Dependency-Check is an open source tool performing a best effort analysis of 3rd party dependencies; false positives and false negatives may exist in the analysis performed by the tool. Use of the tool and the reporting provided constitutes acceptance for use in an AS IS condition, and there are NO warranties, implied or otherwise, with regard to the analysis or its use. Any use of the tool and the reporting provided is at the user’s risk. In no event shall the copyright holder or OWASP be held liable for any damages whatsoever arising out of or in connection with the use of this tool, the analysis performed, or the resulting report.

Project: space-comments

com.bhut.space-comments-new-plugin:space-comments:3.4.9

Analysis Exceptions


Summary

Dependency | Vulnerability IDs | Package | Highest Severity | CVE Count | Confidence | Evidence Count
CommentComponent.js 00
CommentsList.js 00
CommentsListTable.js 00
FastInfoset-1.2.15.jarcpe:2.3:a:fast_ber_project:fast_ber:1.2.15:*:*:*:*:*:*:*pkg:maven/com.sun.xml.fastinfoset/FastInfoset@1.2.15 0Low44
HdrHistogram-2.1.11.jarpkg:maven/org.hdrhistogram/HdrHistogram@2.1.11 030
Header.js 00
HikariCP-2.5.1.jarpkg:maven/com.zaxxer/HikariCP@2.5.1 033
LatencyUtils-2.0.3.jarpkg:maven/org.latencyutils/LatencyUtils@2.0.3 020
Profile.js 00
Select-7552e2b8.js 00
activation-1.0.2.jarpkg:maven/javax.activation/activation@1.0.2 028
activeobjects-dbex-3.3.1.jarpkg:maven/com.atlassian.activeobjects/activeobjects-dbex@3.3.1 022
activeobjects-spi-3.3.1.jarpkg:maven/com.atlassian.activeobjects/activeobjects-spi@3.3.1 024
adal4j-1.6.6.jarcpe:2.3:a:microsoft:azure_active_directory:1.6.6:*:*:*:*:*:*:*pkg:maven/com.microsoft.azure/adal4j@1.6.6MEDIUM1Low25
aether-api-1.0.0.v20140518.jarpkg:maven/org.eclipse.aether/aether-api@1.0.0.v20140518 027
aether-api-1.7.jarpkg:maven/org.sonatype.aether/aether-api@1.7 022
aether-impl-1.7.jarpkg:maven/org.sonatype.aether/aether-impl@1.7 025
aether-spi-1.7.jarpkg:maven/org.sonatype.aether/aether-spi@1.7 025
aether-util-1.0.0.v20140518.jarpkg:maven/org.eclipse.aether/aether-util@1.0.0.v20140518 029
aether-util-1.7.jarpkg:maven/org.sonatype.aether/aether-util@1.7 026
aho-corasick-double-array-trie-1.2.3.jarpkg:maven/com.hankcs/aho-corasick-double-array-trie@1.2.3 030
analytics-api-5.8.10.jarpkg:maven/com.atlassian.analytics/analytics-api@5.8.10 029
android-json-0.0.20131108.vaadin1.jarpkg:maven/com.vaadin.external.google/android-json@0.0.20131108.vaadin1 034
animal-sniffer-annotations-1.14.jarpkg:maven/org.codehaus.mojo/animal-sniffer-annotations@1.14 023
ant-1.10.9.jarcpe:2.3:a:apache:ant:1.10.9:*:*:*:*:*:*:*pkg:maven/org.apache.ant/ant@1.10.9MEDIUM2Highest24
antisamy-1.5.3-atlassian-7.jarcpe:2.3:a:antisamy_project:antisamy:1.5.3.ian-7:*:*:*:*:*:*:*pkg:maven/org.owasp.antisamy/antisamy@1.5.3-atlassian-7HIGH6Highest22
antlr-2.7.7.jarpkg:maven/antlr/antlr@2.7.7 024
antlr-runtime-3.5.2.jarpkg:maven/org.antlr/antlr-runtime@3.5.2 039
aopalliance-1.0.jarpkg:maven/aopalliance/aopalliance@1.0 020
applinks-api-7.2.7.jarpkg:maven/com.atlassian.applinks/applinks-api@7.2.7 024
applinks-host-7.2.7.jarpkg:maven/com.atlassian.applinks/applinks-host@7.2.7 024
applinks-spi-7.2.7.jarcpe:2.3:a:atlassian:application_links:7.2.7:*:*:*:*:*:*:*pkg:maven/com.atlassian.applinks/applinks-spi@7.2.7 0Low26
asm-7.1.jarpkg:maven/org.ow2.asm/asm@7.1 053
aspectjweaver-1.9.6.jarpkg:maven/org.aspectj/aspectjweaver@1.9.6 033
atlassian-annotations-2.1.0.jarpkg:maven/com.atlassian.annotations/atlassian-annotations@2.1.0 020
atlassian-audit-api-1.12.4.jarpkg:maven/com.atlassian.audit/atlassian-audit-api@1.12.4 026
atlassian-audit-core-1.12.4.jarpkg:maven/com.atlassian.audit/atlassian-audit-core@1.12.4 022
atlassian-audit-spi-1.12.4.jarpkg:maven/com.atlassian.audit/atlassian-audit-spi@1.12.4 022
atlassian-bandana-3.1.jarpkg:maven/com.atlassian.bandana/atlassian-bandana@3.1 023
atlassian-bonnie-8.0.0.jarpkg:maven/com.atlassian.bonnie/atlassian-bonnie@8.0.0 027
atlassian-brave-spancollector-core-1.0.0.jarcpe:2.3:a:pki-core_project:pki-core:1.0.0:*:*:*:*:*:*:*pkg:maven/io.atlassian.zipkin/atlassian-brave-spancollector-core@1.0.0MEDIUM1Highest27
atlassian-cache-api-5.3.4.jarpkg:maven/com.atlassian.cache/atlassian-cache-api@5.3.4 020
atlassian-cache-common-impl-5.3.4.jarpkg:maven/com.atlassian.cache/atlassian-cache-common-impl@5.3.4 024
atlassian-cache-memory-5.3.4.jarpkg:maven/com.atlassian.cache/atlassian-cache-memory@5.3.4 024
atlassian-collectors-util-1.1.jarpkg:maven/com.atlassian.collectors/atlassian-collectors-util@1.1 021
atlassian-config-1.1.1.jarpkg:maven/com.atlassian.config/atlassian-config@1.1.1 025
atlassian-core-7.0.2.jarpkg:maven/com.atlassian.core/atlassian-core@7.0.2 020
atlassian-core-thumbnail-7.0.2.jarpkg:maven/com.atlassian.core/atlassian-core-thumbnail@7.0.2 025
atlassian-core-user-7.0.2.jarcpe:2.3:a:user_project:user:7.0.2:*:*:*:*:*:*:*pkg:maven/com.atlassian.core/atlassian-core-user@7.0.2 0Highest25
atlassian-diagnostics-api-1.1.10.jarpkg:maven/com.atlassian.diagnostics/atlassian-diagnostics-api@1.1.10 020
atlassian-diagnostics-core-1.1.10.jarpkg:maven/com.atlassian.diagnostics/atlassian-diagnostics-core@1.1.10 022
atlassian-diagnostics-platform-1.1.10.jarpkg:maven/com.atlassian.diagnostics/atlassian-diagnostics-platform@1.1.10 025
atlassian-embedded-crowd-atlassian-user-7.13.0.jarcpe:2.3:a:atlassian:confluence:7.13.0:*:*:*:*:*:*:*
cpe:2.3:a:atlassian:crowd:7.13.0:*:*:*:*:*:*:*
cpe:2.3:a:user_project:user:7.13.0:*:*:*:*:*:*:*
pkg:maven/com.atlassian.confluence/atlassian-embedded-crowd-atlassian-user@7.13.0 0Highest23
atlassian-event-4.0.1.jarpkg:maven/com.atlassian.event/atlassian-event@4.0.1 029
atlassian-extras-api-3.4.1.jarpkg:maven/com.atlassian.extras/atlassian-extras-api@3.4.1 024
atlassian-extras-common-3.4.1.jarpkg:maven/com.atlassian.extras/atlassian-extras-common@3.4.1 024
atlassian-extras-core-3.4.1.jarpkg:maven/com.atlassian.extras/atlassian-extras-core@3.4.1 024
atlassian-extras-decoder-api-3.4.1.jarpkg:maven/com.atlassian.extras/atlassian-extras-decoder-api@3.4.1 027
atlassian-extras-decoder-v2-3.4.1.jarpkg:maven/com.atlassian.extras/atlassian-extras-decoder-v2@3.4.1 027
atlassian-extras-legacy-3.4.1.jarpkg:maven/com.atlassian.extras/atlassian-extras-legacy@3.4.1 022
atlassian-flushable-gzipoutputstream-1.1.jarpkg:maven/com.atlassian.gzipfilter/atlassian-flushable-gzipoutputstream@1.1 028
atlassian-graphql-annotations-1.3.7.jarpkg:maven/com.atlassian.graphql/atlassian-graphql-annotations@1.3.7 024
atlassian-gzipfilter-3.0.0.jarpkg:maven/com.atlassian.gzipfilter/atlassian-gzipfilter@3.0.0 020
atlassian-h2-server-integration-2.2.0.jarpkg:maven/com.atlassian.h2/atlassian-h2-server-integration@2.2.0 025
atlassian-healthcheck-plugin-check-api-6.0.0.jarpkg:maven/com.atlassian.healthcheck/atlassian-healthcheck-plugin-check-api@6.0.0 025
atlassian-healthcheck-spi-6.0.0.jarpkg:maven/com.atlassian.healthcheck/atlassian-healthcheck-spi@6.0.0 025
atlassian-hibernate2-extras-6.2.5.jarpkg:maven/com.atlassian.hibernate/atlassian-hibernate2-extras@6.2.5 024
atlassian-hsqdlb-server-integration-1.1.0.jarpkg:maven/com.atlassian.hsqldb/atlassian-hsqdlb-server-integration@1.1.0 025
atlassian-html-encoder-1.5.jarpkg:maven/com.atlassian.html/atlassian-html-encoder@1.5 023
atlassian-http-2.0.8.jarpkg:maven/com.atlassian.http/atlassian-http@2.0.8 034
atlassian-image-consumer-1.0.1.jarpkg:maven/com.atlassian.image/atlassian-image-consumer@1.0.1 020
atlassian-instrumentation-core-3.0.0.jarpkg:maven/com.atlassian.instrumentation/atlassian-instrumentation-core@3.0.0 022
atlassian-ip-3.1.jarpkg:maven/com.atlassian.ip/atlassian-ip@3.1 025
atlassian-jdk-utilities-0.6.jarpkg:maven/com.atlassian.jdk.utilities/atlassian-jdk-utilities@0.6 030
atlassian-johnson-core-4.0.0.jarpkg:maven/com.atlassian.johnson/atlassian-johnson-core@4.0.0 020
atlassian-johnson-plugins-4.0.0.jarpkg:maven/com.atlassian.johnson/atlassian-johnson-plugins@4.0.0 025
atlassian-json-api-0.11.jarpkg:maven/com.atlassian.json/atlassian-json-api@0.11 023
atlassian-json-jsonorg-0.11.jarpkg:maven/com.atlassian.json/atlassian-json-jsonorg@0.11 024
atlassian-localhost-1.1.0.jarpkg:maven/com.atlassian/atlassian-localhost@1.1.0 022
atlassian-mail-5.0.6.jarpkg:maven/com.atlassian.mail/atlassian-mail@5.0.6 025
atlassian-marshalling-api-1.0.0.jarpkg:maven/com.atlassian.marshalling/atlassian-marshalling-api@1.0.0 029
atlassian-marshalling-gson-3.0.1.jarpkg:maven/com.atlassian.marshalling/atlassian-marshalling-gson@3.0.1 029
atlassian-marshalling-jdk-1.1.0.jarpkg:maven/com.atlassian.marshalling/atlassian-marshalling-jdk@1.1.0 029
atlassian-marshalling-protobuf-1.0.0.jarpkg:maven/com.atlassian.marshalling/atlassian-marshalling-protobuf@1.0.0 029
atlassian-password-encoder-3.2.10.jarpkg:maven/com.atlassian.security/atlassian-password-encoder@3.2.10 024
atlassian-plugin-point-safety-1.0.0.jarpkg:maven/com.atlassian.ozymandias/atlassian-plugin-point-safety@1.0.0 020
atlassian-plugins-api-5.3.11.jarpkg:maven/com.atlassian.plugins/atlassian-plugins-api@5.3.11 016
atlassian-plugins-core-5.3.11.jarpkg:maven/com.atlassian.plugins/atlassian-plugins-core@5.3.11 018
atlassian-plugins-osgi-5.3.11.jarpkg:maven/com.atlassian.plugins/atlassian-plugins-osgi@5.3.11 023
atlassian-plugins-osgi-events-5.3.11.jarpkg:maven/com.atlassian.plugins/atlassian-plugins-osgi-events@5.3.11 023
atlassian-plugins-schema-5.3.11.jarpkg:maven/com.atlassian.plugins/atlassian-plugins-schema@5.3.11 023
atlassian-plugins-servlet-5.3.11.jarpkg:maven/com.atlassian.plugins/atlassian-plugins-servlet@5.3.11 022
atlassian-plugins-spring-5.3.11.jarpkg:maven/com.atlassian.plugins/atlassian-plugins-spring@5.3.11 022
atlassian-plugins-webfragment-5.0.0.jarpkg:maven/com.atlassian.plugins/atlassian-plugins-webfragment@5.0.0 022
atlassian-plugins-webfragment-api-5.0.0.jarpkg:maven/com.atlassian.plugins/atlassian-plugins-webfragment-api@5.0.0 024
atlassian-plugins-webresource-4.1.6.jarpkg:maven/com.atlassian.plugins/atlassian-plugins-webresource@4.1.6 022
atlassian-plugins-webresource-api-4.1.6.jarpkg:maven/com.atlassian.plugins/atlassian-plugins-webresource-api@4.1.6 024
atlassian-plugins-webresource-common-5.3.11.jarpkg:maven/com.atlassian.plugins/atlassian-plugins-webresource-common@5.3.11 020
atlassian-plugins-webresource-spi-4.1.6.jarpkg:maven/com.atlassian.plugins/atlassian-plugins-webresource-spi@4.1.6 024
atlassian-profiling-3.4.3.jarpkg:maven/com.atlassian.profiling/atlassian-profiling@3.4.3 024
atlassian-profiling-dropwizard-metrics-3.4.3.jarpkg:maven/com.atlassian.profiling/atlassian-profiling-dropwizard-metrics@3.4.3 025
atlassian-profiling-micrometer-3.4.3.jarpkg:maven/com.atlassian.profiling/atlassian-profiling-micrometer@3.4.3 025
atlassian-renderer-legacy-6.2.25.jarpkg:maven/com.atlassian.renderer/atlassian-renderer-legacy@6.2.25 025
atlassian-scheduler-api-3.0.0.jarpkg:maven/com.atlassian.scheduler/atlassian-scheduler-api@3.0.0 020
atlassian-scheduler-caesium-3.0.0.jarpkg:maven/com.atlassian.scheduler.caesium/atlassian-scheduler-caesium@3.0.0 025
atlassian-scheduler-core-3.0.0.jarpkg:maven/com.atlassian.scheduler/atlassian-scheduler-core@3.0.0 024
atlassian-secure-random-3.2.10.jarpkg:maven/com.atlassian.security/atlassian-secure-random@3.2.10 024
atlassian-secure-utils-3.2.11.jarpkg:maven/com.atlassian.security/atlassian-secure-utils@3.2.11 025
atlassian-secure-xml-3.2.14.jarpkg:maven/com.atlassian.security/atlassian-secure-xml@3.2.14 024
atlassian-seraph-4.1.0.jarpkg:maven/com.atlassian.seraph/atlassian-seraph@4.1.0 023
atlassian-spring-2.0.8.jarpkg:maven/com.atlassian.spring/atlassian-spring@2.0.8 020
atlassian-spring-hibernate2-2.0.8.jarpkg:maven/com.atlassian.spring/atlassian-spring-hibernate2@2.0.8 023
atlassian-spring-interceptor-adapter-spi-1.1.jarpkg:maven/com.atlassian.plugins/atlassian-spring-interceptor-adapter-spi@1.1 029
atlassian-spring-scanner-annotation-2.1.7.jarpkg:maven/com.atlassian.plugin/atlassian-spring-scanner-annotation@2.1.7 033
atlassian-template-renderer-api-3.0.0.jarpkg:maven/com.atlassian.templaterenderer/atlassian-template-renderer-api@3.0.0 030
atlassian-tenancy-api-3.0.1.jarpkg:maven/com.atlassian.tenancy/atlassian-tenancy-api@3.0.1 024
atlassian-threadlocal-1.4.jarpkg:maven/com.atlassian.threadlocal/atlassian-threadlocal@1.4 023
atlassian-trackback-0.10.jarpkg:maven/com.atlassian.trackback/atlassian-trackback@0.10 023
atlassian-trusted-apps-core-5.0.1.jarpkg:maven/com.atlassian.security.auth.trustedapps/atlassian-trusted-apps-core@5.0.1 027
atlassian-trusted-apps-seraph-integration-5.0.1.jarpkg:maven/com.atlassian.security.auth.trustedapps/atlassian-trusted-apps-seraph-integration@5.0.1 029
atlassian-user-3.0.jarcpe:2.3:a:user_project:user:3.0:*:*:*:*:*:*:*pkg:maven/com.atlassian.user/atlassian-user@3.0 0Highest27
atlassian-util-concurrent-3.0.0.jarpkg:maven/com.atlassian.util.concurrent/atlassian-util-concurrent@3.0.0 034
atlassian-util-concurrent-4.0.1.jarpkg:maven/io.atlassian.util.concurrent/atlassian-util-concurrent@4.0.1 038
atlassian-vcache-api-1.12.2.jarpkg:maven/com.atlassian.vcache/atlassian-vcache-api@1.12.2 020
atlassian-vcache-internal-api-1.12.2.jarpkg:maven/com.atlassian.vcache/atlassian-vcache-internal-api@1.12.2 024
atlassian-vcache-internal-core-1.12.2.jarpkg:maven/com.atlassian.vcache/atlassian-vcache-internal-core@1.12.2 027
atlassian-vcache-internal-legacy-1.12.2.jarpkg:maven/com.atlassian.vcache/atlassian-vcache-internal-legacy@1.12.2 027
atlassian-velocity-1.3.jarpkg:maven/com.atlassian.velocity/atlassian-velocity@1.3 025
atlassian-webhooks-api-6.2.0.jarpkg:maven/com.atlassian.webhooks/atlassian-webhooks-api@6.2.0 020
atlassian-webhooks-spi-6.2.0.jarpkg:maven/com.atlassian.webhooks/atlassian-webhooks-spi@6.2.0 020
atlassian-whitelist-api-plugin-5.0.5.jarpkg:maven/com.atlassian.plugins/atlassian-whitelist-api-plugin@5.0.5 029
atlassian-xwork-10-2.1.0.jarpkg:maven/com.atlassian.xwork/atlassian-xwork-10@2.1.0 020
atlassian-xwork-core-2.1.0.jarpkg:maven/com.atlassian.xwork/atlassian-xwork-core@2.1.0 020
avatar-plugin-api-1.3.5.jarpkg:maven/com.atlassian.plugins/avatar-plugin-api@1.3.5 024
avatar.js 00
base-a385f246.js 00
batik-css-1.14.jarcpe:2.3:a:apache:batik:1.14:*:*:*:*:*:*:*pkg:maven/org.apache.xmlgraphics/batik-css@1.14HIGH5Highest25
batik-i18n-1.14.jarpkg:maven/org.apache.xmlgraphics/batik-i18n@1.14 022
bcmail-jdk15on-1.68.jarcpe:2.3:a:bouncycastle:legion-of-the-bouncy-castle:1.68:*:*:*:*:*:*:*pkg:maven/org.bouncycastle/bcmail-jdk15on@1.68 0Low52
bcpg-jdk18on-1.71.jarcpe:2.3:a:bouncycastle:legion-of-the-bouncy-castle:1.71:*:*:*:*:*:*:*
cpe:2.3:a:openpgp:openpgp:1.71:*:*:*:*:*:*:*
pkg:maven/org.bouncycastle/bcpg-jdk18on@1.71 0Low54
bcpkix-jdk15on-1.68.jarcpe:2.3:a:bouncycastle:legion-of-the-bouncy-castle:1.68:*:*:*:*:*:*:*pkg:maven/org.bouncycastle/bcpkix-jdk15on@1.68 0Low66
bcprov-jdk15on-1.68.jarcpe:2.3:a:bouncycastle:bouncy-castle-crypto-package:1.68:*:*:*:*:*:*:*
cpe:2.3:a:bouncycastle:bouncy_castle_crypto_package:1.68:*:*:*:*:*:*:*
cpe:2.3:a:bouncycastle:legion-of-the-bouncy-castle:1.68:*:*:*:*:*:*:*
cpe:2.3:a:bouncycastle:legion-of-the-bouncy-castle-java-crytography-api:1.68:*:*:*:*:*:*:*
cpe:2.3:a:bouncycastle:the_bouncy_castle_crypto_package_for_java:1.68:*:*:*:*:*:*:*
pkg:maven/org.bouncycastle/bcprov-jdk15on@1.68 0Low60
bcprov-jdk18on-1.71.jarcpe:2.3:a:bouncycastle:bouncy-castle-crypto-package:1.71:*:*:*:*:*:*:*
cpe:2.3:a:bouncycastle:bouncy_castle_crypto_package:1.71:*:*:*:*:*:*:*
cpe:2.3:a:bouncycastle:legion-of-the-bouncy-castle:1.71:*:*:*:*:*:*:*
cpe:2.3:a:bouncycastle:legion-of-the-bouncy-castle-java-crytography-api:1.71:*:*:*:*:*:*:*
cpe:2.3:a:bouncycastle:the_bouncy_castle_crypto_package_for_java:1.71:*:*:*:*:*:*:*
pkg:maven/org.bouncycastle/bcprov-jdk18on@1.71 0Low60
beehive-api-2.0.0.jarpkg:maven/com.atlassian.beehive/beehive-api@2.0.0 020
biz.aQute.bndlib-3.5.0.jarcpe:2.3:a:ferry_project:ferry:3.5.0:*:*:*:*:*:*:*pkg:maven/biz.aQute.bnd/biz.aQute.bndlib@3.5.0 0Low53
botocss-core-6.3.jarcpe:2.3:a:atlassian:bitbucket:6.3:*:*:*:*:*:*:*pkg:maven/com.atlassian.botocss/botocss-core@6.3CRITICAL6Low22
brave-apache-http-interceptors-3.0.0.jarcpe:2.3:a:apache:httpclient:3.0.0:*:*:*:*:*:*:*pkg:maven/com.github.kristofa/brave-apache-http-interceptors@3.0.0MEDIUM1Low27
brave-core-3.0.0.jarpkg:maven/com.github.kristofa/brave-core@3.0.0 026
brave-http-3.0.0.jarpkg:maven/com.github.kristofa/brave-http@3.0.0 029
brave-web-servlet-filter-3.0.0.jarpkg:maven/com.github.kristofa/brave-web-servlet-filter@3.0.0 025
button-b301ec95.js 00
button.js 00
c3p0-0.9.5.5.jarcpe:2.3:a:mchange:c3p0:0.9.5.5:*:*:*:*:*:*:*pkg:maven/com.mchange/c3p0@0.9.5.5 0Highest31
cglib-3.2.12.jarpkg:maven/cglib/cglib@3.2.12 018
checker-qual-2.8.2.jarpkg:maven/org.checkerframework/checker-qual@2.8.2 062
classmate-1.3.0.jarpkg:maven/com.fasterxml/classmate@1.3.0 055
cluster-monitoring-spi-3.0.2.jarpkg:maven/com.atlassian.cluster.monitoring/cluster-monitoring-spi@3.0.2 027
colors-25aad6bf.js 00
comment.js 00
common-io-3.4.1.jarcpe:2.3:a:twelvemonkeys_project:twelvemonkeys:3.4.1:*:*:*:*:*:*:*pkg:maven/com.twelvemonkeys.common/common-io@3.4.1CRITICAL1Highest22
commons-beanutils-1.9.4.jarcpe:2.3:a:apache:commons_beanutils:1.9.4:*:*:*:*:*:*:*pkg:maven/commons-beanutils/commons-beanutils@1.9.4 0Highest170
commons-codec-1.14.jarpkg:maven/commons-codec/commons-codec@1.14 0110
commons-collections-3.2.2.jarcpe:2.3:a:apache:commons_collections:3.2.2:*:*:*:*:*:*:*pkg:maven/commons-collections/commons-collections@3.2.2 0Highest86
commons-collections4-4.3.jarcpe:2.3:a:apache:commons_collections:4.3:*:*:*:*:*:*:*pkg:maven/org.apache.commons/commons-collections4@4.3 0Highest107
commons-compress-1.19.jarcpe:2.3:a:apache:commons_compress:1.19:*:*:*:*:*:*:*pkg:maven/org.apache.commons/commons-compress@1.19HIGH4Highest97
commons-dbcp2-2.9.0.jarpkg:maven/org.apache.commons/commons-dbcp2@2.9.0 0112
commons-digester-1.5.jarpkg:maven/commons-digester/commons-digester@1.5 063
commons-discovery-0.5.jarcpe:2.3:a:spirit-project:spirit:0.5:*:*:*:*:*:*:*pkg:maven/commons-discovery/commons-discovery@0.5MEDIUM1Low86
commons-fileupload-1.4.jarcpe:2.3:a:apache:commons_fileupload:1.4:*:*:*:*:*:*:*pkg:maven/commons-fileupload/commons-fileupload@1.4 0Highest117
commons-httpclient-3.1-atlassian-2.jarcpe:2.3:a:apache:commons-httpclient:3.1.ian-2:*:*:*:*:*:*:*
cpe:2.3:a:apache:httpclient:3.1.ian-2:*:*:*:*:*:*:*
pkg:maven/commons-httpclient/commons-httpclient@3.1-atlassian-2MEDIUM2Highest91
commons-io-2.8.0.jarcpe:2.3:a:apache:commons_io:2.8.0:*:*:*:*:*:*:*pkg:maven/commons-io/commons-io@2.8.0 0Highest121
commons-jcs-core-2.2.1.jarpkg:maven/org.apache.commons/commons-jcs-core@2.2.1 037
commons-jrcs-diff-0.1.7.jarpkg:maven/commons-jrcs/commons-jrcs@diff-0.1.7 018
commons-lang-2.6.jarpkg:maven/commons-lang/commons-lang@2.6 0122
commons-lang3-3.9.jarpkg:maven/org.apache.commons/commons-lang3@3.9 0141
commons-logging-1.0.4.jarpkg:maven/commons-logging/commons-logging@1.0.4 086
commons-math3-3.6.1.jarpkg:maven/org.apache.commons/commons-math3@3.6.1 0137
commons-pool-1.6.jarpkg:maven/commons-pool/commons-pool@1.6 075
commons-pool2-2.6.2.jarpkg:maven/org.apache.commons/commons-pool2@2.6.2 086
commons-text-1.6.jarcpe:2.3:a:apache:commons_text:1.6:*:*:*:*:*:*:*pkg:maven/org.apache.commons/commons-text@1.6CRITICAL1Highest69
commons-validator-1.5.1.jarpkg:maven/commons-validator/commons-validator@1.5.1 0128
compiler-0.9.6.jarpkg:maven/com.github.spullara.mustache.java/compiler@0.9.6 027
confluence-7.13.0.jarcpe:2.3:a:atlassian:confluence:7.13.0:*:*:*:*:*:*:*pkg:maven/com.atlassian.confluence/confluence@7.13.0 0Highest22
confluence-compat-lib-1.0.0.jarcpe:2.3:a:atlassian:confluence:1.0.0:*:*:*:*:*:*:*pkg:maven/com.atlassian.confluence.compat/confluence-compat-lib@1.0.0CRITICAL16Highest26
confluence-extractor-api-plugin-2.0.9.jarcpe:2.3:a:atlassian:confluence:2.0.9:*:*:*:*:*:*:*pkg:maven/com.atlassian.confluence.plugins/confluence-extractor-api-plugin@2.0.9CRITICAL17Highest28
content-type-2.0.jarpkg:maven/com.nimbusds/content-type@2.0 047
core.js 00
cpe-parser-2.0.2.jarpkg:maven/us.springett/cpe-parser@2.0.2 037
createAndFireEvent-5db755ab.js 00
crowd-server-api-4.2.2.jarcpe:2.3:a:atlassian:crowd:4.2.2:*:*:*:*:*:*:*pkg:maven/com.atlassian.crowd/crowd-server-api@4.2.2CRITICAL3Highest22
daisydiff-1.1.20-atlassian-hosted.jarpkg:maven/org.outerj.daisy/daisydiff@1.1.20-atlassian-hosted 027
datetime-picker.js 00
defineProperty-dce7b5ef.js 00
dependency-check-core-7.3.2.jarcpe:2.3:a:owasp:dependency-check:7.3.2:*:*:*:*:*:*:*pkg:maven/org.owasp/dependency-check-core@7.3.2 0Highest28
dependency-check-core-7.3.2.jar: GrokAssembly.zip: GrokAssembly.dll 02
dependency-check-core-7.3.2.jar: jquery-3.5.1.min.js 00
dom4j-1.6.1-atlassian-2.jarcpe:2.3:a:dom4j_project:dom4j:1.6.1.ian-2:*:*:*:*:*:*:*pkg:maven/dom4j/dom4j@1.6.1-atlassian-2CRITICAL1Highest19
doxia-logging-api-1.11.1.jarpkg:maven/org.apache.maven.doxia/doxia-logging-api@1.11.1 028
doxia-sink-api-1.11.1.jarpkg:maven/org.apache.maven.doxia/doxia-sink-api@1.11.1 028
dragonfly-api-1.1.jarpkg:maven/com.atlassian.dragonfly/dragonfly-api@1.1 024
dragonfly-core-1.1.jarpkg:maven/com.atlassian.dragonfly/dragonfly-core@1.1 024
dragonfly-spi-1.1.jarpkg:maven/com.atlassian.dragonfly/dragonfly-spi@1.1 025
dt-filestore-client-api-1.3.0.jarpkg:maven/com.atlassian.filestore/dt-filestore-client-api@1.3.0 027
dt-filestore-client-core-1.3.0.jarpkg:maven/com.atlassian.filestore/dt-filestore-client-core@1.3.0 025
dt-filestore-httpclient-1.3.0.jarpkg:maven/com.atlassian.filestore/dt-filestore-httpclient@1.3.0 025
dt-media-api-client-api-2.0.4.jarpkg:maven/com.atlassian.media/dt-media-api-client-api@2.0.4 027
dt-media-api-client-core-2.0.4.jarpkg:maven/com.atlassian.media/dt-media-api-client-core@2.0.4 025
dt-media-api-httpclient-2.0.4.jarpkg:maven/com.atlassian.media/dt-media-api-httpclient@2.0.4 025
dynamic-table.js 00
embedded-crowd-core-4.2.2.jarcpe:2.3:a:atlassian:crowd:4.2.2:*:*:*:*:*:*:*pkg:maven/com.atlassian.crowd/embedded-crowd-core@4.2.2CRITICAL3Highest27
error_prone_annotations-2.4.0.jarpkg:maven/com.google.errorprone/error_prone_annotations@2.4.0 021
fast-classpath-scanner-2.18.1.jarpkg:maven/io.github.lukehutch/fast-classpath-scanner@2.18.1 043
file-management-3.1.0.jarpkg:maven/org.apache.maven.shared/file-management@3.1.0 027
filestore-api-0.4.0.jarcpe:2.3:a:atlassian:data_center:0.4.0:*:*:*:*:*:*:*pkg:maven/com.atlassian.datacenter.filestore/filestore-api@0.4.0HIGH37Highest23
filters-2.0.235.jarcpe:2.3:a:image-processing_project:image-processing:2.0.235:*:*:*:*:*:*:*
cpe:2.3:a:image_processing_software:image_processing_software:2.0.235:*:*:*:*:*:*:*
pkg:maven/com.jhlabs/filters@2.0.235LOW1Low21
findbugs-annotations-3.0.1.jarpkg:maven/com.google.code.findbugs/findbugs-annotations@3.0.1 041
fontbox-2.0.24.jarpkg:maven/org.apache.pdfbox/fontbox@2.0.24 037
fugue-2.7.0.jarpkg:maven/com.atlassian.fugue/fugue@2.7.0 023
fugue-4.7.2.jarpkg:maven/io.atlassian.fugue/fugue@4.7.2 027
fugue-deprecated-4.7.2.jarpkg:maven/io.atlassian.fugue/fugue-deprecated@4.7.2 029
fugue-guava-4.7.2.jarpkg:maven/io.atlassian.fugue/fugue-guava@4.7.2 027
fugue-optics-4.7.2.jarcpe:2.3:a:atlassian:http_library:4.7.2:*:*:*:*:*:*:*pkg:maven/io.atlassian.fugue/fugue-optics@4.7.2 0Low27
fugue-retry-4.7.2.jarpkg:maven/io.atlassian.fugue/fugue-retry@4.7.2 029
future-converter-common-1.2.0.jarpkg:maven/net.javacrumbs.future-converter/future-converter-common@1.2.0 021
future-converter-guava-common-1.2.0.jarpkg:maven/net.javacrumbs.future-converter/future-converter-guava-common@1.2.0 021
future-converter-java8-common-1.2.0.jarpkg:maven/net.javacrumbs.future-converter/future-converter-java8-common@1.2.0 021
future-converter-java8-guava-1.2.0.jarpkg:maven/net.javacrumbs.future-converter/future-converter-java8-guava@1.2.0 021
get-is-only-single-icon-3e32a817.js 00
gmbal-api-only-3.1.0-b001.jarpkg:maven/org.glassfish.gmbal/gmbal-api-only@3.1.0-b001 029
gson-2.2.2-atlassian-1.jarcpe:2.3:a:google:gson:2.2.2.ian-1:*:*:*:*:*:*:*pkg:maven/com.google.code.gson/gson@2.2.2-atlassian-1HIGH1Highest40
guava-26.0-jre.jarcpe:2.3:a:google:guava:26.0:*:*:*:*:*:*:*pkg:maven/com.google.guava/guava@26.0-jreLOW1Highest25
h2-1.4.200.jarcpe:2.3:a:h2database:h2:1.4.200:*:*:*:*:*:*:*pkg:maven/com.h2database/h2@1.4.200CRITICAL3Highest44
h2-1.4.200.jar: data.zip: table.js 00
h2-1.4.200.jar: data.zip: tree.js 00
ha-api-3.1.9.jarpkg:maven/org.glassfish.ha/ha-api@3.1.9 049
hibernate-2.1.8-atlassian-34.jarpkg:maven/hibernate/hibernate@2.1.8-atlassian-34 019
hibernate-commons-annotations-5.0.1.Final.jarpkg:maven/org.hibernate.common/hibernate-commons-annotations@5.0.1.Final 042
hibernate-core-5.2.18.Final.jarcpe:2.3:a:hibernate:hibernate_orm:5.2.18:*:*:*:*:*:*:*pkg:maven/org.hibernate/hibernate-core@5.2.18.FinalHIGH2Low44
hibernate-envers-5.2.2.Final.jarcpe:2.3:a:hibernate:hibernate_orm:5.2.2:*:*:*:*:*:*:*pkg:maven/org.hibernate/hibernate-envers@5.2.2.FinalHIGH2Low44
hibernate-jpa-2.1-api-1.0.0.Final.jarpkg:maven/org.hibernate.javax.persistence/hibernate-jpa-2.1-api@1.0.0.Final 047
hibernate-validator-6.0.21.Final.jarcpe:2.3:a:redhat:hibernate_validator:6.0.21:*:*:*:*:*:*:*pkg:maven/org.hibernate.validator/hibernate-validator@6.0.21.Final 0Highest34
hibernate.adapter-1.0.3.jarpkg:maven/com.atlassian.hibernate/hibernate.adapter@1.0.3 028
hsqldb-2.3.0.jarcpe:2.3:a:hsqldb:hypersql_database:2.3.0:*:*:*:*:*:*:*pkg:maven/org.hsqldb/hsqldb@2.3.0CRITICAL1Low41
httpclient-4.5.5.jarcpe:2.3:a:apache:httpclient:4.5.5:*:*:*:*:*:*:*pkg:maven/org.apache.httpcomponents/httpclient@4.5.5MEDIUM1Highest34
httpclient-cache-4.5.3.jarcpe:2.3:a:apache:httpclient:4.5.3:*:*:*:*:*:*:*pkg:maven/org.apache.httpcomponents/httpclient-cache@4.5.3MEDIUM1Highest32
httpcore-4.4.9.jarpkg:maven/org.apache.httpcomponents/httpcore@4.4.9 030
httpmime-4.5.5.jarpkg:maven/org.apache.httpcomponents/httpmime@4.5.5 032
icu4j-64.1.jarcpe:2.3:a:icu-project:international_components_for_unicode:64.1:*:*:*:*:*:*:*
cpe:2.3:a:unicode:international_components_for_unicode:64.1:*:*:*:*:*:*:*
pkg:maven/com.ibm.icu/icu4j@64.1 0Low79
imageio-core-3.4.1.jarcpe:2.3:a:twelvemonkeys_project:twelvemonkeys:3.4.1:*:*:*:*:*:*:*pkg:maven/com.twelvemonkeys.imageio/imageio-core@3.4.1CRITICAL1Highest22
index-50b0b662.js 00
index-a6389306.js 00
index-ae389540.js 00
index-ed440ea1.js 00
index.js 00
istack-commons-runtime-3.0.7.jarcpe:2.3:a:oracle:java_se:3.0.7:*:*:*:*:*:*:*pkg:maven/com.sun.istack/istack-commons-runtime@3.0.7 0Low34
j2objc-annotations-1.1.jarpkg:maven/com.google.j2objc/j2objc-annotations@1.1 024
jackson-core-2.12.1.jarcpe:2.3:a:fasterxml:jackson-modules-java8:2.12.1:*:*:*:*:*:*:*pkg:maven/com.fasterxml.jackson.core/jackson-core@2.12.1 0Low49
jackson-core-asl-1.9.13-atlassian-5.jarpkg:maven/org.codehaus.jackson/jackson-core-asl@1.9.13-atlassian-5 036
jackson-databind-2.12.1.jarcpe:2.3:a:fasterxml:jackson-databind:2.12.1:*:*:*:*:*:*:*
cpe:2.3:a:fasterxml:jackson-modules-java8:2.12.1:*:*:*:*:*:*:*
pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.12.1HIGH3Highest43
jackson-dataformat-yaml-2.14.0.jarcpe:2.3:a:fasterxml:jackson-dataformat-xml:2.14.0:*:*:*:*:*:*:*
cpe:2.3:a:yaml_project:yaml:2.14.0:*:*:*:*:*:*:*
pkg:maven/com.fasterxml.jackson.dataformat/jackson-dataformat-yaml@2.14.0 0Highest41
jackson-datatype-joda-2.12.1.jarpkg:maven/com.fasterxml.jackson.datatype/jackson-datatype-joda@2.12.1 043
jackson-jaxrs-1.9.2.jarpkg:maven/org.codehaus.jackson/jackson-jaxrs@1.9.2 032
jackson-mapper-asl-1.9.13-atlassian-5.jarcpe:2.3:a:fasterxml:jackson-mapper-asl:1.9.13.ian-5:*:*:*:*:*:*:*pkg:maven/org.codehaus.jackson/jackson-mapper-asl@1.9.13-atlassian-5 0High34
jackson-module-afterburner-2.14.0.jarpkg:maven/com.fasterxml.jackson.module/jackson-module-afterburner@2.14.0 041
jackson-module-blackbird-2.14.0.jarpkg:maven/com.fasterxml.jackson.module/jackson-module-blackbird@2.14.0 041
jackson-xc-1.9.2.jarcpe:2.3:a:fasterxml:jackson-databind:1.9.2:*:*:*:*:*:*:*pkg:maven/org.codehaus.jackson/jackson-xc@1.9.2CRITICAL4Low32
jai_codec-1.1.3.jarpkg:maven/com.sun/jai_codec@1.1.3 025
jai_core-1.1.3.jarpkg:maven/com.sun/jai_core@1.1.3 025
jakarta-regexp-1.4.jarpkg:maven/jakarta-regexp/jakarta-regexp@1.4 014
jakarta.mail-1.6.5.jarcpe:2.3:a:oracle:java_se:1.6.5:*:*:*:*:*:*:*pkg:maven/com.sun.mail/jakarta.mail@1.6.5 0Low46
jandex-2.0.3.Final.jarpkg:maven/org.jboss/jandex@2.0.3.Final 040
javassist-3.22.0-GA.jarpkg:maven/org.javassist/javassist@3.22.0-GA 058
javax.activation-1.2.0.jarpkg:maven/com.sun.activation/javax.activation@1.2.0 040
javax.activation-api-1.2.0.jarpkg:maven/javax.activation/javax.activation-api@1.2.0 039
javax.annotation-api-1.3.2.jarpkg:maven/javax.annotation/javax.annotation-api@1.3.2 046
javax.inject-1.jarpkg:maven/javax.inject/javax.inject@1 020
javax.json-1.1.4.jarpkg:maven/org.glassfish/javax.json@1.1.4 034
javax.jws-api-1.1.jarcpe:2.3:a:oracle:java_se:1.1:*:*:*:*:*:*:*pkg:maven/javax.jws/javax.jws-api@1.1 0Low46
javax.mail-1.5.6.jarpkg:maven/com.sun.mail/javax.mail@1.5.6 040
javax.mail-api-1.5.6.jarpkg:maven/javax.mail/javax.mail-api@1.5.6 039
javax.servlet-api-3.0.1.jarcpe:2.3:a:oracle:java_se:3.0.1:*:*:*:*:*:*:*pkg:maven/javax.servlet/javax.servlet-api@3.0.1 0Medium51
javax.transaction-api-1.2.jarpkg:maven/javax.transaction/javax.transaction-api@1.2 044
javax.ws.rs-api-2.0.1.jarcpe:2.3:a:oracle:java_se:2.0.1:*:*:*:*:*:*:*pkg:maven/javax.ws.rs/javax.ws.rs-api@2.0.1 0Low59
javax.xml.soap-api-1.4.0.jarcpe:2.3:a:oracle:java_se:1.4.0:*:*:*:*:*:*:*pkg:maven/javax.xml.soap/javax.xml.soap-api@1.4.0 0Low50
jaxb-api-2.3.1.jarpkg:maven/javax.xml.bind/jaxb-api@2.3.1 037
jaxb-runtime-2.3.1.jarpkg:maven/org.glassfish.jaxb/jaxb-runtime@2.3.1 032
jaxen-1.1.6.jarpkg:maven/jaxen/jaxen@1.1.6 0117
jaxws-api-2.3.1.jarcpe:2.3:a:oracle:web_services:2.3.1:*:*:*:*:*:*:*pkg:maven/javax.xml.ws/jaxws-api@2.3.1 0Low57
jaxws-rt-2.3.1.jar (shaded: com.sun.xml.ws:httpspi-servlet:2.3.1)pkg:maven/com.sun.xml.ws/httpspi-servlet@2.3.1 011
jaxws-rt-2.3.1.jar (shaded: com.sun.xml.ws:jaxws-rt-bundle:2.3.1)pkg:maven/com.sun.xml.ws/jaxws-rt-bundle@2.3.1 011
jaxws-rt-2.3.1.jar (shaded: com.sun.xml.ws:rt-fi:2.3.1)pkg:maven/com.sun.xml.ws/rt-fi@2.3.1 011
jaxws-rt-2.3.1.jar (shaded: com.sun.xml.ws:rt:2.3.1)pkg:maven/com.sun.xml.ws/rt@2.3.1 011
jaxws-rt-2.3.1.jar (shaded: com.sun.xml.ws:servlet:2.3.1)pkg:maven/com.sun.xml.ws/servlet@2.3.1 011
jaxws-rt-2.3.1.jarcpe:2.3:a:oracle:web_services:2.3.1:*:*:*:*:*:*:*pkg:maven/com.sun.xml.ws/jaxws-rt@2.3.1 0Low44
jboss-logging-3.3.1.Final.jarpkg:maven/org.jboss.logging/jboss-logging@3.3.1.Final 042
jboss-logging-annotations-2.0.0.Final.jarpkg:maven/org.jboss.logging/jboss-logging-annotations@2.0.0.Final 033
jcaptcha-api-2.0.0.jarpkg:maven/io.leopard.thirdparty/jcaptcha-api@2.0.0 014
jcaptcha-core-2.0.0.jarpkg:maven/io.leopard.thirdparty/jcaptcha-core@2.0.0 019
jcip-annotations-1.0.jarpkg:maven/net.jcip/jcip-annotations@1.0 020
jcl-over-slf4j-1.7.25.jarpkg:maven/org.slf4j/jcl-over-slf4j@1.7.25 023
jdiagnostics-1.0.7.jarpkg:maven/org.anarres.jdiagnostics/jdiagnostics@1.0.7 045
jdom-1.1.3.jarcpe:2.3:a:jdom:jdom:1.1.3:*:*:*:*:*:*:*pkg:maven/org.jdom/jdom@1.1.3HIGH1Highest65
jersey-core-1.19.4.jarcpe:2.3:a:jersey_project:jersey:1.19.4:*:*:*:*:*:*:*pkg:maven/com.sun.jersey/jersey-core@1.19.4 0Highest30
jettison-1.1.jarcpe:2.3:a:jettison_project:jettison:1.1:*:*:*:*:*:*:*pkg:maven/org.codehaus.jettison/jettison@1.1HIGH2Highest23
jira-integration-spi-6.2.4.jarcpe:2.3:a:atlassian:jira:6.2.4:*:*:*:*:*:*:*pkg:maven/com.atlassian.integration.jira/jira-integration-spi@6.2.4CRITICAL127Highest25
jna-5.6.0.jarcpe:2.3:a:oracle:java_se:5.6.0:*:*:*:*:*:*:*pkg:maven/net.java.dev.jna/jna@5.6.0 0Low48
jna-5.6.0.jar: jnidispatch.dll 02
jna-5.6.0.jar: jnidispatch.dll 02
jna-platform-5.6.0.jarpkg:maven/net.java.dev.jna/jna-platform@5.6.0 044
joda-time-2.10.9.jarpkg:maven/joda-time/joda-time@2.10.9 047
jose4j-0.4.2.jarpkg:maven/org.bitbucket.b_c/jose4j@0.4.2 032
json-smart-1.3.1.jarcpe:2.3:a:ini-parser_project:ini-parser:1.3.1:*:*:*:*:*:*:*
cpe:2.3:a:json-smart_project:json-smart-v1:1.3.1:*:*:*:*:*:*:*
pkg:maven/net.minidev/json-smart@1.3.1CRITICAL2Low27
jsoup-1.8.3.jarcpe:2.3:a:jsoup:jsoup:1.8.3:*:*:*:*:*:*:*pkg:maven/org.jsoup/jsoup@1.8.3HIGH2Highest35
jsr305-3.0.2.jarpkg:maven/com.google.code.findbugs/jsr305@3.0.2 017
jsr311-api-1.1.1.jarpkg:maven/javax.ws.rs/jsr311-api@1.1.1 036
jstyleparser-1.16-atlassian-1.jarpkg:maven/net.sf.cssbox/jstyleparser@1.16-atlassian-1 034
jtds-1.3.1.jarcpe:2.3:a:momo_project:momo:1.3.1:*:*:*:*:*:*:*pkg:maven/net.sourceforge.jtds/jtds@1.3.1 0Low32
jtidy-r8-20060801.jarpkg:maven/jtidy/jtidy@8.0-SNAPSHOT
pkg:maven/org.hibernate/jtidy@r8-20060801
 057
jul-to-slf4j-1.7.25.jarpkg:maven/org.slf4j/jul-to-slf4j@1.7.25 026
lang-tag-1.4.4.jarpkg:maven/com.nimbusds/lang-tag@1.4.4 050
libthrift-0.9.0.jarcpe:2.3:a:apache:thrift:0.9.0:*:*:*:*:*:*:*pkg:maven/org.apache.thrift/libthrift@0.9.0HIGH4Highest88
licensing-api-2.21.4.jarcpe:2.3:a:atlassian:universal_plugin_manager:2.21.4:*:*:*:*:*:*:*pkg:maven/com.atlassian.upm/licensing-api@2.21.4MEDIUM3Low25
log4j-1.2-api-2.13.3.jarcpe:2.3:a:apache:log4j:2.13.3:*:*:*:*:*:*:*pkg:maven/org.apache.logging.log4j/log4j-1.2-api@2.13.3CRITICAL4Highest40
log4j-1.2.7.jarcpe:2.3:a:apache:log4j:1.2.7:*:*:*:*:*:*:*pkg:maven/log4j/log4j@1.2.7CRITICAL6Highest15
log4j-api-2.13.3.jarcpe:2.3:a:apache:log4j:2.13.3:*:*:*:*:*:*:*pkg:maven/org.apache.logging.log4j/log4j-api@2.13.3 0Highest44
lozenge.js 00
lucene-analyzers-common-4.4.0-atlassian-4.jarpkg:maven/org.apache.lucene/lucene-analyzers-common@4.4.0-atlassian-4 025
lucene-analyzers-kuromoji-4.4.0-atlassian-4.jarpkg:maven/org.apache.lucene/lucene-analyzers-kuromoji@4.4.0-atlassian-4 025
lucene-analyzers-stempel-4.4.0-atlassian-4.jarpkg:maven/org.apache.lucene/lucene-analyzers-stempel@4.4.0-atlassian-4 027
lucene-core-4.4.0-atlassian-4.jarpkg:maven/org.apache.lucene/lucene-core@4.4.0-atlassian-4 025
lucene-highlighter-4.4.0-atlassian-4.jarpkg:maven/org.apache.lucene/lucene-highlighter@4.4.0-atlassian-4 025
lucene-memory-4.4.0-atlassian-4.jarpkg:maven/org.apache.lucene/lucene-memory@4.4.0-atlassian-4 029
lucene-misc-4.4.0-atlassian-4.jarpkg:maven/org.apache.lucene/lucene-misc@4.4.0-atlassian-4 027
lucene-queries-4.4.0-atlassian-4.jarpkg:maven/org.apache.lucene/lucene-queries@4.4.0-atlassian-4 027
lucene-queryparser-4.4.0-atlassian-4.jarpkg:maven/org.apache.lucene/lucene-queryparser@4.4.0-atlassian-4 027
lucene-sandbox-4.4.0-atlassian-4.jarpkg:maven/org.apache.lucene/lucene-sandbox@4.4.0-atlassian-4 027
lucene-upgrader-1.0-lucene36.jarpkg:maven/com.atlassian.bonnie/lucene-upgrader@1.0 025
management-api-3.0.0-b012.jarpkg:maven/org.glassfish.external/management-api@3.0.0-b012 023
maven-aether-provider-3.0.jarpkg:maven/org.apache.maven/maven-aether-provider@3.0 023
maven-artifact-3.0.jarpkg:maven/org.apache.maven/maven-artifact@3.0 025
maven-artifact-transfer-0.13.1.jarpkg:maven/org.apache.maven.shared/maven-artifact-transfer@0.13.1 033
maven-common-artifact-filters-3.1.0.jarpkg:maven/org.apache.maven.shared/maven-common-artifact-filters@3.1.0 030
maven-core-3.0.jarcpe:2.3:a:apache:maven:3.0:*:*:*:*:*:*:*pkg:maven/org.apache.maven/maven-core@3.0CRITICAL1Highest23
maven-dependency-tree-3.2.0.jarpkg:maven/org.apache.maven.shared/maven-dependency-tree@3.2.0 029
maven-model-3.0.jarpkg:maven/org.apache.maven/maven-model@3.0 025
maven-model-builder-3.0.jarpkg:maven/org.apache.maven/maven-model-builder@3.0 025
maven-plugin-api-3.0.jarpkg:maven/org.apache.maven/maven-plugin-api@3.0 025
maven-reporting-api-3.1.1.jarpkg:maven/org.apache.maven.reporting/maven-reporting-api@3.1.1 035
maven-repository-metadata-3.0.jarpkg:maven/org.apache.maven/maven-repository-metadata@3.0 025
maven-settings-3.0.jarpkg:maven/org.apache.maven/maven-settings@3.0HIGH125
maven-settings-builder-3.0.jarpkg:maven/org.apache.maven/maven-settings-builder@3.0 025
maven-shared-utils-3.1.0.jarcpe:2.3:a:apache:maven_shared_utils:3.1.0:*:*:*:*:*:*:*pkg:maven/org.apache.maven.shared/maven-shared-utils@3.1.0CRITICAL1Highest30
mchange-commons-java-0.2.19.jarpkg:maven/com.mchange/mchange-commons-java@0.2.19 029
memoize-one.esm-42a55c10.js 00
metrics-core-4.0.3.jarpkg:maven/io.dropwizard.metrics/metrics-core@4.0.3 026
metrics-jmx-4.0.6.jarpkg:maven/io.dropwizard.metrics/metrics-jmx@4.0.6 028
metrics-sql-3.1.0-atlassian-4.jarcpe:2.3:a:www-sql_project:www-sql:3.1.0.ian-4:*:*:*:*:*:*:*pkg:maven/com.github.gquintana.metrics/metrics-sql@3.1.0-atlassian-4 0Highest33
micrometer-core-1.2.0.jar (shaded: org.pcollections:pcollections:3.0.3)pkg:maven/org.pcollections/pcollections@3.0.3 015
micrometer-core-1.2.0.jarpkg:maven/io.micrometer/micrometer-core@1.2.0 051
micrometer-registry-influx-1.5.0.jarpkg:maven/io.micrometer/micrometer-registry-influx@1.5.0 053
minlog-1.3.1.jarpkg:maven/com.esotericsoftware/minlog@1.3.1 035
modz-detector-0.14.jarpkg:maven/com.atlassian.modzdetector/modz-detector@0.14 022
mssql-jdbc-6.3.0.jre8-preview.jarcpe:2.3:a:www-sql_project:www-sql:6.3.0.jre8:*:*:*:*:*:*:*pkg:maven/com.microsoft.sqlserver/mssql-jdbc@6.3.0.jre8-preview 0Highest38
mxparser-1.2.1.jarpkg:maven/io.github.x-stream/mxparser@1.2.1 058
nekohtml-1.9.22.jarcpe:2.3:a:nekohtml_project:nekohtml:1.9.22:*:*:*:*:*:*:*pkg:maven/net.sourceforge.nekohtml/nekohtml@1.9.22HIGH1Highest28
nimbus-jose-jwt-8.14.1.jarcpe:2.3:a:connect2id:nimbus_jose\+jwt:8.14.1:*:*:*:*:*:*:*pkg:maven/com.nimbusds/nimbus-jose-jwt@8.14.1 0Highest52
oauth2-oidc-sdk-7.4.jarpkg:maven/com.nimbusds/oauth2-oidc-sdk@7.4 058
odmg-3.0.jarpkg:maven/odmg/odmg@3.0 015
ognl-2.6.5-atlassian-3.jarcpe:2.3:a:ognl_project:ognl:2.6.5.ian-3:*:*:*:*:*:*:*pkg:maven/ognl/ognl@2.6.5-atlassian-3MEDIUM1Highest11
org.apache.felix.framework-5.6.12.jarpkg:maven/org.apache.felix/org.apache.felix.framework@5.6.12 032
oro-2.0.8.jarpkg:maven/oro/oro@2.0.8 016
oscache-2.2.jarpkg:maven/oscache/oscache@2.2 015
oscore-2.2.7-atlassian-1.jarpkg:maven/opensymphony/oscore@2.2.7-atlassian-1 013
oshi-core-5.3.6.jarpkg:maven/com.github.oshi/oshi-core@5.3.6 051
ossindex-service-api-1.8.2.jarpkg:maven/org.sonatype.ossindex/ossindex-service-api@1.8.2 025
ossindex-service-client-1.8.2.jarcpe:2.3:a:service_project:service:1.8.2:*:*:*:*:*:*:*pkg:maven/org.sonatype.ossindex/ossindex-service-client@1.8.2 0Highest25
osuser-atl.user.jarcpe:2.3:a:user_project:user:atl.user:*:*:*:*:*:*:*pkg:maven/osuser/osuser@atl.user 0High13
package-scanner-0.9.5.jarpkg:maven/org.twdata.pkgscanner/package-scanner@0.9.5 020
package-url-java-1.1.1.jarpkg:maven/org.sonatype.goodies/package-url-java@1.1.1 027
packager-core-0.19.0.jarpkg:maven/org.eclipse.packager/packager-core@0.19.0 027
packager-rpm-0.19.0.jarpkg:maven/org.eclipse.packager/packager-rpm@0.19.0 021
packageurl-java-1.4.1.jarpkg:maven/com.github.package-url/packageurl-java@1.4.1 027
pagination-1f6ff1e0.js 00
pagination.js 00
panopticon-api-1.0.3.jarcpe:2.3:a:atlassian:crowd:1.0.3:*:*:*:*:*:*:*pkg:maven/com.atlassian.plugins/panopticon-api@1.0.3CRITICAL17Low22
pdfbox-2.0.24.jarcpe:2.3:a:apache:pdfbox:2.0.24:*:*:*:*:*:*:*pkg:maven/org.apache.pdfbox/pdfbox@2.0.24 0Highest37
pecoff4j-0.0.2.1.jarpkg:maven/org.whitesource/pecoff4j@0.0.2.1 024
plexus-cipher-1.4.jarpkg:maven/org.sonatype.plexus/plexus-cipher@1.4 030
plexus-classworlds-2.2.3.jarpkg:maven/org.codehaus.plexus/plexus-classworlds@2.2.3 025
plexus-component-annotations-2.0.0.jarpkg:maven/org.codehaus.plexus/plexus-component-annotations@2.0.0 027
plexus-interpolation-1.14.jarpkg:maven/org.codehaus.plexus/plexus-interpolation@1.14 025
plexus-sec-dispatcher-1.4.jarpkg:maven/org.sonatype.plexus/plexus-sec-dispatcher@1.4 030
plexus-utils-3.5.0.jarcpe:2.3:a:plexus-utils_project:plexus-utils:3.5.0:*:*:*:*:*:*:*pkg:maven/org.codehaus.plexus/plexus-utils@3.5.0 0Highest26
policy-2.7.5.jarcpe:2.3:a:oracle:web_services:2.7.5:*:*:*:*:*:*:*pkg:maven/com.sun.xml.ws/policy@2.7.5 0Low49
postgresql-42.2.18.jarcpe:2.3:a:postgresql:postgresql_jdbc_driver:42.2.18:*:*:*:*:*:*:*pkg:maven/org.postgresql/postgresql@42.2.18CRITICAL3Low71
propertyset-1.3-21Nov03.jarpkg:maven/opensymphony/propertyset@1.3-21Nov03 021
quartz-1.8.7-atlassian-3.jarcpe:2.3:a:softwareag:quartz:1.8.7.ian-3:*:*:*:*:*:*:*pkg:maven/org.quartz-scheduler/quartz@1.8.7-atlassian-3CRITICAL1Highest20
radeox-1.0b2-forked-22Apr2004.jarpkg:maven/radeox/radeox@1.0b2-forked-22Apr2004 011
react-dom.js 00
react.js 00
retirejs-core-3.0.4.jarpkg:maven/com.h3xstream.retirejs/retirejs-core@3.0.4 020
rome-1.0.jarcpe:2.3:a:oracle:system_utilities:1.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:utilities_framework:1.0:*:*:*:*:*:*:*
pkg:maven/rome/rome@1.0 0Low44
runtime-20070801.jarpkg:maven/org.eclipse.core/runtime@20070801 020
saaj-impl-1.5.0.jarpkg:maven/com.sun.xml.messaging.saaj/saaj-impl@1.5.0 047
sal-core-4.1.0.jarcpe:2.3:a:sal_project:sal:4.1.0:*:*:*:*:*:*:*pkg:maven/com.atlassian.sal/sal-core@4.1.0MEDIUM1Highest24
select.js 00
semver4j-3.1.0.jarpkg:maven/com.vdurmont/semver4j@3.1.0 024
serializer-2.7.2.jarcpe:2.3:a:apache:xalan-java:2.7.2:*:*:*:*:*:*:*pkg:maven/xalan/serializer@2.7.2HIGH1Low32
servlet-api-2.4.jarpkg:maven/javax.servlet/servlet-api@2.4 016
sisu-guice-2.1.7-noaop.jarpkg:maven/org.sonatype.sisu/sisu-guice@2.1.7 023
sisu-inject-bean-1.4.2.jarpkg:maven/org.sonatype.sisu/sisu-inject-bean@1.4.2 031
sisu-inject-plexus-1.4.2.jarpkg:maven/org.sonatype.sisu/sisu-inject-plexus@1.4.2 029
sitemesh-2.5-atlassian-6.jarcpe:2.3:a:mesh_project:mesh:2.5.ian-6:*:*:*:*:*:*:*pkg:maven/opensymphony/sitemesh@2.5-atlassian-6 0High21
slf4j-api-1.7.25.jarpkg:maven/org.slf4j/slf4j-api@1.7.25 025
slicedToArray-a5de7267.js 00
snakeyaml-1.33.jarcpe:2.3:a:snakeyaml_project:snakeyaml:1.33:*:*:*:*:*:*:*
cpe:2.3:a:yaml_project:yaml:1.33:*:*:*:*:*:*:*
pkg:maven/org.yaml/snakeyaml@1.33 0Highest42
snappy-java-1.1.1.7.jarpkg:maven/org.xerial.snappy/snappy-java@1.1.1.7 037
snappy-java-1.1.1.7.jar: snappyjava.dll 02
snappy-java-1.1.1.7.jar: snappyjava.dll 02
sourcemap-1.7.6.jarpkg:maven/com.atlassian.sourcemap/sourcemap@1.7.6 021
soy-template-renderer-api-5.0.0.jarpkg:maven/com.atlassian.soy/soy-template-renderer-api@5.0.0 024
soy-template-renderer-plugin-api-5.0.0.jarpkg:maven/com.atlassian.soy/soy-template-renderer-plugin-api@5.0.0 024
space-comments.js 00
spinner-b9bead52.js 00
spinner.js 00
spring-context-support-5.0.10.RELEASE.jarcpe:2.3:a:pivotal_software:spring_framework:5.0.10:release:*:*:*:*:*:*
cpe:2.3:a:springsource:spring_framework:5.0.10:release:*:*:*:*:*:*
cpe:2.3:a:vmware:spring_framework:5.0.10:release:*:*:*:*:*:*
pkg:maven/org.springframework/spring-context-support@5.0.10.RELEASECRITICAL6Highest32
spring-core-5.3.20.jarcpe:2.3:a:pivotal_software:spring_framework:5.3.20:*:*:*:*:*:*:*
cpe:2.3:a:springsource:spring_framework:5.3.20:*:*:*:*:*:*:*
cpe:2.3:a:vmware:spring_framework:5.3.20:*:*:*:*:*:*:*
pkg:maven/org.springframework/spring-core@5.3.20 0Highest37
spring-dao-2.0.6.jarcpe:2.3:a:pivotal_software:spring_framework:2.0.6:*:*:*:*:*:*:*
cpe:2.3:a:springsource:spring_framework:2.0.6:*:*:*:*:*:*:*
cpe:2.3:a:vmware:spring_framework:2.0.6:*:*:*:*:*:*:*
pkg:maven/org.springframework/spring-dao@2.0.6CRITICAL14Highest28
spring-ldap-core-2.3.3.RELEASE.jarcpe:2.3:a:pivotal_software:spring-ldap:2.3.3:release:*:*:*:*:*:*pkg:maven/org.springframework.ldap/spring-ldap-core@2.3.3.RELEASE 0Highest53
spring-quartz1-0.1.2.jarpkg:maven/com.atlassian.spring/spring-quartz1@0.1.2 027
spring-security-core-4.2.16.RELEASE.jarcpe:2.3:a:pivotal_software:spring_security:4.2.16:release:*:*:*:*:*:*
cpe:2.3:a:vmware:spring_security:4.2.16:release:*:*:*:*:*:*
pkg:maven/org.springframework.security/spring-security-core@4.2.16.RELEASECRITICAL3Highest43
spring-tx-4.3.27.RELEASE.jarcpe:2.3:a:pivotal_software:spring_framework:4.3.27:release:*:*:*:*:*:*
cpe:2.3:a:springsource:spring_framework:4.3.27:release:*:*:*:*:*:*
cpe:2.3:a:vmware:spring_framework:4.3.27:release:*:*:*:*:*:*
pkg:maven/org.springframework/spring-tx@4.3.27.RELEASECRITICAL5Highest32
spring-web-2.0.6.jarcpe:2.3:a:pivotal_software:spring_framework:2.0.6:*:*:*:*:*:*:*
cpe:2.3:a:springsource:spring_framework:2.0.6:*:*:*:*:*:*:*
cpe:2.3:a:vmware:spring_framework:2.0.6:*:*:*:*:*:*:*
pkg:maven/org.springframework/spring-web@2.0.6CRITICAL16Highest28
spring-webmvc-5.0.10.RELEASE.jarcpe:2.3:a:pivotal_software:spring_framework:5.0.10:release:*:*:*:*:*:*
cpe:2.3:a:springsource:spring_framework:5.0.10:release:*:*:*:*:*:*
cpe:2.3:a:vmware:spring_framework:5.0.10:release:*:*:*:*:*:*
pkg:maven/org.springframework/spring-webmvc@5.0.10.RELEASECRITICAL8Highest36
stax-ex-1.8.jarcpe:2.3:a:oracle:java_se:1.8:*:*:*:*:*:*:*pkg:maven/org.jvnet.staxex/stax-ex@1.8 0Low48
streambuffer-1.5.6.jarcpe:2.3:a:oracle:java_se:1.5.6:*:*:*:*:*:*:*pkg:maven/com.sun.xml.stream.buffer/streambuffer@1.5.6 0Low58
super-csv-2.1.0.jarpkg:maven/net.sf.supercsv/super-csv@2.1.0 021
taggedTemplateLiteral-12969f7e.js 00
theme-742e153b.js 00
tika-core-1.22.jarcpe:2.3:a:apache:tika:1.22:*:*:*:*:*:*:*pkg:maven/org.apache.tika/tika-core@1.22MEDIUM7Highest42
toml4j-0.7.2.jarpkg:maven/com.moandjiezana.toml/toml4j@0.7.2 026
txw2-2.3.1.jarpkg:maven/org.glassfish.jaxb/txw2@2.3.1 034
upm-api-2.21.jarcpe:2.3:a:atlassian:universal_plugin_manager:2.21:*:*:*:*:*:*:*pkg:maven/com.atlassian.upm/upm-api@2.21MEDIUM3Low25
urlrewritefilter-4.0.4.jarpkg:maven/org.tuckey/urlrewritefilter@4.0.4 029
use-controlled-d7253071.js 00
useAnalyticsEvents-2e16b30c.js 00
useTrackedRef-308a7e05.js 00
validation-api-2.0.1.Final.jarpkg:maven/javax.validation/validation-api@2.0.1.Final 052
velocity-1.6.4-atlassian-21.jarcpe:2.3:a:apache:velocity_engine:1.6.4:*:*:*:*:*:*:*pkg:maven/org.apache.velocity/velocity@1.6.4-atlassian-21HIGH1Low68
velocity-engine-core-2.3.jarcpe:2.3:a:apache:velocity_engine:2.3:*:*:*:*:*:*:*pkg:maven/org.apache.velocity/velocity-engine-core@2.3 0Highest36
velocity-htmlsafe-3.1.1.jarpkg:maven/com.atlassian.velocity.htmlsafe/velocity-htmlsafe@3.1.1 030
velocity-tools-1.4.jarcpe:2.3:a:apache:velocity_tools:1.4:*:*:*:*:*:*:*pkg:maven/velocity-tools/velocity-tools@1.4MEDIUM1Highest24
webwork-2.1.5-atlassian-3.jarcpe:2.3:a:opensymphony:webwork:2.1.5.ian-3:*:*:*:*:*:*:*pkg:maven/opensymphony/webwork@2.1.5-atlassian-3CRITICAL4Highest17
wsdl4j-1.6.3.jarpkg:maven/wsdl4j/wsdl4j@1.6.3 027
wstx-asl-3.2.9-atlassian-1.jarpkg:maven/org.codehaus.woodstox/wstx-asl@3.2.9-atlassian-1HIGH127
xalan-2.7.2.jarcpe:2.3:a:apache:xalan-java:2.7.2:*:*:*:*:*:*:*pkg:maven/xalan/xalan@2.7.2HIGH1Low66
xercesImpl-2.12.0.jarcpe:2.3:a:apache:xerces-j:2.12.0:*:*:*:*:*:*:*
cpe:2.3:a:apache:xerces2_java:2.12.0:*:*:*:*:*:*:*
pkg:maven/xerces/xercesImpl@2.12.0MEDIUM2Low86
xml-apis-1.4.01.jarpkg:maven/xml-apis/xml-apis@1.4.01 087
xml-apis-ext-1.3.04.jarpkg:maven/xml-apis/xml-apis-ext@1.3.04 035
xmlgraphics-commons-2.6.jarcpe:2.3:a:apache:xmlgraphics_commons:2.6:*:*:*:*:*:*:*pkg:maven/org.apache.xmlgraphics/xmlgraphics-commons@2.6 0Highest29
xmlpull-1.1.3.1.jarpkg:maven/xmlpull/xmlpull@1.1.3.1 018
xmlrpc-2.0+xmlrpc61.1+sbfix.jarcpe:2.3:a:apache:xml-rpc:2.0.rpc61.1:*:*:*:*:*:*:*pkg:maven/xmlrpc/xmlrpc@2.0%2Bxmlrpc61.1%2Bsbfix 0Low13
xmlrpc-supplementary-character-support-0.2.jarcpe:2.3:a:apache:xml-rpc:0.2:*:*:*:*:*:*:*pkg:maven/com.atlassian.xmlrpc/xmlrpc-supplementary-character-support@0.2 0Low21
xmpbox-2.0.24.jarcpe:2.3:a:apache:pdfbox:2.0.24:*:*:*:*:*:*:*pkg:maven/org.apache.pdfbox/xmpbox@2.0.24 0Highest35
xstream-1.4.17.jarcpe:2.3:a:xstream_project:xstream:1.4.17:*:*:*:*:*:*:*pkg:maven/com.thoughtworks.xstream/xstream@1.4.17HIGH21Highest55
xwork-1.0.3.6.jarcpe:2.3:a:opensymphony:xwork:1.0.3.6:*:*:*:*:*:*:*pkg:maven/opensymphony/xwork@1.0.3.6HIGH10Highest16
xz-1.9.jarcpe:2.3:a:tukaani:xz:1.9:*:*:*:*:*:*:*pkg:maven/org.tukaani/xz@1.9 0Highest33

Dependencies

CommentComponent.js

File Path: /home/andrii/IdeaProjects/confluence-comments-server/src/main/resources/js/build/src/CommentComponent.js
MD5: f604e3836e3e5b07bd1eb3a56aff87ef
SHA1: 76878fccff6799e9dad6d45c2c7d712126d3b191
SHA256:9a35214888ae993a828897e6a082f762afb73a91b01d255979a761b4f99b30da
Referenced In Project/Scope:space-comments

Identifiers

  • None

CommentsList.js

File Path: /home/andrii/IdeaProjects/confluence-comments-server/src/main/resources/js/build/src/CommentsList.js
MD5: 24577052f327a98f59343628104fda57
SHA1: ea8973c83cb28ed7c2f622b6e0b8f7b72a5885a6
SHA256:fd7fc72ecafa0af0f963b7e8c1cd6fd193a6ebdc16f6a3db1bb60e5d2df9a41b
Referenced In Project/Scope:space-comments

Identifiers

  • None

CommentsListTable.js

File Path: /home/andrii/IdeaProjects/confluence-comments-server/src/main/resources/js/build/src/CommentsListTable.js
MD5: 9deba8c86d98d7c790971cd15fb80400
SHA1: ef2b4c463397b40b259cd549b346ece6a29a1588
SHA256:69f764a06392e3c4611c6d8f3574a7039aef6ead5415be4b2ce56ca091e4fba2
Referenced In Project/Scope:space-comments

Identifiers

  • None

FastInfoset-1.2.15.jar

Description:

Open Source implementation of the Fast Infoset Standard for Binary XML (http://www.itu.int/ITU-T/asn1/).

License:

http://www.opensource.org/licenses/apache2.0.php
File Path: /home/andrii/.m2/repository/com/sun/xml/fastinfoset/FastInfoset/1.2.15/FastInfoset-1.2.15.jar
MD5: 57f3894ad7e069ae740b277d92d10fa0
SHA1: bb7b7ec0379982b97c62cd17465cb6d9155f68e8
SHA256:785861db11ca1bd0d1956682b974ad73eb19cd3e01a4b3fa82d62eca97210aec
Referenced In Project/Scope:space-comments:provided

Identifiers

HdrHistogram-2.1.11.jar

Description:

HdrHistogram supports the recording and analyzing of sampled data value counts across a configurable integer value range with configurable value precision within the range. Value precision is expressed as the number of significant digits in the value recording, and provides control over value quantization behavior across the value range and the subsequent value resolution at any given level.

License:

Public Domain, per Creative Commons CC0: http://creativecommons.org/publicdomain/zero/1.0/
BSD-2-Clause: https://opensource.org/licenses/BSD-2-Clause
File Path: /home/andrii/.m2/repository/org/hdrhistogram/HdrHistogram/2.1.11/HdrHistogram-2.1.11.jar
MD5: f3a8c558c7786948ff98819f8eac191f
SHA1: 1b035a1a4ce5d3441a4a1a331d04839ef487ec49
SHA256:96671e0898b35d602869efd9339b1929cdac855d2bc64922efbbcdd2209816bc
Referenced In Project/Scope:space-comments:provided

Identifiers

Header.js

File Path: /home/andrii/IdeaProjects/confluence-comments-server/src/main/resources/js/build/src/components/Header.js
MD5: bfb3be919ff22b414815f7b95ce90f2f
SHA1: 55f1378910bb06280791d4a929538761881d6135
SHA256:d0dc6faf13d0e692aa6852fe152adf9ae66b7b7995b3e401e2b907f508177ec9
Referenced In Project/Scope:space-comments

Identifiers

  • None

HikariCP-2.5.1.jar

Description:

Ultimate JDBC Connection Pool

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/andrii/.m2/repository/com/zaxxer/HikariCP/2.5.1/HikariCP-2.5.1.jar
MD5: 4fd401dee8e525cbb8403476381e34cd
SHA1: b896b711e2d98fedf403de590559a123b5fbf1a6
SHA256:3cf7bc5258414b77613e8d8ef0ce63b3ae1c53a441fd95b9ea335ec051c652b2
Referenced In Project/Scope:space-comments:provided

Identifiers

LatencyUtils-2.0.3.jar

Description:

        LatencyUtils is a package that provides latency recording and reporting utilities.
    

License:

Public Domain, per Creative Commons CC0: http://creativecommons.org/publicdomain/zero/1.0/
File Path: /home/andrii/.m2/repository/org/latencyutils/LatencyUtils/2.0.3/LatencyUtils-2.0.3.jar
MD5: 2ad12e1ef7614cecfb0483fa9ac6da73
SHA1: 769c0b82cb2421c8256300e907298a9410a2a3d3
SHA256:a32a9ffa06b2f4e01c5360f8f9df7bc5d9454a5d373cd8f361347fa5a57165ec
Referenced In Project/Scope:space-comments:provided

Identifiers

Profile.js

File Path: /home/andrii/IdeaProjects/confluence-comments-server/src/main/resources/js/build/src/Profile.js
MD5: 7010338352cbac6fbb39cf9e45c9f861
SHA1: 89b9c79b3f52d2d6ff87efc96f9025e564f1fc2a
SHA256:5fdf376e4f07d4905550fe069852311f20e13a13526a32b30ce8b315f4f11019
Referenced In Project/Scope:space-comments

Identifiers

  • None

Select-7552e2b8.js

File Path: /home/andrii/IdeaProjects/confluence-comments-server/src/main/resources/js/build/_snowpack/pkg/common/Select-7552e2b8.js
MD5: 633817c17f07db70dab12018d3d1125d
SHA1: 9dba0ed054a9ec5cf449a7d275859e9d1b478324
SHA256:f15ff74055fe99b81430b46cf847b8c896260d1c6e82ed8282401c3bad37c238
Referenced In Project/Scope:space-comments

Identifiers

  • None

activation-1.0.2.jar

Description:

    JavaBeans Activation Framework (JAF) is a standard extension to the Java platform that lets you take advantage of standard services to: determine the type of an arbitrary piece of data; encapsulate access to it; discover the operations available on it; and instantiate the appropriate bean to perform the operation(s).
  

File Path: /home/andrii/.m2/repository/javax/activation/activation/1.0.2/activation-1.0.2.jar
MD5: 5ff36dc2285e21d8628e92fdcc63f6a4
SHA1: a2a2e2e89d143d24ddba9a76e5c36603969db30f
SHA256:846f22648b244e521ec8478b1e3c9606f487f0577022d3c0c6f7b9d5d843ffe1
Referenced In Project/Scope:space-comments:provided

Identifiers

activeobjects-dbex-3.3.1.jar

File Path: /home/andrii/.m2/repository/com/atlassian/activeobjects/activeobjects-dbex/3.3.1/activeobjects-dbex-3.3.1.jar
MD5: f3658eee5bc7326eb7cd90e822198094
SHA1: 532fb0da1761b86ff32b7bb6ad52324ab4e89cc8
SHA256:c7ef3546c23aba7408cb3023ed1a84bbccceaae6cb33633c81a7a53a68627a91
Referenced In Project/Scope:space-comments:provided

Identifiers

activeobjects-spi-3.3.1.jar

Description:

This is the SPI that Atlassian products need to implement in order to support ActiveObjects.

File Path: /home/andrii/.m2/repository/com/atlassian/activeobjects/activeobjects-spi/3.3.1/activeobjects-spi-3.3.1.jar
MD5: 48802dda593a18f0160290b603aaf474
SHA1: 6934b3dc0ba7dceea31c63ac7e39b44cf3f40ab2
SHA256:889f9ab723b26d551ef9bcbfb5a9ed65e727e915a80c61f439f8b7cffae59314
Referenced In Project/Scope:space-comments:provided

Identifiers

adal4j-1.6.6.jar

Description:

Azure active directory library for Java gives you the ability to add Windows Azure Active Directory authentication to your web application with just a few lines of additional code. Using our ADAL SDKs you can quickly and easily extend your existing application to all the employees that use Windows Azure AD and Active Directory on-premises using Active Directory Federation Services, including Office365 customers.

License:

MIT License
File Path: /home/andrii/.m2/repository/com/microsoft/azure/adal4j/1.6.6/adal4j-1.6.6.jar
MD5: 611ee5f9a29bdb17454ed39b53d5e75b
SHA1: 44a306f7974f1e10e077efb60fdc478bf312dfd0
SHA256:87c5b1739f29587f2d7784e53a4ef4091e6a60373783773aed2ff6b6d8b7dd7e
Referenced In Project/Scope:space-comments:provided

Identifiers

aether-api-1.0.0.v20140518.jar

Description:

    The application programming interface for the repository system.
  

License:

http://www.eclipse.org/legal/epl-v10.html
File Path: /home/andrii/.m2/repository/org/eclipse/aether/aether-api/1.0.0.v20140518/aether-api-1.0.0.v20140518.jar
MD5: b05ef5410dad83a4e9ba50e08e0dbbf4
SHA1: be68e917f454dcd841865ad7cf9b7615b26a51f7
SHA256:84b98521684ab22f9528470fa6d8ab68a230e1b211623c989ba7016c306eb773
Referenced In Project/Scope:space-comments:compile

Identifiers

aether-api-1.7.jar

Description:

    The application programming interface for the repository system.
  

File Path: /home/andrii/.m2/repository/org/sonatype/aether/aether-api/1.7/aether-api-1.7.jar
MD5: fa35448855735ad6aa16952b0efc7a4e
SHA1: 0c491a637ee6795143b6708ce5f112e6a9f548f4
SHA256:1c5c5ac5e8f29aefc8faa051ffa14eccd85b9e20f4bb35dc82fba7d5da50d326
Referenced In Project/Scope:space-comments:compile

Identifiers

aether-impl-1.7.jar

Description:

    An implementation of the repository system.
  

File Path: /home/andrii/.m2/repository/org/sonatype/aether/aether-impl/1.7/aether-impl-1.7.jar
MD5: 88f67bb92b68df022a22ca837b0ebeee
SHA1: 5cc1803eb7126f759d34007b74e6dc44e9a9fb08
SHA256:288149850d8d131763df4151f7e443fd2739e48510a6e4cfe49ca082c76130fa
Referenced In Project/Scope:space-comments:compile

Identifiers

aether-spi-1.7.jar

Description:

    The service provider interface for repository system implementations and repository connectors.
  

File Path: /home/andrii/.m2/repository/org/sonatype/aether/aether-spi/1.7/aether-spi-1.7.jar
MD5: ba2419eb80b2eca0c804e21b58fb3e1f
SHA1: 1ea472b28d9d891d353c0311593f5e2a0e73d4be
SHA256:f54a0a28ce3d62af0e1cfe41dde616f645c28e452e77f77b78bc36e74d5e1a69
Referenced In Project/Scope:space-comments:compile

Identifiers

aether-util-1.0.0.v20140518.jar

Description:

    A collection of utility classes to ease usage of the repository system.
  

License:

http://www.eclipse.org/legal/epl-v10.html
File Path: /home/andrii/.m2/repository/org/eclipse/aether/aether-util/1.0.0.v20140518/aether-util-1.0.0.v20140518.jar
MD5: 08495ee7ecf90f0b528e7d65471532af
SHA1: 7df5ba98ce8b78985d75fdd8c2981fe69234ef85
SHA256:aff0951639837c4e3a4699a421fa79f410032f603f5c6a5bba435e98531f3984
Referenced In Project/Scope:space-comments:compile

Identifiers

aether-util-1.7.jar

Description:

    A collection of utility classes to ease usage of the repository system.
  

File Path: /home/andrii/.m2/repository/org/sonatype/aether/aether-util/1.7/aether-util-1.7.jar
MD5: df02504fdf485555fc8bec459325d4ba
SHA1: 38485c9c086c3c867c2dd5371909337bd056c492
SHA256:ff690ffc550b7ada3a4b79ef4ca89bf002b24f43a13a35d10195c3bba63d7654
Referenced In Project/Scope:space-comments:compile

Identifiers

aho-corasick-double-array-trie-1.2.3.jar

Description:

        An extremely fast implementation of Aho Corasick algorithm based on Double Array Trie.
    

License:

Apache License Version 2.0: https://www.apache.org/licenses/LICENSE-2.0.html
File Path: /home/andrii/.m2/repository/com/hankcs/aho-corasick-double-array-trie/1.2.3/aho-corasick-double-array-trie-1.2.3.jar
MD5: e19c35a59076f62613b6aa49f03ae116
SHA1: 7692c7e46a056a87ce01fa0d0b733ad3586552e5
SHA256:564f0fc690d50702a313510b9a72e9505ace6e81108e84f65de4feb0da244eb8
Referenced In Project/Scope:space-comments:compile

Identifiers

analytics-api-5.8.10.jar

Description:

API for analytics event publishers

License:

http://www.atlassian.com/end-user-agreement/
File Path: /home/andrii/.m2/repository/com/atlassian/analytics/analytics-api/5.8.10/analytics-api-5.8.10.jar
MD5: 4f75cfcfbced356f9608aab56232a2d3
SHA1: 953955aa6328c915a84975904fe9506973ff58e2
SHA256:71c6141c056504fd0a7779f745347bd4cfd7bfd3c7c6282a48342bb2673b1341
Referenced In Project/Scope:space-comments:provided

Identifiers

android-json-0.0.20131108.vaadin1.jar

Description:

JSON (JavaScript Object Notation) is a lightweight data-interchange format. This is the org.json compatible Android implementation extracted from the Android SDK

License:

Apache License 2.0: http://www.apache.org/licenses/LICENSE-2.0
File Path: /home/andrii/.m2/repository/com/vaadin/external/google/android-json/0.0.20131108.vaadin1/android-json-0.0.20131108.vaadin1.jar
MD5: 10612241a9cc269501a7a2b8a984b949
SHA1: fa26d351fe62a6a17f5cda1287c1c6110dec413f
SHA256:dfb7bae2f404cfe0b72b4d23944698cb716b7665171812a0a4d0f5926c0fac79
Referenced In Project/Scope:space-comments:compile

Identifiers

animal-sniffer-annotations-1.14.jar

File Path: /home/andrii/.m2/repository/org/codehaus/mojo/animal-sniffer-annotations/1.14/animal-sniffer-annotations-1.14.jar
MD5: 9d42e46845c874f1710a9f6a741f6c14
SHA1: 775b7e22fb10026eed3f86e8dc556dfafe35f2d5
SHA256:2068320bd6bad744c3673ab048f67e30bef8f518996fa380033556600669905d
Referenced In Project/Scope:space-comments:compile

Identifiers

ant-1.10.9.jar

File Path: /home/andrii/.m2/repository/org/apache/ant/ant/1.10.9/ant-1.10.9.jar
MD5: 92251abf72cdcededfad473cc40dcbe2
SHA1: a8a0c9bc4473acdac25832d0a9da2ca9fd9cd35f
SHA256:0715478af585ea80a18985613ebecdc7922122d45b2c3c970ff9b352cddb75fc
Referenced In Project/Scope:space-comments:provided

Identifiers

CVE-2021-36373  

When reading a specially crafted TAR archive an Apache Ant build can be made to allocate large amounts of memory that finally leads to an out of memory error, even for small inputs. This can be used to disrupt builds using Apache Ant. Apache Ant prior to 1.9.16 and 1.10.11 were affected.
NVD-CWE-Other

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:N/A:P
CVSSv3:
  • Base Score: MEDIUM (5.5)
  • Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

CVE-2021-36374  

When reading a specially crafted ZIP archive, or a derived format, an Apache Ant build can be made to allocate large amounts of memory that leads to an out of memory error, even for small inputs. This can be used to disrupt builds using Apache Ant. Commonly used derived formats from ZIP archives are for instance JAR files and many office files. Apache Ant prior to 1.9.16 and 1.10.11 were affected.
NVD-CWE-Other

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:N/A:P
CVSSv3:
  • Base Score: MEDIUM (5.5)
  • Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

antisamy-1.5.3-atlassian-7.jar

File Path: /home/andrii/.m2/repository/org/owasp/antisamy/antisamy/1.5.3-atlassian-7/antisamy-1.5.3-atlassian-7.jar
MD5: 98e9400909949399ed425dd5d1b13f21
SHA1: 306157c709a3fba8b3e3ac14371bc00206170dda
SHA256:1c977f43c176be8f639fd3cfafdbd72069e8ebb8104ffdea5cac73e55cbc0fd1
Referenced In Project/Scope:space-comments:provided

Identifiers

CVE-2022-28366  

Certain Neko-related HTML parsers allow a denial of service via crafted Processing Instruction (PI) input that causes excessive heap memory consumption. In particular, this issue exists in HtmlUnit-Neko through 2.26, and is fixed in 2.27. This issue also exists in CyberNeko HTML through 1.9.22 (also affecting OWASP AntiSamy before 1.6.6), but 1.9.22 is the last version of CyberNeko HTML. NOTE: this may be related to CVE-2022-24839.
NVD-CWE-noinfo

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:P
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVE-2016-10006  

In OWASP AntiSamy before 1.5.5, by submitting a specially crafted input (a tag that supports style with active content), you could bypass the library protections and supply executable code. The impact is XSS.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (6.1)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CVE-2017-14735  

OWASP AntiSamy before 1.5.7 allows XSS via HTML5 entities, as demonstrated by use of &colon; to construct a javascript: URL.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (6.1)
  • Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CVE-2021-35043  

OWASP AntiSamy before 1.6.4 allows XSS via HTML attributes when using the HTML output serializer (XHTML is not affected). This was demonstrated by a javascript: URL with &#00058 as the replacement for the : character.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (6.1)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CVE-2022-28367  

OWASP AntiSamy before 1.6.6 allows XSS via HTML tag smuggling on STYLE content with crafted input. The output serializer does not properly encode the supposed Cascading Style Sheets (CSS) content.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (6.1)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

References:

Vulnerable Software & Versions:

CVE-2022-29577  

OWASP AntiSamy before 1.6.7 allows XSS via HTML tag smuggling on STYLE content with crafted input. The output serializer does not properly encode the supposed Cascading Style Sheets (CSS) content. NOTE: this issue exists because of an incomplete fix for CVE-2022-28367.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (6.1)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

References:

Vulnerable Software & Versions:

antlr-2.7.7.jar

Description:

A framework for constructing recognizers, compilers, and translators from grammatical descriptions containing Java, C#, C++, or Python actions.

License:

BSD License: http://www.antlr.org/license.html
File Path: /home/andrii/.m2/repository/antlr/antlr/2.7.7/antlr-2.7.7.jar
MD5: f8f1352c52a4c6a500b597596501fc64
SHA1: 83cd2cd674a217ade95a4bb83a8a14f351f48bd0
SHA256:88fbda4b912596b9f56e8e12e580cc954bacfb51776ecfddd3e18fc1cf56dc4c
Referenced In Project/Scope:space-comments:provided

Identifiers

antlr-runtime-3.5.2.jar

Description:

A framework for constructing recognizers, compilers, and translators from grammatical descriptions containing Java, C#, C++, or Python actions.

File Path: /home/andrii/.m2/repository/org/antlr/antlr-runtime/3.5.2/antlr-runtime-3.5.2.jar
MD5: 1fbbae2cb72530207c20b797bdabd029
SHA1: cd9cd41361c155f3af0f653009dcecb08d8b4afd
SHA256:ce3fc8ecb10f39e9a3cddcbb2ce350d272d9cd3d0b1e18e6fe73c3b9389c8734
Referenced In Project/Scope:space-comments:provided

Identifiers

aopalliance-1.0.jar

Description:

AOP Alliance

License:

Public Domain
File Path: /home/andrii/.m2/repository/aopalliance/aopalliance/1.0/aopalliance-1.0.jar
MD5: 04177054e180d09e3998808efa0401c7
SHA1: 0235ba8b489512805ac13a8f9ea77a1ca5ebe3e8
SHA256:0addec670fedcd3f113c5c8091d783280d23f75e3acb841b61a9cdb079376a08
Referenced In Project/Scope:space-comments:provided

Identifiers

applinks-api-7.2.7.jar

Description:

[PUBLIC] API JAR library for the AppLinks plugin

File Path: /home/andrii/.m2/repository/com/atlassian/applinks/applinks-api/7.2.7/applinks-api-7.2.7.jar
MD5: cd714033228987cb9ea28204f6e781d6
SHA1: 8bf49db094c936b4120ef5c6b1a1f407c3f9a426
SHA256:5c09a558e65003e97fae7597585c80b6db7c13a73b11694634e58939daa974ac
Referenced In Project/Scope:space-comments:provided

Identifiers

applinks-host-7.2.7.jar

Description:

[PUBLIC] Host integration classes for the AppLinks plugin

File Path: /home/andrii/.m2/repository/com/atlassian/applinks/applinks-host/7.2.7/applinks-host-7.2.7.jar
MD5: 1116558f5cff78ead84d4bd9466fb536
SHA1: 3f18165758ed049687dcfc8fcd6137fe9ca56ec9
SHA256:432b1d3086ebb04b57b5263d237b948bbdeb9f33f4b71b3f2e92ceb751d54856
Referenced In Project/Scope:space-comments:provided

Identifiers

applinks-spi-7.2.7.jar

Description:

[PUBLIC] Application Links SPI components. Allows developers to implement their own authentication providers and application types.

File Path: /home/andrii/.m2/repository/com/atlassian/applinks/applinks-spi/7.2.7/applinks-spi-7.2.7.jar
MD5: f745ac96bab2e98ca85cf53a35370da3
SHA1: a0770598de58613bfe8f5421f515611d82f10690
SHA256:577cd5f134ba5a843450cf93087dc1c59406c7d2c53a133caa242fd17c2a99d5
Referenced In Project/Scope:space-comments:provided

Identifiers

asm-7.1.jar

Description:

ASM, a very small and fast Java bytecode manipulation framework

License:

BSD: http://asm.ow2.org/license.html
File Path: /home/andrii/.m2/repository/org/ow2/asm/asm/7.1/asm-7.1.jar
MD5: 04fc92647ce25b41121683674a50dfdf
SHA1: fa29aa438674ff19d5e1386d2c3527a0267f291e
SHA256:4ab2fa2b6d2cc9ccb1eaa05ea329c407b47b13ed2915f62f8c4b8cc96258d4de
Referenced In Project/Scope:space-comments:provided

Identifiers

aspectjweaver-1.9.6.jar

Description:

The AspectJ weaver introduces advices to java classes

License:

Eclipse Public License - v 1.0: http://www.eclipse.org/legal/epl-v10.html
File Path: /home/andrii/.m2/repository/org/aspectj/aspectjweaver/1.9.6/aspectjweaver-1.9.6.jar
MD5: cc461d78c6b67a7c31712c694213b0e1
SHA1: ee3b73aa16df35179255f17354d9dfd8e7822835
SHA256:3167577eaa4be02817295d320c5a6578de8b80d15615d719d5be0a0d65d16165
Referenced In Project/Scope:space-comments:provided

Identifiers

atlassian-annotations-2.1.0.jar

File Path: /home/andrii/.m2/repository/com/atlassian/annotations/atlassian-annotations/2.1.0/atlassian-annotations-2.1.0.jar
MD5: c6692f67afc832299a48de114f8d55a3
SHA1: beeec862f2f5c864ed6aab1c2ef3f9512a4b4d1e
SHA256:1d097beb78dd8e8af8b121f5bc305fa764b6f0e81d496b6a9231404d59fa3450
Referenced In Project/Scope:space-comments:provided

Identifiers

atlassian-audit-api-1.12.4.jar

Description:

APIs for producing and consuming audit events

File Path: /home/andrii/.m2/repository/com/atlassian/audit/atlassian-audit-api/1.12.4/atlassian-audit-api-1.12.4.jar
MD5: 7abbbe2db24951815da1d9519ad401a1
SHA1: 6d801b29e774384414e771145141b74f112e1887
SHA256:b8f908c80ec02c049563fed6ca5278ff975d24a8e155d120a8f6731821b37b96
Referenced In Project/Scope:space-comments:provided

Identifiers

atlassian-audit-core-1.12.4.jar

File Path: /home/andrii/.m2/repository/com/atlassian/audit/atlassian-audit-core/1.12.4/atlassian-audit-core-1.12.4.jar
MD5: bd2e4abf7cf57fe3483602d9115f9690
SHA1: b6c5b998c08c95108809a56dffa474d642f459a3
SHA256:f74d039dd76de4eea88ba538f1122cc9180173a1e74d3cafc38ff247cb9fc0a2
Referenced In Project/Scope:space-comments:provided

Identifiers

atlassian-audit-spi-1.12.4.jar

File Path: /home/andrii/.m2/repository/com/atlassian/audit/atlassian-audit-spi/1.12.4/atlassian-audit-spi-1.12.4.jar
MD5: 12e0c86ca75cc3678f8c833e0dae6d9a
SHA1: 7d96420cda0afc3f80fb60d69a50325fdb7b6035
SHA256:ffc4ae46828f4bf1c44bf1f8f2de1cecbe0bbd604e22703a217b0ef7659bb96d
Referenced In Project/Scope:space-comments:provided

Identifiers

atlassian-bandana-3.1.jar

Description:

A library to provide nested configuration contexts to applications, persisted to anywhere.

File Path: /home/andrii/.m2/repository/com/atlassian/bandana/atlassian-bandana/3.1/atlassian-bandana-3.1.jar
MD5: 2bfb036bf96e3cfde3d6495122f9ece8
SHA1: 2091d961f3ed157a8619035bfcd47b80601fdbf0
SHA256:3c1a8f182e3187d3479ca6d8ede3e6fc4b4d7c8d32371272499bde6e9c3ab60b
Referenced In Project/Scope:space-comments:provided

Identifiers

atlassian-bonnie-8.0.0.jar

Description:

Bonnie contains Lucene indexing and utility classes.

File Path: /home/andrii/.m2/repository/com/atlassian/bonnie/atlassian-bonnie/8.0.0/atlassian-bonnie-8.0.0.jar
MD5: 5c63540f705ccb92e0af967f716ba635
SHA1: 4cd64fc5dfdccf0c6e59510e2bce001ca5bcc7a8
SHA256:381a16ed88b06d1dae56eb63b0ee5cd6dbb3f96bd30d1c5245b4427b035b2557
Referenced In Project/Scope:space-comments:provided

Identifiers

atlassian-brave-spancollector-core-1.0.0.jar

File Path: /home/andrii/.m2/repository/io/atlassian/zipkin/atlassian-brave-spancollector-core/1.0.0/atlassian-brave-spancollector-core-1.0.0.jar
MD5: ac8a55118c404cd478a757e1effb23ee
SHA1: 087c2cf9b94b791f4f6c372a176efa5d2f2d7898
SHA256:f0d4e9ab82a6c5500572e227bd1e39fa0c65e66efc5793ddc78e076b97da0920
Referenced In Project/Scope:space-comments:provided

Identifiers

CVE-2022-2393  

A flaw was found in pki-core, which could allow a user to get a certificate for another user identity when directory-based authentication is enabled. This flaw allows an authenticated attacker on the adjacent network to impersonate another user within the scope of the domain, but they would not be able to decrypt message content.
CWE-287 Improper Authentication

CVSSv3:
  • Base Score: MEDIUM (5.7)
  • Vector: CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

References:

Vulnerable Software & Versions:

atlassian-cache-api-5.3.4.jar

File Path: /home/andrii/.m2/repository/com/atlassian/cache/atlassian-cache-api/5.3.4/atlassian-cache-api-5.3.4.jar
MD5: e7a008d2177ff3e04e71df6d206afcb6
SHA1: 5eb7cb3dfab32a089de9ac29e39b3ba7723217a4
SHA256:05c5fb35fee0ea5ae5e057d0ccede435dfbf4de8b6c01f4c03678ffa374720d0
Referenced In Project/Scope:space-comments:provided

Identifiers

atlassian-cache-common-impl-5.3.4.jar

File Path: /home/andrii/.m2/repository/com/atlassian/cache/atlassian-cache-common-impl/5.3.4/atlassian-cache-common-impl-5.3.4.jar
MD5: bf3adeabdc5cb540f5f1cff0f97a23a6
SHA1: 52cd936db1a89367e4fe170f762f8ceca41172ec
SHA256:8bfc76b940e119068686276ede03b72b8eeca64207ae771f94f5633aa70d08d6
Referenced In Project/Scope:space-comments:provided

Identifiers

atlassian-cache-memory-5.3.4.jar

File Path: /home/andrii/.m2/repository/com/atlassian/cache/atlassian-cache-memory/5.3.4/atlassian-cache-memory-5.3.4.jar
MD5: 60bbf7eeede1cc14d2a1faa253b5cd4f
SHA1: 11dd17302f9057da4a8cfac2dbddcdae60718771
SHA256:a85a0a40a00e5ec79c8cc01d546570113114a0152643e4b39db0d2ef191e614d
Referenced In Project/Scope:space-comments:provided

Identifiers

atlassian-collectors-util-1.1.jar

File Path: /home/andrii/.m2/repository/com/atlassian/collectors/atlassian-collectors-util/1.1/atlassian-collectors-util-1.1.jar
MD5: 82924c05235aa61cfb8dd00da7b4cdc3
SHA1: ca1b7d3996501b0cbf0128ec6ce75392d0249017
SHA256:4f7cd4ee38b40b8ccbe591a575ba2bcf119f7c44e26647309d32e50aa73dc414
Referenced In Project/Scope:space-comments:provided

Identifiers

atlassian-config-1.1.1.jar

Description:

Basic application configuration classes.

File Path: /home/andrii/.m2/repository/com/atlassian/config/atlassian-config/1.1.1/atlassian-config-1.1.1.jar
MD5: 283f205dc861142ac5120a400c380b31
SHA1: 7c84d953a4dd53dfda9c6bc7bce6891150e3bfad
SHA256:066c38c618ff5ec9b787ea80374116dc7cff1728ca6d4230e2ca676e35f9c62b
Referenced In Project/Scope:space-comments:provided

Identifiers

atlassian-core-7.0.2.jar

Description:

Atlassian Core Tools.

File Path: /home/andrii/.m2/repository/com/atlassian/core/atlassian-core/7.0.2/atlassian-core-7.0.2.jar
MD5: 69e31727cf962b980eb18f5f71ecb6a1
SHA1: ede0dcb31d3690c4a1628049c39eb5523497a5c5
SHA256:8e990efe091506d4ff7100f252fe1c692c3674cbbd31ce3f97ef380577d5c44c
Referenced In Project/Scope:space-comments:provided

Identifiers

atlassian-core-thumbnail-7.0.2.jar

Description:

Atlassian Core Tools for Thumbnailing of images

File Path: /home/andrii/.m2/repository/com/atlassian/core/atlassian-core-thumbnail/7.0.2/atlassian-core-thumbnail-7.0.2.jar
MD5: 6d5f960bc6905d62a6205f9fb37df7ef
SHA1: f7ec7020b70fa0419a2a4f9cda582649af016416
SHA256:3d99b43772dd2095cede206bb186e982581d553eb8460711884113befb7d6c88
Referenced In Project/Scope:space-comments:provided

Identifiers

atlassian-core-user-7.0.2.jar

Description:

Atlassian Core Tools for User management

File Path: /home/andrii/.m2/repository/com/atlassian/core/atlassian-core-user/7.0.2/atlassian-core-user-7.0.2.jar
MD5: 3b697a6df0844956aa7708c201f15e45
SHA1: df6a73ba85a4abfc7cfe70c24d1a3186a2fed74a
SHA256:d341e5d1fbab543f6124d59e0c1689ade182eb45c6194c40b3653ca17e96cb4a
Referenced In Project/Scope:space-comments:provided

Identifiers

atlassian-diagnostics-api-1.1.10.jar

Description:

API for Atlassian Diagnostics

File Path: /home/andrii/.m2/repository/com/atlassian/diagnostics/atlassian-diagnostics-api/1.1.10/atlassian-diagnostics-api-1.1.10.jar
MD5: f02df8ce7f60e27374da7ff6c72f8f2e
SHA1: 8532ad25a53dbb238fdb9757ee136b0420a22ba3
SHA256:6a68e2e608b38d69bbfd0fec810ab0536465ae609576ce5eb12bc12203aeff5f
Referenced In Project/Scope:space-comments:provided

Identifiers

atlassian-diagnostics-core-1.1.10.jar

Description:

Components for embedding atlassian-diagnostics in host applications

File Path: /home/andrii/.m2/repository/com/atlassian/diagnostics/atlassian-diagnostics-core/1.1.10/atlassian-diagnostics-core-1.1.10.jar
MD5: 35f871abd9e9fb839bf2b2e75f3e4e8a
SHA1: e83de3c29d51c8063dfceb133d5bd69a717b5a8b
SHA256:6df2d4e007bc86c1158d3e44adddb13fc156db7bf6c785466ec7da2488a32ac6
Referenced In Project/Scope:space-comments:provided

Identifiers

atlassian-diagnostics-platform-1.1.10.jar

Description:

Monitors for the Atlassian Platform

File Path: /home/andrii/.m2/repository/com/atlassian/diagnostics/atlassian-diagnostics-platform/1.1.10/atlassian-diagnostics-platform-1.1.10.jar
MD5: 937ebb0fefbb5fbe507e9b8b814974f5
SHA1: faf36e854eb4252bd05d27c05accb2dc7f52494c
SHA256:6a19615d236aa62c6cc27f3f9308ca616b9f451d0e9579153d215fc043eef25f
Referenced In Project/Scope:space-comments:provided

Identifiers

atlassian-embedded-crowd-atlassian-user-7.13.0.jar

File Path: /home/andrii/.m2/repository/com/atlassian/confluence/atlassian-embedded-crowd-atlassian-user/7.13.0/atlassian-embedded-crowd-atlassian-user-7.13.0.jar
MD5: eda8f1a9e29b9a21f8578413120517b6
SHA1: e4a68117641381344d40c97feeb0ee929add5c17
SHA256:dbe527b47d8e7997d175cfa1658c04e8582cb33918bd37ee39714e9372fe32fc
Referenced In Project/Scope:space-comments:provided

Identifiers

atlassian-event-4.0.1.jar

Description:

Atlassian eventing system for use with Spring projects

License:

BSD License: http://opensource.org/licenses/BSD-3-Clause
File Path: /home/andrii/.m2/repository/com/atlassian/event/atlassian-event/4.0.1/atlassian-event-4.0.1.jar
MD5: 443687a7fd327157b1d4b5b927d211e5
SHA1: 12e8cd48b125049d66d564986567749ef87f91c7
SHA256:7505ea897ad9c16e3faa834c49e93f235ce390f01cbd0586eefdb574a5a2cfc1
Referenced In Project/Scope:space-comments:provided

Identifiers

atlassian-extras-api-3.4.1.jar

File Path: /home/andrii/.m2/repository/com/atlassian/extras/atlassian-extras-api/3.4.1/atlassian-extras-api-3.4.1.jar
MD5: 42cb6b763ae13f403db1fd9a5c15bd19
SHA1: 103796443cd2156ab785b4bd1cd3714a008b396b
SHA256:d1ba89f1c9c0cef19860bece0124ee689aa4a89973b45a94e825a736467bdad8
Referenced In Project/Scope:space-comments:provided

Identifiers

atlassian-extras-common-3.4.1.jar

File Path: /home/andrii/.m2/repository/com/atlassian/extras/atlassian-extras-common/3.4.1/atlassian-extras-common-3.4.1.jar
MD5: ee0a3bf9626ed9b642f0a179dcb17fa6
SHA1: 400767c17365a22ccadd5343bde8557fcbc3e8c0
SHA256:a4be6806b3aaf5db9178b620f7a4ee1d725356f70cdd503d0491edc832a53fa2
Referenced In Project/Scope:space-comments:provided

Identifiers

atlassian-extras-core-3.4.1.jar

File Path: /home/andrii/.m2/repository/com/atlassian/extras/atlassian-extras-core/3.4.1/atlassian-extras-core-3.4.1.jar
MD5: 5eecd7e6dcafc092be21ffcd0d4caecf
SHA1: 750bf5df3b3846e8ac6709438084020f33345c66
SHA256:f3e0c46fe2d09f8390c1bfbff8137a7dd60fcea2b61fabf688d469a31acc470c
Referenced In Project/Scope:space-comments:provided

Identifiers

atlassian-extras-decoder-api-3.4.1.jar

File Path: /home/andrii/.m2/repository/com/atlassian/extras/atlassian-extras-decoder-api/3.4.1/atlassian-extras-decoder-api-3.4.1.jar
MD5: 2ef536159c7b4b4a8b16915816d240f5
SHA1: f3d4beac9ccb105f1a397fa737130ff1572d6094
SHA256:f905dbf509b5164a9453d2ad5a9c6fe8b950cde1453518011f2b510d82f87063
Referenced In Project/Scope:space-comments:provided

Identifiers

atlassian-extras-decoder-v2-3.4.1.jar

File Path: /home/andrii/.m2/repository/com/atlassian/extras/atlassian-extras-decoder-v2/3.4.1/atlassian-extras-decoder-v2-3.4.1.jar
MD5: 1fa8f760b08a7109cfc2d5c256550677
SHA1: da5f3f0552c7a30afcdbf855581370e51283cef0
SHA256:9c44f684dbb9e26b30581ca850ad640f9f358cef4bc6c970c312359a38760285
Referenced In Project/Scope:space-comments:provided

Identifiers

atlassian-extras-legacy-3.4.1.jar

File Path: /home/andrii/.m2/repository/com/atlassian/extras/atlassian-extras-legacy/3.4.1/atlassian-extras-legacy-3.4.1.jar
MD5: 2108da575eadc162122970fb6f8e533e
SHA1: 6844548e0c793663b55e8ae1c536c7069eac9ad6
SHA256:d549dcd2d64e459f8ee8a99851d676937407eff0ebece045b501b62ce58a0439
Referenced In Project/Scope:space-comments:provided

Identifiers

atlassian-flushable-gzipoutputstream-1.1.jar

License:

APL 2.0 License: http://www.apache.org/licenses/LICENSE-2.0
File Path: /home/andrii/.m2/repository/com/atlassian/gzipfilter/atlassian-flushable-gzipoutputstream/1.1/atlassian-flushable-gzipoutputstream-1.1.jar
MD5: 8ef8fe767f9600a0fb1ee9f0bfb16ca7
SHA1: 3c4f49949c6021f396273e2afba4d6593450091c
SHA256:509bd01ed08190755a174bcb71d9933b4da6d0cc7360bb6f0827427a58f2fa9a
Referenced In Project/Scope:space-comments:provided

Identifiers

atlassian-graphql-annotations-1.3.7.jar

File Path: /home/andrii/.m2/repository/com/atlassian/graphql/atlassian-graphql-annotations/1.3.7/atlassian-graphql-annotations-1.3.7.jar
MD5: 996f41411820d46b5d48a4da6eb810e8
SHA1: 3f5091b63def4ab8e366625c90ae9f54c11172c8
SHA256:e02a9f58bbe6ed65cc91231c28d5766ca3bbe43638a7d4974a0c1b9c366b2a75
Referenced In Project/Scope:space-comments:provided

Identifiers

atlassian-gzipfilter-3.0.0.jar

File Path: /home/andrii/.m2/repository/com/atlassian/gzipfilter/atlassian-gzipfilter/3.0.0/atlassian-gzipfilter-3.0.0.jar
MD5: 2b4780173856f6505483860679f1ec21
SHA1: 7f423cfb3dcad5b07b094323980315e340154fcd
SHA256:a66b00a9f59cbcc0854f3ac684a2e3b4aa3d5673c08811d7236fe3ba2e8a4e52
Referenced In Project/Scope:space-comments:provided

Identifiers

atlassian-h2-server-integration-2.2.0.jar

Description:

H2 server integration into Atlassian's application configuration framework

License:

Atlassian 3.0 End User License Agreement: http://www.atlassian.com/end-user-agreement/
File Path: /home/andrii/.m2/repository/com/atlassian/h2/atlassian-h2-server-integration/2.2.0/atlassian-h2-server-integration-2.2.0.jar
MD5: 3ead3224505016e7e3225fa0edd3b398
SHA1: 15d692f501b6630af336cd0b59284b80cdb89c26
SHA256:df554d29c5e30472aafe117c821e9925be64e129a9fb987fb9ff968c3d008097
Referenced In Project/Scope:space-comments:provided

Identifiers

atlassian-healthcheck-plugin-check-api-6.0.0.jar

Description:

Provides code for reuse by JIRA, Confluence and Refapp TestHealthChecks, TestPluginStartup etc. which call atlassian-healthcheck plugin healthchecks.

File Path: /home/andrii/.m2/repository/com/atlassian/healthcheck/atlassian-healthcheck-plugin-check-api/6.0.0/atlassian-healthcheck-plugin-check-api-6.0.0.jar
MD5: 056fa4585108ed633cd94d3e19fe0cb8
SHA1: 1dee0a6f07449f61ce8cd035dec6ba2a99bd80f0
SHA256:cc3af2a8c6914a42b37da7da53ba4642bdc2c94af763bdc6c9e1e5489c7be1fa
Referenced In Project/Scope:space-comments:provided

Identifiers

atlassian-healthcheck-spi-6.0.0.jar

Description:

Provides components provided to atlassian-healthcheck by product core.

File Path: /home/andrii/.m2/repository/com/atlassian/healthcheck/atlassian-healthcheck-spi/6.0.0/atlassian-healthcheck-spi-6.0.0.jar
MD5: d6d22531b0447a16b87c6da29b13da3a
SHA1: 145613db7efcf32e35cb5eb219c90c48b0a09851
SHA256:8f332058bb272eeb15679b590f643270f591e12be1510fe17d8b62a04f85a8d6
Referenced In Project/Scope:space-comments:provided

Identifiers

atlassian-hibernate2-extras-6.2.5.jar

File Path: /home/andrii/.m2/repository/com/atlassian/hibernate/atlassian-hibernate2-extras/6.2.5/atlassian-hibernate2-extras-6.2.5.jar
MD5: 0e563b7f914816a3d9c7b19ee63bf8c5
SHA1: d9aaf868bbca5085dcfd3f2ae459e8236bb275c6
SHA256:c4efaba04786acce8b173144123f8c918e5d699617ddcceea37af6ff7a1e65cd
Referenced In Project/Scope:space-comments:provided

Identifiers

atlassian-hsqdlb-server-integration-1.1.0.jar

Description:

HSQLDB server integration into Atlassian's application configuration framework

License:

Atlassian 3.0 End User License Agreement: http://www.atlassian.com/end-user-agreement/
File Path: /home/andrii/.m2/repository/com/atlassian/hsqldb/atlassian-hsqdlb-server-integration/1.1.0/atlassian-hsqdlb-server-integration-1.1.0.jar
MD5: 8feca11266ffc9ed9384c6b055a201c1
SHA1: 7ca10950fc090499fdc5eb513391f036ac4f04c8
SHA256:cb950173c505be16abd8d65b00d2f5bd13a53e2fe34d2032560b8a7c053566b3
Referenced In Project/Scope:space-comments:provided

Identifiers

atlassian-html-encoder-1.5.jar

License:

BSD: http://opensource.org/licenses/BSD-3-Clause
File Path: /home/andrii/.m2/repository/com/atlassian/html/atlassian-html-encoder/1.5/atlassian-html-encoder-1.5.jar
MD5: c1527fcbf1f40a5b58348c7bc8b888b5
SHA1: 40bd03045da35d1e3019a5bc76ca90c360217dd3
SHA256:d492fd77181b2bf68a53e0ca961789cc69b76e26a5cbefe9f333122bb1bcc959
Referenced In Project/Scope:space-comments:provided

Identifiers

atlassian-http-2.0.8.jar

Description:

This project contains utility classes for manipulation of http concepts, such as cookies, MIME types, and browser agent sniffing.

License:

Apache 2: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/andrii/.m2/repository/com/atlassian/http/atlassian-http/2.0.8/atlassian-http-2.0.8.jar
MD5: e7505091f16f66bdc4ce2ed19d840600
SHA1: d895b554f0f023dd466b90b8cbcebea03b836ece
SHA256:e99285c07259321746c868f9d2ee580cbcfce10d042e2c14375a78ddc46d1687
Referenced In Project/Scope:space-comments:provided

Identifiers

atlassian-image-consumer-1.0.1.jar

License:

LGPL 2.1 License: http://www.gnu.org/licenses/lgpl-2.1.txt
File Path: /home/andrii/.m2/repository/com/atlassian/image/atlassian-image-consumer/1.0.1/atlassian-image-consumer-1.0.1.jar
MD5: 28bbc9e0d0d31fcf258fea467201dae1
SHA1: 3e85562e44c029d8fe7944ad0119b998e57a7110
SHA256:6b9da341d7ef47fe3d053e83afdd24e4654da4cf5fdab992bb96a7d233555d4e
Referenced In Project/Scope:space-comments:provided

Identifiers

atlassian-instrumentation-core-3.0.0.jar

Description:

Core library to give systems the ability to instrument their internal state through the use of counters / gauges and general operation profiling

File Path: /home/andrii/.m2/repository/com/atlassian/instrumentation/atlassian-instrumentation-core/3.0.0/atlassian-instrumentation-core-3.0.0.jar
MD5: c361878da34251de86d90388c55f8ea8
SHA1: 7940f31e37dcb67d6aaf16aeed6ea27b43c4025a
SHA256:af8845fd2eb47dc72a9f27b00ce5e4de962416d5e95c7426b525c39c50cfbba9
Referenced In Project/Scope:space-comments:provided

Identifiers

atlassian-ip-3.1.jar

File Path: /home/andrii/.m2/repository/com/atlassian/ip/atlassian-ip/3.1/atlassian-ip-3.1.jar
MD5: cf295c31c48dd7e42e5441a6a9c6a256
SHA1: 3dd393bd3e9004f72ca48a4f098a90886d544d69
SHA256:284e8ff2bf1620eb2d0e9ffa55a402de65736717688ea99daa03b42d250aee90
Referenced In Project/Scope:space-comments:provided

Identifiers

atlassian-jdk-utilities-0.6.jar

Description:

A set of utilities that work with a JDK.

File Path: /home/andrii/.m2/repository/com/atlassian/jdk/utilities/atlassian-jdk-utilities/0.6/atlassian-jdk-utilities-0.6.jar
MD5: 0e8d78323799855328e08ad47dcc92f5
SHA1: 542bd5b872240175427b0cd5bf6e556ddaa6ca48
SHA256:70edc5c7f0855f7fece10dd3710e5647b8c1c05eb56b2b4d3385d627bac089e7
Referenced In Project/Scope:space-comments:provided

Identifiers

atlassian-johnson-core-4.0.0.jar

File Path: /home/andrii/.m2/repository/com/atlassian/johnson/atlassian-johnson-core/4.0.0/atlassian-johnson-core-4.0.0.jar
MD5: 47432b89ce7413a911def497536d1f4c
SHA1: 52f24677e5199b9579fd54a9d1077157cae1dcbb
SHA256:8e91458afbb47f9d5832f066c394381e400db50906cb79afa23c9a44cfa14c41
Referenced In Project/Scope:space-comments:provided

Identifiers

atlassian-johnson-plugins-4.0.0.jar

File Path: /home/andrii/.m2/repository/com/atlassian/johnson/atlassian-johnson-plugins/4.0.0/atlassian-johnson-plugins-4.0.0.jar
MD5: 8e90b774a89faaff34b5e4fab869f5d1
SHA1: 8946d63832e1b7f96e662f34b2f8030cbc62d37c
SHA256:62ed16ace366c1911d2335b9e4ea6a59bd214c4d19688ae7b767994d4e2c5973
Referenced In Project/Scope:space-comments:provided

Identifiers

atlassian-json-api-0.11.jar

File Path: /home/andrii/.m2/repository/com/atlassian/json/atlassian-json-api/0.11/atlassian-json-api-0.11.jar
MD5: c55e7d4b0ef3edb9f8ffee7f662b2a0e
SHA1: 84374bc858c65e8663b1a33bb4d8ff7ef9ca850e
SHA256:f1b6cfc4addfcd10e4a378417656ffeaedc3e11d18406a6b14d443d5767ab0da
Referenced In Project/Scope:space-comments:provided

Identifiers

atlassian-json-jsonorg-0.11.jar

File Path: /home/andrii/.m2/repository/com/atlassian/json/atlassian-json-jsonorg/0.11/atlassian-json-jsonorg-0.11.jar
MD5: 7fad99f50cb3ac1e26207f46024b9fea
SHA1: a83e00cc4e37fde293b6dd2715b67a767a4feb6f
SHA256:88056f81d07421daf9e6441298c8f4512d38fdb4ffb2729b50eaca49b08b0295
Referenced In Project/Scope:space-comments:provided

Identifiers

atlassian-localhost-1.1.0.jar

Description:

Provides library method(s) for establishing the fully-qualified hostname (FQHN) of the local machine. Created to shim the slightly changed behaviour of java.net.InetAddress.getLocalHost().getHostName() in java8 compared to java7.

File Path: /home/andrii/.m2/repository/com/atlassian/atlassian-localhost/1.1.0/atlassian-localhost-1.1.0.jar
MD5: c601fbd8b8778db8ab2211e8111e79fa
SHA1: 74c10ea79995a53e8a33d43abf7632d279be9518
SHA256:ab56b636ec686350507b68a71d6abd37310347b9c5b1754082a99e9c37ef204c
Referenced In Project/Scope:space-comments:provided

Identifiers

atlassian-mail-5.0.6.jar

Description:

Atlassian Mail is a generic mail sending component used by Atlassian applications.

License:

BSD: LICENSE.txt
File Path: /home/andrii/.m2/repository/com/atlassian/mail/atlassian-mail/5.0.6/atlassian-mail-5.0.6.jar
MD5: 63f32c79f60b44e9fe998f411c91baeb
SHA1: f6da3ecc6695ada3b6cfca19b515c011e468c15e
SHA256:9cbe9ccd95b9da0523f01d5e2dfcd1e7a55975e7ef56a377d12c453b53ab5125
Referenced In Project/Scope:space-comments:provided

Identifiers

atlassian-marshalling-api-1.0.0.jar

File Path: /home/andrii/.m2/repository/com/atlassian/marshalling/atlassian-marshalling-api/1.0.0/atlassian-marshalling-api-1.0.0.jar
MD5: 873cd17f998ad28d0df6cf32068df034
SHA1: d09fcc51162406304dcbed853ea918b642c13ac0
SHA256:bcf1c4781f6094de71bc57a3585c1c9f4e2429c804cd177ca4f6f949bdb7d80d
Referenced In Project/Scope:space-comments:provided

Identifiers

atlassian-marshalling-gson-3.0.1.jar

File Path: /home/andrii/.m2/repository/com/atlassian/marshalling/atlassian-marshalling-gson/3.0.1/atlassian-marshalling-gson-3.0.1.jar
MD5: 0c25ffd5fc88d7ee23f070fc37640ff2
SHA1: cfc09455a17bd412145e2fd1bdc798f7717b3034
SHA256:259e52d8198b4b4a2eea746783eb7a6f29697b47dfc8d5d35968ac8dcf059768
Referenced In Project/Scope:space-comments:provided

Identifiers

atlassian-marshalling-jdk-1.1.0.jar

File Path: /home/andrii/.m2/repository/com/atlassian/marshalling/atlassian-marshalling-jdk/1.1.0/atlassian-marshalling-jdk-1.1.0.jar
MD5: e44737df383073ee5fdb55c0b205ae57
SHA1: 24214acccc6eb2b01eba1afb85333bae6920ee92
SHA256:6723fdaf380ae921cffc62f2c14c2b8b91f9b1c55eeb8d6cfe9b4c5d19070d74
Referenced In Project/Scope:space-comments:provided

Identifiers

atlassian-marshalling-protobuf-1.0.0.jar

File Path: /home/andrii/.m2/repository/com/atlassian/marshalling/atlassian-marshalling-protobuf/1.0.0/atlassian-marshalling-protobuf-1.0.0.jar
MD5: 7a8e1abd64408e23f6bd91c595221767
SHA1: e6011e2f8beeca0c6176b26852e31b806b2ae7f1
SHA256:dcd524faf2440025caa6b9124c374dcb2a0e9473ed13cec0947b87096101ecef
Referenced In Project/Scope:space-comments:provided

Identifiers

atlassian-password-encoder-3.2.10.jar

Description:

Password encoder interface and default implementation for Atlassian applications.

File Path: /home/andrii/.m2/repository/com/atlassian/security/atlassian-password-encoder/3.2.10/atlassian-password-encoder-3.2.10.jar
MD5: e530758dc17d3d63a398851817175bee
SHA1: 2be29a732b14c9426c2261107cf95a6d27f28126
SHA256:c0ba9fcc078862d9ce53f270bcad36e4c4b2aa771f8c672227421b5b65ded018
Referenced In Project/Scope:space-comments:provided

Identifiers

atlassian-plugin-point-safety-1.0.0.jar

File Path: /home/andrii/.m2/repository/com/atlassian/ozymandias/atlassian-plugin-point-safety/1.0.0/atlassian-plugin-point-safety-1.0.0.jar
MD5: c6a4ea2561efb5682c1cd1b6d2d5c77a
SHA1: 7ae0837bac6f52b9a836a19acfba5039147e47fb
SHA256:54cb294f734f3249fdc74abc993197dc403b2f879d186ecd04e9708fb64fa8d9
Referenced In Project/Scope:space-comments:provided

Identifiers

atlassian-plugins-api-5.3.11.jar

File Path: /home/andrii/.m2/repository/com/atlassian/plugins/atlassian-plugins-api/5.3.11/atlassian-plugins-api-5.3.11.jar
MD5: 5e0239fde5b44af18730ed8e32444a2d
SHA1: e589a3c552bcf3e26284217e30dc24b07598bcb0
SHA256:5263efb14d3550a8de0ac861dce13c1b6de985606437ab64896c787d88361878
Referenced In Project/Scope:space-comments:provided

Identifiers

atlassian-plugins-core-5.3.11.jar

Description:

A library to give systems the ability to have plugins, make them more pluggable and hence add pluggability (it's late - that makes sense in my head).

File Path: /home/andrii/.m2/repository/com/atlassian/plugins/atlassian-plugins-core/5.3.11/atlassian-plugins-core-5.3.11.jar
MD5: 0cc95a860d3e66861a89c0e57e5a3d85
SHA1: 6674276088c5a4ebde61dfee7d716f3e3fda8558
SHA256:6df87b7de6793872d354d519c48dac3ce9edf381e2135e0507bb14acff488280
Referenced In Project/Scope:space-comments:provided

Identifiers

atlassian-plugins-osgi-5.3.11.jar

Description:

An extension to Atlassian Plugins that provides a loader that loads plugins into OSGi

File Path: /home/andrii/.m2/repository/com/atlassian/plugins/atlassian-plugins-osgi/5.3.11/atlassian-plugins-osgi-5.3.11.jar
MD5: bfdf07909c25dd937b22d785344fc7e0
SHA1: 6e5395048a45c0c91548362403679c8511fcd60f
SHA256:055f82e1f8fa0dda350ec89a7595f8969c5d0f3acc5c3aedd6b760efda5cc713
Referenced In Project/Scope:space-comments:provided

Identifiers

atlassian-plugins-osgi-events-5.3.11.jar

Description:

Events used to better bridge OSGi actions into the Atlassian Plugins framework

File Path: /home/andrii/.m2/repository/com/atlassian/plugins/atlassian-plugins-osgi-events/5.3.11/atlassian-plugins-osgi-events-5.3.11.jar
MD5: c6de8d722ddae54cfd4249983b69b645
SHA1: f77883c96e66d113c24e1bc49868b1865cb948f0
SHA256:a79e893f50ea2911d34cde8f8f0c4f02fc1f98cfb48e2c84b436a4d5110028b8
Referenced In Project/Scope:space-comments:provided

Identifiers

atlassian-plugins-schema-5.3.11.jar

File Path: /home/andrii/.m2/repository/com/atlassian/plugins/atlassian-plugins-schema/5.3.11/atlassian-plugins-schema-5.3.11.jar
MD5: 0e8f251222d98cb21e3a801aeb9e4c1a
SHA1: 2b746621b5a2314239c8b0ec078d486f38334492
SHA256:2ab684e1865315fa1207fecb19adb80b7424f55811ed9cfc5ae9b6975d1733ca
Referenced In Project/Scope:space-comments:provided

Identifiers

atlassian-plugins-servlet-5.3.11.jar

File Path: /home/andrii/.m2/repository/com/atlassian/plugins/atlassian-plugins-servlet/5.3.11/atlassian-plugins-servlet-5.3.11.jar
MD5: 6dfbd5832c1f219f723fdab17e7278da
SHA1: 4954478828f7ccb48891924ddcf033f58c1357c8
SHA256:e12bebd4484b2072aa6ff5ecb333e1c71beac9e5ef5f2722d6566073765aaa20
Referenced In Project/Scope:space-comments:provided

Identifiers

atlassian-plugins-spring-5.3.11.jar

Description:

Integration classes that tie Atlassian Plugins and Spring together

File Path: /home/andrii/.m2/repository/com/atlassian/plugins/atlassian-plugins-spring/5.3.11/atlassian-plugins-spring-5.3.11.jar
MD5: 8d4e7e7d9dc03f61db90b352bd635ffe
SHA1: fb1ffec2a9f23fd0708ed485ca0b42d644c2a9ae
SHA256:7c1e06fd31766ded90237f6651adc7a721ce6c69603250f467c99d537d8eb327
Referenced In Project/Scope:space-comments:provided

Identifiers

atlassian-plugins-webfragment-5.0.0.jar

File Path: /home/andrii/.m2/repository/com/atlassian/plugins/atlassian-plugins-webfragment/5.0.0/atlassian-plugins-webfragment-5.0.0.jar
MD5: 9132f7492167ca473269f55682a7a929
SHA1: 9a37f5eb59111bc605fe58e0219732790de00f02
SHA256:be529f88975589896adb3d4b1d5fbf8315d8d251db8e6b47d6163fcc7cd18316
Referenced In Project/Scope:space-comments:provided

Identifiers

atlassian-plugins-webfragment-api-5.0.0.jar

File Path: /home/andrii/.m2/repository/com/atlassian/plugins/atlassian-plugins-webfragment-api/5.0.0/atlassian-plugins-webfragment-api-5.0.0.jar
MD5: a4fd934f3f492303ac6664ef4e0995ef
SHA1: 93f39798e09e4d0683d58a5cdce6a7abdabf434d
SHA256:ccff309c947de4e20f2062fe57d022c91cfc8b4c7e617d63d748b067585da4d5
Referenced In Project/Scope:space-comments:provided

Identifiers

atlassian-plugins-webresource-4.1.6.jar

File Path: /home/andrii/.m2/repository/com/atlassian/plugins/atlassian-plugins-webresource/4.1.6/atlassian-plugins-webresource-4.1.6.jar
MD5: 14d63a85b735722450124b6d2bd571ba
SHA1: fec87edbe09f3b0a5c49d0555683251866fe2888
SHA256:68dcc508e913aea8bab84ccc6a0c75fe9a9e392f481e8a0f1726cd852fae99d5
Referenced In Project/Scope:space-comments:provided

Identifiers

atlassian-plugins-webresource-api-4.1.6.jar

File Path: /home/andrii/.m2/repository/com/atlassian/plugins/atlassian-plugins-webresource-api/4.1.6/atlassian-plugins-webresource-api-4.1.6.jar
MD5: 86a847b65d927fd73a426be1fdc09ffd
SHA1: 43629deb9d557b9b738c9b86ee436cd337906ae3
SHA256:4865e53c6ab522149dfafb8c2f132dbc30a3051bfe0f4cd16d03ae0d85f30097
Referenced In Project/Scope:space-comments:provided

Identifiers

atlassian-plugins-webresource-common-5.3.11.jar

File Path: /home/andrii/.m2/repository/com/atlassian/plugins/atlassian-plugins-webresource-common/5.3.11/atlassian-plugins-webresource-common-5.3.11.jar
MD5: 172c2e0af1179c586c4a09503192abf7
SHA1: 84f83ddb01e90086c80019decbf4494998462a0b
SHA256:31ec5afdc540de740c668ecc1a535b07399f41491c42fd714b0f506a5e70d0d7
Referenced In Project/Scope:space-comments:provided

Identifiers

atlassian-plugins-webresource-spi-4.1.6.jar

File Path: /home/andrii/.m2/repository/com/atlassian/plugins/atlassian-plugins-webresource-spi/4.1.6/atlassian-plugins-webresource-spi-4.1.6.jar
MD5: 0dc7c6be43a0b3a8878e183659909c41
SHA1: 1fea50d31afff8f6304cd846f64cfe67e1c7bd6d
SHA256:c2cf9b7dbe77cf023f62a44892d585495aea64ee545aa0225910273aca642617
Referenced In Project/Scope:space-comments:provided

Identifiers

atlassian-profiling-3.4.3.jar

Description:

A simple framework for run-time profiling an application, focused on JEE web applications.
    

File Path: /home/andrii/.m2/repository/com/atlassian/profiling/atlassian-profiling/3.4.3/atlassian-profiling-3.4.3.jar
MD5: c692bf3e1e76390ff56f962d0e050495
SHA1: 753346e768bd2c3c3a9272e258964c39f11679a7
SHA256:4f890ed7e10c6fbf69c89ced62c5295a530aa2a832f2dd8d6dd6db80ac8a5c49
Referenced In Project/Scope:space-comments:provided

Identifiers

atlassian-profiling-dropwizard-metrics-3.4.3.jar

Description:

Dropwizard Metrics based implementation of MetricStrategy

File Path: /home/andrii/.m2/repository/com/atlassian/profiling/atlassian-profiling-dropwizard-metrics/3.4.3/atlassian-profiling-dropwizard-metrics-3.4.3.jar
MD5: c723a204a91d2f958b7ac87eac0587a2
SHA1: 33b1c49a08e8ce26ed984ea57453532ef6b574b0
SHA256:01a7acd48ada67cf54f36cfe5b2a9ae81c1494116e8eac084730405d1fa88feb
Referenced In Project/Scope:space-comments:provided

Identifiers

atlassian-profiling-micrometer-3.4.3.jar

Description:

Micrometer-based implementation of MetricStrategy

File Path: /home/andrii/.m2/repository/com/atlassian/profiling/atlassian-profiling-micrometer/3.4.3/atlassian-profiling-micrometer-3.4.3.jar
MD5: f6efdfcabcf2149de0d0c935abe2376c
SHA1: 42be933b3f53ff72364ec715d9f3337b7289a174
SHA256:5bd5efb89134a5cac07532df3f80f376eee2de8f0b01191272701eec87976eba
Referenced In Project/Scope:space-comments:provided

Identifiers

atlassian-renderer-legacy-6.2.25.jar

Description:

The library that renders wiki markup for Confluence and JIRA.

File Path: /home/andrii/.m2/repository/com/atlassian/renderer/atlassian-renderer-legacy/6.2.25/atlassian-renderer-legacy-6.2.25.jar
MD5: 4ec3d0b5e9dc9d1c8fa752d5c5775a7f
SHA1: e090c00197a1378ebf9699bc127e48964ca30cab
SHA256:6edf838c29b1e663aa2035076dd88c9670be86b0e2e6def9ed4290fc3770a44b
Referenced In Project/Scope:space-comments:provided

Identifiers

atlassian-scheduler-api-3.0.0.jar

File Path: /home/andrii/.m2/repository/com/atlassian/scheduler/atlassian-scheduler-api/3.0.0/atlassian-scheduler-api-3.0.0.jar
MD5: 863d14e2534880ac184c25f33856e977
SHA1: c609daefcad0208b6b8553b1b54af245d029555d
SHA256:31960ebda1751157fd5956a24c8f0e5a2f13f6bb83491a5bd402a1050b8cf0c1
Referenced In Project/Scope:space-comments:provided

Identifiers

atlassian-scheduler-caesium-3.0.0.jar

Description:

Caesium is like Quartz, in that it can be used to keep track of scheduled things.
However, it is much simpler and hopefully does not have as many bugs.

The name derives from the fact that since 1967 the definition of 1 second has
been "The duration of 9,192,631,770 periods of the radiation corresponding to
the transition between the two hyperfine levels of the ground state of the
caesium-133 atom."

Note: I would have preferred to spell this "cesium," but IUPAC says otherwise.

File Path: /home/andrii/.m2/repository/com/atlassian/scheduler/caesium/atlassian-scheduler-caesium/3.0.0/atlassian-scheduler-caesium-3.0.0.jar
MD5: d6511b9aa19f704500f88dd397095d51
SHA1: 98611dc21e49f62e76a684132eb3c12a918ee4ee
SHA256:4ef1146b8af1b030f885b8bda898cd23c711c2f0036750c71ea97c00f5c81b79
Referenced In Project/Scope:space-comments:provided

Identifiers

atlassian-scheduler-core-3.0.0.jar

Description:

Provides reusable core classes that most implementations are likely to need

File Path: /home/andrii/.m2/repository/com/atlassian/scheduler/atlassian-scheduler-core/3.0.0/atlassian-scheduler-core-3.0.0.jar
MD5: 98afce24578a777458892a5484bf59ae
SHA1: e33f847c660e641d9afd6732d42f6dbb527ec507
SHA256:a089718bb41ec12d96f9440e80c5db6ecb53346ee9c90f348be250d58d133d96
Referenced In Project/Scope:space-comments:provided

Identifiers

atlassian-secure-random-3.2.10.jar

Description:

Random generator service for producing cryptographically secure random data.

File Path: /home/andrii/.m2/repository/com/atlassian/security/atlassian-secure-random/3.2.10/atlassian-secure-random-3.2.10.jar
MD5: 0d573e8c730327ef9d67078a4c294e9e
SHA1: 15364f167f32887ad9f8131c19c4cd4468625be4
SHA256:e185cae3199daa31f5d7161611b58422a5852985c52b6fb0720f98f6d363491c
Referenced In Project/Scope:space-comments:provided

Identifiers

atlassian-secure-utils-3.2.11.jar

Description:

A bunch of secure utilities.

File Path: /home/andrii/.m2/repository/com/atlassian/security/atlassian-secure-utils/3.2.11/atlassian-secure-utils-3.2.11.jar
MD5: 3869ab335eca8ae36e2f4269cc271c36
SHA1: 9a7a1a16ecf020a435a54ba67e6a530b134042c4
SHA256:d89f267c8ca87dcdc696556b87ede94df7a0b696f7a808218f1647eeee049818
Referenced In Project/Scope:space-comments:provided

Identifiers

atlassian-secure-xml-3.2.14.jar

Description:

Utility methods to construct parsers suitable for XML from untrusted sources.

File Path: /home/andrii/.m2/repository/com/atlassian/security/atlassian-secure-xml/3.2.14/atlassian-secure-xml-3.2.14.jar
MD5: af9be6e00c2e3a43a38502811df42bff
SHA1: dd19972f2606f6bbc8b22d1d74e572b943deec24
SHA256:e6a238e8717cb97041c59cf8784091cf3e223a8c8b46273c84f513c30de04205
Referenced In Project/Scope:space-comments:provided

Identifiers

atlassian-seraph-4.1.0.jar

Description:

Seraph is a Servlet security framework for use in Java EE web applications.

File Path: /home/andrii/.m2/repository/com/atlassian/seraph/atlassian-seraph/4.1.0/atlassian-seraph-4.1.0.jar
MD5: d0eefd13d46c3765a74094920a5def72
SHA1: 392695177de5edf662fe83e4039e4dac98415fa1
SHA256:c389abfc237893c1abb8509b1e1b367a8cc3df9cb40eacfce6b79deb80a311c0
Referenced In Project/Scope:space-comments:provided

Identifiers

atlassian-spring-2.0.8.jar

Description:

Common Atlassian Spring Components

File Path: /home/andrii/.m2/repository/com/atlassian/spring/atlassian-spring/2.0.8/atlassian-spring-2.0.8.jar
MD5: 6b5d48e55158b8d14d2722e237c27df2
SHA1: ea07f2757114efe2440c7797f3883ef95e0073ba
SHA256:218be0f9f81be41d209733b9637f98b27208aa18583ddf8a6752b320f53630ec
Referenced In Project/Scope:space-comments:provided

Identifiers

atlassian-spring-hibernate2-2.0.8.jar

Description:

Common Atlassian Spring+Hibernate 2 Components

File Path: /home/andrii/.m2/repository/com/atlassian/spring/atlassian-spring-hibernate2/2.0.8/atlassian-spring-hibernate2-2.0.8.jar
MD5: 013bdbbf5ed9d7343b518d8298a4d8f3
SHA1: aba40d266af1c4aa3ae185a88ba971d1f6d6cfaf
SHA256:bd46f0ec2c7a6e1473ffabfd7a255a66c5409bee288c467530bf36f5645d974a
Referenced In Project/Scope:space-comments:provided

Identifiers

atlassian-spring-interceptor-adapter-spi-1.1.jar

Description:

Host application-side library of the Spring Interceptor Adapter plugin.

File Path: /home/andrii/.m2/repository/com/atlassian/plugins/atlassian-spring-interceptor-adapter-spi/1.1/atlassian-spring-interceptor-adapter-spi-1.1.jar
MD5: 3867eba2f428678dc6133c80cf1f7a3a
SHA1: 40835db7e396d4be3bf9c5a1ef48354bdf43bd94
SHA256:c9999ed6be9a6d6e4db1f110d0717e198b81dfefab8dfca6f71f55bf6a4f4e3b
Referenced In Project/Scope:space-comments:provided

Identifiers

atlassian-spring-scanner-annotation-2.1.7.jar

Description:

A set of tools and libraries to ease in creating no-transform Atlassian plugins using java annotations

License:

http://www.apache.org/licenses/LICENSE-2.0
File Path: /home/andrii/.m2/repository/com/atlassian/plugin/atlassian-spring-scanner-annotation/2.1.7/atlassian-spring-scanner-annotation-2.1.7.jar
MD5: 68364763f9db56b95df35601ff8434d2
SHA1: fa11c70a59763069a95e885038c8aee56d495ba8
SHA256:2d3d91607229e03565a2a58fdd4a5a2c9b500e8cd5ccf2cf967ee7f100ab5d26
Referenced In Project/Scope:space-comments:provided

Identifiers

atlassian-template-renderer-api-3.0.0.jar

Description:

API and plugins for easily rendering content from different template engines.

License:

http://opensource.org/licenses/BSD-3-Clause
File Path: /home/andrii/.m2/repository/com/atlassian/templaterenderer/atlassian-template-renderer-api/3.0.0/atlassian-template-renderer-api-3.0.0.jar
MD5: 644b3b2d6ee96fa002cd43ed17c15e79
SHA1: a4853f74bbb296912de29c0b9c3269e154a98abb
SHA256:c499ab8b445a6eaa17482ad206612a4f79c43007bce4915c5b3efb0a77ad5d58
Referenced In Project/Scope:space-comments:provided

Identifiers

atlassian-tenancy-api-3.0.1.jar

Description:

API for interacting with the tenancy lifecycle of an application

File Path: /home/andrii/.m2/repository/com/atlassian/tenancy/atlassian-tenancy-api/3.0.1/atlassian-tenancy-api-3.0.1.jar
MD5: 7899d266c6bb6f2a7def14540e3e38a1
SHA1: 72b6f494e1343b79bd0332c6390e3e332e2d2a34
SHA256:e3d0ed9ab54b41c77cc6b40c51c1fcd76d0379655ee4e41f8ee39c0a2157e693
Referenced In Project/Scope:space-comments:provided

Identifiers

atlassian-threadlocal-1.4.jar

Description:

A library of code dealing with that most wonderful of programming idioms - ThreadLocal

File Path: /home/andrii/.m2/repository/com/atlassian/threadlocal/atlassian-threadlocal/1.4/atlassian-threadlocal-1.4.jar
MD5: bb65e84df52456707f7da83ff0532d29
SHA1: ebf872b864a2fc74bf77c5920b8f7b19a54794b0
SHA256:4b8b9a9802316f644173e993d5deb15fb3d8b5778371b387cd10ff60d2e3bc0d
Referenced In Project/Scope:space-comments:provided

Identifiers

atlassian-trackback-0.10.jar

Description:

A very simple component to send and receive trackback pings.

File Path: /home/andrii/.m2/repository/com/atlassian/trackback/atlassian-trackback/0.10/atlassian-trackback-0.10.jar
MD5: 40f6f47cd223be5e392621ef2a05f4be
SHA1: 905e31e7719b7e5df1216404f059c3c87b20c6c1
SHA256:d839cf1fd3c2c160e10c945dc93ff4caef5791dca3b468ae106c1b7f374db3ba
Referenced In Project/Scope:space-comments:provided

Identifiers

atlassian-trusted-apps-core-5.0.1.jar

File Path: /home/andrii/.m2/repository/com/atlassian/security/auth/trustedapps/atlassian-trusted-apps-core/5.0.1/atlassian-trusted-apps-core-5.0.1.jar
MD5: 5f1fdd2be7a4c6ec651890b8593fb90a
SHA1: 40880cdce9c42e80f1994231a06a5055fa3c03ae
SHA256:097e82f525af7576a5b6225a40c3ce5294410bee03f57c5f6776895bcbc8598a
Referenced In Project/Scope:space-comments:provided

Identifiers

atlassian-trusted-apps-seraph-integration-5.0.1.jar

File Path: /home/andrii/.m2/repository/com/atlassian/security/auth/trustedapps/atlassian-trusted-apps-seraph-integration/5.0.1/atlassian-trusted-apps-seraph-integration-5.0.1.jar
MD5: b8afbcee21da74bd7550e0505a20dacf
SHA1: 7939591daec0ecac362c42285165b8cf4e751b7b
SHA256:164beb557d03de30dad44a3ba43790991c25fa5686e0ba15c60062805f7cec07
Referenced In Project/Scope:space-comments:provided

Identifiers

atlassian-user-3.0.jar

Description:

Atlassian-user is an internal project, modelling users and groups for all Atlassian applications.

File Path: /home/andrii/.m2/repository/com/atlassian/user/atlassian-user/3.0/atlassian-user-3.0.jar
MD5: 42dcca5ff9b7171daa87bf1f2116ea09
SHA1: 38697a7d52d17953097c41304e770b5ac15580de
SHA256:43dfeba0757f12cb6da929ac96b1e4c976b67476eef721a1353e5b16d45fa41b
Referenced In Project/Scope:space-comments:provided

Identifiers

atlassian-util-concurrent-3.0.0.jar

Description:

This project contains utility classes that are used by various products and projects inside Atlassian and may have some utility to the world at large.

License:

Apache 2: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/andrii/.m2/repository/com/atlassian/util/concurrent/atlassian-util-concurrent/3.0.0/atlassian-util-concurrent-3.0.0.jar
MD5: 5ce073b4e866f9afe741b466b32c62f6
SHA1: 26480e5153e6574157a114844275c37fc9fd38e1
SHA256:45566c43c61c80bb75b5a203018f6f348efaef4c2b4c6fb3e4ba31bd099cb3f7
Referenced In Project/Scope:space-comments:provided

Identifiers

atlassian-util-concurrent-4.0.1.jar

Description:

This project contains utility classes that are used by various products and projects inside Atlassian and may have some utility to the world at large.

License:

Apache 2: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/andrii/.m2/repository/io/atlassian/util/concurrent/atlassian-util-concurrent/4.0.1/atlassian-util-concurrent-4.0.1.jar
MD5: 64d75ee6a8eb440831c1d4d96351bfd1
SHA1: 34fdb324a609ff5e008e707de7c0741aeaa4b981
SHA256:8b89b72fd29b646ac2bb86e40c2353a05741d56bad6d3a28d27df44e7d351e74
Referenced In Project/Scope:space-comments:provided

Identifiers

atlassian-vcache-api-1.12.2.jar

File Path: /home/andrii/.m2/repository/com/atlassian/vcache/atlassian-vcache-api/1.12.2/atlassian-vcache-api-1.12.2.jar
MD5: 7fc89df8d04e2b73bd7f5df3aa0051a6
SHA1: f04c72359ada400ef27141e6d5225485e4913bb9
SHA256:c8ff10ec84e64813fd6ee4a55b66e47a2a065cca921117c313e97f3584b19662
Referenced In Project/Scope:space-comments:provided

Identifiers

atlassian-vcache-internal-api-1.12.2.jar

File Path: /home/andrii/.m2/repository/com/atlassian/vcache/atlassian-vcache-internal-api/1.12.2/atlassian-vcache-internal-api-1.12.2.jar
MD5: 0716c95b9301f3d4d41d07e04d3ec416
SHA1: e28f69a9a1cddf330be147af81f33a3a9f003775
SHA256:b7797ec715429f83e9c1f453826ed3cf69c6394090b72d49f18d20e26c203486
Referenced In Project/Scope:space-comments:provided

Identifiers

atlassian-vcache-internal-core-1.12.2.jar

File Path: /home/andrii/.m2/repository/com/atlassian/vcache/atlassian-vcache-internal-core/1.12.2/atlassian-vcache-internal-core-1.12.2.jar
MD5: 9512d9bd79ed6969feffd0ede654343a
SHA1: a2e5a36988a6e0a2f0ddc481e2dcb605b80e7ad0
SHA256:d264872ec08934ba2c467d830fb0e3c510c5e26cb6ba78045cc1e127a179ff29
Referenced In Project/Scope:space-comments:provided

Identifiers

atlassian-vcache-internal-legacy-1.12.2.jar

File Path: /home/andrii/.m2/repository/com/atlassian/vcache/atlassian-vcache-internal-legacy/1.12.2/atlassian-vcache-internal-legacy-1.12.2.jar
MD5: ac5511d053356b5592145e017a78940d
SHA1: 3df39eeeba320dc81d98d240b07f9cd7e1977f3a
SHA256:683fb4f65c1ef7da5a33d6e1a4eb3586eaccedb5c34ed2c90ef2be2af29bca31
Referenced In Project/Scope:space-comments:provided

Identifiers

atlassian-velocity-1.3.jar

Description:

Atlassian Velocity

File Path: /home/andrii/.m2/repository/com/atlassian/velocity/atlassian-velocity/1.3/atlassian-velocity-1.3.jar
MD5: 481f196dd01b472f0e38e1e4d08779b0
SHA1: b51cf1ab3cadc4e2e1bc46957b2eef1c501e3ab7
SHA256:45c43615f9facef594160db07920e54f7b331fe973b3f7de3d4e841b9f621668
Referenced In Project/Scope:space-comments:provided

Identifiers

atlassian-webhooks-api-6.2.0.jar

Description:

API for Atlassian Webhooks

File Path: /home/andrii/.m2/repository/com/atlassian/webhooks/atlassian-webhooks-api/6.2.0/atlassian-webhooks-api-6.2.0.jar
MD5: a277f2e18b8386cb9285b22e11db67d1
SHA1: 2880369200c2f04c15872f1f81b059e4b0617369
SHA256:2330bf87c615bc7c786a502cccf1e29f6a65a23ab806dc364764f9c5f58d669d
Referenced In Project/Scope:space-comments:provided

Identifiers

atlassian-webhooks-spi-6.2.0.jar

Description:

The SPI for Atlassian Webhooks that host applications are expected to implement

File Path: /home/andrii/.m2/repository/com/atlassian/webhooks/atlassian-webhooks-spi/6.2.0/atlassian-webhooks-spi-6.2.0.jar
MD5: 6d597e610681cbdd9be7871ec83ed1c9
SHA1: dc8035458bb166533a11f680df354e85d17cf0c2
SHA256:7d2b997dea99afe4b692b8c4338a14db9d51a3a87545bb9bff5a6e73e8575727
Referenced In Project/Scope:space-comments:provided

Identifiers

atlassian-whitelist-api-plugin-5.0.5.jar

Description:

API for Whitelist publishers.

License:

https://www.atlassian.com/legal/customer-agreement
File Path: /home/andrii/.m2/repository/com/atlassian/plugins/atlassian-whitelist-api-plugin/5.0.5/atlassian-whitelist-api-plugin-5.0.5.jar
MD5: 219b1d18ce390d6465c9d95ae608ae9f
SHA1: 777bd41b4636d875091ef5f206f80a674e73fb0b
SHA256:e422562be9298fba3a8282d26f39ee11f6d75ef534576fee0016c8cfc5eb64e7
Referenced In Project/Scope:space-comments:provided

Identifiers

atlassian-xwork-10-2.1.0.jar

File Path: /home/andrii/.m2/repository/com/atlassian/xwork/atlassian-xwork-10/2.1.0/atlassian-xwork-10-2.1.0.jar
MD5: a97b4bc30807131cbd962448f75779e7
SHA1: 4c968fa8fd4fbc6d97f8b0d6e5c8bbfd5f5f09d2
SHA256:a90d725178adc4b05eb68a892d6dccc7c5532b3704c557d283a1cd4c9081e2fc
Referenced In Project/Scope:space-comments:provided

Identifiers

atlassian-xwork-core-2.1.0.jar

File Path: /home/andrii/.m2/repository/com/atlassian/xwork/atlassian-xwork-core/2.1.0/atlassian-xwork-core-2.1.0.jar
MD5: 6d62b718d3db32b800e41c3724886620
SHA1: 09a53ffc09a042eeaf33645fb5ba96fdf5f07aab
SHA256:ccb8853745e33d375704781ba7e31b04cb8652d2c6e493df47f4b749d259079e
Referenced In Project/Scope:space-comments:provided

Identifiers

avatar-plugin-api-1.3.5.jar

Description:

Defines the cross-product Avatar API.

File Path: /home/andrii/.m2/repository/com/atlassian/plugins/avatar-plugin-api/1.3.5/avatar-plugin-api-1.3.5.jar
MD5: 219776861137378c01903e06596b240d
SHA1: 7e7a90ad8324f051a79b01472517ddf4f889d296
SHA256:026d210d98100d62e314ec1c7ac90b5757de4f315148a1602d00d2626d34966a
Referenced In Project/Scope:space-comments:provided

Identifiers

avatar.js

File Path: /home/andrii/IdeaProjects/confluence-comments-server/src/main/resources/js/build/_snowpack/pkg/@atlaskit/avatar.js
MD5: 9093401e0c2f1f8413e9b211d30eed89
SHA1: edbbe5b11ee2e9ef21071a4745f79d3e568f6130
SHA256:08e3bdb446439fd034178b9a337db491e0cdb00443f5a7279b2ad0c25e157698
Referenced In Project/Scope:space-comments

Identifiers

  • None

base-a385f246.js

File Path: /home/andrii/IdeaProjects/confluence-comments-server/src/main/resources/js/build/_snowpack/pkg/common/base-a385f246.js
MD5: df913f17c56e213f4c451b5e8457ad45
SHA1: 6ef493f1ffa29270160c04169b1762f139f17706
SHA256:d0d82e9d06bdb12f469ae0328309418a3456f5e5aca5e59b9470f50d4d6191d9
Referenced In Project/Scope:space-comments

Identifiers

  • None

batik-css-1.14.jar

Description:

Batik CSS engine

File Path: /home/andrii/.m2/repository/org/apache/xmlgraphics/batik-css/1.14/batik-css-1.14.jar
MD5: 7ddd4cfd4b3ab7576c3e1ae116fd8ff8
SHA1: 3118d46f4879ec08c6c6471c7c0825652ed659ee
SHA256:968ba271cab6dfdd0458eb9ff42cc51e258d471499225b9063edbda61becbe17
Referenced In Project/Scope:space-comments:provided

Identifiers

CVE-2022-40146  

Server-Side Request Forgery (SSRF) vulnerability in Batik of Apache XML Graphics allows an attacker to access files using a Jar url. This issue affects Apache XML Graphics Batik 1.14.
CWE-918 Server-Side Request Forgery (SSRF)

CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CVE-2022-41704  

A vulnerability in Batik of Apache XML Graphics allows an attacker to run untrusted Java code from an SVG. This issue affects Apache XML Graphics prior to 1.16. It is recommended to update to version 1.16.
CWE-918 Server-Side Request Forgery (SSRF)

CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CVE-2022-42890  

A vulnerability in Batik of Apache XML Graphics allows an attacker to run Java code from untrusted SVG via JavaScript. This issue affects Apache XML Graphics prior to 1.16. Users are recommended to upgrade to version 1.16.
CWE-918 Server-Side Request Forgery (SSRF)

CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CVE-2022-38398  

Server-Side Request Forgery (SSRF) vulnerability in Batik of Apache XML Graphics allows an attacker to load a url thru the jar protocol. This issue affects Apache XML Graphics Batik 1.14.
CWE-918 Server-Side Request Forgery (SSRF)

CVSSv3:
  • Base Score: MEDIUM (5.3)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CVE-2022-38648  

Server-Side Request Forgery (SSRF) vulnerability in Batik of Apache XML Graphics allows an attacker to fetch external resources. This issue affects Apache XML Graphics Batik 1.14.
CWE-918 Server-Side Request Forgery (SSRF)

CVSSv3:
  • Base Score: MEDIUM (5.3)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

batik-i18n-1.14.jar

Description:

Batik i18n library

File Path: /home/andrii/.m2/repository/org/apache/xmlgraphics/batik-i18n/1.14/batik-i18n-1.14.jar
MD5: aa98b2f42450d4767d5345b4cf7c37a0
SHA1: a4e7b0cda9132904f21b25ab29a0b73e1867e7fd
SHA256:fb1ad02ccaa36f5a60c4115316e15ac071386f96445e5d89bdad0c7e45da9560
Referenced In Project/Scope:space-comments:provided

Identifiers

bcmail-jdk15on-1.68.jar

Description:

The Bouncy Castle Java S/MIME APIs for handling S/MIME protocols. This jar contains S/MIME APIs for JDK 1.5 and up. The APIs can be used in conjunction with a JCE/JCA provider such as the one provided with the Bouncy Castle Cryptography APIs. The JavaMail API and the Java activation framework will also be needed.

License:

Bouncy Castle Licence: http://www.bouncycastle.org/licence.html
File Path: /home/andrii/.m2/repository/org/bouncycastle/bcmail-jdk15on/1.68/bcmail-jdk15on-1.68.jar
MD5: 612e03e1c69a53e7165b4765cf47815e
SHA1: e7bf3026b44293f2213f369d8c9051d2e6b828cf
SHA256:a5bc386101e85aa5dbe6a47963415f472674d5ee0b2229642b23c195e3da6820
Referenced In Project/Scope:space-comments:provided

Identifiers

bcpg-jdk18on-1.71.jar

Description:

The Bouncy Castle Java API for handling the OpenPGP protocol. This jar contains the OpenPGP API for JDK 1.8 and up. The APIs can be used in conjunction with a JCE/JCA provider such as the one provided with the Bouncy Castle Cryptography APIs.

License:

Bouncy Castle Licence: https://www.bouncycastle.org/licence.html
Apache Software License, Version 1.1: https://www.apache.org/licenses/LICENSE-1.1
File Path: /home/andrii/.m2/repository/org/bouncycastle/bcpg-jdk18on/1.71/bcpg-jdk18on-1.71.jar
MD5: dbc4cb1dcb79a19a809e29f4be3f6eb7
SHA1: d42ad9fe1b89246bb4ca2a45c0646bf6f6066013
SHA256:57f9ab76a8358abbea90ba1ef8e553b8ae3d07b2337078a4ca20b1cbd48b4ec5
Referenced In Project/Scope:space-comments:compile

Identifiers

  • pkg:maven/org.bouncycastle/bcpg-jdk18on@1.71  (Confidence:High)
  • cpe:2.3:a:bouncycastle:legion-of-the-bouncy-castle:1.71:*:*:*:*:*:*:*  (Confidence:Low)  
  • cpe:2.3:a:openpgp:openpgp:1.71:*:*:*:*:*:*:*  (Confidence:Low)  

bcpkix-jdk15on-1.68.jar

Description:

The Bouncy Castle Java APIs for CMS, PKCS, EAC, TSP, CMP, CRMF, OCSP, and certificate generation. This jar contains APIs for JDK 1.5 and up. The APIs can be used in conjunction with a JCE/JCA provider such as the one provided with the Bouncy Castle Cryptography APIs.

License:

Bouncy Castle Licence: http://www.bouncycastle.org/licence.html
File Path: /home/andrii/.m2/repository/org/bouncycastle/bcpkix-jdk15on/1.68/bcpkix-jdk15on-1.68.jar
MD5: 37e058210e056a04d4521d8185fb0051
SHA1: 81da950604ff0b2652348cbd2b48fde46ced9867
SHA256:fb8d0f8f673ad6e16c604732093d7aa31b26ff4e0bd9cae1d7f99984c06b8a0f
Referenced In Project/Scope:space-comments:provided

Identifiers

bcprov-jdk15on-1.68.jar

Description:

The Bouncy Castle Crypto package is a Java implementation of cryptographic algorithms. This jar contains JCE provider and lightweight API for the Bouncy Castle Cryptography APIs for JDK 1.5 and up.

License:

Bouncy Castle Licence: http://www.bouncycastle.org/licence.html
File Path: /home/andrii/.m2/repository/org/bouncycastle/bcprov-jdk15on/1.68/bcprov-jdk15on-1.68.jar
MD5: f34043ac8be2793843364b4406a15543
SHA1: 46a080368d38b428d237a59458f9bc915222894d
SHA256:f732a46c8de7e2232f2007c682a21d1f4cc8a8a0149b6b7bd6aa1afdc65a0f8d
Referenced In Project/Scope:space-comments:provided

Identifiers

  • pkg:maven/org.bouncycastle/bcprov-jdk15on@1.68  (Confidence:High)
  • cpe:2.3:a:bouncycastle:bouncy-castle-crypto-package:1.68:*:*:*:*:*:*:*  (Confidence:Low)  
  • cpe:2.3:a:bouncycastle:bouncy_castle_crypto_package:1.68:*:*:*:*:*:*:*  (Confidence:Low)  
  • cpe:2.3:a:bouncycastle:legion-of-the-bouncy-castle:1.68:*:*:*:*:*:*:*  (Confidence:Low)  
  • cpe:2.3:a:bouncycastle:legion-of-the-bouncy-castle-java-crytography-api:1.68:*:*:*:*:*:*:*  (Confidence:Low)  
  • cpe:2.3:a:bouncycastle:the_bouncy_castle_crypto_package_for_java:1.68:*:*:*:*:*:*:*  (Confidence:Low)  

bcprov-jdk18on-1.71.jar

Description:

The Bouncy Castle Crypto package is a Java implementation of cryptographic algorithms. This jar contains JCE provider and lightweight API for the Bouncy Castle Cryptography APIs for JDK 1.8 and up.

License:

Bouncy Castle Licence: https://www.bouncycastle.org/licence.html
File Path: /home/andrii/.m2/repository/org/bouncycastle/bcprov-jdk18on/1.71/bcprov-jdk18on-1.71.jar
MD5: bf1578f78f5db468a5f21ee8f8e42b0d
SHA1: 943e8d0c2bd592ad78759c39d6f749fafaf29cf4
SHA256:f3433a97d780fe9fa3dc3d562a41decd59b2e617ce884de9060349ac14750045
Referenced In Project/Scope:space-comments:compile

Identifiers

  • pkg:maven/org.bouncycastle/bcprov-jdk18on@1.71  (Confidence:High)
  • cpe:2.3:a:bouncycastle:bouncy-castle-crypto-package:1.71:*:*:*:*:*:*:*  (Confidence:Low)  
  • cpe:2.3:a:bouncycastle:bouncy_castle_crypto_package:1.71:*:*:*:*:*:*:*  (Confidence:Low)  
  • cpe:2.3:a:bouncycastle:legion-of-the-bouncy-castle:1.71:*:*:*:*:*:*:*  (Confidence:Low)  
  • cpe:2.3:a:bouncycastle:legion-of-the-bouncy-castle-java-crytography-api:1.71:*:*:*:*:*:*:*  (Confidence:Low)  
  • cpe:2.3:a:bouncycastle:the_bouncy_castle_crypto_package_for_java:1.71:*:*:*:*:*:*:*  (Confidence:Low)  

beehive-api-2.0.0.jar

File Path: /home/andrii/.m2/repository/com/atlassian/beehive/beehive-api/2.0.0/beehive-api-2.0.0.jar
MD5: efae979b42ca470486ab1e3bc337c460
SHA1: db5355bfe7202c4139c1912b1396349d89828420
SHA256:2334230d7f2c85fd4e01f13b0b2706572656e462b436d7362608ae035574f5af
Referenced In Project/Scope:space-comments:provided

Identifiers

biz.aQute.bndlib-3.5.0.jar

Description:

A Swiss Army Knife for OSGi

License:

Apache-2.0: http://www.apache.org/licenses/LICENSE-2.0
File Path: /home/andrii/.m2/repository/biz/aQute/bnd/biz.aQute.bndlib/3.5.0/biz.aQute.bndlib-3.5.0.jar
MD5: 17c66eb51d1e11ab9545ae317aa864de
SHA1: 31d8a6d8c951d954d02a37323c10c26aaa6e8c8b
SHA256:884322bca122810402776527496ac6faa7eca5463b4f806587fe708cb6ca862c
Referenced In Project/Scope:space-comments:provided

Identifiers

botocss-core-6.3.jar

Description:

Pronounced "botox". Injects CSS into your HTML markup for sending via email.

File Path: /home/andrii/.m2/repository/com/atlassian/botocss/botocss-core/6.3/botocss-core-6.3.jar
MD5: 7f480efc1adcc99879bfde941f660306
SHA1: 1634cef977baab0321f3cdc4cd4201af9aa6c41f
SHA256:00ec56cf6fc53d2eca564a28ec6351a5467a73fa08a5a87f4d3acd92672ba0a9
Referenced In Project/Scope:space-comments:provided

Identifiers

CVE-2022-26136  

A vulnerability in multiple Atlassian products allows a remote, unauthenticated attacker to bypass Servlet Filters used by first and third party apps. The impact depends on which filters are used by each app, and how the filters are used. This vulnerability can result in authentication bypass and cross-site scripting. Atlassian has released updates that fix the root cause of this vulnerability, but has not exhaustively enumerated all potential consequences of this vulnerability. Atlassian Bamboo versions are affected before 8.0.9, from 8.1.0 before 8.1.8, and from 8.2.0 before 8.2.4. Atlassian Bitbucket versions are affected before 7.6.16, from 7.7.0 before 7.17.8, from 7.18.0 before 7.19.5, from 7.20.0 before 7.20.2, from 7.21.0 before 7.21.2, and versions 8.0.0 and 8.1.0. Atlassian Confluence versions are affected before 7.4.17, from 7.5.0 before 7.13.7, from 7.14.0 before 7.14.3, from 7.15.0 before 7.15.2, from 7.16.0 before 7.16.4, from 7.17.0 before 7.17.4, and version 7.21.0. Atlassian Crowd versions are affected before 4.3.8, from 4.4.0 before 4.4.2, and version 5.0.0. Atlassian Fisheye and Crucible versions before 4.8.10 are affected. Atlassian Jira versions are affected before 8.13.22, from 8.14.0 before 8.20.10, and from 8.21.0 before 8.22.4. Atlassian Jira Service Management versions are affected before 4.13.22, from 4.14.0 before 4.20.10, and from 4.21.0 before 4.22.4.
CWE-287 Improper Authentication

CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVE-2022-26137  

A vulnerability in multiple Atlassian products allows a remote, unauthenticated attacker to cause additional Servlet Filters to be invoked when the application processes requests or responses. Atlassian has confirmed and fixed the only known security issue associated with this vulnerability: Cross-origin resource sharing (CORS) bypass. Sending a specially crafted HTTP request can invoke the Servlet Filter used to respond to CORS requests, resulting in a CORS bypass. An attacker that can trick a user into requesting a malicious URL can access the vulnerable application with the victim’s permissions. Atlassian Bamboo versions are affected before 8.0.9, from 8.1.0 before 8.1.8, and from 8.2.0 before 8.2.4. Atlassian Bitbucket versions are affected before 7.6.16, from 7.7.0 before 7.17.8, from 7.18.0 before 7.19.5, from 7.20.0 before 7.20.2, from 7.21.0 before 7.21.2, and versions 8.0.0 and 8.1.0. Atlassian Confluence versions are affected before 7.4.17, from 7.5.0 before 7.13.7, from 7.14.0 before 7.14.3, from 7.15.0 before 7.15.2, from 7.16.0 before 7.16.4, from 7.17.0 before 7.17.4, and version 7.21.0. Atlassian Crowd versions are affected before 4.3.8, from 4.4.0 before 4.4.2, and version 5.0.0. Atlassian Fisheye and Crucible versions before 4.8.10 are affected. Atlassian Jira versions are affected before 8.13.22, from 8.14.0 before 8.20.10, and from 8.21.0 before 8.22.4. Atlassian Jira Service Management versions are affected before 4.13.22, from 4.14.0 before 4.20.10, and from 4.21.0 before 4.22.4.
CWE-346 Origin Validation Error

CVSSv3:
  • Base Score: HIGH (8.8)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVE-2020-36233  

The Microsoft Windows Installer for Atlassian Bitbucket Server and Data Center before version 6.10.9, 7.x before 7.6.4, and from version 7.7.0 before 7.10.1 allows local attackers to escalate privileges because of weak permissions on the installation directory.
CWE-276 Incorrect Default Permissions

CVSSv2:
  • Base Score: MEDIUM (4.6)
  • Vector: /AV:L/AC:L/Au:N/C:P/I:P/A:P
CVSSv3:
  • Base Score: HIGH (7.8)
  • Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVE-2020-14171  

Atlassian Bitbucket Server from version 4.9.0 before version 7.2.4 allows remote attackers to intercept unencrypted repository import requests via a Man-in-the-Middle (MITM) attack.
CWE-319 Cleartext Transmission of Sensitive Information

CVSSv2:
  • Base Score: MEDIUM (5.8)
  • Vector: /AV:N/AC:M/Au:N/C:P/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (6.5)
  • Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N

CVE-2019-15005  

The Atlassian Troubleshooting and Support Tools plugin prior to version 1.17.2 allows an unprivileged user to initiate periodic log scans and send the results to a user-specified email address due to a missing authorization check. The email message may contain configuration information about the application that the plugin is installed into. A vulnerable version of the plugin is included with Bitbucket Server / Data Center before 6.6.0, Confluence Server / Data Center before 7.0.1, Jira Server / Data Center before 8.3.2, Crowd / Crowd Data Center before 3.6.0, Fisheye before 4.7.2, Crucible before 4.7.2, and Bamboo before 6.10.2.
CWE-862 Missing Authorization

CVSSv2:
  • Base Score: MEDIUM (4.0)
  • Vector: /AV:N/AC:L/Au:S/C:P/I:N/A:N
CVSSv3:
  • Base Score: MEDIUM (4.3)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

References:

Vulnerable Software & Versions:

CVE-2020-14170  

Webhooks in Atlassian Bitbucket Server from version 5.4.0 before version 7.3.1 allow remote attackers to access the content of internal network resources via a Server-Side Request Forgery (SSRF) vulnerability.
CWE-918 Server-Side Request Forgery (SSRF)

CVSSv2:
  • Base Score: MEDIUM (4.0)
  • Vector: /AV:N/AC:L/Au:S/C:P/I:N/A:N
CVSSv3:
  • Base Score: MEDIUM (4.3)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

References:

Vulnerable Software & Versions:

brave-apache-http-interceptors-3.0.0.jar

Description:

    Apache http client request and response interceptor implementations.
  

License:

Apache 2: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/andrii/.m2/repository/com/github/kristofa/brave-apache-http-interceptors/3.0.0/brave-apache-http-interceptors-3.0.0.jar
MD5: be26a2572bcc062af1e8515d6e3e5389
SHA1: df53928eefc797f48ba726efa8bd344a475fb6e6
SHA256:8e9de9cfc0b88fd0eafc10953b923baddcc560ee52e4a86c318c72898eb18e9a
Referenced In Project/Scope:space-comments:provided

Identifiers

CVE-2020-13956  

Apache HttpClient versions prior to version 4.5.13 and 5.0.3 can misinterpret malformed authority component in request URIs passed to the library as java.net.URI object and pick the wrong target host for request execution.
NVD-CWE-noinfo

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (5.3)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

References:

Vulnerable Software & Versions:

brave-core-3.0.0.jar

Description:

  	Brave core.
  

License:

Apache 2: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/andrii/.m2/repository/com/github/kristofa/brave-core/3.0.0/brave-core-3.0.0.jar
MD5: b643ee0d38f3d98ef95565028aa5857b
SHA1: 4203bd1367b0fceb261faa1f3606c232da28f9e5
SHA256:9dbc877cb7317d1ad0f86f160d7dab43cd07584eee406569517b9bb26802430a
Referenced In Project/Scope:space-comments:provided

Identifiers

brave-http-3.0.0.jar

Description:

        Abstraction that makes it easier to implement brave in http clients and servers.
    

License:

Apache 2: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/andrii/.m2/repository/com/github/kristofa/brave-http/3.0.0/brave-http-3.0.0.jar
MD5: 2eb3cb5b8bd35cc6e1385c0778c8f23d
SHA1: b2f2655e1144a3258cdf9712c5b6ee98d44e855e
SHA256:4396da6ce72cc0d9559eb27f3cf9dfae91c2e27541ab50f476cb2abcc1e284c6
Referenced In Project/Scope:space-comments:provided

Identifiers

brave-web-servlet-filter-3.0.0.jar

Description:

        Servlet Filter implementation.
    

File Path: /home/andrii/.m2/repository/com/github/kristofa/brave-web-servlet-filter/3.0.0/brave-web-servlet-filter-3.0.0.jar
MD5: f6d3afcaaf587c101acb05559dc28257
SHA1: 40eee12656bd80766d0c4763f2e6eadc6669a251
SHA256:3e360af55da9c54117350d4d77a212bda206d3b9d9ddd35cb6c6bcfcf6def516
Referenced In Project/Scope:space-comments:provided

Identifiers

button-b301ec95.js

File Path: /home/andrii/IdeaProjects/confluence-comments-server/src/main/resources/js/build/_snowpack/pkg/common/button-b301ec95.js
MD5: 3dd082cb5a76022a3a0cb63e8b362628
SHA1: 2146283af55631cb5250dcf7b004e0a1ab778e1b
SHA256:45eb3aef9ea0bfe6369265beb2b233a71546b238ed01054fe214ce08902e7f18
Referenced In Project/Scope:space-comments

Identifiers

  • None

button.js

File Path: /home/andrii/IdeaProjects/confluence-comments-server/src/main/resources/js/build/_snowpack/pkg/@atlaskit/button.js
MD5: 4781908ccadd86441377b11f141f7bfe
SHA1: 702d5430338ba25c68bc33ef2d2137b023c334a8
SHA256:0a94f7721c42b795bc06c33871df1cacc44c9ed1836e749b38b92f92e7660e2b
Referenced In Project/Scope:space-comments

Identifiers

  • None

c3p0-0.9.5.5.jar

Description:

a JDBC Connection pooling / Statement caching library

License:

GNU Lesser General Public License, Version 2.1: http://www.gnu.org/licenses/lgpl-2.1.html
Eclipse Public License, Version 1.0: http://www.eclipse.org/org/documents/epl-v10.php
File Path: /home/andrii/.m2/repository/com/mchange/c3p0/0.9.5.5/c3p0-0.9.5.5.jar
MD5: 9fc982b4b179e44cec986ea86fe1bff7
SHA1: 37dfc3021e5589d65ff2ae0becf811510b87ab01
SHA256:96cec5ddfe2f08b8407125d8228eb0392121e1bf2239ca621bb19228b67f741a
Referenced In Project/Scope:space-comments:provided

Identifiers

cglib-3.2.12.jar

File Path: /home/andrii/.m2/repository/cglib/cglib/3.2.12/cglib-3.2.12.jar
MD5: dd6eef2e7cc00d0314f2bce471121d4c
SHA1: 16c0d1d8b5d50ea9ad38c1f6f9f1e35a42727bf0
SHA256:82f941d7d60989433d61893cb0d0ec742e31925a471ed9d5a4ed786f5c9614a1
Referenced In Project/Scope:space-comments:provided

Identifiers

checker-qual-2.8.2.jar

Description:

        Checker Qual is the set of annotations (qualifiers) and supporting classes
        used by the Checker Framework to type check Java source code.  Please
        see artifact:
        org.checkerframework:checker
    

License:

The MIT License: http://opensource.org/licenses/MIT
File Path: /home/andrii/.m2/repository/org/checkerframework/checker-qual/2.8.2/checker-qual-2.8.2.jar
MD5: a1a80f11f9345cadb5fad1df898f43f5
SHA1: c1e0de498581b923865ff5c9c6f22db7be223b2e
SHA256:65b684eb34c8236ac89af713ba1d35a8dd8d8d496fc349b7d20410cc7988311a
Referenced In Project/Scope:space-comments:compile

Identifiers

classmate-1.3.0.jar

Description:

Library for introspecting types with full generic information
        including resolving of field and method types.
    

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/andrii/.m2/repository/com/fasterxml/classmate/1.3.0/classmate-1.3.0.jar
MD5: 80a7f4753882087669739bc119136da5
SHA1: 183407ff982e9375f1a1c4a51ed0a9307c598fc7
SHA256:11f836b0f3eba1544967317c052917c2987d78f0d1fb1e5a2bf93265174b9d77
Referenced In Project/Scope:space-comments:provided

Identifiers

cluster-monitoring-spi-3.0.2.jar

Description:

SPI the Cluster Monitoring plugin -- Allows developers to implement their own monitoring data suppliers.

File Path: /home/andrii/.m2/repository/com/atlassian/cluster/monitoring/cluster-monitoring-spi/3.0.2/cluster-monitoring-spi-3.0.2.jar
MD5: 34365ace291ee6bb31305d4cc568ac83
SHA1: 6163c14b81e2771ef2752c3b641ff636fa28cf5b
SHA256:2403418b9c8ceeb7e62562802b1f55d3b9119f79f9a64751265e1cbdf4ad0a47
Referenced In Project/Scope:space-comments:provided

Identifiers

colors-25aad6bf.js

File Path: /home/andrii/IdeaProjects/confluence-comments-server/src/main/resources/js/build/_snowpack/pkg/common/colors-25aad6bf.js
MD5: a727666f430ee17dc01658b4256cfea0
SHA1: 06f20a2f54e9694b0a5b5c6893894aed7380b8ea
SHA256:985c65edeb31d25ec0e225309ad9577fcce69ed291d74ab03859fe9b939c37dc
Referenced In Project/Scope:space-comments

Identifiers

  • None

comment.js

File Path: /home/andrii/IdeaProjects/confluence-comments-server/src/main/resources/js/build/_snowpack/pkg/@atlaskit/comment.js
MD5: bbdb6b26b614567a472a6335dea4247a
SHA1: e1e1e450f6896e7a759d0c7c43ad70dc4e355bac
SHA256:77dd214284c17e2dffa0e28e8050c3c95d1d51f3b0196d3a62ce9e1d02509b02
Referenced In Project/Scope:space-comments

Identifiers

  • None

common-io-3.4.1.jar

Description:

        The TwelveMonkeys Common IO support
    

File Path: /home/andrii/.m2/repository/com/twelvemonkeys/common/common-io/3.4.1/common-io-3.4.1.jar
MD5: 331071330075f62d047cb9f119fe4f1e
SHA1: 21f183828ef9431e007a67957cab3ad4ea1561ce
SHA256:cb734241b1c11f7aede68e49d1ae8e71ce7e307abebfc4fe99535a2b3ddecde5
Referenced In Project/Scope:space-comments:provided

Identifiers

CVE-2021-23792  

The package com.twelvemonkeys.imageio:imageio-metadata before 3.7.1 is vulnerable to XML External Entity (XXE) Injection due to an insecurely initialized XML parser for reading XMP Metadata. An attacker can exploit this vulnerability if they are able to supply a file (e.g. when an online profile picture is processed) with a malicious XMP segment. If the XMP metadata of the uploaded image is parsed, then the XXE vulnerability is triggered.
CWE-611 Improper Restriction of XML External Entity Reference ('XXE')

CVSSv2:
  • Base Score: HIGH (7.5)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions:

commons-beanutils-1.9.4.jar

Description:

Apache Commons BeanUtils provides an easy-to-use but flexible wrapper around reflection and introspection.

License:

https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/andrii/.m2/repository/commons-beanutils/commons-beanutils/1.9.4/commons-beanutils-1.9.4.jar
MD5: 07dc532ee316fe1f2f0323e9bd2f8df4
SHA1: d52b9abcd97f38c81342bb7e7ae1eee9b73cba51
SHA256:7d938c81789028045c08c065e94be75fc280527620d5bd62b519d5838532368a
Referenced In Project/Scope:space-comments:compile

Identifiers

commons-codec-1.14.jar

Description:

     The Apache Commons Codec package contains simple encoder and decoders for
     various formats such as Base64 and Hexadecimal.  In addition to these
     widely used encoders and decoders, the codec package also maintains a
     collection of phonetic encoding utilities.
  

License:

https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/andrii/.m2/repository/commons-codec/commons-codec/1.14/commons-codec-1.14.jar
MD5: e9158e0983096d3df09236f7b53125aa
SHA1: 3cb1181b2141a7e752f5bdc998b7ef1849f726cf
SHA256:a128e4f93fabe5381ded64cf2873019e06030b718eb43ceeae0b0e5d17ad33e9
Referenced In Project/Scope:space-comments:compile

Identifiers

commons-collections-3.2.2.jar

Description:

Types that extend and augment the Java Collections Framework.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/andrii/.m2/repository/commons-collections/commons-collections/3.2.2/commons-collections-3.2.2.jar
MD5: f54a8510f834a1a57166970bfc982e94
SHA1: 8ad72fe39fa8c91eaaf12aadb21e0c3661fe26d5
SHA256:eeeae917917144a68a741d4c0dff66aa5c5c5fd85593ff217bced3fc8ca783b8
Referenced In Project/Scope:space-comments:compile

Identifiers

commons-collections4-4.3.jar

Description:

The Apache Commons Collections package contains types that extend and augment the Java Collections Framework.

License:

https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/andrii/.m2/repository/org/apache/commons/commons-collections4/4.3/commons-collections4-4.3.jar
MD5: 20d1ebd548752d0d75aaae9faee66d6a
SHA1: 1c262f70f9b3c2351f1d13a9a9bd10d2ec7cfbc4
SHA256:62f8db7da73e551f82d70fd533834177af6bd953de4b5e85c44dc2100de4beb8
Referenced In Project/Scope:space-comments:compile

Identifiers

commons-compress-1.19.jar

Description:

Apache Commons Compress software defines an API for working with
compression and archive formats.  These include: bzip2, gzip, pack200,
lzma, xz, Snappy, traditional Unix Compress, DEFLATE, DEFLATE64, LZ4,
Brotli, Zstandard and ar, cpio, jar, tar, zip, dump, 7z, arj.
  

License:

https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/andrii/.m2/repository/org/apache/commons/commons-compress/1.19/commons-compress-1.19.jar
MD5: fe897bced43468450b785b66c1cff455
SHA1: 7e65777fb451ddab6a9c054beb879e521b7eab78
SHA256:ff2d59fad74e867630fbc7daab14c432654712ac624dbee468d220677b124dd5
Referenced In Project/Scope:space-comments:compile

Identifiers

CVE-2021-35515  

When reading a specially crafted 7Z archive, the construction of the list of codecs that decompress an entry can result in an infinite loop. This could be used to mount a denial of service attack against services that use Compress' sevenz package.
CWE-835 Loop with Unreachable Exit Condition ('Infinite Loop')

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:P
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References:

Vulnerable Software & Versions:

CVE-2021-35516  

When reading a specially crafted 7Z archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' sevenz package.
CWE-770 Allocation of Resources Without Limits or Throttling

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:P
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References:

Vulnerable Software & Versions:

CVE-2021-35517  

When reading a specially crafted TAR archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' tar package.
CWE-770 Allocation of Resources Without Limits or Throttling

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:P
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References:

Vulnerable Software & Versions:

CVE-2021-36090  

When reading a specially crafted ZIP archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' zip package.
NVD-CWE-Other

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:P
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References:

Vulnerable Software & Versions:

commons-dbcp2-2.9.0.jar

Description:

Apache Commons DBCP software implements Database Connection Pooling

License:

https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/andrii/.m2/repository/org/apache/commons/commons-dbcp2/2.9.0/commons-dbcp2-2.9.0.jar
MD5: c2a72212a55d105b0eaeaab26557e6e7
SHA1: 16d808749cf3dac900c073dd834b5e288562a59c
SHA256:887720912c5cbbcdff6e0e21d5034937555f8ffc597381eff8fa77f33ce6d64e
Referenced In Project/Scope:space-comments:compile

Identifiers

commons-digester-1.5.jar

Description:

The Digester package lets you configure an XML->Java object mapping module which triggers certain actions called rules whenever a particular pattern of nested XML elements is recognized.

File Path: /home/andrii/.m2/repository/commons-digester/commons-digester/1.5/commons-digester-1.5.jar
MD5: 4bab2d22aa4dc855b13780237831d1f4
SHA1: c1dd42b0c244ad2a354219192881be8f4140cddd
SHA256:5b43bd226c9de50fc507a30f964a8d1725b0a3d0e90ea3a0fcaeb33e641b1fc3
Referenced In Project/Scope:space-comments:compile

Identifiers

commons-discovery-0.5.jar

Description:

The Apache Commons Discovery component is about discovering, or finding,
  implementations for pluggable interfaces.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/andrii/.m2/repository/commons-discovery/commons-discovery/0.5/commons-discovery-0.5.jar
MD5: b35120680c3a22cec7a037fce196cd97
SHA1: 3a8ac816bbe02d2f88523ef22cbf2c4abd71d6a8
SHA256:e5b7d58ae62e5b309d5c0ffa5a5b1d9d1e0f0c4c3cc18d1fe3103fd29f90149d
Referenced In Project/Scope:space-comments:provided

Identifiers

CVE-2022-0869  

Multiple Open Redirect in GitHub repository nitely/spirit prior to 0.12.3.
CWE-601 URL Redirection to Untrusted Site ('Open Redirect')

CVSSv2:
  • Base Score: MEDIUM (5.8)
  • Vector: /AV:N/AC:M/Au:N/C:P/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (6.1)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

References:

Vulnerable Software & Versions:

commons-fileupload-1.4.jar

Description:

    The Apache Commons FileUpload component provides a simple yet flexible means of adding support for multipart
    file upload functionality to servlets and web applications.
  

License:

https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/andrii/.m2/repository/commons-fileupload/commons-fileupload/1.4/commons-fileupload-1.4.jar
MD5: 0c3b924dcaaa90c3fb93fe04ae96a35e
SHA1: f95188e3d372e20e7328706c37ef366e5d7859b0
SHA256:a4ec02336f49253ea50405698b79232b8c5cbf02cb60df3a674d77a749a1def7
Referenced In Project/Scope:space-comments:provided

Identifiers

commons-httpclient-3.1-atlassian-2.jar

Description:

The HttpClient  component supports the client-side of RFC 1945 (HTTP/1.0)  and RFC 2616 (HTTP/1.1) , several related specifications (RFC 2109 (Cookies) , RFC 2617 (HTTP Authentication) , etc.), and provides a framework by which new request types (methods) or HTTP extensions can be created easily.

License:

Apache License: http://www.apache.org/licenses/LICENSE-2.0
File Path: /home/andrii/.m2/repository/commons-httpclient/commons-httpclient/3.1-atlassian-2/commons-httpclient-3.1-atlassian-2.jar
MD5: 283a27560da413ac4e7305e87a269dfa
SHA1: 1e4ff544b54f14355360aa5908e518f22567215e
SHA256:522a4695d87fb0809ce335a92ee4c0a01105273ad6b45203eb1495362e6406c3
Referenced In Project/Scope:space-comments:provided

Identifiers

CVE-2012-5783 (OSSINDEX)  

Apache Commons HttpClient 3.x, as used in Amazon Flexible Payments Service (FPS) merchant Java SDK and other products, does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.
CWE-295 Improper Certificate Validation

CVSSv2:
  • Base Score: MEDIUM (5.8)
  • Vector: /AV:N/AC:M/Au:N/C:P/I:P/A:N

References:

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:commons-httpclient:commons-httpclient:3.1-atlassian-2:*:*:*:*:*:*:*

CVE-2020-13956  

Apache HttpClient versions prior to version 4.5.13 and 5.0.3 can misinterpret malformed authority component in request URIs passed to the library as java.net.URI object and pick the wrong target host for request execution.
NVD-CWE-noinfo

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (5.3)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

References:

Vulnerable Software & Versions:

commons-io-2.8.0.jar

Description:

The Apache Commons IO library contains utility classes, stream implementations, file filters,
file comparators, endian transformation classes, and much more.
  

License:

https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/andrii/.m2/repository/commons-io/commons-io/2.8.0/commons-io-2.8.0.jar
MD5: 21ba575792e2694c39af13918a80550b
SHA1: 92999e26e6534606b5678014e66948286298a35c
SHA256:02f291e5d1243dc143496e3cbbb40a1ced47aa58f2d633d3e38780cd068d5074
Referenced In Project/Scope:space-comments:compile

Identifiers

commons-jcs-core-2.2.1.jar

Description:

Apache Commons JCS is a distributed, versatile caching system.

License:

https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/andrii/.m2/repository/org/apache/commons/commons-jcs-core/2.2.1/commons-jcs-core-2.2.1.jar
MD5: fd41b509c3853faf088e5c340402d609
SHA1: 3ffac1956b0d88fff8adefdf1e68d69cfe296191
SHA256:7f98edf1e69b32137a2181722dadd1220f61d184414df17061a0e10e40535a2d
Referenced In Project/Scope:space-comments:compile

Identifiers

commons-jrcs-diff-0.1.7.jar

File Path: /home/andrii/.m2/repository/commons-jrcs/commons-jrcs/diff-0.1.7/commons-jrcs-diff-0.1.7.jar
MD5: 713d64be8b4501f9a16300015cb1f06e
SHA1: 36e7256f61983431dc218f9353a53e88c136c058
SHA256:7eea7d16fb486f25a27c312b9e99c69043be8ca30efa3c2569767b07bb4451d2
Referenced In Project/Scope:space-comments:provided

Identifiers

commons-lang-2.6.jar

Description:

        Commons Lang, a package of Java utility classes for the
        classes that are in java.lang's hierarchy, or are considered to be so
        standard as to justify existence in java.lang.
    

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/andrii/.m2/repository/commons-lang/commons-lang/2.6/commons-lang-2.6.jar
MD5: 4d5c1693079575b362edf41500630bbd
SHA1: 0ce1edb914c94ebc388f086c6827e8bdeec71ac2
SHA256:50f11b09f877c294d56f24463f47d28f929cf5044f648661c0f0cfbae9a2f49c
Referenced In Project/Scope:space-comments:provided

Identifiers

commons-lang3-3.9.jar

Description:

  Apache Commons Lang, a package of Java utility classes for the
  classes that are in java.lang's hierarchy, or are considered to be so
  standard as to justify existence in java.lang.
  

License:

https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/andrii/.m2/repository/org/apache/commons/commons-lang3/3.9/commons-lang3-3.9.jar
MD5: fa752c3cb5474b05e14bf2ed7e242020
SHA1: 0122c7cee69b53ed4a7681c03d4ee4c0e2765da5
SHA256:de2e1dcdcf3ef917a8ce858661a06726a9a944f28e33ad7f9e08bea44dc3c230
Referenced In Project/Scope:space-comments:compile

Identifiers

commons-logging-1.0.4.jar

Description:

Commons Logging is a thin adapter allowing configurable bridging to other,
    well known logging systems.

License:

The Apache Software License, Version 2.0: /LICENSE.txt
File Path: /home/andrii/.m2/repository/commons-logging/commons-logging/1.0.4/commons-logging-1.0.4.jar
MD5: 8a507817b28077e0478add944c64586a
SHA1: f029a2aefe2b3e1517573c580f948caac31b1056
SHA256:e94af49749384c11f5aa50e8d0f5fe679be771295b52030338d32843c980351e
Referenced In Project/Scope:space-comments:compile

Identifiers

commons-math3-3.6.1.jar

Description:

The Apache Commons Math project is a library of lightweight, self-contained mathematics and statistics components addressing the most common practical problems not immediately available in the Java programming language or commons-lang.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/andrii/.m2/repository/org/apache/commons/commons-math3/3.6.1/commons-math3-3.6.1.jar
MD5: 5b730d97e4e6368069de1983937c508e
SHA1: e4ba98f1d4b3c80ec46392f25e094a6a2e58fcbf
SHA256:1e56d7b058d28b65abd256b8458e3885b674c1d588fa43cd7d1cbb9c7ef2b308
Referenced In Project/Scope:space-comments:provided

Identifiers

commons-pool-1.6.jar

Description:

Commons Object Pooling Library

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/andrii/.m2/repository/commons-pool/commons-pool/1.6/commons-pool-1.6.jar
MD5: 5ca02245c829422176d23fa530e919cc
SHA1: 4572d589699f09d866a226a14b7f4323c6d8f040
SHA256:46c42b4a38dc6b2db53a9ee5c92c63db103665d56694e2cfce2c95d51a6860cc
Referenced In Project/Scope:space-comments:provided

Identifiers

commons-pool2-2.6.2.jar

Description:

The Apache Commons Object Pooling Library.

License:

https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/andrii/.m2/repository/org/apache/commons/commons-pool2/2.6.2/commons-pool2-2.6.2.jar
MD5: 696197d79439773526f300b1a5eb38c9
SHA1: 775a8072995b29eafe8fb0a828a190589f71cede
SHA256:689091759a3a4d8da3be38480e3df3fbcb3c3c9d81811d40cb64c56ae62e68f7
Referenced In Project/Scope:space-comments:compile

Identifiers

commons-text-1.6.jar

Description:

Apache Commons Text is a library focused on algorithms working on strings.

License:

https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/andrii/.m2/repository/org/apache/commons/commons-text/1.6/commons-text-1.6.jar
MD5: a1fb840c3963ed43c78291b5e61d55ac
SHA1: ba72cf0c40cf701e972fe7720ae844629f4ecca2
SHA256:df45e56549b63e0fe716953c9d43cc158f8bf008baf60498e7c17f3faa00a70b
Referenced In Project/Scope:space-comments:compile

Identifiers

CVE-2022-42889  

Apache Commons Text performs variable interpolation, allowing properties to be dynamically evaluated and expanded. The standard format for interpolation is "${prefix:name}", where "prefix" is used to locate an instance of org.apache.commons.text.lookup.StringLookup that performs the interpolation. Starting with version 1.5 and continuing through 1.9, the set of default Lookup instances included interpolators that could result in arbitrary code execution or contact with remote servers. These lookups are:
  • "script" - execute expressions using the JVM script execution engine (javax.script)
  • "dns" - resolve dns records
  • "url" - load values from urls, including from remote servers
Applications using the interpolation defaults in the affected versions may be vulnerable to remote code execution or unintentional contact with remote servers if untrusted configuration values are used. Users are recommended to upgrade to Apache Commons Text 1.10.0, which disables the problematic interpolators by default.
CWE-94 Improper Control of Generation of Code ('Code Injection')

CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions:

commons-validator-1.5.1.jar

Description:

    Apache Commons Validator provides the building blocks for both client side validation and server side data validation.
    It may be used standalone or with a framework like Struts.
  

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/andrii/.m2/repository/commons-validator/commons-validator/1.5.1/commons-validator-1.5.1.jar
MD5: 67fad26aa0c1e884a6aa4249a6126a88
SHA1: 86d05a46e8f064b300657f751b5a98c62807e2a0
SHA256:142f83e56fed6d46d0472779cdbd52cd856894bc5189ac73f3e02b79f84b3dd6
Referenced In Project/Scope:space-comments:compile

Identifiers

compiler-0.9.6.jar

Description:

Implementation of mustache.js for Java

License:

Apache License 2.0: http://www.apache.org/licenses/LICENSE-2.0
File Path: /home/andrii/.m2/repository/com/github/spullara/mustache/java/compiler/0.9.6/compiler-0.9.6.jar
MD5: 9245fdbf50ad59ea81781ebdaa8cdb02
SHA1: 1b8707299c34406ed0ba40bbf8513352ac4765c9
SHA256:c4d697fd3619cb616cc5e22e9530c8a4fd4a8e9a76953c0655ee627cb2d22318
Referenced In Project/Scope:space-comments:compile

Identifiers

confluence-7.13.0.jar

File Path: /home/andrii/.m2/repository/com/atlassian/confluence/confluence/7.13.0/confluence-7.13.0.jar
MD5: 1ccb8b898e0e3d2343b292d04deceef6
SHA1: 59d799a3b0a47783f4a1a4f3f4ebf9c63b91e06f
SHA256:05e67dd3a7f62abf26909a4b2f472299329c8e903f2dfbb191391eada297ddb6
Referenced In Project/Scope:space-comments:provided

Identifiers

confluence-compat-lib-1.0.0.jar

File Path: /home/andrii/.m2/repository/com/atlassian/confluence/compat/confluence-compat-lib/1.0.0/confluence-compat-lib-1.0.0.jar
MD5: 816090fdf2e323f32a7afabba27f5eb2
SHA1: 48fb39610a4eec4dbb96339ce24bb0bc19e6fac3
SHA256:1800005119ec2da5cd18d66a6d482dc942c37e03b7a53d19196528306d56c40a
Referenced In Project/Scope:space-comments:provided

Identifiers

CVE-2019-3395  

The WebDAV endpoint in Atlassian Confluence Server and Data Center before version 6.6.7 (the fixed version for 6.6.x), from version 6.7.0 before 6.8.5 (the fixed version for 6.8.x), and from version 6.9.0 before 6.9.3 (the fixed version for 6.9.x) allows remote attackers to send arbitrary HTTP and WebDAV requests from a Confluence Server or Data Center instance via Server-Side Request Forgery.
CWE-918 Server-Side Request Forgery (SSRF)

CVSSv2:
  • Base Score: HIGH (7.5)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions:

CVE-2019-3396  

The Widget Connector macro in Atlassian Confluence Server before version 6.6.12 (the fixed version for 6.6.x), from version 6.7.0 before 6.12.3 (the fixed version for 6.12.x), from version 6.13.0 before 6.13.3 (the fixed version for 6.13.x), and from version 6.14.0 before 6.14.2 (the fixed version for 6.14.x), allows remote attackers to achieve path traversal and remote code execution on a Confluence Server or Data Center instance via server-side template injection.
CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVSSv2:
  • Base Score: HIGH (10.0)
  • Vector: /AV:N/AC:L/Au:N/C:C/I:C/A:C
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions:

CVE-2012-2926  

Atlassian JIRA before 5.0.1; Confluence before 3.5.16, 4.0 before 4.0.7, and 4.1 before 4.1.10; FishEye and Crucible before 2.5.8, 2.6 before 2.6.8, and 2.7 before 2.7.12; Bamboo before 3.3.4 and 3.4.x before 3.4.5; and Crowd before 2.0.9, 2.1 before 2.1.2, 2.2 before 2.2.9, 2.3 before 2.3.7, and 2.4 before 2.4.1 do not properly restrict the capabilities of third-party XML parsers, which allows remote attackers to read arbitrary files or cause a denial of service (resource consumption) via unspecified vectors.
NVD-CWE-noinfo

CVSSv2:
  • Base Score: MEDIUM (6.4)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:P
CVSSv3:
  • Base Score: CRITICAL (9.1)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H

References:

Vulnerable Software & Versions:

CVE-2019-20406  

The usage of Tomcat in Confluence on the Microsoft Windows operating system before version 7.0.5, and from version 7.1.0 before version 7.1.1 allows local system attackers who have permission to write a DLL file in a directory in the global path environmental variable to inject code & escalate their privileges via a DLL hijacking vulnerability.
CWE-427 Uncontrolled Search Path Element

CVSSv2:
  • Base Score: MEDIUM (4.4)
  • Vector: /AV:L/AC:M/Au:N/C:P/I:P/A:P
CVSSv3:
  • Base Score: HIGH (7.8)
  • Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions:

CVE-2015-8398  

Cross-site scripting (XSS) vulnerability in Atlassian Confluence before 5.8.17 allows remote attackers to inject arbitrary web script or HTML via the PATH_INFO to rest/prototype/1/session/check.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (6.1)
  • Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

References:

Vulnerable Software & Versions:

CVE-2016-6283  

Cross-site scripting (XSS) vulnerability in Atlassian Confluence before 5.10.6 allows remote attackers to inject arbitrary web script or HTML via the newFileName parameter to pages/doeditattachment.action.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (6.1)
  • Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

References:

Vulnerable Software & Versions:

CVE-2017-16856  

The RSS Feed macro in Atlassian Confluence before version 6.5.2 allows remote attackers to inject arbitrary HTML or JavaScript via cross site scripting (XSS) vulnerabilities in various rss properties which were used as links without restriction on their scheme.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (6.1)
  • Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

References:

Vulnerable Software & Versions:

CVE-2017-18085  

The viewdefaultdecorator resource in Atlassian Confluence Server before version 6.6.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability through the key parameter.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (6.1)
  • Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

References:

Vulnerable Software & Versions:

CVE-2017-18086  

Various resources in Atlassian Confluence Server before version 6.4.2 allow remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the issuesURL parameter.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (6.1)
  • Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

References:

Vulnerable Software & Versions:

CVE-2016-4317  

Atlassian Confluence Server before 5.9.11 has XSS on the viewmyprofile.action page.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv2:
  • Base Score: LOW (3.5)
  • Vector: /AV:N/AC:M/Au:S/C:N/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (5.4)
  • Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

References:

Vulnerable Software & Versions:

CVE-2017-18083  

The editinword resource in Atlassian Confluence Server before version 6.4.0 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability through the contents of an uploaded file.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv2:
  • Base Score: LOW (3.5)
  • Vector: /AV:N/AC:M/Au:S/C:N/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (5.4)
  • Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

References:

Vulnerable Software & Versions:

CVE-2017-18084  

The usermacros resource in Atlassian Confluence Server before version 6.3.4 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability through the description of a macro.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv2:
  • Base Score: LOW (3.5)
  • Vector: /AV:N/AC:M/Au:S/C:N/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (4.8)
  • Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

References:

Vulnerable Software & Versions:

CVE-2018-13389  

The attachment resource in Atlassian Confluence before version 6.6.1 allows remote attackers to spoof web content in the Mozilla Firefox Browser through attachments that have a content-type of application/rdf+xml.
CWE-20 Improper Input Validation

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (4.7)
  • Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N

References:

Vulnerable Software & Versions:

CVE-2020-4027  

Affected versions of Atlassian Confluence Server and Data Center allowed remote attackers with system administration permissions to bypass velocity template injection mitigations via an injection vulnerability in custom user macros. The affected versions are before version 7.4.5, and from version 7.5.0 before 7.5.1.
CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

CVSSv2:
  • Base Score: MEDIUM (6.5)
  • Vector: /AV:N/AC:L/Au:S/C:P/I:P/A:P
CVSSv3:
  • Base Score: MEDIUM (4.7)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L

References:

Vulnerable Software & Versions:

CVE-2015-8399  

Atlassian Confluence before 5.8.17 allows remote authenticated users to read configuration files via the decoratorName parameter to (1) spaces/viewdefaultdecorator.action or (2) admin/viewdefaultdecorator.action.
CWE-200 Information Exposure

CVSSv2:
  • Base Score: MEDIUM (4.0)
  • Vector: /AV:N/AC:L/Au:S/C:P/I:N/A:N
CVSSv3:
  • Base Score: MEDIUM (4.3)
  • Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

References:

Vulnerable Software & Versions:

CVE-2019-15005  

The Atlassian Troubleshooting and Support Tools plugin prior to version 1.17.2 allows an unprivileged user to initiate periodic log scans and send the results to a user-specified email address due to a missing authorization check. The email message may contain configuration information about the application that the plugin is installed into. A vulnerable version of the plugin is included with Bitbucket Server / Data Center before 6.6.0, Confluence Server / Data Center before 7.0.1, Jira Server / Data Center before 8.3.2, Crowd / Crowd Data Center before 3.6.0, Fisheye before 4.7.2, Crucible before 4.7.2, and Bamboo before 6.10.2.
CWE-862 Missing Authorization

CVSSv2:
  • Base Score: MEDIUM (4.0)
  • Vector: /AV:N/AC:L/Au:S/C:P/I:N/A:N
CVSSv3:
  • Base Score: MEDIUM (4.3)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

References:

Vulnerable Software & Versions:

confluence-extractor-api-plugin-2.0.9.jar

License:

BSD License: https://maven.atlassian.com/public/licenses/license.txt
File Path: /home/andrii/.m2/repository/com/atlassian/confluence/plugins/confluence-extractor-api-plugin/2.0.9/confluence-extractor-api-plugin-2.0.9.jar
MD5: 1b97fcee37b798559829e425dcb41b3a
SHA1: fdcbc19677fb9d05e43883c11e4a04fbf726a866
SHA256:86e471689512c5e016c7a545baa13d28d47d82d1e0b1cd9a7bf27bf23be0d069
Referenced In Project/Scope:space-comments:provided

Identifiers

CVE-2019-3395  

The WebDAV endpoint in Atlassian Confluence Server and Data Center before version 6.6.7 (the fixed version for 6.6.x), from version 6.7.0 before 6.8.5 (the fixed version for 6.8.x), and from version 6.9.0 before 6.9.3 (the fixed version for 6.9.x) allows remote attackers to send arbitrary HTTP and WebDAV requests from a Confluence Server or Data Center instance via Server-Side Request Forgery.
CWE-918 Server-Side Request Forgery (SSRF)

CVSSv2:
  • Base Score: HIGH (7.5)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions:

CVE-2019-3396  

The Widget Connector macro in Atlassian Confluence Server before version 6.6.12 (the fixed version for 6.6.x), from version 6.7.0 before 6.12.3 (the fixed version for 6.12.x), from version 6.13.0 before 6.13.3 (the fixed version for 6.13.x), and from version 6.14.0 before 6.14.2 (the fixed version for 6.14.x), allows remote attackers to achieve path traversal and remote code execution on a Confluence Server or Data Center instance via server-side template injection.
CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVSSv2:
  • Base Score: HIGH (10.0)
  • Vector: /AV:N/AC:L/Au:N/C:C/I:C/A:C
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions:

CVE-2012-2926  

Atlassian JIRA before 5.0.1; Confluence before 3.5.16, 4.0 before 4.0.7, and 4.1 before 4.1.10; FishEye and Crucible before 2.5.8, 2.6 before 2.6.8, and 2.7 before 2.7.12; Bamboo before 3.3.4 and 3.4.x before 3.4.5; and Crowd before 2.0.9, 2.1 before 2.1.2, 2.2 before 2.2.9, 2.3 before 2.3.7, and 2.4 before 2.4.1 do not properly restrict the capabilities of third-party XML parsers, which allows remote attackers to read arbitrary files or cause a denial of service (resource consumption) via unspecified vectors.
NVD-CWE-noinfo

CVSSv2:
  • Base Score: MEDIUM (6.4)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:P
CVSSv3:
  • Base Score: CRITICAL (9.1)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H

References:

Vulnerable Software & Versions:

CVE-2019-3398  

Confluence Server and Data Center had a path traversal vulnerability in the downloadallattachments resource. A remote attacker who has permission to add attachments to pages and / or blogs or to create a new space or a personal space or who has 'Admin' permissions for a space can exploit this path traversal vulnerability to write files to arbitrary locations which can lead to remote code execution on systems that run a vulnerable version of Confluence Server or Data Center. All versions of Confluence Server from 2.0.0 before 6.6.13 (the fixed version for 6.6.x), from 6.7.0 before 6.12.4 (the fixed version for 6.12.x), from 6.13.0 before 6.13.4 (the fixed version for 6.13.x), from 6.14.0 before 6.14.3 (the fixed version for 6.14.x), and from 6.15.0 before 6.15.2 are affected by this vulnerability.
CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVSSv2:
  • Base Score: HIGH (9.0)
  • Vector: /AV:N/AC:L/Au:S/C:C/I:C/A:C
CVSSv3:
  • Base Score: HIGH (8.8)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions:

CVE-2019-20406  

The usage of Tomcat in Confluence on the Microsoft Windows operating system before version 7.0.5, and from version 7.1.0 before version 7.1.1 allows local system attackers who have permission to write a DLL file in a directory in the global path environmental variable to inject code & escalate their privileges via a DLL hijacking vulnerability.
CWE-427 Uncontrolled Search Path Element

CVSSv2:
  • Base Score: MEDIUM (4.4)
  • Vector: /AV:L/AC:M/Au:N/C:P/I:P/A:P
CVSSv3:
  • Base Score: HIGH (7.8)
  • Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions:

CVE-2015-8398  

Cross-site scripting (XSS) vulnerability in Atlassian Confluence before 5.8.17 allows remote attackers to inject arbitrary web script or HTML via the PATH_INFO to rest/prototype/1/session/check.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (6.1)
  • Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

References:

Vulnerable Software & Versions:

CVE-2016-6283  

Cross-site scripting (XSS) vulnerability in Atlassian Confluence before 5.10.6 allows remote attackers to inject arbitrary web script or HTML via the newFileName parameter to pages/doeditattachment.action.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (6.1)
  • Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

References:

Vulnerable Software & Versions:

CVE-2017-16856  

The RSS Feed macro in Atlassian Confluence before version 6.5.2 allows remote attackers to inject arbitrary HTML or JavaScript via cross site scripting (XSS) vulnerabilities in various rss properties which were used as links without restriction on their scheme.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (6.1)
  • Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

References:

Vulnerable Software & Versions:

CVE-2017-18085  

The viewdefaultdecorator resource in Atlassian Confluence Server before version 6.6.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability through the key parameter.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (6.1)
  • Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

References:

Vulnerable Software & Versions:

CVE-2017-18086  

Various resources in Atlassian Confluence Server before version 6.4.2 allow remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the issuesURL parameter.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (6.1)
  • Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

References:

Vulnerable Software & Versions:

CVE-2016-4317  

Atlassian Confluence Server before 5.9.11 has XSS on the viewmyprofile.action page.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv2:
  • Base Score: LOW (3.5)
  • Vector: /AV:N/AC:M/Au:S/C:N/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (5.4)
  • Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

References:

Vulnerable Software & Versions:

CVE-2017-18083  

The editinword resource in Atlassian Confluence Server before version 6.4.0 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability through the contents of an uploaded file.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv2:
  • Base Score: LOW (3.5)
  • Vector: /AV:N/AC:M/Au:S/C:N/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (5.4)
  • Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

References:

Vulnerable Software & Versions:

CVE-2017-18084  

The usermacros resource in Atlassian Confluence Server before version 6.3.4 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability through the description of a macro.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv2:
  • Base Score: LOW (3.5)
  • Vector: /AV:N/AC:M/Au:S/C:N/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (4.8)
  • Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

References:

Vulnerable Software & Versions:

CVE-2018-13389  

The attachment resource in Atlassian Confluence before version 6.6.1 allows remote attackers to spoof web content in the Mozilla Firefox Browser through attachments that have a content-type of application/rdf+xml.
CWE-20 Improper Input Validation

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (4.7)
  • Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N

References:

Vulnerable Software & Versions:

CVE-2020-4027  

Affected versions of Atlassian Confluence Server and Data Center allowed remote attackers with system administration permissions to bypass velocity template injection mitigations via an injection vulnerability in custom user macros. The affected versions are before version 7.4.5, and from version 7.5.0 before 7.5.1.
CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

CVSSv2:
  • Base Score: MEDIUM (6.5)
  • Vector: /AV:N/AC:L/Au:S/C:P/I:P/A:P
CVSSv3:
  • Base Score: MEDIUM (4.7)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L

References:

Vulnerable Software & Versions:

CVE-2015-8399  

Atlassian Confluence before 5.8.17 allows remote authenticated users to read configuration files via the decoratorName parameter to (1) spaces/viewdefaultdecorator.action or (2) admin/viewdefaultdecorator.action.
CWE-200 Information Exposure

CVSSv2:
  • Base Score: MEDIUM (4.0)
  • Vector: /AV:N/AC:L/Au:S/C:P/I:N/A:N
CVSSv3:
  • Base Score: MEDIUM (4.3)
  • Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

References:

Vulnerable Software & Versions:

CVE-2019-15005  

The Atlassian Troubleshooting and Support Tools plugin prior to version 1.17.2 allows an unprivileged user to initiate periodic log scans and send the results to a user-specified email address due to a missing authorization check. The email message may contain configuration information about the application that the plugin is installed into. A vulnerable version of the plugin is included with Bitbucket Server / Data Center before 6.6.0, Confluence Server / Data Center before 7.0.1, Jira Server / Data Center before 8.3.2, Crowd / Crowd Data Center before 3.6.0, Fisheye before 4.7.2, Crucible before 4.7.2, and Bamboo before 6.10.2.
CWE-862 Missing Authorization

CVSSv2:
  • Base Score: MEDIUM (4.0)
  • Vector: /AV:N/AC:L/Au:S/C:P/I:N/A:N
CVSSv3:
  • Base Score: MEDIUM (4.3)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

References:

Vulnerable Software & Versions:

content-type-2.0.jar

Description:

Java library for Content (Media) Type representation

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/andrii/.m2/repository/com/nimbusds/content-type/2.0/content-type-2.0.jar
MD5: 34127db525a09b004e298bcfa8806834
SHA1: 12ebb1f6b7794684e4c56918fe59df3d7aab72b0
SHA256:d54f0f6bc9faebf66490702da8ed57d3fb5f5578c4f26f76b13c06ea0f9b88f6
Referenced In Project/Scope:space-comments:provided

Identifiers

core.js

File Path: /home/andrii/IdeaProjects/confluence-comments-server/src/main/resources/js/build/_snowpack/pkg/@js-joda/core.js
MD5: a6f56150560d1a52126574761435539f
SHA1: ba2310952cc1abc2af3699d5d3720543ef601f9b
SHA256:1f3c81abd08c919048a66924fb30cd19df847c6d3a4c0be694de9efbf10038de
Referenced In Project/Scope:space-comments

Identifiers

  • None

cpe-parser-2.0.2.jar

Description:

A utility for validating and parsing Common Platform Enumeration (CPE) v2.2 and v2.3 as originally defined by MITRE and maintained by NIST.

License:

Apache-2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/andrii/.m2/repository/us/springett/cpe-parser/2.0.2/cpe-parser-2.0.2.jar
MD5: f07de5ae8549a93b912a223a83c30655
SHA1: 677cff319cdc8bd9578a3d04c1fd9c366cc9ff6e
SHA256:8fddc10cf23ad8d3329dd8343ea1e291e1eb39344dd6e61b676a0cde88cf6375
Referenced In Project/Scope:space-comments:compile

Identifiers

createAndFireEvent-5db755ab.js

File Path: /home/andrii/IdeaProjects/confluence-comments-server/src/main/resources/js/build/_snowpack/pkg/common/createAndFireEvent-5db755ab.js
MD5: c1c9c6e007917c4dfc41427f80457ced
SHA1: 3957331d91688fdac29145a9cfe16276cb599a03
SHA256:5fca054e95aecb8252ffa2c601743da59c39d48d7980f1740dab934c058da440
Referenced In Project/Scope:space-comments

Identifiers

  • None

crowd-server-api-4.2.2.jar

Description:

API which only applies to Crowd as a standalone application. Consumed by plugins.

File Path: /home/andrii/.m2/repository/com/atlassian/crowd/crowd-server-api/4.2.2/crowd-server-api-4.2.2.jar
MD5: 3c8da6653f0b1c7f1f041ef0ccd9e683
SHA1: c08c741a63d8ea100144dea1f92bea890ad3961e
SHA256:08baef896aa6854e1d749be69be1bb92d4c7637199c6386a7ebc5c1b7753d2c7
Referenced In Project/Scope:space-comments:provided

Identifiers

CVE-2022-26136  

A vulnerability in multiple Atlassian products allows a remote, unauthenticated attacker to bypass Servlet Filters used by first and third party apps. The impact depends on which filters are used by each app, and how the filters are used. This vulnerability can result in authentication bypass and cross-site scripting. Atlassian has released updates that fix the root cause of this vulnerability, but has not exhaustively enumerated all potential consequences of this vulnerability. Atlassian Bamboo versions are affected before 8.0.9, from 8.1.0 before 8.1.8, and from 8.2.0 before 8.2.4. Atlassian Bitbucket versions are affected before 7.6.16, from 7.7.0 before 7.17.8, from 7.18.0 before 7.19.5, from 7.20.0 before 7.20.2, from 7.21.0 before 7.21.2, and versions 8.0.0 and 8.1.0. Atlassian Confluence versions are affected before 7.4.17, from 7.5.0 before 7.13.7, from 7.14.0 before 7.14.3, from 7.15.0 before 7.15.2, from 7.16.0 before 7.16.4, from 7.17.0 before 7.17.4, and version 7.21.0. Atlassian Crowd versions are affected before 4.3.8, from 4.4.0 before 4.4.2, and version 5.0.0. Atlassian Fisheye and Crucible versions before 4.8.10 are affected. Atlassian Jira versions are affected before 8.13.22, from 8.14.0 before 8.20.10, and from 8.21.0 before 8.22.4. Atlassian Jira Service Management versions are affected before 4.13.22, from 4.14.0 before 4.20.10, and from 4.21.0 before 4.22.4.
CWE-287 Improper Authentication

CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions:

CVE-2022-43782  

Affected versions of Atlassian Crowd allow an attacker to authenticate as the crowd application via security misconfiguration and subsequent ability to call privileged endpoints in Crowd's REST API under the {{usermanagement}} path. This vulnerability can only be exploited by IPs specified under the crowd application allowlist in the Remote Addresses configuration, which is {{none}} by default. The affected versions are all versions 3.x.x, versions 4.x.x before version 4.4.4, and versions 5.x.x before 5.0.3.
CWE-287 Improper Authentication

CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions:

CVE-2022-26137  

A vulnerability in multiple Atlassian products allows a remote, unauthenticated attacker to cause additional Servlet Filters to be invoked when the application processes requests or responses. Atlassian has confirmed and fixed the only known security issue associated with this vulnerability: Cross-origin resource sharing (CORS) bypass. Sending a specially crafted HTTP request can invoke the Servlet Filter used to respond to CORS requests, resulting in a CORS bypass. An attacker that can trick a user into requesting a malicious URL can access the vulnerable application with the victim’s permissions. Atlassian Bamboo versions are affected before 8.0.9, from 8.1.0 before 8.1.8, and from 8.2.0 before 8.2.4. Atlassian Bitbucket versions are affected before 7.6.16, from 7.7.0 before 7.17.8, from 7.18.0 before 7.19.5, from 7.20.0 before 7.20.2, from 7.21.0 before 7.21.2, and versions 8.0.0 and 8.1.0. Atlassian Confluence versions are affected before 7.4.17, from 7.5.0 before 7.13.7, from 7.14.0 before 7.14.3, from 7.15.0 before 7.15.2, from 7.16.0 before 7.16.4, from 7.17.0 before 7.17.4, and version 7.21.0. Atlassian Crowd versions are affected before 4.3.8, from 4.4.0 before 4.4.2, and version 5.0.0. Atlassian Fisheye and Crucible versions before 4.8.10 are affected. Atlassian Jira versions are affected before 8.13.22, from 8.14.0 before 8.20.10, and from 8.21.0 before 8.22.4. Atlassian Jira Service Management versions are affected before 4.13.22, from 4.14.0 before 4.20.10, and from 4.21.0 before 4.22.4.
CWE-346 Origin Validation Error

CVSSv3:
  • Base Score: HIGH (8.8)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions:

daisydiff-1.1.20-atlassian-hosted.jar

Description:

Daisy Diff is a Java library that diffs (compares) HTML files. It highlights added and removed words and annotates changes to the styling.

License:

Apache License: http://www.apache.org/licenses/
File Path: /home/andrii/.m2/repository/org/outerj/daisy/daisydiff/1.1.20-atlassian-hosted/daisydiff-1.1.20-atlassian-hosted.jar
MD5: 866832693eedf3e41840644f06f83e3e
SHA1: 7339ff559bead10bd3c3a767a89b6e854822cd46
SHA256:c641a811eb79ecf30a01edc14e0afabc0386861ab1710c361eab4be39b85e028
Referenced In Project/Scope:space-comments:provided

Identifiers

datetime-picker.js

File Path: /home/andrii/IdeaProjects/confluence-comments-server/src/main/resources/js/build/_snowpack/pkg/@atlaskit/datetime-picker.js
MD5: 75f1497e0477ba2f2229a755d2e45068
SHA1: ad9cc1519995694e34b6153b2cf0615944ea9120
SHA256:67613dc6c9781cff0ae726ef08e654c420ae5a8d91f6fcb85fb66ebb9b3c301d
Referenced In Project/Scope:space-comments

Identifiers

  • None

defineProperty-dce7b5ef.js

File Path: /home/andrii/IdeaProjects/confluence-comments-server/src/main/resources/js/build/_snowpack/pkg/common/defineProperty-dce7b5ef.js
MD5: 5aa07531287954dad811bf0fc1ae4087
SHA1: 8ecd400719a1d5f6af1cd04e9be77dd683932288
SHA256:7f494dbc69178de71a43a61e1cda6747398dfd902bdec6ef36cc283e0eba09db
Referenced In Project/Scope:space-comments

Identifiers

  • None

dependency-check-core-7.3.2.jar

Description:

dependency-check-core is the engine and reporting tool used to identify and report if there are any known, publicly disclosed vulnerabilities in the scanned project's dependencies. The engine extracts meta-data from the dependencies and uses this to do fuzzy key-word matching against the Common Platform Enumeration (CPE); if any CPE identifiers are found, the associated Common Vulnerability and Exposure (CVE) entries are added to the generated report.

File Path: /home/andrii/.m2/repository/org/owasp/dependency-check-core/7.3.2/dependency-check-core-7.3.2.jar
MD5: 882692d7648fc45c3af42c94f65c48f7
SHA1: d5525a67e8e61190c683dbf2cae6d5d83e237459
SHA256:5ee0d402b913e272ee49ab36257e424d0b484c99e59f4c973f414919717d24eb
Referenced In Project/Scope:space-comments:compile

Identifiers

dependency-check-core-7.3.2.jar: GrokAssembly.zip: GrokAssembly.dll

File Path: /home/andrii/.m2/repository/org/owasp/dependency-check-core/7.3.2/dependency-check-core-7.3.2.jar/GrokAssembly.zip/GrokAssembly.dll
MD5: bb47dc65b1b26b32dc5cf58ac2c1af7f
SHA1: bad180af19c0573834f7cecde9698215e80fe04f
SHA256:af0a0ffd2cfa7170db914ab7dd7a2290dcd13f9df4a0928edaae904c2a1e803a
Referenced In Project/Scope:space-comments:compile

Identifiers

  • None

dependency-check-core-7.3.2.jar: jquery-3.5.1.min.js

File Path: /home/andrii/.m2/repository/org/owasp/dependency-check-core/7.3.2/dependency-check-core-7.3.2.jar/templates/scripts/jquery-3.5.1.min.js
MD5: 12b69d0ae6c6f0c42942ae6da2896e84
SHA1: d2cc8d43ce1c854b1172e42b1209502ad563db83
SHA256:6150a35c0f486c46cadf0e230e2aa159c7c23ecfbb5611b64ee3f25fcbff341f
Referenced In Project/Scope:space-comments:compile

Identifiers

  • None

dom4j-1.6.1-atlassian-2.jar

Description:

dom4j: the flexible XML framework for Java

License:

MetaStuff, Ltd License: https://github.com/dom4j/dom4j/blob/master/LICENSE
File Path: /home/andrii/.m2/repository/dom4j/dom4j/1.6.1-atlassian-2/dom4j-1.6.1-atlassian-2.jar
MD5: ddc67ad23e6f0d51326a89d7ef36db08
SHA1: b1d430a321c4830a98e244ced6e06c2e216851a5
SHA256:0ee71e778117ff750c16d96cecb2f3e0d2eb3b4e8a14ab2cbc85b5b2e2140085
Referenced In Project/Scope:space-comments:provided

Identifiers

CVE-2020-10683  

dom4j before 2.0.3 and 2.1.x before 2.1.3 allows external DTDs and External Entities by default, which might enable XXE attacks. However, there is popular external documentation from OWASP showing how to enable the safe, non-default behavior in any application that uses dom4j.
CWE-611 Improper Restriction of XML External Entity Reference ('XXE')

CVSSv2:
  • Base Score: HIGH (7.5)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions:

doxia-logging-api-1.11.1.jar

Description:

Doxia Logging API.

File Path: /home/andrii/.m2/repository/org/apache/maven/doxia/doxia-logging-api/1.11.1/doxia-logging-api-1.11.1.jar
MD5: 6452e33a36b87939630e0b18f8ffcff0
SHA1: ee28757cce6ee0215bac550dead25074c97c532d
SHA256:243c66f842cd2b3ded7c6d2c36b177a65c3f5d94800cef988ba3e29ec8cf60c9
Referenced In Project/Scope:space-comments:compile

Identifiers

doxia-sink-api-1.11.1.jar

Description:

Doxia Sink API.

File Path: /home/andrii/.m2/repository/org/apache/maven/doxia/doxia-sink-api/1.11.1/doxia-sink-api-1.11.1.jar
MD5: b1bd5c9efde9f14969fa881b87fe709b
SHA1: 59c2255f58c78fbbcb7e638e82bd2914e78aec8b
SHA256:39ac38bb7d752ea003be17a0065522e4e1b076a4f7e374bea55259f3e133f28f
Referenced In Project/Scope:space-comments:compile

Identifiers

dragonfly-api-1.1.jar

File Path: /home/andrii/.m2/repository/com/atlassian/dragonfly/dragonfly-api/1.1/dragonfly-api-1.1.jar
MD5: e616977a9e1904da4ac99cdd8836fdf2
SHA1: e172aa98e42b86a48e5711f0e64c58b768d5200f
SHA256:a272e48412c15b8df095176581a054d3ae2f37607e7c846a9d7474c5fd6f5fce
Referenced In Project/Scope:space-comments:provided

Identifiers

dragonfly-core-1.1.jar

File Path: /home/andrii/.m2/repository/com/atlassian/dragonfly/dragonfly-core/1.1/dragonfly-core-1.1.jar
MD5: 6bdcbde93194669ae9004a9f19c17092
SHA1: c5925ccaa572c58a0a5aee397c6e1cc5fea4c1cd
SHA256:033e59c5ff64826969148017c0cb3e34dd7197c7c859ebd719ed3d85a12627e2
Referenced In Project/Scope:space-comments:provided

Identifiers

dragonfly-spi-1.1.jar

File Path: /home/andrii/.m2/repository/com/atlassian/dragonfly/dragonfly-spi/1.1/dragonfly-spi-1.1.jar
MD5: 72ea20692440d5731ed977786dfc5f98
SHA1: ff0363519b9a3665f8caa0587505459421a475b4
SHA256:88f6ac7ef998fe9f963ca1f06f8ac6d597abd30fc369735fa5cce4b46af0c6b3
Referenced In Project/Scope:space-comments:provided

Identifiers

dt-filestore-client-api-1.3.0.jar

File Path: /home/andrii/.m2/repository/com/atlassian/filestore/dt-filestore-client-api/1.3.0/dt-filestore-client-api-1.3.0.jar
MD5: 6e0acdc25a37465341e6eba0f3581487
SHA1: 841fd905fe123ebea7e2224d73a7cff15d98d8fb
SHA256:0542a04706f610a0927b34787acdfa0f1842a8fce78d1fd50637c4cf26242906
Referenced In Project/Scope:space-comments:provided

Identifiers

dt-filestore-client-core-1.3.0.jar

File Path: /home/andrii/.m2/repository/com/atlassian/filestore/dt-filestore-client-core/1.3.0/dt-filestore-client-core-1.3.0.jar
MD5: c0f887127860ed86ee9b40df2aa4f33d
SHA1: 64edde6b7e71bd97663b4a3659119f9489d4ec4c
SHA256:8cfcb9071b64ba237ec9dea9c9ae5eb9e620356f83de25f8ac102e8252153e23
Referenced In Project/Scope:space-comments:provided

Identifiers

dt-filestore-httpclient-1.3.0.jar

File Path: /home/andrii/.m2/repository/com/atlassian/filestore/dt-filestore-httpclient/1.3.0/dt-filestore-httpclient-1.3.0.jar
MD5: 6f6c12afaf5f1a5925819fedd31bbb92
SHA1: e51ca8b35de7747e50a1a80dc28a262473b7b697
SHA256:bcdbc79b729c112477b23f75feabdd227a6140661e796f677e68662d48dd3ed2
Referenced In Project/Scope:space-comments:provided

Identifiers

dt-media-api-client-api-2.0.4.jar

File Path: /home/andrii/.m2/repository/com/atlassian/media/dt-media-api-client-api/2.0.4/dt-media-api-client-api-2.0.4.jar
MD5: f3f2c977001bde8b12009517b0274bbd
SHA1: 50403ac53430e6b4d639ad841517675dd164c57f
SHA256:613b9497274ac757f73881e8678c85a065c57a2607466b03b5f2fa85718c310b
Referenced In Project/Scope:space-comments:provided

Identifiers

dt-media-api-client-core-2.0.4.jar

File Path: /home/andrii/.m2/repository/com/atlassian/media/dt-media-api-client-core/2.0.4/dt-media-api-client-core-2.0.4.jar
MD5: 879293f36dee8a1ae64c105dee87f4bd
SHA1: e4327c4e463c238a6b27226819534e5ee3e1e191
SHA256:bac3a5fb96c57674546a93a091662b6c0aa970b9985d5bc5fdd8bd7cdded0394
Referenced In Project/Scope:space-comments:provided

Identifiers

dt-media-api-httpclient-2.0.4.jar

File Path: /home/andrii/.m2/repository/com/atlassian/media/dt-media-api-httpclient/2.0.4/dt-media-api-httpclient-2.0.4.jar
MD5: 46193d683ac809608323cf790b9a9105
SHA1: ea53f3fac69038ed302c6c48cd7de9527f46eae7
SHA256:706f618bf4e6c495b5b6842d7d9070505ba6775ee789c6a3fe1688e466358d31
Referenced In Project/Scope:space-comments:provided

Identifiers

dynamic-table.js

File Path: /home/andrii/IdeaProjects/confluence-comments-server/src/main/resources/js/build/_snowpack/pkg/@atlaskit/dynamic-table.js
MD5: f186a0e7f7394ef1d38bca851ac66e3f
SHA1: 4ba0178b853d1e5980c06bd91fde953bdba69c49
SHA256:b16346c3d8e19413647f2d24f6510174b6012e844d5de571fb5f6bfb26b33d61
Referenced In Project/Scope:space-comments

Identifiers

  • None

embedded-crowd-core-4.2.2.jar

File Path: /home/andrii/.m2/repository/com/atlassian/crowd/embedded-crowd-core/4.2.2/embedded-crowd-core-4.2.2.jar
MD5: b323781d6fe04cf279d1baba1d8ccf7d
SHA1: 65a1bc95f629b3c01cf7d8bd723af6ec2742c438
SHA256:fdc0f55e5cb2d16a71f4700468772b418f242bb144bb4aaaa85c2dbade222ff2
Referenced In Project/Scope:space-comments:provided

Identifiers

CVE-2022-26136  

A vulnerability in multiple Atlassian products allows a remote, unauthenticated attacker to bypass Servlet Filters used by first and third party apps. The impact depends on which filters are used by each app, and how the filters are used. This vulnerability can result in authentication bypass and cross-site scripting. Atlassian has released updates that fix the root cause of this vulnerability, but has not exhaustively enumerated all potential consequences of this vulnerability. Atlassian Bamboo versions are affected before 8.0.9, from 8.1.0 before 8.1.8, and from 8.2.0 before 8.2.4. Atlassian Bitbucket versions are affected before 7.6.16, from 7.7.0 before 7.17.8, from 7.18.0 before 7.19.5, from 7.20.0 before 7.20.2, from 7.21.0 before 7.21.2, and versions 8.0.0 and 8.1.0. Atlassian Confluence versions are affected before 7.4.17, from 7.5.0 before 7.13.7, from 7.14.0 before 7.14.3, from 7.15.0 before 7.15.2, from 7.16.0 before 7.16.4, from 7.17.0 before 7.17.4, and version 7.21.0. Atlassian Crowd versions are affected before 4.3.8, from 4.4.0 before 4.4.2, and version 5.0.0. Atlassian Fisheye and Crucible versions before 4.8.10 are affected. Atlassian Jira versions are affected before 8.13.22, from 8.14.0 before 8.20.10, and from 8.21.0 before 8.22.4. Atlassian Jira Service Management versions are affected before 4.13.22, from 4.14.0 before 4.20.10, and from 4.21.0 before 4.22.4.
CWE-287 Improper Authentication

CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVE-2022-43782  

Affected versions of Atlassian Crowd allow an attacker to authenticate as the crowd application via security misconfiguration and subsequent ability to call privileged endpoints in Crowd's REST API under the `usermanagement` path. This vulnerability can only be exploited by IPs specified under the crowd application allowlist in the Remote Addresses configuration, which is `none` by default. The affected versions are all versions 3.x.x, versions 4.x.x before version 4.4.4, and versions 5.x.x before 5.0.3.
CWE-287 Improper Authentication

CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVE-2022-26137  

A vulnerability in multiple Atlassian products allows a remote, unauthenticated attacker to cause additional Servlet Filters to be invoked when the application processes requests or responses. Atlassian has confirmed and fixed the only known security issue associated with this vulnerability: Cross-origin resource sharing (CORS) bypass. Sending a specially crafted HTTP request can invoke the Servlet Filter used to respond to CORS requests, resulting in a CORS bypass. An attacker that can trick a user into requesting a malicious URL can access the vulnerable application with the victim’s permissions. Atlassian Bamboo versions are affected before 8.0.9, from 8.1.0 before 8.1.8, and from 8.2.0 before 8.2.4. Atlassian Bitbucket versions are affected before 7.6.16, from 7.7.0 before 7.17.8, from 7.18.0 before 7.19.5, from 7.20.0 before 7.20.2, from 7.21.0 before 7.21.2, and versions 8.0.0 and 8.1.0. Atlassian Confluence versions are affected before 7.4.17, from 7.5.0 before 7.13.7, from 7.14.0 before 7.14.3, from 7.15.0 before 7.15.2, from 7.16.0 before 7.16.4, from 7.17.0 before 7.17.4, and version 7.21.0. Atlassian Crowd versions are affected before 4.3.8, from 4.4.0 before 4.4.2, and version 5.0.0. Atlassian Fisheye and Crucible versions before 4.8.10 are affected. Atlassian Jira versions are affected before 8.13.22, from 8.14.0 before 8.20.10, and from 8.21.0 before 8.22.4. Atlassian Jira Service Management versions are affected before 4.13.22, from 4.14.0 before 4.20.10, and from 4.21.0 before 4.22.4.
CWE-346 Origin Validation Error

CVSSv3:
  • Base Score: HIGH (8.8)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

error_prone_annotations-2.4.0.jar

License:

Apache 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/andrii/.m2/repository/com/google/errorprone/error_prone_annotations/2.4.0/error_prone_annotations-2.4.0.jar
MD5: bac854c25d354c9fd973f73956c06916
SHA1: 32ecccc595e4e4d813a80ee9e3ab5813d65874eb
SHA256:5f2a0648230a662e8be049df308d583d7369f13af683e44ddf5829b6d741a228
Referenced In Project/Scope:space-comments:compile

Identifiers

fast-classpath-scanner-2.18.1.jar

Description:

Uber-fast, ultra-lightweight Java classpath scanner. Scans the classpath by parsing the classfile binary format directly rather than by using reflection.
See https://github.com/lukehutch/fast-classpath-scanner

License:

The MIT License (MIT): http://opensource.org/licenses/MIT
File Path: /home/andrii/.m2/repository/io/github/lukehutch/fast-classpath-scanner/2.18.1/fast-classpath-scanner-2.18.1.jar
MD5: 91244322e274de00e948e1b92a58ba82
SHA1: 89d34f84d7119c97df018e20b31f80ea3e0ea321
SHA256:e1cf8c3ab10a9a838adc898d47a9f9e7cc61f7313e7bc6c778ff20c22cd2f75c
Referenced In Project/Scope:space-comments:provided

Identifiers

file-management-3.1.0.jar

Description:

API to collect files from a given directory using several include/exclude rules.

File Path: /home/andrii/.m2/repository/org/apache/maven/shared/file-management/3.1.0/file-management-3.1.0.jar
MD5: 94be12af3d234da86b130cb297234bef
SHA1: f87a3a54c856714e4157b9ce7a5ff6ffc310d447
SHA256:2e8cb2d546a01c2259cb17f1e06732db3d14b079d19622bf8400c82cb1ee6b96
Referenced In Project/Scope:space-comments:compile

Identifiers

filestore-api-0.4.0.jar

Description:

The Data Center FileStore API

File Path: /home/andrii/.m2/repository/com/atlassian/datacenter/filestore/filestore-api/0.4.0/filestore-api-0.4.0.jar
MD5: 66301bf791dbb93386a57752d8bcf804
SHA1: be8ea74d48ee6822855d0aad4fc952e30d4424c9
SHA256:486ba23c910cd9ec655937be4e138210a0d0966d857ab30a18db4659fb8034f9
Referenced In Project/Scope:space-comments:provided

Identifiers

CVE-2017-18113  

The DefaultOSWorkflowConfigurator class in Jira Server and Jira Data Center before version 8.18.1 allows remote attackers who can trick a system administrator to import their malicious workflow to execute arbitrary code via a Remote Code Execution (RCE) vulnerability. The vulnerability allowed for various problematic OSWorkflow classes to be used as part of workflows. The fix for this issue blocks usage of unsafe conditions, validators, functions and registers that are built into the OSWorkflow library and other Jira dependencies. Atlassian-made functions or functions provided by 3rd party plugins are not affected by this fix.
CWE-94 Improper Control of Generation of Code ('Code Injection')

CVSSv2:
  • Base Score: MEDIUM (6.8)
  • Vector: /AV:N/AC:M/Au:N/C:P/I:P/A:P
CVSSv3:
  • Base Score: HIGH (8.8)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVE-2021-39113  

Affected versions of Atlassian Jira Server and Data Center allow anonymous remote attackers to continue to view cached content even after losing permissions, via a Broken Access Control vulnerability in the allowlist feature. The affected versions are before version 8.13.9, and from version 8.14.0 before 8.18.0.
CWE-613 Insufficient Session Expiration

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CVE-2021-39123  

Affected versions of Atlassian Jira Server and Data Center allow unauthenticated remote attackers to impact the application's availability via a Denial of Service (DoS) vulnerability in the /rest/gadget/1.0/createdVsResolved/generate endpoint. The affected versions are before version 8.16.0.
NVD-CWE-noinfo

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:P
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVE-2021-41312  

Affected versions of Atlassian Jira Server and Data Center allow a remote attacker who has had their access revoked from Jira Service Management to enable and disable Issue Collectors on Jira Service Management projects via an Improper Authentication vulnerability in the /secure/ViewCollectors endpoint. The affected versions are before version 8.19.1.
CWE-287 Improper Authentication

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

CVE-2021-26070  

Affected versions of Atlassian Jira Server and Data Center allow remote attackers to evade behind-the-firewall protection of app-linked resources via a Broken Authentication vulnerability in the `makeRequest` gadget resource. The affected versions are before version 8.13.3, and from version 8.14.0 before 8.14.1.
CWE-287 Improper Authentication

CVSSv2:
  • Base Score: MEDIUM (6.4)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:N
CVSSv3:
  • Base Score: HIGH (7.2)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

CVE-2021-43947  

Affected versions of Atlassian Jira Server and Data Center allow remote attackers with administrator privileges to execute arbitrary code via a Remote Code Execution (RCE) vulnerability in the Email Templates feature. This issue bypasses the fix of https://jira.atlassian.com/browse/JSDSERVER-8665. The affected versions are before version 8.13.15, and from version 8.14.0 before 8.20.3.
NVD-CWE-noinfo

CVSSv2:
  • Base Score: HIGH (9.0)
  • Vector: /AV:N/AC:L/Au:S/C:C/I:C/A:C
CVSSv3:
  • Base Score: HIGH (7.2)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CVE-2020-36288  

The issue navigation and search view in Jira Server and Data Center before version 8.5.12, from version 8.6.0 before version 8.13.4, and from version 8.14.0 before version 8.15.1 allows remote attackers to inject arbitrary HTML or JavaScript via a DOM Cross-Site Scripting (XSS) vulnerability caused by parameter pollution.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (6.1)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CVE-2021-26078  

The number range searcher component in Jira Server and Jira Data Center before version 8.5.14, from version 8.6.0 before version 8.13.6, and from version 8.14.0 before version 8.16.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (6.1)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CVE-2021-26079  

The CardLayoutConfigTable component in Jira Server and Jira Data Center before version 8.5.15, and from version 8.6.0 before version 8.13.7, and from version 8.14.0 before 8.17.0 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (6.1)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CVE-2021-39111  

The Editor plugin in Atlassian Jira Server and Data Center before version 8.5.18, from 8.6.0 before 8.13.10, and from version 8.14.0 before 8.18.2 allows remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability in the handling of supplied content such as from a PDF when pasted into a field such as the description field.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (6.1)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CVE-2021-41304  

Affected versions of Atlassian Jira Server and Data Center allow anonymous remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability in the /secure/admin/ImporterFinishedPage.jspa error message. The affected versions are before version 8.13.12, and from version 8.14.0 before 8.20.2.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (6.1)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CVE-2021-26082  

The XML Export in Atlassian Jira Server and Jira Data Center before version 8.5.14, from version 8.6.0 before 8.13.6, and from version 8.14.0 before 8.17.0 allows remote attackers to inject arbitrary HTML or JavaScript via a stored cross site scripting vulnerability.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv2:
  • Base Score: LOW (3.5)
  • Vector: /AV:N/AC:M/Au:S/C:N/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (5.4)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CVE-2021-26083  

Export HTML Report in Atlassian Jira Server and Jira Data Center before version 8.5.14, from version 8.6.0 before 8.13.6, and from version 8.14.0 before 8.16.1 allows remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv2:
  • Base Score: LOW (3.5)
  • Vector: /AV:N/AC:M/Au:S/C:N/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (5.4)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CVE-2019-20101  

Affected versions of Atlassian Jira Server and Data Center allow anonymous remote attackers to view whitelist rules via a Broken Access Control vulnerability in the /rest/whitelist/<version>/check endpoint. The affected versions are before version 8.13.3, and from version 8.14.0 before 8.14.1.
NVD-CWE-Other

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSSv3:
  • Base Score: MEDIUM (5.3)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CVE-2020-14181  

Affected versions of Atlassian Jira Server and Data Center allow an unauthenticated user to enumerate users via an Information Disclosure vulnerability in the /ViewUserHover.jspa endpoint. The affected versions are before version 7.13.6, from version 8.0.0 before 8.5.7, and from version 8.6.0 before 8.12.0.
CWE-200 Information Exposure

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSSv3:
  • Base Score: MEDIUM (5.3)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CVE-2020-36237  

Affected versions of Atlassian Jira Server and Data Center allow unauthenticated remote attackers to view custom field options via an Information Disclosure vulnerability in the /rest/api/2/customFieldOption/ endpoint. The affected versions are before version 8.15.0.
NVD-CWE-noinfo

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSSv3:
  • Base Score: MEDIUM (5.3)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CVE-2020-36238  

The /rest/api/1.0/render resource in Jira Server and Data Center before version 8.5.13, from version 8.6.0 before version 8.13.5, and from version 8.14.0 before version 8.15.1 allows remote anonymous attackers to determine if a username is valid or not via a missing permissions check.
CWE-862 Missing Authorization

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSSv3:
  • Base Score: MEDIUM (5.3)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CVE-2020-36286  

The membersOf JQL search function in Jira Server and Data Center before version 8.5.13, from version 8.6.0 before version 8.13.5, and from version 8.14.0 before version 8.15.1 allows remote anonymous attackers to determine if a group exists and the members of groups if they are assigned to a publicly visible issue field.
NVD-CWE-noinfo

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSSv3:
  • Base Score: MEDIUM (5.3)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CVE-2020-36287  

The dashboard gadgets preference resource of the Atlassian gadgets plugin used in Jira Server and Jira Data Center before version 8.13.5, and from version 8.14.0 before version 8.15.1 allows remote anonymous attackers to obtain gadget related settings via a missing permissions check.
CWE-862 Missing Authorization

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSSv3:
  • Base Score: MEDIUM (5.3)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CVE-2020-36289  

Affected versions of Atlassian Jira Server and Data Center allow an unauthenticated user to enumerate users via an Information Disclosure vulnerability in the QueryComponentRendererValue!Default.jspa endpoint. The affected versions are before version 8.5.13, from version 8.6.0 before 8.13.5, and from version 8.14.0 before 8.15.1.
CWE-863 Incorrect Authorization

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSSv3:
  • Base Score: MEDIUM (5.3)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CVE-2021-26069  

Affected versions of Atlassian Jira Server and Data Center allow unauthenticated remote attackers to download temporary files and enumerate project keys via an Information Disclosure vulnerability in the /rest/api/1.0/issues/{id}/ActionsAndOperations API endpoint. The affected versions are before version 8.5.11, from version 8.6.0 before 8.13.3, and from version 8.14.0 before 8.15.0.
CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSSv3:
  • Base Score: MEDIUM (5.3)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CVE-2021-26081  

REST API in Atlassian Jira Server and Jira Data Center before version 8.5.14, from version 8.6.0 before 8.13.6, and from version 8.14.0 before 8.16.1 allows remote attackers to enumerate usernames via a Sensitive Data Exposure vulnerability in the `/rest/api/latest/user/avatar/temporary` endpoint.
NVD-CWE-noinfo

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSSv3:
  • Base Score: MEDIUM (5.3)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CVE-2021-39118  

Affected versions of Atlassian Jira Server and Data Center allow remote attackers to discover the usernames and full names of users via an enumeration vulnerability in the /rest/api/1.0/render endpoint. The affected versions are before version 8.19.0.
NVD-CWE-noinfo

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSSv3:
  • Base Score: MEDIUM (5.3)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CVE-2021-39119  

Affected versions of Atlassian Jira Server and Data Center allow users who have watched an issue to continue receiving updates on the issue even after their Jira account is revoked, via a Broken Access Control vulnerability in the issue notification feature. The affected versions are before version 8.19.0.
CWE-863 Incorrect Authorization

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSSv3:
  • Base Score: MEDIUM (5.3)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CVE-2021-39122  

Affected versions of Atlassian Jira Server and Data Center allow anonymous remote attackers to view users' emails via an Information Disclosure vulnerability in the /rest/api/2/search endpoint. The affected versions are before version 8.5.13, from version 8.6.0 before 8.13.5, and from version 8.14.0 before 8.15.1.
NVD-CWE-noinfo

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSSv3:
  • Base Score: MEDIUM (5.3)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CVE-2021-39125  

Affected versions of Atlassian Jira Server and Data Center allow anonymous remote attackers to discover the usernames of users via an enumeration vulnerability in the password reset page. The affected versions are before version 8.5.10, and from version 8.6.0 before 8.13.1.
NVD-CWE-noinfo

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSSv3:
  • Base Score: MEDIUM (5.3)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CVE-2020-36234  

Affected versions of Atlassian Jira Server and Data Center allow remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability in the Screens Modal view. The affected versions are before version 8.5.11, from version 8.6.0 before 8.13.3, and from version 8.14.0 before 8.15.0.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv2:
  • Base Score: LOW (3.5)
  • Vector: /AV:N/AC:M/Au:S/C:N/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (4.8)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

CVE-2021-39112  

Affected versions of Atlassian Jira Server and Data Center allow remote attackers to redirect users to a malicious URL via a reverse tabnapping vulnerability in the Project Shortcuts feature. The affected versions are before version 8.5.15, from version 8.6.0 before 8.13.7, from version 8.14.0 before 8.17.1, and from version 8.18.0 before 8.18.1.
CWE-601 URL Redirection to Untrusted Site ('Open Redirect')

CVSSv2:
  • Base Score: MEDIUM (4.9)
  • Vector: /AV:N/AC:M/Au:S/C:P/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (4.8)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

CVE-2021-39117  

The AssociateFieldToScreens page in Atlassian Jira Server and Data Center before version 8.18.0 allows remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability via the name of a custom field.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv2:
  • Base Score: LOW (3.5)
  • Vector: /AV:N/AC:M/Au:S/C:N/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (4.8)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

CVE-2021-43945  

Affected versions of Atlassian Jira Server and Data Center allow remote attackers with Roadmaps Administrator permissions to inject arbitrary HTML or JavaScript via a Stored Cross-Site Scripting (SXSS) vulnerability in the /rest/jpo/1.0/hierarchyConfiguration endpoint. The affected versions are before version 8.20.3.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv2:
  • Base Score: LOW (3.5)
  • Vector: /AV:N/AC:M/Au:S/C:N/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (4.8)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

CVE-2020-29451  

Affected versions of Atlassian Jira Server and Data Center allow remote attackers to enumerate Jira projects via an Information Disclosure vulnerability in the Jira Projects plugin report page. The affected versions are before version 8.5.11, from version 8.6.0 before 8.13.3, and from version 8.14.0 before 8.14.1.
NVD-CWE-noinfo

CVSSv2:
  • Base Score: MEDIUM (4.0)
  • Vector: /AV:N/AC:L/Au:S/C:P/I:N/A:N
CVSSv3:
  • Base Score: MEDIUM (4.3)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

CVE-2021-26075  

The Jira importers plugin AttachTemporaryFile rest resource in Jira Server and Data Center before version 8.5.12, from version 8.6.0 before 8.13.4, and from version 8.14.0 before 8.15.1 allowed remote authenticated attackers to obtain the full path of the Jira application data directory via an information disclosure vulnerability in the error message when presented with an invalid filename.
NVD-CWE-noinfo

CVSSv2:
  • Base Score: MEDIUM (4.0)
  • Vector: /AV:N/AC:L/Au:S/C:P/I:N/A:N
CVSSv3:
  • Base Score: MEDIUM (4.3)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

CVE-2021-39121  

Affected versions of Atlassian Jira Server and Data Center allow authenticated remote attackers to enumerate the keys of private Jira projects via an Information Disclosure vulnerability in the /rest/api/latest/projectvalidate/key endpoint. The affected versions are before version 8.5.18, from version 8.6.0 before 8.13.10, and from version 8.14.0 before 8.18.2.
NVD-CWE-noinfo

CVSSv2:
  • Base Score: MEDIUM (4.0)
  • Vector: /AV:N/AC:L/Au:S/C:P/I:N/A:N
CVSSv3:
  • Base Score: MEDIUM (4.3)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

CVE-2021-39124  

The Cross-Site Request Forgery (CSRF) failure retry feature of Atlassian Jira Server and Data Center before version 8.16.0 allows remote attackers who are able to trick a user into retrying a request to bypass CSRF protection and replay a crafted request.
CWE-352 Cross-Site Request Forgery (CSRF)

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (4.3)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

CVE-2021-43953  

Affected versions of Atlassian Jira Server and Data Center allow unauthenticated remote attackers to toggle the Thread Contention and CPU monitoring settings via a Cross-Site Request Forgery (CSRF) vulnerability in the /secure/admin/ViewInstrumentation.jspa endpoint. The affected versions are before version 8.13.16, and from version 8.14.0 before 8.20.5.
CWE-352 Cross-Site Request Forgery (CSRF)

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:N/A:P
CVSSv3:
  • Base Score: MEDIUM (4.3)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L

CVE-2021-26076  

The jira.editor.user.mode cookie set by the Jira Editor Plugin in Jira Server and Data Center before version 8.5.12, from version 8.6.0 before version 8.13.4, and from version 8.14.0 before version 8.15.0 allows remote anonymous attackers who can perform an attacker-in-the-middle attack to learn which mode a user is editing in due to the cookie not being set with a secure attribute if Jira was configured to use https.
NVD-CWE-noinfo

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:P/I:N/A:N
CVSSv3:
  • Base Score: LOW (3.7)
  • Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

CVE-2021-26071  

The SetFeatureEnabled.jspa resource in Jira Server and Data Center before version 8.5.13, from version 8.6.0 before version 8.13.5, and from version 8.14.0 before version 8.15.1 allows remote anonymous attackers to enable and disable Jira Software configuration via a cross-site request forgery (CSRF) vulnerability.
CWE-352 Cross-Site Request Forgery (CSRF)

CVSSv2:
  • Base Score: LOW (3.5)
  • Vector: /AV:N/AC:M/Au:S/C:N/I:P/A:N
CVSSv3:
  • Base Score: LOW (3.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N

filters-2.0.235.jar

Description:

A collection of image processing filters.

License:

Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0
File Path: /home/andrii/.m2/repository/com/jhlabs/filters/2.0.235/filters-2.0.235.jar
MD5: d91073d6b28e2505e96620709626495f
SHA1: af6a2dfefef70f1ab2d7a8d1f8173f67e276b3f4
SHA256:be6a1d54ebb043495e31e25e72b440f69156a5624cdd7e1c55c47e30d4fae308
Referenced In Project/Scope:space-comments:provided

Identifiers

  • pkg:maven/com.jhlabs/filters@2.0.235  (Confidence:High)
  • cpe:2.3:a:image-processing_project:image-processing:2.0.235:*:*:*:*:*:*:*  (Confidence:Low)  
  • cpe:2.3:a:image_processing_software:image_processing_software:2.0.235:*:*:*:*:*:*:*  (Confidence:Low)  

CVE-2005-0406  

A design flaw in image processing software that modifies JPEG images might not modify the original EXIF thumbnail, which could lead to an information leak of potentially sensitive visual information that had been removed from the main JPEG image.
NVD-CWE-Other

CVSSv2:
  • Base Score: LOW (2.1)
  • Vector: /AV:L/AC:L/Au:N/C:P/I:N/A:N

findbugs-annotations-3.0.1.jar

Description:

Annotation defined by the FindBugs tool

License:

GNU Lesser Public License: http://www.gnu.org/licenses/lgpl.html
File Path: /home/andrii/.m2/repository/com/google/code/findbugs/findbugs-annotations/3.0.1/findbugs-annotations-3.0.1.jar
MD5: 5bcf1f717f297f87c55e8e3131758b09
SHA1: 0bf2342edabc0fc37fc0b1de0b03f071bef935c3
SHA256:8de57cec5c240788a4d5301f67d51921d584fb25bff3899695a53e7e46205a71
Referenced In Project/Scope:space-comments:provided

Identifiers

fontbox-2.0.24.jar

Description:

The Apache FontBox library is an open source Java tool to obtain low level information from font files. FontBox is a subproject of Apache PDFBox.

License:

https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/andrii/.m2/repository/org/apache/pdfbox/fontbox/2.0.24/fontbox-2.0.24.jar
MD5: 6c2066df0d706d85e950fe8c73d52ed8
SHA1: df8ecb3006dfcd52355a5902096e5ec34f06112e
SHA256:2e8c0a569a90b04734fbc0c805d77f4ec03f98c11f5705055ccd7718c1953d68
Referenced In Project/Scope:space-comments:provided

Identifiers

fugue-2.7.0.jar

Description:

This is a version of atlassian-public-pom:3.x.y that allows releasing to artifactory

License:

http://www.apache.org/licenses/LICENSE-2.0
File Path: /home/andrii/.m2/repository/com/atlassian/fugue/fugue/2.7.0/fugue-2.7.0.jar
MD5: b9eaa7c0d9da891ebab26b7d3f66270d
SHA1: 7e5e1933563375e0d55ddfdca361eaf960e58c89
SHA256:021e8b7b139ccca1b6e5878bd5b0a14fc7c4d78daf25c31d590e76d541b4d779
Referenced In Project/Scope:space-comments:provided

Identifiers

fugue-4.7.2.jar

Description:

Base POM for Atlassian projects

License:

http://www.apache.org/licenses/LICENSE-2.0
File Path: /home/andrii/.m2/repository/io/atlassian/fugue/fugue/4.7.2/fugue-4.7.2.jar
MD5: 9350f264bbd7056e0264c6d158f8477c
SHA1: 77a4cb8ddeb9f00193289dfa5dca624268cb049d
SHA256:bd421e60013a10e1b9eb6328123fa28fbe8736711d282070ac43f5366274d18d
Referenced In Project/Scope:space-comments:provided

Identifiers

fugue-deprecated-4.7.2.jar

Description:

Base POM for Atlassian projects

License:

http://www.apache.org/licenses/LICENSE-2.0
File Path: /home/andrii/.m2/repository/io/atlassian/fugue/fugue-deprecated/4.7.2/fugue-deprecated-4.7.2.jar
MD5: f6ca36c2fc6786c94aeb50f7d888b49f
SHA1: eeebda060ab587bf90fec5268b41cebbfe8acae1
SHA256:1c7f1def0de1b6e3c2206c4d4ac4f88eb4c40d94e4861cf084445e24894f7e27
Referenced In Project/Scope:space-comments:provided

Identifiers

fugue-guava-4.7.2.jar

Description:

Base POM for Atlassian projects

License:

http://www.apache.org/licenses/LICENSE-2.0
File Path: /home/andrii/.m2/repository/io/atlassian/fugue/fugue-guava/4.7.2/fugue-guava-4.7.2.jar
MD5: a4850bfee8e1c4f5cda7096541dbca69
SHA1: 2c8c73dd6e1d1ddd73fba6c8c22457487171e5ff
SHA256:d525c74cb90bf75a54215b3969e9eae1963bf141d52dc5aa80b8c3c179b38849
Referenced In Project/Scope:space-comments:provided

Identifiers

fugue-optics-4.7.2.jar

Description:

Base POM for Atlassian projects

License:

http://www.apache.org/licenses/LICENSE-2.0
File Path: /home/andrii/.m2/repository/io/atlassian/fugue/fugue-optics/4.7.2/fugue-optics-4.7.2.jar
MD5: ddfb1b197dab4656de8acdd3cc4b3a79
SHA1: 806e6f6aee86475986df5440ac47de65d029ed64
SHA256:767af26f8205a9d0e8966a6101a3a7e6617465990026dfefb4e84330474dd28d
Referenced In Project/Scope:space-comments:provided

Identifiers

fugue-retry-4.7.2.jar

Description:

Base POM for Atlassian projects

License:

http://www.apache.org/licenses/LICENSE-2.0
File Path: /home/andrii/.m2/repository/io/atlassian/fugue/fugue-retry/4.7.2/fugue-retry-4.7.2.jar
MD5: cc6ab0639eb81a61ca482ceeb869c68d
SHA1: 0ec6f81964b27f774b681fa0354121f41b32ec0e
SHA256:db85785b781ab0f247bbd756bb84415854511c12c9461544ec1d5bfa5acb7e9c
Referenced In Project/Scope:space-comments:provided

Identifiers

future-converter-common-1.2.0.jar

File Path: /home/andrii/.m2/repository/net/javacrumbs/future-converter/future-converter-common/1.2.0/future-converter-common-1.2.0.jar
MD5: 56ab39a9226af02748c144a7b0dfd46d
SHA1: 5fc7ea7c58ee0ce950e6104d5dda899f81959d7b
SHA256:567aeb2907088298fe5e67fd0fb1843571c24b46ef5b369f495c3d52c654b67b
Referenced In Project/Scope:space-comments:provided

Identifiers

future-converter-guava-common-1.2.0.jar

File Path: /home/andrii/.m2/repository/net/javacrumbs/future-converter/future-converter-guava-common/1.2.0/future-converter-guava-common-1.2.0.jar
MD5: 1bdb022fda4325f68c179f875bfe734b
SHA1: b329c26e298bd77994cc2e304e4ac20da6f1569f
SHA256:82bfab706005ea51c3e76958a62564367cf9cae207c0b1d55b9734876b9780c1
Referenced In Project/Scope:space-comments:provided

Identifiers

future-converter-java8-common-1.2.0.jar

File Path: /home/andrii/.m2/repository/net/javacrumbs/future-converter/future-converter-java8-common/1.2.0/future-converter-java8-common-1.2.0.jar
MD5: e4b2ae44b8a4ffa5f2a5ed1fc76da7fd
SHA1: 575932e773d58ddd459af417b2df31e2d07c4afc
SHA256:bed25293fabbf59e048f67f88e55140ebc1cfa4fa899e397545d0193e866a65c
Referenced In Project/Scope:space-comments:provided

Identifiers

future-converter-java8-guava-1.2.0.jar

File Path: /home/andrii/.m2/repository/net/javacrumbs/future-converter/future-converter-java8-guava/1.2.0/future-converter-java8-guava-1.2.0.jar
MD5: c43d5a3c364e851b169195a69eab8d77
SHA1: 9d6d59ee4e8f337ccf69ddd66e291a1ef77fbf4e
SHA256:3b47ae8e2b2bfad810586c37537f002273c05237bd3adecafe9f9f57a2b18fde
Referenced In Project/Scope:space-comments:provided

Identifiers

get-is-only-single-icon-3e32a817.js

File Path: /home/andrii/IdeaProjects/confluence-comments-server/src/main/resources/js/build/_snowpack/pkg/common/get-is-only-single-icon-3e32a817.js
MD5: 4d6c67c1ea54d414ae63900785410dc3
SHA1: d2f5e961f48002dceb7e49912329401c1704e1e9
SHA256:41d1b553d3c32b0b403cb00f6342a7dea763fe00f48307359d1dc174458ebe51
Referenced In Project/Scope:space-comments

Identifiers

  • None

gmbal-api-only-3.1.0-b001.jar

Description:

gmbal API

License:

CDDL+GPL: https://glassfish.dev.java.net/public/CDDL+GPL.html
File Path: /home/andrii/.m2/repository/org/glassfish/gmbal/gmbal-api-only/3.1.0-b001/gmbal-api-only-3.1.0-b001.jar
MD5: 5c18e371a6ef8dd3608d74396ece0d29
SHA1: 3502c55c7ad2085ece6b38202b5169dd9177e0a2
SHA256:4b7c8dd878264bd4ab913b0cfe3e28bdf82fa81757e8cb8b373202e265cdbdbc
Referenced In Project/Scope:space-comments:provided

Identifiers

gson-2.2.2-atlassian-1.jar

Description:

Google Gson library

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/andrii/.m2/repository/com/google/code/gson/gson/2.2.2-atlassian-1/gson-2.2.2-atlassian-1.jar
MD5: 7c0993c455ed52bf9c6d6696f1df3534
SHA1: 0cfb0ac68acdb3a5ce496fd98a21791015d5ec25
SHA256:c898fee525753377d3d0f9f3bde910602e423a4a5b2c80e51d05d71da6811237
Referenced In Project/Scope:space-comments:compile

Identifiers

CVE-2022-25647  

The package com.google.code.gson:gson before 2.8.9 is vulnerable to Deserialization of Untrusted Data via the writeReplace() method in internal classes, which may lead to DoS attacks.
CWE-502 Deserialization of Untrusted Data

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:P
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H


guava-26.0-jre.jar

Description:

Guava is a suite of core and expanded libraries that include utility classes, google's collections, io classes, and much much more.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/andrii/.m2/repository/com/google/guava/guava/26.0-jre/guava-26.0-jre.jar
MD5: db2d6eae3ec08b0fd752ef0c5672aab7
SHA1: 6a806eff209f36f635f943e16d97491f00f6bfab
SHA256:a0e9cabad665bc20bcd2b01f108e5fc03f756e13aea80abaadb9f407033bea2c
Referenced In Project/Scope:space-comments:compile

Identifiers

CVE-2020-8908  

A temp directory creation vulnerability exists in all versions of Guava, allowing an attacker with access to the machine to potentially access data in a temporary directory created by the Guava API com.google.common.io.Files.createTempDir(). By default, on unix-like systems, the created directory is world-readable (readable by an attacker with access to the system). The method in question has been marked @Deprecated in versions 30.0 and later and should not be used. For Android developers, we recommend choosing a temporary directory API provided by Android, such as context.getCacheDir(). For other Java developers, we recommend migrating to the Java 7 API java.nio.file.Files.createTempDirectory() which explicitly configures permissions of 700, or configuring the Java runtime's java.io.tmpdir system property to point to a location whose permissions are appropriately configured.
CWE-732 Incorrect Permission Assignment for Critical Resource

CVSSv2:
  • Base Score: LOW (2.1)
  • Vector: /AV:L/AC:L/Au:N/C:P/I:N/A:N
CVSSv3:
  • Base Score: LOW (3.3)
  • Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N


h2-1.4.200.jar

Description:

H2 Database Engine

License:

MPL 2.0 or EPL 1.0: https://h2database.com/html/license.html
File Path: /home/andrii/.m2/repository/com/h2database/h2/1.4.200/h2-1.4.200.jar
MD5: 18c05829a03b92c0880f22a3c4d1d11d
SHA1: f7533fe7cb8e99c87a43d325a77b4b678ad9031a
SHA256:3ad9ac4b6aae9cd9d3ac1c447465e1ed06019b851b893dd6a8d76ddb6d85bca6
Referenced In Project/Scope:space-comments:compile

Identifiers

CVE-2021-42392  

The org.h2.util.JdbcUtils.getConnection method of the H2 database takes as parameters the class name of the driver and URL of the database. An attacker may pass a JNDI driver name and a URL leading to an LDAP or RMI server, causing remote code execution. This can be exploited through various attack vectors, most notably through the H2 Console which leads to unauthenticated remote code execution.
CWE-502 Deserialization of Untrusted Data

CVSSv2:
  • Base Score: HIGH (10.0)
  • Vector: /AV:N/AC:L/Au:N/C:C/I:C/A:C
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H


CVE-2022-23221  

H2 Console before 2.1.210 allows remote attackers to execute arbitrary code via a jdbc:h2:mem JDBC URL containing the IGNORE_UNKNOWN_SETTINGS=TRUE;FORBID_CREATION=FALSE;INIT=RUNSCRIPT substring, a different vulnerability than CVE-2021-42392.
CWE-94 Improper Control of Generation of Code ('Code Injection')

CVSSv2:
  • Base Score: HIGH (10.0)
  • Vector: /AV:N/AC:L/Au:N/C:C/I:C/A:C
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H


CVE-2021-23463  

The package com.h2database:h2 from 1.4.198 and before 2.0.202 is vulnerable to XML External Entity (XXE) Injection via the org.h2.jdbc.JdbcSQLXML class object, when it receives parsed string data from the org.h2.jdbc.JdbcResultSet.getSQLXML() method. If it executes the getSource() method when the parameter is DOMSource.class it will trigger the vulnerability.
CWE-611 Improper Restriction of XML External Entity Reference ('XXE')

CVSSv2:
  • Base Score: MEDIUM (6.4)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:P
CVSSv3:
  • Base Score: CRITICAL (9.1)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H


h2-1.4.200.jar: data.zip: table.js

File Path: /home/andrii/.m2/repository/com/h2database/h2/1.4.200/h2-1.4.200.jar/org/h2/util/data.zip/org/h2/server/web/res/table.js
MD5: 0e4b062032d1a5ea21b7ad0d878d3c31
SHA1: c5efb4c787ace5210d545d68742f415d28a61bdc
SHA256:0e1bf9d8833063242e13836bd0fca607763676308acf8b6e6992e7d7d8008d45
Referenced In Project/Scope:space-comments:compile

Identifiers

  • None

h2-1.4.200.jar: data.zip: tree.js

File Path: /home/andrii/.m2/repository/com/h2database/h2/1.4.200/h2-1.4.200.jar/org/h2/util/data.zip/org/h2/server/web/res/tree.js
MD5: 98225c0658feee5efb09b28c76e25884
SHA1: 6b84951f0a2febfbb1046e768d12f784047ce48c
SHA256:e9ee4656df4c1db81dcf20b7dcdcf08701c3b63f929ae8d8af69c334212c169e
Referenced In Project/Scope:space-comments:compile

Identifiers

  • None

ha-api-3.1.9.jar

Description:

Java.net - The Source for Java Technology Collaboration

File Path: /home/andrii/.m2/repository/org/glassfish/ha/ha-api/3.1.9/ha-api-3.1.9.jar
MD5: c347dede33d4a25276c7d6a4af22b8ff
SHA1: c68b600634d4d4bae3fc54575ae850e734dc1af5
SHA256:ef3c515399e7ff43836d58e76baa1e876cfdd27c358baab12a96a7e0032c30a3
Referenced In Project/Scope:space-comments:provided

Identifiers

hibernate-2.1.8-atlassian-34.jar

Description:

Atlassian's fork of Hibernate 2.1.8.

License:

LGPL 2.1 License: http://www.gnu.org/licenses/lgpl-2.1.txt
File Path: /home/andrii/.m2/repository/hibernate/hibernate/2.1.8-atlassian-34/hibernate-2.1.8-atlassian-34.jar
MD5: e2f476aa6aca1f97a7370e7d5e7e5eda
SHA1: 320cf229f5d108767612337d03039b3c64a0793b
SHA256:6560f94ebc9aa26784fc755842afcff221fd941230051a9a4a558c890a3f8edb
Referenced In Project/Scope:space-comments:provided

Identifiers

hibernate-commons-annotations-5.0.1.Final.jar

Description:

Common reflection code used in support of annotation processing

License:

GNU Lesser General Public License: http://www.gnu.org/licenses/lgpl-2.1.html
File Path: /home/andrii/.m2/repository/org/hibernate/common/hibernate-commons-annotations/5.0.1.Final/hibernate-commons-annotations-5.0.1.Final.jar
MD5: 2a9d6f5a4ece96557bc4300ecc4486fb
SHA1: 71e1cff3fcb20d3b3af4f3363c3ddb24d33c6879
SHA256:9431ca05c335f9b6ec550f5d65ad56047a5f336e2d41cce4067591d20c4e51df
Referenced In Project/Scope:space-comments:provided

Identifiers

hibernate-core-5.2.18.Final.jar

Description:

The core O/RM functionality as provided by Hibernate

License:

GNU Lesser General Public License: http://www.gnu.org/licenses/lgpl-2.1.html
File Path: /home/andrii/.m2/repository/org/hibernate/hibernate-core/5.2.18.Final/hibernate-core-5.2.18.Final.jar
MD5: a5e6ac320c1b5fd739d213dc050cfc29
SHA1: c1861a015d47f55ffc6cb120216d17af177e0b90
SHA256:4688003fc081063f0d73f43424b309bac9bd8589fecb5767e0ad26788a5bfdff
Referenced In Project/Scope:space-comments:provided

Identifiers

CVE-2020-25638  

A flaw was found in hibernate-core in versions prior to and including 5.4.23.Final. A SQL injection in the implementation of the JPA Criteria API can permit unsanitized literals when a literal is used in the SQL comments of the query. This flaw could allow an attacker to access unauthorized information or possibly conduct further attacks. The highest threat from this vulnerability is to data confidentiality and integrity.
CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVSSv2:
  • Base Score: MEDIUM (5.8)
  • Vector: /AV:N/AC:M/Au:N/C:P/I:P/A:N
CVSSv3:
  • Base Score: HIGH (7.4)
  • Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N


CVE-2019-14900  

A flaw was found in Hibernate ORM in versions before 5.3.18, 5.4.18 and 5.5.0.Beta1. A SQL injection in the implementation of the JPA Criteria API can permit unsanitized literals when a literal is used in the SELECT or GROUP BY parts of the query. This flaw could allow an attacker to access unauthorized information or possibly conduct further attacks.
CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVSSv2:
  • Base Score: MEDIUM (4.0)
  • Vector: /AV:N/AC:L/Au:S/C:P/I:N/A:N
CVSSv3:
  • Base Score: MEDIUM (6.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N


hibernate-envers-5.2.2.Final.jar

Description:

ENtity VERSioning support

License:

GNU Lesser General Public License: http://www.gnu.org/licenses/lgpl-2.1.html
File Path: /home/andrii/.m2/repository/org/hibernate/hibernate-envers/5.2.2.Final/hibernate-envers-5.2.2.Final.jar
MD5: b481ebff6eef67cb2254fc4f41872ab8
SHA1: 34d9a72456f84269d1cd1d6ad01bab5e0c3f7828
SHA256:728edc2d76ba799ccfe4d4008b6dc2027acd917097ac52bfd5d11349dcc81708
Referenced In Project/Scope:space-comments:provided

Identifiers

CVE-2020-25638  

A flaw was found in hibernate-core in versions prior to and including 5.4.23.Final. A SQL injection in the implementation of the JPA Criteria API can permit unsanitized literals when a literal is used in the SQL comments of the query. This flaw could allow an attacker to access unauthorized information or possibly conduct further attacks. The highest threat from this vulnerability is to data confidentiality and integrity.
CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVSSv2:
  • Base Score: MEDIUM (5.8)
  • Vector: /AV:N/AC:M/Au:N/C:P/I:P/A:N
CVSSv3:
  • Base Score: HIGH (7.4)
  • Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N


CVE-2019-14900  

A flaw was found in Hibernate ORM in versions before 5.3.18, 5.4.18 and 5.5.0.Beta1. A SQL injection in the implementation of the JPA Criteria API can permit unsanitized literals when a literal is used in the SELECT or GROUP BY parts of the query. This flaw could allow an attacker to access unauthorized information or possibly conduct further attacks.
CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVSSv2:
  • Base Score: MEDIUM (4.0)
  • Vector: /AV:N/AC:L/Au:S/C:P/I:N/A:N
CVSSv3:
  • Base Score: MEDIUM (6.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N


hibernate-jpa-2.1-api-1.0.0.Final.jar

Description:

Clean-room definition of JPA APIs intended for use in developing Hibernate JPA implementation.  See README.md for details

License:

Eclipse Public License (EPL), Version 1.0: http://www.eclipse.org/legal/epl-v10.html
Eclipse Distribution License (EDL), Version 1.0: http://www.eclipse.org/org/documents/edl-v10.php
File Path: /home/andrii/.m2/repository/org/hibernate/javax/persistence/hibernate-jpa-2.1-api/1.0.0.Final/hibernate-jpa-2.1-api-1.0.0.Final.jar
MD5: 01b091825023c97fdfd6d2bceebe03ff
SHA1: 5e731d961297e5a07290bfaf3db1fbc8bbbf405a
SHA256:ab46597e3a057f99c8339fffe14c1d27f9dbd2409ae840c62121b00d983c78bd
Referenced In Project/Scope:space-comments:provided

Identifiers

hibernate-validator-6.0.21.Final.jar

Description:

Hibernate's Bean Validation (JSR-380) reference implementation.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/andrii/.m2/repository/org/hibernate/validator/hibernate-validator/6.0.21.Final/hibernate-validator-6.0.21.Final.jar
MD5: d7889b64835a9134fe880d9f358a9d70
SHA1: 7a78bd29f9931b2d4fd92edd05085e664f357bfe
SHA256:7010ca3c3a47626fa482ef5476ca2f1485fd0d7cb5f201419446fe265ec56755
Referenced In Project/Scope:space-comments:provided

Identifiers

hibernate.adapter-1.0.3.jar

License:

Apache License 2.0: http://www.apache.org/licenses/LICENSE-2.0
Atlassian Customer Agreement: https://www.atlassian.com/customer-agreement/
File Path: /home/andrii/.m2/repository/com/atlassian/hibernate/hibernate.adapter/1.0.3/hibernate.adapter-1.0.3.jar
MD5: b8c98d71fd21e9b8bddbea7a68de4907
SHA1: 9a10153a88a63d80324358a2e3e42d21e187e0f8
SHA256:46efe609cd5b0f727a7eefb7e5b714c78759ba7593a18f6d928e864f844edde6
Referenced In Project/Scope:space-comments:provided

Identifiers

hsqldb-2.3.0.jar

Description:

HSQLDB - Lightweight 100% Java SQL Database Engine

License:

HSQLDB License, a BSD open source license: http://hsqldb.org/web/hsqlLicense.html
File Path: /home/andrii/.m2/repository/org/hsqldb/hsqldb/2.3.0/hsqldb-2.3.0.jar
MD5: c168667de846cafe5bf2a4d268f4665d
SHA1: 93306187b1a782f2b929d12536022185487037d2
SHA256:ff82a3a8b768b237ff71d71f040b005e37d844a715d4b6205ded0fad1fc28019
Referenced In Project/Scope:space-comments:provided

Identifiers

CVE-2022-41853  

Those using java.sql.Statement or java.sql.PreparedStatement in hsqldb (HyperSQL DataBase) to process untrusted input may be vulnerable to a remote code execution attack. By default it is allowed to call any static method of any Java class in the classpath resulting in code execution. The issue can be prevented by updating to 2.7.1 or by setting the system property "hsqldb.method_class_names" to classes which are allowed to be called. For example, System.setProperty("hsqldb.method_class_names", "abc") or Java argument -Dhsqldb.method_class_names="abc" can be used. From version 2.7.1 all classes by default are not accessible except those in java.lang.Math and need to be manually enabled.
NVD-CWE-noinfo

CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H


httpclient-4.5.5.jar

Description:

Apache HttpComponents Client

File Path: /home/andrii/.m2/repository/org/apache/httpcomponents/httpclient/4.5.5/httpclient-4.5.5.jar
MD5: 97e7e5b135476b7d25a5ab31e1ea4922
SHA1: 1603dfd56ebcd583ccdf337b6c3984ac55d89e58
SHA256:7e97724443ad2a25ad8c73183431d47cc7946271bcbbdfa91a8a17522a566573
Referenced In Project/Scope:space-comments:provided

Identifiers

CVE-2020-13956  

Apache HttpClient versions prior to version 4.5.13 and 5.0.3 can misinterpret a malformed authority component in request URIs passed to the library as a java.net.URI object and pick the wrong target host for request execution.
NVD-CWE-noinfo

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (5.3)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N


httpclient-cache-4.5.3.jar

Description:

Apache HttpComponents HttpClient - Cache

File Path: /home/andrii/.m2/repository/org/apache/httpcomponents/httpclient-cache/4.5.3/httpclient-cache-4.5.3.jar
MD5: cf3f254ca1228dd59818a2dff708e247
SHA1: baa6474c7f9b9f027a02fbbee375263ac482e343
SHA256:8c9cf6355ab7b3cfd812f9bfaddf8f8c02f1a3a59496abc0d6717b98ce989599
Referenced In Project/Scope:space-comments:provided

Identifiers

CVE-2020-13956  

Apache HttpClient versions prior to version 4.5.13 and 5.0.3 can misinterpret a malformed authority component in request URIs passed to the library as a java.net.URI object and pick the wrong target host for request execution.
NVD-CWE-noinfo

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (5.3)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N


httpcore-4.4.9.jar

Description:

Apache HttpComponents Core (blocking I/O)

File Path: /home/andrii/.m2/repository/org/apache/httpcomponents/httpcore/4.4.9/httpcore-4.4.9.jar
MD5: b89455507839c09d6119661defd2166a
SHA1: a86ce739e5a7175b4b234c290a00a5fdb80957a0
SHA256:1b4a1c0b9b4222eda70108d3c6e2befd4a6be3d9f78ff53dd7a94966fdf51fc5
Referenced In Project/Scope:space-comments:provided

Identifiers

httpmime-4.5.5.jar

Description:

Apache HttpComponents HttpClient - MIME coded entities

File Path: /home/andrii/.m2/repository/org/apache/httpcomponents/httpmime/4.5.5/httpmime-4.5.5.jar
MD5: 519a5a3902d446926764f568784adbff
SHA1: 8281b24b8a493374cd2aa8a90c4156588f7dbcb6
SHA256:e46206931b7426102e658f086f74ee582761264a8f9977fba02c1e200c51a9c5
Referenced In Project/Scope:space-comments:provided

Identifiers

icu4j-64.1.jar

Description:

International Component for Unicode for Java (ICU4J) is a mature, widely used Java library providing Unicode and Globalization support

License:

Unicode/ICU License: https://raw.githubusercontent.com/unicode-org/icu/master/icu4c/LICENSE
File Path: /home/andrii/.m2/repository/com/ibm/icu/icu4j/64.1/icu4j-64.1.jar
MD5: 5135c14813b6bc28e8afd1b5ea5f4818
SHA1: 1ab5b994d5882dd949e2293e82973ed5decd3dc6
SHA256:c9f4093e5788dec652dfc0744ec1bfee7e68c0e13e36880712aeaea28cb9cd35
Referenced In Project/Scope:space-comments:provided

Identifiers

  • pkg:maven/com.ibm.icu/icu4j@64.1  (Confidence:High)
  • cpe:2.3:a:icu-project:international_components_for_unicode:64.1:*:*:*:*:*:*:*  (Confidence:Low)  
  • cpe:2.3:a:unicode:international_components_for_unicode:64.1:*:*:*:*:*:*:*  (Confidence:Low)  

imageio-core-3.4.1.jar

File Path: /home/andrii/.m2/repository/com/twelvemonkeys/imageio/imageio-core/3.4.1/imageio-core-3.4.1.jar
MD5: f981bf55862728f35856a61e8789be28
SHA1: e6a2ab00c5b39c70c024e85ed277698177cbf3e0
SHA256:21a42e88d3c9f7c8255ce77428f1f3bd377ea497ff4d42baec3b1ec68aba22b9
Referenced In Project/Scope:space-comments:provided

Identifiers

CVE-2021-23792  

The package com.twelvemonkeys.imageio:imageio-metadata before 3.7.1 is vulnerable to XML External Entity (XXE) Injection due to an insecurely initialized XML parser for reading XMP Metadata. An attacker can exploit this vulnerability if they are able to supply a file (e.g. when an online profile picture is processed) with a malicious XMP segment. If the XMP metadata of the uploaded image is parsed, then the XXE vulnerability is triggered.
CWE-611 Improper Restriction of XML External Entity Reference ('XXE')

CVSSv2:
  • Base Score: HIGH (7.5)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H


index-50b0b662.js

File Path: /home/andrii/IdeaProjects/confluence-comments-server/src/main/resources/js/build/_snowpack/pkg/common/index-50b0b662.js
MD5: 8b2d3f1856f9199fde3105a515e92018
SHA1: b1ac3668162d95555dd6397775ff525446e5f0b2
SHA256:996a0d7b2b1e089b83c3853c9a99f09473b97f103a2680f9c4430b05191a0570
Referenced In Project/Scope:space-comments

Identifiers

  • None

index-a6389306.js

File Path: /home/andrii/IdeaProjects/confluence-comments-server/src/main/resources/js/build/_snowpack/pkg/common/index-a6389306.js
MD5: d7caafac4fe58b83bf7a13f35ffc7f3f
SHA1: a1883775e48b8c90e57553775c8266ff17a648a9
SHA256:111f01e1adfb3a9ece4cdf858f39626cb51508b0ce3db2b3e5da93f17a35ed69
Referenced In Project/Scope:space-comments

Identifiers

  • None

index-ae389540.js

File Path: /home/andrii/IdeaProjects/confluence-comments-server/src/main/resources/js/build/_snowpack/pkg/common/index-ae389540.js
MD5: 1ca37270eca588ace11108632349508f
SHA1: 70e629a96532be92bbcc9f02910ca3ff53c9ed4f
SHA256:d51674991097379c240821773053bff52ff46d53d70b7cf35f3f09a0684f1648
Referenced In Project/Scope:space-comments

Identifiers

  • None

index-ed440ea1.js

File Path: /home/andrii/IdeaProjects/confluence-comments-server/src/main/resources/js/build/_snowpack/pkg/common/index-ed440ea1.js
MD5: bc250d081983329a59b18e1359b2ad34
SHA1: bd6943bf5293cef8b879f6e92477265720cdf6d2
SHA256:95885cd0cbbef7e21687a1bc64f28e62e84d653ccb612c02b49f09eced4198f0
Referenced In Project/Scope:space-comments

Identifiers

  • None

index.js

File Path: /home/andrii/IdeaProjects/confluence-comments-server/src/main/resources/js/build/src/index.js
MD5: ff15e4e69d6022f11f1b11ae1209a46b
SHA1: b74f89799952aa9bc55e1857bd21b7c58ba0df1c
SHA256:245661b80984685b504d7fa7a008a55107ad3d8be93f7b61df1d1a1f95bf3797
Referenced In Project/Scope:space-comments

Identifiers

  • None

istack-commons-runtime-3.0.7.jar

Description:

istack common utility code

License:

https://glassfish.java.net/public/CDDL+GPL_1_1.html, https://glassfish.java.net/public/CDDL+GPL_1_1.html
File Path: /home/andrii/.m2/repository/com/sun/istack/istack-commons-runtime/3.0.7/istack-commons-runtime-3.0.7.jar
MD5: 83e9617b86023b91bd54f65c09838f4b
SHA1: c197c86ceec7318b1284bffb49b54226ca774003
SHA256:6443e10ba2e259fb821d9b6becf10db5316285fc30c53cec9d7b19a3877e7fdf
Referenced In Project/Scope:space-comments:provided

Identifiers

j2objc-annotations-1.1.jar

Description:

A set of annotations that provide additional information to the J2ObjC translator to modify the result of translation.

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/andrii/.m2/repository/com/google/j2objc/j2objc-annotations/1.1/j2objc-annotations-1.1.jar
MD5: 49ae3204bb0bb9b2ac77062641f4a6d7
SHA1: ed28ded51a8b1c6b112568def5f4b455e6809019
SHA256:2994a7eb78f2710bd3d3bfb639b2c94e219cedac0d4d084d516e78c16dddecf6
Referenced In Project/Scope:space-comments:compile

Identifiers

jackson-core-2.12.1.jar

Description:

Core Jackson processing abstractions (aka Streaming API), implementation for JSON

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/andrii/.m2/repository/com/fasterxml/jackson/core/jackson-core/2.12.1/jackson-core-2.12.1.jar
MD5: 6a65df7a5e62df2754726857b4ab0257
SHA1: 7c5493930e439be6fcec80a9afd6516b8e5e8760
SHA256:cc899cb6eae0c80b87d590eea86528797369cc4feb7b79463207d6bb18f0c257
Referenced In Project/Scope:space-comments:compile

Identifiers

jackson-core-asl-1.9.13-atlassian-5.jar

Description:

Jackson is a high-performance JSON processor (parser, generator)

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/andrii/.m2/repository/org/codehaus/jackson/jackson-core-asl/1.9.13-atlassian-5/jackson-core-asl-1.9.13-atlassian-5.jar
MD5: c747f577dd55f7b19ee6231b98823525
SHA1: be9b997685e10367f5ad1b28c6e9483bde9b53f3
SHA256:11153210bfdbd838165b4c97643a10f428620a150b9c43702b686fe584e2fdb5
Referenced In Project/Scope:space-comments:provided

Identifiers

jackson-databind-2.12.1.jar

Description:

General data-binding functionality for Jackson: works on core streaming API

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/andrii/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.12.1/jackson-databind-2.12.1.jar
MD5: 1925b6e2feac7e63e164f57e6fb42c9d
SHA1: 8a97e00e429c42f74757b0a8cd1d39dddd41524f
SHA256:f2ca3c28ebded59c98447d51afe945323df961540af66a063c015597af936aa0
Referenced In Project/Scope:space-comments:compile

Identifiers

CVE-2020-36518  

jackson-databind before 2.13.0 allows a Java StackOverflow exception and denial of service via a large depth of nested objects.
CWE-787 Out-of-bounds Write

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:P
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H


CVE-2022-42003  

In FasterXML jackson-databind before 2.14.0-rc1, resource exhaustion can occur because of a lack of a check in primitive value deserializers to avoid deep wrapper array nesting, when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled. Additional fix version in 2.13.4.1 and 2.12.17.1.
CWE-502 Deserialization of Untrusted Data

CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H


CVE-2022-42004  

In FasterXML jackson-databind before 2.13.4, resource exhaustion can occur because of a lack of a check in BeanDeserializer._deserializeFromArray to prevent use of deeply nested arrays. An application is vulnerable only with certain customized choices for deserialization.
CWE-502 Deserialization of Untrusted Data

CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H


jackson-dataformat-yaml-2.14.0.jar

Description:

Support for reading and writing YAML-encoded data via Jackson abstractions.

License:

https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/andrii/.m2/repository/com/fasterxml/jackson/dataformat/jackson-dataformat-yaml/2.14.0/jackson-dataformat-yaml-2.14.0.jar
MD5: 7c7b82bb5c2332d9df899689bbcb93ef
SHA1: 06c635ef06d3e4e72a7e9868da41ffa1a0f98d28
SHA256:76e8a33ef1f5f8cce9668ebaf8999626846ccacb36dea81bcdaf79e32443de33
Referenced In Project/Scope:space-comments:compile

Identifiers

jackson-datatype-joda-2.12.1.jar

Description:

Add-on module for Jackson (http://github.com/FasterXML/jackson) to support Joda (https://www.joda.org/joda-time/) data types.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/andrii/.m2/repository/com/fasterxml/jackson/datatype/jackson-datatype-joda/2.12.1/jackson-datatype-joda-2.12.1.jar
MD5: 8461dd73c521b761fe789f6d024497a4
SHA1: d35d1de7d9651e849dfd76c602e0f4d19f68603d
SHA256:b5b90042bf1febbf4eb1cf5c8de5c76e12d2a3a8cf49dcc2a7e374c01430ef0e
Referenced In Project/Scope:space-comments:provided

Identifiers

jackson-jaxrs-1.9.2.jar

Description:

Jax-RS provider for JSON content type, based on Jackson JSON processor's data binding functionality.

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
GNU Lesser General Public License (LGPL), Version 2.1: http://www.fsf.org/licensing/licenses/lgpl.txt
File Path: /home/andrii/.m2/repository/org/codehaus/jackson/jackson-jaxrs/1.9.2/jackson-jaxrs-1.9.2.jar
MD5: 98fad059e87a847a1ef8e2d278b17e74
SHA1: aedf43f1d5005561e531b6bf0d067e4d20f58aba
SHA256:99c3cb687c2d1c458c34bc582f22bb34e8ee12eba532df47b849454aa2fd7092
Referenced In Project/Scope:space-comments:provided

Identifiers

jackson-mapper-asl-1.9.13-atlassian-5.jar

Description:

Data Mapper package is a high-performance data binding package built on Jackson JSON processor

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/andrii/.m2/repository/org/codehaus/jackson/jackson-mapper-asl/1.9.13-atlassian-5/jackson-mapper-asl-1.9.13-atlassian-5.jar
MD5: d347ff5d0050debcd1243b2d729a2c1f
SHA1: 6986526440063c92f2a0c1268504f4e3b515d5c7
SHA256:8f3103bf14416ed623c15ce86e5640424a7b32e375cea152bf2cf9186f97fb8f
Referenced In Project/Scope:space-comments:provided

Identifiers

jackson-module-afterburner-2.14.0.jar

Description:

Jackson (https://github.com/FasterXML/jackson) extension module used to enhance performance using bytecode generation to replace use of Reflection for field access and method calls

License:

The Apache Software License, Version 2.0: https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/andrii/.m2/repository/com/fasterxml/jackson/module/jackson-module-afterburner/2.14.0/jackson-module-afterburner-2.14.0.jar
MD5: e6ae821f1eb230dbaf21ecaa6ab68f40
SHA1: f613906269364011c225204dd1580f0dc0ae9bb8
SHA256:8b226bd25f1ab3ceb83588ba9511007755d40efed48809885ca473b0cb3b3348
Referenced In Project/Scope:space-comments:compile

Identifiers

jackson-module-blackbird-2.14.0.jar

Description:

Jackson (https://github.com/FasterXML/jackson) extension module that uses LambdaMetafactory based code generation to replace reflection calls.

License:

The Apache Software License, Version 2.0: https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/andrii/.m2/repository/com/fasterxml/jackson/module/jackson-module-blackbird/2.14.0/jackson-module-blackbird-2.14.0.jar
MD5: aaa5c88f79c1ba748a66c5a34cf7dcbf
SHA1: c7eca36524232173406b0caf7553f42a80c0ca8d
SHA256:ec7d98afad49b2264a216a7e6b7cd28035d40fe3ac5fa1229fc8be4a4a8ba451
Referenced In Project/Scope:space-comments:compile

Identifiers

jackson-xc-1.9.2.jar

Description:

Extensions that provide interoperability support for Jackson JSON processor's data binding functionality.

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
GNU Lesser General Public License (LGPL), Version 2.1: http://www.fsf.org/licensing/licenses/lgpl.txt
File Path: /home/andrii/.m2/repository/org/codehaus/jackson/jackson-xc/1.9.2/jackson-xc-1.9.2.jar
MD5: d9d4d69e16e45595f0542eb6f2cf1117
SHA1: 437c991a8eb2c8b69ef1dba2eba27fccb9b98448
SHA256:97ddd164678c2705da7b22e9db3110c416b39cdfc50f385d23b586551d76a195
Referenced In Project/Scope:space-comments:provided

Identifiers

CVE-2018-7489  

FasterXML jackson-databind before 2.7.9.3, 2.8.x before 2.8.11.1 and 2.9.x before 2.9.5 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the c3p0 libraries are available in the classpath.
CWE-502 Deserialization of Untrusted Data, CWE-184 Incomplete Blacklist

CVSSv2:
  • Base Score: HIGH (7.5)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H


CVE-2020-36518  

jackson-databind before 2.13.0 allows a Java StackOverflow exception and denial of service via a large depth of nested objects.
CWE-787 Out-of-bounds Write

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:P
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H


CVE-2022-42003  

In FasterXML jackson-databind before 2.14.0-rc1, resource exhaustion can occur because of a lack of a check in primitive value deserializers to avoid deep wrapper array nesting, when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled. Additional fix version in 2.13.4.1 and 2.12.17.1.
CWE-502 Deserialization of Untrusted Data

CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H


CVE-2022-42004  

In FasterXML jackson-databind before 2.13.4, resource exhaustion can occur because of a lack of a check in BeanDeserializer._deserializeFromArray to prevent use of deeply nested arrays. An application is vulnerable only with certain customized choices for deserialization.
CWE-502 Deserialization of Untrusted Data

CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H


jai_codec-1.1.3.jar

Description:

Java Advanced Imaging Codec

File Path: /home/andrii/.m2/repository/com/sun/jai_codec/1.1.3/jai_codec-1.1.3.jar
MD5: 1b0f328c9eda0992167ce503b0a5afcc
SHA1: 34a67ba62097778e4695c951156bf189c2c8e016
SHA256:6d7824d972c0b6e10daa95f430f917d2256954535e62def9d287e79bf7824200
Referenced In Project/Scope:space-comments:provided

Identifiers

jai_core-1.1.3.jar

Description:

Java Advanced Imaging Core

File Path: /home/andrii/.m2/repository/com/sun/jai_core/1.1.3/jai_core-1.1.3.jar
MD5: f398bc038307ee434bac1b93ba3ab02d
SHA1: b179d2efb1174658483e8b41bf4ac9d2eb5de438
SHA256:8b696cf067533545f44c2f68339e24ab1a2669153ed2081aa5be8749f4d592bf
Referenced In Project/Scope:space-comments:provided

Identifiers

jakarta-regexp-1.4.jar

File Path: /home/andrii/.m2/repository/jakarta-regexp/jakarta-regexp/1.4/jakarta-regexp-1.4.jar
MD5: 5d8b8c601c21b37aa6142d38f45c0297
SHA1: 0ea514a179ac1dd7e81c7e6594468b9b9910d298
SHA256:85ea3985d7fec552d6de6f02d8e18789c3fcd539081eb8c7c444eabf6cb3f7bc
Referenced In Project/Scope:space-comments:compile

Identifiers

jakarta.mail-1.6.5.jar

Description:

Jakarta Mail API

License:

http://www.eclipse.org/legal/epl-2.0, https://www.gnu.org/software/classpath/license.html, http://www.eclipse.org/org/documents/edl-v10.php
File Path: /home/andrii/.m2/repository/com/sun/mail/jakarta.mail/1.6.5/jakarta.mail-1.6.5.jar
MD5: 214c580ee5913b9c69926cec66919f64
SHA1: d08124137cf42397d00b71b5985fd1dc248ac07f
SHA256:f4b500a1dd9ffd03ed7d8b2062fa5fd10d5beca4c42611672764bf4365751b53
Referenced In Project/Scope:space-comments:provided

Identifiers

jandex-2.0.3.Final.jar

Description:

Parent POM for JBoss projects. Provides default project build configuration.

License:

Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/andrii/.m2/repository/org/jboss/jandex/2.0.3.Final/jandex-2.0.3.Final.jar
MD5: 77db6e55da888349f5466d2dcf150b14
SHA1: bfc4d6257dbff7a33a357f0de116be6ff951d849
SHA256:a3a65250cf954f102e74bab23df12540780878231195b585a7a86f4364a53727
Referenced In Project/Scope:space-comments:provided

Identifiers

javassist-3.22.0-GA.jar

Description:

Javassist (JAVA programming ASSISTant) makes Java bytecode manipulation simple. It is a class library for editing bytecodes in Java.

License:

MPL 1.1: http://www.mozilla.org/MPL/MPL-1.1.html
LGPL 2.1: http://www.gnu.org/licenses/lgpl-2.1.html
Apache License 2.0: http://www.apache.org/licenses/
File Path: /home/andrii/.m2/repository/org/javassist/javassist/3.22.0-GA/javassist-3.22.0-GA.jar
MD5: 69f277ed4c6631e45ec4cacd0e6e46c6
SHA1: 3e83394258ae2089be7219b971ec21a8288528ad
SHA256:59531c00f3e3aa1ff48b3a8cf4ead47d203ab0e2fd9e0ad401f764e05947e252
Referenced In Project/Scope:space-comments:provided

Identifiers

javax.activation-1.2.0.jar

Description:

JavaBeans Activation Framework

License:

https://github.com/javaee/activation/blob/master/LICENSE.txt
File Path: /home/andrii/.m2/repository/com/sun/activation/javax.activation/1.2.0/javax.activation-1.2.0.jar
MD5: be7c430df50b330cffc4848a3abedbfb
SHA1: bf744c1e2776ed1de3c55c8dac1057ec331ef744
SHA256:993302b16cd7056f21e779cc577d175a810bb4900ef73cd8fbf2b50f928ba9ce
Referenced In Project/Scope:space-comments:provided

Identifiers

javax.activation-api-1.2.0.jar

Description:

JavaBeans Activation Framework API jar

License:

https://github.com/javaee/activation/blob/master/LICENSE.txt
File Path: /home/andrii/.m2/repository/javax/activation/javax.activation-api/1.2.0/javax.activation-api-1.2.0.jar
MD5: 5e50e56bcf4a3ef3bc758f69f7643c3b
SHA1: 85262acf3ca9816f9537ca47d5adeabaead7cb16
SHA256:43fdef0b5b6ceb31b0424b208b930c74ab58fac2ceeb7b3f6fd3aeb8b5ca4393
Referenced In Project/Scope:space-comments:compile

Identifiers

javax.annotation-api-1.3.2.jar

Description:

Common Annotations for the JavaTM Platform API

License:

CDDL + GPLv2 with classpath exception: https://github.com/javaee/javax.annotation/blob/master/LICENSE
File Path: /home/andrii/.m2/repository/javax/annotation/javax.annotation-api/1.3.2/javax.annotation-api-1.3.2.jar
MD5: 2ab1973eefffaa2aeec47d50b9e40b9d
SHA1: 934c04d3cfef185a8008e7bf34331b79730a9d43
SHA256:e04ba5195bcd555dc95650f7cc614d151e4bcd52d29a10b8aa2197f3ab89ab9b
Referenced In Project/Scope:space-comments:provided

Identifiers

javax.inject-1.jar

Description:

The javax.inject API

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/andrii/.m2/repository/javax/inject/javax.inject/1/javax.inject-1.jar
MD5: 289075e48b909e9e74e6c915b3631d2e
SHA1: 6975da39a7040257bd51d21a231b76c915872d38
SHA256:91c77044a50c481636c32d916fd89c9118a72195390452c81065080f957de7ff
Referenced In Project/Scope:space-comments:provided

Identifiers

javax.json-1.1.4.jar

Description:

Default provider for JSR 374:Java API for Processing JSON

License:

https://oss.oracle.com/licenses/CDDL+GPL-1.1
File Path: /home/andrii/.m2/repository/org/glassfish/javax.json/1.1.4/javax.json-1.1.4.jar
MD5: ac67218fb9716fec512be8d0d877bde2
SHA1: 943f240a509d3c70b448a55c6735591ecbd37c88
SHA256:17fdeb7e22375a7fb40bb0551306f6dcf2b5743078668adcdf6c642c9a9ec955
Referenced In Project/Scope:space-comments:compile

Identifiers

javax.jws-api-1.1.jar

Description:

Java EE Web Services Metadata API

License:

CDDL + GPLv2 with classpath exception: https://glassfish.dev.java.net/nonav/public/CDDL+GPL.html
File Path: /home/andrii/.m2/repository/javax/jws/javax.jws-api/1.1/javax.jws-api-1.1.jar
MD5: 69723c79242ebda0d321b5ec8fbdf4fb
SHA1: c623941ebd225bb05ea546dc81590a62e40e4fce
SHA256:9f20ab1fea3f9571ed52a9d98e3c651cc7c04c8a709addf238312b60987c6f2c
Referenced In Project/Scope:space-comments:provided

Identifiers

javax.mail-1.5.6.jar

Description:

JavaMail API

License:

https://glassfish.java.net/public/CDDL+GPL_1_1.html
File Path: /home/andrii/.m2/repository/com/sun/mail/javax.mail/1.5.6/javax.mail-1.5.6.jar
MD5: 5e6a70a6deed03bbbae6322af632b34c
SHA1: ab5daef2f881c42c8e280cbe918ec4d7fdfd7efe
SHA256:40ca806a724848616d88461ea565bc597d92b8a90ba426ab92e4c471552dd097
Referenced In Project/Scope:space-comments:provided

Identifiers

javax.mail-api-1.5.6.jar

Description:

JavaMail API jar

License:

https://glassfish.java.net/public/CDDL+GPL_1_1.html
File Path: /home/andrii/.m2/repository/javax/mail/javax.mail-api/1.5.6/javax.mail-api-1.5.6.jar
MD5: ef5bb8caf9c5e11c70e530272ae37d39
SHA1: 51c7a973efb1123558b62e95e31ab03cfa00fa7a
SHA256:bde0f921bb08ec62eca77eb61b39becf3072e9fcbdbc2aaade84b8e6394d7560
Referenced In Project/Scope:space-comments:provided

Identifiers

javax.servlet-api-3.0.1.jar

Description:

Java.net - The Source for Java Technology Collaboration

License:

CDDL + GPLv2 with classpath exception: https://glassfish.dev.java.net/nonav/public/CDDL+GPL.html
File Path: /home/andrii/.m2/repository/javax/servlet/javax.servlet-api/3.0.1/javax.servlet-api-3.0.1.jar
MD5: 3ef236ac4c24850cd54abff60be25f35
SHA1: 6bf0ebb7efd993e222fc1112377b5e92a13b38dd
SHA256:377d8bde87ac6bc7f83f27df8e02456d5870bb78c832dac656ceacc28b016e56
Referenced In Project/Scope:space-comments:provided

Identifiers

javax.transaction-api-1.2.jar

Description:

Project GlassFish Java Transaction API

License:

CDDL + GPLv2 with classpath exception: https://glassfish.dev.java.net/nonav/public/CDDL+GPL.html
File Path: /home/andrii/.m2/repository/javax/transaction/javax.transaction-api/1.2/javax.transaction-api-1.2.jar
MD5: 2dfee184286530e726ad155816e15b4c
SHA1: d81aff979d603edd90dcd8db2abc1f4ce6479e3e
SHA256:9528449583c34d9d63aa1d8d15069790f925ae1f27b33784773b8099eff4c9ff
Referenced In Project/Scope:space-comments:provided

Identifiers

javax.ws.rs-api-2.0.1.jar

Description:

Java API for RESTful Web Services (JAX-RS)

License:

CDDL 1.1: http://glassfish.java.net/public/CDDL+GPL_1_1.html
GPL2 w/ CPE: http://glassfish.java.net/public/CDDL+GPL_1_1.html
File Path: /home/andrii/.m2/repository/javax/ws/rs/javax.ws.rs-api/2.0.1/javax.ws.rs-api-2.0.1.jar
MD5: edcd111cf4d3ba8ac8e1f326efc37a17
SHA1: 104e9c2b5583cfcfeac0402316221648d6d8ea6b
SHA256:38607d626f2288d8fbc1b1f8a62c369e63806d9a313ac7cbc5f9d6c94f4b466d
Referenced In Project/Scope:space-comments:compile

Identifiers

javax.xml.soap-api-1.4.0.jar

Description:

SAAJ API

License:

CDDL + GPLv2 with classpath exception: https://github.com/javaee/javax.xml.soap/blob/master/LICENSE
File Path: /home/andrii/.m2/repository/javax/xml/soap/javax.xml.soap-api/1.4.0/javax.xml.soap-api-1.4.0.jar
MD5: fb8bbe2cdda8ff7bd945fcb9f0f6b61c
SHA1: 667ef2eee594ca7e05a1cbe0b37a428f7b57778f
SHA256:141374e33be99768611a2d42b9d33571a0c5b9763beca9c2dc90900d8cc8f767
Referenced In Project/Scope:space-comments:provided

Identifiers

jaxb-api-2.3.1.jar

Description:

JAXB (JSR 222) API

License:

https://oss.oracle.com/licenses/CDDL+GPL-1.1, https://oss.oracle.com/licenses/CDDL+GPL-1.1
File Path: /home/andrii/.m2/repository/javax/xml/bind/jaxb-api/2.3.1/jaxb-api-2.3.1.jar
MD5: bcf270d320f645ad19f5edb60091e87f
SHA1: 8531ad5ac454cc2deb9d4d32c40c4d7451939b5d
SHA256:88b955a0df57880a26a74708bc34f74dcaf8ebf4e78843a28b50eae945732b06
Referenced In Project/Scope:space-comments:compile

Identifiers

jaxb-runtime-2.3.1.jar

Description:

JAXB (JSR 222) Reference Implementation

File Path: /home/andrii/.m2/repository/org/glassfish/jaxb/jaxb-runtime/2.3.1/jaxb-runtime-2.3.1.jar
MD5: 848098e3eda0d37738d51a7acacd8e95
SHA1: dd6dda9da676a54c5b36ca2806ff95ee017d8738
SHA256:45fecfa5c8217ce1f3652ab95179790ec8cc0dec0384bca51cbeb94a293d9f2f
Referenced In Project/Scope:space-comments:provided

Identifiers

jaxen-1.1.6.jar

Description:

Jaxen is a universal Java XPath engine.

License:

http://jaxen.codehaus.org/license.html
File Path: /home/andrii/.m2/repository/jaxen/jaxen/1.1.6/jaxen-1.1.6.jar
MD5: a140517286b56eea981e188dcc3a13f6
SHA1: 3f8c36d9a0578e8e98f030c662b69888b1430ac0
SHA256:5ac9c74bbb3964b34a886ba6b1b6c0b0dc3ebeebc1dc4a44942a76634490b3eb
Referenced In Project/Scope:space-comments:provided

Identifiers

jaxws-api-2.3.1.jar

Description:

JAX-WS (JSR 224) API

License:

CDDL + GPLv2 with classpath exception: https://github.com/javaee/jax-ws-spec/blob/master/LICENSE.md
File Path: /home/andrii/.m2/repository/javax/xml/ws/jaxws-api/2.3.1/jaxws-api-2.3.1.jar
MD5: 5a6f94e95cc2054bc840cc2f2fedc5d8
SHA1: 15e46dba25b1f767a3f517721badf6cce8dbb13d
SHA256:a447f84f95658ea68b347acffe156f7700c62a37ede15d81e5298fb8e5fe6dcf
Referenced In Project/Scope:space-comments:provided

Identifiers

jaxws-rt-2.3.1.jar (shaded: com.sun.xml.ws:httpspi-servlet:2.3.1)

Description:

HTTP SPI for JAX-WS RI

File Path: /home/andrii/.m2/repository/com/sun/xml/ws/jaxws-rt/2.3.1/jaxws-rt-2.3.1.jar/META-INF/maven/com.sun.xml.ws/httpspi-servlet/pom.xml
MD5: b11888c915a4b1dce1722311c730f330
SHA1: 0d9b69bfa23a03e1134ba10a14d02e069b037fc9
SHA256:67b176735bdb09cad0f157f8568c9a9098dafca2e33d71a76e854184164a9c8c
Referenced In Project/Scope:space-comments:provided

Identifiers

jaxws-rt-2.3.1.jar (shaded: com.sun.xml.ws:jaxws-rt-bundle:2.3.1)

Description:

JAXWS bundle with module descriptor

File Path: /home/andrii/.m2/repository/com/sun/xml/ws/jaxws-rt/2.3.1/jaxws-rt-2.3.1.jar/META-INF/maven/com.sun.xml.ws/jaxws-rt-bundle/pom.xml
MD5: ebf9326f0c17f7ddfa6090bbbfb611b4
SHA1: 58005377fe2930f46854ee9ada8656d811ce0c2b
SHA256:32254c8942284b86fe3a364b9210868766408cb146ce67debe7c470be707f2d3
Referenced In Project/Scope:space-comments:provided

Identifiers

jaxws-rt-2.3.1.jar (shaded: com.sun.xml.ws:rt-fi:2.3.1)

Description:

Fast Infoset Support for JAX-WS RI

File Path: /home/andrii/.m2/repository/com/sun/xml/ws/jaxws-rt/2.3.1/jaxws-rt-2.3.1.jar/META-INF/maven/com.sun.xml.ws/rt-fi/pom.xml
MD5: ae23371e47d9d33a25c3bebf6f5c6252
SHA1: cfc70e00b3c0677ff68999e04e0f9a55abca9431
SHA256:b327b50506d2e1b30587af89eea7281a41cd28dbf463315e33c886da55a62031
Referenced In Project/Scope:space-comments:provided

Identifiers

jaxws-rt-2.3.1.jar (shaded: com.sun.xml.ws:rt:2.3.1)

Description:

JAX-WS Reference Implementation Runtime

File Path: /home/andrii/.m2/repository/com/sun/xml/ws/jaxws-rt/2.3.1/jaxws-rt-2.3.1.jar/META-INF/maven/com.sun.xml.ws/rt/pom.xml
MD5: 156befd8a968e91ed22117b8c50159a4
SHA1: 7e6fca97592b9480a681a5dc5df9a96ae12b826d
SHA256:1b79d5181a8e10058718c1d341e3540d8edab7702ffa50b4effa904e1779c761
Referenced In Project/Scope:space-comments:provided

Identifiers

jaxws-rt-2.3.1.jar (shaded: com.sun.xml.ws:servlet:2.3.1)

Description:

Servlet Support for JAX-WS RI

File Path: /home/andrii/.m2/repository/com/sun/xml/ws/jaxws-rt/2.3.1/jaxws-rt-2.3.1.jar/META-INF/maven/com.sun.xml.ws/servlet/pom.xml
MD5: 7588542d091a45765afae4f63f6c4b85
SHA1: 03d29d8f253540b412db3888b8aab2581a7ec0c1
SHA256:aae4fcdbdd7be2620ae1617bbe49aaeb343483f9eb32005a1014ebe91ca90a67
Referenced In Project/Scope:space-comments:provided

Identifiers

jaxws-rt-2.3.1.jar

File Path: /home/andrii/.m2/repository/com/sun/xml/ws/jaxws-rt/2.3.1/jaxws-rt-2.3.1.jar
MD5: 9db69eec606e9d3023d09256c2102d87
SHA1: faada6fe82b87adf410bd0c59886fff0122d7512
SHA256:4f8d8d4008e0dffe575ce6d4a37cf1dc84ac32441679a4de13924202572d1b72
Referenced In Project/Scope:space-comments:provided

Identifiers

jboss-logging-3.3.1.Final.jar

Description:

The JBoss Logging Framework

License:

Apache License, version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/andrii/.m2/repository/org/jboss/logging/jboss-logging/3.3.1.Final/jboss-logging-3.3.1.Final.jar
MD5: 93cf8945ff84aaf9f0ed9a76991338fb
SHA1: c46217ab74b532568c0ed31dc599db3048bd1b67
SHA256:9f7d8b884370763b131bf48a0fc91edec89ad80e0e40c47658098a686a905bb2
Referenced In Project/Scope:space-comments:provided

Identifiers

jboss-logging-annotations-2.0.0.Final.jar

License:

Apache License, version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/andrii/.m2/repository/org/jboss/logging/jboss-logging-annotations/2.0.0.Final/jboss-logging-annotations-2.0.0.Final.jar
MD5: 9858a903b55d4f36ace8eaadf05541ab
SHA1: f69fbbab3a164589e1ac09e603a3948de56e31b1
SHA256:f8624863d3725359eac214aed1269935f5ba91260e7440aa7e5d854f3a87de23
Referenced In Project/Scope:space-comments:provided

Identifiers

jcaptcha-api-2.0.0.jar

File Path: /home/andrii/.m2/repository/io/leopard/thirdparty/jcaptcha-api/2.0.0/jcaptcha-api-2.0.0.jar
MD5: 622199963f8467668ffa14ca3350196b
SHA1: aad8675f07d8923db2d1d558d2039d1cf6c2d51d
SHA256:d8192d1146136f7eddc5962339daadcf989fa2b548ceab1a871470e07dd6eb57
Referenced In Project/Scope:space-comments:provided

Identifiers

jcaptcha-core-2.0.0.jar

File Path: /home/andrii/.m2/repository/io/leopard/thirdparty/jcaptcha-core/2.0.0/jcaptcha-core-2.0.0.jar
MD5: 4d8703e3e0329002ef4d5764ec59fc38
SHA1: bb9d5a295aabefcaf4957fca745bf4f13b8ec479
SHA256:4477976ef53ebbd730b1bb0c4a1bd93c064e247c33c10bd1ef93b5ccbc21bc51
Referenced In Project/Scope:space-comments:provided

Identifiers

jcip-annotations-1.0.jar

File Path: /home/andrii/.m2/repository/net/jcip/jcip-annotations/1.0/jcip-annotations-1.0.jar
MD5: ead9d5ffa6e89b529667d9f1bca26207
SHA1: 6055a7559d9e7ba1ff8fa62b55f0eaad3af7046e
SHA256:bfb83cc9e49f8d58275e19c53ff715193edcd7d69fa54ba2aff745be57926696
Referenced In Project/Scope:space-comments:provided

Identifiers

jcl-over-slf4j-1.7.25.jar

Description:

JCL 1.2 implemented over SLF4J

File Path: /home/andrii/.m2/repository/org/slf4j/jcl-over-slf4j/1.7.25/jcl-over-slf4j-1.7.25.jar
MD5: 56b22adc639b09b2e917f42d68b26600
SHA1: f8c32b13ff142a513eeb5b6330b1588dcb2c0461
SHA256:5e938457e79efcbfb3ab64bc29c43ec6c3b95fffcda3c155f4a86cc320c11e14
Referenced In Project/Scope:space-comments:compile

Identifiers

jdiagnostics-1.0.7.jar

Description:

Support bundle builder and classpath debugger for Java applications

License:

Apache-2.0: http://www.apache.org/licenses/LICENSE-2.0.html
File Path: /home/andrii/.m2/repository/org/anarres/jdiagnostics/jdiagnostics/1.0.7/jdiagnostics-1.0.7.jar
MD5: 1b8cbb9aaab34e975a739cf7c4ae9226
SHA1: 80e5376cae663b057da66204cb5ff0d79b5a0f47
SHA256:7c7fe5347ce2d147ff7bc372f4b2e110d60261fb0f2809e719e3c56ca52ee3d7
Referenced In Project/Scope:space-comments:compile

Identifiers

jdom-1.1.3.jar

Description:

A complete, Java-based solution for accessing, manipulating, and outputting XML data

License:

Similar to Apache License but with the acknowledgment clause removed: https://raw.github.com/hunterhacker/jdom/master/LICENSE.txt
File Path: /home/andrii/.m2/repository/org/jdom/jdom/1.1.3/jdom-1.1.3.jar
MD5: 140bfed13341fe2039eee0f26a16d705
SHA1: 8bdfeb39fa929c35f5e4f0b02d34350db39a1efc
SHA256:02bd61a725e8af9b0176b43bf29816d0c748b8ab951385bd127be37489325a0a
Referenced In Project/Scope:space-comments:provided

Identifiers

CVE-2021-33813  

An XXE issue in SAXBuilder in JDOM through 2.0.6 allows attackers to cause a denial of service via a crafted HTTP request.
CWE-611 Improper Restriction of XML External Entity Reference ('XXE')

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:P
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H


jersey-core-1.19.4.jar

Description:

Jersey is the open source (under dual CDDL+GPL license) JAX-RS (JSR 311) production quality Reference Implementation for building RESTful Web services.

License:

http://glassfish.java.net/public/CDDL+GPL_1_1.html, http://glassfish.java.net/public/CDDL+GPL_1_1.html
File Path: /home/andrii/.m2/repository/com/sun/jersey/jersey-core/1.19.4/jersey-core-1.19.4.jar
MD5: cf0c3489cb307a1ef3bce3a5e63dde9b
SHA1: 21c5319c82ca29705715b315553a16f11b16655e
SHA256:64b03198e0264849d0fc341857ebcc9c882b1909a2dc35a0972fe7d901b826e5
Referenced In Project/Scope:space-comments:provided

Identifiers

jettison-1.1.jar

Description:

A StAX implementation for JSON.

File Path: /home/andrii/.m2/repository/org/codehaus/jettison/jettison/1.1/jettison-1.1.jar
MD5: fc80e0aabd516c54739262c3d618303a
SHA1: 1a01a2a1218fcf9faa2cc2a6ced025bdea687262
SHA256:377940288b0643c48780137f6f68578937e1ea5ca2b73830a820c50a7b7ed801
Referenced In Project/Scope:space-comments:provided

Identifiers

CVE-2022-40149  

Those using Jettison to parse untrusted XML or JSON data may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow. This effect may support a denial of service attack.
CWE-787 Out-of-bounds Write

CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H


CVE-2022-40150  

Those using Jettison to parse untrusted XML or JSON data may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by Out of memory. This effect may support a denial of service attack.
CWE-400 Uncontrolled Resource Consumption ('Resource Exhaustion')

CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H


jira-integration-spi-6.2.4.jar

File Path: /home/andrii/.m2/repository/com/atlassian/integration/jira/jira-integration-spi/6.2.4/jira-integration-spi-6.2.4.jar
MD5: 57406d39a8c0f330d624e8f63e5105bc
SHA1: 35e484faea06b38fc3a84c0cfd8a04fac16a44c4
SHA256:b49d081d036d517987679a3adf7df6d4886fa2cc4581ee11307b363818b640ea
Referenced In Project/Scope:space-comments:provided

Identifiers

CVE-2017-5983  

The JIRA Workflow Designer Plugin in Atlassian JIRA Server before 6.3.0 improperly uses an XML parser and deserializer, which allows remote attackers to execute arbitrary code, read arbitrary files, or cause a denial of service via a crafted serialized Java object.
CWE-502 Deserialization of Untrusted Data

CVSSv2:
  • Base Score: HIGH (7.5)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H


CVE-2019-11581  

There was a server-side template injection vulnerability in Jira Server and Data Center, in the ContactAdministrators and the SendBulkMail actions. An attacker is able to remotely execute code on systems that run a vulnerable version of Jira Server or Data Center. All versions of Jira Server and Data Center from 4.4.0 before 7.6.14, from 7.7.0 before 7.13.5, from 8.0.0 before 8.0.3, from 8.1.0 before 8.1.2, and from 8.2.0 before 8.2.3 are affected by this vulnerability.
CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

CVSSv2:
  • Base Score: HIGH (9.3)
  • Vector: /AV:N/AC:M/Au:N/C:C/I:C/A:C
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H


CVE-2019-20409  

The way in which velocity templates were used in Atlassian Jira Server and Data Center prior to version 8.8.0 allowed remote attackers to gain remote code execution if they were able to exploit a server side template injection vulnerability.
CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

CVSSv2:
  • Base Score: HIGH (7.5)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H


CVE-2020-14172  

This issue exists to document that a security improvement in the way that Jira Server and Data Center use velocity templates has been implemented. The way in which velocity templates were used in Atlassian Jira Server and Data Center in affected versions allowed remote attackers to achieve remote code execution via insecure deserialization, if they were able to exploit a server side template injection vulnerability. The affected versions are before version 7.13.0, from version 8.0.0 before 8.5.0, and from version 8.6.0 before version 8.8.1.
CWE-502 Deserialization of Untrusted Data

CVSSv2:
  • Base Score: HIGH (7.5)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H


CVE-2016-4319  

Atlassian JIRA Server before 7.1.9 has CSRF in auditing/settings.
CWE-352 Cross-Site Request Forgery (CSRF)

CVSSv2:
  • Base Score: MEDIUM (6.8)
  • Vector: /AV:N/AC:M/Au:N/C:P/I:P/A:P
CVSSv3:
  • Base Score: HIGH (8.8)
  • Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H


CVE-2017-18113  

The DefaultOSWorkflowConfigurator class in Jira Server and Jira Data Center before version 8.18.1 allows remote attackers who can trick a system administrator to import their malicious workflow to execute arbitrary code via a Remote Code Execution (RCE) vulnerability. The vulnerability allowed for various problematic OSWorkflow classes to be used as part of workflows. The fix for this issue blocks usage of unsafe conditions, validators, functions and registers that are built into the OSWorkflow library and other Jira dependencies. Atlassian-made functions or functions provided by 3rd party plugins are not affected by this fix.
CWE-94 Improper Control of Generation of Code ('Code Injection')

CVSSv2:
  • Base Score: MEDIUM (6.8)
  • Vector: /AV:N/AC:M/Au:N/C:P/I:P/A:P
CVSSv3:
  • Base Score: HIGH (8.8)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H


CVE-2019-8443  

The ViewUpgrades resource in Jira before version 7.13.4, from version 8.0.0 before version 8.0.4, and from version 8.1.0 before version 8.1.1 allows remote attackers who have obtained access to administrator's session to access the ViewUpgrades administrative resource without needing to re-authenticate to pass "WebSudo" through an improper access control vulnerability.
CWE-287 Improper Authentication

CVSSv2:
  • Base Score: MEDIUM (6.8)
  • Vector: /AV:N/AC:M/Au:N/C:P/I:P/A:P
CVSSv3:
  • Base Score: HIGH (8.1)
  • Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H


CVE-2018-5231  

The ForgotLoginDetails resource in Atlassian Jira before version 7.6.6, from version 7.7.0 before version 7.7.4, from version 7.8.0 before version 7.8.4 and from version 7.9.0 before version 7.9.2 allows remote attackers to perform a denial of service attack via sending requests to it.
NVD-CWE-noinfo

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:P
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H


CVE-2019-20413  

Affected versions of Atlassian Jira Server and Data Center allow remote attackers to impact the application's availability via a Denial of Service (DoS) vulnerability on the UserPickerBrowser.jspa page. The affected versions are before version 7.13.9, and from version 8.0.0 before 8.4.2.
NVD-CWE-noinfo

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:P
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H


CVE-2019-20898  

Affected versions of Atlassian Jira Server and Data Center allow remote attackers to access sensitive information without being authenticated in the Global permissions screen. The affected versions are before version 8.8.0.
NVD-CWE-noinfo

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N


CVE-2019-3399  

The BrowseProjects.jspa resource in Jira before version 7.13.2, and from version 8.0.0 before version 8.0.2 allows remote attackers to see information for archived projects through a missing authorisation check.
CWE-862 Missing Authorization

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N


CVE-2019-8442  

The CachingResourceDownloadRewriteRule class in Jira before version 7.13.4, and from version 8.0.0 before version 8.0.4, and from version 8.1.0 before version 8.1.1 allows remote attackers to access files in the Jira webroot under the META-INF directory via a lax path access check.
NVD-CWE-noinfo

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N


CVE-2020-14167  

The MessageBundleResource resource in Jira Server and Data Center before version 7.13.4, from 8.5.0 before 8.5.5, from 8.8.0 before 8.8.2, and from 8.9.0 before 8.9.1 allows remote attackers to impact the application's availability via a Denial of Service (DoS) vulnerability.
NVD-CWE-noinfo

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:P
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H


CVE-2020-14178  

Affected versions of Atlassian Jira Server and Data Center allow remote attackers to enumerate project keys via an Information Disclosure vulnerability in the /browse.PROJECTKEY endpoint. The affected versions are before version 7.13.7, from version 8.0.0 before 8.5.8, and from version 8.6.0 before 8.12.0.
NVD-CWE-noinfo

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N


CVE-2021-39113  

Affected versions of Atlassian Jira Server and Data Center allow anonymous remote attackers to continue to view cached content even after losing permissions, via a Broken Access Control vulnerability in the allowlist feature. The affected versions are before version 8.13.9, and from version 8.14.0 before 8.18.0.
CWE-613 Insufficient Session Expiration

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N


CVE-2021-39123  

Affected versions of Atlassian Jira Server and Data Center allow unauthenticated remote attackers to impact the application's availability via a Denial of Service (DoS) vulnerability in the /rest/gadget/1.0/createdVsResolved/generate endpoint. The affected versions are before version 8.16.0.
NVD-CWE-noinfo

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:P
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H


CVE-2021-41305  

Affected versions of Atlassian Jira Server and Data Center allow anonymous remote attackers to view the names of private projects and filters via an Insecure Direct Object References (IDOR) vulnerability in the Average Number of Times in Status Gadget. The affected versions are before version 8.13.12.
CWE-639 Authorization Bypass Through User-Controlled Key

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CVE-2021-41306  

Affected versions of Atlassian Jira Server and Data Center allow anonymous remote attackers to view private project and filter names via an Insecure Direct Object References (IDOR) vulnerability in the Average Time in Status Gadget. The affected versions are before version 8.13.12, and from version 8.14.0 before 8.20.0.
CWE-639 Authorization Bypass Through User-Controlled Key

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CVE-2021-41307  

Affected versions of Atlassian Jira Server and Data Center allow unauthenticated remote attackers to view the names of private projects and private filters via an Insecure Direct Object References (IDOR) vulnerability in the Workload Pie Chart Gadget. The affected versions are before version 8.13.12, and from version 8.14.0 before 8.20.0.
CWE-639 Authorization Bypass Through User-Controlled Key

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CVE-2021-41312  

Affected versions of Atlassian Jira Server and Data Center allow a remote attacker who has had their access revoked from Jira Service Management to enable and disable Issue Collectors on Jira Service Management projects via an Improper Authentication vulnerability in the /secure/ViewCollectors endpoint. The affected versions are before version 8.19.1.
CWE-287 Improper Authentication

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

CVE-2021-26070  

Affected versions of Atlassian Jira Server and Data Center allow remote attackers to evade behind-the-firewall protection of app-linked resources via a Broken Authentication vulnerability in the `makeRequest` gadget resource. The affected versions are before version 8.13.3, and from version 8.14.0 before 8.14.1.
CWE-287 Improper Authentication

CVSSv2:
  • Base Score: MEDIUM (6.4)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:N
CVSSv3:
  • Base Score: HIGH (7.2)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

CVE-2021-43947  

Affected versions of Atlassian Jira Server and Data Center allow remote attackers with administrator privileges to execute arbitrary code via a Remote Code Execution (RCE) vulnerability in the Email Templates feature. This issue bypasses the fix of https://jira.atlassian.com/browse/JSDSERVER-8665. The affected versions are before version 8.13.15, and from version 8.14.0 before 8.20.3.
NVD-CWE-noinfo

CVSSv2:
  • Base Score: HIGH (9.0)
  • Vector: /AV:N/AC:L/Au:S/C:C/I:C/A:C
CVSSv3:
  • Base Score: HIGH (7.2)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CVE-2008-6531  

The WebWork 1 web application framework in Atlassian JIRA before 3.13.2 allows remote attackers to invoke exposed public JIRA methods via a crafted URL that is dynamically transformed into method calls, aka "WebWork 1 Parameter Injection Hole."
CWE-94 Improper Control of Generation of Code ('Code Injection')

CVSSv2:
  • Base Score: MEDIUM (6.8)
  • Vector: /AV:N/AC:M/Au:N/C:P/I:P/A:P

CVE-2017-18033  

The Jira-importers-plugin in Atlassian Jira before version 7.6.1 allows remote attackers to create new projects and abort an executing external system import via various Cross-site request forgery (CSRF) vulnerabilities.
CWE-352 Cross-Site Request Forgery (CSRF)

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (6.5)
  • Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

CVE-2017-18101  

Various administrative external system import resources in Atlassian JIRA Server (including JIRA Core) before version 7.6.5, from version 7.7.0 before version 7.7.3, from version 7.8.0 before version 7.8.3 and before version 7.9.0 allow remote attackers to run import operations and to determine if an internal service exists through missing permission checks.
CWE-862 Missing Authorization

CVSSv2:
  • Base Score: MEDIUM (6.4)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (6.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

CVE-2019-11583  

The issue searching component in Jira before version 8.1.0 allows remote attackers to deny access to the Jira service via a denial of service vulnerability in issue search when ordering by "Epic Name".
NVD-CWE-noinfo

CVSSv2:
  • Base Score: MEDIUM (4.0)
  • Vector: /AV:N/AC:L/Au:S/C:N/I:N/A:P
CVSSv3:
  • Base Score: MEDIUM (6.5)
  • Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CVE-2019-11587  

Various exposed resources of the ViewLogging class in Jira before version 7.13.6, from version 8.0.0 before version 8.2.3, and from version 8.3.0 before version 8.3.2 allow remote attackers to modify various settings via Cross-site request forgery (CSRF).
CWE-352 Cross-Site Request Forgery (CSRF)

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (6.5)
  • Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

CVE-2019-20410  

Affected versions of Atlassian Jira Server and Data Center allow remote attackers to view sensitive information via an Information Disclosure vulnerability in the comment restriction feature. The affected versions are before version 7.6.17, from version 7.7.0 before 7.13.9, and from version 8.0.0 before 8.4.2.
NVD-CWE-noinfo

CVSSv2:
  • Base Score: MEDIUM (4.0)
  • Vector: /AV:N/AC:L/Au:S/C:P/I:N/A:N
CVSSv3:
  • Base Score: MEDIUM (6.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CVE-2019-20418  

Affected versions of Atlassian Jira Server and Data Center allow remote attackers to prevent users from accessing the instance via an Application Denial of Service vulnerability in the /rendering/wiki endpoint. The affected versions are before version 8.8.0.
NVD-CWE-noinfo

CVSSv2:
  • Base Score: MEDIUM (4.0)
  • Vector: /AV:N/AC:L/Au:S/C:N/I:N/A:P
CVSSv3:
  • Base Score: MEDIUM (6.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CVE-2019-20897  

The avatar upload feature in affected versions of Atlassian Jira Server and Data Center allows remote attackers to achieve Denial of Service via a crafted PNG file. The affected versions are before version 8.5.4, from version 8.6.0 before 8.6.2, and from version 8.7.0 before 8.7.1.
CWE-434 Unrestricted Upload of File with Dangerous Type

CVSSv2:
  • Base Score: MEDIUM (4.0)
  • Vector: /AV:N/AC:L/Au:S/C:N/I:N/A:P
CVSSv3:
  • Base Score: MEDIUM (6.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CVE-2021-41308  

Affected versions of Atlassian Jira Server and Data Center allow authenticated yet non-administrator remote attackers to edit the File Replication settings via a Broken Access Control vulnerability in the `ReplicationSettings!default.jspa` endpoint. The affected versions are before version 8.6.0, from version 8.7.0 before 8.13.12, and from version 8.14.0 before 8.20.1.
NVD-CWE-Other

CVSSv2:
  • Base Score: MEDIUM (4.0)
  • Vector: /AV:N/AC:L/Au:S/C:N/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (6.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

CVE-2016-6285  

Cross-site scripting (XSS) vulnerability in includes/decorators/global-translations.jsp in Atlassian JIRA before 7.2.2 allows remote attackers to inject arbitrary web script or HTML via the HTTP Host header.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (6.1)
  • Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CVE-2017-14594  

The printable searchrequest issue resource in Atlassian Jira before version 7.2.12 and from version 7.3.0 before 7.6.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the jqlQuery query parameter.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (6.1)
  • Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CVE-2017-16863  

The PieChart gadget in Atlassian Jira before version 7.5.3 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability through the name of a project or filter.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (6.1)
  • Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CVE-2017-16864  

The issue search resource in Atlassian Jira before version 7.4.2 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the orderby parameter.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (6.1)
  • Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CVE-2017-18039  

The IncomingMailServers resource in Atlassian Jira from version 6.2.1 before version 7.4.4 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the messagesThreshold parameter.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (6.1)
  • Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CVE-2017-18098  

The searchrequest-xml resource in Atlassian Jira before version 7.6.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability through various fields.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (6.1)
  • Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CVE-2017-18100  

The agile wallboard gadget in Atlassian Jira before version 7.8.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the name of quick filters.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (6.1)
  • Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CVE-2018-13387  

The IncomingMailServers resource in Atlassian JIRA Server before version 7.6.7, from version 7.7.0 before version 7.7.5, from version 7.8.0 before version 7.8.5, from version 7.9.0 before version 7.9.3 and from version 7.10.0 before version 7.10.2 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the messagesThreshold parameter as the fix for CVE-2017-18039 was incomplete.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (6.1)
  • Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CVE-2018-13395  

Various resources in Atlassian Jira before version 7.6.8, from version 7.7.0 before version 7.7.5, from version 7.8.0 before version 7.8.5, from version 7.9.0 before version 7.9.3, from version 7.10.0 before version 7.10.3 and before version 7.11.1 allow remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the epic colour field of an issue while an issue is being moved.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (6.1)
  • Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CVE-2018-13401  

The XsrfErrorAction resource in Atlassian Jira before version 7.6.9, from version 7.7.0 before version 7.7.5, from version 7.8.0 before version 7.8.5, from version 7.9.0 before version 7.9.3, from version 7.10.0 before version 7.10.3, from version 7.11.0 before version 7.11.3, from version 7.12.0 before version 7.12.3, and before version 7.13.1 allows remote attackers to obtain a user's Cross-site request forgery (CSRF) token through an open redirect vulnerability.
CWE-601 URL Redirection to Untrusted Site ('Open Redirect')

CVSSv2:
  • Base Score: MEDIUM (5.8)
  • Vector: /AV:N/AC:M/Au:N/C:P/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (6.1)
  • Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CVE-2018-13402  

Many resources in Atlassian Jira before version 7.6.9, from version 7.7.0 before version 7.7.5, from version 7.8.0 before version 7.8.5, from version 7.9.0 before version 7.9.3, from version 7.10.0 before version 7.10.3, from version 7.11.0 before version 7.11.3, from version 7.12.0 before version 7.12.3, and before version 7.13.1 allow remote attackers to attack users and, in some cases, to obtain a user's Cross-site request forgery (CSRF) token, via an open redirect vulnerability.
CWE-601 URL Redirection to Untrusted Site ('Open Redirect')

CVSSv2:
  • Base Score: MEDIUM (5.8)
  • Vector: /AV:N/AC:M/Au:N/C:P/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (6.1)
  • Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CVE-2018-20824  

The WallboardServlet resource in Jira before version 7.13.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the cyclePeriod parameter.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (6.1)
  • Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CVE-2018-5230  

The issue collector in Atlassian Jira before version 7.6.6, from version 7.7.0 before version 7.7.4, from version 7.8.0 before version 7.8.4 and from version 7.9.0 before version 7.9.2 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the error message of custom fields when an invalid value is specified.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (6.1)
  • Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CVE-2018-5232  

The EditIssue.jspa resource in Atlassian Jira before version 7.6.7 and from version 7.7.0 before version 7.10.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the issuetype parameter.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (6.1)
  • Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CVE-2019-11584  

The MigratePriorityScheme resource in Jira before version 8.3.2 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the priority icon url of an issue priority.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (6.1)
  • Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CVE-2019-11585  

The startup.jsp resource in Jira before version 7.13.6, from version 8.0.0 before version 8.2.3, and from version 8.3.0 before version 8.3.2 allows remote attackers to redirect users to a different website which they may use as part of performing a phishing attack via an open redirect.
CWE-601 URL Redirection to Untrusted Site ('Open Redirect')

CVSSv2:
  • Base Score: MEDIUM (5.8)
  • Vector: /AV:N/AC:M/Au:N/C:P/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (6.1)
  • Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CVE-2019-20417  

NOTE: This candidate is a duplicate of CVE-2019-15011. All CVE users should reference CVE-2019-15011 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage.
CWE-601 URL Redirection to Untrusted Site ('Open Redirect')

CVSSv2:
  • Base Score: MEDIUM (5.8)
  • Vector: /AV:N/AC:M/Au:N/C:P/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (6.1)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CVE-2019-20901  

The login.jsp resource in Jira before version 8.5.2, and from version 8.6.0 before version 8.6.1 allows remote attackers to redirect users to a different website which they may use as part of performing a phishing attack via an open redirect in the os_destination parameter.
CWE-601 URL Redirection to Untrusted Site ('Open Redirect')

CVSSv2:
  • Base Score: MEDIUM (5.8)
  • Vector: /AV:N/AC:M/Au:N/C:P/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (6.1)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CVE-2019-3402  

The ConfigurePortalPages.jspa resource in Jira before version 7.13.3 and from version 8.0.0 before version 8.1.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the searchOwnerUserName parameter.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (6.1)
  • Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CVE-2020-14164  

The WYSIWYG editor resource in Jira Server and Data Center before version 8.8.2 allows remote attackers to inject arbitrary HTML or JavaScript names via a Cross Site Scripting (XSS) vulnerability by pasting JavaScript code into the editor field.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (6.1)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CVE-2020-14169  

The quick search component in Atlassian Jira Server and Data Center before 8.9.1 allows remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (6.1)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CVE-2020-36236  

Affected versions of Atlassian Jira Server and Data Center allow remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability in the ViewWorkflowSchemes.jspa and ListWorkflows.jspa endpoints. The affected versions are before version 8.5.11, from version 8.6.0 before 8.13.3, and from version 8.14.0 before 8.15.0.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (6.1)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CVE-2020-36288  

The issue navigation and search view in Jira Server and Data Center before version 8.5.12, from version 8.6.0 before version 8.13.4, and from version 8.14.0 before version 8.15.1 allows remote attackers to inject arbitrary HTML or JavaScript via a DOM Cross-Site Scripting (XSS) vulnerability caused by parameter pollution.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (6.1)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CVE-2020-4022  

The attachment download resource in Atlassian Jira Server and Data Center before 8.5.5, and from 8.6.0 before 8.8.2, and from 8.9.0 before 8.9.1 allows remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability in issue attachments with a mixed multipart content type.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (6.1)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CVE-2021-26078  

The number range searcher component in Jira Server and Jira Data Center before version 8.5.14, from version 8.6.0 before version 8.13.6, and from version 8.14.0 before version 8.16.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (6.1)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CVE-2021-26079  

The CardLayoutConfigTable component in Jira Server and Jira Data Center before version 8.5.15, and from version 8.6.0 before version 8.13.7, and from version 8.14.0 before 8.17.0 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (6.1)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CVE-2021-39111  

The Editor plugin in Atlassian Jira Server and Data Center before version 8.5.18, from 8.6.0 before 8.13.10, and from version 8.14.0 before 8.18.2 allows remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability in the handling of supplied content such as from a PDF when pasted into a field such as the description field.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (6.1)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CVE-2021-41304  

Affected versions of Atlassian Jira Server and Data Center allow anonymous remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability in the /secure/admin/ImporterFinishedPage.jspa error message. The affected versions are before version 8.13.12, and from version 8.14.0 before 8.20.2.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (6.1)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CVE-2017-18104  

The Webhooks component of Atlassian Jira before version 7.6.7 and from version 7.7.0 before version 7.11.0 allows remote attackers who are able to observe or otherwise intercept webhook events to learn information about changes in issues that should not be sent because they are not contained within the results of a specified JQL query.
CWE-200 Information Exposure

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:P/I:N/A:N
CVSSv3:
  • Base Score: MEDIUM (5.9)
  • Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

CVE-2020-14168  

The email client in Jira Server and Data Center before version 7.13.16, from 8.5.0 before 8.5.7, from 8.8.0 before 8.8.2, and from 8.9.0 before 8.9.1 allows remote attackers to access outgoing emails between a Jira instance and the SMTP server via a man-in-the-middle (MITM) vulnerability.
NVD-CWE-noinfo

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:P/I:N/A:N
CVSSv3:
  • Base Score: MEDIUM (5.9)
  • Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

CVE-2017-18097  

The Trello board importer resource in Atlassian Jira before version 7.6.1 allows remote attackers who can convince a Jira administrator to import their Trello board to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the title of a Trello card.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv2:
  • Base Score: LOW (3.5)
  • Vector: /AV:N/AC:M/Au:S/C:N/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (5.4)
  • Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CVE-2018-13403  

The two-dimensional filter statistics gadget in Atlassian Jira before version 7.6.10, from version 7.7.0 before version 7.12.4, and from version 7.13.0 before version 7.13.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the name of a saved filter when displayed on a Jira dashboard.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv2:
  • Base Score: LOW (3.5)
  • Vector: /AV:N/AC:M/Au:S/C:N/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (5.4)
  • Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CVE-2018-20232  

The labels widget gadget in Atlassian Jira before version 7.6.11 and from version 7.7.0 before version 7.13.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the rendering of retrieved content from a url location that could be manipulated by the up_projectid widget preference setting.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv2:
  • Base Score: LOW (3.5)
  • Vector: /AV:N/AC:M/Au:S/C:N/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (5.4)
  • Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CVE-2019-20414  

Affected versions of Atlassian Jira Server and Data Center allow remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in Issue Navigator Basic Search. The affected versions are before version 7.13.9, and from version 8.0.0 before 8.4.2.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv2:
  • Base Score: LOW (3.5)
  • Vector: /AV:N/AC:M/Au:S/C:N/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (5.4)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CVE-2020-14173  

The file upload feature in Atlassian Jira Server and Data Center in affected versions allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability. The affected versions are before version 8.5.4, from version 8.6.0 before 8.6.2, and from version 8.7.0 before 8.7.1.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv2:
  • Base Score: LOW (3.5)
  • Vector: /AV:N/AC:M/Au:S/C:N/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (5.4)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CVE-2020-14184  

Affected versions of Atlassian Jira Server allow remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability in Jira issue filter export files. The affected versions are before 8.5.9, from version 8.6.0 before 8.12.3, and from version 8.13.0 before 8.13.1.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv2:
  • Base Score: LOW (3.5)
  • Vector: /AV:N/AC:M/Au:S/C:N/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (5.4)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CVE-2020-4021  

Affected versions of Atlassian Jira Server and Data Center (before 8.5.5, and from 8.6.0 before 8.8.1) allow remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the XML export view.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv2:
  • Base Score: LOW (3.5)
  • Vector: /AV:N/AC:M/Au:S/C:N/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (5.4)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CVE-2020-4024  

The attachment download resource in Atlassian Jira Server and Data Center before 8.5.5, and from 8.6.0 before 8.8.2, and from 8.9.0 before 8.9.1 allows remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability in issue attachments with a vnd.wap.xhtml+xml content type.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv2:
  • Base Score: LOW (3.5)
  • Vector: /AV:N/AC:M/Au:S/C:N/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (5.4)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CVE-2021-26082  

The XML Export in Atlassian Jira Server and Jira Data Center before version 8.5.14, from version 8.6.0 before 8.13.6, and from version 8.14.0 before 8.17.0 allows remote attackers to inject arbitrary HTML or JavaScript via a stored cross site scripting vulnerability.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv2:
  • Base Score: LOW (3.5)
  • Vector: /AV:N/AC:M/Au:S/C:N/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (5.4)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CVE-2021-26083  

Export HTML Report in Atlassian Jira Server and Jira Data Center before version 8.5.14, from version 8.6.0 before 8.13.6, and from version 8.14.0 before 8.16.1 allows remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv2:
  • Base Score: LOW (3.5)
  • Vector: /AV:N/AC:M/Au:S/C:N/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (5.4)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CVE-2017-16865  

The Trello importer in Atlassian Jira before version 7.6.1 allows remote attackers to access the content of internal network resources via a Server Side Request Forgery (SSRF). When running in an environment like Amazon EC2, this flaw may be used to access a metadata resource that provides access credentials and other potentially confidential information.
CWE-918 Server-Side Request Forgery (SSRF)

CVSSv2:
  • Base Score: LOW (3.5)
  • Vector: /AV:N/AC:M/Au:S/C:P/I:N/A:N
CVSSv3:
  • Base Score: MEDIUM (5.3)
  • Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N

CVE-2018-13391  

The ProfileLinkUserFormat component of Jira Server before version 7.6.8, from version 7.7.0 before version 7.7.5, from version 7.8.0 before version 7.8.5, from version 7.9.0 before version 7.9.3, from version 7.10.0 before version 7.10.3 and from version 7.11.0 before version 7.11.2 allows remote attackers who can access & view an issue to obtain the email address of the reporter and assignee user of an issue despite the configured email visibility setting being set to hidden.
CWE-200 Information Exposure

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSSv3:
  • Base Score: MEDIUM (5.3)
  • Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CVE-2019-20101  

Affected versions of Atlassian Jira Server and Data Center allow anonymous remote attackers to view whitelist rules via a Broken Access Control vulnerability in the /rest/whitelist/<version>/check endpoint. The affected versions are before version 8.13.3, and from version 8.14.0 before 8.14.1.
NVD-CWE-Other

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSSv3:
  • Base Score: MEDIUM (5.3)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CVE-2019-20408  

The /plugins/servlet/gadgets/makeRequest resource in Jira before version 8.7.0 allows remote attackers to access the content of internal network resources via a Server Side Request Forgery (SSRF) vulnerability due to a logic bug in the JiraWhitelist class.
CWE-918 Server-Side Request Forgery (SSRF)

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSSv3:
  • Base Score: MEDIUM (5.3)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CVE-2019-20412  

The Convert Sub-Task to Issue page in affected versions of Atlassian Jira Server and Data Center allows remote attackers to enumerate the following information via an Improper Authentication vulnerability: Workflow names; Project Key, if it is part of the workflow name; Issue Keys; Issue Types; Status Types. The affected versions are before version 7.13.9, and from version 8.0.0 before 8.4.2.
CWE-287 Improper Authentication

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSSv3:
  • Base Score: MEDIUM (5.3)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CVE-2019-20899  

The Gadget API in Atlassian Jira Server and Data Center in affected versions allows remote attackers to make Jira unresponsive via repeated requests to a certain endpoint in the Gadget API. The affected versions are before version 8.5.4, and from version 8.6.0 before 8.6.1.
NVD-CWE-noinfo

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:P
CVSSv3:
  • Base Score: MEDIUM (5.3)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

CVE-2019-3401  

The ManageFilters.jspa resource in Jira before version 7.13.3 and from version 8.0.0 before version 8.1.1 allows remote attackers to enumerate usernames via an incorrect authorisation check.
CWE-863 Incorrect Authorization

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSSv3:
  • Base Score: MEDIUM (5.3)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CVE-2019-3403  

The /rest/api/2/user/picker rest resource in Jira before version 7.13.3, from version 8.0.0 before version 8.0.4, and from version 8.1.0 before version 8.1.1 allows remote attackers to enumerate usernames via an incorrect authorisation check.
CWE-863 Incorrect Authorization

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSSv3:
  • Base Score: MEDIUM (5.3)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CVE-2019-8449  

The /rest/api/latest/groupuserpicker resource in Jira before version 8.4.0 allows remote attackers to enumerate usernames via an information disclosure vulnerability.
CWE-306 Missing Authentication for Critical Function

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSSv3:
  • Base Score: MEDIUM (5.3)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CVE-2020-14165  

The UniversalAvatarResource.getAvatars resource in Jira Server and Data Center before version 8.9.0 allows remote attackers to obtain information about custom project avatar names via an improper authorization vulnerability.
NVD-CWE-noinfo

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSSv3:
  • Base Score: MEDIUM (5.3)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CVE-2020-14181  

Affected versions of Atlassian Jira Server and Data Center allow an unauthenticated user to enumerate users via an Information Disclosure vulnerability in the /ViewUserHover.jspa endpoint. The affected versions are before version 7.13.6, from version 8.0.0 before 8.5.7, and from version 8.6.0 before 8.12.0.
CWE-200 Information Exposure

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSSv3:
  • Base Score: MEDIUM (5.3)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CVE-2020-14185  

Affected versions of Jira Server allow remote unauthenticated attackers to enumerate issue keys via a missing permissions check in the ActionsAndOperations resource. The affected versions are before 7.13.18, from version 8.0.0 before 8.5.9, and from version 8.6.0 before version 8.12.2.
CWE-862 Missing Authorization

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSSv3:
  • Base Score: MEDIUM (5.3)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CVE-2020-36235  

Affected versions of Atlassian Jira Server and Data Center allow unauthenticated remote attackers to view custom field and custom SLA names via an Information Disclosure vulnerability in the mobile site view. The affected versions are before version 8.13.2, and from version 8.14.0 before 8.14.1.
NVD-CWE-noinfo

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSSv3:
  • Base Score: MEDIUM (5.3)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CVE-2020-36237  

Affected versions of Atlassian Jira Server and Data Center allow unauthenticated remote attackers to view custom field options via an Information Disclosure vulnerability in the /rest/api/2/customFieldOption/ endpoint. The affected versions are before version 8.15.0.
NVD-CWE-noinfo

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSSv3:
  • Base Score: MEDIUM (5.3)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CVE-2020-36238  

The /rest/api/1.0/render resource in Jira Server and Data Center before version 8.5.13, from version 8.6.0 before version 8.13.5, and from version 8.14.0 before version 8.15.1 allows remote anonymous attackers to determine if a username is valid or not via a missing permissions check.
CWE-862 Missing Authorization

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSSv3:
  • Base Score: MEDIUM (5.3)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CVE-2020-36286  

The membersOf JQL search function in Jira Server and Data Center before version 8.5.13, from version 8.6.0 before version 8.13.5, and from version 8.14.0 before version 8.15.1 allows remote anonymous attackers to determine if a group exists & members of groups if they are assigned to a publicly visible issue field.
NVD-CWE-noinfo

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSSv3:
  • Base Score: MEDIUM (5.3)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CVE-2020-36287  

The dashboard gadgets preference resource of the Atlassian gadgets plugin used in Jira Server and Jira Data Center before version 8.13.5, and from version 8.14.0 before version 8.15.1 allows remote anonymous attackers to obtain gadget related settings via a missing permissions check.
CWE-862 Missing Authorization

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSSv3:
  • Base Score: MEDIUM (5.3)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CVE-2020-36289  

Affected versions of Atlassian Jira Server and Data Center allow an unauthenticated user to enumerate users via an Information Disclosure vulnerability in the QueryComponentRendererValue!Default.jspa endpoint. The affected versions are before version 8.5.13, from version 8.6.0 before 8.13.5, and from version 8.14.0 before 8.15.1.
CWE-863 Incorrect Authorization

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSSv3:
  • Base Score: MEDIUM (5.3)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CVE-2020-4028  

In versions before 8.9.1, various resources in Jira responded with a 404 instead of redirecting unauthenticated users to the login page; in some situations this may have allowed unauthorised attackers to determine if certain resources exist or not through an Information Disclosure vulnerability.
CWE-203 Information Exposure Through Discrepancy

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSSv3:
  • Base Score: MEDIUM (5.3)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CVE-2021-26069  

Affected versions of Atlassian Jira Server and Data Center allow unauthenticated remote attackers to download temporary files and enumerate project keys via an Information Disclosure vulnerability in the /rest/api/1.0/issues/{id}/ActionsAndOperations API endpoint. The affected versions are before version 8.5.11, from version 8.6.0 before 8.13.3, and from version 8.14.0 before 8.15.0.
CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSSv3:
  • Base Score: MEDIUM (5.3)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CVE-2021-26081  

REST API in Atlassian Jira Server and Jira Data Center before version 8.5.14, from version 8.6.0 before 8.13.6, and from version 8.14.0 before 8.16.1 allows remote attackers to enumerate usernames via a Sensitive Data Exposure vulnerability in the `/rest/api/latest/user/avatar/temporary` endpoint.
NVD-CWE-noinfo

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSSv3:
  • Base Score: MEDIUM (5.3)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CVE-2021-39118  

Affected versions of Atlassian Jira Server and Data Center allow remote attackers to discover the usernames and full names of users via an enumeration vulnerability in the /rest/api/1.0/render endpoint. The affected versions are before version 8.19.0.
NVD-CWE-noinfo

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSSv3:
  • Base Score: MEDIUM (5.3)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CVE-2021-39119  

Affected versions of Atlassian Jira Server and Data Center allow users who have watched an issue to continue receiving updates on the issue even after their Jira account is revoked, via a Broken Access Control vulnerability in the issue notification feature. The affected versions are before version 8.19.0.
CWE-863 Incorrect Authorization

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSSv3:
  • Base Score: MEDIUM (5.3)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CVE-2021-39122  

Affected versions of Atlassian Jira Server and Data Center allow anonymous remote attackers to view users' emails via an Information Disclosure vulnerability in the /rest/api/2/search endpoint. The affected versions are before version 8.5.13, from version 8.6.0 before 8.13.5, and from version 8.14.0 before 8.15.1.
NVD-CWE-noinfo

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSSv3:
  • Base Score: MEDIUM (5.3)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CVE-2021-39125  

Affected versions of Atlassian Jira Server and Data Center allow anonymous remote attackers to discover the usernames of users via an enumeration vulnerability in the password reset page. The affected versions are before version 8.5.10, and from version 8.6.0 before 8.13.1.
NVD-CWE-noinfo

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSSv3:
  • Base Score: MEDIUM (5.3)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CVE-2021-39127  

Affected versions of Atlassian Jira Server and Data Center allow anonymous remote attackers to the query component JQL endpoint via a Broken Access Control (BAC) vulnerability. The affected versions are before version 8.5.10, and from version 8.6.0 before 8.13.1.
NVD-CWE-Other

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (5.3)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

CVE-2019-20402  

Support zip files in Atlassian Jira Server and Data Center before version 8.6.0 could be downloaded by a System Administrator user without requiring the user to re-enter their password via an improper authorization vulnerability.
NVD-CWE-noinfo

CVSSv2:
  • Base Score: MEDIUM (4.0)
  • Vector: /AV:N/AC:L/Au:S/C:N/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (4.9)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N

CVE-2016-4318  

Atlassian JIRA Server before 7.1.9 has XSS in project/ViewDefaultProjectRoleActors.jspa via a role name.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv2:
  • Base Score: LOW (3.5)
  • Vector: /AV:N/AC:M/Au:S/C:N/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (4.8)
  • Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

CVE-2019-20416  

Affected versions of Atlassian Jira Server and Data Center allow remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the project configuration feature. The affected versions are before version 8.3.0.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv2:
  • Base Score: LOW (3.5)
  • Vector: /AV:N/AC:M/Au:S/C:N/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (4.8)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

CVE-2020-36234  

Affected versions of Atlassian Jira Server and Data Center allow remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability in the Screens Modal view. The affected versions are before version 8.5.11, from version 8.6.0 before 8.13.3, and from version 8.14.0 before 8.15.0.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv2:
  • Base Score: LOW (3.5)
  • Vector: /AV:N/AC:M/Au:S/C:N/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (4.8)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

CVE-2020-4025  

The attachment download resource in Atlassian Jira Server and Data Center before 8.5.5, and from 8.6.0 before 8.8.2, and from 8.9.0 before 8.9.1 allows remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability in issue attachments with an rdf content type.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv2:
  • Base Score: LOW (3.5)
  • Vector: /AV:N/AC:M/Au:S/C:N/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (4.8)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

CVE-2021-39112  

Affected versions of Atlassian Jira Server and Data Center allow remote attackers to redirect users to a malicious URL via a reverse tabnapping vulnerability in the Project Shortcuts feature. The affected versions are before version 8.5.15, from version 8.6.0 before 8.13.7, from version 8.14.0 before 8.17.1, and from version 8.18.0 before 8.18.1.
CWE-601 URL Redirection to Untrusted Site ('Open Redirect')

CVSSv2:
  • Base Score: MEDIUM (4.9)
  • Vector: /AV:N/AC:M/Au:S/C:P/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (4.8)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

CVE-2021-39117  

The AssociateFieldToScreens page in Atlassian Jira Server and Data Center before version 8.18.0 allows remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability via the name of a custom field.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv2:
  • Base Score: LOW (3.5)
  • Vector: /AV:N/AC:M/Au:S/C:N/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (4.8)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

CVE-2021-43945  

Affected versions of Atlassian Jira Server and Data Center allow remote attackers with Roadmaps Administrator permissions to inject arbitrary HTML or JavaScript via a Stored Cross-Site Scripting (SXSS) vulnerability in the /rest/jpo/1.0/hierarchyConfiguration endpoint. The affected versions are before version 8.20.3.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv2:
  • Base Score: LOW (3.5)
  • Vector: /AV:N/AC:M/Au:S/C:N/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (4.8)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

CVE-2018-13400  

Several administrative resources in Atlassian Jira before version 7.6.9, from version 7.7.0 before version 7.7.5, from version 7.8.0 before version 7.8.5, from version 7.9.0 before version 7.9.3, from version 7.10.0 before version 7.10.3, from version 7.11.0 before version 7.11.3, from version 7.12.0 before version 7.12.3, and before version 7.13.1 allow remote attackers who have obtained access to an administrator's session to access certain administrative resources without needing to re-authenticate to pass "WebSudo" through an improper access control vulnerability.
CWE-269 Improper Privilege Management

CVSSv2:
  • Base Score: MEDIUM (6.5)
  • Vector: /AV:N/AC:L/Au:S/C:P/I:P/A:P
CVSSv3:
  • Base Score: MEDIUM (4.7)
  • Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L

CVE-2017-16862  

The IncomingMailServers resource in Atlassian Jira before version 7.6.2 allows remote attackers to modify the "incoming mail" whitelist setting via a Cross-site request forgery (CSRF) vulnerability.
CWE-352 Cross-Site Request Forgery (CSRF)

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (4.3)
  • Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

CVE-2018-20826  

The inline-create rest resource in Jira before version 7.12.3 allows authenticated remote attackers to set the reporter in issues via a missing authorisation check.
CWE-285 Improper Authorization

CVSSv2:
  • Base Score: MEDIUM (4.0)
  • Vector: /AV:N/AC:L/Au:S/C:N/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (4.3)
  • Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

CVE-2019-11586  

The AddResolution.jspa resource in Jira before version 7.13.6, from version 8.0.0 before version 8.2.3, and from version 8.3.0 before version 8.3.2 allows remote attackers to create new resolutions via a Cross-site request forgery (CSRF) vulnerability.
CWE-352 Cross-Site Request Forgery (CSRF)

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (4.3)
  • Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

CVE-2019-11588  

The ViewSystemInfo class doGarbageCollection method in Jira before version 7.13.6, from version 8.0.0 before version 8.2.3, and from version 8.3.0 before version 8.3.2 allows remote attackers to trigger garbage collection via a Cross-site request forgery (CSRF) vulnerability.
CWE-352 Cross-Site Request Forgery (CSRF)

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:N/A:P
CVSSv3:
  • Base Score: MEDIUM (4.3)
  • Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L

CVE-2019-15005  

The Atlassian Troubleshooting and Support Tools plugin prior to version 1.17.2 allows an unprivileged user to initiate periodic log scans and send the results to a user-specified email address due to a missing authorization check. The email message may contain configuration information about the application that the plugin is installed into. A vulnerable version of the plugin is included with Bitbucket Server / Data Center before 6.6.0, Confluence Server / Data Center before 7.0.1, Jira Server / Data Center before 8.3.2, Crowd / Crowd Data Center before 3.6.0, Fisheye before 4.7.2, Crucible before 4.7.2, and Bamboo before 6.10.2.
CWE-862 Missing Authorization

CVSSv2:
  • Base Score: MEDIUM (4.0)
  • Vector: /AV:N/AC:L/Au:S/C:P/I:N/A:N
CVSSv3:
  • Base Score: MEDIUM (4.3)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

CVE-2019-15013  

The WorkflowResource class removeStatus method in Jira before version 7.13.12, from version 8.0.0 before version 8.4.3, and from version 8.5.0 before version 8.5.2 allows authenticated remote attackers who do not have project administration access to remove a configured issue status from a project via a missing authorisation check.
CWE-862 Missing Authorization

CVSSv2:
  • Base Score: MEDIUM (4.0)
  • Vector: /AV:N/AC:L/Au:S/C:N/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (4.3)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

CVE-2019-20106  

Comment properties in Atlassian Jira Server and Data Center before version 7.13.12, from 8.0.0 before version 8.5.4, and 8.6.0 before version 8.6.1 allow remote attackers to make comments on a ticket to which they do not have commenting permissions via a broken access control bug.
CWE-276 Incorrect Default Permissions

CVSSv2:
  • Base Score: MEDIUM (4.0)
  • Vector: /AV:N/AC:L/Au:S/C:N/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (4.3)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

CVE-2019-20411  

Affected versions of Atlassian Jira Server and Data Center allow remote attackers to modify Wallboard settings via a Cross-site request forgery (CSRF) vulnerability. The affected versions are before version 7.13.9, and from version 8.0.0 before 8.4.2.
CWE-352 Cross-Site Request Forgery (CSRF)

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (4.3)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

CVE-2019-20415  

Atlassian Jira Server and Data Center in affected versions allows remote attackers to modify logging and profiling settings via a cross-site request forgery (CSRF) vulnerability. The affected versions are before version 7.13.3, and from version 8.0.0 before 8.1.0.
CWE-352 Cross-Site Request Forgery (CSRF)

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (4.3)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

CVE-2020-14174  

Affected versions of Atlassian Jira Server and Data Center allow remote attackers to view titles of a private project via an Insecure Direct Object References (IDOR) vulnerability in the Administration Permission Helper. The affected versions are before version 7.13.6, from version 8.0.0 before 8.5.7, from version 8.6.0 before 8.9.2, and from version 8.10.0 before 8.10.1.
CWE-639 Authorization Bypass Through User-Controlled Key

CVSSv2:
  • Base Score: MEDIUM (4.0)
  • Vector: /AV:N/AC:L/Au:S/C:P/I:N/A:N
CVSSv3:
  • Base Score: MEDIUM (4.3)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

CVE-2020-14183  

Affected versions of Jira Server & Data Center allow a remote attacker with limited (non-admin) privileges to view a Jira instance's Support Entitlement Number (SEN) via an Information Disclosure vulnerability in the HTTP Response headers. The affected versions are before version 7.13.18, from version 8.0.0 before 8.5.9, and from version 8.6.0 before 8.12.1.
CWE-200 Information Exposure

CVSSv2:
  • Base Score: MEDIUM (4.0)
  • Vector: /AV:N/AC:L/Au:S/C:P/I:N/A:N
CVSSv3:
  • Base Score: MEDIUM (4.3)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

CVE-2020-29451  

Affected versions of Atlassian Jira Server and Data Center allow remote attackers to enumerate Jira projects via an Information Disclosure vulnerability in the Jira Projects plugin report page. The affected versions are before version 8.5.11, from version 8.6.0 before 8.13.3, and from version 8.14.0 before 8.14.1.
NVD-CWE-noinfo

CVSSv2:
  • Base Score: MEDIUM (4.0)
  • Vector: /AV:N/AC:L/Au:S/C:P/I:N/A:N
CVSSv3:
  • Base Score: MEDIUM (4.3)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

CVE-2020-36231  

Affected versions of Atlassian Jira Server and Data Center allow remote attackers to view the metadata of boards they should not have access to via an Insecure Direct Object References (IDOR) vulnerability. The affected versions are before version 8.5.10, and from version 8.6.0 before 8.13.2.
CWE-639 Authorization Bypass Through User-Controlled Key

CVSSv2:
  • Base Score: MEDIUM (4.0)
  • Vector: /AV:N/AC:L/Au:S/C:P/I:N/A:N
CVSSv3:
  • Base Score: MEDIUM (4.3)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

CVE-2020-4029  

The /rest/project-templates/1.0/createshared resource in Atlassian Jira Server and Data Center before version 8.5.5, from 8.6.0 before 8.7.2, and from 8.8.0 before 8.8.1 allows remote attackers to enumerate project names via an improper authorization vulnerability.
NVD-CWE-noinfo

CVSSv2:
  • Base Score: MEDIUM (4.0)
  • Vector: /AV:N/AC:L/Au:S/C:P/I:N/A:N
CVSSv3:
  • Base Score: MEDIUM (4.3)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

CVE-2021-26075  

The Jira importers plugin AttachTemporaryFile rest resource in Jira Server and Data Center before version 8.5.12, from version 8.6.0 before 8.13.4, and from version 8.14.0 before 8.15.1 allowed remote authenticated attackers to obtain the full path of the Jira application data directory via an information disclosure vulnerability in the error message when presented with an invalid filename.
NVD-CWE-noinfo

CVSSv2:
  • Base Score: MEDIUM (4.0)
  • Vector: /AV:N/AC:L/Au:S/C:P/I:N/A:N
CVSSv3:
  • Base Score: MEDIUM (4.3)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

CVE-2021-39121  

Affected versions of Atlassian Jira Server and Data Center allow authenticated remote attackers to enumerate the keys of private Jira projects via an Information Disclosure vulnerability in the /rest/api/latest/projectvalidate/key endpoint. The affected versions are before version 8.5.18, from version 8.6.0 before 8.13.10, and from version 8.14.0 before 8.18.2.
NVD-CWE-noinfo

CVSSv2:
  • Base Score: MEDIUM (4.0)
  • Vector: /AV:N/AC:L/Au:S/C:P/I:N/A:N
CVSSv3:
  • Base Score: MEDIUM (4.3)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

CVE-2021-39124  

The Cross-Site Request Forgery (CSRF) failure retry feature of Atlassian Jira Server and Data Center before version 8.16.0 allows remote attackers who are able to trick a user into retrying a request to bypass CSRF protection and replay a crafted request.
CWE-352 Cross-Site Request Forgery (CSRF)

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (4.3)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

CVE-2021-43953  

Affected versions of Atlassian Jira Server and Data Center allow unauthenticated remote attackers to toggle the Thread Contention and CPU monitoring settings via a Cross-Site Request Forgery (CSRF) vulnerability in the /secure/admin/ViewInstrumentation.jspa endpoint. The affected versions are before version 8.13.16, and from version 8.14.0 before 8.20.5.
CWE-352 Cross-Site Request Forgery (CSRF)

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:N/A:P
CVSSv3:
  • Base Score: MEDIUM (4.3)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L

References:

Vulnerable Software & Versions:

CVE-2018-13404  

The VerifyPopServerConnection resource in Atlassian Jira before version 7.6.10, from version 7.7.0 before version 7.7.5, from version 7.8.0 before version 7.8.5, from version 7.9.0 before version 7.9.3, from version 7.10.0 before version 7.10.3, from version 7.11.0 before version 7.11.3, from version 7.12.0 before version 7.12.3, and from version 7.13.0 before version 7.13.1 allows remote attackers who have administrator rights to determine the existence of internal hosts & open ports and in some cases obtain service information from internal network resources via a Server Side Request Forgery (SSRF) vulnerability.
CWE-918 Server-Side Request Forgery (SSRF)

CVSSv2:
  • Base Score: MEDIUM (4.0)
  • Vector: /AV:N/AC:L/Au:S/C:P/I:N/A:N
CVSSv3:
  • Base Score: MEDIUM (4.1)
  • Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:N

References:

Vulnerable Software & Versions:

CVE-2021-26076  

The jira.editor.user.mode cookie set by the Jira Editor Plugin in Jira Server and Data Center before version 8.5.12, from version 8.6.0 before version 8.13.4, and from version 8.14.0 before version 8.15.0 allows remote anonymous attackers who can perform an attacker in the middle attack to learn which mode a user is editing in due to the cookie not being set with a secure attribute if Jira was configured to use https.
NVD-CWE-noinfo

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:P/I:N/A:N
CVSSv3:
  • Base Score: LOW (3.7)
  • Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

References:

Vulnerable Software & Versions:

CVE-2021-26071  

The SetFeatureEnabled.jspa resource in Jira Server and Data Center before version 8.5.13, from version 8.6.0 before version 8.13.5, and from version 8.14.0 before version 8.15.1 allows remote anonymous attackers to enable and disable Jira Software configuration via a cross-site request forgery (CSRF) vulnerability.
CWE-352 Cross-Site Request Forgery (CSRF)

CVSSv2:
  • Base Score: LOW (3.5)
  • Vector: /AV:N/AC:M/Au:S/C:N/I:P/A:N
CVSSv3:
  • Base Score: LOW (3.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N

References:

Vulnerable Software & Versions:

jna-5.6.0.jar

Description:

Java Native Access

License:

LGPL, version 2.1: http://www.gnu.org/licenses/licenses.html
Apache License v2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/andrii/.m2/repository/net/java/dev/jna/jna/5.6.0/jna-5.6.0.jar
MD5: 56892d6f4d27019833fd53b7cc57ec86
SHA1: 330f2244e9030119ab3030fc3fededc86713d9cc
SHA256:5557e235a8aa2f9766d5dc609d67948f2a8832c2d796cea9ef1d6cbe0b3b7eaf
Referenced In Project/Scope:space-comments:provided

Identifiers

jna-5.6.0.jar: jnidispatch.dll

File Path: /home/andrii/.m2/repository/net/java/dev/jna/jna/5.6.0/jna-5.6.0.jar/com/sun/jna/win32-x86-64/jnidispatch.dll
MD5: e02979ecd43bcc9061eb2b494ab5af50
SHA1: 3122ac0e751660f646c73b10c4f79685aa65c545
SHA256:a66959bec2ef5af730198db9f3b3f7cab0d4ae70ce01bec02bf1d738e6d1ee7a
Referenced In Project/Scope:space-comments:provided

Identifiers

  • None

jna-5.6.0.jar: jnidispatch.dll

File Path: /home/andrii/.m2/repository/net/java/dev/jna/jna/5.6.0/jna-5.6.0.jar/com/sun/jna/win32-x86/jnidispatch.dll
MD5: 28d895a3cb7e9a0b6a5ae5ed6a62b254
SHA1: 703d8604a8d04d29c52c0ebcde1e86f3bc8ff824
SHA256:04c9a8ab43d1eb616b84d0686c8ae1d881ef03fe4f3aa26511e5b19d35ef16af
Referenced In Project/Scope:space-comments:provided

Identifiers

  • None

jna-platform-5.6.0.jar

Description:

Java Native Access Platform

License:

LGPL, version 2.1: http://www.gnu.org/licenses/licenses.html
Apache License v2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/andrii/.m2/repository/net/java/dev/jna/jna-platform/5.6.0/jna-platform-5.6.0.jar
MD5: 3c345206c4f2243e5d1d7caceb9243cd
SHA1: d18424ffb8bbfd036d71bcaab9b546858f2ef986
SHA256:9ecea8bf2b1b39963939d18b70464eef60c508fed8820f9dcaba0c35518eabf7
Referenced In Project/Scope:space-comments:provided

Identifiers

joda-time-2.10.9.jar

Description:

Date and time library to replace JDK date handling

License:

Apache License, Version 2.0: https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/andrii/.m2/repository/joda-time/joda-time/2.10.9/joda-time-2.10.9.jar
MD5: f5a8839f853ba5ba8c7637f4d092afe4
SHA1: 2227c292c0ee4f57205dbdc65fd57a94694050ec
SHA256:b36dd8c325b7afa19e92cf5879a9fe6780bad42fdc18f67c93cafe1fcf6375ae
Referenced In Project/Scope:space-comments:compile

Identifiers

jose4j-0.4.2.jar

Description:

The jose.4.j library is a robust and easy to use open source implementation of JSON Web Token (JWT) and the JOSE specification suite (JWS, JWE, and JWK).
It is written in Java and relies solely on the JCA APIs for cryptography.
Please see https://bitbucket.org/b_c/jose4j/wiki/Home for more info, examples, etc.

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/andrii/.m2/repository/org/bitbucket/b_c/jose4j/0.4.2/jose4j-0.4.2.jar
MD5: 552e25826e1ef81643908c3e7258cb64
SHA1: 8bdb6e177b782c955f3e0c1cab413340a9bd7eeb
SHA256:f81622e546fe76fe689f2a18fa872e7f554d5d37a305e614b5717c15f9bf53ad
Referenced In Project/Scope:space-comments:provided

Identifiers

json-smart-1.3.1.jar

Description:

JSON (JavaScript Object Notation) is a lightweight data-interchange format. It is easy for humans to read and write. It is easy for machines to parse and generate. It is based on a subset of the JavaScript Programming Language, Standard ECMA-262 3rd Edition - December 1999. JSON is a text format that is completely language independent but uses conventions that are familiar to programmers of the C-family of languages, including C, C++, C#, Java, JavaScript, Perl, Python, and many others. These properties make JSON an ideal data-interchange language.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/andrii/.m2/repository/net/minidev/json-smart/1.3.1/json-smart-1.3.1.jar
MD5: b4f09b247c03cc2d091502d5b1db1f7f
SHA1: 69b3835e96d282ec85fc2e1517b8164c45ed639e
SHA256:ac3689112788e042088755e63ecd1f689adfeb04d7fb1cfd244513f94f82522c
Referenced In Project/Scope:space-comments:provided

Identifiers

  • pkg:maven/net.minidev/json-smart@1.3.1  (Confidence:High)
  • cpe:2.3:a:ini-parser_project:ini-parser:1.3.1:*:*:*:*:*:*:*  (Confidence:Low)  
  • cpe:2.3:a:json-smart_project:json-smart-v1:1.3.1:*:*:*:*:*:*:*  (Confidence:Low)  

CVE-2021-27568  

An issue was discovered in netplex json-smart-v1 through 2015-10-23 and json-smart-v2 through 2.4. An exception is thrown from a function, but it is not caught, as demonstrated by NumberFormatException. When it is not caught, it may cause programs using the library to crash or expose sensitive information.
CWE-754 Improper Check for Unusual or Exceptional Conditions

CVSSv2:
  • Base Score: MEDIUM (6.4)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:P
CVSSv3:
  • Base Score: CRITICAL (9.1)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H

References:

Vulnerable Software & Versions:

CVE-2021-31684  

A vulnerability was discovered in the indexOf function of JSONParserByteArray in JSON Smart versions 1.3 and 2.4 which causes a denial of service (DOS) via a crafted web request.
CWE-787 Out-of-bounds Write

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:P
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References:

Vulnerable Software & Versions:

jsoup-1.8.3.jar

Description:

jsoup HTML parser

License:

The MIT License: http://jsoup.org/license
File Path: /home/andrii/.m2/repository/org/jsoup/jsoup/1.8.3/jsoup-1.8.3.jar
MD5: 80adb5b301ed840a4b6db97abc02a8b0
SHA1: 65fd012581ded67bc20945d85c32b4598c3a9cf1
SHA256:abeaf34795a4de70f72aed6de5966d2955ec7eb348eeb813324f23c999575473
Referenced In Project/Scope:space-comments:compile

Identifiers

CVE-2021-37714  

jsoup is a Java library for working with HTML. Those using jsoup versions prior to 1.14.2 to parse untrusted HTML or XML may be vulnerable to DOS attacks. If the parser is run on user supplied input, an attacker may supply content that causes the parser to get stuck (loop indefinitely until cancelled), to complete more slowly than usual, or to throw an unexpected exception. This effect may support a denial of service attack. The issue is patched in version 1.14.2. There are a few available workarounds. Users may rate limit input parsing, limit the size of inputs based on system resources, and/or implement thread watchdogs to cap and timeout parse runtimes.
CWE-248 Uncaught Exception, CWE-835 Loop with Unreachable Exit Condition ('Infinite Loop')

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:P
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References:

Vulnerable Software & Versions:

CVE-2022-36033  

jsoup is a Java HTML parser, built for HTML editing, cleaning, scraping, and cross-site scripting (XSS) safety. jsoup may incorrectly sanitize HTML including `javascript:` URL expressions, which could allow XSS attacks when a reader subsequently clicks that link. If the non-default `SafeList.preserveRelativeLinks` option is enabled, HTML including `javascript:` URLs that have been crafted with control characters will not be sanitized. If the site that this HTML is published on does not set a Content Security Policy, an XSS attack is then possible. This issue is patched in jsoup 1.15.3. Users should upgrade to this version. Additionally, as the unsanitized input may have been persisted, old content should be cleaned again using the updated version. To remediate this issue without immediately upgrading: - disable `SafeList.preserveRelativeLinks`, which will rewrite input URLs as absolute URLs - ensure an appropriate [Content Security Policy](https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP) is defined. (This should be used regardless of upgrading, as a defence-in-depth best practice.)
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'), CWE-87 Improper Neutralization of Alternate XSS Syntax

CVSSv3:
  • Base Score: MEDIUM (6.1)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

References:

Vulnerable Software & Versions:

jsr305-3.0.2.jar

Description:

JSR305 Annotations for Findbugs

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/andrii/.m2/repository/com/google/code/findbugs/jsr305/3.0.2/jsr305-3.0.2.jar
MD5: dd83accb899363c32b07d7a1b2e4ce40
SHA1: 25ea2e8b0c338a877313bd4672d3fe056ea78f0d
SHA256:766ad2a0783f2687962c8ad74ceecc38a28b9f72a2d085ee438b7813e928d0c7
Referenced In Project/Scope:space-comments:compile

Identifiers

jsr311-api-1.1.1.jar

License:

CDDL License: http://www.opensource.org/licenses/cddl1.php
File Path: /home/andrii/.m2/repository/javax/ws/rs/jsr311-api/1.1.1/jsr311-api-1.1.1.jar
MD5: c9803468299ec255c047a280ddec510f
SHA1: 59033da2a1afd56af1ac576750a8d0b1830d59e6
SHA256:ab1534b73b5fa055808e6598a5e73b599ccda28c3159c3c0908977809422ee4a
Referenced In Project/Scope:space-comments:provided

Identifiers

jstyleparser-1.16-atlassian-1.jar

Description:

jStyleParser is a CSS parser written in Java. It has its own application interface that is designed to allow an efficient CSS processing in Java and mapping the values to the Java data types. It parses CSS 2.1 style sheets into structures that can be efficiently assigned to DOM elements. It is intended to be the primary CSS parser for the CSSBox library. While handling errors, it is user agent conforming according to the CSS specification.

License:

GNU Lesser General Public License 3.0: http://www.gnu.org/licenses/lgpl-3.0.txt
File Path: /home/andrii/.m2/repository/net/sf/cssbox/jstyleparser/1.16-atlassian-1/jstyleparser-1.16-atlassian-1.jar
MD5: 1f49d4c825b32ac75c401994e1710864
SHA1: 8c7f7afa8282801cfd00619ca19d090b6f8ab338
SHA256:70056e30b51fab433ab98bb6fe0271e784d540cb1b8446c9e78d9a0336810297
Referenced In Project/Scope:space-comments:provided

Identifiers

jtds-1.3.1.jar

Description:

jTDS is an open source 100% pure Java (type 4) JDBC 3.0 driver for Microsoft SQL Server (6.5, 7, 2000, 2005, 2008, 2012) and Sybase ASE (10, 11, 12, 15). jTDS is based on FreeTDS and is currently the fastest production-ready JDBC driver for SQL Server and Sybase. jTDS is 100% JDBC 3.0 compatible, supporting forward-only and scrollable/updateable ResultSets and implementing all the DatabaseMetaData and ResultSetMetaData methods.

License:

LGPL: http://www.gnu.org/copyleft/lesser.html
File Path: /home/andrii/.m2/repository/net/sourceforge/jtds/jtds/1.3.1/jtds-1.3.1.jar
MD5: a0fe47907babf3bdb555e0b6f9dedd24
SHA1: 1527f2fc2f040898625370a1687d902aa0743bcc
SHA256:aac05ebf5504c91b29420129b02dd878a86c52f8fa6eccf9235e0bfd7a60bef1
Referenced In Project/Scope:space-comments:provided

Identifiers

jtidy-r8-20060801.jar

Description:

JTidy is a Java port of HTML Tidy, a HTML syntax checker and pretty printer. Like its non-Java cousin, JTidy can be used as a tool for cleaning up malformed and faulty HTML. In addition, JTidy provides a DOM interface to the document that is being processed, which effectively makes you able to use JTidy as a DOM parser for real-world HTML.

License:

Java HTML Tidy License: http://svn.sourceforge.net/viewvc/*checkout*/jtidy/trunk/jtidy/LICENSE.txt?revision=95
File Path: /home/andrii/.m2/repository/org/hibernate/jtidy/r8-20060801/jtidy-r8-20060801.jar
MD5: 3c0739c6778e4d3a53e2348b3147c727
SHA1: 788e89775eeaa0f4e77742ec8336c75b7cff6146
SHA256:35ed23ae123627f91e200e2efbf7964749b72d514225ab954e34d5cbfb2bc9c2
Referenced In Project/Scope:space-comments:provided

Identifiers

jul-to-slf4j-1.7.25.jar

Description:

JUL to SLF4J bridge

File Path: /home/andrii/.m2/repository/org/slf4j/jul-to-slf4j/1.7.25/jul-to-slf4j-1.7.25.jar
MD5: ab28124cb05fec600f2ffe37b94629e0
SHA1: 0af5364cd6679bfffb114f0dec8a157aaa283b76
SHA256:416c5a0c145ad19526e108d44b6bf77b75412d47982cce6ce8d43abdbdbb0fac
Referenced In Project/Scope:space-comments:provided

Identifiers

lang-tag-1.4.4.jar

Description:

Java implementation of "Tags for Identifying Languages" (RFC 5646).

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/andrii/.m2/repository/com/nimbusds/lang-tag/1.4.4/lang-tag-1.4.4.jar
MD5: 4eac3f24cee18edaae2cdd8b87f25b73
SHA1: 1db9a709239ae473a69b5424c7e78d0b7108229d
SHA256:e49d2c694bb80c7036c177f2aabf53b7156061a68bd19dfd60e2bd370709e0c5
Referenced In Project/Scope:space-comments:provided

Identifiers

libthrift-0.9.0.jar

Description:

Thrift is a software framework for scalable cross-language services development.

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/andrii/.m2/repository/org/apache/thrift/libthrift/0.9.0/libthrift-0.9.0.jar
MD5: c47774349b7b58c1ac957f5591c192ba
SHA1: 9ba8df332b5db95ce7f3b7a83e44d796c3d014d3
SHA256:f94e32da1aff791566002345f3913fce7d1f68e4019719d515f8dcaa1364f97d
Referenced In Project/Scope:space-comments:provided

Identifiers

CVE-2016-5397  

The Apache Thrift Go client library exposed the potential during code generation for command injection due to using an external formatting tool. Affected Apache Thrift 0.9.3 and older, Fixed in Apache Thrift 0.10.0.
CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')

CVSSv2:
  • Base Score: HIGH (9.0)
  • Vector: /AV:N/AC:L/Au:S/C:C/I:C/A:C
CVSSv3:
  • Base Score: HIGH (8.8)
  • Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions:

CVE-2018-1320  

Apache Thrift Java client library versions 0.5.0 through 0.11.0 can bypass SASL negotiation isComplete validation in the org.apache.thrift.transport.TSaslTransport class. An assert used to determine if the SASL handshake had successfully completed could be disabled in production settings making the validation incomplete.
CWE-295 Improper Certificate Validation

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

References:

Vulnerable Software & Versions:

CVE-2019-0205  

In Apache Thrift all versions up to and including 0.12.0, a server or client may run into an endless loop when fed with specific input data. Because the issue had already been partially fixed in version 0.11.0, depending on the installed version it affects only certain language bindings.
CWE-835 Loop with Unreachable Exit Condition ('Infinite Loop')

CVSSv2:
  • Base Score: HIGH (7.8)
  • Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:C
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References:

Vulnerable Software & Versions:

CVE-2015-3254  

The client libraries in Apache Thrift before 0.9.3 might allow remote authenticated users to cause a denial of service (infinite recursion) via vectors involving the skip function.
CWE-20 Improper Input Validation

CVSSv2:
  • Base Score: MEDIUM (4.0)
  • Vector: /AV:N/AC:L/Au:S/C:N/I:N/A:P
CVSSv3:
  • Base Score: MEDIUM (6.5)
  • Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

References:

Vulnerable Software & Versions:

licensing-api-2.21.4.jar

File Path: /home/andrii/.m2/repository/com/atlassian/upm/licensing-api/2.21.4/licensing-api-2.21.4.jar
MD5: 5d1615367d83fb8a53f47ca81ea072a8
SHA1: 1063b85c0bbebd567d9753da64c37a875c26f321
SHA256:c44160ac62cc0e180d05b78ea5a8508605b29677840d5a0ce8f85eb337068541
Referenced In Project/Scope:space-comments:provided

Identifiers

CVE-2018-20233  

The Upload add-on resource in Atlassian Universal Plugin Manager before version 2.22.14 allows remote attackers who have system administrator privileges to read files, make network requests and perform a denial of service attack via an XML External Entity vulnerability in the parsing of atlassian plugin xml files in an uploaded JAR.
CWE-611 Improper Restriction of XML External Entity Reference ('XXE')

CVSSv2:
  • Base Score: MEDIUM (5.5)
  • Vector: /AV:N/AC:L/Au:S/C:P/I:N/A:P
CVSSv3:
  • Base Score: MEDIUM (6.5)
  • Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:H

References:

Vulnerable Software & Versions:

CVE-2018-5229  

The NotificationRepresentationFactoryImpl class in Atlassian Universal Plugin Manager before version 2.22.9 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the name of user submitted add-on names.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv2:
  • Base Score: LOW (3.5)
  • Vector: /AV:N/AC:M/Au:S/C:N/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (5.4)
  • Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

References:

Vulnerable Software & Versions:

CVE-2019-14999  

The Uninstall REST endpoint in Atlassian Universal Plugin Manager before version 2.22.19, from version 3.0.0 before version 3.0.3 and from version 4.0.0 before version 4.0.3 allows remote attackers to uninstall plugins using a Cross-Site Request Forgery (CSRF) vulnerability on an authenticated administrator.
CWE-352 Cross-Site Request Forgery (CSRF)

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (4.3)
  • Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

References:

Vulnerable Software & Versions:

log4j-1.2-api-2.13.3.jar

Description:

The Apache Log4j 1.x Compatibility API

License:

https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/andrii/.m2/repository/org/apache/logging/log4j/log4j-1.2-api/2.13.3/log4j-1.2-api-2.13.3.jar
MD5: b7ef2435eee943221f4539b506af1854
SHA1: 6060aef755239b82bbc84bd92eb80ff9f4e48dd7
SHA256:86cc75ae4b9f7c643412dda3bc2de05af6dfa760b80ab7ba96dc4ce505f8a05b
Referenced In Project/Scope:space-comments:provided

Identifiers

CVE-2021-44228  

Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0 (along with 2.12.2, 2.12.3, and 2.3.1), this functionality has been completely removed. Note that this vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects.
CWE-917 Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')

CVSSv2:
  • Base Score: HIGH (9.3)
  • Vector: /AV:N/AC:M/Au:N/C:C/I:C/A:C
CVSSv3:
  • Base Score: CRITICAL (10.0)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

References:

Vulnerable Software & Versions:

CVE-2021-45046  

It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. This could allow attackers with control over Thread Context Map (MDC) input data when the logging configuration uses a non-default Pattern Layout with either a Context Lookup (for example, $${ctx:loginId}) or a Thread Context Map pattern (%X, %mdc, or %MDC) to craft malicious input data using a JNDI Lookup pattern resulting in an information leak and remote code execution in some environments and local code execution in all environments. Log4j 2.16.0 (Java 8) and 2.12.2 (Java 7) fix this issue by removing support for message lookup patterns and disabling JNDI functionality by default.
CWE-502 Deserialization of Untrusted Data

CVSSv2:
  • Base Score: MEDIUM (5.1)
  • Vector: /AV:N/AC:H/Au:N/C:P/I:P/A:P
CVSSv3:
  • Base Score: CRITICAL (9.0)
  • Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

References:

Vulnerable Software & Versions:

CVE-2021-44832  

Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) are vulnerable to a remote code execution (RCE) attack when a configuration uses a JDBC Appender with a JNDI LDAP data source URI when an attacker has control of the target LDAP server. This issue is fixed by limiting JNDI data source names to the java protocol in Log4j2 versions 2.17.1, 2.12.4, and 2.3.2.
CWE-20 Improper Input Validation

CVSSv2:
  • Base Score: HIGH (8.5)
  • Vector: /AV:N/AC:M/Au:S/C:C/I:C/A:C
CVSSv3:
  • Base Score: MEDIUM (6.6)
  • Vector: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions:

CVE-2021-45105  

Apache Log4j2 versions 2.0-alpha1 through 2.16.0 (excluding 2.12.3 and 2.3.1) did not protect from uncontrolled recursion from self-referential lookups. This allows an attacker with control over Thread Context Map data to cause a denial of service when a crafted string is interpreted. This issue was fixed in Log4j 2.17.0, 2.12.3, and 2.3.1.
CWE-20 Improper Input Validation, CWE-674 Uncontrolled Recursion

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:N/A:P
CVSSv3:
  • Base Score: MEDIUM (5.9)
  • Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

References:

Vulnerable Software & Versions:

log4j-1.2.7.jar

File Path: /home/andrii/.m2/repository/log4j/log4j/1.2.7/log4j-1.2.7.jar
MD5: 8631619c6becebaac70862ac9c36af44
SHA1: 5b8a2a161048eb7481407ef0a81c2d90489ed412
SHA256:aa04b7d49d0c4c3c2d4605a3dda1796c440a1fdf1ea99d6fe2931ca3986dfd35
Referenced In Project/Scope:space-comments:provided

Identifiers

CVE-2019-17571  

Included in Log4j 1.2 is a SocketServer class that is vulnerable to deserialization of untrusted data which can be exploited to remotely execute arbitrary code when combined with a deserialization gadget when listening to untrusted network traffic for log data. This affects Log4j versions up to 1.2 up to 1.2.17.
CWE-502 Deserialization of Untrusted Data

CVSSv2:
  • Base Score: HIGH (7.5)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions:

CVE-2020-9493  

A deserialization flaw was found in Apache Chainsaw versions prior to 2.1.0 which could lead to malicious code execution.
CWE-502 Deserialization of Untrusted Data

CVSSv2:
  • Base Score: MEDIUM (6.8)
  • Vector: /AV:N/AC:M/Au:N/C:P/I:P/A:P
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions:

CVE-2022-23305  

By design, the JDBCAppender in Log4j 1.2.x accepts an SQL statement as a configuration parameter where the values to be inserted are converters from PatternLayout. The message converter, %m, is likely to always be included. This allows attackers to manipulate the SQL by entering crafted strings into input fields or headers of an application that are logged allowing unintended SQL queries to be executed. Note this issue only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default. Beginning in version 2.0-beta8, the JDBCAppender was re-introduced with proper support for parameterized SQL queries and further customization over the columns written to in logs. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.
CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVSSv2:
  • Base Score: MEDIUM (6.8)
  • Vector: /AV:N/AC:M/Au:N/C:P/I:P/A:P
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions:

CVE-2022-23302  

JMSSink in all versions of Log4j 1.x is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration or if the configuration references an LDAP service the attacker has access to. The attacker can provide a TopicConnectionFactoryBindingName configuration causing JMSSink to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-4104. Note this issue only affects Log4j 1.x when specifically configured to use JMSSink, which is not the default. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.
CWE-502 Deserialization of Untrusted Data

CVSSv2:
  • Base Score: MEDIUM (6.0)
  • Vector: /AV:N/AC:M/Au:S/C:P/I:P/A:P
CVSSv3:
  • Base Score: HIGH (8.8)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions:

CVE-2022-23307  

CVE-2020-9493 identified a deserialization issue that was present in Apache Chainsaw. Prior to Chainsaw V2.0 Chainsaw was a component of Apache Log4j 1.2.x where the same issue exists.
CWE-502 Deserialization of Untrusted Data

CVSSv2:
  • Base Score: HIGH (9.0)
  • Vector: /AV:N/AC:L/Au:S/C:C/I:C/A:C
CVSSv3:
  • Base Score: HIGH (8.8)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions:

CVE-2021-4104 (OSSINDEX)  

JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration. The attacker can provide TopicBindingName and TopicConnectionFactoryBindingName configurations causing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228. Note this issue only affects Log4j 1.2 when specifically configured to use JMSAppender, which is not the default. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.
CWE-502 Deserialization of Untrusted Data

CVSSv2:
  • Base Score: HIGH (7.5)
  • Vector: /AV:N/AC:H/Au:/C:H/I:H/A:H

References:

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:log4j:log4j:1.2.7:*:*:*:*:*:*:*

log4j-api-2.13.3.jar

Description:

The Apache Log4j API

License:

https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/andrii/.m2/repository/org/apache/logging/log4j/log4j-api/2.13.3/log4j-api-2.13.3.jar
MD5: 236b9969df6b394e88283a9f813b9b95
SHA1: ec1508160b93d274b1add34419b897bae84c6ca9
SHA256:2b4b1965c9dce7f3732a0fbf5c8493199c1e6bf8cf65c3e235b57d98da5f36af
Referenced In Project/Scope:space-comments:provided

Identifiers

lozenge.js

File Path: /home/andrii/IdeaProjects/confluence-comments-server/src/main/resources/js/build/_snowpack/pkg/@atlaskit/lozenge.js
MD5: 5b301fcc9786b05d42ed79fe10d4e8e9
SHA1: f0d9957f52d6d32222f35a714491a5f5a4b77985
SHA256:5d74e303c271e1c50ecd7e729becb736f957686efecc7a91de2a61c91b77321e
Referenced In Project/Scope:space-comments

Identifiers

  • None

lucene-analyzers-common-4.4.0-atlassian-4.jar

Description:

Additional Analyzers

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/andrii/.m2/repository/org/apache/lucene/lucene-analyzers-common/4.4.0-atlassian-4/lucene-analyzers-common-4.4.0-atlassian-4.jar
MD5: 9facfb5520ff5d48976a78a1fd3b8904
SHA1: 629204cbcbd80281b82fa3407c51fe0eb5e72979
SHA256:8045e575e408163ad253033ad71daf0c3d362d256abf0e4a0e40d222603236f4
Referenced In Project/Scope:space-comments:compile

Identifiers

lucene-analyzers-kuromoji-4.4.0-atlassian-4.jar

Description:

Lucene Kuromoji Japanese Morphological Analyzer

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/andrii/.m2/repository/org/apache/lucene/lucene-analyzers-kuromoji/4.4.0-atlassian-4/lucene-analyzers-kuromoji-4.4.0-atlassian-4.jar
MD5: a7fc5d4797c3994853a8f13a33d0d50d
SHA1: 2cceb3f27d02e49a769e90fa003b1c425d3c2199
SHA256:a9ec93473b7f72e27cd4f8bf89db10fce6732fcb9f58380ac52da0d809db2d91
Referenced In Project/Scope:space-comments:provided

Identifiers

lucene-analyzers-stempel-4.4.0-atlassian-4.jar

Description:

Stempel Analyzer

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/andrii/.m2/repository/org/apache/lucene/lucene-analyzers-stempel/4.4.0-atlassian-4/lucene-analyzers-stempel-4.4.0-atlassian-4.jar
MD5: 64ad16fc5b57b0ad02a35b3ec2fbbef6
SHA1: e91258abf9416608c2ad96dcaf34f03944605e13
SHA256:8383f6649a7561acaa8ddf162a1ce155968e9303fa6a23d5a0b6d70d514125ee
Referenced In Project/Scope:space-comments:provided

Identifiers

lucene-core-4.4.0-atlassian-4.jar

Description:

Apache Lucene Java Core

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/andrii/.m2/repository/org/apache/lucene/lucene-core/4.4.0-atlassian-4/lucene-core-4.4.0-atlassian-4.jar
MD5: da5424f9177346bb36be35532e76f134
SHA1: 14a15eaa24c1b29db1e7d61c93e84ba96d6c3415
SHA256:1bda1c523f4cc3466baa5bad4b3094c1c8002e9448fed866df36ca07b98bdb86
Referenced In Project/Scope:space-comments:compile

Identifiers

lucene-highlighter-4.4.0-atlassian-4.jar

Description:

This is the highlighter for apache lucene java

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/andrii/.m2/repository/org/apache/lucene/lucene-highlighter/4.4.0-atlassian-4/lucene-highlighter-4.4.0-atlassian-4.jar
MD5: 4fce411e57a5dfcbc4a19225d370aaca
SHA1: 7252546dea8644a2737a26c680a75e1aceb1ff61
SHA256:d4eb6785504c023817a6239aef88d851900f01a534a0e8e41735dce3dd9809e7
Referenced In Project/Scope:space-comments:provided

Identifiers

lucene-memory-4.4.0-atlassian-4.jar

Description:

High-performance single-document index to compare against Query

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/andrii/.m2/repository/org/apache/lucene/lucene-memory/4.4.0-atlassian-4/lucene-memory-4.4.0-atlassian-4.jar
MD5: 982928883d9c995649d4c7b6cc3822a3
SHA1: ee0f3d640b7219c322db1b8acb4a20d08b29e593
SHA256:293d2c9e23694a16f490858de6315d70258d128ef4cfebf192f8bbc459f2c91d
Referenced In Project/Scope:space-comments:provided

Identifiers

lucene-misc-4.4.0-atlassian-4.jar

Description:

Miscellaneous Lucene extensions

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/andrii/.m2/repository/org/apache/lucene/lucene-misc/4.4.0-atlassian-4/lucene-misc-4.4.0-atlassian-4.jar
MD5: 8ebadb813f3dd150f983b9cbe1f20bf5
SHA1: fa59e15d1db74bc5341280d3e1654a8631f1fda2
SHA256:dcab33a9fe71a2e64349299ee7c01eed6c727e698b1c13a5e61908dd48d07964
Referenced In Project/Scope:space-comments:provided

Identifiers

lucene-queries-4.4.0-atlassian-4.jar

Description:

Lucene Queries Module

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/andrii/.m2/repository/org/apache/lucene/lucene-queries/4.4.0-atlassian-4/lucene-queries-4.4.0-atlassian-4.jar
MD5: 9a97168a0bdcf47dfb5b5820568bec46
SHA1: eab4d3870874b93ed9457c7b8d26322fe8acd1c7
SHA256:50447ccd4c5c389ef942351a1873858725cc3114cef5cd5fa55a390f8b5da559
Referenced In Project/Scope:space-comments:compile

Identifiers

lucene-queryparser-4.4.0-atlassian-4.jar

Description:

Lucene QueryParsers module

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/andrii/.m2/repository/org/apache/lucene/lucene-queryparser/4.4.0-atlassian-4/lucene-queryparser-4.4.0-atlassian-4.jar
MD5: 58d9adbabedaee8c29ba51e177b6d9dc
SHA1: b99af1ebe794c199abcb1759dc210473ba2e2809
SHA256:4ae4897d25d3edc4be8df252581be44abc285b2b53164070ce73f8aad4c1fa95
Referenced In Project/Scope:space-comments:compile

Identifiers

lucene-sandbox-4.4.0-atlassian-4.jar

Description:

Lucene Sandbox

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/andrii/.m2/repository/org/apache/lucene/lucene-sandbox/4.4.0-atlassian-4/lucene-sandbox-4.4.0-atlassian-4.jar
MD5: db61c75fd04a96a8ed6e5b9a2de8dab7
SHA1: 3eaa2be6fa5e82677a6f2e47915be316a9f64092
SHA256:ab7ac9e01f577e440756e5ce561a95add6d0926baee846a3111a99c640f297b9
Referenced In Project/Scope:space-comments:compile

Identifiers

lucene-upgrader-1.0-lucene36.jar

File Path: /home/andrii/.m2/repository/com/atlassian/bonnie/lucene-upgrader/1.0/lucene-upgrader-1.0-lucene36.jar
MD5: bce5a43415951f91db0504878262506c
SHA1: df318e96879f0d3f4e408557ab30f2c0ef21205c
SHA256:9fddbf4ec9867acf7573df836e99275d639dc0b2425bee6cf94835508a539c0c
Referenced In Project/Scope:space-comments:provided

Identifiers

management-api-3.0.0-b012.jar

Description:

GlassFish Common APIs

License:

CDDL+GPL: https://glassfish.dev.java.net/public/CDDL+GPL.html
File Path: /home/andrii/.m2/repository/org/glassfish/external/management-api/3.0.0-b012/management-api-3.0.0-b012.jar
MD5: 428636427bb6d92484320a9565f67394
SHA1: 707686d845faede060b79bdf018a25a469a611b4
SHA256:e114d4f4cf4261ab76d144c49d6ee1d75ddcfbb7c195260d1a782ebe0c34cb87
Referenced In Project/Scope:space-comments:provided

Identifiers

maven-aether-provider-3.0.jar

Description:

This module provides extensions to Aether for utilizing the Maven POM and Maven metadata.

File Path: /home/andrii/.m2/repository/org/apache/maven/maven-aether-provider/3.0/maven-aether-provider-3.0.jar
MD5: 859740166efa8857d7a598b05249ac24
SHA1: 419f5eb63cf743a1a0f2a80ea5dde37fd1a4fec0
SHA256:1205a1f229999170dcadcfb885a278ad0bc2295540a251f4c438f887ead7bbd9
Referenced In Project/Scope:space-comments:runtime

Identifiers

maven-artifact-3.0.jar

File Path: /home/andrii/.m2/repository/org/apache/maven/maven-artifact/3.0/maven-artifact-3.0.jar
MD5: 43e506190356b85edccfdc7db1f630d8
SHA1: c29cfa43ce2ba09975a07c40d7241655d7c2fa29
SHA256:759079b9cf0cddae5ba06c96fd72347d82d0bc1d903c95d398c96522b139e470
Referenced In Project/Scope:space-comments:compile

Identifiers

maven-artifact-transfer-0.13.1.jar

Description:

An API to install, deploy and resolving artifacts with Maven 3

File Path: /home/andrii/.m2/repository/org/apache/maven/shared/maven-artifact-transfer/0.13.1/maven-artifact-transfer-0.13.1.jar
MD5: 5a73136d65cfc2dd8af0fd365dbda4fb
SHA1: 9f6d2088ae64dd926b8ec445afdb7e148eb08060
SHA256:1ac88accde99ed71e65253bd130868c0e654f940f01ade073b895eb2f817cf06
Referenced In Project/Scope:space-comments:compile

Identifiers

maven-common-artifact-filters-3.1.0.jar

Description:

A collection of ready-made filters to control inclusion/exclusion of artifacts during dependency resolution.

File Path: /home/andrii/.m2/repository/org/apache/maven/shared/maven-common-artifact-filters/3.1.0/maven-common-artifact-filters-3.1.0.jar
MD5: fcd2e81ecc9836ba892333a299a9cd2e
SHA1: 7d1eda9af6db77618766f31cb1971baed2ca3fa3
SHA256:82a584c58bd6a1b13861e2d4cc194b5afc09ca0adad9fda741f16337dcda2e96
Referenced In Project/Scope:space-comments:compile

Identifiers

maven-core-3.0.jar

File Path: /home/andrii/.m2/repository/org/apache/maven/maven-core/3.0/maven-core-3.0.jar
MD5: 9bd377874764a4fad7209021abfe7cf7
SHA1: 73728ce32c9016c8bd05584301fa3ba3a6f5d20a
SHA256:ba03294ee53e7ba31838e4950f280d033c7744c6c7b31253afc75aa351fbd989
Referenced In Project/Scope:space-comments:compile

Identifiers

CVE-2021-26291  

Apache Maven will follow repositories that are defined in a dependency’s Project Object Model (pom) which may be surprising to some users, resulting in potential risk if a malicious actor takes over that repository or is able to insert themselves into a position to pretend to be that repository. Maven is changing the default behavior in 3.8.1+ to no longer follow http (non-SSL) repository references by default. More details available in the referenced urls. If you are currently using a repository manager to govern the repositories used by your builds, you are unaffected by the risks present in the legacy behavior, and are unaffected by this vulnerability and change to default behavior. See this link for more information about repository management: https://maven.apache.org/repository-management.html
CWE-346 Origin Validation Error

CVSSv2:
  • Base Score: MEDIUM (6.4)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:N
CVSSv3:
  • Base Score: CRITICAL (9.1)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

References:

Vulnerable Software & Versions:

maven-dependency-tree-3.2.0.jar

Description:

A tree-based API for resolution of Maven project dependencies

File Path: /home/andrii/.m2/repository/org/apache/maven/shared/maven-dependency-tree/3.2.0/maven-dependency-tree-3.2.0.jar
MD5: 8ba689823847f668283077c69726d0a1
SHA1: dc1dcdfbfbcca93ab165880538badd3d748bf59d
SHA256:03d3102672863761c2a39da09c444cc7dea74cc4a9efa2107f8f0bfd2519d330
Referenced In Project/Scope:space-comments:compile

Identifiers

maven-model-3.0.jar

Description:

Maven Model

File Path: /home/andrii/.m2/repository/org/apache/maven/maven-model/3.0/maven-model-3.0.jar
MD5: 562636665b6ac87297513246c5bdccd2
SHA1: 24ce598c94a78341c42556fe9192dad6a2822405
SHA256:27e426d73f8662b47f60df0e43439b3dec2909c42b89175a6e4431dfed3edafd
Referenced In Project/Scope:space-comments:compile

Identifiers

maven-model-builder-3.0.jar

File Path: /home/andrii/.m2/repository/org/apache/maven/maven-model-builder/3.0/maven-model-builder-3.0.jar
MD5: b995b6ca151d6d74f5a64047807e6318
SHA1: bedc161a3b07a4bcd175b9428cdf18725d292b37
SHA256:1c98a4ec9eb0cb86ecf01710aa75c0346ee3f96edc6edeabcb21ed984120e154
Referenced In Project/Scope:space-comments:compile

Identifiers

maven-plugin-api-3.0.jar

File Path: /home/andrii/.m2/repository/org/apache/maven/maven-plugin-api/3.0/maven-plugin-api-3.0.jar
MD5: 1d67a37a5822b12abc55e5133e47ca0e
SHA1: 98f886f59bb0e69f8e86cdc082e69f2f4c13d648
SHA256:f5ecc6eaa4a32ee0c115d31525f588f491b2cc75fdeb4ed3c0c662c12ac0c32f
Referenced In Project/Scope:space-comments:compile

Identifiers

maven-reporting-api-3.1.1.jar

Description:

API to manage report generation.

File Path: /home/andrii/.m2/repository/org/apache/maven/reporting/maven-reporting-api/3.1.1/maven-reporting-api-3.1.1.jar
MD5: 1e1e0b2f189c861995e33a2a746501bb
SHA1: 74ca00a13e46d065071cdf6376d7d231e0208916
SHA256:25be6603c97d28fa3dcd122073054271c8fcaf667d220dce7a26a61a6f3cffd1
Referenced In Project/Scope:space-comments:compile

Identifiers

maven-repository-metadata-3.0.jar

Description:

Per-directory repository metadata.

File Path: /home/andrii/.m2/repository/org/apache/maven/maven-repository-metadata/3.0/maven-repository-metadata-3.0.jar
MD5: 5a8cee4b67ea39a141b9579323b70e27
SHA1: e3c41f7565b1e189ff7a312796b9d2c470c09a8b
SHA256:c938e4d8cdf0674496749a87e6d3b29aa41b1b35a39898a1ade2bc9eae214c17
Referenced In Project/Scope:space-comments:compile

Identifiers

maven-settings-3.0.jar

Description:

Maven Settings

File Path: /home/andrii/.m2/repository/org/apache/maven/maven-settings/3.0/maven-settings-3.0.jar
MD5: 1ae2f464cfe3c9ba4bbfdfd3255b6ac7
SHA1: 8ee129adae535dd610f2dc952fddce68ac42fd86
SHA256:3b1a46b4bc26a0176acaf99312ff2f3a631faf3224b0996af546aa48bd73c647
Referenced In Project/Scope:space-comments:compile

Identifiers

CVE-2021-26291 (OSSINDEX)  

Apache Maven will follow repositories that are defined in a dependency’s Project Object Model (pom) which may be surprising to some users, resulting in potential risk if a malicious actor takes over that repository or is able to insert themselves into a position to pretend to be that repository. Maven is changing the default behavior in 3.8.1+ to no longer follow http (non-SSL) repository references by default. More details available in the referenced urls. If you are currently using a repository manager to govern the repositories used by your builds, you are unaffected by the risks present in the legacy behavior, and are unaffected by this vulnerability and change to default behavior. See this link for more information about repository management: https://maven.apache.org/repository-management.html
CWE-346 Origin Validation Error

CVSSv2:
  • Base Score: HIGH (9.1)
  • Vector: /AV:N/AC:L/Au:/C:H/I:H/A:N

References:

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:org.apache.maven:maven-settings:3.0:*:*:*:*:*:*:*

maven-settings-builder-3.0.jar

File Path: /home/andrii/.m2/repository/org/apache/maven/maven-settings-builder/3.0/maven-settings-builder-3.0.jar
MD5: 134523c7b38175615b26504e642c960d
SHA1: 08234c1bdf7a9a28c671b0abf11f8adaa66440cd
SHA256:e17e706c6f03c453f6000599cab607c2af5f1cc6e3a3b1e6fce27e5ef4999eab
Referenced In Project/Scope:space-comments:compile

Identifiers

maven-shared-utils-3.1.0.jar

Description:

Shared utils without any further dependencies

File Path: /home/andrii/.m2/repository/org/apache/maven/shared/maven-shared-utils/3.1.0/maven-shared-utils-3.1.0.jar
MD5: fae66822468c5f3e7853d1193f98b849
SHA1: 78d8798fe84d5e095577221d299e9a3c8e696bca
SHA256:88e5334c4c29a6e81c74a1d814c54a9a3b1e4fc6560a95da196fe16928095471
Referenced In Project/Scope:space-comments:compile

Identifiers

CVE-2022-29599  

In Apache Maven maven-shared-utils prior to version 3.3.3, the Commandline class can emit double-quoted strings without proper escaping, allowing shell injection attacks.
CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')

CVSSv2:
  • Base Score: HIGH (7.5)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions:

mchange-commons-java-0.2.19.jar

Description:

mchange-commons-java

License:

GNU Lesser General Public License, Version 2.1: http://www.gnu.org/licenses/lgpl-2.1.html
Eclipse Public License, Version 1.0: http://www.eclipse.org/org/documents/epl-v10.html
File Path: /home/andrii/.m2/repository/com/mchange/mchange-commons-java/0.2.19/mchange-commons-java-0.2.19.jar
MD5: 795d7e75026388f4d90aa9719666e5db
SHA1: 7a4bee38ea02bd7dee776869b19fb3f6861d6acf
SHA256:03761838ba2a7c9cce56ba84781633f107c8befb4e3607b336ee3010f915165d
Referenced In Project/Scope:space-comments:provided

Identifiers

memoize-one.esm-42a55c10.js

File Path: /home/andrii/IdeaProjects/confluence-comments-server/src/main/resources/js/build/_snowpack/pkg/common/memoize-one.esm-42a55c10.js
MD5: a37a427d0a9b223d9fef26c824659b0a
SHA1: 3a613116c1198880b8590e9346f0d32ccc56d7f3
SHA256:3dd205b86eb0bc59f4841faa0865700bd2464e6464a8b4fe7a2b25730dc92ff2
Referenced In Project/Scope:space-comments

Identifiers

  • None

metrics-core-4.0.3.jar

Description:

Metrics is a Java library which gives you unparalleled insight into what your code does in production. Metrics provides a powerful toolkit of ways to measure the behavior of critical components in your production environment.

License:

http://www.apache.org/licenses/LICENSE-2.0.html
File Path: /home/andrii/.m2/repository/io/dropwizard/metrics/metrics-core/4.0.3/metrics-core-4.0.3.jar
MD5: 051abff31424a2e6632c48f5ddf017d7
SHA1: bb562ee73f740bb6b2bf7955f97be6b870d9e9f0
SHA256:7eff1a8d8cecbb2d3023b3d389d4d14a5212c4853199e39c094def46b6866cde
Referenced In Project/Scope:space-comments:provided

Identifiers

metrics-jmx-4.0.6.jar

Description:

A set of classes which allow you to report metrics via JMX.

License:

http://www.apache.org/licenses/LICENSE-2.0.html
File Path: /home/andrii/.m2/repository/io/dropwizard/metrics/metrics-jmx/4.0.6/metrics-jmx-4.0.6.jar
MD5: 9962568ea5bd6ea9c93c4a5a3b152b1d
SHA1: dc9b9de4649b54e770c15509a3403b34a5d5dc11
SHA256:07cca8fe8b5dcc1d1d08a7b534179c7bd4f68e1510700a63a3106e37ac902dc3
Referenced In Project/Scope:space-comments:provided

Identifiers

metrics-sql-3.1.0-atlassian-4.jar

License:

Apache License 2.0: http://www.apache.org/licenses/LICENSE-2.0.html
File Path: /home/andrii/.m2/repository/com/github/gquintana/metrics/metrics-sql/3.1.0-atlassian-4/metrics-sql-3.1.0-atlassian-4.jar
MD5: fdf6905a28f3b1cc269b09f70367f43e
SHA1: 82c0cd776bea41768095d8334164a697a3280b2b
SHA256:de37c0f4aa0fc24543595d3e9c920f130521ed8ede60a5929d4282f46b9acb6d
Referenced In Project/Scope:space-comments:provided

Identifiers

micrometer-core-1.2.0.jar (shaded: org.pcollections:pcollections:3.0.3)

Description:

A Persistent Java Collections Library

License:

The MIT License: https://opensource.org/licenses/mit-license.php
File Path: /home/andrii/.m2/repository/io/micrometer/micrometer-core/1.2.0/micrometer-core-1.2.0.jar/META-INF/maven/org.pcollections/pcollections/pom.xml
MD5: 35ba5e5a8572be83189294f2607ee97b
SHA1: 312cf913d2d027395cf9cb15a46af2e763e876c6
SHA256:dbd55a6571ebc17f31e4ba012d35aae6d6384d35287e12cb69a02a5597547a42
Referenced In Project/Scope:space-comments:provided

Identifiers

micrometer-core-1.2.0.jar

Description:

Application monitoring instrumentation facade

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/andrii/.m2/repository/io/micrometer/micrometer-core/1.2.0/micrometer-core-1.2.0.jar
MD5: 2d61ce6aa26bfe578bfbdc5c9fecfe78
SHA1: 0e085f337633b807020596b37dc9c9ccd3ee1a1f
SHA256:9aacd657e0904f0b9c2f5bccbc92456b73debd2106cf0232b33f86dea57ab1c7
Referenced In Project/Scope:space-comments:provided

Identifiers

micrometer-registry-influx-1.5.0.jar

Description:

Application monitoring instrumentation facade

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/andrii/.m2/repository/io/micrometer/micrometer-registry-influx/1.5.0/micrometer-registry-influx-1.5.0.jar
MD5: a1e6255e2fe052587b48fd1a5db2cb29
SHA1: ac67b51c779906903f94246842c1cfd6f40e54ec
SHA256:7c8d2107cf0d3e0f6d885e7bd99a8751b82bac495a339fb0cbc271ca1063c898
Referenced In Project/Scope:space-comments:provided

Identifiers

minlog-1.3.1.jar

Description:

Minimal overhead Java logging

License:

3-Clause BSD License: https://opensource.org/licenses/BSD-3-Clause
File Path: /home/andrii/.m2/repository/com/esotericsoftware/minlog/1.3.1/minlog-1.3.1.jar
MD5: 46908e11b408080d53246e4be44e66db
SHA1: a406e29d3a44d5f020d7b3218aee6d0952db4f73
SHA256:5d4d632cfbebfe0a7644501cc303570b691406181bee65e9916b921c767d7c72
Referenced In Project/Scope:space-comments:compile

Identifiers

modz-detector-0.14.jar

File Path: /home/andrii/.m2/repository/com/atlassian/modzdetector/modz-detector/0.14/modz-detector-0.14.jar
MD5: 4018ce198d12bb32fefc4252a598056a
SHA1: 9b8b545d4f88de469acfb5813b236db53cb36a4e
SHA256:8944886d9da18766e0defed5eda5a3c8dbcc2a34e9e846c3cc0c92f6c88c349d
Referenced In Project/Scope:space-comments:provided

Identifiers

mssql-jdbc-6.3.0.jre8-preview.jar

Description:

Microsoft JDBC Driver for SQL Server. The Azure Key Vault feature in Microsoft JDBC Driver for SQL Server depends on Azure SDK for JAVA and Azure Active Directory Library For Java.

License:

MIT License: http://www.opensource.org/licenses/mit-license.php
File Path: /home/andrii/.m2/repository/com/microsoft/sqlserver/mssql-jdbc/6.3.0.jre8-preview/mssql-jdbc-6.3.0.jre8-preview.jar
MD5: e100cd62bb083ba60321a72952d6ddac
SHA1: 21fcee593c8829ded0c0c5d3365e6698f7c5ed79
SHA256:4bf49a73ed6a966ec742c9324614a9748da93f0979cdb6ff67fb47b8fa1e23ad
Referenced In Project/Scope:space-comments:provided

Identifiers

mxparser-1.2.1.jar

Description:

MXParser is a fork of xpp3_min 1.1.7 containing only the parser with merged changes of the Plexus fork.

License:

Indiana University Extreme! Lab Software License: https://raw.githubusercontent.com/x-stream/mxparser/master/LICENSE.txt
File Path: /home/andrii/.m2/repository/io/github/x-stream/mxparser/1.2.1/mxparser-1.2.1.jar
MD5: 06012e8b74cfef8f09149320272fccab
SHA1: 2a7e50b9831efc7785a4d276d94eadee343a4729
SHA256:860eab19076fa6fe93643be7a0895a2ca698b514029734ec84eaf1f9de2468e2
Referenced In Project/Scope:space-comments:provided

Identifiers

nekohtml-1.9.22.jar

Description:

An HTML parser and tag balancer.

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/andrii/.m2/repository/net/sourceforge/nekohtml/nekohtml/1.9.22/nekohtml-1.9.22.jar
MD5: a97dfe2d0ceb81ffbdd15436961b0f23
SHA1: 4f54af68ecb345f2453fb6884672ad08414154e3
SHA256:452978e8b6667c7b8357fd3f0a2f2f405e4560a7148143a69181735da5d19045
Referenced In Project/Scope:space-comments:provided

Identifiers

CVE-2022-24839  

org.cyberneko.html is an html parser written in Java. The fork of `org.cyberneko.html` used by Nokogiri (Rubygem) raises a `java.lang.OutOfMemoryError` exception when parsing ill-formed HTML markup. Users are advised to upgrade to `>= 1.9.22.noko2`. Note: The upstream library `org.cyberneko.html` is no longer maintained. Nokogiri uses its own fork of this library located at https://github.com/sparklemotion/nekohtml and this CVE applies only to that fork. Other forks of nekohtml may have a similar vulnerability.
CWE-400 Uncontrolled Resource Consumption ('Resource Exhaustion')

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:P
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References:

Vulnerable Software & Versions:

nimbus-jose-jwt-8.14.1.jar

Description:

Java library for Javascript Object Signing and Encryption (JOSE) and JSON Web Tokens (JWT)

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/andrii/.m2/repository/com/nimbusds/nimbus-jose-jwt/8.14.1/nimbus-jose-jwt-8.14.1.jar
MD5: ca5294a5c21cc180924579050f6d07ee
SHA1: a5fd931fb5b0080f91cf3ac2f0ba347a2e285aa9
SHA256:7327f0dec6f729a424e0a10316905aba7960d17a4daaa672bf76405fdc1d63ba
Referenced In Project/Scope:space-comments:provided

Identifiers

oauth2-oidc-sdk-7.4.jar

Description:

OAuth 2.0 SDK with OpenID Connection extensions for developing client and server applications.

License:

Apache License, version 2.0: http://www.apache.org/licenses/LICENSE-2.0.html
File Path: /home/andrii/.m2/repository/com/nimbusds/oauth2-oidc-sdk/7.4/oauth2-oidc-sdk-7.4.jar
MD5: 4026895a3beb12199e7ff6da374f7b34
SHA1: bc205ffbfcabf0c8f451e8ffd5121e3b8769cd12
SHA256:c76c4255dbcdcebc215d2b40344ad9d1b2990961db034d0d3300258cf23b9a17
Referenced In Project/Scope:space-comments:provided

Identifiers

odmg-3.0.jar

File Path: /home/andrii/.m2/repository/odmg/odmg/3.0/odmg-3.0.jar
MD5: 8c1bd7dfbf457c7302f62cd866f48877
SHA1: 5f894225c221bd1e6f1f072caf911f7a2870ad9f
SHA256:0771a190536380f8cb63d4d070d9e2df60db047e12a1aaa6c9573f8c0fd0e5ef
Referenced In Project/Scope:space-comments:provided

Identifiers

ognl-2.6.5-atlassian-3.jar

File Path: /home/andrii/.m2/repository/ognl/ognl/2.6.5-atlassian-3/ognl-2.6.5-atlassian-3.jar
MD5: b94ed657ba28e75baad64075affc82bf
SHA1: 87b6783e518dcf346991c75e8cebdba30231ea23
SHA256:385df86c3b8b047227255d5ebb16cbf315952ad9e54399b25b7f35cb68c1f82d
Referenced In Project/Scope:space-comments:provided

Identifiers

CVE-2016-3093  

Apache Struts 2.0.0 through 2.3.24.1 does not properly cache method references when used with OGNL before 3.0.12, which allows remote attackers to cause a denial of service (block access to a web site) via unspecified vectors.
CWE-20 Improper Input Validation

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:P
CVSSv3:
  • Base Score: MEDIUM (5.3)
  • Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

References:

Vulnerable Software & Versions:

org.apache.felix.framework-5.6.12.jar

Description:

OSGi R6 framework implementation.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/andrii/.m2/repository/org/apache/felix/org.apache.felix.framework/5.6.12/org.apache.felix.framework-5.6.12.jar
MD5: f82d5e54b307719c46f39c1a6dbe013d
SHA1: dad6b36b87bced1536bf70ebda578b82a78f4173
SHA256:326c58622ddc123016075ea62498bf7eb97d9d0ca2428bf83cfae4c1dfb8cbb1
Referenced In Project/Scope:space-comments:provided

Identifiers

oro-2.0.8.jar

File Path: /home/andrii/.m2/repository/oro/oro/2.0.8/oro-2.0.8.jar
MD5: 42e940d5d2d822f4dc04c65053e630ab
SHA1: 5592374f834645c4ae250f4c9fbb314c9369d698
SHA256:e00ccdad5df7eb43fdee44232ef64602bf63807c2d133a7be83ba09fd49af26e
Referenced In Project/Scope:space-comments:provided

Identifiers

oscache-2.2.jar

File Path: /home/andrii/.m2/repository/oscache/oscache/2.2/oscache-2.2.jar
MD5: 5fc6eb8aaec7113f4df71cbbd0dc9397
SHA1: dda31848632610cc8188fcebd53b4af16d9d5985
SHA256:6f7b95a21638f6849bf3fcda1925fc7d4711480b06eb25972b28f35d43bf7ad2
Referenced In Project/Scope:space-comments:provided

Identifiers

oscore-2.2.7-atlassian-1.jar

File Path: /home/andrii/.m2/repository/opensymphony/oscore/2.2.7-atlassian-1/oscore-2.2.7-atlassian-1.jar
MD5: 9cb0d387b65cd6447fc5776cf8b2deda
SHA1: 921a5768fffcb82bdf23bfb1b4a5b175a94a7dd5
SHA256:973d97ee731eb2d3099aad756ce8f78a5acca231ab6a68e46947a3a5ffd4baa0
Referenced In Project/Scope:space-comments:provided

Identifiers

oshi-core-5.3.6.jar

Description:

A JNA-based (native) operating system information library for Java that aims to provide a cross-platform implementation to retrieve system information, such as version, memory, CPU, disk, battery, etc.

License:

MIT License: https://opensource.org/licenses/MIT
File Path: /home/andrii/.m2/repository/com/github/oshi/oshi-core/5.3.6/oshi-core-5.3.6.jar
MD5: ff3367c536b345d593f5a869ee5f2b24
SHA1: 0e69383dc7b7d84926262e90e720927f10d25f0a
SHA256:a65d3146085d42bbf19f76e561870f1d48b69977380c5c51e2da784691279feb
Referenced In Project/Scope:space-comments:provided

Identifiers

ossindex-service-api-1.8.2.jar

File Path: /home/andrii/.m2/repository/org/sonatype/ossindex/ossindex-service-api/1.8.2/ossindex-service-api-1.8.2.jar
MD5: 538c88889c560c0bcd8ded0a16c5dee6
SHA1: b1eaa5940bed67fad9d596839500d2559bc57e36
SHA256:61fb04e93cf2991718057956f92534cbf1494ed5e74250b9dfd6c012bc379aa8
Referenced In Project/Scope:space-comments:compile

Identifiers

ossindex-service-client-1.8.2.jar

File Path: /home/andrii/.m2/repository/org/sonatype/ossindex/ossindex-service-client/1.8.2/ossindex-service-client-1.8.2.jar
MD5: c9ecd5ddb7bc3ceecc33da606ec0d2f7
SHA1: 3fc65bd57dbdfd40b62424feb22949095b20e4d0
SHA256:ef692b99e11e558524036447daedf7cb98285407d4db7af579a5914c265f981b
Referenced In Project/Scope:space-comments:compile

Identifiers

osuser-atl.user.jar

File Path: /home/andrii/.m2/repository/osuser/osuser/atl.user/osuser-atl.user.jar
MD5: 799f19e8dda07c74a7bb51affad9875f
SHA1: e68810e3ba7d973ae4c4da9bfd56a551e593577d
SHA256:3e6ec30cf1a0cf17c1b438c93e5795a6e10cd6fe586124adabb9a7ce18d9debd
Referenced In Project/Scope:space-comments:provided

Identifiers

package-scanner-0.9.5.jar

File Path: /home/andrii/.m2/repository/org/twdata/pkgscanner/package-scanner/0.9.5/package-scanner-0.9.5.jar
MD5: 792f15883f0ddaded50410fc595a8b8d
SHA1: 0bbf358db80c6db8f1bc8ad179e4f52542a2b5eb
SHA256:6ffb92fca267769047dbba925fe6bed2f4ad7a3788672b1d1b69e535151f903a
Referenced In Project/Scope:space-comments:provided

Identifiers

package-url-java-1.1.1.jar

License:

ASL2: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/andrii/.m2/repository/org/sonatype/goodies/package-url-java/1.1.1/package-url-java-1.1.1.jar
MD5: f1536b94a22379278b0480ea89e7028a
SHA1: d6822ea23182ce388cb67086d92ba40fad6f8e16
SHA256:15297862342b494a535742fba90ea8a321cd13e1d0dc4c61b7a3b18ce385e1a8
Referenced In Project/Scope:space-comments:compile

Identifiers

packager-core-0.19.0.jar

Description:

Work with software packagers.

License:

http://www.eclipse.org/legal/epl-2.0
File Path: /home/andrii/.m2/repository/org/eclipse/packager/packager-core/0.19.0/packager-core-0.19.0.jar
MD5: 1c9bcf1fb9c82adf9e52c3d33fccb1ef
SHA1: be78989d7ad07e1a81b41e3ba3705eeaaffcec52
SHA256:f57988a8b36da005353ba5d5a3414766e198aa54e1fb7d363aff1e3dd847d48a
Referenced In Project/Scope:space-comments:compile

Identifiers

packager-rpm-0.19.0.jar

File Path: /home/andrii/.m2/repository/org/eclipse/packager/packager-rpm/0.19.0/packager-rpm-0.19.0.jar
MD5: 57eee2da2e2c2e949a66ee22586ad235
SHA1: fd59d3de5d77cf2ac49a808eb60a9b1d28853769
SHA256:f2550b2f4eb1d667e766815d98a3d43c95a3de7e68cb19065515980be689f13d
Referenced In Project/Scope:space-comments:compile

Identifiers

packageurl-java-1.4.1.jar

Description:

The official Java implementation of the PackageURL specification. PackageURL (purl) is a minimal specification for describing a package via a "mostly universal" URL.

License:

MIT: https://opensource.org/licenses/MIT
File Path: /home/andrii/.m2/repository/com/github/package-url/packageurl-java/1.4.1/packageurl-java-1.4.1.jar
MD5: f8b3a23e6402d317b612251c83d292e7
SHA1: 0a0d1009191c1cf6b04f40d26e4717596f3a90e0
SHA256:8e23280221afd1e6561d433dfb133252cd287167acb0eca5a991667118ff10a2
Referenced In Project/Scope:space-comments:compile

Identifiers

pagination-1f6ff1e0.js

File Path: /home/andrii/IdeaProjects/confluence-comments-server/src/main/resources/js/build/_snowpack/pkg/common/pagination-1f6ff1e0.js
MD5: b9801badbec1a79668fd4e016dd38ceb
SHA1: dd9f790794ab2b1bcc3d8ef81836793671ef7eda
SHA256:db9f4f2ad4e53dd7c66217674f7641789f410ac09d39576027f9699ba395ab9c
Referenced In Project/Scope:space-comments

Identifiers

  • None

pagination.js

File Path: /home/andrii/IdeaProjects/confluence-comments-server/src/main/resources/js/build/_snowpack/pkg/@atlaskit/pagination.js
MD5: c58053687f2fde941b07ce381bf3cc5e
SHA1: 4b49fd4e7533d40dc09bb1ffbe4a5669c54bd1eb
SHA256:6b9a624a51b879838a481c3fa4b6868c32356b746e25e96ae1a1a0dc0f5dcc20
Referenced In Project/Scope:space-comments

Identifiers

  • None

panopticon-api-1.0.3.jar

Description:

This is the module exposing APIs related to Panopticon

File Path: /home/andrii/.m2/repository/com/atlassian/plugins/panopticon-api/1.0.3/panopticon-api-1.0.3.jar
MD5: 540fdf25ed9de58dd62c218d11f4c4ce
SHA1: 3f546a43a64ce31370c9419c797315fd29184130
SHA256:b252fd86852eadea678ba168e3d8f437c578b0613f4281a1a94132a4e7bf0279
Referenced In Project/Scope:space-comments:provided

Identifiers

CVE-2016-6496  

The LDAP directory connector in Atlassian Crowd before 2.8.8 and 2.9.x before 2.9.5 allows remote attackers to execute arbitrary code via an LDAP attribute with a crafted serialized Java object, aka LDAP entry poisoning.
CWE-20 Improper Input Validation

CVSSv2:
  • Base Score: HIGH (7.5)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions:

CVE-2022-26136  

A vulnerability in multiple Atlassian products allows a remote, unauthenticated attacker to bypass Servlet Filters used by first and third party apps. The impact depends on which filters are used by each app, and how the filters are used. This vulnerability can result in authentication bypass and cross-site scripting. Atlassian has released updates that fix the root cause of this vulnerability, but has not exhaustively enumerated all potential consequences of this vulnerability. Atlassian Bamboo versions are affected before 8.0.9, from 8.1.0 before 8.1.8, and from 8.2.0 before 8.2.4. Atlassian Bitbucket versions are affected before 7.6.16, from 7.7.0 before 7.17.8, from 7.18.0 before 7.19.5, from 7.20.0 before 7.20.2, from 7.21.0 before 7.21.2, and versions 8.0.0 and 8.1.0. Atlassian Confluence versions are affected before 7.4.17, from 7.5.0 before 7.13.7, from 7.14.0 before 7.14.3, from 7.15.0 before 7.15.2, from 7.16.0 before 7.16.4, from 7.17.0 before 7.17.4, and version 7.21.0. Atlassian Crowd versions are affected before 4.3.8, from 4.4.0 before 4.4.2, and version 5.0.0. Atlassian Fisheye and Crucible versions before 4.8.10 are affected. Atlassian Jira versions are affected before 8.13.22, from 8.14.0 before 8.20.10, and from 8.21.0 before 8.22.4. Atlassian Jira Service Management versions are affected before 4.13.22, from 4.14.0 before 4.20.10, and from 4.21.0 before 4.22.4.
CWE-287 Improper Authentication

CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions:

CVE-2012-2926  

Atlassian JIRA before 5.0.1; Confluence before 3.5.16, 4.0 before 4.0.7, and 4.1 before 4.1.10; FishEye and Crucible before 2.5.8, 2.6 before 2.6.8, and 2.7 before 2.7.12; Bamboo before 3.3.4 and 3.4.x before 3.4.5; and Crowd before 2.0.9, 2.1 before 2.1.2, 2.2 before 2.2.9, 2.3 before 2.3.7, and 2.4 before 2.4.1 do not properly restrict the capabilities of third-party XML parsers, which allows remote attackers to read arbitrary files or cause a denial of service (resource consumption) via unspecified vectors.
NVD-CWE-noinfo

CVSSv2:
  • Base Score: MEDIUM (6.4)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:P
CVSSv3:
  • Base Score: CRITICAL (9.1)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H

References:

Vulnerable Software & Versions:

CVE-2022-26137  

A vulnerability in multiple Atlassian products allows a remote, unauthenticated attacker to cause additional Servlet Filters to be invoked when the application processes requests or responses. Atlassian has confirmed and fixed the only known security issue associated with this vulnerability: Cross-origin resource sharing (CORS) bypass. Sending a specially crafted HTTP request can invoke the Servlet Filter used to respond to CORS requests, resulting in a CORS bypass. An attacker that can trick a user into requesting a malicious URL can access the vulnerable application with the victim’s permissions. Atlassian Bamboo versions are affected before 8.0.9, from 8.1.0 before 8.1.8, and from 8.2.0 before 8.2.4. Atlassian Bitbucket versions are affected before 7.6.16, from 7.7.0 before 7.17.8, from 7.18.0 before 7.19.5, from 7.20.0 before 7.20.2, from 7.21.0 before 7.21.2, and versions 8.0.0 and 8.1.0. Atlassian Confluence versions are affected before 7.4.17, from 7.5.0 before 7.13.7, from 7.14.0 before 7.14.3, from 7.15.0 before 7.15.2, from 7.16.0 before 7.16.4, from 7.17.0 before 7.17.4, and version 7.21.0. Atlassian Crowd versions are affected before 4.3.8, from 4.4.0 before 4.4.2, and version 5.0.0. Atlassian Fisheye and Crucible versions before 4.8.10 are affected. Atlassian Jira versions are affected before 8.13.22, from 8.14.0 before 8.20.10, and from 8.21.0 before 8.22.4. Atlassian Jira Service Management versions are affected before 4.13.22, from 4.14.0 before 4.20.10, and from 4.21.0 before 4.22.4.
CWE-346 Origin Validation Error

CVSSv3:
  • Base Score: HIGH (8.8)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions:

CVE-2017-18105  

The console login resource in Atlassian Crowd before version 3.0.2 and from version 3.1.0 before version 3.1.1 allows remote attackers, who have previously obtained a user's JSESSIONID cookie, to gain access to some of the built-in and potentially third party rest resources via a session fixation vulnerability.
CWE-384 Session Fixation

CVSSv2:
  • Base Score: MEDIUM (6.8)
  • Vector: /AV:N/AC:M/Au:N/C:P/I:P/A:P
CVSSv3:
  • Base Score: HIGH (8.1)
  • Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions:

CVE-2018-20238  

Various rest resources in Atlassian Crowd before version 3.2.7 and from version 3.3.0 before version 3.3.4 allow remote attackers to authenticate using an expired user session via an insufficient session expiration vulnerability.
CWE-384 Session Fixation

CVSSv2:
  • Base Score: MEDIUM (5.5)
  • Vector: /AV:N/AC:L/Au:S/C:P/I:P/A:N
CVSSv3:
  • Base Score: HIGH (8.1)
  • Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

References:

Vulnerable Software & Versions:

CVE-2017-18106  

The identifier_hash for a session token in Atlassian Crowd before version 2.9.1 could potentially collide with an identifier_hash for another user or a user in a different directory. This allows remote attackers who can authenticate to Crowd or an application using Crowd for authentication to gain access to another user's session, provided they can make their identifier hash collide with another user's session identifier hash.
CWE-287 Improper Authentication

CVSSv2:
  • Base Score: MEDIUM (6.0)
  • Vector: /AV:N/AC:M/Au:S/C:P/I:P/A:P
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions:

CVE-2019-20104  

The OpenID client application in Atlassian Crowd before version 3.6.2, and from version 3.7.0 before 3.7.1 allows remote attackers to perform a Denial of Service attack via an XML Entity Expansion vulnerability.
CWE-776 Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:P
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References:

Vulnerable Software & Versions:

CVE-2019-20902  

Upgrading Crowd via XML Data Transfer can reactivate a disabled user from OpenLDAP. The affected versions are from before version 3.4.6 and from 3.5.0 before 3.5.1.
NVD-CWE-noinfo

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

References:

Vulnerable Software & Versions:

CVE-2017-18108  

The administration SMTP configuration resource in Atlassian Crowd before version 2.10.2 allows remote attackers with administration rights to execute arbitrary code via a JNDI injection.
CWE-94 Improper Control of Generation of Code ('Code Injection')

CVSSv2:
  • Base Score: MEDIUM (6.5)
  • Vector: /AV:N/AC:L/Au:S/C:P/I:P/A:P
CVSSv3:
  • Base Score: HIGH (7.2)
  • Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions:

CVE-2017-18107  

Various resources in the Crowd Demo application of Atlassian Crowd before version 3.1.1 allow remote attackers to add, modify and delete users & groups via a Cross-site request forgery (CSRF) vulnerability. Please be aware that the Demo application is not enabled by default.
CWE-352 Cross-Site Request Forgery (CSRF)

CVSSv2:
  • Base Score: MEDIUM (4.0)
  • Vector: /AV:N/AC:H/Au:N/C:N/I:P/A:P
CVSSv3:
  • Base Score: MEDIUM (6.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

References:

Vulnerable Software & Versions:

CVE-2017-18110  

The administration backup restore resource in Atlassian Crowd before version 3.0.2 and from version 3.1.0 before version 3.1.1 allows remote attackers to read files from the filesystem via a XXE vulnerability.
CWE-611 Improper Restriction of XML External Entity Reference ('XXE')

CVSSv2:
  • Base Score: MEDIUM (4.0)
  • Vector: /AV:N/AC:L/Au:S/C:P/I:N/A:N
CVSSv3:
  • Base Score: MEDIUM (6.5)
  • Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

References:

Vulnerable Software & Versions:

CVE-2017-18109  

The login resource of CrowdId in Atlassian Crowd before version 3.0.2 and from version 3.1.0 before version 3.1.1 allows remote attackers to redirect users to a different website which they may use as part of performing a phishing attack via an open redirect.
CWE-601 URL Redirection to Untrusted Site ('Open Redirect')

CVSSv2:
  • Base Score: MEDIUM (5.8)
  • Vector: /AV:N/AC:M/Au:N/C:P/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (6.1)
  • Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

References:

Vulnerable Software & Versions:

CVE-2018-20239  

Application Links before version 5.0.11, from version 5.1.0 before 5.2.10, from version 5.3.0 before 5.3.6, from version 5.4.0 before 5.4.12, and from version 6.0.0 before 6.0.4 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the applinkStartingUrl parameter. The product is used as a plugin in various Atlassian products where the following are affected: Confluence before version 6.15.2, Crucible before version 4.7.0, Crowd before version 3.4.3, Fisheye before version 4.7.0, Jira before version 7.13.3 and 8.x before 8.1.0.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv2:
  • Base Score: LOW (3.5)
  • Vector: /AV:N/AC:M/Au:S/C:N/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (5.4)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

References:

Vulnerable Software & Versions:

CVE-2020-36240  

The ResourceDownloadRewriteRule class in Crowd before version 4.0.4, and from version 4.1.0 before 4.1.2 allowed unauthenticated remote attackers to read arbitrary files within WEB-INF and META-INF directories via an incorrect path access check.
NVD-CWE-noinfo

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSSv3:
  • Base Score: MEDIUM (5.3)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

References:

Vulnerable Software & Versions:

CVE-2016-10740  

Various resources in Atlassian Crowd before version 2.10.1 allow remote attackers with administration rights to learn the passwords of configured LDAP directories by examining the responses to requests for these resources.
CWE-200 Information Exposure

CVSSv2:
  • Base Score: MEDIUM (4.0)
  • Vector: /AV:N/AC:L/Au:S/C:P/I:N/A:N
CVSSv3:
  • Base Score: MEDIUM (4.9)
  • Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

References:

Vulnerable Software & Versions:

CVE-2019-15005  

The Atlassian Troubleshooting and Support Tools plugin prior to version 1.17.2 allows an unprivileged user to initiate periodic log scans and send the results to a user-specified email address due to a missing authorization check. The email message may contain configuration information about the application that the plugin is installed into. A vulnerable version of the plugin is included with Bitbucket Server / Data Center before 6.6.0, Confluence Server / Data Center before 7.0.1, Jira Server / Data Center before 8.3.2, Crowd / Crowd Data Center before 3.6.0, Fisheye before 4.7.2, Crucible before 4.7.2, and Bamboo before 6.10.2.
CWE-862 Missing Authorization

CVSSv2:
  • Base Score: MEDIUM (4.0)
  • Vector: /AV:N/AC:L/Au:S/C:P/I:N/A:N
CVSSv3:
  • Base Score: MEDIUM (4.3)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

References:

Vulnerable Software & Versions:

pdfbox-2.0.24.jar

Description:

The Apache PDFBox library is an open source Java tool for working with PDF documents.

License:

https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/andrii/.m2/repository/org/apache/pdfbox/pdfbox/2.0.24/pdfbox-2.0.24.jar
MD5: 9e97fc59c662738a5fb82dcc447d1e2f
SHA1: cb562ee5f43e29415af4477e62fbe668ef88d18b
SHA256:3c2c0553ec0e7533c490b4c952e1af113621de5275af6e380e11d0d9a0a4f3d6
Referenced In Project/Scope:space-comments:provided

Identifiers

pecoff4j-0.0.2.1.jar

Description:

PE/COFF 4J is a java engineering library for portable executables, the format used by Windows.

License:

Common Public 1.0: https://github.com/kichik/pecoff4j/blob/master/cpl-v10.html
File Path: /home/andrii/.m2/repository/org/whitesource/pecoff4j/0.0.2.1/pecoff4j-0.0.2.1.jar
MD5: b7cfcbf8cd6adb01bbe4c2df9b15be60
SHA1: a1ff9aa49167ae52e42dcc532f9e81728e057a45
SHA256:847373828e0490babdfaed2b048ed3908dc1a8de82d4c8e6ebab9bfd0a294ed6
Referenced In Project/Scope:space-comments:compile

Identifiers

plexus-cipher-1.4.jar

File Path: /home/andrii/.m2/repository/org/sonatype/plexus/plexus-cipher/1.4/plexus-cipher-1.4.jar
MD5: 7b2d6fcf0d5800d5b1ce09d98d98dcaf
SHA1: 50ade46f23bb38cd984b4ec560c46223432aac38
SHA256:5a15fdba22669e0fdd06e10dcce6320879e1f7398fbc910cd0677b50672a78c4
Referenced In Project/Scope:space-comments:compile

Identifiers

plexus-classworlds-2.2.3.jar

Description:

A class loader framework

File Path: /home/andrii/.m2/repository/org/codehaus/plexus/plexus-classworlds/2.2.3/plexus-classworlds-2.2.3.jar
MD5: e6673b3089c11931211b77d24bbc4f8e
SHA1: 93b34d7a40ed56fe33274480c5792b656d3697a9
SHA256:7d95ad21733b060bfda2142b62439a196bde7644f9f127c299ae86d92179b518
Referenced In Project/Scope:space-comments:compile

Identifiers

plexus-component-annotations-2.0.0.jar

Description:

Plexus Component "Java 5" Annotations, to describe plexus components properties in java sources with standard annotations instead of javadoc annotations.

File Path: /home/andrii/.m2/repository/org/codehaus/plexus/plexus-component-annotations/2.0.0/plexus-component-annotations-2.0.0.jar
MD5: be18d50372002ba958de0ae4850b18a7
SHA1: 6897b9fa8b67c900b52996f845e2d179eea13441
SHA256:405eef6fc9188241ec88579c3e473f5c8997455c69bcd62e142492aca15106bc
Referenced In Project/Scope:space-comments:compile

Identifiers

plexus-interpolation-1.14.jar

File Path: /home/andrii/.m2/repository/org/codehaus/plexus/plexus-interpolation/1.14/plexus-interpolation-1.14.jar
MD5: f92db8b194fc417d72cc74c428afacf8
SHA1: c88dd864fe8b8256c25558ce7cd63be66ba07693
SHA256:7fc63378d3e84663619b9bedace9f9fe78b276c2be3c62ca2245449294c84176
Referenced In Project/Scope:space-comments:compile

Identifiers

plexus-sec-dispatcher-1.4.jar

File Path: /home/andrii/.m2/repository/org/sonatype/plexus/plexus-sec-dispatcher/1.4/plexus-sec-dispatcher-1.4.jar
MD5: 0a46e5bc9bc2fbd3b68091066aff2737
SHA1: 43fde524e9b94c883727a9fddb8669181b890ea7
SHA256:da73e32b58132e64daf12269fd9d011c0b303f234840f179908725a632b6b57c
Referenced In Project/Scope:space-comments:compile

Identifiers

plexus-utils-3.5.0.jar

Description:

A collection of various utility classes to ease working with strings, files, command lines, XML and more.

File Path: /home/andrii/.m2/repository/org/codehaus/plexus/plexus-utils/3.5.0/plexus-utils-3.5.0.jar
MD5: a692f46bd0bb8e23a76f254077fbb085
SHA1: ff9f0881396a06b31ff548048256e9a7c8f1207a
SHA256:e5182eb3e5e73cf89d6426ca7f5cbae2e72819b9bed68d872f80f3b535269cb8
Referenced In Project/Scope:space-comments:compile

Identifiers

policy-2.7.5.jar

Description:

WS-Policy implementation for Project Metro

License:

Dual License: CDDL 1.0 and GPL V2 with Classpath Exception: http://glassfish.java.net/public/CDDL+GPL_1_1.html
File Path: /home/andrii/.m2/repository/com/sun/xml/ws/policy/2.7.5/policy-2.7.5.jar
MD5: 5d3ce1646312f2e5dde0fde0c3028edd
SHA1: 5e3ec7b4a9d6b3ae800e382de16e4663fab67f41
SHA256:34e254f415b94eab04bad700e9109359b60e01bcb9a7873bc2c934c424a2f965
Referenced In Project/Scope:space-comments:provided

Identifiers

postgresql-42.2.18.jar

Description:

PostgreSQL JDBC Driver Postgresql

License:

BSD-2-Clause: https://jdbc.postgresql.org/about/license.html
File Path: /home/andrii/.m2/repository/org/postgresql/postgresql/42.2.18/postgresql-42.2.18.jar
MD5: d6895bb05ac7b9c85c4e89f3880127e3
SHA1: a0a9c1d43c7727eeaf1b729477891185d3c71751
SHA256:0c891979f1eb2fe44432da114d09760b5063dad9e669ac0ac6b0b6bfb91bb3ba
Referenced In Project/Scope:space-comments:provided

Identifiers

CVE-2022-21724  

pgjdbc is the official PostgreSQL JDBC Driver. A security hole was found in the jdbc driver for postgresql database while doing security research. The system using the postgresql library will be attacked when an attacker controls the jdbc url or properties. pgjdbc instantiates plugin instances based on class names provided via `authenticationPluginClassName`, `sslhostnameverifier`, `socketFactory`, `sslfactory`, `sslpasswordcallback` connection properties. However, the driver did not verify if the class implements the expected interface before instantiating the class. This can lead to code execution loaded via arbitrary classes. Users using plugins are advised to upgrade. There are no known workarounds for this issue.
CWE-665 Improper Initialization

CVSSv2:
  • Base Score: HIGH (7.5)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions:

CVE-2022-26520 (OSSINDEX)  

** DISPUTED ** In pgjdbc before 42.3.3, an attacker (who controls the jdbc URL or properties) can call java.util.logging.FileHandler to write to arbitrary files through the loggerFile and loggerLevel connection properties. An example situation is that an attacker could create an executable JSP file under a Tomcat web root. NOTE: the vendor's position is that there is no pgjdbc vulnerability; instead, it is a vulnerability for any application to use the pgjdbc driver with untrusted connection properties.
CWE-20 Improper Input Validation

CVSSv2:
  • Base Score: HIGH (9.8)
  • Vector: /AV:N/AC:L/Au:/C:H/I:H/A:H

References:

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:org.postgresql:postgresql:42.2.18:*:*:*:*:*:*:*

CVE-2022-31197  

PostgreSQL JDBC Driver (PgJDBC for short) allows Java programs to connect to a PostgreSQL database using standard, database independent Java code. The PGJDBC implementation of the `java.sql.ResultRow.refreshRow()` method is not performing escaping of column names so a malicious column name that contains a statement terminator, e.g. `;`, could lead to SQL injection. This could lead to executing additional SQL commands as the application's JDBC user. User applications that do not invoke the `ResultSet.refreshRow()` method are not impacted. User applications that do invoke that method are impacted if the underlying database that they are querying via their JDBC application may be under the control of an attacker. The attack requires the attacker to trick the user into executing SQL against a table name whose column names would contain the malicious SQL and subsequently invoke the `refreshRow()` method on the ResultSet. Note that the application's JDBC user and the schema owner need not be the same. A JDBC application that executes as a privileged user querying database schemas owned by potentially malicious less-privileged users would be vulnerable. In that situation it may be possible for the malicious user to craft a schema that causes the application to execute commands as the privileged user. Patched versions will be released as `42.2.26` and `42.4.1`. Users are advised to upgrade. There are no known workarounds for this issue.
CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVSSv3:
  • Base Score: HIGH (8.0)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions:

propertyset-1.3-21Nov03.jar

File Path: /home/andrii/.m2/repository/opensymphony/propertyset/1.3-21Nov03/propertyset-1.3-21Nov03.jar
MD5: 32a2861ca3da31870e5477d2e881b8d5
SHA1: 32f4c621ec0c300e3f616fdd231cf06dfecfd481
SHA256:df71d0ebe127dbbca0b51a3eaffdc8e779363748a7dd8e947a9458f2e484131b
Referenced In Project/Scope:space-comments:provided

Identifiers

quartz-1.8.7-atlassian-3.jar

File Path: /home/andrii/.m2/repository/org/quartz-scheduler/quartz/1.8.7-atlassian-3/quartz-1.8.7-atlassian-3.jar
MD5: e04fd26979dc7316859cb11caa64ffb9
SHA1: 5746835468ac6f0270cf947c0865cd844bc58233
SHA256:1be790d79170ca293d00c626b7bee32ed2e84be839289e57f063b724b55709a3
Referenced In Project/Scope:space-comments:provided

Identifiers

CVE-2019-13990  

initDocumentParser in xml/XMLSchedulingDataProcessor.java in Terracotta Quartz Scheduler through 2.3.0 allows XXE attacks via a job description.
CWE-611 Improper Restriction of XML External Entity Reference ('XXE')

CVSSv2:
  • Base Score: HIGH (7.5)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions:

radeox-1.0b2-forked-22Apr2004.jar

File Path: /home/andrii/.m2/repository/radeox/radeox/1.0b2-forked-22Apr2004/radeox-1.0b2-forked-22Apr2004.jar
MD5: 627cda3b3e1c3e85500b9e403b92e5a4
SHA1: f42bc7d5da8cd90b291bef9319f77676aa3360c4
SHA256:e10dc6d5bb70aaf78cf054105f6c46035b0b852b914b10dbe069e6cb2961ed33
Referenced In Project/Scope:space-comments:provided

Identifiers

react-dom.js

File Path: /home/andrii/IdeaProjects/confluence-comments-server/src/main/resources/js/build/_snowpack/pkg/react-dom.js
MD5: c75579608761cc3abf37385e21581d91
SHA1: b17fc559e153353c62d6e48e73c45441eda786b1
SHA256:33fe01204d07db14efee015c2487eaaf82a12c5033052884339b59a569e664a8
Referenced In Project/Scope:space-comments

Identifiers

  • None

react.js

File Path: /home/andrii/IdeaProjects/confluence-comments-server/src/main/resources/js/build/_snowpack/pkg/react.js
MD5: a5a6549f21d56efcd4568562b1ec6bd3
SHA1: 10b3c1232656fd8bf890a6b90df0db5c00cd7163
SHA256:f2fd2080b86c03a7e574a8e0dcfa57fef206afb513fd869f18d72269d3e63424
Referenced In Project/Scope:space-comments

Identifiers

  • None

retirejs-core-3.0.4.jar

File Path: /home/andrii/.m2/repository/com/h3xstream/retirejs/retirejs-core/3.0.4/retirejs-core-3.0.4.jar
MD5: ed40efbc46913c245e5a29e11f74eba4
SHA1: 47e3a13cf17e40f03b8f5713f261f164d63bee9a
SHA256:ef429049b1e828bfce0a98869765a7f10d7daf41acb03201fcd3404f424d0c37
Referenced In Project/Scope:space-comments:compile

Identifiers

rome-1.0.jar

Description:

All Roads Lead to ROME. ROME is a set of Atom/RSS Java utilities that make it easy to work in Java with most syndication formats. Today it accepts all flavors of RSS (0.90, 0.91, 0.92, 0.93, 0.94, 1.0 and 2.0), Atom 0.3 and Atom 1.0 feeds. Rome includes a set of parsers and generators for the various flavors of feeds, as well as converters to convert from one format to another. The parsers can give you back Java objects that are either specific for the format you want to work with, or a generic normalized SyndFeed object that lets you work with the data without bothering about the underlying format.

File Path: /home/andrii/.m2/repository/rome/rome/1.0/rome-1.0.jar
MD5: 53d38c030287b939f4e6d745ba1269a7
SHA1: 022b33347f315833e9348cec2751af1a5d5656e4
SHA256:cd2cfd3b4e2af9eb8fb09d6a2384328e5b9cf1138bccaf7e31f971e5f7678c6c
Referenced In Project/Scope:space-comments:provided

Identifiers

  • pkg:maven/rome/rome@1.0  (Confidence:High)
  • cpe:2.3:a:oracle:system_utilities:1.0:*:*:*:*:*:*:*  (Confidence:Low)  
  • cpe:2.3:a:oracle:utilities_framework:1.0:*:*:*:*:*:*:*  (Confidence:Low)  

runtime-20070801.jar

File Path: /home/andrii/.m2/repository/org/eclipse/core/runtime/20070801/runtime-20070801.jar
MD5: 5bb33b1c934e4a6c6536b31e73e2f9f0
SHA1: 474e99ed838d5721569d658b68025134f920278f
SHA256:7bdc0ec00ed11f7413f979120ef34639536a2341671b7956cf635c762cdc20ab
Referenced In Project/Scope:space-comments:provided

Identifiers

saaj-impl-1.5.0.jar

Description:

Open source Reference Implementation of JSR-67: SOAP with Attachments API for Java (SAAJ MR: 1.4)

License:

CDDL + GPLv2 with classpath exception: https://oss.oracle.com/licenses/CDDL+GPL-1.1
File Path: /home/andrii/.m2/repository/com/sun/xml/messaging/saaj/saaj-impl/1.5.0/saaj-impl-1.5.0.jar
MD5: 26c5736bd15fa374c231238683d475a2
SHA1: 83fe72c41bab1acc351185bdbfea6a3e67c4960b
SHA256:24b944ff858055c0c5680bce947b9bec8283bef1132058d4d47ff5478b543c9f
Referenced In Project/Scope:space-comments:provided

Identifiers

sal-core-4.1.0.jar

File Path: /home/andrii/.m2/repository/com/atlassian/sal/sal-core/4.1.0/sal-core-4.1.0.jar
MD5: 0c18cf6f17a2e455cceb4d17b79f7950
SHA1: 281b6a08c9d280ce000024d7107a754b332b8a27
SHA256:fd21a273de2f7fa89adb8b7206357e7a7b522abd71a6177bc8df3a30fa6c9812
Referenced In Project/Scope:space-comments:provided

Identifiers

CVE-2020-26205  

Sal is a multi-tenanted reporting dashboard for Munki with the ability to display information from Facter. In Sal through version 4.1.6 there is an XSS vulnerability on the machine_list view.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv2:
  • Base Score: LOW (3.5)
  • Vector: /AV:N/AC:M/Au:S/C:N/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (5.4)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

References:

Vulnerable Software & Versions:

select.js

File Path: /home/andrii/IdeaProjects/confluence-comments-server/src/main/resources/js/build/_snowpack/pkg/@atlaskit/select.js
MD5: 5eee816de5fc74668397fba29a806034
SHA1: 4fd66d40d82d478bf6158a4df46e57a390953c9f
SHA256:fb9f9c059d6c52e0a5548f47a74daf85fb56838a76e991d3c8a39ad32f2890dc
Referenced In Project/Scope:space-comments

Identifiers

  • None

semver4j-3.1.0.jar

Description:

Semantic versioning for Java apps.

License:

The MIT License: http://www.opensource.org/licenses/mit-license.php
File Path: /home/andrii/.m2/repository/com/vdurmont/semver4j/3.1.0/semver4j-3.1.0.jar
MD5: b39112afda0af7dba1f160f7284d402f
SHA1: 0de1248f09dfe8df3b021c84e0642ee222cceb13
SHA256:0f33724dd012099f0737e3d9203e28f4a804435526998d4f5841993058651cb8
Referenced In Project/Scope:space-comments:compile

Identifiers

serializer-2.7.2.jar

Description:

Serializer to write out XML, HTML etc. as a stream of characters from an input DOM or from input SAX events.

File Path: /home/andrii/.m2/repository/xalan/serializer/2.7.2/serializer-2.7.2.jar
MD5: e8325763fd4235f174ab7b72ed815db1
SHA1: 24247f3bb052ee068971393bdb83e04512bb1c3c
SHA256:e8f5b4340d3b12a0cfa44ac2db4be4e0639e479ae847df04c4ed8b521734bb4a
Referenced In Project/Scope:space-comments:provided

Identifiers

CVE-2022-34169  

The Apache Xalan Java XSLT library is vulnerable to an integer truncation issue when processing malicious XSLT stylesheets. This can be used to corrupt Java class files generated by the internal XSLTC compiler and execute arbitrary Java bytecode. The Apache Xalan Java project is dormant and in the process of being retired. No future releases of Apache Xalan Java to address this issue are expected. Note: Java runtimes (such as OpenJDK) include repackaged copies of Xalan.
CWE-681 Incorrect Conversion between Numeric Types

CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

References:

Vulnerable Software & Versions:

servlet-api-2.4.jar

File Path: /home/andrii/.m2/repository/javax/servlet/servlet-api/2.4/servlet-api-2.4.jar
MD5: f6cf3fde0b992589ed3d87fa9674015f
SHA1: 3fc542fe8bb8164e8d3e840fe7403bc0518053c0
SHA256:243f8b5577f59bffdd30fd15cc25fc13004a6b08773a61cc32e48726c3633b7c
Referenced In Project/Scope:space-comments:provided

Identifiers

sisu-guice-2.1.7-noaop.jar

Description:

Guice is a lightweight dependency injection framework for Java 5 and above

License:

http://www.apache.org/licenses/LICENSE-2.0
File Path: /home/andrii/.m2/repository/org/sonatype/sisu/sisu-guice/2.1.7/sisu-guice-2.1.7-noaop.jar
MD5: f1d341b68fc25c53321eb00cf87b82b0
SHA1: 8cb56e976b8e0e7b23f2969c32bef7b830c6d6ed
SHA256:240113a2f22fd1f0b182b32baecf0e7876b3a8e41f3c4da3335eeb9ffb24b9f4
Referenced In Project/Scope:space-comments:compile

Identifiers

sisu-inject-bean-1.4.2.jar

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/andrii/.m2/repository/org/sonatype/sisu/sisu-inject-bean/1.4.2/sisu-inject-bean-1.4.2.jar
MD5: 400f9ca3cb77d34f159127769cb89e92
SHA1: 5cf37202afbaae899d63dd51b46d173df650af1b
SHA256:fb3160e1e3a7852b441016dbcc97a34e3cf4eeb8ceb9e82edf2729439858f080
Referenced In Project/Scope:space-comments:compile

Identifiers

sisu-inject-plexus-1.4.2.jar

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/andrii/.m2/repository/org/sonatype/sisu/sisu-inject-plexus/1.4.2/sisu-inject-plexus-1.4.2.jar
MD5: 9c1bfd74a76af0757b348554d9a1facc
SHA1: 53d863ed4879d4a43ad7aee7bc63f935cc513353
SHA256:a65e27aefbe74102d73cd7e3c5c7637021d294a9e7f33132f3c782a76714d0a3
Referenced In Project/Scope:space-comments:compile

Identifiers

sitemesh-2.5-atlassian-6.jar

Description:

Atlassian's fork of SiteMesh

File Path: /home/andrii/.m2/repository/opensymphony/sitemesh/2.5-atlassian-6/sitemesh-2.5-atlassian-6.jar
MD5: 830e6bb6e62ff95b3733d69dbc60b643
SHA1: daf95200790e362a39beab3a1243fbcae2177415
SHA256:0f57d14ce26088860c63fdd6bc7d7693d30f9a0528c9b93de73a431dc98bd97b
Referenced In Project/Scope:space-comments:provided

Identifiers

slf4j-api-1.7.25.jar

Description:

The slf4j API

File Path: /home/andrii/.m2/repository/org/slf4j/slf4j-api/1.7.25/slf4j-api-1.7.25.jar
MD5: caafe376afb7086dcbee79f780394ca3
SHA1: da76ca59f6a57ee3102f8f9bd9cee742973efa8a
SHA256:18c4a0095d5c1da6b817592e767bb23d29dd2f560ad74df75ff3961dbde25b79
Referenced In Project/Scope:space-comments:compile

Identifiers

slicedToArray-a5de7267.js

File Path: /home/andrii/IdeaProjects/confluence-comments-server/src/main/resources/js/build/_snowpack/pkg/common/slicedToArray-a5de7267.js
MD5: 4128a05be008958384918a5c64970c97
SHA1: 8a246c3b907a05b3005a0149d8e388cf9427351f
SHA256:110298bb05848f58b8b5712bff5f24622849cb7eceaeb8ecd043c244e43851bf
Referenced In Project/Scope:space-comments

Identifiers

  • None

snakeyaml-1.33.jar

Description:

YAML 1.1 parser and emitter for Java

License:

Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/andrii/.m2/repository/org/yaml/snakeyaml/1.33/snakeyaml-1.33.jar
MD5: e0164a637c691c8cf01d29f90a709c02
SHA1: 2cd0a87ff7df953f810c344bdf2fe3340b954c69
SHA256:11ff459788f0a2d781f56a4a86d7e69202cebacd0273d5269c4ae9f02f3fd8f0
Referenced In Project/Scope:space-comments:compile

Identifiers

snappy-java-1.1.1.7.jar

Description:

snappy-java: A fast compression/decompression library

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/andrii/.m2/repository/org/xerial/snappy/snappy-java/1.1.1.7/snappy-java-1.1.1.7.jar
MD5: 99cc452eb056539a99709fd60f191239
SHA1: 33b6965e9364145972035c30a45a996aad2bf789
SHA256:121e54a8a376fd85b3cbae2e4113cd6275039ecc584dd13652bfc404168c5726
Referenced In Project/Scope:space-comments:provided

Identifiers

snappy-java-1.1.1.7.jar: snappyjava.dll

File Path: /home/andrii/.m2/repository/org/xerial/snappy/snappy-java/1.1.1.7/snappy-java-1.1.1.7.jar/org/xerial/snappy/native/Windows/x86/snappyjava.dll
MD5: c35f7d232d05fd0b8440153cb4224a5a
SHA1: 45b5f3fdd2bac156b8d100ce2c29ac7126454fef
SHA256:15fb95c2168bb78cf94f61bbff7fc0bb5611db9d8509dd1322a40d735c3109bc
Referenced In Project/Scope:space-comments:provided

Identifiers

  • None

snappy-java-1.1.1.7.jar: snappyjava.dll

File Path: /home/andrii/.m2/repository/org/xerial/snappy/snappy-java/1.1.1.7/snappy-java-1.1.1.7.jar/org/xerial/snappy/native/Windows/x86_64/snappyjava.dll
MD5: eae816277d795d3397f08ad43d236576
SHA1: 283068f6b5cd8bb3449867558624fe19c432d909
SHA256:dfcc13605edabf70e7bec87f68bc2a1c7d06bebecd72a0d4e122eee2e695948e
Referenced In Project/Scope:space-comments:provided

Identifiers

  • None

sourcemap-1.7.6.jar

License:

Apache License 2.0: http://www.apache.org/licenses/LICENSE-2.0
File Path: /home/andrii/.m2/repository/com/atlassian/sourcemap/sourcemap/1.7.6/sourcemap-1.7.6.jar
MD5: d6ec092a031dfb3cf7d55ddf9ac60983
SHA1: 62eb5eab3be06f7e24b6426b08764e7d27d78c63
SHA256:31ab400839405f40879f200d0a25cb70e8c1a1aa182f00548a057ee1c33c8142
Referenced In Project/Scope:space-comments:provided

Identifiers

soy-template-renderer-api-5.0.0.jar

File Path: /home/andrii/.m2/repository/com/atlassian/soy/soy-template-renderer-api/5.0.0/soy-template-renderer-api-5.0.0.jar
MD5: ab2d35cf92369cc24a6c2c09cee3a05a
SHA1: 9a8d191e4ec2b3ea58b65d7a249fc6b363874bcb
SHA256:1c09252bfceed337b85890fcba95dbb423e625d41146068e484e2f7f2138a451
Referenced In Project/Scope:space-comments:provided

Identifiers

soy-template-renderer-plugin-api-5.0.0.jar

File Path: /home/andrii/.m2/repository/com/atlassian/soy/soy-template-renderer-plugin-api/5.0.0/soy-template-renderer-plugin-api-5.0.0.jar
MD5: f8415f9dec51c5a72bb0d5cfe77c4c40
SHA1: 77c6be361378a59e1c0c4fd6a8bbe010cd7b1508
SHA256:08801a4e067378d248f9e841ee8e1c4b231470a5b2dfb70c9a88c0ae42b62d27
Referenced In Project/Scope:space-comments:provided

Identifiers

space-comments.js

File Path: /home/andrii/IdeaProjects/confluence-comments-server/src/main/resources/js/space-comments.js
MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
Referenced In Project/Scope:space-comments

Identifiers

  • None

spinner-b9bead52.js

File Path: /home/andrii/IdeaProjects/confluence-comments-server/src/main/resources/js/build/_snowpack/pkg/common/spinner-b9bead52.js
MD5: 436dbf7e35410abd0edbd32a486a2b98
SHA1: 3421a7c844f2486ee2234e8cca728f0d71e0e397
SHA256:d26a73d8ce94ac2035c18aab0790eaeb05b0b4ce33dfa13eb1cf59efa26dde2e
Referenced In Project/Scope:space-comments

Identifiers

  • None

spinner.js

File Path: /home/andrii/IdeaProjects/confluence-comments-server/src/main/resources/js/build/_snowpack/pkg/@atlaskit/spinner.js
MD5: 0bc5f3f57eb9677c70f767a648a75288
SHA1: 8e485d2b7fd88f8a86ad70a89e0e2b187c880d71
SHA256:34f9a6b4bf87ffdd8eb77939d62e0dbeaa785a36c99451fa0c1cf4d6ab5c9996
Referenced In Project/Scope:space-comments

Identifiers

  • None

spring-context-support-5.0.10.RELEASE.jar

Description:

Spring Context Support

License:

Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0
File Path: /home/andrii/.m2/repository/org/springframework/spring-context-support/5.0.10.RELEASE/spring-context-support-5.0.10.RELEASE.jar
MD5: c81b39196eec95eaca85e20f4f09d91a
SHA1: 61b3159aceaae05118bfe2a7fcd4141921986a78
SHA256:6a74c0402a4d2150acb7ff6695ffddb5fed110a0a533fcf25ca84de06866b427
Referenced In Project/Scope:space-comments:provided

Identifiers

CVE-2022-22965  

A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it.
CWE-94 Improper Control of Generation of Code ('Code Injection')

CVSSv2:
  • Base Score: HIGH (7.5)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions:

CVE-2020-5398  

In Spring Framework, versions 5.2.x prior to 5.2.3, versions 5.1.x prior to 5.1.13, and versions 5.0.x prior to 5.0.16, an application is vulnerable to a reflected file download (RFD) attack when it sets a "Content-Disposition" header in the response where the filename attribute is derived from user supplied input.
CWE-494 Download of Code Without Integrity Check

CVSSv2:
  • Base Score: HIGH (7.6)
  • Vector: /AV:N/AC:H/Au:N/C:C/I:C/A:C
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

CVE-2020-5421  

In Spring Framework versions 5.2.0 - 5.2.8, 5.1.0 - 5.1.17, 5.0.0 - 5.0.18, 4.3.0 - 4.3.28, and older unsupported versions, the protections against RFD attacks from CVE-2015-5211 may be bypassed depending on the browser used through the use of a jsessionid path parameter.
NVD-CWE-noinfo

CVSSv2:
  • Base Score: LOW (3.6)
  • Vector: /AV:N/AC:H/Au:S/C:P/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (6.5)
  • Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:H/A:N

CVE-2022-22950  

In Spring Framework versions 5.3.0 - 5.3.16 and older unsupported versions, it is possible for a user to provide a specially crafted SpEL expression that may cause a denial of service condition.
CWE-770 Allocation of Resources Without Limits or Throttling

CVSSv2:
  • Base Score: MEDIUM (4.0)
  • Vector: /AV:N/AC:L/Au:S/C:N/I:N/A:P
CVSSv3:
  • Base Score: MEDIUM (6.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CVE-2022-22968  

In Spring Framework versions 5.3.0 - 5.3.18, 5.2.0 - 5.2.20, and older unsupported versions, the patterns for disallowedFields on a DataBinder are case sensitive which means a field is not effectively protected unless it is listed with both upper and lower case for the first character of the field, including upper and lower case for the first character of all nested fields within the property path.
CWE-178 Improper Handling of Case Sensitivity

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (5.3)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

CVE-2022-22970  

In spring framework versions prior to 5.3.20+ , 5.2.22+ and old unsupported versions, applications that handle file uploads are vulnerable to DoS attack if they rely on data binding to set a MultipartFile or javax.servlet.Part to a field in a model object.
CWE-770 Allocation of Resources Without Limits or Throttling

CVSSv2:
  • Base Score: LOW (3.5)
  • Vector: /AV:N/AC:M/Au:S/C:N/I:N/A:P
CVSSv3:
  • Base Score: MEDIUM (5.3)
  • Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H

spring-core-5.3.20.jar

Description:

Spring Core

License:

Apache License, Version 2.0: https://www.apache.org/licenses/LICENSE-2.0
File Path: /home/andrii/.m2/repository/org/springframework/spring-core/5.3.20/spring-core-5.3.20.jar
MD5: 2716746463c37172898010391db93ef2
SHA1: 4b88aa3c401ede3d6c8ac78ea0c646cf326ec24b
SHA256: 42d70d78b8822601a3b61c88dadf4be6a0021dde169a772c3fd4a6b8b2b61c90
Referenced In Project/Scope: space-comments:provided

Identifiers

spring-dao-2.0.6.jar

Description:

Spring Framework: DAO

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/andrii/.m2/repository/org/springframework/spring-dao/2.0.6/spring-dao-2.0.6.jar
MD5: f2d3ed5024f794486fd0d45324f08990
SHA1: facdcd4a06cd1a1b516aef8bf8f2188843ac5df1
SHA256: e13657283a0fb2547ead221de605415d7696bc78597274e24a34c4655913b17d
Referenced In Project/Scope: space-comments:provided

Identifiers

CVE-2018-1270  

Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, allow applications to expose STOMP over WebSocket endpoints with a simple, in-memory STOMP broker through the spring-messaging module. A malicious user (or attacker) can craft a message to the broker that can lead to a remote code execution attack.
CWE-94 Improper Control of Generation of Code ('Code Injection')

CVSSv2:
  • Base Score: HIGH (7.5)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVE-2022-22965  

A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it.
CWE-94 Improper Control of Generation of Code ('Code Injection')

CVSSv2:
  • Base Score: HIGH (7.5)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVE-2011-2730  

VMware SpringSource Spring Framework before 2.5.6.SEC03, 2.5.7.SR023, and 3.x before 3.0.6, when a container supports Expression Language (EL), evaluates EL expressions in tags twice, which allows remote attackers to obtain sensitive information via a (1) name attribute in a (a) spring:hasBindErrors tag; (2) path attribute in a (b) spring:bind or (c) spring:nestedpath tag; (3) arguments, (4) code, (5) text, (6) var, (7) scope, or (8) message attribute in a (d) spring:message or (e) spring:theme tag; or (9) var, (10) scope, or (11) value attribute in a (f) spring:transform tag, aka "Expression Language Injection."
CWE-16 Configuration

CVSSv2:
  • Base Score: HIGH (7.5)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P

CVE-2016-9878  

An issue was discovered in Pivotal Spring Framework before 3.2.18, 4.2.x before 4.2.9, and 4.3.x before 4.3.5. Paths provided to the ResourceServlet were not properly sanitized and as a result exposed to directory traversal attacks.
CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CVE-2018-11040  

Spring Framework, versions 5.0.x prior to 5.0.7 and 4.3.x prior to 4.3.18 and older unsupported versions, allows web applications to enable cross-domain requests via JSONP (JSON with Padding) through AbstractJsonpResponseBodyAdvice for REST controllers and MappingJackson2JsonView for browser requests. Both are not enabled by default in Spring Framework nor Spring Boot, however, when MappingJackson2JsonView is configured in an application, JSONP support is automatically ready to use through the "jsonp" and "callback" JSONP parameters, enabling cross-domain requests.
CWE-829 Inclusion of Functionality from Untrusted Control Sphere

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:P/I:N/A:N
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CVE-2013-4152  

The Spring OXM wrapper in Spring Framework before 3.2.4 and 4.0.0.M1, when using the JAXB marshaller, does not disable entity resolution, which allows context-dependent attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via an XML external entity declaration in conjunction with an entity reference in a (1) DOMSource, (2) StAXSource, (3) SAXSource, or (4) StreamSource, aka an XML External Entity (XXE) issue.
CWE-264 Permissions, Privileges, and Access Controls

CVSSv2:
  • Base Score: MEDIUM (6.8)
  • Vector: /AV:N/AC:M/Au:N/C:P/I:P/A:P

CVE-2013-7315  

The Spring MVC in Spring Framework before 3.2.4 and 4.0.0.M1 through 4.0.0.M2 does not disable external entity resolution for the StAX XMLInputFactory, which allows context-dependent attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML with JAXB, aka an XML External Entity (XXE) issue, and a different vulnerability than CVE-2013-4152.  NOTE: this issue was SPLIT from CVE-2013-4152 due to different affected versions.
CWE-264 Permissions, Privileges, and Access Controls

CVSSv2:
  • Base Score: MEDIUM (6.8)
  • Vector: /AV:N/AC:M/Au:N/C:P/I:P/A:P

CVE-2014-0054  

The Jaxb2RootElementHttpMessageConverter in Spring MVC in Spring Framework before 3.2.8 and 4.0.0 before 4.0.2 does not disable external entity resolution, which allows remote attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML, aka an XML External Entity (XXE) issue.  NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-4152, CVE-2013-7315, and CVE-2013-6429.
CWE-352 Cross-Site Request Forgery (CSRF)

CVSSv2:
  • Base Score: MEDIUM (6.8)
  • Vector: /AV:N/AC:M/Au:N/C:P/I:P/A:P

CVE-2018-1257  

Spring Framework, versions 5.0.x prior to 5.0.6, versions 4.3.x prior to 4.3.17, and older unsupported versions allows applications to expose STOMP over WebSocket endpoints with a simple, in-memory STOMP broker through the spring-messaging module. A malicious user (or attacker) can craft a message to the broker that can lead to a regular expression, denial of service attack.
NVD-CWE-noinfo

CVSSv2:
  • Base Score: MEDIUM (4.0)
  • Vector: /AV:N/AC:L/Au:S/C:N/I:N/A:P
CVSSv3:
  • Base Score: MEDIUM (6.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CVE-2020-5421  

In Spring Framework versions 5.2.0 - 5.2.8, 5.1.0 - 5.1.17, 5.0.0 - 5.0.18, 4.3.0 - 4.3.28, and older unsupported versions, the protections against RFD attacks from CVE-2015-5211 may be bypassed depending on the browser used through the use of a jsessionid path parameter.
NVD-CWE-noinfo

CVSSv2:
  • Base Score: LOW (3.6)
  • Vector: /AV:N/AC:H/Au:S/C:P/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (6.5)
  • Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:H/A:N

CVE-2022-22950  

In Spring Framework versions 5.3.0 - 5.3.16 and older unsupported versions, it is possible for a user to provide a specially crafted SpEL expression that may cause a denial of service condition.
CWE-770 Allocation of Resources Without Limits or Throttling

CVSSv2:
  • Base Score: MEDIUM (4.0)
  • Vector: /AV:N/AC:L/Au:S/C:N/I:N/A:P
CVSSv3:
  • Base Score: MEDIUM (6.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CVE-2018-11039  

Spring Framework (versions 5.0.x prior to 5.0.7, versions 4.3.x prior to 4.3.18, and older unsupported versions) allow web applications to change the HTTP request method to any HTTP method (including TRACE) using the HiddenHttpMethodFilter in Spring MVC. If an application has a pre-existing XSS vulnerability, a malicious user (or attacker) can use this filter to escalate to an XST (Cross Site Tracing) attack.
NVD-CWE-noinfo

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:P/I:N/A:N
CVSSv3:
  • Base Score: MEDIUM (5.9)
  • Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

CVE-2022-22968  

In Spring Framework versions 5.3.0 - 5.3.18, 5.2.0 - 5.2.20, and older unsupported versions, the patterns for disallowedFields on a DataBinder are case sensitive which means a field is not effectively protected unless it is listed with both upper and lower case for the first character of the field, including upper and lower case for the first character of all nested fields within the property path.
CWE-178 Improper Handling of Case Sensitivity

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (5.3)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

CVE-2022-22970  

In spring framework versions prior to 5.3.20+ , 5.2.22+ and old unsupported versions, applications that handle file uploads are vulnerable to DoS attack if they rely on data binding to set a MultipartFile or javax.servlet.Part to a field in a model object.
CWE-770 Allocation of Resources Without Limits or Throttling

CVSSv2:
  • Base Score: LOW (3.5)
  • Vector: /AV:N/AC:M/Au:S/C:N/I:N/A:P
CVSSv3:
  • Base Score: MEDIUM (5.3)
  • Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H

spring-ldap-core-2.3.3.RELEASE.jar

Description:

spring-ldap-core

License:

The Apache Software License, Version 2.0: https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/andrii/.m2/repository/org/springframework/ldap/spring-ldap-core/2.3.3.RELEASE/spring-ldap-core-2.3.3.RELEASE.jar
MD5: d0370c7db5aa126571a435aab1999b0d
SHA1: fe9f87fb96056662bfb5d41365f796bf6644c325
SHA256: 1aee8707b3ff29e9de22767a3a7edd992978d652679fdfbd1bf3e7153811aeb6
Referenced In Project/Scope: space-comments:provided

Identifiers

spring-quartz1-0.1.2.jar

Description:

Forward port of the Spring 4.0.9 Quartz Scheduler library, to keep Quartz 1.8.x support working

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0
File Path: /home/andrii/.m2/repository/com/atlassian/spring/spring-quartz1/0.1.2/spring-quartz1-0.1.2.jar
MD5: c3810c35a3565cc795daa98775de3171
SHA1: f803048a33fa6ed44658aa6d0e4c46ddbd5dc820
SHA256: b84bc5c3785c34606b625ceed90f710ca8f005cc9059e55f05aedd2ae653042b
Referenced In Project/Scope: space-comments:provided

Identifiers

spring-security-core-4.2.16.RELEASE.jar

Description:

spring-security-core

License:

The Apache Software License, Version 2.0: https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/andrii/.m2/repository/org/springframework/security/spring-security-core/4.2.16.RELEASE/spring-security-core-4.2.16.RELEASE.jar
MD5: d5c53f8cd55d3169ab674f45145dec8e
SHA1: 003cbf6e020b5ee6e039c4e4086fdb356f4529fe
SHA256: f2e3948a96d142406f66da9d36417cc39da72a86274d455890f4e3ff54b1140f
Referenced In Project/Scope: space-comments:provided

Identifiers

CVE-2022-22978  

In Spring Security versions 5.5.6 and 5.6.3 and older unsupported versions, RegexRequestMatcher can easily be misconfigured to be bypassed on some servlet containers. Applications using RegexRequestMatcher with `.` in the regular expression are possibly vulnerable to an authorization bypass.
CWE-863 Incorrect Authorization

CVSSv2:
  • Base Score: HIGH (7.5)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVE-2021-22112  

Spring Security 5.4.x prior to 5.4.4, 5.3.x prior to 5.3.8.RELEASE, 5.2.x prior to 5.2.9.RELEASE, and older unsupported versions can fail to save the SecurityContext if it is changed more than once in a single request. A malicious user cannot cause the bug to happen (it must be programmed in). However, if the application's intent is to only allow the user to run with elevated privileges in a small portion of the application, the bug can be leveraged to extend those privileges to the rest of the application.
NVD-CWE-noinfo

CVSSv2:
  • Base Score: HIGH (9.0)
  • Vector: /AV:N/AC:L/Au:S/C:C/I:C/A:C
CVSSv3:
  • Base Score: HIGH (8.8)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVE-2022-22976  

Spring Security versions 5.5.x prior to 5.5.7, 5.6.x prior to 5.6.4, and earlier unsupported versions contain an integer overflow vulnerability. When using the BCrypt class with the maximum work factor (31), the encoder does not perform any salt rounds, due to an integer overflow error. The default settings are not affected by this CVE.
CWE-190 Integer Overflow or Wraparound

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:P/I:N/A:N
CVSSv3:
  • Base Score: MEDIUM (5.3)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

spring-tx-4.3.27.RELEASE.jar

Description:

Spring Transaction

License:

Apache License, Version 2.0: https://www.apache.org/licenses/LICENSE-2.0
File Path: /home/andrii/.m2/repository/org/springframework/spring-tx/4.3.27.RELEASE/spring-tx-4.3.27.RELEASE.jar
MD5: bf29945418ac3e492685824282077570
SHA1: d3acbba626f3d45062201ed27a17a7f2c08e2ab0
SHA256: c2b1e6e747c00e8060d13b53d2a2e12c31332f791b5d22507f2753df4b4dc546
Referenced In Project/Scope: space-comments:provided

Identifiers

CVE-2022-22965  

A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it.
CWE-94 Improper Control of Generation of Code ('Code Injection')

CVSSv2:
  • Base Score: HIGH (7.5)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVE-2020-5421  

In Spring Framework versions 5.2.0 - 5.2.8, 5.1.0 - 5.1.17, 5.0.0 - 5.0.18, 4.3.0 - 4.3.28, and older unsupported versions, the protections against RFD attacks from CVE-2015-5211 may be bypassed depending on the browser used through the use of a jsessionid path parameter.
NVD-CWE-noinfo

CVSSv2:
  • Base Score: LOW (3.6)
  • Vector: /AV:N/AC:H/Au:S/C:P/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (6.5)
  • Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:H/A:N

CVE-2022-22950  

In Spring Framework versions 5.3.0 - 5.3.16 and older unsupported versions, it is possible for a user to provide a specially crafted SpEL expression that may cause a denial of service condition.
CWE-770 Allocation of Resources Without Limits or Throttling

CVSSv2:
  • Base Score: MEDIUM (4.0)
  • Vector: /AV:N/AC:L/Au:S/C:N/I:N/A:P
CVSSv3:
  • Base Score: MEDIUM (6.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CVE-2022-22968  

In Spring Framework versions 5.3.0 - 5.3.18, 5.2.0 - 5.2.20, and older unsupported versions, the patterns for disallowedFields on a DataBinder are case sensitive which means a field is not effectively protected unless it is listed with both upper and lower case for the first character of the field, including upper and lower case for the first character of all nested fields within the property path.
CWE-178 Improper Handling of Case Sensitivity

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (5.3)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

CVE-2022-22970  

In spring framework versions prior to 5.3.20+ , 5.2.22+ and old unsupported versions, applications that handle file uploads are vulnerable to DoS attack if they rely on data binding to set a MultipartFile or javax.servlet.Part to a field in a model object.
CWE-770 Allocation of Resources Without Limits or Throttling

CVSSv2:
  • Base Score: LOW (3.5)
  • Vector: /AV:N/AC:M/Au:S/C:N/I:N/A:P
CVSSv3:
  • Base Score: MEDIUM (5.3)
  • Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H

spring-web-2.0.6.jar

Description:

Spring Framework: Web

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/andrii/.m2/repository/org/springframework/spring-web/2.0.6/spring-web-2.0.6.jar
MD5: b518cca93d4ebb2ed49189979773c867
SHA1: 19ef5a0c1558fe83816106507b2461c18b6ddf5c
SHA256: ceea1e117633f0f42bfa4ee97bb54ddf404e68e8a174634984f81b3e3b4895c0
Referenced In Project/Scope: space-comments:provided

Identifiers

CVE-2016-1000027  

Pivotal Spring Framework through 5.3.16 suffers from a potential remote code execution (RCE) issue if used for Java deserialization of untrusted data. Depending on how the library is implemented within a product, this issue may or not occur, and authentication may be required. NOTE: the vendor's position is that untrusted data is not an intended use case. The product's behavior will not be changed because some users rely on deserialization of trusted data.
CWE-502 Deserialization of Untrusted Data

CVSSv2:
  • Base Score: HIGH (7.5)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVE-2018-1270  

Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, allow applications to expose STOMP over WebSocket endpoints with a simple, in-memory STOMP broker through the spring-messaging module. A malicious user (or attacker) can craft a message to the broker that can lead to a remote code execution attack.
CWE-94 Improper Control of Generation of Code ('Code Injection')

CVSSv2:
  • Base Score: HIGH (7.5)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVE-2022-22965  

A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it.
CWE-94 Improper Control of Generation of Code ('Code Injection')

CVSSv2:
  • Base Score: HIGH (7.5)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVE-2011-2730  

VMware SpringSource Spring Framework before 2.5.6.SEC03, 2.5.7.SR023, and 3.x before 3.0.6, when a container supports Expression Language (EL), evaluates EL expressions in tags twice, which allows remote attackers to obtain sensitive information via a (1) name attribute in a (a) spring:hasBindErrors tag; (2) path attribute in a (b) spring:bind or (c) spring:nestedpath tag; (3) arguments, (4) code, (5) text, (6) var, (7) scope, or (8) message attribute in a (d) spring:message or (e) spring:theme tag; or (9) var, (10) scope, or (11) value attribute in a (f) spring:transform tag, aka "Expression Language Injection."
CWE-16 Configuration

CVSSv2:
  • Base Score: HIGH (7.5)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P

CVE-2016-9878  

An issue was discovered in Pivotal Spring Framework before 3.2.18, 4.2.x before 4.2.9, and 4.3.x before 4.3.5. Paths provided to the ResourceServlet were not properly sanitized and as a result exposed to directory traversal attacks.
CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CVE-2018-11040  

Spring Framework, versions 5.0.x prior to 5.0.7 and 4.3.x prior to 4.3.18 and older unsupported versions, allows web applications to enable cross-domain requests via JSONP (JSON with Padding) through AbstractJsonpResponseBodyAdvice for REST controllers and MappingJackson2JsonView for browser requests. Both are not enabled by default in Spring Framework nor Spring Boot, however, when MappingJackson2JsonView is configured in an application, JSONP support is automatically ready to use through the "jsonp" and "callback" JSONP parameters, enabling cross-domain requests.
CWE-829 Inclusion of Functionality from Untrusted Control Sphere

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:P/I:N/A:N
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CVE-2013-4152  

The Spring OXM wrapper in Spring Framework before 3.2.4 and 4.0.0.M1, when using the JAXB marshaller, does not disable entity resolution, which allows context-dependent attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via an XML external entity declaration in conjunction with an entity reference in a (1) DOMSource, (2) StAXSource, (3) SAXSource, or (4) StreamSource, aka an XML External Entity (XXE) issue.
CWE-264 Permissions, Privileges, and Access Controls

CVSSv2:
  • Base Score: MEDIUM (6.8)
  • Vector: /AV:N/AC:M/Au:N/C:P/I:P/A:P

CVE-2013-7315  

The Spring MVC in Spring Framework before 3.2.4 and 4.0.0.M1 through 4.0.0.M2 does not disable external entity resolution for the StAX XMLInputFactory, which allows context-dependent attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML with JAXB, aka an XML External Entity (XXE) issue, and a different vulnerability than CVE-2013-4152.  NOTE: this issue was SPLIT from CVE-2013-4152 due to different affected versions.
CWE-264 Permissions, Privileges, and Access Controls

CVSSv2:
  • Base Score: MEDIUM (6.8)
  • Vector: /AV:N/AC:M/Au:N/C:P/I:P/A:P

CVE-2014-0054  

The Jaxb2RootElementHttpMessageConverter in Spring MVC in Spring Framework before 3.2.8 and 4.0.0 before 4.0.2 does not disable external entity resolution, which allows remote attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML, aka an XML External Entity (XXE) issue.  NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-4152, CVE-2013-7315, and CVE-2013-6429.
CWE-352 Cross-Site Request Forgery (CSRF)

CVSSv2:
  • Base Score: MEDIUM (6.8)
  • Vector: /AV:N/AC:M/Au:N/C:P/I:P/A:P

CVE-2018-1257  

Spring Framework, versions 5.0.x prior to 5.0.6, versions 4.3.x prior to 4.3.17, and older unsupported versions allows applications to expose STOMP over WebSocket endpoints with a simple, in-memory STOMP broker through the spring-messaging module. A malicious user (or attacker) can craft a message to the broker that can lead to a regular expression, denial of service attack.
NVD-CWE-noinfo

CVSSv2:
  • Base Score: MEDIUM (4.0)
  • Vector: /AV:N/AC:L/Au:S/C:N/I:N/A:P
CVSSv3:
  • Base Score: MEDIUM (6.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CVE-2020-5421  

In Spring Framework versions 5.2.0 - 5.2.8, 5.1.0 - 5.1.17, 5.0.0 - 5.0.18, 4.3.0 - 4.3.28, and older unsupported versions, the protections against RFD attacks from CVE-2015-5211 may be bypassed depending on the browser used through the use of a jsessionid path parameter.
NVD-CWE-noinfo

CVSSv2:
  • Base Score: LOW (3.6)
  • Vector: /AV:N/AC:H/Au:S/C:P/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (6.5)
  • Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:H/A:N

CVE-2022-22950  

In Spring Framework versions 5.3.0 - 5.3.16 and older unsupported versions, it is possible for a user to provide a specially crafted SpEL expression that may cause a denial of service condition.
CWE-770 Allocation of Resources Without Limits or Throttling

CVSSv2:
  • Base Score: MEDIUM (4.0)
  • Vector: /AV:N/AC:L/Au:S/C:N/I:N/A:P
CVSSv3:
  • Base Score: MEDIUM (6.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CVE-2018-11039  

Spring Framework (versions 5.0.x prior to 5.0.7, versions 4.3.x prior to 4.3.18, and older unsupported versions) allow web applications to change the HTTP request method to any HTTP method (including TRACE) using the HiddenHttpMethodFilter in Spring MVC. If an application has a pre-existing XSS vulnerability, a malicious user (or attacker) can use this filter to escalate to an XST (Cross Site Tracing) attack.
NVD-CWE-noinfo

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:P/I:N/A:N
CVSSv3:
  • Base Score: MEDIUM (5.9)
  • Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

CVE-2013-6430 (OSSINDEX)  

The JavaScriptUtils.javaScriptEscape method in web/util/JavaScriptUtils.java in Spring MVC in Spring Framework before 3.2.2 does not properly escape certain characters, which allows remote attackers to conduct cross-site scripting (XSS) attacks via a (1) line separator or (2) paragraph separator Unicode character or (3) left or (4) right angle bracket.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv2:
  • Base Score: MEDIUM (5.4)
  • Vector: /AV:N/AC:L/Au:/C:L/I:L/A:N

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:org.springframework:spring-web:2.0.6:*:*:*:*:*:*:*

CVE-2022-22968  

In Spring Framework versions 5.3.0 - 5.3.18, 5.2.0 - 5.2.20, and older unsupported versions, the patterns for disallowedFields on a DataBinder are case sensitive which means a field is not effectively protected unless it is listed with both upper and lower case for the first character of the field, including upper and lower case for the first character of all nested fields within the property path.
CWE-178 Improper Handling of Case Sensitivity

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (5.3)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

CVE-2022-22970  

In spring framework versions prior to 5.3.20+ , 5.2.22+ and old unsupported versions, applications that handle file uploads are vulnerable to DoS attack if they rely on data binding to set a MultipartFile or javax.servlet.Part to a field in a model object.
CWE-770 Allocation of Resources Without Limits or Throttling

CVSSv2:
  • Base Score: LOW (3.5)
  • Vector: /AV:N/AC:M/Au:S/C:N/I:N/A:P
CVSSv3:
  • Base Score: MEDIUM (5.3)
  • Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H

spring-webmvc-5.0.10.RELEASE.jar

Description:

Spring Web MVC

License:

Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0
File Path: /home/andrii/.m2/repository/org/springframework/spring-webmvc/5.0.10.RELEASE/spring-webmvc-5.0.10.RELEASE.jar
MD5: df6301cd4b866ce3aa56ed0872410919
SHA1: 88a601321e2b4e3b84eed0909c24b9dd8e453b5f
SHA256: e55751061b496106777739938c89c1eca943d962db76fb149b5cb9303ec72e54
Referenced In Project/Scope: space-comments:provided

Identifiers

CVE-2022-22965  

A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it.
CWE-94 Improper Control of Generation of Code ('Code Injection')

CVSSv2:
  • Base Score: HIGH (7.5)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVE-2020-5398  

In Spring Framework, versions 5.2.x prior to 5.2.3, versions 5.1.x prior to 5.1.13, and versions 5.0.x prior to 5.0.16, an application is vulnerable to a reflected file download (RFD) attack when it sets a "Content-Disposition" header in the response where the filename attribute is derived from user supplied input.
CWE-494 Download of Code Without Integrity Check

CVSSv2:
  • Base Score: HIGH (7.6)
  • Vector: /AV:N/AC:H/Au:N/C:C/I:C/A:C
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

CVE-2020-5421  

In Spring Framework versions 5.2.0 - 5.2.8, 5.1.0 - 5.1.17, 5.0.0 - 5.0.18, 4.3.0 - 4.3.28, and older unsupported versions, the protections against RFD attacks from CVE-2015-5211 may be bypassed depending on the browser used through the use of a jsessionid path parameter.
NVD-CWE-noinfo

CVSSv2:
  • Base Score: LOW (3.6)
  • Vector: /AV:N/AC:H/Au:S/C:P/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (6.5)
  • Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:H/A:N

CVE-2022-22950  

In Spring Framework versions 5.3.0 - 5.3.16 and older unsupported versions, it is possible for a user to provide a specially crafted SpEL expression that may cause a denial of service condition.
CWE-770 Allocation of Resources Without Limits or Throttling

CVSSv2:
  • Base Score: MEDIUM (4.0)
  • Vector: /AV:N/AC:L/Au:S/C:N/I:N/A:P
CVSSv3:
  • Base Score: MEDIUM (6.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CVE-2020-5397 (OSSINDEX)  

Spring Framework versions 5.2.x prior to 5.2.3 are vulnerable to CSRF attacks through CORS preflight requests that target Spring MVC (spring-webmvc module) or Spring WebFlux (spring-webflux module) endpoints. Only non-authenticated endpoints are vulnerable, because preflight requests should not include credentials and therefore requests should fail authentication. However, a notable exception is Chrome-based browsers when using client certificates for authentication, since Chrome sends TLS client certificates in CORS preflight requests in violation of spec requirements. No HTTP body can be sent or received as a result of this attack.
CWE-352 Cross-Site Request Forgery (CSRF)

CVSSv2:
  • Base Score: MEDIUM (5.3)
  • Vector: /AV:N/AC:L/Au:/C:N/I:L/A:N

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:org.springframework:spring-webmvc:5.0.10.RELEASE:*:*:*:*:*:*:*

CVE-2022-22968  

In Spring Framework versions 5.3.0 - 5.3.18, 5.2.0 - 5.2.20, and older unsupported versions, the patterns for disallowedFields on a DataBinder are case sensitive which means a field is not effectively protected unless it is listed with both upper and lower case for the first character of the field, including upper and lower case for the first character of all nested fields within the property path.
CWE-178 Improper Handling of Case Sensitivity

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (5.3)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

CVE-2022-22970  

In Spring Framework versions prior to 5.3.20+, 5.2.22+ and old unsupported versions, applications that handle file uploads are vulnerable to a DoS attack if they rely on data binding to set a MultipartFile or javax.servlet.Part to a field in a model object.
CWE-770 Allocation of Resources Without Limits or Throttling

CVSSv2:
  • Base Score: LOW (3.5)
  • Vector: /AV:N/AC:M/Au:S/C:N/I:N/A:P
CVSSv3:
  • Base Score: MEDIUM (5.3)
  • Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H

CVE-2021-22060 (OSSINDEX)  

In Spring Framework versions 5.3.0 - 5.3.13, 5.2.0 - 5.2.18, and older unsupported versions, it is possible for a user to provide malicious input to cause the insertion of additional log entries. This is a follow-up to CVE-2021-22096 that protects against additional types of input and in more places of the Spring Framework codebase.
CWE-117 Improper Output Neutralization for Logs

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:L/Au:/C:N/I:L/A:N

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:org.springframework:spring-webmvc:5.0.10.RELEASE:*:*:*:*:*:*:*

stax-ex-1.8.jar

Description:

Extensions to JSR-173 StAX API.

License:

Dual license consisting of the CDDL v1.1 and GPL v2: https://glassfish.dev.java.net/public/CDDL+GPL_1_1.html
File Path: /home/andrii/.m2/repository/org/jvnet/staxex/stax-ex/1.8/stax-ex-1.8.jar
MD5: a0ebfdbc6b5a34b174a1d1f732d1bdda
SHA1: 8cc35f73da321c29973191f2cf143d29d26a1df7
SHA256:95b05d9590af4154c6513b9c5dc1fb2e55b539972ba0a9ef28e9a0c01d83ad77
Referenced In Project/Scope:space-comments:provided

Identifiers

streambuffer-1.5.6.jar

Description:

Stream based representation for XML infoset

License:

Dual license consisting of the CDDL v1.1 and GPL v2: https://glassfish.dev.java.net/public/CDDL+GPL_1_1.html
File Path: /home/andrii/.m2/repository/com/sun/xml/stream/buffer/streambuffer/1.5.6/streambuffer-1.5.6.jar
MD5: b0c5ef33eaf97577cc2ea48cdf26796a
SHA1: 8288761f6f6b8cd110b32ce32e8dfd7c4b1c5f7f
SHA256:d7bc9543b33a40e9f90cfbd02cf45f7b454a11d4a2703569a457438dab626a59
Referenced In Project/Scope:space-comments:provided

Identifiers

super-csv-2.1.0.jar

Description:

Super CSV is a fast, programmer-friendly, free CSV package for Java

License:

http://www.apache.org/licenses/LICENSE-2.0.html
File Path: /home/andrii/.m2/repository/net/sf/supercsv/super-csv/2.1.0/super-csv-2.1.0.jar
MD5: a069a5578c574f715facf22da805fb11
SHA1: c6466dd0e28c034272b9f70a3f1896c03f1f2b27
SHA256:5e8efd1b42eced204fb350ca9b54358683f424e444fc9896ed4a15150aa80103
Referenced In Project/Scope:space-comments:provided

Identifiers

taggedTemplateLiteral-12969f7e.js

File Path: /home/andrii/IdeaProjects/confluence-comments-server/src/main/resources/js/build/_snowpack/pkg/common/taggedTemplateLiteral-12969f7e.js
MD5: 95365d42834383e9cb049156f3c6dcba
SHA1: 6647ba0a745f872ec2c3fbf114d341d3889cd100
SHA256:1584bf7722fdfabfdafddb1df02d59229a180293d6587abc7c82c5d4fdb15112
Referenced In Project/Scope:space-comments

Identifiers

  • None

theme-742e153b.js

File Path: /home/andrii/IdeaProjects/confluence-comments-server/src/main/resources/js/build/_snowpack/pkg/common/theme-742e153b.js
MD5: 3fe6002bdde264373fccba8b3bbd8f02
SHA1: b6e5b32778de72a62d52a628a7c6c986411f487f
SHA256:ef879a19f75abe070afe662e5e8a55e1984ac9ea0dc632b074767964e32abfb2
Referenced In Project/Scope:space-comments

Identifiers

  • None

tika-core-1.22.jar

Description:

This is the core Apache Tika™ toolkit library from which all other modules inherit functionality. It also includes the core facades for the Tika API.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/andrii/.m2/repository/org/apache/tika/tika-core/1.22/tika-core-1.22.jar
MD5: 078d3798a32e444b3e3425457402dce3
SHA1: b193f1f977e64ff77025a4cecd7997cff344c4bc
SHA256:81a9e28c9fa9d6b00d1e5d85795403fb773d4c571175487b35b83a8c02599dd7
Referenced In Project/Scope:space-comments:provided

Identifiers

CVE-2020-1950  

A carefully crafted or corrupt PSD file can cause excessive memory usage in Apache Tika's PSDParser in versions 1.0-1.23.
CWE-400 Uncontrolled Resource Consumption ('Resource Exhaustion')

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:N/A:P
CVSSv3:
  • Base Score: MEDIUM (5.5)
  • Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

CVE-2020-1951  

A carefully crafted or corrupt PSD file can cause an infinite loop in Apache Tika's PSDParser in versions 1.0-1.23.
CWE-835 Loop with Unreachable Exit Condition ('Infinite Loop')

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:N/A:P
CVSSv3:
  • Base Score: MEDIUM (5.5)
  • Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

CVE-2021-28657  

A carefully crafted or corrupt file may trigger an infinite loop in Tika's MP3Parser up to and including Tika 1.25. Apache Tika users should upgrade to 1.26 or later.
CWE-835 Loop with Unreachable Exit Condition ('Infinite Loop')

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:N/A:P
CVSSv3:
  • Base Score: MEDIUM (5.5)
  • Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

CVE-2022-25169  

The BPG parser in versions of Apache Tika before 1.28.2 and 2.4.0 may allocate an unreasonable amount of memory on carefully crafted files.
CWE-770 Allocation of Resources Without Limits or Throttling

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:N/A:P
CVSSv3:
  • Base Score: MEDIUM (5.5)
  • Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

CVE-2022-30126  

In Apache Tika, a regular expression in our StandardsText class, used by the StandardsExtractingContentHandler, could lead to a denial of service caused by backtracking on a specially crafted file. This only affects users who are running the StandardsExtractingContentHandler, which is a non-standard handler. This is fixed in 1.28.2 and 2.4.0.
NVD-CWE-Other

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:N/A:P
CVSSv3:
  • Base Score: MEDIUM (5.5)
  • Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

CVE-2022-30973  

We failed to apply the fix for CVE-2022-30126 to the 1.x branch in the 1.28.2 release. In Apache Tika, a regular expression in the StandardsText class, used by the StandardsExtractingContentHandler could lead to a denial of service caused by backtracking on a specially crafted file. This only affects users who are running the StandardsExtractingContentHandler, which is a non-standard handler. This is fixed in 1.28.3.
NVD-CWE-Other

CVSSv2:
  • Base Score: LOW (2.6)
  • Vector: /AV:N/AC:H/Au:N/C:N/I:N/A:P
CVSSv3:
  • Base Score: MEDIUM (5.5)
  • Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

CVE-2022-33879  

The initial fixes in CVE-2022-30126 and CVE-2022-30973 for regexes in the StandardsExtractingContentHandler were insufficient, and we found a separate, new regex DoS in a different regex in the StandardsExtractingContentHandler. These are now fixed in 1.28.4 and 2.4.1.
NVD-CWE-Other

CVSSv2:
  • Base Score: LOW (2.6)
  • Vector: /AV:N/AC:H/Au:N/C:N/I:N/A:P
CVSSv3:
  • Base Score: LOW (3.3)
  • Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L

toml4j-0.7.2.jar

Description:

A parser for TOML

License:

The MIT License: http://www.opensource.org/licenses/mit-license.php
File Path: /home/andrii/.m2/repository/com/moandjiezana/toml/toml4j/0.7.2/toml4j-0.7.2.jar
MD5: efaec2fac998dce5bc118362bf724527
SHA1: 0a03337911d0bd2c40932aca3946edb30d0e7d0c
SHA256:f5475e63e7e89e5db62223489aec7a56bd303543772077a17c2cb54c19ca3a20
Referenced In Project/Scope:space-comments:compile

Identifiers

txw2-2.3.1.jar

Description:

TXW is a library that allows you to write XML documents.

File Path: /home/andrii/.m2/repository/org/glassfish/jaxb/txw2/2.3.1/txw2-2.3.1.jar
MD5: 0fed730907ba86376ef392ee7eb42d5f
SHA1: a09d2c48d3285f206fafbffe0e50619284e92126
SHA256:34975dde1c6920f1a39791142235689bc3cd357e24d05edd8ff93b885bd68d60
Referenced In Project/Scope:space-comments:provided

Identifiers

upm-api-2.21.jar

File Path: /home/andrii/.m2/repository/com/atlassian/upm/upm-api/2.21/upm-api-2.21.jar
MD5: befab820657442f0269193432838e9f7
SHA1: b32d5e709d23e7abc014cf1f288fdf5105d1aef6
SHA256:c0fb75b067047eee6d295ad541dc2c8916bd3174e6018d86ebd249db77b18c56
Referenced In Project/Scope:space-comments:provided

Identifiers

CVE-2018-20233  

The Upload add-on resource in Atlassian Universal Plugin Manager before version 2.22.14 allows remote attackers who have system administrator privileges to read files, make network requests and perform a denial of service attack via an XML External Entity vulnerability in the parsing of atlassian plugin xml files in an uploaded JAR.
CWE-611 Improper Restriction of XML External Entity Reference ('XXE')

CVSSv2:
  • Base Score: MEDIUM (5.5)
  • Vector: /AV:N/AC:L/Au:S/C:P/I:N/A:P
CVSSv3:
  • Base Score: MEDIUM (6.5)
  • Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:H

CVE-2018-5229  

The NotificationRepresentationFactoryImpl class in Atlassian Universal Plugin Manager before version 2.22.9 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the name of user submitted add-on names.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv2:
  • Base Score: LOW (3.5)
  • Vector: /AV:N/AC:M/Au:S/C:N/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (5.4)
  • Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CVE-2019-14999  

The Uninstall REST endpoint in Atlassian Universal Plugin Manager before version 2.22.19, from version 3.0.0 before version 3.0.3 and from version 4.0.0 before version 4.0.3 allows remote attackers to uninstall plugins using a Cross-Site Request Forgery (CSRF) vulnerability on an authenticated administrator.
CWE-352 Cross-Site Request Forgery (CSRF)

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (4.3)
  • Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

urlrewritefilter-4.0.4.jar

Description:

A Java Web Filter for any J2EE compliant web application server (such as Resin, Orion or Tomcat), which allows you to rewrite URLs before they get to your code. It is a very powerful tool just like Apache's mod_rewrite.

License:

BSD: http://www.opensource.org/licenses/bsd-license.php
File Path: /home/andrii/.m2/repository/org/tuckey/urlrewritefilter/4.0.4/urlrewritefilter-4.0.4.jar
MD5: b2440a8fb96bf2e2634216067a5db0b1
SHA1: b22c2658a325688bb87903033ae9f041f668aad2
SHA256:aeba8c192abe336af1a0d426ab4bcdbf657e518983cc4cb51c1cce462781e2db
Referenced In Project/Scope:space-comments:provided

Identifiers

use-controlled-d7253071.js

File Path: /home/andrii/IdeaProjects/confluence-comments-server/src/main/resources/js/build/_snowpack/pkg/common/use-controlled-d7253071.js
MD5: 27a3085d3bae388751fc76f5a6bcd1e3
SHA1: 14422298aec3e60cad0716ad4663ae28c243095b
SHA256:58c874360e43db7c477cad972e7823204133f8c421d11bd88373f42ca16b2902
Referenced In Project/Scope:space-comments

Identifiers

  • None

useAnalyticsEvents-2e16b30c.js

File Path: /home/andrii/IdeaProjects/confluence-comments-server/src/main/resources/js/build/_snowpack/pkg/common/useAnalyticsEvents-2e16b30c.js
MD5: 2e6969e831de8d3a9d579dbcfc25ed71
SHA1: 0d319f17e22420f3a935c6a9208d9b7035e9ebac
SHA256:98a8a4eecef3b6c8b244d6b96f46dd254eb64bbe3c3dba8447c40d733023a581
Referenced In Project/Scope:space-comments

Identifiers

  • None

useTrackedRef-308a7e05.js

File Path: /home/andrii/IdeaProjects/confluence-comments-server/src/main/resources/js/build/_snowpack/pkg/common/useTrackedRef-308a7e05.js
MD5: bef33f5652eb286bf4ae7fe165ebbfc4
SHA1: eff3f44c4142c29323b789d497c5de177d777a81
SHA256:490f82db80dbf3a5f9d65ae090662c13d8685681abac33b41526033943e9562c
Referenced In Project/Scope:space-comments

Identifiers

  • None

validation-api-2.0.1.Final.jar

Description:

Bean Validation API

License:

Apache License 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/andrii/.m2/repository/javax/validation/validation-api/2.0.1.Final/validation-api-2.0.1.Final.jar
MD5: 5d02c034034a7a16725ceff787e191d6
SHA1: cb855558e6271b1b32e716d24cb85c7f583ce09e
SHA256:9873b46df1833c9ee8f5bc1ff6853375115dadd8897bcb5a0dffb5848835ee6c
Referenced In Project/Scope:space-comments:provided

Identifiers

velocity-1.6.4-atlassian-21.jar

Description:

Apache Velocity is a general purpose template engine.

File Path: /home/andrii/.m2/repository/org/apache/velocity/velocity/1.6.4-atlassian-21/velocity-1.6.4-atlassian-21.jar
MD5: b4f23e994b43a5e952b1b3f77422a1c0
SHA1: 34a2ac32e2bf8f470a63189d75216c2e6bd5381f
SHA256:937057094c37870adae489664179aa7622157be2857819999e64b1704ce33305
Referenced In Project/Scope:space-comments:provided

Identifiers

CVE-2020-13936  

An attacker that is able to modify Velocity templates may execute arbitrary Java code or run arbitrary system commands with the same privileges as the account running the Servlet container. This applies to applications that allow untrusted users to upload/modify velocity templates running Apache Velocity Engine versions up to 2.2.
NVD-CWE-noinfo

CVSSv2:
  • Base Score: HIGH (9.0)
  • Vector: /AV:N/AC:L/Au:S/C:C/I:C/A:C
CVSSv3:
  • Base Score: HIGH (8.8)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

velocity-engine-core-2.3.jar

Description:

Apache Velocity is a general purpose template engine.

License:

https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/andrii/.m2/repository/org/apache/velocity/velocity-engine-core/2.3/velocity-engine-core-2.3.jar
MD5: e761e6088b946b42289c5d676a515581
SHA1: e2133b723d0e42be74880d34de6bf6538ea7f915
SHA256:b086cee8fd8183e240b4afcf54fe38ec33dd8eb0da414636e5bf7aa4d9856629
Referenced In Project/Scope:space-comments:compile

Identifiers

velocity-htmlsafe-3.1.1.jar

Description:

Base POM for Atlassian projects

License:

Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/andrii/.m2/repository/com/atlassian/velocity/htmlsafe/velocity-htmlsafe/3.1.1/velocity-htmlsafe-3.1.1.jar
MD5: 3c3fc9882fad7f1068d9cac6604a76e9
SHA1: 5a8f18e0f9b6200d8ea1f9e62a04fbd97d4c1b87
SHA256:ff249a061c9cf3f7afa752fde2dbbdbc8e29c99920f82cb5521bb866994aa04a
Referenced In Project/Scope:space-comments:provided

Identifiers

velocity-tools-1.4.jar

File Path: /home/andrii/.m2/repository/velocity-tools/velocity-tools/1.4/velocity-tools-1.4.jar
MD5: 2ef7ed8b728186558b5d587c38900b84
SHA1: 4e1f4d507030a00959f4c0c7fcc60b3565617d08
SHA256:0736bd626e343ee4c5837fb64f8ac4a4dcb06afba811dbfaf2d8aa5fcad850f3
Referenced In Project/Scope:space-comments:provided

Identifiers

CVE-2020-13959  

The default error page for VelocityView in Apache Velocity Tools prior to 3.1 reflects back the vm file that was entered as part of the URL. An attacker can set an XSS payload file as this vm file in the URL which results in this payload being executed. XSS vulnerabilities allow attackers to execute arbitrary JavaScript in the context of the attacked website and the attacked user. This can be abused to steal session cookies, perform requests in the name of the victim or for phishing attacks.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (6.1)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

webwork-2.1.5-atlassian-3.jar

File Path: /home/andrii/.m2/repository/opensymphony/webwork/2.1.5-atlassian-3/webwork-2.1.5-atlassian-3.jar
MD5: 348ea1f5a0ebd5ab23827d551ef33fce
SHA1: c9f58dd800c9b525be6d3f6fe4642720446e91c7
SHA256:b40db1a8a0e3b1d24f3b205c8de4b66c5795ab319e54ef309eec6e5f7c95edb1
Referenced In Project/Scope:space-comments:provided

Identifiers

CVE-2016-3082 (OSSINDEX)  

XSLTResult in Apache Struts 2.x before 2.3.20.2, 2.3.24.x before 2.3.24.2, and 2.3.28.x before 2.3.28.1 allows remote attackers to execute arbitrary code via the stylesheet location parameter.
CWE-20 Improper Input Validation

CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:opensymphony:webwork:2.1.5-atlassian-3:*:*:*:*:*:*:*

CVE-2017-12611 (OSSINDEX)  

In Apache Struts 2.0.0 through 2.3.33 and 2.5 through 2.5.10.1, using an unintentional expression in a Freemarker tag instead of string literals can lead to an RCE attack.
CWE-20 Improper Input Validation

CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:opensymphony:webwork:2.1.5-atlassian-3:*:*:*:*:*:*:*

CVE-2018-11776 (OSSINDEX)  

Apache Struts versions 2.3 to 2.3.34 and 2.5 to 2.5.16 suffer from possible Remote Code Execution when alwaysSelectFullNamespace is true (set either by the user or by a plugin such as the Convention Plugin) and either: results are used with no namespace while their upper package has no namespace or a wildcard namespace; or a url tag is used without value and action set while its upper package has no namespace or a wildcard namespace.
CWE-20 Improper Input Validation

CVSSv3:
  • Base Score: HIGH (8.1)
  • Vector: CVSS:/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:opensymphony:webwork:2.1.5-atlassian-3:*:*:*:*:*:*:*

CVE-2011-1772  

Multiple cross-site scripting (XSS) vulnerabilities in XWork in Apache Struts 2.x before 2.2.3, and OpenSymphony XWork in OpenSymphony WebWork, allow remote attackers to inject arbitrary web script or HTML via vectors involving (1) an action name, (2) the action attribute of an s:submit element, or (3) the method attribute of an s:submit element.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv2:
  • Base Score: LOW (2.6)
  • Vector: /AV:N/AC:H/Au:N/C:N/I:P/A:N

wsdl4j-1.6.3.jar

Description:

Java stub generator for WSDL

License:

CPL: http://www.opensource.org/licenses/cpl1.0.txt
File Path: /home/andrii/.m2/repository/wsdl4j/wsdl4j/1.6.3/wsdl4j-1.6.3.jar
MD5: cfc28d89625c5e88589aec7a9aee0208
SHA1: 6d106a6845a3d3477a1560008479312888e94f2f
SHA256:740f448e6b3bc110e02f4a1e56fb57672e732d2ecaf29ae15835051ae8af4725
Referenced In Project/Scope:space-comments:provided

Identifiers

wstx-asl-3.2.9-atlassian-1.jar

Description:

Woodstox is a high-performance XML processor that implements Stax (JSR-173) API

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/andrii/.m2/repository/org/codehaus/woodstox/wstx-asl/3.2.9-atlassian-1/wstx-asl-3.2.9-atlassian-1.jar
MD5: ad41a90de4c140189d5a1171bc5efa57
SHA1: b600b9192823aaac229b438d9f798ab062cf3798
SHA256:cf6c04db9a4c0c89b59afdc8bb346839b18cfa99472d44e1c6180b236e2454b3
Referenced In Project/Scope:space-comments:provided

Identifiers

CVE-2019-12401 (OSSINDEX)  

Solr versions 1.3.0 to 1.4.1, 3.1.0 to 3.6.2 and 4.0.0 to 4.10.4 are vulnerable to an XML resource consumption attack (a.k.a. Lol Bomb) via its update handler. By leveraging XML DOCTYPE and ENTITY type elements, the attacker can create a pattern that will expand when the server parses the XML, causing OOMs.
CWE-776 Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')

CVSSv2:
  • Base Score: HIGH (7.5)
  • Vector: /AV:N/AC:L/Au:/C:N/I:N/A:H

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:org.codehaus.woodstox:wstx-asl:3.2.9-atlassian-1:*:*:*:*:*:*:*

xalan-2.7.2.jar

Description:

Xalan-Java is an XSLT processor for transforming XML documents into HTML, text, or other XML document types. It implements XSL Transformations (XSLT) Version 1.0 and XML Path Language (XPath) Version 1.0 and can be used from the command line, in an applet or a servlet, or as a module in another program.

File Path: /home/andrii/.m2/repository/xalan/xalan/2.7.2/xalan-2.7.2.jar
MD5: 6aa6607802502c8016b676f25f8e4873
SHA1: d55d3f02a56ec4c25695fe67e1334ff8c2ecea23
SHA256:a44bd80e82cb0f4cfac0dac8575746223802514e3cec9dc75235bc0de646af14
Referenced In Project/Scope:space-comments:provided

Identifiers

CVE-2022-34169  

The Apache Xalan Java XSLT library is vulnerable to an integer truncation issue when processing malicious XSLT stylesheets. This can be used to corrupt Java class files generated by the internal XSLTC compiler and execute arbitrary Java bytecode. The Apache Xalan Java project is dormant and in the process of being retired. No future releases of Apache Xalan Java to address this issue are expected. Note: Java runtimes (such as OpenJDK) include repackaged copies of Xalan.
CWE-681 Incorrect Conversion between Numeric Types

CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

xercesImpl-2.12.0.jar

Description:

Xerces2 is the next generation of high performance, fully compliant XML parsers in the Apache Xerces family. This new version of Xerces introduces the Xerces Native Interface (XNI), a complete framework for building parser components and configurations that is extremely modular and easy to program.

The Apache Xerces2 parser is the reference implementation of XNI but other parser components, configurations, and parsers can be written using the Xerces Native Interface. For complete design and implementation documents, refer to the XNI Manual.

Xerces2 is a fully conforming XML Schema 1.0 processor. A partial experimental implementation of the XML Schema 1.1 Structures and Datatypes Working Drafts (December 2009) and an experimental implementation of the XML Schema Definition Language (XSD): Component Designators (SCD) Candidate Recommendation (January 2010) are provided for evaluation. For more information, refer to the XML Schema page.

Xerces2 also provides a complete implementation of the Document Object Model Level 3 Core and Load/Save W3C Recommendations and provides a complete implementation of the XML Inclusions (XInclude) W3C Recommendation. It also provides support for OASIS XML Catalogs v1.1.

Xerces2 is able to parse documents written according to the XML 1.1 Recommendation, except that it does not yet provide an option to enable normalization checking as described in section 2.13 of this specification. It also handles namespaces according to the XML Namespaces 1.1 Recommendation, and will correctly serialize XML 1.1 documents if the DOM level 3 load/save APIs are in use.

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/andrii/.m2/repository/xerces/xercesImpl/2.12.0/xercesImpl-2.12.0.jar
MD5: b89632b53c4939a2982bcb52806f6dec
SHA1: f02c844149fd306601f20e0b34853a670bef7fa2
SHA256:b50d3a4ca502faa4d1c838acb8aa9480446953421f7327e338c5dda3da5e76d0
Referenced In Project/Scope:space-comments:provided

Identifiers

  • pkg:maven/xerces/xercesImpl@2.12.0  (Confidence:High)
  • cpe:2.3:a:apache:xerces-j:2.12.0:*:*:*:*:*:*:*  (Confidence:Low)  
  • cpe:2.3:a:apache:xerces2_java:2.12.0:*:*:*:*:*:*:*  (Confidence:Low)  

CVE-2022-23437  

There's a vulnerability within the Apache Xerces Java (XercesJ) XML parser when handling specially crafted XML document payloads. This causes the XercesJ XML parser to wait in an infinite loop, which may sometimes consume system resources for a prolonged duration. This vulnerability is present within XercesJ version 2.12.1 and the previous versions.
CWE-91 XML Injection (aka Blind XPath Injection)

CVSSv2:
  • Base Score: HIGH (7.1)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:N/A:C
CVSSv3:
  • Base Score: MEDIUM (6.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

CVE-2017-10355 (OSSINDEX)  

sonatype-2017-0348 - xerces:xercesImpl - Denial of Service (DoS)

The software contains multiple threads or executable segments that are waiting for each other to release a necessary lock, resulting in deadlock.
CWE-833 Deadlock

CVSSv3:
  • Base Score: MEDIUM (5.9)
  • Vector: CVSS:/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:xerces:xercesImpl:2.12.0:*:*:*:*:*:*:*

xml-apis-1.4.01.jar

Description:

xml-commons provides an Apache-hosted set of DOM, SAX, and JAXP interfaces for use in other xml-based projects. Our hope is that we can standardize on both a common version and packaging scheme for these critical XML standards interfaces to make the lives of both our developers and users easier. The External Components portion of xml-commons contains interfaces that are defined by external standards organizations. For DOM, that's the W3C; for SAX it's David Megginson and sax.sourceforge.net; for JAXP it's Sun.

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
The SAX License: http://www.saxproject.org/copying.html
The W3C License: http://www.w3.org/TR/2004/REC-DOM-Level-3-Core-20040407/java-binding.zip
File Path: /home/andrii/.m2/repository/xml-apis/xml-apis/1.4.01/xml-apis-1.4.01.jar
MD5: 7eaad6fea5925cca6c36ee8b3e02ac9d
SHA1: 3789d9fada2d3d458c4ba2de349d48780f381ee3
SHA256:a840968176645684bb01aed376e067ab39614885f9eee44abe35a5f20ebe7fad
Referenced In Project/Scope:space-comments:compile

Identifiers

xml-apis-ext-1.3.04.jar

Description:

xml-commons provides an Apache-hosted set of DOM, SAX, and JAXP interfaces for use in other xml-based projects. Our hope is that we can standardize on both a common version and packaging scheme for these critical XML standards interfaces to make the lives of both our developers and users easier. The External Components portion of xml-commons contains interfaces that are defined by external standards organizations. For DOM, that's the W3C; for SAX it's David Megginson and sax.sourceforge.net; for JAXP it's Sun.

File Path: /home/andrii/.m2/repository/xml-apis/xml-apis-ext/1.3.04/xml-apis-ext-1.3.04.jar
MD5: bcb07d3b8d2397db7a3013b6465d347b
SHA1: 41a8b86b358e87f3f13cf46069721719105aff66
SHA256:d0b4887dc34d57de49074a58affad439a013d0baffa1a8034f8ef2a5ea191646
Referenced In Project/Scope:space-comments:provided

Identifiers

xmlgraphics-commons-2.6.jar

Description:

Apache XML Graphics Commons is a library that consists of several reusable components used by Apache Batik and Apache FOP. Many of these components can easily be used separately outside the domains of SVG and XSL-FO.

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/andrii/.m2/repository/org/apache/xmlgraphics/xmlgraphics-commons/2.6/xmlgraphics-commons-2.6.jar
MD5: e10f2ebebd7e2790add49a7303ac630f
SHA1: 8779b8d8f426f24fdb4a512f8bc4248cb3775bd2
SHA256:25f21c93462d767d05e340f1dc754862995b9bf8b4618ab5b07cd703d400d413
Referenced In Project/Scope:space-comments:provided

Identifiers

xmlpull-1.1.3.1.jar

License:

Public Domain: http://www.xmlpull.org/v1/download/unpacked/LICENSE.txt
File Path: /home/andrii/.m2/repository/xmlpull/xmlpull/1.1.3.1/xmlpull-1.1.3.1.jar
MD5: cc57dacc720eca721a50e78934b822d2
SHA1: 2b8e230d2ab644e4ecaa94db7cdedbc40c805dfa
SHA256:34e08ee62116071cbb69c0ed70d15a7a5b208d62798c59f2120bb8929324cb63
Referenced In Project/Scope:space-comments:provided

Identifiers

xmlrpc-2.0+xmlrpc61.1+sbfix.jar

File Path: /home/andrii/.m2/repository/xmlrpc/xmlrpc/2.0+xmlrpc61.1+sbfix/xmlrpc-2.0+xmlrpc61.1+sbfix.jar
MD5: e05e11c783b9226d867d73f48b8f4c2e
SHA1: 9f283031cccc87b6a797cb4dfc9851d8337e5e00
SHA256: e80f5f9e230c53ec08c2b6d6464f5b44d6e975414b950072887664c5a19e7948
Referenced In Project/Scope: space-comments:provided

xmlrpc-supplementary-character-support-0.2.jar

License:

Apache License Version 2.0: https://maven.atlassian.com/public/licenses/LICENSE-2.0.txt
File Path: /home/andrii/.m2/repository/com/atlassian/xmlrpc/xmlrpc-supplementary-character-support/0.2/xmlrpc-supplementary-character-support-0.2.jar
MD5: b0c0b142a4f006beeef6e3268721ade1
SHA1: cc8b5f4d04a2d3e05fdbee173fb560f00515cfef
SHA256: e4a4f62352293f3dfab2557d3a664f1a9c088decf254e1fd2ad15690a18d4974
Referenced In Project/Scope: space-comments:provided

xmpbox-2.0.24.jar

Description:

    The Apache XmpBox library is an open source Java tool that implements Adobe's XMP(TM)
    specification. It can be used to parse, validate and create xmp contents.
    It is mainly used by subproject preflight of Apache PDFBox. 
    XmpBox is a subproject of Apache PDFBox.
  

License:

https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/andrii/.m2/repository/org/apache/pdfbox/xmpbox/2.0.24/xmpbox-2.0.24.jar
MD5: b540c277bcbd8061dcef2629c8581057
SHA1: df8b7a6a363281f9f1365ed4b37580aa5d3f38f1
SHA256: 27383df2285b9e228c39f2c755adeebbef774793d33c4f20f0dc99e9ebaaf673
Referenced In Project/Scope: space-comments:provided

xstream-1.4.17.jar

Description:

XStream is a serialization library from Java objects to XML and back.

License:

BSD-3-Clause
File Path: /home/andrii/.m2/repository/com/thoughtworks/xstream/xstream/1.4.17/xstream-1.4.17.jar
MD5: 6c756db449d3f22367b0297d78ec4ff9
SHA1: 646da0e0fa6c56ff2f1b81601fb8934393718217
SHA256: 0dd5e24bdaf2a8782cd3642d18e6f01cca8867ae243c74d9445d06269f612844
Referenced In Project/Scope: space-comments:provided

CVE-2021-39139  

XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. A user is only affected if using the version out of the box with JDK 1.7u21 or below. However, this scenario can be adjusted easily to an external Xalan that works regardless of the version of the Java runtime. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose.
CWE-434 Unrestricted Upload of File with Dangerous Type, CWE-502 Deserialization of Untrusted Data

CVSSv2:
  • Base Score: MEDIUM (6.5)
  • Vector: /AV:N/AC:L/Au:S/C:P/I:P/A:P
CVSSv3:
  • Base Score: HIGH (8.8)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVE-2021-39141  

XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose.
CWE-434 Unrestricted Upload of File with Dangerous Type, CWE-502 Deserialization of Untrusted Data

CVSSv2:
  • Base Score: MEDIUM (6.0)
  • Vector: /AV:N/AC:M/Au:S/C:P/I:P/A:P
CVSSv3:
  • Base Score: HIGH (8.5)
  • Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H

CVE-2021-39144  

XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker who has sufficient rights to execute commands of the host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose.
CWE-502 Deserialization of Untrusted Data, CWE-94 Improper Control of Generation of Code ('Code Injection')

CVSSv2:
  • Base Score: MEDIUM (6.0)
  • Vector: /AV:N/AC:M/Au:S/C:P/I:P/A:P
CVSSv3:
  • Base Score: HIGH (8.5)
  • Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H

CVE-2021-39145  

XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose.
CWE-434 Unrestricted Upload of File with Dangerous Type, CWE-502 Deserialization of Untrusted Data

CVSSv2:
  • Base Score: MEDIUM (6.0)
  • Vector: /AV:N/AC:M/Au:S/C:P/I:P/A:P
CVSSv3:
  • Base Score: HIGH (8.5)
  • Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H

CVE-2021-39146  

XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose.
CWE-434 Unrestricted Upload of File with Dangerous Type, CWE-502 Deserialization of Untrusted Data

CVSSv2:
  • Base Score: MEDIUM (6.0)
  • Vector: /AV:N/AC:M/Au:S/C:P/I:P/A:P
CVSSv3:
  • Base Score: HIGH (8.5)
  • Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H

CVE-2021-39147  

XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose.
CWE-434 Unrestricted Upload of File with Dangerous Type, CWE-502 Deserialization of Untrusted Data

CVSSv2:
  • Base Score: MEDIUM (6.0)
  • Vector: /AV:N/AC:M/Au:S/C:P/I:P/A:P
CVSSv3:
  • Base Score: HIGH (8.5)
  • Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H

CVE-2021-39148  

XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose.
CWE-434 Unrestricted Upload of File with Dangerous Type, CWE-502 Deserialization of Untrusted Data

CVSSv2:
  • Base Score: MEDIUM (6.0)
  • Vector: /AV:N/AC:M/Au:S/C:P/I:P/A:P
CVSSv3:
  • Base Score: HIGH (8.5)
  • Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H

CVE-2021-39149  

XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose.
CWE-434 Unrestricted Upload of File with Dangerous Type, CWE-502 Deserialization of Untrusted Data

CVSSv2:
  • Base Score: MEDIUM (6.0)
  • Vector: /AV:N/AC:M/Au:S/C:P/I:P/A:P
CVSSv3:
  • Base Score: HIGH (8.5)
  • Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H

CVE-2021-39150  

XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to request data from internal resources that are not publicly available only by manipulating the processed input stream with a Java runtime version 14 to 8. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the [Security Framework](https://x-stream.github.io/security.html#framework), you will have to use at least version 1.4.18.
CWE-502 Deserialization of Untrusted Data, CWE-918 Server-Side Request Forgery (SSRF)

CVSSv2:
  • Base Score: MEDIUM (6.0)
  • Vector: /AV:N/AC:M/Au:S/C:P/I:P/A:P
CVSSv3:
  • Base Score: HIGH (8.5)
  • Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H

CVE-2021-39151  

XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose.
CWE-434 Unrestricted Upload of File with Dangerous Type, CWE-502 Deserialization of Untrusted Data

CVSSv2:
  • Base Score: MEDIUM (6.0)
  • Vector: /AV:N/AC:M/Au:S/C:P/I:P/A:P
CVSSv3:
  • Base Score: HIGH (8.5)
  • Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H

CVE-2021-39152  

XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to request data from internal resources that are not publicly available only by manipulating the processed input stream with a Java runtime version 14 to 8. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the [Security Framework](https://x-stream.github.io/security.html#framework), you will have to use at least version 1.4.18.
CWE-502 Deserialization of Untrusted Data, CWE-918 Server-Side Request Forgery (SSRF)

CVSSv2:
  • Base Score: MEDIUM (6.0)
  • Vector: /AV:N/AC:M/Au:S/C:P/I:P/A:P
CVSSv3:
  • Base Score: HIGH (8.5)
  • Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H

CVE-2021-39153  

XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream, if using the version out of the box with Java runtime version 14 to 8 or with JavaFX installed. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose.
CWE-434 Unrestricted Upload of File with Dangerous Type, CWE-502 Deserialization of Untrusted Data

CVSSv2:
  • Base Score: MEDIUM (6.0)
  • Vector: /AV:N/AC:M/Au:S/C:P/I:P/A:P
CVSSv3:
  • Base Score: HIGH (8.5)
  • Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H

CVE-2021-39154  

XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose.
CWE-434 Unrestricted Upload of File with Dangerous Type, CWE-502 Deserialization of Untrusted Data

CVSSv2:
  • Base Score: MEDIUM (6.0)
  • Vector: /AV:N/AC:M/Au:S/C:P/I:P/A:P
CVSSv3:
  • Base Score: HIGH (8.5)
  • Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H

CVE-2021-43859  

XStream is an open source java library to serialize objects to XML and back again. Versions prior to 1.4.19 may allow a remote attacker to allocate 100% CPU time on the target system depending on CPU type or parallel execution of such a payload resulting in a denial of service only by manipulating the processed input stream. XStream 1.4.19 monitors and accumulates the time it takes to add elements to collections and throws an exception if a set threshold is exceeded. Users are advised to upgrade as soon as possible. Users unable to upgrade may set the NO_REFERENCE mode to prevent recursion. See GHSA-rmr5-cpv2-vgjf for further details on a workaround if an upgrade is not possible.
CWE-400 Uncontrolled Resource Consumption ('Resource Exhaustion')

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:P
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVE-2022-40151  

Those using XStream to serialize XML data may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stack overflow. This effect may support a denial of service attack.
CWE-787 Out-of-bounds Write

CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVE-2022-40152  

Those using XStream to serialize XML data may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stack overflow. This effect may support a denial of service attack.
CWE-787 Out-of-bounds Write

CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVE-2022-40153  

Those using XStream to serialize XML data may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stack overflow. This effect may support a denial of service attack.
CWE-787 Out-of-bounds Write

CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVE-2022-40154  

Those using XStream to serialise XML data may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stack overflow. This effect may support a denial of service attack.
CWE-787 Out-of-bounds Write

CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVE-2022-40155  

Those using XStream to serialise XML data may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stack overflow. This effect may support a denial of service attack.
CWE-787 Out-of-bounds Write

CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVE-2022-40156  

Those using XStream to serialize XML data may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stack overflow. This effect may support a denial of service attack.
CWE-787 Out-of-bounds Write

CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVE-2021-39140  

XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to allocate 100% CPU time on the target system depending on CPU type or parallel execution of such a payload resulting in a denial of service only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose.
CWE-502 Deserialization of Untrusted Data, CWE-835 Loop with Unreachable Exit Condition ('Infinite Loop')

CVSSv2:
  • Base Score: MEDIUM (6.3)
  • Vector: /AV:N/AC:M/Au:S/C:N/I:N/A:C
CVSSv3:
  • Base Score: MEDIUM (6.3)
  • Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:N/A:H

xwork-1.0.3.6.jar

File Path: /home/andrii/.m2/repository/opensymphony/xwork/1.0.3.6/xwork-1.0.3.6.jar
MD5: 59c8950b1129637bb63aea94b4139d7f
SHA1: 6ce687ad0967100e8c9031e51de1888b4ed7ff0d
SHA256: b548454dcf030646478131f67614a8475330d1894de34e7bc57a47e7202516f3
Referenced In Project/Scope: space-comments:provided

CVE-2012-0838 (OSSINDEX)  

Apache Struts 2 before 2.2.3.1 evaluates a string as an OGNL expression during the handling of a conversion error, which allows remote attackers to modify run-time data values, and consequently execute arbitrary code, via invalid input to a field.
CWE-20 Improper Input Validation

CVSSv2:
  • Base Score: HIGH (10.0)
  • Vector: /AV:N/AC:L/Au:N/C:C/I:C/A:C

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:opensymphony:xwork:1.0.3.6:*:*:*:*:*:*:*

CVE-2011-3923 (OSSINDEX)  

Apache Struts before 2.3.1.2 allows remote attackers to bypass security protections in the ParameterInterceptor class and execute arbitrary commands.
CWE-732 Incorrect Permission Assignment for Critical Resource

CVSSv2:
  • Base Score: HIGH (9.8)
  • Vector: /AV:N/AC:L/Au:/C:H/I:H/A:H

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:opensymphony:xwork:1.0.3.6:*:*:*:*:*:*:*

CVE-2016-4461 (OSSINDEX)  

Apache Struts 2.x before 2.3.29 allows remote attackers to execute arbitrary code via a "%{}" sequence in a tag attribute, aka forced double OGNL evaluation.  NOTE: this vulnerability exists because of an incomplete fix for CVE-2016-0785.
CWE-20 Improper Input Validation

CVSSv3:
  • Base Score: HIGH (8.8)
  • Vector: CVSS:/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:opensymphony:xwork:1.0.3.6:*:*:*:*:*:*:*

CVE-2007-4556  

Struts support in OpenSymphony XWork before 1.2.3, and 2.x before 2.0.4, as used in WebWork and Apache Struts, recursively evaluates all input as an Object-Graph Navigation Language (OGNL) expression when altSyntax is enabled, which allows remote attackers to cause a denial of service (infinite loop) or execute arbitrary code via form input beginning with a "%{" sequence and ending with a "}" character.
NVD-CWE-Other

CVSSv2:
  • Base Score: MEDIUM (6.8)
  • Vector: /AV:N/AC:M/Au:N/C:P/I:P/A:P

CVE-2012-0392 (OSSINDEX)  

The CookieInterceptor component in Apache Struts before 2.3.1.1 does not use the parameter-name whitelist, which allows remote attackers to execute arbitrary commands via a crafted HTTP Cookie header that triggers Java code execution through a static method.
CWE-264 Permissions, Privileges, and Access Controls

CVSSv2:
  • Base Score: MEDIUM (6.8)
  • Vector: /AV:N/AC:M/Au:N/C:P/I:P/A:P

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:opensymphony:xwork:1.0.3.6:*:*:*:*:*:*:*

CVE-2008-6504 (OSSINDEX)  

ParametersInterceptor in OpenSymphony XWork 2.0.x before 2.0.6 and 2.1.x before 2.1.2, as used in Apache Struts and other products, does not properly restrict # (pound sign) references to context objects, which allows remote attackers to execute Object-Graph Navigation Language (OGNL) statements and modify server-side context objects, as demonstrated by use of a \u0023 representation for the # character.
CWE-20 Improper Input Validation

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:N/I:P/A:N

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:opensymphony:xwork:1.0.3.6:*:*:*:*:*:*:*

CVE-2010-1870 (OSSINDEX)  

The OGNL extensive expression evaluation capability in XWork in Struts 2.0.0 through 2.1.8.1, as used in Atlassian Fisheye, Crucible, and possibly other products, uses a permissive whitelist, which allows remote attackers to modify server-side context objects and bypass the "#" protection mechanism in ParameterInterceptors via the (1) #context, (2) #_memberAccess, (3) #root, (4) #this, (5) #_typeResolver, (6) #_classResolver, (7) #_traceEvaluations, (8) #_lastEvaluation, (9) #_keepLastEvaluation, and possibly other OGNL context variables, a different vulnerability than CVE-2008-6504.
CWE-285 Improper Authorization

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:N/I:P/A:N

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:opensymphony:xwork:1.0.3.6:*:*:*:*:*:*:*

CVE-2011-2088 (OSSINDEX)  

XWork 2.2.1 in Apache Struts 2.2.1, and OpenSymphony XWork in OpenSymphony WebWork, allows remote attackers to obtain potentially sensitive information about internal Java class paths via vectors involving an s:submit element and a nonexistent method, a different vulnerability than CVE-2011-1772.3.
CWE-200 Information Exposure

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:N

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:opensymphony:xwork:1.0.3.6:*:*:*:*:*:*:*

CVE-2012-4387 (OSSINDEX)  

Apache Struts 2.0.0 through 2.3.4 allows remote attackers to cause a denial of service (CPU consumption) via a long parameter name, which is processed as an OGNL expression.
CWE-264 Permissions, Privileges, and Access Controls

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:P

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:opensymphony:xwork:1.0.3.6:*:*:*:*:*:*:*

CVE-2011-1772  

Multiple cross-site scripting (XSS) vulnerabilities in XWork in Apache Struts 2.x before 2.2.3, and OpenSymphony XWork in OpenSymphony WebWork, allow remote attackers to inject arbitrary web script or HTML via vectors involving (1) an action name, (2) the action attribute of an s:submit element, or (3) the method attribute of an s:submit element.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv2:
  • Base Score: LOW (2.6)
  • Vector: /AV:N/AC:H/Au:N/C:N/I:P/A:N

xz-1.9.jar

Description:

XZ data compression

License:

Public Domain
File Path: /home/andrii/.m2/repository/org/tukaani/xz/1.9/xz-1.9.jar
MD5: 57c2fbfeb55e307ccae52e5322082e02
SHA1: 1ea4bec1a921180164852c65006d928617bd2caf
SHA256: 211b306cfc44f8f96df3a0a3ddaf75ba8c5289eed77d60d72f889bb855f535e5
Referenced In Project/Scope: space-comments:compile

This report contains data retrieved from the National Vulnerability Database.
This report may contain data retrieved from the NPM Public Advisories.
This report may contain data retrieved from RetireJS.
This report may contain data retrieved from the Sonatype OSS Index.