Dependency-Check is an open source tool performing a best effort analysis of 3rd party dependencies;
false positives and false negatives may exist in the analysis performed by the tool. Use of the tool and
the reporting provided constitutes acceptance for use in an AS IS condition, and there are NO warranties,
implied or otherwise, with regard to the analysis or its use. Any use of the tool and the reporting provided
is at the user’s risk. In no event shall the copyright holder or OWASP be held liable for any damages whatsoever
arising out of or in connection with the use of this tool, the analysis performed, or the resulting report.
Scan Information (
show all ):
dependency-check version : 5.3.1Report Generated On : Fri, 22 Sep 2023 16:04:11 GMTDependencies Scanned : 22 (21 unique)Vulnerable Dependencies : 7 Vulnerabilities Found : 9Vulnerabilities Suppressed : 0... NVD CVE Checked : 2023-09-22T16:03:06NVD CVE Modified : 2023-09-22T14:00:01VersionCheckOn : 2023-09-22T16:03:06Summary Display:
Showing Vulnerable Dependencies (click to show all) Dependencies Description:
SQLite JDBC library License:
The Apache Software License, Version 2.0: https://www.apache.org/licenses/LICENSE-2.0.txt File Path: /home/runner/.m2/repository/org/xerial/sqlite-jdbc/3.42.0.0/sqlite-jdbc-3.42.0.0.jar
MD5: 6a46db3a6f38043ffb7e6782708cd401
SHA1: a4c84376df810062d20c84777b84ec077b5ecdab
SHA256: 53174d76087bb73cc29db9c02766fb921fd7fc652f7952f3609e0018e3dd5ded
Referenced In Project/Scope: kodexa-java:compile
Evidence Type Source Name Value Confidence Vendor Manifest bundle-symbolicname org.xerial.sqlite-jdbc;singleton:=true Medium Vendor pom artifactid sqlite-jdbc Low Vendor Manifest multi-release true Low Vendor file name sqlite-jdbc High Vendor Manifest require-capability osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))" Low Vendor pom groupid xerial Highest Vendor jar package name org Highest Vendor jar package name sqlite Highest Vendor jar package name jdbc Highest Vendor pom url xerial/sqlite-jdbc Highest Vendor pom groupid org.xerial Highest Vendor Manifest build-jdk-spec 11 Low Vendor pom name SQLite JDBC High Product pom url xerial/sqlite-jdbc High Product Manifest bundle-symbolicname org.xerial.sqlite-jdbc;singleton:=true Medium Product Manifest multi-release true Low Product file name sqlite-jdbc High Product Manifest Bundle-Name SQLite JDBC Medium Product pom artifactid sqlite-jdbc Highest Product Manifest require-capability osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))" Low Product pom groupid xerial Highest Product jar package name sqlite Highest Product jar package name org Highest Product jar package name jdbc Highest Product Manifest build-jdk-spec 11 Low Product pom name SQLite JDBC High Version pom version 3.42.0.0 Highest Version file version 3.42.0.0 High Version Manifest Bundle-Version 3.42.0.0 High
Description:
The Jdbi core API.
Jdbi 3 is designed to provide convenient tabular data access in
Java(tm) and other JVM based languages.
It uses the Java collections framework for query results,
provides a convenient means of externalizing SQL statements, and
named parameter support for any database that supports JDBC. File Path: /home/runner/.m2/repository/org/jdbi/jdbi3-core/3.39.1/jdbi3-core-3.39.1.jarMD5: 02c4a9a39b64be87a5664083dc62c323SHA1: 3cf0d9683f596205e7ecc1c8e4029ffe82092783SHA256: 97df5ff14aab838af473dc20af507506f7035add9046ab9984702d7b118b4cbbReferenced In Project/Scope: kodexa-java:compile
Evidence Type Source Name Value Confidence Vendor jar package name v3 Highest Vendor pom parent-artifactid jdbi3-parent Low Vendor pom groupid jdbi Highest Vendor Manifest x-basepom-build-id 29426096-741b-43b0-a564-c282181e05ab Low Vendor Manifest automatic-module-name org.jdbi.v3.core Medium Vendor pom name jdbi3 core High Vendor jar package name internal Highest Vendor jar package name core Highest Vendor pom parent-groupid org.jdbi.internal Medium Vendor jar package name jdbi Highest Vendor Manifest x-basepom-name jdbi3 core Medium Vendor Manifest build-jdk-spec 17 Low Vendor Manifest x-basepom-git-commit-id c229d019263ddcb96aa8310e1c47cd628160cf30 Low Vendor file name jdbi3-core High Vendor pom artifactid jdbi3-core Low Vendor pom groupid org.jdbi Highest Product jar package name v3 Highest Product pom artifactid jdbi3-core Highest Product pom groupid jdbi Highest Product Manifest x-basepom-build-id 29426096-741b-43b0-a564-c282181e05ab Low Product Manifest automatic-module-name org.jdbi.v3.core Medium Product pom name jdbi3 core High Product jar package name internal Highest Product pom parent-artifactid jdbi3-parent Medium Product jar package name core Highest Product pom parent-groupid org.jdbi.internal Medium Product Manifest specification-title jdbi3 core Medium Product jar package name jdbi Highest Product Manifest x-basepom-name jdbi3 core Medium Product Manifest build-jdk-spec 17 Low Product Manifest x-basepom-git-commit-id c229d019263ddcb96aa8310e1c47cd628160cf30 Low Product file name jdbi3-core High Product Manifest Implementation-Title jdbi3 core High Version Manifest Implementation-Version 3.39.1 High Version pom version 3.39.1 Highest Version file version 3.39.1 High
Description:
Generic type reflection library with support for AnnotatedType License:
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt File Path: /home/runner/.m2/repository/io/leangen/geantyref/geantyref/1.3.14/geantyref-1.3.14.jar
MD5: 8ff9aa6efb1cbdd491e2393dd1fb3209
SHA1: 104fa1c08e44f5d7573f9fc0763d92984596645d
SHA256: 62b722d132454503904a5f7b0a47a24f0fc581821ec8d3687df1e0f146c6d61e
Referenced In Project/Scope: kodexa-java:compile
Evidence Type Source Name Value Confidence Vendor pom groupid io.leangen.geantyref Highest Vendor Manifest bundle-symbolicname io.leangen.geantyref.geantyref Medium Vendor Manifest build-jdk-spec 1.8 Low Vendor file name geantyref High Vendor jar package name leangen Highest Vendor pom name GeantyRef High Vendor Manifest bundle-docurl https://github.com/leangen/geantyref Low Vendor pom artifactid geantyref Low Vendor Manifest require-capability osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))" Low Vendor jar package name geantyref Highest Vendor Manifest automatic-module-name io.leangen.geantyref Medium Vendor pom url leangen/geantyref Highest Vendor Manifest bundle-developers kaqqao;email="veggen@gmail.com";name="Bojan Tomic";organization=Leangen;organizationUrl="http://leangen.io" Low Vendor jar package name io Highest Product Manifest bundle-symbolicname io.leangen.geantyref.geantyref Medium Product Manifest build-jdk-spec 1.8 Low Product pom groupid io.leangen.geantyref Highest Product file name geantyref High Product jar package name leangen Highest Product pom name GeantyRef High Product Manifest bundle-docurl https://github.com/leangen/geantyref Low Product pom artifactid geantyref Highest Product Manifest Bundle-Name GeantyRef Medium Product Manifest require-capability osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))" Low Product jar package name geantyref Highest Product Manifest automatic-module-name io.leangen.geantyref Medium Product pom url leangen/geantyref High Product Manifest bundle-developers kaqqao;email="veggen@gmail.com";name="Bojan Tomic";organization=Leangen;organizationUrl="http://leangen.io" Low Product jar package name io Highest Version Manifest Bundle-Version 1.3.14 High Version pom version 1.3.14 Highest Version file version 1.3.14 High
Description:
Core library of the MessagePack for Java License:
Apache-2.0: http://www.apache.org/licenses/LICENSE-2.0.txt File Path: /home/runner/.m2/repository/org/msgpack/msgpack-core/0.9.5/msgpack-core-0.9.5.jar
MD5: cf3baac082728253152121fb83aadd77
SHA1: 60dd74abd86c3620d49e70ffd13f348e545730cb
SHA256: e446cef1cd934da5b626fd14a1479445ef368e11c87904b498b7fb43bc8b92c2
Referenced In Project/Scope: kodexa-java:compile
Evidence Type Source Name Value Confidence Vendor pom name msgpack-core High Vendor pom groupid org.msgpack Highest Vendor pom artifactid msgpack-core Low Vendor Manifest Implementation-Vendor MessagePack High Vendor file name msgpack-core High Vendor Manifest Implementation-Vendor-Id org.msgpack Medium Vendor jar package name core Highest Vendor pom url https://msgpack.org/ Highest Vendor pom organization name MessagePack High Vendor Manifest specification-vendor MessagePack Low Vendor Manifest implementation-url https://msgpack.org/ Low Vendor pom organization url http://msgpack.org/ Medium Vendor pom groupid msgpack Highest Vendor jar package name messagepack Highest Vendor jar package name msgpack Highest Product pom name msgpack-core High Product pom artifactid msgpack-core Highest Product pom url https://msgpack.org/ Medium Product pom organization url http://msgpack.org/ Low Product file name msgpack-core High Product jar package name core Highest Product pom organization name MessagePack Low Product Manifest Implementation-Title msgpack-core High Product Manifest implementation-url https://msgpack.org/ Low Product Manifest specification-title msgpack-core Medium Product pom groupid msgpack Highest Product jar package name messagepack Highest Product jar package name msgpack Highest Version Manifest Implementation-Version 0.9.5 High Version pom version 0.9.5 Highest Version file version 0.9.5 High
pkg:maven/org.msgpack/msgpack-core@0.9.5 (Confidence :High)cpe:2.3:a:messagepack:messagepack:0.9.5:*:*:*:*:*:*:* (Confidence :Low) suppress cpe:2.3:a:messagepack_project:messagepack:0.9.5:*:*:*:*:*:*:* (Confidence :Low) suppress Published Vulnerabilities CVE-2020-5234 suppress
MessagePack for C# and Unity before version 1.9.11 and 2.1.90 has a vulnerability where untrusted data can lead to DoS attack due to hash collisions and stack overflow. Review the linked GitHub Security Advisory for more information and remediation steps. CWE-787 Out-of-bounds Write
CVSSv2:
Base Score: MEDIUM (6.8) Vector: /AV:N/AC:L/Au:S/C:N/I:N/A:C CVSSv3:
Base Score: MEDIUM (6.5) Vector: /AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H References:
Vulnerable Software & Versions: (show all )
CVE-2022-41719 suppress
Unmarshal can panic on some inputs, possibly allowing for denial of service attacks. NVD-CWE-noinfo
CVSSv3:
Base Score: HIGH (7.5) Vector: /AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H References:
Vulnerable Software & Versions:
Description:
Apache Commons Lang, a package of Java utility classes for the
classes that are in java.lang's hierarchy, or are considered to be so
standard as to justify existence in java.lang.
License:
https://www.apache.org/licenses/LICENSE-2.0.txt File Path: /home/runner/.m2/repository/org/apache/commons/commons-lang3/3.13.0/commons-lang3-3.13.0.jar
MD5: 3435b913691a5c1b173485a49850b1a8
SHA1: b7263237aa89c1f99b327197c41d0669707a462e
SHA256: 82f528cf718c7a3c2f30fc5bc784e3c6a0a10b17605dadb9e16c82ede11e6064
Referenced In Project/Scope: kodexa-java:compile
Evidence Type Source Name Value Confidence Vendor jar package name commons Highest Vendor Manifest build-jdk-spec 1.8 Low Vendor pom artifactid commons-lang3 Low Vendor pom url https://commons.apache.org/proper/commons-lang/ Highest Vendor pom parent-groupid org.apache.commons Medium Vendor jar package name lang3 Highest Vendor Manifest specification-vendor The Apache Software Foundation Low Vendor jar package name apache Highest Vendor Manifest bundle-symbolicname org.apache.commons.lang3 Medium Vendor pom groupid apache.commons Highest Vendor file name commons-lang3 High Vendor pom parent-artifactid commons-parent Low Vendor Manifest Implementation-Vendor The Apache Software Foundation High Vendor Manifest automatic-module-name org.apache.commons.lang3 Medium Vendor pom groupid org.apache.commons Highest Vendor Manifest require-capability osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))" Low Vendor Manifest bundle-docurl https://commons.apache.org/proper/commons-lang/ Low Vendor pom name Apache Commons Lang High Product jar package name commons Highest Product Manifest build-jdk-spec 1.8 Low Product Manifest Implementation-Title Apache Commons Lang High Product pom parent-groupid org.apache.commons Medium Product jar package name lang3 Highest Product jar package name apache Highest Product pom url https://commons.apache.org/proper/commons-lang/ Medium Product Manifest bundle-symbolicname org.apache.commons.lang3 Medium Product pom groupid apache.commons Highest Product file name commons-lang3 High Product Manifest specification-title Apache Commons Lang Medium Product Manifest automatic-module-name org.apache.commons.lang3 Medium Product Manifest require-capability osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))" Low Product Manifest bundle-docurl https://commons.apache.org/proper/commons-lang/ Low Product Manifest Bundle-Name Apache Commons Lang Medium Product pom name Apache Commons Lang High Product pom parent-artifactid commons-parent Medium Product pom artifactid commons-lang3 Highest Version Manifest Bundle-Version 3.13.0 High Version Manifest Implementation-Version 3.13.0 High Version file version 3.13.0 High Version pom parent-version 3.13.0 Low Version pom version 3.13.0 Highest
Description:
Apache HttpComponents HttpClient - MIME coded entities
File Path: /home/runner/.m2/repository/org/apache/httpcomponents/httpmime/4.5.14/httpmime-4.5.14.jarMD5: 714c4ae31c40e6633c0bcaa4e6264153SHA1: 6662758a1f1cb1149cf916bdac28332e0902ec44SHA256: d401243d5c6eae928a37121b6e819158c8c32ea0584793e7285bb489ab2a3d17Referenced In Project/Scope: kodexa-java:compile
Evidence Type Source Name Value Confidence Vendor pom url http://hc.apache.org/httpcomponents-client-ga Highest Vendor Manifest specification-vendor The Apache Software Foundation Low Vendor pom artifactid httpmime Low Vendor pom parent-artifactid httpcomponents-client Low Vendor jar package name apache Highest Vendor Manifest automatic-module-name org.apache.httpcomponents.httpmime Medium Vendor Manifest Implementation-Vendor-Id org.apache.httpcomponents Medium Vendor pom groupid apache.httpcomponents Highest Vendor file name httpmime High Vendor Manifest Implementation-Vendor The Apache Software Foundation High Vendor jar package name mime Highest Vendor pom name Apache HttpClient Mime High Vendor pom groupid org.apache.httpcomponents Highest Vendor Manifest implementation-url http://hc.apache.org/httpcomponents-client-ga Low Vendor pom parent-groupid org.apache.httpcomponents Medium Product Manifest Implementation-Title Apache HttpClient Mime High Product pom url http://hc.apache.org/httpcomponents-client-ga Medium Product jar package name apache Highest Product Manifest automatic-module-name org.apache.httpcomponents.httpmime Medium Product pom groupid apache.httpcomponents Highest Product file name httpmime High Product jar package name mime Highest Product pom name Apache HttpClient Mime High Product pom artifactid httpmime Highest Product jar package name http Highest Product Manifest implementation-url http://hc.apache.org/httpcomponents-client-ga Low Product pom parent-artifactid httpcomponents-client Medium Product Manifest specification-title Apache HttpClient Mime Medium Product pom parent-groupid org.apache.httpcomponents Medium Version file version 4.5.14 High Version pom version 4.5.14 Highest Version Manifest Implementation-Version 4.5.14 High
Description:
Apache HttpComponents Client
File Path: /home/runner/.m2/repository/org/apache/httpcomponents/httpclient/4.5.14/httpclient-4.5.14.jarMD5: 2cb357c4b763f47e58af6cad47df6ba3SHA1: 1194890e6f56ec29177673f2f12d0b8e627dec98SHA256: c8bc7e1c51a6d4ce72f40d2ebbabf1c4b68bfe76e732104b04381b493478e9d6Referenced In Project/Scope: kodexa-java:compile
Evidence Type Source Name Value Confidence Vendor file name httpclient High Vendor pom url http://hc.apache.org/httpcomponents-client-ga Highest Vendor Manifest specification-vendor The Apache Software Foundation Low Vendor pom parent-artifactid httpcomponents-client Low Vendor jar package name apache Highest Vendor pom artifactid httpclient Low Vendor Manifest Implementation-Vendor-Id org.apache.httpcomponents Medium Vendor pom groupid apache.httpcomponents Highest Vendor Manifest Implementation-Vendor The Apache Software Foundation High Vendor jar package name httpclient Highest Vendor pom groupid org.apache.httpcomponents Highest Vendor Manifest implementation-url http://hc.apache.org/httpcomponents-client-ga Low Vendor jar package name client Highest Vendor Manifest automatic-module-name org.apache.httpcomponents.httpclient Medium Vendor pom parent-groupid org.apache.httpcomponents Medium Vendor pom name Apache HttpClient High Product file name httpclient High Product pom url http://hc.apache.org/httpcomponents-client-ga Medium Product jar package name apache Highest Product pom groupid apache.httpcomponents Highest Product pom artifactid httpclient Highest Product Manifest Implementation-Title Apache HttpClient High Product jar package name httpclient Highest Product Manifest specification-title Apache HttpClient Medium Product jar package name http Highest Product Manifest implementation-url http://hc.apache.org/httpcomponents-client-ga Low Product pom parent-artifactid httpcomponents-client Medium Product jar package name client Highest Product Manifest automatic-module-name org.apache.httpcomponents.httpclient Medium Product pom parent-groupid org.apache.httpcomponents Medium Product pom name Apache HttpClient High Version file version 4.5.14 High Version pom version 4.5.14 Highest Version Manifest Implementation-Version 4.5.14 High
Description:
Apache HttpComponents Core (blocking I/O)
File Path: /home/runner/.m2/repository/org/apache/httpcomponents/httpcore/4.4.16/httpcore-4.4.16.jarMD5: 28d2cd9bf8789fd2ec774fb88436ebd1SHA1: 51cf043c87253c9f58b539c9f7e44c8894223850SHA256: 6c9b3dd142a09dc468e23ad39aad6f75a0f2b85125104469f026e52a474e464fReferenced In Project/Scope: kodexa-java:compile
Evidence Type Source Name Value Confidence Vendor pom parent-artifactid httpcomponents-core Low Vendor Manifest specification-vendor The Apache Software Foundation Low Vendor jar package name apache Highest Vendor Manifest automatic-module-name org.apache.httpcomponents.httpcore Medium Vendor Manifest url http://hc.apache.org/httpcomponents-core-ga Low Vendor pom groupid apache.httpcomponents Highest Vendor Manifest implementation-url http://hc.apache.org/httpcomponents-core-ga Low Vendor Manifest Implementation-Vendor The Apache Software Foundation High Vendor pom url http://hc.apache.org/httpcomponents-core-ga Highest Vendor file name httpcore High Vendor pom groupid org.apache.httpcomponents Highest Vendor pom artifactid httpcore Low Vendor Manifest Implementation-Vendor-Id org.apache Medium Vendor Manifest implementation-build ${scmBranch}@r${buildNumber}; 2022-11-26 09:44:32+0000 Low Vendor pom name Apache HttpCore High Vendor pom parent-groupid org.apache.httpcomponents Medium Product jar package name apache Highest Product Manifest automatic-module-name org.apache.httpcomponents.httpcore Medium Product Manifest url http://hc.apache.org/httpcomponents-core-ga Low Product pom groupid apache.httpcomponents Highest Product pom url http://hc.apache.org/httpcomponents-core-ga Medium Product Manifest implementation-url http://hc.apache.org/httpcomponents-core-ga Low Product Manifest Implementation-Title HttpComponents Apache HttpCore High Product file name httpcore High Product Manifest specification-title HttpComponents Apache HttpCore Medium Product jar package name http Highest Product pom artifactid httpcore Highest Product pom parent-artifactid httpcomponents-core Medium Product Manifest implementation-build ${scmBranch}@r${buildNumber}; 2022-11-26 09:44:32+0000 Low Product pom name Apache HttpCore High Product pom parent-groupid org.apache.httpcomponents Medium Version pom version 4.4.16 Highest Version Manifest Implementation-Version 4.4.16 High Version file version 4.4.16 High
Description:
Apache Commons Logging is a thin adapter allowing configurable bridging to other,
well known logging systems. License:
http://www.apache.org/licenses/LICENSE-2.0.txt File Path: /home/runner/.m2/repository/commons-logging/commons-logging/1.2/commons-logging-1.2.jar
MD5: 040b4b4d8eac886f6b4a2a3bd2f31b00
SHA1: 4bfc12adfe4842bf07b657f0369c4cb522955686
SHA256: daddea1ea0be0f56978ab3006b8ac92834afeefbd9b7e4e6316fca57df0fa636
Referenced In Project/Scope: kodexa-java:compile
Evidence Type Source Name Value Confidence Vendor jar package name commons Highest Vendor Manifest bundle-symbolicname org.apache.commons.logging Medium Vendor pom parent-groupid org.apache.commons Medium Vendor file name commons-logging High Vendor Manifest specification-vendor The Apache Software Foundation Low Vendor jar package name apache Highest Vendor pom parent-artifactid commons-parent Low Vendor Manifest Implementation-Vendor The Apache Software Foundation High Vendor pom groupid commons-logging Highest Vendor pom artifactid commons-logging Low Vendor pom url http://commons.apache.org/proper/commons-logging/ Highest Vendor Manifest implementation-build tags/LOGGING_1_2_RC2@r1608092; 2014-07-05 20:11:44+0200 Low Vendor pom name Apache Commons Logging High Vendor Manifest Implementation-Vendor-Id org.apache Medium Vendor jar package name logging Highest Vendor Manifest bundle-docurl http://commons.apache.org/proper/commons-logging/ Low Product jar package name commons Highest Product Manifest bundle-symbolicname org.apache.commons.logging Medium Product pom parent-groupid org.apache.commons Medium Product file name commons-logging High Product jar package name apache Highest Product Manifest Bundle-Name Apache Commons Logging Medium Product Manifest Implementation-Title Apache Commons Logging High Product pom groupid commons-logging Highest Product pom url http://commons.apache.org/proper/commons-logging/ Medium Product Manifest implementation-build tags/LOGGING_1_2_RC2@r1608092; 2014-07-05 20:11:44+0200 Low Product Manifest specification-title Apache Commons Logging Medium Product pom parent-artifactid commons-parent Medium Product pom artifactid commons-logging Highest Product pom name Apache Commons Logging High Product jar package name logging Highest Product Manifest bundle-docurl http://commons.apache.org/proper/commons-logging/ Low Version pom version 1.2 Highest Version Manifest Implementation-Version 1.2 High Version pom parent-version 1.2 Low Version file version 1.2 High
Published Vulnerabilities CVE-2021-37533 suppress
Prior to Apache Commons Net 3.9.0, Net's FTP client trusts the host from PASV response by default. A malicious server can redirect the Commons Net code to use a different host, but the user has to connect to the malicious server in the first place. This may lead to leakage of information about services running on the private network of the client. The default in version 3.9.0 is now false to ignore such hosts, as cURL does. See https://issues.apache.org/jira/browse/NET-711. CWE-20 Improper Input Validation
CVSSv3:
Base Score: MEDIUM (6.5) Vector: /AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N References:
Vulnerable Software & Versions:
Description:
The Apache Commons Codec package contains simple encoder and decoders for
various formats such as Base64 and Hexadecimal. In addition to these
widely used encoders and decoders, the codec package also maintains a
collection of phonetic encoding utilities.
License:
https://www.apache.org/licenses/LICENSE-2.0.txt File Path: /home/runner/.m2/repository/commons-codec/commons-codec/1.11/commons-codec-1.11.jar
MD5: 567159b1ae257a43e1391a8f59d24cfe
SHA1: 3acb4705652e16236558f0f4f2192cc33c3bd189
SHA256: e599d5318e97aa48f42136a2927e6dfa4e8881dff0e6c8e3109ddbbff51d7b7d
Referenced In Project/Scope: kodexa-java:compile
Evidence Type Source Name Value Confidence Vendor jar package name commons Highest Vendor Manifest require-capability osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.6))" Low Vendor pom groupid commons-codec Highest Vendor file name commons-codec High Vendor pom parent-groupid org.apache.commons Medium Vendor pom name Apache Commons Codec High Vendor Manifest specification-vendor The Apache Software Foundation Low Vendor jar package name apache Highest Vendor jar package name encoder Highest Vendor Manifest bundle-docurl http://commons.apache.org/proper/commons-codec/ Low Vendor pom parent-artifactid commons-parent Low Vendor Manifest Implementation-Vendor The Apache Software Foundation High Vendor Manifest bundle-symbolicname org.apache.commons.codec Medium Vendor Manifest Implementation-Vendor-Id commons-codec Medium Vendor jar package name codec Highest Vendor Manifest implementation-url http://commons.apache.org/proper/commons-codec/ Low Vendor pom artifactid commons-codec Low Vendor Manifest automatic-module-name org.apache.commons.codec Medium Vendor pom url http://commons.apache.org/proper/commons-codec/ Highest Product Manifest Bundle-Name Apache Commons Codec Medium Product jar package name commons Highest Product Manifest require-capability osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.6))" Low Product pom groupid commons-codec Highest Product file name commons-codec High Product pom parent-groupid org.apache.commons Medium Product pom name Apache Commons Codec High Product jar package name apache Highest Product jar package name encoder Highest Product Manifest bundle-docurl http://commons.apache.org/proper/commons-codec/ Low Product Manifest specification-title Apache Commons Codec Medium Product pom url http://commons.apache.org/proper/commons-codec/ Medium Product Manifest bundle-symbolicname org.apache.commons.codec Medium Product pom artifactid commons-codec Highest Product Manifest Implementation-Title Apache Commons Codec High Product pom parent-artifactid commons-parent Medium Product jar package name codec Highest Product Manifest implementation-url http://commons.apache.org/proper/commons-codec/ Low Product Manifest automatic-module-name org.apache.commons.codec Medium Version pom version 1.11 Highest Version file version 1.11 High Version Manifest Implementation-Version 1.11 High Version pom parent-version 1.11 Low
Published Vulnerabilities CVE-2021-37533 suppress
Prior to Apache Commons Net 3.9.0, Net's FTP client trusts the host from PASV response by default. A malicious server can redirect the Commons Net code to use a different host, but the user has to connect to the malicious server in the first place. This may lead to leakage of information about services running on the private network of the client. The default in version 3.9.0 is now false to ignore such hosts, as cURL does. See https://issues.apache.org/jira/browse/NET-711. CWE-20 Improper Input Validation
CVSSv3:
Base Score: MEDIUM (6.5) Vector: /AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N References:
Vulnerable Software & Versions:
Description:
Jackson extension that adds support for MessagePack License:
Apache-2.0: http://www.apache.org/licenses/LICENSE-2.0.txt File Path: /home/runner/.m2/repository/org/msgpack/jackson-dataformat-msgpack/0.9.5/jackson-dataformat-msgpack-0.9.5.jar
MD5: d7e0f3e7db7fcfe091bd0c22407cbb33
SHA1: 850c19c52023330be453bd072ed16368c0e1df33
SHA256: 33d6e278618226f75ef4c3d9b53672db976b1231533511c30d0258eed0f5d7c7
Referenced In Project/Scope: kodexa-java:compile
Evidence Type Source Name Value Confidence Vendor pom groupid org.msgpack Highest Vendor Manifest Implementation-Vendor MessagePack High Vendor Manifest Implementation-Vendor-Id org.msgpack Medium Vendor file name jackson-dataformat-msgpack High Vendor jar package name jackson Highest Vendor jar package name dataformat Highest Vendor pom url https://msgpack.org/ Highest Vendor pom organization name MessagePack High Vendor Manifest specification-vendor MessagePack Low Vendor Manifest implementation-url https://msgpack.org/ Low Vendor pom artifactid jackson-dataformat-msgpack Low Vendor pom organization url http://msgpack.org/ Medium Vendor pom groupid msgpack Highest Vendor pom name jackson-dataformat-msgpack High Vendor jar package name msgpack Highest Product pom url https://msgpack.org/ Medium Product pom organization url http://msgpack.org/ Low Product pom organization name MessagePack Low Product file name jackson-dataformat-msgpack High Product Manifest Implementation-Title jackson-dataformat-msgpack High Product jar package name jackson Highest Product jar package name dataformat Highest Product Manifest implementation-url https://msgpack.org/ Low Product pom artifactid jackson-dataformat-msgpack Highest Product pom groupid msgpack Highest Product Manifest specification-title jackson-dataformat-msgpack Medium Product pom name jackson-dataformat-msgpack High Product jar package name msgpack Highest Version Manifest Implementation-Version 0.9.5 High Version pom version 0.9.5 Highest Version file version 0.9.5 High
Published Vulnerabilities CVE-2020-5234 suppress
MessagePack for C# and Unity before version 1.9.11 and 2.1.90 has a vulnerability where untrusted data can lead to DoS attack due to hash collisions and stack overflow. Review the linked GitHub Security Advisory for more information and remediation steps. CWE-787 Out-of-bounds Write
CVSSv2:
Base Score: MEDIUM (6.8) Vector: /AV:N/AC:L/Au:S/C:N/I:N/A:C CVSSv3:
Base Score: MEDIUM (6.5) Vector: /AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H References:
Vulnerable Software & Versions: (show all )
CVE-2022-41719 suppress
Unmarshal can panic on some inputs, possibly allowing for denial of service attacks. NVD-CWE-noinfo
CVSSv3:
Base Score: HIGH (7.5) Vector: /AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H References:
Vulnerable Software & Versions:
Description:
General data-binding functionality for Jackson: works on core streaming API License:
The Apache Software License, Version 2.0: https://www.apache.org/licenses/LICENSE-2.0.txt File Path: /home/runner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.14.2/jackson-databind-2.14.2.jar
MD5: c1b12dd14734cd1986132bf55042dd7e
SHA1: 01e71fddbc80bb86f71a6345ac1e8ab8a00e7134
SHA256: 501d3abce4d18dcc381058ec593c5b94477906bba6efbac14dae40a642f77424
Referenced In Project/Scope: kodexa-java:compile
Evidence Type Source Name Value Confidence Vendor jar package name databind Highest Vendor Manifest build-jdk-spec 1.8 Low Vendor Manifest bundle-symbolicname com.fasterxml.jackson.core.jackson-databind Medium Vendor pom parent-groupid com.fasterxml.jackson Medium Vendor Manifest multi-release true Low Vendor pom url FasterXML/jackson Highest Vendor jar package name jackson Highest Vendor Manifest Implementation-Vendor-Id com.fasterxml.jackson.core Medium Vendor pom name jackson-databind High Vendor pom artifactid jackson-databind Low Vendor pom groupid com.fasterxml.jackson.core Highest Vendor jar package name fasterxml Highest Vendor Manifest require-capability osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))" Low Vendor Manifest bundle-docurl https://github.com/FasterXML/jackson Low Vendor pom groupid fasterxml.jackson.core Highest Vendor Manifest Implementation-Vendor FasterXML High Vendor file name jackson-databind High Vendor Manifest specification-vendor FasterXML Low Vendor pom parent-artifactid jackson-base Low Product jar package name databind Highest Product Manifest build-jdk-spec 1.8 Low Product Manifest bundle-symbolicname com.fasterxml.jackson.core.jackson-databind Medium Product pom parent-groupid com.fasterxml.jackson Medium Product Manifest multi-release true Low Product pom artifactid jackson-databind Highest Product jar package name jackson Highest Product pom name jackson-databind High Product Manifest specification-title jackson-databind Medium Product pom url FasterXML/jackson High Product jar package name fasterxml Highest Product Manifest require-capability osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))" Low Product Manifest bundle-docurl https://github.com/FasterXML/jackson Low Product pom groupid fasterxml.jackson.core Highest Product pom parent-artifactid jackson-base Medium Product Manifest Implementation-Title jackson-databind High Product file name jackson-databind High Product Manifest Bundle-Name jackson-databind Medium Version file version 2.14.2 High Version Manifest Bundle-Version 2.14.2 High Version pom version 2.14.2 Highest Version Manifest Implementation-Version 2.14.2 High
Published Vulnerabilities CVE-2023-35116 suppress
** DISPUTED ** jackson-databind through 2.15.2 allows attackers to cause a denial of service or other unspecified impact via a crafted object that uses cyclic dependencies. NOTE: the vendor's perspective is that this is not a valid vulnerability report, because the steps of constructing a cyclic data structure and trying to serialize it cannot be achieved by an external attacker. CWE-770 Allocation of Resources Without Limits or Throttling
CVSSv3:
Base Score: MEDIUM (4.7) Vector: /AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H References:
Vulnerable Software & Versions:
Description:
Core annotations used for value types, used by Jackson data binding package.
License:
The Apache Software License, Version 2.0: https://www.apache.org/licenses/LICENSE-2.0.txt File Path: /home/runner/.m2/repository/com/fasterxml/jackson/core/jackson-annotations/2.14.2/jackson-annotations-2.14.2.jar
MD5: 10d19982a8890f6eb37557af2f58e272
SHA1: a7aae9525864930723e3453ab799521fdfd9d873
SHA256: 2c6869d505cf60dc066734b7d50339f975bd3adc635e26a78abb71acb4473c0d
Referenced In Project/Scope: kodexa-java:compile
Evidence Type Source Name Value Confidence Vendor Manifest build-jdk-spec 1.8 Low Vendor Manifest require-capability osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.6))" Low Vendor pom parent-groupid com.fasterxml.jackson Medium Vendor file name jackson-annotations High Vendor pom url FasterXML/jackson Highest Vendor jar package name jackson Highest Vendor Manifest Implementation-Vendor-Id com.fasterxml.jackson.core Medium Vendor Manifest bundle-symbolicname com.fasterxml.jackson.core.jackson-annotations Medium Vendor pom groupid com.fasterxml.jackson.core Highest Vendor jar package name fasterxml Highest Vendor Manifest bundle-docurl https://github.com/FasterXML/jackson Low Vendor pom groupid fasterxml.jackson.core Highest Vendor Manifest Implementation-Vendor FasterXML High Vendor pom parent-artifactid jackson-parent Low Vendor pom name Jackson-annotations High Vendor Manifest specification-vendor FasterXML Low Vendor pom artifactid jackson-annotations Low Product Manifest build-jdk-spec 1.8 Low Product Manifest require-capability osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.6))" Low Product pom parent-groupid com.fasterxml.jackson Medium Product pom parent-artifactid jackson-parent Medium Product file name jackson-annotations High Product jar package name jackson Highest Product Manifest bundle-symbolicname com.fasterxml.jackson.core.jackson-annotations Medium Product Manifest specification-title Jackson-annotations Medium Product pom url FasterXML/jackson High Product jar package name fasterxml Highest Product Manifest Bundle-Name Jackson-annotations Medium Product Manifest bundle-docurl https://github.com/FasterXML/jackson Low Product Manifest Implementation-Title Jackson-annotations High Product pom groupid fasterxml.jackson.core Highest Product pom artifactid jackson-annotations Highest Product pom name Jackson-annotations High Version file version 2.14.2 High Version Manifest Bundle-Version 2.14.2 High Version pom version 2.14.2 Highest Version Manifest Implementation-Version 2.14.2 High Version pom parent-version 2.14.2 Low
Description:
Core Jackson processing abstractions (aka Streaming API), implementation for JSON License:
The Apache Software License, Version 2.0: https://www.apache.org/licenses/LICENSE-2.0.txt File Path: /home/runner/.m2/repository/com/fasterxml/jackson/core/jackson-core/2.14.2/jackson-core-2.14.2.jar
MD5: 6ee422ee4c481b2d5aacb2b5e36a7dc0
SHA1: f804090e6399ce0cf78242db086017512dd71fcc
SHA256: b5d37a77c88277b97e3593c8740925216c06df8e4172bbde058528df04ad3e7a
Referenced In Project/Scope: kodexa-java:compile
Evidence Type Source Name Value Confidence Vendor Manifest build-jdk-spec 1.8 Low Vendor pom parent-groupid com.fasterxml.jackson Medium Vendor pom artifactid jackson-core Low Vendor Manifest bundle-symbolicname com.fasterxml.jackson.core.jackson-core Medium Vendor Manifest multi-release true Low Vendor jar package name core Highest Vendor jar package name base Highest Vendor jar package name jackson Highest Vendor Manifest Implementation-Vendor-Id com.fasterxml.jackson.core Medium Vendor pom name Jackson-core High Vendor pom url FasterXML/jackson-core Highest Vendor pom groupid com.fasterxml.jackson.core Highest Vendor jar package name fasterxml Highest Vendor Manifest require-capability osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))" Low Vendor pom groupid fasterxml.jackson.core Highest Vendor Manifest Implementation-Vendor FasterXML High Vendor file name jackson-core High Vendor Manifest specification-vendor FasterXML Low Vendor jar package name json Highest Vendor Manifest bundle-docurl https://github.com/FasterXML/jackson-core Low Vendor pom parent-artifactid jackson-base Low Product Manifest build-jdk-spec 1.8 Low Product Manifest specification-title Jackson-core Medium Product pom parent-groupid com.fasterxml.jackson Medium Product Manifest bundle-symbolicname com.fasterxml.jackson.core.jackson-core Medium Product Manifest multi-release true Low Product pom artifactid jackson-core Highest Product jar package name core Highest Product jar package name base Highest Product jar package name jackson Highest Product pom name Jackson-core High Product jar package name fasterxml Highest Product Manifest require-capability osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))" Low Product jar package name filter Highest Product pom groupid fasterxml.jackson.core Highest Product pom parent-artifactid jackson-base Medium Product pom url FasterXML/jackson-core High Product Manifest Implementation-Title Jackson-core High Product file name jackson-core High Product jar package name version Highest Product jar package name json Highest Product Manifest bundle-docurl https://github.com/FasterXML/jackson-core Low Product Manifest Bundle-Name Jackson-core Medium Version file version 2.14.2 High Version Manifest Bundle-Version 2.14.2 High Version pom version 2.14.2 Highest Version Manifest Implementation-Version 2.14.2 High
Published Vulnerabilities CVE-2022-45688 suppress
A stack overflow in the XML.toJSONObject component of hutool-json v5.8.10 allows attackers to cause a Denial of Service (DoS) via crafted JSON or XML data. CWE-787 Out-of-bounds Write
CVSSv3:
Base Score: HIGH (7.5) Vector: /AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H References:
Vulnerable Software & Versions: (show all )
Description:
Apache HttpComponents Client File Path: /home/runner/.m2/repository/org/apache/httpcomponents/client5/httpclient5/5.2.1/httpclient5-5.2.1.jarMD5: fbbefc687f2e0c55b34b77edf53d486aSHA1: 0c900514d3446d9ce5d9dbd90c21192048125440SHA256: 9355f3876baf82fec13ced22c12b62d57536230836406d359459128e4f73ed51Referenced In Project/Scope: kodexa-java:compile
Evidence Type Source Name Value Confidence Vendor pom parent-groupid org.apache.httpcomponents.client5 Medium Vendor Manifest build-jdk-spec 1.8 Low Vendor file name httpclient5 High Vendor Manifest specification-vendor The Apache Software Foundation Low Vendor Manifest implementation-url https://hc.apache.org/httpcomponents-client-5.0.x/5.2.1/httpclient5/ Low Vendor jar package name apache Highest Vendor Manifest Implementation-Vendor The Apache Software Foundation High Vendor jar package name client5 Highest Vendor pom artifactid httpclient5 Low Vendor pom groupid apache.httpcomponents.client5 Highest Vendor pom groupid org.apache.httpcomponents.client5 Highest Vendor Manifest Implementation-Vendor-Id org.apache Medium Vendor Manifest automatic-module-name org.apache.httpcomponents.client5.httpclient5 Medium Vendor pom parent-artifactid httpclient5-parent Low Vendor pom name Apache HttpClient High Product pom parent-groupid org.apache.httpcomponents.client5 Medium Product Manifest build-jdk-spec 1.8 Low Product jar package name hc Highest Product file name httpclient5 High Product Manifest implementation-url https://hc.apache.org/httpcomponents-client-5.0.x/5.2.1/httpclient5/ Low Product jar package name apache Highest Product pom artifactid httpclient5 Highest Product Manifest Implementation-Title Apache HttpClient High Product jar package name client5 Highest Product Manifest specification-title Apache HttpClient Medium Product pom groupid apache.httpcomponents.client5 Highest Product pom parent-artifactid httpclient5-parent Medium Product Manifest automatic-module-name org.apache.httpcomponents.client5.httpclient5 Medium Product pom name Apache HttpClient High Version Manifest Implementation-Version 5.2.1 High Version pom version 5.2.1 Highest Version file version 5.2.1 High
Description:
Apache HttpComponents HTTP/1.1 core components File Path: /home/runner/.m2/repository/org/apache/httpcomponents/core5/httpcore5/5.2/httpcore5-5.2.jarMD5: 3a40241f9a99cf063f347dfb73c5c4e8SHA1: ab7d251b8dfa3f2878f1eefbcca0e1fc0ebeba27SHA256: 293321cbf594d79ea8a0cb0214f75f146d17f088be17ad5ce11c2fe864df124cReferenced In Project/Scope: kodexa-java:compile
Evidence Type Source Name Value Confidence Vendor pom parent-groupid org.apache.httpcomponents.core5 Medium Vendor Manifest build-jdk-spec 1.8 Low Vendor Manifest implementation-url https://hc.apache.org/httpcomponents-core-5.2.x/5.2/httpcore5/ Low Vendor pom artifactid httpcore5 Low Vendor pom parent-artifactid httpcore5-parent Low Vendor Manifest specification-vendor The Apache Software Foundation Low Vendor jar package name apache Highest Vendor jar package name core5 Highest Vendor pom groupid org.apache.httpcomponents.core5 Highest Vendor file name httpcore5 High Vendor Manifest automatic-module-name org.apache.httpcomponents.core5.httpcore5 Medium Vendor Manifest Implementation-Vendor The Apache Software Foundation High Vendor Manifest Implementation-Vendor-Id org.apache Medium Vendor pom groupid apache.httpcomponents.core5 Highest Vendor pom name Apache HttpComponents Core HTTP/1.1 High Product Manifest Implementation-Title Apache HttpComponents Core HTTP/1.1 High Product pom parent-groupid org.apache.httpcomponents.core5 Medium Product Manifest build-jdk-spec 1.8 Low Product jar package name hc Highest Product Manifest implementation-url https://hc.apache.org/httpcomponents-core-5.2.x/5.2/httpcore5/ Low Product jar package name apache Highest Product jar package name core5 Highest Product file name httpcore5 High Product Manifest automatic-module-name org.apache.httpcomponents.core5.httpcore5 Medium Product pom parent-artifactid httpcore5-parent Medium Product pom groupid apache.httpcomponents.core5 Highest Product Manifest specification-title Apache HttpComponents Core HTTP/1.1 Medium Product pom artifactid httpcore5 Highest Product pom name Apache HttpComponents Core HTTP/1.1 High Version file version 5.2 High Version pom version 5.2 Highest Version Manifest Implementation-Version 5.2 High
Description:
Apache HttpComponents HTTP/2 Core Components File Path: /home/runner/.m2/repository/org/apache/httpcomponents/core5/httpcore5-h2/5.2/httpcore5-h2-5.2.jarMD5: 272112133e0dd0559efdd8f5e615a344SHA1: 698bd8c759ccc7fd7398f3179ff45d0e5a7ccc16SHA256: 5a087fb8c619979d492a83546f351ddadf32b28cc6a32923229f3fc777171578Referenced In Project/Scope: kodexa-java:compile
Evidence Type Source Name Value Confidence Vendor pom parent-groupid org.apache.httpcomponents.core5 Medium Vendor Manifest build-jdk-spec 1.8 Low Vendor pom parent-artifactid httpcore5-parent Low Vendor file name httpcore5-h2 High Vendor Manifest specification-vendor The Apache Software Foundation Low Vendor pom name Apache HttpComponents Core HTTP/2 High Vendor jar package name apache Highest Vendor jar package name core5 Highest Vendor pom groupid org.apache.httpcomponents.core5 Highest Vendor pom artifactid httpcore5-h2 Low Vendor Manifest automatic-module-name org.apache.httpcomponents.core5.httpcore5.h2 Medium Vendor Manifest Implementation-Vendor The Apache Software Foundation High Vendor Manifest implementation-url https://hc.apache.org/httpcomponents-core-5.2.x/5.2/httpcore5-h2/ Low Vendor Manifest Implementation-Vendor-Id org.apache Medium Vendor pom groupid apache.httpcomponents.core5 Highest Product pom parent-groupid org.apache.httpcomponents.core5 Medium Product Manifest build-jdk-spec 1.8 Low Product jar package name hc Highest Product file name httpcore5-h2 High Product pom name Apache HttpComponents Core HTTP/2 High Product jar package name apache Highest Product jar package name core5 Highest Product pom artifactid httpcore5-h2 Highest Product Manifest Implementation-Title Apache HttpComponents Core HTTP/2 High Product Manifest specification-title Apache HttpComponents Core HTTP/2 Medium Product Manifest automatic-module-name org.apache.httpcomponents.core5.httpcore5.h2 Medium Product Manifest implementation-url https://hc.apache.org/httpcomponents-core-5.2.x/5.2/httpcore5-h2/ Low Product pom parent-artifactid httpcore5-parent Medium Product pom groupid apache.httpcomponents.core5 Highest Version file version 5.2 High Version pom version 5.2 Highest Version Manifest Implementation-Version 5.2 High
Description:
logback-core module License:
http://www.eclipse.org/legal/epl-v10.html, http://www.gnu.org/licenses/old-licenses/lgpl-2.1.html File Path: /home/runner/.m2/repository/ch/qos/logback/logback-core/1.4.6/logback-core-1.4.6.jar
MD5: 4ab481af4f93588f5a1a2eddea6cce80
SHA1: c4eb386f0fe83d61c2e8a91df50bb07e7ea95140
SHA256: f19cbd234b3f7d4e1292c62cb49e9090ee12a80e72891431076cbbc7df2d694c
Referenced In Project/Scope: kodexa-java:compile
Evidence Type Source Name Value Confidence Vendor Manifest originally-created-by Apache Maven Bundle Plugin 5.1.6 Low Vendor pom groupid ch.qos.logback Highest Vendor Manifest specification-vendor QOS.ch Low Vendor Manifest Implementation-Vendor QOS.ch High Vendor pom name Logback Core Module High Vendor Manifest bundle-requiredexecutionenvironment JavaSE-1.6 Low Vendor jar package name core Highest Vendor jar package name ch Highest Vendor pom parent-artifactid logback-parent Low Vendor pom artifactid logback-core Low Vendor Manifest build-jdk-spec 19 Low Vendor jar package name logback Highest Vendor Manifest bundle-docurl http://www.qos.ch Low Vendor jar package name qos Highest Vendor file name logback-core High Vendor Manifest bundle-symbolicname ch.qos.logback.core Medium Product Manifest Bundle-Name Logback Core Module Medium Product Manifest originally-created-by Apache Maven Bundle Plugin 5.1.6 Low Product pom parent-artifactid logback-parent Medium Product Manifest specification-title Logback Core Module Medium Product pom groupid ch.qos.logback Highest Product pom name Logback Core Module High Product jar package name core Highest Product Manifest bundle-requiredexecutionenvironment JavaSE-1.6 Low Product pom artifactid logback-core Highest Product jar package name ch Highest Product Manifest build-jdk-spec 19 Low Product jar package name logback Highest Product Manifest bundle-docurl http://www.qos.ch Low Product jar package name qos Highest Product file name logback-core High Product Manifest bundle-symbolicname ch.qos.logback.core Medium Product Manifest Implementation-Title Logback Core Module High Version pom version 1.4.6 Highest Version file version 1.4.6 High Version Manifest Bundle-Version 1.4.6 High Version Manifest Implementation-Version 1.4.6 High
Related Dependencies logback-classic-1.4.6.jarFile Path: /home/runner/.m2/repository/ch/qos/logback/logback-classic/1.4.6/logback-classic-1.4.6.jar MD5: b493c72a2258f7b4bf173446c788102f SHA1: 61f81fe5d996f077f90a08ff5ca75d01dbe752c3 SHA256: 60d7030939d962afd3cec302e97eda66684f23b6d2de627a57734405bc8ebca8 pkg:maven/ch.qos.logback/logback-classic@1.4.6 Description:
The slf4j API File Path: /home/runner/.m2/repository/org/slf4j/slf4j-api/2.0.5/slf4j-api-2.0.5.jarMD5: 0f3fd4e1dccb6fa50f60b849594bc51aSHA1: 3a759df277e854f7c4ca951e5899bcec0dbdca73SHA256: f4a2974509291acc49fda4a79b0d59e15e2b524095d6421c66391b92387af4c9Referenced In Project/Scope: kodexa-java:compile
Evidence Type Source Name Value Confidence Vendor pom parent-artifactid slf4j-parent Low Vendor jar package name slf4j Highest Vendor pom parent-groupid org.slf4j Medium Vendor pom groupid slf4j Highest Vendor Manifest multi-release true Low Vendor Manifest bundle-requiredexecutionenvironment JavaSE-1.8 Low Vendor Manifest require-capability osgi.extender;filter:="(&(osgi.extender=osgi.serviceloader.processor)(version>=1.0.0)(!(version>=2.0.0)))",osgi.serviceloader;filter:="(osgi.serviceloader=org.slf4j.spi.SLF4JServiceProvider)";osgi.serviceloader="org.slf4j.spi.SLF4JServiceProvider" Low Vendor pom artifactid slf4j-api Low Vendor pom url http://www.slf4j.org Highest Vendor pom groupid org.slf4j Highest Vendor Manifest build-jdk-spec 19 Low Vendor Manifest bundle-symbolicname slf4j.api Medium Vendor pom name SLF4J API Module High Vendor file name slf4j-api High Product jar package name slf4j Highest Product pom parent-groupid org.slf4j Medium Product pom parent-artifactid slf4j-parent Medium Product pom groupid slf4j Highest Product pom artifactid slf4j-api Highest Product Manifest multi-release true Low Product jar package name slf4jserviceprovider Highest Product pom url http://www.slf4j.org Medium Product Manifest bundle-requiredexecutionenvironment JavaSE-1.8 Low Product Manifest require-capability osgi.extender;filter:="(&(osgi.extender=osgi.serviceloader.processor)(version>=1.0.0)(!(version>=2.0.0)))",osgi.serviceloader;filter:="(osgi.serviceloader=org.slf4j.spi.SLF4JServiceProvider)";osgi.serviceloader="org.slf4j.spi.SLF4JServiceProvider" Low Product Manifest build-jdk-spec 19 Low Product jar package name spi Highest Product Manifest bundle-symbolicname slf4j.api Medium Product pom name SLF4J API Module High Product Manifest Implementation-Title slf4j-api High Product file name slf4j-api High Product Manifest Bundle-Name slf4j-api Medium Version Manifest Implementation-Version 2.0.5 High Version pom version 2.0.5 Highest Version file version 2.0.5 High Version Manifest Bundle-Version 2.0.5 High
Description:
The Apache Commons IO library contains utility classes, stream implementations, file filters,
file comparators, endian transformation classes, and much more.
License:
https://www.apache.org/licenses/LICENSE-2.0.txt File Path: /home/runner/.m2/repository/commons-io/commons-io/2.11.0/commons-io-2.11.0.jar
MD5: 3b4b7ccfaeceeac240b804839ee1a1ca
SHA1: a2503f302b11ebde7ebc3df41daebe0e4eea3689
SHA256: 961b2f6d87dbacc5d54abf45ab7a6e2495f89b75598962d8c723cea9bc210908
Referenced In Project/Scope: kodexa-java:compile
Evidence Type Source Name Value Confidence Vendor jar package name commons Highest Vendor Manifest build-jdk-spec 1.8 Low Vendor pom artifactid commons-io Low Vendor pom groupid commons-io Highest Vendor pom parent-groupid org.apache.commons Medium Vendor Manifest specification-vendor The Apache Software Foundation Low Vendor jar package name apache Highest Vendor Manifest bundle-docurl https://commons.apache.org/proper/commons-io/ Low Vendor jar package name file Highest Vendor pom name Apache Commons IO High Vendor file name commons-io High Vendor pom parent-artifactid commons-parent Low Vendor Manifest automatic-module-name org.apache.commons.io Medium Vendor Manifest Implementation-Vendor The Apache Software Foundation High Vendor Manifest require-capability osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))" Low Vendor pom url https://commons.apache.org/proper/commons-io/ Highest Vendor Manifest bundle-symbolicname org.apache.commons.commons-io Medium Vendor jar package name io Highest Product jar package name commons Highest Product Manifest build-jdk-spec 1.8 Low Product pom groupid commons-io Highest Product pom parent-groupid org.apache.commons Medium Product jar package name apache Highest Product jar package name file Highest Product Manifest bundle-docurl https://commons.apache.org/proper/commons-io/ Low Product pom artifactid commons-io Highest Product pom name Apache Commons IO High Product file name commons-io High Product Manifest automatic-module-name org.apache.commons.io Medium Product Manifest specification-title Apache Commons IO Medium Product Manifest Implementation-Title Apache Commons IO High Product Manifest require-capability osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))" Low Product pom url https://commons.apache.org/proper/commons-io/ Medium Product pom parent-artifactid commons-parent Medium Product Manifest bundle-symbolicname org.apache.commons.commons-io Medium Product Manifest Bundle-Name Apache Commons IO Medium Product jar package name io Highest Version Manifest Implementation-Version 2.11.0 High Version pom parent-version 2.11.0 Low Version Manifest Bundle-Version 2.11.0 High Version pom version 2.11.0 Highest Version file version 2.11.0 High
Published Vulnerabilities CVE-2021-37533 suppress
Prior to Apache Commons Net 3.9.0, Net's FTP client trusts the host from PASV response by default. A malicious server can redirect the Commons Net code to use a different host, but the user has to connect to the malicious server in the first place. This may lead to leakage of information about services running on the private network of the client. The default in version 3.9.0 is now false to ignore such hosts, as cURL does. See https://issues.apache.org/jira/browse/NET-711. CWE-20 Improper Input Validation
CVSSv3:
Base Score: MEDIUM (6.5) Vector: /AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N References:
Vulnerable Software & Versions:
Description:
The ANTLR 4 Runtime File Path: /home/runner/.m2/repository/org/jdbi/jdbi3-core/3.39.1/jdbi3-core-3.39.1.jar/META-INF/maven/org.antlr/antlr4-runtime/pom.xmlMD5: f16817c1f4c33149ab516295328e3447SHA1: bd7a583a403c741d7b33674d693a7d3787a41519SHA256: 198e34fb5ac7597b1a3c31930301e08ce941e5ca504116dd54a3a75378914a7fReferenced In Project/Scope: kodexa-java:compile
Evidence Type Source Name Value Confidence Vendor pom artifactid antlr4-runtime Low Vendor pom groupid antlr Highest Vendor pom parent-artifactid antlr4-master Low Vendor pom parent-groupid org.antlr Medium Vendor pom name ANTLR 4 Runtime High Product pom groupid antlr Highest Product pom parent-groupid org.antlr Medium Product pom parent-artifactid antlr4-master Medium Product pom artifactid antlr4-runtime Highest Product pom name ANTLR 4 Runtime High Version pom version 4.13.0 Highest