You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/jboss/resteasy/resteasy-client/3.1.4.Final/resteasy-client-3.1.4.Final.jar,/home/wss-scanner/.m2/repository/org/jboss/resteasy/resteasy-client/3.1.4.Final/resteasy-client-3.1.4.Final.jar,/home/wss-scanner/.m2/repository/org/jboss/resteasy/resteasy-client/3.1.4.Final/resteasy-client-3.1.4.Final.jar
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/jboss/resteasy/resteasy-jaxrs/3.1.4.Final/resteasy-jaxrs-3.1.4.Final.jar,/home/wss-scanner/.m2/repository/org/jboss/resteasy/resteasy-jaxrs/3.1.4.Final/resteasy-jaxrs-3.1.4.Final.jar,/home/wss-scanner/.m2/repository/org/jboss/resteasy/resteasy-jaxrs/3.1.4.Final/resteasy-jaxrs-3.1.4.Final.jar
A flaw was found in all resteasy 3.x.x versions prior to 3.12.0.Final and all resteasy 4.x.x versions prior to 4.6.0.Final, where an improper input validation results in returning an illegal header that integrates into the server's response. This flaw may result in an injection, which leads to unexpected behavior when the HTTP response is constructed.
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/jboss/resteasy/resteasy-jaxrs/3.1.4.Final/resteasy-jaxrs-3.1.4.Final.jar,/home/wss-scanner/.m2/repository/org/jboss/resteasy/resteasy-jaxrs/3.1.4.Final/resteasy-jaxrs-3.1.4.Final.jar,/home/wss-scanner/.m2/repository/org/jboss/resteasy/resteasy-jaxrs/3.1.4.Final/resteasy-jaxrs-3.1.4.Final.jar
Red Hat JBoss EAP version 3.0.7 through before 4.0.0.Beta1 is vulnerable to a server-side cache poisoning or CORS requests in the JAX-RS component resulting in a moderate impact.
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/jboss/resteasy/resteasy-client/3.1.4.Final/resteasy-client-3.1.4.Final.jar,/home/wss-scanner/.m2/repository/org/jboss/resteasy/resteasy-client/3.1.4.Final/resteasy-client-3.1.4.Final.jar,/home/wss-scanner/.m2/repository/org/jboss/resteasy/resteasy-client/3.1.4.Final/resteasy-client-3.1.4.Final.jar
A flaw was found in RESTEasy client in all versions of RESTEasy up to 4.5.6.Final. It may allow client users to obtain the server's potentially sensitive information when the server got WebApplicationException from the RESTEasy client call. The highest threat from this vulnerability is to data confidentiality.
Path to dependency file: /server/plugins/noderoster/impl/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/hibernate/hibernate-validator/5.1.2.Final/hibernate-validator-5.1.2.Final.jar,/home/wss-scanner/.m2/repository/org/hibernate/hibernate-validator/5.1.2.Final/hibernate-validator-5.1.2.Final.jar,/home/wss-scanner/.m2/repository/org/hibernate/hibernate-validator/5.1.2.Final/hibernate-validator-5.1.2.Final.jar
A flaw was found in Hibernate Validator version 6.1.2.Final. A bug in the message interpolation processor enables invalid EL expressions to be evaluated as if they were valid. This flaw allows attackers to bypass input sanitation (escaping, stripping) controls that developers may have put in place when handling user-controlled data in error messages.
The Apache Commons IO library contains utility classes, stream implementations, file filters,
file comparators, endian transformation classes, and much more.
Path to dependency file: /server/plugins/noderoster/impl/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/commons-io/commons-io/2.6/commons-io-2.6.jar,/home/wss-scanner/.m2/repository/commons-io/commons-io/2.6/commons-io-2.6.jar,/home/wss-scanner/.m2/repository/commons-io/commons-io/2.6/commons-io-2.6.jar
In Apache Commons IO before 2.7, When invoking the method FileNameUtils.normalize with an improper input string, like "//../foo", or "\..\foo", the result would be the same value, thus possibly providing access to files in the parent directory, but not further above (thus "limited" path traversal), if the calling code would use the result to construct a path value.
Vulnerable Library - siesta-server-2.3.2.jar
Path to dependency file: /server/dist/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/jboss/resteasy/resteasy-client/3.1.4.Final/resteasy-client-3.1.4.Final.jar,/home/wss-scanner/.m2/repository/org/jboss/resteasy/resteasy-client/3.1.4.Final/resteasy-client-3.1.4.Final.jar,/home/wss-scanner/.m2/repository/org/jboss/resteasy/resteasy-client/3.1.4.Final/resteasy-client-3.1.4.Final.jar
Found in HEAD commit: cfb756aae811651de93ac8a69c7191e48bb4960f
Vulnerabilities
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2020-1695
Vulnerable Library - resteasy-jaxrs-3.1.4.Final.jar
Resteasy
Library home page: http://rest-easy.org/resteasy-jaxrs
Path to dependency file: /server/dist/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/jboss/resteasy/resteasy-jaxrs/3.1.4.Final/resteasy-jaxrs-3.1.4.Final.jar,/home/wss-scanner/.m2/repository/org/jboss/resteasy/resteasy-jaxrs/3.1.4.Final/resteasy-jaxrs-3.1.4.Final.jar,/home/wss-scanner/.m2/repository/org/jboss/resteasy/resteasy-jaxrs/3.1.4.Final/resteasy-jaxrs-3.1.4.Final.jar
Dependency Hierarchy:
Found in HEAD commit: cfb756aae811651de93ac8a69c7191e48bb4960f
Found in base branch: master
Vulnerability Details
A flaw was found in all resteasy 3.x.x versions prior to 3.12.0.Final and all resteasy 4.x.x versions prior to 4.6.0.Final, where an improper input validation results in returning an illegal header that integrates into the server's response. This flaw may result in an injection, which leads to unexpected behavior when the HTTP response is constructed.
Publish Date: 2020-05-19
URL: CVE-2020-1695
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1695
Release Date: 2020-05-19
Fix Resolution: org.jboss.resteasy:resteasy-jaxrs:3.12.0.Final,4.6.0.Final,org.jboss.resteasy:resteasy-core:3.12.0.Final,4.6.0.Final
CVE-2017-7561
Vulnerable Library - resteasy-jaxrs-3.1.4.Final.jar
Resteasy
Library home page: http://rest-easy.org/resteasy-jaxrs
Path to dependency file: /server/dist/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/jboss/resteasy/resteasy-jaxrs/3.1.4.Final/resteasy-jaxrs-3.1.4.Final.jar,/home/wss-scanner/.m2/repository/org/jboss/resteasy/resteasy-jaxrs/3.1.4.Final/resteasy-jaxrs-3.1.4.Final.jar,/home/wss-scanner/.m2/repository/org/jboss/resteasy/resteasy-jaxrs/3.1.4.Final/resteasy-jaxrs-3.1.4.Final.jar
Dependency Hierarchy:
Found in HEAD commit: cfb756aae811651de93ac8a69c7191e48bb4960f
Found in base branch: master
Vulnerability Details
Red Hat JBoss EAP version 3.0.7 through before 4.0.0.Beta1 is vulnerable to a server-side cache poisoning or CORS requests in the JAX-RS component resulting in a moderate impact.
Publish Date: 2017-08-22
URL: CVE-2017-7561
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://issues.jboss.org/browse/RESTEASY-1704
Release Date: 2017-08-22
Fix Resolution: 3.0.25.Final,3.5.0.CR1,4.0.0.Beta1
CVE-2020-25633
Vulnerable Library - resteasy-client-3.1.4.Final.jar
Resteasy
Library home page: http://rest-easy.org/resteasy-client
Path to dependency file: /server/dist/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/jboss/resteasy/resteasy-client/3.1.4.Final/resteasy-client-3.1.4.Final.jar,/home/wss-scanner/.m2/repository/org/jboss/resteasy/resteasy-client/3.1.4.Final/resteasy-client-3.1.4.Final.jar,/home/wss-scanner/.m2/repository/org/jboss/resteasy/resteasy-client/3.1.4.Final/resteasy-client-3.1.4.Final.jar
Dependency Hierarchy:
Found in HEAD commit: cfb756aae811651de93ac8a69c7191e48bb4960f
Found in base branch: master
Vulnerability Details
A flaw was found in RESTEasy client in all versions of RESTEasy up to 4.5.6.Final. It may allow client users to obtain the server's potentially sensitive information when the server got WebApplicationException from the RESTEasy client call. The highest threat from this vulnerability is to data confidentiality.
Publish Date: 2020-09-18
URL: CVE-2020-25633
CVSS 3 Score Details (5.3)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://bugzilla.redhat.com/show_bug.cgi?id=1879042#c13
Release Date: 2020-09-18
Fix Resolution: 4.5.7.Final
CVE-2020-10693
Vulnerable Library - hibernate-validator-5.1.2.Final.jar
Hibernate's Bean Validation (JSR-303) reference implementation.
Library home page: http://validator.hibernate.org
Path to dependency file: /server/plugins/noderoster/impl/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/hibernate/hibernate-validator/5.1.2.Final/hibernate-validator-5.1.2.Final.jar,/home/wss-scanner/.m2/repository/org/hibernate/hibernate-validator/5.1.2.Final/hibernate-validator-5.1.2.Final.jar,/home/wss-scanner/.m2/repository/org/hibernate/hibernate-validator/5.1.2.Final/hibernate-validator-5.1.2.Final.jar
Dependency Hierarchy:
Found in HEAD commit: cfb756aae811651de93ac8a69c7191e48bb4960f
Found in base branch: master
Vulnerability Details
A flaw was found in Hibernate Validator version 6.1.2.Final. A bug in the message interpolation processor enables invalid EL expressions to be evaluated as if they were valid. This flaw allows attackers to bypass input sanitation (escaping, stripping) controls that developers may have put in place when handling user-controlled data in error messages.
Publish Date: 2020-05-06
URL: CVE-2020-10693
CVSS 3 Score Details (5.3)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://hibernate.atlassian.net/projects/HV/issues/HV-1774
Release Date: 2020-05-06
Fix Resolution: org.hibernate.validator:hibernate-validator:6.0.20.Final,org.hibernate.validator:hibernate-validator:6.1.5.Final,org.hibernate.validator:hibernate-validator:7.0.0.Alpha2
CVE-2021-29425
Vulnerable Library - commons-io-2.6.jar
The Apache Commons IO library contains utility classes, stream implementations, file filters, file comparators, endian transformation classes, and much more.
Library home page: http://commons.apache.org/proper/commons-io/
Path to dependency file: /server/plugins/noderoster/impl/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/commons-io/commons-io/2.6/commons-io-2.6.jar,/home/wss-scanner/.m2/repository/commons-io/commons-io/2.6/commons-io-2.6.jar,/home/wss-scanner/.m2/repository/commons-io/commons-io/2.6/commons-io-2.6.jar
Dependency Hierarchy:
Found in HEAD commit: cfb756aae811651de93ac8a69c7191e48bb4960f
Found in base branch: master
Vulnerability Details
In Apache Commons IO before 2.7, When invoking the method FileNameUtils.normalize with an improper input string, like "//../foo", or "\..\foo", the result would be the same value, thus possibly providing access to files in the parent directory, but not further above (thus "limited" path traversal), if the calling code would use the result to construct a path value.
Publish Date: 2021-04-13
URL: CVE-2021-29425
CVSS 3 Score Details (4.8)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29425
Release Date: 2021-04-13
Fix Resolution: commons-io:commons-io:2.7
The text was updated successfully, but these errors were encountered: