esapi-2.1.0.1.jar: 39 vulnerabilities (highest severity is: 9.8) reachable

[mend-for-jackfan.us.kg]

Vulnerable Library - esapi-2.1.0.1.jar

The Enterprise Security API (ESAPI) project is an OWASP project to create simple strong security controls for every web platform. Security controls are not simple to build. You can read about the hundreds of pitfalls for unwary developers on the OWASP web site. By providing developers with a set of strong controls, we aim to eliminate some of the complexity of creating secure web applications. This can result in significant cost savings across the SDLC.

Library home page: http://www.owasp.org/index.php

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/owasp/esapi/esapi/2.1.0.1/esapi-2.1.0.1.jar

Found in HEAD commit: 21d02aa2a835d033894b1b2e4c4fdadc665ed2b9

Vulnerabilities

CVE	Severity	CVSS	Dependency	Type	Fixed in (esapi version)	Remediation Possible**	Reachability
CVE-2022-23305	Critical	9.8	log4j-1.2.17.jar	Transitive	N/A*	❌	Reachable
CVE-2016-2510	High	8.1	bsh-core-2.0b4.jar	Transitive	N/A*	❌	Reachable
WS-2023-0388	High	7.5	esapi-2.1.0.1.jar	Direct	2.5.2.0	✅	Reachable
WS-2014-0034	High	7.5	commons-fileupload-1.3.1.jar	Transitive	2.4.0.0	✅	Reachable
CVE-2023-26464	High	7.5	log4j-1.2.17.jar	Transitive	N/A*	❌	Reachable
CVE-2023-24998	High	7.5	commons-fileupload-1.3.1.jar	Transitive	2.5.2.0	✅	Reachable
CVE-2022-34169	High	7.5	xalan-2.7.0.jar	Transitive	N/A*	❌	Reachable
CVE-2022-29546	High	7.5	nekohtml-1.9.22.jar	Transitive	N/A*	❌	Reachable
CVE-2022-28366	High	7.5	nekohtml-1.9.22.jar	Transitive	N/A*	❌	Reachable
CVE-2022-23457	High	7.5	esapi-2.1.0.1.jar	Direct	2.3.0.0	✅	Reachable
CVE-2021-4104	High	7.5	log4j-1.2.17.jar	Transitive	N/A*	❌	Reachable
CVE-2016-3092	High	7.5	commons-fileupload-1.3.1.jar	Transitive	2.2.0.0	✅	Reachable
CVE-2012-0881	High	7.5	xercesImpl-2.8.0.jar	Transitive	2.5.3.0	✅	Reachable
CVE-2019-10086	High	7.3	commons-beanutils-core-1.8.3.jar	Transitive	N/A*	❌	Reachable
CVE-2016-1000031	High	7.3	commons-fileupload-1.3.1.jar	Transitive	2.2.0.0	✅	Reachable
CVE-2014-0114	High	7.3	commons-beanutils-core-1.8.3.jar	Transitive	N/A*	❌	Reachable
CVE-2014-0107	High	7.3	xalan-2.7.0.jar	Transitive	2.5.0.0	✅	Reachable
CVE-2022-23437	Medium	6.5	xercesImpl-2.8.0.jar	Transitive	N/A*	❌	Reachable
WS-2023-0429	Medium	6.1	esapi-2.1.0.1.jar	Direct	2.6.0.0	✅	Reachable
CVE-2024-23635	Medium	6.1	antisamy-1.5.3.jar	Transitive	2.5.4.0	✅	Reachable
CVE-2023-43643	Medium	6.1	antisamy-1.5.3.jar	Transitive	2.5.3.0	✅	Reachable
CVE-2022-29577	Medium	6.1	antisamy-1.5.3.jar	Transitive	2.3.0.0	✅	Reachable
CVE-2022-28367	Medium	6.1	antisamy-1.5.3.jar	Transitive	2.3.0.0	✅	Reachable
CVE-2021-35043	Medium	6.1	antisamy-1.5.3.jar	Transitive	2.3.0.0	✅	Reachable
CVE-2017-14735	Medium	6.1	antisamy-1.5.3.jar	Transitive	2.2.0.0	✅	Reachable
CVE-2016-10006	Medium	6.1	antisamy-1.5.3.jar	Transitive	2.2.0.0	✅	Reachable
CVE-2013-4002	Medium	5.9	xercesImpl-2.8.0.jar	Transitive	2.2.0.0	✅	Reachable
CVE-2020-14338	Medium	5.3	xercesImpl-2.8.0.jar	Transitive	2.5.3.0	✅	Reachable
CVE-2009-2625	Medium	5.3	xercesImpl-2.8.0.jar	Transitive	2.2.0.0	✅	Reachable
CVE-2021-29425	Medium	4.8	commons-io-2.2.jar	Transitive	2.5.3.0	✅	Reachable
CVE-2012-5783	Medium	4.8	commons-httpclient-3.1.jar	Transitive	2.2.0.0	✅	Reachable
CVE-2020-9488	Low	3.7	log4j-1.2.17.jar	Transitive	N/A*	❌	Reachable
CVE-2012-6153	Low	3.7	commons-httpclient-3.1.jar	Transitive	N/A*	❌	Reachable
CVE-2020-9493	Critical	9.8	log4j-1.2.17.jar	Transitive	N/A*	❌	Unreachable
CVE-2019-17571	Critical	9.8	log4j-1.2.17.jar	Transitive	N/A*	❌	Unreachable
CVE-2022-23307	High	8.8	log4j-1.2.17.jar	Transitive	N/A*	❌	Unreachable
CVE-2022-23302	High	8.8	log4j-1.2.17.jar	Transitive	N/A*	❌	Unreachable
CVE-2022-24891	Medium	5.4	esapi-2.1.0.1.jar	Direct	2.3.0.0	✅	Unreachable
CVE-2024-47554	Medium	4.3	commons-io-2.2.jar	Transitive	N/A*	❌	Unreachable

*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

Partial details (15 vulnerabilities) are displayed below due to a content size limitation in GitHub. To view information on the remaining vulnerabilities, navigate to the Mend Application.

CVE-2022-23305

Vulnerable Library - log4j-1.2.17.jar

Apache Log4j 1.2

Library home page: http://www.apache.org

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/log4j/log4j/1.2.17/log4j-1.2.17.jar

Dependency Hierarchy:

• esapi-2.1.0.1.jar (Root Library)
  • ❌ log4j-1.2.17.jar (Vulnerable Library)

Found in HEAD commit: 21d02aa2a835d033894b1b2e4c4fdadc665ed2b9

Found in base branch: master

Reachability Analysis

This vulnerability is potentially reachable

org.t246osslab.easybuggy4sb.controller.AbstractController (Application)
  -> org.springframework.web.context.support.GenericWebApplicationContext (Extension)
   -> org.springframework.web.filter.Log4jNestedDiagnosticContextFilter (Extension)
    -> org.apache.log4j.NDC (Extension)
    ...
      -> org.apache.log4j.helpers.OptionConverter (Extension)
       -> org.apache.log4j.PropertyConfigurator (Extension)
        -> ❌ org.apache.log4j.jdbc.JDBCAppender (Vulnerable Component)

Vulnerability Details

By design, the JDBCAppender in Log4j 1.2.x accepts an SQL statement as a configuration parameter where the values to be inserted are converters from PatternLayout. The message converter, %m, is likely to always be included. This allows attackers to manipulate the SQL by entering crafted strings into input fields or headers of an application that are logged allowing unintended SQL queries to be executed. Note this issue only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default. Beginning in version 2.0-beta8, the JDBCAppender was re-introduced with proper support for parameterized SQL queries and further customization over the columns written to in logs. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.

Publish Date: 2022-01-18

URL: CVE-2022-23305

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://reload4j.qos.ch/

Release Date: 2022-01-18

Fix Resolution: ch.qos.reload4j:reload4j:1.2.18.2

CVE-2016-2510

Vulnerable Library - bsh-core-2.0b4.jar

BeanShell core

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/beanshell/bsh-core/2.0b4/bsh-core-2.0b4.jar

Dependency Hierarchy:

• esapi-2.1.0.1.jar (Root Library)
  • ❌ bsh-core-2.0b4.jar (Vulnerable Library)

Found in HEAD commit: 21d02aa2a835d033894b1b2e4c4fdadc665ed2b9

Found in base branch: master

Reachability Analysis

This vulnerability is potentially reachable

org.t246osslab.easybuggy4sb.controller.AbstractController (Application)
  -> org.springframework.web.context.support.AnnotationConfigWebApplicationContext (Extension)
   -> org.springframework.context.annotation.AnnotationConfigUtils (Extension)
    -> org.springframework.context.annotation.CommonAnnotationBeanPostProcessor (Extension)
    ...
      -> org.springframework.scripting.bsh.BshScriptFactory (Extension)
       -> org.springframework.scripting.bsh.BshScriptUtils (Extension)
        -> ❌ bsh.XThis (Vulnerable Component)

Vulnerability Details

BeanShell (bsh) before 2.0b6, when included on the classpath by an application that uses Java serialization or XStream, allows remote attackers to execute arbitrary code via crafted serialized data, related to XThis.Handler.

Publish Date: 2016-04-07

URL: CVE-2016-2510

CVSS 3 Score Details (8.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2016-2510

Release Date: 2016-04-07

Fix Resolution: 2.0b6

WS-2023-0388

Vulnerable Library - esapi-2.1.0.1.jar

The Enterprise Security API (ESAPI) project is an OWASP project to create simple strong security controls for every web platform. Security controls are not simple to build. You can read about the hundreds of pitfalls for unwary developers on the OWASP web site. By providing developers with a set of strong controls, we aim to eliminate some of the complexity of creating secure web applications. This can result in significant cost savings across the SDLC.

Library home page: http://www.owasp.org/index.php

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/owasp/esapi/esapi/2.1.0.1/esapi-2.1.0.1.jar

Dependency Hierarchy:

• ❌ esapi-2.1.0.1.jar (Vulnerable Library)

Found in HEAD commit: 21d02aa2a835d033894b1b2e4c4fdadc665ed2b9

Found in base branch: master

Reachability Analysis

This vulnerability is potentially reachable

org.t246osslab.easybuggy4sb.InitializationListener (Application)
  -> org.owasp.esapi.ESAPI (Extension)
   -> ❌ org.owasp.esapi.reference.DefaultHTTPUtilities (Vulnerable Component)

Vulnerability Details

ESAPI 2.5.2.0 and later addressed the DoS vulnerability described in CVE-2023-24998, which Apache Commons FileUpload 1.5 attempted to remediate. But while writing up a new security bulletin regarding the impact on the affected ESAPI HTTPUtilities.getFileUploads methods (or more specifically those methods in the DefaultHTTPUtilities implementation class), I realized that a DoS vulnerability still persists in ESAPI and for that matter in Apache Commons FileUpload as well.

Publish Date: 2024-12-06

URL: WS-2023-0388

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-7c2q-5qmr-v76q

Release Date: 2024-12-06

Fix Resolution: 2.5.2.0

⛑️ Automatic Remediation will be attempted for this issue.

WS-2014-0034

Vulnerable Library - commons-fileupload-1.3.1.jar

The Apache Commons FileUpload component provides a simple yet flexible means of adding support for multipart file upload functionality to servlets and web applications.

Library home page: http://www.apache.org/

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/commons-fileupload/commons-fileupload/1.3.1/commons-fileupload-1.3.1.jar

Dependency Hierarchy:

• esapi-2.1.0.1.jar (Root Library)
  • ❌ commons-fileupload-1.3.1.jar (Vulnerable Library)

Found in HEAD commit: 21d02aa2a835d033894b1b2e4c4fdadc665ed2b9

Found in base branch: master

Reachability Analysis

This vulnerability is potentially reachable

org.t246osslab.easybuggy4sb.controller.AbstractController (Application)
  -> org.owasp.esapi.ESAPI (Extension)
   -> org.owasp.esapi.reference.DefaultHTTPUtilities (Extension)
    -> org.apache.commons.fileupload.servlet.ServletFileUpload (Extension)
     -> ❌ org.apache.commons.fileupload.FileUploadBase (Vulnerable Component)

Vulnerability Details

The class FileUploadBase in Apache Commons Fileupload before 1.4 has potential resource leak - InputStream not closed on exception.

Publish Date: 2014-02-17

URL: WS-2014-0034

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: None
  • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2014-02-17

Fix Resolution (commons-fileupload:commons-fileupload): 1.4

Direct dependency fix Resolution (org.owasp.esapi:esapi): 2.4.0.0

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2023-26464

Vulnerable Library - log4j-1.2.17.jar

Apache Log4j 1.2

Library home page: http://www.apache.org

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/log4j/log4j/1.2.17/log4j-1.2.17.jar

Dependency Hierarchy:

• esapi-2.1.0.1.jar (Root Library)
  • ❌ log4j-1.2.17.jar (Vulnerable Library)

Found in HEAD commit: 21d02aa2a835d033894b1b2e4c4fdadc665ed2b9

Found in base branch: master

Reachability Analysis

This vulnerability is potentially reachable

org.t246osslab.easybuggy4sb.controller.AbstractController (Application)
  -> org.springframework.web.context.support.StaticWebApplicationContext (Extension)
   -> org.springframework.web.filter.Log4jNestedDiagnosticContextFilter (Extension)
    -> org.apache.log4j.Logger (Extension)
     -> org.apache.log4j.lf5.LF5Appender (Extension)
      -> org.apache.log4j.lf5.viewer.LogBrokerMonitor (Extension)
       -> ❌ org.apache.log4j.lf5.util.LogFileParser (Vulnerable Component)

Vulnerability Details

** UNSUPPORTED WHEN ASSIGNED **

When using the Chainsaw or SocketAppender components with Log4j 1.x on JRE less than 1.7, an attacker that manages to cause a logging entry involving a specially-crafted (ie, deeply nested)
hashmap or hashtable (depending on which logging component is in use) to be processed could exhaust the available memory in the virtual machine and achieve Denial of Service when the object is deserialized.

This issue affects Apache Log4j before 2. Affected users are recommended to update to Log4j 2.x.

NOTE: This vulnerability only affects products that are no longer supported by the maintainer.

Publish Date: 2023-03-10

URL: CVE-2023-26464

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-vp98-w2p3-mv35

Release Date: 2023-03-10

Fix Resolution: org.apache.logging.log4j:log4j-core:2.0

CVE-2023-24998

Vulnerable Library - commons-fileupload-1.3.1.jar

The Apache Commons FileUpload component provides a simple yet flexible means of adding support for multipart file upload functionality to servlets and web applications.

Library home page: http://www.apache.org/

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/commons-fileupload/commons-fileupload/1.3.1/commons-fileupload-1.3.1.jar

Dependency Hierarchy:

• esapi-2.1.0.1.jar (Root Library)
  • ❌ commons-fileupload-1.3.1.jar (Vulnerable Library)

Found in HEAD commit: 21d02aa2a835d033894b1b2e4c4fdadc665ed2b9

Found in base branch: master

Reachability Analysis

This vulnerability is potentially reachable

org.t246osslab.easybuggy4sb.controller.AbstractController (Application)
  -> org.owasp.esapi.ESAPI (Extension)
   -> org.owasp.esapi.reference.DefaultHTTPUtilities (Extension)
    -> org.apache.commons.fileupload.servlet.ServletFileUpload (Extension)
     -> ❌ org.apache.commons.fileupload.FileUploadBase (Vulnerable Component)

Vulnerability Details

Apache Commons FileUpload before 1.5 does not limit the number of request parts to be processed resulting in the possibility of an attacker triggering a DoS with a malicious upload or series of uploads.

Note that, like all of the file upload limits, the
new configuration option (FileUploadBase#setFileCountMax) is not
enabled by default and must be explicitly configured.

Publish Date: 2023-02-20

URL: CVE-2023-24998

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://tomcat.apache.org/security-10.html

Release Date: 2023-02-20

Fix Resolution (commons-fileupload:commons-fileupload): 1.5

Direct dependency fix Resolution (org.owasp.esapi:esapi): 2.5.2.0

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2022-34169

Vulnerable Library - xalan-2.7.0.jar

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/xalan/xalan/2.7.0/xalan-2.7.0.jar

Dependency Hierarchy:

• esapi-2.1.0.1.jar (Root Library)
  • xom-1.2.5.jar
    • ❌ xalan-2.7.0.jar (Vulnerable Library)

Found in HEAD commit: 21d02aa2a835d033894b1b2e4c4fdadc665ed2b9

Found in base branch: master

Reachability Analysis

This vulnerability is potentially reachable

org.t246osslab.easybuggy4sb.vulnerabilities.XEEandXXEController (Application)
  -> org.apache.xalan.processor.StylesheetHandler (Extension)
   -> org.apache.xalan.templates.ElemCallTemplate (Extension)
    -> org.apache.xalan.templates.RedundentExprEliminator (Extension)
     -> org.apache.xalan.templates.AbsPathChecker (Extension)
      -> ❌ org.apache.xpath.functions.FuncCurrent (Vulnerable Component)

Vulnerability Details

The Apache Xalan Java XSLT library is vulnerable to an integer truncation issue when processing malicious XSLT stylesheets. This can be used to corrupt Java class files generated by the internal XSLTC compiler and execute arbitrary Java bytecode. Users are recommended to update to version 2.7.3 or later. Note: Java runtimes (such as OpenJDK) include repackaged copies of Xalan.

Publish Date: 2022-07-19

URL: CVE-2022-34169

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: High
  • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-9339-86wc-4qgf

Release Date: 2022-07-19

Fix Resolution: xalan:xalan:2.7.3

CVE-2022-29546

Vulnerable Library - nekohtml-1.9.22.jar

An HTML parser and tag balancer.

Library home page: http://nekohtml.sourceforge.net/

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/net/sourceforge/nekohtml/nekohtml/1.9.22/nekohtml-1.9.22.jar

Dependency Hierarchy:

• esapi-2.1.0.1.jar (Root Library)
  • antisamy-1.5.3.jar
    • ❌ nekohtml-1.9.22.jar (Vulnerable Library)

Found in HEAD commit: 21d02aa2a835d033894b1b2e4c4fdadc665ed2b9

Found in base branch: master

Reachability Analysis

This vulnerability is potentially reachable

org.t246osslab.easybuggy4sb.vulnerabilities.XEEandXXEController (Application)
  -> org.thymeleaf.templateparser.xmlsax.AbstractNonValidatingSAXTemplateParser$XmlSAXHandler (Extension)
   -> org.thymeleaf.dom.Element (Extension)
    -> org.thymeleaf.templateparser.html.AbstractHtmlTemplateParser (Extension)
    ...
      -> org.cyberneko.html.HTMLConfiguration (Extension)
       -> org.cyberneko.html.HTMLScanner (Extension)
        -> ❌ org.cyberneko.html.HTMLScanner$ContentScanner (Vulnerable Component)

Vulnerability Details

HtmlUnit NekoHtml Parser before 2.61.0 suffers from a denial of service vulnerability. Crafted input associated with the parsing of Processing Instruction (PI) data leads to heap memory consumption. This is similar to CVE-2022-28366 but affects a much later version of the product.

Publish Date: 2022-04-25

URL: CVE-2022-29546

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2022-04-25

Fix Resolution: net.sourceforge.htmlunit:neko-htmlunit:2.61.0

CVE-2022-28366

Vulnerable Library - nekohtml-1.9.22.jar

An HTML parser and tag balancer.

Library home page: http://nekohtml.sourceforge.net/

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/net/sourceforge/nekohtml/nekohtml/1.9.22/nekohtml-1.9.22.jar

Dependency Hierarchy:

• esapi-2.1.0.1.jar (Root Library)
  • antisamy-1.5.3.jar
    • ❌ nekohtml-1.9.22.jar (Vulnerable Library)

Found in HEAD commit: 21d02aa2a835d033894b1b2e4c4fdadc665ed2b9

Found in base branch: master

Reachability Analysis

This vulnerability is potentially reachable

org.t246osslab.easybuggy4sb.vulnerabilities.XEEandXXEController (Application)
  -> org.thymeleaf.templateparser.xmlsax.AbstractNonValidatingSAXTemplateParser$XmlSAXHandler (Extension)
   -> org.thymeleaf.dom.CDATASection (Extension)
    -> org.cyberneko.html.HTMLConfiguration (Extension)
    ...
      -> org.cyberneko.html.SecuritySupport (Extension)
       -> org.cyberneko.html.SecuritySupport12 (Extension)
        -> ❌ org.cyberneko.html.SecuritySupport12$5 (Vulnerable Component)

Vulnerability Details

Certain Neko-related HTML parsers allow a denial of service via crafted Processing Instruction (PI) input that causes excessive heap memory consumption. In particular, this issue exists in HtmlUnit-Neko through 2.26, and is fixed in 2.27. This issue also exists in CyberNeko HTML through 1.9.22 (also affecting OWASP AntiSamy before 1.6.6), but 1.9.22 is the last version of CyberNeko HTML. NOTE: this may be related to CVE-2022-24839.

Publish Date: 2022-04-21

URL: CVE-2022-28366

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-g9hh-vvx3-v37v

Release Date: 2022-04-21

Fix Resolution: net.sourceforge.htmlunit:neko-htmlunit:2.27

CVE-2022-23457

Vulnerable Library - esapi-2.1.0.1.jar

The Enterprise Security API (ESAPI) project is an OWASP project to create simple strong security controls for every web platform. Security controls are not simple to build. You can read about the hundreds of pitfalls for unwary developers on the OWASP web site. By providing developers with a set of strong controls, we aim to eliminate some of the complexity of creating secure web applications. This can result in significant cost savings across the SDLC.

Library home page: http://www.owasp.org/index.php

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/owasp/esapi/esapi/2.1.0.1/esapi-2.1.0.1.jar

Dependency Hierarchy:

• ❌ esapi-2.1.0.1.jar (Vulnerable Library)

Found in HEAD commit: 21d02aa2a835d033894b1b2e4c4fdadc665ed2b9

Found in base branch: master

Reachability Analysis

This vulnerability is potentially reachable

org.t246osslab.easybuggy4sb.InitializationListener (Application)
  -> org.owasp.esapi.ESAPI (Extension)
   -> org.owasp.esapi.reference.crypto.JavaEncryptor (Extension)
    -> ❌ org.owasp.esapi.crypto.SecurityProviderLoader (Vulnerable Component)

Vulnerability Details

ESAPI (The OWASP Enterprise Security API) is a free, open source, web application security control library. Prior to version 2.3.0.0, the default implementation of Validator.getValidDirectoryPath(String, String, File, boolean) may incorrectly treat the tested input string as a child of the specified parent directory. This potentially could allow control-flow bypass checks to be defeated if an attack can specify the entire string representing the 'input' path. This vulnerability is patched in release 2.3.0.0 of ESAPI. As a workaround, it is possible to write one's own implementation of the Validator interface. However, maintainers do not recommend this.

Publish Date: 2022-04-25

URL: CVE-2022-23457

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-8m5h-hrqm-pxm2

Release Date: 2022-04-25

Fix Resolution: 2.3.0.0

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2021-4104

Vulnerable Library - log4j-1.2.17.jar

Apache Log4j 1.2

Library home page: http://www.apache.org

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/log4j/log4j/1.2.17/log4j-1.2.17.jar

Dependency Hierarchy:

• esapi-2.1.0.1.jar (Root Library)
  • ❌ log4j-1.2.17.jar (Vulnerable Library)

Found in HEAD commit: 21d02aa2a835d033894b1b2e4c4fdadc665ed2b9

Found in base branch: master

Reachability Analysis

This vulnerability is potentially reachable

org.t246osslab.easybuggy4sb.controller.AbstractController (Application)
  -> org.springframework.web.context.support.GenericWebApplicationContext (Extension)
   -> org.springframework.web.filter.CorsFilter (Extension)
    -> org.apache.commons.logging.LogFactory$1 (Extension)
    ...
      -> org.apache.commons.logging.impl.Log4JLogger (Extension)
       -> org.apache.log4j.Logger (Extension)
        -> ❌ org.apache.log4j.net.JMSAppender (Vulnerable Component)

Vulnerability Details

JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration. The attacker can provide TopicBindingName and TopicConnectionFactoryBindingName configurations causing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228. Note this issue only affects Log4j 1.2 when specifically configured to use JMSAppender, which is not the default. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.

Publish Date: 2021-12-14

URL: CVE-2021-4104

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2021-4104

Release Date: 2021-12-14

Fix Resolution: uom-parent - 1.0.3-3.module,1.0.3-3.module;uom-se-javadoc - 1.0.4-3.module;parfait-examples - 0.5.4-4.module;log4j-manual - 1.2.17-16;si-units-javadoc - 0.6.5-2.module;unit-api - 1.0-5.module,1.0-5.module;unit-api-javadoc - 1.0-5.module;parfait - 0.5.4-4.module,0.5.4-4.module;log4j-javadoc - 1.2.17-16;uom-systems-javadoc - 0.7-1.module;uom-lib-javadoc - 1.0.1-6.module;uom-systems - 0.7-1.module,0.7-1.module;log4j - 1.2.17-16,1.2.17-16;uom-se - 1.0.4-3.module,1.0.4-3.module;uom-lib - 1.0.1-6.module,1.0.1-6.module;parfait-javadoc - 0.5.4-4.module;pcp-parfait-agent - 0.5.4-4.module;si-units - 0.6.5-2.module,0.6.5-2.module

CVE-2016-3092

Vulnerable Library - commons-fileupload-1.3.1.jar

The Apache Commons FileUpload component provides a simple yet flexible means of adding support for multipart file upload functionality to servlets and web applications.

Library home page: http://www.apache.org/

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/commons-fileupload/commons-fileupload/1.3.1/commons-fileupload-1.3.1.jar

Dependency Hierarchy:

• esapi-2.1.0.1.jar (Root Library)
  • ❌ commons-fileupload-1.3.1.jar (Vulnerable Library)

Found in HEAD commit: 21d02aa2a835d033894b1b2e4c4fdadc665ed2b9

Found in base branch: master

Reachability Analysis

This vulnerability is potentially reachable

org.t246osslab.easybuggy4sb.controller.AbstractController (Application)
  -> org.springframework.web.context.support.GenericWebApplicationContext (Extension)
   -> org.springframework.web.multipart.commons.CommonsMultipartResolver (Extension)
    -> org.apache.commons.fileupload.FileUploadBase (Extension)
     -> org.apache.commons.fileupload.FileUploadBase$FileItemIteratorImpl$FileItemStreamImpl (Extension)
      -> ❌ org.apache.commons.fileupload.MultipartStream (Vulnerable Component)

Vulnerability Details

The MultipartStream class in Apache Commons Fileupload before 1.3.2, as used in Apache Tomcat 7.x before 7.0.70, 8.x before 8.0.36, 8.5.x before 8.5.3, and 9.x before 9.0.0.M7 and other products, allows remote attackers to cause a denial of service (CPU consumption) via a long boundary string.

Publish Date: 2016-07-04

URL: CVE-2016-3092

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3092

Release Date: 2016-07-04

Fix Resolution (commons-fileupload:commons-fileupload): 1.3.2

Direct dependency fix Resolution (org.owasp.esapi:esapi): 2.2.0.0

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2012-0881

Vulnerable Library - xercesImpl-2.8.0.jar

Xerces2 is the next generation of high performance, fully compliant XML parsers in the Apache Xerces family. This new version of Xerces introduces the Xerces Native Interface (XNI), a complete framework for building parser components and configurations that is extremely modular and easy to program.

Library home page: http://www.apache.org/

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/xerces/xercesImpl/2.8.0/xercesImpl-2.8.0.jar

Dependency Hierarchy:

• esapi-2.1.0.1.jar (Root Library)
  • xom-1.2.5.jar
    • ❌ xercesImpl-2.8.0.jar (Vulnerable Library)

Found in HEAD commit: 21d02aa2a835d033894b1b2e4c4fdadc665ed2b9

Found in base branch: master

Reachability Analysis

This vulnerability is potentially reachable

org.t246osslab.easybuggy4sb.vulnerabilities.XEEandXXEController (Application)
  -> org.apache.xerces.parsers.AbstractSAXParser$AttributesProxy (Extension)
   -> org.apache.xerces.parsers.AbstractSAXParser (Extension)
    -> org.apache.xerces.parsers.BasicParserConfiguration (Extension)
     -> org.apache.xerces.impl.dtd.BalancedDTDGrammar (Extension)
      -> ❌ org.apache.xerces.impl.dtd.DTDGrammar$QNameHashtable (Vulnerable Component)

Vulnerability Details

Apache Xerces2 Java Parser before 2.12.0 allows remote attackers to cause a denial of service (CPU consumption) via a crafted message to an XML service, which triggers hash table collisions.

Publish Date: 2017-10-30

URL: CVE-2012-0881

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0881

Release Date: 2017-10-30

Fix Resolution (xerces:xercesImpl): 2.12.0

Direct dependency fix Resolution (org.owasp.esapi:esapi): 2.5.3.0

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2019-10086

Vulnerable Library - commons-beanutils-core-1.8.3.jar

The Apache Software Foundation provides support for the Apache community of open-source software projects. The Apache projects are characterized by a collaborative, consensus based development process, an open and pragmatic software license, and a desire to create high quality software that leads the way in its field. We consider ourselves not simply a group of projects sharing a server, but rather a community of developers and users.

Library home page: http://www.apache.org/

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/commons-beanutils/commons-beanutils-core/1.8.3/commons-beanutils-core-1.8.3.jar

Dependency Hierarchy:

• esapi-2.1.0.1.jar (Root Library)
  • ❌ commons-beanutils-core-1.8.3.jar (Vulnerable Library)

Found in HEAD commit: 21d02aa2a835d033894b1b2e4c4fdadc665ed2b9

Found in base branch: master

Reachability Analysis

This vulnerability is potentially reachable

org.t246osslab.easybuggy4sb.vulnerabilities.XEEandXXEController (Application)
  -> org.apache.commons.configuration.XMLPropertiesConfiguration$XMLPropertiesHandler (Extension)
   -> org.apache.commons.configuration.XMLPropertiesConfiguration (Extension)
    -> org.apache.commons.configuration.MultiFileHierarchicalConfiguration (Extension)
     -> org.apache.commons.beanutils.BeanUtils (Extension)
      -> org.apache.commons.beanutils.BeanUtilsBean (Extension)
       -> ❌ org.apache.commons.beanutils.PropertyUtilsBean (Vulnerable Component)

Vulnerability Details

In Apache Commons Beanutils 1.9.2, a special BeanIntrospector class was added which allows suppressing the ability for an attacker to access the classloader via the class property available on all Java objects. We, however were not using this by default characteristic of the PropertyUtilsBean.

Publish Date: 2019-08-20

URL: CVE-2019-10086

CVSS 3 Score Details (7.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2019-08-20

Fix Resolution: commons-beanutils:commons-beanutils:1.9.4

CVE-2016-1000031

Vulnerable Library - commons-fileupload-1.3.1.jar

The Apache Commons FileUpload component provides a simple yet flexible means of adding support for multipart file upload functionality to servlets and web applications.

Library home page: http://www.apache.org/

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/commons-fileupload/commons-fileupload/1.3.1/commons-fileupload-1.3.1.jar

Dependency Hierarchy:

• esapi-2.1.0.1.jar (Root Library)
  • ❌ commons-fileupload-1.3.1.jar (Vulnerable Library)

Found in HEAD commit: 21d02aa2a835d033894b1b2e4c4fdadc665ed2b9

Found in base branch: master

Reachability Analysis

This vulnerability is potentially reachable

org.t246osslab.easybuggy4sb.vulnerabilities.XEEandXXEController (Application)
  -> org.springframework.web.multipart.commons.CommonsMultipartFile (Extension)
   -> ❌ org.apache.commons.fileupload.disk.DiskFileItem (Vulnerable Component)

Vulnerability Details

Apache Commons FileUpload before 1.3.3 DiskFileItem File Manipulation Remote Code Execution

Publish Date: 2016-10-25

URL: CVE-2016-1000031

CVSS 3 Score Details (7.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1000031

Release Date: 2016-10-25

Fix Resolution (commons-fileupload:commons-fileupload): 1.3.3

Direct dependency fix Resolution (org.owasp.esapi:esapi): 2.2.0.0

⛑️ Automatic Remediation will be attempted for this issue.

---

⛑️Automatic Remediation will be attempted for this issue.