Dependency-Check Report

Dependency-Check is an open source tool performing a best effort analysis of 3rd party dependencies; false positives and false negatives may exist in the analysis performed by the tool. Use of the tool and the reporting provided constitutes acceptance for use in an AS IS condition, and there are NO warranties, implied or otherwise, with regard to the analysis or its use. Any use of the tool and the reporting provided is at the user’s risk. In no event shall the copyright holder or OWASP be held liable for any damages whatsoever arising out of or in connection with the use of this tool, the analysis performed, or the resulting report.

Scan Information (show all):

dependency-check version: 1.4.5
Report Generated On: Mar 11, 2017 at 23:42:54 EST
Dependencies Scanned: 72 (57 unique)
Vulnerable Dependencies: 7
Vulnerabilities Found: 18
Vulnerabilities Suppressed: 0
...
CurrentEngineRelease:
NVD CVE 2002: 19/02/2017 03:25:58
NVD CVE 2003: 19/02/2017 03:24:25
NVD CVE 2004: 19/02/2017 03:23:59
NVD CVE 2005: 24/02/2017 03:12:32
NVD CVE 2006: 19/02/2017 03:20:36
NVD CVE 2007: 19/02/2017 03:18:20
NVD CVE 2008: 19/02/2017 03:16:18
NVD CVE 2009: 19/02/2017 03:14:03
NVD CVE 2010: 09/02/2017 03:09:26
NVD CVE 2011: 19/02/2017 03:11:57
NVD CVE 2012: 24/02/2017 03:11:07
NVD CVE 2013: 24/02/2017 03:09:00
NVD CVE 2014: 01/03/2017 03:07:38
NVD CVE 2015: 04/03/2017 03:06:02
NVD CVE 2016: 05/03/2017 03:02:53
NVD CVE 2017: 05/03/2017 03:00:24
NVD CVE Checked: 11/03/2017 23:34:50
NVD CVE Modified: 11/03/2017 20:00:24
VersionCheckOn: 1486838497071

Display: Showing Vulnerable Dependencies (click to show all)

Dependency	CPE	GAV	Highest Severity	CVE Count	CPE Confidence	Evidence Count
antlr-2.7.7.jar		antlr:antlr:2.7.7		0		11
aopalliance-1.0.jar		aopalliance:aopalliance:1.0		0		13
asm-3.3.1.jar		asm:asm:3.3.1		0		13
jaxb-impl-2.1.13.jar		com.sun.xml.bind:jaxb-impl:2.1.13		0		19
jaxb-xjc-2.1.13.jar		com.sun.xml.bind:jaxb-xjc:2.1.13		0		18
commons-codec-1.10.jar		commons-codec:commons-codec:1.10		0		25
commons-collections-3.2.jar	cpe:/a:apache:commons_collections:3.2.1	commons-collections:commons-collections:3.2	High	1	LOW	19
commons-daemon-1.0.15-bin-windows.zip: prunsrv.exe				0		1
commons-daemon-1.0.15-bin-windows.zip: prunsrv.exe				0		1
commons-daemon-1.0.15-bin-windows.zip: prunmgr.exe				0		1
commons-daemon-1.0.15-bin-windows.zip: prunsrv.exe				0		1
commons-lang-2.6.jar		commons-lang:commons-lang:2.6		0		23
commons-logging-1.1.jar		commons-logging:commons-logging:1.1		0		19
javax.ws.rs-api-2.0-m10.jar		javax.ws.rs:javax.ws.rs-api:2.0-m10		0		20
joda-time-2.2.jar		joda-time:joda-time:2.2		0		22
log4j-1.2.17.jar		log4j:log4j:1.2.17		0		18
oauth-provider-20100527.jar		net.oauth.core:oauth-provider:20100527		0		12
oauth-20100527.jar		net.oauth.core:oauth:20100527		0		12
ehcache-core-2.5.1.jar		net.sf.ehcache:ehcache-core:2.5.1		0		12
ehcache-core-2.5.1.jar: sizeof-agent.jar		net.sf.ehcache:sizeof-agent:1.0.1		0		14
commons-lang3-3.5.jar		org.apache.commons:commons-lang3:3.5		0		27
cxf-rt-core-2.7.11.jar	cpe:/a:apache:cxf:2.7.11	org.apache.cxf:cxf-rt-core:2.7.11	Medium	3	HIGHEST	26
geronimo-javamail_1.4_spec-1.7.1.jar		org.apache.geronimo.specs:geronimo-javamail_1.4_spec:1.7.1		0		21
geronimo-jaxws_2.2_spec-1.1.jar		org.apache.geronimo.specs:geronimo-jaxws_2.2_spec:1.1		0		21
geronimo-jms_1.1_spec-1.1.1.jar		org.apache.geronimo.specs:geronimo-jms_1.1_spec:1.1.1		0		17
geronimo-servlet_3.0_spec-1.0.jar		org.apache.geronimo.specs:geronimo-servlet_3.0_spec:1.0		0		19
httpasyncclient-4.0-beta3.jar	cpe:/a:apache:httpasyncclient:4.0.beta	org.apache.httpcomponents:httpasyncclient:4.0-beta3	Medium	1	LOW	21
httpclient-4.3.3.jar	cpe:/a:apache:httpclient:4.3.3	org.apache.httpcomponents:httpclient:4.3.3	Medium	2	HIGHEST	22
httpcore-nio-4.2.4.jar		org.apache.httpcomponents:httpcore-nio:4.2.4		0		22
httpcore-4.2.4.jar		org.apache.httpcomponents:httpcore:4.2.4		0		22
mina-core-2.0.7.jar		org.apache.mina:mina-core:2.0.7		0		16
neethi-3.0.3.jar	cpe:/a:apache:apache_test:3.0.3	org.apache.neethi:neethi:3.0.3		0	LOW	25
xmlsec-1.5.6.jar	cpe:/a:apache:xml_security_for_java:1.5.6	org.apache.santuario:xmlsec:1.5.6		0	LOW	25
velocity-1.7.jar		org.apache.velocity:velocity:1.7		0		23
wss4j-1.6.15.jar	cpe:/a:apache:wss4j:1.6.15	org.apache.ws.security:wss4j:1.6.15	Medium	2	HIGHEST	25
xmlschema-core-2.1.0.jar		org.apache.ws.xmlschema:xmlschema-core:2.1.0		0		17
xmlbeans-2.6.0.jar		org.apache.xmlbeans:xmlbeans:2.6.0		0		15
stax2-api-3.1.4.jar		org.codehaus.woodstox:stax2-api:3.1.4		0		17
woodstox-core-asl-4.2.1.jar		org.codehaus.woodstox:woodstox-core-asl:4.2.1		0		21
jetty-http-8.1.14.v20131031.jar	cpe:/a:eclipse:jetty:8.1.14.v20131031 cpe:/a:jetty:jetty:8.1.14.v20131031	org.eclipse.jetty:jetty-http:8.1.14.v20131031		0	LOW	22
jetty-io-8.1.14.v20131031.jar	cpe:/a:eclipse:jetty:8.1.14.v20131031	org.eclipse.jetty:jetty-io:8.1.14.v20131031		0	LOW	22
opensaml-2.6.1.jar		org.opensaml:opensaml:2.6.1		0		19
openws-1.5.1.jar		org.opensaml:openws:1.5.1		0		21
xmltooling-1.4.1.jar		org.opensaml:xmltooling:1.4.1		0		17
slf4j-api-1.7.7.jar		org.slf4j:slf4j-api:1.7.7		0		20
spring-aop-3.0.7.RELEASE.jar		org.springframework:spring-aop:3.0.7.RELEASE		0		14
spring-asm-3.0.7.RELEASE.jar		org.springframework:spring-asm:3.0.7.RELEASE		0		15
spring-beans-3.0.7.RELEASE.jar		org.springframework:spring-beans:3.0.7.RELEASE		0		14
spring-context-3.2.8.RELEASE.jar	cpe:/a:springsource:spring_framework:3.2.8	org.springframework:spring-context:3.2.8.RELEASE		0	LOW	14
spring-core-3.0.7.RELEASE.jar	cpe:/a:pivotal:spring_framework:3.0.7 cpe:/a:pivotal_software:spring_framework:3.0.7 cpe:/a:springsource:spring_framework:3.0.7 cpe:/a:vmware:springsource_spring_framework:3.0.7	org.springframework:spring-core:3.0.7.RELEASE	Medium	8	HIGHEST	18
spring-expression-3.0.7.RELEASE.jar		org.springframework:spring-expression:3.0.7.RELEASE		0		14
spring-jms-3.0.7.RELEASE.jar		org.springframework:spring-jms:3.0.7.RELEASE		0		14
spring-tx-3.0.7.RELEASE.jar		org.springframework:spring-tx:3.0.7.RELEASE		0		14
js-1.7R2.jar		rhino:js:1.7R2		0		13
wsdl4j-1.6.3.jar		wsdl4j:wsdl4j:1.6.3		0		16
serializer-2.7.1.jar	cpe:/a:apache:xalan-java:2.7.1	xalan:serializer:2.7.1	High	1	HIGHEST	18
xml-resolver-1.2.jar		xml-resolver:xml-resolver:1.2		0		15

Dependencies

antlr-2.7.7.jar

File Path: C:\Users\Dad\.m2\repository\antlr\antlr\2.7.7\antlr-2.7.7.jar
MD5: f8f1352c52a4c6a500b597596501fc64
SHA1: 83cd2cd674a217ade95a4bb83a8a14f351f48bd0
Referenced In Project/Scope: fgsms Agent Core:provided

Evidence

Source	Name	Value
central	artifactid	antlr
central	groupid	antlr
central	version	2.7.7
file	name	antlr
file	version	2.7.7
jar	package name	antlr
pom	artifactid	antlr
pom	groupid	antlr
pom	name	AntLR
pom	url	http://www.antlr.org/
pom	version	2.7.7

Identifiers

maven: antlr:antlr:2.7.7 Confidence:HIGHEST

aopalliance-1.0.jar

Description: AOP Alliance

License:

Public Domain

File Path: C:\Users\Dad\.m2\repository\aopalliance\aopalliance\1.0\aopalliance-1.0.jar
MD5: 04177054e180d09e3998808efa0401c7
SHA1: 0235ba8b489512805ac13a8f9ea77a1ca5ebe3e8
Referenced In Project/Scope: fgsms Agent Core:provided

Evidence

Source	Name	Value
central	artifactid	aopalliance
central	groupid	aopalliance
central	version	1.0
file	name	aopalliance
file	version	1.0
jar	package name	aopalliance
jar	package name	intercept
pom	artifactid	aopalliance
pom	description	AOP Alliance
pom	groupid	aopalliance
pom	name	AOP alliance
pom	url	http://aopalliance.sourceforge.net
pom	version	1.0

Identifiers

maven: aopalliance:aopalliance:1.0 Confidence:HIGHEST

asm-3.3.1.jar

File Path: C:\Users\Dad\.m2\repository\asm\asm\3.3.1\asm-3.3.1.jar
MD5: 1ad1e8959324b0f680b8e62406955642
SHA1: 1d5f20b4ea675e6fab6ab79f1cd60ec268ddc015
Referenced In Project/Scope: fgsms Agent Core:provided

Evidence

Source	Name	Value
central	artifactid	asm
central	groupid	asm
central	version	3.3.1
file	name	asm
file	version	3.3.1
Manifest	Implementation-Title	ASM
Manifest	Implementation-Vendor	France Telecom R&D
Manifest	Implementation-Version	3.3.1
pom	artifactid	asm
pom	groupid	asm
pom	name	ASM Core
pom	parent-artifactid	asm-parent
pom	version	3.3.1

Identifiers

maven: asm:asm:3.3.1 Confidence:HIGHEST

jaxb-impl-2.1.13.jar

Description: JAXB (JSR 222) reference implementation

License:

CDDL 1.0: https://glassfish.dev.java.net/public/CDDL+GPL.html
GPL2 w/ CPE: https://glassfish.dev.java.net/public/CDDL+GPL.html

File Path: C:\Users\Dad\.m2\repository\com\sun\xml\bind\jaxb-impl\2.1.13\jaxb-impl-2.1.13.jar
MD5: 97e9e91a0824277ca351063e1ee6d2de
SHA1: 7c1ea3e298d0a32fafcebcb734e77990598f7720
Referenced In Project/Scope: fgsms Agent Core:provided

Evidence

Source	Name	Value
central	artifactid	jaxb-impl
central	groupid	com.sun.xml.bind
central	version	2.1.13
file	name	jaxb-impl
file	version	2.1.13
Manifest	extension-name	com.sun.xml.bind
Manifest	Implementation-Title	JAXB Reference Implementation
Manifest	Implementation-Vendor	Sun Microsystems, Inc.
Manifest	Implementation-Vendor-Id	com.sun
Manifest	Implementation-Version	2.1.13
Manifest	specification-title	Java Architecture for XML Binding
Manifest	specification-vendor	Sun Microsystems, Inc.
pom	artifactid	jaxb-impl
pom	description	JAXB (JSR 222) reference implementation
pom	groupid	com.sun.xml.bind
pom	groupid	sun.xml.bind
pom	name	JAXB RI
pom	url	https://jaxb.dev.java.net/
pom	version	2.1.13

Identifiers

maven: com.sun.xml.bind:jaxb-impl:2.1.13 Confidence:HIGHEST

jaxb-xjc-2.1.13.jar

Description: The core functionality of the CodeModel java source code generation library

File Path: C:\Users\Dad\.m2\repository\com\sun\xml\bind\jaxb-xjc\2.1.13\jaxb-xjc-2.1.13.jar
MD5: bd159bfd1ad36963f8f7bb05d7e8f644
SHA1: 0a953200fed20f683c09e8f419c2babb1d89d82a
Referenced In Project/Scope: fgsms Agent Core:provided

Evidence

Source	Name	Value
central	artifactid	jaxb-xjc
central	groupid	com.sun.xml.bind
file	name	jaxb-xjc
file	version	2.1.13
Manifest	extension-name	com.sun.tools.xjc
Manifest	Implementation-Title	JAXB Reference Implementation
Manifest	Implementation-Vendor	Sun Microsystems, Inc.
Manifest	Implementation-Vendor-Id	com.sun
Manifest	Implementation-Version	2.1.13
Manifest	specification-title	Java Architecture for XML Binding
Manifest	specification-vendor	Sun Microsystems, Inc.
pom	artifactid	codemodel
pom	artifactid	jaxb-xjc
pom	description	The core functionality of the CodeModel java source code generation library
pom	groupid	com.sun.xml.bind
pom	groupid	sun.codemodel
pom	name	Codemodel Core
pom	parent-groupid	com.sun

Identifiers

maven: com.sun.codemodel:codemodel:2.2-SNAPSHOT Confidence:HIGH
maven: com.sun.xml.bind:jaxb-xjc:2.1.13 Confidence:HIGHEST

commons-codec-1.10.jar

Description: The Apache Commons Codec package contains simple encoder and decoders for various formats such as Base64 and Hexadecimal. In addition to these widely used encoders and decoders, the codec package also maintains a collection of phonetic encoding utilities.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt

File Path: C:\Users\Dad\.m2\repository\commons-codec\commons-codec\1.10\commons-codec-1.10.jar
MD5: 353cf6a2bdba09595ccfa073b78c7fcb
SHA1: 4b95f4897fa13f2cd904aee711aeafc0c5295cd8
Referenced In Project/Scope: fgsms Agent Core:provided

Evidence

Source	Name	Value
central	artifactid	commons-codec
central	groupid	commons-codec
central	version	1.10
file	name	commons-codec
file	version	1.10
manifest	Bundle-Description	The Apache Commons Codec package contains simple encoder and decoders for various formats such as Base64 and Hexadecimal. In addition to these widely used encoders and decoders, the codec package also maintains a collection of phonetic encoding utilities.
Manifest	bundle-docurl	http://commons.apache.org/proper/commons-codec/
Manifest	Bundle-Name	Apache Commons Codec
Manifest	bundle-symbolicname	org.apache.commons.codec
Manifest	implementation-build	trunk@r1637108; 2014-11-06 14:14:12+0000
Manifest	Implementation-Title	Apache Commons Codec
Manifest	Implementation-Vendor	The Apache Software Foundation
Manifest	Implementation-Vendor-Id	org.apache
Manifest	Implementation-Version	1.10
Manifest	require-capability	osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.6))"
Manifest	specification-title	Apache Commons Codec
Manifest	specification-vendor	The Apache Software Foundation
pom	artifactid	commons-codec
pom	description	The Apache Commons Codec package contains simple encoder and decoders for various formats such as Base64 and Hexadecimal. In addition to these widely used encoders and decoders, the codec package also maintains a collection of phonetic encoding utilities.
pom	groupid	commons-codec
pom	name	Apache Commons Codec
pom	parent-artifactid	commons-parent
pom	parent-groupid	org.apache.commons
pom	url	http://commons.apache.org/proper/commons-codec/
pom	version	1.10

Identifiers

maven: commons-codec:commons-codec:1.10 Confidence:HIGHEST

commons-collections-3.2.jar

Description: Types that extend and augment the Java Collections Framework.

License:

The Apache Software License, Version 2.0: /LICENSE.txt

File Path: C:\Users\Dad\.m2\repository\commons-collections\commons-collections\3.2\commons-collections-3.2.jar
MD5: 7b9216b608d550787bdf43a63d88bf3b
SHA1: f951934aa5ae5a88d7e6dfaa6d32307d834a88be
Referenced In Project/Scope: fgsms Agent Core:provided

Evidence

Source	Name	Value
central	artifactid	commons-collections
central	groupid	commons-collections
central	version	3.2
file	name	commons-collections
file	version	3.2
Manifest	extension-name	commons-collections
Manifest	Implementation-Title	Commons Collections
Manifest	Implementation-Vendor	Apache Software Foundation
Manifest	Implementation-Vendor-Id	org.apache
Manifest	Implementation-Version	3.2
Manifest	specification-title	Commons Collections
Manifest	specification-vendor	Apache Software Foundation
pom	artifactid	commons-collections
pom	description	Types that extend and augment the Java Collections Framework.
pom	groupid	commons-collections
pom	name	Collections
pom	organization name	http://jakarta.apache.org
pom	url	http://jakarta.apache.org/commons/collections/
pom	version	3.2

Identifiers

maven: commons-collections:commons-collections:3.2 Confidence:HIGHEST
cpe: cpe:/a:apache:commons_collections:3.2.1 Confidence:LOW

Published Vulnerabilities

CVE-2015-6420

Severity: High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)

Serialized-object interfaces in certain Cisco Collaboration and Social Media; Endpoint Clients and Client Software; Network Application, Service, and Acceleration; Network and Content Security Devices; Network Management and Provisioning; Routing and Switching - Enterprise and Service Provider; Unified Computing; Voice and Unified Communications Devices; Video, Streaming, TelePresence, and Transcoding Devices; Wireless; and Cisco Hosted Services products allow remote attackers to execute arbitrary commands via a crafted serialized Java object, related to the Apache Commons Collections (ACC) library.

Vulnerable Software & Versions: (show all)

cpe:/a:apache:commons_collections:3.2.1 and all previous versions
...
cpe:/a:apache:commons_collections:3.2.1 and all previous versions
cpe:/a:apache:commons_collections:4.0 and all previous versions

commons-daemon-1.0.15-bin-windows.zip: prunsrv.exe

File Path: C:\Users\Dad\.m2\repository\commons-daemon\commons-daemon\1.0.15\commons-daemon-1.0.15-bin-windows.zip\amd64\prunsrv.exe
MD5: c8a57f4ca413effd5897d8a20e05fc80
SHA1: aac510a623eeb46aad1af2a91930535e4fe28f91
Referenced In Project/Scope: fgsms Agent Core:provided

Evidence

Source	Name	Value
file	name	prunsrv

Identifiers

None

commons-daemon-1.0.15-bin-windows.zip: prunsrv.exe

File Path: C:\Users\Dad\.m2\repository\commons-daemon\commons-daemon\1.0.15\commons-daemon-1.0.15-bin-windows.zip\ia64\prunsrv.exe
MD5: 3b06d0e5454e6812bba21b39ecfc83ba
SHA1: 0715fee00e5fcc4ce1c2b3dabbbddc4f3fa13e7e
Referenced In Project/Scope: fgsms Agent Core:provided

Evidence

Source	Name	Value
file	name	prunsrv

Identifiers

None

commons-daemon-1.0.15-bin-windows.zip: prunmgr.exe

File Path: C:\Users\Dad\.m2\repository\commons-daemon\commons-daemon\1.0.15\commons-daemon-1.0.15-bin-windows.zip\prunmgr.exe
MD5: dcf47773e046ee212d937d5cabea5f4c
SHA1: 57483ea86f52ee8e529a9a53e2e18d7ddcd47e51
Referenced In Project/Scope: fgsms Agent Core:provided

Evidence

Source	Name	Value
file	name	prunmgr

Identifiers

None

commons-daemon-1.0.15-bin-windows.zip: prunsrv.exe

File Path: C:\Users\Dad\.m2\repository\commons-daemon\commons-daemon\1.0.15\commons-daemon-1.0.15-bin-windows.zip\prunsrv.exe
MD5: 0be207e358e5c198e7cb005c08e96e89
SHA1: 8c31d27449cee7bf326485987dc3145f17ffaa66
Referenced In Project/Scope: fgsms Agent Core:provided

Evidence

Source	Name	Value
file	name	prunsrv

Identifiers

None

commons-lang-2.6.jar

Description: Commons Lang, a package of Java utility classes for the classes that are in java.lang's hierarchy, or are considered to be so standard as to justify existence in java.lang.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt

File Path: C:\Users\Dad\.m2\repository\commons-lang\commons-lang\2.6\commons-lang-2.6.jar
MD5: 4d5c1693079575b362edf41500630bbd
SHA1: 0ce1edb914c94ebc388f086c6827e8bdeec71ac2
Referenced In Project/Scope: fgsms Agent Core:provided

Evidence

Source	Name	Value
central	artifactid	commons-lang
central	groupid	commons-lang
central	version	2.6
file	name	commons-lang
file	version	2.6
manifest	Bundle-Description	Commons Lang, a package of Java utility classes for the classes that are in java.lang's hierarchy, or are considered to be so standard as to justify existence in java.lang.
Manifest	bundle-docurl	http://commons.apache.org/lang/
Manifest	Bundle-Name	Commons Lang
Manifest	bundle-symbolicname	org.apache.commons.lang
Manifest	Implementation-Title	Commons Lang
Manifest	Implementation-Vendor	The Apache Software Foundation
Manifest	Implementation-Vendor-Id	org.apache
Manifest	Implementation-Version	2.6
Manifest	specification-title	Commons Lang
Manifest	specification-vendor	The Apache Software Foundation
pom	artifactid	commons-lang
pom	description	Commons Lang, a package of Java utility classes for the classes that are in java.lang's hierarchy, or are considered to be so standard as to justify existence in java.lang.
pom	groupid	commons-lang
pom	name	Commons Lang
pom	parent-artifactid	commons-parent
pom	parent-groupid	org.apache.commons
pom	url	http://commons.apache.org/lang/
pom	version	2.6

Identifiers

maven: commons-lang:commons-lang:2.6 Confidence:HIGHEST

commons-logging-1.1.jar

Description: Commons Logging is a thin adapter allowing configurable bridging to other, well known logging systems.

License:

The Apache Software License, Version 2.0: /LICENSE.txt

File Path: C:\Users\Dad\.m2\repository\commons-logging\commons-logging\1.1\commons-logging-1.1.jar
MD5: 6b62417e77b000a87de66ee3935edbf5
SHA1: ba24d5de831911b684c92cd289ed5ff826271824
Referenced In Project/Scope: fgsms Agent Core:provided

Evidence

Source	Name	Value
central	artifactid	commons-logging
central	groupid	commons-logging
central	version	1.1
file	name	commons-logging
file	version	1.1
Manifest	extension-name	org.apache.commons.logging
Manifest	Implementation-Title	Jakarta Commons Logging
Manifest	Implementation-Vendor	Apache Software Foundation
Manifest	Implementation-Vendor-Id	org.apache
Manifest	Implementation-Version	1.1
Manifest	specification-title	Jakarta Commons Logging
Manifest	specification-vendor	Apache Software Foundation
pom	artifactid	commons-logging
pom	description	Commons Logging is a thin adapter allowing configurable bridging to other, well known logging systems.
pom	groupid	commons-logging
pom	name	Logging
pom	organization name	http://jakarta.apache.org
pom	url	http://jakarta.apache.org/commons/${pom.artifactId.substring(8)}/
pom	version	1.1

Identifiers

maven: commons-logging:commons-logging:1.1 Confidence:HIGHEST

javax.ws.rs-api-2.0-m10.jar

Description: Java.net - The Source for Java Technology Collaboration

License:

CDDL 1.1: http://glassfish.java.net/public/CDDL+GPL_1_1.html
GPL2 w/ CPE: http://glassfish.java.net/public/CDDL+GPL_1_1.html

File Path: C:\Users\Dad\.m2\repository\javax\ws\rs\javax.ws.rs-api\2.0-m10\javax.ws.rs-api-2.0-m10.jar
MD5: 86cdb9036c14a84efa2711e2791e9210
SHA1: 74705b1b0c448f88cff1a46f431b70b23588e8f4
Referenced In Project/Scope: fgsms Agent Core:provided

Evidence

Source	Name	Value
central	artifactid	javax.ws.rs-api
central	groupid	javax.ws.rs
central	version	2.0-m10
file	name	javax.ws.rs-api
file	version	2.0.m10
manifest	Bundle-Description	Java.net - The Source for Java Technology Collaboration
Manifest	bundle-docurl	http://www.oracle.com/
Manifest	Bundle-Name	javax.ws.rs-api
Manifest	bundle-symbolicname	javax.ws.rs.javax.ws.rs-api
Manifest	extension-name	javax.ws.rs
Manifest	specification-title	Java API for RESTful Web Services (JAX-RS)
Manifest	specification-vendor	Oracle Corporation
pom	artifactid	javax.ws.rs-api
pom	groupid	javax.ws.rs
pom	name	javax.ws.rs-api
pom	organization name	http://www.oracle.com/
pom	parent-artifactid	jvnet-parent
pom	parent-groupid	net.java
pom	url	http://jax-rs-spec.java.net
pom	version	2.0-m10

Identifiers

maven: javax.ws.rs:javax.ws.rs-api:2.0-m10 Confidence:HIGHEST

joda-time-2.2.jar

Description: Date and time library to replace JDK date handling

License:

Apache 2: http://www.apache.org/licenses/LICENSE-2.0.txt

File Path: C:\Users\Dad\.m2\repository\joda-time\joda-time\2.2\joda-time-2.2.jar
MD5: 226f5207543c490f10f234e82108b998
SHA1: a5f29a7acaddea3f4af307e8cf2d0cc82645fd7d
Referenced In Project/Scope: fgsms Agent Core:provided

Evidence

Source	Name	Value
central	artifactid	joda-time
central	groupid	joda-time
central	version	2.2
file	name	joda-time
file	version	2.2
Manifest	bundle-docurl	http://joda-time.sourceforge.net/
Manifest	Bundle-Name	Joda-Time
Manifest	bundle-symbolicname	joda-time
Manifest	extension-name	joda-time
Manifest	Implementation-Title	org.joda.time
Manifest	Implementation-Vendor	Joda.org
Manifest	Implementation-Vendor-Id	org.joda
Manifest	Implementation-Version	2.2
Manifest	specification-title	Joda-Time
Manifest	specification-vendor	Joda.org
pom	artifactid	joda-time
pom	description	Date and time library to replace JDK date handling
pom	groupid	joda-time
pom	name	Joda time
pom	organization name	http://www.joda.org
pom	url	http://joda-time.sourceforge.net
pom	version	2.2

Identifiers

maven: joda-time:joda-time:2.2 Confidence:HIGHEST

log4j-1.2.17.jar

Description: Apache Log4j 1.2

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt

File Path: C:\Users\Dad\.m2\repository\log4j\log4j\1.2.17\log4j-1.2.17.jar
MD5: 04a41f0a068986f0f73485cf507c0f40
SHA1: 5af35056b4d257e4b64b9e8069c0746e8b08629f
Referenced In Project/Scope: fgsms Agent Core:compile

Evidence

Source	Name	Value
central	artifactid	log4j
central	groupid	log4j
central	version	1.2.17
file	name	log4j
file	version	1.2.17
manifest	Bundle-Description	Apache Log4j 1.2
Manifest	bundle-docurl	http://logging.apache.org/log4j/1.2
Manifest	Bundle-Name	Apache Log4j
Manifest	bundle-symbolicname	log4j
manifest: org.apache.log4j	Implementation-Title	log4j
manifest: org.apache.log4j	Implementation-Vendor	"Apache Software Foundation"
pom	artifactid	log4j
pom	description	Apache Log4j 1.2
pom	groupid	log4j
pom	name	Apache Log4j
pom	organization name	http://www.apache.org
pom	url	http://logging.apache.org/log4j/1.2/
pom	version	1.2.17

Identifiers

maven: log4j:log4j:1.2.17 Confidence:HIGHEST

oauth-provider-20100527.jar

File Path: C:\Users\Dad\.m2\repository\net\oauth\core\oauth-provider\20100527\oauth-provider-20100527.jar
MD5: afdc85d3f14481e4842c317c4f414f7e
SHA1: 165bfc97e63e5af8e052a47f4dee832ce06bf7d7
Referenced In Project/Scope: fgsms Agent Core:provided

Evidence

Source	Name	Value
central	artifactid	oauth-provider
central	groupid	net.oauth.core
central	version	20100527
file	name	oauth-provider-20100527
file	version	20100527
jar	package name	net
jar	package name	oauth
pom	artifactid	oauth-provider
pom	groupid	net.oauth.core
pom	name	OAuth Core: Provider
pom	parent-artifactid	oauth-core-parent
pom	version	20100527

Identifiers

maven: net.oauth.core:oauth-provider:20100527 Confidence:HIGHEST

oauth-20100527.jar

File Path: C:\Users\Dad\.m2\repository\net\oauth\core\oauth\20100527\oauth-20100527.jar
MD5: 91c7c70579f95b7ddee95b2143a49b41
SHA1: a84c5331e225bc25a5a288db328048d6b1bb6fd5
Referenced In Project/Scope: fgsms Agent Core:provided

Evidence

Source	Name	Value
central	artifactid	oauth
central	groupid	net.oauth.core
central	version	20100527
file	name	oauth-20100527
file	version	20100527
jar	package name	net
jar	package name	oauth
pom	artifactid	oauth
pom	groupid	net.oauth.core
pom	name	OAuth Core
pom	parent-artifactid	oauth-core-parent
pom	version	20100527

Identifiers

maven: net.oauth.core:oauth:20100527 Confidence:HIGHEST

ehcache-core-2.5.1.jar

Description: This is the ehcache core module. Pair it with other modules for added functionality.

License:

The Apache Software License, Version 2.0: src/assemble/EHCACHE-CORE-LICENSE.txt

File Path: C:\Users\Dad\.m2\repository\net\sf\ehcache\ehcache-core\2.5.1\ehcache-core-2.5.1.jar
MD5: 143cfff4c10373af9e422eb9fe4ec561
SHA1: 574be2dda111c3c05d4684e279e9e973fbdc4967
Referenced In Project/Scope: fgsms Agent Core:provided

Evidence

Source	Name	Value
central	artifactid	ehcache-core
central	groupid	net.sf.ehcache
central	version	2.5.1
file	name	ehcache-core
file	version	2.5.1
pom	artifactid	ehcache-core
pom	description	This is the ehcache core module. Pair it with other modules for added functionality.
pom	groupid	net.sf.ehcache
pom	name	Ehcache Core
pom	parent-artifactid	ehcache-parent
pom	url	http://ehcache.org
pom	version	2.5.1

Identifiers

maven: net.sf.ehcache:ehcache-core:2.5.1 Confidence:HIGHEST

ehcache-core-2.5.1.jar: sizeof-agent.jar

File Path: C:\Users\Dad\.m2\repository\net\sf\ehcache\ehcache-core\2.5.1\ehcache-core-2.5.1.jar\net\sf\ehcache\pool\sizeof\sizeof-agent.jar
MD5: 5ad919b3ac0516897bdca079c9a222a8
SHA1: e86399a80ae6a6c7a563717eaa0ce9ba4708571c
Referenced In Project/Scope: fgsms Agent Core:provided

Evidence

Source	Name	Value
file	name	sizeof-agent
Manifest	hudson-build-number	6
Manifest	hudson-project	sizeof-agent_sizeof-agent-1.0.1_publisher
Manifest	hudson-version	1.449
Manifest	jenkins-build-number	6
Manifest	jenkins-project	sizeof-agent_sizeof-agent-1.0.1_publisher
Manifest	jenkins-version	1.449
pom	artifactid	sizeof-agent
pom	groupid	net.sf.ehcache
pom	name	Ehcache Size-Of Agent
pom	parent-artifactid	ehcache-parent
pom	parent-version	1.0.1
pom	url	http://www.ehcache.org
pom	version	1.0.1

Identifiers

maven: net.sf.ehcache:sizeof-agent:1.0.1 Confidence:HIGH

commons-lang3-3.5.jar

Description: Apache Commons Lang, a package of Java utility classes for the classes that are in java.lang's hierarchy, or are considered to be so standard as to justify existence in java.lang.

License:

https://www.apache.org/licenses/LICENSE-2.0.txt

File Path: C:\Users\Dad\.m2\repository\org\apache\commons\commons-lang3\3.5\commons-lang3-3.5.jar
MD5: 780b5a8b72eebe6d0dbff1c11b5658fa
SHA1: 6c6c702c89bfff3cd9e80b04d668c5e190d588c6
Referenced In Project/Scope: fgsms Agent Core:compile

Evidence

Source	Name	Value
central	artifactid	commons-lang3
central	groupid	org.apache.commons
central	version	3.5
file	name	commons-lang3
file	version	3.5
manifest	Bundle-Description	Apache Commons Lang, a package of Java utility classes for the classes that are in java.lang's hierarchy, or are considered to be so standard as to justify existence in java.lang.
Manifest	bundle-docurl	http://commons.apache.org/proper/commons-lang/
Manifest	Bundle-Name	Apache Commons Lang
Manifest	bundle-symbolicname	org.apache.commons.lang3
Manifest	implementation-build	release@r36f98d87b24c2f542b02abbf6ec1ee742f1b158b; 2016-10-13 19:52:17+0000
Manifest	Implementation-Title	Apache Commons Lang
Manifest	implementation-url	http://commons.apache.org/proper/commons-lang/
Manifest	Implementation-Vendor	The Apache Software Foundation
Manifest	Implementation-Vendor-Id	org.apache
Manifest	Implementation-Version	3.5
Manifest	require-capability	osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.6))"
Manifest	specification-title	Apache Commons Lang
Manifest	specification-vendor	The Apache Software Foundation
pom	artifactid	commons-lang3
pom	description	Apache Commons Lang, a package of Java utility classes for the classes that are in java.lang's hierarchy, or are considered to be so standard as to justify existence in java.lang.
pom	groupid	apache.commons
pom	groupid	org.apache.commons
pom	name	Apache Commons Lang
pom	parent-artifactid	commons-parent
pom	parent-groupid	org.apache.commons
pom	url	http://commons.apache.org/proper/commons-lang/
pom	version	3.5

Identifiers

maven: org.apache.commons:commons-lang3:3.5 Confidence:HIGHEST

cxf-rt-core-2.7.11.jar

Description: Apache CXF Runtime Core

License:

http://www.apache.org/licenses/LICENSE-2.0.txt

File Path: C:\Users\Dad\.m2\repository\org\apache\cxf\cxf-rt-core\2.7.11\cxf-rt-core-2.7.11.jar
MD5: 6e9ff60dd475ba1c91d8c358e70b540f
SHA1: 928f3aaeea343f2b370527f21d9e8379e7d0d6b7
Referenced In Project/Scope: fgsms Agent Core:provided

Evidence

Source	Name	Value
central	artifactid	cxf-rt-core
central	groupid	org.apache.cxf
central	version	2.7.11
file	name	cxf-rt-core
file	version	2.7.11
Manifest	bundle-blueprint	OSGI-INF/blueprint/cxf-core.xml
manifest	Bundle-Description	Apache CXF Runtime Core
Manifest	bundle-docurl	http://cxf.apache.org
Manifest	Bundle-Name	Apache CXF Runtime Core
Manifest	bundle-symbolicname	org.apache.cxf.cxf-rt-core
Manifest	export-service	org.apache.aries.blueprint.NamespaceHandler;osgi.service.blueprint.namespace="http://cxf.apache.org/blueprint/core"
Manifest	Implementation-Title	Apache CXF Runtime Core
Manifest	Implementation-Vendor	The Apache Software Foundation
Manifest	Implementation-Vendor-Id	org.apache
Manifest	Implementation-Version	2.7.11
Manifest	specification-title	Apache CXF Runtime Core
Manifest	specification-vendor	The Apache Software Foundation
pom	artifactid	cxf-rt-core
pom	description	Apache CXF Runtime Core
pom	groupid	apache.cxf
pom	groupid	org.apache.cxf
pom	name	Apache CXF Runtime Core
pom	parent-artifactid	cxf-parent
pom	parent-groupid	org.apache.cxf
pom	url	http://cxf.apache.org
pom	version	2.7.11

Related Dependencies

cxf-api-2.7.11.jar
- File Path: C:\Users\Dad\.m2\repository\org\apache\cxf\cxf-api\2.7.11\cxf-api-2.7.11.jar
- SHA1: 569572a9fcd03893fe011d94c9bdf1c0eb964a67
- MD5: d658862309445790563ae3d41e9dd381
- maven: org.apache.cxf:cxf-api:2.7.11
cxf-bundle-2.7.11.jar
- File Path: C:\Users\Dad\.m2\repository\org\apache\cxf\cxf-bundle\2.7.11\cxf-bundle-2.7.11.jar
- SHA1: e23a61971c89494ed797a6b0a7ab2ed3d4bb50ee
- MD5: decd0e7230868af06e455667605c6007
- maven: org.apache.cxf:cxf-bundle:2.7.11
cxf-rt-bindings-soap-2.7.11.jar
- File Path: C:\Users\Dad\.m2\repository\org\apache\cxf\cxf-rt-bindings-soap\2.7.11\cxf-rt-bindings-soap-2.7.11.jar
- SHA1: de0a53472593332f6f6a8c73f9d7c4e3338e9be4
- MD5: d3147004491c0dee40ec42f20248cebb
- maven: org.apache.cxf:cxf-rt-bindings-soap:2.7.11
cxf-rt-bindings-xml-2.7.11.jar
- File Path: C:\Users\Dad\.m2\repository\org\apache\cxf\cxf-rt-bindings-xml\2.7.11\cxf-rt-bindings-xml-2.7.11.jar
- SHA1: 362b1ed91d495044992d46c0cb5a3fb0b08330c6
- MD5: 47999489a05cb58893e666ff9d322330
- maven: org.apache.cxf:cxf-rt-bindings-xml:2.7.11
cxf-rt-databinding-jaxb-2.7.11.jar
- File Path: C:\Users\Dad\.m2\repository\org\apache\cxf\cxf-rt-databinding-jaxb\2.7.11\cxf-rt-databinding-jaxb-2.7.11.jar
- SHA1: e6f24189fcf4a97dbaec46d53621376c798513db
- MD5: 0be2df49428e4b7d9489f3ab103aac35
- maven: org.apache.cxf:cxf-rt-databinding-jaxb:2.7.11
cxf-rt-frontend-jaxws-2.7.11.jar
- File Path: C:\Users\Dad\.m2\repository\org\apache\cxf\cxf-rt-frontend-jaxws\2.7.11\cxf-rt-frontend-jaxws-2.7.11.jar
- SHA1: 81fe848ab1f57c650e74c4a9d691a8c7fc2de996
- MD5: 936f6a5788a926da4319a7c3f9843d39
- maven: org.apache.cxf:cxf-rt-frontend-jaxws:2.7.11
cxf-rt-frontend-simple-2.7.11.jar
- File Path: C:\Users\Dad\.m2\repository\org\apache\cxf\cxf-rt-frontend-simple\2.7.11\cxf-rt-frontend-simple-2.7.11.jar
- SHA1: 4d2bdf8745189d828aa20943c318f96c26834cbc
- MD5: 051a4dadd67296673eb0c655ae9e4f7b
- maven: org.apache.cxf:cxf-rt-frontend-simple:2.7.11
cxf-rt-transports-http-2.7.11.jar
- File Path: C:\Users\Dad\.m2\repository\org\apache\cxf\cxf-rt-transports-http\2.7.11\cxf-rt-transports-http-2.7.11.jar
- SHA1: d3499d88a28120ef6b4fa2430f36acd399d5e83d
- MD5: c194c1056706ddb0f2866af322ec3bcc
- maven: org.apache.cxf:cxf-rt-transports-http:2.7.11
cxf-rt-ws-addr-2.7.11.jar
- File Path: C:\Users\Dad\.m2\repository\org\apache\cxf\cxf-rt-ws-addr\2.7.11\cxf-rt-ws-addr-2.7.11.jar
- SHA1: d6dd43de3ecab8f9f603efb02fb8239250165d2a
- MD5: dc5a8fc838e5755e87afc5b654569928
- maven: org.apache.cxf:cxf-rt-ws-addr:2.7.11
cxf-rt-ws-policy-2.7.11.jar
- File Path: C:\Users\Dad\.m2\repository\org\apache\cxf\cxf-rt-ws-policy\2.7.11\cxf-rt-ws-policy-2.7.11.jar
- SHA1: b70f5e108339cfb1170c3b809ab04054bd22bc65
- MD5: ff885b84c6a4cd3fdca63140dbc2ed24
- maven: org.apache.cxf:cxf-rt-ws-policy:2.7.11
cxf-tools-common-2.7.11.jar
- File Path: C:\Users\Dad\.m2\repository\org\apache\cxf\cxf-tools-common\2.7.11\cxf-tools-common-2.7.11.jar
- SHA1: d2a3812c0762f77047b10e6005a5de815480982d
- MD5: 4d001a005b7587fdd37900e7f3de3347
- maven: org.apache.cxf:cxf-tools-common:2.7.11

Identifiers

cpe: cpe:/a:apache:cxf:2.7.11 Confidence:HIGHEST
maven: org.apache.cxf:cxf-rt-core:2.7.11 Confidence:HIGHEST

Published Vulnerabilities

CVE-2015-5253

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:P/A:N)
CWE: CWE-264 Permissions, Privileges, and Access Controls

The SAML Web SSO module in Apache CXF before 2.7.18, 3.0.x before 3.0.7, and 3.1.x before 3.1.3 allows remote authenticated users to bypass authentication via a crafted SAML response with a valid signed assertion, related to a "wrapping attack."

CONFIRM - http://cxf.apache.org/security-advisories.data/CVE-2015-5253.txt.asc
CONFIRM - https://git-wip-us.apache.org/repos/asf?p=cxf.git;a=commitdiff;h=845eccb6484b43ba02875c71e824db23ae4f20c0
MLIST - [oss-security] 20151114 New security advisory for Apache CXF
REDHAT - RHSA-2016:0321
SECTRACK - 1034162

Vulnerable Software & Versions: (show all)

cpe:/a:apache:cxf:2.7.17 and all previous versions
...
cpe:/a:apache:cxf:2.7.17 and all previous versions
cpe:/a:apache:cxf:3.0.6 and all previous versions
cpe:/a:apache:cxf:3.1.2 and all previous versions

CVE-2014-3623

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)
CWE: CWE-287 Improper Authentication

Apache WSS4J before 1.6.17 and 2.x before 2.0.2, as used in Apache CXF 2.7.x before 2.7.13 and 3.0.x before 3.0.2, when using TransportBinding, does not properly enforce the SAML SubjectConfirmation method security semantics, which allows remote attackers to conduct spoofing attacks via unspecified vectors.

BID - 70736
CONFIRM - https://issues.apache.org/jira/browse/WSS-511
MLIST - [oss-security] 20141024 New security advisories released for Apache CXF
REDHAT - RHSA-2015:0236
REDHAT - RHSA-2015:0675
REDHAT - RHSA-2015:0850
REDHAT - RHSA-2015:0851
XF - apache-cxf-cve20143623-sec-bypass(97754)

Vulnerable Software & Versions: (show all)

CVE-2012-5786

Severity: Medium
CVSS Score: 5.8 (AV:N/AC:M/Au:N/C:P/I:P/A:N)
CWE: CWE-20 Improper Input Validation

The wsdl_first_https sample code in distribution/src/main/release/samples/wsdl_first_https/src/main/ in Apache CXF, possibly 2.6.0, does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.

MISC - http://www.cs.utexas.edu/~shmat/shmat_ccs12.pdf
XF - apache-cxf-ssl-spoofing(79983)

Vulnerable Software & Versions: (show all)

geronimo-javamail_1.4_spec-1.7.1.jar

Description: Javamail 1.4 Specification

License:

http://www.apache.org/licenses/LICENSE-2.0.txt

File Path: C:\Users\Dad\.m2\repository\org\apache\geronimo\specs\geronimo-javamail_1.4_spec\1.7.1\geronimo-javamail_1.4_spec-1.7.1.jar
MD5: f3b9d8c9a79eefdc0ebe07c34612646d
SHA1: 43ad4090b1a07a11c82ac40c01fc4e2fbad20013
Referenced In Project/Scope: fgsms Agent Core:provided

Evidence

Source	Name	Value
central	artifactid	geronimo-javamail_1.4_spec
central	groupid	org.apache.geronimo.specs
central	version	1.7.1
file	name	geronimo-javamail_1.4_spec-1.7.1
manifest	Bundle-Description	Javamail 1.4 Specification
Manifest	bundle-docurl	http://geronimo.apache.org/maven/specs/geronimo-javamail_1.4_spec/1.7.1
Manifest	Bundle-Name	JavaMail 1.4
Manifest	bundle-symbolicname	org.apache.geronimo.specs.geronimo-javamail_1.4_spec;singleton=true
Manifest	Implementation-Title	JavaMail 1.4
Manifest	Implementation-Version	1.7.1
Manifest	specification-title	JSR-919 Javamail API 1.4
Manifest	specification-vendor	Sun Microsystems, Inc.
pom	artifactid	geronimo-javamail_1.4_spec
pom	description	Javamail 1.4 Specification
pom	groupid	apache.geronimo.specs
pom	groupid	org.apache.geronimo.specs
pom	name	JavaMail 1.4
pom	parent-artifactid	genesis-java5-flava
pom	parent-groupid	org.apache.geronimo.genesis
pom	url	http://geronimo.apache.org/maven/${siteId}/${version}
pom	version	1.7.1

Identifiers

maven: org.apache.geronimo.specs:geronimo-javamail_1.4_spec:1.7.1 Confidence:HIGHEST

geronimo-jaxws_2.2_spec-1.1.jar

Description: Java API for XML Web Services 2.2

License:

http://www.apache.org/licenses/LICENSE-2.0.txt

File Path: C:\Users\Dad\.m2\repository\org\apache\geronimo\specs\geronimo-jaxws_2.2_spec\1.1\geronimo-jaxws_2.2_spec-1.1.jar
MD5: d5cbeee473208a649112127e3dc528d3
SHA1: 90745e1423874010d561588c944efeb9552a0091
Referenced In Project/Scope: fgsms Agent Core:provided

Evidence

Source	Name	Value
central	artifactid	geronimo-jaxws_2.2_spec
central	groupid	org.apache.geronimo.specs
central	version	1.1
file	name	geronimo-jaxws_2.2_spec-1.1
manifest	Bundle-Description	Java API for XML Web Services 2.2
Manifest	bundle-docurl	http://geronimo.apache.org/maven/specs/geronimo-jaxws_2.2_spec/1.1
Manifest	Bundle-Name	Apache Geronimo JAX-WS Spec 2.2
Manifest	bundle-symbolicname	org.apache.geronimo.specs.geronimo-jaxws_2.2_spec;singleton=true
Manifest	Implementation-Title	Apache Geronimo JAX-WS Spec 2.2
Manifest	Implementation-Version	1.1
Manifest	specification-title	JSR-224 Java API for XML based Web Services 2.2
Manifest	specification-vendor	Sun Microsystems, Inc.
pom	artifactid	geronimo-jaxws_2.2_spec
pom	description	Java API for XML Web Services 2.2
pom	groupid	apache.geronimo.specs
pom	groupid	org.apache.geronimo.specs
pom	name	Apache Geronimo JAX-WS Spec 2.2
pom	parent-artifactid	genesis-java5-flava
pom	parent-groupid	org.apache.geronimo.genesis
pom	url	http://geronimo.apache.org/maven/${siteId}/${version}
pom	version	1.1

Identifiers

maven: org.apache.geronimo.specs:geronimo-jaxws_2.2_spec:1.1 Confidence:HIGHEST

geronimo-jms_1.1_spec-1.1.1.jar

Description: Provides open-source implementations of Sun specifications.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt

File Path: C:\Users\Dad\.m2\repository\org\apache\geronimo\specs\geronimo-jms_1.1_spec\1.1.1\geronimo-jms_1.1_spec-1.1.1.jar
MD5: d80ce71285696d36c1add1989b94f084
SHA1: c872b46c601d8dc03633288b81269f9e42762cea
Referenced In Project/Scope: fgsms Agent Core:provided

Evidence

Source	Name	Value
central	artifactid	geronimo-jms_1.1_spec
central	groupid	org.apache.geronimo.specs
central	version	1.1.1
file	name	geronimo-jms_1.1_spec-1.1.1
manifest	Bundle-Description	Provides open-source implementations of Sun specifications.
Manifest	bundle-docurl	http://www.apache.org
Manifest	Bundle-Name	geronimo-jms_1.1_spec
Manifest	bundle-symbolicname	org.apache.geronimo.specs.geronimo-jms_1.1_spec
Manifest	Implementation-Title	Apache Geronimo
Manifest	Implementation-Version	1.1.1
pom	artifactid	geronimo-jms_1.1_spec
pom	groupid	apache.geronimo.specs
pom	groupid	org.apache.geronimo.specs
pom	name	JMS 1.1
pom	parent-artifactid	specs
pom	parent-groupid	org.apache.geronimo.specs
pom	version	1.1.1

Identifiers

maven: org.apache.geronimo.specs:geronimo-jms_1.1_spec:1.1.1 Confidence:HIGHEST

geronimo-servlet_3.0_spec-1.0.jar

Description: Servlet 3.0 API

License:

http://www.apache.org/licenses/LICENSE-2.0.txt

File Path: C:\Users\Dad\.m2\repository\org\apache\geronimo\specs\geronimo-servlet_3.0_spec\1.0\geronimo-servlet_3.0_spec-1.0.jar
MD5: 10d92f2ddb23703f0f48d046016e3e9d
SHA1: 0d45e479fd200236c71182c5f6b6077a5fb53f89
Referenced In Project/Scope: fgsms Agent Core:provided

Evidence

Source	Name	Value
central	artifactid	geronimo-servlet_3.0_spec
central	groupid	org.apache.geronimo.specs
central	version	1.0
file	name	geronimo-servlet_3.0_spec-1.0
manifest	Bundle-Description	Servlet 3.0 API
Manifest	bundle-docurl	http://geronimo.apache.org/maven/specs/geronimo-servlet_3.0_spec/1.0
Manifest	Bundle-Name	Servlet 3.0
Manifest	bundle-symbolicname	org.apache.geronimo.specs.geronimo-servlet_3.0_spec
Manifest	Implementation-Title	Servlet 3.0
Manifest	Implementation-Version	1.0
pom	artifactid	geronimo-servlet_3.0_spec
pom	description	Servlet 3.0 API
pom	groupid	apache.geronimo.specs
pom	groupid	org.apache.geronimo.specs
pom	name	Servlet 3.0
pom	parent-artifactid	genesis-java5-flava
pom	parent-groupid	org.apache.geronimo.genesis
pom	url	http://geronimo.apache.org/maven/${siteId}/${version}
pom	version	1.0

Identifiers

maven: org.apache.geronimo.specs:geronimo-servlet_3.0_spec:1.0 Confidence:HIGHEST

httpasyncclient-4.0-beta3.jar

Description: HttpComponents AsyncClient (base module)

File Path: C:\Users\Dad\.m2\repository\org\apache\httpcomponents\httpasyncclient\4.0-beta3\httpasyncclient-4.0-beta3.jar
MD5: 0d7de844d1e348bf2d01ea84da612edf
SHA1: c841ffe78b77d6ca1fd38f744e2b107b5f6f74d6
Referenced In Project/Scope: fgsms Agent Core:provided

Evidence

Source	Name	Value
central	artifactid	httpasyncclient
central	groupid	org.apache.httpcomponents
central	version	4.0-beta3
file	name	httpasyncclient
Manifest	implementation-build	tags/4.0-beta3-RC1/httpasyncclient@r1389512; 2012-09-24 20:03:55+0100
Manifest	Implementation-Title	HttpComponents HttpAsyncClient
Manifest	Implementation-Vendor	The Apache Software Foundation
Manifest	Implementation-Vendor-Id	org.apache
Manifest	Implementation-Version	4.0-beta3
Manifest	specification-title	HttpComponents HttpAsyncClient
Manifest	specification-vendor	The Apache Software Foundation
Manifest	url	http://hc.apache.org/httpcomponents-asyncclient
pom	artifactid	httpasyncclient
pom	description	HttpComponents AsyncClient (base module)
pom	groupid	apache.httpcomponents
pom	groupid	org.apache.httpcomponents
pom	name	HttpAsyncClient
pom	parent-artifactid	httpcomponents-asyncclient
pom	parent-groupid	org.apache.httpcomponents
pom	url	http://hc.apache.org/httpcomponents-asyncclient
pom	version	4.0-beta3

Identifiers

cpe: cpe:/a:apache:httpasyncclient:4.0.beta Confidence:LOW
maven: org.apache.httpcomponents:httpasyncclient:4.0-beta3 Confidence:HIGHEST

Published Vulnerabilities

CVE-2014-3577

Severity: Medium
CVSS Score: 5.8 (AV:N/AC:M/Au:N/C:P/I:P/A:N)

org.apache.http.conn.ssl.AbstractVerifier in Apache HttpComponents HttpClient before 4.3.5 and HttpAsyncClient before 4.0.2 does not properly verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via a "CN=" string in a field in the distinguished name (DN) of a certificate, as demonstrated by the "foo,CN=www.apache.org" string in the O field.

BID - 69258
CONFIRM - https://access.redhat.com/solutions/1165533
CONFIRM - https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05103564
CONFIRM - https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05363782
FULLDISC - 20140818 CVE-2014-3577: Apache HttpComponents client: Hostname verification susceptible to MITM attack
MISC - http://packetstormsecurity.com/files/127913/Apache-HttpComponents-Man-In-The-Middle.html
OSVDB - 110143
REDHAT - RHSA-2014:1146
REDHAT - RHSA-2014:1166
REDHAT - RHSA-2014:1833
REDHAT - RHSA-2014:1834
REDHAT - RHSA-2014:1835
REDHAT - RHSA-2014:1836
REDHAT - RHSA-2014:1891
REDHAT - RHSA-2014:1892
REDHAT - RHSA-2015:0125
REDHAT - RHSA-2015:0158
REDHAT - RHSA-2015:0675
REDHAT - RHSA-2015:0720
REDHAT - RHSA-2015:0765
REDHAT - RHSA-2015:0850
REDHAT - RHSA-2015:0851
REDHAT - RHSA-2015:1176
REDHAT - RHSA-2015:1177
SECTRACK - 1030812
SECUNIA - 60466
UBUNTU - USN-2769-1
XF - apache-cve20143577-spoofing(95327)

Vulnerable Software & Versions: (show all)

httpclient-4.3.3.jar

Description: HttpComponents Client

File Path: C:\Users\Dad\.m2\repository\org\apache\httpcomponents\httpclient\4.3.3\httpclient-4.3.3.jar
MD5: 88cc3123fce88d61b7c2cdbfc33542c5
SHA1: 18f4247ff4572a074444572cee34647c43e7c9c7
Referenced In Project/Scope: fgsms Agent Core:provided

Evidence

Source	Name	Value
central	artifactid	httpclient
central	groupid	org.apache.httpcomponents
central	version	4.3.3
file	name	httpclient
file	version	4.3.3
Manifest	implementation-build	tags/4.3.3-RC1/httpclient@r1570731; 2014-02-22 09:04:11-0500
Manifest	Implementation-Title	HttpComponents Apache HttpClient
Manifest	Implementation-Vendor	The Apache Software Foundation
Manifest	Implementation-Vendor-Id	org.apache
Manifest	Implementation-Version	4.3.3
Manifest	specification-title	HttpComponents Apache HttpClient
Manifest	specification-vendor	The Apache Software Foundation
Manifest	url	http://hc.apache.org/httpcomponents-client
pom	artifactid	httpclient
pom	description	HttpComponents Client
pom	groupid	apache.httpcomponents
pom	groupid	org.apache.httpcomponents
pom	name	Apache HttpClient
pom	parent-artifactid	httpcomponents-client
pom	parent-groupid	org.apache.httpcomponents
pom	url	http://hc.apache.org/httpcomponents-client
pom	version	4.3.3

Identifiers

cpe: cpe:/a:apache:httpclient:4.3.3 Confidence:HIGHEST
maven: org.apache.httpcomponents:httpclient:4.3.3 Confidence:HIGHEST

Published Vulnerabilities

CVE-2015-5262

Severity: Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:N/A:P)
CWE: CWE-399 Resource Management Errors

http/conn/ssl/SSLConnectionSocketFactory.java in Apache HttpComponents HttpClient before 4.3.6 ignores the http.socket.timeout configuration setting during an SSL handshake, which allows remote attackers to cause a denial of service (HTTPS call hang) via unspecified vectors.

CONFIRM - http://svn.apache.org/viewvc?view=revision&revision=1626784
CONFIRM - https://bugzilla.redhat.com/show_bug.cgi?id=1261538
CONFIRM - https://issues.apache.org/jira/browse/HTTPCLIENT-1478
FEDORA - FEDORA-2015-15588
FEDORA - FEDORA-2015-15589
FEDORA - FEDORA-2015-15590
SECTRACK - 1033743
UBUNTU - USN-2769-1

Vulnerable Software & Versions:

cpe:/a:apache:httpclient:4.3.5 and all previous versions

CVE-2014-3577

Severity: Medium
CVSS Score: 5.8 (AV:N/AC:M/Au:N/C:P/I:P/A:N)

BID - 69258
CONFIRM - https://access.redhat.com/solutions/1165533
CONFIRM - https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05103564
CONFIRM - https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05363782
FULLDISC - 20140818 CVE-2014-3577: Apache HttpComponents client: Hostname verification susceptible to MITM attack
MISC - http://packetstormsecurity.com/files/127913/Apache-HttpComponents-Man-In-The-Middle.html
OSVDB - 110143
REDHAT - RHSA-2014:1146
REDHAT - RHSA-2014:1166
REDHAT - RHSA-2014:1833
REDHAT - RHSA-2014:1834
REDHAT - RHSA-2014:1835
REDHAT - RHSA-2014:1836
REDHAT - RHSA-2014:1891
REDHAT - RHSA-2014:1892
REDHAT - RHSA-2015:0125
REDHAT - RHSA-2015:0158
REDHAT - RHSA-2015:0675
REDHAT - RHSA-2015:0720
REDHAT - RHSA-2015:0765
REDHAT - RHSA-2015:0850
REDHAT - RHSA-2015:0851
REDHAT - RHSA-2015:1176
REDHAT - RHSA-2015:1177
SECTRACK - 1030812
SECUNIA - 60466
UBUNTU - USN-2769-1
XF - apache-cve20143577-spoofing(95327)

Vulnerable Software & Versions: (show all)

httpcore-nio-4.2.4.jar

Description: HttpComponents Core (non-blocking I/O)

File Path: C:\Users\Dad\.m2\repository\org\apache\httpcomponents\httpcore-nio\4.2.4\httpcore-nio-4.2.4.jar
MD5: db3f32abe8abad5b442e77d624db666f
SHA1: 78afeee7048b6f541f0b2290a926b2af5768410f
Referenced In Project/Scope: fgsms Agent Core:provided

Evidence

Source	Name	Value
central	artifactid	httpcore-nio
central	groupid	org.apache.httpcomponents
central	version	4.2.4
file	name	httpcore-nio
file	version	4.2.4
Manifest	implementation-build	tags/4.2.4-RC2/httpcore-nio@r1458734; 2013-03-20 17:11:49+0100
Manifest	Implementation-Title	HttpComponents HttpCore NIO
Manifest	Implementation-Vendor	The Apache Software Foundation
Manifest	Implementation-Vendor-Id	org.apache
Manifest	Implementation-Version	4.2.4
Manifest	specification-title	HttpComponents HttpCore NIO
Manifest	specification-vendor	The Apache Software Foundation
Manifest	url	http://hc.apache.org/httpcomponents-core-ga
pom	artifactid	httpcore-nio
pom	description	HttpComponents Core (non-blocking I/O)
pom	groupid	apache.httpcomponents
pom	groupid	org.apache.httpcomponents
pom	name	HttpCore NIO
pom	parent-artifactid	httpcomponents-core
pom	parent-groupid	org.apache.httpcomponents
pom	url	http://hc.apache.org/httpcomponents-core-ga
pom	version	4.2.4

Identifiers

maven: org.apache.httpcomponents:httpcore-nio:4.2.4 Confidence:HIGHEST

httpcore-4.2.4.jar

Description: HttpComponents Core (blocking I/O)

File Path: C:\Users\Dad\.m2\repository\org\apache\httpcomponents\httpcore\4.2.4\httpcore-4.2.4.jar
MD5: 6ccb86231d8a8b99c551b4ddf926ddd1
SHA1: 3b7f38df6de5dd8b500e602ae8c2dd5ee446f883
Referenced In Project/Scope: fgsms Agent Core:provided

Evidence

Source	Name	Value
central	artifactid	httpcore
central	groupid	org.apache.httpcomponents
central	version	4.2.4
file	name	httpcore
file	version	4.2.4
Manifest	implementation-build	tags/4.2.4-RC2/httpcore@r1458734; 2013-03-20 17:11:49+0100
Manifest	Implementation-Title	HttpComponents HttpCore
Manifest	Implementation-Vendor	The Apache Software Foundation
Manifest	Implementation-Vendor-Id	org.apache
Manifest	Implementation-Version	4.2.4
Manifest	specification-title	HttpComponents HttpCore
Manifest	specification-vendor	The Apache Software Foundation
Manifest	url	http://hc.apache.org/httpcomponents-core-ga
pom	artifactid	httpcore
pom	description	HttpComponents Core (blocking I/O)
pom	groupid	apache.httpcomponents
pom	groupid	org.apache.httpcomponents
pom	name	HttpCore
pom	parent-artifactid	httpcomponents-core
pom	parent-groupid	org.apache.httpcomponents
pom	url	http://hc.apache.org/httpcomponents-core-ga
pom	version	4.2.4

Identifiers

maven: org.apache.httpcomponents:httpcore:4.2.4 Confidence:HIGHEST

mina-core-2.0.7.jar

Description: Apache MINA is a network application framework which helps users develop high performance and highly scalable network applications easily. It provides an abstract event-driven asynchronous API over various transports such as TCP/IP and UDP/IP via Java NIO.

License:

http://www.apache.org/licenses/LICENSE-2.0

File Path: C:\Users\Dad\.m2\repository\org\apache\mina\mina-core\2.0.7\mina-core-2.0.7.jar
MD5: f4e43e7fa0514a9bc88968d64a6322d8
SHA1: c878e2aa82de748474a624ec3933e4604e446dec
Referenced In Project/Scope: fgsms Agent Core:provided

Evidence

Source	Name	Value
central	artifactid	mina-core
central	groupid	org.apache.mina
central	version	2.0.7
file	name	mina-core
file	version	2.0.7
manifest	Bundle-Description	Apache MINA is a network application framework which helps users develop high performance and highly scalable network applications easily. It provides an abstract event-driven asynchronous API over various transports ...
Manifest	bundle-docurl	http://mina.apache.org/
Manifest	Bundle-Name	Apache MINA Core
Manifest	bundle-symbolicname	org.apache.mina.core
pom	artifactid	mina-core
pom	groupid	apache.mina
pom	groupid	org.apache.mina
pom	name	Apache MINA Core
pom	parent-artifactid	mina-parent
pom	parent-groupid	org.apache.mina
pom	version	2.0.7

Identifiers

maven: org.apache.mina:mina-core:2.0.7 Confidence:HIGHEST

neethi-3.0.3.jar

Description: Apache Neethi provides general framework for the programmers to use WS Policy. It is compliant with latest WS Policy specification which was published in March 2006. This framework is specifically written to enable the Apache Web services stack to use WS Policy as a way of expressing it's requirements and capabilities.

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt

File Path: C:\Users\Dad\.m2\repository\org\apache\neethi\neethi\3.0.3\neethi-3.0.3.jar
MD5: 8a81813a03e2899ccd31f0e92f6cc691
SHA1: ee37a38bbf9f355ee88ba554a85c9220b75ba500
Referenced In Project/Scope: fgsms Agent Core:provided

Evidence

Source	Name	Value
central	artifactid	neethi
central	groupid	org.apache.neethi
central	version	3.0.3
file	name	neethi
file	version	3.0.3
manifest	Bundle-Description	Apache Neethi provides general framework for the programmers to use WS Policy. It is compliant with latest WS Policy specification which was published in March 2006. This framework is specifically written to enable the Apache Web services stack to use WS Policy as a way of expressing it's requirements and capabilities.
Manifest	bundle-docurl	http://www.apache.org/
Manifest	Bundle-Name	Apache Neethi
Manifest	bundle-symbolicname	org.apache.neethi
Manifest	Implementation-Title	Apache Neethi
Manifest	Implementation-Vendor	The Apache Software Foundation
Manifest	Implementation-Vendor-Id	org.apache
Manifest	Implementation-Version	3.0.3
Manifest	specification-title	Apache Neethi
Manifest	specification-vendor	The Apache Software Foundation
pom	artifactid	neethi
pom	description	Apache Neethi provides general framework for the programmers to use WS Policy. It is compliant with latest WS Policy specification which was published in March 2006. This framework is specifically written to enable the Apache Web services stack to use WS Policy as a way of expressing it's requirements and capabilities.
pom	groupid	apache.neethi
pom	groupid	org.apache.neethi
pom	name	Apache Neethi
pom	organization name	http://www.apache.org/
pom	parent-artifactid	apache
pom	parent-groupid	org.apache
pom	url	http://ws.apache.org/neethi/
pom	version	3.0.3

Identifiers

cpe: cpe:/a:apache:apache_test:3.0.3 Confidence:LOW
maven: org.apache.neethi:neethi:3.0.3 Confidence:HIGHEST

xmlsec-1.5.6.jar

Description: Apache XML Security for Java supports XML-Signature Syntax and Processing, W3C Recommendation 12 February 2002, and XML Encryption Syntax and Processing, W3C Recommendation 10 December 2002. As of version 1.4, the library supports the standard Java API JSR-105: XML Digital Signature APIs.

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt

File Path: C:\Users\Dad\.m2\repository\org\apache\santuario\xmlsec\1.5.6\xmlsec-1.5.6.jar
MD5: 592e0d74b5d62663ff1eb0ca95b410cc
SHA1: 0586cd437eaf166640b632eb6cfcfec2ebf52474
Referenced In Project/Scope: fgsms Agent Core:provided

Evidence

Source	Name	Value
central	artifactid	xmlsec
central	groupid	org.apache.santuario
central	version	1.5.6
file	name	xmlsec
file	version	1.5.6
manifest	Bundle-Description	Apache XML Security for Java supports XML-Signature Syntax and Processing, W3C Recommendation 12 February 2002, and XML Encryption Syntax and Processing, W3C Recommendation 10 December 2002. As of version 1.4, the library supports the standard Java API JSR-105: XML Digital Signature APIs.
Manifest	bundle-docurl	http://www.apache.org/
Manifest	Bundle-Name	Apache XML Security for Java
Manifest	bundle-symbolicname	org.apache.santuario.xmlsec
Manifest	Implementation-Title	Apache XML Security for Java
Manifest	Implementation-Vendor	The Apache Software Foundation
Manifest	Implementation-Vendor-Id	org.apache.santuario
Manifest	Implementation-Version	1.5.6
Manifest	specification-title	Apache XML Security for Java
Manifest	specification-vendor	The Apache Software Foundation
pom	artifactid	xmlsec
pom	description	Apache XML Security for Java supports XML-Signature Syntax and Processing, W3C Recommendation 12 February 2002, and XML Encryption Syntax and Processing, W3C Recommendation 10 December 2002. As of version 1.4, the library supports the standard Java API JSR-105: XML Digital Signature APIs.
pom	groupid	apache.santuario
pom	groupid	org.apache.santuario
pom	name	Apache XML Security for Java
pom	organization name	http://www.apache.org/
pom	parent-artifactid	apache
pom	parent-groupid	org.apache
pom	url	http://santuario.apache.org/
pom	version	1.5.6

Identifiers

cpe: cpe:/a:apache:xml_security_for_java:1.5.6 Confidence:LOW
maven: org.apache.santuario:xmlsec:1.5.6 Confidence:HIGHEST

velocity-1.7.jar

Description: Apache Velocity is a general purpose template engine.

File Path: C:\Users\Dad\.m2\repository\org\apache\velocity\velocity\1.7\velocity-1.7.jar
MD5: 3692dd72f8367cb35fb6280dc2916725
SHA1: 2ceb567b8f3f21118ecdec129fe1271dbc09aa7a
Referenced In Project/Scope: fgsms Agent Core:provided

Evidence

Source	Name	Value
central	artifactid	velocity
central	groupid	org.apache.velocity
central	version	1.7
file	name	velocity
file	version	1.7
Manifest	Bundle-Name	Apache Velocity
Manifest	bundle-symbolicname	org.apache.velocity
Manifest	extension-name	velocity
Manifest	Implementation-Title	org.apache.velocity
Manifest	Implementation-Vendor	Apache Software Foundation
Manifest	Implementation-Vendor-Id	org.apache
Manifest	Implementation-Version	1.7
Manifest	specification-title	Velocity is a Java-based template engine
Manifest	specification-vendor	Apache Software Foundation
pom	artifactid	velocity
pom	description	Apache Velocity is a general purpose template engine.
pom	groupid	apache.velocity
pom	groupid	org.apache.velocity
pom	name	Apache Velocity
pom	parent-artifactid	apache
pom	parent-groupid	org.apache
pom	url	http://velocity.apache.org/engine/devel/
pom	version	1.7

Identifiers

maven: org.apache.velocity:velocity:1.7 Confidence:HIGHEST

wss4j-1.6.15.jar

Description: The Apache WSS4J project provides a Java implementation of the primary security standards for Web Services, namely the OASIS Web Services Security (WS-Security) specifications from the OASIS Web Services Security TC.

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt

File Path: C:\Users\Dad\.m2\repository\org\apache\ws\security\wss4j\1.6.15\wss4j-1.6.15.jar
MD5: 33fb88ebda6899f82a0a1a9b6279d8f8
SHA1: aa3313807a4cdd2dcc4c984643619d9f8df4a267
Referenced In Project/Scope: fgsms Agent Core:provided

Evidence

Source	Name	Value
central	artifactid	wss4j
central	groupid	org.apache.ws.security
central	version	1.6.15
file	name	wss4j
file	version	1.6.15
manifest	Bundle-Description	The Apache WSS4J project provides a Java implementation of the primary security standards for Web Services, namely the OASIS Web Services Security (WS-Security) specifications from the OASIS Web Services Security TC.
Manifest	bundle-docurl	http://www.apache.org/
Manifest	Bundle-Name	Apache WSS4J
Manifest	bundle-symbolicname	org.apache.ws.security.wss4j
Manifest	Implementation-Title	Apache WSS4J
Manifest	Implementation-Vendor	The Apache Software Foundation
Manifest	Implementation-Vendor-Id	org.apache
Manifest	Implementation-Version	1.6.15
Manifest	specification-title	Apache WSS4J
Manifest	specification-vendor	The Apache Software Foundation
pom	artifactid	wss4j
pom	description	The Apache WSS4J project provides a Java implementation of the primary security standards for Web Services, namely the OASIS Web Services Security (WS-Security) specifications from the OASIS Web Services Security TC.
pom	groupid	apache.ws.security
pom	groupid	org.apache.ws.security
pom	name	Apache WSS4J
pom	organization name	http://www.apache.org/
pom	parent-artifactid	apache
pom	parent-groupid	org.apache
pom	url	http://ws.apache.org/wss4j/
pom	version	1.6.15

Identifiers

cpe: cpe:/a:apache:wss4j:1.6.15 Confidence:HIGHEST
maven: org.apache.ws.security:wss4j:1.6.15 Confidence:HIGHEST

Published Vulnerabilities

CVE-2015-0227

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)
CWE: CWE-264 Permissions, Privileges, and Access Controls

Apache WSS4J before 1.6.17 and 2.x before 2.0.2 allows remote attackers to bypass the requireSignedEncryptedDataElements configuration via a vectors related to "wrapping attacks."

BID - 72557
CONFIRM - http://ws.apache.org/wss4j/advisories/CVE-2015-0227.txt.asc
REDHAT - RHSA-2015:0773
REDHAT - RHSA-2015:0846
REDHAT - RHSA-2015:0847
REDHAT - RHSA-2015:0848
REDHAT - RHSA-2015:0849
REDHAT - RHSA-2015:1176
REDHAT - RHSA-2015:1177
XF - apache-wss4j-sec-bypass(100837)

Vulnerable Software & Versions: (show all)

cpe:/a:apache:wss4j:1.6.16 and all previous versions
...
cpe:/a:apache:wss4j:1.6.16 and all previous versions
cpe:/a:apache:wss4j:2.0.0
cpe:/a:apache:wss4j:2.0.0:rc1
cpe:/a:apache:wss4j:2.0.1

CVE-2014-3623

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)
CWE: CWE-287 Improper Authentication

BID - 70736
CONFIRM - https://issues.apache.org/jira/browse/WSS-511
MLIST - [oss-security] 20141024 New security advisories released for Apache CXF
REDHAT - RHSA-2015:0236
REDHAT - RHSA-2015:0675
REDHAT - RHSA-2015:0850
REDHAT - RHSA-2015:0851
XF - apache-cxf-cve20143623-sec-bypass(97754)

Vulnerable Software & Versions: (show all)

xmlschema-core-2.1.0.jar

Description: Commons XMLSchema is a light weight schema object model that can be used to manipulate or generate XML schema.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt

File Path: C:\Users\Dad\.m2\repository\org\apache\ws\xmlschema\xmlschema-core\2.1.0\xmlschema-core-2.1.0.jar
MD5: 0856f69b09dcb6e0f47f1aee13c9b74d
SHA1: 93415557e2867469c33be98ab330655dd714297d
Referenced In Project/Scope: fgsms Agent Core:provided

Evidence

Source	Name	Value
central	artifactid	xmlschema-core
central	groupid	org.apache.ws.xmlschema
central	version	2.1.0
file	name	xmlschema-core
file	version	2.1.0
manifest	Bundle-Description	Commons XMLSchema is a light weight schema object model that can be used to manipulate or generate XML schema.
Manifest	bundle-docurl	http://www.apache.org/
Manifest	Bundle-Name	XmlSchema Core
Manifest	bundle-symbolicname	org.apache.ws.xmlschema.core
pom	artifactid	xmlschema-core
pom	description	Commons XMLSchema is a light weight schema object model that can be used to manipulate or generate XML schema.
pom	groupid	apache.ws.xmlschema
pom	groupid	org.apache.ws.xmlschema
pom	name	XmlSchema Core
pom	parent-artifactid	xmlschema
pom	parent-groupid	org.apache.ws.xmlschema
pom	version	2.1.0

Identifiers

maven: org.apache.ws.xmlschema:xmlschema-core:2.1.0 Confidence:HIGHEST

xmlbeans-2.6.0.jar

Description: XmlBeans main jar

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt

File Path: C:\Users\Dad\.m2\repository\org\apache\xmlbeans\xmlbeans\2.6.0\xmlbeans-2.6.0.jar
MD5: 6591c08682d613194dacb01e95c78c2c
SHA1: 29e80d2dd51f9dcdef8f9ffaee0d4dc1c9bbfc87
Referenced In Project/Scope: fgsms Agent Core:provided

Evidence

Source	Name	Value
central	artifactid	xmlbeans
central	groupid	org.apache.xmlbeans
central	version	2.6.0
file	name	xmlbeans
file	version	2.6.0
manifest: org/apache/xmlbeans/	Implementation-Title	org.apache.xmlbeans
manifest: org/apache/xmlbeans/	Implementation-Vendor	Apache Software Foundation
pom	artifactid	xmlbeans
pom	description	XmlBeans main jar
pom	groupid	apache.xmlbeans
pom	groupid	org.apache.xmlbeans
pom	name	XmlBeans
pom	organization name	http://xmlbeans.apache.org/
pom	url	http://xmlbeans.apache.org
pom	version	2.6.0

Identifiers

maven: org.apache.xmlbeans:xmlbeans:2.6.0 Confidence:HIGHEST

stax2-api-3.1.4.jar

Description: tax2 API is an extension to basic Stax 1.0 API that adds significant new functionality, such as full-featured bi-direction validation interface and high-performance Typed Access API.

License:

The BSD License: http://www.opensource.org/licenses/bsd-license.php

File Path: C:\Users\Dad\.m2\repository\org\codehaus\woodstox\stax2-api\3.1.4\stax2-api-3.1.4.jar
MD5: c08e89de601b0a78f941b2c29db565c3
SHA1: ac19014b1e6a7c08aad07fe114af792676b685b7
Referenced In Project/Scope: fgsms Agent Core:provided

Evidence

Source	Name	Value
central	artifactid	stax2-api
central	groupid	org.codehaus.woodstox
central	version	3.1.4
file	name	stax2-api
file	version	3.1.4
manifest	Bundle-Description	tax2 API is an extension to basic Stax 1.0 API that adds significant new functionality, such as full-featured bi-direction validation interface and high-performance Typed Access API.
Manifest	bundle-docurl	http://fasterxml.com
Manifest	Bundle-Name	Stax2 API
Manifest	bundle-symbolicname	stax2-api
pom	artifactid	stax2-api
pom	description	tax2 API is an extension to basic Stax 1.0 API that adds significant new functionality, such as full-featured bi-direction validation interface and high-performance Typed Access API.
pom	groupid	codehaus.woodstox
pom	groupid	org.codehaus.woodstox
pom	name	Stax2 API
pom	organization name	http://fasterxml.com
pom	url	http://wiki.fasterxml.com/WoodstoxStax2
pom	version	3.1.4

Identifiers

maven: org.codehaus.woodstox:stax2-api:3.1.4 Confidence:HIGHEST

woodstox-core-asl-4.2.1.jar

Description: Woodstox is a high-performance XML processor that implements Stax (JSR-173) and SAX2 APIs

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt

File Path: C:\Users\Dad\.m2\repository\org\codehaus\woodstox\woodstox-core-asl\4.2.1\woodstox-core-asl-4.2.1.jar
MD5: 767eb8001863dd8bf101c6756e7feed2
SHA1: 0ce8115adb515bc740dbe726a918983c48c9752d
Referenced In Project/Scope: fgsms Agent Core:provided

Evidence

Source	Name	Value
central	artifactid	woodstox-core-asl
central	groupid	org.codehaus.woodstox
central	version	4.2.1
file	name	woodstox-core-asl
file	version	4.2.1
Manifest	Bundle-Name	Woodstox XML-processor
Manifest	bundle-requiredexecutionenvironment	J2SE-1.4
Manifest	bundle-symbolicname	woodstox-core-asl
Manifest	Implementation-Title	Woodstox XML-processor
Manifest	Implementation-Vendor	http://woodstox.codehaus.org
Manifest	Implementation-Version	4.2.1
Manifest	specification-title	Stax 1.0 API
Manifest	specification-vendor	http://jcp.org/en/jsr/detail?id=173
pom	artifactid	woodstox-core-asl
pom	description	Woodstox is a high-performance XML processor that implements Stax (JSR-173) and SAX2 APIs
pom	groupid	codehaus.woodstox
pom	groupid	org.codehaus.woodstox
pom	name	Woodstox
pom	organization name	http://www.codehaus.org/
pom	url	http://woodstox.codehaus.org
pom	version	4.2.1

Identifiers

maven: org.codehaus.woodstox:woodstox-core-asl:4.2.1 Confidence:HIGHEST

jetty-http-8.1.14.v20131031.jar

Description: Administrative parent pom for Jetty modules

License:

http://www.apache.org/licenses/LICENSE-2.0, http://www.eclipse.org/org/documents/epl-v10.php

File Path: C:\Users\Dad\.m2\repository\org\eclipse\jetty\jetty-http\8.1.14.v20131031\jetty-http-8.1.14.v20131031.jar
MD5: b8fe3573099f356c3d4af675e05f1790
SHA1: 8dd4e01b374e16cf0335b7975a7aa0a57396d5da
Referenced In Project/Scope: fgsms Agent Core:provided

Evidence

Source	Name	Value
central	artifactid	jetty-http
central	groupid	org.eclipse.jetty
central	version	8.1.14.v20131031
file	name	jetty-http
file	version	8.1.14.v20131031
Manifest	bundle-copyright	Copyright (c) 2008-2012 Mort Bay Consulting Pty. Ltd.
manifest	Bundle-Description	Administrative parent pom for Jetty modules
Manifest	bundle-docurl	http://www.eclipse.org/jetty
Manifest	Bundle-Name	Jetty :: Http Utility
Manifest	bundle-requiredexecutionenvironment	J2SE-1.5
Manifest	bundle-symbolicname	org.eclipse.jetty.http
Manifest	Implementation-Vendor	Eclipse.org - Jetty
Manifest	Implementation-Version	8.1.14.v20131031
Manifest	url	http://www.eclipse.org/jetty
pom	artifactid	jetty-http
pom	groupid	eclipse.jetty
pom	groupid	org.eclipse.jetty
pom	name	Jetty :: Http Utility
pom	parent-artifactid	jetty-project
pom	parent-groupid	org.eclipse.jetty
pom	url	http://www.eclipse.org/jetty
pom	version	8.1.14.v20131031

Related Dependencies

jetty-continuation-8.1.14.v20131031.jar
- File Path: C:\Users\Dad\.m2\repository\org\eclipse\jetty\jetty-continuation\8.1.14.v20131031\jetty-continuation-8.1.14.v20131031.jar
- SHA1: e3396abd21360191c2277e848eff489b58bba45d
- MD5: 357ae1274620514ed1ef0c9d6aa0b495
- maven: org.eclipse.jetty:jetty-continuation:8.1.14.v20131031
jetty-security-8.1.14.v20131031.jar
- File Path: C:\Users\Dad\.m2\repository\org\eclipse\jetty\jetty-security\8.1.14.v20131031\jetty-security-8.1.14.v20131031.jar
- SHA1: d6fd7add8e6015a95558b67b43edf7752a925884
- MD5: b17854f63e7e9b643bfc6840deda9f32
- maven: org.eclipse.jetty:jetty-security:8.1.14.v20131031
jetty-server-8.1.14.v20131031.jar
- File Path: C:\Users\Dad\.m2\repository\org\eclipse\jetty\jetty-server\8.1.14.v20131031\jetty-server-8.1.14.v20131031.jar
- SHA1: 7f7f9b929b9d9169dd68f36327c819ab9a03a661
- MD5: 66cf44a05a3590a888d74249887981c5
- maven: org.eclipse.jetty:jetty-server:8.1.14.v20131031
jetty-util-8.1.14.v20131031.jar
- File Path: C:\Users\Dad\.m2\repository\org\eclipse\jetty\jetty-util\8.1.14.v20131031\jetty-util-8.1.14.v20131031.jar
- SHA1: 43063284480a41eca024dc8852452eedf6379c16
- MD5: 40b85a1c68dd0254ac48e901767d8d61
- maven: org.eclipse.jetty:jetty-util:8.1.14.v20131031

Identifiers

cpe: cpe:/a:eclipse:jetty:8.1.14.v20131031 Confidence:LOW
cpe: cpe:/a:jetty:jetty:8.1.14.v20131031 Confidence:LOW
maven: org.eclipse.jetty:jetty-http:8.1.14.v20131031 Confidence:HIGHEST

jetty-io-8.1.14.v20131031.jar

Description: Administrative parent pom for Jetty modules

License:

http://www.apache.org/licenses/LICENSE-2.0, http://www.eclipse.org/org/documents/epl-v10.php

File Path: C:\Users\Dad\.m2\repository\org\eclipse\jetty\jetty-io\8.1.14.v20131031\jetty-io-8.1.14.v20131031.jar
MD5: e62180200f8e3cf6be6aebc4b5988723
SHA1: 12f6f92d7e58349501f2cfc0716b8f1c6a2962eb
Referenced In Project/Scope: fgsms Agent Core:provided

Evidence

Source	Name	Value
central	artifactid	jetty-io
central	groupid	org.eclipse.jetty
central	version	8.1.14.v20131031
file	name	jetty-io
file	version	8.1.14.v20131031
Manifest	bundle-copyright	Copyright (c) 2008-2012 Mort Bay Consulting Pty. Ltd.
manifest	Bundle-Description	Administrative parent pom for Jetty modules
Manifest	bundle-docurl	http://www.eclipse.org/jetty
Manifest	Bundle-Name	Jetty :: IO Utility
Manifest	bundle-requiredexecutionenvironment	J2SE-1.5
Manifest	bundle-symbolicname	org.eclipse.jetty.io
Manifest	Implementation-Vendor	Eclipse.org - Jetty
Manifest	Implementation-Version	8.1.14.v20131031
Manifest	url	http://www.eclipse.org/jetty
pom	artifactid	jetty-io
pom	groupid	eclipse.jetty
pom	groupid	org.eclipse.jetty
pom	name	Jetty :: IO Utility
pom	parent-artifactid	jetty-project
pom	parent-groupid	org.eclipse.jetty
pom	url	http://www.eclipse.org/jetty
pom	version	8.1.14.v20131031

Identifiers

cpe: cpe:/a:eclipse:jetty:8.1.14.v20131031 Confidence:LOW
maven: org.eclipse.jetty:jetty-io:8.1.14.v20131031 Confidence:HIGHEST

opensaml-2.6.1.jar

Description: The OpenSAML-J library provides tools to support developers working with the Security Assertion Markup Language (SAML).

File Path: C:\Users\Dad\.m2\repository\org\opensaml\opensaml\2.6.1\opensaml-2.6.1.jar
MD5: ba52e68b7522c3804fc196f56e31ca64
SHA1: 66992ce167f18e4552b79bc38d412f53ad2d80a1
Referenced In Project/Scope: fgsms Agent Core:provided

Evidence

Source	Name	Value
central	artifactid	opensaml
central	groupid	org.opensaml
central	version	2.6.1
file	name	opensaml
file	version	2.6.1
manifest: org/opensaml/	Implementation-Title	opensaml
manifest: org/opensaml/	Implementation-Vendor	www.opensaml.org
manifest: org/opensaml/saml1/	Specification-Title	Assertions and Protocol for the OASIS Security Assertion Markup Language (SAML) V1.1
manifest: org/opensaml/saml2/	Specification-Title	Assertions and Protocol for the OASIS Security Assertion Markup Language (SAML) V2.0
manifest: org/opensaml/xacml/	Specification-Title	eXtensible Access Control Markup Language (XACML) Version 2.0
manifest: org/opensaml/xacml/profile/saml/	Specification-Title	SAML 2.0 Profile of XACML, Version 2
pom	artifactid	opensaml
pom	description	The OpenSAML-J library provides tools to support developers working with the Security Assertion Markup Language (SAML).
pom	groupid	opensaml
pom	groupid	org.opensaml
pom	name	OpenSAML-J
pom	parent-artifactid	parent-v2
pom	parent-groupid	net.shibboleth
pom	version	2.6.1

Identifiers

maven: org.opensaml:opensaml:2.6.1 Confidence:HIGHEST

openws-1.5.1.jar

Description: The OpenWS library provides a growing set of tools to work with web services at a low level. These tools include classes for creating and reading SOAP messages, transport-independent clients for connecting to web services, and various transports for use with those clients.

File Path: C:\Users\Dad\.m2\repository\org\opensaml\openws\1.5.1\openws-1.5.1.jar
MD5: 4a6340e00990a21cc822e9430c70e022
SHA1: 5e9b1075c477871f78983d1c24eb3dacf6b2aa65
Referenced In Project/Scope: fgsms Agent Core:provided

Evidence

Source	Name	Value
central	artifactid	openws
central	groupid	org.opensaml
central	version	1.5.1
file	name	openws
file	version	1.5.1
manifest: org/opensaml/ws/	Implementation-Title	openws
manifest: org/opensaml/ws/	Implementation-Vendor	www.opensaml.org
manifest: org/opensaml/ws/soap/soap11/	Specification-Title	Simple Object Access Protocol (SOAP) 1.1
manifest: org/opensaml/ws/wsaddressing/	Specification-Title	WS-Addressing
manifest: org/opensaml/ws/wsfed/	Specification-Title	WS-Federation
manifest: org/opensaml/ws/wspolicy/	Specification-Title	WS-Policy
manifest: org/opensaml/ws/wssecurity/	Specification-Title	WS-Security
manifest: org/opensaml/ws/wstrust/	Specification-Title	WS-Trust
pom	artifactid	openws
pom	description	The OpenWS library provides a growing set of tools to work with web services at a low level. These tools include classes for creating and reading SOAP messages, transport-independent clients for connecting to web services, and various transports for use with those clients.
pom	groupid	opensaml
pom	groupid	org.opensaml
pom	name	OpenWS
pom	parent-artifactid	parent-v2
pom	parent-groupid	net.shibboleth
pom	version	1.5.1

Identifiers

maven: org.opensaml:openws:1.5.1 Confidence:HIGHEST

xmltooling-1.4.1.jar

Description: XMLTooling-J is a low-level library that may be used to construct libraries that allow developers to work with XML in a Java beans manner.

File Path: C:\Users\Dad\.m2\repository\org\opensaml\xmltooling\1.4.1\xmltooling-1.4.1.jar
MD5: 5f29a776cece576a6bf8a2529d3b8419
SHA1: aa39174a71035bdd28b3a3c890cac86b705c4980
Referenced In Project/Scope: fgsms Agent Core:provided

Evidence

Source	Name	Value
central	artifactid	xmltooling
central	groupid	org.opensaml
central	version	1.4.1
file	name	xmltooling
file	version	1.4.1
manifest: org/opensaml/xml/	Implementation-Title	xmltooling
manifest: org/opensaml/xml/	Implementation-Vendor	www.opensaml.org
manifest: org/opensaml/xml/encryption/	Specification-Title	XML Encryption Syntax and Processing
manifest: org/opensaml/xml/signature/	Specification-Title	XML Signature Syntax and Processing
pom	artifactid	xmltooling
pom	description	XMLTooling-J is a low-level library that may be used to construct libraries that allow developers to work with XML in a Java beans manner.
pom	groupid	opensaml
pom	groupid	org.opensaml
pom	name	XMLTooling-J
pom	parent-artifactid	parent-v2
pom	parent-groupid	net.shibboleth
pom	version	1.4.1

Identifiers

maven: org.opensaml:xmltooling:1.4.1 Confidence:HIGHEST

slf4j-api-1.7.7.jar

Description: The slf4j API

File Path: C:\Users\Dad\.m2\repository\org\slf4j\slf4j-api\1.7.7\slf4j-api-1.7.7.jar
MD5: ca4280bf93d64367723ae5c8d42dd0b9
SHA1: 2b8019b6249bb05d81d3a3094e468753e2b21311
Referenced In Project/Scope: fgsms Agent Core:provided

Evidence

Source	Name	Value
central	artifactid	slf4j-api
central	groupid	org.slf4j
central	version	1.7.7
file	name	slf4j-api
file	version	1.7.7
manifest	Bundle-Description	The slf4j API
Manifest	Bundle-Name	slf4j-api
Manifest	bundle-requiredexecutionenvironment	J2SE-1.3
Manifest	bundle-symbolicname	slf4j.api
Manifest	Implementation-Title	slf4j-api
Manifest	Implementation-Version	1.7.7
pom	artifactid	slf4j-api
pom	description	The slf4j API
pom	groupid	org.slf4j
pom	groupid	slf4j
pom	name	SLF4J API Module
pom	parent-artifactid	slf4j-parent
pom	parent-groupid	org.slf4j
pom	url	http://www.slf4j.org
pom	version	1.7.7

Identifiers

maven: org.slf4j:slf4j-api:1.7.7 Confidence:HIGHEST

spring-aop-3.0.7.RELEASE.jar

File Path: C:\Users\Dad\.m2\repository\org\springframework\spring-aop\3.0.7.RELEASE\spring-aop-3.0.7.RELEASE.jar
MD5: 833e6c239fa50bada08e5cb82582c82b
SHA1: e52176ba360e47d132bbc80dc144a916dd75eee7
Referenced In Project/Scope: fgsms Agent Core:provided

Evidence

Source	Name	Value
central	artifactid	spring-aop
central	groupid	org.springframework
central	version	3.0.7.RELEASE
file	name	spring-aop
Manifest	Bundle-Name	Spring AOP
Manifest	bundle-symbolicname	org.springframework.aop
Manifest	Implementation-Title	org.springframework.aop
Manifest	Implementation-Version	3.0.7.RELEASE
pom	artifactid	spring-aop
pom	groupid	org.springframework
pom	groupid	springframework
pom	parent-artifactid	spring-parent
pom	parent-groupid	org.springframework
pom	version	3.0.7.RELEASE

Identifiers

maven: org.springframework:spring-aop:3.0.7.RELEASE Confidence:HIGHEST

spring-asm-3.0.7.RELEASE.jar

File Path: C:\Users\Dad\.m2\repository\org\springframework\spring-asm\3.0.7.RELEASE\spring-asm-3.0.7.RELEASE.jar
MD5: 5d479c7bf32d4bb3cb3b81dfdf3080f7
SHA1: cadd0ed7b1aeea0c2858ada0d6397e8423aad6a3
Referenced In Project/Scope: fgsms Agent Core:provided

Evidence

Source	Name	Value
central	artifactid	spring-asm
central	groupid	org.springframework
central	version	3.0.7.RELEASE
file	name	spring-asm
Manifest	Bundle-Name	Spring ASM
Manifest	bundle-symbolicname	org.springframework.asm
Manifest	Implementation-Title	org.springframework.asm
Manifest	Implementation-Vendor	France Telecom R&D
Manifest	Implementation-Version	3.0.7.RELEASE
pom	artifactid	spring-asm
pom	groupid	org.springframework
pom	groupid	springframework
pom	parent-artifactid	spring-parent
pom	parent-groupid	org.springframework
pom	version	3.0.7.RELEASE

Identifiers

maven: org.springframework:spring-asm:3.0.7.RELEASE Confidence:HIGHEST

spring-beans-3.0.7.RELEASE.jar

File Path: C:\Users\Dad\.m2\repository\org\springframework\spring-beans\3.0.7.RELEASE\spring-beans-3.0.7.RELEASE.jar
MD5: 0b9954842f12133fcff91bd90235182d
SHA1: 5915c3eee8dc193b19b648719d653439c57fc0d8
Referenced In Project/Scope: fgsms Agent Core:provided

Evidence

Source	Name	Value
central	artifactid	spring-beans
central	groupid	org.springframework
central	version	3.0.7.RELEASE
file	name	spring-beans
Manifest	Bundle-Name	Spring Beans
Manifest	bundle-symbolicname	org.springframework.beans
Manifest	Implementation-Title	org.springframework.beans
Manifest	Implementation-Version	3.0.7.RELEASE
pom	artifactid	spring-beans
pom	groupid	org.springframework
pom	groupid	springframework
pom	parent-artifactid	spring-parent
pom	parent-groupid	org.springframework
pom	version	3.0.7.RELEASE

Identifiers

maven: org.springframework:spring-beans:3.0.7.RELEASE Confidence:HIGHEST

spring-context-3.2.8.RELEASE.jar

Description: Spring Context

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt

File Path: C:\Users\Dad\.m2\repository\org\springframework\spring-context\3.2.8.RELEASE\spring-context-3.2.8.RELEASE.jar
MD5: 062fd8c0edb7b69c4886946f884217ae
SHA1: 7edfc6e4283b549504793682cab1f8c37d9f1890
Referenced In Project/Scope: fgsms Agent Core:provided

Evidence

Source	Name	Value
central	artifactid	spring-context
central	groupid	org.springframework
central	version	3.2.8.RELEASE
file	name	spring-context
Manifest	Implementation-Title	spring-context
Manifest	Implementation-Version	3.2.8.RELEASE
pom	artifactid	spring-context
pom	description	Spring Context
pom	groupid	org.springframework
pom	groupid	springframework
pom	name	Spring Context
pom	organization name	http://springsource.org/spring-framework
pom	url	https://github.com/SpringSource/spring-framework
pom	version	3.2.8.RELEASE

Identifiers

cpe: cpe:/a:springsource:spring_framework:3.2.8 Confidence:LOW
maven: org.springframework:spring-context:3.2.8.RELEASE Confidence:HIGHEST

spring-core-3.0.7.RELEASE.jar

File Path: C:\Users\Dad\.m2\repository\org\springframework\spring-core\3.0.7.RELEASE\spring-core-3.0.7.RELEASE.jar
MD5: feeca5dd71af07bda262b0ed14dc1951
SHA1: 2c90825834a037aab6f6a71bbd05d81680832c49
Referenced In Project/Scope: fgsms Agent Core:provided

Evidence

Source	Name	Value
central	artifactid	spring-core
central	groupid	org.springframework
central	version	3.0.7.RELEASE
file	name	spring-core
hint analyzer	product	springsource_spring_framework
hint analyzer	vendor	pivotal software
hint analyzer	vendor	SpringSource
hint analyzer	vendor	vmware
Manifest	Bundle-Name	Spring Core
Manifest	bundle-symbolicname	org.springframework.core
Manifest	Implementation-Title	org.springframework.core
Manifest	Implementation-Version	3.0.7.RELEASE
pom	artifactid	spring-core
pom	groupid	org.springframework
pom	groupid	springframework
pom	parent-artifactid	spring-parent
pom	parent-groupid	org.springframework
pom	version	3.0.7.RELEASE

Identifiers

cpe: cpe:/a:pivotal:spring_framework:3.0.7 Confidence:HIGHEST
cpe: cpe:/a:pivotal_software:spring_framework:3.0.7 Confidence:LOW
cpe: cpe:/a:springsource:spring_framework:3.0.7 Confidence:HIGHEST
cpe: cpe:/a:vmware:springsource_spring_framework:3.0.7 Confidence:LOW
maven: org.springframework:spring-core:3.0.7.RELEASE Confidence:HIGHEST

Published Vulnerabilities

CVE-2016-9878

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

An issue was discovered in Pivotal Spring Framework before 3.2.18, 4.2.x before 4.2.9, and 4.3.x before 4.3.5. Paths provided to the ResourceServlet were not properly sanitized and as a result exposed to directory traversal attacks.

BID - 95072
CONFIRM - https://pivotal.io/security/cve-2016-9878

Vulnerable Software & Versions: (show all)

CVE-2014-3625

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Directory traversal vulnerability in Pivotal Spring Framework 3.0.4 through 3.2.x before 3.2.12, 4.0.x before 4.0.8, and 4.1.x before 4.1.2 allows remote attackers to read arbitrary files via unspecified vectors, related to static resource handling.

CONFIRM - http://www.pivotal.io/security/cve-2014-3625
CONFIRM - https://jira.spring.io/browse/SPR-12354
REDHAT - RHSA-2015:0236
REDHAT - RHSA-2015:0720

Vulnerable Software & Versions: (show all)

CVE-2014-3578

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Directory traversal vulnerability in Pivotal Spring Framework 3.x before 3.2.9 and 4.0 before 4.0.5 allows remote attackers to read arbitrary files via a crafted URL.

BID - 68042
CONFIRM - https://bugzilla.redhat.com/show_bug.cgi?id=1131882
JVN - JVN#49154900
JVNDB - JVNDB-2014-000054
MISC - http://pivotal.io/security/cve-2014-3578
REDHAT - RHSA-2015:0234
REDHAT - RHSA-2015:0235
REDHAT - RHSA-2015:0720

Vulnerable Software & Versions: (show all)

CVE-2014-1904

Severity: Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Cross-site scripting (XSS) vulnerability in web/servlet/tags/form/FormTag.java in Spring MVC in Spring Framework 3.0.0 before 3.2.8 and 4.0.0 before 4.0.2 allows remote attackers to inject arbitrary web script or HTML via the requested URI in a default action.

BID - 66137
BUGTRAQ - 20140311 CVE-2014-1904 XSS when using Spring MVC
CONFIRM - http://docs.spring.io/spring/docs/3.2.8.RELEASE/changelog.txt
CONFIRM - http://www.gopivotal.com/security/cve-2014-1904
CONFIRM - https://github.com/spring-projects/spring-framework/commit/741b4b229ae032bd17175b46f98673ce0bd2d485
CONFIRM - https://jira.springsource.org/browse/SPR-11426
FULLDISC - 20140312 CVE-2014-1904 XSS when using Spring MVC
REDHAT - RHSA-2014:0400

Vulnerable Software & Versions: (show all)

CVE-2014-0054

Severity: Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-352

The Jaxb2RootElementHttpMessageConverter in Spring MVC in Spring Framework before 3.2.8 and 4.0.0 before 4.0.2 does not disable external entity resolution, which allows remote attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML, aka an XML External Entity (XXE) issue. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-4152, CVE-2013-7315, and CVE-2013-6429.

BID - 66148
CONFIRM - https://jira.spring.io/browse/SPR-11376
REDHAT - RHSA-2014:0400

Vulnerable Software & Versions: (show all)

CVE-2013-7315

Severity: Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls

The Spring MVC in Spring Framework before 3.2.4 and 4.0.0.M1 through 4.0.0.M2 does not disable external entity resolution for the StAX XMLInputFactory, which allows context-dependent attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML with JAXB, aka an XML External Entity (XXE) issue, and a different vulnerability than CVE-2013-4152. NOTE: this issue was SPLIT from CVE-2013-4152 due to different affected versions.

BID - 77998
BUGTRAQ - 20130822 CVE-2013-4152 XML External Entity (XXE) injection in Spring Framework
CONFIRM - http://www.gopivotal.com/security/cve-2013-4152
CONFIRM - https://jira.springsource.org/browse/SPR-10806
DEBIAN - DSA-2842
FULLDISC - 20131102 XXE Injection in Spring Framework

Vulnerable Software & Versions: (show all)

CVE-2013-6429

Severity: Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls

The SourceHttpMessageConverter in Spring MVC in Spring Framework before 3.2.5 and 4.0.0.M1 through 4.0.0.RC1 does not disable external entity resolution, which allows remote attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML, aka an XML External Entity (XXE) issue, and a different vulnerability than CVE-2013-4152 and CVE-2013-7315.

Vulnerable Software & Versions: (show all)

CVE-2013-4152

Severity: Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls

The Spring OXM wrapper in Spring Framework before 3.2.4 and 4.0.0.M1, when using the JAXB marshaller, does not disable entity resolution, which allows context-dependent attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via an XML external entity declaration in conjunction with an entity reference in a (1) DOMSource, (2) StAXSource, (3) SAXSource, or (4) StreamSource, aka an XML External Entity (XXE) issue.

BID - 61951
BUGTRAQ - 20130822 CVE-2013-4152 XML External Entity (XXE) injection in Spring Framework
CONFIRM - http://www.gopivotal.com/security/cve-2013-4152
CONFIRM - https://github.com/spring-projects/spring-framework/pull/317/files
CONFIRM - https://jira.springsource.org/browse/SPR-10806
DEBIAN - DSA-2842
FULLDISC - 20131102 XXE Injection in Spring Framework
REDHAT - RHSA-2014:0212
REDHAT - RHSA-2014:0245
REDHAT - RHSA-2014:0254
REDHAT - RHSA-2014:0400

Vulnerable Software & Versions: (show all)

spring-expression-3.0.7.RELEASE.jar

File Path: C:\Users\Dad\.m2\repository\org\springframework\spring-expression\3.0.7.RELEASE\spring-expression-3.0.7.RELEASE.jar
MD5: 7880f6d36ee0352560700517d59e80a1
SHA1: 61999bb2e1e5f7a1c13e91a58761c48dc1d71cf9
Referenced In Project/Scope: fgsms Agent Core:provided

Evidence

Source	Name	Value
central	artifactid	spring-expression
central	groupid	org.springframework
central	version	3.0.7.RELEASE
file	name	spring-expression
Manifest	Bundle-Name	Spring Expression Language
Manifest	bundle-symbolicname	org.springframework.expression
Manifest	Implementation-Title	org.springframework.expression
Manifest	Implementation-Version	3.0.7.RELEASE
pom	artifactid	spring-expression
pom	groupid	org.springframework
pom	groupid	springframework
pom	parent-artifactid	spring-parent
pom	parent-groupid	org.springframework
pom	version	3.0.7.RELEASE

Identifiers

maven: org.springframework:spring-expression:3.0.7.RELEASE Confidence:HIGHEST

spring-jms-3.0.7.RELEASE.jar

File Path: C:\Users\Dad\.m2\repository\org\springframework\spring-jms\3.0.7.RELEASE\spring-jms-3.0.7.RELEASE.jar
MD5: bb872e0744176677ae65705317efa46f
SHA1: 1647b17010e96c713f589ec1b0265556443db00e
Referenced In Project/Scope: fgsms Agent Core:provided

Evidence

Source	Name	Value
central	artifactid	spring-jms
central	groupid	org.springframework
central	version	3.0.7.RELEASE
file	name	spring-jms
Manifest	Bundle-Name	Spring JMS
Manifest	bundle-symbolicname	org.springframework.jms
Manifest	Implementation-Title	org.springframework.jms
Manifest	Implementation-Version	3.0.7.RELEASE
pom	artifactid	spring-jms
pom	groupid	org.springframework
pom	groupid	springframework
pom	parent-artifactid	spring-parent
pom	parent-groupid	org.springframework
pom	version	3.0.7.RELEASE

Identifiers

maven: org.springframework:spring-jms:3.0.7.RELEASE Confidence:HIGHEST

spring-tx-3.0.7.RELEASE.jar

File Path: C:\Users\Dad\.m2\repository\org\springframework\spring-tx\3.0.7.RELEASE\spring-tx-3.0.7.RELEASE.jar
MD5: 9d8af113502df57b03734164654df6a3
SHA1: c340bf8606f6bf235bc1277d25315df1abe51c31
Referenced In Project/Scope: fgsms Agent Core:provided

Evidence

Source	Name	Value
central	artifactid	spring-tx
central	groupid	org.springframework
central	version	3.0.7.RELEASE
file	name	spring-tx
Manifest	Bundle-Name	Spring Transaction
Manifest	bundle-symbolicname	org.springframework.transaction
Manifest	Implementation-Title	org.springframework.transaction
Manifest	Implementation-Version	3.0.7.RELEASE
pom	artifactid	spring-tx
pom	groupid	org.springframework
pom	groupid	springframework
pom	parent-artifactid	spring-parent
pom	parent-groupid	org.springframework
pom	version	3.0.7.RELEASE

Identifiers

maven: org.springframework:spring-tx:3.0.7.RELEASE Confidence:HIGHEST

js-1.7R2.jar

Description: Rhino is an open-source implementation of JavaScript written entirely in Java. It is typically embedded into Java applications to provide scripting to end users.

License:

Mozilla Public License: http://www.mozilla.org/MPL/MPL-1.1.html

File Path: C:\Users\Dad\.m2\repository\rhino\js\1.7R2\js-1.7R2.jar
MD5: a4166cafe6e5d37c363b6795ee92c92c
SHA1: b95d5212ff4cea92cee1c3c6fa50aa82c9d4905b
Referenced In Project/Scope: fgsms Agent Core:provided

Evidence

Source	Name	Value
central	artifactid	js
central	groupid	rhino
central	version	1.7R2
file	name	js
file	version	1.7.r2
jar	package name	javascript
jar	package name	mozilla
pom	artifactid	js
pom	description	Rhino is an open-source implementation of JavaScript written entirely in Java. It is typically embedded into Java applications to provide scripting to end users.
pom	groupid	rhino
pom	name	Rhino
pom	url	http://www.mozilla.org/rhino/
pom	version	1.7R2

Identifiers

maven: rhino:js:1.7R2 Confidence:HIGHEST

wsdl4j-1.6.3.jar

Description: Java stub generator for WSDL

License:

CPL: http://www.opensource.org/licenses/cpl1.0.txt

File Path: C:\Users\Dad\.m2\repository\wsdl4j\wsdl4j\1.6.3\wsdl4j-1.6.3.jar
MD5: cfc28d89625c5e88589aec7a9aee0208
SHA1: 6d106a6845a3d3477a1560008479312888e94f2f
Referenced In Project/Scope: fgsms Agent Core:provided

Evidence

Source	Name	Value
central	artifactid	wsdl4j
central	groupid	wsdl4j
central	version	1.6.3
file	name	wsdl4j
file	version	1.6.3
Manifest	Implementation-Title	WSDL4J
Manifest	Implementation-Vendor	IBM
Manifest	Implementation-Version	1.6.3
Manifest	specification-title	JWSDL
Manifest	specification-vendor	IBM (Java Community Process)
pom	artifactid	wsdl4j
pom	description	Java stub generator for WSDL
pom	groupid	wsdl4j
pom	name	WSDL4J
pom	url	http://sf.net/projects/wsdl4j
pom	version	1.6.3

Identifiers

maven: wsdl4j:wsdl4j:1.6.3 Confidence:HIGHEST

serializer-2.7.1.jar

Description: Serializer to write out XML, HTML etc. as a stream of characters from an input DOM or from input SAX events.

File Path: C:\Users\Dad\.m2\repository\xalan\serializer\2.7.1\serializer-2.7.1.jar
MD5: a6b64dfe58229bdd810263fa0cc54cff
SHA1: 4b4b18df434451249bb65a63f2fb69e215a6a020
Referenced In Project/Scope: fgsms Agent Core:provided

Evidence

Source	Name	Value
central	artifactid	serializer
central	groupid	xalan
central	version	2.7.1
file	name	serializer
file	version	2.7.1
manifest: org/apache/xml/serializer/	Implementation-Title	org.apache.xml.serializer
manifest: org/apache/xml/serializer/	Implementation-Vendor	Apache Software Foundation
manifest: org/apache/xml/serializer/	Specification-Title	XSL Transformations (XSLT), at http://www.w3.org/TR/xslt
manifest: org/apache/xml/serializer/utils/	Implementation-Title	org.apache.xml.serializer.utils
manifest: org/apache/xml/serializer/utils/	Implementation-Vendor	Apache Software Foundation
pom	artifactid	serializer
pom	description	Serializer to write out XML, HTML etc. as a stream of characters from an input DOM or from input SAX events.
pom	groupid	xalan
pom	name	Xalan Java Serializer
pom	parent-artifactid	apache
pom	parent-groupid	org.apache
pom	url	http://xml.apache.org/xalan-j/
pom	version	2.7.1

Identifiers

cpe: cpe:/a:apache:xalan-java:2.7.1 Confidence:HIGHEST
maven: xalan:serializer:2.7.1 Confidence:HIGHEST

Published Vulnerabilities

CVE-2014-0107

Severity: High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls

The TransformerFactory in Apache Xalan-Java before 2.7.2 does not properly restrict access to certain properties when FEATURE_SECURE_PROCESSING is enabled, which allows remote attackers to bypass expected restrictions and load arbitrary classes or access external resources via a crafted (1) xalan:content-header, (2) xalan:entities, (3) xslt:content-header, or (4) xslt:entities property, or a Java property that is bound to the XSLT 1.0 system-property function.

BID - 66397
CONFIRM - http://svn.apache.org/viewvc?view=revision&revision=1581058
CONFIRM - http://www-01.ibm.com/support/docview.wss?uid=swg21674334
CONFIRM - http://www-01.ibm.com/support/docview.wss?uid=swg21676093
CONFIRM - http://www-01.ibm.com/support/docview.wss?uid=swg21677145
CONFIRM - http://www-01.ibm.com/support/docview.wss?uid=swg21680703
CONFIRM - http://www-01.ibm.com/support/docview.wss?uid=swg21681933
CONFIRM - http://www.ibm.com/support/docview.wss?uid=swg21677967
CONFIRM - http://www.oracle.com/technetwork/topics/security/cpujan2016-2367955.html
CONFIRM - https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05324755
CONFIRM - https://issues.apache.org/jira/browse/XALANJ-2435
GENTOO - GLSA-201604-02
MISC - http://www.ocert.org/advisories/ocert-2014-002.html
REDHAT - RHSA-2014:1351
SECUNIA - 59151
SECUNIA - 59247
SECUNIA - 59290
SECUNIA - 59291
SECUNIA - 59515
XF - apache-xalanjava-cve20140107-sec-bypass(92023)

Vulnerable Software & Versions: (show all)

xml-resolver-1.2.jar

Description: xml-commons provides an Apache-hosted set of DOM, SAX, and JAXP interfaces for use in other xml-based projects. Our hope is that we can standardize on both a common version and packaging scheme for these critical XML standards interfaces to make the lives of both our developers and users easier.

File Path: C:\Users\Dad\.m2\repository\xml-resolver\xml-resolver\1.2\xml-resolver-1.2.jar
MD5: 706c533146c1f4ee46b66659ea14583a
SHA1: 3d0f97750b3a03e0971831566067754ba4bfd68c
Referenced In Project/Scope: fgsms Agent Core:provided

Evidence

Source	Name	Value
central	artifactid	xml-resolver
central	groupid	xml-resolver
central	version	1.2
file	name	xml-resolver
file	version	1.2
manifest: org/apache/xml/resolver	Implementation-Title	org.apache.xml.resolver.Catalog
manifest: org/apache/xml/resolver	Implementation-Vendor	Apache Software Foundation
pom	artifactid	xml-resolver
pom	description	xml-commons provides an Apache-hosted set of DOM, SAX, and JAXP interfaces for use in other xml-based projects. Our hope is that we can standardize on both a common version and packaging scheme for these critical XML standards interfaces to make the lives of both our developers and users easier.
pom	groupid	xml-resolver
pom	name	XML Commons Resolver Component
pom	parent-artifactid	apache
pom	parent-groupid	org.apache
pom	url	http://xml.apache.org/commons/components/resolver/
pom	version	1.2

Identifiers

maven: xml-resolver:xml-resolver:1.2 Confidence:HIGHEST

How to read the report | Suppressing false positives | Getting Help: google group | github issues

Project: fgsms Agent Core

Dependencies

antlr-2.7.7.jar

Evidence

Identifiers

aopalliance-1.0.jar

Evidence

Identifiers

asm-3.3.1.jar

Evidence

Identifiers

jaxb-impl-2.1.13.jar

Evidence

Identifiers

jaxb-xjc-2.1.13.jar

Evidence

Identifiers

commons-codec-1.10.jar

Evidence

Identifiers

commons-collections-3.2.jar

Evidence

Identifiers

Published Vulnerabilities

commons-daemon-1.0.15-bin-windows.zip: prunsrv.exe

Evidence

Identifiers

commons-daemon-1.0.15-bin-windows.zip: prunsrv.exe

Evidence

Identifiers

commons-daemon-1.0.15-bin-windows.zip: prunmgr.exe

Evidence

Identifiers

commons-daemon-1.0.15-bin-windows.zip: prunsrv.exe

Evidence

Identifiers

commons-lang-2.6.jar

Evidence

Identifiers

commons-logging-1.1.jar

Evidence

Identifiers

javax.ws.rs-api-2.0-m10.jar

Evidence

Identifiers

joda-time-2.2.jar

Evidence

Identifiers

log4j-1.2.17.jar

Evidence

Identifiers

oauth-provider-20100527.jar

Evidence

Identifiers

oauth-20100527.jar

Evidence

Identifiers

ehcache-core-2.5.1.jar

Evidence

Identifiers

ehcache-core-2.5.1.jar: sizeof-agent.jar

Evidence

Identifiers

commons-lang3-3.5.jar

Evidence

Identifiers

cxf-rt-core-2.7.11.jar

Evidence

Related Dependencies

Identifiers

Published Vulnerabilities

geronimo-javamail_1.4_spec-1.7.1.jar

Evidence

Identifiers

geronimo-jaxws_2.2_spec-1.1.jar

Evidence

Identifiers

geronimo-jms_1.1_spec-1.1.1.jar

Evidence