Posted to dev@river.apache.org by Peter <ji...@zeus.net.au> on 2017/01/07 10:56:49 UTC
Maven build
Neat little tool that generates vulnerability reports on dependencies
during a maven build. N.B. the following aren't actual dependencies of
Phoenix.
<groupId>org.owasp</groupId>
<artifactId>dependency-check-maven</artifactId>
Cheers,
Pete.
Dependency-Check is an open source tool performing a best effort
analysis of 3rd party dependencies; false positives and false negatives
may exist in the analysis performed by the tool. Use of the tool and the
reporting provided constitutes acceptance for use in an AS IS condition,
and there are NO warranties, implied or otherwise, with regard to the
analysis or its use. Any use of the tool and the reporting provided is
at the user's risk. In no event shall the copyright holder or OWASP be
held liable for any damages whatsoever arising out of or in connection
with the use of this tool, the analysis performed, or the resulting report.
How to read the report: <http://jeremylong.github.io/DependencyCheck/general/thereport.html>
Suppressing false positives: <http://jeremylong.github.io/DependencyCheck/general/suppression.html>
Getting help: google group <https://groups.google.com/forum/#%21forum/dependency-check> | github issues <https://github.com/jeremylong/DependencyCheck/issues>
Project: Module :: Phoenix
Scan Information:
* /dependency-check version/: 1.4.4
* /Report Generated On/: Jan 7, 2017 at 19:06:08 EST
* /Dependencies Scanned/: 62 (62 unique)
* /Vulnerable Dependencies/: 4
* /Vulnerabilities Found/: 9
* /Vulnerabilities Suppressed/: 0
Showing vulnerable dependencies only:
commons-httpclient-3.0.jar
  CPE: cpe:/a:apache:commons-httpclient:3.0, cpe:/a:apache:httpclient:3.0
  GAV: commons-httpclient:commons-httpclient:3.0
  Highest Severity: Medium | CVE Count: 4 | CPE Confidence: HIGHEST | Evidence Count: 15
jackrabbit-jcr-commons-1.5.0.jar
  CPE: cpe:/a:apache:jackrabbit:1.5.0
  GAV: org.apache.jackrabbit:jackrabbit-jcr-commons:1.5.0
  Highest Severity: Medium | CVE Count: 2 | CPE Confidence: HIGHEST | Evidence Count: 15
jackrabbit-webdav-1.5.0.jar
  CPE: cpe:/a:apache:jackrabbit:1.5.0
  GAV: org.apache.jackrabbit:jackrabbit-webdav:1.5.0
  Highest Severity: Medium | CVE Count: 2 | CPE Confidence: HIGHEST | Evidence Count: 13
wagon-webdav-jackrabbit-1.0-beta-6.jar
  CPE: cpe:/a:apache:jackrabbit:1.0
  GAV: org.apache.maven.wagon:wagon-webdav-jackrabbit:1.0-beta-6
  Highest Severity: Medium | CVE Count: 1 | CPE Confidence: LOW | Evidence Count: 16
Dependencies
commons-httpclient-3.0.jar
*Description:* The HttpClient component supports the client-side of RFC
1945 (HTTP/1.0) and RFC 2616 (HTTP/1.1) , several related specifications
(RFC 2109 (Cookies) , RFC 2617 (HTTP Authentication) , etc.), and
provides a framework by which new request types (methods) or HTTP
extensions can be created easily.
*License:*
Apache License: http://www.apache.org/licenses/LICENSE-2.0
*File Path:*
C:\Users\peter\Documents\NetBeansProjects\river-internet\modularize\JGDMS\target\test-repo\commons-httpclient\commons-httpclient\3.0\commons-httpclient-3.0.jar
*MD5:* cd69c70d6c078f4340bd5e867ec6f1b6
*SHA1:* 336a280d178bb957e5233189f0f32e067366c4e5
*Referenced In Project/Scope:* Module :: Phoenix:runtime
Evidence
Identifiers
* *maven:* commons-httpclient:commons-httpclient:3.0 /Confidence/:HIGH
* *cpe:* cpe:/a:apache:commons-httpclient:3.0
<https://web.nvd.nist.gov/view/vuln/search-results?adv_search=true&cves=on&cpe_version=cpe%3A%2Fa%3Aapache%3Acommons-httpclient%3A3.0>
/Confidence/:HIGHEST
*cpe:* cpe:/a:apache:httpclient:3.0 /Confidence/:LOW
Published Vulnerabilities
*CVE-2015-5262
<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5262>*
Severity: Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:N/A:P)
CWE: CWE-399 Resource Management Errors
http/conn/ssl/SSLConnectionSocketFactory.java in Apache HttpComponents
HttpClient before 4.3.6 ignores the http.socket.timeout configuration
setting during an SSL handshake, which allows remote attackers to cause
a denial of service (HTTPS call hang) via unspecified vectors.
* CONFIRM - http://svn.apache.org/viewvc?view=revision&revision=1626784
* CONFIRM - https://bugzilla.redhat.com/show_bug.cgi?id=1261538
* CONFIRM - https://issues.apache.org/jira/browse/HTTPCLIENT-1478
* FEDORA - FEDORA-2015-15588
<http://lists.fedoraproject.org/pipermail/package-announce/2015-October/168030.html>
* FEDORA - FEDORA-2015-15589
<http://lists.fedoraproject.org/pipermail/package-announce/2015-October/167999.html>
* FEDORA - FEDORA-2015-15590
<http://lists.fedoraproject.org/pipermail/package-announce/2015-October/167962.html>
* SECTRACK - 1033743 <http://www.securitytracker.com/id/1033743>
* UBUNTU - USN-2769-1 <http://www.ubuntu.com/usn/USN-2769-1>
Vulnerable Software & Versions:
* cpe:/a:apache:httpclient:4.3.5
<https://web.nvd.nist.gov/view/vuln/search-results?adv_search=true&cves=on&cpe_version=cpe%3A%2Fa%3Aapache%3Ahttpclient%3A4.3.5>
and all previous versions
*CVE-2014-3577
<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3577>*
Severity: Medium
CVSS Score: 5.8 (AV:N/AC:M/Au:N/C:P/I:P/A:N)
org.apache.http.conn.ssl.AbstractVerifier in Apache HttpComponents
HttpClient before 4.3.5 and HttpAsyncClient before 4.0.2 does not
properly verify that the server hostname matches a domain name in the
subject's Common Name (CN) or subjectAltName field of the X.509
certificate, which allows man-in-the-middle attackers to spoof SSL
servers via a "CN=" string in a field in the distinguished name (DN) of
a certificate, as demonstrated by the "foo,CN=www.apache.org" string in
the O field.
* BID - 69258 <http://www.securityfocus.com/bid/69258>
* CONFIRM - https://access.redhat.com/solutions/1165533
* CONFIRM -
https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05103564
* FULLDISC - 20140818 CVE-2014-3577: Apache HttpComponents client:
Hostname verification susceptible to MITM attack
<http://seclists.org/fulldisclosure/2014/Aug/48>
* MISC -
http://packetstormsecurity.com/files/127913/Apache-HttpComponents-Man-In-The-Middle.html
* OSVDB - 110143 <http://www.osvdb.org/110143>
* REDHAT - RHSA-2014:1146
<http://rhn.redhat.com/errata/RHSA-2014-1146.html>
* REDHAT - RHSA-2014:1166
<http://rhn.redhat.com/errata/RHSA-2014-1166.html>
* REDHAT - RHSA-2014:1833
<http://rhn.redhat.com/errata/RHSA-2014-1833.html>
* REDHAT - RHSA-2014:1834
<http://rhn.redhat.com/errata/RHSA-2014-1834.html>
* REDHAT - RHSA-2014:1835
<http://rhn.redhat.com/errata/RHSA-2014-1835.html>
* REDHAT - RHSA-2014:1836
<http://rhn.redhat.com/errata/RHSA-2014-1836.html>
* REDHAT - RHSA-2014:1891
<http://rhn.redhat.com/errata/RHSA-2014-1891.html>
* REDHAT - RHSA-2014:1892
<http://rhn.redhat.com/errata/RHSA-2014-1892.html>
* REDHAT - RHSA-2015:0125
<http://rhn.redhat.com/errata/RHSA-2015-0125.html>
* REDHAT - RHSA-2015:0158
<http://rhn.redhat.com/errata/RHSA-2015-0158.html>
* REDHAT - RHSA-2015:0675
<http://rhn.redhat.com/errata/RHSA-2015-0675.html>
* REDHAT - RHSA-2015:0720
<http://rhn.redhat.com/errata/RHSA-2015-0720.html>
* REDHAT - RHSA-2015:0765
<http://rhn.redhat.com/errata/RHSA-2015-0765.html>
* REDHAT - RHSA-2015:0850
<http://rhn.redhat.com/errata/RHSA-2015-0850.html>
* REDHAT - RHSA-2015:0851
<http://rhn.redhat.com/errata/RHSA-2015-0851.html>
* REDHAT - RHSA-2015:1176
<http://rhn.redhat.com/errata/RHSA-2015-1176.html>
* REDHAT - RHSA-2015:1177
<http://rhn.redhat.com/errata/RHSA-2015-1177.html>
* SECTRACK - 1030812 <http://www.securitytracker.com/id/1030812>
* SECUNIA - 60466 <http://secunia.com/advisories/60466>
* UBUNTU - USN-2769-1 <http://www.ubuntu.com/usn/USN-2769-1>
* XF - apache-cve20143577-spoofing(95327)
<http://xforce.iss.net/xforce/xfdb/95327>
Vulnerable Software & Versions:
* cpe:/a:apache:httpclient:4.3.4
<https://web.nvd.nist.gov/view/vuln/search-results?adv_search=true&cves=on&cpe_version=cpe%3A%2Fa%3Aapache%3Ahttpclient%3A4.3.4>
and all previous versions
*CVE-2012-6153
<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-6153>*
Severity: Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-20 Improper Input Validation
http/conn/ssl/AbstractVerifier.java in Apache Commons HttpClient before
4.2.3 does not properly verify that the server hostname matches a domain
name in the subject's Common Name (CN) or subjectAltName field of the
X.509 certificate, which allows man-in-the-middle attackers to spoof SSL
servers via a certificate with a subject that specifies a common name in
a field that is not the CN field. NOTE: this issue exists because of an
incomplete fix for CVE-2012-5783.
* BID - 69257 <http://www.securityfocus.com/bid/69257>
* CONFIRM - http://svn.apache.org/viewvc?view=revision&revision=1411705
* CONFIRM - https://access.redhat.com/solutions/1165533
* CONFIRM - https://bugzilla.redhat.com/show_bug.cgi?id=1129916
* CONFIRM -
https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05103564
* REDHAT - RHSA-2014:1098
<http://rhn.redhat.com/errata/RHSA-2014-1098.html>
* REDHAT - RHSA-2014:1833
<http://rhn.redhat.com/errata/RHSA-2014-1833.html>
* REDHAT - RHSA-2014:1834
<http://rhn.redhat.com/errata/RHSA-2014-1834.html>
* REDHAT - RHSA-2014:1835
<http://rhn.redhat.com/errata/RHSA-2014-1835.html>
* REDHAT - RHSA-2014:1836
<http://rhn.redhat.com/errata/RHSA-2014-1836.html>
* REDHAT - RHSA-2014:1891
<http://rhn.redhat.com/errata/RHSA-2014-1891.html>
* REDHAT - RHSA-2014:1892
<http://rhn.redhat.com/errata/RHSA-2014-1892.html>
* REDHAT - RHSA-2015:0125
<http://rhn.redhat.com/errata/RHSA-2015-0125.html>
* REDHAT - RHSA-2015:0158
<http://rhn.redhat.com/errata/RHSA-2015-0158.html>
* REDHAT - RHSA-2015:0675
<http://rhn.redhat.com/errata/RHSA-2015-0675.html>
* REDHAT - RHSA-2015:0720
<http://rhn.redhat.com/errata/RHSA-2015-0720.html>
* REDHAT - RHSA-2015:0765
<http://rhn.redhat.com/errata/RHSA-2015-0765.html>
* REDHAT - RHSA-2015:0850
<http://rhn.redhat.com/errata/RHSA-2015-0850.html>
* REDHAT - RHSA-2015:0851
<http://rhn.redhat.com/errata/RHSA-2015-0851.html>
* UBUNTU - USN-2769-1 <http://www.ubuntu.com/usn/USN-2769-1>
Vulnerable Software & Versions:
* cpe:/a:apache:commons-httpclient:4.2.2
<https://web.nvd.nist.gov/view/vuln/search-results?adv_search=true&cves=on&cpe_version=cpe%3A%2Fa%3Aapache%3Acommons-httpclient%3A4.2.2>
and all previous versions
*CVE-2012-5783
<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-5783>*
Severity: Medium
CVSS Score: 5.8 (AV:N/AC:M/Au:N/C:P/I:P/A:N)
CWE: CWE-20 Improper Input Validation
Apache Commons HttpClient 3.x, as used in Amazon Flexible Payments
Service (FPS) merchant Java SDK and other products, does not verify that
the server hostname matches a domain name in the subject's Common Name
(CN) or subjectAltName field of the X.509 certificate, which allows
man-in-the-middle attackers to spoof SSL servers via an arbitrary valid
certificate.
* BID - 58073 <http://www.securityfocus.com/bid/58073>
* MISC - http://www.cs.utexas.edu/~shmat/shmat_ccs12.pdf
* REDHAT - RHSA-2013:0270
<http://rhn.redhat.com/errata/RHSA-2013-0270.html>
* REDHAT - RHSA-2013:0679
<http://rhn.redhat.com/errata/RHSA-2013-0679.html>
* REDHAT - RHSA-2013:0680
<http://rhn.redhat.com/errata/RHSA-2013-0680.html>
* REDHAT - RHSA-2013:0681
<http://rhn.redhat.com/errata/RHSA-2013-0681.html>
* REDHAT - RHSA-2013:0682
<http://rhn.redhat.com/errata/RHSA-2013-0682.html>
* REDHAT - RHSA-2013:1147
<http://rhn.redhat.com/errata/RHSA-2013-1147.html>
* REDHAT - RHSA-2013:1853
<http://rhn.redhat.com/errata/RHSA-2013-1853.html>
* REDHAT - RHSA-2014:0224
<http://rhn.redhat.com/errata/RHSA-2014-0224.html>
* SUSE - openSUSE-SU-2013:0354
<http://lists.opensuse.org/opensuse-updates/2013-02/msg00078.html>
* SUSE - openSUSE-SU-2013:0622
<http://lists.opensuse.org/opensuse-updates/2013-04/msg00040.html>
* SUSE - openSUSE-SU-2013:0623
<http://lists.opensuse.org/opensuse-updates/2013-04/msg00041.html>
* SUSE - openSUSE-SU-2013:0638
<http://lists.opensuse.org/opensuse-updates/2013-04/msg00053.html>
* UBUNTU - USN-2769-1 <http://www.ubuntu.com/usn/USN-2769-1>
* XF - apache-commons-ssl-spoofing(79984)
<http://xforce.iss.net/xforce/xfdb/79984>
Vulnerable Software & Versions:
* cpe:/a:apache:commons-httpclient:3.0
<https://web.nvd.nist.gov/view/vuln/search-results?adv_search=true&cves=on&cpe_version=cpe%3A%2Fa%3Aapache%3Acommons-httpclient%3A3.0>
jackrabbit-jcr-commons-1.5.0.jar
*Description:* General purpose classes for use with the JCR API
*License:*
http://www.apache.org/licenses/LICENSE-2.0.txt
*File Path:*
C:\Users\peter\Documents\NetBeansProjects\river-internet\modularize\JGDMS\target\test-repo\org\apache\jackrabbit\jackrabbit-jcr-commons\1.5.0\jackrabbit-jcr-commons-1.5.0.jar
*MD5:* 579d2a761b42553e07f6dcd8225f0d53
*SHA1:* 816ca280dc631b277e7b963723f2e99b038383f2
*Referenced In Project/Scope:* Module :: Phoenix:runtime
Evidence
Identifiers
* *cpe:* cpe:/a:apache:jackrabbit:1.5.0
<https://web.nvd.nist.gov/view/vuln/search-results?adv_search=true&cves=on&cpe_version=cpe%3A%2Fa%3Aapache%3Ajackrabbit%3A1.5.0>
/Confidence/:HIGHEST
* *maven:* org.apache.jackrabbit:jackrabbit-jcr-commons:1.5.0
/Confidence/:HIGH
Published Vulnerabilities
*CVE-2015-1833
<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1833>*
Severity: Medium
CVSS Score: 6.4 (AV:N/AC:L/Au:N/C:P/I:P/A:N)
CWE: CWE-20 Improper Input Validation
XML external entity (XXE) vulnerability in Apache Jackrabbit before
2.0.6, 2.2.x before 2.2.14, 2.4.x before 2.4.6, 2.6.x before 2.6.6,
2.8.x before 2.8.1, and 2.10.x before 2.10.1 allows remote attackers to
read arbitrary files and send requests to intranet servers via a crafted
WebDAV request.
* BID - 74761 <http://www.securityfocus.com/bid/74761>
* BUGTRAQ - 20150521 CVE-2015-1833 (Jackrabbit WebDAV XXE
vulnerability)
<http://www.securityfocus.com/archive/1/archive/1/535582/100/0/threaded>
* CONFIRM -
http://www.apache.org/dist/jackrabbit/2.10.1/RELEASE-NOTES.txt
* CONFIRM - https://issues.apache.org/jira/browse/JCR-3883
* DEBIAN - DSA-3298 <http://www.debian.org/security/2015/dsa-3298>
* EXPLOIT-DB - 37110 <https://www.exploit-db.com/exploits/37110/>
* MISC -
http://packetstormsecurity.com/files/132005/Jackrabbit-WebDAV-XXE-Injection.html
* MLIST - [jackrabbit-announce] 20150521 CVE-2015-1833 (Jackrabbit
WebDAV XXE vulnerability)
<http://mail-archives.apache.org/mod_mbox/jackrabbit-announce/201505.mbox/%3C555DA644.8080908%40greenbytes.de%3E>
Vulnerable Software & Versions:
* cpe:/a:apache:jackrabbit:2.0.5
<https://web.nvd.nist.gov/view/vuln/search-results?adv_search=true&cves=on&cpe_version=cpe%3A%2Fa%3Aapache%3Ajackrabbit%3A2.0.5>
and all previous versions
*CVE-2009-0026
<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-0026>*
Severity: Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation
('Cross-site Scripting')
Multiple cross-site scripting (XSS) vulnerabilities in Apache Jackrabbit
before 1.5.2 allow remote attackers to inject arbitrary web script or
HTML via the q parameter to (1) search.jsp or (2) swr.jsp.
* BID - 33360 <http://www.securityfocus.com/bid/33360>
* BUGTRAQ - 20090120 [ANNOUNCE] Apache Jackrabbit 1.5.2 released
<http://www.securityfocus.com/archive/1/archive/1/500196/100/0/threaded>
* CONFIRM -
http://www.apache.org/dist/jackrabbit/RELEASE-NOTES-1.5.2.txt
* CONFIRM - https://issues.apache.org/jira/browse/JCR-1925
* SREASON - 4942 <http://securityreason.com/securityalert/4942>
* VUPEN - ADV-2009-0177
<http://www.vupen.com/english/advisories/2009/0177>
* XF - jackrabbit-search-swr-xss(48110)
<http://xforce.iss.net/xforce/xfdb/48110>
Vulnerable Software & Versions:
* cpe:/a:apache:jackrabbit:1.5.0
<https://web.nvd.nist.gov/view/vuln/search-results?adv_search=true&cves=on&cpe_version=cpe%3A%2Fa%3Aapache%3Ajackrabbit%3A1.5.0>
jackrabbit-webdav-1.5.0.jar
*Description:* WebDAV library used by the Jackrabbit WebDAV support
*File Path:*
C:\Users\peter\Documents\NetBeansProjects\river-internet\modularize\JGDMS\target\test-repo\org\apache\jackrabbit\jackrabbit-webdav\1.5.0\jackrabbit-webdav-1.5.0.jar
*MD5:* 137d4d30c1c78972fec7628c94f4f4a1
*SHA1:* b14c7fbbd34862d4d51c5e72ba3a69cde892c260
*Referenced In Project/Scope:* Module :: Phoenix:runtime
Evidence
Identifiers
* *cpe:* cpe:/a:apache:jackrabbit:1.5.0
<https://web.nvd.nist.gov/view/vuln/search-results?adv_search=true&cves=on&cpe_version=cpe%3A%2Fa%3Aapache%3Ajackrabbit%3A1.5.0>
/Confidence/:HIGHEST
* *maven:* org.apache.jackrabbit:jackrabbit-webdav:1.5.0
/Confidence/:HIGH
Published Vulnerabilities
*CVE-2015-1833
<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1833>*
Severity: Medium
CVSS Score: 6.4 (AV:N/AC:L/Au:N/C:P/I:P/A:N)
CWE: CWE-20 Improper Input Validation
XML external entity (XXE) vulnerability in Apache Jackrabbit before
2.0.6, 2.2.x before 2.2.14, 2.4.x before 2.4.6, 2.6.x before 2.6.6,
2.8.x before 2.8.1, and 2.10.x before 2.10.1 allows remote attackers to
read arbitrary files and send requests to intranet servers via a crafted
WebDAV request.
* BID - 74761 <http://www.securityfocus.com/bid/74761>
* BUGTRAQ - 20150521 CVE-2015-1833 (Jackrabbit WebDAV XXE
vulnerability)
<http://www.securityfocus.com/archive/1/archive/1/535582/100/0/threaded>
* CONFIRM -
http://www.apache.org/dist/jackrabbit/2.10.1/RELEASE-NOTES.txt
* CONFIRM - https://issues.apache.org/jira/browse/JCR-3883
* DEBIAN - DSA-3298 <http://www.debian.org/security/2015/dsa-3298>
* EXPLOIT-DB - 37110 <https://www.exploit-db.com/exploits/37110/>
* MISC -
http://packetstormsecurity.com/files/132005/Jackrabbit-WebDAV-XXE-Injection.html
* MLIST - [jackrabbit-announce] 20150521 CVE-2015-1833 (Jackrabbit
WebDAV XXE vulnerability)
<http://mail-archives.apache.org/mod_mbox/jackrabbit-announce/201505.mbox/%3C555DA644.8080908%40greenbytes.de%3E>
Vulnerable Software & Versions:
* cpe:/a:apache:jackrabbit:2.0.5
<https://web.nvd.nist.gov/view/vuln/search-results?adv_search=true&cves=on&cpe_version=cpe%3A%2Fa%3Aapache%3Ajackrabbit%3A2.0.5>
and all previous versions
*CVE-2009-0026
<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-0026>*
Severity: Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation
('Cross-site Scripting')
Multiple cross-site scripting (XSS) vulnerabilities in Apache Jackrabbit
before 1.5.2 allow remote attackers to inject arbitrary web script or
HTML via the q parameter to (1) search.jsp or (2) swr.jsp.
* BID - 33360 <http://www.securityfocus.com/bid/33360>
* BUGTRAQ - 20090120 [ANNOUNCE] Apache Jackrabbit 1.5.2 released
<http://www.securityfocus.com/archive/1/archive/1/500196/100/0/threaded>
* CONFIRM -
http://www.apache.org/dist/jackrabbit/RELEASE-NOTES-1.5.2.txt
* CONFIRM - https://issues.apache.org/jira/browse/JCR-1925
* SREASON - 4942 <http://securityreason.com/securityalert/4942>
* VUPEN - ADV-2009-0177
<http://www.vupen.com/english/advisories/2009/0177>
* XF - jackrabbit-search-swr-xss(48110)
<http://xforce.iss.net/xforce/xfdb/48110>
Vulnerable Software & Versions:
* cpe:/a:apache:jackrabbit:1.5.0
<https://web.nvd.nist.gov/view/vuln/search-results?adv_search=true&cves=on&cpe_version=cpe%3A%2Fa%3Aapache%3Ajackrabbit%3A1.5.0>
wagon-webdav-jackrabbit-1.0-beta-6.jar
*Description:* Wagon that gets and puts artifacts through webdav protocol
*File Path:*
C:\Users\peter\Documents\NetBeansProjects\river-internet\modularize\JGDMS\target\test-repo\org\apache\maven\wagon\wagon-webdav-jackrabbit\1.0-beta-6\wagon-webdav-jackrabbit-1.0-beta-6.jar
*MD5:* 54e5811336dab214bd598b4ac92cdf99
*SHA1:* b694b223d0f19abcb32e304ebd5054061ee0f7b5
*Referenced In Project/Scope:* Module :: Phoenix:runtime
Evidence
Identifiers
* *cpe:* cpe:/a:apache:jackrabbit:1.0 /Confidence/:LOW
* *maven:* org.apache.maven.wagon:wagon-webdav-jackrabbit:1.0-beta-6
/Confidence/:HIGH
Published Vulnerabilities
*CVE-2015-1833
<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1833>*
Severity: Medium
CVSS Score: 6.4 (AV:N/AC:L/Au:N/C:P/I:P/A:N)
CWE: CWE-20 Improper Input Validation
XML external entity (XXE) vulnerability in Apache Jackrabbit before
2.0.6, 2.2.x before 2.2.14, 2.4.x before 2.4.6, 2.6.x before 2.6.6,
2.8.x before 2.8.1, and 2.10.x before 2.10.1 allows remote attackers to
read arbitrary files and send requests to intranet servers via a crafted
WebDAV request.
* BID - 74761 <http://www.securityfocus.com/bid/74761>
* BUGTRAQ - 20150521 CVE-2015-1833 (Jackrabbit WebDAV XXE
vulnerability)
<http://www.securityfocus.com/archive/1/archive/1/535582/100/0/threaded>
* CONFIRM -
http://www.apache.org/dist/jackrabbit/2.10.1/RELEASE-NOTES.txt
* CONFIRM - https://issues.apache.org/jira/browse/JCR-3883
* DEBIAN - DSA-3298 <http://www.debian.org/security/2015/dsa-3298>
* EXPLOIT-DB - 37110 <https://www.exploit-db.com/exploits/37110/>
* MISC -
http://packetstormsecurity.com/files/132005/Jackrabbit-WebDAV-XXE-Injection.html
* MLIST - [jackrabbit-announce] 20150521 CVE-2015-1833 (Jackrabbit
WebDAV XXE vulnerability)
<http://mail-archives.apache.org/mod_mbox/jackrabbit-announce/201505.mbox/%3C555DA644.8080908%40greenbytes.de%3E>
Vulnerable Software & Versions:
* cpe:/a:apache:jackrabbit:2.0.5
<https://web.nvd.nist.gov/view/vuln/search-results?adv_search=true&cves=on&cpe_version=cpe%3A%2Fa%3Aapache%3Ajackrabbit%3A2.0.5>
and all previous versions
This report contains data retrieved from the National Vulnerability
Database <http://nvd.nist.gov>.