Coder Social home page Coder Social logo

qa-framework's Introduction

QA Framework

This repo uses Selenium web driver with Java for UI automation of xcov19.

Prerequisites

  1. Install java https://www.oracle.com/java/technologies/downloads/#jdk17-mac
$ java -version
java version "17.0.2" 2022-01-18 LTS
Java(TM) SE Runtime Environment (build 17.0.2+8-LTS-86)
Java HotSpot(TM) 64-Bit Server VM (build 17.0.2+8-LTS-86, mixed mode, sharing)
  1. Install maven https://maven.apache.org/download.cgi
$ mvn -version
Apache Maven 3.8.4 (9b656c72d54e5bacbed989b64718c159fe39b537)
Maven home: /usr/local/Cellar/maven/3.8.4/libexec
Java version: 17.0.2, vendor: Homebrew, runtime: /usr/local/Cellar/openjdk/17.0.2/libexec/openjdk.jdk/Contents/Home
Default locale: en_US, platform encoding: UTF-8
OS name: "mac os x", version: "10.15.7", arch: "x86_64", family: "mac"

To start automation script

  1. Go to the project root directory
$ cd qa-framework
  1. Start the script
  $ mvn test
  1. Command to run a particular test class
$ mvn test -Dtest="classname"

Example:

$ mvn test -Dtest="com.xcov19.test.LoginValidation"
  1. Command to pass URL
$ mvn test -Durl=url

Example

mvn test -Durl=https://www.mycovidconnect.com/
  1. Command to create and pass URL in an environment variable
$ export URL="https://www.mycovidconnect.com/"

$ mvn test -Durl=$URL

Steps to setup using Eclipse

  1. Install Eclipse
  2. Create a workspace in your local. Workspace is nothing but a folder which is dedicated for all selenium files.
  3. Open Eclipse and switch to the newly created workspace.
  4. Copy all the files from git into your local.
  5. There is no need to add any drivers or libraries externally as we have created a Maven project and everything that is required, is available in pom.xml file of the project. ie dependancy code with the list of all jar files and libraries.

Project structure:

Consists of two main folders:

src/main/java

Consists of two packages:

  • com.XCOV19.generics: consists of classes and interfaces with all userdefined reusable methods.
  • com.XCOV19.pom: consists of all the POM(Page object model) classes (To be created by QA).
src/test/java

Consists of one package:

  • com.XCOV19.test: This package consists of all the test classes. Each test class is one test case (To be created by QA).

Steps to run the test classes on Eclipse

  • Right click on the project.
  • Click on TestNG.
  • Select convert to TestNG option.
  • Refresh the project. testng.xml file will be created with all the test classes within it.
  • Open the testng.xml file.
  • Click on Run as button available on the top menu bar.
  • Select TestNG suite and click on OK.

Steps to see the output

  • Click on the Test output folder.
  • Right click on emailable report and mouse hover on Open with.
  • Select web browser option. A detailed report with all passed and failed test cases is shown.

qa-framework's People

Contributors

akshathagujjar avatar codecakes avatar mend-bolt-for-github[bot] avatar

Stargazers

Tejas Gujjar avatar avatar

Watchers

James Cloos avatar Atul avatar avatar Tejas Gujjar avatar avatar

qa-framework's Issues

CVE-2022-36033 (Medium) detected in jsoup-1.13.1.jar

CVE-2022-36033 - Medium Severity Vulnerability

Vulnerable Library - jsoup-1.13.1.jar

jsoup is a Java library for working with real-world HTML. It provides a very convenient API for extracting and manipulating data, using the best of DOM, CSS, and jquery-like methods. jsoup implements the WHATWG HTML5 specification, and parses HTML to the same DOM as modern browsers do.

Library home page: https://jsoup.org/

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/jsoup/jsoup/1.13.1/jsoup-1.13.1.jar

Dependency Hierarchy:

  • webdrivermanager-4.2.2.jar (Root Library)
    • jsoup-1.13.1.jar (Vulnerable Library)

Found in HEAD commit: 160e69822964b88ff887ba903106f5fc169a5abf

Found in base branch: main

Vulnerability Details

jsoup is a Java HTML parser, built for HTML editing, cleaning, scraping, and cross-site scripting (XSS) safety. jsoup may incorrectly sanitize HTML including javascript: URL expressions, which could allow XSS attacks when a reader subsequently clicks that link. If the non-default SafeList.preserveRelativeLinks option is enabled, HTML including javascript: URLs that have been crafted with control characters will not be sanitized. If the site that this HTML is published on does not set a Content Security Policy, an XSS attack is then possible. This issue is patched in jsoup 1.15.3. Users should upgrade to this version. Additionally, as the unsanitized input may have been persisted, old content should be cleaned again using the updated version. To remediate this issue without immediately upgrading: - disable SafeList.preserveRelativeLinks, which will rewrite input URLs as absolute URLs - ensure an appropriate Content Security Policy is defined. (This should be used regardless of upgrading, as a defence-in-depth best practice.)

Publish Date: 2022-08-29

URL: CVE-2022-36033

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-gp7f-rwcx-9369

Release Date: 2022-08-29

Fix Resolution: org.jsoup:jsoup:1.15.3

Step up your Open Source Security Game with Mend here

WS-2020-0408 (High) detected in netty-handler-4.1.43.Final.jar

WS-2020-0408 - High Severity Vulnerability

Vulnerable Library - netty-handler-4.1.43.Final.jar

Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers and clients.

Library home page: https://netty.io/

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/io/netty/netty-handler/4.1.43.Final/netty-handler-4.1.43.Final.jar

Dependency Hierarchy:

  • selenium-java-4.0.0-alpha-5.jar (Root Library)
    • selenium-remote-driver-4.0.0-alpha-5.jar
      • netty-reactive-streams-2.0.4.jar
        • netty-handler-4.1.43.Final.jar (Vulnerable Library)

Found in HEAD commit: 160e69822964b88ff887ba903106f5fc169a5abf

Found in base branch: main

Vulnerability Details

An issue was found in all versions of io.netty:netty-all. Host verification in Netty is disabled by default. This can lead to MITM attack in which an attacker can forge valid SSL/TLS certificates for a different hostname in order to intercept traffic that doesn’t intend for him. This is an issue because the certificate is not matched with the host.

Publish Date: 2020-06-22

URL: WS-2020-0408

CVSS 3 Score Details (7.4)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/WS-2020-0408

Release Date: 2020-06-22

Fix Resolution: io.netty:netty-all - 4.1.68.Final-redhat-00001,4.0.0.Final,4.1.67.Final-redhat-00002;io.netty:netty-handler - 4.1.68.Final-redhat-00001,4.1.67.Final-redhat-00001

Step up your Open Source Security Game with Mend here

CVE-2021-43797 (Medium) detected in netty-codec-http-4.1.47.Final.jar

CVE-2021-43797 - Medium Severity Vulnerability

Vulnerable Library - netty-codec-http-4.1.47.Final.jar

Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers and clients.

Library home page: https://netty.io/

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/io/netty/netty-codec-http/4.1.47.Final/netty-codec-http-4.1.47.Final.jar

Dependency Hierarchy:

  • selenium-java-4.0.0-alpha-5.jar (Root Library)
    • selenium-remote-driver-4.0.0-alpha-5.jar
      • netty-codec-http-4.1.47.Final.jar (Vulnerable Library)

Found in HEAD commit: 160e69822964b88ff887ba903106f5fc169a5abf

Found in base branch: main

Vulnerability Details

Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. Netty prior to version 4.1.71.Final skips control chars when they are present at the beginning / end of the header name. It should instead fail fast as these are not allowed by the spec and could lead to HTTP request smuggling. Failing to do the validation might cause netty to "sanitize" header names before it forward these to another remote system when used as proxy. This remote system can't see the invalid usage anymore, and therefore does not do the validation itself. Users should upgrade to version 4.1.71.Final.
Mend Note: After conducting further research, Mend has determined that all versions of netty up to version 4.1.71.Final are vulnerable to CVE-2021-43797.

Publish Date: 2021-12-09

URL: CVE-2021-43797

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: CVE-2021-43797

Release Date: 2021-12-09

Fix Resolution: io.netty:netty-codec-http:4.1.71.Final,io.netty:netty-all:4.1.71.Final

Step up your Open Source Security Game with Mend here

[DepShield] (CVSS 7.5) Vulnerability due to usage of org.jsoup:jsoup:1.13.1

Vulnerabilities

DepShield reports that this application's usage of org.jsoup:jsoup:1.13.1 results in the following vulnerability(s):

Occurrences

org.jsoup:jsoup:1.13.1 is a transitive dependency introduced by the following direct dependency(s):

io.github.bonigarcia:webdrivermanager:4.2.2
        └─ org.jsoup:jsoup:1.13.1

This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.

CVE-2020-13956 (Medium) detected in httpclient5-5.0.1.jar

CVE-2020-13956 - Medium Severity Vulnerability

Vulnerable Library - httpclient5-5.0.1.jar

Apache HttpComponents Client

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/httpcomponents/client5/httpclient5/5.0.1/httpclient5-5.0.1.jar

Dependency Hierarchy:

  • webdrivermanager-4.2.2.jar (Root Library)
    • httpclient5-5.0.1.jar (Vulnerable Library)

Found in HEAD commit: 160e69822964b88ff887ba903106f5fc169a5abf

Found in base branch: main

Vulnerability Details

Apache HttpClient versions prior to version 4.5.13 and 5.0.3 can misinterpret malformed authority component in request URIs passed to the library as java.net.URI object and pick the wrong target host for request execution.

Publish Date: 2020-12-02

URL: CVE-2020-13956

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-13956

Release Date: 2020-12-02

Fix Resolution: org.apache.httpcomponents:httpclient:4.5.13;org.apache.httpcomponents:httpclient-osgi:4.5.13;org.apache.httpcomponents.client5:httpclient5:5.0.3;org.apache.httpcomponents.client5:httpclient5-osgi:5.0.3

Step up your Open Source Security Game with Mend here

[DepShield] (CVSS 9.8) Vulnerability due to usage of org.codehaus.plexus:plexus-utils:2.0.4

Vulnerabilities

DepShield reports that this application's usage of org.codehaus.plexus:plexus-utils:2.0.4 results in the following vulnerability(s):

Occurrences

org.codehaus.plexus:plexus-utils:2.0.4 is a transitive dependency introduced by the following direct dependency(s):

org.apache.maven.plugins:maven-compiler-plugin:3.8.1
        └─ org.apache.maven:maven-artifact:3.0
              └─ org.codehaus.plexus:plexus-utils:2.0.4

This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.

CVE-2022-41915 (Medium) detected in netty-codec-http-4.1.47.Final.jar - autoclosed

CVE-2022-41915 - Medium Severity Vulnerability

Vulnerable Library - netty-codec-http-4.1.47.Final.jar

Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers and clients.

Library home page: https://netty.io/

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/io/netty/netty-codec-http/4.1.47.Final/netty-codec-http-4.1.47.Final.jar

Dependency Hierarchy:

  • selenium-java-4.0.0-alpha-5.jar (Root Library)
    • selenium-remote-driver-4.0.0-alpha-5.jar
      • netty-codec-http-4.1.47.Final.jar (Vulnerable Library)

Found in HEAD commit: 160e69822964b88ff887ba903106f5fc169a5abf

Found in base branch: main

Vulnerability Details

Netty project is an event-driven asynchronous network application framework. Starting in version 4.1.83.Final and prior to 4.1.86.Final, when calling DefaultHttpHeadesr.set with an iterator of values, header value validation was not performed, allowing malicious header values in the iterator to perform HTTP Response Splitting. This issue has been patched in version 4.1.86.Final. Integrators can work around the issue by changing the DefaultHttpHeaders.set(CharSequence, Iterator<?>) call, into a remove() call, and call add() in a loop over the iterator of values.

Publish Date: 2022-12-13

URL: CVE-2022-41915

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2022-12-13

Fix Resolution: io.netty:netty-codec-http:4.1.86.Final

Step up your Open Source Security Game with Mend here

CVE-2021-23926 (High) detected in xmlbeans-2.6.0.jar

CVE-2021-23926 - High Severity Vulnerability

Vulnerable Library - xmlbeans-2.6.0.jar

XmlBeans main jar

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/xmlbeans/xmlbeans/2.6.0/xmlbeans-2.6.0.jar

Dependency Hierarchy:

  • poi-ooxml-3.17.jar (Root Library)
    • poi-ooxml-schemas-3.17.jar
      • xmlbeans-2.6.0.jar (Vulnerable Library)

Found in HEAD commit: 160e69822964b88ff887ba903106f5fc169a5abf

Found in base branch: main

Vulnerability Details

The XML parsers used by XMLBeans up to version 2.6.0 did not set the properties needed to protect the user from malicious XML input. Vulnerabilities include possibilities for XML Entity Expansion attacks. Affects XMLBeans up to and including v2.6.0.

Publish Date: 2021-01-14

URL: CVE-2021-23926

CVSS 3 Score Details (9.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23926

Release Date: 2021-01-14

Fix Resolution (org.apache.xmlbeans:xmlbeans): 3.0.0

Direct dependency fix Resolution (org.apache.poi:poi-ooxml): 4.0.0

Step up your Open Source Security Game with Mend here

CVE-2022-25647 (High) detected in gson-2.8.6.jar

CVE-2022-25647 - High Severity Vulnerability

Vulnerable Library - gson-2.8.6.jar

Gson JSON library

Library home page: https://github.com/google/gson

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/google/code/gson/gson/2.8.6/gson-2.8.6.jar

Dependency Hierarchy:

  • webdrivermanager-4.2.2.jar (Root Library)
    • gson-2.8.6.jar (Vulnerable Library)

Found in HEAD commit: 160e69822964b88ff887ba903106f5fc169a5abf

Found in base branch: main

Vulnerability Details

The package com.google.code.gson:gson before 2.8.9 are vulnerable to Deserialization of Untrusted Data via the writeReplace() method in internal classes, which may lead to DoS attacks.

Publish Date: 2022-05-01

URL: CVE-2022-25647

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25647`

Release Date: 2022-05-01

Fix Resolution: com.google.code.gson:gson:gson-parent-2.8.9

Step up your Open Source Security Game with Mend here

WS-2021-0419 (High) detected in gson-2.8.6.jar

WS-2021-0419 - High Severity Vulnerability

Vulnerable Library - gson-2.8.6.jar

Gson JSON library

Library home page: https://github.com/google/gson

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/google/code/gson/gson/2.8.6/gson-2.8.6.jar

Dependency Hierarchy:

  • webdrivermanager-4.2.2.jar (Root Library)
    • gson-2.8.6.jar (Vulnerable Library)

Found in HEAD commit: 160e69822964b88ff887ba903106f5fc169a5abf

Found in base branch: main

Vulnerability Details

Denial of Service vulnerability was discovered in gson before 2.8.9 via the writeReplace() method.

Publish Date: 2021-10-11

URL: WS-2021-0419

CVSS 3 Score Details (7.7)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2021-10-11

Fix Resolution: com.google.code.gson:gson:2.8.9

Step up your Open Source Security Game with Mend here

WS-2016-7057 (Medium) detected in plexus-utils-2.0.4.jar

WS-2016-7057 - Medium Severity Vulnerability

Vulnerable Library - plexus-utils-2.0.4.jar

A collection of various utility classes to ease working with strings, files, command lines, XML and more.

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/codehaus/plexus/plexus-utils/2.0.4/plexus-utils-2.0.4.jar

Dependency Hierarchy:

  • maven-compiler-plugin-3.8.1.jar (Root Library)
    • maven-artifact-3.0.jar
      • plexus-utils-2.0.4.jar (Vulnerable Library)

Found in HEAD commit: 160e69822964b88ff887ba903106f5fc169a5abf

Found in base branch: main

Vulnerability Details

Plexus-utils before 3.0.24 are vulnerable to Directory Traversal

Publish Date: 2016-05-07

URL: WS-2016-7057

CVSS 3 Score Details (5.9)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2016-05-07

Fix Resolution: 3.0.24

Step up your Open Source Security Game with Mend here

CVE-2021-35515 (High) detected in commons-compress-1.20.jar

CVE-2021-35515 - High Severity Vulnerability

Vulnerable Library - commons-compress-1.20.jar

Apache Commons Compress software defines an API for working with compression and archive formats. These include: bzip2, gzip, pack200, lzma, xz, Snappy, traditional Unix Compress, DEFLATE, DEFLATE64, LZ4, Brotli, Zstandard and ar, cpio, jar, tar, zip, dump, 7z, arj.

Library home page: https://commons.apache.org/proper/commons-compress/

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/commons/commons-compress/1.20/commons-compress-1.20.jar

Dependency Hierarchy:

  • webdrivermanager-4.2.2.jar (Root Library)
    • jarchivelib-1.1.0.jar
      • commons-compress-1.20.jar (Vulnerable Library)

Found in HEAD commit: 160e69822964b88ff887ba903106f5fc169a5abf

Found in base branch: main

Vulnerability Details

When reading a specially crafted 7Z archive, the construction of the list of codecs that decompress an entry can result in an infinite loop. This could be used to mount a denial of service attack against services that use Compress' sevenz package.

Publish Date: 2021-07-13

URL: CVE-2021-35515

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://commons.apache.org/proper/commons-compress/security-reports.html

Release Date: 2021-07-13

Fix Resolution: org.apache.commons:commons-compress:1.21

Step up your Open Source Security Game with Mend here

CVE-2022-4065 (High) detected in testng-6.14.3.jar

CVE-2022-4065 - High Severity Vulnerability

Vulnerable Library - testng-6.14.3.jar

A testing framework for the JVM

Library home page: http://testng.org

Path to dependency file: /pom.xml

Path to vulnerable library: /pository/org/testng/testng/6.14.3/testng-6.14.3.jar

Dependency Hierarchy:

  • testng-6.14.3.jar (Vulnerable Library)

Found in HEAD commit: 160e69822964b88ff887ba903106f5fc169a5abf

Found in base branch: main

Vulnerability Details

A vulnerability was found in cbeust testng. It has been declared as critical. Affected by this vulnerability is the function testngXmlExistsInJar of the file testng-core/src/main/java/org/testng/JarFileUtils.java of the component XML File Parser. The manipulation leads to path traversal. The attack can be launched remotely. The name of the patch is 9150736cd2c123a6a3b60e6193630859f9f0422b. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-214027.

Publish Date: 2022-11-19

URL: CVE-2022-4065

CVSS 3 Score Details (7.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2022-11-19

Fix Resolution: 7.7.0

Step up your Open Source Security Game with Mend here

CVE-2021-35517 (High) detected in commons-compress-1.20.jar

CVE-2021-35517 - High Severity Vulnerability

Vulnerable Library - commons-compress-1.20.jar

Apache Commons Compress software defines an API for working with compression and archive formats. These include: bzip2, gzip, pack200, lzma, xz, Snappy, traditional Unix Compress, DEFLATE, DEFLATE64, LZ4, Brotli, Zstandard and ar, cpio, jar, tar, zip, dump, 7z, arj.

Library home page: https://commons.apache.org/proper/commons-compress/

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/commons/commons-compress/1.20/commons-compress-1.20.jar

Dependency Hierarchy:

  • webdrivermanager-4.2.2.jar (Root Library)
    • jarchivelib-1.1.0.jar
      • commons-compress-1.20.jar (Vulnerable Library)

Found in HEAD commit: 160e69822964b88ff887ba903106f5fc169a5abf

Found in base branch: main

Vulnerability Details

When reading a specially crafted TAR archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' tar package.

Publish Date: 2021-07-13

URL: CVE-2021-35517

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://commons.apache.org/proper/commons-compress/security-reports.html

Release Date: 2021-07-13

Fix Resolution: org.apache.commons:commons-compress:1.21

Step up your Open Source Security Game with Mend here

[DepShield] (CVSS 5.5) Vulnerability due to usage of org.apache.poi:poi:3.17

Vulnerabilities

DepShield reports that this application's usage of org.apache.poi:poi:3.17 results in the following vulnerability(s):

This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.

CVE-2020-8908 (Low) detected in guava-28.2-jre.jar

CVE-2020-8908 - Low Severity Vulnerability

Vulnerable Library - guava-28.2-jre.jar

Guava is a suite of core and expanded libraries that include utility classes, google's collections, io classes, and much much more.

Library home page: https://github.com/google/guava

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/google/guava/guava/28.2-jre/guava-28.2-jre.jar

Dependency Hierarchy:

  • selenium-java-4.0.0-alpha-5.jar (Root Library)
    • selenium-chrome-driver-4.0.0-alpha-5.jar
      • guava-28.2-jre.jar (Vulnerable Library)

Found in HEAD commit: 160e69822964b88ff887ba903106f5fc169a5abf

Found in base branch: main

Vulnerability Details

A temp directory creation vulnerability exists in all versions of Guava, allowing an attacker with access to the machine to potentially access data in a temporary directory created by the Guava API com.google.common.io.Files.createTempDir(). By default, on unix-like systems, the created directory is world-readable (readable by an attacker with access to the system). The method in question has been marked @deprecated in versions 30.0 and later and should not be used. For Android developers, we recommend choosing a temporary directory API provided by Android, such as context.getCacheDir(). For other Java developers, we recommend migrating to the Java 7 API java.nio.file.Files.createTempDirectory() which explicitly configures permissions of 700, or configuring the Java runtime's java.io.tmpdir system property to point to a location whose permissions are appropriately configured.

Publish Date: 2020-12-10

URL: CVE-2020-8908

CVSS 3 Score Details (3.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: None
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8908

Release Date: 2020-12-10

Fix Resolution: v30.0

Step up your Open Source Security Game with Mend here

CVE-2021-36090 (High) detected in commons-compress-1.20.jar

CVE-2021-36090 - High Severity Vulnerability

Vulnerable Library - commons-compress-1.20.jar

Apache Commons Compress software defines an API for working with compression and archive formats. These include: bzip2, gzip, pack200, lzma, xz, Snappy, traditional Unix Compress, DEFLATE, DEFLATE64, LZ4, Brotli, Zstandard and ar, cpio, jar, tar, zip, dump, 7z, arj.

Library home page: https://commons.apache.org/proper/commons-compress/

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/commons/commons-compress/1.20/commons-compress-1.20.jar

Dependency Hierarchy:

  • webdrivermanager-4.2.2.jar (Root Library)
    • jarchivelib-1.1.0.jar
      • commons-compress-1.20.jar (Vulnerable Library)

Found in HEAD commit: 160e69822964b88ff887ba903106f5fc169a5abf

Found in base branch: main

Vulnerability Details

When reading a specially crafted ZIP archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' zip package.

Publish Date: 2021-07-13

URL: CVE-2021-36090

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://commons.apache.org/proper/commons-compress/security-reports.html

Release Date: 2021-07-13

Fix Resolution: org.apache.commons:commons-compress:1.21

Step up your Open Source Security Game with Mend here

CVE-2022-24329 (Medium) detected in kotlin-stdlib-1.3.61.jar

CVE-2022-24329 - Medium Severity Vulnerability

Vulnerable Library - kotlin-stdlib-1.3.61.jar

Kotlin Standard Library for JVM

Library home page: https://kotlinlang.org/

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/jetbrains/kotlin/kotlin-stdlib/1.3.61/kotlin-stdlib-1.3.61.jar

Dependency Hierarchy:

  • selenium-java-4.0.0-alpha-5.jar (Root Library)
    • selenium-remote-driver-4.0.0-alpha-5.jar
      • okhttp-4.4.1.jar
        • kotlin-stdlib-1.3.61.jar (Vulnerable Library)

Found in HEAD commit: 160e69822964b88ff887ba903106f5fc169a5abf

Found in base branch: main

Vulnerability Details

In JetBrains Kotlin before 1.6.0, it was not possible to lock dependencies for Multiplatform Gradle Projects.

Publish Date: 2022-02-25

URL: CVE-2022-24329

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-2qp4-g3q3-f92w

Release Date: 2022-02-25

Fix Resolution: org.jetbrains.kotlin:kotlin-stdlib:1.6.0

Step up your Open Source Security Game with Mend here

The cookie preferences dropdown is open/ closed inconsistently.

Steps to reproduce:

  1. Click on the privacy policy link at the bottom of the page.
  2. Once the pop-up appears, click on the 'change your consent' button.
  3. User will now see the website cookies overlay with the 'show details' drop-down opened or closed sometimes. This has to be consistent.

Expected result: The show details drop-down must either be closed or opened and has to remain consistent.

CVE-2021-21290 (Medium) detected in netty-handler-4.1.43.Final.jar, netty-codec-http-4.1.47.Final.jar

CVE-2021-21290 - Medium Severity Vulnerability

Vulnerable Libraries - netty-handler-4.1.43.Final.jar, netty-codec-http-4.1.47.Final.jar

netty-handler-4.1.43.Final.jar

Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers and clients.

Library home page: https://netty.io/

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/io/netty/netty-handler/4.1.43.Final/netty-handler-4.1.43.Final.jar

Dependency Hierarchy:

  • selenium-java-4.0.0-alpha-5.jar (Root Library)
    • selenium-remote-driver-4.0.0-alpha-5.jar
      • netty-reactive-streams-2.0.4.jar
        • netty-handler-4.1.43.Final.jar (Vulnerable Library)
netty-codec-http-4.1.47.Final.jar

Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers and clients.

Library home page: https://netty.io/

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/io/netty/netty-codec-http/4.1.47.Final/netty-codec-http-4.1.47.Final.jar

Dependency Hierarchy:

  • selenium-java-4.0.0-alpha-5.jar (Root Library)
    • selenium-remote-driver-4.0.0-alpha-5.jar
      • netty-codec-http-4.1.47.Final.jar (Vulnerable Library)

Found in HEAD commit: 160e69822964b88ff887ba903106f5fc169a5abf

Found in base branch: main

Vulnerability Details

Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty before version 4.1.59.Final there is a vulnerability on Unix-like systems involving an insecure temp file. When netty's multipart decoders are used local information disclosure can occur via the local system temporary directory if temporary storing uploads on the disk is enabled. On unix-like systems, the temporary directory is shared between all user. As such, writing to this directory using APIs that do not explicitly set the file/directory permissions can lead to information disclosure. Of note, this does not impact modern MacOS Operating Systems. The method "File.createTempFile" on unix-like systems creates a random file, but, by default will create this file with the permissions "-rw-r--r--". Thus, if sensitive information is written to this file, other local users can read this information. This is the case in netty's "AbstractDiskHttpData" is vulnerable. This has been fixed in version 4.1.59.Final. As a workaround, one may specify your own "java.io.tmpdir" when you start the JVM or use "DefaultHttpDataFactory.setBaseDir(...)" to set the directory to something that is only readable by the current user.

Publish Date: 2021-02-08

URL: CVE-2021-21290

CVSS 3 Score Details (5.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-5mcr-gq6c-3hq2

Release Date: 2021-02-08

Fix Resolution: io.netty:netty-codec-http:4.1.59.Final

Step up your Open Source Security Game with Mend here

CVE-2021-35516 (High) detected in commons-compress-1.20.jar

CVE-2021-35516 - High Severity Vulnerability

Vulnerable Library - commons-compress-1.20.jar

Apache Commons Compress software defines an API for working with compression and archive formats. These include: bzip2, gzip, pack200, lzma, xz, Snappy, traditional Unix Compress, DEFLATE, DEFLATE64, LZ4, Brotli, Zstandard and ar, cpio, jar, tar, zip, dump, 7z, arj.

Library home page: https://commons.apache.org/proper/commons-compress/

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/commons/commons-compress/1.20/commons-compress-1.20.jar

Dependency Hierarchy:

  • webdrivermanager-4.2.2.jar (Root Library)
    • jarchivelib-1.1.0.jar
      • commons-compress-1.20.jar (Vulnerable Library)

Found in HEAD commit: 160e69822964b88ff887ba903106f5fc169a5abf

Found in base branch: main

Vulnerability Details

When reading a specially crafted 7Z archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' sevenz package.

Publish Date: 2021-07-13

URL: CVE-2021-35516

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://commons.apache.org/proper/commons-compress/security-reports.html

Release Date: 2021-07-13

Fix Resolution: org.apache.commons:commons-compress:1.21

Step up your Open Source Security Game with Mend here

DepShield encountered errors while building your project

The project could not be analyzed because of build errors. Please review the error messages here. Another build will be scheduled when a change to a manifest file* occurs. If the build is successful this issue will be closed, otherwise the error message will be updated.

This is an automated GitHub Issue created by Sonatype DepShield. GitHub Apps, including DepShield, can be managed from the Developer settings of the repository administrators.

* Supported manifest files are: pom.xml, package.json, package-lock.json, npm-shrinkwrap.json, Cargo.lock, Cargo.toml, main.rs, lib.rs, build.gradle, build.gradle.kts, settings.gradle, settings.gradle.kts, gradle.properties, gradle-wrapper.properties, go.mod, go.sum

CVE-2022-4244 (Medium) detected in plexus-utils-2.0.4.jar

CVE-2022-4244 - Medium Severity Vulnerability

Vulnerable Library - plexus-utils-2.0.4.jar

A collection of various utility classes to ease working with strings, files, command lines, XML and more.

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/codehaus/plexus/plexus-utils/2.0.4/plexus-utils-2.0.4.jar

Dependency Hierarchy:

  • maven-compiler-plugin-3.8.1.jar (Root Library)
    • maven-artifact-3.0.jar
      • plexus-utils-2.0.4.jar (Vulnerable Library)

Found in HEAD commit: 160e69822964b88ff887ba903106f5fc169a5abf

Found in base branch: main

Vulnerability Details

CVE-2022-4244 codehaus-plexus: Directory Traversal

Publish Date: 2022-12-01

URL: CVE-2022-4244

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: None
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2022-12-01

Fix Resolution: org.codehaus.plexus:plexus-utils:3.0.24

Step up your Open Source Security Game with Mend here

CVE-2021-37137 (High) detected in netty-codec-4.1.47.Final.jar

CVE-2021-37137 - High Severity Vulnerability

Vulnerable Library - netty-codec-4.1.47.Final.jar

Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers and clients.

Library home page: https://netty.io/

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/io/netty/netty-codec/4.1.47.Final/netty-codec-4.1.47.Final.jar

Dependency Hierarchy:

  • selenium-java-4.0.0-alpha-5.jar (Root Library)
    • selenium-remote-driver-4.0.0-alpha-5.jar
      • netty-codec-http-4.1.47.Final.jar
        • netty-codec-4.1.47.Final.jar (Vulnerable Library)

Found in HEAD commit: 160e69822964b88ff887ba903106f5fc169a5abf

Found in base branch: main

Vulnerability Details

The Snappy frame decoder function doesn't restrict the chunk length which may lead to excessive memory usage. Beside this it also may buffer reserved skippable chunks until the whole chunk was received which may lead to excessive memory usage as well. This vulnerability can be triggered by supplying malicious input that decompresses to a very big size (via a network stream or a file) or by sending a huge skippable chunk.

Publish Date: 2021-10-19

URL: CVE-2021-37137

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-9vjp-v76f-g363

Release Date: 2021-10-19

Fix Resolution: io.netty:netty-codec:4.1.68.Final;io.netty:netty-all:4.1.68.Final

Step up your Open Source Security Game with Mend here

CVE-2017-1000487 (High) detected in plexus-utils-2.0.4.jar

CVE-2017-1000487 - High Severity Vulnerability

Vulnerable Library - plexus-utils-2.0.4.jar

A collection of various utility classes to ease working with strings, files, command lines, XML and more.

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/codehaus/plexus/plexus-utils/2.0.4/plexus-utils-2.0.4.jar

Dependency Hierarchy:

  • maven-compiler-plugin-3.8.1.jar (Root Library)
    • maven-artifact-3.0.jar
      • plexus-utils-2.0.4.jar (Vulnerable Library)

Found in HEAD commit: 160e69822964b88ff887ba903106f5fc169a5abf

Found in base branch: main

Vulnerability Details

Plexus-utils before 3.0.16 is vulnerable to command injection because it does not correctly process the contents of double quoted strings.

Publish Date: 2018-01-03

URL: CVE-2017-1000487

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2017-1000487

Release Date: 2018-01-03

Fix Resolution: 3.0.16

Step up your Open Source Security Game with Mend here

CVE-2021-21295 (Medium) detected in netty-codec-http-4.1.47.Final.jar

CVE-2021-21295 - Medium Severity Vulnerability

Vulnerable Library - netty-codec-http-4.1.47.Final.jar

Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers and clients.

Library home page: https://netty.io/

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/io/netty/netty-codec-http/4.1.47.Final/netty-codec-http-4.1.47.Final.jar

Dependency Hierarchy:

  • selenium-java-4.0.0-alpha-5.jar (Root Library)
    • selenium-remote-driver-4.0.0-alpha-5.jar
      • netty-codec-http-4.1.47.Final.jar (Vulnerable Library)

Found in HEAD commit: 160e69822964b88ff887ba903106f5fc169a5abf

Found in base branch: main

Vulnerability Details

Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty (io.netty:netty-codec-http2) before version 4.1.60.Final there is a vulnerability that enables request smuggling. If a Content-Length header is present in the original HTTP/2 request, the field is not validated by Http2MultiplexHandler as it is propagated up. This is fine as long as the request is not proxied through as HTTP/1.1. If the request comes in as an HTTP/2 stream, gets converted into the HTTP/1.1 domain objects (HttpRequest, HttpContent, etc.) via Http2StreamFrameToHttpObjectCodec and then sent up to the child channel's pipeline and proxied through a remote peer as HTTP/1.1 this may result in request smuggling. In a proxy case, users may assume the content-length is validated somehow, which is not the case. If the request is forwarded to a backend channel that is a HTTP/1.1 connection, the Content-Length now has meaning and needs to be checked. An attacker can smuggle requests inside the body as it gets downgraded from HTTP/2 to HTTP/1.1. For an example attack refer to the linked GitHub Advisory. Users are only affected if all of this is true: HTTP2MultiplexCodec or Http2FrameCodec is used, Http2StreamFrameToHttpObjectCodec is used to convert to HTTP/1.1 objects, and these HTTP/1.1 objects are forwarded to another remote peer. This has been patched in 4.1.60.Final As a workaround, the user can do the validation by themselves by implementing a custom ChannelInboundHandler that is put in the ChannelPipeline behind Http2StreamFrameToHttpObjectCodec.

Publish Date: 2021-03-09

URL: CVE-2021-21295

CVSS 3 Score Details (5.9)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-wm47-8v5p-wjpj

Release Date: 2021-03-09

Fix Resolution: io.netty:netty-all:4.1.60;io.netty:netty-codec-http:4.1.60;io.netty:netty-codec-http2:4.1.60

Step up your Open Source Security Game with Mend here

CVE-2021-37136 (High) detected in netty-codec-4.1.47.Final.jar

CVE-2021-37136 - High Severity Vulnerability

Vulnerable Library - netty-codec-4.1.47.Final.jar

Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers and clients.

Library home page: https://netty.io/

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/io/netty/netty-codec/4.1.47.Final/netty-codec-4.1.47.Final.jar

Dependency Hierarchy:

  • selenium-java-4.0.0-alpha-5.jar (Root Library)
    • selenium-remote-driver-4.0.0-alpha-5.jar
      • netty-codec-http-4.1.47.Final.jar
        • netty-codec-4.1.47.Final.jar (Vulnerable Library)

Found in HEAD commit: 160e69822964b88ff887ba903106f5fc169a5abf

Found in base branch: main

Vulnerability Details

The Bzip2 decompression decoder function doesn't allow setting size restrictions on the decompressed output data (which affects the allocation size used during decompression). All users of Bzip2Decoder are affected. The malicious input can trigger an OOME and so a DoS attack

Publish Date: 2021-10-19

URL: CVE-2021-37136

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-grg4-wf29-r9vv

Release Date: 2021-10-19

Fix Resolution: io.netty:netty-codec:4.1.68.Final;io.netty:netty-all::4.1.68.Final

Step up your Open Source Security Game with Mend here

CVE-2022-24823 (Medium) detected in netty-common-4.1.47.Final.jar

CVE-2022-24823 - Medium Severity Vulnerability

Vulnerable Library - netty-common-4.1.47.Final.jar

Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers and clients.

Library home page: https://netty.io/

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/io/netty/netty-common/4.1.47.Final/netty-common-4.1.47.Final.jar

Dependency Hierarchy:

  • selenium-java-4.0.0-alpha-5.jar (Root Library)
    • selenium-remote-driver-4.0.0-alpha-5.jar
      • netty-buffer-4.1.47.Final.jar
        • netty-common-4.1.47.Final.jar (Vulnerable Library)

Found in HEAD commit: 160e69822964b88ff887ba903106f5fc169a5abf

Found in base branch: main

Vulnerability Details

Netty is an open-source, asynchronous event-driven network application framework. The package io.netty:netty-codec-http prior to version 4.1.77.Final contains an insufficient fix for CVE-2021-21290. When Netty's multipart decoders are used local information disclosure can occur via the local system temporary directory if temporary storing uploads on the disk is enabled. This only impacts applications running on Java version 6 and lower. Additionally, this vulnerability impacts code running on Unix-like systems, and very old versions of Mac OSX and Windows as they all share the system temporary directory between all users. Version 4.1.77.Final contains a patch for this vulnerability. As a workaround, specify one's own java.io.tmpdir when starting the JVM or use DefaultHttpDataFactory.setBaseDir(...) to set the directory to something that is only readable by the current user.

Publish Date: 2022-05-06

URL: CVE-2022-24823

CVSS 3 Score Details (5.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24823

Release Date: 2022-05-06

Fix Resolution: io.netty:netty-all;io.netty:netty-common - 4.1.77.Final

Step up your Open Source Security Game with Mend here

[DepShield] (CVSS 3.3) Vulnerability due to usage of com.google.guava:guava:28.2-jre

Vulnerabilities

DepShield reports that this application's usage of com.google.guava:guava:28.2-jre results in the following vulnerability(s):

Occurrences

com.google.guava:guava:28.2-jre is a transitive dependency introduced by the following direct dependency(s):

org.seleniumhq.selenium:selenium-java:4.0.0-alpha-5
        └─ org.seleniumhq.selenium:selenium-chrome-driver:4.0.0-alpha-5
              └─ com.google.guava:guava:28.2-jre

This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.

CVE-2020-29582 (Medium) detected in kotlin-stdlib-1.3.61.jar

CVE-2020-29582 - Medium Severity Vulnerability

Vulnerable Library - kotlin-stdlib-1.3.61.jar

Kotlin Standard Library for JVM

Library home page: https://kotlinlang.org/

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/jetbrains/kotlin/kotlin-stdlib/1.3.61/kotlin-stdlib-1.3.61.jar

Dependency Hierarchy:

  • selenium-java-4.0.0-alpha-5.jar (Root Library)
    • selenium-remote-driver-4.0.0-alpha-5.jar
      • okhttp-4.4.1.jar
        • kotlin-stdlib-1.3.61.jar (Vulnerable Library)

Found in HEAD commit: 160e69822964b88ff887ba903106f5fc169a5abf

Found in base branch: main

Vulnerability Details

In JetBrains Kotlin before 1.4.21, a vulnerable Java API was used for temporary file and folder creation. An attacker was able to read data from such files and list directories due to insecure permissions.

Publish Date: 2021-02-03

URL: CVE-2020-29582

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: None
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-cqj8-47ch-rvvq

Release Date: 2021-02-03

Fix Resolution: org.jetbrains.kotlin:kotlin-stdlib:1.4.21

Step up your Open Source Security Game with Mend here

WS-2019-0379 (Medium) detected in commons-codec-1.10.jar

WS-2019-0379 - Medium Severity Vulnerability

Vulnerable Library - commons-codec-1.10.jar

The Apache Commons Codec package contains simple encoder and decoders for various formats such as Base64 and Hexadecimal. In addition to these widely used encoders and decoders, the codec package also maintains a collection of phonetic encoding utilities.

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/commons-codec/commons-codec/1.10/commons-codec-1.10.jar

Dependency Hierarchy:

  • poi-3.17.jar (Root Library)
    • commons-codec-1.10.jar (Vulnerable Library)

Found in HEAD commit: 160e69822964b88ff887ba903106f5fc169a5abf

Found in base branch: main

Vulnerability Details

Apache commons-codec before version “commons-codec-1.13-RC1” is vulnerable to information disclosure due to Improper Input validation.

Publish Date: 2019-05-20

URL: WS-2019-0379

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2019-05-20

Fix Resolution: commons-codec:commons-codec:1.13

Step up your Open Source Security Game with Mend here

CVE-2021-37714 (High) detected in jsoup-1.13.1.jar

CVE-2021-37714 - High Severity Vulnerability

Vulnerable Library - jsoup-1.13.1.jar

jsoup is a Java library for working with real-world HTML. It provides a very convenient API for extracting and manipulating data, using the best of DOM, CSS, and jquery-like methods. jsoup implements the WHATWG HTML5 specification, and parses HTML to the same DOM as modern browsers do.

Library home page: https://jsoup.org/

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/jsoup/jsoup/1.13.1/jsoup-1.13.1.jar

Dependency Hierarchy:

  • webdrivermanager-4.2.2.jar (Root Library)
    • jsoup-1.13.1.jar (Vulnerable Library)

Found in HEAD commit: 160e69822964b88ff887ba903106f5fc169a5abf

Found in base branch: main

Vulnerability Details

jsoup is a Java library for working with HTML. Those using jsoup versions prior to 1.14.2 to parse untrusted HTML or XML may be vulnerable to DOS attacks. If the parser is run on user supplied input, an attacker may supply content that causes the parser to get stuck (loop indefinitely until cancelled), to complete more slowly than usual, or to throw an unexpected exception. This effect may support a denial of service attack. The issue is patched in version 1.14.2. There are a few available workarounds. Users may rate limit input parsing, limit the size of inputs based on system resources, and/or implement thread watchdogs to cap and timeout parse runtimes.

Publish Date: 2021-08-18

URL: CVE-2021-37714

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://jsoup.org/news/release-1.14.2

Release Date: 2021-08-18

Fix Resolution: org.jsoup:jsoup:1.14.2

Step up your Open Source Security Game with Mend here

CVE-2022-29599 (High) detected in maven-shared-utils-3.2.1.jar

CVE-2022-29599 - High Severity Vulnerability

Vulnerable Library - maven-shared-utils-3.2.1.jar

Shared utils without any further dependencies

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/maven/shared/maven-shared-utils/3.2.1/maven-shared-utils-3.2.1.jar

Dependency Hierarchy:

  • maven-compiler-plugin-3.8.1.jar (Root Library)
    • maven-shared-utils-3.2.1.jar (Vulnerable Library)

Found in HEAD commit: 160e69822964b88ff887ba903106f5fc169a5abf

Found in base branch: main

Vulnerability Details

In Apache Maven maven-shared-utils prior to version 3.3.3, the Commandline class can emit double-quoted strings without proper escaping, allowing shell injection attacks.

Publish Date: 2022-05-23

URL: CVE-2022-29599

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-rhgr-952r-6p8q

Release Date: 2022-05-23

Fix Resolution: org.apache.maven.shared:maven-shared-utils:3.3.3

Step up your Open Source Security Game with Mend here

WS-2016-7062 (Medium) detected in plexus-utils-2.0.4.jar

WS-2016-7062 - Medium Severity Vulnerability

Vulnerable Library - plexus-utils-2.0.4.jar

A collection of various utility classes to ease working with strings, files, command lines, XML and more.

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/codehaus/plexus/plexus-utils/2.0.4/plexus-utils-2.0.4.jar

Dependency Hierarchy:

  • maven-compiler-plugin-3.8.1.jar (Root Library)
    • maven-artifact-3.0.jar
      • plexus-utils-2.0.4.jar (Vulnerable Library)

Found in HEAD commit: 160e69822964b88ff887ba903106f5fc169a5abf

Found in base branch: main

Vulnerability Details

Security vulnerability found in plexus-utils before 3.0.24. XML injection found in XmlWriterUtil.java.

Publish Date: 2016-05-07

URL: WS-2016-7062

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2016-05-07

Fix Resolution: 3.0.24

Step up your Open Source Security Game with Mend here

WS-2019-0490 (High) detected in jcommander-1.72.jar

WS-2019-0490 - High Severity Vulnerability

Vulnerable Library - jcommander-1.72.jar

Command line parsing

Library home page: http://jcommander.org

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/beust/jcommander/1.72/jcommander-1.72.jar

Dependency Hierarchy:

  • testng-6.14.3.jar (Root Library)
    • jcommander-1.72.jar (Vulnerable Library)

Found in HEAD commit: 160e69822964b88ff887ba903106f5fc169a5abf

Found in base branch: main

Vulnerability Details

Inclusion of Functionality from Untrusted Control Sphere vulnerability found in jcommander before 1.75. jcommander resolving dependencies over HTTP instead of HTTPS.

Publish Date: 2019-02-19

URL: WS-2019-0490

CVSS 3 Score Details (8.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2019-02-19

Fix Resolution: com.beust:jcommander:1.75

Step up your Open Source Security Game with Mend here

CVE-2022-4245 (Medium) detected in plexus-utils-2.0.4.jar

CVE-2022-4245 - Medium Severity Vulnerability

Vulnerable Library - plexus-utils-2.0.4.jar

A collection of various utility classes to ease working with strings, files, command lines, XML and more.

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/codehaus/plexus/plexus-utils/2.0.4/plexus-utils-2.0.4.jar

Dependency Hierarchy:

  • maven-compiler-plugin-3.8.1.jar (Root Library)
    • maven-artifact-3.0.jar
      • plexus-utils-2.0.4.jar (Vulnerable Library)

Found in HEAD commit: 160e69822964b88ff887ba903106f5fc169a5abf

Found in base branch: main

Vulnerability Details

CVE-2022-4245 codehaus-plexus: XML External Entity (XXE) Injection

Publish Date: 2022-12-01

URL: CVE-2022-4245

CVSS 3 Score Details (4.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: None
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://bugzilla.suse.com/show_bug.cgi?id=1205930

Release Date: 2022-12-01

Fix Resolution: org.codehaus.plexus:plexus-utils:3.0.24

Step up your Open Source Security Game with Mend here

CVE-2019-12415 (Medium) detected in poi-ooxml-3.17.jar

CVE-2019-12415 - Medium Severity Vulnerability

Vulnerable Library - poi-ooxml-3.17.jar

Apache POI - Java API To Access Microsoft Format Files

Path to dependency file: /pom.xml

Path to vulnerable library: /pository/org/apache/poi/poi-ooxml/3.17/poi-ooxml-3.17.jar

Dependency Hierarchy:

  • poi-ooxml-3.17.jar (Vulnerable Library)

Found in HEAD commit: 160e69822964b88ff887ba903106f5fc169a5abf

Found in base branch: main

Vulnerability Details

In Apache POI up to 4.1.0, when using the tool XSSFExportToXml to convert user-provided Microsoft Excel documents, a specially crafted document can allow an attacker to read files from the local filesystem or from internal network resources via XML External Entity (XXE) Processing.

Publish Date: 2019-10-23

URL: CVE-2019-12415

CVSS 3 Score Details (5.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12415

Release Date: 2019-10-23

Fix Resolution: 4.1.1

Step up your Open Source Security Game with Mend here

[DepShield] (CVSS 7.5) Vulnerability due to usage of org.apache.commons:commons-compress:1.20

Vulnerabilities

DepShield reports that this application's usage of org.apache.commons:commons-compress:1.20 results in the following vulnerability(s):

Occurrences

org.apache.commons:commons-compress:1.20 is a transitive dependency introduced by the following direct dependency(s):

io.github.bonigarcia:webdrivermanager:4.2.2
        └─ org.rauschig:jarchivelib:1.1.0
              └─ org.apache.commons:commons-compress:1.20

This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google ❤️ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.