Dependency-Check is an open source tool performing a best effort analysis of 3rd party dependencies;
false positives and false negatives may exist in the analysis performed by the tool. Use of the tool and
the reporting provided constitutes acceptance for use in an AS IS condition, and there are NO warranties,
implied or otherwise, with regard to the analysis or its use. Any use of the tool and the reporting provided
is at the user’s risk. In no event shall the copyright holder or OWASP be held liable for any damages whatsoever
arising out of or in connection with the use of this tool, the analysis performed, or the resulting report.
* indicates the dependency has a known exploited vulnerability
Dependencies (vulnerable)
HdrHistogram-2.2.1.jar
Description:
HdrHistogram supports the recording and analyzing sampled data value
counts across a configurable integer value range with configurable value
precision within the range. Value precision is expressed as the number of
significant digits in the value recording, and provides control over value
quantization behavior across the value range and the subsequent value
resolution at any given level.
License:
Public Domain, per Creative Commons CC0: http://creativecommons.org/publicdomain/zero/1.0/
BSD-2-Clause: https://opensource.org/licenses/BSD-2-Clause
File Path: /home/jenkins/.m2/repository/org/hdrhistogram/HdrHistogram/2.2.1/HdrHistogram-2.2.1.jar
MD5: da024c845b9456beec00d8890fd8ef51
SHA1: 0eb1feb351f64176c377772a30174e582c0274d5
SHA256: df6afd38afcf79fc5c8e67087ea953c1b83b040176d5f573db4ce91a260fc07c
Referenced In Project/Scope: Gemma REST:runtime
HdrHistogram-2.2.1.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/io.micrometer/micrometer-core@1.13.0
License:
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/jenkins/.m2/repository/com/zaxxer/HikariCP/4.0.3/HikariCP-4.0.3.jar
MD5: e725642926105cd1bbf4ad7fdff5d5a9
SHA1: 107cbdf0db6780a065f895ae9d8fbf3bb0e1c21f
SHA256: 7c024aeff1c1063576d74453513f9de6447d8e624d17f8e27f30a2e97688c6c9
Referenced In Project/Scope: Gemma REST:compile
HikariCP-4.0.3.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/gemma/gemma-rest@1.31.6
File Path: /home/jenkins/.m2/repository/RoSuDA/JRI/0.5-0/JRI-0.5-0.jar
MD5: da1c711f9748c288afc2f8574165405f
SHA1: 2d9612a95065c291b2ae41fcac28446aa47a8410
SHA256: bcc4b8bd8edc28aa2fbaec6b441fe44e4ed51fb11a310477928460748cf69a04
Referenced In Project/Scope: Gemma REST:runtime
JRI-0.5-0.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/baseCode/baseCode@1.1.23
File Path: /home/jenkins/.m2/repository/RoSuDA/JRIEngine/0.5-0/JRIEngine-0.5-0.jar
MD5: b0cb089fab38efdc95b200ab931b2efb
SHA1: 9751022a2938a4207e178f8c8142d098e4c549d7
SHA256: dd26c4bc37222635388ea5898fc78740f486a384bebcb5ea2fa7e2f4ad453750
Referenced In Project/Scope: Gemma REST:compile
JRIEngine-0.5-0.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/baseCode/baseCode@1.1.23
A Cross Site Scripting (XSS) vulnerability exists in Yogesh Ojha reNgine v1.0 via the Scan Engine name file in the Scan Engine deletion confirmation modal box.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
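The advisory attached to JRIEngine-0.5-0.jar above describes reNgine, a web reconnaissance tool by Yogesh Ojha, which is unrelated to RoSuDA's JRIEngine (the Java/R bridge that baseCode pulls in). That is the kind of name-based false positive the disclaimer at the top of this report warns about; confirm it against the evidence the tool collected for the jar before suppressing it. The following is an added example, not code from Dependency-Check or from the Gemma project: it parses entries in the layout this report uses (path, MD5/SHA1/SHA256, optional scope, the artifact name and the package URL of the direct dependency that brings it in), re-hashes the scanned file when it is present locally, and writes a suppression bound to the artifact's SHA1 rather than to a file-name pattern, so the suppression cannot silently carry over to a later version. The suppression schema URL is the published 1.3 one; the CVE identifier of the reNgine advisory is not given on this page, so it is passed in as a placeholder parameter.

```python
"""Parse OWASP Dependency-Check report entries and write a SHA1-keyed suppression.

Added example for this page; it is not part of Dependency-Check or of the Gemma build.
Assumptions: the entry layout used in this report ("File Path: ... MD5: ... SHA1: ...
SHA256: ... [Referenced In Project/Scope: ...] <file> is in the transitive dependency
tree of the listed items. Included by: pkg:..."), either on one line or one field per
line, and the published dependency-suppression 1.3 schema. The CVE identifier of the
reNgine advisory is not given on the page, so it is a parameter here.
"""
import hashlib
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from pathlib import Path
from typing import List, Optional, Tuple

SUPPRESSION_NS = "https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd"

# Fields may be separated by spaces or line breaks; the scope field is optional (pom entries lack it).
ENTRY_RE = re.compile(
    r"File Path:\s*(?P<path>\S+)\s+MD5:\s*(?P<md5>[0-9a-f]{32})\s+SHA1:\s*(?P<sha1>[0-9a-f]{40})\s+"
    r"SHA256:\s*(?P<sha256>[0-9a-f]{64})"
    r"(?:\s+Referenced In Project/Scope:\s*(?P<scope>.+?))?"
    r"\s+(?P<file>\S+) is in the transitive dependency tree of the listed items\."
    r"\s*Included by:\s*(?P<purl>pkg:\S+)"
)
PURL_RE = re.compile(r"^pkg:maven/(?P<group>[^/]+)/(?P<artifact>[^@]+)@(?P<version>.+)$")


@dataclass(frozen=True)
class Entry:
    path: str
    md5: str
    sha1: str
    sha256: str
    scope: Optional[str]
    file: str
    included_by: str

    def direct_dependency(self) -> Tuple[str, str, str]:
        """Maven coordinates of the direct dependency that pulls this artifact in."""
        m = PURL_RE.match(self.included_by)
        if not m:
            raise ValueError(f"not a Maven package URL: {self.included_by}")
        return m["group"], m["artifact"], m["version"]


def parse_report(text: str) -> List[Entry]:
    """Every dependency entry found in the report text, in order."""
    return [
        Entry(m["path"], m["md5"], m["sha1"], m["sha256"], m["scope"], m["file"], m["purl"])
        for m in ENTRY_RE.finditer(text)
    ]


def sha256_matches(data: bytes, expected_hex: str) -> bool:
    return hashlib.sha256(data).hexdigest() == expected_hex.lower()


def verify_local_copy(entry: Entry) -> Optional[bool]:
    """Re-hash the artifact the report scanned; None when it is not on this machine."""
    p = Path(entry.path)
    if not p.is_file():
        return None
    return sha256_matches(p.read_bytes(), entry.sha256)


def suppression_xml(entry: Entry, cve: str, notes: str) -> str:
    """One <suppress> bound to the exact artifact by SHA1, so it cannot leak onto a later version."""
    root = ET.Element("suppressions", xmlns=SUPPRESSION_NS)
    sup = ET.SubElement(root, "suppress")
    ET.SubElement(sup, "notes").text = notes
    ET.SubElement(sup, "sha1").text = entry.sha1
    ET.SubElement(sup, "cve").text = cve
    return ET.tostring(root, encoding="unicode")


# Sample input: two entries copied from this report, the first split one field per line,
# the second in the single-line form the report arrived in.
SAMPLE = """\
File Path: /home/jenkins/.m2/repository/RoSuDA/JRIEngine/0.5-0/JRIEngine-0.5-0.jar
MD5: b0cb089fab38efdc95b200ab931b2efb
SHA1: 9751022a2938a4207e178f8c8142d098e4c549d7
SHA256: dd26c4bc37222635388ea5898fc78740f486a384bebcb5ea2fa7e2f4ad453750
Referenced In Project/Scope: Gemma REST:compile
JRIEngine-0.5-0.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/baseCode/baseCode@1.1.23
File Path: /home/jenkins/.m2/repository/com/github/fommil/netlib/all/1.1.2/all-1.1.2.pom MD5: b60dd3450b3a8d030f4799dcb273f846 SHA1: f235011206ac009adad2d6607f222649aba5ca9e SHA256:cced6c7973b2f43c84944f21e45f292c94af566f1d6b45915264acb080dd6b67 all-1.1.2.pom is in the transitive dependency tree of the listed items.Included by: pkg:maven/baseCode/baseCode@1.1.23
"""

if __name__ == "__main__":
    entries = parse_report(SAMPLE)
    for e in entries:
        print(e.file, e.scope, e.direct_dependency(), verify_local_copy(e))
    # "CVE-XXXX-NNNNN" is a placeholder: the page does not name the reNgine CVE.
    print(suppression_xml(entries[0], "CVE-XXXX-NNNNN",
                          "reNgine advisory matched JRIEngine (RoSuDA Java/R bridge) by name only"))
```

Feed the output to the dependency-check CLI with --suppression (or the Maven plugin's suppressionFile parameter), and keep the notes element honest: it is the audit trail the next reviewer reads when deciding whether the suppression still holds.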
The bit array data structure is implemented in Java as the BitSet class. Unfortunately, this fails to scale without compression.
JavaEWAH is a word-aligned compressed variant of the Java bitset class. It uses a 64-bit run-length encoding (RLE) compression scheme.
The goal of word-aligned compression is not to achieve the best compression, but rather to improve query processing time. Hence, we try to save CPU cycles, maybe at the expense of storage. However, the EWAH scheme we implemented is always more efficient storage-wise than an uncompressed bitmap (implemented in Java as the BitSet class). Unlike some alternatives, javaewah does not rely on a patented scheme.
File Path: /home/jenkins/.m2/repository/com/googlecode/javaewah/JavaEWAH/0.7.9/JavaEWAH-0.7.9.jar
MD5: 3186322b6558b126cef0e00bdbd2466c
SHA1: eceaf316a8faf0e794296ebe158ae110c7d72a5a
SHA256: fc499deb9153610f735f75817f1c177978d27a95a18e03d7d3849cfcb35abfc4
Referenced In Project/Scope: Gemma REST:compile
JavaEWAH-0.7.9.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/gemma/gemma-core@1.31.6
LatencyUtils is a package that provides latency recording and reporting utilities.
License:
Public Domain, per Creative Commons CC0: http://creativecommons.org/publicdomain/zero/1.0/
File Path: /home/jenkins/.m2/repository/org/latencyutils/LatencyUtils/2.0.3/LatencyUtils-2.0.3.jar
MD5: 2ad12e1ef7614cecfb0483fa9ac6da73
SHA1: 769c0b82cb2421c8256300e907298a9410a2a3d3
SHA256: a32a9ffa06b2f4e01c5360f8f9df7bc5d9454a5d373cd8f361347fa5a57165ec
Referenced In Project/Scope: Gemma REST:runtime
LatencyUtils-2.0.3.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/io.micrometer/micrometer-core@1.13.0
File Path: /home/jenkins/.m2/repository/org/rosuda/REngine/REngine/2.1.0/REngine-2.1.0.jar
MD5: 9377ddb81ad3e37d94926367b410c9fc
SHA1: 73c31209d4ac42d669ccf731e8a1d845f601adac
SHA256: a268b4d1e0aa0c5ab3a79153764beca2d90087904c7d087b33110fa188fe5c04
Referenced In Project/Scope: Gemma REST:compile
REngine-2.1.0.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/baseCode/baseCode@1.1.23
An efficient sparse bitset implementation for Java
License:
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/jenkins/.m2/repository/com/zaxxer/SparseBitSet/1.3/SparseBitSet-1.3.jar
MD5: fbe27bb4c05e8719b7fff5aa71a57364
SHA1: 533eac055afe3d5f614ea95e333afd6c2bde8f26
SHA256: f76b85adb0c00721ae267b7cfde4da7f71d3121cc2160c9fc00c0c89f8c53c8a
Referenced In Project/Scope: Gemma REST:compile
SparseBitSet-1.3.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/baseCode/baseCode@1.1.23
JavaBeans Activation Framework (JAF) is a standard extension to the Java platform that lets you take advantage of standard services to: determine the type of an arbitrary piece of data; encapsulate access to it; discover the operations available on it; and instantiate the appropriate bean to perform the operation(s).
License:
Common Development and Distribution License (CDDL) v1.0: https://glassfish.dev.java.net/public/CDDLv1.0.html
File Path: /home/jenkins/.m2/repository/javax/activation/activation/1.1/activation-1.1.jar
MD5: 8ae38e87cd4f86059c0294a8fe3e0b18
SHA1: e6cb541461c2834bdea3eb920f1884d1eb508b50
SHA256: 2881c79c9d6ef01c58e62beea13e9d1ac8b8baa16f2fc198ad6e6776defdcdd3
Referenced In Project/Scope: Gemma REST:runtime
activation-1.1.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/gemma/gemma-core@1.31.6
File Path: /home/jenkins/.m2/repository/com/github/fommil/netlib/all/1.1.2/all-1.1.2.pom
MD5: b60dd3450b3a8d030f4799dcb273f846
SHA1: f235011206ac009adad2d6607f222649aba5ca9e
SHA256: cced6c7973b2f43c84944f21e45f292c94af566f1d6b45915264acb080dd6b67
all-1.1.2.pom is in the transitive dependency tree of the listed items. Included by: pkg:maven/baseCode/baseCode@1.1.23
File Path: /home/jenkins/.m2/repository/org/apache/ant/ant/1.10.14/ant-1.10.14.jar
MD5: 263e00d844d0e4efa54440ec5ed6362a
SHA1: 1edce9bbfa60dfd51f010879c78f4421dafae7a7
SHA256: 4cbbd9243de4c1042d61d9a15db4c43c90ff93b16d78b39481da1c956c8e9671
Referenced In Project/Scope: Gemma REST:compile
ant-1.10.14.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/gemma/gemma-rest@1.31.6
A framework for constructing recognizers, compilers,
and translators from grammatical descriptions containing
Java, C#, C++, or Python actions.
License:
BSD License: http://www.antlr.org/license.html
File Path: /home/jenkins/.m2/repository/antlr/antlr/2.7.7/antlr-2.7.7.jar
MD5: f8f1352c52a4c6a500b597596501fc64
SHA1: 83cd2cd674a217ade95a4bb83a8a14f351f48bd0
SHA256: 88fbda4b912596b9f56e8e12e580cc954bacfb51776ecfddd3e18fc1cf56dc4c
Referenced In Project/Scope: Gemma REST:compile
antlr-2.7.7.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/org.hibernate/hibernate-core@4.2.21.Final
File Path: /home/jenkins/.m2/repository/org/antlr/antlr4-runtime/4.9.3/antlr4-runtime-4.9.3.jar
MD5: 718f199bafa6574ffa1111fa3e10276a
SHA1: 81befc16ebedb8b8aea3e4c0835dd5ca7e8523a8
SHA256: 131a6594969bc4f321d652ea2a33bc0e378ca312685ef87791b2c60b29d01ea5
Referenced In Project/Scope: Gemma REST:compile
antlr4-runtime-4.9.3.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/gemma/gemma-rest@1.31.6
File Path: /home/jenkins/.m2/repository/aopalliance/aopalliance/1.0/aopalliance-1.0.jar
MD5: 04177054e180d09e3998808efa0401c7
SHA1: 0235ba8b489512805ac13a8f9ea77a1ca5ebe3e8
SHA256: 0addec670fedcd3f113c5c8091d783280d23f75e3acb841b61a9cdb079376a08
Referenced In Project/Scope: Gemma REST:compile
aopalliance-1.0.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/org.springframework.security/spring-security-web@3.2.10.RELEASE
File Path: /home/jenkins/.m2/repository/org/glassfish/hk2/external/aopalliance-repackaged/2.5.0-b32/aopalliance-repackaged-2.5.0-b32.jar
MD5: 99809f55109881865ce8b47f03522fb6
SHA1: 6af37c3f8ec6f9e9653ec837eb508da28ce443cd
SHA256: 32a44ed0258c00bb8f0acf7e4dbf000a377bd48702465f6195f878a6dc2024d6
Referenced In Project/Scope: Gemma REST:compile
aopalliance-repackaged-2.5.0-b32.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/org.glassfish.jersey.core/jersey-server@2.25.1
Evidence
Type    | Source   | Name                | Value                                                             | Confidence
Vendor  | file     | name                | aopalliance-repackaged                                            | High
Vendor  | jar      | package name        | aopalliance                                                       | Highest
Vendor  | Manifest | bundle-docurl       | http://www.oracle.com                                             | Low
Vendor  | Manifest | bundle-symbolicname | org.glassfish.hk2.external.aopalliance-repackaged                 | Medium
Vendor  | pom      | artifactid          | aopalliance-repackaged                                            | Highest
Vendor  | pom      | artifactid          | aopalliance-repackaged                                            | Low
Vendor  | pom      | groupid             | org.glassfish.hk2.external                                        | Highest
Vendor  | pom      | name                | aopalliance version repackaged as a module                        | High
Vendor  | pom      | name                | aopalliance version ${aopalliance.version} repackaged as a module | High
Vendor  | pom      | parent-artifactid   | external                                                          | Low
Vendor  | pom      | parent-groupid      | org.glassfish.hk2                                                 | Medium
Product | file     | name                | aopalliance-repackaged                                            | High
Product | jar      | package name        | aopalliance                                                       | Highest
Product | Manifest | bundle-docurl       | http://www.oracle.com                                             | Low
Product | Manifest | Bundle-Name         | aopalliance version 1.0 repackaged as a module                    | Medium
Product | Manifest | bundle-symbolicname | org.glassfish.hk2.external.aopalliance-repackaged                 | Medium
Product | pom      | artifactid          | aopalliance-repackaged                                            | Highest
Product | pom      | groupid             | org.glassfish.hk2.external                                        | Highest
Product | pom      | name                | aopalliance version repackaged as a module                        | High
Product | pom      | name                | aopalliance version ${aopalliance.version} repackaged as a module |
Java APIs for the BLAS, LAPACK, and ARPACK Fortran libraries as translated through F2J.
License:
The BSD License: http://www.opensource.org/licenses/bsd-license.php
File Path: /home/jenkins/.m2/repository/net/sourceforge/f2j/arpack_combined_all/0.1/arpack_combined_all-0.1.jar
MD5: 83d82dd480da2aeba6429e746453ec0b
SHA1: 225619a060b42605b4d9fd4af11815664abf26eb
SHA256: 9964fb948ef213548a79b23dd480af9d72f1450824fa006bbfea211ac1ffa6dc
Referenced In Project/Scope: Gemma REST:compile
arpack_combined_all-0.1.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/baseCode/baseCode@1.1.23
An out-of-bounds read flaw was found in the CLARRV, DLARRV, SLARRV, and ZLARRV functions in lapack through version 3.10.0, as also used in OpenBLAS before version 0.3.18. Specially crafted inputs passed to these functions could cause an application using lapack to crash or possibly disclose portions of its memory.
org.objectweb.asm.all version repackaged as a module
File Path: /home/jenkins/.m2/repository/org/glassfish/hk2/external/asm-all-repackaged/2.5.0-b32/asm-all-repackaged-2.5.0-b32.jar
MD5: b7710f0109a9aca153b48fa5474b8a9d
SHA1: dc705f1d54cd5a96cbc5a473525e75ef1cb59a9e
SHA256: 83bd18063fefc7a6352539fde4e3fc7a0ec13734e17f8b787dc1bff5d426820c
Referenced In Project/Scope: Gemma REST:compile
asm-all-repackaged-2.5.0-b32.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/org.glassfish.jersey.ext/jersey-spring3@2.25.1
The AspectJ weaver applies aspects to Java classes. It can be used as a Java agent in order to apply load-time
weaving (LTW) during class-loading and also contains the AspectJ runtime classes.
License:
Eclipse Public License - v 2.0: https://www.eclipse.org/org/documents/epl-2.0/EPL-2.0.txt
File Path: /home/jenkins/.m2/repository/org/aspectj/aspectjweaver/1.9.22.1/aspectjweaver-1.9.22.1.jar
MD5: f2edbc088126174a11b68279bd26c6eb
SHA1: bca243d0af0db4758fbae45c5f4995cb5dabb612
SHA256: cd2dd01ec2424c05669df4d557f6c6cd7ed87b05257ee3c866b4c5b116b18a78
Referenced In Project/Scope: Gemma REST:compile
aspectjweaver-1.9.22.1.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/gemma/gemma-rest@1.31.6
Data structures, math and statistics tools, and utilities that are often needed across projects.
License:
The Apache Software License, Version 2.0: https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/jenkins/.m2/repository/baseCode/baseCode/1.1.23/baseCode-1.1.23.jar
MD5: 209fa8b43a8f35843c2dd2657508a350
SHA1: 3d762955f197c680df14a7189201e979bbfa1a59
SHA256: 26ac5054f781f5666e96c056f88ccd1e227e90f163bc36b04b48d32ba9ff9fbd
Referenced In Project/Scope: Gemma REST:compile
baseCode-1.1.23.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/gemma/gemma-rest@1.31.6
File Path: /home/jenkins/.m2/repository/org/glassfish/hk2/class-model/2.5.0-b32/class-model-2.5.0-b32.jar
MD5: b995e20985e420e7bce29be5a35d7aeb
SHA1: 017f054f3e91898c0c0fc52163ad904b13c24e8b
SHA256: 9a4d6e54e48bf71f7669cae5e10277b3dbc438d29c48730c778725a121df8d64
Referenced In Project/Scope: Gemma REST:compile
class-model-2.5.0-b32.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/org.glassfish.jersey.ext/jersey-spring3@2.25.1
The uber-fast, ultra-lightweight classpath and module scanner for JVM languages.
License:
The MIT License (MIT): http://opensource.org/licenses/MIT
File Path: /home/jenkins/.m2/repository/io/github/classgraph/classgraph/4.8.165/classgraph-4.8.165.jar
MD5: 184a77ae08192b53063aa42e540d2d4a
SHA1: d7237a1fc235030b7b548eb3d671f714da01e50b
SHA256: 5258d9218fc6413f4d14218a5a6e784528e349f60f48883b77de74bb478ebafd
Referenced In Project/Scope: Gemma REST:compile
classgraph-4.8.165.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/io.swagger.core.v3/swagger-jaxrs2@2.2.22
File Path: /home/jenkins/.m2/repository/colt/colt/1.2.0/colt-1.2.0.jar
MD5: f6be558e44de25df08b9f515b2a7ffee
SHA1: 0abc984f3adc760684d49e0f11ddf167ba516d4f
SHA256: e1fcbfbdd0d0caedadfb59febace5a62812db3b9425f3a03ef4c4cbba3ed0ee3
Referenced In Project/Scope: Gemma REST:compile
colt-1.2.0.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/gemma/gemma-rest@1.31.6
The Apache Commons Codec component contains encoder and decoders for
various formats such as Base16, Base32, Base64, digest, and Hexadecimal. In addition to these
widely used encoders and decoders, the codec package also maintains a
collection of phonetic encoding utilities.
File Path: /home/jenkins/.m2/repository/commons-codec/commons-codec/1.16.1/commons-codec-1.16.1.jar
MD5: 6c5be822d8d3fa61c3b54c4c8978dfdc
SHA1: 47bd4d333fba53406f6c6c51884ddbca435c8862
SHA256: ec87bfb55f22cbd1b21e2190eeda28b2b312ed2a431ee49fbdcc01812d04a5e4
Referenced In Project/Scope: Gemma REST:compile
commons-codec-1.16.1.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/gemma/gemma-core@1.31.6
File Path: /home/jenkins/.m2/repository/org/apache/commons/commons-collections4/4.4/commons-collections4-4.4.jar
MD5: 4a37023740719b391f10030362c86be6
SHA1: 62ebe7544cb7164d87e0637a2a6a2bdc981395e8
SHA256: 1df8b9430b5c8ed143d7815e403e33ef5371b2400aadbe9bda0883762e0846d1
Referenced In Project/Scope: Gemma REST:compile
commons-collections4-4.4.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/gemma/gemma-rest@1.31.6
File Path: /home/jenkins/.m2/repository/org/apache/commons/commons-configuration2/2.8.0/commons-configuration2-2.8.0.jar
MD5: 4bb1f1ad26727cf5966554cb6b9eb073
SHA1: 6a76acbe14d2c01d4758a57171f3f6a150dbd462
SHA256: e5c46e4b0b1acddbc96651838c19d3df70da92dfb5107a6e4c42cb92d3a300bd
Referenced In Project/Scope: Gemma REST:compile
commons-configuration2-2.8.0.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/gemma/gemma-rest@1.31.6
Out-of-bounds Write vulnerability in Apache Commons Configuration. This issue affects Apache Commons Configuration: from 2.0 before 2.10.1.
Users are recommended to upgrade to version 2.10.1, which fixes the issue.
Sonatype's research suggests that this CVE's details differ from those defined at NVD. See https://ossindex.sonatype.org/vulnerability/CVE-2024-29131 for details
Out-of-bounds Write vulnerability in Apache Commons Configuration. This issue affects Apache Commons Configuration: from 2.0 before 2.10.1.
Users are recommended to upgrade to version 2.10.1, which fixes the issue.
Sonatype's research suggests that this CVE's details differ from those defined at NVD. See https://ossindex.sonatype.org/vulnerability/CVE-2024-29133 for details
File Path: /home/jenkins/.m2/repository/org/apache/commons/commons-csv/1.11.0/commons-csv-1.11.0.jar
MD5: 670327702ca6f22103531d20d140bc9e
SHA1: 8f2dc805097da534612128b7cdf491a5a76752bf
SHA256: b697fe3f94cfc4f7e2a87bddf78d15cd10d8c86cbe56ae9196a62d6edbf6b76d
Referenced In Project/Scope: Gemma REST:compile
commons-csv-1.11.0.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/gemma/gemma-core@1.31.6
The Apache Commons FileUpload component provides a simple yet flexible means of adding support for multipart
file upload functionality to servlets and web applications.
File Path: /home/jenkins/.m2/repository/commons-fileupload/commons-fileupload/1.5/commons-fileupload-1.5.jar
MD5: e57ac8a1a6412886a133a2fa08b89735
SHA1: ad4ad2ab2961b4e1891472bd1a33fabefb0385f3
SHA256: 51f7b3dcb4e50c7662994da2f47231519ff99707a5c7fb7b05f4c4d3a1728c14
Referenced In Project/Scope: Gemma REST:compile
commons-fileupload-1.5.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/gemma/gemma-rest@1.31.6
The Apache Commons IO library contains utility classes, stream implementations, file filters,
file comparators, endian transformation classes, and much more.
File Path: /home/jenkins/.m2/repository/commons-io/commons-io/2.16.1/commons-io-2.16.1.jar
MD5: ed8191a5a217940140001b0acfed18d9
SHA1: 377d592e740dc77124e0901291dbfaa6810a200e
SHA256: f41f7baacd716896447ace9758621f62c1c6b0a91d89acee488da26fc477c84f
Referenced In Project/Scope: Gemma REST:compile
commons-io-2.16.1.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/gemma/gemma-rest@1.31.6
Commons Lang, a package of Java utility classes for the
classes that are in java.lang's hierarchy, or are considered to be so
standard as to justify existence in java.lang.
File Path: /home/jenkins/.m2/repository/commons-lang/commons-lang/2.6/commons-lang-2.6.jar
MD5: 4d5c1693079575b362edf41500630bbd
SHA1: 0ce1edb914c94ebc388f086c6827e8bdeec71ac2
SHA256: 50f11b09f877c294d56f24463f47d28f929cf5044f648661c0f0cfbae9a2f49c
Referenced In Project/Scope: Gemma REST:compile
commons-lang-2.6.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/gemma/gemma-core@1.31.6
Apache Commons Lang, a package of Java utility classes for the
classes that are in java.lang's hierarchy, or are considered to be so
standard as to justify existence in java.lang.
File Path: /home/jenkins/.m2/repository/org/apache/commons/commons-lang3/3.14.0/commons-lang3-3.14.0.jar
MD5: 4e5c3f5e6b0b965ef241d7d72ac8971f
SHA1: 1ed471194b02f2c6cb734a0cd6f6f107c673afae
SHA256: 7b96bf3ee68949abb5bc465559ac270e0551596fa34523fddf890ec418dde13c
Referenced In Project/Scope: Gemma REST:compile
commons-lang3-3.14.0.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/gemma/gemma-rest@1.31.6
File Path: /home/jenkins/.m2/repository/commons-logging/commons-logging/1.3.2/commons-logging-1.3.2.jar
MD5: 4b970f3b14a5e53d8e8edff1cf2ecd91
SHA1: 3dc966156ef19d23c839715165435e582fafa753
SHA256: 6b858424f518015f32bfcd1183a373f4a827d72d026b6031da0c91cf0e8f3489
Referenced In Project/Scope: Gemma REST:compile
commons-logging-1.3.2.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/gemma/gemma-rest@1.31.6
Commons Logging is a thin adapter allowing configurable bridging to other,
well known logging systems.
License:
The Apache Software License, Version 2.0: /LICENSE.txt
File Path: /home/jenkins/.m2/repository/commons-logging/commons-logging-api/1.1/commons-logging-api-1.1.jar
MD5: 4374238076ab08e60e0d296234480837
SHA1: 7d4cf5231d46c8524f9b9ed75bb2d1c69ab93322
SHA256: 33a4dd47bb4764e4eb3692d86386d17a0d9827f4f4bb0f70121efab6bc03ba35
Referenced In Project/Scope: Gemma REST:compile
commons-logging-api-1.1.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/gemma/gemma-rest@1.31.6
The Apache Commons Math project is a library of lightweight, self-contained mathematics and statistics components addressing the most common practical problems not immediately available in the Java programming language or commons-lang.
File Path: /home/jenkins/.m2/repository/org/apache/commons/commons-math3/3.6.1/commons-math3-3.6.1.jar
MD5: 5b730d97e4e6368069de1983937c508e
SHA1: e4ba98f1d4b3c80ec46392f25e094a6a2e58fcbf
SHA256: 1e56d7b058d28b65abd256b8458e3885b674c1d588fa43cd7d1cbb9c7ef2b308
Referenced In Project/Scope: Gemma REST:compile
commons-math3-3.6.1.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/gemma/gemma-core@1.31.6
File Path: /home/jenkins/.m2/repository/commons-net/commons-net/3.10.0/commons-net-3.10.0.jar
MD5: 84511bcbcbd37725fd1a53360e0c3fd6
SHA1: 86762ea0ac98fd41c91745a32d496a985e2bd5e7
SHA256: 2230eec44ef4b8112ea09cbeb6de826977abe792e627cee2770e35ca8c39dce1
Referenced In Project/Scope: Gemma REST:compile
commons-net-3.10.0.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/gemma/gemma-core@1.31.6
Apache Commons Text is a set of utility functions and reusable components for the purpose of processing
and manipulating text that should be of use in a Java environment.
File Path: /home/jenkins/.m2/repository/org/apache/commons/commons-text/1.12.0/commons-text-1.12.0.jar
MD5: 544add6fbc8d4b100b07c3692d08099e
SHA1: 66aa90dc099701c4d3b14bd256c328f592ccf0d6
SHA256: de023257ff166044a56bd1aa9124e843cd05dac5806cc705a9311f3556d5a15f
Referenced In Project/Scope: Gemma REST:compile
commons-text-1.12.0.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/gemma/gemma-rest@1.31.6
License:
Public domain, Sun Microsystems: http://gee.cs.oswego.edu/dl/classes/EDU/oswego/cs/dl/util/concurrent/intro.html
File Path: /home/jenkins/.m2/repository/concurrent/concurrent/1.3.4/concurrent-1.3.4.jar
MD5: f29b9d930d3426ebc56919eba10fbd4d
SHA1: 1cf394c2a388199db550cda311174a4c6a7d117c
SHA256: 12639def9a5b5ebf56040ab764bd42b7e662523d3b983e5d5da04bf37be152f9
Referenced In Project/Scope: Gemma REST:compile
concurrent-1.3.4.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/colt/colt@1.2.0
File Path: /home/jenkins/.m2/repository/org/glassfish/hk2/config-types/2.5.0-b32/config-types-2.5.0-b32.jar
MD5: 6ad3a1e788c84830ffc2f3a4454ce5ee
SHA1: 686bbe7f80b1b879d64c06bc6606c97721a795f2
SHA256: 21b4c91cfe7f3a78802fe1c63fbe738a664e1ba21ee29177442ff2c75b798d7b
Referenced In Project/Scope: Gemma REST:compile
config-types-2.5.0-b32.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/org.glassfish.jersey.ext/jersey-spring3@2.25.1
File Path: /home/jenkins/.m2/repository/com/github/fommil/netlib/core/1.1.2/core-1.1.2.jar
MD5: ab845840ad73fa2ec1a5025a7c48b97e
SHA1: 574b480eca62f535fad6d259e144fee3ef24b66e
SHA256: 5ffaddee0a3f8d09a56064aa05feb95837ddad9d42d9dcc37479c66e869aa139
Referenced In Project/Scope: Gemma REST:compile
core-1.1.2.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/baseCode/baseCode@1.1.23
File Path: /home/jenkins/.m2/repository/org/dom4j/dom4j/2.1.4/dom4j-2.1.4.jar
MD5: 8246840e53db2781ca941e4d3f9ad715
SHA1: 35c16721b88cf17b8279fcb134c0abb161cc0e9b
SHA256: 235a9167a8a199be04b5326d92927ca0adeb90d11f69fe2e821b34ce8433b591
Referenced In Project/Scope: Gemma REST:runtime
dom4j-2.1.4.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/gemma/gemma-rest@1.31.6
This is the ehcache core module. Pair it with other modules for added
functionality.
License:
The Apache Software License, Version 2.0: src/assemble/EHCACHE-CORE-LICENSE.txt
File Path: /home/jenkins/.m2/repository/net/sf/ehcache/ehcache-core/2.4.3/ehcache-core-2.4.3.jar
MD5: 9d4b1464a2fcbc16ae46740669a0dab8
SHA1: fd258ef6959f27fb678b04f90139ded4588e2d15
SHA256: 9b93a12cda08e7ad4d567d2027d292e67ee726da0cbb330f5de0e90aeb1d3fd1
Referenced In Project/Scope: Gemma REST:compile
ehcache-core-2.4.3.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/gemma/gemma-rest@1.31.6
License:
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/jenkins/.m2/repository/pavlab/gemma-gsec/0.0.16/gemma-gsec-0.0.16.jar
MD5: f28b6a8bd682b7e4806493f9e2328f7c
SHA1: 40e5cd542c29de0474c151076c9f604c866a3a9f
SHA256: 4ff346e56a7de22605181eb5b05c2445840b62644b376d0ace3adc081f13e650
Referenced In Project/Scope: Gemma REST:compile
gemma-gsec-0.0.16.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/gemma/gemma-rest@1.31.6
Common reflection code used in support of annotation processing
License:
GNU LESSER GENERAL PUBLIC LICENSE: http://www.gnu.org/licenses/lgpl-2.1.html
File Path: /home/jenkins/.m2/repository/org/hibernate/common/hibernate-commons-annotations/4.0.2.Final/hibernate-commons-annotations-4.0.2.Final.jar
MD5: 916d4ddfb26db16da75ee8f973fd08ad
SHA1: 0094edcc5572efb02e123cc9ef7ad7d0fa5f76cf
SHA256: ae6b6708a03a144265ac7bf1def64b18def3b6576a8a52d7a6787d9cf00aa0ec
Referenced In Project/Scope: Gemma REST:compile
hibernate-commons-annotations-4.0.2.Final.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/org.hibernate/hibernate-core@4.2.21.Final
License:
GNU Lesser General Public License: http://www.gnu.org/licenses/lgpl-2.1.html
File Path: /home/jenkins/.m2/repository/org/hibernate/hibernate-core/4.2.21.Final/hibernate-core-4.2.21.Final.jar
MD5: 492567c1f36fb3a5968ca2d3c452edaf
SHA1: bb587d00287c13d9e4324bc76c13abbd493efa81
SHA256: 7c33583de97e42b95c530e7e4752efbdbd46a566f7708ff0e8cf490203db74e3
Referenced In Project/Scope: Gemma REST:compile
hibernate-core-4.2.21.Final.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/gemma/gemma-rest@1.31.6
A flaw was found in hibernate-core in versions prior to and including 5.4.23.Final. A SQL injection in the implementation of the JPA Criteria API can permit unsanitized literals when a literal is used in the SQL comments of the query. This flaw could allow an attacker to access unauthorized information or possibly conduct further attacks. The highest threat from this vulnerability is to data confidentiality and integrity.
CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
A flaw was found in Hibernate ORM in versions before 5.3.18, 5.4.18 and 5.5.0.Beta1. A SQL injection in the implementation of the JPA Criteria API can permit unsanitized literals when a literal is used in the SELECT or GROUP BY parts of the query. This flaw could allow an attacker to access unauthorized information or possibly conduct further attacks.
CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
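The commons-configuration2 advisories above ("from 2.0 before 2.10.1") and the two Hibernate advisories here ("prior to and including 5.4.23.Final"; "before 5.3.18, 5.4.18 and 5.5.0.Beta1") state their affected ranges in words, and the listed versions have to be placed against them without falling into string comparison, under which "2.8.0" sorts after "2.10.1". The following is an added example, not code from Dependency-Check, Apache Commons or Hibernate; it encodes the three range shapes and applies them to the versions in this report. The qualifier ordering is a simplified form of Maven's ComparableVersion and is an assumption of this example, as is the rule that a release line newer than every listed fix is treated as fixed.

```python
"""Evaluate the version ranges quoted in this report's advisories against the listed artifacts.

Added example for this page; it is not part of Dependency-Check, Apache Commons or Hibernate.
It encodes the three range shapes used in the advisories ("from 2.0 before 2.10.1",
"before 5.3.18, 5.4.18 and 5.5.0.Beta1", "prior to and including 5.4.23.Final").
The qualifier ordering is a simplification of Maven's ComparableVersion and is an
assumption of this example: alpha < beta < milestone < rc < snapshot < release
(none/final/ga) < sp, with an unknown qualifier treated as pre-release.
"""
import re
from typing import Dict, Iterable, Tuple

VersionKey = Tuple[Tuple[int, ...], int, int]

_QUALIFIER_RANK = {
    "alpha": 0, "a": 0, "beta": 1, "b": 1, "milestone": 2, "m": 2, "rc": 3, "cr": 3,
    "snapshot": 4, "": 5, "final": 5, "ga": 5, "release": 5, "sp": 6,
}
_UNKNOWN_RANK = 4
_TOKEN_RE = re.compile(r"[0-9]+|[A-Za-z]+")


def parse_version(text: str) -> VersionKey:
    """Comparable key: numeric components (padded to three), qualifier rank, qualifier ordinal.

    Numbers compare as integers, so 2.8.0 < 2.10.1 even though "2.8.0" > "2.10.1" as strings.
    '5.5.0.Beta1' -> ((5, 5, 0), 1, 1); '2.5.0-b32' -> ((2, 5, 0), 1, 32); '5.4.18.Final' == '5.4.18'.
    """
    tokens = _TOKEN_RE.findall(text)
    nums = []
    i = 0
    while i < len(tokens) and tokens[i].isdigit():
        nums.append(int(tokens[i]))
        i += 1
    qualifier, ordinal = "", 0
    if i < len(tokens):
        qualifier = tokens[i].lower()
        if i + 1 < len(tokens) and tokens[i + 1].isdigit():
            ordinal = int(tokens[i + 1])
    while len(nums) < 3:
        nums.append(0)
    return tuple(nums), _QUALIFIER_RANK.get(qualifier, _UNKNOWN_RANK), ordinal


def affected_in_range(version: str, introduced: str, fixed: str) -> bool:
    """'from 2.0 before 2.10.1': introduced <= version < fixed."""
    return parse_version(introduced) <= parse_version(version) < parse_version(fixed)


def affected_up_to(version: str, last_affected: str) -> bool:
    """'prior to and including 5.4.23.Final': version <= last_affected."""
    return parse_version(version) <= parse_version(last_affected)


def affected_below(version: str, fixed_versions: Iterable[str]) -> bool:
    """'before 5.3.18, 5.4.18 and 5.5.0.Beta1': one fix per release line (major.minor).

    5.4.10 is newer than 5.3.18 yet still affected, because its own line is fixed at 5.4.18.
    A version on a line with no listed fix is affected only if it predates every fix
    (4.2.21 is; 6.0.0 is assumed fixed). That last rule is an assumption of this example.
    """
    v = parse_version(version)
    fixes = [parse_version(f) for f in fixed_versions]
    same_line = [f for f in fixes if f[0][:2] == v[0][:2]]
    return v < min(same_line) if same_line else v < min(fixes)


def evaluate_page_findings() -> Dict[str, bool]:
    """The three advisory/version pairs quoted on this page; True means the range applies."""
    return {
        "commons-configuration2 2.8.0, from 2.0 before 2.10.1":
            affected_in_range("2.8.0", "2.0", "2.10.1"),
        "hibernate-core 4.2.21.Final, prior to and including 5.4.23.Final":
            affected_up_to("4.2.21.Final", "5.4.23.Final"),
        "hibernate-core 4.2.21.Final, before 5.3.18, 5.4.18 and 5.5.0.Beta1":
            affected_below("4.2.21.Final", ["5.3.18", "5.4.18", "5.5.0.Beta1"]),
    }


if __name__ == "__main__":
    for finding, applies in evaluate_page_findings().items():
        print(("AFFECTED " if applies else "not affected ") + finding)
```

A range match says the advisory covers the artifact; it does not say the vulnerable path is reachable (here, whether Gemma ever passes user-controlled literals through the JPA Criteria API), which remains the triage decision. The Sonatype note on the commons-configuration2 entries is also a reminder to cross-check the range itself against a second source before acting on it.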
Hibernate definition of the Java Persistence 2.0 (JSR 317) API.
License:
license.txt
File Path: /home/jenkins/.m2/repository/org/hibernate/javax/persistence/hibernate-jpa-2.0-api/1.0.1.Final/hibernate-jpa-2.0-api-1.0.1.Final.jar
MD5: d7e7d8f60fc44a127ba702d43e71abec
SHA1: 3306a165afa81938fc3d8a0948e891de9f6b192b
SHA256: bacfb6460317d421aa2906d9e63c293b69dc1a5dac480d0f6416df50796a4bb3
Referenced In Project/Scope: Gemma REST:compile
hibernate-jpa-2.0-api-1.0.1.Final.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/org.hibernate/hibernate-core@4.2.21.Final
the core of the Object/Lucene mapper, query engine and index management
File Path: /home/jenkins/.m2/repository/org/hibernate/hibernate-search-engine/4.4.6.Final/hibernate-search-engine-4.4.6.Final.jar
MD5: 9e9d56601b801f8d22a95f93aa14b599
SHA1: b3395324b7a3ff069ceae3f929805859b6f78cd4
SHA256: c4b6df8b2045f512f65559ad0a0ad370f8dc2a41a1854142c0a826cd3f30d86c
Referenced In Project/Scope: Gemma REST:compile
hibernate-search-engine-4.4.6.Final.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/gemma/gemma-core@1.31.6
A flaw was found in hibernate-core in versions prior to and including 5.4.23.Final. A SQL injection in the implementation of the JPA Criteria API can permit unsanitized literals when a literal is used in the SQL comments of the query. This flaw could allow an attacker to access unauthorized information or possibly conduct further attacks. The highest threat from this vulnerability is to data confidentiality and integrity.
CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
A flaw was found in Hibernate ORM in versions before 5.3.18, 5.4.18 and 5.5.0.Beta1. A SQL injection in the implementation of the JPA Criteria API can permit unsanitized literals when a literal is used in the SELECT or GROUP BY parts of the query. This flaw could allow an attacker to access unauthorized information or possibly conduct further attacks.
CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
File Path: /home/jenkins/.m2/repository/org/hibernate/hibernate-search-orm/4.4.6.Final/hibernate-search-orm-4.4.6.Final.jar
MD5: 211a4877ef941c8f754e22f049076b27
SHA1: 306bbf61e5c9d5e807cf178f20de09ce65bf088d
SHA256: 62703d15aa0d11376b263e0d25abdbc25242975c62260f1795d0eae8ba6990b0
Referenced In Project/Scope: Gemma REST:compile
hibernate-search-orm-4.4.6.Final.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/gemma/gemma-core@1.31.6
A flaw was found in hibernate-core in versions prior to and including 5.4.23.Final. A SQL injection in the implementation of the JPA Criteria API can permit unsanitized literals when a literal is used in the SQL comments of the query. This flaw could allow an attacker to access unauthorized information or possibly conduct further attacks. The highest threat from this vulnerability is to data confidentiality and integrity.
CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
A flaw was found in Hibernate ORM in versions before 5.3.18, 5.4.18 and 5.5.0.Beta1. A SQL injection in the implementation of the JPA Criteria API can permit unsanitized literals when a literal is used in the SELECT or GROUP BY parts of the query. This flaw could allow an attacker to access unauthorized information or possibly conduct further attacks.
CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
File Path: /home/jenkins/.m2/repository/org/glassfish/hk2/hk2/2.5.0-b32/hk2-2.5.0-b32.jar
MD5: 31e1db921be02e0d5af049306502e730
SHA1: 0c3accae585955e49c771d464899e906ecc9ffb4
SHA256: 544704ba09f01b7079b4280c9f45c73221693e37f3f3de77953d53cbe8c3b4dc
Referenced In Project/Scope: Gemma REST:compile
hk2-2.5.0-b32.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/org.glassfish.jersey.ext/jersey-spring3@2.25.1
File Path: /home/jenkins/.m2/repository/org/glassfish/hk2/hk2-api/2.5.0-b32/hk2-api-2.5.0-b32.jar
MD5: 93322931c4ec277c5190c7cddf7ad155
SHA1: 6a576c9653832ce610b80a2f389374ef19d96171
SHA256: b3fe4f295ab8e74ea9d641717dc55e5768f1e5db3709e84235346a4d6bcde5c2
Referenced In Project/Scope: Gemma REST:compile
hk2-api-2.5.0-b32.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/org.glassfish.jersey.core/jersey-server@2.25.1
File Path: /home/jenkins/.m2/repository/org/glassfish/hk2/hk2-config/2.5.0-b32/hk2-config-2.5.0-b32.jar
MD5: 6ea901d4ede7a568fda9c3b91bebc648
SHA1: dce05ac4225dbc0c1c382ad02e3b5bee51f0168a
SHA256: 7aa82ea0bfbfe68959473414a5cb12b3a3a288795f18b1187043ae9b953e81c3
Referenced In Project/Scope: Gemma REST:compile
hk2-config-2.5.0-b32.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/org.glassfish.jersey.ext/jersey-spring3@2.25.1
File Path: /home/jenkins/.m2/repository/org/glassfish/hk2/hk2-core/2.5.0-b32/hk2-core-2.5.0-b32.jar
MD5: 9b0ee99635dcb6e04100698d4f805c90
SHA1: 8cb6a8a9522ec523b7740d29f555bdbe9d936af2
SHA256: ad86f38c17d4c0d2d4b7972ef64ae92383beb5751f05ddf8fe98da574f8412e1
Referenced In Project/Scope: Gemma REST:compile
hk2-core-2.5.0-b32.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/org.glassfish.jersey.ext/jersey-spring3@2.25.1
File Path: /home/jenkins/.m2/repository/org/glassfish/hk2/hk2-locator/2.5.0-b32/hk2-locator-2.5.0-b32.jar
MD5: 5baf0f144cf8552a9fe476b096fc18a7
SHA1: 195474f8ad0a8d130e9ea949a771bcf1215fc33b
SHA256: 27cacf80e8c088cc50f73b56344b779bdb7418e590a037659ab66b2b0cd9c492
Referenced In Project/Scope: Gemma REST:compile
hk2-locator-2.5.0-b32.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/org.glassfish.jersey.core/jersey-server@2.25.1
File Path: /home/jenkins/.m2/repository/org/glassfish/hk2/hk2-utils/2.5.0-b32/hk2-utils-2.5.0-b32.jar
MD5: acc873aece4f8e89814ac0300b549e3e
SHA1: 5108a926988c4ceda7f1e681dddfe3101454a002
SHA256: 3912c470e621eb3e469c111f4c9a4dee486e2ce9db09a65b7609e006b6c3d38e
Referenced In Project/Scope: Gemma REST:compile
hk2-utils-2.5.0-b32.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/org.glassfish.jersey.core/jersey-server@2.25.1
File Path: /home/jenkins/.m2/repository/org/apache/httpcomponents/httpclient/4.5.14/httpclient-4.5.14.jar MD5: 2cb357c4b763f47e58af6cad47df6ba3 SHA1: 1194890e6f56ec29177673f2f12d0b8e627dec98 SHA256:c8bc7e1c51a6d4ce72f40d2ebbabf1c4b68bfe76e732104b04381b493478e9d6 Referenced In Project/Scope: Gemma REST:compile httpclient-4.5.14.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/baseCode/baseCode@1.1.23
File Path: /home/jenkins/.m2/repository/org/apache/httpcomponents/httpcore/4.4.16/httpcore-4.4.16.jar MD5: 28d2cd9bf8789fd2ec774fb88436ebd1 SHA1: 51cf043c87253c9f58b539c9f7e44c8894223850 SHA256:6c9b3dd142a09dc468e23ad39aad6f75a0f2b85125104469f026e52a474e464f Referenced In Project/Scope: Gemma REST:compile httpcore-4.4.16.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/baseCode/baseCode@1.1.23
Core Jackson processing abstractions (aka Streaming API), implementation for JSON
License:
The Apache Software License, Version 2.0: https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/jenkins/.m2/repository/com/fasterxml/jackson/core/jackson-core/2.17.1/jackson-core-2.17.1.jar MD5: 9363584821290882417f1c3ceab784df SHA1: 5e52a11644cd59a28ef79f02bddc2cc3bab45edb SHA256:ddb26c8a1f1a84535e8213c48b35b253370434e3287b3cf15777856fc4e58ce6 Referenced In Project/Scope: Gemma REST:compile jackson-core-2.17.1.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/gemma/gemma-rest@1.31.6
General data-binding functionality for Jackson: works on core streaming API
License:
The Apache Software License, Version 2.0: https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/jenkins/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.17.1/jackson-databind-2.17.1.jar MD5: f0a1c37dc7d937f14e183d84f15c0f83 SHA1: 0524dcbcccdde7d45a679dfc333e4763feb09079 SHA256:b6ca2f7d5b1ab245cec5495ec339773d2d90554c48592590673fb18f4400a948 Referenced In Project/Scope: Gemma REST:compile jackson-databind-2.17.1.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/gemma/gemma-rest@1.31.6
File Path: /home/jenkins/.m2/repository/com/fasterxml/jackson/dataformat/jackson-dataformat-yaml/2.16.2/jackson-dataformat-yaml-2.16.2.jar MD5: 195173d37b475172610d4830fb66e506 SHA1: 13088f6762211f264bc0ebf5467be96d8e9e3ebf SHA256:df33f4dd29f975600d3ac2e7c891ef7a9bce33f0715680df479c63a44ddc8fa9 Referenced In Project/Scope: Gemma REST:compile jackson-dataformat-yaml-2.16.2.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/io.swagger.core.v3/swagger-core@2.2.22
File Path: /home/jenkins/.m2/repository/com/fasterxml/jackson/datatype/jackson-datatype-jsr310/2.16.2/jackson-datatype-jsr310-2.16.2.jar MD5: 17b881ce122838518321585edd2e8586 SHA1: 58e86108e4b1b1e893e7a69b1bbca880acfca143 SHA256:9d03ad6d47b5f9951b75fb0cae0760156fa827794730cd5ef6cd79d3785cc9c0 Referenced In Project/Scope: Gemma REST:compile jackson-datatype-jsr310-2.16.2.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/io.swagger.core.v3/swagger-core@2.2.22
File Path: /home/jenkins/.m2/repository/com/fasterxml/jackson/jaxrs/jackson-jaxrs-base/2.8.4/jackson-jaxrs-base-2.8.4.jar MD5: a4f28b06972a3a1228f00d391a78c528 SHA1: 6c0ceb3c9fed2e225b0cc2a45533574df393f606 SHA256:f33eebc483f6f23a3afb160a5d0199aa9e932f0bd554a2f04ad0e26b3d80e2dc Referenced In Project/Scope: Gemma REST:compile jackson-jaxrs-base-2.8.4.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/org.glassfish.jersey.media/jersey-media-json-jackson@2.25.1
File Path: /home/jenkins/.m2/repository/com/fasterxml/jackson/jaxrs/jackson-jaxrs-json-provider/2.8.4/jackson-jaxrs-json-provider-2.8.4.jar MD5: 1d6803bb4c746d7dc561805d31e831b1 SHA1: 839366ece31829a19cb15719b2b54a3f9f91148d SHA256:27e4110361836b62e3fdb8909e058518ef2f0e208ee744b4daf4ce2d644726c7 Referenced In Project/Scope: Gemma REST:compile jackson-jaxrs-json-provider-2.8.4.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/org.glassfish.jersey.media/jersey-media-json-jackson@2.25.1
File Path: /home/jenkins/.m2/repository/com/fasterxml/jackson/module/jackson-module-jaxb-annotations/2.8.4/jackson-module-jaxb-annotations-2.8.4.jar MD5: 2f72f2cfedb7f9db842ca4b3cdd4a97a SHA1: d2eec7cf6c4284f7d5f0b1a72dc7cfa9d6bb579d SHA256:07fa24560b69913166d584eb4806e09515e6dd5f2a6858defa1239119466c790 Referenced In Project/Scope: Gemma REST:compile jackson-module-jaxb-annotations-2.8.4.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/org.glassfish.jersey.media/jersey-media-json-jackson@2.25.1
File Path: /home/jenkins/.m2/repository/org/javassist/javassist/3.30.2-GA/javassist-3.30.2-GA.jar MD5: f5b827b8ddec0629cc7a6d7dafc45999 SHA1: 284580b5e42dfa1b8267058566435d9e93fae7f7 SHA256:eba37290994b5e4868f3af98ff113f6244a6b099385d9ad46881307d3cb01aaf Referenced In Project/Scope: Gemma REST:runtime javassist-3.30.2-GA.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/io.swagger.core.v3/swagger-jaxrs2@2.2.22
File Path: /home/jenkins/.m2/repository/javax/activation/javax.activation-api/1.2.0/javax.activation-api-1.2.0.jar MD5: 5e50e56bcf4a3ef3bc758f69f7643c3b SHA1: 85262acf3ca9816f9537ca47d5adeabaead7cb16 SHA256:43fdef0b5b6ceb31b0424b208b930c74ab58fac2ceeb7b3f6fd3aeb8b5ca4393 Referenced In Project/Scope: Gemma REST:compile javax.activation-api-1.2.0.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/gemma/gemma-core@1.31.6
CDDL + GPLv2 with classpath exception: https://glassfish.dev.java.net/nonav/public/CDDL+GPL.html
File Path: /home/jenkins/.m2/repository/javax/annotation/javax.annotation-api/1.2/javax.annotation-api-1.2.jar MD5: 75fe320d2b3763bd6883ae1ede35e987 SHA1: 479c1e06db31c432330183f5cae684163f186146 SHA256:5909b396ca3a2be10d0eea32c74ef78d816e1b4ead21de1d78de1f890d033e04 Referenced In Project/Scope: Gemma REST:compile javax.annotation-api-1.2.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/org.glassfish.jersey.core/jersey-server@2.25.1
File Path: /home/jenkins/.m2/repository/org/glassfish/hk2/external/javax.inject/2.5.0-b32/javax.inject-2.5.0-b32.jar MD5: b7e8633eb1e5aad9f44a37a3f3bfa8f5 SHA1: b2fa50c8186a38728c35fe6a9da57ce4cc806923 SHA256:437c92cf50a0efa6b501b8939b5b92ede7cfe4455cf06b68ec69d1b21ab921ed Referenced In Project/Scope: Gemma REST:compile javax.inject-2.5.0-b32.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/org.glassfish.jersey.core/jersey-server@2.25.1
Evidence
Type | Source | Name | Value | Confidence
Vendor | file | name | javax.inject | High
Vendor | jar | package name | inject | Highest
Vendor | jar | package name | javax | Highest
Vendor | Manifest | bundle-docurl | http://www.oracle.com | Low
Vendor | Manifest | bundle-symbolicname | org.glassfish.hk2.external.javax.inject | Medium
Vendor | pom | artifactid | javax.inject | Highest
Vendor | pom | artifactid | javax.inject | Low
Vendor | pom | groupid | org.glassfish.hk2.external | Highest
Vendor | pom | name | javax.inject: as OSGi bundle | High
Vendor | pom | name | javax.inject:${javax-inject.version} as OSGi bundle | High
Vendor | pom | parent-artifactid | external | Low
Vendor | pom | parent-groupid | org.glassfish.hk2 | Medium
Product | file | name | javax.inject | High
Product | jar | package name | inject | Highest
Product | jar | package name | javax | Highest
Product | Manifest | bundle-docurl | http://www.oracle.com | Low
Product | Manifest | Bundle-Name | javax.inject:1 as OSGi bundle | Medium
Product | Manifest | bundle-symbolicname | org.glassfish.hk2.external.javax.inject | Medium
Product | pom | artifactid | javax.inject | Highest
Product | pom | groupid | org.glassfish.hk2.external | Highest
Product | pom | name | javax.inject: as OSGi bundle | High
Product | pom | name | javax.inject:${javax-inject.version} as OSGi bundle |
File Path: /home/jenkins/.m2/repository/com/sun/mail/javax.mail/1.6.2/javax.mail-1.6.2.jar MD5: 0b81d022797740d72d21620781841374 SHA1: 935151eb71beff17a2ffac15dd80184a99a0514f SHA256:45b515e7104944c09e45b9c7bb1ce5dff640486374852dd2b2e80cc3752dfa11 Referenced In Project/Scope: Gemma REST:runtime javax.mail-1.6.2.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/gemma/gemma-core@1.31.6
CDDL + GPLv2 with classpath exception: https://oss.oracle.com/licenses/CDDL+GPL-1.1
File Path: /home/jenkins/.m2/repository/javax/resource/javax.resource-api/1.7.1/javax.resource-api-1.7.1.jar MD5: 41f26638ff807ef37845d6d89ef0e694 SHA1: f86b4d697ecd992ec6c4c6053736db16d41dc57f SHA256:c75bd698263abd9c8c773e3b433a4da2c983fbc92a0a4ef5fc3286e62f41e411 Referenced In Project/Scope: Gemma REST:compile javax.resource-api-1.7.1.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/gemma/gemma-rest@1.31.6
CDDL + GPLv2 with classpath exception: https://glassfish.dev.java.net/nonav/public/CDDL+GPL.html
File Path: /home/jenkins/.m2/repository/javax/servlet/javax.servlet-api/3.1.0/javax.servlet-api-3.1.0.jar MD5: 79de69e9f5ed8c7fcb8342585732bbf7 SHA1: 3cd63d075497751784b2fa84be59432f4905bf7c SHA256:af456b2dd41c4e82cf54f3e743bc678973d9fe35bd4d3071fa05c7e5333b8482 Referenced In Project/Scope: Gemma REST:provided javax.servlet-api-3.1.0.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/org.glassfish.jersey.test-framework/jersey-test-framework-core@2.25.1
CDDL + GPLv2 with classpath exception: https://github.com/javaee/javax.transaction/blob/master/LICENSE
File Path: /home/jenkins/.m2/repository/javax/transaction/javax.transaction-api/1.3/javax.transaction-api-1.3.jar MD5: 6e9cb1684621821248b6823143ae26c0 SHA1: e006adf5cf3cca2181d16bd640ecb80148ec0fce SHA256:603df5e4fc1eeae8f5e5d363a8be6c1fa47d0df1df8739a05cbcb9fafd6df2da Referenced In Project/Scope: Gemma REST:compile javax.transaction-api-1.3.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/javax.resource/javax.resource-api@1.7.1
File Path: /home/jenkins/.m2/repository/javax/ws/rs/javax.ws.rs-api/2.0.1/javax.ws.rs-api-2.0.1.jar MD5: edcd111cf4d3ba8ac8e1f326efc37a17 SHA1: 104e9c2b5583cfcfeac0402316221648d6d8ea6b SHA256:38607d626f2288d8fbc1b1f8a62c369e63806d9a313ac7cbc5f9d6c94f4b466d Referenced In Project/Scope: Gemma REST:compile javax.ws.rs-api-2.0.1.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/gemma/gemma-rest@1.31.6
File Path: /home/jenkins/.m2/repository/javax/xml/bind/jaxb-api/2.3.1/jaxb-api-2.3.1.jar MD5: bcf270d320f645ad19f5edb60091e87f SHA1: 8531ad5ac454cc2deb9d4d32c40c4d7451939b5d SHA256:88b955a0df57880a26a74708bc34f74dcaf8ebf4e78843a28b50eae945732b06 Referenced In Project/Scope: Gemma REST:compile jaxb-api-2.3.1.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/gemma/gemma-core@1.31.6
File Path: /home/jenkins/.m2/repository/jboss/jboss-ejb3x/4.2.2.GA/jboss-ejb3x-4.2.2.GA.jar MD5: d16f3d4ae032297b792b42f54879eeb0 SHA1: b11f499d19a6346b1446146307131ec901081bfd SHA256:17a8db82cd60b9336adc3d13eacc5cf2aaf85f821338503cecad1875e0f6e64c Referenced In Project/Scope: Gemma REST:compile jboss-ejb3x-4.2.2.GA.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/gemma/gemma-core@1.31.6
GNU Lesser General Public License, version 2.1: http://www.gnu.org/licenses/lgpl-2.1.txt
File Path: /home/jenkins/.m2/repository/org/jboss/logging/jboss-logging/3.1.0.GA/jboss-logging-3.1.0.GA.jar MD5: 735bcea3e47fd715900cfb95ec68b50f SHA1: c71f2856e7b60efe485db39b37a31811e6c84365 SHA256:dea2fe7895033bdbbe2c1688ad08a0588d9d9b0f17d53349081cc20dda31353e Referenced In Project/Scope: Gemma REST:compile jboss-logging-3.1.0.GA.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/org.hibernate/hibernate-core@4.2.21.Final
Common Development and Distribution License: http://repository.jboss.org/licenses/cddl.txt
GNU General Public License, Version 2 with the Classpath Exception: http://repository.jboss.org/licenses/gpl-2.0-ce.txt
File Path: /home/jenkins/.m2/repository/org/jboss/spec/javax/transaction/jboss-transaction-api_1.1_spec/1.0.1.Final/jboss-transaction-api_1.1_spec-1.0.1.Final.jar MD5: 679cd909d6130e6bf467b291031e1e2d SHA1: 18f0e1d42f010a8b53aa447bf274a706d5148852 SHA256:d9ccc72cdcf5450fcb8cc614b4930261d5cc5b40da6b3be783308cebcd100723 Referenced In Project/Scope: Gemma REST:compile jboss-transaction-api_1.1_spec-1.0.1.Final.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/org.hibernate/hibernate-core@4.2.21.Final
Jena is a Java framework for building Semantic Web applications. It provides a programmatic environment for RDF, RDFS and OWL, SPARQL and includes a rule-based inference engine.
File Path: /home/jenkins/.m2/repository/org/apache/jena/jena-core/2.13.0/jena-core-2.13.0.jar MD5: 21d03d936cee3e62c22978cb73115a28 SHA1: 74f2536cd41a23892acd1ef4c016bed29c81994c SHA256:5423ddf5ca2541311aadad2301743522e52bf86645fbaacc47e3a992aa9bef59 Referenced In Project/Scope: Gemma REST:compile jena-core-2.13.0.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/baseCode/baseCode@1.1.23
A vulnerability in XML processing in Apache Jena, in versions up to 4.1.0, may allow an attacker to execute XML External Entities (XXE), including exposing the contents of local files to a remote server.
CWE-611 Improper Restriction of XML External Entity Reference
The IRI module provides an implementation of the IRI and URI specifications (RFC 3987 and 3986) which are used across Jena in order to comply with relevant W3C specifications for RDF and SPARQL which require conformance to these specifications.
File Path: /home/jenkins/.m2/repository/org/apache/jena/jena-iri/1.1.2/jena-iri-1.1.2.jar MD5: eca2119771d9114c440014045cbe216b SHA1: 533fb3ae5e839c84227688e7c92c946131d6886e SHA256:6ecb4f137f9495cedf6ac5ea799905106955092905996c5674989958c12d6d94 Referenced In Project/Scope: Gemma REST:compile jena-iri-1.1.2.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/baseCode/baseCode@1.1.23
A vulnerability in XML processing in Apache Jena, in versions up to 4.1.0, may allow an attacker to execute XML External Entities (XXE), including exposing the contents of local files to a remote server.
CWE-611 Improper Restriction of XML External Entity Reference
File Path: /home/jenkins/.m2/repository/org/glassfish/jersey/core/jersey-common/2.25.1/jersey-common-2.25.1.jar MD5: d1f25f421cafb38efb49e2fef0799339 SHA1: 2438ce68d4907046095ab54aa83a6092951b4bbb SHA256:4df653fc69d5feec7ad1928018f964e12a7513bcea7b5e8b1aa4b1f5a815815f Referenced In Project/Scope: Gemma REST:compile jersey-common-2.25.1.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/org.glassfish.jersey.core/jersey-server@2.25.1
Eclipse Jersey 2.28 to 2.33 and Eclipse Jersey 3.0.0 to 3.0.1 contain a local information disclosure vulnerability. This is due to the use of File.createTempFile, which creates a file inside the system temporary directory with the permissions -rw-r--r--. Thus the contents of this file are readable by all other local users on the system. As such, if the contents written are security sensitive, they can be disclosed to other local users.
CWE-378 Creation of Temporary File With Insecure Permissions
File Path: /home/jenkins/.m2/repository/org/glassfish/jersey/core/jersey-server/2.25.1/jersey-server-2.25.1.jar MD5: 92dad916eab7a19c5398838a78ee9cab SHA1: 276e2ee0fd1cdabf99357fce560c5baab675b1a2 SHA256:4b9cdae8eae88b75762614b9a458f5aac47cf6486fe408206fc64e38b80469ae Referenced In Project/Scope: Gemma REST:compile jersey-server-2.25.1.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/gemma/gemma-rest@1.31.6
JFreeChart is a class library, written in Java, for generating charts.
Utilising the Java2D API, it supports a wide range of chart types including
bar charts, pie charts, line charts, XY-plots, time series plots, Sankey charts
and more.
License:
GNU Lesser General Public Licence: http://www.gnu.org/licenses/lgpl.txt
File Path: /home/jenkins/.m2/repository/org/jfree/jfreechart/1.5.4/jfreechart-1.5.4.jar MD5: 36e760314d688997c7e5ad135a3efc44 SHA1: 9a5edddb05a3ca4fbc0628c594e6641a6f36a3b4 SHA256:cd0649b04b64f2638b55c7c3ac24788ff064b777bbbaf1b952f82ee078ed8b81 Referenced In Project/Scope: Gemma REST:compile jfreechart-1.5.4.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/gemma/gemma-rest@1.31.6
JFreeChart v1.5.4 was discovered to be vulnerable to ArrayIndexOutOfBounds via the 'setSeriesNeedle(int index, int type)' method. NOTE: this is disputed by multiple third parties who believe there was not reasonable evidence to determine the existence of a vulnerability. The submission may have been based on a tool that is not sufficiently robust for vulnerability identification.
JFreeChart v1.5.4 was discovered to contain a NullPointerException via the component /chart/annotations/CategoryLineAnnotation. NOTE: this is disputed by multiple third parties who believe there was not reasonable evidence to determine the existence of a vulnerability. The submission may have been based on a tool that is not sufficiently robust for vulnerability identification.
JFreeChart v1.5.4 was discovered to contain a NullPointerException via the component /labels/BubbleXYItemLabelGenerator.java. NOTE: this is disputed by multiple third parties who believe there was not reasonable evidence to determine the existence of a vulnerability. The submission may have been based on a tool that is not sufficiently robust for vulnerability identification.
File Path: /home/jenkins/.m2/repository/com/github/fommil/jniloader/1.1/jniloader-1.1.jar MD5: a9f5b7619b4329c6b6588a5d25164949 SHA1: 4840f897eeb54d67ee14e478f8a45cc9937f3ce1 SHA256:2f1def54f30e1db5f1e7f2fd600fe2ab331bd6b52037e9a21505c237020b5573 Referenced In Project/Scope: Gemma REST:compile jniloader-1.1.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/baseCode/baseCode@1.1.23
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/jenkins/.m2/repository/com/google/code/findbugs/jsr305/3.0.2/jsr305-3.0.2.jar MD5: dd83accb899363c32b07d7a1b2e4ce40 SHA1: 25ea2e8b0c338a877313bd4672d3fe056ea78f0d SHA256:766ad2a0783f2687962c8ad74ceecc38a28b9f72a2d085ee438b7813e928d0c7 Referenced In Project/Scope: Gemma REST:compile jsr305-3.0.2.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/gemma/gemma-rest@1.31.6
File Path: /home/jenkins/.m2/repository/org/apache/logging/log4j/log4j-core/2.23.1/log4j-core-2.23.1.jar MD5: 34fad2df975cf874a2fdf4b797122f16 SHA1: 905802940e2c78042d75b837c136ac477d2b4e4d SHA256:7079368005fc34f56248f57f8a8a53361c3a53e9007d556dbc66fc669df081b5 Referenced In Project/Scope: Gemma REST:compile log4j-core-2.23.1.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/gemma/gemma-rest@1.31.6
File Path: /home/jenkins/.m2/repository/org/apache/logging/log4j/log4j-slf4j-impl/2.23.1/log4j-slf4j-impl-2.23.1.jar MD5: c5a27e08e18600d379d0ca72d71838b8 SHA1: 9ef67909a1b4eae999af4c7a211ab2379e4b86c2 SHA256:210742c8fb85b0dcc26a9d74a32fbc828e0429087dee3d2920d4a76b1eb96d91 Referenced In Project/Scope: Gemma REST:runtime log4j-slf4j-impl-2.23.1.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/gemma/gemma-rest@1.31.6
Spice up your java: Automatic Resource Management, automatic generation of getters, setters, equals, hashCode and toString, and more!
License:
The MIT License: https://projectlombok.org/LICENSE
File Path: /home/jenkins/.m2/repository/org/projectlombok/lombok/1.18.32/lombok-1.18.32.jar MD5: 56e9be7b9a26802ac0c784ad824f3a29 SHA1: 17d46b3e205515e1e8efd3ee4d57ce8018914163 SHA256:97574674e2a25f567a313736ace00df8787d443de316407d57fc877d9f19a65d Referenced In Project/Scope: Gemma REST:compile lombok-1.18.32.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/gemma/gemma-rest@1.31.6
File Path: /home/jenkins/.m2/repository/org/apache/lucene/lucene-analyzers/3.6.2/lucene-analyzers-3.6.2.jar MD5: 13f8241b6991bd1349c05369a7c0f002 SHA1: 3a083510dcb0d0fc67f8456cdac6f48aa0da2993 SHA256:82f9f78ff2143f1895ac04500aa47fdac3c52632a08522dde7dbb0f0c082801f Referenced In Project/Scope: Gemma REST:compile lucene-analyzers-3.6.2.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/gemma/gemma-core@1.31.6
File Path: /home/jenkins/.m2/repository/org/apache/lucene/lucene-core/3.6.2/lucene-core-3.6.2.jar MD5: ee396d04f5a35557b424025f5382c815 SHA1: 9ec77e2507f9cc01756964c71d91efd8154a8c47 SHA256:cef4436bae85c31417443284f736e321511cd1615268103378a9bf00b1df036d Referenced In Project/Scope: Gemma REST:compile lucene-core-3.6.2.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/gemma/gemma-core@1.31.6
File Path: /home/jenkins/.m2/repository/org/apache/lucene/lucene-facet/3.6.2/lucene-facet-3.6.2.jar MD5: c14d30cca1f61cfcc16678db730516f1 SHA1: 72ae9f9115c4beb5f3e32b71966723a10cf4c083 SHA256:62ad5faecbf0f2da93ce495395d432e02e7715accaa0c074c94ec760e9de60fa Referenced In Project/Scope: Gemma REST:compile lucene-facet-3.6.2.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/gemma/gemma-core@1.31.6
File Path: /home/jenkins/.m2/repository/org/apache/lucene/lucene-grouping/3.6.2/lucene-grouping-3.6.2.jar MD5: 14598baf52660d5a1f282791ce09cc70 SHA1: 77c16722fc1ab2a42634dde6478ed2662c0a061a SHA256:b1ac49babb6d325105b6646807d9abec97f3007a9bff581870e8f2b882d6dc10 Referenced In Project/Scope: Gemma REST:compile lucene-grouping-3.6.2.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/gemma/gemma-core@1.31.6
File Path: /home/jenkins/.m2/repository/org/apache/lucene/lucene-highlighter/3.6.2/lucene-highlighter-3.6.2.jar MD5: f75c4869b55c060e2a313f6416ee68cf SHA1: a90682c6bc0b9e105bd260c9a041fefea9579e46 SHA256:377b2ddcb7c902daf5dd3d22a1ff5b8da4ad6f7fd6c5e5da4731d17a8d935534 Referenced In Project/Scope: Gemma REST:compile lucene-highlighter-3.6.2.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/gemma/gemma-core@1.31.6
File Path: /home/jenkins/.m2/repository/org/apache/lucene/lucene-kuromoji/3.6.2/lucene-kuromoji-3.6.2.jar MD5: d8d1afc4ab28eee2f775e01b39808e78 SHA1: f117e4b867987406b26069bb0fbd889ace21badd SHA256:63f249909f29cf7b796a47a3816a72b30b2062ee37d2ce97942dfbc96e409bda Referenced In Project/Scope: Gemma REST:compile lucene-kuromoji-3.6.2.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/gemma/gemma-core@1.31.6
High-performance single-document index to compare against Query
File Path: /home/jenkins/.m2/repository/org/apache/lucene/lucene-memory/3.6.2/lucene-memory-3.6.2.jar MD5: 765143db9e68cf91ac1c2070a2db6769 SHA1: 11846819b2f661b229d6ce861bc857774c0c4cdb SHA256:d99058d68f4853457f47957a84b7a41078c3afd5a377735d82eaf4fc99f23415 Referenced In Project/Scope: Gemma REST:compile lucene-memory-3.6.2.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/gemma/gemma-core@1.31.6
File Path: /home/jenkins/.m2/repository/org/apache/lucene/lucene-misc/3.6.2/lucene-misc-3.6.2.jar MD5: eecbfe3cf5b047a9dab6933ee44f24d9 SHA1: 2e64f8dc9cc1df63f98426aa46aae0f5fe8cee13 SHA256:4f957c6489be9337178167c874074742e39e3b8ea10d8b83de79704415db1642 Referenced In Project/Scope: Gemma REST:compile lucene-misc-3.6.2.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/gemma/gemma-core@1.31.6
File Path: /home/jenkins/.m2/repository/org/apache/lucene/lucene-phonetic/3.6.2/lucene-phonetic-3.6.2.jar MD5: 9bca3c6ca60efa9cbeb097c9fc3f6d30 SHA1: 89268de870916789e041e676a2888c8a7d6e0ea2 SHA256:cc987497e66ba8c12970c080671247f029dadeb2d9ab7dae10363a6bb5430845 Referenced In Project/Scope: Gemma REST:compile lucene-phonetic-3.6.2.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/gemma/gemma-core@1.31.6
File Path: /home/jenkins/.m2/repository/org/apache/lucene/lucene-smartcn/3.6.2/lucene-smartcn-3.6.2.jar MD5: 3935444a27b519b8e11b411f81b53446 SHA1: e86dfea83d8fa5062145025c1f06ca27f9a49cab SHA256:e4f24de68ac692c11fa6c906653599f0c50445f65b8af84d44d27afeeb909735 Referenced In Project/Scope: Gemma REST:compile lucene-smartcn-3.6.2.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/gemma/gemma-core@1.31.6
File Path: /home/jenkins/.m2/repository/org/apache/lucene/lucene-spatial/3.6.2/lucene-spatial-3.6.2.jar MD5: 85f76ee4b163cc6d13b36e225add5603 SHA1: 52e29032cfadec88dfe604257106ac038260b53b SHA256:53139893aec0b576f3816592dda7051595759b1848e776d93e5b6efdd8c6f14e Referenced In Project/Scope: Gemma REST:compile lucene-spatial-3.6.2.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/gemma/gemma-core@1.31.6
File Path: /home/jenkins/.m2/repository/org/apache/lucene/lucene-spellchecker/3.6.2/lucene-spellchecker-3.6.2.jar MD5: a4b684913f93aea76f5dbd7e479f19c5 SHA1: 15db0c0cfee44e275f15ad046e46b9a05910ad24 SHA256:307bb7da7f19b30326ea0163d470597854964796cbfef56b8fc7f9b3241dc609 Referenced In Project/Scope: Gemma REST:compile lucene-spellchecker-3.6.2.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/gemma/gemma-core@1.31.6
File Path: /home/jenkins/.m2/repository/org/apache/lucene/lucene-stempel/3.6.2/lucene-stempel-3.6.2.jar MD5: 0c87d87198b314ff4afdb8a63c1a702e SHA1: a0b8b2e20fd04724fbbd6a67037f5a1a98feed72 SHA256:0b9dd990e3515e3f253eae4a6e614bf9c980c2e04211f6529a34b6c6d95b1dc8 Referenced In Project/Scope: Gemma REST:compile lucene-stempel-3.6.2.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/gemma/gemma-core@1.31.6
Metrics is a Java library which gives you unparalleled insight into what your code does in
production. Metrics provides a powerful toolkit of ways to measure the behavior of critical
components in your production environment.
File Path: /home/jenkins/.m2/repository/io/dropwizard/metrics/metrics-core/4.2.25/metrics-core-4.2.25.jar MD5: f9476a4f1a8287f7a4a2af759c33e44a SHA1: 76162cb1f7a6f902da4f80e5bcf472078e8cd7e1 SHA256:8bc7de609a2816b78a7a5009bddf11be560ba527d44db74a0a31a6f44fdb5b5f Referenced In Project/Scope: Gemma REST:compile metrics-core-4.2.25.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/io.micrometer/micrometer-registry-jmx@1.13.0
File Path: /home/jenkins/.m2/repository/io/dropwizard/metrics/metrics-jmx/4.2.25/metrics-jmx-4.2.25.jar MD5: b8ec52ac806adc0f8dcd3cbc855b9f42 SHA1: 8d57d9f33530fef4ed3489dc8d1351deb18d1f15 SHA256:6b6956f8eecc18b3712e266fccde58bc0844169e79214cea9d0f6dcc822ec714 Referenced In Project/Scope: Gemma REST:compile metrics-jmx-4.2.25.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/io.micrometer/micrometer-registry-jmx@1.13.0
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/jenkins/.m2/repository/io/micrometer/micrometer-commons/1.13.0/micrometer-commons-1.13.0.jar MD5: 92e95856a39f7b1319d1cb9131f1bfc5 SHA1: 156a59aff8d72c5e631eb4a2d739373ed5881609 SHA256:039aef255b5092561fdf649367fd0ff9af8da00aadb25f0c60cf30ebad8dceb8 Referenced In Project/Scope: Gemma REST:compile micrometer-commons-1.13.0.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/io.micrometer/micrometer-core@1.13.0
Core module of Micrometer containing instrumentation API and implementation
License:
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/jenkins/.m2/repository/io/micrometer/micrometer-core/1.13.0/micrometer-core-1.13.0.jar MD5: cc5834ef064a952d17392cbc0216d8c8 SHA1: d7ed656fbc54fde5a03d978fc0d66f270cc4a997 SHA256:1ced414878f151d08617b47732fa67a5d06b47b63903e2722f40e2294e883643 Referenced In Project/Scope: Gemma REST:compile micrometer-core-1.13.0.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/gemma/gemma-rest@1.31.6
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/jenkins/.m2/repository/io/micrometer/micrometer-observation/1.13.0/micrometer-observation-1.13.0.jar MD5: 9a5c0482f47a2fb1b1f9812ae2e251d4 SHA1: 5aa75fbb4367dc3b28e557d14535d21335dc8985 SHA256:33e7c9de55ef34ae502a2ad6c4c9786563b6d44eca2cbd2b832911594b378858 Referenced In Project/Scope: Gemma REST:compile micrometer-observation-1.13.0.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/io.micrometer/micrometer-core@1.13.0
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/jenkins/.m2/repository/io/micrometer/micrometer-registry-jmx/1.13.0/micrometer-registry-jmx-1.13.0.jar MD5: ee24c9ffae39c0984582c5e68edba3ae SHA1: 61e1dfeafa02d4b057d8bdfd48092d44a9835f2c SHA256:521334321adb38bf27e2f818b7d02d34b6737930b186e186594873bf2c346299 Referenced In Project/Scope: Gemma REST:compile micrometer-registry-jmx-1.13.0.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/gemma/gemma-rest@1.31.6
A comprehensive collection of matrix data structures, linear solvers, least squares methods,
eigenvalue, and singular value decompositions.
License:
GNU Lesser General Public License: http://www.gnu.org/licenses/lgpl.html
File Path: /home/jenkins/.m2/repository/com/googlecode/matrix-toolkits-java/mtj/1.0.4/mtj-1.0.4.jar MD5: 846c7a7311d492c6102afd23647f46cc SHA1: e14ed840ff5e15de92dba2d1af29201fa70a0f35 SHA256:27a53db335bc6af524b30f97ec3fb4b6df65e7648d70e752447c7dd9bc4697c8 Referenced In Project/Scope: Gemma REST:compile mtj-1.0.4.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/baseCode/baseCode@1.1.23
The GNU General Public License, v2 with Universal FOSS Exception, v1.0
File Path: /home/jenkins/.m2/repository/com/mysql/mysql-connector-j/8.4.0/mysql-connector-j-8.4.0.jar MD5: 2607d710106276083d26e6a1505948d7 SHA1: b1bc0f47bcad26ad5f9bceefb63fcb920d868fca SHA256: d77962877d010777cff997015da90ee689f0f4bb76848340e1488f2b83332af5 Referenced In Project/Scope: Gemma REST:compile mysql-connector-j-8.4.0.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/gemma/gemma-rest@1.31.6
Evidence
Type | Source | Name | Value | Confidence
Vendor | file | name | mysql-connector-j | High
Vendor | hint analyzer | vendor | oracle | Highest
Vendor | hint analyzer (hint) | vendor | sun | Highest
Vendor | jar | package name | cj | Highest
Vendor | jar | package name | driver | Highest
Vendor | jar | package name | jdbc | Highest
Vendor | jar | package name | mysql | Highest
Vendor | jar | package name | type | Highest
Vendor | Manifest | bundle-symbolicname | com.mysql.cj | Medium
Vendor | Manifest | Implementation-Vendor | Oracle | High
Vendor | Manifest | Implementation-Vendor-Id | com.mysql | Medium
Vendor | Manifest | specification-vendor | Oracle Corporation | Low
Vendor | Manifest (hint) | Implementation-Vendor | sun | High
Vendor | pom | artifactid | mysql-connector-j | Highest
Vendor | pom | artifactid | mysql-connector-j | Low
Vendor | pom | developer email | filipe.silva@oracle.com | Low
Vendor | pom | developer name | Filipe Silva | Medium
Vendor | pom | developer org | Oracle Corporation | Medium
Vendor | pom | developer org URL | https://www.oracle.com/ | Medium
Vendor | pom | groupid | com.mysql | Highest
Vendor | pom | name | MySQL Connector/J | High
Vendor | pom | organization name | Oracle Corporation | High
Vendor | pom | organization url | https://www.oracle.com/ | Medium
Vendor | pom | url | http://dev.mysql.com/doc/connector-j/en/ | Highest
Product | file | name | mysql-connector-j | High
Product | hint analyzer | product | mysql_connector/j | Highest
Product | hint analyzer | product | mysql_connector_j | Highest
Product | hint analyzer | product | mysql_connectors | Highest
Product | jar | package name | cj | Highest
Product | jar | package name | driver | Highest
Product | jar | package name | jdbc | Highest
Product | jar | package name | mysql | Highest
Product | jar | package name | type | Highest
Product | jar | package name | xdevapi | Highest
Product | Manifest | Bundle-Name | Oracle Corporation's JDBC and XDevAPI Driver for MySQL |
File Path: /home/jenkins/.m2/repository/com/github/fommil/netlib/native_ref-java/1.1/native_ref-java-1.1.jar MD5: 1aac8a554c0a9b36340e8eba1c8a8ba9 SHA1: 408c71ffbc3646dda7bee1e22bf19101e5e9ee90 SHA256: 120ca95d3a7b4646f44c3bcebdf7a149ec4f8cccf731a13bd84da103b836e236 Referenced In Project/Scope: Gemma REST:compile native_ref-java-1.1.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/baseCode/baseCode@1.1.23
File Path: /home/jenkins/.m2/repository/com/github/fommil/netlib/native_system-java/1.1/native_system-java-1.1.jar MD5: 7244aab504c9fdce6c320498459b9432 SHA1: 3c6a2455f96b354a6940dce1393abb35ed7641da SHA256: 2414fc6e29b73ba40e0df21ab9618e4f5dc5ac66aab32bd81ee213a68796155d Referenced In Project/Scope: Gemma REST:compile native_system-java-1.1.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/baseCode/baseCode@1.1.23
File Path: /home/jenkins/.m2/repository/com/github/fommil/netlib/netlib-native_ref-linux-armhf/1.1/netlib-native_ref-linux-armhf-1.1-natives.jar MD5: e2ff3e665c6eea38eb975e2ecf1abaa7 SHA1: ec467162f74710fd8897cff6888534ceaf297d9a SHA256: 1d9ff5c35a542f598bd8d01c12d838ac4f457beae528f0b1930f21c0bff3eaae Referenced In Project/Scope: Gemma REST:compile netlib-native_ref-linux-armhf-1.1-natives.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/baseCode/baseCode@1.1.23
File Path: /home/jenkins/.m2/repository/com/github/fommil/netlib/netlib-native_ref-linux-i686/1.1/netlib-native_ref-linux-i686-1.1-natives.jar MD5: 101fb0618fbf80d1392d9e6bf2eaa8e1 SHA1: eedd845b214aea560bce317d778ebb52f8f46038 SHA256: bf1dcc3b32a32bde8bd897b8c7da21cbd75b9febb89321a11b4f9a254aeb92ec Referenced In Project/Scope: Gemma REST:compile netlib-native_ref-linux-i686-1.1-natives.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/baseCode/baseCode@1.1.23
File Path: /home/jenkins/.m2/repository/com/github/fommil/netlib/netlib-native_ref-linux-x86_64/1.1/netlib-native_ref-linux-x86_64-1.1-natives.jar MD5: 950476b98b61793f045aab84f471fb96 SHA1: 05a3e5787d03c39790d5ae08cce189dd1ccc4a38 SHA256: f9034b22e89352ea1ba0c1edfb7529057c6b6acd651babb58839af19897e8ac0 Referenced In Project/Scope: Gemma REST:compile netlib-native_ref-linux-x86_64-1.1-natives.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/baseCode/baseCode@1.1.23
File Path: /home/jenkins/.m2/repository/com/github/fommil/netlib/netlib-native_ref-osx-x86_64/1.1/netlib-native_ref-osx-x86_64-1.1-natives.jar MD5: 38b6cb1ce53e3793c48e1d99848d1600 SHA1: 80da53ec862f283dc3b191b9dbd3166ea6671831 SHA256: fbe45f80be86fb809eb159b75ba45433cbba2b5fb6814758d1f15823b2b17438 Referenced In Project/Scope: Gemma REST:compile netlib-native_ref-osx-x86_64-1.1-natives.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/baseCode/baseCode@1.1.23
File Path: /home/jenkins/.m2/repository/com/github/fommil/netlib/netlib-native_ref-win-i686/1.1/netlib-native_ref-win-i686-1.1-natives.jar MD5: 5f94993d3cffa7a46fb3ac1f5c28afd8 SHA1: 167fb794a26cb0bfc74890c704c7137b1d5b50fd SHA256: 0dcdc8348430365f7d912dcffb13d4c133810fbc3f3334123edb7c7f88990c5f Referenced In Project/Scope: Gemma REST:compile netlib-native_ref-win-i686-1.1-natives.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/baseCode/baseCode@1.1.23
File Path: /home/jenkins/.m2/repository/com/github/fommil/netlib/netlib-native_ref-win-x86_64/1.1/netlib-native_ref-win-x86_64-1.1-natives.jar MD5: d310ba2205a98b5d3219dbe1a66a0301 SHA1: 4ab54511c2844546279d9f8e427c73953b794686 SHA256: 322a4d1a9cdfa284b1025b3d85c9ece18605be2caf795abfbaa366eb403fbf32 Referenced In Project/Scope: Gemma REST:compile netlib-native_ref-win-x86_64-1.1-natives.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/baseCode/baseCode@1.1.23
File Path: /home/jenkins/.m2/repository/com/github/fommil/netlib/netlib-native_system-linux-armhf/1.1/netlib-native_system-linux-armhf-1.1-natives.jar MD5: 09def97e97d35ff4be5692b3d33d4bfc SHA1: 27ae9f6a9c88b3f8d12ffa52d62941615f8ed416 SHA256: aab65e3a3f3f664496dc512bea38d5ece0723799770f2aa608a4f1410342cb96 Referenced In Project/Scope: Gemma REST:compile netlib-native_system-linux-armhf-1.1-natives.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/baseCode/baseCode@1.1.23
File Path: /home/jenkins/.m2/repository/com/github/fommil/netlib/netlib-native_system-linux-i686/1.1/netlib-native_system-linux-i686-1.1-natives.jar MD5: 93769919423f7fd54ee2347784d2c9d3 SHA1: dd43225560dbd9115d306f9be3ca195aed236b78 SHA256: ecfd3c4e442411be9bc9aa74ea1b28b0fdf201dda00fe4559c68cde6e311520f Referenced In Project/Scope: Gemma REST:compile netlib-native_system-linux-i686-1.1-natives.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/baseCode/baseCode@1.1.23
File Path: /home/jenkins/.m2/repository/com/github/fommil/netlib/netlib-native_system-linux-x86_64/1.1/netlib-native_system-linux-x86_64-1.1-natives.jar MD5: 39de4e1383f61881098e2e66cbb2b475 SHA1: 163e88facabe7fa29952890dc2d3429e28501120 SHA256: 9a929390c8c4845a2bff01e7bc0d8381fcc89ebc147c037f877f02b19806d013 Referenced In Project/Scope: Gemma REST:compile netlib-native_system-linux-x86_64-1.1-natives.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/baseCode/baseCode@1.1.23
File Path: /home/jenkins/.m2/repository/com/github/fommil/netlib/netlib-native_system-osx-x86_64/1.1/netlib-native_system-osx-x86_64-1.1-natives.jar MD5: ab50d62f2ffd44c4623d915ae11e0f37 SHA1: d724e33675dc8eaa5c8fcb05a3aaca6f3339afa7 SHA256: 07230441e6d7985e30e13b4c6844c6388324a971e1d3c5d46880a213b37a4dd1 Referenced In Project/Scope: Gemma REST:compile netlib-native_system-osx-x86_64-1.1-natives.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/baseCode/baseCode@1.1.23
File Path: /home/jenkins/.m2/repository/com/github/fommil/netlib/netlib-native_system-win-i686/1.1/netlib-native_system-win-i686-1.1-natives.jar MD5: c83df62ee7516fb876c499921d2da434 SHA1: c25fd1881cf93f7716f47b7deec859f6b6b7be50 SHA256: 65b4900fd4fdc6715d3d48cfac2a7809cab5ed626f20e212a747f579bb60a40a Referenced In Project/Scope: Gemma REST:compile netlib-native_system-win-i686-1.1-natives.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/baseCode/baseCode@1.1.23
File Path: /home/jenkins/.m2/repository/com/github/fommil/netlib/netlib-native_system-win-x86_64/1.1/netlib-native_system-win-x86_64-1.1-natives.jar MD5: 2de500c3ad6bde324f59977f67dc33cc SHA1: 222c7915be1daf1c26a4206f375d4957ae5f9d81 SHA256: d855c2fc7d70ffddaac504b556c6cc7c33288d85c173386e47921f44bbb34202 Referenced In Project/Scope: Gemma REST:compile netlib-native_system-win-x86_64-1.1-natives.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/baseCode/baseCode@1.1.23
File Path: /home/jenkins/.m2/repository/com/opencsv/opencsv/5.9/opencsv-5.9.jar MD5: 8cee3b4e9ebeba7bd2834831a969d97c SHA1: 284ea0b60a24b71a530100783185e7d547ab5339 SHA256: 2023969b86ce968ad8ae549648ac587d141c19ae684a9a5c67c9105f37ab0d1c Referenced In Project/Scope: Gemma REST:compile opencsv-5.9.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/baseCode/baseCode@1.1.23
File Path: /home/jenkins/.m2/repository/obo/org.geneontology/1.002/org.geneontology-1.002.jar MD5: fd0489a45e4d8c8ea83b2ec5ba86a59c SHA1: 831ea4bc937235c49cb1b7fac5d612041aff29f3 SHA256: 5d50f3b29d7b023e0716c06d5a6c48a754f80306856b407596a6823cbd066bae Referenced In Project/Scope: Gemma REST:compile org.geneontology-1.002.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/gemma/gemma-core@1.31.6
File Path: /home/jenkins/.m2/repository/org/glassfish/hk2/osgi-resource-locator/1.0.1/osgi-resource-locator-1.0.1.jar MD5: 51e70ad8fc9d1e9fb19debeb55555b75 SHA1: 4ed2b2d4738aed5786cfa64cba5a332779c4c708 SHA256: 775003be577e8806f51b6e442be1033d83be2cb2207227b349be0bf16e6c0843 Referenced In Project/Scope: Gemma REST:compile osgi-resource-locator-1.0.1.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/org.glassfish.jersey.core/jersey-server@2.25.1
Evidence
Type | Source | Name | Value | Confidence
Vendor | file | name | osgi-resource-locator | High
Vendor | jar | package name | glassfish | Highest
Vendor | jar | package name | hk2 | Highest
Vendor | Manifest | bundle-activationpolicy | lazy | Low
Vendor | Manifest | bundle-docurl | https://glassfish.dev.java.net | Low
Vendor | Manifest | bundle-symbolicname | org.glassfish.hk2.osgi-resource-locator | Medium
Vendor | pom | artifactid | osgi-resource-locator | Highest
Vendor | pom | artifactid | osgi-resource-locator | Low
Vendor | pom | developer id | ss141213 | Medium
Vendor | pom | developer name | Sahoo | Medium
Vendor | pom | developer org | Sun Microsystems, Inc. | Medium
Vendor | pom | groupid | org.glassfish.hk2 | Highest
Vendor | pom | name | OSGi resource locator bundle - used by various API providers that rely on META-INF/services mechanism to locate providers. | High
Vendor | pom | parent-artifactid | pom | Low
Vendor | pom | parent-groupid | org.glassfish | Medium
Product | file | name | osgi-resource-locator | High
Product | jar | package name | glassfish | Highest
Product | jar | package name | hk2 | Highest
Product | Manifest | bundle-activationpolicy | lazy | Low
Product | Manifest | bundle-docurl | https://glassfish.dev.java.net | Low
Product | Manifest | Bundle-Name | OSGi resource locator bundle - used by various API providers that rely on META-INF/services mechanism to locate providers. | Medium
Product | Manifest | bundle-symbolicname | org.glassfish.hk2.osgi-resource-locator | Medium
Product | pom | artifactid | osgi-resource-locator | Highest
Product | pom | developer id | ss141213 | Low
Product | pom | developer name | Sahoo | Low
Product | pom | developer org | Sun Microsystems, Inc. | Low
Product | pom | groupid | org.glassfish.hk2 | Highest
Product | pom | name | OSGi resource locator bundle - used by various API providers that rely on META-INF/services mechanism to locate providers. |
Apache POI - Java API To Access Microsoft Format Files
License:
Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/jenkins/.m2/repository/org/apache/poi/poi/5.2.5/poi-5.2.5.jar MD5: c7725f44e62223d1f37e7a4883f01425 SHA1: 7e00f6b2f76375fe89022d5a7db8acb71cbd55f5 SHA256: 352e1b44a5777af2df3d7dc408cda9f75f932d0e0125fa1a7d336a13c0a663a7 Referenced In Project/Scope: Gemma REST:compile poi-5.2.5.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/baseCode/baseCode@1.1.23
File Path: /home/jenkins/.m2/repository/com/google/protobuf/protobuf-java/3.25.1/protobuf-java-3.25.1.jar MD5: 7dc81d3c2187ce5627d134a37df88cc0 SHA1: 2933a5c3f022456d8842323fe0d7fb2d25a7e3c7 SHA256: 48a8e58a1a8f82eff141a7a388d38dfe77d7a48d5e57c9066ee37f19147e20df Referenced In Project/Scope: Gemma REST:compile protobuf-java-3.25.1.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/com.mysql/mysql-connector-j@8.4.0
File Path: /home/jenkins/.m2/repository/org/slf4j/slf4j-api/1.7.36/slf4j-api-1.7.36.jar MD5: 872da51f5de7f3923da4de871d57fd85 SHA1: 6c62681a2f655b49963a5983b8b0950a6120ae14 SHA256: d3ef575e3e4979678dc01bf1dcce51021493b4d11fb7f1be8ad982877c16a1c0 Referenced In Project/Scope: Gemma REST:compile slf4j-api-1.7.36.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/io.swagger.core.v3/swagger-core@2.2.22
Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/jenkins/.m2/repository/org/yaml/snakeyaml/2.2/snakeyaml-2.2.jar MD5: d78aacf5f2de5b52f1a327470efd1ad7 SHA1: 3af797a25458550a16bf89acc8e4ab2b7f2bfce0 SHA256: 1467931448a0817696ae2805b7b8b20bfb082652bf9c4efaed528930dc49389b Referenced In Project/Scope: Gemma REST:compile snakeyaml-2.2.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/io.swagger.core.v3/swagger-core@2.2.22
File Path: /home/jenkins/.m2/repository/org/apache/solr/solr-core/3.6.2/solr-core-3.6.2.jar MD5: 5c1ed4b8c48a422451f4566bc1a60d3a SHA1: 6a7fd7092ba403e9002dd935bbf6a42141a80c8c SHA256: 4369b38e5f600c81653f221776d7087aa7428084795d5fe7bf9896fd3ac83377 Referenced In Project/Scope: Gemma REST:compile solr-core-3.6.2.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/gemma/gemma-core@1.31.6
The ReplicationHandler (normally registered at "/replication" under a Solr core) in Apache Solr has a "masterUrl" (also "leaderUrl" alias) parameter that is used to designate another ReplicationHandler on another Solr core to replicate index data into the local core. To prevent a SSRF vulnerability, Solr ought to check these parameters against a similar configuration it uses for the "shards" parameter. Prior to this bug getting fixed, it did not. This problem affects essentially all Solr versions prior to it getting fixed in 8.8.2.
An Improper Input Validation vulnerability in DataImportHandler of Apache Solr allows an attacker to provide a Windows UNC path resulting in an SMB network call being made from the Solr host to another host on the network. If the attacker has wider access to the network, this may lead to SMB attacks, which may result in:
* The exfiltration of sensitive data such as OS user hashes (NTLM/LM hashes),
* In case of misconfigured systems, SMB Relay Attacks which can lead to user impersonation on SMB Shares or, in a worse-case scenario, Remote Code Execution
This issue affects all Apache Solr versions prior to 8.11.1. This issue only affects Windows.
CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'), CWE-20 Improper Input Validation, CWE-40 Path Traversal: '\\UNC\share\name\' (Windows UNC Share)
When using ConfigurableInternodeAuthHadoopPlugin for authentication, Apache Solr versions prior to 8.8.2 would forward/proxy distributed requests using server credentials instead of original client credentials. This would result in incorrect authorization resolution on the receiving hosts.
Reported in SOLR-14515 (private) and fixed in SOLR-14561 (public), released in Solr version 8.6.0. The Replication handler (https://lucene.apache.org/solr/guide/8_6/index-replication.html#http-api-commands-for-the-replicationhandler) allows commands backup, restore and deleteBackup. Each of these take a location parameter, which was not validated, i.e. you could read/write to any location the solr user can access.
The (1) UpdateRequestHandler for XSLT or (2) XPathEntityProcessor in Apache Solr before 4.1 allows remote attackers to have an unspecified impact via XML data containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue, different vectors than CVE-2013-6407.
When using the Index Replication feature, Apache Solr nodes can pull index files from a master/leader node using an HTTP API which accepts a file name. However, Solr before 5.5.4 and 6.x before 6.4.1 did not validate the file name, hence it was possible to craft a special request involving path traversal, leaving any file readable to the Solr server process exposed. Solr servers protected and restricted by firewall rules and/or authentication would not be at risk since only trusted clients and users would gain direct HTTP access.
CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Server Side Request Forgery in Apache Solr, versions 1.3 until 7.6 (inclusive). Since the "shards" parameter does not have a corresponding whitelist mechanism, a remote attacker with access to the server could make Solr perform an HTTP GET request to any reachable URL.
This vulnerability in Apache Solr 1.2 to 6.6.2 and 7.0.0 to 7.2.1 relates to an XML external entity expansion (XXE) in the `&dataConfig=<inlinexml>` parameter of Solr's DataImportHandler. It can be used as XXE using file/ftp/http protocols in order to read arbitrary local files from the Solr server or the internal network.
CWE-611 Improper Restriction of XML External Entity Reference
Solr versions 1.3.0 to 1.4.1, 3.1.0 to 3.6.2 and 4.0.0 to 4.10.4 are vulnerable to an XML resource consumption attack (a.k.a. Lol Bomb) via its update handler. By leveraging XML DOCTYPE and ENTITY type elements, the attacker can create a pattern that will expand when the server parses the XML causing OOMs.
CWE-776 Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')
When starting Apache Solr versions prior to 8.8.2, configured with the SaslZkACLProvider or VMParamsAllAndReadonlyDigestZkACLProvider and no existing security.json znode, if the optional read-only user is configured then Solr would not treat that node as a sensitive path and would allow it to be readable. Additionally, with any ZkACLProvider, if the security.json is already present, Solr will not automatically update the ACLs.
Description: HTTP/2 contains a rapid reset vulnerability that allows for a distributed denial-of-service attack (DDoS).
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Due Date: 2023-10-31
Notes: This vulnerability affects a common open-source component, third-party library, or a protocol used by different products. Please check with specific vendors for information on patching status. For more information, please see: https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/
The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.
Description: The optional Apache Solr module DataImportHandler contains a code injection vulnerability.
Required Action: Apply updates per vendor instructions.
Due Date: 2022-06-10
In Apache Solr, the DataImportHandler, an optional but popular module to pull in data from databases and other sources, has a feature in which the whole DIH configuration can come from a request's "dataConfig" parameter. The debug mode of the DIH admin screen uses this to allow convenient debugging / development of a DIH config. Since a DIH config can contain scripts, this parameter is a security risk. Starting with version 8.2.0 of Solr, use of this parameter requires setting the Java System property "enable.dih.dataConfigParam" to true.
CWE-94 Improper Control of Generation of Code ('Code Injection')
The UpdateRequestHandler for XML in Apache Solr before 4.1 allows remote attackers to have an unspecified impact via XML data containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.
The DocumentAnalysisRequestHandler in Apache Solr before 4.3.1 does not properly use the EmptyEntityResolver, which allows remote attackers to have an unspecified impact via XML data containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-6407.
Multiple cross-site scripting (XSS) vulnerabilities in the Admin UI in Apache Solr before 5.1 allow remote attackers to inject arbitrary web script or HTML via crafted fields that are mishandled during the rendering of the (1) Analysis page, related to webapp/web/js/scripts/analysis.js or (2) Schema-Browser page, related to webapp/web/js/scripts/schema-browser.js.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Cross-site scripting (XSS) vulnerability in webapp/web/js/scripts/schema-browser.js in the Admin UI in Apache Solr before 5.3 allows remote attackers to inject arbitrary web script or HTML via a crafted schema-browse URL.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Cross-site scripting (XSS) vulnerability in webapp/web/js/scripts/plugins.js in the stats page in the Admin UI in Apache Solr before 5.3.1 allows remote attackers to inject arbitrary web script or HTML via the entry parameter to a plugins/cache URI.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
This vulnerability in Apache Solr 6.0.0 to 6.6.4 and 7.0.0 to 7.3.1 relates to an XML external entity expansion (XXE) in Solr config files (currency.xml, enumsConfig.xml referred from schema.xml, TIKA parsecontext config file). In addition, Xinclude functionality provided in these config files is also affected in a similar way. The vulnerability can be used as XXE using file/ftp/http protocols in order to read arbitrary local files from the Solr server or the internal network. The manipulated files can be uploaded as configsets using Solr's API, allowing to exploit that vulnerability.
CWE-611 Improper Restriction of XML External Entity Reference
Directory traversal vulnerability in SolrResourceLoader in Apache Solr before 4.6 allows remote attackers to read arbitrary files via a .. (dot dot) or full pathname in the tr parameter to solr/select/, when the response writer (wt parameter) is set to XSLT. NOTE: this can be leveraged using a separate XXE (XML eXternal Entity) vulnerability to allow access to files across restricted network boundaries.
CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
In Apache Solr, the cluster can be partitioned into multiple collections and only a subset of nodes actually host any given collection. However, if a node receives a request for a collection it does not host, it proxies the request to a relevant node and serves the request. Solr bypasses all authorization settings for such requests. This affects all Solr versions prior to 7.7 that use the default authorization mechanism of Solr (RuleBasedAuthorizationPlugin).
File Path: /home/jenkins/.m2/repository/org/apache/solr/solr-solrj/3.6.2/solr-solrj-3.6.2.jar MD5: 34df7ce752a336588fc80f4f67926e46 SHA1: 7f7e4dc77f72b86eb198fb9199f8e1eebf800ba8 SHA256: 135f76fb0c12ef41fad818b7a4be6595400e1481258c460e809079bc2393819b Referenced In Project/Scope: Gemma REST:compile solr-solrj-3.6.2.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/gemma/gemma-core@1.31.6
The ReplicationHandler (normally registered at "/replication" under a Solr core) in Apache Solr has a "masterUrl" (also "leaderUrl" alias) parameter that is used to designate another ReplicationHandler on another Solr core to replicate index data into the local core. To prevent a SSRF vulnerability, Solr ought to check these parameters against a similar configuration it uses for the "shards" parameter. Prior to this bug getting fixed, it did not. This problem affects essentially all Solr versions prior to it getting fixed in 8.8.2.
An Improper Input Validation vulnerability in DataImportHandler of Apache Solr allows an attacker to provide a Windows UNC path resulting in an SMB network call being made from the Solr host to another host on the network. If the attacker has wider access to the network, this may lead to SMB attacks, which may result in:
* The exfiltration of sensitive data such as OS user hashes (NTLM/LM hashes),
* In case of misconfigured systems, SMB Relay Attacks which can lead to user impersonation on SMB Shares or, in a worse-case scenario, Remote Code Execution
This issue affects all Apache Solr versions prior to 8.11.1. This issue only affects Windows.
CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'), CWE-20 Improper Input Validation, CWE-40 Path Traversal: '\\UNC\share\name\' (Windows UNC Share)
When using ConfigurableInternodeAuthHadoopPlugin for authentication, Apache Solr versions prior to 8.8.2 would forward/proxy distributed requests using server credentials instead of original client credentials. This would result in incorrect authorization resolution on the receiving hosts.
Reported in SOLR-14515 (private) and fixed in SOLR-14561 (public), released in Solr version 8.6.0. The Replication handler (https://lucene.apache.org/solr/guide/8_6/index-replication.html#http-api-commands-for-the-replicationhandler) allows commands backup, restore and deleteBackup. Each of these take a location parameter, which was not validated, i.e. you could read/write to any location the solr user can access.
The (1) UpdateRequestHandler for XSLT or (2) XPathEntityProcessor in Apache Solr before 4.1 allows remote attackers to have an unspecified impact via XML data containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue, different vectors than CVE-2013-6407.
When using the Index Replication feature, Apache Solr nodes can pull index files from a master/leader node using an HTTP API which accepts a file name. However, Solr before 5.5.4 and 6.x before 6.4.1 did not validate the file name, hence it was possible to craft a special request involving path traversal, leaving any file readable to the Solr server process exposed. Solr servers protected and restricted by firewall rules and/or authentication would not be at risk since only trusted clients and users would gain direct HTTP access.
CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Server Side Request Forgery in Apache Solr, versions 1.3 until 7.6 (inclusive). Since the "shards" parameter does not have a corresponding whitelist mechanism, a remote attacker with access to the server could make Solr perform an HTTP GET request to any reachable URL.
This vulnerability in Apache Solr 1.2 to 6.6.2 and 7.0.0 to 7.2.1 relates to an XML external entity expansion (XXE) in the `&dataConfig=<inlinexml>` parameter of Solr's DataImportHandler. It can be used as XXE using file/ftp/http protocols in order to read arbitrary local files from the Solr server or the internal network.
CWE-611 Improper Restriction of XML External Entity Reference
Solr versions 1.3.0 to 1.4.1, 3.1.0 to 3.6.2 and 4.0.0 to 4.10.4 are vulnerable to an XML resource consumption attack (a.k.a. Lol Bomb) via its update handler. By leveraging XML DOCTYPE and ENTITY type elements, the attacker can create a pattern that will expand when the server parses the XML causing OOMs.
CWE-776 Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')
When starting Apache Solr versions prior to 8.8.2, configured with the SaslZkACLProvider or VMParamsAllAndReadonlyDigestZkACLProvider and no existing security.json znode, if the optional read-only user is configured then Solr would not treat that node as a sensitive path and would allow it to be readable. Additionally, with any ZkACLProvider, if the security.json is already present, Solr will not automatically update the ACLs.
Description: HTTP/2 contains a rapid reset vulnerability that allows for a distributed denial-of-service attack (DDoS).
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Due Date: 2023-10-31
Notes: This vulnerability affects a common open-source component, third-party library, or a protocol used by different products. Please check with specific vendors for information on patching status. For more information, please see: https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/
The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.
Description: The optional Apache Solr module DataImportHandler contains a code injection vulnerability.
Required Action: Apply updates per vendor instructions.
Due Date: 2022-06-10
In Apache Solr, the DataImportHandler, an optional but popular module to pull in data from databases and other sources, has a feature in which the whole DIH configuration can come from a request's "dataConfig" parameter. The debug mode of the DIH admin screen uses this to allow convenient debugging / development of a DIH config. Since a DIH config can contain scripts, this parameter is a security risk. Starting with version 8.2.0 of Solr, use of this parameter requires setting the Java System property "enable.dih.dataConfigParam" to true.
CWE-94 Improper Control of Generation of Code ('Code Injection')
The UpdateRequestHandler for XML in Apache Solr before 4.1 allows remote attackers to have an unspecified impact via XML data containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.
The DocumentAnalysisRequestHandler in Apache Solr before 4.3.1 does not properly use the EmptyEntityResolver, which allows remote attackers to have an unspecified impact via XML data containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-6407.
Multiple cross-site scripting (XSS) vulnerabilities in the Admin UI in Apache Solr before 5.1 allow remote attackers to inject arbitrary web script or HTML via crafted fields that are mishandled during the rendering of the (1) Analysis page, related to webapp/web/js/scripts/analysis.js or (2) Schema-Browser page, related to webapp/web/js/scripts/schema-browser.js.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Cross-site scripting (XSS) vulnerability in webapp/web/js/scripts/schema-browser.js in the Admin UI in Apache Solr before 5.3 allows remote attackers to inject arbitrary web script or HTML via a crafted schema-browse URL.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Cross-site scripting (XSS) vulnerability in webapp/web/js/scripts/plugins.js in the stats page in the Admin UI in Apache Solr before 5.3.1 allows remote attackers to inject arbitrary web script or HTML via the entry parameter to a plugins/cache URI.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Directory traversal vulnerability in SolrResourceLoader in Apache Solr before 4.6 allows remote attackers to read arbitrary files via a .. (dot dot) or full pathname in the tr parameter to solr/select/, when the response writer (wt parameter) is set to XSLT. NOTE: this can be leveraged using a separate XXE (XML eXternal Entity) vulnerability to allow access to files across restricted network boundaries.
CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
In Apache Solr, the cluster can be partitioned into multiple collections and only a subset of nodes actually host any given collection. However, if a node receives a request for a collection it does not host, it proxies the request to a relevant node and serves the request. Solr bypasses all authorization settings for such requests. This affects all Solr versions prior to 7.7 that use the default authorization mechanism of Solr (RuleBasedAuthorizationPlugin).
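The SolrResourceLoader entry above (tr parameter, wt=XSLT) is the classic shape of a path-traversal bug: a caller-supplied template name is joined onto a configuration directory and the result is opened as-is, so both a ".." segment and an absolute path escape the directory. The Python below is an added illustration written for this report, not Solr code; the base directory, the template names and the function names are constructed assumptions. It shows the naive join beside a confined resolver that checks the request lexically and then checks the resolved path for containment, which also catches a symlink inside the directory that points elsewhere.

```python
from pathlib import Path, PurePosixPath


def naive_join(base_dir, requested):
    """The pattern the advisory describes: the caller-supplied name is joined onto the
    template directory and used as-is. Path joining discards base_dir entirely when the
    second operand is absolute, and '..' segments walk out of it."""
    return str((Path(base_dir) / requested).resolve())


def resolve_template(base_dir, requested):
    """Return the on-disk path of a template confined to base_dir, or None.

    Two independent checks: a lexical one on the request (non-empty, no NUL byte, no
    absolute path, no '.'/'..' segments), then a containment check on the fully resolved
    path, so a symlink inside base_dir that points outside it is rejected as well."""
    if "\x00" in requested:
        return None
    rel = PurePosixPath(requested)
    if not rel.parts or rel.is_absolute():
        return None
    if any(part in (".", "..") for part in rel.parts):
        return None
    base = Path(base_dir).resolve()
    candidate = (base / rel).resolve()
    try:
        candidate.relative_to(base)   # raises ValueError when candidate is outside base
    except ValueError:
        return None
    return str(candidate)
```

Constructed usage: with base_dir "/srv/solr/conf/xslt", naive_join turns both "/etc/passwd" and "../../../../etc/passwd" into /etc/passwd, while resolve_template returns None for both and only yields paths underneath the template directory.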
File Path: /home/jenkins/.m2/repository/org/glassfish/hk2/spring-bridge/2.5.0-b32/spring-bridge-2.5.0-b32.jar MD5: 6ae9e7388f599d06bb76539c4a5e2755 SHA1: f38ecef23edc769942a95c062efd63541044de42 SHA256:44f5a5f44d1b52e8cd252ee160b900b079d4ec273cfaffb329e8a986a65d3b70 Referenced In Project/Scope: Gemma REST:compile spring-bridge-2.5.0-b32.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/org.glassfish.jersey.ext/jersey-spring3@2.25.1
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/jenkins/.m2/repository/org/springframework/spring-core/3.2.18.RELEASE/spring-core-3.2.18.RELEASE.jar MD5: 635537b54653d8155b107630ae41599e SHA1: 0e2bd9c162280cd79c2ea0f67f174ee5d7b84ddd SHA256:5c7ab868509a6b1214ebe557bfcf489cfac6e1ae4c4a39181b0fe66621fbe32e Referenced In Project/Scope: Gemma REST:compile spring-core-3.2.18.RELEASE.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/gemma/gemma-rest@1.31.6
Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, allow applications to expose STOMP over WebSocket endpoints with a simple, in-memory STOMP broker through the spring-messaging module. A malicious user (or attacker) can craft a message to the broker that can lead to a remote code execution attack.
CWE-358 Improperly Implemented Security Check for Standard, CWE-94 Improper Control of Generation of Code ('Code Injection')
Name: Spring Framework JDK 9+ Remote Code Execution Vulnerability
Date Added: 2022-04-04
Description: Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding.
Required Action: Apply updates per vendor instructions.
Due Date: 2022-04-25
A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it.
CWE-94 Improper Control of Generation of Code ('Code Injection')
Both Spring Security 3.2.x, 4.0.x, 4.1.0 and the Spring Framework 3.2.x, 4.0.x, 4.1.x, 4.2.x rely on URL pattern mappings, for authorization and for mapping requests to controllers respectively. Differences in the strictness of the two pattern-matching mechanisms, for example with regard to space trimming in path segments, can lead Spring Security to treat certain paths as unprotected when they are in fact mapped to Spring MVC controllers that should be protected. The problem is compounded by the fact that the Spring Framework provides richer pattern-matching features, and by the fact that pattern matching in each of Spring Security and the Spring Framework can easily be customized, creating additional differences.
CWE-264 Permissions, Privileges, and Access Controls
Spring Framework, versions 5.0.x prior to 5.0.7 and 4.3.x prior to 4.3.18 and older unsupported versions, allows web applications to enable cross-domain requests via JSONP (JSON with Padding) through AbstractJsonpResponseBodyAdvice for REST controllers and MappingJackson2JsonView for browser requests. Both are not enabled by default in Spring Framework nor Spring Boot, however, when MappingJackson2JsonView is configured in an application, JSONP support is automatically ready to use through the "jsonp" and "callback" JSONP parameters, enabling cross-domain requests.
CWE-829 Inclusion of Functionality from Untrusted Control Sphere
Spring Framework, versions 5.0.x prior to 5.0.6, versions 4.3.x prior to 4.3.17, and older unsupported versions allows applications to expose STOMP over WebSocket endpoints with a simple, in-memory STOMP broker through the spring-messaging module. A malicious user (or attacker) can craft a message to the broker that can lead to a regular expression denial of service (ReDoS) attack.
In Spring Framework versions 5.2.0 - 5.2.8, 5.1.0 - 5.1.17, 5.0.0 - 5.0.18, 4.3.0 - 4.3.28, and older unsupported versions, the protections against RFD attacks from CVE-2015-5211 may be bypassed depending on the browser used through the use of a jsessionid path parameter.
In Spring Framework versions 5.3.0 - 5.3.16 and older unsupported versions, it is possible for a user to provide a specially crafted SpEL expression that may cause a denial of service condition.
CWE-770 Allocation of Resources Without Limits or Throttling
In Spring Framework versions 6.0.0 - 6.0.6, 5.3.0 - 5.3.25, 5.2.0.RELEASE - 5.2.22.RELEASE, and older unsupported versions, it is possible for a user to provide a specially crafted SpEL expression that may cause a denial-of-service (DoS) condition.
Spring Framework (versions 5.0.x prior to 5.0.7, versions 4.3.x prior to 4.3.18, and older unsupported versions) allow web applications to change the HTTP request method to any HTTP method (including TRACE) using the HiddenHttpMethodFilter in Spring MVC. If an application has a pre-existing XSS vulnerability, a malicious user (or attacker) can use this filter to escalate to an XST (Cross Site Tracing) attack.
In Spring Framework versions 5.3.0 - 5.3.18, 5.2.0 - 5.2.20, and older unsupported versions, the patterns for disallowedFields on a DataBinder are case sensitive which means a field is not effectively protected unless it is listed with both upper and lower case for the first character of the field, including upper and lower case for the first character of all nested fields within the property path.
In Spring Framework versions prior to 5.3.20 and 5.2.22, and older unsupported versions, applications that handle file uploads are vulnerable to a DoS attack if they rely on data binding to set a MultipartFile or javax.servlet.Part field on a model object.
CWE-770 Allocation of Resources Without Limits or Throttling
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/jenkins/.m2/repository/org/springframework/spring-expression/3.2.18.RELEASE/spring-expression-3.2.18.RELEASE.jar MD5: 7e5fbe8696a4e71dc310c1ff9f8286e1 SHA1: 070c1fb9f2111601193e01a8d0c3ccbca1bf3706 SHA256:cde7eda6cc2270ab726f963aeb546c3f4db76746c661c247fbfb5d2a4d2f4411 Referenced In Project/Scope: Gemma REST:runtime spring-expression-3.2.18.RELEASE.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/gemma/gemma-rest@1.31.6
Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, allow applications to expose STOMP over WebSocket endpoints with a simple, in-memory STOMP broker through the spring-messaging module. A malicious user (or attacker) can craft a message to the broker that can lead to a remote code execution attack.
CWE-358 Improperly Implemented Security Check for Standard, CWE-94 Improper Control of Generation of Code ('Code Injection')
Name: Spring Framework JDK 9+ Remote Code Execution Vulnerability
Date Added: 2022-04-04
Description: Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding.
Required Action: Apply updates per vendor instructions.
Due Date: 2022-04-25
A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it.
CWE-94 Improper Control of Generation of Code ('Code Injection')
Both Spring Security 3.2.x, 4.0.x, 4.1.0 and the Spring Framework 3.2.x, 4.0.x, 4.1.x, 4.2.x rely on URL pattern mappings, for authorization and for mapping requests to controllers respectively. Differences in the strictness of the two pattern-matching mechanisms, for example with regard to space trimming in path segments, can lead Spring Security to treat certain paths as unprotected when they are in fact mapped to Spring MVC controllers that should be protected. The problem is compounded by the fact that the Spring Framework provides richer pattern-matching features, and by the fact that pattern matching in each of Spring Security and the Spring Framework can easily be customized, creating additional differences.
CWE-264 Permissions, Privileges, and Access Controls
Spring Framework, versions 5.0.x prior to 5.0.7 and 4.3.x prior to 4.3.18 and older unsupported versions, allows web applications to enable cross-domain requests via JSONP (JSON with Padding) through AbstractJsonpResponseBodyAdvice for REST controllers and MappingJackson2JsonView for browser requests. Both are not enabled by default in Spring Framework nor Spring Boot, however, when MappingJackson2JsonView is configured in an application, JSONP support is automatically ready to use through the "jsonp" and "callback" JSONP parameters, enabling cross-domain requests.
CWE-829 Inclusion of Functionality from Untrusted Control Sphere
Spring Framework, versions 5.0.x prior to 5.0.6, versions 4.3.x prior to 4.3.17, and older unsupported versions allows applications to expose STOMP over WebSocket endpoints with a simple, in-memory STOMP broker through the spring-messaging module. A malicious user (or attacker) can craft a message to the broker that can lead to a regular expression denial of service (ReDoS) attack.
In Spring Framework versions 5.2.0 - 5.2.8, 5.1.0 - 5.1.17, 5.0.0 - 5.0.18, 4.3.0 - 4.3.28, and older unsupported versions, the protections against RFD attacks from CVE-2015-5211 may be bypassed depending on the browser used through the use of a jsessionid path parameter.
In Spring Framework versions 5.3.0 - 5.3.16 and older unsupported versions, it is possible for a user to provide a specially crafted SpEL expression that may cause a denial of service condition.
CWE-770 Allocation of Resources Without Limits or Throttling
In Spring Framework versions 6.0.0 - 6.0.6, 5.3.0 - 5.3.25, 5.2.0.RELEASE - 5.2.22.RELEASE, and older unsupported versions, it is possible for a user to provide a specially crafted SpEL expression that may cause a denial-of-service (DoS) condition.
In Spring Framework versions prior to 5.2.24, 5.3.27 and 6.0.8, it is possible for a user to provide a specially crafted SpEL expression that may cause a denial-of-service (DoS) condition.
CWE-917 Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')
Spring Framework (versions 5.0.x prior to 5.0.7, versions 4.3.x prior to 4.3.18, and older unsupported versions) allow web applications to change the HTTP request method to any HTTP method (including TRACE) using the HiddenHttpMethodFilter in Spring MVC. If an application has a pre-existing XSS vulnerability, a malicious user (or attacker) can use this filter to escalate to an XST (Cross Site Tracing) attack.
In Spring Framework versions 5.3.0 - 5.3.18, 5.2.0 - 5.2.20, and older unsupported versions, the patterns for disallowedFields on a DataBinder are case sensitive which means a field is not effectively protected unless it is listed with both upper and lower case for the first character of the field, including upper and lower case for the first character of all nested fields within the property path.
In Spring Framework versions prior to 5.3.20 and 5.2.22, and older unsupported versions, applications that handle file uploads are vulnerable to a DoS attack if they rely on data binding to set a MultipartFile or javax.servlet.Part field on a model object.
CWE-770 Allocation of Resources Without Limits or Throttling
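The disallowedFields entry above (DataBinder patterns are case sensitive, so a field is only protected when it is listed with both capitalisations of the first character, for every segment of a nested path) is a mismatch between the name the deny-list is checked against and the name the property resolver actually binds. The Python below is an added illustration written for this report, not Spring code; the model object, the pattern list, the helper names and the assumption that property resolution treats the first character of each segment case-insensitively (the JavaBeans convention under which both "admin" and "Admin" select setAdmin) are constructed. The vulnerable binder checks the raw path; the hardened one checks the resolved path and compares case-insensitively on both sides.

```python
import fnmatch


def new_account():
    """Constructed model object as a nested dict: path 'owner.admin' -> ['owner']['admin']."""
    return {"name": "", "admin": False, "owner": {"name": "", "admin": False}}


# Constructed deny-list, in the simple '*' wildcard style the advisory describes.
DISALLOWED = ["admin", "*.admin"]


def _decapitalize(segment):
    """Assumed property-name resolution: the first character is case-insensitive."""
    return segment[:1].lower() + segment[1:]


def _resolved_path(property_path):
    """The property path exactly as the setter lookup will see it."""
    return ".".join(_decapitalize(seg) for seg in property_path.split("."))


def _set_property(target, property_path, value):
    """Assign through the resolved path; unknown properties are silently ignored."""
    *parents, leaf = _resolved_path(property_path).split(".")
    node = target
    for seg in parents:
        node = node.get(seg)
        if not isinstance(node, dict):
            return
    if leaf in node:
        node[leaf] = value


def bind_vulnerable(target, params, disallowed=DISALLOWED):
    """Checks the raw, case-sensitive property path against the patterns, but assigns
    through the case-tolerant resolver: 'Admin' and 'Owner.Admin' slip past the list."""
    for property_path, value in params.items():
        if any(fnmatch.fnmatchcase(property_path, pat) for pat in disallowed):
            continue
        _set_property(target, property_path, value)
    return target


def bind_hardened(target, params, disallowed=DISALLOWED):
    """Checks the path as the setter will resolve it, and compares case-insensitively
    on both sides, so one lower-case pattern protects every capitalisation."""
    lowered = [pat.lower() for pat in disallowed]
    for property_path, value in params.items():
        resolved = _resolved_path(property_path)
        if any(fnmatch.fnmatchcase(resolved.lower(), pat) for pat in lowered):
            continue
        _set_property(target, resolved, value)
    return target
```

Constructed input for both binders: {"name": "alice", "Admin": True, "Owner.Admin": True}. The vulnerable binder ends up with admin and owner.admin set to True; the hardened one binds only name. The general lesson is independent of Spring: a deny-list must be evaluated on the same canonical name the assignment uses.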
Spring Retry provides an abstraction around retrying failed operations, with an emphasis on declarative control of the process and policy-based behaviour that is easy to extend and customize. For instance, you can configure a plain POJO operation to retry if it fails, based on the type of exception, and with a fixed or exponential backoff.
File Path: /home/jenkins/.m2/repository/org/springframework/retry/spring-retry/1.0.3.RELEASE/spring-retry-1.0.3.RELEASE.jar MD5: 5d5f5046b698320b27d4f86285928a34 SHA1: 33b967f6abaa0a496318bff2ce96e6da6285a54d SHA256:d8f2fd2339e794f4dd78e29d44b33f1f0b5fa687525abee8e7246f61d9cd9fca Referenced In Project/Scope: Gemma REST:compile spring-retry-1.0.3.RELEASE.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/gemma/gemma-core@1.31.6
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/jenkins/.m2/repository/org/springframework/security/spring-security-acl/3.2.10.RELEASE/spring-security-acl-3.2.10.RELEASE.jar MD5: f87a9ef5d7952bc6f8096b3223d67e19 SHA1: 0417714b1b6c7f11cb6c2a5ee4c3738d43353928 SHA256:7916014dbd3c61585d92aeb14e4c74584c60b7858bfb8e63b2af4560d1955315 Referenced In Project/Scope: Gemma REST:compile spring-security-acl-3.2.10.RELEASE.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/gemma/gemma-rest@1.31.6
In Spring Security versions prior to 5.4.11, 5.5.7 and 5.6.4, and older unsupported versions, RegexRequestMatcher can easily be misconfigured so that it is bypassed on some servlet containers. Applications using RegexRequestMatcher with `.` in the regular expression are possibly vulnerable to an authorization bypass.
Spring Security 5.4.x prior to 5.4.4, 5.3.x prior to 5.3.8.RELEASE, 5.2.x prior to 5.2.9.RELEASE, and older unsupported versions can fail to save the SecurityContext if it is changed more than once in a single request. A malicious user cannot cause the bug to happen (it must be programmed in). However, if the application's intent is to only allow the user to run with elevated privileges in a small portion of the application, the bug can be leveraged to extend those privileges to the rest of the application.
Both Spring Security 3.2.x, 4.0.x, 4.1.0 and the Spring Framework 3.2.x, 4.0.x, 4.1.x, 4.2.x rely on URL pattern mappings, for authorization and for mapping requests to controllers respectively. Differences in the strictness of the two pattern-matching mechanisms, for example with regard to space trimming in path segments, can lead Spring Security to treat certain paths as unprotected when they are in fact mapped to Spring MVC controllers that should be protected. The problem is compounded by the fact that the Spring Framework provides richer pattern-matching features, and by the fact that pattern matching in each of Spring Security and the Spring Framework can easily be customized, creating additional differences.
CWE-264 Permissions, Privileges, and Access Controls
Spring Security versions 5.5.x prior to 5.5.7, 5.6.x prior to 5.6.4, and earlier unsupported versions contain an integer overflow vulnerability. When using the BCrypt class with the maximum work factor (31), the encoder does not perform any salt rounds, due to an integer overflow error. The default settings are not affected by this CVE.
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/jenkins/.m2/repository/org/springframework/security/spring-security-config/3.2.10.RELEASE/spring-security-config-3.2.10.RELEASE.jar MD5: 8c8534526c1ed31e3cdc65523e782e3c SHA1: c8c9c742067d5a4879bf8db289cb48b60262056a SHA256:f8849bb9e245423924ccdaee6693d497f1b4d2dd2069e7695d4fdd2b82a2f5b3 Referenced In Project/Scope: Gemma REST:runtime spring-security-config-3.2.10.RELEASE.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/gemma/gemma-rest@1.31.6
In Spring Security versions prior to 5.4.11, 5.5.7 and 5.6.4, and older unsupported versions, RegexRequestMatcher can easily be misconfigured so that it is bypassed on some servlet containers. Applications using RegexRequestMatcher with `.` in the regular expression are possibly vulnerable to an authorization bypass.
Spring Security 5.4.x prior to 5.4.4, 5.3.x prior to 5.3.8.RELEASE, 5.2.x prior to 5.2.9.RELEASE, and older unsupported versions can fail to save the SecurityContext if it is changed more than once in a single request. A malicious user cannot cause the bug to happen (it must be programmed in). However, if the application's intent is to only allow the user to run with elevated privileges in a small portion of the application, the bug can be leveraged to extend those privileges to the rest of the application.
Both Spring Security 3.2.x, 4.0.x, 4.1.0 and the Spring Framework 3.2.x, 4.0.x, 4.1.x, 4.2.x rely on URL pattern mappings, for authorization and for mapping requests to controllers respectively. Differences in the strictness of the two pattern-matching mechanisms, for example with regard to space trimming in path segments, can lead Spring Security to treat certain paths as unprotected when they are in fact mapped to Spring MVC controllers that should be protected. The problem is compounded by the fact that the Spring Framework provides richer pattern-matching features, and by the fact that pattern matching in each of Spring Security and the Spring Framework can easily be customized, creating additional differences.
CWE-264 Permissions, Privileges, and Access Controls
In Spring Security, versions 5.7.x prior to 5.7.8, versions 5.8.x prior to 5.8.3, and versions 6.0.x prior to 6.0.3, the logout support does not properly clean the security context if using serialized versions. Additionally, it is not possible to explicitly save an empty security context to the HttpSessionSecurityContextRepository. This vulnerability can keep users authenticated even after they performed logout. Users of affected versions should apply the following mitigation. 5.7.x users should upgrade to 5.7.8. 5.8.x users should upgrade to 5.8.3. 6.0.x users should upgrade to 6.0.3.
Sonatype's research suggests that this CVE's details differ from those defined at NVD. See https://ossindex.sonatype.org/vulnerability/CVE-2023-20862 for details
Spring Security (Spring Security 4.1.x before 4.1.5, 4.2.x before 4.2.4, and 5.0.x before 5.0.1; and Spring Framework 4.3.x before 4.3.14 and 5.0.x before 5.0.3) does not consider URL path parameters when processing security constraints. By adding a URL path parameter with special encodings, an attacker may be able to bypass a security constraint. The root cause of this issue is a lack of clarity regarding the handling of path parameters in the Servlet Specification. Some Servlet containers include path parameters in the value returned for getPathInfo() and some do not. Spring Security uses the value returned by getPathInfo() as part of the process of mapping requests to security constraints. In this particular attack, different character encodings used in path parameters allows secured Spring MVC static resource URLs to be bypassed.
Spring Security versions 5.5.x prior to 5.5.7, 5.6.x prior to 5.6.4, and earlier unsupported versions contain an integer overflow vulnerability. When using the BCrypt class with the maximum work factor (31), the encoder does not perform any salt rounds, due to an integer overflow error. The default settings are not affected by this CVE.
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/jenkins/.m2/repository/org/springframework/security/spring-security-core/3.2.10.RELEASE/spring-security-core-3.2.10.RELEASE.jar MD5: 86427a3f1e565f975b48cb8b9be4649d SHA1: e8018fab2ada266288d1db83cc4e452de1e2ed1c SHA256:10443ef19e3cbe2b82197983d7fa0dec5bebd40dc3ca2c0cf02864359cdc2c93 Referenced In Project/Scope: Gemma REST:compile spring-security-core-3.2.10.RELEASE.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/gemma/gemma-rest@1.31.6
In Spring Security versions prior to 5.4.11, 5.5.7 and 5.6.4, and older unsupported versions, RegexRequestMatcher can easily be misconfigured so that it is bypassed on some servlet containers. Applications using RegexRequestMatcher with `.` in the regular expression are possibly vulnerable to an authorization bypass.
Spring Security 5.4.x prior to 5.4.4, 5.3.x prior to 5.3.8.RELEASE, 5.2.x prior to 5.2.9.RELEASE, and older unsupported versions can fail to save the SecurityContext if it is changed more than once in a single request. A malicious user cannot cause the bug to happen (it must be programmed in). However, if the application's intent is to only allow the user to run with elevated privileges in a small portion of the application, the bug can be leveraged to extend those privileges to the rest of the application.
In Spring Security, versions 5.7.x prior to 5.7.12, 5.8.x prior to 5.8.11, versions 6.0.x prior to 6.0.9, versions 6.1.x prior to 6.1.8, and versions 6.2.x prior to 6.2.3, an application is possibly vulnerable to broken access control when it directly uses AuthenticatedVoter#vote passing a null Authentication parameter.
Both Spring Security 3.2.x, 4.0.x, 4.1.0 and the Spring Framework 3.2.x, 4.0.x, 4.1.x, 4.2.x rely on URL pattern mappings, for authorization and for mapping requests to controllers respectively. Differences in the strictness of the two pattern-matching mechanisms, for example with regard to space trimming in path segments, can lead Spring Security to treat certain paths as unprotected when they are in fact mapped to Spring MVC controllers that should be protected. The problem is compounded by the fact that the Spring Framework provides richer pattern-matching features, and by the fact that pattern matching in each of Spring Security and the Spring Framework can easily be customized, creating additional differences.
CWE-264 Permissions, Privileges, and Access Controls
Spring Security, versions 4.2.x up to 4.2.12, and older unsupported versions support plain text passwords using PlaintextPasswordEncoder. If an application using an affected version of Spring Security is leveraging PlaintextPasswordEncoder and a user has a null encoded password, a malicious user (or attacker) can authenticate using a password of "null".
Spring Security versions 4.2.x prior to 4.2.12, 5.0.x prior to 5.0.12, and 5.1.x prior to 5.1.5 contain an insecure randomness vulnerability when using SecureRandomFactoryBean#setSeed to configure a SecureRandom instance. In order to be impacted, an honest application must provide a seed and make the resulting random material available to an attacker for inspection.
Sonatype's research suggests that this CVE's details differ from those defined at NVD. See https://ossindex.sonatype.org/vulnerability/CVE-2019-3795 for details
Spring Security versions 5.5.x prior to 5.5.7, 5.6.x prior to 5.6.4, and earlier unsupported versions contain an integer overflow vulnerability. When using the BCrypt class with the maximum work factor (31), the encoder does not perform any salt rounds, due to an integer overflow error. The default settings are not affected by this CVE.
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/jenkins/.m2/repository/org/springframework/security/spring-security-web/3.2.10.RELEASE/spring-security-web-3.2.10.RELEASE.jar MD5: 22b94b4f676727805952091f92cd60f5 SHA1: b925996ca5a7310e3315705cd2b69a15214ee3e1 SHA256:84b59931956693916e744977cec02db88fcd17eb11f47081d46b7fdc5196b1dd Referenced In Project/Scope: Gemma REST:compile spring-security-web-3.2.10.RELEASE.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/gemma/gemma-rest@1.31.6
In Spring Security versions prior to 5.4.11, 5.5.7 and 5.6.4, and older unsupported versions, RegexRequestMatcher can easily be misconfigured so that it is bypassed on some servlet containers. Applications using RegexRequestMatcher with `.` in the regular expression are possibly vulnerable to an authorization bypass.
Spring Security 5.4.x prior to 5.4.4, 5.3.x prior to 5.3.8.RELEASE, 5.2.x prior to 5.2.9.RELEASE, and older unsupported versions can fail to save the SecurityContext if it is changed more than once in a single request. A malicious user cannot cause the bug to happen (it must be programmed in). However, if the application's intent is to only allow the user to run with elevated privileges in a small portion of the application, the bug can be leveraged to extend those privileges to the rest of the application.
Both Spring Security 3.2.x, 4.0.x, 4.1.0 and the Spring Framework 3.2.x, 4.0.x, 4.1.x, 4.2.x rely on URL pattern mappings, for authorization and for mapping requests to controllers respectively. Differences in the strictness of the two pattern-matching mechanisms, for example with regard to space trimming in path segments, can lead Spring Security to treat certain paths as unprotected when they are in fact mapped to Spring MVC controllers that should be protected. The problem is compounded by the fact that the Spring Framework provides richer pattern-matching features, and by the fact that pattern matching in each of Spring Security and the Spring Framework can easily be customized, creating additional differences.
CWE-264 Permissions, Privileges, and Access Controls
An issue was discovered in Pivotal Spring Security before 3.2.10, 4.1.x before 4.1.4, and 4.2.x before 4.2.1. Spring Security does not consider URL path parameters when processing security constraints. By adding a URL path parameter with an encoded "/" to a request, an attacker may be able to bypass a security constraint. The root cause of this issue is a lack of clarity regarding the handling of path parameters in the Servlet Specification. Some Servlet containers include path parameters in the value returned for getPathInfo() and some do not. Spring Security uses the value returned by getPathInfo() as part of the process of mapping requests to security constraints. The unexpected presence of path parameters can cause a constraint to be bypassed. Users of Apache Tomcat (all current versions) are not affected by this vulnerability since Tomcat follows the guidance previously provided by the Servlet Expert group and strips path parameters from the value returned by getContextPath(), getServletPath(), and getPathInfo(). Users of other Servlet containers based on Apache Tomcat may or may not be affected depending on whether or not the handling of path parameters has been modified. Users of IBM WebSphere Application Server 8.5.x are known to be affected. Users of other containers that implement the Servlet specification may be affected.
In Spring Security, versions 5.7.x prior to 5.7.8, versions 5.8.x prior to 5.8.3, and versions 6.0.x prior to 6.0.3, the logout support does not properly clean the security context if using serialized versions. Additionally, it is not possible to explicitly save an empty security context to the HttpSessionSecurityContextRepository. This vulnerability can keep users authenticated even after they performed logout. Users of affected versions should apply the following mitigation. 5.7.x users should upgrade to 5.7.8. 5.8.x users should upgrade to 5.8.3. 6.0.x users should upgrade to 6.0.3.
Sonatype's research suggests that this CVE's details differ from those defined at NVD. See https://ossindex.sonatype.org/vulnerability/CVE-2023-20862 for details
Spring Security (Spring Security 4.1.x before 4.1.5, 4.2.x before 4.2.4, and 5.0.x before 5.0.1; and Spring Framework 4.3.x before 4.3.14 and 5.0.x before 5.0.3) does not consider URL path parameters when processing security constraints. By adding a URL path parameter with special encodings, an attacker may be able to bypass a security constraint. The root cause of this issue is a lack of clarity regarding the handling of path parameters in the Servlet Specification. Some Servlet containers include path parameters in the value returned for getPathInfo() and some do not. Spring Security uses the value returned by getPathInfo() as part of the process of mapping requests to security constraints. In this particular attack, different character encodings used in path parameters allows secured Spring MVC static resource URLs to be bypassed.
Spring Security versions 5.5.x prior to 5.5.7, 5.6.x prior to 5.6.4, and earlier unsupported versions contain an integer overflow vulnerability. When using the BCrypt class with the maximum work factor (31), the encoder does not perform any salt rounds, due to an integer overflow error. The default settings are not affected by this CVE.
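The request-matcher findings listed for the spring-security jars above (the Spring Security versus Spring MVC pattern-matching mismatch, RegexRequestMatcher patterns containing `.`, and the two path-parameter bypasses such as an unexpected ;jsessionid=... segment) share one root cause: the authorization layer and the routing layer normalise the request path differently, so a request the authorizer treats as unprotected is still dispatched to a protected handler. The Python below is an added illustration written for this report, not Spring or Servlet-container code; the rule table, the handler names, the toy router's normalisation rules (drop `;param` path parameters, trim each segment) and the assumption that the authorizer percent-decodes once are constructed. The `.`-related case relies only on a regex fact that holds in both Java and Python: `.` does not match a line terminator unless DOTALL is set. The hardened version canonicalises once, rejects ambiguous input, and authorizes and routes the identical string.

```python
import re
from urllib.parse import unquote

# Constructed authorization rule table: (regex over the path, role required).
# A path no rule matches is treated as public.
AUTHZ_RULES = [(re.compile(r"^/admin/.*$"), "ADMIN")]

ADMIN_HANDLER, PUBLIC_HANDLER = "admin-handler", "public-handler"


def required_role_naive(raw_path):
    """Vulnerable matcher: percent-decodes once, then matches the path as received.
    It never strips ';param' path parameters or blank padding, and its '.' stops at a
    line terminator, so '/admin/\\nusers' is not recognised as an /admin/ path."""
    path = unquote(raw_path)
    for rx, role in AUTHZ_RULES:
        if rx.match(path):
            return role
    return None


def route_naive(raw_path):
    """Routing layer with its own, more lenient normalisation (assumption: it drops
    ';param' path parameters and trims each segment before mapping the request)."""
    segments = [seg.split(";", 1)[0].strip() for seg in unquote(raw_path).split("/")]
    path = "/".join(segments)
    return ADMIN_HANDLER if path.startswith("/admin/") else PUBLIC_HANDLER


def naive_dispatch(raw_path, roles):
    """Authorization and routing each normalise differently: the bypass pattern."""
    role = required_role_naive(raw_path)
    if role and role not in roles:
        return "403"
    return route_naive(raw_path)


CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")

# Same rule, compiled with DOTALL and used via fullmatch: '.' also covers line
# terminators, so the rule stays correct even if canonicalisation is weakened later.
AUTHZ_RULES_HARDENED = [(re.compile(r"/admin/.*", re.DOTALL), "ADMIN")]


def canonicalize(raw_path):
    """Single canonical form shared by authorization and routing. Decodes exactly once
    and rejects anything ambiguous instead of guessing how a downstream layer treats it."""
    path = unquote(raw_path)
    if CONTROL_CHARS.search(path) or "\\" in path:
        raise ValueError("control character or backslash in path")
    segments = []
    for seg in path.split("/"):
        seg = seg.split(";", 1)[0]          # drop ;jsessionid=... style path parameters
        if seg != seg.strip():
            raise ValueError("blank-padded path segment")
        if seg in (".", ".."):
            raise ValueError("dot segment in path")
        segments.append(seg)
    return "/".join(segments)


def required_role_hardened(canonical_path):
    for rx, role in AUTHZ_RULES_HARDENED:
        if rx.fullmatch(canonical_path):
            return role
    return None


def route_hardened(canonical_path):
    return ADMIN_HANDLER if canonical_path.startswith("/admin/") else PUBLIC_HANDLER


def hardened_dispatch(raw_path, roles):
    """Canonicalise once, then authorize and route the identical string."""
    try:
        path = canonicalize(raw_path)
    except ValueError:
        return "400"
    role = required_role_hardened(path)
    if role and role not in roles:
        return "403"
    return route_hardened(path)
```

Constructed requests from an unauthenticated caller: "/admin;jsessionid=abc/users", "/admin%20/users" and "/admin/%0Ausers" all reach the admin handler through naive_dispatch, because no authorization rule matched the path the authorizer saw. Through hardened_dispatch the first is recognised as /admin/users and refused with 403, and the other two are rejected outright as ambiguous. The practical check for a real application is the same: feed each of these shapes to the deployed stack and confirm the authorization decision and the handler that runs agree.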
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/jenkins/.m2/repository/org/springframework/spring-web/3.2.18.RELEASE/spring-web-3.2.18.RELEASE.jar MD5: c3435c31fea5f1e479b4bb5eba32133d SHA1: bc0bdade0a7a52b8fae88e1febc8479383a2acad SHA256:0aa220d3703eaf6eff670423978566a2af506fb9ea8bb728fa05bb16bdc74e9c Referenced In Project/Scope: Gemma REST:compile spring-web-3.2.18.RELEASE.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/org.springframework/spring-webmvc@3.2.18.RELEASE
Pivotal Spring Framework through 5.3.16 suffers from a potential remote code execution (RCE) issue if used for Java deserialization of untrusted data. Depending on how the library is implemented within a product, this issue may or may not occur, and authentication may be required. NOTE: the vendor's position is that untrusted data is not an intended use case. The product's behavior will not be changed because some users rely on deserialization of trusted data.
Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, allow applications to expose STOMP over WebSocket endpoints with a simple, in-memory STOMP broker through the spring-messaging module. A malicious user (or attacker) can craft a message to the broker that can lead to a remote code execution attack.
CWE-358 Improperly Implemented Security Check for Standard, CWE-94 Improper Control of Generation of Code ('Code Injection')
Name: Spring Framework JDK 9+ Remote Code Execution Vulnerability
Date Added: 2022-04-04
Description: Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding.
Required Action: Apply updates per vendor instructions.
Due Date: 2022-04-25
A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it.
CWE-94 Improper Control of Generation of Code ('Code Injection')
Applications that use UriComponentsBuilder to parse an externally provided URL (e.g. through a query parameter) AND perform validation checks on the host of the parsed URL may be vulnerable to an open redirect (https://cwe.mitre.org/data/definitions/601.html) attack or to an SSRF attack if the URL is used after passing validation checks.
Sonatype's research suggests that this CVE's details differ from those defined at NVD. See https://ossindex.sonatype.org/vulnerability/CVE-2024-22243 for details.
Applications that use UriComponentsBuilder to parse an externally provided URL (e.g. through a query parameter) AND perform validation checks on the host of the parsed URL may be vulnerable to an open redirect (https://cwe.mitre.org/data/definitions/601.html) attack or to an SSRF attack if the URL is used after passing validation checks.
This is the same as CVE-2024-22259 (https://spring.io/security/cve-2024-22259) and CVE-2024-22243 (https://spring.io/security/cve-2024-22243), but with different input.
Both Spring Security 3.2.x, 4.0.x, 4.1.0 and the Spring Framework 3.2.x, 4.0.x, 4.1.x, 4.2.x rely on URL pattern mappings for authorization and for mapping requests to controllers respectively. Differences in the strictness of the pattern matching mechanisms, for example with regards to space trimming in path segments, can lead Spring Security to treat certain paths as not protected when they are in fact mapped to Spring MVC controllers that should be protected. The problem is compounded by the fact that the Spring Framework provides richer features with regards to pattern matching, as well as by the fact that pattern matching in each of Spring Security and the Spring Framework can easily be customized, creating additional differences.
CWE-264 Permissions, Privileges, and Access Controls
Spring Framework, versions 5.0.x prior to 5.0.7 and 4.3.x prior to 4.3.18 and older unsupported versions, allows web applications to enable cross-domain requests via JSONP (JSON with Padding) through AbstractJsonpResponseBodyAdvice for REST controllers and MappingJackson2JsonView for browser requests. Both are not enabled by default in Spring Framework nor Spring Boot, however, when MappingJackson2JsonView is configured in an application, JSONP support is automatically ready to use through the "jsonp" and "callback" JSONP parameters, enabling cross-domain requests.
CWE-829 Inclusion of Functionality from Untrusted Control Sphere
Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, provide client-side support for multipart requests. When a Spring MVC or Spring WebFlux server application (server A) receives input from a remote client, and then uses that input to make a multipart request to another server (server B), it can be exposed to an attack where an extra multipart is inserted in the content of the request from server A, causing server B to use the wrong value for a part it expects. This could lead to privilege escalation, for example, if the part content represents a username or user roles.
CWE-264 Permissions, Privileges, and Access Controls
Spring Framework, versions 5.0.x prior to 5.0.6, versions 4.3.x prior to 4.3.17, and older unsupported versions allow applications to expose STOMP over WebSocket endpoints with a simple, in-memory STOMP broker through the spring-messaging module. A malicious user (or attacker) can craft a message to the broker that can lead to a regular expression denial of service attack.
In Spring Framework versions 5.2.0 - 5.2.8, 5.1.0 - 5.1.17, 5.0.0 - 5.0.18, 4.3.0 - 4.3.28, and older unsupported versions, the protections against RFD attacks from CVE-2015-5211 may be bypassed depending on the browser used through the use of a jsessionid path parameter.
In Spring Framework versions 5.3.0 - 5.3.16 and older unsupported versions, it is possible for a user to provide a specially crafted SpEL expression that may cause a denial of service condition.
CWE-770 Allocation of Resources Without Limits or Throttling
In Spring Framework versions 6.0.0 - 6.0.6, 5.3.0 - 5.3.25, 5.2.0.RELEASE - 5.2.22.RELEASE, and older unsupported versions, it is possible for a user to provide a specially crafted SpEL expression that may cause a denial-of-service (DoS) condition.
Spring Framework (versions 5.0.x prior to 5.0.7, versions 4.3.x prior to 4.3.18, and older unsupported versions) allow web applications to change the HTTP request method to any HTTP method (including TRACE) using the HiddenHttpMethodFilter in Spring MVC. If an application has a pre-existing XSS vulnerability, a malicious user (or attacker) can use this filter to escalate to an XST (Cross Site Tracing) attack.
In Spring Framework versions 5.3.0 - 5.3.18, 5.2.0 - 5.2.20, and older unsupported versions, the patterns for disallowedFields on a DataBinder are case sensitive which means a field is not effectively protected unless it is listed with both upper and lower case for the first character of the field, including upper and lower case for the first character of all nested fields within the property path.
In Spring Framework versions prior to 5.3.20+, 5.2.22+ and older unsupported versions, applications that handle file uploads are vulnerable to a DoS attack if they rely on data binding to set a MultipartFile or javax.servlet.Part to a field in a model object.
CWE-770 Allocation of Resources Without Limits or Throttling
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/jenkins/.m2/repository/org/springframework/spring-webmvc/3.2.18.RELEASE/spring-webmvc-3.2.18.RELEASE.jar MD5: 2cb8a9569b95a76a0485d71c913c1819 SHA1: 60e5bb3dc9cb83d6cc53628082ec89a57d4832b2 SHA256:effcce98fd4e9fa95c9a53e49db801f1e2d011ee6dcbb7a7eb1a3ca3bcb2cfd5 Referenced In Project/Scope: Gemma REST:compile spring-webmvc-3.2.18.RELEASE.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/gemma/gemma-rest@1.31.6
Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, allow applications to expose STOMP over WebSocket endpoints with a simple, in-memory STOMP broker through the spring-messaging module. A malicious user (or attacker) can craft a message to the broker that can lead to a remote code execution attack.
CWE-358 Improperly Implemented Security Check for Standard, CWE-94 Improper Control of Generation of Code ('Code Injection')
Name: Spring Framework JDK 9+ Remote Code Execution Vulnerability
Date Added: 2022-04-04
Description: Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding.
Required Action: Apply updates per vendor instructions.
Due Date: 2022-04-25
A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it.
CWE-94 Improper Control of Generation of Code ('Code Injection')
Both Spring Security 3.2.x, 4.0.x, 4.1.0 and the Spring Framework 3.2.x, 4.0.x, 4.1.x, 4.2.x rely on URL pattern mappings for authorization and for mapping requests to controllers respectively. Differences in the strictness of the pattern matching mechanisms, for example with regards to space trimming in path segments, can lead Spring Security to treat certain paths as not protected when they are in fact mapped to Spring MVC controllers that should be protected. The problem is compounded by the fact that the Spring Framework provides richer features with regards to pattern matching, as well as by the fact that pattern matching in each of Spring Security and the Spring Framework can easily be customized, creating additional differences.
CWE-264 Permissions, Privileges, and Access Controls
Spring Framework, versions 5.0.x prior to 5.0.7 and 4.3.x prior to 4.3.18 and older unsupported versions, allows web applications to enable cross-domain requests via JSONP (JSON with Padding) through AbstractJsonpResponseBodyAdvice for REST controllers and MappingJackson2JsonView for browser requests. Both are not enabled by default in Spring Framework nor Spring Boot, however, when MappingJackson2JsonView is configured in an application, JSONP support is automatically ready to use through the "jsonp" and "callback" JSONP parameters, enabling cross-domain requests.
CWE-829 Inclusion of Functionality from Untrusted Control Sphere
Spring Framework, versions 5.0.x prior to 5.0.6, versions 4.3.x prior to 4.3.17, and older unsupported versions allow applications to expose STOMP over WebSocket endpoints with a simple, in-memory STOMP broker through the spring-messaging module. A malicious user (or attacker) can craft a message to the broker that can lead to a regular expression denial of service attack.
In Spring Framework versions 5.2.0 - 5.2.8, 5.1.0 - 5.1.17, 5.0.0 - 5.0.18, 4.3.0 - 4.3.28, and older unsupported versions, the protections against RFD attacks from CVE-2015-5211 may be bypassed depending on the browser used through the use of a jsessionid path parameter.
In Spring Framework versions 5.3.0 - 5.3.16 and older unsupported versions, it is possible for a user to provide a specially crafted SpEL expression that may cause a denial of service condition.
CWE-770 Allocation of Resources Without Limits or Throttling
In Spring Framework versions 6.0.0 - 6.0.6, 5.3.0 - 5.3.25, 5.2.0.RELEASE - 5.2.22.RELEASE, and older unsupported versions, it is possible for a user to provide a specially crafted SpEL expression that may cause a denial-of-service (DoS) condition.
Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, allow applications to configure Spring MVC to serve static resources (e.g. CSS, JS, images). When static resources are served from a file system on Windows (as opposed to the classpath, or the ServletContext), a malicious user can send a request using a specially crafted URL that can lead to a directory traversal attack.
CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Spring Framework (versions 5.0.x prior to 5.0.7, versions 4.3.x prior to 4.3.18, and older unsupported versions) allow web applications to change the HTTP request method to any HTTP method (including TRACE) using the HiddenHttpMethodFilter in Spring MVC. If an application has a pre-existing XSS vulnerability, a malicious user (or attacker) can use this filter to escalate to an XST (Cross Site Tracing) attack.
In Spring Framework versions 5.3.0 - 5.3.18, 5.2.0 - 5.2.20, and older unsupported versions, the patterns for disallowedFields on a DataBinder are case sensitive which means a field is not effectively protected unless it is listed with both upper and lower case for the first character of the field, including upper and lower case for the first character of all nested fields within the property path.
In Spring Framework versions prior to 5.3.20+, 5.2.22+ and older unsupported versions, applications that handle file uploads are vulnerable to a DoS attack if they rely on data binding to set a MultipartFile or javax.servlet.Part to a field in a model object.
CWE-770 Allocation of Resources Without Limits or Throttling
In Spring Framework versions 5.3.0 - 5.3.13, 5.2.0 - 5.2.18, and older unsupported versions, it is possible for a user to provide malicious input to cause the insertion of additional log entries. This is a follow-up to CVE-2021-22096 that protects against additional types of input and in more places of the Spring Framework codebase.
File Path: /home/jenkins/.m2/repository/io/swagger/core/v3/swagger-core/2.2.22/swagger-core-2.2.22.jar MD5: 03ddcaa6a062b05e648920c5349325bb SHA1: bda27a7291d01e96eb4b33bab33ca44f323becaf SHA256:8a8753f2425304fa7001eb79064bbba5949a2ab3c096c48096c07a5acea95b9f Referenced In Project/Scope: Gemma REST:compile swagger-core-2.2.22.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/gemma/gemma-rest@1.31.6
File Path: /home/jenkins/.m2/repository/io/swagger/core/v3/swagger-jaxrs2-servlet-initializer-v2/2.2.22/swagger-jaxrs2-servlet-initializer-v2-2.2.22.jar MD5: 3d281b49e5133881a0dbc19caefd29e6 SHA1: 0aa29d99663edc8e6b370be19dbe1d1c99d6a081 SHA256:92883aab52b4631dcbbc0c43fe50de3f5e4ac65ef9ea7d1df50534c98070b125 Referenced In Project/Scope: Gemma REST:runtime swagger-jaxrs2-servlet-initializer-v2-2.2.22.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/gemma/gemma-rest@1.31.6
File Path: /home/jenkins/.m2/repository/org/jvnet/tiger-types/1.4/tiger-types-1.4.jar MD5: 51f3d145cf8ff9ee5af99f58c1cc7930 SHA1: 09f75db7dea926f497e76eae2cea36eca74ea508 SHA256:0dd463a62f6417d7da60dad0613f2e14d598aa2fa93fe535de7142ae19cdfbe5 Referenced In Project/Scope: Gemma REST:compile tiger-types-1.4.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/org.glassfish.jersey.ext/jersey-spring3@2.25.1
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/jenkins/.m2/repository/javax/validation/validation-api/1.1.0.Final/validation-api-1.1.0.Final.jar MD5: 4c257f52462860b62ab3cdab45f53082 SHA1: 8613ae82954779d518631e05daa73a6a954817d5 SHA256:f39d7ba7253e35f5ac48081ec1bc28c5df9b32ac4b7db20853e5a8e76bf7b0ed Referenced In Project/Scope: Gemma REST:compile validation-api-1.1.0.Final.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/org.glassfish.jersey.core/jersey-server@2.25.1
The Apache Commons IO library contains utility classes, stream implementations, file filters,
file comparators, endian transformation classes, and much more.
File Path: /home/jenkins/.m2/repository/org/apache/velocity/velocity-engine-core/2.3/velocity-engine-core-2.3.jar MD5: e761e6088b946b42289c5d676a515581 SHA1: e2133b723d0e42be74880d34de6bf6538ea7f915 SHA256:b086cee8fd8183e240b4afcf54fe38ec33dd8eb0da414636e5bf7aa4d9856629 Referenced In Project/Scope: Gemma REST:compile velocity-engine-core-2.3.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/gemma/gemma-core@1.31.6
Xerces2 provides high performance, fully compliant XML parsers in the Apache Xerces family. This new version of Xerces continues to build upon the Xerces Native Interface (XNI), a complete framework for building parser components and configurations that is extremely modular and easy to program.
The Apache Xerces2 parser is the reference implementation of XNI but other parser components, configurations, and parsers can be written using the Xerces Native Interface. For complete design and implementation documents, refer to the XNI Manual.
Xerces2 provides fully conforming XML Schema 1.0 and 1.1 processors. An experimental implementation of the "XML Schema Definition Language (XSD): Component Designators (SCD) Candidate Recommendation (January 2010)" is also provided for evaluation. For more information, refer to the XML Schema page.
Xerces2 also provides a complete implementation of the Document Object Model Level 3 Core and Load/Save W3C Recommendations and provides a complete implementation of the XML Inclusions (XInclude) W3C Recommendation. It also provides support for OASIS XML Catalogs v1.1.
Xerces2 is able to parse documents written according to the XML 1.1 Recommendation, except that it does not yet provide an option to enable normalization checking as described in section 2.13 of this specification. It also handles namespaces according to the XML Namespaces 1.1 Recommendation, and will correctly serialize XML 1.1 documents if the DOM level 3 load/save APIs are in use.
License:
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/jenkins/.m2/repository/xerces/xercesImpl/2.12.2/xercesImpl-2.12.2.jar MD5: 40e4f2d5aacfbf51a9a1572d77a0e5e9 SHA1: f051f988aa2c9b4d25d05f95742ab0cc3ed789e2 SHA256:6fc991829af1708d15aea50c66f0beadcd2cfeb6968e0b2f55c1b0909883fe16 Referenced In Project/Scope: Gemma REST:compile xercesImpl-2.12.2.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/gemma/gemma-rest@1.31.6
sonatype-2017-0348 - xerces:xercesImpl - Denial of Service (DoS)
The software contains multiple threads or executable segments that are waiting for each other to release a necessary lock, resulting in deadlock.
xml-commons provides an Apache-hosted set of DOM, SAX, and
JAXP interfaces for use in other xml-based projects. Our hope is that we
can standardize on both a common version and packaging scheme for these
critical XML standards interfaces to make the lives of both our developers
and users easier. The External Components portion of xml-commons contains
interfaces that are defined by external standards organizations. For DOM,
that's the W3C; for SAX it's David Megginson and sax.sourceforge.net; for
JAXP it's Sun.
License:
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
The SAX License: http://www.saxproject.org/copying.html
The W3C License: http://www.w3.org/TR/2004/REC-DOM-Level-3-Core-20040407/java-binding.zip
File Path: /home/jenkins/.m2/repository/xml-apis/xml-apis/1.4.01/xml-apis-1.4.01.jar MD5: 7eaad6fea5925cca6c36ee8b3e02ac9d SHA1: 3789d9fada2d3d458c4ba2de349d48780f381ee3 SHA256:a840968176645684bb01aed376e067ab39614885f9eee44abe35a5f20ebe7fad Referenced In Project/Scope: Gemma REST:compile xml-apis-1.4.01.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/gemma/gemma-rest@1.31.6