wallanpsantos / ecossistemas Goto Github PK

Vulnerable Library - xstream-1.4.14.jar

Library home page: http://x-stream.github.io

Path to dependency file: ecossistemas/hr-eurekaserver/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/thoughtworks/xstream/xstream/1.4.14/xstream-1.4.14.jar,/home/wss-scanner/.m2/repository/com/thoughtworks/xstream/xstream/1.4.14/xstream-1.4.14.jar,/home/wss-scanner/.m2/repository/com/thoughtworks/xstream/xstream/1.4.14/xstream-1.4.14.jar,/home/wss-scanner/.m2/repository/com/thoughtworks/xstream/xstream/1.4.14/xstream-1.4.14.jar,/home/wss-scanner/.m2/repository/com/thoughtworks/xstream/xstream/1.4.14/xstream-1.4.14.jar,/home/wss-scanner/.m2/repository/com/thoughtworks/xstream/xstream/1.4.14/xstream-1.4.14.jar

Dependency Hierarchy:

• spring-cloud-starter-netflix-eureka-client-2.2.8.RELEASE.jar (Root Library)
  • eureka-client-1.10.11.jar
    • ❌ xstream-1.4.14.jar (Vulnerable Library)

Found in HEAD commit: e15b11f25c09db87ec8d05d57b6e62f1bb4856a0

Found in base branch: develop

Vulnerability Details

XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.

Publish Date: 2021-03-23

URL: CVE-2021-21344

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-59jw-jqf4-3wq3

Release Date: 2021-03-23

Fix Resolution: com.thoughtworks.xstream:xstream:1.4.16

Vulnerable Library - jackson-mapper-asl-1.9.13.jar

Data Mapper package is a high-performance data binding package built on Jackson JSON processor

Path to dependency file: ecossistemas/hr-oauth/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/codehaus/jackson/jackson-mapper-asl/1.9.13/jackson-mapper-asl-1.9.13.jar,/home/wss-scanner/.m2/repository/org/codehaus/jackson/jackson-mapper-asl/1.9.13/jackson-mapper-asl-1.9.13.jar

Dependency Hierarchy:

• spring-cloud-starter-oauth2-2.2.5.RELEASE.jar (Root Library)
  • spring-security-oauth2-autoconfigure-2.1.2.RELEASE.jar
    • spring-security-oauth2-2.3.4.RELEASE.jar
      • ❌ jackson-mapper-asl-1.9.13.jar (Vulnerable Library)

Found in HEAD commit: e15b11f25c09db87ec8d05d57b6e62f1bb4856a0

Found in base branch: develop

Vulnerability Details

A flaw was found in org.codehaus.jackson:jackson-mapper-asl:1.9.x libraries. XML external entity vulnerabilities similar CVE-2016-3720 also affects codehaus jackson-mapper-asl libraries but in different classes.

Publish Date: 2019-11-18

URL: CVE-2019-10172

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: High
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10172

Release Date: 2020-02-10

Fix Resolution: com.fasterxml.jackson.core:jackson-databind:2.0.0-RC1

Vulnerable Library - spring-security-web-5.3.9.RELEASE.jar

spring-security-web

Library home page: https://spring.io/spring-security

Path to dependency file: ecossistemas/hr-api-gateway-zuul/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/security/spring-security-web/5.3.9.RELEASE/spring-security-web-5.3.9.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/security/spring-security-web/5.3.9.RELEASE/spring-security-web-5.3.9.RELEASE.jar

Dependency Hierarchy:

• spring-cloud-starter-oauth2-2.2.5.RELEASE.jar (Root Library)
  • spring-security-oauth2-autoconfigure-2.1.2.RELEASE.jar
    • spring-security-oauth2-2.3.4.RELEASE.jar
      • ❌ spring-security-web-5.3.9.RELEASE.jar (Vulnerable Library)

Found in HEAD commit: e15b11f25c09db87ec8d05d57b6e62f1bb4856a0

Found in base branch: develop

Vulnerability Details

CSRF tokens in Spring Security through 5.4.6 are vulnerable to a breach attack. Spring Security always returns the same CSRF token to the browser.

Publish Date: 2016-08-02

URL: WS-2016-7107

CVSS 3 Score Details (5.9)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: None
  • Availability Impact: None

Vulnerable Library - spring-security-oauth2-2.3.4.RELEASE.jar

Module for providing OAuth2 support to Spring Security

Library home page: http://static.springframework.org/spring-security/oauth

Path to dependency file: ecossistemas/hr-oauth/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/security/oauth/spring-security-oauth2/2.3.4.RELEASE/spring-security-oauth2-2.3.4.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/security/oauth/spring-security-oauth2/2.3.4.RELEASE/spring-security-oauth2-2.3.4.RELEASE.jar

Dependency Hierarchy:

• spring-cloud-starter-oauth2-2.2.5.RELEASE.jar (Root Library)
  • spring-security-oauth2-autoconfigure-2.1.2.RELEASE.jar
    • ❌ spring-security-oauth2-2.3.4.RELEASE.jar (Vulnerable Library)

Found in HEAD commit: e15b11f25c09db87ec8d05d57b6e62f1bb4856a0

Found in base branch: develop

Vulnerability Details

Spring Security OAuth, versions 2.3 prior to 2.3.5, and 2.2 prior to 2.2.4, and 2.1 prior to 2.1.4, and 2.0 prior to 2.0.17, and older unsupported versions could be susceptible to an open redirector attack that can leak an authorization code. A malicious user or attacker can craft a request to the authorization endpoint using the authorization code grant type, and specify a manipulated redirection URI via the "redirect_uri" parameter. This can cause the authorization server to redirect the resource owner user-agent to a URI under the control of the attacker with the leaked authorization code. This vulnerability exposes applications that meet all of the following requirements: Act in the role of an Authorization Server (e.g. @EnableAuthorizationServer) and uses the DefaultRedirectResolver in the AuthorizationEndpoint. This vulnerability does not expose applications that: Act in the role of an Authorization Server and uses a different RedirectResolver implementation other than DefaultRedirectResolver, act in the role of a Resource Server only (e.g. @EnableResourceServer), act in the role of a Client only (e.g. @EnableOAuthClient).

Publish Date: 2019-03-07

URL: CVE-2019-3778

CVSS 3 Score Details (6.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://pivotal.io/security/cve-2019-3778

Release Date: 2019-02-21

Fix Resolution: 2.0.17,2.1.4,2.2.4,2.3.5

Vulnerable Library - xstream-1.4.14.jar

Library home page: http://x-stream.github.io

Path to dependency file: ecossistemas/hr-eurekaserver/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/thoughtworks/xstream/xstream/1.4.14/xstream-1.4.14.jar,/home/wss-scanner/.m2/repository/com/thoughtworks/xstream/xstream/1.4.14/xstream-1.4.14.jar,/home/wss-scanner/.m2/repository/com/thoughtworks/xstream/xstream/1.4.14/xstream-1.4.14.jar,/home/wss-scanner/.m2/repository/com/thoughtworks/xstream/xstream/1.4.14/xstream-1.4.14.jar,/home/wss-scanner/.m2/repository/com/thoughtworks/xstream/xstream/1.4.14/xstream-1.4.14.jar,/home/wss-scanner/.m2/repository/com/thoughtworks/xstream/xstream/1.4.14/xstream-1.4.14.jar

Dependency Hierarchy:

• spring-cloud-starter-netflix-eureka-client-2.2.8.RELEASE.jar (Root Library)
  • eureka-client-1.10.11.jar
    • ❌ xstream-1.4.14.jar (Vulnerable Library)

Found in HEAD commit: e15b11f25c09db87ec8d05d57b6e62f1bb4856a0

Found in base branch: develop

Vulnerability Details

XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability where the processed stream at unmarshalling time contains type information to recreate the formerly written objects. XStream creates therefore new instances based on these type information. An attacker can manipulate the processed input stream and replace or inject objects, that result in a server-side forgery request. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.

Publish Date: 2021-03-23

URL: CVE-2021-21342

CVSS 3 Score Details (9.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: GHSA-hvv8-336g-rx3m

Release Date: 2021-03-23

Fix Resolution: com.thoughtworks.xstream:xstream:1.4.16

Vulnerable Library - xstream-1.4.14.jar

Library home page: http://x-stream.github.io

Path to dependency file: ecossistemas/hr-eurekaserver/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/thoughtworks/xstream/xstream/1.4.14/xstream-1.4.14.jar,/home/wss-scanner/.m2/repository/com/thoughtworks/xstream/xstream/1.4.14/xstream-1.4.14.jar,/home/wss-scanner/.m2/repository/com/thoughtworks/xstream/xstream/1.4.14/xstream-1.4.14.jar,/home/wss-scanner/.m2/repository/com/thoughtworks/xstream/xstream/1.4.14/xstream-1.4.14.jar,/home/wss-scanner/.m2/repository/com/thoughtworks/xstream/xstream/1.4.14/xstream-1.4.14.jar,/home/wss-scanner/.m2/repository/com/thoughtworks/xstream/xstream/1.4.14/xstream-1.4.14.jar

Dependency Hierarchy:

• spring-cloud-starter-netflix-eureka-client-2.2.8.RELEASE.jar (Root Library)
  • eureka-client-1.10.11.jar
    • ❌ xstream-1.4.14.jar (Vulnerable Library)

Found in base branch: develop

Vulnerability Details

XStream is vulnerable to a Remote Command Execution attack before version 1.4.17. The vulnerability may allow a remote attacker has sufficient rights to execute commands of the host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types.

Publish Date: 2021-03-31

URL: CVE-2021-29505

CVSS 3 Score Details (6.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: GHSA-7chv-rrw6-w6fc

Release Date: 2021-03-31

Fix Resolution: com.thoughtworks.xstream:xstream:1.4.17

Vulnerable Library - xstream-1.4.14.jar

Library home page: http://x-stream.github.io

Path to dependency file: ecossistemas/hr-eurekaserver/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/thoughtworks/xstream/xstream/1.4.14/xstream-1.4.14.jar,/home/wss-scanner/.m2/repository/com/thoughtworks/xstream/xstream/1.4.14/xstream-1.4.14.jar,/home/wss-scanner/.m2/repository/com/thoughtworks/xstream/xstream/1.4.14/xstream-1.4.14.jar,/home/wss-scanner/.m2/repository/com/thoughtworks/xstream/xstream/1.4.14/xstream-1.4.14.jar,/home/wss-scanner/.m2/repository/com/thoughtworks/xstream/xstream/1.4.14/xstream-1.4.14.jar,/home/wss-scanner/.m2/repository/com/thoughtworks/xstream/xstream/1.4.14/xstream-1.4.14.jar

Dependency Hierarchy:

• spring-cloud-starter-netflix-eureka-client-2.2.8.RELEASE.jar (Root Library)
  • eureka-client-1.10.11.jar
    • ❌ xstream-1.4.14.jar (Vulnerable Library)

Found in HEAD commit: e15b11f25c09db87ec8d05d57b6e62f1bb4856a0

Found in base branch: develop

Vulnerability Details

XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.15, a Server-Side Forgery Request vulnerability can be activated when unmarshalling. The vulnerability may allow a remote attacker to request data from internal resources that are not publicly available only by manipulating the processed input stream. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.15. The reported vulnerability does not exist if running Java 15 or higher. No user is affected who followed the recommendation to setup XStream's Security Framework with a whitelist! Anyone relying on XStream's default blacklist can immediately switch to a whilelist for the allowed types to avoid the vulnerability. Users of XStream 1.4.14 or below who still want to use XStream default blacklist can use a workaround described in more detailed in the referenced advisories.

Publish Date: 2020-12-16

URL: CVE-2020-26258

CVSS 3 Score Details (7.7)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: None
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: GHSA-4cch-wxpw-8p28

Release Date: 2020-12-16

Fix Resolution: com.thoughtworks.xstream:xstream:1.4.15

Vulnerable Library - xstream-1.4.14.jar

Library home page: http://x-stream.github.io

Path to dependency file: ecossistemas/hr-eurekaserver/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/thoughtworks/xstream/xstream/1.4.14/xstream-1.4.14.jar,/home/wss-scanner/.m2/repository/com/thoughtworks/xstream/xstream/1.4.14/xstream-1.4.14.jar,/home/wss-scanner/.m2/repository/com/thoughtworks/xstream/xstream/1.4.14/xstream-1.4.14.jar,/home/wss-scanner/.m2/repository/com/thoughtworks/xstream/xstream/1.4.14/xstream-1.4.14.jar,/home/wss-scanner/.m2/repository/com/thoughtworks/xstream/xstream/1.4.14/xstream-1.4.14.jar,/home/wss-scanner/.m2/repository/com/thoughtworks/xstream/xstream/1.4.14/xstream-1.4.14.jar

Dependency Hierarchy:

• spring-cloud-starter-netflix-eureka-client-2.2.8.RELEASE.jar (Root Library)
  • eureka-client-1.10.11.jar
    • ❌ xstream-1.4.14.jar (Vulnerable Library)

Found in HEAD commit: e15b11f25c09db87ec8d05d57b6e62f1bb4856a0

Found in base branch: develop

Vulnerability Details

XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is vulnerability which may allow a remote attacker to allocate 100% CPU time on the target system depending on CPU type or parallel execution of such a payload resulting in a denial of service only by manipulating the processed input stream. No user is affected who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.

Publish Date: 2021-03-23

URL: CVE-2021-21341

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-2p3x-qw9c-25hh

Release Date: 2021-03-23

Fix Resolution: com.thoughtworks.xstream:xstream:1.4.16

Vulnerable Library - jackson-mapper-asl-1.9.13.jar

Data Mapper package is a high-performance data binding package built on Jackson JSON processor

Path to dependency file: ecossistemas/hr-oauth/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/codehaus/jackson/jackson-mapper-asl/1.9.13/jackson-mapper-asl-1.9.13.jar,/home/wss-scanner/.m2/repository/org/codehaus/jackson/jackson-mapper-asl/1.9.13/jackson-mapper-asl-1.9.13.jar

Dependency Hierarchy:

• spring-cloud-starter-oauth2-2.2.5.RELEASE.jar (Root Library)
  • spring-security-oauth2-autoconfigure-2.1.2.RELEASE.jar
    • spring-security-oauth2-2.3.4.RELEASE.jar
      • ❌ jackson-mapper-asl-1.9.13.jar (Vulnerable Library)

Found in HEAD commit: e15b11f25c09db87ec8d05d57b6e62f1bb4856a0

Found in base branch: develop

Vulnerability Details

A series of deserialization vulnerabilities have been discovered in Codehaus 1.9.x implemented in EAP 7. This CVE fixes CVE-2017-17485, CVE-2017-7525, CVE-2017-15095, CVE-2018-5968, CVE-2018-7489, CVE-2018-1000873, CVE-2019-12086 reported for FasterXML jackson-databind by implementing a whitelist approach that will mitigate these vulnerabilities and future ones alike.

Publish Date: 2019-10-01

URL: CVE-2019-10202

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://access.redhat.com/errata/RHSA-2019:2938

Release Date: 2019-10-01

Fix Resolution: JBoss Enterprise Application Platform - 7.2.4;com.fasterxml.jackson.core:jackson-databind:2.9.9

Vulnerable Library - plexus-utils-2.0.4.jar

A collection of various utility classes to ease working with strings, files, command lines, XML and more.

Path to dependency file: ecossistemas/hr-api-gateway-zuul/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/codehaus/plexus/plexus-utils/2.0.4/plexus-utils-2.0.4.jar

Dependency Hierarchy:

• maven-compiler-plugin-3.8.1.jar (Root Library)
  • maven-artifact-3.0.jar
    • ❌ plexus-utils-2.0.4.jar (Vulnerable Library)

Found in HEAD commit: e15b11f25c09db87ec8d05d57b6e62f1bb4856a0

Found in base branch: develop

Vulnerability Details

Security vulnerability found in plexus-utils before 3.0.24. XML injection found in XmlWriterUtil.java.

Publish Date: 2016-05-07

URL: WS-2016-7062

CVSS 2 Score Details (5.0)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: codehaus-plexus/plexus-utils@f933e5e

Release Date: 2019-09-26

Fix Resolution: 3.0.24

Vulnerable Library - xstream-1.4.14.jar

Library home page: http://x-stream.github.io

Path to dependency file: ecossistemas/hr-eurekaserver/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/thoughtworks/xstream/xstream/1.4.14/xstream-1.4.14.jar,/home/wss-scanner/.m2/repository/com/thoughtworks/xstream/xstream/1.4.14/xstream-1.4.14.jar,/home/wss-scanner/.m2/repository/com/thoughtworks/xstream/xstream/1.4.14/xstream-1.4.14.jar,/home/wss-scanner/.m2/repository/com/thoughtworks/xstream/xstream/1.4.14/xstream-1.4.14.jar,/home/wss-scanner/.m2/repository/com/thoughtworks/xstream/xstream/1.4.14/xstream-1.4.14.jar,/home/wss-scanner/.m2/repository/com/thoughtworks/xstream/xstream/1.4.14/xstream-1.4.14.jar

Dependency Hierarchy:

• spring-cloud-starter-netflix-eureka-client-2.2.8.RELEASE.jar (Root Library)
  • eureka-client-1.10.11.jar
    • ❌ xstream-1.4.14.jar (Vulnerable Library)

Found in HEAD commit: e15b11f25c09db87ec8d05d57b6e62f1bb4856a0

Found in base branch: develop

Vulnerability Details

XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker who has sufficient rights to execute commands of the host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.

Publish Date: 2021-03-23

URL: CVE-2021-21345

CVSS 3 Score Details (9.9)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-hwpc-8xqv-jvj4

Release Date: 2021-03-23

Fix Resolution: com.thoughtworks.xstream:xstream:1.4.16

Vulnerable Library - xstream-1.4.14.jar

Library home page: http://x-stream.github.io

Path to dependency file: ecossistemas/hr-eurekaserver/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/thoughtworks/xstream/xstream/1.4.14/xstream-1.4.14.jar,/home/wss-scanner/.m2/repository/com/thoughtworks/xstream/xstream/1.4.14/xstream-1.4.14.jar,/home/wss-scanner/.m2/repository/com/thoughtworks/xstream/xstream/1.4.14/xstream-1.4.14.jar,/home/wss-scanner/.m2/repository/com/thoughtworks/xstream/xstream/1.4.14/xstream-1.4.14.jar,/home/wss-scanner/.m2/repository/com/thoughtworks/xstream/xstream/1.4.14/xstream-1.4.14.jar,/home/wss-scanner/.m2/repository/com/thoughtworks/xstream/xstream/1.4.14/xstream-1.4.14.jar

Dependency Hierarchy:

• spring-cloud-starter-netflix-eureka-client-2.2.8.RELEASE.jar (Root Library)
  • eureka-client-1.10.11.jar
    • ❌ xstream-1.4.14.jar (Vulnerable Library)

Found in HEAD commit: e15b11f25c09db87ec8d05d57b6e62f1bb4856a0

Found in base branch: develop

Vulnerability Details

XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker to occupy a thread that consumes maximum CPU time and will never return. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.

Publish Date: 2021-03-23

URL: CVE-2021-21348

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-56p8-3fh9-4cvq

Release Date: 2021-03-23

Fix Resolution: com.thoughtworks.xstream:xstream:1.4.16

Vulnerable Library - xstream-1.4.14.jar

Library home page: http://x-stream.github.io

Path to dependency file: ecossistemas/hr-eurekaserver/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/thoughtworks/xstream/xstream/1.4.14/xstream-1.4.14.jar,/home/wss-scanner/.m2/repository/com/thoughtworks/xstream/xstream/1.4.14/xstream-1.4.14.jar,/home/wss-scanner/.m2/repository/com/thoughtworks/xstream/xstream/1.4.14/xstream-1.4.14.jar,/home/wss-scanner/.m2/repository/com/thoughtworks/xstream/xstream/1.4.14/xstream-1.4.14.jar,/home/wss-scanner/.m2/repository/com/thoughtworks/xstream/xstream/1.4.14/xstream-1.4.14.jar,/home/wss-scanner/.m2/repository/com/thoughtworks/xstream/xstream/1.4.14/xstream-1.4.14.jar

Dependency Hierarchy:

• spring-cloud-starter-netflix-eureka-client-2.2.8.RELEASE.jar (Root Library)
  • eureka-client-1.10.11.jar
    • ❌ xstream-1.4.14.jar (Vulnerable Library)

Found in HEAD commit: e15b11f25c09db87ec8d05d57b6e62f1bb4856a0

Found in base branch: develop

Vulnerability Details

XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability where the processed stream at unmarshalling time contains type information to recreate the formerly written objects. XStream creates therefore new instances based on these type information. An attacker can manipulate the processed input stream and replace or inject objects, that result in the deletion of a file on the local host. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.

Publish Date: 2021-03-23

URL: CVE-2021-21343

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: High
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: GHSA-74cv-f58x-f9wf

Release Date: 2021-03-23

Fix Resolution: com.thoughtworks.xstream:xstream:1.4.16

Vulnerable Library - plexus-utils-2.0.4.jar

A collection of various utility classes to ease working with strings, files, command lines, XML and more.

Path to dependency file: ecossistemas/hr-api-gateway-zuul/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/codehaus/plexus/plexus-utils/2.0.4/plexus-utils-2.0.4.jar

Dependency Hierarchy:

• maven-compiler-plugin-3.8.1.jar (Root Library)
  • maven-artifact-3.0.jar
    • ❌ plexus-utils-2.0.4.jar (Vulnerable Library)

Found in HEAD commit: e15b11f25c09db87ec8d05d57b6e62f1bb4856a0

Found in base branch: develop

Vulnerability Details

Plexus-utils before 3.0.24 are vulnerable to Directory Traversal

Publish Date: 2016-05-07

URL: WS-2016-7057

CVSS 3 Score Details (5.9)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: codehaus-plexus/plexus-utils@33a2853

Release Date: 2019-05-30

Fix Resolution: 3.0.24

Vulnerable Library - xstream-1.4.14.jar

Library home page: http://x-stream.github.io

Path to dependency file: ecossistemas/hr-eurekaserver/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/thoughtworks/xstream/xstream/1.4.14/xstream-1.4.14.jar,/home/wss-scanner/.m2/repository/com/thoughtworks/xstream/xstream/1.4.14/xstream-1.4.14.jar,/home/wss-scanner/.m2/repository/com/thoughtworks/xstream/xstream/1.4.14/xstream-1.4.14.jar,/home/wss-scanner/.m2/repository/com/thoughtworks/xstream/xstream/1.4.14/xstream-1.4.14.jar,/home/wss-scanner/.m2/repository/com/thoughtworks/xstream/xstream/1.4.14/xstream-1.4.14.jar,/home/wss-scanner/.m2/repository/com/thoughtworks/xstream/xstream/1.4.14/xstream-1.4.14.jar

Dependency Hierarchy:

• spring-cloud-starter-netflix-eureka-client-2.2.8.RELEASE.jar (Root Library)
  • eureka-client-1.10.11.jar
    • ❌ xstream-1.4.14.jar (Vulnerable Library)

Found in HEAD commit: e15b11f25c09db87ec8d05d57b6e62f1bb4856a0

Found in base branch: develop

Vulnerability Details

XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.

Publish Date: 2021-03-23

URL: CVE-2021-21347

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-qpfq-ph7r-qv6f

Release Date: 2021-03-23

Fix Resolution: com.thoughtworks.xstream:xstream:1.4.16

Vulnerable Library - xstream-1.4.14.jar

Library home page: http://x-stream.github.io

Path to dependency file: ecossistemas/hr-eurekaserver/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/thoughtworks/xstream/xstream/1.4.14/xstream-1.4.14.jar,/home/wss-scanner/.m2/repository/com/thoughtworks/xstream/xstream/1.4.14/xstream-1.4.14.jar,/home/wss-scanner/.m2/repository/com/thoughtworks/xstream/xstream/1.4.14/xstream-1.4.14.jar,/home/wss-scanner/.m2/repository/com/thoughtworks/xstream/xstream/1.4.14/xstream-1.4.14.jar,/home/wss-scanner/.m2/repository/com/thoughtworks/xstream/xstream/1.4.14/xstream-1.4.14.jar,/home/wss-scanner/.m2/repository/com/thoughtworks/xstream/xstream/1.4.14/xstream-1.4.14.jar

Dependency Hierarchy:

• spring-cloud-starter-netflix-eureka-client-2.2.8.RELEASE.jar (Root Library)
  • eureka-client-1.10.11.jar
    • ❌ xstream-1.4.14.jar (Vulnerable Library)

Found in HEAD commit: e15b11f25c09db87ec8d05d57b6e62f1bb4856a0

Found in base branch: develop

Vulnerability Details

XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.

Publish Date: 2021-03-23

URL: CVE-2021-21346

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-4hrm-m67v-5cxr

Release Date: 2021-03-23

Fix Resolution: com.thoughtworks.xstream:xstream:1.4.16

Vulnerable Library - xstream-1.4.14.jar

Library home page: http://x-stream.github.io

Path to dependency file: ecossistemas/hr-eurekaserver/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/thoughtworks/xstream/xstream/1.4.14/xstream-1.4.14.jar,/home/wss-scanner/.m2/repository/com/thoughtworks/xstream/xstream/1.4.14/xstream-1.4.14.jar,/home/wss-scanner/.m2/repository/com/thoughtworks/xstream/xstream/1.4.14/xstream-1.4.14.jar,/home/wss-scanner/.m2/repository/com/thoughtworks/xstream/xstream/1.4.14/xstream-1.4.14.jar,/home/wss-scanner/.m2/repository/com/thoughtworks/xstream/xstream/1.4.14/xstream-1.4.14.jar,/home/wss-scanner/.m2/repository/com/thoughtworks/xstream/xstream/1.4.14/xstream-1.4.14.jar

Dependency Hierarchy:

• spring-cloud-starter-netflix-eureka-client-2.2.8.RELEASE.jar (Root Library)
  • eureka-client-1.10.11.jar
    • ❌ xstream-1.4.14.jar (Vulnerable Library)

Found in HEAD commit: e15b11f25c09db87ec8d05d57b6e62f1bb4856a0

Found in base branch: develop

Vulnerability Details

XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker to execute arbitrary code only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.

Publish Date: 2021-03-23

URL: CVE-2021-21350

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-43gc-mjxg-gvrq

Release Date: 2021-03-23

Fix Resolution: com.thoughtworks.xstream:xstream:1.4.16

Vulnerable Library - spring-security-oauth2-2.3.4.RELEASE.jar

Module for providing OAuth2 support to Spring Security

Library home page: http://static.springframework.org/spring-security/oauth

Path to dependency file: ecossistemas/hr-oauth/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/security/oauth/spring-security-oauth2/2.3.4.RELEASE/spring-security-oauth2-2.3.4.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/security/oauth/spring-security-oauth2/2.3.4.RELEASE/spring-security-oauth2-2.3.4.RELEASE.jar

Dependency Hierarchy:

• spring-cloud-starter-oauth2-2.2.5.RELEASE.jar (Root Library)
  • spring-security-oauth2-autoconfigure-2.1.2.RELEASE.jar
    • ❌ spring-security-oauth2-2.3.4.RELEASE.jar (Vulnerable Library)

Found in HEAD commit: e15b11f25c09db87ec8d05d57b6e62f1bb4856a0

Found in base branch: develop

Vulnerability Details

Spring Security OAuth versions 2.3 prior to 2.3.6, 2.2 prior to 2.2.5, 2.1 prior to 2.1.5, and 2.0 prior to 2.0.18, as well as older unsupported versions could be susceptible to an open redirector attack that can leak an authorization code. A malicious user or attacker can craft a request to the authorization endpoint using the authorization code grant type, and specify a manipulated redirection URI via the redirect_uri parameter. This can cause the authorization server to redirect the resource owner user-agent to a URI under the control of the attacker with the leaked authorization code.

Publish Date: 2019-06-12

URL: CVE-2019-11269

CVSS 3 Score Details (5.4)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://pivotal.io/security/cve-2019-11269

Release Date: 2019-06-11

Fix Resolution: 2.3.6, 2.2.5, 2.1.5, 2.0.18

Vulnerable Library - xstream-1.4.14.jar

Library home page: http://x-stream.github.io

Path to dependency file: ecossistemas/hr-eurekaserver/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/thoughtworks/xstream/xstream/1.4.14/xstream-1.4.14.jar,/home/wss-scanner/.m2/repository/com/thoughtworks/xstream/xstream/1.4.14/xstream-1.4.14.jar,/home/wss-scanner/.m2/repository/com/thoughtworks/xstream/xstream/1.4.14/xstream-1.4.14.jar,/home/wss-scanner/.m2/repository/com/thoughtworks/xstream/xstream/1.4.14/xstream-1.4.14.jar,/home/wss-scanner/.m2/repository/com/thoughtworks/xstream/xstream/1.4.14/xstream-1.4.14.jar,/home/wss-scanner/.m2/repository/com/thoughtworks/xstream/xstream/1.4.14/xstream-1.4.14.jar

Dependency Hierarchy:

• spring-cloud-starter-netflix-eureka-client-2.2.8.RELEASE.jar (Root Library)
  • eureka-client-1.10.11.jar
    • ❌ xstream-1.4.14.jar (Vulnerable Library)

Found in HEAD commit: e15b11f25c09db87ec8d05d57b6e62f1bb4856a0

Found in base branch: develop

Vulnerability Details

XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.

Publish Date: 2021-03-23

URL: CVE-2021-21351

CVSS 3 Score Details (9.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: High
  • User Interaction: None
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-hrcp-8f3q-4w2c

Release Date: 2021-03-23

Fix Resolution: com.thoughtworks.xstream:xstream:1.4.16

Vulnerable Library - plexus-utils-2.0.4.jar

A collection of various utility classes to ease working with strings, files, command lines, XML and more.

Path to dependency file: ecossistemas/hr-api-gateway-zuul/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/codehaus/plexus/plexus-utils/2.0.4/plexus-utils-2.0.4.jar

Dependency Hierarchy:

• maven-compiler-plugin-3.8.1.jar (Root Library)
  • maven-artifact-3.0.jar
    • ❌ plexus-utils-2.0.4.jar (Vulnerable Library)

Found in HEAD commit: e15b11f25c09db87ec8d05d57b6e62f1bb4856a0

Found in base branch: develop

Vulnerability Details

Plexus-utils before 3.0.16 is vulnerable to command injection because it does not correctly process the contents of double quoted strings.

Publish Date: 2018-01-03

URL: CVE-2017-1000487

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2017-1000487

Release Date: 2018-01-03

Fix Resolution: 3.0.16

Vulnerable Library - xstream-1.4.14.jar

Library home page: http://x-stream.github.io

Path to dependency file: ecossistemas/hr-eurekaserver/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/thoughtworks/xstream/xstream/1.4.14/xstream-1.4.14.jar,/home/wss-scanner/.m2/repository/com/thoughtworks/xstream/xstream/1.4.14/xstream-1.4.14.jar,/home/wss-scanner/.m2/repository/com/thoughtworks/xstream/xstream/1.4.14/xstream-1.4.14.jar,/home/wss-scanner/.m2/repository/com/thoughtworks/xstream/xstream/1.4.14/xstream-1.4.14.jar,/home/wss-scanner/.m2/repository/com/thoughtworks/xstream/xstream/1.4.14/xstream-1.4.14.jar,/home/wss-scanner/.m2/repository/com/thoughtworks/xstream/xstream/1.4.14/xstream-1.4.14.jar

Dependency Hierarchy:

• spring-cloud-starter-netflix-eureka-client-2.2.8.RELEASE.jar (Root Library)
  • eureka-client-1.10.11.jar
    • ❌ xstream-1.4.14.jar (Vulnerable Library)

Found in HEAD commit: e15b11f25c09db87ec8d05d57b6e62f1bb4856a0

Found in base branch: develop

Vulnerability Details

XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.15, is vulnerable to an Arbitrary File Deletion on the local host when unmarshalling. The vulnerability may allow a remote attacker to delete arbitrary know files on the host as log as the executing process has sufficient rights only by manipulating the processed input stream. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.15. The reported vulnerability does not exist running Java 15 or higher. No user is affected, who followed the recommendation to setup XStream's Security Framework with a whitelist! Anyone relying on XStream's default blacklist can immediately switch to a whilelist for the allowed types to avoid the vulnerability. Users of XStream 1.4.14 or below who still want to use XStream default blacklist can use a workaround described in more detailed in the referenced advisories.

Publish Date: 2020-12-16

URL: CVE-2020-26259

CVSS 3 Score Details (6.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: High
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: GHSA-jfvx-7wrx-43fh

Release Date: 2020-12-16

Fix Resolution: com.thoughtworks.xstream:xstream:1.4.15

Vulnerable Libraries - commons-io-2.2.jar, commons-io-2.4.jar

Found in HEAD commit: e15b11f25c09db87ec8d05d57b6e62f1bb4856a0

Found in base branch: develop

Vulnerability Details

In Apache Commons IO before 2.7, When invoking the method FileNameUtils.normalize with an improper input string, like "//../foo", or "\..\foo", the result would be the same value, thus possibly providing access to files in the parent directory, but not further above (thus "limited" path traversal), if the calling code would use the result to construct a path value.

Publish Date: 2021-04-13

URL: CVE-2021-29425

CVSS 3 Score Details (5.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: None
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29425

Release Date: 2021-04-13

Fix Resolution: commons-io:commons-io:2.7

Vulnerable Library - xstream-1.4.14.jar

Library home page: http://x-stream.github.io

Path to dependency file: ecossistemas/hr-eurekaserver/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/thoughtworks/xstream/xstream/1.4.14/xstream-1.4.14.jar,/home/wss-scanner/.m2/repository/com/thoughtworks/xstream/xstream/1.4.14/xstream-1.4.14.jar,/home/wss-scanner/.m2/repository/com/thoughtworks/xstream/xstream/1.4.14/xstream-1.4.14.jar,/home/wss-scanner/.m2/repository/com/thoughtworks/xstream/xstream/1.4.14/xstream-1.4.14.jar,/home/wss-scanner/.m2/repository/com/thoughtworks/xstream/xstream/1.4.14/xstream-1.4.14.jar,/home/wss-scanner/.m2/repository/com/thoughtworks/xstream/xstream/1.4.14/xstream-1.4.14.jar

Dependency Hierarchy:

• spring-cloud-starter-netflix-eureka-client-2.2.8.RELEASE.jar (Root Library)
  • eureka-client-1.10.11.jar
    • ❌ xstream-1.4.14.jar (Vulnerable Library)

Found in HEAD commit: e15b11f25c09db87ec8d05d57b6e62f1bb4856a0

Found in base branch: develop

Vulnerability Details

XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker to request data from internal resources that are not publicly available only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.

Publish Date: 2021-03-23

URL: CVE-2021-21349

CVSS 3 Score Details (8.6)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: None
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: GHSA-f6hm-88x3-mfjv

Release Date: 2021-03-23

Fix Resolution: com.thoughtworks.xstream:xstream:1.4.16