml.jackson.core%2Fjackson-databind&utm_source=dependency-track&utm_medium=integration&utm_content=v4.10.1\"\n },\n \"vulnerability\": {\n \"severity\": \"HIGH\",\n \"cvssV3BaseScore\": 7.5,\n \"vulnId\": \"CVE-2020-25649\",\n \"aliases\": [],\n \"cweId\": 611,\n \"description\": \"A flaw was found in FasterXML Jackson Databind, where it did not have entity expansion secured properly. This flaw allows vulnerability to XML external entity (XXE) attacks. 
The highest threat from this vulnerability is data integrity.\",\n \"epssScore\": 0.00359,\n \"source\": \"NVD\",\n \"cwes\": [\n {\n \"cweId\": 611,\n \"name\": \"Improper Restriction of XML External Entity Reference\",\n \"id\": 0\n }\n ],\n \"uuid\": \"5ded34b0-06d1-44da-b109-4bad4e98aa01\",\n \"severityRank\": 1,\n \"cweName\": \"Improper Restriction of XML External Entity Reference\",\n \"epssPercentile\": 0.71729,\n \"cvssV2BaseScore\": 5\n },\n \"analysis\": {\n \"isSuppressed\": false\n },\n \"matrix\": \"5840398e-605b-4326-9184-74e0e7c2a081:0ba815f6-1c3e-4b6b-a154-f4c6bdcca93a:5ded34b0-06d1-44da-b109-4bad4e98aa01\"\n}", + "results": [ + { + "status": "failed", + "code_desc": "", + "start_time": "2024-04-04T03:32:17Z" + } + ] + }, + { + "tags": { + "cweIds": [ + 787 + ], + "cweNames": [ + "Out-of-bounds Write" + ], + "nist": [ + "SI-10" + ], + "cci": [ + "CCI-001310" + ], + "componentUuid": "0ba815f6-1c3e-4b6b-a154-f4c6bdcca93a", + "componentName": "jackson-databind", + "componentGroup": "com.fasterxml.jackson.core", + "componentVersion": "2.9.10", + "componentLatestVersion": "2.17.0", + "componentPurl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.10?type=jar", + "componentCpe": "", + "componentProject": "5840398e-605b-4326-9184-74e0e7c2a081", + "vulnerabilityUuid": "5eddfb79-9d3d-4c52-83f7-641004472d4f", + "vulnerabilitySource": "NVD", + "vulnerabilityVulnId": "CVE-2020-36518", + "vulnerabilityTitle": "", + "vulnerabilitySubtitle": "", + "vulnerabilityAliases": "[]", + "vulnerabilityCvssV2BaseScore": 5, + "vulnerabilityCvssV3BaseScore": 7.5, + "vulnerabilityOwaspLikelihoodScore": "", + "vulnerabilityOwaspTechnicalImpactScore": "", + "vulnerabilityOwaspBusinessImpactScore": "", + "vulnerabilitySeverityRank": 1, + "vulnerabilityEpssScore": 0.00218, + "vulnerabilityEpssPercentile": 0.5927, + "vulnerabilityCweId": 787, + "vulnerabilityCweName": "Out-of-bounds Write", + "attributionAnalyzerIdentity": "OSSINDEX_ANALYZER", + 
"attributionAttributedOn": "2024-04-04 03:29:41.076", + "attributionAlternateIdentifier": "CVE-2020-36518", + "attributionReferenceUrl": "https://ossindex.sonatype.org/vulnerability/CVE-2020-36518?component-type=maven&component-name=com.fasterxml.jackson.core%2Fjackson-databind&utm_source=dependency-track&utm_medium=integration&utm_content=v4.10.1", + "analysisState": "", + "analysisIsSuppressed": "" + }, + "refs": [], + "source_location": {}, + "title": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.10?type=jar", + "id": "5840398e-605b-4326-9184-74e0e7c2a081:0ba815f6-1c3e-4b6b-a154-f4c6bdcca93a:5eddfb79-9d3d-4c52-83f7-641004472d4f", + "desc": "jackson-databind before 2.13.0 allows a Java StackOverflow exception and denial of service via a large depth of nested objects.", + "descriptions": [ + { + "data": "jackson-databind before 2.13.0 allows a Java StackOverflow exception and denial of service via a large depth of nested objects.", + "label": "check" + }, + { + "data": "", + "label": "fix" + } + ], + "impact": 0.7, + "code": "{\n \"component\": {\n \"latestVersion\": \"2.17.0\",\n \"name\": \"jackson-databind\",\n \"project\": \"5840398e-605b-4326-9184-74e0e7c2a081\",\n \"purl\": \"pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.10?type=jar\",\n \"uuid\": \"0ba815f6-1c3e-4b6b-a154-f4c6bdcca93a\",\n \"version\": \"2.9.10\",\n \"group\": \"com.fasterxml.jackson.core\"\n },\n \"attribution\": {\n \"alternateIdentifier\": \"CVE-2020-36518\",\n \"analyzerIdentity\": \"OSSINDEX_ANALYZER\",\n \"attributedOn\": \"2024-04-04 03:29:41.076\",\n \"referenceUrl\": \"https://ossindex.sonatype.org/vulnerability/CVE-2020-36518?component-type=maven&component-name=com.fasterxml.jackson.core%2Fjackson-databind&utm_source=dependency-track&utm_medium=integration&utm_content=v4.10.1\"\n },\n \"vulnerability\": {\n \"severity\": \"HIGH\",\n \"cvssV3BaseScore\": 7.5,\n \"vulnId\": \"CVE-2020-36518\",\n \"aliases\": [],\n \"cweId\": 787,\n \"description\": 
\"jackson-databind before 2.13.0 allows a Java StackOverflow exception and denial of service via a large depth of nested objects.\",\n \"epssScore\": 0.00218,\n \"source\": \"NVD\",\n \"cwes\": [\n {\n \"cweId\": 787,\n \"name\": \"Out-of-bounds Write\",\n \"id\": 0\n }\n ],\n \"uuid\": \"5eddfb79-9d3d-4c52-83f7-641004472d4f\",\n \"severityRank\": 1,\n \"cweName\": \"Out-of-bounds Write\",\n \"epssPercentile\": 0.5927,\n \"cvssV2BaseScore\": 5\n },\n \"analysis\": {\n \"isSuppressed\": false\n },\n \"matrix\": \"5840398e-605b-4326-9184-74e0e7c2a081:0ba815f6-1c3e-4b6b-a154-f4c6bdcca93a:5eddfb79-9d3d-4c52-83f7-641004472d4f\"\n}", + "results": [ + { + "status": "failed", + "code_desc": "", + "start_time": "2024-04-04T03:32:17Z" + } + ] + }, + { + "tags": { + "cweIds": [ + 502 + ], + "cweNames": [ + "Deserialization of Untrusted Data" + ], + "nist": [ + "SI-10" + ], + "cci": [ + "CCI-001310" + ], + "componentUuid": "0ba815f6-1c3e-4b6b-a154-f4c6bdcca93a", + "componentName": "jackson-databind", + "componentGroup": "com.fasterxml.jackson.core", + "componentVersion": "2.9.10", + "componentLatestVersion": "2.17.0", + "componentPurl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.10?type=jar", + "componentCpe": "", + "componentProject": "5840398e-605b-4326-9184-74e0e7c2a081", + "vulnerabilityUuid": "96c8b7ec-6ebf-4bd9-98eb-6409629c5479", + "vulnerabilitySource": "NVD", + "vulnerabilityVulnId": "CVE-2022-42003", + "vulnerabilityTitle": "", + "vulnerabilitySubtitle": "", + "vulnerabilityAliases": "[]", + "vulnerabilityCvssV2BaseScore": "", + "vulnerabilityCvssV3BaseScore": 7.5, + "vulnerabilityOwaspLikelihoodScore": "", + "vulnerabilityOwaspTechnicalImpactScore": "", + "vulnerabilityOwaspBusinessImpactScore": "", + "vulnerabilitySeverityRank": 1, + "vulnerabilityEpssScore": "", + "vulnerabilityEpssPercentile": "", + "vulnerabilityCweId": 502, + "vulnerabilityCweName": "Deserialization of Untrusted Data", + "attributionAnalyzerIdentity": "OSSINDEX_ANALYZER", + 
"attributionAttributedOn": "2024-04-04 03:29:41.083", + "attributionAlternateIdentifier": "CVE-2022-42003", + "attributionReferenceUrl": "https://ossindex.sonatype.org/vulnerability/CVE-2022-42003?component-type=maven&component-name=com.fasterxml.jackson.core%2Fjackson-databind&utm_source=dependency-track&utm_medium=integration&utm_content=v4.10.1", + "analysisState": "", + "analysisIsSuppressed": "" + }, + "refs": [], + "source_location": {}, + "title": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.10?type=jar", + "id": "5840398e-605b-4326-9184-74e0e7c2a081:0ba815f6-1c3e-4b6b-a154-f4c6bdcca93a:96c8b7ec-6ebf-4bd9-98eb-6409629c5479", + "desc": "In FasterXML jackson-databind before versions 2.13.4.1 and 2.12.17.1, resource exhaustion can occur because of a lack of a check in primitive value deserializers to avoid deep wrapper array nesting, when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled.", + "descriptions": [ + { + "data": "In FasterXML jackson-databind before versions 2.13.4.1 and 2.12.17.1, resource exhaustion can occur because of a lack of a check in primitive value deserializers to avoid deep wrapper array nesting, when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled.", + "label": "check" + }, + { + "data": "", + "label": "fix" + } + ], + "impact": 0.7, + "code": "{\n \"component\": {\n \"latestVersion\": \"2.17.0\",\n \"name\": \"jackson-databind\",\n \"project\": \"5840398e-605b-4326-9184-74e0e7c2a081\",\n \"purl\": \"pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.10?type=jar\",\n \"uuid\": \"0ba815f6-1c3e-4b6b-a154-f4c6bdcca93a\",\n \"version\": \"2.9.10\",\n \"group\": \"com.fasterxml.jackson.core\"\n },\n \"attribution\": {\n \"alternateIdentifier\": \"CVE-2022-42003\",\n \"analyzerIdentity\": \"OSSINDEX_ANALYZER\",\n \"attributedOn\": \"2024-04-04 03:29:41.083\",\n \"referenceUrl\": 
\"https://ossindex.sonatype.org/vulnerability/CVE-2022-42003?component-type=maven&component-name=com.fasterxml.jackson.core%2Fjackson-databind&utm_source=dependency-track&utm_medium=integration&utm_content=v4.10.1\"\n },\n \"vulnerability\": {\n \"severity\": \"HIGH\",\n \"cvssV3BaseScore\": 7.5,\n \"severityRank\": 1,\n \"cweName\": \"Deserialization of Untrusted Data\",\n \"vulnId\": \"CVE-2022-42003\",\n \"aliases\": [],\n \"cweId\": 502,\n \"description\": \"In FasterXML jackson-databind before versions 2.13.4.1 and 2.12.17.1, resource exhaustion can occur because of a lack of a check in primitive value deserializers to avoid deep wrapper array nesting, when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled.\",\n \"source\": \"NVD\",\n \"cwes\": [\n {\n \"cweId\": 502,\n \"name\": \"Deserialization of Untrusted Data\",\n \"id\": 0\n }\n ],\n \"uuid\": \"96c8b7ec-6ebf-4bd9-98eb-6409629c5479\"\n },\n \"analysis\": {\n \"isSuppressed\": false\n },\n \"matrix\": \"5840398e-605b-4326-9184-74e0e7c2a081:0ba815f6-1c3e-4b6b-a154-f4c6bdcca93a:96c8b7ec-6ebf-4bd9-98eb-6409629c5479\"\n}", + "results": [ + { + "status": "failed", + "code_desc": "", + "start_time": "2024-04-04T03:32:17Z" + } + ] + }, + { + "tags": { + "cweIds": [ + 502 + ], + "cweNames": [ + "Deserialization of Untrusted Data" + ], + "nist": [ + "SI-10" + ], + "cci": [ + "CCI-001310" + ], + "componentUuid": "0ba815f6-1c3e-4b6b-a154-f4c6bdcca93a", + "componentName": "jackson-databind", + "componentGroup": "com.fasterxml.jackson.core", + "componentVersion": "2.9.10", + "componentLatestVersion": "2.17.0", + "componentPurl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.10?type=jar", + "componentCpe": "", + "componentProject": "5840398e-605b-4326-9184-74e0e7c2a081", + "vulnerabilityUuid": "652dbe30-f681-47a3-8d41-3f83c4a570a6", + "vulnerabilitySource": "NVD", + "vulnerabilityVulnId": "CVE-2022-42004", + "vulnerabilityTitle": "", + "vulnerabilitySubtitle": "", + "vulnerabilityAliases": "[]", + 
"vulnerabilityCvssV2BaseScore": "", + "vulnerabilityCvssV3BaseScore": 7.5, + "vulnerabilityOwaspLikelihoodScore": "", + "vulnerabilityOwaspTechnicalImpactScore": "", + "vulnerabilityOwaspBusinessImpactScore": "", + "vulnerabilitySeverityRank": 1, + "vulnerabilityEpssScore": "", + "vulnerabilityEpssPercentile": "", + "vulnerabilityCweId": 502, + "vulnerabilityCweName": "Deserialization of Untrusted Data", + "attributionAnalyzerIdentity": "OSSINDEX_ANALYZER", + "attributionAttributedOn": "2024-04-04 03:29:41.086", + "attributionAlternateIdentifier": "CVE-2022-42004", + "attributionReferenceUrl": "https://ossindex.sonatype.org/vulnerability/CVE-2022-42004?component-type=maven&component-name=com.fasterxml.jackson.core%2Fjackson-databind&utm_source=dependency-track&utm_medium=integration&utm_content=v4.10.1", + "analysisState": "", + "analysisIsSuppressed": "" + }, + "refs": [], + "source_location": {}, + "title": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.10?type=jar", + "id": "5840398e-605b-4326-9184-74e0e7c2a081:0ba815f6-1c3e-4b6b-a154-f4c6bdcca93a:652dbe30-f681-47a3-8d41-3f83c4a570a6", + "desc": "In FasterXML jackson-databind before 2.13.4, resource exhaustion can occur because of a lack of a check in BeanDeserializer._deserializeFromArray to prevent use of deeply nested arrays. An application is vulnerable only with certain customized choices for deserialization.", + "descriptions": [ + { + "data": "In FasterXML jackson-databind before 2.13.4, resource exhaustion can occur because of a lack of a check in BeanDeserializer._deserializeFromArray to prevent use of deeply nested arrays. 
An application is vulnerable only with certain customized choices for deserialization.", + "label": "check" + }, + { + "data": "", + "label": "fix" + } + ], + "impact": 0.7, + "code": "{\n \"component\": {\n \"latestVersion\": \"2.17.0\",\n \"name\": \"jackson-databind\",\n \"project\": \"5840398e-605b-4326-9184-74e0e7c2a081\",\n \"purl\": \"pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.10?type=jar\",\n \"uuid\": \"0ba815f6-1c3e-4b6b-a154-f4c6bdcca93a\",\n \"version\": \"2.9.10\",\n \"group\": \"com.fasterxml.jackson.core\"\n },\n \"attribution\": {\n \"alternateIdentifier\": \"CVE-2022-42004\",\n \"analyzerIdentity\": \"OSSINDEX_ANALYZER\",\n \"attributedOn\": \"2024-04-04 03:29:41.086\",\n \"referenceUrl\": \"https://ossindex.sonatype.org/vulnerability/CVE-2022-42004?component-type=maven&component-name=com.fasterxml.jackson.core%2Fjackson-databind&utm_source=dependency-track&utm_medium=integration&utm_content=v4.10.1\"\n },\n \"vulnerability\": {\n \"severity\": \"HIGH\",\n \"cvssV3BaseScore\": 7.5,\n \"severityRank\": 1,\n \"cweName\": \"Deserialization of Untrusted Data\",\n \"vulnId\": \"CVE-2022-42004\",\n \"aliases\": [],\n \"cweId\": 502,\n \"description\": \"In FasterXML jackson-databind before 2.13.4, resource exhaustion can occur because of a lack of a check in BeanDeserializer._deserializeFromArray to prevent use of deeply nested arrays. 
An application is vulnerable only with certain customized choices for deserialization.\",\n \"source\": \"NVD\",\n \"cwes\": [\n {\n \"cweId\": 502,\n \"name\": \"Deserialization of Untrusted Data\",\n \"id\": 0\n }\n ],\n \"uuid\": \"652dbe30-f681-47a3-8d41-3f83c4a570a6\"\n },\n \"analysis\": {\n \"isSuppressed\": false\n },\n \"matrix\": \"5840398e-605b-4326-9184-74e0e7c2a081:0ba815f6-1c3e-4b6b-a154-f4c6bdcca93a:652dbe30-f681-47a3-8d41-3f83c4a570a6\"\n}", + "results": [ + { + "status": "failed", + "code_desc": "", + "start_time": "2024-04-04T03:32:17Z" + } + ] + }, + { + "tags": { + "cweIds": [ + 79 + ], + "cweNames": [ + "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')" + ], + "nist": [ + "SI-10" + ], + "cci": [ + "CCI-001310" + ], + "componentUuid": "6f118da8-0dcd-41fd-9245-dee1f98c6376", + "componentName": "hibernate-validator", + "componentGroup": "org.hibernate", + "componentVersion": "5.4.3.Final", + "componentLatestVersion": "8.0.1.Final", + "componentPurl": "pkg:maven/org.hibernate/hibernate-validator@5.4.3.Final?type=jar", + "componentCpe": "", + "componentProject": "5840398e-605b-4326-9184-74e0e7c2a081", + "vulnerabilityUuid": "3d6b18a1-a9af-4f8a-81f9-298472b7fb06", + "vulnerabilitySource": "NVD", + "vulnerabilityVulnId": "CVE-2019-10219", + "vulnerabilityTitle": "", + "vulnerabilitySubtitle": "", + "vulnerabilityAliases": "[]", + "vulnerabilityCvssV2BaseScore": 4.3, + "vulnerabilityCvssV3BaseScore": 6.1, + "vulnerabilityOwaspLikelihoodScore": "", + "vulnerabilityOwaspTechnicalImpactScore": "", + "vulnerabilityOwaspBusinessImpactScore": "", + "vulnerabilitySeverityRank": 2, + "vulnerabilityEpssScore": 0.00232, + "vulnerabilityEpssPercentile": 0.60676, + "vulnerabilityCweId": 79, + "vulnerabilityCweName": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", + "attributionAnalyzerIdentity": "OSSINDEX_ANALYZER", + "attributionAttributedOn": "2024-04-04 03:29:41.118", + 
"attributionAlternateIdentifier": "CVE-2019-10219", + "attributionReferenceUrl": "https://ossindex.sonatype.org/vulnerability/CVE-2019-10219?component-type=maven&component-name=org.hibernate%2Fhibernate-validator&utm_source=dependency-track&utm_medium=integration&utm_content=v4.10.1", + "analysisState": "", + "analysisIsSuppressed": "" + }, + "refs": [], + "source_location": {}, + "title": "pkg:maven/org.hibernate/hibernate-validator@5.4.3.Final?type=jar", + "id": "5840398e-605b-4326-9184-74e0e7c2a081:6f118da8-0dcd-41fd-9245-dee1f98c6376:3d6b18a1-a9af-4f8a-81f9-298472b7fb06", + "desc": "A vulnerability was found in Hibernate-Validator. The SafeHtml validator annotation fails to properly sanitize payloads consisting of potentially malicious code in HTML comments and instructions. This vulnerability can result in an XSS attack.", + "descriptions": [ + { + "data": "A vulnerability was found in Hibernate-Validator. The SafeHtml validator annotation fails to properly sanitize payloads consisting of potentially malicious code in HTML comments and instructions. 
This vulnerability can result in an XSS attack.", + "label": "check" + }, + { + "data": "", + "label": "fix" + } + ], + "impact": 0.5, + "code": "{\n \"component\": {\n \"latestVersion\": \"8.0.1.Final\",\n \"name\": \"hibernate-validator\",\n \"project\": \"5840398e-605b-4326-9184-74e0e7c2a081\",\n \"purl\": \"pkg:maven/org.hibernate/hibernate-validator@5.4.3.Final?type=jar\",\n \"uuid\": \"6f118da8-0dcd-41fd-9245-dee1f98c6376\",\n \"version\": \"5.4.3.Final\",\n \"group\": \"org.hibernate\"\n },\n \"attribution\": {\n \"alternateIdentifier\": \"CVE-2019-10219\",\n \"analyzerIdentity\": \"OSSINDEX_ANALYZER\",\n \"attributedOn\": \"2024-04-04 03:29:41.118\",\n \"referenceUrl\": \"https://ossindex.sonatype.org/vulnerability/CVE-2019-10219?component-type=maven&component-name=org.hibernate%2Fhibernate-validator&utm_source=dependency-track&utm_medium=integration&utm_content=v4.10.1\"\n },\n \"vulnerability\": {\n \"severity\": \"MEDIUM\",\n \"cvssV3BaseScore\": 6.1,\n \"vulnId\": \"CVE-2019-10219\",\n \"aliases\": [],\n \"cweId\": 79,\n \"description\": \"A vulnerability was found in Hibernate-Validator. The SafeHtml validator annotation fails to properly sanitize payloads consisting of potentially malicious code in HTML comments and instructions. 
This vulnerability can result in an XSS attack.\",\n \"epssScore\": 0.00232,\n \"source\": \"NVD\",\n \"cwes\": [\n {\n \"cweId\": 79,\n \"name\": \"Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')\",\n \"id\": 0\n }\n ],\n \"uuid\": \"3d6b18a1-a9af-4f8a-81f9-298472b7fb06\",\n \"severityRank\": 2,\n \"cweName\": \"Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')\",\n \"epssPercentile\": 0.60676,\n \"cvssV2BaseScore\": 4.3\n },\n \"analysis\": {\n \"isSuppressed\": false\n },\n \"matrix\": \"5840398e-605b-4326-9184-74e0e7c2a081:6f118da8-0dcd-41fd-9245-dee1f98c6376:3d6b18a1-a9af-4f8a-81f9-298472b7fb06\"\n}", + "results": [ + { + "status": "failed", + "code_desc": "", + "start_time": "2024-04-04T03:32:17Z" + } + ] + }, + { + "tags": { + "cweIds": [ + 20 + ], + "cweNames": [ + "Improper Input Validation" + ], + "nist": [ + "SI-10" + ], + "cci": [ + "CCI-001310" + ], + "componentUuid": "6f118da8-0dcd-41fd-9245-dee1f98c6376", + "componentName": "hibernate-validator", + "componentGroup": "org.hibernate", + "componentVersion": "5.4.3.Final", + "componentLatestVersion": "8.0.1.Final", + "componentPurl": "pkg:maven/org.hibernate/hibernate-validator@5.4.3.Final?type=jar", + "componentCpe": "", + "componentProject": "5840398e-605b-4326-9184-74e0e7c2a081", + "vulnerabilityUuid": "931d9df5-6f46-4acd-bc13-e958b25573a2", + "vulnerabilitySource": "NVD", + "vulnerabilityVulnId": "CVE-2020-10693", + "vulnerabilityTitle": "", + "vulnerabilitySubtitle": "", + "vulnerabilityAliases": "[]", + "vulnerabilityCvssV2BaseScore": 5, + "vulnerabilityCvssV3BaseScore": 5.3, + "vulnerabilityOwaspLikelihoodScore": "", + "vulnerabilityOwaspTechnicalImpactScore": "", + "vulnerabilityOwaspBusinessImpactScore": "", + "vulnerabilitySeverityRank": 2, + "vulnerabilityEpssScore": 0.00139, + "vulnerabilityEpssPercentile": 0.48704, + "vulnerabilityCweId": 20, + "vulnerabilityCweName": "Improper Input Validation", + 
"attributionAnalyzerIdentity": "OSSINDEX_ANALYZER", + "attributionAttributedOn": "2024-04-04 03:29:41.128", + "attributionAlternateIdentifier": "CVE-2020-10693", + "attributionReferenceUrl": "https://ossindex.sonatype.org/vulnerability/CVE-2020-10693?component-type=maven&component-name=org.hibernate%2Fhibernate-validator&utm_source=dependency-track&utm_medium=integration&utm_content=v4.10.1", + "analysisState": "", + "analysisIsSuppressed": "" + }, + "refs": [], + "source_location": {}, + "title": "pkg:maven/org.hibernate/hibernate-validator@5.4.3.Final?type=jar", + "id": "5840398e-605b-4326-9184-74e0e7c2a081:6f118da8-0dcd-41fd-9245-dee1f98c6376:931d9df5-6f46-4acd-bc13-e958b25573a2", + "desc": "A flaw was found in Hibernate Validator version 6.1.2.Final. A bug in the message interpolation processor enables invalid EL expressions to be evaluated as if they were valid. This flaw allows attackers to bypass input sanitation (escaping, stripping) controls that developers may have put in place when handling user-controlled data in error messages.", + "descriptions": [ + { + "data": "A flaw was found in Hibernate Validator version 6.1.2.Final. A bug in the message interpolation processor enables invalid EL expressions to be evaluated as if they were valid. 
This flaw allows attackers to bypass input sanitation (escaping, stripping) controls that developers may have put in place when handling user-controlled data in error messages.", + "label": "check" + }, + { + "data": "", + "label": "fix" + } + ], + "impact": 0.5, + "code": "{\n \"component\": {\n \"latestVersion\": \"8.0.1.Final\",\n \"name\": \"hibernate-validator\",\n \"project\": \"5840398e-605b-4326-9184-74e0e7c2a081\",\n \"purl\": \"pkg:maven/org.hibernate/hibernate-validator@5.4.3.Final?type=jar\",\n \"uuid\": \"6f118da8-0dcd-41fd-9245-dee1f98c6376\",\n \"version\": \"5.4.3.Final\",\n \"group\": \"org.hibernate\"\n },\n \"attribution\": {\n \"alternateIdentifier\": \"CVE-2020-10693\",\n \"analyzerIdentity\": \"OSSINDEX_ANALYZER\",\n \"attributedOn\": \"2024-04-04 03:29:41.128\",\n \"referenceUrl\": \"https://ossindex.sonatype.org/vulnerability/CVE-2020-10693?component-type=maven&component-name=org.hibernate%2Fhibernate-validator&utm_source=dependency-track&utm_medium=integration&utm_content=v4.10.1\"\n },\n \"vulnerability\": {\n \"severity\": \"MEDIUM\",\n \"cvssV3BaseScore\": 5.3,\n \"vulnId\": \"CVE-2020-10693\",\n \"aliases\": [],\n \"cweId\": 20,\n \"description\": \"A flaw was found in Hibernate Validator version 6.1.2.Final. A bug in the message interpolation processor enables invalid EL expressions to be evaluated as if they were valid. 
This flaw allows attackers to bypass input sanitation (escaping, stripping) controls that developers may have put in place when handling user-controlled data in error messages.\",\n \"epssScore\": 0.00139,\n \"source\": \"NVD\",\n \"cwes\": [\n {\n \"cweId\": 20,\n \"name\": \"Improper Input Validation\",\n \"id\": 0\n }\n ],\n \"uuid\": \"931d9df5-6f46-4acd-bc13-e958b25573a2\",\n \"severityRank\": 2,\n \"cweName\": \"Improper Input Validation\",\n \"epssPercentile\": 0.48704,\n \"cvssV2BaseScore\": 5\n },\n \"analysis\": {\n \"isSuppressed\": false\n },\n \"matrix\": \"5840398e-605b-4326-9184-74e0e7c2a081:6f118da8-0dcd-41fd-9245-dee1f98c6376:931d9df5-6f46-4acd-bc13-e958b25573a2\"\n}", + "results": [ + { + "status": "failed", + "code_desc": "", + "start_time": "2024-04-04T03:32:17Z" + } + ] + }, + { + "tags": { + "cweIds": [ + 917 + ], + "cweNames": [ + "Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')" + ], + "nist": [ + "SA-11", + "RA-5" + ], + "cci": [ + "CCI-003173", + "CCI-001643" + ], + "componentUuid": "293eb581-83c4-4bc6-acd6-2b6d35d8baee", + "componentName": "javax.el", + "componentGroup": "org.glassfish", + "componentVersion": "3.0.0", + "componentLatestVersion": "3.0.1-b12", + "componentPurl": "pkg:maven/org.glassfish/javax.el@3.0.0?type=jar", + "componentCpe": "", + "componentProject": "5840398e-605b-4326-9184-74e0e7c2a081", + "vulnerabilityUuid": "7e35cf80-119f-438b-b22d-402c939d8321", + "vulnerabilitySource": "NVD", + "vulnerabilityVulnId": "CVE-2021-28170", + "vulnerabilityTitle": "", + "vulnerabilitySubtitle": "", + "vulnerabilityAliases": "[]", + "vulnerabilityCvssV2BaseScore": 5, + "vulnerabilityCvssV3BaseScore": 5.3, + "vulnerabilityOwaspLikelihoodScore": "", + "vulnerabilityOwaspTechnicalImpactScore": "", + "vulnerabilityOwaspBusinessImpactScore": "", + "vulnerabilitySeverityRank": 2, + "vulnerabilityEpssScore": 0.00089, + "vulnerabilityEpssPercentile": 0.36785, + 
"vulnerabilityCweId": 917, + "vulnerabilityCweName": "Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')", + "attributionAnalyzerIdentity": "OSSINDEX_ANALYZER", + "attributionAttributedOn": "2024-04-04 03:29:41.145", + "attributionAlternateIdentifier": "CVE-2021-28170", + "attributionReferenceUrl": "https://ossindex.sonatype.org/vulnerability/CVE-2021-28170?component-type=maven&component-name=org.glassfish%2Fjavax.el&utm_source=dependency-track&utm_medium=integration&utm_content=v4.10.1", + "analysisState": "", + "analysisIsSuppressed": "" + }, + "refs": [], + "source_location": {}, + "title": "pkg:maven/org.glassfish/javax.el@3.0.0?type=jar", + "id": "5840398e-605b-4326-9184-74e0e7c2a081:293eb581-83c4-4bc6-acd6-2b6d35d8baee:7e35cf80-119f-438b-b22d-402c939d8321", + "desc": "In the Jakarta Expression Language implementation 3.0.3 and earlier, a bug in the ELParserTokenManager enables invalid EL expressions to be evaluated as if they were valid.", + "descriptions": [ + { + "data": "In the Jakarta Expression Language implementation 3.0.3 and earlier, a bug in the ELParserTokenManager enables invalid EL expressions to be evaluated as if they were valid.", + "label": "check" + }, + { + "data": "", + "label": "fix" + } + ], + "impact": 0.5, + "code": "{\n \"component\": {\n \"latestVersion\": \"3.0.1-b12\",\n \"name\": \"javax.el\",\n \"project\": \"5840398e-605b-4326-9184-74e0e7c2a081\",\n \"purl\": \"pkg:maven/org.glassfish/javax.el@3.0.0?type=jar\",\n \"uuid\": \"293eb581-83c4-4bc6-acd6-2b6d35d8baee\",\n \"version\": \"3.0.0\",\n \"group\": \"org.glassfish\"\n },\n \"attribution\": {\n \"alternateIdentifier\": \"CVE-2021-28170\",\n \"analyzerIdentity\": \"OSSINDEX_ANALYZER\",\n \"attributedOn\": \"2024-04-04 03:29:41.145\",\n \"referenceUrl\": 
\"https://ossindex.sonatype.org/vulnerability/CVE-2021-28170?component-type=maven&component-name=org.glassfish%2Fjavax.el&utm_source=dependency-track&utm_medium=integration&utm_content=v4.10.1\"\n },\n \"vulnerability\": {\n \"severity\": \"MEDIUM\",\n \"cvssV3BaseScore\": 5.3,\n \"vulnId\": \"CVE-2021-28170\",\n \"aliases\": [],\n \"cweId\": 917,\n \"description\": \"In the Jakarta Expression Language implementation 3.0.3 and earlier, a bug in the ELParserTokenManager enables invalid EL expressions to be evaluated as if they were valid.\",\n \"epssScore\": 0.00089,\n \"source\": \"NVD\",\n \"cwes\": [\n {\n \"cweId\": 917,\n \"name\": \"Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')\",\n \"id\": 0\n }\n ],\n \"uuid\": \"7e35cf80-119f-438b-b22d-402c939d8321\",\n \"severityRank\": 2,\n \"cweName\": \"Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')\",\n \"epssPercentile\": 0.36785,\n \"cvssV2BaseScore\": 5\n },\n \"analysis\": {\n \"isSuppressed\": false\n },\n \"matrix\": \"5840398e-605b-4326-9184-74e0e7c2a081:293eb581-83c4-4bc6-acd6-2b6d35d8baee:7e35cf80-119f-438b-b22d-402c939d8321\"\n}", + "results": [ + { + "status": "failed", + "code_desc": "", + "start_time": "2024-04-04T03:32:17Z" + } + ] + }, + { + "tags": { + "cweIds": [ + 74 + ], + "cweNames": [ + "Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')" + ], + "nist": [ + "SA-11", + "RA-5" + ], + "cci": [ + "CCI-003173", + "CCI-001643" + ], + "componentUuid": "ff810945-c556-480d-b11a-d2a6ea85ebc8", + "componentName": "dropwizard-validation", + "componentGroup": "io.dropwizard", + "componentVersion": "1.3.15", + "componentLatestVersion": "5.0.0-alpha.1", + "componentPurl": "pkg:maven/io.dropwizard/dropwizard-validation@1.3.15?type=jar", + "componentCpe": "", + "componentProject": "5840398e-605b-4326-9184-74e0e7c2a081", + 
"vulnerabilityUuid": "4ace7186-9d12-446d-b742-92e9dfdfb3b2", + "vulnerabilitySource": "NVD", + "vulnerabilityVulnId": "CVE-2020-11002", + "vulnerabilityTitle": "", + "vulnerabilitySubtitle": "", + "vulnerabilityAliases": "[]", + "vulnerabilityCvssV2BaseScore": 9, + "vulnerabilityCvssV3BaseScore": 8.8, + "vulnerabilityOwaspLikelihoodScore": "", + "vulnerabilityOwaspTechnicalImpactScore": "", + "vulnerabilityOwaspBusinessImpactScore": "", + "vulnerabilitySeverityRank": 1, + "vulnerabilityEpssScore": 0.04159, + "vulnerabilityEpssPercentile": 0.9201, + "vulnerabilityCweId": 74, + "vulnerabilityCweName": "Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')", + "attributionAnalyzerIdentity": "OSSINDEX_ANALYZER", + "attributionAttributedOn": "2024-04-04 03:29:41.16", + "attributionAlternateIdentifier": "CVE-2020-11002", + "attributionReferenceUrl": "https://ossindex.sonatype.org/vulnerability/CVE-2020-11002?component-type=maven&component-name=io.dropwizard%2Fdropwizard-validation&utm_source=dependency-track&utm_medium=integration&utm_content=v4.10.1", + "analysisState": "", + "analysisIsSuppressed": "" + }, + "refs": [], + "source_location": {}, + "title": "pkg:maven/io.dropwizard/dropwizard-validation@1.3.15?type=jar", + "id": "5840398e-605b-4326-9184-74e0e7c2a081:ff810945-c556-480d-b11a-d2a6ea85ebc8:4ace7186-9d12-446d-b742-92e9dfdfb3b2", + "desc": "dropwizard-validation before versions 2.0.3 and 1.3.21 has a remote code execution vulnerability. A server-side template injection was identified in the self-validating feature enabling attackers to inject arbitrary Java EL expressions, leading to Remote Code Execution (RCE) vulnerability. If you are using a self-validating bean an upgrade to Dropwizard 1.3.21/2.0.3 or later is strongly recommended. The changes introduced in Dropwizard 1.3.19 and 2.0.2 for CVE-2020-5245 unfortunately did not fix the underlying issue completely. 
The issue has been fixed in dropwizard-validation 1.3.21 and 2.0.3 or later. We strongly recommend upgrading to one of these versions.", + "descriptions": [ + { + "data": "dropwizard-validation before versions 2.0.3 and 1.3.21 has a remote code execution vulnerability. A server-side template injection was identified in the self-validating feature enabling attackers to inject arbitrary Java EL expressions, leading to Remote Code Execution (RCE) vulnerability. If you are using a self-validating bean an upgrade to Dropwizard 1.3.21/2.0.3 or later is strongly recommended. The changes introduced in Dropwizard 1.3.19 and 2.0.2 for CVE-2020-5245 unfortunately did not fix the underlying issue completely. The issue has been fixed in dropwizard-validation 1.3.21 and 2.0.3 or later. We strongly recommend upgrading to one of these versions.", + "label": "check" + }, + { + "data": "", + "label": "fix" + } + ], + "impact": 0.7, + "code": "{\n \"component\": {\n \"latestVersion\": \"5.0.0-alpha.1\",\n \"name\": \"dropwizard-validation\",\n \"project\": \"5840398e-605b-4326-9184-74e0e7c2a081\",\n \"purl\": \"pkg:maven/io.dropwizard/dropwizard-validation@1.3.15?type=jar\",\n \"uuid\": \"ff810945-c556-480d-b11a-d2a6ea85ebc8\",\n \"version\": \"1.3.15\",\n \"group\": \"io.dropwizard\"\n },\n \"attribution\": {\n \"alternateIdentifier\": \"CVE-2020-11002\",\n \"analyzerIdentity\": \"OSSINDEX_ANALYZER\",\n \"attributedOn\": \"2024-04-04 03:29:41.16\",\n \"referenceUrl\": \"https://ossindex.sonatype.org/vulnerability/CVE-2020-11002?component-type=maven&component-name=io.dropwizard%2Fdropwizard-validation&utm_source=dependency-track&utm_medium=integration&utm_content=v4.10.1\"\n },\n \"vulnerability\": {\n \"severity\": \"HIGH\",\n \"cvssV3BaseScore\": 8.8,\n \"vulnId\": \"CVE-2020-11002\",\n \"aliases\": [],\n \"cweId\": 74,\n \"description\": \"dropwizard-validation before versions 2.0.3 and 1.3.21 has a remote code execution vulnerability. 
A server-side template injection was identified in the self-validating feature enabling attackers to inject arbitrary Java EL expressions, leading to Remote Code Execution (RCE) vulnerability. If you are using a self-validating bean an upgrade to Dropwizard 1.3.21/2.0.3 or later is strongly recommended. The changes introduced in Dropwizard 1.3.19 and 2.0.2 for CVE-2020-5245 unfortunately did not fix the underlying issue completely. The issue has been fixed in dropwizard-validation 1.3.21 and 2.0.3 or later. We strongly recommend upgrading to one of these versions.\",\n \"epssScore\": 0.04159,\n \"source\": \"NVD\",\n \"cwes\": [\n {\n \"cweId\": 74,\n \"name\": \"Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')\",\n \"id\": 0\n }\n ],\n \"uuid\": \"4ace7186-9d12-446d-b742-92e9dfdfb3b2\",\n \"severityRank\": 1,\n \"cweName\": \"Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')\",\n \"epssPercentile\": 0.9201,\n \"cvssV2BaseScore\": 9\n },\n \"analysis\": {\n \"isSuppressed\": false\n },\n \"matrix\": \"5840398e-605b-4326-9184-74e0e7c2a081:ff810945-c556-480d-b11a-d2a6ea85ebc8:4ace7186-9d12-446d-b742-92e9dfdfb3b2\"\n}", + "results": [ + { + "status": "failed", + "code_desc": "", + "start_time": "2024-04-04T03:32:17Z" + } + ] + }, + { + "tags": { + "cweIds": [ + 74 + ], + "cweNames": [ + "Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')" + ], + "nist": [ + "SA-11", + "RA-5" + ], + "cci": [ + "CCI-003173", + "CCI-001643" + ], + "componentUuid": "ff810945-c556-480d-b11a-d2a6ea85ebc8", + "componentName": "dropwizard-validation", + "componentGroup": "io.dropwizard", + "componentVersion": "1.3.15", + "componentLatestVersion": "5.0.0-alpha.1", + "componentPurl": "pkg:maven/io.dropwizard/dropwizard-validation@1.3.15?type=jar", + "componentCpe": "", + "componentProject": "5840398e-605b-4326-9184-74e0e7c2a081", + 
"vulnerabilityUuid": "47855242-f7d3-4829-99f3-e0acf1ddf837", + "vulnerabilitySource": "NVD", + "vulnerabilityVulnId": "CVE-2020-5245", + "vulnerabilityTitle": "", + "vulnerabilitySubtitle": "", + "vulnerabilityAliases": "[]", + "vulnerabilityCvssV2BaseScore": 9, + "vulnerabilityCvssV3BaseScore": 8.8, + "vulnerabilityOwaspLikelihoodScore": "", + "vulnerabilityOwaspTechnicalImpactScore": "", + "vulnerabilityOwaspBusinessImpactScore": "", + "vulnerabilitySeverityRank": 1, + "vulnerabilityEpssScore": 0.00432, + "vulnerabilityEpssPercentile": 0.74082, + "vulnerabilityCweId": 74, + "vulnerabilityCweName": "Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')", + "attributionAnalyzerIdentity": "OSSINDEX_ANALYZER", + "attributionAttributedOn": "2024-04-04 03:29:41.166", + "attributionAlternateIdentifier": "CVE-2020-5245", + "attributionReferenceUrl": "https://ossindex.sonatype.org/vulnerability/CVE-2020-5245?component-type=maven&component-name=io.dropwizard%2Fdropwizard-validation&utm_source=dependency-track&utm_medium=integration&utm_content=v4.10.1", + "analysisState": "", + "analysisIsSuppressed": "" + }, + "refs": [], + "source_location": {}, + "title": "pkg:maven/io.dropwizard/dropwizard-validation@1.3.15?type=jar", + "id": "5840398e-605b-4326-9184-74e0e7c2a081:ff810945-c556-480d-b11a-d2a6ea85ebc8:47855242-f7d3-4829-99f3-e0acf1ddf837", + "desc": "Dropwizard-Validation before 1.3.19, and 2.0.2 may allow arbitrary code execution on the host system, with the privileges of the Dropwizard service account, by injecting arbitrary Java Expression Language expressions when using the self-validating feature. 
The issue has been fixed in dropwizard-validation 1.3.19 and 2.0.2.", + "descriptions": [ + { + "data": "Dropwizard-Validation before 1.3.19, and 2.0.2 may allow arbitrary code execution on the host system, with the privileges of the Dropwizard service account, by injecting arbitrary Java Expression Language expressions when using the self-validating feature. The issue has been fixed in dropwizard-validation 1.3.19 and 2.0.2.", + "label": "check" + }, + { + "data": "", + "label": "fix" + } + ], + "impact": 0.7, + "code": "{\n \"component\": {\n \"latestVersion\": \"5.0.0-alpha.1\",\n \"name\": \"dropwizard-validation\",\n \"project\": \"5840398e-605b-4326-9184-74e0e7c2a081\",\n \"purl\": \"pkg:maven/io.dropwizard/dropwizard-validation@1.3.15?type=jar\",\n \"uuid\": \"ff810945-c556-480d-b11a-d2a6ea85ebc8\",\n \"version\": \"1.3.15\",\n \"group\": \"io.dropwizard\"\n },\n \"attribution\": {\n \"alternateIdentifier\": \"CVE-2020-5245\",\n \"analyzerIdentity\": \"OSSINDEX_ANALYZER\",\n \"attributedOn\": \"2024-04-04 03:29:41.166\",\n \"referenceUrl\": \"https://ossindex.sonatype.org/vulnerability/CVE-2020-5245?component-type=maven&component-name=io.dropwizard%2Fdropwizard-validation&utm_source=dependency-track&utm_medium=integration&utm_content=v4.10.1\"\n },\n \"vulnerability\": {\n \"severity\": \"HIGH\",\n \"cvssV3BaseScore\": 8.8,\n \"vulnId\": \"CVE-2020-5245\",\n \"aliases\": [],\n \"cweId\": 74,\n \"description\": \"Dropwizard-Validation before 1.3.19, and 2.0.2 may allow arbitrary code execution on the host system, with the privileges of the Dropwizard service account, by injecting arbitrary Java Expression Language expressions when using the self-validating feature. 
The issue has been fixed in dropwizard-validation 1.3.19 and 2.0.2.\",\n \"epssScore\": 0.00432,\n \"source\": \"NVD\",\n \"cwes\": [\n {\n \"cweId\": 74,\n \"name\": \"Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')\",\n \"id\": 0\n }\n ],\n \"uuid\": \"47855242-f7d3-4829-99f3-e0acf1ddf837\",\n \"severityRank\": 1,\n \"cweName\": \"Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')\",\n \"epssPercentile\": 0.74082,\n \"cvssV2BaseScore\": 9\n },\n \"analysis\": {\n \"isSuppressed\": false\n },\n \"matrix\": \"5840398e-605b-4326-9184-74e0e7c2a081:ff810945-c556-480d-b11a-d2a6ea85ebc8:47855242-f7d3-4829-99f3-e0acf1ddf837\"\n}", + "results": [ + { + "status": "failed", + "code_desc": "", + "start_time": "2024-04-04T03:32:17Z" + } + ] + }, + { + "tags": { + "cweIds": [ + 776 + ], + "cweNames": [ + "Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')" + ], + "nist": [ + "SA-11", + "RA-5" + ], + "cci": [ + "CCI-003173", + "CCI-001643" + ], + "componentUuid": "2b90f04e-c71b-4a10-a619-9bb98aaaa9ff", + "componentName": "snakeyaml", + "componentGroup": "org.yaml", + "componentVersion": "1.23", + "componentLatestVersion": "2.2", + "componentPurl": "pkg:maven/org.yaml/snakeyaml@1.23?type=jar", + "componentCpe": "", + "componentProject": "5840398e-605b-4326-9184-74e0e7c2a081", + "vulnerabilityUuid": "285cbd92-3f1b-4ef1-9044-a416276d0939", + "vulnerabilitySource": "NVD", + "vulnerabilityVulnId": "CVE-2017-18640", + "vulnerabilityTitle": "", + "vulnerabilitySubtitle": "", + "vulnerabilityAliases": "[]", + "vulnerabilityCvssV2BaseScore": 5, + "vulnerabilityCvssV3BaseScore": 7.5, + "vulnerabilityOwaspLikelihoodScore": "", + "vulnerabilityOwaspTechnicalImpactScore": "", + "vulnerabilityOwaspBusinessImpactScore": "", + "vulnerabilitySeverityRank": 1, + "vulnerabilityEpssScore": 0.01874, + "vulnerabilityEpssPercentile": 0.88163, + "vulnerabilityCweId": 
776, + "vulnerabilityCweName": "Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')", + "attributionAnalyzerIdentity": "OSSINDEX_ANALYZER", + "attributionAttributedOn": "2024-04-04 03:29:41.18", + "attributionAlternateIdentifier": "CVE-2017-18640", + "attributionReferenceUrl": "https://ossindex.sonatype.org/vulnerability/CVE-2017-18640?component-type=maven&component-name=org.yaml%2Fsnakeyaml&utm_source=dependency-track&utm_medium=integration&utm_content=v4.10.1", + "analysisState": "", + "analysisIsSuppressed": "" + }, + "refs": [], + "source_location": {}, + "title": "pkg:maven/org.yaml/snakeyaml@1.23?type=jar", + "id": "5840398e-605b-4326-9184-74e0e7c2a081:2b90f04e-c71b-4a10-a619-9bb98aaaa9ff:285cbd92-3f1b-4ef1-9044-a416276d0939", + "desc": "The Alias feature in SnakeYAML before 1.26 allows entity expansion during a load operation, a related issue to CVE-2003-1564.", + "descriptions": [ + { + "data": "The Alias feature in SnakeYAML before 1.26 allows entity expansion during a load operation, a related issue to CVE-2003-1564.", + "label": "check" + }, + { + "data": "", + "label": "fix" + } + ], + "impact": 0.7, + "code": "{\n \"component\": {\n \"latestVersion\": \"2.2\",\n \"name\": \"snakeyaml\",\n \"project\": \"5840398e-605b-4326-9184-74e0e7c2a081\",\n \"purl\": \"pkg:maven/org.yaml/snakeyaml@1.23?type=jar\",\n \"uuid\": \"2b90f04e-c71b-4a10-a619-9bb98aaaa9ff\",\n \"version\": \"1.23\",\n \"group\": \"org.yaml\"\n },\n \"attribution\": {\n \"alternateIdentifier\": \"CVE-2017-18640\",\n \"analyzerIdentity\": \"OSSINDEX_ANALYZER\",\n \"attributedOn\": \"2024-04-04 03:29:41.18\",\n \"referenceUrl\": \"https://ossindex.sonatype.org/vulnerability/CVE-2017-18640?component-type=maven&component-name=org.yaml%2Fsnakeyaml&utm_source=dependency-track&utm_medium=integration&utm_content=v4.10.1\"\n },\n \"vulnerability\": {\n \"severity\": \"HIGH\",\n \"cvssV3BaseScore\": 7.5,\n \"vulnId\": \"CVE-2017-18640\",\n \"aliases\": [],\n 
\"cweId\": 776,\n \"description\": \"The Alias feature in SnakeYAML before 1.26 allows entity expansion during a load operation, a related issue to CVE-2003-1564.\",\n \"epssScore\": 0.01874,\n \"source\": \"NVD\",\n \"cwes\": [\n {\n \"cweId\": 776,\n \"name\": \"Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')\",\n \"id\": 0\n }\n ],\n \"uuid\": \"285cbd92-3f1b-4ef1-9044-a416276d0939\",\n \"severityRank\": 1,\n \"cweName\": \"Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')\",\n \"epssPercentile\": 0.88163,\n \"cvssV2BaseScore\": 5\n },\n \"analysis\": {\n \"isSuppressed\": false\n },\n \"matrix\": \"5840398e-605b-4326-9184-74e0e7c2a081:2b90f04e-c71b-4a10-a619-9bb98aaaa9ff:285cbd92-3f1b-4ef1-9044-a416276d0939\"\n}", + "results": [ + { + "status": "failed", + "code_desc": "", + "start_time": "2024-04-04T03:32:17Z" + } + ] + }, + { + "tags": { + "cweIds": [ + 502 + ], + "cweNames": [ + "Deserialization of Untrusted Data" + ], + "nist": [ + "SI-10" + ], + "cci": [ + "CCI-001310" + ], + "componentUuid": "2b90f04e-c71b-4a10-a619-9bb98aaaa9ff", + "componentName": "snakeyaml", + "componentGroup": "org.yaml", + "componentVersion": "1.23", + "componentLatestVersion": "2.2", + "componentPurl": "pkg:maven/org.yaml/snakeyaml@1.23?type=jar", + "componentCpe": "", + "componentProject": "5840398e-605b-4326-9184-74e0e7c2a081", + "vulnerabilityUuid": "81e42aed-d565-40e2-9cb9-dc6ac823126e", + "vulnerabilitySource": "NVD", + "vulnerabilityVulnId": "CVE-2022-1471", + "vulnerabilityTitle": "", + "vulnerabilitySubtitle": "", + "vulnerabilityAliases": "[]", + "vulnerabilityCvssV2BaseScore": "", + "vulnerabilityCvssV3BaseScore": 9.8, + "vulnerabilityOwaspLikelihoodScore": "", + "vulnerabilityOwaspTechnicalImpactScore": "", + "vulnerabilityOwaspBusinessImpactScore": "", + "vulnerabilitySeverityRank": "", + "vulnerabilityEpssScore": 0.00811, + "vulnerabilityEpssPercentile": 0.81397, + "vulnerabilityCweId": 502, + 
"vulnerabilityCweName": "Deserialization of Untrusted Data", + "attributionAnalyzerIdentity": "OSSINDEX_ANALYZER", + "attributionAttributedOn": "2024-04-04 03:29:41.19", + "attributionAlternateIdentifier": "CVE-2022-1471", + "attributionReferenceUrl": "https://ossindex.sonatype.org/vulnerability/CVE-2022-1471?component-type=maven&component-name=org.yaml%2Fsnakeyaml&utm_source=dependency-track&utm_medium=integration&utm_content=v4.10.1", + "analysisState": "", + "analysisIsSuppressed": "" + }, + "refs": [], + "source_location": {}, + "title": "pkg:maven/org.yaml/snakeyaml@1.23?type=jar", + "id": "5840398e-605b-4326-9184-74e0e7c2a081:2b90f04e-c71b-4a10-a619-9bb98aaaa9ff:81e42aed-d565-40e2-9cb9-dc6ac823126e", + "desc": "SnakeYaml's Constructor() class does not restrict types which can be instantiated during deserialization. Deserializing yaml content provided by an attacker can lead to remote code execution. We recommend using SnakeYaml's SafeConsturctor when parsing untrusted content to restrict deserialization. We recommend upgrading to version 2.0 and beyond.\n", + "descriptions": [ + { + "data": "SnakeYaml's Constructor() class does not restrict types which can be instantiated during deserialization. Deserializing yaml content provided by an attacker can lead to remote code execution. We recommend using SnakeYaml's SafeConsturctor when parsing untrusted content to restrict deserialization. 
We recommend upgrading to version 2.0 and beyond.\n", + "label": "check" + }, + { + "data": "", + "label": "fix" + } + ], + "impact": 0.9, + "code": "{\n \"component\": {\n \"latestVersion\": \"2.2\",\n \"name\": \"snakeyaml\",\n \"project\": \"5840398e-605b-4326-9184-74e0e7c2a081\",\n \"purl\": \"pkg:maven/org.yaml/snakeyaml@1.23?type=jar\",\n \"uuid\": \"2b90f04e-c71b-4a10-a619-9bb98aaaa9ff\",\n \"version\": \"1.23\",\n \"group\": \"org.yaml\"\n },\n \"attribution\": {\n \"alternateIdentifier\": \"CVE-2022-1471\",\n \"analyzerIdentity\": \"OSSINDEX_ANALYZER\",\n \"attributedOn\": \"2024-04-04 03:29:41.19\",\n \"referenceUrl\": \"https://ossindex.sonatype.org/vulnerability/CVE-2022-1471?component-type=maven&component-name=org.yaml%2Fsnakeyaml&utm_source=dependency-track&utm_medium=integration&utm_content=v4.10.1\"\n },\n \"vulnerability\": {\n \"severity\": \"CRITICAL\",\n \"cvssV3BaseScore\": 9.8,\n \"vulnId\": \"CVE-2022-1471\",\n \"aliases\": [],\n \"cweId\": 502,\n \"description\": \"SnakeYaml's Constructor() class does not restrict types which can be instantiated during deserialization. Deserializing yaml content provided by an attacker can lead to remote code execution. We recommend using SnakeYaml's SafeConsturctor when parsing untrusted content to restrict deserialization. 
We recommend upgrading to version 2.0 and beyond.\\n\",\n \"epssScore\": 0.00811,\n \"source\": \"NVD\",\n \"cwes\": [\n {\n \"cweId\": 502,\n \"name\": \"Deserialization of Untrusted Data\",\n \"id\": 0\n }\n ],\n \"uuid\": \"81e42aed-d565-40e2-9cb9-dc6ac823126e\",\n \"severityRank\": 0,\n \"cweName\": \"Deserialization of Untrusted Data\",\n \"epssPercentile\": 0.81397\n },\n \"analysis\": {\n \"isSuppressed\": false\n },\n \"matrix\": \"5840398e-605b-4326-9184-74e0e7c2a081:2b90f04e-c71b-4a10-a619-9bb98aaaa9ff:81e42aed-d565-40e2-9cb9-dc6ac823126e\"\n}", + "results": [ + { + "status": "failed", + "code_desc": "", + "start_time": "2024-04-04T03:32:17Z" + } + ] + }, + { + "tags": { + "cweIds": [ + 776 + ], + "cweNames": [ + "Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')" + ], + "nist": [ + "SA-11", + "RA-5" + ], + "cci": [ + "CCI-003173", + "CCI-001643" + ], + "componentUuid": "2b90f04e-c71b-4a10-a619-9bb98aaaa9ff", + "componentName": "snakeyaml", + "componentGroup": "org.yaml", + "componentVersion": "1.23", + "componentLatestVersion": "2.2", + "componentPurl": "pkg:maven/org.yaml/snakeyaml@1.23?type=jar", + "componentCpe": "", + "componentProject": "5840398e-605b-4326-9184-74e0e7c2a081", + "vulnerabilityUuid": "6c9e13ea-74a0-44f8-b584-0c6b59330cf3", + "vulnerabilitySource": "NVD", + "vulnerabilityVulnId": "CVE-2022-25857", + "vulnerabilityTitle": "", + "vulnerabilitySubtitle": "", + "vulnerabilityAliases": "[]", + "vulnerabilityCvssV2BaseScore": "", + "vulnerabilityCvssV3BaseScore": 7.5, + "vulnerabilityOwaspLikelihoodScore": "", + "vulnerabilityOwaspTechnicalImpactScore": "", + "vulnerabilityOwaspBusinessImpactScore": "", + "vulnerabilitySeverityRank": 1, + "vulnerabilityEpssScore": "", + "vulnerabilityEpssPercentile": "", + "vulnerabilityCweId": 776, + "vulnerabilityCweName": "Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')", + "attributionAnalyzerIdentity": "OSSINDEX_ANALYZER", + 
"attributionAttributedOn": "2024-04-04 03:29:41.194", + "attributionAlternateIdentifier": "CVE-2022-25857", + "attributionReferenceUrl": "https://ossindex.sonatype.org/vulnerability/CVE-2022-25857?component-type=maven&component-name=org.yaml%2Fsnakeyaml&utm_source=dependency-track&utm_medium=integration&utm_content=v4.10.1", + "analysisState": "", + "analysisIsSuppressed": "" + }, + "refs": [], + "source_location": {}, + "title": "pkg:maven/org.yaml/snakeyaml@1.23?type=jar", + "id": "5840398e-605b-4326-9184-74e0e7c2a081:2b90f04e-c71b-4a10-a619-9bb98aaaa9ff:6c9e13ea-74a0-44f8-b584-0c6b59330cf3", + "desc": "The package org.yaml:snakeyaml from 0 and before 1.31 are vulnerable to Denial of Service (DoS) due missing to nested depth limitation for collections.", + "descriptions": [ + { + "data": "The package org.yaml:snakeyaml from 0 and before 1.31 are vulnerable to Denial of Service (DoS) due missing to nested depth limitation for collections.", + "label": "check" + }, + { + "data": "", + "label": "fix" + } + ], + "impact": 0.7, + "code": "{\n \"component\": {\n \"latestVersion\": \"2.2\",\n \"name\": \"snakeyaml\",\n \"project\": \"5840398e-605b-4326-9184-74e0e7c2a081\",\n \"purl\": \"pkg:maven/org.yaml/snakeyaml@1.23?type=jar\",\n \"uuid\": \"2b90f04e-c71b-4a10-a619-9bb98aaaa9ff\",\n \"version\": \"1.23\",\n \"group\": \"org.yaml\"\n },\n \"attribution\": {\n \"alternateIdentifier\": \"CVE-2022-25857\",\n \"analyzerIdentity\": \"OSSINDEX_ANALYZER\",\n \"attributedOn\": \"2024-04-04 03:29:41.194\",\n \"referenceUrl\": \"https://ossindex.sonatype.org/vulnerability/CVE-2022-25857?component-type=maven&component-name=org.yaml%2Fsnakeyaml&utm_source=dependency-track&utm_medium=integration&utm_content=v4.10.1\"\n },\n \"vulnerability\": {\n \"severity\": \"HIGH\",\n \"cvssV3BaseScore\": 7.5,\n \"severityRank\": 1,\n \"cweName\": \"Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')\",\n \"vulnId\": \"CVE-2022-25857\",\n \"aliases\": [],\n 
\"cweId\": 776,\n \"description\": \"The package org.yaml:snakeyaml from 0 and before 1.31 are vulnerable to Denial of Service (DoS) due missing to nested depth limitation for collections.\",\n \"source\": \"NVD\",\n \"cwes\": [\n {\n \"cweId\": 776,\n \"name\": \"Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')\",\n \"id\": 0\n }\n ],\n \"uuid\": \"6c9e13ea-74a0-44f8-b584-0c6b59330cf3\"\n },\n \"analysis\": {\n \"isSuppressed\": false\n },\n \"matrix\": \"5840398e-605b-4326-9184-74e0e7c2a081:2b90f04e-c71b-4a10-a619-9bb98aaaa9ff:6c9e13ea-74a0-44f8-b584-0c6b59330cf3\"\n}", + "results": [ + { + "status": "failed", + "code_desc": "", + "start_time": "2024-04-04T03:32:17Z" + } + ] + }, + { + "tags": { + "cweIds": [ + 787 + ], + "cweNames": [ + "Out-of-bounds Write" + ], + "nist": [ + "SI-10" + ], + "cci": [ + "CCI-001310" + ], + "componentUuid": "2b90f04e-c71b-4a10-a619-9bb98aaaa9ff", + "componentName": "snakeyaml", + "componentGroup": "org.yaml", + "componentVersion": "1.23", + "componentLatestVersion": "2.2", + "componentPurl": "pkg:maven/org.yaml/snakeyaml@1.23?type=jar", + "componentCpe": "", + "componentProject": "5840398e-605b-4326-9184-74e0e7c2a081", + "vulnerabilityUuid": "5e90220f-03a1-441b-a87b-3b3e2d3e9cdc", + "vulnerabilitySource": "NVD", + "vulnerabilityVulnId": "CVE-2022-38749", + "vulnerabilityTitle": "", + "vulnerabilitySubtitle": "", + "vulnerabilityAliases": "[]", + "vulnerabilityCvssV2BaseScore": "", + "vulnerabilityCvssV3BaseScore": 6.5, + "vulnerabilityOwaspLikelihoodScore": "", + "vulnerabilityOwaspTechnicalImpactScore": "", + "vulnerabilityOwaspBusinessImpactScore": "", + "vulnerabilitySeverityRank": 2, + "vulnerabilityEpssScore": "", + "vulnerabilityEpssPercentile": "", + "vulnerabilityCweId": 787, + "vulnerabilityCweName": "Out-of-bounds Write", + "attributionAnalyzerIdentity": "OSSINDEX_ANALYZER", + "attributionAttributedOn": "2024-04-04 03:29:41.205", + "attributionAlternateIdentifier": "CVE-2022-38749", + 
"attributionReferenceUrl": "https://ossindex.sonatype.org/vulnerability/CVE-2022-38749?component-type=maven&component-name=org.yaml%2Fsnakeyaml&utm_source=dependency-track&utm_medium=integration&utm_content=v4.10.1", + "analysisState": "", + "analysisIsSuppressed": "" + }, + "refs": [], + "source_location": {}, + "title": "pkg:maven/org.yaml/snakeyaml@1.23?type=jar", + "id": "5840398e-605b-4326-9184-74e0e7c2a081:2b90f04e-c71b-4a10-a619-9bb98aaaa9ff:5e90220f-03a1-441b-a87b-3b3e2d3e9cdc", + "desc": "Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow.", + "descriptions": [ + { + "data": "Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow.", + "label": "check" + }, + { + "data": "", + "label": "fix" + } + ], + "impact": 0.5, + "code": "{\n \"component\": {\n \"latestVersion\": \"2.2\",\n \"name\": \"snakeyaml\",\n \"project\": \"5840398e-605b-4326-9184-74e0e7c2a081\",\n \"purl\": \"pkg:maven/org.yaml/snakeyaml@1.23?type=jar\",\n \"uuid\": \"2b90f04e-c71b-4a10-a619-9bb98aaaa9ff\",\n \"version\": \"1.23\",\n \"group\": \"org.yaml\"\n },\n \"attribution\": {\n \"alternateIdentifier\": \"CVE-2022-38749\",\n \"analyzerIdentity\": \"OSSINDEX_ANALYZER\",\n \"attributedOn\": \"2024-04-04 03:29:41.205\",\n \"referenceUrl\": \"https://ossindex.sonatype.org/vulnerability/CVE-2022-38749?component-type=maven&component-name=org.yaml%2Fsnakeyaml&utm_source=dependency-track&utm_medium=integration&utm_content=v4.10.1\"\n },\n \"vulnerability\": {\n \"severity\": \"MEDIUM\",\n \"cvssV3BaseScore\": 6.5,\n \"severityRank\": 2,\n \"cweName\": \"Out-of-bounds Write\",\n \"vulnId\": \"CVE-2022-38749\",\n \"aliases\": [],\n \"cweId\": 787,\n 
\"description\": \"Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow.\",\n \"source\": \"NVD\",\n \"cwes\": [\n {\n \"cweId\": 787,\n \"name\": \"Out-of-bounds Write\",\n \"id\": 0\n }\n ],\n \"uuid\": \"5e90220f-03a1-441b-a87b-3b3e2d3e9cdc\"\n },\n \"analysis\": {\n \"isSuppressed\": false\n },\n \"matrix\": \"5840398e-605b-4326-9184-74e0e7c2a081:2b90f04e-c71b-4a10-a619-9bb98aaaa9ff:5e90220f-03a1-441b-a87b-3b3e2d3e9cdc\"\n}", + "results": [ + { + "status": "failed", + "code_desc": "", + "start_time": "2024-04-04T03:32:17Z" + } + ] + }, + { + "tags": { + "cweIds": [ + 787 + ], + "cweNames": [ + "Out-of-bounds Write" + ], + "nist": [ + "SI-10" + ], + "cci": [ + "CCI-001310" + ], + "componentUuid": "2b90f04e-c71b-4a10-a619-9bb98aaaa9ff", + "componentName": "snakeyaml", + "componentGroup": "org.yaml", + "componentVersion": "1.23", + "componentLatestVersion": "2.2", + "componentPurl": "pkg:maven/org.yaml/snakeyaml@1.23?type=jar", + "componentCpe": "", + "componentProject": "5840398e-605b-4326-9184-74e0e7c2a081", + "vulnerabilityUuid": "ce8d331c-ec1b-4c54-be6e-9ce58cc3aa25", + "vulnerabilitySource": "NVD", + "vulnerabilityVulnId": "CVE-2022-38750", + "vulnerabilityTitle": "", + "vulnerabilitySubtitle": "", + "vulnerabilityAliases": "[]", + "vulnerabilityCvssV2BaseScore": "", + "vulnerabilityCvssV3BaseScore": 5.5, + "vulnerabilityOwaspLikelihoodScore": "", + "vulnerabilityOwaspTechnicalImpactScore": "", + "vulnerabilityOwaspBusinessImpactScore": "", + "vulnerabilitySeverityRank": 2, + "vulnerabilityEpssScore": "", + "vulnerabilityEpssPercentile": "", + "vulnerabilityCweId": 787, + "vulnerabilityCweName": "Out-of-bounds Write", + "attributionAnalyzerIdentity": "OSSINDEX_ANALYZER", + "attributionAttributedOn": "2024-04-04 03:29:41.211", + "attributionAlternateIdentifier": "CVE-2022-38750", + 
"attributionReferenceUrl": "https://ossindex.sonatype.org/vulnerability/CVE-2022-38750?component-type=maven&component-name=org.yaml%2Fsnakeyaml&utm_source=dependency-track&utm_medium=integration&utm_content=v4.10.1", + "analysisState": "", + "analysisIsSuppressed": "" + }, + "refs": [], + "source_location": {}, + "title": "pkg:maven/org.yaml/snakeyaml@1.23?type=jar", + "id": "5840398e-605b-4326-9184-74e0e7c2a081:2b90f04e-c71b-4a10-a619-9bb98aaaa9ff:ce8d331c-ec1b-4c54-be6e-9ce58cc3aa25", + "desc": "Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow.", + "descriptions": [ + { + "data": "Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow.", + "label": "check" + }, + { + "data": "", + "label": "fix" + } + ], + "impact": 0.5, + "code": "{\n \"component\": {\n \"latestVersion\": \"2.2\",\n \"name\": \"snakeyaml\",\n \"project\": \"5840398e-605b-4326-9184-74e0e7c2a081\",\n \"purl\": \"pkg:maven/org.yaml/snakeyaml@1.23?type=jar\",\n \"uuid\": \"2b90f04e-c71b-4a10-a619-9bb98aaaa9ff\",\n \"version\": \"1.23\",\n \"group\": \"org.yaml\"\n },\n \"attribution\": {\n \"alternateIdentifier\": \"CVE-2022-38750\",\n \"analyzerIdentity\": \"OSSINDEX_ANALYZER\",\n \"attributedOn\": \"2024-04-04 03:29:41.211\",\n \"referenceUrl\": \"https://ossindex.sonatype.org/vulnerability/CVE-2022-38750?component-type=maven&component-name=org.yaml%2Fsnakeyaml&utm_source=dependency-track&utm_medium=integration&utm_content=v4.10.1\"\n },\n \"vulnerability\": {\n \"severity\": \"MEDIUM\",\n \"cvssV3BaseScore\": 5.5,\n \"severityRank\": 2,\n \"cweName\": \"Out-of-bounds Write\",\n \"vulnId\": \"CVE-2022-38750\",\n \"aliases\": [],\n \"cweId\": 787,\n 
\"description\": \"Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow.\",\n \"source\": \"NVD\",\n \"cwes\": [\n {\n \"cweId\": 787,\n \"name\": \"Out-of-bounds Write\",\n \"id\": 0\n }\n ],\n \"uuid\": \"ce8d331c-ec1b-4c54-be6e-9ce58cc3aa25\"\n },\n \"analysis\": {\n \"isSuppressed\": false\n },\n \"matrix\": \"5840398e-605b-4326-9184-74e0e7c2a081:2b90f04e-c71b-4a10-a619-9bb98aaaa9ff:ce8d331c-ec1b-4c54-be6e-9ce58cc3aa25\"\n}", + "results": [ + { + "status": "failed", + "code_desc": "", + "start_time": "2024-04-04T03:32:17Z" + } + ] + }, + { + "tags": { + "cweIds": [ + 787 + ], + "cweNames": [ + "Out-of-bounds Write" + ], + "nist": [ + "SI-10" + ], + "cci": [ + "CCI-001310" + ], + "componentUuid": "2b90f04e-c71b-4a10-a619-9bb98aaaa9ff", + "componentName": "snakeyaml", + "componentGroup": "org.yaml", + "componentVersion": "1.23", + "componentLatestVersion": "2.2", + "componentPurl": "pkg:maven/org.yaml/snakeyaml@1.23?type=jar", + "componentCpe": "", + "componentProject": "5840398e-605b-4326-9184-74e0e7c2a081", + "vulnerabilityUuid": "e90177c4-5913-4a33-bf02-b907372b5c5b", + "vulnerabilitySource": "NVD", + "vulnerabilityVulnId": "CVE-2022-38751", + "vulnerabilityTitle": "", + "vulnerabilitySubtitle": "", + "vulnerabilityAliases": "[]", + "vulnerabilityCvssV2BaseScore": "", + "vulnerabilityCvssV3BaseScore": 6.5, + "vulnerabilityOwaspLikelihoodScore": "", + "vulnerabilityOwaspTechnicalImpactScore": "", + "vulnerabilityOwaspBusinessImpactScore": "", + "vulnerabilitySeverityRank": 2, + "vulnerabilityEpssScore": "", + "vulnerabilityEpssPercentile": "", + "vulnerabilityCweId": 787, + "vulnerabilityCweName": "Out-of-bounds Write", + "attributionAnalyzerIdentity": "OSSINDEX_ANALYZER", + "attributionAttributedOn": "2024-04-04 03:29:41.214", + "attributionAlternateIdentifier": "CVE-2022-38751", + 
"attributionReferenceUrl": "https://ossindex.sonatype.org/vulnerability/CVE-2022-38751?component-type=maven&component-name=org.yaml%2Fsnakeyaml&utm_source=dependency-track&utm_medium=integration&utm_content=v4.10.1", + "analysisState": "", + "analysisIsSuppressed": "" + }, + "refs": [], + "source_location": {}, + "title": "pkg:maven/org.yaml/snakeyaml@1.23?type=jar", + "id": "5840398e-605b-4326-9184-74e0e7c2a081:2b90f04e-c71b-4a10-a619-9bb98aaaa9ff:e90177c4-5913-4a33-bf02-b907372b5c5b", + "desc": "Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow.", + "descriptions": [ + { + "data": "Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow.", + "label": "check" + }, + { + "data": "", + "label": "fix" + } + ], + "impact": 0.5, + "code": "{\n \"component\": {\n \"latestVersion\": \"2.2\",\n \"name\": \"snakeyaml\",\n \"project\": \"5840398e-605b-4326-9184-74e0e7c2a081\",\n \"purl\": \"pkg:maven/org.yaml/snakeyaml@1.23?type=jar\",\n \"uuid\": \"2b90f04e-c71b-4a10-a619-9bb98aaaa9ff\",\n \"version\": \"1.23\",\n \"group\": \"org.yaml\"\n },\n \"attribution\": {\n \"alternateIdentifier\": \"CVE-2022-38751\",\n \"analyzerIdentity\": \"OSSINDEX_ANALYZER\",\n \"attributedOn\": \"2024-04-04 03:29:41.214\",\n \"referenceUrl\": \"https://ossindex.sonatype.org/vulnerability/CVE-2022-38751?component-type=maven&component-name=org.yaml%2Fsnakeyaml&utm_source=dependency-track&utm_medium=integration&utm_content=v4.10.1\"\n },\n \"vulnerability\": {\n \"severity\": \"MEDIUM\",\n \"cvssV3BaseScore\": 6.5,\n \"severityRank\": 2,\n \"cweName\": \"Out-of-bounds Write\",\n \"vulnId\": \"CVE-2022-38751\",\n \"aliases\": [],\n \"cweId\": 787,\n 
\"description\": \"Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow.\",\n \"source\": \"NVD\",\n \"cwes\": [\n {\n \"cweId\": 787,\n \"name\": \"Out-of-bounds Write\",\n \"id\": 0\n }\n ],\n \"uuid\": \"e90177c4-5913-4a33-bf02-b907372b5c5b\"\n },\n \"analysis\": {\n \"isSuppressed\": false\n },\n \"matrix\": \"5840398e-605b-4326-9184-74e0e7c2a081:2b90f04e-c71b-4a10-a619-9bb98aaaa9ff:e90177c4-5913-4a33-bf02-b907372b5c5b\"\n}", + "results": [ + { + "status": "failed", + "code_desc": "", + "start_time": "2024-04-04T03:32:17Z" + } + ] + }, + { + "tags": { + "cweIds": [ + 787 + ], + "cweNames": [ + "Out-of-bounds Write" + ], + "nist": [ + "SI-10" + ], + "cci": [ + "CCI-001310" + ], + "componentUuid": "2b90f04e-c71b-4a10-a619-9bb98aaaa9ff", + "componentName": "snakeyaml", + "componentGroup": "org.yaml", + "componentVersion": "1.23", + "componentLatestVersion": "2.2", + "componentPurl": "pkg:maven/org.yaml/snakeyaml@1.23?type=jar", + "componentCpe": "", + "componentProject": "5840398e-605b-4326-9184-74e0e7c2a081", + "vulnerabilityUuid": "dc1234ab-bb88-497e-bb3c-0d4f6fef97e7", + "vulnerabilitySource": "NVD", + "vulnerabilityVulnId": "CVE-2022-38752", + "vulnerabilityTitle": "", + "vulnerabilitySubtitle": "", + "vulnerabilityAliases": "[]", + "vulnerabilityCvssV2BaseScore": "", + "vulnerabilityCvssV3BaseScore": 6.5, + "vulnerabilityOwaspLikelihoodScore": "", + "vulnerabilityOwaspTechnicalImpactScore": "", + "vulnerabilityOwaspBusinessImpactScore": "", + "vulnerabilitySeverityRank": 2, + "vulnerabilityEpssScore": "", + "vulnerabilityEpssPercentile": "", + "vulnerabilityCweId": 787, + "vulnerabilityCweName": "Out-of-bounds Write", + "attributionAnalyzerIdentity": "OSSINDEX_ANALYZER", + "attributionAttributedOn": "2024-04-04 03:29:41.218", + "attributionAlternateIdentifier": "CVE-2022-38752", + 
"attributionReferenceUrl": "https://ossindex.sonatype.org/vulnerability/CVE-2022-38752?component-type=maven&component-name=org.yaml%2Fsnakeyaml&utm_source=dependency-track&utm_medium=integration&utm_content=v4.10.1", + "analysisState": "", + "analysisIsSuppressed": "" + }, + "refs": [], + "source_location": {}, + "title": "pkg:maven/org.yaml/snakeyaml@1.23?type=jar", + "id": "5840398e-605b-4326-9184-74e0e7c2a081:2b90f04e-c71b-4a10-a619-9bb98aaaa9ff:dc1234ab-bb88-497e-bb3c-0d4f6fef97e7", + "desc": "Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stack-overflow.", + "descriptions": [ + { + "data": "Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stack-overflow.", + "label": "check" + }, + { + "data": "", + "label": "fix" + } + ], + "impact": 0.5, + "code": "{\n \"component\": {\n \"latestVersion\": \"2.2\",\n \"name\": \"snakeyaml\",\n \"project\": \"5840398e-605b-4326-9184-74e0e7c2a081\",\n \"purl\": \"pkg:maven/org.yaml/snakeyaml@1.23?type=jar\",\n \"uuid\": \"2b90f04e-c71b-4a10-a619-9bb98aaaa9ff\",\n \"version\": \"1.23\",\n \"group\": \"org.yaml\"\n },\n \"attribution\": {\n \"alternateIdentifier\": \"CVE-2022-38752\",\n \"analyzerIdentity\": \"OSSINDEX_ANALYZER\",\n \"attributedOn\": \"2024-04-04 03:29:41.218\",\n \"referenceUrl\": \"https://ossindex.sonatype.org/vulnerability/CVE-2022-38752?component-type=maven&component-name=org.yaml%2Fsnakeyaml&utm_source=dependency-track&utm_medium=integration&utm_content=v4.10.1\"\n },\n \"vulnerability\": {\n \"severity\": \"MEDIUM\",\n \"cvssV3BaseScore\": 6.5,\n \"severityRank\": 2,\n \"cweName\": \"Out-of-bounds Write\",\n \"vulnId\": \"CVE-2022-38752\",\n \"aliases\": [],\n \"cweId\": 787,\n 
\"description\": \"Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stack-overflow.\",\n \"source\": \"NVD\",\n \"cwes\": [\n {\n \"cweId\": 787,\n \"name\": \"Out-of-bounds Write\",\n \"id\": 0\n }\n ],\n \"uuid\": \"dc1234ab-bb88-497e-bb3c-0d4f6fef97e7\"\n },\n \"analysis\": {\n \"isSuppressed\": false\n },\n \"matrix\": \"5840398e-605b-4326-9184-74e0e7c2a081:2b90f04e-c71b-4a10-a619-9bb98aaaa9ff:dc1234ab-bb88-497e-bb3c-0d4f6fef97e7\"\n}", + "results": [ + { + "status": "failed", + "code_desc": "", + "start_time": "2024-04-04T03:32:17Z" + } + ] + }, + { + "tags": { + "cweIds": [ + 787 + ], + "cweNames": [ + "Out-of-bounds Write" + ], + "nist": [ + "SI-10" + ], + "cci": [ + "CCI-001310" + ], + "componentUuid": "2b90f04e-c71b-4a10-a619-9bb98aaaa9ff", + "componentName": "snakeyaml", + "componentGroup": "org.yaml", + "componentVersion": "1.23", + "componentLatestVersion": "2.2", + "componentPurl": "pkg:maven/org.yaml/snakeyaml@1.23?type=jar", + "componentCpe": "", + "componentProject": "5840398e-605b-4326-9184-74e0e7c2a081", + "vulnerabilityUuid": "f2d2bd9a-0e2f-4107-a2d0-9372f50e2602", + "vulnerabilitySource": "NVD", + "vulnerabilityVulnId": "CVE-2022-41854", + "vulnerabilityTitle": "", + "vulnerabilitySubtitle": "", + "vulnerabilityAliases": "[]", + "vulnerabilityCvssV2BaseScore": "", + "vulnerabilityCvssV3BaseScore": 6.5, + "vulnerabilityOwaspLikelihoodScore": "", + "vulnerabilityOwaspTechnicalImpactScore": "", + "vulnerabilityOwaspBusinessImpactScore": "", + "vulnerabilitySeverityRank": 2, + "vulnerabilityEpssScore": "", + "vulnerabilityEpssPercentile": "", + "vulnerabilityCweId": 787, + "vulnerabilityCweName": "Out-of-bounds Write", + "attributionAnalyzerIdentity": "OSSINDEX_ANALYZER", + "attributionAttributedOn": "2024-04-04 03:29:41.224", + "attributionAlternateIdentifier": "CVE-2022-41854", + 
"attributionReferenceUrl": "https://ossindex.sonatype.org/vulnerability/CVE-2022-41854?component-type=maven&component-name=org.yaml%2Fsnakeyaml&utm_source=dependency-track&utm_medium=integration&utm_content=v4.10.1", + "analysisState": "", + "analysisIsSuppressed": "" + }, + "refs": [], + "source_location": {}, + "title": "pkg:maven/org.yaml/snakeyaml@1.23?type=jar", + "id": "5840398e-605b-4326-9184-74e0e7c2a081:2b90f04e-c71b-4a10-a619-9bb98aaaa9ff:f2d2bd9a-0e2f-4107-a2d0-9372f50e2602", + "desc": "Those using Snakeyaml to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stack overflow. This effect may support a denial of service attack.", + "descriptions": [ + { + "data": "Those using Snakeyaml to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stack overflow. 
This effect may support a denial of service attack.", + "label": "check" + }, + { + "data": "", + "label": "fix" + } + ], + "impact": 0.5, + "code": "{\n \"component\": {\n \"latestVersion\": \"2.2\",\n \"name\": \"snakeyaml\",\n \"project\": \"5840398e-605b-4326-9184-74e0e7c2a081\",\n \"purl\": \"pkg:maven/org.yaml/snakeyaml@1.23?type=jar\",\n \"uuid\": \"2b90f04e-c71b-4a10-a619-9bb98aaaa9ff\",\n \"version\": \"1.23\",\n \"group\": \"org.yaml\"\n },\n \"attribution\": {\n \"alternateIdentifier\": \"CVE-2022-41854\",\n \"analyzerIdentity\": \"OSSINDEX_ANALYZER\",\n \"attributedOn\": \"2024-04-04 03:29:41.224\",\n \"referenceUrl\": \"https://ossindex.sonatype.org/vulnerability/CVE-2022-41854?component-type=maven&component-name=org.yaml%2Fsnakeyaml&utm_source=dependency-track&utm_medium=integration&utm_content=v4.10.1\"\n },\n \"vulnerability\": {\n \"severity\": \"MEDIUM\",\n \"cvssV3BaseScore\": 6.5,\n \"severityRank\": 2,\n \"cweName\": \"Out-of-bounds Write\",\n \"vulnId\": \"CVE-2022-41854\",\n \"aliases\": [],\n \"cweId\": 787,\n \"description\": \"Those using Snakeyaml to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stack overflow. 
This effect may support a denial of service attack.\",\n \"source\": \"NVD\",\n \"cwes\": [\n {\n \"cweId\": 787,\n \"name\": \"Out-of-bounds Write\",\n \"id\": 0\n }\n ],\n \"uuid\": \"f2d2bd9a-0e2f-4107-a2d0-9372f50e2602\"\n },\n \"analysis\": {\n \"isSuppressed\": false\n },\n \"matrix\": \"5840398e-605b-4326-9184-74e0e7c2a081:2b90f04e-c71b-4a10-a619-9bb98aaaa9ff:f2d2bd9a-0e2f-4107-a2d0-9372f50e2602\"\n}", + "results": [ + { + "status": "failed", + "code_desc": "", + "start_time": "2024-04-04T03:32:17Z" + } + ] + }, + { + "tags": { + "cweIds": [ + 502 + ], + "cweNames": [ + "Deserialization of Untrusted Data" + ], + "nist": [ + "SI-10" + ], + "cci": [ + "CCI-001310" + ], + "componentUuid": "7e2eaccb-70f1-4d52-b605-17b9c9049bf0", + "componentName": "logback-core", + "componentGroup": "ch.qos.logback", + "componentVersion": "1.2.3", + "componentLatestVersion": "1.5.3", + "componentPurl": "pkg:maven/ch.qos.logback/logback-core@1.2.3?type=jar", + "componentCpe": "", + "componentProject": "5840398e-605b-4326-9184-74e0e7c2a081", + "vulnerabilityUuid": "2edf3945-6687-40b7-a389-a2c54fb35623", + "vulnerabilitySource": "NVD", + "vulnerabilityVulnId": "CVE-2023-6378", + "vulnerabilityTitle": "", + "vulnerabilitySubtitle": "", + "vulnerabilityAliases": "[]", + "vulnerabilityCvssV2BaseScore": "", + "vulnerabilityCvssV3BaseScore": 7.5, + "vulnerabilityOwaspLikelihoodScore": "", + "vulnerabilityOwaspTechnicalImpactScore": "", + "vulnerabilityOwaspBusinessImpactScore": "", + "vulnerabilitySeverityRank": 1, + "vulnerabilityEpssScore": 0.00046, + "vulnerabilityEpssPercentile": 0.14827, + "vulnerabilityCweId": 502, + "vulnerabilityCweName": "Deserialization of Untrusted Data", + "attributionAnalyzerIdentity": "OSSINDEX_ANALYZER", + "attributionAttributedOn": "2024-04-04 03:29:41.24", + "attributionAlternateIdentifier": "CVE-2023-6378", + "attributionReferenceUrl": 
"https://ossindex.sonatype.org/vulnerability/CVE-2023-6378?component-type=maven&component-name=ch.qos.logback%2Flogback-core&utm_source=dependency-track&utm_medium=integration&utm_content=v4.10.1", + "analysisState": "", + "analysisIsSuppressed": "" + }, + "refs": [], + "source_location": {}, + "title": "pkg:maven/ch.qos.logback/logback-core@1.2.3?type=jar", + "id": "5840398e-605b-4326-9184-74e0e7c2a081:7e2eaccb-70f1-4d52-b605-17b9c9049bf0:2edf3945-6687-40b7-a389-a2c54fb35623", + "desc": "A serialization vulnerability in logback receiver component part of \nlogback version 1.4.11 allows an attacker to mount a Denial-Of-Service \nattack by sending poisoned data.\n\n", + "descriptions": [ + { + "data": "A serialization vulnerability in logback receiver component part of \nlogback version 1.4.11 allows an attacker to mount a Denial-Of-Service \nattack by sending poisoned data.\n\n", + "label": "check" + }, + { + "data": "", + "label": "fix" + } + ], + "impact": 0.7, + "code": "{\n \"component\": {\n \"latestVersion\": \"1.5.3\",\n \"name\": \"logback-core\",\n \"project\": \"5840398e-605b-4326-9184-74e0e7c2a081\",\n \"purl\": \"pkg:maven/ch.qos.logback/logback-core@1.2.3?type=jar\",\n \"uuid\": \"7e2eaccb-70f1-4d52-b605-17b9c9049bf0\",\n \"version\": \"1.2.3\",\n \"group\": \"ch.qos.logback\"\n },\n \"attribution\": {\n \"alternateIdentifier\": \"CVE-2023-6378\",\n \"analyzerIdentity\": \"OSSINDEX_ANALYZER\",\n \"attributedOn\": \"2024-04-04 03:29:41.24\",\n \"referenceUrl\": \"https://ossindex.sonatype.org/vulnerability/CVE-2023-6378?component-type=maven&component-name=ch.qos.logback%2Flogback-core&utm_source=dependency-track&utm_medium=integration&utm_content=v4.10.1\"\n },\n \"vulnerability\": {\n \"severity\": \"HIGH\",\n \"cvssV3BaseScore\": 7.5,\n \"vulnId\": \"CVE-2023-6378\",\n \"aliases\": [],\n \"cweId\": 502,\n \"description\": \"A serialization vulnerability in logback receiver component part of \\nlogback version 1.4.11 allows an attacker to mount a 
Denial-Of-Service \\nattack by sending poisoned data.\\n\\n\",\n \"epssScore\": 0.00046,\n \"source\": \"NVD\",\n \"cwes\": [\n {\n \"cweId\": 502,\n \"name\": \"Deserialization of Untrusted Data\",\n \"id\": 0\n }\n ],\n \"uuid\": \"2edf3945-6687-40b7-a389-a2c54fb35623\",\n \"severityRank\": 1,\n \"cweName\": \"Deserialization of Untrusted Data\",\n \"epssPercentile\": 0.14827\n },\n \"analysis\": {\n \"isSuppressed\": false\n },\n \"matrix\": \"5840398e-605b-4326-9184-74e0e7c2a081:7e2eaccb-70f1-4d52-b605-17b9c9049bf0:2edf3945-6687-40b7-a389-a2c54fb35623\"\n}", + "results": [ + { + "status": "failed", + "code_desc": "", + "start_time": "2024-04-04T03:32:17Z" + } + ] + }, + { + "tags": { + "cweIds": [ + 502 + ], + "cweNames": [ + "Deserialization of Untrusted Data" + ], + "nist": [ + "SI-10" + ], + "cci": [ + "CCI-001310" + ], + "componentUuid": "7e2eaccb-70f1-4d52-b605-17b9c9049bf0", + "componentName": "logback-core", + "componentGroup": "ch.qos.logback", + "componentVersion": "1.2.3", + "componentLatestVersion": "1.5.3", + "componentPurl": "pkg:maven/ch.qos.logback/logback-core@1.2.3?type=jar", + "componentCpe": "", + "componentProject": "5840398e-605b-4326-9184-74e0e7c2a081", + "vulnerabilityUuid": "3ed852c3-4a25-480b-9f36-dbd8b75c8e28", + "vulnerabilitySource": "NVD", + "vulnerabilityVulnId": "CVE-2021-42550", + "vulnerabilityTitle": "", + "vulnerabilitySubtitle": "", + "vulnerabilityAliases": "[]", + "vulnerabilityCvssV2BaseScore": 8.5, + "vulnerabilityCvssV3BaseScore": 6.6, + "vulnerabilityOwaspLikelihoodScore": "", + "vulnerabilityOwaspTechnicalImpactScore": "", + "vulnerabilityOwaspBusinessImpactScore": "", + "vulnerabilitySeverityRank": 2, + "vulnerabilityEpssScore": 0.01555, + "vulnerabilityEpssPercentile": 0.86905, + "vulnerabilityCweId": 502, + "vulnerabilityCweName": "Deserialization of Untrusted Data", + "attributionAnalyzerIdentity": "OSSINDEX_ANALYZER", + "attributionAttributedOn": "2024-04-04 03:29:41.247", + "attributionAlternateIdentifier": 
"CVE-2021-42550", + "attributionReferenceUrl": "https://ossindex.sonatype.org/vulnerability/CVE-2021-42550?component-type=maven&component-name=ch.qos.logback%2Flogback-core&utm_source=dependency-track&utm_medium=integration&utm_content=v4.10.1", + "analysisState": "", + "analysisIsSuppressed": "" + }, + "refs": [], + "source_location": {}, + "title": "pkg:maven/ch.qos.logback/logback-core@1.2.3?type=jar", + "id": "5840398e-605b-4326-9184-74e0e7c2a081:7e2eaccb-70f1-4d52-b605-17b9c9049bf0:3ed852c3-4a25-480b-9f36-dbd8b75c8e28", + "desc": "In logback version 1.2.7 and prior versions, an attacker with the required privileges to edit configurations files could craft a malicious configuration allowing to execute arbitrary code loaded from LDAP servers.", + "descriptions": [ + { + "data": "In logback version 1.2.7 and prior versions, an attacker with the required privileges to edit configurations files could craft a malicious configuration allowing to execute arbitrary code loaded from LDAP servers.", + "label": "check" + }, + { + "data": "", + "label": "fix" + } + ], + "impact": 0.5, + "code": "{\n \"component\": {\n \"latestVersion\": \"1.5.3\",\n \"name\": \"logback-core\",\n \"project\": \"5840398e-605b-4326-9184-74e0e7c2a081\",\n \"purl\": \"pkg:maven/ch.qos.logback/logback-core@1.2.3?type=jar\",\n \"uuid\": \"7e2eaccb-70f1-4d52-b605-17b9c9049bf0\",\n \"version\": \"1.2.3\",\n \"group\": \"ch.qos.logback\"\n },\n \"attribution\": {\n \"alternateIdentifier\": \"CVE-2021-42550\",\n \"analyzerIdentity\": \"OSSINDEX_ANALYZER\",\n \"attributedOn\": \"2024-04-04 03:29:41.247\",\n \"referenceUrl\": \"https://ossindex.sonatype.org/vulnerability/CVE-2021-42550?component-type=maven&component-name=ch.qos.logback%2Flogback-core&utm_source=dependency-track&utm_medium=integration&utm_content=v4.10.1\"\n },\n \"vulnerability\": {\n \"severity\": \"MEDIUM\",\n \"cvssV3BaseScore\": 6.6,\n \"vulnId\": \"CVE-2021-42550\",\n \"aliases\": [],\n \"cweId\": 502,\n \"description\": \"In 
logback version 1.2.7 and prior versions, an attacker with the required privileges to edit configurations files could craft a malicious configuration allowing to execute arbitrary code loaded from LDAP servers.\",\n \"epssScore\": 0.01555,\n \"source\": \"NVD\",\n \"cwes\": [\n {\n \"cweId\": 502,\n \"name\": \"Deserialization of Untrusted Data\",\n \"id\": 0\n }\n ],\n \"uuid\": \"3ed852c3-4a25-480b-9f36-dbd8b75c8e28\",\n \"severityRank\": 2,\n \"cweName\": \"Deserialization of Untrusted Data\",\n \"epssPercentile\": 0.86905,\n \"cvssV2BaseScore\": 8.5\n },\n \"analysis\": {\n \"isSuppressed\": false\n },\n \"matrix\": \"5840398e-605b-4326-9184-74e0e7c2a081:7e2eaccb-70f1-4d52-b605-17b9c9049bf0:3ed852c3-4a25-480b-9f36-dbd8b75c8e28\"\n}", + "results": [ + { + "status": "failed", + "code_desc": "", + "start_time": "2024-04-04T03:32:17Z" + } + ] + }, + { + "tags": { + "cweIds": [ + 502 + ], + "cweNames": [ + "Deserialization of Untrusted Data" + ], + "nist": [ + "SI-10" + ], + "cci": [ + "CCI-001310" + ], + "componentUuid": "e03a4b88-a83e-4558-8fe5-87f232d3ce08", + "componentName": "logback-classic", + "componentGroup": "ch.qos.logback", + "componentVersion": "1.2.3", + "componentLatestVersion": "1.5.3", + "componentPurl": "pkg:maven/ch.qos.logback/logback-classic@1.2.3?type=jar", + "componentCpe": "", + "componentProject": "5840398e-605b-4326-9184-74e0e7c2a081", + "vulnerabilityUuid": "2edf3945-6687-40b7-a389-a2c54fb35623", + "vulnerabilitySource": "NVD", + "vulnerabilityVulnId": "CVE-2023-6378", + "vulnerabilityTitle": "", + "vulnerabilitySubtitle": "", + "vulnerabilityAliases": "[]", + "vulnerabilityCvssV2BaseScore": "", + "vulnerabilityCvssV3BaseScore": 7.5, + "vulnerabilityOwaspLikelihoodScore": "", + "vulnerabilityOwaspTechnicalImpactScore": "", + "vulnerabilityOwaspBusinessImpactScore": "", + "vulnerabilitySeverityRank": 1, + "vulnerabilityEpssScore": 0.00046, + "vulnerabilityEpssPercentile": 0.14827, + "vulnerabilityCweId": 502, + "vulnerabilityCweName": 
"Deserialization of Untrusted Data", + "attributionAnalyzerIdentity": "OSSINDEX_ANALYZER", + "attributionAttributedOn": "2024-04-04 03:29:41.251", + "attributionAlternateIdentifier": "CVE-2023-6378", + "attributionReferenceUrl": "https://ossindex.sonatype.org/vulnerability/CVE-2023-6378?component-type=maven&component-name=ch.qos.logback%2Flogback-classic&utm_source=dependency-track&utm_medium=integration&utm_content=v4.10.1", + "analysisState": "", + "analysisIsSuppressed": "" + }, + "refs": [], + "source_location": {}, + "title": "pkg:maven/ch.qos.logback/logback-classic@1.2.3?type=jar", + "id": "5840398e-605b-4326-9184-74e0e7c2a081:e03a4b88-a83e-4558-8fe5-87f232d3ce08:2edf3945-6687-40b7-a389-a2c54fb35623", + "desc": "A serialization vulnerability in logback receiver component part of \nlogback version 1.4.11 allows an attacker to mount a Denial-Of-Service \nattack by sending poisoned data.\n\n", + "descriptions": [ + { + "data": "A serialization vulnerability in logback receiver component part of \nlogback version 1.4.11 allows an attacker to mount a Denial-Of-Service \nattack by sending poisoned data.\n\n", + "label": "check" + }, + { + "data": "", + "label": "fix" + } + ], + "impact": 0.7, + "code": "{\n \"component\": {\n \"latestVersion\": \"1.5.3\",\n \"name\": \"logback-classic\",\n \"project\": \"5840398e-605b-4326-9184-74e0e7c2a081\",\n \"purl\": \"pkg:maven/ch.qos.logback/logback-classic@1.2.3?type=jar\",\n \"uuid\": \"e03a4b88-a83e-4558-8fe5-87f232d3ce08\",\n \"version\": \"1.2.3\",\n \"group\": \"ch.qos.logback\"\n },\n \"attribution\": {\n \"alternateIdentifier\": \"CVE-2023-6378\",\n \"analyzerIdentity\": \"OSSINDEX_ANALYZER\",\n \"attributedOn\": \"2024-04-04 03:29:41.251\",\n \"referenceUrl\": \"https://ossindex.sonatype.org/vulnerability/CVE-2023-6378?component-type=maven&component-name=ch.qos.logback%2Flogback-classic&utm_source=dependency-track&utm_medium=integration&utm_content=v4.10.1\"\n },\n \"vulnerability\": {\n \"severity\": \"HIGH\",\n 
\"cvssV3BaseScore\": 7.5,\n \"vulnId\": \"CVE-2023-6378\",\n \"aliases\": [],\n \"cweId\": 502,\n \"description\": \"A serialization vulnerability in logback receiver component part of \\nlogback version 1.4.11 allows an attacker to mount a Denial-Of-Service \\nattack by sending poisoned data.\\n\\n\",\n \"epssScore\": 0.00046,\n \"source\": \"NVD\",\n \"cwes\": [\n {\n \"cweId\": 502,\n \"name\": \"Deserialization of Untrusted Data\",\n \"id\": 0\n }\n ],\n \"uuid\": \"2edf3945-6687-40b7-a389-a2c54fb35623\",\n \"severityRank\": 1,\n \"cweName\": \"Deserialization of Untrusted Data\",\n \"epssPercentile\": 0.14827\n },\n \"analysis\": {\n \"isSuppressed\": false\n },\n \"matrix\": \"5840398e-605b-4326-9184-74e0e7c2a081:e03a4b88-a83e-4558-8fe5-87f232d3ce08:2edf3945-6687-40b7-a389-a2c54fb35623\"\n}", + "results": [ + { + "status": "failed", + "code_desc": "", + "start_time": "2024-04-04T03:32:17Z" + } + ] + }, + { + "tags": { + "cweIds": [ + 502 + ], + "cweNames": [ + "Deserialization of Untrusted Data" + ], + "nist": [ + "SI-10" + ], + "cci": [ + "CCI-001310" + ], + "componentUuid": "e03a4b88-a83e-4558-8fe5-87f232d3ce08", + "componentName": "logback-classic", + "componentGroup": "ch.qos.logback", + "componentVersion": "1.2.3", + "componentLatestVersion": "1.5.3", + "componentPurl": "pkg:maven/ch.qos.logback/logback-classic@1.2.3?type=jar", + "componentCpe": "", + "componentProject": "5840398e-605b-4326-9184-74e0e7c2a081", + "vulnerabilityUuid": "3ed852c3-4a25-480b-9f36-dbd8b75c8e28", + "vulnerabilitySource": "NVD", + "vulnerabilityVulnId": "CVE-2021-42550", + "vulnerabilityTitle": "", + "vulnerabilitySubtitle": "", + "vulnerabilityAliases": "[]", + "vulnerabilityCvssV2BaseScore": 8.5, + "vulnerabilityCvssV3BaseScore": 6.6, + "vulnerabilityOwaspLikelihoodScore": "", + "vulnerabilityOwaspTechnicalImpactScore": "", + "vulnerabilityOwaspBusinessImpactScore": "", + "vulnerabilitySeverityRank": 2, + "vulnerabilityEpssScore": 0.01555, + "vulnerabilityEpssPercentile": 
0.86905, + "vulnerabilityCweId": 502, + "vulnerabilityCweName": "Deserialization of Untrusted Data", + "attributionAnalyzerIdentity": "OSSINDEX_ANALYZER", + "attributionAttributedOn": "2024-04-04 03:29:41.254", + "attributionAlternateIdentifier": "CVE-2021-42550", + "attributionReferenceUrl": "https://ossindex.sonatype.org/vulnerability/CVE-2021-42550?component-type=maven&component-name=ch.qos.logback%2Flogback-classic&utm_source=dependency-track&utm_medium=integration&utm_content=v4.10.1", + "analysisState": "", + "analysisIsSuppressed": "" + }, + "refs": [], + "source_location": {}, + "title": "pkg:maven/ch.qos.logback/logback-classic@1.2.3?type=jar", + "id": "5840398e-605b-4326-9184-74e0e7c2a081:e03a4b88-a83e-4558-8fe5-87f232d3ce08:3ed852c3-4a25-480b-9f36-dbd8b75c8e28", + "desc": "In logback version 1.2.7 and prior versions, an attacker with the required privileges to edit configurations files could craft a malicious configuration allowing to execute arbitrary code loaded from LDAP servers.", + "descriptions": [ + { + "data": "In logback version 1.2.7 and prior versions, an attacker with the required privileges to edit configurations files could craft a malicious configuration allowing to execute arbitrary code loaded from LDAP servers.", + "label": "check" + }, + { + "data": "", + "label": "fix" + } + ], + "impact": 0.5, + "code": "{\n \"component\": {\n \"latestVersion\": \"1.5.3\",\n \"name\": \"logback-classic\",\n \"project\": \"5840398e-605b-4326-9184-74e0e7c2a081\",\n \"purl\": \"pkg:maven/ch.qos.logback/logback-classic@1.2.3?type=jar\",\n \"uuid\": \"e03a4b88-a83e-4558-8fe5-87f232d3ce08\",\n \"version\": \"1.2.3\",\n \"group\": \"ch.qos.logback\"\n },\n \"attribution\": {\n \"alternateIdentifier\": \"CVE-2021-42550\",\n \"analyzerIdentity\": \"OSSINDEX_ANALYZER\",\n \"attributedOn\": \"2024-04-04 03:29:41.254\",\n \"referenceUrl\": 
\"https://ossindex.sonatype.org/vulnerability/CVE-2021-42550?component-type=maven&component-name=ch.qos.logback%2Flogback-classic&utm_source=dependency-track&utm_medium=integration&utm_content=v4.10.1\"\n },\n \"vulnerability\": {\n \"severity\": \"MEDIUM\",\n \"cvssV3BaseScore\": 6.6,\n \"vulnId\": \"CVE-2021-42550\",\n \"aliases\": [],\n \"cweId\": 502,\n \"description\": \"In logback version 1.2.7 and prior versions, an attacker with the required privileges to edit configurations files could craft a malicious configuration allowing to execute arbitrary code loaded from LDAP servers.\",\n \"epssScore\": 0.01555,\n \"source\": \"NVD\",\n \"cwes\": [\n {\n \"cweId\": 502,\n \"name\": \"Deserialization of Untrusted Data\",\n \"id\": 0\n }\n ],\n \"uuid\": \"3ed852c3-4a25-480b-9f36-dbd8b75c8e28\",\n \"severityRank\": 2,\n \"cweName\": \"Deserialization of Untrusted Data\",\n \"epssPercentile\": 0.86905,\n \"cvssV2BaseScore\": 8.5\n },\n \"analysis\": {\n \"isSuppressed\": false\n },\n \"matrix\": \"5840398e-605b-4326-9184-74e0e7c2a081:e03a4b88-a83e-4558-8fe5-87f232d3ce08:3ed852c3-4a25-480b-9f36-dbd8b75c8e28\"\n}", + "results": [ + { + "status": "failed", + "code_desc": "", + "start_time": "2024-04-04T03:32:17Z" + } + ] + }, + { + "tags": { + "cweIds": [ + 400 + ], + "cweNames": [ + "Uncontrolled Resource Consumption" + ], + "nist": [ + "SI-10" + ], + "cci": [ + "CCI-001310" + ], + "componentUuid": "68ba06bb-e70e-4018-80bf-bdf3afe59942", + "componentName": "jetty-util", + "componentGroup": "org.eclipse.jetty", + "componentVersion": "9.4.18.v20190429", + "componentLatestVersion": "12.0.8", + "componentPurl": "pkg:maven/org.eclipse.jetty/jetty-util@9.4.18.v20190429?type=jar", + "componentCpe": "", + "componentProject": "5840398e-605b-4326-9184-74e0e7c2a081", + "vulnerabilityUuid": "d794d36d-8d74-4e2c-b156-d8630443d3c4", + "vulnerabilitySource": "NVD", + "vulnerabilityVulnId": "CVE-2023-26048", + "vulnerabilityTitle": "", + "vulnerabilitySubtitle": "", + 
"vulnerabilityAliases": "[]", + "vulnerabilityCvssV2BaseScore": "", + "vulnerabilityCvssV3BaseScore": 5.3, + "vulnerabilityOwaspLikelihoodScore": "", + "vulnerabilityOwaspTechnicalImpactScore": "", + "vulnerabilityOwaspBusinessImpactScore": "", + "vulnerabilitySeverityRank": 2, + "vulnerabilityEpssScore": 0.00132, + "vulnerabilityEpssPercentile": 0.47579, + "vulnerabilityCweId": 400, + "vulnerabilityCweName": "Uncontrolled Resource Consumption", + "attributionAnalyzerIdentity": "OSSINDEX_ANALYZER", + "attributionAttributedOn": "2024-04-04 03:29:41.265", + "attributionAlternateIdentifier": "CVE-2023-26048", + "attributionReferenceUrl": "https://ossindex.sonatype.org/vulnerability/CVE-2023-26048?component-type=maven&component-name=org.eclipse.jetty%2Fjetty-util&utm_source=dependency-track&utm_medium=integration&utm_content=v4.10.1", + "analysisState": "", + "analysisIsSuppressed": "" + }, + "refs": [], + "source_location": {}, + "title": "pkg:maven/org.eclipse.jetty/jetty-util@9.4.18.v20190429?type=jar", + "id": "5840398e-605b-4326-9184-74e0e7c2a081:68ba06bb-e70e-4018-80bf-bdf3afe59942:d794d36d-8d74-4e2c-b156-d8630443d3c4", + "desc": "Jetty is a java based web server and servlet engine. In affected versions servlets with multipart support (e.g. annotated with `@MultipartConfig`) that call `HttpServletRequest.getParameter()` or `HttpServletRequest.getParts()` may cause `OutOfMemoryError` when the client sends a multipart request with a part that has a name but no filename and very large content. This happens even with the default settings of `fileSizeThreshold=0` which should stream the whole part content to disk. An attacker client may send a large multipart request and cause the server to throw `OutOfMemoryError`. However, the server may be able to recover after the `OutOfMemoryError` and continue its service -- although it may take some time. This issue has been patched in versions 9.4.51, 10.0.14, and 11.0.14. Users are advised to upgrade. 
Users unable to upgrade may set the multipart parameter `maxRequestSize` which must be set to a non-negative value, so the whole multipart content is limited (although still read into memory).", + "descriptions": [ + { + "data": "Jetty is a java based web server and servlet engine. In affected versions servlets with multipart support (e.g. annotated with `@MultipartConfig`) that call `HttpServletRequest.getParameter()` or `HttpServletRequest.getParts()` may cause `OutOfMemoryError` when the client sends a multipart request with a part that has a name but no filename and very large content. This happens even with the default settings of `fileSizeThreshold=0` which should stream the whole part content to disk. An attacker client may send a large multipart request and cause the server to throw `OutOfMemoryError`. However, the server may be able to recover after the `OutOfMemoryError` and continue its service -- although it may take some time. This issue has been patched in versions 9.4.51, 10.0.14, and 11.0.14. Users are advised to upgrade. 
Users unable to upgrade may set the multipart parameter `maxRequestSize` which must be set to a non-negative value, so the whole multipart content is limited (although still read into memory).", + "label": "check" + }, + { + "data": "", + "label": "fix" + } + ], + "impact": 0.5, + "code": "{\n \"component\": {\n \"latestVersion\": \"12.0.8\",\n \"name\": \"jetty-util\",\n \"project\": \"5840398e-605b-4326-9184-74e0e7c2a081\",\n \"purl\": \"pkg:maven/org.eclipse.jetty/jetty-util@9.4.18.v20190429?type=jar\",\n \"uuid\": \"68ba06bb-e70e-4018-80bf-bdf3afe59942\",\n \"version\": \"9.4.18.v20190429\",\n \"group\": \"org.eclipse.jetty\"\n },\n \"attribution\": {\n \"alternateIdentifier\": \"CVE-2023-26048\",\n \"analyzerIdentity\": \"OSSINDEX_ANALYZER\",\n \"attributedOn\": \"2024-04-04 03:29:41.265\",\n \"referenceUrl\": \"https://ossindex.sonatype.org/vulnerability/CVE-2023-26048?component-type=maven&component-name=org.eclipse.jetty%2Fjetty-util&utm_source=dependency-track&utm_medium=integration&utm_content=v4.10.1\"\n },\n \"vulnerability\": {\n \"severity\": \"MEDIUM\",\n \"cvssV3BaseScore\": 5.3,\n \"vulnId\": \"CVE-2023-26048\",\n \"aliases\": [],\n \"cweId\": 400,\n \"description\": \"Jetty is a java based web server and servlet engine. In affected versions servlets with multipart support (e.g. annotated with `@MultipartConfig`) that call `HttpServletRequest.getParameter()` or `HttpServletRequest.getParts()` may cause `OutOfMemoryError` when the client sends a multipart request with a part that has a name but no filename and very large content. This happens even with the default settings of `fileSizeThreshold=0` which should stream the whole part content to disk. An attacker client may send a large multipart request and cause the server to throw `OutOfMemoryError`. However, the server may be able to recover after the `OutOfMemoryError` and continue its service -- although it may take some time. This issue has been patched in versions 9.4.51, 10.0.14, and 11.0.14. 
Users are advised to upgrade. Users unable to upgrade may set the multipart parameter `maxRequestSize` which must be set to a non-negative value, so the whole multipart content is limited (although still read into memory).\",\n \"epssScore\": 0.00132,\n \"source\": \"NVD\",\n \"cwes\": [\n {\n \"cweId\": 400,\n \"name\": \"Uncontrolled Resource Consumption\",\n \"id\": 0\n }\n ],\n \"uuid\": \"d794d36d-8d74-4e2c-b156-d8630443d3c4\",\n \"severityRank\": 2,\n \"cweName\": \"Uncontrolled Resource Consumption\",\n \"epssPercentile\": 0.47579\n },\n \"analysis\": {\n \"isSuppressed\": false\n },\n \"matrix\": \"5840398e-605b-4326-9184-74e0e7c2a081:68ba06bb-e70e-4018-80bf-bdf3afe59942:d794d36d-8d74-4e2c-b156-d8630443d3c4\"\n}", + "results": [ + { + "status": "failed", + "code_desc": "", + "start_time": "2024-04-04T03:32:17Z" + } + ] + }, + { + "tags": { + "cweIds": [], + "cweNames": [], + "nist": [ + "SA-11", + "RA-5" + ], + "cci": [ + "CCI-003173", + "CCI-001643" + ], + "componentUuid": "2ab254c7-39a1-41d1-bea2-640994c7217b", + "componentName": "jetty-server", + "componentGroup": "org.eclipse.jetty", + "componentVersion": "9.4.18.v20190429", + "componentLatestVersion": "12.0.8", + "componentPurl": "pkg:maven/org.eclipse.jetty/jetty-server@9.4.18.v20190429?type=jar", + "componentCpe": "", + "componentProject": "5840398e-605b-4326-9184-74e0e7c2a081", + "vulnerabilityUuid": "9b3baefd-daa2-467d-b224-34b0f7789b94", + "vulnerabilitySource": "NVD", + "vulnerabilityVulnId": "CVE-2020-27218", + "vulnerabilityTitle": "", + "vulnerabilitySubtitle": "", + "vulnerabilityAliases": "[]", + "vulnerabilityCvssV2BaseScore": 5.8, + "vulnerabilityCvssV3BaseScore": 4.8, + "vulnerabilityOwaspLikelihoodScore": "", + "vulnerabilityOwaspTechnicalImpactScore": "", + "vulnerabilityOwaspBusinessImpactScore": "", + "vulnerabilitySeverityRank": 2, + "vulnerabilityEpssScore": 0.01203, + "vulnerabilityEpssPercentile": 0.84931, + "vulnerabilityCweId": "", + "vulnerabilityCweName": "", + 
"attributionAnalyzerIdentity": "OSSINDEX_ANALYZER", + "attributionAttributedOn": "2024-04-04 03:29:41.274", + "attributionAlternateIdentifier": "CVE-2020-27218", + "attributionReferenceUrl": "https://ossindex.sonatype.org/vulnerability/CVE-2020-27218?component-type=maven&component-name=org.eclipse.jetty%2Fjetty-server&utm_source=dependency-track&utm_medium=integration&utm_content=v4.10.1", + "analysisState": "", + "analysisIsSuppressed": "" + }, + "refs": [], + "source_location": {}, + "title": "pkg:maven/org.eclipse.jetty/jetty-server@9.4.18.v20190429?type=jar", + "id": "5840398e-605b-4326-9184-74e0e7c2a081:2ab254c7-39a1-41d1-bea2-640994c7217b:9b3baefd-daa2-467d-b224-34b0f7789b94", + "desc": "In Eclipse Jetty version 9.4.0.RC0 to 9.4.34.v20201102, 10.0.0.alpha0 to 10.0.0.beta2, and 11.0.0.alpha0 to 11.0.0.beta2, if GZIP request body inflation is enabled and requests from different clients are multiplexed onto a single connection, and if an attacker can send a request with a body that is received entirely but not consumed by the application, then a subsequent request on the same connection will see that body prepended to its body. The attacker will not see any data but may inject data into the body of the subsequent request.", + "descriptions": [ + { + "data": "In Eclipse Jetty version 9.4.0.RC0 to 9.4.34.v20201102, 10.0.0.alpha0 to 10.0.0.beta2, and 11.0.0.alpha0 to 11.0.0.beta2, if GZIP request body inflation is enabled and requests from different clients are multiplexed onto a single connection, and if an attacker can send a request with a body that is received entirely but not consumed by the application, then a subsequent request on the same connection will see that body prepended to its body. 
The attacker will not see any data but may inject data into the body of the subsequent request.", + "label": "check" + }, + { + "data": "", + "label": "fix" + } + ], + "impact": 0.5, + "code": "{\n \"component\": {\n \"latestVersion\": \"12.0.8\",\n \"name\": \"jetty-server\",\n \"project\": \"5840398e-605b-4326-9184-74e0e7c2a081\",\n \"purl\": \"pkg:maven/org.eclipse.jetty/jetty-server@9.4.18.v20190429?type=jar\",\n \"uuid\": \"2ab254c7-39a1-41d1-bea2-640994c7217b\",\n \"version\": \"9.4.18.v20190429\",\n \"group\": \"org.eclipse.jetty\"\n },\n \"attribution\": {\n \"alternateIdentifier\": \"CVE-2020-27218\",\n \"analyzerIdentity\": \"OSSINDEX_ANALYZER\",\n \"attributedOn\": \"2024-04-04 03:29:41.274\",\n \"referenceUrl\": \"https://ossindex.sonatype.org/vulnerability/CVE-2020-27218?component-type=maven&component-name=org.eclipse.jetty%2Fjetty-server&utm_source=dependency-track&utm_medium=integration&utm_content=v4.10.1\"\n },\n \"vulnerability\": {\n \"severity\": \"MEDIUM\",\n \"cvssV3BaseScore\": 4.8,\n \"severityRank\": 2,\n \"vulnId\": \"CVE-2020-27218\",\n \"aliases\": [],\n \"epssPercentile\": 0.84931,\n \"cvssV2BaseScore\": 5.8,\n \"description\": \"In Eclipse Jetty version 9.4.0.RC0 to 9.4.34.v20201102, 10.0.0.alpha0 to 10.0.0.beta2, and 11.0.0.alpha0 to 11.0.0.beta2, if GZIP request body inflation is enabled and requests from different clients are multiplexed onto a single connection, and if an attacker can send a request with a body that is received entirely but not consumed by the application, then a subsequent request on the same connection will see that body prepended to its body. 
The attacker will not see any data but may inject data into the body of the subsequent request.\",\n \"epssScore\": 0.01203,\n \"source\": \"NVD\",\n \"uuid\": \"9b3baefd-daa2-467d-b224-34b0f7789b94\"\n },\n \"analysis\": {\n \"isSuppressed\": false\n },\n \"matrix\": \"5840398e-605b-4326-9184-74e0e7c2a081:2ab254c7-39a1-41d1-bea2-640994c7217b:9b3baefd-daa2-467d-b224-34b0f7789b94\"\n}", + "results": [ + { + "status": "failed", + "code_desc": "", + "start_time": "2024-04-04T03:32:17Z" + } + ] + }, + { + "tags": { + "cweIds": [ + 613 + ], + "cweNames": [ + "Insufficient Session Expiration" + ], + "nist": [ + "AC-12" + ], + "cci": [ + "CCI-002361" + ], + "componentUuid": "2ab254c7-39a1-41d1-bea2-640994c7217b", + "componentName": "jetty-server", + "componentGroup": "org.eclipse.jetty", + "componentVersion": "9.4.18.v20190429", + "componentLatestVersion": "12.0.8", + "componentPurl": "pkg:maven/org.eclipse.jetty/jetty-server@9.4.18.v20190429?type=jar", + "componentCpe": "", + "componentProject": "5840398e-605b-4326-9184-74e0e7c2a081", + "vulnerabilityUuid": "66ac5ee3-83f8-43cd-87c5-199689e32ac0", + "vulnerabilitySource": "NVD", + "vulnerabilityVulnId": "CVE-2021-34428", + "vulnerabilityTitle": "", + "vulnerabilitySubtitle": "", + "vulnerabilityAliases": "[]", + "vulnerabilityCvssV2BaseScore": 3.6, + "vulnerabilityCvssV3BaseScore": 3.5, + "vulnerabilityOwaspLikelihoodScore": "", + "vulnerabilityOwaspTechnicalImpactScore": "", + "vulnerabilityOwaspBusinessImpactScore": "", + "vulnerabilitySeverityRank": 3, + "vulnerabilityEpssScore": 0.00152, + "vulnerabilityEpssPercentile": 0.50609, + "vulnerabilityCweId": 613, + "vulnerabilityCweName": "Insufficient Session Expiration", + "attributionAnalyzerIdentity": "OSSINDEX_ANALYZER", + "attributionAttributedOn": "2024-04-04 03:29:41.279", + "attributionAlternateIdentifier": "CVE-2021-34428", + "attributionReferenceUrl": 
"https://ossindex.sonatype.org/vulnerability/CVE-2021-34428?component-type=maven&component-name=org.eclipse.jetty%2Fjetty-server&utm_source=dependency-track&utm_medium=integration&utm_content=v4.10.1", + "analysisState": "", + "analysisIsSuppressed": "" + }, + "refs": [], + "source_location": {}, + "title": "pkg:maven/org.eclipse.jetty/jetty-server@9.4.18.v20190429?type=jar", + "id": "5840398e-605b-4326-9184-74e0e7c2a081:2ab254c7-39a1-41d1-bea2-640994c7217b:66ac5ee3-83f8-43cd-87c5-199689e32ac0", + "desc": "For Eclipse Jetty versions <= 9.4.40, <= 10.0.2, <= 11.0.2, if an exception is thrown from the SessionListener#sessionDestroyed() method, then the session ID is not invalidated in the session ID manager. On deployments with clustered sessions and multiple contexts this can result in a session not being invalidated. This can result in an application used on a shared computer being left logged in.", + "descriptions": [ + { + "data": "For Eclipse Jetty versions <= 9.4.40, <= 10.0.2, <= 11.0.2, if an exception is thrown from the SessionListener#sessionDestroyed() method, then the session ID is not invalidated in the session ID manager. On deployments with clustered sessions and multiple contexts this can result in a session not being invalidated. 
This can result in an application used on a shared computer being left logged in.", + "label": "check" + }, + { + "data": "", + "label": "fix" + } + ], + "impact": 0.3, + "code": "{\n \"component\": {\n \"latestVersion\": \"12.0.8\",\n \"name\": \"jetty-server\",\n \"project\": \"5840398e-605b-4326-9184-74e0e7c2a081\",\n \"purl\": \"pkg:maven/org.eclipse.jetty/jetty-server@9.4.18.v20190429?type=jar\",\n \"uuid\": \"2ab254c7-39a1-41d1-bea2-640994c7217b\",\n \"version\": \"9.4.18.v20190429\",\n \"group\": \"org.eclipse.jetty\"\n },\n \"attribution\": {\n \"alternateIdentifier\": \"CVE-2021-34428\",\n \"analyzerIdentity\": \"OSSINDEX_ANALYZER\",\n \"attributedOn\": \"2024-04-04 03:29:41.279\",\n \"referenceUrl\": \"https://ossindex.sonatype.org/vulnerability/CVE-2021-34428?component-type=maven&component-name=org.eclipse.jetty%2Fjetty-server&utm_source=dependency-track&utm_medium=integration&utm_content=v4.10.1\"\n },\n \"vulnerability\": {\n \"severity\": \"LOW\",\n \"cvssV3BaseScore\": 3.5,\n \"vulnId\": \"CVE-2021-34428\",\n \"aliases\": [],\n \"cweId\": 613,\n \"description\": \"For Eclipse Jetty versions <= 9.4.40, <= 10.0.2, <= 11.0.2, if an exception is thrown from the SessionListener#sessionDestroyed() method, then the session ID is not invalidated in the session ID manager. On deployments with clustered sessions and multiple contexts this can result in a session not being invalidated. 
This can result in an application used on a shared computer being left logged in.\",\n \"epssScore\": 0.00152,\n \"source\": \"NVD\",\n \"cwes\": [\n {\n \"cweId\": 613,\n \"name\": \"Insufficient Session Expiration\",\n \"id\": 0\n }\n ],\n \"uuid\": \"66ac5ee3-83f8-43cd-87c5-199689e32ac0\",\n \"severityRank\": 3,\n \"cweName\": \"Insufficient Session Expiration\",\n \"epssPercentile\": 0.50609,\n \"cvssV2BaseScore\": 3.6\n },\n \"analysis\": {\n \"isSuppressed\": false\n },\n \"matrix\": \"5840398e-605b-4326-9184-74e0e7c2a081:2ab254c7-39a1-41d1-bea2-640994c7217b:66ac5ee3-83f8-43cd-87c5-199689e32ac0\"\n}", + "results": [ + { + "status": "failed", + "code_desc": "", + "start_time": "2024-04-04T03:32:17Z" + } + ] + }, + { + "tags": { + "cweIds": [ + 20 + ], + "cweNames": [ + "Improper Input Validation" + ], + "nist": [ + "SI-10" + ], + "cci": [ + "CCI-001310" + ], + "componentUuid": "2ab254c7-39a1-41d1-bea2-640994c7217b", + "componentName": "jetty-server", + "componentGroup": "org.eclipse.jetty", + "componentVersion": "9.4.18.v20190429", + "componentLatestVersion": "12.0.8", + "componentPurl": "pkg:maven/org.eclipse.jetty/jetty-server@9.4.18.v20190429?type=jar", + "componentCpe": "", + "componentProject": "5840398e-605b-4326-9184-74e0e7c2a081", + "vulnerabilityUuid": "5bdf735d-591e-484e-8f54-dcd220512734", + "vulnerabilitySource": "NVD", + "vulnerabilityVulnId": "CVE-2022-2047", + "vulnerabilityTitle": "", + "vulnerabilitySubtitle": "", + "vulnerabilityAliases": "[]", + "vulnerabilityCvssV2BaseScore": 4, + "vulnerabilityCvssV3BaseScore": 2.7, + "vulnerabilityOwaspLikelihoodScore": "", + "vulnerabilityOwaspTechnicalImpactScore": "", + "vulnerabilityOwaspBusinessImpactScore": "", + "vulnerabilitySeverityRank": 3, + "vulnerabilityEpssScore": 0.00086, + "vulnerabilityEpssPercentile": 0.35247, + "vulnerabilityCweId": 20, + "vulnerabilityCweName": "Improper Input Validation", + "attributionAnalyzerIdentity": "OSSINDEX_ANALYZER", + "attributionAttributedOn": "2024-04-04 
03:29:41.284", + "attributionAlternateIdentifier": "CVE-2022-2047", + "attributionReferenceUrl": "https://ossindex.sonatype.org/vulnerability/CVE-2022-2047?component-type=maven&component-name=org.eclipse.jetty%2Fjetty-server&utm_source=dependency-track&utm_medium=integration&utm_content=v4.10.1", + "analysisState": "", + "analysisIsSuppressed": "" + }, + "refs": [], + "source_location": {}, + "title": "pkg:maven/org.eclipse.jetty/jetty-server@9.4.18.v20190429?type=jar", + "id": "5840398e-605b-4326-9184-74e0e7c2a081:2ab254c7-39a1-41d1-bea2-640994c7217b:5bdf735d-591e-484e-8f54-dcd220512734", + "desc": "In Eclipse Jetty versions 9.4.0 thru 9.4.46, and 10.0.0 thru 10.0.9, and 11.0.0 thru 11.0.9 versions, the parsing of the authority segment of an http scheme URI, the Jetty HttpURI class improperly detects an invalid input as a hostname. This can lead to failures in a Proxy scenario.", + "descriptions": [ + { + "data": "In Eclipse Jetty versions 9.4.0 thru 9.4.46, and 10.0.0 thru 10.0.9, and 11.0.0 thru 11.0.9 versions, the parsing of the authority segment of an http scheme URI, the Jetty HttpURI class improperly detects an invalid input as a hostname. 
This can lead to failures in a Proxy scenario.", + "label": "check" + }, + { + "data": "", + "label": "fix" + } + ], + "impact": 0.3, + "code": "{\n \"component\": {\n \"latestVersion\": \"12.0.8\",\n \"name\": \"jetty-server\",\n \"project\": \"5840398e-605b-4326-9184-74e0e7c2a081\",\n \"purl\": \"pkg:maven/org.eclipse.jetty/jetty-server@9.4.18.v20190429?type=jar\",\n \"uuid\": \"2ab254c7-39a1-41d1-bea2-640994c7217b\",\n \"version\": \"9.4.18.v20190429\",\n \"group\": \"org.eclipse.jetty\"\n },\n \"attribution\": {\n \"alternateIdentifier\": \"CVE-2022-2047\",\n \"analyzerIdentity\": \"OSSINDEX_ANALYZER\",\n \"attributedOn\": \"2024-04-04 03:29:41.284\",\n \"referenceUrl\": \"https://ossindex.sonatype.org/vulnerability/CVE-2022-2047?component-type=maven&component-name=org.eclipse.jetty%2Fjetty-server&utm_source=dependency-track&utm_medium=integration&utm_content=v4.10.1\"\n },\n \"vulnerability\": {\n \"severity\": \"LOW\",\n \"cvssV3BaseScore\": 2.7,\n \"vulnId\": \"CVE-2022-2047\",\n \"aliases\": [],\n \"cweId\": 20,\n \"description\": \"In Eclipse Jetty versions 9.4.0 thru 9.4.46, and 10.0.0 thru 10.0.9, and 11.0.0 thru 11.0.9 versions, the parsing of the authority segment of an http scheme URI, the Jetty HttpURI class improperly detects an invalid input as a hostname. 
This can lead to failures in a Proxy scenario.\",\n \"epssScore\": 0.00086,\n \"source\": \"NVD\",\n \"cwes\": [\n {\n \"cweId\": 20,\n \"name\": \"Improper Input Validation\",\n \"id\": 0\n }\n ],\n \"uuid\": \"5bdf735d-591e-484e-8f54-dcd220512734\",\n \"severityRank\": 3,\n \"cweName\": \"Improper Input Validation\",\n \"epssPercentile\": 0.35247,\n \"cvssV2BaseScore\": 4\n },\n \"analysis\": {\n \"isSuppressed\": false\n },\n \"matrix\": \"5840398e-605b-4326-9184-74e0e7c2a081:2ab254c7-39a1-41d1-bea2-640994c7217b:5bdf735d-591e-484e-8f54-dcd220512734\"\n}", + "results": [ + { + "status": "failed", + "code_desc": "", + "start_time": "2024-04-04T03:32:17Z" + } + ] + }, + { + "tags": { + "cweIds": [ + 400 + ], + "cweNames": [ + "Uncontrolled Resource Consumption" + ], + "nist": [ + "SI-10" + ], + "cci": [ + "CCI-001310" + ], + "componentUuid": "2ab254c7-39a1-41d1-bea2-640994c7217b", + "componentName": "jetty-server", + "componentGroup": "org.eclipse.jetty", + "componentVersion": "9.4.18.v20190429", + "componentLatestVersion": "12.0.8", + "componentPurl": "pkg:maven/org.eclipse.jetty/jetty-server@9.4.18.v20190429?type=jar", + "componentCpe": "", + "componentProject": "5840398e-605b-4326-9184-74e0e7c2a081", + "vulnerabilityUuid": "d794d36d-8d74-4e2c-b156-d8630443d3c4", + "vulnerabilitySource": "NVD", + "vulnerabilityVulnId": "CVE-2023-26048", + "vulnerabilityTitle": "", + "vulnerabilitySubtitle": "", + "vulnerabilityAliases": "[]", + "vulnerabilityCvssV2BaseScore": "", + "vulnerabilityCvssV3BaseScore": 5.3, + "vulnerabilityOwaspLikelihoodScore": "", + "vulnerabilityOwaspTechnicalImpactScore": "", + "vulnerabilityOwaspBusinessImpactScore": "", + "vulnerabilitySeverityRank": 2, + "vulnerabilityEpssScore": 0.00132, + "vulnerabilityEpssPercentile": 0.47579, + "vulnerabilityCweId": 400, + "vulnerabilityCweName": "Uncontrolled Resource Consumption", + "attributionAnalyzerIdentity": "OSSINDEX_ANALYZER", + "attributionAttributedOn": "2024-04-04 03:29:41.288", + 
"attributionAlternateIdentifier": "CVE-2023-26048", + "attributionReferenceUrl": "https://ossindex.sonatype.org/vulnerability/CVE-2023-26048?component-type=maven&component-name=org.eclipse.jetty%2Fjetty-server&utm_source=dependency-track&utm_medium=integration&utm_content=v4.10.1", + "analysisState": "", + "analysisIsSuppressed": "" + }, + "refs": [], + "source_location": {}, + "title": "pkg:maven/org.eclipse.jetty/jetty-server@9.4.18.v20190429?type=jar", + "id": "5840398e-605b-4326-9184-74e0e7c2a081:2ab254c7-39a1-41d1-bea2-640994c7217b:d794d36d-8d74-4e2c-b156-d8630443d3c4", + "desc": "Jetty is a java based web server and servlet engine. In affected versions servlets with multipart support (e.g. annotated with `@MultipartConfig`) that call `HttpServletRequest.getParameter()` or `HttpServletRequest.getParts()` may cause `OutOfMemoryError` when the client sends a multipart request with a part that has a name but no filename and very large content. This happens even with the default settings of `fileSizeThreshold=0` which should stream the whole part content to disk. An attacker client may send a large multipart request and cause the server to throw `OutOfMemoryError`. However, the server may be able to recover after the `OutOfMemoryError` and continue its service -- although it may take some time. This issue has been patched in versions 9.4.51, 10.0.14, and 11.0.14. Users are advised to upgrade. Users unable to upgrade may set the multipart parameter `maxRequestSize` which must be set to a non-negative value, so the whole multipart content is limited (although still read into memory).", + "descriptions": [ + { + "data": "Jetty is a java based web server and servlet engine. In affected versions servlets with multipart support (e.g. 
annotated with `@MultipartConfig`) that call `HttpServletRequest.getParameter()` or `HttpServletRequest.getParts()` may cause `OutOfMemoryError` when the client sends a multipart request with a part that has a name but no filename and very large content. This happens even with the default settings of `fileSizeThreshold=0` which should stream the whole part content to disk. An attacker client may send a large multipart request and cause the server to throw `OutOfMemoryError`. However, the server may be able to recover after the `OutOfMemoryError` and continue its service -- although it may take some time. This issue has been patched in versions 9.4.51, 10.0.14, and 11.0.14. Users are advised to upgrade. Users unable to upgrade may set the multipart parameter `maxRequestSize` which must be set to a non-negative value, so the whole multipart content is limited (although still read into memory).", + "label": "check" + }, + { + "data": "", + "label": "fix" + } + ], + "impact": 0.5, + "code": "{\n \"component\": {\n \"latestVersion\": \"12.0.8\",\n \"name\": \"jetty-server\",\n \"project\": \"5840398e-605b-4326-9184-74e0e7c2a081\",\n \"purl\": \"pkg:maven/org.eclipse.jetty/jetty-server@9.4.18.v20190429?type=jar\",\n \"uuid\": \"2ab254c7-39a1-41d1-bea2-640994c7217b\",\n \"version\": \"9.4.18.v20190429\",\n \"group\": \"org.eclipse.jetty\"\n },\n \"attribution\": {\n \"alternateIdentifier\": \"CVE-2023-26048\",\n \"analyzerIdentity\": \"OSSINDEX_ANALYZER\",\n \"attributedOn\": \"2024-04-04 03:29:41.288\",\n \"referenceUrl\": \"https://ossindex.sonatype.org/vulnerability/CVE-2023-26048?component-type=maven&component-name=org.eclipse.jetty%2Fjetty-server&utm_source=dependency-track&utm_medium=integration&utm_content=v4.10.1\"\n },\n \"vulnerability\": {\n \"severity\": \"MEDIUM\",\n \"cvssV3BaseScore\": 5.3,\n \"vulnId\": \"CVE-2023-26048\",\n \"aliases\": [],\n \"cweId\": 400,\n \"description\": \"Jetty is a java based web server and servlet engine. 
In affected versions servlets with multipart support (e.g. annotated with `@MultipartConfig`) that call `HttpServletRequest.getParameter()` or `HttpServletRequest.getParts()` may cause `OutOfMemoryError` when the client sends a multipart request with a part that has a name but no filename and very large content. This happens even with the default settings of `fileSizeThreshold=0` which should stream the whole part content to disk. An attacker client may send a large multipart request and cause the server to throw `OutOfMemoryError`. However, the server may be able to recover after the `OutOfMemoryError` and continue its service -- although it may take some time. This issue has been patched in versions 9.4.51, 10.0.14, and 11.0.14. Users are advised to upgrade. Users unable to upgrade may set the multipart parameter `maxRequestSize` which must be set to a non-negative value, so the whole multipart content is limited (although still read into memory).\",\n \"epssScore\": 0.00132,\n \"source\": \"NVD\",\n \"cwes\": [\n {\n \"cweId\": 400,\n \"name\": \"Uncontrolled Resource Consumption\",\n \"id\": 0\n }\n ],\n \"uuid\": \"d794d36d-8d74-4e2c-b156-d8630443d3c4\",\n \"severityRank\": 2,\n \"cweName\": \"Uncontrolled Resource Consumption\",\n \"epssPercentile\": 0.47579\n },\n \"analysis\": {\n \"isSuppressed\": false\n },\n \"matrix\": \"5840398e-605b-4326-9184-74e0e7c2a081:2ab254c7-39a1-41d1-bea2-640994c7217b:d794d36d-8d74-4e2c-b156-d8630443d3c4\"\n}", + "results": [ + { + "status": "failed", + "code_desc": "", + "start_time": "2024-04-04T03:32:17Z" + } + ] + }, + { + "tags": { + "cweIds": [ + 200 + ], + "cweNames": [ + "Exposure of Sensitive Information to an Unauthorized Actor" + ], + "nist": [ + "SC-8" + ], + "cci": [ + "CCI-002418" + ], + "componentUuid": "2ab254c7-39a1-41d1-bea2-640994c7217b", + "componentName": "jetty-server", + "componentGroup": "org.eclipse.jetty", + "componentVersion": "9.4.18.v20190429", + "componentLatestVersion": "12.0.8", + 
"componentPurl": "pkg:maven/org.eclipse.jetty/jetty-server@9.4.18.v20190429?type=jar", + "componentCpe": "", + "componentProject": "5840398e-605b-4326-9184-74e0e7c2a081", + "vulnerabilityUuid": "4df611c8-45b5-4aa2-b179-8fd291b16bae", + "vulnerabilitySource": "NVD", + "vulnerabilityVulnId": "CVE-2023-26049", + "vulnerabilityTitle": "", + "vulnerabilitySubtitle": "", + "vulnerabilityAliases": "[]", + "vulnerabilityCvssV2BaseScore": "", + "vulnerabilityCvssV3BaseScore": 5.3, + "vulnerabilityOwaspLikelihoodScore": "", + "vulnerabilityOwaspTechnicalImpactScore": "", + "vulnerabilityOwaspBusinessImpactScore": "", + "vulnerabilitySeverityRank": 2, + "vulnerabilityEpssScore": 0.00118, + "vulnerabilityEpssPercentile": 0.4502, + "vulnerabilityCweId": 200, + "vulnerabilityCweName": "Exposure of Sensitive Information to an Unauthorized Actor", + "attributionAnalyzerIdentity": "OSSINDEX_ANALYZER", + "attributionAttributedOn": "2024-04-04 03:29:41.291", + "attributionAlternateIdentifier": "CVE-2023-26049", + "attributionReferenceUrl": "https://ossindex.sonatype.org/vulnerability/CVE-2023-26049?component-type=maven&component-name=org.eclipse.jetty%2Fjetty-server&utm_source=dependency-track&utm_medium=integration&utm_content=v4.10.1", + "analysisState": "", + "analysisIsSuppressed": "" + }, + "refs": [], + "source_location": {}, + "title": "pkg:maven/org.eclipse.jetty/jetty-server@9.4.18.v20190429?type=jar", + "id": "5840398e-605b-4326-9184-74e0e7c2a081:2ab254c7-39a1-41d1-bea2-640994c7217b:4df611c8-45b5-4aa2-b179-8fd291b16bae", + "desc": "Jetty is a java based web server and servlet engine. Nonstandard cookie parsing in Jetty may allow an attacker to smuggle cookies within other cookies, or otherwise perform unintended behavior by tampering with the cookie parsing mechanism. If Jetty sees a cookie VALUE that starts with `\"` (double quote), it will continue to read the cookie string until it sees a closing quote -- even if a semicolon is encountered. 
So, a cookie header such as: `DISPLAY_LANGUAGE=\"b; JSESSIONID=1337; c=d\"` will be parsed as one cookie, with the name DISPLAY_LANGUAGE and a value of b; JSESSIONID=1337; c=d instead of 3 separate cookies. This has security implications because if, say, JSESSIONID is an HttpOnly cookie, and the DISPLAY_LANGUAGE cookie value is rendered on the page, an attacker can smuggle the JSESSIONID cookie into the DISPLAY_LANGUAGE cookie and thereby exfiltrate it. This is significant when an intermediary is enacting some policy based on cookies, so a smuggled cookie can bypass that policy yet still be seen by the Jetty server or its logging system. This issue has been addressed in versions 9.4.51, 10.0.14, 11.0.14, and 12.0.0.beta0 and users are advised to upgrade. There are no known workarounds for this issue.", + "descriptions": [ + { + "data": "Jetty is a java based web server and servlet engine. Nonstandard cookie parsing in Jetty may allow an attacker to smuggle cookies within other cookies, or otherwise perform unintended behavior by tampering with the cookie parsing mechanism. If Jetty sees a cookie VALUE that starts with `\"` (double quote), it will continue to read the cookie string until it sees a closing quote -- even if a semicolon is encountered. So, a cookie header such as: `DISPLAY_LANGUAGE=\"b; JSESSIONID=1337; c=d\"` will be parsed as one cookie, with the name DISPLAY_LANGUAGE and a value of b; JSESSIONID=1337; c=d instead of 3 separate cookies. This has security implications because if, say, JSESSIONID is an HttpOnly cookie, and the DISPLAY_LANGUAGE cookie value is rendered on the page, an attacker can smuggle the JSESSIONID cookie into the DISPLAY_LANGUAGE cookie and thereby exfiltrate it. This is significant when an intermediary is enacting some policy based on cookies, so a smuggled cookie can bypass that policy yet still be seen by the Jetty server or its logging system. 
This issue has been addressed in versions 9.4.51, 10.0.14, 11.0.14, and 12.0.0.beta0 and users are advised to upgrade. There are no known workarounds for this issue.", + "label": "check" + }, + { + "data": "", + "label": "fix" + } + ], + "impact": 0.5, + "code": "{\n \"component\": {\n \"latestVersion\": \"12.0.8\",\n \"name\": \"jetty-server\",\n \"project\": \"5840398e-605b-4326-9184-74e0e7c2a081\",\n \"purl\": \"pkg:maven/org.eclipse.jetty/jetty-server@9.4.18.v20190429?type=jar\",\n \"uuid\": \"2ab254c7-39a1-41d1-bea2-640994c7217b\",\n \"version\": \"9.4.18.v20190429\",\n \"group\": \"org.eclipse.jetty\"\n },\n \"attribution\": {\n \"alternateIdentifier\": \"CVE-2023-26049\",\n \"analyzerIdentity\": \"OSSINDEX_ANALYZER\",\n \"attributedOn\": \"2024-04-04 03:29:41.291\",\n \"referenceUrl\": \"https://ossindex.sonatype.org/vulnerability/CVE-2023-26049?component-type=maven&component-name=org.eclipse.jetty%2Fjetty-server&utm_source=dependency-track&utm_medium=integration&utm_content=v4.10.1\"\n },\n \"vulnerability\": {\n \"severity\": \"MEDIUM\",\n \"cvssV3BaseScore\": 5.3,\n \"vulnId\": \"CVE-2023-26049\",\n \"aliases\": [],\n \"cweId\": 200,\n \"description\": \"Jetty is a java based web server and servlet engine. Nonstandard cookie parsing in Jetty may allow an attacker to smuggle cookies within other cookies, or otherwise perform unintended behavior by tampering with the cookie parsing mechanism. If Jetty sees a cookie VALUE that starts with `\\\"` (double quote), it will continue to read the cookie string until it sees a closing quote -- even if a semicolon is encountered. So, a cookie header such as: `DISPLAY_LANGUAGE=\\\"b; JSESSIONID=1337; c=d\\\"` will be parsed as one cookie, with the name DISPLAY_LANGUAGE and a value of b; JSESSIONID=1337; c=d instead of 3 separate cookies. 
This has security implications because if, say, JSESSIONID is an HttpOnly cookie, and the DISPLAY_LANGUAGE cookie value is rendered on the page, an attacker can smuggle the JSESSIONID cookie into the DISPLAY_LANGUAGE cookie and thereby exfiltrate it. This is significant when an intermediary is enacting some policy based on cookies, so a smuggled cookie can bypass that policy yet still be seen by the Jetty server or its logging system. This issue has been addressed in versions 9.4.51, 10.0.14, 11.0.14, and 12.0.0.beta0 and users are advised to upgrade. There are no known workarounds for this issue.\",\n \"epssScore\": 0.00118,\n \"source\": \"NVD\",\n \"cwes\": [\n {\n \"cweId\": 200,\n \"name\": \"Exposure of Sensitive Information to an Unauthorized Actor\",\n \"id\": 0\n }\n ],\n \"uuid\": \"4df611c8-45b5-4aa2-b179-8fd291b16bae\",\n \"severityRank\": 2,\n \"cweName\": \"Exposure of Sensitive Information to an Unauthorized Actor\",\n \"epssPercentile\": 0.4502\n },\n \"analysis\": {\n \"isSuppressed\": false\n },\n \"matrix\": \"5840398e-605b-4326-9184-74e0e7c2a081:2ab254c7-39a1-41d1-bea2-640994c7217b:4df611c8-45b5-4aa2-b179-8fd291b16bae\"\n}", + "results": [ + { + "status": "failed", + "code_desc": "", + "start_time": "2024-04-04T03:32:17Z" + } + ] + }, + { + "tags": { + "cweIds": [ + 400 + ], + "cweNames": [ + "Uncontrolled Resource Consumption" + ], + "nist": [ + "SI-10" + ], + "cci": [ + "CCI-001310" + ], + "componentUuid": "872abe6b-dbf9-46c6-8d80-8039c06d9c02", + "componentName": "jetty-http", + "componentGroup": "org.eclipse.jetty", + "componentVersion": "9.4.18.v20190429", + "componentLatestVersion": "12.0.8", + "componentPurl": "pkg:maven/org.eclipse.jetty/jetty-http@9.4.18.v20190429?type=jar", + "componentCpe": "", + "componentProject": "5840398e-605b-4326-9184-74e0e7c2a081", + "vulnerabilityUuid": "8f6feed0-346d-4c8f-933e-2554bd10d540", + "vulnerabilitySource": "NVD", + "vulnerabilityVulnId": "CVE-2020-27223", + "vulnerabilityTitle": "", + 
"vulnerabilitySubtitle": "", + "vulnerabilityAliases": "[]", + "vulnerabilityCvssV2BaseScore": 4.3, + "vulnerabilityCvssV3BaseScore": 5.3, + "vulnerabilityOwaspLikelihoodScore": "", + "vulnerabilityOwaspTechnicalImpactScore": "", + "vulnerabilityOwaspBusinessImpactScore": "", + "vulnerabilitySeverityRank": 2, + "vulnerabilityEpssScore": 0.03039, + "vulnerabilityEpssPercentile": 0.90774, + "vulnerabilityCweId": 400, + "vulnerabilityCweName": "Uncontrolled Resource Consumption", + "attributionAnalyzerIdentity": "OSSINDEX_ANALYZER", + "attributionAttributedOn": "2024-04-04 03:29:41.299", + "attributionAlternateIdentifier": "CVE-2020-27223", + "attributionReferenceUrl": "https://ossindex.sonatype.org/vulnerability/CVE-2020-27223?component-type=maven&component-name=org.eclipse.jetty%2Fjetty-http&utm_source=dependency-track&utm_medium=integration&utm_content=v4.10.1", + "analysisState": "", + "analysisIsSuppressed": "" + }, + "refs": [], + "source_location": {}, + "title": "pkg:maven/org.eclipse.jetty/jetty-http@9.4.18.v20190429?type=jar", + "id": "5840398e-605b-4326-9184-74e0e7c2a081:872abe6b-dbf9-46c6-8d80-8039c06d9c02:8f6feed0-346d-4c8f-933e-2554bd10d540", + "desc": "In Eclipse Jetty 9.4.6.v20170531 to 9.4.36.v20210114 (inclusive), 10.0.0, and 11.0.0 when Jetty handles a request containing multiple Accept headers with a large number of “quality” (i.e. q) parameters, the server may enter a denial of service (DoS) state due to high CPU usage processing those quality values, resulting in minutes of CPU time exhausted processing those quality values.", + "descriptions": [ + { + "data": "In Eclipse Jetty 9.4.6.v20170531 to 9.4.36.v20210114 (inclusive), 10.0.0, and 11.0.0 when Jetty handles a request containing multiple Accept headers with a large number of “quality” (i.e. 
q) parameters, the server may enter a denial of service (DoS) state due to high CPU usage processing those quality values, resulting in minutes of CPU time exhausted processing those quality values.", + "label": "check" + }, + { + "data": "", + "label": "fix" + } + ], + "impact": 0.5, + "code": "{\n \"component\": {\n \"latestVersion\": \"12.0.8\",\n \"name\": \"jetty-http\",\n \"project\": \"5840398e-605b-4326-9184-74e0e7c2a081\",\n \"purl\": \"pkg:maven/org.eclipse.jetty/jetty-http@9.4.18.v20190429?type=jar\",\n \"uuid\": \"872abe6b-dbf9-46c6-8d80-8039c06d9c02\",\n \"version\": \"9.4.18.v20190429\",\n \"group\": \"org.eclipse.jetty\"\n },\n \"attribution\": {\n \"alternateIdentifier\": \"CVE-2020-27223\",\n \"analyzerIdentity\": \"OSSINDEX_ANALYZER\",\n \"attributedOn\": \"2024-04-04 03:29:41.299\",\n \"referenceUrl\": \"https://ossindex.sonatype.org/vulnerability/CVE-2020-27223?component-type=maven&component-name=org.eclipse.jetty%2Fjetty-http&utm_source=dependency-track&utm_medium=integration&utm_content=v4.10.1\"\n },\n \"vulnerability\": {\n \"severity\": \"MEDIUM\",\n \"cvssV3BaseScore\": 5.3,\n \"vulnId\": \"CVE-2020-27223\",\n \"aliases\": [],\n \"cweId\": 400,\n \"description\": \"In Eclipse Jetty 9.4.6.v20170531 to 9.4.36.v20210114 (inclusive), 10.0.0, and 11.0.0 when Jetty handles a request containing multiple Accept headers with a large number of “quality” (i.e. 
q) parameters, the server may enter a denial of service (DoS) state due to high CPU usage processing those quality values, resulting in minutes of CPU time exhausted processing those quality values.\",\n \"epssScore\": 0.03039,\n \"source\": \"NVD\",\n \"cwes\": [\n {\n \"cweId\": 400,\n \"name\": \"Uncontrolled Resource Consumption\",\n \"id\": 0\n }\n ],\n \"uuid\": \"8f6feed0-346d-4c8f-933e-2554bd10d540\",\n \"severityRank\": 2,\n \"cweName\": \"Uncontrolled Resource Consumption\",\n \"epssPercentile\": 0.90774,\n \"cvssV2BaseScore\": 4.3\n },\n \"analysis\": {\n \"isSuppressed\": false\n },\n \"matrix\": \"5840398e-605b-4326-9184-74e0e7c2a081:872abe6b-dbf9-46c6-8d80-8039c06d9c02:8f6feed0-346d-4c8f-933e-2554bd10d540\"\n}", + "results": [ + { + "status": "failed", + "code_desc": "", + "start_time": "2024-04-04T03:32:17Z" + } + ] + }, + { + "tags": { + "cweIds": [ + 20 + ], + "cweNames": [ + "Improper Input Validation" + ], + "nist": [ + "SI-10" + ], + "cci": [ + "CCI-001310" + ], + "componentUuid": "872abe6b-dbf9-46c6-8d80-8039c06d9c02", + "componentName": "jetty-http", + "componentGroup": "org.eclipse.jetty", + "componentVersion": "9.4.18.v20190429", + "componentLatestVersion": "12.0.8", + "componentPurl": "pkg:maven/org.eclipse.jetty/jetty-http@9.4.18.v20190429?type=jar", + "componentCpe": "", + "componentProject": "5840398e-605b-4326-9184-74e0e7c2a081", + "vulnerabilityUuid": "5bdf735d-591e-484e-8f54-dcd220512734", + "vulnerabilitySource": "NVD", + "vulnerabilityVulnId": "CVE-2022-2047", + "vulnerabilityTitle": "", + "vulnerabilitySubtitle": "", + "vulnerabilityAliases": "[]", + "vulnerabilityCvssV2BaseScore": 4, + "vulnerabilityCvssV3BaseScore": 2.7, + "vulnerabilityOwaspLikelihoodScore": "", + "vulnerabilityOwaspTechnicalImpactScore": "", + "vulnerabilityOwaspBusinessImpactScore": "", + "vulnerabilitySeverityRank": 3, + "vulnerabilityEpssScore": 0.00086, + "vulnerabilityEpssPercentile": 0.35247, + "vulnerabilityCweId": 20, + "vulnerabilityCweName": "Improper 
Input Validation", + "attributionAnalyzerIdentity": "OSSINDEX_ANALYZER", + "attributionAttributedOn": "2024-04-04 03:29:41.301", + "attributionAlternateIdentifier": "CVE-2022-2047", + "attributionReferenceUrl": "https://ossindex.sonatype.org/vulnerability/CVE-2022-2047?component-type=maven&component-name=org.eclipse.jetty%2Fjetty-http&utm_source=dependency-track&utm_medium=integration&utm_content=v4.10.1", + "analysisState": "", + "analysisIsSuppressed": "" + }, + "refs": [], + "source_location": {}, + "title": "pkg:maven/org.eclipse.jetty/jetty-http@9.4.18.v20190429?type=jar", + "id": "5840398e-605b-4326-9184-74e0e7c2a081:872abe6b-dbf9-46c6-8d80-8039c06d9c02:5bdf735d-591e-484e-8f54-dcd220512734", + "desc": "In Eclipse Jetty versions 9.4.0 thru 9.4.46, and 10.0.0 thru 10.0.9, and 11.0.0 thru 11.0.9 versions, the parsing of the authority segment of an http scheme URI, the Jetty HttpURI class improperly detects an invalid input as a hostname. This can lead to failures in a Proxy scenario.", + "descriptions": [ + { + "data": "In Eclipse Jetty versions 9.4.0 thru 9.4.46, and 10.0.0 thru 10.0.9, and 11.0.0 thru 11.0.9 versions, the parsing of the authority segment of an http scheme URI, the Jetty HttpURI class improperly detects an invalid input as a hostname. 
This can lead to failures in a Proxy scenario.", + "label": "check" + }, + { + "data": "", + "label": "fix" + } + ], + "impact": 0.3, + "code": "{\n \"component\": {\n \"latestVersion\": \"12.0.8\",\n \"name\": \"jetty-http\",\n \"project\": \"5840398e-605b-4326-9184-74e0e7c2a081\",\n \"purl\": \"pkg:maven/org.eclipse.jetty/jetty-http@9.4.18.v20190429?type=jar\",\n \"uuid\": \"872abe6b-dbf9-46c6-8d80-8039c06d9c02\",\n \"version\": \"9.4.18.v20190429\",\n \"group\": \"org.eclipse.jetty\"\n },\n \"attribution\": {\n \"alternateIdentifier\": \"CVE-2022-2047\",\n \"analyzerIdentity\": \"OSSINDEX_ANALYZER\",\n \"attributedOn\": \"2024-04-04 03:29:41.301\",\n \"referenceUrl\": \"https://ossindex.sonatype.org/vulnerability/CVE-2022-2047?component-type=maven&component-name=org.eclipse.jetty%2Fjetty-http&utm_source=dependency-track&utm_medium=integration&utm_content=v4.10.1\"\n },\n \"vulnerability\": {\n \"severity\": \"LOW\",\n \"cvssV3BaseScore\": 2.7,\n \"vulnId\": \"CVE-2022-2047\",\n \"aliases\": [],\n \"cweId\": 20,\n \"description\": \"In Eclipse Jetty versions 9.4.0 thru 9.4.46, and 10.0.0 thru 10.0.9, and 11.0.0 thru 11.0.9 versions, the parsing of the authority segment of an http scheme URI, the Jetty HttpURI class improperly detects an invalid input as a hostname. 
This can lead to failures in a Proxy scenario.\",\n \"epssScore\": 0.00086,\n \"source\": \"NVD\",\n \"cwes\": [\n {\n \"cweId\": 20,\n \"name\": \"Improper Input Validation\",\n \"id\": 0\n }\n ],\n \"uuid\": \"5bdf735d-591e-484e-8f54-dcd220512734\",\n \"severityRank\": 3,\n \"cweName\": \"Improper Input Validation\",\n \"epssPercentile\": 0.35247,\n \"cvssV2BaseScore\": 4\n },\n \"analysis\": {\n \"isSuppressed\": false\n },\n \"matrix\": \"5840398e-605b-4326-9184-74e0e7c2a081:872abe6b-dbf9-46c6-8d80-8039c06d9c02:5bdf735d-591e-484e-8f54-dcd220512734\"\n}", + "results": [ + { + "status": "failed", + "code_desc": "", + "start_time": "2024-04-04T03:32:17Z" + } + ] + }, + { + "tags": { + "cweIds": [ + 400 + ], + "cweNames": [ + "Uncontrolled Resource Consumption" + ], + "nist": [ + "SI-10" + ], + "cci": [ + "CCI-001310" + ], + "componentUuid": "872abe6b-dbf9-46c6-8d80-8039c06d9c02", + "componentName": "jetty-http", + "componentGroup": "org.eclipse.jetty", + "componentVersion": "9.4.18.v20190429", + "componentLatestVersion": "12.0.8", + "componentPurl": "pkg:maven/org.eclipse.jetty/jetty-http@9.4.18.v20190429?type=jar", + "componentCpe": "", + "componentProject": "5840398e-605b-4326-9184-74e0e7c2a081", + "vulnerabilityUuid": "d794d36d-8d74-4e2c-b156-d8630443d3c4", + "vulnerabilitySource": "NVD", + "vulnerabilityVulnId": "CVE-2023-26048", + "vulnerabilityTitle": "", + "vulnerabilitySubtitle": "", + "vulnerabilityAliases": "[]", + "vulnerabilityCvssV2BaseScore": "", + "vulnerabilityCvssV3BaseScore": 5.3, + "vulnerabilityOwaspLikelihoodScore": "", + "vulnerabilityOwaspTechnicalImpactScore": "", + "vulnerabilityOwaspBusinessImpactScore": "", + "vulnerabilitySeverityRank": 2, + "vulnerabilityEpssScore": 0.00132, + "vulnerabilityEpssPercentile": 0.47579, + "vulnerabilityCweId": 400, + "vulnerabilityCweName": "Uncontrolled Resource Consumption", + "attributionAnalyzerIdentity": "OSSINDEX_ANALYZER", + "attributionAttributedOn": "2024-04-04 03:29:41.304", + 
"attributionAlternateIdentifier": "CVE-2023-26048", + "attributionReferenceUrl": "https://ossindex.sonatype.org/vulnerability/CVE-2023-26048?component-type=maven&component-name=org.eclipse.jetty%2Fjetty-http&utm_source=dependency-track&utm_medium=integration&utm_content=v4.10.1", + "analysisState": "", + "analysisIsSuppressed": "" + }, + "refs": [], + "source_location": {}, + "title": "pkg:maven/org.eclipse.jetty/jetty-http@9.4.18.v20190429?type=jar", + "id": "5840398e-605b-4326-9184-74e0e7c2a081:872abe6b-dbf9-46c6-8d80-8039c06d9c02:d794d36d-8d74-4e2c-b156-d8630443d3c4", + "desc": "Jetty is a java based web server and servlet engine. In affected versions servlets with multipart support (e.g. annotated with `@MultipartConfig`) that call `HttpServletRequest.getParameter()` or `HttpServletRequest.getParts()` may cause `OutOfMemoryError` when the client sends a multipart request with a part that has a name but no filename and very large content. This happens even with the default settings of `fileSizeThreshold=0` which should stream the whole part content to disk. An attacker client may send a large multipart request and cause the server to throw `OutOfMemoryError`. However, the server may be able to recover after the `OutOfMemoryError` and continue its service -- although it may take some time. This issue has been patched in versions 9.4.51, 10.0.14, and 11.0.14. Users are advised to upgrade. Users unable to upgrade may set the multipart parameter `maxRequestSize` which must be set to a non-negative value, so the whole multipart content is limited (although still read into memory).", + "descriptions": [ + { + "data": "Jetty is a java based web server and servlet engine. In affected versions servlets with multipart support (e.g. 
annotated with `@MultipartConfig`) that call `HttpServletRequest.getParameter()` or `HttpServletRequest.getParts()` may cause `OutOfMemoryError` when the client sends a multipart request with a part that has a name but no filename and very large content. This happens even with the default settings of `fileSizeThreshold=0` which should stream the whole part content to disk. An attacker client may send a large multipart request and cause the server to throw `OutOfMemoryError`. However, the server may be able to recover after the `OutOfMemoryError` and continue its service -- although it may take some time. This issue has been patched in versions 9.4.51, 10.0.14, and 11.0.14. Users are advised to upgrade. Users unable to upgrade may set the multipart parameter `maxRequestSize` which must be set to a non-negative value, so the whole multipart content is limited (although still read into memory).", + "label": "check" + }, + { + "data": "", + "label": "fix" + } + ], + "impact": 0.5, + "code": "{\n \"component\": {\n \"latestVersion\": \"12.0.8\",\n \"name\": \"jetty-http\",\n \"project\": \"5840398e-605b-4326-9184-74e0e7c2a081\",\n \"purl\": \"pkg:maven/org.eclipse.jetty/jetty-http@9.4.18.v20190429?type=jar\",\n \"uuid\": \"872abe6b-dbf9-46c6-8d80-8039c06d9c02\",\n \"version\": \"9.4.18.v20190429\",\n \"group\": \"org.eclipse.jetty\"\n },\n \"attribution\": {\n \"alternateIdentifier\": \"CVE-2023-26048\",\n \"analyzerIdentity\": \"OSSINDEX_ANALYZER\",\n \"attributedOn\": \"2024-04-04 03:29:41.304\",\n \"referenceUrl\": \"https://ossindex.sonatype.org/vulnerability/CVE-2023-26048?component-type=maven&component-name=org.eclipse.jetty%2Fjetty-http&utm_source=dependency-track&utm_medium=integration&utm_content=v4.10.1\"\n },\n \"vulnerability\": {\n \"severity\": \"MEDIUM\",\n \"cvssV3BaseScore\": 5.3,\n \"vulnId\": \"CVE-2023-26048\",\n \"aliases\": [],\n \"cweId\": 400,\n \"description\": \"Jetty is a java based web server and servlet engine. 
In affected versions servlets with multipart support (e.g. annotated with `@MultipartConfig`) that call `HttpServletRequest.getParameter()` or `HttpServletRequest.getParts()` may cause `OutOfMemoryError` when the client sends a multipart request with a part that has a name but no filename and very large content. This happens even with the default settings of `fileSizeThreshold=0` which should stream the whole part content to disk. An attacker client may send a large multipart request and cause the server to throw `OutOfMemoryError`. However, the server may be able to recover after the `OutOfMemoryError` and continue its service -- although it may take some time. This issue has been patched in versions 9.4.51, 10.0.14, and 11.0.14. Users are advised to upgrade. Users unable to upgrade may set the multipart parameter `maxRequestSize` which must be set to a non-negative value, so the whole multipart content is limited (although still read into memory).\",\n \"epssScore\": 0.00132,\n \"source\": \"NVD\",\n \"cwes\": [\n {\n \"cweId\": 400,\n \"name\": \"Uncontrolled Resource Consumption\",\n \"id\": 0\n }\n ],\n \"uuid\": \"d794d36d-8d74-4e2c-b156-d8630443d3c4\",\n \"severityRank\": 2,\n \"cweName\": \"Uncontrolled Resource Consumption\",\n \"epssPercentile\": 0.47579\n },\n \"analysis\": {\n \"isSuppressed\": false\n },\n \"matrix\": \"5840398e-605b-4326-9184-74e0e7c2a081:872abe6b-dbf9-46c6-8d80-8039c06d9c02:d794d36d-8d74-4e2c-b156-d8630443d3c4\"\n}", + "results": [ + { + "status": "failed", + "code_desc": "", + "start_time": "2024-04-04T03:32:17Z" + } + ] + }, + { + "tags": { + "cweIds": [ + 130 + ], + "cweNames": [ + "Improper Handling of Length Parameter Inconsistency" + ], + "nist": [ + "SA-11", + "RA-5" + ], + "cci": [ + "CCI-003173", + "CCI-001643" + ], + "componentUuid": "872abe6b-dbf9-46c6-8d80-8039c06d9c02", + "componentName": "jetty-http", + "componentGroup": "org.eclipse.jetty", + "componentVersion": "9.4.18.v20190429", + "componentLatestVersion": "12.0.8", 
+ "componentPurl": "pkg:maven/org.eclipse.jetty/jetty-http@9.4.18.v20190429?type=jar", + "componentCpe": "", + "componentProject": "5840398e-605b-4326-9184-74e0e7c2a081", + "vulnerabilityUuid": "0850bfb8-26ab-4ae1-af47-83213b84f9b5", + "vulnerabilitySource": "NVD", + "vulnerabilityVulnId": "CVE-2023-40167", + "vulnerabilityTitle": "", + "vulnerabilitySubtitle": "", + "vulnerabilityAliases": "[]", + "vulnerabilityCvssV2BaseScore": "", + "vulnerabilityCvssV3BaseScore": 5.3, + "vulnerabilityOwaspLikelihoodScore": "", + "vulnerabilityOwaspTechnicalImpactScore": "", + "vulnerabilityOwaspBusinessImpactScore": "", + "vulnerabilitySeverityRank": 2, + "vulnerabilityEpssScore": 0.0006, + "vulnerabilityEpssPercentile": 0.24021, + "vulnerabilityCweId": 130, + "vulnerabilityCweName": "Improper Handling of Length Parameter Inconsistency", + "attributionAnalyzerIdentity": "OSSINDEX_ANALYZER", + "attributionAttributedOn": "2024-04-04 03:29:41.309", + "attributionAlternateIdentifier": "CVE-2023-40167", + "attributionReferenceUrl": "https://ossindex.sonatype.org/vulnerability/CVE-2023-40167?component-type=maven&component-name=org.eclipse.jetty%2Fjetty-http&utm_source=dependency-track&utm_medium=integration&utm_content=v4.10.1", + "analysisState": "", + "analysisIsSuppressed": "" + }, + "refs": [], + "source_location": {}, + "title": "pkg:maven/org.eclipse.jetty/jetty-http@9.4.18.v20190429?type=jar", + "id": "5840398e-605b-4326-9184-74e0e7c2a081:872abe6b-dbf9-46c6-8d80-8039c06d9c02:0850bfb8-26ab-4ae1-af47-83213b84f9b5", + "desc": "Jetty is a Java based web server and servlet engine. Prior to versions 9.4.52, 10.0.16, 11.0.16, and 12.0.1, Jetty accepts the `+` character proceeding the content-length value in a HTTP/1 header field. This is more permissive than allowed by the RFC and other servers routinely reject such requests with 400 responses. 
There is no known exploit scenario, but it is conceivable that request smuggling could result if jetty is used in combination with a server that does not close the connection after sending such a 400 response. Versions 9.4.52, 10.0.16, 11.0.16, and 12.0.1 contain a patch for this issue. There is no workaround as there is no known exploit scenario.", + "descriptions": [ + { + "data": "Jetty is a Java based web server and servlet engine. Prior to versions 9.4.52, 10.0.16, 11.0.16, and 12.0.1, Jetty accepts the `+` character proceeding the content-length value in a HTTP/1 header field. This is more permissive than allowed by the RFC and other servers routinely reject such requests with 400 responses. There is no known exploit scenario, but it is conceivable that request smuggling could result if jetty is used in combination with a server that does not close the connection after sending such a 400 response. Versions 9.4.52, 10.0.16, 11.0.16, and 12.0.1 contain a patch for this issue. There is no workaround as there is no known exploit scenario.", + "label": "check" + }, + { + "data": "", + "label": "fix" + } + ], + "impact": 0.5, + "code": "{\n \"component\": {\n \"latestVersion\": \"12.0.8\",\n \"name\": \"jetty-http\",\n \"project\": \"5840398e-605b-4326-9184-74e0e7c2a081\",\n \"purl\": \"pkg:maven/org.eclipse.jetty/jetty-http@9.4.18.v20190429?type=jar\",\n \"uuid\": \"872abe6b-dbf9-46c6-8d80-8039c06d9c02\",\n \"version\": \"9.4.18.v20190429\",\n \"group\": \"org.eclipse.jetty\"\n },\n \"attribution\": {\n \"alternateIdentifier\": \"CVE-2023-40167\",\n \"analyzerIdentity\": \"OSSINDEX_ANALYZER\",\n \"attributedOn\": \"2024-04-04 03:29:41.309\",\n \"referenceUrl\": \"https://ossindex.sonatype.org/vulnerability/CVE-2023-40167?component-type=maven&component-name=org.eclipse.jetty%2Fjetty-http&utm_source=dependency-track&utm_medium=integration&utm_content=v4.10.1\"\n },\n \"vulnerability\": {\n \"severity\": \"MEDIUM\",\n \"cvssV3BaseScore\": 5.3,\n \"vulnId\": 
\"CVE-2023-40167\",\n \"aliases\": [],\n \"cweId\": 130,\n \"description\": \"Jetty is a Java based web server and servlet engine. Prior to versions 9.4.52, 10.0.16, 11.0.16, and 12.0.1, Jetty accepts the `+` character proceeding the content-length value in a HTTP/1 header field. This is more permissive than allowed by the RFC and other servers routinely reject such requests with 400 responses. There is no known exploit scenario, but it is conceivable that request smuggling could result if jetty is used in combination with a server that does not close the connection after sending such a 400 response. Versions 9.4.52, 10.0.16, 11.0.16, and 12.0.1 contain a patch for this issue. There is no workaround as there is no known exploit scenario.\",\n \"epssScore\": 0.0006,\n \"source\": \"NVD\",\n \"cwes\": [\n {\n \"cweId\": 130,\n \"name\": \"Improper Handling of Length Parameter Inconsistency\",\n \"id\": 0\n }\n ],\n \"uuid\": \"0850bfb8-26ab-4ae1-af47-83213b84f9b5\",\n \"severityRank\": 2,\n \"cweName\": \"Improper Handling of Length Parameter Inconsistency\",\n \"epssPercentile\": 0.24021\n },\n \"analysis\": {\n \"isSuppressed\": false\n },\n \"matrix\": \"5840398e-605b-4326-9184-74e0e7c2a081:872abe6b-dbf9-46c6-8d80-8039c06d9c02:0850bfb8-26ab-4ae1-af47-83213b84f9b5\"\n}", + "results": [ + { + "status": "failed", + "code_desc": "", + "start_time": "2024-04-04T03:32:17Z" + } + ] + }, + { + "tags": { + "cweIds": [ + 755 + ], + "cweNames": [ + "Improper Handling of Exceptional Conditions" + ], + "nist": [ + "SA-11", + "RA-5" + ], + "cci": [ + "CCI-003173", + "CCI-001643" + ], + "componentUuid": "467cf79a-13c0-4eef-96b6-cc2d1315f973", + "componentName": "jetty-io", + "componentGroup": "org.eclipse.jetty", + "componentVersion": "9.4.18.v20190429", + "componentLatestVersion": "12.0.8", + "componentPurl": "pkg:maven/org.eclipse.jetty/jetty-io@9.4.18.v20190429?type=jar", + "componentCpe": "", + "componentProject": "5840398e-605b-4326-9184-74e0e7c2a081", + 
"vulnerabilityUuid": "66011bff-4a77-444c-b067-85644c5521cd", + "vulnerabilitySource": "NVD", + "vulnerabilityVulnId": "CVE-2021-28165", + "vulnerabilityTitle": "", + "vulnerabilitySubtitle": "", + "vulnerabilityAliases": "[]", + "vulnerabilityCvssV2BaseScore": 7.8, + "vulnerabilityCvssV3BaseScore": 7.5, + "vulnerabilityOwaspLikelihoodScore": "", + "vulnerabilityOwaspTechnicalImpactScore": "", + "vulnerabilityOwaspBusinessImpactScore": "", + "vulnerabilitySeverityRank": 1, + "vulnerabilityEpssScore": 0.80243, + "vulnerabilityEpssPercentile": 0.98235, + "vulnerabilityCweId": 755, + "vulnerabilityCweName": "Improper Handling of Exceptional Conditions", + "attributionAnalyzerIdentity": "OSSINDEX_ANALYZER", + "attributionAttributedOn": "2024-04-04 03:29:41.316", + "attributionAlternateIdentifier": "CVE-2021-28165", + "attributionReferenceUrl": "https://ossindex.sonatype.org/vulnerability/CVE-2021-28165?component-type=maven&component-name=org.eclipse.jetty%2Fjetty-io&utm_source=dependency-track&utm_medium=integration&utm_content=v4.10.1", + "analysisState": "", + "analysisIsSuppressed": "" + }, + "refs": [], + "source_location": {}, + "title": "pkg:maven/org.eclipse.jetty/jetty-io@9.4.18.v20190429?type=jar", + "id": "5840398e-605b-4326-9184-74e0e7c2a081:467cf79a-13c0-4eef-96b6-cc2d1315f973:66011bff-4a77-444c-b067-85644c5521cd", + "desc": "In Eclipse Jetty 7.2.2 to 9.4.38, 10.0.0.alpha0 to 10.0.1, and 11.0.0.alpha0 to 11.0.1, CPU usage can reach 100% upon receiving a large invalid TLS frame.", + "descriptions": [ + { + "data": "In Eclipse Jetty 7.2.2 to 9.4.38, 10.0.0.alpha0 to 10.0.1, and 11.0.0.alpha0 to 11.0.1, CPU usage can reach 100% upon receiving a large invalid TLS frame.", + "label": "check" + }, + { + "data": "", + "label": "fix" + } + ], + "impact": 0.7, + "code": "{\n \"component\": {\n \"latestVersion\": \"12.0.8\",\n \"name\": \"jetty-io\",\n \"project\": \"5840398e-605b-4326-9184-74e0e7c2a081\",\n \"purl\": 
\"pkg:maven/org.eclipse.jetty/jetty-io@9.4.18.v20190429?type=jar\",\n \"uuid\": \"467cf79a-13c0-4eef-96b6-cc2d1315f973\",\n \"version\": \"9.4.18.v20190429\",\n \"group\": \"org.eclipse.jetty\"\n },\n \"attribution\": {\n \"alternateIdentifier\": \"CVE-2021-28165\",\n \"analyzerIdentity\": \"OSSINDEX_ANALYZER\",\n \"attributedOn\": \"2024-04-04 03:29:41.316\",\n \"referenceUrl\": \"https://ossindex.sonatype.org/vulnerability/CVE-2021-28165?component-type=maven&component-name=org.eclipse.jetty%2Fjetty-io&utm_source=dependency-track&utm_medium=integration&utm_content=v4.10.1\"\n },\n \"vulnerability\": {\n \"severity\": \"HIGH\",\n \"cvssV3BaseScore\": 7.5,\n \"vulnId\": \"CVE-2021-28165\",\n \"aliases\": [],\n \"cweId\": 755,\n \"description\": \"In Eclipse Jetty 7.2.2 to 9.4.38, 10.0.0.alpha0 to 10.0.1, and 11.0.0.alpha0 to 11.0.1, CPU usage can reach 100% upon receiving a large invalid TLS frame.\",\n \"epssScore\": 0.80243,\n \"source\": \"NVD\",\n \"cwes\": [\n {\n \"cweId\": 755,\n \"name\": \"Improper Handling of Exceptional Conditions\",\n \"id\": 0\n }\n ],\n \"uuid\": \"66011bff-4a77-444c-b067-85644c5521cd\",\n \"severityRank\": 1,\n \"cweName\": \"Improper Handling of Exceptional Conditions\",\n \"epssPercentile\": 0.98235,\n \"cvssV2BaseScore\": 7.8\n },\n \"analysis\": {\n \"isSuppressed\": false\n },\n \"matrix\": \"5840398e-605b-4326-9184-74e0e7c2a081:467cf79a-13c0-4eef-96b6-cc2d1315f973:66011bff-4a77-444c-b067-85644c5521cd\"\n}", + "results": [ + { + "status": "failed", + "code_desc": "", + "start_time": "2024-04-04T03:32:17Z" + } + ] + }, + { + "tags": { + "cweIds": [ + 668 + ], + "cweNames": [ + "Exposure of Resource to Wrong Sphere" + ], + "nist": [ + "SA-11", + "RA-5" + ], + "cci": [ + "CCI-003173", + "CCI-001643" + ], + "componentUuid": "bcc2a6bb-200d-486e-811f-4d966896fb3a", + "componentName": "jersey-common", + "componentGroup": "org.glassfish.jersey.core", + "componentVersion": "2.25.1", + "componentLatestVersion": "4.0.0-M1", + 
"componentPurl": "pkg:maven/org.glassfish.jersey.core/jersey-common@2.25.1?type=jar", + "componentCpe": "", + "componentProject": "5840398e-605b-4326-9184-74e0e7c2a081", + "vulnerabilityUuid": "828a8a71-23a5-430f-86ae-1fc62a565334", + "vulnerabilitySource": "NVD", + "vulnerabilityVulnId": "CVE-2021-28168", + "vulnerabilityTitle": "", + "vulnerabilitySubtitle": "", + "vulnerabilityAliases": "[]", + "vulnerabilityCvssV2BaseScore": 2.1, + "vulnerabilityCvssV3BaseScore": 5.5, + "vulnerabilityOwaspLikelihoodScore": "", + "vulnerabilityOwaspTechnicalImpactScore": "", + "vulnerabilityOwaspBusinessImpactScore": "", + "vulnerabilitySeverityRank": 2, + "vulnerabilityEpssScore": 0.00044, + "vulnerabilityEpssPercentile": 0.08732, + "vulnerabilityCweId": 668, + "vulnerabilityCweName": "Exposure of Resource to Wrong Sphere", + "attributionAnalyzerIdentity": "OSSINDEX_ANALYZER", + "attributionAttributedOn": "2024-04-04 03:29:41.326", + "attributionAlternateIdentifier": "CVE-2021-28168", + "attributionReferenceUrl": "https://ossindex.sonatype.org/vulnerability/CVE-2021-28168?component-type=maven&component-name=org.glassfish.jersey.core%2Fjersey-common&utm_source=dependency-track&utm_medium=integration&utm_content=v4.10.1", + "analysisState": "", + "analysisIsSuppressed": "" + }, + "refs": [], + "source_location": {}, + "title": "pkg:maven/org.glassfish.jersey.core/jersey-common@2.25.1?type=jar", + "id": "5840398e-605b-4326-9184-74e0e7c2a081:bcc2a6bb-200d-486e-811f-4d966896fb3a:828a8a71-23a5-430f-86ae-1fc62a565334", + "desc": "Eclipse Jersey 2.28 to 2.33 and Eclipse Jersey 3.0.0 to 3.0.1 contains a local information disclosure vulnerability. This is due to the use of the File.createTempFile which creates a file inside of the system temporary directory with the permissions: -rw-r--r--. Thus the contents of this file are viewable by all other users locally on the system. 
As such, if the contents written is security sensitive, it can be disclosed to other local users.", + "descriptions": [ + { + "data": "Eclipse Jersey 2.28 to 2.33 and Eclipse Jersey 3.0.0 to 3.0.1 contains a local information disclosure vulnerability. This is due to the use of the File.createTempFile which creates a file inside of the system temporary directory with the permissions: -rw-r--r--. Thus the contents of this file are viewable by all other users locally on the system. As such, if the contents written is security sensitive, it can be disclosed to other local users.", + "label": "check" + }, + { + "data": "", + "label": "fix" + } + ], + "impact": 0.5, + "code": "{\n \"component\": {\n \"latestVersion\": \"4.0.0-M1\",\n \"name\": \"jersey-common\",\n \"project\": \"5840398e-605b-4326-9184-74e0e7c2a081\",\n \"purl\": \"pkg:maven/org.glassfish.jersey.core/jersey-common@2.25.1?type=jar\",\n \"uuid\": \"bcc2a6bb-200d-486e-811f-4d966896fb3a\",\n \"version\": \"2.25.1\",\n \"group\": \"org.glassfish.jersey.core\"\n },\n \"attribution\": {\n \"alternateIdentifier\": \"CVE-2021-28168\",\n \"analyzerIdentity\": \"OSSINDEX_ANALYZER\",\n \"attributedOn\": \"2024-04-04 03:29:41.326\",\n \"referenceUrl\": \"https://ossindex.sonatype.org/vulnerability/CVE-2021-28168?component-type=maven&component-name=org.glassfish.jersey.core%2Fjersey-common&utm_source=dependency-track&utm_medium=integration&utm_content=v4.10.1\"\n },\n \"vulnerability\": {\n \"severity\": \"MEDIUM\",\n \"cvssV3BaseScore\": 5.5,\n \"vulnId\": \"CVE-2021-28168\",\n \"aliases\": [],\n \"cweId\": 668,\n \"description\": \"Eclipse Jersey 2.28 to 2.33 and Eclipse Jersey 3.0.0 to 3.0.1 contains a local information disclosure vulnerability. This is due to the use of the File.createTempFile which creates a file inside of the system temporary directory with the permissions: -rw-r--r--. Thus the contents of this file are viewable by all other users locally on the system. 
As such, if the contents written is security sensitive, it can be disclosed to other local users.\",\n \"epssScore\": 0.00044,\n \"source\": \"NVD\",\n \"cwes\": [\n {\n \"cweId\": 668,\n \"name\": \"Exposure of Resource to Wrong Sphere\",\n \"id\": 0\n }\n ],\n \"uuid\": \"828a8a71-23a5-430f-86ae-1fc62a565334\",\n \"severityRank\": 2,\n \"cweName\": \"Exposure of Resource to Wrong Sphere\",\n \"epssPercentile\": 0.08732,\n \"cvssV2BaseScore\": 2.1\n },\n \"analysis\": {\n \"isSuppressed\": false\n },\n \"matrix\": \"5840398e-605b-4326-9184-74e0e7c2a081:bcc2a6bb-200d-486e-811f-4d966896fb3a:828a8a71-23a5-430f-86ae-1fc62a565334\"\n}", + "results": [ + { + "status": "failed", + "code_desc": "", + "start_time": "2024-04-04T03:32:17Z" + } + ] + }, + { + "tags": { + "cweIds": [], + "cweNames": [], + "nist": [ + "SA-11", + "RA-5" + ], + "cci": [ + "CCI-003173", + "CCI-001643" + ], + "componentUuid": "cd24dc97-3584-4218-a2e2-dc1628f18085", + "componentName": "jetty-webapp", + "componentGroup": "org.eclipse.jetty", + "componentVersion": "9.4.18.v20190429", + "componentLatestVersion": "11.0.20", + "componentPurl": "pkg:maven/org.eclipse.jetty/jetty-webapp@9.4.18.v20190429?type=jar", + "componentCpe": "", + "componentProject": "5840398e-605b-4326-9184-74e0e7c2a081", + "vulnerabilityUuid": "963e49c3-78b1-4408-8462-df747f11cafd", + "vulnerabilitySource": "NVD", + "vulnerabilityVulnId": "CVE-2020-27216", + "vulnerabilityTitle": "", + "vulnerabilitySubtitle": "", + "vulnerabilityAliases": "[]", + "vulnerabilityCvssV2BaseScore": 4.4, + "vulnerabilityCvssV3BaseScore": 7, + "vulnerabilityOwaspLikelihoodScore": "", + "vulnerabilityOwaspTechnicalImpactScore": "", + "vulnerabilityOwaspBusinessImpactScore": "", + "vulnerabilitySeverityRank": 1, + "vulnerabilityEpssScore": 0.00072, + "vulnerabilityEpssPercentile": 0.29414, + "vulnerabilityCweId": "", + "vulnerabilityCweName": "", + "attributionAnalyzerIdentity": "OSSINDEX_ANALYZER", + "attributionAttributedOn": "2024-04-04 03:29:41.364", 
+ "attributionAlternateIdentifier": "CVE-2020-27216", + "attributionReferenceUrl": "https://ossindex.sonatype.org/vulnerability/CVE-2020-27216?component-type=maven&component-name=org.eclipse.jetty%2Fjetty-webapp&utm_source=dependency-track&utm_medium=integration&utm_content=v4.10.1", + "analysisState": "", + "analysisIsSuppressed": "" + }, + "refs": [], + "source_location": {}, + "title": "pkg:maven/org.eclipse.jetty/jetty-webapp@9.4.18.v20190429?type=jar", + "id": "5840398e-605b-4326-9184-74e0e7c2a081:cd24dc97-3584-4218-a2e2-dc1628f18085:963e49c3-78b1-4408-8462-df747f11cafd", + "desc": "In Eclipse Jetty versions 1.0 thru 9.4.32.v20200930, 10.0.0.alpha1 thru 10.0.0.beta2, and 11.0.0.alpha1 thru 11.0.0.beta2O, on Unix like systems, the system's temporary directory is shared between all users on that system. A collocated user can observe the process of creating a temporary sub directory in the shared temporary directory and race to complete the creation of the temporary subdirectory. If the attacker wins the race then they will have read and write permission to the subdirectory used to unpack web applications, including their WEB-INF/lib jar files and JSP files. If any code is ever executed out of this temporary directory, this can lead to a local privilege escalation vulnerability.", + "descriptions": [ + { + "data": "In Eclipse Jetty versions 1.0 thru 9.4.32.v20200930, 10.0.0.alpha1 thru 10.0.0.beta2, and 11.0.0.alpha1 thru 11.0.0.beta2O, on Unix like systems, the system's temporary directory is shared between all users on that system. A collocated user can observe the process of creating a temporary sub directory in the shared temporary directory and race to complete the creation of the temporary subdirectory. If the attacker wins the race then they will have read and write permission to the subdirectory used to unpack web applications, including their WEB-INF/lib jar files and JSP files. 
If any code is ever executed out of this temporary directory, this can lead to a local privilege escalation vulnerability.", + "label": "check" + }, + { + "data": "", + "label": "fix" + } + ], + "impact": 0.7, + "code": "{\n \"component\": {\n \"latestVersion\": \"11.0.20\",\n \"name\": \"jetty-webapp\",\n \"project\": \"5840398e-605b-4326-9184-74e0e7c2a081\",\n \"purl\": \"pkg:maven/org.eclipse.jetty/jetty-webapp@9.4.18.v20190429?type=jar\",\n \"uuid\": \"cd24dc97-3584-4218-a2e2-dc1628f18085\",\n \"version\": \"9.4.18.v20190429\",\n \"group\": \"org.eclipse.jetty\"\n },\n \"attribution\": {\n \"alternateIdentifier\": \"CVE-2020-27216\",\n \"analyzerIdentity\": \"OSSINDEX_ANALYZER\",\n \"attributedOn\": \"2024-04-04 03:29:41.364\",\n \"referenceUrl\": \"https://ossindex.sonatype.org/vulnerability/CVE-2020-27216?component-type=maven&component-name=org.eclipse.jetty%2Fjetty-webapp&utm_source=dependency-track&utm_medium=integration&utm_content=v4.10.1\"\n },\n \"vulnerability\": {\n \"severity\": \"HIGH\",\n \"cvssV3BaseScore\": 7,\n \"severityRank\": 1,\n \"vulnId\": \"CVE-2020-27216\",\n \"aliases\": [],\n \"epssPercentile\": 0.29414,\n \"cvssV2BaseScore\": 4.4,\n \"description\": \"In Eclipse Jetty versions 1.0 thru 9.4.32.v20200930, 10.0.0.alpha1 thru 10.0.0.beta2, and 11.0.0.alpha1 thru 11.0.0.beta2O, on Unix like systems, the system's temporary directory is shared between all users on that system. A collocated user can observe the process of creating a temporary sub directory in the shared temporary directory and race to complete the creation of the temporary subdirectory. If the attacker wins the race then they will have read and write permission to the subdirectory used to unpack web applications, including their WEB-INF/lib jar files and JSP files. 
If any code is ever executed out of this temporary directory, this can lead to a local privilege escalation vulnerability.\",\n \"epssScore\": 0.00072,\n \"source\": \"NVD\",\n \"uuid\": \"963e49c3-78b1-4408-8462-df747f11cafd\"\n },\n \"analysis\": {\n \"isSuppressed\": false\n },\n \"matrix\": \"5840398e-605b-4326-9184-74e0e7c2a081:cd24dc97-3584-4218-a2e2-dc1628f18085:963e49c3-78b1-4408-8462-df747f11cafd\"\n}", + "results": [ + { + "status": "failed", + "code_desc": "", + "start_time": "2024-04-04T03:32:17Z" + } + ] + }, + { + "tags": { + "cweIds": [], + "cweNames": [], + "nist": [ + "SA-11", + "RA-5" + ], + "cci": [ + "CCI-003173", + "CCI-001643" + ], + "componentUuid": "d4ca5a6f-3a55-4f8d-8cdc-10c3b8f39fcd", + "componentName": "jetty-servlets", + "componentGroup": "org.eclipse.jetty", + "componentVersion": "9.4.18.v20190429", + "componentLatestVersion": "11.0.20", + "componentPurl": "pkg:maven/org.eclipse.jetty/jetty-servlets@9.4.18.v20190429?type=jar", + "componentCpe": "", + "componentProject": "5840398e-605b-4326-9184-74e0e7c2a081", + "vulnerabilityUuid": "ce3867a6-ce8b-4da6-bec1-c1257a0115c4", + "vulnerabilitySource": "NVD", + "vulnerabilityVulnId": "CVE-2021-28169", + "vulnerabilityTitle": "", + "vulnerabilitySubtitle": "", + "vulnerabilityAliases": "[]", + "vulnerabilityCvssV2BaseScore": 5, + "vulnerabilityCvssV3BaseScore": 5.3, + "vulnerabilityOwaspLikelihoodScore": "", + "vulnerabilityOwaspTechnicalImpactScore": "", + "vulnerabilityOwaspBusinessImpactScore": "", + "vulnerabilitySeverityRank": 2, + "vulnerabilityEpssScore": 0.00436, + "vulnerabilityEpssPercentile": 0.74245, + "vulnerabilityCweId": "", + "vulnerabilityCweName": "", + "attributionAnalyzerIdentity": "OSSINDEX_ANALYZER", + "attributionAttributedOn": "2024-04-04 03:29:41.376", + "attributionAlternateIdentifier": "CVE-2021-28169", + "attributionReferenceUrl": 
"https://ossindex.sonatype.org/vulnerability/CVE-2021-28169?component-type=maven&component-name=org.eclipse.jetty%2Fjetty-servlets&utm_source=dependency-track&utm_medium=integration&utm_content=v4.10.1", + "analysisState": "", + "analysisIsSuppressed": "" + }, + "refs": [], + "source_location": {}, + "title": "pkg:maven/org.eclipse.jetty/jetty-servlets@9.4.18.v20190429?type=jar", + "id": "5840398e-605b-4326-9184-74e0e7c2a081:d4ca5a6f-3a55-4f8d-8cdc-10c3b8f39fcd:ce3867a6-ce8b-4da6-bec1-c1257a0115c4", + "desc": "For Eclipse Jetty versions <= 9.4.40, <= 10.0.2, <= 11.0.2, it is possible for requests to the ConcatServlet with a doubly encoded path to access protected resources within the WEB-INF directory. For example a request to `/concat?/%2557EB-INF/web.xml` can retrieve the web.xml file. This can reveal sensitive information regarding the implementation of a web application.", + "descriptions": [ + { + "data": "For Eclipse Jetty versions <= 9.4.40, <= 10.0.2, <= 11.0.2, it is possible for requests to the ConcatServlet with a doubly encoded path to access protected resources within the WEB-INF directory. For example a request to `/concat?/%2557EB-INF/web.xml` can retrieve the web.xml file. 
This can reveal sensitive information regarding the implementation of a web application.", + "label": "check" + }, + { + "data": "", + "label": "fix" + } + ], + "impact": 0.5, + "code": "{\n \"component\": {\n \"latestVersion\": \"11.0.20\",\n \"name\": \"jetty-servlets\",\n \"project\": \"5840398e-605b-4326-9184-74e0e7c2a081\",\n \"purl\": \"pkg:maven/org.eclipse.jetty/jetty-servlets@9.4.18.v20190429?type=jar\",\n \"uuid\": \"d4ca5a6f-3a55-4f8d-8cdc-10c3b8f39fcd\",\n \"version\": \"9.4.18.v20190429\",\n \"group\": \"org.eclipse.jetty\"\n },\n \"attribution\": {\n \"alternateIdentifier\": \"CVE-2021-28169\",\n \"analyzerIdentity\": \"OSSINDEX_ANALYZER\",\n \"attributedOn\": \"2024-04-04 03:29:41.376\",\n \"referenceUrl\": \"https://ossindex.sonatype.org/vulnerability/CVE-2021-28169?component-type=maven&component-name=org.eclipse.jetty%2Fjetty-servlets&utm_source=dependency-track&utm_medium=integration&utm_content=v4.10.1\"\n },\n \"vulnerability\": {\n \"severity\": \"MEDIUM\",\n \"cvssV3BaseScore\": 5.3,\n \"severityRank\": 2,\n \"vulnId\": \"CVE-2021-28169\",\n \"aliases\": [],\n \"epssPercentile\": 0.74245,\n \"cvssV2BaseScore\": 5,\n \"description\": \"For Eclipse Jetty versions <= 9.4.40, <= 10.0.2, <= 11.0.2, it is possible for requests to the ConcatServlet with a doubly encoded path to access protected resources within the WEB-INF directory. For example a request to `/concat?/%2557EB-INF/web.xml` can retrieve the web.xml file. 
This can reveal sensitive information regarding the implementation of a web application.\",\n \"epssScore\": 0.00436,\n \"source\": \"NVD\",\n \"uuid\": \"ce3867a6-ce8b-4da6-bec1-c1257a0115c4\"\n },\n \"analysis\": {\n \"isSuppressed\": false\n },\n \"matrix\": \"5840398e-605b-4326-9184-74e0e7c2a081:d4ca5a6f-3a55-4f8d-8cdc-10c3b8f39fcd:ce3867a6-ce8b-4da6-bec1-c1257a0115c4\"\n}", + "results": [ + { + "status": "failed", + "code_desc": "", + "start_time": "2024-04-04T03:32:17Z" + } + ] + }, + { + "tags": { + "cweIds": [ + 149 + ], + "cweNames": [ + "Improper Neutralization of Quoting Syntax" + ], + "nist": [ + "SA-11", + "RA-5" + ], + "cci": [ + "CCI-003173", + "CCI-001643" + ], + "componentUuid": "d4ca5a6f-3a55-4f8d-8cdc-10c3b8f39fcd", + "componentName": "jetty-servlets", + "componentGroup": "org.eclipse.jetty", + "componentVersion": "9.4.18.v20190429", + "componentLatestVersion": "11.0.20", + "componentPurl": "pkg:maven/org.eclipse.jetty/jetty-servlets@9.4.18.v20190429?type=jar", + "componentCpe": "", + "componentProject": "5840398e-605b-4326-9184-74e0e7c2a081", + "vulnerabilityUuid": "bed6cd7d-6f4e-4957-9703-5ccaa04997a8", + "vulnerabilitySource": "NVD", + "vulnerabilityVulnId": "CVE-2023-36479", + "vulnerabilityTitle": "", + "vulnerabilitySubtitle": "", + "vulnerabilityAliases": "[]", + "vulnerabilityCvssV2BaseScore": "", + "vulnerabilityCvssV3BaseScore": 4.3, + "vulnerabilityOwaspLikelihoodScore": "", + "vulnerabilityOwaspTechnicalImpactScore": "", + "vulnerabilityOwaspBusinessImpactScore": "", + "vulnerabilitySeverityRank": 2, + "vulnerabilityEpssScore": 0.00055, + "vulnerabilityEpssPercentile": 0.21067, + "vulnerabilityCweId": 149, + "vulnerabilityCweName": "Improper Neutralization of Quoting Syntax", + "attributionAnalyzerIdentity": "OSSINDEX_ANALYZER", + "attributionAttributedOn": "2024-04-04 03:29:41.382", + "attributionAlternateIdentifier": "CVE-2023-36479", + "attributionReferenceUrl": 
"https://ossindex.sonatype.org/vulnerability/CVE-2023-36479?component-type=maven&component-name=org.eclipse.jetty%2Fjetty-servlets&utm_source=dependency-track&utm_medium=integration&utm_content=v4.10.1", + "analysisState": "", + "analysisIsSuppressed": "" + }, + "refs": [], + "source_location": {}, + "title": "pkg:maven/org.eclipse.jetty/jetty-servlets@9.4.18.v20190429?type=jar", + "id": "5840398e-605b-4326-9184-74e0e7c2a081:d4ca5a6f-3a55-4f8d-8cdc-10c3b8f39fcd:bed6cd7d-6f4e-4957-9703-5ccaa04997a8", + "desc": "Eclipse Jetty Canonical Repository is the canonical repository for the Jetty project. Users of the CgiServlet with a very specific command structure may have the wrong command executed. If a user sends a request to a org.eclipse.jetty.servlets.CGI Servlet for a binary with a space in its name, the servlet will escape the command by wrapping it in quotation marks. This wrapped command, plus an optional command prefix, will then be executed through a call to Runtime.exec. If the original binary name provided by the user contains a quotation mark followed by a space, the resulting command line will contain multiple tokens instead of one. This issue was patched in version 9.4.52, 10.0.16, 11.0.16 and 12.0.0-beta2.\n", + "descriptions": [ + { + "data": "Eclipse Jetty Canonical Repository is the canonical repository for the Jetty project. Users of the CgiServlet with a very specific command structure may have the wrong command executed. If a user sends a request to a org.eclipse.jetty.servlets.CGI Servlet for a binary with a space in its name, the servlet will escape the command by wrapping it in quotation marks. This wrapped command, plus an optional command prefix, will then be executed through a call to Runtime.exec. If the original binary name provided by the user contains a quotation mark followed by a space, the resulting command line will contain multiple tokens instead of one. 
This issue was patched in version 9.4.52, 10.0.16, 11.0.16 and 12.0.0-beta2.\n", + "label": "check" + }, + { + "data": "", + "label": "fix" + } + ], + "impact": 0.5, + "code": "{\n \"component\": {\n \"latestVersion\": \"11.0.20\",\n \"name\": \"jetty-servlets\",\n \"project\": \"5840398e-605b-4326-9184-74e0e7c2a081\",\n \"purl\": \"pkg:maven/org.eclipse.jetty/jetty-servlets@9.4.18.v20190429?type=jar\",\n \"uuid\": \"d4ca5a6f-3a55-4f8d-8cdc-10c3b8f39fcd\",\n \"version\": \"9.4.18.v20190429\",\n \"group\": \"org.eclipse.jetty\"\n },\n \"attribution\": {\n \"alternateIdentifier\": \"CVE-2023-36479\",\n \"analyzerIdentity\": \"OSSINDEX_ANALYZER\",\n \"attributedOn\": \"2024-04-04 03:29:41.382\",\n \"referenceUrl\": \"https://ossindex.sonatype.org/vulnerability/CVE-2023-36479?component-type=maven&component-name=org.eclipse.jetty%2Fjetty-servlets&utm_source=dependency-track&utm_medium=integration&utm_content=v4.10.1\"\n },\n \"vulnerability\": {\n \"severity\": \"MEDIUM\",\n \"cvssV3BaseScore\": 4.3,\n \"vulnId\": \"CVE-2023-36479\",\n \"aliases\": [],\n \"cweId\": 149,\n \"description\": \"Eclipse Jetty Canonical Repository is the canonical repository for the Jetty project. Users of the CgiServlet with a very specific command structure may have the wrong command executed. If a user sends a request to a org.eclipse.jetty.servlets.CGI Servlet for a binary with a space in its name, the servlet will escape the command by wrapping it in quotation marks. This wrapped command, plus an optional command prefix, will then be executed through a call to Runtime.exec. If the original binary name provided by the user contains a quotation mark followed by a space, the resulting command line will contain multiple tokens instead of one. 
This issue was patched in version 9.4.52, 10.0.16, 11.0.16 and 12.0.0-beta2.\\n\",\n \"epssScore\": 0.00055,\n \"source\": \"NVD\",\n \"cwes\": [\n {\n \"cweId\": 149,\n \"name\": \"Improper Neutralization of Quoting Syntax\",\n \"id\": 0\n }\n ],\n \"uuid\": \"bed6cd7d-6f4e-4957-9703-5ccaa04997a8\",\n \"severityRank\": 2,\n \"cweName\": \"Improper Neutralization of Quoting Syntax\",\n \"epssPercentile\": 0.21067\n },\n \"analysis\": {\n \"isSuppressed\": false\n },\n \"matrix\": \"5840398e-605b-4326-9184-74e0e7c2a081:d4ca5a6f-3a55-4f8d-8cdc-10c3b8f39fcd:bed6cd7d-6f4e-4957-9703-5ccaa04997a8\"\n}", + "results": [ + { + "status": "failed", + "code_desc": "", + "start_time": "2024-04-04T03:32:17Z" + } + ] + }, + { + "tags": { + "cweIds": [ + 732 + ], + "cweNames": [ + "Incorrect Permission Assignment for Critical Resource" + ], + "nist": [ + "AC-3" + ], + "cci": [ + "CCI-000213" + ], + "componentUuid": "bee3b1ea-7a3e-49c1-bb38-07ba82da02a0", + "componentName": "junit", + "componentGroup": "junit", + "componentVersion": "4.12", + "componentLatestVersion": "4.13.2", + "componentPurl": "pkg:maven/junit/junit@4.12?type=jar", + "componentCpe": "", + "componentProject": "5840398e-605b-4326-9184-74e0e7c2a081", + "vulnerabilityUuid": "95e8cf75-7b31-43b6-af1c-bcf3a92dea3d", + "vulnerabilitySource": "NVD", + "vulnerabilityVulnId": "CVE-2020-15250", + "vulnerabilityTitle": "", + "vulnerabilitySubtitle": "", + "vulnerabilityAliases": "[]", + "vulnerabilityCvssV2BaseScore": 1.9, + "vulnerabilityCvssV3BaseScore": 5.5, + "vulnerabilityOwaspLikelihoodScore": "", + "vulnerabilityOwaspTechnicalImpactScore": "", + "vulnerabilityOwaspBusinessImpactScore": "", + "vulnerabilitySeverityRank": 2, + "vulnerabilityEpssScore": 0.00066, + "vulnerabilityEpssPercentile": 0.27539, + "vulnerabilityCweId": 732, + "vulnerabilityCweName": "Incorrect Permission Assignment for Critical Resource", + "attributionAnalyzerIdentity": "OSSINDEX_ANALYZER", + "attributionAttributedOn": "2024-04-04 03:29:41.412", 
+ "attributionAlternateIdentifier": "CVE-2020-15250", + "attributionReferenceUrl": "https://ossindex.sonatype.org/vulnerability/CVE-2020-15250?component-type=maven&component-name=junit%2Fjunit&utm_source=dependency-track&utm_medium=integration&utm_content=v4.10.1", + "analysisState": "", + "analysisIsSuppressed": "" + }, + "refs": [], + "source_location": {}, + "title": "pkg:maven/junit/junit@4.12?type=jar", + "id": "5840398e-605b-4326-9184-74e0e7c2a081:bee3b1ea-7a3e-49c1-bb38-07ba82da02a0:95e8cf75-7b31-43b6-af1c-bcf3a92dea3d", + "desc": "In JUnit4 from version 4.7 and before 4.13.1, the test rule TemporaryFolder contains a local information disclosure vulnerability. On Unix like systems, the system's temporary directory is shared between all users on that system. Because of this, when files and directories are written into this directory they are, by default, readable by other users on that same system. This vulnerability does not allow other users to overwrite the contents of these directories or files. This is purely an information disclosure vulnerability. This vulnerability impacts you if the JUnit tests write sensitive information, like API keys or passwords, into the temporary folder, and the JUnit tests execute in an environment where the OS has other untrusted users. Because certain JDK file system APIs were only added in JDK 1.7, this this fix is dependent upon the version of the JDK you are using. For Java 1.7 and higher users: this vulnerability is fixed in 4.13.1. For Java 1.6 and lower users: no patch is available, you must use the workaround below. If you are unable to patch, or are stuck running on Java 1.6, specifying the `java.io.tmpdir` system environment variable to a directory that is exclusively owned by the executing user will fix this vulnerability. 
For more information, including an example of vulnerable code, see the referenced GitHub Security Advisory.", + "descriptions": [ + { + "data": "In JUnit4 from version 4.7 and before 4.13.1, the test rule TemporaryFolder contains a local information disclosure vulnerability. On Unix like systems, the system's temporary directory is shared between all users on that system. Because of this, when files and directories are written into this directory they are, by default, readable by other users on that same system. This vulnerability does not allow other users to overwrite the contents of these directories or files. This is purely an information disclosure vulnerability. This vulnerability impacts you if the JUnit tests write sensitive information, like API keys or passwords, into the temporary folder, and the JUnit tests execute in an environment where the OS has other untrusted users. Because certain JDK file system APIs were only added in JDK 1.7, this this fix is dependent upon the version of the JDK you are using. For Java 1.7 and higher users: this vulnerability is fixed in 4.13.1. For Java 1.6 and lower users: no patch is available, you must use the workaround below. If you are unable to patch, or are stuck running on Java 1.6, specifying the `java.io.tmpdir` system environment variable to a directory that is exclusively owned by the executing user will fix this vulnerability. 
For more information, including an example of vulnerable code, see the referenced GitHub Security Advisory.", + "label": "check" + }, + { + "data": "", + "label": "fix" + } + ], + "impact": 0.5, + "code": "{\n \"component\": {\n \"latestVersion\": \"4.13.2\",\n \"name\": \"junit\",\n \"project\": \"5840398e-605b-4326-9184-74e0e7c2a081\",\n \"purl\": \"pkg:maven/junit/junit@4.12?type=jar\",\n \"uuid\": \"bee3b1ea-7a3e-49c1-bb38-07ba82da02a0\",\n \"version\": \"4.12\",\n \"group\": \"junit\"\n },\n \"attribution\": {\n \"alternateIdentifier\": \"CVE-2020-15250\",\n \"analyzerIdentity\": \"OSSINDEX_ANALYZER\",\n \"attributedOn\": \"2024-04-04 03:29:41.412\",\n \"referenceUrl\": \"https://ossindex.sonatype.org/vulnerability/CVE-2020-15250?component-type=maven&component-name=junit%2Fjunit&utm_source=dependency-track&utm_medium=integration&utm_content=v4.10.1\"\n },\n \"vulnerability\": {\n \"severity\": \"MEDIUM\",\n \"cvssV3BaseScore\": 5.5,\n \"vulnId\": \"CVE-2020-15250\",\n \"aliases\": [],\n \"cweId\": 732,\n \"description\": \"In JUnit4 from version 4.7 and before 4.13.1, the test rule TemporaryFolder contains a local information disclosure vulnerability. On Unix like systems, the system's temporary directory is shared between all users on that system. Because of this, when files and directories are written into this directory they are, by default, readable by other users on that same system. This vulnerability does not allow other users to overwrite the contents of these directories or files. This is purely an information disclosure vulnerability. This vulnerability impacts you if the JUnit tests write sensitive information, like API keys or passwords, into the temporary folder, and the JUnit tests execute in an environment where the OS has other untrusted users. Because certain JDK file system APIs were only added in JDK 1.7, this this fix is dependent upon the version of the JDK you are using. 
For Java 1.7 and higher users: this vulnerability is fixed in 4.13.1. For Java 1.6 and lower users: no patch is available, you must use the workaround below. If you are unable to patch, or are stuck running on Java 1.6, specifying the `java.io.tmpdir` system environment variable to a directory that is exclusively owned by the executing user will fix this vulnerability. For more information, including an example of vulnerable code, see the referenced GitHub Security Advisory.\",\n \"epssScore\": 0.00066,\n \"source\": \"NVD\",\n \"cwes\": [\n {\n \"cweId\": 732,\n \"name\": \"Incorrect Permission Assignment for Critical Resource\",\n \"id\": 0\n }\n ],\n \"uuid\": \"95e8cf75-7b31-43b6-af1c-bcf3a92dea3d\",\n \"severityRank\": 2,\n \"cweName\": \"Incorrect Permission Assignment for Critical Resource\",\n \"epssPercentile\": 0.27539,\n \"cvssV2BaseScore\": 1.9\n },\n \"analysis\": {\n \"isSuppressed\": false\n },\n \"matrix\": \"5840398e-605b-4326-9184-74e0e7c2a081:bee3b1ea-7a3e-49c1-bb38-07ba82da02a0:95e8cf75-7b31-43b6-af1c-bcf3a92dea3d\"\n}", + "results": [ + { + "status": "failed", + "code_desc": "", + "start_time": "2024-04-04T03:32:17Z" + } + ] + }, + { + "tags": { + "cweIds": [ + 89 + ], + "cweNames": [ + "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')" + ], + "nist": [ + "SI-10" + ], + "cci": [ + "CCI-001310" + ], + "componentUuid": "9c322d19-384d-4260-a5ca-a40ff0ca0bfd", + "componentName": "hibernate-core", + "componentGroup": "org.hibernate", + "componentVersion": "5.2.18.Final", + "componentLatestVersion": "6.5.0.CR1", + "componentPurl": "pkg:maven/org.hibernate/hibernate-core@5.2.18.Final?type=jar", + "componentCpe": "", + "componentProject": "5840398e-605b-4326-9184-74e0e7c2a081", + "vulnerabilityUuid": "8d87b7c1-ea64-417b-a6c7-d358120ad29b", + "vulnerabilitySource": "NVD", + "vulnerabilityVulnId": "CVE-2019-14900", + "vulnerabilityTitle": "", + "vulnerabilitySubtitle": "", + "vulnerabilityAliases": "[]", + 
"vulnerabilityCvssV2BaseScore": 4, + "vulnerabilityCvssV3BaseScore": 6.5, + "vulnerabilityOwaspLikelihoodScore": "", + "vulnerabilityOwaspTechnicalImpactScore": "", + "vulnerabilityOwaspBusinessImpactScore": "", + "vulnerabilitySeverityRank": 2, + "vulnerabilityEpssScore": 0.00104, + "vulnerabilityEpssPercentile": 0.41338, + "vulnerabilityCweId": 89, + "vulnerabilityCweName": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", + "attributionAnalyzerIdentity": "OSSINDEX_ANALYZER", + "attributionAttributedOn": "2024-04-04 03:29:41.441", + "attributionAlternateIdentifier": "CVE-2019-14900", + "attributionReferenceUrl": "https://ossindex.sonatype.org/vulnerability/CVE-2019-14900?component-type=maven&component-name=org.hibernate%2Fhibernate-core&utm_source=dependency-track&utm_medium=integration&utm_content=v4.10.1", + "analysisState": "", + "analysisIsSuppressed": "" + }, + "refs": [], + "source_location": {}, + "title": "pkg:maven/org.hibernate/hibernate-core@5.2.18.Final?type=jar", + "id": "5840398e-605b-4326-9184-74e0e7c2a081:9c322d19-384d-4260-a5ca-a40ff0ca0bfd:8d87b7c1-ea64-417b-a6c7-d358120ad29b", + "desc": "A flaw was found in Hibernate ORM in versions before 5.3.18, 5.4.18 and 5.5.0.Beta1. A SQL injection in the implementation of the JPA Criteria API can permit unsanitized literals when a literal is used in the SELECT or GROUP BY parts of the query. This flaw could allow an attacker to access unauthorized information or possibly conduct further attacks.", + "descriptions": [ + { + "data": "A flaw was found in Hibernate ORM in versions before 5.3.18, 5.4.18 and 5.5.0.Beta1. A SQL injection in the implementation of the JPA Criteria API can permit unsanitized literals when a literal is used in the SELECT or GROUP BY parts of the query. 
This flaw could allow an attacker to access unauthorized information or possibly conduct further attacks.", + "label": "check" + }, + { + "data": "", + "label": "fix" + } + ], + "impact": 0.5, + "code": "{\n \"component\": {\n \"latestVersion\": \"6.5.0.CR1\",\n \"name\": \"hibernate-core\",\n \"project\": \"5840398e-605b-4326-9184-74e0e7c2a081\",\n \"purl\": \"pkg:maven/org.hibernate/hibernate-core@5.2.18.Final?type=jar\",\n \"uuid\": \"9c322d19-384d-4260-a5ca-a40ff0ca0bfd\",\n \"version\": \"5.2.18.Final\",\n \"group\": \"org.hibernate\"\n },\n \"attribution\": {\n \"alternateIdentifier\": \"CVE-2019-14900\",\n \"analyzerIdentity\": \"OSSINDEX_ANALYZER\",\n \"attributedOn\": \"2024-04-04 03:29:41.441\",\n \"referenceUrl\": \"https://ossindex.sonatype.org/vulnerability/CVE-2019-14900?component-type=maven&component-name=org.hibernate%2Fhibernate-core&utm_source=dependency-track&utm_medium=integration&utm_content=v4.10.1\"\n },\n \"vulnerability\": {\n \"severity\": \"MEDIUM\",\n \"cvssV3BaseScore\": 6.5,\n \"vulnId\": \"CVE-2019-14900\",\n \"aliases\": [],\n \"cweId\": 89,\n \"description\": \"A flaw was found in Hibernate ORM in versions before 5.3.18, 5.4.18 and 5.5.0.Beta1. A SQL injection in the implementation of the JPA Criteria API can permit unsanitized literals when a literal is used in the SELECT or GROUP BY parts of the query. 
This flaw could allow an attacker to access unauthorized information or possibly conduct further attacks.\",\n \"epssScore\": 0.00104,\n \"source\": \"NVD\",\n \"cwes\": [\n {\n \"cweId\": 89,\n \"name\": \"Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')\",\n \"id\": 0\n }\n ],\n \"uuid\": \"8d87b7c1-ea64-417b-a6c7-d358120ad29b\",\n \"severityRank\": 2,\n \"cweName\": \"Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')\",\n \"epssPercentile\": 0.41338,\n \"cvssV2BaseScore\": 4\n },\n \"analysis\": {\n \"isSuppressed\": false\n },\n \"matrix\": \"5840398e-605b-4326-9184-74e0e7c2a081:9c322d19-384d-4260-a5ca-a40ff0ca0bfd:8d87b7c1-ea64-417b-a6c7-d358120ad29b\"\n}", + "results": [ + { + "status": "failed", + "code_desc": "", + "start_time": "2024-04-04T03:32:17Z" + } + ] + }, + { + "tags": { + "cweIds": [ + 89 + ], + "cweNames": [ + "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')" + ], + "nist": [ + "SI-10" + ], + "cci": [ + "CCI-001310" + ], + "componentUuid": "9c322d19-384d-4260-a5ca-a40ff0ca0bfd", + "componentName": "hibernate-core", + "componentGroup": "org.hibernate", + "componentVersion": "5.2.18.Final", + "componentLatestVersion": "6.5.0.CR1", + "componentPurl": "pkg:maven/org.hibernate/hibernate-core@5.2.18.Final?type=jar", + "componentCpe": "", + "componentProject": "5840398e-605b-4326-9184-74e0e7c2a081", + "vulnerabilityUuid": "86ba00c8-42e0-4805-8a82-ff725a7b1501", + "vulnerabilitySource": "NVD", + "vulnerabilityVulnId": "CVE-2020-25638", + "vulnerabilityTitle": "", + "vulnerabilitySubtitle": "", + "vulnerabilityAliases": "[]", + "vulnerabilityCvssV2BaseScore": 5.8, + "vulnerabilityCvssV3BaseScore": 7.4, + "vulnerabilityOwaspLikelihoodScore": "", + "vulnerabilityOwaspTechnicalImpactScore": "", + "vulnerabilityOwaspBusinessImpactScore": "", + "vulnerabilitySeverityRank": 1, + "vulnerabilityEpssScore": 0.00352, + "vulnerabilityEpssPercentile": 0.71442, 
+ "vulnerabilityCweId": 89, + "vulnerabilityCweName": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", + "attributionAnalyzerIdentity": "OSSINDEX_ANALYZER", + "attributionAttributedOn": "2024-04-04 03:29:41.445", + "attributionAlternateIdentifier": "CVE-2020-25638", + "attributionReferenceUrl": "https://ossindex.sonatype.org/vulnerability/CVE-2020-25638?component-type=maven&component-name=org.hibernate%2Fhibernate-core&utm_source=dependency-track&utm_medium=integration&utm_content=v4.10.1", + "analysisState": "", + "analysisIsSuppressed": "" + }, + "refs": [], + "source_location": {}, + "title": "pkg:maven/org.hibernate/hibernate-core@5.2.18.Final?type=jar", + "id": "5840398e-605b-4326-9184-74e0e7c2a081:9c322d19-384d-4260-a5ca-a40ff0ca0bfd:86ba00c8-42e0-4805-8a82-ff725a7b1501", + "desc": "A flaw was found in hibernate-core in versions prior to and including 5.4.23.Final. A SQL injection in the implementation of the JPA Criteria API can permit unsanitized literals when a literal is used in the SQL comments of the query. This flaw could allow an attacker to access unauthorized information or possibly conduct further attacks. The highest threat from this vulnerability is to data confidentiality and integrity.", + "descriptions": [ + { + "data": "A flaw was found in hibernate-core in versions prior to and including 5.4.23.Final. A SQL injection in the implementation of the JPA Criteria API can permit unsanitized literals when a literal is used in the SQL comments of the query. This flaw could allow an attacker to access unauthorized information or possibly conduct further attacks. 
The highest threat from this vulnerability is to data confidentiality and integrity.", + "label": "check" + }, + { + "data": "", + "label": "fix" + } + ], + "impact": 0.7, + "code": "{\n \"component\": {\n \"latestVersion\": \"6.5.0.CR1\",\n \"name\": \"hibernate-core\",\n \"project\": \"5840398e-605b-4326-9184-74e0e7c2a081\",\n \"purl\": \"pkg:maven/org.hibernate/hibernate-core@5.2.18.Final?type=jar\",\n \"uuid\": \"9c322d19-384d-4260-a5ca-a40ff0ca0bfd\",\n \"version\": \"5.2.18.Final\",\n \"group\": \"org.hibernate\"\n },\n \"attribution\": {\n \"alternateIdentifier\": \"CVE-2020-25638\",\n \"analyzerIdentity\": \"OSSINDEX_ANALYZER\",\n \"attributedOn\": \"2024-04-04 03:29:41.445\",\n \"referenceUrl\": \"https://ossindex.sonatype.org/vulnerability/CVE-2020-25638?component-type=maven&component-name=org.hibernate%2Fhibernate-core&utm_source=dependency-track&utm_medium=integration&utm_content=v4.10.1\"\n },\n \"vulnerability\": {\n \"severity\": \"HIGH\",\n \"cvssV3BaseScore\": 7.4,\n \"vulnId\": \"CVE-2020-25638\",\n \"aliases\": [],\n \"cweId\": 89,\n \"description\": \"A flaw was found in hibernate-core in versions prior to and including 5.4.23.Final. A SQL injection in the implementation of the JPA Criteria API can permit unsanitized literals when a literal is used in the SQL comments of the query. This flaw could allow an attacker to access unauthorized information or possibly conduct further attacks. 
The highest threat from this vulnerability is to data confidentiality and integrity.\",\n \"epssScore\": 0.00352,\n \"source\": \"NVD\",\n \"cwes\": [\n {\n \"cweId\": 89,\n \"name\": \"Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')\",\n \"id\": 0\n }\n ],\n \"uuid\": \"86ba00c8-42e0-4805-8a82-ff725a7b1501\",\n \"severityRank\": 1,\n \"cweName\": \"Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')\",\n \"epssPercentile\": 0.71442,\n \"cvssV2BaseScore\": 5.8\n },\n \"analysis\": {\n \"isSuppressed\": false\n },\n \"matrix\": \"5840398e-605b-4326-9184-74e0e7c2a081:9c322d19-384d-4260-a5ca-a40ff0ca0bfd:86ba00c8-42e0-4805-8a82-ff725a7b1501\"\n}", + "results": [ + { + "status": "failed", + "code_desc": "", + "start_time": "2024-04-04T03:32:17Z" + } + ] + }, + { + "tags": { + "cweIds": [ + 611 + ], + "cweNames": [ + "Improper Restriction of XML External Entity Reference" + ], + "nist": [ + "SI-10" + ], + "cci": [ + "CCI-001310" + ], + "componentUuid": "de708d9a-0b21-44f6-a3dc-caa1c3574daf", + "componentName": "dom4j", + "componentGroup": "org.dom4j", + "componentVersion": "2.1.1", + "componentLatestVersion": "2.1.4", + "componentPurl": "pkg:maven/org.dom4j/dom4j@2.1.1?type=jar", + "componentCpe": "", + "componentProject": "5840398e-605b-4326-9184-74e0e7c2a081", + "vulnerabilityUuid": "c539c604-e519-428a-ab6b-126907da5962", + "vulnerabilitySource": "NVD", + "vulnerabilityVulnId": "CVE-2020-10683", + "vulnerabilityTitle": "", + "vulnerabilitySubtitle": "", + "vulnerabilityAliases": "[]", + "vulnerabilityCvssV2BaseScore": 7.5, + "vulnerabilityCvssV3BaseScore": 9.8, + "vulnerabilityOwaspLikelihoodScore": "", + "vulnerabilityOwaspTechnicalImpactScore": "", + "vulnerabilityOwaspBusinessImpactScore": "", + "vulnerabilitySeverityRank": "", + "vulnerabilityEpssScore": 0.00664, + "vulnerabilityEpssPercentile": 0.79249, + "vulnerabilityCweId": 611, + "vulnerabilityCweName": "Improper Restriction of XML External 
Entity Reference", + "attributionAnalyzerIdentity": "OSSINDEX_ANALYZER", + "attributionAttributedOn": "2024-04-04 03:29:41.463", + "attributionAlternateIdentifier": "CVE-2020-10683", + "attributionReferenceUrl": "https://ossindex.sonatype.org/vulnerability/CVE-2020-10683?component-type=maven&component-name=org.dom4j%2Fdom4j&utm_source=dependency-track&utm_medium=integration&utm_content=v4.10.1", + "analysisState": "", + "analysisIsSuppressed": "" + }, + "refs": [], + "source_location": {}, + "title": "pkg:maven/org.dom4j/dom4j@2.1.1?type=jar", + "id": "5840398e-605b-4326-9184-74e0e7c2a081:de708d9a-0b21-44f6-a3dc-caa1c3574daf:c539c604-e519-428a-ab6b-126907da5962", + "desc": "dom4j before 2.0.3 and 2.1.x before 2.1.3 allows external DTDs and External Entities by default, which might enable XXE attacks. However, there is popular external documentation from OWASP showing how to enable the safe, non-default behavior in any application that uses dom4j.", + "descriptions": [ + { + "data": "dom4j before 2.0.3 and 2.1.x before 2.1.3 allows external DTDs and External Entities by default, which might enable XXE attacks. 
However, there is popular external documentation from OWASP showing how to enable the safe, non-default behavior in any application that uses dom4j.", + "label": "check" + }, + { + "data": "", + "label": "fix" + } + ], + "impact": 0.9, + "code": "{\n \"component\": {\n \"latestVersion\": \"2.1.4\",\n \"name\": \"dom4j\",\n \"project\": \"5840398e-605b-4326-9184-74e0e7c2a081\",\n \"purl\": \"pkg:maven/org.dom4j/dom4j@2.1.1?type=jar\",\n \"uuid\": \"de708d9a-0b21-44f6-a3dc-caa1c3574daf\",\n \"version\": \"2.1.1\",\n \"group\": \"org.dom4j\"\n },\n \"attribution\": {\n \"alternateIdentifier\": \"CVE-2020-10683\",\n \"analyzerIdentity\": \"OSSINDEX_ANALYZER\",\n \"attributedOn\": \"2024-04-04 03:29:41.463\",\n \"referenceUrl\": \"https://ossindex.sonatype.org/vulnerability/CVE-2020-10683?component-type=maven&component-name=org.dom4j%2Fdom4j&utm_source=dependency-track&utm_medium=integration&utm_content=v4.10.1\"\n },\n \"vulnerability\": {\n \"severity\": \"CRITICAL\",\n \"cvssV3BaseScore\": 9.8,\n \"vulnId\": \"CVE-2020-10683\",\n \"aliases\": [],\n \"cweId\": 611,\n \"description\": \"dom4j before 2.0.3 and 2.1.x before 2.1.3 allows external DTDs and External Entities by default, which might enable XXE attacks. 
However, there is popular external documentation from OWASP showing how to enable the safe, non-default behavior in any application that uses dom4j.\",\n \"epssScore\": 0.00664,\n \"source\": \"NVD\",\n \"cwes\": [\n {\n \"cweId\": 611,\n \"name\": \"Improper Restriction of XML External Entity Reference\",\n \"id\": 0\n }\n ],\n \"uuid\": \"c539c604-e519-428a-ab6b-126907da5962\",\n \"severityRank\": 0,\n \"cweName\": \"Improper Restriction of XML External Entity Reference\",\n \"epssPercentile\": 0.79249,\n \"cvssV2BaseScore\": 7.5\n },\n \"analysis\": {\n \"isSuppressed\": false\n },\n \"matrix\": \"5840398e-605b-4326-9184-74e0e7c2a081:de708d9a-0b21-44f6-a3dc-caa1c3574daf:c539c604-e519-428a-ab6b-126907da5962\"\n}", + "results": [ + { + "status": "failed", + "code_desc": "", + "start_time": "2024-04-04T03:32:17Z" + } + ] + }, + { + "tags": { + "cweIds": [], + "cweNames": [], + "nist": [ + "SA-11", + "RA-5" + ], + "cci": [ + "CCI-003173", + "CCI-001643" + ], + "componentUuid": "893b55c6-8b80-4729-bb5d-dc95b1801691", + "componentName": "httpclient", + "componentGroup": "org.apache.httpcomponents", + "componentVersion": "4.5.7", + "componentLatestVersion": "4.5.14", + "componentPurl": "pkg:maven/org.apache.httpcomponents/httpclient@4.5.7?type=jar", + "componentCpe": "", + "componentProject": "5840398e-605b-4326-9184-74e0e7c2a081", + "vulnerabilityUuid": "f14d3101-833f-4bc3-a8e8-6156582528f5", + "vulnerabilitySource": "NVD", + "vulnerabilityVulnId": "CVE-2020-13956", + "vulnerabilityTitle": "", + "vulnerabilitySubtitle": "", + "vulnerabilityAliases": "[]", + "vulnerabilityCvssV2BaseScore": 5, + "vulnerabilityCvssV3BaseScore": 5.3, + "vulnerabilityOwaspLikelihoodScore": "", + "vulnerabilityOwaspTechnicalImpactScore": "", + "vulnerabilityOwaspBusinessImpactScore": "", + "vulnerabilitySeverityRank": 2, + "vulnerabilityEpssScore": 0.00162, + "vulnerabilityEpssPercentile": 0.5203, + "vulnerabilityCweId": "", + "vulnerabilityCweName": "", + "attributionAnalyzerIdentity": 
"OSSINDEX_ANALYZER", + "attributionAttributedOn": "2024-04-04 03:29:41.477", + "attributionAlternateIdentifier": "CVE-2020-13956", + "attributionReferenceUrl": "https://ossindex.sonatype.org/vulnerability/CVE-2020-13956?component-type=maven&component-name=org.apache.httpcomponents%2Fhttpclient&utm_source=dependency-track&utm_medium=integration&utm_content=v4.10.1", + "analysisState": "", + "analysisIsSuppressed": "" + }, + "refs": [], + "source_location": {}, + "title": "pkg:maven/org.apache.httpcomponents/httpclient@4.5.7?type=jar", + "id": "5840398e-605b-4326-9184-74e0e7c2a081:893b55c6-8b80-4729-bb5d-dc95b1801691:f14d3101-833f-4bc3-a8e8-6156582528f5", + "desc": "Apache HttpClient versions prior to version 4.5.13 and 5.0.3 can misinterpret malformed authority component in request URIs passed to the library as java.net.URI object and pick the wrong target host for request execution.", + "descriptions": [ + { + "data": "Apache HttpClient versions prior to version 4.5.13 and 5.0.3 can misinterpret malformed authority component in request URIs passed to the library as java.net.URI object and pick the wrong target host for request execution.", + "label": "check" + }, + { + "data": "", + "label": "fix" + } + ], + "impact": 0.5, + "code": "{\n \"component\": {\n \"latestVersion\": \"4.5.14\",\n \"name\": \"httpclient\",\n \"project\": \"5840398e-605b-4326-9184-74e0e7c2a081\",\n \"purl\": \"pkg:maven/org.apache.httpcomponents/httpclient@4.5.7?type=jar\",\n \"uuid\": \"893b55c6-8b80-4729-bb5d-dc95b1801691\",\n \"version\": \"4.5.7\",\n \"group\": \"org.apache.httpcomponents\"\n },\n \"attribution\": {\n \"alternateIdentifier\": \"CVE-2020-13956\",\n \"analyzerIdentity\": \"OSSINDEX_ANALYZER\",\n \"attributedOn\": \"2024-04-04 03:29:41.477\",\n \"referenceUrl\": \"https://ossindex.sonatype.org/vulnerability/CVE-2020-13956?component-type=maven&component-name=org.apache.httpcomponents%2Fhttpclient&utm_source=dependency-track&utm_medium=integration&utm_content=v4.10.1\"\n },\n 
\"vulnerability\": {\n \"severity\": \"MEDIUM\",\n \"cvssV3BaseScore\": 5.3,\n \"severityRank\": 2,\n \"vulnId\": \"CVE-2020-13956\",\n \"aliases\": [],\n \"epssPercentile\": 0.5203,\n \"cvssV2BaseScore\": 5,\n \"description\": \"Apache HttpClient versions prior to version 4.5.13 and 5.0.3 can misinterpret malformed authority component in request URIs passed to the library as java.net.URI object and pick the wrong target host for request execution.\",\n \"epssScore\": 0.00162,\n \"source\": \"NVD\",\n \"uuid\": \"f14d3101-833f-4bc3-a8e8-6156582528f5\"\n },\n \"analysis\": {\n \"isSuppressed\": false\n },\n \"matrix\": \"5840398e-605b-4326-9184-74e0e7c2a081:893b55c6-8b80-4729-bb5d-dc95b1801691:f14d3101-833f-4bc3-a8e8-6156582528f5\"\n}", + "results": [ + { + "status": "failed", + "code_desc": "", + "start_time": "2024-04-04T03:32:17Z" + } + ] + }, + { + "tags": { + "cweIds": [ + 611 + ], + "cweNames": [ + "Improper Restriction of XML External Entity Reference" + ], + "nist": [ + "SI-10" + ], + "cci": [ + "CCI-001310" + ], + "componentUuid": "6dfcf1da-5ee2-487c-9440-74daac6a795d", + "componentName": "liquibase-core", + "componentGroup": "org.liquibase", + "componentVersion": "3.6.3", + "componentLatestVersion": "4.27.0", + "componentPurl": "pkg:maven/org.liquibase/liquibase-core@3.6.3?type=jar", + "componentCpe": "", + "componentProject": "5840398e-605b-4326-9184-74e0e7c2a081", + "vulnerabilityUuid": "e5733c1d-c810-4577-91d5-fb9ce95469b6", + "vulnerabilitySource": "NVD", + "vulnerabilityVulnId": "CVE-2022-0839", + "vulnerabilityTitle": "", + "vulnerabilitySubtitle": "", + "vulnerabilityAliases": "[]", + "vulnerabilityCvssV2BaseScore": 7.5, + "vulnerabilityCvssV3BaseScore": 9.8, + "vulnerabilityOwaspLikelihoodScore": "", + "vulnerabilityOwaspTechnicalImpactScore": "", + "vulnerabilityOwaspBusinessImpactScore": "", + "vulnerabilitySeverityRank": "", + "vulnerabilityEpssScore": 0.00697, + "vulnerabilityEpssPercentile": 0.79842, + "vulnerabilityCweId": 611, + 
"vulnerabilityCweName": "Improper Restriction of XML External Entity Reference", + "attributionAnalyzerIdentity": "OSSINDEX_ANALYZER", + "attributionAttributedOn": "2024-04-04 03:29:41.901", + "attributionAlternateIdentifier": "CVE-2022-0839", + "attributionReferenceUrl": "https://ossindex.sonatype.org/vulnerability/CVE-2022-0839?component-type=maven&component-name=org.liquibase%2Fliquibase-core&utm_source=dependency-track&utm_medium=integration&utm_content=v4.10.1", + "analysisState": "", + "analysisIsSuppressed": "" + }, + "refs": [], + "source_location": {}, + "title": "pkg:maven/org.liquibase/liquibase-core@3.6.3?type=jar", + "id": "5840398e-605b-4326-9184-74e0e7c2a081:6dfcf1da-5ee2-487c-9440-74daac6a795d:e5733c1d-c810-4577-91d5-fb9ce95469b6", + "desc": "Improper Restriction of XML External Entity Reference in GitHub repository liquibase/liquibase prior to 4.8.0.", + "descriptions": [ + { + "data": "Improper Restriction of XML External Entity Reference in GitHub repository liquibase/liquibase prior to 4.8.0.", + "label": "check" + }, + { + "data": "", + "label": "fix" + } + ], + "impact": 0.9, + "code": "{\n \"component\": {\n \"latestVersion\": \"4.27.0\",\n \"name\": \"liquibase-core\",\n \"project\": \"5840398e-605b-4326-9184-74e0e7c2a081\",\n \"purl\": \"pkg:maven/org.liquibase/liquibase-core@3.6.3?type=jar\",\n \"uuid\": \"6dfcf1da-5ee2-487c-9440-74daac6a795d\",\n \"version\": \"3.6.3\",\n \"group\": \"org.liquibase\"\n },\n \"attribution\": {\n \"alternateIdentifier\": \"CVE-2022-0839\",\n \"analyzerIdentity\": \"OSSINDEX_ANALYZER\",\n \"attributedOn\": \"2024-04-04 03:29:41.901\",\n \"referenceUrl\": \"https://ossindex.sonatype.org/vulnerability/CVE-2022-0839?component-type=maven&component-name=org.liquibase%2Fliquibase-core&utm_source=dependency-track&utm_medium=integration&utm_content=v4.10.1\"\n },\n \"vulnerability\": {\n \"severity\": \"CRITICAL\",\n \"cvssV3BaseScore\": 9.8,\n \"vulnId\": \"CVE-2022-0839\",\n \"aliases\": [],\n \"cweId\": 611,\n 
\"description\": \"Improper Restriction of XML External Entity Reference in GitHub repository liquibase/liquibase prior to 4.8.0.\",\n \"epssScore\": 0.00697,\n \"source\": \"NVD\",\n \"cwes\": [\n {\n \"cweId\": 611,\n \"name\": \"Improper Restriction of XML External Entity Reference\",\n \"id\": 0\n }\n ],\n \"uuid\": \"e5733c1d-c810-4577-91d5-fb9ce95469b6\",\n \"severityRank\": 0,\n \"cweName\": \"Improper Restriction of XML External Entity Reference\",\n \"epssPercentile\": 0.79842,\n \"cvssV2BaseScore\": 7.5\n },\n \"analysis\": {\n \"isSuppressed\": false\n },\n \"matrix\": \"5840398e-605b-4326-9184-74e0e7c2a081:6dfcf1da-5ee2-487c-9440-74daac6a795d:e5733c1d-c810-4577-91d5-fb9ce95469b6\"\n}", + "results": [ + { + "status": "failed", + "code_desc": "", + "start_time": "2024-04-04T03:32:17Z" + } + ] + }, + { + "tags": { + "cweIds": [], + "cweNames": [], + "nist": [ + "SA-11", + "RA-5" + ], + "cci": [ + "CCI-003173", + "CCI-001643" + ], + "componentUuid": "6127f236-909c-484e-a729-23e518f727f5", + "componentName": "http2-server", + "componentGroup": "org.eclipse.jetty.http2", + "componentVersion": "9.4.18.v20190429", + "componentLatestVersion": "11.0.20", + "componentPurl": "pkg:maven/org.eclipse.jetty.http2/http2-server@9.4.18.v20190429?type=jar", + "componentCpe": "", + "componentProject": "5840398e-605b-4326-9184-74e0e7c2a081", + "vulnerabilityUuid": "1e59666d-13cd-442a-931b-ef58ac4effe9", + "vulnerabilitySource": "NVD", + "vulnerabilityVulnId": "CVE-2022-2048", + "vulnerabilityTitle": "", + "vulnerabilitySubtitle": "", + "vulnerabilityAliases": "[]", + "vulnerabilityCvssV2BaseScore": 5, + "vulnerabilityCvssV3BaseScore": 7.5, + "vulnerabilityOwaspLikelihoodScore": "", + "vulnerabilityOwaspTechnicalImpactScore": "", + "vulnerabilityOwaspBusinessImpactScore": "", + "vulnerabilitySeverityRank": 1, + "vulnerabilityEpssScore": 0.00148, + "vulnerabilityEpssPercentile": 0.50077, + "vulnerabilityCweId": "", + "vulnerabilityCweName": "", + "attributionAnalyzerIdentity": 
"OSSINDEX_ANALYZER", + "attributionAttributedOn": "2024-04-04 03:29:41.908", + "attributionAlternateIdentifier": "CVE-2022-2048", + "attributionReferenceUrl": "https://ossindex.sonatype.org/vulnerability/CVE-2022-2048?component-type=maven&component-name=org.eclipse.jetty.http2%2Fhttp2-server&utm_source=dependency-track&utm_medium=integration&utm_content=v4.10.1", + "analysisState": "", + "analysisIsSuppressed": "" + }, + "refs": [], + "source_location": {}, + "title": "pkg:maven/org.eclipse.jetty.http2/http2-server@9.4.18.v20190429?type=jar", + "id": "5840398e-605b-4326-9184-74e0e7c2a081:6127f236-909c-484e-a729-23e518f727f5:1e59666d-13cd-442a-931b-ef58ac4effe9", + "desc": "In Eclipse Jetty HTTP/2 server implementation, when encountering an invalid HTTP/2 request, the error handling has a bug that can wind up not properly cleaning up the active connections and associated resources. This can lead to a Denial of Service scenario where there are no enough resources left to process good requests.", + "descriptions": [ + { + "data": "In Eclipse Jetty HTTP/2 server implementation, when encountering an invalid HTTP/2 request, the error handling has a bug that can wind up not properly cleaning up the active connections and associated resources. 
This can lead to a Denial of Service scenario where there are no enough resources left to process good requests.", + "label": "check" + }, + { + "data": "", + "label": "fix" + } + ], + "impact": 0.7, + "code": "{\n \"component\": {\n \"latestVersion\": \"11.0.20\",\n \"name\": \"http2-server\",\n \"project\": \"5840398e-605b-4326-9184-74e0e7c2a081\",\n \"purl\": \"pkg:maven/org.eclipse.jetty.http2/http2-server@9.4.18.v20190429?type=jar\",\n \"uuid\": \"6127f236-909c-484e-a729-23e518f727f5\",\n \"version\": \"9.4.18.v20190429\",\n \"group\": \"org.eclipse.jetty.http2\"\n },\n \"attribution\": {\n \"alternateIdentifier\": \"CVE-2022-2048\",\n \"analyzerIdentity\": \"OSSINDEX_ANALYZER\",\n \"attributedOn\": \"2024-04-04 03:29:41.908\",\n \"referenceUrl\": \"https://ossindex.sonatype.org/vulnerability/CVE-2022-2048?component-type=maven&component-name=org.eclipse.jetty.http2%2Fhttp2-server&utm_source=dependency-track&utm_medium=integration&utm_content=v4.10.1\"\n },\n \"vulnerability\": {\n \"severity\": \"HIGH\",\n \"cvssV3BaseScore\": 7.5,\n \"severityRank\": 1,\n \"vulnId\": \"CVE-2022-2048\",\n \"aliases\": [],\n \"epssPercentile\": 0.50077,\n \"cvssV2BaseScore\": 5,\n \"description\": \"In Eclipse Jetty HTTP/2 server implementation, when encountering an invalid HTTP/2 request, the error handling has a bug that can wind up not properly cleaning up the active connections and associated resources. 
This can lead to a Denial of Service scenario where there are no enough resources left to process good requests.\",\n \"epssScore\": 0.00148,\n \"source\": \"NVD\",\n \"uuid\": \"1e59666d-13cd-442a-931b-ef58ac4effe9\"\n },\n \"analysis\": {\n \"isSuppressed\": false\n },\n \"matrix\": \"5840398e-605b-4326-9184-74e0e7c2a081:6127f236-909c-484e-a729-23e518f727f5:1e59666d-13cd-442a-931b-ef58ac4effe9\"\n}", + "results": [ + { + "status": "failed", + "code_desc": "", + "start_time": "2024-04-04T03:32:17Z" + } + ] + }, + { + "tags": { + "cweIds": [], + "cweNames": [], + "nist": [ + "SA-11", + "RA-5" + ], + "cci": [ + "CCI-003173", + "CCI-001643" + ], + "componentUuid": "fd87ac06-8d4b-4aae-86fd-fcb94fa24d6f", + "componentName": "http2-common", + "componentGroup": "org.eclipse.jetty.http2", + "componentVersion": "9.4.18.v20190429", + "componentLatestVersion": "11.0.20", + "componentPurl": "pkg:maven/org.eclipse.jetty.http2/http2-common@9.4.18.v20190429?type=jar", + "componentCpe": "", + "componentProject": "5840398e-605b-4326-9184-74e0e7c2a081", + "vulnerabilityUuid": "7a385896-242a-404e-86de-52c511dba9d3", + "vulnerabilitySource": "NVD", + "vulnerabilityVulnId": "CVE-2024-22201", + "vulnerabilityTitle": "", + "vulnerabilitySubtitle": "", + "vulnerabilityAliases": "[]", + "vulnerabilityCvssV2BaseScore": "", + "vulnerabilityCvssV3BaseScore": "", + "vulnerabilityOwaspLikelihoodScore": "", + "vulnerabilityOwaspTechnicalImpactScore": "", + "vulnerabilityOwaspBusinessImpactScore": "", + "vulnerabilitySeverityRank": 5, + "vulnerabilityEpssScore": 0.00045, + "vulnerabilityEpssPercentile": 0.13314, + "vulnerabilityCweId": "", + "vulnerabilityCweName": "", + "attributionAnalyzerIdentity": "OSSINDEX_ANALYZER", + "attributionAttributedOn": "2024-04-04 03:29:41.915", + "attributionAlternateIdentifier": "CVE-2024-22201", + "attributionReferenceUrl": 
"https://ossindex.sonatype.org/vulnerability/CVE-2024-22201?component-type=maven&component-name=org.eclipse.jetty.http2%2Fhttp2-common&utm_source=dependency-track&utm_medium=integration&utm_content=v4.10.1", + "analysisState": "", + "analysisIsSuppressed": "" + }, + "refs": [], + "source_location": {}, + "title": "pkg:maven/org.eclipse.jetty.http2/http2-common@9.4.18.v20190429?type=jar", + "id": "5840398e-605b-4326-9184-74e0e7c2a081:fd87ac06-8d4b-4aae-86fd-fcb94fa24d6f:7a385896-242a-404e-86de-52c511dba9d3", + "desc": "Jetty is a Java based web server and servlet engine. An HTTP/2 SSL connection that is established and TCP congested will be leaked when it times out. An attacker can cause many connections to end up in this state, and the server may run out of file descriptors, eventually causing the server to stop accepting new connections from valid clients. The vulnerability is patched in 9.4.54, 10.0.20, 11.0.20, and 12.0.6.\n\n", + "descriptions": [ + { + "data": "Jetty is a Java based web server and servlet engine. An HTTP/2 SSL connection that is established and TCP congested will be leaked when it times out. An attacker can cause many connections to end up in this state, and the server may run out of file descriptors, eventually causing the server to stop accepting new connections from valid clients. 
The vulnerability is patched in 9.4.54, 10.0.20, 11.0.20, and 12.0.6.\n\n", + "label": "check" + }, + { + "data": "", + "label": "fix" + } + ], + "impact": 0.5, + "code": "{\n \"component\": {\n \"latestVersion\": \"11.0.20\",\n \"name\": \"http2-common\",\n \"project\": \"5840398e-605b-4326-9184-74e0e7c2a081\",\n \"purl\": \"pkg:maven/org.eclipse.jetty.http2/http2-common@9.4.18.v20190429?type=jar\",\n \"uuid\": \"fd87ac06-8d4b-4aae-86fd-fcb94fa24d6f\",\n \"version\": \"9.4.18.v20190429\",\n \"group\": \"org.eclipse.jetty.http2\"\n },\n \"attribution\": {\n \"alternateIdentifier\": \"CVE-2024-22201\",\n \"analyzerIdentity\": \"OSSINDEX_ANALYZER\",\n \"attributedOn\": \"2024-04-04 03:29:41.915\",\n \"referenceUrl\": \"https://ossindex.sonatype.org/vulnerability/CVE-2024-22201?component-type=maven&component-name=org.eclipse.jetty.http2%2Fhttp2-common&utm_source=dependency-track&utm_medium=integration&utm_content=v4.10.1\"\n },\n \"vulnerability\": {\n \"severity\": \"UNASSIGNED\",\n \"severityRank\": 5,\n \"vulnId\": \"CVE-2024-22201\",\n \"aliases\": [],\n \"epssPercentile\": 0.13314,\n \"description\": \"Jetty is a Java based web server and servlet engine. An HTTP/2 SSL connection that is established and TCP congested will be leaked when it times out. An attacker can cause many connections to end up in this state, and the server may run out of file descriptors, eventually causing the server to stop accepting new connections from valid clients. 
The vulnerability is patched in 9.4.54, 10.0.20, 11.0.20, and 12.0.6.\\n\\n\",\n \"epssScore\": 0.00045,\n \"source\": \"NVD\",\n \"uuid\": \"7a385896-242a-404e-86de-52c511dba9d3\"\n },\n \"analysis\": {\n \"isSuppressed\": false\n },\n \"matrix\": \"5840398e-605b-4326-9184-74e0e7c2a081:fd87ac06-8d4b-4aae-86fd-fcb94fa24d6f:7a385896-242a-404e-86de-52c511dba9d3\"\n}", + "results": [ + { + "status": "failed", + "code_desc": "", + "start_time": "2024-04-04T03:32:17Z" + } + ] + }, + { + "tags": { + "cweIds": [ + 400 + ], + "cweNames": [ + "Uncontrolled Resource Consumption" + ], + "nist": [ + "SI-10" + ], + "cci": [ + "CCI-001310" + ], + "componentUuid": "fd87ac06-8d4b-4aae-86fd-fcb94fa24d6f", + "componentName": "http2-common", + "componentGroup": "org.eclipse.jetty.http2", + "componentVersion": "9.4.18.v20190429", + "componentLatestVersion": "11.0.20", + "componentPurl": "pkg:maven/org.eclipse.jetty.http2/http2-common@9.4.18.v20190429?type=jar", + "componentCpe": "", + "componentProject": "5840398e-605b-4326-9184-74e0e7c2a081", + "vulnerabilityUuid": "6be8f767-ea9c-4360-8b50-9c0bd0e53291", + "vulnerabilitySource": "NVD", + "vulnerabilityVulnId": "CVE-2023-44487", + "vulnerabilityTitle": "", + "vulnerabilitySubtitle": "", + "vulnerabilityAliases": "[]", + "vulnerabilityCvssV2BaseScore": "", + "vulnerabilityCvssV3BaseScore": 7.5, + "vulnerabilityOwaspLikelihoodScore": "", + "vulnerabilityOwaspTechnicalImpactScore": "", + "vulnerabilityOwaspBusinessImpactScore": "", + "vulnerabilitySeverityRank": 1, + "vulnerabilityEpssScore": 0.70585, + "vulnerabilityEpssPercentile": 0.97964, + "vulnerabilityCweId": 400, + "vulnerabilityCweName": "Uncontrolled Resource Consumption", + "attributionAnalyzerIdentity": "OSSINDEX_ANALYZER", + "attributionAttributedOn": "2024-04-04 03:29:41.921", + "attributionAlternateIdentifier": "CVE-2023-44487", + "attributionReferenceUrl": 
"https://ossindex.sonatype.org/vulnerability/CVE-2023-44487?component-type=maven&component-name=org.eclipse.jetty.http2%2Fhttp2-common&utm_source=dependency-track&utm_medium=integration&utm_content=v4.10.1", + "analysisState": "", + "analysisIsSuppressed": "" + }, + "refs": [], + "source_location": {}, + "title": "pkg:maven/org.eclipse.jetty.http2/http2-common@9.4.18.v20190429?type=jar", + "id": "5840398e-605b-4326-9184-74e0e7c2a081:fd87ac06-8d4b-4aae-86fd-fcb94fa24d6f:6be8f767-ea9c-4360-8b50-9c0bd0e53291", + "desc": "The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.", + "descriptions": [ + { + "data": "The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.", + "label": "check" + }, + { + "data": "", + "label": "fix" + } + ], + "impact": 0.7, + "code": "{\n \"component\": {\n \"latestVersion\": \"11.0.20\",\n \"name\": \"http2-common\",\n \"project\": \"5840398e-605b-4326-9184-74e0e7c2a081\",\n \"purl\": \"pkg:maven/org.eclipse.jetty.http2/http2-common@9.4.18.v20190429?type=jar\",\n \"uuid\": \"fd87ac06-8d4b-4aae-86fd-fcb94fa24d6f\",\n \"version\": \"9.4.18.v20190429\",\n \"group\": \"org.eclipse.jetty.http2\"\n },\n \"attribution\": {\n \"alternateIdentifier\": \"CVE-2023-44487\",\n \"analyzerIdentity\": \"OSSINDEX_ANALYZER\",\n \"attributedOn\": \"2024-04-04 03:29:41.921\",\n \"referenceUrl\": \"https://ossindex.sonatype.org/vulnerability/CVE-2023-44487?component-type=maven&component-name=org.eclipse.jetty.http2%2Fhttp2-common&utm_source=dependency-track&utm_medium=integration&utm_content=v4.10.1\"\n },\n \"vulnerability\": {\n \"severity\": \"HIGH\",\n \"cvssV3BaseScore\": 7.5,\n \"vulnId\": \"CVE-2023-44487\",\n \"aliases\": [],\n \"cweId\": 400,\n \"description\": \"The HTTP/2 
protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.\",\n \"epssScore\": 0.70585,\n \"source\": \"NVD\",\n \"cwes\": [\n {\n \"cweId\": 400,\n \"name\": \"Uncontrolled Resource Consumption\",\n \"id\": 0\n }\n ],\n \"uuid\": \"6be8f767-ea9c-4360-8b50-9c0bd0e53291\",\n \"severityRank\": 1,\n \"cweName\": \"Uncontrolled Resource Consumption\",\n \"epssPercentile\": 0.97964\n },\n \"analysis\": {\n \"isSuppressed\": false\n },\n \"matrix\": \"5840398e-605b-4326-9184-74e0e7c2a081:fd87ac06-8d4b-4aae-86fd-fcb94fa24d6f:6be8f767-ea9c-4360-8b50-9c0bd0e53291\"\n}", + "results": [ + { + "status": "failed", + "code_desc": "", + "start_time": "2024-04-04T03:32:17Z" + } + ] + }, + { + "tags": { + "cweIds": [ + 190, + 400 + ], + "cweNames": [ + "Integer Overflow or Wraparound", + "Uncontrolled Resource Consumption" + ], + "nist": [ + "SI-10" + ], + "cci": [ + "CCI-001310" + ], + "componentUuid": "c682c202-46f5-46c3-b640-94c7339a83cb", + "componentName": "http2-hpack", + "componentGroup": "org.eclipse.jetty.http2", + "componentVersion": "9.4.18.v20190429", + "componentLatestVersion": "11.0.20", + "componentPurl": "pkg:maven/org.eclipse.jetty.http2/http2-hpack@9.4.18.v20190429?type=jar", + "componentCpe": "", + "componentProject": "5840398e-605b-4326-9184-74e0e7c2a081", + "vulnerabilityUuid": "29a3411c-9db4-4246-8aa4-6926c518e7b8", + "vulnerabilitySource": "NVD", + "vulnerabilityVulnId": "CVE-2023-36478", + "vulnerabilityTitle": "", + "vulnerabilitySubtitle": "", + "vulnerabilityAliases": "[]", + "vulnerabilityCvssV2BaseScore": "", + "vulnerabilityCvssV3BaseScore": 7.5, + "vulnerabilityOwaspLikelihoodScore": "", + "vulnerabilityOwaspTechnicalImpactScore": "", + "vulnerabilityOwaspBusinessImpactScore": "", + "vulnerabilitySeverityRank": 1, + "vulnerabilityEpssScore": 0.00249, + "vulnerabilityEpssPercentile": 0.64302, + "vulnerabilityCweId": 190, + 
"vulnerabilityCweName": "Integer Overflow or Wraparound", + "attributionAnalyzerIdentity": "OSSINDEX_ANALYZER", + "attributionAttributedOn": "2024-04-04 03:29:41.925", + "attributionAlternateIdentifier": "CVE-2023-36478", + "attributionReferenceUrl": "https://ossindex.sonatype.org/vulnerability/CVE-2023-36478?component-type=maven&component-name=org.eclipse.jetty.http2%2Fhttp2-hpack&utm_source=dependency-track&utm_medium=integration&utm_content=v4.10.1", + "analysisState": "", + "analysisIsSuppressed": "" + }, + "refs": [], + "source_location": {}, + "title": "pkg:maven/org.eclipse.jetty.http2/http2-hpack@9.4.18.v20190429?type=jar", + "id": "5840398e-605b-4326-9184-74e0e7c2a081:c682c202-46f5-46c3-b640-94c7339a83cb:29a3411c-9db4-4246-8aa4-6926c518e7b8", + "desc": "Eclipse Jetty provides a web server and servlet container. In versions 11.0.0 through 11.0.15, 10.0.0 through 10.0.15, and 9.0.0 through 9.4.52, an integer overflow in `MetaDataBuilder.checkSize` allows for HTTP/2 HPACK header values to\nexceed their size limit. `MetaDataBuilder.java` determines if a header name or value exceeds the size limit, and throws an exception if the limit is exceeded. However, when length is very large and huffman is true, the multiplication by 4 in line 295\nwill overflow, and length will become negative. `(_size+length)` will now be negative, and the check on line 296 will not be triggered. Furthermore, `MetaDataBuilder.checkSize` allows for user-entered HPACK header value sizes to be negative, potentially leading to a very large buffer allocation later on when the user-entered size is multiplied by 2. This means that if a user provides a negative length value (or, more precisely, a length value which, when multiplied by the 4/3 fudge factor, is negative), and this length value is a very large positive number when multiplied by 2, then the user can cause a very large buffer to be allocated on the server. Users of HTTP/2 can be impacted by a remote denial of service attack. 
The issue has been fixed in versions 11.0.16, 10.0.16, and 9.4.53. There are no known workarounds.", + "descriptions": [ + { + "data": "Eclipse Jetty provides a web server and servlet container. In versions 11.0.0 through 11.0.15, 10.0.0 through 10.0.15, and 9.0.0 through 9.4.52, an integer overflow in `MetaDataBuilder.checkSize` allows for HTTP/2 HPACK header values to\nexceed their size limit. `MetaDataBuilder.java` determines if a header name or value exceeds the size limit, and throws an exception if the limit is exceeded. However, when length is very large and huffman is true, the multiplication by 4 in line 295\nwill overflow, and length will become negative. `(_size+length)` will now be negative, and the check on line 296 will not be triggered. Furthermore, `MetaDataBuilder.checkSize` allows for user-entered HPACK header value sizes to be negative, potentially leading to a very large buffer allocation later on when the user-entered size is multiplied by 2. This means that if a user provides a negative length value (or, more precisely, a length value which, when multiplied by the 4/3 fudge factor, is negative), and this length value is a very large positive number when multiplied by 2, then the user can cause a very large buffer to be allocated on the server. Users of HTTP/2 can be impacted by a remote denial of service attack. The issue has been fixed in versions 11.0.16, 10.0.16, and 9.4.53. 
There are no known workarounds.", + "label": "check" + }, + { + "data": "", + "label": "fix" + } + ], + "impact": 0.7, + "code": "{\n \"component\": {\n \"latestVersion\": \"11.0.20\",\n \"name\": \"http2-hpack\",\n \"project\": \"5840398e-605b-4326-9184-74e0e7c2a081\",\n \"purl\": \"pkg:maven/org.eclipse.jetty.http2/http2-hpack@9.4.18.v20190429?type=jar\",\n \"uuid\": \"c682c202-46f5-46c3-b640-94c7339a83cb\",\n \"version\": \"9.4.18.v20190429\",\n \"group\": \"org.eclipse.jetty.http2\"\n },\n \"attribution\": {\n \"alternateIdentifier\": \"CVE-2023-36478\",\n \"analyzerIdentity\": \"OSSINDEX_ANALYZER\",\n \"attributedOn\": \"2024-04-04 03:29:41.925\",\n \"referenceUrl\": \"https://ossindex.sonatype.org/vulnerability/CVE-2023-36478?component-type=maven&component-name=org.eclipse.jetty.http2%2Fhttp2-hpack&utm_source=dependency-track&utm_medium=integration&utm_content=v4.10.1\"\n },\n \"vulnerability\": {\n \"severity\": \"HIGH\",\n \"cvssV3BaseScore\": 7.5,\n \"vulnId\": \"CVE-2023-36478\",\n \"aliases\": [],\n \"cweId\": 190,\n \"description\": \"Eclipse Jetty provides a web server and servlet container. In versions 11.0.0 through 11.0.15, 10.0.0 through 10.0.15, and 9.0.0 through 9.4.52, an integer overflow in `MetaDataBuilder.checkSize` allows for HTTP/2 HPACK header values to\\nexceed their size limit. `MetaDataBuilder.java` determines if a header name or value exceeds the size limit, and throws an exception if the limit is exceeded. However, when length is very large and huffman is true, the multiplication by 4 in line 295\\nwill overflow, and length will become negative. `(_size+length)` will now be negative, and the check on line 296 will not be triggered. Furthermore, `MetaDataBuilder.checkSize` allows for user-entered HPACK header value sizes to be negative, potentially leading to a very large buffer allocation later on when the user-entered size is multiplied by 2. 
This means that if a user provides a negative length value (or, more precisely, a length value which, when multiplied by the 4/3 fudge factor, is negative), and this length value is a very large positive number when multiplied by 2, then the user can cause a very large buffer to be allocated on the server. Users of HTTP/2 can be impacted by a remote denial of service attack. The issue has been fixed in versions 11.0.16, 10.0.16, and 9.4.53. There are no known workarounds.\",\n \"epssScore\": 0.00249,\n \"source\": \"NVD\",\n \"cwes\": [\n {\n \"cweId\": 190,\n \"name\": \"Integer Overflow or Wraparound\",\n \"id\": 0\n },\n {\n \"cweId\": 400,\n \"name\": \"Uncontrolled Resource Consumption\",\n \"id\": 0\n }\n ],\n \"uuid\": \"29a3411c-9db4-4246-8aa4-6926c518e7b8\",\n \"severityRank\": 1,\n \"cweName\": \"Integer Overflow or Wraparound\",\n \"epssPercentile\": 0.64302\n },\n \"analysis\": {\n \"isSuppressed\": false\n },\n \"matrix\": \"5840398e-605b-4326-9184-74e0e7c2a081:c682c202-46f5-46c3-b640-94c7339a83cb:29a3411c-9db4-4246-8aa4-6926c518e7b8\"\n}", + "results": [ + { + "status": "failed", + "code_desc": "", + "start_time": "2024-04-04T03:32:17Z" + } + ] + }, + { + "tags": { + "cweIds": [ + 295 + ], + "cweNames": [ + "Improper Certificate Validation" + ], + "nist": [ + "SA-11", + "RA-5" + ], + "cci": [ + "CCI-003173", + "CCI-001643" + ], + "componentUuid": "935e5762-3d18-4d69-bd50-2c306f6bfeba", + "componentName": "amqp-client", + "componentGroup": "com.rabbitmq", + "componentVersion": "4.4.1", + "componentLatestVersion": "5.20.0", + "componentPurl": "pkg:maven/com.rabbitmq/amqp-client@4.4.1?type=jar", + "componentCpe": "", + "componentProject": "5840398e-605b-4326-9184-74e0e7c2a081", + "vulnerabilityUuid": "9cdbf741-6dc8-40c4-9c0e-368d0cb90e20", + "vulnerabilitySource": "NVD", + "vulnerabilityVulnId": "CVE-2018-11087", + "vulnerabilityTitle": "", + "vulnerabilitySubtitle": "", + "vulnerabilityAliases": "[]", + "vulnerabilityCvssV2BaseScore": 4.3, + 
"vulnerabilityCvssV3BaseScore": 5.9, + "vulnerabilityOwaspLikelihoodScore": "", + "vulnerabilityOwaspTechnicalImpactScore": "", + "vulnerabilityOwaspBusinessImpactScore": "", + "vulnerabilitySeverityRank": 2, + "vulnerabilityEpssScore": 0.00128, + "vulnerabilityEpssPercentile": 0.46815, + "vulnerabilityCweId": 295, + "vulnerabilityCweName": "Improper Certificate Validation", + "attributionAnalyzerIdentity": "OSSINDEX_ANALYZER", + "attributionAttributedOn": "2024-04-04 03:29:41.936", + "attributionAlternateIdentifier": "CVE-2018-11087", + "attributionReferenceUrl": "https://ossindex.sonatype.org/vulnerability/CVE-2018-11087?component-type=maven&component-name=com.rabbitmq%2Famqp-client&utm_source=dependency-track&utm_medium=integration&utm_content=v4.10.1", + "analysisState": "", + "analysisIsSuppressed": "" + }, + "refs": [], + "source_location": {}, + "title": "pkg:maven/com.rabbitmq/amqp-client@4.4.1?type=jar", + "id": "5840398e-605b-4326-9184-74e0e7c2a081:935e5762-3d18-4d69-bd50-2c306f6bfeba:9cdbf741-6dc8-40c4-9c0e-368d0cb90e20", + "desc": "Pivotal Spring AMQP, 1.x versions prior to 1.7.10 and 2.x versions prior to 2.0.6, expose a man-in-the-middle vulnerability due to lack of hostname validation. A malicious user that has the ability to intercept traffic would be able to view data in transit.", + "descriptions": [ + { + "data": "Pivotal Spring AMQP, 1.x versions prior to 1.7.10 and 2.x versions prior to 2.0.6, expose a man-in-the-middle vulnerability due to lack of hostname validation. 
A malicious user that has the ability to intercept traffic would be able to view data in transit.", + "label": "check" + }, + { + "data": "", + "label": "fix" + } + ], + "impact": 0.5, + "code": "{\n \"component\": {\n \"latestVersion\": \"5.20.0\",\n \"name\": \"amqp-client\",\n \"project\": \"5840398e-605b-4326-9184-74e0e7c2a081\",\n \"purl\": \"pkg:maven/com.rabbitmq/amqp-client@4.4.1?type=jar\",\n \"uuid\": \"935e5762-3d18-4d69-bd50-2c306f6bfeba\",\n \"version\": \"4.4.1\",\n \"group\": \"com.rabbitmq\"\n },\n \"attribution\": {\n \"alternateIdentifier\": \"CVE-2018-11087\",\n \"analyzerIdentity\": \"OSSINDEX_ANALYZER\",\n \"attributedOn\": \"2024-04-04 03:29:41.936\",\n \"referenceUrl\": \"https://ossindex.sonatype.org/vulnerability/CVE-2018-11087?component-type=maven&component-name=com.rabbitmq%2Famqp-client&utm_source=dependency-track&utm_medium=integration&utm_content=v4.10.1\"\n },\n \"vulnerability\": {\n \"severity\": \"MEDIUM\",\n \"cvssV3BaseScore\": 5.9,\n \"vulnId\": \"CVE-2018-11087\",\n \"aliases\": [],\n \"cweId\": 295,\n \"description\": \"Pivotal Spring AMQP, 1.x versions prior to 1.7.10 and 2.x versions prior to 2.0.6, expose a man-in-the-middle vulnerability due to lack of hostname validation. 
A malicious user that has the ability to intercept traffic would be able to view data in transit.\",\n \"epssScore\": 0.00128,\n \"source\": \"NVD\",\n \"cwes\": [\n {\n \"cweId\": 295,\n \"name\": \"Improper Certificate Validation\",\n \"id\": 0\n }\n ],\n \"uuid\": \"9cdbf741-6dc8-40c4-9c0e-368d0cb90e20\",\n \"severityRank\": 2,\n \"cweName\": \"Improper Certificate Validation\",\n \"epssPercentile\": 0.46815,\n \"cvssV2BaseScore\": 4.3\n },\n \"analysis\": {\n \"isSuppressed\": false\n },\n \"matrix\": \"5840398e-605b-4326-9184-74e0e7c2a081:935e5762-3d18-4d69-bd50-2c306f6bfeba:9cdbf741-6dc8-40c4-9c0e-368d0cb90e20\"\n}", + "results": [ + { + "status": "failed", + "code_desc": "", + "start_time": "2024-04-04T03:32:17Z" + } + ] + }, + { + "tags": { + "cweIds": [ + 400 + ], + "cweNames": [ + "Uncontrolled Resource Consumption" + ], + "nist": [ + "SI-10" + ], + "cci": [ + "CCI-001310" + ], + "componentUuid": "935e5762-3d18-4d69-bd50-2c306f6bfeba", + "componentName": "amqp-client", + "componentGroup": "com.rabbitmq", + "componentVersion": "4.4.1", + "componentLatestVersion": "5.20.0", + "componentPurl": "pkg:maven/com.rabbitmq/amqp-client@4.4.1?type=jar", + "componentCpe": "", + "componentProject": "5840398e-605b-4326-9184-74e0e7c2a081", + "vulnerabilityUuid": "acfb6a38-4676-4618-a04b-1b544d2da97f", + "vulnerabilitySource": "NVD", + "vulnerabilityVulnId": "CVE-2023-46120", + "vulnerabilityTitle": "", + "vulnerabilitySubtitle": "", + "vulnerabilityAliases": "[]", + "vulnerabilityCvssV2BaseScore": "", + "vulnerabilityCvssV3BaseScore": 7.5, + "vulnerabilityOwaspLikelihoodScore": "", + "vulnerabilityOwaspTechnicalImpactScore": "", + "vulnerabilityOwaspBusinessImpactScore": "", + "vulnerabilitySeverityRank": 1, + "vulnerabilityEpssScore": 0.00208, + "vulnerabilityEpssPercentile": 0.58127, + "vulnerabilityCweId": 400, + "vulnerabilityCweName": "Uncontrolled Resource Consumption", + "attributionAnalyzerIdentity": "OSSINDEX_ANALYZER", + "attributionAttributedOn": "2024-04-04 
03:29:41.942", + "attributionAlternateIdentifier": "CVE-2023-46120", + "attributionReferenceUrl": "https://ossindex.sonatype.org/vulnerability/CVE-2023-46120?component-type=maven&component-name=com.rabbitmq%2Famqp-client&utm_source=dependency-track&utm_medium=integration&utm_content=v4.10.1", + "analysisState": "", + "analysisIsSuppressed": "" + }, + "refs": [], + "source_location": {}, + "title": "pkg:maven/com.rabbitmq/amqp-client@4.4.1?type=jar", + "id": "5840398e-605b-4326-9184-74e0e7c2a081:935e5762-3d18-4d69-bd50-2c306f6bfeba:acfb6a38-4676-4618-a04b-1b544d2da97f", + "desc": "The RabbitMQ Java client library allows Java and JVM-based applications to connect to and interact with RabbitMQ nodes. `maxBodyLebgth` was not used when receiving Message objects. Attackers could send a very large Message causing a memory overflow and triggering an OOM Error. Users of RabbitMQ may suffer from DoS attacks from RabbitMQ Java client which will ultimately exhaust the memory of the consumer. This vulnerability was patched in version 5.18.0.", + "descriptions": [ + { + "data": "The RabbitMQ Java client library allows Java and JVM-based applications to connect to and interact with RabbitMQ nodes. `maxBodyLebgth` was not used when receiving Message objects. Attackers could send a very large Message causing a memory overflow and triggering an OOM Error. Users of RabbitMQ may suffer from DoS attacks from RabbitMQ Java client which will ultimately exhaust the memory of the consumer. 
This vulnerability was patched in version 5.18.0.", + "label": "check" + }, + { + "data": "", + "label": "fix" + } + ], + "impact": 0.7, + "code": "{\n \"component\": {\n \"latestVersion\": \"5.20.0\",\n \"name\": \"amqp-client\",\n \"project\": \"5840398e-605b-4326-9184-74e0e7c2a081\",\n \"purl\": \"pkg:maven/com.rabbitmq/amqp-client@4.4.1?type=jar\",\n \"uuid\": \"935e5762-3d18-4d69-bd50-2c306f6bfeba\",\n \"version\": \"4.4.1\",\n \"group\": \"com.rabbitmq\"\n },\n \"attribution\": {\n \"alternateIdentifier\": \"CVE-2023-46120\",\n \"analyzerIdentity\": \"OSSINDEX_ANALYZER\",\n \"attributedOn\": \"2024-04-04 03:29:41.942\",\n \"referenceUrl\": \"https://ossindex.sonatype.org/vulnerability/CVE-2023-46120?component-type=maven&component-name=com.rabbitmq%2Famqp-client&utm_source=dependency-track&utm_medium=integration&utm_content=v4.10.1\"\n },\n \"vulnerability\": {\n \"severity\": \"HIGH\",\n \"cvssV3BaseScore\": 7.5,\n \"vulnId\": \"CVE-2023-46120\",\n \"aliases\": [],\n \"cweId\": 400,\n \"description\": \"The RabbitMQ Java client library allows Java and JVM-based applications to connect to and interact with RabbitMQ nodes. `maxBodyLebgth` was not used when receiving Message objects. Attackers could send a very large Message causing a memory overflow and triggering an OOM Error. Users of RabbitMQ may suffer from DoS attacks from RabbitMQ Java client which will ultimately exhaust the memory of the consumer. 
This vulnerability was patched in version 5.18.0.\",\n \"epssScore\": 0.00208,\n \"source\": \"NVD\",\n \"cwes\": [\n {\n \"cweId\": 400,\n \"name\": \"Uncontrolled Resource Consumption\",\n \"id\": 0\n }\n ],\n \"uuid\": \"acfb6a38-4676-4618-a04b-1b544d2da97f\",\n \"severityRank\": 1,\n \"cweName\": \"Uncontrolled Resource Consumption\",\n \"epssPercentile\": 0.58127\n },\n \"analysis\": {\n \"isSuppressed\": false\n },\n \"matrix\": \"5840398e-605b-4326-9184-74e0e7c2a081:935e5762-3d18-4d69-bd50-2c306f6bfeba:acfb6a38-4676-4618-a04b-1b544d2da97f\"\n}", + "results": [ + { + "status": "failed", + "code_desc": "", + "start_time": "2024-04-04T03:32:17Z" + } + ] + }, + { + "tags": { + "cweIds": [ + 502 + ], + "cweNames": [ + "Deserialization of Untrusted Data" + ], + "nist": [ + "SI-10" + ], + "cci": [ + "CCI-001310" + ], + "componentUuid": "c846ae6f-ffbd-4624-8285-a96b898cc3e0", + "componentName": "h2", + "componentGroup": "com.h2database", + "componentVersion": "1.4.197", + "componentLatestVersion": "2.2.224", + "componentPurl": "pkg:maven/com.h2database/h2@1.4.197?type=jar", + "componentCpe": "", + "componentProject": "5840398e-605b-4326-9184-74e0e7c2a081", + "vulnerabilityUuid": "52af1744-fdc6-4bfc-a3e2-7dfbb491a39b", + "vulnerabilitySource": "NVD", + "vulnerabilityVulnId": "CVE-2021-42392", + "vulnerabilityTitle": "", + "vulnerabilitySubtitle": "", + "vulnerabilityAliases": "[]", + "vulnerabilityCvssV2BaseScore": 10, + "vulnerabilityCvssV3BaseScore": 9.8, + "vulnerabilityOwaspLikelihoodScore": "", + "vulnerabilityOwaspTechnicalImpactScore": "", + "vulnerabilityOwaspBusinessImpactScore": "", + "vulnerabilitySeverityRank": "", + "vulnerabilityEpssScore": 0.5181, + "vulnerabilityEpssPercentile": 0.97514, + "vulnerabilityCweId": 502, + "vulnerabilityCweName": "Deserialization of Untrusted Data", + "attributionAnalyzerIdentity": "OSSINDEX_ANALYZER", + "attributionAttributedOn": "2024-04-04 03:29:41.952", + "attributionAlternateIdentifier": "CVE-2021-42392", + 
"attributionReferenceUrl": "https://ossindex.sonatype.org/vulnerability/CVE-2021-42392?component-type=maven&component-name=com.h2database%2Fh2&utm_source=dependency-track&utm_medium=integration&utm_content=v4.10.1", + "analysisState": "", + "analysisIsSuppressed": "" + }, + "refs": [], + "source_location": {}, + "title": "pkg:maven/com.h2database/h2@1.4.197?type=jar", + "id": "5840398e-605b-4326-9184-74e0e7c2a081:c846ae6f-ffbd-4624-8285-a96b898cc3e0:52af1744-fdc6-4bfc-a3e2-7dfbb491a39b", + "desc": "The org.h2.util.JdbcUtils.getConnection method of the H2 database takes as parameters the class name of the driver and URL of the database. An attacker may pass a JNDI driver name and a URL leading to a LDAP or RMI servers, causing remote code execution. This can be exploited through various attack vectors, most notably through the H2 Console which leads to unauthenticated remote code execution.", + "descriptions": [ + { + "data": "The org.h2.util.JdbcUtils.getConnection method of the H2 database takes as parameters the class name of the driver and URL of the database. An attacker may pass a JNDI driver name and a URL leading to a LDAP or RMI servers, causing remote code execution. 
This can be exploited through various attack vectors, most notably through the H2 Console which leads to unauthenticated remote code execution.", + "label": "check" + }, + { + "data": "", + "label": "fix" + } + ], + "impact": 0.9, + "code": "{\n \"component\": {\n \"latestVersion\": \"2.2.224\",\n \"name\": \"h2\",\n \"project\": \"5840398e-605b-4326-9184-74e0e7c2a081\",\n \"purl\": \"pkg:maven/com.h2database/h2@1.4.197?type=jar\",\n \"uuid\": \"c846ae6f-ffbd-4624-8285-a96b898cc3e0\",\n \"version\": \"1.4.197\",\n \"group\": \"com.h2database\"\n },\n \"attribution\": {\n \"alternateIdentifier\": \"CVE-2021-42392\",\n \"analyzerIdentity\": \"OSSINDEX_ANALYZER\",\n \"attributedOn\": \"2024-04-04 03:29:41.952\",\n \"referenceUrl\": \"https://ossindex.sonatype.org/vulnerability/CVE-2021-42392?component-type=maven&component-name=com.h2database%2Fh2&utm_source=dependency-track&utm_medium=integration&utm_content=v4.10.1\"\n },\n \"vulnerability\": {\n \"severity\": \"CRITICAL\",\n \"cvssV3BaseScore\": 9.8,\n \"vulnId\": \"CVE-2021-42392\",\n \"aliases\": [],\n \"cweId\": 502,\n \"description\": \"The org.h2.util.JdbcUtils.getConnection method of the H2 database takes as parameters the class name of the driver and URL of the database. An attacker may pass a JNDI driver name and a URL leading to a LDAP or RMI servers, causing remote code execution. 
This can be exploited through various attack vectors, most notably through the H2 Console which leads to unauthenticated remote code execution.\",\n \"epssScore\": 0.5181,\n \"source\": \"NVD\",\n \"cwes\": [\n {\n \"cweId\": 502,\n \"name\": \"Deserialization of Untrusted Data\",\n \"id\": 0\n }\n ],\n \"uuid\": \"52af1744-fdc6-4bfc-a3e2-7dfbb491a39b\",\n \"severityRank\": 0,\n \"cweName\": \"Deserialization of Untrusted Data\",\n \"epssPercentile\": 0.97514,\n \"cvssV2BaseScore\": 10\n },\n \"analysis\": {\n \"isSuppressed\": false\n },\n \"matrix\": \"5840398e-605b-4326-9184-74e0e7c2a081:c846ae6f-ffbd-4624-8285-a96b898cc3e0:52af1744-fdc6-4bfc-a3e2-7dfbb491a39b\"\n}", + "results": [ + { + "status": "failed", + "code_desc": "", + "start_time": "2024-04-04T03:32:17Z" + } + ] + }, + { + "tags": { + "cweIds": [ + 88 + ], + "cweNames": [ + "Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')" + ], + "nist": [ + "SA-11", + "RA-5" + ], + "cci": [ + "CCI-003173", + "CCI-001643" + ], + "componentUuid": "c846ae6f-ffbd-4624-8285-a96b898cc3e0", + "componentName": "h2", + "componentGroup": "com.h2database", + "componentVersion": "1.4.197", + "componentLatestVersion": "2.2.224", + "componentPurl": "pkg:maven/com.h2database/h2@1.4.197?type=jar", + "componentCpe": "", + "componentProject": "5840398e-605b-4326-9184-74e0e7c2a081", + "vulnerabilityUuid": "043f6051-9c33-4b4e-8623-f27c794ea4eb", + "vulnerabilitySource": "NVD", + "vulnerabilityVulnId": "CVE-2022-23221", + "vulnerabilityTitle": "", + "vulnerabilitySubtitle": "", + "vulnerabilityAliases": "[]", + "vulnerabilityCvssV2BaseScore": 10, + "vulnerabilityCvssV3BaseScore": 9.8, + "vulnerabilityOwaspLikelihoodScore": "", + "vulnerabilityOwaspTechnicalImpactScore": "", + "vulnerabilityOwaspBusinessImpactScore": "", + "vulnerabilitySeverityRank": "", + "vulnerabilityEpssScore": "", + "vulnerabilityEpssPercentile": "", + "vulnerabilityCweId": 88, + "vulnerabilityCweName": "Improper Neutralization of 
Argument Delimiters in a Command ('Argument Injection')", + "attributionAnalyzerIdentity": "OSSINDEX_ANALYZER", + "attributionAttributedOn": "2024-04-04 03:29:41.957", + "attributionAlternateIdentifier": "CVE-2022-23221", + "attributionReferenceUrl": "https://ossindex.sonatype.org/vulnerability/CVE-2022-23221?component-type=maven&component-name=com.h2database%2Fh2&utm_source=dependency-track&utm_medium=integration&utm_content=v4.10.1", + "analysisState": "", + "analysisIsSuppressed": "" + }, + "refs": [], + "source_location": {}, + "title": "pkg:maven/com.h2database/h2@1.4.197?type=jar", + "id": "5840398e-605b-4326-9184-74e0e7c2a081:c846ae6f-ffbd-4624-8285-a96b898cc3e0:043f6051-9c33-4b4e-8623-f27c794ea4eb", + "desc": "H2 Console before 2.1.210 allows remote attackers to execute arbitrary code via a jdbc:h2:mem JDBC URL containing the IGNORE_UNKNOWN_SETTINGS=TRUE;FORBID_CREATION=FALSE;INIT=RUNSCRIPT substring, a different vulnerability than CVE-2021-42392.", + "descriptions": [ + { + "data": "H2 Console before 2.1.210 allows remote attackers to execute arbitrary code via a jdbc:h2:mem JDBC URL containing the IGNORE_UNKNOWN_SETTINGS=TRUE;FORBID_CREATION=FALSE;INIT=RUNSCRIPT substring, a different vulnerability than CVE-2021-42392.", + "label": "check" + }, + { + "data": "", + "label": "fix" + } + ], + "impact": 0.9, + "code": "{\n \"component\": {\n \"latestVersion\": \"2.2.224\",\n \"name\": \"h2\",\n \"project\": \"5840398e-605b-4326-9184-74e0e7c2a081\",\n \"purl\": \"pkg:maven/com.h2database/h2@1.4.197?type=jar\",\n \"uuid\": \"c846ae6f-ffbd-4624-8285-a96b898cc3e0\",\n \"version\": \"1.4.197\",\n \"group\": \"com.h2database\"\n },\n \"attribution\": {\n \"alternateIdentifier\": \"CVE-2022-23221\",\n \"analyzerIdentity\": \"OSSINDEX_ANALYZER\",\n \"attributedOn\": \"2024-04-04 03:29:41.957\",\n \"referenceUrl\": 
\"https://ossindex.sonatype.org/vulnerability/CVE-2022-23221?component-type=maven&component-name=com.h2database%2Fh2&utm_source=dependency-track&utm_medium=integration&utm_content=v4.10.1\"\n },\n \"vulnerability\": {\n \"severity\": \"CRITICAL\",\n \"cvssV3BaseScore\": 9.8,\n \"severityRank\": 0,\n \"cweName\": \"Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')\",\n \"vulnId\": \"CVE-2022-23221\",\n \"aliases\": [],\n \"cvssV2BaseScore\": 10,\n \"cweId\": 88,\n \"description\": \"H2 Console before 2.1.210 allows remote attackers to execute arbitrary code via a jdbc:h2:mem JDBC URL containing the IGNORE_UNKNOWN_SETTINGS=TRUE;FORBID_CREATION=FALSE;INIT=RUNSCRIPT substring, a different vulnerability than CVE-2021-42392.\",\n \"source\": \"NVD\",\n \"cwes\": [\n {\n \"cweId\": 88,\n \"name\": \"Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')\",\n \"id\": 0\n }\n ],\n \"uuid\": \"043f6051-9c33-4b4e-8623-f27c794ea4eb\"\n },\n \"analysis\": {\n \"isSuppressed\": false\n },\n \"matrix\": \"5840398e-605b-4326-9184-74e0e7c2a081:c846ae6f-ffbd-4624-8285-a96b898cc3e0:043f6051-9c33-4b4e-8623-f27c794ea4eb\"\n}", + "results": [ + { + "status": "failed", + "code_desc": "", + "start_time": "2024-04-04T03:32:17Z" + } + ] + }, + { + "tags": { + "cweIds": [ + 59 + ], + "cweNames": [ + "Improper Link Resolution Before File Access ('Link Following')" + ], + "nist": [ + "SA-11", + "RA-5" + ], + "cci": [ + "CCI-003173", + "CCI-001643" + ], + "componentUuid": "c846ae6f-ffbd-4624-8285-a96b898cc3e0", + "componentName": "h2", + "componentGroup": "com.h2database", + "componentVersion": "1.4.197", + "componentLatestVersion": "2.2.224", + "componentPurl": "pkg:maven/com.h2database/h2@1.4.197?type=jar", + "componentCpe": "", + "componentProject": "5840398e-605b-4326-9184-74e0e7c2a081", + "vulnerabilityUuid": "f1e79bb6-80d9-4696-bf11-9718862c2f0b", + "vulnerabilitySource": "NVD", + "vulnerabilityVulnId": "CVE-2018-14335", + 
"vulnerabilityTitle": "", + "vulnerabilitySubtitle": "", + "vulnerabilityAliases": "[]", + "vulnerabilityCvssV2BaseScore": 4, + "vulnerabilityCvssV3BaseScore": 6.5, + "vulnerabilityOwaspLikelihoodScore": "", + "vulnerabilityOwaspTechnicalImpactScore": "", + "vulnerabilityOwaspBusinessImpactScore": "", + "vulnerabilitySeverityRank": 2, + "vulnerabilityEpssScore": 0.0121, + "vulnerabilityEpssPercentile": 0.84975, + "vulnerabilityCweId": 59, + "vulnerabilityCweName": "Improper Link Resolution Before File Access ('Link Following')", + "attributionAnalyzerIdentity": "OSSINDEX_ANALYZER", + "attributionAttributedOn": "2024-04-04 03:29:41.962", + "attributionAlternateIdentifier": "CVE-2018-14335", + "attributionReferenceUrl": "https://ossindex.sonatype.org/vulnerability/CVE-2018-14335?component-type=maven&component-name=com.h2database%2Fh2&utm_source=dependency-track&utm_medium=integration&utm_content=v4.10.1", + "analysisState": "", + "analysisIsSuppressed": "" + }, + "refs": [], + "source_location": {}, + "title": "pkg:maven/com.h2database/h2@1.4.197?type=jar", + "id": "5840398e-605b-4326-9184-74e0e7c2a081:c846ae6f-ffbd-4624-8285-a96b898cc3e0:f1e79bb6-80d9-4696-bf11-9718862c2f0b", + "desc": "An issue was discovered in H2 1.4.197. Insecure handling of permissions in the backup function allows attackers to read sensitive files (outside of their permissions) via a symlink to a fake database file.", + "descriptions": [ + { + "data": "An issue was discovered in H2 1.4.197. 
Insecure handling of permissions in the backup function allows attackers to read sensitive files (outside of their permissions) via a symlink to a fake database file.", + "label": "check" + }, + { + "data": "", + "label": "fix" + } + ], + "impact": 0.5, + "code": "{\n \"component\": {\n \"latestVersion\": \"2.2.224\",\n \"name\": \"h2\",\n \"project\": \"5840398e-605b-4326-9184-74e0e7c2a081\",\n \"purl\": \"pkg:maven/com.h2database/h2@1.4.197?type=jar\",\n \"uuid\": \"c846ae6f-ffbd-4624-8285-a96b898cc3e0\",\n \"version\": \"1.4.197\",\n \"group\": \"com.h2database\"\n },\n \"attribution\": {\n \"alternateIdentifier\": \"CVE-2018-14335\",\n \"analyzerIdentity\": \"OSSINDEX_ANALYZER\",\n \"attributedOn\": \"2024-04-04 03:29:41.962\",\n \"referenceUrl\": \"https://ossindex.sonatype.org/vulnerability/CVE-2018-14335?component-type=maven&component-name=com.h2database%2Fh2&utm_source=dependency-track&utm_medium=integration&utm_content=v4.10.1\"\n },\n \"vulnerability\": {\n \"severity\": \"MEDIUM\",\n \"cvssV3BaseScore\": 6.5,\n \"vulnId\": \"CVE-2018-14335\",\n \"aliases\": [],\n \"cweId\": 59,\n \"description\": \"An issue was discovered in H2 1.4.197. 
Insecure handling of permissions in the backup function allows attackers to read sensitive files (outside of their permissions) via a symlink to a fake database file.\",\n \"epssScore\": 0.0121,\n \"source\": \"NVD\",\n \"cwes\": [\n {\n \"cweId\": 59,\n \"name\": \"Improper Link Resolution Before File Access ('Link Following')\",\n \"id\": 0\n }\n ],\n \"uuid\": \"f1e79bb6-80d9-4696-bf11-9718862c2f0b\",\n \"severityRank\": 2,\n \"cweName\": \"Improper Link Resolution Before File Access ('Link Following')\",\n \"epssPercentile\": 0.84975,\n \"cvssV2BaseScore\": 4\n },\n \"analysis\": {\n \"isSuppressed\": false\n },\n \"matrix\": \"5840398e-605b-4326-9184-74e0e7c2a081:c846ae6f-ffbd-4624-8285-a96b898cc3e0:f1e79bb6-80d9-4696-bf11-9718862c2f0b\"\n}", + "results": [ + { + "status": "failed", + "code_desc": "", + "start_time": "2024-04-04T03:32:17Z" + } + ] + } + ], + "sha256": "56cfc8cbb2458a0c47e8194d772ead3a33b50fece89271bbd959687c0eb48dd5" + } + ], + "passthrough": {} +} \ No newline at end of file diff --git a/libs/hdf-converters/sample_jsons/dependency_track_mapper/hdf-with-attributions.json b/libs/hdf-converters/sample_jsons/dependency_track_mapper/hdf-with-attributions.json new file mode 100644 index 0000000000..62d75389f5 --- /dev/null +++ b/libs/hdf-converters/sample_jsons/dependency_track_mapper/hdf-with-attributions.json 
@@ -0,0 +1,4765 @@ +{ + "platform": { + "name": "Dependency-Track", + "release": "1.2 4.10.1", + "target_id": "" + }, + "version": "2.10.3", + "statistics": {}, + "profiles": [ + { + "name": "75512646-e558-47a4-9cc3-0be806bf3482", + "version": "1.0", + "title": "protonmail-webclient", + "summary": "", + "supports": [], + "attributes": [], + "groups": [], + "status": "loaded", + "controls": [ + { + "tags": { + "cweIds": [ + 1333 + ], + "cweNames": [ + "Inefficient Regular Expression Complexity" + ], + "nist": [ + "SA-11", + "RA-5" + ], + "cci": [ + "CCI-003173", + "CCI-001643" + ], + "componentUuid": "2d964faa-c9c3-4669-900e-0ea3de1a9282", + "componentName": "angular", + "componentGroup": "", + "componentVersion": "1.8.0", + "componentLatestVersion": "1.8.3", + "componentPurl": "pkg:npm/angular@1.8.0", + "componentCpe": "", + "componentProject": "75512646-e558-47a4-9cc3-0be806bf3482", + "vulnerabilityUuid": "bf868742-0913-4a88-8dbc-1f6dbaf4b575", + "vulnerabilitySource": "NVD", + "vulnerabilityVulnId": "CVE-2022-25844", + "vulnerabilityTitle": "", + "vulnerabilitySubtitle": "", + "vulnerabilityAliases": "[]", + "vulnerabilityCvssV2BaseScore": 5, + "vulnerabilityCvssV3BaseScore": 7.5, + "vulnerabilityOwaspLikelihoodScore": "", + "vulnerabilityOwaspTechnicalImpactScore": "", + "vulnerabilityOwaspBusinessImpactScore": "", + "vulnerabilitySeverityRank": 1, + "vulnerabilityEpssScore": "", + "vulnerabilityEpssPercentile": "", + "vulnerabilityCweId": 1333, + "vulnerabilityCweName": "Inefficient Regular Expression Complexity", + "attributionAnalyzerIdentity": "OSSINDEX_ANALYZER", + "attributionAttributedOn": "2024-04-04 03:50:40.893", + "attributionAlternateIdentifier": "CVE-2022-25844", + "attributionReferenceUrl": "https://ossindex.sonatype.org/vulnerability/CVE-2022-25844?component-type=npm&component-name=angular&utm_source=dependency-track&utm_medium=integration&utm_content=v4.10.1", + "analysisState": "", + "analysisIsSuppressed": "" + }, + "refs": [], + 
"source_location": {}, + "title": "pkg:npm/angular@1.8.0", + "id": "75512646-e558-47a4-9cc3-0be806bf3482:2d964faa-c9c3-4669-900e-0ea3de1a9282:bf868742-0913-4a88-8dbc-1f6dbaf4b575", + "desc": "The package angular after 1.7.0 are vulnerable to Regular Expression Denial of Service (ReDoS) by providing a custom locale rule that makes it possible to assign the parameter in posPre: ' '.repeat() of NUMBER_FORMATS.PATTERNS[1].posPre with a very high value. **Note:** 1) This package has been deprecated and is no longer maintained. 2) The vulnerable versions are 1.7.0 and higher.", + "descriptions": [ + { + "data": "The package angular after 1.7.0 are vulnerable to Regular Expression Denial of Service (ReDoS) by providing a custom locale rule that makes it possible to assign the parameter in posPre: ' '.repeat() of NUMBER_FORMATS.PATTERNS[1].posPre with a very high value. **Note:** 1) This package has been deprecated and is no longer maintained. 2) The vulnerable versions are 1.7.0 and higher.", + "label": "check" + }, + { + "data": "", + "label": "fix" + } + ], + "impact": 0.7, + "code": "{\n \"component\": {\n \"name\": \"angular\",\n \"project\": \"75512646-e558-47a4-9cc3-0be806bf3482\",\n \"purl\": \"pkg:npm/angular@1.8.0\",\n \"uuid\": \"2d964faa-c9c3-4669-900e-0ea3de1a9282\",\n \"version\": \"1.8.0\",\n \"latestVersion\": \"1.8.3\"\n },\n \"attribution\": {\n \"alternateIdentifier\": \"CVE-2022-25844\",\n \"analyzerIdentity\": \"OSSINDEX_ANALYZER\",\n \"attributedOn\": \"2024-04-04 03:50:40.893\",\n \"referenceUrl\": \"https://ossindex.sonatype.org/vulnerability/CVE-2022-25844?component-type=npm&component-name=angular&utm_source=dependency-track&utm_medium=integration&utm_content=v4.10.1\"\n },\n \"vulnerability\": {\n \"severity\": \"HIGH\",\n \"cvssV3BaseScore\": 7.5,\n \"severityRank\": 1,\n \"cweName\": \"Inefficient Regular Expression Complexity\",\n \"vulnId\": \"CVE-2022-25844\",\n \"aliases\": [],\n \"cvssV2BaseScore\": 5,\n \"cweId\": 1333,\n \"description\": 
\"The package angular after 1.7.0 are vulnerable to Regular Expression Denial of Service (ReDoS) by providing a custom locale rule that makes it possible to assign the parameter in posPre: ' '.repeat() of NUMBER_FORMATS.PATTERNS[1].posPre with a very high value. **Note:** 1) This package has been deprecated and is no longer maintained. 2) The vulnerable versions are 1.7.0 and higher.\",\n \"source\": \"NVD\",\n \"cwes\": [\n {\n \"cweId\": 1333,\n \"name\": \"Inefficient Regular Expression Complexity\",\n \"id\": 0\n }\n ],\n \"uuid\": \"bf868742-0913-4a88-8dbc-1f6dbaf4b575\"\n },\n \"analysis\": {\n \"isSuppressed\": false\n },\n \"matrix\": \"75512646-e558-47a4-9cc3-0be806bf3482:2d964faa-c9c3-4669-900e-0ea3de1a9282:bf868742-0913-4a88-8dbc-1f6dbaf4b575\"\n}", + "results": [ + { + "status": "failed", + "code_desc": "", + "start_time": "2024-04-04T03:51:19Z" + } + ] + }, + { + "tags": { + "cweIds": [ + 79 + ], + "cweNames": [ + "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')" + ], + "nist": [ + "SI-10" + ], + "cci": [ + "CCI-001310" + ], + "componentUuid": "2d964faa-c9c3-4669-900e-0ea3de1a9282", + "componentName": "angular", + "componentGroup": "", + "componentVersion": "1.8.0", + "componentLatestVersion": "1.8.3", + "componentPurl": "pkg:npm/angular@1.8.0", + "componentCpe": "", + "componentProject": "75512646-e558-47a4-9cc3-0be806bf3482", + "vulnerabilityUuid": "6df429d1-4b4f-4b4f-b395-e88a92fb9614", + "vulnerabilitySource": "NVD", + "vulnerabilityVulnId": "CVE-2022-25869", + "vulnerabilityTitle": "", + "vulnerabilitySubtitle": "", + "vulnerabilityAliases": "[]", + "vulnerabilityCvssV2BaseScore": "", + "vulnerabilityCvssV3BaseScore": 6.1, + "vulnerabilityOwaspLikelihoodScore": "", + "vulnerabilityOwaspTechnicalImpactScore": "", + "vulnerabilityOwaspBusinessImpactScore": "", + "vulnerabilitySeverityRank": 2, + "vulnerabilityEpssScore": "", + "vulnerabilityEpssPercentile": "", + "vulnerabilityCweId": 79, + 
"vulnerabilityCweName": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", + "attributionAnalyzerIdentity": "OSSINDEX_ANALYZER", + "attributionAttributedOn": "2024-04-04 03:50:40.904", + "attributionAlternateIdentifier": "CVE-2022-25869", + "attributionReferenceUrl": "https://ossindex.sonatype.org/vulnerability/CVE-2022-25869?component-type=npm&component-name=angular&utm_source=dependency-track&utm_medium=integration&utm_content=v4.10.1", + "analysisState": "", + "analysisIsSuppressed": "" + }, + "refs": [], + "source_location": {}, + "title": "pkg:npm/angular@1.8.0", + "id": "75512646-e558-47a4-9cc3-0be806bf3482:2d964faa-c9c3-4669-900e-0ea3de1a9282:6df429d1-4b4f-4b4f-b395-e88a92fb9614", + "desc": "All versions of package angular are vulnerable to Cross-site Scripting (XSS) due to insecure page caching in the Internet Explorer browser, which allows interpolation of