Dependency-Check is an open source tool performing a best effort analysis of 3rd party dependencies; false positives and false negatives may exist in the analysis performed by the tool. Use of the tool and the reporting provided constitutes acceptance for use in an AS IS condition, and there are NO warranties, implied or otherwise, with regard to the analysis or its use. Any use of the tool and the reporting provided is at the user’s risk. In no event shall the copyright holder or OWASP be held liable for any damages whatsoever arising out of or in connection with the use of this tool, the analysis performed, or the resulting report.

How to read the report | Suppressing false positives | Getting Help: github issues

 Sponsor

Project: Gemma CLI

gemma:gemma-cli:1.31.8-SNAPSHOT

Scan Information (show all):

Summary

Display: Showing Vulnerable Dependencies (click to show all)

DependencyVulnerability IDsPackageHighest SeverityCVE CountConfidenceEvidence Count
HdrHistogram-2.2.1.jarpkg:maven/org.hdrhistogram/HdrHistogram@2.2.1 030
HikariCP-4.0.3.jarpkg:maven/com.zaxxer/HikariCP@4.0.3 038
JRI-0.5-0.jarpkg:maven/RoSuDA/JRI@0.5-0 015
JRIEngine-0.5-0.jarcpe:2.3:a:rengine_project:rengine:0.5.0:*:*:*:*:*:*:*pkg:maven/RoSuDA/JRIEngine@0.5-0CRITICAL2Low17
JavaEWAH-0.7.9.jarcpe:2.3:a:google:gmail:0.7.9:*:*:*:*:*:*:*pkg:maven/com.googlecode.javaewah/JavaEWAH@0.7.9 0Low31
LatencyUtils-2.0.3.jarcpe:2.3:a:utils_project:utils:2.0.3:*:*:*:*:*:*:*pkg:maven/org.latencyutils/LatencyUtils@2.0.3 0Highest20
REngine-2.1.0.jarcpe:2.3:a:rengine_project:rengine:2.1.0:*:*:*:*:*:*:*pkg:maven/org.rosuda.REngine/REngine@2.1.0 0Low24
SparseBitSet-1.3.jarcpe:2.3:a:bit_project:bit:1.3:*:*:*:*:*:*:*pkg:maven/com.zaxxer/SparseBitSet@1.3 0Low28
activation-1.1.jarpkg:maven/javax.activation/activation@1.1 026
all-1.1.2.pompkg:maven/com.github.fommil.netlib/all@1.1.2 011
ant-1.10.14.jarcpe:2.3:a:apache:ant:1.10.14:*:*:*:*:*:*:*pkg:maven/org.apache.ant/ant@1.10.14 0Highest24
antlr-2.7.7.jarpkg:maven/antlr/antlr@2.7.7 024
aopalliance-1.0.jarpkg:maven/aopalliance/aopalliance@1.0 020
arpack_combined_all-0.1.jarcpe:2.3:a:lapack_project:lapack:0.1:*:*:*:*:*:*:*pkg:maven/net.sourceforge.f2j/arpack_combined_all@0.1CRITICAL1Low28
aspectjweaver-1.9.22.1.jarpkg:maven/org.aspectj/aspectjweaver@1.9.22.1 049
baseCode-1.1.23.jarpkg:maven/baseCode/baseCode@1.1.23 037
colt-1.2.0.jarpkg:maven/colt/colt@1.2.0 014
commons-cli-1.7.0.jarpkg:maven/commons-cli/commons-cli@1.7.0 0102
commons-codec-1.16.1.jarpkg:maven/commons-codec/commons-codec@1.16.1 0123
commons-collections4-4.4.jarcpe:2.3:a:apache:commons_collections:4.4:*:*:*:*:*:*:*pkg:maven/org.apache.commons/commons-collections4@4.4 0Highest105
commons-configuration2-2.8.0.jarcpe:2.3:a:apache:commons_configuration:2.8.0:*:*:*:*:*:*:*pkg:maven/org.apache.commons/commons-configuration2@2.8.0MEDIUM2Highest147
commons-csv-1.11.0.jarpkg:maven/org.apache.commons/commons-csv@1.11.0 090
commons-fileupload-1.5.jarcpe:2.3:a:apache:commons_fileupload:1.5:*:*:*:*:*:*:*pkg:maven/commons-fileupload/commons-fileupload@1.5 0Highest115
commons-io-2.16.1.jarcpe:2.3:a:apache:commons_io:2.16.1:*:*:*:*:*:*:*pkg:maven/commons-io/commons-io@2.16.1 0Highest125
commons-lang-2.6.jarpkg:maven/commons-lang/commons-lang@2.6 0122
commons-lang3-3.14.0.jarpkg:maven/org.apache.commons/commons-lang3@3.14.0 0145
commons-logging-1.3.2.jarpkg:maven/commons-logging/commons-logging@1.3.2 0129
commons-logging-api-1.1.jarpkg:maven/commons-logging/commons-logging-api@1.1 0105
commons-math3-3.6.1.jarpkg:maven/org.apache.commons/commons-math3@3.6.1 0134
commons-net-3.10.0.jarcpe:2.3:a:apache:commons_net:3.10.0:*:*:*:*:*:*:*pkg:maven/commons-net/commons-net@3.10.0 0Highest107
commons-text-1.12.0.jarcpe:2.3:a:apache:commons_text:1.12.0:*:*:*:*:*:*:*pkg:maven/org.apache.commons/commons-text@1.12.0 0Highest73
concurrent-1.3.4.jarpkg:maven/concurrent/concurrent@1.3.4 021
core-1.1.2.jarpkg:maven/com.github.fommil.netlib/core@1.1.2 023
dom4j-2.1.4.jarcpe:2.3:a:dom4j_project:dom4j:2.1.4:*:*:*:*:*:*:*pkg:maven/org.dom4j/dom4j@2.1.4 0Highest21
ehcache-core-2.4.3.jarpkg:maven/net.sf.ehcache/ehcache-core@2.4.3 027
gemma-gsec-0.0.16.jarpkg:maven/pavlab/gemma-gsec@0.0.16 034
hibernate-commons-annotations-4.0.2.Final.jarpkg:maven/org.hibernate.common/hibernate-commons-annotations@4.0.2.Final 047
hibernate-core-4.2.21.Final.jarcpe:2.3:a:hibernate:hibernate_orm:4.2.21:*:*:*:*:*:*:*pkg:maven/org.hibernate/hibernate-core@4.2.21.FinalHIGH2Low37
hibernate-jpa-2.0-api-1.0.1.Final.jarpkg:maven/org.hibernate.javax.persistence/hibernate-jpa-2.0-api@1.0.1.Final 045
hibernate-search-engine-4.4.6.Final.jarcpe:2.3:a:hibernate:hibernate_orm:4.4.6:*:*:*:*:*:*:*pkg:maven/org.hibernate/hibernate-search-engine@4.4.6.FinalHIGH2Low30
hibernate-search-orm-4.4.6.Final.jarcpe:2.3:a:hibernate:hibernate_orm:4.4.6:*:*:*:*:*:*:*pkg:maven/org.hibernate/hibernate-search-orm@4.4.6.FinalHIGH2Highest24
httpclient-4.5.14.jarcpe:2.3:a:apache:httpclient:4.5.14:*:*:*:*:*:*:*pkg:maven/org.apache.httpcomponents/httpclient@4.5.14 0Highest32
httpcore-4.4.16.jarpkg:maven/org.apache.httpcomponents/httpcore@4.4.16 032
jackson-core-2.17.1.jarcpe:2.3:a:fasterxml:jackson-modules-java8:2.17.1:*:*:*:*:*:*:*pkg:maven/com.fasterxml.jackson.core/jackson-core@2.17.1 0Low47
jackson-databind-2.17.1.jarcpe:2.3:a:fasterxml:jackson-databind:2.17.1:*:*:*:*:*:*:*
cpe:2.3:a:fasterxml:jackson-modules-java8:2.17.1:*:*:*:*:*:*:*
pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.17.1 0Highest41
javassist-3.30.2-GA.jarpkg:maven/org.javassist/javassist@3.30.2-GA 059
javax.activation-api-1.2.0.jarpkg:maven/javax.activation/javax.activation-api@1.2.0 039
javax.mail-1.6.2.jarpkg:maven/com.sun.mail/javax.mail@1.6.2 042
javax.resource-api-1.7.1.jarpkg:maven/javax.resource/javax.resource-api@1.7.1 048
javax.transaction-api-1.3.jarpkg:maven/javax.transaction/javax.transaction-api@1.3 048
jaxb-api-2.3.1.jarpkg:maven/javax.xml.bind/jaxb-api@2.3.1 035
jboss-ejb3x-4.2.2.GA.jarpkg:maven/jboss/jboss-ejb3x@4.2.2.GA 016
jboss-logging-3.1.0.GA.jarpkg:maven/org.jboss.logging/jboss-logging@3.1.0.GA 036
jboss-transaction-api_1.1_spec-1.0.1.Final.jarpkg:maven/org.jboss.spec.javax.transaction/jboss-transaction-api_1.1_spec@1.0.1.Final 039
jena-core-2.13.0.jarcpe:2.3:a:apache:jena:2.13.0:*:*:*:*:*:*:*pkg:maven/org.apache.jena/jena-core@2.13.0HIGH1Highest26
jena-iri-1.1.2.jarcpe:2.3:a:apache:jena:1.1.2:*:*:*:*:*:*:*pkg:maven/org.apache.jena/jena-iri@1.1.2HIGH1Highest26
jfreechart-1.5.4.jarcpe:2.3:a:time_project:time:1.5.4:*:*:*:*:*:*:*pkg:maven/org.jfree/jfreechart@1.5.4HIGH3Low37
jniloader-1.1.jarpkg:maven/com.github.fommil/jniloader@1.1 032
jsr305-3.0.2.jarpkg:maven/com.google.code.findbugs/jsr305@3.0.2 017
log4j-core-2.23.1.jarcpe:2.3:a:apache:log4j:2.23.1:*:*:*:*:*:*:*pkg:maven/org.apache.logging.log4j/log4j-core@2.23.1 0Highest40
log4j-slf4j-impl-2.23.1.jarpkg:maven/org.apache.logging.log4j/log4j-slf4j-impl@2.23.1 036
lombok-1.18.32.jarpkg:maven/org.projectlombok/lombok@1.18.32 036
lombok-1.18.32.jar: mavenEcjBootstrapAgent.jar 07
lucene-analyzers-3.6.2.jarpkg:maven/org.apache.lucene/lucene-analyzers@3.6.2 023
lucene-core-3.6.2.jarpkg:maven/org.apache.lucene/lucene-core@3.6.2 024
lucene-facet-3.6.2.jarpkg:maven/org.apache.lucene/lucene-facet@3.6.2 027
lucene-grouping-3.6.2.jarpkg:maven/org.apache.lucene/lucene-grouping@3.6.2 026
lucene-highlighter-3.6.2.jarpkg:maven/org.apache.lucene/lucene-highlighter@3.6.2 024
lucene-kuromoji-3.6.2.jarpkg:maven/org.apache.lucene/lucene-kuromoji@3.6.2 023
lucene-memory-3.6.2.jarpkg:maven/org.apache.lucene/lucene-memory@3.6.2 027
lucene-misc-3.6.2.jarpkg:maven/org.apache.lucene/lucene-misc@3.6.2 025
lucene-phonetic-3.6.2.jarpkg:maven/org.apache.lucene/lucene-phonetic@3.6.2 025
lucene-smartcn-3.6.2.jarpkg:maven/org.apache.lucene/lucene-smartcn@3.6.2 023
lucene-spatial-3.6.2.jarpkg:maven/org.apache.lucene/lucene-spatial@3.6.2 025
lucene-spellchecker-3.6.2.jarpkg:maven/org.apache.lucene/lucene-spellchecker@3.6.2 026
lucene-stempel-3.6.2.jarpkg:maven/org.apache.lucene/lucene-stempel@3.6.2 025
metrics-core-4.2.25.jarpkg:maven/io.dropwizard.metrics/metrics-core@4.2.25 027
metrics-jmx-4.2.25.jarpkg:maven/io.dropwizard.metrics/metrics-jmx@4.2.25 029
micrometer-commons-1.13.0.jarpkg:maven/io.micrometer/micrometer-commons@1.13.0 065
micrometer-core-1.13.0.jarpkg:maven/io.micrometer/micrometer-core@1.13.0 067
micrometer-observation-1.13.0.jarpkg:maven/io.micrometer/micrometer-observation@1.13.0 065
micrometer-registry-jmx-1.13.0.jarpkg:maven/io.micrometer/micrometer-registry-jmx@1.13.0 065
mtj-1.0.4.jarpkg:maven/com.googlecode.matrix-toolkits-java/mtj@1.0.4 029
mysql-connector-j-8.4.0.jarcpe:2.3:a:mysql:mysql:8.4.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:mysql_connector\/j:8.4.0:*:*:*:*:*:*:*
pkg:maven/com.mysql/mysql-connector-j@8.4.0 0Highest52
native_ref-java-1.1.jarpkg:maven/com.github.fommil.netlib/native_ref-java@1.1 022
native_system-java-1.1.jarpkg:maven/com.github.fommil.netlib/native_system-java@1.1 022
netlib-native_ref-linux-armhf-1.1-natives.jarpkg:maven/com.github.fommil.netlib/netlib-native_ref-linux-armhf@1.1 011
netlib-native_ref-linux-i686-1.1-natives.jarpkg:maven/com.github.fommil.netlib/netlib-native_ref-linux-i686@1.1 011
netlib-native_ref-linux-x86_64-1.1-natives.jarpkg:maven/com.github.fommil.netlib/netlib-native_ref-linux-x86_64@1.1 011
netlib-native_ref-osx-x86_64-1.1-natives.jarpkg:maven/com.github.fommil.netlib/netlib-native_ref-osx-x86_64@1.1 011
netlib-native_ref-win-i686-1.1-natives.jarpkg:maven/com.github.fommil.netlib/netlib-native_ref-win-i686@1.1 011
netlib-native_ref-win-x86_64-1.1-natives.jarpkg:maven/com.github.fommil.netlib/netlib-native_ref-win-x86_64@1.1 011
netlib-native_system-linux-armhf-1.1-natives.jarpkg:maven/com.github.fommil.netlib/netlib-native_system-linux-armhf@1.1 011
netlib-native_system-linux-i686-1.1-natives.jarpkg:maven/com.github.fommil.netlib/netlib-native_system-linux-i686@1.1 011
netlib-native_system-linux-x86_64-1.1-natives.jarpkg:maven/com.github.fommil.netlib/netlib-native_system-linux-x86_64@1.1 011
netlib-native_system-osx-x86_64-1.1-natives.jarpkg:maven/com.github.fommil.netlib/netlib-native_system-osx-x86_64@1.1 011
netlib-native_system-win-i686-1.1-natives.jarpkg:maven/com.github.fommil.netlib/netlib-native_system-win-i686@1.1 011
netlib-native_system-win-x86_64-1.1-natives.jarpkg:maven/com.github.fommil.netlib/netlib-native_system-win-x86_64@1.1 011
opencsv-5.9.jarpkg:maven/com.opencsv/opencsv@5.9 034
org.geneontology-1.002.jarpkg:maven/obo/org.geneontology@1.002 018
poi-5.2.5.jarcpe:2.3:a:apache:poi:5.2.5:*:*:*:*:*:*:*pkg:maven/org.apache.poi/poi@5.2.5 0Highest35
protobuf-java-3.25.1.jarcpe:2.3:a:google:protobuf-java:3.25.1:*:*:*:*:*:*:*
cpe:2.3:a:protobuf:protobuf:3.25.1:*:*:*:*:*:*:*
pkg:maven/com.google.protobuf/protobuf-java@3.25.1 0Highest25
slf4j-api-1.7.36.jarpkg:maven/org.slf4j/slf4j-api@1.7.36 029
solr-core-3.6.2.jarcpe:2.3:a:apache:solr:3.6.2:*:*:*:*:*:*:*pkg:maven/org.apache.solr/solr-core@3.6.2CRITICAL*20Highest26
solr-solrj-3.6.2.jarcpe:2.3:a:apache:solr:3.6.2:*:*:*:*:*:*:*pkg:maven/org.apache.solr/solr-solrj@3.6.2CRITICAL*19Highest25
spring-core-3.2.18.RELEASE.jarcpe:2.3:a:pivotal_software:spring_framework:3.2.18:release:*:*:*:*:*:*
cpe:2.3:a:springsource:spring_framework:3.2.18:release:*:*:*:*:*:*
cpe:2.3:a:vmware:spring_framework:3.2.18:release:*:*:*:*:*:*
pkg:maven/org.springframework/spring-core@3.2.18.RELEASECRITICAL*11Highest32
spring-expression-3.2.18.RELEASE.jarcpe:2.3:a:pivotal_software:spring_framework:3.2.18:release:*:*:*:*:*:*
cpe:2.3:a:springsource:spring_framework:3.2.18:release:*:*:*:*:*:*
cpe:2.3:a:vmware:spring_framework:3.2.18:release:*:*:*:*:*:*
pkg:maven/org.springframework/spring-expression@3.2.18.RELEASECRITICAL*12Highest34
spring-retry-1.0.3.RELEASE.jarpkg:maven/org.springframework.retry/spring-retry@1.0.3.RELEASE 037
spring-security-acl-3.2.10.RELEASE.jarcpe:2.3:a:pivotal_software:spring_security:3.2.10:release:*:*:*:*:*:*
cpe:2.3:a:vmware:spring_security:3.2.10:release:*:*:*:*:*:*
pkg:maven/org.springframework.security/spring-security-acl@3.2.10.RELEASECRITICAL3Highest34
spring-security-config-3.2.10.RELEASE.jarcpe:2.3:a:pivotal_software:spring_security:3.2.10:release:*:*:*:*:*:*
cpe:2.3:a:vmware:spring_security:3.2.10:release:*:*:*:*:*:*
pkg:maven/org.springframework.security/spring-security-config@3.2.10.RELEASECRITICAL5Highest37
spring-security-core-3.2.10.RELEASE.jarcpe:2.3:a:pivotal_software:spring_security:3.2.10:release:*:*:*:*:*:*
cpe:2.3:a:vmware:spring_security:3.2.10:release:*:*:*:*:*:*
pkg:maven/org.springframework.security/spring-security-core@3.2.10.RELEASECRITICAL6Highest34
swagger-annotations-2.2.22.jarcpe:2.3:a:http-swagger_project:http-swagger:2.2.22:*:*:*:*:*:*:*pkg:maven/io.swagger.core.v3/swagger-annotations@2.2.22 0Low38
velocity-engine-core-2.3.jar (shaded: commons-io:commons-io:2.8.0)cpe:2.3:a:apache:commons_io:2.8.0:*:*:*:*:*:*:*pkg:maven/commons-io/commons-io@2.8.0 0Highest92
velocity-engine-core-2.3.jarcpe:2.3:a:apache:velocity_engine:2.3:*:*:*:*:*:*:*pkg:maven/org.apache.velocity/velocity-engine-core@2.3 0Highest33
xercesImpl-2.12.2.jarcpe:2.3:a:apache:xerces-j:2.12.2:*:*:*:*:*:*:*
cpe:2.3:a:apache:xerces2_java:2.12.2:*:*:*:*:*:*:*
pkg:maven/xerces/xercesImpl@2.12.2MEDIUM1Low84
xml-apis-1.4.01.jarpkg:maven/xml-apis/xml-apis@1.4.01 087

* indicates the dependency has a known exploited vulnerability

Dependencies (vulnerable)

HdrHistogram-2.2.1.jar

Description:

        HdrHistogram supports the recording and analyzing sampled data value
        counts across a configurable integer value range with configurable value
        precision within the range. Value precision is expressed as the number of
        significant digits in the value recording, and provides control over value
        quantization behavior across the value range and the subsequent value
        resolution at any given level.
    

License:

Public Domain, per Creative Commons CC0: http://creativecommons.org/publicdomain/zero/1.0/
BSD-2-Clause: https://opensource.org/licenses/BSD-2-Clause
File Path: /home/jenkins/.m2/repository/org/hdrhistogram/HdrHistogram/2.2.1/HdrHistogram-2.2.1.jar
MD5: da024c845b9456beec00d8890fd8ef51
SHA1: 0eb1feb351f64176c377772a30174e582c0274d5
SHA256:df6afd38afcf79fc5c8e67087ea953c1b83b040176d5f573db4ce91a260fc07c
Referenced In Project/Scope: Gemma CLI:runtime
HdrHistogram-2.2.1.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/io.micrometer/micrometer-core@1.13.0

Identifiers

HikariCP-4.0.3.jar

Description:

Ultimate JDBC Connection Pool

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/jenkins/.m2/repository/com/zaxxer/HikariCP/4.0.3/HikariCP-4.0.3.jar
MD5: e725642926105cd1bbf4ad7fdff5d5a9
SHA1: 107cbdf0db6780a065f895ae9d8fbf3bb0e1c21f
SHA256:7c024aeff1c1063576d74453513f9de6447d8e624d17f8e27f30a2e97688c6c9
Referenced In Project/Scope: Gemma CLI:compile
HikariCP-4.0.3.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/gemma/gemma-cli@1.31.8-SNAPSHOT

Identifiers

JRI-0.5-0.jar

File Path: /home/jenkins/.m2/repository/RoSuDA/JRI/0.5-0/JRI-0.5-0.jar
MD5: da1c711f9748c288afc2f8574165405f
SHA1: 2d9612a95065c291b2ae41fcac28446aa47a8410
SHA256:bcc4b8bd8edc28aa2fbaec6b441fe44e4ed51fb11a310477928460748cf69a04
Referenced In Project/Scope: Gemma CLI:runtime
JRI-0.5-0.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/baseCode/baseCode@1.1.23

Identifiers

JRIEngine-0.5-0.jar

File Path: /home/jenkins/.m2/repository/RoSuDA/JRIEngine/0.5-0/JRIEngine-0.5-0.jar
MD5: b0cb089fab38efdc95b200ab931b2efb
SHA1: 9751022a2938a4207e178f8c8142d098e4c549d7
SHA256:dd26c4bc37222635388ea5898fc78740f486a384bebcb5ea2fa7e2f4ad453750
Referenced In Project/Scope: Gemma CLI:compile
JRIEngine-0.5-0.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/baseCode/baseCode@1.1.23

Identifiers

CVE-2022-1813  

OS Command Injection in GitHub repository yogeshojha/rengine prior to 1.2.0.
CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

CVSSv2:
  • Base Score: HIGH (7.5)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:3.9/RC:R/MAV:A

References:

Vulnerable Software & Versions:

CVE-2021-39491  

A Cross Site Scripting (XSS) vulnerability exists in Yogesh Ojha reNgine v1.0 via the Scan Engine name file in the Scan Engine deletion confirmation modal box . .
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv2:
  • Base Score: LOW (3.5)
  • Vector: /AV:N/AC:M/Au:S/C:N/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (5.4)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N/E:2.3/RC:R/MAV:A

References:

Vulnerable Software & Versions:

JavaEWAH-0.7.9.jar

Description:

The bit array data structure is implemented in Java as the BitSet class. Unfortunately, this fails to scale without compression.

JavaEWAH is a word-aligned compressed variant of the Java bitset class. It uses a 64-bit run-length encoding (RLE) compression scheme.

The goal of word-aligned compression is not to achieve the best compression, but rather to improve query processing time. Hence, we try to save CPU cycles, maybe at the expense of storage. However, the EWAH scheme we implemented is always more efficient storage-wise than an uncompressed bitmap (implemented in Java as the BitSet class). Unlike some alternatives, javaewah does not rely on a patented scheme. 

License:

Apache 2: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/jenkins/.m2/repository/com/googlecode/javaewah/JavaEWAH/0.7.9/JavaEWAH-0.7.9.jar
MD5: 3186322b6558b126cef0e00bdbd2466c
SHA1: eceaf316a8faf0e794296ebe158ae110c7d72a5a
SHA256:fc499deb9153610f735f75817f1c177978d27a95a18e03d7d3849cfcb35abfc4
Referenced In Project/Scope: Gemma CLI:compile
JavaEWAH-0.7.9.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/gemma/gemma-core@1.31.8-SNAPSHOT

Identifiers

LatencyUtils-2.0.3.jar

Description:

        LatencyUtils is a package that provides latency recording and reporting utilities.
    

License:

Public Domain, per Creative Commons CC0: http://creativecommons.org/publicdomain/zero/1.0/
File Path: /home/jenkins/.m2/repository/org/latencyutils/LatencyUtils/2.0.3/LatencyUtils-2.0.3.jar
MD5: 2ad12e1ef7614cecfb0483fa9ac6da73
SHA1: 769c0b82cb2421c8256300e907298a9410a2a3d3
SHA256:a32a9ffa06b2f4e01c5360f8f9df7bc5d9454a5d373cd8f361347fa5a57165ec
Referenced In Project/Scope: Gemma CLI:runtime
LatencyUtils-2.0.3.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/io.micrometer/micrometer-core@1.13.0

Identifiers

REngine-2.1.0.jar

Description:

REngine API to access R from Java in a backend-independent way.

License:

LGPL v2.1: https://www.gnu.org/licenses/lgpl-2.1.txt
File Path: /home/jenkins/.m2/repository/org/rosuda/REngine/REngine/2.1.0/REngine-2.1.0.jar
MD5: 9377ddb81ad3e37d94926367b410c9fc
SHA1: 73c31209d4ac42d669ccf731e8a1d845f601adac
SHA256:a268b4d1e0aa0c5ab3a79153764beca2d90087904c7d087b33110fa188fe5c04
Referenced In Project/Scope: Gemma CLI:compile
REngine-2.1.0.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/baseCode/baseCode@1.1.23

Identifiers

SparseBitSet-1.3.jar

Description:

An efficient sparse bitset implementation for Java

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/jenkins/.m2/repository/com/zaxxer/SparseBitSet/1.3/SparseBitSet-1.3.jar
MD5: fbe27bb4c05e8719b7fff5aa71a57364
SHA1: 533eac055afe3d5f614ea95e333afd6c2bde8f26
SHA256:f76b85adb0c00721ae267b7cfde4da7f71d3121cc2160c9fc00c0c89f8c53c8a
Referenced In Project/Scope: Gemma CLI:compile
SparseBitSet-1.3.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/baseCode/baseCode@1.1.23

Identifiers

activation-1.1.jar

Description:

    JavaBeans Activation Framework (JAF) is a standard extension to the Java platform that lets you take advantage of standard services to: determine the type of an arbitrary piece of data; encapsulate access to it; discover the operations available on it; and instantiate the appropriate bean to perform the operation(s).
  

License:

Common Development and Distribution License (CDDL) v1.0: https://glassfish.dev.java.net/public/CDDLv1.0.html
File Path: /home/jenkins/.m2/repository/javax/activation/activation/1.1/activation-1.1.jar
MD5: 8ae38e87cd4f86059c0294a8fe3e0b18
SHA1: e6cb541461c2834bdea3eb920f1884d1eb508b50
SHA256:2881c79c9d6ef01c58e62beea13e9d1ac8b8baa16f2fc198ad6e6776defdcdd3
Referenced In Project/Scope: Gemma CLI:runtime
activation-1.1.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/gemma/gemma-core@1.31.8-SNAPSHOT

Identifiers

all-1.1.2.pom

File Path: /home/jenkins/.m2/repository/com/github/fommil/netlib/all/1.1.2/all-1.1.2.pom
MD5: b60dd3450b3a8d030f4799dcb273f846
SHA1: f235011206ac009adad2d6607f222649aba5ca9e
SHA256:cced6c7973b2f43c84944f21e45f292c94af566f1d6b45915264acb080dd6b67
all-1.1.2.pom is in the transitive dependency tree of the listed items.Included by: pkg:maven/baseCode/baseCode@1.1.23

Identifiers

ant-1.10.14.jar

File Path: /home/jenkins/.m2/repository/org/apache/ant/ant/1.10.14/ant-1.10.14.jar
MD5: 263e00d844d0e4efa54440ec5ed6362a
SHA1: 1edce9bbfa60dfd51f010879c78f4421dafae7a7
SHA256:4cbbd9243de4c1042d61d9a15db4c43c90ff93b16d78b39481da1c956c8e9671
Referenced In Project/Scope: Gemma CLI:compile
ant-1.10.14.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/gemma/gemma-cli@1.31.8-SNAPSHOT

Identifiers

antlr-2.7.7.jar

Description:

    A framework for constructing recognizers, compilers,
    and translators from grammatical descriptions containing
    Java, C#, C++, or Python actions.
  

License:

BSD License: http://www.antlr.org/license.html
File Path: /home/jenkins/.m2/repository/antlr/antlr/2.7.7/antlr-2.7.7.jar
MD5: f8f1352c52a4c6a500b597596501fc64
SHA1: 83cd2cd674a217ade95a4bb83a8a14f351f48bd0
SHA256:88fbda4b912596b9f56e8e12e580cc954bacfb51776ecfddd3e18fc1cf56dc4c
Referenced In Project/Scope: Gemma CLI:compile
antlr-2.7.7.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/org.hibernate/hibernate-core@4.2.21.Final

Identifiers

aopalliance-1.0.jar

Description:

AOP Alliance

License:

Public Domain
File Path: /home/jenkins/.m2/repository/aopalliance/aopalliance/1.0/aopalliance-1.0.jar
MD5: 04177054e180d09e3998808efa0401c7
SHA1: 0235ba8b489512805ac13a8f9ea77a1ca5ebe3e8
SHA256:0addec670fedcd3f113c5c8091d783280d23f75e3acb841b61a9cdb079376a08
Referenced In Project/Scope: Gemma CLI:compile
aopalliance-1.0.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/pavlab/gemma-gsec@0.0.16

Identifiers

arpack_combined_all-0.1.jar

Description:

Java APIs for the BLAS, LAPACK, and ARPACK Fortran libraries as translated through F2J.

License:

The BSD License: http://www.opensource.org/licenses/bsd-license.php
File Path: /home/jenkins/.m2/repository/net/sourceforge/f2j/arpack_combined_all/0.1/arpack_combined_all-0.1.jar
MD5: 83d82dd480da2aeba6429e746453ec0b
SHA1: 225619a060b42605b4d9fd4af11815664abf26eb
SHA256:9964fb948ef213548a79b23dd480af9d72f1450824fa006bbfea211ac1ffa6dc
Referenced In Project/Scope: Gemma CLI:compile
arpack_combined_all-0.1.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/baseCode/baseCode@1.1.23

Identifiers

CVE-2021-4048  

An out-of-bounds read flaw was found in the CLARRV, DLARRV, SLARRV, and ZLARRV functions in lapack through version 3.10.0, as also used in OpenBLAS before version 0.3.18. Specially crafted inputs passed to these functions could cause an application using lapack to crash or possibly disclose portions of its memory.
CWE-125 Out-of-bounds Read

CVSSv2:
  • Base Score: MEDIUM (6.4)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:P
CVSSv3:
  • Base Score: CRITICAL (9.1)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H/E:3.9/RC:R/MAV:A

References:

Vulnerable Software & Versions: (show all)

aspectjweaver-1.9.22.1.jar

Description:

The AspectJ weaver applies aspects to Java classes. It can be used as a Java agent in order to apply load-time
		weaving (LTW) during class-loading and also contains the AspectJ runtime classes.

License:

Eclipse Public License - v 2.0: https://www.eclipse.org/org/documents/epl-2.0/EPL-2.0.txt
File Path: /home/jenkins/.m2/repository/org/aspectj/aspectjweaver/1.9.22.1/aspectjweaver-1.9.22.1.jar
MD5: f2edbc088126174a11b68279bd26c6eb
SHA1: bca243d0af0db4758fbae45c5f4995cb5dabb612
SHA256:cd2dd01ec2424c05669df4d557f6c6cd7ed87b05257ee3c866b4c5b116b18a78
Referenced In Project/Scope: Gemma CLI:compile
aspectjweaver-1.9.22.1.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/gemma/gemma-cli@1.31.8-SNAPSHOT

Identifiers

baseCode-1.1.23.jar

Description:

		Data structures, math and statistics tools, and utilities that are often needed across projects.
	

License:

The Apache Software License, Version 2.0: https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/jenkins/.m2/repository/baseCode/baseCode/1.1.23/baseCode-1.1.23.jar
MD5: 209fa8b43a8f35843c2dd2657508a350
SHA1: 3d762955f197c680df14a7189201e979bbfa1a59
SHA256:26ac5054f781f5666e96c056f88ccd1e227e90f163bc36b04b48d32ba9ff9fbd
Referenced In Project/Scope: Gemma CLI:compile
baseCode-1.1.23.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/gemma/gemma-cli@1.31.8-SNAPSHOT

Identifiers

colt-1.2.0.jar

File Path: /home/jenkins/.m2/repository/colt/colt/1.2.0/colt-1.2.0.jar
MD5: f6be558e44de25df08b9f515b2a7ffee
SHA1: 0abc984f3adc760684d49e0f11ddf167ba516d4f
SHA256:e1fcbfbdd0d0caedadfb59febace5a62812db3b9425f3a03ef4c4cbba3ed0ee3
Referenced In Project/Scope: Gemma CLI:compile
colt-1.2.0.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/gemma/gemma-cli@1.31.8-SNAPSHOT

Identifiers

commons-cli-1.7.0.jar

Description:

    Apache Commons CLI provides a simple API for presenting, processing and validating a Command Line Interface.
  

License:

https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/jenkins/.m2/repository/commons-cli/commons-cli/1.7.0/commons-cli-1.7.0.jar
MD5: a7843398103e8e4f9e5c037862b0a5c1
SHA1: 6504b3f17e8bc5adc6b6c8deecc90144d0154075
SHA256:ef990c7522ed6caa06265e24317f29ce839f7702938e1aebe8187a0bac19c0d7
Referenced In Project/Scope: Gemma CLI:compile
commons-cli-1.7.0.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/gemma/gemma-cli@1.31.8-SNAPSHOT

Identifiers

commons-codec-1.16.1.jar

Description:

     The Apache Commons Codec component contains encoder and decoders for
     various formats such as Base16, Base32, Base64, digest, and Hexadecimal. In addition to these
     widely used encoders and decoders, the codec package also maintains a
     collection of phonetic encoding utilities.
  

License:

https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/jenkins/.m2/repository/commons-codec/commons-codec/1.16.1/commons-codec-1.16.1.jar
MD5: 6c5be822d8d3fa61c3b54c4c8978dfdc
SHA1: 47bd4d333fba53406f6c6c51884ddbca435c8862
SHA256:ec87bfb55f22cbd1b21e2190eeda28b2b312ed2a431ee49fbdcc01812d04a5e4
Referenced In Project/Scope: Gemma CLI:compile
commons-codec-1.16.1.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/gemma/gemma-core@1.31.8-SNAPSHOT

Identifiers

commons-collections4-4.4.jar

Description:

The Apache Commons Collections package contains types that extend and augment the Java Collections Framework.

License:

https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/jenkins/.m2/repository/org/apache/commons/commons-collections4/4.4/commons-collections4-4.4.jar
MD5: 4a37023740719b391f10030362c86be6
SHA1: 62ebe7544cb7164d87e0637a2a6a2bdc981395e8
SHA256:1df8b9430b5c8ed143d7815e403e33ef5371b2400aadbe9bda0883762e0846d1
Referenced In Project/Scope: Gemma CLI:compile
commons-collections4-4.4.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/gemma/gemma-cli@1.31.8-SNAPSHOT

Identifiers

commons-configuration2-2.8.0.jar

Description:

        Tools to assist in the reading of configuration/preferences files in
        various formats
    

License:

https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/jenkins/.m2/repository/org/apache/commons/commons-configuration2/2.8.0/commons-configuration2-2.8.0.jar
MD5: 4bb1f1ad26727cf5966554cb6b9eb073
SHA1: 6a76acbe14d2c01d4758a57171f3f6a150dbd462
SHA256:e5c46e4b0b1acddbc96651838c19d3df70da92dfb5107a6e4c42cb92d3a300bd
Referenced In Project/Scope: Gemma CLI:compile
commons-configuration2-2.8.0.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/gemma/gemma-cli@1.31.8-SNAPSHOT

Identifiers

CVE-2024-29131 (OSSINDEX)  

Out-of-bounds Write vulnerability in Apache Commons Configuration.This issue affects Apache Commons Configuration: from 2.0 before 2.10.1.

Users are recommended to upgrade to version 2.10.1, which fixes the issue.



Sonatype's research suggests that this CVE's details differ from those defined at NVD. See https://ossindex.sonatype.org/vulnerability/CVE-2024-29131 for details
CWE-787 Out-of-bounds Write

CVSSv3:
  • Base Score: MEDIUM (6.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L

References:

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:org.apache.commons:commons-configuration2:2.8.0:*:*:*:*:*:*:*

CVE-2024-29133 (OSSINDEX)  

Out-of-bounds Write vulnerability in Apache Commons Configuration.This issue affects Apache Commons Configuration: from 2.0 before 2.10.1.

Users are recommended to upgrade to version 2.10.1, which fixes the issue.



Sonatype's research suggests that this CVE's details differ from those defined at NVD. See https://ossindex.sonatype.org/vulnerability/CVE-2024-29133 for details
CWE-787 Out-of-bounds Write

CVSSv3:
  • Base Score: MEDIUM (4.400000095367432)
  • Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L

References:

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:org.apache.commons:commons-configuration2:2.8.0:*:*:*:*:*:*:*

commons-csv-1.11.0.jar

Description:

The Apache Commons CSV library provides a simple interface for reading and writing CSV files of various types.

License:

https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/jenkins/.m2/repository/org/apache/commons/commons-csv/1.11.0/commons-csv-1.11.0.jar
MD5: 670327702ca6f22103531d20d140bc9e
SHA1: 8f2dc805097da534612128b7cdf491a5a76752bf
SHA256:b697fe3f94cfc4f7e2a87bddf78d15cd10d8c86cbe56ae9196a62d6edbf6b76d
Referenced In Project/Scope: Gemma CLI:compile
commons-csv-1.11.0.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/gemma/gemma-core@1.31.8-SNAPSHOT

Identifiers

commons-fileupload-1.5.jar

Description:

    The Apache Commons FileUpload component provides a simple yet flexible means of adding support for multipart
    file upload functionality to servlets and web applications.
  

License:

https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/jenkins/.m2/repository/commons-fileupload/commons-fileupload/1.5/commons-fileupload-1.5.jar
MD5: e57ac8a1a6412886a133a2fa08b89735
SHA1: ad4ad2ab2961b4e1891472bd1a33fabefb0385f3
SHA256:51f7b3dcb4e50c7662994da2f47231519ff99707a5c7fb7b05f4c4d3a1728c14
Referenced In Project/Scope: Gemma CLI:compile
commons-fileupload-1.5.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/gemma/gemma-cli@1.31.8-SNAPSHOT

Identifiers

commons-io-2.16.1.jar

Description:

The Apache Commons IO library contains utility classes, stream implementations, file filters,
file comparators, endian transformation classes, and much more.
  

License:

https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/jenkins/.m2/repository/commons-io/commons-io/2.16.1/commons-io-2.16.1.jar
MD5: ed8191a5a217940140001b0acfed18d9
SHA1: 377d592e740dc77124e0901291dbfaa6810a200e
SHA256:f41f7baacd716896447ace9758621f62c1c6b0a91d89acee488da26fc477c84f
Referenced In Project/Scope: Gemma CLI:compile
commons-io-2.16.1.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/gemma/gemma-cli@1.31.8-SNAPSHOT

Identifiers

commons-lang-2.6.jar

Description:

        Commons Lang, a package of Java utility classes for the
        classes that are in java.lang's hierarchy, or are considered to be so
        standard as to justify existence in java.lang.
    

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/jenkins/.m2/repository/commons-lang/commons-lang/2.6/commons-lang-2.6.jar
MD5: 4d5c1693079575b362edf41500630bbd
SHA1: 0ce1edb914c94ebc388f086c6827e8bdeec71ac2
SHA256:50f11b09f877c294d56f24463f47d28f929cf5044f648661c0f0cfbae9a2f49c
Referenced In Project/Scope: Gemma CLI:compile
commons-lang-2.6.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/gemma/gemma-core@1.31.8-SNAPSHOT

Identifiers

commons-lang3-3.14.0.jar

Description:

  Apache Commons Lang, a package of Java utility classes for the
  classes that are in java.lang's hierarchy, or are considered to be so
  standard as to justify existence in java.lang.
  

License:

https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/jenkins/.m2/repository/org/apache/commons/commons-lang3/3.14.0/commons-lang3-3.14.0.jar
MD5: 4e5c3f5e6b0b965ef241d7d72ac8971f
SHA1: 1ed471194b02f2c6cb734a0cd6f6f107c673afae
SHA256:7b96bf3ee68949abb5bc465559ac270e0551596fa34523fddf890ec418dde13c
Referenced In Project/Scope: Gemma CLI:compile
commons-lang3-3.14.0.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/gemma/gemma-cli@1.31.8-SNAPSHOT

Identifiers

commons-logging-1.3.2.jar

Description:

Apache Commons Logging is a thin adapter allowing configurable bridging to other,
    well-known logging systems.

License:

https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/jenkins/.m2/repository/commons-logging/commons-logging/1.3.2/commons-logging-1.3.2.jar
MD5: 4b970f3b14a5e53d8e8edff1cf2ecd91
SHA1: 3dc966156ef19d23c839715165435e582fafa753
SHA256:6b858424f518015f32bfcd1183a373f4a827d72d026b6031da0c91cf0e8f3489
Referenced In Project/Scope: Gemma CLI:compile
commons-logging-1.3.2.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/gemma/gemma-cli@1.31.8-SNAPSHOT

Identifiers

commons-logging-api-1.1.jar

Description:

Commons Logging is a thin adapter allowing configurable bridging to other,
    well known logging systems.

License:

The Apache Software License, Version 2.0: /LICENSE.txt
File Path: /home/jenkins/.m2/repository/commons-logging/commons-logging-api/1.1/commons-logging-api-1.1.jar
MD5: 4374238076ab08e60e0d296234480837
SHA1: 7d4cf5231d46c8524f9b9ed75bb2d1c69ab93322
SHA256:33a4dd47bb4764e4eb3692d86386d17a0d9827f4f4bb0f70121efab6bc03ba35
Referenced In Project/Scope: Gemma CLI:compile
commons-logging-api-1.1.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/gemma/gemma-cli@1.31.8-SNAPSHOT

Identifiers

commons-math3-3.6.1.jar

Description:

The Apache Commons Math project is a library of lightweight, self-contained mathematics and statistics components addressing the most common practical problems not immediately available in the Java programming language or commons-lang.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/jenkins/.m2/repository/org/apache/commons/commons-math3/3.6.1/commons-math3-3.6.1.jar
MD5: 5b730d97e4e6368069de1983937c508e
SHA1: e4ba98f1d4b3c80ec46392f25e094a6a2e58fcbf
SHA256:1e56d7b058d28b65abd256b8458e3885b674c1d588fa43cd7d1cbb9c7ef2b308
Referenced In Project/Scope: Gemma CLI:compile
commons-math3-3.6.1.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/gemma/gemma-core@1.31.8-SNAPSHOT

Identifiers

commons-net-3.10.0.jar

Description:

Apache Commons Net library contains a collection of network utilities and protocol implementations.
Supported protocols include: Echo, Finger, FTP, NNTP, NTP, POP3(S), SMTP(S), Telnet, Whois.
    

License:

https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/jenkins/.m2/repository/commons-net/commons-net/3.10.0/commons-net-3.10.0.jar
MD5: 84511bcbcbd37725fd1a53360e0c3fd6
SHA1: 86762ea0ac98fd41c91745a32d496a985e2bd5e7
SHA256:2230eec44ef4b8112ea09cbeb6de826977abe792e627cee2770e35ca8c39dce1
Referenced In Project/Scope: Gemma CLI:compile
commons-net-3.10.0.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/gemma/gemma-core@1.31.8-SNAPSHOT

Identifiers

commons-text-1.12.0.jar

Description:

Apache Commons Text is a set of utility functions and reusable components for the purpose of processing
    and manipulating text that should be of use in a Java environment.
  

License:

https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/jenkins/.m2/repository/org/apache/commons/commons-text/1.12.0/commons-text-1.12.0.jar
MD5: 544add6fbc8d4b100b07c3692d08099e
SHA1: 66aa90dc099701c4d3b14bd256c328f592ccf0d6
SHA256:de023257ff166044a56bd1aa9124e843cd05dac5806cc705a9311f3556d5a15f
Referenced In Project/Scope: Gemma CLI:compile
commons-text-1.12.0.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/gemma/gemma-cli@1.31.8-SNAPSHOT

Identifiers

concurrent-1.3.4.jar

License:

Public domain, Sun Microsoystems: >http://gee.cs.oswego.edu/dl/classes/EDU/oswego/cs/dl/util/concurrent/intro.html
File Path: /home/jenkins/.m2/repository/concurrent/concurrent/1.3.4/concurrent-1.3.4.jar
MD5: f29b9d930d3426ebc56919eba10fbd4d
SHA1: 1cf394c2a388199db550cda311174a4c6a7d117c
SHA256:12639def9a5b5ebf56040ab764bd42b7e662523d3b983e5d5da04bf37be152f9
Referenced In Project/Scope: Gemma CLI:compile
concurrent-1.3.4.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/colt/colt@1.2.0

Identifiers

core-1.1.2.jar

File Path: /home/jenkins/.m2/repository/com/github/fommil/netlib/core/1.1.2/core-1.1.2.jar
MD5: ab845840ad73fa2ec1a5025a7c48b97e
SHA1: 574b480eca62f535fad6d259e144fee3ef24b66e
SHA256:5ffaddee0a3f8d09a56064aa05feb95837ddad9d42d9dcc37479c66e869aa139
Referenced In Project/Scope: Gemma CLI:compile
core-1.1.2.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/baseCode/baseCode@1.1.23

Identifiers

dom4j-2.1.4.jar

Description:

flexible XML framework for Java

License:

Plexus: https://github.com/dom4j/dom4j/blob/master/LICENSE
File Path: /home/jenkins/.m2/repository/org/dom4j/dom4j/2.1.4/dom4j-2.1.4.jar
MD5: 8246840e53db2781ca941e4d3f9ad715
SHA1: 35c16721b88cf17b8279fcb134c0abb161cc0e9b
SHA256:235a9167a8a199be04b5326d92927ca0adeb90d11f69fe2e821b34ce8433b591
Referenced In Project/Scope: Gemma CLI:runtime
dom4j-2.1.4.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/gemma/gemma-cli@1.31.8-SNAPSHOT

Identifiers

ehcache-core-2.4.3.jar

Description:

This is the ehcache core module. Pair it with other modules for added
        functionality.
    

License:

The Apache Software License, Version 2.0: src/assemble/EHCACHE-CORE-LICENSE.txt
File Path: /home/jenkins/.m2/repository/net/sf/ehcache/ehcache-core/2.4.3/ehcache-core-2.4.3.jar
MD5: 9d4b1464a2fcbc16ae46740669a0dab8
SHA1: fd258ef6959f27fb678b04f90139ded4588e2d15
SHA256:9b93a12cda08e7ad4d567d2027d292e67ee726da0cbb330f5de0e90aeb1d3fd1
Referenced In Project/Scope: Gemma CLI:compile
ehcache-core-2.4.3.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/gemma/gemma-cli@1.31.8-SNAPSHOT

Identifiers

gemma-gsec-0.0.16.jar

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/jenkins/.m2/repository/pavlab/gemma-gsec/0.0.16/gemma-gsec-0.0.16.jar
MD5: f28b6a8bd682b7e4806493f9e2328f7c
SHA1: 40e5cd542c29de0474c151076c9f604c866a3a9f
SHA256:4ff346e56a7de22605181eb5b05c2445840b62644b376d0ace3adc081f13e650
Referenced In Project/Scope: Gemma CLI:compile
gemma-gsec-0.0.16.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/gemma/gemma-cli@1.31.8-SNAPSHOT

Identifiers

hibernate-commons-annotations-4.0.2.Final.jar

Description:

Common reflection code used in support of annotation processing

License:

GNU LESSER GENERAL PUBLIC LICENSE: http://www.gnu.org/licenses/lgpl-2.1.html
File Path: /home/jenkins/.m2/repository/org/hibernate/common/hibernate-commons-annotations/4.0.2.Final/hibernate-commons-annotations-4.0.2.Final.jar
MD5: 916d4ddfb26db16da75ee8f973fd08ad
SHA1: 0094edcc5572efb02e123cc9ef7ad7d0fa5f76cf
SHA256:ae6b6708a03a144265ac7bf1def64b18def3b6576a8a52d7a6787d9cf00aa0ec
Referenced In Project/Scope: Gemma CLI:compile
hibernate-commons-annotations-4.0.2.Final.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/org.hibernate/hibernate-core@4.2.21.Final

Identifiers

hibernate-core-4.2.21.Final.jar

Description:

A module of the Hibernate O/RM project

License:

GNU Lesser General Public License: http://www.gnu.org/licenses/lgpl-2.1.html
File Path: /home/jenkins/.m2/repository/org/hibernate/hibernate-core/4.2.21.Final/hibernate-core-4.2.21.Final.jar
MD5: 492567c1f36fb3a5968ca2d3c452edaf
SHA1: bb587d00287c13d9e4324bc76c13abbd493efa81
SHA256:7c33583de97e42b95c530e7e4752efbdbd46a566f7708ff0e8cf490203db74e3
Referenced In Project/Scope: Gemma CLI:compile
hibernate-core-4.2.21.Final.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/gemma/gemma-cli@1.31.8-SNAPSHOT

Identifiers

CVE-2020-25638  

A flaw was found in hibernate-core in versions prior to and including 5.4.23.Final. A SQL injection in the implementation of the JPA Criteria API can permit unsanitized literals when a literal is used in the SQL comments of the query. This flaw could allow an attacker to access unauthorized information or possibly conduct further attacks. The highest threat from this vulnerability is to data confidentiality and integrity.
CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVSSv2:
  • Base Score: MEDIUM (5.8)
  • Vector: /AV:N/AC:M/Au:N/C:P/I:P/A:N
CVSSv3:
  • Base Score: HIGH (7.4)
  • Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N/E:2.2/RC:R/MAV:A

References:

Vulnerable Software & Versions: (show all)

CVE-2019-14900  

A flaw was found in Hibernate ORM in versions before 5.3.18, 5.4.18 and 5.5.0.Beta1. A SQL injection in the implementation of the JPA Criteria API can permit unsanitized literals when a literal is used in the SELECT or GROUP BY parts of the query. This flaw could allow an attacker to access unauthorized information or possibly conduct further attacks.
CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVSSv2:
  • Base Score: MEDIUM (4.0)
  • Vector: /AV:N/AC:L/Au:S/C:P/I:N/A:N
CVSSv3:
  • Base Score: MEDIUM (6.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:2.8/RC:R/MAV:A

References:

Vulnerable Software & Versions: (show all)

hibernate-jpa-2.0-api-1.0.1.Final.jar

Description:

        Hibernate definition of the Java Persistence 2.0 (JSR 317) API.
    

License:

license.txt
File Path: /home/jenkins/.m2/repository/org/hibernate/javax/persistence/hibernate-jpa-2.0-api/1.0.1.Final/hibernate-jpa-2.0-api-1.0.1.Final.jar
MD5: d7e7d8f60fc44a127ba702d43e71abec
SHA1: 3306a165afa81938fc3d8a0948e891de9f6b192b
SHA256:bacfb6460317d421aa2906d9e63c293b69dc1a5dac480d0f6416df50796a4bb3
Referenced In Project/Scope: Gemma CLI:compile
hibernate-jpa-2.0-api-1.0.1.Final.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/org.hibernate/hibernate-core@4.2.21.Final

Identifiers

hibernate-search-engine-4.4.6.Final.jar

Description:

the core of the Object/Lucene mapper, query engine and index management

File Path: /home/jenkins/.m2/repository/org/hibernate/hibernate-search-engine/4.4.6.Final/hibernate-search-engine-4.4.6.Final.jar
MD5: 9e9d56601b801f8d22a95f93aa14b599
SHA1: b3395324b7a3ff069ceae3f929805859b6f78cd4
SHA256:c4b6df8b2045f512f65559ad0a0ad370f8dc2a41a1854142c0a826cd3f30d86c
Referenced In Project/Scope: Gemma CLI:compile
hibernate-search-engine-4.4.6.Final.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/gemma/gemma-core@1.31.8-SNAPSHOT

Identifiers

CVE-2020-25638  

A flaw was found in hibernate-core in versions prior to and including 5.4.23.Final. A SQL injection in the implementation of the JPA Criteria API can permit unsanitized literals when a literal is used in the SQL comments of the query. This flaw could allow an attacker to access unauthorized information or possibly conduct further attacks. The highest threat from this vulnerability is to data confidentiality and integrity.
CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVSSv2:
  • Base Score: MEDIUM (5.8)
  • Vector: /AV:N/AC:M/Au:N/C:P/I:P/A:N
CVSSv3:
  • Base Score: HIGH (7.4)
  • Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N/E:2.2/RC:R/MAV:A

References:

Vulnerable Software & Versions: (show all)

CVE-2019-14900  

A flaw was found in Hibernate ORM in versions before 5.3.18, 5.4.18 and 5.5.0.Beta1. A SQL injection in the implementation of the JPA Criteria API can permit unsanitized literals when a literal is used in the SELECT or GROUP BY parts of the query. This flaw could allow an attacker to access unauthorized information or possibly conduct further attacks.
CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVSSv2:
  • Base Score: MEDIUM (4.0)
  • Vector: /AV:N/AC:L/Au:S/C:P/I:N/A:N
CVSSv3:
  • Base Score: MEDIUM (6.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:2.8/RC:R/MAV:A

References:

Vulnerable Software & Versions: (show all)

hibernate-search-orm-4.4.6.Final.jar

Description:

Hibernate Search integration with Hibernate Core

File Path: /home/jenkins/.m2/repository/org/hibernate/hibernate-search-orm/4.4.6.Final/hibernate-search-orm-4.4.6.Final.jar
MD5: 211a4877ef941c8f754e22f049076b27
SHA1: 306bbf61e5c9d5e807cf178f20de09ce65bf088d
SHA256:62703d15aa0d11376b263e0d25abdbc25242975c62260f1795d0eae8ba6990b0
Referenced In Project/Scope: Gemma CLI:compile
hibernate-search-orm-4.4.6.Final.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/gemma/gemma-core@1.31.8-SNAPSHOT

Identifiers

CVE-2020-25638  

A flaw was found in hibernate-core in versions prior to and including 5.4.23.Final. A SQL injection in the implementation of the JPA Criteria API can permit unsanitized literals when a literal is used in the SQL comments of the query. This flaw could allow an attacker to access unauthorized information or possibly conduct further attacks. The highest threat from this vulnerability is to data confidentiality and integrity.
CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVSSv2:
  • Base Score: MEDIUM (5.8)
  • Vector: /AV:N/AC:M/Au:N/C:P/I:P/A:N
CVSSv3:
  • Base Score: HIGH (7.4)
  • Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N/E:2.2/RC:R/MAV:A

References:

Vulnerable Software & Versions: (show all)

CVE-2019-14900  

A flaw was found in Hibernate ORM in versions before 5.3.18, 5.4.18 and 5.5.0.Beta1. A SQL injection in the implementation of the JPA Criteria API can permit unsanitized literals when a literal is used in the SELECT or GROUP BY parts of the query. This flaw could allow an attacker to access unauthorized information or possibly conduct further attacks.
CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVSSv2:
  • Base Score: MEDIUM (4.0)
  • Vector: /AV:N/AC:L/Au:S/C:P/I:N/A:N
CVSSv3:
  • Base Score: MEDIUM (6.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:2.8/RC:R/MAV:A

References:

Vulnerable Software & Versions: (show all)

httpclient-4.5.14.jar

Description:

   Apache HttpComponents Client
  

File Path: /home/jenkins/.m2/repository/org/apache/httpcomponents/httpclient/4.5.14/httpclient-4.5.14.jar
MD5: 2cb357c4b763f47e58af6cad47df6ba3
SHA1: 1194890e6f56ec29177673f2f12d0b8e627dec98
SHA256:c8bc7e1c51a6d4ce72f40d2ebbabf1c4b68bfe76e732104b04381b493478e9d6
Referenced In Project/Scope: Gemma CLI:compile
httpclient-4.5.14.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/baseCode/baseCode@1.1.23

Identifiers

httpcore-4.4.16.jar

Description:

   Apache HttpComponents Core (blocking I/O)
  

File Path: /home/jenkins/.m2/repository/org/apache/httpcomponents/httpcore/4.4.16/httpcore-4.4.16.jar
MD5: 28d2cd9bf8789fd2ec774fb88436ebd1
SHA1: 51cf043c87253c9f58b539c9f7e44c8894223850
SHA256:6c9b3dd142a09dc468e23ad39aad6f75a0f2b85125104469f026e52a474e464f
Referenced In Project/Scope: Gemma CLI:compile
httpcore-4.4.16.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/baseCode/baseCode@1.1.23

Identifiers

jackson-core-2.17.1.jar

Description:

Core Jackson processing abstractions (aka Streaming API), implementation for JSON

License:

The Apache Software License, Version 2.0: https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/jenkins/.m2/repository/com/fasterxml/jackson/core/jackson-core/2.17.1/jackson-core-2.17.1.jar
MD5: 9363584821290882417f1c3ceab784df
SHA1: 5e52a11644cd59a28ef79f02bddc2cc3bab45edb
SHA256:ddb26c8a1f1a84535e8213c48b35b253370434e3287b3cf15777856fc4e58ce6
Referenced In Project/Scope: Gemma CLI:compile
jackson-core-2.17.1.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/gemma/gemma-cli@1.31.8-SNAPSHOT

Identifiers

jackson-databind-2.17.1.jar

Description:

General data-binding functionality for Jackson: works on core streaming API

License:

The Apache Software License, Version 2.0: https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/jenkins/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.17.1/jackson-databind-2.17.1.jar
MD5: f0a1c37dc7d937f14e183d84f15c0f83
SHA1: 0524dcbcccdde7d45a679dfc333e4763feb09079
SHA256:b6ca2f7d5b1ab245cec5495ec339773d2d90554c48592590673fb18f4400a948
Referenced In Project/Scope: Gemma CLI:compile
jackson-databind-2.17.1.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/gemma/gemma-cli@1.31.8-SNAPSHOT

Identifiers

javassist-3.30.2-GA.jar

Description:

    Javassist (JAVA programming ASSISTant) makes Java bytecode manipulation
    simple. It is a class library for editing bytecodes in Java.
  

License:

MPL 1.1: https://www.mozilla.org/en-US/MPL/1.1/
LGPL 2.1: https://www.gnu.org/licenses/lgpl-2.1.html
Apache License 2.0: https://www.apache.org/licenses/LICENSE-2.0
File Path: /home/jenkins/.m2/repository/org/javassist/javassist/3.30.2-GA/javassist-3.30.2-GA.jar
MD5: f5b827b8ddec0629cc7a6d7dafc45999
SHA1: 284580b5e42dfa1b8267058566435d9e93fae7f7
SHA256:eba37290994b5e4868f3af98ff113f6244a6b099385d9ad46881307d3cb01aaf
Referenced In Project/Scope: Gemma CLI:runtime
javassist-3.30.2-GA.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/org.hibernate/hibernate-core@4.2.21.Final

Identifiers

javax.activation-api-1.2.0.jar

Description:

JavaBeans Activation Framework API jar

License:

https://github.com/javaee/activation/blob/master/LICENSE.txt
File Path: /home/jenkins/.m2/repository/javax/activation/javax.activation-api/1.2.0/javax.activation-api-1.2.0.jar
MD5: 5e50e56bcf4a3ef3bc758f69f7643c3b
SHA1: 85262acf3ca9816f9537ca47d5adeabaead7cb16
SHA256:43fdef0b5b6ceb31b0424b208b930c74ab58fac2ceeb7b3f6fd3aeb8b5ca4393
Referenced In Project/Scope: Gemma CLI:compile
javax.activation-api-1.2.0.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/gemma/gemma-core@1.31.8-SNAPSHOT

Identifiers

javax.mail-1.6.2.jar

Description:

JavaMail API

License:

https://javaee.github.io/javamail/LICENSE
File Path: /home/jenkins/.m2/repository/com/sun/mail/javax.mail/1.6.2/javax.mail-1.6.2.jar
MD5: 0b81d022797740d72d21620781841374
SHA1: 935151eb71beff17a2ffac15dd80184a99a0514f
SHA256:45b515e7104944c09e45b9c7bb1ce5dff640486374852dd2b2e80cc3752dfa11
Referenced In Project/Scope: Gemma CLI:runtime
javax.mail-1.6.2.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/gemma/gemma-core@1.31.8-SNAPSHOT

Identifiers

javax.resource-api-1.7.1.jar

Description:

Java EE Connector Architecture API

License:

CDDL + GPLv2 with classpath exception: https://oss.oracle.com/licenses/CDDL+GPL-1.1
File Path: /home/jenkins/.m2/repository/javax/resource/javax.resource-api/1.7.1/javax.resource-api-1.7.1.jar
MD5: 41f26638ff807ef37845d6d89ef0e694
SHA1: f86b4d697ecd992ec6c4c6053736db16d41dc57f
SHA256:c75bd698263abd9c8c773e3b433a4da2c983fbc92a0a4ef5fc3286e62f41e411
Referenced In Project/Scope: Gemma CLI:compile
javax.resource-api-1.7.1.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/gemma/gemma-cli@1.31.8-SNAPSHOT

Identifiers

javax.transaction-api-1.3.jar

Description:

Project GlassFish Java Transaction API

License:

CDDL + GPLv2 with classpath exception: https://github.com/javaee/javax.transaction/blob/master/LICENSE
File Path: /home/jenkins/.m2/repository/javax/transaction/javax.transaction-api/1.3/javax.transaction-api-1.3.jar
MD5: 6e9cb1684621821248b6823143ae26c0
SHA1: e006adf5cf3cca2181d16bd640ecb80148ec0fce
SHA256:603df5e4fc1eeae8f5e5d363a8be6c1fa47d0df1df8739a05cbcb9fafd6df2da
Referenced In Project/Scope: Gemma CLI:compile
javax.transaction-api-1.3.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/javax.resource/javax.resource-api@1.7.1

Identifiers

jaxb-api-2.3.1.jar

Description:

JAXB (JSR 222) API

License:

https://oss.oracle.com/licenses/CDDL+GPL-1.1, https://oss.oracle.com/licenses/CDDL+GPL-1.1
File Path: /home/jenkins/.m2/repository/javax/xml/bind/jaxb-api/2.3.1/jaxb-api-2.3.1.jar
MD5: bcf270d320f645ad19f5edb60091e87f
SHA1: 8531ad5ac454cc2deb9d4d32c40c4d7451939b5d
SHA256:88b955a0df57880a26a74708bc34f74dcaf8ebf4e78843a28b50eae945732b06
Referenced In Project/Scope: Gemma CLI:compile
jaxb-api-2.3.1.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/gemma/gemma-core@1.31.8-SNAPSHOT

Identifiers

jboss-ejb3x-4.2.2.GA.jar

Description:

POM was created from install:install-file

File Path: /home/jenkins/.m2/repository/jboss/jboss-ejb3x/4.2.2.GA/jboss-ejb3x-4.2.2.GA.jar
MD5: d16f3d4ae032297b792b42f54879eeb0
SHA1: b11f499d19a6346b1446146307131ec901081bfd
SHA256:17a8db82cd60b9336adc3d13eacc5cf2aaf85f821338503cecad1875e0f6e64c
Referenced In Project/Scope: Gemma CLI:compile
jboss-ejb3x-4.2.2.GA.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/gemma/gemma-core@1.31.8-SNAPSHOT

Identifiers

jboss-logging-3.1.0.GA.jar

Description:

The JBoss Logging Framework

License:

GNU Lesser General Public License, version 2.1: http://www.gnu.org/licenses/lgpl-2.1.txt
File Path: /home/jenkins/.m2/repository/org/jboss/logging/jboss-logging/3.1.0.GA/jboss-logging-3.1.0.GA.jar
MD5: 735bcea3e47fd715900cfb95ec68b50f
SHA1: c71f2856e7b60efe485db39b37a31811e6c84365
SHA256:dea2fe7895033bdbbe2c1688ad08a0588d9d9b0f17d53349081cc20dda31353e
Referenced In Project/Scope: Gemma CLI:compile
jboss-logging-3.1.0.GA.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/org.hibernate/hibernate-core@4.2.21.Final

Identifiers

jboss-transaction-api_1.1_spec-1.0.1.Final.jar

Description:

The Java Transaction 1.1 API classes

License:

Common Development and Distribution License: http://repository.jboss.org/licenses/cddl.txt
GNU General Public License, Version 2 with the Classpath Exception: http://repository.jboss.org/licenses/gpl-2.0-ce.txt
File Path: /home/jenkins/.m2/repository/org/jboss/spec/javax/transaction/jboss-transaction-api_1.1_spec/1.0.1.Final/jboss-transaction-api_1.1_spec-1.0.1.Final.jar
MD5: 679cd909d6130e6bf467b291031e1e2d
SHA1: 18f0e1d42f010a8b53aa447bf274a706d5148852
SHA256:d9ccc72cdcf5450fcb8cc614b4930261d5cc5b40da6b3be783308cebcd100723
Referenced In Project/Scope: Gemma CLI:compile
jboss-transaction-api_1.1_spec-1.0.1.Final.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/org.hibernate/hibernate-core@4.2.21.Final

Identifiers

jena-core-2.13.0.jar

Description:

Jena is a Java framework for building Semantic Web applications. It provides a programmatic environment for RDF, RDFS and OWL, SPARQL and includes a rule-based inference engine.

File Path: /home/jenkins/.m2/repository/org/apache/jena/jena-core/2.13.0/jena-core-2.13.0.jar
MD5: 21d03d936cee3e62c22978cb73115a28
SHA1: 74f2536cd41a23892acd1ef4c016bed29c81994c
SHA256:5423ddf5ca2541311aadad2301743522e52bf86645fbaacc47e3a992aa9bef59
Referenced In Project/Scope: Gemma CLI:compile
jena-core-2.13.0.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/baseCode/baseCode@1.1.23

Identifiers

CVE-2021-39239  

A vulnerability in XML processing in Apache Jena, in versions up to 4.1.0, may allow an attacker to execute XML External Entities (XXE), including exposing the contents of local files to a remote server.
CWE-611 Improper Restriction of XML External Entity Reference

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:3.9/RC:R/MAV:A

References:

Vulnerable Software & Versions:

jena-iri-1.1.2.jar

Description:

    The IRI module provides an implementation of the IRI and URI specifications (RFC 3987 and 3986) which are used across Jena in order to comply with relevant W3C specifications for RDF and SPARQL which require conformance to these specifications.
  

File Path: /home/jenkins/.m2/repository/org/apache/jena/jena-iri/1.1.2/jena-iri-1.1.2.jar
MD5: eca2119771d9114c440014045cbe216b
SHA1: 533fb3ae5e839c84227688e7c92c946131d6886e
SHA256:6ecb4f137f9495cedf6ac5ea799905106955092905996c5674989958c12d6d94
Referenced In Project/Scope: Gemma CLI:compile
jena-iri-1.1.2.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/baseCode/baseCode@1.1.23

Identifiers

CVE-2021-39239  

A vulnerability in XML processing in Apache Jena, in versions up to 4.1.0, may allow an attacker to execute XML External Entities (XXE), including exposing the contents of local files to a remote server.
CWE-611 Improper Restriction of XML External Entity Reference

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:3.9/RC:R/MAV:A

References:

Vulnerable Software & Versions:

jfreechart-1.5.4.jar

Description:

        JFreeChart is a class library, written in Java, for generating charts. 
        Utilising the Java2D API, it supports a wide range of chart types including
        bar charts, pie charts, line charts, XY-plots, time series plots, Sankey charts
        and more.
    

License:

GNU Lesser General Public Licence: http://www.gnu.org/licenses/lgpl.txt
File Path: /home/jenkins/.m2/repository/org/jfree/jfreechart/1.5.4/jfreechart-1.5.4.jar
MD5: 36e760314d688997c7e5ad135a3efc44
SHA1: 9a5edddb05a3ca4fbc0628c594e6641a6f36a3b4
SHA256:cd0649b04b64f2638b55c7c3ac24788ff064b777bbbaf1b952f82ee078ed8b81
Referenced In Project/Scope: Gemma CLI:compile
jfreechart-1.5.4.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/gemma/gemma-cli@1.31.8-SNAPSHOT

Identifiers

CVE-2023-52070 (OSSINDEX)  

JFreeChart v1.5.4 was discovered to be vulnerable to ArrayIndexOutOfBounds via the 'setSeriesNeedle(int index, int type)' method. NOTE: this is disputed by multiple third parties who believe there was not reasonable evidence to determine the existence of a vulnerability. The submission may have been based on a tool that is not sufficiently robust for vulnerability identification.
CWE-129 Improper Validation of Array Index

CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References:

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:org.jfree:jfreechart:1.5.4:*:*:*:*:*:*:*

CVE-2024-22949 (OSSINDEX)  

JFreeChart v1.5.4 was discovered to contain a NullPointerException via the component /chart/annotations/CategoryLineAnnotation. NOTE: this is disputed by multiple third parties who believe there was not reasonable evidence to determine the existence of a vulnerability. The submission may have been based on a tool that is not sufficiently robust for vulnerability identification.
CWE-476 NULL Pointer Dereference

CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References:

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:org.jfree:jfreechart:1.5.4:*:*:*:*:*:*:*

CVE-2024-23076 (OSSINDEX)  

JFreeChart v1.5.4 was discovered to contain a NullPointerException via the component /labels/BubbleXYItemLabelGenerator.java. NOTE: this is disputed by multiple third parties who believe there was not reasonable evidence to determine the existence of a vulnerability. The submission may have been based on a tool that is not sufficiently robust for vulnerability identification.
CWE-476 NULL Pointer Dereference

CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References:

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:org.jfree:jfreechart:1.5.4:*:*:*:*:*:*:*

jniloader-1.1.jar

Description:

Lightweight convenience for loading JNI natives.

License:

LGPL: http://www.gnu.org/licenses/lgpl.txt
File Path: /home/jenkins/.m2/repository/com/github/fommil/jniloader/1.1/jniloader-1.1.jar
MD5: a9f5b7619b4329c6b6588a5d25164949
SHA1: 4840f897eeb54d67ee14e478f8a45cc9937f3ce1
SHA256:2f1def54f30e1db5f1e7f2fd600fe2ab331bd6b52037e9a21505c237020b5573
Referenced In Project/Scope: Gemma CLI:compile
jniloader-1.1.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/baseCode/baseCode@1.1.23

Identifiers

jsr305-3.0.2.jar

Description:

JSR305 Annotations for Findbugs

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/jenkins/.m2/repository/com/google/code/findbugs/jsr305/3.0.2/jsr305-3.0.2.jar
MD5: dd83accb899363c32b07d7a1b2e4ce40
SHA1: 25ea2e8b0c338a877313bd4672d3fe056ea78f0d
SHA256:766ad2a0783f2687962c8ad74ceecc38a28b9f72a2d085ee438b7813e928d0c7
Referenced In Project/Scope: Gemma CLI:compile
jsr305-3.0.2.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/gemma/gemma-cli@1.31.8-SNAPSHOT

Identifiers

log4j-core-2.23.1.jar

Description:

The Apache Log4j Implementation

License:

Apache-2.0: https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/jenkins/.m2/repository/org/apache/logging/log4j/log4j-core/2.23.1/log4j-core-2.23.1.jar
MD5: 34fad2df975cf874a2fdf4b797122f16
SHA1: 905802940e2c78042d75b837c136ac477d2b4e4d
SHA256:7079368005fc34f56248f57f8a8a53361c3a53e9007d556dbc66fc669df081b5
Referenced In Project/Scope: Gemma CLI:compile
log4j-core-2.23.1.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/gemma/gemma-cli@1.31.8-SNAPSHOT

Identifiers

log4j-slf4j-impl-2.23.1.jar

Description:

The Apache Log4j SLF4J API binding to Log4j 2 Core

License:

Apache-2.0: https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/jenkins/.m2/repository/org/apache/logging/log4j/log4j-slf4j-impl/2.23.1/log4j-slf4j-impl-2.23.1.jar
MD5: c5a27e08e18600d379d0ca72d71838b8
SHA1: 9ef67909a1b4eae999af4c7a211ab2379e4b86c2
SHA256:210742c8fb85b0dcc26a9d74a32fbc828e0429087dee3d2920d4a76b1eb96d91
Referenced In Project/Scope: Gemma CLI:runtime
log4j-slf4j-impl-2.23.1.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/gemma/gemma-cli@1.31.8-SNAPSHOT

Identifiers

lombok-1.18.32.jar

Description:

Spice up your java: Automatic Resource Management, automatic generation of getters, setters, equals, hashCode and toString, and more!

License:

The MIT License: https://projectlombok.org/LICENSE
File Path: /home/jenkins/.m2/repository/org/projectlombok/lombok/1.18.32/lombok-1.18.32.jar
MD5: 56e9be7b9a26802ac0c784ad824f3a29
SHA1: 17d46b3e205515e1e8efd3ee4d57ce8018914163
SHA256:97574674e2a25f567a313736ace00df8787d443de316407d57fc877d9f19a65d
Referenced In Project/Scope: Gemma CLI:compile
lombok-1.18.32.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/gemma/gemma-cli@1.31.8-SNAPSHOT

Identifiers

lombok-1.18.32.jar: mavenEcjBootstrapAgent.jar

File Path: /home/jenkins/.m2/repository/org/projectlombok/lombok/1.18.32/lombok-1.18.32.jar/lombok/launch/mavenEcjBootstrapAgent.jar
MD5: 81090c80616485973f6cd4a19d72bbdb
SHA1: ed1e7c8794dea7c7f7050098d56b2751b9f91288
SHA256:e97851350e56f4d1b02356ef61276886831e3a5e33a914ea95e878e2a46df69e
Referenced In Project/Scope: Gemma CLI:compile

Identifiers

  • None

lucene-analyzers-3.6.2.jar

Description:

Additional Analyzers

File Path: /home/jenkins/.m2/repository/org/apache/lucene/lucene-analyzers/3.6.2/lucene-analyzers-3.6.2.jar
MD5: 13f8241b6991bd1349c05369a7c0f002
SHA1: 3a083510dcb0d0fc67f8456cdac6f48aa0da2993
SHA256:82f9f78ff2143f1895ac04500aa47fdac3c52632a08522dde7dbb0f0c082801f
Referenced In Project/Scope: Gemma CLI:compile
lucene-analyzers-3.6.2.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/gemma/gemma-core@1.31.8-SNAPSHOT

Identifiers

lucene-core-3.6.2.jar

Description:

Apache Lucene Java Core

File Path: /home/jenkins/.m2/repository/org/apache/lucene/lucene-core/3.6.2/lucene-core-3.6.2.jar
MD5: ee396d04f5a35557b424025f5382c815
SHA1: 9ec77e2507f9cc01756964c71d91efd8154a8c47
SHA256:cef4436bae85c31417443284f736e321511cd1615268103378a9bf00b1df036d
Referenced In Project/Scope: Gemma CLI:compile
lucene-core-3.6.2.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/gemma/gemma-core@1.31.8-SNAPSHOT

Identifiers

lucene-facet-3.6.2.jar

Description:

    Package for Faceted Indexing and Search
  

File Path: /home/jenkins/.m2/repository/org/apache/lucene/lucene-facet/3.6.2/lucene-facet-3.6.2.jar
MD5: c14d30cca1f61cfcc16678db730516f1
SHA1: 72ae9f9115c4beb5f3e32b71966723a10cf4c083
SHA256:62ad5faecbf0f2da93ce495395d432e02e7715accaa0c074c94ec760e9de60fa
Referenced In Project/Scope: Gemma CLI:compile
lucene-facet-3.6.2.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/gemma/gemma-core@1.31.8-SNAPSHOT

Identifiers

lucene-grouping-3.6.2.jar

Description:

Lucene Grouping Module

File Path: /home/jenkins/.m2/repository/org/apache/lucene/lucene-grouping/3.6.2/lucene-grouping-3.6.2.jar
MD5: 14598baf52660d5a1f282791ce09cc70
SHA1: 77c16722fc1ab2a42634dde6478ed2662c0a061a
SHA256:b1ac49babb6d325105b6646807d9abec97f3007a9bff581870e8f2b882d6dc10
Referenced In Project/Scope: Gemma CLI:compile
lucene-grouping-3.6.2.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/gemma/gemma-core@1.31.8-SNAPSHOT

Identifiers

lucene-highlighter-3.6.2.jar

Description:

    This is the highlighter for apache lucene java
  

File Path: /home/jenkins/.m2/repository/org/apache/lucene/lucene-highlighter/3.6.2/lucene-highlighter-3.6.2.jar
MD5: f75c4869b55c060e2a313f6416ee68cf
SHA1: a90682c6bc0b9e105bd260c9a041fefea9579e46
SHA256:377b2ddcb7c902daf5dd3d22a1ff5b8da4ad6f7fd6c5e5da4731d17a8d935534
Referenced In Project/Scope: Gemma CLI:compile
lucene-highlighter-3.6.2.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/gemma/gemma-core@1.31.8-SNAPSHOT

Identifiers

lucene-kuromoji-3.6.2.jar

Description:

  	 Lucene Kuromoji Japanese Morphological Analyzer
  

File Path: /home/jenkins/.m2/repository/org/apache/lucene/lucene-kuromoji/3.6.2/lucene-kuromoji-3.6.2.jar
MD5: d8d1afc4ab28eee2f775e01b39808e78
SHA1: f117e4b867987406b26069bb0fbd889ace21badd
SHA256:63f249909f29cf7b796a47a3816a72b30b2062ee37d2ce97942dfbc96e409bda
Referenced In Project/Scope: Gemma CLI:compile
lucene-kuromoji-3.6.2.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/gemma/gemma-core@1.31.8-SNAPSHOT

Identifiers

lucene-memory-3.6.2.jar

Description:

    High-performance single-document index to compare against Query
  

File Path: /home/jenkins/.m2/repository/org/apache/lucene/lucene-memory/3.6.2/lucene-memory-3.6.2.jar
MD5: 765143db9e68cf91ac1c2070a2db6769
SHA1: 11846819b2f661b229d6ce861bc857774c0c4cdb
SHA256:d99058d68f4853457f47957a84b7a41078c3afd5a377735d82eaf4fc99f23415
Referenced In Project/Scope: Gemma CLI:compile
lucene-memory-3.6.2.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/gemma/gemma-core@1.31.8-SNAPSHOT

Identifiers

lucene-misc-3.6.2.jar

Description:

Miscellaneous Lucene extensions

File Path: /home/jenkins/.m2/repository/org/apache/lucene/lucene-misc/3.6.2/lucene-misc-3.6.2.jar
MD5: eecbfe3cf5b047a9dab6933ee44f24d9
SHA1: 2e64f8dc9cc1df63f98426aa46aae0f5fe8cee13
SHA256:4f957c6489be9337178167c874074742e39e3b8ea10d8b83de79704415db1642
Referenced In Project/Scope: Gemma CLI:compile
lucene-misc-3.6.2.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/gemma/gemma-core@1.31.8-SNAPSHOT

Identifiers

lucene-phonetic-3.6.2.jar

Description:

Phonetic Analyzer

File Path: /home/jenkins/.m2/repository/org/apache/lucene/lucene-phonetic/3.6.2/lucene-phonetic-3.6.2.jar
MD5: 9bca3c6ca60efa9cbeb097c9fc3f6d30
SHA1: 89268de870916789e041e676a2888c8a7d6e0ea2
SHA256:cc987497e66ba8c12970c080671247f029dadeb2d9ab7dae10363a6bb5430845
Referenced In Project/Scope: Gemma CLI:compile
lucene-phonetic-3.6.2.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/gemma/gemma-core@1.31.8-SNAPSHOT

Identifiers

lucene-smartcn-3.6.2.jar

Description:

Smart Chinese Analyzer

File Path: /home/jenkins/.m2/repository/org/apache/lucene/lucene-smartcn/3.6.2/lucene-smartcn-3.6.2.jar
MD5: 3935444a27b519b8e11b411f81b53446
SHA1: e86dfea83d8fa5062145025c1f06ca27f9a49cab
SHA256:e4f24de68ac692c11fa6c906653599f0c50445f65b8af84d44d27afeeb909735
Referenced In Project/Scope: Gemma CLI:compile
lucene-smartcn-3.6.2.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/gemma/gemma-core@1.31.8-SNAPSHOT

Identifiers

lucene-spatial-3.6.2.jar

Description:

Spatial search package

File Path: /home/jenkins/.m2/repository/org/apache/lucene/lucene-spatial/3.6.2/lucene-spatial-3.6.2.jar
MD5: 85f76ee4b163cc6d13b36e225add5603
SHA1: 52e29032cfadec88dfe604257106ac038260b53b
SHA256:53139893aec0b576f3816592dda7051595759b1848e776d93e5b6efdd8c6f14e
Referenced In Project/Scope: Gemma CLI:compile
lucene-spatial-3.6.2.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/gemma/gemma-core@1.31.8-SNAPSHOT

Identifiers

lucene-spellchecker-3.6.2.jar

Description:

Spell Checker

File Path: /home/jenkins/.m2/repository/org/apache/lucene/lucene-spellchecker/3.6.2/lucene-spellchecker-3.6.2.jar
MD5: a4b684913f93aea76f5dbd7e479f19c5
SHA1: 15db0c0cfee44e275f15ad046e46b9a05910ad24
SHA256:307bb7da7f19b30326ea0163d470597854964796cbfef56b8fc7f9b3241dc609
Referenced In Project/Scope: Gemma CLI:compile
lucene-spellchecker-3.6.2.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/gemma/gemma-core@1.31.8-SNAPSHOT

Identifiers

lucene-stempel-3.6.2.jar

Description:

Stempel Analyzer

File Path: /home/jenkins/.m2/repository/org/apache/lucene/lucene-stempel/3.6.2/lucene-stempel-3.6.2.jar
MD5: 0c87d87198b314ff4afdb8a63c1a702e
SHA1: a0b8b2e20fd04724fbbd6a67037f5a1a98feed72
SHA256:0b9dd990e3515e3f253eae4a6e614bf9c980c2e04211f6529a34b6c6d95b1dc8
Referenced In Project/Scope: Gemma CLI:compile
lucene-stempel-3.6.2.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/gemma/gemma-core@1.31.8-SNAPSHOT

Identifiers

metrics-core-4.2.25.jar

Description:

        Metrics is a Java library which gives you unparalleled insight into what your code does in
        production. Metrics provides a powerful toolkit of ways to measure the behavior of critical
        components in your production environment.
    

License:

https://www.apache.org/licenses/LICENSE-2.0.html
File Path: /home/jenkins/.m2/repository/io/dropwizard/metrics/metrics-core/4.2.25/metrics-core-4.2.25.jar
MD5: f9476a4f1a8287f7a4a2af759c33e44a
SHA1: 76162cb1f7a6f902da4f80e5bcf472078e8cd7e1
SHA256:8bc7de609a2816b78a7a5009bddf11be560ba527d44db74a0a31a6f44fdb5b5f
Referenced In Project/Scope: Gemma CLI:compile
metrics-core-4.2.25.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/io.micrometer/micrometer-registry-jmx@1.13.0

Identifiers

metrics-jmx-4.2.25.jar

Description:

        A set of classes which allow you to report metrics via JMX.
    

License:

https://www.apache.org/licenses/LICENSE-2.0.html
File Path: /home/jenkins/.m2/repository/io/dropwizard/metrics/metrics-jmx/4.2.25/metrics-jmx-4.2.25.jar
MD5: b8ec52ac806adc0f8dcd3cbc855b9f42
SHA1: 8d57d9f33530fef4ed3489dc8d1351deb18d1f15
SHA256:6b6956f8eecc18b3712e266fccde58bc0844169e79214cea9d0f6dcc822ec714
Referenced In Project/Scope: Gemma CLI:compile
metrics-jmx-4.2.25.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/io.micrometer/micrometer-registry-jmx@1.13.0

Identifiers

micrometer-commons-1.13.0.jar

Description:

Module containing common code

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/jenkins/.m2/repository/io/micrometer/micrometer-commons/1.13.0/micrometer-commons-1.13.0.jar
MD5: 92e95856a39f7b1319d1cb9131f1bfc5
SHA1: 156a59aff8d72c5e631eb4a2d739373ed5881609
SHA256:039aef255b5092561fdf649367fd0ff9af8da00aadb25f0c60cf30ebad8dceb8
Referenced In Project/Scope: Gemma CLI:compile
micrometer-commons-1.13.0.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/io.micrometer/micrometer-core@1.13.0

Identifiers

micrometer-core-1.13.0.jar

Description:

Core module of Micrometer containing instrumentation API and implementation

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/jenkins/.m2/repository/io/micrometer/micrometer-core/1.13.0/micrometer-core-1.13.0.jar
MD5: cc5834ef064a952d17392cbc0216d8c8
SHA1: d7ed656fbc54fde5a03d978fc0d66f270cc4a997
SHA256:1ced414878f151d08617b47732fa67a5d06b47b63903e2722f40e2294e883643
Referenced In Project/Scope: Gemma CLI:compile
micrometer-core-1.13.0.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/gemma/gemma-cli@1.31.8-SNAPSHOT

Identifiers

micrometer-observation-1.13.0.jar

Description:

Module containing Observation related code

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/jenkins/.m2/repository/io/micrometer/micrometer-observation/1.13.0/micrometer-observation-1.13.0.jar
MD5: 9a5c0482f47a2fb1b1f9812ae2e251d4
SHA1: 5aa75fbb4367dc3b28e557d14535d21335dc8985
SHA256:33e7c9de55ef34ae502a2ad6c4c9786563b6d44eca2cbd2b832911594b378858
Referenced In Project/Scope: Gemma CLI:compile
micrometer-observation-1.13.0.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/io.micrometer/micrometer-core@1.13.0

Identifiers

micrometer-registry-jmx-1.13.0.jar

Description:

Application monitoring instrumentation facade

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/jenkins/.m2/repository/io/micrometer/micrometer-registry-jmx/1.13.0/micrometer-registry-jmx-1.13.0.jar
MD5: ee24c9ffae39c0984582c5e68edba3ae
SHA1: 61e1dfeafa02d4b057d8bdfd48092d44a9835f2c
SHA256:521334321adb38bf27e2f818b7d02d34b6737930b186e186594873bf2c346299
Referenced In Project/Scope: Gemma CLI:compile
micrometer-registry-jmx-1.13.0.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/gemma/gemma-cli@1.31.8-SNAPSHOT

Identifiers

mtj-1.0.4.jar

Description:

A comprehensive collection of matrix data structures, linear solvers, least squares methods,
        eigenvalue, and singular value decompositions.
    

License:

GNU Lesser General Public License: http://www.gnu.org/licenses/lgpl.html
File Path: /home/jenkins/.m2/repository/com/googlecode/matrix-toolkits-java/mtj/1.0.4/mtj-1.0.4.jar
MD5: 846c7a7311d492c6102afd23647f46cc
SHA1: e14ed840ff5e15de92dba2d1af29201fa70a0f35
SHA256:27a53db335bc6af524b30f97ec3fb4b6df65e7648d70e752447c7dd9bc4697c8
Referenced In Project/Scope: Gemma CLI:compile
mtj-1.0.4.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/baseCode/baseCode@1.1.23

Identifiers

mysql-connector-j-8.4.0.jar

Description:

JDBC Type 4 driver for MySQL.

License:

The GNU General Public License, v2 with Universal FOSS Exception, v1.0
File Path: /home/jenkins/.m2/repository/com/mysql/mysql-connector-j/8.4.0/mysql-connector-j-8.4.0.jar
MD5: 2607d710106276083d26e6a1505948d7
SHA1: b1bc0f47bcad26ad5f9bceefb63fcb920d868fca
SHA256:d77962877d010777cff997015da90ee689f0f4bb76848340e1488f2b83332af5
Referenced In Project/Scope: Gemma CLI:compile
mysql-connector-j-8.4.0.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/gemma/gemma-cli@1.31.8-SNAPSHOT

Identifiers

native_ref-java-1.1.jar

File Path: /home/jenkins/.m2/repository/com/github/fommil/netlib/native_ref-java/1.1/native_ref-java-1.1.jar
MD5: 1aac8a554c0a9b36340e8eba1c8a8ba9
SHA1: 408c71ffbc3646dda7bee1e22bf19101e5e9ee90
SHA256:120ca95d3a7b4646f44c3bcebdf7a149ec4f8cccf731a13bd84da103b836e236
Referenced In Project/Scope: Gemma CLI:compile
native_ref-java-1.1.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/baseCode/baseCode@1.1.23

Identifiers

native_system-java-1.1.jar

File Path: /home/jenkins/.m2/repository/com/github/fommil/netlib/native_system-java/1.1/native_system-java-1.1.jar
MD5: 7244aab504c9fdce6c320498459b9432
SHA1: 3c6a2455f96b354a6940dce1393abb35ed7641da
SHA256:2414fc6e29b73ba40e0df21ab9618e4f5dc5ac66aab32bd81ee213a68796155d
Referenced In Project/Scope: Gemma CLI:compile
native_system-java-1.1.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/baseCode/baseCode@1.1.23

Identifiers

netlib-native_ref-linux-armhf-1.1-natives.jar

File Path: /home/jenkins/.m2/repository/com/github/fommil/netlib/netlib-native_ref-linux-armhf/1.1/netlib-native_ref-linux-armhf-1.1-natives.jar
MD5: e2ff3e665c6eea38eb975e2ecf1abaa7
SHA1: ec467162f74710fd8897cff6888534ceaf297d9a
SHA256:1d9ff5c35a542f598bd8d01c12d838ac4f457beae528f0b1930f21c0bff3eaae
Referenced In Project/Scope: Gemma CLI:compile
netlib-native_ref-linux-armhf-1.1-natives.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/baseCode/baseCode@1.1.23

Identifiers

netlib-native_ref-linux-i686-1.1-natives.jar

File Path: /home/jenkins/.m2/repository/com/github/fommil/netlib/netlib-native_ref-linux-i686/1.1/netlib-native_ref-linux-i686-1.1-natives.jar
MD5: 101fb0618fbf80d1392d9e6bf2eaa8e1
SHA1: eedd845b214aea560bce317d778ebb52f8f46038
SHA256:bf1dcc3b32a32bde8bd897b8c7da21cbd75b9febb89321a11b4f9a254aeb92ec
Referenced In Project/Scope: Gemma CLI:compile
netlib-native_ref-linux-i686-1.1-natives.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/baseCode/baseCode@1.1.23

Identifiers

netlib-native_ref-linux-x86_64-1.1-natives.jar

File Path: /home/jenkins/.m2/repository/com/github/fommil/netlib/netlib-native_ref-linux-x86_64/1.1/netlib-native_ref-linux-x86_64-1.1-natives.jar
MD5: 950476b98b61793f045aab84f471fb96
SHA1: 05a3e5787d03c39790d5ae08cce189dd1ccc4a38
SHA256:f9034b22e89352ea1ba0c1edfb7529057c6b6acd651babb58839af19897e8ac0
Referenced In Project/Scope: Gemma CLI:compile
netlib-native_ref-linux-x86_64-1.1-natives.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/baseCode/baseCode@1.1.23

Identifiers

netlib-native_ref-osx-x86_64-1.1-natives.jar

File Path: /home/jenkins/.m2/repository/com/github/fommil/netlib/netlib-native_ref-osx-x86_64/1.1/netlib-native_ref-osx-x86_64-1.1-natives.jar
MD5: 38b6cb1ce53e3793c48e1d99848d1600
SHA1: 80da53ec862f283dc3b191b9dbd3166ea6671831
SHA256:fbe45f80be86fb809eb159b75ba45433cbba2b5fb6814758d1f15823b2b17438
Referenced In Project/Scope: Gemma CLI:compile
netlib-native_ref-osx-x86_64-1.1-natives.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/baseCode/baseCode@1.1.23

Identifiers

netlib-native_ref-win-i686-1.1-natives.jar

File Path: /home/jenkins/.m2/repository/com/github/fommil/netlib/netlib-native_ref-win-i686/1.1/netlib-native_ref-win-i686-1.1-natives.jar
MD5: 5f94993d3cffa7a46fb3ac1f5c28afd8
SHA1: 167fb794a26cb0bfc74890c704c7137b1d5b50fd
SHA256:0dcdc8348430365f7d912dcffb13d4c133810fbc3f3334123edb7c7f88990c5f
Referenced In Project/Scope: Gemma CLI:compile
netlib-native_ref-win-i686-1.1-natives.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/baseCode/baseCode@1.1.23

Identifiers

netlib-native_ref-win-x86_64-1.1-natives.jar

File Path: /home/jenkins/.m2/repository/com/github/fommil/netlib/netlib-native_ref-win-x86_64/1.1/netlib-native_ref-win-x86_64-1.1-natives.jar
MD5: d310ba2205a98b5d3219dbe1a66a0301
SHA1: 4ab54511c2844546279d9f8e427c73953b794686
SHA256:322a4d1a9cdfa284b1025b3d85c9ece18605be2caf795abfbaa366eb403fbf32
Referenced In Project/Scope: Gemma CLI:compile
netlib-native_ref-win-x86_64-1.1-natives.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/baseCode/baseCode@1.1.23

Identifiers

netlib-native_system-linux-armhf-1.1-natives.jar

File Path: /home/jenkins/.m2/repository/com/github/fommil/netlib/netlib-native_system-linux-armhf/1.1/netlib-native_system-linux-armhf-1.1-natives.jar
MD5: 09def97e97d35ff4be5692b3d33d4bfc
SHA1: 27ae9f6a9c88b3f8d12ffa52d62941615f8ed416
SHA256:aab65e3a3f3f664496dc512bea38d5ece0723799770f2aa608a4f1410342cb96
Referenced In Project/Scope: Gemma CLI:compile
netlib-native_system-linux-armhf-1.1-natives.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/baseCode/baseCode@1.1.23

Identifiers

netlib-native_system-linux-i686-1.1-natives.jar

File Path: /home/jenkins/.m2/repository/com/github/fommil/netlib/netlib-native_system-linux-i686/1.1/netlib-native_system-linux-i686-1.1-natives.jar
MD5: 93769919423f7fd54ee2347784d2c9d3
SHA1: dd43225560dbd9115d306f9be3ca195aed236b78
SHA256:ecfd3c4e442411be9bc9aa74ea1b28b0fdf201dda00fe4559c68cde6e311520f
Referenced In Project/Scope: Gemma CLI:compile
netlib-native_system-linux-i686-1.1-natives.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/baseCode/baseCode@1.1.23

Identifiers

netlib-native_system-linux-x86_64-1.1-natives.jar

File Path: /home/jenkins/.m2/repository/com/github/fommil/netlib/netlib-native_system-linux-x86_64/1.1/netlib-native_system-linux-x86_64-1.1-natives.jar
MD5: 39de4e1383f61881098e2e66cbb2b475
SHA1: 163e88facabe7fa29952890dc2d3429e28501120
SHA256:9a929390c8c4845a2bff01e7bc0d8381fcc89ebc147c037f877f02b19806d013
Referenced In Project/Scope: Gemma CLI:compile
netlib-native_system-linux-x86_64-1.1-natives.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/baseCode/baseCode@1.1.23

Identifiers

netlib-native_system-osx-x86_64-1.1-natives.jar

File Path: /home/jenkins/.m2/repository/com/github/fommil/netlib/netlib-native_system-osx-x86_64/1.1/netlib-native_system-osx-x86_64-1.1-natives.jar
MD5: ab50d62f2ffd44c4623d915ae11e0f37
SHA1: d724e33675dc8eaa5c8fcb05a3aaca6f3339afa7
SHA256:07230441e6d7985e30e13b4c6844c6388324a971e1d3c5d46880a213b37a4dd1
Referenced In Project/Scope: Gemma CLI:compile
netlib-native_system-osx-x86_64-1.1-natives.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/baseCode/baseCode@1.1.23

Identifiers

netlib-native_system-win-i686-1.1-natives.jar

File Path: /home/jenkins/.m2/repository/com/github/fommil/netlib/netlib-native_system-win-i686/1.1/netlib-native_system-win-i686-1.1-natives.jar
MD5: c83df62ee7516fb876c499921d2da434
SHA1: c25fd1881cf93f7716f47b7deec859f6b6b7be50
SHA256:65b4900fd4fdc6715d3d48cfac2a7809cab5ed626f20e212a747f579bb60a40a
Referenced In Project/Scope: Gemma CLI:compile
netlib-native_system-win-i686-1.1-natives.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/baseCode/baseCode@1.1.23

Identifiers

netlib-native_system-win-x86_64-1.1-natives.jar

File Path: /home/jenkins/.m2/repository/com/github/fommil/netlib/netlib-native_system-win-x86_64/1.1/netlib-native_system-win-x86_64-1.1-natives.jar
MD5: 2de500c3ad6bde324f59977f67dc33cc
SHA1: 222c7915be1daf1c26a4206f375d4957ae5f9d81
SHA256:d855c2fc7d70ffddaac504b556c6cc7c33288d85c173386e47921f44bbb34202
Referenced In Project/Scope: Gemma CLI:compile
netlib-native_system-win-x86_64-1.1-natives.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/baseCode/baseCode@1.1.23

Identifiers

opencsv-5.9.jar

Description:

A simple library for reading and writing CSV in Java

License:

Apache 2: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/jenkins/.m2/repository/com/opencsv/opencsv/5.9/opencsv-5.9.jar
MD5: 8cee3b4e9ebeba7bd2834831a969d97c
SHA1: 284ea0b60a24b71a530100783185e7d547ab5339
SHA256:2023969b86ce968ad8ae549648ac587d141c19ae684a9a5c67c9105f37ab0d1c
Referenced In Project/Scope: Gemma CLI:compile
opencsv-5.9.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/baseCode/baseCode@1.1.23

Identifiers

org.geneontology-1.002.jar

File Path: /home/jenkins/.m2/repository/obo/org.geneontology/1.002/org.geneontology-1.002.jar
MD5: fd0489a45e4d8c8ea83b2ec5ba86a59c
SHA1: 831ea4bc937235c49cb1b7fac5d612041aff29f3
SHA256:5d50f3b29d7b023e0716c06d5a6c48a754f80306856b407596a6823cbd066bae
Referenced In Project/Scope: Gemma CLI:compile
org.geneontology-1.002.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/gemma/gemma-core@1.31.8-SNAPSHOT

Identifiers

poi-5.2.5.jar

Description:

Apache POI - Java API To Access Microsoft Format Files

License:

Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/jenkins/.m2/repository/org/apache/poi/poi/5.2.5/poi-5.2.5.jar
MD5: c7725f44e62223d1f37e7a4883f01425
SHA1: 7e00f6b2f76375fe89022d5a7db8acb71cbd55f5
SHA256:352e1b44a5777af2df3d7dc408cda9f75f932d0e0125fa1a7d336a13c0a663a7
Referenced In Project/Scope: Gemma CLI:compile
poi-5.2.5.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/baseCode/baseCode@1.1.23

Identifiers

protobuf-java-3.25.1.jar

Description:

    Core Protocol Buffers library. Protocol Buffers are a way of encoding structured data in an
    efficient yet extensible format.
  

License:

https://opensource.org/licenses/BSD-3-Clause
File Path: /home/jenkins/.m2/repository/com/google/protobuf/protobuf-java/3.25.1/protobuf-java-3.25.1.jar
MD5: 7dc81d3c2187ce5627d134a37df88cc0
SHA1: 2933a5c3f022456d8842323fe0d7fb2d25a7e3c7
SHA256:48a8e58a1a8f82eff141a7a388d38dfe77d7a48d5e57c9066ee37f19147e20df
Referenced In Project/Scope: Gemma CLI:compile
protobuf-java-3.25.1.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/com.mysql/mysql-connector-j@8.4.0

Identifiers

slf4j-api-1.7.36.jar

Description:

The slf4j API

File Path: /home/jenkins/.m2/repository/org/slf4j/slf4j-api/1.7.36/slf4j-api-1.7.36.jar
MD5: 872da51f5de7f3923da4de871d57fd85
SHA1: 6c62681a2f655b49963a5983b8b0950a6120ae14
SHA256:d3ef575e3e4979678dc01bf1dcce51021493b4d11fb7f1be8ad982877c16a1c0
Referenced In Project/Scope: Gemma CLI:compile
slf4j-api-1.7.36.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/baseCode/baseCode@1.1.23

Identifiers

solr-core-3.6.2.jar

Description:

Apache Solr Core

File Path: /home/jenkins/.m2/repository/org/apache/solr/solr-core/3.6.2/solr-core-3.6.2.jar
MD5: 5c1ed4b8c48a422451f4566bc1a60d3a
SHA1: 6a7fd7092ba403e9002dd935bbf6a42141a80c8c
SHA256:4369b38e5f600c81653f221776d7087aa7428084795d5fe7bf9896fd3ac83377
Referenced In Project/Scope: Gemma CLI:compile
solr-core-3.6.2.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/gemma/gemma-core@1.31.8-SNAPSHOT

Identifiers

CVE-2021-27905  

The ReplicationHandler (normally registered at "/replication" under a Solr core) in Apache Solr has a "masterUrl" (also "leaderUrl" alias) parameter that is used to designate another ReplicationHandler on another Solr core to replicate index data into the local core. To prevent a SSRF vulnerability, Solr ought to check these parameters against a similar configuration it uses for the "shards" parameter. Prior to this bug getting fixed, it did not. This problem affects essentially all Solr versions prior to it getting fixed in 8.8.2.
CWE-918 Server-Side Request Forgery (SSRF)

CVSSv2:
  • Base Score: HIGH (7.5)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:3.9/RC:R/MAV:A

References:

Vulnerable Software & Versions:

CVE-2021-44548  

An Improper Input Validation vulnerability in DataImportHandler of Apache Solr allows an attacker to provide a Windows UNC path resulting in an SMB network call being made from the Solr host to another host on the network. If the attacker has wider access to the network, this may lead to SMB attacks, which may result in: * The exfiltration of sensitive data such as OS user hashes (NTLM/LM hashes), * In case of misconfigured systems, SMB Relay Attacks which can lead to user impersonation on SMB Shares or, in a worse-case scenario, Remote Code Execution This issue affects all Apache Solr versions prior to 8.11.1. This issue only affects Windows.
CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'), CWE-20 Improper Input Validation, CWE-40 Path Traversal: '\\UNC\share\name\' (Windows UNC Share)

CVSSv2:
  • Base Score: MEDIUM (6.8)
  • Vector: /AV:N/AC:M/Au:N/C:P/I:P/A:P
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:3.9/RC:R/MAV:A

References:

Vulnerable Software & Versions:

CVE-2021-29943  

When using ConfigurableInternodeAuthHadoopPlugin for authentication, Apache Solr versions prior to 8.8.2 would forward/proxy distributed requests using server credentials instead of original client credentials. This would result in incorrect authorization resolution on the receiving hosts.
CWE-863 Incorrect Authorization

CVSSv2:
  • Base Score: MEDIUM (6.4)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:N
CVSSv3:
  • Base Score: CRITICAL (9.1)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N/E:3.9/RC:R/MAV:A

References:

Vulnerable Software & Versions:

CVE-2020-13941  

Reported in SOLR-14515 (private) and fixed in SOLR-14561 (public), released in Solr version 8.6.0. The Replication handler (https://lucene.apache.org/solr/guide/8_6/index-replication.html#http-api-commands-for-the-replicationhandler) allows commands backup, restore and deleteBackup. Each of these take a location parameter, which was not validated, i.e you could read/write to any location the solr user can access.
CWE-20 Improper Input Validation

CVSSv2:
  • Base Score: MEDIUM (6.5)
  • Vector: /AV:N/AC:L/Au:S/C:P/I:P/A:P
CVSSv3:
  • Base Score: HIGH (8.8)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:2.8/RC:R/MAV:A

References:

Vulnerable Software & Versions:

CVE-2012-6612  

The (1) UpdateRequestHandler for XSLT or (2) XPathEntityProcessor in Apache Solr before 4.1 allows remote attackers to have an unspecified impact via XML data containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue, different vectors than CVE-2013-6407.
NVD-CWE-noinfo

CVSSv2:
  • Base Score: HIGH (7.5)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P

References:

Vulnerable Software & Versions: (show all)

CVE-2017-3163  

When using the Index Replication feature, Apache Solr nodes can pull index files from a master/leader node using an HTTP API which accepts a file name. However, Solr before 5.5.4 and 6.x before 6.4.1 did not validate the file name, hence it was possible to craft a special request involving path traversal, leaving any file readable to the Solr server process exposed. Solr servers protected and restricted by firewall rules and/or authentication would not be at risk since only trusted clients and users would gain direct HTTP access.
CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:3.9/RC:R/MAV:A

References:

    Vulnerable Software & Versions: (show all)

    CVE-2017-3164  

    Server Side Request Forgery in Apache Solr, versions 1.3 until 7.6 (inclusive). Since the "shards" parameter does not have a corresponding whitelist mechanism, a remote attacker with access to the server could make Solr perform an HTTP GET request to any reachable URL.
    CWE-918 Server-Side Request Forgery (SSRF)

    CVSSv2:
    • Base Score: MEDIUM (5.0)
    • Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:N
    CVSSv3:
    • Base Score: HIGH (7.5)
    • Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:3.9/RC:R/MAV:A

    References:

    Vulnerable Software & Versions:

    CVE-2018-1308  

    This vulnerability in Apache Solr 1.2 to 6.6.2 and 7.0.0 to 7.2.1 relates to an XML external entity expansion (XXE) in the `&dataConfig=<inlinexml>` parameter of Solr's DataImportHandler. It can be used as XXE using file/ftp/http protocols in order to read arbitrary local files from the Solr server or the internal network.
    CWE-611 Improper Restriction of XML External Entity Reference

    CVSSv2:
    • Base Score: MEDIUM (5.0)
    • Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:N
    CVSSv3:
    • Base Score: HIGH (7.5)
    • Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:3.9/RC:R/MAV:A

    References:

    Vulnerable Software & Versions: (show all)

    CVE-2019-12401  

    Solr versions 1.3.0 to 1.4.1, 3.1.0 to 3.6.2 and 4.0.0 to 4.10.4 are vulnerable to an XML resource consumption attack (a.k.a. Lol Bomb) via it���s update handler.?By leveraging XML DOCTYPE and ENTITY type elements, the attacker can create a pattern that will expand when the server parses the XML causing OOMs.
    CWE-776 Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')

    CVSSv2:
    • Base Score: MEDIUM (5.0)
    • Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:P
    CVSSv3:
    • Base Score: HIGH (7.5)
    • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:3.9/RC:R/MAV:A

    References:

    Vulnerable Software & Versions: (show all)

    CVE-2021-29262  

    When starting Apache Solr versions prior to 8.8.2, configured with the SaslZkACLProvider or VMParamsAllAndReadonlyDigestZkACLProvider and no existing security.json znode, if the optional read-only user is configured then Solr would not treat that node as a sensitive path and would allow it to be readable. Additionally, with any ZkACLProvider, if the security.json is already present, Solr will not automatically update the ACLs.
    CWE-522 Insufficiently Protected Credentials

    CVSSv2:
    • Base Score: MEDIUM (4.3)
    • Vector: /AV:N/AC:M/Au:N/C:P/I:N/A:N
    CVSSv3:
    • Base Score: HIGH (7.5)
    • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:3.9/RC:R/MAV:A

    References:

    Vulnerable Software & Versions:

    CVE-2023-44487  

    CISA Known Exploited Vulnerability:
    • Product: IETF HTTP/2
    • Name: HTTP/2 Rapid Reset Attack Vulnerability
    • Date Added: 2023-10-10
    • Description: HTTP/2 contains a rapid reset vulnerability that allows for a distributed denial-of-service attack (DDoS).
    • Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
    • Due Date: 2023-10-31
    • Notes: This vulnerability affects a common open-source component, third-party library, or a protocol used by different products. Please check with specific vendors for information on patching status. For more information, please see: https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/

    The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.
    CWE-400 Uncontrolled Resource Consumption

    CVSSv3:
    • Base Score: HIGH (7.5)
    • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:3.9/RC:R/MAV:A

    References:

    Vulnerable Software & Versions: (show all)

    CVE-2019-0193  

    CISA Known Exploited Vulnerability:
    • Product: Apache Solr
    • Name: Apache Solr DataImportHandler Code Injection Vulnerability
    • Date Added: 2021-12-10
    • Description: The optional Apache Solr module DataImportHandler contains a code injection vulnerability.
    • Required Action: Apply updates per vendor instructions.
    • Due Date: 2022-06-10

    In Apache Solr, the DataImportHandler, an optional but popular module to pull in data from databases and other sources, has a feature in which the whole DIH configuration can come from a request's "dataConfig" parameter. The debug mode of the DIH admin screen uses this to allow convenient debugging / development of a DIH config. Since a DIH config can contain scripts, this parameter is a security risk. Starting with version 8.2.0 of Solr, use of this parameter requires setting the Java System property "enable.dih.dataConfigParam" to true.
    CWE-94 Improper Control of Generation of Code ('Code Injection')

    CVSSv2:
    • Base Score: HIGH (9.0)
    • Vector: /AV:N/AC:L/Au:S/C:C/I:C/A:C
    CVSSv3:
    • Base Score: HIGH (7.2)
    • Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:1.2/RC:R/MAV:A

    References:

    Vulnerable Software & Versions:

    CVE-2013-6407  

    The UpdateRequestHandler for XML in Apache Solr before 4.1 allows remote attackers to have an unspecified impact via XML data containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.
    NVD-CWE-noinfo

    CVSSv2:
    • Base Score: MEDIUM (6.4)
    • Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:P

    References:

    Vulnerable Software & Versions: (show all)

    CVE-2013-6408  

    The DocumentAnalysisRequestHandler in Apache Solr before 4.3.1 does not properly use the EmptyEntityResolver, which allows remote attackers to have an unspecified impact via XML data containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.  NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-6407.
    NVD-CWE-noinfo

    CVSSv2:
    • Base Score: MEDIUM (6.4)
    • Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:P

    References:

    Vulnerable Software & Versions: (show all)

    CVE-2015-8795  

    Multiple cross-site scripting (XSS) vulnerabilities in the Admin UI in Apache Solr before 5.1 allow remote attackers to inject arbitrary web script or HTML via crafted fields that are mishandled during the rendering of the (1) Analysis page, related to webapp/web/js/scripts/analysis.js or (2) Schema-Browser page, related to webapp/web/js/scripts/schema-browser.js.
    CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

    CVSSv2:
    • Base Score: MEDIUM (4.3)
    • Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N
    CVSSv3:
    • Base Score: MEDIUM (6.1)
    • Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:2.8/RC:R/MAV:A

    References:

    Vulnerable Software & Versions:

    CVE-2015-8796  

    Cross-site scripting (XSS) vulnerability in webapp/web/js/scripts/schema-browser.js in the Admin UI in Apache Solr before 5.3 allows remote attackers to inject arbitrary web script or HTML via a crafted schema-browse URL.
    CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

    CVSSv2:
    • Base Score: MEDIUM (4.3)
    • Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N
    CVSSv3:
    • Base Score: MEDIUM (6.1)
    • Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:2.8/RC:R/MAV:A

    References:

    Vulnerable Software & Versions:

    CVE-2015-8797  

    Cross-site scripting (XSS) vulnerability in webapp/web/js/scripts/plugins.js in the stats page in the Admin UI in Apache Solr before 5.3.1 allows remote attackers to inject arbitrary web script or HTML via the entry parameter to a plugins/cache URI.
    CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

    CVSSv2:
    • Base Score: MEDIUM (4.3)
    • Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N
    CVSSv3:
    • Base Score: MEDIUM (6.1)
    • Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:2.8/RC:R/MAV:A

    References:

    Vulnerable Software & Versions:

    CVE-2018-8026 (OSSINDEX)  

    This vulnerability in Apache Solr 6.0.0 to 6.6.4 and 7.0.0 to 7.3.1 relates to an XML external entity expansion (XXE) in Solr config files (currency.xml, enumsConfig.xml referred from schema.xml, TIKA parsecontext config file). In addition, Xinclude functionality provided in these config files is also affected in a similar way. The vulnerability can be used as XXE using file/ftp/http protocols in order to read arbitrary local files from the Solr server or the internal network. The manipulated files can be uploaded as configsets using Solr's API, allowing to exploit that vulnerability.
    CWE-611 Improper Restriction of XML External Entity Reference

    CVSSv3:
    • Base Score: MEDIUM (5.5)
    • Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

    References:

    Vulnerable Software & Versions (OSSINDEX):

    • cpe:2.3:a:org.apache.solr:solr-core:3.6.2:*:*:*:*:*:*:*

    CVE-2013-6397  

    Directory traversal vulnerability in SolrResourceLoader in Apache Solr before 4.6 allows remote attackers to read arbitrary files via a .. (dot dot) or full pathname in the tr parameter to solr/select/, when the response writer (wt parameter) is set to XSLT.  NOTE: this can be leveraged using a separate XXE (XML eXternal Entity) vulnerability to allow access to files across restricted network boundaries.
    CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

    CVSSv2:
    • Base Score: MEDIUM (4.3)
    • Vector: /AV:N/AC:M/Au:N/C:P/I:N/A:N

    References:

    Vulnerable Software & Versions: (show all)

    CVE-2018-11802  

    In Apache Solr, the cluster can be partitioned into multiple collections and only a subset of nodes actually host any given collection. However, if a node receives a request for a collection it does not host, it proxies the request to a relevant node and serves the request. Solr bypasses all authorization settings for such requests. This affects all Solr versions prior to 7.7 that use the default authorization mechanism of Solr (RuleBasedAuthorizationPlugin).
    CWE-863 Incorrect Authorization

    CVSSv2:
    • Base Score: MEDIUM (4.0)
    • Vector: /AV:N/AC:L/Au:S/C:P/I:N/A:N
    CVSSv3:
    • Base Score: MEDIUM (4.3)
    • Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:2.8/RC:R/MAV:A

    References:

    Vulnerable Software & Versions:

    solr-solrj-3.6.2.jar

    Description:

    Apache Solr Solrj

    File Path: /home/jenkins/.m2/repository/org/apache/solr/solr-solrj/3.6.2/solr-solrj-3.6.2.jar
    MD5: 34df7ce752a336588fc80f4f67926e46
    SHA1: 7f7e4dc77f72b86eb198fb9199f8e1eebf800ba8
    SHA256:135f76fb0c12ef41fad818b7a4be6595400e1481258c460e809079bc2393819b
    Referenced In Project/Scope: Gemma CLI:compile
    solr-solrj-3.6.2.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/gemma/gemma-core@1.31.8-SNAPSHOT

    Identifiers

    CVE-2021-27905  

    The ReplicationHandler (normally registered at "/replication" under a Solr core) in Apache Solr has a "masterUrl" (also "leaderUrl" alias) parameter that is used to designate another ReplicationHandler on another Solr core to replicate index data into the local core. To prevent a SSRF vulnerability, Solr ought to check these parameters against a similar configuration it uses for the "shards" parameter. Prior to this bug getting fixed, it did not. This problem affects essentially all Solr versions prior to it getting fixed in 8.8.2.
    CWE-918 Server-Side Request Forgery (SSRF)

    CVSSv2:
    • Base Score: HIGH (7.5)
    • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P
    CVSSv3:
    • Base Score: CRITICAL (9.8)
    • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:3.9/RC:R/MAV:A

    References:

    Vulnerable Software & Versions:

    CVE-2021-44548  

    An Improper Input Validation vulnerability in DataImportHandler of Apache Solr allows an attacker to provide a Windows UNC path resulting in an SMB network call being made from the Solr host to another host on the network. If the attacker has wider access to the network, this may lead to SMB attacks, which may result in: * The exfiltration of sensitive data such as OS user hashes (NTLM/LM hashes), * In case of misconfigured systems, SMB Relay Attacks which can lead to user impersonation on SMB Shares or, in a worse-case scenario, Remote Code Execution This issue affects all Apache Solr versions prior to 8.11.1. This issue only affects Windows.
    CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'), CWE-20 Improper Input Validation, CWE-40 Path Traversal: '\\UNC\share\name\' (Windows UNC Share)

    CVSSv2:
    • Base Score: MEDIUM (6.8)
    • Vector: /AV:N/AC:M/Au:N/C:P/I:P/A:P
    CVSSv3:
    • Base Score: CRITICAL (9.8)
    • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:3.9/RC:R/MAV:A

    References:

    Vulnerable Software & Versions:

    CVE-2021-29943  

    When using ConfigurableInternodeAuthHadoopPlugin for authentication, Apache Solr versions prior to 8.8.2 would forward/proxy distributed requests using server credentials instead of original client credentials. This would result in incorrect authorization resolution on the receiving hosts.
    CWE-863 Incorrect Authorization

    CVSSv2:
    • Base Score: MEDIUM (6.4)
    • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:N
    CVSSv3:
    • Base Score: CRITICAL (9.1)
    • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N/E:3.9/RC:R/MAV:A

    References:

    Vulnerable Software & Versions:

    CVE-2020-13941  

    Reported in SOLR-14515 (private) and fixed in SOLR-14561 (public), released in Solr version 8.6.0. The Replication handler (https://lucene.apache.org/solr/guide/8_6/index-replication.html#http-api-commands-for-the-replicationhandler) allows commands backup, restore and deleteBackup. Each of these take a location parameter, which was not validated, i.e you could read/write to any location the solr user can access.
    CWE-20 Improper Input Validation

    CVSSv2:
    • Base Score: MEDIUM (6.5)
    • Vector: /AV:N/AC:L/Au:S/C:P/I:P/A:P
    CVSSv3:
    • Base Score: HIGH (8.8)
    • Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:2.8/RC:R/MAV:A

    References:

    Vulnerable Software & Versions:

    CVE-2012-6612  

    The (1) UpdateRequestHandler for XSLT or (2) XPathEntityProcessor in Apache Solr before 4.1 allows remote attackers to have an unspecified impact via XML data containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue, different vectors than CVE-2013-6407.
    NVD-CWE-noinfo

    CVSSv2:
    • Base Score: HIGH (7.5)
    • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P

    References:

    Vulnerable Software & Versions: (show all)

    CVE-2017-3163  

    When using the Index Replication feature, Apache Solr nodes can pull index files from a master/leader node using an HTTP API which accepts a file name. However, Solr before 5.5.4 and 6.x before 6.4.1 did not validate the file name, hence it was possible to craft a special request involving path traversal, leaving any file readable to the Solr server process exposed. Solr servers protected and restricted by firewall rules and/or authentication would not be at risk since only trusted clients and users would gain direct HTTP access.
    CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

    CVSSv2:
    • Base Score: MEDIUM (5.0)
    • Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:N
    CVSSv3:
    • Base Score: HIGH (7.5)
    • Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:3.9/RC:R/MAV:A

    References:

      Vulnerable Software & Versions: (show all)

      CVE-2017-3164  

      Server Side Request Forgery in Apache Solr, versions 1.3 until 7.6 (inclusive). Since the "shards" parameter does not have a corresponding whitelist mechanism, a remote attacker with access to the server could make Solr perform an HTTP GET request to any reachable URL.
      CWE-918 Server-Side Request Forgery (SSRF)

      CVSSv2:
      • Base Score: MEDIUM (5.0)
      • Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:N
      CVSSv3:
      • Base Score: HIGH (7.5)
      • Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:3.9/RC:R/MAV:A

      References:

      Vulnerable Software & Versions:

      CVE-2018-1308  

      This vulnerability in Apache Solr 1.2 to 6.6.2 and 7.0.0 to 7.2.1 relates to an XML external entity expansion (XXE) in the `&dataConfig=<inlinexml>` parameter of Solr's DataImportHandler. It can be used as XXE using file/ftp/http protocols in order to read arbitrary local files from the Solr server or the internal network.
      CWE-611 Improper Restriction of XML External Entity Reference

      CVSSv2:
      • Base Score: MEDIUM (5.0)
      • Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:N
      CVSSv3:
      • Base Score: HIGH (7.5)
      • Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:3.9/RC:R/MAV:A

      References:

      Vulnerable Software & Versions: (show all)

      CVE-2019-12401  

      Solr versions 1.3.0 to 1.4.1, 3.1.0 to 3.6.2 and 4.0.0 to 4.10.4 are vulnerable to an XML resource consumption attack (a.k.a. Lol Bomb) via it���s update handler.?By leveraging XML DOCTYPE and ENTITY type elements, the attacker can create a pattern that will expand when the server parses the XML causing OOMs.
      CWE-776 Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')

      CVSSv2:
      • Base Score: MEDIUM (5.0)
      • Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:P
      CVSSv3:
      • Base Score: HIGH (7.5)
      • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:3.9/RC:R/MAV:A

      References:

      Vulnerable Software & Versions: (show all)

      CVE-2021-29262  

      When starting Apache Solr versions prior to 8.8.2, configured with the SaslZkACLProvider or VMParamsAllAndReadonlyDigestZkACLProvider and no existing security.json znode, if the optional read-only user is configured then Solr would not treat that node as a sensitive path and would allow it to be readable. Additionally, with any ZkACLProvider, if the security.json is already present, Solr will not automatically update the ACLs.
      CWE-522 Insufficiently Protected Credentials

      CVSSv2:
      • Base Score: MEDIUM (4.3)
      • Vector: /AV:N/AC:M/Au:N/C:P/I:N/A:N
      CVSSv3:
      • Base Score: HIGH (7.5)
      • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:3.9/RC:R/MAV:A

      References:

      Vulnerable Software & Versions:

      CVE-2023-44487  

      CISA Known Exploited Vulnerability:
      • Product: IETF HTTP/2
      • Name: HTTP/2 Rapid Reset Attack Vulnerability
      • Date Added: 2023-10-10
      • Description: HTTP/2 contains a rapid reset vulnerability that allows for a distributed denial-of-service attack (DDoS).
      • Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
      • Due Date: 2023-10-31
      • Notes: This vulnerability affects a common open-source component, third-party library, or a protocol used by different products. Please check with specific vendors for information on patching status. For more information, please see: https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/

      The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.
      CWE-400 Uncontrolled Resource Consumption

      CVSSv3:
      • Base Score: HIGH (7.5)
      • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:3.9/RC:R/MAV:A

      References:

      Vulnerable Software & Versions: (show all)

      CVE-2019-0193  

      CISA Known Exploited Vulnerability:
      • Product: Apache Solr
      • Name: Apache Solr DataImportHandler Code Injection Vulnerability
      • Date Added: 2021-12-10
      • Description: The optional Apache Solr module DataImportHandler contains a code injection vulnerability.
      • Required Action: Apply updates per vendor instructions.
      • Due Date: 2022-06-10

      In Apache Solr, the DataImportHandler, an optional but popular module to pull in data from databases and other sources, has a feature in which the whole DIH configuration can come from a request's "dataConfig" parameter. The debug mode of the DIH admin screen uses this to allow convenient debugging / development of a DIH config. Since a DIH config can contain scripts, this parameter is a security risk. Starting with version 8.2.0 of Solr, use of this parameter requires setting the Java System property "enable.dih.dataConfigParam" to true.
      CWE-94 Improper Control of Generation of Code ('Code Injection')

      CVSSv2:
      • Base Score: HIGH (9.0)
      • Vector: /AV:N/AC:L/Au:S/C:C/I:C/A:C
      CVSSv3:
      • Base Score: HIGH (7.2)
      • Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:1.2/RC:R/MAV:A

      References:

      Vulnerable Software & Versions:

      CVE-2013-6407  

      The UpdateRequestHandler for XML in Apache Solr before 4.1 allows remote attackers to have an unspecified impact via XML data containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.
      NVD-CWE-noinfo

      CVSSv2:
      • Base Score: MEDIUM (6.4)
      • Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:P

      References:

      Vulnerable Software & Versions: (show all)

      CVE-2013-6408  

      The DocumentAnalysisRequestHandler in Apache Solr before 4.3.1 does not properly use the EmptyEntityResolver, which allows remote attackers to have an unspecified impact via XML data containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.  NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-6407.
      NVD-CWE-noinfo

      CVSSv2:
      • Base Score: MEDIUM (6.4)
      • Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:P

      References:

      Vulnerable Software & Versions: (show all)

      CVE-2015-8795  

      Multiple cross-site scripting (XSS) vulnerabilities in the Admin UI in Apache Solr before 5.1 allow remote attackers to inject arbitrary web script or HTML via crafted fields that are mishandled during the rendering of the (1) Analysis page, related to webapp/web/js/scripts/analysis.js or (2) Schema-Browser page, related to webapp/web/js/scripts/schema-browser.js.
      CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

      CVSSv2:
      • Base Score: MEDIUM (4.3)
      • Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N
      CVSSv3:
      • Base Score: MEDIUM (6.1)
      • Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:2.8/RC:R/MAV:A

      References:

      Vulnerable Software & Versions:

      CVE-2015-8796  

      Cross-site scripting (XSS) vulnerability in webapp/web/js/scripts/schema-browser.js in the Admin UI in Apache Solr before 5.3 allows remote attackers to inject arbitrary web script or HTML via a crafted schema-browse URL.
      CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

      CVSSv2:
      • Base Score: MEDIUM (4.3)
      • Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N
      CVSSv3:
      • Base Score: MEDIUM (6.1)
      • Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:2.8/RC:R/MAV:A

      References:

      Vulnerable Software & Versions:

      CVE-2015-8797  

      Cross-site scripting (XSS) vulnerability in webapp/web/js/scripts/plugins.js in the stats page in the Admin UI in Apache Solr before 5.3.1 allows remote attackers to inject arbitrary web script or HTML via the entry parameter to a plugins/cache URI.
      CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

      CVSSv2:
      • Base Score: MEDIUM (4.3)
      • Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N
      CVSSv3:
      • Base Score: MEDIUM (6.1)
      • Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:2.8/RC:R/MAV:A

      References:

      Vulnerable Software & Versions:

      CVE-2013-6397  

      Directory traversal vulnerability in SolrResourceLoader in Apache Solr before 4.6 allows remote attackers to read arbitrary files via a .. (dot dot) or full pathname in the tr parameter to solr/select/, when the response writer (wt parameter) is set to XSLT.  NOTE: this can be leveraged using a separate XXE (XML eXternal Entity) vulnerability to allow access to files across restricted network boundaries.
      CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

      CVSSv2:
      • Base Score: MEDIUM (4.3)
      • Vector: /AV:N/AC:M/Au:N/C:P/I:N/A:N

      References:

      Vulnerable Software & Versions: (show all)

      CVE-2018-11802  

      In Apache Solr, the cluster can be partitioned into multiple collections and only a subset of nodes actually host any given collection. However, if a node receives a request for a collection it does not host, it proxies the request to a relevant node and serves the request. Solr bypasses all authorization settings for such requests. This affects all Solr versions prior to 7.7 that use the default authorization mechanism of Solr (RuleBasedAuthorizationPlugin).
      CWE-863 Incorrect Authorization

      CVSSv2:
      • Base Score: MEDIUM (4.0)
      • Vector: /AV:N/AC:L/Au:S/C:P/I:N/A:N
      CVSSv3:
      • Base Score: MEDIUM (4.3)
      • Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:2.8/RC:R/MAV:A

      References:

      Vulnerable Software & Versions:

      spring-core-3.2.18.RELEASE.jar

      Description:

      Spring Core

      License:

      The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
      File Path: /home/jenkins/.m2/repository/org/springframework/spring-core/3.2.18.RELEASE/spring-core-3.2.18.RELEASE.jar
      MD5: 635537b54653d8155b107630ae41599e
      SHA1: 0e2bd9c162280cd79c2ea0f67f174ee5d7b84ddd
      SHA256:5c7ab868509a6b1214ebe557bfcf489cfac6e1ae4c4a39181b0fe66621fbe32e
      Referenced In Project/Scope: Gemma CLI:compile
      spring-core-3.2.18.RELEASE.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/gemma/gemma-cli@1.31.8-SNAPSHOT

      Identifiers

      CVE-2018-1270  

      Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, allow applications to expose STOMP over WebSocket endpoints with a simple, in-memory STOMP broker through the spring-messaging module. A malicious user (or attacker) can craft a message to the broker that can lead to a remote code execution attack.
      CWE-358 Improperly Implemented Security Check for Standard, CWE-94 Improper Control of Generation of Code ('Code Injection')

      CVSSv2:
      • Base Score: HIGH (7.5)
      • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P
      CVSSv3:
      • Base Score: CRITICAL (9.8)
      • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:3.9/RC:R/MAV:A

      References:

      Vulnerable Software & Versions: (show all)

      CVE-2022-22965  

      CISA Known Exploited Vulnerability:
      • Product: VMware Spring Framework
      • Name: Spring Framework JDK 9+ Remote Code Execution Vulnerability
      • Date Added: 2022-04-04
      • Description: Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding.
      • Required Action: Apply updates per vendor instructions.
      • Due Date: 2022-04-25

      A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it.
      CWE-94 Improper Control of Generation of Code ('Code Injection')

      CVSSv2:
      • Base Score: HIGH (7.5)
      • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P
      CVSSv3:
      • Base Score: CRITICAL (9.8)
      • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:3.9/RC:R/MAV:A

      References:

      Vulnerable Software & Versions: (show all)

      CVE-2016-5007  

      Both Spring Security 3.2.x, 4.0.x, 4.1.0 and the Spring Framework 3.2.x, 4.0.x, 4.1.x, 4.2.x rely on URL pattern mappings for authorization and for mapping requests to controllers respectively. Differences in the strictness of the pattern matching mechanisms, for example with regards to space trimming in path segments, can lead Spring Security to not recognize certain paths as not protected that are in fact mapped to Spring MVC controllers that should be protected. The problem is compounded by the fact that the Spring Framework provides richer features with regards to pattern matching as well as by the fact that pattern matching in each Spring Security and the Spring Framework can easily be customized creating additional differences.
      CWE-264 Permissions, Privileges, and Access Controls

      CVSSv2:
      • Base Score: MEDIUM (5.0)
      • Vector: /AV:N/AC:L/Au:N/C:N/I:P/A:N
      CVSSv3:
      • Base Score: HIGH (7.5)
      • Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N/E:3.9/RC:R/MAV:A

      References:

      Vulnerable Software & Versions: (show all)

      CVE-2018-11040  

      Spring Framework, versions 5.0.x prior to 5.0.7 and 4.3.x prior to 4.3.18 and older unsupported versions, allows web applications to enable cross-domain requests via JSONP (JSON with Padding) through AbstractJsonpResponseBodyAdvice for REST controllers and MappingJackson2JsonView for browser requests. Both are not enabled by default in Spring Framework nor Spring Boot, however, when MappingJackson2JsonView is configured in an application, JSONP support is automatically ready to use through the "jsonp" and "callback" JSONP parameters, enabling cross-domain requests.
      CWE-829 Inclusion of Functionality from Untrusted Control Sphere

      CVSSv2:
      • Base Score: MEDIUM (4.3)
      • Vector: /AV:N/AC:M/Au:N/C:P/I:N/A:N
      CVSSv3:
      • Base Score: HIGH (7.5)
      • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:3.9/RC:R/MAV:A

      References:

      Vulnerable Software & Versions: (show all)

      CVE-2018-1257  

      Spring Framework, versions 5.0.x prior to 5.0.6, versions 4.3.x prior to 4.3.17, and older unsupported versions allows applications to expose STOMP over WebSocket endpoints with a simple, in-memory STOMP broker through the spring-messaging module. A malicious user (or attacker) can craft a message to the broker that can lead to a regular expression, denial of service attack.
      NVD-CWE-noinfo

      CVSSv2:
      • Base Score: MEDIUM (4.0)
      • Vector: /AV:N/AC:L/Au:S/C:N/I:N/A:P
      CVSSv3:
      • Base Score: MEDIUM (6.5)
      • Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:2.8/RC:R/MAV:A

      References:

      Vulnerable Software & Versions: (show all)

      CVE-2020-5421  

      In Spring Framework versions 5.2.0 - 5.2.8, 5.1.0 - 5.1.17, 5.0.0 - 5.0.18, 4.3.0 - 4.3.28, and older unsupported versions, the protections against RFD attacks from CVE-2015-5211 may be bypassed depending on the browser used through the use of a jsessionid path parameter.
      NVD-CWE-noinfo

      CVSSv2:
      • Base Score: LOW (3.6)
      • Vector: /AV:N/AC:H/Au:S/C:P/I:P/A:N
      CVSSv3:
      • Base Score: MEDIUM (6.5)
      • Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:H/A:N/E:1.3/RC:R/MAV:A

      References:

      Vulnerable Software & Versions: (show all)

      CVE-2022-22950  

      n Spring Framework versions 5.3.0 - 5.3.16 and older unsupported versions, it is possible for a user to provide a specially crafted SpEL expression that may cause a denial of service condition.
      CWE-770 Allocation of Resources Without Limits or Throttling

      CVSSv2:
      • Base Score: MEDIUM (4.0)
      • Vector: /AV:N/AC:L/Au:S/C:N/I:N/A:P
      CVSSv3:
      • Base Score: MEDIUM (6.5)
      • Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:2.8/RC:R/MAV:A

      References:

      Vulnerable Software & Versions: (show all)

      CVE-2023-20861  

      In Spring Framework versions 6.0.0 - 6.0.6, 5.3.0 - 5.3.25, 5.2.0.RELEASE - 5.2.22.RELEASE, and older unsupported versions, it is possible for a user to provide a specially crafted SpEL expression that may cause a denial-of-service (DoS) condition.
      NVD-CWE-noinfo

      CVSSv3:
      • Base Score: MEDIUM (6.5)
      • Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:2.8/RC:R/MAV:A

      References:

      Vulnerable Software & Versions: (show all)

      CVE-2018-11039  

      Spring Framework (versions 5.0.x prior to 5.0.7, versions 4.3.x prior to 4.3.18, and older unsupported versions) allow web applications to change the HTTP request method to any HTTP method (including TRACE) using the HiddenHttpMethodFilter in Spring MVC. If an application has a pre-existing XSS vulnerability, a malicious user (or attacker) can use this filter to escalate to an XST (Cross Site Tracing) attack.
      NVD-CWE-noinfo

      CVSSv2:
      • Base Score: MEDIUM (4.3)
      • Vector: /AV:N/AC:M/Au:N/C:P/I:N/A:N
      CVSSv3:
      • Base Score: MEDIUM (5.9)
      • Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N/E:2.2/RC:R/MAV:A

      References:

      Vulnerable Software & Versions: (show all)

      CVE-2022-22968  

      In Spring Framework versions 5.3.0 - 5.3.18, 5.2.0 - 5.2.20, and older unsupported versions, the patterns for disallowedFields on a DataBinder are case sensitive which means a field is not effectively protected unless it is listed with both upper and lower case for the first character of the field, including upper and lower case for the first character of all nested fields within the property path.
      CWE-178 Improper Handling of Case Sensitivity

      CVSSv2:
      • Base Score: MEDIUM (5.0)
      • Vector: /AV:N/AC:L/Au:N/C:N/I:P/A:N
      CVSSv3:
      • Base Score: MEDIUM (5.3)
      • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:3.9/RC:R/MAV:A

      References:

      Vulnerable Software & Versions: (show all)

      CVE-2022-22970  

      In spring framework versions prior to 5.3.20+ , 5.2.22+ and old unsupported versions, applications that handle file uploads are vulnerable to DoS attack if they rely on data binding to set a MultipartFile or javax.servlet.Part to a field in a model object.
      CWE-770 Allocation of Resources Without Limits or Throttling

      CVSSv2:
      • Base Score: LOW (3.5)
      • Vector: /AV:N/AC:M/Au:S/C:N/I:N/A:P
      CVSSv3:
      • Base Score: MEDIUM (5.3)
      • Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H/E:1.6/RC:R/MAV:A

      References:

      Vulnerable Software & Versions: (show all)

      spring-expression-3.2.18.RELEASE.jar

      Description:

      Spring Expression Language (SpEL)

      License:

      The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
      File Path: /home/jenkins/.m2/repository/org/springframework/spring-expression/3.2.18.RELEASE/spring-expression-3.2.18.RELEASE.jar
      MD5: 7e5fbe8696a4e71dc310c1ff9f8286e1
      SHA1: 070c1fb9f2111601193e01a8d0c3ccbca1bf3706
      SHA256:cde7eda6cc2270ab726f963aeb546c3f4db76746c661c247fbfb5d2a4d2f4411
      Referenced In Project/Scope: Gemma CLI:runtime
      spring-expression-3.2.18.RELEASE.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/gemma/gemma-cli@1.31.8-SNAPSHOT

      Identifiers

      CVE-2018-1270  

      Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, allow applications to expose STOMP over WebSocket endpoints with a simple, in-memory STOMP broker through the spring-messaging module. A malicious user (or attacker) can craft a message to the broker that can lead to a remote code execution attack.
      CWE-358 Improperly Implemented Security Check for Standard, CWE-94 Improper Control of Generation of Code ('Code Injection')

      CVSSv2:
      • Base Score: HIGH (7.5)
      • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P
      CVSSv3:
      • Base Score: CRITICAL (9.8)
      • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:3.9/RC:R/MAV:A

      References:

      Vulnerable Software & Versions: (show all)

      CVE-2022-22965  

      CISA Known Exploited Vulnerability:
      • Product: VMware Spring Framework
      • Name: Spring Framework JDK 9+ Remote Code Execution Vulnerability
      • Date Added: 2022-04-04
      • Description: Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding.
      • Required Action: Apply updates per vendor instructions.
      • Due Date: 2022-04-25

      A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it.
      CWE-94 Improper Control of Generation of Code ('Code Injection')

      CVSSv2:
      • Base Score: HIGH (7.5)
      • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P
      CVSSv3:
      • Base Score: CRITICAL (9.8)
      • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:3.9/RC:R/MAV:A

      References:

      Vulnerable Software & Versions: (show all)

      CVE-2016-5007  

      Both Spring Security 3.2.x, 4.0.x, 4.1.0 and the Spring Framework 3.2.x, 4.0.x, 4.1.x, 4.2.x rely on URL pattern mappings for authorization and for mapping requests to controllers respectively. Differences in the strictness of the pattern matching mechanisms, for example with regards to space trimming in path segments, can lead Spring Security to not recognize certain paths as not protected that are in fact mapped to Spring MVC controllers that should be protected. The problem is compounded by the fact that the Spring Framework provides richer features with regards to pattern matching as well as by the fact that pattern matching in each Spring Security and the Spring Framework can easily be customized creating additional differences.
      CWE-264 Permissions, Privileges, and Access Controls

      CVSSv2:
      • Base Score: MEDIUM (5.0)
      • Vector: /AV:N/AC:L/Au:N/C:N/I:P/A:N
      CVSSv3:
      • Base Score: HIGH (7.5)
      • Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N/E:3.9/RC:R/MAV:A

      References:

      Vulnerable Software & Versions: (show all)

      CVE-2018-11040  

      Spring Framework, versions 5.0.x prior to 5.0.7 and 4.3.x prior to 4.3.18 and older unsupported versions, allows web applications to enable cross-domain requests via JSONP (JSON with Padding) through AbstractJsonpResponseBodyAdvice for REST controllers and MappingJackson2JsonView for browser requests. Both are not enabled by default in Spring Framework nor Spring Boot, however, when MappingJackson2JsonView is configured in an application, JSONP support is automatically ready to use through the "jsonp" and "callback" JSONP parameters, enabling cross-domain requests.
      CWE-829 Inclusion of Functionality from Untrusted Control Sphere

      CVSSv2:
      • Base Score: MEDIUM (4.3)
      • Vector: /AV:N/AC:M/Au:N/C:P/I:N/A:N
      CVSSv3:
      • Base Score: HIGH (7.5)
      • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:3.9/RC:R/MAV:A

      References:

      Vulnerable Software & Versions: (show all)

      CVE-2018-1257  

      Spring Framework, versions 5.0.x prior to 5.0.6, versions 4.3.x prior to 4.3.17, and older unsupported versions allows applications to expose STOMP over WebSocket endpoints with a simple, in-memory STOMP broker through the spring-messaging module. A malicious user (or attacker) can craft a message to the broker that can lead to a regular expression, denial of service attack.
      NVD-CWE-noinfo

      CVSSv2:
      • Base Score: MEDIUM (4.0)
      • Vector: /AV:N/AC:L/Au:S/C:N/I:N/A:P
      CVSSv3:
      • Base Score: MEDIUM (6.5)
      • Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:2.8/RC:R/MAV:A

      References:

      Vulnerable Software & Versions: (show all)

      CVE-2020-5421  

      In Spring Framework versions 5.2.0 - 5.2.8, 5.1.0 - 5.1.17, 5.0.0 - 5.0.18, 4.3.0 - 4.3.28, and older unsupported versions, the protections against RFD attacks from CVE-2015-5211 may be bypassed depending on the browser used through the use of a jsessionid path parameter.
      NVD-CWE-noinfo

      CVSSv2:
      • Base Score: LOW (3.6)
      • Vector: /AV:N/AC:H/Au:S/C:P/I:P/A:N
      CVSSv3:
      • Base Score: MEDIUM (6.5)
      • Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:H/A:N/E:1.3/RC:R/MAV:A

      References:

      Vulnerable Software & Versions: (show all)

      CVE-2022-22950  

      n Spring Framework versions 5.3.0 - 5.3.16 and older unsupported versions, it is possible for a user to provide a specially crafted SpEL expression that may cause a denial of service condition.
      CWE-770 Allocation of Resources Without Limits or Throttling

      CVSSv2:
      • Base Score: MEDIUM (4.0)
      • Vector: /AV:N/AC:L/Au:S/C:N/I:N/A:P
      CVSSv3:
      • Base Score: MEDIUM (6.5)
      • Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:2.8/RC:R/MAV:A

      References:

      Vulnerable Software & Versions: (show all)

      CVE-2023-20861  

      In Spring Framework versions 6.0.0 - 6.0.6, 5.3.0 - 5.3.25, 5.2.0.RELEASE - 5.2.22.RELEASE, and older unsupported versions, it is possible for a user to provide a specially crafted SpEL expression that may cause a denial-of-service (DoS) condition.
      NVD-CWE-noinfo

      CVSSv3:
      • Base Score: MEDIUM (6.5)
      • Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:2.8/RC:R/MAV:A

      References:

      Vulnerable Software & Versions: (show all)

      CVE-2023-20863 (OSSINDEX)  

      In spring framework versions prior to 5.2.24 release+ ,5.3.27+ and 6.0.8+ , it is possible for a user to provide a specially crafted SpEL expression that may cause a denial-of-service (DoS) condition.
      CWE-400 Uncontrolled Resource Consumption

      CVSSv3:
      • Base Score: MEDIUM (6.5)
      • Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

      References:

      Vulnerable Software & Versions (OSSINDEX):

      • cpe:2.3:a:org.springframework:spring-expression:3.2.18.RELEASE:*:*:*:*:*:*:*

      CVE-2018-11039  

      Spring Framework (versions 5.0.x prior to 5.0.7, versions 4.3.x prior to 4.3.18, and older unsupported versions) allow web applications to change the HTTP request method to any HTTP method (including TRACE) using the HiddenHttpMethodFilter in Spring MVC. If an application has a pre-existing XSS vulnerability, a malicious user (or attacker) can use this filter to escalate to an XST (Cross Site Tracing) attack.
      NVD-CWE-noinfo

      CVSSv2:
      • Base Score: MEDIUM (4.3)
      • Vector: /AV:N/AC:M/Au:N/C:P/I:N/A:N
      CVSSv3:
      • Base Score: MEDIUM (5.9)
      • Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N/E:2.2/RC:R/MAV:A

      References:

      Vulnerable Software & Versions: (show all)

      CVE-2022-22968  

      In Spring Framework versions 5.3.0 - 5.3.18, 5.2.0 - 5.2.20, and older unsupported versions, the patterns for disallowedFields on a DataBinder are case sensitive which means a field is not effectively protected unless it is listed with both upper and lower case for the first character of the field, including upper and lower case for the first character of all nested fields within the property path.
      CWE-178 Improper Handling of Case Sensitivity

      CVSSv2:
      • Base Score: MEDIUM (5.0)
      • Vector: /AV:N/AC:L/Au:N/C:N/I:P/A:N
      CVSSv3:
      • Base Score: MEDIUM (5.3)
      • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:3.9/RC:R/MAV:A

      References:

      Vulnerable Software & Versions: (show all)

      CVE-2022-22970  

      In spring framework versions prior to 5.3.20+ , 5.2.22+ and old unsupported versions, applications that handle file uploads are vulnerable to DoS attack if they rely on data binding to set a MultipartFile or javax.servlet.Part to a field in a model object.
      CWE-770 Allocation of Resources Without Limits or Throttling

      CVSSv2:
      • Base Score: LOW (3.5)
      • Vector: /AV:N/AC:M/Au:S/C:N/I:N/A:P
      CVSSv3:
      • Base Score: MEDIUM (5.3)
      • Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H/E:1.6/RC:R/MAV:A

      References:

      Vulnerable Software & Versions: (show all)

      spring-retry-1.0.3.RELEASE.jar

      Description:

      Spring Retry provides an abstraction around retrying failed operations, with an emphasis on declarative control of the process and policy-based bahaviour that is easy to extend and customize.  For instance, you can configure a plain POJO operation to retry if it fails, based on the type of exception, and with a fixed or exponential backoff.
          

      License:

      Apache 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
      File Path: /home/jenkins/.m2/repository/org/springframework/retry/spring-retry/1.0.3.RELEASE/spring-retry-1.0.3.RELEASE.jar
      MD5: 5d5f5046b698320b27d4f86285928a34
      SHA1: 33b967f6abaa0a496318bff2ce96e6da6285a54d
      SHA256:d8f2fd2339e794f4dd78e29d44b33f1f0b5fa687525abee8e7246f61d9cd9fca
      Referenced In Project/Scope: Gemma CLI:compile
      spring-retry-1.0.3.RELEASE.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/gemma/gemma-core@1.31.8-SNAPSHOT

      Identifiers

      spring-security-acl-3.2.10.RELEASE.jar

      Description:

      spring-security-acl

      License:

      The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
      File Path: /home/jenkins/.m2/repository/org/springframework/security/spring-security-acl/3.2.10.RELEASE/spring-security-acl-3.2.10.RELEASE.jar
      MD5: f87a9ef5d7952bc6f8096b3223d67e19
      SHA1: 0417714b1b6c7f11cb6c2a5ee4c3738d43353928
      SHA256:7916014dbd3c61585d92aeb14e4c74584c60b7858bfb8e63b2af4560d1955315
      Referenced In Project/Scope: Gemma CLI:compile
      spring-security-acl-3.2.10.RELEASE.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/gemma/gemma-cli@1.31.8-SNAPSHOT

      Identifiers

      CVE-2022-22978  

      In spring security versions prior to 5.4.11+, 5.5.7+ , 5.6.4+ and older unsupported versions, RegexRequestMatcher can easily be misconfigured to be bypassed on some servlet containers. Applications using RegexRequestMatcher with `.` in the regular expression are possibly vulnerable to an authorization bypass.
      CWE-863 Incorrect Authorization

      CVSSv2:
      • Base Score: HIGH (7.5)
      • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P
      CVSSv3:
      • Base Score: CRITICAL (9.8)
      • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:3.9/RC:R/MAV:A

      References:

        Vulnerable Software & Versions: (show all)

        CVE-2021-22112  

        Spring Security 5.4.x prior to 5.4.4, 5.3.x prior to 5.3.8.RELEASE, 5.2.x prior to 5.2.9.RELEASE, and older unsupported versions can fail to save the SecurityContext if it is changed more than once in a single request.A malicious user cannot cause the bug to happen (it must be programmed in). However, if the application's intent is to only allow the user to run with elevated privileges in a small portion of the application, the bug can be leveraged to extend those privileges to the rest of the application.
        NVD-CWE-noinfo

        CVSSv2:
        • Base Score: HIGH (9.0)
        • Vector: /AV:N/AC:L/Au:S/C:C/I:C/A:C
        CVSSv3:
        • Base Score: HIGH (8.8)
        • Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:2.8/RC:R/MAV:A

        References:

        Vulnerable Software & Versions: (show all)

        CVE-2016-5007  

        Both Spring Security 3.2.x, 4.0.x, 4.1.0 and the Spring Framework 3.2.x, 4.0.x, 4.1.x, 4.2.x rely on URL pattern mappings for authorization and for mapping requests to controllers respectively. Differences in the strictness of the pattern matching mechanisms, for example with regards to space trimming in path segments, can lead Spring Security to not recognize certain paths as not protected that are in fact mapped to Spring MVC controllers that should be protected. The problem is compounded by the fact that the Spring Framework provides richer features with regards to pattern matching as well as by the fact that pattern matching in each Spring Security and the Spring Framework can easily be customized creating additional differences.
        CWE-264 Permissions, Privileges, and Access Controls

        CVSSv2:
        • Base Score: MEDIUM (5.0)
        • Vector: /AV:N/AC:L/Au:N/C:N/I:P/A:N
        CVSSv3:
        • Base Score: HIGH (7.5)
        • Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N/E:3.9/RC:R/MAV:A

        References:

        Vulnerable Software & Versions: (show all)

        spring-security-config-3.2.10.RELEASE.jar

        Description:

        spring-security-config

        License:

        The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
        File Path: /home/jenkins/.m2/repository/org/springframework/security/spring-security-config/3.2.10.RELEASE/spring-security-config-3.2.10.RELEASE.jar
        MD5: 8c8534526c1ed31e3cdc65523e782e3c
        SHA1: c8c9c742067d5a4879bf8db289cb48b60262056a
        SHA256:f8849bb9e245423924ccdaee6693d497f1b4d2dd2069e7695d4fdd2b82a2f5b3
        Referenced In Project/Scope: Gemma CLI:runtime
        spring-security-config-3.2.10.RELEASE.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/gemma/gemma-cli@1.31.8-SNAPSHOT

        Identifiers

        CVE-2022-22978  

        In spring security versions prior to 5.4.11+, 5.5.7+ , 5.6.4+ and older unsupported versions, RegexRequestMatcher can easily be misconfigured to be bypassed on some servlet containers. Applications using RegexRequestMatcher with `.` in the regular expression are possibly vulnerable to an authorization bypass.
        CWE-863 Incorrect Authorization

        CVSSv2:
        • Base Score: HIGH (7.5)
        • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P
        CVSSv3:
        • Base Score: CRITICAL (9.8)
        • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:3.9/RC:R/MAV:A

        References:

          Vulnerable Software & Versions: (show all)

          CVE-2021-22112  

          Spring Security 5.4.x prior to 5.4.4, 5.3.x prior to 5.3.8.RELEASE, 5.2.x prior to 5.2.9.RELEASE, and older unsupported versions can fail to save the SecurityContext if it is changed more than once in a single request.A malicious user cannot cause the bug to happen (it must be programmed in). However, if the application's intent is to only allow the user to run with elevated privileges in a small portion of the application, the bug can be leveraged to extend those privileges to the rest of the application.
          NVD-CWE-noinfo

          CVSSv2:
          • Base Score: HIGH (9.0)
          • Vector: /AV:N/AC:L/Au:S/C:C/I:C/A:C
          CVSSv3:
          • Base Score: HIGH (8.8)
          • Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:2.8/RC:R/MAV:A

          References:

          Vulnerable Software & Versions: (show all)

          CVE-2016-5007  

          Both Spring Security 3.2.x, 4.0.x, 4.1.0 and the Spring Framework 3.2.x, 4.0.x, 4.1.x, 4.2.x rely on URL pattern mappings for authorization and for mapping requests to controllers respectively. Differences in the strictness of the pattern matching mechanisms, for example with regards to space trimming in path segments, can lead Spring Security to not recognize certain paths as not protected that are in fact mapped to Spring MVC controllers that should be protected. The problem is compounded by the fact that the Spring Framework provides richer features with regards to pattern matching as well as by the fact that pattern matching in each Spring Security and the Spring Framework can easily be customized creating additional differences.
          CWE-264 Permissions, Privileges, and Access Controls

          CVSSv2:
          • Base Score: MEDIUM (5.0)
          • Vector: /AV:N/AC:L/Au:N/C:N/I:P/A:N
          CVSSv3:
          • Base Score: HIGH (7.5)
          • Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N/E:3.9/RC:R/MAV:A

          References:

          Vulnerable Software & Versions: (show all)

          CVE-2023-20862 (OSSINDEX)  

          In Spring Security, versions 5.7.x prior to 5.7.8, versions 5.8.x prior to 5.8.3, and versions 6.0.x prior to 6.0.3, the logout support does not properly clean the security context if using serialized versions. Additionally, it is not possible to explicitly save an empty security context to the HttpSessionSecurityContextRepository. This vulnerability can keep users authenticated even after they performed logout. Users of affected versions should apply the following mitigation. 5.7.x users should upgrade to 5.7.8. 5.8.x users should upgrade to 5.8.3. 6.0.x users should upgrade to 6.0.3.
          
          Sonatype's research suggests that this CVE's details differ from those defined at NVD. See https://ossindex.sonatype.org/vulnerability/CVE-2023-20862 for details
          CWE-459 Incomplete Cleanup

          CVSSv3:
          • Base Score: MEDIUM (6.300000190734863)
          • Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

          References:

          Vulnerable Software & Versions (OSSINDEX):

          • cpe:2.3:a:org.springframework.security:spring-security-config:3.2.10.RELEASE:*:*:*:*:*:*:*

          CVE-2018-1199 (OSSINDEX)  

          Spring Security (Spring Security 4.1.x before 4.1.5, 4.2.x before 4.2.4, and 5.0.x before 5.0.1; and Spring Framework 4.3.x before 4.3.14 and 5.0.x before 5.0.3) does not consider URL path parameters when processing security constraints. By adding a URL path parameter with special encodings, an attacker may be able to bypass a security constraint. The root cause of this issue is a lack of clarity regarding the handling of path parameters in the Servlet Specification. Some Servlet containers include path parameters in the value returned for getPathInfo() and some do not. Spring Security uses the value returned by getPathInfo() as part of the process of mapping requests to security constraints. In this particular attack, different character encodings used in path parameters allows secured Spring MVC static resource URLs to be bypassed.
          CWE-20 Improper Input Validation

          CVSSv3:
          • Base Score: MEDIUM (5.300000190734863)
          • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

          References:

          Vulnerable Software & Versions (OSSINDEX):

          • cpe:2.3:a:org.springframework.security:spring-security-config:3.2.10.RELEASE:*:*:*:*:*:*:*

          spring-security-core-3.2.10.RELEASE.jar

          Description:

          spring-security-core

          License:

          The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
          File Path: /home/jenkins/.m2/repository/org/springframework/security/spring-security-core/3.2.10.RELEASE/spring-security-core-3.2.10.RELEASE.jar
          MD5: 86427a3f1e565f975b48cb8b9be4649d
          SHA1: e8018fab2ada266288d1db83cc4e452de1e2ed1c
          SHA256:10443ef19e3cbe2b82197983d7fa0dec5bebd40dc3ca2c0cf02864359cdc2c93
          Referenced In Project/Scope: Gemma CLI:compile
          spring-security-core-3.2.10.RELEASE.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/gemma/gemma-cli@1.31.8-SNAPSHOT

          Identifiers

          CVE-2022-22978  

          In spring security versions prior to 5.4.11+, 5.5.7+ , 5.6.4+ and older unsupported versions, RegexRequestMatcher can easily be misconfigured to be bypassed on some servlet containers. Applications using RegexRequestMatcher with `.` in the regular expression are possibly vulnerable to an authorization bypass.
          CWE-863 Incorrect Authorization

          CVSSv2:
          • Base Score: HIGH (7.5)
          • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P
          CVSSv3:
          • Base Score: CRITICAL (9.8)
          • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:3.9/RC:R/MAV:A

          References:

            Vulnerable Software & Versions: (show all)

            CVE-2021-22112  

            Spring Security 5.4.x prior to 5.4.4, 5.3.x prior to 5.3.8.RELEASE, 5.2.x prior to 5.2.9.RELEASE, and older unsupported versions can fail to save the SecurityContext if it is changed more than once in a single request.A malicious user cannot cause the bug to happen (it must be programmed in). However, if the application's intent is to only allow the user to run with elevated privileges in a small portion of the application, the bug can be leveraged to extend those privileges to the rest of the application.
            NVD-CWE-noinfo

            CVSSv2:
            • Base Score: HIGH (9.0)
            • Vector: /AV:N/AC:L/Au:S/C:C/I:C/A:C
            CVSSv3:
            • Base Score: HIGH (8.8)
            • Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:2.8/RC:R/MAV:A

            References:

            Vulnerable Software & Versions: (show all)

            CVE-2024-22257 (OSSINDEX)  

            In Spring Security, versions 5.7.x prior to 5.7.12, 5.8.x prior to 
            5.8.11, versions 6.0.x prior to 6.0.9, versions 6.1.x prior to 6.1.8, 
            versions 6.2.x prior to 6.2.3, an application is possible vulnerable to 
            broken access control when it directly uses the AuthenticatedVoter#vote passing a null Authentication parameter.
            
            
            CWE-1390 Weak Authentication

            CVSSv3:
            • Base Score: HIGH (8.199999809265137)
            • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

            References:

            Vulnerable Software & Versions (OSSINDEX):

            • cpe:2.3:a:org.springframework.security:spring-security-core:3.2.10.RELEASE:*:*:*:*:*:*:*

            CVE-2016-5007  

            Both Spring Security 3.2.x, 4.0.x, 4.1.0 and the Spring Framework 3.2.x, 4.0.x, 4.1.x, 4.2.x rely on URL pattern mappings for authorization and for mapping requests to controllers respectively. Differences in the strictness of the pattern matching mechanisms, for example with regards to space trimming in path segments, can lead Spring Security to not recognize certain paths as not protected that are in fact mapped to Spring MVC controllers that should be protected. The problem is compounded by the fact that the Spring Framework provides richer features with regards to pattern matching as well as by the fact that pattern matching in each Spring Security and the Spring Framework can easily be customized creating additional differences.
            CWE-264 Permissions, Privileges, and Access Controls

            CVSSv2:
            • Base Score: MEDIUM (5.0)
            • Vector: /AV:N/AC:L/Au:N/C:N/I:P/A:N
            CVSSv3:
            • Base Score: HIGH (7.5)
            • Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N/E:3.9/RC:R/MAV:A

            References:

            Vulnerable Software & Versions: (show all)

            CVE-2019-11272 (OSSINDEX)  

            Spring Security, versions 4.2.x up to 4.2.12, and older unsupported versions support plain text passwords using PlaintextPasswordEncoder. If an application using an affected version of Spring Security is leveraging PlaintextPasswordEncoder and a user has a null encoded password, a malicious user (or attacker) can authenticate using a password of "null".
            CWE-522 Insufficiently Protected Credentials

            CVSSv3:
            • Base Score: HIGH (7.300000190734863)
            • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

            References:

            Vulnerable Software & Versions (OSSINDEX):

            • cpe:2.3:a:org.springframework.security:spring-security-core:3.2.10.RELEASE:*:*:*:*:*:*:*

            CVE-2019-3795 (OSSINDEX)  

            Spring Security versions 4.2.x prior to 4.2.12, 5.0.x prior to 5.0.12, and 5.1.x prior to 5.1.5 contain an insecure randomness vulnerability when using SecureRandomFactoryBean#setSeed to configure a SecureRandom instance. In order to be impacted, an honest application must provide a seed and make the resulting random material available to an attacker for inspection.
            
            Sonatype's research suggests that this CVE's details differ from those defined at NVD. See https://ossindex.sonatype.org/vulnerability/CVE-2019-3795 for details
            CWE-330 Use of Insufficiently Random Values

            CVSSv3:
            • Base Score: MEDIUM (5.300000190734863)
            • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

            References:

            Vulnerable Software & Versions (OSSINDEX):

            • cpe:2.3:a:org.springframework.security:spring-security-core:3.2.10.RELEASE:*:*:*:*:*:*:*

            swagger-annotations-2.2.22.jar

            Description:

            swagger-annotations

            License:

            "Apache License 2.0";link="http://www.apache.org/licenses/LICENSE-2.0.html"
            File Path: /home/jenkins/.m2/repository/io/swagger/core/v3/swagger-annotations/2.2.22/swagger-annotations-2.2.22.jar
            MD5: 2010c66fe450b61569fa7d8649ce85a6
            SHA1: a62994e7d8d87a0966bb12b85536bdd35287ab1b
            SHA256:bf8f7c5564f4f6506f00b88e745bef3427845cbc854155c8b220b22cb0349fa8
            Referenced In Project/Scope: Gemma CLI:compile
            swagger-annotations-2.2.22.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/gemma/gemma-cli@1.31.8-SNAPSHOT

            Identifiers

            velocity-engine-core-2.3.jar (shaded: commons-io:commons-io:2.8.0)

            Description:

            The Apache Commons IO library contains utility classes, stream implementations, file filters,
            file comparators, endian transformation classes, and much more.
              

            File Path: /home/jenkins/.m2/repository/org/apache/velocity/velocity-engine-core/2.3/velocity-engine-core-2.3.jar/META-INF/maven/commons-io/commons-io/pom.xml
            MD5: bde9745d9cea5e45d720cb5a860f1fc6
            SHA1: 9bde4473ef8c6f2e5aef5bc5fbf357663a90834e
            SHA256:d7c8641a37d6e76f36fb9e81fc1420e26a09d63fa32f00f74764de067ca8347d
            Referenced In Project/Scope: Gemma CLI:compile

            Identifiers

            velocity-engine-core-2.3.jar

            Description:

            Apache Velocity is a general purpose template engine.

            License:

            https://www.apache.org/licenses/LICENSE-2.0.txt
            File Path: /home/jenkins/.m2/repository/org/apache/velocity/velocity-engine-core/2.3/velocity-engine-core-2.3.jar
            MD5: e761e6088b946b42289c5d676a515581
            SHA1: e2133b723d0e42be74880d34de6bf6538ea7f915
            SHA256:b086cee8fd8183e240b4afcf54fe38ec33dd8eb0da414636e5bf7aa4d9856629
            Referenced In Project/Scope: Gemma CLI:compile
            velocity-engine-core-2.3.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/gemma/gemma-core@1.31.8-SNAPSHOT

            Identifiers

            xercesImpl-2.12.2.jar

            Description:

                  Xerces2 provides high performance, fully compliant XML parsers in the Apache Xerces family. This new version of Xerces continues to build upon the Xerces Native Interface (XNI), a complete framework for building parser components and configurations that is extremely modular and easy to program.
            
                  The Apache Xerces2 parser is the reference implementation of XNI but other parser components, configurations, and parsers can be written using the Xerces Native Interface. For complete design and implementation documents, refer to the XNI Manual.
            
                  Xerces2 provides fully conforming XML Schema 1.0 and 1.1 processors. An experimental implementation of the "XML Schema Definition Language (XSD): Component Designators (SCD) Candidate Recommendation (January 2010)" is also provided for evaluation. For more information, refer to the XML Schema page.
            
                  Xerces2 also provides a complete implementation of the Document Object Model Level 3 Core and Load/Save W3C Recommendations and provides a complete implementation of the XML Inclusions (XInclude) W3C Recommendation. It also provides support for OASIS XML Catalogs v1.1.
            
                  Xerces2 is able to parse documents written according to the XML 1.1 Recommendation, except that it does not yet provide an option to enable normalization checking as described in section 2.13 of this specification. It also handles namespaces according to the XML Namespaces 1.1 Recommendation, and will correctly serialize XML 1.1 documents if the DOM level 3 load/save APIs are in use.  
            	

            License:

            The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
            File Path: /home/jenkins/.m2/repository/xerces/xercesImpl/2.12.2/xercesImpl-2.12.2.jar
            MD5: 40e4f2d5aacfbf51a9a1572d77a0e5e9
            SHA1: f051f988aa2c9b4d25d05f95742ab0cc3ed789e2
            SHA256:6fc991829af1708d15aea50c66f0beadcd2cfeb6968e0b2f55c1b0909883fe16
            Referenced In Project/Scope: Gemma CLI:compile
            xercesImpl-2.12.2.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/gemma/gemma-cli@1.31.8-SNAPSHOT

            Identifiers

            • pkg:maven/xerces/xercesImpl@2.12.2  (Confidence:High)
            • cpe:2.3:a:apache:xerces-j:2.12.2:*:*:*:*:*:*:*  (Confidence:Low)  
            • cpe:2.3:a:apache:xerces2_java:2.12.2:*:*:*:*:*:*:*  (Confidence:Low)  

            CVE-2017-10355 (OSSINDEX)  

            sonatype-2017-0348 - xerces:xercesImpl - Denial of Service (DoS)
            
            The software contains multiple threads or executable segments that are waiting for each other to release a necessary lock, resulting in deadlock.
            CWE-833 Deadlock

            CVSSv3:
            • Base Score: MEDIUM (5.900000095367432)
            • Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

            References:

            Vulnerable Software & Versions (OSSINDEX):

            • cpe:2.3:a:xerces:xercesImpl:2.12.2:*:*:*:*:*:*:*

            xml-apis-1.4.01.jar

            Description:

            xml-commons provides an Apache-hosted set of DOM, SAX, and 
                JAXP interfaces for use in other xml-based projects. Our hope is that we 
                can standardize on both a common version and packaging scheme for these 
                critical XML standards interfaces to make the lives of both our developers 
                and users easier. The External Components portion of xml-commons contains 
                interfaces that are defined by external standards organizations. For DOM, 
                that's the W3C; for SAX it's David Megginson and sax.sourceforge.net; for 
                JAXP it's Sun.

            License:

            The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
            The SAX License: http://www.saxproject.org/copying.html
            The W3C License: http://www.w3.org/TR/2004/REC-DOM-Level-3-Core-20040407/java-binding.zip
            File Path: /home/jenkins/.m2/repository/xml-apis/xml-apis/1.4.01/xml-apis-1.4.01.jar
            MD5: 7eaad6fea5925cca6c36ee8b3e02ac9d
            SHA1: 3789d9fada2d3d458c4ba2de349d48780f381ee3
            SHA256:a840968176645684bb01aed376e067ab39614885f9eee44abe35a5f20ebe7fad
            Referenced In Project/Scope: Gemma CLI:compile
            xml-apis-1.4.01.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/gemma/gemma-cli@1.31.8-SNAPSHOT

            Identifiers



            This report contains data retrieved from the National Vulnerability Database.
            This report may contain data retrieved from the CISA Known Exploited Vulnerability Catalog.
            This report may contain data retrieved from the Github Advisory Database (via NPM Audit API).
            This report may contain data retrieved from RetireJS.
            This report may contain data retrieved from the Sonatype OSS Index.