Dependency-Check Report

Dependency-Check is an open source tool performing a best effort analysis of 3rd party dependencies; false positives and false negatives may exist in the analysis performed by the tool. Use of the tool and the reporting provided constitutes acceptance for use in an AS IS condition, and there are NO warranties, implied or otherwise, with regard to the analysis or its use. Any use of the tool and the reporting provided is at the user’s risk. In no event shall the copyright holder or OWASP be held liable for any damages whatsoever arising out of or in connection with the use of this tool, the analysis performed, or the resulting report.

Scan Information (show all):

dependency-check version: 7.1.2
Report Generated On: Wed, 18 Jun 2025 11:32:29 GMT
Dependencies Scanned: 11 (10 unique)
Vulnerable Dependencies: 4
Vulnerabilities Found: 5
Vulnerabilities Suppressed: 0
...
CurrentEngineRelease: 12.1.0
NVD CVE Checked: 2025-06-18T11:25:28
NVD CVE Modified: 2025-06-18T10:00:02
VersionCheckOn: 2025-06-18T11:25:28

Summary

Display: Showing Vulnerable Dependencies (click to show all)

Dependency	Vulnerability IDs	Package	Highest Severity	CVE Count	Confidence	Evidence Count
commons-codec-1.15.jar	cpe:2.3:a:apache:commons_net:1.15:::::::*	pkg:maven/commons-codec/commons-codec@1.15	MEDIUM	1	Highest	110
commons-jexl-2.1.1.jar	cpe:2.3:a:apache:commons_net:2.1.1:::::::*	pkg:maven/org.apache.commons/commons-jexl@2.1.1	MEDIUM	1	Highest	90
commons-lang3-3.12.0.jar	cpe:2.3:a:apache:commons_net:3.12.0:::::::*	pkg:maven/org.apache.commons/commons-lang3@3.12.0		0	Highest	141
commons-logging-1.2.jar	cpe:2.3:a:apache:commons_net:1.2:::::::*	pkg:maven/commons-logging/commons-logging@1.2	MEDIUM	1	Highest	117
httpclient-4.5.13.jar	cpe:2.3:a:apache:httpclient:4.5.13:::::::*	pkg:maven/org.apache.httpcomponents/httpclient@4.5.13		0	Highest	32
httpcore-4.4.14.jar		pkg:maven/org.apache.httpcomponents/httpcore@4.4.14		0		32
jackson-annotations-2.18.2.jar	cpe:2.3:a:fasterxml:jackson-modules-java8:2.18.2:::::::*	pkg:maven/com.fasterxml.jackson.core/jackson-annotations@2.18.2		0	Low	40
jackson-core-2.18.2.jar	cpe:2.3:a:fasterxml:jackson-modules-java8:2.18.2:::::::* cpe:2.3:a:json-java_project:json-java:2.18.2:::::::*	pkg:maven/com.fasterxml.jackson.core/jackson-core@2.18.2	HIGH	2	Low	51
jackson-databind-2.18.2.jar	cpe:2.3:a:fasterxml:jackson-databind:2.18.2:::::::* cpe:2.3:a:fasterxml:jackson-modules-java8:2.18.2:::::::*	pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.18.2		0	Highest	43
log4j-core-2.17.1.jar	cpe:2.3:a:apache:log4j:2.17.1:::::::*	pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1		0	Highest	50

Dependencies

commons-codec-1.15.jar

Description:

     The Apache Commons Codec package contains simple encoder and decoders for
     various formats such as Base64 and Hexadecimal.  In addition to these
     widely used encoders and decoders, the codec package also maintains a
     collection of phonetic encoding utilities.

License:

https://www.apache.org/licenses/LICENSE-2.0.txt

File Path: /home/grprdist/.m2/repository/commons-codec/commons-codec/1.15/commons-codec-1.15.jar
MD5: 303baf002ce6d382198090aedd9d79a2
SHA1: 49d94806b6e3dc933dacbd8acb0fdbab8ebd1e5d
SHA256:b3e9f6d63a790109bf0d056611fbed1cf69055826defeb9894a71369d246ed63
Referenced In Project/Scope:Grouper Client:compile

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	commons-codec	High
Vendor	jar	package name	apache	Highest
Vendor	jar	package name	codec	Highest
Vendor	jar	package name	commons	Highest
Vendor	jar	package name	encoder	Highest
Vendor	Manifest	automatic-module-name	org.apache.commons.codec	Medium
Vendor	Manifest	build-jdk-spec	1.8	Low
Vendor	Manifest	bundle-docurl	https://commons.apache.org/proper/commons-codec/	Low
Vendor	Manifest	bundle-symbolicname	org.apache.commons.commons-codec	Medium
Vendor	Manifest	Implementation-Vendor	The Apache Software Foundation	High
Vendor	Manifest	require-capability	osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.7))"	Low
Vendor	Manifest	specification-vendor	The Apache Software Foundation	Low
Vendor	pom	artifactid	commons-codec	Highest
Vendor	pom	artifactid	commons-codec	Low
Vendor	pom	developer email	bayard@apache.org	Low
Vendor	pom	developer email	chtompki@apache.org	Low
Vendor	pom	developer email	dgraham@apache.org	Low
Vendor	pom	developer email	dlr@finemaltcoding.com	Low
Vendor	pom	developer email	ggregory@apache.org	Low
Vendor	pom	developer email	jon@collab.net	Low
Vendor	pom	developer email	julius@apache.org	Low
Vendor	pom	developer email	rwaldhoff@apache.org	Low
Vendor	pom	developer email	sanders@totalsync.com	Low
Vendor	pom	developer email	tn@apache.org	Low
Vendor	pom	developer email	tobrien@apache.org	Low
Vendor	pom	developer id	bayard	Medium
Vendor	pom	developer id	chtompki	Medium
Vendor	pom	developer id	dgraham	Medium
Vendor	pom	developer id	dlr	Medium
Vendor	pom	developer id	ggregory	Medium
Vendor	pom	developer id	jon	Medium
Vendor	pom	developer id	julius	Medium
Vendor	pom	developer id	rwaldhoff	Medium
Vendor	pom	developer id	sanders	Medium
Vendor	pom	developer id	tn	Medium
Vendor	pom	developer id	tobrien	Medium
Vendor	pom	developer name	Daniel Rall	Medium
Vendor	pom	developer name	David Graham	Medium
Vendor	pom	developer name	Gary Gregory	Medium
Vendor	pom	developer name	Henri Yandell	Medium
Vendor	pom	developer name	Jon S. Stevens	Medium
Vendor	pom	developer name	Julius Davies	Medium
Vendor	pom	developer name	Rob Tompkins	Medium
Vendor	pom	developer name	Rodney Waldhoff	Medium
Vendor	pom	developer name	Scott Sanders	Medium
Vendor	pom	developer name	Thomas Neidhart	Medium
Vendor	pom	developer name	Tim OBrien	Medium
Vendor	pom	developer org URL	http://juliusdavies.ca/	Medium
Vendor	pom	groupid	commons-codec	Highest
Vendor	pom	name	Apache Commons Codec	High
Vendor	pom	parent-artifactid	commons-parent	Low
Vendor	pom	parent-groupid	org.apache.commons	Medium
Vendor	pom	url	https://commons.apache.org/proper/commons-codec/	Highest
Product	file	name	commons-codec	High
Product	jar	package name	apache	Highest
Product	jar	package name	codec	Highest
Product	jar	package name	commons	Highest
Product	jar	package name	encoder	Highest
Product	Manifest	automatic-module-name	org.apache.commons.codec	Medium
Product	Manifest	build-jdk-spec	1.8	Low
Product	Manifest	bundle-docurl	https://commons.apache.org/proper/commons-codec/	Low
Product	Manifest	Bundle-Name	Apache Commons Codec	Medium
Product	Manifest	bundle-symbolicname	org.apache.commons.commons-codec	Medium
Product	Manifest	Implementation-Title	Apache Commons Codec	High
Product	Manifest	require-capability	osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.7))"	Low
Product	Manifest	specification-title	Apache Commons Codec	Medium
Product	pom	artifactid	commons-codec	Highest
Product	pom	developer email	bayard@apache.org	Low
Product	pom	developer email	chtompki@apache.org	Low
Product	pom	developer email	dgraham@apache.org	Low
Product	pom	developer email	dlr@finemaltcoding.com	Low
Product	pom	developer email	ggregory@apache.org	Low
Product	pom	developer email	jon@collab.net	Low
Product	pom	developer email	julius@apache.org	Low
Product	pom	developer email	rwaldhoff@apache.org	Low
Product	pom	developer email	sanders@totalsync.com	Low
Product	pom	developer email	tn@apache.org	Low
Product	pom	developer email	tobrien@apache.org	Low
Product	pom	developer id	bayard	Low
Product	pom	developer id	chtompki	Low
Product	pom	developer id	dgraham	Low
Product	pom	developer id	dlr	Low
Product	pom	developer id	ggregory	Low
Product	pom	developer id	jon	Low
Product	pom	developer id	julius	Low
Product	pom	developer id	rwaldhoff	Low
Product	pom	developer id	sanders	Low
Product	pom	developer id	tn	Low
Product	pom	developer id	tobrien	Low
Product	pom	developer name	Daniel Rall	Low
Product	pom	developer name	David Graham	Low
Product	pom	developer name	Gary Gregory	Low
Product	pom	developer name	Henri Yandell	Low
Product	pom	developer name	Jon S. Stevens	Low
Product	pom	developer name	Julius Davies	Low
Product	pom	developer name	Rob Tompkins	Low
Product	pom	developer name	Rodney Waldhoff	Low
Product	pom	developer name	Scott Sanders	Low
Product	pom	developer name	Thomas Neidhart	Low
Product	pom	developer name	Tim OBrien	Low
Product	pom	developer org URL	http://juliusdavies.ca/	Low
Product	pom	groupid	commons-codec	Highest
Product	pom	name	Apache Commons Codec	High
Product	pom	parent-artifactid	commons-parent	Medium
Product	pom	parent-groupid	org.apache.commons	Medium
Product	pom	url	https://commons.apache.org/proper/commons-codec/	Medium
Version	file	version	1.15	High
Version	Manifest	Implementation-Version	1.15	High
Version	pom	parent-version	1.15	Low
Version	pom	version	1.15	Highest

Identifiers

pkg:maven/commons-codec/commons-codec@1.15 (Confidence:High)
cpe:2.3:a:apache:commons_net:1.15:*:*:*:*:*:*:* (Confidence:Highest)

Published Vulnerabilities

CVE-2021-37533

Prior to Apache Commons Net 3.9.0, Net's FTP client trusts the host from PASV response by default. A malicious server can redirect the Commons Net code to use a different host, but the user has to connect to the malicious server in the first place. This may lead to leakage of information about services running on the private network of the client. The default in version 3.9.0 is now false to ignore such hosts, as cURL does. See https://issues.apache.org/jira/browse/NET-711.

CVSSv3:

Base Score: MEDIUM (6.5)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

References:

Vulnerable Software & Versions:

cpe:2.3:a:apache:commons_net:*:*:*:*:*:*:*:* versions up to (excluding) 3.9.0

commons-jexl-2.1.1.jar

Description:

The Commons Jexl library is an implementation of the JSTL Expression Language with extensions.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt

File Path: /home/grprdist/.m2/repository/org/apache/commons/commons-jexl/2.1.1/commons-jexl-2.1.1.jar
MD5: 4ad8f5c161dd3a50e190334555675db9
SHA1: 6ecc181debade00230aa1e17666c4ea0371beaaa
SHA256:03c9a9fae5da78ce52c0bf24467cc37355b7e23196dff4839e2c0ff018a01306
Referenced In Project/Scope:Grouper Client:compile

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	commons-jexl	High
Vendor	jar	package name	apache	Highest
Vendor	jar	package name	commons	Highest
Vendor	jar	package name	expression	Highest
Vendor	Manifest	bundle-docurl	http://commons.apache.org/jexl/	Low
Vendor	Manifest	bundle-symbolicname	org.apache.commons.jexl	Medium
Vendor	Manifest	implementation-build	COMMONS_JEXL_2_1_1-RC1@r1220732; 2011-12-19 14:53:11+0000	Low
Vendor	Manifest	Implementation-Vendor	The Apache Software Foundation	High
Vendor	Manifest	Implementation-Vendor-Id	org.apache	Medium
Vendor	Manifest	specification-vendor	The Apache Software Foundation	Low
Vendor	pom	artifactid	commons-jexl	Highest
Vendor	pom	artifactid	commons-jexl	Low
Vendor	pom	developer email	dion AT apache DOT org	Low
Vendor	pom	developer email	geirm AT apache DOT org	Low
Vendor	pom	developer email	henrib AT apache DOT org	Low
Vendor	pom	developer email	jstrachan AT apache DOT org	Low
Vendor	pom	developer email	proyal AT apache DOT org	Low
Vendor	pom	developer email	rahul AT apache DOT org	Low
Vendor	pom	developer email	sebb AT apache DOT org	Low
Vendor	pom	developer email	tobrien AT apache DOT org	Low
Vendor	pom	developer id	dion	Medium
Vendor	pom	developer id	geirm	Medium
Vendor	pom	developer id	henrib	Medium
Vendor	pom	developer id	jstrachan	Medium
Vendor	pom	developer id	proyal	Medium
Vendor	pom	developer id	rahul	Medium
Vendor	pom	developer id	sebb	Medium
Vendor	pom	developer id	tobrien	Medium
Vendor	pom	developer name	dIon Gillard	Medium
Vendor	pom	developer name	Geir Magnusson Jr.	Medium
Vendor	pom	developer name	Henri Biestro	Medium
Vendor	pom	developer name	James Strachan	Medium
Vendor	pom	developer name	Peter Royal	Medium
Vendor	pom	developer name	Rahul Akolkar	Medium
Vendor	pom	developer name	Sebastian Bazley	Medium
Vendor	pom	developer name	Tim O'Brien	Medium
Vendor	pom	developer org	Apache Software Foundation	Medium
Vendor	pom	developer org	independent	Medium
Vendor	pom	developer org	SpiritSoft, Inc.	Medium
Vendor	pom	groupid	org.apache.commons	Highest
Vendor	pom	name	Commons JEXL	High
Vendor	pom	parent-artifactid	commons-parent	Low
Vendor	pom	url	http://commons.apache.org/jexl/	Highest
Product	file	name	commons-jexl	High
Product	jar	package name	apache	Highest
Product	jar	package name	commons	Highest
Product	jar	package name	expression	Highest
Product	Manifest	bundle-docurl	http://commons.apache.org/jexl/	Low
Product	Manifest	Bundle-Name	Commons JEXL	Medium
Product	Manifest	bundle-symbolicname	org.apache.commons.jexl	Medium
Product	Manifest	implementation-build	COMMONS_JEXL_2_1_1-RC1@r1220732; 2011-12-19 14:53:11+0000	Low
Product	Manifest	Implementation-Title	Commons JEXL	High
Product	Manifest	specification-title	Commons JEXL	Medium
Product	pom	artifactid	commons-jexl	Highest
Product	pom	developer email	dion AT apache DOT org	Low
Product	pom	developer email	geirm AT apache DOT org	Low
Product	pom	developer email	henrib AT apache DOT org	Low
Product	pom	developer email	jstrachan AT apache DOT org	Low
Product	pom	developer email	proyal AT apache DOT org	Low
Product	pom	developer email	rahul AT apache DOT org	Low
Product	pom	developer email	sebb AT apache DOT org	Low
Product	pom	developer email	tobrien AT apache DOT org	Low
Product	pom	developer id	dion	Low
Product	pom	developer id	geirm	Low
Product	pom	developer id	henrib	Low
Product	pom	developer id	jstrachan	Low
Product	pom	developer id	proyal	Low
Product	pom	developer id	rahul	Low
Product	pom	developer id	sebb	Low
Product	pom	developer id	tobrien	Low
Product	pom	developer name	dIon Gillard	Low
Product	pom	developer name	Geir Magnusson Jr.	Low
Product	pom	developer name	Henri Biestro	Low
Product	pom	developer name	James Strachan	Low
Product	pom	developer name	Peter Royal	Low
Product	pom	developer name	Rahul Akolkar	Low
Product	pom	developer name	Sebastian Bazley	Low
Product	pom	developer name	Tim O'Brien	Low
Product	pom	developer org	Apache Software Foundation	Low
Product	pom	developer org	independent	Low
Product	pom	developer org	SpiritSoft, Inc.	Low
Product	pom	groupid	org.apache.commons	Highest
Product	pom	name	Commons JEXL	High
Product	pom	parent-artifactid	commons-parent	Medium
Product	pom	url	http://commons.apache.org/jexl/	Medium
Version	file	version	2.1.1	High
Version	Manifest	Bundle-Version	2.1.1	High
Version	Manifest	Implementation-Version	2.1.1	High
Version	pom	parent-version	2.1.1	Low
Version	pom	version	2.1.1	Highest

Identifiers

pkg:maven/org.apache.commons/commons-jexl@2.1.1 (Confidence:High)
cpe:2.3:a:apache:commons_net:2.1.1:*:*:*:*:*:*:* (Confidence:Highest)

Published Vulnerabilities

CVE-2021-37533

Prior to Apache Commons Net 3.9.0, Net's FTP client trusts the host from PASV response by default. A malicious server can redirect the Commons Net code to use a different host, but the user has to connect to the malicious server in the first place. This may lead to leakage of information about services running on the private network of the client. The default in version 3.9.0 is now false to ignore such hosts, as cURL does. See https://issues.apache.org/jira/browse/NET-711.

CVSSv3:

Base Score: MEDIUM (6.5)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

References:

Vulnerable Software & Versions:

cpe:2.3:a:apache:commons_net:*:*:*:*:*:*:*:* versions up to (excluding) 3.9.0

commons-lang3-3.12.0.jar

Description:

  Apache Commons Lang, a package of Java utility classes for the
  classes that are in java.lang's hierarchy, or are considered to be so
  standard as to justify existence in java.lang.

License:

https://www.apache.org/licenses/LICENSE-2.0.txt

File Path: /home/grprdist/.m2/repository/org/apache/commons/commons-lang3/3.12.0/commons-lang3-3.12.0.jar
MD5: 19fe50567358922bdad277959ea69545
SHA1: c6842c86792ff03b9f1d1fe2aab8dc23aa6c6f0e
SHA256:d919d904486c037f8d193412da0c92e22a9fa24230b9d67a57855c5c31c7e94e
Referenced In Project/Scope:Grouper Client:compile

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	commons-lang3	High
Vendor	jar	package name	apache	Highest
Vendor	jar	package name	commons	Highest
Vendor	jar	package name	lang3	Highest
Vendor	Manifest	automatic-module-name	org.apache.commons.lang3	Medium
Vendor	Manifest	build-jdk-spec	1.8	Low
Vendor	Manifest	bundle-docurl	https://commons.apache.org/proper/commons-lang/	Low
Vendor	Manifest	bundle-symbolicname	org.apache.commons.lang3	Medium
Vendor	Manifest	Implementation-Vendor	The Apache Software Foundation	High
Vendor	Manifest	require-capability	osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))"	Low
Vendor	Manifest	specification-vendor	The Apache Software Foundation	Low
Vendor	pom	artifactid	commons-lang3	Highest
Vendor	pom	artifactid	commons-lang3	Low
Vendor	pom	developer email	bayard@apache.org	Low
Vendor	pom	developer email	britter@apache.org	Low
Vendor	pom	developer email	chtompki@apache.org	Low
Vendor	pom	developer email	djones@apache.org	Low
Vendor	pom	developer email	dlr@finemaltcoding.com	Low
Vendor	pom	developer email	ggregory@apache.org	Low
Vendor	pom	developer email	jcarman@apache.org	Low
Vendor	pom	developer email	joerg.schaible@gmx.de	Low
Vendor	pom	developer email	lguibert@apache.org	Low
Vendor	pom	developer email	oheger@apache.org	Low
Vendor	pom	developer email	pbenedict@apache.org	Low
Vendor	pom	developer email	rdonkin@apache.org	Low
Vendor	pom	developer email	scolebourne@joda.org	Low
Vendor	pom	developer email	stevencaswell@apache.org	Low
Vendor	pom	developer id	bayard	Medium
Vendor	pom	developer id	britter	Medium
Vendor	pom	developer id	chtompki	Medium
Vendor	pom	developer id	djones	Medium
Vendor	pom	developer id	dlr	Medium
Vendor	pom	developer id	fredrik	Medium
Vendor	pom	developer id	ggregory	Medium
Vendor	pom	developer id	jcarman	Medium
Vendor	pom	developer id	joehni	Medium
Vendor	pom	developer id	lguibert	Medium
Vendor	pom	developer id	mbenson	Medium
Vendor	pom	developer id	niallp	Medium
Vendor	pom	developer id	oheger	Medium
Vendor	pom	developer id	pbenedict	Medium
Vendor	pom	developer id	rdonkin	Medium
Vendor	pom	developer id	scaswell	Medium
Vendor	pom	developer id	scolebourne	Medium
Vendor	pom	developer name	Benedikt Ritter	Medium
Vendor	pom	developer name	Daniel Rall	Medium
Vendor	pom	developer name	Duncan Jones	Medium
Vendor	pom	developer name	Fredrik Westermarck	Medium
Vendor	pom	developer name	Gary D. Gregory	Medium
Vendor	pom	developer name	Henri Yandell	Medium
Vendor	pom	developer name	James Carman	Medium
Vendor	pom	developer name	Joerg Schaible	Medium
Vendor	pom	developer name	Loic Guibert	Medium
Vendor	pom	developer name	Matt Benson	Medium
Vendor	pom	developer name	Niall Pemberton	Medium
Vendor	pom	developer name	Oliver Heger	Medium
Vendor	pom	developer name	Paul Benedict	Medium
Vendor	pom	developer name	Rob Tompkins	Medium
Vendor	pom	developer name	Robert Burrell Donkin	Medium
Vendor	pom	developer name	Stephen Colebourne	Medium
Vendor	pom	developer name	Steven Caswell	Medium
Vendor	pom	developer org	Carman Consulting, Inc.	Medium
Vendor	pom	developer org	CollabNet, Inc.	Medium
Vendor	pom	developer org	SITA ATS Ltd	Medium
Vendor	pom	groupid	org.apache.commons	Highest
Vendor	pom	name	Apache Commons Lang	High
Vendor	pom	parent-artifactid	commons-parent	Low
Vendor	pom	url	https://commons.apache.org/proper/commons-lang/	Highest
Product	file	name	commons-lang3	High
Product	jar	package name	apache	Highest
Product	jar	package name	commons	Highest
Product	jar	package name	lang3	Highest
Product	Manifest	automatic-module-name	org.apache.commons.lang3	Medium
Product	Manifest	build-jdk-spec	1.8	Low
Product	Manifest	bundle-docurl	https://commons.apache.org/proper/commons-lang/	Low
Product	Manifest	Bundle-Name	Apache Commons Lang	Medium
Product	Manifest	bundle-symbolicname	org.apache.commons.lang3	Medium
Product	Manifest	Implementation-Title	Apache Commons Lang	High
Product	Manifest	require-capability	osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))"	Low
Product	Manifest	specification-title	Apache Commons Lang	Medium
Product	pom	artifactid	commons-lang3	Highest
Product	pom	developer email	bayard@apache.org	Low
Product	pom	developer email	britter@apache.org	Low
Product	pom	developer email	chtompki@apache.org	Low
Product	pom	developer email	djones@apache.org	Low
Product	pom	developer email	dlr@finemaltcoding.com	Low
Product	pom	developer email	ggregory@apache.org	Low
Product	pom	developer email	jcarman@apache.org	Low
Product	pom	developer email	joerg.schaible@gmx.de	Low
Product	pom	developer email	lguibert@apache.org	Low
Product	pom	developer email	oheger@apache.org	Low
Product	pom	developer email	pbenedict@apache.org	Low
Product	pom	developer email	rdonkin@apache.org	Low
Product	pom	developer email	scolebourne@joda.org	Low
Product	pom	developer email	stevencaswell@apache.org	Low
Product	pom	developer id	bayard	Low
Product	pom	developer id	britter	Low
Product	pom	developer id	chtompki	Low
Product	pom	developer id	djones	Low
Product	pom	developer id	dlr	Low
Product	pom	developer id	fredrik	Low
Product	pom	developer id	ggregory	Low
Product	pom	developer id	jcarman	Low
Product	pom	developer id	joehni	Low
Product	pom	developer id	lguibert	Low
Product	pom	developer id	mbenson	Low
Product	pom	developer id	niallp	Low
Product	pom	developer id	oheger	Low
Product	pom	developer id	pbenedict	Low
Product	pom	developer id	rdonkin	Low
Product	pom	developer id	scaswell	Low
Product	pom	developer id	scolebourne	Low
Product	pom	developer name	Benedikt Ritter	Low
Product	pom	developer name	Daniel Rall	Low
Product	pom	developer name	Duncan Jones	Low
Product	pom	developer name	Fredrik Westermarck	Low
Product	pom	developer name	Gary D. Gregory	Low
Product	pom	developer name	Henri Yandell	Low
Product	pom	developer name	James Carman	Low
Product	pom	developer name	Joerg Schaible	Low
Product	pom	developer name	Loic Guibert	Low
Product	pom	developer name	Matt Benson	Low
Product	pom	developer name	Niall Pemberton	Low
Product	pom	developer name	Oliver Heger	Low
Product	pom	developer name	Paul Benedict	Low
Product	pom	developer name	Rob Tompkins	Low
Product	pom	developer name	Robert Burrell Donkin	Low
Product	pom	developer name	Stephen Colebourne	Low
Product	pom	developer name	Steven Caswell	Low
Product	pom	developer org	Carman Consulting, Inc.	Low
Product	pom	developer org	CollabNet, Inc.	Low
Product	pom	developer org	SITA ATS Ltd	Low
Product	pom	groupid	org.apache.commons	Highest
Product	pom	name	Apache Commons Lang	High
Product	pom	parent-artifactid	commons-parent	Medium
Product	pom	url	https://commons.apache.org/proper/commons-lang/	Medium
Version	file	version	3.12.0	High
Version	Manifest	Bundle-Version	3.12.0	High
Version	Manifest	Implementation-Version	3.12.0	High
Version	pom	parent-version	3.12.0	Low
Version	pom	version	3.12.0	Highest

Identifiers

pkg:maven/org.apache.commons/commons-lang3@3.12.0 (Confidence:High)
cpe:2.3:a:apache:commons_net:3.12.0:*:*:*:*:*:*:* (Confidence:Highest)

commons-logging-1.2.jar

Description:

Apache Commons Logging is a thin adapter allowing configurable bridging to other,
    well known logging systems.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt

File Path: /home/grprdist/.m2/repository/commons-logging/commons-logging/1.2/commons-logging-1.2.jar
MD5: 040b4b4d8eac886f6b4a2a3bd2f31b00
SHA1: 4bfc12adfe4842bf07b657f0369c4cb522955686
SHA256:daddea1ea0be0f56978ab3006b8ac92834afeefbd9b7e4e6316fca57df0fa636
Referenced In Project/Scope:Grouper Client:compile

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	commons-logging	High
Vendor	jar	package name	apache	Highest
Vendor	jar	package name	commons	Highest
Vendor	jar	package name	logging	Highest
Vendor	Manifest	bundle-docurl	http://commons.apache.org/proper/commons-logging/	Low
Vendor	Manifest	bundle-symbolicname	org.apache.commons.logging	Medium
Vendor	Manifest	implementation-build	tags/LOGGING_1_2_RC2@r1608092; 2014-07-05 20:11:44+0200	Low
Vendor	Manifest	Implementation-Vendor	The Apache Software Foundation	High
Vendor	Manifest	Implementation-Vendor-Id	org.apache	Medium
Vendor	Manifest	specification-vendor	The Apache Software Foundation	Low
Vendor	pom	artifactid	commons-logging	Highest
Vendor	pom	artifactid	commons-logging	Low
Vendor	pom	developer email	baliuka@apache.org	Low
Vendor	pom	developer email	costin@apache.org	Low
Vendor	pom	developer email	craigmcc@apache.org	Low
Vendor	pom	developer email	dennisl@apache.org	Low
Vendor	pom	developer email	donaldp@apache.org	Low
Vendor	pom	developer email	morgand@apache.org	Low
Vendor	pom	developer email	rdonkin@apache.org	Low
Vendor	pom	developer email	rsitze@apache.org	Low
Vendor	pom	developer email	rwaldhoff@apache.org	Low
Vendor	pom	developer email	sanders@apache.org	Low
Vendor	pom	developer email	skitching@apache.org	Low
Vendor	pom	developer email	tn@apache.org	Low
Vendor	pom	developer id	baliuka	Medium
Vendor	pom	developer id	bstansberry	Medium
Vendor	pom	developer id	costin	Medium
Vendor	pom	developer id	craigmcc	Medium
Vendor	pom	developer id	dennisl	Medium
Vendor	pom	developer id	donaldp	Medium
Vendor	pom	developer id	morgand	Medium
Vendor	pom	developer id	rdonkin	Medium
Vendor	pom	developer id	rsitze	Medium
Vendor	pom	developer id	rwaldhoff	Medium
Vendor	pom	developer id	sanders	Medium
Vendor	pom	developer id	skitching	Medium
Vendor	pom	developer id	tn	Medium
Vendor	pom	developer name	Brian Stansberry	Medium
Vendor	pom	developer name	Costin Manolache	Medium
Vendor	pom	developer name	Craig McClanahan	Medium
Vendor	pom	developer name	Dennis Lundberg	Medium
Vendor	pom	developer name	Juozas Baliuka	Medium
Vendor	pom	developer name	Morgan Delagrange	Medium
Vendor	pom	developer name	Peter Donald	Medium
Vendor	pom	developer name	Richard Sitze	Medium
Vendor	pom	developer name	Robert Burrell Donkin	Medium
Vendor	pom	developer name	Rodney Waldhoff	Medium
Vendor	pom	developer name	Scott Sanders	Medium
Vendor	pom	developer name	Simon Kitching	Medium
Vendor	pom	developer name	Thomas Neidhart	Medium
Vendor	pom	developer org	Apache	Medium
Vendor	pom	developer org	The Apache Software Foundation	Medium
Vendor	pom	groupid	commons-logging	Highest
Vendor	pom	name	Apache Commons Logging	High
Vendor	pom	parent-artifactid	commons-parent	Low
Vendor	pom	parent-groupid	org.apache.commons	Medium
Vendor	pom	url	http://commons.apache.org/proper/commons-logging/	Highest
Product	file	name	commons-logging	High
Product	jar	package name	apache	Highest
Product	jar	package name	commons	Highest
Product	jar	package name	logging	Highest
Product	Manifest	bundle-docurl	http://commons.apache.org/proper/commons-logging/	Low
Product	Manifest	Bundle-Name	Apache Commons Logging	Medium
Product	Manifest	bundle-symbolicname	org.apache.commons.logging	Medium
Product	Manifest	implementation-build	tags/LOGGING_1_2_RC2@r1608092; 2014-07-05 20:11:44+0200	Low
Product	Manifest	Implementation-Title	Apache Commons Logging	High
Product	Manifest	specification-title	Apache Commons Logging	Medium
Product	pom	artifactid	commons-logging	Highest
Product	pom	developer email	baliuka@apache.org	Low
Product	pom	developer email	costin@apache.org	Low
Product	pom	developer email	craigmcc@apache.org	Low
Product	pom	developer email	dennisl@apache.org	Low
Product	pom	developer email	donaldp@apache.org	Low
Product	pom	developer email	morgand@apache.org	Low
Product	pom	developer email	rdonkin@apache.org	Low
Product	pom	developer email	rsitze@apache.org	Low
Product	pom	developer email	rwaldhoff@apache.org	Low
Product	pom	developer email	sanders@apache.org	Low
Product	pom	developer email	skitching@apache.org	Low
Product	pom	developer email	tn@apache.org	Low
Product	pom	developer id	baliuka	Low
Product	pom	developer id	bstansberry	Low
Product	pom	developer id	costin	Low
Product	pom	developer id	craigmcc	Low
Product	pom	developer id	dennisl	Low
Product	pom	developer id	donaldp	Low
Product	pom	developer id	morgand	Low
Product	pom	developer id	rdonkin	Low
Product	pom	developer id	rsitze	Low
Product	pom	developer id	rwaldhoff	Low
Product	pom	developer id	sanders	Low
Product	pom	developer id	skitching	Low
Product	pom	developer id	tn	Low
Product	pom	developer name	Brian Stansberry	Low
Product	pom	developer name	Costin Manolache	Low
Product	pom	developer name	Craig McClanahan	Low
Product	pom	developer name	Dennis Lundberg	Low
Product	pom	developer name	Juozas Baliuka	Low
Product	pom	developer name	Morgan Delagrange	Low
Product	pom	developer name	Peter Donald	Low
Product	pom	developer name	Richard Sitze	Low
Product	pom	developer name	Robert Burrell Donkin	Low
Product	pom	developer name	Rodney Waldhoff	Low
Product	pom	developer name	Scott Sanders	Low
Product	pom	developer name	Simon Kitching	Low
Product	pom	developer name	Thomas Neidhart	Low
Product	pom	developer org	Apache	Low
Product	pom	developer org	The Apache Software Foundation	Low
Product	pom	groupid	commons-logging	Highest
Product	pom	name	Apache Commons Logging	High
Product	pom	parent-artifactid	commons-parent	Medium
Product	pom	parent-groupid	org.apache.commons	Medium
Product	pom	url	http://commons.apache.org/proper/commons-logging/	Medium
Version	file	version	1.2	High
Version	Manifest	Implementation-Version	1.2	High
Version	pom	parent-version	1.2	Low
Version	pom	version	1.2	Highest

Identifiers

pkg:maven/commons-logging/commons-logging@1.2 (Confidence:High)
cpe:2.3:a:apache:commons_net:1.2:*:*:*:*:*:*:* (Confidence:Highest)

Published Vulnerabilities

CVE-2021-37533

Prior to Apache Commons Net 3.9.0, Net's FTP client trusts the host from PASV response by default. A malicious server can redirect the Commons Net code to use a different host, but the user has to connect to the malicious server in the first place. This may lead to leakage of information about services running on the private network of the client. The default in version 3.9.0 is now false to ignore such hosts, as cURL does. See https://issues.apache.org/jira/browse/NET-711.

CVSSv3:

Base Score: MEDIUM (6.5)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

References:

Vulnerable Software & Versions:

cpe:2.3:a:apache:commons_net:*:*:*:*:*:*:*:* versions up to (excluding) 3.9.0

httpclient-4.5.13.jar

Description:

   Apache HttpComponents Client

File Path: /home/grprdist/.m2/repository/org/apache/httpcomponents/httpclient/4.5.13/httpclient-4.5.13.jar
MD5: 40d6b9075fbd28fa10292a45a0db9457
SHA1: e5f6cae5ca7ecaac1ec2827a9e2d65ae2869cada
SHA256:6fe9026a566c6a5001608cf3fc32196641f6c1e5e1986d1037ccdbd5f31ef743
Referenced In Project/Scope:Grouper Client:compile

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	httpclient	High
Vendor	jar	package name	apache	Highest
Vendor	jar	package name	client	Highest
Vendor	jar	package name	httpclient	Highest
Vendor	Manifest	automatic-module-name	org.apache.httpcomponents.httpclient	Medium
Vendor	Manifest	implementation-url	http://hc.apache.org/httpcomponents-client	Low
Vendor	Manifest	Implementation-Vendor	The Apache Software Foundation	High
Vendor	Manifest	Implementation-Vendor-Id	org.apache.httpcomponents	Medium
Vendor	Manifest	specification-vendor	The Apache Software Foundation	Low
Vendor	pom	artifactid	httpclient	Highest
Vendor	pom	artifactid	httpclient	Low
Vendor	pom	groupid	org.apache.httpcomponents	Highest
Vendor	pom	name	Apache HttpClient	High
Vendor	pom	parent-artifactid	httpcomponents-client	Low
Vendor	pom	url	http://hc.apache.org/httpcomponents-client	Highest
Product	file	name	httpclient	High
Product	jar	package name	apache	Highest
Product	jar	package name	client	Highest
Product	jar	package name	http	Highest
Product	jar	package name	httpclient	Highest
Product	Manifest	automatic-module-name	org.apache.httpcomponents.httpclient	Medium
Product	Manifest	Implementation-Title	Apache HttpClient	High
Product	Manifest	implementation-url	http://hc.apache.org/httpcomponents-client	Low
Product	Manifest	specification-title	Apache HttpClient	Medium
Product	pom	artifactid	httpclient	Highest
Product	pom	groupid	org.apache.httpcomponents	Highest
Product	pom	name	Apache HttpClient	High
Product	pom	parent-artifactid	httpcomponents-client	Medium
Product	pom	url	http://hc.apache.org/httpcomponents-client	Medium
Version	file	version	4.5.13	High
Version	Manifest	Implementation-Version	4.5.13	High
Version	pom	version	4.5.13	Highest

Identifiers

pkg:maven/org.apache.httpcomponents/httpclient@4.5.13 (Confidence:High)
cpe:2.3:a:apache:httpclient:4.5.13:*:*:*:*:*:*:* (Confidence:Highest)

httpcore-4.4.14.jar

Description:

   Apache HttpComponents Core (blocking I/O)

File Path: /home/grprdist/.m2/repository/org/apache/httpcomponents/httpcore/4.4.14/httpcore-4.4.14.jar
MD5: 2b3991eda121042765a5ee299556c200
SHA1: 9dd1a631c082d92ecd4bd8fd4cf55026c720a8c1
SHA256:f956209e450cb1d0c51776dfbd23e53e9dd8db9a1298ed62b70bf0944ba63b28
Referenced In Project/Scope:Grouper Client:compile

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	httpcore	High
Vendor	jar	package name	apache	Highest
Vendor	Manifest	automatic-module-name	org.apache.httpcomponents.httpcore	Medium
Vendor	Manifest	implementation-build	${scmBranch}@r${buildNumber}; 2020-11-26 19:07:01+0000	Low
Vendor	Manifest	implementation-url	http://hc.apache.org/httpcomponents-core-ga	Low
Vendor	Manifest	Implementation-Vendor	The Apache Software Foundation	High
Vendor	Manifest	Implementation-Vendor-Id	org.apache	Medium
Vendor	Manifest	specification-vendor	The Apache Software Foundation	Low
Vendor	Manifest	url	http://hc.apache.org/httpcomponents-core-ga	Low
Vendor	pom	artifactid	httpcore	Highest
Vendor	pom	artifactid	httpcore	Low
Vendor	pom	groupid	org.apache.httpcomponents	Highest
Vendor	pom	name	Apache HttpCore	High
Vendor	pom	parent-artifactid	httpcomponents-core	Low
Vendor	pom	url	http://hc.apache.org/httpcomponents-core-ga	Highest
Product	file	name	httpcore	High
Product	jar	package name	apache	Highest
Product	jar	package name	http	Highest
Product	Manifest	automatic-module-name	org.apache.httpcomponents.httpcore	Medium
Product	Manifest	implementation-build	${scmBranch}@r${buildNumber}; 2020-11-26 19:07:01+0000	Low
Product	Manifest	Implementation-Title	HttpComponents Apache HttpCore	High
Product	Manifest	implementation-url	http://hc.apache.org/httpcomponents-core-ga	Low
Product	Manifest	specification-title	HttpComponents Apache HttpCore	Medium
Product	Manifest	url	http://hc.apache.org/httpcomponents-core-ga	Low
Product	pom	artifactid	httpcore	Highest
Product	pom	groupid	org.apache.httpcomponents	Highest
Product	pom	name	Apache HttpCore	High
Product	pom	parent-artifactid	httpcomponents-core	Medium
Product	pom	url	http://hc.apache.org/httpcomponents-core-ga	Medium
Version	file	version	4.4.14	High
Version	Manifest	Implementation-Version	4.4.14	High
Version	pom	version	4.4.14	Highest

Identifiers

pkg:maven/org.apache.httpcomponents/httpcore@4.4.14 (Confidence:High)

jackson-annotations-2.18.2.jar

Description:

Core annotations used for value types, used by Jackson data binding package.

License:

The Apache Software License, Version 2.0: https://www.apache.org/licenses/LICENSE-2.0.txt

File Path: /home/grprdist/.m2/repository/com/fasterxml/jackson/core/jackson-annotations/2.18.2/jackson-annotations-2.18.2.jar
MD5: 79d38d3c51068a2bbc40268d02f80763
SHA1: 985d77751ebc7fce5db115a986bc9aa82f973f4a
SHA256:581bd61000ef7648943f781ca05689e56d03f6052748365a8e2b3a9b5d3fa32f
Referenced In Project/Scope:Grouper Client:compile

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	jackson-annotations	High
Vendor	jar	package name	fasterxml	Highest
Vendor	jar	package name	jackson	Highest
Vendor	Manifest	build-jdk-spec	1.8	Low
Vendor	Manifest	bundle-docurl	https://github.com/FasterXML/jackson	Low
Vendor	Manifest	bundle-symbolicname	com.fasterxml.jackson.core.jackson-annotations	Medium
Vendor	Manifest	Implementation-Vendor	FasterXML	High
Vendor	Manifest	Implementation-Vendor-Id	com.fasterxml.jackson.core	Medium
Vendor	Manifest	require-capability	osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.6))"	Low
Vendor	Manifest	specification-vendor	FasterXML	Low
Vendor	pom	artifactid	jackson-annotations	Highest
Vendor	pom	artifactid	jackson-annotations	Low
Vendor	pom	groupid	com.fasterxml.jackson.core	Highest
Vendor	pom	name	Jackson-annotations	High
Vendor	pom	parent-artifactid	jackson-parent	Low
Vendor	pom	parent-groupid	com.fasterxml.jackson	Medium
Vendor	pom	url	FasterXML/jackson	Highest
Product	file	name	jackson-annotations	High
Product	hint analyzer	product	java8	Highest
Product	hint analyzer	product	modules	Highest
Product	jar	package name	fasterxml	Highest
Product	jar	package name	jackson	Highest
Product	Manifest	build-jdk-spec	1.8	Low
Product	Manifest	bundle-docurl	https://github.com/FasterXML/jackson	Low
Product	Manifest	Bundle-Name	Jackson-annotations	Medium
Product	Manifest	bundle-symbolicname	com.fasterxml.jackson.core.jackson-annotations	Medium
Product	Manifest	Implementation-Title	Jackson-annotations	High
Product	Manifest	require-capability	osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.6))"	Low
Product	Manifest	specification-title	Jackson-annotations	Medium
Product	pom	artifactid	jackson-annotations	Highest
Product	pom	groupid	com.fasterxml.jackson.core	Highest
Product	pom	name	Jackson-annotations	High
Product	pom	parent-artifactid	jackson-parent	Medium
Product	pom	parent-groupid	com.fasterxml.jackson	Medium
Product	pom	url	FasterXML/jackson	High
Version	file	version	2.18.2	High
Version	Manifest	Bundle-Version	2.18.2	High
Version	Manifest	Implementation-Version	2.18.2	High
Version	pom	parent-version	2.18.2	Low
Version	pom	version	2.18.2	Highest

Identifiers

pkg:maven/com.fasterxml.jackson.core/jackson-annotations@2.18.2 (Confidence:High)
cpe:2.3:a:fasterxml:jackson-modules-java8:2.18.2:*:*:*:*:*:*:* (Confidence:Low)

jackson-core-2.18.2.jar

Description:

Core Jackson processing abstractions (aka Streaming API), implementation for JSON

License:

The Apache Software License, Version 2.0: https://www.apache.org/licenses/LICENSE-2.0.txt

File Path: /home/grprdist/.m2/repository/com/fasterxml/jackson/core/jackson-core/2.18.2/jackson-core-2.18.2.jar
MD5: bf935e6eca3a57defa13918661905cb0
SHA1: fb64ccac5c27dca8819418eb4e443a9f496d9ee7
SHA256:d8054ae7c0d1c2d2f55d28e46026ebe5892881f3fab5f439233184381c3b4a1f
Referenced In Project/Scope:Grouper Client:compile

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	jackson-core	High
Vendor	jar	package name	base	Highest
Vendor	jar	package name	com	Highest
Vendor	jar	package name	core	Highest
Vendor	jar	package name	fasterxml	Highest
Vendor	jar	package name	jackson	Highest
Vendor	jar	package name	json	Highest
Vendor	Manifest	build-jdk-spec	1.8	Low
Vendor	Manifest	bundle-docurl	https://github.com/FasterXML/jackson-core	Low
Vendor	Manifest	bundle-symbolicname	com.fasterxml.jackson.core.jackson-core	Medium
Vendor	Manifest	Implementation-Vendor	FasterXML	High
Vendor	Manifest	Implementation-Vendor-Id	com.fasterxml.jackson.core	Medium
Vendor	Manifest	multi-release	true	Low
Vendor	Manifest	require-capability	osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))"	Low
Vendor	Manifest	specification-vendor	FasterXML	Low
Vendor	pom	artifactid	jackson-core	Highest
Vendor	pom	artifactid	jackson-core	Low
Vendor	pom	groupid	com.fasterxml.jackson.core	Highest
Vendor	pom	name	Jackson-core	High
Vendor	pom	parent-artifactid	jackson-base	Low
Vendor	pom	parent-groupid	com.fasterxml.jackson	Medium
Vendor	pom	url	FasterXML/jackson-core	Highest
Product	file	name	jackson-core	High
Product	hint analyzer	product	java8	Highest
Product	hint analyzer	product	modules	Highest
Product	jar	package name	base	Highest
Product	jar	package name	com	Highest
Product	jar	package name	core	Highest
Product	jar	package name	fasterxml	Highest
Product	jar	package name	filter	Highest
Product	jar	package name	jackson	Highest
Product	jar	package name	json	Highest
Product	jar	package name	version	Highest
Product	Manifest	build-jdk-spec	1.8	Low
Product	Manifest	bundle-docurl	https://github.com/FasterXML/jackson-core	Low
Product	Manifest	Bundle-Name	Jackson-core	Medium
Product	Manifest	bundle-symbolicname	com.fasterxml.jackson.core.jackson-core	Medium
Product	Manifest	Implementation-Title	Jackson-core	High
Product	Manifest	multi-release	true	Low
Product	Manifest	require-capability	osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))"	Low
Product	Manifest	specification-title	Jackson-core	Medium
Product	pom	artifactid	jackson-core	Highest
Product	pom	groupid	com.fasterxml.jackson.core	Highest
Product	pom	name	Jackson-core	High
Product	pom	parent-artifactid	jackson-base	Medium
Product	pom	parent-groupid	com.fasterxml.jackson	Medium
Product	pom	url	FasterXML/jackson-core	High
Version	file	version	2.18.2	High
Version	Manifest	Bundle-Version	2.18.2	High
Version	Manifest	Implementation-Version	2.18.2	High
Version	pom	version	2.18.2	Highest

Identifiers

pkg:maven/com.fasterxml.jackson.core/jackson-core@2.18.2 (Confidence:High)
cpe:2.3:a:fasterxml:jackson-modules-java8:2.18.2:*:*:*:*:*:*:* (Confidence:Low)
cpe:2.3:a:json-java_project:json-java:2.18.2:*:*:*:*:*:*:* (Confidence:Low)

Published Vulnerabilities

CVE-2022-45688

A stack overflow in the XML.toJSONObject component of hutool-json v5.8.10 allows attackers to cause a Denial of Service (DoS) via crafted JSON or XML data.

CWE-787 Out-of-bounds Write

CVSSv3:

Base Score: HIGH (7.5)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References:

Vulnerable Software & Versions: (show all)

CVE-2023-5072

Denial of Service  in JSON-Java versions up to and including 20230618.  A bug in the parser means that an input string of modest size can lead to indefinite amounts of memory being used.

CWE-770 Allocation of Resources Without Limits or Throttling

CVSSv3:

Base Score: HIGH (7.5)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References:

Vulnerable Software & Versions:

cpe:2.3:a:json-java_project:json-java:*:*:*:*:*:*:*:* versions up to (including) 20230618

jackson-databind-2.18.2.jar

Description:

General data-binding functionality for Jackson: works on core streaming API

License:

The Apache Software License, Version 2.0: https://www.apache.org/licenses/LICENSE-2.0.txt

File Path: /home/grprdist/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.18.2/jackson-databind-2.18.2.jar
MD5: 1b56887bcd3eaea1ff710eb673e610b0
SHA1: deef8697b92141fb6caf7aa86966cff4eec9b04f
SHA256:4b364e6850dc89172fcf1d4dd26b8ff5488eda44ff4657e22dd265203dd5ab3c
Referenced In Project/Scope:Grouper Client:compile

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	jackson-databind	High
Vendor	jar	package name	databind	Highest
Vendor	jar	package name	fasterxml	Highest
Vendor	jar	package name	jackson	Highest
Vendor	Manifest	build-jdk-spec	1.8	Low
Vendor	Manifest	bundle-docurl	https://github.com/FasterXML/jackson	Low
Vendor	Manifest	bundle-symbolicname	com.fasterxml.jackson.core.jackson-databind	Medium
Vendor	Manifest	Implementation-Vendor	FasterXML	High
Vendor	Manifest	Implementation-Vendor-Id	com.fasterxml.jackson.core	Medium
Vendor	Manifest	multi-release	true	Low
Vendor	Manifest	require-capability	osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))"	Low
Vendor	Manifest	specification-vendor	FasterXML	Low
Vendor	pom	artifactid	jackson-databind	Highest
Vendor	pom	artifactid	jackson-databind	Low
Vendor	pom	groupid	com.fasterxml.jackson.core	Highest
Vendor	pom	name	jackson-databind	High
Vendor	pom	parent-artifactid	jackson-base	Low
Vendor	pom	parent-groupid	com.fasterxml.jackson	Medium
Vendor	pom	url	FasterXML/jackson	Highest
Product	file	name	jackson-databind	High
Product	hint analyzer	product	java8	Highest
Product	hint analyzer	product	modules	Highest
Product	jar	package name	databind	Highest
Product	jar	package name	fasterxml	Highest
Product	jar	package name	jackson	Highest
Product	Manifest	build-jdk-spec	1.8	Low
Product	Manifest	bundle-docurl	https://github.com/FasterXML/jackson	Low
Product	Manifest	Bundle-Name	jackson-databind	Medium
Product	Manifest	bundle-symbolicname	com.fasterxml.jackson.core.jackson-databind	Medium
Product	Manifest	Implementation-Title	jackson-databind	High
Product	Manifest	multi-release	true	Low
Product	Manifest	require-capability	osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))"	Low
Product	Manifest	specification-title	jackson-databind	Medium
Product	pom	artifactid	jackson-databind	Highest
Product	pom	groupid	com.fasterxml.jackson.core	Highest
Product	pom	name	jackson-databind	High
Product	pom	parent-artifactid	jackson-base	Medium
Product	pom	parent-groupid	com.fasterxml.jackson	Medium
Product	pom	url	FasterXML/jackson	High
Version	file	version	2.18.2	High
Version	Manifest	Bundle-Version	2.18.2	High
Version	Manifest	Implementation-Version	2.18.2	High
Version	pom	version	2.18.2	Highest

Identifiers

pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.18.2 (Confidence:High)
cpe:2.3:a:fasterxml:jackson-databind:2.18.2:*:*:*:*:*:*:* (Confidence:Highest)
cpe:2.3:a:fasterxml:jackson-modules-java8:2.18.2:*:*:*:*:*:*:* (Confidence:Low)

log4j-core-2.17.1.jar

Description:

The Apache Log4j Implementation

License:

https://www.apache.org/licenses/LICENSE-2.0.txt

File Path: /home/grprdist/.m2/repository/org/apache/logging/log4j/log4j-core/2.17.1/log4j-core-2.17.1.jar
MD5: 8d2f5c52700336dae846b2c3ecde7a6e
SHA1: 779f60f3844dadc3ef597976fcb1e5127b1f343d
SHA256:c967f223487980b9364e94a7c7f9a8a01fd3ee7c19bdbf0b0f9f8cb8511f3d41
Referenced In Project/Scope:Grouper Client:compile

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	log4j-core	High
Vendor	jar	package name	apache	Highest
Vendor	jar	package name	core	Highest
Vendor	jar	package name	log4j	Highest
Vendor	jar	package name	logging	Highest
Vendor	jar	package name	org	Highest
Vendor	Manifest	automatic-module-name	org.apache.logging.log4j.core	Medium
Vendor	Manifest	bundle-docurl	https://www.apache.org/	Low
Vendor	Manifest	bundle-symbolicname	org.apache.logging.log4j.core	Medium
Vendor	Manifest	implementation-url	https://logging.apache.org/log4j/2.x/log4j-core/	Low
Vendor	Manifest	Implementation-Vendor	The Apache Software Foundation	High
Vendor	Manifest	Implementation-Vendor-Id	org.apache.logging.log4j	Medium
Vendor	Manifest	log4jreleasekey	D7C92B70FA1C814D	Low
Vendor	Manifest	log4jreleasemanager	Matt Sicker	Low
Vendor	Manifest	log4jsigningusername	mattsicker@apache.org	Medium
Vendor	Manifest	multi-release	true	Low
Vendor	Manifest	require-capability	osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))"	Low
Vendor	Manifest	specification-vendor	The Apache Software Foundation	Low
Vendor	pom	artifactid	log4j-core	Highest
Vendor	pom	artifactid	log4j-core	Low
Vendor	pom	groupid	org.apache.logging.log4j	Highest
Vendor	pom	name	Apache Log4j Core	High
Vendor	pom	parent-artifactid	log4j	Low
Product	file	name	log4j-core	High
Product	jar	package name	apache	Highest
Product	jar	package name	core	Highest
Product	jar	package name	log4j	Highest
Product	jar	package name	logging	Highest
Product	jar	package name	org	Highest
Product	Manifest	automatic-module-name	org.apache.logging.log4j.core	Medium
Product	Manifest	bundle-docurl	https://www.apache.org/	Low
Product	Manifest	Bundle-Name	Apache Log4j Core	Medium
Product	Manifest	bundle-symbolicname	org.apache.logging.log4j.core	Medium
Product	Manifest	Implementation-Title	Apache Log4j Core	High
Product	Manifest	implementation-url	https://logging.apache.org/log4j/2.x/log4j-core/	Low
Product	Manifest	log4jreleasekey	D7C92B70FA1C814D	Low
Product	Manifest	log4jreleasemanager	Matt Sicker	Low
Product	Manifest	log4jsigningusername	mattsicker@apache.org	Medium
Product	Manifest	multi-release	true	Low
Product	Manifest	require-capability	osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))"	Low
Product	Manifest	specification-title	Apache Log4j Core	Medium
Product	pom	artifactid	log4j-core	Highest
Product	pom	groupid	org.apache.logging.log4j	Highest
Product	pom	name	Apache Log4j Core	High
Product	pom	parent-artifactid	log4j	Medium
Version	file	version	2.17.1	High
Version	Manifest	Bundle-Version	2.17.1	High
Version	Manifest	Implementation-Version	2.17.1	High
Version	Manifest	log4jreleaseversion	2.17.1	Medium
Version	pom	version	2.17.1	Highest

Related Dependencies

Identifiers

pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1 (Confidence:High)
cpe:2.3:a:apache:log4j:2.17.1:*:*:*:*:*:*:* (Confidence:Highest)

How to read the report | Suppressing false positives | Getting Help: github issues

Sponsor

Project: Grouper Client

edu.internet2.middleware.grouper:grouperClient:5.0.0-SNAPSHOT

Summary

Dependencies

commons-codec-1.15.jar

Evidence

Identifiers

Published Vulnerabilities

commons-jexl-2.1.1.jar

Evidence

Identifiers

Published Vulnerabilities

commons-lang3-3.12.0.jar

Evidence

Identifiers

commons-logging-1.2.jar

Evidence

Identifiers

Published Vulnerabilities

httpclient-4.5.13.jar

Evidence

Identifiers

httpcore-4.4.14.jar

Evidence

Identifiers

jackson-annotations-2.18.2.jar

Evidence

Identifiers

jackson-core-2.18.2.jar

Evidence

Identifiers

Published Vulnerabilities

jackson-databind-2.18.2.jar

Evidence

Identifiers

log4j-core-2.17.1.jar

Evidence

Related Dependencies

Identifiers

How to read the report | Suppressing false positives | Getting Help: github issues Sponsor

Project: Grouper Client

edu.internet2.middleware.grouper:grouperClient:5.0.0-SNAPSHOT

Summary

Dependencies

commons-codec-1.15.jar

Evidence

Identifiers

Published Vulnerabilities

commons-jexl-2.1.1.jar

Evidence

Identifiers

Published Vulnerabilities

commons-lang3-3.12.0.jar

Evidence

Identifiers

commons-logging-1.2.jar

Evidence

Identifiers

Published Vulnerabilities

httpclient-4.5.13.jar

Evidence

Identifiers

httpcore-4.4.14.jar

Evidence

Identifiers

jackson-annotations-2.18.2.jar

Evidence

Identifiers

jackson-core-2.18.2.jar

Evidence

Identifiers

Published Vulnerabilities

jackson-databind-2.18.2.jar

Evidence

Identifiers

log4j-core-2.17.1.jar

Evidence

Related Dependencies

Identifiers

How to read the report | Suppressing false positives | Getting Help: github issues

Sponsor