Dependency-Check is an open source tool performing a best effort analysis of 3rd party dependencies; false positives and false negatives may exist in the analysis performed by the tool. Use of the tool and the reporting provided constitutes acceptance for use in an AS IS condition, and there are NO warranties, implied or otherwise, with regard to the analysis or its use. Any use of the tool and the reporting provided is at the user’s risk. In no event shall the copyright holder or OWASP be held liable for any damages whatsoever arising out of or in connection with the use of this tool, the analysis performed, or the resulting report.



Project: Livy Project Parent POM

org.apache.livy:livy-main:0.8.0-incubating-SNAPSHOT

Scan Information:

Summary

Display: Showing Vulnerable Dependencies

Dependency | Vulnerability IDs | Package | Highest Severity | CVE Count | Confidence | Evidence Count
JavaEWAH-0.3.2.jar | cpe:2.3:a:google:gmail:0.3.2:*:*:*:*:*:*:* | pkg:maven/com.googlecode.javaewah/JavaEWAH@0.3.2 | | 0 | Low | 26
RoaringBitmap-0.7.45.jar | | pkg:maven/org.roaringbitmap/RoaringBitmap@0.7.45 | | 0 | | 25
ST4-4.0.4.jar | | pkg:maven/org.antlr/ST4@4.0.4 | | 0 | | 36
activation-1.1.1.jar | cpe:2.3:a:oracle:java_se:1.1.1:*:*:*:*:*:*:* | pkg:maven/javax.activation/activation@1.1.1 | | 0 | Low | 26
activation-1.1.jar | | pkg:maven/javax.activation/activation@1.1 | | 0 | | 26
aircompressor-0.10.jar | | pkg:maven/io.airlift/aircompressor@0.10 | | 0 | | 28
all-sessions.js | | | | 0 | | 0
antlr-2.7.7.jar | | pkg:maven/antlr/antlr@2.7.7 | | 0 | | 24
antlr-runtime-3.4.jar | | pkg:maven/org.antlr/antlr-runtime@3.4 | | 0 | | 38
antlr4-runtime-4.7.jar | | pkg:maven/org.antlr/antlr4-runtime@4.7 | | 0 | | 30
aopalliance-1.0.jar | | pkg:maven/aopalliance/aopalliance@1.0 | | 0 | | 20
aopalliance-repackaged-2.4.0-b34.jar | | pkg:maven/org.glassfish.hk2.external/aopalliance-repackaged@2.4.0-b34 | | 0 | | 21
apache-log4j-extras-1.2.17.jar | cpe:2.3:a:apache:log4j:1.2.17:*:*:*:*:*:*:* | pkg:maven/log4j/apache-log4j-extras@1.2.17 | CRITICAL | 5 | Highest | 30
apacheds-i18n-2.0.0-M15.jar | | pkg:maven/org.apache.directory.server/apacheds-i18n@2.0.0-M15 | | 0 | | 31
apacheds-i18n-2.0.0-M21.jar | | pkg:maven/org.apache.directory.server/apacheds-i18n@2.0.0-M21 | | 0 | | 33
apacheds-kerberos-codec-2.0.0-M15.jar | | pkg:maven/org.apache.directory.server/apacheds-kerberos-codec@2.0.0-M15 | | 0 | | 31
api-asn1-api-1.0.0-M20.jar | | pkg:maven/org.apache.directory.api/api-asn1-api@1.0.0-M20 | | 0 | | 31
api-asn1-api-1.0.0-M33.jar | | pkg:maven/org.apache.directory.api/api-asn1-api@1.0.0-M33 | | 0 | | 33
api-i18n-1.0.0-M33.jar | cpe:2.3:a:apache:directory_ldap_api:1.0.0:m33:*:*:*:*:*:* | pkg:maven/org.apache.directory.api/api-i18n@1.0.0-M33 | CRITICAL | 1 | Low | 33
api-util-1.0.0-M20.jar | cpe:2.3:a:apache:directory_ldap_api:1.0.0:m20:*:*:*:*:*:* | pkg:maven/org.apache.directory.api/api-util@1.0.0-M20 | CRITICAL | 1 | Low | 25
arpack_combined_all-0.1.jar | cpe:2.3:a:lapack_project:lapack:0.1:*:*:*:*:*:*:* | pkg:maven/net.sourceforge.f2j/arpack_combined_all@0.1 | CRITICAL | 1 | Low | 28
arrow-format-0.10.0.jar | cpe:2.3:a:apache:arrow:0.10.0:*:*:*:*:*:*:* | pkg:maven/org.apache.arrow/arrow-format@0.10.0 | | 0 | Highest | 29
asm-3.1.jar | | pkg:maven/asm/asm@3.1 | | 0 | | 18
async-http-client-2.10.1.jar | cpe:2.3:a:async-http-client_project:async-http-client:2.10.1:*:*:*:*:*:*:*; cpe:2.3:a:asynchttpclient_project:async-http-client:2.10.1:*:*:*:*:*:*:* | pkg:maven/org.asynchttpclient/async-http-client@2.10.1 | | 0 | Highest | 22
async-http-client-netty-utils-2.10.1.jar | | pkg:maven/org.asynchttpclient/async-http-client-netty-utils@2.10.1 | | 0 | | 23
avro-1.7.4.jar | cpe:2.3:a:apache:avro:1.7.4:*:*:*:*:*:*:* | pkg:maven/org.apache.avro/avro@1.7.4 | HIGH | 1 | Highest | 25
avro-1.8.2.jar (shaded: org.apache.avro:avro-guava-dependencies:1.8.2) | cpe:2.3:a:apache:avro:1.8.2:*:*:*:*:*:*:* | pkg:maven/org.apache.avro/avro-guava-dependencies@1.8.2 | HIGH | 1 | Highest | 11
avro-1.8.2.jar | cpe:2.3:a:apache:avro:1.8.2:*:*:*:*:*:*:* | pkg:maven/org.apache.avro/avro@1.8.2 | HIGH | 1 | Highest | 33
bonecp-0.8.0.RELEASE.jar | | pkg:maven/com.jolbox/bonecp@0.8.0.RELEASE | | 0 | | 22
bootstrap.min.js | | | | 0 | | 0
breeze-macros_2.11-0.13.2.jar | | pkg:maven/org.scalanlp/breeze-macros_2.11@0.13.2 | | 0 | | 28
breeze-macros_2.12-0.13.2.jar | | pkg:maven/org.scalanlp/breeze-macros_2.12@0.13.2 | | 0 | | 28
breeze_2.11-0.13.2.jar | | pkg:maven/org.scalanlp/breeze_2.11@0.13.2 | | 0 | | 26
breeze_2.12-0.13.2.jar | | pkg:maven/org.scalanlp/breeze_2.12@0.13.2 | | 0 | | 26
byte-buddy-1.6.11.jar (shaded: net.bytebuddy:byte-buddy-dep:1.6.11) | | pkg:maven/net.bytebuddy/byte-buddy-dep@1.6.11 | | 0 | | 9
byte-buddy-1.6.11.jar | | pkg:maven/net.bytebuddy/byte-buddy@1.6.11 | | 0 | | 25
byte-buddy-agent-1.6.11.jar | | pkg:maven/net.bytebuddy/byte-buddy-agent@1.6.11 | | 0 | | 31
calcite-avatica-1.2.0-incubating.jar | cpe:2.3:a:apache:apache_calcite_avatica:1.2.0:*:*:*:*:*:*:*; cpe:2.3:a:apache:calcite:1.2.0:*:*:*:*:*:*:* | pkg:maven/org.apache.calcite/calcite-avatica@1.2.0-incubating | CRITICAL | 3 | Highest | 24
calcite-core-1.2.0-incubating.jar | cpe:2.3:a:apache:calcite:1.2.0:*:*:*:*:*:*:* | pkg:maven/org.apache.calcite/calcite-core@1.2.0-incubating | CRITICAL | 2 | Highest | 24
chill-java-0.9.3.jar | | pkg:maven/com.twitter/chill-java@0.9.3 | | 0 | | 35
chill_2.11-0.9.3.jar | | pkg:maven/com.twitter/chill_2.11@0.9.3 | | 0 | | 32
chill_2.12-0.9.3.jar | | pkg:maven/com.twitter/chill_2.12@0.9.3 | | 0 | | 32
commons-beanutils-1.7.0.jar | cpe:2.3:a:apache:commons_beanutils:1.7.0:*:*:*:*:*:*:*; cpe:2.3:a:apache:commons_net:1.7.0:*:*:*:*:*:*:* | pkg:maven/commons-beanutils/commons-beanutils@1.7.0 | HIGH | 3 | Highest | 21
commons-beanutils-core-1.8.0.jar | cpe:2.3:a:apache:commons_beanutils:1.8.0:*:*:*:*:*:*:*; cpe:2.3:a:apache:commons_net:1.8.0:*:*:*:*:*:*:* | pkg:maven/commons-beanutils/commons-beanutils-core@1.8.0 | HIGH | 3 | Highest | 30
commons-cli-1.2.jar | cpe:2.3:a:apache:commons_net:1.2:*:*:*:*:*:*:* | pkg:maven/commons-cli/commons-cli@1.2 | MEDIUM | 1 | Highest | 68
commons-codec-1.9.jar | cpe:2.3:a:apache:commons_net:1.9:*:*:*:*:*:*:* | pkg:maven/commons-codec/commons-codec@1.9 | MEDIUM | 1 | Highest | 101
commons-collections-3.2.2.jar | cpe:2.3:a:apache:commons_collections:3.2.2:*:*:*:*:*:*:*; cpe:2.3:a:apache:commons_net:3.2.2:*:*:*:*:*:*:* | pkg:maven/commons-collections/commons-collections@3.2.2 | MEDIUM | 1 | Highest | 86
commons-compiler-3.0.9.jar | | pkg:maven/org.codehaus.janino/commons-compiler@3.0.9 | | 0 | | 33
commons-compress-1.4.1.jar | cpe:2.3:a:apache:commons_compress:1.4.1:*:*:*:*:*:*:*; cpe:2.3:a:apache:commons_net:1.4.1:*:*:*:*:*:*:* | pkg:maven/org.apache.commons/commons-compress@1.4.1 | HIGH | 4 | Highest | 62
commons-compress-1.8.1.jar | cpe:2.3:a:apache:commons_compress:1.8.1:*:*:*:*:*:*:*; cpe:2.3:a:apache:commons_net:1.8.1:*:*:*:*:*:*:* | pkg:maven/org.apache.commons/commons-compress@1.8.1 | HIGH | 6 | Highest | 80
commons-configuration-1.6.jar | cpe:2.3:a:apache:commons_configuration:1.6:*:*:*:*:*:*:*; cpe:2.3:a:apache:commons_net:1.6:*:*:*:*:*:*:* | pkg:maven/commons-configuration/commons-configuration@1.6 | MEDIUM | 1 | Highest | 130
commons-crypto-1.0.0.jar | cpe:2.3:a:apache:commons_net:1.0.0:*:*:*:*:*:*:* | pkg:maven/org.apache.commons/commons-crypto@1.0.0 | MEDIUM | 1 | Highest | 116
commons-crypto-1.0.0.jar: commons-crypto.dll | | | | 0 | | 2
commons-crypto-1.0.0.jar: commons-crypto.dll | | | | 0 | | 2
commons-daemon-1.0.13.jar | cpe:2.3:a:apache:apache_commons_daemon:1.0.13:*:*:*:*:*:*:*; cpe:2.3:a:apache:commons_net:1.0.13:*:*:*:*:*:*:* | pkg:maven/commons-daemon/commons-daemon@1.0.13 | MEDIUM | 1 | Highest | 68
commons-dbcp-1.4.jar | cpe:2.3:a:apache:commons_net:1.4:*:*:*:*:*:*:* | pkg:maven/commons-dbcp/commons-dbcp@1.4 | MEDIUM | 1 | Highest | 96
commons-digester-1.8.jar | cpe:2.3:a:apache:commons_net:1.8:*:*:*:*:*:*:* | pkg:maven/commons-digester/commons-digester@1.8 | MEDIUM | 1 | Highest | 90
commons-httpclient-3.1.jar | cpe:2.3:a:apache:commons-httpclient:3.1:*:*:*:*:*:*:*; cpe:2.3:a:apache:commons_net:3.1:*:*:*:*:*:*:*; cpe:2.3:a:apache:httpclient:3.1:*:*:*:*:*:*:* | pkg:maven/commons-httpclient/commons-httpclient@3.1 | MEDIUM | 3 | Highest | 91
commons-io-2.4.jar | cpe:2.3:a:apache:commons_io:2.4:*:*:*:*:*:*:*; cpe:2.3:a:apache:commons_net:2.4:*:*:*:*:*:*:* | pkg:maven/commons-io/commons-io@2.4 | MEDIUM | 2 | Highest | 109
commons-io-2.5.jar | cpe:2.3:a:apache:commons_io:2.5:*:*:*:*:*:*:*; cpe:2.3:a:apache:commons_net:2.5:*:*:*:*:*:*:* | pkg:maven/commons-io/commons-io@2.5 | MEDIUM | 2 | Highest | 119
commons-lang-2.6.jar | cpe:2.3:a:apache:commons_net:2.6:*:*:*:*:*:*:* | pkg:maven/commons-lang/commons-lang@2.6 | MEDIUM | 1 | Highest | 122
commons-lang3-3.5.jar | cpe:2.3:a:apache:commons_net:3.5:*:*:*:*:*:*:* | pkg:maven/org.apache.commons/commons-lang3@3.5 | MEDIUM | 1 | Highest | 141
commons-lang3-3.6.jar | cpe:2.3:a:apache:commons_net:3.6:*:*:*:*:*:*:* | pkg:maven/org.apache.commons/commons-lang3@3.6 | MEDIUM | 1 | Highest | 141
commons-logging-1.1.3.jar | cpe:2.3:a:apache:commons_net:1.1.3:*:*:*:*:*:*:* | pkg:maven/commons-logging/commons-logging@1.1.3 | MEDIUM | 1 | Highest | 118
commons-logging-1.2.jar | cpe:2.3:a:apache:commons_net:1.2:*:*:*:*:*:*:* | pkg:maven/commons-logging/commons-logging@1.2 | MEDIUM | 1 | Highest | 117
commons-math3-3.1.1.jar | cpe:2.3:a:apache:commons_net:3.1.1:*:*:*:*:*:*:* | pkg:maven/org.apache.commons/commons-math3@3.1.1 | MEDIUM | 1 | Highest | 126
commons-math3-3.4.1.jar | cpe:2.3:a:apache:commons_net:3.4.1:*:*:*:*:*:*:* | pkg:maven/org.apache.commons/commons-math3@3.4.1 | MEDIUM | 1 | Highest | 132
commons-net-3.1.jar | cpe:2.3:a:apache:commons_net:3.1:*:*:*:*:*:*:* | pkg:maven/commons-net/commons-net@3.1 | MEDIUM | 1 | Highest | 91
commons-pool-1.5.4.jar | cpe:2.3:a:apache:commons_net:1.5.4:*:*:*:*:*:*:* | pkg:maven/commons-pool/commons-pool@1.5.4 | MEDIUM | 1 | Highest | 74
compress-lzf-1.0.3.jar | | pkg:maven/com.ning/compress-lzf@1.0.3 | | 0 | | 31
core-1.1.2.jar | | pkg:maven/com.github.fommil.netlib/core@1.1.2 | | 0 | | 23
curator-client-2.7.1.jar | | pkg:maven/org.apache.curator/curator-client@2.7.1 | | 0 | | 23
curator-framework-2.6.0.jar | | pkg:maven/org.apache.curator/curator-framework@2.6.0 | | 0 | | 27
curator-framework-2.7.1.jar | | pkg:maven/org.apache.curator/curator-framework@2.7.1 | | 0 | | 27
curator-recipes-2.6.0.jar | | pkg:maven/org.apache.curator/curator-recipes@2.6.0 | | 0 | | 25
curator-recipes-2.7.1.jar | | pkg:maven/org.apache.curator/curator-recipes@2.7.1 | | 0 | | 25
dataTables.bootstrap.min.js | | | | 0 | | 0
datanucleus-api-jdo-3.2.6.jar | | pkg:maven/org.datanucleus/datanucleus-api-jdo@3.2.6 | | 0 | | 31
datanucleus-core-3.2.10.jar | cpe:2.3:a:eclipse:equinox:3.2.10:*:*:*:*:*:*:* | pkg:maven/org.datanucleus/datanucleus-core@3.2.10 | HIGH | 1 | Low | 29
datanucleus-rdbms-3.2.9.jar | | pkg:maven/org.datanucleus/datanucleus-rdbms@3.2.9 | | 0 | | 31
derby-10.12.1.1.jar | cpe:2.3:a:apache:derby:10.12.1.1:*:*:*:*:*:*:* | pkg:maven/org.apache.derby/derby@10.12.1.1 | MEDIUM | 1 | Highest | 24
eigenbase-properties-1.1.5.jar | | pkg:maven/net.hydromatic/eigenbase-properties@1.1.5 | | 0 | | 34
flatbuffers-1.2.0-3f79e055.jar | cpe:2.3:a:google:gmail:1.2.0:*:*:*:*:*:*:* | pkg:maven/com.vlkan/flatbuffers@1.2.0-3f79e055 | | 0 | Low | 27
gson-2.2.4.jar | cpe:2.3:a:google:gson:2.2.4:*:*:*:*:*:*:* | pkg:maven/com.google.code.gson/gson@2.2.4 | HIGH | 1 | Highest | 41
guava-11.0.2.jar | cpe:2.3:a:google:guava:11.0.2:*:*:*:*:*:*:* | pkg:maven/com.google.guava/guava@11.0.2 | MEDIUM | 2 | Highest | 20
guava-16.0.1.jar | cpe:2.3:a:google:guava:16.0.1:*:*:*:*:*:*:* | pkg:maven/com.google.guava/guava@16.0.1 | MEDIUM | 2 | Highest | 19
guice-3.0.jar | | pkg:maven/com.google.inject/guice@3.0 | | 0 | | 29
guice-servlet-3.0.jar | | pkg:maven/com.google.inject.extensions/guice-servlet@3.0 | | 0 | | 28
hadoop-hdfs-2.7.3-tests.jar: bootstrap.min.js | | pkg:javascript/bootstrap@3.0.2 | MEDIUM | 5 | | 3
hadoop-hdfs-2.7.3-tests.jar: dfs-dust.js | | | | 0 | | 0
hadoop-hdfs-2.7.3-tests.jar: dfshealth.js | | | | 0 | | 0
hadoop-hdfs-2.7.3-tests.jar: dust-full-2.0.0.min.js | | | | 0 | | 0
hadoop-hdfs-2.7.3-tests.jar: dust-helpers-1.1.1.min.js | | | | 0 | | 0
hadoop-hdfs-2.7.3-tests.jar: explorer.js | | | | 0 | | 0
hadoop-hdfs-2.7.3-tests.jar: jquery-1.10.2.min.js | | pkg:javascript/jquery@1.10.2.min | MEDIUM | 4 | | 3
hadoop-hdfs-2.7.3-tests.jar: snn.js | | | | 0 | | 0
hadoop-yarn-common-2.7.3.jar: jquery-1.8.2.min.js.gz: jquery-1.8.2.min.js | | pkg:javascript/jquery@1.8.2.min | MEDIUM | 5 | | 3
hadoop-yarn-common-2.7.3.jar: jquery-ui-1.9.1.custom.min.js.gz: jquery-ui-1.9.1.custom.min.js | | pkg:javascript/jquery-ui-dialog@1.9.1; pkg:javascript/jquery-ui@1.9.1 | MEDIUM | 6 | | 5
hadoop-yarn-common-2.7.3.jar: jquery.dataTables.min.js.gz: jquery.dataTables.min.js | | | | 0 | | 0
hadoop-yarn-common-2.7.3.jar: jquery.jstree.js.gz: jquery.jstree.js | | | | 0 | | 0
hadoop-yarn-common-2.7.3.jar: natural.js | | | | 0 | | 0
hadoop-yarn-common-2.7.3.jar: yarn.dt.plugins.js | | | | 0 | | 0
hadoop-yarn-server-common-2.7.3.jar | cpe:2.3:a:apache:hadoop:2.7.3:*:*:*:*:*:*:* | pkg:maven/org.apache.hadoop/hadoop-yarn-server-common@2.7.3 | CRITICAL | 12 | Highest | 27
hive-exec-1.2.1.spark2.jar (shaded: com.esotericsoftware.kryo:kryo:2.21) | cpe:2.3:a:google:gmail:2.21:*:*:*:*:*:*:* | pkg:maven/com.esotericsoftware.kryo/kryo@2.21 | | 0 | Low | 15
hive-exec-1.2.1.spark2.jar (shaded: org.spark-project.hive.shims:hive-shims-0.20S:1.2.1.spark2) | | pkg:maven/org.spark-project.hive.shims/hive-shims-0.20S@1.2.1.spark2 | | 0 | | 11
hive-exec-1.2.1.spark2.jar (shaded: org.spark-project.hive.shims:hive-shims-0.23:1.2.1.spark2) | | pkg:maven/org.spark-project.hive.shims/hive-shims-0.23@1.2.1.spark2 | | 0 | | 11
hive-exec-1.2.1.spark2.jar (shaded: org.spark-project.hive.shims:hive-shims-common:1.2.1.spark2) | | pkg:maven/org.spark-project.hive.shims/hive-shims-common@1.2.1.spark2 | | 0 | | 11
hive-exec-1.2.1.spark2.jar (shaded: org.spark-project.hive:hive-common:1.2.1.spark2) | | pkg:maven/org.spark-project.hive/hive-common@1.2.1.spark2 | | 0 | | 9
hive-exec-1.2.1.spark2.jar (shaded: org.spark-project.hive:hive-serde:1.2.1.spark2) | | pkg:maven/org.spark-project.hive/hive-serde@1.2.1.spark2 | | 0 | | 9
hive-exec-1.2.1.spark2.jar | cpe:2.3:a:apache:hive:1.2.1:*:*:*:*:*:*:*; cpe:2.3:a:apache:spark:1.2.1:ark2:*:*:*:*:*:* | pkg:maven/org.spark-project.hive/hive-exec@1.2.1.spark2 | CRITICAL | 19 | Highest | 21
hive-exec-1.2.1.spark2.jar: minlog-1.2.jar | cpe:2.3:a:google:gmail:1.2:*:*:*:*:*:*:* | pkg:maven/com.esotericsoftware.minlog/minlog@1.2 | | 0 | Low | 25
hive-exec-1.2.1.spark2.jar: objenesis-1.2.jar | | | | 0 | | 20
hive-exec-1.2.1.spark2.jar: reflectasm-1.07-shaded.jar | cpe:2.3:a:google:gmail:1.07:*:*:*:*:*:*:* | pkg:maven/com.esotericsoftware.reflectasm/reflectasm@1.07 | | 0 | Low | 28
hk2-api-2.4.0-b34.jar | | pkg:maven/org.glassfish.hk2/hk2-api@2.4.0-b34 | | 0 | | 23
hk2-locator-2.4.0-b34.jar | cpe:2.3:a:service_project:service:2.4.0.b34:*:*:*:*:*:*:* | pkg:maven/org.glassfish.hk2/hk2-locator@2.4.0-b34 | | 0 | Low | 19
hk2-utils-2.4.0-b34.jar (shaded: org.jvnet:tiger-types:1.4) | | pkg:maven/org.jvnet/tiger-types@1.4 | | 0 | | 12
hk2-utils-2.4.0-b34.jar | cpe:2.3:a:oracle:utilities_framework:2.4.0.b34:*:*:*:*:*:*:* | pkg:maven/org.glassfish.hk2/hk2-utils@2.4.0-b34 | | 0 | Low | 27
hppc-0.7.2.jar | | pkg:maven/com.carrotsearch/hppc@0.7.2 | | 0 | | 25
htrace-core-3.1.0-incubating.jar (shaded: com.fasterxml.jackson.core:jackson-core:2.4.0) | cpe:2.3:a:fasterxml:jackson-modules-java8:2.4.0:*:*:*:*:*:*:* | pkg:maven/com.fasterxml.jackson.core/jackson-core@2.4.0 | MEDIUM | 1 | Low | 16
htrace-core-3.1.0-incubating.jar (shaded: com.fasterxml.jackson.core:jackson-databind:2.4.0) | cpe:2.3:a:fasterxml:jackson-databind:2.4.0:*:*:*:*:*:*:*; cpe:2.3:a:fasterxml:jackson-modules-java8:2.4.0:*:*:*:*:*:*:* | pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.4.0 | CRITICAL | 8 | Highest | 16
htrace-core-3.1.0-incubating.jar (shaded: commons-logging:commons-logging:1.1.1) | cpe:2.3:a:apache:commons_net:1.1.1:*:*:*:*:*:*:* | pkg:maven/commons-logging/commons-logging@1.1.1 | MEDIUM | 1 | Highest | 88
htrace-core-3.1.0-incubating.jar | | pkg:maven/org.apache.htrace/htrace-core@3.1.0-incubating | | 0 | | 24
httpclient-4.5.3.jar | cpe:2.3:a:apache:httpclient:4.5.3:*:*:*:*:*:*:* | pkg:maven/org.apache.httpcomponents/httpclient@4.5.3 | MEDIUM | 1 | Highest | 32
httpcore-4.4.4.jar | | pkg:maven/org.apache.httpcomponents/httpcore@4.4.4 | | 0 | | 30
httpmime-4.5.1.jar | | pkg:maven/org.apache.httpcomponents/httpmime@4.5.1 | | 0 | | 30
ivy-2.4.0.jar | cpe:2.3:a:apache:ivy:2.4.0:*:*:*:*:*:*:* | pkg:maven/org.apache.ivy/ivy@2.4.0 | CRITICAL | 2 | Highest | 39
jackson-core-2.12.7.jar | cpe:2.3:a:fasterxml:jackson-modules-java8:2.12.7:*:*:*:*:*:*:* | pkg:maven/com.fasterxml.jackson.core/jackson-core@2.12.7 | | 0 | Low | 49
jackson-core-asl-1.9.13.jar | | pkg:maven/org.codehaus.jackson/jackson-core-asl@1.9.13 | | 0 | | 38
jackson-databind-2.12.7.1.jar | cpe:2.3:a:fasterxml:jackson-databind:2.12.7.1:*:*:*:*:*:*:*; cpe:2.3:a:fasterxml:jackson-modules-java8:2.12.7.1:*:*:*:*:*:*:* | pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.12.7.1 | | 0 | Highest | 44
jackson-jaxrs-1.8.3.jar | | pkg:maven/org.codehaus.jackson/jackson-jaxrs@1.8.3 | | 0 | | 32
jackson-jaxrs-1.9.13.jar | | pkg:maven/org.codehaus.jackson/jackson-jaxrs@1.9.13 | | 0 | | 38
jackson-mapper-asl-1.9.13.jar | cpe:2.3:a:fasterxml:jackson-mapper-asl:1.9.13:*:*:*:*:*:*:* | pkg:maven/org.codehaus.jackson/jackson-mapper-asl@1.9.13 | HIGH | 2 | High | 36
jackson-module-scala_2.11-2.12.7.jar | | pkg:maven/com.fasterxml.jackson.module/jackson-module-scala_2.11@2.12.7 | | 0 | | 52
jackson-module-scala_2.12-2.12.7.jar | | pkg:maven/com.fasterxml.jackson.module/jackson-module-scala_2.12@2.12.7 | | 0 | | 52
jackson-xc-1.8.3.jar | cpe:2.3:a:fasterxml:jackson-databind:1.8.3:*:*:*:*:*:*:* | pkg:maven/org.codehaus.jackson/jackson-xc@1.8.3 | CRITICAL | 4 | Low | 32
jackson-xc-1.9.13.jar | cpe:2.3:a:fasterxml:jackson-databind:1.9.13:*:*:*:*:*:*:* | pkg:maven/org.codehaus.jackson/jackson-xc@1.9.13 | CRITICAL | 4 | Low | 38
janino-3.0.9.jar | | pkg:maven/org.codehaus.janino/janino@3.0.9 | | 0 | | 30
java-xmlbuilder-0.4.jar | | pkg:maven/com.jamesmurty.utils/java-xmlbuilder@0.4 | | 0 | | 28
javassist-3.18.1-GA.jar | | pkg:maven/org.javassist/javassist@3.18.1-GA | | 0 | | 53
javax.activation-1.2.0.jar | | pkg:maven/com.sun.activation/javax.activation@1.2.0 | | 0 | | 40
javax.annotation-api-1.2.jar | | pkg:maven/javax.annotation/javax.annotation-api@1.2 | | 0 | | 44
javax.inject-1.jar | | pkg:maven/javax.inject/javax.inject@1 | | 0 | | 20
javax.inject-2.4.0-b34.jar | | pkg:maven/org.glassfish.hk2.external/javax.inject@2.4.0-b34 | | 0 | | 23
javax.servlet-api-3.1.0.jar | cpe:2.3:a:oracle:java_se:3.1.0:*:*:*:*:*:*:* | pkg:maven/javax.servlet/javax.servlet-api@3.1.0 | | 0 | Medium | 49
javax.ws.rs-api-2.0.1.jar | cpe:2.3:a:oracle:java_se:2.0.1:*:*:*:*:*:*:* | pkg:maven/javax.ws.rs/javax.ws.rs-api@2.0.1 | | 0 | Low | 59
javolution-5.5.1.jar | | pkg:maven/javolution/javolution@5.5.1 | | 0 | | 35
jaxb-api-2.2.2.jar | | pkg:maven/javax.xml.bind/jaxb-api@2.2.2 | | 0 | | 32
jaxb-impl-2.2.3-1.jar | | pkg:maven/com.sun.xml.bind/jaxb-impl@2.2.3-1 | | 0 | | 30
jcl-over-slf4j-1.7.16.jar | | pkg:maven/org.slf4j/jcl-over-slf4j@1.7.16 | | 0 | | 23
jdo-api-3.0.1.jar | | pkg:maven/javax.jdo/jdo-api@3.0.1 | | 0 | | 95
jersey-common-2.22.2.jar | cpe:2.3:a:jersey_project:jersey:2.22.2:*:*:*:*:*:*:* | pkg:maven/org.glassfish.jersey.core/jersey-common@2.22.2 | MEDIUM | 1 | Highest | 25
jersey-core-1.9.jar | cpe:2.3:a:jersey_project:jersey:1.9:*:*:*:*:*:*:* | pkg:maven/com.sun.jersey/jersey-core@1.9 | HIGH | 1 | Highest | 30
jersey-server-1.9.jar | cpe:2.3:a:jersey_project:jersey:1.9:*:*:*:*:*:*:* | pkg:maven/com.sun.jersey/jersey-server@1.9 | | 0 | Highest | 30
jersey-server-2.22.2.jar | cpe:2.3:a:jersey_project:jersey:2.22.2:*:*:*:*:*:*:* | pkg:maven/org.glassfish.jersey.core/jersey-server@2.22.2 | | 0 | Highest | 29
jets3t-0.9.0.jar | cpe:2.3:a:service_project:service:0.9.0:*:*:*:*:*:*:* | pkg:maven/net.java.dev.jets3t/jets3t@0.9.0 | | 0 | Low | 24
jettison-1.1.jar | cpe:2.3:a:jettison_project:jettison:1.1:*:*:*:*:*:*:* | pkg:maven/org.codehaus.jettison/jettison@1.1 | HIGH | 2 | Highest | 23
jetty-6.1.26.jar | cpe:2.3:a:jetty:jetty:6.1.26:*:*:*:*:*:*:*; cpe:2.3:a:mortbay:jetty:6.1.26:*:*:*:*:*:*:*; cpe:2.3:a:mortbay_jetty:jetty:6.1.26:*:*:*:*:*:*:* | pkg:maven/org.mortbay.jetty/jetty@6.1.26 | MEDIUM | 2 | Highest | 34
jetty-server-9.3.24.v20180605.jar | cpe:2.3:a:eclipse:jetty:9.3.24:20180605:*:*:*:*:*:*; cpe:2.3:a:jetty:jetty:9.3.24:20180605:*:*:*:*:*:*; cpe:2.3:a:mortbay_jetty:jetty:9.3.24:20180605:*:*:*:*:*:* | pkg:maven/org.eclipse.jetty/jetty-server@9.3.24.v20180605 | HIGH | 9 | Highest | 39
jetty-util-9.3.24.v20180605.jar | cpe:2.3:a:eclipse:jetty:9.3.24:20180605:*:*:*:*:*:*; cpe:2.3:a:jetty:jetty:9.3.24:20180605:*:*:*:*:*:*; cpe:2.3:a:mortbay_jetty:jetty:9.3.24:20180605:*:*:*:*:*:* | pkg:maven/org.eclipse.jetty/jetty-util@9.3.24.v20180605 | HIGH | 10 | Highest | 39
jetty-xml-9.4.6.v20170531.jar | cpe:2.3:a:eclipse:jetty:9.4.6:20170531:*:*:*:*:*:*; cpe:2.3:a:jetty:jetty:9.4.6:20170531:*:*:*:*:*:*; cpe:2.3:a:mortbay_jetty:jetty:9.4.6:20170531:*:*:*:*:*:* | pkg:maven/org.eclipse.jetty/jetty-xml@9.4.6.v20170531 | CRITICAL | 16 | Highest | 39
jline-0.9.94.jar | | pkg:maven/jline/jline@0.9.94 | | 0 | | 24
jline-0.9.94.jar: jline32.dll | | | | 0 | | 4
jline-0.9.94.jar: jline64.dll | | | | 0 | | 4
joda-time-2.9.1.jar | | pkg:maven/joda-time/joda-time@2.9.1 | | 0 | | 45
joda-time-2.9.3.jar | | pkg:maven/joda-time/joda-time@2.9.3 | | 0 | | 45
jodd-core-3.5.2.jar | cpe:2.3:a:jodd:jodd:3.5.2:*:*:*:*:*:*:* | pkg:maven/org.jodd/jodd-core@3.5.2 | CRITICAL | 1 | Highest | 40
jquery.dataTables.min.js | | | | 0 | | 0
jsch-0.1.42.jar | cpe:2.3:a:jcraft:jsch:0.1.42:*:*:*:*:*:*:* | pkg:maven/com.jcraft/jsch@0.1.42 | MEDIUM | 1 | Highest | 24
json4s-ast_2.11-3.5.3.jar | | pkg:maven/org.json4s/json4s-ast_2.11@3.5.3 | | 0 | | 33
json4s-ast_2.12-3.5.3.jar | | pkg:maven/org.json4s/json4s-ast_2.12@3.5.3 | | 0 | | 33
json4s-core_2.11-3.5.3.jar | | pkg:maven/org.json4s/json4s-core_2.11@3.5.3 | | 0 | | 33
json4s-core_2.12-3.5.3.jar | | pkg:maven/org.json4s/json4s-core_2.12@3.5.3 | | 0 | | 33
json4s-jackson_2.11-3.5.3.jar | | pkg:maven/org.json4s/json4s-jackson_2.11@3.5.3 | | 0 | | 35
json4s-jackson_2.12-3.5.3.jar | | pkg:maven/org.json4s/json4s-jackson_2.12@3.5.3 | | 0 | | 35
json4s-scalap_2.11-3.5.3.jar | | pkg:maven/org.json4s/json4s-scalap_2.11@3.5.3 | | 0 | | 35
json4s-scalap_2.12-3.5.3.jar | | pkg:maven/org.json4s/json4s-scalap_2.12@3.5.3 | | 0 | | 35
json4s-xml_2.11-3.6.3.jar | | pkg:maven/org.json4s/json4s-xml_2.11@3.6.3 | | 0 | | 35
jsp-api-2.1.jar | | pkg:maven/javax.servlet.jsp/jsp-api@2.1 | | 0 | | 22
jsr305-1.3.9.jar | | pkg:maven/com.google.code.findbugs/jsr305@1.3.9 | | 0 | | 16
jsr305-3.0.0.jar | | pkg:maven/com.google.code.findbugs/jsr305@3.0.0 | | 0 | | 30
jta-1.1.jar | | pkg:maven/javax.transaction/jta@1.1 | | 0 | | 22
jtransforms-2.4.0.jar | | pkg:maven/com.github.rwl/jtransforms@2.4.0 | | 0 | | 27
jul-to-slf4j-1.7.16.jar | | pkg:maven/org.slf4j/jul-to-slf4j@1.7.16 | | 0 | | 26
juniversalchardet-1.0.3.jar | | pkg:maven/com.googlecode.juniversalchardet/juniversalchardet@1.0.3 | | 0 | | 24
kryo-shaded-4.0.2.jar (shaded: com.esotericsoftware:reflectasm:1.11.3) | | pkg:maven/com.esotericsoftware/reflectasm@1.11.3 | | 0 | | 15
kryo-shaded-4.0.2.jar | | pkg:maven/com.esotericsoftware/kryo-parent@4.0.2; pkg:maven/com.esotericsoftware/kryo-shaded@4.0.2 | | 0 | | 37
leveldbjni-all-1.8.jar | | pkg:maven/org.fusesource.leveldbjni/leveldbjni-all@1.8 | | 0 | | 31
leveldbjni-all-1.8.jar: leveldbjni.dll | | | | 0 | | 2
leveldbjni-all-1.8.jar: leveldbjni.dll | | | | 0 | | 2
libfb303-0.9.3.jar | cpe:2.3:a:apache:thrift:0.9.3:*:*:*:*:*:*:* | pkg:maven/org.apache.thrift/libfb303@0.9.3 | HIGH | 6 | Highest | 88
libthrift-0.9.3.jar | cpe:2.3:a:apache:thrift:0.9.3:*:*:*:*:*:*:* | pkg:maven/org.apache.thrift/libthrift@0.9.3 | HIGH | 6 | Highest | 96
livy-ui.js | | | | 0 | | 0
log4j-1.2.16.jar | cpe:2.3:a:apache:log4j:1.2.16:*:*:*:*:*:*:* | pkg:maven/log4j/log4j@1.2.16 | CRITICAL | 6 | Highest | 30
lz4-java-1.4.0.jar | | pkg:maven/org.lz4/lz4-java@1.4.0 | | 0 | | 34
machinist_2.11-0.6.1.jar | | pkg:maven/org.typelevel/machinist_2.11@0.6.1 | | 0 | | 34
machinist_2.12-0.6.1.jar | | pkg:maven/org.typelevel/machinist_2.12@0.6.1 | | 0 | | 34
macro-compat_2.11-1.1.1.jar | | pkg:maven/org.typelevel/macro-compat_2.11@1.1.1 | | 0 | | 27
macro-compat_2.12-1.1.1.jar | | pkg:maven/org.typelevel/macro-compat_2.12@1.1.1 | | 0 | | 27
metrics-core-3.1.0.jar | | pkg:maven/io.dropwizard.metrics/metrics-core@3.1.0 | | 0 | | 22
metrics-graphite-3.1.5.jar | | pkg:maven/io.dropwizard.metrics/metrics-graphite@3.1.5 | | 0 | | 24
metrics-healthchecks-3.1.0.jar | | pkg:maven/io.dropwizard.metrics/metrics-healthchecks@3.1.0 | | 0 | | 24
metrics-json-3.1.5.jar | | pkg:maven/io.dropwizard.metrics/metrics-json@3.1.5 | | 0 | | 24
metrics-json-3.2.3.jar | | pkg:maven/io.dropwizard.metrics/metrics-json@3.2.3 | | 0 | | 24
metrics-jvm-3.1.5.jar | | pkg:maven/io.dropwizard.metrics/metrics-jvm@3.1.5 | | 0 | | 24
metrics-jvm-3.2.3.jar | | pkg:maven/io.dropwizard.metrics/metrics-jvm@3.2.3 | | 0 | | 24
metrics-scala_2.11-3.5.9.jar | cpe:2.3:a:scully:scully:3.5.9:*:*:*:*:*:*:* | pkg:maven/nl.grons/metrics-scala_2.11@3.5.9 | | 0 | Low | 32
metrics-servlet-3.2.3.jar | | pkg:maven/io.dropwizard.metrics/metrics-servlet@3.2.3 | | 0 | | 24
metrics-servlets-3.2.3.jar | | pkg:maven/io.dropwizard.metrics/metrics-servlets@3.2.3 | | 0 | | 24
mime-util-2.1.3.jar | | pkg:maven/eu.medsea.mimeutil/mime-util@2.1.3 | | 0 | | 53
minlog-1.3.0.jar | | pkg:maven/com.esotericsoftware/minlog@1.3.0 | | 0 | | 33
mockito-core-2.7.22.jar | | pkg:maven/org.mockito/mockito-core@2.7.22 | | 0 | | 41
netty-3.6.2.Final.jar | cpe:2.3:a:netty:netty:3.6.2:*:*:*:*:*:*:* | pkg:maven/io.netty/netty@3.6.2.Final | CRITICAL | 13 | Highest | 41
netty-3.7.0.Final.jar | cpe:2.3:a:netty:netty:3.7.0:*:*:*:*:*:*:* | pkg:maven/io.netty/netty@3.7.0.Final | CRITICAL | 13 | Highest | 41
netty-3.9.9.Final.jar | cpe:2.3:a:netty:netty:3.9.9:*:*:*:*:*:*:* | pkg:maven/io.netty/netty@3.9.9.Final | CRITICAL | 10 | Highest | 41
netty-all-4.1.17.Final.jar | cpe:2.3:a:netty:netty:4.1.17:*:*:*:*:*:*:* | pkg:maven/io.netty/netty-all@4.1.17.Final | CRITICAL | 13 | Highest | 22
netty-common-4.1.36.Final.jar (shaded: org.jctools:jctools-core:2.1.1) | | pkg:maven/org.jctools/jctools-core@2.1.1 | | 0 | | 9
netty-reactive-streams-2.0.3.jar | | pkg:maven/com.typesafe.netty/netty-reactive-streams@2.0.3 | | 0 | | 27
netty-transport-4.1.36.Final.jar | cpe:2.3:a:netty:netty:4.1.36:*:*:*:*:*:*:* | pkg:maven/io.netty/netty-transport@4.1.36.Final | CRITICAL | 11 | Highest | 32
objenesis-2.5.1.jar | | pkg:maven/org.objenesis/objenesis@2.5.1 | | 0 | | 31
objenesis-2.5.jar | | pkg:maven/org.objenesis/objenesis@2.5 | | 0 | | 30
opencsv-2.3.jar | | pkg:maven/net.sf.opencsv/opencsv@2.3 | | 0 | | 39
orc-core-1.5.5-nohive.jar (shaded: org.apache.hive:hive-storage-api:2.6.0) | cpe:2.3:a:apache:hive:2.6.0:*:*:*:*:*:*:* | pkg:maven/org.apache.hive/hive-storage-api@2.6.0 | HIGH | 2 | Highest | 12
orc-core-1.5.5-nohive.jar | cpe:2.3:a:apache:orc:1.5.5:*:*:*:*:*:*:* | pkg:maven/org.apache.orc/orc-core@1.5.5 | | 0 | Highest | 29
org.apache.livy:livy-api:0.8.0-incubating-SNAPSHOT | cpe:2.3:a:apache:livy:0.8.0:snapshot:*:*:*:*:*:* | pkg:maven/org.apache.livy/livy-api@0.8.0-incubating-SNAPSHOT | | 0 | Highest | 6
org.apache.livy:livy-client-common:0.8.0-incubating-SNAPSHOT | cpe:2.3:a:apache:livy:0.8.0:snapshot:*:*:*:*:*:* | pkg:maven/org.apache.livy/livy-client-common@0.8.0-incubating-SNAPSHOT | | 0 | Highest | 6
org.apache.livy:livy-client-http:0.8.0-incubating-SNAPSHOT | cpe:2.3:a:apache:livy:0.8.0:snapshot:*:*:*:*:*:* | pkg:maven/org.apache.livy/livy-client-http@0.8.0-incubating-SNAPSHOT | | 0 | Highest | 6
org.apache.livy:livy-core_2.11:0.8.0-incubating-SNAPSHOT | cpe:2.3:a:apache:livy:0.8.0:snapshot:*:*:*:*:*:* | pkg:maven/org.apache.livy/livy-core_2.11@0.8.0-incubating-SNAPSHOT | | 0 | Highest | 6
org.apache.livy:livy-core_2.12:0.8.0-incubating-SNAPSHOT | cpe:2.3:a:apache:livy:0.8.0:snapshot:*:*:*:*:*:* | pkg:maven/org.apache.livy/livy-core_2.12@0.8.0-incubating-SNAPSHOT | | 0 | Highest | 6
org.apache.livy:livy-repl_2.11:0.8.0-incubating-SNAPSHOT | cpe:2.3:a:apache:livy:0.8.0:snapshot:*:*:*:*:*:* | pkg:maven/org.apache.livy/livy-repl_2.11@0.8.0-incubating-SNAPSHOT | | 0 | Highest | 6
org.apache.livy:livy-repl_2.12:0.8.0-incubating-SNAPSHOT | cpe:2.3:a:apache:livy:0.8.0:snapshot:*:*:*:*:*:* | pkg:maven/org.apache.livy/livy-repl_2.12@0.8.0-incubating-SNAPSHOT | | 0 | Highest | 6
org.apache.livy:livy-rsc:0.8.0-incubating-SNAPSHOT | cpe:2.3:a:apache:livy:0.8.0:snapshot:*:*:*:*:*:* | pkg:maven/org.apache.livy/livy-rsc@0.8.0-incubating-SNAPSHOT | | 0 | Highest | 6
org.apache.livy:livy-scala-api_2.11:0.8.0-incubating-SNAPSHOT | cpe:2.3:a:apache:livy:0.8.0:snapshot:*:*:*:*:*:* | pkg:maven/org.apache.livy/livy-scala-api_2.11@0.8.0-incubating-SNAPSHOT | | 0 | Highest | 6
org.apache.livy:livy-scala-api_2.12:0.8.0-incubating-SNAPSHOT | cpe:2.3:a:apache:livy:0.8.0:snapshot:*:*:*:*:*:* | pkg:maven/org.apache.livy/livy-scala-api_2.12@0.8.0-incubating-SNAPSHOT | | 0 | Highest | 6
org.apache.livy:livy-server:0.8.0-incubating-SNAPSHOT | cpe:2.3:a:apache:livy:0.8.0:snapshot:*:*:*:*:*:* | pkg:maven/org.apache.livy/livy-server@0.8.0-incubating-SNAPSHOT | | 0 | Highest | 6
oro-2.0.8.jar | | pkg:maven/oro/oro@2.0.8 | | 0 | | 16
osgi-resource-locator-1.0.1.jar | | pkg:maven/org.glassfish.hk2/osgi-resource-locator@1.0.1 | | 0 | | 34
paranamer-2.8.jar | | pkg:maven/com.thoughtworks.paranamer/paranamer@2.8 | | 0 | | 22
parquet-column-1.10.1.jar | cpe:2.3:a:apache:parquet-mr:1.10.1:*:*:*:*:*:*:* | pkg:maven/org.apache.parquet/parquet-column@1.10.1 | HIGH | 1 | Low | 30
parquet-format-2.4.0.jar | | pkg:maven/org.apache.parquet/parquet-format@2.4.0 | | 0 | | 40
parquet-hadoop-bundle-1.6.0.jar (shaded: com.twitter:parquet-column:1.6.0) | cpe:2.3:a:apache:parquet-mr:1.6.0:*:*:*:*:*:*:* | pkg:maven/com.twitter/parquet-column@1.6.0 | HIGH | 1 | Low | 12
parquet-hadoop-bundle-1.6.0.jar (shaded: com.twitter:parquet-format:2.2.0-rc1) | | pkg:maven/com.twitter/parquet-format@2.2.0-rc1 | | 0 | | 22
parquet-hadoop-bundle-1.6.0.jar (shaded: org.slf4j:slf4j-api:1.7.2) | | pkg:maven/org.slf4j/slf4j-api@1.7.2 | | 0 | | 11
parquet-hadoop-bundle-1.6.0.jar | cpe:2.3:a:apache:hadoop:1.6.0:*:*:*:*:*:*:*; cpe:2.3:a:apache:parquet-mr:1.6.0:*:*:*:*:*:*:* | pkg:maven/com.twitter/parquet-hadoop-bundle@1.6.0; pkg:maven/com.twitter/parquet-hadoop@1.6.0 | CRITICAL | 5 | Highest | 34
profiler-1.0.2.jar | | pkg:maven/com.papertrail/profiler@1.0.2 | | 0 | | 28
protobuf-java-2.5.0.jar | cpe:2.3:a:google:protobuf-java:2.5.0:*:*:*:*:*:*:* | pkg:maven/com.google.protobuf/protobuf-java@2.5.0 | HIGH | 3 | Highest | 28
py4j-0.10.7.jar | | pkg:maven/net.sf.py4j/py4j@0.10.7 | | 0 | | 18
pyrolite-4.13.jar | | pkg:maven/net.razorvine/pyrolite@4.13 | | 0 | | 32
reactive-streams-1.0.2.jar | | pkg:maven/org.reactivestreams/reactive-streams@1.0.2 | | 0 | | 29
scala-compiler-2.11.12.jar (shaded: jline:jline:2.14.3) | | pkg:maven/jline/jline@2.14.3 | | 0 | | 25
scala-compiler-2.11.12.jar | cpe:2.3:a:scala-lang:scala:2.11.12:*:*:*:*:*:*:* | pkg:maven/org.scala-lang/scala-compiler@2.11.12 | MEDIUM | 5 | Highest | 34
scala-compiler-2.11.12.jar: diagrams.js | | | | 0 | | 0
scala-compiler-2.11.12.jar: index.js | | | | 0 | | 0
scala-compiler-2.11.12.jar: jansi.dll | | | | 0 | | 2
scala-compiler-2.11.12.jar: jansi.dll | | | | 0 | | 2
scala-compiler-2.11.12.jar: jquery-ui.js | | pkg:javascript/jquery-ui-dialog@1.9.0; pkg:javascript/jquery-ui@1.9.0 | MEDIUM | 6 | | 5
scala-compiler-2.11.12.jar: jquery.js | | pkg:javascript/jquery@1.8.2 | MEDIUM | 5 | | 3
scala-compiler-2.11.12.jar: jquery.layout.js | | | | 0 | | 0
scala-compiler-2.11.12.jar: modernizr.custom.js | | | | 0 | | 0
scala-compiler-2.11.12.jar: raphael-min.js | | | | 0 | | 0
scala-compiler-2.11.12.jar: scheduler.js | | | | 0 | | 0
scala-compiler-2.11.12.jar: template.js | | | | 0 | | 0
scala-compiler-2.11.12.jar: tools.tooltip.js | | | | 0 | | 0
scala-compiler-2.12.10.jar (shaded: jline:jline:2.14.6) | | pkg:maven/jline/jline@2.14.6 | | 0 | | 25
scala-compiler-2.12.10.jar: diagrams.js | | | | 0 | | 0
scala-compiler-2.12.10.jar: index.js | | | | 0 | | 0
scala-compiler-2.12.10.jar: jquery.min.js | | pkg:javascript/jquery@3.4.1 | MEDIUM | 2 | | 3
scala-compiler-2.12.10.jar: jquery.mousewheel.min.js | | | | 0 | | 0
scala-compiler-2.12.10.jar: jquery.panzoom.min.js | | | | 0 | | 0
scala-compiler-2.12.10.jar: jquery.slim.min.js | | pkg:javascript/jquery@3.4.1 | MEDIUM | 2 | | 3
scala-compiler-2.12.10.jar: scheduler.js | | | | 0 | | 0
scala-compiler-2.12.10.jar: template.js | | | | 0 | | 0
scala-library-2.11.12.jar | cpe:2.3:a:scala-lang:scala:2.11.12:*:*:*:*:*:*:* | pkg:maven/org.scala-lang/scala-library@2.11.12 | | 0 | Highest | 34
scala-library-2.12.10.jar | cpe:2.3:a:scala-lang:scala:2.12.10:*:*:*:*:*:*:* | pkg:maven/org.scala-lang/scala-library@2.12.10 | | 0 | Highest | 38
scala-parser-combinators_2.11-1.0.4.jar | | pkg:maven/org.scala-lang.modules/scala-parser-combinators_2.11@1.0.4 | | 0 | | 30
scala-parser-combinators_2.11-1.0.6.jar | | pkg:maven/org.scala-lang.modules/scala-parser-combinators_2.11@1.0.6 | | 0 | | 30
scala-parser-combinators_2.11-1.1.0.jar | | pkg:maven/org.scala-lang.modules/scala-parser-combinators_2.11@1.1.0 | | 0 | | 32
scala-parser-combinators_2.12-1.1.0.jar | | pkg:maven/org.scala-lang.modules/scala-parser-combinators_2.12@1.1.0 | | 0 | | 32
scala-xml_2.11-1.0.6.jar | | pkg:maven/org.scala-lang.modules/scala-xml_2.11@1.0.6 | | 0 | | 32
scala-xml_2.11-1.2.0.jar | | pkg:maven/org.scala-lang.modules/scala-xml_2.11@1.2.0 | | 0 | | 34
scala-xml_2.12-1.0.6.jar | | pkg:maven/org.scala-lang.modules/scala-xml_2.12@1.0.6 | | 0 | | 32
scala-xml_2.12-1.2.0.jar | | pkg:maven/org.scala-lang.modules/scala-xml_2.12@1.2.0 | | 0 | | 34
scalactic_2.11-3.0.8.jar | | pkg:maven/org.scalactic/scalactic_2.11@3.0.8 | | 0 | | 41
scalatest_2.11-3.0.8.jar | | pkg:maven/org.scalatest/scalatest_2.11@3.0.8 | | 0 | | 41
scalatest_2.11-3.0.8.jar: d3.v2.min.js | | | | 0 | | 0
scalatest_2.11-3.0.8.jar: sorttable.js | | | | 0 | | 0
scalatra-common_2.11-2.6.5.jar | | pkg:maven/org.scalatra/scalatra-common_2.11@2.6.5 | | 0 | | 86
scalatra-json_2.11-2.6.5.jar | | pkg:maven/org.scalatra/scalatra-json_2.11@2.6.5 | | 0 | | 88
scalatra-metrics_2.11-2.6.5.jar | | pkg:maven/org.scalatra/scalatra-metrics_2.11@2.6.5 | | 0 | | 88
scalatra-test_2.11-2.6.5.jar | | pkg:maven/org.scalatra/scalatra-test_2.11@2.6.5 | | 0 | | 88
scalatra_2.11-2.6.5.jar | | pkg:maven/org.scalatra/scalatra_2.11@2.6.5 | | 0 | | 87
servlet-api-2.5.jar | | pkg:maven/javax.servlet/servlet-api@2.5 | | 0 | | 20
session-log.js | | | | 0 | | 0
session.js | | | | 0 | | 0
shapeless_2.11-2.3.2.jar | | pkg:maven/com.chuusai/shapeless_2.11@2.3.2 | | 0 | | 25
shapeless_2.12-2.3.2.jar | | pkg:maven/com.chuusai/shapeless_2.12@2.3.2 | | 0 | | 25
shims-0.7.45.jar | | pkg:maven/org.roaringbitmap/shims@0.7.45 | | 0 | | 17
slf4j-api-1.7.25.jar | | pkg:maven/org.slf4j/slf4j-api@1.7.25 | | 0 | | 25
slf4j-log4j12-1.7.10.jar | | pkg:maven/org.slf4j/slf4j-log4j12@1.7.10 | | 0 | | 25
slf4j-log4j12-1.7.16.jar | | pkg:maven/org.slf4j/slf4j-log4j12@1.7.16 | | 0 | | 25
snappy-0.2.jar | | pkg:maven/org.iq80.snappy/snappy@0.2 | | 0 | | 32
snappy-java-1.0.4.1.jar | cpe:2.3:a:google:snappy:1.0.4.1:*:*:*:*:*:*:* | pkg:maven/org.xerial.snappy/snappy-java@1.0.4.1 | | 0 | Highest | 35
snappy-java-1.0.4.1.jar: snappyjava.dll | | | | 0 | | 2
snappy-java-1.0.4.1.jar: snappyjava.dll | | | | 0 | | 2
snappy-java-1.1.7.3.jar | | pkg:maven/org.xerial.snappy/snappy-java@1.1.7.3 | | 0 | | 39
snappy-java-1.1.7.3.jar: snappyjava.dll | | | | 0 | | 2
snappy-java-1.1.7.3.jar: snappyjava.dll | | | | 0 | | 2
spark-core_2.11-2.4.5.jar (shaded: org.eclipse.jetty:jetty-proxy:9.3.27.v20190418) | | pkg:maven/org.eclipse.jetty/jetty-proxy@9.3.27.v20190418 | LOW | 1 | | 11
spark-core_2.11-2.4.5.jar (shaded: org.eclipse.jetty:jetty-server:9.3.27.v20190418) | cpe:2.3:a:eclipse:jetty:9.3.27:20190418:*:*:*:*:*:*; cpe:2.3:a:jetty:jetty:9.3.27:20190418:*:*:*:*:*:* | pkg:maven/org.eclipse.jetty/jetty-server@9.3.27.v20190418 | HIGH | 6 | Highest | 11
spark-core_2.11-2.4.5.jar | cpe:2.3:a:apache:spark:2.4.5:*:*:*:*:*:*:* | pkg:maven/org.apache.spark/spark-core_2.11@2.4.5 | CRITICAL | 7 | Highest | 27
spark-core_2.11-2.4.5.jar: additional-metrics.js | | | | 0 | | 0
spark-core_2.11-2.4.5.jar: bootstrap-tooltip.js | | | | 0 | | 0
spark-core_2.11-2.4.5.jar: d3.min.js | | | | 0 | | 0
spark-core_2.11-2.4.5.jar: dagre-d3.min.js | | | | 0 | | 0
spark-core_2.11-2.4.5.jar: dataTables.bootstrap.min.js | | | | 0 | | 0
spark-core_2.11-2.4.5.jar: dataTables.rowsGroup.js | | | | 0 | | 0
spark-core_2.11-2.4.5.jar: executorspage.js | | | | 0 | | 0
spark-core_2.11-2.4.5.jar: graphlib-dot.min.js | | | | 0 | | 0
spark-core_2.11-2.4.5.jar: historypage-common.js | | | | 0 | | 0
spark-core_2.11-2.4.5.jar: historypage.js | | | | 0 | | 0
spark-core_2.11-2.4.5.jar: initialize-tooltips.js | | | | 0 | | 0
spark-core_2.11-2.4.5.jar: jquery-1.12.4.min.js | | pkg:javascript/jquery@1.12.4.min | MEDIUM | 4 | | 3
spark-core_2.11-2.4.5.jar: jquery.blockUI.min.js | | | | 0 | | 0
spark-core_2.11-2.4.5.jar: jquery.cookies.2.2.0.min.js | | | | 0 | | 0
spark-core_2.11-2.4.5.jar: jquery.dataTables.1.10.18.min.js | | | | 0 | | 0
spark-core_2.11-2.4.5.jar: jquery.mustache.js | | | | 0 | | 0
spark-core_2.11-2.4.5.jar: jsonFormatter.min.js | | | | 0 | | 0
spark-core_2.11-2.4.5.jar: log-view.js | | | | 0 | | 0
spark-core_2.11-2.4.5.jar: sorttable.js | | | | 0 | | 0
spark-core_2.11-2.4.5.jar: spark-dag-viz.js | | | | 0 | | 0
spark-core_2.11-2.4.5.jar: table.js | | | | 0 | | 0
spark-core_2.11-2.4.5.jar: timeline-view.js | | | | 0 | | 0
spark-core_2.11-2.4.5.jar: utils.js | | | | 0 | | 0
spark-core_2.11-2.4.5.jar: vis.min.js | | | | 0 | | 0
spark-core_2.11-2.4.5.jar: webui.js | | | | 0 | | 0
spark-hive_2.11-2.4.5.jar | cpe:2.3:a:apache:hive:2.4.5:*:*:*:*:*:*:*; cpe:2.3:a:apache:spark:2.4.5:*:*:*:*:*:*:* | pkg:maven/org.apache.spark/spark-hive_2.11@2.4.5 | CRITICAL | 10 | Highest | 28
spark-mllib_2.11-2.4.5.jar (shaded: org.jpmml:pmml-model:1.2.15) | | pkg:maven/org.jpmml/pmml-model@1.2.15 | | 0 | | 9
spark-mllib_2.11-2.4.5.jar (shaded: org.jpmml:pmml-schema:1.2.15) | | pkg:maven/org.jpmml/pmml-schema@1.2.15 | | 0 | | 9
spark-network-common_2.11-2.4.5.jar (shaded: com.google.guava:guava:14.0.1) | cpe:2.3:a:google:guava:14.0.1:*:*:*:*:*:*:* | pkg:maven/com.google.guava/guava@14.0.1 | MEDIUM | 2 | Highest | 9
spark-sql_2.11-2.4.5.jarcpe:2.3:a:apache:spark:2.4.5:*:*:*:*:*:*:*
cpe:2.3:a:www-sql_project:www-sql:2.4.5:*:*:*:*:*:*:*
pkg:maven/org.apache.spark/spark-sql_2.11@2.4.5CRITICAL7Highest28
spark-sql_2.11-2.4.5.jar: spark-sql-viz.js 00
spark-streaming_2.11-2.4.5.jar: streaming-page.js 00
spire-macros_2.11-0.13.0.jarpkg:maven/org.spire-math/spire-macros_2.11@0.13.0 036
spire-macros_2.12-0.13.0.jarpkg:maven/org.spire-math/spire-macros_2.12@0.13.0 036
spire_2.11-0.13.0.jarpkg:maven/org.spire-math/spire_2.11@0.13.0 036
spire_2.12-0.13.0.jarpkg:maven/org.spire-math/spire_2.12@0.13.0 036
stax-api-1.0-2.jarpkg:maven/javax.xml.stream/stax-api@1.0-2 021
stax-api-1.0.1.jarpkg:maven/stax/stax-api@1.0.1 030
stream-2.7.0.jarpkg:maven/com.clearspring.analytics/stream@2.7.0 032
stringtemplate-3.2.1.jarpkg:maven/org.antlr/stringtemplate@3.2.1 038
univocity-parsers-2.7.3.jarpkg:maven/com.univocity/univocity-parsers@2.7.3 045
unused-1.0.0.jarpkg:maven/org.spark-project.spark/unused@1.0.0 029
validation-api-1.1.0.Final.jarpkg:maven/javax.validation/validation-api@1.1.0.Final 042
xbean-asm6-shaded-4.8.jar (shaded: org.apache.xbean:xbean-asm-util:4.8)pkg:maven/org.apache.xbean/xbean-asm-util@4.8 09
xbean-asm6-shaded-4.8.jarpkg:maven/org.apache.xbean/xbean-asm6-shaded@4.8 028
xercesImpl-2.9.1.jarcpe:2.3:a:apache:xerces-j:2.9.1:*:*:*:*:*:*:*
cpe:2.3:a:apache:xerces2_java:2.9.1:*:*:*:*:*:*:*
pkg:maven/xerces/xercesImpl@2.9.1HIGH6Highest69
xml-apis-1.3.04.jarcpe:2.3:a:apache:commons_net:1.3.04:*:*:*:*:*:*:*pkg:maven/xml-apis/xml-apis@1.3.04MEDIUM1Low71
xmlenc-0.52.jarpkg:maven/xmlenc/xmlenc@0.52 021
xz-1.0.jarcpe:2.3:a:tukaani:xz:1.0:*:*:*:*:*:*:*pkg:maven/org.tukaani/xz@1.0 0Highest25
xz-1.5.jarcpe:2.3:a:tukaani:xz:1.5:*:*:*:*:*:*:*pkg:maven/org.tukaani/xz@1.5 0Highest31
zookeeper-3.4.6.jarcpe:2.3:a:apache:zookeeper:3.4.6:*:*:*:*:*:*:*pkg:maven/org.apache.zookeeper/zookeeper@3.4.6HIGH4Highest25
zstd-jni-1.3.2-2.jarpkg:maven/com.github.luben/zstd-jni@1.3.2-2 035
zstd-jni-1.3.2-2.jar: libzstd-jni.dll 02
zstd-jni-1.3.2-2.jar: libzstd-jni.dll 02

Dependencies

JavaEWAH-0.3.2.jar

Description:

The bit array data structure is implemented in Java as the BitSet class. Unfortunately, this fails to scale without compression.

JavaEWAH is a word-aligned compressed variant of the Java bitset class. It uses a 64-bit run-length encoding (RLE) compression scheme.

The goal of word-aligned compression is not to achieve the best compression, but rather to improve query processing time. Hence, we try to save CPU cycles, maybe at the expense of storage. However, the EWAH scheme we implemented is always more efficient storage-wise than an uncompressed bitmap (implemented in Java as the BitSet class). Unlike some alternatives, javaewah does not rely on a patented scheme. 

License:

Apache 2: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /root/.m2/repository/com/googlecode/javaewah/JavaEWAH/0.3.2/JavaEWAH-0.3.2.jar
MD5: 2abde98a935176283db25a9bc70fb520
SHA1: 7130b68f1d4d9666f0ced0ba1a1bee37e2e51926
SHA256:93123dc8204cbc6248565ca6b81543ab0e15c2421173b9be84bf50540d811dea
Referenced In Projects/Scopes:
  • livy-scala-api_2.12:provided
  • livy-scala-api_2.11:provided
  • livy-scala-api-parent:provided
  • livy-repl_2.12:provided
  • livy-rsc:provided
  • livy-repl-parent:provided
  • livy-test-lib:provided
  • livy-repl_2.11:provided
  • livy-examples:compile
  • livy-api:provided

Identifiers

RoaringBitmap-0.7.45.jar

Description:

Roaring bitmaps are compressed bitmaps (also called bitsets) which tend to outperform conventional compressed bitmaps such as WAH or Concise.

License:

Apache 2: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /root/.m2/repository/org/roaringbitmap/RoaringBitmap/0.7.45/RoaringBitmap-0.7.45.jar
MD5: 27d1d944c1f540e8771b9eb9aead1efb
SHA1: cf97912280a8bc6f740d0e2c15b8acdfeb683ac3
SHA256:5db5c2bb8e5cd5368bd0784f427a55666507d7158c316afef4e1346b7246177e
Referenced In Projects/Scopes:
  • livy-scala-api_2.12:provided
  • livy-scala-api_2.11:provided
  • livy-scala-api-parent:provided
  • livy-repl_2.12:provided
  • livy-rsc:provided
  • livy-repl-parent:provided
  • livy-test-lib:provided
  • livy-repl_2.11:provided
  • livy-examples:compile
  • livy-api:provided

Identifiers

ST4-4.0.4.jar

Description:

StringTemplate is a Java template engine for generating source code, web pages, emails, or any other formatted text output.

StringTemplate is particularly good at multi-targeted code generators, multiple site skins, and internationalization/localization.

It evolved over years of effort developing jGuru.com.

StringTemplate also generates the stringtemplate website: http://www.stringtemplate.org and powers the ANTLR v3 code generator. Its distinguishing characteristic is that, unlike other engines, it strictly enforces model-view separation.

Strict separation makes websites and code generators more flexible and maintainable; it also provides an excellent defense against malicious template authors.

There are currently about 600 StringTemplate source downloads a month.

License:

BSD licence: http://antlr.org/license.html
File Path: /root/.m2/repository/org/antlr/ST4/4.0.4/ST4-4.0.4.jar
MD5: 06856c607f242639cd52ef2b4c63ebc9
SHA1: 467a2aa12be6d0f0f68c70eecf6714ab733027ac
SHA256:17cc49dc535a0fbe58c3a8634e774572bed31eb73415e9ce9d2703b977bf356f
Referenced In Projects/Scopes:
  • livy-scala-api_2.12:provided
  • livy-scala-api_2.11:provided
  • livy-scala-api-parent:provided
  • livy-repl_2.12:provided
  • livy-rsc:provided
  • livy-repl-parent:provided
  • livy-test-lib:provided
  • livy-repl_2.11:provided
  • livy-examples:compile
  • livy-api:provided

Identifiers

activation-1.1.1.jar

Description:

The JavaBeans(TM) Activation Framework is used by the JavaMail(TM) API to manage MIME data

License:

COMMON DEVELOPMENT AND DISTRIBUTION LICENSE (CDDL) Version 1.0: https://glassfish.dev.java.net/public/CDDLv1.0.html
File Path: /root/.m2/repository/javax/activation/activation/1.1.1/activation-1.1.1.jar
MD5: 46a37512971d8eca81c3fcf245bf07d2
SHA1: 485de3a253e23f645037828c07f1d7f1af40763a
SHA256:ae475120e9fcd99b4b00b38329bd61cdc5eb754eee03fe66c01f50e137724f99
Referenced In Projects/Scopes:
  • livy-scala-api_2.12:provided
  • livy-integration-test:compile
  • livy-rsc:provided
  • livy-repl-parent:provided
  • livy-test-lib:provided
  • livy-api:provided
  • livy-scala-api_2.11:provided
  • livy-scala-api-parent:provided
  • livy-repl_2.12:provided
  • livy-server:compile
  • livy-repl_2.11:provided
  • livy-examples:compile

Identifiers

activation-1.1.jar

Description:

JavaBeans Activation Framework (JAF) is a standard extension to the Java platform that lets you take advantage of standard services to: determine the type of an arbitrary piece of data; encapsulate access to it; discover the operations available on it; and instantiate the appropriate bean to perform the operation(s).

License:

Common Development and Distribution License (CDDL) v1.0: https://glassfish.dev.java.net/public/CDDLv1.0.html
File Path: /root/.m2/repository/javax/activation/activation/1.1/activation-1.1.jar
MD5: 8ae38e87cd4f86059c0294a8fe3e0b18
SHA1: e6cb541461c2834bdea3eb920f1884d1eb508b50
SHA256:2881c79c9d6ef01c58e62beea13e9d1ac8b8baa16f2fc198ad6e6776defdcdd3
Referenced In Projects/Scopes:
  • livy-coverage-report:compile
  • livy-assembly:compile

Identifiers

aircompressor-0.10.jar

Description:

Compression algorithms

License:

Apache License 2.0: http://www.apache.org/licenses/LICENSE-2.0.html
File Path: /root/.m2/repository/io/airlift/aircompressor/0.10/aircompressor-0.10.jar
MD5: f7530afc9741d3594cb9f86a2ab875c2
SHA1: bf8305930ec675964bd68599c702ffb32df4d1e6
SHA256:a5471abddc99a95939abfc0405cddb2213c4fba561de94f888d6e625566e826c
Referenced In Projects/Scopes:
  • livy-scala-api_2.12:provided
  • livy-scala-api_2.11:provided
  • livy-scala-api-parent:provided
  • livy-repl_2.12:provided
  • livy-rsc:provided
  • livy-repl-parent:provided
  • livy-test-lib:provided
  • livy-repl_2.11:provided
  • livy-examples:compile
  • livy-api:provided

Identifiers

all-sessions.js

File Path: /workspace/server/src/main/resources/org/apache/livy/server/ui/static/js/all-sessions.js
MD5: 43e4ef9bd61d65f393a45ae15b1cc807
SHA1: 89404bd69f724ead1e607b321ff4e3887b56ce17
SHA256:8048719c9cad45a94de28e437b6beb1ccc9fc94e2c3c9a5a076bef3fccea8642
Referenced In Project/Scope: livy-server

Identifiers

  • None

antlr-2.7.7.jar

Description:

A framework for constructing recognizers, compilers, and translators from grammatical descriptions containing Java, C#, C++, or Python actions.

License:

BSD License: http://www.antlr.org/license.html
File Path: /root/.m2/repository/antlr/antlr/2.7.7/antlr-2.7.7.jar
MD5: f8f1352c52a4c6a500b597596501fc64
SHA1: 83cd2cd674a217ade95a4bb83a8a14f351f48bd0
SHA256:88fbda4b912596b9f56e8e12e580cc954bacfb51776ecfddd3e18fc1cf56dc4c
Referenced In Projects/Scopes:
  • livy-scala-api_2.12:provided
  • livy-scala-api_2.11:provided
  • livy-scala-api-parent:provided
  • livy-repl_2.12:provided
  • livy-rsc:provided
  • livy-repl-parent:provided
  • livy-test-lib:provided
  • livy-repl_2.11:provided
  • livy-examples:compile
  • livy-api:provided

Identifiers

antlr-runtime-3.4.jar

Description:

A framework for constructing recognizers, compilers, and translators from grammatical descriptions containing Java, C#, C++, or Python actions.

File Path: /root/.m2/repository/org/antlr/antlr-runtime/3.4/antlr-runtime-3.4.jar
MD5: 0e0318be407e51fdf7ba6777eabfdf73
SHA1: 8f011408269a8e42b8548687e137d8eeb56df4b4
SHA256:5b7cf53b7b30b034023f58030c8147c433f2bee0fe7dec8fae6bebf3708c5a63
Referenced In Projects/Scopes:
  • livy-scala-api_2.12:provided
  • livy-scala-api_2.11:provided
  • livy-scala-api-parent:provided
  • livy-repl_2.12:provided
  • livy-rsc:provided
  • livy-repl-parent:provided
  • livy-test-lib:provided
  • livy-repl_2.11:provided
  • livy-examples:compile
  • livy-api:provided

Identifiers

antlr4-runtime-4.7.jar

Description:

The ANTLR 4 Runtime

License:

http://www.antlr.org/license.html
File Path: /root/.m2/repository/org/antlr/antlr4-runtime/4.7/antlr4-runtime-4.7.jar
MD5: b79f55024206b39be2539e1ecfde0c0a
SHA1: 30b13b7efc55b7feea667691509cf59902375001
SHA256:2a61943f803bbd1d0e02dffd19b92a418f83340c994346809e3b51e2231aa6c0
Referenced In Projects/Scopes:
  • livy-scala-api_2.12:provided
  • livy-scala-api_2.11:provided
  • livy-scala-api-parent:provided
  • livy-repl_2.12:provided
  • livy-rsc:provided
  • livy-repl-parent:provided
  • livy-test-lib:provided
  • livy-repl_2.11:provided
  • livy-examples:compile
  • livy-api:provided

Identifiers

aopalliance-1.0.jar

Description:

AOP Alliance

License:

Public Domain
File Path: /root/.m2/repository/aopalliance/aopalliance/1.0/aopalliance-1.0.jar
MD5: 04177054e180d09e3998808efa0401c7
SHA1: 0235ba8b489512805ac13a8f9ea77a1ca5ebe3e8
SHA256:0addec670fedcd3f113c5c8091d783280d23f75e3acb841b61a9cdb079376a08
Referenced In Projects/Scopes:
  • livy-integration-test:compile
  • livy-coverage-report:compile

Identifiers

aopalliance-repackaged-2.4.0-b34.jar

Description:

Dependency Injection Kernel

License:

https://glassfish.java.net/nonav/public/CDDL+GPL_1_1.html
File Path: /root/.m2/repository/org/glassfish/hk2/external/aopalliance-repackaged/2.4.0-b34/aopalliance-repackaged-2.4.0-b34.jar
MD5: 57983543b3574e117d6f03ceff5f238c
SHA1: 3d5e856dbc91a3a2b0bcb3a3424f8b62421ae4cf
SHA256:5d3cb0cece722c7ba8ab987b931053cdbcb0cb12ad5c8c8a7691eb6f7e60a64b
Referenced In Projects/Scopes:
  • livy-scala-api_2.12:provided
  • livy-scala-api_2.11:provided
  • livy-scala-api-parent:provided
  • livy-repl_2.12:provided
  • livy-rsc:provided
  • livy-repl-parent:provided
  • livy-test-lib:provided
  • livy-repl_2.11:provided
  • livy-examples:compile
  • livy-api:provided

Identifiers

apache-log4j-extras-1.2.17.jar

Description:

This package provides additional appenders, filters and other capabilities for version 1.2 of Apache log4j™. Several of these were backported from the abandoned Apache log4j 1.3 development effort.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /root/.m2/repository/log4j/apache-log4j-extras/1.2.17/apache-log4j-extras-1.2.17.jar
MD5: f32ed7ae770c83a4ac6fe6714f98f1bd
SHA1: 85863614d82185d7e51fe21c00aa9117a523a8b6
SHA256:361d4d40350309978b5ac2e45b2e93d72ad5864ad4da74afc1898ddd8d0550d0
Referenced In Projects/Scopes:
  • livy-scala-api_2.12:provided
  • livy-scala-api_2.11:provided
  • livy-scala-api-parent:provided
  • livy-repl_2.12:provided
  • livy-rsc:provided
  • livy-repl-parent:provided
  • livy-test-lib:provided
  • livy-repl_2.11:provided
  • livy-examples:compile
  • livy-api:provided

Identifiers

CVE-2019-17571  

Included in Log4j 1.2 is a SocketServer class that is vulnerable to deserialization of untrusted data which can be exploited to remotely execute arbitrary code when combined with a deserialization gadget when listening to untrusted network traffic for log data. This affects Log4j versions up to 1.2 up to 1.2.17.
CWE-502 Deserialization of Untrusted Data

CVSSv2:
  • Base Score: HIGH (7.5)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions:

CVE-2020-9493  

A deserialization flaw was found in Apache Chainsaw versions prior to 2.1.0 which could lead to malicious code execution.
CWE-502 Deserialization of Untrusted Data

CVSSv2:
  • Base Score: MEDIUM (6.8)
  • Vector: /AV:N/AC:M/Au:N/C:P/I:P/A:P
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions:

CVE-2022-23305  

By design, the JDBCAppender in Log4j 1.2.x accepts an SQL statement as a configuration parameter where the values to be inserted are converters from PatternLayout. The message converter, %m, is likely to always be included. This allows attackers to manipulate the SQL by entering crafted strings into input fields or headers of an application that are logged allowing unintended SQL queries to be executed. Note this issue only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default. Beginning in version 2.0-beta8, the JDBCAppender was re-introduced with proper support for parameterized SQL queries and further customization over the columns written to in logs. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.
CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVSSv2:
  • Base Score: MEDIUM (6.8)
  • Vector: /AV:N/AC:M/Au:N/C:P/I:P/A:P
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions:

CVE-2022-23302  

JMSSink in all versions of Log4j 1.x is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration or if the configuration references an LDAP service the attacker has access to. The attacker can provide a TopicConnectionFactoryBindingName configuration causing JMSSink to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-4104. Note this issue only affects Log4j 1.x when specifically configured to use JMSSink, which is not the default. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.
CWE-502 Deserialization of Untrusted Data

CVSSv2:
  • Base Score: MEDIUM (6.0)
  • Vector: /AV:N/AC:M/Au:S/C:P/I:P/A:P
CVSSv3:
  • Base Score: HIGH (8.8)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions:

CVE-2022-23307  

CVE-2020-9493 identified a deserialization issue that was present in Apache Chainsaw. Prior to Chainsaw V2.0 Chainsaw was a component of Apache Log4j 1.2.x where the same issue exists.
CWE-502 Deserialization of Untrusted Data

CVSSv2:
  • Base Score: HIGH (9.0)
  • Vector: /AV:N/AC:L/Au:S/C:C/I:C/A:C
CVSSv3:
  • Base Score: HIGH (8.8)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions:

apacheds-i18n-2.0.0-M15.jar

Description:

Internationalization of errors and other messages

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /root/.m2/repository/org/apache/directory/server/apacheds-i18n/2.0.0-M15/apacheds-i18n-2.0.0-M15.jar
MD5: f5877c02fd56ade67713560e589c81b9
SHA1: 71c61c84683152ec2a6a65f3f96fe534e304fa22
SHA256:bd3b7cece7fc6364cbce32b9edd0e9628a3e889c6a93cdeff1b5e2131e2a007c
Referenced In Projects/Scopes:
  • livy-scala-api_2.12:provided
  • livy-integration-test:compile
  • livy-rsc:provided
  • livy-repl-parent:provided
  • livy-test-lib:provided
  • livy-api:provided
  • livy-scala-api_2.11:provided
  • livy-scala-api-parent:provided
  • livy-coverage-report:compile
  • livy-assembly:compile
  • livy-repl_2.12:provided
  • livy-repl_2.11:provided
  • livy-examples:compile

Identifiers

apacheds-i18n-2.0.0-M21.jar

Description:

Internationalization of errors and other messages

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /root/.m2/repository/org/apache/directory/server/apacheds-i18n/2.0.0-M21/apacheds-i18n-2.0.0-M21.jar
MD5: 0f985cfd476b1e150580dc7e2d2cba0e
SHA1: 1cad886a17dbe04a1093df6db17f4c33ce46c3dd
SHA256:7054cb9bba5a8ad29b2cc82a1d0e0aee60d87347dffd402570ff47fa0ea1f883
Referenced In Project/Scope: livy-server:compile

Identifiers

apacheds-kerberos-codec-2.0.0-M15.jar

Description:

The Kerberos protocol encoder/decoder module

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /root/.m2/repository/org/apache/directory/server/apacheds-kerberos-codec/2.0.0-M15/apacheds-kerberos-codec-2.0.0-M15.jar
MD5: 3118e22eac44e150c383df1d417772f4
SHA1: 1c16e4e477183641c5f0dd5cdecd27ec331bacb5
SHA256:4996f5b72497e94dd86d64a370158c4fb0049eea9b17ff8b27a4671d6c136ded
Referenced In Projects/Scopes:
  • livy-scala-api_2.12:provided
  • livy-integration-test:compile
  • livy-rsc:provided
  • livy-repl-parent:provided
  • livy-test-lib:provided
  • livy-api:provided
  • livy-scala-api_2.11:provided
  • livy-scala-api-parent:provided
  • livy-coverage-report:compile
  • livy-assembly:compile
  • livy-repl_2.12:provided
  • livy-server:compile
  • livy-repl_2.11:provided
  • livy-examples:compile

Identifiers

api-asn1-api-1.0.0-M20.jar

Description:

ASN.1 API

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /root/.m2/repository/org/apache/directory/api/api-asn1-api/1.0.0-M20/api-asn1-api-1.0.0-M20.jar
MD5: cf4561832dab76e9f37461342ec18d17
SHA1: 5e6486ffa3125ba44dc410ead166e1d6ba8ac76d
SHA256:484aaf4b888b0eb699d95bea265c2d5b6ebec951d70e5c5f7691cd52dd4c8298
Referenced In Projects/Scopes:
  • livy-scala-api_2.12:provided
  • livy-integration-test:compile
  • livy-rsc:provided
  • livy-repl-parent:provided
  • livy-test-lib:provided
  • livy-api:provided
  • livy-scala-api_2.11:provided
  • livy-scala-api-parent:provided
  • livy-coverage-report:compile
  • livy-assembly:compile
  • livy-repl_2.12:provided
  • livy-repl_2.11:provided
  • livy-examples:compile

Identifiers

api-asn1-api-1.0.0-M33.jar

Description:

ASN.1 API

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /root/.m2/repository/org/apache/directory/api/api-asn1-api/1.0.0-M33/api-asn1-api-1.0.0-M33.jar
MD5: c46687f9e497f748586dc7275819989b
SHA1: 1f52883cba4ce7ca668e7d3229fed3d2e1145c1d
SHA256:52e19e3c767a5be4e9358341233a27d94187dfdd99ff4e90ddf9ea443bcaf22c
Referenced In Project/Scope: livy-server:compile

Identifiers

api-i18n-1.0.0-M33.jar

Description:

Internationalization of errors and other messages

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /root/.m2/repository/org/apache/directory/api/api-i18n/1.0.0-M33/api-i18n-1.0.0-M33.jar
MD5: e3366b8887e825cbdb66ca36a1ca665a
SHA1: d1cd144cdde056ee5f09048aa6aa1da23b823871
SHA256:f8884053153ca27cd3e1d51f75889a065794d214815bf4712e7ef923f182392f
Referenced In Project/Scope: livy-server:compile

Identifiers

CVE-2018-1337  

In Apache Directory LDAP API before 1.0.2, a bug in the way the SSL Filter was setup made it possible for another thread to use the connection before the TLS layer has been established, if the connection has already been used and put back in a pool of connections, leading to leaking any information contained in this request (including the credentials when sending a BIND request).
CWE-200 Information Exposure

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions:

api-util-1.0.0-M20.jar

Description:

Utilities shared across this top level project

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /root/.m2/repository/org/apache/directory/api/api-util/1.0.0-M20/api-util-1.0.0-M20.jar
MD5: 2c5a6722666882024becdd64301be492
SHA1: a871abf060b3cf83fc6dc4d7e3d151fce50ac3cb
SHA256:fd32fd047ccf143c58d093b58811aa81e539f8cf83c1187809f1a241a1df12d1
Referenced In Projects/Scopes:
  • livy-scala-api_2.12:provided
  • livy-integration-test:compile
  • livy-rsc:provided
  • livy-repl-parent:provided
  • livy-test-lib:provided
  • livy-api:provided
  • livy-scala-api_2.11:provided
  • livy-scala-api-parent:provided
  • livy-coverage-report:compile
  • livy-assembly:compile
  • livy-repl_2.12:provided
  • livy-repl_2.11:provided
  • livy-examples:compile

Identifiers

CVE-2018-1337  

In Apache Directory LDAP API before 1.0.2, a bug in the way the SSL Filter was setup made it possible for another thread to use the connection before the TLS layer has been established, if the connection has already been used and put back in a pool of connections, leading to leaking any information contained in this request (including the credentials when sending a BIND request).
CWE-200 Information Exposure

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions:

arpack_combined_all-0.1.jar

Description:

Java APIs for the BLAS, LAPACK, and ARPACK Fortran libraries as translated through F2J.

License:

The BSD License: http://www.opensource.org/licenses/bsd-license.php
File Path: /root/.m2/repository/net/sourceforge/f2j/arpack_combined_all/0.1/arpack_combined_all-0.1.jar
MD5: 83d82dd480da2aeba6429e746453ec0b
SHA1: 225619a060b42605b4d9fd4af11815664abf26eb
SHA256:9964fb948ef213548a79b23dd480af9d72f1450824fa006bbfea211ac1ffa6dc
Referenced In Projects/Scopes:
  • livy-repl_2.12:provided
  • livy-repl-parent:provided
  • livy-repl_2.11:provided

Identifiers

CVE-2021-4048  

An out-of-bounds read flaw was found in the CLARRV, DLARRV, SLARRV, and ZLARRV functions in lapack through version 3.10.0, as also used in OpenBLAS before version 0.3.18. Specially crafted inputs passed to these functions could cause an application using lapack to crash or possibly disclose portions of its memory.
CWE-125 Out-of-bounds Read

CVSSv2:
  • Base Score: MEDIUM (6.4)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:P
CVSSv3:
  • Base Score: CRITICAL (9.1)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H

References:

Vulnerable Software & Versions:

arrow-format-0.10.0.jar

File Path: /root/.m2/repository/org/apache/arrow/arrow-format/0.10.0/arrow-format-0.10.0.jar
MD5: 44fc2dc5d5691bbea3d2a321c96664d3
SHA1: 85347ddea82e80b0aa14efd25aefb9a009d8ff0f
SHA256:21387bd6012d98bbc7083f349f9569dc4798cd72c5b7c9aa713092bbce1939eb
Referenced In Projects/Scopes:
  • livy-scala-api_2.12:provided
  • livy-scala-api_2.11:provided
  • livy-scala-api-parent:provided
  • livy-repl_2.12:provided
  • livy-rsc:provided
  • livy-repl-parent:provided
  • livy-test-lib:provided
  • livy-repl_2.11:provided
  • livy-examples:compile
  • livy-api:provided

Identifiers

asm-3.1.jar

File Path: /root/.m2/repository/asm/asm/3.1/asm-3.1.jar
MD5: b9b8d2d556f9458aac8c463fd511f86d
SHA1: c157def142714c544bdea2e6144645702adf7097
SHA256:333ff5369043975b7e031b8b27206937441854738e038c1f47f98d072a20437a
Referenced In Projects/Scopes:
  • livy-integration-test:compile
  • livy-coverage-report:compile
  • livy-rsc:provided

Identifiers

async-http-client-2.10.1.jar

Description:

The Async Http Client (AHC) classes.

License:

http://www.apache.org/licenses/LICENSE-2.0.html
File Path: /root/.m2/repository/org/asynchttpclient/async-http-client/2.10.1/async-http-client-2.10.1.jar
MD5: cc668461a45dcee1fa71231affd81554
SHA1: e016d72930c533438bfb4754b07bc99e5a8e9b5f
SHA256:8baace97a3d523fd3898fa6a1b53bdb99e5a0b1d4e55389f7ce9dc5b5d5c185d
Referenced In Project/Scope: livy-integration-test:compile

Identifiers

async-http-client-netty-utils-2.10.1.jar

Description:

The Async Http Client (AHC) library's purpose is to allow Java applications to easily execute HTTP requests and asynchronously process the response.

License:

http://www.apache.org/licenses/LICENSE-2.0.html
File Path: /root/.m2/repository/org/asynchttpclient/async-http-client-netty-utils/2.10.1/async-http-client-netty-utils-2.10.1.jar
MD5: e2da6a17c8c9a0e30ef67a51d1f2a37d
SHA1: f365b035c75e12ddb444724417e7f78e0f96e9c2
SHA256:6ffec083e27b4fa5f256edf3ad64203618298530f4cb0839ded6b22f9f7d5bb6
Referenced In Project/Scope: livy-integration-test:compile

Identifiers

avro-1.7.4.jar

Description:

Avro core components

File Path: /root/.m2/repository/org/apache/avro/avro/1.7.4/avro-1.7.4.jar
MD5: de02dfb1f5880c0b422f215ffcaa3379
SHA1: 416e7030879814f52845b97f04bb50ecd1cef372
SHA256:a01d26e9a5ed0754e8c88dbb373fba896c57df0a0c424185767a3857855bb222
Referenced In Projects/Scopes:
  • livy-integration-test:compile
  • livy-coverage-report:compile
  • livy-assembly:compile

Identifiers

CVE-2021-43045  

A vulnerability in the .NET SDK of Apache Avro allows an attacker to allocate excessive resources, potentially causing a denial-of-service attack. This issue affects .NET applications using Apache Avro version 1.10.2 and prior versions. Users should update to version 1.11.0 which addresses this issue.
CWE-770 Allocation of Resources Without Limits or Throttling

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:P
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References:

Vulnerable Software & Versions:

avro-1.8.2.jar (shaded: org.apache.avro:avro-guava-dependencies:1.8.2)

Description:

Temporary artifact of guava dependencies

File Path: /root/.m2/repository/org/apache/avro/avro/1.8.2/avro-1.8.2.jar/META-INF/maven/org.apache.avro/avro-guava-dependencies/pom.xml
MD5: 1117ab0e3aa409849f56cb09776d930e
SHA1: 23d4a56f8c32dbfd25bf866f626ebfa4a65e7fcf
SHA256:d0b0d846cc6327f8c4845d56f4471603287eb83ce2e116fa79795042761c2486
Referenced In Projects/Scopes:
  • livy-scala-api_2.12:provided
  • livy-scala-api_2.11:provided
  • livy-scala-api-parent:provided
  • livy-repl_2.12:provided
  • livy-server:compile
  • livy-rsc:provided
  • livy-repl-parent:provided
  • livy-test-lib:provided
  • livy-repl_2.11:provided
  • livy-examples:compile
  • livy-api:provided

Identifiers

CVE-2021-43045  

A vulnerability in the .NET SDK of Apache Avro allows an attacker to allocate excessive resources, potentially causing a denial-of-service attack. This issue affects .NET applications using Apache Avro version 1.10.2 and prior versions. Users should update to version 1.11.0 which addresses this issue.
CWE-770 Allocation of Resources Without Limits or Throttling

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:P
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References:

Vulnerable Software & Versions:

avro-1.8.2.jar

Description:

Avro core components

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /root/.m2/repository/org/apache/avro/avro/1.8.2/avro-1.8.2.jar
MD5: 10395e5a571e1a1f6113411f276d2fea
SHA1: 91e3146dfff4bd510181032c8276a3a0130c0697
SHA256:f754a0830ce67a5a9fa67a54ec15d103ef15e1c850d7b26faf7b647eeddc82d3
Referenced In Projects/Scopes:
  • livy-scala-api_2.12:provided
  • livy-scala-api_2.11:provided
  • livy-scala-api-parent:provided
  • livy-repl_2.12:provided
  • livy-server:compile
  • livy-rsc:provided
  • livy-repl-parent:provided
  • livy-test-lib:provided
  • livy-repl_2.11:provided
  • livy-examples:compile
  • livy-api:provided

Identifiers

CVE-2021-43045  

A vulnerability in the .NET SDK of Apache Avro allows an attacker to allocate excessive resources, potentially causing a denial-of-service attack. This issue affects .NET applications using Apache Avro version 1.10.2 and prior versions. Users should update to version 1.11.0 which addresses this issue.
CWE-770 Allocation of Resources Without Limits or Throttling

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:P
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References:

Vulnerable Software & Versions:

bonecp-0.8.0.RELEASE.jar

Description:

Lightweight connection pool.

License:

http://www.apache.org/licenses/LICENSE-2.0.html
File Path: /root/.m2/repository/com/jolbox/bonecp/0.8.0.RELEASE/bonecp-0.8.0.RELEASE.jar
MD5: 730a2f3602f5f4c3ff7590b08205adce
SHA1: cec24ee9345b3678472bb1b8fdd6aa6b9428beb8
SHA256:a53d5b5a7ba6433fc7c29e29664313e50ddb53e7381698c41d1091e3c3d081fb
Referenced In Projects/Scopes:
  • livy-scala-api_2.12:provided
  • livy-scala-api_2.11:provided
  • livy-scala-api-parent:provided
  • livy-repl_2.12:provided
  • livy-rsc:provided
  • livy-repl-parent:provided
  • livy-test-lib:provided
  • livy-repl_2.11:provided
  • livy-examples:compile
  • livy-api:provided

Identifiers

bootstrap.min.js

File Path: /workspace/server/src/main/resources/org/apache/livy/server/ui/static/js/bootstrap.min.js
MD5: 2f34b630ffe30ba2ff2b91e3f3c322a1
SHA1: b16fd8226bd6bfb08e568f1b1d0a21d60247cefb
SHA256:9ee2fcff6709e4d0d24b09ca0fc56aade12b4961ed9c43fd13b03248bfb57afe
Referenced In Project/Scope:livy-server

Identifiers

  • None

breeze-macros_2.11-0.13.2.jar

Description:

breeze-macros

License:

Apache 2: http://www.apache.org/licenses/LICENSE-2.0.html
File Path: /root/.m2/repository/org/scalanlp/breeze-macros_2.11/0.13.2/breeze-macros_2.11-0.13.2.jar
MD5: a6688faa09ad9e4ea4fe711e620c8003
SHA1: b079266f280c98e710c20dfa7d892c28ab217ee4
SHA256:87c9ff48595bea3ecb5507363e37dad58bc13e29d96a06995d8514c9fd71bb32
Referenced In Projects/Scopes:
  • livy-repl-parent:provided
  • livy-repl_2.11:provided

Identifiers

breeze-macros_2.12-0.13.2.jar

Description:

breeze-macros

License:

Apache 2: http://www.apache.org/licenses/LICENSE-2.0.html
File Path: /root/.m2/repository/org/scalanlp/breeze-macros_2.12/0.13.2/breeze-macros_2.12-0.13.2.jar
MD5: 7f94ee105a59dc721e135de3f5ee1dd3
SHA1: 2c2f4ed921b1564de17b63b996d102b9ccc91f16
SHA256:90ada170dd3617638d4d93cdd64bf7f3d837f4a8046be25e84ca20e5ed89321f
Referenced In Project/Scope:livy-repl_2.12:provided

Identifiers

breeze_2.11-0.13.2.jar

Description:

breeze

License:

Apache 2: http://www.apache.org/licenses/LICENSE-2.0.html
File Path: /root/.m2/repository/org/scalanlp/breeze_2.11/0.13.2/breeze_2.11-0.13.2.jar
MD5: 21e286c5b6c31b76ee033ba8a0ee4511
SHA1: 4ead72f6bff9a6b7f2c16ca840f55db2b78b3922
SHA256:9a18fbf07affaee3174e16109a990c15982b2629a391c95ad916c838830fc891
Referenced In Projects/Scopes:
  • livy-repl-parent:provided
  • livy-repl_2.11:provided

Identifiers

breeze_2.12-0.13.2.jar

Description:

breeze

License:

Apache 2: http://www.apache.org/licenses/LICENSE-2.0.html
File Path: /root/.m2/repository/org/scalanlp/breeze_2.12/0.13.2/breeze_2.12-0.13.2.jar
MD5: fafaccde16ffba3ff5dd85321cb0e8c0
SHA1: 9f70553f79824eda6afb5e681dfa30788c5c6be7
SHA256:e52ac9bfcd3b12287632c5eb3e3f77251c863e0c66c3f566da739e2f0fa0cd47
Referenced In Project/Scope:livy-repl_2.12:provided

Identifiers

byte-buddy-1.6.11.jar (shaded: net.bytebuddy:byte-buddy-dep:1.6.11)

Description:

Byte Buddy is a Java library for creating Java classes at run time.
This artifact is a build of Byte Buddy with a remaining dependency onto ASM.
You should never depend on this module without repackaging Byte Buddy and ASM into your own namespace.

File Path: /root/.m2/repository/net/bytebuddy/byte-buddy/1.6.11/byte-buddy-1.6.11.jar/META-INF/maven/net.bytebuddy/byte-buddy-dep/pom.xml
MD5: 21962ff4f38fe6bf7a826a676e853c56
SHA1: d1832d62496ba1d311e82693d0a5b39f6d2c8280
SHA256:0ad262d6099669fc43963b11a4bb9815ad5b33116c5a9223ea3c58b2c15baebc
Referenced In Project/Scope:livy-integration-test:runtime

Identifiers

byte-buddy-1.6.11.jar

Description:

Byte Buddy is a Java library for creating Java classes at run time.
This artifact is a build of Byte Buddy with all ASM dependencies repackaged into its own name space.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /root/.m2/repository/net/bytebuddy/byte-buddy/1.6.11/byte-buddy-1.6.11.jar
MD5: abd404f008234647aa01336ca175bd49
SHA1: 8a8f9409e27f1d62c909c7eef2aa7b3a580b4901
SHA256:8785a451b5581cf14239a9b290a7e4807baba8a5c613192dd915a84644849b87
Referenced In Project/Scope:livy-integration-test:runtime

Identifiers

byte-buddy-agent-1.6.11.jar

Description:

The Byte Buddy Java agent allows to access the JVM's HotSwap feature.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /root/.m2/repository/net/bytebuddy/byte-buddy-agent/1.6.11/byte-buddy-agent-1.6.11.jar
MD5: ce085675a5ab47e5a406afb5933c2b8c
SHA1: 0200d9c012befccd211ff91082a151257b1dc084
SHA256:d8d9576b9fe1c8ebaed3594d7923ecc198e14cfbdc1655aa4ac63adeea030fc4
Referenced In Project/Scope:livy-integration-test:runtime

Identifiers

calcite-avatica-1.2.0-incubating.jar

Description:

JDBC driver framework.

File Path: /root/.m2/repository/org/apache/calcite/calcite-avatica/1.2.0-incubating/calcite-avatica-1.2.0-incubating.jar
MD5: 2ae66375cfb806d72ee628caa7b3e6ec
SHA1: 449432909cb395700a7293cb4147b4230124fd9d
SHA256:f3ad4ac66d01e0288e32c950b9ab5dca935643112059705e6395904646912f2a
Referenced In Projects/Scopes:
  • livy-scala-api_2.12:provided
  • livy-scala-api_2.11:provided
  • livy-scala-api-parent:provided
  • livy-repl_2.12:provided
  • livy-rsc:provided
  • livy-repl-parent:provided
  • livy-test-lib:provided
  • livy-repl_2.11:provided
  • livy-examples:compile
  • livy-api:provided

Identifiers

CVE-2022-39135  

In Apache Calcite prior to version 1.32.0 the SQL operators EXISTS_NODE, EXTRACT_XML, XML_TRANSFORM and EXTRACT_VALUE do not restrict XML External Entity references in their configuration, which makes them vulnerable to a potential XML External Entity (XXE) attack. Therefore any client exposing these operators, typically by using Oracle dialect (the first three) or MySQL dialect (the last one), is affected by this vulnerability (the extent of it will depend on the user under which the application is running). From Apache Calcite 1.32.0 onwards, Document Type Declarations and XML External Entity resolution are disabled on the impacted operators.
CWE-611 Improper Restriction of XML External Entity Reference ('XXE')

CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions:

CVE-2022-36364  

Apache Calcite Avatica JDBC driver creates HTTP client instances based on class names provided via `httpclient_impl` connection property; however, the driver does not verify if the class implements the expected interface before instantiating it, which can lead to code execution loaded via arbitrary classes and in rare cases remote code execution. To exploit the vulnerability: 1) the attacker needs to have privileges to control JDBC connection parameters; 2) and there should be a vulnerable class (constructor with URL parameter and ability to execute code) in the classpath. From Apache Calcite Avatica 1.22.0 onwards, it will be verified that the class implements the expected interface before invoking its constructor.
CWE-665 Improper Initialization

CVSSv3:
  • Base Score: HIGH (8.8)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions:

CVE-2020-13955  

The HttpUtils#getURLConnection method explicitly disables hostname verification for HTTPS connections, making clients vulnerable to man-in-the-middle attacks. Calcite uses this method internally to connect with Druid and Splunk, so information leakage may happen when using the respective Calcite adapters. The method itself is in a utility class, so people may use it to create vulnerable HTTPS connections for other applications. From Apache Calcite 1.26 onwards, hostname verification is performed using the default JVM truststore.
CWE-295 Improper Certificate Validation

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:P/I:N/A:N
CVSSv3:
  • Base Score: MEDIUM (5.9)
  • Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

References:

Vulnerable Software & Versions:

calcite-core-1.2.0-incubating.jar

Description:

Core Calcite APIs and engine.

File Path: /root/.m2/repository/org/apache/calcite/calcite-core/1.2.0-incubating/calcite-core-1.2.0-incubating.jar
MD5: 7650597181c7bb103d569958a667e631
SHA1: 48fbc72e0c33026e53ab2272bafa4917ff598693
SHA256:36e2542170fad78360076d9b62b705211b9c3c39e2ddfbceb7ef9a2b86896b90
Referenced In Projects/Scopes:
  • livy-scala-api_2.12:provided
  • livy-scala-api_2.11:provided
  • livy-scala-api-parent:provided
  • livy-repl_2.12:provided
  • livy-rsc:provided
  • livy-repl-parent:provided
  • livy-test-lib:provided
  • livy-repl_2.11:provided
  • livy-examples:compile
  • livy-api:provided

Identifiers

CVE-2022-39135  

In Apache Calcite prior to version 1.32.0 the SQL operators EXISTS_NODE, EXTRACT_XML, XML_TRANSFORM and EXTRACT_VALUE do not restrict XML External Entity references in their configuration, which makes them vulnerable to a potential XML External Entity (XXE) attack. Therefore any client exposing these operators, typically by using Oracle dialect (the first three) or MySQL dialect (the last one), is affected by this vulnerability (the extent of it will depend on the user under which the application is running). From Apache Calcite 1.32.0 onwards, Document Type Declarations and XML External Entity resolution are disabled on the impacted operators.
CWE-611 Improper Restriction of XML External Entity Reference ('XXE')

CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions:

CVE-2020-13955  

The HttpUtils#getURLConnection method explicitly disables hostname verification for HTTPS connections, making clients vulnerable to man-in-the-middle attacks. Calcite uses this method internally to connect with Druid and Splunk, so information leakage may happen when using the respective Calcite adapters. The method itself is in a utility class, so people may use it to create vulnerable HTTPS connections for other applications. From Apache Calcite 1.26 onwards, hostname verification is performed using the default JVM truststore.
CWE-295 Improper Certificate Validation

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:P/I:N/A:N
CVSSv3:
  • Base Score: MEDIUM (5.9)
  • Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

References:

Vulnerable Software & Versions:

chill-java-0.9.3.jar

Description:

chill-java

License:

Apache 2: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /root/.m2/repository/com/twitter/chill-java/0.9.3/chill-java-0.9.3.jar
MD5: c2c0a8d1e5f0502a238a42ce81e8ad44
SHA1: f7670c73b068b3beeba8f0ed284e08b8d38eae02
SHA256:a4ee44dd7eb33435766cd65f87027591c2871c9b09293fb1937ff09284d787cd
Referenced In Projects/Scopes:
  • livy-scala-api_2.12:provided
  • livy-scala-api_2.11:provided
  • livy-scala-api-parent:provided
  • livy-repl_2.12:provided
  • livy-rsc:provided
  • livy-repl-parent:provided
  • livy-test-lib:provided
  • livy-repl_2.11:provided
  • livy-examples:compile
  • livy-api:provided

Identifiers

chill_2.11-0.9.3.jar

Description:

chill

License:

Apache 2: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /root/.m2/repository/com/twitter/chill_2.11/0.9.3/chill_2.11-0.9.3.jar
MD5: 98de737188d11f3020516cb64c33eda3
SHA1: 432cc2832f1deee574535b3dbf7be0a478e9ab0f
SHA256:fc2c4327b0612d398b5aa304fb6133105c4bd0524c06f1519672534bff1bec2e
Referenced In Projects/Scopes:
  • livy-scala-api_2.11:provided
  • livy-scala-api-parent:provided
  • livy-rsc:provided
  • livy-repl-parent:provided
  • livy-test-lib:provided
  • livy-repl_2.11:provided
  • livy-examples:compile
  • livy-api:provided

Identifiers

chill_2.12-0.9.3.jar

Description:

chill

License:

Apache 2: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /root/.m2/repository/com/twitter/chill_2.12/0.9.3/chill_2.12-0.9.3.jar
MD5: 5b6ce66f7f0d955bdbd61a460dd0f1d2
SHA1: 4e4c0e7f25d3f9d4e479794fea51d4d4fcb39c91
SHA256:c8e9a81028161b5f34e0d322cd53e0a11214c9704748bd5e9a741ec42452f4c7
Referenced In Projects/Scopes:
  • livy-scala-api_2.12:provided
  • livy-repl_2.12:provided

Identifiers

commons-beanutils-1.7.0.jar

File Path: /root/.m2/repository/commons-beanutils/commons-beanutils/1.7.0/commons-beanutils-1.7.0.jar
MD5: 0f18acf5fa857f9959675e14d901a7ce
SHA1: 5675fd96b29656504b86029551973d60fb41339b
SHA256:24bcaa20ccbdc7c856ce0c0aea144566943403e2e9f27bd9779cda1d76823ef4
Referenced In Projects/Scopes:
  • livy-scala-api_2.12:provided
  • livy-integration-test:compile
  • livy-rsc:provided
  • livy-repl-parent:provided
  • livy-test-lib:provided
  • livy-api:provided
  • livy-scala-api_2.11:provided
  • livy-scala-api-parent:provided
  • livy-coverage-report:compile
  • livy-assembly:compile
  • livy-repl_2.12:provided
  • livy-server:compile
  • livy-repl_2.11:provided
  • livy-examples:compile

Identifiers

CVE-2014-0114  

Apache Commons BeanUtils, as distributed in lib/commons-beanutils-1.8.0.jar in Apache Struts 1.x through 1.3.10 and in other products requiring commons-beanutils through 1.9.2, does not suppress the class property, which allows remote attackers to "manipulate" the ClassLoader and execute arbitrary code via the class parameter, as demonstrated by the passing of this parameter to the getClass method of the ActionForm object in Struts 1.
CWE-20 Improper Input Validation

CVSSv2:
  • Base Score: HIGH (7.5)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P

References:

Vulnerable Software & Versions:

CVE-2019-10086  

In Apache Commons Beanutils 1.9.2, a special BeanIntrospector class was added which allows suppressing the ability for an attacker to access the classloader via the class property available on all Java objects. We, however, were not using this by default characteristic of the PropertyUtilsBean.
CWE-502 Deserialization of Untrusted Data

CVSSv2:
  • Base Score: HIGH (7.5)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSSv3:
  • Base Score: HIGH (7.3)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

References:

Vulnerable Software & Versions:

CVE-2021-37533  

Prior to Apache Commons Net 3.9.0, Net's FTP client trusts the host from PASV response by default. A malicious server can redirect the Commons Net code to use a different host, but the user has to connect to the malicious server in the first place. This may lead to leakage of information about services running on the private network of the client. The default in version 3.9.0 is now false to ignore such hosts, as cURL does. See https://issues.apache.org/jira/browse/NET-711.
CWE-20 Improper Input Validation

CVSSv3:
  • Base Score: MEDIUM (6.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

References:

Vulnerable Software & Versions:

commons-beanutils-core-1.8.0.jar

File Path: /root/.m2/repository/commons-beanutils/commons-beanutils-core/1.8.0/commons-beanutils-core-1.8.0.jar
MD5: a33ba25ae637909a97a60ff1d1b38857
SHA1: 175dc721f87e4bc5cc0573f990e28c3cf9117508
SHA256:9038c7ddc61d3d8089eb5a52a24b430a202617d57d2d344a93b68e4eafefefde
Referenced In Projects/Scopes:
  • livy-integration-test:compile
  • livy-coverage-report:compile
  • livy-assembly:compile
  • livy-server:compile
  • livy-rsc:provided

Identifiers

CVE-2014-0114  

Apache Commons BeanUtils, as distributed in lib/commons-beanutils-1.8.0.jar in Apache Struts 1.x through 1.3.10 and in other products requiring commons-beanutils through 1.9.2, does not suppress the class property, which allows remote attackers to "manipulate" the ClassLoader and execute arbitrary code via the class parameter, as demonstrated by the passing of this parameter to the getClass method of the ActionForm object in Struts 1.
CWE-20 Improper Input Validation

CVSSv2:
  • Base Score: HIGH (7.5)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P

References:

Vulnerable Software & Versions:

CVE-2019-10086  

In Apache Commons Beanutils 1.9.2, a special BeanIntrospector class was added which allows suppressing the ability for an attacker to access the classloader via the class property available on all Java objects. We, however, were not using this by default characteristic of the PropertyUtilsBean.
CWE-502 Deserialization of Untrusted Data

CVSSv2:
  • Base Score: HIGH (7.5)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSSv3:
  • Base Score: HIGH (7.3)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

References:

Vulnerable Software & Versions:

CVE-2021-37533  

Prior to Apache Commons Net 3.9.0, Net's FTP client trusts the host from PASV response by default. A malicious server can redirect the Commons Net code to use a different host, but the user has to connect to the malicious server in the first place. This may lead to leakage of information about services running on the private network of the client. The default in version 3.9.0 is now false to ignore such hosts, as cURL does. See https://issues.apache.org/jira/browse/NET-711.
CWE-20 Improper Input Validation

CVSSv3:
  • Base Score: MEDIUM (6.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

References:

Vulnerable Software & Versions:

commons-cli-1.2.jar

Description:

Commons CLI provides a simple API for presenting, processing and validating a command line interface.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /root/.m2/repository/commons-cli/commons-cli/1.2/commons-cli-1.2.jar
MD5: bfdcae1ff93f0c07d733f03bdce28c9e
SHA1: 2bf96b7aa8b611c177d329452af1dc933e14501c
SHA256:e7cd8951956d349b568b7ccfd4f5b2529a8c113e67c32b028f52ffda371259d9
Referenced In Projects/Scopes:
  • livy-scala-api_2.12:provided
  • livy-integration-test:compile
  • livy-rsc:provided
  • livy-repl-parent:provided
  • livy-test-lib:provided
  • livy-api:provided
  • livy-scala-api_2.11:provided
  • livy-scala-api-parent:provided
  • livy-coverage-report:compile
  • livy-assembly:compile
  • livy-repl_2.12:provided
  • livy-server:compile
  • livy-repl_2.11:provided
  • livy-examples:compile

Identifiers

CVE-2021-37533  

Prior to Apache Commons Net 3.9.0, Net's FTP client trusts the host from PASV response by default. A malicious server can redirect the Commons Net code to use a different host, but the user has to connect to the malicious server in the first place. This may lead to leakage of information about services running on the private network of the client. The default in version 3.9.0 is now false to ignore such hosts, as cURL does. See https://issues.apache.org/jira/browse/NET-711.
CWE-20 Improper Input Validation

CVSSv3:
  • Base Score: MEDIUM (6.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

References:

Vulnerable Software & Versions:

commons-codec-1.9.jar

Description:

The Apache Commons Codec package contains simple encoders and decoders for various formats such as Base64 and Hexadecimal. In addition to these widely used encoders and decoders, the codec package also maintains a collection of phonetic encoding utilities.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /root/.m2/repository/commons-codec/commons-codec/1.9/commons-codec-1.9.jar
MD5: 75615356605c8128013da9e3ac62a249
SHA1: 9ce04e34240f674bc72680f8b843b1457383161a
SHA256:ad19d2601c3abf0b946b5c3a4113e226a8c1e3305e395b90013b78dd94a723ce
Referenced In Projects/Scopes:
  • livy-scala-api_2.12:provided
  • livy-integration-test:compile
  • livy-rsc:provided
  • livy-repl-parent:compile
  • livy-test-lib:provided
  • livy-api:provided
  • livy-core-parent:compile
  • livy-repl_2.11:compile
  • livy-scala-api_2.11:provided
  • livy-scala-api-parent:provided
  • livy-coverage-report:compile
  • livy-assembly:compile
  • livy-repl_2.12:compile
  • livy-server:compile
  • livy-core_2.11:compile
  • livy-core_2.12:compile
  • livy-examples:compile
  • livy-client-http:compile

Identifiers

CVE-2021-37533  

Prior to Apache Commons Net 3.9.0, Net's FTP client trusts the host from PASV response by default. A malicious server can redirect the Commons Net code to use a different host, but the user has to connect to the malicious server in the first place. This may lead to leakage of information about services running on the private network of the client. The default in version 3.9.0 is now false to ignore such hosts, as cURL does. See https://issues.apache.org/jira/browse/NET-711.
CWE-20 Improper Input Validation

CVSSv3:
  • Base Score: MEDIUM (6.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

References:

Vulnerable Software & Versions:

commons-collections-3.2.2.jar

Description:

Types that extend and augment the Java Collections Framework.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /root/.m2/repository/commons-collections/commons-collections/3.2.2/commons-collections-3.2.2.jar
MD5: f54a8510f834a1a57166970bfc982e94
SHA1: 8ad72fe39fa8c91eaaf12aadb21e0c3661fe26d5
SHA256:eeeae917917144a68a741d4c0dff66aa5c5c5fd85593ff217bced3fc8ca783b8
Referenced In Projects/Scopes:
  • livy-scala-api_2.12:provided
  • livy-integration-test:compile
  • livy-rsc:provided
  • livy-repl-parent:provided
  • livy-test-lib:provided
  • livy-api:provided
  • livy-scala-api_2.11:provided
  • livy-scala-api-parent:provided
  • livy-coverage-report:compile
  • livy-assembly:compile
  • livy-repl_2.12:provided
  • livy-server:compile
  • livy-repl_2.11:provided
  • livy-examples:compile

Identifiers

CVE-2021-37533  

Prior to Apache Commons Net 3.9.0, Net's FTP client trusts the host from PASV response by default. A malicious server can redirect the Commons Net code to use a different host, but the user has to connect to the malicious server in the first place. This may lead to leakage of information about services running on the private network of the client. The default in version 3.9.0 is now false to ignore such hosts, as cURL does. See https://issues.apache.org/jira/browse/NET-711.
CWE-20 Improper Input Validation

CVSSv3:
  • Base Score: MEDIUM (6.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

References:

Vulnerable Software & Versions:

commons-compiler-3.0.9.jar

Description:

The "commons-compiler" API, including the "IExpressionEvaluator", "IScriptEvaluator", "IClassBodyEvaluator" and "ISimpleCompiler" interfaces.

License:

https://raw.githubusercontent.com/janino-compiler/janino/master/LICENSE
File Path: /root/.m2/repository/org/codehaus/janino/commons-compiler/3.0.9/commons-compiler-3.0.9.jar
MD5: 8db21cabe3f77efc36498e43501a4b9d
SHA1: 6aac3c03d02dcab0d59f77ff00b682f5320e54e9
SHA256:d924418b051748034bae80f563499d5c0533c30383525f22aebbeb1d297b9e6e
Referenced In Projects/Scopes:
  • livy-scala-api_2.12:provided
  • livy-scala-api_2.11:provided
  • livy-scala-api-parent:provided
  • livy-repl_2.12:provided
  • livy-rsc:provided
  • livy-repl-parent:provided
  • livy-test-lib:provided
  • livy-repl_2.11:provided
  • livy-examples:compile
  • livy-api:provided

Identifiers

commons-compress-1.4.1.jar

Description:

Apache Commons Compress software defines an API for working with compression and archive formats.
These include: bzip2, gzip, pack200, xz and ar, cpio, jar, tar, zip, dump.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /root/.m2/repository/org/apache/commons/commons-compress/1.4.1/commons-compress-1.4.1.jar
MD5: 7f7ff9255a831325f38a170992b70073
SHA1: b02e84a993d88568417536240e970c4b809126fd
SHA256:28a00d80716f073d644b9da76e94b5e8ff94de8e9323f06f558fba653fcf5f86
Referenced In Projects/Scopes:
  • livy-integration-test:compile
  • livy-coverage-report:compile
  • livy-assembly:compile
  • livy-server:compile
  • livy-rsc:provided

Identifiers

CVE-2021-35517  

When reading a specially crafted TAR archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' tar package.
CWE-770 Allocation of Resources Without Limits or Throttling

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:P
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References:

Vulnerable Software & Versions:

CVE-2021-36090  

When reading a specially crafted ZIP archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' zip package.
NVD-CWE-Other

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:P
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References:

Vulnerable Software & Versions:

CVE-2021-37533  

Prior to Apache Commons Net 3.9.0, Net's FTP client trusts the host from PASV response by default. A malicious server can redirect the Commons Net code to use a different host, but the user has to connect to the malicious server in the first place. This may lead to leakage of information about services running on the private network of the client. The default in version 3.9.0 is now false to ignore such hosts, as cURL does. See https://issues.apache.org/jira/browse/NET-711.
CWE-20 Improper Input Validation

CVSSv3:
  • Base Score: MEDIUM (6.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

References:

Vulnerable Software & Versions:

CVE-2018-11771 (OSSINDEX)  

When reading a specially crafted ZIP archive, the read method of Apache Commons Compress 1.7 to 1.17's ZipArchiveInputStream can fail to return the correct EOF indication after the end of the stream has been reached. When combined with a java.io.InputStreamReader this can lead to an infinite stream, which can be used to mount a denial of service attack against services that use Compress' zip package.
CWE-835 Loop with Unreachable Exit Condition ('Infinite Loop')

CVSSv2:
  • Base Score: MEDIUM (5.5)
  • Vector: /AV:L/AC:L/Au:/C:N/I:N/A:H

References:

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:org.apache.commons:commons-compress:1.4.1:*:*:*:*:*:*:*

commons-compress-1.8.1.jar

Description:

Apache Commons Compress software defines an API for working with compression and archive formats.
These include: bzip2, gzip, pack200, lzma, xz, Snappy, traditional Unix Compress and ar, cpio, jar, tar, zip, dump, 7z, arj.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /root/.m2/repository/org/apache/commons/commons-compress/1.8.1/commons-compress-1.8.1.jar
MD5: d862e30ff6b5d78264677dcd6507abb8
SHA1: a698750c16740fd5b3871425f4cb3bbaa87f529d
SHA256:5fca136503f86ecc6cb61fbd17b137d59e56b45c7a5494e6b8fd3cabd4697fbd
Referenced In Projects/Scopes:
  • livy-scala-api_2.12:provided
  • livy-scala-api_2.11:provided
  • livy-scala-api-parent:provided
  • livy-repl_2.12:provided
  • livy-repl-parent:provided
  • livy-test-lib:provided
  • livy-repl_2.11:provided
  • livy-examples:compile
  • livy-api:provided

Identifiers

CVE-2021-35515  

When reading a specially crafted 7Z archive, the construction of the list of codecs that decompress an entry can result in an infinite loop. This could be used to mount a denial of service attack against services that use Compress' sevenz package.
CWE-835 Loop with Unreachable Exit Condition ('Infinite Loop')

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:P
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References:

Vulnerable Software & Versions:

CVE-2021-35516  

When reading a specially crafted 7Z archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' sevenz package.
CWE-770 Allocation of Resources Without Limits or Throttling

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:P
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References:

Vulnerable Software & Versions:

CVE-2021-35517  

When reading a specially crafted TAR archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' tar package.
CWE-770 Allocation of Resources Without Limits or Throttling

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:P
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References:

Vulnerable Software & Versions:

CVE-2021-36090  

When reading a specially crafted ZIP archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' zip package.
NVD-CWE-Other

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:P
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References:

Vulnerable Software & Versions:

CVE-2021-37533  

Prior to Apache Commons Net 3.9.0, Net's FTP client trusts the host from PASV response by default. A malicious server can redirect the Commons Net code to use a different host, but the user has to connect to the malicious server in the first place. This may lead to leakage of information about services running on the private network of the client. The default in version 3.9.0 is now false to ignore such hosts, as cURL does. See https://issues.apache.org/jira/browse/NET-711.
CWE-20 Improper Input Validation

CVSSv3:
  • Base Score: MEDIUM (6.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

References:

Vulnerable Software & Versions:

CVE-2018-11771  

When reading a specially crafted ZIP archive, the read method of Apache Commons Compress 1.7 to 1.17's ZipArchiveInputStream can fail to return the correct EOF indication after the end of the stream has been reached. When combined with a java.io.InputStreamReader this can lead to an infinite stream, which can be used to mount a denial of service attack against services that use Compress' zip package.
CWE-835 Loop with Unreachable Exit Condition ('Infinite Loop')

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:N/A:P
CVSSv3:
  • Base Score: MEDIUM (5.5)
  • Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

References:

Vulnerable Software & Versions:

commons-configuration-1.6.jar

Description:

Tools to assist in the reading of configuration/preferences files in various formats.

License:

The Apache Software License, Version 2.0: /LICENSE.txt
File Path: /root/.m2/repository/commons-configuration/commons-configuration/1.6/commons-configuration-1.6.jar
MD5: b099d9f9b4b99071cc52b259308df69a
SHA1: 32cadde23955d7681b0d94a2715846d20b425235
SHA256:46b71b9656154f6a16ea4b1dc84026b52a9305f8eff046a2b4655fa1738e5eee
Referenced In Projects/Scopes:
  • livy-scala-api_2.12:provided
  • livy-integration-test:compile
  • livy-rsc:provided
  • livy-repl-parent:provided
  • livy-test-lib:provided
  • livy-api:provided
  • livy-scala-api_2.11:provided
  • livy-scala-api-parent:provided
  • livy-coverage-report:compile
  • livy-assembly:compile
  • livy-repl_2.12:provided
  • livy-server:compile
  • livy-repl_2.11:provided
  • livy-examples:compile

Identifiers

CVE-2021-37533  

Prior to Apache Commons Net 3.9.0, Net's FTP client trusts the host from PASV response by default. A malicious server can redirect the Commons Net code to use a different host, but the user has to connect to the malicious server in the first place. This may lead to leakage of information about services running on the private network of the client. The default in version 3.9.0 is now false to ignore such hosts, as cURL does. See https://issues.apache.org/jira/browse/NET-711.
CWE-20 Improper Input Validation

CVSSv3:
  • Base Score: MEDIUM (6.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

References:

Vulnerable Software & Versions:

commons-crypto-1.0.0.jar

Description:

Apache Commons Crypto is a cryptographic library optimized with AES-NI (Advanced Encryption Standard New Instructions). It provides a Java API at both the cipher level and the Java stream level. Developers can use it to implement high-performance AES encryption/decryption with minimal code and effort. Please note that Crypto doesn't implement cryptographic algorithms such as AES directly; it wraps OpenSSL or JCE, which implement the algorithms.

Features

  • Cipher API for low-level cryptographic operations.
  • Java stream API (CryptoInputStream/CryptoOutputStream) for high-level stream encryption/decryption.
  • Both optimized for high-performance AES encryption/decryption (1400 MB/s - 1700 MB/s throughput on modern Xeon processors).
  • JNI-based implementation to achieve performance comparable to the native C++ version based on OpenSSL.
  • Portable across various operating systems (currently only Linux/MacOSX/Windows); Apache Commons Crypto loads the library according to your machine environment (it checks the system properties `os.name` and `os.arch`).
  • Simple usage: add the commons-crypto-(version).jar file to your classpath.

Export restrictions

This distribution includes cryptographic software. The country in which you currently reside may have restrictions on the import, possession, use, and/or re-export to another country, of encryption software. BEFORE using any encryption software, please check your country's laws, regulations and policies concerning the import, possession, or use, and re-export of encryption software, to see if this is permitted. See for more information. The U.S. Government Department of Commerce, Bureau of Industry and Security (BIS), has classified this software as Export Commodity Control Number (ECCN) 5D002.C.1, which includes information security software using or performing cryptographic functions with asymmetric algorithms.

The form and manner of this Apache Software Foundation distribution makes it eligible for export under the License Exception ENC Technology Software Unrestricted (TSU) exception (see the BIS Export Administration Regulations, Section 740.13) for both object code and source code. The following provides more details on the included cryptographic software:

  • Commons Crypto uses the Java Cryptography Extension (http://docs.oracle.com/javase/8/docs/technotes/guides/security/crypto/CryptoSpec.html) provided by Java
  • Commons Crypto links to and uses OpenSSL (https://www.openssl.org/) ciphers

License:

Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /root/.m2/repository/org/apache/commons/commons-crypto/1.0.0/commons-crypto-1.0.0.jar
MD5: 981c95e38457b10d429090496b96f2d6
SHA1: 7938f66b01f62f03ef8af8a64401e85e45d51c5d
SHA256: 0043d8d74d8df632c57f938828e6f6efd555e293a9079dcdf59eab8e40107491
Referenced In Projects/Scopes:
  • livy-scala-api_2.12:provided
  • livy-scala-api_2.11:provided
  • livy-scala-api-parent:provided
  • livy-repl_2.12:provided
  • livy-rsc:provided
  • livy-repl-parent:provided
  • livy-test-lib:provided
  • livy-repl_2.11:provided
  • livy-examples:compile
  • livy-api:provided

Identifiers

CVE-2021-37533  

Prior to Apache Commons Net 3.9.0, Net's FTP client trusts the host from PASV response by default. A malicious server can redirect the Commons Net code to use a different host, but the user has to connect to the malicious server in the first place. This may lead to leakage of information about services running on the private network of the client. The default in version 3.9.0 is now false to ignore such hosts, as cURL does. See https://issues.apache.org/jira/browse/NET-711.
CWE-20 Improper Input Validation

CVSSv3:
  • Base Score: MEDIUM (6.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

References:

Vulnerable Software & Versions:

commons-crypto-1.0.0.jar: commons-crypto.dll

File Path: /root/.m2/repository/org/apache/commons/commons-crypto/1.0.0/commons-crypto-1.0.0.jar/org/apache/commons/crypto/native/Windows/x86/commons-crypto.dll
MD5: 80df8a7e2032790a467db967ce60182e
SHA1: 2a8efda075679e8a913347c52f409015b4ce2e96
SHA256: 02e008efb98e14d5b1f16a2219f71ad179ff301bed5a2267883c28d74bcfe6be
Referenced In Projects/Scopes:

  • livy-scala-api_2.12:provided
  • livy-scala-api_2.11:provided
  • livy-scala-api-parent:provided
  • livy-repl_2.12:provided
  • livy-rsc:provided
  • livy-repl-parent:provided
  • livy-test-lib:provided
  • livy-repl_2.11:provided
  • livy-examples:compile
  • livy-api:provided

Identifiers

  • None

commons-crypto-1.0.0.jar: commons-crypto.dll

File Path: /root/.m2/repository/org/apache/commons/commons-crypto/1.0.0/commons-crypto-1.0.0.jar/org/apache/commons/crypto/native/Windows/x86_64/commons-crypto.dll
MD5: a330d40c0b4016e6fcff609473eeb44e
SHA1: ed34492e05a31791856eaecdd436db9a875926eb
SHA256: 6d8783ac18bc5f770af7371fcf9684af4b531cad982e62ffe508fca22afa573f
Referenced In Projects/Scopes:

  • livy-scala-api_2.12:provided
  • livy-scala-api_2.11:provided
  • livy-scala-api-parent:provided
  • livy-repl_2.12:provided
  • livy-rsc:provided
  • livy-repl-parent:provided
  • livy-test-lib:provided
  • livy-repl_2.11:provided
  • livy-examples:compile
  • livy-api:provided

Identifiers

  • None

commons-daemon-1.0.13.jar

Description:

Apache Commons Daemon software provides an alternative invocation mechanism for unix-daemon-like Java code.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /root/.m2/repository/commons-daemon/commons-daemon/1.0.13/commons-daemon-1.0.13.jar
MD5: 686f1a2cc85f8f4e939bd3cd28c9720b
SHA1: 750856a1fdb3ddf721ccf73c3518e4211cffc3a3
SHA256: fd63b583fd3e8baeae22efacbd5a4f91c1fd97f56248e62e2615efa7b81daeaa
Referenced In Project/Scope: livy-integration-test:compile

Identifiers

CVE-2021-37533  

Prior to Apache Commons Net 3.9.0, Net's FTP client trusts the host from PASV response by default. A malicious server can redirect the Commons Net code to use a different host, but the user has to connect to the malicious server in the first place. This may lead to leakage of information about services running on the private network of the client. The default in version 3.9.0 is now false to ignore such hosts, as cURL does. See https://issues.apache.org/jira/browse/NET-711.
CWE-20 Improper Input Validation

CVSSv3:
  • Base Score: MEDIUM (6.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

References:

Vulnerable Software & Versions:

commons-dbcp-1.4.jar

Description:

Commons Database Connection Pooling

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /root/.m2/repository/commons-dbcp/commons-dbcp/1.4/commons-dbcp-1.4.jar
MD5: b004158fab904f37f5831860898b3cd9
SHA1: 30be73c965cc990b153a100aaaaafcf239f82d39
SHA256: a6e2d83551d0e5b59aa942359f3010d35e79365e6552ad3dbaa6776e4851e4f6
Referenced In Projects/Scopes:
  • livy-scala-api_2.12:provided
  • livy-scala-api_2.11:provided
  • livy-scala-api-parent:provided
  • livy-repl_2.12:provided
  • livy-rsc:provided
  • livy-repl-parent:provided
  • livy-test-lib:provided
  • livy-repl_2.11:provided
  • livy-examples:compile
  • livy-api:provided

Identifiers

CVE-2021-37533  

Prior to Apache Commons Net 3.9.0, Net's FTP client trusts the host from PASV response by default. A malicious server can redirect the Commons Net code to use a different host, but the user has to connect to the malicious server in the first place. This may lead to leakage of information about services running on the private network of the client. The default in version 3.9.0 is now false to ignore such hosts, as cURL does. See https://issues.apache.org/jira/browse/NET-711.
CWE-20 Improper Input Validation

CVSSv3:
  • Base Score: MEDIUM (6.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

References:

Vulnerable Software & Versions:

commons-digester-1.8.jar

Description:

The Digester package lets you configure an XML->Java object mapping module which triggers certain actions called rules whenever a particular pattern of nested XML elements is recognized.

License:

The Apache Software License, Version 2.0: /LICENSE.txt
File Path: /root/.m2/repository/commons-digester/commons-digester/1.8/commons-digester-1.8.jar
MD5: cf89c593f0378e9509a06fce7030aeba
SHA1: dc6a73fdbd1fa3f0944e8497c6c872fa21dca37e
SHA256: 05662373044f3dff112567b7bb5dfa1174e91e074c0c727b4412788013f49d56
Referenced In Projects/Scopes:
  • livy-scala-api_2.12:provided
  • livy-integration-test:compile
  • livy-rsc:provided
  • livy-repl-parent:provided
  • livy-test-lib:provided
  • livy-api:provided
  • livy-scala-api_2.11:provided
  • livy-scala-api-parent:provided
  • livy-coverage-report:compile
  • livy-assembly:compile
  • livy-repl_2.12:provided
  • livy-server:compile
  • livy-repl_2.11:provided
  • livy-examples:compile

Identifiers

CVE-2021-37533  

Prior to Apache Commons Net 3.9.0, Net's FTP client trusts the host from PASV response by default. A malicious server can redirect the Commons Net code to use a different host, but the user has to connect to the malicious server in the first place. This may lead to leakage of information about services running on the private network of the client. The default in version 3.9.0 is now false to ignore such hosts, as cURL does. See https://issues.apache.org/jira/browse/NET-711.
CWE-20 Improper Input Validation

CVSSv3:
  • Base Score: MEDIUM (6.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

References:

Vulnerable Software & Versions:

commons-httpclient-3.1.jar

Description:

The HttpClient component supports the client-side of RFC 1945 (HTTP/1.0) and RFC 2616 (HTTP/1.1), several related specifications (RFC 2109 (Cookies), RFC 2617 (HTTP Authentication), etc.), and provides a framework by which new request types (methods) or HTTP extensions can be created easily.

License:

Apache License: http://www.apache.org/licenses/LICENSE-2.0
File Path: /root/.m2/repository/commons-httpclient/commons-httpclient/3.1/commons-httpclient-3.1.jar
MD5: 8ad8c9229ef2d59ab9f59f7050e846a5
SHA1: 964cd74171f427720480efdec40a7c7f6e58426a
SHA256: dbd4953d013e10e7c1cc3701a3e6ccd8c950c892f08d804fabfac21705930443
Referenced In Projects/Scopes:
  • livy-scala-api_2.12:provided
  • livy-integration-test:compile
  • livy-rsc:provided
  • livy-repl-parent:provided
  • livy-test-lib:provided
  • livy-api:provided
  • livy-scala-api_2.11:provided
  • livy-scala-api-parent:provided
  • livy-coverage-report:compile
  • livy-assembly:compile
  • livy-repl_2.12:provided
  • livy-server:compile
  • livy-repl_2.11:provided
  • livy-examples:compile

Identifiers

CVE-2021-37533  

Prior to Apache Commons Net 3.9.0, Net's FTP client trusts the host from PASV response by default. A malicious server can redirect the Commons Net code to use a different host, but the user has to connect to the malicious server in the first place. This may lead to leakage of information about services running on the private network of the client. The default in version 3.9.0 is now false to ignore such hosts, as cURL does. See https://issues.apache.org/jira/browse/NET-711.
CWE-20 Improper Input Validation

CVSSv3:
  • Base Score: MEDIUM (6.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

References:

Vulnerable Software & Versions:

CVE-2012-5783  

Apache Commons HttpClient 3.x, as used in Amazon Flexible Payments Service (FPS) merchant Java SDK and other products, does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.
CWE-295 Improper Certificate Validation

CVSSv2:
  • Base Score: MEDIUM (5.8)
  • Vector: /AV:N/AC:M/Au:N/C:P/I:P/A:N

References:

Vulnerable Software & Versions:

CVE-2020-13956  

Apache HttpClient versions prior to version 4.5.13 and 5.0.3 can misinterpret malformed authority component in request URIs passed to the library as java.net.URI object and pick the wrong target host for request execution.
NVD-CWE-noinfo

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (5.3)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

References:

Vulnerable Software & Versions:

commons-io-2.4.jar

Description:

The Commons IO library contains utility classes, stream implementations, file filters, file comparators, endian transformation classes, and much more.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /root/.m2/repository/commons-io/commons-io/2.4/commons-io-2.4.jar
MD5: 7f97854dc04c119d461fed14f5d8bb96
SHA1: b1b6ea3b7e4aa4f492509a4952029cd8e48019ad
SHA256: cc6a41dc3eaacc9e440a6bd0d2890b20d36b4ee408fe2d67122f328bb6e01581
Referenced In Projects/Scopes:
  • livy-scala-api_2.12:provided
  • livy-rsc:provided
  • livy-repl-parent:provided
  • livy-test-lib:provided
  • livy-api:provided
  • livy-scala-api_2.11:provided
  • livy-scala-api-parent:provided
  • livy-assembly:compile
  • livy-repl_2.12:provided
  • livy-server:compile
  • livy-repl_2.11:provided
  • livy-examples:compile

Identifiers

CVE-2021-37533  

Prior to Apache Commons Net 3.9.0, Net's FTP client trusts the host from PASV response by default. A malicious server can redirect the Commons Net code to use a different host, but the user has to connect to the malicious server in the first place. This may lead to leakage of information about services running on the private network of the client. The default in version 3.9.0 is now false to ignore such hosts, as cURL does. See https://issues.apache.org/jira/browse/NET-711.
CWE-20 Improper Input Validation

CVSSv3:
  • Base Score: MEDIUM (6.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

References:

Vulnerable Software & Versions:

CVE-2021-29425  

In Apache Commons IO before 2.7, when invoking the method FileNameUtils.normalize with an improper input string, like "//../foo", or "\\..\foo", the result would be the same value, thus possibly providing access to files in the parent directory, but not further above (thus "limited" path traversal), if the calling code would use the result to construct a path value.
CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVSSv2:
  • Base Score: MEDIUM (5.8)
  • Vector: /AV:N/AC:M/Au:N/C:P/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (4.8)
  • Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

References:

Vulnerable Software & Versions:

commons-io-2.5.jar

Description:

The Apache Commons IO library contains utility classes, stream implementations, file filters, file comparators, endian transformation classes, and much more.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /root/.m2/repository/commons-io/commons-io/2.5/commons-io-2.5.jar
MD5: e2d74794fba570ec2115fb9d5b05dc9b
SHA1: 2852e6e05fbb95076fc091f6d1780f1f8fe35e0f
SHA256: a10418348d234968600ccb1d988efcbbd08716e1d96936ccc1880e7d22513474
Referenced In Projects/Scopes:
  • livy-integration-test:compile
  • livy-coverage-report:compile

Identifiers

CVE-2021-37533  

Prior to Apache Commons Net 3.9.0, Net's FTP client trusts the host from PASV response by default. A malicious server can redirect the Commons Net code to use a different host, but the user has to connect to the malicious server in the first place. This may lead to leakage of information about services running on the private network of the client. The default in version 3.9.0 is now false to ignore such hosts, as cURL does. See https://issues.apache.org/jira/browse/NET-711.
CWE-20 Improper Input Validation

CVSSv3:
  • Base Score: MEDIUM (6.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

References:

Vulnerable Software & Versions:

CVE-2021-29425  

In Apache Commons IO before 2.7, when invoking the method FileNameUtils.normalize with an improper input string, like "//../foo", or "\\..\foo", the result would be the same value, thus possibly providing access to files in the parent directory, but not further above (thus "limited" path traversal), if the calling code would use the result to construct a path value.
CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVSSv2:
  • Base Score: MEDIUM (5.8)
  • Vector: /AV:N/AC:M/Au:N/C:P/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (4.8)
  • Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

References:

Vulnerable Software & Versions:

commons-lang-2.6.jar

Description:

Commons Lang, a package of Java utility classes for the classes that are in java.lang's hierarchy, or are considered to be so standard as to justify existence in java.lang.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /root/.m2/repository/commons-lang/commons-lang/2.6/commons-lang-2.6.jar
MD5: 4d5c1693079575b362edf41500630bbd
SHA1: 0ce1edb914c94ebc388f086c6827e8bdeec71ac2
SHA256: 50f11b09f877c294d56f24463f47d28f929cf5044f648661c0f0cfbae9a2f49c
Referenced In Projects/Scopes:
  • livy-scala-api_2.12:provided
  • livy-integration-test:compile
  • livy-rsc:provided
  • livy-repl-parent:provided
  • livy-test-lib:provided
  • livy-api:provided
  • livy-scala-api_2.11:provided
  • livy-scala-api-parent:provided
  • livy-coverage-report:compile
  • livy-assembly:compile
  • livy-repl_2.12:provided
  • livy-server:compile
  • livy-repl_2.11:provided
  • livy-examples:compile

Identifiers

CVE-2021-37533  

Prior to Apache Commons Net 3.9.0, Net's FTP client trusts the host from PASV response by default. A malicious server can redirect the Commons Net code to use a different host, but the user has to connect to the malicious server in the first place. This may lead to leakage of information about services running on the private network of the client. The default in version 3.9.0 is now false to ignore such hosts, as cURL does. See https://issues.apache.org/jira/browse/NET-711.
CWE-20 Improper Input Validation

CVSSv3:
  • Base Score: MEDIUM (6.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

References:

Vulnerable Software & Versions:

commons-lang3-3.5.jar

Description:

Apache Commons Lang, a package of Java utility classes for the classes that are in java.lang's hierarchy, or are considered to be so standard as to justify existence in java.lang.

License:

https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /root/.m2/repository/org/apache/commons/commons-lang3/3.5/commons-lang3-3.5.jar
MD5: 780b5a8b72eebe6d0dbff1c11b5658fa
SHA1: 6c6c702c89bfff3cd9e80b04d668c5e190d588c6
SHA256: 8ac96fc686512d777fca85e144f196cd7cfe0c0aec23127229497d1a38ff651c
Referenced In Projects/Scopes:
  • livy-scala-api_2.12:provided
  • livy-scala-api_2.11:provided
  • livy-scala-api-parent:provided
  • livy-integration-test:compile
  • livy-repl_2.12:provided
  • livy-rsc:provided
  • livy-repl-parent:provided
  • livy-test-lib:provided
  • livy-repl_2.11:provided
  • livy-examples:compile
  • livy-api:provided

Identifiers

CVE-2021-37533  

Prior to Apache Commons Net 3.9.0, Net's FTP client trusts the host from PASV response by default. A malicious server can redirect the Commons Net code to use a different host, but the user has to connect to the malicious server in the first place. This may lead to leakage of information about services running on the private network of the client. The default in version 3.9.0 is now false to ignore such hosts, as cURL does. See https://issues.apache.org/jira/browse/NET-711.
CWE-20 Improper Input Validation

CVSSv3:
  • Base Score: MEDIUM (6.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

References:

Vulnerable Software & Versions:

commons-lang3-3.6.jar

Description:

Apache Commons Lang, a package of Java utility classes for the classes that are in java.lang's hierarchy, or are considered to be so standard as to justify existence in java.lang.

License:

https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /root/.m2/repository/org/apache/commons/commons-lang3/3.6/commons-lang3-3.6.jar
MD5: 5d18f68b5122fd398c118df53ab4cf55
SHA1: 9d28a6b23650e8a7e9063c04588ace6cf7012c17
SHA256: 89c27f03fff18d0b06e7afd7ef25e209766df95b6c1269d6c3ebbdea48d5f284
Referenced In Projects/Scopes:
  • livy-coverage-report:compile
  • livy-assembly:compile
  • livy-server:compile

Identifiers

CVE-2021-37533  

Prior to Apache Commons Net 3.9.0, Net's FTP client trusts the host from PASV response by default. A malicious server can redirect the Commons Net code to use a different host, but the user has to connect to the malicious server in the first place. This may lead to leakage of information about services running on the private network of the client. The default in version 3.9.0 is now false to ignore such hosts, as cURL does. See https://issues.apache.org/jira/browse/NET-711.
CWE-20 Improper Input Validation

CVSSv3:
  • Base Score: MEDIUM (6.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

References:

Vulnerable Software & Versions:

commons-logging-1.1.3.jar

Description:

Commons Logging is a thin adapter allowing configurable bridging to other, well known logging systems.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /root/.m2/repository/commons-logging/commons-logging/1.1.3/commons-logging-1.1.3.jar
MD5: 92eb5aabc1b47287de53d45c086a435c
SHA1: f6f66e966c70a83ffbdb6f17a0919eaf7c8aca7f
SHA256: 70903f6fc82e9908c8da9f20443f61d90f0870a312642991fe8462a0b9391784
Referenced In Projects/Scopes:
  • livy-scala-api_2.12:provided
  • livy-scala-api_2.11:provided
  • livy-scala-api-parent:provided
  • livy-integration-test:compile
  • livy-repl_2.12:provided
  • livy-rsc:provided
  • livy-repl-parent:provided
  • livy-test-lib:provided
  • livy-repl_2.11:provided
  • livy-api:provided

Identifiers

CVE-2021-37533  

Prior to Apache Commons Net 3.9.0, Net's FTP client trusts the host from PASV response by default. A malicious server can redirect the Commons Net code to use a different host, but the user has to connect to the malicious server in the first place. This may lead to leakage of information about services running on the private network of the client. The default in version 3.9.0 is now false to ignore such hosts, as cURL does. See https://issues.apache.org/jira/browse/NET-711.
CWE-20 Improper Input Validation

CVSSv3:
  • Base Score: MEDIUM (6.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

References:

Vulnerable Software & Versions:

commons-logging-1.2.jar

Description:

Apache Commons Logging is a thin adapter allowing configurable bridging to other, well known logging systems.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /root/.m2/repository/commons-logging/commons-logging/1.2/commons-logging-1.2.jar
MD5: 040b4b4d8eac886f6b4a2a3bd2f31b00
SHA1: 4bfc12adfe4842bf07b657f0369c4cb522955686
SHA256: daddea1ea0be0f56978ab3006b8ac92834afeefbd9b7e4e6316fca57df0fa636
Referenced In Projects/Scopes:
  • livy-coverage-report:compile
  • livy-assembly:compile
  • livy-server:compile
  • livy-examples:compile
  • livy-client-http:compile

Identifiers

CVE-2021-37533  

Prior to Apache Commons Net 3.9.0, Net's FTP client trusts the host from PASV response by default. A malicious server can redirect the Commons Net code to use a different host, but the user has to connect to the malicious server in the first place. This may lead to leakage of information about services running on the private network of the client. The default in version 3.9.0 is now false to ignore such hosts, as cURL does. See https://issues.apache.org/jira/browse/NET-711.
CWE-20 Improper Input Validation

CVSSv3:
  • Base Score: MEDIUM (6.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

References:

Vulnerable Software & Versions:

commons-math3-3.1.1.jar

Description:

The Math project is a library of lightweight, self-contained mathematics and statistics components addressing the most common practical problems not immediately available in the Java programming language or commons-lang.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /root/.m2/repository/org/apache/commons/commons-math3/3.1.1/commons-math3-3.1.1.jar
MD5: 505ece0d2261b037101e6c4bdf541ca7
SHA1: 6719d757a98ff24a83d9d727bef9cec83f59b6e1
SHA256: a07e39d31c46032879f0a48ae1bd0142b17dd67664c008b50216e9891f346c54
Referenced In Projects/Scopes:
  • livy-integration-test:compile
  • livy-coverage-report:compile
  • livy-assembly:compile

Identifiers

CVE-2021-37533  

Prior to Apache Commons Net 3.9.0, Net's FTP client trusts the host from PASV response by default. A malicious server can redirect the Commons Net code to use a different host, but the user has to connect to the malicious server in the first place. This may lead to leakage of information about services running on the private network of the client. The default in version 3.9.0 is now false to ignore such hosts, as cURL does. See https://issues.apache.org/jira/browse/NET-711.
CWE-20 Improper Input Validation

CVSSv3:
  • Base Score: MEDIUM (6.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

References:

Vulnerable Software & Versions:

commons-math3-3.4.1.jar

Description:

The Apache Commons Math project is a library of lightweight, self-contained mathematics and statistics components addressing the most common practical problems not immediately available in the Java programming language or commons-lang.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /root/.m2/repository/org/apache/commons/commons-math3/3.4.1/commons-math3-3.4.1.jar
MD5: 14a218d0ee57907dd2c7ef944b6c0afd
SHA1: 3ac44a8664228384bc68437264cf7c4cf112f579
SHA256: d1075b14a71087038b0bfd198f0f7dd8e49b5b3529d8e2eba99e7d9eb8565e4b
Referenced In Projects/Scopes:
  • livy-scala-api_2.12:provided
  • livy-scala-api_2.11:provided
  • livy-scala-api-parent:provided
  • livy-repl_2.12:provided
  • livy-server:compile
  • livy-rsc:provided
  • livy-repl-parent:provided
  • livy-test-lib:provided
  • livy-repl_2.11:provided
  • livy-examples:compile
  • livy-api:provided

Identifiers

CVE-2021-37533  

Prior to Apache Commons Net 3.9.0, Net's FTP client trusts the host from PASV response by default. A malicious server can redirect the Commons Net code to use a different host, but the user has to connect to the malicious server in the first place. This may lead to leakage of information about services running on the private network of the client. The default in version 3.9.0 is now false to ignore such hosts, as cURL does. See https://issues.apache.org/jira/browse/NET-711.
CWE-20 Improper Input Validation

CVSSv3:
  • Base Score: MEDIUM (6.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

References:

Vulnerable Software & Versions:

commons-net-3.1.jar

Description:

Apache Commons Net library contains a collection of network utilities and protocol implementations.
Supported protocols include: Echo, Finger, FTP, NNTP, NTP, POP3(S), SMTP(S), Telnet, Whois

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /root/.m2/repository/commons-net/commons-net/3.1/commons-net-3.1.jar
MD5: 23c94d51e72f341fb412d6a015e16313
SHA1: 2298164a7c2484406f2aa5ac85b205d39019896f
SHA256: 34a58d6d80a50748307e674ec27b4411e6536fd12e78bec428eb2ee49a123007
Referenced In Projects/Scopes:
  • livy-scala-api_2.12:provided
  • livy-integration-test:compile
  • livy-rsc:provided
  • livy-repl-parent:provided
  • livy-test-lib:provided
  • livy-api:provided
  • livy-scala-api_2.11:provided
  • livy-scala-api-parent:provided
  • livy-coverage-report:compile
  • livy-assembly:compile
  • livy-repl_2.12:provided
  • livy-server:compile
  • livy-repl_2.11:provided
  • livy-examples:compile

Identifiers

CVE-2021-37533  

Prior to Apache Commons Net 3.9.0, Net's FTP client trusts the host from PASV response by default. A malicious server can redirect the Commons Net code to use a different host, but the user has to connect to the malicious server in the first place. This may lead to leakage of information about services running on the private network of the client. The default in version 3.9.0 is now false to ignore such hosts, as cURL does. See https://issues.apache.org/jira/browse/NET-711.
CWE-20 Improper Input Validation

CVSSv3:
  • Base Score: MEDIUM (6.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

References:

Vulnerable Software & Versions:

commons-pool-1.5.4.jar

Description:

Commons Object Pooling Library

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /root/.m2/repository/commons-pool/commons-pool/1.5.4/commons-pool-1.5.4.jar
MD5: 80e9d1cbd70542f4f293793d109679a9
SHA1: 75b6e20c596ed2945a259cea26d7fadd298398e6
SHA256: 22095672ac3ad6503e42ec6d4cbc330cd1318040223f6c5d9605473b6d2aa0fd
Referenced In Projects/Scopes:
  • livy-scala-api_2.12:provided
  • livy-scala-api_2.11:provided
  • livy-scala-api-parent:provided
  • livy-repl_2.12:provided
  • livy-rsc:provided
  • livy-repl-parent:provided
  • livy-test-lib:provided
  • livy-repl_2.11:provided
  • livy-examples:compile
  • livy-api:provided

Identifiers

CVE-2021-37533  

Prior to Apache Commons Net 3.9.0, Net's FTP client trusts the host from PASV response by default. A malicious server can redirect the Commons Net code to use a different host, but the user has to connect to the malicious server in the first place. This may lead to leakage of information about services running on the private network of the client. The default in version 3.9.0 is now false to ignore such hosts, as cURL does. See https://issues.apache.org/jira/browse/NET-711.
CWE-20 Improper Input Validation

CVSSv3:
  • Base Score: MEDIUM (6.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

References:

Vulnerable Software & Versions:

compress-lzf-1.0.3.jar

Description:

Compression codec for LZF encoding for particularly encoding/decoding, with reasonable compression.
Compressor is basic Lempel-Ziv codec, without Huffman (deflate/gzip) or statistical post-encoding.
See "http://oldhome.schmorp.de/marc/liblzf.html" for more on original LZF package.

License:

Apache License 2.0: http://www.apache.org/licenses/LICENSE-2.0.html
File Path: /root/.m2/repository/com/ning/compress-lzf/1.0.3/compress-lzf-1.0.3.jar
MD5: dc55ed6fe0bbad93bbf38331768ba1b4
SHA1: 3e1495b0c532ebe58f1c8b1c5d9b3bdcc6c1504c
SHA256: 6cf93bda1c2caf618652f97d2f36c883a5a9774345384c05d3593b173731bccd
Referenced In Projects/Scopes:
  • livy-scala-api_2.12:provided
  • livy-scala-api_2.11:provided
  • livy-scala-api-parent:provided
  • livy-repl_2.12:provided
  • livy-rsc:provided
  • livy-repl-parent:provided
  • livy-test-lib:provided
  • livy-repl_2.11:provided
  • livy-examples:compile
  • livy-api:provided

Identifiers

core-1.1.2.jar

File Path: /root/.m2/repository/com/github/fommil/netlib/core/1.1.2/core-1.1.2.jar
MD5: ab845840ad73fa2ec1a5025a7c48b97e
SHA1: 574b480eca62f535fad6d259e144fee3ef24b66e
SHA256: 5ffaddee0a3f8d09a56064aa05feb95837ddad9d42d9dcc37479c66e869aa139
Referenced In Projects/Scopes:

  • livy-repl_2.12:provided
  • livy-repl-parent:provided
  • livy-repl_2.11:provided

Identifiers

curator-client-2.7.1.jar

Description:

Low-level API

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /root/.m2/repository/org/apache/curator/curator-client/2.7.1/curator-client-2.7.1.jar
MD5: 3b43933c18d1dcf15f88db73ee646396
SHA1: a591dfc085db3e9d4d480381cc7e6ae8a26b34af
SHA256: 949ac95323bb13b4d9cde33ab1ca73f07a87e6e43cf76629e89fdd74d5b378e4
Referenced In Projects/Scopes:
  • livy-scala-api_2.12:provided
  • livy-integration-test:compile
  • livy-rsc:provided
  • livy-repl-parent:provided
  • livy-test-lib:provided
  • livy-api:provided
  • livy-scala-api_2.11:provided
  • livy-scala-api-parent:provided
  • livy-coverage-report:compile
  • livy-assembly:compile
  • livy-repl_2.12:provided
  • livy-server:compile
  • livy-repl_2.11:provided
  • livy-examples:compile

Identifiers

curator-framework-2.6.0.jar

Description:

High-level API that greatly simplifies using ZooKeeper.

License:

file:///Users/cam/Documents/workspace/curator/target/checkout/curator-framework/LICENSE
File Path: /root/.m2/repository/org/apache/curator/curator-framework/2.6.0/curator-framework-2.6.0.jar
MD5: 673657556b6616c318884e1b0ead0c0b
SHA1: 81a699c39d127b5b4ff97cc77da7650b53e5b5ed
SHA256: 3a76e2185663750b20713101f6b08cb941ec32851544c61d778262fd88b17735
Referenced In Projects/Scopes:
  • livy-scala-api_2.12:provided
  • livy-scala-api_2.11:provided
  • livy-scala-api-parent:provided
  • livy-repl_2.12:provided
  • livy-rsc:provided
  • livy-repl-parent:provided
  • livy-test-lib:provided
  • livy-repl_2.11:provided
  • livy-examples:compile
  • livy-api:provided

Identifiers

curator-framework-2.7.1.jar

Description:

High-level API that greatly simplifies using ZooKeeper.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /root/.m2/repository/org/apache/curator/curator-framework/2.7.1/curator-framework-2.7.1.jar
MD5: 35bff30d2a79a8b0731269604b1327ee
SHA1: 8c7b1eeb78e43bb91ea737111ba3dec0512be876
SHA256: a65e3f515b022d84d86c553c99216e384bc82d1de51b5a32b10f33314ad81ceb
Referenced In Projects/Scopes:
  • livy-integration-test:compile
  • livy-coverage-report:compile
  • livy-assembly:compile
  • livy-server:compile

Identifiers

curator-recipes-2.6.0.jar

Description:

All of the recipes listed on the ZooKeeper recipes doc (except two phase commit).

License:

file:///Users/cam/Documents/workspace/curator/target/checkout/curator-recipes/LICENSE
File Path: /root/.m2/repository/org/apache/curator/curator-recipes/2.6.0/curator-recipes-2.6.0.jar
MD5: 8e70a808344647a65033b30690ea01ed
SHA1: 8736b0fc42e6bf006d585fe85c90aaa4ade5cbef
SHA256: cdf18d26a96276646d69cd82ac0d8dd5d437c4786b1dbbaae02b1eaf0aaa327e
Referenced In Projects/Scopes:
  • livy-scala-api_2.12:provided
  • livy-scala-api_2.11:provided
  • livy-scala-api-parent:provided
  • livy-repl_2.12:provided
  • livy-rsc:provided
  • livy-repl-parent:provided
  • livy-test-lib:provided
  • livy-repl_2.11:provided
  • livy-examples:compile
  • livy-api:provided

Identifiers

curator-recipes-2.7.1.jar

Description:

All of the recipes listed on the ZooKeeper recipes doc (except two phase commit).

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /root/.m2/repository/org/apache/curator/curator-recipes/2.7.1/curator-recipes-2.7.1.jar
MD5: 156ad30fb9995b072175ae60fbb352a5
SHA1: a2c180efc6a38a4f8c9197eb35bb4eb5716cd2fa
SHA256: ce122f137e36268e30082bf1565c51d874ca926801be3ca73b3c0d522b0dfe2c
Referenced In Projects/Scopes:
  • livy-integration-test:compile
  • livy-coverage-report:compile
  • livy-assembly:compile
  • livy-server:compile

Identifiers

dataTables.bootstrap.min.js

File Path: /workspace/server/src/main/resources/org/apache/livy/server/ui/static/js/dataTables.bootstrap.min.js
MD5: 19b11075f9b46a3cd26fb39a6f252b5d
SHA1: 44074789abea496fc9402979617f7d815d5cc7a2
SHA256: 5ffe7cb3959b946300c3d4a90edaa757c74b44d09ac2cc86c0daa7643d097bfb
Referenced In Project/Scope: livy-server

Identifiers

  • None

datanucleus-api-jdo-3.2.6.jar

Description:

Plugin providing DataNucleus implementation of the JDO API.

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /root/.m2/repository/org/datanucleus/datanucleus-api-jdo/3.2.6/datanucleus-api-jdo-3.2.6.jar
MD5: ee20159b2f4995090a3650d8e0ea7b2f
SHA1: cb21100ecc0d2e80dfd62067046c8a2a25a95c50
SHA256: 3780b008de45ea0599ec6e636f72694ff781028abc044fe5a49adf42d9560da2
Referenced In Projects/Scopes:
  • livy-scala-api_2.12:provided
  • livy-scala-api_2.11:provided
  • livy-scala-api-parent:provided
  • livy-repl_2.12:provided
  • livy-rsc:provided
  • livy-repl-parent:provided
  • livy-test-lib:provided
  • livy-repl_2.11:provided
  • livy-examples:compile
  • livy-api:provided

Identifiers

datanucleus-core-3.2.10.jar

Description:

DataNucleus Core provides the primary components of a heterogeneous Java persistence solution. It supports persistence APIs being layered on top of the core functionality.

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /root/.m2/repository/org/datanucleus/datanucleus-core/3.2.10/datanucleus-core-3.2.10.jar
MD5: 8ed6c39b31ea8cd355a791df3d0c4888
SHA1: 7ad66634f30d7c6a06373475e94bcfbe65e2648e
SHA256: 6125a714a581b7fe538fd73364d5ce977ff13fbe53d6a5ae996c0017f13b55ff
Referenced In Projects/Scopes:
  • livy-scala-api_2.12:provided
  • livy-scala-api_2.11:provided
  • livy-scala-api-parent:provided
  • livy-repl_2.12:provided
  • livy-rsc:provided
  • livy-repl-parent:provided
  • livy-test-lib:provided
  • livy-repl_2.11:provided
  • livy-examples:compile
  • livy-api:provided

Identifiers

CVE-2021-41033  

In all released versions of Eclipse Equinox, at least until version 4.21 (September 2021), installation can be vulnerable to man-in-the-middle attack if using p2 repos that are HTTP; that can then be exploited to serve incorrect p2 metadata and entirely alter the local installation, particularly by installing plug-ins that may then run malicious code.
NVD-CWE-noinfo

CVSSv2:
  • Base Score: MEDIUM (6.8)
  • Vector: /AV:N/AC:M/Au:N/C:P/I:P/A:P
CVSSv3:
  • Base Score: HIGH (8.1)
  • Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions:

datanucleus-rdbms-3.2.9.jar

Description:

Plugin for DataNucleus providing persistence to RDBMS datastores.

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /root/.m2/repository/org/datanucleus/datanucleus-rdbms/3.2.9/datanucleus-rdbms-3.2.9.jar
MD5: 7d07a9eb98373433d47a441b0e70166c
SHA1: b95b6ff6ea969ab67f06754108167c4f9fadfd7e
SHA256: d4aadfaf95bb2550b0e8ebb0bb8095b27c9f0e36edc49e42b8215d0852e371a9
Referenced In Projects/Scopes:
  • livy-scala-api_2.12:provided
  • livy-scala-api_2.11:provided
  • livy-scala-api-parent:provided
  • livy-repl_2.12:provided
  • livy-rsc:provided
  • livy-repl-parent:provided
  • livy-test-lib:provided
  • livy-repl_2.11:provided
  • livy-examples:compile
  • livy-api:provided

Identifiers

derby-10.12.1.1.jar

Description:

Contains the core Apache Derby database engine, which also includes the embedded JDBC driver.

File Path: /root/.m2/repository/org/apache/derby/derby/10.12.1.1/derby-10.12.1.1.jar
MD5: 372f9924d8ce658d8def342783319885
SHA1: 75070c744a8e52a7d17b8b476468580309d5cd09
SHA256: 000a7e23220d0544d7034a9ccb313d0aa5d40074e724ba69c1bb713f765d4cfd
Referenced In Projects/Scopes:
  • livy-scala-api_2.12:provided
  • livy-scala-api_2.11:provided
  • livy-scala-api-parent:provided
  • livy-repl_2.12:provided
  • livy-rsc:provided
  • livy-repl-parent:provided
  • livy-test-lib:provided
  • livy-repl_2.11:provided
  • livy-examples:compile
  • livy-api:provided

Identifiers

CVE-2018-1313  

In Apache Derby 10.3.1.4 to 10.14.1.0, a specially-crafted network packet can be used to request the Derby Network Server to boot a database whose location and contents are under the user's control. If the Derby Network Server is not running with a Java Security Manager policy file, the attack is successful. If the server is using a policy file, the policy file must permit the database location to be read for the attack to work. The default Derby Network Server policy file distributed with the affected releases includes a permissive policy as the default Network Server policy, which allows the attack to work.
NVD-CWE-noinfo

CVSSv2:
  • Base Score: LOW (3.5)
  • Vector: /AV:N/AC:M/Au:S/C:N/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (5.3)
  • Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N

References:

Vulnerable Software & Versions:

eigenbase-properties-1.1.5.jar

Description:

Type-safe access to Java system properties

License:

Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /root/.m2/repository/net/hydromatic/eigenbase-properties/1.1.5/eigenbase-properties-1.1.5.jar
MD5: 74250b1aa57ff13507bf28c09e5299eb
SHA1: a941956b3a4664d0cf728ece06ba25cc2110a3aa
SHA256: 9394a752411d9729a083cf578ed9666ec9a7f59c18c9ca889127480a44c7285c
Referenced In Projects/Scopes:
  • livy-scala-api_2.12:provided
  • livy-scala-api_2.11:provided
  • livy-scala-api-parent:provided
  • livy-repl_2.12:provided
  • livy-rsc:provided
  • livy-repl-parent:provided
  • livy-test-lib:provided
  • livy-repl_2.11:provided
  • livy-examples:compile
  • livy-api:provided

Identifiers

flatbuffers-1.2.0-3f79e055.jar

Description:

Memory efficient serialization library.

License:

Apache License (v2.0): http://www.apache.org/licenses/LICENSE-2.0
File Path: /root/.m2/repository/com/vlkan/flatbuffers/1.2.0-3f79e055/flatbuffers-1.2.0-3f79e055.jar
MD5: b9c68553bce2bcf28de077b28b491d99
SHA1: b4a3fa3b6f768a99c2540e8b96b83bbb051f926c
SHA256: 743f97316096ba6e8528914ea2b062f6a02fc91ec73c98a5a46240d6d67e6898
Referenced In Projects/Scopes:
  • livy-scala-api_2.12:provided
  • livy-scala-api_2.11:provided
  • livy-scala-api-parent:provided
  • livy-repl_2.12:provided
  • livy-rsc:provided
  • livy-repl-parent:provided
  • livy-test-lib:provided
  • livy-repl_2.11:provided
  • livy-examples:compile
  • livy-api:provided

Identifiers

gson-2.2.4.jar

Description:

Google Gson library

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /root/.m2/repository/com/google/code/gson/gson/2.2.4/gson-2.2.4.jar
MD5: 2f54fc24807a4cad7297012dd8cebf3d
SHA1: a60a5e993c98c864010053cb901b7eab25306568
SHA256: c0328cd07ca9e363a5acd00c1cf4afe8cf554bd6d373834981ba05cebec687fb
Referenced In Projects/Scopes:
  • livy-scala-api_2.12:provided
  • livy-integration-test:compile
  • livy-rsc:provided
  • livy-repl-parent:provided
  • livy-test-lib:provided
  • livy-api:provided
  • livy-scala-api_2.11:provided
  • livy-scala-api-parent:provided
  • livy-coverage-report:compile
  • livy-assembly:compile
  • livy-repl_2.12:provided
  • livy-server:compile
  • livy-repl_2.11:provided
  • livy-examples:compile

Identifiers

CVE-2022-25647  

The package com.google.code.gson:gson before 2.8.9 is vulnerable to Deserialization of Untrusted Data via the writeReplace() method in internal classes, which may lead to DoS attacks.
CWE-502 Deserialization of Untrusted Data

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:P
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References:

Vulnerable Software & Versions:

guava-11.0.2.jar

Description:

Guava is a suite of core and expanded libraries that include utility classes, google's collections, io classes, and much much more.

This project is a complete packaging of all the Guava libraries into a single jar. Individual portions of Guava can be used by downloading the appropriate module and its dependencies.

Guava (complete) has only one code dependency - javax.annotation, per the JSR-305 spec.

File Path: /root/.m2/repository/com/google/guava/guava/11.0.2/guava-11.0.2.jar
MD5: bed5977336ea1279d2bad3bb258dc8c3
SHA1: 35a3c69e19d72743cac83778aecbee68680f63eb
SHA256: e144a0ec7f5139c58d4f3729ccfb4240f9c576a1aa43790e4090e09316129ee1
Referenced In Projects/Scopes:
  • livy-integration-test:compile
  • livy-rsc:provided

Identifiers

CVE-2018-10237  

Unbounded memory allocation in Google Guava 11.0 through 24.x before 24.1.1 allows remote attackers to conduct denial of service attacks against servers that depend on this library and deserialize attacker-provided data, because the AtomicDoubleArray class (when serialized with Java serialization) and the CompoundOrdering class (when serialized with GWT serialization) perform eager allocation without appropriate checks on what a client has sent and whether the data size is reasonable.
CWE-770 Allocation of Resources Without Limits or Throttling

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:N/A:P
CVSSv3:
  • Base Score: MEDIUM (5.9)
  • Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

References:

Vulnerable Software & Versions:

CVE-2020-8908  

A temp directory creation vulnerability exists in all versions of Guava, allowing an attacker with access to the machine to potentially access data in a temporary directory created by the Guava API com.google.common.io.Files.createTempDir(). By default, on unix-like systems, the created directory is world-readable (readable by an attacker with access to the system). The method in question has been marked @Deprecated in versions 30.0 and later and should not be used. For Android developers, we recommend choosing a temporary directory API provided by Android, such as context.getCacheDir(). For other Java developers, we recommend migrating to the Java 7 API java.nio.file.Files.createTempDirectory() which explicitly configures permissions of 700, or configuring the Java runtime's java.io.tmpdir system property to point to a location whose permissions are appropriately configured.
CWE-732 Incorrect Permission Assignment for Critical Resource

CVSSv2:
  • Base Score: LOW (2.1)
  • Vector: /AV:L/AC:L/Au:N/C:P/I:N/A:N
CVSSv3:
  • Base Score: LOW (3.3)
  • Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

References:

Vulnerable Software & Versions:

guava-16.0.1.jar

Description:

Guava is a suite of core and expanded libraries that include utility classes, google's collections, io classes, and much much more.

Guava has only one code dependency - javax.annotation, per the JSR-305 spec.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /root/.m2/repository/com/google/guava/guava/16.0.1/guava-16.0.1.jar
MD5: a68693df58191585d9af914cfbe6067a
SHA1: 5fa98cd1a63c99a44dd8d3b77e4762b066a5d0c5
SHA256: a896857d07845d38c7dc5bbc0457b6d9b0f62ecffda010e5e9ec12d561f676d3
Referenced In Projects/Scopes:
  • livy-scala-api_2.12:provided
  • livy-repl-parent:provided
  • livy-test-lib:provided
  • livy-api:provided
  • livy-scala-api_2.11:provided
  • livy-scala-api-parent:provided
  • livy-coverage-report:compile
  • livy-assembly:compile
  • livy-repl_2.12:provided
  • livy-server:compile
  • livy-repl_2.11:provided
  • livy-examples:compile

Identifiers

CVE-2018-10237  

Unbounded memory allocation in Google Guava 11.0 through 24.x before 24.1.1 allows remote attackers to conduct denial of service attacks against servers that depend on this library and deserialize attacker-provided data, because the AtomicDoubleArray class (when serialized with Java serialization) and the CompoundOrdering class (when serialized with GWT serialization) perform eager allocation without appropriate checks on what a client has sent and whether the data size is reasonable.
CWE-770 Allocation of Resources Without Limits or Throttling

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:N/A:P
CVSSv3:
  • Base Score: MEDIUM (5.9)
  • Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

References:

Vulnerable Software & Versions:

CVE-2020-8908  

A temp directory creation vulnerability exists in all versions of Guava, allowing an attacker with access to the machine to potentially access data in a temporary directory created by the Guava API com.google.common.io.Files.createTempDir(). By default, on unix-like systems, the created directory is world-readable (readable by an attacker with access to the system). The method in question has been marked @Deprecated in versions 30.0 and later and should not be used. For Android developers, we recommend choosing a temporary directory API provided by Android, such as context.getCacheDir(). For other Java developers, we recommend migrating to the Java 7 API java.nio.file.Files.createTempDirectory() which explicitly configures permissions of 700, or configuring the Java runtime's java.io.tmpdir system property to point to a location whose permissions are appropriately configured.
CWE-732 Incorrect Permission Assignment for Critical Resource

CVSSv2:
  • Base Score: LOW (2.1)
  • Vector: /AV:L/AC:L/Au:N/C:P/I:N/A:N
CVSSv3:
  • Base Score: LOW (3.3)
  • Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

References:

Vulnerable Software & Versions:

guice-3.0.jar

Description:

Guice is a lightweight dependency injection framework for Java 5 and above

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /root/.m2/repository/com/google/inject/guice/3.0/guice-3.0.jar
MD5: ca1c7ba366884cfcd2cfb48d2395c400
SHA1: 9d84f15fe35e2c716a02979fb62f50a29f38aefa
SHA256: 1a59d0421ffd355cc0b70b42df1c2e9af744c8a2d0c92da379f5fca2f07f1d22
Referenced In Projects/Scopes:
  • livy-integration-test:compile
  • livy-coverage-report:compile

Identifiers

guice-servlet-3.0.jar

Description:

Guice is a lightweight dependency injection framework for Java 5 and above

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /root/.m2/repository/com/google/inject/extensions/guice-servlet/3.0/guice-servlet-3.0.jar
MD5: c9f66a5f6a0d840d9057b30853f25b85
SHA1: 610cde0e8da5a8b7d8efb8f0b8987466ffebaaf9
SHA256: 9e72a4b8582888d53c2f4297e93276a3c14c82880124490f2da7b16a9df1c618
Referenced In Projects/Scopes:
  • livy-integration-test:compile
  • livy-coverage-report:compile

Identifiers

hadoop-hdfs-2.7.3-tests.jar: bootstrap.min.js

File Path: /root/.m2/repository/org/apache/hadoop/hadoop-hdfs/2.7.3/hadoop-hdfs-2.7.3-tests.jar/webapps/static/bootstrap-3.0.2/js/bootstrap.min.js
MD5: c2e5221c3336abe0dff8568e73cd0dae
SHA1: 15a81fe4074f920898e98b1b42cf11bda26da0a8
SHA256: 13d9e9ce4061c6b648768b09a36d000a7bfba969d4570cf329f938ede6a8f393
Referenced In Project/Scope: livy-integration-test:compile

Identifiers

CVE-2016-10735  

In Bootstrap 3.x before 3.4.0 and 4.x-beta before 4.0.0-beta.2, XSS is possible in the data-target attribute, a different vulnerability than CVE-2018-14041.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (6.1)
  • Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

References:

Vulnerable Software & Versions (NVD):

  • cpe:2.3:a:getbootstrap:bootstrap:*:*:*:*:*:*:*:* versions from (including) 3.0.0; versions up to (excluding) 3.4.0
  • cpe:2.3:a:getbootstrap:bootstrap:4.0.0:beta:*:*:*:*:*:*

CVE-2018-14040  

In Bootstrap before 4.1.2, XSS is possible in the collapse data-parent attribute.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (6.1)
  • Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

References:

Vulnerable Software & Versions (NVD):

  • cpe:2.3:a:getbootstrap:bootstrap:*:*:*:*:*:*:*:* versions up to (excluding) 3.4.0
  • cpe:2.3:a:getbootstrap:bootstrap:*:*:*:*:*:*:*:* versions from (including) 4.0.0; versions up to (excluding) 4.1.2
  • cpe:2.3:a:getbootstrap:bootstrap:4.0.0:alpha:*:*:*:*:*:*
  • cpe:2.3:a:getbootstrap:bootstrap:4.0.0:alpha2:*:*:*:*:*:*
  • cpe:2.3:a:getbootstrap:bootstrap:4.0.0:alpha3:*:*:*:*:*:*
  • cpe:2.3:a:getbootstrap:bootstrap:4.0.0:alpha4:*:*:*:*:*:*
  • cpe:2.3:a:getbootstrap:bootstrap:4.0.0:alpha5:*:*:*:*:*:*
  • cpe:2.3:a:getbootstrap:bootstrap:4.0.0:alpha6:*:*:*:*:*:*
  • cpe:2.3:a:getbootstrap:bootstrap:4.0.0:beta:*:*:*:*:*:*
  • cpe:2.3:a:getbootstrap:bootstrap:4.0.0:beta2:*:*:*:*:*:*
  • cpe:2.3:a:getbootstrap:bootstrap:4.0.0:beta3:*:*:*:*:*:*

CVE-2018-14041  

In Bootstrap before 4.1.2, XSS is possible in the data-target property of scrollspy.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (6.1)
  • Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

References:

Vulnerable Software & Versions (NVD):

  • cpe:2.3:a:getbootstrap:bootstrap:*:*:*:*:*:*:*:* versions from (including) 4.0.0; versions up to (excluding) 4.1.2
  • cpe:2.3:a:getbootstrap:bootstrap:4.0.0:alpha:*:*:*:*:*:*
  • cpe:2.3:a:getbootstrap:bootstrap:4.0.0:alpha2:*:*:*:*:*:*
  • cpe:2.3:a:getbootstrap:bootstrap:4.0.0:alpha3:*:*:*:*:*:*
  • cpe:2.3:a:getbootstrap:bootstrap:4.0.0:alpha4:*:*:*:*:*:*
  • cpe:2.3:a:getbootstrap:bootstrap:4.0.0:alpha5:*:*:*:*:*:*
  • cpe:2.3:a:getbootstrap:bootstrap:4.0.0:alpha6:*:*:*:*:*:*
  • cpe:2.3:a:getbootstrap:bootstrap:4.0.0:beta:*:*:*:*:*:*
  • cpe:2.3:a:getbootstrap:bootstrap:4.0.0:beta2:*:*:*:*:*:*
  • cpe:2.3:a:getbootstrap:bootstrap:4.0.0:beta3:*:*:*:*:*:*

CVE-2018-14042  

In Bootstrap before 4.1.2, XSS is possible in the data-container property of tooltip.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (6.1)
  • Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

References:

Vulnerable Software & Versions (NVD):

  • cpe:2.3:a:getbootstrap:bootstrap:*:*:*:*:*:*:*:* versions up to (excluding) 3.4.0
  • cpe:2.3:a:getbootstrap:bootstrap:*:*:*:*:*:*:*:* versions from (including) 4.0.0; versions up to (excluding) 4.1.2
  • cpe:2.3:a:getbootstrap:bootstrap:4.0.0:alpha:*:*:*:*:*:*
  • cpe:2.3:a:getbootstrap:bootstrap:4.0.0:alpha2:*:*:*:*:*:*
  • cpe:2.3:a:getbootstrap:bootstrap:4.0.0:alpha3:*:*:*:*:*:*
  • cpe:2.3:a:getbootstrap:bootstrap:4.0.0:alpha4:*:*:*:*:*:*
  • cpe:2.3:a:getbootstrap:bootstrap:4.0.0:alpha5:*:*:*:*:*:*
  • cpe:2.3:a:getbootstrap:bootstrap:4.0.0:alpha6:*:*:*:*:*:*
  • cpe:2.3:a:getbootstrap:bootstrap:4.0.0:beta:*:*:*:*:*:*
  • cpe:2.3:a:getbootstrap:bootstrap:4.0.0:beta2:*:*:*:*:*:*
  • cpe:2.3:a:getbootstrap:bootstrap:4.0.0:beta3:*:*:*:*:*:*

CVE-2019-8331  

In Bootstrap before 3.4.1 and 4.3.x before 4.3.1, XSS is possible in the tooltip or popover data-template attribute.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (6.1)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

References:

Vulnerable Software & Versions (NVD):

  • cpe:2.3:a:f5:big-ip_access_policy_manager:*:*:*:*:*:*:*:* versions from (including) 12.1.0; versions up to (excluding) 12.1.5.1
  • cpe:2.3:a:f5:big-ip_access_policy_manager:*:*:*:*:*:*:*:* versions from (including) 13.0.0; versions up to (excluding) 13.1.3.4
  • cpe:2.3:a:f5:big-ip_access_policy_manager:*:*:*:*:*:*:*:* versions from (including) 14.0.0; versions up to (excluding) 14.1.2.5
  • cpe:2.3:a:f5:big-ip_access_policy_manager:*:*:*:*:*:*:*:* versions from (including) 15.0.0; versions up to (excluding) 15.1.0
  • cpe:2.3:a:f5:big-ip_advanced_firewall_manager:*:*:*:*:*:*:*:* versions from (including) 12.1.0; versions up to (excluding) 12.1.5.1
  • cpe:2.3:a:f5:big-ip_advanced_firewall_manager:*:*:*:*:*:*:*:* versions from (including) 13.0.0; versions up to (excluding) 13.1.3.4
  • cpe:2.3:a:f5:big-ip_advanced_firewall_manager:*:*:*:*:*:*:*:* versions from (including) 14.0.0; versions up to (excluding) 14.1.2.5
  • cpe:2.3:a:f5:big-ip_advanced_firewall_manager:*:*:*:*:*:*:*:* versions from (including) 15.0.0; versions up to (excluding) 15.1.0
  • cpe:2.3:a:f5:big-ip_analytics:*:*:*:*:*:*:*:* versions from (including) 12.1.0; versions up to (excluding) 12.1.5.1
  • cpe:2.3:a:f5:big-ip_analytics:*:*:*:*:*:*:*:* versions from (including) 13.0.0; versions up to (excluding) 13.1.3.4
  • cpe:2.3:a:f5:big-ip_analytics:*:*:*:*:*:*:*:* versions from (including) 14.0.0; versions up to (excluding) 14.1.2.5
  • cpe:2.3:a:f5:big-ip_analytics:*:*:*:*:*:*:*:* versions from (including) 15.0.0; versions up to (excluding) 15.1.0
  • cpe:2.3:a:f5:big-ip_application_acceleration_manager:*:*:*:*:*:*:*:* versions from (including) 12.1.0; versions up to (excluding) 12.1.5.1
  • cpe:2.3:a:f5:big-ip_application_acceleration_manager:*:*:*:*:*:*:*:* versions from (including) 13.0.0; versions up to (excluding) 13.1.3.4
  • cpe:2.3:a:f5:big-ip_application_acceleration_manager:*:*:*:*:*:*:*:* versions from (including) 14.0.0; versions up to (excluding) 14.1.2.5
  • cpe:2.3:a:f5:big-ip_application_acceleration_manager:*:*:*:*:*:*:*:* versions from (including) 15.0.0; versions up to (excluding) 15.1.0
  • cpe:2.3:a:f5:big-ip_application_security_manager:*:*:*:*:*:*:*:* versions from (including) 12.1.0; versions up to (excluding) 12.1.5.1
  • cpe:2.3:a:f5:big-ip_application_security_manager:*:*:*:*:*:*:*:* versions from (including) 13.0.0; versions up to (excluding) 13.1.3.4
  • cpe:2.3:a:f5:big-ip_application_security_manager:*:*:*:*:*:*:*:* versions from (including) 14.0.0; versions up to (excluding) 14.1.2.5
  • cpe:2.3:a:f5:big-ip_application_security_manager:*:*:*:*:*:*:*:* versions from (including) 15.0.0; versions up to (excluding) 15.1.0
  • cpe:2.3:a:f5:big-ip_domain_name_system:*:*:*:*:*:*:*:* versions from (including) 12.1.0; versions up to (excluding) 12.1.5.1
  • cpe:2.3:a:f5:big-ip_domain_name_system:*:*:*:*:*:*:*:* versions from (including) 13.0.0; versions up to (excluding) 13.1.3.4
  • cpe:2.3:a:f5:big-ip_domain_name_system:*:*:*:*:*:*:*:* versions from (including) 14.0.0; versions up to (excluding) 14.1.2.5
  • cpe:2.3:a:f5:big-ip_domain_name_system:*:*:*:*:*:*:*:* versions from (including) 15.0.0; versions up to (excluding) 15.1.0
  • cpe:2.3:a:f5:big-ip_edge_gateway:*:*:*:*:*:*:*:* versions from (including) 12.1.0; versions up to (excluding) 12.1.5.1
  • cpe:2.3:a:f5:big-ip_edge_gateway:*:*:*:*:*:*:*:* versions from (including) 13.0.0; versions up to (excluding) 13.1.3.4
  • cpe:2.3:a:f5:big-ip_edge_gateway:*:*:*:*:*:*:*:* versions from (including) 14.0.0; versions up to (excluding) 14.1.2.5
  • cpe:2.3:a:f5:big-ip_edge_gateway:*:*:*:*:*:*:*:* versions from (including) 15.0.0; versions up to (excluding) 15.1.0
  • cpe:2.3:a:f5:big-ip_fraud_protection_service:*:*:*:*:*:*:*:* versions from (including) 12.1.0; versions up to (excluding) 12.1.5.1
  • cpe:2.3:a:f5:big-ip_fraud_protection_service:*:*:*:*:*:*:*:* versions from (including) 13.0.0; versions up to (excluding) 13.1.3.4
  • cpe:2.3:a:f5:big-ip_fraud_protection_service:*:*:*:*:*:*:*:* versions from (including) 14.0.0; versions up to (excluding) 14.1.2.5
  • cpe:2.3:a:f5:big-ip_fraud_protection_service:*:*:*:*:*:*:*:* versions from (including) 15.0.0; versions up to (excluding) 15.1.0
  • cpe:2.3:a:f5:big-ip_global_traffic_manager:*:*:*:*:*:*:*:* versions from (including) 12.1.0; versions up to (excluding) 12.1.5.1
  • cpe:2.3:a:f5:big-ip_global_traffic_manager:*:*:*:*:*:*:*:* versions from (including) 13.0.0; versions up to (excluding) 13.1.3.4
  • cpe:2.3:a:f5:big-ip_global_traffic_manager:*:*:*:*:*:*:*:* versions from (including) 14.0.0; versions up to (excluding) 14.1.2.5
  • cpe:2.3:a:f5:big-ip_global_traffic_manager:*:*:*:*:*:*:*:* versions from (including) 15.0.0; versions up to (excluding) 15.1.0
  • cpe:2.3:a:f5:big-ip_link_controller:*:*:*:*:*:*:*:* versions from (including) 12.1.0; versions up to (excluding) 12.1.5.1
  • cpe:2.3:a:f5:big-ip_link_controller:*:*:*:*:*:*:*:* versions from (including) 13.0.0; versions up to (excluding) 13.1.3.4
  • cpe:2.3:a:f5:big-ip_link_controller:*:*:*:*:*:*:*:* versions from (including) 14.0.0; versions up to (excluding) 14.1.2.5
  • cpe:2.3:a:f5:big-ip_link_controller:*:*:*:*:*:*:*:* versions from (including) 15.0.0; versions up to (excluding) 15.1.0
  • cpe:2.3:a:f5:big-ip_local_traffic_manager:*:*:*:*:*:*:*:* versions from (including) 12.1.0; versions up to (excluding) 12.1.5.1
  • cpe:2.3:a:f5:big-ip_local_traffic_manager:*:*:*:*:*:*:*:* versions from (including) 13.0.0; versions up to (excluding) 13.1.3.4
  • cpe:2.3:a:f5:big-ip_local_traffic_manager:*:*:*:*:*:*:*:* versions from (including) 14.0.0; versions up to (excluding) 14.1.2.5
  • cpe:2.3:a:f5:big-ip_local_traffic_manager:*:*:*:*:*:*:*:* versions from (including) 15.0.0; versions up to (excluding) 15.1.0
  • cpe:2.3:a:f5:big-ip_policy_enforcement_manager:*:*:*:*:*:*:*:* versions from (including) 12.1.0; versions up to (excluding) 12.1.5.1
  • cpe:2.3:a:f5:big-ip_policy_enforcement_manager:*:*:*:*:*:*:*:* versions from (including) 13.0.0; versions up to (excluding) 13.1.3.4
  • cpe:2.3:a:f5:big-ip_policy_enforcement_manager:*:*:*:*:*:*:*:* versions from (including) 14.0.0; versions up to (excluding) 14.1.2.5
  • cpe:2.3:a:f5:big-ip_policy_enforcement_manager:*:*:*:*:*:*:*:* versions from (including) 15.0.0; versions up to (excluding) 15.1.0
  • cpe:2.3:a:f5:big-ip_webaccelerator:*:*:*:*:*:*:*:* versions from (including) 12.1.0; versions up to (excluding) 12.1.5.1
  • cpe:2.3:a:f5:big-ip_webaccelerator:*:*:*:*:*:*:*:* versions from (including) 13.0.0; versions up to (excluding) 13.1.3.4
  • cpe:2.3:a:f5:big-ip_webaccelerator:*:*:*:*:*:*:*:* versions from (including) 14.0.0; versions up to (excluding) 14.1.2.5
  • cpe:2.3:a:f5:big-ip_webaccelerator:*:*:*:*:*:*:*:* versions from (including) 15.0.0; versions up to (excluding) 15.1.0
  • cpe:2.3:a:getbootstrap:bootstrap:*:*:*:*:*:*:*:* versions up to (excluding) 3.4.1
  • cpe:2.3:a:getbootstrap:bootstrap:*:*:*:*:*:*:*:* versions from (including) 4.3.0; versions up to (excluding) 4.3.1
  • cpe:2.3:a:redhat:virtualization_manager:4.3:*:*:*:*:*:*:*
  • cpe:2.3:a:tenable:tenable.sc:*:*:*:*:*:*:*:* versions up to (excluding) 5.19.0

hadoop-hdfs-2.7.3-tests.jar: dfs-dust.js

File Path: /root/.m2/repository/org/apache/hadoop/hadoop-hdfs/2.7.3/hadoop-hdfs-2.7.3-tests.jar/webapps/static/dfs-dust.js
MD5: 226ab0c48f0b6577fa189a6ae774800d
SHA1: c14aac6c091bb9dd993ed1ab009c5d31ae8addda
SHA256: 82da071d45b8769f43b984da039006e25ee2c65d263a05254eb2683eb8359506
Referenced In Project/Scope: livy-integration-test:compile

Identifiers

  • None

hadoop-hdfs-2.7.3-tests.jar: dfshealth.js

File Path: /root/.m2/repository/org/apache/hadoop/hadoop-hdfs/2.7.3/hadoop-hdfs-2.7.3-tests.jar/webapps/hdfs/dfshealth.js
MD5: 68c28bb94d476cf8e67fb4975d7365b4
SHA1: 21e243a27bf7d63c573e089b17953f3da1063a81
SHA256: 1358a7df491f8ea81ee4cc9a2e89ca1ee8eec2aae9a4c5de96ca9bc50fa7f42c
Referenced In Project/Scope: livy-integration-test:compile

Identifiers

  • None

hadoop-hdfs-2.7.3-tests.jar: dust-full-2.0.0.min.js

File Path: /root/.m2/repository/org/apache/hadoop/hadoop-hdfs/2.7.3/hadoop-hdfs-2.7.3-tests.jar/webapps/static/dust-full-2.0.0.min.js
MD5: 7bf502ca71690989fdefb479db78f3d2
SHA1: 6db3768adde65396734a365491b4ae2a2fbd4679
SHA256: f11ba668337b8b61319b430164f631648b41949887bb8a7b9cc515f87bba3e3b
Referenced In Project/Scope: livy-integration-test:compile

Identifiers

  • None

hadoop-hdfs-2.7.3-tests.jar: dust-helpers-1.1.1.min.js

File Path: /root/.m2/repository/org/apache/hadoop/hadoop-hdfs/2.7.3/hadoop-hdfs-2.7.3-tests.jar/webapps/static/dust-helpers-1.1.1.min.js
MD5: 773d66b65a95408b8b1194b5b477c96a
SHA1: 82a1e3398cf21a7b14f326091e9216fc4b0d7c84
SHA256: ff65ffc9e919f9ab7922d82db9ea9d7840a7543001ccba2a8c4f11195a08a7f6
Referenced In Project/Scope: livy-integration-test:compile

Identifiers

  • None

hadoop-hdfs-2.7.3-tests.jar: explorer.js

File Path: /root/.m2/repository/org/apache/hadoop/hadoop-hdfs/2.7.3/hadoop-hdfs-2.7.3-tests.jar/webapps/hdfs/explorer.js
MD5: 011e39fe6510e7d92ec29e486263a5f4
SHA1: 67774588dd90ddd64e69251d166c53ee36cc1232
SHA256: e063a3c6eff9e64631ae9fbd6f1ec56b714d456d2159b4ac08c2871a0bcf9792
Referenced In Project/Scope: livy-integration-test:compile

Identifiers

  • None

hadoop-hdfs-2.7.3-tests.jar: jquery-1.10.2.min.js

File Path: /root/.m2/repository/org/apache/hadoop/hadoop-hdfs/2.7.3/hadoop-hdfs-2.7.3-tests.jar/webapps/static/jquery-1.10.2.min.js
MD5: 628072e7212db1e8cdacb22b21752cda
SHA1: 0511abe9863c2ea7084efa7e24d1d86c5b3974f1
SHA256: 0ba081f546084bd5097aa8a73c75931d5aa1fc4d6e846e53c21f98e6a1509988
Referenced In Project/Scope: livy-integration-test:compile

Identifiers

CVE-2015-9251  

jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (6.1)
  • Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

References:

Vulnerable Software & Versions (NVD):


CVE-2019-11358  

jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable __proto__ property, it could extend the native Object.prototype.
CWE-1321 Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (6.1)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

References:

Vulnerable Software & Versions (NVD):


CVE-2020-11022  

In jQuery versions greater than or equal to 1.2 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (6.1)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

References:

Vulnerable Software & Versions (NVD):

  • cpe:2.3:a:oracle:retail_back_office:14.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:retail_back_office:14.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:retail_customer_management_and_segmentation_foundation:19.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:retail_returns_management:14.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:retail_returns_management:14.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:siebel_ui_framework:20.8:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:storagetek_acsls:8.5.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:weblogic_server:10.3.6.0.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:weblogic_server:12.1.3.0.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:weblogic_server:12.2.1.3.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:weblogic_server:12.2.1.4.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:weblogic_server:14.1.1.0.0:*:*:*:*:*:*:*
  • cpe:2.3:a:tenable:log_correlation_engine:*:*:*:*:*:*:*:* versions up to (excluding) 6.0.9

CVE-2020-11023  

In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing <option> elements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (6.1)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

References:

Vulnerable Software & Versions (NVD):

  • cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:* versions from (including) 7.0; versions up to (excluding) 7.70
  • cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:* versions from (including) 8.7.0; versions up to (excluding) 8.7.14
  • cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:* versions from (including) 8.8.0; versions up to (excluding) 8.8.6
  • cpe:2.3:a:jquery:jquery:*:*:*:*:*:*:*:* versions from (including) 1.0.3; versions up to (excluding) 3.5.0
  • cpe:2.3:a:netapp:max_data:-:*:*:*:*:*:*:*
  • cpe:2.3:a:netapp:oncommand_insight:-:*:*:*:*:*:*:*
  • cpe:2.3:a:netapp:oncommand_system_manager:*:*:*:*:*:*:*:* versions from (including) 3.0; versions up to (including) 3.1.3
  • cpe:2.3:a:netapp:snap_creator_framework:-:*:*:*:*:*:*:*
  • cpe:2.3:a:netapp:snapcenter_server:-:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:application_express:*:*:*:*:*:*:*:* versions up to (excluding) 20.2
  • cpe:2.3:a:oracle:application_testing_suite:13.3.0.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:banking_enterprise_collections:*:*:*:*:*:*:*:* versions from (including) 2.7.0; versions up to (including) 2.8.0
  • cpe:2.3:a:oracle:banking_platform:*:*:*:*:*:*:*:* versions from (including) 2.4.0; versions up to (including) 2.10.0
  • cpe:2.3:a:oracle:communications_analytics:12.1.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_eagle_application_processor:*:*:*:*:*:*:*:* versions from (including) 16.1.0; versions up to (including) 16.4.0
  • cpe:2.3:a:oracle:communications_element_manager:8.1.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_element_manager:8.2.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_element_manager:8.2.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_interactive_session_recorder:*:*:*:*:*:*:*:* versions from (including) 6.1; versions up to (including) 6.4
  • cpe:2.3:a:oracle:communications_operations_monitor:*:*:*:*:*:*:*:* versions from (including) 4.1; versions up to (including) 4.3
  • cpe:2.3:a:oracle:communications_operations_monitor:3.4:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_services_gatekeeper:7.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_session_report_manager:8.1.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_session_report_manager:8.2.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_session_report_manager:8.2.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_session_route_manager:8.1.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_session_route_manager:8.2.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_session_route_manager:8.2.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_regulatory_reporting_for_de_nederlandsche_bank:8.0.4:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_revenue_management_and_billing_analytics:2.7:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_revenue_management_and_billing_analytics:2.8:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:health_sciences_inform:6.3.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:healthcare_translational_research:3.2.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:healthcare_translational_research:3.3.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:healthcare_translational_research:3.3.2:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:healthcare_translational_research:3.4.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:hyperion_financial_reporting:11.1.2.4:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:jd_edwards_enterpriseone_orchestrator:*:*:*:*:*:*:*:* versions up to (excluding) 9.2.5.0
  • cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools:*:*:*:*:*:*:*:* versions up to (excluding) 9.2.5.0
  • cpe:2.3:a:oracle:oss_support_tools:*:*:*:*:*:*:*:* versions up to (excluding) 2.12.41
  • cpe:2.3:a:oracle:peoplesoft_enterprise_human_capital_management_resources:9.2:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:* versions from (including) 16.2; versions up to (including) 16.2.11
  • cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:* versions from (including) 17.12.0; versions up to (including) 17.12.7
  • cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:* versions from (including) 18.8.0; versions up to (including) 18.8.9
  • cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:* versions from (including) 19.12.0; versions up to (including) 19.12.4
  • cpe:2.3:a:oracle:rest_data_services:18c:*:*:*:-:*:*:*
  • cpe:2.3:a:oracle:rest_data_services:19c:*:*:*:-:*:*:*
  • cpe:2.3:a:oracle:rest_data_services:11.2.0.4:*:*:*:-:*:*:*
  • cpe:2.3:a:oracle:rest_data_services:12.1.0.2:*:*:*:-:*:*:*
  • cpe:2.3:a:oracle:rest_data_services:12.2.0.1:*:*:*:-:*:*:*
  • cpe:2.3:a:oracle:siebel_mobile:*:*:*:*:*:*:*:* versions up to (including) 20.12
  • cpe:2.3:a:oracle:storagetek_acsls:8.5.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:storagetek_tape_analytics_sw_tool:2.3.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:webcenter_sites:12.2.1.3.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:webcenter_sites:12.2.1.4.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:weblogic_server:12.1.3.0.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:weblogic_server:12.2.1.3.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:weblogic_server:12.2.1.4.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:weblogic_server:14.1.1.0.0:*:*:*:*:*:*:*
  • cpe:2.3:a:tenable:log_correlation_engine:*:*:*:*:*:*:*:* versions up to (excluding) 6.0.9

hadoop-hdfs-2.7.3-tests.jar: snn.js

File Path: /root/.m2/repository/org/apache/hadoop/hadoop-hdfs/2.7.3/hadoop-hdfs-2.7.3-tests.jar/webapps/secondary/snn.js
MD5: 2b7afe0e647225ddbfd016116925c67b
SHA1: a1d65967b6d20981d7d4365bc84369670b5286d3
SHA256: 9cff0528fee712dd51a99f346f08bdaabb916d3a4a1f58dbc668e63680a4a245
Referenced In Project/Scope: livy-integration-test:compile

Identifiers

  • None

hadoop-yarn-common-2.7.3.jar: jquery-1.8.2.min.js.gz: jquery-1.8.2.min.js

File Path: /root/.m2/repository/org/apache/hadoop/hadoop-yarn-common/2.7.3/hadoop-yarn-common-2.7.3.jar/webapps/static/jquery/jquery-1.8.2.min.js.gz/jquery-1.8.2.min.js
MD5: cfa9051cc0b05eb519f1e16b2a6645d7
SHA1: 149b5180cb9de3f646fc26802440a6ac6e758d40
SHA256: f23d4b309b72743aa8afe1f8c98a25b3ee31246fa572c66d9d8cb1982cae4fbc
Referenced In Projects/Scopes:

  • livy-scala-api_2.12:provided
  • livy-integration-test:compile
  • livy-rsc:provided
  • livy-repl-parent:provided
  • livy-test-lib:provided
  • livy-api:provided
  • livy-scala-api_2.11:provided
  • livy-scala-api-parent:provided
  • livy-coverage-report:compile
  • livy-assembly:compile
  • livy-repl_2.12:provided
  • livy-server:compile
  • livy-repl_2.11:provided
  • livy-examples:compile

Identifiers

CVE-2012-6708  

jQuery before 1.9.0 is vulnerable to Cross-site Scripting (XSS) attacks. The jQuery(strInput) function does not differentiate selectors from HTML in a reliable fashion. In vulnerable versions, jQuery determined whether the input was HTML by looking for the '<' character anywhere in the string, giving attackers more flexibility when attempting to construct a malicious payload. In fixed versions, jQuery only deems the input to be HTML if it explicitly starts with the '<' character, limiting exploitability only to attackers who can control the beginning of a string, which is far less common.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (6.1)
  • Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

References:

Vulnerable Software & Versions (NVD):

  • cpe:2.3:a:jquery:jquery:*:*:*:*:*:*:*:* versions up to (excluding) 1.9.0

CVE-2015-9251  

jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (6.1)
  • Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

References:

Vulnerable Software & Versions (NVD):

  • cpe:2.3:a:jquery:jquery:*:*:*:*:*:*:*:* versions up to (excluding) 3.0.0
  • cpe:2.3:a:oracle:agile_product_lifecycle_management_for_process:6.2.0.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:agile_product_lifecycle_management_for_process:6.2.1.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:agile_product_lifecycle_management_for_process:6.2.2.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:agile_product_lifecycle_management_for_process:6.2.3.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:agile_product_lifecycle_management_for_process:6.2.3.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:banking_platform:2.6.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:banking_platform:2.6.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:banking_platform:2.6.2:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:business_process_management_suite:11.1.1.9.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:business_process_management_suite:12.1.3.0.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:business_process_management_suite:12.2.1.3.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_converged_application_server:*:*:*:*:*:*:*:* versions up to (excluding) 7.0.0.1
  • cpe:2.3:a:oracle:communications_interactive_session_recorder:6.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_interactive_session_recorder:6.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_interactive_session_recorder:6.2:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_services_gatekeeper:*:*:*:*:*:*:*:* versions up to (excluding) 6.1.0.4.0
  • cpe:2.3:a:oracle:communications_webrtc_session_controller:*:*:*:*:*:*:*:* versions up to (excluding) 7.2
  • cpe:2.3:a:oracle:endeca_information_discovery_studio:3.1.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:endeca_information_discovery_studio:3.2.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:enterprise_manager_ops_center:12.2.2:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:enterprise_manager_ops_center:12.3.3:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:enterprise_operations_monitor:3.4:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:enterprise_operations_monitor:4.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:*:*:*:*:*:*:*:* versions from (including) 7.3.3; versions up to (including) 7.3.5
  • cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:*:*:*:*:*:*:*:* versions from (including) 8.0.0; versions up to (including) 8.0.7
  • cpe:2.3:a:oracle:financial_services_asset_liability_management:*:*:*:*:*:*:*:* versions from (including) 8.0.4; versions up to (including) 8.0.7
  • cpe:2.3:a:oracle:financial_services_data_integration_hub:*:*:*:*:*:*:*:* versions from (including) 8.0.5; versions up to (including) 8.0.7
  • cpe:2.3:a:oracle:financial_services_funds_transfer_pricing:*:*:*:*:*:*:*:* versions from (including) 8.0.4; versions up to (including) 8.0.7
  • cpe:2.3:a:oracle:financial_services_hedge_management_and_ifrs_valuations:*:*:*:*:*:*:*:* versions from (including) 8.0.4; versions up to (including) 8.0.7
  • cpe:2.3:a:oracle:financial_services_liquidity_risk_management:*:*:*:*:*:*:*:* versions from (including) 8.0.2; versions up to (including) 8.0.6
  • cpe:2.3:a:oracle:financial_services_loan_loss_forecasting_and_provisioning:*:*:*:*:*:*:*:* versions from (including) 8.0.2; versions up to (including) 8.0.7
  • cpe:2.3:a:oracle:financial_services_market_risk_measurement_and_management:8.0.5:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_market_risk_measurement_and_management:8.0.6:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_profitability_management:*:*:*:*:*:*:*:* versions from (including) 8.0.4; versions up to (including) 8.0.6
  • cpe:2.3:a:oracle:financial_services_reconciliation_framework:8.0.5:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_reconciliation_framework:8.0.6:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:fusion_middleware_mapviewer:12.2.1.3.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:healthcare_foundation:7.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:healthcare_foundation:7.2:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:healthcare_translational_research:3.1.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:hospitality_cruise_fleet_management:9.0.11:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:hospitality_guest_access:4.2.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:hospitality_guest_access:4.2.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:hospitality_materials_control:18.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:hospitality_reporting_and_analytics:9.1.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:insurance_insbridge_rating_and_underwriting:5.2:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:insurance_insbridge_rating_and_underwriting:5.4:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:insurance_insbridge_rating_and_underwriting:5.5:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools:9.2:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:jdeveloper:11.1.1.9.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:jdeveloper:12.1.3.0.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:jdeveloper:12.2.1.3.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:oss_support_tools:19.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.55:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.56:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.57:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:primavera_gateway:15.2:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:primavera_gateway:16.2:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:primavera_gateway:17.12:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:primavera_unifier:*:*:*:*:*:*:*:* versions from (including) 17.1; versions up to (including) 17.12
  • cpe:2.3:a:oracle:primavera_unifier:16.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:primavera_unifier:16.2:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:primavera_unifier:18.8:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:real-time_scheduler:2.3.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:retail_allocation:15.0.2:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:retail_customer_insights:15.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:retail_customer_insights:16.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:retail_invoice_matching:15.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:retail_sales_audit:15.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:retail_workforce_management_software:1.60.9:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:retail_workforce_management_software:1.64.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:service_bus:12.1.3.0.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:service_bus:12.2.1.3.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:siebel_ui_framework:18.10:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:siebel_ui_framework:18.11:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:utilities_framework:*:*:*:*:*:*:*:* versions from (including) 4.3.0.1; versions up to (including) 4.3.0.4
  • cpe:2.3:a:oracle:utilities_mobile_workforce_management:2.3.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:webcenter_sites:11.1.1.8.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:weblogic_server:12.1.3.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:weblogic_server:12.2.1.3:*:*:*:*:*:*:*

CVE-2019-11358  

jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable __proto__ property, it could extend the native Object.prototype.
CWE-1321

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (6.1)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

References:

Vulnerable Software & Versions (NVD):

  • cpe:2.3:a:backdropcms:backdrop:*:*:*:*:*:*:*:* versions from (including) 1.11.0; versions up to (excluding) 1.11.9
  • cpe:2.3:a:backdropcms:backdrop:*:*:*:*:*:*:*:* versions from (including) 1.12.0; versions up to (excluding) 1.12.6
  • cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:* versions from (including) 7.0; versions up to (excluding) 7.66
  • cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:* versions from (including) 8.5.0; versions up to (excluding) 8.5.15
  • cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:* versions from (including) 8.6.0; versions up to (excluding) 8.6.15
  • cpe:2.3:a:joomla:joomla\!:*:*:*:*:*:*:*:* versions from (including) 3.0.0; versions up to (including) 3.9.4
  • cpe:2.3:a:jquery:jquery:*:*:*:*:*:*:*:* versions up to (excluding) 3.4.0
  • cpe:2.3:a:netapp:oncommand_system_manager:*:*:*:*:*:*:*:* versions from (including) 3.0; versions up to (including) 3.1.3
  • cpe:2.3:a:netapp:snapcenter:-:*:*:*:*:*:*:*
  • cpe:2.3:a:opensuse:backports_sle:15.0:sp1:*:*:*:*:*:*
  • cpe:2.3:a:oracle:agile_product_lifecycle_management_for_process:6.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:agile_product_lifecycle_management_for_process:6.2.0.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:agile_product_lifecycle_management_for_process:6.2.1.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:agile_product_lifecycle_management_for_process:6.2.2.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:agile_product_lifecycle_management_for_process:6.2.3.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:application_express:*:*:*:*:*:*:*:* versions up to (excluding) 19.1
  • cpe:2.3:a:oracle:application_service_level_management:13.2.0.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:application_service_level_management:13.3.0.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:application_testing_suite:12.5.0.3:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:application_testing_suite:13.1.0.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:application_testing_suite:13.2:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:application_testing_suite:13.2.0.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:application_testing_suite:13.3:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:application_testing_suite:13.3.0.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:banking_digital_experience:18.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:banking_digital_experience:18.2:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:banking_digital_experience:18.3:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:banking_digital_experience:19.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:banking_digital_experience:19.2:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:banking_digital_experience:20.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:banking_enterprise_collections:*:*:*:*:*:*:*:* versions from (including) 2.7.0; versions up to (including) 2.8.0
  • cpe:2.3:a:oracle:banking_platform:*:*:*:*:*:*:*:* versions from (including) 2.4.0; versions up to (including) 2.10.0
  • cpe:2.3:a:oracle:bi_publisher:5.5.0.0.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:bi_publisher:12.2.1.3.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:bi_publisher:12.2.1.4.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:big_data_discovery:1.6:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:business_process_management_suite:12.2.1.3.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:business_process_management_suite:12.2.1.4.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_analytics:12.1.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_application_session_controller:3.8m0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_billing_and_revenue_management:7.5:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_billing_and_revenue_management:7.5.0.23.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_billing_and_revenue_management:12.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_billing_and_revenue_management:12.0.0.3.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_diameter_signaling_router:8.0.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_diameter_signaling_router:8.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_diameter_signaling_router:8.2:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_diameter_signaling_router:8.2.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_eagle_application_processor:*:*:*:*:*:*:*:* versions from (including) 16.1.0; versions up to (including) 16.4.0
  • cpe:2.3:a:oracle:communications_element_manager:8.1.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_element_manager:8.2.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_element_manager:8.2.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_interactive_session_recorder:*:*:*:*:*:*:*:* versions from (including) 6.0; versions up to (including) 6.4
  • cpe:2.3:a:oracle:communications_operations_monitor:*:*:*:*:*:*:*:* versions from (including) 4.1; versions up to (including) 4.3
  • cpe:2.3:a:oracle:communications_operations_monitor:3.4:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_operations_monitor:4.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_operations_monitor:4.1.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_services_gatekeeper:7.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_session_report_manager:8.1.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_session_report_manager:8.2.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_session_report_manager:8.2.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_session_route_manager:8.1.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_session_route_manager:8.2.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_session_route_manager:8.2.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_unified_inventory_management:7.3:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_unified_inventory_management:7.4.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_webrtc_session_controller:7.2:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:diagnostic_assistant:2.12.36:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:enterprise_manager_ops_center:12.3.3:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:enterprise_manager_ops_center:12.4.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:enterprise_manager_ops_center:12.4.0.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:enterprise_session_border_controller:8.4:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:*:*:*:*:*:*:*:* versions from (including) 7.3.3; versions up to (including) 7.3.5
  • cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:*:*:*:*:*:*:*:* versions from (including) 8.0.2; versions up to (including) 8.1.0
  • cpe:2.3:a:oracle:financial_services_analytical_applications_reconciliation_framework:*:*:*:*:*:*:*:* versions from (including) 8.0.4; versions up to (including) 8.0.7
  • cpe:2.3:a:oracle:financial_services_analytical_applications_reconciliation_framework:8.1.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_asset_liability_management:*:*:*:*:*:*:*:* versions from (including) 8.0.4; versions up to (including) 8.0.7
  • cpe:2.3:a:oracle:financial_services_asset_liability_management:8.1.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_balance_sheet_planning:8.0.8:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_basel_regulatory_capital_basic:*:*:*:*:*:*:*:* versions from (including) 8.0.4; versions up to (including) 8.0.7
  • cpe:2.3:a:oracle:financial_services_basel_regulatory_capital_basic:8.1.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_basel_regulatory_capital_internal_ratings_based_approach:*:*:*:*:*:*:*:* versions from (including) 8.0.4; versions up to (including) 8.0.7
  • cpe:2.3:a:oracle:financial_services_basel_regulatory_capital_internal_ratings_based_approach:8.1.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_data_foundation:*:*:*:*:*:*:*:* versions from (including) 8.0.4; versions up to (including) 8.0.8
  • cpe:2.3:a:oracle:financial_services_data_governance_for_us_regulatory_reporting:*:*:*:*:*:*:*:* versions from (including) 8.0.6; versions up to (including) 8.0.9
  • cpe:2.3:a:oracle:financial_services_data_integration_hub:*:*:*:*:*:*:*:* versions from (including) 8.0.5; versions up to (including) 8.0.7
  • cpe:2.3:a:oracle:financial_services_data_integration_hub:8.1.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_enterprise_financial_performance_analytics:8.0.6:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_enterprise_financial_performance_analytics:8.0.7:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_funds_transfer_pricing:*:*:*:*:*:*:*:* versions from (including) 8.0.4; versions up to (including) 8.0.7
  • cpe:2.3:a:oracle:financial_services_funds_transfer_pricing:8.1.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_hedge_management_and_ifrs_valuations:*:*:*:*:*:*:*:* versions from (including) 8.0.4; versions up to (including) 8.0.7
  • cpe:2.3:a:oracle:financial_services_hedge_management_and_ifrs_valuations:8.1.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_institutional_performance_analytics:*:*:*:*:*:*:*:* versions from (including) 8.0.4; versions up to (including) 8.0.7
  • cpe:2.3:a:oracle:financial_services_institutional_performance_analytics:8.1.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_liquidity_risk_management:8.0.0.1.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_liquidity_risk_management:8.0.2:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_liquidity_risk_management:8.0.4.0.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_liquidity_risk_management:8.0.5.0.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_liquidity_risk_management:8.0.6:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_liquidity_risk_measurement_and_management:8.0.7:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_liquidity_risk_measurement_and_management:8.0.8:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_liquidity_risk_measurement_and_management:8.1.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_loan_loss_forecasting_and_provisioning:*:*:*:*:*:*:*:* versions from (including) 8.0.2; versions up to (including) 8.0.7
  • cpe:2.3:a:oracle:financial_services_loan_loss_forecasting_and_provisioning:8.1.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_market_risk_measurement_and_management:8.0.5:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_market_risk_measurement_and_management:8.0.6:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_market_risk_measurement_and_management:8.0.8:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_price_creation_and_discovery:*:*:*:*:*:*:*:* versions from (including) 8.0.4; versions up to (including) 8.0.7
  • cpe:2.3:a:oracle:financial_services_profitability_management:*:*:*:*:*:*:*:* versions from (including) 8.0.4; versions up to (including) 8.0.7
  • cpe:2.3:a:oracle:financial_services_profitability_management:8.1.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_regulatory_reporting_for_de_nederlandsche_bank:8.0.4:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_regulatory_reporting_for_european_banking_authority:8.0.6:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_regulatory_reporting_for_european_banking_authority:8.0.7:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_regulatory_reporting_for_us_federal_reserve:*:*:*:*:*:*:*:* versions from (including) 8.0.4; versions up to (including) 8.0.7
  • cpe:2.3:a:oracle:financial_services_retail_customer_analytics:*:*:*:*:*:*:*:* versions from (including) 8.0.4; versions up to (including) 8.0.6
  • cpe:2.3:a:oracle:financial_services_retail_performance_analytics:8.0.6:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_retail_performance_analytics:8.0.7:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_revenue_management_and_billing:2.4.0.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_revenue_management_and_billing:2.4.0.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:fusion_middleware_mapviewer:12.2.1.3.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:healthcare_foundation:7.1.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:healthcare_foundation:7.2.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:healthcare_foundation:7.2.2:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:healthcare_foundation:7.3.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:healthcare_translational_research:3.1.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:healthcare_translational_research:3.2.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:healthcare_translational_research:3.3.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:healthcare_translational_research:3.3.2:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:healthcare_translational_research:3.4.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:hospitality_guest_access:4.2.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:hospitality_guest_access:4.2.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:hospitality_materials_control:18.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:hospitality_simphony:*:*:*:*:*:*:*:* versions from (including) 19.1.0; versions up to (including) 19.1.2
  • cpe:2.3:a:oracle:hospitality_simphony:18.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:hospitality_simphony:18.2:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:identity_manager:12.2.1.3.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:insurance_accounting_analyzer:8.0.9:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:insurance_allocation_manager_for_enterprise_profitability:8.0.8:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:insurance_allocation_manager_for_enterprise_profitability:8.1.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:insurance_data_foundation:*:*:*:*:*:*:*:* versions from (including) 8.0.4; versions up to (including) 8.0.7
  • cpe:2.3:a:oracle:insurance_ifrs_17_analyzer:8.0.6:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:insurance_ifrs_17_analyzer:8.0.7:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:insurance_insbridge_rating_and_underwriting:*:*:*:*:*:*:*:* versions from (including) 5.0.0.0; versions up to (including) 5.6.0.0
  • cpe:2.3:a:oracle:insurance_insbridge_rating_and_underwriting:5.6.1.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:insurance_performance_insight:8.0.7:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools:9.2:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:jdeveloper:11.1.1.9.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:jdeveloper:12.2.1.3.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:jdeveloper:12.2.1.4.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:jdeveloper_and_adf:11.1.1.9.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:jdeveloper_and_adf:12.1.3.0.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:jdeveloper_and_adf:12.2.1.3.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:knowledge:*:*:*:*:*:*:*:* versions from (including) 8.6.0; versions up to (including) 8.6.3
  • cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.55:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.56:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.57:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.58:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:policy_automation:*:*:*:*:*:*:*:* versions from (including) 12.2.0; versions up to (including) 12.2.15
  • cpe:2.3:a:oracle:policy_automation:10.4.7:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:policy_automation:12.1.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:policy_automation:12.1.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:policy_automation_connector_for_siebel:10.4.6:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:policy_automation_for_mobile_devices:*:*:*:*:*:*:*:* versions from (including) 12.2.0; versions up to (including) 12.2.15
  • cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:* versions from (including) 16.2.0; versions up to (including) 16.2.11
  • cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:* versions from (including) 17.12.0; versions up to (including) 17.12.7
  • cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:* versions from (including) 18.8.0; versions up to (including) 18.8.9
  • cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:* versions from (including) 19.12.0; versions up to (including) 19.12.4
  • cpe:2.3:a:oracle:primavera_gateway:15.2.18:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:primavera_unifier:*:*:*:*:*:*:*:* versions from (including) 17.7; versions up to (including) 17.12
  • cpe:2.3:a:oracle:primavera_unifier:16.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:primavera_unifier:16.2:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:primavera_unifier:18.8:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:real-time_scheduler:*:*:*:*:*:*:*:* versions from (including) 2.3.0.1; versions up to (including) 2.3.0.3
  • cpe:2.3:a:oracle:rest_data_services:18c:*:*:*:-:*:*:*
  • cpe:2.3:a:oracle:rest_data_services:19c:*:*:*:-:*:*:*
  • cpe:2.3:a:oracle:rest_data_services:11.2.0.4:*:*:*:-:*:*:*
  • cpe:2.3:a:oracle:rest_data_services:12.1.0.2:*:*:*:-:*:*:*
  • cpe:2.3:a:oracle:rest_data_services:12.2.0.1:*:*:*:-:*:*:*
  • cpe:2.3:a:oracle:retail_back_office:14.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:retail_back_office:14.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:retail_central_office:14.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:retail_central_office:14.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:retail_customer_insights:15.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:retail_customer_insights:16.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:retail_customer_management_and_segmentation_foundation:18.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:retail_customer_management_and_segmentation_foundation:19.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:retail_point-of-service:14.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:retail_point-of-service:14.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:retail_returns_management:14.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:retail_returns_management:14.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:service_bus:11.1.1.9.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:service_bus:12.1.3.0.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:service_bus:12.2.1.3.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:siebel_mobile_applications:*:*:*:*:*:*:*:* versions up to (including) 19.8
  • cpe:2.3:a:oracle:siebel_ui_framework:20.8:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:storagetek_tape_analytics_sw_tool:2.3.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:system_utilities:19.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:tape_library_acsls:8.5:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:tape_library_acsls:8.5.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:transportation_management:1.4.3:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:utilities_mobile_workforce_management:*:*:*:*:*:*:*:* versions from (including) 2.3.0.1; versions up to (including) 2.3.0.3
  • cpe:2.3:a:oracle:webcenter_sites:12.2.1.3.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:weblogic_server:10.3.6.0.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:weblogic_server:12.1.3.0.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:weblogic_server:12.2.1.3.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:weblogic_server:12.2.1.4.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:weblogic_server:14.1.1.0.0:*:*:*:*:*:*:*
  • cpe:2.3:a:redhat:cloudforms:4.7:*:*:*:*:*:*:*
  • cpe:2.3:a:redhat:virtualization_manager:4.3:*:*:*:*:*:*:*

CVE-2020-11022  

In jQuery versions greater than or equal to 1.2 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (6.1)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

References:

Vulnerable Software & Versions (NVD):

  • cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:* versions from (including) 7.0; versions up to (excluding) 7.70
  • cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:* versions from (including) 8.7.0; versions up to (excluding) 8.7.14
  • cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:* versions from (including) 8.8.0; versions up to (excluding) 8.8.6
  • cpe:2.3:a:jquery:jquery:*:*:*:*:*:*:*:* versions from (including) 1.2; versions up to (excluding) 3.5.0
  • cpe:2.3:a:netapp:max_data:-:*:*:*:*:*:*:*
  • cpe:2.3:a:netapp:oncommand_insight:-:*:*:*:*:*:*:*
  • cpe:2.3:a:netapp:oncommand_system_manager:*:*:*:*:*:*:*:* versions from (including) 3.0; versions up to (including) 3.1.3
  • cpe:2.3:a:netapp:snap_creator_framework:-:*:*:*:*:*:*:*
  • cpe:2.3:a:netapp:snapcenter:-:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:agile_product_lifecycle_management_for_process:6.2.0.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:agile_product_supplier_collaboration_for_process:6.2.0.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:application_testing_suite:13.3.0.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:banking_digital_experience:*:*:*:*:*:*:*:* versions from (including) 18.1; versions up to (including) 20.1
  • cpe:2.3:a:oracle:banking_digital_experience:18.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:banking_digital_experience:18.2:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:banking_digital_experience:18.3:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:banking_digital_experience:19.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:banking_digital_experience:19.2:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:banking_digital_experience:20.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:blockchain_platform:*:*:*:*:*:*:*:* versions up to (excluding) 21.1.2
  • cpe:2.3:a:oracle:communications_application_session_controller:3.8m0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_billing_and_revenue_management:7.5.0.23.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_billing_and_revenue_management:12.0.0.3.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_diameter_signaling_router_idih\::*:*:*:*:*:*:*:* versions from (including) 8.0.0; versions up to (including) 8.2.2
  • cpe:2.3:a:oracle:communications_eagle_application_processor:*:*:*:*:*:*:*:* versions from (including) 16.1.0; versions up to (including) 16.4.0
  • cpe:2.3:a:oracle:communications_services_gatekeeper:7.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_webrtc_session_controller:7.2:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:enterprise_manager_ops_center:12.4.0.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:enterprise_session_border_controller:8.4:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:*:*:*:*:*:*:*:* versions from (including) 8.0.6; versions up to (including) 8.1.0
  • cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:*:*:*:*:*:*:*:* versions from (including) 8.0.6.0.0; versions up to (including) 8.1.0.0.0
  • cpe:2.3:a:oracle:financial_services_analytical_applications_reconciliation_framework:*:*:*:*:*:*:*:* versions from (including) 8.0.6; versions up to (including) 8.0.8
  • cpe:2.3:a:oracle:financial_services_analytical_applications_reconciliation_framework:8.1.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_asset_liability_management:8.0.6:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_asset_liability_management:8.0.7:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_asset_liability_management:8.1.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_balance_sheet_planning:8.0.8:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_basel_regulatory_capital_basic:*:*:*:*:*:*:*:* versions from (including) 8.0.6; versions up to (including) 8.0.8
  • cpe:2.3:a:oracle:financial_services_basel_regulatory_capital_basic:8.1.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_basel_regulatory_capital_internal_ratings_based_approach:*:*:*:*:*:*:*:* versions from (including) 8.0.6; versions up to (including) 8.0.8
  • cpe:2.3:a:oracle:financial_services_basel_regulatory_capital_internal_ratings_based_approach:8.1.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_data_foundation:*:*:*:*:*:*:*:* versions from (including) 8.0.6; versions up to (including) 8.1.0
  • cpe:2.3:a:oracle:financial_services_data_governance_for_us_regulatory_reporting:*:*:*:*:*:*:*:* versions from (including) 8.0.6; versions up to (including) 8.0.9
  • cpe:2.3:a:oracle:financial_services_data_integration_hub:8.0.6:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_data_integration_hub:8.0.7:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_data_integration_hub:8.1.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_funds_transfer_pricing:8.0.6:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_funds_transfer_pricing:8.0.7:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_funds_transfer_pricing:8.1.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_hedge_management_and_ifrs_valuations:*:*:*:*:*:*:*:* versions from (including) 8.0.6; versions up to (including) 8.0.8
  • cpe:2.3:a:oracle:financial_services_hedge_management_and_ifrs_valuations:8.1.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_institutional_performance_analytics:8.0.6:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_institutional_performance_analytics:8.0.7:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_institutional_performance_analytics:8.1.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_liquidity_risk_management:8.0.6:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_liquidity_risk_measurement_and_management:8.0.7:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_liquidity_risk_measurement_and_management:8.0.8:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_liquidity_risk_measurement_and_management:8.1.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_loan_loss_forecasting_and_provisioning:*:*:*:*:*:*:*:* versions from (including) 8.0.6; versions up to (including) 8.0.8
  • cpe:2.3:a:oracle:financial_services_loan_loss_forecasting_and_provisioning:8.1.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_market_risk_measurement_and_management:8.0.6:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_market_risk_measurement_and_management:8.0.8:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_price_creation_and_discovery:8.0.6:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_price_creation_and_discovery:8.0.7:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_profitability_management:8.0.6:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_profitability_management:8.0.7:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_profitability_management:8.1.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_regulatory_reporting_for_european_banking_authority:*:*:*:*:*:*:*:* versions from (including) 8.0.6; versions up to (including) 8.1.0
  • cpe:2.3:a:oracle:financial_services_regulatory_reporting_for_us_federal_reserve:*:*:*:*:*:*:*:* versions from (including) 8.0.6; versions up to (including) 8.0.9
  • cpe:2.3:a:oracle:healthcare_foundation:7.1.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:healthcare_foundation:7.2.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:healthcare_foundation:7.2.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:healthcare_foundation:7.3.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:hospitality_materials_control:18.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:hospitality_simphony:*:*:*:*:*:*:*:* versions from (including) 19.1.0; versions up to (including) 19.1.2
  • cpe:2.3:a:oracle:hospitality_simphony:18.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:hospitality_simphony:18.2:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:hospitality_simphony:19.1.0-19.1.2:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:insurance_accounting_analyzer:8.0.9:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:insurance_allocation_manager_for_enterprise_profitability:8.0.8:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:insurance_allocation_manager_for_enterprise_profitability:8.1.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:insurance_data_foundation:*:*:*:*:*:*:*:* versions from (including) 8.0.6; versions up to (including) 8.1.0
  • cpe:2.3:a:oracle:insurance_data_foundation:8.0.6-8.1.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:insurance_insbridge_rating_and_underwriting:*:*:*:*:*:*:*:* versions from (including) 5.0.0.0; versions up to (including) 5.6.0.0
  • cpe:2.3:a:oracle:insurance_insbridge_rating_and_underwriting:5.6.1.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:jdeveloper:11.1.1.9.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:jdeveloper:12.2.1.3.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:jdeveloper:12.2.1.4.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.56:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.57:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.58:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:policy_automation:*:*:*:*:*:*:*:* versions from (including) 12.2.0; versions up to (including) 12.2.20
  • cpe:2.3:a:oracle:policy_automation_connector_for_siebel:10.4.6:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:policy_automation_for_mobile_devices:*:*:*:*:*:*:*:* versions from (including) 12.2.0; versions up to (including) 12.2.20
  • cpe:2.3:a:oracle:retail_back_office:14.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:retail_back_office:14.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:retail_customer_management_and_segmentation_foundation:19.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:retail_returns_management:14.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:retail_returns_management:14.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:siebel_ui_framework:20.8:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:storagetek_acsls:8.5.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:weblogic_server:10.3.6.0.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:weblogic_server:12.1.3.0.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:weblogic_server:12.2.1.3.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:weblogic_server:12.2.1.4.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:weblogic_server:14.1.1.0.0:*:*:*:*:*:*:*
  • cpe:2.3:a:tenable:log_correlation_engine:*:*:*:*:*:*:*:* versions up to (excluding) 6.0.9

CVE-2020-11023  

In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing <option> elements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (6.1)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

References:

Vulnerable Software & Versions (NVD):

  • cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:* versions from (including) 7.0; versions up to (excluding) 7.70
  • cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:* versions from (including) 8.7.0; versions up to (excluding) 8.7.14
  • cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:* versions from (including) 8.8.0; versions up to (excluding) 8.8.6
  • cpe:2.3:a:jquery:jquery:*:*:*:*:*:*:*:* versions from (including) 1.0.3; versions up to (excluding) 3.5.0
  • cpe:2.3:a:netapp:max_data:-:*:*:*:*:*:*:*
  • cpe:2.3:a:netapp:oncommand_insight:-:*:*:*:*:*:*:*
  • cpe:2.3:a:netapp:oncommand_system_manager:*:*:*:*:*:*:*:* versions from (including) 3.0; versions up to (including) 3.1.3
  • cpe:2.3:a:netapp:snap_creator_framework:-:*:*:*:*:*:*:*
  • cpe:2.3:a:netapp:snapcenter_server:-:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:application_express:*:*:*:*:*:*:*:* versions up to (excluding) 20.2
  • cpe:2.3:a:oracle:application_testing_suite:13.3.0.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:banking_enterprise_collections:*:*:*:*:*:*:*:* versions from (including) 2.7.0; versions up to (including) 2.8.0
  • cpe:2.3:a:oracle:banking_platform:*:*:*:*:*:*:*:* versions from (including) 2.4.0; versions up to (including) 2.10.0
  • cpe:2.3:a:oracle:communications_analytics:12.1.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_eagle_application_processor:*:*:*:*:*:*:*:* versions from (including) 16.1.0; versions up to (including) 16.4.0
  • cpe:2.3:a:oracle:communications_element_manager:8.1.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_element_manager:8.2.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_element_manager:8.2.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_interactive_session_recorder:*:*:*:*:*:*:*:* versions from (including) 6.1; versions up to (including) 6.4
  • cpe:2.3:a:oracle:communications_operations_monitor:*:*:*:*:*:*:*:* versions from (including) 4.1; versions up to (including) 4.3
  • cpe:2.3:a:oracle:communications_operations_monitor:3.4:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_services_gatekeeper:7.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_session_report_manager:8.1.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_session_report_manager:8.2.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_session_report_manager:8.2.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_session_route_manager:8.1.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_session_route_manager:8.2.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_session_route_manager:8.2.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_regulatory_reporting_for_de_nederlandsche_bank:8.0.4:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_revenue_management_and_billing_analytics:2.7:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_revenue_management_and_billing_analytics:2.8:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:health_sciences_inform:6.3.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:healthcare_translational_research:3.2.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:healthcare_translational_research:3.3.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:healthcare_translational_research:3.3.2:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:healthcare_translational_research:3.4.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:hyperion_financial_reporting:11.1.2.4:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:jd_edwards_enterpriseone_orchestrator:*:*:*:*:*:*:*:* versions up to (excluding) 9.2.5.0
  • cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools:*:*:*:*:*:*:*:* versions up to (excluding) 9.2.5.0
  • cpe:2.3:a:oracle:oss_support_tools:*:*:*:*:*:*:*:* versions up to (excluding) 2.12.41
  • cpe:2.3:a:oracle:peoplesoft_enterprise_human_capital_management_resources:9.2:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:* versions from (including) 16.2; versions up to (including) 16.2.11
  • cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:* versions from (including) 17.12.0; versions up to (including) 17.12.7
  • cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:* versions from (including) 18.8.0; versions up to (including) 18.8.9
  • cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:* versions from (including) 19.12.0; versions up to (including) 19.12.4
  • cpe:2.3:a:oracle:rest_data_services:18c:*:*:*:-:*:*:*
  • cpe:2.3:a:oracle:rest_data_services:19c:*:*:*:-:*:*:*
  • cpe:2.3:a:oracle:rest_data_services:11.2.0.4:*:*:*:-:*:*:*
  • cpe:2.3:a:oracle:rest_data_services:12.1.0.2:*:*:*:-:*:*:*
  • cpe:2.3:a:oracle:rest_data_services:12.2.0.1:*:*:*:-:*:*:*
  • cpe:2.3:a:oracle:siebel_mobile:*:*:*:*:*:*:*:* versions up to (including) 20.12
  • cpe:2.3:a:oracle:storagetek_acsls:8.5.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:storagetek_tape_analytics_sw_tool:2.3.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:webcenter_sites:12.2.1.3.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:webcenter_sites:12.2.1.4.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:weblogic_server:12.1.3.0.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:weblogic_server:12.2.1.3.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:weblogic_server:12.2.1.4.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:weblogic_server:14.1.1.0.0:*:*:*:*:*:*:*
  • cpe:2.3:a:tenable:log_correlation_engine:*:*:*:*:*:*:*:* versions up to (excluding) 6.0.9

hadoop-yarn-common-2.7.3.jar: jquery-ui-1.9.1.custom.min.js.gz: jquery-ui-1.9.1.custom.min.js

File Path: /root/.m2/repository/org/apache/hadoop/hadoop-yarn-common/2.7.3/hadoop-yarn-common-2.7.3.jar/webapps/static/jquery/jquery-ui-1.9.1.custom.min.js.gz/jquery-ui-1.9.1.custom.min.js
MD5: ab92e49c769e9593ff52cbdb48a9dd03
SHA1: 43751816cc0b6480e8fb3b2398952d6a865e8b89
SHA256: 1fb0b66548624c8cf9ebf2d0c81970910ab0c8031a8ada6f8e6f884114344e8d
Referenced In Projects/Scopes:

  • livy-scala-api_2.12:provided
  • livy-integration-test:compile
  • livy-rsc:provided
  • livy-repl-parent:provided
  • livy-test-lib:provided
  • livy-api:provided
  • livy-scala-api_2.11:provided
  • livy-scala-api-parent:provided
  • livy-coverage-report:compile
  • livy-assembly:compile
  • livy-repl_2.12:provided
  • livy-server:compile
  • livy-repl_2.11:provided
  • livy-examples:compile

Identifiers

CVE-2016-7103  

Cross-site scripting (XSS) vulnerability in jQuery UI before 1.12.0 might allow remote attackers to inject arbitrary web script or HTML via the closeText parameter of the dialog function.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (6.1)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

References:

Vulnerable Software & Versions (NVD):

  • cpe:2.3:a:jquery:jquery_ui:*:*:*:*:*:*:*:* versions from (including) 1.10.0; versions up to (including) 1.11.4
  • cpe:2.3:a:jquery:jquery_ui:1.10.0:beta1:*:*:*:*:*:*
  • cpe:2.3:a:jquery:jquery_ui:1.10.0:rc1:*:*:*:*:*:*
  • cpe:2.3:a:netapp:snapcenter:-:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:application_express:*:*:*:*:*:*:*:* versions up to (excluding) 19.1
  • cpe:2.3:a:oracle:business_intelligence:12.2.1.3.0:*:*:*:enterprise:*:*:*
  • cpe:2.3:a:oracle:business_intelligence:12.2.1.4.0:*:*:*:enterprise:*:*:*
  • cpe:2.3:a:oracle:hospitality_cruise_fleet_management:9.0.11:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:primavera_unifier:*:*:*:*:*:*:*:* versions from (including) 16.0; versions up to (including) 16.2
  • cpe:2.3:a:oracle:primavera_unifier:*:*:*:*:*:*:*:* versions from (including) 17.0; versions up to (including) 17.12.4
  • cpe:2.3:a:oracle:primavera_unifier:*:*:*:*:*:*:*:* versions from (including) 18.0; versions up to (including) 18.8.4
  • cpe:2.3:a:oracle:weblogic_server:10.3.6.0.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:weblogic_server:12.1.3.0.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:weblogic_server:12.2.1.3.0:*:*:*:*:*:*:*
  • cpe:2.3:a:redhat:openstack:7.0:*:*:*:*:*:*:*
  • cpe:2.3:a:redhat:openstack:8:*:*:*:*:*:*:*
  • cpe:2.3:a:redhat:openstack:9:*:*:*:*:*:*:*

CVE-2021-41182  

jQuery-UI is the official jQuery user interface library. Prior to version 1.13.0, accepting the value of the `altField` option of the Datepicker widget from untrusted sources may execute untrusted code. The issue is fixed in jQuery UI 1.13.0. Any string value passed to the `altField` option is now treated as a CSS selector. A workaround is to not accept the value of the `altField` option from untrusted sources.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (6.1)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

References:

Vulnerable Software & Versions (NVD):

  • cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:* versions from (including) 7.0; versions up to (excluding) 7.86
  • cpe:2.3:a:jquery:jquery_ui:*:*:*:*:*:*:*:* versions up to (excluding) 1.13.0
  • cpe:2.3:a:oracle:agile_plm:9.3.6:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:application_express:*:*:*:*:*:*:*:* versions up to (excluding) 22.1.1
  • cpe:2.3:a:oracle:banking_platform:2.9.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:banking_platform:2.12.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:big_data_spatial_and_graph:*:*:*:*:*:*:*:* versions up to (excluding) 23.1
  • cpe:2.3:a:oracle:big_data_spatial_and_graph:23.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_interactive_session_recorder:6.4:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_operations_monitor:4.3:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_operations_monitor:4.4:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_operations_monitor:5.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:hospitality_inventory_management:9.1.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:hospitality_materials_control:18.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:hospitality_suite8:*:*:*:*:*:*:*:* versions from (including) 8.11.0; versions up to (including) 8.14.0
  • cpe:2.3:a:oracle:hospitality_suite8:8.10.2:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools:*:*:*:*:*:*:*:* versions up to (including) 9.2.6.3
  • cpe:2.3:a:oracle:mysql_enterprise_monitor:*:*:*:*:*:*:*:* versions up to (including) 8.0.29
  • cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.58:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.59:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:policy_automation:*:*:*:*:*:*:*:* versions from (including) 12.2.0; versions up to (including) 12.2.25
  • cpe:2.3:a:oracle:primavera_unifier:*:*:*:*:*:*:*:* versions from (including) 17.7; versions up to (including) 17.12
  • cpe:2.3:a:oracle:primavera_unifier:17.7:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:primavera_unifier:17.8:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:primavera_unifier:17.9:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:primavera_unifier:17.10:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:primavera_unifier:17.11:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:primavera_unifier:17.12:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:primavera_unifier:18.8:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:primavera_unifier:19.12:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:primavera_unifier:20.12:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:primavera_unifier:21.12:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:rest_data_services:*:*:*:*:-:*:*:* versions up to (excluding) 22.1.1
  • cpe:2.3:a:oracle:rest_data_services:22.1.1:*:*:*:-:*:*:*
  • cpe:2.3:a:oracle:weblogic_server:12.2.1.3.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:weblogic_server:12.2.1.4.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:weblogic_server:14.1.1.0.0:*:*:*:*:*:*:*
  • cpe:2.3:a:tenable:tenable.sc:*:*:*:*:*:*:*:* versions up to (excluding) 5.21.0

CVE-2021-41183  

jQuery-UI is the official jQuery user interface library. Prior to version 1.13.0, accepting the value of various `*Text` options of the Datepicker widget from untrusted sources may execute untrusted code. The issue is fixed in jQuery UI 1.13.0. The values passed to various `*Text` options are now always treated as pure text, not HTML. A workaround is to not accept the value of the `*Text` options from untrusted sources.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (6.1)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

References:

Vulnerable Software & Versions (NVD):

  • cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:* versions from (including) 7.0; versions up to (excluding) 7.86
  • cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:* versions from (including) 9.2.0; versions up to (excluding) 9.2.11
  • cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:* versions from (including) 9.3.0; versions up to (excluding) 9.3.3
  • cpe:2.3:a:jquery:jquery_ui:*:*:*:*:*:*:*:* versions up to (excluding) 1.13.0
  • cpe:2.3:a:oracle:agile_plm:9.3.6:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:application_express:*:*:*:*:*:*:*:* versions up to (excluding) 22.1.1
  • cpe:2.3:a:oracle:banking_platform:2.9.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:banking_platform:2.12.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:big_data_spatial_and_graph:*:*:*:*:*:*:*:* versions up to (excluding) 23.1
  • cpe:2.3:a:oracle:big_data_spatial_and_graph:23.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_interactive_session_recorder:6.4:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_operations_monitor:4.3:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_operations_monitor:4.4:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_operations_monitor:5.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:hospitality_inventory_management:9.1.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:hospitality_suite8:*:*:*:*:*:*:*:* versions from (including) 8.11.0; versions up to (including) 11.14.0
  • cpe:2.3:a:oracle:hospitality_suite8:8.10.2:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools:*:*:*:*:*:*:*:* versions up to (including) 9.2.6.3
  • cpe:2.3:a:oracle:mysql_enterprise_monitor:*:*:*:*:*:*:*:* versions up to (including) 8.0.29
  • cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.58:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.59:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:policy_automation:*:*:*:*:*:*:*:* versions from (including) 12.2.0; versions up to (including) 12.2.5
  • cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:* versions from (including) 17.7; versions up to (including) 17.12
  • cpe:2.3:a:oracle:primavera_gateway:18.8.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:primavera_gateway:19.12.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:primavera_gateway:20.12.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:primavera_gateway:21.12.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:rest_data_services:*:*:*:*:-:*:*:* versions up to (excluding) 22.1.1
  • cpe:2.3:a:oracle:rest_data_services:22.1.1:*:*:*:-:*:*:*
  • cpe:2.3:a:oracle:weblogic_server:12.2.1.3.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:weblogic_server:12.2.1.4.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:weblogic_server:14.1.1.0.0:*:*:*:*:*:*:*
  • cpe:2.3:a:tenable:tenable.sc:*:*:*:*:*:*:*:* versions up to (excluding) 5.21.0

CVE-2021-41184  

jQuery-UI is the official jQuery user interface library. Prior to version 1.13.0, accepting the value of the `of` option of the `.position()` util from untrusted sources may execute untrusted code. The issue is fixed in jQuery UI 1.13.0. Any string value passed to the `of` option is now treated as a CSS selector. A workaround is to not accept the value of the `of` option from untrusted sources.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (6.1)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

References:

Vulnerable Software & Versions (NVD):

  • cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:* versions from (including) 7.0; versions up to (excluding) 7.86
  • cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:* versions from (including) 9.2.0; versions up to (excluding) 9.2.11
  • cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:* versions from (including) 9.3.0; versions up to (excluding) 9.3.3
  • cpe:2.3:a:jquery:jquery_ui:*:*:*:*:*:*:*:* versions up to (excluding) 1.13.0
  • cpe:2.3:a:oracle:agile_plm:9.3.6:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:application_express:*:*:*:*:*:*:*:* versions up to (excluding) 22.1.1
  • cpe:2.3:a:oracle:banking_platform:2.9.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:banking_platform:2.12.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:big_data_spatial_and_graph:*:*:*:*:*:*:*:* versions up to (excluding) 23.1
  • cpe:2.3:a:oracle:big_data_spatial_and_graph:23.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_interactive_session_recorder:6.4:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_operations_monitor:4.3:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_operations_monitor:4.4:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_operations_monitor:5.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:hospitality_inventory_management:9.1.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:hospitality_materials_control:18.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:hospitality_suite8:*:*:*:*:*:*:*:* versions from (including) 8.11.0; versions up to (including) 8.14.0
  • cpe:2.3:a:oracle:hospitality_suite8:8.10.2:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools:*:*:*:*:*:*:*:* versions up to (including) 9.2.6.3
  • cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.58:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.59:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:policy_automation:*:*:*:*:*:*:*:* versions from (including) 12.2.0; versions up to (including) 12.2.25
  • cpe:2.3:a:oracle:primavera_unifier:*:*:*:*:*:*:*:* versions from (including) 17.7; versions up to (including) 17.12
  • cpe:2.3:a:oracle:primavera_unifier:18.8:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:primavera_unifier:19.12:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:primavera_unifier:20.12:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:primavera_unifier:21.12:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:rest_data_services:*:*:*:*:-:*:*:* versions up to (excluding) 22.1.1
  • cpe:2.3:a:oracle:rest_data_services:22.1.1:*:*:*:-:*:*:*
  • cpe:2.3:a:oracle:weblogic_server:12.2.1.3.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:weblogic_server:12.2.1.4.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:weblogic_server:14.1.1.0.0:*:*:*:*:*:*:*
  • cpe:2.3:a:tenable:tenable.sc:*:*:*:*:*:*:*:* versions up to (excluding) 5.21.0

CVE-2022-31160  

jQuery UI is a curated set of user interface interactions, effects, widgets, and themes built on top of jQuery. Versions prior to 1.13.2 are potentially vulnerable to cross-site scripting. Initializing a checkboxradio widget on an input enclosed within a label makes that parent label's contents be treated as the input label. Calling `.checkboxradio( "refresh" )` on such a widget when the initial HTML contained encoded HTML entities will make them erroneously get decoded. This can lead to potentially executing JavaScript code. The bug has been patched in jQuery UI 1.13.2. To remediate the issue, someone who can change the initial HTML can wrap all the non-input contents of the `label` in a `span`.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv3:
  • Base Score: MEDIUM (6.1)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

References:

Vulnerable Software & Versions (NVD):

  • cpe:2.3:a:drupal:jquery_ui_checkboxradio:8.x-1.0:*:*:*:*:drupal:*:*
  • cpe:2.3:a:drupal:jquery_ui_checkboxradio:8.x-1.1:*:*:*:*:drupal:*:*
  • cpe:2.3:a:drupal:jquery_ui_checkboxradio:8.x-1.2:*:*:*:*:drupal:*:*
  • cpe:2.3:a:drupal:jquery_ui_checkboxradio:8.x-1.3:*:*:*:*:drupal:*:*
  • cpe:2.3:a:jqueryui:jquery_ui:*:*:*:*:*:jquery:*:* versions up to (excluding) 1.13.2
  • cpe:2.3:a:netapp:oncommand_insight:-:*:*:*:*:*:*:*

CVE-2010-5312  

Cross-site scripting (XSS) vulnerability in jquery.ui.dialog.js in the Dialog widget in jQuery UI before 1.10.0 allows remote attackers to inject arbitrary web script or HTML via the title option.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N

References:

Vulnerable Software & Versions (NVD):

  • cpe:2.3:a:jquery:jquery_ui:*:*:*:*:*:*:*:* versions up to (excluding) 1.10.0

hadoop-yarn-common-2.7.3.jar: jquery.dataTables.min.js.gz: jquery.dataTables.min.js

File Path: /root/.m2/repository/org/apache/hadoop/hadoop-yarn-common/2.7.3/hadoop-yarn-common-2.7.3.jar/webapps/static/dt-1.9.4/js/jquery.dataTables.min.js.gz/jquery.dataTables.min.js
MD5: dd02e31cea8b6f07d665e5a0d0b53f50
SHA1: 98c517335f66552467f2372e1cd650f93cbffeaf
SHA256: 1783d49bec463c334d276a72d3b239f6366f6487c2e77e544838e8c6dcc657d9
Referenced In Projects/Scopes:

  • livy-scala-api_2.12:provided
  • livy-integration-test:compile
  • livy-rsc:provided
  • livy-repl-parent:provided
  • livy-test-lib:provided
  • livy-api:provided
  • livy-scala-api_2.11:provided
  • livy-scala-api-parent:provided
  • livy-coverage-report:compile
  • livy-assembly:compile
  • livy-repl_2.12:provided
  • livy-server:compile
  • livy-repl_2.11:provided
  • livy-examples:compile

Identifiers

  • None

hadoop-yarn-common-2.7.3.jar: jquery.jstree.js.gz: jquery.jstree.js

File Path: /root/.m2/repository/org/apache/hadoop/hadoop-yarn-common/2.7.3/hadoop-yarn-common-2.7.3.jar/webapps/static/jt/jquery.jstree.js.gz/jquery.jstree.js
MD5: 90107823a51eda2bbe77a6b2baac3466
SHA1: 89944976806fcac399356f8d698952473f936489
SHA256: 9dcb812e3e7f2c38f0c93a37e4aa923ce3a74ab65a97656957ff3fb780baf3d0
Referenced In Projects/Scopes:

  • livy-scala-api_2.12:provided
  • livy-integration-test:compile
  • livy-rsc:provided
  • livy-repl-parent:provided
  • livy-test-lib:provided
  • livy-api:provided
  • livy-scala-api_2.11:provided
  • livy-scala-api-parent:provided
  • livy-coverage-report:compile
  • livy-assembly:compile
  • livy-repl_2.12:provided
  • livy-server:compile
  • livy-repl_2.11:provided
  • livy-examples:compile

Identifiers

  • None

hadoop-yarn-common-2.7.3.jar: natural.js

File Path: /root/.m2/repository/org/apache/hadoop/hadoop-yarn-common/2.7.3/hadoop-yarn-common-2.7.3.jar/webapps/static/dt-sorting/natural.js
MD5: 6119b176fc9ded71d13d2d9e4b166ba9
SHA1: 2f5ecc90d7e4a8d6922c345cadf4952be2eb0d6d
SHA256: 7abeaadbaef39a5a540701143e8bdc05a82be5030b69eb03373d3b7a84c0225f
Referenced In Projects/Scopes:

  • livy-scala-api_2.12:provided
  • livy-integration-test:compile
  • livy-rsc:provided
  • livy-repl-parent:provided
  • livy-test-lib:provided
  • livy-api:provided
  • livy-scala-api_2.11:provided
  • livy-scala-api-parent:provided
  • livy-coverage-report:compile
  • livy-assembly:compile
  • livy-repl_2.12:provided
  • livy-server:compile
  • livy-repl_2.11:provided
  • livy-examples:compile

Identifiers

  • None

hadoop-yarn-common-2.7.3.jar: yarn.dt.plugins.js

File Path: /root/.m2/repository/org/apache/hadoop/hadoop-yarn-common/2.7.3/hadoop-yarn-common-2.7.3.jar/webapps/static/yarn.dt.plugins.js
MD5: 92892ffa06992a58682b3df403910d8f
SHA1: 6c45673282b91be2d21977d3ffb53797179e4854
SHA256: f3b3e49f23c491bbd0d3e15fbd1a7e60315e6cac4c2e8ba7be7ab1c058880ba1
Referenced In Projects/Scopes:

  • livy-scala-api_2.12:provided
  • livy-integration-test:compile
  • livy-rsc:provided
  • livy-repl-parent:provided
  • livy-test-lib:provided
  • livy-api:provided
  • livy-scala-api_2.11:provided
  • livy-scala-api-parent:provided
  • livy-coverage-report:compile
  • livy-assembly:compile
  • livy-repl_2.12:provided
  • livy-server:compile
  • livy-repl_2.11:provided
  • livy-examples:compile

Identifiers

  • None

hadoop-yarn-server-common-2.7.3.jar

File Path: /root/.m2/repository/org/apache/hadoop/hadoop-yarn-server-common/2.7.3/hadoop-yarn-server-common-2.7.3.jar
MD5: a658771fb65ec924560a7e0022aafa39
SHA1: 65f027fd3e81ceef40a64c53d02915da735524df
SHA256: 53272b885ab327ad101fded390c82410a717cf7326e197daa2867e77d9cf1a00
Referenced In Projects/Scopes:

  • livy-scala-api_2.12:provided
  • livy-integration-test:compile
  • livy-rsc:provided
  • livy-repl-parent:provided
  • livy-test-lib:provided
  • livy-api:provided
  • livy-scala-api_2.11:provided
  • livy-scala-api-parent:provided
  • livy-coverage-report:compile
  • livy-assembly:compile
  • livy-repl_2.12:provided
  • livy-server:compile
  • livy-repl_2.11:provided
  • livy-examples:compile

Identifiers

CVE-2017-15718  

The YARN NodeManager in Apache Hadoop 2.7.3 and 2.7.4 can leak the password for credential store provider used by the NodeManager to YARN Applications.
NVD-CWE-noinfo

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions:

CVE-2022-25168  

Apache Hadoop's FileUtil.unTar(File, File) API does not escape the input file name before passing it to the shell. An attacker can inject arbitrary commands. This is only used in Hadoop 3.3 InMemoryAliasMap.completeBootstrapTransfer, which is only ever run by a local user. It has been used in Hadoop 2.x for YARN localization, which does enable remote code execution. It is used in Apache Spark, from the SQL command ADD ARCHIVE. As the ADD ARCHIVE command adds new binaries to the classpath, being able to execute shell scripts does not confer new permissions to the caller. SPARK-38305, "Check existence of file before untarring/zipping", which is included in 3.3.0, 3.1.4, 3.2.2, prevents shell commands being executed, regardless of which version of the Hadoop libraries is in use. Users should upgrade to Apache Hadoop 2.10.2, 3.2.4, 3.3.3 or higher (including HADOOP-18136).
CWE-88 Argument Injection or Modification

CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions:

CVE-2022-26612  

In Apache Hadoop, the unTar function uses the unTarUsingJava function on Windows and the built-in tar utility on Unix and other OSes. As a result, a TAR entry may create a symlink under the expected extraction directory which points to an external directory. A subsequent TAR entry may extract an arbitrary file into the external directory using the symlink name. This would be caught by the targetDirPath check on Unix because of the getCanonicalPath call. However, on Windows getCanonicalPath doesn't resolve symbolic links, which bypasses the check. unpackEntries during TAR extraction follows symbolic links, which allows writing outside the expected base directory on Windows. This was addressed in Apache Hadoop 3.2.3.
CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVSSv2:
  • Base Score: HIGH (7.5)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions:

CVE-2016-6811  

In Apache Hadoop 2.x before 2.7.4, a user who can escalate to yarn user can possibly run arbitrary commands as root user.
CWE-264 Permissions, Privileges, and Access Controls

CVSSv2:
  • Base Score: HIGH (9.0)
  • Vector: /AV:N/AC:L/Au:S/C:C/I:C/A:C
CVSSv3:
  • Base Score: HIGH (8.8)
  • Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions:

CVE-2018-8009  

Apache Hadoop 3.1.0, 3.0.0-alpha to 3.0.2, 2.9.0 to 2.9.1, 2.8.0 to 2.8.4, 2.0.0-alpha to 2.7.6, 0.23.0 to 0.23.11 is exploitable via the zip slip vulnerability in places that accept a zip file.
CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVSSv2:
  • Base Score: MEDIUM (6.5)
  • Vector: /AV:N/AC:L/Au:S/C:P/I:P/A:P
CVSSv3:
  • Base Score: HIGH (8.8)
  • Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions:

CVE-2018-8029  

In Apache Hadoop versions 3.0.0-alpha1 to 3.1.0, 2.9.0 to 2.9.1, and 2.2.0 to 2.8.4, a user who can escalate to yarn user can possibly run arbitrary commands as root user.
NVD-CWE-noinfo

CVSSv2:
  • Base Score: HIGH (9.0)
  • Vector: /AV:N/AC:L/Au:S/C:C/I:C/A:C
CVSSv3:
  • Base Score: HIGH (8.8)
  • Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions:

CVE-2020-9492  

In Apache Hadoop 3.2.0 to 3.2.1, 3.0.0-alpha1 to 3.1.3, and 2.0.0-alpha to 2.10.0, the WebHDFS client might send the SPNEGO authorization header to a remote URL without proper verification.
CWE-863 Incorrect Authorization

CVSSv2:
  • Base Score: MEDIUM (6.5)
  • Vector: /AV:N/AC:L/Au:S/C:P/I:P/A:P
CVSSv3:
  • Base Score: HIGH (8.8)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions:

CVE-2021-33036  

In Apache Hadoop 2.2.0 to 2.10.1, 3.0.0-alpha1 to 3.1.4, 3.2.0 to 3.2.2, and 3.3.0 to 3.3.1, a user who can escalate to yarn user can possibly run arbitrary commands as root user. Users should upgrade to Apache Hadoop 2.10.2, 3.2.3, 3.3.2 or higher.
CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVSSv2:
  • Base Score: HIGH (9.0)
  • Vector: /AV:N/AC:L/Au:S/C:C/I:C/A:C
CVSSv3:
  • Base Score: HIGH (8.8)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions:

CVE-2017-3166  

In Apache Hadoop versions 2.6.1 to 2.6.5, 2.7.0 to 2.7.3, and 3.0.0-alpha1, if a file in an encryption zone with access permissions that make it world readable is localized via YARN's localization mechanism, that file will be stored in a world-readable location and can be shared freely with any application that requests to localize that file.
CWE-732 Incorrect Permission Assignment for Critical Resource

CVSSv2:
  • Base Score: MEDIUM (4.6)
  • Vector: /AV:L/AC:L/Au:N/C:P/I:P/A:P
CVSSv3:
  • Base Score: HIGH (7.8)
  • Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions:

CVE-2018-11768  

In Apache Hadoop 3.1.0 to 3.1.1, 3.0.0-alpha1 to 3.0.3, 2.9.0 to 2.9.1, and 2.0.0-alpha to 2.8.4, the user/group information can be corrupted across storing in fsimage and reading back from fsimage.
CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

References:

Vulnerable Software & Versions:

CVE-2018-1296  

In Apache Hadoop 3.0.0-alpha1 to 3.0.0, 2.9.0, 2.8.0 to 2.8.3, and 2.5.0 to 2.7.5, HDFS exposes extended attribute key/value pairs during listXAttrs, verifying only path-level search access to the directory rather than path-level read permission to the referent.
CWE-200 Information Exposure

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

References:

Vulnerable Software & Versions:

CVE-2017-15713  

Vulnerability in Apache Hadoop 0.23.x, 2.x before 2.7.5, 2.8.x before 2.8.3, and 3.0.0-alpha through 3.0.0-beta1 allows a cluster user to expose private files owned by the user running the MapReduce job history server process. The malicious user can construct a configuration file containing XML directives that reference sensitive files on the MapReduce job history server host.
CWE-200 Information Exposure

CVSSv2:
  • Base Score: MEDIUM (4.0)
  • Vector: /AV:N/AC:L/Au:S/C:P/I:N/A:N
CVSSv3:
  • Base Score: MEDIUM (6.5)
  • Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

References:

Vulnerable Software & Versions:

hive-exec-1.2.1.spark2.jar (shaded: com.esotericsoftware.kryo:kryo:2.21)

Description:

Fast, efficient Java serialization

License:

New BSD License: http://www.opensource.org/licenses/bsd-license.php
File Path: /root/.m2/repository/org/spark-project/hive/hive-exec/1.2.1.spark2/hive-exec-1.2.1.spark2.jar/META-INF/maven/com.esotericsoftware.kryo/kryo/pom.xml
MD5: b977301578f13902a8f073b155495ea5
SHA1: ec1516f1bd3e83783e1bc44d01f6d18ef0249174
SHA256: 24f9bcbb62e6abc47a734288f3b7230dd591f16d95c21f3f2227c37c17613523
Referenced In Projects/Scopes:

  • livy-scala-api_2.12:provided
  • livy-scala-api_2.11:provided
  • livy-scala-api-parent:provided
  • livy-repl_2.12:provided
  • livy-rsc:provided
  • livy-repl-parent:provided
  • livy-test-lib:provided
  • livy-repl_2.11:provided
  • livy-examples:compile
  • livy-api:provided

Identifiers

hive-exec-1.2.1.spark2.jar (shaded: org.spark-project.hive.shims:hive-shims-0.20S:1.2.1.spark2)

File Path: /root/.m2/repository/org/spark-project/hive/hive-exec/1.2.1.spark2/hive-exec-1.2.1.spark2.jar/META-INF/maven/org.spark-project.hive.shims/hive-shims-0.20S/pom.xml
MD5: 266504a2f32a7725a5e8b144f5b9fa1d
SHA1: 4853835dc25ee31dc4f7340cc8da5df6dc65a1a7
SHA256: 5fae5fba15177f10a11e4d16fa993166a87ae082d0bf3f70dfb3201e78b28773
Referenced In Projects/Scopes:

  • livy-scala-api_2.12:provided
  • livy-scala-api_2.11:provided
  • livy-scala-api-parent:provided
  • livy-repl_2.12:provided
  • livy-rsc:provided
  • livy-repl-parent:provided
  • livy-test-lib:provided
  • livy-repl_2.11:provided
  • livy-examples:compile
  • livy-api:provided

Identifiers

hive-exec-1.2.1.spark2.jar (shaded: org.spark-project.hive.shims:hive-shims-0.23:1.2.1.spark2)

File Path: /root/.m2/repository/org/spark-project/hive/hive-exec/1.2.1.spark2/hive-exec-1.2.1.spark2.jar/META-INF/maven/org.spark-project.hive.shims/hive-shims-0.23/pom.xml
MD5: 209a38acc818b2f4ce9a1d2237f35232
SHA1: 9d694ad80dcf46b3de2beac780bd1a8a0264ec91
SHA256: 9c4c06723680baea76dcbca5a78e9bd943ded28b3797749c6176eda139e5d3ed
Referenced In Projects/Scopes:

  • livy-scala-api_2.12:provided
  • livy-scala-api_2.11:provided
  • livy-scala-api-parent:provided
  • livy-repl_2.12:provided
  • livy-rsc:provided
  • livy-repl-parent:provided
  • livy-test-lib:provided
  • livy-repl_2.11:provided
  • livy-examples:compile
  • livy-api:provided

Identifiers

hive-exec-1.2.1.spark2.jar (shaded: org.spark-project.hive.shims:hive-shims-common:1.2.1.spark2)

File Path: /root/.m2/repository/org/spark-project/hive/hive-exec/1.2.1.spark2/hive-exec-1.2.1.spark2.jar/META-INF/maven/org.spark-project.hive.shims/hive-shims-common/pom.xml
MD5: 5dab1da35d7ac94d1673b4f58759a163
SHA1: f92b2d82ab373e18ccaf5692beefa75909df6ee3
SHA256: 90ef9b752ef8281b27dd6b422b45719c78b8798e6d7404c5c7f38169e6552513
Referenced In Projects/Scopes:

  • livy-scala-api_2.12:provided
  • livy-scala-api_2.11:provided
  • livy-scala-api-parent:provided
  • livy-repl_2.12:provided
  • livy-rsc:provided
  • livy-repl-parent:provided
  • livy-test-lib:provided
  • livy-repl_2.11:provided
  • livy-examples:compile
  • livy-api:provided

Identifiers

hive-exec-1.2.1.spark2.jar (shaded: org.spark-project.hive:hive-common:1.2.1.spark2)

File Path: /root/.m2/repository/org/spark-project/hive/hive-exec/1.2.1.spark2/hive-exec-1.2.1.spark2.jar/META-INF/maven/org.spark-project.hive/hive-common/pom.xml
MD5: 10da3a85e7d8d3958f7410dbd09c44c5
SHA1: 01642cb2c9671092ed35624ee9ed6bccd22aa38d
SHA256: 4abe1a0c37336d6288e977f973d2786f7c9519acea3f6f404addbab4845098b2
Referenced In Projects/Scopes:

  • livy-scala-api_2.12:provided
  • livy-scala-api_2.11:provided
  • livy-scala-api-parent:provided
  • livy-repl_2.12:provided
  • livy-rsc:provided
  • livy-repl-parent:provided
  • livy-test-lib:provided
  • livy-repl_2.11:provided
  • livy-examples:compile
  • livy-api:provided

Identifiers

hive-exec-1.2.1.spark2.jar (shaded: org.spark-project.hive:hive-serde:1.2.1.spark2)

File Path: /root/.m2/repository/org/spark-project/hive/hive-exec/1.2.1.spark2/hive-exec-1.2.1.spark2.jar/META-INF/maven/org.spark-project.hive/hive-serde/pom.xml
MD5: 7c4748654b41d6b1b03beef8d3b231cc
SHA1: 9a7bf1bee42d676a2df7763eaa7fafafc996e738
SHA256: 12a297bd4531dba968bd4cf16b9b08da6919e8e660f3bce0cf43b6815c96efa3
Referenced In Projects/Scopes:

  • livy-scala-api_2.12:provided
  • livy-scala-api_2.11:provided
  • livy-scala-api-parent:provided
  • livy-repl_2.12:provided
  • livy-rsc:provided
  • livy-repl-parent:provided
  • livy-test-lib:provided
  • livy-repl_2.11:provided
  • livy-examples:compile
  • livy-api:provided

Identifiers

hive-exec-1.2.1.spark2.jar

File Path: /root/.m2/repository/org/spark-project/hive/hive-exec/1.2.1.spark2/hive-exec-1.2.1.spark2.jar
MD5: 24a49abbd771544bbcae9c0314eb5ec3
SHA1: 7a6236e2fce787814560970a49a1c517e6de1927
SHA256: f5921f426ab86899d2386e4152281514743c37f449681f4f3ec8963161073bfe
Referenced In Projects/Scopes:

  • livy-scala-api_2.12:provided
  • livy-scala-api_2.11:provided
  • livy-scala-api-parent:provided
  • livy-repl_2.12:provided
  • livy-rsc:provided
  • livy-repl-parent:provided
  • livy-test-lib:provided
  • livy-repl_2.11:provided
  • livy-examples:compile
  • livy-api:provided

Identifiers

CVE-2018-17190  

In all versions of Apache Spark, its standalone resource manager accepts code to execute on a 'master' host, that then runs that code on 'worker' hosts. The master itself does not, by design, execute user code. A specially-crafted request to the master can, however, cause the master to execute code too. Note that this does not affect standalone clusters with authentication enabled. While the master host typically has less outbound access to other resources than a worker, the execution of code on the master is nevertheless unexpected.
NVD-CWE-noinfo

CVSSv2:
  • Base Score: HIGH (7.5)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions:

CVE-2020-9480  

In Apache Spark 2.4.5 and earlier, a standalone resource manager's master may be configured to require authentication (spark.authenticate) via a shared secret. When enabled, however, a specially-crafted RPC to the master can succeed in starting an application's resources on the Spark cluster, even without the shared key. This can be leveraged to execute shell commands on the host machine. This does not affect Spark clusters using other resource managers (YARN, Mesos, etc).
CWE-306 Missing Authentication for Critical Function

CVSSv2:
  • Base Score: HIGH (9.3)
  • Vector: /AV:N/AC:M/Au:N/C:C/I:C/A:C
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions:

CVE-2018-1282  

This vulnerability in the Apache Hive JDBC driver 0.7.1 to 2.3.2 allows carefully crafted arguments to be used to bypass the argument escaping/cleanup that the JDBC driver does in its PreparedStatement implementation.
CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVSSv2:
  • Base Score: HIGH (7.5)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSSv3:
  • Base Score: CRITICAL (9.1)
  • Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

References:

Vulnerable Software & Versions:

CVE-2022-33891  

The Apache Spark UI offers the possibility to enable ACLs via the configuration option spark.acls.enable. With an authentication filter, this checks whether a user has access permissions to view or modify the application. If ACLs are enabled, a code path in HttpSecurityFilter can allow someone to perform impersonation by providing an arbitrary user name. A malicious user might then be able to reach a permission check function that will ultimately build a Unix shell command based on their input, and execute it. This will result in arbitrary shell command execution as the user Spark is currently running as. This affects Apache Spark versions 3.0.3 and earlier, versions 3.1.1 to 3.1.2, and versions 3.2.0 to 3.2.1.
CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')

CVSSv3:
  • Base Score: HIGH (8.8)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions:

CVE-2015-7521  

The authorization framework in Apache Hive 1.0.0, 1.0.1, 1.1.0, 1.1.1, 1.2.0 and 1.2.1, on clusters protected by Ranger and SqlStdHiveAuthorization, allows attackers to bypass intended parent table access restrictions via unspecified partition-level operations.
CWE-287 Improper Authentication

CVSSv2:
  • Base Score: HIGH (7.5)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSSv3:
  • Base Score: HIGH (8.3)
  • Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L

References:

Vulnerable Software & Versions:

CVE-2018-11777  

In Apache Hive 2.3.3, 3.1.0 and earlier, local resources on HiveServer2 machines are not properly protected against a malicious user if Ranger, Sentry or the SQL standard authorizer is not in use.
NVD-CWE-noinfo

CVSSv2:
  • Base Score: MEDIUM (5.5)
  • Vector: /AV:N/AC:L/Au:S/C:P/I:P/A:N
CVSSv3:
  • Base Score: HIGH (8.1)
  • Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

References:

Vulnerable Software & Versions:

CVE-2021-4125  

It was found that the original fix for log4j CVE-2021-44228 and CVE-2021-45046 in the OpenShift metering hive containers was incomplete, as not all JndiLookup.class files were removed. This CVE only applies to the OpenShift Metering hive container images, shipped in OpenShift 4.8, 4.7 and 4.6.
CWE-502 Deserialization of Untrusted Data

CVSSv3:
  • Base Score: HIGH (8.1)
  • Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions:

CVE-2016-3083  

Apache Hive (JDBC + HiveServer2) implements SSL for plain TCP and HTTP connections (it supports both transport modes). While validating the server's certificate during the connection setup, the client in Apache Hive before 1.2.2 and 2.0.x before 2.0.1 doesn't seem to be verifying the common name attribute of the certificate. In this way, if a JDBC client sends an SSL request to server abc.com, and the server responds with a valid certificate (certified by CA) but issued to xyz.com, the client will accept that as a valid certificate and the SSL handshake will go through.
CWE-295 Improper Certificate Validation

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

References:

Vulnerable Software & Versions:

CVE-2019-10099  

Prior to Spark 2.3.3, in certain situations Spark would write user data to local disk unencrypted, even if spark.io.encryption.enabled=true. This includes cached blocks that are fetched to disk (controlled by spark.maxRemoteBlockSizeFetchToMem); in SparkR, using parallelize; in PySpark, using broadcast and parallelize; and use of Python UDFs.
CWE-312 Cleartext Storage of Sensitive Information

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:P/I:N/A:N
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

References:

Vulnerable Software & Versions:

CVE-2020-13949  

In Apache Thrift 0.9.3 to 0.13.0, malicious RPC clients could send short messages which would result in a large memory allocation, potentially leading to denial of service.
CWE-400 Uncontrolled Resource Consumption ('Resource Exhaustion')

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:P
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References:

Vulnerable Software & Versions:

CVE-2021-34538  

In Apache Hive before 3.1.3, the "CREATE" and "DROP" function operations do not check for the necessary authorization of the entities involved in the query. It was found that an unauthorized user can manipulate an existing UDF without having the privileges to do so. This allowed unauthorized or underprivileged users to drop and recreate UDFs, pointing them to new jars that could be potentially malicious.
CWE-306 Missing Authentication for Critical Function

CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

References:

Vulnerable Software & Versions:

CVE-2021-38296  

Apache Spark supports end-to-end encryption of RPC connections via "spark.authenticate" and "spark.network.crypto.enabled". In versions 3.1.2 and earlier, it uses a bespoke mutual authentication protocol that allows for full encryption key recovery. After an initial interactive attack, this would allow someone to decrypt plaintext traffic offline. Note that this does not affect security mechanisms controlled by "spark.authenticate.enableSaslEncryption", "spark.io.encryption.enabled", "spark.ssl", "spark.ui.strictTransportSecurity". Update to Apache Spark 3.1.3 or later.
CWE-294 Authentication Bypass by Capture-replay

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

References:

Vulnerable Software & Versions:

CVE-2017-7678  

In Apache Spark before 2.2.0, it is possible for an attacker to take advantage of a user's trust in the server to trick them into visiting a link that points to a shared Spark cluster and submits data including MHTML to the Spark master, or history server. This data, which could contain a script, would then be reflected back to the user and could be evaluated and executed by MS Windows-based clients. It is not an attack on Spark itself, but on the user, who may then execute the script inadvertently when viewing elements of the Spark web UIs.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (6.1)
  • Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

References:

Vulnerable Software & Versions:

CVE-2020-1926  

Apache Hive cookie signature verification used a non-constant-time comparison, which is known to be vulnerable to timing attacks. This could allow recovery of another user's cookie signature. The issue was addressed in Apache Hive 2.3.8.
CWE-203 Information Exposure Through Discrepancy

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:P/I:N/A:N
CVSSv3:
  • Base Score: MEDIUM (5.9)
  • Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

References:

Vulnerable Software & Versions:

CVE-2018-11760  

When using PySpark, it's possible for a different local user to connect to the Spark application and impersonate the user running the Spark application. This affects versions 1.x, 2.0.x, 2.1.x, 2.2.0 to 2.2.2, and 2.3.0 to 2.3.1.
NVD-CWE-noinfo

CVSSv2:
  • Base Score: LOW (2.1)
  • Vector: /AV:L/AC:L/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (5.5)
  • Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

References:

Vulnerable Software & Versions:

CVE-2022-31777  

A stored cross-site scripting (XSS) vulnerability in Apache Spark 3.2.1 and earlier, and 3.3.0, allows remote attackers to execute arbitrary JavaScript in the web browser of a user, by including a malicious payload into the logs which would be returned in logs rendered in the UI.
CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

CVSSv3:
  • Base Score: MEDIUM (5.4)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

References:

Vulnerable Software & Versions:

CVE-2018-1334  

In Apache Spark 1.0.0 to 2.1.2, 2.2.0 to 2.2.1, and 2.3.0, when using PySpark or SparkR, it's possible for a different local user to connect to the Spark application and impersonate the user running the Spark application.
CWE-200 Information Exposure

CVSSv2:
  • Base Score: LOW (1.9)
  • Vector: /AV:L/AC:M/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (4.7)
  • Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N

References:

Vulnerable Software & Versions:

CVE-2018-1314  

In Apache Hive 2.3.3, 3.1.0 and earlier, the Hive "EXPLAIN" operation does not check for the necessary authorization of the entities involved in a query. An unauthorized user can run "EXPLAIN" on an arbitrary table or view and expose its metadata and statistics.
CWE-862 Missing Authorization

CVSSv2:
  • Base Score: MEDIUM (4.0)
  • Vector: /AV:N/AC:L/Au:S/C:P/I:N/A:N
CVSSv3:
  • Base Score: MEDIUM (4.3)
  • Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

References:

Vulnerable Software & Versions:

CVE-2018-1284  

In Apache Hive 0.6.0 to 2.3.2, a malicious user might use any of the xpath UDFs (xpath/xpath_string/xpath_boolean/xpath_number/xpath_double/xpath_float/xpath_long/xpath_int/xpath_short) to expose the content of a file on the machine running HiveServer2 that is owned by the HiveServer2 user (usually hive) if hive.server2.enable.doAs=false.
CWE-200 Information Exposure

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:P/I:N/A:N
CVSSv3:
  • Base Score: LOW (3.7)
  • Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

References:

Vulnerable Software & Versions:

hive-exec-1.2.1.spark2.jar: minlog-1.2.jar

Description:

Minimal overhead Java logging

License:

New BSD License: http://www.opensource.org/licenses/bsd-license.php
File Path: /root/.m2/repository/org/spark-project/hive/hive-exec/1.2.1.spark2/hive-exec-1.2.1.spark2.jar/minlog-1.2.jar
MD5: 7a765ca0eb45dd86803ac22f9f0d7e4a
SHA1: 48686dd2bedabd935e9758fedde6f774b1d131af
SHA256:986bba7a2c1334e9f5384db5a148038689c4163d0c41df15512bd095d9108a2c
Referenced In Projects/Scopes:
  • livy-scala-api_2.12:provided
  • livy-scala-api_2.11:provided
  • livy-scala-api-parent:provided
  • livy-repl_2.12:provided
  • livy-rsc:provided
  • livy-repl-parent:provided
  • livy-test-lib:provided
  • livy-repl_2.11:provided
  • livy-examples:compile
  • livy-api:provided

Identifiers

hive-exec-1.2.1.spark2.jar: objenesis-1.2.jar

Description:

A library for instantiating Java objects

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /root/.m2/repository/org/spark-project/hive/hive-exec/1.2.1.spark2/hive-exec-1.2.1.spark2.jar/objenesis-1.2.jar
MD5: bee117291d50b41b8e8cf0ac5435df1d
SHA1: bfcb0539a071a4c5a30690388903ac48c0667f2a
SHA256:8c65c237578149b87c6aedf2bd93a4925e8dcb8dd7ec5b0c2f9eaf6cfd09ba70
Referenced In Projects/Scopes:
  • livy-scala-api_2.12:provided
  • livy-scala-api_2.11:provided
  • livy-scala-api-parent:provided
  • livy-repl_2.12:provided
  • livy-rsc:provided
  • livy-repl-parent:provided
  • livy-test-lib:provided
  • livy-repl_2.11:provided
  • livy-examples:compile
  • livy-api:provided

Identifiers

  • None

hive-exec-1.2.1.spark2.jar: reflectasm-1.07-shaded.jar

Description:

High performance Java reflection using code generation

License:

New BSD License: http://www.opensource.org/licenses/bsd-license.php
File Path: /root/.m2/repository/org/spark-project/hive/hive-exec/1.2.1.spark2/hive-exec-1.2.1.spark2.jar/reflectasm-1.07-shaded.jar
MD5: 1782c2033ee4d70c378e937e601f37f5
SHA1: 142bb428f45d1fe67e343d04955eec6ebc0b757f
SHA256:518a74399de4e222f0d2fc859f0f86def8c089f5c200c8c3848ebc2b16ab50fe
Referenced In Projects/Scopes:
  • livy-scala-api_2.12:provided
  • livy-scala-api_2.11:provided
  • livy-scala-api-parent:provided
  • livy-repl_2.12:provided
  • livy-rsc:provided
  • livy-repl-parent:provided
  • livy-test-lib:provided
  • livy-repl_2.11:provided
  • livy-examples:compile
  • livy-api:provided

Identifiers

hk2-api-2.4.0-b34.jar

Description:

${project.name}

License:

https://glassfish.java.net/nonav/public/CDDL+GPL_1_1.html
File Path: /root/.m2/repository/org/glassfish/hk2/hk2-api/2.4.0-b34/hk2-api-2.4.0-b34.jar
MD5: 2972849752ed511bd069812ba2b29d2d
SHA1: 1017432e219dbd1d4a1121b2d7e87c5b2f0bcfb9
SHA256:6eb071aaea327015ac3da18d5066c364c1a39978f4b6f94644158675ca5b9ced
Referenced In Projects/Scopes:
  • livy-scala-api_2.12:provided
  • livy-scala-api_2.11:provided
  • livy-scala-api-parent:provided
  • livy-repl_2.12:provided
  • livy-rsc:provided
  • livy-repl-parent:provided
  • livy-test-lib:provided
  • livy-repl_2.11:provided
  • livy-examples:compile
  • livy-api:provided

Identifiers

hk2-locator-2.4.0-b34.jar

Description:

${project.name}

License:

https://glassfish.java.net/nonav/public/CDDL+GPL_1_1.html
File Path: /root/.m2/repository/org/glassfish/hk2/hk2-locator/2.4.0-b34/hk2-locator-2.4.0-b34.jar
MD5: 09eda1a8dd33d465ec7bac9536f3eaf7
SHA1: 1451fc3e5b7f00d7a5ca0feaff2c1bf68be5ac91
SHA256:ea47ebf7ed56ef751055710cfad36840bcc36383cf387c4a963b41447c066f8f
Referenced In Projects/Scopes:
  • livy-scala-api_2.12:provided
  • livy-scala-api_2.11:provided
  • livy-scala-api-parent:provided
  • livy-repl_2.12:provided
  • livy-rsc:provided
  • livy-repl-parent:provided
  • livy-test-lib:provided
  • livy-repl_2.11:provided
  • livy-examples:compile
  • livy-api:provided

Identifiers

hk2-utils-2.4.0-b34.jar (shaded: org.jvnet:tiger-types:1.4)

File Path: /root/.m2/repository/org/glassfish/hk2/hk2-utils/2.4.0-b34/hk2-utils-2.4.0-b34.jar/META-INF/maven/org.jvnet/tiger-types/pom.xml
MD5: 51329dba505e7cc4a9bc2719cf195be0
SHA1: 5855a7ee03b816073c2b448bce93319bd71f7029
SHA256:58794aca99cadb3aab687b56fd6d84871956590323dd0ea5d611db759e78c6b9
Referenced In Projects/Scopes:

  • livy-scala-api_2.12:provided
  • livy-scala-api_2.11:provided
  • livy-scala-api-parent:provided
  • livy-repl_2.12:provided
  • livy-rsc:provided
  • livy-repl-parent:provided
  • livy-test-lib:provided
  • livy-repl_2.11:provided
  • livy-examples:compile
  • livy-api:provided

Identifiers

hk2-utils-2.4.0-b34.jar

Description:

${project.name}

License:

https://glassfish.java.net/nonav/public/CDDL+GPL_1_1.html
File Path: /root/.m2/repository/org/glassfish/hk2/hk2-utils/2.4.0-b34/hk2-utils-2.4.0-b34.jar
MD5: f0c9e9df24ad2c2feb1f950b82146245
SHA1: aacce18411fffef9621d8fc91464ca0477119c38
SHA256:70211b1f918819bf6afbf69d3d19d4ae6e2a75d6e26f6c39ba9f20eb8e5612d7
Referenced In Projects/Scopes:
  • livy-scala-api_2.12:provided
  • livy-scala-api_2.11:provided
  • livy-scala-api-parent:provided
  • livy-repl_2.12:provided
  • livy-rsc:provided
  • livy-repl-parent:provided
  • livy-test-lib:provided
  • livy-repl_2.11:provided
  • livy-examples:compile
  • livy-api:provided

Identifiers

hppc-0.7.2.jar

Description:

High Performance Primitive Collections. Fundamental data structures (maps, sets, lists, stacks, queues) generated for combinations of object and primitive types to conserve JVM memory and speed up execution.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /root/.m2/repository/com/carrotsearch/hppc/0.7.2/hppc-0.7.2.jar
MD5: 7f4c5c74b8dc781db19abe151903a187
SHA1: 710398361f2ae8fd594a133e3619045c16b24137
SHA256:7b3dd6661e83e313d70b4aa82c5180bb39535e536a3435fa741fff9727433b6a
Referenced In Projects/Scopes:
  • livy-scala-api_2.12:provided
  • livy-scala-api_2.11:provided
  • livy-scala-api-parent:provided
  • livy-repl_2.12:provided
  • livy-rsc:provided
  • livy-repl-parent:provided
  • livy-test-lib:provided
  • livy-repl_2.11:provided
  • livy-examples:compile
  • livy-api:provided

Identifiers

htrace-core-3.1.0-incubating.jar (shaded: com.fasterxml.jackson.core:jackson-core:2.4.0)

Description:

Core Jackson abstractions, basic JSON streaming API implementation

File Path: /root/.m2/repository/org/apache/htrace/htrace-core/3.1.0-incubating/htrace-core-3.1.0-incubating.jar/META-INF/maven/com.fasterxml.jackson.core/jackson-core/pom.xml
MD5: b5ed6cb7f987a4da86141638b1538d81
SHA1: ed8235ea6d84480833675e709b415bde24ce25f7
SHA256:8310978da8c7013ecaaba13c9b41b75ab3a09797ae4b946ae5e1614088f995d7
Referenced In Projects/Scopes:

  • livy-scala-api_2.12:provided
  • livy-integration-test:compile
  • livy-rsc:provided
  • livy-repl-parent:provided
  • livy-test-lib:provided
  • livy-api:provided
  • livy-scala-api_2.11:provided
  • livy-scala-api-parent:provided
  • livy-coverage-report:compile
  • livy-assembly:compile
  • livy-repl_2.12:provided
  • livy-server:compile
  • livy-repl_2.11:provided
  • livy-examples:compile

Identifiers

CVE-2018-1000873  

FasterXML Jackson versions before 2.9.8 contain a CWE-20 Improper Input Validation vulnerability in jackson-modules-java8 that can result in a denial of service (DoS). The attack is exploitable when the victim deserializes malicious input, specifically very large values in the nanoseconds field of a time value. This vulnerability appears to have been fixed in 2.9.8.
CWE-20 Improper Input Validation

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:N/A:P
CVSSv3:
  • Base Score: MEDIUM (6.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

References:

Vulnerable Software & Versions:

htrace-core-3.1.0-incubating.jar (shaded: com.fasterxml.jackson.core:jackson-databind:2.4.0)

Description:

General data-binding functionality for Jackson: works on core streaming API

File Path: /root/.m2/repository/org/apache/htrace/htrace-core/3.1.0-incubating/htrace-core-3.1.0-incubating.jar/META-INF/maven/com.fasterxml.jackson.core/jackson-databind/pom.xml
MD5: d3f7afe903419aa0c03f9cf8682e1a69
SHA1: 3c0d06b6c0a9f4135fcf5c5557c751c0cd066c0c
SHA256:083be927bdddaf1e992d0e9f0fff509b60f35deea307216d8ba773f065a6f30c
Referenced In Projects/Scopes:

  • livy-scala-api_2.12:provided
  • livy-integration-test:compile
  • livy-rsc:provided
  • livy-repl-parent:provided
  • livy-test-lib:provided
  • livy-api:provided
  • livy-scala-api_2.11:provided
  • livy-scala-api-parent:provided
  • livy-coverage-report:compile
  • livy-assembly:compile
  • livy-repl_2.12:provided
  • livy-server:compile
  • livy-repl_2.11:provided
  • livy-examples:compile

Identifiers

CVE-2018-7489  

FasterXML jackson-databind before 2.7.9.3, 2.8.x before 2.8.11.1 and 2.9.x before 2.9.5 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the c3p0 libraries are available in the classpath.
CWE-502 Deserialization of Untrusted Data, CWE-184 Incomplete Blacklist

CVSSv2:
  • Base Score: HIGH (7.5)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions:

CVE-2017-7525 (OSSINDEX)  

A deserialization flaw was discovered in the jackson-databind, versions before 2.6.7.1, 2.7.9.1 and 2.8.9, which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper.
CWE-184 Incomplete Blacklist

CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:com.fasterxml.jackson.core:jackson-databind:2.4.0:*:*:*:*:*:*:*

CVE-2020-35490  

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.dbcp2.datasources.PerUserPoolDataSource.
CWE-502 Deserialization of Untrusted Data

CVSSv2:
  • Base Score: MEDIUM (6.8)
  • Vector: /AV:N/AC:M/Au:N/C:P/I:P/A:P
CVSSv3:
  • Base Score: HIGH (8.1)
  • Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions:

CVE-2020-35491  

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.dbcp2.datasources.SharedPoolDataSource.
CWE-502 Deserialization of Untrusted Data

CVSSv2:
  • Base Score: MEDIUM (6.8)
  • Vector: /AV:N/AC:M/Au:N/C:P/I:P/A:P
CVSSv3:
  • Base Score: HIGH (8.1)
  • Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions:

CVE-2020-36518  

jackson-databind before 2.13.0 allows a Java StackOverflow exception and denial of service via a large depth of nested objects.
CWE-787 Out-of-bounds Write

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:P
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References:

Vulnerable Software & Versions:

CVE-2022-42003  

In FasterXML jackson-databind before 2.14.0-rc1, resource exhaustion can occur because of a lack of a check in primitive value deserializers to avoid deep wrapper array nesting, when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled. Additional fix versions are 2.13.4.1 and 2.12.7.1.
CWE-502 Deserialization of Untrusted Data

CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References:

Vulnerable Software & Versions:

CVE-2022-42004  

In FasterXML jackson-databind before 2.13.4, resource exhaustion can occur because of a lack of a check in BeanDeserializer._deserializeFromArray to prevent use of deeply nested arrays. An application is vulnerable only with certain customized choices for deserialization.
CWE-502 Deserialization of Untrusted Data

CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References:

Vulnerable Software & Versions:

CVE-2018-1000873  

FasterXML Jackson versions before 2.9.8 contain a CWE-20 Improper Input Validation vulnerability in jackson-modules-java8 that can result in a denial of service (DoS). The attack is exploitable when the victim deserializes malicious input, specifically very large values in the nanoseconds field of a time value. This vulnerability appears to have been fixed in 2.9.8.
CWE-20 Improper Input Validation

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:N/A:P
CVSSv3:
  • Base Score: MEDIUM (6.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

References:

Vulnerable Software & Versions:
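
The findings above are reported against a copy of jackson-databind 2.4.0 that htrace-core-3.1.0-incubating.jar bundles, not against the jackson-databind-2.12.7.1.jar the build resolves directly (listed further down in this report). A dependencyManagement override cannot fix that: the vulnerable classes sit inside the htrace jar, so the remedy is to upgrade or exclude the artifact that carries them. The Python below is an added example, not part of the report or of Dependency-Check, showing how to confirm such a finding by listing the Maven coordinates recorded inside a jar and flagging any below a required minimum. The sample jar is constructed in code as a stand-in for the real htrace artifact, the 2.13.4.1 minimum is taken from the CVE-2022-42003 text above, and the function names are the example's own.

```python
import io
import re
import zipfile
from typing import Dict, List, Tuple

Coord = Tuple[str, str, str]  # (groupId, artifactId, version)

_POM_PROPS = re.compile(r"META-INF/maven/([^/]+)/([^/]+)/pom\.properties")


def shaded_artifacts(jar_bytes: bytes) -> List[Coord]:
    """Coordinates of every library bundled inside a jar, taken from the
    META-INF/maven/<group>/<artifact>/pom.properties files that Maven-built
    artifacts carry (the shade plugin keeps those of the libraries it merges).
    The report above derived its '(shaded: ...)' entries from the pom.xml that
    sits beside each of these files."""
    found: List[Coord] = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in jar.namelist():
            m = _POM_PROPS.fullmatch(name)
            if not m:
                continue
            props: Dict[str, str] = {}
            for line in jar.read(name).decode("utf-8", "replace").splitlines():
                line = line.strip()
                if line and not line.startswith("#") and "=" in line:
                    k, v = line.split("=", 1)
                    props[k.strip()] = v.strip()
            found.append((props.get("groupId", m.group(1)),
                          props.get("artifactId", m.group(2)),
                          props.get("version", "")))
    return sorted(found)


def version_key(version: str) -> Tuple[int, ...]:
    """Order Maven-style versions numerically: '2.9.10.8' > '2.9.5', and a
    pre-release such as '2.14.0-rc1' sorts just below '2.14.0'. Numeric parts
    are padded to four places so '2.13.4' and '2.13.4.0' compare equal."""
    core, _, suffix = version.partition("-")
    parts = tuple(int(p) for p in core.split(".") if p.isdigit())
    parts = parts + (0,) * (4 - len(parts))
    return parts + ((-1,) if suffix else (0,))


def below_minimum(coords: List[Coord], minima: Dict[str, str]) -> List[Coord]:
    """Bundled artifacts whose version is older than the minimum the caller
    requires for that 'group:artifact'."""
    return [c for c in coords
            if f"{c[0]}:{c[1]}" in minima
            and version_key(c[2]) < version_key(minima[f"{c[0]}:{c[1]}"])]


def build_sample_jar() -> bytes:
    """Constructed stand-in for htrace-core-3.1.0-incubating.jar carrying the
    shaded libraries the report lists above; not the real artifact."""
    entries = {
        "org.apache.htrace/htrace-core": "3.1.0-incubating",
        "com.fasterxml.jackson.core/jackson-core": "2.4.0",
        "com.fasterxml.jackson.core/jackson-databind": "2.4.0",
        "commons-logging/commons-logging": "1.1.1",
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("org/apache/htrace/Trace.class", b"\xca\xfe\xba\xbe")  # placeholder bytes
        for ga, version in entries.items():
            group, artifact = ga.split("/")
            z.writestr(f"META-INF/maven/{ga}/pom.properties",
                       f"#Generated by Maven\nversion={version}\n"
                       f"groupId={group}\nartifactId={artifact}\n")
    return buf.getvalue()


if __name__ == "__main__":
    coords = shaded_artifacts(build_sample_jar())
    for c in coords:
        print(":".join(c))
    # Minimum taken from the CVE-2022-42003 text above (2.13.4.1 fix version).
    for c in below_minimum(coords, {"com.fasterxml.jackson.core:jackson-databind": "2.13.4.1"}):
        print("below minimum:", ":".join(c))
```

Run against a real jar (read its bytes and pass them to shaded_artifacts) the same routine tells you which libraries a fat or shaded jar really carries, independently of what the scanner matched; a jar that lists no jackson-databind coordinates at all is the quickest evidence that a jackson-databind match on it is a false positive.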

htrace-core-3.1.0-incubating.jar (shaded: commons-logging:commons-logging:1.1.1)

Description:

Commons Logging is a thin adapter allowing configurable bridging to other, well known logging systems.

File Path: /root/.m2/repository/org/apache/htrace/htrace-core/3.1.0-incubating/htrace-core-3.1.0-incubating.jar/META-INF/maven/commons-logging/commons-logging/pom.xml
MD5: 976d812430b8246deeaf2ea54610f263
SHA1: 76672afb562b9e903674ad3a544cdf2092f1faa3
SHA256:d0f2e16d054e8bb97add9ca26525eb2346f692809fcd2a28787da8ceb3c35ee8
Referenced In Projects/Scopes:

  • livy-scala-api_2.12:provided
  • livy-integration-test:compile
  • livy-rsc:provided
  • livy-repl-parent:provided
  • livy-test-lib:provided
  • livy-api:provided
  • livy-scala-api_2.11:provided
  • livy-scala-api-parent:provided
  • livy-coverage-report:compile
  • livy-assembly:compile
  • livy-repl_2.12:provided
  • livy-server:compile
  • livy-repl_2.11:provided
  • livy-examples:compile

Identifiers

CVE-2021-37533  

Prior to Apache Commons Net 3.9.0, Net's FTP client trusts the host from PASV response by default. A malicious server can redirect the Commons Net code to use a different host, but the user has to connect to the malicious server in the first place. This may lead to leakage of information about services running on the private network of the client. The default in version 3.9.0 is now false to ignore such hosts, as cURL does. See https://issues.apache.org/jira/browse/NET-711.
CWE-20 Improper Input Validation

CVSSv3:
  • Base Score: MEDIUM (6.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

References:

Vulnerable Software & Versions:
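
Before acting on a finding, compare the product the CVE text names with the coordinates of the matched artifact. Here the CVE describes the Apache Commons Net FTP client, while the matched file is commons-logging 1.1.1 bundled inside htrace-core-3.1.0-incubating.jar, which is a different library; the jackson-databind CVEs attached to the org.codehaus jackson-xc jars further down deserve the same comparison, and should only be suppressed once the jar has been confirmed to carry no jackson-databind classes. The suppression file below is an added example, not part of the report; it keys on the SHA1 shown above so the suppression lapses automatically if the bundled file ever changes.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
  <suppress>
    <notes><![CDATA[
      CVE-2021-37533 concerns the Apache Commons Net FTP client. The matched
      artifact is commons-logging 1.1.1 shaded into htrace-core-3.1.0-incubating.jar,
      which does not contain Commons Net. Keyed on the SHA1 of the matched file so
      the suppression no longer applies if that file changes.
    ]]></notes>
    <sha1>76672afb562b9e903674ad3a544cdf2092f1faa3</sha1>
    <cve>CVE-2021-37533</cve>
  </suppress>
</suppressions>
```

Point the scan at the file with the Maven plugin's suppressionFiles configuration or the CLI's --suppression option, and keep the notes element populated: it is the only record of why the finding was judged a false positive when the next reviewer sees it.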

htrace-core-3.1.0-incubating.jar

File Path: /root/.m2/repository/org/apache/htrace/htrace-core/3.1.0-incubating/htrace-core-3.1.0-incubating.jar
MD5: c49a4662d691a09eed10e0a35dd73299
SHA1: f73606e7c9ede5802335c290bf47490ad6d51df3
SHA256:d96c869afaf65315ece8ca09673b187557e9dbaad31df24467a5aa759812188d
Referenced In Projects/Scopes:

  • livy-scala-api_2.12:provided
  • livy-integration-test:compile
  • livy-rsc:provided
  • livy-repl-parent:provided
  • livy-test-lib:provided
  • livy-api:provided
  • livy-scala-api_2.11:provided
  • livy-scala-api-parent:provided
  • livy-coverage-report:compile
  • livy-assembly:compile
  • livy-repl_2.12:provided
  • livy-server:compile
  • livy-repl_2.11:provided
  • livy-examples:compile

Identifiers

httpclient-4.5.3.jar

Description:

Apache HttpComponents Client

File Path: /root/.m2/repository/org/apache/httpcomponents/httpclient/4.5.3/httpclient-4.5.3.jar
MD5: 1965ebb7aca0f9f8faaed3870d8cf689
SHA1: d1577ae15f01ef5438c5afc62162457c00a34713
SHA256:db3d1b6c2d6a5e5ad47577ad61854e2f0e0936199b8e05eb541ed52349263135
Referenced In Projects/Scopes:

  • livy-scala-api_2.12:provided
  • livy-integration-test:compile
  • livy-rsc:provided
  • livy-repl-parent:provided
  • livy-test-lib:provided
  • livy-api:provided
  • livy-scala-api_2.11:provided
  • livy-scala-api-parent:provided
  • livy-coverage-report:compile
  • livy-assembly:compile
  • livy-repl_2.12:provided
  • livy-repl_2.11:provided
  • livy-examples:compile
  • livy-client-http:compile

Identifiers

CVE-2020-13956  

Apache HttpClient versions prior to version 4.5.13 and 5.0.3 can misinterpret malformed authority component in request URIs passed to the library as java.net.URI object and pick the wrong target host for request execution.
NVD-CWE-noinfo

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (5.3)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

References:

Vulnerable Software & Versions:

httpcore-4.4.4.jar

Description:

Apache HttpComponents Core (blocking I/O)

File Path: /root/.m2/repository/org/apache/httpcomponents/httpcore/4.4.4/httpcore-4.4.4.jar
MD5: e7776f2b03a4c62d691a90d3c68c93c0
SHA1: b31526a230871fbe285fbcbe2813f9c0839ae9b0
SHA256:f7bc09dc8a7003822d109634ffd3845d579d12e725ae54673e323a7ce7f5e325
Referenced In Projects/Scopes:

  • livy-scala-api_2.12:provided
  • livy-integration-test:compile
  • livy-rsc:provided
  • livy-repl-parent:provided
  • livy-test-lib:provided
  • livy-api:provided
  • livy-scala-api_2.11:provided
  • livy-scala-api-parent:provided
  • livy-coverage-report:compile
  • livy-assembly:compile
  • livy-repl_2.12:provided
  • livy-repl_2.11:provided
  • livy-examples:compile
  • livy-client-http:compile

Identifiers

httpmime-4.5.1.jar

Description:

Apache HttpComponents HttpClient - MIME coded entities

File Path: /root/.m2/repository/org/apache/httpcomponents/httpmime/4.5.1/httpmime-4.5.1.jar
MD5: 2ea8e5d4753d0231620062e225de4162
SHA1: 96823b9421ebb9f490dec837d9f96134e864e3a7
SHA256:8376801929b82e1d64cbf554abc60be94cfe039a874f8e6f371d06dbd97b99df
Referenced In Projects/Scopes:

  • livy-integration-test:compile
  • livy-coverage-report:compile
  • livy-examples:compile
  • livy-client-http:compile

Identifiers

ivy-2.4.0.jar

File Path: /root/.m2/repository/org/apache/ivy/ivy/2.4.0/ivy-2.4.0.jar
MD5: 8c88b943fcd643d5e592b86179c6fbeb
SHA1: 5abe4c24bbe992a9ac07ca563d5bd3e8d569e9ed
SHA256:ce81cb234406b093b5b8de9f6f5b2a50ed0824d6a235891353e8d3e941a53970
Referenced In Projects/Scopes:

  • livy-scala-api_2.12:provided
  • livy-scala-api_2.11:provided
  • livy-scala-api-parent:provided
  • livy-repl_2.12:provided
  • livy-rsc:provided
  • livy-repl-parent:provided
  • livy-test-lib:provided
  • livy-repl_2.11:provided
  • livy-examples:compile
  • livy-api:provided

Identifiers

CVE-2022-37865  

With Apache Ivy 2.4.0 an optional packaging attribute has been introduced that allows artifacts to be unpacked on the fly if they used pack200 or zip packaging. For artifacts using the "zip", "jar" or "war" packaging Ivy prior to 2.5.1 doesn't verify the target path when extracting the archive. An archive containing absolute paths or paths that try to traverse "upwards" using ".." sequences can then write files to any location on the local file system that the user executing Ivy has write access to. Ivy users of version 2.4.0 to 2.5.0 should upgrade to Ivy 2.5.1.
CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVSSv3:
  • Base Score: CRITICAL (9.1)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

References:

Vulnerable Software & Versions:

CVE-2022-37866  

When Apache Ivy downloads artifacts from a repository it stores them in the local file system based on a user-supplied "pattern" that may include placeholders for artifact coordinates like the organisation, module or version. If said coordinates contain "../" sequences - which are valid characters for Ivy coordinates in general - it is possible the artifacts are stored outside of Ivy's local cache or repository or can overwrite different artifacts inside of the local cache. In order to exploit this vulnerability an attacker needs collaboration by the remote repository as Ivy will issue http requests containing ".." sequences and a "normal" repository will not interpret them as part of the artifact coordinates. Users of Apache Ivy 2.0.0 to 2.5.0 should upgrade to Ivy 2.5.1.
CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

References:

Vulnerable Software & Versions:
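
Both Ivy issues come down to one missing check: a path built from untrusted components (an archive entry name in CVE-2022-37865, artifact coordinates in CVE-2022-37866) is used without proving that it stays inside the intended directory. The Python below is an added example and not Ivy's code; it shows that check as a safe_join helper, applied first to archive extraction and then to an assumed cache layout pattern, and exercises it against constructed benign and hostile archives written to a temporary directory.

```python
import io
import tempfile
import zipfile
from pathlib import Path, PurePosixPath
from typing import Dict, List, Union


class UnsafePath(ValueError):
    """A caller-controlled path component would land outside the base directory."""


def safe_join(base: Path, *parts: str) -> Path:
    """Join untrusted components onto base and prove the result stays inside it.
    Rejects absolute components and '..' segments up front, then re-checks the
    resolved path so a symlink already under base cannot redirect the write.
    Hypothetical helper for the example, not Ivy's own code."""
    base = base.resolve()
    for part in parts:
        p = PurePosixPath(part.replace("\\", "/"))
        if p.is_absolute() or ".." in p.parts:
            raise UnsafePath(part)
    target = base.joinpath(*parts).resolve()
    if target != base and base not in target.parents:
        raise UnsafePath("/".join(parts))
    return target


def cache_path(cache: Union[str, Path], organisation: str, module: str,
               revision: str, artifact: str, ext: str) -> Path:
    """The CVE-2022-37866 case: a repository-supplied coordinate such as
    organisation='../../etc' must not be able to steer the cache layout, so
    each coordinate has to be a single plain path component. The layout
    '[organisation]/[module]/[revision]/[artifact]-[revision].[ext]' is an
    assumed pattern for the example."""
    for c in (organisation, module, revision, artifact, ext):
        if not c or "/" in c or "\\" in c or c in (".", ".."):
            raise UnsafePath(c)
    return safe_join(Path(cache), organisation, module, revision,
                     f"{artifact}-{revision}.{ext}")


def safe_extract(zip_bytes: bytes, dest: Path) -> List[Path]:
    """Extract an archive the way CVE-2022-37865 says Ivy did not: every entry
    name is validated before any file is written, so a hostile archive
    produces no partial extraction."""
    written: List[Path] = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as z:
        plan = [(info, safe_join(dest, info.filename)) for info in z.infolist()]
        for info, target in plan:
            if info.is_dir():
                target.mkdir(parents=True, exist_ok=True)
                continue
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(z.read(info))
            written.append(target)
    return written


def make_zip(entries: Dict[str, bytes]) -> bytes:
    """Build an in-memory archive; zipfile stores entry names verbatim, so
    '../x' and '/x' survive exactly as a hostile repository would ship them."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, data in entries.items():
            z.writestr(name, data)
    return buf.getvalue()


def run_demo() -> Dict[str, object]:
    """Constructed inputs: one benign archive and two hostile ones, extracted
    into a fresh temporary directory. Returns the outcome for checking."""
    root = Path(tempfile.mkdtemp(prefix="ivy-unpack-demo-"))
    dest = root / "cache"
    dest.mkdir()
    dest = dest.resolve()
    benign = make_zip({"lib/a.txt": b"A", "lib/sub/b.txt": b"B"})
    result: Dict[str, object] = {
        "benign": sorted(p.relative_to(dest).as_posix() for p in safe_extract(benign, dest)),
    }
    hostile = {
        "traversal": make_zip({"lib/ok.txt": b"ok", "../../escaped.txt": b"pwned"}),
        "absolute": make_zip({"/tmp/escaped.txt": b"pwned"}),
    }
    for label, archive in hostile.items():
        try:
            safe_extract(archive, dest)
            result[label + "_rejected"] = False
        except UnsafePath:
            result[label + "_rejected"] = True
    # The traversal archive's first entry was legitimate; the validate-first
    # pass must still have written nothing from that archive.
    result["partial_write"] = (dest / "lib" / "ok.txt").exists()
    return result
```

The second check in safe_join (resolving the joined path and confirming base is one of its parents) is what makes the helper robust: string filters on ".." catch the obvious archive, but only the resolved-path comparison also covers a symlink that an earlier, trusted entry left under the cache.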

jackson-core-2.12.7.jar

Description:

Core Jackson processing abstractions (aka Streaming API), implementation for JSON

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /root/.m2/repository/com/fasterxml/jackson/core/jackson-core/2.12.7/jackson-core-2.12.7.jar
MD5: e90114f7c87c241568606cc9e2c61cb1
SHA1: 04669a54b799c105572aa8de2a1ae0fe64a17745
SHA256:3987a6a335046e226e56b81d69668fb5a91b155ea7fd96b0851adbb7d4ac1ca6
Referenced In Projects/Scopes:
  • livy-scala-api_2.12:provided
  • livy-integration-test:compile
  • livy-rsc:provided
  • livy-repl-parent:provided
  • livy-test-lib:provided
  • livy-api:provided
  • livy-core-parent:compile
  • livy-scala-api_2.11:provided
  • livy-scala-api-parent:provided
  • livy-coverage-report:compile
  • livy-assembly:compile
  • livy-repl_2.12:provided
  • livy-server:compile
  • livy-core_2.11:compile
  • livy-core_2.12:compile
  • livy-repl_2.11:provided
  • livy-examples:compile
  • livy-client-http:compile

Identifiers

jackson-core-asl-1.9.13.jar

Description:

Jackson is a high-performance JSON processor (parser, generator)

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /root/.m2/repository/org/codehaus/jackson/jackson-core-asl/1.9.13/jackson-core-asl-1.9.13.jar
MD5: 319c49a4304e3fa9fe3cd8dcfc009d37
SHA1: 3c304d70f42f832e0a86d45bd437f692129299a4
SHA256:440a9cb5ca95b215f953d3a20a6b1a10da1f09b529a9ddea5f8a4905ddab4f5a
Referenced In Projects/Scopes:
  • livy-scala-api_2.12:provided
  • livy-integration-test:compile
  • livy-rsc:provided
  • livy-repl-parent:provided
  • livy-test-lib:provided
  • livy-api:provided
  • livy-scala-api_2.11:provided
  • livy-scala-api-parent:provided
  • livy-coverage-report:compile
  • livy-assembly:compile
  • livy-repl_2.12:provided
  • livy-server:compile
  • livy-repl_2.11:provided
  • livy-examples:compile

Identifiers

jackson-databind-2.12.7.1.jar

Description:

General data-binding functionality for Jackson: works on core streaming API

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /root/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.12.7.1/jackson-databind-2.12.7.1.jar
MD5: 5c2dab5ceb80bddf3350ecc90bd99314
SHA1: 48d6674adb5a077f2c04b42795e2e7624997b8b9
SHA256:3f504cac405ce066d5665ff69541484d5322f35ac7a7ec6104cf86a01008e02d
Referenced In Projects/Scopes:
  • livy-scala-api_2.12:provided
  • livy-integration-test:compile
  • livy-rsc:provided
  • livy-repl-parent:provided
  • livy-test-lib:provided
  • livy-api:provided
  • livy-core-parent:compile
  • livy-scala-api_2.11:provided
  • livy-scala-api-parent:provided
  • livy-coverage-report:compile
  • livy-assembly:compile
  • livy-repl_2.12:provided
  • livy-server:compile
  • livy-core_2.11:compile
  • livy-core_2.12:compile
  • livy-repl_2.11:provided
  • livy-examples:compile
  • livy-client-http:compile

Identifiers

jackson-jaxrs-1.8.3.jar

Description:

Jax-RS provider for JSON content type, based on Jackson JSON processor's data binding functionality.

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
GNU Lesser General Public License (LGPL), Version 2.1: http://www.fsf.org/licensing/licenses/lgpl.txt
File Path: /root/.m2/repository/org/codehaus/jackson/jackson-jaxrs/1.8.3/jackson-jaxrs-1.8.3.jar
MD5: 7634227657d2414a0c65e0818b30d5ed
SHA1: 3604ca9f572170e2ef5813141ec1f0e0100efd19
SHA256:cadd12137aaf121722630d00117df63e34afc5b3dab5be68c921740114a05fba
Referenced In Projects/Scopes:
  • livy-integration-test:compile
  • livy-coverage-report:compile
  • livy-rsc:provided

Identifiers

jackson-jaxrs-1.9.13.jar

Description:

Jax-RS provider for JSON content type, based on Jackson JSON processor's data binding functionality.

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
GNU Lesser General Public License (LGPL), Version 2.1: http://www.fsf.org/licensing/licenses/lgpl.txt
File Path: /root/.m2/repository/org/codehaus/jackson/jackson-jaxrs/1.9.13/jackson-jaxrs-1.9.13.jar
MD5: 8481e1904d9bfe974157a6af04b4445e
SHA1: 534d72d2b9d6199dd531dfb27083dd4844082bba
SHA256:1770570a6ba5c87a4795c0aeb40ee7c5fe5e31df64ef1d4795a0d427796b84bb
Referenced In Projects/Scopes:
  • livy-scala-api_2.12:provided
  • livy-scala-api_2.11:provided
  • livy-scala-api-parent:provided
  • livy-assembly:compile
  • livy-repl_2.12:provided
  • livy-server:compile
  • livy-repl-parent:provided
  • livy-test-lib:provided
  • livy-repl_2.11:provided
  • livy-examples:compile
  • livy-api:provided

Identifiers

jackson-mapper-asl-1.9.13.jar

Description:

Data Mapper package is a high-performance data binding package built on Jackson JSON processor

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /root/.m2/repository/org/codehaus/jackson/jackson-mapper-asl/1.9.13/jackson-mapper-asl-1.9.13.jar
MD5: 1750f9c339352fc4b728d61b57171613
SHA1: 1ee2f2bed0e5dd29d1cb155a166e6f8d50bbddb7
SHA256:74e7a07a76f2edbade29312a5a2ebccfa019128bc021ece3856d76197e9be0c2
Referenced In Projects/Scopes:
  • livy-scala-api_2.12:provided
  • livy-integration-test:compile
  • livy-rsc:provided
  • livy-repl-parent:provided
  • livy-test-lib:provided
  • livy-api:provided
  • livy-scala-api_2.11:provided
  • livy-scala-api-parent:provided
  • livy-coverage-report:compile
  • livy-assembly:compile
  • livy-repl_2.12:provided
  • livy-server:compile
  • livy-repl_2.11:provided
  • livy-examples:compile

Identifiers

CVE-2017-7525 (OSSINDEX)  

A deserialization flaw was discovered in the jackson-databind, versions before 2.6.7.1, 2.7.9.1 and 2.8.9, which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper.
CWE-184 Incomplete Blacklist

CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:org.codehaus.jackson:jackson-mapper-asl:1.9.13:*:*:*:*:*:*:*

CVE-2019-10172  

A flaw was found in the org.codehaus.jackson:jackson-mapper-asl:1.9.x libraries. XML external entity vulnerabilities similar to CVE-2016-3720 also affect the codehaus jackson-mapper-asl libraries, but in different classes.
CWE-611 Improper Restriction of XML External Entity Reference ('XXE')

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

References:

Vulnerable Software & Versions:

jackson-module-scala_2.11-2.12.7.jar

Description:

jackson-module-scala

License:

The Apache Software License, Version 2.0: https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /root/.m2/repository/com/fasterxml/jackson/module/jackson-module-scala_2.11/2.12.7/jackson-module-scala_2.11-2.12.7.jar
MD5: b2e032982da8847749193c918d377bed
SHA1: 130d9cc561cf5b4610df8a05251ba47dd996cea4
SHA256:a1b399b25a9edc90c9eb800b230bb9782b3ad111e5c8ee20a0b6d876e2992602
Referenced In Projects/Scopes:
  • livy-integration-test:compile
  • livy-rsc:provided
  • livy-repl-parent:provided
  • livy-test-lib:provided
  • livy-api:provided
  • livy-scala-api_2.11:provided
  • livy-scala-api-parent:provided
  • livy-coverage-report:compile
  • livy-assembly:compile
  • livy-server:compile
  • livy-repl_2.11:provided
  • livy-examples:compile

Identifiers

jackson-module-scala_2.12-2.12.7.jar

Description:

jackson-module-scala

License:

The Apache Software License, Version 2.0: https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /root/.m2/repository/com/fasterxml/jackson/module/jackson-module-scala_2.12/2.12.7/jackson-module-scala_2.12-2.12.7.jar
MD5: 76da25a3c493e4437f1fdcd225e17db7
SHA1: 36b89491441afff9cbd98e0b59359db5fbb58dbd
SHA256:e2426ee1d150f85eaceeca19dc50d3eeb80ead221c9574651af4997b7359bef1
Referenced In Projects/Scopes:
  • livy-scala-api_2.12:provided
  • livy-repl_2.12:provided

Identifiers

jackson-xc-1.8.3.jar

Description:

Extensions that provide interoperability support for Jackson JSON processor's data binding functionality.

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
GNU Lesser General Public License (LGPL), Version 2.1: http://www.fsf.org/licensing/licenses/lgpl.txt
File Path: /root/.m2/repository/org/codehaus/jackson/jackson-xc/1.8.3/jackson-xc-1.8.3.jar
MD5: 0ee32b08580654d69147ecfab0321270
SHA1: 1226667dcdb7c259b3ee07e112ed83446554516e
SHA256:e25789f6d6e0c60c0f46f89d33586190bef23626d9efd3b5d41fe42b45afec96
Referenced In Projects/Scopes:
  • livy-integration-test:compile
  • livy-coverage-report:compile
  • livy-rsc:provided

Identifiers

CVE-2018-7489  

FasterXML jackson-databind before 2.7.9.3, 2.8.x before 2.8.11.1 and 2.9.x before 2.9.5 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the c3p0 libraries are available in the classpath.
CWE-502 Deserialization of Untrusted Data, CWE-184 Incomplete Blacklist

CVSSv2:
  • Base Score: HIGH (7.5)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions:

CVE-2020-36518  

jackson-databind before 2.13.0 allows a Java StackOverflow exception and denial of service via a large depth of nested objects.
CWE-787 Out-of-bounds Write

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:P
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References:

Vulnerable Software & Versions:

CVE-2022-42003  

In FasterXML jackson-databind before 2.14.0-rc1, resource exhaustion can occur because of a lack of a check in primitive value deserializers to avoid deep wrapper array nesting, when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled. Additional fix versions are 2.13.4.1 and 2.12.7.1.
CWE-502 Deserialization of Untrusted Data

CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References:

Vulnerable Software & Versions:

CVE-2022-42004  

In FasterXML jackson-databind before 2.13.4, resource exhaustion can occur because of a lack of a check in BeanDeserializer._deserializeFromArray to prevent use of deeply nested arrays. An application is vulnerable only with certain customized choices for deserialization.
CWE-502 Deserialization of Untrusted Data

CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References:

Vulnerable Software & Versions:

jackson-xc-1.9.13.jar

Description:

Extensions that provide interoperability support for
Jackson JSON processor's data binding functionality.

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
GNU Lesser General Public License (LGPL), Version 2.1: http://www.fsf.org/licensing/licenses/lgpl.txt
File Path: /root/.m2/repository/org/codehaus/jackson/jackson-xc/1.9.13/jackson-xc-1.9.13.jar
MD5: 49f6a735bae30745dcf5ecec27090720
SHA1: e3480072bc95c202476ffa1de99ff7ee9149f29c
SHA256:2d2905fcec7d1c55b775995617685dbb03672350704d9e40b492eab5b54d0be7
Referenced In Projects/Scopes:
  • livy-scala-api_2.12:provided
  • livy-scala-api_2.11:provided
  • livy-scala-api-parent:provided
  • livy-assembly:compile
  • livy-repl_2.12:provided
  • livy-server:compile
  • livy-repl-parent:provided
  • livy-test-lib:provided
  • livy-repl_2.11:provided
  • livy-examples:compile
  • livy-api:provided

Identifiers

CVE-2018-7489  

FasterXML jackson-databind before 2.7.9.3, 2.8.x before 2.8.11.1 and 2.9.x before 2.9.5 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the c3p0 libraries are available in the classpath.
CWE-502 Deserialization of Untrusted Data, CWE-184 Incomplete Blacklist

CVSSv2:
  • Base Score: HIGH (7.5)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions:

CVE-2020-36518  

jackson-databind before 2.13.0 allows a Java StackOverflow exception and denial of service via a large depth of nested objects.
CWE-787 Out-of-bounds Write

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:P
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References:

Vulnerable Software & Versions:

CVE-2022-42003  

In FasterXML jackson-databind before 2.14.0-rc1, resource exhaustion can occur because of a lack of a check in primitive value deserializers to avoid deep wrapper array nesting, when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled. Additional fix version in 2.13.4.1 and 2.12.17.1
CWE-502 Deserialization of Untrusted Data

CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References:

Vulnerable Software & Versions:

CVE-2022-42004  

In FasterXML jackson-databind before 2.13.4, resource exhaustion can occur because of a lack of a check in BeanDeserializer._deserializeFromArray to prevent use of deeply nested arrays. An application is vulnerable only with certain customized choices for deserialization.
CWE-502 Deserialization of Untrusted Data

CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References:

Vulnerable Software & Versions:
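The four CVEs listed above for jackson-xc-1.9.13.jar all describe FasterXML jackson-databind 2.x, while this jar is the org.codehaus.jackson 1.x artifact; the report's own preamble says such mismatches happen and points to the suppression mechanism. The block below is an added example, not code from the Livy project or from Dependency-Check: it builds a suppression file entry keyed by the jar's SHA1 exactly as printed in this report, which pins the rule to this one artifact rather than to a name pattern. The namespace URL of the 1.3 suppression schema is an assumption, as is that a reviewer has confirmed the mismatch; the note text is a placeholder to be filled in.

```python
import xml.etree.ElementTree as ET

# Namespace of the Dependency-Check suppression file schema (assumption: the 1.3 XSD).
SUPPRESS_NS = "https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd"

# Values copied from this report's jackson-xc-1.9.13.jar entry.
JACKSON_XC_SHA1 = "e3480072bc95c202476ffa1de99ff7ee9149f29c"
JACKSON_XC_CVES = ["CVE-2018-7489", "CVE-2020-36518", "CVE-2022-42003", "CVE-2022-42004"]


def _tag(name):
    return f"{{{SUPPRESS_NS}}}{name}"


def build_suppressions(entries):
    """entries: iterable of (sha1, [cve, ...], note). Returns the suppression XML as text.

    Keying on the SHA1 pins each rule to one exact artifact, so a later upgrade of the jar
    (new hash) is scanned afresh instead of being silently suppressed as well.
    """
    ET.register_namespace("", SUPPRESS_NS)
    root = ET.Element(_tag("suppressions"))
    for sha1, cves, note in entries:
        digest = sha1.lower()
        if len(digest) != 40 or any(c not in "0123456789abcdef" for c in digest):
            raise ValueError(f"not a SHA1 hex digest: {sha1!r}")
        if not note.strip():
            raise ValueError("every suppression needs a note saying why it is safe")
        sup = ET.SubElement(root, _tag("suppress"))
        ET.SubElement(sup, _tag("notes")).text = note
        ET.SubElement(sup, _tag("sha1")).text = digest
        for cve in sorted(set(cves)):
            ET.SubElement(sup, _tag("cve")).text = cve
    return ET.tostring(root, encoding="unicode")


def parse_suppressions(xml_text):
    """Read a suppression file back as {sha1: sorted CVE list}, to review a rule before commit."""
    root = ET.fromstring(xml_text)
    return {
        sup.findtext(_tag("sha1")): sorted(e.text for e in sup.findall(_tag("cve")))
        for sup in root.findall(_tag("suppress"))
    }


if __name__ == "__main__":
    # Placeholder note: replace the reviewer and date before committing the rule.
    note = ("jackson-xc 1.9.13 is the org.codehaus.jackson 1.x artifact; these CVEs describe "
            "FasterXML jackson-databind 2.x. Reviewed by: (fill in), date: (fill in).")
    print(build_suppressions([(JACKSON_XC_SHA1, JACKSON_XC_CVES, note)]))
```

Redirect the output into the suppression file handed to the scanner; parse_suppressions reads it back so the rule can be checked in review. Prefer the SHA1 key over a packageUrl or filePath regex for a case like this one: a regex keeps suppressing after the jar is replaced, a digest does not.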

janino-3.0.9.jar

Description:

The "JANINO" implementation of the "commons-compiler" API: Super-small, super-fast, independent from the JDK's "tools.jar".

License:

https://raw.githubusercontent.com/janino-compiler/janino/master/LICENSE
File Path: /root/.m2/repository/org/codehaus/janino/janino/3.0.9/janino-3.0.9.jar
MD5: 4ee85915848cbe3344b21712128cab4a
SHA1: 0ddfd261063f2e6300e4c884aeef5f145dd0b38d
SHA256:32f17d3be316aa398840fe891136f8a26c2f07c0c53fc2944268c4ba96e3b734
Referenced In Projects/Scopes:
  • livy-scala-api_2.12:provided
  • livy-scala-api_2.11:provided
  • livy-scala-api-parent:provided
  • livy-repl_2.12:provided
  • livy-rsc:provided
  • livy-repl-parent:provided
  • livy-test-lib:provided
  • livy-repl_2.11:provided
  • livy-examples:compile
  • livy-api:provided

Identifiers

java-xmlbuilder-0.4.jar

Description:

XML Builder is a utility that creates simple XML documents using relatively sparse Java code

License:

Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0
File Path: /root/.m2/repository/com/jamesmurty/utils/java-xmlbuilder/0.4/java-xmlbuilder-0.4.jar
MD5: 0fa474213a6a0282cd9264f6e0dd3658
SHA1: ac5962e48cdee3a0a6e1f8e00fcb594747ac5aaf
SHA256:681e53c4ffd59fa12068803b259e3a83d43f07a47c112e748a187dee179eb31f
Referenced In Projects/Scopes:
  • livy-integration-test:compile
  • livy-rsc:provided

Identifiers

javassist-3.18.1-GA.jar

Description:

Javassist (JAVA programming ASSISTant) makes Java bytecode manipulation simple. It is a class library for editing bytecodes in Java.

License:

MPL 1.1: http://www.mozilla.org/MPL/MPL-1.1.html
LGPL 2.1: http://www.gnu.org/licenses/lgpl-2.1.html
Apache License 2.0: http://www.apache.org/licenses/
File Path: /root/.m2/repository/org/javassist/javassist/3.18.1-GA/javassist-3.18.1-GA.jar
MD5: 5bb83868c87334320562af7eded65cc2
SHA1: d9a09f7732226af26bf99f19e2cffe0ae219db5b
SHA256:3fb71231afd098bb0f93f5eb97aa8291c8d0556379125e596f92ec8f944c6162
Referenced In Projects/Scopes:
  • livy-scala-api_2.12:provided
  • livy-scala-api_2.11:provided
  • livy-scala-api-parent:provided
  • livy-repl_2.12:provided
  • livy-rsc:provided
  • livy-repl-parent:provided
  • livy-test-lib:provided
  • livy-repl_2.11:provided
  • livy-examples:compile
  • livy-api:provided

Identifiers

javax.activation-1.2.0.jar

Description:

JavaBeans Activation Framework

License:

https://github.com/javaee/activation/blob/master/LICENSE.txt
File Path: /root/.m2/repository/com/sun/activation/javax.activation/1.2.0/javax.activation-1.2.0.jar
MD5: be7c430df50b330cffc4848a3abedbfb
SHA1: bf744c1e2776ed1de3c55c8dac1057ec331ef744
SHA256:993302b16cd7056f21e779cc577d175a810bb4900ef73cd8fbf2b50f928ba9ce
Referenced In Project/Scope:livy-integration-test:compile

Identifiers

javax.annotation-api-1.2.jar

Description:

Common Annotations for the JavaTM Platform API

License:

CDDL + GPLv2 with classpath exception: https://glassfish.dev.java.net/nonav/public/CDDL+GPL.html
File Path: /root/.m2/repository/javax/annotation/javax.annotation-api/1.2/javax.annotation-api-1.2.jar
MD5: 75fe320d2b3763bd6883ae1ede35e987
SHA1: 479c1e06db31c432330183f5cae684163f186146
SHA256:5909b396ca3a2be10d0eea32c74ef78d816e1b4ead21de1d78de1f890d033e04
Referenced In Projects/Scopes:
  • livy-scala-api_2.12:provided
  • livy-scala-api_2.11:provided
  • livy-scala-api-parent:provided
  • livy-repl_2.12:provided
  • livy-rsc:provided
  • livy-repl-parent:provided
  • livy-test-lib:provided
  • livy-repl_2.11:provided
  • livy-examples:compile
  • livy-api:provided

Identifiers

javax.inject-1.jar

Description:

The javax.inject API

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /root/.m2/repository/javax/inject/javax.inject/1/javax.inject-1.jar
MD5: 289075e48b909e9e74e6c915b3631d2e
SHA1: 6975da39a7040257bd51d21a231b76c915872d38
SHA256:91c77044a50c481636c32d916fd89c9118a72195390452c81065080f957de7ff
Referenced In Projects/Scopes:
  • livy-integration-test:compile
  • livy-coverage-report:compile

Identifiers

javax.inject-2.4.0-b34.jar

Description:

Injection API (JSR 330) version ${javax.inject.version} repackaged as OSGi bundle

License:

https://glassfish.java.net/nonav/public/CDDL+GPL_1_1.html
File Path: /root/.m2/repository/org/glassfish/hk2/external/javax.inject/2.4.0-b34/javax.inject-2.4.0-b34.jar
MD5: 0299609004955f54207ab8562273b5af
SHA1: a6a3d4935af7b03e44126b5aac2c2a0ce98fe6e9
SHA256:fdbf80a01b854045bd4004b7c6b1fdc2da81db475bfbd08ed574eeffcf9a7b1a
Referenced In Projects/Scopes:
  • livy-scala-api_2.12:provided
  • livy-scala-api_2.11:provided
  • livy-scala-api-parent:provided
  • livy-repl_2.12:provided
  • livy-rsc:provided
  • livy-repl-parent:provided
  • livy-test-lib:provided
  • livy-repl_2.11:provided
  • livy-examples:compile
  • livy-api:provided

Identifiers

javax.servlet-api-3.1.0.jar

Description:

Java(TM) Servlet 3.1 API Design Specification

License:

CDDL + GPLv2 with classpath exception: https://glassfish.dev.java.net/nonav/public/CDDL+GPL.html
File Path: /root/.m2/repository/javax/servlet/javax.servlet-api/3.1.0/javax.servlet-api-3.1.0.jar
MD5: 79de69e9f5ed8c7fcb8342585732bbf7
SHA1: 3cd63d075497751784b2fa84be59432f4905bf7c
SHA256:af456b2dd41c4e82cf54f3e743bc678973d9fe35bd4d3071fa05c7e5333b8482
Referenced In Projects/Scopes:
  • livy-scala-api_2.12:provided
  • livy-integration-test:compile
  • livy-rsc:provided
  • livy-repl-parent:provided
  • livy-test-lib:provided
  • livy-api:provided
  • livy-scala-api_2.11:provided
  • livy-scala-api-parent:provided
  • livy-coverage-report:compile
  • livy-assembly:compile
  • livy-repl_2.12:provided
  • livy-server:compile
  • livy-repl_2.11:provided
  • livy-examples:compile

Identifiers

javax.ws.rs-api-2.0.1.jar

Description:

Java API for RESTful Web Services (JAX-RS)

License:

CDDL 1.1: http://glassfish.java.net/public/CDDL+GPL_1_1.html
GPL2 w/ CPE: http://glassfish.java.net/public/CDDL+GPL_1_1.html
File Path: /root/.m2/repository/javax/ws/rs/javax.ws.rs-api/2.0.1/javax.ws.rs-api-2.0.1.jar
MD5: edcd111cf4d3ba8ac8e1f326efc37a17
SHA1: 104e9c2b5583cfcfeac0402316221648d6d8ea6b
SHA256:38607d626f2288d8fbc1b1f8a62c369e63806d9a313ac7cbc5f9d6c94f4b466d
Referenced In Projects/Scopes:
  • livy-scala-api_2.12:provided
  • livy-scala-api_2.11:provided
  • livy-scala-api-parent:provided
  • livy-repl_2.12:provided
  • livy-rsc:provided
  • livy-repl-parent:provided
  • livy-test-lib:provided
  • livy-repl_2.11:provided
  • livy-examples:compile
  • livy-api:provided

Identifiers

javolution-5.5.1.jar

Description:

Javolution - Java Solution for Real-Time and Embedded Systems. This project uses template classes to generate java code for various versions of the Java run-time (e.g. J2ME, 1.4, GCJ, 1.5). The default maven compilation builds an OSGI bundle for Java 1.5+ (parameterized classes). For other targets the ant script should be used directly (e.g. "ant j2me").

License:

BSD License: http://javolution.org/LICENSE.txt
File Path: /root/.m2/repository/javolution/javolution/5.5.1/javolution-5.5.1.jar
MD5: 1b7257da4690bada3cac7293985f8588
SHA1: 3fcba819cdb7861728405963ddc4b2755ab182e5
SHA256:6de167427fb5ad34fe533cb36a8b3427fa6052a2b99781874396ed5cca9f8ed1
Referenced In Projects/Scopes:
  • livy-scala-api_2.12:provided
  • livy-scala-api_2.11:provided
  • livy-scala-api-parent:provided
  • livy-repl_2.12:provided
  • livy-rsc:provided
  • livy-repl-parent:provided
  • livy-test-lib:provided
  • livy-repl_2.11:provided
  • livy-examples:compile
  • livy-api:provided

Identifiers

jaxb-api-2.2.2.jar

Description:

JAXB (JSR 222) API

License:

CDDL 1.1: https://glassfish.dev.java.net/public/CDDL+GPL_1_1.html
GPL2 w/ CPE: https://glassfish.dev.java.net/public/CDDL+GPL_1_1.html
File Path: /root/.m2/repository/javax/xml/bind/jaxb-api/2.2.2/jaxb-api-2.2.2.jar
MD5: a415e9a322984be1e1f8a023d09dca5f
SHA1: aeb3021ca93dde265796d82015beecdcff95bf09
SHA256:30233df6215fb982d8784de91d307596748cea98d6d502293c7c3e85c1697137
Referenced In Projects/Scopes:
  • livy-scala-api_2.12:provided
  • livy-integration-test:compile
  • livy-rsc:provided
  • livy-repl-parent:provided
  • livy-test-lib:provided
  • livy-api:provided
  • livy-scala-api_2.11:provided
  • livy-scala-api-parent:provided
  • livy-coverage-report:compile
  • livy-assembly:compile
  • livy-repl_2.12:provided
  • livy-server:compile
  • livy-repl_2.11:provided
  • livy-examples:compile

Identifiers

jaxb-impl-2.2.3-1.jar

Description:

JAXB (JSR 222) reference implementation

License:

CDDL 1.1: https://glassfish.java.net/public/CDDL+GPL_1_1.html
GPL2 w/ CPE: https://glassfish.java.net/public/CDDL+GPL_1_1.html
File Path: /root/.m2/repository/com/sun/xml/bind/jaxb-impl/2.2.3-1/jaxb-impl-2.2.3-1.jar
MD5: 1b689e7f87caf2615c0f6a47831d0342
SHA1: 56baae106392040a45a06d4a41099173425da1e6
SHA256:fa3e1499b192c310312bf02881274b68394aaea4c9563e6c554cc406ae644ff8
Referenced In Projects/Scopes:
  • livy-integration-test:compile
  • livy-coverage-report:compile
  • livy-rsc:provided

Identifiers

jcl-over-slf4j-1.7.16.jar

Description:

JCL 1.1.1 implemented over SLF4J

File Path: /root/.m2/repository/org/slf4j/jcl-over-slf4j/1.7.16/jcl-over-slf4j-1.7.16.jar
MD5: aeb458dc10a619bd32ebc9d399dd64a8
SHA1: 034e48073884704ac987d3d1a1ab9b60e62028a9
SHA256:764d8698e00c08dfbd8f6426ed95619cbf5473327a2a7d3b6bea6b1d987c6547
Referenced In Projects/Scopes:
  • livy-scala-api_2.12:provided
  • livy-scala-api_2.11:provided
  • livy-scala-api-parent:provided
  • livy-repl_2.12:provided
  • livy-rsc:provided
  • livy-repl-parent:provided
  • livy-test-lib:provided
  • livy-repl_2.11:provided
  • livy-examples:compile
  • livy-api:provided

Identifiers

jdo-api-3.0.1.jar

Description:

The Java Data Objects (JDO) API is a standard interface-based Java model abstraction of persistence, developed as Java Specification Request 243 under the auspices of the Java Community Process.

License:

Apache 2: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /root/.m2/repository/javax/jdo/jdo-api/3.0.1/jdo-api-3.0.1.jar
MD5: 978ae9726514457b8cfe8a3ba1c17ca5
SHA1: 058e7a538e020b73871e232eeb064835fd98a492
SHA256:2a2e63d44a4d7fe267650d08431218648adee14f725df3896d09db3084d7a2f2
Referenced In Projects/Scopes:
  • livy-scala-api_2.12:provided
  • livy-scala-api_2.11:provided
  • livy-scala-api-parent:provided
  • livy-repl_2.12:provided
  • livy-rsc:provided
  • livy-repl-parent:provided
  • livy-test-lib:provided
  • livy-repl_2.11:provided
  • livy-examples:compile
  • livy-api:provided

Identifiers

jersey-common-2.22.2.jar

Description:

Jersey core common packages

License:

http://glassfish.java.net/public/CDDL+GPL_1_1.html
File Path: /root/.m2/repository/org/glassfish/jersey/core/jersey-common/2.22.2/jersey-common-2.22.2.jar
MD5: d855b5f16119a933768c13690c099375
SHA1: 1209b89878b60ce7d49afadeff7522d2fde0e217
SHA256:33c51bda7fe94c27056af05c6b6bb1a0c2968b5bcf09b4c098ccbe953231186d
Referenced In Projects/Scopes:
  • livy-scala-api_2.12:provided
  • livy-scala-api_2.11:provided
  • livy-scala-api-parent:provided
  • livy-repl_2.12:provided
  • livy-rsc:provided
  • livy-repl-parent:provided
  • livy-test-lib:provided
  • livy-repl_2.11:provided
  • livy-examples:compile
  • livy-api:provided

Identifiers

CVE-2021-28168 (OSSINDEX)  

Eclipse Jersey 2.28 to 2.33 and Eclipse Jersey 3.0.0 to 3.0.1 contains a local information disclosure vulnerability. This is due to the use of the File.createTempFile which creates a file inside of the system temporary directory with the permissions: -rw-r--r--. Thus the contents of this file are viewable by all other users locally on the system. As such, if the contents written is security sensitive, it can be disclosed to other local users.
CWE-668 Exposure of Resource to Wrong Sphere

CVSSv2:
  • Base Score: MEDIUM (5.5)
  • Vector: /AV:L/AC:L/Au:/C:H/I:N/A:N

References:

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:org.glassfish.jersey.core:jersey-common:2.22.2:*:*:*:*:*:*:*

jersey-core-1.9.jar

Description:

Jersey is the open source (under dual CDDL+GPL license) JAX-RS (JSR 311) production quality Reference Implementation for building RESTful Web services.

License:

http://glassfish.java.net/public/CDDL+GPL_1_1.html
File Path: /root/.m2/repository/com/sun/jersey/jersey-core/1.9/jersey-core-1.9.jar
MD5: 73d196595f5e410a37c0a4337350ceb7
SHA1: 8341846f18187013bb9e27e46b7ee00a6395daf4
SHA256:2c6d0ec88fc8c36cb41637d9c00d0698c22cb6b6a137fa526ef782e00d2265bc
Referenced In Projects/Scopes:
  • livy-integration-test:compile
  • livy-coverage-report:compile
  • livy-rsc:provided

Identifiers

CVE-2014-3643 (OSSINDEX)  

jersey: XXE via parameter entities not disabled by the jersey SAX parser
CWE-611 Improper Restriction of XML External Entity Reference ('XXE')

CVSSv2:
  • Base Score: HIGH (7.5)
  • Vector: /AV:N/AC:L/Au:/C:H/I:N/A:N

References:

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:com.sun.jersey:jersey-core:1.9:*:*:*:*:*:*:*

jersey-server-1.9.jar

Description:

Jersey is the open source (under dual CDDL+GPL license) JAX-RS (JSR 311) production quality Reference Implementation for building RESTful Web services.

License:

http://glassfish.java.net/public/CDDL+GPL_1_1.html
File Path: /root/.m2/repository/com/sun/jersey/jersey-server/1.9/jersey-server-1.9.jar
MD5: 0c98f6cca5df8197b310a0d1d89bb34a
SHA1: 3a6ea7cc5e15c824953f9f3ece2201b634d90d18
SHA256:3ded91b198077561bd51f6c0442c9cd70b754d8b31b61afaf448bda9d01848f0
Referenced In Projects/Scopes:
  • livy-integration-test:compile
  • livy-coverage-report:compile
  • livy-rsc:provided

Identifiers

jersey-server-2.22.2.jar

Description:

Jersey core server implementation

License:

http://glassfish.java.net/public/CDDL+GPL_1_1.html
File Path: /root/.m2/repository/org/glassfish/jersey/core/jersey-server/2.22.2/jersey-server-2.22.2.jar
MD5: 62d36194c28af7a49966554af421488f
SHA1: 5ede3e5f98f8b14d31d1d0fffe9908df2bd41c0f
SHA256:8f8649b568d068f053362fa3def56206166dfceb3baa74e9f19eff6f8f8d9f1f
Referenced In Projects/Scopes:
  • livy-scala-api_2.12:provided
  • livy-scala-api_2.11:provided
  • livy-scala-api-parent:provided
  • livy-repl_2.12:provided
  • livy-rsc:provided
  • livy-repl-parent:provided
  • livy-test-lib:provided
  • livy-repl_2.11:provided
  • livy-examples:compile
  • livy-api:provided

Identifiers

jets3t-0.9.0.jar

Description:

JetS3t is a free, open-source Java toolkit and application suite for Amazon Simple Storage Service (Amazon S3), Amazon CloudFront content delivery network, and Google Storage for Developers.

License:

Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0
File Path: /root/.m2/repository/net/java/dev/jets3t/jets3t/0.9.0/jets3t-0.9.0.jar
MD5: 22559a7c686b19534707228decc3c6d7
SHA1: 792bc96ee7e57b89f472aa0cb5a31015b9f59c96
SHA256:e89893fc754b252af717d7d14accda946f7dfcfc1e293fd3e04725163d661bd7
Referenced In Projects/Scopes:
  • livy-integration-test:compile
  • livy-rsc:provided

Identifiers

jettison-1.1.jar

Description:

A StAX implementation for JSON.

File Path: /root/.m2/repository/org/codehaus/jettison/jettison/1.1/jettison-1.1.jar
MD5: fc80e0aabd516c54739262c3d618303a
SHA1: 1a01a2a1218fcf9faa2cc2a6ced025bdea687262
SHA256:377940288b0643c48780137f6f68578937e1ea5ca2b73830a820c50a7b7ed801
Referenced In Projects/Scopes:
  • livy-integration-test:compile
  • livy-coverage-report:compile
  • livy-rsc:provided

Identifiers

CVE-2022-40149  

Those using Jettison to parse untrusted XML or JSON data may be vulnerable to denial of service (DoS) attacks. If the parser is running on user-supplied input, an attacker may supply content that causes the parser to crash with a stack overflow. This effect may support a denial of service attack.
CWE-787 Out-of-bounds Write

CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References:

Vulnerable Software & Versions:

CVE-2022-40150  

Those using Jettison to parse untrusted XML or JSON data may be vulnerable to denial of service (DoS) attacks. If the parser is running on user-supplied input, an attacker may supply content that causes the parser to crash by running out of memory. This effect may support a denial of service attack.
CWE-400 Uncontrolled Resource Consumption ('Resource Exhaustion')

CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References:

Vulnerable Software & Versions:
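CVE-2020-36518, CVE-2022-42003 and CVE-2022-42004 above (jackson-databind) and CVE-2022-40149 and CVE-2022-40150 here (Jettison) are one failure mode: a recursive-descent parser with no depth bound, fed input nested deeper than the stack or heap allows. The Python block below is an added example and is not part of this report or of either library; it reproduces the failure against Python's own json module and then shows a one-pass, escape-aware depth check that rejects such input before any recursive parser sees it. The depth limit of 64 is an assumed policy value.

```python
import json


def json_nesting_depth(text, max_depth=None):
    """Maximum bracket nesting depth of a JSON document, found in one linear pass.

    Brackets inside string literals are skipped (escape-aware), so '["[["]' has depth 1.
    With max_depth set, a ValueError is raised as soon as it is exceeded, which bounds
    the work spent on hostile input instead of reading the whole document first.
    """
    depth = deepest = 0
    in_string = escaped = False
    for ch in text:
        if in_string:
            if escaped:
                escaped = False
            elif ch == "\\":
                escaped = True
            elif ch == '"':
                in_string = False
        elif ch == '"':
            in_string = True
        elif ch in "[{":
            depth += 1
            if max_depth is not None and depth > max_depth:
                raise ValueError(f"nesting depth exceeds {max_depth}")
            deepest = max(deepest, depth)
        elif ch in "]}":
            depth -= 1
            if depth < 0:
                raise ValueError("unbalanced closing bracket")
    return deepest


def safe_loads(text, max_depth=64):
    """json.loads guarded by the depth check; 64 is an assumed policy value."""
    json_nesting_depth(text, max_depth)
    return json.loads(text)


def unguarded_parse_overflows(depth):
    """True when an unguarded json.loads on `depth` nested arrays exhausts the interpreter
    recursion limit: the Python equivalent of the Java StackOverflowError in the CVEs."""
    document = "[" * depth + "]" * depth
    try:
        json.loads(document)
    except RecursionError:
        return True
    return False
```

The pre-check costs one pass over the bytes and no allocation, so it can sit in front of any parser, including one (like jackson-databind 2.13.4.1 and later, or Jettison) that has since gained its own limit; the application-level bound is what keeps the service's behaviour independent of which library version is on the classpath.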

jetty-6.1.26.jar

Description:

Jetty server core

License:

http://www.apache.org/licenses/LICENSE-2.0, http://www.eclipse.org/org/documents/epl-v10.php
File Path: /root/.m2/repository/org/mortbay/jetty/jetty/6.1.26/jetty-6.1.26.jar
MD5: 12b65438bbaf225102d0396c21236052
SHA1: 2f546e289fddd5b1fab1d4199fbb6e9ef43ee4b0
SHA256:21091d3a9c1349f640fdc421504a604c040ed89087ecc12afbe32353326ed4e5
Referenced In Projects/Scopes:
  • livy-integration-test:compile
  • livy-rsc:provided

Identifiers

CVE-2011-4461  

Jetty 8.1.0.RC2 and earlier computes hash values for form parameters without restricting the ability to trigger hash collisions predictably, which allows remote attackers to cause a denial of service (CPU consumption) by sending many crafted parameters.
CWE-310 Cryptographic Issues

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:P
CVSSv3:
  • Base Score: MEDIUM (5.3)
  • Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

References:

Vulnerable Software & Versions:
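CVE-2011-4461 above describes hash flooding: form parameter names were bucketed by Java's String.hashCode, whose collisions can be produced at will, so one request carrying thousands of colliding names turns every insert into a linear scan. The Python block below is an added example, not Jetty code: it re-implements String.hashCode, builds an arbitrary number of colliding parameter names from two colliding two-character blocks, and shows the kind of fix that does not require changing the hash function, a hard cap on the number of form keys parsed. The cap of 1000 and the 16-bucket table are assumed values for the demonstration.

```python
from urllib.parse import unquote_plus


def java_string_hash(s):
    """Java's String.hashCode(): h = 31*h + c over the UTF-16 code units, wrapped to a
    signed 32-bit int. This is what Jetty 6 bucketed form parameter names with."""
    units = s.encode("utf-16-be")
    h = 0
    for i in range(0, len(units), 2):
        h = (31 * h + int.from_bytes(units[i:i + 2], "big")) & 0xFFFFFFFF
    return h - (1 << 32) if h & 0x80000000 else h


def colliding_keys(count, blocks=("Aa", "BB")):
    """`count` distinct strings that all share one Java hash code.

    'Aa' and 'BB' collide (65*31+97 == 66*31+66 == 2112), and because hashCode is a
    polynomial in the characters, any two strings built from the same number of
    colliding blocks collide as well: n blocks give 2**n keys for a single bucket,
    the "predictable collisions" the CVE text refers to.
    """
    n = max(1, (count - 1).bit_length())  # smallest n with 2**n >= count
    return ["".join(blocks[(i >> b) & 1] for b in range(n)) for i in range(count)]


def bucket_sizes(keys, buckets=16):
    """Distribution of `keys` over a power-of-two table indexed by the low hash bits:
    colliding keys all land in one bucket, so lookups there degrade to a linear scan."""
    counts = [0] * buckets
    for k in keys:
        counts[java_string_hash(k) & (buckets - 1)] += 1
    return counts


def parse_form(body, max_keys=1000):
    """Parse an application/x-www-form-urlencoded body into a dict, refusing bodies with
    more than max_keys parameters. Capping the key count bounds the quadratic work a
    collision-flooded body can force out of a chained hash table; it is the defence that
    applies when the hash function itself cannot be replaced or randomised."""
    params = {}
    seen = 0
    for pair in body.split("&"):
        if not pair:
            continue
        seen += 1
        if seen > max_keys:
            raise ValueError(f"more than {max_keys} form parameters")
        key, _, value = pair.partition("=")
        params[unquote_plus(key)] = unquote_plus(value)
    return params
```

A body of 2**n colliding keys is only 2n+3 bytes per parameter, so the attacker's cost grows linearly while the server's grows quadratically; the key cap is the cheap way to make both sides linear again, and it is the shape of limit servlet containers added after this class of report.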

CVE-2009-1523  

Directory traversal vulnerability in the HTTP server in Mort Bay Jetty 5.1.14, 6.x before 6.1.17, and 7.x through 7.0.0.M2 allows remote attackers to access arbitrary files via directory traversal sequences in the URI.
CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:N

References:

Vulnerable Software & Versions:

jetty-server-9.3.24.v20180605.jar

Description:

The core jetty server artifact.

License:

http://www.apache.org/licenses/LICENSE-2.0, http://www.eclipse.org/org/documents/epl-v10.php
File Path: /root/.m2/repository/org/eclipse/jetty/jetty-server/9.3.24.v20180605/jetty-server-9.3.24.v20180605.jar
MD5: edb61b344a4b0947328ca4acb5d7f258
SHA1: 0e629740cf0a08b353ec07c35eeab8fd06590041
SHA256:64f1b63ad2d41cf7b45b53be170706815cd82e9175820dd2cd496d93cd658f62
Referenced In Projects/Scopes:
  • livy-integration-test:compile
  • livy-coverage-report:compile
  • livy-assembly:compile
  • livy-server:compile

Identifiers

CVE-2018-12545  

In Eclipse Jetty version 9.3.x and 9.4.x, the server is vulnerable to denial of service conditions if a remote client sends either large SETTINGS frames containing many settings, or many small SETTINGS frames. The vulnerability is due to the additional CPU and memory allocations required to handle changed settings.
CWE-770 Allocation of Resources Without Limits or Throttling

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:P
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References:

Vulnerable Software & Versions:

CVE-2021-28165  

In Eclipse Jetty 7.2.2 to 9.4.38, 10.0.0.alpha0 to 10.0.1, and 11.0.0.alpha0 to 11.0.1, CPU usage can reach 100% upon receiving a large invalid TLS frame.
CWE-755 Improper Handling of Exceptional Conditions

CVSSv2:
  • Base Score: HIGH (7.8)
  • Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:C
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References:

Vulnerable Software & Versions:

CVE-2022-2048  

In the Eclipse Jetty HTTP/2 server implementation, when encountering an invalid HTTP/2 request, the error handling has a bug that can wind up not properly cleaning up the active connections and associated resources. This can lead to a denial of service scenario where there are not enough resources left to process good requests.
CWE-400 Uncontrolled Resource Consumption ('Resource Exhaustion')

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:P
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References:

Vulnerable Software & Versions:

CVE-2020-27216  

In Eclipse Jetty versions 1.0 through 9.4.32.v20200930, 10.0.0.alpha1 through 10.0.0.beta2, and 11.0.0.alpha1 through 11.0.0.beta2, on Unix-like systems, the system's temporary directory is shared between all users on that system. A co-located user can observe the process of creating a temporary sub-directory in the shared temporary directory and race to complete the creation of the temporary sub-directory. If the attacker wins the race then they will have read and write permission to the sub-directory used to unpack web applications, including their WEB-INF/lib jar files and JSP files. If any code is ever executed out of this temporary directory, this can lead to a local privilege escalation vulnerability.
NVD-CWE-Other

CVSSv2:
  • Base Score: MEDIUM (4.4)
  • Vector: /AV:L/AC:M/Au:N/C:P/I:P/A:P
CVSSv3:
  • Base Score: HIGH (7.0)
  • Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions:

CVE-2019-10241  

In Eclipse Jetty version 9.2.26 and older, 9.3.25 and older, and 9.4.15 and older, the server is vulnerable to XSS conditions if a remote client uses a specially formatted URL against the DefaultServlet or ResourceHandler that is configured for showing a listing of directory contents.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (6.1)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

References:

Vulnerable Software & Versions:

CVE-2019-10247  

In Eclipse Jetty version 7.x, 8.x, 9.2.27 and older, 9.3.26 and older, and 9.4.16 and older, the server running on any OS and Jetty version combination will reveal the configured fully qualified directory base resource location on the output of the 404 error for not finding a Context that matches the requested path. The default server behavior on jetty-distribution and jetty-home will include at the end of the Handler tree a DefaultHandler, which is responsible for reporting this 404 error, it presents the various configured contexts as HTML for users to click through to. This produced HTML includes output that contains the configured fully qualified directory base resource location for each context.
CWE-200 Information Exposure

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSSv3:
  • Base Score: MEDIUM (5.3)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

References:

Vulnerable Software & Versions:

CVE-2021-28169  

For Eclipse Jetty versions <= 9.4.40, <= 10.0.2, <= 11.0.2, it is possible for requests to the ConcatServlet with a doubly encoded path to access protected resources within the WEB-INF directory. For example a request to `/concat?/%2557EB-INF/web.xml` can retrieve the web.xml file. This can reveal sensitive information regarding the implementation of a web application.
NVD-CWE-Other

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSSv3:
  • Base Score: MEDIUM (5.3)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

References:

Vulnerable Software & Versions:
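CVE-2009-1523 (jetty-6.1.26.jar, above) and CVE-2021-28169 here are both failures to canonicalise a request path before authorising it: the first lets '..' sequences escape the resource base, the second lets a doubly encoded '%2557' survive a single decode so that 'WEB-INF' is never seen by the check. The Python block below is an added example, not Jetty code: it decodes to a fixed point with a bounded number of rounds, normalises, and only then tests the result against the resource base and the protected directory names. The base directory '/srv/webapp' and the ConcatServlet-style comma-separated query format are assumptions for the demonstration.

```python
import posixpath
from urllib.parse import unquote, urlsplit

PROTECTED_DIRS = {"web-inf", "meta-inf"}


def concat_paths(request_uri):
    """Split a ConcatServlet-style request ('/concat?/a.js,/b.js') into its path list,
    still percent-encoded: urlsplit() does not decode the query string."""
    return [p for p in urlsplit(request_uri).query.split(",") if p]


def fully_decode(path, max_rounds=4):
    """Percent-decode until the text stops changing. One round turns %2557 into %57, a
    second turns %57 into 'W', so a single unquote() sees '%57EB-INF', not 'WEB-INF'.
    The round cap bounds the work on input built to keep producing new escapes."""
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            return decoded
        path = decoded
    raise ValueError("percent-encoding did not stabilise within the round cap")


def single_decode_check(path):
    """The inadequate check: decode once, then look for a protected directory name."""
    return any(seg.lower() in PROTECTED_DIRS for seg in unquote(path).split("/"))


def resolve_under_base(base, request_path):
    """Map a request path onto the resource base after full decoding and normalisation,
    refusing anything that escapes the base (CVE-2009-1523 style '..' traversal) or lands
    in a protected directory (CVE-2021-28169 style double encoding).
    Returns the resolved absolute path; raises PermissionError otherwise."""
    base = posixpath.normpath(base)
    decoded = fully_decode(request_path).replace("\\", "/")  # some containers accept '\'
    target = posixpath.normpath(posixpath.join(base, decoded.lstrip("/")))
    if posixpath.commonpath([base, target]) != base:
        raise PermissionError(f"escapes resource base: {request_path!r}")
    inside = target[len(base):].strip("/")
    if any(seg.lower() in PROTECTED_DIRS for seg in inside.split("/")):
        raise PermissionError(f"protected directory: {request_path!r}")
    return target
```

The order matters: decode fully, normalise, then authorise on the canonical form. Checking the raw or once-decoded string, as the two advisories describe, lets encoding choose what the check sees.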

CVE-2021-34428  

For Eclipse Jetty versions <= 9.4.40, <= 10.0.2, <= 11.0.2, if an exception is thrown from the SessionListener#sessionDestroyed() method, then the session ID is not invalidated in the session ID manager. On deployments with clustered sessions and multiple contexts this can result in a session not being invalidated. This can result in an application used on a shared computer being left logged in.
CWE-613 Insufficient Session Expiration

CVSSv2:
  • Base Score: LOW (3.6)
  • Vector: /AV:L/AC:L/Au:N/C:P/I:P/A:N
CVSSv3:
  • Base Score: LOW (3.5)
  • Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

References:

Vulnerable Software & Versions:

CVE-2022-2047  

In Eclipse Jetty versions 9.4.0 through 9.4.46, 10.0.0 through 10.0.9, and 11.0.0 through 11.0.9, when parsing the authority segment of an http scheme URI, the Jetty HttpURI class improperly accepts an invalid input as a hostname. This can lead to failures in a proxy scenario.
CWE-20 Improper Input Validation

CVSSv2:
  • Base Score: MEDIUM (4.0)
  • Vector: /AV:N/AC:L/Au:S/C:N/I:P/A:N
CVSSv3:
  • Base Score: LOW (2.7)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N

References:

Vulnerable Software & Versions:
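Dependency-Check matches this jar to CVEs by CPE, so every Jetty advisory whose CPE range overlaps 9.3.x appears above, including CVE-2022-2047, whose own description starts at 9.4.0. Before raising a ticket per entry it is worth checking the installed version against the ranges the descriptions state. The Python block below is an added example, not part of the tool or of Livy: a small version comparator (numeric components, alpha/beta/rc pre-release tokens, Jetty's vYYYYMMDD stamp ignored) applied to ranges transcribed from three of the descriptions above. It is deliberately not a full Maven ComparableVersion, and reading "X and older" as starting at that minor line is an assumption of the transcription.

```python
import re

PRE_RELEASE_RANK = {"alpha": -3, "beta": -2, "rc": -1}


def version_key(version):
    """Turn '9.3.24.v20180605', '10.0.0.alpha0' or '2.8.11.1' into a comparable tuple.

    Numeric tokens compare numerically. A pre-release token (alpha/beta/rc with an
    optional number) sorts below the bare release it precedes. A Jetty-style
    'vYYYYMMDD' build stamp is dropped; it never reorders versions relative to the
    numeric part. Assumption: this covers the version strings in this report; it is
    not a full implementation of Maven's ComparableVersion rules.
    """
    key = []
    for tok in re.split(r"[.\-]", version.strip().lower()):
        if tok.isdigit():
            key.append((1, int(tok), 0))
            continue
        pre = re.fullmatch(r"(alpha|beta|rc)(\d*)", tok)
        if pre:
            key.append((0, PRE_RELEASE_RANK[pre.group(1)], int(pre.group(2) or 0)))
        elif re.fullmatch(r"v\d{8}", tok):
            continue
        else:
            raise ValueError(f"unsupported version token {tok!r} in {version!r}")
    return tuple(key)


def compare(a, b):
    """-1, 0 or 1 like a comparator; missing trailing components count as .0 (release)."""
    ka, kb = list(version_key(a)), list(version_key(b))
    width = max(len(ka), len(kb))
    ka += [(1, 0, 0)] * (width - len(ka))
    kb += [(1, 0, 0)] * (width - len(kb))
    return (ka > kb) - (ka < kb)


def in_range(version, low, high):
    """Inclusive range, the way the NVD texts above phrase them ('7.2.2 to 9.4.38')."""
    return compare(low, version) <= 0 and compare(version, high) <= 0


# Affected ranges transcribed from three CVE descriptions in this report. For "X and
# older" wording the lower bound is taken as the start of that minor line. These three
# were chosen because the installed 9.3.24 falls inside the first two and outside the third.
JETTY_RANGES = {
    "CVE-2021-28165": [("7.2.2", "9.4.38"), ("10.0.0.alpha0", "10.0.1"),
                       ("11.0.0.alpha0", "11.0.1")],
    "CVE-2019-10241": [("9.2.0", "9.2.26"), ("9.3.0", "9.3.25"), ("9.4.0", "9.4.15")],
    "CVE-2022-2047": [("9.4.0", "9.4.46"), ("10.0.0", "10.0.9"), ("11.0.0", "11.0.9")],
}


def affected(version, ranges=JETTY_RANGES):
    """CVE ids whose transcribed ranges contain `version`, in the order given."""
    return [cve for cve, spans in ranges.items()
            if any(in_range(version, lo, hi) for lo, hi in spans)]
```

This narrows the list; it does not clear it. The jar at 9.3.24.v20180605 is still inside the ranges of most of the entries above, so the comparator is a triage aid for deciding which findings are real before the upgrade, not a substitute for the upgrade.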

jetty-util-9.3.24.v20180605.jar

Description:

Utility classes for Jetty

License:

http://www.apache.org/licenses/LICENSE-2.0, http://www.eclipse.org/org/documents/epl-v10.php
File Path: /root/.m2/repository/org/eclipse/jetty/jetty-util/9.3.24.v20180605/jetty-util-9.3.24.v20180605.jar
MD5: 3b9e470ba1ad988111c8459e14a74c3c
SHA1: f74fb3f999e658a2ddea397155e20da5b9126b5d
SHA256:7d77c6f41a70b12dd188056517bc20e484f5b12ae4e6aac700e6ffb941815763
Referenced In Projects/Scopes:
  • livy-integration-test:compile
  • livy-coverage-report:compile
  • livy-assembly:compile
  • livy-server:compile

Identifiers

CVE-2018-12545  

In Eclipse Jetty version 9.3.x and 9.4.x, the server is vulnerable to denial of service conditions if a remote client sends either large SETTINGS frames containing many settings, or many small SETTINGS frames. The vulnerability is due to the additional CPU and memory allocations required to handle changed settings.
CWE-770 Allocation of Resources Without Limits or Throttling

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:P
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References:

Vulnerable Software & Versions:

CVE-2021-28165  

In Eclipse Jetty 7.2.2 to 9.4.38, 10.0.0.alpha0 to 10.0.1, and 11.0.0.alpha0 to 11.0.1, CPU usage can reach 100% upon receiving a large invalid TLS frame.
CWE-755 Improper Handling of Exceptional Conditions

CVSSv2:
  • Base Score: HIGH (7.8)
  • Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:C
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References:

Vulnerable Software & Versions:

CVE-2022-2048  

In the Eclipse Jetty HTTP/2 server implementation, when encountering an invalid HTTP/2 request, the error handling has a bug that can wind up not properly cleaning up the active connections and associated resources. This can lead to a denial of service scenario where there are not enough resources left to process good requests.
CWE-400 Uncontrolled Resource Consumption ('Resource Exhaustion')

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:P
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References:

Vulnerable Software & Versions:

CVE-2020-27216  

In Eclipse Jetty versions 1.0 through 9.4.32.v20200930, 10.0.0.alpha1 through 10.0.0.beta2, and 11.0.0.alpha1 through 11.0.0.beta2, on Unix-like systems, the system's temporary directory is shared between all users on that system. A co-located user can observe the process of creating a temporary sub-directory in the shared temporary directory and race to complete the creation of the temporary sub-directory. If the attacker wins the race then they will have read and write permission to the sub-directory used to unpack web applications, including their WEB-INF/lib jar files and JSP files. If any code is ever executed out of this temporary directory, this can lead to a local privilege escalation vulnerability.
NVD-CWE-Other

CVSSv2:
  • Base Score: MEDIUM (4.4)
  • Vector: /AV:L/AC:M/Au:N/C:P/I:P/A:P
CVSSv3:
  • Base Score: HIGH (7.0)
  • Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions:
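CVE-2021-28168 (jersey-common-2.22.2.jar, above) and CVE-2020-27216 here are two faces of one problem: creating files or directories in the shared system temporary directory with permissions other local users can read (createTempFile's 0666 & ~umask) or with a creation sequence they can race. The Python block below is an added example, not Jersey or Jetty code: it reproduces the createTempFile behaviour under an explicit umask, then shows the pattern that avoids both issues, an atomically created 0700 private directory with 0600 files inside it, and returns the resulting permission bits so the difference can be checked. It assumes a POSIX filesystem that honours mode bits.

```python
import os
import shutil
import stat
import tempfile


def create_temp_like_java(directory):
    """Mimic what File.createTempFile does on Unix: exclusive create with mode 0666 and
    the final bits left to the process umask, 0644 under the common 022. Anything written
    here is readable by every local user, which is the CVE-2021-28168 condition."""
    old_umask = os.umask(0o022)  # pinned so the demonstration is deterministic
    try:
        path = os.path.join(directory, f"shared-{os.getpid()}.tmp")
        fd = os.open(path, os.O_CREAT | os.O_EXCL | os.O_WRONLY, 0o666)
        os.close(fd)
    finally:
        os.umask(old_umask)
    return path


def create_private_temp(directory):
    """mkdtemp creates a 0700 directory atomically (mkdir fails if the name already
    exists, so a racing user cannot pre-create it), then mkstemp creates the file inside
    it with 0600 regardless of umask. A private parent directory is what closes the
    CVE-2020-27216 race: nobody else can enter it, let alone plant content in it."""
    private_dir = tempfile.mkdtemp(prefix="app-", dir=directory)
    fd, path = tempfile.mkstemp(prefix="data-", dir=private_dir)
    os.close(fd)
    return private_dir, path


def mode_of(path):
    """Permission bits only, e.g. 0o644."""
    return stat.S_IMODE(os.stat(path).st_mode)


def readable_by_others(path):
    return bool(mode_of(path) & (stat.S_IRGRP | stat.S_IROTH))


def demo():
    """Create both variants in a fresh scratch directory, return their modes, and
    remove everything again."""
    scratch_dir = tempfile.mkdtemp(prefix="scratch-")
    try:
        shared = create_temp_like_java(scratch_dir)
        private_dir, private = create_private_temp(scratch_dir)
        return {
            "shared": mode_of(shared),
            "shared_readable_by_others": readable_by_others(shared),
            "private": mode_of(private),
            "private_dir": mode_of(private_dir),
        }
    finally:
        shutil.rmtree(scratch_dir, ignore_errors=True)
```

The same pattern applies to the Java side of both advisories: a per-process 0700 work directory created atomically, and every file under it created with an explicit restrictive mode rather than whatever the umask leaves. Setting the servlet container's work directory outside the shared temporary directory removes the race entirely.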

CVE-2019-10241  

In Eclipse Jetty version 9.2.26 and older, 9.3.25 and older, and 9.4.15 and older, the server is vulnerable to XSS conditions if a remote client uses a specially formatted URL against the DefaultServlet or ResourceHandler that is configured for showing a listing of directory contents.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (6.1)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

References:

Vulnerable Software & Versions:

CVE-2019-10246 (OSSINDEX)  

In Eclipse Jetty versions 9.2.27, 9.3.26, and 9.4.16, the server running on Windows is vulnerable to exposure of the fully qualified Base Resource directory name to a remote client when it is configured for showing a listing of directory contents. This information disclosure is restricted to only the content in the configured base resource directories.
CWE-200 Information Exposure

CVSSv2:
  • Base Score: MEDIUM (5.3)
  • Vector: /AV:N/AC:L/Au:/C:L/I:N/A:N

References:

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:org.eclipse.jetty:jetty-util:9.3.24.v20180605:*:*:*:*:*:*:*

CVE-2019-10247  

In Eclipse Jetty version 7.x, 8.x, 9.2.27 and older, 9.3.26 and older, and 9.4.16 and older, the server running on any OS and Jetty version combination will reveal the configured fully qualified directory base resource location on the output of the 404 error for not finding a Context that matches the requested path. The default server behavior on jetty-distribution and jetty-home will include at the end of the Handler tree a DefaultHandler, which is responsible for reporting this 404 error; it presents the various configured contexts as HTML for users to click through to. This produced HTML includes output that contains the configured fully qualified directory base resource location for each context.
CWE-200 Information Exposure

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSSv3:
  • Base Score: MEDIUM (5.3)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

References:

Vulnerable Software & Versions:

CVE-2021-28169  

For Eclipse Jetty versions <= 9.4.40, <= 10.0.2, <= 11.0.2, it is possible for requests to the ConcatServlet with a doubly encoded path to access protected resources within the WEB-INF directory. For example, a request to `/concat?/%2557EB-INF/web.xml` can retrieve the web.xml file. This can reveal sensitive information regarding the implementation of a web application.
NVD-CWE-Other

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSSv3:
  • Base Score: MEDIUM (5.3)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

References:

Vulnerable Software & Versions:

CVE-2021-34428  

For Eclipse Jetty versions <= 9.4.40, <= 10.0.2, <= 11.0.2, if an exception is thrown from the SessionListener#sessionDestroyed() method, then the session ID is not invalidated in the session ID manager. On deployments with clustered sessions and multiple contexts this can result in a session not being invalidated. This can result in an application used on a shared computer being left logged in.
CWE-613 Insufficient Session Expiration

CVSSv2:
  • Base Score: LOW (3.6)
  • Vector: /AV:L/AC:L/Au:N/C:P/I:P/A:N
CVSSv3:
  • Base Score: LOW (3.5)
  • Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

References:

Vulnerable Software & Versions:

CVE-2022-2047  

In Eclipse Jetty versions 9.4.0 thru 9.4.46, 10.0.0 thru 10.0.9, and 11.0.0 thru 11.0.9, when parsing the authority segment of an http scheme URI, the Jetty HttpURI class improperly detects an invalid input as a hostname. This can lead to failures in a Proxy scenario.
CWE-20 Improper Input Validation

CVSSv2:
  • Base Score: MEDIUM (4.0)
  • Vector: /AV:N/AC:L/Au:S/C:N/I:P/A:N
CVSSv3:
  • Base Score: LOW (2.7)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N

References:

Vulnerable Software & Versions:

jetty-xml-9.4.6.v20170531.jar

Description:

The jetty xml utilities.

License:

http://www.apache.org/licenses/LICENSE-2.0, http://www.eclipse.org/org/documents/epl-v10.php
File Path: /root/.m2/repository/org/eclipse/jetty/jetty-xml/9.4.6.v20170531/jetty-xml-9.4.6.v20170531.jar
MD5: 7a6d5917b1c066cfef3b046f9c44ba3b
SHA1: 25818a656163364b89966fbfdc6f43a8d8b65d2a
SHA256:73a6460c8f856cadeb4f9b2469532b9ac2a5f9de2b6cdefe81aabd73a5a89a6d
Referenced In Project/Scope: livy-integration-test:compile

Identifiers

CVE-2017-7657  

In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), transfer-encoding chunks are handled poorly. The chunk length parsing was vulnerable to an integer overflow. Thus a large chunk size could be interpreted as a smaller chunk size and content sent as chunk body could be interpreted as a pipelined request. If Jetty was deployed behind an intermediary that imposed some authorization and that intermediary allowed arbitrarily large chunks to be passed on unchanged, then this flaw could be used to bypass the authorization imposed by the intermediary as the fake pipelined request would not be interpreted by the intermediary as a request.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling'), CWE-190 Integer Overflow or Wraparound

CVSSv2:
  • Base Score: HIGH (7.5)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions:

CVE-2017-7658  

In Eclipse Jetty Server, versions 9.2.x and older, 9.3.x (all non HTTP/1.x configurations), and 9.4.x (all HTTP/1.x configurations), when presented with two content-length headers, Jetty ignored the second. When presented with a content-length and a chunked encoding header, the content-length was ignored (as per RFC 2616). If an intermediary decided on the shorter length, but still passed on the longer body, then body content could be interpreted by Jetty as a pipelined request. If the intermediary was imposing authorization, the fake pipelined request would bypass that authorization.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')

CVSSv2:
  • Base Score: HIGH (7.5)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions:

CVE-2018-12538  

In Eclipse Jetty versions 9.4.0 through 9.4.8, when using the optional Jetty provided FileSessionDataStore for persistent storage of HttpSession details, it is possible for a malicious user to access/hijack other HttpSessions and even delete unmatched HttpSessions present in the FileSystem's storage for the FileSessionDataStore.
CWE-384 Session Fixation

CVSSv2:
  • Base Score: MEDIUM (6.5)
  • Vector: /AV:N/AC:L/Au:S/C:P/I:P/A:P
CVSSv3:
  • Base Score: HIGH (8.8)
  • Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions:

CVE-2017-7656  

In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), HTTP/0.9 is handled poorly. An HTTP/1 style request line (i.e. method space URI space version) that declares a version of HTTP/0.9 was accepted and treated as a 0.9 request. If deployed behind an intermediary that also accepted and passed through the 0.9 version (but did not act on it), then the response sent could be interpreted by the intermediary as HTTP/1 headers. This could be used to poison the cache if the server allowed the origin client to generate arbitrary content in the response.
NVD-CWE-noinfo

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

References:

Vulnerable Software & Versions:

CVE-2018-12545  

In Eclipse Jetty version 9.3.x and 9.4.x, the server is vulnerable to Denial of Service conditions if a remote client sends either large SETTINGS frames containing many settings, or many small SETTINGS frames. The vulnerability is due to the additional CPU and memory allocations required to handle changed settings.
CWE-770 Allocation of Resources Without Limits or Throttling

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:P
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References:

Vulnerable Software & Versions:

CVE-2021-28165  

In Eclipse Jetty 7.2.2 to 9.4.38, 10.0.0.alpha0 to 10.0.1, and 11.0.0.alpha0 to 11.0.1, CPU usage can reach 100% upon receiving a large invalid TLS frame.
CWE-755 Improper Handling of Exceptional Conditions

CVSSv2:
  • Base Score: HIGH (7.8)
  • Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:C
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References:

Vulnerable Software & Versions:

CVE-2022-2048  

In the Eclipse Jetty HTTP/2 server implementation, when encountering an invalid HTTP/2 request, the error handling has a bug that can wind up not properly cleaning up the active connections and associated resources. This can lead to a Denial of Service scenario where there are not enough resources left to process good requests.
CWE-400 Uncontrolled Resource Consumption ('Resource Exhaustion')

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:P
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References:

Vulnerable Software & Versions:

CVE-2020-27216  

In Eclipse Jetty versions 1.0 thru 9.4.32.v20200930, 10.0.0.alpha1 thru 10.0.0.beta2, and 11.0.0.alpha1 thru 11.0.0.beta2O, on Unix-like systems, the system's temporary directory is shared between all users on that system. A collocated user can observe the process of creating a temporary subdirectory in the shared temporary directory and race to complete the creation of the temporary subdirectory. If the attacker wins the race then they will have read and write permission to the subdirectory used to unpack web applications, including their WEB-INF/lib jar files and JSP files. If any code is ever executed out of this temporary directory, this can lead to a local privilege escalation vulnerability.
NVD-CWE-Other

CVSSv2:
  • Base Score: MEDIUM (4.4)
  • Vector: /AV:L/AC:M/Au:N/C:P/I:P/A:P
CVSSv3:
  • Base Score: HIGH (7.0)
  • Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions:

CVE-2019-10241  

In Eclipse Jetty version 9.2.26 and older, 9.3.25 and older, and 9.4.15 and older, the server is vulnerable to XSS conditions if a remote client uses a specially formatted URL against the DefaultServlet or ResourceHandler that is configured for showing a listing of directory contents.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (6.1)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

References:

Vulnerable Software & Versions:

CVE-2018-12536  

In Eclipse Jetty Server, all 9.x versions, on webapps deployed using default Error Handling, when an intentionally bad query arrives that doesn't match a dynamic url-pattern, and is eventually handled by the DefaultServlet's static file serving, the bad characters can trigger a java.nio.file.InvalidPathException which includes the full path to the base resource directory that the DefaultServlet and/or webapp is using. If this InvalidPathException is then handled by the default Error Handler, the InvalidPathException message is included in the error response, revealing the full server path to the requesting system.
NVD-CWE-noinfo

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSSv3:
  • Base Score: MEDIUM (5.3)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

References:

Vulnerable Software & Versions:

CVE-2019-10247  

In Eclipse Jetty version 7.x, 8.x, 9.2.27 and older, 9.3.26 and older, and 9.4.16 and older, the server running on any OS and Jetty version combination will reveal the configured fully qualified directory base resource location on the output of the 404 error for not finding a Context that matches the requested path. The default server behavior on jetty-distribution and jetty-home will include at the end of the Handler tree a DefaultHandler, which is responsible for reporting this 404 error; it presents the various configured contexts as HTML for users to click through to. This produced HTML includes output that contains the configured fully qualified directory base resource location for each context.
CWE-200 Information Exposure

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSSv3:
  • Base Score: MEDIUM (5.3)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

References:

Vulnerable Software & Versions:

CVE-2020-27223  

In Eclipse Jetty 9.4.6.v20170531 to 9.4.36.v20210114 (inclusive), 10.0.0, and 11.0.0 when Jetty handles a request containing multiple Accept headers with a large number of “quality” (i.e. q) parameters, the server may enter a denial of service (DoS) state due to high CPU usage processing those quality values, resulting in minutes of CPU time exhausted processing those quality values.
CWE-400 Uncontrolled Resource Consumption ('Resource Exhaustion')

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:N/A:P
CVSSv3:
  • Base Score: MEDIUM (5.3)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

References:

Vulnerable Software & Versions:

CVE-2021-28169  

For Eclipse Jetty versions <= 9.4.40, <= 10.0.2, <= 11.0.2, it is possible for requests to the ConcatServlet with a doubly encoded path to access protected resources within the WEB-INF directory. For example, a request to `/concat?/%2557EB-INF/web.xml` can retrieve the web.xml file. This can reveal sensitive information regarding the implementation of a web application.
NVD-CWE-Other

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSSv3:
  • Base Score: MEDIUM (5.3)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

References:

Vulnerable Software & Versions:

CVE-2020-27218  

In Eclipse Jetty version 9.4.0.RC0 to 9.4.34.v20201102, 10.0.0.alpha0 to 10.0.0.beta2, and 11.0.0.alpha0 to 11.0.0.beta2, if GZIP request body inflation is enabled and requests from different clients are multiplexed onto a single connection, and if an attacker can send a request with a body that is received entirely but not consumed by the application, then a subsequent request on the same connection will see that body prepended to its body. The attacker will not see any data but may inject data into the body of the subsequent request.
NVD-CWE-noinfo

CVSSv2:
  • Base Score: MEDIUM (5.8)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:P
CVSSv3:
  • Base Score: MEDIUM (4.8)
  • Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L

References:

Vulnerable Software & Versions:

CVE-2021-34428  

For Eclipse Jetty versions <= 9.4.40, <= 10.0.2, <= 11.0.2, if an exception is thrown from the SessionListener#sessionDestroyed() method, then the session ID is not invalidated in the session ID manager. On deployments with clustered sessions and multiple contexts this can result in a session not being invalidated. This can result in an application used on a shared computer being left logged in.
CWE-613 Insufficient Session Expiration

CVSSv2:
  • Base Score: LOW (3.6)
  • Vector: /AV:L/AC:L/Au:N/C:P/I:P/A:N
CVSSv3:
  • Base Score: LOW (3.5)
  • Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

References:

Vulnerable Software & Versions:

CVE-2022-2047  

In Eclipse Jetty versions 9.4.0 thru 9.4.46, 10.0.0 thru 10.0.9, and 11.0.0 thru 11.0.9, when parsing the authority segment of an http scheme URI, the Jetty HttpURI class improperly detects an invalid input as a hostname. This can lead to failures in a Proxy scenario.
CWE-20 Improper Input Validation

CVSSv2:
  • Base Score: MEDIUM (4.0)
  • Vector: /AV:N/AC:L/Au:S/C:N/I:P/A:N
CVSSv3:
  • Base Score: LOW (2.7)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N

References:

Vulnerable Software & Versions:

jline-0.9.94.jar

Description:

JLine is a java library for reading and editing user input in console applications. It features tab-completion, command history, password masking, customizable keybindings, and pass-through handlers to use to chain to other console applications.

License:

BSD: LICENSE.txt
File Path: /root/.m2/repository/jline/jline/0.9.94/jline-0.9.94.jar
MD5: 46235c960277206f00fe24714437bc89
SHA1: 99a18e9a44834afdebc467294e1138364c207402
SHA256:d8df0ffb12d87ca876271cda4d59b3feb94123882c1be1763b7faf2e0a0b0cbb
Referenced In Projects/Scopes:
  • livy-integration-test:compile
  • livy-coverage-report:compile
  • livy-assembly:compile
  • livy-server:compile

Identifiers

jline-0.9.94.jar: jline32.dll

File Path: /root/.m2/repository/jline/jline/0.9.94/jline-0.9.94.jar/jline/jline32.dll
MD5: b3d9a08ff70440ba3638a325512f2cd8
SHA1: 67a55d8f8ca4937d784d4334e554770adc2a1079
SHA256:3ddb21ed441296861413cfd109c61f12626ecc66ece659754b621d295fe9b23c
Referenced In Projects/Scopes:
  • livy-integration-test:compile
  • livy-coverage-report:compile
  • livy-assembly:compile
  • livy-server:compile

Identifiers

  • None

jline-0.9.94.jar: jline64.dll

File Path: /root/.m2/repository/jline/jline/0.9.94/jline-0.9.94.jar/jline/jline64.dll
MD5: d2f7b0db1231aac1846a857f5c0c4f2c
SHA1: e297e4e990ce820e64d41f3f27b9be90283f3f96
SHA256:f496874c86992b7436962451e05d1ffc9ca32ab64ce819501c42d807670e376e
Referenced In Projects/Scopes:
  • livy-integration-test:compile
  • livy-coverage-report:compile
  • livy-assembly:compile
  • livy-server:compile

Identifiers

  • None

joda-time-2.9.1.jar

Description:

Date and time library to replace JDK date handling

License:

Apache 2: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /root/.m2/repository/joda-time/joda-time/2.9.1/joda-time-2.9.1.jar
MD5: 40e3bd5a6dfe51f8ffc7f5f93294fe07
SHA1: c261495d1e01df849cdb3cbc941564018f0d3539
SHA256:c508f78ed9ac388cfccad7974ee282175f05ae25b68f0cc6eef21f8aeb3ceeaa
Referenced In Projects/Scopes:
  • livy-coverage-report:compile
  • livy-assembly:compile

Identifiers

joda-time-2.9.3.jar

Description:

Date and time library to replace JDK date handling

License:

Apache 2: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /root/.m2/repository/joda-time/joda-time/2.9.3/joda-time-2.9.3.jar
MD5: 9ffc66df25680a22463b41de17b3be5d
SHA1: 9e46be514a4ed60bcfbaaba88a3c668cf30476ab
SHA256:a05f5b8b021802a71919b18702aebdf286148188b3ee9d26e6ec40e8d0071487
Referenced In Projects/Scopes:
  • livy-scala-api_2.12:provided
  • livy-integration-test:compile
  • livy-rsc:provided
  • livy-repl-parent:provided
  • livy-test-lib:provided
  • livy-api:provided
  • livy-scala-api_2.11:provided
  • livy-scala-api-parent:provided
  • livy-repl_2.12:provided
  • livy-server:compile
  • livy-repl_2.11:provided
  • livy-examples:compile

Identifiers

jodd-core-3.5.2.jar

Description:

Jodd Core tools and utilities, including type converters, JDateTime, cache etc.

License:

The New BSD License: http://jodd.org/license.html
File Path: /root/.m2/repository/org/jodd/jodd-core/3.5.2/jodd-core-3.5.2.jar
MD5: 22c37c2de6e254dff68b787da51e160e
SHA1: a9ac8028eeeb5fa430e17017628629c94123c401
SHA256:562478781548bd9cbdeef87f940967cf5cbcd5c1e6497a9056c8c89e603ec9be
Referenced In Projects/Scopes:
  • livy-scala-api_2.12:provided
  • livy-scala-api_2.11:provided
  • livy-scala-api-parent:provided
  • livy-repl_2.12:provided
  • livy-rsc:provided
  • livy-repl-parent:provided
  • livy-test-lib:provided
  • livy-repl_2.11:provided
  • livy-examples:compile
  • livy-api:provided

Identifiers

CVE-2018-21234  

Jodd before 5.0.4 performs Deserialization of Untrusted JSON Data when setClassMetadataName is set.
CWE-502 Deserialization of Untrusted Data

CVSSv2:
  • Base Score: HIGH (7.5)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions:

jquery.dataTables.min.js

File Path: /workspace/server/src/main/resources/org/apache/livy/server/ui/static/js/jquery.dataTables.min.js
MD5: bcf14f55a3878cef5e522906ce13235b
SHA1: 588658fcd1f3acda0cd435dd583b1fe869d8f67b
SHA256:8f4d3b47b47a8a31163dad5d7fb15e27a0056d07b0c34c6089fd9225664e847c
Referenced In Project/Scope: livy-server

Identifiers

  • None

jsch-0.1.42.jar

Description:

JSch is a pure Java implementation of SSH2

License:

BSD: http://www.jcraft.com/jsch/LICENSE.txt
File Path: /root/.m2/repository/com/jcraft/jsch/0.1.42/jsch-0.1.42.jar
MD5: 74ea920580077b4c0b51101a8292a529
SHA1: a86104b0f2e0c0bab5b0df836065823a99b5e334
SHA256:74297550aecc3b566ee19e49befb9cd49e2326c9d8d71ad5071bacc655b760dc
Referenced In Projects/Scopes:
  • livy-integration-test:compile
  • livy-rsc:provided

Identifiers

CVE-2016-5725  

Directory traversal vulnerability in JCraft JSch before 0.1.54 on Windows, when the mode is ChannelSftp.OVERWRITE, allows remote SFTP servers to write to arbitrary files via a ..\ (dot dot backslash) in a response to a recursive GET command.
CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (5.9)
  • Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

References:

Vulnerable Software & Versions:

json4s-ast_2.11-3.5.3.jar

Description:

json4s-ast

License:

Apache-2.0: http://www.apache.org/licenses/LICENSE-2.0
File Path: /root/.m2/repository/org/json4s/json4s-ast_2.11/3.5.3/json4s-ast_2.11-3.5.3.jar
MD5: d6fa477dc3eb6993a089eba1ccc8011e
SHA1: f1b60133c0667114a02e122d7f05e334dadc03a7
SHA256:66659e7e7c3f744eceba8038a537aea39a8a416f9f830adb253eca18a36128ad
Referenced In Projects/Scopes:
  • livy-integration-test:compile
  • livy-rsc:provided
  • livy-repl-parent:compile
  • livy-test-lib:provided
  • livy-api:provided
  • livy-repl_2.11:compile
  • livy-scala-api_2.11:provided
  • livy-scala-api-parent:provided
  • livy-coverage-report:compile
  • livy-assembly:compile
  • livy-server:compile
  • livy-examples:compile

Identifiers

json4s-ast_2.12-3.5.3.jar

Description:

json4s-ast

License:

Apache-2.0: http://www.apache.org/licenses/LICENSE-2.0
File Path: /root/.m2/repository/org/json4s/json4s-ast_2.12/3.5.3/json4s-ast_2.12-3.5.3.jar
MD5: 874bb12065ad37c9fdd7b7bbd3451c8f
SHA1: b5b380b29e6958126f423898b18985e123ccc903
SHA256:d3e98823cad21c00376121e53b75c9c25b4b235508ac14da36d50eabf419702f
Referenced In Projects/Scopes:
  • livy-scala-api_2.12:provided
  • livy-coverage-report:compile
  • livy-assembly:compile
  • livy-repl_2.12:compile

Identifiers

json4s-core_2.11-3.5.3.jar

Description:

json4s-core

License:

Apache-2.0: http://www.apache.org/licenses/LICENSE-2.0
File Path: /root/.m2/repository/org/json4s/json4s-core_2.11/3.5.3/json4s-core_2.11-3.5.3.jar
MD5: 20d39eb37345873b8cc1f08fca0a51f5
SHA1: 4ea70f8fec94e03341c81d21e924d8c469ef0b61
SHA256:e3fa5e679b63bd5df561624108b772c19d9c3541d1949449dbbb61e4eee328ea
Referenced In Projects/Scopes:
  • livy-integration-test:compile
  • livy-rsc:provided
  • livy-repl-parent:compile
  • livy-test-lib:provided
  • livy-api:provided
  • livy-repl_2.11:compile
  • livy-scala-api_2.11:provided
  • livy-scala-api-parent:provided
  • livy-coverage-report:compile
  • livy-assembly:compile
  • livy-server:compile
  • livy-examples:compile

Identifiers

json4s-core_2.12-3.5.3.jar

Description:

json4s-core

License:

Apache-2.0: http://www.apache.org/licenses/LICENSE-2.0
File Path: /root/.m2/repository/org/json4s/json4s-core_2.12/3.5.3/json4s-core_2.12-3.5.3.jar
MD5: d72a1e9c1b10a7be0d5cba261e9fca75
SHA1: 607a376387d30ce87ed5f633f3e129b7a6101912
SHA256:f22d9dffa759f89c2f97219c276efbf2fcec93ed41168dc9860453f0884df1e3
Referenced In Projects/Scopes:
  • livy-scala-api_2.12:provided
  • livy-coverage-report:compile
  • livy-assembly:compile
  • livy-repl_2.12:compile

Identifiers

json4s-jackson_2.11-3.5.3.jar

Description:

json4s-jackson

License:

Apache-2.0: http://www.apache.org/licenses/LICENSE-2.0
File Path: /root/.m2/repository/org/json4s/json4s-jackson_2.11/3.5.3/json4s-jackson_2.11-3.5.3.jar
MD5: cbe4e8d6dcaded1c4193b629009e7153
SHA1: 733a711a66d8eecbde9cfd7618235eae0d349a6d
SHA256:228e25ecc31796340544c49e4b5ca97aceb9a345970b5b67b800a77cfdce9730
Referenced In Projects/Scopes:
  • livy-integration-test:compile
  • livy-rsc:provided
  • livy-repl-parent:compile
  • livy-test-lib:provided
  • livy-api:provided
  • livy-repl_2.11:compile
  • livy-scala-api_2.11:provided
  • livy-scala-api-parent:provided
  • livy-coverage-report:compile
  • livy-assembly:compile
  • livy-server:compile
  • livy-examples:compile

Identifiers

json4s-jackson_2.12-3.5.3.jar

Description:

json4s-jackson

License:

Apache-2.0: http://www.apache.org/licenses/LICENSE-2.0
File Path: /root/.m2/repository/org/json4s/json4s-jackson_2.12/3.5.3/json4s-jackson_2.12-3.5.3.jar
MD5: 4b38ac21284874013a5b0675fa0d5941
SHA1: 284f9c35c34f758e8be8a33ec710946075988f0c
SHA256:5d4754659b4b87a0e6a8e00cc595c2922dd495e92eab74f0c5986a92455cfe25
Referenced In Projects/Scopes:
  • livy-scala-api_2.12:provided
  • livy-coverage-report:compile
  • livy-assembly:compile
  • livy-repl_2.12:compile

Identifiers

json4s-scalap_2.11-3.5.3.jar

Description:

json4s-scalap

License:

Apache-2.0: http://www.apache.org/licenses/LICENSE-2.0
File Path: /root/.m2/repository/org/json4s/json4s-scalap_2.11/3.5.3/json4s-scalap_2.11-3.5.3.jar
MD5: 769f3cd3c587adfa54ba794b108fd193
SHA1: a78590f694a565a63ca6ba0eae8cd19f52d79ec4
SHA256:972201e8e0ac11a79abebde92a3a918365001c5e3bfc0bd93d0f809550bce854
Referenced In Projects/Scopes:
  • livy-integration-test:compile
  • livy-rsc:provided
  • livy-repl-parent:compile
  • livy-test-lib:provided
  • livy-api:provided
  • livy-repl_2.11:compile
  • livy-scala-api_2.11:provided
  • livy-scala-api-parent:provided
  • livy-coverage-report:compile
  • livy-assembly:compile
  • livy-server:compile
  • livy-examples:compile

Identifiers

json4s-scalap_2.12-3.5.3.jar

Description:

json4s-scalap

License:

Apache-2.0: http://www.apache.org/licenses/LICENSE-2.0
File Path: /root/.m2/repository/org/json4s/json4s-scalap_2.12/3.5.3/json4s-scalap_2.12-3.5.3.jar
MD5: 3cd4717522941dddb3c9961306b8453b
SHA1: fa973e0c8d3fe988e469753a9c2d922660c9f0f4
SHA256:5866d348b962e9e239bcaf3c0634fc9d93a3718098eb3230ee75ebde1129d3d1
Referenced In Projects/Scopes:
  • livy-scala-api_2.12:provided
  • livy-coverage-report:compile
  • livy-assembly:compile
  • livy-repl_2.12:compile

Identifiers

json4s-xml_2.11-3.6.3.jar

Description:

json4s-xml

License:

Apache-2.0: http://www.apache.org/licenses/LICENSE-2.0
File Path: /root/.m2/repository/org/json4s/json4s-xml_2.11/3.6.3/json4s-xml_2.11-3.6.3.jar
MD5: 4af379f6135c9e373552333b87fa0105
SHA1: 58cc93c75390ad3dadf53ced91424ac1345deb57
SHA256:3f9fff75fa0f0697823c9166b3ad3ebee076dba63013dc12164d2c1dc35f58f6
Referenced In Projects/Scopes:
  • livy-integration-test:compile
  • livy-coverage-report:compile
  • livy-assembly:compile
  • livy-server:compile

Identifiers

jsp-api-2.1.jar

File Path: /root/.m2/repository/javax/servlet/jsp/jsp-api/2.1/jsp-api-2.1.jar
MD5: b8a34113a3a1ce29c8c60d7141f5a704
SHA1: 63f943103f250ef1f3a4d5e94d145a0f961f5316
SHA256:545f4e7dc678ffb4cf8bd0fd40b4a4470a409a787c0ea7d0ad2f08d56112987b
Referenced In Projects/Scopes:
  • livy-scala-api_2.12:provided
  • livy-server:runtime
  • livy-rsc:provided
  • livy-examples:runtime
  • livy-repl-parent:provided
  • livy-test-lib:provided
  • livy-api:provided
  • livy-coverage-report:runtime
  • livy-scala-api_2.11:provided
  • livy-scala-api-parent:provided
  • livy-assembly:runtime
  • livy-integration-test:runtime
  • livy-repl_2.12:provided
  • livy-repl_2.11:provided

Identifiers

jsr305-1.3.9.jar

Description:

JSR305 Annotations for Findbugs

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /root/.m2/repository/com/google/code/findbugs/jsr305/1.3.9/jsr305-1.3.9.jar
MD5: 1d5a772e400b04bb67a7ef4a0e0996d8
SHA1: 40719ea6961c0cb6afaeb6a921eaa1f6afd4cfdf
SHA256:905721a0eea90a81534abb7ee6ef4ea2e5e645fa1def0a5cd88402df1b46c9ed
Referenced In Projects/Scopes:
  • livy-scala-api_2.12:provided
  • livy-scala-api_2.11:provided
  • livy-scala-api-parent:provided
  • livy-repl_2.12:provided
  • livy-server:compile
  • livy-rsc:provided
  • livy-repl-parent:provided
  • livy-test-lib:provided
  • livy-repl_2.11:provided
  • livy-examples:compile
  • livy-api:provided

Identifiers

jsr305-3.0.0.jar

Description:

JSR305 Annotations for Findbugs

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /root/.m2/repository/com/google/code/findbugs/jsr305/3.0.0/jsr305-3.0.0.jar
MD5: 195d5db8981fbec5fa18d5df9fad95ed
SHA1: 5871fb60dc68d67da54a663c3fd636a10a532948
SHA256:bec0b24dcb23f9670172724826584802b80ae6cbdaba03bdebdef9327b962f6a
Referenced In Projects/Scopes:
  • livy-integration-test:compile
  • livy-coverage-report:compile
  • livy-assembly:compile

Identifiers

jta-1.1.jar

Description:

The javax.transaction package. It is appropriate for inclusion in a classpath, and may be added to a Java 2 installation.

File Path: /root/.m2/repository/javax/transaction/jta/1.1/jta-1.1.jar
MD5: 82a10ce714f411b28f13850059de09ee
SHA1: 2ca09f0b36ca7d71b762e14ea2ff09d5eac57558
SHA256:b8ec163b4a47bad16f9a0b7d03c3210c6b0a29216d768031073ac20817c0ba50
Referenced In Projects/Scopes:
  • livy-scala-api_2.12:provided
  • livy-scala-api_2.11:provided
  • livy-scala-api-parent:provided
  • livy-repl_2.12:provided
  • livy-rsc:provided
  • livy-repl-parent:provided
  • livy-test-lib:provided
  • livy-repl_2.11:provided
  • livy-examples:compile
  • livy-api:provided

Identifiers

jtransforms-2.4.0.jar

Description:

JTransforms is the first, open source, multithreaded FFT library written in pure Java. Benchmark results show better performance than FFTW.

License:

MPL: http://www.mozilla.org/MPL/2.0/index.txt
LGPL: http://www.gnu.org/licenses/lgpl-2.1.txt
GPL: http://www.gnu.org/licenses/gpl-2.0.txt
File Path: /root/.m2/repository/com/github/rwl/jtransforms/2.4.0/jtransforms-2.4.0.jar
MD5: 9c9fe6cc3f85b1afebdbd7aa25b8a268
SHA1: 20ab3d14a0375cc2baee9452b92b217aac7e3c57
SHA256:30be689d80d53a358951b183b083206430b7654199b13f6aa4b5e12078015f83
Referenced In Projects/Scopes:
  • livy-repl_2.12:provided
  • livy-repl-parent:provided
  • livy-repl_2.11:provided

Identifiers

jul-to-slf4j-1.7.16.jar

Description:

JUL to SLF4J bridge

File Path: /root/.m2/repository/org/slf4j/jul-to-slf4j/1.7.16/jul-to-slf4j-1.7.16.jar
MD5: 228ccd417ce9b7b6dcd78e8fee1a8ca0
SHA1: 2d5b546c5557dcbf08c3a381d7dc9bd275a602c1
SHA256:a67d98d27bfcbc120e0efbf47cf07fab85cb32b6b274d43257a29fa14bb659d0
Referenced In Projects/Scopes:
  • livy-scala-api_2.12:provided
  • livy-scala-api_2.11:provided
  • livy-scala-api-parent:provided
  • livy-repl_2.12:provided
  • livy-rsc:provided
  • livy-repl-parent:provided
  • livy-test-lib:provided
  • livy-repl_2.11:provided
  • livy-examples:compile
  • livy-api:provided

Identifiers

juniversalchardet-1.0.3.jar

Description:

Java port of universalchardet

License:

Mozilla Public License 1.1 (MPL 1.1): http://www.mozilla.org/MPL/MPL-1.1.html
File Path: /root/.m2/repository/com/googlecode/juniversalchardet/juniversalchardet/1.0.3/juniversalchardet-1.0.3.jar
MD5: d9ea0a9a275336c175b343f2e4cd8f27
SHA1: cd49678784c46aa8789c060538e0154013bb421b
SHA256:757bfe906193b8b651e79dc26cd67d6b55d0770a2cdfb0381591504f779d4a76
Referenced In Projects/Scopes:
  • livy-integration-test:compile
  • livy-coverage-report:compile
  • livy-assembly:compile
  • livy-server:compile

Identifiers

kryo-shaded-4.0.2.jar (shaded: com.esotericsoftware:reflectasm:1.11.3)

Description:

High performance Java reflection using code generation

License:

New BSD License: http://www.opensource.org/licenses/bsd-license.php
File Path: /root/.m2/repository/com/esotericsoftware/kryo-shaded/4.0.2/kryo-shaded-4.0.2.jar/META-INF/maven/com.esotericsoftware/reflectasm/pom.xml
MD5: 9ab3a0dad36d0b32447722ad06018470
SHA1: da632f37b4ae2181ea53e43b3212428c2a23c478
SHA256: 1c5a80634d547bf5ec80c71624db9d8837e2702d01375e3b8b5c0f32d1e81e61
Referenced In Projects/Scopes:
  • livy-scala-api_2.12:provided
  • livy-integration-test:compile
  • livy-repl-parent:compile
  • livy-test-lib:provided
  • livy-client-common:compile
  • livy-rsc:compile
  • livy-api:provided
  • livy-core-parent:compile
  • livy-repl_2.11:compile
  • livy-scala-api_2.11:provided
  • livy-scala-api-parent:provided
  • livy-coverage-report:compile
  • livy-assembly:compile
  • livy-repl_2.12:compile
  • livy-server:compile
  • livy-core_2.11:compile
  • livy-core_2.12:compile
  • livy-examples:compile
  • livy-client-http:compile

Identifiers

kryo-shaded-4.0.2.jar

Description:

Fast, efficient Java serialization. This is the parent pom that assembles the main kryo and shaded kryo artifacts.

License:

3-Clause BSD License: https://opensource.org/licenses/BSD-3-Clause
File Path: /root/.m2/repository/com/esotericsoftware/kryo-shaded/4.0.2/kryo-shaded-4.0.2.jar
MD5: 27717b481916c44eed34ea7a68782ed5
SHA1: e8c89779f93091aa9cb895093402b5d15065bf88
SHA256: a4899f57fef456b9ec66f730e7b493ecb3dc494cc5758721ed9c18416fd2d3b6
Referenced In Projects/Scopes:
  • livy-scala-api_2.12:provided
  • livy-integration-test:compile
  • livy-repl-parent:compile
  • livy-test-lib:provided
  • livy-client-common:compile
  • livy-rsc:compile
  • livy-api:provided
  • livy-core-parent:compile
  • livy-repl_2.11:compile
  • livy-scala-api_2.11:provided
  • livy-scala-api-parent:provided
  • livy-coverage-report:compile
  • livy-assembly:compile
  • livy-repl_2.12:compile
  • livy-server:compile
  • livy-core_2.11:compile
  • livy-core_2.12:compile
  • livy-examples:compile
  • livy-client-http:compile

Identifiers

leveldbjni-all-1.8.jar

Description:

An uber jar which contains all the leveldbjni platform libraries and dependencies

License:

http://www.opensource.org/licenses/BSD-3-Clause
File Path: /root/.m2/repository/org/fusesource/leveldbjni/leveldbjni-all/1.8/leveldbjni-all-1.8.jar
MD5: 6944e9bc03c7938868e53c96726ae914
SHA1: 707350a2eeb1fa2ed77a32ddb3893ed308e941db
SHA256: c297213b0e6f9392305952753f3099a4c02e70b3656266fe01867e7b6c160ffe
Referenced In Projects/Scopes:
  • livy-scala-api_2.12:provided
  • livy-integration-test:compile
  • livy-rsc:provided
  • livy-repl-parent:provided
  • livy-test-lib:provided
  • livy-api:provided
  • livy-scala-api_2.11:provided
  • livy-scala-api-parent:provided
  • livy-coverage-report:compile
  • livy-assembly:compile
  • livy-repl_2.12:provided
  • livy-server:compile
  • livy-repl_2.11:provided
  • livy-examples:compile

Identifiers

leveldbjni-all-1.8.jar: leveldbjni.dll

File Path: /root/.m2/repository/org/fusesource/leveldbjni/leveldbjni-all/1.8/leveldbjni-all-1.8.jar/META-INF/native/windows32/leveldbjni.dll
MD5: 551b9310a9ed358359296a89715df2f4
SHA1: bba450e93688b872b3fcaa31e8457950e97d8429
SHA256: 3cf3f6284f99acad369a15f0b4eca8e0dec2b0342651c519e4665570da8a68ee
Referenced In Projects/Scopes:

  • livy-scala-api_2.12:provided
  • livy-integration-test:compile
  • livy-rsc:provided
  • livy-repl-parent:provided
  • livy-test-lib:provided
  • livy-api:provided
  • livy-scala-api_2.11:provided
  • livy-scala-api-parent:provided
  • livy-coverage-report:compile
  • livy-assembly:compile
  • livy-repl_2.12:provided
  • livy-server:compile
  • livy-repl_2.11:provided
  • livy-examples:compile

Identifiers

  • None

leveldbjni-all-1.8.jar: leveldbjni.dll

File Path: /root/.m2/repository/org/fusesource/leveldbjni/leveldbjni-all/1.8/leveldbjni-all-1.8.jar/META-INF/native/windows64/leveldbjni.dll
MD5: 4b6fa20009ca1eb556e752671461a3f2
SHA1: 978ca9c96c03eb220556ce5bc96c715f95a0967c
SHA256: 7794f7bbc848d1a9ad98996f2c68a1cf12ac17562f646c6d7f5733404a7b5ef1
Referenced In Projects/Scopes:

  • livy-scala-api_2.12:provided
  • livy-integration-test:compile
  • livy-rsc:provided
  • livy-repl-parent:provided
  • livy-test-lib:provided
  • livy-api:provided
  • livy-scala-api_2.11:provided
  • livy-scala-api-parent:provided
  • livy-coverage-report:compile
  • livy-assembly:compile
  • livy-repl_2.12:provided
  • livy-server:compile
  • livy-repl_2.11:provided
  • livy-examples:compile

Identifiers

  • None

libfb303-0.9.3.jar

Description:

Thrift is a software framework for scalable cross-language services development.

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /root/.m2/repository/org/apache/thrift/libfb303/0.9.3/libfb303-0.9.3.jar
MD5: 5e1c646346ecf2750a1b8b6cb2aa1c4f
SHA1: 5d1abb695642e88558f4e7e0d32aa1925a1fd0b7
SHA256: 23fc397a42181b17bb7d0fada2213735ed8db38cfbf038d12b9c00ea7419e11b
Referenced In Projects/Scopes:
  • livy-scala-api_2.12:provided
  • livy-scala-api_2.11:provided
  • livy-scala-api-parent:provided
  • livy-repl_2.12:provided
  • livy-rsc:provided
  • livy-repl-parent:provided
  • livy-test-lib:provided
  • livy-repl_2.11:provided
  • livy-examples:compile
  • livy-api:provided

Identifiers

CVE-2016-5397  

The Apache Thrift Go client library exposed the potential during code generation for command injection due to using an external formatting tool. This affected Apache Thrift 0.9.3 and older and was fixed in Apache Thrift 0.10.0.
CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')

CVSSv2:
  • Base Score: HIGH (9.0)
  • Vector: /AV:N/AC:L/Au:S/C:C/I:C/A:C
CVSSv3:
  • Base Score: HIGH (8.8)
  • Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions:

CVE-2018-1320  

Apache Thrift Java client library versions 0.5.0 through 0.11.0 can bypass SASL negotiation isComplete validation in the org.apache.thrift.transport.TSaslTransport class. An assert used to determine if the SASL handshake had successfully completed could be disabled in production settings making the validation incomplete.
CWE-295 Improper Certificate Validation

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

References:

Vulnerable Software & Versions:

CVE-2019-0205  

In Apache Thrift, all versions up to and including 0.12.0, a server or client may run into an endless loop when fed with specific input data. Because the issue had already been partially fixed in version 0.11.0, depending on the installed version it affects only certain language bindings.
CWE-835 Loop with Unreachable Exit Condition ('Infinite Loop')

CVSSv2:
  • Base Score: HIGH (7.8)
  • Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:C
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References:

Vulnerable Software & Versions:

CVE-2019-0210  

In Apache Thrift 0.9.3 to 0.12.0, a server implemented in Go using TJSONProtocol or TSimpleJSONProtocol may panic when fed with invalid input data.
CWE-125 Out-of-bounds Read

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:P
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References:

Vulnerable Software & Versions:

CVE-2020-13949  

In Apache Thrift 0.9.3 to 0.13.0, malicious RPC clients could send short messages which would result in a large memory allocation, potentially leading to denial of service.
CWE-400 Uncontrolled Resource Consumption ('Resource Exhaustion')

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:P
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References:

Vulnerable Software & Versions:

CVE-2018-11798  

The Apache Thrift Node.js static web server in versions 0.9.2 through 0.11.0 has been determined to contain a security vulnerability in which a remote user has the ability to access files outside the web server's configured docroot path.
CWE-538 File and Directory Information Exposure

CVSSv2:
  • Base Score: MEDIUM (4.0)
  • Vector: /AV:N/AC:L/Au:S/C:P/I:N/A:N
CVSSv3:
  • Base Score: MEDIUM (6.5)
  • Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

References:

Vulnerable Software & Versions:

libthrift-0.9.3.jar

Description:

Thrift is a software framework for scalable cross-language services development.

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /root/.m2/repository/org/apache/thrift/libthrift/0.9.3/libthrift-0.9.3.jar
MD5: 96af680a50acae601ce823b1da70b24a
SHA1: 8625e8f9b6f49b881fa5fd143172c2833df1ce47
SHA256: bca5e8cdee1e0fbf563de7d41c452385e7bed69723fa28225a9ce718a8ee3419
Referenced In Projects/Scopes:
  • livy-scala-api_2.12:provided
  • livy-scala-api_2.11:provided
  • livy-scala-api-parent:provided
  • livy-repl_2.12:provided
  • livy-rsc:provided
  • livy-repl-parent:provided
  • livy-test-lib:provided
  • livy-repl_2.11:provided
  • livy-examples:compile
  • livy-api:provided

Identifiers

CVE-2016-5397  

The Apache Thrift Go client library exposed the potential during code generation for command injection due to using an external formatting tool. This affected Apache Thrift 0.9.3 and older and was fixed in Apache Thrift 0.10.0.
CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')

CVSSv2:
  • Base Score: HIGH (9.0)
  • Vector: /AV:N/AC:L/Au:S/C:C/I:C/A:C
CVSSv3:
  • Base Score: HIGH (8.8)
  • Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions:

CVE-2018-1320  

Apache Thrift Java client library versions 0.5.0 through 0.11.0 can bypass SASL negotiation isComplete validation in the org.apache.thrift.transport.TSaslTransport class. An assert used to determine if the SASL handshake had successfully completed could be disabled in production settings making the validation incomplete.
CWE-295 Improper Certificate Validation

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

References:

Vulnerable Software & Versions:

CVE-2019-0205  

In Apache Thrift, all versions up to and including 0.12.0, a server or client may run into an endless loop when fed with specific input data. Because the issue had already been partially fixed in version 0.11.0, depending on the installed version it affects only certain language bindings.
CWE-835 Loop with Unreachable Exit Condition ('Infinite Loop')

CVSSv2:
  • Base Score: HIGH (7.8)
  • Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:C
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References:

Vulnerable Software & Versions:

CVE-2019-0210  

In Apache Thrift 0.9.3 to 0.12.0, a server implemented in Go using TJSONProtocol or TSimpleJSONProtocol may panic when fed with invalid input data.
CWE-125 Out-of-bounds Read

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:P
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References:

Vulnerable Software & Versions:

CVE-2020-13949  

In Apache Thrift 0.9.3 to 0.13.0, malicious RPC clients could send short messages which would result in a large memory allocation, potentially leading to denial of service.
CWE-400 Uncontrolled Resource Consumption ('Resource Exhaustion')

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:P
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References:

Vulnerable Software & Versions:

CVE-2018-11798  

The Apache Thrift Node.js static web server in versions 0.9.2 through 0.11.0 has been determined to contain a security vulnerability in which a remote user has the ability to access files outside the web server's configured docroot path.
CWE-538 File and Directory Information Exposure

CVSSv2:
  • Base Score: MEDIUM (4.0)
  • Vector: /AV:N/AC:L/Au:S/C:P/I:N/A:N
CVSSv3:
  • Base Score: MEDIUM (6.5)
  • Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

References:

Vulnerable Software & Versions:

livy-ui.js

File Path: /workspace/server/src/main/resources/org/apache/livy/server/ui/static/js/livy-ui.js
MD5: e87b1c8eeb2537bc3537bdcb4d3b04fe
SHA1: 8acdfae9480e285fede9053b583c704b81ec8050
SHA256: 71e084a3b2f757222a232f42e6bdaa4b179c8e3ecf9d03532b345e8f4646a25b
Referenced In Project/Scope: livy-server

Identifiers

  • None

log4j-1.2.16.jar

Description:

Apache Log4j 1.2

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /root/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar
MD5: 363678f015902bcc040308136f845a3f
SHA1: 7999a63bfccbc7c247a9aea10d83d4272bd492c6
SHA256: 7ae3fdde7ab0cae4735a2aec04381ad9b6e25c93d24205f3ed315d9866f12fe1
Referenced In Projects/Scopes:
  • livy-scala-api_2.12:provided
  • livy-integration-test:compile
  • livy-rsc:provided
  • livy-repl-parent:provided
  • livy-test-lib:provided
  • livy-api:provided
  • livy-core-parent:compile
  • livy-scala-api_2.11:provided
  • livy-scala-api-parent:provided
  • livy-coverage-report:compile
  • livy-assembly:compile
  • livy-repl_2.12:provided
  • livy-server:compile
  • livy-core_2.11:compile
  • livy-core_2.12:compile
  • livy-repl_2.11:provided
  • livy-examples:compile

Identifiers

CVE-2019-17571  

Included in Log4j 1.2 is a SocketServer class that is vulnerable to deserialization of untrusted data, which can be exploited to remotely execute arbitrary code when combined with a deserialization gadget while listening to untrusted network traffic for log data. This affects Log4j versions 1.2 up to 1.2.17.
CWE-502 Deserialization of Untrusted Data

CVSSv2:
  • Base Score: HIGH (7.5)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions:

CVE-2020-9493  

A deserialization flaw was found in Apache Chainsaw versions prior to 2.1.0 which could lead to malicious code execution.
CWE-502 Deserialization of Untrusted Data

CVSSv2:
  • Base Score: MEDIUM (6.8)
  • Vector: /AV:N/AC:M/Au:N/C:P/I:P/A:P
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions:

CVE-2022-23305  

By design, the JDBCAppender in Log4j 1.2.x accepts an SQL statement as a configuration parameter where the values to be inserted are converters from PatternLayout. The message converter, %m, is likely to always be included. This allows attackers to manipulate the SQL by entering crafted strings into input fields or headers of an application that are logged allowing unintended SQL queries to be executed. Note this issue only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default. Beginning in version 2.0-beta8, the JDBCAppender was re-introduced with proper support for parameterized SQL queries and further customization over the columns written to in logs. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.
CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVSSv2:
  • Base Score: MEDIUM (6.8)
  • Vector: /AV:N/AC:M/Au:N/C:P/I:P/A:P
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions:

CVE-2022-23302  

JMSSink in all versions of Log4j 1.x is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration or if the configuration references an LDAP service the attacker has access to. The attacker can provide a TopicConnectionFactoryBindingName configuration causing JMSSink to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-4104. Note this issue only affects Log4j 1.x when specifically configured to use JMSSink, which is not the default. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.
CWE-502 Deserialization of Untrusted Data

CVSSv2:
  • Base Score: MEDIUM (6.0)
  • Vector: /AV:N/AC:M/Au:S/C:P/I:P/A:P
CVSSv3:
  • Base Score: HIGH (8.8)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions:

CVE-2022-23307  

CVE-2020-9493 identified a deserialization issue that was present in Apache Chainsaw. Prior to Chainsaw V2.0 Chainsaw was a component of Apache Log4j 1.2.x where the same issue exists.
CWE-502 Deserialization of Untrusted Data

CVSSv2:
  • Base Score: HIGH (9.0)
  • Vector: /AV:N/AC:L/Au:S/C:C/I:C/A:C
CVSSv3:
  • Base Score: HIGH (8.8)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions:

CVE-2021-4104 (OSSINDEX)  

JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration. The attacker can provide TopicBindingName and TopicConnectionFactoryBindingName configurations causing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228. Note this issue only affects Log4j 1.2 when specifically configured to use JMSAppender, which is not the default. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.
CWE-502 Deserialization of Untrusted Data

CVSSv2:
  • Base Score: HIGH (7.5)
  • Vector: /AV:N/AC:H/Au:/C:H/I:H/A:H

References:

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:log4j:log4j:1.2.16:*:*:*:*:*:*:*

lz4-java-1.4.0.jar

Description:

Java ports and bindings of the LZ4 compression algorithm and the xxHash hashing algorithm

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /root/.m2/repository/org/lz4/lz4-java/1.4.0/lz4-java-1.4.0.jar
MD5: 6af82e9b9f0db48ebf95e7118027e9e4
SHA1: db5083b84299ad982a19677316da9a49363ad6e0
SHA256: 58516caefbfd99b3c5bac4065ba416d8e596efc58de2a2cc58e8a9302946a61b
Referenced In Projects/Scopes:
  • livy-scala-api_2.12:provided
  • livy-scala-api_2.11:provided
  • livy-scala-api-parent:provided
  • livy-repl_2.12:provided
  • livy-rsc:provided
  • livy-repl-parent:provided
  • livy-test-lib:provided
  • livy-repl_2.11:provided
  • livy-examples:compile
  • livy-api:provided

Identifiers

machinist_2.11-0.6.1.jar

Description:

machinist

License:

MIT: http://opensource.org/licenses/MIT
File Path: /root/.m2/repository/org/typelevel/machinist_2.11/0.6.1/machinist_2.11-0.6.1.jar
MD5: 7711b4715549c2241f05df0c35d84490
SHA1: 239a56280d1cf730048f552a1a18f415bfcbf270
SHA256: a8cad9216bbc29571be7cadf8c0269920d5af5682d24fc83828bd870f6a17dd9
Referenced In Projects/Scopes:
  • livy-repl-parent:provided
  • livy-repl_2.11:provided

Identifiers

machinist_2.12-0.6.1.jar

Description:

machinist

License:

MIT: http://opensource.org/licenses/MIT
File Path: /root/.m2/repository/org/typelevel/machinist_2.12/0.6.1/machinist_2.12-0.6.1.jar
MD5: 97c4e58e88ccfc3f0c2cd25a586120b0
SHA1: 13f7388cf36bcecf51bde7b87a216d5aa101ae2a
SHA256: fee6035ab2db522083775b2d97f192fc76bb7d4eed5151081e6933bf3da800e6
Referenced In Project/Scope: livy-repl_2.12:provided

Identifiers

macro-compat_2.11-1.1.1.jar

Description:

core

License:

Apache 2: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /root/.m2/repository/org/typelevel/macro-compat_2.11/1.1.1/macro-compat_2.11-1.1.1.jar
MD5: ee118c41bd4b59a558a3a158c9a49961
SHA1: 0cb87cb74fd5fb118fede3f98075c2044616b35d
SHA256: 5200a80ad392f0b882021d6de2efb17b874cc179ff8539f9bcedabc100b7890b
Referenced In Projects/Scopes:
  • livy-repl-parent:provided
  • livy-repl_2.11:provided

Identifiers

macro-compat_2.12-1.1.1.jar

Description:

core

License:

Apache 2: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /root/.m2/repository/org/typelevel/macro-compat_2.12/1.1.1/macro-compat_2.12-1.1.1.jar
MD5: c6c8927e9d6b7e3e4f60c019f146d099
SHA1: ed809d26ef4237d7c079ae6cf7ebd0dfa7986adf
SHA256: 8b1514ec99ac9c7eded284367b6c9f8f17a097198a44e6f24488706d66bbd2b8
Referenced In Project/Scope: livy-repl_2.12:provided

Identifiers

metrics-core-3.1.0.jar

Description:

Metrics is a Java library which gives you unparalleled insight into what your code does in production. Metrics provides a powerful toolkit of ways to measure the behavior of critical components in your production environment.

License:

http://www.apache.org/licenses/LICENSE-2.0.html
File Path: /root/.m2/repository/io/dropwizard/metrics/metrics-core/3.1.0/metrics-core-3.1.0.jar
MD5: 48e838f9753a2540cd5588466b20ec99
SHA1: 40e16d596ca49964a88bbce2261e387895b3499e
SHA256: d88845f17cd2c2d2203145e6f52e0c992cbe14d5887ddce97c9aceeae444b331
Referenced In Projects/Scopes:
  • livy-scala-api_2.12:provided
  • livy-integration-test:compile
  • livy-rsc:provided
  • livy-repl-parent:provided
  • livy-test-lib:provided
  • livy-api:provided
  • livy-scala-api_2.11:provided
  • livy-scala-api-parent:provided
  • livy-coverage-report:compile
  • livy-assembly:compile
  • livy-repl_2.12:provided
  • livy-server:compile
  • livy-repl_2.11:provided
  • livy-examples:compile

Identifiers

metrics-graphite-3.1.5.jar

Description:

A reporter for Metrics which announces measurements to a Graphite server.

License:

http://www.apache.org/licenses/LICENSE-2.0.html
File Path: /root/.m2/repository/io/dropwizard/metrics/metrics-graphite/3.1.5/metrics-graphite-3.1.5.jar
MD5: 453a1877761c6a31a3892207b92f2b28
SHA1: 366b727fe0e64fe43b60a3e2455c9dcc149cc0d3
SHA256: af7401be256f2e91a3d799957fe8ac0a44407a6df098092a0f9e14feb5c899c5
Referenced In Projects/Scopes:
  • livy-scala-api_2.12:provided
  • livy-scala-api_2.11:provided
  • livy-scala-api-parent:provided
  • livy-repl_2.12:provided
  • livy-rsc:provided
  • livy-repl-parent:provided
  • livy-test-lib:provided
  • livy-repl_2.11:provided
  • livy-examples:compile
  • livy-api:provided

Identifiers

metrics-healthchecks-3.1.0.jar

Description:

An addition to Metrics which provides the ability to run application-specific health checks, allowing you to check your application's health in production.

License:

http://www.apache.org/licenses/LICENSE-2.0.html
File Path: /root/.m2/repository/io/dropwizard/metrics/metrics-healthchecks/3.1.0/metrics-healthchecks-3.1.0.jar
MD5: f974d1ded236d33288ffd3cdbb778cee
SHA1: 475b277322856252b3e3d6b469140058c74dde0c
SHA256: 588afcd8d6e1e0a70b0919a3f3f3034eff4904729eeef510eb56d4d2442aeb4c
Referenced In Projects/Scopes:
  • livy-integration-test:compile
  • livy-coverage-report:compile
  • livy-assembly:compile
  • livy-server:compile

Identifiers

metrics-json-3.1.5.jar

Description:

A set of Jackson modules which provide serializers for most Metrics classes.

License:

http://www.apache.org/licenses/LICENSE-2.0.html
File Path: /root/.m2/repository/io/dropwizard/metrics/metrics-json/3.1.5/metrics-json-3.1.5.jar
MD5: fd717ba329eaddc4c2e1c1716728ed69
SHA1: 46debd1b9f1b4ada07d084dffc3eb272e87c6f62
SHA256: 2c7e7efa6cdf8d41f232eb2fe91f811f22675c36f9a7a711c66619bbafb3be96
Referenced In Projects/Scopes:
  • livy-scala-api_2.12:provided
  • livy-integration-test:compile
  • livy-rsc:provided
  • livy-repl-parent:provided
  • livy-test-lib:provided
  • livy-api:provided
  • livy-scala-api_2.11:provided
  • livy-scala-api-parent:provided
  • livy-repl_2.12:provided
  • livy-server:compile
  • livy-repl_2.11:provided
  • livy-examples:compile

Identifiers

metrics-json-3.2.3.jar

Description:

A set of Jackson modules which provide serializers for most Metrics classes.

License:

http://www.apache.org/licenses/LICENSE-2.0.html
File Path: /root/.m2/repository/io/dropwizard/metrics/metrics-json/3.2.3/metrics-json-3.2.3.jar
MD5: 95145a56f84bc13c78cc5b5b6f83b4d5
SHA1: c514ca9e836ed98e41bd16ed17098234a5c0a671
SHA256: 71103dadbe42a758fcec1dc374da604496216a1dea0f92a35befeb1ad707d0a8
Referenced In Projects/Scopes:
  • livy-coverage-report:compile
  • livy-assembly:compile

Identifiers

metrics-jvm-3.1.5.jar

Description:

A set of classes which allow you to monitor critical aspects of your Java Virtual Machine using Metrics.

License:

http://www.apache.org/licenses/LICENSE-2.0.html
File Path: /root/.m2/repository/io/dropwizard/metrics/metrics-jvm/3.1.5/metrics-jvm-3.1.5.jar
MD5: a35992ba955d3423678140941805db7b
SHA1: 042fe531a5873bd56dbca6e4b7678912b5df2a19
SHA256: 9e3eca426f5cf6187505406a94d3b0e380e323157409253f559c679e6db01704
Referenced In Projects/Scopes:
  • livy-scala-api_2.12:provided
  • livy-integration-test:compile
  • livy-rsc:provided
  • livy-repl-parent:provided
  • livy-test-lib:provided
  • livy-api:provided
  • livy-scala-api_2.11:provided
  • livy-scala-api-parent:provided
  • livy-repl_2.12:provided
  • livy-server:compile
  • livy-repl_2.11:provided
  • livy-examples:compile

Identifiers

metrics-jvm-3.2.3.jar

Description:

A set of classes which allow you to monitor critical aspects of your Java Virtual Machine using Metrics.

License:

http://www.apache.org/licenses/LICENSE-2.0.html
File Path: /root/.m2/repository/io/dropwizard/metrics/metrics-jvm/3.2.3/metrics-jvm-3.2.3.jar
MD5: ee68dc5587733c66943cfe5d2ed3d843
SHA1: e7f47bc64cd226a61072c3b65a0d1265f13eae31
SHA256: e1cc65a0fde2a3ec9899ddeb46d8d2abc4d66d7dd24ade8444d640805a1c0dba
Referenced In Projects/Scopes:
  • livy-coverage-report:compile
  • livy-assembly:compile

Identifiers

metrics-scala_2.11-3.5.9.jar

Description:

metrics-scala for Scala 2.11

License:

Apache 2: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /root/.m2/repository/nl/grons/metrics-scala_2.11/3.5.9/metrics-scala_2.11-3.5.9.jar
MD5: 74d21a6fbb869047c25c94e997e90890
SHA1: 7509eddc11f278be0189d7fce8713dc658a81bd9
SHA256: dff4855392ebcbe58e6176e7d383e9ebd96c65de2c4e536fe53fffeaed54f6d4
Referenced In Projects/Scopes:
  • livy-integration-test:compile
  • livy-coverage-report:compile
  • livy-assembly:compile
  • livy-server:compile

Identifiers

metrics-servlet-3.2.3.jar

Description:

An instrumented filter for servlet environments.

License:

http://www.apache.org/licenses/LICENSE-2.0.html
File Path: /root/.m2/repository/io/dropwizard/metrics/metrics-servlet/3.2.3/metrics-servlet-3.2.3.jar
MD5: b2d0ea63b845c20eee1cc79ec37aa412
SHA1: 51a2ff777e8dc5122b8fc2e0fe99546e944c7852
SHA256: cdd0d79976f0d753b0e99e9362bc9c452477e63a832ee6d3a508f4e2c280d957
Referenced In Projects/Scopes:
  • livy-integration-test:compile
  • livy-coverage-report:compile
  • livy-assembly:compile
  • livy-server:compile

Identifiers

metrics-servlets-3.2.3.jar

Description:

A set of utility servlets for Metrics, allowing you to expose valuable information about your production environment.

License:

http://www.apache.org/licenses/LICENSE-2.0.html
File Path: /root/.m2/repository/io/dropwizard/metrics/metrics-servlets/3.2.3/metrics-servlets-3.2.3.jar
MD5: de7bb5604b8f997877908a1512a490ce
SHA1: 239216cfeff1c19c9c769e7a79eb96eaacb440b1
SHA256: eee5de553e4c4ce9f8dae787a26b280589472728f65b414cf41af9b4dbc8b9f6
Referenced In Projects/Scopes:
  • livy-integration-test:compile
  • livy-coverage-report:compile
  • livy-assembly:compile
  • livy-server:compile

Identifiers

mime-util-2.1.3.jar

Description:

mime-util is a simple to use, small, lightweight and fast open source Java utility library that can detect MIME types from files, input streams, URLs and byte arrays. Due to the use of regular expressions and the java.nio packages it requires at least Java 1.4.

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /root/.m2/repository/eu/medsea/mimeutil/mime-util/2.1.3/mime-util-2.1.3.jar
MD5: 3d4f3e1a96eb79683197f1c8b182f4a6
SHA1: 0c9cfae15c74f62491d4f28def0dff1dabe52a47
SHA256: 7512022ecd4228458a0ab456f9fcddac21f0759f1b07100c3528174eb63bdcaf
Referenced In Projects/Scopes:
  • livy-integration-test:compile
  • livy-coverage-report:compile
  • livy-assembly:compile
  • livy-server:compile

Identifiers

minlog-1.3.0.jar

Description:

Minimal overhead Java logging

License:

New BSD License: http://www.opensource.org/licenses/bsd-license.php
File Path: /root/.m2/repository/com/esotericsoftware/minlog/1.3.0/minlog-1.3.0.jar
MD5: 5ab0ee168b90e0ad7010b159e603d304
SHA1: ff07b5f1b01d2f92bb00a337f9a94873712f0827
SHA256: f7b399d3a5478a4f3e0d98bd1c9f47766119c66414bc33aa0f6cde0066f24cc2
Referenced In Projects/Scopes:
  • livy-scala-api_2.12:provided
  • livy-integration-test:compile
  • livy-repl-parent:compile
  • livy-test-lib:provided
  • livy-client-common:compile
  • livy-rsc:compile
  • livy-api:provided
  • livy-core-parent:compile
  • livy-repl_2.11:compile
  • livy-scala-api_2.11:provided
  • livy-scala-api-parent:provided
  • livy-coverage-report:compile
  • livy-assembly:compile
  • livy-repl_2.12:compile
  • livy-server:compile
  • livy-core_2.11:compile
  • livy-core_2.12:compile
  • livy-examples:compile
  • livy-client-http:compile

Identifiers

mockito-core-2.7.22.jar

Description:

Mockito mock objects library core API and implementation

License:

The MIT License: http://github.com/mockito/mockito/blob/master/LICENSE
File Path: /root/.m2/repository/org/mockito/mockito-core/2.7.22/mockito-core-2.7.22.jar
MD5: 8e78b11e8c5fc86c3c563397f94b22d5
SHA1: fcf63bc8010ca77991e3cadd8d33ad1a40603404
SHA256: cd60ff78a3e51cc5e8d2fc5bb90e901f1b3a4d59e049b3e18386497b9fc12097
Referenced In Project/Scope: livy-integration-test:compile

Identifiers

netty-3.6.2.Final.jar

Description:

The Netty project is an effort to provide an asynchronous event-driven network application framework and tools for rapid development of maintainable high performance and high scalability protocol servers and clients. In other words, Netty is a NIO client server framework which enables quick and easy development of network applications such as protocol servers and clients. It greatly simplifies and streamlines network programming such as TCP and UDP socket servers.

License:

Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0
File Path: /root/.m2/repository/io/netty/netty/3.6.2.Final/netty-3.6.2.Final.jar
MD5: 65546c0885e83ba36f1f4d9ff9f8c776
SHA1: 69be11c61427f0604a30539755add84ad9e37e5e
SHA256: d4ff9f0a2959633e062edd0e678d8187bbe95ad19195384ac524fd41f00f5a44
Referenced In Project/Scope: livy-integration-test:compile

Identifiers

CVE-2019-20444  

HttpObjectDecoder.java in Netty before 4.1.44 allows an HTTP header that lacks a colon, which might be interpreted as a separate header with an incorrect syntax, or might be interpreted as an "invalid fold."
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')

CVSSv2:
  • Base Score: MEDIUM (6.4)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:N
CVSSv3:
  • Base Score: CRITICAL (9.1)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

References:

Vulnerable Software & Versions:

CVE-2019-20445  

HttpObjectDecoder.java in Netty before 4.1.44 allows a Content-Length header to be accompanied by a second Content-Length header, or by a Transfer-Encoding header.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')

CVSSv2:
  • Base Score: MEDIUM (6.4)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:N
CVSSv3:
  • Base Score: CRITICAL (9.1)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

References:

Vulnerable Software & Versions:

CVE-2015-2156  

Netty before 3.9.8.Final, 3.10.x before 3.10.3.Final, 4.0.x before 4.0.28.Final, and 4.1.x before 4.1.0.Beta5 and Play Framework 2.x before 2.3.9 might allow remote attackers to bypass the httpOnly flag on cookies and obtain sensitive information by leveraging improper validation of cookie name and value characters.
CWE-20 Improper Input Validation

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:P/I:N/A:N
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

References:

Vulnerable Software & Versions:

CVE-2019-16869  

Netty before 4.1.42.Final mishandles whitespace before the colon in HTTP headers (such as a "Transfer-Encoding : chunked" line), which leads to HTTP request smuggling.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

References:

Vulnerable Software & Versions:

CVE-2021-37136  

The Bzip2 decompression decoder function doesn't allow setting size restrictions on the decompressed output data (which affects the allocation size used during decompression). All users of Bzip2Decoder are affected. Malicious input can trigger an OOME and so a DoS attack.
CWE-400 Uncontrolled Resource Consumption ('Resource Exhaustion')

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:P
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References:

Vulnerable Software & Versions:

CVE-2021-37137  

The Snappy frame decoder function doesn't restrict the chunk length which may lead to excessive memory usage. Beside this it also may buffer reserved skippable chunks until the whole chunk was received which may lead to excessive memory usage as well. This vulnerability can be triggered by supplying malicious input that decompresses to a very big size (via a network stream or a file) or by sending a huge skippable chunk.
CWE-400 Uncontrolled Resource Consumption ('Resource Exhaustion')

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:P
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References:

Vulnerable Software & Versions:

CVE-2021-43797  

Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. Netty prior to version 4.1.71.Final skips control chars when they are present at the beginning / end of the header name. It should instead fail fast, as these are not allowed by the spec and could lead to HTTP request smuggling. Failing to do the validation might cause netty to "sanitize" header names before it forwards these to another remote system when used as a proxy. This remote system can't see the invalid usage anymore, and therefore does not do the validation itself. Users should upgrade to version 4.1.71.Final.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (6.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

References:

Vulnerable Software & Versions:

CVE-2021-21295  

Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty (io.netty:netty-codec-http2) before version 4.1.60.Final there is a vulnerability that enables request smuggling. If a Content-Length header is present in the original HTTP/2 request, the field is not validated by `Http2MultiplexHandler` as it is propagated up. This is fine as long as the request is not proxied through as HTTP/1.1. If the request comes in as an HTTP/2 stream, gets converted into the HTTP/1.1 domain objects (`HttpRequest`, `HttpContent`, etc.) via `Http2StreamFrameToHttpObjectCodec` and then sent up to the child channel's pipeline and proxied through a remote peer as HTTP/1.1, this may result in request smuggling. In a proxy case, users may assume the content-length is validated somehow, which is not the case. If the request is forwarded to a backend channel that is an HTTP/1.1 connection, the Content-Length now has meaning and needs to be checked. An attacker can smuggle requests inside the body as it gets downgraded from HTTP/2 to HTTP/1.1. For an example attack refer to the linked GitHub Advisory. Users are only affected if all of this is true: `HTTP2MultiplexCodec` or `Http2FrameCodec` is used, `Http2StreamFrameToHttpObjectCodec` is used to convert to HTTP/1.1 objects, and these HTTP/1.1 objects are forwarded to another remote peer. This has been patched in 4.1.60.Final. As a workaround, the user can do the validation by themselves by implementing a custom `ChannelInboundHandler` that is put in the `ChannelPipeline` behind `Http2StreamFrameToHttpObjectCodec`.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')

CVSSv2:
  • Base Score: LOW (2.6)
  • Vector: /AV:N/AC:H/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (5.9)
  • Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

References:

Vulnerable Software & Versions:

CVE-2021-21409  

Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty (io.netty:netty-codec-http2) before version 4.1.61.Final there is a vulnerability that enables request smuggling. The content-length header is not correctly validated if the request only uses a single Http2HeaderFrame with endStream set to true. This could lead to request smuggling if the request is proxied to a remote peer and translated to HTTP/1.1. This is a followup of GHSA-wm47-8v5p-wjpj/CVE-2021-21295, which missed this one case. This was fixed as part of 4.1.61.Final.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (5.9)
  • Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

References:

Vulnerable Software & Versions:

CVE-2021-21290  

Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty before version 4.1.59.Final there is a vulnerability on Unix-like systems involving an insecure temp file. When netty's multipart decoders are used, local information disclosure can occur via the local system temporary directory if temporarily storing uploads on the disk is enabled. On unix-like systems, the temporary directory is shared between all users. As such, writing to this directory using APIs that do not explicitly set the file/directory permissions can lead to information disclosure. Of note, this does not impact modern MacOS Operating Systems. The method "File.createTempFile" on unix-like systems creates a random file, but, by default will create this file with the permissions "-rw-r--r--". Thus, if sensitive information is written to this file, other local users can read this information. This is the case in netty's "AbstractDiskHttpData", which is vulnerable. This has been fixed in version 4.1.59.Final. As a workaround, one may specify one's own "java.io.tmpdir" when starting the JVM or use "DefaultHttpDataFactory.setBaseDir(...)" to set the directory to something that is only readable by the current user.
CWE-378 Creation of Temporary File With Insecure Permissions, CWE-379 Creation of Temporary File in Directory with Incorrect Permissions

CVSSv2:
  • Base Score: LOW (1.9)
  • Vector: /AV:L/AC:M/Au:N/C:P/I:N/A:N
CVSSv3:
  • Base Score: MEDIUM (5.5)
  • Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

References:

Vulnerable Software & Versions:

CVE-2022-24823  

Netty is an open-source, asynchronous event-driven network application framework. The package `io.netty:netty-codec-http` prior to version 4.1.77.Final contains an insufficient fix for CVE-2021-21290. When Netty's multipart decoders are used local information disclosure can occur via the local system temporary directory if temporary storing uploads on the disk is enabled. This only impacts applications running on Java version 6 and lower. Additionally, this vulnerability impacts code running on Unix-like systems, and very old versions of Mac OSX and Windows as they all share the system temporary directory between all users. Version 4.1.77.Final contains a patch for this vulnerability. As a workaround, specify one's own `java.io.tmpdir` when starting the JVM or use DefaultHttpDataFactory.setBaseDir(...) to set the directory to something that is only readable by the current user.
CWE-378 Creation of Temporary File With Insecure Permissions, CWE-379 Creation of Temporary File in Directory with Incorrect Permissions, CWE-668 Exposure of Resource to Wrong Sphere

CVSSv2:
  • Base Score: LOW (1.9)
  • Vector: /AV:L/AC:M/Au:N/C:P/I:N/A:N
CVSSv3:
  • Base Score: MEDIUM (5.5)
  • Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

References:

Vulnerable Software & Versions:

CVE-2014-0193  

WebSocket08FrameDecoder in Netty 3.6.x before 3.6.9, 3.7.x before 3.7.1, 3.8.x before 3.8.2, 3.9.x before 3.9.1, and 4.0.x before 4.0.19 allows remote attackers to cause a denial of service (memory consumption) via a TextWebSocketFrame followed by a long stream of ContinuationWebSocketFrames.
CWE-399 Resource Management Errors

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:P

References:

Vulnerable Software & Versions:

CVE-2014-3488  

The SslHandler in Netty before 3.9.2 allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via a crafted SSLv2Hello message.
CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:P

References:

Vulnerable Software & Versions:

netty-3.7.0.Final.jar

Description:

    The Netty project is an effort to provide an asynchronous event-driven
    network application framework and tools for rapid development of
    maintainable high performance and high scalability protocol servers and
    clients.  In other words, Netty is a NIO client server framework which
    enables quick and easy development of network applications such as protocol
    servers and clients. It greatly simplifies and streamlines network
    programming such as TCP and UDP socket server.
  

License:

Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0
File Path: /root/.m2/repository/io/netty/netty/3.7.0.Final/netty-3.7.0.Final.jar
MD5: c9ef3b2f37d581e500a9d6c1efc4ab69
SHA1: 07a8c35599c68c0bf383df74469aa3e03d9aca87
SHA256: aa44be64442b9cbc5edd521476b9f1c272eec6a53dca104cf3032f42ad20ff89
Referenced In Projects/Scopes:
  • livy-coverage-report:compile
  • livy-assembly:compile
  • livy-server:compile

Identifiers

CVE-2019-20444  

HttpObjectDecoder.java in Netty before 4.1.44 allows an HTTP header that lacks a colon, which might be interpreted as a separate header with an incorrect syntax, or might be interpreted as an "invalid fold."
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')

CVSSv2:
  • Base Score: MEDIUM (6.4)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:N
CVSSv3:
  • Base Score: CRITICAL (9.1)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

References:

Vulnerable Software & Versions:

CVE-2019-20445  

HttpObjectDecoder.java in Netty before 4.1.44 allows a Content-Length header to be accompanied by a second Content-Length header, or by a Transfer-Encoding header.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')

CVSSv2:
  • Base Score: MEDIUM (6.4)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:N
CVSSv3:
  • Base Score: CRITICAL (9.1)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

References:

Vulnerable Software & Versions:

CVE-2015-2156  

Netty before 3.9.8.Final, 3.10.x before 3.10.3.Final, 4.0.x before 4.0.28.Final, and 4.1.x before 4.1.0.Beta5 and Play Framework 2.x before 2.3.9 might allow remote attackers to bypass the httpOnly flag on cookies and obtain sensitive information by leveraging improper validation of cookie name and value characters.
CWE-20 Improper Input Validation

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:P/I:N/A:N
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

References:

Vulnerable Software & Versions:

CVE-2019-16869  

Netty before 4.1.42.Final mishandles whitespace before the colon in HTTP headers (such as a "Transfer-Encoding : chunked" line), which leads to HTTP request smuggling.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

References:

Vulnerable Software & Versions:

CVE-2021-37136  

The Bzip2 decompression decoder function doesn't allow setting size restrictions on the decompressed output data (which affects the allocation size used during decompression). All users of Bzip2Decoder are affected. Malicious input can trigger an OOME and so a DoS attack.
CWE-400 Uncontrolled Resource Consumption ('Resource Exhaustion')

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:P
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References:

Vulnerable Software & Versions:

CVE-2021-37137  

The Snappy frame decoder function doesn't restrict the chunk length which may lead to excessive memory usage. Beside this it also may buffer reserved skippable chunks until the whole chunk was received which may lead to excessive memory usage as well. This vulnerability can be triggered by supplying malicious input that decompresses to a very big size (via a network stream or a file) or by sending a huge skippable chunk.
CWE-400 Uncontrolled Resource Consumption ('Resource Exhaustion')

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:P
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References:

Vulnerable Software & Versions:

CVE-2021-43797  

Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. Netty prior to version 4.1.71.Final skips control chars when they are present at the beginning / end of the header name. It should instead fail fast, as these are not allowed by the spec and could lead to HTTP request smuggling. Failing to do the validation might cause netty to "sanitize" header names before it forwards these to another remote system when used as a proxy. This remote system can't see the invalid usage anymore, and therefore does not do the validation itself. Users should upgrade to version 4.1.71.Final.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (6.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

References:

Vulnerable Software & Versions:

CVE-2021-21295  

Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty (io.netty:netty-codec-http2) before version 4.1.60.Final there is a vulnerability that enables request smuggling. If a Content-Length header is present in the original HTTP/2 request, the field is not validated by `Http2MultiplexHandler` as it is propagated up. This is fine as long as the request is not proxied through as HTTP/1.1. If the request comes in as an HTTP/2 stream, gets converted into the HTTP/1.1 domain objects (`HttpRequest`, `HttpContent`, etc.) via `Http2StreamFrameToHttpObjectCodec` and then sent up to the child channel's pipeline and proxied through a remote peer as HTTP/1.1, this may result in request smuggling. In a proxy case, users may assume the content-length is validated somehow, which is not the case. If the request is forwarded to a backend channel that is an HTTP/1.1 connection, the Content-Length now has meaning and needs to be checked. An attacker can smuggle requests inside the body as it gets downgraded from HTTP/2 to HTTP/1.1. For an example attack refer to the linked GitHub Advisory. Users are only affected if all of this is true: `HTTP2MultiplexCodec` or `Http2FrameCodec` is used, `Http2StreamFrameToHttpObjectCodec` is used to convert to HTTP/1.1 objects, and these HTTP/1.1 objects are forwarded to another remote peer. This has been patched in 4.1.60.Final. As a workaround, the user can do the validation by themselves by implementing a custom `ChannelInboundHandler` that is put in the `ChannelPipeline` behind `Http2StreamFrameToHttpObjectCodec`.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')

CVSSv2:
  • Base Score: LOW (2.6)
  • Vector: /AV:N/AC:H/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (5.9)
  • Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

References:

Vulnerable Software & Versions:

CVE-2021-21409  

Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty (io.netty:netty-codec-http2) before version 4.1.61.Final there is a vulnerability that enables request smuggling. The content-length header is not correctly validated if the request only uses a single Http2HeaderFrame with endStream set to true. This could lead to request smuggling if the request is proxied to a remote peer and translated to HTTP/1.1. This is a followup of GHSA-wm47-8v5p-wjpj/CVE-2021-21295, which missed this one case. This was fixed as part of 4.1.61.Final.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (5.9)
  • Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

References:

Vulnerable Software & Versions:

CVE-2021-21290  

Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty before version 4.1.59.Final there is a vulnerability on Unix-like systems involving an insecure temp file. When netty's multipart decoders are used, local information disclosure can occur via the local system temporary directory if temporarily storing uploads on the disk is enabled. On unix-like systems, the temporary directory is shared between all users. As such, writing to this directory using APIs that do not explicitly set the file/directory permissions can lead to information disclosure. Of note, this does not impact modern MacOS Operating Systems. The method "File.createTempFile" on unix-like systems creates a random file, but, by default will create this file with the permissions "-rw-r--r--". Thus, if sensitive information is written to this file, other local users can read this information. This is the case in netty's "AbstractDiskHttpData", which is vulnerable. This has been fixed in version 4.1.59.Final. As a workaround, one may specify one's own "java.io.tmpdir" when starting the JVM or use "DefaultHttpDataFactory.setBaseDir(...)" to set the directory to something that is only readable by the current user.
CWE-378 Creation of Temporary File With Insecure Permissions, CWE-379 Creation of Temporary File in Directory with Incorrect Permissions

CVSSv2:
  • Base Score: LOW (1.9)
  • Vector: /AV:L/AC:M/Au:N/C:P/I:N/A:N
CVSSv3:
  • Base Score: MEDIUM (5.5)
  • Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

References:

Vulnerable Software & Versions:

CVE-2022-24823  

Netty is an open-source, asynchronous event-driven network application framework. The package `io.netty:netty-codec-http` prior to version 4.1.77.Final contains an insufficient fix for CVE-2021-21290. When Netty's multipart decoders are used local information disclosure can occur via the local system temporary directory if temporary storing uploads on the disk is enabled. This only impacts applications running on Java version 6 and lower. Additionally, this vulnerability impacts code running on Unix-like systems, and very old versions of Mac OSX and Windows as they all share the system temporary directory between all users. Version 4.1.77.Final contains a patch for this vulnerability. As a workaround, specify one's own `java.io.tmpdir` when starting the JVM or use DefaultHttpDataFactory.setBaseDir(...) to set the directory to something that is only readable by the current user.
CWE-378 Creation of Temporary File With Insecure Permissions, CWE-379 Creation of Temporary File in Directory with Incorrect Permissions, CWE-668 Exposure of Resource to Wrong Sphere

CVSSv2:
  • Base Score: LOW (1.9)
  • Vector: /AV:L/AC:M/Au:N/C:P/I:N/A:N
CVSSv3:
  • Base Score: MEDIUM (5.5)
  • Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

References:

Vulnerable Software & Versions:

CVE-2014-0193  

WebSocket08FrameDecoder in Netty 3.6.x before 3.6.9, 3.7.x before 3.7.1, 3.8.x before 3.8.2, 3.9.x before 3.9.1, and 4.0.x before 4.0.19 allows remote attackers to cause a denial of service (memory consumption) via a TextWebSocketFrame followed by a long stream of ContinuationWebSocketFrames.
CWE-399 Resource Management Errors

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:P

References:

Vulnerable Software & Versions:

CVE-2014-3488  

The SslHandler in Netty before 3.9.2 allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via a crafted SSLv2Hello message.
CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:P

References:

Vulnerable Software & Versions:

netty-3.9.9.Final.jar

Description:

    The Netty project is an effort to provide an asynchronous event-driven
    network application framework and tools for rapid development of
    maintainable high performance and high scalability protocol servers and
    clients.  In other words, Netty is a NIO client server framework which
    enables quick and easy development of network applications such as protocol
    servers and clients. It greatly simplifies and streamlines network
    programming such as TCP and UDP socket server.
  

License:

Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0
File Path: /root/.m2/repository/io/netty/netty/3.9.9.Final/netty-3.9.9.Final.jar
MD5: cff043f83e1e74a25819082405057517
SHA1: 58e0a7e7ff773f84d02d4f006ae9dd31ad22a0b1
SHA256: 697af248e216c9e158b3c9d6702f54541188fc92de19ac9d2f5496f80bce7aba
Referenced In Projects/Scopes:
  • livy-scala-api_2.12:provided
  • livy-scala-api_2.11:provided
  • livy-scala-api-parent:provided
  • livy-repl_2.12:provided
  • livy-rsc:provided
  • livy-repl-parent:provided
  • livy-test-lib:provided
  • livy-repl_2.11:provided
  • livy-examples:compile
  • livy-api:provided

Identifiers

CVE-2019-20444  

HttpObjectDecoder.java in Netty before 4.1.44 allows an HTTP header that lacks a colon, which might be interpreted as a separate header with an incorrect syntax, or might be interpreted as an "invalid fold."
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')

CVSSv2:
  • Base Score: MEDIUM (6.4)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:N
CVSSv3:
  • Base Score: CRITICAL (9.1)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

References:

Vulnerable Software & Versions:

CVE-2019-20445  

HttpObjectDecoder.java in Netty before 4.1.44 allows a Content-Length header to be accompanied by a second Content-Length header, or by a Transfer-Encoding header.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')

CVSSv2:
  • Base Score: MEDIUM (6.4)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:N
CVSSv3:
  • Base Score: CRITICAL (9.1)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

References:

Vulnerable Software & Versions:

CVE-2019-16869  

Netty before 4.1.42.Final mishandles whitespace before the colon in HTTP headers (such as a "Transfer-Encoding : chunked" line), which leads to HTTP request smuggling.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

References:

Vulnerable Software & Versions:

CVE-2021-37136  

The Bzip2 decompression decoder function doesn't allow setting size restrictions on the decompressed output data (which affects the allocation size used during decompression). All users of Bzip2Decoder are affected. Malicious input can trigger an OOME and so a DoS attack.
CWE-400 Uncontrolled Resource Consumption ('Resource Exhaustion')

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:P
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References:

Vulnerable Software & Versions:

CVE-2021-37137  

The Snappy frame decoder function doesn't restrict the chunk length which may lead to excessive memory usage. Beside this it also may buffer reserved skippable chunks until the whole chunk was received which may lead to excessive memory usage as well. This vulnerability can be triggered by supplying malicious input that decompresses to a very big size (via a network stream or a file) or by sending a huge skippable chunk.
CWE-400 Uncontrolled Resource Consumption ('Resource Exhaustion')

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:P
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References:

Vulnerable Software & Versions:

CVE-2021-43797  

Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. Netty prior to version 4.1.71.Final skips control chars when they are present at the beginning / end of the header name. It should instead fail fast, as these are not allowed by the spec and could lead to HTTP request smuggling. Failing to do the validation might cause netty to "sanitize" header names before it forwards these to another remote system when used as a proxy. This remote system can't see the invalid usage anymore, and therefore does not do the validation itself. Users should upgrade to version 4.1.71.Final.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (6.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

References:

Vulnerable Software & Versions:

CVE-2021-21295  

Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty (io.netty:netty-codec-http2) before version 4.1.60.Final there is a vulnerability that enables request smuggling. If a Content-Length header is present in the original HTTP/2 request, the field is not validated by `Http2MultiplexHandler` as it is propagated up. This is fine as long as the request is not proxied through as HTTP/1.1. If the request comes in as an HTTP/2 stream, gets converted into the HTTP/1.1 domain objects (`HttpRequest`, `HttpContent`, etc.) via `Http2StreamFrameToHttpObjectCodec` and then sent up to the child channel's pipeline and proxied through a remote peer as HTTP/1.1, this may result in request smuggling. In a proxy case, users may assume the content-length is validated somehow, which is not the case. If the request is forwarded to a backend channel that is an HTTP/1.1 connection, the Content-Length now has meaning and needs to be checked. An attacker can smuggle requests inside the body as it gets downgraded from HTTP/2 to HTTP/1.1. For an example attack refer to the linked GitHub Advisory. Users are only affected if all of this is true: `HTTP2MultiplexCodec` or `Http2FrameCodec` is used, `Http2StreamFrameToHttpObjectCodec` is used to convert to HTTP/1.1 objects, and these HTTP/1.1 objects are forwarded to another remote peer. This has been patched in 4.1.60.Final. As a workaround, the user can do the validation by themselves by implementing a custom `ChannelInboundHandler` that is put in the `ChannelPipeline` behind `Http2StreamFrameToHttpObjectCodec`.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')

CVSSv2:
  • Base Score: LOW (2.6)
  • Vector: /AV:N/AC:H/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (5.9)
  • Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

References:

Vulnerable Software & Versions:

CVE-2021-21409  

Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty (io.netty:netty-codec-http2) before version 4.1.61.Final there is a vulnerability that enables request smuggling. The content-length header is not correctly validated if the request only uses a single Http2HeaderFrame with endStream set to true. This could lead to request smuggling if the request is proxied to a remote peer and translated to HTTP/1.1. This is a followup of GHSA-wm47-8v5p-wjpj/CVE-2021-21295, which missed this one case. This was fixed as part of 4.1.61.Final.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (5.9)
  • Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

References:

Vulnerable Software & Versions:

CVE-2021-21290  

Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty before version 4.1.59.Final there is a vulnerability on Unix-like systems involving an insecure temp file. When netty's multipart decoders are used, local information disclosure can occur via the local system temporary directory if temporarily storing uploads on the disk is enabled. On unix-like systems, the temporary directory is shared between all users. As such, writing to this directory using APIs that do not explicitly set the file/directory permissions can lead to information disclosure. Of note, this does not impact modern MacOS Operating Systems. The method "File.createTempFile" on unix-like systems creates a random file, but, by default will create this file with the permissions "-rw-r--r--". Thus, if sensitive information is written to this file, other local users can read this information. This is the case in netty's "AbstractDiskHttpData", which is vulnerable. This has been fixed in version 4.1.59.Final. As a workaround, one may specify one's own "java.io.tmpdir" when starting the JVM or use "DefaultHttpDataFactory.setBaseDir(...)" to set the directory to something that is only readable by the current user.
CWE-378 Creation of Temporary File With Insecure Permissions, CWE-379 Creation of Temporary File in Directory with Incorrect Permissions

CVSSv2:
  • Base Score: LOW (1.9)
  • Vector: /AV:L/AC:M/Au:N/C:P/I:N/A:N
CVSSv3:
  • Base Score: MEDIUM (5.5)
  • Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

References:

Vulnerable Software & Versions:

CVE-2022-24823  

Netty is an open-source, asynchronous event-driven network application framework. The package `io.netty:netty-codec-http` prior to version 4.1.77.Final contains an insufficient fix for CVE-2021-21290. When Netty's multipart decoders are used local information disclosure can occur via the local system temporary directory if temporary storing uploads on the disk is enabled. This only impacts applications running on Java version 6 and lower. Additionally, this vulnerability impacts code running on Unix-like systems, and very old versions of Mac OSX and Windows as they all share the system temporary directory between all users. Version 4.1.77.Final contains a patch for this vulnerability. As a workaround, specify one's own `java.io.tmpdir` when starting the JVM or use DefaultHttpDataFactory.setBaseDir(...) to set the directory to something that is only readable by the current user.
CWE-378 Creation of Temporary File With Insecure Permissions, CWE-379 Creation of Temporary File in Directory with Incorrect Permissions, CWE-668 Exposure of Resource to Wrong Sphere

CVSSv2:
  • Base Score: LOW (1.9)
  • Vector: /AV:L/AC:M/Au:N/C:P/I:N/A:N
CVSSv3:
  • Base Score: MEDIUM (5.5)
  • Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

References:

Vulnerable Software & Versions:

netty-all-4.1.17.Final.jar

File Path: /root/.m2/repository/io/netty/netty-all/4.1.17.Final/netty-all-4.1.17.Final.jar
MD5: 34863f57beeb33c6a7e0cc1e355a73d4
SHA1: 43142cd1d6a0ea281eb6a4990354b4d3ad23dd43
SHA256: 578f39b27617662a69ad84cd3793f506f6350cbd75ae87e8e686f5e7bdd5161c
Referenced In Projects/Scopes:

  • livy-integration-test:compile
  • livy-coverage-report:compile
  • livy-assembly:compile
  • livy-repl_2.12:provided
  • livy-server:compile
  • livy-repl-parent:provided
  • livy-test-lib:provided
  • livy-rsc:compile
  • livy-repl_2.11:provided
  • livy-examples:compile
  • livy-api:provided

Identifiers

CVE-2019-20444  

HttpObjectDecoder.java in Netty before 4.1.44 allows an HTTP header that lacks a colon, which might be interpreted as a separate header with an incorrect syntax, or might be interpreted as an "invalid fold."
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')

CVSSv2:
  • Base Score: MEDIUM (6.4)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:N
CVSSv3:
  • Base Score: CRITICAL (9.1)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

References:

Vulnerable Software & Versions:

CVE-2019-20445  

HttpObjectDecoder.java in Netty before 4.1.44 allows a Content-Length header to be accompanied by a second Content-Length header, or by a Transfer-Encoding header.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')

CVSSv2:
  • Base Score: MEDIUM (6.4)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:N
CVSSv3:
  • Base Score: CRITICAL (9.1)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

References:

Vulnerable Software & Versions:

CVE-2019-16869  

Netty before 4.1.42.Final mishandles whitespace before the colon in HTTP headers (such as a "Transfer-Encoding : chunked" line), which leads to HTTP request smuggling.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

References:

Vulnerable Software & Versions:

CVE-2019-9518 (OSSINDEX)  

Some HTTP/2 implementations are vulnerable to a flood of empty frames, potentially leading to a denial of service. The attacker sends a stream of frames with an empty payload and without the end-of-stream flag. These frames can be DATA, HEADERS, CONTINUATION and/or PUSH_PROMISE. The peer spends time processing each frame disproportionate to attack bandwidth. This can consume excess CPU.
CWE-770 Allocation of Resources Without Limits or Throttling

CVSSv2:
  • Base Score: HIGH (7.5)
  • Vector: /AV:N/AC:L/Au:/C:N/I:N/A:H

References:

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:io.netty:netty-all:4.1.17.Final:*:*:*:*:*:*:*

CVE-2020-11612  

The ZlibDecoders in Netty 4.1.x before 4.1.46 allow for unbounded memory allocation while decoding a ZlibEncoded byte stream. An attacker could send a large ZlibEncoded byte stream to the Netty server, forcing the server to allocate all of its free memory to a single decoder.
CWE-770 Allocation of Resources Without Limits or Throttling

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:P
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References:

Vulnerable Software & Versions:

CVE-2020-7238 (OSSINDEX)  

Netty 4.1.43.Final allows HTTP Request Smuggling because it mishandles Transfer-Encoding whitespace (such as a [space]Transfer-Encoding:chunked line) and a later Content-Length header. This issue exists because of an incomplete fix for CVE-2019-16869.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')

CVSSv2:
  • Base Score: HIGH (7.5)
  • Vector: /AV:N/AC:L/Au:/C:N/I:H/A:N

References:

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:io.netty:netty-all:4.1.17.Final:*:*:*:*:*:*:*

CVE-2021-37136  

The Bzip2 decompression decoder function doesn't allow setting size restrictions on the decompressed output data (which affects the allocation size used during decompression). All users of Bzip2Decoder are affected. Malicious input can trigger an OOME and thus a DoS attack.
CWE-400 Uncontrolled Resource Consumption ('Resource Exhaustion')

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:P
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References:

Vulnerable Software & Versions:

CVE-2021-37137  

The Snappy frame decoder function doesn't restrict the chunk length, which may lead to excessive memory usage. Besides this, it also may buffer reserved skippable chunks until the whole chunk has been received, which may lead to excessive memory usage as well. This vulnerability can be triggered by supplying malicious input that decompresses to a very big size (via a network stream or a file) or by sending a huge skippable chunk.
CWE-400 Uncontrolled Resource Consumption ('Resource Exhaustion')

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:P
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References:

Vulnerable Software & Versions:

CVE-2021-43797  

Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. Netty prior to version 4.1.71.Final skips control characters when they are present at the beginning or end of the header name. It should instead fail fast, as these are not allowed by the spec and could lead to HTTP request smuggling. Failing to do the validation might cause Netty to "sanitize" header names before it forwards them to another remote system when used as a proxy. That remote system can't see the invalid usage anymore and therefore does not do the validation itself. Users should upgrade to version 4.1.71.Final.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (6.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

References:

Vulnerable Software & Versions:

CVE-2021-21295  

Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty (io.netty:netty-codec-http2) before version 4.1.60.Final there is a vulnerability that enables request smuggling. If a Content-Length header is present in the original HTTP/2 request, the field is not validated by `Http2MultiplexHandler` as it is propagated up. This is fine as long as the request is not proxied through as HTTP/1.1. If the request comes in as an HTTP/2 stream, gets converted into the HTTP/1.1 domain objects (`HttpRequest`, `HttpContent`, etc.) via `Http2StreamFrameToHttpObjectCodec` and is then sent up to the child channel's pipeline and proxied through to a remote peer as HTTP/1.1, this may result in request smuggling. In a proxy case, users may assume the content-length is validated somehow, which is not the case. If the request is forwarded to a backend channel that is an HTTP/1.1 connection, the Content-Length now has meaning and needs to be checked. An attacker can smuggle requests inside the body as it gets downgraded from HTTP/2 to HTTP/1.1. For an example attack refer to the linked GitHub Advisory. Users are only affected if all of this is true: `HTTP2MultiplexCodec` or `Http2FrameCodec` is used, `Http2StreamFrameToHttpObjectCodec` is used to convert to HTTP/1.1 objects, and these HTTP/1.1 objects are forwarded to another remote peer. This has been patched in 4.1.60.Final. As a workaround, users can do the validation themselves by implementing a custom `ChannelInboundHandler` that is put in the `ChannelPipeline` behind `Http2StreamFrameToHttpObjectCodec`.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')

CVSSv2:
  • Base Score: LOW (2.6)
  • Vector: /AV:N/AC:H/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (5.9)
  • Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

References:

Vulnerable Software & Versions:

CVE-2021-21409  

Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty (io.netty:netty-codec-http2) before version 4.1.61.Final there is a vulnerability that enables request smuggling. The content-length header is not correctly validated if the request only uses a single Http2HeaderFrame with endStream set to true. This could lead to request smuggling if the request is proxied to a remote peer and translated to HTTP/1.1. This is a follow-up to GHSA-wm47-8v5p-wjpj/CVE-2021-21295, which missed this one case. This was fixed as part of 4.1.61.Final.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (5.9)
  • Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

References:

Vulnerable Software & Versions:

CVE-2021-21290  

Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty before version 4.1.59.Final there is a vulnerability on Unix-like systems involving an insecure temp file. When Netty's multipart decoders are used, local information disclosure can occur via the local system temporary directory if temporary storing of uploads on disk is enabled. On Unix-like systems, the temporary directory is shared between all users. As such, writing to this directory using APIs that do not explicitly set the file/directory permissions can lead to information disclosure. Of note, this does not impact modern macOS. The method "File.createTempFile" on Unix-like systems creates a random file but, by default, creates it with the permissions "-rw-r--r--". Thus, if sensitive information is written to this file, other local users can read it. This is the case in Netty's "AbstractDiskHttpData", which is therefore vulnerable. This has been fixed in version 4.1.59.Final. As a workaround, one may specify a custom "java.io.tmpdir" when starting the JVM or use "DefaultHttpDataFactory.setBaseDir(...)" to set the directory to something that is only readable by the current user.
CWE-378 Creation of Temporary File With Insecure Permissions, CWE-379 Creation of Temporary File in Directory with Incorrect Permissions

CVSSv2:
  • Base Score: LOW (1.9)
  • Vector: /AV:L/AC:M/Au:N/C:P/I:N/A:N
CVSSv3:
  • Base Score: MEDIUM (5.5)
  • Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

References:

Vulnerable Software & Versions:

CVE-2022-24823  

Netty is an open-source, asynchronous event-driven network application framework. The package `io.netty:netty-codec-http` prior to version 4.1.77.Final contains an insufficient fix for CVE-2021-21290. When Netty's multipart decoders are used local information disclosure can occur via the local system temporary directory if temporary storing uploads on the disk is enabled. This only impacts applications running on Java version 6 and lower. Additionally, this vulnerability impacts code running on Unix-like systems, and very old versions of Mac OSX and Windows as they all share the system temporary directory between all users. Version 4.1.77.Final contains a patch for this vulnerability. As a workaround, specify one's own `java.io.tmpdir` when starting the JVM or use DefaultHttpDataFactory.setBaseDir(...) to set the directory to something that is only readable by the current user.
CWE-378 Creation of Temporary File With Insecure Permissions, CWE-379 Creation of Temporary File in Directory with Incorrect Permissions, CWE-668 Exposure of Resource to Wrong Sphere

CVSSv2:
  • Base Score: LOW (1.9)
  • Vector: /AV:L/AC:M/Au:N/C:P/I:N/A:N
CVSSv3:
  • Base Score: MEDIUM (5.5)
  • Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

References:

Vulnerable Software & Versions:

netty-common-4.1.36.Final.jar (shaded: org.jctools:jctools-core:2.1.1)

Description:

Java Concurrency Tools Core Library

License:

Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /root/.m2/repository/io/netty/netty-common/4.1.36.Final/netty-common-4.1.36.Final.jar/META-INF/maven/org.jctools/jctools-core/pom.xml
MD5: d532029de01ef1c790266dea91b1ecdc
SHA1: f9571c65e428d21c795a34de2b217419dfc0e2f7
SHA256: db8f1cd5b23d38e3dcf7020d739e1c2f9559489051291d8a07095e62b8d7f750
Referenced In Project/Scope: livy-integration-test:compile

Identifiers

netty-reactive-streams-2.0.3.jar

Description:

Reactive streams implementation for Netty.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /root/.m2/repository/com/typesafe/netty/netty-reactive-streams/2.0.3/netty-reactive-streams-2.0.3.jar
MD5: febb0012a726e2c1e7ba36ba6e0eb7ff
SHA1: be61d6a731ba66a998c22d96439621716bc30f79
SHA256: dd66261c22d2d19141e5be03909faa3d8fab5cd75b1a799ccc1344f11627f921
Referenced In Project/Scope: livy-integration-test:compile

Identifiers

netty-transport-4.1.36.Final.jar

Description:

Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers and clients.

License:

http://www.apache.org/licenses/LICENSE-2.0
File Path: /root/.m2/repository/io/netty/netty-transport/4.1.36.Final/netty-transport-4.1.36.Final.jar
MD5: 99a444ea18d22bde04e6e4d1fe1446b5
SHA1: 8546e6be47be587acab86bbd106ca023678f07d9
SHA256: eaaf9464f0b1b7e9bb02918598aa78718436e3974b7ffd39f6c6b893200fc5a1
Referenced In Project/Scope: livy-integration-test:compile

Identifiers

CVE-2019-20444  

HttpObjectDecoder.java in Netty before 4.1.44 allows an HTTP header that lacks a colon, which might be interpreted as a separate header with an incorrect syntax, or might be interpreted as an "invalid fold."
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')

CVSSv2:
  • Base Score: MEDIUM (6.4)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:N
CVSSv3:
  • Base Score: CRITICAL (9.1)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

References:

Vulnerable Software & Versions:

CVE-2019-20445  

HttpObjectDecoder.java in Netty before 4.1.44 allows a Content-Length header to be accompanied by a second Content-Length header, or by a Transfer-Encoding header.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')

CVSSv2:
  • Base Score: MEDIUM (6.4)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:N
CVSSv3:
  • Base Score: CRITICAL (9.1)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

References:

Vulnerable Software & Versions:

CVE-2019-16869  

Netty before 4.1.42.Final mishandles whitespace before the colon in HTTP headers (such as a "Transfer-Encoding : chunked" line), which leads to HTTP request smuggling.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

References:

Vulnerable Software & Versions:

CVE-2020-11612  

The ZlibDecoders in Netty 4.1.x before 4.1.46 allow for unbounded memory allocation while decoding a ZlibEncoded byte stream. An attacker could send a large ZlibEncoded byte stream to the Netty server, forcing the server to allocate all of its free memory to a single decoder.
CWE-770 Allocation of Resources Without Limits or Throttling

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:P
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References:

Vulnerable Software & Versions:

CVE-2021-37136  

The Bzip2 decompression decoder function doesn't allow setting size restrictions on the decompressed output data (which affects the allocation size used during decompression). All users of Bzip2Decoder are affected. Malicious input can trigger an OOME and thus a DoS attack.
CWE-400 Uncontrolled Resource Consumption ('Resource Exhaustion')

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:P
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References:

Vulnerable Software & Versions:

CVE-2021-37137  

The Snappy frame decoder function doesn't restrict the chunk length, which may lead to excessive memory usage. Besides this, it also may buffer reserved skippable chunks until the whole chunk has been received, which may lead to excessive memory usage as well. This vulnerability can be triggered by supplying malicious input that decompresses to a very big size (via a network stream or a file) or by sending a huge skippable chunk.
CWE-400 Uncontrolled Resource Consumption ('Resource Exhaustion')

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:P
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References:

Vulnerable Software & Versions:

CVE-2021-43797  

Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. Netty prior to version 4.1.71.Final skips control characters when they are present at the beginning or end of the header name. It should instead fail fast, as these are not allowed by the spec and could lead to HTTP request smuggling. Failing to do the validation might cause Netty to "sanitize" header names before it forwards them to another remote system when used as a proxy. That remote system can't see the invalid usage anymore and therefore does not do the validation itself. Users should upgrade to version 4.1.71.Final.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (6.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

References:

Vulnerable Software & Versions:

CVE-2021-21295  

Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty (io.netty:netty-codec-http2) before version 4.1.60.Final there is a vulnerability that enables request smuggling. If a Content-Length header is present in the original HTTP/2 request, the field is not validated by `Http2MultiplexHandler` as it is propagated up. This is fine as long as the request is not proxied through as HTTP/1.1. If the request comes in as an HTTP/2 stream, gets converted into the HTTP/1.1 domain objects (`HttpRequest`, `HttpContent`, etc.) via `Http2StreamFrameToHttpObjectCodec` and is then sent up to the child channel's pipeline and proxied through to a remote peer as HTTP/1.1, this may result in request smuggling. In a proxy case, users may assume the content-length is validated somehow, which is not the case. If the request is forwarded to a backend channel that is an HTTP/1.1 connection, the Content-Length now has meaning and needs to be checked. An attacker can smuggle requests inside the body as it gets downgraded from HTTP/2 to HTTP/1.1. For an example attack refer to the linked GitHub Advisory. Users are only affected if all of this is true: `HTTP2MultiplexCodec` or `Http2FrameCodec` is used, `Http2StreamFrameToHttpObjectCodec` is used to convert to HTTP/1.1 objects, and these HTTP/1.1 objects are forwarded to another remote peer. This has been patched in 4.1.60.Final. As a workaround, users can do the validation themselves by implementing a custom `ChannelInboundHandler` that is put in the `ChannelPipeline` behind `Http2StreamFrameToHttpObjectCodec`.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')

CVSSv2:
  • Base Score: LOW (2.6)
  • Vector: /AV:N/AC:H/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (5.9)
  • Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

References:

Vulnerable Software & Versions:

CVE-2021-21409  

Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty (io.netty:netty-codec-http2) before version 4.1.61.Final there is a vulnerability that enables request smuggling. The content-length header is not correctly validated if the request only uses a single Http2HeaderFrame with endStream set to true. This could lead to request smuggling if the request is proxied to a remote peer and translated to HTTP/1.1. This is a follow-up to GHSA-wm47-8v5p-wjpj/CVE-2021-21295, which missed this one case. This was fixed as part of 4.1.61.Final.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (5.9)
  • Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

References:

Vulnerable Software & Versions:

CVE-2021-21290  

Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty before version 4.1.59.Final there is a vulnerability on Unix-like systems involving an insecure temp file. When Netty's multipart decoders are used, local information disclosure can occur via the local system temporary directory if temporary storing of uploads on disk is enabled. On Unix-like systems, the temporary directory is shared between all users. As such, writing to this directory using APIs that do not explicitly set the file/directory permissions can lead to information disclosure. Of note, this does not impact modern macOS. The method "File.createTempFile" on Unix-like systems creates a random file but, by default, creates it with the permissions "-rw-r--r--". Thus, if sensitive information is written to this file, other local users can read it. This is the case in Netty's "AbstractDiskHttpData", which is therefore vulnerable. This has been fixed in version 4.1.59.Final. As a workaround, one may specify a custom "java.io.tmpdir" when starting the JVM or use "DefaultHttpDataFactory.setBaseDir(...)" to set the directory to something that is only readable by the current user.
CWE-378 Creation of Temporary File With Insecure Permissions, CWE-379 Creation of Temporary File in Directory with Incorrect Permissions

CVSSv2:
  • Base Score: LOW (1.9)
  • Vector: /AV:L/AC:M/Au:N/C:P/I:N/A:N
CVSSv3:
  • Base Score: MEDIUM (5.5)
  • Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

References:

Vulnerable Software & Versions:

CVE-2022-24823  

Netty is an open-source, asynchronous event-driven network application framework. The package `io.netty:netty-codec-http` prior to version 4.1.77.Final contains an insufficient fix for CVE-2021-21290. When Netty's multipart decoders are used local information disclosure can occur via the local system temporary directory if temporary storing uploads on the disk is enabled. This only impacts applications running on Java version 6 and lower. Additionally, this vulnerability impacts code running on Unix-like systems, and very old versions of Mac OSX and Windows as they all share the system temporary directory between all users. Version 4.1.77.Final contains a patch for this vulnerability. As a workaround, specify one's own `java.io.tmpdir` when starting the JVM or use DefaultHttpDataFactory.setBaseDir(...) to set the directory to something that is only readable by the current user.
CWE-378 Creation of Temporary File With Insecure Permissions, CWE-379 Creation of Temporary File in Directory with Incorrect Permissions, CWE-668 Exposure of Resource to Wrong Sphere

CVSSv2:
  • Base Score: LOW (1.9)
  • Vector: /AV:L/AC:M/Au:N/C:P/I:N/A:N
CVSSv3:
  • Base Score: MEDIUM (5.5)
  • Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

References:

Vulnerable Software & Versions:

objenesis-2.5.1.jar

Description:

A library for instantiating Java objects

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /root/.m2/repository/org/objenesis/objenesis/2.5.1/objenesis-2.5.1.jar
MD5: 84b9e3191629e53abbb05a92c683c617
SHA1: 272bab9a4e5994757044d1fc43ce480c8cb907a4
SHA256: b043f03e466752f7f03e2326a3b13a49b7c649f8f2a2dc87715827e24f73d9c6
Referenced In Projects/Scopes:
  • livy-scala-api_2.12:provided
  • livy-repl-parent:compile
  • livy-test-lib:provided
  • livy-client-common:compile
  • livy-rsc:compile
  • livy-api:provided
  • livy-core-parent:compile
  • livy-repl_2.11:compile
  • livy-scala-api_2.11:provided
  • livy-scala-api-parent:provided
  • livy-coverage-report:compile
  • livy-assembly:compile
  • livy-repl_2.12:compile
  • livy-server:compile
  • livy-core_2.11:compile
  • livy-core_2.12:compile
  • livy-examples:compile
  • livy-client-http:compile

Identifiers

objenesis-2.5.jar

Description:

A library for instantiating Java objects

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /root/.m2/repository/org/objenesis/objenesis/2.5/objenesis-2.5.jar
MD5: 65daddc231144b94cd66e7962e04e391
SHA1: 612ecb799912ccf77cba9b3ed8c813da086076e9
SHA256: 293328e1b0d31ed30bb89fca542b6c52fac00989bb0e62eb9d98d630c4dd6b7c
Referenced In Project/Scope: livy-integration-test:compile

Identifiers

opencsv-2.3.jar

Description:

A simple library for reading and writing CSV in Java

License:

Apache 2: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /root/.m2/repository/net/sf/opencsv/opencsv/2.3/opencsv-2.3.jar
MD5: 9eebabaa007dc329845e5ab3c12b4e6b
SHA1: c23708cdb9e80a144db433e23344a788a1fd6599
SHA256: dc0ba5bff6140dc92339973026a0ecbddc2a3b01bdd46ed9d16becc2f6d78de6
Referenced In Projects/Scopes:
  • livy-scala-api_2.12:provided
  • livy-scala-api_2.11:provided
  • livy-scala-api-parent:provided
  • livy-repl_2.12:provided
  • livy-rsc:provided
  • livy-repl-parent:provided
  • livy-test-lib:provided
  • livy-repl_2.11:provided
  • livy-examples:compile
  • livy-api:provided

Identifiers

orc-core-1.5.5-nohive.jar (shaded: org.apache.hive:hive-storage-api:2.6.0)

File Path: /root/.m2/repository/org/apache/orc/orc-core/1.5.5/orc-core-1.5.5-nohive.jar/META-INF/maven/org.apache.hive/hive-storage-api/pom.xml
MD5: bdb5d6de24941146e492df6bde461a4d
SHA1: 5e493551e9a147fb3fdab0181a948a1791531c54
SHA256: a0cf80e31e42e8fe3d22aedb56b02f019c71eee314fca4f2afd4dd6b911ee761
Referenced In Projects/Scopes:

  • livy-scala-api_2.12:provided
  • livy-scala-api_2.11:provided
  • livy-scala-api-parent:provided
  • livy-repl_2.12:provided
  • livy-rsc:provided
  • livy-repl-parent:provided
  • livy-test-lib:provided
  • livy-repl_2.11:provided
  • livy-examples:compile
  • livy-api:provided

Identifiers

CVE-2021-4125  

It was found that the original fix for log4j CVE-2021-44228 and CVE-2021-45046 in the OpenShift metering hive containers was incomplete, as not all JndiLookup.class files were removed. This CVE only applies to the OpenShift Metering hive container images, shipped in OpenShift 4.8, 4.7 and 4.6.
CWE-502 Deserialization of Untrusted Data

CVSSv3:
  • Base Score: HIGH (8.1)
  • Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions:

CVE-2021-34538  

Apache Hive before 3.1.3 "CREATE" and "DROP" function operations do not check for the necessary authorization of the entities involved in the query. It was found that an unauthorized user can manipulate an existing UDF without having the privileges to do so. This allowed unauthorized or underprivileged users to drop and recreate UDFs, pointing them to new jars that could be potentially malicious.
CWE-306 Missing Authentication for Critical Function

CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

References:

Vulnerable Software & Versions:

orc-core-1.5.5-nohive.jar

Description:

The core reader and writer for ORC files. Uses the vectorized column batch for the in-memory representation.

File Path: /root/.m2/repository/org/apache/orc/orc-core/1.5.5/orc-core-1.5.5-nohive.jar
MD5: 607fa8be42c6687aaaab3adf80136501
SHA1: 031c4c6c741a558d68c76c4cf88fb06fdca82adc
SHA256: 1ed6d28ff4880021a00e2fe9410483f0cf68e5731e53d13dc9290f77f92587b4
Referenced In Projects/Scopes:

  • livy-scala-api_2.12:provided
  • livy-scala-api_2.11:provided
  • livy-scala-api-parent:provided
  • livy-repl_2.12:provided
  • livy-rsc:provided
  • livy-repl-parent:provided
  • livy-test-lib:provided
  • livy-repl_2.11:provided
  • livy-examples:compile
  • livy-api:provided

Identifiers

org.apache.livy:livy-api:0.8.0-incubating-SNAPSHOT

Description:

Livy Project

License:

The Apache Software License, Version 2.0 http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /workspace/api/pom.xml

Referenced In Projects/Scopes:
  • livy-core-parent
  • livy-repl_2.11
  • livy-coverage-report
  • livy-test-lib
  • livy-scala-api-parent
  • livy-core_2.12
  • livy-scala-api_2.11
  • livy-client-common
  • livy-integration-test
  • livy-core_2.11
  • livy-scala-api_2.12
  • livy-repl-parent
  • livy-client-http
  • livy-repl_2.12
  • livy-assembly
  • livy-rsc
  • livy-server
  • livy-examples

Identifiers

org.apache.livy:livy-client-common:0.8.0-incubating-SNAPSHOT

Description:

Livy Project

License:

The Apache Software License, Version 2.0 http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /workspace/client-common/pom.xml

Referenced In Projects/Scopes:
  • livy-core-parent
  • livy-repl_2.11
  • livy-coverage-report
  • livy-core_2.12
  • livy-integration-test
  • livy-core_2.11
  • livy-repl-parent
  • livy-client-http
  • livy-repl_2.12
  • livy-assembly
  • livy-rsc
  • livy-server
  • livy-examples

Identifiers

org.apache.livy:livy-client-http:0.8.0-incubating-SNAPSHOT

Description:

Livy Project

License:

The Apache Software License, Version 2.0 http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /workspace/client-http/pom.xml

Referenced In Projects/Scopes:
  • livy-coverage-report
  • livy-examples

Identifiers

org.apache.livy:livy-core_2.11:0.8.0-incubating-SNAPSHOT

Description:

Livy Project

License:

The Apache Software License, Version 2.0 http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /workspace/core/scala-2.11/pom.xml

Referenced In Projects/Scopes:
  • livy-integration-test
  • livy-repl-parent
  • livy-repl_2.11
  • livy-coverage-report
  • livy-assembly
  • livy-rsc
  • livy-server

Identifiers

org.apache.livy:livy-core_2.12:0.8.0-incubating-SNAPSHOT

Description:

Livy Project

License:

The Apache Software License, Version 2.0 http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /workspace/core/scala-2.12/pom.xml

Referenced In Projects/Scopes:
  • livy-coverage-report
  • livy-repl_2.12
  • livy-assembly

Identifiers

org.apache.livy:livy-repl_2.11:0.8.0-incubating-SNAPSHOT

Description:

Livy Project

License:

The Apache Software License, Version 2.0 http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /workspace/repl/scala-2.11/pom.xml

Referenced In Projects/Scopes:
  • livy-coverage-report
  • livy-assembly

Identifiers

org.apache.livy:livy-repl_2.12:0.8.0-incubating-SNAPSHOT

Description:

Livy Project

License:

The Apache Software License, Version 2.0 http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /workspace/repl/scala-2.12/pom.xml

Referenced In Projects/Scopes:
  • livy-coverage-report
  • livy-assembly

Identifiers

org.apache.livy:livy-rsc:0.8.0-incubating-SNAPSHOT

Description:

Livy Project

License:

The Apache Software License, Version 2.0 http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /workspace/rsc/pom.xml

Referenced In Projects/Scopes:
  • livy-integration-test
  • livy-repl-parent
  • livy-repl_2.11
  • livy-coverage-report
  • livy-repl_2.12
  • livy-assembly
  • livy-server

Identifiers

org.apache.livy:livy-scala-api_2.11:0.8.0-incubating-SNAPSHOT

Description:

Livy Project

License:

The Apache Software License, Version 2.0 http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /workspace/scala-api/scala-2.11/pom.xml

Referenced In Projects/Scopes:
  • livy-coverage-report
  • livy-examples

Identifiers

org.apache.livy:livy-scala-api_2.12:0.8.0-incubating-SNAPSHOT

Description:

Livy Project

License:

The Apache Software License, Version 2.0 http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /workspace/scala-api/scala-2.12/pom.xml

Referenced In Project/Scope: livy-coverage-report

Identifiers

org.apache.livy:livy-server:0.8.0-incubating-SNAPSHOT

Description:

Livy Project

License:

The Apache Software License, Version 2.0 http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /workspace/server/pom.xml

Referenced In Projects/Scopes:
  • livy-integration-test
  • livy-coverage-report
  • livy-assembly

Identifiers

oro-2.0.8.jar

File Path: /root/.m2/repository/oro/oro/2.0.8/oro-2.0.8.jar
MD5: 42e940d5d2d822f4dc04c65053e630ab
SHA1: 5592374f834645c4ae250f4c9fbb314c9369d698
SHA256:e00ccdad5df7eb43fdee44232ef64602bf63807c2d133a7be83ba09fd49af26e
Referenced In Projects/Scopes:
  • livy-scala-api_2.12:provided
  • livy-scala-api_2.11:provided
  • livy-scala-api-parent:provided
  • livy-repl_2.12:provided
  • livy-rsc:provided
  • livy-repl-parent:provided
  • livy-test-lib:provided
  • livy-repl_2.11:provided
  • livy-examples:compile
  • livy-api:provided

Identifiers

osgi-resource-locator-1.0.1.jar

Description:

See http://wiki.glassfish.java.net/Wiki.jsp?page=JdkSpiOsgi for more information.

License:

https://glassfish.dev.java.net/nonav/public/CDDL+GPL.html
File Path: /root/.m2/repository/org/glassfish/hk2/osgi-resource-locator/1.0.1/osgi-resource-locator-1.0.1.jar
MD5: 51e70ad8fc9d1e9fb19debeb55555b75
SHA1: 4ed2b2d4738aed5786cfa64cba5a332779c4c708
SHA256:775003be577e8806f51b6e442be1033d83be2cb2207227b349be0bf16e6c0843
Referenced In Projects/Scopes:
  • livy-scala-api_2.12:provided
  • livy-scala-api_2.11:provided
  • livy-scala-api-parent:provided
  • livy-repl_2.12:provided
  • livy-rsc:provided
  • livy-repl-parent:provided
  • livy-test-lib:provided
  • livy-repl_2.11:provided
  • livy-examples:compile
  • livy-api:provided

Identifiers

paranamer-2.8.jar

Description:

Paranamer allows runtime access to constructor and method parameter names for Java classes

License:

LICENSE.txt
File Path: /root/.m2/repository/com/thoughtworks/paranamer/paranamer/2.8/paranamer-2.8.jar
MD5: f213c72b67d4850f17a4a3e9064904de
SHA1: 619eba74c19ccf1da8ebec97a2d7f8ba05773dd6
SHA256:688cb118a6021d819138e855208c956031688be4b47a24bb615becc63acedf07
Referenced In Projects/Scopes:
  • livy-scala-api_2.12:provided
  • livy-integration-test:compile
  • livy-rsc:provided
  • livy-repl-parent:compile
  • livy-test-lib:provided
  • livy-api:provided
  • livy-repl_2.11:compile
  • livy-scala-api_2.11:provided
  • livy-scala-api-parent:provided
  • livy-coverage-report:compile
  • livy-assembly:compile
  • livy-repl_2.12:compile
  • livy-server:compile
  • livy-examples:compile

Identifiers

parquet-column-1.10.1.jar

File Path: /root/.m2/repository/org/apache/parquet/parquet-column/1.10.1/parquet-column-1.10.1.jar
MD5: 1f9dd05a9c588c54bd6fb7512de28240
SHA1: 10999fbe40cd5d26e7e800a9cf8e6cc0fcf1c99e
SHA256:7f60ce075164dca7ff2bb91ee4248bb1f319052924e21b1ce45f2f11f9ebd9e5
Referenced In Projects/Scopes:
  • livy-scala-api_2.12:provided
  • livy-scala-api_2.11:provided
  • livy-scala-api-parent:provided
  • livy-repl_2.12:provided
  • livy-rsc:provided
  • livy-repl-parent:provided
  • livy-test-lib:provided
  • livy-repl_2.11:provided
  • livy-examples:compile
  • livy-api:provided

Identifiers

CVE-2021-41561  

Improper Input Validation vulnerability in Parquet-MR of Apache Parquet allows an attacker to DoS by malicious Parquet files. This issue affects Apache Parquet-MR version 1.9.0 and later versions.
CWE-20 Improper Input Validation

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:P
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References:

Vulnerable Software & Versions:

parquet-format-2.4.0.jar

Description:

Parquet is a columnar storage format that supports nested data. This provides all generated metadata code.

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /root/.m2/repository/org/apache/parquet/parquet-format/2.4.0/parquet-format-2.4.0.jar
MD5: 694f51066294bd941a3f24fe870ec9f6
SHA1: d4508d385899dfb2dcecdc08fc5e4a5e6b747057
SHA256:de350bcac7b69af274db38ffe4892ab64291dbe1c66fdbec1fb5ef3ef8b98efa
Referenced In Projects/Scopes:
  • livy-scala-api_2.12:provided
  • livy-scala-api_2.11:provided
  • livy-scala-api-parent:provided
  • livy-repl_2.12:provided
  • livy-rsc:provided
  • livy-repl-parent:provided
  • livy-test-lib:provided
  • livy-repl_2.11:provided
  • livy-examples:compile
  • livy-api:provided

Identifiers

parquet-hadoop-bundle-1.6.0.jar (shaded: com.twitter:parquet-column:1.6.0)

File Path: /root/.m2/repository/com/twitter/parquet-hadoop-bundle/1.6.0/parquet-hadoop-bundle-1.6.0.jar/META-INF/maven/com.twitter/parquet-column/pom.xml
MD5: 0b96517e31ca064f1b7f698a85fda8b7
SHA1: b708d7cb139d5ac965150841a8238e5755478c9b
SHA256:c6282b0cca120757f402e1501f1da75b5695ea70704479daa87ce925a0d62133
Referenced In Projects/Scopes:
  • livy-scala-api_2.12:provided
  • livy-scala-api_2.11:provided
  • livy-scala-api-parent:provided
  • livy-repl_2.12:provided
  • livy-rsc:provided
  • livy-repl-parent:provided
  • livy-test-lib:provided
  • livy-repl_2.11:provided
  • livy-examples:compile
  • livy-api:provided

Identifiers

CVE-2021-41561  

Improper Input Validation vulnerability in Parquet-MR of Apache Parquet allows an attacker to DoS by malicious Parquet files. This issue affects Apache Parquet-MR version 1.9.0 and later versions.
CWE-20 Improper Input Validation

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:P
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References:

Vulnerable Software & Versions:

parquet-hadoop-bundle-1.6.0.jar (shaded: com.twitter:parquet-format:2.2.0-rc1)

Description:

Parquet is a columnar storage format that supports nested data. This provides all generated metadata code.

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /root/.m2/repository/com/twitter/parquet-hadoop-bundle/1.6.0/parquet-hadoop-bundle-1.6.0.jar/META-INF/maven/com.twitter/parquet-format/pom.xml
MD5: 55d1df47887cc578e0897e5125df1fa5
SHA1: 268f5420adf2e8cd42881fcf5ad83493a8cc7f69
SHA256:50b96fa214f911048b30e4382813322d8f1cd7149aba746625da76f2558a5d18
Referenced In Projects/Scopes:
  • livy-scala-api_2.12:provided
  • livy-scala-api_2.11:provided
  • livy-scala-api-parent:provided
  • livy-repl_2.12:provided
  • livy-rsc:provided
  • livy-repl-parent:provided
  • livy-test-lib:provided
  • livy-repl_2.11:provided
  • livy-examples:compile
  • livy-api:provided

Identifiers

parquet-hadoop-bundle-1.6.0.jar (shaded: org.slf4j:slf4j-api:1.7.2)

Description:

The slf4j API

File Path: /root/.m2/repository/com/twitter/parquet-hadoop-bundle/1.6.0/parquet-hadoop-bundle-1.6.0.jar/META-INF/maven/org.slf4j/slf4j-api/pom.xml
MD5: 71f03f1293831ab1462ab5436b1e9ca3
SHA1: 3fceb45ce8f7a6f87f3f2077a24a3833d1ecb4c6
SHA256:2eaca71afe0a1516f4abd8e9ff907838d268f38c81c3a542cce8d7f3b87c5d4c
Referenced In Projects/Scopes:
  • livy-scala-api_2.12:provided
  • livy-scala-api_2.11:provided
  • livy-scala-api-parent:provided
  • livy-repl_2.12:provided
  • livy-rsc:provided
  • livy-repl-parent:provided
  • livy-test-lib:provided
  • livy-repl_2.11:provided
  • livy-examples:compile
  • livy-api:provided

Identifiers

parquet-hadoop-bundle-1.6.0.jar

File Path: /root/.m2/repository/com/twitter/parquet-hadoop-bundle/1.6.0/parquet-hadoop-bundle-1.6.0.jar
MD5: f8ddd880590e8e1a239e3c54c8eebc18
SHA1: b5ac7d2781de212c84420962723093cd17cefd72
SHA256:2016abf10040c5eb7b4ff1f4b922d13121f1438199ee8eb85341c7ba1816cedc
Referenced In Projects/Scopes:
  • livy-scala-api_2.12:provided
  • livy-scala-api_2.11:provided
  • livy-scala-api-parent:provided
  • livy-repl_2.12:provided
  • livy-rsc:provided
  • livy-repl-parent:provided
  • livy-test-lib:provided
  • livy-repl_2.11:provided
  • livy-examples:compile
  • livy-api:provided

Identifiers

CVE-2022-26612  

In Apache Hadoop, the unTar function uses the unTarUsingJava function on Windows and the built-in tar utility on Unix and other OSes. As a result, a TAR entry may create a symlink under the expected extraction directory which points to an external directory. A subsequent TAR entry may extract an arbitrary file into the external directory using the symlink name. This would be caught by the same targetDirPath check on Unix because of the getCanonicalPath call. However, on Windows getCanonicalPath doesn't resolve symbolic links, which bypasses the check. unpackEntries during TAR extraction follows symbolic links, which allows writing outside the expected base directory on Windows. This was addressed in Apache Hadoop 3.2.3.
CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVSSv2:
  • Base Score: HIGH (7.5)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions:

CVE-2021-41561  

Improper Input Validation vulnerability in Parquet-MR of Apache Parquet allows an attacker to DoS by malicious Parquet files. This issue affects Apache Parquet-MR version 1.9.0 and later versions.
CWE-20 Improper Input Validation

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:P
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References:

Vulnerable Software & Versions:

CVE-2017-3162  

HDFS clients interact with a servlet on the DataNode to browse the HDFS namespace. The NameNode is provided as a query parameter that is not validated in Apache Hadoop before 2.7.0.
CWE-20 Improper Input Validation

CVSSv2:
  • Base Score: HIGH (7.5)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSSv3:
  • Base Score: HIGH (7.3)
  • Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

References:

Vulnerable Software & Versions:

CVE-2017-3161  

The HDFS web UI in Apache Hadoop before 2.7.0 is vulnerable to a cross-site scripting (XSS) attack through an unescaped query parameter.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (6.1)
  • Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

References:

Vulnerable Software & Versions:

CVE-2016-5001  

This is an information disclosure vulnerability in Apache Hadoop before 2.6.4 and 2.7.x before 2.7.2 in the short-circuit reads feature of HDFS. A local user on an HDFS DataNode may be able to craft a block token that grants unauthorized read access to random files by guessing certain fields in the token.
CWE-200 Information Exposure

CVSSv2:
  • Base Score: LOW (2.1)
  • Vector: /AV:L/AC:L/Au:N/C:P/I:N/A:N
CVSSv3:
  • Base Score: MEDIUM (5.5)
  • Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

References:

Vulnerable Software & Versions:

profiler-1.0.2.jar

Description:

A pure-java implementation of the twitter/util project's `CpuProfile` and related classes.

License:

The Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /root/.m2/repository/com/papertrail/profiler/1.0.2/profiler-1.0.2.jar
MD5: b6cb78e7d8a5c4ed1ad259afc4f7c793
SHA1: 138093a4ed2da6f0b07a2a2335584bd5a7d53bff
SHA256:188ec41349472a0c50fbe7e4cdcc6d6c8968ad6cd9047effeaa6a5c111f9074d
Referenced In Projects/Scopes:
  • livy-integration-test:compile
  • livy-coverage-report:compile
  • livy-assembly:compile
  • livy-server:compile

Identifiers

protobuf-java-2.5.0.jar

Description:

Protocol Buffers are a way of encoding structured data in an efficient yet extensible format.

License:

New BSD license: http://www.opensource.org/licenses/bsd-license.php
File Path: /root/.m2/repository/com/google/protobuf/protobuf-java/2.5.0/protobuf-java-2.5.0.jar
MD5: a44473b98947e2a54c54e0db1387d137
SHA1: a10732c76bfacdbd633a7eb0f7968b1059a65dfa
SHA256:e0c1c64575c005601725e7c6a02cebf9e1285e888f756b2a1d73ffa8d725cc74
Referenced In Projects/Scopes:
  • livy-scala-api_2.12:provided
  • livy-integration-test:compile
  • livy-rsc:provided
  • livy-repl-parent:provided
  • livy-test-lib:provided
  • livy-api:provided
  • livy-scala-api_2.11:provided
  • livy-scala-api-parent:provided
  • livy-coverage-report:compile
  • livy-assembly:compile
  • livy-repl_2.12:provided
  • livy-server:compile
  • livy-repl_2.11:provided
  • livy-examples:compile

Identifiers

CVE-2022-3171  

A parsing issue with binary data in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a denial of service attack. Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown fields cause objects to be converted back and forth between mutable and immutable forms, resulting in potentially long garbage collection pauses. We recommend updating to the versions mentioned above.
NVD-CWE-noinfo

CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References:

Vulnerable Software & Versions:

CVE-2022-3509 (OSSINDEX)  

protobuf-java - Denial of Service (DoS)
CWE-20 Improper Input Validation

CVSSv2:
  • Base Score: HIGH (7.5)
  • Vector: /AV:N/AC:L/Au:/C:N/I:N/A:H

References:

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:com.google.protobuf:protobuf-java:2.5.0:*:*:*:*:*:*:*

CVE-2021-22569  

An issue in protobuf-java allowed the interleaving of com.google.protobuf.UnknownFieldSet fields in such a way that would be processed out of order. A small malicious payload can occupy the parser for several minutes by creating large numbers of short-lived objects that cause frequent, repeated pauses. We recommend upgrading libraries beyond the vulnerable versions.
NVD-CWE-noinfo

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:N/A:P
CVSSv3:
  • Base Score: MEDIUM (5.5)
  • Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

References:

Vulnerable Software & Versions:

py4j-0.10.7.jar

Description:

Py4J enables Python programs running in a Python interpreter to dynamically access Java objects in a Java Virtual Machine. Methods are called as if the Java objects resided in the Python interpreter and Java collections can be accessed through standard Python collection methods. Py4J also enables Java programs to call back Python objects.

License:

The New BSD License: http://www.opensource.org/licenses/bsd-license.html
File Path: /root/.m2/repository/net/sf/py4j/py4j/0.10.7/py4j-0.10.7.jar
MD5: 51552359047812808cde255ef38e78d2
SHA1: e733e888c2e798ea15802f12a9f3130949ca741f
SHA256:49d1e3e86532a6c68c399fb83508603ebeeb9b942e0cf301db71c7987fd4dfcb
Referenced In Projects/Scopes:
  • livy-scala-api_2.12:provided
  • livy-scala-api_2.11:provided
  • livy-scala-api-parent:provided
  • livy-repl_2.12:provided
  • livy-rsc:provided
  • livy-repl-parent:provided
  • livy-test-lib:provided
  • livy-repl_2.11:provided
  • livy-examples:compile
  • livy-api:provided

Identifiers

pyrolite-4.13.jar

Description:

This library allows your Java program to interface very easily with the Python world. It uses the Pyro protocol to call methods on remote objects. (See https://github.com/irmen/Pyro4). To that end, it also contains and uses a feature complete pickle protocol implementation -read and write- to exchange data with Pyro/Python.

Pyrolite only implements part of the client side Pyro library, hence its name 'lite'. But because Pyrolite has no dependencies, it is a much lighter way to use Pyro from Java/.NET than a solution with Jython+Pyro or IronPython+Pyro would provide. So if you don't need Pyro's full feature set, and don't require your Java/.NET code to host Pyro objects itself, Pyrolite may be a good choice to connect Java or .NET and Python.
Version 4.13 can now register a custom pickler for an inheritance tree of interfaces or an abstract base class.

License:

MIT License: https://raw.githubusercontent.com/irmen/Pyrolite/master/LICENSE
File Path: /root/.m2/repository/net/razorvine/pyrolite/4.13/pyrolite-4.13.jar
MD5: b4ab074cb07e995bcbd203c72e5efa1d
SHA1: b71a4668b0c4194486832fe7ce161eed2d0d12cb
SHA256:4ba424d328cbd7a6ff73108cce40d3cc376eef602b947e57fdc782171d92e463
Referenced In Projects/Scopes:
  • livy-scala-api_2.12:provided
  • livy-scala-api_2.11:provided
  • livy-scala-api-parent:provided
  • livy-repl_2.12:provided
  • livy-rsc:provided
  • livy-repl-parent:provided
  • livy-test-lib:provided
  • livy-repl_2.11:provided
  • livy-examples:compile
  • livy-api:provided

Identifiers

reactive-streams-1.0.2.jar

Description:

A Protocol for Asynchronous Non-Blocking Data Sequence

License:

CC0: http://creativecommons.org/publicdomain/zero/1.0/
File Path: /root/.m2/repository/org/reactivestreams/reactive-streams/1.0.2/reactive-streams-1.0.2.jar
MD5: 022ff8ca0101daeb35c8df9b120ff99e
SHA1: 323964c36556eb0e6209f65c1cef72b53b461ab8
SHA256:cc09ab0b140e0d0496c2165d4b32ce24f4d6446c0a26c5dc77b06bdf99ee8fae
Referenced In Project/Scope: livy-integration-test:compile

Identifiers

scala-compiler-2.11.12.jar (shaded: jline:jline:2.14.3)

License:

The BSD License: http://www.opensource.org/licenses/bsd-license.php
File Path: /root/.m2/repository/org/scala-lang/scala-compiler/2.11.12/scala-compiler-2.11.12.jar/META-INF/maven/jline/jline/pom.xml
MD5: 6f323a86fb397559d2a3b40149062a14
SHA1: ce2bf8d2c9c41583d06dff1be46268c39d8f5ee5
SHA256:289f90f55140af99a74cd6c20234f0dc6130463484a2ed5744035825ee3568aa
Referenced In Projects/Scopes:
  • livy-repl-parent:provided
  • livy-repl_2.11:provided

Identifiers

scala-compiler-2.11.12.jar

Description:

Compiler for the Scala Programming Language

License:

BSD 3-Clause: http://www.scala-lang.org/license.html
File Path: /root/.m2/repository/org/scala-lang/scala-compiler/2.11.12/scala-compiler-2.11.12.jar
MD5: a014622503fb7c4326ee84ce7a01c490
SHA1: a1b5e58fd80cb1edc1413e904a346bfdb3a88333
SHA256:3e892546b72ab547cb77de4d840bcfd05c853e73390fed7370a8f19acb0735a0
Referenced In Projects/Scopes:
  • livy-repl-parent:provided
  • livy-repl_2.11:provided

Identifiers

CVE-2012-6708 (OSSINDEX)  

JQuery - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv2:
  • Base Score: MEDIUM (6.1)
  • Vector: /AV:N/AC:L/Au:/C:L/I:L/A:N

References:

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:org.scala-lang:scala-compiler:2.11.12:*:*:*:*:*:*:*

CVE-2015-9251 (OSSINDEX)  

jQuery - Cross-Site Scripting (XSS) [CVE-2015-9251]

The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv3:
  • Base Score: MEDIUM (6.1)
  • Vector: CVSS:/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

References:

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:org.scala-lang:scala-compiler:2.11.12:*:*:*:*:*:*:*

CVE-2019-11358 (OSSINDEX)  

jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable __proto__ property, it could extend the native Object.prototype.
CWE-1321 Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

CVSSv2:
  • Base Score: MEDIUM (6.1)
  • Vector: /AV:N/AC:L/Au:/C:L/I:L/A:N

References:

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:org.scala-lang:scala-compiler:2.11.12:*:*:*:*:*:*:*

CVE-2020-11023 (OSSINDEX)  

In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing <option> elements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv2:
  • Base Score: MEDIUM (6.1)
  • Vector: /AV:N/AC:L/Au:/C:L/I:L/A:N

References:

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:org.scala-lang:scala-compiler:2.11.12:*:*:*:*:*:*:*

CVE-2020-7656 (OSSINDEX)  

jQuery prior to 1.9.0 allows Cross-site Scripting attacks via the load method. The load method fails to recognize and remove "<script>" HTML tags that contain a whitespace character, i.e. "</script >", which results in the enclosed script logic being executed.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv2:
  • Base Score: MEDIUM (6.1)
  • Vector: /AV:N/AC:L/Au:/C:L/I:L/A:N

References:

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:org.scala-lang:scala-compiler:2.11.12:*:*:*:*:*:*:*

scala-compiler-2.11.12.jar: diagrams.js

File Path: /root/.m2/repository/org/scala-lang/scala-compiler/2.11.12/scala-compiler-2.11.12.jar/scala/tools/nsc/doc/html/resource/lib/diagrams.js
MD5: d848f67d1c7a1ca4bb026499648f7c3b
SHA1: a061d967fc0094d407fc7a25a9825570997b0a6c
SHA256:f5c001406ea4d8b88a301d33cf5841869d8c2a9d127853416d0b0df01a6fcefa
Referenced In Projects/Scopes:
  • livy-repl-parent:provided
  • livy-repl_2.11:provided

Identifiers

  • None

scala-compiler-2.11.12.jar: index.js

File Path: /root/.m2/repository/org/scala-lang/scala-compiler/2.11.12/scala-compiler-2.11.12.jar/scala/tools/nsc/doc/html/resource/lib/index.js
MD5: 22daf0417dcd85260677dda1ea258731
SHA1: 23b1437de3bf73140ddbf0346899f0c475efc568
SHA256:2bfe4678308bf8b4b96a3385a5e85b0c0a799087e1a9af9183c5d4cf2c852108
Referenced In Projects/Scopes:
  • livy-repl-parent:provided
  • livy-repl_2.11:provided

Identifiers

  • None

scala-compiler-2.11.12.jar: jansi.dll

File Path: /root/.m2/repository/org/scala-lang/scala-compiler/2.11.12/scala-compiler-2.11.12.jar/META-INF/native/windows32/jansi.dll
MD5: 83fdcbb296f9732176748e443c7637a5
SHA1: f91fda2c7f9f485db21a50c05ff3a65c1fa20090
SHA256:7db0fdba01b93f8d45c8fa9ba949f424efb0361d6f8af5561d769378d8b3a1ac
Referenced In Projects/Scopes:
  • livy-repl_2.12:provided
  • livy-repl-parent:provided
  • livy-repl_2.11:provided

Identifiers

  • None

scala-compiler-2.11.12.jar: jansi.dll

File Path: /root/.m2/repository/org/scala-lang/scala-compiler/2.11.12/scala-compiler-2.11.12.jar/META-INF/native/windows64/jansi.dll
MD5: b009262ec2c7e84839af9729b752f14e
SHA1: 8d96f40da8970ddd48af4517512a0fdd077c33da
SHA256:daed7ea5b66bce3821742564af812b6f4e25939b3d273ed5a156ba7c92c452dc
Referenced In Projects/Scopes:
  • livy-repl_2.12:provided
  • livy-repl-parent:provided
  • livy-repl_2.11:provided

Identifiers

  • None

scala-compiler-2.11.12.jar: jquery-ui.js

File Path: /root/.m2/repository/org/scala-lang/scala-compiler/2.11.12/scala-compiler-2.11.12.jar/scala/tools/nsc/doc/html/resource/lib/jquery-ui.js
MD5: 2e5cf7e1e4b6ad05bfb6aead63f372f9
SHA1: 81269986fe3d866d0430312c1dc18a718cc2d728
SHA256:f6c8f3c1c946e8a5b8d6e129c833fbd680159b53f2413e218675e0e9a72e6c2e
Referenced In Projects/Scopes:
  • livy-repl-parent:provided
  • livy-repl_2.11:provided

Identifiers

CVE-2016-7103  

Cross-site scripting (XSS) vulnerability in jQuery UI before 1.12.0 might allow remote attackers to inject arbitrary web script or HTML via the closeText parameter of the dialog function.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (6.1)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

References:

Vulnerable Software & Versions (NVD):

CVE-2021-41182  

jQuery-UI is the official jQuery user interface library. Prior to version 1.13.0, accepting the value of the `altField` option of the Datepicker widget from untrusted sources may execute untrusted code. The issue is fixed in jQuery UI 1.13.0. Any string value passed to the `altField` option is now treated as a CSS selector. A workaround is to not accept the value of the `altField` option from untrusted sources.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (6.1)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

References:

Vulnerable Software & Versions (NVD):

CVE-2021-41183  

jQuery-UI is the official jQuery user interface library. Prior to version 1.13.0, accepting the value of various `*Text` options of the Datepicker widget from untrusted sources may execute untrusted code. The issue is fixed in jQuery UI 1.13.0. The values passed to various `*Text` options are now always treated as pure text, not HTML. A workaround is to not accept the value of the `*Text` options from untrusted sources.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (6.1)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

References:

Vulnerable Software & Versions (NVD):

  • cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:* versions from (including) 7.0; versions up to (excluding) 7.86
  • cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:* versions from (including) 9.2.0; versions up to (excluding) 9.2.11
  • cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:* versions from (including) 9.3.0; versions up to (excluding) 9.3.3
  • cpe:2.3:a:jquery:jquery_ui:*:*:*:*:*:*:*:* versions up to (excluding) 1.13.0
  • cpe:2.3:a:oracle:agile_plm:9.3.6:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:application_express:*:*:*:*:*:*:*:* versions up to (excluding) 22.1.1
  • cpe:2.3:a:oracle:banking_platform:2.9.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:banking_platform:2.12.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:big_data_spatial_and_graph:*:*:*:*:*:*:*:* versions up to (excluding) 23.1
  • cpe:2.3:a:oracle:big_data_spatial_and_graph:23.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_interactive_session_recorder:6.4:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_operations_monitor:4.3:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_operations_monitor:4.4:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_operations_monitor:5.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:hospitality_inventory_management:9.1.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:hospitality_suite8:*:*:*:*:*:*:*:* versions from (including) 8.11.0; versions up to (including) 11.14.0
  • cpe:2.3:a:oracle:hospitality_suite8:8.10.2:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools:*:*:*:*:*:*:*:* versions up to (including) 9.2.6.3
  • cpe:2.3:a:oracle:mysql_enterprise_monitor:*:*:*:*:*:*:*:* versions up to (including) 8.0.29
  • cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.58:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.59:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:policy_automation:*:*:*:*:*:*:*:* versions from (including) 12.2.0; versions up to (including) 12.2.5
  • cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:* versions from (including) 17.7; versions up to (including) 17.12
  • cpe:2.3:a:oracle:primavera_gateway:18.8.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:primavera_gateway:19.12.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:primavera_gateway:20.12.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:primavera_gateway:21.12.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:rest_data_services:*:*:*:*:-:*:*:* versions up to (excluding) 22.1.1
  • cpe:2.3:a:oracle:rest_data_services:22.1.1:*:*:*:-:*:*:*
  • cpe:2.3:a:oracle:weblogic_server:12.2.1.3.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:weblogic_server:12.2.1.4.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:weblogic_server:14.1.1.0.0:*:*:*:*:*:*:*
  • cpe:2.3:a:tenable:tenable.sc:*:*:*:*:*:*:*:* versions up to (excluding) 5.21.0

CVE-2021-41184  

jQuery-UI is the official jQuery user interface library. Prior to version 1.13.0, accepting the value of the `of` option of the `.position()` util from untrusted sources may execute untrusted code. The issue is fixed in jQuery UI 1.13.0. Any string value passed to the `of` option is now treated as a CSS selector. A workaround is to not accept the value of the `of` option from untrusted sources.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (6.1)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

References:

Vulnerable Software & Versions (NVD):

  • cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:* versions from (including) 7.0; versions up to (excluding) 7.86
  • cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:* versions from (including) 9.2.0; versions up to (excluding) 9.2.11
  • cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:* versions from (including) 9.3.0; versions up to (excluding) 9.3.3
  • cpe:2.3:a:jquery:jquery_ui:*:*:*:*:*:*:*:* versions up to (excluding) 1.13.0
  • cpe:2.3:a:oracle:agile_plm:9.3.6:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:application_express:*:*:*:*:*:*:*:* versions up to (excluding) 22.1.1
  • cpe:2.3:a:oracle:banking_platform:2.9.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:banking_platform:2.12.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:big_data_spatial_and_graph:*:*:*:*:*:*:*:* versions up to (excluding) 23.1
  • cpe:2.3:a:oracle:big_data_spatial_and_graph:23.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_interactive_session_recorder:6.4:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_operations_monitor:4.3:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_operations_monitor:4.4:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_operations_monitor:5.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:hospitality_inventory_management:9.1.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:hospitality_materials_control:18.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:hospitality_suite8:*:*:*:*:*:*:*:* versions from (including) 8.11.0; versions up to (including) 8.14.0
  • cpe:2.3:a:oracle:hospitality_suite8:8.10.2:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools:*:*:*:*:*:*:*:* versions up to (including) 9.2.6.3
  • cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.58:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.59:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:policy_automation:*:*:*:*:*:*:*:* versions from (including) 12.2.0; versions up to (including) 12.2.25
  • cpe:2.3:a:oracle:primavera_unifier:*:*:*:*:*:*:*:* versions from (including) 17.7; versions up to (including) 17.12
  • cpe:2.3:a:oracle:primavera_unifier:18.8:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:primavera_unifier:19.12:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:primavera_unifier:20.12:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:primavera_unifier:21.12:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:rest_data_services:*:*:*:*:-:*:*:* versions up to (excluding) 22.1.1
  • cpe:2.3:a:oracle:rest_data_services:22.1.1:*:*:*:-:*:*:*
  • cpe:2.3:a:oracle:weblogic_server:12.2.1.3.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:weblogic_server:12.2.1.4.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:weblogic_server:14.1.1.0.0:*:*:*:*:*:*:*
  • cpe:2.3:a:tenable:tenable.sc:*:*:*:*:*:*:*:* versions up to (excluding) 5.21.0

CVE-2022-31160  

jQuery UI is a curated set of user interface interactions, effects, widgets, and themes built on top of jQuery. Versions prior to 1.13.2 are potentially vulnerable to cross-site scripting. Initializing a checkboxradio widget on an input enclosed within a label makes the contents of that parent label be treated as the input's label. If `.checkboxradio( "refresh" )` is then called on such a widget and the initial HTML contained encoded HTML entities, those entities are erroneously decoded. This can lead to potentially executing JavaScript code. The bug has been patched in jQuery UI 1.13.2. To remediate the issue, someone who can change the initial HTML can wrap all the non-input contents of the `label` in a `span`.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv3:
  • Base Score: MEDIUM (6.1)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

References:

Vulnerable Software & Versions (NVD):

  • cpe:2.3:a:drupal:jquery_ui_checkboxradio:8.x-1.0:*:*:*:*:drupal:*:*
  • cpe:2.3:a:drupal:jquery_ui_checkboxradio:8.x-1.1:*:*:*:*:drupal:*:*
  • cpe:2.3:a:drupal:jquery_ui_checkboxradio:8.x-1.2:*:*:*:*:drupal:*:*
  • cpe:2.3:a:drupal:jquery_ui_checkboxradio:8.x-1.3:*:*:*:*:drupal:*:*
  • cpe:2.3:a:jqueryui:jquery_ui:*:*:*:*:*:jquery:*:* versions up to (excluding) 1.13.2
  • cpe:2.3:a:netapp:oncommand_insight:-:*:*:*:*:*:*:*

CVE-2010-5312  

Cross-site scripting (XSS) vulnerability in jquery.ui.dialog.js in the Dialog widget in jQuery UI before 1.10.0 allows remote attackers to inject arbitrary web script or HTML via the title option.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N

References:

Vulnerable Software & Versions (NVD):

  • cpe:2.3:a:jquery:jquery_ui:*:*:*:*:*:*:*:* versions up to (excluding) 1.10.0

scala-compiler-2.11.12.jar: jquery.js

File Path: /root/.m2/repository/org/scala-lang/scala-compiler/2.11.12/scala-compiler-2.11.12.jar/scala/tools/nsc/doc/html/resource/lib/jquery.js
MD5: 0b6ecf17e30037994d3ffee51b525914
SHA1: d09d3a99ed25d0f1fbe6856de9e14ffd33557256
SHA256: f554d2f09272c6f71447ebfe4532d3b1dd1959bce669f9a5ccc99e64ef511729
Referenced In Projects/Scopes:

  • livy-repl-parent:provided
  • livy-repl_2.11:provided

Identifiers

CVE-2012-6708  

jQuery before 1.9.0 is vulnerable to Cross-site Scripting (XSS) attacks. The jQuery(strInput) function does not differentiate selectors from HTML in a reliable fashion. In vulnerable versions, jQuery determined whether the input was HTML by looking for the '<' character anywhere in the string, giving attackers more flexibility when attempting to construct a malicious payload. In fixed versions, jQuery only deems the input to be HTML if it explicitly starts with the '<' character, limiting exploitability only to attackers who can control the beginning of a string, which is far less common.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (6.1)
  • Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

References:

Vulnerable Software & Versions (NVD):

  • cpe:2.3:a:jquery:jquery:*:*:*:*:*:*:*:* versions up to (excluding) 1.9.0

CVE-2015-9251  

jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (6.1)
  • Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

References:

Vulnerable Software & Versions (NVD):

  • cpe:2.3:a:jquery:jquery:*:*:*:*:*:*:*:* versions up to (excluding) 3.0.0
  • cpe:2.3:a:oracle:agile_product_lifecycle_management_for_process:6.2.0.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:agile_product_lifecycle_management_for_process:6.2.1.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:agile_product_lifecycle_management_for_process:6.2.2.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:agile_product_lifecycle_management_for_process:6.2.3.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:agile_product_lifecycle_management_for_process:6.2.3.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:banking_platform:2.6.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:banking_platform:2.6.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:banking_platform:2.6.2:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:business_process_management_suite:11.1.1.9.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:business_process_management_suite:12.1.3.0.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:business_process_management_suite:12.2.1.3.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_converged_application_server:*:*:*:*:*:*:*:* versions up to (excluding) 7.0.0.1
  • cpe:2.3:a:oracle:communications_interactive_session_recorder:6.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_interactive_session_recorder:6.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_interactive_session_recorder:6.2:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_services_gatekeeper:*:*:*:*:*:*:*:* versions up to (excluding) 6.1.0.4.0
  • cpe:2.3:a:oracle:communications_webrtc_session_controller:*:*:*:*:*:*:*:* versions up to (excluding) 7.2
  • cpe:2.3:a:oracle:endeca_information_discovery_studio:3.1.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:endeca_information_discovery_studio:3.2.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:enterprise_manager_ops_center:12.2.2:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:enterprise_manager_ops_center:12.3.3:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:enterprise_operations_monitor:3.4:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:enterprise_operations_monitor:4.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:*:*:*:*:*:*:*:* versions from (including) 7.3.3; versions up to (including) 7.3.5
  • cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:*:*:*:*:*:*:*:* versions from (including) 8.0.0; versions up to (including) 8.0.7
  • cpe:2.3:a:oracle:financial_services_asset_liability_management:*:*:*:*:*:*:*:* versions from (including) 8.0.4; versions up to (including) 8.0.7
  • cpe:2.3:a:oracle:financial_services_data_integration_hub:*:*:*:*:*:*:*:* versions from (including) 8.0.5; versions up to (including) 8.0.7
  • cpe:2.3:a:oracle:financial_services_funds_transfer_pricing:*:*:*:*:*:*:*:* versions from (including) 8.0.4; versions up to (including) 8.0.7
  • cpe:2.3:a:oracle:financial_services_hedge_management_and_ifrs_valuations:*:*:*:*:*:*:*:* versions from (including) 8.0.4; versions up to (including) 8.0.7
  • cpe:2.3:a:oracle:financial_services_liquidity_risk_management:*:*:*:*:*:*:*:* versions from (including) 8.0.2; versions up to (including) 8.0.6
  • cpe:2.3:a:oracle:financial_services_loan_loss_forecasting_and_provisioning:*:*:*:*:*:*:*:* versions from (including) 8.0.2; versions up to (including) 8.0.7
  • cpe:2.3:a:oracle:financial_services_market_risk_measurement_and_management:8.0.5:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_market_risk_measurement_and_management:8.0.6:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_profitability_management:*:*:*:*:*:*:*:* versions from (including) 8.0.4; versions up to (including) 8.0.6
  • cpe:2.3:a:oracle:financial_services_reconciliation_framework:8.0.5:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_reconciliation_framework:8.0.6:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:fusion_middleware_mapviewer:12.2.1.3.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:healthcare_foundation:7.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:healthcare_foundation:7.2:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:healthcare_translational_research:3.1.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:hospitality_cruise_fleet_management:9.0.11:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:hospitality_guest_access:4.2.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:hospitality_guest_access:4.2.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:hospitality_materials_control:18.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:hospitality_reporting_and_analytics:9.1.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:insurance_insbridge_rating_and_underwriting:5.2:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:insurance_insbridge_rating_and_underwriting:5.4:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:insurance_insbridge_rating_and_underwriting:5.5:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools:9.2:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:jdeveloper:11.1.1.9.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:jdeveloper:12.1.3.0.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:jdeveloper:12.2.1.3.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:oss_support_tools:19.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.55:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.56:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.57:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:primavera_gateway:15.2:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:primavera_gateway:16.2:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:primavera_gateway:17.12:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:primavera_unifier:*:*:*:*:*:*:*:* versions from (including) 17.1; versions up to (including) 17.12
  • cpe:2.3:a:oracle:primavera_unifier:16.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:primavera_unifier:16.2:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:primavera_unifier:18.8:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:real-time_scheduler:2.3.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:retail_allocation:15.0.2:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:retail_customer_insights:15.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:retail_customer_insights:16.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:retail_invoice_matching:15.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:retail_sales_audit:15.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:retail_workforce_management_software:1.60.9:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:retail_workforce_management_software:1.64.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:service_bus:12.1.3.0.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:service_bus:12.2.1.3.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:siebel_ui_framework:18.10:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:siebel_ui_framework:18.11:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:utilities_framework:*:*:*:*:*:*:*:* versions from (including) 4.3.0.1; versions up to (including) 4.3.0.4
  • cpe:2.3:a:oracle:utilities_mobile_workforce_management:2.3.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:webcenter_sites:11.1.1.8.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:weblogic_server:12.1.3.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:weblogic_server:12.2.1.3:*:*:*:*:*:*:*

CVE-2019-11358  

jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable __proto__ property, it could extend the native Object.prototype.
CWE-1321 Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (6.1)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

References:

Vulnerable Software & Versions (NVD):

  • cpe:2.3:a:backdropcms:backdrop:*:*:*:*:*:*:*:* versions from (including) 1.11.0; versions up to (excluding) 1.11.9
  • cpe:2.3:a:backdropcms:backdrop:*:*:*:*:*:*:*:* versions from (including) 1.12.0; versions up to (excluding) 1.12.6
  • cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:* versions from (including) 7.0; versions up to (excluding) 7.66
  • cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:* versions from (including) 8.5.0; versions up to (excluding) 8.5.15
  • cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:* versions from (including) 8.6.0; versions up to (excluding) 8.6.15
  • cpe:2.3:a:joomla:joomla\!:*:*:*:*:*:*:*:* versions from (including) 3.0.0; versions up to (including) 3.9.4
  • cpe:2.3:a:jquery:jquery:*:*:*:*:*:*:*:* versions up to (excluding) 3.4.0
  • cpe:2.3:a:netapp:oncommand_system_manager:*:*:*:*:*:*:*:* versions from (including) 3.0; versions up to (including) 3.1.3
  • cpe:2.3:a:netapp:snapcenter:-:*:*:*:*:*:*:*
  • cpe:2.3:a:opensuse:backports_sle:15.0:sp1:*:*:*:*:*:*
  • cpe:2.3:a:oracle:agile_product_lifecycle_management_for_process:6.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:agile_product_lifecycle_management_for_process:6.2.0.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:agile_product_lifecycle_management_for_process:6.2.1.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:agile_product_lifecycle_management_for_process:6.2.2.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:agile_product_lifecycle_management_for_process:6.2.3.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:application_express:*:*:*:*:*:*:*:* versions up to (excluding) 19.1
  • cpe:2.3:a:oracle:application_service_level_management:13.2.0.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:application_service_level_management:13.3.0.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:application_testing_suite:12.5.0.3:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:application_testing_suite:13.1.0.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:application_testing_suite:13.2:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:application_testing_suite:13.2.0.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:application_testing_suite:13.3:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:application_testing_suite:13.3.0.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:banking_digital_experience:18.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:banking_digital_experience:18.2:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:banking_digital_experience:18.3:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:banking_digital_experience:19.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:banking_digital_experience:19.2:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:banking_digital_experience:20.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:banking_enterprise_collections:*:*:*:*:*:*:*:* versions from (including) 2.7.0; versions up to (including) 2.8.0
  • cpe:2.3:a:oracle:banking_platform:*:*:*:*:*:*:*:* versions from (including) 2.4.0; versions up to (including) 2.10.0
  • cpe:2.3:a:oracle:bi_publisher:5.5.0.0.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:bi_publisher:12.2.1.3.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:bi_publisher:12.2.1.4.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:big_data_discovery:1.6:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:business_process_management_suite:12.2.1.3.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:business_process_management_suite:12.2.1.4.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_analytics:12.1.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_application_session_controller:3.8m0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_billing_and_revenue_management:7.5:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_billing_and_revenue_management:7.5.0.23.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_billing_and_revenue_management:12.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_billing_and_revenue_management:12.0.0.3.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_diameter_signaling_router:8.0.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_diameter_signaling_router:8.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_diameter_signaling_router:8.2:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_diameter_signaling_router:8.2.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_eagle_application_processor:*:*:*:*:*:*:*:* versions from (including) 16.1.0; versions up to (including) 16.4.0
  • cpe:2.3:a:oracle:communications_element_manager:8.1.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_element_manager:8.2.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_element_manager:8.2.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_interactive_session_recorder:*:*:*:*:*:*:*:* versions from (including) 6.0; versions up to (including) 6.4
  • cpe:2.3:a:oracle:communications_operations_monitor:*:*:*:*:*:*:*:* versions from (including) 4.1; versions up to (including) 4.3
  • cpe:2.3:a:oracle:communications_operations_monitor:3.4:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_operations_monitor:4.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_operations_monitor:4.1.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_services_gatekeeper:7.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_session_report_manager:8.1.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_session_report_manager:8.2.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_session_report_manager:8.2.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_session_route_manager:8.1.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_session_route_manager:8.2.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_session_route_manager:8.2.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_unified_inventory_management:7.3:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_unified_inventory_management:7.4.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_webrtc_session_controller:7.2:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:diagnostic_assistant:2.12.36:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:enterprise_manager_ops_center:12.3.3:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:enterprise_manager_ops_center:12.4.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:enterprise_manager_ops_center:12.4.0.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:enterprise_session_border_controller:8.4:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:*:*:*:*:*:*:*:* versions from (including) 7.3.3; versions up to (including) 7.3.5
  • cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:*:*:*:*:*:*:*:* versions from (including) 8.0.2; versions up to (including) 8.1.0
  • cpe:2.3:a:oracle:financial_services_analytical_applications_reconciliation_framework:*:*:*:*:*:*:*:* versions from (including) 8.0.4; versions up to (including) 8.0.7
  • cpe:2.3:a:oracle:financial_services_analytical_applications_reconciliation_framework:8.1.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_asset_liability_management:*:*:*:*:*:*:*:* versions from (including) 8.0.4; versions up to (including) 8.0.7
  • cpe:2.3:a:oracle:financial_services_asset_liability_management:8.1.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_balance_sheet_planning:8.0.8:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_basel_regulatory_capital_basic:*:*:*:*:*:*:*:* versions from (including) 8.0.4; versions up to (including) 8.0.7
  • cpe:2.3:a:oracle:financial_services_basel_regulatory_capital_basic:8.1.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_basel_regulatory_capital_internal_ratings_based_approach:*:*:*:*:*:*:*:* versions from (including) 8.0.4; versions up to (including) 8.0.7
  • cpe:2.3:a:oracle:financial_services_basel_regulatory_capital_internal_ratings_based_approach:8.1.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_data_foundation:*:*:*:*:*:*:*:* versions from (including) 8.0.4; versions up to (including) 8.0.8
  • cpe:2.3:a:oracle:financial_services_data_governance_for_us_regulatory_reporting:*:*:*:*:*:*:*:* versions from (including) 8.0.6; versions up to (including) 8.0.9
  • cpe:2.3:a:oracle:financial_services_data_integration_hub:*:*:*:*:*:*:*:* versions from (including) 8.0.5; versions up to (including) 8.0.7
  • cpe:2.3:a:oracle:financial_services_data_integration_hub:8.1.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_enterprise_financial_performance_analytics:8.0.6:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_enterprise_financial_performance_analytics:8.0.7:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_funds_transfer_pricing:*:*:*:*:*:*:*:* versions from (including) 8.0.4; versions up to (including) 8.0.7
  • cpe:2.3:a:oracle:financial_services_funds_transfer_pricing:8.1.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_hedge_management_and_ifrs_valuations:*:*:*:*:*:*:*:* versions from (including) 8.0.4; versions up to (including) 8.0.7
  • cpe:2.3:a:oracle:financial_services_hedge_management_and_ifrs_valuations:8.1.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_institutional_performance_analytics:*:*:*:*:*:*:*:* versions from (including) 8.0.4; versions up to (including) 8.0.7
  • cpe:2.3:a:oracle:financial_services_institutional_performance_analytics:8.1.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_liquidity_risk_management:8.0.0.1.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_liquidity_risk_management:8.0.2:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_liquidity_risk_management:8.0.4.0.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_liquidity_risk_management:8.0.5.0.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_liquidity_risk_management:8.0.6:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_liquidity_risk_measurement_and_management:8.0.7:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_liquidity_risk_measurement_and_management:8.0.8:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_liquidity_risk_measurement_and_management:8.1.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_loan_loss_forecasting_and_provisioning:*:*:*:*:*:*:*:* versions from (including) 8.0.2; versions up to (including) 8.0.7
  • cpe:2.3:a:oracle:financial_services_loan_loss_forecasting_and_provisioning:8.1.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_market_risk_measurement_and_management:8.0.5:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_market_risk_measurement_and_management:8.0.6:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_market_risk_measurement_and_management:8.0.8:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_price_creation_and_discovery:*:*:*:*:*:*:*:* versions from (including) 8.0.4; versions up to (including) 8.0.7
  • cpe:2.3:a:oracle:financial_services_profitability_management:*:*:*:*:*:*:*:* versions from (including) 8.0.4; versions up to (including) 8.0.7
  • cpe:2.3:a:oracle:financial_services_profitability_management:8.1.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_regulatory_reporting_for_de_nederlandsche_bank:8.0.4:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_regulatory_reporting_for_european_banking_authority:8.0.6:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_regulatory_reporting_for_european_banking_authority:8.0.7:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_regulatory_reporting_for_us_federal_reserve:*:*:*:*:*:*:*:* versions from (including) 8.0.4; versions up to (including) 8.0.7
  • cpe:2.3:a:oracle:financial_services_retail_customer_analytics:*:*:*:*:*:*:*:* versions from (including) 8.0.4; versions up to (including) 8.0.6
  • cpe:2.3:a:oracle:financial_services_retail_performance_analytics:8.0.6:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_retail_performance_analytics:8.0.7:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_revenue_management_and_billing:2.4.0.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_revenue_management_and_billing:2.4.0.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:fusion_middleware_mapviewer:12.2.1.3.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:healthcare_foundation:7.1.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:healthcare_foundation:7.2.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:healthcare_foundation:7.2.2:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:healthcare_foundation:7.3.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:healthcare_translational_research:3.1.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:healthcare_translational_research:3.2.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:healthcare_translational_research:3.3.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:healthcare_translational_research:3.3.2:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:healthcare_translational_research:3.4.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:hospitality_guest_access:4.2.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:hospitality_guest_access:4.2.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:hospitality_materials_control:18.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:hospitality_simphony:*:*:*:*:*:*:*:* versions from (including) 19.1.0; versions up to (including) 19.1.2
  • cpe:2.3:a:oracle:hospitality_simphony:18.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:hospitality_simphony:18.2:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:identity_manager:12.2.1.3.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:insurance_accounting_analyzer:8.0.9:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:insurance_allocation_manager_for_enterprise_profitability:8.0.8:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:insurance_allocation_manager_for_enterprise_profitability:8.1.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:insurance_data_foundation:*:*:*:*:*:*:*:* versions from (including) 8.0.4; versions up to (including) 8.0.7
  • cpe:2.3:a:oracle:insurance_ifrs_17_analyzer:8.0.6:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:insurance_ifrs_17_analyzer:8.0.7:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:insurance_insbridge_rating_and_underwriting:*:*:*:*:*:*:*:* versions from (including) 5.0.0.0; versions up to (including) 5.6.0.0
  • cpe:2.3:a:oracle:insurance_insbridge_rating_and_underwriting:5.6.1.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:insurance_performance_insight:8.0.7:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools:9.2:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:jdeveloper:11.1.1.9.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:jdeveloper:12.2.1.3.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:jdeveloper:12.2.1.4.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:jdeveloper_and_adf:11.1.1.9.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:jdeveloper_and_adf:12.1.3.0.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:jdeveloper_and_adf:12.2.1.3.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:knowledge:*:*:*:*:*:*:*:* versions from (including) 8.6.0; versions up to (including) 8.6.3
  • cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.55:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.56:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.57:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.58:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:policy_automation:*:*:*:*:*:*:*:* versions from (including) 12.2.0; versions up to (including) 12.2.15
  • cpe:2.3:a:oracle:policy_automation:10.4.7:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:policy_automation:12.1.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:policy_automation:12.1.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:policy_automation_connector_for_siebel:10.4.6:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:policy_automation_for_mobile_devices:*:*:*:*:*:*:*:* versions from (including) 12.2.0; versions up to (including) 12.2.15
  • cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:* versions from (including) 16.2.0; versions up to (including) 16.2.11
  • cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:* versions from (including) 17.12.0; versions up to (including) 17.12.7
  • cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:* versions from (including) 18.8.0; versions up to (including) 18.8.9
  • cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:* versions from (including) 19.12.0; versions up to (including) 19.12.4
  • cpe:2.3:a:oracle:primavera_gateway:15.2.18:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:primavera_unifier:*:*:*:*:*:*:*:* versions from (including) 17.7; versions up to (including) 17.12
  • cpe:2.3:a:oracle:primavera_unifier:16.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:primavera_unifier:16.2:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:primavera_unifier:18.8:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:real-time_scheduler:*:*:*:*:*:*:*:* versions from (including) 2.3.0.1; versions up to (including) 2.3.0.3
  • cpe:2.3:a:oracle:rest_data_services:18c:*:*:*:-:*:*:*
  • cpe:2.3:a:oracle:rest_data_services:19c:*:*:*:-:*:*:*
  • cpe:2.3:a:oracle:rest_data_services:11.2.0.4:*:*:*:-:*:*:*
  • cpe:2.3:a:oracle:rest_data_services:12.1.0.2:*:*:*:-:*:*:*
  • cpe:2.3:a:oracle:rest_data_services:12.2.0.1:*:*:*:-:*:*:*
  • cpe:2.3:a:oracle:retail_back_office:14.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:retail_back_office:14.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:retail_central_office:14.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:retail_central_office:14.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:retail_customer_insights:15.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:retail_customer_insights:16.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:retail_customer_management_and_segmentation_foundation:18.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:retail_customer_management_and_segmentation_foundation:19.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:retail_point-of-service:14.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:retail_point-of-service:14.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:retail_returns_management:14.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:retail_returns_management:14.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:service_bus:11.1.1.9.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:service_bus:12.1.3.0.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:service_bus:12.2.1.3.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:siebel_mobile_applications:*:*:*:*:*:*:*:* versions up to (including) 19.8
  • cpe:2.3:a:oracle:siebel_ui_framework:20.8:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:storagetek_tape_analytics_sw_tool:2.3.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:system_utilities:19.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:tape_library_acsls:8.5:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:tape_library_acsls:8.5.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:transportation_management:1.4.3:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:utilities_mobile_workforce_management:*:*:*:*:*:*:*:* versions from (including) 2.3.0.1; versions up to (including) 2.3.0.3
  • cpe:2.3:a:oracle:webcenter_sites:12.2.1.3.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:weblogic_server:10.3.6.0.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:weblogic_server:12.1.3.0.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:weblogic_server:12.2.1.3.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:weblogic_server:12.2.1.4.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:weblogic_server:14.1.1.0.0:*:*:*:*:*:*:*
  • cpe:2.3:a:redhat:cloudforms:4.7:*:*:*:*:*:*:*
  • cpe:2.3:a:redhat:virtualization_manager:4.3:*:*:*:*:*:*:*

CVE-2020-11022  

In jQuery versions greater than or equal to 1.2 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (6.1)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

References:

Vulnerable Software & Versions (NVD):

  • cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:* versions from (including) 7.0; versions up to (excluding) 7.70
  • cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:* versions from (including) 8.7.0; versions up to (excluding) 8.7.14
  • cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:* versions from (including) 8.8.0; versions up to (excluding) 8.8.6
  • cpe:2.3:a:jquery:jquery:*:*:*:*:*:*:*:* versions from (including) 1.2; versions up to (excluding) 3.5.0
  • cpe:2.3:a:netapp:max_data:-:*:*:*:*:*:*:*
  • cpe:2.3:a:netapp:oncommand_insight:-:*:*:*:*:*:*:*
  • cpe:2.3:a:netapp:oncommand_system_manager:*:*:*:*:*:*:*:* versions from (including) 3.0; versions up to (including) 3.1.3
  • cpe:2.3:a:netapp:snap_creator_framework:-:*:*:*:*:*:*:*
  • cpe:2.3:a:netapp:snapcenter:-:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:agile_product_lifecycle_management_for_process:6.2.0.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:agile_product_supplier_collaboration_for_process:6.2.0.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:application_testing_suite:13.3.0.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:banking_digital_experience:*:*:*:*:*:*:*:* versions from (including) 18.1; versions up to (including) 20.1
  • cpe:2.3:a:oracle:banking_digital_experience:18.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:banking_digital_experience:18.2:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:banking_digital_experience:18.3:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:banking_digital_experience:19.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:banking_digital_experience:19.2:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:banking_digital_experience:20.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:blockchain_platform:*:*:*:*:*:*:*:* versions up to (excluding) 21.1.2
  • cpe:2.3:a:oracle:communications_application_session_controller:3.8m0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_billing_and_revenue_management:7.5.0.23.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_billing_and_revenue_management:12.0.0.3.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_diameter_signaling_router_idih\::*:*:*:*:*:*:*:* versions from (including) 8.0.0; versions up to (including) 8.2.2
  • cpe:2.3:a:oracle:communications_eagle_application_processor:*:*:*:*:*:*:*:* versions from (including) 16.1.0; versions up to (including) 16.4.0
  • cpe:2.3:a:oracle:communications_services_gatekeeper:7.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_webrtc_session_controller:7.2:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:enterprise_manager_ops_center:12.4.0.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:enterprise_session_border_controller:8.4:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:*:*:*:*:*:*:*:* versions from (including) 8.0.6; versions up to (including) 8.1.0
  • cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:*:*:*:*:*:*:*:* versions from (including) 8.0.6.0.0; versions up to (including) 8.1.0.0.0
  • cpe:2.3:a:oracle:financial_services_analytical_applications_reconciliation_framework:*:*:*:*:*:*:*:* versions from (including) 8.0.6; versions up to (including) 8.0.8
  • cpe:2.3:a:oracle:financial_services_analytical_applications_reconciliation_framework:8.1.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_asset_liability_management:8.0.6:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_asset_liability_management:8.0.7:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_asset_liability_management:8.1.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_balance_sheet_planning:8.0.8:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_basel_regulatory_capital_basic:*:*:*:*:*:*:*:* versions from (including) 8.0.6; versions up to (including) 8.0.8
  • cpe:2.3:a:oracle:financial_services_basel_regulatory_capital_basic:8.1.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_basel_regulatory_capital_internal_ratings_based_approach:*:*:*:*:*:*:*:* versions from (including) 8.0.6; versions up to (including) 8.0.8
  • cpe:2.3:a:oracle:financial_services_basel_regulatory_capital_internal_ratings_based_approach:8.1.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_data_foundation:*:*:*:*:*:*:*:* versions from (including) 8.0.6; versions up to (including) 8.1.0
  • cpe:2.3:a:oracle:financial_services_data_governance_for_us_regulatory_reporting:*:*:*:*:*:*:*:* versions from (including) 8.0.6; versions up to (including) 8.0.9
  • cpe:2.3:a:oracle:financial_services_data_integration_hub:8.0.6:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_data_integration_hub:8.0.7:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_data_integration_hub:8.1.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_funds_transfer_pricing:8.0.6:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_funds_transfer_pricing:8.0.7:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_funds_transfer_pricing:8.1.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_hedge_management_and_ifrs_valuations:*:*:*:*:*:*:*:* versions from (including) 8.0.6; versions up to (including) 8.0.8
  • cpe:2.3:a:oracle:financial_services_hedge_management_and_ifrs_valuations:8.1.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_institutional_performance_analytics:8.0.6:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_institutional_performance_analytics:8.0.7:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_institutional_performance_analytics:8.1.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_liquidity_risk_management:8.0.6:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_liquidity_risk_measurement_and_management:8.0.7:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_liquidity_risk_measurement_and_management:8.0.8:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_liquidity_risk_measurement_and_management:8.1.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_loan_loss_forecasting_and_provisioning:*:*:*:*:*:*:*:* versions from (including) 8.0.6; versions up to (including) 8.0.8
  • cpe:2.3:a:oracle:financial_services_loan_loss_forecasting_and_provisioning:8.1.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_market_risk_measurement_and_management:8.0.6:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_market_risk_measurement_and_management:8.0.8:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_price_creation_and_discovery:8.0.6:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_price_creation_and_discovery:8.0.7:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_profitability_management:8.0.6:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_profitability_management:8.0.7:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_profitability_management:8.1.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_regulatory_reporting_for_european_banking_authority:*:*:*:*:*:*:*:* versions from (including) 8.0.6; versions up to (including) 8.1.0
  • cpe:2.3:a:oracle:financial_services_regulatory_reporting_for_us_federal_reserve:*:*:*:*:*:*:*:* versions from (including) 8.0.6; versions up to (including) 8.0.9
  • cpe:2.3:a:oracle:healthcare_foundation:7.1.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:healthcare_foundation:7.2.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:healthcare_foundation:7.2.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:healthcare_foundation:7.3.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:hospitality_materials_control:18.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:hospitality_simphony:*:*:*:*:*:*:*:* versions from (including) 19.1.0; versions up to (including) 19.1.2
  • cpe:2.3:a:oracle:hospitality_simphony:18.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:hospitality_simphony:18.2:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:hospitality_simphony:19.1.0-19.1.2:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:insurance_accounting_analyzer:8.0.9:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:insurance_allocation_manager_for_enterprise_profitability:8.0.8:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:insurance_allocation_manager_for_enterprise_profitability:8.1.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:insurance_data_foundation:*:*:*:*:*:*:*:* versions from (including) 8.0.6; versions up to (including) 8.1.0
  • cpe:2.3:a:oracle:insurance_data_foundation:8.0.6-8.1.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:insurance_insbridge_rating_and_underwriting:*:*:*:*:*:*:*:* versions from (including) 5.0.0.0; versions up to (including) 5.6.0.0
  • cpe:2.3:a:oracle:insurance_insbridge_rating_and_underwriting:5.6.1.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:jdeveloper:11.1.1.9.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:jdeveloper:12.2.1.3.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:jdeveloper:12.2.1.4.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.56:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.57:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.58:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:policy_automation:*:*:*:*:*:*:*:* versions from (including) 12.2.0; versions up to (including) 12.2.20
  • cpe:2.3:a:oracle:policy_automation_connector_for_siebel:10.4.6:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:policy_automation_for_mobile_devices:*:*:*:*:*:*:*:* versions from (including) 12.2.0; versions up to (including) 12.2.20
  • cpe:2.3:a:oracle:retail_back_office:14.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:retail_back_office:14.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:retail_customer_management_and_segmentation_foundation:19.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:retail_returns_management:14.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:retail_returns_management:14.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:siebel_ui_framework:20.8:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:storagetek_acsls:8.5.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:weblogic_server:10.3.6.0.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:weblogic_server:12.1.3.0.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:weblogic_server:12.2.1.3.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:weblogic_server:12.2.1.4.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:weblogic_server:14.1.1.0.0:*:*:*:*:*:*:*
  • cpe:2.3:a:tenable:log_correlation_engine:*:*:*:*:*:*:*:* versions up to (excluding) 6.0.9

CVE-2020-11023  

In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing <option> elements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (6.1)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

References:

Vulnerable Software & Versions (NVD):

  • cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:* versions from (including) 7.0; versions up to (excluding) 7.70
  • cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:* versions from (including) 8.7.0; versions up to (excluding) 8.7.14
  • cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:* versions from (including) 8.8.0; versions up to (excluding) 8.8.6
  • cpe:2.3:a:jquery:jquery:*:*:*:*:*:*:*:* versions from (including) 1.0.3; versions up to (excluding) 3.5.0
  • cpe:2.3:a:netapp:max_data:-:*:*:*:*:*:*:*
  • cpe:2.3:a:netapp:oncommand_insight:-:*:*:*:*:*:*:*
  • cpe:2.3:a:netapp:oncommand_system_manager:*:*:*:*:*:*:*:* versions from (including) 3.0; versions up to (including) 3.1.3
  • cpe:2.3:a:netapp:snap_creator_framework:-:*:*:*:*:*:*:*
  • cpe:2.3:a:netapp:snapcenter_server:-:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:application_express:*:*:*:*:*:*:*:* versions up to (excluding) 20.2
  • cpe:2.3:a:oracle:application_testing_suite:13.3.0.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:banking_enterprise_collections:*:*:*:*:*:*:*:* versions from (including) 2.7.0; versions up to (including) 2.8.0
  • cpe:2.3:a:oracle:banking_platform:*:*:*:*:*:*:*:* versions from (including) 2.4.0; versions up to (including) 2.10.0
  • cpe:2.3:a:oracle:communications_analytics:12.1.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_eagle_application_processor:*:*:*:*:*:*:*:* versions from (including) 16.1.0; versions up to (including) 16.4.0
  • cpe:2.3:a:oracle:communications_element_manager:8.1.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_element_manager:8.2.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_element_manager:8.2.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_interactive_session_recorder:*:*:*:*:*:*:*:* versions from (including) 6.1; versions up to (including) 6.4
  • cpe:2.3:a:oracle:communications_operations_monitor:*:*:*:*:*:*:*:* versions from (including) 4.1; versions up to (including) 4.3
  • cpe:2.3:a:oracle:communications_operations_monitor:3.4:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_services_gatekeeper:7.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_session_report_manager:8.1.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_session_report_manager:8.2.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_session_report_manager:8.2.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_session_route_manager:8.1.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_session_route_manager:8.2.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_session_route_manager:8.2.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_regulatory_reporting_for_de_nederlandsche_bank:8.0.4:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_revenue_management_and_billing_analytics:2.7:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_revenue_management_and_billing_analytics:2.8:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:health_sciences_inform:6.3.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:healthcare_translational_research:3.2.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:healthcare_translational_research:3.3.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:healthcare_translational_research:3.3.2:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:healthcare_translational_research:3.4.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:hyperion_financial_reporting:11.1.2.4:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:jd_edwards_enterpriseone_orchestrator:*:*:*:*:*:*:*:* versions up to (excluding) 9.2.5.0
  • cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools:*:*:*:*:*:*:*:* versions up to (excluding) 9.2.5.0
  • cpe:2.3:a:oracle:oss_support_tools:*:*:*:*:*:*:*:* versions up to (excluding) 2.12.41
  • cpe:2.3:a:oracle:peoplesoft_enterprise_human_capital_management_resources:9.2:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:* versions from (including) 16.2; versions up to (including) 16.2.11
  • cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:* versions from (including) 17.12.0; versions up to (including) 17.12.7
  • cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:* versions from (including) 18.8.0; versions up to (including) 18.8.9
  • cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:* versions from (including) 19.12.0; versions up to (including) 19.12.4
  • cpe:2.3:a:oracle:rest_data_services:18c:*:*:*:-:*:*:*
  • cpe:2.3:a:oracle:rest_data_services:19c:*:*:*:-:*:*:*
  • cpe:2.3:a:oracle:rest_data_services:11.2.0.4:*:*:*:-:*:*:*
  • cpe:2.3:a:oracle:rest_data_services:12.1.0.2:*:*:*:-:*:*:*
  • cpe:2.3:a:oracle:rest_data_services:12.2.0.1:*:*:*:-:*:*:*
  • cpe:2.3:a:oracle:siebel_mobile:*:*:*:*:*:*:*:* versions up to (including) 20.12
  • cpe:2.3:a:oracle:storagetek_acsls:8.5.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:storagetek_tape_analytics_sw_tool:2.3.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:webcenter_sites:12.2.1.3.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:webcenter_sites:12.2.1.4.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:weblogic_server:12.1.3.0.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:weblogic_server:12.2.1.3.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:weblogic_server:12.2.1.4.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:weblogic_server:14.1.1.0.0:*:*:*:*:*:*:*
  • cpe:2.3:a:tenable:log_correlation_engine:*:*:*:*:*:*:*:* versions up to (excluding) 6.0.9
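The two jQuery entries above (CVE-2020-11022 and CVE-2020-11023) state the failure mode, that markup which a sanitizer judged inert can become live once jQuery's DOM methods process it, but not the mechanism. What follows is an added example and is not code from this report, from Apache Livy, or from jQuery itself. It reproduces the self-closing-tag rewrite that `jQuery.htmlPrefilter` applied to every HTML string before 3.5.0 (the regular expression is quoted from the 3.4.x source as I recall it; verify it against the `jquery.min.js` copies listed in this report), and pairs it with a small tokenizer of my own that models one parser rule: the content of `<style>` and `<script>` is raw text up to the matching close tag. The payload is constructed here in the shape of the published proof of concept for CVE-2020-11022. CVE-2020-11023 is the `<option>` variant fixed in the same 3.5.0 release and is not modelled separately.

```javascript
// Added example modelling CVE-2020-11022 (not part of the Dependency-Check
// report or of jQuery). Before 3.5.0, jQuery rewrote "<tag/>" into
// "<tag></tag>" for most tags before handing the string to the browser. The
// rewrite can close a raw-text element early, so markup that a DOM-based
// sanitizer saw as inert text becomes a real element after jQuery's rewrite.

// Regex used by jQuery 3.4.x htmlPrefilter (reproduced from memory of the
// released source; check it against the jquery.min.js you actually ship).
const RX_SELF_CLOSING_TAG =
  /<(?!area|br|col|embed|hr|img|input|link|meta|param)(([a-z][^\/\0>\x20\t\r\n\f]*)[^>]*)\/>/gi;

// jQuery.htmlPrefilter behaviour before 3.5.0.
function legacyHtmlPrefilter(html) {
  return html.replace(RX_SELF_CLOSING_TAG, "<$1></$2>");
}

// jQuery.htmlPrefilter behaviour from 3.5.0 onward: the string is untouched.
function patchedHtmlPrefilter(html) {
  return html;
}

// Minimal model of HTML parsing for this example (not a spec-complete parser):
// returns the names of the elements a parser would create, treating the body
// of <style> and <script> as raw text up to the matching close tag.
function activeElements(html) {
  const rawText = new Set(["style", "script"]);
  const tagRe = /<\/?([a-z][a-z0-9]*)[^>]*>/gi;
  const names = [];
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    if (m[0][1] === "/") continue;              // close tag, creates nothing
    const name = m[1].toLowerCase();
    names.push(name);
    if (rawText.has(name)) {
      // Everything up to "</style" (or "</script") is text, not markup.
      const rest = html.slice(tagRe.lastIndex);
      const rel = rest.search(new RegExp("</" + name, "i"));
      if (rel === -1) break;                     // unterminated: rest is text
      tagRe.lastIndex += rel;
    }
  }
  return names;
}

// True when the fragment would create an <img> element (here carrying an
// onerror handler); a sanitizer deciding on the raw string sees none.
function createsImgElement(html) {
  return activeElements(html).includes("img");
}

// Constructed payload in the shape of the published proof of concept: the
// <img> sits inside an unterminated <style>, so it parses as inert text.
const PAYLOAD = "<style><style/><img src=x onerror=alert(1)>";

// Compare what a sanitizer sees with what jQuery < 3.5.0 hands the parser.
function demo(payload = PAYLOAD) {
  return {
    sanitizerView: createsImgElement(payload),
    legacyJQuery: createsImgElement(legacyHtmlPrefilter(payload)),
    patchedJQuery: createsImgElement(patchedHtmlPrefilter(payload)),
  };
}

console.log(JSON.stringify(demo()));
```

Running `demo()` returns `sanitizerView: false`, `legacyJQuery: true`, `patchedJQuery: false`: the same string is inert as inspected but live after the pre-3.5.0 rewrite. For triage of the copies listed in this report, note that they are scaladoc resources inside the scala-compiler jars, referenced in `provided` scope by the REPL modules and, for the 2.12.10 copy, by livy-server; confirm whether that jar is on the runtime classpath and whether the file is ever served before choosing between an upgrade and a documented suppression.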

scala-compiler-2.11.12.jar: jquery.layout.js

File Path: /root/.m2/repository/org/scala-lang/scala-compiler/2.11.12/scala-compiler-2.11.12.jar/scala/tools/nsc/doc/html/resource/lib/jquery.layout.js
MD5: 37b88eaeb78c3f65ac7dcd9cec082c9b
SHA1: 2a079f0531d0f4bf3756d390915c3bab23d59e95
SHA256: ed45fca8537824fce831d9420fec6b1d1a52ab312f90f04bb5625d7a9ce999c3
Referenced In Projects/Scopes:

  • livy-repl-parent:provided
  • livy-repl_2.11:provided

Identifiers

  • None

scala-compiler-2.11.12.jar: modernizr.custom.js

File Path: /root/.m2/repository/org/scala-lang/scala-compiler/2.11.12/scala-compiler-2.11.12.jar/scala/tools/nsc/doc/html/resource/lib/modernizr.custom.js
MD5: 350aeacb2780a90495094db70b7a6d21
SHA1: 0b78efd666ca58b71e87d86e83f4768ce51d6348
SHA256: d7ba4db2f617af853ad324e7e1a012c43f14ec7436afad430794bb1fe11f7e99
Referenced In Projects/Scopes:

  • livy-repl_2.12:provided
  • livy-repl-parent:provided
  • livy-repl_2.11:provided

Identifiers

  • None

scala-compiler-2.11.12.jar: raphael-min.js

File Path: /root/.m2/repository/org/scala-lang/scala-compiler/2.11.12/scala-compiler-2.11.12.jar/scala/tools/nsc/doc/html/resource/lib/raphael-min.js
MD5: ffd330bd214b7b0a8e14e613765b606e
SHA1: bfd83096d2178219ccd3f8fc592ae41cdf4e822e
SHA256: bc48ca793c3d326ffb5dc26272f0080516416bb772bf97072f0ee44ef0902d4a
Referenced In Projects/Scopes:

  • livy-repl-parent:provided
  • livy-repl_2.11:provided

Identifiers

  • None

scala-compiler-2.11.12.jar: scheduler.js

File Path: /root/.m2/repository/org/scala-lang/scala-compiler/2.11.12/scala-compiler-2.11.12.jar/scala/tools/nsc/doc/html/resource/lib/scheduler.js
MD5: c8935628dd9136fbd393272f5ad4ddcf
SHA1: 3bfb402f3c98e5f16614849b2fef101d86dfd36e
SHA256: fc3f0dfd8c921b1bc7fe81ccc488cc019bdff330aa0ba82651c857acde10db15
Referenced In Projects/Scopes:

  • livy-repl-parent:provided
  • livy-repl_2.11:provided

Identifiers

  • None

scala-compiler-2.11.12.jar: template.js

File Path: /root/.m2/repository/org/scala-lang/scala-compiler/2.11.12/scala-compiler-2.11.12.jar/scala/tools/nsc/doc/html/resource/lib/template.js
MD5: 8cdd5585a8e1309998e3b04dc16df935
SHA1: 46d98368fe96e32c3326ae4a4da0bb9009497556
SHA256: 7a2863204152529fd0351b45eb6668266c46ad3f65767120fcb9cee32da72d35
Referenced In Projects/Scopes:

  • livy-repl-parent:provided
  • livy-repl_2.11:provided

Identifiers

  • None

scala-compiler-2.11.12.jar: tools.tooltip.js

File Path: /root/.m2/repository/org/scala-lang/scala-compiler/2.11.12/scala-compiler-2.11.12.jar/scala/tools/nsc/doc/html/resource/lib/tools.tooltip.js
MD5: 03e77aac18ea20591d845ec76dff56de
SHA1: a792987be027c6076ba530129452482556515a9a
SHA256: 57e3a83e9784ff5d76bead2740133ef115fd29eb76fc9a77f151f4674430048e
Referenced In Projects/Scopes:

  • livy-repl-parent:provided
  • livy-repl_2.11:provided

Identifiers

  • None

scala-compiler-2.12.10.jar (shaded: jline:jline:2.14.6)

License:

The BSD License: http://www.opensource.org/licenses/bsd-license.php
File Path: /root/.m2/repository/org/scala-lang/scala-compiler/2.12.10/scala-compiler-2.12.10.jar/META-INF/maven/jline/jline/pom.xml
MD5: 42f04f8b43896bbbfd67edf50a8eb8bd
SHA1: 4638d05b44d3a9ffc540a5be96be3d719b0c5227
SHA256: 362c543167310e8ef364e6b50387d43943bf293a34db09fbdb5f25a26cf5f564
Referenced In Project/Scope: livy-repl_2.12:provided

Identifiers

scala-compiler-2.12.10.jar: diagrams.js

File Path: /root/.m2/repository/org/scala-lang/scala-compiler/2.12.10/scala-compiler-2.12.10.jar/scala/tools/nsc/doc/html/resource/lib/diagrams.js
MD5: 2e1f79e48b0e659ed965afa26a201107
SHA1: 4c35b9ae3fcb2fcee566878e808544a9c950925b
SHA256: d8a8ed1e20a29d4d9a42c984a0b6d74f8781f6258921c257dc234e1552938a74
Referenced In Project/Scope: livy-repl_2.12:provided

Identifiers

  • None

scala-compiler-2.12.10.jar: index.js

File Path: /root/.m2/repository/org/scala-lang/scala-compiler/2.12.10/scala-compiler-2.12.10.jar/scala/tools/nsc/doc/html/resource/lib/index.js
MD5: a08355a55bc59b335c9afa16d3682a7f
SHA1: d3092a1b9c9c06cad11e016c6c1143b2ad821135
SHA256: b4c417591851cc8f98521d1c5f6e012e5d853bc0d6efb0443642a39f8f3dc880
Referenced In Project/Scope: livy-repl_2.12:provided

Identifiers

  • None

scala-compiler-2.12.10.jar: jquery.min.js

File Path: /root/.m2/repository/org/scala-lang/scala-compiler/2.12.10/scala-compiler-2.12.10.jar/jquery.min.js
MD5: 220afd743d9e9643852e31a135a9f3ae
SHA1: 88523924351bac0b5d560fe0c5781e2556e7693d
SHA256: 0925e8ad7bd971391a8b1e98be8e87a6971919eb5b60c196485941c3c1df089a
Referenced In Projects/Scopes:

  • livy-repl_2.12:provided
  • livy-server

Identifiers

CVE-2020-11022  

In jQuery versions greater than or equal to 1.2 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (6.1)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

References:

Vulnerable Software & Versions (NVD):

  • cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:* versions from (including) 7.0; versions up to (excluding) 7.70
  • cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:* versions from (including) 8.7.0; versions up to (excluding) 8.7.14
  • cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:* versions from (including) 8.8.0; versions up to (excluding) 8.8.6
  • cpe:2.3:a:jquery:jquery:*:*:*:*:*:*:*:* versions from (including) 1.2; versions up to (excluding) 3.5.0
  • cpe:2.3:a:netapp:max_data:-:*:*:*:*:*:*:*
  • cpe:2.3:a:netapp:oncommand_insight:-:*:*:*:*:*:*:*
  • cpe:2.3:a:netapp:oncommand_system_manager:*:*:*:*:*:*:*:* versions from (including) 3.0; versions up to (including) 3.1.3
  • cpe:2.3:a:netapp:snap_creator_framework:-:*:*:*:*:*:*:*
  • cpe:2.3:a:netapp:snapcenter:-:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:agile_product_lifecycle_management_for_process:6.2.0.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:agile_product_supplier_collaboration_for_process:6.2.0.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:application_testing_suite:13.3.0.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:banking_digital_experience:*:*:*:*:*:*:*:* versions from (including) 18.1; versions up to (including) 20.1
  • cpe:2.3:a:oracle:banking_digital_experience:18.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:banking_digital_experience:18.2:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:banking_digital_experience:18.3:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:banking_digital_experience:19.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:banking_digital_experience:19.2:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:banking_digital_experience:20.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:blockchain_platform:*:*:*:*:*:*:*:* versions up to (excluding) 21.1.2
  • cpe:2.3:a:oracle:communications_application_session_controller:3.8m0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_billing_and_revenue_management:7.5.0.23.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_billing_and_revenue_management:12.0.0.3.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_diameter_signaling_router_idih\::*:*:*:*:*:*:*:* versions from (including) 8.0.0; versions up to (including) 8.2.2
  • cpe:2.3:a:oracle:communications_eagle_application_processor:*:*:*:*:*:*:*:* versions from (including) 16.1.0; versions up to (including) 16.4.0
  • cpe:2.3:a:oracle:communications_services_gatekeeper:7.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_webrtc_session_controller:7.2:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:enterprise_manager_ops_center:12.4.0.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:enterprise_session_border_controller:8.4:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:*:*:*:*:*:*:*:* versions from (including) 8.0.6; versions up to (including) 8.1.0
  • cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:*:*:*:*:*:*:*:* versions from (including) 8.0.6.0.0; versions up to (including) 8.1.0.0.0
  • cpe:2.3:a:oracle:financial_services_analytical_applications_reconciliation_framework:*:*:*:*:*:*:*:* versions from (including) 8.0.6; versions up to (including) 8.0.8
  • cpe:2.3:a:oracle:financial_services_analytical_applications_reconciliation_framework:8.1.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_asset_liability_management:8.0.6:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_asset_liability_management:8.0.7:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_asset_liability_management:8.1.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_balance_sheet_planning:8.0.8:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_basel_regulatory_capital_basic:*:*:*:*:*:*:*:* versions from (including) 8.0.6; versions up to (including) 8.0.8
  • cpe:2.3:a:oracle:financial_services_basel_regulatory_capital_basic:8.1.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_basel_regulatory_capital_internal_ratings_based_approach:*:*:*:*:*:*:*:* versions from (including) 8.0.6; versions up to (including) 8.0.8
  • cpe:2.3:a:oracle:financial_services_basel_regulatory_capital_internal_ratings_based_approach:8.1.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_data_foundation:*:*:*:*:*:*:*:* versions from (including) 8.0.6; versions up to (including) 8.1.0
  • cpe:2.3:a:oracle:financial_services_data_governance_for_us_regulatory_reporting:*:*:*:*:*:*:*:* versions from (including) 8.0.6; versions up to (including) 8.0.9
  • cpe:2.3:a:oracle:financial_services_data_integration_hub:8.0.6:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_data_integration_hub:8.0.7:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_data_integration_hub:8.1.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_funds_transfer_pricing:8.0.6:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_funds_transfer_pricing:8.0.7:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_funds_transfer_pricing:8.1.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_hedge_management_and_ifrs_valuations:*:*:*:*:*:*:*:* versions from (including) 8.0.6; versions up to (including) 8.0.8
  • cpe:2.3:a:oracle:financial_services_hedge_management_and_ifrs_valuations:8.1.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_institutional_performance_analytics:8.0.6:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_institutional_performance_analytics:8.0.7:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_institutional_performance_analytics:8.1.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_liquidity_risk_management:8.0.6:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_liquidity_risk_measurement_and_management:8.0.7:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_liquidity_risk_measurement_and_management:8.0.8:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_liquidity_risk_measurement_and_management:8.1.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_loan_loss_forecasting_and_provisioning:*:*:*:*:*:*:*:* versions from (including) 8.0.6; versions up to (including) 8.0.8
  • cpe:2.3:a:oracle:financial_services_loan_loss_forecasting_and_provisioning:8.1.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_market_risk_measurement_and_management:8.0.6:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_market_risk_measurement_and_management:8.0.8:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_price_creation_and_discovery:8.0.6:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_price_creation_and_discovery:8.0.7:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_profitability_management:8.0.6:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_profitability_management:8.0.7:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_profitability_management:8.1.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_regulatory_reporting_for_european_banking_authority:*:*:*:*:*:*:*:* versions from (including) 8.0.6; versions up to (including) 8.1.0
  • cpe:2.3:a:oracle:financial_services_regulatory_reporting_for_us_federal_reserve:*:*:*:*:*:*:*:* versions from (including) 8.0.6; versions up to (including) 8.0.9
  • cpe:2.3:a:oracle:healthcare_foundation:7.1.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:healthcare_foundation:7.2.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:healthcare_foundation:7.2.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:healthcare_foundation:7.3.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:hospitality_materials_control:18.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:hospitality_simphony:*:*:*:*:*:*:*:* versions from (including) 19.1.0; versions up to (including) 19.1.2
  • cpe:2.3:a:oracle:hospitality_simphony:18.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:hospitality_simphony:18.2:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:hospitality_simphony:19.1.0-19.1.2:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:insurance_accounting_analyzer:8.0.9:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:insurance_allocation_manager_for_enterprise_profitability:8.0.8:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:insurance_allocation_manager_for_enterprise_profitability:8.1.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:insurance_data_foundation:*:*:*:*:*:*:*:* versions from (including) 8.0.6; versions up to (including) 8.1.0
  • cpe:2.3:a:oracle:insurance_data_foundation:8.0.6-8.1.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:insurance_insbridge_rating_and_underwriting:*:*:*:*:*:*:*:* versions from (including) 5.0.0.0; versions up to (including) 5.6.0.0
  • cpe:2.3:a:oracle:insurance_insbridge_rating_and_underwriting:5.6.1.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:jdeveloper:11.1.1.9.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:jdeveloper:12.2.1.3.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:jdeveloper:12.2.1.4.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.56:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.57:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.58:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:policy_automation:*:*:*:*:*:*:*:* versions from (including) 12.2.0; versions up to (including) 12.2.20
  • cpe:2.3:a:oracle:policy_automation_connector_for_siebel:10.4.6:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:policy_automation_for_mobile_devices:*:*:*:*:*:*:*:* versions from (including) 12.2.0; versions up to (including) 12.2.20
  • cpe:2.3:a:oracle:retail_back_office:14.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:retail_back_office:14.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:retail_customer_management_and_segmentation_foundation:19.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:retail_returns_management:14.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:retail_returns_management:14.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:siebel_ui_framework:20.8:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:storagetek_acsls:8.5.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:weblogic_server:10.3.6.0.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:weblogic_server:12.1.3.0.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:weblogic_server:12.2.1.3.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:weblogic_server:12.2.1.4.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:weblogic_server:14.1.1.0.0:*:*:*:*:*:*:*
  • cpe:2.3:a:tenable:log_correlation_engine:*:*:*:*:*:*:*:* versions up to (excluding) 6.0.9

CVE-2020-11023  

In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing <option> elements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (6.1)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

References:

Vulnerable Software & Versions (NVD):

  • cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:* versions from (including) 7.0; versions up to (excluding) 7.70
  • cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:* versions from (including) 8.7.0; versions up to (excluding) 8.7.14
  • cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:* versions from (including) 8.8.0; versions up to (excluding) 8.8.6
  • cpe:2.3:a:jquery:jquery:*:*:*:*:*:*:*:* versions from (including) 1.0.3; versions up to (excluding) 3.5.0
  • cpe:2.3:a:netapp:max_data:-:*:*:*:*:*:*:*
  • cpe:2.3:a:netapp:oncommand_insight:-:*:*:*:*:*:*:*
  • cpe:2.3:a:netapp:oncommand_system_manager:*:*:*:*:*:*:*:* versions from (including) 3.0; versions up to (including) 3.1.3
  • cpe:2.3:a:netapp:snap_creator_framework:-:*:*:*:*:*:*:*
  • cpe:2.3:a:netapp:snapcenter_server:-:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:application_express:*:*:*:*:*:*:*:* versions up to (excluding) 20.2
  • cpe:2.3:a:oracle:application_testing_suite:13.3.0.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:banking_enterprise_collections:*:*:*:*:*:*:*:* versions from (including) 2.7.0; versions up to (including) 2.8.0
  • cpe:2.3:a:oracle:banking_platform:*:*:*:*:*:*:*:* versions from (including) 2.4.0; versions up to (including) 2.10.0
  • cpe:2.3:a:oracle:communications_analytics:12.1.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_eagle_application_processor:*:*:*:*:*:*:*:* versions from (including) 16.1.0; versions up to (including) 16.4.0
  • cpe:2.3:a:oracle:communications_element_manager:8.1.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_element_manager:8.2.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_element_manager:8.2.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_interactive_session_recorder:*:*:*:*:*:*:*:* versions from (including) 6.1; versions up to (including) 6.4
  • cpe:2.3:a:oracle:communications_operations_monitor:*:*:*:*:*:*:*:* versions from (including) 4.1; versions up to (including) 4.3
  • cpe:2.3:a:oracle:communications_operations_monitor:3.4:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_services_gatekeeper:7.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_session_report_manager:8.1.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_session_report_manager:8.2.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_session_report_manager:8.2.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_session_route_manager:8.1.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_session_route_manager:8.2.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_session_route_manager:8.2.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_regulatory_reporting_for_de_nederlandsche_bank:8.0.4:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_revenue_management_and_billing_analytics:2.7:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_revenue_management_and_billing_analytics:2.8:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:health_sciences_inform:6.3.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:healthcare_translational_research:3.2.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:healthcare_translational_research:3.3.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:healthcare_translational_research:3.3.2:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:healthcare_translational_research:3.4.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:hyperion_financial_reporting:11.1.2.4:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:jd_edwards_enterpriseone_orchestrator:*:*:*:*:*:*:*:* versions up to (excluding) 9.2.5.0
  • cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools:*:*:*:*:*:*:*:* versions up to (excluding) 9.2.5.0
  • cpe:2.3:a:oracle:oss_support_tools:*:*:*:*:*:*:*:* versions up to (excluding) 2.12.41
  • cpe:2.3:a:oracle:peoplesoft_enterprise_human_capital_management_resources:9.2:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:* versions from (including) 16.2; versions up to (including) 16.2.11
  • cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:* versions from (including) 17.12.0; versions up to (including) 17.12.7
  • cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:* versions from (including) 18.8.0; versions up to (including) 18.8.9
  • cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:* versions from (including) 19.12.0; versions up to (including) 19.12.4
  • cpe:2.3:a:oracle:rest_data_services:18c:*:*:*:-:*:*:*
  • cpe:2.3:a:oracle:rest_data_services:19c:*:*:*:-:*:*:*
  • cpe:2.3:a:oracle:rest_data_services:11.2.0.4:*:*:*:-:*:*:*
  • cpe:2.3:a:oracle:rest_data_services:12.1.0.2:*:*:*:-:*:*:*
  • cpe:2.3:a:oracle:rest_data_services:12.2.0.1:*:*:*:-:*:*:*
  • cpe:2.3:a:oracle:siebel_mobile:*:*:*:*:*:*:*:* versions up to (including) 20.12
  • cpe:2.3:a:oracle:storagetek_acsls:8.5.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:storagetek_tape_analytics_sw_tool:2.3.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:webcenter_sites:12.2.1.3.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:webcenter_sites:12.2.1.4.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:weblogic_server:12.1.3.0.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:weblogic_server:12.2.1.3.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:weblogic_server:12.2.1.4.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:weblogic_server:14.1.1.0.0:*:*:*:*:*:*:*
  • cpe:2.3:a:tenable:log_correlation_engine:*:*:*:*:*:*:*:* versions up to (excluding) 6.0.9

scala-compiler-2.12.10.jar: jquery.mousewheel.min.js

File Path: /root/.m2/repository/org/scala-lang/scala-compiler/2.12.10/scala-compiler-2.12.10.jar/scala/tools/nsc/doc/html/resource/lib/jquery.mousewheel.min.js
MD5: d5843dbdc71ff8014a5eafd346a262da
SHA1: 127e1d971efab9341db8079f10663dc28e8e0a2f
SHA256: 8e73a30d35c83ea6a597c3343324d2b7df097ad26e67b62efb5266ee12d317b5
Referenced In Project/Scope: livy-repl_2.12:provided

Identifiers

  • None

scala-compiler-2.12.10.jar: jquery.panzoom.min.js

File Path: /root/.m2/repository/org/scala-lang/scala-compiler/2.12.10/scala-compiler-2.12.10.jar/scala/tools/nsc/doc/html/resource/lib/jquery.panzoom.min.js
MD5: c342421033e7969c439f653fb93a3157
SHA1: 57e8700a39d8f95e5768b40d0690c7e572ac0dbd
SHA256: 970bfa8aa52c87a1a77718ecd3529037d89818560d90107529d55488612cbba2
Referenced In Project/Scope: livy-repl_2.12:provided

Identifiers

  • None

scala-compiler-2.12.10.jar: jquery.slim.min.js

File Path: /root/.m2/repository/org/scala-lang/scala-compiler/2.12.10/scala-compiler-2.12.10.jar/jquery.slim.min.js
MD5: d9b11ca4d877c327889805b73bb79edd
SHA1: dd15958a3f0f1f3601461f927c4703a56ed59011
SHA256: a5ab2a00a0439854f8787a0dda775dea5377ef4905886505c938941d6854ee4f
Referenced In Project/Scope: livy-repl_2.12:provided

Identifiers

CVE-2020-11022  

In jQuery versions greater than or equal to 1.2 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (6.1)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

References:

Vulnerable Software & Versions (NVD):

  • cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:* versions from (including) 7.0; versions up to (excluding) 7.70
  • cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:* versions from (including) 8.7.0; versions up to (excluding) 8.7.14
  • cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:* versions from (including) 8.8.0; versions up to (excluding) 8.8.6
  • cpe:2.3:a:jquery:jquery:*:*:*:*:*:*:*:* versions from (including) 1.2; versions up to (excluding) 3.5.0
  • cpe:2.3:a:netapp:max_data:-:*:*:*:*:*:*:*
  • cpe:2.3:a:netapp:oncommand_insight:-:*:*:*:*:*:*:*
  • cpe:2.3:a:netapp:oncommand_system_manager:*:*:*:*:*:*:*:* versions from (including) 3.0; versions up to (including) 3.1.3
  • cpe:2.3:a:netapp:snap_creator_framework:-:*:*:*:*:*:*:*
  • cpe:2.3:a:netapp:snapcenter:-:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:agile_product_lifecycle_management_for_process:6.2.0.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:agile_product_supplier_collaboration_for_process:6.2.0.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:application_testing_suite:13.3.0.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:banking_digital_experience:*:*:*:*:*:*:*:* versions from (including) 18.1; versions up to (including) 20.1
  • cpe:2.3:a:oracle:banking_digital_experience:18.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:banking_digital_experience:18.2:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:banking_digital_experience:18.3:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:banking_digital_experience:19.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:banking_digital_experience:19.2:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:banking_digital_experience:20.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:blockchain_platform:*:*:*:*:*:*:*:* versions up to (excluding) 21.1.2
  • cpe:2.3:a:oracle:communications_application_session_controller:3.8m0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_billing_and_revenue_management:7.5.0.23.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_billing_and_revenue_management:12.0.0.3.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_diameter_signaling_router_idih\::*:*:*:*:*:*:*:* versions from (including) 8.0.0; versions up to (including) 8.2.2
  • cpe:2.3:a:oracle:communications_eagle_application_processor:*:*:*:*:*:*:*:* versions from (including) 16.1.0; versions up to (including) 16.4.0
  • cpe:2.3:a:oracle:communications_services_gatekeeper:7.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_webrtc_session_controller:7.2:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:enterprise_manager_ops_center:12.4.0.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:enterprise_session_border_controller:8.4:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:*:*:*:*:*:*:*:* versions from (including) 8.0.6; versions up to (including) 8.1.0
  • cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:*:*:*:*:*:*:*:* versions from (including) 8.0.6.0.0; versions up to (including) 8.1.0.0.0
  • cpe:2.3:a:oracle:financial_services_analytical_applications_reconciliation_framework:*:*:*:*:*:*:*:* versions from (including) 8.0.6; versions up to (including) 8.0.8
  • cpe:2.3:a:oracle:financial_services_analytical_applications_reconciliation_framework:8.1.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_asset_liability_management:8.0.6:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_asset_liability_management:8.0.7:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_asset_liability_management:8.1.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_balance_sheet_planning:8.0.8:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_basel_regulatory_capital_basic:*:*:*:*:*:*:*:* versions from (including) 8.0.6; versions up to (including) 8.0.8
  • cpe:2.3:a:oracle:financial_services_basel_regulatory_capital_basic:8.1.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_basel_regulatory_capital_internal_ratings_based_approach:*:*:*:*:*:*:*:* versions from (including) 8.0.6; versions up to (including) 8.0.8
  • cpe:2.3:a:oracle:financial_services_basel_regulatory_capital_internal_ratings_based_approach:8.1.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_data_foundation:*:*:*:*:*:*:*:* versions from (including) 8.0.6; versions up to (including) 8.1.0
  • cpe:2.3:a:oracle:financial_services_data_governance_for_us_regulatory_reporting:*:*:*:*:*:*:*:* versions from (including) 8.0.6; versions up to (including) 8.0.9
  • cpe:2.3:a:oracle:financial_services_data_integration_hub:8.0.6:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_data_integration_hub:8.0.7:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_data_integration_hub:8.1.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_funds_transfer_pricing:8.0.6:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_funds_transfer_pricing:8.0.7:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_funds_transfer_pricing:8.1.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_hedge_management_and_ifrs_valuations:*:*:*:*:*:*:*:* versions from (including) 8.0.6; versions up to (including) 8.0.8
  • cpe:2.3:a:oracle:financial_services_hedge_management_and_ifrs_valuations:8.1.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_institutional_performance_analytics:8.0.6:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_institutional_performance_analytics:8.0.7:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_institutional_performance_analytics:8.1.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_liquidity_risk_management:8.0.6:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_liquidity_risk_measurement_and_management:8.0.7:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_liquidity_risk_measurement_and_management:8.0.8:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_liquidity_risk_measurement_and_management:8.1.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_loan_loss_forecasting_and_provisioning:*:*:*:*:*:*:*:* versions from (including) 8.0.6; versions up to (including) 8.0.8
  • cpe:2.3:a:oracle:financial_services_loan_loss_forecasting_and_provisioning:8.1.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_market_risk_measurement_and_management:8.0.6:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_market_risk_measurement_and_management:8.0.8:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_price_creation_and_discovery:8.0.6:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_price_creation_and_discovery:8.0.7:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_profitability_management:8.0.6:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_profitability_management:8.0.7:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_profitability_management:8.1.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_regulatory_reporting_for_european_banking_authority:*:*:*:*:*:*:*:* versions from (including) 8.0.6; versions up to (including) 8.1.0
  • cpe:2.3:a:oracle:financial_services_regulatory_reporting_for_us_federal_reserve:*:*:*:*:*:*:*:* versions from (including) 8.0.6; versions up to (including) 8.0.9
  • cpe:2.3:a:oracle:healthcare_foundation:7.1.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:healthcare_foundation:7.2.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:healthcare_foundation:7.2.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:healthcare_foundation:7.3.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:hospitality_materials_control:18.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:hospitality_simphony:*:*:*:*:*:*:*:* versions from (including) 19.1.0; versions up to (including) 19.1.2
  • cpe:2.3:a:oracle:hospitality_simphony:18.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:hospitality_simphony:18.2:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:hospitality_simphony:19.1.0-19.1.2:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:insurance_accounting_analyzer:8.0.9:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:insurance_allocation_manager_for_enterprise_profitability:8.0.8:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:insurance_allocation_manager_for_enterprise_profitability:8.1.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:insurance_data_foundation:*:*:*:*:*:*:*:* versions from (including) 8.0.6; versions up to (including) 8.1.0
  • cpe:2.3:a:oracle:insurance_data_foundation:8.0.6-8.1.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:insurance_insbridge_rating_and_underwriting:*:*:*:*:*:*:*:* versions from (including) 5.0.0.0; versions up to (including) 5.6.0.0
  • cpe:2.3:a:oracle:insurance_insbridge_rating_and_underwriting:5.6.1.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:jdeveloper:11.1.1.9.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:jdeveloper:12.2.1.3.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:jdeveloper:12.2.1.4.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.56:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.57:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.58:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:policy_automation:*:*:*:*:*:*:*:* versions from (including) 12.2.0; versions up to (including) 12.2.20
  • cpe:2.3:a:oracle:policy_automation_connector_for_siebel:10.4.6:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:policy_automation_for_mobile_devices:*:*:*:*:*:*:*:* versions from (including) 12.2.0; versions up to (including) 12.2.20
  • cpe:2.3:a:oracle:retail_back_office:14.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:retail_back_office:14.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:retail_customer_management_and_segmentation_foundation:19.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:retail_returns_management:14.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:retail_returns_management:14.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:siebel_ui_framework:20.8:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:storagetek_acsls:8.5.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:weblogic_server:10.3.6.0.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:weblogic_server:12.1.3.0.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:weblogic_server:12.2.1.3.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:weblogic_server:12.2.1.4.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:weblogic_server:14.1.1.0.0:*:*:*:*:*:*:*
  • cpe:2.3:a:tenable:log_correlation_engine:*:*:*:*:*:*:*:* versions up to (excluding) 6.0.9

CVE-2020-11023  

In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing <option> elements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (6.1)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

References:

Vulnerable Software & Versions (NVD):

  • cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:* versions from (including) 7.0; versions up to (excluding) 7.70
  • cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:* versions from (including) 8.7.0; versions up to (excluding) 8.7.14
  • cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:* versions from (including) 8.8.0; versions up to (excluding) 8.8.6
  • cpe:2.3:a:jquery:jquery:*:*:*:*:*:*:*:* versions from (including) 1.0.3; versions up to (excluding) 3.5.0
  • cpe:2.3:a:netapp:max_data:-:*:*:*:*:*:*:*
  • cpe:2.3:a:netapp:oncommand_insight:-:*:*:*:*:*:*:*
  • cpe:2.3:a:netapp:oncommand_system_manager:*:*:*:*:*:*:*:* versions from (including) 3.0; versions up to (including) 3.1.3
  • cpe:2.3:a:netapp:snap_creator_framework:-:*:*:*:*:*:*:*
  • cpe:2.3:a:netapp:snapcenter_server:-:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:application_express:*:*:*:*:*:*:*:* versions up to (excluding) 20.2
  • cpe:2.3:a:oracle:application_testing_suite:13.3.0.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:banking_enterprise_collections:*:*:*:*:*:*:*:* versions from (including) 2.7.0; versions up to (including) 2.8.0
  • cpe:2.3:a:oracle:banking_platform:*:*:*:*:*:*:*:* versions from (including) 2.4.0; versions up to (including) 2.10.0
  • cpe:2.3:a:oracle:communications_analytics:12.1.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_eagle_application_processor:*:*:*:*:*:*:*:* versions from (including) 16.1.0; versions up to (including) 16.4.0
  • cpe:2.3:a:oracle:communications_element_manager:8.1.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_element_manager:8.2.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_element_manager:8.2.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_interactive_session_recorder:*:*:*:*:*:*:*:* versions from (including) 6.1; versions up to (including) 6.4
  • cpe:2.3:a:oracle:communications_operations_monitor:*:*:*:*:*:*:*:* versions from (including) 4.1; versions up to (including) 4.3
  • cpe:2.3:a:oracle:communications_operations_monitor:3.4:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_services_gatekeeper:7.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_session_report_manager:8.1.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_session_report_manager:8.2.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_session_report_manager:8.2.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_session_route_manager:8.1.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_session_route_manager:8.2.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_session_route_manager:8.2.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_regulatory_reporting_for_de_nederlandsche_bank:8.0.4:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_revenue_management_and_billing_analytics:2.7:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_revenue_management_and_billing_analytics:2.8:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:health_sciences_inform:6.3.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:healthcare_translational_research:3.2.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:healthcare_translational_research:3.3.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:healthcare_translational_research:3.3.2:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:healthcare_translational_research:3.4.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:hyperion_financial_reporting:11.1.2.4:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:jd_edwards_enterpriseone_orchestrator:*:*:*:*:*:*:*:* versions up to (excluding) 9.2.5.0
  • cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools:*:*:*:*:*:*:*:* versions up to (excluding) 9.2.5.0
  • cpe:2.3:a:oracle:oss_support_tools:*:*:*:*:*:*:*:* versions up to (excluding) 2.12.41
  • cpe:2.3:a:oracle:peoplesoft_enterprise_human_capital_management_resources:9.2:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:* versions from (including) 16.2; versions up to (including) 16.2.11
  • cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:* versions from (including) 17.12.0; versions up to (including) 17.12.7
  • cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:* versions from (including) 18.8.0; versions up to (including) 18.8.9
  • cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:* versions from (including) 19.12.0; versions up to (including) 19.12.4
  • cpe:2.3:a:oracle:rest_data_services:18c:*:*:*:-:*:*:*
  • cpe:2.3:a:oracle:rest_data_services:19c:*:*:*:-:*:*:*
  • cpe:2.3:a:oracle:rest_data_services:11.2.0.4:*:*:*:-:*:*:*
  • cpe:2.3:a:oracle:rest_data_services:12.1.0.2:*:*:*:-:*:*:*
  • cpe:2.3:a:oracle:rest_data_services:12.2.0.1:*:*:*:-:*:*:*
  • cpe:2.3:a:oracle:siebel_mobile:*:*:*:*:*:*:*:* versions up to (including) 20.12
  • cpe:2.3:a:oracle:storagetek_acsls:8.5.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:storagetek_tape_analytics_sw_tool:2.3.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:webcenter_sites:12.2.1.3.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:webcenter_sites:12.2.1.4.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:weblogic_server:12.1.3.0.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:weblogic_server:12.2.1.3.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:weblogic_server:12.2.1.4.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:weblogic_server:14.1.1.0.0:*:*:*:*:*:*:*
  • cpe:2.3:a:tenable:log_correlation_engine:*:*:*:*:*:*:*:* versions up to (excluding) 6.0.9

scala-compiler-2.12.10.jar: scheduler.js

File Path: /root/.m2/repository/org/scala-lang/scala-compiler/2.12.10/scala-compiler-2.12.10.jar/scala/tools/nsc/doc/html/resource/lib/scheduler.js
MD5: 0a0d28a27d996abff56588994ce544e2
SHA1: 80370626df86212b4174ce17095abfd6c11105ec
SHA256: b38a639a32cfbbfa65bcd0536482c7b8f01e33460a96c1cad2321abf93626d8c
Referenced In Project/Scope: livy-repl_2.12:provided

Identifiers

  • None

scala-compiler-2.12.10.jar: template.js

File Path: /root/.m2/repository/org/scala-lang/scala-compiler/2.12.10/scala-compiler-2.12.10.jar/scala/tools/nsc/doc/html/resource/lib/template.js
MD5: d34001437bfe41def06b041f374f4e90
SHA1: d932577b638f4bc737245e56a774f87b128efee1
SHA256: e64b8e321cb0d45471be40ce0069e223b2a84e7d2bb1758752742752e9473d5d
Referenced In Project/Scope: livy-repl_2.12:provided

Identifiers

  • None

scala-library-2.11.12.jar

Description:

Standard library for the Scala Programming Language

License:

BSD 3-Clause: http://www.scala-lang.org/license.html
File Path: /root/.m2/repository/org/scala-lang/scala-library/2.11.12/scala-library-2.11.12.jar
MD5: 57c9d7745f84b5e590fd47cb745cb298
SHA1: bf5534e6fec3d665bd6419c952a929a8bdd4b591
SHA256: 0b3d6fd42958ee98715ba2ec5fe221f4ca1e694d7c981b0ae0cd68e97baf6dce
Referenced In Projects/Scopes:
  • livy-integration-test:compile
  • livy-rsc:provided
  • livy-repl-parent:provided
  • livy-test-lib:provided
  • livy-api:provided
  • livy-core-parent:compile
  • livy-scala-api-parent:compile
  • livy-coverage-report:compile
  • livy-assembly:compile
  • livy-server:compile
  • livy-scala-api_2.11:compile
  • livy-core_2.11:compile
  • livy-repl_2.11:provided
  • livy-examples:compile
  • multi-scala-project-root:compile

Identifiers

scala-library-2.12.10.jar

Description:

Standard library for the Scala Programming Language

License:

Apache-2.0: https://www.apache.org/licenses/LICENSE-2.0
File Path: /root/.m2/repository/org/scala-lang/scala-library/2.12.10/scala-library-2.12.10.jar
MD5: 9fcf8259fb239c6f2b148963cac03af2
SHA1: 3509860bc2e5b3da001ed45aca94ffbe5694dbda
SHA256: 0a57044d10895f8d3dd66ad4286891f607169d948845ac51e17b4c1cf0ab569d
Referenced In Projects/Scopes:
  • livy-scala-api_2.12:compile
  • livy-repl_2.12:provided
  • livy-core_2.12:compile

Identifiers

scala-parser-combinators_2.11-1.0.4.jar

Description:

scala-parser-combinators

License:

BSD 3-clause: http://opensource.org/licenses/BSD-3-Clause
File Path: /root/.m2/repository/org/scala-lang/modules/scala-parser-combinators_2.11/1.0.4/scala-parser-combinators_2.11-1.0.4.jar
MD5: ff946f94319accb11847381d3c436837
SHA1: 7369d653bcfa95d321994660477a4d7e81d7f490
SHA256: 0dfaafce29a9a245b0a9180ec2c1073d2bd8f0330f03a9f1f6a74d1bc83f62d6
Referenced In Projects/Scopes:
  • livy-repl-parent:provided
  • livy-repl_2.11:provided

Identifiers

scala-parser-combinators_2.11-1.0.6.jar

Description:

scala-parser-combinators

License:

BSD 3-clause: http://opensource.org/licenses/BSD-3-Clause
File Path: /root/.m2/repository/org/scala-lang/modules/scala-parser-combinators_2.11/1.0.6/scala-parser-combinators_2.11-1.0.6.jar
MD5: f3682e5aefec386abf633ff062fdd5c8
SHA1: 27b31450b7a5c8cc0b82bf8974ff543309f7deda
SHA256: e8d15ebde0ccad54b5c9c82501afef8f7506a12f9500f2526d9c7e76a6ec3618
Referenced In Projects/Scopes:
  • livy-integration-test:compile
  • livy-coverage-report:compile
  • livy-assembly:compile
  • livy-server:compile

Identifiers

scala-parser-combinators_2.11-1.1.0.jar

Description:

scala-parser-combinators

License:

BSD 3-clause: http://opensource.org/licenses/BSD-3-Clause
File Path: /root/.m2/repository/org/scala-lang/modules/scala-parser-combinators_2.11/1.1.0/scala-parser-combinators_2.11-1.1.0.jar
MD5: fecb6cb9effb41746bd661af6713baa7
SHA1: fbf4d9948b22f37c658c8c7712a621a732798b13
SHA256: 5baaad7be5c6fc8142a31ab003f7ee797e488ee137d48df5d9c3c2b3fb0c5bc6
Referenced In Projects/Scopes:
  • livy-scala-api_2.11:provided
  • livy-scala-api-parent:provided
  • livy-rsc:provided
  • livy-test-lib:provided
  • livy-examples:compile
  • livy-api:provided

Identifiers

scala-parser-combinators_2.12-1.1.0.jar

Description:

scala-parser-combinators

License:

BSD 3-clause: http://opensource.org/licenses/BSD-3-Clause
File Path: /root/.m2/repository/org/scala-lang/modules/scala-parser-combinators_2.12/1.1.0/scala-parser-combinators_2.12-1.1.0.jar
MD5: 764fbf1a71d8d4f52c537189ec7c019c
SHA1: bbce493f8bf61b56623624ff96ac3865f7f6999a
SHA256: 102f2a13efae9486cb4fc01aa4eb92c0543dbd8403f825041746c689f80556e3
Referenced In Projects/Scopes:
  • livy-scala-api_2.12:provided
  • livy-repl_2.12:provided

Identifiers

scala-xml_2.11-1.0.6.jar

Description:

scala-xml

License:

BSD 3-clause: http://opensource.org/licenses/BSD-3-Clause
File Path: /root/.m2/repository/org/scala-lang/modules/scala-xml_2.11/1.0.6/scala-xml_2.11-1.0.6.jar
MD5: 3c314aacb4c9a0850eb110cf02640030
SHA1: 4ebd108453e6455351c0ec50d32509ae1154fdb1
SHA256: a3ec190294a15a26706123f140a087a8c0a5db8980e86755e5b8e8fc33ac8d3d
Referenced In Projects/Scopes:
  • livy-repl_2.11:compile
  • livy-server:compile
  • livy-repl-parent:compile

Identifiers

scala-xml_2.11-1.2.0.jar

Description:

scala-xml

License:

Apache-2.0: https://www.apache.org/licenses/LICENSE-2.0
File Path: /root/.m2/repository/org/scala-lang/modules/scala-xml_2.11/1.2.0/scala-xml_2.11-1.2.0.jar
MD5: 6a24761f45627897e9859f18ade065e2
SHA1: 0d53914287e29deeb04c9d6031d63f9fbe0c86da
SHA256: eaddac168ef1e28978af768706490fa4358323a08964c25fa1027c52238e3702
Referenced In Projects/Scopes:
  • livy-scala-api_2.11:provided
  • livy-scala-api-parent:provided
  • livy-integration-test:compile
  • livy-coverage-report:compile
  • livy-assembly:compile
  • livy-rsc:provided
  • livy-test-lib:provided
  • livy-examples:compile
  • livy-api:provided

Identifiers

scala-xml_2.12-1.0.6.jar

Description:

scala-xml

License:

BSD 3-clause: http://opensource.org/licenses/BSD-3-Clause
File Path: /root/.m2/repository/org/scala-lang/modules/scala-xml_2.12/1.0.6/scala-xml_2.12-1.0.6.jar
MD5: ac867dfb81feb7c874f2cbc953453700
SHA1: e22de3366a698a9f744106fb6dda4335838cf6a7
SHA256: 7cc3b6ceb56e879cb977e8e043f4bfe2e062f78795efd7efa09f85003cb3230a
Referenced In Projects/Scopes:
  • livy-coverage-report:compile
  • livy-assembly:compile
  • livy-repl_2.12:compile

Identifiers

scala-xml_2.12-1.2.0.jar

Description:

scala-xml

License:

Apache-2.0: https://www.apache.org/licenses/LICENSE-2.0
File Path: /root/.m2/repository/org/scala-lang/modules/scala-xml_2.12/1.2.0/scala-xml_2.12-1.2.0.jar
MD5: 5daf691f15978092fc8424e1fe5245e4
SHA1: 5d38ac30beb8420dd395c0af447ba412158965e6
SHA256: 1b48dc206f527b7604ef32492ada8e71706c63a65d999e0cabdafdc5793b4d63
Referenced In Project/Scope: livy-scala-api_2.12:provided

Identifiers

scalactic_2.11-3.0.8.jar

Description:

scalactic

License:

the Apache License, ASL Version 2.0: http://www.apache.org/licenses/LICENSE-2.0
File Path: /root/.m2/repository/org/scalactic/scalactic_2.11/3.0.8/scalactic_2.11-3.0.8.jar
MD5: 044356dba0192aeea5c13ce1492657e6
SHA1: 519147915d9c205eace6a9c75c2068d74fade61e
SHA256: 88cdac4628c42215d08449db85159ba0a72dea9465e9d6eb4c8b4a784ef7ef23
Referenced In Project/Scope: livy-integration-test:compile

Identifiers

scalatest_2.11-3.0.8.jar

Description:

scalatest

License:

the Apache License, ASL Version 2.0: http://www.apache.org/licenses/LICENSE-2.0
File Path: /root/.m2/repository/org/scalatest/scalatest_2.11/3.0.8/scalatest_2.11-3.0.8.jar
MD5: b3db0bd9b2f60b754b17da2043237a25
SHA1: c75fddee2d6e792d8ac6edcb575f8f23662869cc
SHA256: 606f4324a7d03522303fb30d9370eafdecc42c648c5a0a0ea85f114e09054940
Referenced In Project/Scope: livy-integration-test:compile

Identifiers

scalatest_2.11-3.0.8.jar: d3.v2.min.js

File Path: /root/.m2/repository/org/scalatest/scalatest_2.11/3.0.8/scalatest_2.11-3.0.8.jar/org/scalatest/d3.v2.min.js
MD5: 3d9462e26cf0d0d54173cac85cb16b6f
SHA1: 4ecc882b90979714b1e13e2222b2350028b75215
SHA256: 4ab5438363baac545e128763c63a7055f8ad89efa181551598e2544ed423bc11
Referenced In Project/Scope: livy-integration-test:compile

Identifiers

  • None

scalatest_2.11-3.0.8.jar: sorttable.js

File Path: /root/.m2/repository/org/scalatest/scalatest_2.11/3.0.8/scalatest_2.11-3.0.8.jar/org/scalatest/sorttable.js
MD5: eedc4aca5982d90967b744f8b6d3f65b
SHA1: eb14586215b095107ef577f99c3880405f317376
SHA256: 5fc1b3d1104c662122cdcfbda9a6d6a51614b3bf14f33483f2090df4bbb1dfa3
Referenced In Project/Scope: livy-integration-test:compile

Identifiers

  • None

scalatra-common_2.11-2.6.5.jar

Description:

scalatra-common

License:

BSD: http://github.com/scalatra/scalatra/raw/HEAD/LICENSE
File Path: /root/.m2/repository/org/scalatra/scalatra-common_2.11/2.6.5/scalatra-common_2.11-2.6.5.jar
MD5: 20fe4a9c3643f0a729eb4bcc5d732f69
SHA1: 22883468ca8cf0c462a847fc5dba29b6300ef220
SHA256: dd6613b5a7249675386ee603a12b9d7735a532d189c74ffa34f0bda1a9fd110a
Referenced In Projects/Scopes:
  • livy-integration-test:compile
  • livy-coverage-report:compile
  • livy-assembly:compile
  • livy-server:compile

Identifiers

scalatra-json_2.11-2.6.5.jar

Description:

JSON support for Scalatra

License:

BSD: http://github.com/scalatra/scalatra/raw/HEAD/LICENSE
File Path: /root/.m2/repository/org/scalatra/scalatra-json_2.11/2.6.5/scalatra-json_2.11-2.6.5.jar
MD5: 29eb5d2d42fba7c027d5a075a2ea4858
SHA1: 36c9e400c76a68446935431b6c0705b03fd3ebe6
SHA256: f6ae969877a437347eaa439e167de3fc349936028cdca5442cb3b00443081f84
Referenced In Projects/Scopes:
  • livy-integration-test:compile
  • livy-coverage-report:compile
  • livy-assembly:compile
  • livy-server:compile

Identifiers

scalatra-metrics_2.11-2.6.5.jar

Description:

Scalatra integration with Metrics

License:

BSD: http://github.com/scalatra/scalatra/raw/HEAD/LICENSE
File Path: /root/.m2/repository/org/scalatra/scalatra-metrics_2.11/2.6.5/scalatra-metrics_2.11-2.6.5.jar
MD5: 78475aa6e9bacc3dff2bbf83025e751c
SHA1: 6861d435bd53835d1a11ccb2dc403d9aa7dad19b
SHA256: 7bf0d118531f51531a1dfa20d6169a5aa156985adde116ad88db24079f16f672
Referenced In Projects/Scopes:
  • livy-integration-test:compile
  • livy-coverage-report:compile
  • livy-assembly:compile
  • livy-server:compile

Identifiers

scalatra-test_2.11-2.6.5.jar

Description:

The abstract Scalatra test framework

License:

BSD: http://github.com/scalatra/scalatra/raw/HEAD/LICENSE
File Path: /root/.m2/repository/org/scalatra/scalatra-test_2.11/2.6.5/scalatra-test_2.11-2.6.5.jar
MD5: 2c994ac12aadda02ce201417dd478704
SHA1: a19b5c6f00397ad95e91282d1de2911377c75bfd
SHA256: 1ba76f87dac38f2b8fc17304af5080254b8087e8b636c71feff36ac540437304
Referenced In Project/Scope: livy-integration-test:compile

Identifiers

scalatra_2.11-2.6.5.jar

Description:

The core Scalatra framework

License:

BSD: http://github.com/scalatra/scalatra/raw/HEAD/LICENSE
File Path: /root/.m2/repository/org/scalatra/scalatra_2.11/2.6.5/scalatra_2.11-2.6.5.jar
MD5: 539d7f5d10e953be3a7b1c1aabe62b43
SHA1: 6ca1ffe7a04da1ca8deb49d8d9b3019b8c237b29
SHA256: 90a6529ff67e41b662f0c5add54b54ead12e2cc496c84e825974da9ebdaf902f
Referenced In Projects/Scopes:
  • livy-integration-test:compile
  • livy-coverage-report:compile
  • livy-assembly:compile
  • livy-server:compile

Identifiers

servlet-api-2.5.jar

File Path: /root/.m2/repository/javax/servlet/servlet-api/2.5/servlet-api-2.5.jar
MD5: 69ca51af4e9a67a1027a7f95b52c3e8f
SHA1: 5959582d97d8b61f4d154ca9e495aafd16726e34
SHA256: c658ea360a70faeeadb66fb3c90a702e4142a0ab7768f9ae9828678e0d9ad4dc
Referenced In Projects/Scopes:
  • livy-integration-test:compile
  • livy-coverage-report:compile

Identifiers

session-log.js

File Path: /workspace/server/src/main/resources/org/apache/livy/server/ui/static/js/session-log.js
MD5: d704ff0ccceb642c627e06ea6f2adec4
SHA1: bb83c229530e49ea7ac43d12752d1550331b7f43
SHA256: 859378d7665f63d0812cd92656979e39771ed298ebf6036fdad39b35f1bda211
Referenced In Project/Scope: livy-server

Identifiers

  • None

session.js

File Path: /workspace/server/src/main/resources/org/apache/livy/server/ui/static/js/session.js
MD5: 786599b0ac61084d3b1dca8ca8b56ca3
SHA1: cec3f31396236c38c2b3f86a47d4531611bc922d
SHA256: c9b198bfb44cc5161caa4341609c3afc76208e0ad40bf1445d016dfb60a4afc2
Referenced In Project/Scope: livy-server

Identifiers

  • None

shapeless_2.11-2.3.2.jar

Description:

core

License:

Apache 2: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /root/.m2/repository/com/chuusai/shapeless_2.11/2.3.2/shapeless_2.11-2.3.2.jar
MD5: c3c1d18f6978a2b10983c75499d36930
SHA1: f40ed6e303d550293f5f8f3743681d98e31f2360
SHA256: f9741699b9a84d218c97907f445ea24f401f84239041c91332ca53c481670e36
Referenced In Projects/Scopes:
  • livy-repl-parent:provided
  • livy-repl_2.11:provided

Identifiers

shapeless_2.12-2.3.2.jar

Description:

core

License:

Apache 2: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /root/.m2/repository/com/chuusai/shapeless_2.12/2.3.2/shapeless_2.12-2.3.2.jar
MD5: 17a0b8115c75da11076791ac4fe950f7
SHA1: 27e115ffed7917b456e54891de67173f4a68d5f1
SHA256: 75926d9dd4688710ca16d852b58746dcfc013a2a1a58d1e817a27f95b2d42303
Referenced In Project/Scope: livy-repl_2.12:provided

Identifiers

shims-0.7.45.jar

File Path: /root/.m2/repository/org/roaringbitmap/shims/0.7.45/shims-0.7.45.jar
MD5: 3b98287c4745f90a9dda7aa77e4405f1
SHA1: efcebd3284aaba8bc0c72040018a72e8ba7530bc
SHA256: 8eab000cdb5d24a51007a853734f361469327ed7bade44ba8180fd3e4fb0fd5d
Referenced In Projects/Scopes:
  • livy-scala-api_2.12:provided
  • livy-scala-api_2.11:provided
  • livy-scala-api-parent:provided
  • livy-repl_2.12:provided
  • livy-rsc:provided
  • livy-repl-parent:provided
  • livy-test-lib:provided
  • livy-repl_2.11:provided
  • livy-examples:compile
  • livy-api:provided

Identifiers

slf4j-api-1.7.25.jar

Description:

The slf4j API

File Path: /root/.m2/repository/org/slf4j/slf4j-api/1.7.25/slf4j-api-1.7.25.jar
MD5: caafe376afb7086dcbee79f780394ca3
SHA1: da76ca59f6a57ee3102f8f9bd9cee742973efa8a
SHA256: 18c4a0095d5c1da6b817592e767bb23d29dd2f560ad74df75ff3961dbde25b79
Referenced In Projects/Scopes:
  • livy-scala-api_2.12:provided
  • livy-integration-test:compile
  • livy-rsc:provided
  • livy-repl-parent:provided
  • livy-test-lib:provided
  • livy-api:provided
  • livy-core-parent:compile
  • livy-scala-api_2.11:provided
  • livy-scala-api-parent:provided
  • livy-coverage-report:compile
  • livy-assembly:compile
  • livy-repl_2.12:provided
  • livy-server:compile
  • livy-core_2.11:compile
  • livy-client-common:provided
  • livy-core_2.12:compile
  • livy-repl_2.11:provided
  • livy-examples:compile

Identifiers

slf4j-log4j12-1.7.10.jar

Description:

SLF4J LOG4J-12 Binding

File Path: /root/.m2/repository/org/slf4j/slf4j-log4j12/1.7.10/slf4j-log4j12-1.7.10.jar
MD5: 77c1e048b5110a007dd5b8e808d76b1f
SHA1: b3eeae7d1765f988a1f45ea81517191315c69c9e
SHA256: 2e4eebc6e346c92c417aa4e662738802645ef21c5eb4435132dc78d631f2eebb
Referenced In Projects/Scopes:
  • livy-integration-test:compile
  • livy-coverage-report:compile
  • livy-assembly:compile
  • livy-server:compile

Identifiers

slf4j-log4j12-1.7.16.jar

Description:

SLF4J LOG4J-12 Binding

File Path: /root/.m2/repository/org/slf4j/slf4j-log4j12/1.7.16/slf4j-log4j12-1.7.16.jar
MD5: 3a8f282432cbe7b0bad2c0183e6f52e9
SHA1: 54c6dd23a7c420e40b8848e962d5f2a3534260af
SHA256: 9dd065184eaaa0e92bb9d4b82d036456cbbb0e09b8c7eaed6ac59b8cfe9fe429
Referenced In Projects/Scopes:
  • livy-scala-api_2.12:provided
  • livy-scala-api_2.11:provided
  • livy-scala-api-parent:provided
  • livy-repl_2.12:provided
  • livy-rsc:provided
  • livy-repl-parent:provided
  • livy-test-lib:provided
  • livy-repl_2.11:provided
  • livy-examples:compile
  • livy-api:provided

Identifiers

snappy-0.2.jar

Description:

Port of Snappy to Java

License:

Apache License 2.0: http://www.apache.org/licenses/LICENSE-2.0.html
File Path: /root/.m2/repository/org/iq80/snappy/snappy/0.2/snappy-0.2.jar
MD5: a5407f2fac7109aa0734a2d9daec87ba
SHA1: c41f070352713ea90cda7712f493f933fcb066e8
SHA256: 58e906a75f1a5a73d6b527f5acfd15a01f14408fecefe5be6ed88f217647f36a
Referenced In Projects/Scopes:
  • livy-scala-api_2.12:provided
  • livy-scala-api_2.11:provided
  • livy-scala-api-parent:provided
  • livy-repl_2.12:provided
  • livy-rsc:provided
  • livy-repl-parent:provided
  • livy-test-lib:provided
  • livy-repl_2.11:provided
  • livy-examples:compile
  • livy-api:provided

Identifiers

snappy-java-1.0.4.1.jar

Description:

snappy-java: A fast compression/decompression library

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /root/.m2/repository/org/xerial/snappy/snappy-java/1.0.4.1/snappy-java-1.0.4.1.jar
MD5: 3fad0dcafbced1e3475e3ad7bdd3236b
SHA1: f88b89a5a21a466aeb0ecf0c063605bd584b4947
SHA256: 52533e94f79beacb9862bac33fa2e2fc724a8cfb2a739c33ae4ea10515f2bb86
Referenced In Projects/Scopes:
  • livy-coverage-report:compile
  • livy-assembly:compile

Identifiers

snappy-java-1.0.4.1.jar: snappyjava.dll

File Path: /root/.m2/repository/org/xerial/snappy/snappy-java/1.0.4.1/snappy-java-1.0.4.1.jar/org/xerial/snappy/native/Windows/amd64/snappyjava.dll
MD5: 09989290a9d23aa887ad3919c8daf6bd
SHA1: 1ca8cb25c14aa3574e1c2d362e11b97b889dc466
SHA256: f0bcc10fb910803d2ce1dfc36fe792066a27570ecacdeedf9d98e7b758f37b44
Referenced In Projects/Scopes:
  • livy-coverage-report:compile
  • livy-assembly:compile

Identifiers

  • None

snappy-java-1.0.4.1.jar: snappyjava.dll

File Path: /root/.m2/repository/org/xerial/snappy/snappy-java/1.0.4.1/snappy-java-1.0.4.1.jar/org/xerial/snappy/native/Windows/x86/snappyjava.dll
MD5: 02d0731854ac1be878dc4d6e2555aa2d
SHA1: baf474b2ad0b6873e2d99764ea61dcb42f850e24
SHA256: e063f8c7329c9e95f61fac2d2c91330440cd45ff832582a46080c082fa8a0c56
Referenced In Projects/Scopes:
  • livy-coverage-report:compile
  • livy-assembly:compile

Identifiers

  • None

snappy-java-1.1.7.3.jar

Description:

snappy-java: A fast compression/decompression library

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /root/.m2/repository/org/xerial/snappy/snappy-java/1.1.7.3/snappy-java-1.1.7.3.jar
MD5: 069c880d31204a1a0fc28a4054f5372a
SHA1: 241bb74a1eb37d68a4e324a4bc3865427de0a62d
SHA256: 7eea31c0a25d35cd092d8aec08bed04f22152409b58d63d43839074a9ab7ab97
Referenced In Projects/Scopes:
  • livy-scala-api_2.12:provided
  • livy-integration-test:compile
  • livy-rsc:provided
  • livy-repl-parent:provided
  • livy-test-lib:provided
  • livy-api:provided
  • livy-scala-api_2.11:provided
  • livy-scala-api-parent:provided
  • livy-repl_2.12:provided
  • livy-server:compile
  • livy-repl_2.11:provided
  • livy-examples:compile

Identifiers

snappy-java-1.1.7.3.jar: snappyjava.dll

File Path: /root/.m2/repository/org/xerial/snappy/snappy-java/1.1.7.3/snappy-java-1.1.7.3.jar/org/xerial/snappy/native/Windows/x86/snappyjava.dll
MD5: 3311b452e8619f09b279575c5ebac4c7
SHA1: b2ab0f778657b4ff3521d7c93e3e5b3b31b96ff9
SHA256: 0be631df962e3dc0c5086869e77d00dde089dbde44ebb7a3e7a75b9f61fa2931
Referenced In Projects/Scopes:
  • livy-scala-api_2.12:provided
  • livy-integration-test:compile
  • livy-rsc:provided
  • livy-repl-parent:provided
  • livy-test-lib:provided
  • livy-api:provided
  • livy-scala-api_2.11:provided
  • livy-scala-api-parent:provided
  • livy-repl_2.12:provided
  • livy-server:compile
  • livy-repl_2.11:provided
  • livy-examples:compile

Identifiers

  • None

snappy-java-1.1.7.3.jar: snappyjava.dll

File Path: /root/.m2/repository/org/xerial/snappy/snappy-java/1.1.7.3/snappy-java-1.1.7.3.jar/org/xerial/snappy/native/Windows/x86_64/snappyjava.dll
MD5: 82578a05ced2f0dc97c2e6b7d350e4c4
SHA1: 79d91441d17e3c81a8bf107ebc9843c642d9e278
SHA256: cfc8d0ea172f838b3a7502e378baed72a3ac45020fb9772667e5dffee46d588b
Referenced In Projects/Scopes:
  • livy-scala-api_2.12:provided
  • livy-integration-test:compile
  • livy-rsc:provided
  • livy-repl-parent:provided
  • livy-test-lib:provided
  • livy-api:provided
  • livy-scala-api_2.11:provided
  • livy-scala-api-parent:provided
  • livy-repl_2.12:provided
  • livy-server:compile
  • livy-repl_2.11:provided
  • livy-examples:compile

Identifiers

  • None

spark-core_2.11-2.4.5.jar (shaded: org.eclipse.jetty:jetty-proxy:9.3.27.v20190418)

Description:

Jetty Proxy

File Path: /root/.m2/repository/org/apache/spark/spark-core_2.11/2.4.5/spark-core_2.11-2.4.5.jar/META-INF/maven/org.eclipse.jetty/jetty-proxy/pom.xml
MD5: 06ad2fef832bcdb5436edeedfcec9422
SHA1: 1814a288a8955c5c844191bf875459d49c90ad32
SHA256: 9855e5f6fac9acafe83b70d3c19b8a9eea89deaa8143823fc57392bc81aa1582
Referenced In Projects/Scopes:
  • livy-scala-api_2.12:provided
  • livy-scala-api_2.11:provided
  • livy-scala-api-parent:provided
  • livy-repl_2.12:provided
  • livy-rsc:provided
  • livy-repl-parent:provided
  • livy-test-lib:provided
  • livy-repl_2.11:provided
  • livy-examples:compile
  • livy-api:provided

Identifiers

CVE-2022-2047 (OSSINDEX)  

In Eclipse Jetty versions 9.4.0 thru 9.4.46, 10.0.0 thru 10.0.9, and 11.0.0 thru 11.0.9, when parsing the authority segment of an http scheme URI, the Jetty HttpURI class improperly detects an invalid input as a hostname. This can lead to failures in a Proxy scenario.
CWE-20 Improper Input Validation

CVSSv2:
  • Base Score: LOW (2.7)
  • Vector: /AV:N/AC:L/Au:/C:N/I:L/A:N

References:

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:org.eclipse.jetty:jetty-proxy:9.3.27.v20190418:*:*:*:*:*:*:*

spark-core_2.11-2.4.5.jar (shaded: org.eclipse.jetty:jetty-server:9.3.27.v20190418)

Description:

The core jetty server artifact.

File Path: /root/.m2/repository/org/apache/spark/spark-core_2.11/2.4.5/spark-core_2.11-2.4.5.jar/META-INF/maven/org.eclipse.jetty/jetty-server/pom.xml
MD5: 856e0a0779cce00e85eece4e30a49bcb
SHA1: 975397061afe31ee424c4082ef8252c3aeb3c028
SHA256: c629cfd6e9b1c5ef749c365c6dd1420359580259a657c2eff507acf18638a194
Referenced In Projects/Scopes:
  • livy-scala-api_2.12:provided
  • livy-scala-api_2.11:provided
  • livy-scala-api-parent:provided
  • livy-repl_2.12:provided
  • livy-rsc:provided
  • livy-repl-parent:provided
  • livy-test-lib:provided
  • livy-repl_2.11:provided
  • livy-examples:compile
  • livy-api:provided

Identifiers

CVE-2021-28165  

In Eclipse Jetty 7.2.2 to 9.4.38, 10.0.0.alpha0 to 10.0.1, and 11.0.0.alpha0 to 11.0.1, CPU usage can reach 100% upon receiving a large invalid TLS frame.
CWE-755 Improper Handling of Exceptional Conditions

CVSSv2:
  • Base Score: HIGH (7.8)
  • Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:C
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References:

Vulnerable Software & Versions:

CVE-2022-2048  

In Eclipse Jetty HTTP/2 server implementation, when encountering an invalid HTTP/2 request, the error handling has a bug that can wind up not properly cleaning up the active connections and associated resources. This can lead to a Denial of Service scenario where there are not enough resources left to process good requests.
CWE-400 Uncontrolled Resource Consumption ('Resource Exhaustion')

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:P
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References:

Vulnerable Software & Versions:

CVE-2020-27216  

In Eclipse Jetty versions 1.0 thru 9.4.32.v20200930, 10.0.0.alpha1 thru 10.0.0.beta2, and 11.0.0.alpha1 thru 11.0.0.beta2, on Unix-like systems, the system's temporary directory is shared between all users on that system. A collocated user can observe the process of creating a temporary subdirectory in the shared temporary directory and race to complete the creation of the temporary subdirectory. If the attacker wins the race then they will have read and write permission to the subdirectory used to unpack web applications, including their WEB-INF/lib jar files and JSP files. If any code is ever executed out of this temporary directory, this can lead to a local privilege escalation vulnerability.
NVD-CWE-Other

CVSSv2:
  • Base Score: MEDIUM (4.4)
  • Vector: /AV:L/AC:M/Au:N/C:P/I:P/A:P
CVSSv3:
  • Base Score: HIGH (7.0)
  • Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions:

CVE-2021-28169  

For Eclipse Jetty versions <= 9.4.40, <= 10.0.2, <= 11.0.2, it is possible for requests to the ConcatServlet with a doubly encoded path to access protected resources within the WEB-INF directory. For example a request to `/concat?/%2557EB-INF/web.xml` can retrieve the web.xml file. This can reveal sensitive information regarding the implementation of a web application.
NVD-CWE-Other

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSSv3:
  • Base Score: MEDIUM (5.3)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

References:

Vulnerable Software & Versions:

CVE-2021-34428  

For Eclipse Jetty versions <= 9.4.40, <= 10.0.2, <= 11.0.2, if an exception is thrown from the SessionListener#sessionDestroyed() method, then the session ID is not invalidated in the session ID manager. On deployments with clustered sessions and multiple contexts this can result in a session not being invalidated. This can result in an application used on a shared computer being left logged in.
CWE-613 Insufficient Session Expiration

CVSSv2:
  • Base Score: LOW (3.6)
  • Vector: /AV:L/AC:L/Au:N/C:P/I:P/A:N
CVSSv3:
  • Base Score: LOW (3.5)
  • Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

References:

Vulnerable Software & Versions:

CVE-2022-2047  

In Eclipse Jetty versions 9.4.0 thru 9.4.46, 10.0.0 thru 10.0.9, and 11.0.0 thru 11.0.9, when parsing the authority segment of an http scheme URI, the Jetty HttpURI class improperly detects an invalid input as a hostname. This can lead to failures in a Proxy scenario.
CWE-20 Improper Input Validation

CVSSv2:
  • Base Score: MEDIUM (4.0)
  • Vector: /AV:N/AC:L/Au:S/C:N/I:P/A:N
CVSSv3:
  • Base Score: LOW (2.7)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N

References:

Vulnerable Software & Versions:

spark-core_2.11-2.4.5.jar

File Path: /root/.m2/repository/org/apache/spark/spark-core_2.11/2.4.5/spark-core_2.11-2.4.5.jar
MD5: ad5d86f1bff0981cd9e18ed4a13c0935
SHA1: 8f658b9b71ad2ea211fa09296ae88645109ea8d8
SHA256: 671aed5ec24f5e57ca0dd596d20d2f44508c549702b5698ec18cb4da444f0d7e
Referenced In Projects/Scopes:
  • livy-scala-api_2.11:provided
  • livy-scala-api-parent:provided
  • livy-rsc:provided
  • livy-repl-parent:provided
  • livy-test-lib:provided
  • livy-repl_2.11:provided
  • livy-examples:compile
  • livy-api:provided

Identifiers

CVE-2018-17190  

In all versions of Apache Spark, its standalone resource manager accepts code to execute on a 'master' host, that then runs that code on 'worker' hosts. The master itself does not, by design, execute user code. A specially-crafted request to the master can, however, cause the master to execute code too. Note that this does not affect standalone clusters with authentication enabled. While the master host typically has less outbound access to other resources than a worker, the execution of code on the master is nevertheless unexpected.
NVD-CWE-noinfo

CVSSv2:
  • Base Score: HIGH (7.5)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions:

CVE-2020-9480  

In Apache Spark 2.4.5 and earlier, a standalone resource manager's master may be configured to require authentication (spark.authenticate) via a shared secret. When enabled, however, a specially-crafted RPC to the master can succeed in starting an application's resources on the Spark cluster, even without the shared key. This can be leveraged to execute shell commands on the host machine. This does not affect Spark clusters using other resource managers (YARN, Mesos, etc.).
CWE-306 Missing Authentication for Critical Function

CVSSv2:
  • Base Score: HIGH (9.3)
  • Vector: /AV:N/AC:M/Au:N/C:C/I:C/A:C
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions:

CVE-2022-33891  

The Apache Spark UI offers the possibility to enable ACLs via the configuration option spark.acls.enable. With an authentication filter, this checks whether a user has access permissions to view or modify the application. If ACLs are enabled, a code path in HttpSecurityFilter can allow someone to perform impersonation by providing an arbitrary user name. A malicious user might then be able to reach a permission check function that will ultimately build a Unix shell command based on their input, and execute it. This will result in arbitrary shell command execution as the user Spark is currently running as. This affects Apache Spark versions 3.0.3 and earlier, versions 3.1.1 to 3.1.2, and versions 3.2.0 to 3.2.1.
CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')

CVSSv3:
  • Base Score: HIGH (8.8)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions:

CVE-2018-11804  

Spark's Apache Maven-based build includes a convenience script, 'build/mvn', that downloads and runs a zinc server to speed up compilation. It has been included in release branches since 1.3.x, up to and including master. This server will accept connections from external hosts by default. A specially-crafted request to the zinc server could cause it to reveal information in files readable to the developer account running the build. Note that this issue does not affect end users of Spark, only developers building Spark from source code.
CWE-20 Improper Input Validation

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

References:

Vulnerable Software & Versions:

CVE-2021-38296  

Apache Spark supports end-to-end encryption of RPC connections via "spark.authenticate" and "spark.network.crypto.enabled". In versions 3.1.2 and earlier, it uses a bespoke mutual authentication protocol that allows for full encryption key recovery. After an initial interactive attack, this would allow someone to decrypt plaintext traffic offline. Note that this does not affect security mechanisms controlled by "spark.authenticate.enableSaslEncryption", "spark.io.encryption.enabled", "spark.ssl", "spark.ui.strictTransportSecurity". Update to Apache Spark 3.1.3 or later.
CWE-294 Authentication Bypass by Capture-replay

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

References:

Vulnerable Software & Versions:

CVE-2022-31777  

A stored cross-site scripting (XSS) vulnerability in Apache Spark 3.2.1 and earlier, and 3.3.0, allows remote attackers to execute arbitrary JavaScript in the web browser of a user, by including a malicious payload into the logs which would be returned in logs rendered in the UI.
CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

CVSSv3:
  • Base Score: MEDIUM (5.4)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

References:

Vulnerable Software & Versions:

CVE-2018-11770  

From version 1.3.0 onward, Apache Spark's standalone master exposes a REST API for job submission, in addition to the submission mechanism used by spark-submit. In standalone, the config property 'spark.authenticate.secret' establishes a shared secret for authenticating requests to submit jobs via spark-submit. However, the REST API does not use this or any other authentication mechanism, and this is not adequately documented. In this case, a user would be able to run a driver program without authenticating, but not launch executors, using the REST API. This REST API is also used by Mesos, when set up to run in cluster mode (i.e., when also running MesosClusterDispatcher), for job submission. Future versions of Spark will improve documentation on these points, and prohibit setting 'spark.authenticate.secret' when running the REST APIs, to make this clear. Future versions will also disable the REST API by default in the standalone master by changing the default value of 'spark.master.rest.enabled' to 'false'.
CWE-287 Improper Authentication

CVSSv2:
  • Base Score: MEDIUM (4.9)
  • Vector: /AV:N/AC:M/Au:S/C:P/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (4.2)
  • Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N

References:

Vulnerable Software & Versions:

spark-core_2.11-2.4.5.jar: additional-metrics.js

File Path: /root/.m2/repository/org/apache/spark/spark-core_2.11/2.4.5/spark-core_2.11-2.4.5.jar/org/apache/spark/ui/static/additional-metrics.js
MD5: 7fa27b76aeb0681abb2e6fe720669bae
SHA1: 7eb83bced737a22b17115be924b4400b444fdbda
SHA256: c40ff9923a081ba6fcfb125db5237d7e50a03198cae783c2b6aed8abbf8a5eed
Referenced In Projects/Scopes:
  • livy-scala-api_2.12:provided
  • livy-scala-api_2.11:provided
  • livy-scala-api-parent:provided
  • livy-repl_2.12:provided
  • livy-rsc:provided
  • livy-repl-parent:provided
  • livy-test-lib:provided
  • livy-repl_2.11:provided
  • livy-examples:compile
  • livy-api:provided

Identifiers

  • None

spark-core_2.11-2.4.5.jar: bootstrap-tooltip.js

File Path: /root/.m2/repository/org/apache/spark/spark-core_2.11/2.4.5/spark-core_2.11-2.4.5.jar/org/apache/spark/ui/static/bootstrap-tooltip.js
MD5: 709947628312aa8a4abaaf4e164c4f2c
SHA1: f4497d890717ded6be81af60dc211dd5528be2bd
SHA256: 7b4898d4fe0ee9e363ded6e1fd5ea1302c400ccd35590b863c9c7d95de71a652
Referenced In Projects/Scopes:
  • livy-scala-api_2.12:provided
  • livy-scala-api_2.11:provided
  • livy-scala-api-parent:provided
  • livy-repl_2.12:provided
  • livy-rsc:provided
  • livy-repl-parent:provided
  • livy-test-lib:provided
  • livy-repl_2.11:provided
  • livy-examples:compile
  • livy-api:provided

Identifiers

  • None

spark-core_2.11-2.4.5.jar: d3.min.js

File Path: /root/.m2/repository/org/apache/spark/spark-core_2.11/2.4.5/spark-core_2.11-2.4.5.jar/org/apache/spark/ui/static/d3.min.js
MD5: e1b9f89cc778a8c619cde3aea8b6f9d4
SHA1: 71188357fc005e40125b0ad76586c1f4bd53cffd
SHA256: 3d4c7c277efd3bb019ed0aba5d2dfbe575ded9b9055b842997774bee02f2b76a
Referenced In Projects/Scopes:
  • livy-scala-api_2.12:provided
  • livy-scala-api_2.11:provided
  • livy-scala-api-parent:provided
  • livy-repl_2.12:provided
  • livy-rsc:provided
  • livy-repl-parent:provided
  • livy-test-lib:provided
  • livy-repl_2.11:provided
  • livy-examples:compile
  • livy-api:provided

Identifiers

  • None

spark-core_2.11-2.4.5.jar: dagre-d3.min.js

File Path: /root/.m2/repository/org/apache/spark/spark-core_2.11/2.4.5/spark-core_2.11-2.4.5.jar/org/apache/spark/ui/static/dagre-d3.min.js
MD5: 2a602f00fd01dc07a0cb4def2f19850f
SHA1: f7552c9cb333c9dfc81c01149f7c321ed95ae0ef
SHA256: f38a54a35b59d44f359e1ecdbccc457ebae3f37c5448fc007107081d518144a3
Referenced In Projects/Scopes:
  • livy-scala-api_2.12:provided
  • livy-scala-api_2.11:provided
  • livy-scala-api-parent:provided
  • livy-repl_2.12:provided
  • livy-rsc:provided
  • livy-repl-parent:provided
  • livy-test-lib:provided
  • livy-repl_2.11:provided
  • livy-examples:compile
  • livy-api:provided

Identifiers

  • None

spark-core_2.11-2.4.5.jar: dataTables.bootstrap.min.js

File Path: /root/.m2/repository/org/apache/spark/spark-core_2.11/2.4.5/spark-core_2.11-2.4.5.jar/org/apache/spark/ui/static/dataTables.bootstrap.min.js
MD5: 0b47c89e21f255c1dd714c4acf7ff89c
SHA1: a66a9406643303fc2a33d53ab773e0a76ad49f5a
SHA256: a905062b971bfb70ba70dda1a454d9cb7f7389be7ff515f6eb9009c8e697a34b
Referenced In Projects/Scopes:
  • livy-scala-api_2.12:provided
  • livy-scala-api_2.11:provided
  • livy-scala-api-parent:provided
  • livy-repl_2.12:provided
  • livy-rsc:provided
  • livy-repl-parent:provided
  • livy-test-lib:provided
  • livy-repl_2.11:provided
  • livy-examples:compile
  • livy-api:provided

Identifiers

  • None

spark-core_2.11-2.4.5.jar: dataTables.rowsGroup.js

File Path: /root/.m2/repository/org/apache/spark/spark-core_2.11/2.4.5/spark-core_2.11-2.4.5.jar/org/apache/spark/ui/static/dataTables.rowsGroup.js
MD5: 9473e0a904f35fdf0110d912d16d5fb7
SHA1: 195a59175be1992aab636c5c641b405ba0283581
SHA256: 5856c937e4fe8a921364a14de58f406788db336ed9066b3aed897c0ced755c42
Referenced In Projects/Scopes:
  • livy-scala-api_2.12:provided
  • livy-scala-api_2.11:provided
  • livy-scala-api-parent:provided
  • livy-repl_2.12:provided
  • livy-rsc:provided
  • livy-repl-parent:provided
  • livy-test-lib:provided
  • livy-repl_2.11:provided
  • livy-examples:compile
  • livy-api:provided

Identifiers

  • None

spark-core_2.11-2.4.5.jar: executorspage.js

File Path: /root/.m2/repository/org/apache/spark/spark-core_2.11/2.4.5/spark-core_2.11-2.4.5.jar/org/apache/spark/ui/static/executorspage.js
MD5: 8f41b562277b66ed7b1d6228e3f2dd10
SHA1: 911071fffe2a5448fd337c85d860ccf6d8c51d4f
SHA256: 9b639b79d44f8942772a23b1758c23f26fb093172be4c807446ce21f5f28026c
Referenced In Projects/Scopes:
  • livy-scala-api_2.12:provided
  • livy-scala-api_2.11:provided
  • livy-scala-api-parent:provided
  • livy-repl_2.12:provided
  • livy-rsc:provided
  • livy-repl-parent:provided
  • livy-test-lib:provided
  • livy-repl_2.11:provided
  • livy-examples:compile
  • livy-api:provided

Identifiers

  • None

spark-core_2.11-2.4.5.jar: graphlib-dot.min.js

File Path: /root/.m2/repository/org/apache/spark/spark-core_2.11/2.4.5/spark-core_2.11-2.4.5.jar/org/apache/spark/ui/static/graphlib-dot.min.js
MD5: 4c5ef7d11656cbc9c5efa082c2cc171a
SHA1: 197289ce3c78118bdeae5f312f97ed2b76cbd367
SHA256: 668584b1ed5fe082dc65c895d7cf4b4b3f0868758b1bdbaf056905418594a556
Referenced In Projects/Scopes:

  • livy-scala-api_2.12:provided
  • livy-scala-api_2.11:provided
  • livy-scala-api-parent:provided
  • livy-repl_2.12:provided
  • livy-rsc:provided
  • livy-repl-parent:provided
  • livy-test-lib:provided
  • livy-repl_2.11:provided
  • livy-examples:compile
  • livy-api:provided

Identifiers

  • None

spark-core_2.11-2.4.5.jar: historypage-common.js

File Path: /root/.m2/repository/org/apache/spark/spark-core_2.11/2.4.5/spark-core_2.11-2.4.5.jar/org/apache/spark/ui/static/historypage-common.js
MD5: d6dffdb2dd396a5f5f7b979cb94358f6
SHA1: 0b4accc75a43b3cba74d27a2dcc931b3d959cc74
SHA256: ca2aa7c8eb2d8a79ff69d47700f9faa55ea4269a95fdf1ec84f99ca988f7be61
Referenced In Projects/Scopes:

  • livy-scala-api_2.12:provided
  • livy-scala-api_2.11:provided
  • livy-scala-api-parent:provided
  • livy-repl_2.12:provided
  • livy-rsc:provided
  • livy-repl-parent:provided
  • livy-test-lib:provided
  • livy-repl_2.11:provided
  • livy-examples:compile
  • livy-api:provided

Identifiers

  • None

spark-core_2.11-2.4.5.jar: historypage.js

File Path: /root/.m2/repository/org/apache/spark/spark-core_2.11/2.4.5/spark-core_2.11-2.4.5.jar/org/apache/spark/ui/static/historypage.js
MD5: d9ffb809062db9c75b59c8c71ca0a41d
SHA1: e58e27b549ddf1963c4fc89e00e59964fba729c4
SHA256: 9a4fd5cf9b9ab32b55ea2fd35e2e121c894109785abe3ab3b1503908558227e6
Referenced In Projects/Scopes:

  • livy-scala-api_2.12:provided
  • livy-scala-api_2.11:provided
  • livy-scala-api-parent:provided
  • livy-repl_2.12:provided
  • livy-rsc:provided
  • livy-repl-parent:provided
  • livy-test-lib:provided
  • livy-repl_2.11:provided
  • livy-examples:compile
  • livy-api:provided

Identifiers

  • None

spark-core_2.11-2.4.5.jar: initialize-tooltips.js

File Path: /root/.m2/repository/org/apache/spark/spark-core_2.11/2.4.5/spark-core_2.11-2.4.5.jar/org/apache/spark/ui/static/initialize-tooltips.js
MD5: a7d09087f6ad4fb363268e35875c039d
SHA1: 5a3e6fade32d14c4607fabd6c3c687055aeb83d2
SHA256: a1accf33abb4abb4a65359b042db1c6afd92e437aa7cd08cb914590f5dd92c88
Referenced In Projects/Scopes:

  • livy-scala-api_2.12:provided
  • livy-scala-api_2.11:provided
  • livy-scala-api-parent:provided
  • livy-repl_2.12:provided
  • livy-rsc:provided
  • livy-repl-parent:provided
  • livy-test-lib:provided
  • livy-repl_2.11:provided
  • livy-examples:compile
  • livy-api:provided

Identifiers

  • None

spark-core_2.11-2.4.5.jar: jquery-1.12.4.min.js

File Path: /root/.m2/repository/org/apache/spark/spark-core_2.11/2.4.5/spark-core_2.11-2.4.5.jar/org/apache/spark/ui/static/jquery-1.12.4.min.js
MD5: 4f252523d4af0b478c810c2547a63e19
SHA1: 5a9dcfbef655a2668e78baebeaa8dc6f41d8dabb
SHA256: 668b046d12db350ccba6728890476b3efee53b2f42dbb84743e5e9f1ae0cc404
Referenced In Projects/Scopes:

  • livy-scala-api_2.12:provided
  • livy-scala-api_2.11:provided
  • livy-scala-api-parent:provided
  • livy-repl_2.12:provided
  • livy-rsc:provided
  • livy-repl-parent:provided
  • livy-test-lib:provided
  • livy-repl_2.11:provided
  • livy-examples:compile
  • livy-api:provided

Identifiers

CVE-2015-9251

jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (6.1)
  • Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

References:

Vulnerable Software & Versions (NVD):

  • cpe:2.3:a:jquery:jquery:*:*:*:*:*:*:*:* versions up to (excluding) 3.0.0
  • cpe:2.3:a:oracle:agile_product_lifecycle_management_for_process:6.2.0.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:agile_product_lifecycle_management_for_process:6.2.1.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:agile_product_lifecycle_management_for_process:6.2.2.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:agile_product_lifecycle_management_for_process:6.2.3.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:agile_product_lifecycle_management_for_process:6.2.3.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:banking_platform:2.6.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:banking_platform:2.6.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:banking_platform:2.6.2:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:business_process_management_suite:11.1.1.9.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:business_process_management_suite:12.1.3.0.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:business_process_management_suite:12.2.1.3.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_converged_application_server:*:*:*:*:*:*:*:* versions up to (excluding) 7.0.0.1
  • cpe:2.3:a:oracle:communications_interactive_session_recorder:6.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_interactive_session_recorder:6.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_interactive_session_recorder:6.2:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_services_gatekeeper:*:*:*:*:*:*:*:* versions up to (excluding) 6.1.0.4.0
  • cpe:2.3:a:oracle:communications_webrtc_session_controller:*:*:*:*:*:*:*:* versions up to (excluding) 7.2
  • cpe:2.3:a:oracle:endeca_information_discovery_studio:3.1.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:endeca_information_discovery_studio:3.2.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:enterprise_manager_ops_center:12.2.2:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:enterprise_manager_ops_center:12.3.3:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:enterprise_operations_monitor:3.4:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:enterprise_operations_monitor:4.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:*:*:*:*:*:*:*:* versions from (including) 7.3.3; versions up to (including) 7.3.5
  • cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:*:*:*:*:*:*:*:* versions from (including) 8.0.0; versions up to (including) 8.0.7
  • cpe:2.3:a:oracle:financial_services_asset_liability_management:*:*:*:*:*:*:*:* versions from (including) 8.0.4; versions up to (including) 8.0.7
  • cpe:2.3:a:oracle:financial_services_data_integration_hub:*:*:*:*:*:*:*:* versions from (including) 8.0.5; versions up to (including) 8.0.7
  • cpe:2.3:a:oracle:financial_services_funds_transfer_pricing:*:*:*:*:*:*:*:* versions from (including) 8.0.4; versions up to (including) 8.0.7
  • cpe:2.3:a:oracle:financial_services_hedge_management_and_ifrs_valuations:*:*:*:*:*:*:*:* versions from (including) 8.0.4; versions up to (including) 8.0.7
  • cpe:2.3:a:oracle:financial_services_liquidity_risk_management:*:*:*:*:*:*:*:* versions from (including) 8.0.2; versions up to (including) 8.0.6
  • cpe:2.3:a:oracle:financial_services_loan_loss_forecasting_and_provisioning:*:*:*:*:*:*:*:* versions from (including) 8.0.2; versions up to (including) 8.0.7
  • cpe:2.3:a:oracle:financial_services_market_risk_measurement_and_management:8.0.5:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_market_risk_measurement_and_management:8.0.6:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_profitability_management:*:*:*:*:*:*:*:* versions from (including) 8.0.4; versions up to (including) 8.0.6
  • cpe:2.3:a:oracle:financial_services_reconciliation_framework:8.0.5:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_reconciliation_framework:8.0.6:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:fusion_middleware_mapviewer:12.2.1.3.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:healthcare_foundation:7.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:healthcare_foundation:7.2:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:healthcare_translational_research:3.1.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:hospitality_cruise_fleet_management:9.0.11:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:hospitality_guest_access:4.2.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:hospitality_guest_access:4.2.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:hospitality_materials_control:18.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:hospitality_reporting_and_analytics:9.1.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:insurance_insbridge_rating_and_underwriting:5.2:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:insurance_insbridge_rating_and_underwriting:5.4:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:insurance_insbridge_rating_and_underwriting:5.5:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools:9.2:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:jdeveloper:11.1.1.9.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:jdeveloper:12.1.3.0.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:jdeveloper:12.2.1.3.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:oss_support_tools:19.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.55:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.56:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.57:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:primavera_gateway:15.2:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:primavera_gateway:16.2:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:primavera_gateway:17.12:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:primavera_unifier:*:*:*:*:*:*:*:* versions from (including) 17.1; versions up to (including) 17.12
  • cpe:2.3:a:oracle:primavera_unifier:16.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:primavera_unifier:16.2:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:primavera_unifier:18.8:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:real-time_scheduler:2.3.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:retail_allocation:15.0.2:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:retail_customer_insights:15.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:retail_customer_insights:16.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:retail_invoice_matching:15.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:retail_sales_audit:15.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:retail_workforce_management_software:1.60.9:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:retail_workforce_management_software:1.64.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:service_bus:12.1.3.0.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:service_bus:12.2.1.3.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:siebel_ui_framework:18.10:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:siebel_ui_framework:18.11:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:utilities_framework:*:*:*:*:*:*:*:* versions from (including) 4.3.0.1; versions up to (including) 4.3.0.4
  • cpe:2.3:a:oracle:utilities_mobile_workforce_management:2.3.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:webcenter_sites:11.1.1.8.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:weblogic_server:12.1.3.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:weblogic_server:12.2.1.3:*:*:*:*:*:*:*

CVE-2019-11358

jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable __proto__ property, it could extend the native Object.prototype.
CWE-1321 Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (6.1)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

References:

Vulnerable Software & Versions (NVD):

  • cpe:2.3:a:backdropcms:backdrop:*:*:*:*:*:*:*:* versions from (including) 1.11.0; versions up to (excluding) 1.11.9
  • cpe:2.3:a:backdropcms:backdrop:*:*:*:*:*:*:*:* versions from (including) 1.12.0; versions up to (excluding) 1.12.6
  • cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:* versions from (including) 7.0; versions up to (excluding) 7.66
  • cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:* versions from (including) 8.5.0; versions up to (excluding) 8.5.15
  • cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:* versions from (including) 8.6.0; versions up to (excluding) 8.6.15
  • cpe:2.3:a:joomla:joomla\!:*:*:*:*:*:*:*:* versions from (including) 3.0.0; versions up to (including) 3.9.4
  • cpe:2.3:a:jquery:jquery:*:*:*:*:*:*:*:* versions up to (excluding) 3.4.0
  • cpe:2.3:a:netapp:oncommand_system_manager:*:*:*:*:*:*:*:* versions from (including) 3.0; versions up to (including) 3.1.3
  • cpe:2.3:a:netapp:snapcenter:-:*:*:*:*:*:*:*
  • cpe:2.3:a:opensuse:backports_sle:15.0:sp1:*:*:*:*:*:*
  • cpe:2.3:a:oracle:agile_product_lifecycle_management_for_process:6.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:agile_product_lifecycle_management_for_process:6.2.0.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:agile_product_lifecycle_management_for_process:6.2.1.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:agile_product_lifecycle_management_for_process:6.2.2.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:agile_product_lifecycle_management_for_process:6.2.3.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:application_express:*:*:*:*:*:*:*:* versions up to (excluding) 19.1
  • cpe:2.3:a:oracle:application_service_level_management:13.2.0.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:application_service_level_management:13.3.0.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:application_testing_suite:12.5.0.3:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:application_testing_suite:13.1.0.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:application_testing_suite:13.2:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:application_testing_suite:13.2.0.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:application_testing_suite:13.3:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:application_testing_suite:13.3.0.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:banking_digital_experience:18.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:banking_digital_experience:18.2:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:banking_digital_experience:18.3:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:banking_digital_experience:19.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:banking_digital_experience:19.2:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:banking_digital_experience:20.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:banking_enterprise_collections:*:*:*:*:*:*:*:* versions from (including) 2.7.0; versions up to (including) 2.8.0
  • cpe:2.3:a:oracle:banking_platform:*:*:*:*:*:*:*:* versions from (including) 2.4.0; versions up to (including) 2.10.0
  • cpe:2.3:a:oracle:bi_publisher:5.5.0.0.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:bi_publisher:12.2.1.3.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:bi_publisher:12.2.1.4.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:big_data_discovery:1.6:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:business_process_management_suite:12.2.1.3.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:business_process_management_suite:12.2.1.4.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_analytics:12.1.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_application_session_controller:3.8m0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_billing_and_revenue_management:7.5:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_billing_and_revenue_management:7.5.0.23.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_billing_and_revenue_management:12.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_billing_and_revenue_management:12.0.0.3.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_diameter_signaling_router:8.0.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_diameter_signaling_router:8.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_diameter_signaling_router:8.2:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_diameter_signaling_router:8.2.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_eagle_application_processor:*:*:*:*:*:*:*:* versions from (including) 16.1.0; versions up to (including) 16.4.0
  • cpe:2.3:a:oracle:communications_element_manager:8.1.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_element_manager:8.2.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_element_manager:8.2.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_interactive_session_recorder:*:*:*:*:*:*:*:* versions from (including) 6.0; versions up to (including) 6.4
  • cpe:2.3:a:oracle:communications_operations_monitor:*:*:*:*:*:*:*:* versions from (including) 4.1; versions up to (including) 4.3
  • cpe:2.3:a:oracle:communications_operations_monitor:3.4:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_operations_monitor:4.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_operations_monitor:4.1.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_services_gatekeeper:7.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_session_report_manager:8.1.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_session_report_manager:8.2.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_session_report_manager:8.2.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_session_route_manager:8.1.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_session_route_manager:8.2.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_session_route_manager:8.2.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_unified_inventory_management:7.3:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_unified_inventory_management:7.4.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_webrtc_session_controller:7.2:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:diagnostic_assistant:2.12.36:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:enterprise_manager_ops_center:12.3.3:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:enterprise_manager_ops_center:12.4.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:enterprise_manager_ops_center:12.4.0.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:enterprise_session_border_controller:8.4:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:*:*:*:*:*:*:*:* versions from (including) 7.3.3; versions up to (including) 7.3.5
  • cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:*:*:*:*:*:*:*:* versions from (including) 8.0.2; versions up to (including) 8.1.0
  • cpe:2.3:a:oracle:financial_services_analytical_applications_reconciliation_framework:*:*:*:*:*:*:*:* versions from (including) 8.0.4; versions up to (including) 8.0.7
  • cpe:2.3:a:oracle:financial_services_analytical_applications_reconciliation_framework:8.1.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_asset_liability_management:*:*:*:*:*:*:*:* versions from (including) 8.0.4; versions up to (including) 8.0.7
  • cpe:2.3:a:oracle:financial_services_asset_liability_management:8.1.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_balance_sheet_planning:8.0.8:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_basel_regulatory_capital_basic:*:*:*:*:*:*:*:* versions from (including) 8.0.4; versions up to (including) 8.0.7
  • cpe:2.3:a:oracle:financial_services_basel_regulatory_capital_basic:8.1.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_basel_regulatory_capital_internal_ratings_based_approach:*:*:*:*:*:*:*:* versions from (including) 8.0.4; versions up to (including) 8.0.7
  • cpe:2.3:a:oracle:financial_services_basel_regulatory_capital_internal_ratings_based_approach:8.1.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_data_foundation:*:*:*:*:*:*:*:* versions from (including) 8.0.4; versions up to (including) 8.0.8
  • cpe:2.3:a:oracle:financial_services_data_governance_for_us_regulatory_reporting:*:*:*:*:*:*:*:* versions from (including) 8.0.6; versions up to (including) 8.0.9
  • cpe:2.3:a:oracle:financial_services_data_integration_hub:*:*:*:*:*:*:*:* versions from (including) 8.0.5; versions up to (including) 8.0.7
  • cpe:2.3:a:oracle:financial_services_data_integration_hub:8.1.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_enterprise_financial_performance_analytics:8.0.6:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_enterprise_financial_performance_analytics:8.0.7:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_funds_transfer_pricing:*:*:*:*:*:*:*:* versions from (including) 8.0.4; versions up to (including) 8.0.7
  • cpe:2.3:a:oracle:financial_services_funds_transfer_pricing:8.1.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_hedge_management_and_ifrs_valuations:*:*:*:*:*:*:*:* versions from (including) 8.0.4; versions up to (including) 8.0.7
  • cpe:2.3:a:oracle:financial_services_hedge_management_and_ifrs_valuations:8.1.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_institutional_performance_analytics:*:*:*:*:*:*:*:* versions from (including) 8.0.4; versions up to (including) 8.0.7
  • cpe:2.3:a:oracle:financial_services_institutional_performance_analytics:8.1.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_liquidity_risk_management:8.0.0.1.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_liquidity_risk_management:8.0.2:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_liquidity_risk_management:8.0.4.0.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_liquidity_risk_management:8.0.5.0.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_liquidity_risk_management:8.0.6:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_liquidity_risk_measurement_and_management:8.0.7:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_liquidity_risk_measurement_and_management:8.0.8:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_liquidity_risk_measurement_and_management:8.1.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_loan_loss_forecasting_and_provisioning:*:*:*:*:*:*:*:* versions from (including) 8.0.2; versions up to (including) 8.0.7
  • cpe:2.3:a:oracle:financial_services_loan_loss_forecasting_and_provisioning:8.1.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_market_risk_measurement_and_management:8.0.5:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_market_risk_measurement_and_management:8.0.6:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_market_risk_measurement_and_management:8.0.8:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_price_creation_and_discovery:*:*:*:*:*:*:*:* versions from (including) 8.0.4; versions up to (including) 8.0.7
  • cpe:2.3:a:oracle:financial_services_profitability_management:*:*:*:*:*:*:*:* versions from (including) 8.0.4; versions up to (including) 8.0.7
  • cpe:2.3:a:oracle:financial_services_profitability_management:8.1.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_regulatory_reporting_for_de_nederlandsche_bank:8.0.4:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_regulatory_reporting_for_european_banking_authority:8.0.6:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_regulatory_reporting_for_european_banking_authority:8.0.7:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_regulatory_reporting_for_us_federal_reserve:*:*:*:*:*:*:*:* versions from (including) 8.0.4; versions up to (including) 8.0.7
  • cpe:2.3:a:oracle:financial_services_retail_customer_analytics:*:*:*:*:*:*:*:* versions from (including) 8.0.4; versions up to (including) 8.0.6
  • cpe:2.3:a:oracle:financial_services_retail_performance_analytics:8.0.6:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_retail_performance_analytics:8.0.7:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_revenue_management_and_billing:2.4.0.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_revenue_management_and_billing:2.4.0.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:fusion_middleware_mapviewer:12.2.1.3.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:healthcare_foundation:7.1.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:healthcare_foundation:7.2.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:healthcare_foundation:7.2.2:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:healthcare_foundation:7.3.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:healthcare_translational_research:3.1.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:healthcare_translational_research:3.2.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:healthcare_translational_research:3.3.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:healthcare_translational_research:3.3.2:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:healthcare_translational_research:3.4.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:hospitality_guest_access:4.2.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:hospitality_guest_access:4.2.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:hospitality_materials_control:18.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:hospitality_simphony:*:*:*:*:*:*:*:* versions from (including) 19.1.0; versions up to (including) 19.1.2
  • cpe:2.3:a:oracle:hospitality_simphony:18.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:hospitality_simphony:18.2:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:identity_manager:12.2.1.3.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:insurance_accounting_analyzer:8.0.9:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:insurance_allocation_manager_for_enterprise_profitability:8.0.8:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:insurance_allocation_manager_for_enterprise_profitability:8.1.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:insurance_data_foundation:*:*:*:*:*:*:*:* versions from (including) 8.0.4; versions up to (including) 8.0.7
  • cpe:2.3:a:oracle:insurance_ifrs_17_analyzer:8.0.6:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:insurance_ifrs_17_analyzer:8.0.7:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:insurance_insbridge_rating_and_underwriting:*:*:*:*:*:*:*:* versions from (including) 5.0.0.0; versions up to (including) 5.6.0.0
  • cpe:2.3:a:oracle:insurance_insbridge_rating_and_underwriting:5.6.1.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:insurance_performance_insight:8.0.7:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools:9.2:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:jdeveloper:11.1.1.9.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:jdeveloper:12.2.1.3.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:jdeveloper:12.2.1.4.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:jdeveloper_and_adf:11.1.1.9.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:jdeveloper_and_adf:12.1.3.0.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:jdeveloper_and_adf:12.2.1.3.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:knowledge:*:*:*:*:*:*:*:* versions from (including) 8.6.0; versions up to (including) 8.6.3
  • cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.55:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.56:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.57:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.58:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:policy_automation:*:*:*:*:*:*:*:* versions from (including) 12.2.0; versions up to (including) 12.2.15
  • cpe:2.3:a:oracle:policy_automation:10.4.7:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:policy_automation:12.1.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:policy_automation:12.1.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:policy_automation_connector_for_siebel:10.4.6:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:policy_automation_for_mobile_devices:*:*:*:*:*:*:*:* versions from (including) 12.2.0; versions up to (including) 12.2.15
  • cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:* versions from (including) 16.2.0; versions up to (including) 16.2.11
  • cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:* versions from (including) 17.12.0; versions up to (including) 17.12.7
  • cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:* versions from (including) 18.8.0; versions up to (including) 18.8.9
  • cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:* versions from (including) 19.12.0; versions up to (including) 19.12.4
  • cpe:2.3:a:oracle:primavera_gateway:15.2.18:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:primavera_unifier:*:*:*:*:*:*:*:* versions from (including) 17.7; versions up to (including) 17.12
  • cpe:2.3:a:oracle:primavera_unifier:16.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:primavera_unifier:16.2:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:primavera_unifier:18.8:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:real-time_scheduler:*:*:*:*:*:*:*:* versions from (including) 2.3.0.1; versions up to (including) 2.3.0.3
  • cpe:2.3:a:oracle:rest_data_services:18c:*:*:*:-:*:*:*
  • cpe:2.3:a:oracle:rest_data_services:19c:*:*:*:-:*:*:*
  • cpe:2.3:a:oracle:rest_data_services:11.2.0.4:*:*:*:-:*:*:*
  • cpe:2.3:a:oracle:rest_data_services:12.1.0.2:*:*:*:-:*:*:*
  • cpe:2.3:a:oracle:rest_data_services:12.2.0.1:*:*:*:-:*:*:*
  • cpe:2.3:a:oracle:retail_back_office:14.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:retail_back_office:14.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:retail_central_office:14.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:retail_central_office:14.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:retail_customer_insights:15.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:retail_customer_insights:16.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:retail_customer_management_and_segmentation_foundation:18.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:retail_customer_management_and_segmentation_foundation:19.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:retail_point-of-service:14.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:retail_point-of-service:14.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:retail_returns_management:14.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:retail_returns_management:14.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:service_bus:11.1.1.9.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:service_bus:12.1.3.0.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:service_bus:12.2.1.3.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:siebel_mobile_applications:*:*:*:*:*:*:*:* versions up to (including) 19.8
  • cpe:2.3:a:oracle:siebel_ui_framework:20.8:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:storagetek_tape_analytics_sw_tool:2.3.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:system_utilities:19.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:tape_library_acsls:8.5:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:tape_library_acsls:8.5.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:transportation_management:1.4.3:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:utilities_mobile_workforce_management:*:*:*:*:*:*:*:* versions from (including) 2.3.0.1; versions up to (including) 2.3.0.3
  • cpe:2.3:a:oracle:webcenter_sites:12.2.1.3.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:weblogic_server:10.3.6.0.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:weblogic_server:12.1.3.0.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:weblogic_server:12.2.1.3.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:weblogic_server:12.2.1.4.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:weblogic_server:14.1.1.0.0:*:*:*:*:*:*:*
  • cpe:2.3:a:redhat:cloudforms:4.7:*:*:*:*:*:*:*
  • cpe:2.3:a:redhat:virtualization_manager:4.3:*:*:*:*:*:*:*

CVE-2020-11022

In jQuery versions greater than or equal to 1.2 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (6.1)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

References:

Vulnerable Software & Versions (NVD):

  • cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:* versions from (including) 7.0; versions up to (excluding) 7.70
  • cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:* versions from (including) 8.7.0; versions up to (excluding) 8.7.14
  • cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:* versions from (including) 8.8.0; versions up to (excluding) 8.8.6
  • cpe:2.3:a:jquery:jquery:*:*:*:*:*:*:*:* versions from (including) 1.2; versions up to (excluding) 3.5.0
  • cpe:2.3:a:netapp:max_data:-:*:*:*:*:*:*:*
  • cpe:2.3:a:netapp:oncommand_insight:-:*:*:*:*:*:*:*
  • cpe:2.3:a:netapp:oncommand_system_manager:*:*:*:*:*:*:*:* versions from (including) 3.0; versions up to (including) 3.1.3
  • cpe:2.3:a:netapp:snap_creator_framework:-:*:*:*:*:*:*:*
  • cpe:2.3:a:netapp:snapcenter:-:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:agile_product_lifecycle_management_for_process:6.2.0.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:agile_product_supplier_collaboration_for_process:6.2.0.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:application_testing_suite:13.3.0.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:banking_digital_experience:*:*:*:*:*:*:*:* versions from (including) 18.1; versions up to (including) 20.1
  • cpe:2.3:a:oracle:banking_digital_experience:18.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:banking_digital_experience:18.2:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:banking_digital_experience:18.3:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:banking_digital_experience:19.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:banking_digital_experience:19.2:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:banking_digital_experience:20.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:blockchain_platform:*:*:*:*:*:*:*:* versions up to (excluding) 21.1.2
  • cpe:2.3:a:oracle:communications_application_session_controller:3.8m0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_billing_and_revenue_management:7.5.0.23.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_billing_and_revenue_management:12.0.0.3.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_diameter_signaling_router_idih\::*:*:*:*:*:*:*:* versions from (including) 8.0.0; versions up to (including) 8.2.2
  • cpe:2.3:a:oracle:communications_eagle_application_processor:*:*:*:*:*:*:*:* versions from (including) 16.1.0; versions up to (including) 16.4.0
  • cpe:2.3:a:oracle:communications_services_gatekeeper:7.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_webrtc_session_controller:7.2:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:enterprise_manager_ops_center:12.4.0.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:enterprise_session_border_controller:8.4:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:*:*:*:*:*:*:*:* versions from (including) 8.0.6; versions up to (including) 8.1.0
  • cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:*:*:*:*:*:*:*:* versions from (including) 8.0.6.0.0; versions up to (including) 8.1.0.0.0
  • cpe:2.3:a:oracle:financial_services_analytical_applications_reconciliation_framework:*:*:*:*:*:*:*:* versions from (including) 8.0.6; versions up to (including) 8.0.8
  • cpe:2.3:a:oracle:financial_services_analytical_applications_reconciliation_framework:8.1.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_asset_liability_management:8.0.6:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_asset_liability_management:8.0.7:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_asset_liability_management:8.1.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_balance_sheet_planning:8.0.8:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_basel_regulatory_capital_basic:*:*:*:*:*:*:*:* versions from (including) 8.0.6; versions up to (including) 8.0.8
  • cpe:2.3:a:oracle:financial_services_basel_regulatory_capital_basic:8.1.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_basel_regulatory_capital_internal_ratings_based_approach:*:*:*:*:*:*:*:* versions from (including) 8.0.6; versions up to (including) 8.0.8
  • cpe:2.3:a:oracle:financial_services_basel_regulatory_capital_internal_ratings_based_approach:8.1.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_data_foundation:*:*:*:*:*:*:*:* versions from (including) 8.0.6; versions up to (including) 8.1.0
  • cpe:2.3:a:oracle:financial_services_data_governance_for_us_regulatory_reporting:*:*:*:*:*:*:*:* versions from (including) 8.0.6; versions up to (including) 8.0.9
  • cpe:2.3:a:oracle:financial_services_data_integration_hub:8.0.6:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_data_integration_hub:8.0.7:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_data_integration_hub:8.1.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_funds_transfer_pricing:8.0.6:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_funds_transfer_pricing:8.0.7:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_funds_transfer_pricing:8.1.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_hedge_management_and_ifrs_valuations:*:*:*:*:*:*:*:* versions from (including) 8.0.6; versions up to (including) 8.0.8
  • cpe:2.3:a:oracle:financial_services_hedge_management_and_ifrs_valuations:8.1.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_institutional_performance_analytics:8.0.6:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_institutional_performance_analytics:8.0.7:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_institutional_performance_analytics:8.1.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_liquidity_risk_management:8.0.6:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_liquidity_risk_measurement_and_management:8.0.7:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_liquidity_risk_measurement_and_management:8.0.8:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_liquidity_risk_measurement_and_management:8.1.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_loan_loss_forecasting_and_provisioning:*:*:*:*:*:*:*:* versions from (including) 8.0.6; versions up to (including) 8.0.8
  • cpe:2.3:a:oracle:financial_services_loan_loss_forecasting_and_provisioning:8.1.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_market_risk_measurement_and_management:8.0.6:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_market_risk_measurement_and_management:8.0.8:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_price_creation_and_discovery:8.0.6:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_price_creation_and_discovery:8.0.7:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_profitability_management:8.0.6:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_profitability_management:8.0.7:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_profitability_management:8.1.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_regulatory_reporting_for_european_banking_authority:*:*:*:*:*:*:*:* versions from (including) 8.0.6; versions up to (including) 8.1.0
  • cpe:2.3:a:oracle:financial_services_regulatory_reporting_for_us_federal_reserve:*:*:*:*:*:*:*:* versions from (including) 8.0.6; versions up to (including) 8.0.9
  • cpe:2.3:a:oracle:healthcare_foundation:7.1.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:healthcare_foundation:7.2.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:healthcare_foundation:7.2.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:healthcare_foundation:7.3.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:hospitality_materials_control:18.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:hospitality_simphony:*:*:*:*:*:*:*:* versions from (including) 19.1.0; versions up to (including) 19.1.2
  • cpe:2.3:a:oracle:hospitality_simphony:18.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:hospitality_simphony:18.2:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:hospitality_simphony:19.1.0-19.1.2:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:insurance_accounting_analyzer:8.0.9:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:insurance_allocation_manager_for_enterprise_profitability:8.0.8:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:insurance_allocation_manager_for_enterprise_profitability:8.1.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:insurance_data_foundation:*:*:*:*:*:*:*:* versions from (including) 8.0.6; versions up to (including) 8.1.0
  • cpe:2.3:a:oracle:insurance_data_foundation:8.0.6-8.1.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:insurance_insbridge_rating_and_underwriting:*:*:*:*:*:*:*:* versions from (including) 5.0.0.0; versions up to (including) 5.6.0.0
  • cpe:2.3:a:oracle:insurance_insbridge_rating_and_underwriting:5.6.1.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:jdeveloper:11.1.1.9.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:jdeveloper:12.2.1.3.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:jdeveloper:12.2.1.4.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.56:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.57:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.58:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:policy_automation:*:*:*:*:*:*:*:* versions from (including) 12.2.0; versions up to (including) 12.2.20
  • cpe:2.3:a:oracle:policy_automation_connector_for_siebel:10.4.6:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:policy_automation_for_mobile_devices:*:*:*:*:*:*:*:* versions from (including) 12.2.0; versions up to (including) 12.2.20
  • cpe:2.3:a:oracle:retail_back_office:14.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:retail_back_office:14.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:retail_customer_management_and_segmentation_foundation:19.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:retail_returns_management:14.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:retail_returns_management:14.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:siebel_ui_framework:20.8:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:storagetek_acsls:8.5.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:weblogic_server:10.3.6.0.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:weblogic_server:12.1.3.0.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:weblogic_server:12.2.1.3.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:weblogic_server:12.2.1.4.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:weblogic_server:14.1.1.0.0:*:*:*:*:*:*:*
  • cpe:2.3:a:tenable:log_correlation_engine:*:*:*:*:*:*:*:* versions up to (excluding) 6.0.9

CVE-2020-11023  

In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing <option> elements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (6.1)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

References:

Vulnerable Software & Versions (NVD):

  • cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:* versions from (including) 7.0; versions up to (excluding) 7.70
  • cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:* versions from (including) 8.7.0; versions up to (excluding) 8.7.14
  • cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:* versions from (including) 8.8.0; versions up to (excluding) 8.8.6
  • cpe:2.3:a:jquery:jquery:*:*:*:*:*:*:*:* versions from (including) 1.0.3; versions up to (excluding) 3.5.0
  • cpe:2.3:a:netapp:max_data:-:*:*:*:*:*:*:*
  • cpe:2.3:a:netapp:oncommand_insight:-:*:*:*:*:*:*:*
  • cpe:2.3:a:netapp:oncommand_system_manager:*:*:*:*:*:*:*:* versions from (including) 3.0; versions up to (including) 3.1.3
  • cpe:2.3:a:netapp:snap_creator_framework:-:*:*:*:*:*:*:*
  • cpe:2.3:a:netapp:snapcenter_server:-:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:application_express:*:*:*:*:*:*:*:* versions up to (excluding) 20.2
  • cpe:2.3:a:oracle:application_testing_suite:13.3.0.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:banking_enterprise_collections:*:*:*:*:*:*:*:* versions from (including) 2.7.0; versions up to (including) 2.8.0
  • cpe:2.3:a:oracle:banking_platform:*:*:*:*:*:*:*:* versions from (including) 2.4.0; versions up to (including) 2.10.0
  • cpe:2.3:a:oracle:communications_analytics:12.1.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_eagle_application_processor:*:*:*:*:*:*:*:* versions from (including) 16.1.0; versions up to (including) 16.4.0
  • cpe:2.3:a:oracle:communications_element_manager:8.1.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_element_manager:8.2.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_element_manager:8.2.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_interactive_session_recorder:*:*:*:*:*:*:*:* versions from (including) 6.1; versions up to (including) 6.4
  • cpe:2.3:a:oracle:communications_operations_monitor:*:*:*:*:*:*:*:* versions from (including) 4.1; versions up to (including) 4.3
  • cpe:2.3:a:oracle:communications_operations_monitor:3.4:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_services_gatekeeper:7.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_session_report_manager:8.1.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_session_report_manager:8.2.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_session_report_manager:8.2.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_session_route_manager:8.1.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_session_route_manager:8.2.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_session_route_manager:8.2.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_regulatory_reporting_for_de_nederlandsche_bank:8.0.4:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_revenue_management_and_billing_analytics:2.7:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_revenue_management_and_billing_analytics:2.8:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:health_sciences_inform:6.3.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:healthcare_translational_research:3.2.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:healthcare_translational_research:3.3.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:healthcare_translational_research:3.3.2:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:healthcare_translational_research:3.4.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:hyperion_financial_reporting:11.1.2.4:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:jd_edwards_enterpriseone_orchestrator:*:*:*:*:*:*:*:* versions up to (excluding) 9.2.5.0
  • cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools:*:*:*:*:*:*:*:* versions up to (excluding) 9.2.5.0
  • cpe:2.3:a:oracle:oss_support_tools:*:*:*:*:*:*:*:* versions up to (excluding) 2.12.41
  • cpe:2.3:a:oracle:peoplesoft_enterprise_human_capital_management_resources:9.2:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:* versions from (including) 16.2; versions up to (including) 16.2.11
  • cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:* versions from (including) 17.12.0; versions up to (including) 17.12.7
  • cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:* versions from (including) 18.8.0; versions up to (including) 18.8.9
  • cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:* versions from (including) 19.12.0; versions up to (including) 19.12.4
  • cpe:2.3:a:oracle:rest_data_services:18c:*:*:*:-:*:*:*
  • cpe:2.3:a:oracle:rest_data_services:19c:*:*:*:-:*:*:*
  • cpe:2.3:a:oracle:rest_data_services:11.2.0.4:*:*:*:-:*:*:*
  • cpe:2.3:a:oracle:rest_data_services:12.1.0.2:*:*:*:-:*:*:*
  • cpe:2.3:a:oracle:rest_data_services:12.2.0.1:*:*:*:-:*:*:*
  • cpe:2.3:a:oracle:siebel_mobile:*:*:*:*:*:*:*:* versions up to (including) 20.12
  • cpe:2.3:a:oracle:storagetek_acsls:8.5.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:storagetek_tape_analytics_sw_tool:2.3.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:webcenter_sites:12.2.1.3.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:webcenter_sites:12.2.1.4.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:weblogic_server:12.1.3.0.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:weblogic_server:12.2.1.3.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:weblogic_server:12.2.1.4.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:weblogic_server:14.1.1.0.0:*:*:*:*:*:*:*
  • cpe:2.3:a:tenable:log_correlation_engine:*:*:*:*:*:*:*:* versions up to (excluding) 6.0.9
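The jQuery range above is only actionable once the version actually bundled in spark-core_2.11-2.4.5.jar is known: the report lists the static files by hash, and the plugin files (jquery.blockUI, jquery.dataTables and so on) carry no identifiers of their own. The following Python helper is an added example, not part of this report or of the Spark or Livy projects. It parses a "versions from (including) X; versions up to (excluding) Y" line exactly as printed here, reads the jQuery core banner out of each .js entry under org/apache/spark/ui/static/ and reports whether that version is inside the range. The jar it scans is constructed in memory for the demonstration; its file names and the 1.12.4 version are sample data, not a statement about what Spark 2.4.5 ships.

```python
"""Check the jQuery finding against what the jar actually bundles.

Added example, not part of the Dependency-Check report or of the Spark or Livy
projects.  It parses an NVD range line as printed in the report, reads the
jQuery core banner from each .js entry under org/apache/spark/ui/static/ and
reports whether that version is inside the affected range.  The jar below is
constructed in memory; its file names and the 1.12.4 version are sample data.
"""
import io
import re
import zipfile

CPE_RE = re.compile(r"cpe:2\.3:a:(?P<vendor>[^:]+):(?P<product>[^:]+):(?P<version>[^:]*):")
FROM_RE = re.compile(r"versions from \((including|excluding)\) ([^;\s]+)")
UPTO_RE = re.compile(r"versions up to \((including|excluding)\) ([^;\s]+)")
# jQuery core starts with a banner such as
# "/*! jQuery v1.12.4 | (c) jQuery Foundation | jquery.org/license */"; plugins do not.
JQUERY_BANNER_RE = re.compile(r"/\*!\s*jQuery v(\d+(?:\.\d+)+)")


def version_key(version, width=5):
    """'1.12.4' -> (1, 12, 4, 0, 0): numeric, padded so '3.5' and '3.5.0' compare equal."""
    parts = [int(p) for p in re.findall(r"\d+", version)]
    return tuple(parts + [0] * (width - len(parts)))


def parse_range(line):
    """Turn one 'Vulnerable Software & Versions' line into
    (vendor, product, lower, lower_inclusive, upper, upper_inclusive).
    A CPE carrying an explicit version and no range means exactly that version;
    '*' or '-' with no range matches any version."""
    m = CPE_RE.search(line)
    if not m:
        raise ValueError("no CPE 2.3 name in line: %r" % line)
    vendor, product, exact = m.group("vendor"), m.group("product"), m.group("version")
    lower = upper = None
    lower_inclusive = upper_inclusive = True
    fm = FROM_RE.search(line)
    if fm:
        lower, lower_inclusive = fm.group(2), fm.group(1) == "including"
    um = UPTO_RE.search(line)
    if um:
        upper, upper_inclusive = um.group(2), um.group(1) == "including"
    if exact not in ("", "*", "-") and lower is None and upper is None:
        lower = upper = exact
    return vendor, product, lower, lower_inclusive, upper, upper_inclusive


def is_affected(version, rng):
    """True when `version` lies inside `rng`, honouring including/excluding on each bound."""
    _, _, lower, lower_inclusive, upper, upper_inclusive = rng
    v = version_key(version)
    if lower is not None:
        lo = version_key(lower)
        if v < lo or (v == lo and not lower_inclusive):
            return False
    if upper is not None:
        hi = version_key(upper)
        if v > hi or (v == hi and not upper_inclusive):
            return False
    return True


def jquery_versions_in_jar(jar_bytes, prefix="org/apache/spark/ui/static/"):
    """Map each .js entry under `prefix` to the jQuery core version in its banner, or None.
    Plugin files such as jquery.blockUI.min.js carry no core banner and map to None."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in jar.namelist():
            if name.startswith(prefix) and name.endswith(".js"):
                head = jar.read(name)[:512].decode("utf-8", "replace")
                m = JQUERY_BANNER_RE.search(head)
                found[name] = m.group(1) if m else None
    return found


def triage(jar_bytes, report_line):
    """Return {entry: (version, affected)} for the jQuery core files in the jar."""
    rng = parse_range(report_line)
    return {entry: (ver, is_affected(ver, rng))
            for entry, ver in jquery_versions_in_jar(jar_bytes).items() if ver is not None}


def build_sample_jar():
    """Constructed stand-in for spark-core_2.11-2.4.5.jar; only the banners matter here."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("org/apache/spark/ui/static/jquery-1.12.4.min.js",
                     "/*! jQuery v1.12.4 | (c) jQuery Foundation | jquery.org/license */\n!function(a,b){}();")
        jar.writestr("org/apache/spark/ui/static/jquery.blockUI.min.js",
                     "/*! jQuery blockUI plugin Version 2.70.0 */\n(function(){})();")
        jar.writestr("org/apache/spark/ui/static/sorttable.js", "// plain script, no banner\n")
    return buf.getvalue()


if __name__ == "__main__":
    LINE = ("cpe:2.3:a:jquery:jquery:*:*:*:*:*:*:*:* versions from (including) 1.0.3; "
            "versions up to (excluding) 3.5.0")
    for entry, (ver, hit) in triage(build_sample_jar(), LINE).items():
        print("%s: jQuery %s -> %s" % (entry, ver, "AFFECTED" if hit else "not in range"))
```

Point triage() at the bytes of the real jar from the File Path entries above to get the verdict for the actual artifact: a hit confirms the finding for the jQuery core file, a miss means the jar's own jQuery is outside the range and the line is a candidate for suppression. The plugin files stay at None either way, which matches the "Identifiers: None" entries the report gives them.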

spark-core_2.11-2.4.5.jar: jquery.blockUI.min.js

File Path: /root/.m2/repository/org/apache/spark/spark-core_2.11/2.4.5/spark-core_2.11-2.4.5.jar/org/apache/spark/ui/static/jquery.blockUI.min.js
MD5: d8199c4bdb9f8a6bdfb27f3e3e4d1385
SHA1: 2accb3541d62d724734aa65cbb7a8f6dc959b00e
SHA256: 5b6f08f589840a27b74ec78944a46aa55e58812a99c5aa634aed6b45041a1761
Referenced In Projects/Scopes:

  • livy-scala-api_2.12:provided
  • livy-scala-api_2.11:provided
  • livy-scala-api-parent:provided
  • livy-repl_2.12:provided
  • livy-rsc:provided
  • livy-repl-parent:provided
  • livy-test-lib:provided
  • livy-repl_2.11:provided
  • livy-examples:compile
  • livy-api:provided

Identifiers

  • None

spark-core_2.11-2.4.5.jar: jquery.cookies.2.2.0.min.js

File Path: /root/.m2/repository/org/apache/spark/spark-core_2.11/2.4.5/spark-core_2.11-2.4.5.jar/org/apache/spark/ui/static/jquery.cookies.2.2.0.min.js
MD5: 03b9574487d06f8f8513f95758c7cab3
SHA1: 90a61ac9835905ebec2bb1499dd0b0de894f8045
SHA256: 10fdbfbb18a947e7024457f52fd2dfe94ebddd612156c886731474b02aa45d23
Referenced In Projects/Scopes:

  • livy-scala-api_2.12:provided
  • livy-scala-api_2.11:provided
  • livy-scala-api-parent:provided
  • livy-repl_2.12:provided
  • livy-rsc:provided
  • livy-repl-parent:provided
  • livy-test-lib:provided
  • livy-repl_2.11:provided
  • livy-examples:compile
  • livy-api:provided

Identifiers

  • None

spark-core_2.11-2.4.5.jar: jquery.dataTables.1.10.18.min.js

File Path: /root/.m2/repository/org/apache/spark/spark-core_2.11/2.4.5/spark-core_2.11-2.4.5.jar/org/apache/spark/ui/static/jquery.dataTables.1.10.18.min.js
MD5: 7b395d818b854ed93638578031d0874e
SHA1: 39398e2f7984f61c8bfa1589e4adbe774271ff9b
SHA256: 2ad40bb3c5f0b5e598d833478e241f9f3b1cbc16aec3ad44b0e0cad32cb6114e
Referenced In Projects/Scopes:

  • livy-scala-api_2.12:provided
  • livy-scala-api_2.11:provided
  • livy-scala-api-parent:provided
  • livy-repl_2.12:provided
  • livy-rsc:provided
  • livy-repl-parent:provided
  • livy-test-lib:provided
  • livy-repl_2.11:provided
  • livy-examples:compile
  • livy-api:provided

Identifiers

  • None

spark-core_2.11-2.4.5.jar: jquery.mustache.js

File Path: /root/.m2/repository/org/apache/spark/spark-core_2.11/2.4.5/spark-core_2.11-2.4.5.jar/org/apache/spark/ui/static/jquery.mustache.js
MD5: a8678316d7ed318e27e453ccf58bc214
SHA1: 8662bfee6a48f878cfcb783c512359ab6f47afbd
SHA256: 2a4f4169e59d11cca8e24b0f44784f803c9e7724f0c0f09b73381c228093be5b
Referenced In Projects/Scopes:

  • livy-scala-api_2.12:provided
  • livy-scala-api_2.11:provided
  • livy-scala-api-parent:provided
  • livy-repl_2.12:provided
  • livy-rsc:provided
  • livy-repl-parent:provided
  • livy-test-lib:provided
  • livy-repl_2.11:provided
  • livy-examples:compile
  • livy-api:provided

Identifiers

  • None

spark-core_2.11-2.4.5.jar: jsonFormatter.min.js

File Path: /root/.m2/repository/org/apache/spark/spark-core_2.11/2.4.5/spark-core_2.11-2.4.5.jar/org/apache/spark/ui/static/jsonFormatter.min.js
MD5: beca83ee888fc4e974d0069b5e94b6ea
SHA1: 0795631699a4d227e3cf13398792d54c0f4e4eb2
SHA256: 182aaeba495cc66257d9c46ea68df28139bd6f02eb97695341ef4dae69dd0539
Referenced In Projects/Scopes:

  • livy-scala-api_2.12:provided
  • livy-scala-api_2.11:provided
  • livy-scala-api-parent:provided
  • livy-repl_2.12:provided
  • livy-rsc:provided
  • livy-repl-parent:provided
  • livy-test-lib:provided
  • livy-repl_2.11:provided
  • livy-examples:compile
  • livy-api:provided

Identifiers

  • None

spark-core_2.11-2.4.5.jar: log-view.js

File Path: /root/.m2/repository/org/apache/spark/spark-core_2.11/2.4.5/spark-core_2.11-2.4.5.jar/org/apache/spark/ui/static/log-view.js
MD5: efe8661ce20a440c0cef49fd2065a619
SHA1: 209be33395581d7910508e7d5fbcf34128276410
SHA256: 70aa723cc996ac25cf0e33914fec32545cd6013f4cab35ed1d031d26ab3508d4
Referenced In Projects/Scopes:

  • livy-scala-api_2.12:provided
  • livy-scala-api_2.11:provided
  • livy-scala-api-parent:provided
  • livy-repl_2.12:provided
  • livy-rsc:provided
  • livy-repl-parent:provided
  • livy-test-lib:provided
  • livy-repl_2.11:provided
  • livy-examples:compile
  • livy-api:provided

Identifiers

  • None

spark-core_2.11-2.4.5.jar: sorttable.js

File Path: /root/.m2/repository/org/apache/spark/spark-core_2.11/2.4.5/spark-core_2.11-2.4.5.jar/org/apache/spark/ui/static/sorttable.js
MD5: 8d85fe2d93f0c9e2823b9ecc00094a00
SHA1: 04cfb707c2bb77b50f3dc87ce3e78646f4765d30
SHA256: 94761e7b1c4ad7423a09f334f6a2fa6e6ac2faf354ced60984a0b88f423f95f3
Referenced In Projects/Scopes:

  • livy-scala-api_2.12:provided
  • livy-scala-api_2.11:provided
  • livy-scala-api-parent:provided
  • livy-repl_2.12:provided
  • livy-rsc:provided
  • livy-repl-parent:provided
  • livy-test-lib:provided
  • livy-repl_2.11:provided
  • livy-examples:compile
  • livy-api:provided

Identifiers

  • None

spark-core_2.11-2.4.5.jar: spark-dag-viz.js

File Path: /root/.m2/repository/org/apache/spark/spark-core_2.11/2.4.5/spark-core_2.11-2.4.5.jar/org/apache/spark/ui/static/spark-dag-viz.js
MD5: 5bd6afd0f6a84724900815d9bca46579
SHA1: c02bc10e545436dae6b5cd3a1b59b25d614cfdc9
SHA256: 8797a36ba1d907c2203ccff6315db6a5385e9c2fc259925eb2cb2dd288c86c7c
Referenced In Projects/Scopes:

  • livy-scala-api_2.12:provided
  • livy-scala-api_2.11:provided
  • livy-scala-api-parent:provided
  • livy-repl_2.12:provided
  • livy-rsc:provided
  • livy-repl-parent:provided
  • livy-test-lib:provided
  • livy-repl_2.11:provided
  • livy-examples:compile
  • livy-api:provided

Identifiers

  • None

spark-core_2.11-2.4.5.jar: table.js

File Path: /root/.m2/repository/org/apache/spark/spark-core_2.11/2.4.5/spark-core_2.11-2.4.5.jar/org/apache/spark/ui/static/table.js
MD5: a5898f0bcd5ec1686d1d72f47c524909
SHA1: 33a086242b5716193ce7382be92e4e25fc0c47d1
SHA256: 0fd719ead123ad6eacae5373bb1ccb7fd6339ea816adcaceae822f8d578e21c6
Referenced In Projects/Scopes:

  • livy-scala-api_2.12:provided
  • livy-scala-api_2.11:provided
  • livy-scala-api-parent:provided
  • livy-repl_2.12:provided
  • livy-rsc:provided
  • livy-repl-parent:provided
  • livy-test-lib:provided
  • livy-repl_2.11:provided
  • livy-examples:compile
  • livy-api:provided

Identifiers

  • None

spark-core_2.11-2.4.5.jar: timeline-view.js

File Path: /root/.m2/repository/org/apache/spark/spark-core_2.11/2.4.5/spark-core_2.11-2.4.5.jar/org/apache/spark/ui/static/timeline-view.js
MD5: fe77e2089d19861ca0278a001d52f195
SHA1: 77c61492434d964e5f4422fed65060c348228ae8
SHA256: e504907cf922602b0b06a860eadaa88fe2c3eafdc4a6e7f4f95e50ba68335faa
Referenced In Projects/Scopes:

  • livy-scala-api_2.12:provided
  • livy-scala-api_2.11:provided
  • livy-scala-api-parent:provided
  • livy-repl_2.12:provided
  • livy-rsc:provided
  • livy-repl-parent:provided
  • livy-test-lib:provided
  • livy-repl_2.11:provided
  • livy-examples:compile
  • livy-api:provided

Identifiers

  • None

spark-core_2.11-2.4.5.jar: utils.js

File Path: /root/.m2/repository/org/apache/spark/spark-core_2.11/2.4.5/spark-core_2.11-2.4.5.jar/org/apache/spark/ui/static/utils.js
MD5: 6a10332e5ee728f81289ab6b986383ea
SHA1: bb009d0572015214f8be488976108507c2d1a062
SHA256: d926f4c3e7a66932458f62b53d3e87790989f4c7096b2a19ffbfa19ef70eaba5
Referenced In Projects/Scopes:

  • livy-scala-api_2.12:provided
  • livy-scala-api_2.11:provided
  • livy-scala-api-parent:provided
  • livy-repl_2.12:provided
  • livy-rsc:provided
  • livy-repl-parent:provided
  • livy-test-lib:provided
  • livy-repl_2.11:provided
  • livy-examples:compile
  • livy-api:provided

Identifiers

  • None

spark-core_2.11-2.4.5.jar: vis.min.js

File Path: /root/.m2/repository/org/apache/spark/spark-core_2.11/2.4.5/spark-core_2.11-2.4.5.jar/org/apache/spark/ui/static/vis.min.js
MD5: 8f16db863f54b83e1a0a33d2b2249c79
SHA1: 15c8115cdd5e9d70183f7995aa84a8c498c5a5e6
SHA256: 7b461b95eaf9aedbb6e4765a2913a75ffe086d8c5b45d12c18a96fd43c55edc4
Referenced In Projects/Scopes:

  • livy-scala-api_2.12:provided
  • livy-scala-api_2.11:provided
  • livy-scala-api-parent:provided
  • livy-repl_2.12:provided
  • livy-rsc:provided
  • livy-repl-parent:provided
  • livy-test-lib:provided
  • livy-repl_2.11:provided
  • livy-examples:compile
  • livy-api:provided

Identifiers

  • None

spark-core_2.11-2.4.5.jar: webui.js

File Path: /root/.m2/repository/org/apache/spark/spark-core_2.11/2.4.5/spark-core_2.11-2.4.5.jar/org/apache/spark/ui/static/webui.js
MD5: 0beb65aa7b4fe9189c2a1e7fc8f18e42
SHA1: a947d3df6dec086cbf63e5c70e78b65cac35cf23
SHA256: e36e5d356aab1681f84aad982cc66ef3301ccdbba9d1c0ee4717408d200d616b
Referenced In Projects/Scopes:

  • livy-scala-api_2.12:provided
  • livy-scala-api_2.11:provided
  • livy-scala-api-parent:provided
  • livy-repl_2.12:provided
  • livy-rsc:provided
  • livy-repl-parent:provided
  • livy-test-lib:provided
  • livy-repl_2.11:provided
  • livy-examples:compile
  • livy-api:provided

Identifiers

  • None

spark-hive_2.11-2.4.5.jar

File Path: /root/.m2/repository/org/apache/spark/spark-hive_2.11/2.4.5/spark-hive_2.11-2.4.5.jar
MD5: 1817637846469cc1aebd80b3d2d61011
SHA1: a0fc06e7331a2ffaa4191d3c88bcacfd0665c696
SHA256: fdd7d5f29fd3af6a3148b769377ceedc5813d2f9d8502ff1f39c41518c6d090a
Referenced In Projects/Scopes:

  • livy-scala-api_2.11:provided
  • livy-scala-api-parent:provided
  • livy-rsc:provided
  • livy-repl-parent:provided
  • livy-test-lib:provided
  • livy-repl_2.11:provided
  • livy-examples:compile
  • livy-api:provided

Identifiers

CVE-2018-17190  

In all versions of Apache Spark, its standalone resource manager accepts code to execute on a 'master' host, that then runs that code on 'worker' hosts. The master itself does not, by design, execute user code. A specially-crafted request to the master can, however, cause the master to execute code too. Note that this does not affect standalone clusters with authentication enabled. While the master host typically has less outbound access to other resources than a worker, the execution of code on the master is nevertheless unexpected.
NVD-CWE-noinfo

CVSSv2:
  • Base Score: HIGH (7.5)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions:

CVE-2020-9480  

In Apache Spark 2.4.5 and earlier, a standalone resource manager's master may be configured to require authentication (spark.authenticate) via a shared secret. When enabled, however, a specially-crafted RPC to the master can succeed in starting an application's resources on the Spark cluster, even without the shared key. This can be leveraged to execute shell commands on the host machine. This does not affect Spark clusters using other resource managers (YARN, Mesos, etc).
CWE-306 Missing Authentication for Critical Function

CVSSv2:
  • Base Score: HIGH (9.3)
  • Vector: /AV:N/AC:M/Au:N/C:C/I:C/A:C
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions:

CVE-2022-33891  

The Apache Spark UI offers the possibility to enable ACLs via the configuration option spark.acls.enable. With an authentication filter, this checks whether a user has access permissions to view or modify the application. If ACLs are enabled, a code path in HttpSecurityFilter can allow someone to perform impersonation by providing an arbitrary user name. A malicious user might then be able to reach a permission check function that will ultimately build a Unix shell command based on their input, and execute it. This will result in arbitrary shell command execution as the user Spark is currently running as. This affects Apache Spark versions 3.0.3 and earlier, versions 3.1.1 to 3.1.2, and versions 3.2.0 to 3.2.1.
CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')

CVSSv3:
  • Base Score: HIGH (8.8)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions:

CVE-2021-4125  

It was found that the original fix for log4j CVE-2021-44228 and CVE-2021-45046 in the OpenShift metering hive containers was incomplete, as not all JndiLookup.class files were removed. This CVE only applies to the OpenShift Metering hive container images, shipped in OpenShift 4.8, 4.7 and 4.6.
CWE-502 Deserialization of Untrusted Data

CVSSv3:
  • Base Score: HIGH (8.1)
  • Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions:

CVE-2018-11804  

Spark's Apache Maven-based build includes a convenience script, 'build/mvn', that downloads and runs a zinc server to speed up compilation. It has been included in release branches since 1.3.x, up to and including master. This server will accept connections from external hosts by default. A specially-crafted request to the zinc server could cause it to reveal information in files readable to the developer account running the build. Note that this issue does not affect end users of Spark, only developers building Spark from source code.
CWE-20 Improper Input Validation

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

References:

Vulnerable Software & Versions:

CVE-2020-13949  

In Apache Thrift 0.9.3 to 0.13.0, malicious RPC clients could send short messages which would result in a large memory allocation, potentially leading to denial of service.
CWE-400 Uncontrolled Resource Consumption ('Resource Exhaustion')

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:P
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References:

Vulnerable Software & Versions:

CVE-2021-34538  

Apache Hive before 3.1.3 "CREATE" and "DROP" function operations do not check for necessary authorization of involved entities in the query. It was found that an unauthorized user can manipulate an existing UDF without having the privileges to do so. This allowed unauthorized or underprivileged users to drop and recreate UDFs pointing them to new jars that could be potentially malicious.
CWE-306 Missing Authentication for Critical Function

CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

References:

Vulnerable Software & Versions:

CVE-2021-38296  

Apache Spark supports end-to-end encryption of RPC connections via "spark.authenticate" and "spark.network.crypto.enabled". In versions 3.1.2 and earlier, it uses a bespoke mutual authentication protocol that allows for full encryption key recovery. After an initial interactive attack, this would allow someone to decrypt plaintext traffic offline. Note that this does not affect security mechanisms controlled by "spark.authenticate.enableSaslEncryption", "spark.io.encryption.enabled", "spark.ssl", "spark.ui.strictTransportSecurity". Update to Apache Spark 3.1.3 or later.
CWE-294 Authentication Bypass by Capture-replay

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

References:

Vulnerable Software & Versions:

CVE-2022-31777  

A stored cross-site scripting (XSS) vulnerability in Apache Spark 3.2.1 and earlier, and 3.3.0, allows remote attackers to execute arbitrary JavaScript in the web browser of a user, by including a malicious payload into the logs which would be returned in logs rendered in the UI.
CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

CVSSv3:
  • Base Score: MEDIUM (5.4)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

References:

Vulnerable Software & Versions:

CVE-2018-11770  

From version 1.3.0 onward, Apache Spark's standalone master exposes a REST API for job submission, in addition to the submission mechanism used by spark-submit. In standalone, the config property 'spark.authenticate.secret' establishes a shared secret for authenticating requests to submit jobs via spark-submit. However, the REST API does not use this or any other authentication mechanism, and this is not adequately documented. In this case, a user would be able to run a driver program without authenticating, but not launch executors, using the REST API. This REST API is also used by Mesos, when set up to run in cluster mode (i.e., when also running MesosClusterDispatcher), for job submission. Future versions of Spark will improve documentation on these points, and prohibit setting 'spark.authenticate.secret' when running the REST APIs, to make this clear. Future versions will also disable the REST API by default in the standalone master by changing the default value of 'spark.master.rest.enabled' to 'false'.
CWE-287 Improper Authentication

CVSSv2:
  • Base Score: MEDIUM (4.9)
  • Vector: /AV:N/AC:M/Au:S/C:P/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (4.2)
  • Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N

References:

Vulnerable Software & Versions:
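Not every identifier attached to spark-hive_2.11-2.4.5.jar describes this jar. By its own text, CVE-2021-4125 applies only to the OpenShift Metering hive container images, and CVE-2018-11804 concerns the build/mvn helper used by developers compiling Spark from source, not users of the released artifact. Findings of that kind are recorded in a Dependency-Check suppression file rather than ignored. The Python below is an added example, not from the report or the Livy project: it generates that file from a triage table, pins each suppression to the jar's SHA1 printed above (so a different spark-hive build does not inherit the decision), refuses entries without a written justification, and sets an until date so the decision is revisited. The expiry date is an assumed placeholder.

```python
"""Generate a Dependency-Check suppression file for triaged false positives.

Added example, not from the report or the Livy project.  Each suppression is
pinned to the SHA1 of the flagged jar as printed in the report and carries a
justification and an expiry date, so the decision is revisited rather than
inherited by the next build.  The expiry date is an assumed placeholder.
"""
import xml.etree.ElementTree as ET
from datetime import date

NS = "https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd"
SPARK_HIVE_SHA1 = "a0fc06e7331a2ffaa4191d3c88bcacfd0665c696"  # SHA1 of spark-hive_2.11-2.4.5.jar from the report

# (sha1 of the flagged file, CVE id, justification taken from the advisory text, review-by date)
TRIAGED = [
    (SPARK_HIVE_SHA1, "CVE-2021-4125",
     "Applies only to the OpenShift Metering hive container images; this jar is not one of them.",
     date(2025, 12, 31)),
    (SPARK_HIVE_SHA1, "CVE-2018-11804",
     "Affects Spark's build/mvn zinc helper when building from source, not users of the released jar.",
     date(2025, 12, 31)),
]


def is_valid_entry(sha1, reason):
    """A suppression without a pinned hash or a written reason is a silent blind spot; reject it."""
    hex_ok = len(sha1) == 40 and all(c in "0123456789abcdef" for c in sha1.lower())
    return hex_ok and bool(reason.strip())


def build_suppressions(entries):
    """Return the suppression file as a string (schema 1.3: notes, sha1 and cve under each suppress)."""
    ET.register_namespace("", NS)
    root = ET.Element("{%s}suppressions" % NS)
    for sha1, cve, reason, until in entries:
        if not is_valid_entry(sha1, reason):
            raise ValueError("refusing to suppress %s without a 40-hex sha1 and a justification" % cve)
        sup = ET.SubElement(root, "{%s}suppress" % NS, until=until.isoformat())
        ET.SubElement(sup, "{%s}notes" % NS).text = reason
        ET.SubElement(sup, "{%s}sha1" % NS).text = sha1
        ET.SubElement(sup, "{%s}cve" % NS).text = cve
    return '<?xml version="1.0" encoding="UTF-8"?>\n' + ET.tostring(root, encoding="unicode")


def suppressed_cves(xml_text):
    """Read a suppression file back as (sha1, cve) pairs, e.g. to diff it against the next report."""
    root = ET.fromstring(xml_text)
    pairs = []
    for sup in root.findall("{%s}suppress" % NS):
        sha1 = sup.findtext("{%s}sha1" % NS)
        pairs.extend((sha1, cve.text) for cve in sup.findall("{%s}cve" % NS))
    return pairs


if __name__ == "__main__":
    print(build_suppressions(TRIAGED))
```

The remaining Spark identifiers on this jar (CVE-2018-17190, CVE-2020-9480, CVE-2018-11770 and the others) do describe Spark 2.4.5 itself and belong in an upgrade plan, not in this file; suppressing by SHA1 rather than by package URL keeps the two apart, because the suppression stops matching as soon as the jar changes.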

spark-mllib_2.11-2.4.5.jar (shaded: org.jpmml:pmml-model:1.2.15)

Description:

JPMML class model

License:

BSD 3-Clause License: http://opensource.org/licenses/BSD-3-Clause
File Path: /root/.m2/repository/org/apache/spark/spark-mllib_2.11/2.4.5/spark-mllib_2.11-2.4.5.jar/META-INF/maven/org.jpmml/pmml-model/pom.xml
MD5: ea46ab07e3bc3397ca24b9a0d684a8fd
SHA1: 5678af1ade1a35bbe213ffebe7e8a2f3ec29a615
SHA256: 85b54b25181fc6fc8527aecf470f0b095d7f45a98e567dae10a106d53898e0b7
Referenced In Projects/Scopes:
  • livy-repl_2.12:provided
  • livy-repl-parent:provided
  • livy-repl_2.11:provided

Identifiers

spark-mllib_2.11-2.4.5.jar (shaded: org.jpmml:pmml-schema:1.2.15)

Description:

JPMML schema annotations for class model

License:

BSD 3-Clause License: http://opensource.org/licenses/BSD-3-Clause
File Path: /root/.m2/repository/org/apache/spark/spark-mllib_2.11/2.4.5/spark-mllib_2.11-2.4.5.jar/META-INF/maven/org.jpmml/pmml-schema/pom.xml
MD5: e48f897f27355474a94bbe0be8f210d1
SHA1: 52540b943355975f6e9ae84e31955f7117983c71
SHA256: a606562fee742b5f8eb7fc587f9132fa19b19428f267ff770c300285dd0a8899
Referenced In Projects/Scopes:
  • livy-repl_2.12:provided
  • livy-repl-parent:provided
  • livy-repl_2.11:provided

Identifiers

spark-network-common_2.11-2.4.5.jar (shaded: com.google.guava:guava:14.0.1)

Description:

Guava is a suite of core and expanded libraries that include utility classes, google's collections, io classes, and much much more.

Guava has two code dependencies - javax.annotation per the JSR-305 spec and javax.inject per the JSR-330 spec.

File Path: /root/.m2/repository/org/apache/spark/spark-network-common_2.11/2.4.5/spark-network-common_2.11-2.4.5.jar/META-INF/maven/com.google.guava/guava/pom.xml
MD5: b9406eec5781ea391a26972c394bf129
SHA1: 7b4c8f117c11a8f1fcaf4f1b0fd07cbe756a1430
SHA256:3dd4a992d53eb524a1c6546a24b853b332b26520755e26b25d38100131424b7b
Referenced In Projects/Scopes:

  • livy-scala-api_2.12:provided
  • livy-scala-api_2.11:provided
  • livy-scala-api-parent:provided
  • livy-repl_2.12:provided
  • livy-rsc:provided
  • livy-repl-parent:provided
  • livy-test-lib:provided
  • livy-repl_2.11:provided
  • livy-examples:compile
  • livy-api:provided

Identifiers

CVE-2018-10237  

Unbounded memory allocation in Google Guava 11.0 through 24.x before 24.1.1 allows remote attackers to conduct denial of service attacks against servers that depend on this library and deserialize attacker-provided data, because the AtomicDoubleArray class (when serialized with Java serialization) and the CompoundOrdering class (when serialized with GWT serialization) perform eager allocation without appropriate checks on what a client has sent and whether the data size is reasonable.
CWE-770 Allocation of Resources Without Limits or Throttling

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:N/A:P
CVSSv3:
  • Base Score: MEDIUM (5.9)
  • Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

References:

Vulnerable Software & Versions:

CVE-2020-8908  

A temp directory creation vulnerability exists in all versions of Guava, allowing an attacker with access to the machine to potentially access data in a temporary directory created by the Guava API com.google.common.io.Files.createTempDir(). By default, on unix-like systems, the created directory is world-readable (readable by an attacker with access to the system). The method in question has been marked @Deprecated in versions 30.0 and later and should not be used. For Android developers, we recommend choosing a temporary directory API provided by Android, such as context.getCacheDir(). For other Java developers, we recommend migrating to the Java 7 API java.nio.file.Files.createTempDirectory() which explicitly configures permissions of 700, or configuring the Java runtime's java.io.tmpdir system property to point to a location whose permissions are appropriately configured.
CWE-732 Incorrect Permission Assignment for Critical Resource

CVSSv2:
  • Base Score: LOW (2.1)
  • Vector: /AV:L/AC:L/Au:N/C:P/I:N/A:N
CVSSv3:
  • Base Score: LOW (3.3)
  • Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

References:

Vulnerable Software & Versions:
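The CVE-2020-8908 text above contrasts Guava's com.google.common.io.Files.createTempDir() with the JDK's java.nio.file.Files.createTempDirectory(). The class below is an added example written for this report, not code from Guava, Spark or Livy. It creates a temporary directory with the recommended JDK API, verifies that no group or other permission bits are set, and shows how to tighten a directory that existing code still obtains from the Guava call. The class name and the "scan-"/"wide-" prefixes are illustrative, and the permission checks assume a POSIX file system.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.PosixFilePermission;
import java.nio.file.attribute.PosixFilePermissions;
import java.util.EnumSet;
import java.util.Set;

/** Added example for CVE-2020-8908; not part of Guava, Spark or Livy. */
public class PrivateTempDir {

    // Vulnerable pattern (CVE-2020-8908). Guava's createTempDir() creates the
    // directory under java.io.tmpdir with the process umask, typically 0755 on
    // Unix, so any local user can list it. Left commented out so this file
    // compiles against the JDK alone:
    //
    //   java.io.File leaky = com.google.common.io.Files.createTempDir();

    /** Hardened replacement: on POSIX file systems the JDK applies mode 0700. */
    public static Path createPrivateTempDir(String prefix) throws IOException {
        return Files.createTempDirectory(prefix);
    }

    /**
     * Retrofit for code that still receives a Guava-created directory. There is
     * a window between creation and this call during which the directory is
     * readable, so new code should use createPrivateTempDir() instead.
     */
    public static void dropGroupAndOtherBits(Path dir) throws IOException {
        Files.setPosixFilePermissions(dir, PosixFilePermissions.fromString("rwx------"));
    }

    private static final Set<PosixFilePermission> NOT_OWNER = EnumSet.of(
            PosixFilePermission.GROUP_READ, PosixFilePermission.GROUP_WRITE,
            PosixFilePermission.GROUP_EXECUTE, PosixFilePermission.OTHERS_READ,
            PosixFilePermission.OTHERS_WRITE, PosixFilePermission.OTHERS_EXECUTE);

    /**
     * True when no group or other permission bit is set. On file systems without
     * POSIX attributes (e.g. NTFS) the 0700 guarantee cannot be verified, so the
     * check reports false rather than assuming safety.
     */
    public static boolean isOwnerOnly(Path dir) throws IOException {
        Set<PosixFilePermission> perms;
        try {
            perms = Files.getPosixFilePermissions(dir);
        } catch (UnsupportedOperationException e) {
            return false;
        }
        for (PosixFilePermission p : NOT_OWNER) {
            if (perms.contains(p)) {
                return false;
            }
        }
        return true;
    }

    public static void main(String[] args) throws IOException {
        // Recommended path: private from the moment the directory exists.
        Path dir = createPrivateTempDir("scan-");
        try {
            System.out.println(dir + " owner-only: " + isOwnerOnly(dir));
        } finally {
            Files.delete(dir);
        }

        // Simulate a directory created world-readable (as createTempDir() would)
        // and tighten it after the fact.
        Path wide = Files.createTempDirectory("wide-");
        try {
            Files.setPosixFilePermissions(wide, PosixFilePermissions.fromString("rwxr-xr-x"));
            System.out.println(wide + " before: " + isOwnerOnly(wide));
            dropGroupAndOtherBits(wide);
            System.out.println(wide + " after:  " + isOwnerOnly(wide));
        } finally {
            Files.delete(wide);
        }
    }
}
```

The isOwnerOnly() check is the kind of assertion worth adding to a test suite for any component that stages secrets or user data in a temporary directory: it fails closed on non-POSIX file systems instead of silently passing, which is the behaviour you want when the advisory's guarantee does not apply.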

spark-sql_2.11-2.4.5.jar

File Path: /root/.m2/repository/org/apache/spark/spark-sql_2.11/2.4.5/spark-sql_2.11-2.4.5.jar
MD5: debd29be2fd993c4f4c40fc64c79079d
SHA1: f5cb7af2983ff36d629c37f19ea30db640714ec2
SHA256:aa7a3f9913f82dc4380b5676e7dd684548f56b148cf856c068dbc38a841c123b
Referenced In Projects/Scopes:

  • livy-scala-api_2.11:provided
  • livy-scala-api-parent:provided
  • livy-rsc:provided
  • livy-repl-parent:provided
  • livy-test-lib:provided
  • livy-repl_2.11:provided
  • livy-examples:compile
  • livy-api:provided

Identifiers

CVE-2018-17190  

In all versions of Apache Spark, its standalone resource manager accepts code to execute on a 'master' host, that then runs that code on 'worker' hosts. The master itself does not, by design, execute user code. A specially-crafted request to the master can, however, cause the master to execute code too. Note that this does not affect standalone clusters with authentication enabled. While the master host typically has less outbound access to other resources than a worker, the execution of code on the master is nevertheless unexpected.
NVD-CWE-noinfo

CVSSv2:
  • Base Score: HIGH (7.5)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions:

CVE-2020-9480  

In Apache Spark 2.4.5 and earlier, a standalone resource manager's master may be configured to require authentication (spark.authenticate) via a shared secret. When enabled, however, a specially-crafted RPC to the master can succeed in starting an application's resources on the Spark cluster, even without the shared key. This can be leveraged to execute shell commands on the host machine. This does not affect Spark clusters using other resource managers (YARN, Mesos, etc).
CWE-306 Missing Authentication for Critical Function

CVSSv2:
  • Base Score: HIGH (9.3)
  • Vector: /AV:N/AC:M/Au:N/C:C/I:C/A:C
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions:

CVE-2022-33891  

The Apache Spark UI offers the possibility to enable ACLs via the configuration option spark.acls.enable. With an authentication filter, this checks whether a user has access permissions to view or modify the application. If ACLs are enabled, a code path in HttpSecurityFilter can allow someone to perform impersonation by providing an arbitrary user name. A malicious user might then be able to reach a permission check function that will ultimately build a Unix shell command based on their input, and execute it. This will result in arbitrary shell command execution as the user Spark is currently running as. This affects Apache Spark versions 3.0.3 and earlier, versions 3.1.1 to 3.1.2, and versions 3.2.0 to 3.2.1.
CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')

CVSSv3:
  • Base Score: HIGH (8.8)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions:

CVE-2018-11804  

Spark's Apache Maven-based build includes a convenience script, 'build/mvn', that downloads and runs a zinc server to speed up compilation. It has been included in release branches since 1.3.x, up to and including master. This server will accept connections from external hosts by default. A specially-crafted request to the zinc server could cause it to reveal information in files readable to the developer account running the build. Note that this issue does not affect end users of Spark, only developers building Spark from source code.
CWE-20 Improper Input Validation

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

References:

Vulnerable Software & Versions:

CVE-2021-38296  

Apache Spark supports end-to-end encryption of RPC connections via "spark.authenticate" and "spark.network.crypto.enabled". In versions 3.1.2 and earlier, it uses a bespoke mutual authentication protocol that allows for full encryption key recovery. After an initial interactive attack, this would allow someone to decrypt plaintext traffic offline. Note that this does not affect security mechanisms controlled by "spark.authenticate.enableSaslEncryption", "spark.io.encryption.enabled", "spark.ssl", "spark.ui.strictTransportSecurity". Update to Apache Spark 3.1.3 or later.
CWE-294 Authentication Bypass by Capture-replay

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

References:

Vulnerable Software & Versions:

CVE-2022-31777  

A stored cross-site scripting (XSS) vulnerability in Apache Spark 3.2.1 and earlier, and 3.3.0, allows remote attackers to execute arbitrary JavaScript in the web browser of a user, by including a malicious payload into the logs which would be returned in logs rendered in the UI.
CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

CVSSv3:
  • Base Score: MEDIUM (5.4)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

References:

Vulnerable Software & Versions:

CVE-2018-11770  

From version 1.3.0 onward, Apache Spark's standalone master exposes a REST API for job submission, in addition to the submission mechanism used by spark-submit. In standalone, the config property 'spark.authenticate.secret' establishes a shared secret for authenticating requests to submit jobs via spark-submit. However, the REST API does not use this or any other authentication mechanism, and this is not adequately documented. In this case, a user would be able to run a driver program without authenticating, but not launch executors, using the REST API. This REST API is also used by Mesos, when set up to run in cluster mode (i.e., when also running MesosClusterDispatcher), for job submission. Future versions of Spark will improve documentation on these points, and prohibit setting 'spark.authenticate.secret' when running the REST APIs, to make this clear. Future versions will also disable the REST API by default in the standalone master by changing the default value of 'spark.master.rest.enabled' to 'false'.
CWE-287 Improper Authentication

CVSSv2:
  • Base Score: MEDIUM (4.9)
  • Vector: /AV:N/AC:M/Au:S/C:P/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (4.2)
  • Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N

References:

Vulnerable Software & Versions:

spark-sql_2.11-2.4.5.jar: spark-sql-viz.js

File Path: /root/.m2/repository/org/apache/spark/spark-sql_2.11/2.4.5/spark-sql_2.11-2.4.5.jar/org/apache/spark/sql/execution/ui/static/spark-sql-viz.js
MD5: b0f96c132acf2e1af7cfdf81e35d4554
SHA1: 4fdb3cadde3fe6f7040ee82330551e3a145d98d2
SHA256:881405934698972ffb239581833e4b976e9bac3900428ea351d73dc22abf9d48
Referenced In Projects/Scopes:

  • livy-scala-api_2.12:provided
  • livy-scala-api_2.11:provided
  • livy-scala-api-parent:provided
  • livy-repl_2.12:provided
  • livy-rsc:provided
  • livy-repl-parent:provided
  • livy-test-lib:provided
  • livy-repl_2.11:provided
  • livy-examples:compile
  • livy-api:provided

Identifiers

  • None

spark-streaming_2.11-2.4.5.jar: streaming-page.js

File Path: /root/.m2/repository/org/apache/spark/spark-streaming_2.11/2.4.5/spark-streaming_2.11-2.4.5.jar/org/apache/spark/streaming/ui/static/streaming-page.js
MD5: 8f2c8e93e82ee62b0e68c525a4a1f69f
SHA1: 5bc61284a596e1ebc1c62080169c37d14e3ef3f6
SHA256:056120555f8925fb000591f5b7f4e2eedb086b7958c29625671b95f4c8e4ad9c
Referenced In Projects/Scopes:

  • livy-examples:provided
  • livy-scala-api_2.12:provided
  • livy-scala-api_2.11:provided
  • livy-scala-api-parent:provided
  • livy-repl_2.12:provided
  • livy-rsc:provided
  • livy-repl-parent:provided
  • livy-test-lib:provided
  • livy-repl_2.11:provided
  • livy-api:provided

Identifiers

  • None

spire-macros_2.11-0.13.0.jar

Description:

macros

License:

MIT: http://opensource.org/licenses/MIT
File Path: /root/.m2/repository/org/spire-math/spire-macros_2.11/0.13.0/spire-macros_2.11-0.13.0.jar
MD5: d8c010ccced0a06707175b1c7e4a1aac
SHA1: 17059a17d2ee67ffd7eeaa825e68c9732cecf15a
SHA256:a8f79a0b05c2c5c915eafbf060aacea7af85b8f45f0d88ebe99251fc97477f08
Referenced In Projects/Scopes:
  • livy-repl-parent:provided
  • livy-repl_2.11:provided

Identifiers

spire-macros_2.12-0.13.0.jar

Description:

macros

License:

MIT: http://opensource.org/licenses/MIT
File Path: /root/.m2/repository/org/spire-math/spire-macros_2.12/0.13.0/spire-macros_2.12-0.13.0.jar
MD5: e78738c28404e963cdc6eb7582c04847
SHA1: 2276ac9864b9209049fdc2a151352ccffebe4bad
SHA256:c0cc92326a85384b83fce3d9fceae12cb23cf4f24168c5d1f3f04d62ccf4afa5
Referenced In Project/Scope: livy-repl_2.12:provided

Identifiers

spire_2.11-0.13.0.jar

Description:

core

License:

MIT: http://opensource.org/licenses/MIT
File Path: /root/.m2/repository/org/spire-math/spire_2.11/0.13.0/spire_2.11-0.13.0.jar
MD5: 3ff6c074cee4905bc0472098a3c13a95
SHA1: 32f131bf5002a637fbe9b1b9417a66aaad67bc5e
SHA256:92381b2555e691bf25d7a987c24f0487a10940b6562cf51056c11052e4f1e5eb
Referenced In Projects/Scopes:
  • livy-repl-parent:provided
  • livy-repl_2.11:provided

Identifiers

spire_2.12-0.13.0.jar

Description:

core

License:

MIT: http://opensource.org/licenses/MIT
File Path: /root/.m2/repository/org/spire-math/spire_2.12/0.13.0/spire_2.12-0.13.0.jar
MD5: 3fb9b7fd4352f4ca501bbc15498e424a
SHA1: 28b4a0b11618f82ded3d34ef58292c6c93d7550d
SHA256:63b4b858904e855f3961fc783d3138a44f8b6bf4ed0254d02c9638978d0bb202
Referenced In Project/Scope: livy-repl_2.12:provided

Identifiers

stax-api-1.0-2.jar

Description:

StAX is a standard XML processing API that allows you to stream XML data from and to your application.

License:

GNU General Public Library: http://www.gnu.org/licenses/gpl.txt
COMMON DEVELOPMENT AND DISTRIBUTION LICENSE (CDDL) Version 1.0: http://www.sun.com/cddl/cddl.html
File Path: /root/.m2/repository/javax/xml/stream/stax-api/1.0-2/stax-api-1.0-2.jar
MD5: 7d18b63063580284c3f5734081fdc99f
SHA1: d6337b0de8b25e53e81b922352fbea9f9f57ba0b
SHA256:e8c70ebd76f982c9582a82ef82cf6ce14a7d58a4a4dca5cb7b7fc988c80089b7
Referenced In Projects/Scopes:
  • livy-scala-api_2.12:provided
  • livy-integration-test:compile
  • livy-rsc:provided
  • livy-repl-parent:provided
  • livy-test-lib:provided
  • livy-api:provided
  • livy-scala-api_2.11:provided
  • livy-scala-api-parent:provided
  • livy-coverage-report:compile
  • livy-assembly:compile
  • livy-repl_2.12:provided
  • livy-server:compile
  • livy-repl_2.11:provided
  • livy-examples:compile

Identifiers

stax-api-1.0.1.jar

Description:

StAX API is the standard java XML processing API defined by JSR-173

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /root/.m2/repository/stax/stax-api/1.0.1/stax-api-1.0.1.jar
MD5: 7d436a53c64490bee564c576babb36b4
SHA1: 49c100caf72d658aca8e58bd74a4ba90fa2b0d70
SHA256:d1968436fc216c901fb9b82c7e878b50fd1d30091676da95b2edd3a9c0ccf92e
Referenced In Projects/Scopes:
  • livy-scala-api_2.12:provided
  • livy-scala-api_2.11:provided
  • livy-scala-api-parent:provided
  • livy-repl_2.12:provided
  • livy-rsc:provided
  • livy-repl-parent:provided
  • livy-test-lib:provided
  • livy-repl_2.11:provided
  • livy-examples:compile
  • livy-api:provided

Identifiers

stream-2.7.0.jar

Description:

A library for summarizing data in streams for which it is infeasible to store all events

License:

Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /root/.m2/repository/com/clearspring/analytics/stream/2.7.0/stream-2.7.0.jar
MD5: 02fc1abdf3c14a1d759c3ac799b54cec
SHA1: 9998f8cf87d329fef226405f8d519638cfe1431d
SHA256:eb66267be63bba45f3e9d4e143bc32906db595dbbedafb62842e7ea340796e01
Referenced In Projects/Scopes:
  • livy-scala-api_2.12:provided
  • livy-scala-api_2.11:provided
  • livy-scala-api-parent:provided
  • livy-repl_2.12:provided
  • livy-rsc:provided
  • livy-repl-parent:provided
  • livy-test-lib:provided
  • livy-repl_2.11:provided
  • livy-examples:compile
  • livy-api:provided

Identifiers

stringtemplate-3.2.1.jar

Description:

StringTemplate is a java template engine for generating source code, web pages, emails, or any other formatted text output.

StringTemplate is particularly good at multi-targeted code generators, multiple site skins, and internationalization/localization.

It evolved over years of effort developing jGuru.com.

StringTemplate also generates the stringtemplate website: http://www.stringtemplate.org and powers the ANTLR v3 code generator. Its distinguishing characteristic is that unlike other engines, it strictly enforces model-view separation.

Strict separation makes websites and code generators more flexible and maintainable; it also provides an excellent defense against malicious template authors.

There are currently about 600 StringTemplate source downloads a month.

License:

BSD licence: http://antlr.org/license.html
File Path: /root/.m2/repository/org/antlr/stringtemplate/3.2.1/stringtemplate-3.2.1.jar
MD5: b58ca53e518a92a1991eb63b61917582
SHA1: 59ec8083721eae215c6f3caee944c410d2be34de
SHA256:f66ce72e965e5301cb0f020e54d2ba6ad76feb91b3cbfc30dbbf00c06a6df6d7
Referenced In Projects/Scopes:
  • livy-scala-api_2.12:provided
  • livy-scala-api_2.11:provided
  • livy-scala-api-parent:provided
  • livy-repl_2.12:provided
  • livy-rsc:provided
  • livy-repl-parent:provided
  • livy-test-lib:provided
  • livy-repl_2.11:provided
  • livy-examples:compile
  • livy-api:provided

Identifiers

univocity-parsers-2.7.3.jar

Description:

univocity's open source parsers for processing different text formats using a consistent API

License:

Apache 2: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /root/.m2/repository/com/univocity/univocity-parsers/2.7.3/univocity-parsers-2.7.3.jar
MD5: f030c01958dc0d7a7dd82c9424b80e66
SHA1: 2d7b2cbe31d203333e0ce2b99ddb9f8afa03fc42
SHA256:fe14476f24434a2e1ad56f1ede561bd0143145dddf8d42e31568e1129c241b77
Referenced In Projects/Scopes:
  • livy-scala-api_2.12:provided
  • livy-scala-api_2.11:provided
  • livy-scala-api-parent:provided
  • livy-repl_2.12:provided
  • livy-rsc:provided
  • livy-repl-parent:provided
  • livy-test-lib:provided
  • livy-repl_2.11:provided
  • livy-examples:compile
  • livy-api:provided

Identifiers

unused-1.0.0.jar

License:

The Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /root/.m2/repository/org/spark-project/spark/unused/1.0.0/unused-1.0.0.jar
MD5: 763373ce9fe48581d4f2b8ffca35bb82
SHA1: 205fe37a2fade6ce6dfcf8eff57ed21a4a1c22af
SHA256:00fd27fc9bde701581e7dcf5b95981d9e749a1c176bb8bfcd49f675768ff6bf0
Referenced In Projects/Scopes:
  • livy-scala-api_2.12:provided
  • livy-scala-api_2.11:provided
  • livy-scala-api-parent:provided
  • livy-integration-test:compile
  • livy-repl_2.12:provided
  • livy-rsc:provided
  • livy-repl-parent:provided
  • livy-test-lib:provided
  • livy-repl_2.11:provided
  • livy-examples:compile
  • livy-api:provided

Identifiers

validation-api-1.1.0.Final.jar

Description:

Bean Validation API

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /root/.m2/repository/javax/validation/validation-api/1.1.0.Final/validation-api-1.1.0.Final.jar
MD5: 4c257f52462860b62ab3cdab45f53082
SHA1: 8613ae82954779d518631e05daa73a6a954817d5
SHA256:f39d7ba7253e35f5ac48081ec1bc28c5df9b32ac4b7db20853e5a8e76bf7b0ed
Referenced In Projects/Scopes:
  • livy-scala-api_2.12:provided
  • livy-scala-api_2.11:provided
  • livy-scala-api-parent:provided
  • livy-repl_2.12:provided
  • livy-rsc:provided
  • livy-repl-parent:provided
  • livy-test-lib:provided
  • livy-repl_2.11:provided
  • livy-examples:compile
  • livy-api:provided

Identifiers

xbean-asm6-shaded-4.8.jar (shaded: org.apache.xbean:xbean-asm-util:4.8)

File Path: /root/.m2/repository/org/apache/xbean/xbean-asm6-shaded/4.8/xbean-asm6-shaded-4.8.jar/META-INF/maven/org.apache.xbean/xbean-asm-util/pom.xml
MD5: c7a9a112732cbde351e5cce475c3595c
SHA1: a4dfeabf9e8c7efd0a78a21303bf0297f71531b9
SHA256:e5db31ed9ab5a663fde08cad3802b12c0f761c7c3e87931a90ac64b64b1f06f7
Referenced In Projects/Scopes:

  • livy-scala-api_2.12:provided
  • livy-scala-api_2.11:provided
  • livy-scala-api-parent:provided
  • livy-repl_2.12:provided
  • livy-rsc:provided
  • livy-repl-parent:provided
  • livy-test-lib:provided
  • livy-repl_2.11:provided
  • livy-examples:compile
  • livy-api:provided

Identifiers

xbean-asm6-shaded-4.8.jar

Description:

Repackaged and shaded asm 6.x jars

License:

http://asm.ow2.org/license.html
http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /root/.m2/repository/org/apache/xbean/xbean-asm6-shaded/4.8/xbean-asm6-shaded-4.8.jar
MD5: 274b8443321c484dc67c0ae0ef3458dd
SHA1: 034bd7c7236dfa87de173e4328354ba0701a374c
SHA256:6fcc2dee8aac3c47d70e90423673c346f3e4f9eb1d14e1df5c218f83cdd60408
Referenced In Projects/Scopes:
  • livy-scala-api_2.12:provided
  • livy-scala-api_2.11:provided
  • livy-scala-api-parent:provided
  • livy-repl_2.12:provided
  • livy-rsc:provided
  • livy-repl-parent:provided
  • livy-test-lib:provided
  • livy-repl_2.11:provided
  • livy-examples:compile
  • livy-api:provided

Identifiers

xercesImpl-2.9.1.jar

Description:

Xerces2 is the next generation of high performance, fully compliant XML parsers in the Apache Xerces family. This new version of Xerces introduces the Xerces Native Interface (XNI), a complete framework for building parser components and configurations that is extremely modular and easy to program.

File Path: /root/.m2/repository/xerces/xercesImpl/2.9.1/xercesImpl-2.9.1.jar
MD5: f807f86d7d9db25edbfc782aca7ca2a9
SHA1: 7bc7e49ddfe4fb5f193ed37ecc96c12292c8ceb6
SHA256:6ae540a7c85c814ac64bea48016b3a6f45c95d4765f547fcc0053dc36c94ed5c
Referenced In Projects/Scopes:

  • livy-scala-api_2.12:provided
  • livy-integration-test:compile
  • livy-rsc:provided
  • livy-repl-parent:provided
  • livy-test-lib:provided
  • livy-api:provided
  • livy-scala-api_2.11:provided
  • livy-scala-api-parent:provided
  • livy-coverage-report:compile
  • livy-assembly:compile
  • livy-repl_2.12:provided
  • livy-server:compile
  • livy-repl_2.11:provided
  • livy-examples:compile

Identifiers

CVE-2012-0881  

Apache Xerces2 Java Parser before 2.12.0 allows remote attackers to cause a denial of service (CPU consumption) via a crafted message to an XML service, which triggers hash table collisions.
CWE-399 Resource Management Errors

CVSSv2:
  • Base Score: HIGH (7.8)
  • Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:C
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References:

Vulnerable Software & Versions:

CVE-2013-4002  

XMLscanner.java in Apache Xerces2 Java Parser before 2.12.0, as used in the Java Runtime Environment (JRE) in IBM Java 5.0 before 5.0 SR16-FP3, 6 before 6 SR14, 6.0.1 before 6.0.1 SR6, and 7 before 7 SR5 as well as Oracle Java SE 7u40 and earlier, Java SE 6u60 and earlier, Java SE 5.0u51 and earlier, JRockit R28.2.8 and earlier, JRockit R27.7.6 and earlier, Java SE Embedded 7u40 and earlier, and possibly other products allows remote attackers to cause a denial of service via vectors related to XML attribute names.
NVD-CWE-noinfo

CVSSv2:
  • Base Score: HIGH (7.1)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:N/A:C

References:

Vulnerable Software & Versions:

CVE-2022-23437  

There's a vulnerability within the Apache Xerces Java (XercesJ) XML parser when handling specially crafted XML document payloads. This causes the XercesJ XML parser to wait in an infinite loop, which may sometimes consume system resources for prolonged duration. This vulnerability is present within XercesJ version 2.12.1 and the previous versions.
CWE-91 XML Injection (aka Blind XPath Injection)

CVSSv2:
  • Base Score: HIGH (7.1)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:N/A:C
CVSSv3:
  • Base Score: MEDIUM (6.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

References:

Vulnerable Software & Versions:

CVE-2017-10355 (OSSINDEX)  

sonatype-2017-0348 - xerces:xercesImpl - Denial of Service (DoS)

The software contains multiple threads or executable segments that are waiting for each other to release a necessary lock, resulting in deadlock.
CWE-833 Deadlock

CVSSv3:
  • Base Score: MEDIUM (5.9)
  • Vector: CVSS:/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

References:

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:xerces:xercesImpl:2.9.1:*:*:*:*:*:*:*

CVE-2018-2799  

Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: JAXP). Supported versions that are affected are Java SE: 7u171, 8u162 and 10; Java SE Embedded: 8u161; JRockit: R28.3.17. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded, JRockit. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded, JRockit. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.0 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).
NVD-CWE-noinfo

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:P
CVSSv3:
  • Base Score: MEDIUM (5.3)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

References:

Vulnerable Software & Versions:

CVE-2009-2625  

XMLScanner.java in Apache Xerces2 Java, as used in Sun Java Runtime Environment (JRE) in JDK and JRE 6 before Update 15 and JDK and JRE 5.0 before Update 20, and in other products, allows remote attackers to cause a denial of service (infinite loop and application hang) via malformed XML input, as demonstrated by the Codenomicon XML fuzzing framework.
NVD-CWE-Other

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:P

References:

Vulnerable Software & Versions:

xml-apis-1.3.04.jar

Description:

xml-commons provides an Apache-hosted set of DOM, SAX, and JAXP interfaces for use in other xml-based projects. Our hope is that we can standardize on both a common version and packaging scheme for these critical XML standards interfaces to make the lives of both our developers and users easier. The External Components portion of xml-commons contains interfaces that are defined by external standards organizations. For DOM, that's the W3C; for SAX it's David Megginson and sax.sourceforge.net; for JAXP it's Sun.

File Path: /root/.m2/repository/xml-apis/xml-apis/1.3.04/xml-apis-1.3.04.jar
MD5: 9ae9c29e4497fc35a3eade1e6dd0bbeb
SHA1: 90b215f48fe42776c8c7f6e3509ec54e84fd65ef
SHA256:d404aa881eb9c5f7a4fb546e84ea11506cd417a72b5972e88eff17f43f9f8a64
Referenced In Projects/Scopes:

  • livy-scala-api_2.12:provided
  • livy-integration-test:compile
  • livy-rsc:provided
  • livy-repl-parent:provided
  • livy-test-lib:provided
  • livy-api:provided
  • livy-scala-api_2.11:provided
  • livy-scala-api-parent:provided
  • livy-coverage-report:compile
  • livy-assembly:compile
  • livy-repl_2.12:provided
  • livy-server:compile
  • livy-repl_2.11:provided
  • livy-examples:compile

Identifiers

CVE-2021-37533  

Prior to Apache Commons Net 3.9.0, Net's FTP client trusts the host from PASV response by default. A malicious server can redirect the Commons Net code to use a different host, but the user has to connect to the malicious server in the first place. This may lead to leakage of information about services running on the private network of the client. The default in version 3.9.0 is now false to ignore such hosts, as cURL does. See https://issues.apache.org/jira/browse/NET-711.
CWE-20 Improper Input Validation

CVSSv3:
  • Base Score: MEDIUM (6.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

References:

Vulnerable Software & Versions:
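The only identifier attached to xml-apis-1.3.04.jar above describes the FTP client in Apache Commons Net, while the jar's own description says it ships DOM, SAX and JAXP interfaces. That mismatch has the shape of the CPE false positive the report header warns about, and the "Suppressing false positives" link at the top is the intended remedy. The suppression file below is an added example for this report, not part of the Livy project: it pins the suppression to this exact artifact by the SHA1 printed above rather than by artifact name, so a different xml-apis build would be rescanned. The notes text and the reviewer placeholders are illustrative, and the suppression should only be committed once an analyst has confirmed the mismatch.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
  <suppress>
    <notes><![CDATA[
      CVE-2021-37533 concerns the PASV handling in Apache Commons Net's FTP client.
      xml-apis-1.3.04.jar (xml-commons external) contains only DOM/SAX/JAXP
      interfaces and no Commons Net code, so the CVE does not apply to it.
      Reviewed by: (analyst), (date)
    ]]></notes>
    <!-- SHA1 of xml-apis-1.3.04.jar as listed in this report -->
    <sha1>90b215f48fe42776c8c7f6e3509ec54e84fd65ef</sha1>
    <cve>CVE-2021-37533</cve>
  </suppress>
</suppressions>
```

Point the scanner at the file with the command-line option --suppression (or the Maven plugin's suppression file parameter) and re-run; the entry then disappears from the report while CVEs on every other artifact, and any future xml-apis jar with a different hash, continue to be reported.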

xmlenc-0.52.jar

Description:

xmlenc Library

License:

The BSD License: http://www.opensource.org/licenses/bsd-license.php
File Path: /root/.m2/repository/xmlenc/xmlenc/0.52/xmlenc-0.52.jar
MD5: c962b6bc3c8de46795b0ed94851fa9c7
SHA1: d82554efbe65906d83b3d97bd7509289e9db561a
SHA256:282ae185fc2ff27da7714af9962897c09cfefafb88072219c4a2f9c73616c026
Referenced In Projects/Scopes:
  • livy-scala-api_2.12:provided
  • livy-integration-test:compile
  • livy-rsc:provided
  • livy-repl-parent:provided
  • livy-test-lib:provided
  • livy-api:provided
  • livy-scala-api_2.11:provided
  • livy-scala-api-parent:provided
  • livy-coverage-report:compile
  • livy-assembly:compile
  • livy-repl_2.12:provided
  • livy-server:compile
  • livy-repl_2.11:provided
  • livy-examples:compile

Identifiers

xz-1.0.jar

Description:

XZ data compression

License:

Public Domain
File Path: /root/.m2/repository/org/tukaani/xz/1.0/xz-1.0.jar
MD5: 8c53d7a772f11a88ee95c6ed0c215e49
SHA1: ecff5cb8b1189514c9d1d8d68eb77ac372e000c9
SHA256:7eafdc8880da10286c2398fa42e3bf68c3e845c35ae7a6ae67f5cc1fa16c7405
Referenced In Projects/Scopes:
  • livy-integration-test:compile
  • livy-coverage-report:compile
  • livy-assembly:compile

Identifiers

xz-1.5.jar

Description:

XZ data compression

License:

Public Domain
File Path: /root/.m2/repository/org/tukaani/xz/1.5/xz-1.5.jar
MD5: 51050e595b308c4aec8ac314f66e18bc
SHA1: 9c64274b7dbb65288237216e3fae7877fd3f2bee
SHA256:86f30fa8775fa3a62cdb39d1ed78a6019164c1058864048d42cbee244e26e840
Referenced In Projects/Scopes:
  • livy-scala-api_2.12:provided
  • livy-scala-api_2.11:provided
  • livy-scala-api-parent:provided
  • livy-repl_2.12:provided
  • livy-server:compile
  • livy-rsc:provided
  • livy-repl-parent:provided
  • livy-test-lib:provided
  • livy-repl_2.11:provided
  • livy-examples:compile
  • livy-api:provided

Identifiers

zookeeper-3.4.6.jar

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /root/.m2/repository/org/apache/zookeeper/zookeeper/3.4.6/zookeeper-3.4.6.jar
MD5: 7d01d317c717268725896cfb81b18152
SHA1: 01b2502e29da1ebaade2357cd1de35a855fa3755
SHA256:8a375a1ef98cbc0e1f6e9dfd0d96d914b74d37ad00b4bf81beb77fa8f34d33ae
Referenced In Projects/Scopes:
  • livy-scala-api_2.12:provided
  • livy-integration-test:compile
  • livy-rsc:provided
  • livy-repl-parent:provided
  • livy-test-lib:provided
  • livy-api:provided
  • livy-scala-api_2.11:provided
  • livy-scala-api-parent:provided
  • livy-coverage-report:compile
  • livy-assembly:compile
  • livy-repl_2.12:provided
  • livy-server:compile
  • livy-repl_2.11:provided
  • livy-examples:compile

Identifiers

CVE-2016-5017  

Buffer overflow in the C cli shell in Apache Zookeeper before 3.4.9 and 3.5.x before 3.5.3, when using the "cmd:" batch mode syntax, allows attackers to have unspecified impact via a long command string.
CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer

CVSSv2:
  • Base Score: MEDIUM (6.8)
  • Vector: /AV:N/AC:M/Au:N/C:P/I:P/A:P
CVSSv3:
  • Base Score: HIGH (8.1)
  • Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions:

CVE-2017-5637  

Two four letter word commands "wchp/wchc" are CPU intensive and could cause spike of CPU utilization on Apache ZooKeeper server if abused, which leads to the server unable to serve legitimate client requests. Apache ZooKeeper through version 3.4.9 and 3.5.2 suffers from this issue, fixed in 3.4.10, 3.5.3, and later.
CWE-400 Uncontrolled Resource Consumption ('Resource Exhaustion'), CWE-306 Missing Authentication for Critical Function

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:P
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References:

Vulnerable Software & Versions:

CVE-2018-8012  

No authentication/authorization is enforced when a server attempts to join a quorum in Apache ZooKeeper before 3.4.10, and 3.5.0-alpha through 3.5.3-beta. As a result an arbitrary end point could join the cluster and begin propagating counterfeit changes to the leader.
CWE-862 Missing Authorization

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

References:

Vulnerable Software & Versions:

CVE-2019-0201  

An issue is present in Apache ZooKeeper 1.0.0 to 3.4.13 and 3.5.0-alpha to 3.5.4-beta. ZooKeeper’s getACL() command doesn’t check any permission when it retrieves the ACLs of the requested node and returns all information contained in the ACL Id field as plaintext string. DigestAuthenticationProvider overloads the Id field with the hash value that is used for user authentication. As a consequence, if Digest Authentication is in use, the unsalted hash value will be disclosed by getACL() request for unauthenticated or unprivileged users.
CWE-862 Missing Authorization

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:P/I:N/A:N
CVSSv3:
  • Base Score: MEDIUM (5.9)
  • Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

References:

Vulnerable Software & Versions:

zstd-jni-1.3.2-2.jar

Description:

JNI bindings for Zstd native library that provides fast and high compression lossless algorithm for Java and all JVM languages.

License:

BSD 2-Clause License: https://opensource.org/licenses/BSD-2-Clause
File Path: /root/.m2/repository/com/github/luben/zstd-jni/1.3.2-2/zstd-jni-1.3.2-2.jar
MD5: 0ad847203d50c89396c18acc5b4dd45c
SHA1: bde2d9e205aa832222a02e59ab155f42efefbf44
SHA256: 4eb1ecb9f1ee2fff1eddecd367b56c9c3c269575de5396dadeed3b67a73f4a3d
Referenced In Projects/Scopes:
  • livy-scala-api_2.12:provided
  • livy-scala-api_2.11:provided
  • livy-scala-api-parent:provided
  • livy-repl_2.12:provided
  • livy-rsc:provided
  • livy-repl-parent:provided
  • livy-test-lib:provided
  • livy-repl_2.11:provided
  • livy-examples:compile
  • livy-api:provided

Identifiers

zstd-jni-1.3.2-2.jar: libzstd-jni.dll

File Path: /root/.m2/repository/com/github/luben/zstd-jni/1.3.2-2/zstd-jni-1.3.2-2.jar/win/amd64/libzstd-jni.dll
MD5: 39cb3f79b1384280e2047927ac1b21bc
SHA1: ce3d585d6242bd529b2d8914537e9a937e7566a4
SHA256: a0e6c4171331f6cfc4f1ffb375c2cd8749cece9e705526df51da7eb54570530d
Referenced In Projects/Scopes:
  • livy-scala-api_2.12:provided
  • livy-scala-api_2.11:provided
  • livy-scala-api-parent:provided
  • livy-repl_2.12:provided
  • livy-rsc:provided
  • livy-repl-parent:provided
  • livy-test-lib:provided
  • livy-repl_2.11:provided
  • livy-examples:compile
  • livy-api:provided

Identifiers

  • None

zstd-jni-1.3.2-2.jar: libzstd-jni.dll

File Path: /root/.m2/repository/com/github/luben/zstd-jni/1.3.2-2/zstd-jni-1.3.2-2.jar/win/x86/libzstd-jni.dll
MD5: ea65babb99d547c1c979f3b7c348ef4c
SHA1: a3f6b5f8236ecb3ac4047749bdd3fd3857a20e6e
SHA256: a086c78acce49277005d9b2fc490a018c09272bfd40d3bcba007f077570fbfe6
Referenced In Projects/Scopes:
  • livy-scala-api_2.12:provided
  • livy-scala-api_2.11:provided
  • livy-scala-api-parent:provided
  • livy-repl_2.12:provided
  • livy-rsc:provided
  • livy-repl-parent:provided
  • livy-test-lib:provided
  • livy-repl_2.11:provided
  • livy-examples:compile
  • livy-api:provided

Identifiers

  • None
This report contains data retrieved from the National Vulnerability Database.
This report may contain data retrieved from the NPM Public Advisories.
This report may contain data retrieved from RetireJS.
This report may contain data retrieved from the Sonatype OSS Index.