Third Party Jars Scanning Report

Dependency-Check Report 03/03/20, 1231 PM

Dependency-Check is an open source tool performing a best effort analysis of 3rd party dependencies; false positives and false negatives may exist in the analysis performed by the tool. Use of the tool and the reporting provided constitutes acceptance for use in an AS IS condition, and there are NO warranties, implied or otherwise, with regard to the analysis or its use. Any use of the tool and the reporting provided is at the user’s risk. In no event shall the copyright holder or OWASP be held liable for any damages whatsoever arising out of or in connection with the use of this tool, the analysis performed, or the resulting report.

How to read the report | Suppressing false positives | Getting Help: github issues Project: AdeptiaConnect_3_2_10Feb2020

Scan Information (show all): dependency-check version: 5.2.2 Report Generated On: Thu, 13 Feb 2020 12:18:25 +0530 Dependencies Scanned: 3023 (2125 unique) Vulnerable Dependencies: 23 Vulnerabilities Found: 36 Vulnerabilities Suppressed: 0 ...

Summary

Display: Showing Vulnerable Dependencies (click to show all)

Dependency Vulnerability IDs Package Highest Severity CVE Count

jquery.min.js pkg:javascript/[email protected] MEDIUM 2

spring-security- cpe:2.3:a:pivotal_software:spring_security:5.2.1.release:*:*:*:*:*:*:* pkg:maven/org.springframework.security/spring- HIGH 1 core- cpe:2.3:a:security-framework_project:security-framework:5.2.1.release:*:*:*:*:*:*:* [email protected] 5.2.1.RELEASE.jar

commons-jelly- cpe:2.3:a:apache:commons-jelly:1.0.1:*:*:*:*:*:*:* CRITICAL 1 1.0.1-beta-4- oldstyle.jar

castor-0.9.6.2.jar cpe:2.3:a:castor_project:castor:0.9.6.2:*:*:*:*:*:*:* MEDIUM 1

handlebars- pkg:javascript/[email protected] medium 3 2.0.0.js

opensaml-2.6.4.jar cpe:2.3:a:shibboleth:opensaml:2.6.4:*:*:*:*:*:*:* pkg:maven/org.opensaml/[email protected] MEDIUM 1

jakarta.json- cpe:2.3:a:processing:processing:1.1.5:*:*:*:*:*:*:* pkg:maven/org.glassfish/[email protected] MEDIUM 1 1.1.5.jar

jquery-1.8.0.min.js pkg:javascript/[email protected] MEDIUM 3

axis-1.1.1.jar cpe:2.3:a:apache:axis:1.1:*:*:*:*:*:*:* MEDIUM 3

jquery-1.12.4.js pkg:javascript/[email protected] MEDIUM 2

filters-2.0.235.jar cpe:2.3:a:image_processing_software:image_processing_software:2.0.235:*:*:*:*:*:*:* pkg:maven/com.jhlabs/[email protected] LOW 1

jakarta-slide- cpe:2.3:a:apache:jakarta_slide:2.1:*:*:*:*:*:*:* LOW 1 webdavlib-2.1.jar

apache-jsp- cpe:2.3:a:apache:tomcat:9.0.29:*:*:*:*:*:*:* pkg:maven/org.mortbay.jasper/apache- HIGH 2 9.0.29.jar cpe:2.3:a:apache_software_foundation:tomcat:9.0.29:*:*:*:*:*:*:* [email protected]

python36.dll cpe:2.3:a:python:python:36:*:*:*:*:*:*:* MEDIUM 1 cpe:2.3:a:python_software_foundation:python:36:*:*:*:*:*:*:*

log4j-1.2.17.jar cpe:2.3:a:apache:log4j:1.2.17:*:*:*:*:*:*:* pkg:maven/log4j/[email protected] HIGH 1

not-yet-commons- cpe:2.3:a:not_yet_commons_ssl_project:not_yet_commons_ssl:0.3.9:*:*:*:*:*:*:* pkg:maven/ca.juliusdavies/not-yet-commons- MEDIUM 1 ssl-0.3.9.jar [email protected]

spring-core- cpe:2.3:a:pivotal_software:spring_framework:5.2.2.release:*:*:*:*:*:*:* pkg:maven/org.springframework/spring- HIGH 2 5.2.2.RELEASE.jar cpe:2.3:a:springsource:spring_framework:5.2.2.release:*:*:*:*:*:*:* [email protected] cpe:2.3:a:vmware:springsource_spring_framework:5.2.2:*:*:*:*:*:*:*

PDFxStream- cpe:2.3:a:snowtide:pdfxstream:1.0:*:*:*:*:*:*:* MEDIUM 1 1.0.jar

castor-doclet- cpe:2.3:a:castor_project:castor:0.4.6:*:*:*:*:*:*:* MEDIUM 1 0.4.6.jar

spring-tx- cpe:2.3:a:pivotal_software:spring_framework:5.2.2.release:*:*:*:*:*:*:* pkg:maven/org.springframework/spring- HIGH 2 5.2.2.RELEASE.jar cpe:2.3:a:springsource:spring_framework:5.2.2.release:*:*:*:*:*:*:* [email protected] cpe:2.3:a:vmware:springsource_spring_framework:5.2.2:*:*:*:*:*:*:*

spring-web- cpe:2.3:a:pivotal_software:spring_framework:5.2.1.release:*:*:*:*:*:*:* pkg:maven/org.springframework/spring- HIGH 2 5.2.1.RELEASE.jar cpe:2.3:a:springsource:spring_framework:5.2.1.release:*:*:*:*:*:*:* [email protected] cpe:2.3:a:vmware:springsource_spring_framework:5.2.1:*:*:*:*:*:*:*

jquery- pkg:javascript/[email protected] MEDIUM 2 1.11.1.min.js file:///Users/avinash/Downloads/ACE_v3.2_3rdPartyJars_Scanning_Report.html Page 1 of 26 Dependency-Check Report 03/03/20, 1231 PM

bcpg-jdk15on- cpe:2.3:a:openpgp:openpgp:1.64:*:*:*:*:*:*:* pkg:maven/org.bouncycastle/bcpg- MEDIUM 1 1.64.jar [email protected]

Dependencies

jquery.min.js

File Path: D:\BUILD\CONNECT\V_3.2\MySQL_PatchEnv\AdeptiaConnect-3.1\ConnectPortal\webapps\wars\ROOT\jquery\jquery.min.js MD5: 28dd060f863dd353fac8ec0585d2ab79 SHA1: b8abf6e6a9c086d5df6fedb1f0a7a2d7aff85238 SHA256:b3b6da61b0654e356955b9c12744ec7ad8b9f02235976285d9b3bf7f975636b5

Evidence

Related Dependencies

Identifiers

pkg:javascript/[email protected] (Confidence:Highest)

Published Vulnerabilities

CVE-2015-9251 suppress

jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed.

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv2: Base Score: MEDIUM (4.3) Vector: /AV:N/AC:M/Au:N/C:N/I:N/A:N CVSSv3: Base Score: MEDIUM (6.1) Vector: /AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

References: BID - 105658 BUGTRAQ - 20190509 dotCMS v5.1.1 Vulnerabilities CONFIRM - http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html CONFIRM - https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html CONFIRM - https://www.tenable.com/security/tns-2019-08 FULLDISC - 20190510 Re: dotCMS v5.1.1 HTML Injection & XSS Vulnerability FULLDISC - 20190510 dotCMS v5.1.1 HTML Injection & XSS Vulnerability FULLDISC - 20190510 dotCMS v5.1.1 Vulnerabilities MISC - http://packetstormsecurity.com/files/152787/dotCMS-5.1.1-Vulnerable-Dependencies.html MISC - http://packetstormsecurity.com/files/153237/RetireJS-CORS-Issue-Script-Execution.html MISC - https://github.com/jquery/jquery/commit/f60729f3903d17917dc351f3ac87794de379b0cc MISC - https://github.com/jquery/jquery/issues/2432 MISC - https://github.com/jquery/jquery/pull/2588 MISC - https://github.com/jquery/jquery/pull/2588/commits/c254d308a7d3f1eac4d0b42837804cfffcba4bb2 MISC - https://ics-cert.us-cert.gov/advisories/ICSA-18-212-04 MISC - https://snyk.io/vuln/npm:jquery:20150627 MISC - https://sw.aveva.com/hubfs/assets-2018/pdf/security-bulletin/SecurityBulletin_LFSec126.pdf MISC - https://www.oracle.com/security-alerts/cpujan2020.html MISC - https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html MISC - https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html MISC - https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html MLIST - [drill-dev] 20191017 Dependencies used by Drill contain known vulnerabilities MLIST - [drill-dev] 20191021 [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities MLIST - [drill-issues] 20191021 [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities MLIST - [flink-dev] 20190811 Apache flink 1.7.2 security issues MLIST - [flink-user] 20190811 Apache flink 1.7.2 security issues MLIST - [flink-user] 20190813 Apache flink 1.7.2 security issues MLIST - [flink-user] 20190813 Re: Apache flink 1.7.2 security issues MLIST - [roller-commits] 20190820 [jira] [Created] (ROL-2150) Fix Js security vulnerabilities detected using retire js info - info info - info info - info info - info

Vulnerable Software & Versions (NVD):

file:///Users/avinash/Downloads/ACE_v3.2_3rdPartyJars_Scanning_Report.html Page 2 of 26 Dependency-Check Report 03/03/20, 1231 PM

cpe:2.3:a:oracle:communications_converged_application_server:*:*:*:*:*:*:*:* versions up to (excluding) 7.0.0.1 cpe:2.3:a:oracle:insurance_insbridge_rating_and_underwriting:5.5:*:*:*:*:*:*:* cpe:2.3:a:oracle:financial_services_funds_transfer_pricing:*:*:*:*:*:*:*:* versions from (including) 8.0.4; versions up to (including) 8.0.7 cpe:2.3:a:oracle:primavera_unifier:16.1:*:*:*:*:*:*:* cpe:2.3:a:oracle:fusion_middleware_mapviewer:12.2.1.3.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:business_process_management_suite:11.1.1.9.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:retail_workforce_management_software:1.64.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:weblogic_server:12.1.3.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:retail_sales_audit:15.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.57:*:*:*:*:*:*:* cpe:2.3:a:oracle:utilities_framework:*:*:*:*:*:*:*:* versions from (including) 4.3.0.1; versions up to (including) 4.3.0.4 cpe:2.3:a:oracle:hospitality_materials_control:18.1:*:*:*:*:*:*:* cpe:2.3:a:oracle:webcenter_sites:11.1.1.8.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:real-time_scheduler:2.3.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:banking_platform:2.6.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:banking_platform:2.6.1:*:*:*:*:*:*:* cpe:2.3:a:oracle:communications_webrtc_session_controller:*:*:*:*:*:*:*:* versions up to (excluding) 7.2 cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:*:*:*:*:*:*:*:* versions from (including) 8.0.0; versions up to (including) 8.0.7 cpe:2.3:a:oracle:financial_services_loan_loss_forecasting_and_provisioning:*:*:*:*:*:*:*:* versions from (including) 8.0.2; versions up to (including) 8.0.7 cpe:2.3:a:oracle:hospitality_guest_access:4.2.1:*:*:*:*:*:*:* cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools:9.2:*:*:*:*:*:*:* cpe:2.3:a:oracle:business_process_management_suite:12.1.3.0.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:retail_invoice_matching:15.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:agile_product_lifecycle_management_for_process:6.2.2.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:retail_allocation:15.0.2:*:*:*:*:*:*:* cpe:2.3:a:oracle:enterprise_manager_ops_center:12.2.2:*:*:*:*:*:*:* cpe:2.3:a:oracle:hospitality_guest_access:4.2.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:service_bus:12.2.1.3.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:primavera_gateway:15.2:*:*:*:*:*:*:* cpe:2.3:a:oracle:banking_platform:2.6.2:*:*:*:*:*:*:* cpe:2.3:a:oracle:healthcare_translational_research:3.1.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:primavera_unifier:16.2:*:*:*:*:*:*:* cpe:2.3:a:jquery:jquery:*:*:*:*:*:*:*:* versions up to (excluding) 3.0.0 cpe:2.3:a:oracle:weblogic_server:12.2.1.3:*:*:*:*:*:*:* cpe:2.3:a:oracle:hospitality_cruise_fleet_management:9.0.11:*:*:*:*:*:*:* cpe:2.3:a:oracle:communications_interactive_session_recorder:6.2:*:*:*:*:*:*:* cpe:2.3:a:oracle:endeca_information_discovery_studio:3.2.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:primavera_unifier:18.8:*:*:*:*:*:*:* cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.56:*:*:*:*:*:*:* cpe:2.3:a:oracle:primavera_unifier:*:*:*:*:*:*:*:* versions from (including) 17.1; versions up to (including) 17.12 cpe:2.3:a:oracle:retail_customer_insights:16.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:agile_product_lifecycle_management_for_process:6.2.1.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:agile_product_lifecycle_management_for_process:6.2.3.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:communications_services_gatekeeper:*:*:*:*:*:*:*:* versions up to (excluding) 6.1.0.4.0 cpe:2.3:a:oracle:enterprise_manager_ops_center:12.3.3:*:*:*:*:*:*:* cpe:2.3:a:oracle:healthcare_foundation:7.1:*:*:*:*:*:*:* cpe:2.3:a:oracle:primavera_gateway:16.2:*:*:*:*:*:*:* cpe:2.3:a:oracle:jdeveloper:11.1.1.9.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:*:*:*:*:*:*:*:* versions from (including) 7.3.3; versions up to (including) 7.3.5 cpe:2.3:a:oracle:insurance_insbridge_rating_and_underwriting:5.4:*:*:*:*:*:*:* cpe:2.3:a:oracle:utilities_mobile_workforce_management:2.3.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:siebel_ui_framework:18.11:*:*:*:*:*:*:* cpe:2.3:a:oracle:agile_product_lifecycle_management_for_process:6.2.3.1:*:*:*:*:*:*:* cpe:2.3:a:oracle:service_bus:12.1.3.0.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:financial_services_profitability_management:*:*:*:*:*:*:*:* versions from (including) 8.0.4; versions up to (including) 8.0.6 cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.55:*:*:*:*:*:*:* cpe:2.3:a:oracle:enterprise_operations_monitor:4.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:enterprise_operations_monitor:3.4:*:*:*:*:*:*:* cpe:2.3:a:oracle:retail_customer_insights:15.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:communications_interactive_session_recorder:6.1:*:*:*:*:*:*:* cpe:2.3:a:oracle:financial_services_hedge_management_and_ifrs_valuations:*:*:*:*:*:*:*:* versions from (including) 8.0.4; versions up to (including) 8.0.7 cpe:2.3:a:oracle:financial_services_asset_liability_management:*:*:*:*:*:*:*:* versions from (including) 8.0.4; versions up to (including) 8.0.7 cpe:2.3:a:oracle:insurance_insbridge_rating_and_underwriting:5.2:*:*:*:*:*:*:* cpe:2.3:a:oracle:financial_services_reconciliation_framework:8.0.6:*:*:*:*:*:*:* cpe:2.3:a:oracle:financial_services_market_risk_measurement_and_management:8.0.6:*:*:*:*:*:*:* cpe:2.3:a:oracle:oss_support_tools:19.1:*:*:*:*:*:*:* cpe:2.3:a:oracle:communications_interactive_session_recorder:6.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:agile_product_lifecycle_management_for_process:6.2.0.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:business_process_management_suite:12.2.1.3.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:financial_services_reconciliation_framework:8.0.5:*:*:*:*:*:*:* cpe:2.3:a:oracle:hospitality_reporting_and_analytics:9.1.0:*:*:*:*:*:*:*

CVE-2019-11358 suppress

jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable __proto__ property, it could extend the native Object.prototype.

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv2: Base Score: MEDIUM (4.3) Vector: /AV:N/AC:M/Au:N/C:N/I:N/A:N CVSSv3: Base Score: MEDIUM (6.1) Vector: /AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

FEDORA - FEDORA-2019-1a3edd7e8a FEDORA - FEDORA-2019-2a0ce0c58c FEDORA - FEDORA-2019-7eaf0bbe7c FEDORA - FEDORA-2019-a06dffab1c FEDORA - FEDORA-2019-eba8e44ee6 FEDORA - FEDORA-2019-f563e66380 FULLDISC - 20190510 Re: dotCMS v5.1.1 HTML Injection & XSS Vulnerability FULLDISC - 20190510 dotCMS v5.1.1 HTML Injection & XSS Vulnerability FULLDISC - 20190510 dotCMS v5.1.1 Vulnerabilities MISC - http://packetstormsecurity.com/files/152787/dotCMS-5.1.1-Vulnerable-Dependencies.html MISC - http://packetstormsecurity.com/files/153237/RetireJS-CORS-Issue-Script-Execution.html MISC - https://backdropcms.org/security/backdrop-sa-core-2019-009 MISC - https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/ MISC - https://github.com/jquery/jquery/commit/753d591aea698e57d6db58c9f722cd0808619b1b MISC - https://github.com/jquery/jquery/pull/4333 MISC - https://snyk.io/vuln/SNYK-JS-JQUERY-174006 MISC - https://www.drupal.org/sa-core-2019-006 MISC - https://www.oracle.com/security-alerts/cpujan2020.html MISC - https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html MISC - https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html MISC - https://www.privacy-wise.com/mitigating-cve-2019-11358-in-old-versions-of-jquery/ MLIST - [airflow-commits] 20190428 [GitHub] [airflow] XD-DENG commented on issue #5197: [AIRFLOW-XXX] Fix CVE-2019-11358 MLIST - [airflow-commits] 20190428 [GitHub] [airflow] XD-DENG merged pull request #5197: [AIRFLOW-XXX] Fix CVE-2019-11358 MLIST - [airflow-commits] 20190428 [GitHub] [airflow] codecov-io commented on issue #5197: [AIRFLOW-XXX] Fix CVE-2019-11358 MLIST - [airflow-commits] 20190428 [GitHub] [airflow] feng-tao commented on issue #5197: [AIRFLOW-XXX] Fix CVE-2019-11358 MLIST - [airflow-commits] 20190428 [GitHub] [airflow] feng-tao opened a new pull request #5197: [AIRFLOW-XXX] Fix CVE-2019-11358 MLIST - [debian-lts-announce] 20190506 [SECURITY] [DLA 1777-1] jquery security update MLIST - [debian-lts-announce] 20190520 [SECURITY] [DLA 1797-1] drupal7 security update MLIST - [drill-dev] 20191017 Dependencies used by Drill contain known vulnerabilities MLIST - [drill-dev] 20191021 [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities MLIST - [drill-issues] 20191021 [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities MLIST - [nifi-commits] 20191113 svn commit: r1869773 - /nifi/site/trunk/security.html MLIST - [nifi-commits] 20200123 svn commit: r1873083 - /nifi/site/trunk/security.html MLIST - [oss-security] 20190603 Django: CVE-2019-12308 AdminURLFieldWidget XSS (plus patched bundled jQuery for CVE-2019-11358) MLIST - [roller-commits] 20190820 [jira] [Created] (ROL-2150) Fix Js security vulnerabilities detected using retire js REDHAT - RHBA-2019:1570 REDHAT - RHSA-2019:1456 REDHAT - RHSA-2019:2587 REDHAT - RHSA-2019:3023 REDHAT - RHSA-2019:3024 SUSE - openSUSE-SU-2019:1839 SUSE - openSUSE-SU-2019:1872 info - info info - info info - info

Vulnerable Software & Versions (NVD):

cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:* versions from (including) 8.6.0; versions up to (excluding) 8.6.15 cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:* versions from (including) 7.0; versions up to (excluding) 7.66 cpe:2.3:a:jquery:jquery:*:*:*:*:*:*:*:* versions up to (excluding) 3.4.0 cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:* versions from (including) 8.5.0; versions up to (excluding) 8.5.15 cpe:2.3:a:backdropcms:backdrop:*:*:*:*:*:*:*:* versions from (including) 1.11.0; versions up to (excluding) 1.11.9 cpe:2.3:a:backdropcms:backdrop:*:*:*:*:*:*:*:* versions from (including) 1.12.0; versions up to (excluding) 1.12.6

spring-security-core-5.2.1.RELEASE.jar

Description:

spring-security-core

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt

File Path: D:\BUILD\CONNECT\V_3.2\MySQL_PatchEnv\AdeptiaConnect-3.1\ConnectPortal\webapps\wars\ROOT\WEB-INF\lib\spring-security-core-5.2.1.RELEASE.jar MD5: 8dad6a85f53ab899d210ed36994528de SHA1: f1265ecdd4636a2038768c2ab9da4b79961a3465 SHA256:97e138c645df205b15e044a2e7fe6ebad0b5ce5ff9d9d4aacc689bd1ce828c77

Evidence

Related Dependencies

Identifiers

pkg:maven/org.springframework.security/[email protected] (Confidence:High) cpe:2.3:a:pivotal_software:spring_security:5.2.1.release:*:*:*:*:*:*:* (Confidence:Highest) suppress cpe:2.3:a:security-framework_project:security-framework:5.2.1.release:*:*:*:*:*:*:* (Confidence:Highest) suppress

Published Vulnerabilities

file:///Users/avinash/Downloads/ACE_v3.2_3rdPartyJars_Scanning_Report.html Page 4 of 26 Dependency-Check Report 03/03/20, 1231 PM

CVE-2018-1258 suppress

Spring Framework version 5.0.5 when used in combination with any versions of Spring Security contains an authorization bypass when using method security. An unauthorized malicious user can gain unauthorized access to methods that should be restricted.

CWE-863 Incorrect Authorization

CVSSv2: Base Score: MEDIUM (6.5) Vector: /AV:N/AC:L/Au:S/C:P/I:P/A:P CVSSv3: Base Score: HIGH (8.8) Vector: /AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

References: BID - 104222 CONFIRM - http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html CONFIRM - http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html CONFIRM - https://pivotal.io/security/cve-2018-1258 CONFIRM - https://security.netapp.com/advisory/ntap-20181018-0002/ CONFIRM - https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html MISC - https://www.oracle.com/security-alerts/cpujan2020.html MISC - https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html MISC - https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html REDHAT - RHSA-2019:2413 SECTRACK - 1041888 SECTRACK - 1041896

Vulnerable Software & Versions: (show all)

cpe:2.3:a:pivotal_software:spring_security:*:*:*:*:*:*:*:* ...

commons-jelly-1.0.1-beta-4-oldstyle.jar

File Path: D:\BUILD\CONNECT\V_3.2\MySQL_PatchEnv\AdeptiaConnect-3.1\ConnectServer\AdeptiaServer\ServerKernel\dependency\common\commons-jelly-1.0.1-beta-4- oldstyle.jar MD5: 576b700cc3670544cbc557f29c2fa0ab SHA1: 9d65558beef63bb61fe67209d3c1e7822ec5b8dc SHA256:af378a4670e980a264620c0b5f21ea4fdb7ab652afa35729cff88fc0749adc86

Evidence

Identifiers

cpe:2.3:a:apache:commons-jelly:1.0.1:*:*:*:*:*:*:* (Confidence:Low) suppress

Published Vulnerabilities

CVE-2017-12621 suppress

During Jelly (xml) file parsing with Apache Xerces, if a custom doctype entity is declared with a "SYSTEM" entity with a URL and that entity is used in the body of the Jelly file, during parser instantiation the parser will attempt to connect to said URL. This could lead to XML External Entity (XXE) attacks in Apache Commons Jelly before 1.0.1.

CWE-611 Improper Restriction of XML External Entity Reference ('XXE')

CVSSv2: Base Score: HIGH (7.5) Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P CVSSv3: Base Score: CRITICAL (9.8) Vector: /AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References: BID - 101052 CONFIRM - https://issues.apache.org/jira/browse/JELLY-293 MLIST - [dev] 20170927 [SECURITY] CVE-2017-12621 Apache Commons Jelly connects to URL with custom doctype definitions. SECTRACK - 1039444

Vulnerable Software & Versions:

cpe:2.3:a:apache:commons-jelly:*:rc6:*:*:*:*:*:* versions up to (including) 1.0.1

castor-0.9.6.2.jar

file:///Users/avinash/Downloads/ACE_v3.2_3rdPartyJars_Scanning_Report.html Page 5 of 26 Dependency-Check Report 03/03/20, 1231 PM

File Path: D:\BUILD\CONNECT\V_3.2\MySQL_PatchEnv\AdeptiaConnect-3.1\ConnectServer\AdeptiaServer\ServerKernel\dependency\common\castor-0.9.6.2.jar MD5: 0e34b96d6d9411c77275ea26db471a0f SHA1: 990729ca550afaa0c73a9d0f576ce1e175dce884 SHA256:c3a8d1e0f73b0bb5222472200285dc32d6f2c41521837a847da483ac35ce8150

Evidence

Identifiers

cpe:2.3:a:castor_project:castor:0.9.6.2:*:*:*:*:*:*:* (Confidence:Low) suppress

Published Vulnerabilities

CVE-2014-3004 suppress

The default configuration for the Xerces SAX Parser in Castor before 1.3.3 allows context-dependent attackers to conduct XML External Entity (XXE) attacks via a crafted XML document.

CWE-611 Improper Restriction of XML External Entity Reference ('XXE')

CVSSv2: Base Score: MEDIUM (4.3) Vector: /AV:N/AC:M/Au:N/C:P/I:P/A:N

References: BID - 67676 FULLDISC - 20140527 CVE-2014-3004 - Castor Library Default Config could lead to XML External Entity (XXE) Attacks MISC - http://packetstormsecurity.com/files/126854/Castor-Library-XXE-Disclosure.html MISC - https://quickview.cloudapps.cisco.com/quickview/bug/CSCvm56811 MISC - https://www.oracle.com/security-alerts/cpujan2020.html SECUNIA - 59427 SUSE - openSUSE-SU-2014:0822

Vulnerable Software & Versions: (show all)

cpe:2.3:a:castor_project:castor:*:*:*:*:*:*:*:* versions up to (including) 1.3.2 ...

handlebars-2.0.0.js

File Path: D:\BUILD\CONNECT\V_3.2\MySQL_PatchEnv\AdeptiaConnect-3.1\ConnectServer\AdeptiaServer\ServerKernel\web\swagger\lib\handlebars-2.0.0.js MD5: ac0e095cb4e8b64c0494f9ae03b7d8c5 SHA1: e5b94b9ba8f698f6e111108a4a65ab9b52577732 SHA256:2c8ff2829ade9d1a256ee33fcbaa54c3a8038be7321e73885bb7d46c0869038e

Evidence

Related Dependencies

Identifiers

pkg:javascript/[email protected] (Confidence:Highest)

Published Vulnerabilities

Disallow calling helperMissing and blockHelperMissing directly (RETIREJS) suppress

Disallow calling helperMissing and blockHelperMissing directly

$vuln.cwes.toString()

Severity: low

References: info - info

Prototype pollution (RETIREJS) suppress

Prototype pollution

$vuln.cwes.toString()

file:///Users/avinash/Downloads/ACE_v3.2_3rdPartyJars_Scanning_Report.html Page 6 of 26 Dependency-Check Report 03/03/20, 1231 PM

Severity: medium

References: info - info

Quoteless attributes in templates can lead to XSS (RETIREJS) suppress

Quoteless attributes in templates can lead to XSS

$vuln.cwes.toString()

Severity: medium

References: info - info

opensaml-2.6.4.jar

Description:

The OpenSAML-J library provides tools to support developers working with the Security Assertion Markup Language (SAML).

File Path: D:\BUILD\CONNECT\V_3.2\MySQL_PatchEnv\AdeptiaConnect-3.1\ConnectPortal\webapps\wars\ROOT\WEB-INF\lib\opensaml-2.6.4.jar MD5: 70e20154abc9a94e230b5679e3603e5a SHA1: de2c742b770bd58328fd05ebd9d9efc85f79d88c SHA256:b8297a0b783113a5e0113ee69683addf99194b3ff981c0c90b85dda492f30064

Evidence

Related Dependencies

Identifiers

pkg:maven/org.opensaml/[email protected] (Confidence:High) cpe:2.3:a:shibboleth:opensaml:2.6.4:*:*:*:*:*:*:* (Confidence:Highest) suppress

Published Vulnerabilities

CVE-2015-1796 (OSSINDEX) suppress

The PKIX trust engines in Shibboleth Identity Provider before 2.4.4 and OpenSAML Java (OpenSAML-J) before 2.6.5 trust candidate X.509 credentials when no trusted names are available for the entityID, which allows remote attackers to impersonate an entity via a certificate issued by a shibmd:KeyAuthority trust anchor.

null

CVSSv2: Base Score: MEDIUM (4.3) Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N

References: OSSINDEX - [CVE-2015-1796] null

Vulnerable Software & Versions (OSSINDEX):

cpe:2.3:a:org.opensaml:opensaml:2.6.4:*:*:*:*:*:*:*

jakarta.json-1.1.5.jar

Description:

Default provider for JSR 374:Java API for Processing JSON

License:

https://projects.eclipse.org/license/epl-2.0, https://projects.eclipse.org/license/secondary-gpl-2.0-cp

File Path: D:\BUILD\CONNECT\V_3.2\MySQL_PatchEnv\AdeptiaConnect-3.1\ConnectServer\AdeptiaServer\ServerKernel\dependency\common\jakarta.json-1.1.5.jar MD5: ce7bb3bd542ad49b5aca79e530820022 SHA1: db0810e21a749c7ff934836c95d69c7c4e67b455 SHA256:d8a7d4c657a25f695bdc7ba475290b2d77d8195303d816b7cf9be9349a02095a

file:///Users/avinash/Downloads/ACE_v3.2_3rdPartyJars_Scanning_Report.html Page 7 of 26 Dependency-Check Report 03/03/20, 1231 PM

Evidence

Related Dependencies

Identifiers

pkg:maven/org.glassfish/[email protected] (Confidence:High) cpe:2.3:a:processing:processing:1.1.5:*:*:*:*:*:*:* (Confidence:Low) suppress

Published Vulnerabilities

CVE-2018-1000840 suppress

Processing Foundation Processing version 3.4 and earlier contains a XML External Entity (XXE) vulnerability in loadXML() function that can result in An attacker can read arbitrary files and exfiltrate their contents via HTTP requests. This attack appear to be exploitable via The victim must use Processing to parse a crafted XML document.

CWE-611 Improper Restriction of XML External Entity Reference ('XXE')

CVSSv2: Base Score: MEDIUM (4.3) Vector: /AV:N/AC:M/Au:N/C:P/I:P/A:N CVSSv3: Base Score: MEDIUM (6.5) Vector: /AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

References: MISC - https://github.com/processing/processing/issues/5706 MISC - https://twitter.com/ben_fry/status/1054333613465059329

Vulnerable Software & Versions:

cpe:2.3:a:processing:processing:*:*:*:*:*:*:*:* versions up to (including) 3.4

jquery-1.8.0.min.js

File Path: D:\BUILD\CONNECT\V_3.2\MySQL_PatchEnv\AdeptiaConnect-3.1\ConnectServer\AdeptiaServer\ServerKernel\web\swagger\lib\jquery-1.8.0.min.js MD5: cd8b0bffc85bb5614385ee4ce3596d07 SHA1: 359c6c1ed98081b9a69eb3513b9deced59c957f9 SHA256:d73e2e1bff9c55b85284ff287cb20dc29ad9165ec09091a0597b61199f330805

Evidence

Related Dependencies

Identifiers

pkg:javascript/[email protected] (Confidence:Highest)

Published Vulnerabilities

CVE-2012-6708 suppress

jQuery before 1.9.0 is vulnerable to Cross-site Scripting (XSS) attacks. The jQuery(strInput) function does not differentiate selectors from HTML in a reliable fashion. In vulnerable versions, jQuery determined whether the input was HTML by looking for the '<' character anywhere in the string, giving attackers more flexibility when attempting to construct a malicious payload. In fixed versions, jQuery only deems the input to be HTML if it explicitly starts with the '<' character, limiting exploitability only to attackers who can control the beginning of a string, which is far less common.

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv2: Base Score: MEDIUM (4.3) Vector: /AV:N/AC:M/Au:N/C:N/I:N/A:N CVSSv3: Base Score: MEDIUM (6.1) Vector: /AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

References: BID - 102792 CONFIRM - https://help.ecostruxureit.com/display/public/UADCE725/Security+fixes+in+StruxureWare+Data+Center+Expert+v7.6.0 MISC - http://packetstormsecurity.com/files/153237/RetireJS-CORS-Issue-Script-Execution.html

file:///Users/avinash/Downloads/ACE_v3.2_3rdPartyJars_Scanning_Report.html Page 8 of 26 Dependency-Check Report 03/03/20, 1231 PM

MISC - https://bugs.jquery.com/ticket/11290 MISC - https://github.com/jquery/jquery/commit/05531fc4080ae24070930d15ae0cea7ae056457d MISC - https://snyk.io/vuln/npm:jquery:20120206 MLIST - [drill-dev] 20191017 Dependencies used by Drill contain known vulnerabilities MLIST - [drill-dev] 20191021 [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities info - info info - info info - info

Vulnerable Software & Versions (NVD):

cpe:2.3:a:jquery:jquery:*:*:*:*:*:*:*:* versions up to (excluding) 1.9.0

CVE-2015-9251 suppress

jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed.

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv2: Base Score: MEDIUM (4.3) Vector: /AV:N/AC:M/Au:N/C:N/I:N/A:N CVSSv3: Base Score: MEDIUM (6.1) Vector: /AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Vulnerable Software & Versions (NVD):

cpe:2.3:a:oracle:agile_product_lifecycle_management_for_process:6.2.2.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:retail_allocation:15.0.2:*:*:*:*:*:*:* cpe:2.3:a:oracle:enterprise_manager_ops_center:12.2.2:*:*:*:*:*:*:* cpe:2.3:a:oracle:hospitality_guest_access:4.2.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:service_bus:12.2.1.3.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:primavera_gateway:15.2:*:*:*:*:*:*:* cpe:2.3:a:oracle:banking_platform:2.6.2:*:*:*:*:*:*:* cpe:2.3:a:oracle:healthcare_translational_research:3.1.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:primavera_unifier:16.2:*:*:*:*:*:*:* cpe:2.3:a:jquery:jquery:*:*:*:*:*:*:*:* versions up to (excluding) 3.0.0 cpe:2.3:a:oracle:weblogic_server:12.2.1.3:*:*:*:*:*:*:* cpe:2.3:a:oracle:hospitality_cruise_fleet_management:9.0.11:*:*:*:*:*:*:* cpe:2.3:a:oracle:communications_interactive_session_recorder:6.2:*:*:*:*:*:*:* cpe:2.3:a:oracle:endeca_information_discovery_studio:3.2.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:primavera_unifier:18.8:*:*:*:*:*:*:* cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.56:*:*:*:*:*:*:* cpe:2.3:a:oracle:primavera_unifier:*:*:*:*:*:*:*:* versions from (including) 17.1; versions up to (including) 17.12 cpe:2.3:a:oracle:retail_customer_insights:16.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:agile_product_lifecycle_management_for_process:6.2.1.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:agile_product_lifecycle_management_for_process:6.2.3.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:communications_services_gatekeeper:*:*:*:*:*:*:*:* versions up to (excluding) 6.1.0.4.0 cpe:2.3:a:oracle:enterprise_manager_ops_center:12.3.3:*:*:*:*:*:*:* cpe:2.3:a:oracle:healthcare_foundation:7.1:*:*:*:*:*:*:* cpe:2.3:a:oracle:primavera_gateway:16.2:*:*:*:*:*:*:* cpe:2.3:a:oracle:jdeveloper:11.1.1.9.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:*:*:*:*:*:*:*:* versions from (including) 7.3.3; versions up to (including) 7.3.5 cpe:2.3:a:oracle:insurance_insbridge_rating_and_underwriting:5.4:*:*:*:*:*:*:* cpe:2.3:a:oracle:utilities_mobile_workforce_management:2.3.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:siebel_ui_framework:18.11:*:*:*:*:*:*:* cpe:2.3:a:oracle:agile_product_lifecycle_management_for_process:6.2.3.1:*:*:*:*:*:*:* cpe:2.3:a:oracle:service_bus:12.1.3.0.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:financial_services_profitability_management:*:*:*:*:*:*:*:* versions from (including) 8.0.4; versions up to (including) 8.0.6 cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.55:*:*:*:*:*:*:* cpe:2.3:a:oracle:enterprise_operations_monitor:4.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:enterprise_operations_monitor:3.4:*:*:*:*:*:*:* cpe:2.3:a:oracle:retail_customer_insights:15.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:communications_interactive_session_recorder:6.1:*:*:*:*:*:*:* cpe:2.3:a:oracle:financial_services_hedge_management_and_ifrs_valuations:*:*:*:*:*:*:*:* versions from (including) 8.0.4; versions up to (including) 8.0.7 cpe:2.3:a:oracle:financial_services_asset_liability_management:*:*:*:*:*:*:*:* versions from (including) 8.0.4; versions up to (including) 8.0.7 cpe:2.3:a:oracle:insurance_insbridge_rating_and_underwriting:5.2:*:*:*:*:*:*:* cpe:2.3:a:oracle:financial_services_reconciliation_framework:8.0.6:*:*:*:*:*:*:* cpe:2.3:a:oracle:financial_services_market_risk_measurement_and_management:8.0.6:*:*:*:*:*:*:* cpe:2.3:a:oracle:oss_support_tools:19.1:*:*:*:*:*:*:* cpe:2.3:a:oracle:communications_interactive_session_recorder:6.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:agile_product_lifecycle_management_for_process:6.2.0.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:business_process_management_suite:12.2.1.3.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:financial_services_reconciliation_framework:8.0.5:*:*:*:*:*:*:* cpe:2.3:a:oracle:hospitality_reporting_and_analytics:9.1.0:*:*:*:*:*:*:*

CVE-2019-11358 suppress

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv2: Base Score: MEDIUM (4.3) Vector: /AV:N/AC:M/Au:N/C:N/I:N/A:N CVSSv3: Base Score: MEDIUM (6.1) Vector: /AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

MLIST - [airflow-commits] 20190428 [GitHub] [airflow] codecov-io commented on issue #5197: [AIRFLOW-XXX] Fix CVE-2019-11358 MLIST - [airflow-commits] 20190428 [GitHub] [airflow] feng-tao commented on issue #5197: [AIRFLOW-XXX] Fix CVE-2019-11358 MLIST - [airflow-commits] 20190428 [GitHub] [airflow] feng-tao opened a new pull request #5197: [AIRFLOW-XXX] Fix CVE-2019-11358 MLIST - [debian-lts-announce] 20190506 [SECURITY] [DLA 1777-1] jquery security update MLIST - [debian-lts-announce] 20190520 [SECURITY] [DLA 1797-1] drupal7 security update MLIST - [drill-dev] 20191017 Dependencies used by Drill contain known vulnerabilities MLIST - [drill-dev] 20191021 [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities MLIST - [drill-issues] 20191021 [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities MLIST - [nifi-commits] 20191113 svn commit: r1869773 - /nifi/site/trunk/security.html MLIST - [nifi-commits] 20200123 svn commit: r1873083 - /nifi/site/trunk/security.html MLIST - [oss-security] 20190603 Django: CVE-2019-12308 AdminURLFieldWidget XSS (plus patched bundled jQuery for CVE-2019-11358) MLIST - [roller-commits] 20190820 [jira] [Created] (ROL-2150) Fix Js security vulnerabilities detected using retire js REDHAT - RHBA-2019:1570 REDHAT - RHSA-2019:1456 REDHAT - RHSA-2019:2587 REDHAT - RHSA-2019:3023 REDHAT - RHSA-2019:3024 SUSE - openSUSE-SU-2019:1839 SUSE - openSUSE-SU-2019:1872 info - info info - info info - info

Vulnerable Software & Versions (NVD):

axis-1.1.1.jar

File Path: D:\BUILD\CONNECT\V_3.2\MySQL_PatchEnv\AdeptiaConnect-3.1\ConnectServer\AdeptiaServer\ServerKernel\dependency\common\axis-1.1.1.jar MD5: 2dc09952afc23a3ca81cf44f22bb6551 SHA1: b29e1858fb99d1baa3374b6006be549876b242bd SHA256:352f1c7f31ba065036a99bb1825b3a98aaeae70dd8f9f7611a4304762fa9db7b

Evidence

Identifiers

cpe:2.3:a:apache:axis:1.1:*:*:*:*:*:*:* (Confidence:Medium) suppress

Published Vulnerabilities

CVE-2012-5784 suppress

Apache Axis 1.4 and earlier, as used in PayPal Payments Pro, PayPal Mass Pay, PayPal Transactional Information SOAP, the Java Message Service implementation in Apache ActiveMQ, and other products, does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.

CWE-20 Improper Input Validation

CVSSv2: Base Score: MEDIUM (5.8) Vector: /AV:N/AC:M/Au:N/C:P/I:P/A:N

References: BID - 56408 MISC - http://www.cs.utexas.edu/~shmat/shmat_ccs12.pdf MLIST - [axis-java-dev] 20190503 [jira] [Comment Edited] (AXIS-2905) Insecure certificate validation CVE-2014-3596 MLIST - [axis-java-dev] 20190503 [jira] [Commented] (AXIS-2905) Insecure certificate validation CVE-2014-3596 MLIST - [axis-java-dev] 20190907 [jira] [Commented] (AXIS-2905) Insecure certificate validation CVE-2014-3596 MLIST - [axis-java-dev] 20190909 [jira] [Commented] (AXIS-2905) Insecure certificate validation CVE-2014-3596 MLIST - [axis-java-dev] 20190909 [jira] [Resolved] (AXIS-2905) Insecure certificate validation CVE-2014-3596 REDHAT - RHSA-2013:0269 REDHAT - RHSA-2013:0683 REDHAT - RHSA-2014:0037 SECUNIA - 51219 SUSE - openSUSE-SU-2019:1497 SUSE - openSUSE-SU-2019:1526 XF - apache-axis-ssl-spoofing(79829)

Vulnerable Software & Versions: (show all)

cpe:2.3:a:apache:axis:*:*:*:*:*:*:*:* versions up to (including) 1.4 ...

CVE-2014-3596 suppress

The getCN function in Apache Axis 1.4 and earlier does not properly verify that the server hostname matches a domain name in the subject's Common Name (CN) or file:///Users/avinash/Downloads/ACE_v3.2_3rdPartyJars_Scanning_Report.html Page 11 of 26 Dependency-Check Report 03/03/20, 1231 PM

subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via a certificate with a subject that specifies a common name in a field that is not the CN field. NOTE: this issue exists because of an incomplete fix for CVE-2012-5784. CWE-297: Improper Validation of Certificate with Host Mismatch

NVD-CWE-Other

CVSSv2: Base Score: MEDIUM (5.8) Vector: /AV:N/AC:M/Au:N/C:P/I:P/A:N

References: BID - 69295 CONFIRM - http://linux.oracle.com/errata/ELSA-2014-1193.html MISC - https://issues.apache.org/jira/browse/AXIS-2905 MISC - https://www.oracle.com/security-alerts/cpujan2020.html MLIST - [axis-java-dev] 20190503 [jira] [Comment Edited] (AXIS-2905) Insecure certificate validation CVE-2014-3596 MLIST - [axis-java-dev] 20190503 [jira] [Commented] (AXIS-2905) Insecure certificate validation CVE-2014-3596 MLIST - [axis-java-dev] 20190907 [jira] [Commented] (AXIS-2905) Insecure certificate validation CVE-2014-3596 MLIST - [axis-java-dev] 20190909 [jira] [Commented] (AXIS-2905) Insecure certificate validation CVE-2014-3596 MLIST - [axis-java-dev] 20190909 [jira] [Resolved] (AXIS-2905) Insecure certificate validation CVE-2014-3596 MLIST - [oss-security] 20140820 CVE-2014-3596 - Apache Axis 1 vulnerable to MITM attack REDHAT - RHSA-2014:1193 SECTRACK - 1030745 SECUNIA - 61222 SUSE - openSUSE-SU-2019:1497 SUSE - openSUSE-SU-2019:1526 XF - apache-axis-cve20143596-spoofing(95377)

Vulnerable Software & Versions: (show all)

cpe:2.3:a:apache:axis:*:*:*:*:*:*:*:* versions up to (including) 1.4 ...

CVE-2018-8032 suppress

Apache Axis 1.x up to and including 1.4 is vulnerable to a cross-site scripting (XSS) attack in the default servlet/services.

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv2: Base Score: MEDIUM (4.3) Vector: /AV:N/AC:M/Au:N/C:N/I:N/A:N CVSSv3: Base Score: MEDIUM (6.1) Vector: /AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

References: CONFIRM - https://issues.apache.org/jira/browse/AXIS-2924 MISC - https://www.oracle.com/security-alerts/cpujan2020.html MISC - https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html MLIST - [axis-java-dev] 20180708 [jira] [Created] (AXIS-2924) CVE-2018-8032 XSS vulnerability MLIST - [axis-java-dev] 20190925 [jira] [Commented] (AXIS-2924) CVE-2018-8032 XSS vulnerability MLIST - [axis-java-dev] 20190929 [jira] [Commented] (AXIS-2924) CVE-2018-8032 XSS vulnerability

Vulnerable Software & Versions:

cpe:2.3:a:apache:axis:*:*:*:*:*:*:*:* versions from (including) 1.0; versions up to (including) 1.4

jquery-1.12.4.js

File Path: D:\BUILD\CONNECT\V_3.2\MySQL_PatchEnv\AdeptiaConnect-3.1\ConnectPortal\webapps\wars\SchemaUI\resources\jquery-1.12.4.js MD5: 6759c1abd2e24dba0e868bf698580a1a SHA1: b4d7acef6c5d3d0620af92e4d15e57f289bb4d97 SHA256:9239ec5e70dd809a33718b2671dbfb7e3a045d7e9b015933242af30c3deae19c

Evidence

Related Dependencies

Identifiers

pkg:javascript/[email protected] (Confidence:Highest)

Published Vulnerabilities

CVE-2015-9251 suppress

jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed.

file:///Users/avinash/Downloads/ACE_v3.2_3rdPartyJars_Scanning_Report.html Page 12 of 26 Dependency-Check Report 03/03/20, 1231 PM

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv2: Base Score: MEDIUM (4.3) Vector: /AV:N/AC:M/Au:N/C:N/I:N/A:N CVSSv3: Base Score: MEDIUM (6.1) Vector: /AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Vulnerable Software & Versions (NVD):

cpe:2.3:a:oracle:agile_product_lifecycle_management_for_process:6.2.1.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:agile_product_lifecycle_management_for_process:6.2.3.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:communications_services_gatekeeper:*:*:*:*:*:*:*:* versions up to (excluding) 6.1.0.4.0 cpe:2.3:a:oracle:enterprise_manager_ops_center:12.3.3:*:*:*:*:*:*:* cpe:2.3:a:oracle:healthcare_foundation:7.1:*:*:*:*:*:*:* cpe:2.3:a:oracle:primavera_gateway:16.2:*:*:*:*:*:*:* cpe:2.3:a:oracle:jdeveloper:11.1.1.9.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:*:*:*:*:*:*:*:* versions from (including) 7.3.3; versions up to (including) 7.3.5 cpe:2.3:a:oracle:insurance_insbridge_rating_and_underwriting:5.4:*:*:*:*:*:*:* cpe:2.3:a:oracle:utilities_mobile_workforce_management:2.3.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:siebel_ui_framework:18.11:*:*:*:*:*:*:* cpe:2.3:a:oracle:agile_product_lifecycle_management_for_process:6.2.3.1:*:*:*:*:*:*:* cpe:2.3:a:oracle:service_bus:12.1.3.0.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:financial_services_profitability_management:*:*:*:*:*:*:*:* versions from (including) 8.0.4; versions up to (including) 8.0.6 cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.55:*:*:*:*:*:*:* cpe:2.3:a:oracle:enterprise_operations_monitor:4.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:enterprise_operations_monitor:3.4:*:*:*:*:*:*:* cpe:2.3:a:oracle:retail_customer_insights:15.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:communications_interactive_session_recorder:6.1:*:*:*:*:*:*:* cpe:2.3:a:oracle:financial_services_hedge_management_and_ifrs_valuations:*:*:*:*:*:*:*:* versions from (including) 8.0.4; versions up to (including) 8.0.7 cpe:2.3:a:oracle:financial_services_asset_liability_management:*:*:*:*:*:*:*:* versions from (including) 8.0.4; versions up to (including) 8.0.7 cpe:2.3:a:oracle:insurance_insbridge_rating_and_underwriting:5.2:*:*:*:*:*:*:* cpe:2.3:a:oracle:financial_services_reconciliation_framework:8.0.6:*:*:*:*:*:*:* cpe:2.3:a:oracle:financial_services_market_risk_measurement_and_management:8.0.6:*:*:*:*:*:*:* cpe:2.3:a:oracle:oss_support_tools:19.1:*:*:*:*:*:*:* cpe:2.3:a:oracle:communications_interactive_session_recorder:6.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:agile_product_lifecycle_management_for_process:6.2.0.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:business_process_management_suite:12.2.1.3.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:financial_services_reconciliation_framework:8.0.5:*:*:*:*:*:*:* cpe:2.3:a:oracle:hospitality_reporting_and_analytics:9.1.0:*:*:*:*:*:*:*

CVE-2019-11358 suppress

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv2: Base Score: MEDIUM (4.3) Vector: /AV:N/AC:M/Au:N/C:N/I:N/A:N CVSSv3: Base Score: MEDIUM (6.1) Vector: /AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

References: BID - 108023 BUGTRAQ - 20190421 [SECURITY] [DSA 4434-1] drupal7 security update BUGTRAQ - 20190509 dotCMS v5.1.1 Vulnerabilities BUGTRAQ - 20190612 [SECURITY] [DSA 4460-1] mediawiki security update CONFIRM - https://security.netapp.com/advisory/ntap-20190919-0001/ CONFIRM - https://www.synology.com/security/advisory/Synology_SA_19_19 CONFIRM - https://www.tenable.com/security/tns-2019-08 DEBIAN - DSA-4434 DEBIAN - DSA-4460 FEDORA - FEDORA-2019-1a3edd7e8a FEDORA - FEDORA-2019-2a0ce0c58c FEDORA - FEDORA-2019-7eaf0bbe7c FEDORA - FEDORA-2019-a06dffab1c FEDORA - FEDORA-2019-eba8e44ee6 FEDORA - FEDORA-2019-f563e66380 FULLDISC - 20190510 Re: dotCMS v5.1.1 HTML Injection & XSS Vulnerability FULLDISC - 20190510 dotCMS v5.1.1 HTML Injection & XSS Vulnerability FULLDISC - 20190510 dotCMS v5.1.1 Vulnerabilities MISC - http://packetstormsecurity.com/files/152787/dotCMS-5.1.1-Vulnerable-Dependencies.html MISC - http://packetstormsecurity.com/files/153237/RetireJS-CORS-Issue-Script-Execution.html MISC - https://backdropcms.org/security/backdrop-sa-core-2019-009 MISC - https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/ MISC - https://github.com/jquery/jquery/commit/753d591aea698e57d6db58c9f722cd0808619b1b MISC - https://github.com/jquery/jquery/pull/4333 MISC - https://snyk.io/vuln/SNYK-JS-JQUERY-174006 MISC - https://www.drupal.org/sa-core-2019-006 MISC - https://www.oracle.com/security-alerts/cpujan2020.html MISC - https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html MISC - https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html MISC - https://www.privacy-wise.com/mitigating-cve-2019-11358-in-old-versions-of-jquery/ MLIST - [airflow-commits] 20190428 [GitHub] [airflow] XD-DENG commented on issue #5197: [AIRFLOW-XXX] Fix CVE-2019-11358 MLIST - [airflow-commits] 20190428 [GitHub] [airflow] XD-DENG merged pull request #5197: [AIRFLOW-XXX] Fix CVE-2019-11358 MLIST - [airflow-commits] 20190428 [GitHub] [airflow] codecov-io commented on issue #5197: [AIRFLOW-XXX] Fix CVE-2019-11358 MLIST - [airflow-commits] 20190428 [GitHub] [airflow] feng-tao commented on issue #5197: [AIRFLOW-XXX] Fix CVE-2019-11358 MLIST - [airflow-commits] 20190428 [GitHub] [airflow] feng-tao opened a new pull request #5197: [AIRFLOW-XXX] Fix CVE-2019-11358 MLIST - [debian-lts-announce] 20190506 [SECURITY] [DLA 1777-1] jquery security update MLIST - [debian-lts-announce] 20190520 [SECURITY] [DLA 1797-1] drupal7 security update MLIST - [drill-dev] 20191017 Dependencies used by Drill contain known vulnerabilities MLIST - [drill-dev] 20191021 [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities MLIST - [drill-issues] 20191021 [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities MLIST - [nifi-commits] 20191113 svn commit: r1869773 - /nifi/site/trunk/security.html MLIST - [nifi-commits] 20200123 svn commit: r1873083 - /nifi/site/trunk/security.html MLIST - [oss-security] 20190603 Django: CVE-2019-12308 AdminURLFieldWidget XSS (plus patched bundled jQuery for CVE-2019-11358) MLIST - [roller-commits] 20190820 [jira] [Created] (ROL-2150) Fix Js security vulnerabilities detected using retire js REDHAT - RHBA-2019:1570 REDHAT - RHSA-2019:1456 REDHAT - RHSA-2019:2587 REDHAT - RHSA-2019:3023 REDHAT - RHSA-2019:3024 SUSE - openSUSE-SU-2019:1839 file:///Users/avinash/Downloads/ACE_v3.2_3rdPartyJars_Scanning_Report.html Page 14 of 26 Dependency-Check Report 03/03/20, 1231 PM

SUSE - openSUSE-SU-2019:1872 info - info info - info info - info

Vulnerable Software & Versions (NVD):

filters-2.0.235.jar

Description:

A collection of image processing filters.

License:

Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0

File Path: D:\BUILD\CONNECT\V_3.2\MySQL_PatchEnv\AdeptiaConnect-3.1\ConnectServer\AdeptiaServer\ServerKernel\dependency\common\filters-2.0.235.jar MD5: d91073d6b28e2505e96620709626495f SHA1: af6a2dfefef70f1ab2d7a8d1f8173f67e276b3f4 SHA256:be6a1d54ebb043495e31e25e72b440f69156a5624cdd7e1c55c47e30d4fae308

Evidence

Identifiers

pkg:maven/com.jhlabs/[email protected] (Confidence:High) cpe:2.3:a:image_processing_software:image_processing_software:2.0.235:*:*:*:*:*:*:* (Confidence:Low) suppress

Published Vulnerabilities

CVE-2005-0406 suppress

A design flaw in image processing software that modifies JPEG images might not modify the original EXIF thumbnail, which could lead to an information leak of potentially sensitive visual information that had been removed from the main JPEG image.

NVD-CWE-Other

CVSSv2: Base Score: LOW (2.1) Vector: /AV:L/AC:L/Au:N/C:P/I:P/A:N

References: FULLDISC - 20050214 Advisory: JPEG EXIF information disclosure MISC - http://www.redteam-pentesting.de/advisories/rt-sa-2005-008.txt

Vulnerable Software & Versions:

cpe:2.3:a:image_processing_software:image_processing_software:*:*:*:*:*:*:*:*

jakarta-slide-webdavlib-2.1.jar

File Path: D:\BUILD\CONNECT\V_3.2\MySQL_PatchEnv\AdeptiaConnect-3.1\ConnectServer\AdeptiaServer\ServerKernel\dependency\common\jakarta-slide-webdavlib-2.1.jar MD5: 72d438422f784e7a6aeb323e1300ae52 SHA1: bb5f289eea39b2410b848cf84977008fc86ca0b2 SHA256:222d02f94539a132f271a3b01515d3b667c68d394160eac63cc76fbca3e74d3c

Evidence

Identifiers

cpe:2.3:a:apache:jakarta_slide:2.1:*:*:*:*:*:*:* (Confidence:Highest) suppress

file:///Users/avinash/Downloads/ACE_v3.2_3rdPartyJars_Scanning_Report.html Page 15 of 26 Dependency-Check Report 03/03/20, 1231 PM

Published Vulnerabilities

CVE-2007-5731 suppress

Absolute path traversal vulnerability in Apache Jakarta Slide 2.1 and earlier allows remote authenticated users to read arbitrary files via a WebDAV write request that specifies an entity with a SYSTEM tag, a related issue to CVE-2007-5461.

CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVSSv2: Base Score: LOW (3.5) Vector: /AV:N/AC:M/Au:S/C:P/I:P/A:N

References: CONFIRM - http://svn.apache.org/viewvc/jakarta/slide/trunk/src/webdav/server/org/apache/slide/webdav/method/LockMethod.java? view=log&sortby=date&pathrev=590976 EXPLOIT-DB - 4567 OSVDB - 38673 SECUNIA - 27467 VUPEN - ADV-2007-3699

Vulnerable Software & Versions:

cpe:2.3:a:apache:jakarta_slide:2.1:*:*:*:*:*:*:*

apache-jsp-9.0.29.jar

Description:

A rebundling of Apache Tomcat Jasper to remove the tomcat server dependencies, so that the JSP engine can be used by the Eclipse Jetty project.

License:

http://www.apache.org/licenses/LICENSE-2.0

File Path: D:\BUILD\CONNECT\V_3.2\MySQL_PatchEnv\AdeptiaConnect-3.1\ConnectServer\AdeptiaServer\ServerKernel\dependency\webrunner\apache-jsp-9.0.29.jar MD5: 5344ecdb310422b2a24134873d806cfa SHA1: 0e2b3d5c4fbc95be51443f2c6aedbc2e7284e75c SHA256:b5613bb2bfebb1a344b9f76845804fbfd733470def167d1c257f6569790d682e

Evidence

Identifiers

pkg:maven/org.mortbay.jasper/[email protected] (Confidence:High) cpe:2.3:a:apache:tomcat:9.0.29:*:*:*:*:*:*:* (Confidence:Low) suppress cpe:2.3:a:apache_software_foundation:tomcat:9.0.29:*:*:*:*:*:*:* (Confidence:Low) suppress

Published Vulnerabilities

CVE-2016-5425 suppress

The Tomcat package on Red Hat Enterprise Linux (RHEL) 7, Fedora, CentOS, Oracle Linux, and possibly other Linux distributions uses weak permissions for /usr/lib/tmpfiles.d/tomcat.conf, which allows local users to gain root privileges by leveraging membership in the tomcat group.

CWE-264 Permissions, Privileges, and Access Controls

CVSSv2: Base Score: HIGH (7.2) Vector: /AV:L/AC:L/Au:N/C:C/I:C/A:C CVSSv3: Base Score: HIGH (7.8) Vector: /AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

References: BID - 93472 CONFIRM - http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2016-3090545.html EXPLOIT-DB - 40488 MISC - http://legalhackers.com/advisories/Tomcat-RedHat-Pkgs-Root-PrivEsc-Exploit-CVE-2016-5425.html MISC - http://packetstormsecurity.com/files/139041/Apache-Tomcat-8-7-6-Privilege-Escalation.html MISC - https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html MLIST - [activemq-issues] 20190925 [jira] [Created] (AMQ-7310) Security Vulnerabilities in Tomcat-websocket-api.jar MLIST - [oss-security] 20161010 CVE-2016-5425 - Apache Tomcat packaging on RedHat-based distros - Root Privilege Escalation (affecting CentOS, Fedora, OracleLinux, RedHat etc.) REDHAT - RHSA-2016:2046 SECTRACK - 1036979

Vulnerable Software & Versions:

cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:* file:///Users/avinash/Downloads/ACE_v3.2_3rdPartyJars_Scanning_Report.html Page 16 of 26 Dependency-Check Report 03/03/20, 1231 PM

CVE-2019-17563 suppress

When using FORM authentication with Apache Tomcat 9.0.0.M1 to 9.0.29, 8.5.0 to 8.5.49 and 7.0.0 to 7.0.98 there was a narrow window where an attacker could perform a session fixation attack. The window was considered too narrow for an exploit to be practical but, erring on the side of caution, this issue has been treated as a security vulnerability.

CWE-384 Session Fixation

CVSSv2: Base Score: MEDIUM (5.1) Vector: /AV:N/AC:H/Au:N/C:P/I:P/A:P

References: BUGTRAQ - 20191229 [SECURITY] [DSA 4596-1] tomcat8 security update CONFIRM - https://lists.apache.org/thread.html/8b4c1db8300117b28a0f3f743c0b9e3f964687a690cdf9662a884bbd%40%3Cannounce.tomcat.apache.org%3E CONFIRM - https://security.netapp.com/advisory/ntap-20200107-0001/ DEBIAN - DSA-4596 MLIST - [debian-lts-announce] 20200127 [SECURITY] [DLA 2077-1] tomcat7 security update MLIST - [tomcat-dev] 20200203 svn commit: r1873527 [24/30] - /tomcat/site/trunk/docs/ MLIST - [tomcat-dev] 20200203 svn commit: r1873527 [25/30] - /tomcat/site/trunk/docs/ SUSE - openSUSE-SU-2020:0038 UBUNTU - USN-4251-1

Vulnerable Software & Versions: (show all)

cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:* versions from (including) 9.0.0; versions up to (including) 9.0.29 ...

python36.dll

File Path: D:\BUILD\CONNECT\V_3.2\MySQL_PatchEnv\AdeptiaConnect-3.1\ConnectServer\AdeptiaServer\ServerKernel\AIMap\python36.dll MD5: 77e62e4a3ff434ce90a434827829a2b9 SHA1: dbddb18f7140a898d80869bfe3a60739b81bbcd7 SHA256:ec25af091ac1a5b13a0d5d4e3980148a0279faf2f598c77708e77b49c3694563

Evidence

Identifiers

cpe:2.3:a:python:python:36:*:*:*:*:*:*:* (Confidence:High) suppress cpe:2.3:a:python_software_foundation:python:36:*:*:*:*:*:*:* (Confidence:High) suppress

Published Vulnerabilities

CVE-2007-4559 suppress

Directory traversal vulnerability in the (1) extract and (2) extractall functions in the tarfile module in Python allows user-assisted remote attackers to overwrite arbitrary files via a .. (dot dot) sequence in filenames in a TAR archive, a related issue to CVE-2001-1267.

CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVSSv2: Base Score: MEDIUM (6.8) Vector: /AV:N/AC:M/Au:N/C:P/I:P/A:P

References: CONFIRM - https://bugzilla.redhat.com/show_bug.cgi?id=263261 MLIST - [python-dev] 20070824 tarfile and directory traversal vulnerability MLIST - [python-dev] 20070825 tarfile and directory traversal vulnerability SECUNIA - 26623 VUPEN - ADV-2007-3022

Vulnerable Software & Versions:

cpe:2.3:a:python_software_foundation:python:*:*:*:*:*:*:*:*

log4j-1.2.17.jar

Description:

Apache Log4j 1.2

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt file:///Users/avinash/Downloads/ACE_v3.2_3rdPartyJars_Scanning_Report.html Page 17 of 26 Dependency-Check Report 03/03/20, 1231 PM

File Path: D:\BUILD\CONNECT\V_3.2\MySQL_PatchEnv\AdeptiaConnect-3.1\ConnectServer\AdeptiaServer\ServerKernel\dependency\common\log4j-1.2.17.jar MD5: 8afa47a3fe1e7eefee70e5390d1f99fa SHA1: cbe7f826dbc4bcb03f37f12ca7e2687d9853987a SHA256:6b099b29627499b4b141fb4b4d3e8e1fe530a650249f9b39278bc30ad31b4475

Evidence

Identifiers

pkg:maven/log4j/[email protected] (Confidence:High) cpe:2.3:a:apache:log4j:1.2.17:*:*:*:*:*:*:* (Confidence:Highest) suppress

Published Vulnerabilities

CVE-2019-17571 suppress

Included in Log4j 1.2 is a SocketServer class that is vulnerable to deserialization of untrusted data which can be exploited to remotely execute arbitrary code when combined with a deserialization gadget when listening to untrusted network traffic for log data. This affects Log4j versions up to 1.2 up to 1.2.17.

CWE-502 Deserialization of Untrusted Data

CVSSv2: Base Score: HIGH (7.5) Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P

References: CONFIRM - https://lists.apache.org/thread.html/eea03d504b36e8f870e8321d908e1def1addda16adda04327fe7c125%40%3Cdev.logging.apache.org%3E CONFIRM - https://security.netapp.com/advisory/ntap-20200110-0001/ MLIST - [activemq-issues] 20191226 [jira] [Created] (AMQ-7370) log4j 1.2 version used by AMQ 5.15.10 / 5.15.11 is vulnerable to CVE-2019-17571 MLIST - [activemq-issues] 20191230 [jira] [Created] (AMQ-7372) [9.8] [CVE-2019-17571] [activemq-all] [5.15.10] MLIST - [activemq-issues] 20200122 [jira] [Assigned] (AMQ-7370) log4j 1.2 version used by AMQ 5.15.10 / 5.15.11 is vulnerable to CVE-2019-17571 MLIST - [activemq-issues] 20200122 [jira] [Assigned] (AMQ-7372) [9.8] [CVE-2019-17571] [activemq-all] [5.15.10] MLIST - [activemq-issues] 20200122 [jira] [Resolved] (AMQ-7372) [9.8] [CVE-2019-17571] [activemq-all] [5.15.10] MLIST - [activemq-issues] 20200122 [jira] [Updated] (AMQ-7370) log4j 1.2 version used by AMQ 5.15.10 / 5.15.11 is vulnerable to CVE-2019-17571 MLIST - [activemq-issues] 20200122 [jira] [Updated] (AMQ-7372) [9.8] [CVE-2019-17571] [activemq-all] [5.15.10] MLIST - [activemq-issues] 20200127 [jira] [Commented] (AMQ-7370) log4j 1.2 version used by AMQ 5.15.10 / 5.15.11 is vulnerable to CVE-2019-17571 MLIST - [debian-lts-announce] 20200112 [SECURITY] [DLA 2065-1] apache-log4j1.2 security update MLIST - [kafka-dev] 20200105 [jira] [Created] (KAFKA-9366) please consider upgrade log4j to log4j2 due to critical security problem CVE-2019-17571 MLIST - [kafka-jira] 20200105 [jira] [Created] (KAFKA-9366) please consider upgrade log4j to log4j2 due to critical security problem CVE-2019-17571 MLIST - [kafka-jira] 20200105 [jira] [Updated] (KAFKA-9366) please consider upgrade log4j to log4j2 due to critical security problem CVE-2019-17571 MLIST - [kafka-jira] 20200106 [jira] [Assigned] (KAFKA-9366) please consider upgrade log4j to log4j2 due to critical security problem CVE-2019-17571 MLIST - [kafka-jira] 20200106 [jira] [Commented] (KAFKA-9366) please consider upgrade log4j to log4j2 due to critical security problem CVE-2019-17571 MLIST - [kafka-jira] 20200107 [jira] [Updated] (KAFKA-9366) please consider upgrade log4j to log4j2 due to critical security problem CVE-2019-17571 MLIST - [tika-dev] 20191226 [jira] [Commented] (TIKA-3018) log4j 1.2 version used by Apache Tika 1.23 is vulnerable to CVE-2019-17571 MLIST - [tika-dev] 20191226 [jira] [Created] (TIKA-3018) log4j 1.2 version used by Apache Tika 1.23 is vulnerable to CVE-2019-17571 MLIST - [tika-dev] 20191230 [jira] [Created] (TIKA-3019) [9.8] [CVE-2019-17571] [tika-app] [1.23] MLIST - [tika-dev] 20200106 [jira] [Commented] (TIKA-3019) [9.8] [CVE-2019-17571] [tika-app] [1.23] MLIST - [tika-dev] 20200107 [jira] [Commented] (TIKA-3019) [9.8] [CVE-2019-17571] [tika-app] [1.23] MLIST - [tika-dev] 20200108 [jira] [Commented] (TIKA-3019) [9.8] [CVE-2019-17571] [tika-app] [1.23] MLIST - [tika-dev] 20200110 [jira] [Commented] (TIKA-3019) [9.8] [CVE-2019-17571] [tika-app] [1.23] MLIST - [tika-dev] 20200111 Re: [jira] [Commented] (TIKA-3018) log4j 1.2 version used by Apache Tika 1.23 is vulnerable to CVE-2019-17571 MLIST - [tika-dev] 20200111 [jira] [Closed] (TIKA-3018) log4j 1.2 version used by Apache Tika 1.23 is vulnerable to CVE-2019-17571 MLIST - [tika-dev] 20200111 [jira] [Resolved] (TIKA-3018) log4j 1.2 version used by Apache Tika 1.23 is vulnerable to CVE-2019-17571 MLIST - [tika-dev] 20200114 [jira] [Commented] (TIKA-3019) [9.8] [CVE-2019-17571] [tika-app] [1.23] MLIST - [tika-dev] 20200115 [jira] [Commented] (TIKA-3019) [9.8] [CVE-2019-17571] [tika-app] [1.23] MLIST - [zookeeper-commits] 20200118 [zookeeper] branch branch-3.5 updated: ZOOKEEPER-3677: owasp checker failing for - CVE-2019-17571 Apache Log4j 1.2 deserialization of untrusted data in SocketServer MLIST - [zookeeper-commits] 20200118 [zookeeper] branch branch-3.6 updated: ZOOKEEPER-3677: owasp checker failing for - CVE-2019-17571 Apache Log4j 1.2 deserialization of untrusted data in SocketServer MLIST - [zookeeper-commits] 20200118 [zookeeper] branch master updated: ZOOKEEPER-3677: owasp checker failing for - CVE-2019-17571 Apache Log4j 1.2 deserialization of untrusted data in SocketServer MLIST - [zookeeper-dev] 20200107 [jira] [Created] (ZOOKEEPER-3677) owasp checker failing for - CVE-2019-17571 Apache Log4j 1.2 deserialization of untrusted data in SocketServer MLIST - [zookeeper-dev] 20200118 Build failed in Jenkins: zookeeper-master-maven-owasp #329 MLIST - [zookeeper-issues] 20200107 [jira] [Commented] (ZOOKEEPER-3677) owasp checker failing for - CVE-2019-17571 Apache Log4j 1.2 deserialization of untrusted data in SocketServer MLIST - [zookeeper-issues] 20200107 [jira] [Created] (ZOOKEEPER-3677) owasp checker failing for - CVE-2019-17571 Apache Log4j 1.2 deserialization of untrusted data in SocketServer MLIST - [zookeeper-issues] 20200108 [jira] [Assigned] (ZOOKEEPER-3677) owasp checker failing for - CVE-2019-17571 Apache Log4j 1.2 deserialization of untrusted data in SocketServer MLIST - [zookeeper-issues] 20200108 [jira] [Commented] (ZOOKEEPER-3677) owasp checker failing for - CVE-2019-17571 Apache Log4j 1.2 deserialization of untrusted data in SocketServer MLIST - [zookeeper-issues] 20200108 [jira] [Updated] (ZOOKEEPER-3677) owasp checker failing for - CVE-2019-17571 Apache Log4j 1.2 deserialization of untrusted data in SocketServer MLIST - [zookeeper-issues] 20200118 [jira] [Resolved] (ZOOKEEPER-3677) owasp checker failing for - CVE-2019-17571 Apache Log4j 1.2 deserialization of untrusted data in SocketServer MLIST - [zookeeper-issues] 20200129 [jira] [Updated] (ZOOKEEPER-3677) owasp checker failing for - CVE-2019-17571 Apache Log4j 1.2 deserialization of untrusted data in SocketServer MLIST - [zookeeper-notifications] 20200108 [GitHub] [zookeeper] eolivelli opened a new pull request #1209: ZOOKEEPER-3677 owasp checker failing for - CVE- 2019-17571 Apache Log4j 1.2 deserialization of untrusted data in SocketServer MLIST - [zookeeper-notifications] 20200118 [GitHub] [zookeeper] asfgit closed pull request #1209: ZOOKEEPER-3677 owasp checker failing for - CVE-2019- 17571 Apache Log4j 1.2 deserialization of untrusted data in SocketServer SUSE - openSUSE-SU-2020:0051

Vulnerable Software & Versions:

cpe:2.3:a:apache:log4j:*:*:*:*:*:*:*:* versions from (including) 1.2; versions up to (including) 1.2.17

file:///Users/avinash/Downloads/ACE_v3.2_3rdPartyJars_Scanning_Report.html Page 18 of 26 Dependency-Check Report 03/03/20, 1231 PM

not-yet-commons-ssl-0.3.9.jar

Description:

A Java SSL component library

License:

Apache License v2: http://juliusdavies.ca/commons-ssl/LICENSE.txt

File Path: D:\BUILD\CONNECT\V_3.2\MySQL_PatchEnv\AdeptiaConnect-3.1\ConnectPortal\webapps\wars\ROOT\WEB-INF\lib\not-yet-commons-ssl-0.3.9.jar MD5: 478a6177330a0098435828a8409f49c1 SHA1: e20f0960c000681c91d00de846a43cf2051b8f69 SHA256:198100753dbc631c97a8e86422c12630a0c3d89d06b33313a3c2550af651c174

Evidence

Related Dependencies

Identifiers

pkg:maven/ca.juliusdavies/[email protected] (Confidence:High) cpe:2.3:a:not_yet_commons_ssl_project:not_yet_commons_ssl:0.3.9:*:*:*:*:*:*:* (Confidence:Highest) suppress

Published Vulnerabilities

CVE-2014-3604 suppress

Certificates.java in Not Yet Commons SSL before 0.3.15 does not properly verify that the server hostname matches a domain name in the subject's Common Name (CN) field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.

CWE-310 Cryptographic Issues

CVSSv2: Base Score: MEDIUM (6.8) Vector: /AV:N/AC:M/Au:N/C:P/I:P/A:P

References: CONFIRM - http://juliusdavies.ca/svn/viewvc.cgi/not-yet-commons-ssl?view=rev&revision=172 MISC - https://bugzilla.redhat.com/show_bug.cgi?id=1131803 MISC - https://github.com/victims/victims-cve-db/blob/master/database/java/2014/3604.yaml OSSINDEX - [CVE-2014-3604] Cryptographic Issues REDHAT - RHSA-2015:1888 XF - notyetcommons-cve20143604-sec-bypass(97659)

Vulnerable Software & Versions:

cpe:2.3:a:not_yet_commons_ssl_project:not_yet_commons_ssl:*:*:*:*:*:*:*:* versions up to (including) 0.3.14

spring-core-5.2.2.RELEASE.jar

Description:

Spring Core

License:

Apache License, Version 2.0: https://www.apache.org/licenses/LICENSE-2.0

File Path: D:\BUILD\CONNECT\V_3.2\MySQL_PatchEnv\AdeptiaConnect-3.1\ConnectPortal\webapps\wars\ROOT\WEB-INF\lib\spring-core-5.2.2.RELEASE.jar MD5: af31f2ae937e45b71fa038cc0c010019 SHA1: bfcf2f6d0494d89db63ae170b8491223c93a88dc SHA256:94459936895f669c8bdd794be79850b73a9b980cc01a4aec88f373f150002b70

Evidence

Related Dependencies

Identifiers

pkg:maven/org.springframework/[email protected] (Confidence:High)

file:///Users/avinash/Downloads/ACE_v3.2_3rdPartyJars_Scanning_Report.html Page 19 of 26 Dependency-Check Report 03/03/20, 1231 PM

cpe:2.3:a:pivotal_software:spring_framework:5.2.2.release:*:*:*:*:*:*:* (Confidence:Highest) suppress cpe:2.3:a:springsource:spring_framework:5.2.2.release:*:*:*:*:*:*:* (Confidence:Highest) suppress cpe:2.3:a:vmware:springsource_spring_framework:5.2.2:*:*:*:*:*:*:* (Confidence:Low) suppress

Published Vulnerabilities

CVE-2020-5397 suppress

Spring Framework, versions 5.2.x prior to 5.2.3 are vulnerable to CSRF attacks through CORS preflight requests that target Spring MVC (spring-webmvc module) or Spring WebFlux (spring-webflux module) endpoints. Only non-authenticated endpoints are vulnerable because preflight requests should not include credentials and therefore requests should fail authentication. However a notable exception to this are Chrome based browsers when using client certificates for authentication since Chrome sends TLS client certificates in CORS preflight requests in violation of spec requirements. No HTTP body can be sent or received as a result of this attack.

CWE-352 Cross-Site Request Forgery (CSRF)

CVSSv2: Base Score: LOW (2.6) Vector: /AV:N/AC:H/Au:N/C:N/I:N/A:N

References: CONFIRM - https://pivotal.io/security/cve-2020-5397

Vulnerable Software & Versions:

cpe:2.3:a:pivotal_software:spring_framework:*:*:*:*:*:*:*:* versions from (including) 5.2.0; versions up to (excluding) 5.2.3

CVE-2020-5398 suppress

In Spring Framework, versions 5.2.x prior to 5.2.3, versions 5.1.x prior to 5.1.13, and versions 5.0.x prior to 5.0.16, an application is vulnerable to a reflected file download (RFD) attack when it sets a "Content-Disposition" header in the response where the filename attribute is derived from user supplied input.

CWE-494 Download of Code Without Integrity Check

CVSSv2: Base Score: HIGH (7.6) Vector: /AV:N/AC:H/Au:N/C:C/I:C/A:C

References: CONFIRM - https://pivotal.io/security/cve-2020-5398

Vulnerable Software & Versions: (show all)

cpe:2.3:a:pivotal_software:spring_framework:*:*:*:*:*:*:*:* versions from (including) 5.2.0; versions up to (excluding) 5.2.3 ...

PDFxStream-1.0.jar

File Path: D:\BUILD\CONNECT\V_3.2\MySQL_PatchEnv\AdeptiaConnect-3.1\ConnectServer\AdeptiaServer\ServerKernel\dependency\common\PDFxStream-1.0.jar MD5: 5938ce2f39d8ef8d0b2149f005c4960c SHA1: 3394db90ad55730c2ff6dc10253ad4cf3c6f4d72 SHA256:08fa8ca230235a17ad1449ebc9dfd9f2e338b9bddd9383cb9e703104eaf04e21

Evidence

Identifiers

cpe:2.3:a:snowtide:pdfxstream:1.0:*:*:*:*:*:*:* (Confidence:Low) suppress

Published Vulnerabilities

CVE-2019-17063 suppress

In Snowtide PDFxStream before 3.7.1 (for Java), a crafted PDF file can trigger an extremely long running computation because of page-tree mishandling.

CWE-20 Improper Input Validation

CVSSv2: Base Score: MEDIUM (4.3) Vector: /AV:N/AC:M/Au:N/C:N/I:N/A:P

References: MISC - http://downloads.snowtide.com/CHANGELOG.html

Vulnerable Software & Versions:

cpe:2.3:a:snowtide:pdfxstream:*:*:*:*:*:*:*:* versions up to (excluding) 3.7.1

file:///Users/avinash/Downloads/ACE_v3.2_3rdPartyJars_Scanning_Report.html Page 20 of 26 Dependency-Check Report 03/03/20, 1231 PM

castor-doclet-0.4.6.jar

File Path: D:\BUILD\CONNECT\V_3.2\MySQL_PatchEnv\AdeptiaConnect-3.1\ConnectServer\AdeptiaServer\ServerKernel\dependency\common\castor-doclet-0.4.6.jar MD5: c4fa43c973afcd480f8ed6b37f4d9b6a SHA1: bfdf4c5c77dcee0f425029028e75e7d15d9cf154 SHA256:f3788346a1190cb3c4330a8a1a2f368a77cf7fa76918e4bbdcd1e7ac7f3b2b2d

Evidence

Identifiers

cpe:2.3:a:castor_project:castor:0.4.6:*:*:*:*:*:*:* (Confidence:Low) suppress

Published Vulnerabilities

CVE-2014-3004 suppress

The default configuration for the Xerces SAX Parser in Castor before 1.3.3 allows context-dependent attackers to conduct XML External Entity (XXE) attacks via a crafted XML document.

CWE-611 Improper Restriction of XML External Entity Reference ('XXE')

CVSSv2: Base Score: MEDIUM (4.3) Vector: /AV:N/AC:M/Au:N/C:P/I:P/A:N

Vulnerable Software & Versions: (show all)

cpe:2.3:a:castor_project:castor:*:*:*:*:*:*:*:* versions up to (including) 1.3.2 ...

spring-tx-5.2.2.RELEASE.jar

Description:

Spring Transaction

License:

Apache License, Version 2.0: https://www.apache.org/licenses/LICENSE-2.0

File Path: D:\BUILD\CONNECT\V_3.2\MySQL_PatchEnv\AdeptiaConnect-3.1\ConnectServer\AdeptiaServer\ServerKernel\dependency\common\spring-tx-5.2.2.RELEASE.jar MD5: 291345def43a9414dbc714dfded9a137 SHA1: 2af860baa0b094e13786613e15e1804edb7a5977 SHA256:dcbde9808b6bff2ea1ab3fa33eb12ba5d03db54ba16810206dd41d0ad6ec0dff

Evidence

Related Dependencies

Identifiers

pkg:maven/org.springframework/[email protected] (Confidence:High) cpe:2.3:a:pivotal_software:spring_framework:5.2.2.release:*:*:*:*:*:*:* (Confidence:Highest) suppress cpe:2.3:a:springsource:spring_framework:5.2.2.release:*:*:*:*:*:*:* (Confidence:Highest) suppress cpe:2.3:a:vmware:springsource_spring_framework:5.2.2:*:*:*:*:*:*:* (Confidence:Low) suppress

Published Vulnerabilities file:///Users/avinash/Downloads/ACE_v3.2_3rdPartyJars_Scanning_Report.html Page 21 of 26 Dependency-Check Report 03/03/20, 1231 PM

CVE-2020-5397 suppress

CWE-352 Cross-Site Request Forgery (CSRF)

CVSSv2: Base Score: LOW (2.6) Vector: /AV:N/AC:H/Au:N/C:N/I:N/A:N

References: CONFIRM - https://pivotal.io/security/cve-2020-5397

Vulnerable Software & Versions:

cpe:2.3:a:pivotal_software:spring_framework:*:*:*:*:*:*:*:* versions from (including) 5.2.0; versions up to (excluding) 5.2.3

CVE-2020-5398 suppress

CWE-494 Download of Code Without Integrity Check

CVSSv2: Base Score: HIGH (7.6) Vector: /AV:N/AC:H/Au:N/C:C/I:C/A:C

References: CONFIRM - https://pivotal.io/security/cve-2020-5398

Vulnerable Software & Versions: (show all)

cpe:2.3:a:pivotal_software:spring_framework:*:*:*:*:*:*:*:* versions from (including) 5.2.0; versions up to (excluding) 5.2.3 ...

spring-web-5.2.1.RELEASE.jar

Description:

Spring Web

License:

Apache License, Version 2.0: https://www.apache.org/licenses/LICENSE-2.0

File Path: D:\BUILD\CONNECT\V_3.2\MySQL_PatchEnv\AdeptiaConnect-3.1\ConnectPortal\webapps\wars\ROOT\WEB-INF\lib\spring-web-5.2.1.RELEASE.jar MD5: a4e0d90be3153154ff3c5e3a3da4d0be SHA1: 4f1dfe592951c312b52de469f1940b1cb0455226 SHA256:db16f4fc7bdadff7413a29c25ae61fc9e72f89519dc30f16142eb11daf269ca4

Evidence

Related Dependencies

Identifiers

pkg:maven/org.springframework/[email protected] (Confidence:High) cpe:2.3:a:pivotal_software:spring_framework:5.2.1.release:*:*:*:*:*:*:* (Confidence:Highest) suppress cpe:2.3:a:springsource:spring_framework:5.2.1.release:*:*:*:*:*:*:* (Confidence:Highest) suppress cpe:2.3:a:vmware:springsource_spring_framework:5.2.1:*:*:*:*:*:*:* (Confidence:Low) suppress

Published Vulnerabilities

CVE-2020-5397 suppress

CWE-352 Cross-Site Request Forgery (CSRF)

CVSSv2: Base Score: LOW (2.6) file:///Users/avinash/Downloads/ACE_v3.2_3rdPartyJars_Scanning_Report.html Page 22 of 26 Dependency-Check Report 03/03/20, 1231 PM

Vector: /AV:N/AC:H/Au:N/C:N/I:N/A:N

References: CONFIRM - https://pivotal.io/security/cve-2020-5397

Vulnerable Software & Versions:

cpe:2.3:a:pivotal_software:spring_framework:*:*:*:*:*:*:*:* versions from (including) 5.2.0; versions up to (excluding) 5.2.3

CVE-2020-5398 suppress

CWE-494 Download of Code Without Integrity Check

CVSSv2: Base Score: HIGH (7.6) Vector: /AV:N/AC:H/Au:N/C:C/I:C/A:C

References: CONFIRM - https://pivotal.io/security/cve-2020-5398

Vulnerable Software & Versions: (show all)

cpe:2.3:a:pivotal_software:spring_framework:*:*:*:*:*:*:*:* versions from (including) 5.2.0; versions up to (excluding) 5.2.3 ...

jquery-1.11.1.min.js

File Path: D:\BUILD\CONNECT\V_3.2\MySQL_PatchEnv\AdeptiaConnect-3.1\ConnectPortal\webapps\wars\pd\resources\jqueryui-ruler\js\jquery-1.11.1.min.js MD5: 4dc834d16a0d219d5c2b8a5b814569e4 SHA1: 4fbe0563917d6f6289e4e1b4a0a8758e4e43bda9 SHA256:91222f96f34735ebc88df208017e54d4329b9202e3e52367fb8b149698a1a5ef

Evidence

Related Dependencies

Identifiers

pkg:javascript/[email protected] (Confidence:Highest)

Published Vulnerabilities

CVE-2015-9251 suppress

jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed.

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv2: Base Score: MEDIUM (4.3) Vector: /AV:N/AC:M/Au:N/C:N/I:N/A:N CVSSv3: Base Score: MEDIUM (6.1) Vector: /AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

MISC - https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html MLIST - [drill-dev] 20191017 Dependencies used by Drill contain known vulnerabilities MLIST - [drill-dev] 20191021 [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities MLIST - [drill-issues] 20191021 [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities MLIST - [flink-dev] 20190811 Apache flink 1.7.2 security issues MLIST - [flink-user] 20190811 Apache flink 1.7.2 security issues MLIST - [flink-user] 20190813 Apache flink 1.7.2 security issues MLIST - [flink-user] 20190813 Re: Apache flink 1.7.2 security issues MLIST - [roller-commits] 20190820 [jira] [Created] (ROL-2150) Fix Js security vulnerabilities detected using retire js info - info info - info info - info info - info

Vulnerable Software & Versions (NVD):

cpe:2.3:a:oracle:financial_services_market_risk_measurement_and_management:8.0.5:*:*:*:*:*:*:* cpe:2.3:a:oracle:retail_workforce_management_software:1.60.9:*:*:*:*:*:*:* cpe:2.3:a:oracle:endeca_information_discovery_studio:3.1.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:primavera_gateway:17.12:*:*:*:*:*:*:* cpe:2.3:a:oracle:financial_services_data_integration_hub:*:*:*:*:*:*:*:* versions from (including) 8.0.5; versions up to (including) 8.0.7 cpe:2.3:a:oracle:siebel_ui_framework:18.10:*:*:*:*:*:*:* cpe:2.3:a:oracle:jdeveloper:12.1.3.0.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:financial_services_liquidity_risk_management:*:*:*:*:*:*:*:* versions from (including) 8.0.2; versions up to (including) 8.0.6 cpe:2.3:a:oracle:healthcare_foundation:7.2:*:*:*:*:*:*:* cpe:2.3:a:oracle:jdeveloper:12.2.1.3.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:communications_converged_application_server:*:*:*:*:*:*:*:* versions up to (excluding) 7.0.0.1 cpe:2.3:a:oracle:insurance_insbridge_rating_and_underwriting:5.5:*:*:*:*:*:*:* cpe:2.3:a:oracle:financial_services_funds_transfer_pricing:*:*:*:*:*:*:*:* versions from (including) 8.0.4; versions up to (including) 8.0.7 cpe:2.3:a:oracle:primavera_unifier:16.1:*:*:*:*:*:*:* cpe:2.3:a:oracle:fusion_middleware_mapviewer:12.2.1.3.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:business_process_management_suite:11.1.1.9.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:retail_workforce_management_software:1.64.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:weblogic_server:12.1.3.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:retail_sales_audit:15.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.57:*:*:*:*:*:*:* cpe:2.3:a:oracle:utilities_framework:*:*:*:*:*:*:*:* versions from (including) 4.3.0.1; versions up to (including) 4.3.0.4 cpe:2.3:a:oracle:hospitality_materials_control:18.1:*:*:*:*:*:*:* cpe:2.3:a:oracle:webcenter_sites:11.1.1.8.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:real-time_scheduler:2.3.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:banking_platform:2.6.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:banking_platform:2.6.1:*:*:*:*:*:*:* cpe:2.3:a:oracle:communications_webrtc_session_controller:*:*:*:*:*:*:*:* versions up to (excluding) 7.2 cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:*:*:*:*:*:*:*:* versions from (including) 8.0.0; versions up to (including) 8.0.7 cpe:2.3:a:oracle:financial_services_loan_loss_forecasting_and_provisioning:*:*:*:*:*:*:*:* versions from (including) 8.0.2; versions up to (including) 8.0.7 cpe:2.3:a:oracle:hospitality_guest_access:4.2.1:*:*:*:*:*:*:* cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools:9.2:*:*:*:*:*:*:* cpe:2.3:a:oracle:business_process_management_suite:12.1.3.0.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:retail_invoice_matching:15.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:agile_product_lifecycle_management_for_process:6.2.2.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:retail_allocation:15.0.2:*:*:*:*:*:*:* cpe:2.3:a:oracle:enterprise_manager_ops_center:12.2.2:*:*:*:*:*:*:* cpe:2.3:a:oracle:hospitality_guest_access:4.2.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:service_bus:12.2.1.3.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:primavera_gateway:15.2:*:*:*:*:*:*:* cpe:2.3:a:oracle:banking_platform:2.6.2:*:*:*:*:*:*:* cpe:2.3:a:oracle:healthcare_translational_research:3.1.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:primavera_unifier:16.2:*:*:*:*:*:*:* cpe:2.3:a:jquery:jquery:*:*:*:*:*:*:*:* versions up to (excluding) 3.0.0 cpe:2.3:a:oracle:weblogic_server:12.2.1.3:*:*:*:*:*:*:* cpe:2.3:a:oracle:hospitality_cruise_fleet_management:9.0.11:*:*:*:*:*:*:* cpe:2.3:a:oracle:communications_interactive_session_recorder:6.2:*:*:*:*:*:*:* cpe:2.3:a:oracle:endeca_information_discovery_studio:3.2.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:primavera_unifier:18.8:*:*:*:*:*:*:* cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.56:*:*:*:*:*:*:* cpe:2.3:a:oracle:primavera_unifier:*:*:*:*:*:*:*:* versions from (including) 17.1; versions up to (including) 17.12 cpe:2.3:a:oracle:retail_customer_insights:16.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:agile_product_lifecycle_management_for_process:6.2.1.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:agile_product_lifecycle_management_for_process:6.2.3.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:communications_services_gatekeeper:*:*:*:*:*:*:*:* versions up to (excluding) 6.1.0.4.0 cpe:2.3:a:oracle:enterprise_manager_ops_center:12.3.3:*:*:*:*:*:*:* cpe:2.3:a:oracle:healthcare_foundation:7.1:*:*:*:*:*:*:* cpe:2.3:a:oracle:primavera_gateway:16.2:*:*:*:*:*:*:* cpe:2.3:a:oracle:jdeveloper:11.1.1.9.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:*:*:*:*:*:*:*:* versions from (including) 7.3.3; versions up to (including) 7.3.5 cpe:2.3:a:oracle:insurance_insbridge_rating_and_underwriting:5.4:*:*:*:*:*:*:* cpe:2.3:a:oracle:utilities_mobile_workforce_management:2.3.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:siebel_ui_framework:18.11:*:*:*:*:*:*:* cpe:2.3:a:oracle:agile_product_lifecycle_management_for_process:6.2.3.1:*:*:*:*:*:*:* cpe:2.3:a:oracle:service_bus:12.1.3.0.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:financial_services_profitability_management:*:*:*:*:*:*:*:* versions from (including) 8.0.4; versions up to (including) 8.0.6 cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.55:*:*:*:*:*:*:* cpe:2.3:a:oracle:enterprise_operations_monitor:4.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:enterprise_operations_monitor:3.4:*:*:*:*:*:*:* cpe:2.3:a:oracle:retail_customer_insights:15.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:communications_interactive_session_recorder:6.1:*:*:*:*:*:*:* cpe:2.3:a:oracle:financial_services_hedge_management_and_ifrs_valuations:*:*:*:*:*:*:*:* versions from (including) 8.0.4; versions up to (including) 8.0.7 cpe:2.3:a:oracle:financial_services_asset_liability_management:*:*:*:*:*:*:*:* versions from (including) 8.0.4; versions up to (including) 8.0.7 cpe:2.3:a:oracle:insurance_insbridge_rating_and_underwriting:5.2:*:*:*:*:*:*:* cpe:2.3:a:oracle:financial_services_reconciliation_framework:8.0.6:*:*:*:*:*:*:* cpe:2.3:a:oracle:financial_services_market_risk_measurement_and_management:8.0.6:*:*:*:*:*:*:* cpe:2.3:a:oracle:oss_support_tools:19.1:*:*:*:*:*:*:* cpe:2.3:a:oracle:communications_interactive_session_recorder:6.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:agile_product_lifecycle_management_for_process:6.2.0.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:business_process_management_suite:12.2.1.3.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:financial_services_reconciliation_framework:8.0.5:*:*:*:*:*:*:* cpe:2.3:a:oracle:hospitality_reporting_and_analytics:9.1.0:*:*:*:*:*:*:*

file:///Users/avinash/Downloads/ACE_v3.2_3rdPartyJars_Scanning_Report.html Page 24 of 26 Dependency-Check Report 03/03/20, 1231 PM

CVE-2019-11358 suppress

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv2: Base Score: MEDIUM (4.3) Vector: /AV:N/AC:M/Au:N/C:N/I:N/A:N CVSSv3: Base Score: MEDIUM (6.1) Vector: /AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

References: BID - 108023 BUGTRAQ - 20190421 [SECURITY] [DSA 4434-1] drupal7 security update BUGTRAQ - 20190509 dotCMS v5.1.1 Vulnerabilities BUGTRAQ - 20190612 [SECURITY] [DSA 4460-1] mediawiki security update CONFIRM - https://security.netapp.com/advisory/ntap-20190919-0001/ CONFIRM - https://www.synology.com/security/advisory/Synology_SA_19_19 CONFIRM - https://www.tenable.com/security/tns-2019-08 DEBIAN - DSA-4434 DEBIAN - DSA-4460 FEDORA - FEDORA-2019-1a3edd7e8a FEDORA - FEDORA-2019-2a0ce0c58c FEDORA - FEDORA-2019-7eaf0bbe7c FEDORA - FEDORA-2019-a06dffab1c FEDORA - FEDORA-2019-eba8e44ee6 FEDORA - FEDORA-2019-f563e66380 FULLDISC - 20190510 Re: dotCMS v5.1.1 HTML Injection & XSS Vulnerability FULLDISC - 20190510 dotCMS v5.1.1 HTML Injection & XSS Vulnerability FULLDISC - 20190510 dotCMS v5.1.1 Vulnerabilities MISC - http://packetstormsecurity.com/files/152787/dotCMS-5.1.1-Vulnerable-Dependencies.html MISC - http://packetstormsecurity.com/files/153237/RetireJS-CORS-Issue-Script-Execution.html MISC - https://backdropcms.org/security/backdrop-sa-core-2019-009 MISC - https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/ MISC - https://github.com/jquery/jquery/commit/753d591aea698e57d6db58c9f722cd0808619b1b MISC - https://github.com/jquery/jquery/pull/4333 MISC - https://snyk.io/vuln/SNYK-JS-JQUERY-174006 MISC - https://www.drupal.org/sa-core-2019-006 MISC - https://www.oracle.com/security-alerts/cpujan2020.html MISC - https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html MISC - https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html MISC - https://www.privacy-wise.com/mitigating-cve-2019-11358-in-old-versions-of-jquery/ MLIST - [airflow-commits] 20190428 [GitHub] [airflow] XD-DENG commented on issue #5197: [AIRFLOW-XXX] Fix CVE-2019-11358 MLIST - [airflow-commits] 20190428 [GitHub] [airflow] XD-DENG merged pull request #5197: [AIRFLOW-XXX] Fix CVE-2019-11358 MLIST - [airflow-commits] 20190428 [GitHub] [airflow] codecov-io commented on issue #5197: [AIRFLOW-XXX] Fix CVE-2019-11358 MLIST - [airflow-commits] 20190428 [GitHub] [airflow] feng-tao commented on issue #5197: [AIRFLOW-XXX] Fix CVE-2019-11358 MLIST - [airflow-commits] 20190428 [GitHub] [airflow] feng-tao opened a new pull request #5197: [AIRFLOW-XXX] Fix CVE-2019-11358 MLIST - [debian-lts-announce] 20190506 [SECURITY] [DLA 1777-1] jquery security update MLIST - [debian-lts-announce] 20190520 [SECURITY] [DLA 1797-1] drupal7 security update MLIST - [drill-dev] 20191017 Dependencies used by Drill contain known vulnerabilities MLIST - [drill-dev] 20191021 [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities MLIST - [drill-issues] 20191021 [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities MLIST - [nifi-commits] 20191113 svn commit: r1869773 - /nifi/site/trunk/security.html MLIST - [nifi-commits] 20200123 svn commit: r1873083 - /nifi/site/trunk/security.html MLIST - [oss-security] 20190603 Django: CVE-2019-12308 AdminURLFieldWidget XSS (plus patched bundled jQuery for CVE-2019-11358) MLIST - [roller-commits] 20190820 [jira] [Created] (ROL-2150) Fix Js security vulnerabilities detected using retire js REDHAT - RHBA-2019:1570 REDHAT - RHSA-2019:1456 REDHAT - RHSA-2019:2587 REDHAT - RHSA-2019:3023 REDHAT - RHSA-2019:3024 SUSE - openSUSE-SU-2019:1839 SUSE - openSUSE-SU-2019:1872 info - info info - info info - info

Vulnerable Software & Versions (NVD):

bcpg-jdk15on-1.64.jar

Description:

The Bouncy Castle Java API for handling the OpenPGP protocol. This jar contains the OpenPGP API for JDK 1.5 to JDK 11. The APIs can be used in conjunction with a JCE/JCA provider such as the one provided with the Bouncy Castle Cryptography APIs.

License:

Bouncy Castle Licence: https://www.bouncycastle.org/licence.html Apache Software License, Version 1.1: https://www.apache.org/licenses/LICENSE-1.1 file:///Users/avinash/Downloads/ACE_v3.2_3rdPartyJars_Scanning_Report.html Page 25 of 26 Dependency-Check Report 03/03/20, 1231 PM

File Path: D:\BUILD\CONNECT\V_3.2\MySQL_PatchEnv\AdeptiaConnect-3.1\ConnectServer\AdeptiaServer\ServerKernel\dependency\common\bcpg-jdk15on-1.64.jar MD5: 498ac36829826fe4b0d12af9550b5b0c SHA1: 56956a8c63ccadf62e7c678571cf86f30bd84441 SHA256:10acaf221fc4e49d4a4067b02316271698e8742ef4b23cb5f2434a0e3502b7b4

Evidence

Identifiers

pkg:maven/org.bouncycastle/[email protected] (Confidence:High) cpe:2.3:a:openpgp:openpgp:1.64:*:*:*:*:*:*:* (Confidence:Low) suppress

Published Vulnerabilities

CVE-2005-0366 suppress

The integrity check feature in OpenPGP, when handling a message that was encrypted using cipher feedback (CFB) mode, allows remote attackers to recover part of the plaintext via a chosen-ciphertext attack when the first 2 bytes of a message block are known, and an oracle or other mechanism is available to determine whether an integrity check failed.

NVD-CWE-Other

CVSSv2: Base Score: MEDIUM (5.0) Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:N

References: BID - 12529 CERT-VN - VU#303094 CONFIRM - http://www.pgp.com/library/ctocorner/openpgp.html GENTOO - GLSA-200503-29 MANDRAKE - MDKSA-2005:057 MISC - http://eprint.iacr.org/2005/033 MISC - http://eprint.iacr.org/2005/033.pdf OSVDB - 13775 SECTRACK - 1013166 SUSE - SUSE-SR:2005:007

Vulnerable Software & Versions:

cpe:2.3:a:openpgp:openpgp:*:*:*:*:*:*:*:*

This report contains data retrieved from the National Vulnerability Database. This report may contain data retrieved from the NPM Public Advisories. This report may contain data retrieved from RetireJS. This report may contain data retrieved from the Sonatype OSS Index.

file:///Users/avinash/Downloads/ACE_v3.2_3rdPartyJars_Scanning_Report.html Page 26 of 26