This table represents the known exploitable and non-exploitable vulnerabilities in third party packages used in the project.
| Repository | Group | Problem Code | Impact Analysis | Action |
|---|---|---|---|---|
| oparent | commons-beanutils | CVE-2014-0114 | Apache Commons BeanUtils, as distributed in lib/commons-beanutils-1.8.0.jar in Apache Struts 1.x through 1.3.10 and in other products requiring commons-beanutils through 1.9.2, does not suppress the class property, which allows remote attackers to "manipulate" the ClassLoader and execute arbitrary code via the class parameter, as demonstrated by the passing of this parameter to the getClass method of the ActionForm object in Struts 1. | All versions of commons-beanutils have security vulnerabilities. SECCOM recommends upgrading to 1.9.4 in order to use a more current version of the package |
| oparent | org.apache.tomcat.embed | CVE-2019-0232 | When running on Windows with enableCmdLineArguments enabled, the CGI Servlet in Apache Tomcat 9.0.0.M1 to 9.0.17, 8.5.0 to 8.5.39 and 7.0.0 to 7.0.93 is vulnerable to Remote Code Execution due to a bug in the way the JRE passes command line arguments to Windows. The CGI Servlet is disabled by default. The CGI option enableCmdLineArguments is disable by default in Tomcat 9.0.x (and will be disabled by default in all versions in response to this vulnerability). For a detailed explanation of the JRE behaviour, see Markus Wulftange's blog (https://codewhitesec.blogspot.com/2016/02/java-and-command-line-injections-in-windows.html) and this archived MSDN blog (https://web.archive.org/web/20161228144344/https://blogs.msdn.microsoft.com/twistylittlepassagesallalike/2011/04/23/everyone-quotes-command-line-arguments-the-wrong-way/). | SECCOM recommends oparent upgrade to 9.0.20, 9.0.21, 9.0.22 or 9.0.24. None of these versions have security vulnerabilities. |
| oparent | org.apache.tomcat.embed | CVE-2019-0199 | The HTTP/2 implementation in Apache Tomcat 9.0.0.M1 to 9.0.14 and 8.5.0 to 8.5.37 accepted streams with excessive numbers of SETTINGS frames and also permitted clients to keep streams open without reading/writing request/response data. By keeping streams open for requests that utilised the Servlet API's blocking I/O, clients were able to cause server-side threads to block eventually leading to thread exhaustion and a DoS. The Apache tomcat-coyote package is vulnerable to a Denial of Service (DoS) attack. The Http2Protocol class, the reserveWindowSize() method in the Stream class, the process() method in the StreamProcessor class, the upgradeDispatch(), writeBody(), startRequestBodyFrame(), reprioritise(), setting(), and pingReceive() methods in the Http2UpgradeHandler class, the end() method in the Stream$StreamOutputBuffer class, and the doRead() method in the Stream$StreamInputBuffer class fail to enforce proper timeout restrictions on open connections and allow excessive numbers of SETTINGS frames. Consequently, clients are able to keep connections alive without reading or writing any request or response data. If the open streams utilize the Servlet API's blocking I/O capabilities, clients can abuse this functionality to block server-side threads. A remote attacker can exploit this vulnerability by establishing never-ending connections to the affected server, or by issuing excessive numbers of SETTINGS frames. These connections will exhaust server-side threads and eventually result in a DoS condition. The application is vulnerable by using this component if it utilizes the Servlet API's blocking I/O functionality. | SECCOM recommends oparent upgrade to 9.0.20, 9.0.21, 9.0.22 or 9.0.24. None of these versions have security vulnerabilities. |
| oparent | org.apache.tomcat.embed | CVE-2019-0221 | The SSI printenv command in Apache Tomcat 9.0.0.M1 to 9.0.0.17, 8.5.0 to 8.5.39 and 7.0.0 to 7.0.93 echoes user provided data without escaping and is, therefore, vulnerable to XSS. SSI is disabled by default. The printenv command is intended for debugging and is unlikely to be present in a production website. The tomcat-catalina package is vulnerable to Cross-Site Scripting (XSS). The process method in SSIPrintenv.class prints application environment variables without sanitizing them. A remote attacker could exploit this vulnerability by sending a malicious payload as part of the HTTP request, which may be automatically set as an environment variable. This can be used to inject JavaScript in a victim's browser. The application is vulnerable by using this component with SSI enabled, which is disabled by default. The SSI component is toggled on or off in the $CATALINA_BASE/conf/web.xml file. For more information see https://tomcat.apache.org/tomcat-7.0-doc/ssi-howto.html | SECCOM recommends oparent upgrade to 9.0.20, 9.0.21, 9.0.22 or 9.0.24. None of these versions have security vulnerabilities. |
| oparent | org.codehaus.jackson | CVE-2017-7525 | A deserialization flaw was discovered in the jackson-databind, versions before 2.6.7.1, 2.7.9.1 and 2.8.9, which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper. The application is vulnerable by using this component, when default typing is enabled. | All versions of jackson-mapper-asl have security vulnerabilities. |
| oparent | org.webjars | N/A | The jquery package is vulnerable to Prototype Pollution. | SECCOM recommends upgrading to 3.4.0 or higher. |
| oparent | commons-codec | N/A | The Apache commons-codec package contains an Improper Input Validation vulnerability. | SECCOM recommends upgrading to 1.13. |
| oparent | org.exist-db.thirdparty.xerces | N/A | Apache Xerces-J is vulnerable to a Denial of Service (DoS) attack. | There is no newer version of the package. |