I'm a Java Backend Developer ☕ | Web Developer 🖥 | IoT Enthusiast 🤖 | I like the player 🎮 ... 🍺٩ (˘◡˘)
wallanpsantos / ecossistemas Goto Github PK
View Code? Open in Web Editor NEWLicense: MIT License
License: MIT License
Library home page: http://x-stream.github.io
Path to dependency file: ecossistemas/hr-eurekaserver/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/thoughtworks/xstream/xstream/1.4.14/xstream-1.4.14.jar,/home/wss-scanner/.m2/repository/com/thoughtworks/xstream/xstream/1.4.14/xstream-1.4.14.jar,/home/wss-scanner/.m2/repository/com/thoughtworks/xstream/xstream/1.4.14/xstream-1.4.14.jar,/home/wss-scanner/.m2/repository/com/thoughtworks/xstream/xstream/1.4.14/xstream-1.4.14.jar,/home/wss-scanner/.m2/repository/com/thoughtworks/xstream/xstream/1.4.14/xstream-1.4.14.jar,/home/wss-scanner/.m2/repository/com/thoughtworks/xstream/xstream/1.4.14/xstream-1.4.14.jar
Dependency Hierarchy:
Found in HEAD commit: e15b11f25c09db87ec8d05d57b6e62f1bb4856a0
Found in base branch: develop
XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.
Publish Date: 2021-03-23
URL: CVE-2021-21344
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-59jw-jqf4-3wq3
Release Date: 2021-03-23
Fix Resolution: com.thoughtworks.xstream:xstream:1.4.16
Step up your Open Source Security Game with WhiteSource here
Data Mapper package is a high-performance data binding package built on Jackson JSON processor
Path to dependency file: ecossistemas/hr-oauth/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/codehaus/jackson/jackson-mapper-asl/1.9.13/jackson-mapper-asl-1.9.13.jar,/home/wss-scanner/.m2/repository/org/codehaus/jackson/jackson-mapper-asl/1.9.13/jackson-mapper-asl-1.9.13.jar
Dependency Hierarchy:
Found in HEAD commit: e15b11f25c09db87ec8d05d57b6e62f1bb4856a0
Found in base branch: develop
A flaw was found in org.codehaus.jackson:jackson-mapper-asl:1.9.x libraries. XML external entity vulnerabilities similar CVE-2016-3720 also affects codehaus jackson-mapper-asl libraries but in different classes.
Publish Date: 2019-11-18
URL: CVE-2019-10172
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10172
Release Date: 2020-02-10
Fix Resolution: com.fasterxml.jackson.core:jackson-databind:2.0.0-RC1
Step up your Open Source Security Game with WhiteSource here
spring-security-web
Library home page: https://spring.io/spring-security
Path to dependency file: ecossistemas/hr-api-gateway-zuul/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/security/spring-security-web/5.3.9.RELEASE/spring-security-web-5.3.9.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/security/spring-security-web/5.3.9.RELEASE/spring-security-web-5.3.9.RELEASE.jar
Dependency Hierarchy:
Found in HEAD commit: e15b11f25c09db87ec8d05d57b6e62f1bb4856a0
Found in base branch: develop
CSRF tokens in Spring Security through 5.4.6 are vulnerable to a breach attack. Spring Security always returns the same CSRF token to the browser.
Publish Date: 2016-08-02
URL: WS-2016-7107
Base Score Metrics:
Step up your Open Source Security Game with WhiteSource here
Module for providing OAuth2 support to Spring Security
Library home page: http://static.springframework.org/spring-security/oauth
Path to dependency file: ecossistemas/hr-oauth/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/security/oauth/spring-security-oauth2/2.3.4.RELEASE/spring-security-oauth2-2.3.4.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/security/oauth/spring-security-oauth2/2.3.4.RELEASE/spring-security-oauth2-2.3.4.RELEASE.jar
Dependency Hierarchy:
Found in HEAD commit: e15b11f25c09db87ec8d05d57b6e62f1bb4856a0
Found in base branch: develop
Spring Security OAuth, versions 2.3 prior to 2.3.5, and 2.2 prior to 2.2.4, and 2.1 prior to 2.1.4, and 2.0 prior to 2.0.17, and older unsupported versions could be susceptible to an open redirector attack that can leak an authorization code. A malicious user or attacker can craft a request to the authorization endpoint using the authorization code grant type, and specify a manipulated redirection URI via the "redirect_uri" parameter. This can cause the authorization server to redirect the resource owner user-agent to a URI under the control of the attacker with the leaked authorization code. This vulnerability exposes applications that meet all of the following requirements: Act in the role of an Authorization Server (e.g. @EnableAuthorizationServer) and uses the DefaultRedirectResolver in the AuthorizationEndpoint. This vulnerability does not expose applications that: Act in the role of an Authorization Server and uses a different RedirectResolver implementation other than DefaultRedirectResolver, act in the role of a Resource Server only (e.g. @EnableResourceServer), act in the role of a Client only (e.g. @EnableOAuthClient).
Publish Date: 2019-03-07
URL: CVE-2019-3778
Base Score Metrics:
Type: Upgrade version
Origin: https://pivotal.io/security/cve-2019-3778
Release Date: 2019-02-21
Fix Resolution: 2.0.17,2.1.4,2.2.4,2.3.5
Step up your Open Source Security Game with WhiteSource here
Library home page: http://x-stream.github.io
Path to dependency file: ecossistemas/hr-eurekaserver/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/thoughtworks/xstream/xstream/1.4.14/xstream-1.4.14.jar,/home/wss-scanner/.m2/repository/com/thoughtworks/xstream/xstream/1.4.14/xstream-1.4.14.jar,/home/wss-scanner/.m2/repository/com/thoughtworks/xstream/xstream/1.4.14/xstream-1.4.14.jar,/home/wss-scanner/.m2/repository/com/thoughtworks/xstream/xstream/1.4.14/xstream-1.4.14.jar,/home/wss-scanner/.m2/repository/com/thoughtworks/xstream/xstream/1.4.14/xstream-1.4.14.jar,/home/wss-scanner/.m2/repository/com/thoughtworks/xstream/xstream/1.4.14/xstream-1.4.14.jar
Dependency Hierarchy:
Found in HEAD commit: e15b11f25c09db87ec8d05d57b6e62f1bb4856a0
Found in base branch: develop
XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability where the processed stream at unmarshalling time contains type information to recreate the formerly written objects. XStream creates therefore new instances based on these type information. An attacker can manipulate the processed input stream and replace or inject objects, that result in a server-side forgery request. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.
Publish Date: 2021-03-23
URL: CVE-2021-21342
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-hvv8-336g-rx3m
Release Date: 2021-03-23
Fix Resolution: com.thoughtworks.xstream:xstream:1.4.16
Step up your Open Source Security Game with WhiteSource here
Library home page: http://x-stream.github.io
Path to dependency file: ecossistemas/hr-eurekaserver/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/thoughtworks/xstream/xstream/1.4.14/xstream-1.4.14.jar,/home/wss-scanner/.m2/repository/com/thoughtworks/xstream/xstream/1.4.14/xstream-1.4.14.jar,/home/wss-scanner/.m2/repository/com/thoughtworks/xstream/xstream/1.4.14/xstream-1.4.14.jar,/home/wss-scanner/.m2/repository/com/thoughtworks/xstream/xstream/1.4.14/xstream-1.4.14.jar,/home/wss-scanner/.m2/repository/com/thoughtworks/xstream/xstream/1.4.14/xstream-1.4.14.jar,/home/wss-scanner/.m2/repository/com/thoughtworks/xstream/xstream/1.4.14/xstream-1.4.14.jar
Dependency Hierarchy:
Found in base branch: develop
XStream is vulnerable to a Remote Command Execution attack before version 1.4.17. The vulnerability may allow a remote attacker has sufficient rights to execute commands of the host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types.
Publish Date: 2021-03-31
URL: CVE-2021-29505
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-7chv-rrw6-w6fc
Release Date: 2021-03-31
Fix Resolution: com.thoughtworks.xstream:xstream:1.4.17
Step up your Open Source Security Game with WhiteSource here
Library home page: http://x-stream.github.io
Path to dependency file: ecossistemas/hr-eurekaserver/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/thoughtworks/xstream/xstream/1.4.14/xstream-1.4.14.jar,/home/wss-scanner/.m2/repository/com/thoughtworks/xstream/xstream/1.4.14/xstream-1.4.14.jar,/home/wss-scanner/.m2/repository/com/thoughtworks/xstream/xstream/1.4.14/xstream-1.4.14.jar,/home/wss-scanner/.m2/repository/com/thoughtworks/xstream/xstream/1.4.14/xstream-1.4.14.jar,/home/wss-scanner/.m2/repository/com/thoughtworks/xstream/xstream/1.4.14/xstream-1.4.14.jar,/home/wss-scanner/.m2/repository/com/thoughtworks/xstream/xstream/1.4.14/xstream-1.4.14.jar
Dependency Hierarchy:
Found in HEAD commit: e15b11f25c09db87ec8d05d57b6e62f1bb4856a0
Found in base branch: develop
XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.15, a Server-Side Forgery Request vulnerability can be activated when unmarshalling. The vulnerability may allow a remote attacker to request data from internal resources that are not publicly available only by manipulating the processed input stream. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.15. The reported vulnerability does not exist if running Java 15 or higher. No user is affected who followed the recommendation to setup XStream's Security Framework with a whitelist! Anyone relying on XStream's default blacklist can immediately switch to a whilelist for the allowed types to avoid the vulnerability. Users of XStream 1.4.14 or below who still want to use XStream default blacklist can use a workaround described in more detailed in the referenced advisories.
Publish Date: 2020-12-16
URL: CVE-2020-26258
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-4cch-wxpw-8p28
Release Date: 2020-12-16
Fix Resolution: com.thoughtworks.xstream:xstream:1.4.15
Step up your Open Source Security Game with WhiteSource here
Library home page: http://x-stream.github.io
Path to dependency file: ecossistemas/hr-eurekaserver/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/thoughtworks/xstream/xstream/1.4.14/xstream-1.4.14.jar,/home/wss-scanner/.m2/repository/com/thoughtworks/xstream/xstream/1.4.14/xstream-1.4.14.jar,/home/wss-scanner/.m2/repository/com/thoughtworks/xstream/xstream/1.4.14/xstream-1.4.14.jar,/home/wss-scanner/.m2/repository/com/thoughtworks/xstream/xstream/1.4.14/xstream-1.4.14.jar,/home/wss-scanner/.m2/repository/com/thoughtworks/xstream/xstream/1.4.14/xstream-1.4.14.jar,/home/wss-scanner/.m2/repository/com/thoughtworks/xstream/xstream/1.4.14/xstream-1.4.14.jar
Dependency Hierarchy:
Found in HEAD commit: e15b11f25c09db87ec8d05d57b6e62f1bb4856a0
Found in base branch: develop
XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is vulnerability which may allow a remote attacker to allocate 100% CPU time on the target system depending on CPU type or parallel execution of such a payload resulting in a denial of service only by manipulating the processed input stream. No user is affected who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.
Publish Date: 2021-03-23
URL: CVE-2021-21341
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-2p3x-qw9c-25hh
Release Date: 2021-03-23
Fix Resolution: com.thoughtworks.xstream:xstream:1.4.16
Step up your Open Source Security Game with WhiteSource here
Data Mapper package is a high-performance data binding package built on Jackson JSON processor
Path to dependency file: ecossistemas/hr-oauth/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/codehaus/jackson/jackson-mapper-asl/1.9.13/jackson-mapper-asl-1.9.13.jar,/home/wss-scanner/.m2/repository/org/codehaus/jackson/jackson-mapper-asl/1.9.13/jackson-mapper-asl-1.9.13.jar
Dependency Hierarchy:
Found in HEAD commit: e15b11f25c09db87ec8d05d57b6e62f1bb4856a0
Found in base branch: develop
A series of deserialization vulnerabilities have been discovered in Codehaus 1.9.x implemented in EAP 7. This CVE fixes CVE-2017-17485, CVE-2017-7525, CVE-2017-15095, CVE-2018-5968, CVE-2018-7489, CVE-2018-1000873, CVE-2019-12086 reported for FasterXML jackson-databind by implementing a whitelist approach that will mitigate these vulnerabilities and future ones alike.
Publish Date: 2019-10-01
URL: CVE-2019-10202
Base Score Metrics:
Type: Upgrade version
Origin: https://access.redhat.com/errata/RHSA-2019:2938
Release Date: 2019-10-01
Fix Resolution: JBoss Enterprise Application Platform - 7.2.4;com.fasterxml.jackson.core:jackson-databind:2.9.9
Step up your Open Source Security Game with WhiteSource here
A collection of various utility classes to ease working with strings, files, command lines, XML and more.
Path to dependency file: ecossistemas/hr-api-gateway-zuul/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/codehaus/plexus/plexus-utils/2.0.4/plexus-utils-2.0.4.jar
Dependency Hierarchy:
Found in HEAD commit: e15b11f25c09db87ec8d05d57b6e62f1bb4856a0
Found in base branch: develop
Security vulnerability found in plexus-utils before 3.0.24. XML injection found in XmlWriterUtil.java.
Publish Date: 2016-05-07
URL: WS-2016-7062
Type: Upgrade version
Origin: codehaus-plexus/plexus-utils@f933e5e
Release Date: 2019-09-26
Fix Resolution: 3.0.24
Step up your Open Source Security Game with WhiteSource here
Library home page: http://x-stream.github.io
Path to dependency file: ecossistemas/hr-eurekaserver/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/thoughtworks/xstream/xstream/1.4.14/xstream-1.4.14.jar,/home/wss-scanner/.m2/repository/com/thoughtworks/xstream/xstream/1.4.14/xstream-1.4.14.jar,/home/wss-scanner/.m2/repository/com/thoughtworks/xstream/xstream/1.4.14/xstream-1.4.14.jar,/home/wss-scanner/.m2/repository/com/thoughtworks/xstream/xstream/1.4.14/xstream-1.4.14.jar,/home/wss-scanner/.m2/repository/com/thoughtworks/xstream/xstream/1.4.14/xstream-1.4.14.jar,/home/wss-scanner/.m2/repository/com/thoughtworks/xstream/xstream/1.4.14/xstream-1.4.14.jar
Dependency Hierarchy:
Found in HEAD commit: e15b11f25c09db87ec8d05d57b6e62f1bb4856a0
Found in base branch: develop
XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker who has sufficient rights to execute commands of the host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.
Publish Date: 2021-03-23
URL: CVE-2021-21345
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-hwpc-8xqv-jvj4
Release Date: 2021-03-23
Fix Resolution: com.thoughtworks.xstream:xstream:1.4.16
Step up your Open Source Security Game with WhiteSource here
Library home page: http://x-stream.github.io
Path to dependency file: ecossistemas/hr-eurekaserver/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/thoughtworks/xstream/xstream/1.4.14/xstream-1.4.14.jar,/home/wss-scanner/.m2/repository/com/thoughtworks/xstream/xstream/1.4.14/xstream-1.4.14.jar,/home/wss-scanner/.m2/repository/com/thoughtworks/xstream/xstream/1.4.14/xstream-1.4.14.jar,/home/wss-scanner/.m2/repository/com/thoughtworks/xstream/xstream/1.4.14/xstream-1.4.14.jar,/home/wss-scanner/.m2/repository/com/thoughtworks/xstream/xstream/1.4.14/xstream-1.4.14.jar,/home/wss-scanner/.m2/repository/com/thoughtworks/xstream/xstream/1.4.14/xstream-1.4.14.jar
Dependency Hierarchy:
Found in HEAD commit: e15b11f25c09db87ec8d05d57b6e62f1bb4856a0
Found in base branch: develop
XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker to occupy a thread that consumes maximum CPU time and will never return. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.
Publish Date: 2021-03-23
URL: CVE-2021-21348
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-56p8-3fh9-4cvq
Release Date: 2021-03-23
Fix Resolution: com.thoughtworks.xstream:xstream:1.4.16
Step up your Open Source Security Game with WhiteSource here
Library home page: http://x-stream.github.io
Path to dependency file: ecossistemas/hr-eurekaserver/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/thoughtworks/xstream/xstream/1.4.14/xstream-1.4.14.jar,/home/wss-scanner/.m2/repository/com/thoughtworks/xstream/xstream/1.4.14/xstream-1.4.14.jar,/home/wss-scanner/.m2/repository/com/thoughtworks/xstream/xstream/1.4.14/xstream-1.4.14.jar,/home/wss-scanner/.m2/repository/com/thoughtworks/xstream/xstream/1.4.14/xstream-1.4.14.jar,/home/wss-scanner/.m2/repository/com/thoughtworks/xstream/xstream/1.4.14/xstream-1.4.14.jar,/home/wss-scanner/.m2/repository/com/thoughtworks/xstream/xstream/1.4.14/xstream-1.4.14.jar
Dependency Hierarchy:
Found in HEAD commit: e15b11f25c09db87ec8d05d57b6e62f1bb4856a0
Found in base branch: develop
XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability where the processed stream at unmarshalling time contains type information to recreate the formerly written objects. XStream creates therefore new instances based on these type information. An attacker can manipulate the processed input stream and replace or inject objects, that result in the deletion of a file on the local host. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.
Publish Date: 2021-03-23
URL: CVE-2021-21343
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-74cv-f58x-f9wf
Release Date: 2021-03-23
Fix Resolution: com.thoughtworks.xstream:xstream:1.4.16
Step up your Open Source Security Game with WhiteSource here
A collection of various utility classes to ease working with strings, files, command lines, XML and more.
Path to dependency file: ecossistemas/hr-api-gateway-zuul/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/codehaus/plexus/plexus-utils/2.0.4/plexus-utils-2.0.4.jar
Dependency Hierarchy:
Found in HEAD commit: e15b11f25c09db87ec8d05d57b6e62f1bb4856a0
Found in base branch: develop
Plexus-utils before 3.0.24 are vulnerable to Directory Traversal
Publish Date: 2016-05-07
URL: WS-2016-7057
Base Score Metrics:
Type: Upgrade version
Origin: codehaus-plexus/plexus-utils@33a2853
Release Date: 2019-05-30
Fix Resolution: 3.0.24
Step up your Open Source Security Game with WhiteSource here
Library home page: http://x-stream.github.io
Path to dependency file: ecossistemas/hr-eurekaserver/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/thoughtworks/xstream/xstream/1.4.14/xstream-1.4.14.jar,/home/wss-scanner/.m2/repository/com/thoughtworks/xstream/xstream/1.4.14/xstream-1.4.14.jar,/home/wss-scanner/.m2/repository/com/thoughtworks/xstream/xstream/1.4.14/xstream-1.4.14.jar,/home/wss-scanner/.m2/repository/com/thoughtworks/xstream/xstream/1.4.14/xstream-1.4.14.jar,/home/wss-scanner/.m2/repository/com/thoughtworks/xstream/xstream/1.4.14/xstream-1.4.14.jar,/home/wss-scanner/.m2/repository/com/thoughtworks/xstream/xstream/1.4.14/xstream-1.4.14.jar
Dependency Hierarchy:
Found in HEAD commit: e15b11f25c09db87ec8d05d57b6e62f1bb4856a0
Found in base branch: develop
XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.
Publish Date: 2021-03-23
URL: CVE-2021-21347
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-qpfq-ph7r-qv6f
Release Date: 2021-03-23
Fix Resolution: com.thoughtworks.xstream:xstream:1.4.16
Step up your Open Source Security Game with WhiteSource here
Library home page: http://x-stream.github.io
Path to dependency file: ecossistemas/hr-eurekaserver/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/thoughtworks/xstream/xstream/1.4.14/xstream-1.4.14.jar,/home/wss-scanner/.m2/repository/com/thoughtworks/xstream/xstream/1.4.14/xstream-1.4.14.jar,/home/wss-scanner/.m2/repository/com/thoughtworks/xstream/xstream/1.4.14/xstream-1.4.14.jar,/home/wss-scanner/.m2/repository/com/thoughtworks/xstream/xstream/1.4.14/xstream-1.4.14.jar,/home/wss-scanner/.m2/repository/com/thoughtworks/xstream/xstream/1.4.14/xstream-1.4.14.jar,/home/wss-scanner/.m2/repository/com/thoughtworks/xstream/xstream/1.4.14/xstream-1.4.14.jar
Dependency Hierarchy:
Found in HEAD commit: e15b11f25c09db87ec8d05d57b6e62f1bb4856a0
Found in base branch: develop
XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.
Publish Date: 2021-03-23
URL: CVE-2021-21346
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-4hrm-m67v-5cxr
Release Date: 2021-03-23
Fix Resolution: com.thoughtworks.xstream:xstream:1.4.16
Step up your Open Source Security Game with WhiteSource here
Library home page: http://x-stream.github.io
Path to dependency file: ecossistemas/hr-eurekaserver/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/thoughtworks/xstream/xstream/1.4.14/xstream-1.4.14.jar,/home/wss-scanner/.m2/repository/com/thoughtworks/xstream/xstream/1.4.14/xstream-1.4.14.jar,/home/wss-scanner/.m2/repository/com/thoughtworks/xstream/xstream/1.4.14/xstream-1.4.14.jar,/home/wss-scanner/.m2/repository/com/thoughtworks/xstream/xstream/1.4.14/xstream-1.4.14.jar,/home/wss-scanner/.m2/repository/com/thoughtworks/xstream/xstream/1.4.14/xstream-1.4.14.jar,/home/wss-scanner/.m2/repository/com/thoughtworks/xstream/xstream/1.4.14/xstream-1.4.14.jar
Dependency Hierarchy:
Found in HEAD commit: e15b11f25c09db87ec8d05d57b6e62f1bb4856a0
Found in base branch: develop
XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker to execute arbitrary code only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.
Publish Date: 2021-03-23
URL: CVE-2021-21350
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-43gc-mjxg-gvrq
Release Date: 2021-03-23
Fix Resolution: com.thoughtworks.xstream:xstream:1.4.16
Step up your Open Source Security Game with WhiteSource here
Module for providing OAuth2 support to Spring Security
Library home page: http://static.springframework.org/spring-security/oauth
Path to dependency file: ecossistemas/hr-oauth/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/security/oauth/spring-security-oauth2/2.3.4.RELEASE/spring-security-oauth2-2.3.4.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/security/oauth/spring-security-oauth2/2.3.4.RELEASE/spring-security-oauth2-2.3.4.RELEASE.jar
Dependency Hierarchy:
Found in HEAD commit: e15b11f25c09db87ec8d05d57b6e62f1bb4856a0
Found in base branch: develop
Spring Security OAuth versions 2.3 prior to 2.3.6, 2.2 prior to 2.2.5, 2.1 prior to 2.1.5, and 2.0 prior to 2.0.18, as well as older unsupported versions could be susceptible to an open redirector attack that can leak an authorization code. A malicious user or attacker can craft a request to the authorization endpoint using the authorization code grant type, and specify a manipulated redirection URI via the redirect_uri parameter. This can cause the authorization server to redirect the resource owner user-agent to a URI under the control of the attacker with the leaked authorization code.
Publish Date: 2019-06-12
URL: CVE-2019-11269
Base Score Metrics:
Type: Upgrade version
Origin: https://pivotal.io/security/cve-2019-11269
Release Date: 2019-06-11
Fix Resolution: 2.3.6, 2.2.5, 2.1.5, 2.0.18
Step up your Open Source Security Game with WhiteSource here
Library home page: http://x-stream.github.io
Path to dependency file: ecossistemas/hr-eurekaserver/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/thoughtworks/xstream/xstream/1.4.14/xstream-1.4.14.jar,/home/wss-scanner/.m2/repository/com/thoughtworks/xstream/xstream/1.4.14/xstream-1.4.14.jar,/home/wss-scanner/.m2/repository/com/thoughtworks/xstream/xstream/1.4.14/xstream-1.4.14.jar,/home/wss-scanner/.m2/repository/com/thoughtworks/xstream/xstream/1.4.14/xstream-1.4.14.jar,/home/wss-scanner/.m2/repository/com/thoughtworks/xstream/xstream/1.4.14/xstream-1.4.14.jar,/home/wss-scanner/.m2/repository/com/thoughtworks/xstream/xstream/1.4.14/xstream-1.4.14.jar
Dependency Hierarchy:
Found in HEAD commit: e15b11f25c09db87ec8d05d57b6e62f1bb4856a0
Found in base branch: develop
XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.
Publish Date: 2021-03-23
URL: CVE-2021-21351
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-hrcp-8f3q-4w2c
Release Date: 2021-03-23
Fix Resolution: com.thoughtworks.xstream:xstream:1.4.16
Step up your Open Source Security Game with WhiteSource here
A collection of various utility classes to ease working with strings, files, command lines, XML and more.
Path to dependency file: ecossistemas/hr-api-gateway-zuul/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/codehaus/plexus/plexus-utils/2.0.4/plexus-utils-2.0.4.jar
Dependency Hierarchy:
Found in HEAD commit: e15b11f25c09db87ec8d05d57b6e62f1bb4856a0
Found in base branch: develop
Plexus-utils before 3.0.16 is vulnerable to command injection because it does not correctly process the contents of double quoted strings.
Publish Date: 2018-01-03
URL: CVE-2017-1000487
Base Score Metrics:
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2017-1000487
Release Date: 2018-01-03
Fix Resolution: 3.0.16
Step up your Open Source Security Game with WhiteSource here
Library home page: http://x-stream.github.io
Path to dependency file: ecossistemas/hr-eurekaserver/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/thoughtworks/xstream/xstream/1.4.14/xstream-1.4.14.jar,/home/wss-scanner/.m2/repository/com/thoughtworks/xstream/xstream/1.4.14/xstream-1.4.14.jar,/home/wss-scanner/.m2/repository/com/thoughtworks/xstream/xstream/1.4.14/xstream-1.4.14.jar,/home/wss-scanner/.m2/repository/com/thoughtworks/xstream/xstream/1.4.14/xstream-1.4.14.jar,/home/wss-scanner/.m2/repository/com/thoughtworks/xstream/xstream/1.4.14/xstream-1.4.14.jar,/home/wss-scanner/.m2/repository/com/thoughtworks/xstream/xstream/1.4.14/xstream-1.4.14.jar
Dependency Hierarchy:
Found in HEAD commit: e15b11f25c09db87ec8d05d57b6e62f1bb4856a0
Found in base branch: develop
XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.15, is vulnerable to an Arbitrary File Deletion on the local host when unmarshalling. The vulnerability may allow a remote attacker to delete arbitrary know files on the host as log as the executing process has sufficient rights only by manipulating the processed input stream. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.15. The reported vulnerability does not exist running Java 15 or higher. No user is affected, who followed the recommendation to setup XStream's Security Framework with a whitelist! Anyone relying on XStream's default blacklist can immediately switch to a whilelist for the allowed types to avoid the vulnerability. Users of XStream 1.4.14 or below who still want to use XStream default blacklist can use a workaround described in more detailed in the referenced advisories.
Publish Date: 2020-12-16
URL: CVE-2020-26259
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-jfvx-7wrx-43fh
Release Date: 2020-12-16
Fix Resolution: com.thoughtworks.xstream:xstream:1.4.15
Step up your Open Source Security Game with WhiteSource here
The Commons IO library contains utility classes, stream implementations, file filters, file comparators, endian transformation classes, and much more.
Library home page: http://commons.apache.org/io/
Path to dependency file: ecossistemas/hr-oauth/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/commons-io/commons-io/2.2/commons-io-2.2.jar,/home/wss-scanner/.m2/repository/commons-io/commons-io/2.2/commons-io-2.2.jar
Dependency Hierarchy:
The Commons IO library contains utility classes, stream implementations, file filters, file comparators, endian transformation classes, and much more.
Library home page: http://commons.apache.org/io/
Path to dependency file: ecossistemas/hr-api-gateway-zuul/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/commons-io/commons-io/2.4/commons-io-2.4.jar
Dependency Hierarchy:
Found in HEAD commit: e15b11f25c09db87ec8d05d57b6e62f1bb4856a0
Found in base branch: develop
In Apache Commons IO before 2.7, When invoking the method FileNameUtils.normalize with an improper input string, like "//../foo", or "\..\foo", the result would be the same value, thus possibly providing access to files in the parent directory, but not further above (thus "limited" path traversal), if the calling code would use the result to construct a path value.
Publish Date: 2021-04-13
URL: CVE-2021-29425
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29425
Release Date: 2021-04-13
Fix Resolution: commons-io:commons-io:2.7
Step up your Open Source Security Game with WhiteSource here
Library home page: http://x-stream.github.io
Path to dependency file: ecossistemas/hr-eurekaserver/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/thoughtworks/xstream/xstream/1.4.14/xstream-1.4.14.jar,/home/wss-scanner/.m2/repository/com/thoughtworks/xstream/xstream/1.4.14/xstream-1.4.14.jar,/home/wss-scanner/.m2/repository/com/thoughtworks/xstream/xstream/1.4.14/xstream-1.4.14.jar,/home/wss-scanner/.m2/repository/com/thoughtworks/xstream/xstream/1.4.14/xstream-1.4.14.jar,/home/wss-scanner/.m2/repository/com/thoughtworks/xstream/xstream/1.4.14/xstream-1.4.14.jar,/home/wss-scanner/.m2/repository/com/thoughtworks/xstream/xstream/1.4.14/xstream-1.4.14.jar
Dependency Hierarchy:
Found in HEAD commit: e15b11f25c09db87ec8d05d57b6e62f1bb4856a0
Found in base branch: develop
XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker to request data from internal resources that are not publicly available only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.
Publish Date: 2021-03-23
URL: CVE-2021-21349
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-f6hm-88x3-mfjv
Release Date: 2021-03-23
Fix Resolution: com.thoughtworks.xstream:xstream:1.4.16
Step up your Open Source Security Game with WhiteSource here
A declarative, efficient, and flexible JavaScript library for building user interfaces.
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
The Web framework for perfectionists with deadlines.
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
We are working to build community through open source technology. NB: members must have two-factor auth.
Open source projects and samples from Microsoft.
Google ❤️ Open Source for everyone.
Alibaba Open Source for everyone
Data-Driven Documents codes.
China tencent open source team.