You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
A flaw was found in codeplex-codehaus. A directory traversal attack (also known as path traversal) aims to access files and directories stored outside the intended folder. By manipulating files with "dot-dot-slash (../)" sequences and their variations or by using absolute file paths, it may be possible to access arbitrary files and directories stored on the file system, including application source code, configuration, and other critical system files.
Use of Java's default temporary directory for file creation in FileBackedOutputStream in Google Guava versions 1.0 to 31.1 on Unix systems and Android Ice Cream Sandwich allows other users and apps on the machine with access to the default Java temporary directory to be able to access the files created by the class.
Even though the security vulnerability is fixed in version 32.0.0, we recommend using version 32.0.1 as version 32.0.0 breaks some functionality under Windows.
Mend Note: Even though the security vulnerability is fixed in version 32.0.0, maintainers recommend using version 32.0.1 as version 32.0.0 breaks some functionality under Windows.
A flaw was found in codehaus-plexus. The org.codehaus.plexus.util.xml.XmlWriterUtil#writeComment fails to sanitize comments for a --> sequence. This issue means that text contained in the command string could be interpreted as XML and allow for XML injection.
Vulnerable Library - openapi-generator-maven-plugin-6.6.0.jar
Path to dependency file: /server/application-server/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/codehaus/plexus/plexus-utils/1.5.8/plexus-utils-1.5.8.jar
Found in HEAD commit: aa7b783ae4c90058c094080a69288fe20549f115
Vulnerabilities
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2017-1000487
Vulnerable Library - plexus-utils-1.5.8.jar
A collection of various utility classes to ease working with strings, files, command lines, XML and more.
Library home page: http://www.codehaus.org/
Path to dependency file: /server/application-server/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/codehaus/plexus/plexus-utils/1.5.8/plexus-utils-1.5.8.jar
Dependency Hierarchy:
Found in HEAD commit: aa7b783ae4c90058c094080a69288fe20549f115
Found in base branch: develop
Vulnerability Details
Plexus-utils before 3.0.16 is vulnerable to command injection because it does not correctly process the contents of double quoted strings.
Publish Date: 2018-01-03
URL: CVE-2017-1000487
CVSS 3 Score Details (9.8)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2017-1000487
Release Date: 2018-01-03
Fix Resolution: 3.0.16
Step up your Open Source Security Game with Mend here
CVE-2022-4244
Vulnerable Library - plexus-utils-1.5.8.jar
A collection of various utility classes to ease working with strings, files, command lines, XML and more.
Library home page: http://www.codehaus.org/
Path to dependency file: /server/application-server/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/codehaus/plexus/plexus-utils/1.5.8/plexus-utils-1.5.8.jar
Dependency Hierarchy:
Found in HEAD commit: aa7b783ae4c90058c094080a69288fe20549f115
Found in base branch: develop
Vulnerability Details
A flaw was found in codeplex-codehaus. A directory traversal attack (also known as path traversal) aims to access files and directories stored outside the intended folder. By manipulating files with "dot-dot-slash (../)" sequences and their variations or by using absolute file paths, it may be possible to access arbitrary files and directories stored on the file system, including application source code, configuration, and other critical system files.
Publish Date: 2023-09-25
URL: CVE-2022-4244
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Release Date: 2023-09-25
Fix Resolution: org.codehaus.plexus:plexus-utils:3.0.24
Step up your Open Source Security Game with Mend here
WS-2016-7057
Vulnerable Library - plexus-utils-1.5.8.jar
A collection of various utility classes to ease working with strings, files, command lines, XML and more.
Library home page: http://www.codehaus.org/
Path to dependency file: /server/application-server/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/codehaus/plexus/plexus-utils/1.5.8/plexus-utils-1.5.8.jar
Dependency Hierarchy:
Found in HEAD commit: aa7b783ae4c90058c094080a69288fe20549f115
Found in base branch: develop
Vulnerability Details
Plexus-utils before 3.0.24 are vulnerable to Directory Traversal
Publish Date: 2016-05-07
URL: WS-2016-7057
CVSS 3 Score Details (5.9)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Release Date: 2016-05-07
Fix Resolution: 3.0.24
Step up your Open Source Security Game with Mend here
CVE-2023-2976
Vulnerable Library - guava-31.1-jre.jar
Guava is a suite of core and expanded libraries that include utility classes, Google's collections, I/O classes, and much more.
Path to dependency file: /server/application-server/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/google/guava/guava/31.1-jre/guava-31.1-jre.jar
Dependency Hierarchy:
Found in HEAD commit: aa7b783ae4c90058c094080a69288fe20549f115
Found in base branch: develop
Vulnerability Details
Use of Java's default temporary directory for file creation in
FileBackedOutputStream
in Google Guava versions 1.0 to 31.1 on Unix systems and Android Ice Cream Sandwich allows other users and apps on the machine with access to the default Java temporary directory to be able to access the files created by the class.Even though the security vulnerability is fixed in version 32.0.0, we recommend using version 32.0.1 as version 32.0.0 breaks some functionality under Windows.
Mend Note: Even though the security vulnerability is fixed in version 32.0.0, maintainers recommend using version 32.0.1 as version 32.0.0 breaks some functionality under Windows.
Publish Date: 2023-06-14
URL: CVE-2023-2976
CVSS 3 Score Details (5.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: GHSA-7g45-4rm6-3mm3
Release Date: 2023-06-14
Fix Resolution: com.google.guava:guava:32.0.1-android,32.0.1-jre
Step up your Open Source Security Game with Mend here
WS-2016-7062
Vulnerable Library - plexus-utils-1.5.8.jar
A collection of various utility classes to ease working with strings, files, command lines, XML and more.
Library home page: http://www.codehaus.org/
Path to dependency file: /server/application-server/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/codehaus/plexus/plexus-utils/1.5.8/plexus-utils-1.5.8.jar
Dependency Hierarchy:
Found in HEAD commit: aa7b783ae4c90058c094080a69288fe20549f115
Found in base branch: develop
Vulnerability Details
Security vulnerability found in plexus-utils before 3.0.24. XML injection found in XmlWriterUtil.java.
Publish Date: 2016-05-07
URL: WS-2016-7062
CVSS 3 Score Details (5.3)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Release Date: 2016-05-07
Fix Resolution: 3.0.24
Step up your Open Source Security Game with Mend here
CVE-2022-4245
Vulnerable Library - plexus-utils-1.5.8.jar
A collection of various utility classes to ease working with strings, files, command lines, XML and more.
Library home page: http://www.codehaus.org/
Path to dependency file: /server/application-server/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/codehaus/plexus/plexus-utils/1.5.8/plexus-utils-1.5.8.jar
Dependency Hierarchy:
Found in HEAD commit: aa7b783ae4c90058c094080a69288fe20549f115
Found in base branch: develop
Vulnerability Details
A flaw was found in codehaus-plexus. The org.codehaus.plexus.util.xml.XmlWriterUtil#writeComment fails to sanitize comments for a --> sequence. This issue means that text contained in the command string could be interpreted as XML and allow for XML injection.
Publish Date: 2023-09-25
URL: CVE-2022-4245
CVSS 3 Score Details (4.3)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://bugzilla.suse.com/show_bug.cgi?id=1205930
Release Date: 2023-09-25
Fix Resolution: org.codehaus.plexus:plexus-utils:3.0.24
Step up your Open Source Security Game with Mend here
The text was updated successfully, but these errors were encountered: