Press CTR-C to copy XML [help]


Dependency-Check is an open source tool performing a best effort analysis of 3rd party dependencies; false positives and false negatives may exist in the analysis performed by the tool. Use of the tool and the reporting provided constitutes acceptance for use in an AS IS condition, and there are NO warranties, implied or otherwise, with regard to the analysis or its use. Any use of the tool and the reporting provided is at the user’s risk. In no event shall the copyright holder or OWASP be held liable for any damages whatsoever arising out of or in connection with the use of this tool, the analysis performed, or the resulting report.

How to read the report | Suppressing false positives | Getting Help: google group | github issues

Project: fgsms Apache Axis 1.x Agent

Scan Information (show all):

Display: Showing Vulnerable Dependencies (click to show all)

Dependency CPE GAV Highest Severity CVE Count CPE Confidence Evidence Count
commons-codec-1.10.jar commons-codec:commons-codec:1.10   0 25
commons-collections-3.2.jar cpe:/a:apache:commons_collections:3.2.1 commons-collections:commons-collections:3.2 High 1 LOW 19
commons-configuration-1.9.jar commons-configuration:commons-configuration:1.9   0 24
commons-lang-2.6.jar commons-lang:commons-lang:2.6   0 23
commons-logging-api-1.1.jar commons-logging:commons-logging-api:1.1   0 19
commons-logging-1.1.jar commons-logging:commons-logging:1.1   0 19
dnsjava-2.0.6.jar dnsjava:dnsjava:2.0.6   0 15
ejb-api-3.0.jar javax.ejb:ejb-api:3.0   0 15
servlet-api-2.5.jar javax.servlet:servlet-api:2.5   0 11
log4j-1.2.17.jar log4j:log4j:1.2.17   0 18
axis-1.4.jar cpe:/a:apache:axis:1.4 axis:axis:1.4 Medium 2 HIGHEST 13
commons-lang3-3.5.jar org.apache.commons:commons-lang3:3.5   0 27
httpclient-4.3.3.jar cpe:/a:apache:httpclient:4.3.3 org.apache.httpcomponents:httpclient:4.3.3 Medium 2 HIGHEST 22
httpcore-4.3.2.jar org.apache.httpcomponents:httpcore:4.3.2   0 22
juddi-client-3.3.3.jar org.apache.juddi:juddi-client:3.3.3   0 16
uddi-ws-3.3.3.jar org.apache.juddi:uddi-ws:3.3.3   0 16
wsdl4j-1.6.2.jar wsdl4j:wsdl4j:1.6.2   0 15

Dependencies

commons-codec-1.10.jar

Description:  The Apache Commons Codec package contains simple encoder and decoders for various formats such as Base64 and Hexadecimal. In addition to these widely used encoders and decoders, the codec package also maintains a collection of phonetic encoding utilities.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\Users\Dad\.m2\repository\commons-codec\commons-codec\1.10\commons-codec-1.10.jar
MD5: 353cf6a2bdba09595ccfa073b78c7fcb
SHA1: 4b95f4897fa13f2cd904aee711aeafc0c5295cd8
Referenced In Project/Scope: fgsms Apache Axis 1.x Agent:compile

Identifiers

commons-collections-3.2.jar

Description: Types that extend and augment the Java Collections Framework.

License:

The Apache Software License, Version 2.0: /LICENSE.txt
File Path: C:\Users\Dad\.m2\repository\commons-collections\commons-collections\3.2\commons-collections-3.2.jar
MD5: 7b9216b608d550787bdf43a63d88bf3b
SHA1: f951934aa5ae5a88d7e6dfaa6d32307d834a88be
Referenced In Project/Scope: fgsms Apache Axis 1.x Agent:compile

Identifiers

CVE-2015-6420  

Severity: High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)

Serialized-object interfaces in certain Cisco Collaboration and Social Media; Endpoint Clients and Client Software; Network Application, Service, and Acceleration; Network and Content Security Devices; Network Management and Provisioning; Routing and Switching - Enterprise and Service Provider; Unified Computing; Voice and Unified Communications Devices; Video, Streaming, TelePresence, and Transcoding Devices; Wireless; and Cisco Hosted Services products allow remote attackers to execute arbitrary commands via a crafted serialized Java object, related to the Apache Commons Collections (ACC) library.

Vulnerable Software & Versions: (show all)

commons-configuration-1.9.jar

Description:  Tools to assist in the reading of configuration/preferences files in various formats

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\Users\Dad\.m2\repository\commons-configuration\commons-configuration\1.9\commons-configuration-1.9.jar
MD5: a433303bae1cd9ec6313fe7bbac8fbe9
SHA1: 5e8a4890284cf7eaa9241ace2cc07518d9519d22
Referenced In Project/Scope: fgsms Apache Axis 1.x Agent:compile

Identifiers

commons-lang-2.6.jar

Description:  Commons Lang, a package of Java utility classes for the classes that are in java.lang's hierarchy, or are considered to be so standard as to justify existence in java.lang.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\Users\Dad\.m2\repository\commons-lang\commons-lang\2.6\commons-lang-2.6.jar
MD5: 4d5c1693079575b362edf41500630bbd
SHA1: 0ce1edb914c94ebc388f086c6827e8bdeec71ac2
Referenced In Project/Scope: fgsms Apache Axis 1.x Agent:compile

Identifiers

commons-logging-api-1.1.jar

Description: Commons Logging is a thin adapter allowing configurable bridging to other, well known logging systems.

License:

The Apache Software License, Version 2.0: /LICENSE.txt
File Path: C:\Users\Dad\.m2\repository\commons-logging\commons-logging-api\1.1\commons-logging-api-1.1.jar
MD5: 4374238076ab08e60e0d296234480837
SHA1: 7d4cf5231d46c8524f9b9ed75bb2d1c69ab93322
Referenced In Project/Scope: fgsms Apache Axis 1.x Agent:compile

Identifiers

commons-logging-1.1.jar

Description: Commons Logging is a thin adapter allowing configurable bridging to other, well known logging systems.

License:

The Apache Software License, Version 2.0: /LICENSE.txt
File Path: C:\Users\Dad\.m2\repository\commons-logging\commons-logging\1.1\commons-logging-1.1.jar
MD5: 6b62417e77b000a87de66ee3935edbf5
SHA1: ba24d5de831911b684c92cd289ed5ff826271824
Referenced In Project/Scope: fgsms Apache Axis 1.x Agent:compile

Identifiers

dnsjava-2.0.6.jar

Description: dnsjava is an implementation of DNS in Java

License:

BSD license: http://www.dnsjava.org/README
File Path: C:\Users\Dad\.m2\repository\dnsjava\dnsjava\2.0.6\dnsjava-2.0.6.jar
MD5: 3a783229899ea708d3a7c73624d305c4
SHA1: e367971f81d95e653552b5c8f3065d0fad724369
Referenced In Project/Scope: fgsms Apache Axis 1.x Agent:compile

Identifiers

ejb-api-3.0.jar

File Path: C:\Users\Dad\.m2\repository\javax\ejb\ejb-api\3.0\ejb-api-3.0.jar
MD5: bf9716b5dd34838c272aa44dfbab5fbc
SHA1: d4855ba9a1ecd993b751880567ec06ffcbd6fe06
Referenced In Project/Scope: fgsms Apache Axis 1.x Agent:compile

Identifiers

servlet-api-2.5.jar

File Path: C:\Users\Dad\.m2\repository\javax\servlet\servlet-api\2.5\servlet-api-2.5.jar
MD5: 116fc16f3f700d756a57a2b8ea7c1044
SHA1: e69999122202bb1c275a80ad3281c4f69f2ea0b2
Referenced In Project/Scope: fgsms Apache Axis 1.x Agent:compile

Identifiers

  • maven: javax.servlet:servlet-api:2.5   Confidence:HIGH

log4j-1.2.17.jar

Description: Apache Log4j 1.2

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\Users\Dad\.m2\repository\log4j\log4j\1.2.17\log4j-1.2.17.jar
MD5: 04a41f0a068986f0f73485cf507c0f40
SHA1: 5af35056b4d257e4b64b9e8069c0746e8b08629f
Referenced In Project/Scope: fgsms Apache Axis 1.x Agent:compile

Identifiers

axis-1.4.jar

Description: POM was created from deploy:deploy-file

File Path: C:\Users\Dad\.m2\repository\org\apache\axis\axis\1.4\axis-1.4.jar
MD5: 03dcfdd88502505cc5a805a128bfdd8d
SHA1: 94a9ce681a42d0352b3ad22659f67835e560d107
Referenced In Project/Scope: fgsms Apache Axis 1.x Agent:provided

Identifiers

CVE-2014-3596  

Severity: Medium
CVSS Score: 5.8 (AV:N/AC:M/Au:N/C:P/I:P/A:N)

The getCN function in Apache Axis 1.4 and earlier does not properly verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via a certificate with a subject that specifies a common name in a field that is not the CN field. NOTE: this issue exists because of an incomplete fix for CVE-2012-5784.

Vulnerable Software & Versions: (show all)

CVE-2012-5784  

Severity: Medium
CVSS Score: 5.8 (AV:N/AC:M/Au:N/C:P/I:P/A:N)
CWE: CWE-20 Improper Input Validation

Apache Axis 1.4 and earlier, as used in PayPal Payments Pro, PayPal Mass Pay, PayPal Transactional Information SOAP, the Java Message Service implementation in Apache ActiveMQ, and other products, does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.

Vulnerable Software & Versions: (show all)

commons-lang3-3.5.jar

Description:  Apache Commons Lang, a package of Java utility classes for the classes that are in java.lang's hierarchy, or are considered to be so standard as to justify existence in java.lang.

License:

https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\Users\Dad\.m2\repository\org\apache\commons\commons-lang3\3.5\commons-lang3-3.5.jar
MD5: 780b5a8b72eebe6d0dbff1c11b5658fa
SHA1: 6c6c702c89bfff3cd9e80b04d668c5e190d588c6
Referenced In Project/Scope: fgsms Apache Axis 1.x Agent:compile

Identifiers

httpclient-4.3.3.jar

Description:  HttpComponents Client

File Path: C:\Users\Dad\.m2\repository\org\apache\httpcomponents\httpclient\4.3.3\httpclient-4.3.3.jar
MD5: 88cc3123fce88d61b7c2cdbfc33542c5
SHA1: 18f4247ff4572a074444572cee34647c43e7c9c7
Referenced In Project/Scope: fgsms Apache Axis 1.x Agent:compile

Identifiers

CVE-2015-5262  

Severity: Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:N/A:P)
CWE: CWE-399 Resource Management Errors

http/conn/ssl/SSLConnectionSocketFactory.java in Apache HttpComponents HttpClient before 4.3.6 ignores the http.socket.timeout configuration setting during an SSL handshake, which allows remote attackers to cause a denial of service (HTTPS call hang) via unspecified vectors.

Vulnerable Software & Versions:

CVE-2014-3577  

Severity: Medium
CVSS Score: 5.8 (AV:N/AC:M/Au:N/C:P/I:P/A:N)

org.apache.http.conn.ssl.AbstractVerifier in Apache HttpComponents HttpClient before 4.3.5 and HttpAsyncClient before 4.0.2 does not properly verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via a "CN=" string in a field in the distinguished name (DN) of a certificate, as demonstrated by the "foo,CN=www.apache.org" string in the O field.

Vulnerable Software & Versions: (show all)

httpcore-4.3.2.jar

Description:  HttpComponents Core (blocking I/O)

File Path: C:\Users\Dad\.m2\repository\org\apache\httpcomponents\httpcore\4.3.2\httpcore-4.3.2.jar
MD5: ee3d34dce4a30c7d3002cadf8c9172c1
SHA1: 31fbbff1ddbf98f3aa7377c94d33b0447c646b6e
Referenced In Project/Scope: fgsms Apache Axis 1.x Agent:compile

Identifiers

juddi-client-3.3.3.jar

Description: jUDDI (pronounced "Judy") is an open source Java implementation of the Universal Description, Discovery, and Integration (UDDI) specification for Web Services.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\Users\Dad\.m2\repository\org\apache\juddi\juddi-client\3.3.3\juddi-client-3.3.3.jar
MD5: 97c5bdf27e8b2b177d0621f8476942fd
SHA1: 02956c0e30405af75c9866ccf1dba30697d19781
Referenced In Project/Scope: fgsms Apache Axis 1.x Agent:compile

Identifiers

uddi-ws-3.3.3.jar

Description: jUDDI (pronounced "Judy") is an open source Java implementation of the Universal Description, Discovery, and Integration (UDDI) specification for Web Services.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\Users\Dad\.m2\repository\org\apache\juddi\uddi-ws\3.3.3\uddi-ws-3.3.3.jar
MD5: bb20c0b7902db12bc44154a7883ba79a
SHA1: ba7abcb195c7fe6048e734925fd29622b1959447
Referenced In Project/Scope: fgsms Apache Axis 1.x Agent:compile

Identifiers

wsdl4j-1.6.2.jar

Description: Java stub generator for WSDL

License:

CPL: http://www.opensource.org/licenses/cpl1.0.txt
File Path: C:\Users\Dad\.m2\repository\wsdl4j\wsdl4j\1.6.2\wsdl4j-1.6.2.jar
MD5: 2608a8ea3f07b0c08de8a7d3d0d3fc09
SHA1: dec1669fb6801b7328e01ad72fc9e10b69ea06c1
Referenced In Project/Scope: fgsms Apache Axis 1.x Agent:compile

Identifiers



This report contains data retrieved from the National Vulnerability Database.