Dependency-Check is an open source tool performing a best effort analysis of 3rd party dependencies;
false positives and false negatives may exist in the analysis performed by the tool. Use of the tool and
the reporting provided constitutes acceptance for use in an AS IS condition, and there are NO warranties,
implied or otherwise, with regard to the analysis or its use. Any use of the tool and the reporting provided
is at the user’s risk. In no event shall the copyright holder or OWASP be held liable for any damages whatsoever
arising out of or in connection with the use of this tool, the analysis performed, or the resulting report.
Scan Information (
show all ):
dependency-check version : 11.1.1Report Generated On : Thu, 2 Jan 2025 01:23:53 GMTDependencies Scanned : 56 (39 unique)Vulnerable Dependencies : 9 Vulnerabilities Found : 26Vulnerabilities Suppressed : 0 ... NVD API Last Checked : 2025-01-02T01:18:14ZNVD API Last Modified : 2025-01-01T14:15:23ZSummary Display:
Showing Vulnerable Dependencies (click to show all) Description:
Byte Buddy is a Java library for creating Java classes at run time.
This artifact is a build of Byte Buddy with all ASM dependencies repackaged into its own name space.
License:
https://www.apache.org/licenses/LICENSE-2.0.txt File Path: /home/runner/.m2/repository/net/bytebuddy/byte-buddy/1.15.11/byte-buddy-1.15.11.jar
MD5: 603bc53c7a294f23765bfb7e1820ad44
SHA1: f61886478e0f9ee4c21d09574736f0ff45e0a46c
SHA256: fa08998aae1e7bdae83bde0712c50e8444d71c0e0c196bb2247ade8d4ad0eb90
Referenced In Projects/Scopes: waffle-spring-boot2:compile waffle-spring-boot-starter2:compile waffle-spring-boot-autoconfigure2:compile byte-buddy-1.15.11.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/com.github.waffle/waffle-spring-boot2@3.5.2-SNAPSHOT pkg:maven/com.github.waffle/waffle-spring-boot-starter2@3.5.2-SNAPSHOT pkg:maven/com.github.waffle/waffle-spring-boot-autoconfigure2@3.5.2-SNAPSHOT Evidence Type Source Name Value Confidence Vendor file name byte-buddy High Vendor jar package name asm Highest Vendor jar package name build Highest Vendor jar package name bytebuddy Highest Vendor jar package name net Highest Vendor Manifest build-jdk-spec 1.8 Low Vendor Manifest bundle-symbolicname net.bytebuddy.byte-buddy Medium Vendor Manifest multi-release true Low Vendor pom artifactid byte-buddy Highest Vendor pom artifactid byte-buddy Low Vendor pom groupid net.bytebuddy Highest Vendor pom name Byte Buddy (without dependencies) High Vendor pom parent-artifactid byte-buddy-parent Low Product file name byte-buddy High Product jar package name asm Highest Product jar package name build Highest Product jar package name bytebuddy Highest Product jar package name net Highest Product Manifest build-jdk-spec 1.8 Low Product Manifest Bundle-Name Byte Buddy (without dependencies) Medium Product Manifest bundle-symbolicname net.bytebuddy.byte-buddy Medium Product Manifest multi-release true Low Product pom artifactid byte-buddy Highest Product pom groupid net.bytebuddy Highest Product pom name Byte Buddy (without dependencies) High Product pom parent-artifactid byte-buddy-parent Medium Version file version 1.15.11 High Version Manifest Bundle-Version 1.15.11 High Version pom version 1.15.11 Highest
Description:
The Byte Buddy agent offers convenience for attaching an agent to the local or a remote VM. License:
https://www.apache.org/licenses/LICENSE-2.0.txt File Path: /home/runner/.m2/repository/net/bytebuddy/byte-buddy-agent/1.15.11/byte-buddy-agent-1.15.11.jar
MD5: 449a1534609bf3535d74cbb10b4ed074
SHA1: a38b16385e867f59a641330f0362ebe742788ed8
SHA256: 316d2c0795c2a4d4c4756f2e6f9349837c7430ac34e0477ead874d05f5cc19e5
Referenced In Projects/Scopes: waffle-spring-boot2:compile waffle-spring-boot-starter2:compile waffle-spring-boot-autoconfigure2:compile byte-buddy-agent-1.15.11.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/com.github.waffle/waffle-spring-boot-starter2@3.5.2-SNAPSHOT pkg:maven/com.github.waffle/waffle-spring-boot-autoconfigure2@3.5.2-SNAPSHOT pkg:maven/com.github.waffle/waffle-spring-boot2@3.5.2-SNAPSHOT Evidence Type Source Name Value Confidence Vendor file name byte-buddy-agent High Vendor jar package name agent Highest Vendor jar package name bytebuddy Highest Vendor jar package name net Highest Vendor Manifest build-jdk-spec 1.8 Low Vendor Manifest bundle-symbolicname net.bytebuddy.byte-buddy-agent Medium Vendor Manifest can-redefine-classes true Low Vendor Manifest can-retransform-classes true Low Vendor Manifest can-set-native-method-prefix true Low Vendor Manifest multi-release true Low Vendor pom artifactid byte-buddy-agent Highest Vendor pom artifactid byte-buddy-agent Low Vendor pom groupid net.bytebuddy Highest Vendor pom name Byte Buddy agent High Vendor pom parent-artifactid byte-buddy-parent Low Product file name byte-buddy-agent High Product jar package name agent Highest Product jar package name bytebuddy Highest Product jar package name net Highest Product Manifest build-jdk-spec 1.8 Low Product Manifest Bundle-Name Byte Buddy agent Medium Product Manifest bundle-symbolicname net.bytebuddy.byte-buddy-agent Medium Product Manifest can-redefine-classes true Low Product Manifest can-retransform-classes true Low Product Manifest can-set-native-method-prefix true Low Product Manifest multi-release true Low Product pom artifactid byte-buddy-agent Highest Product pom groupid net.bytebuddy Highest Product pom name Byte Buddy agent High Product pom parent-artifactid byte-buddy-parent Medium Version file version 1.15.11 High Version Manifest Bundle-Version 1.15.11 High Version pom version 1.15.11 Highest
File Path: /home/runner/.m2/repository/net/bytebuddy/byte-buddy-agent/1.15.11/byte-buddy-agent-1.15.11.jar/win32-x86-64/attach_hotspot_windows.dllMD5: 053a783e5777c6a9867c27d51af89677SHA1: 5ef4d98ae6a033a5707d0b5466e6138beb337e76SHA256: 16d424423f9b09accf132ad35dbeaa52ac9f6bd45bba1406b89df851f651db20Referenced In Projects/Scopes:
waffle-spring-boot2:compile waffle-spring-boot-starter2:compile waffle-spring-boot-autoconfigure2:compile Evidence Type Source Name Value Confidence Vendor file name attach_hotspot_windows High Product file name attach_hotspot_windows High
File Path: /home/runner/.m2/repository/net/bytebuddy/byte-buddy-agent/1.15.11/byte-buddy-agent-1.15.11.jar/win32-x86/attach_hotspot_windows.dllMD5: fbca33102ac97be0ed496c0f78e466b3SHA1: c4df05146a86a6d073769bb697d550ef42518ed5SHA256: 810f94c4a2f5ca1a072c19859f7954fed9aa3a1dcb0d601e92d2338793202e72Referenced In Projects/Scopes:
waffle-spring-boot2:compile waffle-spring-boot-starter2:compile waffle-spring-boot-autoconfigure2:compile Evidence Type Source Name Value Confidence Vendor file name attach_hotspot_windows High Product file name attach_hotspot_windows High
Description:
A high performance caching library License:
Apache License, Version 2.0: https://www.apache.org/licenses/LICENSE-2.0.txt File Path: /home/runner/.m2/repository/com/github/ben-manes/caffeine/caffeine/2.9.3/caffeine-2.9.3.jar
MD5: e0b9c5ccd60a1b5403df1dfe6de37d8e
SHA1: b162491f768824d21487551873f9b3b374a7fe19
SHA256: 1e0a7bbef1dd791653143f3f05d0e489934bf5481e58a87c9e619cd46b68729b
Referenced In Projects/Scopes: waffle-spring-boot-starter2:compile waffle-spring-boot-autoconfigure2:compile caffeine-2.9.3.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/com.github.waffle/waffle-spring-security5@3.5.2-SNAPSHOT pkg:maven/com.github.waffle/waffle-spring-security5@3.5.2-SNAPSHOT Evidence Type Source Name Value Confidence Vendor file name caffeine High Vendor jar package name benmanes Highest Vendor jar package name cache Highest Vendor jar package name caffeine Highest Vendor jar package name github Highest Vendor Manifest automatic-module-name com.github.benmanes.caffeine Medium Vendor Manifest bundle-symbolicname com.github.ben-manes.caffeine Medium Vendor pom artifactid caffeine Highest Vendor pom artifactid caffeine Low Vendor pom developer email ben.manes@gmail.com Low Vendor pom developer id ben-manes Medium Vendor pom developer name Ben Manes Medium Vendor pom groupid com.github.ben-manes.caffeine Highest Vendor pom name Caffeine cache High Vendor pom url ben-manes/caffeine Highest Product file name caffeine High Product jar package name benmanes Highest Product jar package name cache Highest Product jar package name caffeine Highest Product jar package name github Highest Product Manifest automatic-module-name com.github.benmanes.caffeine Medium Product Manifest Bundle-Name com.github.ben-manes.caffeine Medium Product Manifest bundle-symbolicname com.github.ben-manes.caffeine Medium Product pom artifactid caffeine Highest Product pom developer email ben.manes@gmail.com Low Product pom developer id ben-manes Low Product pom developer name Ben Manes Low Product pom groupid com.github.ben-manes.caffeine Highest Product pom name Caffeine cache High Product pom url ben-manes/caffeine High Version file version 2.9.3 High Version Manifest Bundle-Version 2.9.3 High Version pom version 2.9.3 Highest
Description:
checker-qual contains annotations (type qualifiers) that a programmerwrites to specify Java code for type-checking by the Checker Framework. License:
The MIT License: http://opensource.org/licenses/MIT File Path: /home/runner/.m2/repository/org/checkerframework/checker-qual/3.48.1/checker-qual-3.48.1.jar
MD5: 1594c16f661bec96488b56d4d5b56582
SHA1: 7d8cf1c00aec0042df92f8d71d7f15baaf9773f4
SHA256: 21e8dfe8103e125d96a329653ca81e87ac430326dbdbf299cea3dc1ae3f039a2
Referenced In Projects/Scopes: waffle-spring-boot-starter2:compile waffle-spring-boot-autoconfigure2:compile checker-qual-3.48.1.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/com.github.hazendaz.jmockit/jmockit@1.55.0 pkg:maven/com.github.hazendaz.jmockit/jmockit@1.55.0 Evidence Type Source Name Value Confidence Vendor file name checker-qual High Vendor jar package name checker Highest Vendor jar package name checkerframework Highest Vendor jar package name framework Highest Vendor jar package name qual Highest Vendor Manifest bundle-symbolicname checker-qual Medium Vendor Manifest implementation-url https://checkerframework.org Low Vendor pom artifactid checker-qual Highest Vendor pom artifactid checker-qual Low Vendor pom developer email mernst@cs.washington.edu Low Vendor pom developer email smillst@cs.washington.edu Low Vendor pom developer id mernst Medium Vendor pom developer id smillst Medium Vendor pom developer name Michael Ernst Medium Vendor pom developer name Suzanne Millstein Medium Vendor pom developer org University of Washington Medium Vendor pom developer org URL https://www.cs.washington.edu/ Medium Vendor pom groupid org.checkerframework Highest Vendor pom name Checker Qual High Vendor pom url https://checkerframework.org/ Highest Product file name checker-qual High Product jar package name checker Highest Product jar package name checkerframework Highest Product jar package name framework Highest Product jar package name qual Highest Product Manifest Bundle-Name checker-qual Medium Product Manifest bundle-symbolicname checker-qual Medium Product Manifest implementation-url https://checkerframework.org Low Product pom artifactid checker-qual Highest Product pom developer email mernst@cs.washington.edu Low Product pom developer email smillst@cs.washington.edu Low Product pom developer id mernst Low Product pom developer id smillst Low Product pom developer name Michael Ernst Low Product pom developer name Suzanne Millstein Low Product pom developer org University of Washington Low Product pom developer org URL https://www.cs.washington.edu/ Low Product pom groupid org.checkerframework Highest Product pom name Checker Qual High Product pom url https://checkerframework.org/ Medium Version file version 3.48.1 High Version Manifest Bundle-Version 3.48.1 High Version Manifest Implementation-Version 3.48.1 High Version pom version 3.48.1 Highest
Description:
WAFFLE JNA implementation License:
MIT https://raw.github.com/Waffle/waffle/master/LICENSE File Path: /home/runner/work/waffle/waffle/Source/JNA/waffle-jna/pom.xml
Referenced In Projects/Scopes: waffle-spring-boot-starter2 waffle-spring-boot-autoconfigure2 com.github.waffle:waffle-jna:3.5.2-SNAPSHOT is in the transitive dependency tree of the listed items. Included by: pkg:maven/com.github.waffle/waffle-spring-boot-autoconfigure2@3.5.2-SNAPSHOT pkg:maven/com.github.waffle/waffle-spring-boot-starter2@3.5.2-SNAPSHOT Evidence Type Source Name Value Confidence Vendor file name pom High Vendor project artifactid waffle-jna Low Vendor project groupid com.github.waffle Highest Product file name pom High Product project artifactid waffle-jna Highest Product project groupid com.github.waffle Low
Description:
Spring Boot Autoconfigure for WAFFLE License:
MIT https://raw.github.com/Waffle/waffle/master/LICENSE File Path: /home/runner/work/waffle/waffle/Source/JNA/waffle-spring-boot2/waffle-spring-boot-autoconfigure2/pom.xml
Referenced In Project/Scope: waffle-spring-boot-starter2
com.github.waffle:waffle-spring-boot-autoconfigure2:3.5.2-SNAPSHOT is in the transitive dependency tree of the listed items. Included by: pkg:maven/com.github.waffle/waffle-spring-boot-starter2@3.5.2-SNAPSHOT
Evidence Type Source Name Value Confidence Vendor file name pom High Vendor project artifactid waffle-spring-boot-autoconfigure2 Low Vendor project groupid com.github.waffle Highest Product file name pom High Product project artifactid waffle-spring-boot-autoconfigure2 Highest Product project groupid com.github.waffle Low
Description:
Spring Security 5 integration for WAFFLE License:
MIT https://raw.github.com/Waffle/waffle/master/LICENSE File Path: /home/runner/work/waffle/waffle/Source/JNA/waffle-spring-security5/pom.xml
Referenced In Projects/Scopes: waffle-spring-boot-starter2 waffle-spring-boot-autoconfigure2 com.github.waffle:waffle-spring-security5:3.5.2-SNAPSHOT is in the transitive dependency tree of the listed items. Included by: pkg:maven/com.github.waffle/waffle-spring-boot-autoconfigure2@3.5.2-SNAPSHOT pkg:maven/com.github.waffle/waffle-spring-boot-starter2@3.5.2-SNAPSHOT Evidence Type Source Name Value Confidence Vendor file name pom High Vendor project artifactid waffle-spring-security5 Low Vendor project groupid com.github.waffle Highest Product file name pom High Product project artifactid waffle-spring-security5 Highest Product project groupid com.github.waffle Low
Description:
Error Prone is a static analysis tool for Java that catches common programming mistakes at compile-time. License:
Apache 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt File Path: /home/runner/.m2/repository/com/google/errorprone/error_prone_annotations/2.36.0/error_prone_annotations-2.36.0.jar
MD5: 0e48e5ba2cd0a8d8d09bad849b99f6a6
SHA1: 227d4d4957ccc3dc5761bd897e3a0ee587e750a7
SHA256: 77440e270b0bc9a249903c5a076c36a722c4886ca4f42675f2903a1c53ed61a5
Referenced In Projects/Scopes: waffle-spring-boot2:provided waffle-spring-boot-autoconfigure2:provided waffle-spring-boot-starter2:provided error_prone_annotations-2.36.0.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/com.github.waffle/waffle-spring-boot-starter2@3.5.2-SNAPSHOT pkg:maven/com.github.waffle/waffle-spring-boot2@3.5.2-SNAPSHOT pkg:maven/com.github.waffle/waffle-spring-boot-autoconfigure2@3.5.2-SNAPSHOT Evidence Type Source Name Value Confidence Vendor file name error_prone_annotations High Vendor jar package name annotations Highest Vendor jar package name errorprone Highest Vendor jar package name google Highest Vendor Manifest build-jdk-spec 17 Low Vendor Manifest bundle-docurl https://errorprone.info/error_prone_annotations Low Vendor Manifest bundle-symbolicname com.google.errorprone.annotations Medium Vendor Manifest multi-release true Low Vendor pom artifactid error_prone_annotations Highest Vendor pom artifactid error_prone_annotations Low Vendor pom groupid com.google.errorprone Highest Vendor pom name error-prone annotations High Vendor pom parent-artifactid error_prone_parent Low Product file name error_prone_annotations High Product jar package name annotations Highest Product jar package name errorprone Highest Product jar package name google Highest Product Manifest build-jdk-spec 17 Low Product Manifest bundle-docurl https://errorprone.info/error_prone_annotations Low Product Manifest Bundle-Name error-prone annotations Medium Product Manifest bundle-symbolicname com.google.errorprone.annotations Medium Product Manifest multi-release true Low Product pom artifactid error_prone_annotations Highest Product pom groupid com.google.errorprone Highest Product pom name error-prone annotations High Product pom parent-artifactid error_prone_parent Medium Version file version 2.36.0 High Version Manifest Bundle-Version 2.36.0 High Version pom version 2.36.0 Highest
Description:
A set of annotations that provide additional information to the J2ObjC
translator to modify the result of translation.
License:
Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt File Path: /home/runner/.m2/repository/com/google/j2objc/j2objc-annotations/3.0.0/j2objc-annotations-3.0.0.jar
MD5: f59529b29202a5baf37f491ea5ec8627
SHA1: 7399e65dd7e9ff3404f4535b2f017093bdb134c7
SHA256: 88241573467ddca44ffd4d74aa04c2bbfd11bf7c17e0c342c94c9de7a70a7c64
Referenced In Projects/Scopes: waffle-spring-boot2:provided waffle-spring-boot-autoconfigure2:provided waffle-spring-boot-starter2:provided j2objc-annotations-3.0.0.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/com.github.waffle/waffle-spring-boot-starter2@3.5.2-SNAPSHOT pkg:maven/com.github.waffle/waffle-spring-boot-autoconfigure2@3.5.2-SNAPSHOT pkg:maven/com.github.waffle/waffle-spring-boot2@3.5.2-SNAPSHOT Evidence Type Source Name Value Confidence Vendor file name j2objc-annotations High Vendor jar package name annotations Highest Vendor jar package name google Highest Vendor jar package name j2objc Highest Vendor Manifest build-jdk-spec 11 Low Vendor Manifest multi-release true Low Vendor pom artifactid j2objc-annotations Highest Vendor pom artifactid j2objc-annotations Low Vendor pom developer email tball@google.com Low Vendor pom developer id tomball Medium Vendor pom developer name Tom Ball Medium Vendor pom developer org Google Medium Vendor pom developer org URL https://www.google.com Medium Vendor pom groupid com.google.j2objc Highest Vendor pom name J2ObjC Annotations High Vendor pom url google/j2objc/ Highest Product file name j2objc-annotations High Product jar package name annotations Highest Product jar package name google Highest Product jar package name j2objc Highest Product Manifest build-jdk-spec 11 Low Product Manifest multi-release true Low Product pom artifactid j2objc-annotations Highest Product pom developer email tball@google.com Low Product pom developer id tomball Low Product pom developer name Tom Ball Low Product pom developer org Google Low Product pom developer org URL https://www.google.com Low Product pom groupid com.google.j2objc Highest Product pom name J2ObjC Annotations High Product pom url google/j2objc/ High Version file version 3.0.0 High Version pom version 3.0.0 Highest
Description:
Core Jackson processing abstractions (aka Streaming API), implementation for JSON License:
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt File Path: /home/runner/.m2/repository/com/fasterxml/jackson/core/jackson-core/2.13.5/jackson-core-2.13.5.jar
MD5: 2272453c780d1383ecd2efde00c1a7a9
SHA1: 0d07c97d3de9ea658caf1ff1809fd9de930a286a
SHA256: 48f36a025311d0464ad8dda4512a20c79e279a9550f63f3179d731d94482474b
Referenced In Project/Scope: waffle-spring-boot-autoconfigure2:compile
jackson-core-2.13.5.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/org.springframework.boot/spring-boot-starter-web@2.7.18
Evidence Type Source Name Value Confidence Vendor file name jackson-core High Vendor jar package name base Highest Vendor jar package name core Highest Vendor jar package name fasterxml Highest Vendor jar package name jackson Highest Vendor jar package name json Highest Vendor Manifest build-jdk-spec 1.8 Low Vendor Manifest bundle-docurl https://github.com/FasterXML/jackson-core Low Vendor Manifest bundle-symbolicname com.fasterxml.jackson.core.jackson-core Medium Vendor Manifest implementation-build-date 2023-01-23 00:23:55+0000 Low Vendor Manifest Implementation-Vendor FasterXML High Vendor Manifest Implementation-Vendor-Id com.fasterxml.jackson.core Medium Vendor Manifest multi-release true Low Vendor Manifest specification-vendor FasterXML Low Vendor pom artifactid jackson-core Highest Vendor pom artifactid jackson-core Low Vendor pom groupid com.fasterxml.jackson.core Highest Vendor pom name Jackson-core High Vendor pom parent-artifactid jackson-base Low Vendor pom parent-groupid com.fasterxml.jackson Medium Vendor pom url FasterXML/jackson-core Highest Product file name jackson-core High Product hint analyzer product java8 Highest Product hint analyzer product modules Highest Product jar package name base Highest Product jar package name core Highest Product jar package name fasterxml Highest Product jar package name jackson Highest Product jar package name json Highest Product Manifest build-jdk-spec 1.8 Low Product Manifest bundle-docurl https://github.com/FasterXML/jackson-core Low Product Manifest Bundle-Name Jackson-core Medium Product Manifest bundle-symbolicname com.fasterxml.jackson.core.jackson-core Medium Product Manifest implementation-build-date 2023-01-23 00:23:55+0000 Low Product Manifest Implementation-Title Jackson-core High Product Manifest multi-release true Low Product Manifest specification-title Jackson-core Medium Product pom artifactid jackson-core Highest Product pom groupid com.fasterxml.jackson.core Highest Product pom name Jackson-core High Product pom parent-artifactid jackson-base Medium Product pom parent-groupid com.fasterxml.jackson Medium Product pom url FasterXML/jackson-core High Version file version 2.13.5 High Version Manifest Bundle-Version 2.13.5 High Version Manifest Implementation-Version 2.13.5 High Version pom version 2.13.5 Highest
Related Dependencies jackson-annotations-2.13.5.jarFile Path: /home/runner/.m2/repository/com/fasterxml/jackson/core/jackson-annotations/2.13.5/jackson-annotations-2.13.5.jar MD5: 0b1245f3245cbfa53e61d9d366006041 SHA1: 136f77ab424f302c9e27230b4482e8000e142edf SHA256: 80aea8ed7232db5040ced4b3f982f29da95bb3d802343dbf6fd82ccd98c21c4f pkg:maven/com.fasterxml.jackson.core/jackson-annotations@2.13.5 jackson-datatype-jdk8-2.13.5.jarFile Path: /home/runner/.m2/repository/com/fasterxml/jackson/datatype/jackson-datatype-jdk8/2.13.5/jackson-datatype-jdk8-2.13.5.jar MD5: 3803e35b61c5812310fd093c398b43b6 SHA1: 1278f38160812811c56eb77f67213662ed1c7a2e SHA256: e58761751fea8a00dc626aae1c5f1be38c5cfd487aeb333d933a4ab5f5a73c55 pkg:maven/com.fasterxml.jackson.datatype/jackson-datatype-jdk8@2.13.5 jackson-datatype-jsr310-2.13.5.jarFile Path: /home/runner/.m2/repository/com/fasterxml/jackson/datatype/jackson-datatype-jsr310/2.13.5/jackson-datatype-jsr310-2.13.5.jar MD5: 712138e14895b15181e0b9af3292e222 SHA1: 8ba3b868e81d7fc6ead686bd2353859b111d9eaf SHA256: ef15ceddddc58dfbd686b6b7fd0853ed328ff08c628bd4a395734bec20ca857b pkg:maven/com.fasterxml.jackson.datatype/jackson-datatype-jsr310@2.13.5 jackson-module-parameter-names-2.13.5.jar Description:
General data-binding functionality for Jackson: works on core streaming API License:
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt File Path: /home/runner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.13.5/jackson-databind-2.13.5.jar
MD5: 1dbb98839964a6967a428d868b2d8714
SHA1: aa95e46dbc32454f3983221d420e78ef19ddf844
SHA256: 5fedb24b2356491815d18267f65da9a21dd67413345ad7795f221afa25c78984
Referenced In Project/Scope: waffle-spring-boot-autoconfigure2:compile
jackson-databind-2.13.5.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/org.springframework.boot/spring-boot-starter-web@2.7.18
Evidence Type Source Name Value Confidence Vendor file name jackson-databind High Vendor jar package name databind Highest Vendor jar package name fasterxml Highest Vendor jar package name jackson Highest Vendor Manifest build-jdk-spec 1.8 Low Vendor Manifest bundle-docurl http://github.com/FasterXML/jackson Low Vendor Manifest bundle-symbolicname com.fasterxml.jackson.core.jackson-databind Medium Vendor Manifest implementation-build-date 2023-01-23 00:47:48+0000 Low Vendor Manifest Implementation-Vendor FasterXML High Vendor Manifest Implementation-Vendor-Id com.fasterxml.jackson.core Medium Vendor Manifest multi-release true Low Vendor Manifest specification-vendor FasterXML Low Vendor pom artifactid jackson-databind Highest Vendor pom artifactid jackson-databind Low Vendor pom groupid com.fasterxml.jackson.core Highest Vendor pom name jackson-databind High Vendor pom parent-artifactid jackson-base Low Vendor pom parent-groupid com.fasterxml.jackson Medium Vendor pom url http://github.com/FasterXML/jackson Highest Product file name jackson-databind High Product hint analyzer product java8 Highest Product hint analyzer product modules Highest Product jar package name databind Highest Product jar package name fasterxml Highest Product jar package name jackson Highest Product Manifest build-jdk-spec 1.8 Low Product Manifest bundle-docurl http://github.com/FasterXML/jackson Low Product Manifest Bundle-Name jackson-databind Medium Product Manifest bundle-symbolicname com.fasterxml.jackson.core.jackson-databind Medium Product Manifest implementation-build-date 2023-01-23 00:47:48+0000 Low Product Manifest Implementation-Title jackson-databind High Product Manifest multi-release true Low Product Manifest specification-title jackson-databind Medium Product pom artifactid jackson-databind Highest Product pom groupid com.fasterxml.jackson.core Highest Product pom name jackson-databind High Product pom parent-artifactid jackson-base Medium Product pom parent-groupid com.fasterxml.jackson Medium Product pom url http://github.com/FasterXML/jackson Medium Version file version 2.13.5 High Version Manifest Bundle-Version 2.13.5 High Version Manifest Implementation-Version 2.13.5 High Version pom version 2.13.5 Highest
CVE-2023-35116 suppress
jackson-databind through 2.15.2 allows attackers to cause a denial of service or other unspecified impact via a crafted object that uses cyclic dependencies. NOTE: the vendor's perspective is that this is not a valid vulnerability report, because the steps of constructing a cyclic data structure and trying to serialize it cannot be achieved by an external attacker. CWE-770 Allocation of Resources Without Limits or Throttling
CVSSv3:
Base Score: MEDIUM (4.7) Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H/E:1.0/RC:R/MAV:A References:
Vulnerable Software & Versions:
Description:
Jakarta Annotations API License:
EPL 2.0: http://www.eclipse.org/legal/epl-2.0
GPL2 w/ CPE: https://www.gnu.org/software/classpath/license.html File Path: /home/runner/.m2/repository/jakarta/annotation/jakarta.annotation-api/1.3.5/jakarta.annotation-api-1.3.5.jar
MD5: 8b165cf58df5f8c2a222f637c0a07c97
SHA1: 59eb84ee0d616332ff44aba065f3888cf002cd2d
SHA256: 85fb03fc054cdf4efca8efd9b6712bbb418e1ab98241c4539c8585bbc23e1b8a
Referenced In Projects/Scopes: waffle-spring-boot-starter2:compile waffle-spring-boot-autoconfigure2:compile jakarta.annotation-api-1.3.5.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/org.springframework.boot/spring-boot-starter@2.7.18 pkg:maven/org.springframework.boot/spring-boot-starter-web@2.7.18 Evidence Type Source Name Value Confidence Vendor file name jakarta.annotation-api High Vendor jar package name annotation Highest Vendor Manifest automatic-module-name java.annotation Medium Vendor Manifest bundle-docurl https://www.eclipse.org Low Vendor Manifest bundle-symbolicname jakarta.annotation-api Medium Vendor Manifest extension-name jakarta.annotation Medium Vendor Manifest Implementation-Vendor Eclipse Foundation High Vendor Manifest Implementation-Vendor-Id org.glassfish Medium Vendor Manifest specification-vendor Eclipse Foundation Low Vendor pom artifactid jakarta.annotation-api Highest Vendor pom artifactid jakarta.annotation-api Low Vendor pom developer name Linda De Michiel Medium Vendor pom developer org Oracle Corp. Medium Vendor pom groupid jakarta.annotation Highest Vendor pom name Jakarta Annotations API High Vendor pom parent-artifactid ca-parent Low Vendor pom url https://projects.eclipse.org/projects/ee4j.ca Highest Product file name jakarta.annotation-api High Product jar package name annotation Highest Product Manifest automatic-module-name java.annotation Medium Product Manifest bundle-docurl https://www.eclipse.org Low Product Manifest Bundle-Name Jakarta Annotations API Medium Product Manifest bundle-symbolicname jakarta.annotation-api Medium Product Manifest extension-name jakarta.annotation Medium Product pom artifactid jakarta.annotation-api Highest Product pom developer name Linda De Michiel Low Product pom developer org Oracle Corp. Low Product pom groupid jakarta.annotation Highest Product pom name Jakarta Annotations API High Product pom parent-artifactid ca-parent Medium Product pom url https://projects.eclipse.org/projects/ee4j.ca Medium Version file version 1.3.5 High Version Manifest Bundle-Version 1.3.5 High Version Manifest Implementation-Version 1.3.5 High Version pom version 1.3.5 Highest
Description:
Java Native Access License:
LGPL-2.1-or-later: https://www.gnu.org/licenses/old-licenses/lgpl-2.1
Apache-2.0: https://www.apache.org/licenses/LICENSE-2.0.txt File Path: /home/runner/.m2/repository/net/java/dev/jna/jna/5.16.0/jna-5.16.0.jar
MD5: accc2e2b8676434a87f4f73fb4d90b44
SHA1: ebea09f91dc9f7048099f963fb8d6f919f0a4d9c
SHA256: 3f5233589a799eb66dc2969afa3433fb56859d3d787c58b9bc7dd9e86f0a250c
Referenced In Projects/Scopes: waffle-spring-boot-starter2:compile waffle-spring-boot-autoconfigure2:compile jna-5.16.0.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/com.github.waffle/waffle-spring-security5@3.5.2-SNAPSHOT pkg:maven/com.github.waffle/waffle-spring-security5@3.5.2-SNAPSHOT Evidence Type Source Name Value Confidence Vendor file name jna High Vendor jar package name jna Highest Vendor jar package name native Highest Vendor jar package name sun Highest Vendor jar (hint) package name oracle Highest Vendor Manifest automatic-module-name com.sun.jna Medium Vendor Manifest bundle-activationpolicy lazy Low Vendor Manifest bundle-category jni Low Vendor Manifest bundle-nativecode com/sun/jna/win32-x86/jnidispatch.dll; processor=x86;osname=win32, com/sun/jna/win32-x86-64/jnidispatch.dll; processor=x86-64;osname=win32, com/sun/jna/win32-aarch64/jnidispatch.dll; processor=aarch64;osname=win32, com/sun/jna/win32-x86/jnidispatch.dll; processor=x86;osname=win, com/sun/jna/win32-x86-64/jnidispatch.dll; processor=x86-64;osname=win, com/sun/jna/win32-aarch64/jnidispatch.dll; processor=aarch64;osname=win, com/sun/jna/w32ce-arm/jnidispatch.dll; processor=arm;osname=wince, com/sun/jna/sunos-x86/libjnidispatch.so; processor=x86;osname=sunos, com/sun/jna/sunos-x86-64/libjnidispatch.so; processor=x86-64;osname=sunos, com/sun/jna/sunos-sparc/libjnidispatch.so; processor=sparc;osname=sunos, com/sun/jna/sunos-sparcv9/libjnidispatch.so; processor=sparcv9;osname=sunos, com/sun/jna/aix-ppc/libjnidispatch.a; processor=ppc;osname=aix, com/sun/jna/aix-ppc64/libjnidispatch.a; processor=ppc64;osname=aix, com/sun/jna/linux-ppc/libjnidispatch.so; processor=ppc;osname=linux, com/sun/jna/linux-ppc64/libjnidispatch.so; processor=ppc64;osname=linux, com/sun/jna/linux-ppc64le/libjnidispatch.so; processor=ppc64le;osname=linux, com/sun/jna/linux-x86/libjnidispatch.so; processor=x86;osname=linux, com/sun/jna/linux-x86-64/libjnidispatch.so; processor=x86-64;osname=linux, com/sun/jna/linux-arm/libjnidispatch.so; processor=arm;osname=linux, com/sun/jna/linux-arm/libjnidispatch.so; processor=arm_le;osname=linux, com/sun/jna/linux-armel/libjnidispatch.so; processor=armel;osname=linux, com/sun/jna/linux-aarch64/libjnidispatch.so; processor=aarch64;osname=linux, com/sun/jna/linux-ia64/libjnidispatch.so; processor=ia64;osname=linux, com/sun/jna/linux-sparcv9/libjnidispatch.so; processor=sparcv9;osname=linux, com/sun/jna/linux-mips64el/libjnidispatch.so; processor=mips64el;osname=linux, com/sun/jna/linux-s390x/libjnidispatch.so; processor=S390x;osname=linux, com/sun/jna/linux-loongarch64/libjnidispatch.so; processor=loongarch64;osname=linux, com/sun/jna/linux-riscv64/libjnidispatch.so; processor=riscv64;osname=linux, com/sun/jna/dragonflybsd-x86-64/libjnidispatch.so; processor=x86-64;osname=dragonflybsd, com/sun/jna/freebsd-x86/libjnidispatch.so; processor=x86;osname=freebsd, com/sun/jna/freebsd-x86-64/libjnidispatch.so; processor=x86-64;osname=freebsd, com/sun/jna/freebsd-aarch64/libjnidispatch.so; processor=aarch64;osname=freebsd, com/sun/jna/freebsd-ppc64le/libjnidispatch.so; processor=ppc64le;osname=freebsd, com/sun/jna/freebsd-ppc64/libjnidispatch.so; processor=ppc64;osname=freebsd, com/sun/jna/openbsd-x86/libjnidispatch.so; processor=x86;osname=openbsd, com/sun/jna/openbsd-x86-64/libjnidispatch.so; processor=x86-64;osname=openbsd, com/sun/jna/darwin-ppc/libjnidispatch.jnilib; osname=macosx;processor=ppc, com/sun/jna/darwin-ppc64/libjnidispatch.jnilib; osname=macosx;processor=ppc64, com/sun/jna/darwin-x86/libjnidispatch.jnilib; osname=macosx;processor=x86, com/sun/jna/darwin-x86-64/libjnidispatch.jnilib; osname=macosx;processor=x86-64, com/sun/jna/darwin-aarch64/libjnidispatch.jnilib; osname=macosx;processor=aarch64 Low Vendor Manifest bundle-requiredexecutionenvironment JavaSE-1.6 Low Vendor Manifest bundle-symbolicname com.sun.jna Medium Vendor Manifest Implementation-Vendor JNA Development Team High Vendor Manifest specification-vendor JNA Development Team Low Vendor pom artifactid jna Highest Vendor pom artifactid jna Low Vendor pom developer email mblaesing@doppel-helix.eu Low Vendor pom developer id twall Medium Vendor pom developer name Matthias Bläsing Medium Vendor pom developer name Timothy Wall Medium Vendor pom groupid net.java.dev.jna Highest Vendor pom name Java Native Access High Vendor pom url java-native-access/jna Highest Product file name jna High Product jar package name jna Highest Product jar package name library Highest Product jar package name native Highest Product jar package name sun Highest Product jar package name win32 Highest Product Manifest automatic-module-name com.sun.jna Medium Product Manifest bundle-activationpolicy lazy Low Product Manifest bundle-category jni Low Product Manifest Bundle-Name jna Medium Product Manifest bundle-nativecode com/sun/jna/win32-x86/jnidispatch.dll; processor=x86;osname=win32, com/sun/jna/win32-x86-64/jnidispatch.dll; processor=x86-64;osname=win32, com/sun/jna/win32-aarch64/jnidispatch.dll; processor=aarch64;osname=win32, com/sun/jna/win32-x86/jnidispatch.dll; processor=x86;osname=win, com/sun/jna/win32-x86-64/jnidispatch.dll; processor=x86-64;osname=win, com/sun/jna/win32-aarch64/jnidispatch.dll; processor=aarch64;osname=win, com/sun/jna/w32ce-arm/jnidispatch.dll; processor=arm;osname=wince, com/sun/jna/sunos-x86/libjnidispatch.so; processor=x86;osname=sunos, com/sun/jna/sunos-x86-64/libjnidispatch.so; processor=x86-64;osname=sunos, com/sun/jna/sunos-sparc/libjnidispatch.so; processor=sparc;osname=sunos, com/sun/jna/sunos-sparcv9/libjnidispatch.so; processor=sparcv9;osname=sunos, com/sun/jna/aix-ppc/libjnidispatch.a; processor=ppc;osname=aix, com/sun/jna/aix-ppc64/libjnidispatch.a; processor=ppc64;osname=aix, com/sun/jna/linux-ppc/libjnidispatch.so; processor=ppc;osname=linux, com/sun/jna/linux-ppc64/libjnidispatch.so; processor=ppc64;osname=linux, com/sun/jna/linux-ppc64le/libjnidispatch.so; processor=ppc64le;osname=linux, com/sun/jna/linux-x86/libjnidispatch.so; processor=x86;osname=linux, com/sun/jna/linux-x86-64/libjnidispatch.so; processor=x86-64;osname=linux, com/sun/jna/linux-arm/libjnidispatch.so; processor=arm;osname=linux, com/sun/jna/linux-arm/libjnidispatch.so; processor=arm_le;osname=linux, com/sun/jna/linux-armel/libjnidispatch.so; processor=armel;osname=linux, com/sun/jna/linux-aarch64/libjnidispatch.so; processor=aarch64;osname=linux, com/sun/jna/linux-ia64/libjnidispatch.so; processor=ia64;osname=linux, com/sun/jna/linux-sparcv9/libjnidispatch.so; processor=sparcv9;osname=linux, com/sun/jna/linux-mips64el/libjnidispatch.so; processor=mips64el;osname=linux, com/sun/jna/linux-s390x/libjnidispatch.so; processor=S390x;osname=linux, com/sun/jna/linux-loongarch64/libjnidispatch.so; processor=loongarch64;osname=linux, com/sun/jna/linux-riscv64/libjnidispatch.so; processor=riscv64;osname=linux, com/sun/jna/dragonflybsd-x86-64/libjnidispatch.so; processor=x86-64;osname=dragonflybsd, com/sun/jna/freebsd-x86/libjnidispatch.so; processor=x86;osname=freebsd, com/sun/jna/freebsd-x86-64/libjnidispatch.so; processor=x86-64;osname=freebsd, com/sun/jna/freebsd-aarch64/libjnidispatch.so; processor=aarch64;osname=freebsd, com/sun/jna/freebsd-ppc64le/libjnidispatch.so; processor=ppc64le;osname=freebsd, com/sun/jna/freebsd-ppc64/libjnidispatch.so; processor=ppc64;osname=freebsd, com/sun/jna/openbsd-x86/libjnidispatch.so; processor=x86;osname=openbsd, com/sun/jna/openbsd-x86-64/libjnidispatch.so; processor=x86-64;osname=openbsd, com/sun/jna/darwin-ppc/libjnidispatch.jnilib; osname=macosx;processor=ppc, com/sun/jna/darwin-ppc64/libjnidispatch.jnilib; osname=macosx;processor=ppc64, com/sun/jna/darwin-x86/libjnidispatch.jnilib; osname=macosx;processor=x86, com/sun/jna/darwin-x86-64/libjnidispatch.jnilib; osname=macosx;processor=x86-64, com/sun/jna/darwin-aarch64/libjnidispatch.jnilib; osname=macosx;processor=aarch64 Low Product Manifest bundle-requiredexecutionenvironment JavaSE-1.6 Low Product Manifest bundle-symbolicname com.sun.jna Medium Product Manifest Implementation-Title com.sun.jna High Product Manifest specification-title Java Native Access (JNA) Medium Product pom artifactid jna Highest Product pom developer email mblaesing@doppel-helix.eu Low Product pom developer id twall Low Product pom developer name Matthias Bläsing Low Product pom developer name Timothy Wall Low Product pom groupid net.java.dev.jna Highest Product pom name Java Native Access High Product pom url java-native-access/jna High Version file version 5.16.0 High Version Manifest Bundle-Version 5.16.0 High Version pom version 5.16.0 Highest
File Path: /home/runner/.m2/repository/net/java/dev/jna/jna/5.16.0/jna-5.16.0.jar/com/sun/jna/win32-aarch64/jnidispatch.dllMD5: 302945a811fd8e21bcdd5226c73b6f74SHA1: 6b05e299ff2b3eb3b7b7aeac44263f715693607cSHA256: b8f98be314234cf12b5b46c29652f70c0f6abb93ae19b63d3fe2692062aa699dReferenced In Projects/Scopes:
waffle-spring-boot-starter2:compile waffle-spring-boot-autoconfigure2:compile Evidence Type Source Name Value Confidence Vendor file name jnidispatch High Product file name jnidispatch High
File Path: /home/runner/.m2/repository/net/java/dev/jna/jna/5.16.0/jna-5.16.0.jar/com/sun/jna/win32-x86-64/jnidispatch.dllMD5: 2d2475f1f026dd54e9f3e787ae4f81daSHA1: 27ff882ac271db547aee520b38e3ba9aa91e136cSHA256: 5a7ff949f6d93d86491eb5b26b1cfc60051168a60622650224b89995ac420023Referenced In Projects/Scopes:
waffle-spring-boot-starter2:compile waffle-spring-boot-autoconfigure2:compile Evidence Type Source Name Value Confidence Vendor file name jnidispatch High Product file name jnidispatch High
File Path: /home/runner/.m2/repository/net/java/dev/jna/jna/5.16.0/jna-5.16.0.jar/com/sun/jna/win32-x86/jnidispatch.dllMD5: 0caa1ef75a807f9dde05084fa2219a5cSHA1: 2f5e1cd82cde192905c7510ce99037b67d980640SHA256: 752d597cee7e95cb517327146bf42f124c0d6c0bc48b3ecc3b1b3b0531a52f44Referenced In Projects/Scopes:
waffle-spring-boot-starter2:compile waffle-spring-boot-autoconfigure2:compile Evidence Type Source Name Value Confidence Vendor file name jnidispatch High Product file name jnidispatch High
Description:
Java Native Access Platform License:
LGPL-2.1-or-later: https://www.gnu.org/licenses/old-licenses/lgpl-2.1
Apache-2.0: https://www.apache.org/licenses/LICENSE-2.0.txt File Path: /home/runner/.m2/repository/net/java/dev/jna/jna-platform/5.16.0/jna-platform-5.16.0.jar
MD5: 12ba6b7a7752ecf0a5baed725f3192c2
SHA1: b2a9065f97c166893d504b164706512338e3bbc2
SHA256: e5a79523964509757555782bb60283e4902611013f107e4600dc93298f73f382
Referenced In Projects/Scopes: waffle-spring-boot-starter2:compile waffle-spring-boot-autoconfigure2:compile jna-platform-5.16.0.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/com.github.waffle/waffle-spring-security5@3.5.2-SNAPSHOT pkg:maven/com.github.waffle/waffle-spring-security5@3.5.2-SNAPSHOT Evidence Type Source Name Value Confidence Vendor file name jna-platform High Vendor jar package name jna Highest Vendor jar package name platform Highest Vendor jar package name sun Highest Vendor jar (hint) package name oracle Highest Vendor Manifest automatic-module-name com.sun.jna.platform Medium Vendor Manifest bundle-category jni Low Vendor Manifest bundle-requiredexecutionenvironment J2SE-1.4 Low Vendor Manifest bundle-symbolicname com.sun.jna.platform Medium Vendor Manifest Implementation-Vendor JNA Development Team High Vendor Manifest require-bundle com.sun.jna;bundle-version="5.16.0" Low Vendor Manifest specification-vendor JNA Development Team Low Vendor pom artifactid jna-platform Highest Vendor pom artifactid jna-platform Low Vendor pom developer email mblaesing@doppel-helix.eu Low Vendor pom developer id twall Medium Vendor pom developer name Matthias Bläsing Medium Vendor pom developer name Timothy Wall Medium Vendor pom groupid net.java.dev.jna Highest Vendor pom name Java Native Access Platform High Vendor pom url java-native-access/jna Highest Product file name jna-platform High Product jar package name jna Highest Product jar package name platform Highest Product jar package name sun Highest Product Manifest automatic-module-name com.sun.jna.platform Medium Product Manifest bundle-category jni Low Product Manifest Bundle-Name jna-platform Medium Product Manifest bundle-requiredexecutionenvironment J2SE-1.4 Low Product Manifest bundle-symbolicname com.sun.jna.platform Medium Product Manifest Implementation-Title com.sun.jna High Product Manifest require-bundle com.sun.jna;bundle-version="5.16.0" Low Product Manifest specification-title Java Native Access (JNA) Medium Product pom artifactid jna-platform Highest Product pom developer email mblaesing@doppel-helix.eu Low Product pom developer id twall Low Product pom developer name Matthias Bläsing Low Product pom developer name Timothy Wall Low Product pom groupid net.java.dev.jna Highest Product pom name Java Native Access Platform High Product pom url java-native-access/jna High Version file version 5.16.0 High Version Manifest Bundle-Version 5.16.0 High Version pom version 5.16.0 Highest
Description:
JSR305 Annotations for Findbugs License:
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt File Path: /home/runner/.m2/repository/com/google/code/findbugs/jsr305/3.0.2/jsr305-3.0.2.jar
MD5: dd83accb899363c32b07d7a1b2e4ce40
SHA1: 25ea2e8b0c338a877313bd4672d3fe056ea78f0d
SHA256: 766ad2a0783f2687962c8ad74ceecc38a28b9f72a2d085ee438b7813e928d0c7
Referenced In Projects/Scopes: waffle-spring-boot2:provided waffle-spring-boot-autoconfigure2:provided waffle-spring-boot-starter2:provided jsr305-3.0.2.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/com.github.spotbugs/spotbugs-annotations@4.8.6 pkg:maven/com.github.spotbugs/spotbugs-annotations@4.8.6 pkg:maven/com.github.spotbugs/spotbugs-annotations@4.8.6 Evidence Type Source Name Value Confidence Vendor file name jsr305 High Vendor Manifest bundle-symbolicname org.jsr-305 Medium Vendor pom artifactid jsr305 Highest Vendor pom artifactid jsr305 Low Vendor pom groupid com.google.code.findbugs Highest Vendor pom name FindBugs-jsr305 High Vendor pom url http://findbugs.sourceforge.net/ Highest Product file name jsr305 High Product Manifest Bundle-Name FindBugs-jsr305 Medium Product Manifest bundle-symbolicname org.jsr-305 Medium Product pom artifactid jsr305 Highest Product pom groupid com.google.code.findbugs Highest Product pom name FindBugs-jsr305 High Product pom url http://findbugs.sourceforge.net/ Medium Version file version 3.0.2 High Version Manifest Bundle-Version 3.0.2 High Version pom version 3.0.2 Highest
Description:
JUL to SLF4J bridge File Path: /home/runner/.m2/repository/org/slf4j/jul-to-slf4j/1.7.36/jul-to-slf4j-1.7.36.jarMD5: 2a3fe73e6cafe8f102facaf2dd65353fSHA1: ed46d81cef9c412a88caef405b58f93a678ff2caSHA256: 9e641fb142c5f0b0623d6222c09ea87523a41bf6bed48ac79940724010b989deReferenced In Projects/Scopes:
waffle-spring-boot-starter2:compile waffle-spring-boot-autoconfigure2:compile jul-to-slf4j-1.7.36.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/org.springframework.boot/spring-boot-starter-web@2.7.18 pkg:maven/org.springframework.boot/spring-boot-starter@2.7.18 Evidence Type Source Name Value Confidence Vendor file name jul-to-slf4j High Vendor jar package name bridge Highest Vendor jar package name slf4j Highest Vendor Manifest build-jdk-spec 1.8 Low Vendor Manifest bundle-requiredexecutionenvironment J2SE-1.5 Low Vendor Manifest bundle-symbolicname jul.to.slf4j Medium Vendor pom artifactid jul-to-slf4j Highest Vendor pom artifactid jul-to-slf4j Low Vendor pom groupid org.slf4j Highest Vendor pom name JUL to SLF4J bridge High Vendor pom parent-artifactid slf4j-parent Low Vendor pom url http://www.slf4j.org Highest Product file name jul-to-slf4j High Product jar package name bridge Highest Product jar package name slf4j Highest Product Manifest build-jdk-spec 1.8 Low Product Manifest Bundle-Name jul-to-slf4j Medium Product Manifest bundle-requiredexecutionenvironment J2SE-1.5 Low Product Manifest bundle-symbolicname jul.to.slf4j Medium Product pom artifactid jul-to-slf4j Highest Product pom groupid org.slf4j Highest Product pom name JUL to SLF4J bridge High Product pom parent-artifactid slf4j-parent Medium Product pom url http://www.slf4j.org Medium Version file version 1.7.36 High Version Manifest Bundle-Version 1.7.36 High Version Manifest Implementation-Version 1.7.36 High Version pom version 1.7.36 Highest
Description:
The logging API of the Log4j project.
Library and application code can log through this API.
It contains a simple built-in implementation (`SimpleLogger`) for trivial use cases.
Production applications are recommended to use Log4j API in combination with a fully-fledged implementation, such as Log4j Core. License:
Apache-2.0: https://www.apache.org/licenses/LICENSE-2.0.txt File Path: /home/runner/.m2/repository/org/apache/logging/log4j/log4j-api/2.24.3/log4j-api-2.24.3.jar
MD5: d89516699543c5c21be87ee1760695f3
SHA1: b02c125db8b6d295adf72ae6e71af5d83bce2370
SHA256: 5b4a0a0cd0e751ded431c162442bdbdd53328d1f8bb2bae5fc1bbeee0f66d80f
Referenced In Projects/Scopes: waffle-spring-boot-starter2:compile waffle-spring-boot-autoconfigure2:compile log4j-api-2.24.3.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/org.springframework.boot/spring-boot-starter@2.7.18 pkg:maven/org.springframework.boot/spring-boot-starter-web@2.7.18 Evidence Type Source Name Value Confidence Vendor file name log4j-api High Vendor jar package name apache Highest Vendor jar package name log4j Highest Vendor jar package name logging Highest Vendor jar package name org Highest Vendor jar package name simple Highest Vendor Manifest build-jdk-spec 17 Low Vendor Manifest bundle-activationpolicy lazy Low Vendor Manifest bundle-symbolicname org.apache.logging.log4j.api Medium Vendor Manifest Implementation-Vendor The Apache Software Foundation High Vendor Manifest multi-release true Low Vendor Manifest provide-capability osgi.service;objectClass:List="org.apache.logging.log4j.util.PropertySource";effective:=active,osgi.serviceloader;osgi.serviceloader="org.apache.logging.log4j.util.PropertySource";register:="org.apache.logging.log4j.util.EnvironmentPropertySource",osgi.serviceloader;osgi.serviceloader="org.apache.logging.log4j.util.PropertySource";register:="org.apache.logging.log4j.util.SystemPropertiesPropertySource" Low Vendor Manifest specification-vendor The Apache Software Foundation Low Vendor pom artifactid log4j-api Highest Vendor pom artifactid log4j-api Low Vendor pom groupid org.apache.logging.log4j Highest Vendor pom name Apache Log4j API High Vendor pom parent-artifactid log4j Low Product file name log4j-api High Product jar package name apache Highest Product jar package name log4j Highest Product jar package name logging Highest Product jar package name org Highest Product jar package name simple Highest Product jar package name util Highest Product Manifest build-jdk-spec 17 Low Product Manifest bundle-activationpolicy lazy Low Product Manifest Bundle-Name Apache Log4j API Medium Product Manifest bundle-symbolicname org.apache.logging.log4j.api Medium Product Manifest Implementation-Title Apache Log4j API High Product Manifest multi-release true Low Product Manifest provide-capability osgi.service;objectClass:List="org.apache.logging.log4j.util.PropertySource";effective:=active,osgi.serviceloader;osgi.serviceloader="org.apache.logging.log4j.util.PropertySource";register:="org.apache.logging.log4j.util.EnvironmentPropertySource",osgi.serviceloader;osgi.serviceloader="org.apache.logging.log4j.util.PropertySource";register:="org.apache.logging.log4j.util.SystemPropertiesPropertySource" Low Product Manifest specification-title Apache Log4j API Medium Product pom artifactid log4j-api Highest Product pom groupid org.apache.logging.log4j Highest Product pom name Apache Log4j API High Product pom parent-artifactid log4j Medium Version file version 2.24.3 High Version Manifest Bundle-Version 2.24.3 High Version Manifest Implementation-Version 2.24.3 High Version pom version 2.24.3 Highest
Description:
Forwards the Log4j API calls to SLF4J.
(Refer to the `log4j-slf4j[2]-impl` artifacts for forwarding SLF4J to the Log4j API.) License:
Apache-2.0: https://www.apache.org/licenses/LICENSE-2.0.txt File Path: /home/runner/.m2/repository/org/apache/logging/log4j/log4j-to-slf4j/2.24.3/log4j-to-slf4j-2.24.3.jar
MD5: 1f4b63f9c41f2f5179aa10b35d76e805
SHA1: da1143e2a2531ee1c2d90baa98eb50a28a39d5a7
SHA256: c7f2b0c612a4eb05b1587d1c880eb4cf5f4f53850676a8ede8da2b8fabb4f73f
Referenced In Projects/Scopes: waffle-spring-boot-starter2:compile waffle-spring-boot-autoconfigure2:compile log4j-to-slf4j-2.24.3.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/org.springframework.boot/spring-boot-starter@2.7.18 pkg:maven/org.springframework.boot/spring-boot-starter-web@2.7.18 Evidence Type Source Name Value Confidence Vendor file name log4j-to-slf4j High Vendor jar package name apache Highest Vendor jar package name logging Highest Vendor jar package name slf4j Highest Vendor Manifest build-jdk-spec 17 Low Vendor Manifest bundle-activationpolicy lazy Low Vendor Manifest bundle-symbolicname org.apache.logging.log4j.to.slf4j Medium Vendor Manifest Implementation-Vendor The Apache Software Foundation High Vendor Manifest multi-release false Low Vendor Manifest provide-capability osgi.service;objectClass:List="org.apache.logging.log4j.spi.Provider";effective:=active,osgi.serviceloader;osgi.serviceloader="org.apache.logging.log4j.spi.Provider";register:="org.apache.logging.slf4j.SLF4JProvider" Low Vendor Manifest specification-vendor The Apache Software Foundation Low Vendor pom artifactid log4j-to-slf4j Highest Vendor pom artifactid log4j-to-slf4j Low Vendor pom groupid org.apache.logging.log4j Highest Vendor pom name Log4j API to SLF4J Adapter High Vendor pom parent-artifactid log4j Low Product file name log4j-to-slf4j High Product jar package name apache Highest Product jar package name logging Highest Product jar package name slf4j Highest Product jar package name slf4jprovider Highest Product Manifest build-jdk-spec 17 Low Product Manifest bundle-activationpolicy lazy Low Product Manifest Bundle-Name Log4j API to SLF4J Adapter Medium Product Manifest bundle-symbolicname org.apache.logging.log4j.to.slf4j Medium Product Manifest Implementation-Title Log4j API to SLF4J Adapter High Product Manifest multi-release false Low Product Manifest provide-capability osgi.service;objectClass:List="org.apache.logging.log4j.spi.Provider";effective:=active,osgi.serviceloader;osgi.serviceloader="org.apache.logging.log4j.spi.Provider";register:="org.apache.logging.slf4j.SLF4JProvider" Low Product Manifest specification-title Log4j API to SLF4J Adapter Medium Product pom artifactid log4j-to-slf4j Highest Product pom groupid org.apache.logging.log4j Highest Product pom name Log4j API to SLF4J Adapter High Product pom parent-artifactid log4j Medium Version file version 2.24.3 High Version Manifest Bundle-Version 2.24.3 High Version Manifest Implementation-Version 2.24.3 High Version pom version 2.24.3 Highest
Description:
logback-classic module License:
http://www.eclipse.org/legal/epl-v10.html, http://www.gnu.org/licenses/old-licenses/lgpl-2.1.html File Path: /home/runner/.m2/repository/ch/qos/logback/logback-classic/1.2.12/logback-classic-1.2.12.jar
MD5: a7ebf115c247690da5e5e64849da6f5f
SHA1: d4dee19148dccb177a0736eb2027bd195341da78
SHA256: f65352bf627177e414c956a977a5851e7125e9f3a2e1a7847b2fa78182dc49fe
Referenced In Projects/Scopes: waffle-spring-boot-starter2:compile waffle-spring-boot-autoconfigure2:compile logback-classic-1.2.12.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/org.springframework.boot/spring-boot-starter-web@2.7.18 pkg:maven/org.springframework.boot/spring-boot-starter@2.7.18 Evidence Type Source Name Value Confidence Vendor file name logback-classic High Vendor jar package name ch Highest Vendor jar package name classic Highest Vendor jar package name logback Highest Vendor jar package name qos Highest Vendor Manifest build-jdk-spec 1.8 Low Vendor Manifest bundle-docurl http://www.qos.ch Low Vendor Manifest bundle-requiredexecutionenvironment JavaSE-1.6 Low Vendor Manifest bundle-symbolicname ch.qos.logback.classic Medium Vendor Manifest originally-created-by Apache Maven Bundle Plugin 5.1.4 Low Vendor pom artifactid logback-classic Highest Vendor pom artifactid logback-classic Low Vendor pom groupid ch.qos.logback Highest Vendor pom name Logback Classic Module High Vendor pom parent-artifactid logback-parent Low Product file name logback-classic High Product jar package name ch Highest Product jar package name classic Highest Product jar package name logback Highest Product jar package name qos Highest Product Manifest build-jdk-spec 1.8 Low Product Manifest bundle-docurl http://www.qos.ch Low Product Manifest Bundle-Name Logback Classic Module Medium Product Manifest bundle-requiredexecutionenvironment JavaSE-1.6 Low Product Manifest bundle-symbolicname ch.qos.logback.classic Medium Product Manifest originally-created-by Apache Maven Bundle Plugin 5.1.4 Low Product pom artifactid logback-classic Highest Product pom groupid ch.qos.logback Highest Product pom name Logback Classic Module High Product pom parent-artifactid logback-parent Medium Version file version 1.2.12 High Version Manifest Bundle-Version 1.2.12 High Version pom version 1.2.12 Highest
CVE-2023-6378 suppress
A serialization vulnerability in logback receiver component part of
logback version 1.4.11 allows an attacker to mount a Denial-Of-Service
attack by sending poisoned data.
CWE-502 Deserialization of Untrusted Data
CVSSv3:
Base Score: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:3.9/RC:R/MAV:A References:
Vulnerable Software & Versions: (show all )
CVE-2023-6481 suppress
A serialization vulnerability in logback receiver component part of
logback version 1.4.13, 1.3.13 and 1.2.12 allows an attacker to mount a Denial-Of-Service
attack by sending poisoned data.
NVD-CWE-noinfo
CVSSv3:
Base Score: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:3.9/RC:R/MAV:A References:
Vulnerable Software & Versions: (show all )
Description:
logback-core module License:
http://www.eclipse.org/legal/epl-v10.html, http://www.gnu.org/licenses/old-licenses/lgpl-2.1.html File Path: /home/runner/.m2/repository/ch/qos/logback/logback-core/1.2.12/logback-core-1.2.12.jar
MD5: 879d60b3fa9c6617cee4e20f12f6a16e
SHA1: 1d8e51a698b138065d73baefb4f94531faa323cb
SHA256: 0cba0755fbdc1793f60dc9d1ef22337737899f4f28b485c42bcadacb73664b34
Referenced In Projects/Scopes: waffle-spring-boot-starter2:compile waffle-spring-boot-autoconfigure2:compile logback-core-1.2.12.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/org.springframework.boot/spring-boot-starter-web@2.7.18 pkg:maven/org.springframework.boot/spring-boot-starter@2.7.18 Evidence Type Source Name Value Confidence Vendor file name logback-core High Vendor jar package name ch Highest Vendor jar package name core Highest Vendor jar package name logback Highest Vendor jar package name qos Highest Vendor Manifest build-jdk-spec 1.8 Low Vendor Manifest bundle-docurl http://www.qos.ch Low Vendor Manifest bundle-requiredexecutionenvironment JavaSE-1.6 Low Vendor Manifest bundle-symbolicname ch.qos.logback.core Medium Vendor Manifest originally-created-by Apache Maven Bundle Plugin 5.1.4 Low Vendor pom artifactid logback-core Highest Vendor pom artifactid logback-core Low Vendor pom groupid ch.qos.logback Highest Vendor pom name Logback Core Module High Vendor pom parent-artifactid logback-parent Low Product file name logback-core High Product jar package name ch Highest Product jar package name core Highest Product jar package name logback Highest Product jar package name qos Highest Product Manifest build-jdk-spec 1.8 Low Product Manifest bundle-docurl http://www.qos.ch Low Product Manifest Bundle-Name Logback Core Module Medium Product Manifest bundle-requiredexecutionenvironment JavaSE-1.6 Low Product Manifest bundle-symbolicname ch.qos.logback.core Medium Product Manifest originally-created-by Apache Maven Bundle Plugin 5.1.4 Low Product pom artifactid logback-core Highest Product pom groupid ch.qos.logback Highest Product pom name Logback Core Module High Product pom parent-artifactid logback-parent Medium Version file version 1.2.12 High Version Manifest Bundle-Version 1.2.12 High Version pom version 1.2.12 Highest
CVE-2023-6378 suppress
A serialization vulnerability in logback receiver component part of
logback version 1.4.11 allows an attacker to mount a Denial-Of-Service
attack by sending poisoned data.
CWE-502 Deserialization of Untrusted Data
CVSSv3:
Base Score: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:3.9/RC:R/MAV:A References:
Vulnerable Software & Versions: (show all )
CVE-2023-6481 suppress
A serialization vulnerability in logback receiver component part of
logback version 1.4.13, 1.3.13 and 1.2.12 allows an attacker to mount a Denial-Of-Service
attack by sending poisoned data.
NVD-CWE-noinfo
CVSSv3:
Base Score: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:3.9/RC:R/MAV:A References:
Vulnerable Software & Versions: (show all )
CVE-2024-12798 (OSSINDEX)suppress
ACE vulnerability in JaninoEventEvaluator by QOS.CH logback-core
upto and including version 1.5.12 in Java applications allows
attacker to execute arbitrary code by compromising an existing
logback configuration file or by injecting an environment variable
before program execution.
Malicious logback configuration files can allow the attacker to execute
arbitrary code using the JaninoEventEvaluator extension.
A successful attack requires the user to have write access to a
configuration file. Alternatively, the attacker could inject a malicious
environment variable pointing to a malicious configuration file. In both
cases, the attack requires existing privilege. CWE-917 Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')
CVSSv2:
Base Score: MEDIUM (5.900000095367432) Vector: CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:P/VC:L/VI:H/VA:L/SC:L/SI:H/SA:L References:
Vulnerable Software & Versions (OSSINDEX):
cpe:2.3:a:ch.qos.logback:logback-core:1.2.12:*:*:*:*:*:*:* CVE-2024-12801 (OSSINDEX)suppress
Server-Side Request Forgery (SSRF) in SaxEventRecorder by QOS.CH logback version 1.5.12 on the Java platform, allows an attacker to
forge requests by compromising logback configuration files in XML.
The attacks involves the modification of DOCTYPE declaration in XML configuration files.
Sonatype's research suggests that this CVE's details differ from those defined at NVD. See https://ossindex.sonatype.org/vulnerability/CVE-2024-12801 for details CWE-918 Server-Side Request Forgery (SSRF)
CVSSv2:
Base Score: LOW (2.4000000953674316) Vector: CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:P/VC:L/VI:N/VA:L/SC:H/SI:H/SA:H References:
Vulnerable Software & Versions (OSSINDEX):
cpe:2.3:a:ch.qos.logback:logback-core:1.2.12:*:*:*:*:*:*:* Description:
The slf4j API File Path: /home/runner/.m2/repository/org/slf4j/slf4j-api/1.7.36/slf4j-api-1.7.36.jarMD5: 872da51f5de7f3923da4de871d57fd85SHA1: 6c62681a2f655b49963a5983b8b0950a6120ae14SHA256: d3ef575e3e4979678dc01bf1dcce51021493b4d11fb7f1be8ad982877c16a1c0Referenced In Projects/Scopes:
waffle-spring-boot-starter2:compile waffle-spring-boot-autoconfigure2:compile slf4j-api-1.7.36.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/org.slf4j/slf4j-simple@1.7.36 pkg:maven/org.slf4j/slf4j-simple@1.7.36 Evidence Type Source Name Value Confidence Vendor file name slf4j-api High Vendor jar package name slf4j Highest Vendor Manifest automatic-module-name org.slf4j Medium Vendor Manifest build-jdk-spec 1.8 Low Vendor Manifest bundle-requiredexecutionenvironment J2SE-1.5 Low Vendor Manifest bundle-symbolicname slf4j.api Medium Vendor pom artifactid slf4j-api Highest Vendor pom artifactid slf4j-api Low Vendor pom groupid org.slf4j Highest Vendor pom name SLF4J API Module High Vendor pom parent-artifactid slf4j-parent Low Vendor pom url http://www.slf4j.org Highest Product file name slf4j-api High Product jar package name slf4j Highest Product Manifest automatic-module-name org.slf4j Medium Product Manifest build-jdk-spec 1.8 Low Product Manifest Bundle-Name slf4j-api Medium Product Manifest bundle-requiredexecutionenvironment J2SE-1.5 Low Product Manifest bundle-symbolicname slf4j.api Medium Product Manifest Implementation-Title slf4j-api High Product pom artifactid slf4j-api Highest Product pom groupid org.slf4j Highest Product pom name SLF4J API Module High Product pom parent-artifactid slf4j-parent Medium Product pom url http://www.slf4j.org Medium Version file version 1.7.36 High Version Manifest Bundle-Version 1.7.36 High Version Manifest Implementation-Version 1.7.36 High Version pom version 1.7.36 Highest
Description:
YAML 1.1 parser and emitter for Java License:
Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt File Path: /home/runner/.m2/repository/org/yaml/snakeyaml/1.30/snakeyaml-1.30.jar
MD5: ba063b8ef3a8bfd591a1b56451166b14
SHA1: 8fde7fe2586328ac3c68db92045e1c8759125000
SHA256: f43a4e40a946b8cdfd0321bc1c9a839bc3f119c57e4ca84fb87c367f51c8b2b3
Referenced In Projects/Scopes: waffle-spring-boot-starter2:compile waffle-spring-boot-autoconfigure2:compile snakeyaml-1.30.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/org.springframework.boot/spring-boot-starter@2.7.18 pkg:maven/org.springframework.boot/spring-boot-starter-web@2.7.18 Evidence Type Source Name Value Confidence Vendor file name snakeyaml High Vendor jar package name emitter Highest Vendor jar package name parser Highest Vendor jar package name snakeyaml Highest Vendor jar package name yaml Highest Vendor Manifest automatic-module-name org.yaml.snakeyaml Medium Vendor Manifest bundle-symbolicname org.yaml.snakeyaml Medium Vendor pom artifactid snakeyaml Highest Vendor pom artifactid snakeyaml Low Vendor pom developer email alexander.maslov@gmail.com Low Vendor pom developer email jordanangold@gmail.com Low Vendor pom developer email public.somov@gmail.com Low Vendor pom developer id asomov Medium Vendor pom developer id Jordan Medium Vendor pom developer id maslovalex Medium Vendor pom developer name Alexander Maslov Medium Vendor pom developer name Andrey Somov Medium Vendor pom developer name Jordan Angold Medium Vendor pom groupid org.yaml Highest Vendor pom name SnakeYAML High Vendor pom url https://bitbucket.org/snakeyaml/snakeyaml Highest Product file name snakeyaml High Product jar package name emitter Highest Product jar package name parser Highest Product jar package name snakeyaml Highest Product jar package name yaml Highest Product Manifest automatic-module-name org.yaml.snakeyaml Medium Product Manifest Bundle-Name SnakeYAML Medium Product Manifest bundle-symbolicname org.yaml.snakeyaml Medium Product pom artifactid snakeyaml Highest Product pom developer email alexander.maslov@gmail.com Low Product pom developer email jordanangold@gmail.com Low Product pom developer email public.somov@gmail.com Low Product pom developer id asomov Low Product pom developer id Jordan Low Product pom developer id maslovalex Low Product pom developer name Alexander Maslov Low Product pom developer name Andrey Somov Low Product pom developer name Jordan Angold Low Product pom groupid org.yaml Highest Product pom name SnakeYAML High Product pom url https://bitbucket.org/snakeyaml/snakeyaml Medium Version file version 1.30 High Version pom version 1.30 Highest
CVE-2022-1471 suppress
SnakeYaml's Constructor() class does not restrict types which can be instantiated during deserialization. Deserializing yaml content provided by an attacker can lead to remote code execution. We recommend using SnakeYaml's SafeConsturctor when parsing untrusted content to restrict deserialization. We recommend upgrading to version 2.0 and beyond.
CWE-502 Deserialization of Untrusted Data, CWE-20 Improper Input Validation
CVSSv3:
Base Score: CRITICAL (9.8) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:3.9/RC:R/MAV:A References:
Vulnerable Software & Versions:
CVE-2022-25857 suppress
The package org.yaml:snakeyaml from 0 and before 1.31 are vulnerable to Denial of Service (DoS) due missing to nested depth limitation for collections. CWE-776 Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')
CVSSv3:
Base Score: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:3.9/RC:R/MAV:A References:
OSSINDEX - [CVE-2022-25857] CWE-776: Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion') OSSIndex - http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-25857 OSSIndex - https://bitbucket.org/snakeyaml/snakeyaml/issues/525 af854a3a-2127-422b-91ae-364da2661108 - EXPLOIT,ISSUE_TRACKING,THIRD_PARTY_ADVISORY af854a3a-2127-422b-91ae-364da2661108 - EXPLOIT,PATCH,THIRD_PARTY_ADVISORY af854a3a-2127-422b-91ae-364da2661108 - MAILING_LIST,THIRD_PARTY_ADVISORY af854a3a-2127-422b-91ae-364da2661108 - PATCH,THIRD_PARTY_ADVISORY af854a3a-2127-422b-91ae-364da2661108 - PATCH,THIRD_PARTY_ADVISORY report@snyk.io - EXPLOIT,ISSUE_TRACKING,THIRD_PARTY_ADVISORY report@snyk.io - EXPLOIT,PATCH,THIRD_PARTY_ADVISORY report@snyk.io - MAILING_LIST,THIRD_PARTY_ADVISORY report@snyk.io - PATCH,THIRD_PARTY_ADVISORY report@snyk.io - PATCH,THIRD_PARTY_ADVISORY Vulnerable Software & Versions:
CVE-2022-38749 suppress
Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow. CWE-787 Out-of-bounds Write, CWE-121 Stack-based Buffer Overflow
CVSSv3:
Base Score: MEDIUM (6.5) Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:2.8/RC:R/MAV:A References:
Vulnerable Software & Versions:
CVE-2022-38751 suppress
Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow. CWE-787 Out-of-bounds Write, CWE-121 Stack-based Buffer Overflow
CVSSv3:
Base Score: MEDIUM (6.5) Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:2.8/RC:R/MAV:A References:
Vulnerable Software & Versions:
CVE-2022-38752 suppress
Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stack-overflow. CWE-787 Out-of-bounds Write, CWE-121 Stack-based Buffer Overflow
CVSSv3:
Base Score: MEDIUM (6.5) Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:2.8/RC:R/MAV:A References:
Vulnerable Software & Versions:
CVE-2022-41854 suppress
Those using Snakeyaml to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stack overflow. This effect may support a denial of service attack. CWE-787 Out-of-bounds Write, CWE-121 Stack-based Buffer Overflow
CVSSv3:
Base Score: MEDIUM (6.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:2.8/RC:R/MAV:A References:
Vulnerable Software & Versions:
CVE-2022-38750 suppress
Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow. CWE-787 Out-of-bounds Write, CWE-121 Stack-based Buffer Overflow
CVSSv3:
Base Score: MEDIUM (5.5) Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:1.8/RC:R/MAV:A References:
OSSINDEX - [CVE-2022-38750] CWE-121: Stack-based Buffer Overflow OSSIndex - http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-38750 OSSIndex - https://bitbucket.org/snakeyaml/snakeyaml/issues/526/stackoverflow-oss-fuzz-47027 OSSIndex - https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=47027 af854a3a-2127-422b-91ae-364da2661108 - EXPLOIT,ISSUE_TRACKING,MAILING_LIST,THIRD_PARTY_ADVISORY af854a3a-2127-422b-91ae-364da2661108 - EXPLOIT,ISSUE_TRACKING,THIRD_PARTY_ADVISORY af854a3a-2127-422b-91ae-364da2661108 - MAILING_LIST,THIRD_PARTY_ADVISORY cve-coordination@google.com - EXPLOIT,ISSUE_TRACKING,MAILING_LIST,THIRD_PARTY_ADVISORY cve-coordination@google.com - EXPLOIT,ISSUE_TRACKING,THIRD_PARTY_ADVISORY cve-coordination@google.com - MAILING_LIST,THIRD_PARTY_ADVISORY Vulnerable Software & Versions:
Description:
Annotations the SpotBugs tool supports License:
GNU LESSER GENERAL PUBLIC LICENSE, Version 2.1: https://www.gnu.org/licenses/old-licenses/lgpl-2.1.en.html File Path: /home/runner/.m2/repository/com/github/spotbugs/spotbugs-annotations/4.8.6/spotbugs-annotations-4.8.6.jar
MD5: 0806b237c67c69869506ce3ced9a722f
SHA1: 1dcffed3e561ed32134a0dff4717f19bc2fdf4d8
SHA256: 4548b74a815ed44f5480ca4f06204a8b00809dc7e5f6a825a9edf18f40377b65
Referenced In Projects/Scopes: waffle-spring-boot2:provided waffle-spring-boot-autoconfigure2:provided waffle-spring-boot-starter2:provided spotbugs-annotations-4.8.6.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/com.github.waffle/waffle-spring-boot2@3.5.2-SNAPSHOT pkg:maven/com.github.waffle/waffle-spring-boot-autoconfigure2@3.5.2-SNAPSHOT pkg:maven/com.github.waffle/waffle-spring-boot-starter2@3.5.2-SNAPSHOT Evidence Type Source Name Value Confidence Vendor file name spotbugs-annotations High Vendor Manifest automatic-module-name com.github.spotbugs.annotations Medium Vendor Manifest bundle-requiredexecutionenvironment J2SE-1.5 Low Vendor Manifest bundle-symbolicname spotbugs-annotations Medium Vendor pom artifactid spotbugs-annotations Highest Vendor pom artifactid spotbugs-annotations Low Vendor pom developer email andreas.sewe@codetrails.com Low Vendor pom developer email dbrosius@mebigfatguy.com Low Vendor pom developer email loskutov@gmx.de Low Vendor pom developer email skypencil@gmail.com Low Vendor pom developer id henrik242 Medium Vendor pom developer id iloveeclipse Medium Vendor pom developer id jsotuyod Medium Vendor pom developer id KengoTODA Medium Vendor pom developer id mebigfatguy Medium Vendor pom developer id sewe Medium Vendor pom developer id ThrawnCA Medium Vendor pom developer name Andreas Sewe Medium Vendor pom developer name Andrey Loskutov Medium Vendor pom developer name Dave Brosius Medium Vendor pom developer name Juan Martín Sotuyo Dodero Medium Vendor pom developer name Kengo TODA Medium Vendor pom groupid com.github.spotbugs Highest Vendor pom name SpotBugs Annotations High Vendor pom url https://spotbugs.github.io/ Highest Product file name spotbugs-annotations High Product Manifest automatic-module-name com.github.spotbugs.annotations Medium Product Manifest Bundle-Name spotbugs-annotations Medium Product Manifest bundle-requiredexecutionenvironment J2SE-1.5 Low Product Manifest bundle-symbolicname spotbugs-annotations Medium Product pom artifactid spotbugs-annotations Highest Product pom developer email andreas.sewe@codetrails.com Low Product pom developer email dbrosius@mebigfatguy.com Low Product pom developer email loskutov@gmx.de Low Product pom developer email skypencil@gmail.com Low Product pom developer id henrik242 Low Product pom developer id iloveeclipse Low Product pom developer id jsotuyod Low Product pom developer id KengoTODA Low Product pom developer id mebigfatguy Low Product pom developer id sewe Low Product pom developer id ThrawnCA Low Product pom developer name Andreas Sewe Low Product pom developer name Andrey Loskutov Low Product pom developer name Dave Brosius Low Product pom developer name Juan Martín Sotuyo Dodero Low Product pom developer name Kengo TODA Low Product pom groupid com.github.spotbugs Highest Product pom name SpotBugs Annotations High Product pom url https://spotbugs.github.io/ Medium Version file version 4.8.6 High Version Manifest Bundle-Version 4.8.6 High Version pom version 4.8.6 Highest
Description:
Spring Boot License:
Apache License, Version 2.0: https://www.apache.org/licenses/LICENSE-2.0 File Path: /home/runner/.m2/repository/org/springframework/boot/spring-boot/2.7.18/spring-boot-2.7.18.jar
MD5: 0941c83c25204150f8bd73ae66c63fd1
SHA1: f6dbdd8da7c2bded63dff9b1f48d01a4923f20a0
SHA256: 530f4e0fdfeb3a0e2b3a369d15cdea38fbdc1696f8b030c35a6ad65c27524950
Referenced In Projects/Scopes: waffle-spring-boot-starter2:compile waffle-spring-boot-autoconfigure2:compile spring-boot-2.7.18.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/com.github.waffle/waffle-spring-boot-autoconfigure2@3.5.2-SNAPSHOT pkg:maven/com.github.waffle/waffle-spring-boot-autoconfigure2@3.5.2-SNAPSHOT Evidence Type Source Name Value Confidence Vendor file name spring-boot High Vendor hint analyzer vendor pivotal software Highest Vendor hint analyzer vendor SpringSource Highest Vendor hint analyzer vendor vmware Highest Vendor jar package name boot Highest Vendor jar package name springframework Highest Vendor Manifest automatic-module-name spring.boot Medium Vendor Manifest build-jdk-spec 1.8 Low Vendor pom artifactid spring-boot Highest Vendor pom artifactid spring-boot Low Vendor pom developer email ask@spring.io Low Vendor pom developer name Spring Medium Vendor pom developer org VMware, Inc. Medium Vendor pom developer org URL https://www.spring.io Medium Vendor pom groupid org.springframework.boot Highest Vendor pom name spring-boot High Vendor pom organization name VMware, Inc. High Vendor pom organization url https://spring.io Medium Vendor pom url https://spring.io/projects/spring-boot Highest Product file name spring-boot High Product jar package name boot Highest Product jar package name springframework Highest Product Manifest automatic-module-name spring.boot Medium Product Manifest build-jdk-spec 1.8 Low Product Manifest Implementation-Title Spring Boot High Product pom artifactid spring-boot Highest Product pom developer email ask@spring.io Low Product pom developer name Spring Low Product pom developer org VMware, Inc. Low Product pom developer org URL https://www.spring.io Low Product pom groupid org.springframework.boot Highest Product pom name spring-boot High Product pom organization name VMware, Inc. Low Product pom organization url https://spring.io Low Product pom url https://spring.io/projects/spring-boot Medium Version file version 2.7.18 High Version Manifest Implementation-Version 2.7.18 High Version pom version 2.7.18 Highest
Related Dependencies spring-boot-autoconfigure-2.7.18.jarFile Path: /home/runner/.m2/repository/org/springframework/boot/spring-boot-autoconfigure/2.7.18/spring-boot-autoconfigure-2.7.18.jar MD5: e127e4ed0469cc5442d3c8e5e42e7988 SHA1: 9cf147c6ca274c75b32556acdcba5a1de081ebcd SHA256: 1c4e0aadcb662b6149b536a2cf288003ffefe81a6cc69846e9f14976529a1b08 pkg:maven/org.springframework.boot/spring-boot-autoconfigure@2.7.18 spring-boot-configuration-processor-2.7.18.jarFile Path: /home/runner/.m2/repository/org/springframework/boot/spring-boot-configuration-processor/2.7.18/spring-boot-configuration-processor-2.7.18.jar MD5: 46f23c11c49166214396335e16ae3f45 SHA1: 899128018a7962b3e4be665910bae65dff08d1b0 SHA256: 79dc3480e94fe708b817097ee2745f8b1c19d650ce6ddd153c2f2ab068674dea pkg:maven/org.springframework.boot/spring-boot-configuration-processor@2.7.18 spring-boot-starter-2.7.18.jarFile Path: /home/runner/.m2/repository/org/springframework/boot/spring-boot-starter/2.7.18/spring-boot-starter-2.7.18.jar MD5: 03fc89fcd959a332de7cdc22e6bdc60d SHA1: e56b75105f9ace6df154fd47eeeeadc2f5791e56 SHA256: f67a5d913defa764295b6a0d8d13573624e437eb34e97d88c0e76bf181656071 pkg:maven/org.springframework.boot/spring-boot-starter@2.7.18 spring-boot-starter-json-2.7.18.jarFile Path: /home/runner/.m2/repository/org/springframework/boot/spring-boot-starter-json/2.7.18/spring-boot-starter-json-2.7.18.jar MD5: 4227a48b68fbd7fb37dd079ad3217226 SHA1: b6d9ed5cae0c1929a9e561bf4799a3dc93a10db1 SHA256: 084f592d522dfa36790fe08d4d0b9cebe6683638889834ed2f885f3c42fecbf6 pkg:maven/org.springframework.boot/spring-boot-starter-json@2.7.18 spring-boot-starter-logging-2.7.18.jarFile Path: /home/runner/.m2/repository/org/springframework/boot/spring-boot-starter-logging/2.7.18/spring-boot-starter-logging-2.7.18.jar MD5: b812106a59ea242570f1c55d71982495 SHA1: 19f7c255ba5255116f58c3bbaf52c7b88ea6af3e SHA256: 202c0894dbfdeff7be005597ff98288133a62fe7f5593be4938400482d19dcb7 pkg:maven/org.springframework.boot/spring-boot-starter-logging@2.7.18 spring-boot-starter-security-2.7.18.jarFile Path: /home/runner/.m2/repository/org/springframework/boot/spring-boot-starter-security/2.7.18/spring-boot-starter-security-2.7.18.jar MD5: f0461734fe73c8f250012d453cb4fb12 SHA1: 5d29a712fd0a5d7b77e348b660e2c0885b215bc4 SHA256: 075ee2311819e7076278f3f6321bca21447ee52db62ca000caf17132b37c986a pkg:maven/org.springframework.boot/spring-boot-starter-security@2.7.18 spring-boot-starter-tomcat-2.7.18.jarFile Path: /home/runner/.m2/repository/org/springframework/boot/spring-boot-starter-tomcat/2.7.18/spring-boot-starter-tomcat-2.7.18.jar MD5: c2080ad5020671b7884b9564006bd09c SHA1: c56e50e006448e75a8bde595dbc754ba294389af SHA256: e4a44478556749137f28001c35d897efff31f39161606589cc355dcbf797c6f0 pkg:maven/org.springframework.boot/spring-boot-starter-tomcat@2.7.18 Description:
Starter for building web, including RESTful, applications using Spring MVC. Uses Tomcat as the default embedded container License:
Apache License, Version 2.0: https://www.apache.org/licenses/LICENSE-2.0 File Path: /home/runner/.m2/repository/org/springframework/boot/spring-boot-starter-web/2.7.18/spring-boot-starter-web-2.7.18.jar
MD5: e0bfe77aa7415f3b86d70d41cf425ccd
SHA1: 0dd62ea85098187b4604e78dc15a7ff87dba173d
SHA256: a74fab5f826b600e3c3f4cd7028c5c982b0bf1b849673629cbb758ae790a4c08
Referenced In Project/Scope: waffle-spring-boot-autoconfigure2:compile
spring-boot-starter-web-2.7.18.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/com.github.waffle/waffle-spring-boot-autoconfigure2@3.5.2-SNAPSHOT
Evidence Type Source Name Value Confidence Vendor file name spring-boot-starter-web High Vendor hint analyzer vendor pivotal software Highest Vendor hint analyzer vendor SpringSource Highest Vendor hint analyzer vendor vmware Highest Vendor Manifest automatic-module-name spring.boot.starter.web Medium Vendor Manifest build-jdk-spec 1.8 Low Vendor Manifest spring-boot-jar-type dependencies-starter Low Vendor pom artifactid spring-boot-starter-web Highest Vendor pom artifactid spring-boot-starter-web Low Vendor pom developer email ask@spring.io Low Vendor pom developer name Spring Medium Vendor pom developer org VMware, Inc. Medium Vendor pom developer org URL https://www.spring.io Medium Vendor pom groupid org.springframework.boot Highest Vendor pom name spring-boot-starter-web High Vendor pom organization name VMware, Inc. High Vendor pom organization url https://spring.io Medium Vendor pom url https://spring.io/projects/spring-boot Highest Product file name spring-boot-starter-web High Product Manifest automatic-module-name spring.boot.starter.web Medium Product Manifest build-jdk-spec 1.8 Low Product Manifest Implementation-Title Starter for building web, including RESTful, applications using Spring MVC. Uses Tomcat as the default embedded container High Product Manifest spring-boot-jar-type dependencies-starter Low Product pom artifactid spring-boot-starter-web Highest Product pom developer email ask@spring.io Low Product pom developer name Spring Low Product pom developer org VMware, Inc. Low Product pom developer org URL https://www.spring.io Low Product pom groupid org.springframework.boot Highest Product pom name spring-boot-starter-web High Product pom organization name VMware, Inc. Low Product pom organization url https://spring.io Low Product pom url https://spring.io/projects/spring-boot Medium Version file version 2.7.18 High Version Manifest Implementation-Version 2.7.18 High Version pom version 2.7.18 Highest
Description:
Spring Core License:
Apache License, Version 2.0: https://www.apache.org/licenses/LICENSE-2.0 File Path: /home/runner/.m2/repository/org/springframework/spring-core/5.3.31/spring-core-5.3.31.jar
MD5: a9ef5a29eaa89fe909a0c4ed870d90a1
SHA1: 368e76f732a3c331b970f69cafec1525d27b34d3
SHA256: 7013ed3da15a8d4be797f5c310f9aa1b196b97f2313bc41e60ef3f5627224fe9
Referenced In Projects/Scopes: waffle-spring-boot-starter2:compile waffle-spring-boot-autoconfigure2:compile spring-core-5.3.31.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/com.github.waffle/waffle-spring-security5@3.5.2-SNAPSHOT pkg:maven/com.github.waffle/waffle-spring-security5@3.5.2-SNAPSHOT Evidence Type Source Name Value Confidence Vendor file name spring-core High Vendor hint analyzer vendor pivotal software Highest Vendor hint analyzer vendor SpringSource Highest Vendor hint analyzer vendor vmware Highest Vendor jar package name core Highest Vendor jar package name io Highest Vendor jar package name springframework Highest Vendor Manifest automatic-module-name spring.core Medium Vendor pom artifactid spring-core Highest Vendor pom artifactid spring-core Low Vendor pom developer email jhoeller@pivotal.io Low Vendor pom developer id jhoeller Medium Vendor pom developer name Juergen Hoeller Medium Vendor pom groupid org.springframework Highest Vendor pom name Spring Core High Vendor pom organization name Spring IO High Vendor pom organization url https://spring.io/projects/spring-framework Medium Vendor pom url spring-projects/spring-framework Highest Product file name spring-core High Product hint analyzer product springsource_spring_framework Highest Product jar package name core Highest Product jar package name io Highest Product jar package name springframework Highest Product Manifest automatic-module-name spring.core Medium Product Manifest Implementation-Title spring-core High Product pom artifactid spring-core Highest Product pom developer email jhoeller@pivotal.io Low Product pom developer id jhoeller Low Product pom developer name Juergen Hoeller Low Product pom groupid org.springframework Highest Product pom name Spring Core High Product pom organization name Spring IO Low Product pom organization url https://spring.io/projects/spring-framework Low Product pom url spring-projects/spring-framework High Version file version 5.3.31 High Version Manifest Implementation-Version 5.3.31 High Version pom version 5.3.31 Highest
Related Dependencies spring-aop-5.3.31.jarFile Path: /home/runner/.m2/repository/org/springframework/spring-aop/5.3.31/spring-aop-5.3.31.jar MD5: 48143a3242d23f66736e34cf1b5ad632 SHA1: 3be929dbdb5f4516919ad09a3d3720d779bb65d9 SHA256: 3f0c666f317abaa845fc3a24fba219b1f469716bf309cccd755eecb8fee20430 pkg:maven/org.springframework/spring-aop@5.3.31 spring-beans-5.3.31.jarFile Path: /home/runner/.m2/repository/org/springframework/spring-beans/5.3.31/spring-beans-5.3.31.jar MD5: b5fe5c018f96edf76b7e92b34668fa44 SHA1: d27258849071b3b268ecc388eca35bbfcc586448 SHA256: a8d6d99003d0a28049cba4273afbcfc64e1107ee3c33f67935853e9711544aa7 pkg:maven/org.springframework/spring-beans@5.3.31 spring-context-5.3.31.jarFile Path: /home/runner/.m2/repository/org/springframework/spring-context/5.3.31/spring-context-5.3.31.jar MD5: 6aa19e7e6a87b4ac8b649057315b1dd1 SHA1: a2d6e76507f037ad835e8c2288dfedf28981999f SHA256: 38def055d1e22b5514b1cb19cef4474e5c1b0d2127c483e7d014bde87c4a4cf3 pkg:maven/org.springframework/spring-context@5.3.31 spring-jcl-5.3.31.jarFile Path: /home/runner/.m2/repository/org/springframework/spring-jcl/5.3.31/spring-jcl-5.3.31.jar MD5: 4d281617e07553792218e37c47b8bd8c SHA1: e7ab9ee590a195415dd6b898440d776b4c8db78c SHA256: eee0df6a25a9c56d228ea86272546aa5a0656caf2f14e7b375417b066abbc0db pkg:maven/org.springframework/spring-jcl@5.3.31 CVE-2024-38820 suppress
The fix for CVE-2022-22968 made disallowedFields patterns in DataBinder case insensitive. However, String.toLowerCase() has some Locale dependent exceptions that could potentially result in fields not protected as expected. NVD-CWE-noinfo, CWE-178 Improper Handling of Case Sensitivity
CVSSv3:
Base Score: MEDIUM (5.3) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:3.9/RC:R/MAV:A References:
Vulnerable Software & Versions: (show all )
Description:
Spring Expression Language (SpEL) License:
Apache License, Version 2.0: https://www.apache.org/licenses/LICENSE-2.0 File Path: /home/runner/.m2/repository/org/springframework/spring-expression/5.3.31/spring-expression-5.3.31.jar
MD5: 9e309bb1a738acbd0ac9c9fc58931fd3
SHA1: 55637af1b186d1008890980c2876c5fc83599756
SHA256: e027f122b8a4e3030339068220bed02d1c9d397eb5897f1e33ba2f63b22591ac
Referenced In Projects/Scopes: waffle-spring-boot-starter2:compile waffle-spring-boot-autoconfigure2:compile spring-expression-5.3.31.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/com.github.waffle/waffle-spring-security5@3.5.2-SNAPSHOT pkg:maven/com.github.waffle/waffle-spring-security5@3.5.2-SNAPSHOT Evidence Type Source Name Value Confidence Vendor file name spring-expression High Vendor hint analyzer vendor pivotal software Highest Vendor hint analyzer vendor SpringSource Highest Vendor hint analyzer vendor vmware Highest Vendor jar package name expression Highest Vendor jar package name spel Highest Vendor jar package name springframework Highest Vendor Manifest automatic-module-name spring.expression Medium Vendor pom artifactid spring-expression Highest Vendor pom artifactid spring-expression Low Vendor pom developer email jhoeller@pivotal.io Low Vendor pom developer id jhoeller Medium Vendor pom developer name Juergen Hoeller Medium Vendor pom groupid org.springframework Highest Vendor pom name Spring Expression Language (SpEL) High Vendor pom organization name Spring IO High Vendor pom organization url https://spring.io/projects/spring-framework Medium Vendor pom url spring-projects/spring-framework Highest Product file name spring-expression High Product hint analyzer product springsource_spring_framework Highest Product jar package name expression Highest Product jar package name spel Highest Product jar package name springframework Highest Product Manifest automatic-module-name spring.expression Medium Product Manifest Implementation-Title spring-expression High Product pom artifactid spring-expression Highest Product pom developer email jhoeller@pivotal.io Low Product pom developer id jhoeller Low Product pom developer name Juergen Hoeller Low Product pom groupid org.springframework Highest Product pom name Spring Expression Language (SpEL) High Product pom organization name Spring IO Low Product pom organization url https://spring.io/projects/spring-framework Low Product pom url spring-projects/spring-framework High Version file version 5.3.31 High Version Manifest Implementation-Version 5.3.31 High Version pom version 5.3.31 Highest
CVE-2024-38808 (OSSINDEX)suppress
In Spring Framework versions 5.3.0 - 5.3.38 and older unsupported versions, it is possible for a user to provide a specially crafted Spring Expression Language (SpEL) expression that may cause a denial of service (DoS) condition.
Specifically, an application is vulnerable when the following is true:
* The application evaluates user-supplied SpEL expressions.
Sonatype's research suggests that this CVE's details differ from those defined at NVD. See https://ossindex.sonatype.org/vulnerability/CVE-2024-38808 for details CWE-770 Allocation of Resources Without Limits or Throttling
CVSSv2:
Base Score: MEDIUM (5.300000190734863) Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N References:
Vulnerable Software & Versions (OSSINDEX):
cpe:2.3:a:org.springframework:spring-expression:5.3.31:*:*:*:*:*:*:* CVE-2024-38820 suppress
The fix for CVE-2022-22968 made disallowedFields patterns in DataBinder case insensitive. However, String.toLowerCase() has some Locale dependent exceptions that could potentially result in fields not protected as expected. NVD-CWE-noinfo, CWE-178 Improper Handling of Case Sensitivity
CVSSv3:
Base Score: MEDIUM (5.3) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:3.9/RC:R/MAV:A References:
Vulnerable Software & Versions: (show all )
Description:
Spring Security License:
Apache License, Version 2.0: https://www.apache.org/licenses/LICENSE-2.0 File Path: /home/runner/.m2/repository/org/springframework/security/spring-security-core/5.8.16/spring-security-core-5.8.16.jar
MD5: c70ae997256d27ca6fb1c7a8b24e4248
SHA1: b3d21a1f967db39dabaca487ba3fe58972e6a9a5
SHA256: 3be7d217048f5ea76fd6d0eddaa3169ad3bee0bba9c456e27670ec37ca33c3fd
Referenced In Projects/Scopes: waffle-spring-boot-starter2:compile waffle-spring-boot-autoconfigure2:compile spring-security-core-5.8.16.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/com.github.waffle/waffle-spring-security5@3.5.2-SNAPSHOT pkg:maven/com.github.waffle/waffle-spring-security5@3.5.2-SNAPSHOT Evidence Type Source Name Value Confidence Vendor file name spring-security-core High Vendor hint analyzer vendor pivotal software Highest Vendor hint analyzer vendor SpringSource Highest Vendor hint analyzer vendor vmware Highest Vendor jar package name core Highest Vendor jar package name security Highest Vendor jar package name springframework Highest Vendor Manifest automatic-module-name spring.security.core Medium Vendor pom artifactid spring-security-core Highest Vendor pom artifactid spring-security-core Low Vendor pom developer email info@pivotal.io Low Vendor pom developer name Pivotal Medium Vendor pom developer org Pivotal Software, Inc. Medium Vendor pom developer org URL https://www.spring.io Medium Vendor pom groupid org.springframework.security Highest Vendor pom name spring-security-core High Vendor pom organization name Pivotal Software, Inc. High Vendor pom organization url https://spring.io Medium Vendor pom url https://spring.io/projects/spring-security Highest Product file name spring-security-core High Product jar package name core Highest Product jar package name security Highest Product jar package name springframework Highest Product Manifest automatic-module-name spring.security.core Medium Product Manifest Implementation-Title spring-security-core High Product pom artifactid spring-security-core Highest Product pom developer email info@pivotal.io Low Product pom developer name Pivotal Low Product pom developer org Pivotal Software, Inc. Low Product pom developer org URL https://www.spring.io Low Product pom groupid org.springframework.security Highest Product pom name spring-security-core High Product pom organization name Pivotal Software, Inc. Low Product pom organization url https://spring.io Low Product pom url https://spring.io/projects/spring-security Medium Version file version 5.8.16 High Version Manifest Implementation-Version 5.8.16 High Version pom version 5.8.16 Highest
Related Dependencies spring-security-config-5.8.16.jarFile Path: /home/runner/.m2/repository/org/springframework/security/spring-security-config/5.8.16/spring-security-config-5.8.16.jar MD5: 1e386c77733c252f4b9a80904ccb1c00 SHA1: 73bff85307254de9f30514db587420110aee72ee SHA256: fb7218cd28ca5f82bafd4cc038d1727fc99ccfb0f3b38a8fc0545a93e9b2f8b5 pkg:maven/org.springframework.security/spring-security-config@5.8.16 Description:
Spring Security License:
Apache License, Version 2.0: https://www.apache.org/licenses/LICENSE-2.0 File Path: /home/runner/.m2/repository/org/springframework/security/spring-security-crypto/5.7.11/spring-security-crypto-5.7.11.jar
MD5: 29553faabff72c4261058e8ebf9e5210
SHA1: 3abf76cedbba13496108c89159451a65dfd544b5
SHA256: 916b099504044134fa2d24bc61531819e3d720d17bfea2762c0defc1f7846d9b
Referenced In Projects/Scopes: waffle-spring-boot-starter2:compile waffle-spring-boot-autoconfigure2:compile spring-security-crypto-5.7.11.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/com.github.waffle/waffle-spring-security5@3.5.2-SNAPSHOT pkg:maven/com.github.waffle/waffle-spring-security5@3.5.2-SNAPSHOT Evidence Type Source Name Value Confidence Vendor file name spring-security-crypto High Vendor hint analyzer vendor pivotal software Highest Vendor hint analyzer vendor SpringSource Highest Vendor hint analyzer vendor vmware Highest Vendor jar package name crypto Highest Vendor jar package name security Highest Vendor jar package name springframework Highest Vendor Manifest automatic-module-name spring.security.crypto Medium Vendor pom artifactid spring-security-crypto Highest Vendor pom artifactid spring-security-crypto Low Vendor pom developer email info@pivotal.io Low Vendor pom developer name Pivotal Medium Vendor pom developer org Pivotal Software, Inc. Medium Vendor pom developer org URL https://www.spring.io Medium Vendor pom groupid org.springframework.security Highest Vendor pom name spring-security-crypto High Vendor pom organization name Pivotal Software, Inc. High Vendor pom organization url https://spring.io Medium Vendor pom url https://spring.io/projects/spring-security Highest Product file name spring-security-crypto High Product jar package name crypto Highest Product jar package name security Highest Product jar package name springframework Highest Product Manifest automatic-module-name spring.security.crypto Medium Product Manifest Implementation-Title spring-security-crypto High Product pom artifactid spring-security-crypto Highest Product pom developer email info@pivotal.io Low Product pom developer name Pivotal Low Product pom developer org Pivotal Software, Inc. Low Product pom developer org URL https://www.spring.io Low Product pom groupid org.springframework.security Highest Product pom name spring-security-crypto High Product pom organization name Pivotal Software, Inc. Low Product pom organization url https://spring.io Low Product pom url https://spring.io/projects/spring-security Medium Version file version 5.7.11 High Version Manifest Implementation-Version 5.7.11 High Version pom version 5.7.11 Highest
CVE-2020-5408 (OSSINDEX)suppress
Spring Security versions 5.3.x prior to 5.3.2, 5.2.x prior to 5.2.4, 5.1.x prior to 5.1.10, 5.0.x prior to 5.0.16 and 4.2.x prior to 4.2.16 use a fixed null initialization vector with CBC Mode in the implementation of the queryable text encryptor. A malicious user with access to the data that has been encrypted using such an encryptor may be able to derive the unencrypted values using a dictionary attack.
Sonatype's research suggests that this CVE's details differ from those defined at NVD. See https://ossindex.sonatype.org/vulnerability/CVE-2020-5408 for details CWE-329 Generation of Predictable IV with CBC Mode
CVSSv3:
Base Score: MEDIUM (6.5) Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N References:
Vulnerable Software & Versions (OSSINDEX):
cpe:2.3:a:org.springframework.security:spring-security-crypto:5.7.11:*:*:*:*:*:*:* Description:
Spring Security License:
Apache License, Version 2.0: https://www.apache.org/licenses/LICENSE-2.0 File Path: /home/runner/.m2/repository/org/springframework/security/spring-security-web/5.8.16/spring-security-web-5.8.16.jar
MD5: 137862bb11c72092dd94d14d380fc784
SHA1: fade885f7f9df056dd5e3592d949e888cd82397d
SHA256: fe0843587f4dff188a1ecb822bf544c5f1c1ee46c757858a5a585039d8118304
Referenced In Projects/Scopes: waffle-spring-boot-starter2:compile waffle-spring-boot-autoconfigure2:compile spring-security-web-5.8.16.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/com.github.waffle/waffle-spring-security5@3.5.2-SNAPSHOT pkg:maven/com.github.waffle/waffle-spring-security5@3.5.2-SNAPSHOT Evidence Type Source Name Value Confidence Vendor file name spring-security-web High Vendor hint analyzer vendor pivotal software Highest Vendor hint analyzer vendor SpringSource Highest Vendor hint analyzer vendor vmware Highest Vendor jar package name security Highest Vendor jar package name springframework Highest Vendor jar package name web Highest Vendor Manifest automatic-module-name spring.security.web Medium Vendor pom artifactid spring-security-web Highest Vendor pom artifactid spring-security-web Low Vendor pom developer email info@pivotal.io Low Vendor pom developer name Pivotal Medium Vendor pom developer org Pivotal Software, Inc. Medium Vendor pom developer org URL https://www.spring.io Medium Vendor pom groupid org.springframework.security Highest Vendor pom name spring-security-web High Vendor pom organization name Pivotal Software, Inc. High Vendor pom organization url https://spring.io Medium Vendor pom url https://spring.io/projects/spring-security Highest Product file name spring-security-web High Product jar package name security Highest Product jar package name springframework Highest Product jar package name web Highest Product Manifest automatic-module-name spring.security.web Medium Product Manifest Implementation-Title spring-security-web High Product pom artifactid spring-security-web Highest Product pom developer email info@pivotal.io Low Product pom developer name Pivotal Low Product pom developer org Pivotal Software, Inc. Low Product pom developer org URL https://www.spring.io Low Product pom groupid org.springframework.security Highest Product pom name spring-security-web High Product pom organization name Pivotal Software, Inc. Low Product pom organization url https://spring.io Low Product pom url https://spring.io/projects/spring-security Medium Version file version 5.8.16 High Version Manifest Implementation-Version 5.8.16 High Version pom version 5.8.16 Highest
Description:
Spring Web License:
Apache License, Version 2.0: https://www.apache.org/licenses/LICENSE-2.0 File Path: /home/runner/.m2/repository/org/springframework/spring-web/5.3.31/spring-web-5.3.31.jar
MD5: 4bef28044f222933ea2e45818c7f96a1
SHA1: 3bf73c385a1f2f4a0d482149d6a205e854cec497
SHA256: 7b7b4db19acc8c0cdb0dea93a3aa4b1b706db4bcc7b77f677a0c56e86d379ac7
Referenced In Projects/Scopes: waffle-spring-boot-starter2:compile waffle-spring-boot-autoconfigure2:compile spring-web-5.3.31.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/com.github.waffle/waffle-spring-security5@3.5.2-SNAPSHOT pkg:maven/com.github.waffle/waffle-spring-security5@3.5.2-SNAPSHOT Evidence Type Source Name Value Confidence Vendor file name spring-web High Vendor hint analyzer vendor pivotal software Highest Vendor hint analyzer vendor SpringSource Highest Vendor hint analyzer vendor vmware Highest Vendor jar package name springframework Highest Vendor jar package name web Highest Vendor Manifest automatic-module-name spring.web Medium Vendor pom artifactid spring-web Highest Vendor pom artifactid spring-web Low Vendor pom developer email jhoeller@pivotal.io Low Vendor pom developer id jhoeller Medium Vendor pom developer name Juergen Hoeller Medium Vendor pom groupid org.springframework Highest Vendor pom name Spring Web High Vendor pom organization name Spring IO High Vendor pom organization url https://spring.io/projects/spring-framework Medium Vendor pom url spring-projects/spring-framework Highest Product file name spring-web High Product hint analyzer product springsource_spring_framework Highest Product jar package name springframework Highest Product jar package name web Highest Product Manifest automatic-module-name spring.web Medium Product Manifest Implementation-Title spring-web High Product pom artifactid spring-web Highest Product pom developer email jhoeller@pivotal.io Low Product pom developer id jhoeller Low Product pom developer name Juergen Hoeller Low Product pom groupid org.springframework Highest Product pom name Spring Web High Product pom organization name Spring IO Low Product pom organization url https://spring.io/projects/spring-framework Low Product pom url spring-projects/spring-framework High Version file version 5.3.31 High Version Manifest Implementation-Version 5.3.31 High Version pom version 5.3.31 Highest
CVE-2016-1000027 suppress
Pivotal Spring Framework through 5.3.16 suffers from a potential remote code execution (RCE) issue if used for Java deserialization of untrusted data. Depending on how the library is implemented within a product, this issue may or not occur, and authentication may be required. NOTE: the vendor's position is that untrusted data is not an intended use case. The product's behavior will not be changed because some users rely on deserialization of trusted data. CWE-502 Deserialization of Untrusted Data
CVSSv2:
Base Score: HIGH (7.5) Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P CVSSv3:
Base Score: CRITICAL (9.8) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:3.9/RC:R/MAV:A References:
OSSINDEX - [CVE-2016-1000027] CWE-502: Deserialization of Untrusted Data OSSIndex - http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-1000027 OSSIndex - https://blog.gypsyengineer.com/en/security/detecting-dangerous-spring-exporters-with-codeql.html OSSIndex - https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-1000027 OSSIndex - https://github.com/spring-projects/spring-framework/issues/24434 OSSIndex - https://www.tenable.com/security/research/tra-2016-20 af854a3a-2127-422b-91ae-364da2661108 - BROKEN_LINK,EXPLOIT,THIRD_PARTY_ADVISORY af854a3a-2127-422b-91ae-364da2661108 - EXPLOIT,THIRD_PARTY_ADVISORY af854a3a-2127-422b-91ae-364da2661108 - ISSUE_TRACKING,THIRD_PARTY_ADVISORY af854a3a-2127-422b-91ae-364da2661108 - ISSUE_TRACKING,THIRD_PARTY_ADVISORY af854a3a-2127-422b-91ae-364da2661108 - ISSUE_TRACKING,THIRD_PARTY_ADVISORY af854a3a-2127-422b-91ae-364da2661108 - ISSUE_TRACKING,THIRD_PARTY_ADVISORY af854a3a-2127-422b-91ae-364da2661108 - RELEASE_NOTES,THIRD_PARTY_ADVISORY af854a3a-2127-422b-91ae-364da2661108 - THIRD_PARTY_ADVISORY cve@mitre.org - BROKEN_LINK,EXPLOIT,THIRD_PARTY_ADVISORY cve@mitre.org - EXPLOIT,THIRD_PARTY_ADVISORY cve@mitre.org - ISSUE_TRACKING,THIRD_PARTY_ADVISORY cve@mitre.org - ISSUE_TRACKING,THIRD_PARTY_ADVISORY cve@mitre.org - ISSUE_TRACKING,THIRD_PARTY_ADVISORY cve@mitre.org - ISSUE_TRACKING,THIRD_PARTY_ADVISORY cve@mitre.org - RELEASE_NOTES,THIRD_PARTY_ADVISORY cve@mitre.org - THIRD_PARTY_ADVISORY Vulnerable Software & Versions:
CVE-2024-38809 (OSSINDEX)suppress
Applications that parse ETags from "If-Match" or "If-None-Match" request headers are vulnerable to DoS attack.
Users of affected versions should upgrade to the corresponding fixed version.
Users of older, unsupported versions could enforce a size limit on "If-Match" and "If-None-Match" headers, e.g. through a Filter. CWE-400 Uncontrolled Resource Consumption
CVSSv2:
Base Score: HIGH (8.699999809265137) Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N References:
Vulnerable Software & Versions (OSSINDEX):
cpe:2.3:a:org.springframework:spring-web:5.3.31:*:*:*:*:*:*:* CVE-2024-22243 (OSSINDEX)suppress
Applications that use UriComponentsBuilder to parse an externally provided URL (e.g. through a query parameter) AND perform validation checks on the host of the parsed URL may be vulnerable to a open redirect https://cwe.mitre.org/data/definitions/601.html attack or to a SSRF attack if the URL is used after passing validation checks.
Sonatype's research suggests that this CVE's details differ from those defined at NVD. See https://ossindex.sonatype.org/vulnerability/CVE-2024-22243 for details CWE-601 URL Redirection to Untrusted Site ('Open Redirect')
CVSSv3:
Base Score: HIGH (8.100000381469727) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N References:
Vulnerable Software & Versions (OSSINDEX):
cpe:2.3:a:org.springframework:spring-web:5.3.31:*:*:*:*:*:*:* CVE-2024-22262 (OSSINDEX)suppress
Applications that use UriComponentsBuilder to parse an externally provided URL (e.g. through a query parameter) AND perform validation checks on the host of the parsed URL may be vulnerable to a open redirect https://cwe.mitre.org/data/definitions/601.html attack or to a SSRF attack if the URL is used after passing validation checks.
This is the same as CVE-2024-22259 https://spring.io/security/cve-2024-22259 and CVE-2024-22243 https://spring.io/security/cve-2024-22243 , but with different input.
CWE-601 URL Redirection to Untrusted Site ('Open Redirect')
CVSSv3:
Base Score: HIGH (8.100000381469727) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N References:
Vulnerable Software & Versions (OSSINDEX):
cpe:2.3:a:org.springframework:spring-web:5.3.31:*:*:*:*:*:*:* CVE-2024-38828 (OSSINDEX)suppress
Spring MVC controller methods with an @RequestBody byte[] method parameter are vulnerable to a DoS attack. CWE-400 Uncontrolled Resource Consumption
CVSSv2:
Base Score: MEDIUM (6.900000095367432) Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N References:
Vulnerable Software & Versions (OSSINDEX):
cpe:2.3:a:org.springframework:spring-web:5.3.31:*:*:*:*:*:*:* CVE-2024-38820 suppress
The fix for CVE-2022-22968 made disallowedFields patterns in DataBinder case insensitive. However, String.toLowerCase() has some Locale dependent exceptions that could potentially result in fields not protected as expected. NVD-CWE-noinfo, CWE-178 Improper Handling of Case Sensitivity
CVSSv3:
Base Score: MEDIUM (5.3) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:3.9/RC:R/MAV:A References:
Vulnerable Software & Versions: (show all )
Description:
Spring Web MVC License:
Apache License, Version 2.0: https://www.apache.org/licenses/LICENSE-2.0 File Path: /home/runner/.m2/repository/org/springframework/spring-webmvc/5.3.31/spring-webmvc-5.3.31.jar
MD5: 7401b647e906d3853ad02b62496cfadf
SHA1: 45754d056effe8257a012f6b98ed5454cf1e8960
SHA256: 29c1b96c424dcb637fec2d1e6493b088d977e748a56da7f34e6a7c3c39d18c74
Referenced In Project/Scope: waffle-spring-boot-autoconfigure2:compile
spring-webmvc-5.3.31.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/org.springframework.boot/spring-boot-starter-web@2.7.18
Evidence Type Source Name Value Confidence Vendor file name spring-webmvc High Vendor hint analyzer vendor pivotal software Highest Vendor hint analyzer vendor SpringSource Highest Vendor hint analyzer vendor vmware Highest Vendor jar package name mvc Highest Vendor jar package name springframework Highest Vendor jar package name web Highest Vendor Manifest automatic-module-name spring.webmvc Medium Vendor pom artifactid spring-webmvc Highest Vendor pom artifactid spring-webmvc Low Vendor pom developer email jhoeller@pivotal.io Low Vendor pom developer id jhoeller Medium Vendor pom developer name Juergen Hoeller Medium Vendor pom groupid org.springframework Highest Vendor pom name Spring Web MVC High Vendor pom organization name Spring IO High Vendor pom organization url https://spring.io/projects/spring-framework Medium Vendor pom url spring-projects/spring-framework Highest Product file name spring-webmvc High Product hint analyzer product springsource_spring_framework Highest Product jar package name mvc Highest Product jar package name springframework Highest Product jar package name web Highest Product Manifest automatic-module-name spring.webmvc Medium Product Manifest Implementation-Title spring-webmvc High Product pom artifactid spring-webmvc Highest Product pom developer email jhoeller@pivotal.io Low Product pom developer id jhoeller Low Product pom developer name Juergen Hoeller Low Product pom groupid org.springframework Highest Product pom name Spring Web MVC High Product pom organization name Spring IO Low Product pom organization url https://spring.io/projects/spring-framework Low Product pom url spring-projects/spring-framework High Version file version 5.3.31 High Version Manifest Implementation-Version 5.3.31 High Version pom version 5.3.31 Highest
CVE-2024-38816 (OSSINDEX)suppress
Applications serving static resources through the functional web frameworks WebMvc.fn or WebFlux.fn are vulnerable to path traversal attacks. An attacker can craft malicious HTTP requests and obtain any file on the file system that is also accessible to the process in which the Spring application is running.
Specifically, an application is vulnerable when both of the following are true:
* the web application uses RouterFunctions to serve static resources
* resource handling is explicitly configured with a FileSystemResource location
However, malicious requests are blocked and rejected when any of the following is true:
* the Spring Security HTTP Firewall https://docs.spring.io/spring-security/reference/servlet/exploits/firewall.html is in use
* the application runs on Tomcat or Jetty CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVSSv2:
Base Score: HIGH (8.199999809265137) Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N References:
Vulnerable Software & Versions (OSSINDEX):
cpe:2.3:a:org.springframework:spring-webmvc:5.3.31:*:*:*:*:*:*:* CVE-2024-38820 suppress
The fix for CVE-2022-22968 made disallowedFields patterns in DataBinder case insensitive. However, String.toLowerCase() has some Locale dependent exceptions that could potentially result in fields not protected as expected. NVD-CWE-noinfo, CWE-178 Improper Handling of Case Sensitivity
CVSSv3:
Base Score: MEDIUM (5.3) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:3.9/RC:R/MAV:A References:
Vulnerable Software & Versions: (show all )
Description:
Core Tomcat implementation License:
Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt File Path: /home/runner/.m2/repository/org/apache/tomcat/embed/tomcat-embed-core/9.0.83/tomcat-embed-core-9.0.83.jar
MD5: d4e2068023fe800fd22a9fe2529c290b
SHA1: d771e4343b0515c67dab2a09fe02f5d47550153f
SHA256: 4ed404d5dea8652846f3c52c094764c2ec018f28a3561f1d27df700f7aa5b376
Referenced In Project/Scope: waffle-spring-boot-autoconfigure2:compile
tomcat-embed-core-9.0.83.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/org.springframework.boot/spring-boot-starter-web@2.7.18
Evidence Type Source Name Value Confidence Vendor file name tomcat-embed-core High Vendor jar package name apache Highest Vendor jar package name core Highest Vendor jar package name tomcat Highest Vendor Manifest bundle-symbolicname org.apache.tomcat-embed-core Medium Vendor Manifest Implementation-Vendor Apache Software Foundation High Vendor Manifest provide-capability osgi.contract;osgi.contract=JavaJASPIC;version:List="1.1,1";uses:="javax.security.auth.message,javax.security.auth.message.callback,javax.security.auth.message.config,javax.security.auth.message.module",osgi.contract;osgi.contract=JavaServlet;version:List="4.0,3.1,3,2.5";uses:="javax.servlet,javax.servlet.annotation,javax.servlet.descriptor,javax.servlet.http,javax.servlet.resources" Low Vendor Manifest specification-vendor Apache Software Foundation Low Vendor manifest: javax/security/auth/message/ Implementation-Vendor Apache Software Foundation Medium Vendor manifest: javax/security/auth/message/callback/ Implementation-Vendor Apache Software Foundation Medium Vendor manifest: javax/security/auth/message/config/ Implementation-Vendor Apache Software Foundation Medium Vendor manifest: javax/security/auth/message/module/ Implementation-Vendor Apache Software Foundation Medium Vendor manifest: javax/servlet/ Implementation-Vendor Apache Software Foundation Medium Vendor manifest: javax/servlet/annotation/ Implementation-Vendor Apache Software Foundation Medium Vendor manifest: javax/servlet/descriptor/ Implementation-Vendor Apache Software Foundation Medium Vendor manifest: javax/servlet/http/ Implementation-Vendor Apache Software Foundation Medium Vendor manifest: javax/servlet/resources/ Implementation-Vendor Apache Software Foundation Medium Vendor pom artifactid tomcat-embed-core Highest Vendor pom artifactid tomcat-embed-core Low Vendor pom groupid org.apache.tomcat.embed Highest Vendor pom url https://tomcat.apache.org/ Highest Product file name tomcat-embed-core High Product jar package name annotation Highest Product jar package name apache Highest Product jar package name auth Highest Product jar package name core Highest Product jar package name descriptor Highest Product jar package name http Highest Product jar package name java Highest Product jar package name javax Highest Product jar package name message Highest Product jar package name security Highest Product jar package name servlet Highest Product jar package name servlets Highest Product jar package name tomcat Highest Product Manifest Bundle-Name tomcat-embed-core Medium Product Manifest bundle-symbolicname org.apache.tomcat-embed-core Medium Product Manifest Implementation-Title Apache Tomcat High Product Manifest provide-capability osgi.contract;osgi.contract=JavaJASPIC;version:List="1.1,1";uses:="javax.security.auth.message,javax.security.auth.message.callback,javax.security.auth.message.config,javax.security.auth.message.module",osgi.contract;osgi.contract=JavaServlet;version:List="4.0,3.1,3,2.5";uses:="javax.servlet,javax.servlet.annotation,javax.servlet.descriptor,javax.servlet.http,javax.servlet.resources" Low Product Manifest specification-title Apache Tomcat Medium Product manifest: javax/security/auth/message/ Implementation-Title javax.security.auth.message Medium Product manifest: javax/security/auth/message/ Specification-Title Java Authentication SPI for Containers Medium Product manifest: javax/security/auth/message/callback/ Implementation-Title javax.security.auth.message Medium Product manifest: javax/security/auth/message/callback/ Specification-Title Java Authentication SPI for Containers Medium Product manifest: javax/security/auth/message/config/ Implementation-Title javax.security.auth.message Medium Product manifest: javax/security/auth/message/config/ Specification-Title Java Authentication SPI for Containers Medium Product manifest: javax/security/auth/message/module/ Implementation-Title javax.security.auth.message Medium Product manifest: javax/security/auth/message/module/ Specification-Title Java Authentication SPI for Containers Medium Product manifest: javax/servlet/ Implementation-Title javax.servlet Medium Product manifest: javax/servlet/ Specification-Title Java API for Servlets Medium Product manifest: javax/servlet/annotation/ Implementation-Title javax.servlet Medium Product manifest: javax/servlet/annotation/ Specification-Title Java API for Servlets Medium Product manifest: javax/servlet/descriptor/ Implementation-Title javax.servlet Medium Product manifest: javax/servlet/descriptor/ Specification-Title Java API for Servlets Medium Product manifest: javax/servlet/http/ Implementation-Title javax.servlet Medium Product manifest: javax/servlet/http/ Specification-Title Java API for Servlets Medium Product manifest: javax/servlet/resources/ Implementation-Title javax.servlet Medium Product manifest: javax/servlet/resources/ Specification-Title Java API for Servlets Medium Product pom artifactid tomcat-embed-core Highest Product pom groupid org.apache.tomcat.embed Highest Product pom url https://tomcat.apache.org/ Medium Version file version 9.0.83 High Version Manifest Bundle-Version 9.0.83 High Version Manifest Implementation-Version 9.0.83 High Version pom version 9.0.83 Highest
Related Dependencies tomcat-embed-websocket-9.0.83.jarFile Path: /home/runner/.m2/repository/org/apache/tomcat/embed/tomcat-embed-websocket/9.0.83/tomcat-embed-websocket-9.0.83.jar MD5: 3ba44fc9bf48656f448a565318ea8c46 SHA1: 9af4b7450296bb4eff93b2ee3e52ab69d07512e4 SHA256: b78130b05960761992787edf2cb4c0af18d1fe52b35119ad63712af137d7eb3e pkg:maven/org.apache.tomcat.embed/tomcat-embed-websocket@9.0.83 Description:
Core Tomcat implementation License:
Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt File Path: /home/runner/.m2/repository/org/apache/tomcat/embed/tomcat-embed-el/9.0.83/tomcat-embed-el-9.0.83.jar
MD5: eabd7f3ade6cb0cf36f7b238897b8f1d
SHA1: b0cdada70099c25f45fceb48e1ebce60d138a5ce
SHA256: a82c4cf8cf9e88d6891cbb4cbcb9f85f788e147c464cbeba15a2c83276f3344c
Referenced In Project/Scope: waffle-spring-boot-autoconfigure2:compile
tomcat-embed-el-9.0.83.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/org.springframework.boot/spring-boot-starter-web@2.7.18
Evidence Type Source Name Value Confidence Vendor file name tomcat-embed-el High Vendor jar package name apache Highest Vendor jar package name el Highest Vendor Manifest bundle-symbolicname org.apache.tomcat-embed-jasper-el Medium Vendor Manifest Implementation-Vendor Apache Software Foundation High Vendor Manifest provide-capability osgi.contract;osgi.contract=JavaEL;version:List="3.0,2.2,2.1";uses:="javax.el",osgi.service;objectClass:List="javax.el.ExpressionFactory";effective:=active,osgi.serviceloader;osgi.serviceloader="javax.el.ExpressionFactory";register:="org.apache.el.ExpressionFactoryImpl" Low Vendor Manifest specification-vendor Apache Software Foundation Low Vendor manifest: javax/el/ Implementation-Vendor Apache Software Foundation Medium Vendor pom artifactid tomcat-embed-el Highest Vendor pom artifactid tomcat-embed-el Low Vendor pom groupid org.apache.tomcat.embed Highest Vendor pom url https://tomcat.apache.org/ Highest Product file name tomcat-embed-el High Product jar package name apache Highest Product jar package name el Highest Product jar package name expression Highest Product jar package name expressionfactory Highest Product jar package name expressionfactoryimpl Highest Product jar package name javax Highest Product Manifest Bundle-Name tomcat-embed-jasper-el Medium Product Manifest bundle-symbolicname org.apache.tomcat-embed-jasper-el Medium Product Manifest Implementation-Title Apache Tomcat High Product Manifest provide-capability osgi.contract;osgi.contract=JavaEL;version:List="3.0,2.2,2.1";uses:="javax.el",osgi.service;objectClass:List="javax.el.ExpressionFactory";effective:=active,osgi.serviceloader;osgi.serviceloader="javax.el.ExpressionFactory";register:="org.apache.el.ExpressionFactoryImpl" Low Product Manifest specification-title Apache Tomcat Medium Product manifest: javax/el/ Implementation-Title javax.el Medium Product manifest: javax/el/ Specification-Title Expression Language Medium Product pom artifactid tomcat-embed-el Highest Product pom groupid org.apache.tomcat.embed Highest Product pom url https://tomcat.apache.org/ Medium Version file version 9.0.83 High Version Manifest Bundle-Version 9.0.83 High Version Manifest Implementation-Version 9.0.83 High Version pom version 9.0.83 Highest