Dependency-Check Report

Dependency	Vulnerability IDs	Package	Highest Severity	CVE Count	Confidence	Evidence Count
FastInfoset-1.2.15.jar	cpe:2.3:a:fast_ber_project:fast_ber:1.2.15:::::::*	pkg:maven/com.sun.xml.fastinfoset/FastInfoset@1.2.15		0	Low	44
accessors-smart-2.4.8.jar	cpe:2.3:a:json-smart_project:json-smart:2.4.8:::::::* cpe:2.3:a:json-smart_project:json-smart-v2:2.4.8:::::::*	pkg:maven/net.minidev/accessors-smart@2.4.8		0	Low	43
activation-1.1.1.jar	cpe:2.3:a:oracle:java_se:1.1.1:::::::*	pkg:maven/javax.activation/activation@1.1.1		0	Low	26
amqp-client-4.12.0.jar	cpe:2.3:a:vmware:rabbitmq:4.12.0:::::::*	pkg:maven/com.rabbitmq/amqp-client@4.12.0		0	High	46
animal-sniffer-annotations-1.9.jar		pkg:maven/org.codehaus.mojo/animal-sniffer-annotations@1.9		0		23
ant-1.10.12.jar	cpe:2.3:a:apache:ant:1.10.12:::::::*	pkg:maven/org.apache.ant/ant@1.10.12		0	Highest	24
antlr-2.7.7.jar		pkg:maven/antlr/antlr@2.7.7		0		24
asm-7.1.jar		pkg:maven/org.ow2.asm/asm@7.1		0		53
aws-java-sdk-core-1.12.267.jar	cpe:2.3:a:amazon:aws-sdk-java:1.12.267:::::::*	pkg:maven/com.amazonaws/aws-java-sdk-core@1.12.267		0	Highest	22
backport-util-concurrent-3.1.jar		pkg:maven/backport-util-concurrent/backport-util-concurrent@3.1		0		25
bcpkix-jdk18on-1.72.jar	cpe:2.3:a:bouncycastle:legion-of-the-bouncy-castle:1.72:::::::*	pkg:maven/org.bouncycastle/bcpkix-jdk18on@1.72		0	Low	66
bcprov-jdk18on-1.72.jar	cpe:2.3:a:bouncycastle:bouncy-castle-crypto-package:1.72:::::::* cpe:2.3:a:bouncycastle:bouncy_castle_crypto_package:1.72:::::::* cpe:2.3:a:bouncycastle:legion-of-the-bouncy-castle:1.72:::::::* cpe:2.3:a:bouncycastle:legion-of-the-bouncy-castle-java-crytography-api:1.72:::::::* cpe:2.3:a:bouncycastle:the_bouncy_castle_crypto_package_for_java:1.72:::::::*	pkg:maven/org.bouncycastle/bcprov-jdk18on@1.72	MEDIUM	1	Low	60
bcutil-jdk18on-1.72.jar	cpe:2.3:a:bouncycastle:legion-of-the-bouncy-castle:1.72:::::::*	pkg:maven/org.bouncycastle/bcutil-jdk18on@1.72		0	Low	50
bsh-2.0b5.jar	cpe:2.3:a:beanshell:beanshell:2.0:b5::::::	pkg:maven/org.beanshell/bsh@2.0b5	HIGH	1	Highest	27
byte-buddy-1.12.9.jar (shaded: net.bytebuddy:byte-buddy-dep:1.12.9)		pkg:maven/net.bytebuddy/byte-buddy-dep@1.12.9		0		9
byte-buddy-1.12.9.jar		pkg:maven/net.bytebuddy/byte-buddy@1.12.9		0		27
c3p0-0.9.5.4.jar	cpe:2.3:a:mchange:c3p0:0.9.5.4:::::::*	pkg:maven/com.mchange/c3p0@0.9.5.4		0	Highest	31
c3p0-oracle-thin-extras-0.9.5.jar	cpe:2.3:a:mchange:c3p0:0.9.5:::::::*	pkg:maven/com.google.code.maven-play-plugin.com.mchange/c3p0-oracle-thin-extras@0.9.5	HIGH	1	Highest	29
cglib-3.3.0.jar		pkg:maven/cglib/cglib@3.3.0		0		18
checker-qual-3.5.0.jar		pkg:maven/org.checkerframework/checker-qual@3.5.0		0		60
classmate-1.5.1.jar		pkg:maven/com.fasterxml/classmate@1.5.1		0		57
commons-beanutils-1.9.4.jar	cpe:2.3:a:apache:commons_beanutils:1.9.4:::::::* cpe:2.3:a:apache:commons_net:1.9.4:::::::*	pkg:maven/commons-beanutils/commons-beanutils@1.9.4	MEDIUM	1	Highest	170
commons-cli-1.4.jar	cpe:2.3:a:apache:commons_net:1.4:::::::*	pkg:maven/commons-cli/commons-cli@1.4	MEDIUM	1	Highest	87
commons-codec-1.15.jar	cpe:2.3:a:apache:commons_net:1.15:::::::*	pkg:maven/commons-codec/commons-codec@1.15	MEDIUM	1	Highest	110
commons-collections-3.2.2.jar	cpe:2.3:a:apache:commons_collections:3.2.2:::::::* cpe:2.3:a:apache:commons_net:3.2.2:::::::*	pkg:maven/commons-collections/commons-collections@3.2.2	MEDIUM	1	Highest	86
commons-csv-1.6.jar	cpe:2.3:a:apache:commons_net:1.6:::::::*	pkg:maven/org.apache.commons/commons-csv@1.6	MEDIUM	1	Highest	85
commons-dbcp-1.4.jar	cpe:2.3:a:apache:commons_net:1.4:::::::*	pkg:maven/commons-dbcp/commons-dbcp@1.4	MEDIUM	1	Highest	96
commons-digester-2.1.jar	cpe:2.3:a:apache:commons_net:2.1:::::::*	pkg:maven/commons-digester/commons-digester@2.1	MEDIUM	1	Highest	98
commons-digester3-3.2.jar	cpe:2.3:a:apache:commons_net:3.2:::::::*	pkg:maven/org.apache.commons/commons-digester3@3.2	MEDIUM	1	Highest	105
commons-exec-1.3.jar	cpe:2.3:a:apache:commons_net:1.3:::::::*	pkg:maven/org.apache.commons/commons-exec@1.3	MEDIUM	1	Highest	61
commons-httpclient-3.1.jar	cpe:2.3:a:apache:commons-httpclient:3.1:::::::* cpe:2.3:a:apache:commons_net:3.1:::::::* cpe:2.3:a:apache:httpclient:3.1:::::::*	pkg:maven/commons-httpclient/commons-httpclient@3.1	MEDIUM	3	Highest	91
commons-io-2.11.0.jar	cpe:2.3:a:apache:commons_io:2.11.0:::::::* cpe:2.3:a:apache:commons_net:2.11.0:::::::*	pkg:maven/commons-io/commons-io@2.11.0	MEDIUM	1	Highest	125
commons-jexl-2.1.1.jar	cpe:2.3:a:apache:commons_net:2.1.1:::::::*	pkg:maven/org.apache.commons/commons-jexl@2.1.1	MEDIUM	1	Highest	90
commons-jexl3-3.0.jar	cpe:2.3:a:apache:commons_net:3.0:::::::*	pkg:maven/org.apache.commons/commons-jexl3@3.0	MEDIUM	1	Highest	93
commons-lang-2.6.jar	cpe:2.3:a:apache:commons_net:2.6:::::::*	pkg:maven/commons-lang/commons-lang@2.6	MEDIUM	1	Highest	122
commons-lang3-3.12.0.jar	cpe:2.3:a:apache:commons_net:3.12.0:::::::*	pkg:maven/org.apache.commons/commons-lang3@3.12.0		0	Highest	141
commons-logging-1.2.jar	cpe:2.3:a:apache:commons_net:1.2:::::::*	pkg:maven/commons-logging/commons-logging@1.2	MEDIUM	1	Highest	117
commons-math-1.2.jar	cpe:2.3:a:apache:commons_net:1.2:::::::*	pkg:maven/commons-math/commons-math@1.2	MEDIUM	1	Highest	82
commons-pool-1.6.jar	cpe:2.3:a:apache:commons_net:1.6:::::::*	pkg:maven/commons-pool/commons-pool@1.6	MEDIUM	1	Highest	75
commons-text-1.10.0.jar	cpe:2.3:a:apache:commons_net:1.10.0:::::::* cpe:2.3:a:apache:commons_text:1.10.0:::::::*	pkg:maven/org.apache.commons/commons-text@1.10.0	MEDIUM	1	Highest	73
commons-validator-1.6.jar	cpe:2.3:a:apache:commons_net:1.6:::::::*	pkg:maven/commons-validator/commons-validator@1.6	MEDIUM	1	Highest	127
commons-vfs2-2.4.1.jar	cpe:2.3:a:apache:commons_net:2.4.1:::::::*	pkg:maven/org.apache.commons/commons-vfs2@2.4.1	MEDIUM	1	Highest	42
content-type-2.2.jar		pkg:maven/com.nimbusds/content-type@2.2		0		47
cron-parser-core-3.4.jar		pkg:maven/net.redhogs.cronparser/cron-parser-core@3.4		0		24
dom4j-2.1.4.jar	cpe:2.3:a:dom4j_project:dom4j:2.1.4:::::::*	pkg:maven/org.dom4j/dom4j@2.1.4		0	Highest	21
edu.internet2.middleware.grouper:grouper:4.0.0-SNAPSHOT	cpe:2.3:a:internet2:grouper:4.0.0:snapshot::::::	pkg:maven/edu.internet2.middleware.grouper/grouper@4.0.0-SNAPSHOT		0	Highest	6
edu.internet2.middleware.grouper:grouperClient:4.0.0-SNAPSHOT	cpe:2.3:a:internet2:grouper:4.0.0:snapshot::::::	pkg:maven/edu.internet2.middleware.grouper/grouperClient@4.0.0-SNAPSHOT		0	Highest	6
ehcache-core-2.6.10.jar		pkg:maven/net.sf.ehcache/ehcache-core@2.6.10		0		22
ehcache-core-2.6.10.jar: sizeof-agent.jar		pkg:maven/net.sf.ehcache/sizeof-agent@1.0.1		0		28
ezmorph-1.0.6.jar		pkg:maven/net.sf.ezmorph/ezmorph@1.0.6		0		32
geronimo-jms_1.1_spec-1.1.jar		pkg:maven/org.apache.geronimo.specs/geronimo-jms_1.1_spec@1.1		0		18
geronimo-jms_2.0_spec-1.0-alpha-2.jar		pkg:maven/org.apache.geronimo.specs/geronimo-jms_2.0_spec@1.0-alpha-2		0		30
google-api-client-1.25.0.jar		pkg:maven/com.google.api-client/google-api-client@1.25.0		0		33
google-api-services-admin-directory-directory_v1-rev118-1.25.0.jar		pkg:maven/com.google.apis/google-api-services-admin-directory@directory_v1-rev118-1.25.0		0		28
google-api-services-groupssettings-v1-rev82-1.25.0.jar		pkg:maven/com.google.apis/google-api-services-groupssettings@v1-rev82-1.25.0		0		28
google-http-client-1.25.0.jar		pkg:maven/com.google.http-client/google-http-client@1.25.0		0		31
google-http-client-jackson2-1.25.0.jar		pkg:maven/com.google.http-client/google-http-client-jackson2@1.25.0		0		21
google-oauth-client-1.25.0.jar	cpe:2.3:a:google:oauth_client_library_for_java:1.25.0:::::::*	pkg:maven/com.google.oauth-client/google-oauth-client@1.25.0	CRITICAL	2	Low	31
groovy-2.5.18.jar	cpe:2.3:a:apache:groovy:2.5.18:::::::*	pkg:maven/org.codehaus.groovy/groovy@2.5.18		0	Highest	294
groovy-xml-2.5.18.jar	cpe:2.3:a:apache:groovy:2.5.18:::::::*	pkg:maven/org.codehaus.groovy/groovy-xml@2.5.18		0	High	289
guava-20.0.jar	cpe:2.3:a:google:guava:20.0:::::::*	pkg:maven/com.google.guava/guava@20.0	HIGH	3	Highest	22
hibernate-commons-annotations-5.1.2.Final.jar		pkg:maven/org.hibernate.common/hibernate-commons-annotations@5.1.2.Final		0		47
hibernate-core-5.6.10.Final.jar	cpe:2.3:a:hibernate:hibernate_orm:5.6.10:::::::*	pkg:maven/org.hibernate/hibernate-core@5.6.10.Final		0	Low	48
httpclient-4.5.13.jar	cpe:2.3:a:apache:httpclient:4.5.13:::::::*	pkg:maven/org.apache.httpcomponents/httpclient@4.5.13		0	Highest	32
httpcore-4.4.14.jar		pkg:maven/org.apache.httpcomponents/httpcore@4.4.14		0		32
httpmime-4.5.13.jar		pkg:maven/org.apache.httpcomponents/httpmime@4.5.13		0		30
ion-java-1.0.2.jar		pkg:maven/software.amazon.ion/ion-java@1.0.2		0		34
istack-commons-runtime-3.0.7.jar	cpe:2.3:a:apache:commons_net:3.0.7:::::::* cpe:2.3:a:oracle:java_se:3.0.7:::::::*	pkg:maven/com.sun.istack/istack-commons-runtime@3.0.7	MEDIUM	1	Low	34
j2objc-annotations-1.1.jar		pkg:maven/com.google.j2objc/j2objc-annotations@1.1		0		24
jackson-annotations-2.14.0.jar	cpe:2.3:a:fasterxml:jackson-modules-java8:2.14.0:::::::*	pkg:maven/com.fasterxml.jackson.core/jackson-annotations@2.14.0		0	Low	40
jackson-core-2.14.0.jar	cpe:2.3:a:fasterxml:jackson-modules-java8:2.14.0:::::::* cpe:2.3:a:json-java_project:json-java:2.14.0:::::::*	pkg:maven/com.fasterxml.jackson.core/jackson-core@2.14.0	HIGH	1	Low	49
jackson-databind-2.14.0.jar	cpe:2.3:a:fasterxml:jackson-databind:2.14.0:::::::* cpe:2.3:a:fasterxml:jackson-modules-java8:2.14.0:::::::*	pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.14.0	MEDIUM	1	Highest	43
jackson-dataformat-cbor-2.12.6.jar	cpe:2.3:a:fasterxml:jackson-dataformats-binary:2.12.6:::::::*	pkg:maven/com.fasterxml.jackson.dataformat/jackson-dataformat-cbor@2.12.6		0	Low	41
jandex-2.0.4.Final.jar		pkg:maven/org.jboss/jandex@2.0.4.Final		0		40
java-ipv6-0.17.jar		pkg:maven/com.googlecode.java-ipv6/java-ipv6@0.17		0		20
java-jwt-3.10.3.jar		pkg:maven/com.auth0/java-jwt@3.10.3		0		37
javassist-3.22.0-GA.jar		pkg:maven/org.javassist/javassist@3.22.0-GA		0		58
javax.activation-api-1.2.0.jar		pkg:maven/javax.activation/javax.activation-api@1.2.0		0		39
javax.persistence-api-2.2.jar	cpe:2.3:a:oracle:java_se:2.2:::::::*	pkg:maven/javax.persistence/javax.persistence-api@2.2		0	Low	34
jaxb-api-2.3.1.jar	cpe:2.3:a:oracle:java_se:2.3.1:::::::*	pkg:maven/javax.xml.bind/jaxb-api@2.3.1		0	Low	37
jaxb-runtime-2.3.1.jar		pkg:maven/org.glassfish.jaxb/jaxb-runtime@2.3.1		0		32
jboss-logging-3.3.1.Final.jar		pkg:maven/org.jboss.logging/jboss-logging@3.3.1.Final		0		42
jboss-transaction-api_1.2_spec-1.1.1.Final.jar		pkg:maven/org.jboss.spec.javax.transaction/jboss-transaction-api_1.2_spec@1.1.1.Final		0		41
jcip-annotations-1.0-1.jar		pkg:maven/com.github.stephenc.jcip/jcip-annotations@1.0-1		0		25
jetty-6.1.26.jar	cpe:2.3:a:jetty:jetty:6.1.26:::::::* cpe:2.3:a:mortbay:jetty:6.1.26:::::::* cpe:2.3:a:mortbay_jetty:jetty:6.1.26:::::::*	pkg:maven/org.mortbay.jetty/jetty@6.1.26	MEDIUM	2	Highest	34
jline-2.14.5.jar	cpe:2.3:a:planet:planet:2.14.5:::::::*	pkg:maven/jline/jline@2.14.5		0	Low	37
jmespath-java-1.12.267.jar	cpe:2.3:a:amazon:aws-sdk-java:1.12.267:::::::*	pkg:maven/com.amazonaws/jmespath-java@1.12.267		0	Low	28
joda-time-2.9.9.jar	cpe:2.3:a:time_project:time:2.9.9:::::::*	pkg:maven/joda-time/joda-time@2.9.9		0	Highest	45
jsch-0.1.55.jar	cpe:2.3:a:jcraft:jsch:0.1.55:::::::*	pkg:maven/com.jcraft/jsch@0.1.55		0	Highest	34
json-lib-2.4-jdk15.jar		pkg:maven/net.sf.json-lib/json-lib@2.4		0		13
json-smart-2.4.8.jar	cpe:2.3:a:json-smart_project:json-smart:2.4.8:::::::* cpe:2.3:a:json-smart_project:json-smart-v2:2.4.8:::::::*	pkg:maven/net.minidev/json-smart@2.4.8	HIGH	1	Highest	51
jsoup-1.15.3.jar	cpe:2.3:a:jsoup:jsoup:1.15.3:::::::*	pkg:maven/org.jsoup/jsoup@1.15.3		0	Highest	42
jsr305-3.0.2.jar		pkg:maven/com.google.code.findbugs/jsr305@3.0.2		0		17
jta-1.1.jar		pkg:maven/javax.transaction/jta@1.1		0		22
lang-tag-1.7.jar		pkg:maven/com.nimbusds/lang-tag@1.7		0		49
ldaptive-1.2.4.jar	cpe:2.3:a:ldaptive:ldaptive:1.2.4:::::::*	pkg:maven/org.ldaptive/ldaptive@1.2.4		0	Highest	23
log4j-core-2.17.1.jar	cpe:2.3:a:apache:log4j:2.17.1:::::::*	pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1		0	Highest	50
log4j-slf4j-impl-2.17.1.jar		pkg:maven/org.apache.logging.log4j/log4j-slf4j-impl@2.17.1		0		46
mail-1.4.7.jar		pkg:maven/javax.mail/mail@1.4.7		0		44
mchange-commons-java-0.2.15.jar		pkg:maven/com.mchange/mchange-commons-java@0.2.15		0		29
mxparser-1.2.2.jar		pkg:maven/io.github.x-stream/mxparser@1.2.2		0		58
mysql-connector-java-8.0.28.jar	cpe:2.3:a:mysql:mysql:8.0.28:::::::* cpe:2.3:a:oracle:mysql_connector\/j:8.0.28:::::::*	pkg:maven/mysql/mysql-connector-java@8.0.28		0	Highest	44
netty-codec-4.1.72.Final.jar	cpe:2.3:a:netty:netty:4.1.72:::::::*	pkg:maven/io.netty/netty-codec@4.1.72.Final	HIGH	5	Highest	34
netty-common-4.1.72.Final.jar (shaded: org.jctools:jctools-core:3.1.0)		pkg:maven/org.jctools/jctools-core@3.1.0		0		9
netty-tcnative-classes-2.0.46.Final.jar		pkg:maven/io.netty/netty-tcnative-classes@2.0.46.Final		0		35
netty-transport-4.1.72.Final.jar	cpe:2.3:a:netty:netty:4.1.72:::::::*	pkg:maven/io.netty/netty-transport@4.1.72.Final	HIGH	4	Highest	32
nimbus-jose-jwt-9.24.4.jar (shaded: com.google.code.gson:gson:2.9.1)	cpe:2.3:a:google:gson:2.9.1:::::::*	pkg:maven/com.google.code.gson/gson@2.9.1		0	Highest	9
nimbus-jose-jwt-9.24.4.jar	cpe:2.3:a:connect2id:nimbus_jose\+jwt:9.24.4:::::::*	pkg:maven/com.nimbusds/nimbus-jose-jwt@9.24.4		0	Highest	55
oauth2-oidc-sdk-9.43.1.jar		pkg:maven/com.nimbusds/oauth2-oidc-sdk@9.43.1		0		59
org.apache.felix.framework-7.0.3.jar	cpe:2.3:a:sun:sun_ftp:7.0.3:::::::*	pkg:maven/org.apache.felix/org.apache.felix.framework@7.0.3		0	Low	41
oro-2.0.8.jar		pkg:maven/oro/oro@2.0.8		0		16
picocli-4.3.2.jar		pkg:maven/info.picocli/picocli@4.3.2		0		36
postgresql-42.5.1.jar	cpe:2.3:a:postgresql:postgresql_jdbc_driver:42.5.1:::::::*	pkg:maven/org.postgresql/postgresql@42.5.1		0	Low	71
protobuf-java-3.11.4.jar	cpe:2.3:a:google:protobuf-java:3.11.4:::::::* cpe:2.3:a:protobuf:protobuf:3.11.4:::::::*	pkg:maven/com.google.protobuf/protobuf-java@3.11.4	HIGH	4	Highest	27
proton-j-0.33.10.jar	cpe:2.3:a:apache:qpid:0.33.10:::::::* cpe:2.3:a:apache:qpid_proton:0.33.10:::::::* cpe:2.3:a:apache:qpid_proton-j:0.33.10:::::::* cpe:2.3:a:proton_project:proton:0.33.10:::::::*	pkg:maven/org.apache.qpid/proton-j@0.33.10		0	Highest	30
qpid-jms-client-0.61.0.jar	cpe:2.3:a:apache:qpid:0.61.0:::::::*	pkg:maven/org.apache.qpid/qpid-jms-client@0.61.0		0	Highest	27
quartz-2.3.2.jar	cpe:2.3:a:softwareag:quartz:2.3.2:::::::*	pkg:maven/org.quartz-scheduler/quartz@2.3.2	CRITICAL	1	Highest	33
slf4j-api-1.7.32.jar		pkg:maven/org.slf4j/slf4j-api@1.7.32		0		27
smack-3.1.0.jar		pkg:maven/jivesoftware/smack@3.1.0	MEDIUM	2		22
stax-ex-1.8.jar	cpe:2.3:a:oracle:java_se:1.8:::::::*	pkg:maven/org.jvnet.staxex/stax-ex@1.8		0	Low	48
txw2-2.3.1.jar		pkg:maven/org.glassfish.jaxb/txw2@2.3.1		0		34
unboundid-ldapsdk-4.0.9.jar	cpe:2.3:a:pingidentity:ldapsdk:4.0.9:::::::*	pkg:maven/com.unboundid/unboundid-ldapsdk@4.0.9		0	Highest	49
xercesImpl-2.12.2.jar	cpe:2.3:a:apache:xerces-j:2.12.2:::::::* cpe:2.3:a:apache:xerces2_java:2.12.2:::::::*	pkg:maven/xerces/xercesImpl@2.12.2	MEDIUM	1	Low	84
xmlpull-1.1.3.1.jar		pkg:maven/xmlpull/xmlpull@1.1.3.1		0		18
xstream-1.4.20.jar	cpe:2.3:a:xstream_project:xstream:1.4.20:::::::*	pkg:maven/com.thoughtworks.xstream/xstream@1.4.20		0	Highest	55

Description:

Open Source implementation of the Fast Infoset Standard for Binary XML (http://www.itu.int/ITU-T/asn1/).

License:

http://www.opensource.org/licenses/apache2.0.php

File Path: /home/grprdist/.m2/repository/com/sun/xml/fastinfoset/FastInfoset/1.2.15/FastInfoset-1.2.15.jar
MD5: 57f3894ad7e069ae740b277d92d10fa0
SHA1: bb7b7ec0379982b97c62cd17465cb6d9155f68e8
SHA256:785861db11ca1bd0d1956682b974ad73eb19cd3e01a4b3fa82d62eca97210aec
Referenced In Project/Scope:Grouper Google Apps Provisioner:provided

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	FastInfoset	High
Vendor	jar	package name	fastinfoset	Highest
Vendor	jar	package name	sun	Highest
Vendor	jar	package name	xml	Highest
Vendor	jar (hint)	package name	oracle	Highest
Vendor	Manifest	bundle-docurl	http://www.oracle.com	Low
Vendor	Manifest	bundle-symbolicname	com.sun.xml.fastinfoset.FastInfoset	Medium
Vendor	Manifest	extension-name	com.sun.xml.fastinfoset	Medium
Vendor	Manifest	implementation-build-id	${scmBranch}-${buildNumber}, ${timestamp}	Low
Vendor	Manifest	implementation-url	http://fi.java.net	Low
Vendor	Manifest	Implementation-Vendor	Oracle	High
Vendor	Manifest	Implementation-Vendor-Id	com.oracle	Medium
Vendor	Manifest	require-capability	osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=9.0))"	Low
Vendor	Manifest	url	http://fi.java.net	Low
Vendor	Manifest (hint)	Implementation-Vendor	sun	High
Vendor	pom	artifactid	FastInfoset	Highest
Vendor	pom	artifactid	FastInfoset	Low
Vendor	pom	groupid	com.sun.xml.fastinfoset	Highest
Vendor	pom	name	fastinfoset	High
Vendor	pom	parent-artifactid	fastinfoset-project	Low
Vendor	pom	url	http://fi.java.net	Highest
Product	file	name	FastInfoset	High
Product	jar	package name	fastinfoset	Highest
Product	jar	package name	sun	Highest
Product	jar	package name	xml	Highest
Product	Manifest	bundle-docurl	http://www.oracle.com	Low
Product	Manifest	Bundle-Name	fastinfoset	Medium
Product	Manifest	bundle-symbolicname	com.sun.xml.fastinfoset.FastInfoset	Medium
Product	Manifest	extension-name	com.sun.xml.fastinfoset	Medium
Product	Manifest	implementation-build-id	${scmBranch}-${buildNumber}, ${timestamp}	Low
Product	Manifest	Implementation-Title	Fast Infoset Implementation	High
Product	Manifest	implementation-url	http://fi.java.net	Low
Product	Manifest	require-capability	osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=9.0))"	Low
Product	Manifest	specification-title	ITU-T Rec. X.891 \| ISO/IEC 24824-1 (Fast Infoset)	Medium
Product	Manifest	url	http://fi.java.net	Low
Product	pom	artifactid	FastInfoset	Highest
Product	pom	groupid	com.sun.xml.fastinfoset	Highest
Product	pom	name	fastinfoset	High
Product	pom	parent-artifactid	fastinfoset-project	Medium
Product	pom	url	http://fi.java.net	Medium
Version	file	version	1.2.15	High
Version	Manifest	Bundle-Version	1.2.15	High
Version	Manifest	Implementation-Version	1.2.15	High
Version	pom	version	1.2.15	Highest

Identifiers

pkg:maven/com.sun.xml.fastinfoset/FastInfoset@1.2.15 (Confidence:High)
cpe:2.3:a:fast_ber_project:fast_ber:1.2.15:*:*:*:*:*:*:* (Confidence:Low)

Description:

Java reflect give poor performance on getter setter an constructor calls, accessors-smart use ASM to speed up those calls.

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt

File Path: /home/grprdist/.m2/repository/net/minidev/accessors-smart/2.4.8/accessors-smart-2.4.8.jar
MD5: e5761631acc11ded0255af1249937e85
SHA1: 6e1bee5a530caba91893604d6ab41d0edcecca9a
SHA256:7dd705aa1ac0e030f8ee2624e8e77239ae1eef6ccc2621c0b8c189866ee1c42c
Referenced In Project/Scope:Grouper Google Apps Provisioner:provided

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	accessors-smart	High
Vendor	jar	package name	asm	Highest
Vendor	jar	package name	minidev	Highest
Vendor	jar	package name	net	Highest
Vendor	Manifest	bundle-docurl	https://urielch.github.io/	Low
Vendor	Manifest	bundle-symbolicname	net.minidev.accessors-smart	Medium
Vendor	Manifest	require-capability	osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))"	Low
Vendor	pom	artifactid	accessors-smart	Highest
Vendor	pom	artifactid	accessors-smart	Low
Vendor	pom	developer email	shoothzj@gmail.com	Low
Vendor	pom	developer email	uchemouni@gmail.com	Low
Vendor	pom	developer id	Shoothzj	Medium
Vendor	pom	developer id	uriel	Medium
Vendor	pom	developer name	Uriel Chemouni	Medium
Vendor	pom	developer name	ZhangJian He	Medium
Vendor	pom	groupid	net.minidev	Highest
Vendor	pom	name	ASM based accessors helper used by json-smart	High
Vendor	pom	organization name	Chemouni Uriel	High
Vendor	pom	organization url	https://urielch.github.io/	Medium
Vendor	pom	url	https://urielch.github.io/	Highest
Product	file	name	accessors-smart	High
Product	jar	package name	asm	Highest
Product	jar	package name	minidev	Highest
Product	jar	package name	net	Highest
Product	Manifest	bundle-docurl	https://urielch.github.io/	Low
Product	Manifest	Bundle-Name	accessors-smart	Medium
Product	Manifest	bundle-symbolicname	net.minidev.accessors-smart	Medium
Product	Manifest	require-capability	osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))"	Low
Product	pom	artifactid	accessors-smart	Highest
Product	pom	developer email	shoothzj@gmail.com	Low
Product	pom	developer email	uchemouni@gmail.com	Low
Product	pom	developer id	Shoothzj	Low
Product	pom	developer id	uriel	Low
Product	pom	developer name	Uriel Chemouni	Low
Product	pom	developer name	ZhangJian He	Low
Product	pom	groupid	net.minidev	Highest
Product	pom	name	ASM based accessors helper used by json-smart	High
Product	pom	organization name	Chemouni Uriel	Low
Product	pom	organization url	https://urielch.github.io/	Low
Product	pom	url	https://urielch.github.io/	Medium
Version	file	version	2.4.8	High
Version	Manifest	Bundle-Version	2.4.8	High
Version	pom	version	2.4.8	Highest

Identifiers

pkg:maven/net.minidev/accessors-smart@2.4.8 (Confidence:High)
cpe:2.3:a:json-smart_project:json-smart:2.4.8:*:*:*:*:*:*:* (Confidence:Low)
cpe:2.3:a:json-smart_project:json-smart-v2:2.4.8:*:*:*:*:*:*:* (Confidence:Low)

Description:

The JavaBeans(TM) Activation Framework is used by the JavaMail(TM) API to manage MIME data

License:

COMMON DEVELOPMENT AND DISTRIBUTION LICENSE (CDDL) Version 1.0: https://glassfish.dev.java.net/public/CDDLv1.0.html

File Path: /home/grprdist/.m2/repository/javax/activation/activation/1.1.1/activation-1.1.1.jar
MD5: 46a37512971d8eca81c3fcf245bf07d2
SHA1: 485de3a253e23f645037828c07f1d7f1af40763a
SHA256:ae475120e9fcd99b4b00b38329bd61cdc5eb754eee03fe66c01f50e137724f99
Referenced In Project/Scope:Grouper Google Apps Provisioner:provided

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	activation	High
Vendor	jar	package name	activation	Highest
Vendor	jar	package name	javax	Highest
Vendor	jar	package name	sun	Highest
Vendor	jar (hint)	package name	oracle	Highest
Vendor	Manifest	extension-name	javax.activation	Medium
Vendor	Manifest	Implementation-Vendor	Sun Microsystems, Inc.	High
Vendor	Manifest	Implementation-Vendor-Id	com.sun	Medium
Vendor	Manifest	specification-vendor	Sun Microsystems, Inc.	Low
Vendor	pom	artifactid	activation	Highest
Vendor	pom	artifactid	activation	Low
Vendor	pom	groupid	javax.activation	Highest
Vendor	pom	name	JavaBeans(TM) Activation Framework	High
Vendor	pom	url	http://java.sun.com/javase/technologies/desktop/javabeans/jaf/index.jsp	Highest
Product	file	name	activation	High
Product	jar	package name	activation	Highest
Product	jar	package name	javax	Highest
Product	Manifest	extension-name	javax.activation	Medium
Product	Manifest	specification-title	JavaBeans(TM) Activation Framework Specification	Medium
Product	pom	artifactid	activation	Highest
Product	pom	groupid	javax.activation	Highest
Product	pom	name	JavaBeans(TM) Activation Framework	High
Product	pom	url	http://java.sun.com/javase/technologies/desktop/javabeans/jaf/index.jsp	Medium
Version	file	version	1.1.1	High
Version	Manifest	Implementation-Version	1.1.1	High
Version	pom	version	1.1.1	Highest

Identifiers

pkg:maven/javax.activation/activation@1.1.1 (Confidence:High)
cpe:2.3:a:oracle:java_se:1.1.1:*:*:*:*:*:*:* (Confidence:Low)

Description:

The RabbitMQ Java client library allows Java applications to interface with RabbitMQ.

License:

ASL 2.0: https://www.apache.org/licenses/LICENSE-2.0.html
GPL v2: https://www.gnu.org/licenses/gpl-2.0.txt
MPL 1.1: https://www.mozilla.org/MPL/MPL-1.1.txt

File Path: /home/grprdist/.m2/repository/com/rabbitmq/amqp-client/4.12.0/amqp-client-4.12.0.jar
MD5: 906413fa9389eb87762d1913b1d342f0
SHA1: eb4cdaae6f0bca1f038524aa1cb23e9919d4d49b
SHA256:fa7ccfd324d53be9d5d98689beb33c286de0fe504febe5f1854a3a2369627b9c
Referenced In Project/Scope:Grouper Google Apps Provisioner:provided

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	amqp-client	High
Vendor	jar	package name	amqp	Highest
Vendor	jar	package name	client	Highest
Vendor	jar	package name	rabbitmq	Highest
Vendor	Manifest	automatic-module-name	com.rabbitmq.client	Medium
Vendor	Manifest	bundle-docurl	https://www.rabbitmq.com	Low
Vendor	Manifest	bundle-symbolicname	com.rabbitmq.client	Medium
Vendor	Manifest	implementation-url	https://www.rabbitmq.com	Low
Vendor	Manifest	Implementation-Vendor	VMware, Inc. or its affiliates.	High
Vendor	Manifest	specification-vendor	AMQP Working Group (www.amqp.org)	Low
Vendor	pom	artifactid	amqp-client	Highest
Vendor	pom	artifactid	amqp-client	Low
Vendor	pom	developer email	info@rabbitmq.com	Low
Vendor	pom	developer name	Team RabbitMQ	Medium
Vendor	pom	developer org	VMware, Inc. or its affiliates.	Medium
Vendor	pom	developer org URL	https://rabbitmq.com	Medium
Vendor	pom	groupid	com.rabbitmq	Highest
Vendor	pom	name	RabbitMQ Java Client	High
Vendor	pom	organization name	VMware, Inc. or its affiliates.	High
Vendor	pom	organization url	https://www.rabbitmq.com	Medium
Vendor	pom	url	https://www.rabbitmq.com	Highest
Product	file	name	amqp-client	High
Product	jar	package name	amqp	Highest
Product	jar	package name	client	Highest
Product	jar	package name	rabbitmq	Highest
Product	Manifest	automatic-module-name	com.rabbitmq.client	Medium
Product	Manifest	bundle-docurl	https://www.rabbitmq.com	Low
Product	Manifest	Bundle-Name	RabbitMQ Java Client	Medium
Product	Manifest	bundle-symbolicname	com.rabbitmq.client	Medium
Product	Manifest	Implementation-Title	RabbitMQ Java Client	High
Product	Manifest	implementation-url	https://www.rabbitmq.com	Low
Product	Manifest	specification-title	AMQP	Medium
Product	pom	artifactid	amqp-client	Highest
Product	pom	developer email	info@rabbitmq.com	Low
Product	pom	developer name	Team RabbitMQ	Low
Product	pom	developer org	VMware, Inc. or its affiliates.	Low
Product	pom	developer org URL	https://rabbitmq.com	Low
Product	pom	groupid	com.rabbitmq	Highest
Product	pom	name	RabbitMQ Java Client	High
Product	pom	organization name	VMware, Inc. or its affiliates.	Low
Product	pom	organization url	https://www.rabbitmq.com	Low
Product	pom	url	https://www.rabbitmq.com	Medium
Version	file	version	4.12.0	High
Version	Manifest	Bundle-Version	4.12.0	High
Version	Manifest	Implementation-Version	4.12.0	High
Version	pom	version	4.12.0	Highest

Identifiers

pkg:maven/com.rabbitmq/amqp-client@4.12.0 (Confidence:High)
cpe:2.3:a:vmware:rabbitmq:4.12.0:*:*:*:*:*:*:* (Confidence:High)

File Path: /home/grprdist/.m2/repository/org/codehaus/mojo/animal-sniffer-annotations/1.9/animal-sniffer-annotations-1.9.jar
MD5: 41f47a4c81b5a9f76bc7f12af69e4fbe
SHA1: c29299253a087898aaff7f4eac57effa46b1910a
SHA256:cd96feeb47f34b2559704715db7b179a03a3721f9dc4092c345c718e29b42de4
Referenced In Project/Scope:Grouper Google Apps Provisioner:provided

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	animal-sniffer-annotations	High
Vendor	jar	package name	animal_sniffer	Low
Vendor	jar	package name	codehaus	Highest
Vendor	jar	package name	codehaus	Low
Vendor	jar	package name	mojo	Highest
Vendor	jar	package name	mojo	Low
Vendor	pom	artifactid	animal-sniffer-annotations	Highest
Vendor	pom	artifactid	animal-sniffer-annotations	Low
Vendor	pom	groupid	org.codehaus.mojo	Highest
Vendor	pom	name	Animal Sniffer Annotations	High
Vendor	pom	parent-artifactid	animal-sniffer-parent	Low
Product	file	name	animal-sniffer-annotations	High
Product	jar	package name	animal_sniffer	Low
Product	jar	package name	codehaus	Highest
Product	jar	package name	ignorejrerequirement	Low
Product	jar	package name	mojo	Highest
Product	jar	package name	mojo	Low
Product	pom	artifactid	animal-sniffer-annotations	Highest
Product	pom	groupid	org.codehaus.mojo	Highest
Product	pom	name	Animal Sniffer Annotations	High
Product	pom	parent-artifactid	animal-sniffer-parent	Medium
Version	file	version	1.9	High
Version	pom	version	1.9	Highest

Identifiers

pkg:maven/org.codehaus.mojo/animal-sniffer-annotations@1.9 (Confidence:High)

File Path: /home/grprdist/.m2/repository/org/apache/ant/ant/1.10.12/ant-1.10.12.jar
MD5: f5b97fb267862b35d1eb398defe1831a
SHA1: be08c4f63e92e03bac761404cf77bc270928b6c5
SHA256:5c6a438c3ebe7a306eba452b09fa307b0e60314926177920bca896c4a504eaf6
Referenced In Project/Scope:Grouper Google Apps Provisioner:provided

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	ant	High
Vendor	jar	package name	ant	Highest
Vendor	jar	package name	apache	Highest
Vendor	manifest: org/apache/tools/ant/	Implementation-Vendor	Apache Software Foundation	Medium
Vendor	pom	artifactid	ant	Highest
Vendor	pom	artifactid	ant	Low
Vendor	pom	groupid	org.apache.ant	Highest
Vendor	pom	name	Apache Ant Core	High
Vendor	pom	parent-artifactid	ant-parent	Low
Vendor	pom	url	https://ant.apache.org/	Highest
Product	file	name	ant	High
Product	jar	package name	ant	Highest
Product	jar	package name	apache	Highest
Product	jar	package name	tools	Highest
Product	manifest: org/apache/tools/ant/	Implementation-Title	org.apache.tools.ant	Medium
Product	manifest: org/apache/tools/ant/	Specification-Title	Apache Ant	Medium
Product	pom	artifactid	ant	Highest
Product	pom	groupid	org.apache.ant	Highest
Product	pom	name	Apache Ant Core	High
Product	pom	parent-artifactid	ant-parent	Medium
Product	pom	url	https://ant.apache.org/	Medium
Version	file	version	1.10.12	High
Version	manifest: org/apache/tools/ant/	Implementation-Version	1.10.12	Medium
Version	pom	version	1.10.12	Highest

Related Dependencies

Identifiers

pkg:maven/org.apache.ant/ant@1.10.12 (Confidence:High)
cpe:2.3:a:apache:ant:1.10.12:*:*:*:*:*:*:* (Confidence:Highest)

Description:

    A framework for constructing recognizers, compilers,
    and translators from grammatical descriptions containing
    Java, C#, C++, or Python actions.

License:

BSD License: http://www.antlr.org/license.html

File Path: /home/grprdist/.m2/repository/antlr/antlr/2.7.7/antlr-2.7.7.jar
MD5: f8f1352c52a4c6a500b597596501fc64
SHA1: 83cd2cd674a217ade95a4bb83a8a14f351f48bd0
SHA256:88fbda4b912596b9f56e8e12e580cc954bacfb51776ecfddd3e18fc1cf56dc4c
Referenced In Project/Scope:Grouper Google Apps Provisioner:provided

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	antlr	High
Vendor	jar	package name	actions	Highest
Vendor	jar	package name	antlr	Highest
Vendor	jar	package name	antlr	Low
Vendor	jar	package name	java	Highest
Vendor	jar	package name	parser	Highest
Vendor	jar	package name	python	Highest
Vendor	pom	artifactid	antlr	Highest
Vendor	pom	artifactid	antlr	Low
Vendor	pom	groupid	antlr	Highest
Vendor	pom	name	AntLR Parser Generator	High
Vendor	pom	url	http://www.antlr.org/	Highest
Product	file	name	antlr	High
Product	jar	package name	actions	Highest
Product	jar	package name	antlr	Highest
Product	jar	package name	java	Highest
Product	jar	package name	parser	Highest
Product	jar	package name	python	Highest
Product	pom	artifactid	antlr	Highest
Product	pom	groupid	antlr	Highest
Product	pom	name	AntLR Parser Generator	High
Product	pom	url	http://www.antlr.org/	Medium
Version	file	version	2.7.7	High
Version	pom	version	2.7.7	Highest

Identifiers

pkg:maven/antlr/antlr@2.7.7 (Confidence:High)

Description:

ASM, a very small and fast Java bytecode manipulation framework

License:

BSD: http://asm.ow2.org/license.html

File Path: /home/grprdist/.m2/repository/org/ow2/asm/asm/7.1/asm-7.1.jar
MD5: 04fc92647ce25b41121683674a50dfdf
SHA1: fa29aa438674ff19d5e1386d2c3527a0267f291e
SHA256:4ab2fa2b6d2cc9ccb1eaa05ea329c407b47b13ed2915f62f8c4b8cc96258d4de
Referenced In Project/Scope:Grouper Google Apps Provisioner:provided

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	asm	High
Vendor	jar	package name	asm	Highest
Vendor	jar	package name	objectweb	Highest
Vendor	Manifest	bundle-docurl	http://asm.ow2.org	Low
Vendor	Manifest	bundle-requiredexecutionenvironment	J2SE-1.5	Low
Vendor	Manifest	bundle-symbolicname	org.objectweb.asm	Medium
Vendor	pom	artifactid	asm	Highest
Vendor	pom	artifactid	asm	Low
Vendor	pom	developer email	ebruneton@free.fr	Low
Vendor	pom	developer email	eu@javatx.org	Low
Vendor	pom	developer email	forax@univ-mlv.fr	Low
Vendor	pom	developer id	ebruneton	Medium
Vendor	pom	developer id	eu	Medium
Vendor	pom	developer id	forax	Medium
Vendor	pom	developer name	Eric Bruneton	Medium
Vendor	pom	developer name	Eugene Kuleshov	Medium
Vendor	pom	developer name	Remi Forax	Medium
Vendor	pom	groupid	org.ow2.asm	Highest
Vendor	pom	name	asm	High
Vendor	pom	organization name	OW2	High
Vendor	pom	organization url	http://www.ow2.org/	Medium
Vendor	pom	parent-artifactid	ow2	Low
Vendor	pom	parent-groupid	org.ow2	Medium
Vendor	pom	url	http://asm.ow2.org/	Highest
Product	file	name	asm	High
Product	jar	package name	asm	Highest
Product	jar	package name	objectweb	Highest
Product	Manifest	bundle-docurl	http://asm.ow2.org	Low
Product	Manifest	Bundle-Name	org.objectweb.asm	Medium
Product	Manifest	bundle-requiredexecutionenvironment	J2SE-1.5	Low
Product	Manifest	bundle-symbolicname	org.objectweb.asm	Medium
Product	Manifest	Implementation-Title	ASM, a very small and fast Java bytecode manipulation framework	High
Product	pom	artifactid	asm	Highest
Product	pom	developer email	ebruneton@free.fr	Low
Product	pom	developer email	eu@javatx.org	Low
Product	pom	developer email	forax@univ-mlv.fr	Low
Product	pom	developer id	ebruneton	Low
Product	pom	developer id	eu	Low
Product	pom	developer id	forax	Low
Product	pom	developer name	Eric Bruneton	Low
Product	pom	developer name	Eugene Kuleshov	Low
Product	pom	developer name	Remi Forax	Low
Product	pom	groupid	org.ow2.asm	Highest
Product	pom	name	asm	High
Product	pom	organization name	OW2	Low
Product	pom	organization url	http://www.ow2.org/	Low
Product	pom	parent-artifactid	ow2	Medium
Product	pom	parent-groupid	org.ow2	Medium
Product	pom	url	http://asm.ow2.org/	Medium
Version	file	version	7.1	High
Version	Manifest	Implementation-Version	7.1	High
Version	pom	parent-version	7.1	Low
Version	pom	version	7.1	Highest

Identifiers

pkg:maven/org.ow2.asm/asm@7.1 (Confidence:High)

Description:

The AWS SDK for Java - Core module holds the classes that are used by the individual service clients to interact with Amazon Web Services. Users need to depend on aws-java-sdk artifact for accessing individual client classes.

File Path: /home/grprdist/.m2/repository/com/amazonaws/aws-java-sdk-core/1.12.267/aws-java-sdk-core-1.12.267.jar
MD5: e6f847980566ec95e838933ab1609c69
SHA1: 2562b87f3af418751c2d0bcbe4209dbefa263484
SHA256:0f06b44909ff2d30b2a61229839e3619fe2ac7bc4c5f52536299a8cc8a1ffd51
Referenced In Project/Scope:Grouper Google Apps Provisioner:provided

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	aws-java-sdk-core	High
Vendor	jar	package name	amazonaws	Highest
Vendor	jar	package name	amazonaws	Low
Vendor	jar	package name	classes	Highest
Vendor	jar	package name	service	Highest
Vendor	pom	artifactid	aws-java-sdk-core	Highest
Vendor	pom	artifactid	aws-java-sdk-core	Low
Vendor	pom	groupid	com.amazonaws	Highest
Vendor	pom	name	AWS SDK for Java - Core	High
Vendor	pom	parent-artifactid	aws-java-sdk-pom	Low
Vendor	pom	url	https://aws.amazon.com/sdkforjava	Highest
Product	file	name	aws-java-sdk-core	High
Product	jar	package name	amazonaws	Highest
Product	jar	package name	classes	Highest
Product	jar	package name	service	Highest
Product	pom	artifactid	aws-java-sdk-core	Highest
Product	pom	groupid	com.amazonaws	Highest
Product	pom	name	AWS SDK for Java - Core	High
Product	pom	parent-artifactid	aws-java-sdk-pom	Medium
Product	pom	url	https://aws.amazon.com/sdkforjava	Medium
Version	file	version	1.12.267	High
Version	pom	version	1.12.267	Highest

Related Dependencies

Identifiers

pkg:maven/com.amazonaws/aws-java-sdk-core@1.12.267 (Confidence:High)
cpe:2.3:a:amazon:aws-sdk-java:1.12.267:*:*:*:*:*:*:* (Confidence:Highest)

Description:

Dawid Kurzyniec's backport of JSR 166

License:

Public Domain: http://creativecommons.org/licenses/publicdomain

File Path: /home/grprdist/.m2/repository/backport-util-concurrent/backport-util-concurrent/3.1/backport-util-concurrent-3.1.jar
MD5: 748bb0cbf4780b2e3121dc9c12e10cd9
SHA1: 682f7ac17fed79e92f8e87d8455192b63376347b
SHA256:f5759b7fcdfc83a525a036deedcbd32e5b536b625ebc282426f16ca137eb5902
Referenced In Project/Scope:Grouper Google Apps Provisioner:provided

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	backport-util-concurrent	High
Vendor	jar	package name	backport	Highest
Vendor	jar	package name	edu	Low
Vendor	jar	package name	emory	Low
Vendor	jar	package name	mathcs	Low
Vendor	pom	artifactid	backport-util-concurrent	Highest
Vendor	pom	artifactid	backport-util-concurrent	Low
Vendor	pom	groupid	backport-util-concurrent	Highest
Vendor	pom	name	Backport of JSR 166	High
Vendor	pom	organization name	Dawid Kurzyniec	High
Vendor	pom	organization url	http://www.mathcs.emory.edu/~dawidk/	Medium
Vendor	pom	url	http://backport-jsr166.sourceforge.net/	Highest
Product	file	name	backport-util-concurrent	High
Product	jar	package name	backport	Highest
Product	jar	package name	backport	Low
Product	jar	package name	emory	Low
Product	jar	package name	mathcs	Low
Product	pom	artifactid	backport-util-concurrent	Highest
Product	pom	groupid	backport-util-concurrent	Highest
Product	pom	name	Backport of JSR 166	High
Product	pom	organization name	Dawid Kurzyniec	Low
Product	pom	organization url	http://www.mathcs.emory.edu/~dawidk/	Low
Product	pom	url	http://backport-jsr166.sourceforge.net/	Medium
Version	file	version	3.1	High
Version	pom	version	3.1	Highest

Identifiers

pkg:maven/backport-util-concurrent/backport-util-concurrent@3.1 (Confidence:High)

Description:

The Bouncy Castle Java APIs for CMS, PKCS, EAC, TSP, CMP, CRMF, OCSP, and certificate generation. This jar contains APIs for JDK 1.8 and up. The APIs can be used in conjunction with a JCE/JCA provider such as the one provided with the Bouncy Castle Cryptography APIs.

License:

Bouncy Castle Licence: https://www.bouncycastle.org/licence.html

File Path: /home/grprdist/.m2/repository/org/bouncycastle/bcpkix-jdk18on/1.72/bcpkix-jdk18on-1.72.jar
MD5: 4bb2ace2ca16e7fd42a0a0c13d017464
SHA1: bb3fdb5162ccd5085e8d7e57fada4d8eaa571f5a
SHA256:56a054cb170d41fb1f8ba0b29568806258b7ffefdc5e98b77ef96d4740f3d6bc
Referenced In Project/Scope:Grouper Google Apps Provisioner:provided

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	bcpkix-jdk18on	High
Vendor	jar	package name	bouncycastle	Highest
Vendor	jar	package name	cmp	Highest
Vendor	jar	package name	cms	Highest
Vendor	jar	package name	crmf	Highest
Vendor	jar	package name	eac	Highest
Vendor	jar	package name	ocsp	Highest
Vendor	jar	package name	pkcs	Highest
Vendor	jar	package name	pkix	Highest
Vendor	jar	package name	tsp	Highest
Vendor	Manifest	application-library-allowable-codebase	*	Low
Vendor	Manifest	application-name	Bouncy Castle PKIX API	Medium
Vendor	Manifest	automatic-module-name	org.bouncycastle.pkix	Medium
Vendor	Manifest	bundle-requiredexecutionenvironment	J2SE-1.5	Low
Vendor	Manifest	bundle-symbolicname	bcpkix	Medium
Vendor	Manifest	caller-allowable-codebase	*	Low
Vendor	Manifest	codebase	*	Low
Vendor	Manifest	extension-name	org.bouncycastle.bcpkix	Medium
Vendor	Manifest	Implementation-Vendor	BouncyCastle.org	High
Vendor	Manifest	Implementation-Vendor-Id	org.bouncycastle	Medium
Vendor	Manifest	multi-release	true	Low
Vendor	Manifest	originally-created-by	25.342-b07 (Private Build)	Low
Vendor	Manifest	permissions	all-permissions	Low
Vendor	Manifest	specification-vendor	BouncyCastle.org	Low
Vendor	Manifest	trusted-library	true	Low
Vendor	pom	artifactid	bcpkix-jdk18on	Highest
Vendor	pom	artifactid	bcpkix-jdk18on	Low
Vendor	pom	developer email	feedback-crypto@bouncycastle.org	Low
Vendor	pom	developer id	feedback-crypto	Medium
Vendor	pom	developer name	The Legion of the Bouncy Castle Inc.	Medium
Vendor	pom	groupid	org.bouncycastle	Highest
Vendor	pom	name	Bouncy Castle PKIX, CMS, EAC, TSP, PKCS, OCSP, CMP, and CRMF APIs	High
Vendor	pom	url	https://www.bouncycastle.org/java.html	Highest
Product	file	name	bcpkix-jdk18on	High
Product	jar	package name	bouncycastle	Highest
Product	jar	package name	cmp	Highest
Product	jar	package name	cms	Highest
Product	jar	package name	crmf	Highest
Product	jar	package name	eac	Highest
Product	jar	package name	ocsp	Highest
Product	jar	package name	pkcs	Highest
Product	jar	package name	pkix	Highest
Product	jar	package name	tsp	Highest
Product	Manifest	application-library-allowable-codebase	*	Low
Product	Manifest	application-name	Bouncy Castle PKIX API	Medium
Product	Manifest	automatic-module-name	org.bouncycastle.pkix	Medium
Product	Manifest	Bundle-Name	bcpkix	Medium
Product	Manifest	bundle-requiredexecutionenvironment	J2SE-1.5	Low
Product	Manifest	bundle-symbolicname	bcpkix	Medium
Product	Manifest	caller-allowable-codebase	*	Low
Product	Manifest	codebase	*	Low
Product	Manifest	extension-name	org.bouncycastle.bcpkix	Medium
Product	Manifest	multi-release	true	Low
Product	Manifest	originally-created-by	25.342-b07 (Private Build)	Low
Product	Manifest	permissions	all-permissions	Low
Product	Manifest	trusted-library	true	Low
Product	pom	artifactid	bcpkix-jdk18on	Highest
Product	pom	developer email	feedback-crypto@bouncycastle.org	Low
Product	pom	developer id	feedback-crypto	Low
Product	pom	developer name	The Legion of the Bouncy Castle Inc.	Low
Product	pom	groupid	org.bouncycastle	Highest
Product	pom	name	Bouncy Castle PKIX, CMS, EAC, TSP, PKCS, OCSP, CMP, and CRMF APIs	High
Product	pom	url	https://www.bouncycastle.org/java.html	Medium
Version	file	version	1.72	High
Version	Manifest	Bundle-Version	1.72	High
Version	pom	version	1.72	Highest

Identifiers

pkg:maven/org.bouncycastle/bcpkix-jdk18on@1.72 (Confidence:High)
cpe:2.3:a:bouncycastle:legion-of-the-bouncy-castle:1.72:*:*:*:*:*:*:* (Confidence:Low)

Description:

The Bouncy Castle Crypto package is a Java implementation of cryptographic algorithms. This jar contains JCE provider and lightweight API for the Bouncy Castle Cryptography APIs for JDK 1.8 and up.

License:

Bouncy Castle Licence: https://www.bouncycastle.org/licence.html

File Path: /home/grprdist/.m2/repository/org/bouncycastle/bcprov-jdk18on/1.72/bcprov-jdk18on-1.72.jar
MD5: eb4ed3b81359fb50a828723a4a9ab0b6
SHA1: d8dc62c28a3497d29c93fee3e71c00b27dff41b4
SHA256:39287f2208a753db419f5ca529d6c80f094614aa74d790331126b3c9c6b85fda
Referenced In Project/Scope:Grouper Google Apps Provisioner:provided

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	bcprov-jdk18on	High
Vendor	jar	package name	bouncycastle	Highest
Vendor	jar	package name	crypto	Highest
Vendor	jar	package name	jce	Highest
Vendor	jar	package name	org	Highest
Vendor	jar	package name	provider	Highest
Vendor	Manifest	application-library-allowable-codebase	*	Low
Vendor	Manifest	application-name	Bouncy Castle Provider	Medium
Vendor	Manifest	automatic-module-name	org.bouncycastle.provider	Medium
Vendor	Manifest	bundle-requiredexecutionenvironment	J2SE-1.5	Low
Vendor	Manifest	bundle-symbolicname	bcprov	Medium
Vendor	Manifest	caller-allowable-codebase	*	Low
Vendor	Manifest	codebase	*	Low
Vendor	Manifest	extension-name	org.bouncycastle.bcprovider	Medium
Vendor	Manifest	Implementation-Vendor	BouncyCastle.org	High
Vendor	Manifest	Implementation-Vendor-Id	org.bouncycastle	Medium
Vendor	Manifest	multi-release	true	Low
Vendor	Manifest	originally-created-by	25.342-b07 (Private Build)	Low
Vendor	Manifest	permissions	all-permissions	Low
Vendor	Manifest	specification-vendor	BouncyCastle.org	Low
Vendor	Manifest	trusted-library	true	Low
Vendor	pom	artifactid	bcprov-jdk18on	Highest
Vendor	pom	artifactid	bcprov-jdk18on	Low
Vendor	pom	developer email	feedback-crypto@bouncycastle.org	Low
Vendor	pom	developer id	feedback-crypto	Medium
Vendor	pom	developer name	The Legion of the Bouncy Castle Inc.	Medium
Vendor	pom	groupid	org.bouncycastle	Highest
Vendor	pom	name	Bouncy Castle Provider	High
Vendor	pom	url	https://www.bouncycastle.org/java.html	Highest
Product	file	name	bcprov-jdk18on	High
Product	hint analyzer	product	legion-of-the-bouncy-castle-java-crytography-api	High
Product	hint analyzer	product	the_bouncy_castle_crypto_package_for_java	High
Product	jar	package name	bouncycastle	Highest
Product	jar	package name	crypto	Highest
Product	jar	package name	jce	Highest
Product	jar	package name	org	Highest
Product	jar	package name	provider	Highest
Product	Manifest	application-library-allowable-codebase	*	Low
Product	Manifest	application-name	Bouncy Castle Provider	Medium
Product	Manifest	automatic-module-name	org.bouncycastle.provider	Medium
Product	Manifest	Bundle-Name	bcprov	Medium
Product	Manifest	bundle-requiredexecutionenvironment	J2SE-1.5	Low
Product	Manifest	bundle-symbolicname	bcprov	Medium
Product	Manifest	caller-allowable-codebase	*	Low
Product	Manifest	codebase	*	Low
Product	Manifest	extension-name	org.bouncycastle.bcprovider	Medium
Product	Manifest	multi-release	true	Low
Product	Manifest	originally-created-by	25.342-b07 (Private Build)	Low
Product	Manifest	permissions	all-permissions	Low
Product	Manifest	trusted-library	true	Low
Product	pom	artifactid	bcprov-jdk18on	Highest
Product	pom	developer email	feedback-crypto@bouncycastle.org	Low
Product	pom	developer id	feedback-crypto	Low
Product	pom	developer name	The Legion of the Bouncy Castle Inc.	Low
Product	pom	groupid	org.bouncycastle	Highest
Product	pom	name	Bouncy Castle Provider	High
Product	pom	url	https://www.bouncycastle.org/java.html	Medium
Version	file	version	1.72	High
Version	Manifest	Bundle-Version	1.72	High
Version	pom	version	1.72	Highest

Identifiers

pkg:maven/org.bouncycastle/bcprov-jdk18on@1.72 (Confidence:High)
cpe:2.3:a:bouncycastle:bouncy-castle-crypto-package:1.72:*:*:*:*:*:*:* (Confidence:Low)
cpe:2.3:a:bouncycastle:bouncy_castle_crypto_package:1.72:*:*:*:*:*:*:* (Confidence:Low)
cpe:2.3:a:bouncycastle:legion-of-the-bouncy-castle:1.72:*:*:*:*:*:*:* (Confidence:Low)
cpe:2.3:a:bouncycastle:legion-of-the-bouncy-castle-java-crytography-api:1.72:*:*:*:*:*:*:* (Confidence:Low)
cpe:2.3:a:bouncycastle:the_bouncy_castle_crypto_package_for_java:1.72:*:*:*:*:*:*:* (Confidence:Low)

Published Vulnerabilities

CVE-2023-33201 (OSSINDEX)

Bouncy Castle For Java before 1.74 is affected by an LDAP injection vulnerability. The vulnerability only affects applications that use an LDAP CertStore from Bouncy Castle to validate X.509 certificates. During the certificate validation process, Bouncy Castle inserts the certificate's Subject Name into an LDAP search filter without any escaping, which leads to an LDAP injection vulnerability.

CWE-295 Improper Certificate Validation

CVSSv2:

Base Score: MEDIUM (5.3)
Vector: /AV:N/AC:L/Au:/C:L/I:N/A:N

References:

OSSINDEX - [CVE-2023-33201] CWE-295: Improper Certificate Validation
OSSIndex - http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-33201
OSSIndex - https://github.com/bcgit/bc-java/wiki/CVE-2023-33201

Vulnerable Software & Versions (OSSINDEX):

cpe:2.3:a:org.bouncycastle:bcprov-jdk18on:1.72:*:*:*:*:*:*:*

Description:

The Bouncy Castle Java APIs for ASN.1 extension and utility APIs used to support bcpkix and bctls. This jar contains APIs for JDK 1.8 and up.

License:

Bouncy Castle Licence: https://www.bouncycastle.org/licence.html

File Path: /home/grprdist/.m2/repository/org/bouncycastle/bcutil-jdk18on/1.72/bcutil-jdk18on-1.72.jar
MD5: cade3651656670f716a430c4e3899d93
SHA1: 41f19a69ada3b06fa48781120d8bebe1ba955c77
SHA256:45377fdb6560a971eea725f507d91fd6b8fbd0797d61bfc86f2cb653c58186a4
Referenced In Project/Scope:Grouper Google Apps Provisioner:provided

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	bcutil-jdk18on	High
Vendor	jar	package name	bouncycastle	Highest
Vendor	Manifest	application-library-allowable-codebase	*	Low
Vendor	Manifest	application-name	Bouncy Castle Utility APIs	Medium
Vendor	Manifest	automatic-module-name	org.bouncycastle.util	Medium
Vendor	Manifest	bundle-requiredexecutionenvironment	J2SE-1.5	Low
Vendor	Manifest	bundle-symbolicname	bcutil	Medium
Vendor	Manifest	caller-allowable-codebase	*	Low
Vendor	Manifest	codebase	*	Low
Vendor	Manifest	extension-name	org.bouncycastle.bcutil	Medium
Vendor	Manifest	Implementation-Vendor	BouncyCastle.org	High
Vendor	Manifest	Implementation-Vendor-Id	org.bouncycastle	Medium
Vendor	Manifest	multi-release	true	Low
Vendor	Manifest	originally-created-by	25.342-b07 (Private Build)	Low
Vendor	Manifest	permissions	all-permissions	Low
Vendor	Manifest	specification-vendor	BouncyCastle.org	Low
Vendor	Manifest	trusted-library	true	Low
Vendor	pom	artifactid	bcutil-jdk18on	Highest
Vendor	pom	artifactid	bcutil-jdk18on	Low
Vendor	pom	developer email	feedback-crypto@bouncycastle.org	Low
Vendor	pom	developer id	feedback-crypto	Medium
Vendor	pom	developer name	The Legion of the Bouncy Castle Inc.	Medium
Vendor	pom	groupid	org.bouncycastle	Highest
Vendor	pom	name	Bouncy Castle ASN.1 Extension and Utility APIs	High
Vendor	pom	url	https://www.bouncycastle.org/java.html	Highest
Product	file	name	bcutil-jdk18on	High
Product	jar	package name	bouncycastle	Highest
Product	Manifest	application-library-allowable-codebase	*	Low
Product	Manifest	application-name	Bouncy Castle Utility APIs	Medium
Product	Manifest	automatic-module-name	org.bouncycastle.util	Medium
Product	Manifest	Bundle-Name	bcutil	Medium
Product	Manifest	bundle-requiredexecutionenvironment	J2SE-1.5	Low
Product	Manifest	bundle-symbolicname	bcutil	Medium
Product	Manifest	caller-allowable-codebase	*	Low
Product	Manifest	codebase	*	Low
Product	Manifest	extension-name	org.bouncycastle.bcutil	Medium
Product	Manifest	multi-release	true	Low
Product	Manifest	originally-created-by	25.342-b07 (Private Build)	Low
Product	Manifest	permissions	all-permissions	Low
Product	Manifest	trusted-library	true	Low
Product	pom	artifactid	bcutil-jdk18on	Highest
Product	pom	developer email	feedback-crypto@bouncycastle.org	Low
Product	pom	developer id	feedback-crypto	Low
Product	pom	developer name	The Legion of the Bouncy Castle Inc.	Low
Product	pom	groupid	org.bouncycastle	Highest
Product	pom	name	Bouncy Castle ASN.1 Extension and Utility APIs	High
Product	pom	url	https://www.bouncycastle.org/java.html	Medium
Version	file	version	1.72	High
Version	Manifest	Bundle-Version	1.72	High
Version	pom	version	1.72	Highest

Identifiers

pkg:maven/org.bouncycastle/bcutil-jdk18on@1.72 (Confidence:High)
cpe:2.3:a:bouncycastle:legion-of-the-bouncy-castle:1.72:*:*:*:*:*:*:* (Confidence:Low)

Description:

BeanShell is a small, free, embeddable Java source interpreter with object scripting language features,
        written in Java. BeanShell dynamically executes standard Java syntax and extends it with common scripting
        conveniences such as loose types, commands, and method closures like those in Perl and JavaScript.

License:

GNU LESSER GENERAL PUBLIC LICENSE: http://www.gnu.org/copyleft/lesser.html

File Path: /home/grprdist/.m2/repository/org/beanshell/bsh/2.0b5/bsh-2.0b5.jar
MD5: 02f72336919d06a8491e82346e10b4d5
SHA1: fdc2ab6ae8b53e0d4761b296c116df747cd85199
SHA256:6232199563807354b3bcb5aceb3dc136502f022c6b0ef743987a83f66fee5a5c
Referenced In Project/Scope:Grouper Google Apps Provisioner:provided

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	bsh	High
Vendor	hint analyzer	vendor	beanshell_project	Highest
Vendor	jar	package name	bsh	Highest
Vendor	jar	package name	interpreter	Highest
Vendor	jar	package name	org	Highest
Vendor	Manifest	Implementation-Vendor	Pat Niemeyer (pat@pat.net)	High
Vendor	Manifest	specification-vendor	http://www.beanshell.org/	Low
Vendor	pom	artifactid	bsh	Highest
Vendor	pom	artifactid	bsh	Low
Vendor	pom	developer id	pat	Medium
Vendor	pom	developer name	Pat Niemeyer	Medium
Vendor	pom	groupid	org.beanshell	Highest
Vendor	pom	name	BeanShell	High
Vendor	pom	url	http://www.beanshell.org/	Highest
Product	file	name	bsh	High
Product	hint analyzer	product	beanshell	Highest
Product	jar	package name	bsh	Highest
Product	jar	package name	interpreter	Highest
Product	jar	package name	org	Highest
Product	Manifest	specification-title	BeanShell	Medium
Product	pom	artifactid	bsh	Highest
Product	pom	developer id	pat	Low
Product	pom	developer name	Pat Niemeyer	Low
Product	pom	groupid	org.beanshell	Highest
Product	pom	name	BeanShell	High
Product	pom	url	http://www.beanshell.org/	Medium
Version	pom	version	2.0b5	Highest

Identifiers

pkg:maven/org.beanshell/bsh@2.0b5 (Confidence:High)
cpe:2.3:a:beanshell:beanshell:2.0:b5:*:*:*:*:*:* (Confidence:Highest)

Published Vulnerabilities

CVE-2016-2510

BeanShell (bsh) before 2.0b6, when included on the classpath by an application that uses Java serialization or XStream, allows remote attackers to execute arbitrary code via crafted serialized data, related to XThis.Handler.

CWE-19 Data Processing Errors

CVSSv2:

Base Score: MEDIUM (6.8)
Vector: /AV:N/AC:M/Au:N/C:P/I:P/A:P

CVSSv3:

Base Score: HIGH (8.1)
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

References:

BID - 84139
CONFIRM - https://github.com/beanshell/beanshell/commit/1ccc66bb693d4e46a34a904db8eeff07808d2ced
CONFIRM - https://github.com/beanshell/beanshell/commit/7c68fde2d6fc65e362f20863d868c112a90a9b49
CONFIRM - https://github.com/beanshell/beanshell/releases/tag/2.0b6
DEBIAN - DSA-3504
GENTOO - GLSA-201607-17
MISC - https://github.com/frohoff/ysoserial/pull/13
MISC - https://www.oracle.com/security-alerts/cpuoct2020.html
MISC - https://www.rsaconference.com/writable/presentations/file_upload/asd-f03-serial-killer-silently-pwning-your-java-endpoints.pdf
OSSINDEX - [CVE-2016-2510] CWE-19
OSSIndex - http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-2510
OSSIndex - https://github.com/beanshell/beanshell/releases/tag/2.0b6
REDHAT - RHSA-2016:0539
REDHAT - RHSA-2016:0540
REDHAT - RHSA-2016:1135
REDHAT - RHSA-2016:1376
REDHAT - RHSA-2016:2035
REDHAT - RHSA-2019:1545
SECTRACK - 1035440
SUSE - openSUSE-SU-2016:0788
SUSE - openSUSE-SU-2016:0833
UBUNTU - USN-2923-1

Vulnerable Software & Versions: (show all)

Description:

        Byte Buddy is a Java library for creating Java classes at run time.
        This artifact is a build of Byte Buddy with a remaining dependency onto ASM.
        You should never depend on this module without repackaging Byte Buddy and ASM into your own namespace.

File Path: /home/grprdist/.m2/repository/net/bytebuddy/byte-buddy/1.12.9/byte-buddy-1.12.9.jar/META-INF/maven/net.bytebuddy/byte-buddy-dep/pom.xml
MD5: f252b6a3ad73a2fe8b82d4e5e252b6e7
SHA1: bd386dc86918b6f7769ad855aa2636b40b639c76
SHA256:71c523053fd9cd841080a5bc89a4740b49f5dedd648e8de0ab064456e3113c14
Referenced In Project/Scope:Grouper Google Apps Provisioner:provided

Evidence

Type	Source	Name	Value	Confidence
Vendor	pom	artifactid	byte-buddy-dep	Low
Vendor	pom	groupid	net.bytebuddy	Highest
Vendor	pom	name	Byte Buddy (with dependencies)	High
Vendor	pom	parent-artifactid	byte-buddy-parent	Low
Product	pom	artifactid	byte-buddy-dep	Highest
Product	pom	groupid	net.bytebuddy	Highest
Product	pom	name	Byte Buddy (with dependencies)	High
Product	pom	parent-artifactid	byte-buddy-parent	Medium
Version	pom	version	1.12.9	Highest

Identifiers

pkg:maven/net.bytebuddy/byte-buddy-dep@1.12.9 (Confidence:High)

Description:

        Byte Buddy is a Java library for creating Java classes at run time.
        This artifact is a build of Byte Buddy with all ASM dependencies repackaged into its own name space.

License:

https://www.apache.org/licenses/LICENSE-2.0.txt

File Path: /home/grprdist/.m2/repository/net/bytebuddy/byte-buddy/1.12.9/byte-buddy-1.12.9.jar
MD5: a120a37aba17a10766b9bc869f90fd2b
SHA1: 424ded9ef3496b0d997ce066f2166a4f7ec7b07a
SHA256:e305b6b5bdf8602bc5012efaa50c96b0fb922a3c60308ee1af85605b74d82710
Referenced In Project/Scope:Grouper Google Apps Provisioner:provided

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	byte-buddy	High
Vendor	jar	package name	asm	Highest
Vendor	jar	package name	build	Highest
Vendor	jar	package name	bytebuddy	Highest
Vendor	jar	package name	net	Highest
Vendor	Manifest	bundle-symbolicname	net.bytebuddy.byte-buddy	Medium
Vendor	Manifest	multi-release	true	Low
Vendor	pom	artifactid	byte-buddy	Highest
Vendor	pom	artifactid	byte-buddy	Low
Vendor	pom	groupid	net.bytebuddy	Highest
Vendor	pom	name	Byte Buddy (without dependencies)	High
Vendor	pom	parent-artifactid	byte-buddy-parent	Low
Product	file	name	byte-buddy	High
Product	jar	package name	asm	Highest
Product	jar	package name	build	Highest
Product	jar	package name	bytebuddy	Highest
Product	jar	package name	net	Highest
Product	Manifest	Bundle-Name	Byte Buddy (without dependencies)	Medium
Product	Manifest	bundle-symbolicname	net.bytebuddy.byte-buddy	Medium
Product	Manifest	multi-release	true	Low
Product	pom	artifactid	byte-buddy	Highest
Product	pom	groupid	net.bytebuddy	Highest
Product	pom	name	Byte Buddy (without dependencies)	High
Product	pom	parent-artifactid	byte-buddy-parent	Medium
Version	file	version	1.12.9	High
Version	Manifest	Bundle-Version	1.12.9	High
Version	pom	version	1.12.9	Highest

Identifiers

pkg:maven/net.bytebuddy/byte-buddy@1.12.9 (Confidence:High)

Description:

a JDBC Connection pooling / Statement caching library

License:

GNU Lesser General Public License, Version 2.1: http://www.gnu.org/licenses/lgpl-2.1.html
Eclipse Public License, Version 1.0: http://www.eclipse.org/org/documents/epl-v10.php

File Path: /home/grprdist/.m2/repository/com/mchange/c3p0/0.9.5.4/c3p0-0.9.5.4.jar
MD5: 45fd4a89c9fd671a0d1dc97c0ec77abe
SHA1: a21a1d37ae0b59efce99671544f51c34ed1e8def
SHA256:60cf2906cd6ad6771f514a3e848b74b3e3da99c1806f2a63c38e2dd8da5ef11f
Referenced In Project/Scope:Grouper Google Apps Provisioner:provided

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	c3p0	High
Vendor	jar	package name	c3p0	Highest
Vendor	jar	package name	mchange	Highest
Vendor	jar	package name	v2	Highest
Vendor	Manifest	extension-name	com.mchange.v2.c3p0	Medium
Vendor	Manifest	Implementation-Vendor	Machinery For Change, Inc.	High
Vendor	Manifest	Implementation-Vendor-Id	com.mchange	Medium
Vendor	Manifest	specification-vendor	Machinery For Change, Inc.	Low
Vendor	pom	artifactid	c3p0	Highest
Vendor	pom	artifactid	c3p0	Low
Vendor	pom	developer email	swaldman@mchange.com	Low
Vendor	pom	developer id	swaldman	Medium
Vendor	pom	developer name	Steve Waldman	Medium
Vendor	pom	groupid	com.mchange	Highest
Vendor	pom	name	c3p0	High
Vendor	pom	url	swaldman/c3p0	Highest
Product	file	name	c3p0	High
Product	jar	package name	c3p0	Highest
Product	jar	package name	mchange	Highest
Product	jar	package name	v2	Highest
Product	Manifest	extension-name	com.mchange.v2.c3p0	Medium
Product	pom	artifactid	c3p0	Highest
Product	pom	developer email	swaldman@mchange.com	Low
Product	pom	developer id	swaldman	Low
Product	pom	developer name	Steve Waldman	Low
Product	pom	groupid	com.mchange	Highest
Product	pom	name	c3p0	High
Product	pom	url	swaldman/c3p0	High
Version	file	version	0.9.5.4	High
Version	Manifest	Implementation-Version	0.9.5.4	High
Version	pom	version	0.9.5.4	Highest

Identifiers

pkg:maven/com.mchange/c3p0@0.9.5.4 (Confidence:High)
cpe:2.3:a:mchange:c3p0:0.9.5.4:*:*:*:*:*:*:* (Confidence:Highest)

Description:

a JDBC Connection pooling / Statement caching library

License:

GNU Lesser General Public License, Version 2.1: http://www.gnu.org/licenses/lgpl-2.1.html
Eclipse Public License, Version 1.0: http://www.eclipse.org/org/documents/epl-v10.php

File Path: /home/grprdist/.m2/repository/com/google/code/maven-play-plugin/com/mchange/c3p0-oracle-thin-extras/0.9.5/c3p0-oracle-thin-extras-0.9.5.jar
MD5: 06b6bb3df31e56a391a5815d0f132715
SHA1: ae706b22bae360f5d360b2a5d207f804a3729ec2
SHA256:d185e4fb6a0165a39a2b85650efa18722ca9b4badef52a7701f081d9ae5ac321
Referenced In Project/Scope:Grouper Google Apps Provisioner:provided

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	c3p0-oracle-thin-extras	High
Vendor	jar	package name	c3p0	Highest
Vendor	jar	package name	c3p0	Low
Vendor	jar	package name	mchange	Highest
Vendor	jar	package name	mchange	Low
Vendor	jar	package name	v2	Low
Vendor	pom	artifactid	c3p0-oracle-thin-extras	Highest
Vendor	pom	artifactid	c3p0-oracle-thin-extras	Low
Vendor	pom	developer email	swaldman@mchange.com	Low
Vendor	pom	developer id	swaldman	Medium
Vendor	pom	developer name	Steve Waldman	Medium
Vendor	pom	groupid	com.google.code.maven-play-plugin.com.mchange	Highest
Vendor	pom	name	c3p0-oracle-thin-extras	High
Vendor	pom	url	swaldman/c3p0	Highest
Product	file	name	c3p0-oracle-thin-extras	High
Product	jar	package name	c3p0	Highest
Product	jar	package name	c3p0	Low
Product	jar	package name	dbms	Low
Product	jar	package name	mchange	Highest
Product	jar	package name	v2	Low
Product	pom	artifactid	c3p0-oracle-thin-extras	Highest
Product	pom	developer email	swaldman@mchange.com	Low
Product	pom	developer id	swaldman	Low
Product	pom	developer name	Steve Waldman	Low
Product	pom	groupid	com.google.code.maven-play-plugin.com.mchange	Highest
Product	pom	name	c3p0-oracle-thin-extras	High
Product	pom	url	swaldman/c3p0	High
Version	file	version	0.9.5	High
Version	pom	version	0.9.5	Highest

Identifiers

pkg:maven/com.google.code.maven-play-plugin.com.mchange/c3p0-oracle-thin-extras@0.9.5 (Confidence:High)
cpe:2.3:a:mchange:c3p0:0.9.5:*:*:*:*:*:*:* (Confidence:Highest)

Published Vulnerabilities

CVE-2019-5427

c3p0 version < 0.9.5.4 may be exploited by a billion laughs attack when loading XML configuration due to missing protections against recursive entity expansion when loading configuration.

CWE-776 Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')

CVSSv2:

Base Score: MEDIUM (5.0)
Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:P

CVSSv3:

Base Score: HIGH (7.5)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References:

FEDORA - FEDORA-2019-063672154a
FEDORA - FEDORA-2019-cb14e234fc
MISC - https://hackerone.com/reports/509315
MISC - https://www.oracle.com/security-alerts/cpujan2021.html
MISC - https://www.oracle.com/security-alerts/cpujul2020.html
MISC - https://www.oracle.com/security-alerts/cpuoct2020.html
MISC - https://www.oracle.com/security-alerts/cpuoct2021.html
N/A - N/A

Vulnerable Software & Versions: (show all)

File Path: /home/grprdist/.m2/repository/cglib/cglib/3.3.0/cglib-3.3.0.jar
MD5: 6ff304cc2874dd20277a8206fee5fd9a
SHA1: c956b9f9708af5901e9cf05701e9b2b1c25027cc
SHA256:9fe0c26d7464140ccdfe019ac687be1fb906122b508ab54beb810db0f09a9212
Referenced In Project/Scope:Grouper Google Apps Provisioner:provided

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	cglib	High
Vendor	jar	package name	cglib	Highest
Vendor	jar	package name	cglib	Low
Vendor	jar	package name	net	Low
Vendor	jar	package name	sf	Low
Vendor	pom	artifactid	cglib	Highest
Vendor	pom	artifactid	cglib	Low
Vendor	pom	groupid	cglib	Highest
Vendor	pom	parent-artifactid	cglib-parent	Low
Product	file	name	cglib	High
Product	jar	package name	cglib	Highest
Product	jar	package name	cglib	Low
Product	jar	package name	sf	Low
Product	pom	artifactid	cglib	Highest
Product	pom	groupid	cglib	Highest
Product	pom	parent-artifactid	cglib-parent	Medium
Version	file	version	3.3.0	High
Version	pom	version	3.3.0	Highest

Identifiers

pkg:maven/cglib/cglib@3.3.0 (Confidence:High)

Description:

        Checker Qual is the set of annotations (qualifiers) and supporting classes
        used by the Checker Framework to type check Java source code.

        Please
        see artifact:
        org.checkerframework:checker

License:

The MIT License: http://opensource.org/licenses/MIT

File Path: /home/grprdist/.m2/repository/org/checkerframework/checker-qual/3.5.0/checker-qual-3.5.0.jar
MD5: 4464def1ed5c10f248ebfe1bccbedf1a
SHA1: 2f50520c8abea66fbd8d26e481d3aef5c673b510
SHA256:729990b3f18a95606fc2573836b6958bcdb44cb52bfbd1b7aa9c339cff35a5a4
Referenced In Project/Scope:Grouper Google Apps Provisioner:runtime

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	checker-qual	High
Vendor	jar	package name	checker	Highest
Vendor	jar	package name	checkerframework	Highest
Vendor	jar	package name	framework	Highest
Vendor	jar	package name	qual	Highest
Vendor	Manifest	automatic-module-name	org.checkerframework.checker.qual	Medium
Vendor	Manifest	bundle-symbolicname	checker-qual	Medium
Vendor	Manifest	implementation-url	https://checkerframework.org	Low
Vendor	Manifest	require-capability	osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))"	Low
Vendor	pom	artifactid	checker-qual	Highest
Vendor	pom	artifactid	checker-qual	Low
Vendor	pom	developer email	mernst@cs.washington.edu	Low
Vendor	pom	developer email	smillst@cs.washington.edu	Low
Vendor	pom	developer email	wdietl@uwaterloo.ca	Low
Vendor	pom	developer id	mernst	Medium
Vendor	pom	developer id	smillst	Medium
Vendor	pom	developer id	wmdietl	Medium
Vendor	pom	developer name	Michael Ernst	Medium
Vendor	pom	developer name	Suzanne Millstein	Medium
Vendor	pom	developer name	Werner M. Dietl	Medium
Vendor	pom	developer org	University of Washington	Medium
Vendor	pom	developer org	University of Waterloo	Medium
Vendor	pom	developer org URL	http://uwaterloo.ca/	Medium
Vendor	pom	developer org URL	https://www.cs.washington.edu/	Medium
Vendor	pom	developer org URL	https://www.cs.washington.edu/research/plse/	Medium
Vendor	pom	groupid	org.checkerframework	Highest
Vendor	pom	name	Checker Qual	High
Vendor	pom	url	https://checkerframework.org	Highest
Product	file	name	checker-qual	High
Product	jar	package name	checker	Highest
Product	jar	package name	checkerframework	Highest
Product	jar	package name	framework	Highest
Product	jar	package name	qual	Highest
Product	Manifest	automatic-module-name	org.checkerframework.checker.qual	Medium
Product	Manifest	Bundle-Name	checker-qual	Medium
Product	Manifest	bundle-symbolicname	checker-qual	Medium
Product	Manifest	implementation-url	https://checkerframework.org	Low
Product	Manifest	require-capability	osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))"	Low
Product	pom	artifactid	checker-qual	Highest
Product	pom	developer email	mernst@cs.washington.edu	Low
Product	pom	developer email	smillst@cs.washington.edu	Low
Product	pom	developer email	wdietl@uwaterloo.ca	Low
Product	pom	developer id	mernst	Low
Product	pom	developer id	smillst	Low
Product	pom	developer id	wmdietl	Low
Product	pom	developer name	Michael Ernst	Low
Product	pom	developer name	Suzanne Millstein	Low
Product	pom	developer name	Werner M. Dietl	Low
Product	pom	developer org	University of Washington	Low
Product	pom	developer org	University of Waterloo	Low
Product	pom	developer org URL	http://uwaterloo.ca/	Low
Product	pom	developer org URL	https://www.cs.washington.edu/	Low
Product	pom	developer org URL	https://www.cs.washington.edu/research/plse/	Low
Product	pom	groupid	org.checkerframework	Highest
Product	pom	name	Checker Qual	High
Product	pom	url	https://checkerframework.org	Medium
Version	file	version	3.5.0	High
Version	Manifest	Bundle-Version	3.5.0	High
Version	Manifest	Implementation-Version	3.5.0	High
Version	pom	version	3.5.0	Highest

Identifiers

pkg:maven/org.checkerframework/checker-qual@3.5.0 (Confidence:High)

Description:

Library for introspecting types with full generic information
        including resolving of field and method types.

License:

Apache License, Version 2.0: https://www.apache.org/licenses/LICENSE-2.0.txt

File Path: /home/grprdist/.m2/repository/com/fasterxml/classmate/1.5.1/classmate-1.5.1.jar
MD5: e91fcd30ba329fd1b0b6dc5321fd067c
SHA1: 3fe0bed568c62df5e89f4f174c101eab25345b6c
SHA256:aab4de3006808c09d25dd4ff4a3611cfb63c95463cfd99e73d2e1680d229a33b
Referenced In Project/Scope:Grouper Google Apps Provisioner:provided

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	classmate	High
Vendor	jar	package name	classmate	Highest
Vendor	jar	package name	fasterxml	Highest
Vendor	jar	package name	types	Highest
Vendor	Manifest	automatic-module-name	com.fasterxml.classmate	Medium
Vendor	Manifest	bundle-docurl	https://github.com/FasterXML/java-classmate	Low
Vendor	Manifest	bundle-symbolicname	com.fasterxml.classmate	Medium
Vendor	Manifest	implementation-build-date	2019-10-19 22:46:35+0000	Low
Vendor	Manifest	Implementation-Vendor	fasterxml.com	High
Vendor	Manifest	Implementation-Vendor-Id	com.fasterxml	Medium
Vendor	Manifest	require-capability	osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.6))"	Low
Vendor	Manifest	specification-vendor	fasterxml.com	Low
Vendor	pom	artifactid	classmate	Highest
Vendor	pom	artifactid	classmate	Low
Vendor	pom	developer email	blangel@ocheyedan.net	Low
Vendor	pom	developer email	tatu@fasterxml.com	Low
Vendor	pom	developer id	blangel	Medium
Vendor	pom	developer id	tatu	Medium
Vendor	pom	developer name	Brian Langel	Medium
Vendor	pom	developer name	Tatu Saloranta	Medium
Vendor	pom	groupid	com.fasterxml	Highest
Vendor	pom	name	ClassMate	High
Vendor	pom	organization name	fasterxml.com	High
Vendor	pom	organization url	https://fasterxml.com	Medium
Vendor	pom	parent-artifactid	oss-parent	Low
Vendor	pom	url	FasterXML/java-classmate	Highest
Product	file	name	classmate	High
Product	jar	package name	classmate	Highest
Product	jar	package name	fasterxml	Highest
Product	jar	package name	filter	Highest
Product	jar	package name	types	Highest
Product	Manifest	automatic-module-name	com.fasterxml.classmate	Medium
Product	Manifest	bundle-docurl	https://github.com/FasterXML/java-classmate	Low
Product	Manifest	Bundle-Name	ClassMate	Medium
Product	Manifest	bundle-symbolicname	com.fasterxml.classmate	Medium
Product	Manifest	implementation-build-date	2019-10-19 22:46:35+0000	Low
Product	Manifest	Implementation-Title	ClassMate	High
Product	Manifest	require-capability	osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.6))"	Low
Product	Manifest	specification-title	ClassMate	Medium
Product	pom	artifactid	classmate	Highest
Product	pom	developer email	blangel@ocheyedan.net	Low
Product	pom	developer email	tatu@fasterxml.com	Low
Product	pom	developer id	blangel	Low
Product	pom	developer id	tatu	Low
Product	pom	developer name	Brian Langel	Low
Product	pom	developer name	Tatu Saloranta	Low
Product	pom	groupid	com.fasterxml	Highest
Product	pom	name	ClassMate	High
Product	pom	organization name	fasterxml.com	Low
Product	pom	organization url	https://fasterxml.com	Low
Product	pom	parent-artifactid	oss-parent	Medium
Product	pom	url	FasterXML/java-classmate	High
Version	file	version	1.5.1	High
Version	Manifest	Bundle-Version	1.5.1	High
Version	Manifest	Implementation-Version	1.5.1	High
Version	pom	parent-version	1.5.1	Low
Version	pom	version	1.5.1	Highest

Identifiers

pkg:maven/com.fasterxml/classmate@1.5.1 (Confidence:High)

Description:

Apache Commons BeanUtils provides an easy-to-use but flexible wrapper around reflection and introspection.

License:

https://www.apache.org/licenses/LICENSE-2.0.txt

File Path: /home/grprdist/.m2/repository/commons-beanutils/commons-beanutils/1.9.4/commons-beanutils-1.9.4.jar
MD5: 07dc532ee316fe1f2f0323e9bd2f8df4
SHA1: d52b9abcd97f38c81342bb7e7ae1eee9b73cba51
SHA256:7d938c81789028045c08c065e94be75fc280527620d5bd62b519d5838532368a
Referenced In Project/Scope:Grouper Google Apps Provisioner:provided

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	commons-beanutils	High
Vendor	jar	package name	apache	Highest
Vendor	jar	package name	beanutils	Highest
Vendor	jar	package name	commons	Highest
Vendor	Manifest	bundle-docurl	https://commons.apache.org/proper/commons-beanutils/	Low
Vendor	Manifest	bundle-symbolicname	org.apache.commons.commons-beanutils	Medium
Vendor	Manifest	implementation-build	UNKNOWN_BRANCH@r??????; 2019-07-28 22:14:44+0000	Low
Vendor	Manifest	implementation-url	https://commons.apache.org/proper/commons-beanutils/	Low
Vendor	Manifest	Implementation-Vendor	The Apache Software Foundation	High
Vendor	Manifest	Implementation-Vendor-Id	org.apache	Medium
Vendor	Manifest	require-capability	osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.6))"	Low
Vendor	Manifest	specification-vendor	The Apache Software Foundation	Low
Vendor	pom	artifactid	commons-beanutils	Highest
Vendor	pom	artifactid	commons-beanutils	Low
Vendor	pom	developer email	britter@apache.org	Low
Vendor	pom	developer email	chtompki@apache.org	Low
Vendor	pom	developer email	craigmcc@apache.org	Low
Vendor	pom	developer email	dion@apache.org	Low
Vendor	pom	developer email	epugh@apache.org	Low
Vendor	pom	developer email	geirm@apache.org	Low
Vendor	pom	developer email	ggregory@apache.org	Low
Vendor	pom	developer email	jcarman@apache.org	Low
Vendor	pom	developer email	jconlon@apache.org	Low
Vendor	pom	developer email	jstrachan@apache.org	Low
Vendor	pom	developer email	morgand@apache.org	Low
Vendor	pom	developer email	mvdb@apache.org	Low
Vendor	pom	developer email	niallp@apache.org	Low
Vendor	pom	developer email	rdonkin@apache.org	Low
Vendor	pom	developer email	rwaldhoff@apache.org	Low
Vendor	pom	developer email	sanders@apache.org	Low
Vendor	pom	developer email	scolebourne@apache.org	Low
Vendor	pom	developer email	skitching@apache.org	Low
Vendor	pom	developer email	stain@apache.org	Low
Vendor	pom	developer email	tobrien@apache.org	Low
Vendor	pom	developer email	yoavs@apache.org	Low
Vendor	pom	developer id	britter	Medium
Vendor	pom	developer id	chtompki	Medium
Vendor	pom	developer id	craigmcc	Medium
Vendor	pom	developer id	dion	Medium
Vendor	pom	developer id	epugh	Medium
Vendor	pom	developer id	geirm	Medium
Vendor	pom	developer id	ggregory	Medium
Vendor	pom	developer id	jcarman	Medium
Vendor	pom	developer id	jconlon	Medium
Vendor	pom	developer id	jstrachan	Medium
Vendor	pom	developer id	morgand	Medium
Vendor	pom	developer id	mvdb	Medium
Vendor	pom	developer id	niallp	Medium
Vendor	pom	developer id	rdonkin	Medium
Vendor	pom	developer id	rwaldhoff	Medium
Vendor	pom	developer id	sanders	Medium
Vendor	pom	developer id	scolebourne	Medium
Vendor	pom	developer id	skitching	Medium
Vendor	pom	developer id	stain	Medium
Vendor	pom	developer id	tobrien	Medium
Vendor	pom	developer id	yoavs	Medium
Vendor	pom	developer name	Benedikt Ritter	Medium
Vendor	pom	developer name	Craig McClanahan	Medium
Vendor	pom	developer name	David Eric Pugh	Medium
Vendor	pom	developer name	Dion Gillard	Medium
Vendor	pom	developer name	Gary Gregory	Medium
Vendor	pom	developer name	Geir Magnusson Jr.	Medium
Vendor	pom	developer name	James Carman	Medium
Vendor	pom	developer name	James Strachan	Medium
Vendor	pom	developer name	John E. Conlon	Medium
Vendor	pom	developer name	Martin van den Bemt	Medium
Vendor	pom	developer name	Morgan James Delagrange	Medium
Vendor	pom	developer name	Niall Pemberton	Medium
Vendor	pom	developer name	Rob Tompkins	Medium
Vendor	pom	developer name	Robert Burrell Donkin	Medium
Vendor	pom	developer name	Rodney Waldhoff	Medium
Vendor	pom	developer name	Scott Sanders	Medium
Vendor	pom	developer name	Simon Kitching	Medium
Vendor	pom	developer name	Stephen Colebourne	Medium
Vendor	pom	developer name	Stian Soiland-Reyes	Medium
Vendor	pom	developer name	Tim O'Brien	Medium
Vendor	pom	developer name	Yoav Shapira	Medium
Vendor	pom	developer org	The Apache Software Foundation	Medium
Vendor	pom	groupid	commons-beanutils	Highest
Vendor	pom	name	Apache Commons BeanUtils	High
Vendor	pom	parent-artifactid	commons-parent	Low
Vendor	pom	parent-groupid	org.apache.commons	Medium
Vendor	pom	url	https://commons.apache.org/proper/commons-beanutils/	Highest
Product	file	name	commons-beanutils	High
Product	jar	package name	apache	Highest
Product	jar	package name	beanutils	Highest
Product	jar	package name	commons	Highest
Product	Manifest	bundle-docurl	https://commons.apache.org/proper/commons-beanutils/	Low
Product	Manifest	Bundle-Name	Apache Commons BeanUtils	Medium
Product	Manifest	bundle-symbolicname	org.apache.commons.commons-beanutils	Medium
Product	Manifest	implementation-build	UNKNOWN_BRANCH@r??????; 2019-07-28 22:14:44+0000	Low
Product	Manifest	Implementation-Title	Apache Commons BeanUtils	High
Product	Manifest	implementation-url	https://commons.apache.org/proper/commons-beanutils/	Low
Product	Manifest	require-capability	osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.6))"	Low
Product	Manifest	specification-title	Apache Commons BeanUtils	Medium
Product	pom	artifactid	commons-beanutils	Highest
Product	pom	developer email	britter@apache.org	Low
Product	pom	developer email	chtompki@apache.org	Low
Product	pom	developer email	craigmcc@apache.org	Low
Product	pom	developer email	dion@apache.org	Low
Product	pom	developer email	epugh@apache.org	Low
Product	pom	developer email	geirm@apache.org	Low
Product	pom	developer email	ggregory@apache.org	Low
Product	pom	developer email	jcarman@apache.org	Low
Product	pom	developer email	jconlon@apache.org	Low
Product	pom	developer email	jstrachan@apache.org	Low
Product	pom	developer email	morgand@apache.org	Low
Product	pom	developer email	mvdb@apache.org	Low
Product	pom	developer email	niallp@apache.org	Low
Product	pom	developer email	rdonkin@apache.org	Low
Product	pom	developer email	rwaldhoff@apache.org	Low
Product	pom	developer email	sanders@apache.org	Low
Product	pom	developer email	scolebourne@apache.org	Low
Product	pom	developer email	skitching@apache.org	Low
Product	pom	developer email	stain@apache.org	Low
Product	pom	developer email	tobrien@apache.org	Low
Product	pom	developer email	yoavs@apache.org	Low
Product	pom	developer id	britter	Low
Product	pom	developer id	chtompki	Low
Product	pom	developer id	craigmcc	Low
Product	pom	developer id	dion	Low
Product	pom	developer id	epugh	Low
Product	pom	developer id	geirm	Low
Product	pom	developer id	ggregory	Low
Product	pom	developer id	jcarman	Low
Product	pom	developer id	jconlon	Low
Product	pom	developer id	jstrachan	Low
Product	pom	developer id	morgand	Low
Product	pom	developer id	mvdb	Low
Product	pom	developer id	niallp	Low
Product	pom	developer id	rdonkin	Low
Product	pom	developer id	rwaldhoff	Low
Product	pom	developer id	sanders	Low
Product	pom	developer id	scolebourne	Low
Product	pom	developer id	skitching	Low
Product	pom	developer id	stain	Low
Product	pom	developer id	tobrien	Low
Product	pom	developer id	yoavs	Low
Product	pom	developer name	Benedikt Ritter	Low
Product	pom	developer name	Craig McClanahan	Low
Product	pom	developer name	David Eric Pugh	Low
Product	pom	developer name	Dion Gillard	Low
Product	pom	developer name	Gary Gregory	Low
Product	pom	developer name	Geir Magnusson Jr.	Low
Product	pom	developer name	James Carman	Low
Product	pom	developer name	James Strachan	Low
Product	pom	developer name	John E. Conlon	Low
Product	pom	developer name	Martin van den Bemt	Low
Product	pom	developer name	Morgan James Delagrange	Low
Product	pom	developer name	Niall Pemberton	Low
Product	pom	developer name	Rob Tompkins	Low
Product	pom	developer name	Robert Burrell Donkin	Low
Product	pom	developer name	Rodney Waldhoff	Low
Product	pom	developer name	Scott Sanders	Low
Product	pom	developer name	Simon Kitching	Low
Product	pom	developer name	Stephen Colebourne	Low
Product	pom	developer name	Stian Soiland-Reyes	Low
Product	pom	developer name	Tim O'Brien	Low
Product	pom	developer name	Yoav Shapira	Low
Product	pom	developer org	The Apache Software Foundation	Low
Product	pom	groupid	commons-beanutils	Highest
Product	pom	name	Apache Commons BeanUtils	High
Product	pom	parent-artifactid	commons-parent	Medium
Product	pom	parent-groupid	org.apache.commons	Medium
Product	pom	url	https://commons.apache.org/proper/commons-beanutils/	Medium
Version	file	version	1.9.4	High
Version	Manifest	Bundle-Version	1.9.4	High
Version	Manifest	Implementation-Version	1.9.4	High
Version	pom	parent-version	1.9.4	Low
Version	pom	version	1.9.4	Highest

Identifiers

pkg:maven/commons-beanutils/commons-beanutils@1.9.4 (Confidence:High)
cpe:2.3:a:apache:commons_beanutils:1.9.4:*:*:*:*:*:*:* (Confidence:Highest)
cpe:2.3:a:apache:commons_net:1.9.4:*:*:*:*:*:*:* (Confidence:Highest)

Published Vulnerabilities

CVE-2021-37533

Prior to Apache Commons Net 3.9.0, Net's FTP client trusts the host from PASV response by default. A malicious server can redirect the Commons Net code to use a different host, but the user has to connect to the malicious server in the first place. This may lead to leakage of information about services running on the private network of the client. The default in version 3.9.0 is now false to ignore such hosts, as cURL does. See https://issues.apache.org/jira/browse/NET-711.

CWE-20 Improper Input Validation

CVSSv3:

Base Score: MEDIUM (6.5)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

References:

Vulnerable Software & Versions:

cpe:2.3:a:apache:commons_net:*:*:*:*:*:*:*:* versions up to (excluding) 3.9.0

Description:

    Apache Commons CLI provides a simple API for presenting, processing and validating a command line interface.

License:

https://www.apache.org/licenses/LICENSE-2.0.txt

File Path: /home/grprdist/.m2/repository/commons-cli/commons-cli/1.4/commons-cli-1.4.jar
MD5: c966d7e03507c834d5b09b848560174e
SHA1: c51c00206bb913cd8612b24abd9fa98ae89719b1
SHA256:fd3c7c9545a9cdb2051d1f9155c4f76b1e4ac5a57304404a6eedb578ffba7328
Referenced In Project/Scope:Grouper Google Apps Provisioner:provided

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	commons-cli	High
Vendor	jar	package name	apache	Highest
Vendor	jar	package name	cli	Highest
Vendor	jar	package name	commons	Highest
Vendor	Manifest	bundle-docurl	http://commons.apache.org/proper/commons-cli/	Low
Vendor	Manifest	bundle-symbolicname	org.apache.commons.cli	Medium
Vendor	Manifest	implementation-build	tags/cli-1.4-RC1@r1786159; 2017-03-09 13:01:35+0000	Low
Vendor	Manifest	implementation-url	http://commons.apache.org/proper/commons-cli/	Low
Vendor	Manifest	Implementation-Vendor	The Apache Software Foundation	High
Vendor	Manifest	Implementation-Vendor-Id	org.apache	Medium
Vendor	Manifest	require-capability	osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.5))"	Low
Vendor	Manifest	specification-vendor	The Apache Software Foundation	Low
Vendor	pom	artifactid	commons-cli	Highest
Vendor	pom	artifactid	commons-cli	Low
Vendor	pom	developer email	bob@werken.com	Low
Vendor	pom	developer email	ebourg@apache.org	Low
Vendor	pom	developer email	jbjk@mac.com	Low
Vendor	pom	developer email	jstrachan@apache.org	Low
Vendor	pom	developer email	roxspring@imapmail.org	Low
Vendor	pom	developer email	tn@apache.org	Low
Vendor	pom	developer id	bob	Medium
Vendor	pom	developer id	ebourg	Medium
Vendor	pom	developer id	jkeyes	Medium
Vendor	pom	developer id	jstrachan	Medium
Vendor	pom	developer id	roxspring	Medium
Vendor	pom	developer id	tn	Medium
Vendor	pom	developer name	Bob McWhirter	Medium
Vendor	pom	developer name	Emmanuel Bourg	Medium
Vendor	pom	developer name	James Strachan	Medium
Vendor	pom	developer name	John Keyes	Medium
Vendor	pom	developer name	Rob Oxspring	Medium
Vendor	pom	developer name	Thomas Neidhart	Medium
Vendor	pom	developer org	Ariane Software	Medium
Vendor	pom	developer org	Indigo Stone	Medium
Vendor	pom	developer org	integral Source	Medium
Vendor	pom	developer org	SpiritSoft, Inc.	Medium
Vendor	pom	developer org	Werken	Medium
Vendor	pom	groupid	commons-cli	Highest
Vendor	pom	name	Apache Commons CLI	High
Vendor	pom	parent-artifactid	commons-parent	Low
Vendor	pom	parent-groupid	org.apache.commons	Medium
Vendor	pom	url	http://commons.apache.org/proper/commons-cli/	Highest
Product	file	name	commons-cli	High
Product	jar	package name	apache	Highest
Product	jar	package name	cli	Highest
Product	jar	package name	commons	Highest
Product	Manifest	bundle-docurl	http://commons.apache.org/proper/commons-cli/	Low
Product	Manifest	Bundle-Name	Apache Commons CLI	Medium
Product	Manifest	bundle-symbolicname	org.apache.commons.cli	Medium
Product	Manifest	implementation-build	tags/cli-1.4-RC1@r1786159; 2017-03-09 13:01:35+0000	Low
Product	Manifest	Implementation-Title	Apache Commons CLI	High
Product	Manifest	implementation-url	http://commons.apache.org/proper/commons-cli/	Low
Product	Manifest	require-capability	osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.5))"	Low
Product	Manifest	specification-title	Apache Commons CLI	Medium
Product	pom	artifactid	commons-cli	Highest
Product	pom	developer email	bob@werken.com	Low
Product	pom	developer email	ebourg@apache.org	Low
Product	pom	developer email	jbjk@mac.com	Low
Product	pom	developer email	jstrachan@apache.org	Low
Product	pom	developer email	roxspring@imapmail.org	Low
Product	pom	developer email	tn@apache.org	Low
Product	pom	developer id	bob	Low
Product	pom	developer id	ebourg	Low
Product	pom	developer id	jkeyes	Low
Product	pom	developer id	jstrachan	Low
Product	pom	developer id	roxspring	Low
Product	pom	developer id	tn	Low
Product	pom	developer name	Bob McWhirter	Low
Product	pom	developer name	Emmanuel Bourg	Low
Product	pom	developer name	James Strachan	Low
Product	pom	developer name	John Keyes	Low
Product	pom	developer name	Rob Oxspring	Low
Product	pom	developer name	Thomas Neidhart	Low
Product	pom	developer org	Ariane Software	Low
Product	pom	developer org	Indigo Stone	Low
Product	pom	developer org	integral Source	Low
Product	pom	developer org	SpiritSoft, Inc.	Low
Product	pom	developer org	Werken	Low
Product	pom	groupid	commons-cli	Highest
Product	pom	name	Apache Commons CLI	High
Product	pom	parent-artifactid	commons-parent	Medium
Product	pom	parent-groupid	org.apache.commons	Medium
Product	pom	url	http://commons.apache.org/proper/commons-cli/	Medium
Version	file	version	1.4	High
Version	Manifest	Implementation-Version	1.4	High
Version	pom	parent-version	1.4	Low
Version	pom	version	1.4	Highest

Identifiers

pkg:maven/commons-cli/commons-cli@1.4 (Confidence:High)
cpe:2.3:a:apache:commons_net:1.4:*:*:*:*:*:*:* (Confidence:Highest)

Published Vulnerabilities

CVE-2021-37533

Prior to Apache Commons Net 3.9.0, Net's FTP client trusts the host from PASV response by default. A malicious server can redirect the Commons Net code to use a different host, but the user has to connect to the malicious server in the first place. This may lead to leakage of information about services running on the private network of the client. The default in version 3.9.0 is now false to ignore such hosts, as cURL does. See https://issues.apache.org/jira/browse/NET-711.

CWE-20 Improper Input Validation

CVSSv3:

Base Score: MEDIUM (6.5)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

References:

Vulnerable Software & Versions:

cpe:2.3:a:apache:commons_net:*:*:*:*:*:*:*:* versions up to (excluding) 3.9.0

Description:

     The Apache Commons Codec package contains simple encoder and decoders for
     various formats such as Base64 and Hexadecimal.  In addition to these
     widely used encoders and decoders, the codec package also maintains a
     collection of phonetic encoding utilities.

License:

https://www.apache.org/licenses/LICENSE-2.0.txt

File Path: /home/grprdist/.m2/repository/commons-codec/commons-codec/1.15/commons-codec-1.15.jar
MD5: 303baf002ce6d382198090aedd9d79a2
SHA1: 49d94806b6e3dc933dacbd8acb0fdbab8ebd1e5d
SHA256:b3e9f6d63a790109bf0d056611fbed1cf69055826defeb9894a71369d246ed63
Referenced In Project/Scope:Grouper Google Apps Provisioner:compile

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	commons-codec	High
Vendor	jar	package name	apache	Highest
Vendor	jar	package name	codec	Highest
Vendor	jar	package name	commons	Highest
Vendor	jar	package name	encoder	Highest
Vendor	Manifest	automatic-module-name	org.apache.commons.codec	Medium
Vendor	Manifest	build-jdk-spec	1.8	Low
Vendor	Manifest	bundle-docurl	https://commons.apache.org/proper/commons-codec/	Low
Vendor	Manifest	bundle-symbolicname	org.apache.commons.commons-codec	Medium
Vendor	Manifest	Implementation-Vendor	The Apache Software Foundation	High
Vendor	Manifest	require-capability	osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.7))"	Low
Vendor	Manifest	specification-vendor	The Apache Software Foundation	Low
Vendor	pom	artifactid	commons-codec	Highest
Vendor	pom	artifactid	commons-codec	Low
Vendor	pom	developer email	bayard@apache.org	Low
Vendor	pom	developer email	chtompki@apache.org	Low
Vendor	pom	developer email	dgraham@apache.org	Low
Vendor	pom	developer email	dlr@finemaltcoding.com	Low
Vendor	pom	developer email	ggregory@apache.org	Low
Vendor	pom	developer email	jon@collab.net	Low
Vendor	pom	developer email	julius@apache.org	Low
Vendor	pom	developer email	rwaldhoff@apache.org	Low
Vendor	pom	developer email	sanders@totalsync.com	Low
Vendor	pom	developer email	tn@apache.org	Low
Vendor	pom	developer email	tobrien@apache.org	Low
Vendor	pom	developer id	bayard	Medium
Vendor	pom	developer id	chtompki	Medium
Vendor	pom	developer id	dgraham	Medium
Vendor	pom	developer id	dlr	Medium
Vendor	pom	developer id	ggregory	Medium
Vendor	pom	developer id	jon	Medium
Vendor	pom	developer id	julius	Medium
Vendor	pom	developer id	rwaldhoff	Medium
Vendor	pom	developer id	sanders	Medium
Vendor	pom	developer id	tn	Medium
Vendor	pom	developer id	tobrien	Medium
Vendor	pom	developer name	Daniel Rall	Medium
Vendor	pom	developer name	David Graham	Medium
Vendor	pom	developer name	Gary Gregory	Medium
Vendor	pom	developer name	Henri Yandell	Medium
Vendor	pom	developer name	Jon S. Stevens	Medium
Vendor	pom	developer name	Julius Davies	Medium
Vendor	pom	developer name	Rob Tompkins	Medium
Vendor	pom	developer name	Rodney Waldhoff	Medium
Vendor	pom	developer name	Scott Sanders	Medium
Vendor	pom	developer name	Thomas Neidhart	Medium
Vendor	pom	developer name	Tim OBrien	Medium
Vendor	pom	developer org URL	http://juliusdavies.ca/	Medium
Vendor	pom	groupid	commons-codec	Highest
Vendor	pom	name	Apache Commons Codec	High
Vendor	pom	parent-artifactid	commons-parent	Low
Vendor	pom	parent-groupid	org.apache.commons	Medium
Vendor	pom	url	https://commons.apache.org/proper/commons-codec/	Highest
Product	file	name	commons-codec	High
Product	jar	package name	apache	Highest
Product	jar	package name	codec	Highest
Product	jar	package name	commons	Highest
Product	jar	package name	encoder	Highest
Product	Manifest	automatic-module-name	org.apache.commons.codec	Medium
Product	Manifest	build-jdk-spec	1.8	Low
Product	Manifest	bundle-docurl	https://commons.apache.org/proper/commons-codec/	Low
Product	Manifest	Bundle-Name	Apache Commons Codec	Medium
Product	Manifest	bundle-symbolicname	org.apache.commons.commons-codec	Medium
Product	Manifest	Implementation-Title	Apache Commons Codec	High
Product	Manifest	require-capability	osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.7))"	Low
Product	Manifest	specification-title	Apache Commons Codec	Medium
Product	pom	artifactid	commons-codec	Highest
Product	pom	developer email	bayard@apache.org	Low
Product	pom	developer email	chtompki@apache.org	Low
Product	pom	developer email	dgraham@apache.org	Low
Product	pom	developer email	dlr@finemaltcoding.com	Low
Product	pom	developer email	ggregory@apache.org	Low
Product	pom	developer email	jon@collab.net	Low
Product	pom	developer email	julius@apache.org	Low
Product	pom	developer email	rwaldhoff@apache.org	Low
Product	pom	developer email	sanders@totalsync.com	Low
Product	pom	developer email	tn@apache.org	Low
Product	pom	developer email	tobrien@apache.org	Low
Product	pom	developer id	bayard	Low
Product	pom	developer id	chtompki	Low
Product	pom	developer id	dgraham	Low
Product	pom	developer id	dlr	Low
Product	pom	developer id	ggregory	Low
Product	pom	developer id	jon	Low
Product	pom	developer id	julius	Low
Product	pom	developer id	rwaldhoff	Low
Product	pom	developer id	sanders	Low
Product	pom	developer id	tn	Low
Product	pom	developer id	tobrien	Low
Product	pom	developer name	Daniel Rall	Low
Product	pom	developer name	David Graham	Low
Product	pom	developer name	Gary Gregory	Low
Product	pom	developer name	Henri Yandell	Low
Product	pom	developer name	Jon S. Stevens	Low
Product	pom	developer name	Julius Davies	Low
Product	pom	developer name	Rob Tompkins	Low
Product	pom	developer name	Rodney Waldhoff	Low
Product	pom	developer name	Scott Sanders	Low
Product	pom	developer name	Thomas Neidhart	Low
Product	pom	developer name	Tim OBrien	Low
Product	pom	developer org URL	http://juliusdavies.ca/	Low
Product	pom	groupid	commons-codec	Highest
Product	pom	name	Apache Commons Codec	High
Product	pom	parent-artifactid	commons-parent	Medium
Product	pom	parent-groupid	org.apache.commons	Medium
Product	pom	url	https://commons.apache.org/proper/commons-codec/	Medium
Version	file	version	1.15	High
Version	Manifest	Implementation-Version	1.15	High
Version	pom	parent-version	1.15	Low
Version	pom	version	1.15	Highest

Identifiers

pkg:maven/commons-codec/commons-codec@1.15 (Confidence:High)
cpe:2.3:a:apache:commons_net:1.15:*:*:*:*:*:*:* (Confidence:Highest)

Published Vulnerabilities

CVE-2021-37533

Prior to Apache Commons Net 3.9.0, Net's FTP client trusts the host from PASV response by default. A malicious server can redirect the Commons Net code to use a different host, but the user has to connect to the malicious server in the first place. This may lead to leakage of information about services running on the private network of the client. The default in version 3.9.0 is now false to ignore such hosts, as cURL does. See https://issues.apache.org/jira/browse/NET-711.

CWE-20 Improper Input Validation

CVSSv3:

Base Score: MEDIUM (6.5)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

References:

Vulnerable Software & Versions:

cpe:2.3:a:apache:commons_net:*:*:*:*:*:*:*:* versions up to (excluding) 3.9.0

Description:

Types that extend and augment the Java Collections Framework.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt

File Path: /home/grprdist/.m2/repository/commons-collections/commons-collections/3.2.2/commons-collections-3.2.2.jar
MD5: f54a8510f834a1a57166970bfc982e94
SHA1: 8ad72fe39fa8c91eaaf12aadb21e0c3661fe26d5
SHA256:eeeae917917144a68a741d4c0dff66aa5c5c5fd85593ff217bced3fc8ca783b8
Referenced In Project/Scope:Grouper Google Apps Provisioner:provided

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	commons-collections	High
Vendor	jar	package name	apache	Highest
Vendor	jar	package name	collections	Highest
Vendor	jar	package name	commons	Highest
Vendor	Manifest	bundle-docurl	http://commons.apache.org/collections/	Low
Vendor	Manifest	bundle-symbolicname	org.apache.commons.collections	Medium
Vendor	Manifest	implementation-build	tags/COLLECTIONS_3_2_2_RC3@r1714131; 2015-11-13 00:09:45+0100	Low
Vendor	Manifest	implementation-url	http://commons.apache.org/collections/	Low
Vendor	Manifest	Implementation-Vendor	The Apache Software Foundation	High
Vendor	Manifest	Implementation-Vendor-Id	org.apache	Medium
Vendor	Manifest	require-capability	osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.3))"	Low
Vendor	Manifest	specification-vendor	The Apache Software Foundation	Low
Vendor	pom	artifactid	commons-collections	Highest
Vendor	pom	artifactid	commons-collections	Low
Vendor	pom	developer id	amamment	Medium
Vendor	pom	developer id	bayard	Medium
Vendor	pom	developer id	craigmcc	Medium
Vendor	pom	developer id	geirm	Medium
Vendor	pom	developer id	jcarman	Medium
Vendor	pom	developer id	matth	Medium
Vendor	pom	developer id	morgand	Medium
Vendor	pom	developer id	psteitz	Medium
Vendor	pom	developer id	rdonkin	Medium
Vendor	pom	developer id	rwaldhoff	Medium
Vendor	pom	developer id	scolebourne	Medium
Vendor	pom	developer name	Arun M. Thomas	Medium
Vendor	pom	developer name	Craig McClanahan	Medium
Vendor	pom	developer name	Geir Magnusson	Medium
Vendor	pom	developer name	Henri Yandell	Medium
Vendor	pom	developer name	James Carman	Medium
Vendor	pom	developer name	Matthew Hawthorne	Medium
Vendor	pom	developer name	Morgan Delagrange	Medium
Vendor	pom	developer name	Phil Steitz	Medium
Vendor	pom	developer name	Robert Burrell Donkin	Medium
Vendor	pom	developer name	Rodney Waldhoff	Medium
Vendor	pom	developer name	Stephen Colebourne	Medium
Vendor	pom	groupid	commons-collections	Highest
Vendor	pom	name	Apache Commons Collections	High
Vendor	pom	parent-artifactid	commons-parent	Low
Vendor	pom	parent-groupid	org.apache.commons	Medium
Vendor	pom	url	http://commons.apache.org/collections/	Highest
Product	file	name	commons-collections	High
Product	jar	package name	apache	Highest
Product	jar	package name	collections	Highest
Product	jar	package name	commons	Highest
Product	Manifest	bundle-docurl	http://commons.apache.org/collections/	Low
Product	Manifest	Bundle-Name	Apache Commons Collections	Medium
Product	Manifest	bundle-symbolicname	org.apache.commons.collections	Medium
Product	Manifest	implementation-build	tags/COLLECTIONS_3_2_2_RC3@r1714131; 2015-11-13 00:09:45+0100	Low
Product	Manifest	Implementation-Title	Apache Commons Collections	High
Product	Manifest	implementation-url	http://commons.apache.org/collections/	Low
Product	Manifest	require-capability	osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.3))"	Low
Product	Manifest	specification-title	Apache Commons Collections	Medium
Product	pom	artifactid	commons-collections	Highest
Product	pom	developer id	amamment	Low
Product	pom	developer id	bayard	Low
Product	pom	developer id	craigmcc	Low
Product	pom	developer id	geirm	Low
Product	pom	developer id	jcarman	Low
Product	pom	developer id	matth	Low
Product	pom	developer id	morgand	Low
Product	pom	developer id	psteitz	Low
Product	pom	developer id	rdonkin	Low
Product	pom	developer id	rwaldhoff	Low
Product	pom	developer id	scolebourne	Low
Product	pom	developer name	Arun M. Thomas	Low
Product	pom	developer name	Craig McClanahan	Low
Product	pom	developer name	Geir Magnusson	Low
Product	pom	developer name	Henri Yandell	Low
Product	pom	developer name	James Carman	Low
Product	pom	developer name	Matthew Hawthorne	Low
Product	pom	developer name	Morgan Delagrange	Low
Product	pom	developer name	Phil Steitz	Low
Product	pom	developer name	Robert Burrell Donkin	Low
Product	pom	developer name	Rodney Waldhoff	Low
Product	pom	developer name	Stephen Colebourne	Low
Product	pom	groupid	commons-collections	Highest
Product	pom	name	Apache Commons Collections	High
Product	pom	parent-artifactid	commons-parent	Medium
Product	pom	parent-groupid	org.apache.commons	Medium
Product	pom	url	http://commons.apache.org/collections/	Medium
Version	file	version	3.2.2	High
Version	Manifest	Bundle-Version	3.2.2	High
Version	Manifest	Implementation-Version	3.2.2	High
Version	pom	parent-version	3.2.2	Low
Version	pom	version	3.2.2	Highest

Identifiers

pkg:maven/commons-collections/commons-collections@3.2.2 (Confidence:High)
cpe:2.3:a:apache:commons_collections:3.2.2:*:*:*:*:*:*:* (Confidence:Highest)
cpe:2.3:a:apache:commons_net:3.2.2:*:*:*:*:*:*:* (Confidence:Highest)

Published Vulnerabilities

CVE-2021-37533

Prior to Apache Commons Net 3.9.0, Net's FTP client trusts the host from PASV response by default. A malicious server can redirect the Commons Net code to use a different host, but the user has to connect to the malicious server in the first place. This may lead to leakage of information about services running on the private network of the client. The default in version 3.9.0 is now false to ignore such hosts, as cURL does. See https://issues.apache.org/jira/browse/NET-711.

CWE-20 Improper Input Validation

CVSSv3:

Base Score: MEDIUM (6.5)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

References:

Vulnerable Software & Versions:

cpe:2.3:a:apache:commons_net:*:*:*:*:*:*:*:* versions up to (excluding) 3.9.0

Description:

The Apache Commons CSV library provides a simple interface for reading and writing
CSV files of various types.

License:

https://www.apache.org/licenses/LICENSE-2.0.txt

File Path: /home/grprdist/.m2/repository/org/apache/commons/commons-csv/1.6/commons-csv-1.6.jar
MD5: 6a0c53855ceb8fb376635e9a05fb8cb6
SHA1: 22b3c2f901af973a8ec4f24e80c8c0c77a600b79
SHA256:7d1560fe2c3564128f2ff3f7c0fc9f0666738aa0e704f3d78b8954f9e0ec3adf
Referenced In Project/Scope:Grouper Google Apps Provisioner:provided

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	commons-csv	High
Vendor	jar	package name	apache	Highest
Vendor	jar	package name	commons	Highest
Vendor	jar	package name	csv	Highest
Vendor	Manifest	bundle-docurl	http://commons.apache.org/proper/commons-csv/	Low
Vendor	Manifest	bundle-symbolicname	org.apache.commons.csv	Medium
Vendor	Manifest	implementation-build	release@r2596fdeebcab53fe459c481990bf1dec838128a5; 2018-09-19 11:49:19+0000	Low
Vendor	Manifest	implementation-url	http://commons.apache.org/proper/commons-csv/	Low
Vendor	Manifest	Implementation-Vendor	The Apache Software Foundation	High
Vendor	Manifest	Implementation-Vendor-Id	org.apache	Medium
Vendor	Manifest	require-capability	osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.7))"	Low
Vendor	Manifest	specification-vendor	The Apache Software Foundation	Low
Vendor	pom	artifactid	commons-csv	Highest
Vendor	pom	artifactid	commons-csv	Low
Vendor	pom	developer email	bayard@apache.org	Low
Vendor	pom	developer email	britter@apache.org	Low
Vendor	pom	developer email	chtompki@apache.org	Low
Vendor	pom	developer email	ebourg@apache.org	Low
Vendor	pom	developer email	ggregory@apache.org	Low
Vendor	pom	developer email	mvdb@apache.org	Low
Vendor	pom	developer email	yonik@apache.org	Low
Vendor	pom	developer id	bayard	Medium
Vendor	pom	developer id	britter	Medium
Vendor	pom	developer id	chtompki	Medium
Vendor	pom	developer id	ebourg	Medium
Vendor	pom	developer id	ggregory	Medium
Vendor	pom	developer id	mvdb	Medium
Vendor	pom	developer id	yonik	Medium
Vendor	pom	developer name	Benedikt Ritter	Medium
Vendor	pom	developer name	Emmanuel Bourg	Medium
Vendor	pom	developer name	Gary Gregory	Medium
Vendor	pom	developer name	Henri Yandell	Medium
Vendor	pom	developer name	Martin van den Bemt	Medium
Vendor	pom	developer name	Rob Tompkins	Medium
Vendor	pom	developer name	Yonik Seeley	Medium
Vendor	pom	developer org	Apache	Medium
Vendor	pom	developer org	The Apache Software Foundation	Medium
Vendor	pom	groupid	org.apache.commons	Highest
Vendor	pom	name	Apache Commons CSV	High
Vendor	pom	parent-artifactid	commons-parent	Low
Vendor	pom	url	http://commons.apache.org/proper/commons-csv/	Highest
Product	file	name	commons-csv	High
Product	jar	package name	apache	Highest
Product	jar	package name	commons	Highest
Product	jar	package name	csv	Highest
Product	Manifest	bundle-docurl	http://commons.apache.org/proper/commons-csv/	Low
Product	Manifest	Bundle-Name	Apache Commons CSV	Medium
Product	Manifest	bundle-symbolicname	org.apache.commons.csv	Medium
Product	Manifest	implementation-build	release@r2596fdeebcab53fe459c481990bf1dec838128a5; 2018-09-19 11:49:19+0000	Low
Product	Manifest	Implementation-Title	Apache Commons CSV	High
Product	Manifest	implementation-url	http://commons.apache.org/proper/commons-csv/	Low
Product	Manifest	require-capability	osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.7))"	Low
Product	Manifest	specification-title	Apache Commons CSV	Medium
Product	pom	artifactid	commons-csv	Highest
Product	pom	developer email	bayard@apache.org	Low
Product	pom	developer email	britter@apache.org	Low
Product	pom	developer email	chtompki@apache.org	Low
Product	pom	developer email	ebourg@apache.org	Low
Product	pom	developer email	ggregory@apache.org	Low
Product	pom	developer email	mvdb@apache.org	Low
Product	pom	developer email	yonik@apache.org	Low
Product	pom	developer id	bayard	Low
Product	pom	developer id	britter	Low
Product	pom	developer id	chtompki	Low
Product	pom	developer id	ebourg	Low
Product	pom	developer id	ggregory	Low
Product	pom	developer id	mvdb	Low
Product	pom	developer id	yonik	Low
Product	pom	developer name	Benedikt Ritter	Low
Product	pom	developer name	Emmanuel Bourg	Low
Product	pom	developer name	Gary Gregory	Low
Product	pom	developer name	Henri Yandell	Low
Product	pom	developer name	Martin van den Bemt	Low
Product	pom	developer name	Rob Tompkins	Low
Product	pom	developer name	Yonik Seeley	Low
Product	pom	developer org	Apache	Low
Product	pom	developer org	The Apache Software Foundation	Low
Product	pom	groupid	org.apache.commons	Highest
Product	pom	name	Apache Commons CSV	High
Product	pom	parent-artifactid	commons-parent	Medium
Product	pom	url	http://commons.apache.org/proper/commons-csv/	Medium
Version	file	version	1.6	High
Version	Manifest	Implementation-Version	1.6	High
Version	pom	parent-version	1.6	Low
Version	pom	version	1.6	Highest

Identifiers

pkg:maven/org.apache.commons/commons-csv@1.6 (Confidence:High)
cpe:2.3:a:apache:commons_net:1.6:*:*:*:*:*:*:* (Confidence:Highest)

Published Vulnerabilities

CVE-2021-37533

Prior to Apache Commons Net 3.9.0, Net's FTP client trusts the host from PASV response by default. A malicious server can redirect the Commons Net code to use a different host, but the user has to connect to the malicious server in the first place. This may lead to leakage of information about services running on the private network of the client. The default in version 3.9.0 is now false to ignore such hosts, as cURL does. See https://issues.apache.org/jira/browse/NET-711.

CWE-20 Improper Input Validation

CVSSv3:

Base Score: MEDIUM (6.5)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

References:

Vulnerable Software & Versions:

cpe:2.3:a:apache:commons_net:*:*:*:*:*:*:*:* versions up to (excluding) 3.9.0

Description:

Commons Database Connection Pooling

License:

http://www.apache.org/licenses/LICENSE-2.0.txt

File Path: /home/grprdist/.m2/repository/commons-dbcp/commons-dbcp/1.4/commons-dbcp-1.4.jar
MD5: b004158fab904f37f5831860898b3cd9
SHA1: 30be73c965cc990b153a100aaaaafcf239f82d39
SHA256:a6e2d83551d0e5b59aa942359f3010d35e79365e6552ad3dbaa6776e4851e4f6
Referenced In Project/Scope:Grouper Google Apps Provisioner:provided

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	commons-dbcp	High
Vendor	jar	package name	apache	Highest
Vendor	jar	package name	commons	Highest
Vendor	jar	package name	dbcp	Highest
Vendor	Manifest	bundle-docurl	http://commons.apache.org/dbcp/	Low
Vendor	Manifest	bundle-symbolicname	org.apache.commons.dbcp	Medium
Vendor	Manifest	Implementation-Vendor	The Apache Software Foundation	High
Vendor	Manifest	Implementation-Vendor-Id	org.apache	Medium
Vendor	Manifest	specification-vendor	The Apache Software Foundation	Low
Vendor	pom	artifactid	commons-dbcp	Highest
Vendor	pom	artifactid	commons-dbcp	Low
Vendor	pom	developer email	joerg.schaible@gmx.de	Low
Vendor	pom	developer email	markt@apache.org	Low
Vendor	pom	developer email	mpoeschl@marmot.at	Low
Vendor	pom	developer email	yoavs@apache.org	Low
Vendor	pom	developer id	craigmcc	Medium
Vendor	pom	developer id	dirkv	Medium
Vendor	pom	developer id	dweinr1	Medium
Vendor	pom	developer id	geirm	Medium
Vendor	pom	developer id	jmcnally	Medium
Vendor	pom	developer id	joehni	Medium
Vendor	pom	developer id	markt	Medium
Vendor	pom	developer id	morgand	Medium
Vendor	pom	developer id	mpoeschl	Medium
Vendor	pom	developer id	psteitz	Medium
Vendor	pom	developer id	rwaldhoff	Medium
Vendor	pom	developer id	yoavs	Medium
Vendor	pom	developer name	Craig McClanahan	Medium
Vendor	pom	developer name	David Weinrich	Medium
Vendor	pom	developer name	Dirk Verbeeck	Medium
Vendor	pom	developer name	Geir Magnusson	Medium
Vendor	pom	developer name	Jörg Schaible	Medium
Vendor	pom	developer name	John McNally	Medium
Vendor	pom	developer name	Mark Thomas	Medium
Vendor	pom	developer name	Martin Poeschl	Medium
Vendor	pom	developer name	Morgan Delagrange	Medium
Vendor	pom	developer name	Phil Steitz	Medium
Vendor	pom	developer name	Rodney Waldhoff	Medium
Vendor	pom	developer name	Yoav Shapira	Medium
Vendor	pom	developer org	Apache Software Foundation	Medium
Vendor	pom	developer org	tucana.at	Medium
Vendor	pom	groupid	commons-dbcp	Highest
Vendor	pom	name	Commons DBCP	High
Vendor	pom	parent-artifactid	commons-parent	Low
Vendor	pom	parent-groupid	org.apache.commons	Medium
Vendor	pom	url	http://commons.apache.org/dbcp/	Highest
Product	file	name	commons-dbcp	High
Product	jar	package name	apache	Highest
Product	jar	package name	commons	Highest
Product	jar	package name	dbcp	Highest
Product	Manifest	bundle-docurl	http://commons.apache.org/dbcp/	Low
Product	Manifest	Bundle-Name	Commons DBCP	Medium
Product	Manifest	bundle-symbolicname	org.apache.commons.dbcp	Medium
Product	Manifest	Implementation-Title	Commons DBCP	High
Product	Manifest	specification-title	Commons DBCP	Medium
Product	pom	artifactid	commons-dbcp	Highest
Product	pom	developer email	joerg.schaible@gmx.de	Low
Product	pom	developer email	markt@apache.org	Low
Product	pom	developer email	mpoeschl@marmot.at	Low
Product	pom	developer email	yoavs@apache.org	Low
Product	pom	developer id	craigmcc	Low
Product	pom	developer id	dirkv	Low
Product	pom	developer id	dweinr1	Low
Product	pom	developer id	geirm	Low
Product	pom	developer id	jmcnally	Low
Product	pom	developer id	joehni	Low
Product	pom	developer id	markt	Low
Product	pom	developer id	morgand	Low
Product	pom	developer id	mpoeschl	Low
Product	pom	developer id	psteitz	Low
Product	pom	developer id	rwaldhoff	Low
Product	pom	developer id	yoavs	Low
Product	pom	developer name	Craig McClanahan	Low
Product	pom	developer name	David Weinrich	Low
Product	pom	developer name	Dirk Verbeeck	Low
Product	pom	developer name	Geir Magnusson	Low
Product	pom	developer name	Jörg Schaible	Low
Product	pom	developer name	John McNally	Low
Product	pom	developer name	Mark Thomas	Low
Product	pom	developer name	Martin Poeschl	Low
Product	pom	developer name	Morgan Delagrange	Low
Product	pom	developer name	Phil Steitz	Low
Product	pom	developer name	Rodney Waldhoff	Low
Product	pom	developer name	Yoav Shapira	Low
Product	pom	developer org	Apache Software Foundation	Low
Product	pom	developer org	tucana.at	Low
Product	pom	groupid	commons-dbcp	Highest
Product	pom	name	Commons DBCP	High
Product	pom	parent-artifactid	commons-parent	Medium
Product	pom	parent-groupid	org.apache.commons	Medium
Product	pom	url	http://commons.apache.org/dbcp/	Medium
Version	file	version	1.4	High
Version	Manifest	Bundle-Version	1.4	High
Version	Manifest	Implementation-Version	1.4	High
Version	pom	parent-version	1.4	Low
Version	pom	version	1.4	Highest

Identifiers

pkg:maven/commons-dbcp/commons-dbcp@1.4 (Confidence:High)
cpe:2.3:a:apache:commons_net:1.4:*:*:*:*:*:*:* (Confidence:Highest)

Published Vulnerabilities

CVE-2021-37533

Prior to Apache Commons Net 3.9.0, Net's FTP client trusts the host from PASV response by default. A malicious server can redirect the Commons Net code to use a different host, but the user has to connect to the malicious server in the first place. This may lead to leakage of information about services running on the private network of the client. The default in version 3.9.0 is now false to ignore such hosts, as cURL does. See https://issues.apache.org/jira/browse/NET-711.

CWE-20 Improper Input Validation

CVSSv3:

Base Score: MEDIUM (6.5)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

References:

Vulnerable Software & Versions:

cpe:2.3:a:apache:commons_net:*:*:*:*:*:*:*:* versions up to (excluding) 3.9.0

Description:

    The Digester package lets you configure an XML to Java object mapping module
    which triggers certain actions called rules whenever a particular 
    pattern of nested XML elements is recognized.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt

File Path: /home/grprdist/.m2/repository/commons-digester/commons-digester/2.1/commons-digester-2.1.jar
MD5: 528445033f22da28f5047b6abcd1c7c9
SHA1: 73a8001e7a54a255eef0f03521ec1805dc738ca0
SHA256:e0b2b980a84fc6533c5ce291f1917b32c507f62bcad64198fff44368c2196a3d
Referenced In Project/Scope:Grouper Google Apps Provisioner:provided

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	commons-digester	High
Vendor	jar	package name	apache	Highest
Vendor	jar	package name	commons	Highest
Vendor	jar	package name	digester	Highest
Vendor	jar	package name	rules	Highest
Vendor	Manifest	bundle-docurl	http://commons.apache.org/digester/	Low
Vendor	Manifest	bundle-symbolicname	org.apache.commons.digester	Medium
Vendor	Manifest	Implementation-Vendor	The Apache Software Foundation	High
Vendor	Manifest	Implementation-Vendor-Id	org.apache	Medium
Vendor	Manifest	specification-vendor	The Apache Software Foundation	Low
Vendor	pom	artifactid	commons-digester	Highest
Vendor	pom	artifactid	commons-digester	Low
Vendor	pom	developer email	craigmcc@apache.org	Low
Vendor	pom	developer email	jfarcand@apache.org	Low
Vendor	pom	developer email	jstrachan@apache.org	Low
Vendor	pom	developer email	jvanzyl@apache.org	Low
Vendor	pom	developer email	rahul AT apache DOT org	Low
Vendor	pom	developer email	rdonkin@apache.org	Low
Vendor	pom	developer email	sanders@totalsync.com	Low
Vendor	pom	developer email	simonetripodi AT apache DOT org	Low
Vendor	pom	developer email	skitching@apache.org	Low
Vendor	pom	developer email	tobrien@apache.org	Low
Vendor	pom	developer id	craigmcc	Medium
Vendor	pom	developer id	jfarcand	Medium
Vendor	pom	developer id	jstrachan	Medium
Vendor	pom	developer id	jvanzyl	Medium
Vendor	pom	developer id	rahul	Medium
Vendor	pom	developer id	rdonkin	Medium
Vendor	pom	developer id	sanders	Medium
Vendor	pom	developer id	simonetripodi	Medium
Vendor	pom	developer id	skitching	Medium
Vendor	pom	developer id	tobrien	Medium
Vendor	pom	developer name	Craig McClanahan	Medium
Vendor	pom	developer name	James Strachan	Medium
Vendor	pom	developer name	Jason van Zyl	Medium
Vendor	pom	developer name	Jean-Francois Arcand	Medium
Vendor	pom	developer name	Rahul Akolkar	Medium
Vendor	pom	developer name	Robert Burrell Donkin	Medium
Vendor	pom	developer name	Scott Sanders	Medium
Vendor	pom	developer name	Simon Kitching	Medium
Vendor	pom	developer name	Simone Tripodi	Medium
Vendor	pom	developer name	Tim OBrien	Medium
Vendor	pom	groupid	commons-digester	Highest
Vendor	pom	name	Commons Digester	High
Vendor	pom	parent-artifactid	commons-parent	Low
Vendor	pom	parent-groupid	org.apache.commons	Medium
Vendor	pom	url	http://commons.apache.org/digester/	Highest
Product	file	name	commons-digester	High
Product	jar	package name	apache	Highest
Product	jar	package name	commons	Highest
Product	jar	package name	digester	Highest
Product	jar	package name	rules	Highest
Product	Manifest	bundle-docurl	http://commons.apache.org/digester/	Low
Product	Manifest	Bundle-Name	Commons Digester	Medium
Product	Manifest	bundle-symbolicname	org.apache.commons.digester	Medium
Product	Manifest	Implementation-Title	Commons Digester	High
Product	Manifest	specification-title	Commons Digester	Medium
Product	pom	artifactid	commons-digester	Highest
Product	pom	developer email	craigmcc@apache.org	Low
Product	pom	developer email	jfarcand@apache.org	Low
Product	pom	developer email	jstrachan@apache.org	Low
Product	pom	developer email	jvanzyl@apache.org	Low
Product	pom	developer email	rahul AT apache DOT org	Low
Product	pom	developer email	rdonkin@apache.org	Low
Product	pom	developer email	sanders@totalsync.com	Low
Product	pom	developer email	simonetripodi AT apache DOT org	Low
Product	pom	developer email	skitching@apache.org	Low
Product	pom	developer email	tobrien@apache.org	Low
Product	pom	developer id	craigmcc	Low
Product	pom	developer id	jfarcand	Low
Product	pom	developer id	jstrachan	Low
Product	pom	developer id	jvanzyl	Low
Product	pom	developer id	rahul	Low
Product	pom	developer id	rdonkin	Low
Product	pom	developer id	sanders	Low
Product	pom	developer id	simonetripodi	Low
Product	pom	developer id	skitching	Low
Product	pom	developer id	tobrien	Low
Product	pom	developer name	Craig McClanahan	Low
Product	pom	developer name	James Strachan	Low
Product	pom	developer name	Jason van Zyl	Low
Product	pom	developer name	Jean-Francois Arcand	Low
Product	pom	developer name	Rahul Akolkar	Low
Product	pom	developer name	Robert Burrell Donkin	Low
Product	pom	developer name	Scott Sanders	Low
Product	pom	developer name	Simon Kitching	Low
Product	pom	developer name	Simone Tripodi	Low
Product	pom	developer name	Tim OBrien	Low
Product	pom	groupid	commons-digester	Highest
Product	pom	name	Commons Digester	High
Product	pom	parent-artifactid	commons-parent	Medium
Product	pom	parent-groupid	org.apache.commons	Medium
Product	pom	url	http://commons.apache.org/digester/	Medium
Version	file	version	2.1	High
Version	Manifest	Bundle-Version	2.1	High
Version	Manifest	Implementation-Version	2.1	High
Version	pom	parent-version	2.1	Low
Version	pom	version	2.1	Highest

Identifiers

pkg:maven/commons-digester/commons-digester@2.1 (Confidence:High)
cpe:2.3:a:apache:commons_net:2.1:*:*:*:*:*:*:* (Confidence:Highest)

Published Vulnerabilities

CVE-2021-37533

Prior to Apache Commons Net 3.9.0, Net's FTP client trusts the host from PASV response by default. A malicious server can redirect the Commons Net code to use a different host, but the user has to connect to the malicious server in the first place. This may lead to leakage of information about services running on the private network of the client. The default in version 3.9.0 is now false to ignore such hosts, as cURL does. See https://issues.apache.org/jira/browse/NET-711.

CWE-20 Improper Input Validation

CVSSv3:

Base Score: MEDIUM (6.5)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

References:

Vulnerable Software & Versions:

cpe:2.3:a:apache:commons_net:*:*:*:*:*:*:*:* versions up to (excluding) 3.9.0

Description:

    The Apache Commons Digester package lets you configure an XML to Java
    object mapping module which triggers certain actions called rules whenever
    a particular pattern of nested XML elements is recognized.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt

File Path: /home/grprdist/.m2/repository/org/apache/commons/commons-digester3/3.2/commons-digester3-3.2.jar
MD5: 41d2c62c7aedafa7a3627794abc83f71
SHA1: c3f68c5ff25ec5204470fd8fdf4cb8feff5e8a79
SHA256:1c150e3d2df4b4237b47e28fea2079fb0da324578d5cca6a5fed2e37a62082ec
Referenced In Project/Scope:Grouper Google Apps Provisioner:provided

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	commons-digester3	High
Vendor	jar	package name	apache	Highest
Vendor	jar	package name	commons	Highest
Vendor	jar	package name	digester	Highest
Vendor	jar	package name	digester3	Highest
Vendor	jar	package name	rules	Highest
Vendor	Manifest	bundle-docurl	http://commons.apache.org/digester/	Low
Vendor	Manifest	bundle-symbolicname	org.apache.commons.digester	Medium
Vendor	Manifest	implementation-build	tags/DIGESTER3_3_2_RC2@r1212807; 2011-12-10 15:57:06+0100	Low
Vendor	Manifest	Implementation-Vendor	The Apache Software Foundation	High
Vendor	Manifest	Implementation-Vendor-Id	org.apache	Medium
Vendor	Manifest	specification-vendor	The Apache Software Foundation	Low
Vendor	pom	artifactid	commons-digester3	Highest
Vendor	pom	artifactid	commons-digester3	Low
Vendor	pom	developer email	craigmcc@apache.org	Low
Vendor	pom	developer email	jfarcand@apache.org	Low
Vendor	pom	developer email	jstrachan@apache.org	Low
Vendor	pom	developer email	jvanzyl@apache.org	Low
Vendor	pom	developer email	mbenson AT apache DOT org	Low
Vendor	pom	developer email	rahul AT apache DOT org	Low
Vendor	pom	developer email	rdonkin@apache.org	Low
Vendor	pom	developer email	sanders@totalsync.com	Low
Vendor	pom	developer email	simonetripodi AT apache DOT org	Low
Vendor	pom	developer email	skitching@apache.org	Low
Vendor	pom	developer email	tobrien@apache.org	Low
Vendor	pom	developer id	craigmcc	Medium
Vendor	pom	developer id	jfarcand	Medium
Vendor	pom	developer id	jstrachan	Medium
Vendor	pom	developer id	jvanzyl	Medium
Vendor	pom	developer id	mbenson	Medium
Vendor	pom	developer id	rahul	Medium
Vendor	pom	developer id	rdonkin	Medium
Vendor	pom	developer id	sanders	Medium
Vendor	pom	developer id	simonetripodi	Medium
Vendor	pom	developer id	skitching	Medium
Vendor	pom	developer id	tobrien	Medium
Vendor	pom	developer name	Craig McClanahan	Medium
Vendor	pom	developer name	James Strachan	Medium
Vendor	pom	developer name	Jason van Zyl	Medium
Vendor	pom	developer name	Jean-Francois Arcand	Medium
Vendor	pom	developer name	Matt Benson	Medium
Vendor	pom	developer name	Rahul Akolkar	Medium
Vendor	pom	developer name	Robert Burrell Donkin	Medium
Vendor	pom	developer name	Scott Sanders	Medium
Vendor	pom	developer name	Simon Kitching	Medium
Vendor	pom	developer name	Simone Tripodi	Medium
Vendor	pom	developer name	Tim OBrien	Medium
Vendor	pom	groupid	org.apache.commons	Highest
Vendor	pom	name	Apache Commons Digester	High
Vendor	pom	parent-artifactid	commons-parent	Low
Vendor	pom	url	http://commons.apache.org/digester/	Highest
Product	file	name	commons-digester3	High
Product	jar	package name	apache	Highest
Product	jar	package name	commons	Highest
Product	jar	package name	digester	Highest
Product	jar	package name	digester3	Highest
Product	jar	package name	rules	Highest
Product	Manifest	bundle-docurl	http://commons.apache.org/digester/	Low
Product	Manifest	Bundle-Name	Apache Commons Digester	Medium
Product	Manifest	bundle-symbolicname	org.apache.commons.digester	Medium
Product	Manifest	implementation-build	tags/DIGESTER3_3_2_RC2@r1212807; 2011-12-10 15:57:06+0100	Low
Product	Manifest	Implementation-Title	Apache Commons Digester	High
Product	Manifest	specification-title	Apache Commons Digester	Medium
Product	pom	artifactid	commons-digester3	Highest
Product	pom	developer email	craigmcc@apache.org	Low
Product	pom	developer email	jfarcand@apache.org	Low
Product	pom	developer email	jstrachan@apache.org	Low
Product	pom	developer email	jvanzyl@apache.org	Low
Product	pom	developer email	mbenson AT apache DOT org	Low
Product	pom	developer email	rahul AT apache DOT org	Low
Product	pom	developer email	rdonkin@apache.org	Low
Product	pom	developer email	sanders@totalsync.com	Low
Product	pom	developer email	simonetripodi AT apache DOT org	Low
Product	pom	developer email	skitching@apache.org	Low
Product	pom	developer email	tobrien@apache.org	Low
Product	pom	developer id	craigmcc	Low
Product	pom	developer id	jfarcand	Low
Product	pom	developer id	jstrachan	Low
Product	pom	developer id	jvanzyl	Low
Product	pom	developer id	mbenson	Low
Product	pom	developer id	rahul	Low
Product	pom	developer id	rdonkin	Low
Product	pom	developer id	sanders	Low
Product	pom	developer id	simonetripodi	Low
Product	pom	developer id	skitching	Low
Product	pom	developer id	tobrien	Low
Product	pom	developer name	Craig McClanahan	Low
Product	pom	developer name	James Strachan	Low
Product	pom	developer name	Jason van Zyl	Low
Product	pom	developer name	Jean-Francois Arcand	Low
Product	pom	developer name	Matt Benson	Low
Product	pom	developer name	Rahul Akolkar	Low
Product	pom	developer name	Robert Burrell Donkin	Low
Product	pom	developer name	Scott Sanders	Low
Product	pom	developer name	Simon Kitching	Low
Product	pom	developer name	Simone Tripodi	Low
Product	pom	developer name	Tim OBrien	Low
Product	pom	groupid	org.apache.commons	Highest
Product	pom	name	Apache Commons Digester	High
Product	pom	parent-artifactid	commons-parent	Medium
Product	pom	url	http://commons.apache.org/digester/	Medium
Version	file	version	3.2	High
Version	Manifest	Implementation-Version	3.2	High
Version	pom	parent-version	3.2	Low
Version	pom	version	3.2	Highest

Identifiers

pkg:maven/org.apache.commons/commons-digester3@3.2 (Confidence:High)
cpe:2.3:a:apache:commons_net:3.2:*:*:*:*:*:*:* (Confidence:Highest)

Published Vulnerabilities

CVE-2021-37533

Prior to Apache Commons Net 3.9.0, Net's FTP client trusts the host from PASV response by default. A malicious server can redirect the Commons Net code to use a different host, but the user has to connect to the malicious server in the first place. This may lead to leakage of information about services running on the private network of the client. The default in version 3.9.0 is now false to ignore such hosts, as cURL does. See https://issues.apache.org/jira/browse/NET-711.

CWE-20 Improper Input Validation

CVSSv3:

Base Score: MEDIUM (6.5)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

References:

Vulnerable Software & Versions:

cpe:2.3:a:apache:commons_net:*:*:*:*:*:*:*:* versions up to (excluding) 3.9.0

Description:

Apache Commons Exec is a library to reliably execute external processes from within the JVM.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt

File Path: /home/grprdist/.m2/repository/org/apache/commons/commons-exec/1.3/commons-exec-1.3.jar
MD5: 8bb8fa2edfd60d5c7ed6bf9923d14aa8
SHA1: 8dfb9facd0830a27b1b5f29f84593f0aeee7773b
SHA256:cb49812dc1bfb0ea4f20f398bcae1a88c6406e213e67f7524fb10d4f8ad9347b
Referenced In Project/Scope:Grouper Google Apps Provisioner:provided

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	commons-exec	High
Vendor	jar	package name	apache	Highest
Vendor	jar	package name	commons	Highest
Vendor	jar	package name	exec	Highest
Vendor	Manifest	bundle-docurl	http://commons.apache.org/proper/commons-exec/	Low
Vendor	Manifest	bundle-symbolicname	org.apache.commons.exec	Medium
Vendor	Manifest	implementation-build	trunk@r1636211; 2014-11-02 23:51:55+0000	Low
Vendor	Manifest	Implementation-Vendor	The Apache Software Foundation	High
Vendor	Manifest	Implementation-Vendor-Id	org.apache	Medium
Vendor	Manifest	require-capability	osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.5))"	Low
Vendor	Manifest	specification-vendor	The Apache Software Foundation	Low
Vendor	pom	artifactid	commons-exec	Highest
Vendor	pom	artifactid	commons-exec	Low
Vendor	pom	developer email	ggregory@apache.org	Low
Vendor	pom	developer id	brett	Medium
Vendor	pom	developer id	ggregory	Medium
Vendor	pom	developer id	sebb	Medium
Vendor	pom	developer id	sgoeschl	Medium
Vendor	pom	developer id	trygvis	Medium
Vendor	pom	developer name	Brett Porter	Medium
Vendor	pom	developer name	Gary Gregory	Medium
Vendor	pom	developer name	Sebastian Bazley	Medium
Vendor	pom	developer name	Siegfried Goeschl	Medium
Vendor	pom	developer name	Trygve Laugstøl	Medium
Vendor	pom	developer org	Apache	Medium
Vendor	pom	groupid	org.apache.commons	Highest
Vendor	pom	name	Apache Commons Exec	High
Vendor	pom	parent-artifactid	commons-parent	Low
Vendor	pom	url	http://commons.apache.org/proper/commons-exec/	Highest
Product	file	name	commons-exec	High
Product	jar	package name	apache	Highest
Product	jar	package name	commons	Highest
Product	jar	package name	exec	Highest
Product	Manifest	bundle-docurl	http://commons.apache.org/proper/commons-exec/	Low
Product	Manifest	Bundle-Name	Apache Commons Exec	Medium
Product	Manifest	bundle-symbolicname	org.apache.commons.exec	Medium
Product	Manifest	implementation-build	trunk@r1636211; 2014-11-02 23:51:55+0000	Low
Product	Manifest	Implementation-Title	Apache Commons Exec	High
Product	Manifest	require-capability	osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.5))"	Low
Product	Manifest	specification-title	Apache Commons Exec	Medium
Product	pom	artifactid	commons-exec	Highest
Product	pom	developer email	ggregory@apache.org	Low
Product	pom	developer id	brett	Low
Product	pom	developer id	ggregory	Low
Product	pom	developer id	sebb	Low
Product	pom	developer id	sgoeschl	Low
Product	pom	developer id	trygvis	Low
Product	pom	developer name	Brett Porter	Low
Product	pom	developer name	Gary Gregory	Low
Product	pom	developer name	Sebastian Bazley	Low
Product	pom	developer name	Siegfried Goeschl	Low
Product	pom	developer name	Trygve Laugstøl	Low
Product	pom	developer org	Apache	Low
Product	pom	groupid	org.apache.commons	Highest
Product	pom	name	Apache Commons Exec	High
Product	pom	parent-artifactid	commons-parent	Medium
Product	pom	url	http://commons.apache.org/proper/commons-exec/	Medium
Version	file	version	1.3	High
Version	Manifest	Implementation-Version	1.3	High
Version	pom	parent-version	1.3	Low
Version	pom	version	1.3	Highest

Identifiers

pkg:maven/org.apache.commons/commons-exec@1.3 (Confidence:High)
cpe:2.3:a:apache:commons_net:1.3:*:*:*:*:*:*:* (Confidence:Highest)

Published Vulnerabilities

CVE-2021-37533

Prior to Apache Commons Net 3.9.0, Net's FTP client trusts the host from PASV response by default. A malicious server can redirect the Commons Net code to use a different host, but the user has to connect to the malicious server in the first place. This may lead to leakage of information about services running on the private network of the client. The default in version 3.9.0 is now false to ignore such hosts, as cURL does. See https://issues.apache.org/jira/browse/NET-711.

CWE-20 Improper Input Validation

CVSSv3:

Base Score: MEDIUM (6.5)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

References:

Vulnerable Software & Versions:

cpe:2.3:a:apache:commons_net:*:*:*:*:*:*:*:* versions up to (excluding) 3.9.0

Description:

The HttpClient  component supports the client-side of RFC 1945 (HTTP/1.0)  and RFC 2616 (HTTP/1.1) , several related specifications (RFC 2109 (Cookies) , RFC 2617 (HTTP Authentication) , etc.), and provides a framework by which new request types (methods) or HTTP extensions can be created easily.

License:

Apache License: http://www.apache.org/licenses/LICENSE-2.0

File Path: /home/grprdist/.m2/repository/commons-httpclient/commons-httpclient/3.1/commons-httpclient-3.1.jar
MD5: 8ad8c9229ef2d59ab9f59f7050e846a5
SHA1: 964cd74171f427720480efdec40a7c7f6e58426a
SHA256:dbd4953d013e10e7c1cc3701a3e6ccd8c950c892f08d804fabfac21705930443
Referenced In Project/Scope:Grouper Google Apps Provisioner:provided

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	commons-httpclient	High
Vendor	jar	package name	apache	Highest
Vendor	jar	package name	commons	Highest
Vendor	jar	package name	httpclient	Highest
Vendor	jar	package name	methods	Highest
Vendor	manifest: org/apache/commons/httpclient	Implementation-Vendor	Apache Software Foundation	Medium
Vendor	pom	artifactid	commons-httpclient	Highest
Vendor	pom	artifactid	commons-httpclient	Low
Vendor	pom	developer email	adrian.sutton -at- ephox.com	Low
Vendor	pom	developer email	dion -at- apache.org	Low
Vendor	pom	developer email	jericho -at- apache.org	Low
Vendor	pom	developer email	jsdever -at- apache.org	Low
Vendor	pom	developer email	mbecke -at- apache.org	Low
Vendor	pom	developer email	oglueck -at- apache.org	Low
Vendor	pom	developer email	olegk -at- apache.org	Low
Vendor	pom	developer email	rwaldhoff -at- apache	Low
Vendor	pom	developer email	sullis -at- apache.org	Low
Vendor	pom	developer id	adrian	Medium
Vendor	pom	developer id	dion	Medium
Vendor	pom	developer id	jericho	Medium
Vendor	pom	developer id	jsdever	Medium
Vendor	pom	developer id	mbecke	Medium
Vendor	pom	developer id	oglueck	Medium
Vendor	pom	developer id	olegk	Medium
Vendor	pom	developer id	rwaldhoff	Medium
Vendor	pom	developer id	sullis	Medium
Vendor	pom	developer name	Adrian Sutton	Medium
Vendor	pom	developer name	dIon Gillard	Medium
Vendor	pom	developer name	Jeff Dever	Medium
Vendor	pom	developer name	Michael Becke	Medium
Vendor	pom	developer name	Oleg Kalnichevski	Medium
Vendor	pom	developer name	Ortwin Glueck	Medium
Vendor	pom	developer name	Rodney Waldhoff	Medium
Vendor	pom	developer name	Sean C. Sullivan	Medium
Vendor	pom	developer name	Sung-Gu	Medium
Vendor	pom	developer org	Britannica	Medium
Vendor	pom	developer org	Independent consultant	Medium
Vendor	pom	developer org	Intencha	Medium
Vendor	pom	developer org	Multitask Consulting	Medium
Vendor	pom	groupid	commons-httpclient	Highest
Vendor	pom	name	HttpClient	High
Vendor	pom	organization name	Apache Software Foundation	High
Vendor	pom	organization url	http://jakarta.apache.org/	Medium
Vendor	pom	url	http://jakarta.apache.org/httpcomponents/httpclient-3.x/	Highest
Product	file	name	commons-httpclient	High
Product	jar	package name	apache	Highest
Product	jar	package name	commons	Highest
Product	jar	package name	httpclient	Highest
Product	jar	package name	methods	Highest
Product	manifest: org/apache/commons/httpclient	Implementation-Title	org.apache.commons.httpclient	Medium
Product	manifest: org/apache/commons/httpclient	Specification-Title	Jakarta Commons HttpClient	Medium
Product	pom	artifactid	commons-httpclient	Highest
Product	pom	developer email	adrian.sutton -at- ephox.com	Low
Product	pom	developer email	dion -at- apache.org	Low
Product	pom	developer email	jericho -at- apache.org	Low
Product	pom	developer email	jsdever -at- apache.org	Low
Product	pom	developer email	mbecke -at- apache.org	Low
Product	pom	developer email	oglueck -at- apache.org	Low
Product	pom	developer email	olegk -at- apache.org	Low
Product	pom	developer email	rwaldhoff -at- apache	Low
Product	pom	developer email	sullis -at- apache.org	Low
Product	pom	developer id	adrian	Low
Product	pom	developer id	dion	Low
Product	pom	developer id	jericho	Low
Product	pom	developer id	jsdever	Low
Product	pom	developer id	mbecke	Low
Product	pom	developer id	oglueck	Low
Product	pom	developer id	olegk	Low
Product	pom	developer id	rwaldhoff	Low
Product	pom	developer id	sullis	Low
Product	pom	developer name	Adrian Sutton	Low
Product	pom	developer name	dIon Gillard	Low
Product	pom	developer name	Jeff Dever	Low
Product	pom	developer name	Michael Becke	Low
Product	pom	developer name	Oleg Kalnichevski	Low
Product	pom	developer name	Ortwin Glueck	Low
Product	pom	developer name	Rodney Waldhoff	Low
Product	pom	developer name	Sean C. Sullivan	Low
Product	pom	developer name	Sung-Gu	Low
Product	pom	developer org	Britannica	Low
Product	pom	developer org	Independent consultant	Low
Product	pom	developer org	Intencha	Low
Product	pom	developer org	Multitask Consulting	Low
Product	pom	groupid	commons-httpclient	Highest
Product	pom	name	HttpClient	High
Product	pom	organization name	Apache Software Foundation	Low
Product	pom	organization url	http://jakarta.apache.org/	Low
Product	pom	url	http://jakarta.apache.org/httpcomponents/httpclient-3.x/	Medium
Version	file	version	3.1	High
Version	manifest: org/apache/commons/httpclient	Implementation-Version	3.1	Medium
Version	pom	version	3.1	Highest

Identifiers

pkg:maven/commons-httpclient/commons-httpclient@3.1 (Confidence:High)
cpe:2.3:a:apache:commons-httpclient:3.1:*:*:*:*:*:*:* (Confidence:Highest)
cpe:2.3:a:apache:commons_net:3.1:*:*:*:*:*:*:* (Confidence:Highest)
cpe:2.3:a:apache:httpclient:3.1:*:*:*:*:*:*:* (Confidence:Highest)

Published Vulnerabilities

CVE-2021-37533

Prior to Apache Commons Net 3.9.0, Net's FTP client trusts the host from PASV response by default. A malicious server can redirect the Commons Net code to use a different host, but the user has to connect to the malicious server in the first place. This may lead to leakage of information about services running on the private network of the client. The default in version 3.9.0 is now false to ignore such hosts, as cURL does. See https://issues.apache.org/jira/browse/NET-711.

CWE-20 Improper Input Validation

CVSSv3:

Base Score: MEDIUM (6.5)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

References:

Vulnerable Software & Versions:

cpe:2.3:a:apache:commons_net:*:*:*:*:*:*:*:* versions up to (excluding) 3.9.0

CVE-2012-5783

Apache Commons HttpClient 3.x, as used in Amazon Flexible Payments Service (FPS) merchant Java SDK and other products, does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.

CWE-295 Improper Certificate Validation

CVSSv2:

Base Score: MEDIUM (5.8)
Vector: /AV:N/AC:M/Au:N/C:P/I:P/A:N

References:

BID - 58073
CONFIRM - https://issues.apache.org/jira/browse/HTTPCLIENT-1265
MISC - http://www.cs.utexas.edu/~shmat/shmat_ccs12.pdf
OSSINDEX - [CVE-2012-5783] CWE-295: Improper Certificate Validation
OSSIndex - http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-5783
OSSIndex - https://exchange.xforce.ibmcloud.com/#/vulnerabilities/79984
OSSIndex - https://issues.apache.org/jira/browse/HTTPCLIENT-613
OSSIndex - https://rhn.redhat.com/errata/RHSA-2013-0681.html
REDHAT - RHSA-2013:0270
REDHAT - RHSA-2013:0679
REDHAT - RHSA-2013:0680
REDHAT - RHSA-2013:0681
REDHAT - RHSA-2013:0682
REDHAT - RHSA-2013:1147
REDHAT - RHSA-2013:1853
REDHAT - RHSA-2014:0224
REDHAT - RHSA-2017:0868
SUSE - openSUSE-SU-2013:0354
SUSE - openSUSE-SU-2013:0622
SUSE - openSUSE-SU-2013:0623
SUSE - openSUSE-SU-2013:0638
UBUNTU - USN-2769-1
XF - apache-commons-ssl-spoofing(79984)

Vulnerable Software & Versions:

cpe:2.3:a:apache:httpclient:3.1:*:*:*:*:*:*:*

CVE-2020-13956

Apache HttpClient versions prior to version 4.5.13 and 5.0.3 can misinterpret malformed authority component in request URIs passed to the library as java.net.URI object and pick the wrong target host for request execution.

NVD-CWE-noinfo

CVSSv2:

Base Score: MEDIUM (5.0)
Vector: /AV:N/AC:L/Au:N/C:N/I:P/A:N

CVSSv3:

Base Score: MEDIUM (5.3)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

References:

Vulnerable Software & Versions: (show all)

Description:

The Apache Commons IO library contains utility classes, stream implementations, file filters,
file comparators, endian transformation classes, and much more.

License:

https://www.apache.org/licenses/LICENSE-2.0.txt

File Path: /home/grprdist/.m2/repository/commons-io/commons-io/2.11.0/commons-io-2.11.0.jar
MD5: 3b4b7ccfaeceeac240b804839ee1a1ca
SHA1: a2503f302b11ebde7ebc3df41daebe0e4eea3689
SHA256:961b2f6d87dbacc5d54abf45ab7a6e2495f89b75598962d8c723cea9bc210908
Referenced In Project/Scope:Grouper Google Apps Provisioner:provided

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	commons-io	High
Vendor	jar	package name	apache	Highest
Vendor	jar	package name	commons	Highest
Vendor	jar	package name	file	Highest
Vendor	jar	package name	io	Highest
Vendor	Manifest	automatic-module-name	org.apache.commons.io	Medium
Vendor	Manifest	build-jdk-spec	1.8	Low
Vendor	Manifest	bundle-docurl	https://commons.apache.org/proper/commons-io/	Low
Vendor	Manifest	bundle-symbolicname	org.apache.commons.commons-io	Medium
Vendor	Manifest	Implementation-Vendor	The Apache Software Foundation	High
Vendor	Manifest	require-capability	osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))"	Low
Vendor	Manifest	specification-vendor	The Apache Software Foundation	Low
Vendor	pom	artifactid	commons-io	Highest
Vendor	pom	artifactid	commons-io	Low
Vendor	pom	developer email	bayard@apache.org	Low
Vendor	pom	developer email	dion@apache.org	Low
Vendor	pom	developer email	ggregory at apache.org	Low
Vendor	pom	developer email	jeremias@apache.org	Low
Vendor	pom	developer email	jochen.wiedmann@gmail.com	Low
Vendor	pom	developer email	krosenvold@apache.org	Low
Vendor	pom	developer email	martinc@apache.org	Low
Vendor	pom	developer email	matth@apache.org	Low
Vendor	pom	developer email	nicolaken@apache.org	Low
Vendor	pom	developer email	roxspring@apache.org	Low
Vendor	pom	developer email	sanders@apache.org	Low
Vendor	pom	developer id	bayard	Medium
Vendor	pom	developer id	dion	Medium
Vendor	pom	developer id	ggregory	Medium
Vendor	pom	developer id	jeremias	Medium
Vendor	pom	developer id	jochen	Medium
Vendor	pom	developer id	jukka	Medium
Vendor	pom	developer id	krosenvold	Medium
Vendor	pom	developer id	martinc	Medium
Vendor	pom	developer id	matth	Medium
Vendor	pom	developer id	niallp	Medium
Vendor	pom	developer id	nicolaken	Medium
Vendor	pom	developer id	roxspring	Medium
Vendor	pom	developer id	sanders	Medium
Vendor	pom	developer id	scolebourne	Medium
Vendor	pom	developer name	dIon Gillard	Medium
Vendor	pom	developer name	Gary Gregory	Medium
Vendor	pom	developer name	Henri Yandell	Medium
Vendor	pom	developer name	Jeremias Maerki	Medium
Vendor	pom	developer name	Jochen Wiedmann	Medium
Vendor	pom	developer name	Jukka Zitting	Medium
Vendor	pom	developer name	Kristian Rosenvold	Medium
Vendor	pom	developer name	Martin Cooper	Medium
Vendor	pom	developer name	Matthew Hawthorne	Medium
Vendor	pom	developer name	Niall Pemberton	Medium
Vendor	pom	developer name	Nicola Ken Barozzi	Medium
Vendor	pom	developer name	Rob Oxspring	Medium
Vendor	pom	developer name	Scott Sanders	Medium
Vendor	pom	developer name	Stephen Colebourne	Medium
Vendor	pom	developer org	The Apache Software Foundation	Medium
Vendor	pom	developer org URL	https://www.apache.org/	Medium
Vendor	pom	groupid	commons-io	Highest
Vendor	pom	name	Apache Commons IO	High
Vendor	pom	parent-artifactid	commons-parent	Low
Vendor	pom	parent-groupid	org.apache.commons	Medium
Vendor	pom	url	https://commons.apache.org/proper/commons-io/	Highest
Product	file	name	commons-io	High
Product	jar	package name	apache	Highest
Product	jar	package name	commons	Highest
Product	jar	package name	file	Highest
Product	jar	package name	io	Highest
Product	Manifest	automatic-module-name	org.apache.commons.io	Medium
Product	Manifest	build-jdk-spec	1.8	Low
Product	Manifest	bundle-docurl	https://commons.apache.org/proper/commons-io/	Low
Product	Manifest	Bundle-Name	Apache Commons IO	Medium
Product	Manifest	bundle-symbolicname	org.apache.commons.commons-io	Medium
Product	Manifest	Implementation-Title	Apache Commons IO	High
Product	Manifest	require-capability	osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))"	Low
Product	Manifest	specification-title	Apache Commons IO	Medium
Product	pom	artifactid	commons-io	Highest
Product	pom	developer email	bayard@apache.org	Low
Product	pom	developer email	dion@apache.org	Low
Product	pom	developer email	ggregory at apache.org	Low
Product	pom	developer email	jeremias@apache.org	Low
Product	pom	developer email	jochen.wiedmann@gmail.com	Low
Product	pom	developer email	krosenvold@apache.org	Low
Product	pom	developer email	martinc@apache.org	Low
Product	pom	developer email	matth@apache.org	Low
Product	pom	developer email	nicolaken@apache.org	Low
Product	pom	developer email	roxspring@apache.org	Low
Product	pom	developer email	sanders@apache.org	Low
Product	pom	developer id	bayard	Low
Product	pom	developer id	dion	Low
Product	pom	developer id	ggregory	Low
Product	pom	developer id	jeremias	Low
Product	pom	developer id	jochen	Low
Product	pom	developer id	jukka	Low
Product	pom	developer id	krosenvold	Low
Product	pom	developer id	martinc	Low
Product	pom	developer id	matth	Low
Product	pom	developer id	niallp	Low
Product	pom	developer id	nicolaken	Low
Product	pom	developer id	roxspring	Low
Product	pom	developer id	sanders	Low
Product	pom	developer id	scolebourne	Low
Product	pom	developer name	dIon Gillard	Low
Product	pom	developer name	Gary Gregory	Low
Product	pom	developer name	Henri Yandell	Low
Product	pom	developer name	Jeremias Maerki	Low
Product	pom	developer name	Jochen Wiedmann	Low
Product	pom	developer name	Jukka Zitting	Low
Product	pom	developer name	Kristian Rosenvold	Low
Product	pom	developer name	Martin Cooper	Low
Product	pom	developer name	Matthew Hawthorne	Low
Product	pom	developer name	Niall Pemberton	Low
Product	pom	developer name	Nicola Ken Barozzi	Low
Product	pom	developer name	Rob Oxspring	Low
Product	pom	developer name	Scott Sanders	Low
Product	pom	developer name	Stephen Colebourne	Low
Product	pom	developer org	The Apache Software Foundation	Low
Product	pom	developer org URL	https://www.apache.org/	Low
Product	pom	groupid	commons-io	Highest
Product	pom	name	Apache Commons IO	High
Product	pom	parent-artifactid	commons-parent	Medium
Product	pom	parent-groupid	org.apache.commons	Medium
Product	pom	url	https://commons.apache.org/proper/commons-io/	Medium
Version	file	version	2.11.0	High
Version	Manifest	Bundle-Version	2.11.0	High
Version	Manifest	Implementation-Version	2.11.0	High
Version	pom	parent-version	2.11.0	Low
Version	pom	version	2.11.0	Highest

Identifiers

pkg:maven/commons-io/commons-io@2.11.0 (Confidence:High)
cpe:2.3:a:apache:commons_io:2.11.0:*:*:*:*:*:*:* (Confidence:Highest)
cpe:2.3:a:apache:commons_net:2.11.0:*:*:*:*:*:*:* (Confidence:Highest)

Published Vulnerabilities

CVE-2021-37533

Prior to Apache Commons Net 3.9.0, Net's FTP client trusts the host from PASV response by default. A malicious server can redirect the Commons Net code to use a different host, but the user has to connect to the malicious server in the first place. This may lead to leakage of information about services running on the private network of the client. The default in version 3.9.0 is now false to ignore such hosts, as cURL does. See https://issues.apache.org/jira/browse/NET-711.

CWE-20 Improper Input Validation

CVSSv3:

Base Score: MEDIUM (6.5)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

References:

Vulnerable Software & Versions:

cpe:2.3:a:apache:commons_net:*:*:*:*:*:*:*:* versions up to (excluding) 3.9.0

Description:

The Commons Jexl library is an implementation of the JSTL Expression Language with extensions.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt

File Path: /home/grprdist/.m2/repository/org/apache/commons/commons-jexl/2.1.1/commons-jexl-2.1.1.jar
MD5: 4ad8f5c161dd3a50e190334555675db9
SHA1: 6ecc181debade00230aa1e17666c4ea0371beaaa
SHA256:03c9a9fae5da78ce52c0bf24467cc37355b7e23196dff4839e2c0ff018a01306
Referenced In Project/Scope:Grouper Google Apps Provisioner:provided

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	commons-jexl	High
Vendor	jar	package name	apache	Highest
Vendor	jar	package name	commons	Highest
Vendor	jar	package name	expression	Highest
Vendor	Manifest	bundle-docurl	http://commons.apache.org/jexl/	Low
Vendor	Manifest	bundle-symbolicname	org.apache.commons.jexl	Medium
Vendor	Manifest	implementation-build	COMMONS_JEXL_2_1_1-RC1@r1220732; 2011-12-19 14:53:11+0000	Low
Vendor	Manifest	Implementation-Vendor	The Apache Software Foundation	High
Vendor	Manifest	Implementation-Vendor-Id	org.apache	Medium
Vendor	Manifest	specification-vendor	The Apache Software Foundation	Low
Vendor	pom	artifactid	commons-jexl	Highest
Vendor	pom	artifactid	commons-jexl	Low
Vendor	pom	developer email	dion AT apache DOT org	Low
Vendor	pom	developer email	geirm AT apache DOT org	Low
Vendor	pom	developer email	henrib AT apache DOT org	Low
Vendor	pom	developer email	jstrachan AT apache DOT org	Low
Vendor	pom	developer email	proyal AT apache DOT org	Low
Vendor	pom	developer email	rahul AT apache DOT org	Low
Vendor	pom	developer email	sebb AT apache DOT org	Low
Vendor	pom	developer email	tobrien AT apache DOT org	Low
Vendor	pom	developer id	dion	Medium
Vendor	pom	developer id	geirm	Medium
Vendor	pom	developer id	henrib	Medium
Vendor	pom	developer id	jstrachan	Medium
Vendor	pom	developer id	proyal	Medium
Vendor	pom	developer id	rahul	Medium
Vendor	pom	developer id	sebb	Medium
Vendor	pom	developer id	tobrien	Medium
Vendor	pom	developer name	dIon Gillard	Medium
Vendor	pom	developer name	Geir Magnusson Jr.	Medium
Vendor	pom	developer name	Henri Biestro	Medium
Vendor	pom	developer name	James Strachan	Medium
Vendor	pom	developer name	Peter Royal	Medium
Vendor	pom	developer name	Rahul Akolkar	Medium
Vendor	pom	developer name	Sebastian Bazley	Medium
Vendor	pom	developer name	Tim O'Brien	Medium
Vendor	pom	developer org	Apache Software Foundation	Medium
Vendor	pom	developer org	independent	Medium
Vendor	pom	developer org	SpiritSoft, Inc.	Medium
Vendor	pom	groupid	org.apache.commons	Highest
Vendor	pom	name	Commons JEXL	High
Vendor	pom	parent-artifactid	commons-parent	Low
Vendor	pom	url	http://commons.apache.org/jexl/	Highest
Product	file	name	commons-jexl	High
Product	jar	package name	apache	Highest
Product	jar	package name	commons	Highest
Product	jar	package name	expression	Highest
Product	Manifest	bundle-docurl	http://commons.apache.org/jexl/	Low
Product	Manifest	Bundle-Name	Commons JEXL	Medium
Product	Manifest	bundle-symbolicname	org.apache.commons.jexl	Medium
Product	Manifest	implementation-build	COMMONS_JEXL_2_1_1-RC1@r1220732; 2011-12-19 14:53:11+0000	Low
Product	Manifest	Implementation-Title	Commons JEXL	High
Product	Manifest	specification-title	Commons JEXL	Medium
Product	pom	artifactid	commons-jexl	Highest
Product	pom	developer email	dion AT apache DOT org	Low
Product	pom	developer email	geirm AT apache DOT org	Low
Product	pom	developer email	henrib AT apache DOT org	Low
Product	pom	developer email	jstrachan AT apache DOT org	Low
Product	pom	developer email	proyal AT apache DOT org	Low
Product	pom	developer email	rahul AT apache DOT org	Low
Product	pom	developer email	sebb AT apache DOT org	Low
Product	pom	developer email	tobrien AT apache DOT org	Low
Product	pom	developer id	dion	Low
Product	pom	developer id	geirm	Low
Product	pom	developer id	henrib	Low
Product	pom	developer id	jstrachan	Low
Product	pom	developer id	proyal	Low
Product	pom	developer id	rahul	Low
Product	pom	developer id	sebb	Low
Product	pom	developer id	tobrien	Low
Product	pom	developer name	dIon Gillard	Low
Product	pom	developer name	Geir Magnusson Jr.	Low
Product	pom	developer name	Henri Biestro	Low
Product	pom	developer name	James Strachan	Low
Product	pom	developer name	Peter Royal	Low
Product	pom	developer name	Rahul Akolkar	Low
Product	pom	developer name	Sebastian Bazley	Low
Product	pom	developer name	Tim O'Brien	Low
Product	pom	developer org	Apache Software Foundation	Low
Product	pom	developer org	independent	Low
Product	pom	developer org	SpiritSoft, Inc.	Low
Product	pom	groupid	org.apache.commons	Highest
Product	pom	name	Commons JEXL	High
Product	pom	parent-artifactid	commons-parent	Medium
Product	pom	url	http://commons.apache.org/jexl/	Medium
Version	file	version	2.1.1	High
Version	Manifest	Bundle-Version	2.1.1	High
Version	Manifest	Implementation-Version	2.1.1	High
Version	pom	parent-version	2.1.1	Low
Version	pom	version	2.1.1	Highest

Identifiers

pkg:maven/org.apache.commons/commons-jexl@2.1.1 (Confidence:High)
cpe:2.3:a:apache:commons_net:2.1.1:*:*:*:*:*:*:* (Confidence:Highest)

Published Vulnerabilities

CVE-2021-37533

Prior to Apache Commons Net 3.9.0, Net's FTP client trusts the host from PASV response by default. A malicious server can redirect the Commons Net code to use a different host, but the user has to connect to the malicious server in the first place. This may lead to leakage of information about services running on the private network of the client. The default in version 3.9.0 is now false to ignore such hosts, as cURL does. See https://issues.apache.org/jira/browse/NET-711.

CWE-20 Improper Input Validation

CVSSv3:

Base Score: MEDIUM (6.5)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

References:

Vulnerable Software & Versions:

cpe:2.3:a:apache:commons_net:*:*:*:*:*:*:*:* versions up to (excluding) 3.9.0

Description:

The Apache Commons JEXL library is an implementation of the JSTL Expression Language with extensions.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt

File Path: /home/grprdist/.m2/repository/org/apache/commons/commons-jexl3/3.0/commons-jexl3-3.0.jar
MD5: 81041b5b058a2ccff0046386bc7e23f8
SHA1: 75aba6fe6659500bc7fcd420adca9c04ec9a379a
SHA256:79b0aecbe5d851ccf919ba3f5ec3ee333e011f46a24713cb2099e3968a5b9884
Referenced In Project/Scope:Grouper Google Apps Provisioner:provided

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	commons-jexl3	High
Vendor	jar	package name	apache	Highest
Vendor	jar	package name	commons	Highest
Vendor	jar	package name	jexl3	Highest
Vendor	Manifest	bundle-docurl	http://commons.apache.org/jexl/	Low
Vendor	Manifest	bundle-symbolicname	org.apache.commons.jexl	Medium
Vendor	Manifest	implementation-build	tags/COMMONS_JEXL_3_0-RC2@r1720787; 2015-12-18 14:09:43+0000	Low
Vendor	Manifest	implementation-url	http://commons.apache.org/jexl/	Low
Vendor	Manifest	Implementation-Vendor	The Apache Software Foundation	High
Vendor	Manifest	Implementation-Vendor-Id	org.apache	Medium
Vendor	Manifest	require-capability	osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.6))"	Low
Vendor	Manifest	specification-vendor	The Apache Software Foundation	Low
Vendor	pom	artifactid	commons-jexl3	Highest
Vendor	pom	artifactid	commons-jexl3	Low
Vendor	pom	developer email	dion AT apache DOT org	Low
Vendor	pom	developer email	geirm AT apache DOT org	Low
Vendor	pom	developer email	henrib AT apache DOT org	Low
Vendor	pom	developer email	jstrachan AT apache DOT org	Low
Vendor	pom	developer email	proyal AT apache DOT org	Low
Vendor	pom	developer email	rahul AT apache DOT org	Low
Vendor	pom	developer email	sebb AT apache DOT org	Low
Vendor	pom	developer email	tobrien AT apache DOT org	Low
Vendor	pom	developer id	dion	Medium
Vendor	pom	developer id	geirm	Medium
Vendor	pom	developer id	henrib	Medium
Vendor	pom	developer id	jstrachan	Medium
Vendor	pom	developer id	proyal	Medium
Vendor	pom	developer id	rahul	Medium
Vendor	pom	developer id	sebb	Medium
Vendor	pom	developer id	tobrien	Medium
Vendor	pom	developer name	dIon Gillard	Medium
Vendor	pom	developer name	Geir Magnusson Jr.	Medium
Vendor	pom	developer name	Henri Biestro	Medium
Vendor	pom	developer name	James Strachan	Medium
Vendor	pom	developer name	Peter Royal	Medium
Vendor	pom	developer name	Rahul Akolkar	Medium
Vendor	pom	developer name	Sebastian Bazley	Medium
Vendor	pom	developer name	Tim O'Brien	Medium
Vendor	pom	developer org	independent	Medium
Vendor	pom	developer org	SpiritSoft, Inc.	Medium
Vendor	pom	developer org	The Apache Software Foundation	Medium
Vendor	pom	groupid	org.apache.commons	Highest
Vendor	pom	name	Apache Commons JEXL	High
Vendor	pom	parent-artifactid	commons-parent	Low
Vendor	pom	url	http://commons.apache.org/jexl/	Highest
Product	file	name	commons-jexl3	High
Product	jar	package name	apache	Highest
Product	jar	package name	commons	Highest
Product	jar	package name	jexl3	Highest
Product	Manifest	bundle-docurl	http://commons.apache.org/jexl/	Low
Product	Manifest	Bundle-Name	Apache Commons JEXL	Medium
Product	Manifest	bundle-symbolicname	org.apache.commons.jexl	Medium
Product	Manifest	implementation-build	tags/COMMONS_JEXL_3_0-RC2@r1720787; 2015-12-18 14:09:43+0000	Low
Product	Manifest	Implementation-Title	Apache Commons JEXL	High
Product	Manifest	implementation-url	http://commons.apache.org/jexl/	Low
Product	Manifest	require-capability	osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.6))"	Low
Product	Manifest	specification-title	Apache Commons JEXL	Medium
Product	pom	artifactid	commons-jexl3	Highest
Product	pom	developer email	dion AT apache DOT org	Low
Product	pom	developer email	geirm AT apache DOT org	Low
Product	pom	developer email	henrib AT apache DOT org	Low
Product	pom	developer email	jstrachan AT apache DOT org	Low
Product	pom	developer email	proyal AT apache DOT org	Low
Product	pom	developer email	rahul AT apache DOT org	Low
Product	pom	developer email	sebb AT apache DOT org	Low
Product	pom	developer email	tobrien AT apache DOT org	Low
Product	pom	developer id	dion	Low
Product	pom	developer id	geirm	Low
Product	pom	developer id	henrib	Low
Product	pom	developer id	jstrachan	Low
Product	pom	developer id	proyal	Low
Product	pom	developer id	rahul	Low
Product	pom	developer id	sebb	Low
Product	pom	developer id	tobrien	Low
Product	pom	developer name	dIon Gillard	Low
Product	pom	developer name	Geir Magnusson Jr.	Low
Product	pom	developer name	Henri Biestro	Low
Product	pom	developer name	James Strachan	Low
Product	pom	developer name	Peter Royal	Low
Product	pom	developer name	Rahul Akolkar	Low
Product	pom	developer name	Sebastian Bazley	Low
Product	pom	developer name	Tim O'Brien	Low
Product	pom	developer org	independent	Low
Product	pom	developer org	SpiritSoft, Inc.	Low
Product	pom	developer org	The Apache Software Foundation	Low
Product	pom	groupid	org.apache.commons	Highest
Product	pom	name	Apache Commons JEXL	High
Product	pom	parent-artifactid	commons-parent	Medium
Product	pom	url	http://commons.apache.org/jexl/	Medium
Version	file	version	3.0	High
Version	Manifest	Implementation-Version	3.0	High
Version	pom	parent-version	3.0	Low
Version	pom	version	3.0	Highest

Identifiers

pkg:maven/org.apache.commons/commons-jexl3@3.0 (Confidence:High)
cpe:2.3:a:apache:commons_net:3.0:*:*:*:*:*:*:* (Confidence:Highest)

Published Vulnerabilities

CVE-2021-37533

Prior to Apache Commons Net 3.9.0, Net's FTP client trusts the host from PASV response by default. A malicious server can redirect the Commons Net code to use a different host, but the user has to connect to the malicious server in the first place. This may lead to leakage of information about services running on the private network of the client. The default in version 3.9.0 is now false to ignore such hosts, as cURL does. See https://issues.apache.org/jira/browse/NET-711.

CWE-20 Improper Input Validation

CVSSv3:

Base Score: MEDIUM (6.5)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

References:

Vulnerable Software & Versions:

cpe:2.3:a:apache:commons_net:*:*:*:*:*:*:*:* versions up to (excluding) 3.9.0

Description:

        Commons Lang, a package of Java utility classes for the
        classes that are in java.lang's hierarchy, or are considered to be so
        standard as to justify existence in java.lang.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt

File Path: /home/grprdist/.m2/repository/commons-lang/commons-lang/2.6/commons-lang-2.6.jar
MD5: 4d5c1693079575b362edf41500630bbd
SHA1: 0ce1edb914c94ebc388f086c6827e8bdeec71ac2
SHA256:50f11b09f877c294d56f24463f47d28f929cf5044f648661c0f0cfbae9a2f49c
Referenced In Project/Scope:Grouper Google Apps Provisioner:provided

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	commons-lang	High
Vendor	jar	package name	apache	Highest
Vendor	jar	package name	commons	Highest
Vendor	jar	package name	lang	Highest
Vendor	Manifest	bundle-docurl	http://commons.apache.org/lang/	Low
Vendor	Manifest	bundle-symbolicname	org.apache.commons.lang	Medium
Vendor	Manifest	Implementation-Vendor	The Apache Software Foundation	High
Vendor	Manifest	Implementation-Vendor-Id	org.apache	Medium
Vendor	Manifest	specification-vendor	The Apache Software Foundation	Low
Vendor	pom	artifactid	commons-lang	Highest
Vendor	pom	artifactid	commons-lang	Low
Vendor	pom	developer email	bayard@apache.org	Low
Vendor	pom	developer email	dlr@finemaltcoding.com	Low
Vendor	pom	developer email	ggregory@seagullsw.com	Low
Vendor	pom	developer email	jcarman@apache.org	Low
Vendor	pom	developer email	joerg.schaible@gmx.de	Low
Vendor	pom	developer email	oheger@apache.org	Low
Vendor	pom	developer email	pbenedict@apache.org	Low
Vendor	pom	developer email	phil@steitz.com	Low
Vendor	pom	developer email	rdonkin@apache.org	Low
Vendor	pom	developer email	scolebourne@joda.org	Low
Vendor	pom	developer email	stevencaswell@apache.org	Low
Vendor	pom	developer id	bayard	Medium
Vendor	pom	developer id	dlr	Medium
Vendor	pom	developer id	fredrik	Medium
Vendor	pom	developer id	ggregory	Medium
Vendor	pom	developer id	jcarman	Medium
Vendor	pom	developer id	joehni	Medium
Vendor	pom	developer id	mbenson	Medium
Vendor	pom	developer id	niallp	Medium
Vendor	pom	developer id	oheger	Medium
Vendor	pom	developer id	pbenedict	Medium
Vendor	pom	developer id	psteitz	Medium
Vendor	pom	developer id	rdonkin	Medium
Vendor	pom	developer id	scaswell	Medium
Vendor	pom	developer id	scolebourne	Medium
Vendor	pom	developer name	Daniel Rall	Medium
Vendor	pom	developer name	Fredrik Westermarck	Medium
Vendor	pom	developer name	Gary D. Gregory	Medium
Vendor	pom	developer name	Henri Yandell	Medium
Vendor	pom	developer name	James Carman	Medium
Vendor	pom	developer name	Joerg Schaible	Medium
Vendor	pom	developer name	Matt Benson	Medium
Vendor	pom	developer name	Niall Pemberton	Medium
Vendor	pom	developer name	Oliver Heger	Medium
Vendor	pom	developer name	Paul Benedict	Medium
Vendor	pom	developer name	Phil Steitz	Medium
Vendor	pom	developer name	Robert Burrell Donkin	Medium
Vendor	pom	developer name	Stephen Colebourne	Medium
Vendor	pom	developer name	Steven Caswell	Medium
Vendor	pom	developer org	Carman Consulting, Inc.	Medium
Vendor	pom	developer org	CollabNet, Inc.	Medium
Vendor	pom	developer org	Seagull Software	Medium
Vendor	pom	developer org	SITA ATS Ltd	Medium
Vendor	pom	groupid	commons-lang	Highest
Vendor	pom	name	Commons Lang	High
Vendor	pom	parent-artifactid	commons-parent	Low
Vendor	pom	parent-groupid	org.apache.commons	Medium
Vendor	pom	url	http://commons.apache.org/lang/	Highest
Product	file	name	commons-lang	High
Product	jar	package name	apache	Highest
Product	jar	package name	commons	Highest
Product	jar	package name	lang	Highest
Product	Manifest	bundle-docurl	http://commons.apache.org/lang/	Low
Product	Manifest	Bundle-Name	Commons Lang	Medium
Product	Manifest	bundle-symbolicname	org.apache.commons.lang	Medium
Product	Manifest	Implementation-Title	Commons Lang	High
Product	Manifest	specification-title	Commons Lang	Medium
Product	pom	artifactid	commons-lang	Highest
Product	pom	developer email	bayard@apache.org	Low
Product	pom	developer email	dlr@finemaltcoding.com	Low
Product	pom	developer email	ggregory@seagullsw.com	Low
Product	pom	developer email	jcarman@apache.org	Low
Product	pom	developer email	joerg.schaible@gmx.de	Low
Product	pom	developer email	oheger@apache.org	Low
Product	pom	developer email	pbenedict@apache.org	Low
Product	pom	developer email	phil@steitz.com	Low
Product	pom	developer email	rdonkin@apache.org	Low
Product	pom	developer email	scolebourne@joda.org	Low
Product	pom	developer email	stevencaswell@apache.org	Low
Product	pom	developer id	bayard	Low
Product	pom	developer id	dlr	Low
Product	pom	developer id	fredrik	Low
Product	pom	developer id	ggregory	Low
Product	pom	developer id	jcarman	Low
Product	pom	developer id	joehni	Low
Product	pom	developer id	mbenson	Low
Product	pom	developer id	niallp	Low
Product	pom	developer id	oheger	Low
Product	pom	developer id	pbenedict	Low
Product	pom	developer id	psteitz	Low
Product	pom	developer id	rdonkin	Low
Product	pom	developer id	scaswell	Low
Product	pom	developer id	scolebourne	Low
Product	pom	developer name	Daniel Rall	Low
Product	pom	developer name	Fredrik Westermarck	Low
Product	pom	developer name	Gary D. Gregory	Low
Product	pom	developer name	Henri Yandell	Low
Product	pom	developer name	James Carman	Low
Product	pom	developer name	Joerg Schaible	Low
Product	pom	developer name	Matt Benson	Low
Product	pom	developer name	Niall Pemberton	Low
Product	pom	developer name	Oliver Heger	Low
Product	pom	developer name	Paul Benedict	Low
Product	pom	developer name	Phil Steitz	Low
Product	pom	developer name	Robert Burrell Donkin	Low
Product	pom	developer name	Stephen Colebourne	Low
Product	pom	developer name	Steven Caswell	Low
Product	pom	developer org	Carman Consulting, Inc.	Low
Product	pom	developer org	CollabNet, Inc.	Low
Product	pom	developer org	Seagull Software	Low
Product	pom	developer org	SITA ATS Ltd	Low
Product	pom	groupid	commons-lang	Highest
Product	pom	name	Commons Lang	High
Product	pom	parent-artifactid	commons-parent	Medium
Product	pom	parent-groupid	org.apache.commons	Medium
Product	pom	url	http://commons.apache.org/lang/	Medium
Version	file	version	2.6	High
Version	Manifest	Bundle-Version	2.6	High
Version	Manifest	Implementation-Version	2.6	High
Version	pom	parent-version	2.6	Low
Version	pom	version	2.6	Highest

Identifiers

pkg:maven/commons-lang/commons-lang@2.6 (Confidence:High)
cpe:2.3:a:apache:commons_net:2.6:*:*:*:*:*:*:* (Confidence:Highest)

Published Vulnerabilities

CVE-2021-37533

Prior to Apache Commons Net 3.9.0, Net's FTP client trusts the host from PASV response by default. A malicious server can redirect the Commons Net code to use a different host, but the user has to connect to the malicious server in the first place. This may lead to leakage of information about services running on the private network of the client. The default in version 3.9.0 is now false to ignore such hosts, as cURL does. See https://issues.apache.org/jira/browse/NET-711.

CWE-20 Improper Input Validation

CVSSv3:

Base Score: MEDIUM (6.5)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

References:

Vulnerable Software & Versions:

cpe:2.3:a:apache:commons_net:*:*:*:*:*:*:*:* versions up to (excluding) 3.9.0

Description:

  Apache Commons Lang, a package of Java utility classes for the
  classes that are in java.lang's hierarchy, or are considered to be so
  standard as to justify existence in java.lang.

License:

https://www.apache.org/licenses/LICENSE-2.0.txt

File Path: /home/grprdist/.m2/repository/org/apache/commons/commons-lang3/3.12.0/commons-lang3-3.12.0.jar
MD5: 19fe50567358922bdad277959ea69545
SHA1: c6842c86792ff03b9f1d1fe2aab8dc23aa6c6f0e
SHA256:d919d904486c037f8d193412da0c92e22a9fa24230b9d67a57855c5c31c7e94e
Referenced In Project/Scope:Grouper Google Apps Provisioner:provided

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	commons-lang3	High
Vendor	jar	package name	apache	Highest
Vendor	jar	package name	commons	Highest
Vendor	jar	package name	lang3	Highest
Vendor	Manifest	automatic-module-name	org.apache.commons.lang3	Medium
Vendor	Manifest	build-jdk-spec	1.8	Low
Vendor	Manifest	bundle-docurl	https://commons.apache.org/proper/commons-lang/	Low
Vendor	Manifest	bundle-symbolicname	org.apache.commons.lang3	Medium
Vendor	Manifest	Implementation-Vendor	The Apache Software Foundation	High
Vendor	Manifest	require-capability	osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))"	Low
Vendor	Manifest	specification-vendor	The Apache Software Foundation	Low
Vendor	pom	artifactid	commons-lang3	Highest
Vendor	pom	artifactid	commons-lang3	Low
Vendor	pom	developer email	bayard@apache.org	Low
Vendor	pom	developer email	britter@apache.org	Low
Vendor	pom	developer email	chtompki@apache.org	Low
Vendor	pom	developer email	djones@apache.org	Low
Vendor	pom	developer email	dlr@finemaltcoding.com	Low
Vendor	pom	developer email	ggregory@apache.org	Low
Vendor	pom	developer email	jcarman@apache.org	Low
Vendor	pom	developer email	joerg.schaible@gmx.de	Low
Vendor	pom	developer email	lguibert@apache.org	Low
Vendor	pom	developer email	oheger@apache.org	Low
Vendor	pom	developer email	pbenedict@apache.org	Low
Vendor	pom	developer email	rdonkin@apache.org	Low
Vendor	pom	developer email	scolebourne@joda.org	Low
Vendor	pom	developer email	stevencaswell@apache.org	Low
Vendor	pom	developer id	bayard	Medium
Vendor	pom	developer id	britter	Medium
Vendor	pom	developer id	chtompki	Medium
Vendor	pom	developer id	djones	Medium
Vendor	pom	developer id	dlr	Medium
Vendor	pom	developer id	fredrik	Medium
Vendor	pom	developer id	ggregory	Medium
Vendor	pom	developer id	jcarman	Medium
Vendor	pom	developer id	joehni	Medium
Vendor	pom	developer id	lguibert	Medium
Vendor	pom	developer id	mbenson	Medium
Vendor	pom	developer id	niallp	Medium
Vendor	pom	developer id	oheger	Medium
Vendor	pom	developer id	pbenedict	Medium
Vendor	pom	developer id	rdonkin	Medium
Vendor	pom	developer id	scaswell	Medium
Vendor	pom	developer id	scolebourne	Medium
Vendor	pom	developer name	Benedikt Ritter	Medium
Vendor	pom	developer name	Daniel Rall	Medium
Vendor	pom	developer name	Duncan Jones	Medium
Vendor	pom	developer name	Fredrik Westermarck	Medium
Vendor	pom	developer name	Gary D. Gregory	Medium
Vendor	pom	developer name	Henri Yandell	Medium
Vendor	pom	developer name	James Carman	Medium
Vendor	pom	developer name	Joerg Schaible	Medium
Vendor	pom	developer name	Loic Guibert	Medium
Vendor	pom	developer name	Matt Benson	Medium
Vendor	pom	developer name	Niall Pemberton	Medium
Vendor	pom	developer name	Oliver Heger	Medium
Vendor	pom	developer name	Paul Benedict	Medium
Vendor	pom	developer name	Rob Tompkins	Medium
Vendor	pom	developer name	Robert Burrell Donkin	Medium
Vendor	pom	developer name	Stephen Colebourne	Medium
Vendor	pom	developer name	Steven Caswell	Medium
Vendor	pom	developer org	Carman Consulting, Inc.	Medium
Vendor	pom	developer org	CollabNet, Inc.	Medium
Vendor	pom	developer org	SITA ATS Ltd	Medium
Vendor	pom	groupid	org.apache.commons	Highest
Vendor	pom	name	Apache Commons Lang	High
Vendor	pom	parent-artifactid	commons-parent	Low
Vendor	pom	url	https://commons.apache.org/proper/commons-lang/	Highest
Product	file	name	commons-lang3	High
Product	jar	package name	apache	Highest
Product	jar	package name	commons	Highest
Product	jar	package name	lang3	Highest
Product	Manifest	automatic-module-name	org.apache.commons.lang3	Medium
Product	Manifest	build-jdk-spec	1.8	Low
Product	Manifest	bundle-docurl	https://commons.apache.org/proper/commons-lang/	Low
Product	Manifest	Bundle-Name	Apache Commons Lang	Medium
Product	Manifest	bundle-symbolicname	org.apache.commons.lang3	Medium
Product	Manifest	Implementation-Title	Apache Commons Lang	High
Product	Manifest	require-capability	osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))"	Low
Product	Manifest	specification-title	Apache Commons Lang	Medium
Product	pom	artifactid	commons-lang3	Highest
Product	pom	developer email	bayard@apache.org	Low
Product	pom	developer email	britter@apache.org	Low
Product	pom	developer email	chtompki@apache.org	Low
Product	pom	developer email	djones@apache.org	Low
Product	pom	developer email	dlr@finemaltcoding.com	Low
Product	pom	developer email	ggregory@apache.org	Low
Product	pom	developer email	jcarman@apache.org	Low
Product	pom	developer email	joerg.schaible@gmx.de	Low
Product	pom	developer email	lguibert@apache.org	Low
Product	pom	developer email	oheger@apache.org	Low
Product	pom	developer email	pbenedict@apache.org	Low
Product	pom	developer email	rdonkin@apache.org	Low
Product	pom	developer email	scolebourne@joda.org	Low
Product	pom	developer email	stevencaswell@apache.org	Low
Product	pom	developer id	bayard	Low
Product	pom	developer id	britter	Low
Product	pom	developer id	chtompki	Low
Product	pom	developer id	djones	Low
Product	pom	developer id	dlr	Low
Product	pom	developer id	fredrik	Low
Product	pom	developer id	ggregory	Low
Product	pom	developer id	jcarman	Low
Product	pom	developer id	joehni	Low
Product	pom	developer id	lguibert	Low
Product	pom	developer id	mbenson	Low
Product	pom	developer id	niallp	Low
Product	pom	developer id	oheger	Low
Product	pom	developer id	pbenedict	Low
Product	pom	developer id	rdonkin	Low
Product	pom	developer id	scaswell	Low
Product	pom	developer id	scolebourne	Low
Product	pom	developer name	Benedikt Ritter	Low
Product	pom	developer name	Daniel Rall	Low
Product	pom	developer name	Duncan Jones	Low
Product	pom	developer name	Fredrik Westermarck	Low
Product	pom	developer name	Gary D. Gregory	Low
Product	pom	developer name	Henri Yandell	Low
Product	pom	developer name	James Carman	Low
Product	pom	developer name	Joerg Schaible	Low
Product	pom	developer name	Loic Guibert	Low
Product	pom	developer name	Matt Benson	Low
Product	pom	developer name	Niall Pemberton	Low
Product	pom	developer name	Oliver Heger	Low
Product	pom	developer name	Paul Benedict	Low
Product	pom	developer name	Rob Tompkins	Low
Product	pom	developer name	Robert Burrell Donkin	Low
Product	pom	developer name	Stephen Colebourne	Low
Product	pom	developer name	Steven Caswell	Low
Product	pom	developer org	Carman Consulting, Inc.	Low
Product	pom	developer org	CollabNet, Inc.	Low
Product	pom	developer org	SITA ATS Ltd	Low
Product	pom	groupid	org.apache.commons	Highest
Product	pom	name	Apache Commons Lang	High
Product	pom	parent-artifactid	commons-parent	Medium
Product	pom	url	https://commons.apache.org/proper/commons-lang/	Medium
Version	file	version	3.12.0	High
Version	Manifest	Bundle-Version	3.12.0	High
Version	Manifest	Implementation-Version	3.12.0	High
Version	pom	parent-version	3.12.0	Low
Version	pom	version	3.12.0	Highest

Identifiers

pkg:maven/org.apache.commons/commons-lang3@3.12.0 (Confidence:High)
cpe:2.3:a:apache:commons_net:3.12.0:*:*:*:*:*:*:* (Confidence:Highest)

Description:

Apache Commons Logging is a thin adapter allowing configurable bridging to other,
    well known logging systems.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt

File Path: /home/grprdist/.m2/repository/commons-logging/commons-logging/1.2/commons-logging-1.2.jar
MD5: 040b4b4d8eac886f6b4a2a3bd2f31b00
SHA1: 4bfc12adfe4842bf07b657f0369c4cb522955686
SHA256:daddea1ea0be0f56978ab3006b8ac92834afeefbd9b7e4e6316fca57df0fa636
Referenced In Project/Scope:Grouper Google Apps Provisioner:compile

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	commons-logging	High
Vendor	jar	package name	apache	Highest
Vendor	jar	package name	commons	Highest
Vendor	jar	package name	logging	Highest
Vendor	Manifest	bundle-docurl	http://commons.apache.org/proper/commons-logging/	Low
Vendor	Manifest	bundle-symbolicname	org.apache.commons.logging	Medium
Vendor	Manifest	implementation-build	tags/LOGGING_1_2_RC2@r1608092; 2014-07-05 20:11:44+0200	Low
Vendor	Manifest	Implementation-Vendor	The Apache Software Foundation	High
Vendor	Manifest	Implementation-Vendor-Id	org.apache	Medium
Vendor	Manifest	specification-vendor	The Apache Software Foundation	Low
Vendor	pom	artifactid	commons-logging	Highest
Vendor	pom	artifactid	commons-logging	Low
Vendor	pom	developer email	baliuka@apache.org	Low
Vendor	pom	developer email	costin@apache.org	Low
Vendor	pom	developer email	craigmcc@apache.org	Low
Vendor	pom	developer email	dennisl@apache.org	Low
Vendor	pom	developer email	donaldp@apache.org	Low
Vendor	pom	developer email	morgand@apache.org	Low
Vendor	pom	developer email	rdonkin@apache.org	Low
Vendor	pom	developer email	rsitze@apache.org	Low
Vendor	pom	developer email	rwaldhoff@apache.org	Low
Vendor	pom	developer email	sanders@apache.org	Low
Vendor	pom	developer email	skitching@apache.org	Low
Vendor	pom	developer email	tn@apache.org	Low
Vendor	pom	developer id	baliuka	Medium
Vendor	pom	developer id	bstansberry	Medium
Vendor	pom	developer id	costin	Medium
Vendor	pom	developer id	craigmcc	Medium
Vendor	pom	developer id	dennisl	Medium
Vendor	pom	developer id	donaldp	Medium
Vendor	pom	developer id	morgand	Medium
Vendor	pom	developer id	rdonkin	Medium
Vendor	pom	developer id	rsitze	Medium
Vendor	pom	developer id	rwaldhoff	Medium
Vendor	pom	developer id	sanders	Medium
Vendor	pom	developer id	skitching	Medium
Vendor	pom	developer id	tn	Medium
Vendor	pom	developer name	Brian Stansberry	Medium
Vendor	pom	developer name	Costin Manolache	Medium
Vendor	pom	developer name	Craig McClanahan	Medium
Vendor	pom	developer name	Dennis Lundberg	Medium
Vendor	pom	developer name	Juozas Baliuka	Medium
Vendor	pom	developer name	Morgan Delagrange	Medium
Vendor	pom	developer name	Peter Donald	Medium
Vendor	pom	developer name	Richard Sitze	Medium
Vendor	pom	developer name	Robert Burrell Donkin	Medium
Vendor	pom	developer name	Rodney Waldhoff	Medium
Vendor	pom	developer name	Scott Sanders	Medium
Vendor	pom	developer name	Simon Kitching	Medium
Vendor	pom	developer name	Thomas Neidhart	Medium
Vendor	pom	developer org	Apache	Medium
Vendor	pom	developer org	The Apache Software Foundation	Medium
Vendor	pom	groupid	commons-logging	Highest
Vendor	pom	name	Apache Commons Logging	High
Vendor	pom	parent-artifactid	commons-parent	Low
Vendor	pom	parent-groupid	org.apache.commons	Medium
Vendor	pom	url	http://commons.apache.org/proper/commons-logging/	Highest
Product	file	name	commons-logging	High
Product	jar	package name	apache	Highest
Product	jar	package name	commons	Highest
Product	jar	package name	logging	Highest
Product	Manifest	bundle-docurl	http://commons.apache.org/proper/commons-logging/	Low
Product	Manifest	Bundle-Name	Apache Commons Logging	Medium
Product	Manifest	bundle-symbolicname	org.apache.commons.logging	Medium
Product	Manifest	implementation-build	tags/LOGGING_1_2_RC2@r1608092; 2014-07-05 20:11:44+0200	Low
Product	Manifest	Implementation-Title	Apache Commons Logging	High
Product	Manifest	specification-title	Apache Commons Logging	Medium
Product	pom	artifactid	commons-logging	Highest
Product	pom	developer email	baliuka@apache.org	Low
Product	pom	developer email	costin@apache.org	Low
Product	pom	developer email	craigmcc@apache.org	Low
Product	pom	developer email	dennisl@apache.org	Low
Product	pom	developer email	donaldp@apache.org	Low
Product	pom	developer email	morgand@apache.org	Low
Product	pom	developer email	rdonkin@apache.org	Low
Product	pom	developer email	rsitze@apache.org	Low
Product	pom	developer email	rwaldhoff@apache.org	Low
Product	pom	developer email	sanders@apache.org	Low
Product	pom	developer email	skitching@apache.org	Low
Product	pom	developer email	tn@apache.org	Low
Product	pom	developer id	baliuka	Low
Product	pom	developer id	bstansberry	Low
Product	pom	developer id	costin	Low
Product	pom	developer id	craigmcc	Low
Product	pom	developer id	dennisl	Low
Product	pom	developer id	donaldp	Low
Product	pom	developer id	morgand	Low
Product	pom	developer id	rdonkin	Low
Product	pom	developer id	rsitze	Low
Product	pom	developer id	rwaldhoff	Low
Product	pom	developer id	sanders	Low
Product	pom	developer id	skitching	Low
Product	pom	developer id	tn	Low
Product	pom	developer name	Brian Stansberry	Low
Product	pom	developer name	Costin Manolache	Low
Product	pom	developer name	Craig McClanahan	Low
Product	pom	developer name	Dennis Lundberg	Low
Product	pom	developer name	Juozas Baliuka	Low
Product	pom	developer name	Morgan Delagrange	Low
Product	pom	developer name	Peter Donald	Low
Product	pom	developer name	Richard Sitze	Low
Product	pom	developer name	Robert Burrell Donkin	Low
Product	pom	developer name	Rodney Waldhoff	Low
Product	pom	developer name	Scott Sanders	Low
Product	pom	developer name	Simon Kitching	Low
Product	pom	developer name	Thomas Neidhart	Low
Product	pom	developer org	Apache	Low
Product	pom	developer org	The Apache Software Foundation	Low
Product	pom	groupid	commons-logging	Highest
Product	pom	name	Apache Commons Logging	High
Product	pom	parent-artifactid	commons-parent	Medium
Product	pom	parent-groupid	org.apache.commons	Medium
Product	pom	url	http://commons.apache.org/proper/commons-logging/	Medium
Version	file	version	1.2	High
Version	Manifest	Implementation-Version	1.2	High
Version	pom	parent-version	1.2	Low
Version	pom	version	1.2	Highest

Identifiers

pkg:maven/commons-logging/commons-logging@1.2 (Confidence:High)
cpe:2.3:a:apache:commons_net:1.2:*:*:*:*:*:*:* (Confidence:Highest)

Published Vulnerabilities

CVE-2021-37533

Prior to Apache Commons Net 3.9.0, Net's FTP client trusts the host from PASV response by default. A malicious server can redirect the Commons Net code to use a different host, but the user has to connect to the malicious server in the first place. This may lead to leakage of information about services running on the private network of the client. The default in version 3.9.0 is now false to ignore such hosts, as cURL does. See https://issues.apache.org/jira/browse/NET-711.

CWE-20 Improper Input Validation

CVSSv3:

Base Score: MEDIUM (6.5)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

References:

Vulnerable Software & Versions:

cpe:2.3:a:apache:commons_net:*:*:*:*:*:*:*:* versions up to (excluding) 3.9.0

Description:

The Math project is a library of lightweight, self-contained mathematics and statistics components addressing the most common practical problems not immediately available in the Java programming language or commons-lang.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt

File Path: /home/grprdist/.m2/repository/commons-math/commons-math/1.2/commons-math-1.2.jar
MD5: 5d3ce091a67e863549de4493e19df069
SHA1: 3955b41fe9f3c0469bd873331940674812d09bd2
SHA256:429ad6e1a650bc924a3e26fafc8ef703147375d8dd6d02b710c655071cc82270
Referenced In Project/Scope:Grouper Google Apps Provisioner:provided

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	commons-math	High
Vendor	jar	package name	apache	Highest
Vendor	jar	package name	commons	Highest
Vendor	jar	package name	math	Highest
Vendor	Manifest	bundle-symbolicname	org.apache.commons.math	Medium
Vendor	Manifest	Implementation-Vendor	The Apache Software Foundation	High
Vendor	Manifest	Implementation-Vendor-Id	org.apache	Medium
Vendor	Manifest	specification-vendor	The Apache Software Foundation	Low
Vendor	pom	artifactid	commons-math	Highest
Vendor	pom	artifactid	commons-math	Low
Vendor	pom	developer email	achou at apache dot org	Low
Vendor	pom	developer email	brentworden at apache dot org	Low
Vendor	pom	developer email	j3322ptm at yahoo dot de	Low
Vendor	pom	developer email	luc at apache dot org	Low
Vendor	pom	developer email	mdiggory at apache dot org	Low
Vendor	pom	developer email	psteitz at apache dot org	Low
Vendor	pom	developer email	rdonkin at apache dot org	Low
Vendor	pom	developer email	tobrien at apache dot org	Low
Vendor	pom	developer id	achou	Medium
Vendor	pom	developer id	brentworden	Medium
Vendor	pom	developer id	luc	Medium
Vendor	pom	developer id	mdiggory	Medium
Vendor	pom	developer id	pietsch	Medium
Vendor	pom	developer id	psteitz	Medium
Vendor	pom	developer id	rdonkin	Medium
Vendor	pom	developer id	tobrien	Medium
Vendor	pom	developer name	Albert Davidson Chou	Medium
Vendor	pom	developer name	Brent Worden	Medium
Vendor	pom	developer name	J. Pietschmann	Medium
Vendor	pom	developer name	Luc Maisonobe	Medium
Vendor	pom	developer name	Mark Diggory	Medium
Vendor	pom	developer name	Phil Steitz	Medium
Vendor	pom	developer name	Robert Burrell Donkin	Medium
Vendor	pom	developer name	Tim O'Brien	Medium
Vendor	pom	groupid	commons-math	Highest
Vendor	pom	name	Commons Math	High
Vendor	pom	parent-artifactid	commons-parent	Low
Vendor	pom	parent-groupid	org.apache.commons	Medium
Vendor	pom	url	http://commons.apache.org/math/	Highest
Product	file	name	commons-math	High
Product	jar	package name	apache	Highest
Product	jar	package name	commons	Highest
Product	jar	package name	math	Highest
Product	Manifest	Bundle-Name	Apache Commons Math Bundle	Medium
Product	Manifest	bundle-symbolicname	org.apache.commons.math	Medium
Product	Manifest	Implementation-Title	Commons Math	High
Product	Manifest	specification-title	Commons Math	Medium
Product	pom	artifactid	commons-math	Highest
Product	pom	developer email	achou at apache dot org	Low
Product	pom	developer email	brentworden at apache dot org	Low
Product	pom	developer email	j3322ptm at yahoo dot de	Low
Product	pom	developer email	luc at apache dot org	Low
Product	pom	developer email	mdiggory at apache dot org	Low
Product	pom	developer email	psteitz at apache dot org	Low
Product	pom	developer email	rdonkin at apache dot org	Low
Product	pom	developer email	tobrien at apache dot org	Low
Product	pom	developer id	achou	Low
Product	pom	developer id	brentworden	Low
Product	pom	developer id	luc	Low
Product	pom	developer id	mdiggory	Low
Product	pom	developer id	pietsch	Low
Product	pom	developer id	psteitz	Low
Product	pom	developer id	rdonkin	Low
Product	pom	developer id	tobrien	Low
Product	pom	developer name	Albert Davidson Chou	Low
Product	pom	developer name	Brent Worden	Low
Product	pom	developer name	J. Pietschmann	Low
Product	pom	developer name	Luc Maisonobe	Low
Product	pom	developer name	Mark Diggory	Low
Product	pom	developer name	Phil Steitz	Low
Product	pom	developer name	Robert Burrell Donkin	Low
Product	pom	developer name	Tim O'Brien	Low
Product	pom	groupid	commons-math	Highest
Product	pom	name	Commons Math	High
Product	pom	parent-artifactid	commons-parent	Medium
Product	pom	parent-groupid	org.apache.commons	Medium
Product	pom	url	http://commons.apache.org/math/	Medium
Version	file	version	1.2	High
Version	Manifest	Bundle-Version	1.2	High
Version	Manifest	Implementation-Version	1.2	High
Version	pom	parent-version	1.2	Low
Version	pom	version	1.2	Highest

Identifiers

pkg:maven/commons-math/commons-math@1.2 (Confidence:High)
cpe:2.3:a:apache:commons_net:1.2:*:*:*:*:*:*:* (Confidence:Highest)

Published Vulnerabilities

CVE-2021-37533

Prior to Apache Commons Net 3.9.0, Net's FTP client trusts the host from PASV response by default. A malicious server can redirect the Commons Net code to use a different host, but the user has to connect to the malicious server in the first place. This may lead to leakage of information about services running on the private network of the client. The default in version 3.9.0 is now false to ignore such hosts, as cURL does. See https://issues.apache.org/jira/browse/NET-711.

CWE-20 Improper Input Validation

CVSSv3:

Base Score: MEDIUM (6.5)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

References:

Vulnerable Software & Versions:

cpe:2.3:a:apache:commons_net:*:*:*:*:*:*:*:* versions up to (excluding) 3.9.0

Description:

Commons Object Pooling Library

License:

http://www.apache.org/licenses/LICENSE-2.0.txt

File Path: /home/grprdist/.m2/repository/commons-pool/commons-pool/1.6/commons-pool-1.6.jar
MD5: 5ca02245c829422176d23fa530e919cc
SHA1: 4572d589699f09d866a226a14b7f4323c6d8f040
SHA256:46c42b4a38dc6b2db53a9ee5c92c63db103665d56694e2cfce2c95d51a6860cc
Referenced In Project/Scope:Grouper Google Apps Provisioner:provided

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	commons-pool	High
Vendor	jar	package name	apache	Highest
Vendor	jar	package name	commons	Highest
Vendor	jar	package name	pool	Highest
Vendor	Manifest	bundle-docurl	http://commons.apache.org/pool/	Low
Vendor	Manifest	bundle-symbolicname	org.apache.commons.pool	Medium
Vendor	Manifest	implementation-build	UNKNOWN_BRANCH@r??????; 2012-01-04 10:31:47-0500	Low
Vendor	Manifest	Implementation-Vendor	The Apache Software Foundation	High
Vendor	Manifest	Implementation-Vendor-Id	org.apache	Medium
Vendor	Manifest	specification-vendor	The Apache Software Foundation	Low
Vendor	pom	artifactid	commons-pool	Highest
Vendor	pom	artifactid	commons-pool	Low
Vendor	pom	developer id	craigmcc	Medium
Vendor	pom	developer id	dirkv	Medium
Vendor	pom	developer id	dweinr1	Medium
Vendor	pom	developer id	geirm	Medium
Vendor	pom	developer id	ggregory	Medium
Vendor	pom	developer id	morgand	Medium
Vendor	pom	developer id	rdonkin	Medium
Vendor	pom	developer id	rwaldhoff	Medium
Vendor	pom	developer id	sandymac	Medium
Vendor	pom	developer name	Craig McClanahan	Medium
Vendor	pom	developer name	David Weinrich	Medium
Vendor	pom	developer name	Dirk Verbeeck	Medium
Vendor	pom	developer name	Gary Gregory	Medium
Vendor	pom	developer name	Geir Magnusson	Medium
Vendor	pom	developer name	Morgan Delagrange	Medium
Vendor	pom	developer name	Robert Burrell Donkin	Medium
Vendor	pom	developer name	Rodney Waldhoff	Medium
Vendor	pom	developer name	Sandy McArthur	Medium
Vendor	pom	developer org	Apache Software Foundation	Medium
Vendor	pom	groupid	commons-pool	Highest
Vendor	pom	name	Commons Pool	High
Vendor	pom	parent-artifactid	commons-parent	Low
Vendor	pom	parent-groupid	org.apache.commons	Medium
Vendor	pom	url	http://commons.apache.org/pool/	Highest
Product	file	name	commons-pool	High
Product	jar	package name	apache	Highest
Product	jar	package name	commons	Highest
Product	jar	package name	pool	Highest
Product	Manifest	bundle-docurl	http://commons.apache.org/pool/	Low
Product	Manifest	Bundle-Name	Commons Pool	Medium
Product	Manifest	bundle-symbolicname	org.apache.commons.pool	Medium
Product	Manifest	implementation-build	UNKNOWN_BRANCH@r??????; 2012-01-04 10:31:47-0500	Low
Product	Manifest	Implementation-Title	Commons Pool	High
Product	Manifest	specification-title	Commons Pool	Medium
Product	pom	artifactid	commons-pool	Highest
Product	pom	developer id	craigmcc	Low
Product	pom	developer id	dirkv	Low
Product	pom	developer id	dweinr1	Low
Product	pom	developer id	geirm	Low
Product	pom	developer id	ggregory	Low
Product	pom	developer id	morgand	Low
Product	pom	developer id	rdonkin	Low
Product	pom	developer id	rwaldhoff	Low
Product	pom	developer id	sandymac	Low
Product	pom	developer name	Craig McClanahan	Low
Product	pom	developer name	David Weinrich	Low
Product	pom	developer name	Dirk Verbeeck	Low
Product	pom	developer name	Gary Gregory	Low
Product	pom	developer name	Geir Magnusson	Low
Product	pom	developer name	Morgan Delagrange	Low
Product	pom	developer name	Robert Burrell Donkin	Low
Product	pom	developer name	Rodney Waldhoff	Low
Product	pom	developer name	Sandy McArthur	Low
Product	pom	developer org	Apache Software Foundation	Low
Product	pom	groupid	commons-pool	Highest
Product	pom	name	Commons Pool	High
Product	pom	parent-artifactid	commons-parent	Medium
Product	pom	parent-groupid	org.apache.commons	Medium
Product	pom	url	http://commons.apache.org/pool/	Medium
Version	file	version	1.6	High
Version	Manifest	Implementation-Version	1.6	High
Version	pom	parent-version	1.6	Low
Version	pom	version	1.6	Highest

Identifiers

pkg:maven/commons-pool/commons-pool@1.6 (Confidence:High)
cpe:2.3:a:apache:commons_net:1.6:*:*:*:*:*:*:* (Confidence:Highest)

Published Vulnerabilities

CVE-2021-37533

Prior to Apache Commons Net 3.9.0, Net's FTP client trusts the host from PASV response by default. A malicious server can redirect the Commons Net code to use a different host, but the user has to connect to the malicious server in the first place. This may lead to leakage of information about services running on the private network of the client. The default in version 3.9.0 is now false to ignore such hosts, as cURL does. See https://issues.apache.org/jira/browse/NET-711.

CWE-20 Improper Input Validation

CVSSv3:

Base Score: MEDIUM (6.5)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

References:

Vulnerable Software & Versions:

cpe:2.3:a:apache:commons_net:*:*:*:*:*:*:*:* versions up to (excluding) 3.9.0

Description:

Apache Commons Text is a library focused on algorithms working on strings.

License:

https://www.apache.org/licenses/LICENSE-2.0.txt

File Path: /home/grprdist/.m2/repository/org/apache/commons/commons-text/1.10.0/commons-text-1.10.0.jar
MD5: 4afc9bfa2d31dbf7330c98fcc954b892
SHA1: 3363381aef8cef2dbc1023b3e3a9433b08b64e01
SHA256:770cd903fa7b604d1f7ef7ba17f84108667294b2b478be8ed1af3bffb4ae0018
Referenced In Project/Scope:Grouper Google Apps Provisioner:provided

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	commons-text	High
Vendor	jar	package name	apache	Highest
Vendor	jar	package name	commons	Highest
Vendor	jar	package name	text	Highest
Vendor	Manifest	automatic-module-name	org.apache.commons.text	Medium
Vendor	Manifest	build-jdk-spec	1.8	Low
Vendor	Manifest	bundle-docurl	https://commons.apache.org/proper/commons-text	Low
Vendor	Manifest	bundle-symbolicname	org.apache.commons.commons-text	Medium
Vendor	Manifest	Implementation-Vendor	The Apache Software Foundation	High
Vendor	Manifest	require-capability	osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))"	Low
Vendor	Manifest	specification-vendor	The Apache Software Foundation	Low
Vendor	pom	artifactid	commons-text	Highest
Vendor	pom	artifactid	commons-text	Low
Vendor	pom	developer email	britter@apache.org	Low
Vendor	pom	developer email	chtompki@apache.org	Low
Vendor	pom	developer email	djones@apache.org	Low
Vendor	pom	developer email	ggregory at apache.org	Low
Vendor	pom	developer email	kinow@apache.org	Low
Vendor	pom	developer id	britter	Medium
Vendor	pom	developer id	chtompki	Medium
Vendor	pom	developer id	djones	Medium
Vendor	pom	developer id	ggregory	Medium
Vendor	pom	developer id	kinow	Medium
Vendor	pom	developer name	Benedikt Ritter	Medium
Vendor	pom	developer name	Bruno P. Kinoshita	Medium
Vendor	pom	developer name	Duncan Jones	Medium
Vendor	pom	developer name	Gary Gregory	Medium
Vendor	pom	developer name	Rob Tompkins	Medium
Vendor	pom	developer org	The Apache Software Foundation	Medium
Vendor	pom	developer org URL	https://www.apache.org/	Medium
Vendor	pom	groupid	org.apache.commons	Highest
Vendor	pom	name	Apache Commons Text	High
Vendor	pom	parent-artifactid	commons-parent	Low
Vendor	pom	url	https://commons.apache.org/proper/commons-text	Highest
Product	file	name	commons-text	High
Product	jar	package name	apache	Highest
Product	jar	package name	commons	Highest
Product	jar	package name	text	Highest
Product	Manifest	automatic-module-name	org.apache.commons.text	Medium
Product	Manifest	build-jdk-spec	1.8	Low
Product	Manifest	bundle-docurl	https://commons.apache.org/proper/commons-text	Low
Product	Manifest	Bundle-Name	Apache Commons Text	Medium
Product	Manifest	bundle-symbolicname	org.apache.commons.commons-text	Medium
Product	Manifest	Implementation-Title	Apache Commons Text	High
Product	Manifest	require-capability	osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))"	Low
Product	Manifest	specification-title	Apache Commons Text	Medium
Product	pom	artifactid	commons-text	Highest
Product	pom	developer email	britter@apache.org	Low
Product	pom	developer email	chtompki@apache.org	Low
Product	pom	developer email	djones@apache.org	Low
Product	pom	developer email	ggregory at apache.org	Low
Product	pom	developer email	kinow@apache.org	Low
Product	pom	developer id	britter	Low
Product	pom	developer id	chtompki	Low
Product	pom	developer id	djones	Low
Product	pom	developer id	ggregory	Low
Product	pom	developer id	kinow	Low
Product	pom	developer name	Benedikt Ritter	Low
Product	pom	developer name	Bruno P. Kinoshita	Low
Product	pom	developer name	Duncan Jones	Low
Product	pom	developer name	Gary Gregory	Low
Product	pom	developer name	Rob Tompkins	Low
Product	pom	developer org	The Apache Software Foundation	Low
Product	pom	developer org URL	https://www.apache.org/	Low
Product	pom	groupid	org.apache.commons	Highest
Product	pom	name	Apache Commons Text	High
Product	pom	parent-artifactid	commons-parent	Medium
Product	pom	url	https://commons.apache.org/proper/commons-text	Medium
Version	file	version	1.10.0	High
Version	Manifest	Bundle-Version	1.10.0	High
Version	Manifest	Implementation-Version	1.10.0	High
Version	pom	parent-version	1.10.0	Low
Version	pom	version	1.10.0	Highest

Identifiers

pkg:maven/org.apache.commons/commons-text@1.10.0 (Confidence:High)
cpe:2.3:a:apache:commons_net:1.10.0:*:*:*:*:*:*:* (Confidence:Highest)
cpe:2.3:a:apache:commons_text:1.10.0:*:*:*:*:*:*:* (Confidence:Highest)

Published Vulnerabilities

CVE-2021-37533

Prior to Apache Commons Net 3.9.0, Net's FTP client trusts the host from PASV response by default. A malicious server can redirect the Commons Net code to use a different host, but the user has to connect to the malicious server in the first place. This may lead to leakage of information about services running on the private network of the client. The default in version 3.9.0 is now false to ignore such hosts, as cURL does. See https://issues.apache.org/jira/browse/NET-711.

CWE-20 Improper Input Validation

CVSSv3:

Base Score: MEDIUM (6.5)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

References:

Vulnerable Software & Versions:

cpe:2.3:a:apache:commons_net:*:*:*:*:*:*:*:* versions up to (excluding) 3.9.0

Description:

    Apache Commons Validator provides the building blocks for both client side validation and server side data validation.
    It may be used standalone or with a framework like Struts.

License:

https://www.apache.org/licenses/LICENSE-2.0.txt

File Path: /home/grprdist/.m2/repository/commons-validator/commons-validator/1.6/commons-validator-1.6.jar
MD5: 3fd5efd8dcdd601035c123638a897833
SHA1: e989d1e87cdd60575df0765ed5bac65c905d7908
SHA256:bd62795d7068a69cbea333f6dbf9c9c1a6ad7521443fb57202a44874f240ba25
Referenced In Project/Scope:Grouper Google Apps Provisioner:provided

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	commons-validator	High
Vendor	jar	package name	apache	Highest
Vendor	jar	package name	commons	Highest
Vendor	jar	package name	validator	Highest
Vendor	Manifest	bundle-docurl	http://commons.apache.org/proper/commons-validator/	Low
Vendor	Manifest	bundle-symbolicname	org.apache.commons.validator	Medium
Vendor	Manifest	implementation-build	tags/VALIDATOR_1_6_RC1@r1783233; 2017-02-16 15:10:22+0000	Low
Vendor	Manifest	implementation-url	http://commons.apache.org/proper/commons-validator/	Low
Vendor	Manifest	Implementation-Vendor	The Apache Software Foundation	High
Vendor	Manifest	Implementation-Vendor-Id	org.apache	Medium
Vendor	Manifest	require-capability	osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.6))"	Low
Vendor	Manifest	specification-vendor	The Apache Software Foundation	Low
Vendor	pom	artifactid	commons-validator	Highest
Vendor	pom	artifactid	commons-validator	Low
Vendor	pom	developer email	craigmcc@apache.org	Low
Vendor	pom	developer email	dgraham@apache.org	Low
Vendor	pom	developer email	dwinterfeldt@apache.org	Low
Vendor	pom	developer email	ggregory@apache.org	Low
Vendor	pom	developer email	husted@apache.org	Low
Vendor	pom	developer email	jmitchell NOSPAM apache.org	Low
Vendor	pom	developer email	martinc@apache.org	Low
Vendor	pom	developer email	mrdon@apache.org	Low
Vendor	pom	developer email	rleland at apache.org	Low
Vendor	pom	developer email	turner@apache.org	Low
Vendor	pom	developer id	bayard	Medium
Vendor	pom	developer id	britter	Medium
Vendor	pom	developer id	bspeakmon	Medium
Vendor	pom	developer id	craigmcc	Medium
Vendor	pom	developer id	dgraham	Medium
Vendor	pom	developer id	dwinterfeldt	Medium
Vendor	pom	developer id	ggregory	Medium
Vendor	pom	developer id	husted	Medium
Vendor	pom	developer id	jmitchell	Medium
Vendor	pom	developer id	martinc	Medium
Vendor	pom	developer id	mrdon	Medium
Vendor	pom	developer id	niallp	Medium
Vendor	pom	developer id	nick	Medium
Vendor	pom	developer id	rleland	Medium
Vendor	pom	developer id	simonetripodi	Medium
Vendor	pom	developer id	turner	Medium
Vendor	pom	developer name	Ben Speakmon	Medium
Vendor	pom	developer name	Benedikt Ritter	Medium
Vendor	pom	developer name	Craig McClanahan	Medium
Vendor	pom	developer name	David Graham	Medium
Vendor	pom	developer name	David Winterfeldt	Medium
Vendor	pom	developer name	Don Brown	Medium
Vendor	pom	developer name	Gary Gregory	Medium
Vendor	pom	developer name	Henri Yandell	Medium
Vendor	pom	developer name	James Mitchell	Medium
Vendor	pom	developer name	James Turner	Medium
Vendor	pom	developer name	Martin Cooper	Medium
Vendor	pom	developer name	Niall Pemberton	Medium
Vendor	pom	developer name	Nick Burch	Medium
Vendor	pom	developer name	Rob Leland	Medium
Vendor	pom	developer name	SimoneTripodi	Medium
Vendor	pom	developer name	Ted Husted	Medium
Vendor	pom	developer org	EdgeTech, Inc	Medium
Vendor	pom	groupid	commons-validator	Highest
Vendor	pom	name	Apache Commons Validator	High
Vendor	pom	parent-artifactid	commons-parent	Low
Vendor	pom	parent-groupid	org.apache.commons	Medium
Vendor	pom	url	http://commons.apache.org/proper/commons-validator/	Highest
Product	file	name	commons-validator	High
Product	jar	package name	apache	Highest
Product	jar	package name	commons	Highest
Product	jar	package name	validator	Highest
Product	Manifest	bundle-docurl	http://commons.apache.org/proper/commons-validator/	Low
Product	Manifest	Bundle-Name	Apache Commons Validator	Medium
Product	Manifest	bundle-symbolicname	org.apache.commons.validator	Medium
Product	Manifest	implementation-build	tags/VALIDATOR_1_6_RC1@r1783233; 2017-02-16 15:10:22+0000	Low
Product	Manifest	Implementation-Title	Apache Commons Validator	High
Product	Manifest	implementation-url	http://commons.apache.org/proper/commons-validator/	Low
Product	Manifest	require-capability	osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.6))"	Low
Product	Manifest	specification-title	Apache Commons Validator	Medium
Product	pom	artifactid	commons-validator	Highest
Product	pom	developer email	craigmcc@apache.org	Low
Product	pom	developer email	dgraham@apache.org	Low
Product	pom	developer email	dwinterfeldt@apache.org	Low
Product	pom	developer email	ggregory@apache.org	Low
Product	pom	developer email	husted@apache.org	Low
Product	pom	developer email	jmitchell NOSPAM apache.org	Low
Product	pom	developer email	martinc@apache.org	Low
Product	pom	developer email	mrdon@apache.org	Low
Product	pom	developer email	rleland at apache.org	Low
Product	pom	developer email	turner@apache.org	Low
Product	pom	developer id	bayard	Low
Product	pom	developer id	britter	Low
Product	pom	developer id	bspeakmon	Low
Product	pom	developer id	craigmcc	Low
Product	pom	developer id	dgraham	Low
Product	pom	developer id	dwinterfeldt	Low
Product	pom	developer id	ggregory	Low
Product	pom	developer id	husted	Low
Product	pom	developer id	jmitchell	Low
Product	pom	developer id	martinc	Low
Product	pom	developer id	mrdon	Low
Product	pom	developer id	niallp	Low
Product	pom	developer id	nick	Low
Product	pom	developer id	rleland	Low
Product	pom	developer id	simonetripodi	Low
Product	pom	developer id	turner	Low
Product	pom	developer name	Ben Speakmon	Low
Product	pom	developer name	Benedikt Ritter	Low
Product	pom	developer name	Craig McClanahan	Low
Product	pom	developer name	David Graham	Low
Product	pom	developer name	David Winterfeldt	Low
Product	pom	developer name	Don Brown	Low
Product	pom	developer name	Gary Gregory	Low
Product	pom	developer name	Henri Yandell	Low
Product	pom	developer name	James Mitchell	Low
Product	pom	developer name	James Turner	Low
Product	pom	developer name	Martin Cooper	Low
Product	pom	developer name	Niall Pemberton	Low
Product	pom	developer name	Nick Burch	Low
Product	pom	developer name	Rob Leland	Low
Product	pom	developer name	SimoneTripodi	Low
Product	pom	developer name	Ted Husted	Low
Product	pom	developer org	EdgeTech, Inc	Low
Product	pom	groupid	commons-validator	Highest
Product	pom	name	Apache Commons Validator	High
Product	pom	parent-artifactid	commons-parent	Medium
Product	pom	parent-groupid	org.apache.commons	Medium
Product	pom	url	http://commons.apache.org/proper/commons-validator/	Medium
Version	file	version	1.6	High
Version	Manifest	Implementation-Version	1.6	High
Version	pom	parent-version	1.6	Low
Version	pom	version	1.6	Highest

Identifiers

pkg:maven/commons-validator/commons-validator@1.6 (Confidence:High)
cpe:2.3:a:apache:commons_net:1.6:*:*:*:*:*:*:* (Confidence:Highest)

Published Vulnerabilities

CVE-2021-37533

Prior to Apache Commons Net 3.9.0, Net's FTP client trusts the host from PASV response by default. A malicious server can redirect the Commons Net code to use a different host, but the user has to connect to the malicious server in the first place. This may lead to leakage of information about services running on the private network of the client. The default in version 3.9.0 is now false to ignore such hosts, as cURL does. See https://issues.apache.org/jira/browse/NET-711.

CWE-20 Improper Input Validation

CVSSv3:

Base Score: MEDIUM (6.5)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

References:

Vulnerable Software & Versions:

cpe:2.3:a:apache:commons_net:*:*:*:*:*:*:*:* versions up to (excluding) 3.9.0

Description:

Apache Commons VFS is a Virtual File System library.

License:

https://www.apache.org/licenses/LICENSE-2.0.txt

File Path: /home/grprdist/.m2/repository/org/apache/commons/commons-vfs2/2.4.1/commons-vfs2-2.4.1.jar
MD5: 3689ad3e33c2455c033c7062f583c49f
SHA1: 2b041628c3cb436d8eee25f78603f04eb5e817a5
SHA256:1d518e883bb4e9a791c2bb48c76ed7b8879708b312ed955854e50b831e23ed35
Referenced In Project/Scope:Grouper Google Apps Provisioner:provided

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	commons-vfs2	High
Vendor	jar	package name	apache	Highest
Vendor	jar	package name	commons	Highest
Vendor	jar	package name	vfs	Highest
Vendor	jar	package name	vfs2	Highest
Vendor	Manifest	bundle-docurl	http://commons.apache.org/proper/commons-vfs/	Low
Vendor	Manifest	bundle-symbolicname	org.apache.commons.vfs2	Medium
Vendor	Manifest	implementation-build	release@reabdee306d5b0a73859a0aa841a5c0ccfe8b337a; 2019-08-11 00:23:00+0000	Low
Vendor	Manifest	implementation-url	http://commons.apache.org/proper/commons-vfs/	Low
Vendor	Manifest	Implementation-Vendor	The Apache Software Foundation	High
Vendor	Manifest	Implementation-Vendor-Id	org.apache	Medium
Vendor	Manifest	require-capability	osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))"	Low
Vendor	Manifest	specification-vendor	The Apache Software Foundation	Low
Vendor	pom	artifactid	commons-vfs2	Highest
Vendor	pom	artifactid	commons-vfs2	Low
Vendor	pom	groupid	org.apache.commons	Highest
Vendor	pom	name	Apache Commons VFS	High
Vendor	pom	parent-artifactid	commons-vfs2-project	Low
Vendor	pom	url	http://commons.apache.org/proper/commons-vfs/	Highest
Product	file	name	commons-vfs2	High
Product	jar	package name	apache	Highest
Product	jar	package name	commons	Highest
Product	jar	package name	filter	Highest
Product	jar	package name	vfs	Highest
Product	jar	package name	vfs2	Highest
Product	Manifest	bundle-docurl	http://commons.apache.org/proper/commons-vfs/	Low
Product	Manifest	Bundle-Name	Apache Commons VFS	Medium
Product	Manifest	bundle-symbolicname	org.apache.commons.vfs2	Medium
Product	Manifest	implementation-build	release@reabdee306d5b0a73859a0aa841a5c0ccfe8b337a; 2019-08-11 00:23:00+0000	Low
Product	Manifest	Implementation-Title	Apache Commons VFS	High
Product	Manifest	implementation-url	http://commons.apache.org/proper/commons-vfs/	Low
Product	Manifest	require-capability	osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))"	Low
Product	Manifest	specification-title	Apache Commons VFS	Medium
Product	pom	artifactid	commons-vfs2	Highest
Product	pom	groupid	org.apache.commons	Highest
Product	pom	name	Apache Commons VFS	High
Product	pom	parent-artifactid	commons-vfs2-project	Medium
Product	pom	url	http://commons.apache.org/proper/commons-vfs/	Medium
Version	file	version	2.4.1	High
Version	Manifest	Bundle-Version	2.4.1	High
Version	Manifest	Implementation-Version	2.4.1	High
Version	pom	version	2.4.1	Highest

Identifiers

pkg:maven/org.apache.commons/commons-vfs2@2.4.1 (Confidence:High)
cpe:2.3:a:apache:commons_net:2.4.1:*:*:*:*:*:*:* (Confidence:Highest)

Published Vulnerabilities

CVE-2021-37533

Prior to Apache Commons Net 3.9.0, Net's FTP client trusts the host from PASV response by default. A malicious server can redirect the Commons Net code to use a different host, but the user has to connect to the malicious server in the first place. This may lead to leakage of information about services running on the private network of the client. The default in version 3.9.0 is now false to ignore such hosts, as cURL does. See https://issues.apache.org/jira/browse/NET-711.

CWE-20 Improper Input Validation

CVSSv3:

Base Score: MEDIUM (6.5)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

References:

Vulnerable Software & Versions:

cpe:2.3:a:apache:commons_net:*:*:*:*:*:*:*:* versions up to (excluding) 3.9.0

Description:

Java library for Content (Media) Type representation

License:

The Apache Software License, Version 2.0: https://www.apache.org/licenses/LICENSE-2.0.txt

File Path: /home/grprdist/.m2/repository/com/nimbusds/content-type/2.2/content-type-2.2.jar
MD5: 135aaa5ebcc12a45f4b3ff08cb6fa46a
SHA1: 9a894bce7646dd4086652d85b88013229f23724b
SHA256:730f1816196145e88275093c147f2e6da3c3e541207acd3503a1b06129b9bea9
Referenced In Project/Scope:Grouper Google Apps Provisioner:provided

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	content-type	High
Vendor	jar	package name	nimbusds	Highest
Vendor	Manifest	build-date	${timestamp}	Low
Vendor	Manifest	build-jdk-spec	1.8	Low
Vendor	Manifest	build-number	${buildNumber}	Low
Vendor	Manifest	build-tag	2.2	Low
Vendor	Manifest	bundle-docurl	https://connect2id.com	Low
Vendor	Manifest	bundle-symbolicname	com.nimbusds.content-type	Medium
Vendor	Manifest	Implementation-Vendor	Connect2id Ltd.	High
Vendor	Manifest	Implementation-Vendor-Id	com.nimbusds	Medium
Vendor	Manifest	require-capability	osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.7))"	Low
Vendor	Manifest	specification-vendor	Connect2id Ltd.	Low
Vendor	pom	artifactid	content-type	Highest
Vendor	pom	artifactid	content-type	Low
Vendor	pom	developer email	vladimir@dzhuvinov.com	Low
Vendor	pom	developer id	vdzhuvinov	Medium
Vendor	pom	developer name	Vladimir Dzhuvinov	Medium
Vendor	pom	groupid	com.nimbusds	Highest
Vendor	pom	name	Nimbus Content Type	High
Vendor	pom	organization name	Connect2id Ltd.	High
Vendor	pom	organization url	https://connect2id.com	Medium
Vendor	pom	url	https://bitbucket.org/connect2id/nimbus-content-type	Highest
Product	file	name	content-type	High
Product	jar	package name	nimbusds	Highest
Product	Manifest	build-date	${timestamp}	Low
Product	Manifest	build-jdk-spec	1.8	Low
Product	Manifest	build-number	${buildNumber}	Low
Product	Manifest	build-tag	2.2	Low
Product	Manifest	bundle-docurl	https://connect2id.com	Low
Product	Manifest	Bundle-Name	Nimbus Content Type	Medium
Product	Manifest	bundle-symbolicname	com.nimbusds.content-type	Medium
Product	Manifest	Implementation-Title	Nimbus Content Type	High
Product	Manifest	require-capability	osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.7))"	Low
Product	Manifest	specification-title	Nimbus Content Type	Medium
Product	pom	artifactid	content-type	Highest
Product	pom	developer email	vladimir@dzhuvinov.com	Low
Product	pom	developer id	vdzhuvinov	Low
Product	pom	developer name	Vladimir Dzhuvinov	Low
Product	pom	groupid	com.nimbusds	Highest
Product	pom	name	Nimbus Content Type	High
Product	pom	organization name	Connect2id Ltd.	Low
Product	pom	organization url	https://connect2id.com	Low
Product	pom	url	https://bitbucket.org/connect2id/nimbus-content-type	Medium
Version	file	version	2.2	High
Version	Manifest	build-tag	2.2	Low
Version	Manifest	Implementation-Version	2.2	High
Version	pom	version	2.2	Highest

Identifiers

pkg:maven/com.nimbusds/content-type@2.2 (Confidence:High)

File Path: /home/grprdist/.m2/repository/net/redhogs/cronparser/cron-parser-core/3.4/cron-parser-core-3.4.jar
MD5: 984e308161cecec9ca9ca7ab34257c1e
SHA1: f4b72519661bd9879803b82ac19eab1269bbcdf9
SHA256:caece60f6f9305eb0ff54b9558ef014a7c076bb9ecec609006983794c0ced2ee
Referenced In Project/Scope:Grouper Google Apps Provisioner:provided

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	cron-parser-core	High
Vendor	jar	package name	cronparser	Highest
Vendor	jar	package name	cronparser	Low
Vendor	jar	package name	net	Highest
Vendor	jar	package name	net	Low
Vendor	jar	package name	redhogs	Highest
Vendor	jar	package name	redhogs	Low
Vendor	pom	artifactid	cron-parser-core	Highest
Vendor	pom	artifactid	cron-parser-core	Low
Vendor	pom	groupid	net.redhogs.cronparser	Highest
Vendor	pom	name	cron-parser-core	High
Vendor	pom	parent-artifactid	cron-parser	Low
Product	file	name	cron-parser-core	High
Product	jar	package name	cronparser	Highest
Product	jar	package name	cronparser	Low
Product	jar	package name	net	Highest
Product	jar	package name	redhogs	Highest
Product	jar	package name	redhogs	Low
Product	pom	artifactid	cron-parser-core	Highest
Product	pom	groupid	net.redhogs.cronparser	Highest
Product	pom	name	cron-parser-core	High
Product	pom	parent-artifactid	cron-parser	Medium
Version	file	version	3.4	High
Version	pom	version	3.4	Highest

Identifiers

pkg:maven/net.redhogs.cronparser/cron-parser-core@3.4 (Confidence:High)

Description:

flexible XML framework for Java

License:

Plexus: https://github.com/dom4j/dom4j/blob/master/LICENSE

File Path: /home/grprdist/.m2/repository/org/dom4j/dom4j/2.1.4/dom4j-2.1.4.jar
MD5: 8246840e53db2781ca941e4d3f9ad715
SHA1: 35c16721b88cf17b8279fcb134c0abb161cc0e9b
SHA256:235a9167a8a199be04b5326d92927ca0adeb90d11f69fe2e821b34ce8433b591
Referenced In Project/Scope:Grouper Google Apps Provisioner:provided

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	dom4j	High
Vendor	jar	package name	dom4j	Highest
Vendor	Manifest	automatic-module-name	org.dom4j	Medium
Vendor	pom	artifactid	dom4j	Highest
Vendor	pom	artifactid	dom4j	Low
Vendor	pom	developer email	filip@jirsak.org	Low
Vendor	pom	developer name	Filip Jirsák	Medium
Vendor	pom	groupid	org.dom4j	Highest
Vendor	pom	name	dom4j	High
Vendor	pom	url	http://dom4j.github.io/	Highest
Product	file	name	dom4j	High
Product	jar	package name	dom4j	Highest
Product	Manifest	automatic-module-name	org.dom4j	Medium
Product	pom	artifactid	dom4j	Highest
Product	pom	developer email	filip@jirsak.org	Low
Product	pom	developer name	Filip Jirsák	Low
Product	pom	groupid	org.dom4j	Highest
Product	pom	name	dom4j	High
Product	pom	url	http://dom4j.github.io/	Medium
Version	file	version	2.1.4	High
Version	pom	version	2.1.4	Highest

Identifiers

pkg:maven/org.dom4j/dom4j@2.1.4 (Confidence:High)
cpe:2.3:a:dom4j_project:dom4j:2.1.4:*:*:*:*:*:*:* (Confidence:Highest)

Description:

Internet2 Groups Management Toolkit

License:

Apache 2 http://www.apache.org/licenses/LICENSE-2.0.txt

File Path: /var/grouper-docs/git/grouper/grouper/pom.xml

Referenced In Project/Scope:Grouper Google Apps Provisioner

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	pom	High
Vendor	project	artifactid	grouper	Low
Vendor	project	groupid	edu.internet2.middleware.grouper	Highest
Product	file	name	pom	High
Product	project	artifactid	grouper	Highest
Product	project	groupid	edu.internet2.middleware.grouper	Low

Identifiers

pkg:maven/edu.internet2.middleware.grouper/grouper@4.0.0-SNAPSHOT (Confidence:Highest)
cpe:2.3:a:internet2:grouper:4.0.0:snapshot:*:*:*:*:*:* (Confidence:Highest)

Description:

Client for Grouper LDAP and Web Services

License:

Apache 2 http://www.apache.org/licenses/LICENSE-2.0.txt

File Path: /var/grouper-docs/git/grouper/grouper-misc/grouperClient/pom.xml

Referenced In Project/Scope:Grouper Google Apps Provisioner

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	pom	High
Vendor	project	artifactid	grouperClient	Low
Vendor	project	groupid	edu.internet2.middleware.grouper	Highest
Product	file	name	pom	High
Product	project	artifactid	grouperClient	Highest
Product	project	groupid	edu.internet2.middleware.grouper	Low

Identifiers

pkg:maven/edu.internet2.middleware.grouper/grouperClient@4.0.0-SNAPSHOT (Confidence:Highest)
cpe:2.3:a:internet2:grouper:4.0.0:snapshot:*:*:*:*:*:* (Confidence:Highest)

Description:

This is the ehcache core module. Pair it with other modules for added functionality.

License:

The Apache Software License, Version 2.0: src/assemble/EHCACHE-CORE-LICENSE.txt

File Path: /home/grprdist/.m2/repository/net/sf/ehcache/ehcache-core/2.6.10/ehcache-core-2.6.10.jar
MD5: 206e69dbe0f3454dceee5acf71b64823
SHA1: 8e567a024e27e11b961ca068c5c367f845e21a9b
SHA256:53733a580faad03c8433a6a9f0067040f7ace569f4adeaf71f8aa46e1037e3c9
Referenced In Project/Scope:Grouper Google Apps Provisioner:provided

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	ehcache-core	High
Vendor	jar	package name	ehcache	Highest
Vendor	jar	package name	net	Highest
Vendor	jar	package name	sf	Highest
Vendor	pom	artifactid	ehcache-core	Highest
Vendor	pom	artifactid	ehcache-core	Low
Vendor	pom	groupid	net.sf.ehcache	Highest
Vendor	pom	name	Ehcache Core	High
Vendor	pom	parent-artifactid	ehcache-parent	Low
Vendor	pom	url	http://ehcache.org	Highest
Product	file	name	ehcache-core	High
Product	jar	package name	ehcache	Highest
Product	jar	package name	net	Highest
Product	jar	package name	sf	Highest
Product	pom	artifactid	ehcache-core	Highest
Product	pom	groupid	net.sf.ehcache	Highest
Product	pom	name	Ehcache Core	High
Product	pom	parent-artifactid	ehcache-parent	Medium
Product	pom	url	http://ehcache.org	Medium
Version	file	version	2.6.10	High
Version	pom	parent-version	2.6.10	Low
Version	pom	version	2.6.10	Highest

Identifiers

pkg:maven/net.sf.ehcache/ehcache-core@2.6.10 (Confidence:High)

File Path: /home/grprdist/.m2/repository/net/sf/ehcache/ehcache-core/2.6.10/ehcache-core-2.6.10.jar/net/sf/ehcache/pool/sizeof/sizeof-agent.jar
MD5: 5ad919b3ac0516897bdca079c9a222a8
SHA1: e86399a80ae6a6c7a563717eaa0ce9ba4708571c
SHA256:3bcd560ca5f05248db9b689244b043e9c7549e3791281631a64e5dfff15870d2
Referenced In Project/Scope:Grouper Google Apps Provisioner:provided

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	sizeof-agent	High
Vendor	jar	package name	ehcache	Highest
Vendor	jar	package name	net	Highest
Vendor	jar	package name	sf	Highest
Vendor	Manifest	hudson-build-number	6	Low
Vendor	Manifest	hudson-project	sizeof-agent_sizeof-agent-1.0.1_publisher	Low
Vendor	Manifest	jenkins-build-number	6	Low
Vendor	Manifest	jenkins-project	sizeof-agent_sizeof-agent-1.0.1_publisher	Low
Vendor	pom	artifactid	sizeof-agent	Low
Vendor	pom	groupid	net.sf.ehcache	Highest
Vendor	pom	name	Ehcache Size-Of Agent	High
Vendor	pom	parent-artifactid	ehcache-parent	Low
Vendor	pom	url	http://www.ehcache.org	Highest
Product	file	name	sizeof-agent	High
Product	jar	package name	ehcache	Highest
Product	jar	package name	net	Highest
Product	jar	package name	sf	Highest
Product	Manifest	hudson-build-number	6	Low
Product	Manifest	hudson-project	sizeof-agent_sizeof-agent-1.0.1_publisher	Low
Product	Manifest	jenkins-build-number	6	Low
Product	Manifest	jenkins-project	sizeof-agent_sizeof-agent-1.0.1_publisher	Low
Product	pom	artifactid	sizeof-agent	Highest
Product	pom	groupid	net.sf.ehcache	Highest
Product	pom	name	Ehcache Size-Of Agent	High
Product	pom	parent-artifactid	ehcache-parent	Medium
Product	pom	url	http://www.ehcache.org	Medium
Version	pom	parent-version	1.0.1	Low
Version	pom	version	1.0.1	Highest

Identifiers

pkg:maven/net.sf.ehcache/sizeof-agent@1.0.1 (Confidence:High)

Description:

      Simple java library for transforming an Object to another Object.

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt

File Path: /home/grprdist/.m2/repository/net/sf/ezmorph/ezmorph/1.0.6/ezmorph-1.0.6.jar
MD5: 1fa113c6aacf3a01af1449df77acd474
SHA1: 01e55d2a0253ea37745d33062852fd2c90027432
SHA256:2be06a2380f8656426b5c610db694bbd75314caf3e9191affcd7942721398ed7
Referenced In Project/Scope:Grouper Google Apps Provisioner:provided

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	ezmorph	High
Vendor	jar	package name	ezmorph	Highest
Vendor	jar	package name	ezmorph	Low
Vendor	jar	package name	net	Highest
Vendor	jar	package name	net	Low
Vendor	jar	package name	object	Highest
Vendor	jar	package name	sf	Highest
Vendor	jar	package name	sf	Low
Vendor	pom	artifactid	ezmorph	Highest
Vendor	pom	artifactid	ezmorph	Low
Vendor	pom	developer email	aalmiray@users.sourceforge.net	Low
Vendor	pom	developer id	aalmiray	Medium
Vendor	pom	developer name	Andres Almiray	Medium
Vendor	pom	groupid	net.sf.ezmorph	Highest
Vendor	pom	name	ezmorph	High
Vendor	pom	url	http://ezmorph.sourceforge.net	Highest
Product	file	name	ezmorph	High
Product	jar	package name	ezmorph	Highest
Product	jar	package name	ezmorph	Low
Product	jar	package name	net	Highest
Product	jar	package name	object	Highest
Product	jar	package name	sf	Highest
Product	jar	package name	sf	Low
Product	pom	artifactid	ezmorph	Highest
Product	pom	developer email	aalmiray@users.sourceforge.net	Low
Product	pom	developer id	aalmiray	Low
Product	pom	developer name	Andres Almiray	Low
Product	pom	groupid	net.sf.ezmorph	Highest
Product	pom	name	ezmorph	High
Product	pom	url	http://ezmorph.sourceforge.net	Medium
Version	file	version	1.0.6	High
Version	pom	version	1.0.6	Highest

Identifiers

pkg:maven/net.sf.ezmorph/ezmorph@1.0.6 (Confidence:High)

File Path: /home/grprdist/.m2/repository/org/apache/geronimo/specs/geronimo-jms_1.1_spec/1.1/geronimo-jms_1.1_spec-1.1.jar
MD5: 10e163bdd905d1c16d7e1c48427b5853
SHA1: bbd68f90d445de37050b1e9fb9d7114e83757e73
SHA256:0fe8cfc0154855316054162a9b355f66a43d7e65fc71886e6d12c37d3aa5a5fc
Referenced In Project/Scope:Grouper Google Apps Provisioner:provided

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	geronimo-jms_1.1_spec-1.1	High
Vendor	jar	package name	javax	Low
Vendor	jar	package name	jms	Highest
Vendor	jar	package name	jms	Low
Vendor	pom	artifactid	geronimo-jms_1.1_spec	Highest
Vendor	pom	artifactid	geronimo-jms_1.1_spec	Low
Vendor	pom	groupid	org.apache.geronimo.specs	Highest
Vendor	pom	name	JMS 1.1	High
Vendor	pom	parent-artifactid	specs	Low
Product	file	name	geronimo-jms_1.1_spec-1.1	High
Product	jar	package name	jms	Highest
Product	jar	package name	jms	Low
Product	pom	artifactid	geronimo-jms_1.1_spec	Highest
Product	pom	groupid	org.apache.geronimo.specs	Highest
Product	pom	name	JMS 1.1	High
Product	pom	parent-artifactid	specs	Medium
Version	pom	parent-version	1.1	Low
Version	pom	version	1.1	Highest

Identifiers

pkg:maven/org.apache.geronimo.specs/geronimo-jms_1.1_spec@1.1 (Confidence:High)

Description:

Java Message Service 2.0 API

License:

http://www.apache.org/licenses/LICENSE-2.0.txt

File Path: /home/grprdist/.m2/repository/org/apache/geronimo/specs/geronimo-jms_2.0_spec/1.0-alpha-2/geronimo-jms_2.0_spec-1.0-alpha-2.jar
MD5: bd94cfcc9f711642d280681330b14844
SHA1: 8d8a4d5a80138ba4ebc7b5509989e3d7013c7e74
SHA256:62a109edef3de718b0cb600bf040b4be5e32c683a57ee16f9f8a89537bf5da51
Referenced In Project/Scope:Grouper Google Apps Provisioner:provided

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	geronimo-jms_2.0_spec-1.0-alpha-2	High
Vendor	jar	package name	jms	Highest
Vendor	jar	package name	message	Highest
Vendor	Manifest	bundle-docurl	http://geronimo.apache.org/maven/specs/geronimo-jms_2.0_spec/1.0-alpha-2	Low
Vendor	Manifest	bundle-symbolicname	org.apache.geronimo.specs.geronimo-jms_2.0_spec	Medium
Vendor	pom	artifactid	geronimo-jms_2.0_spec	Highest
Vendor	pom	artifactid	geronimo-jms_2.0_spec	Low
Vendor	pom	groupid	org.apache.geronimo.specs	Highest
Vendor	pom	name	Apache Geronimo JMS Spec 2.0	High
Vendor	pom	parent-artifactid	genesis-java6-flava	Low
Vendor	pom	parent-groupid	org.apache.geronimo.genesis	Medium
Vendor	pom	url	http://geronimo.apache.org/maven/${siteId}/${version}	Highest
Vendor	pom	url	http://geronimo.apache.org/maven/${siteId}/1.0-alpha-2	Highest
Product	file	name	geronimo-jms_2.0_spec-1.0-alpha-2	High
Product	jar	package name	jms	Highest
Product	jar	package name	message	Highest
Product	Manifest	bundle-docurl	http://geronimo.apache.org/maven/specs/geronimo-jms_2.0_spec/1.0-alpha-2	Low
Product	Manifest	Bundle-Name	Apache Geronimo JMS Spec 2.0	Medium
Product	Manifest	bundle-symbolicname	org.apache.geronimo.specs.geronimo-jms_2.0_spec	Medium
Product	Manifest	Implementation-Title	Apache Geronimo JMS Spec 2.0	High
Product	pom	artifactid	geronimo-jms_2.0_spec	Highest
Product	pom	groupid	org.apache.geronimo.specs	Highest
Product	pom	name	Apache Geronimo JMS Spec 2.0	High
Product	pom	parent-artifactid	genesis-java6-flava	Medium
Product	pom	parent-groupid	org.apache.geronimo.genesis	Medium
Product	pom	url	http://geronimo.apache.org/maven/${siteId}/${version}	Medium
Product	pom	url	http://geronimo.apache.org/maven/${siteId}/1.0-alpha-2	Medium
Version	Manifest	Implementation-Version	1.0-alpha-2	High
Version	pom	parent-version	1.0-alpha-2	Low
Version	pom	version	1.0-alpha-2	Highest

Identifiers

pkg:maven/org.apache.geronimo.specs/geronimo-jms_2.0_spec@1.0-alpha-2 (Confidence:High)

Description:

The Google API Client Library for Java provides functionality common to all Google APIs; for example HTTP transport, error handling, authentication, JSON parsing, media download/upload, and batching.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt

File Path: /home/grprdist/.m2/repository/com/google/api-client/google-api-client/1.25.0/google-api-client-1.25.0.jar
MD5: dbeddb59844ea8fbd9416a0c017a627f
SHA1: e7ff725e89ff5dcbed107be1a24e8102ae2441ee
SHA256:24e1a69d6c04e6e72e3e16757d46d32daa7dd43cb32c3895f832f25358be1402
Referenced In Project/Scope:Grouper Google Apps Provisioner:compile

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	google-api-client	High
Vendor	jar	package name	api	Highest
Vendor	jar	package name	client	Highest
Vendor	jar	package name	google	Highest
Vendor	jar	package name	googleapis	Highest
Vendor	Manifest	bundle-docurl	https://developers.google.com/api-client-library/java/	Low
Vendor	Manifest	bundle-symbolicname	com.google.api.client.googleapis	Medium
Vendor	Manifest	Implementation-Vendor	Google	High
Vendor	Manifest	Implementation-Vendor-Id	com.google.api-client	Medium
Vendor	Manifest	require-capability	osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.6))"	Low
Vendor	pom	artifactid	google-api-client	Highest
Vendor	pom	artifactid	google-api-client	Low
Vendor	pom	groupid	com.google.api-client	Highest
Vendor	pom	name	Google APIs Client Library for Java	High
Vendor	pom	parent-artifactid	google-api-client-parent	Low
Product	file	name	google-api-client	High
Product	jar	package name	api	Highest
Product	jar	package name	client	Highest
Product	jar	package name	google	Highest
Product	jar	package name	googleapis	Highest
Product	Manifest	bundle-docurl	https://developers.google.com/api-client-library/java/	Low
Product	Manifest	Bundle-Name	Google APIs Client Library for Java	Medium
Product	Manifest	bundle-symbolicname	com.google.api.client.googleapis	Medium
Product	Manifest	Implementation-Title	Google APIs Client Library for Java	High
Product	Manifest	require-capability	osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.6))"	Low
Product	pom	artifactid	google-api-client	Highest
Product	pom	groupid	com.google.api-client	Highest
Product	pom	name	Google APIs Client Library for Java	High
Product	pom	parent-artifactid	google-api-client-parent	Medium
Version	file	version	1.25.0	High
Version	Manifest	Bundle-Version	1.25.0	High
Version	Manifest	Implementation-Version	1.25.0	High
Version	pom	version	1.25.0	Highest

Identifiers

pkg:maven/com.google.api-client/google-api-client@1.25.0 (Confidence:High)

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt

File Path: /home/grprdist/.m2/repository/com/google/apis/google-api-services-admin-directory/directory_v1-rev118-1.25.0/google-api-services-admin-directory-directory_v1-rev118-1.25.0.jar
MD5: 093bffe6a1b932e74232d16f654ddc1e
SHA1: cb4be66bd057795f15773450d89a38036c39b44a
SHA256:e4e39591006de30a5949b75665aadd003267f49c1595946b7f855b9a62b155e3
Referenced In Project/Scope:Grouper Google Apps Provisioner:compile

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	google-api-services-admin-directory-directory_v1-rev118	High
Vendor	jar	package name	admin	Highest
Vendor	jar	package name	api	Highest
Vendor	jar	package name	api	Low
Vendor	jar	package name	google	Highest
Vendor	jar	package name	google	Low
Vendor	jar	package name	services	Highest
Vendor	jar	package name	services	Low
Vendor	pom	artifactid	google-api-services-admin-directory	Highest
Vendor	pom	artifactid	google-api-services-admin-directory	Low
Vendor	pom	groupid	com.google.apis	Highest
Vendor	pom	name	Admin Directory API directory_v1-rev118-1.25.0	High
Vendor	pom	organization name	Google	High
Vendor	pom	organization url	http://www.google.com/	Medium
Product	file	name	google-api-services-admin-directory-directory_v1-rev118	High
Product	jar	package name	admin	Highest
Product	jar	package name	admin	Low
Product	jar	package name	api	Highest
Product	jar	package name	api	Low
Product	jar	package name	google	Highest
Product	jar	package name	services	Highest
Product	jar	package name	services	Low
Product	pom	artifactid	google-api-services-admin-directory	Highest
Product	pom	groupid	com.google.apis	Highest
Product	pom	name	Admin Directory API directory_v1-rev118-1.25.0	High
Product	pom	organization name	Google	Low
Product	pom	organization url	http://www.google.com/	Low
Version	pom	version	directory_v1-rev118-1.25.0	Highest

Identifiers

pkg:maven/com.google.apis/google-api-services-admin-directory@directory_v1-rev118-1.25.0 (Confidence:High)

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt

File Path: /home/grprdist/.m2/repository/com/google/apis/google-api-services-groupssettings/v1-rev82-1.25.0/google-api-services-groupssettings-v1-rev82-1.25.0.jar
MD5: e1791393caa9941e855ca0210ad0137d
SHA1: 5337b0fa1813cf3e8f40afc7039c9b952a792170
SHA256:4155714fb255173943c60182f5796ed16a5efce7cd9abb547933f6c6bfe04e87
Referenced In Project/Scope:Grouper Google Apps Provisioner:compile

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	google-api-services-groupssettings-v1-rev82	High
Vendor	jar	package name	api	Highest
Vendor	jar	package name	api	Low
Vendor	jar	package name	google	Highest
Vendor	jar	package name	google	Low
Vendor	jar	package name	groupssettings	Highest
Vendor	jar	package name	services	Highest
Vendor	jar	package name	services	Low
Vendor	pom	artifactid	google-api-services-groupssettings	Highest
Vendor	pom	artifactid	google-api-services-groupssettings	Low
Vendor	pom	groupid	com.google.apis	Highest
Vendor	pom	name	Groups Settings API v1-rev82-1.25.0	High
Vendor	pom	organization name	Google	High
Vendor	pom	organization url	http://www.google.com/	Medium
Product	file	name	google-api-services-groupssettings-v1-rev82	High
Product	jar	package name	api	Highest
Product	jar	package name	api	Low
Product	jar	package name	google	Highest
Product	jar	package name	groupssettings	Highest
Product	jar	package name	groupssettings	Low
Product	jar	package name	services	Highest
Product	jar	package name	services	Low
Product	pom	artifactid	google-api-services-groupssettings	Highest
Product	pom	groupid	com.google.apis	Highest
Product	pom	name	Groups Settings API v1-rev82-1.25.0	High
Product	pom	organization name	Google	Low
Product	pom	organization url	http://www.google.com/	Low
Version	pom	version	v1-rev82-1.25.0	Highest

Identifiers

pkg:maven/com.google.apis/google-api-services-groupssettings@v1-rev82-1.25.0 (Confidence:High)

Description:

    Google HTTP Client Library for Java. Functionality that works on all supported Java platforms,
    including Java 5 (or higher) desktop (SE) and web (EE), Android, and Google App Engine.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt

File Path: /home/grprdist/.m2/repository/com/google/http-client/google-http-client/1.25.0/google-http-client-1.25.0.jar
MD5: d28fdd84656ffe586d56ab6492509dd6
SHA1: 5fb16523c393bfe0210c29db44742bd308311841
SHA256:fb7d80a515da4618e2b402e1fef96999e07621b381a5889ef091482c5a3e961d
Referenced In Project/Scope:Grouper Google Apps Provisioner:compile

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	google-http-client	High
Vendor	jar	package name	client	Highest
Vendor	jar	package name	google	Highest
Vendor	jar	package name	http	Highest
Vendor	Manifest	bundle-docurl	http://www.google.com/	Low
Vendor	Manifest	bundle-symbolicname	com.google.http-client.google-http-client	Medium
Vendor	Manifest	Implementation-Vendor	Google	High
Vendor	Manifest	Implementation-Vendor-Id	com.google.http-client	Medium
Vendor	Manifest	require-capability	osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.6))"	Low
Vendor	pom	artifactid	google-http-client	Highest
Vendor	pom	artifactid	google-http-client	Low
Vendor	pom	groupid	com.google.http-client	Highest
Vendor	pom	name	Google HTTP Client Library for Java	High
Vendor	pom	parent-artifactid	google-http-client-parent	Low
Product	file	name	google-http-client	High
Product	jar	package name	client	Highest
Product	jar	package name	google	Highest
Product	jar	package name	http	Highest
Product	Manifest	bundle-docurl	http://www.google.com/	Low
Product	Manifest	Bundle-Name	Google HTTP Client Library for Java	Medium
Product	Manifest	bundle-symbolicname	com.google.http-client.google-http-client	Medium
Product	Manifest	Implementation-Title	Google HTTP Client Library for Java	High
Product	Manifest	require-capability	osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.6))"	Low
Product	pom	artifactid	google-http-client	Highest
Product	pom	groupid	com.google.http-client	Highest
Product	pom	name	Google HTTP Client Library for Java	High
Product	pom	parent-artifactid	google-http-client-parent	Medium
Version	file	version	1.25.0	High
Version	Manifest	Bundle-Version	1.25.0	High
Version	Manifest	Implementation-Version	1.25.0	High
Version	pom	version	1.25.0	Highest

Identifiers

pkg:maven/com.google.http-client/google-http-client@1.25.0 (Confidence:High)

File Path: /home/grprdist/.m2/repository/com/google/http-client/google-http-client-jackson2/1.25.0/google-http-client-jackson2-1.25.0.jar
MD5: 5e7de7ec9216d4747dcbdc5b6d08d560
SHA1: 7c5c89bd4d0d34d9f1cb3396e8da6233e5074b5c
SHA256:f9e7e0d318860a2092d70b56331976280c4e9348a065ede3b99c92aa032fd853
Referenced In Project/Scope:Grouper Google Apps Provisioner:compile

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	google-http-client-jackson2	High
Vendor	jar	package name	client	Highest
Vendor	jar	package name	google	Highest
Vendor	Manifest	Implementation-Vendor	Google	High
Vendor	Manifest	Implementation-Vendor-Id	com.google.http-client	Medium
Vendor	pom	artifactid	google-http-client-jackson2	Highest
Vendor	pom	artifactid	google-http-client-jackson2	Low
Vendor	pom	groupid	com.google.http-client	Highest
Vendor	pom	name	Jackson 2 extensions to the Google HTTP Client Library for Java.	High
Vendor	pom	parent-artifactid	google-http-client-parent	Low
Product	file	name	google-http-client-jackson2	High
Product	jar	package name	client	Highest
Product	jar	package name	google	Highest
Product	Manifest	Implementation-Title	Jackson 2 extensions to the Google HTTP Client Library for Java.	High
Product	pom	artifactid	google-http-client-jackson2	Highest
Product	pom	groupid	com.google.http-client	Highest
Product	pom	name	Jackson 2 extensions to the Google HTTP Client Library for Java.	High
Product	pom	parent-artifactid	google-http-client-parent	Medium
Version	file	version	1.25.0	High
Version	Manifest	Implementation-Version	1.25.0	High
Version	pom	version	1.25.0	Highest

Identifiers

pkg:maven/com.google.http-client/google-http-client-jackson2@1.25.0 (Confidence:High)

Description:

    Google OAuth Client Library for Java. Functionality that works on all supported Java platforms,
    including Java 5 (or higher) desktop (SE) and web (EE), Android, and Google App Engine.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt

File Path: /home/grprdist/.m2/repository/com/google/oauth-client/google-oauth-client/1.25.0/google-oauth-client-1.25.0.jar
MD5: 6fd6dc606bb8c17c9a6d61e21533f010
SHA1: c9ee14e8b095b4b301b28d57755cc482b8d6f39f
SHA256:7e2929133d4231e702b5956a7e5dc8347a352acc1e97082b40c3585b81cd3501
Referenced In Project/Scope:Grouper Google Apps Provisioner:compile

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	google-oauth-client	High
Vendor	jar	package name	client	Highest
Vendor	jar	package name	google	Highest
Vendor	Manifest	bundle-docurl	http://www.google.com/	Low
Vendor	Manifest	bundle-requiredexecutionenvironment	JavaSE-1.6	Low
Vendor	Manifest	bundle-symbolicname	com.google.oauth-client	Medium
Vendor	Manifest	Implementation-Vendor	Google	High
Vendor	Manifest	Implementation-Vendor-Id	com.google.oauth-client	Medium
Vendor	Manifest	require-capability	osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.6))"	Low
Vendor	pom	artifactid	google-oauth-client	Highest
Vendor	pom	artifactid	google-oauth-client	Low
Vendor	pom	groupid	com.google.oauth-client	Highest
Vendor	pom	name	Google OAuth Client Library for Java	High
Vendor	pom	parent-artifactid	google-oauth-client-parent	Low
Product	file	name	google-oauth-client	High
Product	jar	package name	client	Highest
Product	jar	package name	google	Highest
Product	Manifest	bundle-docurl	http://www.google.com/	Low
Product	Manifest	Bundle-Name	Google OAuth Client Library for Java	Medium
Product	Manifest	bundle-requiredexecutionenvironment	JavaSE-1.6	Low
Product	Manifest	bundle-symbolicname	com.google.oauth-client	Medium
Product	Manifest	Implementation-Title	Google OAuth Client Library for Java	High
Product	Manifest	require-capability	osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.6))"	Low
Product	pom	artifactid	google-oauth-client	Highest
Product	pom	groupid	com.google.oauth-client	Highest
Product	pom	name	Google OAuth Client Library for Java	High
Product	pom	parent-artifactid	google-oauth-client-parent	Medium
Version	file	version	1.25.0	High
Version	Manifest	Bundle-Version	1.25.0	High
Version	Manifest	Implementation-Version	1.25.0	High
Version	pom	version	1.25.0	Highest

Identifiers

pkg:maven/com.google.oauth-client/google-oauth-client@1.25.0 (Confidence:High)
cpe:2.3:a:google:oauth_client_library_for_java:1.25.0:*:*:*:*:*:*:* (Confidence:Low)

Published Vulnerabilities

CVE-2020-7692

PKCE support is not implemented in accordance with the RFC for OAuth 2.0 for Native Apps. Without the use of PKCE, the authorization code returned by an authorization server is not enough to guarantee that the client that issued the initial authorization request is the one that will be authorized. An attacker is able to obtain the authorization code using a malicious app on the client-side and use it to gain authorization to the protected resource. This affects the package com.google.oauth-client:google-oauth-client before 1.31.0.

CWE-863 Incorrect Authorization

CVSSv2:

Base Score: MEDIUM (6.4)
Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:N

CVSSv3:

Base Score: CRITICAL (9.1)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

References:

Vulnerable Software & Versions:

cpe:2.3:a:google:oauth_client_library_for_java:*:*:*:*:*:*:*:* versions up to (excluding) 1.31.0

CVE-2021-22573

The vulnerability is that IDToken verifier does not verify if token is properly signed. Signature verification makes sure that the token's payload comes from valid provider, not from someone else. An attacker can provide a compromised token with custom payload. The token will pass the validation on the client side. We recommend upgrading to version 1.33.3 or above

CWE-347 Improper Verification of Cryptographic Signature

CVSSv2:

Base Score: LOW (3.5)
Vector: /AV:N/AC:M/Au:S/C:N/I:P/A:N

CVSSv3:

Base Score: HIGH (7.3)
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N

References:

Vulnerable Software & Versions:

cpe:2.3:a:google:oauth_client_library_for_java:*:*:*:*:*:*:*:* versions up to (excluding) 1.33.3

Description:

Groovy: A powerful, dynamic language for the JVM

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt

File Path: /home/grprdist/.m2/repository/org/codehaus/groovy/groovy/2.5.18/groovy-2.5.18.jar
MD5: f3de969ce974116e3e262c591dfc8ef2
SHA1: 798c6b66235338deeab9ecffa8942c67a0357abe
SHA256:ce352918c7fc06c700bc7f13cbd00226042bc146a899eb52ff5b522a092a309c
Referenced In Project/Scope:Grouper Google Apps Provisioner:provided

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	groovy	High
Vendor	jar	package name	apache	Highest
Vendor	jar	package name	codehaus	Highest
Vendor	jar	package name	groovy	Highest
Vendor	Manifest	automatic-module-name	org.codehaus.groovy	Medium
Vendor	Manifest	bundle-symbolicname	groovy	Medium
Vendor	Manifest	eclipse-buddypolicy	dependent	Low
Vendor	Manifest	eclipse-extensibleapi	true	Low
Vendor	Manifest	extension-name	groovy	Medium
Vendor	Manifest	Implementation-Vendor	The Apache Software Foundation	High
Vendor	Manifest	require-capability	osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.7))"	Low
Vendor	Manifest	specification-vendor	The Apache Software Foundation	Low
Vendor	pom	artifactid	groovy	Highest
Vendor	pom	artifactid	groovy	Low
Vendor	pom	developer email	aalmiray@users.sourceforge.net	Low
Vendor	pom	developer email	b55r@sina.com	Low
Vendor	pom	developer email	blackdrag@gmx.org	Low
Vendor	pom	developer email	bob@werken.com	Low
Vendor	pom	developer email	cedric.champeau@gmail.com	Low
Vendor	pom	developer email	ckl@dacelo.nl	Low
Vendor	pom	developer email	cpoirier@dreaming.org	Low
Vendor	pom	developer email	goetze@dovetail.com	Low
Vendor	pom	developer email	guillaume.alleon@gmail.com	Low
Vendor	pom	developer email	hamletdrc@gmail.com	Low
Vendor	pom	developer email	james@coredevelopers.com	Low
Vendor	pom	developer email	jason@planet57.com	Low
Vendor	pom	developer email	jeremy.rayner@gmail.com	Low
Vendor	pom	developer email	jim@pagesmiths.com	Low
Vendor	pom	developer email	johnstump2@yahoo.com	Low
Vendor	pom	developer email	mguillemot@yahoo.fr	Low
Vendor	pom	developer email	paulk@asert.com.au	Low
Vendor	pom	developer email	phkim@cluecom.co.kr	Low
Vendor	pom	developer email	pniederw@gmail.com	Low
Vendor	pom	developer email	russel@winder.org.uk	Low
Vendor	pom	developer email	sam@sampullara.com	Low
Vendor	pom	developer email	sormuras@gmx.de	Low
Vendor	pom	developer email	tug@wilson.co.uk	Low
Vendor	pom	developer id	aalmiray	Medium
Vendor	pom	developer id	alextkachman	Medium
Vendor	pom	developer id	andresteingress	Medium
Vendor	pom	developer id	blackdrag	Medium
Vendor	pom	developer id	bob	Medium
Vendor	pom	developer id	bran	Medium
Vendor	pom	developer id	ckl	Medium
Vendor	pom	developer id	cpoirier	Medium
Vendor	pom	developer id	cstein	Medium
Vendor	pom	developer id	emilles	Medium
Vendor	pom	developer id	galleon	Medium
Vendor	pom	developer id	glaforge	Medium
Vendor	pom	developer id	goetze	Medium
Vendor	pom	developer id	grocher	Medium
Vendor	pom	developer id	hamletdrc	Medium
Vendor	pom	developer id	jamiemc	Medium
Vendor	pom	developer id	jez	Medium
Vendor	pom	developer id	jimwhite	Medium
Vendor	pom	developer id	joe	Medium
Vendor	pom	developer id	jstrachan	Medium
Vendor	pom	developer id	jstump	Medium
Vendor	pom	developer id	jwill	Medium
Vendor	pom	developer id	jwilson	Medium
Vendor	pom	developer id	kasper	Medium
Vendor	pom	developer id	mattf	Medium
Vendor	pom	developer id	melix	Medium
Vendor	pom	developer id	mguillem	Medium
Vendor	pom	developer id	mittie	Medium
Vendor	pom	developer id	pascalschumacher	Medium
Vendor	pom	developer id	paulk	Medium
Vendor	pom	developer id	phk	Medium
Vendor	pom	developer id	pniederw	Medium
Vendor	pom	developer id	roshandawrani	Medium
Vendor	pom	developer id	rpopma	Medium
Vendor	pom	developer id	russel	Medium
Vendor	pom	developer id	shemnon	Medium
Vendor	pom	developer id	skizz	Medium
Vendor	pom	developer id	spullara	Medium
Vendor	pom	developer id	sunlan	Medium
Vendor	pom	developer id	timyates	Medium
Vendor	pom	developer id	travis	Medium
Vendor	pom	developer id	user57	Medium
Vendor	pom	developer id	zohar	Medium
Vendor	pom	developer name	Alex Tkachman	Medium
Vendor	pom	developer name	Andre Steingress	Medium
Vendor	pom	developer name	Andres Almiray	Medium
Vendor	pom	developer name	Bing Ran	Medium
Vendor	pom	developer name	bob mcwhirter	Medium
Vendor	pom	developer name	Cedric Champeau	Medium
Vendor	pom	developer name	Chris Poirier	Medium
Vendor	pom	developer name	Chris Stevenson	Medium
Vendor	pom	developer name	Christiaan ten Klooster	Medium
Vendor	pom	developer name	Christian Stein	Medium
Vendor	pom	developer name	Daniel Sun	Medium
Vendor	pom	developer name	Danno Ferrin	Medium
Vendor	pom	developer name	Dierk Koenig	Medium
Vendor	pom	developer name	Eric Milles	Medium
Vendor	pom	developer name	Graeme Rocher	Medium
Vendor	pom	developer name	Guillaume Alleon	Medium
Vendor	pom	developer name	Guillaume Laforge	Medium
Vendor	pom	developer name	Hamlet D'Arcy	Medium
Vendor	pom	developer name	James Strachan	Medium
Vendor	pom	developer name	James Williams	Medium
Vendor	pom	developer name	Jamie McCrindle	Medium
Vendor	pom	developer name	Jason Dillon	Medium
Vendor	pom	developer name	Jeremy Rayner	Medium
Vendor	pom	developer name	Jim White	Medium
Vendor	pom	developer name	Jochen Theodorou	Medium
Vendor	pom	developer name	Joe Walnes	Medium
Vendor	pom	developer name	John Stump	Medium
Vendor	pom	developer name	John Wilson	Medium
Vendor	pom	developer name	Kasper Nielsen	Medium
Vendor	pom	developer name	Marc Guillemot	Medium
Vendor	pom	developer name	Matt Foemmel	Medium
Vendor	pom	developer name	Pascal Schumacher	Medium
Vendor	pom	developer name	Paul King	Medium
Vendor	pom	developer name	Peter Niederwieser	Medium
Vendor	pom	developer name	Pilho Kim	Medium
Vendor	pom	developer name	Remko Popma	Medium
Vendor	pom	developer name	Roshan Dawrani	Medium
Vendor	pom	developer name	Russel Winder	Medium
Vendor	pom	developer name	Sam Pullara	Medium
Vendor	pom	developer name	Steve Goetze	Medium
Vendor	pom	developer name	Tim Yates	Medium
Vendor	pom	developer name	Travis Kay	Medium
Vendor	pom	developer name	Zohar Melamed	Medium
Vendor	pom	developer org	Concertant LLP & It'z Interactive Ltd	Medium
Vendor	pom	developer org	Core Developers Network	Medium
Vendor	pom	developer org	CTSR.de	Medium
Vendor	pom	developer org	Dacelo WebDevelopment	Medium
Vendor	pom	developer org	Dovetailed Technologies, LLC	Medium
Vendor	pom	developer org	Google	Medium
Vendor	pom	developer org	IFCX.org	Medium
Vendor	pom	developer org	javanicus	Medium
Vendor	pom	developer org	Karakun AG	Medium
Vendor	pom	developer org	Leadingcare	Medium
Vendor	pom	developer org	OCI, Australia	Medium
Vendor	pom	developer org	The Werken Company	Medium
Vendor	pom	developer org	The Wilson Partnership	Medium
Vendor	pom	developer org	Thomson Reuters	Medium
Vendor	pom	developer org	ThoughtWorks	Medium
Vendor	pom	developer org	Three	Medium
Vendor	pom	groupid	org.codehaus.groovy	Highest
Vendor	pom	name	Apache Groovy	High
Vendor	pom	organization name	Apache Software Foundation	High
Vendor	pom	organization url	https://apache.org	Medium
Vendor	pom	url	https://groovy-lang.org	Highest
Product	file	name	groovy	High
Product	jar	package name	apache	Highest
Product	jar	package name	codehaus	Highest
Product	jar	package name	groovy	Highest
Product	jar	package name	runtime	Highest
Product	jar	package name	version	Highest
Product	Manifest	automatic-module-name	org.codehaus.groovy	Medium
Product	Manifest	Bundle-Name	Groovy Runtime	Medium
Product	Manifest	bundle-symbolicname	groovy	Medium
Product	Manifest	eclipse-buddypolicy	dependent	Low
Product	Manifest	eclipse-extensibleapi	true	Low
Product	Manifest	extension-name	groovy	Medium
Product	Manifest	Implementation-Title	Groovy: a powerful, dynamic language for the JVM	High
Product	Manifest	require-capability	osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.7))"	Low
Product	Manifest	specification-title	Groovy: a powerful, dynamic language for the JVM	Medium
Product	pom	artifactid	groovy	Highest
Product	pom	developer email	aalmiray@users.sourceforge.net	Low
Product	pom	developer email	b55r@sina.com	Low
Product	pom	developer email	blackdrag@gmx.org	Low
Product	pom	developer email	bob@werken.com	Low
Product	pom	developer email	cedric.champeau@gmail.com	Low
Product	pom	developer email	ckl@dacelo.nl	Low
Product	pom	developer email	cpoirier@dreaming.org	Low
Product	pom	developer email	goetze@dovetail.com	Low
Product	pom	developer email	guillaume.alleon@gmail.com	Low
Product	pom	developer email	hamletdrc@gmail.com	Low
Product	pom	developer email	james@coredevelopers.com	Low
Product	pom	developer email	jason@planet57.com	Low
Product	pom	developer email	jeremy.rayner@gmail.com	Low
Product	pom	developer email	jim@pagesmiths.com	Low
Product	pom	developer email	johnstump2@yahoo.com	Low
Product	pom	developer email	mguillemot@yahoo.fr	Low
Product	pom	developer email	paulk@asert.com.au	Low
Product	pom	developer email	phkim@cluecom.co.kr	Low
Product	pom	developer email	pniederw@gmail.com	Low
Product	pom	developer email	russel@winder.org.uk	Low
Product	pom	developer email	sam@sampullara.com	Low
Product	pom	developer email	sormuras@gmx.de	Low
Product	pom	developer email	tug@wilson.co.uk	Low
Product	pom	developer id	aalmiray	Low
Product	pom	developer id	alextkachman	Low
Product	pom	developer id	andresteingress	Low
Product	pom	developer id	blackdrag	Low
Product	pom	developer id	bob	Low
Product	pom	developer id	bran	Low
Product	pom	developer id	ckl	Low
Product	pom	developer id	cpoirier	Low
Product	pom	developer id	cstein	Low
Product	pom	developer id	emilles	Low
Product	pom	developer id	galleon	Low
Product	pom	developer id	glaforge	Low
Product	pom	developer id	goetze	Low
Product	pom	developer id	grocher	Low
Product	pom	developer id	hamletdrc	Low
Product	pom	developer id	jamiemc	Low
Product	pom	developer id	jez	Low
Product	pom	developer id	jimwhite	Low
Product	pom	developer id	joe	Low
Product	pom	developer id	jstrachan	Low
Product	pom	developer id	jstump	Low
Product	pom	developer id	jwill	Low
Product	pom	developer id	jwilson	Low
Product	pom	developer id	kasper	Low
Product	pom	developer id	mattf	Low
Product	pom	developer id	melix	Low
Product	pom	developer id	mguillem	Low
Product	pom	developer id	mittie	Low
Product	pom	developer id	pascalschumacher	Low
Product	pom	developer id	paulk	Low
Product	pom	developer id	phk	Low
Product	pom	developer id	pniederw	Low
Product	pom	developer id	roshandawrani	Low
Product	pom	developer id	rpopma	Low
Product	pom	developer id	russel	Low
Product	pom	developer id	shemnon	Low
Product	pom	developer id	skizz	Low
Product	pom	developer id	spullara	Low
Product	pom	developer id	sunlan	Low
Product	pom	developer id	timyates	Low
Product	pom	developer id	travis	Low
Product	pom	developer id	user57	Low
Product	pom	developer id	zohar	Low
Product	pom	developer name	Alex Tkachman	Low
Product	pom	developer name	Andre Steingress	Low
Product	pom	developer name	Andres Almiray	Low
Product	pom	developer name	Bing Ran	Low
Product	pom	developer name	bob mcwhirter	Low
Product	pom	developer name	Cedric Champeau	Low
Product	pom	developer name	Chris Poirier	Low
Product	pom	developer name	Chris Stevenson	Low
Product	pom	developer name	Christiaan ten Klooster	Low
Product	pom	developer name	Christian Stein	Low
Product	pom	developer name	Daniel Sun	Low
Product	pom	developer name	Danno Ferrin	Low
Product	pom	developer name	Dierk Koenig	Low
Product	pom	developer name	Eric Milles	Low
Product	pom	developer name	Graeme Rocher	Low
Product	pom	developer name	Guillaume Alleon	Low
Product	pom	developer name	Guillaume Laforge	Low
Product	pom	developer name	Hamlet D'Arcy	Low
Product	pom	developer name	James Strachan	Low
Product	pom	developer name	James Williams	Low
Product	pom	developer name	Jamie McCrindle	Low
Product	pom	developer name	Jason Dillon	Low
Product	pom	developer name	Jeremy Rayner	Low
Product	pom	developer name	Jim White	Low
Product	pom	developer name	Jochen Theodorou	Low
Product	pom	developer name	Joe Walnes	Low
Product	pom	developer name	John Stump	Low
Product	pom	developer name	John Wilson	Low
Product	pom	developer name	Kasper Nielsen	Low
Product	pom	developer name	Marc Guillemot	Low
Product	pom	developer name	Matt Foemmel	Low
Product	pom	developer name	Pascal Schumacher	Low
Product	pom	developer name	Paul King	Low
Product	pom	developer name	Peter Niederwieser	Low
Product	pom	developer name	Pilho Kim	Low
Product	pom	developer name	Remko Popma	Low
Product	pom	developer name	Roshan Dawrani	Low
Product	pom	developer name	Russel Winder	Low
Product	pom	developer name	Sam Pullara	Low
Product	pom	developer name	Steve Goetze	Low
Product	pom	developer name	Tim Yates	Low
Product	pom	developer name	Travis Kay	Low
Product	pom	developer name	Zohar Melamed	Low
Product	pom	developer org	Concertant LLP & It'z Interactive Ltd	Low
Product	pom	developer org	Core Developers Network	Low
Product	pom	developer org	CTSR.de	Low
Product	pom	developer org	Dacelo WebDevelopment	Low
Product	pom	developer org	Dovetailed Technologies, LLC	Low
Product	pom	developer org	Google	Low
Product	pom	developer org	IFCX.org	Low
Product	pom	developer org	javanicus	Low
Product	pom	developer org	Karakun AG	Low
Product	pom	developer org	Leadingcare	Low
Product	pom	developer org	OCI, Australia	Low
Product	pom	developer org	The Werken Company	Low
Product	pom	developer org	The Wilson Partnership	Low
Product	pom	developer org	Thomson Reuters	Low
Product	pom	developer org	ThoughtWorks	Low
Product	pom	developer org	Three	Low
Product	pom	groupid	org.codehaus.groovy	Highest
Product	pom	name	Apache Groovy	High
Product	pom	organization name	Apache Software Foundation	Low
Product	pom	organization url	https://apache.org	Low
Product	pom	url	https://groovy-lang.org	Medium
Version	file	version	2.5.18	High
Version	Manifest	Bundle-Version	2.5.18	High
Version	Manifest	Implementation-Version	2.5.18	High
Version	pom	version	2.5.18	Highest

Identifiers

pkg:maven/org.codehaus.groovy/groovy@2.5.18 (Confidence:High)
cpe:2.3:a:apache:groovy:2.5.18:*:*:*:*:*:*:* (Confidence:Highest)

Description:

Groovy: A powerful, dynamic language for the JVM

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt

File Path: /home/grprdist/.m2/repository/org/codehaus/groovy/groovy-xml/2.5.18/groovy-xml-2.5.18.jar
MD5: f6c37df32d9c4837944d07f775f5d51e
SHA1: 42e42df001f431da9ca965495d56cdaad93a2f0b
SHA256:a474f0f15088281be9e94639be4c1aa873d40fdb8e540220f17c071ae1490673
Referenced In Project/Scope:Grouper Google Apps Provisioner:provided

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	groovy-xml	High
Vendor	jar	package name	codehaus	Highest
Vendor	jar	package name	groovy	Highest
Vendor	jar	package name	xml	Highest
Vendor	Manifest	automatic-module-name	org.codehaus.groovy.xml	Medium
Vendor	Manifest	bundle-symbolicname	groovy-xml	Medium
Vendor	Manifest	eclipse-buddypolicy	dependent	Low
Vendor	Manifest	fragment-host	groovy	Low
Vendor	Manifest	Implementation-Vendor	The Apache Software Foundation	High
Vendor	Manifest	require-capability	osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.7))"	Low
Vendor	Manifest	specification-vendor	The Apache Software Foundation	Low
Vendor	pom	artifactid	groovy-xml	Highest
Vendor	pom	artifactid	groovy-xml	Low
Vendor	pom	developer email	aalmiray@users.sourceforge.net	Low
Vendor	pom	developer email	b55r@sina.com	Low
Vendor	pom	developer email	blackdrag@gmx.org	Low
Vendor	pom	developer email	bob@werken.com	Low
Vendor	pom	developer email	cedric.champeau@gmail.com	Low
Vendor	pom	developer email	ckl@dacelo.nl	Low
Vendor	pom	developer email	cpoirier@dreaming.org	Low
Vendor	pom	developer email	goetze@dovetail.com	Low
Vendor	pom	developer email	guillaume.alleon@gmail.com	Low
Vendor	pom	developer email	hamletdrc@gmail.com	Low
Vendor	pom	developer email	james@coredevelopers.com	Low
Vendor	pom	developer email	jason@planet57.com	Low
Vendor	pom	developer email	jeremy.rayner@gmail.com	Low
Vendor	pom	developer email	jim@pagesmiths.com	Low
Vendor	pom	developer email	johnstump2@yahoo.com	Low
Vendor	pom	developer email	mguillemot@yahoo.fr	Low
Vendor	pom	developer email	paulk@asert.com.au	Low
Vendor	pom	developer email	phkim@cluecom.co.kr	Low
Vendor	pom	developer email	pniederw@gmail.com	Low
Vendor	pom	developer email	russel@winder.org.uk	Low
Vendor	pom	developer email	sam@sampullara.com	Low
Vendor	pom	developer email	sormuras@gmx.de	Low
Vendor	pom	developer email	tug@wilson.co.uk	Low
Vendor	pom	developer id	aalmiray	Medium
Vendor	pom	developer id	alextkachman	Medium
Vendor	pom	developer id	andresteingress	Medium
Vendor	pom	developer id	blackdrag	Medium
Vendor	pom	developer id	bob	Medium
Vendor	pom	developer id	bran	Medium
Vendor	pom	developer id	ckl	Medium
Vendor	pom	developer id	cpoirier	Medium
Vendor	pom	developer id	cstein	Medium
Vendor	pom	developer id	emilles	Medium
Vendor	pom	developer id	galleon	Medium
Vendor	pom	developer id	glaforge	Medium
Vendor	pom	developer id	goetze	Medium
Vendor	pom	developer id	grocher	Medium
Vendor	pom	developer id	hamletdrc	Medium
Vendor	pom	developer id	jamiemc	Medium
Vendor	pom	developer id	jez	Medium
Vendor	pom	developer id	jimwhite	Medium
Vendor	pom	developer id	joe	Medium
Vendor	pom	developer id	jstrachan	Medium
Vendor	pom	developer id	jstump	Medium
Vendor	pom	developer id	jwill	Medium
Vendor	pom	developer id	jwilson	Medium
Vendor	pom	developer id	kasper	Medium
Vendor	pom	developer id	mattf	Medium
Vendor	pom	developer id	melix	Medium
Vendor	pom	developer id	mguillem	Medium
Vendor	pom	developer id	mittie	Medium
Vendor	pom	developer id	pascalschumacher	Medium
Vendor	pom	developer id	paulk	Medium
Vendor	pom	developer id	phk	Medium
Vendor	pom	developer id	pniederw	Medium
Vendor	pom	developer id	roshandawrani	Medium
Vendor	pom	developer id	rpopma	Medium
Vendor	pom	developer id	russel	Medium
Vendor	pom	developer id	shemnon	Medium
Vendor	pom	developer id	skizz	Medium
Vendor	pom	developer id	spullara	Medium
Vendor	pom	developer id	sunlan	Medium
Vendor	pom	developer id	timyates	Medium
Vendor	pom	developer id	travis	Medium
Vendor	pom	developer id	user57	Medium
Vendor	pom	developer id	zohar	Medium
Vendor	pom	developer name	Alex Tkachman	Medium
Vendor	pom	developer name	Andre Steingress	Medium
Vendor	pom	developer name	Andres Almiray	Medium
Vendor	pom	developer name	Bing Ran	Medium
Vendor	pom	developer name	bob mcwhirter	Medium
Vendor	pom	developer name	Cedric Champeau	Medium
Vendor	pom	developer name	Chris Poirier	Medium
Vendor	pom	developer name	Chris Stevenson	Medium
Vendor	pom	developer name	Christiaan ten Klooster	Medium
Vendor	pom	developer name	Christian Stein	Medium
Vendor	pom	developer name	Daniel Sun	Medium
Vendor	pom	developer name	Danno Ferrin	Medium
Vendor	pom	developer name	Dierk Koenig	Medium
Vendor	pom	developer name	Eric Milles	Medium
Vendor	pom	developer name	Graeme Rocher	Medium
Vendor	pom	developer name	Guillaume Alleon	Medium
Vendor	pom	developer name	Guillaume Laforge	Medium
Vendor	pom	developer name	Hamlet D'Arcy	Medium
Vendor	pom	developer name	James Strachan	Medium
Vendor	pom	developer name	James Williams	Medium
Vendor	pom	developer name	Jamie McCrindle	Medium
Vendor	pom	developer name	Jason Dillon	Medium
Vendor	pom	developer name	Jeremy Rayner	Medium
Vendor	pom	developer name	Jim White	Medium
Vendor	pom	developer name	Jochen Theodorou	Medium
Vendor	pom	developer name	Joe Walnes	Medium
Vendor	pom	developer name	John Stump	Medium
Vendor	pom	developer name	John Wilson	Medium
Vendor	pom	developer name	Kasper Nielsen	Medium
Vendor	pom	developer name	Marc Guillemot	Medium
Vendor	pom	developer name	Matt Foemmel	Medium
Vendor	pom	developer name	Pascal Schumacher	Medium
Vendor	pom	developer name	Paul King	Medium
Vendor	pom	developer name	Peter Niederwieser	Medium
Vendor	pom	developer name	Pilho Kim	Medium
Vendor	pom	developer name	Remko Popma	Medium
Vendor	pom	developer name	Roshan Dawrani	Medium
Vendor	pom	developer name	Russel Winder	Medium
Vendor	pom	developer name	Sam Pullara	Medium
Vendor	pom	developer name	Steve Goetze	Medium
Vendor	pom	developer name	Tim Yates	Medium
Vendor	pom	developer name	Travis Kay	Medium
Vendor	pom	developer name	Zohar Melamed	Medium
Vendor	pom	developer org	Concertant LLP & It'z Interactive Ltd	Medium
Vendor	pom	developer org	Core Developers Network	Medium
Vendor	pom	developer org	CTSR.de	Medium
Vendor	pom	developer org	Dacelo WebDevelopment	Medium
Vendor	pom	developer org	Dovetailed Technologies, LLC	Medium
Vendor	pom	developer org	Google	Medium
Vendor	pom	developer org	IFCX.org	Medium
Vendor	pom	developer org	javanicus	Medium
Vendor	pom	developer org	Karakun AG	Medium
Vendor	pom	developer org	Leadingcare	Medium
Vendor	pom	developer org	OCI, Australia	Medium
Vendor	pom	developer org	The Werken Company	Medium
Vendor	pom	developer org	The Wilson Partnership	Medium
Vendor	pom	developer org	Thomson Reuters	Medium
Vendor	pom	developer org	ThoughtWorks	Medium
Vendor	pom	developer org	Three	Medium
Vendor	pom	groupid	org.codehaus.groovy	Highest
Vendor	pom	name	Apache Groovy	High
Vendor	pom	organization name	Apache Software Foundation	High
Vendor	pom	organization url	https://apache.org	Medium
Vendor	pom	url	https://groovy-lang.org	Highest
Product	file	name	groovy-xml	High
Product	jar	package name	codehaus	Highest
Product	jar	package name	groovy	Highest
Product	jar	package name	xml	Highest
Product	Manifest	automatic-module-name	org.codehaus.groovy.xml	Medium
Product	Manifest	bundle-symbolicname	groovy-xml	Medium
Product	Manifest	eclipse-buddypolicy	dependent	Low
Product	Manifest	fragment-host	groovy	Low
Product	Manifest	Implementation-Title	Groovy: a powerful, dynamic language for the JVM	High
Product	Manifest	require-capability	osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.7))"	Low
Product	Manifest	specification-title	Groovy: a powerful, dynamic language for the JVM	Medium
Product	pom	artifactid	groovy-xml	Highest
Product	pom	developer email	aalmiray@users.sourceforge.net	Low
Product	pom	developer email	b55r@sina.com	Low
Product	pom	developer email	blackdrag@gmx.org	Low
Product	pom	developer email	bob@werken.com	Low
Product	pom	developer email	cedric.champeau@gmail.com	Low
Product	pom	developer email	ckl@dacelo.nl	Low
Product	pom	developer email	cpoirier@dreaming.org	Low
Product	pom	developer email	goetze@dovetail.com	Low
Product	pom	developer email	guillaume.alleon@gmail.com	Low
Product	pom	developer email	hamletdrc@gmail.com	Low
Product	pom	developer email	james@coredevelopers.com	Low
Product	pom	developer email	jason@planet57.com	Low
Product	pom	developer email	jeremy.rayner@gmail.com	Low
Product	pom	developer email	jim@pagesmiths.com	Low
Product	pom	developer email	johnstump2@yahoo.com	Low
Product	pom	developer email	mguillemot@yahoo.fr	Low
Product	pom	developer email	paulk@asert.com.au	Low
Product	pom	developer email	phkim@cluecom.co.kr	Low
Product	pom	developer email	pniederw@gmail.com	Low
Product	pom	developer email	russel@winder.org.uk	Low
Product	pom	developer email	sam@sampullara.com	Low
Product	pom	developer email	sormuras@gmx.de	Low
Product	pom	developer email	tug@wilson.co.uk	Low
Product	pom	developer id	aalmiray	Low
Product	pom	developer id	alextkachman	Low
Product	pom	developer id	andresteingress	Low
Product	pom	developer id	blackdrag	Low
Product	pom	developer id	bob	Low
Product	pom	developer id	bran	Low
Product	pom	developer id	ckl	Low
Product	pom	developer id	cpoirier	Low
Product	pom	developer id	cstein	Low
Product	pom	developer id	emilles	Low
Product	pom	developer id	galleon	Low
Product	pom	developer id	glaforge	Low
Product	pom	developer id	goetze	Low
Product	pom	developer id	grocher	Low
Product	pom	developer id	hamletdrc	Low
Product	pom	developer id	jamiemc	Low
Product	pom	developer id	jez	Low
Product	pom	developer id	jimwhite	Low
Product	pom	developer id	joe	Low
Product	pom	developer id	jstrachan	Low
Product	pom	developer id	jstump	Low
Product	pom	developer id	jwill	Low
Product	pom	developer id	jwilson	Low
Product	pom	developer id	kasper	Low
Product	pom	developer id	mattf	Low
Product	pom	developer id	melix	Low
Product	pom	developer id	mguillem	Low
Product	pom	developer id	mittie	Low
Product	pom	developer id	pascalschumacher	Low
Product	pom	developer id	paulk	Low
Product	pom	developer id	phk	Low
Product	pom	developer id	pniederw	Low
Product	pom	developer id	roshandawrani	Low
Product	pom	developer id	rpopma	Low
Product	pom	developer id	russel	Low
Product	pom	developer id	shemnon	Low
Product	pom	developer id	skizz	Low
Product	pom	developer id	spullara	Low
Product	pom	developer id	sunlan	Low
Product	pom	developer id	timyates	Low
Product	pom	developer id	travis	Low
Product	pom	developer id	user57	Low
Product	pom	developer id	zohar	Low
Product	pom	developer name	Alex Tkachman	Low
Product	pom	developer name	Andre Steingress	Low
Product	pom	developer name	Andres Almiray	Low
Product	pom	developer name	Bing Ran	Low
Product	pom	developer name	bob mcwhirter	Low
Product	pom	developer name	Cedric Champeau	Low
Product	pom	developer name	Chris Poirier	Low
Product	pom	developer name	Chris Stevenson	Low
Product	pom	developer name	Christiaan ten Klooster	Low
Product	pom	developer name	Christian Stein	Low
Product	pom	developer name	Daniel Sun	Low
Product	pom	developer name	Danno Ferrin	Low
Product	pom	developer name	Dierk Koenig	Low
Product	pom	developer name	Eric Milles	Low
Product	pom	developer name	Graeme Rocher	Low
Product	pom	developer name	Guillaume Alleon	Low
Product	pom	developer name	Guillaume Laforge	Low
Product	pom	developer name	Hamlet D'Arcy	Low
Product	pom	developer name	James Strachan	Low
Product	pom	developer name	James Williams	Low
Product	pom	developer name	Jamie McCrindle	Low
Product	pom	developer name	Jason Dillon	Low
Product	pom	developer name	Jeremy Rayner	Low
Product	pom	developer name	Jim White	Low
Product	pom	developer name	Jochen Theodorou	Low
Product	pom	developer name	Joe Walnes	Low
Product	pom	developer name	John Stump	Low
Product	pom	developer name	John Wilson	Low
Product	pom	developer name	Kasper Nielsen	Low
Product	pom	developer name	Marc Guillemot	Low
Product	pom	developer name	Matt Foemmel	Low
Product	pom	developer name	Pascal Schumacher	Low
Product	pom	developer name	Paul King	Low
Product	pom	developer name	Peter Niederwieser	Low
Product	pom	developer name	Pilho Kim	Low
Product	pom	developer name	Remko Popma	Low
Product	pom	developer name	Roshan Dawrani	Low
Product	pom	developer name	Russel Winder	Low
Product	pom	developer name	Sam Pullara	Low
Product	pom	developer name	Steve Goetze	Low
Product	pom	developer name	Tim Yates	Low
Product	pom	developer name	Travis Kay	Low
Product	pom	developer name	Zohar Melamed	Low
Product	pom	developer org	Concertant LLP & It'z Interactive Ltd	Low
Product	pom	developer org	Core Developers Network	Low
Product	pom	developer org	CTSR.de	Low
Product	pom	developer org	Dacelo WebDevelopment	Low
Product	pom	developer org	Dovetailed Technologies, LLC	Low
Product	pom	developer org	Google	Low
Product	pom	developer org	IFCX.org	Low
Product	pom	developer org	javanicus	Low
Product	pom	developer org	Karakun AG	Low
Product	pom	developer org	Leadingcare	Low
Product	pom	developer org	OCI, Australia	Low
Product	pom	developer org	The Werken Company	Low
Product	pom	developer org	The Wilson Partnership	Low
Product	pom	developer org	Thomson Reuters	Low
Product	pom	developer org	ThoughtWorks	Low
Product	pom	developer org	Three	Low
Product	pom	groupid	org.codehaus.groovy	Highest
Product	pom	name	Apache Groovy	High
Product	pom	organization name	Apache Software Foundation	Low
Product	pom	organization url	https://apache.org	Low
Product	pom	url	https://groovy-lang.org	Medium
Version	file	version	2.5.18	High
Version	Manifest	Bundle-Version	2.5.18	High
Version	Manifest	Implementation-Version	2.5.18	High
Version	pom	version	2.5.18	Highest

Related Dependencies

groovy-cli-picocli-2.5.18.jar
- File Path: /home/grprdist/.m2/repository/org/codehaus/groovy/groovy-cli-picocli/2.5.18/groovy-cli-picocli-2.5.18.jar
- MD5: 9e2881fd02755e2dca877af20be272af
- SHA1: b630c15141f09a034d80e2b419e77f93a58febed
- SHA256: ce99225534b8ebfd8ceba00ff18ce84a40144da38a92b3e6f36c96602302d090
- pkg:maven/org.codehaus.groovy/groovy-cli-picocli@2.5.18
groovy-console-2.5.18.jar
- File Path: /home/grprdist/.m2/repository/org/codehaus/groovy/groovy-console/2.5.18/groovy-console-2.5.18.jar
- MD5: adeefc339808d50a5c6d5500421549fc
- SHA1: 724e91113829e73a87c3931279705e54fa896796
- SHA256: c81c73a5b3b6906122072d8478de8795d07f4df6b47290e59bdccf9bf05bbff4
- pkg:maven/org.codehaus.groovy/groovy-console@2.5.18
groovy-groovysh-2.5.18.jar
- File Path: /home/grprdist/.m2/repository/org/codehaus/groovy/groovy-groovysh/2.5.18/groovy-groovysh-2.5.18.jar
- MD5: 887c33764a5479be42e0114b27ecd488
- SHA1: 22aaf5e1849bf2ac6a1f36b5528040bff3e5fee8
- SHA256: 02328ed516035a31eb8061e50e8ebfb883b557d5a2baed3deb45abc174e54333
- pkg:maven/org.codehaus.groovy/groovy-groovysh@2.5.18
groovy-jsr223-2.5.18.jar
- File Path: /home/grprdist/.m2/repository/org/codehaus/groovy/groovy-jsr223/2.5.18/groovy-jsr223-2.5.18.jar
- MD5: 9181a6a9b721051d840be820a001de0e
- SHA1: e65d3c2c32352583939adb7a16e8802626f8899a
- SHA256: 2a5d25d90b89a22cbeeb83495c4d6b7cd76ac75f4078beb841a6732258a92a26
- pkg:maven/org.codehaus.groovy/groovy-jsr223@2.5.18
groovy-swing-2.5.18.jar
- File Path: /home/grprdist/.m2/repository/org/codehaus/groovy/groovy-swing/2.5.18/groovy-swing-2.5.18.jar
- MD5: 9dd23e929a171e2fa656224ab5d64367
- SHA1: 4a98d780762efe1fbc777d353a3406b1cbe884ec
- SHA256: 41f51592241acb04d97ef3c62827b8eff8a747cec34fd7419adca62816aec862
- pkg:maven/org.codehaus.groovy/groovy-swing@2.5.18
groovy-templates-2.5.18.jar
- File Path: /home/grprdist/.m2/repository/org/codehaus/groovy/groovy-templates/2.5.18/groovy-templates-2.5.18.jar
- MD5: ec20cce24dc773f21594406c8257f6d7
- SHA1: fc465a955137ff128fa41ec2d9d371c799b2c041
- SHA256: 769644776fe2be28dfc2e21d34ad3af41667b7f7e18db00e28bcb7b76b46e25f
- pkg:maven/org.codehaus.groovy/groovy-templates@2.5.18

Identifiers

pkg:maven/org.codehaus.groovy/groovy-xml@2.5.18 (Confidence:High)
cpe:2.3:a:apache:groovy:2.5.18:*:*:*:*:*:*:* (Confidence:High)

Description:

    Guava is a suite of core and expanded libraries that include
    utility classes, google's collections, io classes, and much
    much more.

    Guava has only one code dependency - javax.annotation,
    per the JSR-305 spec.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt

File Path: /home/grprdist/.m2/repository/com/google/guava/guava/20.0/guava-20.0.jar
MD5: f32a8a2524620dbecc9f6bf6a20c293f
SHA1: 89507701249388e1ed5ddcf8c41f4ce1be7831ef
SHA256:36a666e3b71ae7f0f0dca23654b67e086e6c93d192f60ba5dfd5519db6c288c8
Referenced In Project/Scope:Grouper Google Apps Provisioner:compile

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	guava	High
Vendor	jar	package name	google	Highest
Vendor	Manifest	bundle-docurl	https://github.com/google/guava/	Low
Vendor	Manifest	bundle-symbolicname	com.google.guava	Medium
Vendor	Manifest	require-capability	osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.6))"	Low
Vendor	pom	artifactid	guava	Highest
Vendor	pom	artifactid	guava	Low
Vendor	pom	groupid	com.google.guava	Highest
Vendor	pom	name	Guava: Google Core Libraries for Java	High
Vendor	pom	parent-artifactid	guava-parent	Low
Product	file	name	guava	High
Product	jar	package name	google	Highest
Product	Manifest	bundle-docurl	https://github.com/google/guava/	Low
Product	Manifest	Bundle-Name	Guava: Google Core Libraries for Java	Medium
Product	Manifest	bundle-symbolicname	com.google.guava	Medium
Product	Manifest	require-capability	osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.6))"	Low
Product	pom	artifactid	guava	Highest
Product	pom	groupid	com.google.guava	Highest
Product	pom	name	Guava: Google Core Libraries for Java	High
Product	pom	parent-artifactid	guava-parent	Medium
Version	file	version	20.0	High
Version	pom	version	20.0	Highest

Identifiers

pkg:maven/com.google.guava/guava@20.0 (Confidence:High)
cpe:2.3:a:google:guava:20.0:*:*:*:*:*:*:* (Confidence:Highest)

Published Vulnerabilities

CVE-2023-2976

Use of Java's default temporary directory for file creation in `FileBackedOutputStream` in Google Guava versions 1.0 to 31.1 on Unix systems and Android Ice Cream Sandwich allows other users and apps on the machine with access to the default Java temporary directory to be able to access the files created by the class.

Even though the security vulnerability is fixed in version 32.0.0, we recommend using version 32.0.1 as version 32.0.0 breaks some functionality under Windows.

CWE-552 Files or Directories Accessible to External Parties

CVSSv3:

Base Score: HIGH (7.1)
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

References:

MISC - https://github.com/google/guava/issues/2575
MISC - https://security.netapp.com/advisory/ntap-20230818-0008/
OSSINDEX - [CVE-2023-2976] CWE-552: Files or Directories Accessible to External Parties
OSSIndex - http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-2976
OSSIndex - https://github.com/google/guava/issues/2575
OSSIndex - https://github.com/google/guava/releases/tag/v32.0.0

Vulnerable Software & Versions:

cpe:2.3:a:google:guava:*:*:*:*:*:*:*:* versions up to (excluding) 32.0.0

CVE-2018-10237

Unbounded memory allocation in Google Guava 11.0 through 24.x before 24.1.1 allows remote attackers to conduct denial of service attacks against servers that depend on this library and deserialize attacker-provided data, because the AtomicDoubleArray class (when serialized with Java serialization) and the CompoundOrdering class (when serialized with GWT serialization) perform eager allocation without appropriate checks on what a client has sent and whether the data size is reasonable.

CWE-770 Allocation of Resources Without Limits or Throttling

CVSSv2:

Base Score: MEDIUM (4.3)
Vector: /AV:N/AC:M/Au:N/C:N/I:N/A:P

CVSSv3:

Base Score: MEDIUM (5.9)
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

References:

Vulnerable Software & Versions: (show all)

CVE-2020-8908

A temp directory creation vulnerability exists in all versions of Guava, allowing an attacker with access to the machine to potentially access data in a temporary directory created by the Guava API com.google.common.io.Files.createTempDir(). By default, on unix-like systems, the created directory is world-readable (readable by an attacker with access to the system). The method in question has been marked @Deprecated in versions 30.0 and later and should not be used. For Android developers, we recommend choosing a temporary directory API provided by Android, such as context.getCacheDir(). For other Java developers, we recommend migrating to the Java 7 API java.nio.file.Files.createTempDirectory() which explicitly configures permissions of 700, or configuring the Java runtime's java.io.tmpdir system property to point to a location whose permissions are appropriately configured.

CWE-732 Incorrect Permission Assignment for Critical Resource

CVSSv2:

Base Score: LOW (2.1)
Vector: /AV:L/AC:L/Au:N/C:P/I:N/A:N

CVSSv3:

Base Score: LOW (3.3)
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

References:

Vulnerable Software & Versions: (show all)

Description:

Common reflection code used in support of annotation processing

License:

GNU Library General Public License v2.1 or later: http://www.opensource.org/licenses/LGPL-2.1

File Path: /home/grprdist/.m2/repository/org/hibernate/common/hibernate-commons-annotations/5.1.2.Final/hibernate-commons-annotations-5.1.2.Final.jar
MD5: 2a2490b3eb8e7585a6a899d27d7ed43f
SHA1: e59ffdbc6ad09eeb33507b39ffcf287679a498c8
SHA256:1c7ce712b2679fea0a5441eb02a04144297125b768944819be0765befb996275
Referenced In Project/Scope:Grouper Google Apps Provisioner:provided

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	hibernate-commons-annotations	High
Vendor	hint analyzer	vendor	redhat	Highest
Vendor	jar	package name	annotations	Highest
Vendor	jar	package name	common	Highest
Vendor	jar	package name	hibernate	Highest
Vendor	jar	package name	reflection	Highest
Vendor	Manifest	automatic-module-name	org.hibernate.commons.annotations	Medium
Vendor	Manifest	bundle-symbolicname	org.hibernate.common.hibernate-commons-annotations	Medium
Vendor	Manifest	implementation-url	http://hibernate.org	Low
Vendor	Manifest	Implementation-Vendor	Hibernate.org	High
Vendor	Manifest	Implementation-Vendor-Id	org.hibernate	Medium
Vendor	Manifest	require-capability	osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))"	Low
Vendor	pom	artifactid	hibernate-commons-annotations	Highest
Vendor	pom	artifactid	hibernate-commons-annotations	Low
Vendor	pom	developer id	hibernate-team	Medium
Vendor	pom	developer name	The Hibernate Development Team	Medium
Vendor	pom	developer org	Hibernate.org	Medium
Vendor	pom	developer org URL	http://hibernate.org	Medium
Vendor	pom	groupid	org.hibernate.common	Highest
Vendor	pom	name	Hibernate Commons Annotations	High
Vendor	pom	organization name	Hibernate.org	High
Vendor	pom	organization url	http://hibernate.org	Medium
Vendor	pom	url	http://hibernate.org	Highest
Product	file	name	hibernate-commons-annotations	High
Product	jar	package name	annotations	Highest
Product	jar	package name	common	Highest
Product	jar	package name	hibernate	Highest
Product	jar	package name	reflection	Highest
Product	jar	package name	version	Highest
Product	Manifest	automatic-module-name	org.hibernate.commons.annotations	Medium
Product	Manifest	Bundle-Name	hibernate-commons-annotations	Medium
Product	Manifest	bundle-symbolicname	org.hibernate.common.hibernate-commons-annotations	Medium
Product	Manifest	implementation-url	http://hibernate.org	Low
Product	Manifest	require-capability	osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))"	Low
Product	pom	artifactid	hibernate-commons-annotations	Highest
Product	pom	developer id	hibernate-team	Low
Product	pom	developer name	The Hibernate Development Team	Low
Product	pom	developer org	Hibernate.org	Low
Product	pom	developer org URL	http://hibernate.org	Low
Product	pom	groupid	org.hibernate.common	Highest
Product	pom	name	Hibernate Commons Annotations	High
Product	pom	organization name	Hibernate.org	Low
Product	pom	organization url	http://hibernate.org	Low
Product	pom	url	http://hibernate.org	Medium
Version	Manifest	Bundle-Version	5.1.2.Final	High
Version	Manifest	Implementation-Version	5.1.2.Final	High
Version	pom	version	5.1.2.Final	Highest

Identifiers

pkg:maven/org.hibernate.common/hibernate-commons-annotations@5.1.2.Final (Confidence:High)

Description:

Hibernate's core ORM functionality

License:

GNU Library General Public License v2.1 or later: https://www.opensource.org/licenses/LGPL-2.1

File Path: /home/grprdist/.m2/repository/org/hibernate/hibernate-core/5.6.10.Final/hibernate-core-5.6.10.Final.jar
MD5: 9c4f43fc5936b6d6555ff6ece7865220
SHA1: 408fd5802391d8e6f619db9d7c6c0e27d49118c2
SHA256:ed3693a0ae288dafff6155b03b7d743fdb9c9f432de37d7b894f44d92e3a85c4
Referenced In Project/Scope:Grouper Google Apps Provisioner:provided

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	hibernate-core	High
Vendor	hint analyzer	vendor	redhat	Highest
Vendor	jar	package name	hibernate	Highest
Vendor	Manifest	automatic-module-name	org.hibernate.orm.core	Medium
Vendor	Manifest	bundle-docurl	https://hibernate.org/orm/5.6	Low
Vendor	Manifest	bundle-symbolicname	org.hibernate.orm.core	Medium
Vendor	Manifest	implementation-url	https://hibernate.org/orm	Low
Vendor	Manifest	Implementation-Vendor	Hibernate.org	High
Vendor	Manifest	Implementation-Vendor-Id	org.hibernate	Medium
Vendor	Manifest	require-capability	osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))"	Low
Vendor	Manifest	specification-vendor	Hibernate.org	Low
Vendor	pom	artifactid	hibernate-core	Highest
Vendor	pom	artifactid	hibernate-core	Low
Vendor	pom	developer id	hibernate-team	Medium
Vendor	pom	developer name	The Hibernate Development Team	Medium
Vendor	pom	developer org	Hibernate.org	Medium
Vendor	pom	developer org URL	https://hibernate.org	Medium
Vendor	pom	groupid	org.hibernate	Highest
Vendor	pom	name	Hibernate ORM - hibernate-core	High
Vendor	pom	organization name	Hibernate.org	High
Vendor	pom	organization url	https://hibernate.org	Medium
Vendor	pom	url	https://hibernate.org/orm	Highest
Product	file	name	hibernate-core	High
Product	hint analyzer	product	orm	Highest
Product	jar	package name	filter	Highest
Product	jar	package name	hibernate	Highest
Product	jar	package name	version	Highest
Product	Manifest	automatic-module-name	org.hibernate.orm.core	Medium
Product	Manifest	bundle-docurl	https://hibernate.org/orm/5.6	Low
Product	Manifest	Bundle-Name	hibernate-core	Medium
Product	Manifest	bundle-symbolicname	org.hibernate.orm.core	Medium
Product	Manifest	Implementation-Title	hibernate-core	High
Product	Manifest	implementation-url	https://hibernate.org/orm	Low
Product	Manifest	require-capability	osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))"	Low
Product	Manifest	specification-title	hibernate-core	Medium
Product	pom	artifactid	hibernate-core	Highest
Product	pom	developer id	hibernate-team	Low
Product	pom	developer name	The Hibernate Development Team	Low
Product	pom	developer org	Hibernate.org	Low
Product	pom	developer org URL	https://hibernate.org	Low
Product	pom	groupid	org.hibernate	Highest
Product	pom	name	Hibernate ORM - hibernate-core	High
Product	pom	organization name	Hibernate.org	Low
Product	pom	organization url	https://hibernate.org	Low
Product	pom	url	https://hibernate.org/orm	Medium
Version	Manifest	Bundle-Version	5.6.10.Final	High
Version	Manifest	Implementation-Version	5.6.10.Final	High
Version	pom	version	5.6.10.Final	Highest

Related Dependencies

Identifiers

pkg:maven/org.hibernate/hibernate-core@5.6.10.Final (Confidence:High)
cpe:2.3:a:hibernate:hibernate_orm:5.6.10:*:*:*:*:*:*:* (Confidence:Low)

Description:

   Apache HttpComponents Client

File Path: /home/grprdist/.m2/repository/org/apache/httpcomponents/httpclient/4.5.13/httpclient-4.5.13.jar
MD5: 40d6b9075fbd28fa10292a45a0db9457
SHA1: e5f6cae5ca7ecaac1ec2827a9e2d65ae2869cada
SHA256:6fe9026a566c6a5001608cf3fc32196641f6c1e5e1986d1037ccdbd5f31ef743
Referenced In Project/Scope:Grouper Google Apps Provisioner:compile

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	httpclient	High
Vendor	jar	package name	apache	Highest
Vendor	jar	package name	client	Highest
Vendor	jar	package name	httpclient	Highest
Vendor	Manifest	automatic-module-name	org.apache.httpcomponents.httpclient	Medium
Vendor	Manifest	implementation-url	http://hc.apache.org/httpcomponents-client	Low
Vendor	Manifest	Implementation-Vendor	The Apache Software Foundation	High
Vendor	Manifest	Implementation-Vendor-Id	org.apache.httpcomponents	Medium
Vendor	Manifest	specification-vendor	The Apache Software Foundation	Low
Vendor	pom	artifactid	httpclient	Highest
Vendor	pom	artifactid	httpclient	Low
Vendor	pom	groupid	org.apache.httpcomponents	Highest
Vendor	pom	name	Apache HttpClient	High
Vendor	pom	parent-artifactid	httpcomponents-client	Low
Vendor	pom	url	http://hc.apache.org/httpcomponents-client	Highest
Product	file	name	httpclient	High
Product	jar	package name	apache	Highest
Product	jar	package name	client	Highest
Product	jar	package name	http	Highest
Product	jar	package name	httpclient	Highest
Product	Manifest	automatic-module-name	org.apache.httpcomponents.httpclient	Medium
Product	Manifest	Implementation-Title	Apache HttpClient	High
Product	Manifest	implementation-url	http://hc.apache.org/httpcomponents-client	Low
Product	Manifest	specification-title	Apache HttpClient	Medium
Product	pom	artifactid	httpclient	Highest
Product	pom	groupid	org.apache.httpcomponents	Highest
Product	pom	name	Apache HttpClient	High
Product	pom	parent-artifactid	httpcomponents-client	Medium
Product	pom	url	http://hc.apache.org/httpcomponents-client	Medium
Version	file	version	4.5.13	High
Version	Manifest	Implementation-Version	4.5.13	High
Version	pom	version	4.5.13	Highest

Identifiers

pkg:maven/org.apache.httpcomponents/httpclient@4.5.13 (Confidence:High)
cpe:2.3:a:apache:httpclient:4.5.13:*:*:*:*:*:*:* (Confidence:Highest)

Description:

   Apache HttpComponents Core (blocking I/O)

File Path: /home/grprdist/.m2/repository/org/apache/httpcomponents/httpcore/4.4.14/httpcore-4.4.14.jar
MD5: 2b3991eda121042765a5ee299556c200
SHA1: 9dd1a631c082d92ecd4bd8fd4cf55026c720a8c1
SHA256:f956209e450cb1d0c51776dfbd23e53e9dd8db9a1298ed62b70bf0944ba63b28
Referenced In Project/Scope:Grouper Google Apps Provisioner:compile

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	httpcore	High
Vendor	jar	package name	apache	Highest
Vendor	Manifest	automatic-module-name	org.apache.httpcomponents.httpcore	Medium
Vendor	Manifest	implementation-build	${scmBranch}@r${buildNumber}; 2020-11-26 19:07:01+0000	Low
Vendor	Manifest	implementation-url	http://hc.apache.org/httpcomponents-core-ga	Low
Vendor	Manifest	Implementation-Vendor	The Apache Software Foundation	High
Vendor	Manifest	Implementation-Vendor-Id	org.apache	Medium
Vendor	Manifest	specification-vendor	The Apache Software Foundation	Low
Vendor	Manifest	url	http://hc.apache.org/httpcomponents-core-ga	Low
Vendor	pom	artifactid	httpcore	Highest
Vendor	pom	artifactid	httpcore	Low
Vendor	pom	groupid	org.apache.httpcomponents	Highest
Vendor	pom	name	Apache HttpCore	High
Vendor	pom	parent-artifactid	httpcomponents-core	Low
Vendor	pom	url	http://hc.apache.org/httpcomponents-core-ga	Highest
Product	file	name	httpcore	High
Product	jar	package name	apache	Highest
Product	jar	package name	http	Highest
Product	Manifest	automatic-module-name	org.apache.httpcomponents.httpcore	Medium
Product	Manifest	implementation-build	${scmBranch}@r${buildNumber}; 2020-11-26 19:07:01+0000	Low
Product	Manifest	Implementation-Title	HttpComponents Apache HttpCore	High
Product	Manifest	implementation-url	http://hc.apache.org/httpcomponents-core-ga	Low
Product	Manifest	specification-title	HttpComponents Apache HttpCore	Medium
Product	Manifest	url	http://hc.apache.org/httpcomponents-core-ga	Low
Product	pom	artifactid	httpcore	Highest
Product	pom	groupid	org.apache.httpcomponents	Highest
Product	pom	name	Apache HttpCore	High
Product	pom	parent-artifactid	httpcomponents-core	Medium
Product	pom	url	http://hc.apache.org/httpcomponents-core-ga	Medium
Version	file	version	4.4.14	High
Version	Manifest	Implementation-Version	4.4.14	High
Version	pom	version	4.4.14	Highest

Identifiers

pkg:maven/org.apache.httpcomponents/httpcore@4.4.14 (Confidence:High)

Description:

   Apache HttpComponents HttpClient - MIME coded entities

File Path: /home/grprdist/.m2/repository/org/apache/httpcomponents/httpmime/4.5.13/httpmime-4.5.13.jar
MD5: 3f0c1ef2c9dc47b62b780192f54b0c18
SHA1: efc110bad4a0d45cda7858e6beee1d8a8313da5a
SHA256:06e754d99245b98dcc2860dcb43d20e737d650da2bf2077a105f68accbd5c5cc
Referenced In Project/Scope:Grouper Google Apps Provisioner:provided

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	httpmime	High
Vendor	jar	package name	apache	Highest
Vendor	jar	package name	mime	Highest
Vendor	Manifest	automatic-module-name	org.apache.httpcomponents.httpmime	Medium
Vendor	Manifest	implementation-url	http://hc.apache.org/httpcomponents-client	Low
Vendor	Manifest	Implementation-Vendor	The Apache Software Foundation	High
Vendor	Manifest	Implementation-Vendor-Id	org.apache.httpcomponents	Medium
Vendor	Manifest	specification-vendor	The Apache Software Foundation	Low
Vendor	pom	artifactid	httpmime	Highest
Vendor	pom	artifactid	httpmime	Low
Vendor	pom	groupid	org.apache.httpcomponents	Highest
Vendor	pom	name	Apache HttpClient Mime	High
Vendor	pom	parent-artifactid	httpcomponents-client	Low
Vendor	pom	url	http://hc.apache.org/httpcomponents-client	Highest
Product	file	name	httpmime	High
Product	jar	package name	apache	Highest
Product	jar	package name	http	Highest
Product	jar	package name	mime	Highest
Product	Manifest	automatic-module-name	org.apache.httpcomponents.httpmime	Medium
Product	Manifest	Implementation-Title	Apache HttpClient Mime	High
Product	Manifest	implementation-url	http://hc.apache.org/httpcomponents-client	Low
Product	Manifest	specification-title	Apache HttpClient Mime	Medium
Product	pom	artifactid	httpmime	Highest
Product	pom	groupid	org.apache.httpcomponents	Highest
Product	pom	name	Apache HttpClient Mime	High
Product	pom	parent-artifactid	httpcomponents-client	Medium
Product	pom	url	http://hc.apache.org/httpcomponents-client	Medium
Version	file	version	4.5.13	High
Version	Manifest	Implementation-Version	4.5.13	High
Version	pom	version	4.5.13	Highest

Identifiers

pkg:maven/org.apache.httpcomponents/httpmime@4.5.13 (Confidence:High)

Description:

    A Java implementation of the Amazon Ion data notation.

License:

The Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt

File Path: /home/grprdist/.m2/repository/software/amazon/ion/ion-java/1.0.2/ion-java-1.0.2.jar
MD5: 3f07f5df418af9ea2ebe80c3d6eccac4
SHA1: ee9dacea7726e495f8352b81c12c23834ffbc564
SHA256:0d127b205a1fce0abc2a3757a041748651bc66c15cf4c059bac5833b27d471a5
Referenced In Project/Scope:Grouper Google Apps Provisioner:provided

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	ion-java	High
Vendor	jar	package name	amazon	Highest
Vendor	jar	package name	ion	Highest
Vendor	jar	package name	software	Highest
Vendor	Manifest	bundle-symbolicname	software.amazon.ion.java	Medium
Vendor	Manifest	ion-java-build-time	2017-02-07T23:59:25Z	Low
Vendor	Manifest	require-capability	osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.5))"	Low
Vendor	pom	artifactid	ion-java	Highest
Vendor	pom	artifactid	ion-java	Low
Vendor	pom	developer email	ion-team@amazon.com	Low
Vendor	pom	developer name	Amazon Ion Team	Medium
Vendor	pom	developer org	Amazon Labs	Medium
Vendor	pom	developer org URL	https://github.com/amznlabs	Medium
Vendor	pom	groupid	software.amazon.ion	Highest
Vendor	pom	url	amznlabs/ion-java/	Highest
Product	file	name	ion-java	High
Product	jar	package name	amazon	Highest
Product	jar	package name	ion	Highest
Product	jar	package name	software	Highest
Product	Manifest	Bundle-Name	software.amazon.ion:ion-java	Medium
Product	Manifest	bundle-symbolicname	software.amazon.ion.java	Medium
Product	Manifest	ion-java-build-time	2017-02-07T23:59:25Z	Low
Product	Manifest	require-capability	osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.5))"	Low
Product	pom	artifactid	ion-java	Highest
Product	pom	developer email	ion-team@amazon.com	Low
Product	pom	developer name	Amazon Ion Team	Low
Product	pom	developer org	Amazon Labs	Low
Product	pom	developer org URL	https://github.com/amznlabs	Low
Product	pom	groupid	software.amazon.ion	Highest
Product	pom	url	amznlabs/ion-java/	High
Version	file	version	1.0.2	High
Version	Manifest	Bundle-Version	1.0.2	High
Version	Manifest	ion-java-project-version	1.0.2	Medium
Version	pom	version	1.0.2	Highest

Identifiers

pkg:maven/software.amazon.ion/ion-java@1.0.2 (Confidence:High)

Description:

istack common utility code

License:

https://glassfish.java.net/public/CDDL+GPL_1_1.html, https://glassfish.java.net/public/CDDL+GPL_1_1.html

File Path: /home/grprdist/.m2/repository/com/sun/istack/istack-commons-runtime/3.0.7/istack-commons-runtime-3.0.7.jar
MD5: 83e9617b86023b91bd54f65c09838f4b
SHA1: c197c86ceec7318b1284bffb49b54226ca774003
SHA256:6443e10ba2e259fb821d9b6becf10db5316285fc30c53cec9d7b19a3877e7fdf
Referenced In Project/Scope:Grouper Google Apps Provisioner:provided

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	istack-commons-runtime	High
Vendor	jar	package name	istack	Highest
Vendor	jar	package name	sun	Highest
Vendor	jar (hint)	package name	oracle	Highest
Vendor	Manifest	bundle-docurl	http://www.oracle.com/	Low
Vendor	Manifest	bundle-symbolicname	com.sun.istack.commons-runtime	Medium
Vendor	Manifest	implementation-build-id	3.0.7-c8b5e20894f565780625d6f9b018ef7c458cd688, 2018-08-29T05:23:37-0700	Low
Vendor	Manifest	Implementation-Vendor	Oracle Corporation	High
Vendor	Manifest	Implementation-Vendor-Id	com.sun.istack	Medium
Vendor	Manifest	originally-created-by	Apache Maven Bundle Plugin	Low
Vendor	Manifest	require-capability	osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.7))"	Low
Vendor	pom	artifactid	istack-commons-runtime	Highest
Vendor	pom	artifactid	istack-commons-runtime	Low
Vendor	pom	groupid	com.sun.istack	Highest
Vendor	pom	name	istack common utility code runtime	High
Vendor	pom	parent-artifactid	istack-commons	Low
Product	file	name	istack-commons-runtime	High
Product	jar	package name	istack	Highest
Product	jar	package name	sun	Highest
Product	Manifest	bundle-docurl	http://www.oracle.com/	Low
Product	Manifest	Bundle-Name	istack common utility code runtime	Medium
Product	Manifest	bundle-symbolicname	com.sun.istack.commons-runtime	Medium
Product	Manifest	implementation-build-id	3.0.7-c8b5e20894f565780625d6f9b018ef7c458cd688, 2018-08-29T05:23:37-0700	Low
Product	Manifest	Implementation-Title	istack common utility code runtime	High
Product	Manifest	originally-created-by	Apache Maven Bundle Plugin	Low
Product	Manifest	require-capability	osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.7))"	Low
Product	pom	artifactid	istack-commons-runtime	Highest
Product	pom	groupid	com.sun.istack	Highest
Product	pom	name	istack common utility code runtime	High
Product	pom	parent-artifactid	istack-commons	Medium
Version	file	version	3.0.7	High
Version	Manifest	Bundle-Version	3.0.7	High
Version	Manifest	Implementation-Version	3.0.7	High
Version	pom	version	3.0.7	Highest

Identifiers

pkg:maven/com.sun.istack/istack-commons-runtime@3.0.7 (Confidence:High)
cpe:2.3:a:apache:commons_net:3.0.7:*:*:*:*:*:*:* (Confidence:Low)
cpe:2.3:a:oracle:java_se:3.0.7:*:*:*:*:*:*:* (Confidence:Low)

Published Vulnerabilities

CVE-2021-37533

Prior to Apache Commons Net 3.9.0, Net's FTP client trusts the host from PASV response by default. A malicious server can redirect the Commons Net code to use a different host, but the user has to connect to the malicious server in the first place. This may lead to leakage of information about services running on the private network of the client. The default in version 3.9.0 is now false to ignore such hosts, as cURL does. See https://issues.apache.org/jira/browse/NET-711.

CWE-20 Improper Input Validation

CVSSv3:

Base Score: MEDIUM (6.5)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

References:

Vulnerable Software & Versions:

cpe:2.3:a:apache:commons_net:*:*:*:*:*:*:*:* versions up to (excluding) 3.9.0

Description:

    A set of annotations that provide additional information to the J2ObjC
    translator to modify the result of translation.

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt

File Path: /home/grprdist/.m2/repository/com/google/j2objc/j2objc-annotations/1.1/j2objc-annotations-1.1.jar
MD5: 49ae3204bb0bb9b2ac77062641f4a6d7
SHA1: ed28ded51a8b1c6b112568def5f4b455e6809019
SHA256:2994a7eb78f2710bd3d3bfb639b2c94e219cedac0d4d084d516e78c16dddecf6
Referenced In Project/Scope:Grouper Google Apps Provisioner:compile

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	j2objc-annotations	High
Vendor	jar	package name	annotations	Highest
Vendor	jar	package name	annotations	Low
Vendor	jar	package name	google	Highest
Vendor	jar	package name	google	Low
Vendor	jar	package name	j2objc	Highest
Vendor	jar	package name	j2objc	Low
Vendor	pom	artifactid	j2objc-annotations	Highest
Vendor	pom	artifactid	j2objc-annotations	Low
Vendor	pom	groupid	com.google.j2objc	Highest
Vendor	pom	name	J2ObjC Annotations	High
Vendor	pom	url	google/j2objc/	Highest
Product	file	name	j2objc-annotations	High
Product	jar	package name	annotations	Highest
Product	jar	package name	annotations	Low
Product	jar	package name	google	Highest
Product	jar	package name	j2objc	Highest
Product	jar	package name	j2objc	Low
Product	pom	artifactid	j2objc-annotations	Highest
Product	pom	groupid	com.google.j2objc	Highest
Product	pom	name	J2ObjC Annotations	High
Product	pom	url	google/j2objc/	High
Version	file	version	1.1	High
Version	pom	version	1.1	Highest

Identifiers

pkg:maven/com.google.j2objc/j2objc-annotations@1.1 (Confidence:High)

Description:

Core annotations used for value types, used by Jackson data binding package.

License:

The Apache Software License, Version 2.0: https://www.apache.org/licenses/LICENSE-2.0.txt

File Path: /home/grprdist/.m2/repository/com/fasterxml/jackson/core/jackson-annotations/2.14.0/jackson-annotations-2.14.0.jar
MD5: 9dd0a11ebc38409f2e6ae5bc4c7b6aa4
SHA1: fb7afb3c9c8ea363a9c88ea9c0a7177cf2fbd369
SHA256:efaff8693acbae673468d251b5e5ea8fc7ce1b852327bccf1cce72244c2e5f1c
Referenced In Project/Scope:Grouper Google Apps Provisioner:provided

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	jackson-annotations	High
Vendor	jar	package name	fasterxml	Highest
Vendor	jar	package name	jackson	Highest
Vendor	Manifest	build-jdk-spec	1.8	Low
Vendor	Manifest	bundle-docurl	https://github.com/FasterXML/jackson	Low
Vendor	Manifest	bundle-symbolicname	com.fasterxml.jackson.core.jackson-annotations	Medium
Vendor	Manifest	Implementation-Vendor	FasterXML	High
Vendor	Manifest	Implementation-Vendor-Id	com.fasterxml.jackson.core	Medium
Vendor	Manifest	require-capability	osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.6))"	Low
Vendor	Manifest	specification-vendor	FasterXML	Low
Vendor	pom	artifactid	jackson-annotations	Highest
Vendor	pom	artifactid	jackson-annotations	Low
Vendor	pom	groupid	com.fasterxml.jackson.core	Highest
Vendor	pom	name	Jackson-annotations	High
Vendor	pom	parent-artifactid	jackson-parent	Low
Vendor	pom	parent-groupid	com.fasterxml.jackson	Medium
Vendor	pom	url	FasterXML/jackson	Highest
Product	file	name	jackson-annotations	High
Product	hint analyzer	product	java8	Highest
Product	hint analyzer	product	modules	Highest
Product	jar	package name	fasterxml	Highest
Product	jar	package name	jackson	Highest
Product	Manifest	build-jdk-spec	1.8	Low
Product	Manifest	bundle-docurl	https://github.com/FasterXML/jackson	Low
Product	Manifest	Bundle-Name	Jackson-annotations	Medium
Product	Manifest	bundle-symbolicname	com.fasterxml.jackson.core.jackson-annotations	Medium
Product	Manifest	Implementation-Title	Jackson-annotations	High
Product	Manifest	require-capability	osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.6))"	Low
Product	Manifest	specification-title	Jackson-annotations	Medium
Product	pom	artifactid	jackson-annotations	Highest
Product	pom	groupid	com.fasterxml.jackson.core	Highest
Product	pom	name	Jackson-annotations	High
Product	pom	parent-artifactid	jackson-parent	Medium
Product	pom	parent-groupid	com.fasterxml.jackson	Medium
Product	pom	url	FasterXML/jackson	High
Version	file	version	2.14.0	High
Version	Manifest	Bundle-Version	2.14.0	High
Version	Manifest	Implementation-Version	2.14.0	High
Version	pom	parent-version	2.14.0	Low
Version	pom	version	2.14.0	Highest

Identifiers

pkg:maven/com.fasterxml.jackson.core/jackson-annotations@2.14.0 (Confidence:High)
cpe:2.3:a:fasterxml:jackson-modules-java8:2.14.0:*:*:*:*:*:*:* (Confidence:Low)

Description:

Core Jackson processing abstractions (aka Streaming API), implementation for JSON

License:

The Apache Software License, Version 2.0: https://www.apache.org/licenses/LICENSE-2.0.txt

File Path: /home/grprdist/.m2/repository/com/fasterxml/jackson/core/jackson-core/2.14.0/jackson-core-2.14.0.jar
MD5: 88988c4b941b1f4c6637af5218b26f87
SHA1: 49d219171d6af643e061e9e1baaaf6a6a067918d
SHA256:ab4793e5df4fbfae445ca55e9e1439311c80fa8b34fc13162c1260902b4dbea0
Referenced In Project/Scope:Grouper Google Apps Provisioner:compile

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	jackson-core	High
Vendor	jar	package name	base	Highest
Vendor	jar	package name	core	Highest
Vendor	jar	package name	fasterxml	Highest
Vendor	jar	package name	jackson	Highest
Vendor	jar	package name	json	Highest
Vendor	Manifest	build-jdk-spec	1.8	Low
Vendor	Manifest	bundle-docurl	https://github.com/FasterXML/jackson-core	Low
Vendor	Manifest	bundle-symbolicname	com.fasterxml.jackson.core.jackson-core	Medium
Vendor	Manifest	Implementation-Vendor	FasterXML	High
Vendor	Manifest	Implementation-Vendor-Id	com.fasterxml.jackson.core	Medium
Vendor	Manifest	multi-release	true	Low
Vendor	Manifest	require-capability	osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))"	Low
Vendor	Manifest	specification-vendor	FasterXML	Low
Vendor	pom	artifactid	jackson-core	Highest
Vendor	pom	artifactid	jackson-core	Low
Vendor	pom	groupid	com.fasterxml.jackson.core	Highest
Vendor	pom	name	Jackson-core	High
Vendor	pom	parent-artifactid	jackson-base	Low
Vendor	pom	parent-groupid	com.fasterxml.jackson	Medium
Vendor	pom	url	FasterXML/jackson-core	Highest
Product	file	name	jackson-core	High
Product	hint analyzer	product	java8	Highest
Product	hint analyzer	product	modules	Highest
Product	jar	package name	base	Highest
Product	jar	package name	core	Highest
Product	jar	package name	fasterxml	Highest
Product	jar	package name	filter	Highest
Product	jar	package name	jackson	Highest
Product	jar	package name	json	Highest
Product	jar	package name	version	Highest
Product	Manifest	build-jdk-spec	1.8	Low
Product	Manifest	bundle-docurl	https://github.com/FasterXML/jackson-core	Low
Product	Manifest	Bundle-Name	Jackson-core	Medium
Product	Manifest	bundle-symbolicname	com.fasterxml.jackson.core.jackson-core	Medium
Product	Manifest	Implementation-Title	Jackson-core	High
Product	Manifest	multi-release	true	Low
Product	Manifest	require-capability	osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))"	Low
Product	Manifest	specification-title	Jackson-core	Medium
Product	pom	artifactid	jackson-core	Highest
Product	pom	groupid	com.fasterxml.jackson.core	Highest
Product	pom	name	Jackson-core	High
Product	pom	parent-artifactid	jackson-base	Medium
Product	pom	parent-groupid	com.fasterxml.jackson	Medium
Product	pom	url	FasterXML/jackson-core	High
Version	file	version	2.14.0	High
Version	Manifest	Bundle-Version	2.14.0	High
Version	Manifest	Implementation-Version	2.14.0	High
Version	pom	version	2.14.0	Highest

Identifiers

pkg:maven/com.fasterxml.jackson.core/jackson-core@2.14.0 (Confidence:High)
cpe:2.3:a:fasterxml:jackson-modules-java8:2.14.0:*:*:*:*:*:*:* (Confidence:Low)
cpe:2.3:a:json-java_project:json-java:2.14.0:*:*:*:*:*:*:* (Confidence:Low)

Published Vulnerabilities

CVE-2022-45688

A stack overflow in the XML.toJSONObject component of hutool-json v5.8.10 allows attackers to cause a Denial of Service (DoS) via crafted JSON or XML data.

CWE-787 Out-of-bounds Write

CVSSv3:

Base Score: HIGH (7.5)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References:

Vulnerable Software & Versions: (show all)

Description:

General data-binding functionality for Jackson: works on core streaming API

License:

The Apache Software License, Version 2.0: https://www.apache.org/licenses/LICENSE-2.0.txt

File Path: /home/grprdist/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.14.0/jackson-databind-2.14.0.jar
MD5: f94ffc53b4062cae1f383a4482593020
SHA1: 513b8ca3fea0352ceebe4d0bbeea527ab343dc1a
SHA256:54377fa855f52ed87e8f689b35249971840b16870dee76806d5d200cbcd66f27
Referenced In Project/Scope:Grouper Google Apps Provisioner:provided

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	jackson-databind	High
Vendor	jar	package name	databind	Highest
Vendor	jar	package name	fasterxml	Highest
Vendor	jar	package name	jackson	Highest
Vendor	Manifest	build-jdk-spec	1.8	Low
Vendor	Manifest	bundle-docurl	https://github.com/FasterXML/jackson	Low
Vendor	Manifest	bundle-symbolicname	com.fasterxml.jackson.core.jackson-databind	Medium
Vendor	Manifest	Implementation-Vendor	FasterXML	High
Vendor	Manifest	Implementation-Vendor-Id	com.fasterxml.jackson.core	Medium
Vendor	Manifest	multi-release	true	Low
Vendor	Manifest	require-capability	osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))"	Low
Vendor	Manifest	specification-vendor	FasterXML	Low
Vendor	pom	artifactid	jackson-databind	Highest
Vendor	pom	artifactid	jackson-databind	Low
Vendor	pom	groupid	com.fasterxml.jackson.core	Highest
Vendor	pom	name	jackson-databind	High
Vendor	pom	parent-artifactid	jackson-base	Low
Vendor	pom	parent-groupid	com.fasterxml.jackson	Medium
Vendor	pom	url	FasterXML/jackson	Highest
Product	file	name	jackson-databind	High
Product	hint analyzer	product	java8	Highest
Product	hint analyzer	product	modules	Highest
Product	jar	package name	databind	Highest
Product	jar	package name	fasterxml	Highest
Product	jar	package name	jackson	Highest
Product	Manifest	build-jdk-spec	1.8	Low
Product	Manifest	bundle-docurl	https://github.com/FasterXML/jackson	Low
Product	Manifest	Bundle-Name	jackson-databind	Medium
Product	Manifest	bundle-symbolicname	com.fasterxml.jackson.core.jackson-databind	Medium
Product	Manifest	Implementation-Title	jackson-databind	High
Product	Manifest	multi-release	true	Low
Product	Manifest	require-capability	osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))"	Low
Product	Manifest	specification-title	jackson-databind	Medium
Product	pom	artifactid	jackson-databind	Highest
Product	pom	groupid	com.fasterxml.jackson.core	Highest
Product	pom	name	jackson-databind	High
Product	pom	parent-artifactid	jackson-base	Medium
Product	pom	parent-groupid	com.fasterxml.jackson	Medium
Product	pom	url	FasterXML/jackson	High
Version	file	version	2.14.0	High
Version	Manifest	Bundle-Version	2.14.0	High
Version	Manifest	Implementation-Version	2.14.0	High
Version	pom	version	2.14.0	Highest

Identifiers

pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.14.0 (Confidence:High)
cpe:2.3:a:fasterxml:jackson-databind:2.14.0:*:*:*:*:*:*:* (Confidence:Highest)
cpe:2.3:a:fasterxml:jackson-modules-java8:2.14.0:*:*:*:*:*:*:* (Confidence:Low)

Published Vulnerabilities

CVE-2023-35116

** DISPUTED ** jackson-databind through 2.15.2 allows attackers to cause a denial of service or other unspecified impact via a crafted object that uses cyclic dependencies. NOTE: the vendor's perspective is that this is not a valid vulnerability report, because the steps of constructing a cyclic data structure and trying to serialize it cannot be achieved by an external attacker.

CWE-770 Allocation of Resources Without Limits or Throttling

CVSSv3:

Base Score: MEDIUM (4.7)
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H

References:

MISC - https://github.com/FasterXML/jackson-databind/issues/3972

Vulnerable Software & Versions:

cpe:2.3:a:fasterxml:jackson-databind:*:*:*:*:*:*:*:* versions up to (including) 2.15.2

Description:

Support for reading and writing Concise Binary Object Representation
([CBOR](https://www.rfc-editor.org/info/rfc7049)
encoded data using Jackson abstractions (streaming API, data binding, tree model)

License:

http://www.apache.org/licenses/LICENSE-2.0.txt

File Path: /home/grprdist/.m2/repository/com/fasterxml/jackson/dataformat/jackson-dataformat-cbor/2.12.6/jackson-dataformat-cbor-2.12.6.jar
MD5: 2bef08f2597473f39e4d9c9de01d3dde
SHA1: 3cd2e6a538f73483c6c59c354ce2276bcdc5ba7b
SHA256:cfa008d15f052e69221e8c3193056ff95c3c594271321ccac8d72dc1a770619c
Referenced In Project/Scope:Grouper Google Apps Provisioner:provided

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	jackson-dataformat-cbor	High
Vendor	jar	package name	cbor	Highest
Vendor	jar	package name	dataformat	Highest
Vendor	jar	package name	fasterxml	Highest
Vendor	jar	package name	jackson	Highest
Vendor	Manifest	build-jdk-spec	1.8	Low
Vendor	Manifest	bundle-docurl	http://github.com/FasterXML/jackson-dataformats-binary	Low
Vendor	Manifest	bundle-symbolicname	com.fasterxml.jackson.dataformat.jackson-dataformat-cbor	Medium
Vendor	Manifest	implementation-build-date	2021-12-15 04:37:17+0000	Low
Vendor	Manifest	Implementation-Vendor	FasterXML	High
Vendor	Manifest	Implementation-Vendor-Id	com.fasterxml.jackson.dataformat	Medium
Vendor	Manifest	require-capability	osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.7))"	Low
Vendor	Manifest	specification-vendor	FasterXML	Low
Vendor	pom	artifactid	jackson-dataformat-cbor	Highest
Vendor	pom	artifactid	jackson-dataformat-cbor	Low
Vendor	pom	groupid	com.fasterxml.jackson.dataformat	Highest
Vendor	pom	name	Jackson dataformat: CBOR	High
Vendor	pom	parent-artifactid	jackson-dataformats-binary	Low
Vendor	pom	url	http://github.com/FasterXML/jackson-dataformats-binary	Highest
Product	file	name	jackson-dataformat-cbor	High
Product	jar	package name	cbor	Highest
Product	jar	package name	dataformat	Highest
Product	jar	package name	fasterxml	Highest
Product	jar	package name	jackson	Highest
Product	Manifest	build-jdk-spec	1.8	Low
Product	Manifest	bundle-docurl	http://github.com/FasterXML/jackson-dataformats-binary	Low
Product	Manifest	Bundle-Name	Jackson dataformat: CBOR	Medium
Product	Manifest	bundle-symbolicname	com.fasterxml.jackson.dataformat.jackson-dataformat-cbor	Medium
Product	Manifest	implementation-build-date	2021-12-15 04:37:17+0000	Low
Product	Manifest	Implementation-Title	Jackson dataformat: CBOR	High
Product	Manifest	require-capability	osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.7))"	Low
Product	Manifest	specification-title	Jackson dataformat: CBOR	Medium
Product	pom	artifactid	jackson-dataformat-cbor	Highest
Product	pom	groupid	com.fasterxml.jackson.dataformat	Highest
Product	pom	name	Jackson dataformat: CBOR	High
Product	pom	parent-artifactid	jackson-dataformats-binary	Medium
Product	pom	url	http://github.com/FasterXML/jackson-dataformats-binary	Medium
Version	file	version	2.12.6	High
Version	Manifest	Bundle-Version	2.12.6	High
Version	Manifest	Implementation-Version	2.12.6	High
Version	pom	version	2.12.6	Highest

Identifiers

pkg:maven/com.fasterxml.jackson.dataformat/jackson-dataformat-cbor@2.12.6 (Confidence:High)
cpe:2.3:a:fasterxml:jackson-dataformats-binary:2.12.6:*:*:*:*:*:*:* (Confidence:Low)

Description:

Parent POM for JBoss projects. Provides default project build configuration.

License:

Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt

File Path: /home/grprdist/.m2/repository/org/jboss/jandex/2.0.4.Final/jandex-2.0.4.Final.jar
MD5: 2938e9457bf0c1fba50d8b03a05218de
SHA1: 1796bb21a7a19a10caa7c555f81da66f4bf490cb
SHA256:f75da95aa66d841c5341480247a39a5c3c615aa6966058306d49a5d3db9b3b61
Referenced In Project/Scope:Grouper Google Apps Provisioner:provided

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	jandex	High
Vendor	hint analyzer	vendor	redhat	Highest
Vendor	jar	package name	indexer	Highest
Vendor	jar	package name	jandex	Highest
Vendor	jar	package name	jboss	Highest
Vendor	Manifest	build-timestamp	Mon, 23 Oct 2017 13:00:50 -0500	Low
Vendor	Manifest	bundle-docurl	http://www.jboss.org	Low
Vendor	Manifest	bundle-symbolicname	org.jboss.jandex	Medium
Vendor	Manifest	implementation-url	http://www.jboss.org/jandex	Low
Vendor	Manifest	Implementation-Vendor	JBoss by Red Hat	High
Vendor	Manifest	Implementation-Vendor-Id	org.jboss	Medium
Vendor	Manifest	os-arch	amd64	Low
Vendor	Manifest	os-name	Linux	Medium
Vendor	Manifest	specification-vendor	JBoss by Red Hat	Low
Vendor	pom	artifactid	jandex	Highest
Vendor	pom	artifactid	jandex	Low
Vendor	pom	groupid	org.jboss	Highest
Vendor	pom	name	Java Annotation Indexer	High
Vendor	pom	parent-artifactid	jboss-parent	Low
Product	file	name	jandex	High
Product	jar	package name	indexer	Highest
Product	jar	package name	jandex	Highest
Product	jar	package name	jboss	Highest
Product	Manifest	build-timestamp	Mon, 23 Oct 2017 13:00:50 -0500	Low
Product	Manifest	bundle-docurl	http://www.jboss.org	Low
Product	Manifest	Bundle-Name	Java Annotation Indexer	Medium
Product	Manifest	bundle-symbolicname	org.jboss.jandex	Medium
Product	Manifest	Implementation-Title	Java Annotation Indexer	High
Product	Manifest	implementation-url	http://www.jboss.org/jandex	Low
Product	Manifest	os-arch	amd64	Low
Product	Manifest	os-name	Linux	Medium
Product	Manifest	specification-title	Java Annotation Indexer	Medium
Product	pom	artifactid	jandex	Highest
Product	pom	groupid	org.jboss	Highest
Product	pom	name	Java Annotation Indexer	High
Product	pom	parent-artifactid	jboss-parent	Medium
Version	Manifest	Bundle-Version	2.0.4.Final	High
Version	Manifest	Implementation-Version	2.0.4.Final	High
Version	pom	parent-version	2.0.4.Final	Low
Version	pom	version	2.0.4.Final	Highest

Identifiers

pkg:maven/org.jboss/jandex@2.0.4.Final (Confidence:High)

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt

File Path: /home/grprdist/.m2/repository/com/googlecode/java-ipv6/java-ipv6/0.17/java-ipv6-0.17.jar
MD5: 7eab662f5ec5c0f1d964e1c551a5ac02
SHA1: 243426a162fa169ad40f5f59cb957321f00cba3f
SHA256:37cf71baf707041cb494834c559ad12b631f5c7747c804ec19598bc0e0f01162
Referenced In Project/Scope:Grouper Google Apps Provisioner:provided

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	java-ipv6	High
Vendor	jar	package name	googlecode	Highest
Vendor	jar	package name	googlecode	Low
Vendor	jar	package name	ipv6	Highest
Vendor	jar	package name	ipv6	Low
Vendor	pom	artifactid	java-ipv6	Highest
Vendor	pom	artifactid	java-ipv6	Low
Vendor	pom	groupid	com.googlecode.java-ipv6	Highest
Vendor	pom	name	Java IPv6 Library	High
Vendor	pom	url	janvanbesien/java-ipv6/	Highest
Product	file	name	java-ipv6	High
Product	jar	package name	googlecode	Highest
Product	jar	package name	ipv6	Highest
Product	jar	package name	ipv6	Low
Product	pom	artifactid	java-ipv6	Highest
Product	pom	groupid	com.googlecode.java-ipv6	Highest
Product	pom	name	Java IPv6 Library	High
Product	pom	url	janvanbesien/java-ipv6/	High
Version	file	version	0.17	High
Version	pom	version	0.17	Highest

Identifiers

pkg:maven/com.googlecode.java-ipv6/java-ipv6@0.17 (Confidence:High)

Description:

Java implementation of JSON Web Token (JWT)

License:

The MIT License (MIT): https://raw.githubusercontent.com/auth0/java-jwt/master/LICENSE

File Path: /home/grprdist/.m2/repository/com/auth0/java-jwt/3.10.3/java-jwt-3.10.3.jar
MD5: 69ca7c81203e238a71437325580b3663
SHA1: 138b7ea9ca2c8c8e66acf5a70e809490bcf08955
SHA256:c5901a5dadf420867cd6cb598f7ae09b0cde7f7e46b7e1a70b56be8d5a5c64a6
Referenced In Project/Scope:Grouper Google Apps Provisioner:provided

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	java-jwt	High
Vendor	jar	package name	auth0	Highest
Vendor	jar	package name	jwt	Highest
Vendor	pom	artifactid	java-jwt	Highest
Vendor	pom	artifactid	java-jwt	Low
Vendor	pom	developer email	hernan@auth0.com	Low
Vendor	pom	developer email	luciano.balmaceda@auth0.com	Low
Vendor	pom	developer email	oss@auth0.com	Low
Vendor	pom	developer id	auth0	Medium
Vendor	pom	developer id	hzalaz	Medium
Vendor	pom	developer id	lbalmaceda	Medium
Vendor	pom	developer name	Auth0	Medium
Vendor	pom	developer name	Hernan Zalazar	Medium
Vendor	pom	developer name	Luciano Balmaceda	Medium
Vendor	pom	groupid	com.auth0	Highest
Vendor	pom	name	java jwt	High
Vendor	pom	url	auth0/java-jwt	Highest
Product	file	name	java-jwt	High
Product	jar	package name	auth0	Highest
Product	jar	package name	jwt	Highest
Product	Manifest	Implementation-Title	java-jwt	High
Product	pom	artifactid	java-jwt	Highest
Product	pom	developer email	hernan@auth0.com	Low
Product	pom	developer email	luciano.balmaceda@auth0.com	Low
Product	pom	developer email	oss@auth0.com	Low
Product	pom	developer id	auth0	Low
Product	pom	developer id	hzalaz	Low
Product	pom	developer id	lbalmaceda	Low
Product	pom	developer name	Auth0	Low
Product	pom	developer name	Hernan Zalazar	Low
Product	pom	developer name	Luciano Balmaceda	Low
Product	pom	groupid	com.auth0	Highest
Product	pom	name	java jwt	High
Product	pom	url	auth0/java-jwt	High
Version	file	version	3.10.3	High
Version	Manifest	Implementation-Version	3.10.3	High
Version	pom	version	3.10.3	Highest

Identifiers

pkg:maven/com.auth0/java-jwt@3.10.3 (Confidence:High)

Description:

  	Javassist (JAVA programming ASSISTant) makes Java bytecode manipulation
    simple.  It is a class library for editing bytecodes in Java.

License:

MPL 1.1: http://www.mozilla.org/MPL/MPL-1.1.html
LGPL 2.1: http://www.gnu.org/licenses/lgpl-2.1.html
Apache License 2.0: http://www.apache.org/licenses/

File Path: /home/grprdist/.m2/repository/org/javassist/javassist/3.22.0-GA/javassist-3.22.0-GA.jar
MD5: 69f277ed4c6631e45ec4cacd0e6e46c6
SHA1: 3e83394258ae2089be7219b971ec21a8288528ad
SHA256:59531c00f3e3aa1ff48b3a8cf4ead47d203ab0e2fd9e0ad401f764e05947e252
Referenced In Project/Scope:Grouper Google Apps Provisioner:provided

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	javassist	High
Vendor	jar	package name	bytecode	Highest
Vendor	jar	package name	javassist	Highest
Vendor	Manifest	bundle-symbolicname	javassist	Medium
Vendor	Manifest	require-capability	osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.6))"	Low
Vendor	Manifest	specification-vendor	Shigeru Chiba, www.javassist.org	Low
Vendor	pom	artifactid	javassist	Highest
Vendor	pom	artifactid	javassist	Low
Vendor	pom	developer email	adinn@redhat.com	Low
Vendor	pom	developer email	chiba@javassist.org	Low
Vendor	pom	developer email	kabir.khan@jboss.com	Low
Vendor	pom	developer email	smarlow@redhat.com	Low
Vendor	pom	developer id	adinn	Medium
Vendor	pom	developer id	chiba	Medium
Vendor	pom	developer id	kabir.khan@jboss.com	Medium
Vendor	pom	developer id	scottmarlow	Medium
Vendor	pom	developer name	Andrew Dinn	Medium
Vendor	pom	developer name	Kabir Khan	Medium
Vendor	pom	developer name	Scott Marlow	Medium
Vendor	pom	developer name	Shigeru Chiba	Medium
Vendor	pom	developer org	JBoss	Medium
Vendor	pom	developer org	The Javassist Project	Medium
Vendor	pom	developer org URL	http://www.javassist.org/	Medium
Vendor	pom	developer org URL	http://www.jboss.org/	Medium
Vendor	pom	groupid	org.javassist	Highest
Vendor	pom	name	Javassist	High
Vendor	pom	organization name	Shigeru Chiba, www.javassist.org	High
Vendor	pom	url	http://www.javassist.org/	Highest
Product	file	name	javassist	High
Product	jar	package name	bytecode	Highest
Product	jar	package name	javassist	Highest
Product	Manifest	Bundle-Name	Javassist	Medium
Product	Manifest	bundle-symbolicname	javassist	Medium
Product	Manifest	require-capability	osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.6))"	Low
Product	Manifest	specification-title	Javassist	Medium
Product	pom	artifactid	javassist	Highest
Product	pom	developer email	adinn@redhat.com	Low
Product	pom	developer email	chiba@javassist.org	Low
Product	pom	developer email	kabir.khan@jboss.com	Low
Product	pom	developer email	smarlow@redhat.com	Low
Product	pom	developer id	adinn	Low
Product	pom	developer id	chiba	Low
Product	pom	developer id	kabir.khan@jboss.com	Low
Product	pom	developer id	scottmarlow	Low
Product	pom	developer name	Andrew Dinn	Low
Product	pom	developer name	Kabir Khan	Low
Product	pom	developer name	Scott Marlow	Low
Product	pom	developer name	Shigeru Chiba	Low
Product	pom	developer org	JBoss	Low
Product	pom	developer org	The Javassist Project	Low
Product	pom	developer org URL	http://www.javassist.org/	Low
Product	pom	developer org URL	http://www.jboss.org/	Low
Product	pom	groupid	org.javassist	Highest
Product	pom	name	Javassist	High
Product	pom	organization name	Shigeru Chiba, www.javassist.org	Low
Product	pom	url	http://www.javassist.org/	Medium
Version	Manifest	specification-version	3.22.0-GA	High
Version	pom	version	3.22.0-GA	Highest

Identifiers

pkg:maven/org.javassist/javassist@3.22.0-GA (Confidence:High)

Description:

JavaBeans Activation Framework API jar

License:

https://github.com/javaee/activation/blob/master/LICENSE.txt

File Path: /home/grprdist/.m2/repository/javax/activation/javax.activation-api/1.2.0/javax.activation-api-1.2.0.jar
MD5: 5e50e56bcf4a3ef3bc758f69f7643c3b
SHA1: 85262acf3ca9816f9537ca47d5adeabaead7cb16
SHA256:43fdef0b5b6ceb31b0424b208b930c74ab58fac2ceeb7b3f6fd3aeb8b5ca4393
Referenced In Project/Scope:Grouper Google Apps Provisioner:provided

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	javax.activation-api	High
Vendor	jar	package name	activation	Highest
Vendor	jar	package name	javax	Highest
Vendor	Manifest	automatic-module-name	java.activation	Medium
Vendor	Manifest	bundle-docurl	http://www.oracle.com	Low
Vendor	Manifest	bundle-symbolicname	javax.activation-api	Medium
Vendor	Manifest	extension-name	javax.activation	Medium
Vendor	Manifest	Implementation-Vendor	Oracle	High
Vendor	Manifest	Implementation-Vendor-Id	com.sun	Medium
Vendor	Manifest	originally-created-by	1.8.0_141 (Oracle Corporation)	Low
Vendor	Manifest	specification-vendor	Oracle	Low
Vendor	Manifest (hint)	Implementation-Vendor	sun	High
Vendor	Manifest (hint)	specification-vendor	sun	Low
Vendor	pom	artifactid	javax.activation-api	Highest
Vendor	pom	artifactid	javax.activation-api	Low
Vendor	pom	groupid	javax.activation	Highest
Vendor	pom	name	JavaBeans Activation Framework API jar	High
Vendor	pom	parent-artifactid	all	Low
Vendor	pom	parent-groupid	com.sun.activation	Medium
Product	file	name	javax.activation-api	High
Product	jar	package name	activation	Highest
Product	jar	package name	javax	Highest
Product	Manifest	automatic-module-name	java.activation	Medium
Product	Manifest	bundle-docurl	http://www.oracle.com	Low
Product	Manifest	Bundle-Name	JavaBeans Activation Framework API jar	Medium
Product	Manifest	bundle-symbolicname	javax.activation-api	Medium
Product	Manifest	extension-name	javax.activation	Medium
Product	Manifest	Implementation-Title	javax.activation.javax.activation-api	High
Product	Manifest	originally-created-by	1.8.0_141 (Oracle Corporation)	Low
Product	Manifest	specification-title	javax.activation.javax.activation-api	Medium
Product	pom	artifactid	javax.activation-api	Highest
Product	pom	groupid	javax.activation	Highest
Product	pom	name	JavaBeans Activation Framework API jar	High
Product	pom	parent-artifactid	all	Medium
Product	pom	parent-groupid	com.sun.activation	Medium
Version	file	version	1.2.0	High
Version	Manifest	Bundle-Version	1.2.0	High
Version	Manifest	Implementation-Version	1.2.0	High
Version	pom	version	1.2.0	Highest

Identifiers

pkg:maven/javax.activation/javax.activation-api@1.2.0 (Confidence:High)

Description:

Java(TM) Persistence API

License:

Eclipse Public License v1.0: http://www.eclipse.org/legal/epl-v10.html
Eclipse Distribution License v. 1.0: http://www.eclipse.org/org/documents/edl-v10.php

File Path: /home/grprdist/.m2/repository/javax/persistence/javax.persistence-api/2.2/javax.persistence-api-2.2.jar
MD5: e6520b3435f5b6d58eee415b5542abf8
SHA1: 25665ac8c0b62f50e6488173233239120fc52c96
SHA256:5578b71b37999a5eaed3fea0d14aa61c60c6ec6328256f2b63472f336318baf4
Referenced In Project/Scope:Grouper Google Apps Provisioner:provided

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	javax.persistence-api	High
Vendor	jar	package name	javax	Highest
Vendor	jar	package name	persistence	Highest
Vendor	Manifest	automatic-module-name	java.persistence	Medium
Vendor	Manifest	bundle-symbolicname	javax.persistence-api	Medium
Vendor	Manifest	extension-name	javax.persistence	Medium
Vendor	Manifest	Implementation-Vendor-Id	com.oracle	Medium
Vendor	Manifest	require-capability	osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))"	Low
Vendor	Manifest	specification-vendor	Oracle Corporation	Low
Vendor	pom	artifactid	javax.persistence-api	Highest
Vendor	pom	artifactid	javax.persistence-api	Low
Vendor	pom	groupid	javax.persistence	Highest
Vendor	pom	parent-artifactid	jvnet-parent	Low
Vendor	pom	parent-groupid	net.java	Medium
Vendor	pom	url	javaee/jpa-spec	Highest
Product	file	name	javax.persistence-api	High
Product	jar	package name	javax	Highest
Product	jar	package name	persistence	Highest
Product	jar	package name	version	Highest
Product	Manifest	automatic-module-name	java.persistence	Medium
Product	Manifest	Bundle-Name	Java(TM) Persistence API jar	Medium
Product	Manifest	bundle-symbolicname	javax.persistence-api	Medium
Product	Manifest	extension-name	javax.persistence	Medium
Product	Manifest	require-capability	osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))"	Low
Product	pom	artifactid	javax.persistence-api	Highest
Product	pom	groupid	javax.persistence	Highest
Product	pom	parent-artifactid	jvnet-parent	Medium
Product	pom	parent-groupid	net.java	Medium
Product	pom	url	javaee/jpa-spec	High
Version	file	version	2.2	High
Version	Manifest	Bundle-Version	2.2	High
Version	Manifest	Implementation-Version	2.2	High
Version	pom	parent-version	2.2	Low
Version	pom	version	2.2	Highest

Identifiers

pkg:maven/javax.persistence/javax.persistence-api@2.2 (Confidence:High)
cpe:2.3:a:oracle:java_se:2.2:*:*:*:*:*:*:* (Confidence:Low)

Description:

JAXB (JSR 222) API

License:

https://oss.oracle.com/licenses/CDDL+GPL-1.1, https://oss.oracle.com/licenses/CDDL+GPL-1.1

File Path: /home/grprdist/.m2/repository/javax/xml/bind/jaxb-api/2.3.1/jaxb-api-2.3.1.jar
MD5: bcf270d320f645ad19f5edb60091e87f
SHA1: 8531ad5ac454cc2deb9d4d32c40c4d7451939b5d
SHA256:88b955a0df57880a26a74708bc34f74dcaf8ebf4e78843a28b50eae945732b06
Referenced In Project/Scope:Grouper Google Apps Provisioner:provided

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	jaxb-api	High
Vendor	jar	package name	bind	Highest
Vendor	jar	package name	javax	Highest
Vendor	jar	package name	jaxb	Highest
Vendor	jar	package name	xml	Highest
Vendor	Manifest	bundle-docurl	http://www.oracle.com/	Low
Vendor	Manifest	bundle-symbolicname	jaxb-api	Medium
Vendor	Manifest	extension-name	javax.xml.bind	Medium
Vendor	Manifest	implementation-build-id	UNKNOWN-7de2ca118a0cfc4a373872915aef59148dff5f93, 2018-09-12T06:28:43-0700	Low
Vendor	Manifest	Implementation-Vendor	Oracle Corporation	High
Vendor	Manifest	Implementation-Vendor-Id	org.glassfish	Medium
Vendor	Manifest	multi-release	true	Low
Vendor	Manifest	require-capability	osgi.ee;filter:="(&(osgi.ee=JavaSE)(version>=1.8))"	Low
Vendor	Manifest	specification-vendor	Oracle Corporation	Low
Vendor	pom	artifactid	jaxb-api	Highest
Vendor	pom	artifactid	jaxb-api	Low
Vendor	pom	groupid	javax.xml.bind	Highest
Vendor	pom	parent-artifactid	jaxb-api-parent	Low
Product	file	name	jaxb-api	High
Product	jar	package name	bind	Highest
Product	jar	package name	javax	Highest
Product	jar	package name	jaxb	Highest
Product	jar	package name	xml	Highest
Product	Manifest	bundle-docurl	http://www.oracle.com/	Low
Product	Manifest	Bundle-Name	jaxb-api	Medium
Product	Manifest	bundle-symbolicname	jaxb-api	Medium
Product	Manifest	extension-name	javax.xml.bind	Medium
Product	Manifest	implementation-build-id	UNKNOWN-7de2ca118a0cfc4a373872915aef59148dff5f93, 2018-09-12T06:28:43-0700	Low
Product	Manifest	multi-release	true	Low
Product	Manifest	require-capability	osgi.ee;filter:="(&(osgi.ee=JavaSE)(version>=1.8))"	Low
Product	Manifest	specification-title	jaxb-api	Medium
Product	pom	artifactid	jaxb-api	Highest
Product	pom	groupid	javax.xml.bind	Highest
Product	pom	parent-artifactid	jaxb-api-parent	Medium
Version	file	version	2.3.1	High
Version	Manifest	Bundle-Version	2.3.1	High
Version	pom	version	2.3.1	Highest

Identifiers

pkg:maven/javax.xml.bind/jaxb-api@2.3.1 (Confidence:High)
cpe:2.3:a:oracle:java_se:2.3.1:*:*:*:*:*:*:* (Confidence:Low)

Description:

JAXB (JSR 222) Reference Implementation

File Path: /home/grprdist/.m2/repository/org/glassfish/jaxb/jaxb-runtime/2.3.1/jaxb-runtime-2.3.1.jar
MD5: 848098e3eda0d37738d51a7acacd8e95
SHA1: dd6dda9da676a54c5b36ca2806ff95ee017d8738
SHA256:45fecfa5c8217ce1f3652ab95179790ec8cc0dec0384bca51cbeb94a293d9f2f
Referenced In Project/Scope:Grouper Google Apps Provisioner:provided

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	jaxb-runtime	High
Vendor	jar	package name	bind	Highest
Vendor	jar	package name	sun	Highest
Vendor	jar	package name	xml	Highest
Vendor	jar (hint)	package name	oracle	Highest
Vendor	Manifest	git-revision	ad5fa4c697632694cbcfa80177707db908cd98b2	Low
Vendor	Manifest	Implementation-Vendor	Oracle	High
Vendor	Manifest	Implementation-Vendor-Id	com.oracle	Medium
Vendor	Manifest (hint)	Implementation-Vendor	sun	High
Vendor	pom	artifactid	jaxb-runtime	Highest
Vendor	pom	artifactid	jaxb-runtime	Low
Vendor	pom	groupid	org.glassfish.jaxb	Highest
Vendor	pom	name	JAXB Runtime	High
Vendor	pom	parent-artifactid	jaxb-runtime-parent	Low
Vendor	pom	parent-groupid	com.sun.xml.bind.mvn	Medium
Product	file	name	jaxb-runtime	High
Product	jar	package name	bind	Highest
Product	jar	package name	sun	Highest
Product	jar	package name	xml	Highest
Product	Manifest	git-revision	ad5fa4c697632694cbcfa80177707db908cd98b2	Low
Product	Manifest	Implementation-Title	JAXB Implementation	High
Product	Manifest	specification-title	Java Architecture for XML Binding	Medium
Product	pom	artifactid	jaxb-runtime	Highest
Product	pom	groupid	org.glassfish.jaxb	Highest
Product	pom	name	JAXB Runtime	High
Product	pom	parent-artifactid	jaxb-runtime-parent	Medium
Product	pom	parent-groupid	com.sun.xml.bind.mvn	Medium
Version	file	version	2.3.1	High
Version	Manifest	build-id	2.3.1	Medium
Version	Manifest	Implementation-Version	2.3.1	High
Version	Manifest	major-version	2.3.1	Medium
Version	pom	version	2.3.1	Highest

Identifiers

pkg:maven/org.glassfish.jaxb/jaxb-runtime@2.3.1 (Confidence:High)

Description:

The JBoss Logging Framework

License:

Apache License, version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt

File Path: /home/grprdist/.m2/repository/org/jboss/logging/jboss-logging/3.3.1.Final/jboss-logging-3.3.1.Final.jar
MD5: 93cf8945ff84aaf9f0ed9a76991338fb
SHA1: c46217ab74b532568c0ed31dc599db3048bd1b67
SHA256:9f7d8b884370763b131bf48a0fc91edec89ad80e0e40c47658098a686a905bb2
Referenced In Project/Scope:Grouper Google Apps Provisioner:provided

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	jboss-logging	High
Vendor	hint analyzer	vendor	redhat	Highest
Vendor	jar	package name	jboss	Highest
Vendor	jar	package name	logging	Highest
Vendor	Manifest	build-timestamp	Wed, 15 Mar 2017 13:22:07 -0700	Low
Vendor	Manifest	bundle-docurl	http://www.jboss.org	Low
Vendor	Manifest	bundle-symbolicname	org.jboss.logging.jboss-logging	Medium
Vendor	Manifest	implementation-url	http://www.jboss.org	Low
Vendor	Manifest	Implementation-Vendor	JBoss by Red Hat	High
Vendor	Manifest	Implementation-Vendor-Id	org.jboss.logging	Medium
Vendor	Manifest	os-arch	amd64	Low
Vendor	Manifest	os-name	Linux	Medium
Vendor	Manifest	specification-vendor	JBoss by Red Hat	Low
Vendor	pom	artifactid	jboss-logging	Highest
Vendor	pom	artifactid	jboss-logging	Low
Vendor	pom	groupid	org.jboss.logging	Highest
Vendor	pom	name	JBoss Logging 3	High
Vendor	pom	parent-artifactid	jboss-parent	Low
Vendor	pom	parent-groupid	org.jboss	Medium
Vendor	pom	url	http://www.jboss.org	Highest
Product	file	name	jboss-logging	High
Product	jar	package name	jboss	Highest
Product	jar	package name	logging	Highest
Product	Manifest	build-timestamp	Wed, 15 Mar 2017 13:22:07 -0700	Low
Product	Manifest	bundle-docurl	http://www.jboss.org	Low
Product	Manifest	Bundle-Name	JBoss Logging 3	Medium
Product	Manifest	bundle-symbolicname	org.jboss.logging.jboss-logging	Medium
Product	Manifest	Implementation-Title	JBoss Logging 3	High
Product	Manifest	implementation-url	http://www.jboss.org	Low
Product	Manifest	os-arch	amd64	Low
Product	Manifest	os-name	Linux	Medium
Product	Manifest	specification-title	JBoss Logging 3	Medium
Product	pom	artifactid	jboss-logging	Highest
Product	pom	groupid	org.jboss.logging	Highest
Product	pom	name	JBoss Logging 3	High
Product	pom	parent-artifactid	jboss-parent	Medium
Product	pom	parent-groupid	org.jboss	Medium
Product	pom	url	http://www.jboss.org	Medium
Version	Manifest	Bundle-Version	3.3.1.Final	High
Version	Manifest	Implementation-Version	3.3.1.Final	High
Version	pom	parent-version	3.3.1.Final	Low
Version	pom	version	3.3.1.Final	Highest

Identifiers

pkg:maven/org.jboss.logging/jboss-logging@3.3.1.Final (Confidence:High)

Description:

The Java Transaction 1.2 API classes

License:

Common Development and Distribution License: http://repository.jboss.org/licenses/cddl.txt
GNU General Public License, Version 2 with the Classpath Exception: http://repository.jboss.org/licenses/gpl-2.0-ce.txt

File Path: /home/grprdist/.m2/repository/org/jboss/spec/javax/transaction/jboss-transaction-api_1.2_spec/1.1.1.Final/jboss-transaction-api_1.2_spec-1.1.1.Final.jar
MD5: 1e633c47138aba999d39692a31a1a124
SHA1: a8485cab9484dda36e9a8c319e76b5cc18797b58
SHA256:a310a50b9bdc44aaf36362dc9bb212235a147ffa8ef72dc9544a39c329eabbc3
Referenced In Project/Scope:Grouper Google Apps Provisioner:provided

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	jboss-transaction-api_1.2_spec-1.1.1.Final	High
Vendor	hint analyzer	vendor	redhat	Highest
Vendor	jar	package name	javax	Highest
Vendor	jar	package name	transaction	Highest
Vendor	Manifest	automatic-module-name	java.transaction	Medium
Vendor	Manifest	bundle-docurl	http://www.jboss.org	Low
Vendor	Manifest	bundle-symbolicname	org.jboss.spec.javax.transaction.jboss-transaction-api_1.2_spec	Medium
Vendor	Manifest	implementation-url	http://www.jboss.org/jboss-transaction-api_1.2_spec	Low
Vendor	Manifest	Implementation-Vendor	JBoss by Red Hat	High
Vendor	Manifest	Implementation-Vendor-Id	org.jboss.spec.javax.transaction	Medium
Vendor	Manifest	os-arch	x86	Low
Vendor	Manifest	os-name	Windows 10	Medium
Vendor	Manifest	require-capability	osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.7))"	Low
Vendor	pom	artifactid	jboss-transaction-api_1.2_spec	Highest
Vendor	pom	artifactid	jboss-transaction-api_1.2_spec	Low
Vendor	pom	groupid	org.jboss.spec.javax.transaction	Highest
Vendor	pom	name	Java Transaction API	High
Vendor	pom	parent-artifactid	jboss-parent	Low
Vendor	pom	parent-groupid	org.jboss	Medium
Product	file	name	jboss-transaction-api_1.2_spec-1.1.1.Final	High
Product	jar	package name	javax	Highest
Product	jar	package name	transaction	Highest
Product	Manifest	automatic-module-name	java.transaction	Medium
Product	Manifest	bundle-docurl	http://www.jboss.org	Low
Product	Manifest	Bundle-Name	Java Transaction API	Medium
Product	Manifest	bundle-symbolicname	org.jboss.spec.javax.transaction.jboss-transaction-api_1.2_spec	Medium
Product	Manifest	Implementation-Title	Java Transaction API	High
Product	Manifest	implementation-url	http://www.jboss.org/jboss-transaction-api_1.2_spec	Low
Product	Manifest	os-arch	x86	Low
Product	Manifest	os-name	Windows 10	Medium
Product	Manifest	require-capability	osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.7))"	Low
Product	Manifest	specification-title	JSR 907: Java Transaction API (JTA)	Medium
Product	pom	artifactid	jboss-transaction-api_1.2_spec	Highest
Product	pom	groupid	org.jboss.spec.javax.transaction	Highest
Product	pom	name	Java Transaction API	High
Product	pom	parent-artifactid	jboss-parent	Medium
Product	pom	parent-groupid	org.jboss	Medium
Version	Manifest	Bundle-Version	1.1.1.Final	High
Version	Manifest	Implementation-Version	1.1.1.Final	High
Version	pom	parent-version	1.1.1.Final	Low
Version	pom	version	1.1.1.Final	Highest

Identifiers

pkg:maven/org.jboss.spec.javax.transaction/jboss-transaction-api_1.2_spec@1.1.1.Final (Confidence:High)

Description:

    A clean room implementation of the JCIP Annotations based entirely on the specification provided by the javadocs.

License:

Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt

File Path: /home/grprdist/.m2/repository/com/github/stephenc/jcip/jcip-annotations/1.0-1/jcip-annotations-1.0-1.jar
MD5: d62dbfa8789378457ada685e2f614846
SHA1: ef31541dd28ae2cefdd17c7ebf352d93e9058c63
SHA256:4fccff8382aafc589962c4edb262f6aa595e34f1e11e61057d1c6a96e8fc7323
Referenced In Project/Scope:Grouper Google Apps Provisioner:provided

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	jcip-annotations	High
Vendor	jar	package name	annotations	Highest
Vendor	jar	package name	annotations	Low
Vendor	jar	package name	jcip	Highest
Vendor	jar	package name	jcip	Low
Vendor	jar	package name	net	Low
Vendor	pom	artifactid	jcip-annotations	Highest
Vendor	pom	artifactid	jcip-annotations	Low
Vendor	pom	developer id	stephenc	Medium
Vendor	pom	developer name	Stephen Connolly	Medium
Vendor	pom	groupid	com.github.stephenc.jcip	Highest
Vendor	pom	name	JCIP Annotations under Apache License	High
Vendor	pom	url	http://stephenc.github.com/jcip-annotations	Highest
Product	file	name	jcip-annotations	High
Product	jar	package name	annotations	Highest
Product	jar	package name	annotations	Low
Product	jar	package name	jcip	Highest
Product	jar	package name	jcip	Low
Product	pom	artifactid	jcip-annotations	Highest
Product	pom	developer id	stephenc	Low
Product	pom	developer name	Stephen Connolly	Low
Product	pom	groupid	com.github.stephenc.jcip	Highest
Product	pom	name	JCIP Annotations under Apache License	High
Product	pom	url	http://stephenc.github.com/jcip-annotations	Medium
Version	pom	version	1.0-1	Highest

Identifiers

pkg:maven/com.github.stephenc.jcip/jcip-annotations@1.0-1 (Confidence:High)

Description:

Jetty server core

License:

http://www.apache.org/licenses/LICENSE-2.0, http://www.eclipse.org/org/documents/epl-v10.php

File Path: /home/grprdist/.m2/repository/org/mortbay/jetty/jetty/6.1.26/jetty-6.1.26.jar
MD5: 12b65438bbaf225102d0396c21236052
SHA1: 2f546e289fddd5b1fab1d4199fbb6e9ef43ee4b0
SHA256:21091d3a9c1349f640fdc421504a604c040ed89087ecc12afbe32353326ed4e5
Referenced In Project/Scope:Grouper Google Apps Provisioner:provided

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	jetty	High
Vendor	jar	package name	jetty	Highest
Vendor	jar	package name	mortbay	Highest
Vendor	jar	package name	server	Highest
Vendor	Manifest	bundle-docurl	http://jetty.mortbay.org	Low
Vendor	Manifest	bundle-requiredexecutionenvironment	J2SE-1.4	Low
Vendor	Manifest	bundle-symbolicname	org.mortbay.jetty.server	Medium
Vendor	Manifest	mode	development	Low
Vendor	Manifest	originally-created-by	1.6.0_22 (Sun Microsystems Inc.)	Low
Vendor	Manifest	url	http://www.eclipse.org/jetty/jetty-parent/project/modules/jetty	Low
Vendor	pom	artifactid	jetty	Highest
Vendor	pom	artifactid	jetty	Low
Vendor	pom	groupid	org.mortbay.jetty	Highest
Vendor	pom	name	Jetty Server	High
Vendor	pom	parent-artifactid	project	Low
Product	file	name	jetty	High
Product	jar	package name	jetty	Highest
Product	jar	package name	mortbay	Highest
Product	jar	package name	server	Highest
Product	Manifest	bundle-docurl	http://jetty.mortbay.org	Low
Product	Manifest	Bundle-Name	Jetty Server	Medium
Product	Manifest	bundle-requiredexecutionenvironment	J2SE-1.4	Low
Product	Manifest	bundle-symbolicname	org.mortbay.jetty.server	Medium
Product	Manifest	mode	development	Low
Product	Manifest	originally-created-by	1.6.0_22 (Sun Microsystems Inc.)	Low
Product	Manifest	url	http://www.eclipse.org/jetty/jetty-parent/project/modules/jetty	Low
Product	pom	artifactid	jetty	Highest
Product	pom	groupid	org.mortbay.jetty	Highest
Product	pom	name	Jetty Server	High
Product	pom	parent-artifactid	project	Medium
Version	file	version	6.1.26	High
Version	Manifest	Bundle-Version	6.1.26	High
Version	Manifest	implementation-version	6.1.26	High
Version	pom	version	6.1.26	Highest

Related Dependencies

Identifiers

pkg:maven/org.mortbay.jetty/jetty@6.1.26 (Confidence:High)
cpe:2.3:a:jetty:jetty:6.1.26:*:*:*:*:*:*:* (Confidence:Highest)
cpe:2.3:a:mortbay:jetty:6.1.26:*:*:*:*:*:*:* (Confidence:Highest)
cpe:2.3:a:mortbay_jetty:jetty:6.1.26:*:*:*:*:*:*:* (Confidence:Highest)

Published Vulnerabilities

CVE-2011-4461

Jetty 8.1.0.RC2 and earlier computes hash values for form parameters without restricting the ability to trigger hash collisions predictably, which allows remote attackers to cause a denial of service (CPU consumption) by sending many crafted parameters.

CWE-310 Cryptographic Issues

CVSSv2:

Base Score: MEDIUM (5.0)
Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:P

CVSSv3:

Base Score: MEDIUM (5.3)
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

References:

BUGTRAQ - 20111228 n.runs-SA-2011.004 - web programming languages and platforms - DoS through hash table
CERT-VN - VU#903934
CONFIRM - http://www.oracle.com/technetwork/security-advisory/cpuapr2016v3-2985753.html
CONFIRM - http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html
CONFIRM - http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html
CONFIRM - https://security.netapp.com/advisory/ntap-20190307-0004/
HP - HPSBST03346
MISC - http://www.nruns.com/_downloads/advisory28122011.pdf
MISC - http://www.ocert.org/advisories/ocert-2011-003.html
OSSINDEX - [CVE-2011-4461] CWE-310
OSSIndex - http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-4461
OSSIndex - http://www.ocert.org/advisories/ocert-2011-003.html
OSSIndex - http://www.ubuntu.com/usn/USN-1429-1/
SECTRACK - 1026475
SECUNIA - 47408
SECUNIA - 48981
UBUNTU - USN-1429-1
XF - jetty-hash-dos(72017)

Vulnerable Software & Versions: (show all)

CVE-2009-1523

Directory traversal vulnerability in the HTTP server in Mort Bay Jetty 5.1.14, 6.x before 6.1.17, and 7.x through 7.0.0.M2 allows remote attackers to access arbitrary files via directory traversal sequences in the URI.

CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVSSv2:

Base Score: MEDIUM (5.0)
Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:N

References:

BID - 34800
BID - 35675
CERT-VN - VU#402580
CONFIRM - http://jira.codehaus.org/browse/JETTY-1004
CONFIRM - http://www.kb.cert.org/vuls/id/CRDY-7RKQCY
CONFIRM - http://www.oracle.com/technetwork/topics/security/cpujul2009-091332.html
CONFIRM - https://bugzilla.redhat.com/show_bug.cgi?id=499867
FEDORA - FEDORA-2009-5500
FEDORA - FEDORA-2009-5509
FEDORA - FEDORA-2009-5513
HP - SSRT100184
SECTRACK - 1022563
SECUNIA - 34975
SECUNIA - 35143
SECUNIA - 35225
SECUNIA - 35776
SECUNIA - 40553
VUPEN - ADV-2009-1900
VUPEN - ADV-2010-1792

Vulnerable Software & Versions: (show all)

License:

The BSD License: http://www.opensource.org/licenses/bsd-license.php

File Path: /home/grprdist/.m2/repository/jline/jline/2.14.5/jline-2.14.5.jar
MD5: 54de3b3c5a84e395d8066c143802985e
SHA1: fdedd5f2522122102f0b3db85fe7aa563a009926
SHA256:4f347bc90d6f5ce61c0f8928d44a7b993275ceaa7d7f237714518a9bdd5003ce
Referenced In Project/Scope:Grouper Google Apps Provisioner:provided

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	jline	High
Vendor	jar	package name	jline	Highest
Vendor	Manifest	bundle-symbolicname	jline	Medium
Vendor	Manifest	require-capability	osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.5))"	Low
Vendor	pom	artifactid	jline	Highest
Vendor	pom	artifactid	jline	Low
Vendor	pom	developer email	gnodet@gmail.com	Low
Vendor	pom	developer email	jason@planet57.com	Low
Vendor	pom	developer email	mprudhom@gmail.com	Low
Vendor	pom	developer id	gnodet	Medium
Vendor	pom	developer id	jdillon	Medium
Vendor	pom	developer id	mprudhom	Medium
Vendor	pom	developer name	Guillaume Nodet	Medium
Vendor	pom	developer name	Jason Dillon	Medium
Vendor	pom	developer name	Marc Prud'hommeaux	Medium
Vendor	pom	groupid	jline	Highest
Vendor	pom	name	JLine	High
Product	file	name	jline	High
Product	jar	package name	jline	Highest
Product	Manifest	Bundle-Name	JLine	Medium
Product	Manifest	bundle-symbolicname	jline	Medium
Product	Manifest	require-capability	osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.5))"	Low
Product	pom	artifactid	jline	Highest
Product	pom	developer email	gnodet@gmail.com	Low
Product	pom	developer email	jason@planet57.com	Low
Product	pom	developer email	mprudhom@gmail.com	Low
Product	pom	developer id	gnodet	Low
Product	pom	developer id	jdillon	Low
Product	pom	developer id	mprudhom	Low
Product	pom	developer name	Guillaume Nodet	Low
Product	pom	developer name	Jason Dillon	Low
Product	pom	developer name	Marc Prud'hommeaux	Low
Product	pom	groupid	jline	Highest
Product	pom	name	JLine	High
Version	file	version	2.14.5	High
Version	Manifest	Bundle-Version	2.14.5	High
Version	pom	version	2.14.5	Highest

Identifiers

pkg:maven/jline/jline@2.14.5 (Confidence:High)
cpe:2.3:a:planet:planet:2.14.5:*:*:*:*:*:*:* (Confidence:Low)

Description:

Implementation of the JMES Path JSON Query langauge for Java.

License:

Apache License, Version 2.0: https://aws.amazon.com/apache2.0

File Path: /home/grprdist/.m2/repository/com/amazonaws/jmespath-java/1.12.267/jmespath-java-1.12.267.jar
MD5: e2a19172a5599b97ba09a270eac7acda
SHA1: 27260189acb9fbfc3a72c8f67dbdf4ce7d11276b
SHA256:dfa93938d0c40fd07e8e97fc0db2d9b062eb69d295e524c5dd614956bf13844e
Referenced In Project/Scope:Grouper Google Apps Provisioner:provided

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	jmespath-java	High
Vendor	jar	package name	amazonaws	Highest
Vendor	jar	package name	amazonaws	Low
Vendor	jar	package name	jmespath	Highest
Vendor	jar	package name	jmespath	Low
Vendor	pom	artifactid	jmespath-java	Highest
Vendor	pom	artifactid	jmespath-java	Low
Vendor	pom	developer id	amazonwebservices	Medium
Vendor	pom	developer org	Amazon Web Services	Medium
Vendor	pom	developer org URL	https://aws.amazon.com	Medium
Vendor	pom	groupid	com.amazonaws	Highest
Vendor	pom	name	JMES Path Query library	High
Vendor	pom	parent-artifactid	aws-java-sdk-pom	Low
Vendor	pom	url	https://aws.amazon.com/sdkforjava	Highest
Product	file	name	jmespath-java	High
Product	jar	package name	amazonaws	Highest
Product	jar	package name	jmespath	Highest
Product	jar	package name	jmespath	Low
Product	pom	artifactid	jmespath-java	Highest
Product	pom	developer id	amazonwebservices	Low
Product	pom	developer org	Amazon Web Services	Low
Product	pom	developer org URL	https://aws.amazon.com	Low
Product	pom	groupid	com.amazonaws	Highest
Product	pom	name	JMES Path Query library	High
Product	pom	parent-artifactid	aws-java-sdk-pom	Medium
Product	pom	url	https://aws.amazon.com/sdkforjava	Medium
Version	file	version	1.12.267	High
Version	pom	version	1.12.267	Highest

Identifiers

pkg:maven/com.amazonaws/jmespath-java@1.12.267 (Confidence:High)
cpe:2.3:a:amazon:aws-sdk-java:1.12.267:*:*:*:*:*:*:* (Confidence:Low)

Description:

Date and time library to replace JDK date handling

License:

Apache 2: http://www.apache.org/licenses/LICENSE-2.0.txt

File Path: /home/grprdist/.m2/repository/joda-time/joda-time/2.9.9/joda-time-2.9.9.jar
MD5: eca438c8cc2b1de38e28d884b7f15dbc
SHA1: f7b520c458572890807d143670c9b24f4de90897
SHA256:b049a43c1057942e6acfbece008e4949b2e35d1658d0c8e06f4485397e2fa4e7
Referenced In Project/Scope:Grouper Google Apps Provisioner:provided

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	joda-time	High
Vendor	jar	package name	joda	Highest
Vendor	jar	package name	time	Highest
Vendor	Manifest	bundle-docurl	http://www.joda.org/joda-time/	Low
Vendor	Manifest	bundle-symbolicname	joda-time	Medium
Vendor	Manifest	extension-name	joda-time	Medium
Vendor	Manifest	implementation-url	http://www.joda.org/joda-time/	Low
Vendor	Manifest	Implementation-Vendor	Joda.org	High
Vendor	Manifest	Implementation-Vendor-Id	org.joda	Medium
Vendor	Manifest	specification-vendor	Joda.org	Low
Vendor	pom	artifactid	joda-time	Highest
Vendor	pom	artifactid	joda-time	Low
Vendor	pom	developer id	broneill	Medium
Vendor	pom	developer id	jodastephen	Medium
Vendor	pom	developer name	Brian S O'Neill	Medium
Vendor	pom	developer name	Stephen Colebourne	Medium
Vendor	pom	groupid	joda-time	Highest
Vendor	pom	name	Joda-Time	High
Vendor	pom	organization name	Joda.org	High
Vendor	pom	organization url	http://www.joda.org	Medium
Vendor	pom	url	http://www.joda.org/joda-time/	Highest
Product	file	name	joda-time	High
Product	jar	package name	joda	Highest
Product	jar	package name	time	Highest
Product	Manifest	bundle-docurl	http://www.joda.org/joda-time/	Low
Product	Manifest	Bundle-Name	Joda-Time	Medium
Product	Manifest	bundle-symbolicname	joda-time	Medium
Product	Manifest	extension-name	joda-time	Medium
Product	Manifest	Implementation-Title	org.joda.time	High
Product	Manifest	implementation-url	http://www.joda.org/joda-time/	Low
Product	Manifest	specification-title	Joda-Time	Medium
Product	pom	artifactid	joda-time	Highest
Product	pom	developer id	broneill	Low
Product	pom	developer id	jodastephen	Low
Product	pom	developer name	Brian S O'Neill	Low
Product	pom	developer name	Stephen Colebourne	Low
Product	pom	groupid	joda-time	Highest
Product	pom	name	Joda-Time	High
Product	pom	organization name	Joda.org	Low
Product	pom	organization url	http://www.joda.org	Low
Product	pom	url	http://www.joda.org/joda-time/	Medium
Version	file	version	2.9.9	High
Version	Manifest	Bundle-Version	2.9.9	High
Version	Manifest	Implementation-Version	2.9.9	High
Version	pom	version	2.9.9	Highest

Identifiers

pkg:maven/joda-time/joda-time@2.9.9 (Confidence:High)
cpe:2.3:a:time_project:time:2.9.9:*:*:*:*:*:*:* (Confidence:Highest)

Description:

JSch is a pure Java implementation of SSH2

License:

Revised BSD: http://www.jcraft.com/jsch/LICENSE.txt

File Path: /home/grprdist/.m2/repository/com/jcraft/jsch/0.1.55/jsch-0.1.55.jar
MD5: c395ada0fc012d66f11bd30246f6c84d
SHA1: bbd40e5aa7aa3cfad5db34965456cee738a42a50
SHA256:d492b15a6d2ea3f1cc39c422c953c40c12289073dbe8360d98c0f6f9ec74fc44
Referenced In Project/Scope:Grouper Google Apps Provisioner:provided

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	jsch	High
Vendor	jar	package name	jcraft	Highest
Vendor	jar	package name	jcraft	Low
Vendor	jar	package name	jsch	Highest
Vendor	jar	package name	jsch	Low
Vendor	pom	artifactid	jsch	Highest
Vendor	pom	artifactid	jsch	Low
Vendor	pom	developer email	ymnk at jcraft D0t com	Low
Vendor	pom	developer id	ymnk	Medium
Vendor	pom	developer name	Atsuhiko Yamanaka	Medium
Vendor	pom	developer org	JCraft,Inc.	Medium
Vendor	pom	developer org URL	http://www.jcraft.com/	Medium
Vendor	pom	groupid	com.jcraft	Highest
Vendor	pom	name	JSch	High
Vendor	pom	organization name	JCraft,Inc.	High
Vendor	pom	organization url	http://www.jcraft.com/	Medium
Vendor	pom	url	http://www.jcraft.com/jsch/	Highest
Product	file	name	jsch	High
Product	jar	package name	jcraft	Highest
Product	jar	package name	jsch	Highest
Product	jar	package name	jsch	Low
Product	pom	artifactid	jsch	Highest
Product	pom	developer email	ymnk at jcraft D0t com	Low
Product	pom	developer id	ymnk	Low
Product	pom	developer name	Atsuhiko Yamanaka	Low
Product	pom	developer org	JCraft,Inc.	Low
Product	pom	developer org URL	http://www.jcraft.com/	Low
Product	pom	groupid	com.jcraft	Highest
Product	pom	name	JSch	High
Product	pom	organization name	JCraft,Inc.	Low
Product	pom	organization url	http://www.jcraft.com/	Low
Product	pom	url	http://www.jcraft.com/jsch/	Medium
Version	file	version	0.1.55	High
Version	pom	version	0.1.55	Highest

Identifiers

pkg:maven/com.jcraft/jsch@0.1.55 (Confidence:High)
cpe:2.3:a:jcraft:jsch:0.1.55:*:*:*:*:*:*:* (Confidence:Highest)

File Path: /home/grprdist/.m2/repository/net/sf/json-lib/json-lib/2.4/json-lib-2.4-jdk15.jar
MD5: f5db294d05b3d5a5bfb873455b0a8626
SHA1: 136743e0d12df4e785e62b48618cee169b2ae546
SHA256:8290f8871ebd3db52e36c6fa844fe172895b2c714ea589cfed3d78ad9c01a924
Referenced In Project/Scope:Grouper Google Apps Provisioner:provided

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	json-lib	High
Vendor	jar	package name	json	Low
Vendor	jar	package name	net	Low
Vendor	jar	package name	sf	Low
Vendor	pom	artifactid	json-lib	Highest
Vendor	pom	groupid	net.sf.json-lib	Highest
Product	file	name	json-lib	High
Product	jar	package name	json	Low
Product	jar	package name	sf	Low
Product	pom	artifactid	json-lib	Highest
Version	file	name	json-lib	Medium
Version	file	version	2.4.jdk15	High
Version	pom	version	2.4	Highest

Identifiers

pkg:maven/net.sf.json-lib/json-lib@2.4 (Confidence:Highest)

Description:

JSON (JavaScript Object Notation) is a lightweight data-interchange format. It is easy for humans to read and write. It is easy for machines to parse and generate. It is based on a subset of the JavaScript Programming Language, Standard ECMA-262 3rd Edition - December 1999. JSON is a text format that is completely language independent but uses conventions that are familiar to programmers of the C-family of languages, including C, C++, C#, Java, JavaScript, Perl, Python, and many others. These properties make JSON an ideal data-interchange language.

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt

File Path: /home/grprdist/.m2/repository/net/minidev/json-smart/2.4.8/json-smart-2.4.8.jar
MD5: 20a8427206313ed3aa85cdc47f730415
SHA1: 7c62f5f72ab05eb54d40e2abf0360a2fe9ea477f
SHA256:174a9ad578b56644e62b3965d8bf94ac3a76e707c6343b8abac9d3671438b4b2
Referenced In Project/Scope:Grouper Google Apps Provisioner:provided

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	json-smart	High
Vendor	jar	package name	json	Highest
Vendor	jar	package name	minidev	Highest
Vendor	jar	package name	net	Highest
Vendor	jar	package name	parser	Highest
Vendor	Manifest	bundle-docurl	https://urielch.github.io/	Low
Vendor	Manifest	bundle-symbolicname	net.minidev.json-smart	Medium
Vendor	Manifest	require-capability	osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))"	Low
Vendor	pom	artifactid	json-smart	Highest
Vendor	pom	artifactid	json-smart	Low
Vendor	pom	developer email	adoneitan@gmail.com	Low
Vendor	pom	developer email	shoothzj@gmail.com	Low
Vendor	pom	developer email	uchemouni@gmail.com	Low
Vendor	pom	developer id	erav	Medium
Vendor	pom	developer id	Shoothzj	Medium
Vendor	pom	developer id	uriel	Medium
Vendor	pom	developer name	Eitan Raviv	Medium
Vendor	pom	developer name	Uriel Chemouni	Medium
Vendor	pom	developer name	ZhangJian He	Medium
Vendor	pom	groupid	net.minidev	Highest
Vendor	pom	name	JSON Small and Fast Parser	High
Vendor	pom	organization name	Chemouni Uriel	High
Vendor	pom	organization url	https://urielch.github.io/	Medium
Vendor	pom	url	https://urielch.github.io/	Highest
Product	file	name	json-smart	High
Product	jar	package name	json	Highest
Product	jar	package name	minidev	Highest
Product	jar	package name	net	Highest
Product	jar	package name	parser	Highest
Product	Manifest	bundle-docurl	https://urielch.github.io/	Low
Product	Manifest	Bundle-Name	json-smart	Medium
Product	Manifest	bundle-symbolicname	net.minidev.json-smart	Medium
Product	Manifest	require-capability	osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))"	Low
Product	pom	artifactid	json-smart	Highest
Product	pom	developer email	adoneitan@gmail.com	Low
Product	pom	developer email	shoothzj@gmail.com	Low
Product	pom	developer email	uchemouni@gmail.com	Low
Product	pom	developer id	erav	Low
Product	pom	developer id	Shoothzj	Low
Product	pom	developer id	uriel	Low
Product	pom	developer name	Eitan Raviv	Low
Product	pom	developer name	Uriel Chemouni	Low
Product	pom	developer name	ZhangJian He	Low
Product	pom	groupid	net.minidev	Highest
Product	pom	name	JSON Small and Fast Parser	High
Product	pom	organization name	Chemouni Uriel	Low
Product	pom	organization url	https://urielch.github.io/	Low
Product	pom	url	https://urielch.github.io/	Medium
Version	file	version	2.4.8	High
Version	Manifest	Bundle-Version	2.4.8	High
Version	pom	version	2.4.8	Highest

Identifiers

pkg:maven/net.minidev/json-smart@2.4.8 (Confidence:High)
cpe:2.3:a:json-smart_project:json-smart:2.4.8:*:*:*:*:*:*:* (Confidence:Highest)
cpe:2.3:a:json-smart_project:json-smart-v2:2.4.8:*:*:*:*:*:*:* (Confidence:Low)

Published Vulnerabilities

CVE-2023-1370 (OSSINDEX)

[Json-smart](https://netplex.github.io/json-smart/) is a performance focused, JSON processor lib. When reaching a ‘[‘ or ‘{‘ character in the JSON input, the code parses an array or an object respectively. It was discovered that the code does not have any limit to the nesting of such arrays or objects. Since the parsing of nested arrays and objects is done recursively, nesting too many of them can cause a stack exhaustion (stack overflow) and crash the software.

CWE-674 Uncontrolled Recursion

CVSSv2:

Base Score: HIGH (7.5)
Vector: /AV:N/AC:L/Au:/C:N/I:N/A:H

References:

OSSINDEX - [CVE-2023-1370] CWE-674: Uncontrolled Recursion
OSSIndex - http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-1370
OSSIndex - https://ubuntu.com/security/CVE-2023-1370

Vulnerable Software & Versions (OSSINDEX):

cpe:2.3:a:net.minidev:json-smart:2.4.8:*:*:*:*:*:*:*

Description:

jsoup is a Java library for working with real-world HTML. It provides a very convenient API for fetching URLs and extracting and manipulating data, using the best of HTML5 DOM methods and CSS selectors. jsoup implements the WHATWG HTML5 specification, and parses HTML to the same DOM as modern browsers do.

License:

The MIT License: https://jsoup.org/license

File Path: /home/grprdist/.m2/repository/org/jsoup/jsoup/1.15.3/jsoup-1.15.3.jar
MD5: 4f16c3b17b8c1b0173b1ed9f99f2c27c
SHA1: f6e1d8a8819f854b681c8eaa57fd59a42329e10c
SHA256:e20a5e78b1372f2a4e620832db4442d5077e5cbde280b24c666a3770844999bc
Referenced In Project/Scope:Grouper Google Apps Provisioner:provided

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	jsoup	High
Vendor	jar	package name	jsoup	Highest
Vendor	jar	package name	parser	Highest
Vendor	Manifest	automatic-module-name	org.jsoup	Medium
Vendor	Manifest	build-jdk-spec	18	Low
Vendor	Manifest	bundle-docurl	https://jsoup.org/	Low
Vendor	Manifest	bundle-symbolicname	org.jsoup	Medium
Vendor	Manifest	Implementation-Vendor	Jonathan Hedley	High
Vendor	Manifest	require-capability	osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))"	Low
Vendor	pom	artifactid	jsoup	Highest
Vendor	pom	artifactid	jsoup	Low
Vendor	pom	developer email	jonathan@hedley.net	Low
Vendor	pom	developer id	jhy	Medium
Vendor	pom	developer name	Jonathan Hedley	Medium
Vendor	pom	groupid	org.jsoup	Highest
Vendor	pom	name	jsoup Java HTML Parser	High
Vendor	pom	organization name	Jonathan Hedley	High
Vendor	pom	organization url	https://jhy.io/	Medium
Vendor	pom	url	https://jsoup.org/	Highest
Product	file	name	jsoup	High
Product	jar	package name	jsoup	Highest
Product	jar	package name	parser	Highest
Product	Manifest	automatic-module-name	org.jsoup	Medium
Product	Manifest	build-jdk-spec	18	Low
Product	Manifest	bundle-docurl	https://jsoup.org/	Low
Product	Manifest	Bundle-Name	jsoup Java HTML Parser	Medium
Product	Manifest	bundle-symbolicname	org.jsoup	Medium
Product	Manifest	Implementation-Title	jsoup Java HTML Parser	High
Product	Manifest	require-capability	osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))"	Low
Product	pom	artifactid	jsoup	Highest
Product	pom	developer email	jonathan@hedley.net	Low
Product	pom	developer id	jhy	Low
Product	pom	developer name	Jonathan Hedley	Low
Product	pom	groupid	org.jsoup	Highest
Product	pom	name	jsoup Java HTML Parser	High
Product	pom	organization name	Jonathan Hedley	Low
Product	pom	organization url	https://jhy.io/	Low
Product	pom	url	https://jsoup.org/	Medium
Version	file	version	1.15.3	High
Version	Manifest	Bundle-Version	1.15.3	High
Version	Manifest	Implementation-Version	1.15.3	High
Version	pom	version	1.15.3	Highest

Identifiers

pkg:maven/org.jsoup/jsoup@1.15.3 (Confidence:High)
cpe:2.3:a:jsoup:jsoup:1.15.3:*:*:*:*:*:*:* (Confidence:Highest)

Description:

JSR305 Annotations for Findbugs

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt

File Path: /home/grprdist/.m2/repository/com/google/code/findbugs/jsr305/3.0.2/jsr305-3.0.2.jar
MD5: dd83accb899363c32b07d7a1b2e4ce40
SHA1: 25ea2e8b0c338a877313bd4672d3fe056ea78f0d
SHA256:766ad2a0783f2687962c8ad74ceecc38a28b9f72a2d085ee438b7813e928d0c7
Referenced In Project/Scope:Grouper Google Apps Provisioner:compile

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	jsr305	High
Vendor	Manifest	bundle-symbolicname	org.jsr-305	Medium
Vendor	pom	artifactid	jsr305	Highest
Vendor	pom	artifactid	jsr305	Low
Vendor	pom	groupid	com.google.code.findbugs	Highest
Vendor	pom	name	FindBugs-jsr305	High
Vendor	pom	url	http://findbugs.sourceforge.net/	Highest
Product	file	name	jsr305	High
Product	Manifest	Bundle-Name	FindBugs-jsr305	Medium
Product	Manifest	bundle-symbolicname	org.jsr-305	Medium
Product	pom	artifactid	jsr305	Highest
Product	pom	groupid	com.google.code.findbugs	Highest
Product	pom	name	FindBugs-jsr305	High
Product	pom	url	http://findbugs.sourceforge.net/	Medium
Version	file	version	3.0.2	High
Version	Manifest	Bundle-Version	3.0.2	High
Version	pom	version	3.0.2	Highest

Identifiers

pkg:maven/com.google.code.findbugs/jsr305@3.0.2 (Confidence:High)

Description:

    The javax.transaction package. It is appropriate for inclusion in a classpath, and may be added to a Java 2 installation.

File Path: /home/grprdist/.m2/repository/javax/transaction/jta/1.1/jta-1.1.jar
MD5: 82a10ce714f411b28f13850059de09ee
SHA1: 2ca09f0b36ca7d71b762e14ea2ff09d5eac57558
SHA256:b8ec163b4a47bad16f9a0b7d03c3210c6b0a29216d768031073ac20817c0ba50
Referenced In Project/Scope:Grouper Google Apps Provisioner:provided

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	jta	High
Vendor	jar	package name	javax	Highest
Vendor	jar	package name	transaction	Highest
Vendor	Manifest	extension-name	javax.transaction	Medium
Vendor	Manifest	specification-vendor	Sun Microsystems, Inc.	Low
Vendor	pom	artifactid	jta	Highest
Vendor	pom	artifactid	jta	Low
Vendor	pom	groupid	javax.transaction	Highest
Vendor	pom	name	Java Transaction API	High
Vendor	pom	url	http://java.sun.com/products/jta	Highest
Product	file	name	jta	High
Product	jar	package name	javax	Highest
Product	jar	package name	transaction	Highest
Product	Manifest	extension-name	javax.transaction	Medium
Product	Manifest	specification-title	Java Transaction API Specification	Medium
Product	pom	artifactid	jta	Highest
Product	pom	groupid	javax.transaction	Highest
Product	pom	name	Java Transaction API	High
Product	pom	url	http://java.sun.com/products/jta	Medium
Version	file	version	1.1	High
Version	Manifest	specification-version	1.1	High
Version	pom	version	1.1	Highest

Identifiers

pkg:maven/javax.transaction/jta@1.1 (Confidence:High)

Description:

Java implementation of "Tags for Identifying Languages" (RFC 5646)

License:

The Apache Software License, Version 2.0: https://www.apache.org/licenses/LICENSE-2.0.txt

File Path: /home/grprdist/.m2/repository/com/nimbusds/lang-tag/1.7/lang-tag-1.7.jar
MD5: 31b8a4f76fdbf21f1d667f9d6618e0b2
SHA1: 97c73ecd70bc7e8eefb26c5eea84f251a63f1031
SHA256:e8c1c594e2425bdbea2d860de55c69b69fc5d59454452449a0f0913c2a5b8a31
Referenced In Project/Scope:Grouper Google Apps Provisioner:provided

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	lang-tag	High
Vendor	jar	package name	langtag	Highest
Vendor	jar	package name	nimbusds	Highest
Vendor	Manifest	build-date	${timestamp}	Low
Vendor	Manifest	build-jdk-spec	11	Low
Vendor	Manifest	build-number	${buildNumber}	Low
Vendor	Manifest	build-tag	1.7	Low
Vendor	Manifest	bundle-docurl	https://connect2id.com/	Low
Vendor	Manifest	bundle-symbolicname	lang-tag	Medium
Vendor	Manifest	Implementation-Vendor	Connect2id Ltd.	High
Vendor	Manifest	Implementation-Vendor-Id	com.nimbusds	Medium
Vendor	Manifest	require-capability	osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.6))"	Low
Vendor	Manifest	specification-vendor	Connect2id Ltd.	Low
Vendor	pom	artifactid	lang-tag	Highest
Vendor	pom	artifactid	lang-tag	Low
Vendor	pom	developer email	vladimir@dzhuvinov.com	Low
Vendor	pom	developer id	vdzhuvinov	Medium
Vendor	pom	developer name	Vladimir Dzhuvinov	Medium
Vendor	pom	groupid	com.nimbusds	Highest
Vendor	pom	name	Nimbus LangTag	High
Vendor	pom	organization name	Connect2id Ltd.	High
Vendor	pom	organization url	https://connect2id.com/	Medium
Vendor	pom	url	https://bitbucket.org/connect2id/nimbus-language-tags	Highest
Product	file	name	lang-tag	High
Product	jar	package name	langtag	Highest
Product	jar	package name	nimbusds	Highest
Product	Manifest	build-date	${timestamp}	Low
Product	Manifest	build-jdk-spec	11	Low
Product	Manifest	build-number	${buildNumber}	Low
Product	Manifest	build-tag	1.7	Low
Product	Manifest	bundle-docurl	https://connect2id.com/	Low
Product	Manifest	Bundle-Name	Nimbus LangTag	Medium
Product	Manifest	bundle-symbolicname	lang-tag	Medium
Product	Manifest	Implementation-Title	Nimbus LangTag	High
Product	Manifest	require-capability	osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.6))"	Low
Product	Manifest	specification-title	Nimbus LangTag	Medium
Product	pom	artifactid	lang-tag	Highest
Product	pom	developer email	vladimir@dzhuvinov.com	Low
Product	pom	developer id	vdzhuvinov	Low
Product	pom	developer name	Vladimir Dzhuvinov	Low
Product	pom	groupid	com.nimbusds	Highest
Product	pom	name	Nimbus LangTag	High
Product	pom	organization name	Connect2id Ltd.	Low
Product	pom	organization url	https://connect2id.com/	Low
Product	pom	url	https://bitbucket.org/connect2id/nimbus-language-tags	Medium
Version	file	version	1.7	High
Version	Manifest	build-tag	1.7	Low
Version	Manifest	Implementation-Version	1.7	High
Version	pom	version	1.7	Highest

Identifiers

pkg:maven/com.nimbusds/lang-tag@1.7 (Confidence:High)

Description:

Ldaptive API

License:

http://www.apache.org/licenses/LICENSE-2.0.txt, http://www.gnu.org/licenses/lgpl-3.0.txt

File Path: /home/grprdist/.m2/repository/org/ldaptive/ldaptive/1.2.4/ldaptive-1.2.4.jar
MD5: fb195e2011383d6dc6678ceea2406ba8
SHA1: 05866d99f046d84c243c57ad120cb7d5bc8b07a5
SHA256:3e8bac957050e1261c06933b4e11eff4a8e45bad3dd8e42af0d851d5d942722b
Referenced In Project/Scope:Grouper Google Apps Provisioner:provided

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	ldaptive	High
Vendor	jar	package name	ldaptive	Highest
Vendor	Manifest	bundle-symbolicname	org.ldaptive	Medium
Vendor	Manifest	originally-created-by	Apache Maven Bundle Plugin	Low
Vendor	Manifest	require-capability	osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))"	Low
Vendor	pom	artifactid	ldaptive	Highest
Vendor	pom	artifactid	ldaptive	Low
Vendor	pom	groupid	org.ldaptive	Highest
Vendor	pom	name	LDAPTIVE CORE	High
Vendor	pom	parent-artifactid	ldaptive-parent	Low
Product	file	name	ldaptive	High
Product	jar	package name	ldaptive	Highest
Product	Manifest	Bundle-Name	LDAPTIVE CORE	Medium
Product	Manifest	bundle-symbolicname	org.ldaptive	Medium
Product	Manifest	originally-created-by	Apache Maven Bundle Plugin	Low
Product	Manifest	require-capability	osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))"	Low
Product	pom	artifactid	ldaptive	Highest
Product	pom	groupid	org.ldaptive	Highest
Product	pom	name	LDAPTIVE CORE	High
Product	pom	parent-artifactid	ldaptive-parent	Medium
Version	file	version	1.2.4	High
Version	Manifest	Bundle-Version	1.2.4	High
Version	pom	version	1.2.4	Highest

Related Dependencies

Identifiers

pkg:maven/org.ldaptive/ldaptive@1.2.4 (Confidence:High)
cpe:2.3:a:ldaptive:ldaptive:1.2.4:*:*:*:*:*:*:* (Confidence:Highest)

Description:

The Apache Log4j Implementation

License:

https://www.apache.org/licenses/LICENSE-2.0.txt

File Path: /home/grprdist/.m2/repository/org/apache/logging/log4j/log4j-core/2.17.1/log4j-core-2.17.1.jar
MD5: 8d2f5c52700336dae846b2c3ecde7a6e
SHA1: 779f60f3844dadc3ef597976fcb1e5127b1f343d
SHA256:c967f223487980b9364e94a7c7f9a8a01fd3ee7c19bdbf0b0f9f8cb8511f3d41
Referenced In Project/Scope:Grouper Google Apps Provisioner:compile

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	log4j-core	High
Vendor	jar	package name	apache	Highest
Vendor	jar	package name	core	Highest
Vendor	jar	package name	log4j	Highest
Vendor	jar	package name	logging	Highest
Vendor	jar	package name	org	Highest
Vendor	Manifest	automatic-module-name	org.apache.logging.log4j.core	Medium
Vendor	Manifest	bundle-docurl	https://www.apache.org/	Low
Vendor	Manifest	bundle-symbolicname	org.apache.logging.log4j.core	Medium
Vendor	Manifest	implementation-url	https://logging.apache.org/log4j/2.x/log4j-core/	Low
Vendor	Manifest	Implementation-Vendor	The Apache Software Foundation	High
Vendor	Manifest	Implementation-Vendor-Id	org.apache.logging.log4j	Medium
Vendor	Manifest	log4jreleasekey	D7C92B70FA1C814D	Low
Vendor	Manifest	log4jreleasemanager	Matt Sicker	Low
Vendor	Manifest	log4jsigningusername	mattsicker@apache.org	Medium
Vendor	Manifest	multi-release	true	Low
Vendor	Manifest	require-capability	osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))"	Low
Vendor	Manifest	specification-vendor	The Apache Software Foundation	Low
Vendor	pom	artifactid	log4j-core	Highest
Vendor	pom	artifactid	log4j-core	Low
Vendor	pom	groupid	org.apache.logging.log4j	Highest
Vendor	pom	name	Apache Log4j Core	High
Vendor	pom	parent-artifactid	log4j	Low
Product	file	name	log4j-core	High
Product	jar	package name	apache	Highest
Product	jar	package name	core	Highest
Product	jar	package name	log4j	Highest
Product	jar	package name	logging	Highest
Product	jar	package name	org	Highest
Product	Manifest	automatic-module-name	org.apache.logging.log4j.core	Medium
Product	Manifest	bundle-docurl	https://www.apache.org/	Low
Product	Manifest	Bundle-Name	Apache Log4j Core	Medium
Product	Manifest	bundle-symbolicname	org.apache.logging.log4j.core	Medium
Product	Manifest	Implementation-Title	Apache Log4j Core	High
Product	Manifest	implementation-url	https://logging.apache.org/log4j/2.x/log4j-core/	Low
Product	Manifest	log4jreleasekey	D7C92B70FA1C814D	Low
Product	Manifest	log4jreleasemanager	Matt Sicker	Low
Product	Manifest	log4jsigningusername	mattsicker@apache.org	Medium
Product	Manifest	multi-release	true	Low
Product	Manifest	require-capability	osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))"	Low
Product	Manifest	specification-title	Apache Log4j Core	Medium
Product	pom	artifactid	log4j-core	Highest
Product	pom	groupid	org.apache.logging.log4j	Highest
Product	pom	name	Apache Log4j Core	High
Product	pom	parent-artifactid	log4j	Medium
Version	file	version	2.17.1	High
Version	Manifest	Bundle-Version	2.17.1	High
Version	Manifest	Implementation-Version	2.17.1	High
Version	Manifest	log4jreleaseversion	2.17.1	Medium
Version	pom	version	2.17.1	Highest

Related Dependencies

Identifiers

pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1 (Confidence:High)
cpe:2.3:a:apache:log4j:2.17.1:*:*:*:*:*:*:* (Confidence:Highest)

Description:

The Apache Log4j SLF4J API binding to Log4j 2 Core

License:

https://www.apache.org/licenses/LICENSE-2.0.txt

File Path: /home/grprdist/.m2/repository/org/apache/logging/log4j/log4j-slf4j-impl/2.17.1/log4j-slf4j-impl-2.17.1.jar
MD5: 8d0e5934a9c341dbc3493d4039afd985
SHA1: 84692d456bcce689355d33d68167875e486954dd
SHA256:e9a03720e5d5076009c2530635da9d08485e28a0b0ec20708dadc51afb78e41e
Referenced In Project/Scope:Grouper Google Apps Provisioner:provided

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	log4j-slf4j-impl	High
Vendor	jar	package name	apache	Highest
Vendor	jar	package name	impl	Highest
Vendor	jar	package name	logging	Highest
Vendor	jar	package name	slf4j	Highest
Vendor	Manifest	automatic-module-name	org.apache.logging.log4j.slf4j	Medium
Vendor	Manifest	bundle-docurl	https://www.apache.org/	Low
Vendor	Manifest	bundle-symbolicname	org.apache.logging.log4j.slf4j-impl	Medium
Vendor	Manifest	implementation-url	https://logging.apache.org/log4j/2.x/log4j-slf4j-impl/	Low
Vendor	Manifest	Implementation-Vendor	The Apache Software Foundation	High
Vendor	Manifest	Implementation-Vendor-Id	org.apache.logging.log4j	Medium
Vendor	Manifest	log4jreleasekey	D7C92B70FA1C814D	Low
Vendor	Manifest	log4jreleasemanager	Matt Sicker	Low
Vendor	Manifest	log4jsigningusername	mattsicker@apache.org	Medium
Vendor	Manifest	require-capability	osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))"	Low
Vendor	Manifest	specification-vendor	The Apache Software Foundation	Low
Vendor	pom	artifactid	log4j-slf4j-impl	Highest
Vendor	pom	artifactid	log4j-slf4j-impl	Low
Vendor	pom	groupid	org.apache.logging.log4j	Highest
Vendor	pom	name	Apache Log4j SLF4J Binding	High
Vendor	pom	parent-artifactid	log4j	Low
Product	file	name	log4j-slf4j-impl	High
Product	jar	package name	apache	Highest
Product	jar	package name	impl	Highest
Product	jar	package name	logging	Highest
Product	jar	package name	slf4j	Highest
Product	Manifest	automatic-module-name	org.apache.logging.log4j.slf4j	Medium
Product	Manifest	bundle-docurl	https://www.apache.org/	Low
Product	Manifest	Bundle-Name	Apache Log4j SLF4J Binding	Medium
Product	Manifest	bundle-symbolicname	org.apache.logging.log4j.slf4j-impl	Medium
Product	Manifest	Implementation-Title	Apache Log4j SLF4J Binding	High
Product	Manifest	implementation-url	https://logging.apache.org/log4j/2.x/log4j-slf4j-impl/	Low
Product	Manifest	log4jreleasekey	D7C92B70FA1C814D	Low
Product	Manifest	log4jreleasemanager	Matt Sicker	Low
Product	Manifest	log4jsigningusername	mattsicker@apache.org	Medium
Product	Manifest	require-capability	osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))"	Low
Product	Manifest	specification-title	Apache Log4j SLF4J Binding	Medium
Product	pom	artifactid	log4j-slf4j-impl	Highest
Product	pom	groupid	org.apache.logging.log4j	Highest
Product	pom	name	Apache Log4j SLF4J Binding	High
Product	pom	parent-artifactid	log4j	Medium
Version	file	version	2.17.1	High
Version	Manifest	Bundle-Version	2.17.1	High
Version	Manifest	Implementation-Version	2.17.1	High
Version	Manifest	log4jreleaseversion	2.17.1	Medium
Version	pom	version	2.17.1	Highest

Identifiers

pkg:maven/org.apache.logging.log4j/log4j-slf4j-impl@2.17.1 (Confidence:High)

Description:

JavaMail API (compat)

License:

http://www.sun.com/cddl, https://glassfish.java.net/public/CDDL+GPL_1_1.html

File Path: /home/grprdist/.m2/repository/javax/mail/mail/1.4.7/mail-1.4.7.jar
MD5: 77f53ff0c78ba43c4812ecc9f53e20f8
SHA1: 9add058589d5d85adeb625859bf2c5eeaaedf12d
SHA256:78c33b4f7c7b60f4b680f2d2405b1f063d71929cf1a4fbc328888379f365fcfb
Referenced In Project/Scope:Grouper Google Apps Provisioner:provided

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	mail	High
Vendor	jar	package name	javax	Highest
Vendor	jar	package name	mail	Highest
Vendor	jar	package name	provider	Highest
Vendor	jar	package name	sun	Highest
Vendor	jar (hint)	package name	oracle	Highest
Vendor	Manifest	bundle-docurl	http://www.oracle.com	Low
Vendor	Manifest	bundle-symbolicname	javax.mail	Medium
Vendor	Manifest	extension-name	javax.mail	Medium
Vendor	Manifest	Implementation-Vendor	Oracle	High
Vendor	Manifest	Implementation-Vendor-Id	com.sun	Medium
Vendor	Manifest	originally-created-by	1.7.0_15 (Oracle Corporation)	Low
Vendor	Manifest	probe-provider-xml-file-names	META-INF/gfprobe-provider.xml	Medium
Vendor	Manifest	specification-vendor	Oracle	Low
Vendor	Manifest (hint)	Implementation-Vendor	sun	High
Vendor	Manifest (hint)	specification-vendor	sun	Low
Vendor	pom	artifactid	mail	Highest
Vendor	pom	artifactid	mail	Low
Vendor	pom	groupid	javax.mail	Highest
Vendor	pom	name	JavaMail API (compat)	High
Vendor	pom	parent-artifactid	all	Low
Vendor	pom	parent-groupid	com.sun.mail	Medium
Product	file	name	mail	High
Product	jar	package name	javax	Highest
Product	jar	package name	mail	Highest
Product	jar	package name	provider	Highest
Product	jar	package name	sun	Highest
Product	Manifest	bundle-docurl	http://www.oracle.com	Low
Product	Manifest	Bundle-Name	JavaMail API (compat)	Medium
Product	Manifest	bundle-symbolicname	javax.mail	Medium
Product	Manifest	extension-name	javax.mail	Medium
Product	Manifest	Implementation-Title	javax.mail	High
Product	Manifest	originally-created-by	1.7.0_15 (Oracle Corporation)	Low
Product	Manifest	probe-provider-xml-file-names	META-INF/gfprobe-provider.xml	Medium
Product	Manifest	specification-title	JavaMail(TM) API Design Specification	Medium
Product	pom	artifactid	mail	Highest
Product	pom	groupid	javax.mail	Highest
Product	pom	name	JavaMail API (compat)	High
Product	pom	parent-artifactid	all	Medium
Product	pom	parent-groupid	com.sun.mail	Medium
Version	file	version	1.4.7	High
Version	Manifest	Bundle-Version	1.4.7	High
Version	Manifest	Implementation-Version	1.4.7	High
Version	pom	version	1.4.7	Highest

Identifiers

pkg:maven/javax.mail/mail@1.4.7 (Confidence:High)

Description:

mchange-commons-java

License:

GNU Lesser General Public License, Version 2.1: http://www.gnu.org/licenses/lgpl-2.1.html
Eclipse Public License, Version 1.0: http://www.eclipse.org/org/documents/epl-v10.html

File Path: /home/grprdist/.m2/repository/com/mchange/mchange-commons-java/0.2.15/mchange-commons-java-0.2.15.jar
MD5: 97c4575d9d49d9afb71492e6bb4417da
SHA1: 6ef5abe5f1b94ac45b7b5bad42d871da4fda6bbc
SHA256:2b8fce65e95a3e968d5ab3507e2833f43df3daee0635ee51c7ce33343bb3a21c
Referenced In Project/Scope:Grouper Google Apps Provisioner:provided

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	mchange-commons-java	High
Vendor	jar	package name	mchange	Highest
Vendor	Manifest	Implementation-Vendor	com.mchange	High
Vendor	Manifest	Implementation-Vendor-Id	com.mchange	Medium
Vendor	Manifest	specification-vendor	com.mchange	Low
Vendor	pom	artifactid	mchange-commons-java	Highest
Vendor	pom	artifactid	mchange-commons-java	Low
Vendor	pom	developer email	swaldman@mchange.com	Low
Vendor	pom	developer id	swaldman	Medium
Vendor	pom	developer name	Steve Waldman	Medium
Vendor	pom	groupid	com.mchange	Highest
Vendor	pom	name	mchange-commons-java	High
Vendor	pom	organization name	com.mchange	High
Vendor	pom	url	swaldman/mchange-commons-java	Highest
Product	file	name	mchange-commons-java	High
Product	jar	package name	mchange	Highest
Product	Manifest	Implementation-Title	mchange-commons-java	High
Product	Manifest	specification-title	mchange-commons-java	Medium
Product	pom	artifactid	mchange-commons-java	Highest
Product	pom	developer email	swaldman@mchange.com	Low
Product	pom	developer id	swaldman	Low
Product	pom	developer name	Steve Waldman	Low
Product	pom	groupid	com.mchange	Highest
Product	pom	name	mchange-commons-java	High
Product	pom	organization name	com.mchange	Low
Product	pom	url	swaldman/mchange-commons-java	High
Version	file	version	0.2.15	High
Version	Manifest	Implementation-Version	0.2.15	High
Version	pom	version	0.2.15	Highest

Identifiers

pkg:maven/com.mchange/mchange-commons-java@0.2.15 (Confidence:High)

Description:

    MXParser is a fork of xpp3_min 1.1.7 containing only the parser with merged changes of the Plexus fork.

License:

Indiana University Extreme! Lab Software License: https://raw.githubusercontent.com/x-stream/mxparser/master/LICENSE.txt

File Path: /home/grprdist/.m2/repository/io/github/x-stream/mxparser/1.2.2/mxparser-1.2.2.jar
MD5: 9d7e42409dfdcee9bd17903015bdeae2
SHA1: 476fb3b3bb3716cad797cd054ce45f89445794e9
SHA256:aeeee23a3303d811bca8790ea7f25b534314861c03cff36dafdcc2180969eb97
Referenced In Project/Scope:Grouper Google Apps Provisioner:provided

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	mxparser	High
Vendor	jar	package name	github	Highest
Vendor	jar	package name	io	Highest
Vendor	jar	package name	mxparser	Highest
Vendor	jar	package name	xstream	Highest
Vendor	Manifest	automatic-module-name	io.github.xstream.mxparser	Medium
Vendor	Manifest	build-jdk-spec	1.8	Low
Vendor	Manifest	bundle-symbolicname	mxparser	Medium
Vendor	Manifest	java_1_4_home	/opt/blackdown-jdk-1.4.2.03	Low
Vendor	Manifest	java_1_5_home	/opt/sun-jdk-1.5.0.22	Low
Vendor	Manifest	java_1_6_home	/opt/sun-jdk-1.6.0.45	Low
Vendor	Manifest	java_1_7_home	/opt/oracle-jdk-bin-1.7.0.80	Low
Vendor	Manifest	java_1_8_home	/opt/oracle-jdk-bin-1.8.0.202	Low
Vendor	Manifest	java_9_home	/opt/oracle-jdk-bin-9.0.4	Low
Vendor	Manifest	x-build-os	Linux	Low
Vendor	Manifest	x-build-time	2021-08-18T22:35:34Z	Low
Vendor	Manifest	x-builder	Maven 3.8.1	Low
Vendor	Manifest	x-compile-source	1.4	Low
Vendor	Manifest	x-compile-target	1.4	Low
Vendor	pom	artifactid	mxparser	Highest
Vendor	pom	artifactid	mxparser	Low
Vendor	pom	developer id	mxparser	Medium
Vendor	pom	developer name	XStream Committers	Medium
Vendor	pom	groupid	io.github.x-stream	Highest
Vendor	pom	name	MXParser	High
Vendor	pom	url	http://x-stream.github.io/mxparser	Highest
Product	file	name	mxparser	High
Product	jar	package name	github	Highest
Product	jar	package name	io	Highest
Product	jar	package name	mxparser	Highest
Product	jar	package name	xstream	Highest
Product	Manifest	automatic-module-name	io.github.xstream.mxparser	Medium
Product	Manifest	build-jdk-spec	1.8	Low
Product	Manifest	Bundle-Name	MXParser	Medium
Product	Manifest	bundle-symbolicname	mxparser	Medium
Product	Manifest	Implementation-Title	MXParser	High
Product	Manifest	java_1_4_home	/opt/blackdown-jdk-1.4.2.03	Low
Product	Manifest	java_1_5_home	/opt/sun-jdk-1.5.0.22	Low
Product	Manifest	java_1_6_home	/opt/sun-jdk-1.6.0.45	Low
Product	Manifest	java_1_7_home	/opt/oracle-jdk-bin-1.7.0.80	Low
Product	Manifest	java_1_8_home	/opt/oracle-jdk-bin-1.8.0.202	Low
Product	Manifest	java_9_home	/opt/oracle-jdk-bin-9.0.4	Low
Product	Manifest	specification-title	MXParser	Medium
Product	Manifest	x-build-os	Linux	Low
Product	Manifest	x-build-time	2021-08-18T22:35:34Z	Low
Product	Manifest	x-builder	Maven 3.8.1	Low
Product	Manifest	x-compile-source	1.4	Low
Product	Manifest	x-compile-target	1.4	Low
Product	pom	artifactid	mxparser	Highest
Product	pom	developer id	mxparser	Low
Product	pom	developer name	XStream Committers	Low
Product	pom	groupid	io.github.x-stream	Highest
Product	pom	name	MXParser	High
Product	pom	url	http://x-stream.github.io/mxparser	Medium
Version	file	version	1.2.2	High
Version	Manifest	Bundle-Version	1.2.2	High
Version	Manifest	Implementation-Version	1.2.2	High
Version	pom	version	1.2.2	Highest

Identifiers

pkg:maven/io.github.x-stream/mxparser@1.2.2 (Confidence:High)

Description:

JDBC Type 4 driver for MySQL

License:

The GNU General Public License, v2 with FOSS exception

File Path: /home/grprdist/.m2/repository/mysql/mysql-connector-java/8.0.28/mysql-connector-java-8.0.28.jar
MD5: 95cde01c78e7b04e13305338d60e056a
SHA1: 33678b1729d4f832b9e4bcb2d5bbd67940920a7a
SHA256:a00ccdf537ff50e50067b989108c2235197ffb65e197149bbb669db843cd1c3e
Referenced In Project/Scope:Grouper Google Apps Provisioner:runtime

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	mysql-connector-java	High
Vendor	hint analyzer	vendor	oracle	Highest
Vendor	hint analyzer (hint)	vendor	sun	Highest
Vendor	jar	package name	cj	Highest
Vendor	jar	package name	driver	Highest
Vendor	jar	package name	jdbc	Highest
Vendor	jar	package name	mysql	Highest
Vendor	jar	package name	type	Highest
Vendor	Manifest	bundle-symbolicname	com.mysql.cj	Medium
Vendor	Manifest	Implementation-Vendor	Oracle	High
Vendor	Manifest	Implementation-Vendor-Id	com.mysql	Medium
Vendor	Manifest	specification-vendor	Oracle Corporation	Low
Vendor	Manifest (hint)	Implementation-Vendor	sun	High
Vendor	pom	artifactid	mysql-connector-java	Highest
Vendor	pom	artifactid	mysql-connector-java	Low
Vendor	pom	groupid	mysql	Highest
Vendor	pom	name	MySQL Connector/J	High
Vendor	pom	organization name	Oracle Corporation	High
Vendor	pom	organization url	http://www.oracle.com	Medium
Vendor	pom	url	http://dev.mysql.com/doc/connector-j/en/	Highest
Product	file	name	mysql-connector-java	High
Product	hint analyzer	product	mysql_connector/j	Highest
Product	hint analyzer	product	mysql_connector_j	Highest
Product	hint analyzer	product	mysql_connectors	Highest
Product	jar	package name	cj	Highest
Product	jar	package name	driver	Highest
Product	jar	package name	jdbc	Highest
Product	jar	package name	mysql	Highest
Product	jar	package name	type	Highest
Product	jar	package name	xdevapi	Highest
Product	Manifest	Bundle-Name	Oracle Corporation's JDBC and XDevAPI Driver for MySQL	Medium
Product	Manifest	bundle-symbolicname	com.mysql.cj	Medium
Product	Manifest	Implementation-Title	MySQL Connector/J	High
Product	Manifest	specification-title	JDBC	Medium
Product	pom	artifactid	mysql-connector-java	Highest
Product	pom	groupid	mysql	Highest
Product	pom	name	MySQL Connector/J	High
Product	pom	organization name	Oracle Corporation	Low
Product	pom	organization url	http://www.oracle.com	Low
Product	pom	url	http://dev.mysql.com/doc/connector-j/en/	Medium
Version	file	version	8.0.28	High
Version	Manifest	Bundle-Version	8.0.28	High
Version	Manifest	Implementation-Version	8.0.28	High
Version	pom	version	8.0.28	Highest

Identifiers

pkg:maven/mysql/mysql-connector-java@8.0.28 (Confidence:High)
cpe:2.3:a:mysql:mysql:8.0.28:*:*:*:*:*:*:* (Confidence:Highest)
cpe:2.3:a:oracle:mysql_connector\/j:8.0.28:*:*:*:*:*:*:* (Confidence:Highest)

Description:

Netty is an asynchronous event-driven network application framework for    rapid development of maintainable high performance protocol servers and    clients.

License:

https://www.apache.org/licenses/LICENSE-2.0

File Path: /home/grprdist/.m2/repository/io/netty/netty-codec/4.1.72.Final/netty-codec-4.1.72.Final.jar
MD5: e2af17ef73be08c189cdd70beaf4e886
SHA1: 613c4019d687db4e9a5532564e442f83c4474ed7
SHA256:5d8591ca271a1e9c224e8de3873aa9936acb581ee0db514e7dc18523df36d16c
Referenced In Project/Scope:Grouper Google Apps Provisioner:provided

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	netty-codec	High
Vendor	jar	package name	codec	Highest
Vendor	jar	package name	io	Highest
Vendor	jar	package name	netty	Highest
Vendor	Manifest	automatic-module-name	io.netty.codec	Medium
Vendor	Manifest	bundle-docurl	https://netty.io/	Low
Vendor	Manifest	bundle-symbolicname	io.netty.codec	Medium
Vendor	Manifest	implementation-url	https://netty.io/netty-codec/	Low
Vendor	Manifest	Implementation-Vendor	The Netty Project	High
Vendor	Manifest	Implementation-Vendor-Id	io.netty	Medium
Vendor	Manifest	require-capability	osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.6))"	Low
Vendor	pom	artifactid	netty-codec	Highest
Vendor	pom	artifactid	netty-codec	Low
Vendor	pom	groupid	io.netty	Highest
Vendor	pom	name	Netty/Codec	High
Vendor	pom	parent-artifactid	netty-parent	Low
Product	file	name	netty-codec	High
Product	jar	package name	codec	Highest
Product	jar	package name	io	Highest
Product	jar	package name	netty	Highest
Product	Manifest	automatic-module-name	io.netty.codec	Medium
Product	Manifest	bundle-docurl	https://netty.io/	Low
Product	Manifest	Bundle-Name	Netty/Codec	Medium
Product	Manifest	bundle-symbolicname	io.netty.codec	Medium
Product	Manifest	Implementation-Title	Netty/Codec	High
Product	Manifest	implementation-url	https://netty.io/netty-codec/	Low
Product	Manifest	require-capability	osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.6))"	Low
Product	pom	artifactid	netty-codec	Highest
Product	pom	groupid	io.netty	Highest
Product	pom	name	Netty/Codec	High
Product	pom	parent-artifactid	netty-parent	Medium
Version	Manifest	Bundle-Version	4.1.72.Final	High
Version	Manifest	Implementation-Version	4.1.72.Final	High
Version	pom	version	4.1.72.Final	Highest

Identifiers

pkg:maven/io.netty/netty-codec@4.1.72.Final (Confidence:High)
cpe:2.3:a:netty:netty:4.1.72:*:*:*:*:*:*:* (Confidence:Highest)

Published Vulnerabilities

CVE-2022-41881

Netty project is an event-driven asynchronous network application framework. In versions prior to 4.1.86.Final, a StackOverflowError can be raised when parsing a malformed crafted message due to an infinite recursion. This issue is patched in version 4.1.86.Final. There is no workaround, except using a custom HaProxyMessageDecoder.

CWE-674 Uncontrolled Recursion

CVSSv3:

Base Score: HIGH (7.5)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References:

Vulnerable Software & Versions:

cpe:2.3:a:netty:netty:*:*:*:*:*:*:*:* versions up to (excluding) 4.1.86

CVE-2023-4586

A vulnerability was found in the Hot Rod client. This security issue occurs as the Hot Rod client does not enable hostname validation when using TLS, possibly resulting in a man-in-the-middle (MITM) attack.

CWE-295 Improper Certificate Validation

CVSSv3:

Base Score: HIGH (7.4)
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

References:

Vulnerable Software & Versions: (show all)

CVE-2022-41915 (OSSINDEX)

Netty project is an event-driven asynchronous network application framework. Starting in version 4.1.83.Final and prior to 4.1.86.Final, when calling `DefaultHttpHeadesr.set` with an _iterator_ of values, header value validation was not performed, allowing malicious header values in the iterator to perform HTTP Response Splitting. This issue has been patched in version 4.1.86.Final. Integrators can work around the issue by changing the `DefaultHttpHeaders.set(CharSequence, Iterator<?>)` call, into a `remove()` call, and call `add()` in a loop over the iterator of values.

Sonatype's research suggests that this CVE's details differ from those defined at NVD. See https://ossindex.sonatype.org/vulnerability/CVE-2022-41915 for details

CWE-113 Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting')

CVSSv2:

Base Score: MEDIUM (6.5)
Vector: /AV:N/AC:L/Au:/C:L/I:L/A:N

References:

Vulnerable Software & Versions (OSSINDEX):

cpe:2.3:a:io.netty:netty-codec:4.1.72.Final:*:*:*:*:*:*:*

CVE-2023-34462

Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. The `SniHandler` can allocate up to 16MB of heap for each channel during the TLS handshake. When the handler or the channel does not have an idle timeout, it can be used to make a TCP server using the `SniHandler` to allocate 16MB of heap. The `SniHandler` class is a handler that waits for the TLS handshake to configure a `SslHandler` according to the indicated server name by the `ClientHello` record. For this matter it allocates a `ByteBuf` using the value defined in the `ClientHello` record. Normally the value of the packet should be smaller than the handshake packet but there are not checks done here and the way the code is written, it is possible to craft a packet that makes the `SslClientHelloHandler`. This vulnerability has been fixed in version 4.1.94.Final.

CWE-400 Uncontrolled Resource Consumption ('Resource Exhaustion')

CVSSv3:

Base Score: MEDIUM (6.5)
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

References:

Vulnerable Software & Versions:

cpe:2.3:a:netty:netty:*:*:*:*:*:*:*:* versions up to (excluding) 4.1.94

CVE-2022-24823

Netty is an open-source, asynchronous event-driven network application framework. The package `io.netty:netty-codec-http` prior to version 4.1.77.Final contains an insufficient fix for CVE-2021-21290. When Netty's multipart decoders are used local information disclosure can occur via the local system temporary directory if temporary storing uploads on the disk is enabled. This only impacts applications running on Java version 6 and lower. Additionally, this vulnerability impacts code running on Unix-like systems, and very old versions of Mac OSX and Windows as they all share the system temporary directory between all users. Version 4.1.77.Final contains a patch for this vulnerability. As a workaround, specify one's own `java.io.tmpdir` when starting the JVM or use DefaultHttpDataFactory.setBaseDir(...) to set the directory to something that is only readable by the current user.

CWE-378 Creation of Temporary File With Insecure Permissions, CWE-379 Creation of Temporary File in Directory with Incorrect Permissions, CWE-668 Exposure of Resource to Wrong Sphere

CVSSv2:

Base Score: LOW (1.9)
Vector: /AV:L/AC:M/Au:N/C:P/I:N/A:N

CVSSv3:

Base Score: MEDIUM (5.5)
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

References:

Vulnerable Software & Versions: (show all)

Description:

Java Concurrency Tools Core Library

License:

Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt

File Path: /home/grprdist/.m2/repository/io/netty/netty-common/4.1.72.Final/netty-common-4.1.72.Final.jar/META-INF/maven/org.jctools/jctools-core/pom.xml
MD5: 08e7326c64d7fd6ae4ea32e7eb4e5b79
SHA1: 9deceaba814dea198202b04fe0eec0d2dbf69ea9
SHA256:acaf1b4c366f6794a734288a2c003f16af90a9c479cf4d7daade689764e4fb47
Referenced In Project/Scope:Grouper Google Apps Provisioner:provided

Evidence

Type	Source	Name	Value	Confidence
Vendor	pom	artifactid	jctools-core	Low
Vendor	pom	groupid	org.jctools	Highest
Vendor	pom	name	Java Concurrency Tools Core Library	High
Vendor	pom	url	JCTools	Highest
Product	pom	artifactid	jctools-core	Highest
Product	pom	groupid	org.jctools	Highest
Product	pom	name	Java Concurrency Tools Core Library	High
Product	pom	url	JCTools	High
Version	pom	version	3.1.0	Highest

Identifiers

pkg:maven/org.jctools/jctools-core@3.1.0 (Confidence:High)

Description:

    A Mavenized fork of Tomcat Native which incorporates various patches. This artifact is dynamically linked
    to OpenSSL and Apache APR.

File Path: /home/grprdist/.m2/repository/io/netty/netty-tcnative-classes/2.0.46.Final/netty-tcnative-classes-2.0.46.Final.jar
MD5: b398595d12e13f97ff9295abdf0d6a76
SHA1: 9937a832d9c19861822d345b48ced388b645aa5f
SHA256:d3ec888dcc4ac7915bf88b417c5e04fd354f4311032a748a6882df09347eed9a
Referenced In Project/Scope:Grouper Google Apps Provisioner:provided

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	netty-tcnative-classes	High
Vendor	jar	package name	internal	Highest
Vendor	jar	package name	io	Highest
Vendor	jar	package name	netty	Highest
Vendor	jar	package name	tcnative	Highest
Vendor	Manifest	automatic-module-name	io.netty.internal.tcnative	Medium
Vendor	Manifest	build-jdk-spec	1.8	Low
Vendor	Manifest	bundle-symbolicname	io.netty.tcnative-classes	Medium
Vendor	Manifest	implementation-url	https://github.com/netty/netty-tcnative/netty-tcnative-classes/	Low
Vendor	Manifest	Implementation-Vendor-Id	io.netty	Medium
Vendor	Manifest	require-capability	osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.6))"	Low
Vendor	pom	artifactid	netty-tcnative-classes	Highest
Vendor	pom	artifactid	netty-tcnative-classes	Low
Vendor	pom	groupid	io.netty	Highest
Vendor	pom	name	Netty/TomcatNative [OpenSSL - Classes]	High
Vendor	pom	parent-artifactid	netty-tcnative-parent	Low
Product	file	name	netty-tcnative-classes	High
Product	jar	package name	internal	Highest
Product	jar	package name	io	Highest
Product	jar	package name	netty	Highest
Product	jar	package name	tcnative	Highest
Product	Manifest	automatic-module-name	io.netty.internal.tcnative	Medium
Product	Manifest	build-jdk-spec	1.8	Low
Product	Manifest	Bundle-Name	Netty/TomcatNative [OpenSSL - Classes]	Medium
Product	Manifest	bundle-symbolicname	io.netty.tcnative-classes	Medium
Product	Manifest	Implementation-Title	Netty/TomcatNative [OpenSSL - Classes]	High
Product	Manifest	implementation-url	https://github.com/netty/netty-tcnative/netty-tcnative-classes/	Low
Product	Manifest	require-capability	osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.6))"	Low
Product	pom	artifactid	netty-tcnative-classes	Highest
Product	pom	groupid	io.netty	Highest
Product	pom	name	Netty/TomcatNative [OpenSSL - Classes]	High
Product	pom	parent-artifactid	netty-tcnative-parent	Medium
Version	Manifest	Bundle-Version	2.0.46.Final	High
Version	Manifest	Implementation-Version	2.0.46.Final	High
Version	pom	version	2.0.46.Final	Highest

Identifiers

pkg:maven/io.netty/netty-tcnative-classes@2.0.46.Final (Confidence:High)

Description:

Netty is an asynchronous event-driven network application framework for    rapid development of maintainable high performance protocol servers and    clients.

License:

https://www.apache.org/licenses/LICENSE-2.0

File Path: /home/grprdist/.m2/repository/io/netty/netty-transport/4.1.72.Final/netty-transport-4.1.72.Final.jar
MD5: 6f4128413f9200c948bcceb2299bb7e5
SHA1: 99138b436a584879355aca8fe3c64b46227d5d79
SHA256:c5fb68e9a65b6e8a516adfcb9fa323479ee7b4d9449d8a529d2ecab3d3711d5a
Referenced In Project/Scope:Grouper Google Apps Provisioner:provided

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	netty-transport	High
Vendor	jar	package name	io	Highest
Vendor	jar	package name	netty	Highest
Vendor	Manifest	automatic-module-name	io.netty.transport	Medium
Vendor	Manifest	bundle-docurl	https://netty.io/	Low
Vendor	Manifest	bundle-symbolicname	io.netty.transport	Medium
Vendor	Manifest	implementation-url	https://netty.io/netty-transport/	Low
Vendor	Manifest	Implementation-Vendor	The Netty Project	High
Vendor	Manifest	Implementation-Vendor-Id	io.netty	Medium
Vendor	Manifest	require-capability	osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.6))"	Low
Vendor	pom	artifactid	netty-transport	Highest
Vendor	pom	artifactid	netty-transport	Low
Vendor	pom	groupid	io.netty	Highest
Vendor	pom	name	Netty/Transport	High
Vendor	pom	parent-artifactid	netty-parent	Low
Product	file	name	netty-transport	High
Product	jar	package name	io	Highest
Product	jar	package name	netty	Highest
Product	Manifest	automatic-module-name	io.netty.transport	Medium
Product	Manifest	bundle-docurl	https://netty.io/	Low
Product	Manifest	Bundle-Name	Netty/Transport	Medium
Product	Manifest	bundle-symbolicname	io.netty.transport	Medium
Product	Manifest	Implementation-Title	Netty/Transport	High
Product	Manifest	implementation-url	https://netty.io/netty-transport/	Low
Product	Manifest	require-capability	osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.6))"	Low
Product	pom	artifactid	netty-transport	Highest
Product	pom	groupid	io.netty	Highest
Product	pom	name	Netty/Transport	High
Product	pom	parent-artifactid	netty-parent	Medium
Version	Manifest	Bundle-Version	4.1.72.Final	High
Version	Manifest	Implementation-Version	4.1.72.Final	High
Version	pom	version	4.1.72.Final	Highest

Related Dependencies

netty-buffer-4.1.72.Final.jar
- File Path: /home/grprdist/.m2/repository/io/netty/netty-buffer/4.1.72.Final/netty-buffer-4.1.72.Final.jar
- MD5: c634cd6c023be6687141249ea6520349
- SHA1: f306eec3f79541f9b8af9c471a0d5b63b7996272
- SHA256: 568ff7cd9d8e2284ec980730c88924f686642929f8f219a74518b4e64755f3a1
- pkg:maven/io.netty/netty-buffer@4.1.72.Final
netty-codec-http-4.1.72.Final.jar
- File Path: /home/grprdist/.m2/repository/io/netty/netty-codec-http/4.1.72.Final/netty-codec-http-4.1.72.Final.jar
- MD5: 299f0a5309cdd6b88c370a0c3d52ee4d
- SHA1: a8f062d67303a5e4b2bc2ad48fb4fd8c99108e45
- SHA256: fa6fec88010bfaf6a7415b5364671b6b18ffb6b35a986ab97b423fd8c3a0174b
- pkg:maven/io.netty/netty-codec-http@4.1.72.Final
netty-common-4.1.72.Final.jar
- File Path: /home/grprdist/.m2/repository/io/netty/netty-common/4.1.72.Final/netty-common-4.1.72.Final.jar
- MD5: 97eac92e43b01012ccfe4cf877279b90
- SHA1: a55bac9c3af5f59828207b551a96ac19bbfc341e
- SHA256: 8adb4c291260ceb2859a68c49f0adeed36bf49587608e2b81ecff6aaf06025e9
- pkg:maven/io.netty/netty-common@4.1.72.Final
netty-handler-4.1.72.Final.jar
- File Path: /home/grprdist/.m2/repository/io/netty/netty-handler/4.1.72.Final/netty-handler-4.1.72.Final.jar
- MD5: 745b292bba3a4abc6eda77c8bb425594
- SHA1: 9feee089fee606c64be90c0332db9aef1f7d8e46
- SHA256: 9cb6012af7e06361d738ac4e3bdc49a158f8cf87d9dee0f2744056b7d99c28d5
- pkg:maven/io.netty/netty-handler@4.1.72.Final
netty-resolver-4.1.72.Final.jar
- File Path: /home/grprdist/.m2/repository/io/netty/netty-resolver/4.1.72.Final/netty-resolver-4.1.72.Final.jar
- MD5: 9bde143c826010ea731930a12015a62c
- SHA1: 4ff458458ea32ed1156086820b624a815fcbf2c0
- SHA256: 6474598aab7cc9d8d6cfa06c05bd1b19adbf7f8451dbdd73070b33a6c60b1b90
- pkg:maven/io.netty/netty-resolver@4.1.72.Final
netty-transport-classes-epoll-4.1.72.Final.jar
- File Path: /home/grprdist/.m2/repository/io/netty/netty-transport-classes-epoll/4.1.72.Final/netty-transport-classes-epoll-4.1.72.Final.jar
- MD5: f94c823a477eb166e2cc59024245007e
- SHA1: 490c922f85c8f6a5b39bdeec1f6629d58d48eaff
- SHA256: e1528a9751c1285aa7beaf3a1eb0597151716426ce38598ac9bc0891209b9e68
- pkg:maven/io.netty/netty-transport-classes-epoll@4.1.72.Final
netty-transport-classes-kqueue-4.1.72.Final.jar
- File Path: /home/grprdist/.m2/repository/io/netty/netty-transport-classes-kqueue/4.1.72.Final/netty-transport-classes-kqueue-4.1.72.Final.jar
- MD5: a1c106eb5650211b4ba5f4673111d738
- SHA1: fbcce97a6f9f79b8c5fc118bb838e7a4526d8efa
- SHA256: e47ef6c2d1a0aa8d4f05836e8160c4223894278a34e5967bf669154a4a30d20b
- pkg:maven/io.netty/netty-transport-classes-kqueue@4.1.72.Final
netty-transport-native-epoll-4.1.72.Final-linux-x86_64.jar
- File Path: /home/grprdist/.m2/repository/io/netty/netty-transport-native-epoll/4.1.72.Final/netty-transport-native-epoll-4.1.72.Final-linux-x86_64.jar
- MD5: 994eb863fddd8729c075939e46cc3ee0
- SHA1: b3eef308278d874e208388164b9eabcd1e1e6963
- SHA256: 3d4639f03ef04d98ce7f9e56978d6ff5f7deaa9b51cc4f1fa92699a6eed8efb8
- pkg:maven/io.netty/netty-transport-native-epoll@4.1.72.Final
netty-transport-native-kqueue-4.1.72.Final-osx-x86_64.jar
- File Path: /home/grprdist/.m2/repository/io/netty/netty-transport-native-kqueue/4.1.72.Final/netty-transport-native-kqueue-4.1.72.Final-osx-x86_64.jar
- MD5: d87fba69205a681e2bfb165421d8a191
- SHA1: 55c34d17be1489c3936800f0505c3c04389b1848
- SHA256: 4c3bbc22abadfec6fa9bfd0a74ce1948341a4b7f5e657d7397e24a6cd509ad50
- pkg:maven/io.netty/netty-transport-native-kqueue@4.1.72.Final
netty-transport-native-unix-common-4.1.72.Final.jar
- File Path: /home/grprdist/.m2/repository/io/netty/netty-transport-native-unix-common/4.1.72.Final/netty-transport-native-unix-common-4.1.72.Final.jar
- MD5: 86a0352dfbd9e7155085e584d7d28f33
- SHA1: cedc023ffdcb68543b22a1ebc7960a160589aa09
- SHA256: 6f8f1cc29b5a234eeee9439a63eb3f03a5994aa540ff555cb0b2c88cefaf6877
- pkg:maven/io.netty/netty-transport-native-unix-common@4.1.72.Final

Identifiers

pkg:maven/io.netty/netty-transport@4.1.72.Final (Confidence:High)
cpe:2.3:a:netty:netty:4.1.72:*:*:*:*:*:*:* (Confidence:Highest)

Published Vulnerabilities

CVE-2022-41881

Netty project is an event-driven asynchronous network application framework. In versions prior to 4.1.86.Final, a StackOverflowError can be raised when parsing a malformed crafted message due to an infinite recursion. This issue is patched in version 4.1.86.Final. There is no workaround, except using a custom HaProxyMessageDecoder.

CWE-674 Uncontrolled Recursion

CVSSv3:

Base Score: HIGH (7.5)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References:

Vulnerable Software & Versions:

cpe:2.3:a:netty:netty:*:*:*:*:*:*:*:* versions up to (excluding) 4.1.86

CVE-2023-4586

A vulnerability was found in the Hot Rod client. This security issue occurs as the Hot Rod client does not enable hostname validation when using TLS, possibly resulting in a man-in-the-middle (MITM) attack.

CWE-295 Improper Certificate Validation

CVSSv3:

Base Score: HIGH (7.4)
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

References:

Vulnerable Software & Versions: (show all)

CVE-2023-34462

Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. The `SniHandler` can allocate up to 16MB of heap for each channel during the TLS handshake. When the handler or the channel does not have an idle timeout, it can be used to make a TCP server using the `SniHandler` to allocate 16MB of heap. The `SniHandler` class is a handler that waits for the TLS handshake to configure a `SslHandler` according to the indicated server name by the `ClientHello` record. For this matter it allocates a `ByteBuf` using the value defined in the `ClientHello` record. Normally the value of the packet should be smaller than the handshake packet but there are not checks done here and the way the code is written, it is possible to craft a packet that makes the `SslClientHelloHandler`. This vulnerability has been fixed in version 4.1.94.Final.

CWE-400 Uncontrolled Resource Consumption ('Resource Exhaustion')

CVSSv3:

Base Score: MEDIUM (6.5)
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

References:

Vulnerable Software & Versions:

cpe:2.3:a:netty:netty:*:*:*:*:*:*:*:* versions up to (excluding) 4.1.94

CVE-2022-24823

Netty is an open-source, asynchronous event-driven network application framework. The package `io.netty:netty-codec-http` prior to version 4.1.77.Final contains an insufficient fix for CVE-2021-21290. When Netty's multipart decoders are used local information disclosure can occur via the local system temporary directory if temporary storing uploads on the disk is enabled. This only impacts applications running on Java version 6 and lower. Additionally, this vulnerability impacts code running on Unix-like systems, and very old versions of Mac OSX and Windows as they all share the system temporary directory between all users. Version 4.1.77.Final contains a patch for this vulnerability. As a workaround, specify one's own `java.io.tmpdir` when starting the JVM or use DefaultHttpDataFactory.setBaseDir(...) to set the directory to something that is only readable by the current user.

CWE-378 Creation of Temporary File With Insecure Permissions, CWE-379 Creation of Temporary File in Directory with Incorrect Permissions, CWE-668 Exposure of Resource to Wrong Sphere

CVSSv2:

Base Score: LOW (1.9)
Vector: /AV:L/AC:M/Au:N/C:P/I:N/A:N

CVSSv3:

Base Score: MEDIUM (5.5)
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

References:

Vulnerable Software & Versions: (show all)

License:

Apache-2.0: https://www.apache.org/licenses/LICENSE-2.0.txt

File Path: /home/grprdist/.m2/repository/com/nimbusds/nimbus-jose-jwt/9.24.4/nimbus-jose-jwt-9.24.4.jar/META-INF/maven/com.google.code.gson/gson/pom.xml
MD5: 7bd7595123078326684b630486e49fa8
SHA1: f0cf3edcef8dcb74d27cb427544a309eb718d772
SHA256:e5966323d7142570b37a4be979e21bc2dae848107e4dc416d8f44d9aa3f02903
Referenced In Project/Scope:Grouper Google Apps Provisioner:provided

Evidence

Type	Source	Name	Value	Confidence
Vendor	pom	artifactid	gson	Low
Vendor	pom	groupid	com.google.code.gson	Highest
Vendor	pom	name	Gson	High
Vendor	pom	parent-artifactid	gson-parent	Low
Product	pom	artifactid	gson	Highest
Product	pom	groupid	com.google.code.gson	Highest
Product	pom	name	Gson	High
Product	pom	parent-artifactid	gson-parent	Medium
Version	pom	version	2.9.1	Highest

Identifiers

pkg:maven/com.google.code.gson/gson@2.9.1 (Confidence:High)
cpe:2.3:a:google:gson:2.9.1:*:*:*:*:*:*:* (Confidence:Highest)

Description:

        Java library for Javascript Object Signing and Encryption (JOSE) and
        JSON Web Tokens (JWT)

License:

The Apache Software License, Version 2.0: https://www.apache.org/licenses/LICENSE-2.0.txt

File Path: /home/grprdist/.m2/repository/com/nimbusds/nimbus-jose-jwt/9.24.4/nimbus-jose-jwt-9.24.4.jar
MD5: f00923fe2eb333891619668391ac4d14
SHA1: 29a1f6a00a4daa3e1873f6bf4f16ddf4d6fd6d37
SHA256:8d589630722a4c56349248652477fdaa4e30df9c732c4d6eac2f271437246304
Referenced In Project/Scope:Grouper Google Apps Provisioner:provided

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	nimbus-jose-jwt	High
Vendor	jar	package name	jose	Highest
Vendor	jar	package name	jwt	Highest
Vendor	jar	package name	nimbusds	Highest
Vendor	Manifest	automatic-module-name	com.nimbusds.jose.jwt	Medium
Vendor	Manifest	build-date	${timestamp}	Low
Vendor	Manifest	build-number	${buildNumber}	Low
Vendor	Manifest	build-tag	9.24.4	Low
Vendor	Manifest	bundle-docurl	https://connect2id.com	Low
Vendor	Manifest	bundle-symbolicname	com.nimbusds.nimbus-jose-jwt	Medium
Vendor	Manifest	implementation-url	https://bitbucket.org/connect2id/nimbus-jose-jwt	Low
Vendor	Manifest	Implementation-Vendor	Connect2id Ltd.	High
Vendor	Manifest	Implementation-Vendor-Id	com.nimbusds	Medium
Vendor	Manifest	require-capability	osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.7))"	Low
Vendor	Manifest	specification-vendor	Connect2id Ltd.	Low
Vendor	pom	artifactid	nimbus-jose-jwt	Highest
Vendor	pom	artifactid	nimbus-jose-jwt	Low
Vendor	pom	developer email	vladimir@dzhuvinov.com	Low
Vendor	pom	developer id	vdzhuvinov	Medium
Vendor	pom	developer name	Vladimir Dzhuvinov	Medium
Vendor	pom	groupid	com.nimbusds	Highest
Vendor	pom	name	Nimbus JOSE+JWT	High
Vendor	pom	organization name	Connect2id Ltd.	High
Vendor	pom	organization url	https://connect2id.com	Medium
Vendor	pom	url	https://bitbucket.org/connect2id/nimbus-jose-jwt	Highest
Product	file	name	nimbus-jose-jwt	High
Product	jar	package name	9	Highest
Product	jar	package name	jose	Highest
Product	jar	package name	jwt	Highest
Product	jar	package name	nimbusds	Highest
Product	Manifest	automatic-module-name	com.nimbusds.jose.jwt	Medium
Product	Manifest	build-date	${timestamp}	Low
Product	Manifest	build-number	${buildNumber}	Low
Product	Manifest	build-tag	9.24.4	Low
Product	Manifest	bundle-docurl	https://connect2id.com	Low
Product	Manifest	Bundle-Name	Nimbus JOSE+JWT	Medium
Product	Manifest	bundle-symbolicname	com.nimbusds.nimbus-jose-jwt	Medium
Product	Manifest	Implementation-Title	Nimbus JOSE+JWT	High
Product	Manifest	implementation-url	https://bitbucket.org/connect2id/nimbus-jose-jwt	Low
Product	Manifest	require-capability	osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.7))"	Low
Product	Manifest	specification-title	Nimbus JOSE+JWT	Medium
Product	pom	artifactid	nimbus-jose-jwt	Highest
Product	pom	developer email	vladimir@dzhuvinov.com	Low
Product	pom	developer id	vdzhuvinov	Low
Product	pom	developer name	Vladimir Dzhuvinov	Low
Product	pom	groupid	com.nimbusds	Highest
Product	pom	name	Nimbus JOSE+JWT	High
Product	pom	organization name	Connect2id Ltd.	Low
Product	pom	organization url	https://connect2id.com	Low
Product	pom	url	https://bitbucket.org/connect2id/nimbus-jose-jwt	Medium
Version	file	version	9.24.4	High
Version	Manifest	build-tag	9.24.4	Low
Version	Manifest	Bundle-Version	9.24.4	High
Version	Manifest	Implementation-Version	9.24.4	High
Version	pom	version	9.24.4	Highest

Identifiers

pkg:maven/com.nimbusds/nimbus-jose-jwt@9.24.4 (Confidence:High)
cpe:2.3:a:connect2id:nimbus_jose\+jwt:9.24.4:*:*:*:*:*:*:* (Confidence:Highest)

Description:

		OAuth 2.0 SDK with OpenID Connection extensions for developing
		client and server applications.

License:

Apache License, version 2.0: https://www.apache.org/licenses/LICENSE-2.0.html

File Path: /home/grprdist/.m2/repository/com/nimbusds/oauth2-oidc-sdk/9.43.1/oauth2-oidc-sdk-9.43.1.jar
MD5: 564a5b104ad66dce737a0e281dac4293
SHA1: a25abc8ea0a91296063d55dbb57b698f81a4649c
SHA256:65d360ca0d7bb89302a8153c7acb30214d5c027b177c714d72dc05d41f993204
Referenced In Project/Scope:Grouper Google Apps Provisioner:provided

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	oauth2-oidc-sdk	High
Vendor	jar	package name	client	Highest
Vendor	jar	package name	connect	Highest
Vendor	jar	package name	nimbusds	Highest
Vendor	jar	package name	oauth2	Highest
Vendor	jar	package name	openid	Highest
Vendor	jar	package name	sdk	Highest
Vendor	Manifest	build-date	20220909.152910.032	Low
Vendor	Manifest	build-jdk-spec	11	Low
Vendor	Manifest	build-number	e3848927b9884a3f19aa947388ec605a7bcc4d65	Low
Vendor	Manifest	build-tag	9.43.1	Low
Vendor	Manifest	bundle-developers	vdzhuvinov;email="vd@connect2id.com";name="Vladimir Dzhuvinov"	Low
Vendor	Manifest	bundle-docurl	https://bitbucket.org/connect2id/oauth-2.0-sdk-with-openid-connect-extensions	Low
Vendor	Manifest	bundle-symbolicname	oauth2-oidc-sdk	Medium
Vendor	Manifest	Implementation-Vendor	Connect2id Ltd.	High
Vendor	Manifest	require-capability	osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.7))"	Low
Vendor	Manifest	specification-vendor	Connect2id Ltd.	Low
Vendor	pom	artifactid	oauth2-oidc-sdk	Highest
Vendor	pom	artifactid	oauth2-oidc-sdk	Low
Vendor	pom	developer email	vd@connect2id.com	Low
Vendor	pom	developer id	vdzhuvinov	Medium
Vendor	pom	developer name	Vladimir Dzhuvinov	Medium
Vendor	pom	groupid	com.nimbusds	Highest
Vendor	pom	name	OAuth 2.0 SDK with OpenID Connect extensions	High
Vendor	pom	organization name	Connect2id Ltd.	High
Vendor	pom	organization url	https://connect2id.com	Medium
Vendor	pom	url	https://bitbucket.org/connect2id/oauth-2.0-sdk-with-openid-connect-extensions	Highest
Product	file	name	oauth2-oidc-sdk	High
Product	jar	package name	client	Highest
Product	jar	package name	connect	Highest
Product	jar	package name	nimbusds	Highest
Product	jar	package name	oauth2	Highest
Product	jar	package name	openid	Highest
Product	jar	package name	sdk	Highest
Product	Manifest	build-date	20220909.152910.032	Low
Product	Manifest	build-jdk-spec	11	Low
Product	Manifest	build-number	e3848927b9884a3f19aa947388ec605a7bcc4d65	Low
Product	Manifest	build-tag	9.43.1	Low
Product	Manifest	bundle-developers	vdzhuvinov;email="vd@connect2id.com";name="Vladimir Dzhuvinov"	Low
Product	Manifest	bundle-docurl	https://bitbucket.org/connect2id/oauth-2.0-sdk-with-openid-connect-extensions	Low
Product	Manifest	Bundle-Name	OAuth 2.0 SDK with OpenID Connect extensions	Medium
Product	Manifest	bundle-symbolicname	oauth2-oidc-sdk	Medium
Product	Manifest	Implementation-Title	OAuth 2.0 SDK with OpenID Connect extensions	High
Product	Manifest	require-capability	osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.7))"	Low
Product	Manifest	specification-title	OAuth 2.0 SDK with OpenID Connect extensions	Medium
Product	pom	artifactid	oauth2-oidc-sdk	Highest
Product	pom	developer email	vd@connect2id.com	Low
Product	pom	developer id	vdzhuvinov	Low
Product	pom	developer name	Vladimir Dzhuvinov	Low
Product	pom	groupid	com.nimbusds	Highest
Product	pom	name	OAuth 2.0 SDK with OpenID Connect extensions	High
Product	pom	organization name	Connect2id Ltd.	Low
Product	pom	organization url	https://connect2id.com	Low
Product	pom	url	https://bitbucket.org/connect2id/oauth-2.0-sdk-with-openid-connect-extensions	Medium
Version	file	version	9.43.1	High
Version	Manifest	build-tag	9.43.1	Low
Version	Manifest	Bundle-Version	9.43.1	High
Version	Manifest	Implementation-Version	9.43.1	High
Version	pom	version	9.43.1	Highest

Identifiers

pkg:maven/com.nimbusds/oauth2-oidc-sdk@9.43.1 (Confidence:High)

Description:

OSGi R8 framework implementation.

License:

https://www.apache.org/licenses/LICENSE-2.0.txt

File Path: /home/grprdist/.m2/repository/org/apache/felix/org.apache.felix.framework/7.0.3/org.apache.felix.framework-7.0.3.jar
MD5: ea392d1ab3f5f416f8aa1ac14c1c14ff
SHA1: c60632913c11ae47e8a6dcd5b617f48ee17693f5
SHA256:afd53fb601da924552129a965e3c2fbe1a17a3824b77c7f74b318606ef9a174d
Referenced In Project/Scope:Grouper Google Apps Provisioner:provided

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	org.apache.felix.framework	High
Vendor	jar	package name	apache	Highest
Vendor	jar	package name	felix	Highest
Vendor	jar	package name	framework	Highest
Vendor	Manifest	add-opens	java.base/java.net java.base/sun.net.www.protocol.file java.base/sun.net.www.protocol.ftp java.base/sun.net.www.protocol.http java.base/sun.net.www.protocol.https java.base/sun.net.www.protocol.jar java.base/sun.net.www.protocol.jmod java.base/sun.net.www.protocol.mailto java.base/sun.net.www.protocol.jrt java.base/jdk.internal.loader java.base/java.security	Low
Vendor	Manifest	build-jdk-spec	1.8	Low
Vendor	Manifest	bundle-docurl	https://www.apache.org/	Low
Vendor	Manifest	bundle-symbolicname	org.apache.felix.framework	Medium
Vendor	Manifest	provide-capability	osgi.service;objectClass="org.osgi.service.packageadmin.PackageAdmin",osgi.service;objectClass="org.osgi.service.startlevel.StartLevel"	Low
Vendor	Manifest	require-capability	osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))"	Low
Vendor	pom	artifactid	apache.felix.framework	Low
Vendor	pom	artifactid	org.apache.felix.framework	Highest
Vendor	pom	groupid	org.apache.felix	Highest
Vendor	pom	name	Apache Felix Framework	High
Vendor	pom	parent-artifactid	felix-parent	Low
Product	file	name	org.apache.felix.framework	High
Product	jar	package name	apache	Highest
Product	jar	package name	felix	Highest
Product	jar	package name	filter	Highest
Product	jar	package name	framework	Highest
Product	jar	package name	osgi	Highest
Product	jar	package name	packageadmin	Highest
Product	jar	package name	service	Highest
Product	jar	package name	startlevel	Highest
Product	jar	package name	version	Highest
Product	Manifest	add-opens	java.base/java.net java.base/sun.net.www.protocol.file java.base/sun.net.www.protocol.ftp java.base/sun.net.www.protocol.http java.base/sun.net.www.protocol.https java.base/sun.net.www.protocol.jar java.base/sun.net.www.protocol.jmod java.base/sun.net.www.protocol.mailto java.base/sun.net.www.protocol.jrt java.base/jdk.internal.loader java.base/java.security	Low
Product	Manifest	build-jdk-spec	1.8	Low
Product	Manifest	bundle-docurl	https://www.apache.org/	Low
Product	Manifest	Bundle-Name	Apache Felix Framework	Medium
Product	Manifest	bundle-symbolicname	org.apache.felix.framework	Medium
Product	Manifest	provide-capability	osgi.service;objectClass="org.osgi.service.packageadmin.PackageAdmin",osgi.service;objectClass="org.osgi.service.startlevel.StartLevel"	Low
Product	Manifest	require-capability	osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))"	Low
Product	pom	artifactid	apache.felix.framework	Highest
Product	pom	artifactid	org.apache.felix.framework	Highest
Product	pom	groupid	org.apache.felix	Highest
Product	pom	name	Apache Felix Framework	High
Product	pom	parent-artifactid	felix-parent	Medium
Version	file	version	7.0.3	High
Version	Manifest	Bundle-Version	7.0.3	High
Version	pom	parent-version	7.0.3	Low
Version	pom	version	7.0.3	Highest

Identifiers

pkg:maven/org.apache.felix/org.apache.felix.framework@7.0.3 (Confidence:High)
cpe:2.3:a:sun:sun_ftp:7.0.3:*:*:*:*:*:*:* (Confidence:Low)

File Path: /home/grprdist/.m2/repository/oro/oro/2.0.8/oro-2.0.8.jar
MD5: 42e940d5d2d822f4dc04c65053e630ab
SHA1: 5592374f834645c4ae250f4c9fbb314c9369d698
SHA256:e00ccdad5df7eb43fdee44232ef64602bf63807c2d133a7be83ba09fd49af26e
Referenced In Project/Scope:Grouper Google Apps Provisioner:provided

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	oro	High
Vendor	jar	package name	apache	Highest
Vendor	jar	package name	oro	Highest
Vendor	manifest: org/apache/oro	Implementation-Vendor	Apache Software Foundation	Medium
Vendor	pom	artifactid	oro	Highest
Vendor	pom	artifactid	oro	Low
Vendor	pom	groupid	oro	Highest
Product	file	name	oro	High
Product	jar	package name	apache	Highest
Product	jar	package name	oro	Highest
Product	manifest: org/apache/oro	Implementation-Title	org.apache.oro	Medium
Product	manifest: org/apache/oro	Specification-Title	Jakarta ORO	Medium
Product	pom	artifactid	oro	Highest
Product	pom	groupid	oro	Highest
Version	file	version	2.0.8	High
Version	pom	version	2.0.8	Highest

Identifiers

pkg:maven/oro/oro@2.0.8 (Confidence:High)

Description:

Java command line parser with both an annotations API and a programmatic API. Usage help with ANSI styles and colors. Autocomplete. Nested subcommands. Easily included as source to avoid adding a dependency.

License:

The Apache Software License, version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt

File Path: /home/grprdist/.m2/repository/info/picocli/picocli/4.3.2/picocli-4.3.2.jar
MD5: f20bf12b29c0ffea894d557336171f39
SHA1: 37a9ed41f7a028611775b6e8ad831e3e5fcd6280
SHA256:43c9cf516012aad1ac5ce6b54642e9cb1271e66d827b06a879fd314144d57550
Referenced In Project/Scope:Grouper Google Apps Provisioner:provided

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	picocli	High
Vendor	jar	package name	autocomplete	Highest
Vendor	jar	package name	picocli	Highest
Vendor	Manifest	bundle-symbolicname	picocli	Medium
Vendor	Manifest	Implementation-Vendor	Remko Popma	High
Vendor	Manifest	multi-release	true	Low
Vendor	Manifest	require-capability	osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.5))"	Low
Vendor	Manifest	specification-vendor	Remko Popma	Low
Vendor	pom	artifactid	picocli	Highest
Vendor	pom	artifactid	picocli	Low
Vendor	pom	developer email	rpopma@apache.org	Low
Vendor	pom	developer id	rpopma	Medium
Vendor	pom	developer name	Remko Popma	Medium
Vendor	pom	groupid	info.picocli	Highest
Vendor	pom	name	picocli - a mighty tiny Command Line Interface	High
Vendor	pom	url	http://picocli.info	Highest
Product	file	name	picocli	High
Product	jar	package name	autocomplete	Highest
Product	jar	package name	picocli	Highest
Product	Manifest	Bundle-Name	picocli	Medium
Product	Manifest	bundle-symbolicname	picocli	Medium
Product	Manifest	Implementation-Title	picocli	High
Product	Manifest	multi-release	true	Low
Product	Manifest	require-capability	osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.5))"	Low
Product	Manifest	specification-title	picocli	Medium
Product	pom	artifactid	picocli	Highest
Product	pom	developer email	rpopma@apache.org	Low
Product	pom	developer id	rpopma	Low
Product	pom	developer name	Remko Popma	Low
Product	pom	groupid	info.picocli	Highest
Product	pom	name	picocli - a mighty tiny Command Line Interface	High
Product	pom	url	http://picocli.info	Medium
Version	file	version	4.3.2	High
Version	Manifest	Bundle-Version	4.3.2	High
Version	Manifest	Implementation-Version	4.3.2	High
Version	pom	version	4.3.2	Highest

Identifiers

pkg:maven/info.picocli/picocli@4.3.2 (Confidence:High)

Description:

PostgreSQL JDBC Driver Postgresql

License:

BSD-2-Clause: https://jdbc.postgresql.org/about/license.html

File Path: /home/grprdist/.m2/repository/org/postgresql/postgresql/42.5.1/postgresql-42.5.1.jar
MD5: 378f8a2ddab2564a281e5f852800e2e9
SHA1: ac2f61eb3b1b4e47ea45de47e73d2e92f49e3ce1
SHA256:89e8bffa8b37b9487946012c690cf04f3103953051c1c193d88ee36b68d365ae
Referenced In Project/Scope:Grouper Google Apps Provisioner:runtime

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	postgresql	High
Vendor	jar	package name	driver	Highest
Vendor	jar	package name	jdbc	Highest
Vendor	jar	package name	postgresql	Highest
Vendor	Manifest	automatic-module-name	org.postgresql.jdbc	Medium
Vendor	Manifest	bundle-copyright	Copyright (c) 2003-2020, PostgreSQL Global Development Group	Low
Vendor	Manifest	bundle-docurl	https://jdbc.postgresql.org/	Low
Vendor	Manifest	bundle-symbolicname	org.postgresql.jdbc	Medium
Vendor	Manifest	Implementation-Vendor	PostgreSQL Global Development Group	High
Vendor	Manifest	Implementation-Vendor-Id	org.postgresql	Medium
Vendor	Manifest	provide-capability	osgi.service;effective:=active;objectClass="org.osgi.service.jdbc.DataSourceFactory";osgi.jdbc.driver.class="org.postgresql.Driver";osgi.jdbc.driver.name="PostgreSQL JDBC Driver"	Low
Vendor	Manifest	require-capability	osgi.ee;filter:="(&(\|(osgi.ee=J2SE)(osgi.ee=JavaSE))(version>=1.8))"	Low
Vendor	Manifest	specification-vendor	Oracle Corporation	Low
Vendor	pom	artifactid	postgresql	Highest
Vendor	pom	artifactid	postgresql	Low
Vendor	pom	developer id	bokken	Medium
Vendor	pom	developer id	davecramer	Medium
Vendor	pom	developer id	jurka	Medium
Vendor	pom	developer id	oliver	Medium
Vendor	pom	developer id	ringerc	Medium
Vendor	pom	developer id	vlsi	Medium
Vendor	pom	developer name	Brett Okken	Medium
Vendor	pom	developer name	Craig Ringer	Medium
Vendor	pom	developer name	Dave Cramer	Medium
Vendor	pom	developer name	Kris Jurka	Medium
Vendor	pom	developer name	Oliver Jowett	Medium
Vendor	pom	developer name	Vladimir Sitnikov	Medium
Vendor	pom	groupid	org.postgresql	Highest
Vendor	pom	name	PostgreSQL JDBC Driver	High
Vendor	pom	organization name	PostgreSQL Global Development Group	High
Vendor	pom	organization url	https://jdbc.postgresql.org/	Medium
Vendor	pom	url	https://jdbc.postgresql.org	Highest
Product	file	name	postgresql	High
Product	hint analyzer	product	pgjdbc	Highest
Product	hint analyzer	product	postgresql_jdbc_driver	Highest
Product	jar	package name	driver	Highest
Product	jar	package name	jdbc	Highest
Product	jar	package name	osgi	Highest
Product	jar	package name	postgresql	Highest
Product	jar	package name	version	Highest
Product	Manifest	automatic-module-name	org.postgresql.jdbc	Medium
Product	Manifest	bundle-copyright	Copyright (c) 2003-2020, PostgreSQL Global Development Group	Low
Product	Manifest	bundle-docurl	https://jdbc.postgresql.org/	Low
Product	Manifest	Bundle-Name	PostgreSQL JDBC Driver	Medium
Product	Manifest	bundle-symbolicname	org.postgresql.jdbc	Medium
Product	Manifest	Implementation-Title	PostgreSQL JDBC Driver	High
Product	Manifest	provide-capability	osgi.service;effective:=active;objectClass="org.osgi.service.jdbc.DataSourceFactory";osgi.jdbc.driver.class="org.postgresql.Driver";osgi.jdbc.driver.name="PostgreSQL JDBC Driver"	Low
Product	Manifest	require-capability	osgi.ee;filter:="(&(\|(osgi.ee=J2SE)(osgi.ee=JavaSE))(version>=1.8))"	Low
Product	Manifest	specification-title	JDBC	Medium
Product	pom	artifactid	postgresql	Highest
Product	pom	developer id	bokken	Low
Product	pom	developer id	davecramer	Low
Product	pom	developer id	jurka	Low
Product	pom	developer id	oliver	Low
Product	pom	developer id	ringerc	Low
Product	pom	developer id	vlsi	Low
Product	pom	developer name	Brett Okken	Low
Product	pom	developer name	Craig Ringer	Low
Product	pom	developer name	Dave Cramer	Low
Product	pom	developer name	Kris Jurka	Low
Product	pom	developer name	Oliver Jowett	Low
Product	pom	developer name	Vladimir Sitnikov	Low
Product	pom	groupid	org.postgresql	Highest
Product	pom	name	PostgreSQL JDBC Driver	High
Product	pom	organization name	PostgreSQL Global Development Group	Low
Product	pom	organization url	https://jdbc.postgresql.org/	Low
Product	pom	url	https://jdbc.postgresql.org	Medium
Version	file	version	42.5.1	High
Version	Manifest	Bundle-Version	42.5.1	High
Version	Manifest	Implementation-Version	42.5.1	High
Version	pom	version	42.5.1	Highest

Identifiers

pkg:maven/org.postgresql/postgresql@42.5.1 (Confidence:High)
cpe:2.3:a:postgresql:postgresql_jdbc_driver:42.5.1:*:*:*:*:*:*:* (Confidence:Low)

Description:

    Core Protocol Buffers library. Protocol Buffers are a way of encoding structured data in an
    efficient yet extensible format.

License:

https://opensource.org/licenses/BSD-3-Clause

File Path: /home/grprdist/.m2/repository/com/google/protobuf/protobuf-java/3.11.4/protobuf-java-3.11.4.jar
MD5: c4ceefed77d79affded2a1302e74606d
SHA1: 7ec0925cc3aef0335bbc7d57edfd42b0f86f8267
SHA256:42e98f58f53d1a49fd734c2dd193880f2dfec3436a2993a00d06b8800a22a3f2
Referenced In Project/Scope:Grouper Google Apps Provisioner:runtime

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	protobuf-java	High
Vendor	jar	package name	google	Highest
Vendor	jar	package name	protobuf	Highest
Vendor	Manifest	automatic-module-name	com.google.protobuf	Medium
Vendor	Manifest	bundle-docurl	https://developers.google.com/protocol-buffers/	Low
Vendor	Manifest	bundle-symbolicname	com.google.protobuf	Medium
Vendor	Manifest	require-capability	osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.7))"	Low
Vendor	pom	artifactid	protobuf-java	Highest
Vendor	pom	artifactid	protobuf-java	Low
Vendor	pom	groupid	com.google.protobuf	Highest
Vendor	pom	name	Protocol Buffers [Core]	High
Vendor	pom	parent-artifactid	protobuf-parent	Low
Product	file	name	protobuf-java	High
Product	jar	package name	google	Highest
Product	jar	package name	protobuf	Highest
Product	Manifest	automatic-module-name	com.google.protobuf	Medium
Product	Manifest	bundle-docurl	https://developers.google.com/protocol-buffers/	Low
Product	Manifest	Bundle-Name	Protocol Buffers [Core]	Medium
Product	Manifest	bundle-symbolicname	com.google.protobuf	Medium
Product	Manifest	require-capability	osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.7))"	Low
Product	pom	artifactid	protobuf-java	Highest
Product	pom	groupid	com.google.protobuf	Highest
Product	pom	name	Protocol Buffers [Core]	High
Product	pom	parent-artifactid	protobuf-parent	Medium
Version	file	version	3.11.4	High
Version	Manifest	Bundle-Version	3.11.4	High
Version	pom	version	3.11.4	Highest

Identifiers

pkg:maven/com.google.protobuf/protobuf-java@3.11.4 (Confidence:High)
cpe:2.3:a:google:protobuf-java:3.11.4:*:*:*:*:*:*:* (Confidence:Highest)
cpe:2.3:a:protobuf:protobuf:3.11.4:*:*:*:*:*:*:* (Confidence:Highest)

Published Vulnerabilities

CVE-2022-3171

A parsing issue with binary data in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a denial of service attack. Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown fields causes objects to be converted back-n-forth between mutable and immutable forms, resulting in potentially long garbage collection pauses. We recommend updating to the versions mentioned above.

NVD-CWE-noinfo

CVSSv3:

Base Score: HIGH (7.5)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References:

CONFIRM - https://github.com/protocolbuffers/protobuf/security/advisories/GHSA-h4h5-3hr4-j3g2
FEDORA - FEDORA-2022-15729fa33d
FEDORA - FEDORA-2022-25f35ed634
GENTOO - GLSA-202301-09
OSSINDEX - [CVE-2022-3171] CWE-noinfo
OSSIndex - http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-3171
OSSIndex - https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=48771
OSSIndex - https://github.com/advisories/GHSA-h4h5-3hr4-j3g2
OSSIndex - https://github.com/protocolbuffers/protobuf/security/advisories/GHSA-h4h5-3hr4-j3g2

Vulnerable Software & Versions: (show all)

CVE-2022-3509 (OSSINDEX)

A parsing issue similar to CVE-2022-3171, but with textformat in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a denial of service attack. Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown fields causes objects to be converted back-n-forth between mutable and immutable forms, resulting in potentially long garbage collection pauses. We recommend updating to the versions mentioned above.

CWE-20 Improper Input Validation

CVSSv2:

Base Score: HIGH (7.5)
Vector: /AV:N/AC:L/Au:/C:N/I:N/A:H

References:

OSSINDEX - [CVE-2022-3509] CWE-20: Improper Input Validation
OSSIndex - http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-3509
OSSIndex - https://github.com/protocolbuffers/protobuf/pull/10673
OSSIndex - https://security-tracker.debian.org/tracker/CVE-2022-3509

Vulnerable Software & Versions (OSSINDEX):

cpe:2.3:a:com.google.protobuf:protobuf-java:3.11.4:*:*:*:*:*:*:*

CVE-2022-3510 (OSSINDEX)

A parsing issue similar to CVE-2022-3171, but with Message-Type Extensions in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a denial of service attack. Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown fields causes objects to be converted back-n-forth between mutable and immutable forms, resulting in potentially long garbage collection pauses. We recommend updating to the versions mentioned above.

Sonatype's research suggests that this CVE's details differ from those defined at NVD. See https://ossindex.sonatype.org/vulnerability/CVE-2022-3510 for details

CWE-400 Uncontrolled Resource Consumption ('Resource Exhaustion')

CVSSv2:

Base Score: HIGH (7.5)
Vector: /AV:N/AC:L/Au:/C:N/I:N/A:H

References:

OSSINDEX - [CVE-2022-3510] CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion')
OSSIndex - http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-3510
OSSIndex - https://github.com/advisories/GHSA-4gg5-vx3j-xwc7

Vulnerable Software & Versions (OSSINDEX):

cpe:2.3:a:com.google.protobuf:protobuf-java:3.11.4:*:*:*:*:*:*:*

CVE-2021-22569

An issue in protobuf-java allowed the interleaving of com.google.protobuf.UnknownFieldSet fields in such a way that would be processed out of order. A small malicious payload can occupy the parser for several minutes by creating large numbers of short-lived objects that cause frequent, repeated pauses. We recommend upgrading libraries beyond the vulnerable versions.

NVD-CWE-noinfo

CVSSv2:

Base Score: MEDIUM (4.3)
Vector: /AV:N/AC:M/Au:N/C:N/I:N/A:P

CVSSv3:

Base Score: MEDIUM (5.5)
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

References:

Vulnerable Software & Versions: (show all)

Description:

Proton is a library for speaking AMQP.

License:

https://www.apache.org/licenses/LICENSE-2.0.txt

File Path: /home/grprdist/.m2/repository/org/apache/qpid/proton-j/0.33.10/proton-j-0.33.10.jar
MD5: 55d0529cb097f647e53cff7a4189b128
SHA1: fb31048dec7642e31982a46500acb211f52f6314
SHA256:1fcddf5c76e70eff331900443c51e1a2c8d313b5ffc70611995fadfb6c36d96a
Referenced In Project/Scope:Grouper Google Apps Provisioner:provided

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	proton-j	High
Vendor	jar	package name	apache	Highest
Vendor	jar	package name	proton	Highest
Vendor	jar	package name	qpid	Highest
Vendor	Manifest	automatic-module-name	org.apache.qpid.proton.j	Medium
Vendor	Manifest	bundle-docurl	https://www.apache.org/	Low
Vendor	Manifest	bundle-symbolicname	org.apache.qpid.proton-j	Medium
Vendor	Manifest	require-capability	osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))"	Low
Vendor	pom	artifactid	proton-j	Highest
Vendor	pom	artifactid	proton-j	Low
Vendor	pom	groupid	org.apache.qpid	Highest
Vendor	pom	name	Proton-J	High
Vendor	pom	parent-artifactid	proton-j-parent	Low
Product	file	name	proton-j	High
Product	jar	package name	amqp	Highest
Product	jar	package name	apache	Highest
Product	jar	package name	proton	Highest
Product	jar	package name	qpid	Highest
Product	Manifest	automatic-module-name	org.apache.qpid.proton.j	Medium
Product	Manifest	bundle-docurl	https://www.apache.org/	Low
Product	Manifest	Bundle-Name	Proton-J	Medium
Product	Manifest	bundle-symbolicname	org.apache.qpid.proton-j	Medium
Product	Manifest	require-capability	osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))"	Low
Product	pom	artifactid	proton-j	Highest
Product	pom	groupid	org.apache.qpid	Highest
Product	pom	name	Proton-J	High
Product	pom	parent-artifactid	proton-j-parent	Medium
Version	file	version	0.33.10	High
Version	Manifest	Bundle-Version	0.33.10	High
Version	pom	version	0.33.10	Highest

Identifiers

pkg:maven/org.apache.qpid/proton-j@0.33.10 (Confidence:High)
cpe:2.3:a:apache:qpid:0.33.10:*:*:*:*:*:*:* (Confidence:Highest)
cpe:2.3:a:apache:qpid_proton:0.33.10:*:*:*:*:*:*:* (Confidence:Highest)
cpe:2.3:a:apache:qpid_proton-j:0.33.10:*:*:*:*:*:*:* (Confidence:Highest)
cpe:2.3:a:proton_project:proton:0.33.10:*:*:*:*:*:*:* (Confidence:Highest)

Description:

The core JMS Client implementation

License:

https://www.apache.org/licenses/LICENSE-2.0.txt

File Path: /home/grprdist/.m2/repository/org/apache/qpid/qpid-jms-client/0.61.0/qpid-jms-client-0.61.0.jar
MD5: e8bd7c8a71cdcebbd6701084d4caae11
SHA1: f53f49713a144de8e46cffb4af24a1775dea1e0c
SHA256:7aea6f78c010c34cce82de3f837ccf17362c4d05588bd2d0af6e938de575ca0b
Referenced In Project/Scope:Grouper Google Apps Provisioner:provided

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	qpid-jms-client	High
Vendor	jar	package name	apache	Highest
Vendor	jar	package name	jms	Highest
Vendor	jar	package name	qpid	Highest
Vendor	Manifest	bundle-docurl	https://www.apache.org/	Low
Vendor	Manifest	bundle-symbolicname	org.apache.qpid.jms.client	Medium
Vendor	Manifest	require-capability	osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))"	Low
Vendor	pom	artifactid	qpid-jms-client	Highest
Vendor	pom	artifactid	qpid-jms-client	Low
Vendor	pom	groupid	org.apache.qpid	Highest
Vendor	pom	name	QpidJMS Client	High
Vendor	pom	parent-artifactid	qpid-jms-parent	Low
Product	file	name	qpid-jms-client	High
Product	jar	package name	apache	Highest
Product	jar	package name	jms	Highest
Product	jar	package name	qpid	Highest
Product	Manifest	bundle-docurl	https://www.apache.org/	Low
Product	Manifest	Bundle-Name	QpidJMS Client	Medium
Product	Manifest	bundle-symbolicname	org.apache.qpid.jms.client	Medium
Product	Manifest	require-capability	osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))"	Low
Product	pom	artifactid	qpid-jms-client	Highest
Product	pom	groupid	org.apache.qpid	Highest
Product	pom	name	QpidJMS Client	High
Product	pom	parent-artifactid	qpid-jms-parent	Medium
Version	file	version	0.61.0	High
Version	Manifest	Bundle-Version	0.61.0	High
Version	pom	version	0.61.0	Highest

Identifiers

pkg:maven/org.apache.qpid/qpid-jms-client@0.61.0 (Confidence:High)
cpe:2.3:a:apache:qpid:0.61.0:*:*:*:*:*:*:* (Confidence:Highest)

Description:

Enterprise Job Scheduler

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
Apache Software License, Version 2.0

File Path: /home/grprdist/.m2/repository/org/quartz-scheduler/quartz/2.3.2/quartz-2.3.2.jar
MD5: d7299dbaec0e0ed7af281b07cc40c8c1
SHA1: 18a6d6b5a40b77bd060b34cb9f2acadc4bae7c8a
SHA256:639c6a675bc472e1568df9d8c954ff702da6f83ed27da0ff9a7bd12ed73b8bf0
Referenced In Project/Scope:Grouper Google Apps Provisioner:provided

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	quartz	High
Vendor	hint analyzer	vendor	softwareag	Highest
Vendor	jar	package name	job	Highest
Vendor	jar	package name	quartz	Highest
Vendor	jar	package name	scheduler	Highest
Vendor	Manifest	bundle-docurl	http://www.terracotta.org	Low
Vendor	Manifest	bundle-requiredexecutionenvironment	JavaSE-1.6	Low
Vendor	Manifest	bundle-symbolicname	org.quartz-scheduler.quartz	Medium
Vendor	Manifest	terracotta-name	quartz	Medium
Vendor	Manifest	terracotta-projectstatus	Supported	Low
Vendor	pom	artifactid	quartz	Highest
Vendor	pom	artifactid	quartz	Low
Vendor	pom	groupid	org.quartz-scheduler	Highest
Vendor	pom	name	quartz	High
Vendor	pom	parent-artifactid	quartz-parent	Low
Product	file	name	quartz	High
Product	jar	package name	job	Highest
Product	jar	package name	quartz	Highest
Product	jar	package name	scheduler	Highest
Product	jar	package name	terracotta	Highest
Product	Manifest	bundle-docurl	http://www.terracotta.org	Low
Product	Manifest	Bundle-Name	quartz	Medium
Product	Manifest	bundle-requiredexecutionenvironment	JavaSE-1.6	Low
Product	Manifest	bundle-symbolicname	org.quartz-scheduler.quartz	Medium
Product	Manifest	terracotta-name	quartz	Medium
Product	Manifest	terracotta-projectstatus	Supported	Low
Product	pom	artifactid	quartz	Highest
Product	pom	groupid	org.quartz-scheduler	Highest
Product	pom	name	quartz	High
Product	pom	parent-artifactid	quartz-parent	Medium
Version	file	version	2.3.2	High
Version	Manifest	Bundle-Version	2.3.2	High
Version	pom	version	2.3.2	Highest

Identifiers

pkg:maven/org.quartz-scheduler/quartz@2.3.2 (Confidence:High)
cpe:2.3:a:softwareag:quartz:2.3.2:*:*:*:*:*:*:* (Confidence:Highest)

Published Vulnerabilities

CVE-2023-39017

** DISPUTED ** quartz-jobs 2.3.2 and below was discovered to contain a code injection vulnerability in the component org.quartz.jobs.ee.jms.SendQueueMessageJob.execute. This vulnerability is exploited via passing an unchecked argument. NOTE: this is disputed by multiple parties because it is not plausible that untrusted user input would reach the code location where injection must occur.

CWE-94 Improper Control of Generation of Code ('Code Injection')

CVSSv3:

Base Score: CRITICAL (9.8)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References:

MISC - https://github.com/quartz-scheduler/quartz/issues/943

Vulnerable Software & Versions:

cpe:2.3:a:softwareag:quartz:*:*:*:*:*:*:*:* versions up to (including) 2.3.2

Description:

The slf4j API

File Path: /home/grprdist/.m2/repository/org/slf4j/slf4j-api/1.7.32/slf4j-api-1.7.32.jar
MD5: fbcf58513bc25b80f075d812aad3e3cf
SHA1: cdcff33940d9f2de763bc41ea05a0be5941176c3
SHA256:3624f8474c1af46d75f98bc097d7864a323c81b3808aa43689a6e1c601c027be
Referenced In Project/Scope:Grouper Google Apps Provisioner:provided

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	slf4j-api	High
Vendor	jar	package name	slf4j	Highest
Vendor	Manifest	automatic-module-name	org.slf4j	Medium
Vendor	Manifest	bundle-requiredexecutionenvironment	J2SE-1.5	Low
Vendor	Manifest	bundle-symbolicname	slf4j.api	Medium
Vendor	pom	artifactid	slf4j-api	Highest
Vendor	pom	artifactid	slf4j-api	Low
Vendor	pom	groupid	org.slf4j	Highest
Vendor	pom	name	SLF4J API Module	High
Vendor	pom	parent-artifactid	slf4j-parent	Low
Vendor	pom	url	http://www.slf4j.org	Highest
Product	file	name	slf4j-api	High
Product	jar	package name	slf4j	Highest
Product	Manifest	automatic-module-name	org.slf4j	Medium
Product	Manifest	Bundle-Name	slf4j-api	Medium
Product	Manifest	bundle-requiredexecutionenvironment	J2SE-1.5	Low
Product	Manifest	bundle-symbolicname	slf4j.api	Medium
Product	Manifest	Implementation-Title	slf4j-api	High
Product	pom	artifactid	slf4j-api	Highest
Product	pom	groupid	org.slf4j	Highest
Product	pom	name	SLF4J API Module	High
Product	pom	parent-artifactid	slf4j-parent	Medium
Product	pom	url	http://www.slf4j.org	Medium
Version	file	version	1.7.32	High
Version	Manifest	Bundle-Version	1.7.32	High
Version	Manifest	Implementation-Version	1.7.32	High
Version	pom	version	1.7.32	Highest

Identifiers

pkg:maven/org.slf4j/slf4j-api@1.7.32 (Confidence:High)

Description:

        Smack is an Open Source XMPP (Jabber) client library for instant messaging and presence. A pure Java library, it can be embedded into your applications to create anything from a full XMPP client to simple XMPP integrations such as sending notification messages.

License:

Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0

File Path: /home/grprdist/.m2/repository/jivesoftware/smack/3.1.0/smack-3.1.0.jar
MD5: 362dd4c2fc9b23a33d47272456dd0c39
SHA1: 916a0fe08d840a08c950f49fb59b961e14d673b8
SHA256:c9a25e014608d3402b795d125c88a18a6e22e6c61c65b5e5d224e0f72f4aec8b
Referenced In Project/Scope:Grouper Google Apps Provisioner:provided

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	smack	High
Vendor	jar	package name	jivesoftware	Highest
Vendor	jar	package name	jivesoftware	Low
Vendor	jar	package name	presence	Highest
Vendor	jar	package name	smack	Highest
Vendor	jar	package name	smack	Low
Vendor	pom	artifactid	smack	Highest
Vendor	pom	artifactid	smack	Low
Vendor	pom	groupid	jivesoftware	Highest
Vendor	pom	name	Smack	High
Vendor	pom	url	http://www.jivesoftware.org/smack/	Highest
Product	file	name	smack	High
Product	jar	package name	jivesoftware	Highest
Product	jar	package name	presence	Highest
Product	jar	package name	smack	Highest
Product	jar	package name	smack	Low
Product	pom	artifactid	smack	Highest
Product	pom	groupid	jivesoftware	Highest
Product	pom	name	Smack	High
Product	pom	url	http://www.jivesoftware.org/smack/	Medium
Version	file	version	3.1.0	High
Version	pom	version	3.1.0	Highest

Identifiers

pkg:maven/jivesoftware/smack@3.1.0 (Confidence:High)

Published Vulnerabilities

CVE-2014-5075 (OSSINDEX)

The Ignite Realtime Smack XMPP API 4.x before 4.0.2, and 3.x and 2.x when a custom SSLContext is used, does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.

CWE-310 Cryptographic Issues

CVSSv2:

Base Score: MEDIUM (6.8)
Vector: /AV:N/AC:M/Au:N/C:P/I:P/A:P

References:

OSSINDEX - [CVE-2014-5075] CWE-310
OSSIndex - http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-5075
OSSIndex - https://bugzilla.redhat.com/show_bug.cgi?id=1127276
OSSIndex - https://op-co.de/CVE-2014-5075.html

Vulnerable Software & Versions (OSSINDEX):

cpe:2.3:a:jivesoftware:smack:3.1.0:*:*:*:*:*:*:*

CVE-2014-0363 (OSSINDEX)

The ServerTrustManager component in the Ignite Realtime Smack XMPP API before 4.0.0-rc1 does not verify basicConstraints and nameConstraints in X.509 certificate chains from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate chain.

CWE-295 Improper Certificate Validation

CVSSv2:

Base Score: MEDIUM (5.8)
Vector: /AV:N/AC:M/Au:N/C:P/I:P/A:N

References:

OSSINDEX - [CVE-2014-0363] CWE-295: Improper Certificate Validation
OSSIndex - http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0363
OSSIndex - https://issues.igniterealtime.org/browse/SMACK-410

Vulnerable Software & Versions (OSSINDEX):

cpe:2.3:a:jivesoftware:smack:3.1.0:*:*:*:*:*:*:*

Description:

Extensions to JSR-173 StAX API.

License:

                Dual license consisting of the CDDL v1.1 and GPL v2
            : https://glassfish.dev.java.net/public/CDDL+GPL_1_1.html

File Path: /home/grprdist/.m2/repository/org/jvnet/staxex/stax-ex/1.8/stax-ex-1.8.jar
MD5: a0ebfdbc6b5a34b174a1d1f732d1bdda
SHA1: 8cc35f73da321c29973191f2cf143d29d26a1df7
SHA256:95b05d9590af4154c6513b9c5dc1fb2e55b539972ba0a9ef28e9a0c01d83ad77
Referenced In Project/Scope:Grouper Google Apps Provisioner:provided

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	stax-ex	High
Vendor	jar	package name	jvnet	Highest
Vendor	jar	package name	staxex	Highest
Vendor	Manifest	bundle-symbolicname	org.jvnet.staxex.stax-ex	Medium
Vendor	Manifest	implementation-build-id	${scmBranch}-${buildNumber}, ${timestamp}	Low
Vendor	Manifest	implementation-url	http://stax-ex.java.net/	Low
Vendor	Manifest	Implementation-Vendor-Id	org.jvnet.staxex	Medium
Vendor	Manifest	originally-created-by	Apache Maven Bundle Plugin	Low
Vendor	Manifest	require-capability	osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=9.0))"	Low
Vendor	pom	artifactid	stax-ex	Highest
Vendor	pom	artifactid	stax-ex	Low
Vendor	pom	developer email	Roman.Grigoriadi@oracle.com	Low
Vendor	pom	developer email	Zheng.Jun.Li@oracle.com	Low
Vendor	pom	developer id	bravehorsie	Medium
Vendor	pom	developer id	zhengjl	Medium
Vendor	pom	developer name	Roman Grigoriadi	Medium
Vendor	pom	developer name	Zheng Jun Li	Medium
Vendor	pom	groupid	org.jvnet.staxex	Highest
Vendor	pom	name	Extended StAX API	High
Vendor	pom	parent-artifactid	jvnet-parent	Low
Vendor	pom	parent-groupid	net.java	Medium
Vendor	pom	url	http://stax-ex.java.net/	Highest
Product	file	name	stax-ex	High
Product	jar	package name	jvnet	Highest
Product	jar	package name	staxex	Highest
Product	Manifest	Bundle-Name	Extended StAX API	Medium
Product	Manifest	bundle-symbolicname	org.jvnet.staxex.stax-ex	Medium
Product	Manifest	implementation-build-id	${scmBranch}-${buildNumber}, ${timestamp}	Low
Product	Manifest	Implementation-Title	Extended StAX API	High
Product	Manifest	implementation-url	http://stax-ex.java.net/	Low
Product	Manifest	originally-created-by	Apache Maven Bundle Plugin	Low
Product	Manifest	require-capability	osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=9.0))"	Low
Product	pom	artifactid	stax-ex	Highest
Product	pom	developer email	Roman.Grigoriadi@oracle.com	Low
Product	pom	developer email	Zheng.Jun.Li@oracle.com	Low
Product	pom	developer id	bravehorsie	Low
Product	pom	developer id	zhengjl	Low
Product	pom	developer name	Roman Grigoriadi	Low
Product	pom	developer name	Zheng Jun Li	Low
Product	pom	groupid	org.jvnet.staxex	Highest
Product	pom	name	Extended StAX API	High
Product	pom	parent-artifactid	jvnet-parent	Medium
Product	pom	parent-groupid	net.java	Medium
Product	pom	url	http://stax-ex.java.net/	Medium
Version	file	version	1.8	High
Version	Manifest	Implementation-Version	1.8	High
Version	pom	parent-version	1.8	Low
Version	pom	version	1.8	Highest

Identifiers

pkg:maven/org.jvnet.staxex/stax-ex@1.8 (Confidence:High)
cpe:2.3:a:oracle:java_se:1.8:*:*:*:*:*:*:* (Confidence:Low)

Description:

        TXW is a library that allows you to write XML documents.

File Path: /home/grprdist/.m2/repository/org/glassfish/jaxb/txw2/2.3.1/txw2-2.3.1.jar
MD5: 0fed730907ba86376ef392ee7eb42d5f
SHA1: a09d2c48d3285f206fafbffe0e50619284e92126
SHA256:34975dde1c6920f1a39791142235689bc3cd357e24d05edd8ff93b885bd68d60
Referenced In Project/Scope:Grouper Google Apps Provisioner:provided

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	txw2	High
Vendor	jar	package name	sun	Highest
Vendor	jar	package name	txw	Highest
Vendor	jar	package name	txw2	Highest
Vendor	jar	package name	xml	Highest
Vendor	jar (hint)	package name	oracle	Highest
Vendor	Manifest	git-revision	ad5fa4c697632694cbcfa80177707db908cd98b2	Low
Vendor	Manifest	Implementation-Vendor	Oracle	High
Vendor	Manifest	Implementation-Vendor-Id	com.oracle	Medium
Vendor	Manifest (hint)	Implementation-Vendor	sun	High
Vendor	pom	artifactid	txw2	Highest
Vendor	pom	artifactid	txw2	Low
Vendor	pom	groupid	org.glassfish.jaxb	Highest
Vendor	pom	name	TXW2 Runtime	High
Vendor	pom	parent-artifactid	jaxb-txw-parent	Low
Vendor	pom	parent-groupid	com.sun.xml.bind.mvn	Medium
Product	file	name	txw2	High
Product	jar	package name	sun	Highest
Product	jar	package name	txw	Highest
Product	jar	package name	txw2	Highest
Product	jar	package name	xml	Highest
Product	Manifest	git-revision	ad5fa4c697632694cbcfa80177707db908cd98b2	Low
Product	Manifest	Implementation-Title	TXW Runtime	High
Product	Manifest	specification-title	Java Architecture for XML Binding	Medium
Product	pom	artifactid	txw2	Highest
Product	pom	groupid	org.glassfish.jaxb	Highest
Product	pom	name	TXW2 Runtime	High
Product	pom	parent-artifactid	jaxb-txw-parent	Medium
Product	pom	parent-groupid	com.sun.xml.bind.mvn	Medium
Version	file	version	2.3.1	High
Version	Manifest	build-id	2.3.1	Medium
Version	Manifest	Implementation-Version	2.3.1	High
Version	Manifest	major-version	2.3.1	Medium
Version	pom	version	2.3.1	Highest

Identifiers

pkg:maven/org.glassfish.jaxb/txw2@2.3.1 (Confidence:High)

Description:

      The UnboundID LDAP SDK for Java is a fast, comprehensive, and easy-to-use
      Java API for communicating with LDAP directory servers and performing
      related tasks like reading and writing LDIF, encoding and decoding data
      using base64 and ASN.1 BER, and performing secure communication.  This
      package contains the Standard Edition of the LDAP SDK, which is a
      complete, general-purpose library for communicating with LDAPv3 directory
      servers.

License:

GNU General Public License version 2 (GPLv2): http://www.gnu.org/licenses/gpl-2.0.html
GNU Lesser General Public License version 2.1 (LGPLv2.1): http://www.gnu.org/licenses/lgpl-2.1.html
UnboundID LDAP SDK Free Use License: https://docs.ldap.com/ldap-sdk/docs/LICENSE-UnboundID-LDAPSDK.txt

File Path: /home/grprdist/.m2/repository/com/unboundid/unboundid-ldapsdk/4.0.9/unboundid-ldapsdk-4.0.9.jar
MD5: 9c4684b76cc5354f5af4796e0ae81df5
SHA1: b676202ad7b56718266fda979e280fa955792e1c
SHA256:693bc47a6d311217397f7fd78043272d8b090cec4fe1c8834b31fc9a138f8361
Referenced In Project/Scope:Grouper Google Apps Provisioner:provided

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	unboundid-ldapsdk	High
Vendor	jar	package name	ldap	Highest
Vendor	jar	package name	sdk	Highest
Vendor	jar	package name	unboundid	Highest
Vendor	Manifest	build-time	20181110015704Z	Low
Vendor	Manifest	bundle-copyright	Copyright 2008-2018 Ping Identity Corporation	Low
Vendor	Manifest	bundle-docurl	https://github.com/pingidentity/ldapsdk	Low
Vendor	Manifest	bundle-requiredexecutionenvironment	JavaSE-1.7	Low
Vendor	Manifest	bundle-symbolicname	com.unboundid.ldap.sdk	Medium
Vendor	Manifest	implementation-url	https://github.com/pingidentity/ldapsdk	Low
Vendor	Manifest	Implementation-Vendor	Ping Identity	High
Vendor	Manifest	source-path	/directory/tags/ldapsdk/ldapsdk-4.0.9	Low
Vendor	Manifest	source-revision	29290	Low
Vendor	pom	artifactid	unboundid-ldapsdk	Highest
Vendor	pom	artifactid	unboundid-ldapsdk	Low
Vendor	pom	developer email	neilwilson@pingidentity.com	Low
Vendor	pom	developer id	dirmgr	Medium
Vendor	pom	developer name	Neil Wilson	Medium
Vendor	pom	groupid	com.unboundid	Highest
Vendor	pom	name	UnboundID LDAP SDK for Java	High
Vendor	pom	organization name	Ping Identity Corporation	High
Vendor	pom	organization url	pingidentity/ldapsdk	Medium
Vendor	pom	url	pingidentity/ldapsdk	Highest
Product	file	name	unboundid-ldapsdk	High
Product	jar	package name	ldap	Highest
Product	jar	package name	sdk	Highest
Product	jar	package name	unboundid	Highest
Product	Manifest	build-time	20181110015704Z	Low
Product	Manifest	bundle-copyright	Copyright 2008-2018 Ping Identity Corporation	Low
Product	Manifest	bundle-docurl	https://github.com/pingidentity/ldapsdk	Low
Product	Manifest	Bundle-Name	UnboundID LDAP SDK for Java	Medium
Product	Manifest	bundle-requiredexecutionenvironment	JavaSE-1.7	Low
Product	Manifest	bundle-symbolicname	com.unboundid.ldap.sdk	Medium
Product	Manifest	Implementation-Title	UnboundID LDAP SDK for Java	High
Product	Manifest	implementation-url	https://github.com/pingidentity/ldapsdk	Low
Product	Manifest	source-path	/directory/tags/ldapsdk/ldapsdk-4.0.9	Low
Product	Manifest	source-revision	29290	Low
Product	pom	artifactid	unboundid-ldapsdk	Highest
Product	pom	developer email	neilwilson@pingidentity.com	Low
Product	pom	developer id	dirmgr	Low
Product	pom	developer name	Neil Wilson	Low
Product	pom	groupid	com.unboundid	Highest
Product	pom	name	UnboundID LDAP SDK for Java	High
Product	pom	organization name	Ping Identity Corporation	Low
Product	pom	url	pingidentity/ldapsdk	High
Version	file	version	4.0.9	High
Version	Manifest	Bundle-Version	4.0.9	High
Version	Manifest	Implementation-Version	4.0.9	High
Version	pom	version	4.0.9	Highest

Identifiers

pkg:maven/com.unboundid/unboundid-ldapsdk@4.0.9 (Confidence:High)
cpe:2.3:a:pingidentity:ldapsdk:4.0.9:*:*:*:*:*:*:* (Confidence:Highest)

Description:

Xerces2 provides high performance, fully compliant XML parsers in the Apache Xerces family. This new version of Xerces continues to build upon the Xerces Native Interface (XNI), a complete framework for building parser components and configurations that is extremely modular and easy to program.

The Apache Xerces2 parser is the reference implementation of XNI but other parser components, configurations, and parsers can be written using the Xerces Native Interface. For complete design and implementation documents, refer to the XNI Manual.

Xerces2 provides fully conforming XML Schema 1.0 and 1.1 processors. An experimental implementation of the "XML Schema Definition Language (XSD): Component Designators (SCD) Candidate Recommendation (January 2010)" is also provided for evaluation. For more information, refer to the XML Schema page.

Xerces2 also provides a complete implementation of the Document Object Model Level 3 Core and Load/Save W3C Recommendations and provides a complete implementation of the XML Inclusions (XInclude) W3C Recommendation. It also provides support for OASIS XML Catalogs v1.1.

Xerces2 is able to parse documents written according to the XML 1.1 Recommendation, except that it does not yet provide an option to enable normalization checking as described in section 2.13 of this specification. It also handles namespaces according to the XML Namespaces 1.1 Recommendation, and will correctly serialize XML 1.1 documents if the DOM level 3 load/save APIs are in use.

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt

File Path: /home/grprdist/.m2/repository/xerces/xercesImpl/2.12.2/xercesImpl-2.12.2.jar
MD5: 40e4f2d5aacfbf51a9a1572d77a0e5e9
SHA1: f051f988aa2c9b4d25d05f95742ab0cc3ed789e2
SHA256:6fc991829af1708d15aea50c66f0beadcd2cfeb6968e0b2f55c1b0909883fe16
Referenced In Project/Scope:Grouper Google Apps Provisioner:provided

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	xercesImpl	High
Vendor	jar	package name	apache	Highest
Vendor	jar	package name	dom	Highest
Vendor	jar	package name	parsers	Highest
Vendor	jar	package name	serialize	Highest
Vendor	jar	package name	version	Highest
Vendor	jar	package name	w3c	Highest
Vendor	jar	package name	xerces	Highest
Vendor	jar	package name	xinclude	Highest
Vendor	jar	package name	xml	Highest
Vendor	jar	package name	xni	Highest
Vendor	manifest: javax/xml/datatype/	Implementation-Vendor	Apache Software Foundation	Medium
Vendor	manifest: javax/xml/namespace/	Implementation-Vendor	Apache Software Foundation	Medium
Vendor	manifest: javax/xml/parsers/	Implementation-Vendor	Apache Software Foundation	Medium
Vendor	manifest: javax/xml/stream/	Implementation-Vendor	Apache Software Foundation	Medium
Vendor	manifest: javax/xml/transform/	Implementation-Vendor	Apache Software Foundation	Medium
Vendor	manifest: javax/xml/validation/	Implementation-Vendor	Apache Software Foundation	Medium
Vendor	manifest: javax/xml/xpath/	Implementation-Vendor	Apache Software Foundation	Medium
Vendor	manifest: org/apache/xerces/impl/	Implementation-Vendor	Apache Software Foundation	Medium
Vendor	manifest: org/apache/xerces/xni/	Implementation-Vendor	Apache Software Foundation	Medium
Vendor	manifest: org/w3c/dom/	Implementation-Vendor	World Wide Web Consortium	Medium
Vendor	manifest: org/w3c/dom/ls/	Implementation-Vendor	World Wide Web Consortium	Medium
Vendor	manifest: org/xml/sax/	Implementation-Vendor	David Megginson	Medium
Vendor	pom	artifactid	xercesImpl	Highest
Vendor	pom	artifactid	xercesImpl	Low
Vendor	pom	developer email	j-dev@xerces.apache.org	Low
Vendor	pom	developer id	xerces	Medium
Vendor	pom	developer name	Apache Software Foundation	Medium
Vendor	pom	developer org	Apache Software Foundation	Medium
Vendor	pom	developer org URL	http://www.apache.org	Medium
Vendor	pom	groupid	xerces	Highest
Vendor	pom	name	Xerces2-j	High
Vendor	pom	url	https://xerces.apache.org/xerces2-j/	Highest
Product	file	name	xercesImpl	High
Product	hint analyzer	product	xerces-j	Highest
Product	jar	package name	apache	Highest
Product	jar	package name	datatype	Highest
Product	jar	package name	dom	Highest
Product	jar	package name	impl	Highest
Product	jar	package name	parsers	Highest
Product	jar	package name	serialize	Highest
Product	jar	package name	validation	Highest
Product	jar	package name	version	Highest
Product	jar	package name	w3c	Highest
Product	jar	package name	xerces	Highest
Product	jar	package name	xinclude	Highest
Product	jar	package name	xml	Highest
Product	jar	package name	xni	Highest
Product	jar	package name	xpath	Highest
Product	manifest: javax/xml/datatype/	Implementation-Title	javax.xml.datatype	Medium
Product	manifest: javax/xml/datatype/	Specification-Title	Java API for XML Processing	Medium
Product	manifest: javax/xml/namespace/	Implementation-Title	javax.xml.namespace	Medium
Product	manifest: javax/xml/namespace/	Specification-Title	Java API for XML Processing	Medium
Product	manifest: javax/xml/parsers/	Implementation-Title	javax.xml.parsers	Medium
Product	manifest: javax/xml/parsers/	Specification-Title	Java API for XML Processing	Medium
Product	manifest: javax/xml/stream/	Implementation-Title	javax.xml.stream	Medium
Product	manifest: javax/xml/stream/	Specification-Title	Streaming API for XML	Medium
Product	manifest: javax/xml/transform/	Implementation-Title	javax.xml.transform	Medium
Product	manifest: javax/xml/transform/	Specification-Title	Java API for XML Processing	Medium
Product	manifest: javax/xml/validation/	Implementation-Title	javax.xml.validation	Medium
Product	manifest: javax/xml/validation/	Specification-Title	Java API for XML Processing	Medium
Product	manifest: javax/xml/xpath/	Implementation-Title	javax.xml.xpath	Medium
Product	manifest: javax/xml/xpath/	Specification-Title	Java API for XML Processing	Medium
Product	manifest: org/apache/xerces/impl/	Implementation-Title	org.apache.xerces.impl.Version	Medium
Product	manifest: org/apache/xerces/xni/	Implementation-Title	org.apache.xerces.xni	Medium
Product	manifest: org/apache/xerces/xni/	Specification-Title	Xerces Native Interface	Medium
Product	manifest: org/w3c/dom/	Implementation-Title	org.w3c.dom	Medium
Product	manifest: org/w3c/dom/	Specification-Title	Document Object Model, Level 3 Core	Medium
Product	manifest: org/w3c/dom/ls/	Implementation-Title	org.w3c.dom.ls	Medium
Product	manifest: org/w3c/dom/ls/	Specification-Title	Document Object Model, Level 3 Load and Save	Medium
Product	manifest: org/xml/sax/	Implementation-Title	org.xml.sax	Medium
Product	manifest: org/xml/sax/	Specification-Title	Simple API for XML	Medium
Product	pom	artifactid	xercesImpl	Highest
Product	pom	developer email	j-dev@xerces.apache.org	Low
Product	pom	developer id	xerces	Low
Product	pom	developer name	Apache Software Foundation	Low
Product	pom	developer org	Apache Software Foundation	Low
Product	pom	developer org URL	http://www.apache.org	Low
Product	pom	groupid	xerces	Highest
Product	pom	name	Xerces2-j	High
Product	pom	url	https://xerces.apache.org/xerces2-j/	Medium
Version	file	version	2.12.2	High
Version	manifest: org/apache/xerces/impl/	Implementation-Version	2.12.2	Medium
Version	pom	version	2.12.2	Highest

Identifiers

pkg:maven/xerces/xercesImpl@2.12.2 (Confidence:High)
cpe:2.3:a:apache:xerces-j:2.12.2:*:*:*:*:*:*:* (Confidence:Low)
cpe:2.3:a:apache:xerces2_java:2.12.2:*:*:*:*:*:*:* (Confidence:Low)

Published Vulnerabilities

CVE-2017-10355 (OSSINDEX)

sonatype-2017-0348 - xerces:xercesImpl - Denial of Service (DoS)

The software contains multiple threads or executable segments that are waiting for each other to release a necessary lock, resulting in deadlock.

CWE-833 Deadlock

CVSSv3:

Base Score: MEDIUM (5.9)
Vector: CVSS:/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

References:

OSSINDEX - [CVE-2017-10355] CWE-833: Deadlock
OSSIndex - https://blogs.securiteam.com/index.php/archives/3271

Vulnerable Software & Versions (OSSINDEX):

cpe:2.3:a:xerces:xercesImpl:2.12.2:*:*:*:*:*:*:*

License:

Public Domain: http://www.xmlpull.org/v1/download/unpacked/LICENSE.txt

File Path: /home/grprdist/.m2/repository/xmlpull/xmlpull/1.1.3.1/xmlpull-1.1.3.1.jar
MD5: cc57dacc720eca721a50e78934b822d2
SHA1: 2b8e230d2ab644e4ecaa94db7cdedbc40c805dfa
SHA256:34e08ee62116071cbb69c0ed70d15a7a5b208d62798c59f2120bb8929324cb63
Referenced In Project/Scope:Grouper Google Apps Provisioner:provided

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	xmlpull	High
Vendor	jar	package name	v1	Low
Vendor	jar	package name	xmlpull	Highest
Vendor	jar	package name	xmlpull	Low
Vendor	pom	artifactid	xmlpull	Highest
Vendor	pom	artifactid	xmlpull	Low
Vendor	pom	groupid	xmlpull	Highest
Vendor	pom	name	XML Pull Parsing API	High
Vendor	pom	url	http://www.xmlpull.org	Highest
Product	file	name	xmlpull	High
Product	jar	package name	v1	Low
Product	jar	package name	xmlpull	Highest
Product	pom	artifactid	xmlpull	Highest
Product	pom	groupid	xmlpull	Highest
Product	pom	name	XML Pull Parsing API	High
Product	pom	url	http://www.xmlpull.org	Medium
Version	file	version	1.1.3.1	High
Version	pom	version	1.1.3.1	Highest

Identifiers

pkg:maven/xmlpull/xmlpull@1.1.3.1 (Confidence:High)

Description:

XStream is a serialization library from Java objects to XML and back.

License:

BSD-3-Clause

File Path: /home/grprdist/.m2/repository/com/thoughtworks/xstream/xstream/1.4.20/xstream-1.4.20.jar
MD5: 1e816f33b1eb780a309789478051faeb
SHA1: 0e2315b8b2e95e9f21697833c8e56cdd9c98a5ee
SHA256:87df0f0be57c92037d0110fbb225a30b651702dc275653d285afcfef31bc2e81
Referenced In Project/Scope:Grouper Google Apps Provisioner:provided

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	xstream	High
Vendor	jar	package name	core	Highest
Vendor	jar	package name	thoughtworks	Highest
Vendor	jar	package name	xstream	Highest
Vendor	Manifest	bundle-docurl	http://x-stream.github.io	Low
Vendor	Manifest	bundle-symbolicname	xstream	Medium
Vendor	Manifest	Implementation-Vendor	XStream	High
Vendor	Manifest	Implementation-Vendor-Id	com.thoughtworks.xstream	Medium
Vendor	Manifest	java_1_4_home	/opt/blackdown-jdk-1.4.2.03	Low
Vendor	Manifest	java_1_5_home	/opt/sun-jdk-1.5.0.22	Low
Vendor	Manifest	java_1_6_home	/opt/sun-jdk-1.6.0.45	Low
Vendor	Manifest	java_1_7_home	/opt/oracle-jdk-bin-1.7.0.80	Low
Vendor	Manifest	java_1_8_home	/opt/oracle-jdk-bin-1.8.0.202	Low
Vendor	Manifest	java_9_home	/opt/oracle-jdk-bin-9.0.4	Low
Vendor	Manifest	specification-vendor	XStream	Low
Vendor	Manifest	x-build-os	Linux	Low
Vendor	Manifest	x-build-time	2022-12-23T23:21:05Z	Low
Vendor	Manifest	x-builder	Maven 3.8.6	Low
Vendor	Manifest	x-compile-source	1.4	Low
Vendor	Manifest	x-compile-target	1.4	Low
Vendor	pom	artifactid	xstream	Highest
Vendor	pom	artifactid	xstream	Low
Vendor	pom	groupid	com.thoughtworks.xstream	Highest
Vendor	pom	name	XStream Core	High
Vendor	pom	parent-artifactid	xstream-parent	Low
Product	file	name	xstream	High
Product	jar	package name	core	Highest
Product	jar	package name	io	Highest
Product	jar	package name	thoughtworks	Highest
Product	jar	package name	xml	Highest
Product	jar	package name	xstream	Highest
Product	Manifest	bundle-docurl	http://x-stream.github.io	Low
Product	Manifest	Bundle-Name	XStream Core	Medium
Product	Manifest	bundle-symbolicname	xstream	Medium
Product	Manifest	Implementation-Title	XStream Core	High
Product	Manifest	java_1_4_home	/opt/blackdown-jdk-1.4.2.03	Low
Product	Manifest	java_1_5_home	/opt/sun-jdk-1.5.0.22	Low
Product	Manifest	java_1_6_home	/opt/sun-jdk-1.6.0.45	Low
Product	Manifest	java_1_7_home	/opt/oracle-jdk-bin-1.7.0.80	Low
Product	Manifest	java_1_8_home	/opt/oracle-jdk-bin-1.8.0.202	Low
Product	Manifest	java_9_home	/opt/oracle-jdk-bin-9.0.4	Low
Product	Manifest	specification-title	XStream Core	Medium
Product	Manifest	x-build-os	Linux	Low
Product	Manifest	x-build-time	2022-12-23T23:21:05Z	Low
Product	Manifest	x-builder	Maven 3.8.6	Low
Product	Manifest	x-compile-source	1.4	Low
Product	Manifest	x-compile-target	1.4	Low
Product	pom	artifactid	xstream	Highest
Product	pom	groupid	com.thoughtworks.xstream	Highest
Product	pom	name	XStream Core	High
Product	pom	parent-artifactid	xstream-parent	Medium
Version	file	version	1.4.20	High
Version	Manifest	Bundle-Version	1.4.20	High
Version	Manifest	Implementation-Version	1.4.20	High
Version	pom	version	1.4.20	Highest

Identifiers

pkg:maven/com.thoughtworks.xstream/xstream@1.4.20 (Confidence:High)
cpe:2.3:a:xstream_project:xstream:1.4.20:*:*:*:*:*:*:* (Confidence:Highest)

How to read the report | Suppressing false positives | Getting Help: github issues Sponsor

Project: Grouper Google Apps Provisioner

edu.internet2.middleware.grouper:google-apps-provisioner:4.0.0-SNAPSHOT

Summary

Dependencies

FastInfoset-1.2.15.jar

Evidence

Identifiers

accessors-smart-2.4.8.jar

Evidence

Identifiers

activation-1.1.1.jar

Evidence

Identifiers

amqp-client-4.12.0.jar

Evidence

Identifiers

animal-sniffer-annotations-1.9.jar

Evidence

Identifiers

ant-1.10.12.jar

Evidence

Related Dependencies

Identifiers

antlr-2.7.7.jar

Evidence

Identifiers

asm-7.1.jar

Evidence

Identifiers

aws-java-sdk-core-1.12.267.jar

Evidence

Related Dependencies

Identifiers

backport-util-concurrent-3.1.jar

Evidence

Identifiers

bcpkix-jdk18on-1.72.jar

Evidence

Identifiers

bcprov-jdk18on-1.72.jar

Evidence

Identifiers

Published Vulnerabilities

bcutil-jdk18on-1.72.jar

Evidence

Identifiers

bsh-2.0b5.jar

Evidence

Identifiers

Published Vulnerabilities

byte-buddy-1.12.9.jar (shaded: net.bytebuddy:byte-buddy-dep:1.12.9)

Evidence

Identifiers

byte-buddy-1.12.9.jar

Evidence

Identifiers

c3p0-0.9.5.4.jar

Evidence

Identifiers

c3p0-oracle-thin-extras-0.9.5.jar

Evidence

Identifiers

Published Vulnerabilities

cglib-3.3.0.jar

Evidence

Identifiers

checker-qual-3.5.0.jar

Evidence

Identifiers

classmate-1.5.1.jar

Evidence

Identifiers

commons-beanutils-1.9.4.jar

Evidence

Identifiers

Published Vulnerabilities

commons-cli-1.4.jar

Evidence

Identifiers

How to read the report | Suppressing false positives | Getting Help: github issues

Sponsor