Dependency-Check is an open source tool performing a best effort analysis of 3rd party dependencies; false positives and false negatives may exist in the analysis performed by the tool. Use of the tool and the reporting provided constitutes acceptance for use in an AS IS condition, and there are NO warranties, implied or otherwise, with regard to the analysis or its use. Any use of the tool and the reporting provided is at the user’s risk. In no event shall the copyright holder or OWASP be held liable for any damages whatsoever arising out of or in connection with the use of this tool, the analysis performed, or the resulting report.


Project: spring-rest-data-exploit

Display: Showing Vulnerable Dependencies

Dependency | CPE | Coordinates | Highest Severity | CVE Count | CPE Confidence | Evidence Count
maven-wrapper.jar | | io.takari:maven-wrapper:0.2.1 | | 0 | | 24
maven-wrapper.jar | | io.takari:maven-wrapper:0.4.2 | | 0 | | 24
spring-rest-data-exploit-example-0.0.1-SNAPSHOT.jar | cpe:/a:pivotal_software:spring_data_rest:0.0.1 | com.pavelsklenar:spring-rest-data-exploit-example:0.0.1-SNAPSHOT | High | 1 | Low | 21
spring-rest-data-exploit-example-0.0.1-SNAPSHOT.jar: jaxb-impl-2.2.11.jar | | com.sun.xml.bind:jaxb-impl:2.2.11 | | 0 | | 41
spring-rest-data-exploit-example-0.0.1-SNAPSHOT.jar: hibernate-jpa-2.1-api-1.0.0.Final.jar | | org.hibernate.javax.persistence:hibernate-jpa-2.1-api:1.0.0.Final | | 0 | | 26
spring-rest-data-exploit-example-0.0.1-SNAPSHOT.jar: spring-data-rest-core-2.5.2.RELEASE.jar | cpe:/a:pivotal_software:spring_data_rest:2.5.2 | org.springframework.data:spring-data-rest-core:2.5.2.RELEASE | High | 2 | Highest | 24
spring-rest-data-exploit-example-0.0.1-SNAPSHOT.jar: jackson-core-2.8.1.jar | cpe:/a:fasterxml:jackson:2.8.1 | com.fasterxml.jackson.core:jackson-core:2.8.1 | | 0 | Highest | 35
spring-rest-data-exploit-example-0.0.1-SNAPSHOT.jar: snakeyaml-1.17.jar | | org.yaml:snakeyaml:1.17 | | 0 | | 23
spring-rest-data-exploit-example-0.0.1-SNAPSHOT.jar: log4j-over-slf4j-1.7.21.jar | | org.slf4j:log4j-over-slf4j:1.7.21 | | 0 | | 25
spring-rest-data-exploit-example-0.0.1-SNAPSHOT.jar: spring-boot-1.4.0.RELEASE.jar | cpe:/a:pivotal_software:spring_boot:1.4.0 | org.springframework.boot:spring-boot:1.4.0.RELEASE | High | 2 | Highest | 30
spring-rest-data-exploit-example-0.0.1-SNAPSHOT.jar: tomcat-jdbc-8.5.4.jar | cpe:/a:apache_software_foundation:tomcat:8.5.4 | org.apache.tomcat:tomcat-jdbc:8.5.4 | | 0 | Low | 24
spring-rest-data-exploit-example-0.0.1-SNAPSHOT.jar: hibernate-core-5.0.9.Final.jar | | org.hibernate:hibernate-core:5.0.9.Final | | 0 | | 35
spring-rest-data-exploit-example-0.0.1-SNAPSHOT.jar: evo-inflector-1.2.1.jar | | org.atteo:evo-inflector:1.2.1 | | 0 | | 21
spring-rest-data-exploit-example-0.0.1-SNAPSHOT.jar: spring-tx-4.3.2.RELEASE.jar | cpe:/a:pivotal:spring_framework:4.3.2; cpe:/a:pivotal_software:spring_framework:4.3.2; cpe:/a:springsource:spring_framework:4.3.2 | org.springframework:spring-tx:4.3.2.RELEASE | High | 10 | Highest | 29
spring-rest-data-exploit-example-0.0.1-SNAPSHOT.jar: commons-codec-1.10.jar | | commons-codec:commons-codec:1.10 | | 0 | | 35
spring-rest-data-exploit-example-0.0.1-SNAPSHOT.jar: spring-hateoas-0.20.0.RELEASE.jar | | org.springframework.hateoas:spring-hateoas:0.20.0.RELEASE | | 0 | | 26
spring-rest-data-exploit-example-0.0.1-SNAPSHOT.jar: jul-to-slf4j-1.7.21.jar | | org.slf4j:jul-to-slf4j:1.7.21 | | 0 | | 24
spring-rest-data-exploit-example-0.0.1-SNAPSHOT.jar: hibernate-entitymanager-5.0.9.Final.jar | | org.hibernate:hibernate-entitymanager:5.0.9.Final | | 0 | | 37
spring-rest-data-exploit-example-0.0.1-SNAPSHOT.jar: jaxb-core-2.2.11.jar | | com.sun.xml.bind:jaxb-core:2.2.11 | | 0 | | 38
spring-rest-data-exploit-example-0.0.1-SNAPSHOT.jar: jboss-logging-3.3.0.Final.jar | | org.jboss.logging:jboss-logging:3.3.0.Final | | 0 | | 40
spring-rest-data-exploit-example-0.0.1-SNAPSHOT.jar: logback-core-1.1.7.jar | cpe:/a:logback:logback:1.1.7 | ch.qos.logback:logback-core:1.1.7 | High | 1 | Low | 27
spring-rest-data-exploit-example-0.0.1-SNAPSHOT.jar: javax.transaction-api-1.2.jar | cpe:/a:fish:fish:1.2 | javax.transaction:javax.transaction-api:1.2 | | 0 | Low | 35
spring-rest-data-exploit-example-0.0.1-SNAPSHOT.jar: jandex-2.0.0.Final.jar | | org.jboss:jandex:2.0.0.Final | | 0 | | 32
spring-rest-data-exploit-example-0.0.1-SNAPSHOT.jar: spring-plugin-core-1.2.0.RELEASE.jar | | org.springframework.plugin:spring-plugin-core:1.2.0.RELEASE | | 0 | | 24
spring-rest-data-exploit-example-0.0.1-SNAPSHOT.jar: httpcore-4.4.5.jar | | org.apache.httpcomponents:httpcore:4.4.5 | | 0 | | 28
spring-rest-data-exploit-example-0.0.1-SNAPSHOT.jar: dom4j-1.6.1.jar | cpe:/a:dom4j_project:dom4j:1.6.1 | dom4j:dom4j:1.6.1 | Medium | 1 | Highest | 39
spring-rest-data-exploit-example-0.0.1-SNAPSHOT.jar: spring-data-commons-1.12.2.RELEASE.jar | cpe:/a:pivotal_software:spring_data_commons:1.12.2 | org.springframework.data:spring-data-commons:1.12.2.RELEASE | High | 1 | Low | 25
spring-rest-data-exploit-example-0.0.1-SNAPSHOT.jar: spring-data-jpa-1.10.2.RELEASE.jar | cpe:/a:pivotal_software:spring_data_jpa:1.10.2 | org.springframework.data:spring-data-jpa:1.10.2.RELEASE | Medium | 1 | Highest | 29
spring-rest-data-exploit-example-0.0.1-SNAPSHOT.jar: validation-api-1.1.0.Final.jar | | javax.validation:validation-api:1.1.0.Final | | 0 | | 19
spring-rest-data-exploit-example-0.0.1-SNAPSHOT.jar: classmate-1.3.1.jar | | com.fasterxml:classmate:1.3.1 | | 0 | | 37
spring-rest-data-exploit-example-0.0.1-SNAPSHOT.jar: antlr-2.7.7.jar | | antlr:antlr:2.7.7 | | 0 | | 18
spring-rest-data-exploit-example-0.0.1-SNAPSHOT.jar: aspectjweaver-1.8.9.jar | | org.aspectj:aspectjweaver:1.8.9 | | 0 | | 27
spring-rest-data-exploit-example-0.0.1-SNAPSHOT.jar: spring-core-4.3.2.RELEASE.jar | cpe:/a:vmware:springsource_spring_framework:4.3.2; cpe:/a:pivotal:spring_framework:4.3.2; cpe:/a:pivotal_software:spring_framework:4.3.2; cpe:/a:springsource:spring_framework:4.3.2 | org.springframework:spring-core:4.3.2.RELEASE | High | 10 | Highest | 30
spring-rest-data-exploit-example-0.0.1-SNAPSHOT.jar: jackson-databind-2.8.1.jar | cpe:/a:fasterxml:jackson-databind:2.8.1; cpe:/a:fasterxml:jackson:2.8.1 | com.fasterxml.jackson.core:jackson-databind:2.8.1 | High | 12 | Highest | 35
spring-rest-data-exploit-example-0.0.1-SNAPSHOT.jar: spring-boot-starter-data-rest-1.4.0.RELEASE.jar | | org.springframework.boot:spring-boot-starter-data-rest:1.4.0.RELEASE | | 0 | | 30
spring-rest-data-exploit-example-0.0.1-SNAPSHOT.jar: jaxb-api-2.2.11.jar | | javax.xml.bind:jaxb-api:2.2.11 | | 0 | | 35
spring-rest-data-exploit-example-0.0.1-SNAPSHOT.jar: httpclient-4.5.2.jar | cpe:/a:apache:httpclient:4.5.2 | org.apache.httpcomponents:httpclient:4.5.2 | | 0 | Low | 26
spring-rest-data-exploit-example-0.0.1-SNAPSHOT.jar: tomcat-embed-core-8.5.4.jar | cpe:/a:apache_tomcat:apache_tomcat:8.5.4 | org.apache.tomcat.embed:tomcat-embed-core:8.5.4 | | 0 | Low | 21
spring-rest-data-exploit-example-0.0.1-SNAPSHOT.jar: hibernate-validator-5.2.4.Final.jar | cpe:/a:hibernate:hibernate_validator:5.2.4 | org.hibernate:hibernate-validator:5.2.4.Final | | 0 | Low | 28
spring-rest-data-exploit-example-0.0.1-SNAPSHOT.jar: jcl-over-slf4j-1.7.21.jar | | org.slf4j:jcl-over-slf4j:1.7.21 | | 0 | | 25
spring-rest-data-exploit-example-0.0.1-SNAPSHOT.jar: hibernate-commons-annotations-5.0.1.Final.jar | | org.hibernate.common:hibernate-commons-annotations:5.0.1.Final | | 0 | | 35
spring-rest-data-exploit-example-0.0.1-SNAPSHOT.jar: activation-1.1.1.jar | cpe:/a:sun:javamail:1.1.1 | javax.activation:activation:1.1.1 | | 0 | Low | 27
spring-rest-data-exploit-example-0.0.1-SNAPSHOT.jar: slf4j-api-1.7.21.jar | | org.slf4j:slf4j-api:1.7.21 | | 0 | | 25
spring-rest-data-exploit-example-0.0.1-SNAPSHOT.jar: tomcat-embed-el-8.5.4.jar | | org.apache.tomcat.embed:tomcat-embed-el:8.5.4 | | 0 | | 23
spring-rest-data-exploit-example-0.0.1-SNAPSHOT.jar: h2-1.4.192.jar | cpe:/a:h2database:h2:1.4.192 | com.h2database:h2:1.4.192 | | 0 | Low | 25
spring-rest-data-exploit-example-0.0.1-SNAPSHOT.jar: javassist-3.20.0-GA.jar | | org.javassist:javassist:3.20.0-GA | | 0 | | 23
spring-rest-data-exploit-example-0.0.1-SNAPSHOT.jar: xml-apis-1.4.01.jar | | xml-apis:xml-apis:1.4.01 | | 0 | | 50
spring-rest-data-exploit-example-0.0.1-SNAPSHOT.jar: h2-1.4.192.jar: data.zip: tree.js | | | | 0 | | 0
spring-rest-data-exploit-example-0.0.1-SNAPSHOT.jar: h2-1.4.192.jar: data.zip: table.js | | | | 0 | | 0
spring-rest-data-exploit-example-0.0.1-SNAPSHOT.jar: jaxb-impl-2.2.11.jar (shaded: org.glassfish.jaxb:jaxb-runtime:2.2.11) | | org.glassfish.jaxb:jaxb-runtime:2.2.11 | | 0 | | 13
spring-rest-data-exploit-example-0.0.1-SNAPSHOT.jar: jaxb-core-2.2.11.jar (shaded: com.sun.istack:istack-commons-runtime:2.21) | | com.sun.istack:istack-commons-runtime:2.21 | | 0 | | 9
spring-rest-data-exploit-example-0.0.1-SNAPSHOT.jar: jaxb-core-2.2.11.jar (shaded: org.glassfish.jaxb:jaxb-core:2.2.11) | | org.glassfish.jaxb:jaxb-core:2.2.11 | | 0 | | 13
spring-rest-data-exploit-example-0.0.1-SNAPSHOT.jar: jaxb-core-2.2.11.jar (shaded: org.glassfish.jaxb:txw2:2.2.11) | | org.glassfish.jaxb:txw2:2.2.11 | | 0 | | 13

Dependencies

maven-wrapper.jar

License:

Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /var/jenkins_home/workspace/spring-rest-data-exploit/spring-boot-docker-build/.mvn/wrapper/maven-wrapper.jar
MD5: 0d96a88e602e02418e0f838dea8e4dda
SHA1: 8196a861947fba6267db30f9541ad028c631e2d2
SHA256: 454823f2648525cb5ff8900d0f80f2ade6b8865043a55d7015b1ecaf4a43d6e4

Identifiers

maven-wrapper.jar

License:

Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /var/jenkins_home/workspace/spring-rest-data-exploit/spring-rest-data-exploit/.mvn/wrapper/maven-wrapper.jar
MD5: f24493a75bff0bff5a83b097f6726f11
SHA1: ca0763264dc2e879c0ec8f3460f35d017fd8f61c
SHA256: 1dfe794c50f17f7808b1ed3cde3c009ba9a1b56aeb5c54e1dd3c3b1a93feefe7

Identifiers

spring-rest-data-exploit-example-0.0.1-SNAPSHOT.jar

File Path: /var/jenkins_home/workspace/spring-rest-data-exploit/spring-rest-data-exploit/target/spring-rest-data-exploit-example-0.0.1-SNAPSHOT.jar
MD5: 4ff57f1b78c2669cccea6cae0b81b918
SHA1: bc4bdd973de267eafb9b7663cf32202c5e1d96fa
SHA256: 427f3b67dac1eb3e0987087483ac42e94a9ca13e34b9062d3d1daf16d63abcbc

Identifiers

  • maven: com.pavelsklenar:spring-rest-data-exploit-example:0.0.1-SNAPSHOT  Confidence: High
  • cpe: cpe:/a:pivotal_software:spring_data_rest:0.0.1  Confidence: Low

CVE-2018-1273

Severity: High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-20 Improper Input Validation

Spring Data Commons, versions prior to 1.13 to 1.13.10, 2.0 to 2.0.5, and older unsupported versions, contain a property binder vulnerability caused by improper neutralization of special elements. An unauthenticated remote malicious user (or attacker) can supply specially crafted request parameters against Spring Data REST backed HTTP resources or using Spring Data's projection-based request payload binding that can lead to a remote code execution attack.

Vulnerable Software & Versions:

spring-rest-data-exploit-example-0.0.1-SNAPSHOT.jar: jaxb-impl-2.2.11.jar

Description:

 Old JAXB Runtime module. Contains sources required for runtime processing.

License:

http://glassfish.java.net/public/CDDL+GPL_1_1.html
File Path: /var/jenkins_home/workspace/spring-rest-data-exploit/spring-rest-data-exploit/target/spring-rest-data-exploit-example-0.0.1-SNAPSHOT.jar/BOOT-INF/lib/jaxb-impl-2.2.11.jar
MD5: bea06b3ee5ef2c338beac9187b7782f3
SHA1: a49ce57aee680f9435f49ba6ef427d38c93247a6
SHA256: f91793a96f185a2fc004c86a37086f060985854ce6b19935e03c4de51e3201d2

Identifiers

spring-rest-data-exploit-example-0.0.1-SNAPSHOT.jar: hibernate-jpa-2.1-api-1.0.0.Final.jar

Description:

 Clean-room definition of JPA APIs intended for use in developing Hibernate JPA implementation.  See README.md for details

License:

Eclipse Public License (EPL), Version 1.0: http://www.eclipse.org/legal/epl-v10.html
Eclipse Distribution License (EDL), Version 1.0: http://www.eclipse.org/org/documents/edl-v10.php
File Path: /var/jenkins_home/workspace/spring-rest-data-exploit/spring-rest-data-exploit/target/spring-rest-data-exploit-example-0.0.1-SNAPSHOT.jar/BOOT-INF/lib/hibernate-jpa-2.1-api-1.0.0.Final.jar
MD5: 01b091825023c97fdfd6d2bceebe03ff
SHA1: 5e731d961297e5a07290bfaf3db1fbc8bbbf405a
SHA256: ab46597e3a057f99c8339fffe14c1d27f9dbd2409ae840c62121b00d983c78bd

Identifiers

spring-rest-data-exploit-example-0.0.1-SNAPSHOT.jar: spring-data-rest-core-2.5.2.RELEASE.jar

Description:

 Spring Data REST - Core

File Path: /var/jenkins_home/workspace/spring-rest-data-exploit/spring-rest-data-exploit/target/spring-rest-data-exploit-example-0.0.1-SNAPSHOT.jar/BOOT-INF/lib/spring-data-rest-core-2.5.2.RELEASE.jar
MD5: 0acbf88f0f625283a4580b5769f95113
SHA1: 048b3f98fb7007c0eb077aa2c2ade0e541695de7
SHA256: 631ea2a2139012d168469c2261821326bc5d54e566567f53550f7323c1e86949

Identifiers

CVE-2017-8046

Severity: High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-20 Improper Input Validation

Malicious PATCH requests submitted to servers using Spring Data REST versions prior to 2.6.9 (Ingalls SR9), versions prior to 3.0.1 (Kay SR1) and Spring Boot versions prior to 1.5.9, 2.0 M6 can use specially crafted JSON data to run arbitrary Java code.

Vulnerable Software & Versions:

CVE-2018-1273

Severity: High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-20 Improper Input Validation

Spring Data Commons, versions prior to 1.13 to 1.13.10, 2.0 to 2.0.5, and older unsupported versions, contain a property binder vulnerability caused by improper neutralization of special elements. An unauthenticated remote malicious user (or attacker) can supply specially crafted request parameters against Spring Data REST backed HTTP resources or using Spring Data's projection-based request payload binding that can lead to a remote code execution attack.

Vulnerable Software & Versions:

spring-rest-data-exploit-example-0.0.1-SNAPSHOT.jar: jackson-core-2.8.1.jar

Description:

 Core Jackson abstractions, basic JSON streaming API implementation

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /var/jenkins_home/workspace/spring-rest-data-exploit/spring-rest-data-exploit/target/spring-rest-data-exploit-example-0.0.1-SNAPSHOT.jar/BOOT-INF/lib/jackson-core-2.8.1.jar
MD5: dcbfe4152111a0c1c47d5303ca9b8aa4
SHA1: fd13b1c033741d48291315c6370f7d475a42dccf
SHA256: f0b5493ad3fe59a54d50aaf20cc414eb893cbed045d30e4b81925fcb4ced8e22

Identifiers

spring-rest-data-exploit-example-0.0.1-SNAPSHOT.jar: snakeyaml-1.17.jar

Description:

 YAML 1.1 parser and emitter for Java

License:

Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /var/jenkins_home/workspace/spring-rest-data-exploit/spring-rest-data-exploit/target/spring-rest-data-exploit-example-0.0.1-SNAPSHOT.jar/BOOT-INF/lib/snakeyaml-1.17.jar
MD5: ab621c3cee316236ad04a6f0fe4dd17c
SHA1: 7a27ea250c5130b2922b86dea63cbb1cc10a660c
SHA256: 5666b36f9db46f06dd5a19d73bbff3b588d5969c0f4b8848fde0f5ec849430a5

Identifiers

  • maven: org.yaml:snakeyaml:1.17  Confidence: High

spring-rest-data-exploit-example-0.0.1-SNAPSHOT.jar: log4j-over-slf4j-1.7.21.jar

Description:

 Log4j implemented over SLF4J

License:

Apache Software Licenses: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /var/jenkins_home/workspace/spring-rest-data-exploit/spring-rest-data-exploit/target/spring-rest-data-exploit-example-0.0.1-SNAPSHOT.jar/BOOT-INF/lib/log4j-over-slf4j-1.7.21.jar
MD5: b5e6cd0bce36e1dc2c112a44d95789eb
SHA1: b3700d97464d99bdcd42c0177d6e7951c94d75ff
SHA256: c8c561b61fdf96a5f70ca4d7c241c89b5ad5f6a9e57873c04d62a485d98affcb

Identifiers

  • maven: org.slf4j:log4j-over-slf4j:1.7.21  Confidence: High

spring-rest-data-exploit-example-0.0.1-SNAPSHOT.jar: spring-boot-1.4.0.RELEASE.jar

Description:

 Spring Boot

File Path: /var/jenkins_home/workspace/spring-rest-data-exploit/spring-rest-data-exploit/target/spring-rest-data-exploit-example-0.0.1-SNAPSHOT.jar/BOOT-INF/lib/spring-boot-1.4.0.RELEASE.jar
MD5: dca103824b9d46dddb23e1485d722034
SHA1: 03b4ea475b40eb9dc966fb3c650c97bfabb988f9
SHA256: fa85a3ae630cb1c60e6f2b8c9fbad4e624fed295570da8150be5b4959be5931b

Identifiers

CVE-2017-8046

Severity: High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-20 Improper Input Validation

Malicious PATCH requests submitted to servers using Spring Data REST versions prior to 2.6.9 (Ingalls SR9), versions prior to 3.0.1 (Kay SR1) and Spring Boot versions prior to 1.5.9, 2.0 M6 can use specially crafted JSON data to run arbitrary Java code.

Vulnerable Software & Versions:

CVE-2018-1196

Severity: Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-59 Improper Link Resolution Before File Access ('Link Following')

Spring Boot supports an embedded launch script that can be used to easily run the application as a systemd or init.d linux service. The script included with Spring Boot 1.5.9 and earlier and 2.0.0.M1 through 2.0.0.M7 is susceptible to a symlink attack which allows the "run_user" to overwrite and take ownership of any file on the same system. In order to instigate the attack, the application must be installed as a service and the "run_user" requires shell access to the server. Spring Boot applications that are not installed as a service, or are not using the embedded launch script, are not susceptible.

Vulnerable Software & Versions:

spring-rest-data-exploit-example-0.0.1-SNAPSHOT.jar: tomcat-jdbc-8.5.4.jar

Description:

 Tomcat JDBC Pool Package

License:

Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /var/jenkins_home/workspace/spring-rest-data-exploit/spring-rest-data-exploit/target/spring-rest-data-exploit-example-0.0.1-SNAPSHOT.jar/BOOT-INF/lib/tomcat-jdbc-8.5.4.jar
MD5: 84375eb08899c17a4794d2c2e75cc50e
SHA1: bebaa475e69c649dcd9616bd204712cfd8551321
SHA256: 21d7437438d01b9b83a7e42d1b1db3e3b39ad548a5cdc6eae88a8cc40cb9bb39

Identifiers

spring-rest-data-exploit-example-0.0.1-SNAPSHOT.jar: hibernate-core-5.0.9.Final.jar

Description:

 The core O/RM functionality as provided by Hibernate

License:

GNU Lesser General Public License: http://www.gnu.org/licenses/lgpl-2.1.html
File Path: /var/jenkins_home/workspace/spring-rest-data-exploit/spring-rest-data-exploit/target/spring-rest-data-exploit-example-0.0.1-SNAPSHOT.jar/BOOT-INF/lib/hibernate-core-5.0.9.Final.jar
MD5: aaccf21206e677510e4acc01e77c7f9a
SHA1: 7e06db0b4365876419daafc9b40c9088ba40f64d
SHA256: b9dfb47a2d357dad77bfe613bd079fccf78ef2f05c7ccf4b1d46630f221a4cd8

Identifiers

spring-rest-data-exploit-example-0.0.1-SNAPSHOT.jar: evo-inflector-1.2.1.jar

Description:

 Evo Inflector implements English pluralization algorithm.

File Path: /var/jenkins_home/workspace/spring-rest-data-exploit/spring-rest-data-exploit/target/spring-rest-data-exploit-example-0.0.1-SNAPSHOT.jar/BOOT-INF/lib/evo-inflector-1.2.1.jar
MD5: 11a5f0f749ad3ea6a12efda6cb638318
SHA1: b9cdd1e7dc20a222db0853dfb152ef349c7d0eed
SHA256: 9cd8e818253ab4e4685a039ccf6faeb82f99557da711a92d8e54785d490cdc7b

Identifiers

  • maven: org.atteo:evo-inflector:1.2.1  Confidence: High

spring-rest-data-exploit-example-0.0.1-SNAPSHOT.jar: spring-tx-4.3.2.RELEASE.jar

Description:

 Spring Transaction

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /var/jenkins_home/workspace/spring-rest-data-exploit/spring-rest-data-exploit/target/spring-rest-data-exploit-example-0.0.1-SNAPSHOT.jar/BOOT-INF/lib/spring-tx-4.3.2.RELEASE.jar
MD5: 6caa4954c5e4dc18f50dadf72a303d4c
SHA1: dd75075485ddebb1f912102527ff91c4bfbae903
SHA256: 79b202a7f4fb15d23f51609811d7c460329b97039790aab0c7d0e39c89687a0d

Identifiers

CVE-2016-9878

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

An issue was discovered in Pivotal Spring Framework before 3.2.18, 4.2.x before 4.2.9, and 4.3.x before 4.3.5. Paths provided to the ResourceServlet were not properly sanitized and as a result exposed to directory traversal attacks.

Vulnerable Software & Versions:

CVE-2018-11039

Severity: Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N)
CWE: CWE-20 Improper Input Validation

Spring Framework (versions 5.0.x prior to 5.0.7, versions 4.3.x prior to 4.3.18, and older unsupported versions) allow web applications to change the HTTP request method to any HTTP method (including TRACE) using the HiddenHttpMethodFilter in Spring MVC. If an application has a pre-existing XSS vulnerability, a malicious user (or attacker) can use this filter to escalate to an XST (Cross Site Tracing) attack.

Vulnerable Software & Versions:

CVE-2018-11040

Severity: Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N)
CWE: CWE-254 7PK - Security Features

Spring Framework, versions 5.0.x prior to 5.0.7 and 4.3.x prior to 4.3.18 and older unsupported versions, allows web applications to enable cross-domain requests via JSONP (JSON with Padding) through AbstractJsonpResponseBodyAdvice for REST controllers and MappingJackson2JsonView for browser requests. Both are not enabled by default in Spring Framework nor Spring Boot, however, when MappingJackson2JsonView is configured in an application, JSONP support is automatically ready to use through the "jsonp" and "callback" JSONP parameters, enabling cross-domain requests.

Vulnerable Software & Versions:

CVE-2018-1199

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-20 Improper Input Validation

Spring Security (Spring Security 4.1.x before 4.1.5, 4.2.x before 4.2.4, and 5.0.x before 5.0.1; and Spring Framework 4.3.x before 4.3.14 and 5.0.x before 5.0.3) does not consider URL path parameters when processing security constraints. By adding a URL path parameter with special encodings, an attacker may be able to bypass a security constraint. The root cause of this issue is a lack of clarity regarding the handling of path parameters in the Servlet Specification. Some Servlet containers include path parameters in the value returned for getPathInfo() and some do not. Spring Security uses the value returned by getPathInfo() as part of the process of mapping requests to security constraints. In this particular attack, different character encodings used in path parameters allow secured Spring MVC static resource URLs to be bypassed.

Vulnerable Software & Versions:

CVE-2018-1257

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:N/A:P)
CWE: CWE-20 Improper Input Validation

Spring Framework, versions 5.0.x prior to 5.0.6, versions 4.3.x prior to 4.3.17, and older unsupported versions allows applications to expose STOMP over WebSocket endpoints with a simple, in-memory STOMP broker through the spring-messaging module. A malicious user (or attacker) can craft a message to the broker that can lead to a regular-expression denial of service attack.

Vulnerable Software & Versions:

CVE-2018-1270

Severity: High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-358 Improperly Implemented Security Check for Standard

Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, allow applications to expose STOMP over WebSocket endpoints with a simple, in-memory STOMP broker through the spring-messaging module. A malicious user (or attacker) can craft a message to the broker that can lead to a remote code execution attack.

Vulnerable Software & Versions:

CVE-2018-1271

Severity: Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N)
CWE: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, allow applications to configure Spring MVC to serve static resources (e.g. CSS, JS, images). When static resources are served from a file system on Windows (as opposed to the classpath, or the ServletContext), a malicious user can send a request using a specially crafted URL that can lead to a directory traversal attack.

Vulnerable Software & Versions:

CVE-2018-1272

Severity: Medium
CVSS Score: 6.0 (AV:N/AC:M/Au:S/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls

Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, provide client-side support for multipart requests. When a Spring MVC or Spring WebFlux server application (server A) receives input from a remote client, and then uses that input to make a multipart request to another server (server B), it can be exposed to an attack where an extra multipart is inserted in the content of the request from server A, causing server B to use the wrong value for a part it expects. This could lead to privilege escalation, for example, if the part content represents a username or user roles.

Vulnerable Software & Versions:

CVE-2018-1275

Severity: High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-358 Improperly Implemented Security Check for Standard

Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.16 and older unsupported versions, allow applications to expose STOMP over WebSocket endpoints with a simple, in-memory STOMP broker through the spring-messaging module. A malicious user (or attacker) can craft a message to the broker that can lead to a remote code execution attack. This CVE addresses the partial fix for CVE-2018-1270 in the 4.3.x branch of the Spring Framework.

Vulnerable Software & Versions:

CVE-2018-15756

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-399 Resource Management Errors

Spring Framework, version 5.1, versions 5.0.x prior to 5.0.10, versions 4.3.x prior to 4.3.20, and older unsupported versions on the 4.2.x branch provide support for range requests when serving static resources through the ResourceHttpRequestHandler, or starting in 5.0 when an annotated controller returns an org.springframework.core.io.Resource. A malicious user (or attacker) can add a range header with a high number of ranges, or with wide ranges that overlap, or both, for a denial of service attack. This vulnerability affects applications that depend on either spring-webmvc or spring-webflux. Such applications must also have a registration for serving static resources (e.g. JS, CSS, images, and others), or have an annotated controller that returns an org.springframework.core.io.Resource. Spring Boot applications that depend on spring-boot-starter-web or spring-boot-starter-webflux are ready to serve static resources out of the box and are therefore vulnerable.

Vulnerable Software & Versions:

spring-rest-data-exploit-example-0.0.1-SNAPSHOT.jar: commons-codec-1.10.jar

Description:

 The Apache Commons Codec package contains simple encoders and decoders for various formats such as Base64 and Hexadecimal. In addition to these widely used encoders and decoders, the codec package also maintains a collection of phonetic encoding utilities.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /var/jenkins_home/workspace/spring-rest-data-exploit/spring-rest-data-exploit/target/spring-rest-data-exploit-example-0.0.1-SNAPSHOT.jar/BOOT-INF/lib/commons-codec-1.10.jar
MD5: 353cf6a2bdba09595ccfa073b78c7fcb
SHA1: 4b95f4897fa13f2cd904aee711aeafc0c5295cd8
SHA256: 4241dfa94e711d435f29a4604a3e2de5c4aa3c165e23bd066be6fc1fc4309569

Identifiers

  • maven: commons-codec:commons-codec:1.10  Confidence: High

spring-rest-data-exploit-example-0.0.1-SNAPSHOT.jar: spring-hateoas-0.20.0.RELEASE.jar

Description:

 Library to support implementing representations for hyper-text driven REST web services.

License:

Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0
File Path: /var/jenkins_home/workspace/spring-rest-data-exploit/spring-rest-data-exploit/target/spring-rest-data-exploit-example-0.0.1-SNAPSHOT.jar/BOOT-INF/lib/spring-hateoas-0.20.0.RELEASE.jar
MD5: 7a37cb87047ab6d870f2f0e107ada1cb
SHA1: 623a5983010e905090f69e55f4e0a63fba195085
SHA256: 1227319c0f92df231e6f234e2f8f4b11d7b9e4255920cfa91d925827b6e6a052

Identifiers

  • maven: org.springframework.hateoas:spring-hateoas:0.20.0.RELEASE  Confidence: High

spring-rest-data-exploit-example-0.0.1-SNAPSHOT.jar: jul-to-slf4j-1.7.21.jar

Description:

 JUL to SLF4J bridge

File Path: /var/jenkins_home/workspace/spring-rest-data-exploit/spring-rest-data-exploit/target/spring-rest-data-exploit-example-0.0.1-SNAPSHOT.jar/BOOT-INF/lib/jul-to-slf4j-1.7.21.jar
MD5: 21b2ed33c9f08f437dfd149755fb769f
SHA1: 2f22c882ffa479d1e9ff4eb0e8e2c29f2a0871ed
SHA256: 446d6dad595ab38a78247a80c631e701ad7e08674f4a67a87deeb4b41c91e8bc

Identifiers

  • maven: org.slf4j:jul-to-slf4j:1.7.21  Confidence: High

spring-rest-data-exploit-example-0.0.1-SNAPSHOT.jar: hibernate-entitymanager-5.0.9.Final.jar

Description:

 Hibernate O/RM implementation of the JPA specification

License:

GNU Lesser General Public License: http://www.gnu.org/licenses/lgpl-2.1.html
File Path: /var/jenkins_home/workspace/spring-rest-data-exploit/spring-rest-data-exploit/target/spring-rest-data-exploit-example-0.0.1-SNAPSHOT.jar/BOOT-INF/lib/hibernate-entitymanager-5.0.9.Final.jar
MD5: 7a2be38fbca3600c09ab83470c6f32bf
SHA1: 9eed86e58baf4a3fb9d5156cf03e59051e2bc6c5
SHA256: 40f869457ac4b14c34f30f94ce16a5eaef77e14e3d7125e36d60a3964dd48381

Identifiers

spring-rest-data-exploit-example-0.0.1-SNAPSHOT.jar: jaxb-core-2.2.11.jar

Description:

 Old JAXB Core module. Contains sources required by XJC, JXC and Runtime modules with dependencies.

License:

http://glassfish.java.net/public/CDDL+GPL_1_1.html
File Path: /var/jenkins_home/workspace/spring-rest-data-exploit/spring-rest-data-exploit/target/spring-rest-data-exploit-example-0.0.1-SNAPSHOT.jar/BOOT-INF/lib/jaxb-core-2.2.11.jar
MD5: c5eca4e58a75eabe3379926803421bab
SHA1: c3f87d654f8d5943cd08592f3f758856544d279a
SHA256: b13da0c655a3d590a2a945553648c407e6347648c9f7a3f811b7b3a8a1974baa

Identifiers

spring-rest-data-exploit-example-0.0.1-SNAPSHOT.jar: jboss-logging-3.3.0.Final.jar

Description:

 The JBoss Logging Framework

License:

Apache License, version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /var/jenkins_home/workspace/spring-rest-data-exploit/spring-rest-data-exploit/target/spring-rest-data-exploit-example-0.0.1-SNAPSHOT.jar/BOOT-INF/lib/jboss-logging-3.3.0.Final.jar
MD5: bc11af4b8ce7138cdc79b7ba8561638c
SHA1: 3616bb87707910296e2c195dc016287080bba5af
SHA256: e0e0595e7f70c464609095aef9e47a8484e05f2f621c0aa5081c18e3db2d498c

Identifiers

  • maven: org.jboss.logging:jboss-logging:3.3.0.Final  Confidence: High

spring-rest-data-exploit-example-0.0.1-SNAPSHOT.jar: logback-core-1.1.7.jar

Description:

 logback-core module

License:

http://www.eclipse.org/legal/epl-v10.html, http://www.gnu.org/licenses/old-licenses/lgpl-2.1.html
File Path: /var/jenkins_home/workspace/spring-rest-data-exploit/spring-rest-data-exploit/target/spring-rest-data-exploit-example-0.0.1-SNAPSHOT.jar/BOOT-INF/lib/logback-core-1.1.7.jar
MD5: 4021551de5018dfa4b79ec553280f00a
SHA1: 7873092d39ef741575ca91378a6a21c388363ac8
SHA256: a500aedf2681fa4850e06698579140bb6233ee0e1878f98862b48ccca4b2f1de

Identifiers

  • maven: ch.qos.logback:logback-core:1.1.7  Confidence: High
  • cpe: cpe:/a:logback:logback:1.1.7  Confidence: Low

CVE-2017-5929

Severity: High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-502 Deserialization of Untrusted Data

QOS.ch Logback before 1.2.0 has a serialization vulnerability affecting the SocketServer and ServerSocketReceiver components.

Vulnerable Software & Versions:

spring-rest-data-exploit-example-0.0.1-SNAPSHOT.jar: javax.transaction-api-1.2.jar

Description:

 Project GlassFish Java Transaction API

License:

CDDL + GPLv2 with classpath exception: https://glassfish.dev.java.net/nonav/public/CDDL+GPL.html
File Path: /var/jenkins_home/workspace/spring-rest-data-exploit/spring-rest-data-exploit/target/spring-rest-data-exploit-example-0.0.1-SNAPSHOT.jar/BOOT-INF/lib/javax.transaction-api-1.2.jar
MD5: 2dfee184286530e726ad155816e15b4c
SHA1: d81aff979d603edd90dcd8db2abc1f4ce6479e3e
SHA256: 9528449583c34d9d63aa1d8d15069790f925ae1f27b33784773b8099eff4c9ff

Identifiers

  • cpe: cpe:/a:fish:fish:1.2  Confidence: Low
  • maven: javax.transaction:javax.transaction-api:1.2  Confidence: High

spring-rest-data-exploit-example-0.0.1-SNAPSHOT.jar: jandex-2.0.0.Final.jar

Description:

 Parent POM for JBoss projects. Provides default project build configuration.

License:

Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /var/jenkins_home/workspace/spring-rest-data-exploit/spring-rest-data-exploit/target/spring-rest-data-exploit-example-0.0.1-SNAPSHOT.jar/BOOT-INF/lib/jandex-2.0.0.Final.jar
MD5: a76f6c70f99b5d9c6cd14180df0b6df1
SHA1: 3e899258936f94649c777193e1be846387ed54b3
SHA256: 09dccab9584a610d6d067909edd7149ef9b535cad73fe65dde270b75251ddde9

Identifiers

  • maven: org.jboss:jandex:2.0.0.Final  Confidence:High

spring-rest-data-exploit-example-0.0.1-SNAPSHOT.jar: spring-plugin-core-1.2.0.RELEASE.jar

Description:

 Core plugin infrastructure

File Path: /var/jenkins_home/workspace/spring-rest-data-exploit/spring-rest-data-exploit/target/spring-rest-data-exploit-example-0.0.1-SNAPSHOT.jar/BOOT-INF/lib/spring-plugin-core-1.2.0.RELEASE.jar
MD5: 4e6325e5ed2c1aa1949313c184d83640
SHA1: f380e7760032e7d929184f8ad8a33716b75c0657
SHA256: de8d411556cccbb9a68a4b40f847e473593336412de86fb3f6f7f61f3923c09e

Identifiers

  • maven: org.springframework.plugin:spring-plugin-core:1.2.0.RELEASE  Confidence:High

spring-rest-data-exploit-example-0.0.1-SNAPSHOT.jar: httpcore-4.4.5.jar

Description:

 Apache HttpComponents Core (blocking I/O)

File Path: /var/jenkins_home/workspace/spring-rest-data-exploit/spring-rest-data-exploit/target/spring-rest-data-exploit-example-0.0.1-SNAPSHOT.jar/BOOT-INF/lib/httpcore-4.4.5.jar
MD5: 77e3c6477ecd4112078869b023d93ae5
SHA1: e7501a1b34325abb00d17dde96150604a0658b54
SHA256: 64d5453874cab7e40a7065cb01a9a9ca1053845a9786b478878b679e0580cec3

Identifiers

  • maven: org.apache.httpcomponents:httpcore:4.4.5  Confidence:High

spring-rest-data-exploit-example-0.0.1-SNAPSHOT.jar: dom4j-1.6.1.jar

Description:

 dom4j: the flexible XML framework for Java

File Path: /var/jenkins_home/workspace/spring-rest-data-exploit/spring-rest-data-exploit/target/spring-rest-data-exploit-example-0.0.1-SNAPSHOT.jar/BOOT-INF/lib/dom4j-1.6.1.jar
MD5: 4d8f51d3fe3900efc6e395be48030d6d
SHA1: 5d3ccc056b6f056dbf0dddfdf43894b9065a8f94
SHA256: 593552ffea3c5823c6602478b5002a7c525fd904a3c44f1abe4065c22edfac73

Identifiers

CVE-2018-1000632  

Severity:Medium
CVSS Score: 6.4 (AV:N/AC:L/Au:N/C:N/I:P/A:P)
CWE: CWE-91 XML Injection (aka Blind XPath Injection)

dom4j versions prior to 2.1.1 contain a CWE-91 XML Injection vulnerability in the Element class (methods addElement and addAttribute) that lets an attacker tamper with XML documents through XML injection. It is exploitable when an attacker can specify the attributes or elements that are placed into the XML document. Fixed in 2.1.1 and later; the 1.6.1 jar here is well inside the affected range.

Vulnerable Software & Versions:

spring-rest-data-exploit-example-0.0.1-SNAPSHOT.jar: spring-data-commons-1.12.2.RELEASE.jar

File Path: /var/jenkins_home/workspace/spring-rest-data-exploit/spring-rest-data-exploit/target/spring-rest-data-exploit-example-0.0.1-SNAPSHOT.jar/BOOT-INF/lib/spring-data-commons-1.12.2.RELEASE.jar
MD5: be9736c1ae900b759f169e38bab8aad1
SHA1: a827ed936b8685c19eecda0abb86fb86193ddffc
SHA256: 43223e76f532f43d55b1f10c27a562ca84e5190f6cdb5d3d683a7339a86ffb69

Identifiers

  • maven: org.springframework.data:spring-data-commons:1.12.2.RELEASE  Confidence:High
  • cpe: cpe:/a:pivotal_software:spring_data_commons:1.12.2  Confidence:Low  

CVE-2018-1273  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-20 Improper Input Validation

Spring Data Commons, versions 1.13 to 1.13.10, 2.0 to 2.0.5, and older unsupported versions (the 1.12.2 jar here is one of those), contain a property binder vulnerability caused by improper neutralization of special elements. An unauthenticated remote attacker can supply specially crafted request parameters against Spring Data REST backed HTTP resources, or use Spring Data's projection-based request payload binding, to achieve remote code execution.

Vulnerable Software & Versions:

spring-rest-data-exploit-example-0.0.1-SNAPSHOT.jar: spring-data-jpa-1.10.2.RELEASE.jar

Description:

 Spring Data module for JPA repositories.

File Path: /var/jenkins_home/workspace/spring-rest-data-exploit/spring-rest-data-exploit/target/spring-rest-data-exploit-example-0.0.1-SNAPSHOT.jar/BOOT-INF/lib/spring-data-jpa-1.10.2.RELEASE.jar
MD5: 119aa34694330d73f70663ae1d4710f3
SHA1: 5da5131a02365790d38469cd3bae778e4891daff
SHA256: b849d926eb659d68ea04abc11fbf23dc9c5b7b7e781aeaee8af053650ce8fbdd

Identifiers

CVE-2016-6652  

Severity:Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

SQL injection vulnerability in Pivotal Spring Data JPA before 1.9.6 (Gosling SR6) and 1.10.x before 1.10.4 (Hopper SR4), when used with a repository that defines a String query using the @Query annotation, allows attackers to execute arbitrary JPQL commands via a sort instance with a function call.

Vulnerable Software & Versions:

spring-rest-data-exploit-example-0.0.1-SNAPSHOT.jar: validation-api-1.1.0.Final.jar

Description:

 Bean Validation API

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /var/jenkins_home/workspace/spring-rest-data-exploit/spring-rest-data-exploit/target/spring-rest-data-exploit-example-0.0.1-SNAPSHOT.jar/BOOT-INF/lib/validation-api-1.1.0.Final.jar
MD5: 4c257f52462860b62ab3cdab45f53082
SHA1: 8613ae82954779d518631e05daa73a6a954817d5
SHA256: f39d7ba7253e35f5ac48081ec1bc28c5df9b32ac4b7db20853e5a8e76bf7b0ed

Identifiers

  • maven: javax.validation:validation-api:1.1.0.Final  Confidence:High

spring-rest-data-exploit-example-0.0.1-SNAPSHOT.jar: classmate-1.3.1.jar

Description:

 Library for introspecting types with full generic information, including resolving of field and method types.

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /var/jenkins_home/workspace/spring-rest-data-exploit/spring-rest-data-exploit/target/spring-rest-data-exploit-example-0.0.1-SNAPSHOT.jar/BOOT-INF/lib/classmate-1.3.1.jar
MD5: ec2f1109b7020232c6350fd9ded3e40b
SHA1: 02ad2fd09dcf5607ca96f8ef432096a96986c40a
SHA256: c2585bca1fd36a1e6bc7c94c4459ec65e3aa393cbfcee204fd134ed018bfd22f

Identifiers

  • maven: com.fasterxml:classmate:1.3.1  Confidence:High

spring-rest-data-exploit-example-0.0.1-SNAPSHOT.jar: antlr-2.7.7.jar

Description:

 A framework for constructing recognizers, compilers, and translators from grammatical descriptions containing Java, C#, C++, or Python actions.

License:

BSD License: http://www.antlr.org/license.html
File Path: /var/jenkins_home/workspace/spring-rest-data-exploit/spring-rest-data-exploit/target/spring-rest-data-exploit-example-0.0.1-SNAPSHOT.jar/BOOT-INF/lib/antlr-2.7.7.jar
MD5: f8f1352c52a4c6a500b597596501fc64
SHA1: 83cd2cd674a217ade95a4bb83a8a14f351f48bd0
SHA256: 88fbda4b912596b9f56e8e12e580cc954bacfb51776ecfddd3e18fc1cf56dc4c

Identifiers

spring-rest-data-exploit-example-0.0.1-SNAPSHOT.jar: aspectjweaver-1.8.9.jar

Description:

 The AspectJ weaver introduces advices to java classes

License:

Eclipse Public License - v 1.0: http://www.eclipse.org/legal/epl-v10.html
File Path: /var/jenkins_home/workspace/spring-rest-data-exploit/spring-rest-data-exploit/target/spring-rest-data-exploit-example-0.0.1-SNAPSHOT.jar/BOOT-INF/lib/aspectjweaver-1.8.9.jar
MD5: 304a51bce49f52a26bb79f3fd0b58325
SHA1: db28774f477f07220eac18d5ec9c4e01f48589d7
SHA256: 5e41d39eca300e2d8e6067f5660d70dcc66ec2da9cbd46a3d5985e609d1e6ecf

Identifiers

spring-rest-data-exploit-example-0.0.1-SNAPSHOT.jar: spring-core-4.3.2.RELEASE.jar

Description:

 Spring Core

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /var/jenkins_home/workspace/spring-rest-data-exploit/spring-rest-data-exploit/target/spring-rest-data-exploit-example-0.0.1-SNAPSHOT.jar/BOOT-INF/lib/spring-core-4.3.2.RELEASE.jar
MD5: 5f8ff7aad0b4fed535d01004657a4506
SHA1: fd2f3cf45d3c84f293cb7ee3ab7d24c979495552
SHA256: e372c7d92e9cf23075dfaea8640d63df318f8efdb98853a76c7d1a894b38d730

Identifiers

CVE-2016-9878  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

An issue was discovered in Pivotal Spring Framework before 3.2.18, 4.2.x before 4.2.9, and 4.3.x before 4.3.5. Paths provided to the ResourceServlet were not properly sanitized and as a result exposed to directory traversal attacks.

Vulnerable Software & Versions:

CVE-2018-11039  

Severity:Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N)
CWE: CWE-20 Improper Input Validation

Spring Framework (versions 5.0.x prior to 5.0.7, versions 4.3.x prior to 4.3.18, and older unsupported versions) allow web applications to change the HTTP request method to any HTTP method (including TRACE) using the HiddenHttpMethodFilter in Spring MVC. If an application has a pre-existing XSS vulnerability, a malicious user (or attacker) can use this filter to escalate to an XST (Cross Site Tracing) attack.

Vulnerable Software & Versions:

CVE-2018-11040  

Severity:Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N)
CWE: CWE-254 7PK - Security Features

Spring Framework, versions 5.0.x prior to 5.0.7 and 4.3.x prior to 4.3.18 and older unsupported versions, allows web applications to enable cross-domain requests via JSONP (JSON with Padding) through AbstractJsonpResponseBodyAdvice for REST controllers and MappingJackson2JsonView for browser requests. Both are not enabled by default in Spring Framework nor Spring Boot, however, when MappingJackson2JsonView is configured in an application, JSONP support is automatically ready to use through the "jsonp" and "callback" JSONP parameters, enabling cross-domain requests.

Vulnerable Software & Versions:

CVE-2018-1199  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-20 Improper Input Validation

Spring Security (Spring Security 4.1.x before 4.1.5, 4.2.x before 4.2.4, and 5.0.x before 5.0.1; and Spring Framework 4.3.x before 4.3.14 and 5.0.x before 5.0.3) does not consider URL path parameters when processing security constraints. By adding a URL path parameter with special encodings, an attacker may be able to bypass a security constraint. The root cause of this issue is a lack of clarity regarding the handling of path parameters in the Servlet Specification. Some Servlet containers include path parameters in the value returned for getPathInfo() and some do not. Spring Security uses the value returned by getPathInfo() as part of the process of mapping requests to security constraints. In this particular attack, different character encodings used in path parameters allows secured Spring MVC static resource URLs to be bypassed.

Vulnerable Software & Versions:

CVE-2018-1257  

Severity:Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:N/A:P)
CWE: CWE-20 Improper Input Validation

Spring Framework, versions 5.0.x prior to 5.0.6, versions 4.3.x prior to 4.3.17, and older unsupported versions allow applications to expose STOMP over WebSocket endpoints with a simple, in-memory STOMP broker through the spring-messaging module. A malicious user (or attacker) can craft a message to the broker that leads to a regular expression denial of service (ReDoS) attack.

Vulnerable Software & Versions:

CVE-2018-1270  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-358 Improperly Implemented Security Check for Standard

Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, allow applications to expose STOMP over WebSocket endpoints with a simple, in-memory STOMP broker through the spring-messaging module. A malicious user (or attacker) can craft a message to the broker that can lead to a remote code execution attack.

Vulnerable Software & Versions:

CVE-2018-1271  

Severity:Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N)
CWE: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, allow applications to configure Spring MVC to serve static resources (e.g. CSS, JS, images). When static resources are served from a file system on Windows (as opposed to the classpath or the ServletContext), a malicious user can send a request using a specially crafted URL that leads to a directory traversal attack.

Vulnerable Software & Versions:

CVE-2018-1272  

Severity:Medium
CVSS Score: 6.0 (AV:N/AC:M/Au:S/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls

Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, provide client-side support for multipart requests. When a Spring MVC or Spring WebFlux server application (server A) receives input from a remote client and then uses that input to make a multipart request to another server (server B), it can be exposed to an attack where an extra multipart is inserted into the content of the request from server A, causing server B to use the wrong value for a part it expects. This could lead to privilege escalation, for example if the part content represents a username or user roles.

Vulnerable Software & Versions:

CVE-2018-1275  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-358 Improperly Implemented Security Check for Standard

Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.16 and older unsupported versions, allow applications to expose STOMP over WebSocket endpoints with a simple, in-memory STOMP broker through the spring-messaging module. A malicious user (or attacker) can craft a message to the broker that can lead to a remote code execution attack. This CVE addresses the partial fix for CVE-2018-1270 in the 4.3.x branch of the Spring Framework.

Vulnerable Software & Versions:

CVE-2018-15756  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-399 Resource Management Errors

Spring Framework, version 5.1, versions 5.0.x prior to 5.0.10, versions 4.3.x prior to 4.3.20, and older unsupported versions on the 4.2.x branch provide support for range requests when serving static resources through the ResourceHttpRequestHandler, or starting in 5.0 when an annotated controller returns an org.springframework.core.io.Resource. A malicious user (or attacker) can add a range header with a high number of ranges, or with wide ranges that overlap, or both, for a denial of service attack. This vulnerability affects applications that depend on either spring-webmvc or spring-webflux. Such applications must also have a registration for serving static resources (e.g. JS, CSS, images, and others), or have an annotated controller that returns an org.springframework.core.io.Resource. Spring Boot applications that depend on spring-boot-starter-web or spring-boot-starter-webflux are ready to serve static resources out of the box and are therefore vulnerable.

Vulnerable Software & Versions:
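CVE-2018-15756 is a request-shape problem rather than a parsing bug: the resource handler does work proportional to the number and width of the byte ranges it is asked for, and a Boot application with spring-boot-starter-web serves static resources by default. Until spring-core is upgraded (4.3.20 or later per the text above), a front-end filter or reverse proxy can refuse Range headers that carry many ranges or overlapping ranges. The following is an added example, not code from the report or from Spring; the `MAX_RANGES` threshold and the sample header values are constructed assumptions.

```python
from typing import List, Optional, Tuple

MAX_RANGES = 10   # assumption: browsers and download managers send far fewer


def parse_byte_ranges(header: str, length: int) -> List[Tuple[int, int]]:
    """Parse a Range value ('bytes=0-99,-500,900-') into inclusive
    (first, last) byte offsets for a resource of the given length.
    Raises ValueError on syntax errors or ranges that cannot be satisfied."""
    if not header.startswith("bytes="):
        raise ValueError("only byte ranges are supported")
    ranges: List[Tuple[int, int]] = []
    for spec in header[len("bytes="):].split(","):
        spec = spec.strip()
        first, sep, last = spec.partition("-")
        if not sep or (not first and not last):
            raise ValueError(f"malformed range spec {spec!r}")
        if not first:                          # suffix form: last N bytes
            n = int(last)                      # int() raises on junk
            if n == 0:
                raise ValueError("empty suffix range")
            start, end = max(length - n, 0), length - 1
        else:
            start = int(first)
            end = int(last) if last else length - 1
            if start >= length or end < start:
                raise ValueError(f"unsatisfiable range {spec!r}")
            end = min(end, length - 1)         # clamp to the resource
        ranges.append((start, end))
    return ranges


def range_request_verdict(header: str, length: int,
                          max_ranges: int = MAX_RANGES) -> Optional[str]:
    """None if the request may be served; otherwise the reason to refuse it
    (416 for unsatisfiable ranges, 400 for the abusive shapes)."""
    try:
        ranges = parse_byte_ranges(header, length)
    except ValueError as exc:
        return f"malformed: {exc}"
    if len(ranges) > max_ranges:
        return f"too many ranges ({len(ranges)} > {max_ranges})"
    ordered = sorted(ranges)
    # Any range that starts at or before the previous one's end overlaps it.
    for (s1, e1), (s2, e2) in zip(ordered, ordered[1:]):
        if s2 <= e1:
            return f"overlapping ranges {(s1, e1)} and {(s2, e2)}"
    return None


# Constructed header values (not captured traffic) for a self-check.
SAMPLE_REQUESTS = [
    ("bytes=0-99,200-299", 1000),                                 # fine
    ("bytes=0-500,100-600", 1000),                                # overlap
    ("bytes=" + ",".join(f"{i}-{i}" for i in range(50)), 1000),   # too many
    ("bytes=5000-6000", 1000),                                    # unsatisfiable
]

if __name__ == "__main__":
    for header, length in SAMPLE_REQUESTS:
        verdict = range_request_verdict(header, length)
        print(repr(header[:40]), "->", verdict or "serve")
```

Overlap rejection is stricter than RFC 7233 requires (servers may coalesce overlapping ranges), but for an application that only serves small static assets nothing legitimate is lost, and the check is cheap compared to the work it prevents.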

spring-rest-data-exploit-example-0.0.1-SNAPSHOT.jar: jackson-databind-2.8.1.jar

Description:

 General data-binding functionality for Jackson: works on core streaming API

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /var/jenkins_home/workspace/spring-rest-data-exploit/spring-rest-data-exploit/target/spring-rest-data-exploit-example-0.0.1-SNAPSHOT.jar/BOOT-INF/lib/jackson-databind-2.8.1.jar
MD5: ea9e974ead306a615eb8d8cb50fb93d9
SHA1: c04eb2cc599cd1742889bfa7cc41878db0d152f5
SHA256: 0bbf7a039135fefee20d6205bef4f72a42eed5713a144acfb32d422ec450cc9d

Identifiers

CVE-2017-15095  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-502 Deserialization of Untrusted Data

A deserialization flaw was discovered in the jackson-databind in versions before 2.8.10 and 2.9.1, which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper. This issue extends the previous flaw CVE-2017-7525 by blacklisting more classes that could be used maliciously.

Vulnerable Software & Versions:

CVE-2017-17485  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-502 Deserialization of Untrusted Data

FasterXML jackson-databind through 2.8.10 and 2.9.x through 2.9.3 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the Spring libraries are available in the classpath.

Vulnerable Software & Versions:

CVE-2017-7525  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-502 Deserialization of Untrusted Data

A deserialization flaw was discovered in the jackson-databind, versions before 2.6.7.1, 2.7.9.1 and 2.8.9, which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper.

Vulnerable Software & Versions:

CVE-2018-1000873  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-20 Improper Input Validation

FasterXML jackson-modules-java8 before 2.9.8 contains a CWE-20 Improper Input Validation vulnerability that can cause a denial of service (DoS). It is exploitable when the victim deserializes malicious input, specifically very large values in the nanoseconds field of a time value. Fixed in 2.9.8. Note that the affected code is in the Java 8 date/time module (jackson-datatype-jsr310) rather than in jackson-databind itself, so confirm whether that module is on the classpath before treating this as a databind finding.

Vulnerable Software & Versions:

CVE-2018-14719  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-502 Deserialization of Untrusted Data

FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to execute arbitrary code by leveraging failure to block the blaze-ds-opt and blaze-ds-core classes from polymorphic deserialization.

Vulnerable Software & Versions:

CVE-2018-14720  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-611 Improper Restriction of XML External Entity Reference ('XXE')

FasterXML jackson-databind 2.x before 2.9.7 might allow attackers to conduct external XML entity (XXE) attacks by leveraging failure to block unspecified JDK classes from polymorphic deserialization.

Vulnerable Software & Versions:

CVE-2018-14721  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-918 Server-Side Request Forgery (SSRF)

FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to conduct server-side request forgery (SSRF) attacks by leveraging failure to block the axis2-jaxws class from polymorphic deserialization.

Vulnerable Software & Versions:

CVE-2018-19360  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-502 Deserialization of Untrusted Data

FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the axis2-transport-jms class from polymorphic deserialization.

Vulnerable Software & Versions:

CVE-2018-19361  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-502 Deserialization of Untrusted Data

FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the openjpa class from polymorphic deserialization.

Vulnerable Software & Versions:

CVE-2018-19362  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-502 Deserialization of Untrusted Data

FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the jboss-common-core class from polymorphic deserialization.

Vulnerable Software & Versions:

CVE-2018-5968  

Severity:Medium
CVSS Score: 5.1 (AV:N/AC:H/Au:N/C:P/I:P/A:P)
CWE: CWE-184 Incomplete Blacklist

FasterXML jackson-databind through 2.8.11 and 2.9.x through 2.9.3 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 and CVE-2017-17485 deserialization flaws. This is exploitable via two different gadgets that bypass a blacklist.

Vulnerable Software & Versions:

CVE-2018-7489  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-184 Incomplete Blacklist

FasterXML jackson-databind before 2.7.9.3, 2.8.x before 2.8.11.1 and 2.9.x before 2.9.5 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the c3p0 libraries are available in the classpath.

Vulnerable Software & Versions:
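Every jackson-databind entry above is the same mechanism: a JSON document that carries a type id is turned into an instance of whichever class the id names, and each CVE is one more class the deny list failed to cover (Spring, c3p0, blaze-ds, axis2, openjpa, jboss-common-core). The durable fix is the upgrade (2.9.8 or later per the texts above) together with never enabling default typing on input an attacker can write. As an added example that is not from the report or from Jackson, the following walks request bodies and reports where a type id could be read from, in the three shapes Jackson uses for one: a type-id property (`@class`, `@c` or `@type`), a two-element wrapper array, or a single-key wrapper object. The sample bodies and the `com.example.Widget` name are constructed. It flags the shape, not particular gadget classes, so it is triage input for access logs or a WAF rule, not a deny list.

```python
import json
import re
from typing import Any, List, Tuple

# Property names Jackson uses for type ids with JsonTypeInfo.As.PROPERTY:
# "@class" (Id.CLASS), "@c" (Id.MINIMAL_CLASS), "@type" (Id.NAME).
TYPE_ID_KEYS = {"@class", "@c", "@type"}
# Shaped like a fully qualified Java class name: two or more package
# segments followed by a capitalised simple name.
_FQCN = re.compile(r"^(?:[A-Za-z_$][\w$]*\.){2,}[A-Z][\w$]*$")


def looks_like_fqcn(value: Any) -> bool:
    return isinstance(value, str) and _FQCN.match(value) is not None


def find_type_hints(node: Any, path: str = "$") -> List[Tuple[str, str]]:
    """Walk a parsed JSON document and return (json_path, type_id) pairs for
    every position a polymorphic deserializer could take a type id from."""
    hits: List[Tuple[str, str]] = []
    if isinstance(node, dict):
        for key, value in node.items():
            if key in TYPE_ID_KEYS and isinstance(value, str):
                hits.append((f"{path}.{key}", value))        # As.PROPERTY
            elif len(node) == 1 and looks_like_fqcn(key):
                hits.append((f"{path}.{key}", key))          # As.WRAPPER_OBJECT
            hits.extend(find_type_hints(value, f"{path}.{key}"))
    elif isinstance(node, list):
        if len(node) == 2 and looks_like_fqcn(node[0]):
            hits.append((f"{path}[0]", node[0]))             # As.WRAPPER_ARRAY
        for i, value in enumerate(node):
            hits.extend(find_type_hints(value, f"{path}[{i}]"))
    return hits


def scan_body(body: str) -> List[Tuple[str, str]]:
    """Type-id hits for a raw request body; non-JSON bodies yield nothing."""
    try:
        doc = json.loads(body)
    except ValueError:       # json.JSONDecodeError is a ValueError subclass
        return []
    return find_type_hints(doc)


# Constructed request bodies (not captured traffic) for a self-check.
SAMPLE_BODIES = {
    "plain":   '{"name": "alice", "roles": ["admin", "dev"]}',
    "wrapped": '{"id": 7, "payload": ["com.example.Widget", {"size": 3}]}',
    "prop":    '{"@class": "com.example.Widget", "size": 3}',
    "object":  '{"com.example.Widget": {"size": 3}}',
}

if __name__ == "__main__":
    for name, body in SAMPLE_BODIES.items():
        print(name, scan_body(body) or "no type ids")
```

A hit is only meaningful against the endpoint's contract: an API that never declares polymorphic types should see zero type ids in legitimate traffic, so any hit on such an endpoint is worth alerting on, while an API that does use `@JsonTypeInfo` needs an allow list of the ids it expects.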

spring-rest-data-exploit-example-0.0.1-SNAPSHOT.jar: spring-boot-starter-data-rest-1.4.0.RELEASE.jar

Description:

 Starter for exposing Spring Data repositories over REST using Spring Data REST

File Path: /var/jenkins_home/workspace/spring-rest-data-exploit/spring-rest-data-exploit/target/spring-rest-data-exploit-example-0.0.1-SNAPSHOT.jar/BOOT-INF/lib/spring-boot-starter-data-rest-1.4.0.RELEASE.jar
MD5: 31ef07aab5d6a51969804db2f3460a2f
SHA1: 7f3cf7e363db99fcd7f5382eaeac40a69dce3002
SHA256: ed2bdf6c1ab767474f90a746cedef5f4fcbb32410c676eda5cfa60603af82f2e

Identifiers

  • maven: org.springframework.boot:spring-boot-starter-data-rest:1.4.0.RELEASE  Confidence:High

spring-rest-data-exploit-example-0.0.1-SNAPSHOT.jar: jaxb-api-2.2.11.jar

Description:

 JAXB (JSR 222) API

License:

CDDL 1.1: https://glassfish.java.net/public/CDDL+GPL_1_1.html
GPL2 w/ CPE: https://glassfish.java.net/public/CDDL+GPL_1_1.html
File Path: /var/jenkins_home/workspace/spring-rest-data-exploit/spring-rest-data-exploit/target/spring-rest-data-exploit-example-0.0.1-SNAPSHOT.jar/BOOT-INF/lib/jaxb-api-2.2.11.jar
MD5: 5983d1e2ec1a9b0604575cd9e9582591
SHA1: 32274d4244967ff43e7a5d967743d94ed3d2aea7
SHA256: 273d82f8653b53ad9d00ce2b2febaef357e79a273560e796ff3fcfec765f8910

Identifiers

  • maven: javax.xml.bind:jaxb-api:2.2.11  Confidence:High

spring-rest-data-exploit-example-0.0.1-SNAPSHOT.jar: httpclient-4.5.2.jar

Description:

 Apache HttpComponents Client

File Path: /var/jenkins_home/workspace/spring-rest-data-exploit/spring-rest-data-exploit/target/spring-rest-data-exploit-example-0.0.1-SNAPSHOT.jar/BOOT-INF/lib/httpclient-4.5.2.jar
MD5: e0a45df625cb96b69505e59bb25a0189
SHA1: 733db77aa8d9b2d68015189df76ab06304406e50
SHA256: 0dffc621400d6c632f55787d996b8aeca36b30746a716e079a985f24d8074057

Identifiers

  • cpe: cpe:/a:apache:httpclient:4.5.2  Confidence:Low  
  • maven: org.apache.httpcomponents:httpclient:4.5.2  Confidence:High

spring-rest-data-exploit-example-0.0.1-SNAPSHOT.jar: tomcat-embed-core-8.5.4.jar

Description:

 Core Tomcat implementation

License:

Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /var/jenkins_home/workspace/spring-rest-data-exploit/spring-rest-data-exploit/target/spring-rest-data-exploit-example-0.0.1-SNAPSHOT.jar/BOOT-INF/lib/tomcat-embed-core-8.5.4.jar
MD5: 1bb91a06e004c1c509deb8119c88ebb8
SHA1: 48ee085e4b3f71e98535e4c17c0ce1394812a94a
SHA256: 21cf3bdcb6409e0d24caf48ca2eff3c809299ecce4ee7ae573afee6841412761

Identifiers

spring-rest-data-exploit-example-0.0.1-SNAPSHOT.jar: hibernate-validator-5.2.4.Final.jar

Description:

 Hibernate's Bean Validation (JSR-303) reference implementation.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /var/jenkins_home/workspace/spring-rest-data-exploit/spring-rest-data-exploit/target/spring-rest-data-exploit-example-0.0.1-SNAPSHOT.jar/BOOT-INF/lib/hibernate-validator-5.2.4.Final.jar
MD5: 7b98dcb67a8ac9fe2697d10bf123cba9
SHA1: fb18766b576aa6632bcfe9a20a023cbd52bf9769
SHA256: fc7e2ed4079859f61390932a4f4cd5b2447e1ebc77d4915badb1a0655588697a

Identifiers

  • cpe: cpe:/a:hibernate:hibernate_validator:5.2.4  Confidence:Low  
  • maven: org.hibernate:hibernate-validator:5.2.4.Final  Confidence:High

spring-rest-data-exploit-example-0.0.1-SNAPSHOT.jar: jcl-over-slf4j-1.7.21.jar

Description:

 JCL 1.1.1 implemented over SLF4J

File Path: /var/jenkins_home/workspace/spring-rest-data-exploit/spring-rest-data-exploit/target/spring-rest-data-exploit-example-0.0.1-SNAPSHOT.jar/BOOT-INF/lib/jcl-over-slf4j-1.7.21.jar
MD5: 49956e8cf1ce48b1d8933c2d9b975d61
SHA1: 331b564a3a42f002a0004b039c1c430da89062cd
SHA256: 686b9dab357b7b665b969bbbf3dcdc67edd88ee9500699e893b5e70927be5e3f

Identifiers

  • maven: org.slf4j:jcl-over-slf4j:1.7.21  Confidence:High

spring-rest-data-exploit-example-0.0.1-SNAPSHOT.jar: hibernate-commons-annotations-5.0.1.Final.jar

Description:

 Common reflection code used in support of annotation processing

License:

GNU Lesser General Public License: http://www.gnu.org/licenses/lgpl-2.1.html
File Path: /var/jenkins_home/workspace/spring-rest-data-exploit/spring-rest-data-exploit/target/spring-rest-data-exploit-example-0.0.1-SNAPSHOT.jar/BOOT-INF/lib/hibernate-commons-annotations-5.0.1.Final.jar
MD5: 2a9d6f5a4ece96557bc4300ecc4486fb
SHA1: 71e1cff3fcb20d3b3af4f3363c3ddb24d33c6879
SHA256: 9431ca05c335f9b6ec550f5d65ad56047a5f336e2d41cce4067591d20c4e51df

Identifiers

spring-rest-data-exploit-example-0.0.1-SNAPSHOT.jar: activation-1.1.1.jar

Description:

 The JavaBeans(TM) Activation Framework is used by the JavaMail(TM) API to manage MIME data

License:

COMMON DEVELOPMENT AND DISTRIBUTION LICENSE (CDDL) Version 1.0: https://glassfish.dev.java.net/public/CDDLv1.0.html
File Path: /var/jenkins_home/workspace/spring-rest-data-exploit/spring-rest-data-exploit/target/spring-rest-data-exploit-example-0.0.1-SNAPSHOT.jar/BOOT-INF/lib/activation-1.1.1.jar
MD5: 46a37512971d8eca81c3fcf245bf07d2
SHA1: 485de3a253e23f645037828c07f1d7f1af40763a
SHA256: ae475120e9fcd99b4b00b38329bd61cdc5eb754eee03fe66c01f50e137724f99

Identifiers

spring-rest-data-exploit-example-0.0.1-SNAPSHOT.jar: slf4j-api-1.7.21.jar

Description:

 The slf4j API

File Path: /var/jenkins_home/workspace/spring-rest-data-exploit/spring-rest-data-exploit/target/spring-rest-data-exploit-example-0.0.1-SNAPSHOT.jar/BOOT-INF/lib/slf4j-api-1.7.21.jar
MD5: c9be56284a92dcb2576679282eff80bf
SHA1: 139535a69a4239db087de9bab0bee568bf8e0b70
SHA256: 1d5aeb6bd98b0fdd151269eae941c05f6468a791ea0f1e68d8e7fe518af3e7df

Identifiers

  • maven: org.slf4j:slf4j-api:1.7.21  Confidence:High

spring-rest-data-exploit-example-0.0.1-SNAPSHOT.jar: tomcat-embed-el-8.5.4.jar

Description:

 Core Tomcat implementation

License:

Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /var/jenkins_home/workspace/spring-rest-data-exploit/spring-rest-data-exploit/target/spring-rest-data-exploit-example-0.0.1-SNAPSHOT.jar/BOOT-INF/lib/tomcat-embed-el-8.5.4.jar
MD5: eafe280cf5a6b269a9086eed1ef07590
SHA1: 2d53f2e3b6b456cb7ac82e1549a944db7f5b05bf
SHA256: 6da157decb3d75976bd4d07f5d8ce5210a8656240b54543321642ea095f950b4

Identifiers

spring-rest-data-exploit-example-0.0.1-SNAPSHOT.jar: h2-1.4.192.jar

Description:

 H2 Database Engine

License:

MPL 2.0 or EPL 1.0: http://h2database.com/html/license.html
File Path: /var/jenkins_home/workspace/spring-rest-data-exploit/spring-rest-data-exploit/target/spring-rest-data-exploit-example-0.0.1-SNAPSHOT.jar/BOOT-INF/lib/h2-1.4.192.jar
MD5: 8e161053d21949a13e0918550cd5d2ca
SHA1: 1106492605db135523d2817881cdf029d9292afa
SHA256: 225b22e9857235c46c93861410b60b8c81c10dc8985f4faf188985ba5445126c

Identifiers

  • cpe: cpe:/a:h2database:h2:1.4.192  Confidence:Low  
  • maven: com.h2database:h2:1.4.192   Confidence:Highest

spring-rest-data-exploit-example-0.0.1-SNAPSHOT.jar: javassist-3.20.0-GA.jar

Description:

 Javassist (JAVA programming ASSISTant) makes Java bytecode manipulation simple. It is a class library for editing bytecodes in Java.

License:

MPL 1.1: http://www.mozilla.org/MPL/MPL-1.1.html
LGPL 2.1: http://www.gnu.org/licenses/lgpl-2.1.html
Apache License 2.0: http://www.apache.org/licenses/
File Path: /var/jenkins_home/workspace/spring-rest-data-exploit/spring-rest-data-exploit/target/spring-rest-data-exploit-example-0.0.1-SNAPSHOT.jar/BOOT-INF/lib/javassist-3.20.0-GA.jar
MD5: a89dd7907d76e061ec2c07e762a74256
SHA1: a9cbcdfb7e9f86fbc74d3afae65f2248bfbf82a0
SHA256: d7691062fb779c2381640c8f72acba2c23873b01c243866d41c15dc4c8848ea2

Identifiers

  • maven: org.javassist:javassist:3.20.0-GA  Confidence:High

spring-rest-data-exploit-example-0.0.1-SNAPSHOT.jar: xml-apis-1.4.01.jar

Description:

 xml-commons provides an Apache-hosted set of DOM, SAX, and JAXP interfaces for use in other xml-based projects. Our hope is that we can standardize on both a common version and packaging scheme for these critical XML standards interfaces to make the lives of both our developers and users easier. The External Components portion of xml-commons contains interfaces that are defined by external standards organizations. For DOM, that's the W3C; for SAX it's David Megginson and sax.sourceforge.net; for JAXP it's Sun.

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
The SAX License: http://www.saxproject.org/copying.html
The W3C License: http://www.w3.org/TR/2004/REC-DOM-Level-3-Core-20040407/java-binding.zip
File Path: /var/jenkins_home/workspace/spring-rest-data-exploit/spring-rest-data-exploit/target/spring-rest-data-exploit-example-0.0.1-SNAPSHOT.jar/BOOT-INF/lib/xml-apis-1.4.01.jar
MD5: 7eaad6fea5925cca6c36ee8b3e02ac9d
SHA1: 3789d9fada2d3d458c4ba2de349d48780f381ee3
SHA256: a840968176645684bb01aed376e067ab39614885f9eee44abe35a5f20ebe7fad

Identifiers

spring-rest-data-exploit-example-0.0.1-SNAPSHOT.jar: h2-1.4.192.jar: data.zip: tree.js

File Path: /var/jenkins_home/workspace/spring-rest-data-exploit/spring-rest-data-exploit/target/spring-rest-data-exploit-example-0.0.1-SNAPSHOT.jar/BOOT-INF/lib/h2-1.4.192.jar/org/h2/util/data.zip/org/h2/server/web/res/tree.js
MD5: 495277155635a72b0c69f987d938b6e1
SHA1: 446cad47e33a62baf330ee5200646b5ccb9c0df9
SHA256: 14c797bd700570c38e8af1aa50ecea205a385be466ec9431e46dbe586ce7a61c

Identifiers

  • None

spring-rest-data-exploit-example-0.0.1-SNAPSHOT.jar: h2-1.4.192.jar: data.zip: table.js

File Path: /var/jenkins_home/workspace/spring-rest-data-exploit/spring-rest-data-exploit/target/spring-rest-data-exploit-example-0.0.1-SNAPSHOT.jar/BOOT-INF/lib/h2-1.4.192.jar/org/h2/util/data.zip/org/h2/server/web/res/table.js
MD5: a914a66de53dcdeb39684f1ce8ce8527
SHA1: c41ef5fb193ac25622f4e129470339aec24d731a
SHA256: 8c5b079b38e94718bb58a71b0e310bad6c1004670a19c1bc0f63b32fdd81134a

Identifiers

  • None

spring-rest-data-exploit-example-0.0.1-SNAPSHOT.jar: jaxb-impl-2.2.11.jar (shaded: org.glassfish.jaxb:jaxb-runtime:2.2.11)

Description:

 JAXB (JSR 222) Reference Implementation

File Path: /var/jenkins_home/workspace/spring-rest-data-exploit/spring-rest-data-exploit/target/spring-rest-data-exploit-example-0.0.1-SNAPSHOT.jar/BOOT-INF/lib/jaxb-impl-2.2.11.jar/META-INF/maven/org.glassfish.jaxb/jaxb-runtime/pom.xml
MD5: fa2e4dc2609e6a4d96418f4ac6519e8d
SHA1: 6a1651361e4c2392aff30da0df648187f670f8cb
SHA256: e5327b31b595ab8143e97836d5ccdf85feb91e7ff5666f7b26913632facca4aa

Identifiers

  • maven: org.glassfish.jaxb:jaxb-runtime:2.2.11  Confidence:High

spring-rest-data-exploit-example-0.0.1-SNAPSHOT.jar: jaxb-core-2.2.11.jar (shaded: com.sun.istack:istack-commons-runtime:2.21)

File Path: /var/jenkins_home/workspace/spring-rest-data-exploit/spring-rest-data-exploit/target/spring-rest-data-exploit-example-0.0.1-SNAPSHOT.jar/BOOT-INF/lib/jaxb-core-2.2.11.jar/META-INF/maven/com.sun.istack/istack-commons-runtime/pom.xml
MD5: caebf95d1d57fc0321b36137e246e192
SHA1: 04c234cf684a202c5c9bb7f0a198ba97e958f8f4
SHA256: ebe7137b5fbfd050545f9a7f3f339ae55beb0b53755071b4fd62aa024c626d1c

Identifiers

  • maven: com.sun.istack:istack-commons-runtime:2.21  Confidence:High

spring-rest-data-exploit-example-0.0.1-SNAPSHOT.jar: jaxb-core-2.2.11.jar (shaded: org.glassfish.jaxb:jaxb-core:2.2.11)

Description:

 JAXB Core module. Contains sources required by XJC, JXC and Runtime modules.

File Path: /var/jenkins_home/workspace/spring-rest-data-exploit/spring-rest-data-exploit/target/spring-rest-data-exploit-example-0.0.1-SNAPSHOT.jar/BOOT-INF/lib/jaxb-core-2.2.11.jar/META-INF/maven/org.glassfish.jaxb/jaxb-core/pom.xml
MD5: e43898fed87ecb9838381436b212416c
SHA1: f3208abdc61be827cf28838c3881213648807821
SHA256: ec31409f203bcabf99534f59231ec0576d875d4d4b7349b09566a7a8c8179b24

Identifiers

  • maven: org.glassfish.jaxb:jaxb-core:2.2.11  Confidence:High

spring-rest-data-exploit-example-0.0.1-SNAPSHOT.jar: jaxb-core-2.2.11.jar (shaded: org.glassfish.jaxb:txw2:2.2.11)

Description:

 TXW is a library that allows you to write XML documents.

File Path: /var/jenkins_home/workspace/spring-rest-data-exploit/spring-rest-data-exploit/target/spring-rest-data-exploit-example-0.0.1-SNAPSHOT.jar/BOOT-INF/lib/jaxb-core-2.2.11.jar/META-INF/maven/org.glassfish.jaxb/txw2/pom.xml
MD5: 83d24d59202baf2810daa01739963822
SHA1: 4be03527dbf2428f7ea99fb9c2f50f089dffad5e
SHA256: 8514cb724b4fca59a5cf272b632e539bd0a0f3cacf1844082d0a173a86406bd8

Identifiers

  • maven: org.glassfish.jaxb:txw2:2.2.11  Confidence:High
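Reading the findings above against the fixed versions in each CVE text needs a version comparison that understands Maven qualifiers: `4.3.2.RELEASE` must sort below `4.3.20`, `1.10.2.RELEASE` below `1.10.4`, and `2.9.8-rc1` below `2.9.8`, which plain string or float comparison gets wrong. The following added example (not part of Dependency-Check or of this report) implements a simplified comparator and applies it to the logback-core, dom4j, spring-data-commons, spring-data-jpa, spring-core and jackson-databind findings, producing the lowest version of each artifact that clears every listed CVE. The ranges are transcribed from the CVE texts; where a text gives the last affected version rather than the first fixed one (CVE-2018-1273), the next patch level is assumed as the bound, and for spring-core and jackson-databind only the CVEs with the highest bounds are listed, since the other entries for those two artifacts are fixed at or below the same versions.

```python
import re
from functools import cmp_to_key
from typing import Dict, List, Optional, Tuple

# Qualifiers that mean "this is the release build" and add nothing to ordering.
_RELEASE_QUALIFIERS = {"release", "final", "ga"}
# Pre-release qualifiers in ascending order; they sort below the bare number.
_PRERELEASE_RANK = {"snapshot": 0, "alpha": 1, "a": 1, "beta": 2, "b": 2,
                    "milestone": 3, "m": 3, "rc": 4, "cr": 4}


def parse_version(v: str) -> List[tuple]:
    """Split a Maven-style version into comparable parts.

    '4.3.2.RELEASE' -> [(1,4),(1,3),(1,2)]; '2.9.8-rc1' -> [(1,2),(1,9),(1,8),(0,4,1)].
    Simplified from Maven's ComparableVersion; enough for the versions in this report.
    """
    parts: List[tuple] = []
    for tok in re.split(r"[.\-]", v.strip()):
        if tok.isdigit():
            parts.append((1, int(tok)))
            continue
        m = re.fullmatch(r"([A-Za-z]+)(\d*)", tok)
        if not m:
            raise ValueError(f"unsupported version token {tok!r} in {v!r}")
        name, num = m.group(1).lower(), m.group(2)
        if name in _RELEASE_QUALIFIERS:
            continue
        if name not in _PRERELEASE_RANK:
            raise ValueError(f"unknown qualifier {name!r} in {v!r}")
        parts.append((0, _PRERELEASE_RANK[name], int(num or 0)))
    return parts


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1. Missing trailing parts count as a release '.0', so
    1.13 == 1.13.0, 1.13 < 1.13.10 and 2.9.8 > 2.9.8-rc1."""
    pa, pb = parse_version(a), parse_version(b)
    width = max(len(pa), len(pb))
    pa += [(1, 0)] * (width - len(pa))
    pb += [(1, 0)] * (width - len(pb))
    return (pa > pb) - (pa < pb)


# (lower bound inclusive, or None for "everything older"; first fixed version)
Range = Tuple[Optional[str], str]


def _containing(installed: str, ranges: List[Range]) -> List[str]:
    return [hi for lo, hi in ranges
            if (lo is None or compare_versions(installed, lo) >= 0)
            and compare_versions(installed, hi) < 0]


def is_affected(installed: str, ranges: List[Range]) -> bool:
    return bool(_containing(installed, ranges))


def minimum_fix(installed: str, ranges: List[Range]) -> Optional[str]:
    """Lowest fixed version of a range containing the installed version."""
    fixes = _containing(installed, ranges)
    return min(fixes, key=cmp_to_key(compare_versions)) if fixes else None


# Affected ranges transcribed from the CVE texts in this report. CVE-2018-1273
# lists last affected versions ("1.13 to 1.13.10", "2.0 to 2.0.5"); the next
# patch level is assumed as the fixed bound. CVE-2018-15756 also names 5.1
# itself, omitted here because the text gives it no upper bound.
FINDINGS = [
    ("logback-core", "1.1.7", "CVE-2017-5929", [(None, "1.2.0")]),
    ("dom4j", "1.6.1", "CVE-2018-1000632", [(None, "2.1.1")]),
    ("spring-data-commons", "1.12.2.RELEASE", "CVE-2018-1273",
     [(None, "1.13.11"), ("2.0", "2.0.6")]),
    ("spring-data-jpa", "1.10.2.RELEASE", "CVE-2016-6652",
     [(None, "1.9.6"), ("1.10", "1.10.4")]),
    ("spring-core", "4.3.2.RELEASE", "CVE-2018-15756",
     [("4.3", "4.3.20"), ("5.0", "5.0.10")]),
    ("jackson-databind", "2.8.1", "CVE-2018-7489",
     [(None, "2.7.9.3"), ("2.8", "2.8.11.1"), ("2.9", "2.9.5")]),
    ("jackson-databind", "2.8.1", "CVE-2018-19362", [("2", "2.9.8")]),
]


def upgrade_targets(findings=FINDINGS) -> Dict[str, str]:
    """Per artifact, the lowest version that clears every CVE listed for it."""
    targets: Dict[str, str] = {}
    for artifact, installed, _cve, ranges in findings:
        fix = minimum_fix(installed, ranges)
        if fix is None:
            continue                     # installed version is outside the ranges
        current = targets.get(artifact)
        if current is None or compare_versions(fix, current) > 0:
            targets[artifact] = fix
    return targets


if __name__ == "__main__":
    for artifact, installed, cve, ranges in FINDINGS:
        status = "AFFECTED" if is_affected(installed, ranges) else "not affected"
        print(f"{artifact} {installed}: {cve} {status}, fix >= {minimum_fix(installed, ranges)}")
    print("upgrade targets:", upgrade_targets())
```

Because CVE-2018-19362's bound is 2.9.8, no patch release of the 2.8.x line clears every jackson-databind entry on this page, which the output makes explicit: the per-CVE minimum for CVE-2018-7489 is 2.8.11.1 but the per-artifact target is 2.9.8. Spring Boot pins these libraries through its parent POM, so in practice the target is a Boot release whose managed versions meet or exceed every entry in the returned dict.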


This report contains data retrieved from the National Vulnerability Database.
This report may contain data retrieved from the NPM Public Advisories.