Dependency-Check Report

Dependency-Check is an open source tool performing a best effort analysis of 3rd party dependencies; false positives and false negatives may exist in the analysis performed by the tool. Use of the tool and the reporting provided constitutes acceptance for use in an AS IS condition, and there are NO warranties, implied or otherwise, with regard to the analysis or its use. Any use of the tool and the reporting provided is at the user’s risk. In no event shall the copyright holder or OWASP be held liable for any damages whatsoever arising out of or in connection with the use of this tool, the analysis performed, or the resulting report.

Scan Information (show all):

dependency-check version: 1.4.5
Report Generated On: Mar 12, 2017 at 00:07:12 EST
Dependencies Scanned: 8 (7 unique)
Vulnerable Dependencies: 1
Vulnerabilities Found: 2
Vulnerabilities Suppressed: 0
...
CurrentEngineRelease:
NVD CVE 2002: 19/02/2017 03:25:58
NVD CVE 2003: 19/02/2017 03:24:25
NVD CVE 2004: 19/02/2017 03:23:59
NVD CVE 2005: 24/02/2017 03:12:32
NVD CVE 2006: 19/02/2017 03:20:36
NVD CVE 2007: 19/02/2017 03:18:20
NVD CVE 2008: 19/02/2017 03:16:18
NVD CVE 2009: 19/02/2017 03:14:03
NVD CVE 2010: 09/02/2017 03:09:26
NVD CVE 2011: 19/02/2017 03:11:57
NVD CVE 2012: 24/02/2017 03:11:07
NVD CVE 2013: 24/02/2017 03:09:00
NVD CVE 2014: 01/03/2017 03:07:38
NVD CVE 2015: 04/03/2017 03:06:02
NVD CVE 2016: 05/03/2017 03:02:53
NVD CVE 2017: 05/03/2017 03:00:24
NVD CVE Checked: 11/03/2017 23:34:50
NVD CVE Modified: 11/03/2017 20:00:24
VersionCheckOn: 1486838497071

Display: Showing Vulnerable Dependencies (click to show all)

Dependency	CPE	GAV	Highest Severity	CVE Count	CPE Confidence	Evidence Count
geronimo-spec-j2ee-connector-1.5-rc4.jar	cpe:/a:apache:geronimo:1.5.rc4	geronimo-spec:geronimo-spec-j2ee-connector:1.5-rc4	High	2	LOW	14
activation-1.1.jar		javax.activation:activation:1.1		0		17
mail-1.4.7.jar	cpe:/a:sun:javamail:1.4.7	javax.mail:mail:1.4.7		0	LOW	26
log4j-1.2.17.jar		log4j:log4j:1.2.17		0		18
commons-lang3-3.5.jar		org.apache.commons:commons-lang3:3.5		0		27
qpid-client-6.0.0.jar	cpe:/a:apache:qpid:6.0.0	org.apache.qpid:qpid-client:6.0.0		0	LOW	19
slf4j-api-1.7.7.jar		org.slf4j:slf4j-api:1.7.7		0		20

Dependencies

geronimo-spec-j2ee-connector-1.5-rc4.jar

File Path: C:\Users\Dad\.m2\repository\geronimo-spec\geronimo-spec-j2ee-connector\1.5-rc4\geronimo-spec-j2ee-connector-1.5-rc4.jar
MD5: 6a2ccbc1d0af6329c00b2089ae1a31d7
SHA1: 2f5310631817f11c5b170d3a0084a58766d49269
Referenced In Project/Scope: fgsms Apache ServiceMix/ActiveMQ JMX Agent:compile

Evidence

Source	Name	Value
central	artifactid	geronimo-spec-j2ee-connector
central	groupid	geronimo-spec
central	version	1.5-rc4
file	name	geronimo-spec-j2ee-connector
file	version	1.5.rc4
Manifest	extension-name	geronimo-spec-j2ee-connector
Manifest	Implementation-Title	javax.resource
Manifest	Implementation-Vendor	Apache Software Foundation
Manifest	Implementation-Version	1.5-rc4
Manifest	specification-title	J2EE Connector Architecture
Manifest	specification-vendor	Apache Software Foundation
pom	artifactid	geronimo-spec-j2ee-connector
pom	groupid	geronimo-spec
pom	version	1.5-rc4

Identifiers

cpe: cpe:/a:apache:geronimo:1.5.rc4 Confidence:LOW
maven: geronimo-spec:geronimo-spec-j2ee-connector:1.5-rc4 Confidence:HIGHEST

Published Vulnerabilities

CVE-2011-5034

Severity: High
CVSS Score: 7.8 (AV:N/AC:L/Au:N/C:N/I:N/A:C)
CWE: CWE-20 Improper Input Validation

Apache Geronimo 2.2.1 and earlier computes hash values for form parameters without restricting the ability to trigger hash collisions predictably, which allows remote attackers to cause a denial of service (CPU consumption) by sending many crafted parameters. NOTE: this might overlap CVE-2011-4461.

Vulnerable Software & Versions: (show all)

cpe:/a:apache:geronimo:2.2.1 and all previous versions
...
cpe:/a:apache:geronimo:1.0
cpe:/a:apache:geronimo:1.1
cpe:/a:apache:geronimo:1.1.1
cpe:/a:apache:geronimo:1.2
cpe:/a:apache:geronimo:2.0.1
cpe:/a:apache:geronimo:2.0.2
cpe:/a:apache:geronimo:2.1
cpe:/a:apache:geronimo:2.1.1
cpe:/a:apache:geronimo:2.1.2
cpe:/a:apache:geronimo:2.1.3
cpe:/a:apache:geronimo:2.1.4
cpe:/a:apache:geronimo:2.1.5
cpe:/a:apache:geronimo:2.1.6
cpe:/a:apache:geronimo:2.1.7
cpe:/a:apache:geronimo:2.1.8
cpe:/a:apache:geronimo:2.2
cpe:/a:apache:geronimo:2.2.1 and all previous versions

CVE-2008-0732

Severity: Low
CVSS Score: 2.1 (AV:L/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-59 Improper Link Resolution Before File Access ('Link Following')

The init script for Apache Geronimo on SUSE Linux follows symlinks when performing a chown operation, which might allow local users to obtain access to unspecified files or directories.

SUSE - SUSE-SR:2008:003

Vulnerable Software & Versions:

cpe:/a:apache:geronimo

activation-1.1.jar

Description: JavaBeans Activation Framework (JAF) is a standard extension to the Java platform that lets you take advantage of standard services to: determine the type of an arbitrary piece of data; encapsulate access to it; discover the operations available on it; and instantiate the appropriate bean to perform the operation(s).

License:

Common Development and Distribution License (CDDL) v1.0: https://glassfish.dev.java.net/public/CDDLv1.0.html

File Path: C:\Users\Dad\.m2\repository\javax\activation\activation\1.1\activation-1.1.jar
MD5: 8ae38e87cd4f86059c0294a8fe3e0b18
SHA1: e6cb541461c2834bdea3eb920f1884d1eb508b50
Referenced In Project/Scope: fgsms Apache ServiceMix/ActiveMQ JMX Agent:compile

Evidence

Source	Name	Value
central	artifactid	activation
central	groupid	javax.activation
central	version	1.1
file	name	activation
file	version	1.1
Manifest	extension-name	javax.activation
Manifest	Implementation-Vendor	Sun Microsystems, Inc.
Manifest	Implementation-Vendor-Id	com.sun
Manifest	Implementation-Version	1.1
Manifest	specification-title	JavaBeans(TM) Activation Framework Specification
Manifest	specification-vendor	Sun Microsystems, Inc.
pom	artifactid	activation
pom	description	JavaBeans Activation Framework (JAF) is a standard extension to the Java platform that lets you take advantage of standard services to: determine the type of an arbitrary piece of data; encapsulate access to it; discover the operations available on it; and instantiate the appropriate bean to perform the operation(s).
pom	groupid	javax.activation
pom	name	JavaBeans Activation Framework (JAF)
pom	url	http://java.sun.com/products/javabeans/jaf/index.jsp
pom	version	1.1

Identifiers

maven: javax.activation:activation:1.1 Confidence:HIGHEST

mail-1.4.7.jar

Description: JavaMail API (compat)

License:

http://www.sun.com/cddl, https://glassfish.java.net/public/CDDL+GPL_1_1.html

File Path: C:\Users\Dad\.m2\repository\javax\mail\mail\1.4.7\mail-1.4.7.jar
MD5: 77f53ff0c78ba43c4812ecc9f53e20f8
SHA1: 9add058589d5d85adeb625859bf2c5eeaaedf12d
Referenced In Project/Scope: fgsms Apache ServiceMix/ActiveMQ JMX Agent:compile

Evidence

Source	Name	Value
central	artifactid	mail
central	groupid	javax.mail
central	version	1.4.7
file	name	mail
file	version	1.4.7
manifest	Bundle-Description	JavaMail API (compat)
Manifest	bundle-docurl	http://www.oracle.com
Manifest	Bundle-Name	JavaMail API (compat)
Manifest	bundle-symbolicname	javax.mail
Manifest	extension-name	javax.mail
Manifest	Implementation-Title	javax.mail
Manifest	Implementation-Vendor	Oracle
Manifest	Implementation-Vendor-Id	com.sun
Manifest	Implementation-Version	1.4.7
Manifest	originally-created-by	1.7.0_15 (Oracle Corporation)
Manifest	probe-provider-xml-file-names	META-INF/gfprobe-provider.xml
Manifest	specification-title	JavaMail(TM) API Design Specification
Manifest	specification-vendor	Oracle
Manifest (hint)	Implementation-Vendor	sun
Manifest (hint)	specification-vendor	sun
pom	artifactid	mail
pom	groupid	javax.mail
pom	name	JavaMail API (compat)
pom	parent-artifactid	all
pom	parent-groupid	com.sun.mail
pom	version	1.4.7

Identifiers

cpe: cpe:/a:sun:javamail:1.4.7 Confidence:LOW
maven: javax.mail:mail:1.4.7 Confidence:HIGHEST

log4j-1.2.17.jar

Description: Apache Log4j 1.2

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt

File Path: C:\Users\Dad\.m2\repository\log4j\log4j\1.2.17\log4j-1.2.17.jar
MD5: 04a41f0a068986f0f73485cf507c0f40
SHA1: 5af35056b4d257e4b64b9e8069c0746e8b08629f
Referenced In Project/Scope: fgsms Apache ServiceMix/ActiveMQ JMX Agent:compile

Evidence

Source	Name	Value
central	artifactid	log4j
central	groupid	log4j
central	version	1.2.17
file	name	log4j
file	version	1.2.17
manifest	Bundle-Description	Apache Log4j 1.2
Manifest	bundle-docurl	http://logging.apache.org/log4j/1.2
Manifest	Bundle-Name	Apache Log4j
Manifest	bundle-symbolicname	log4j
manifest: org.apache.log4j	Implementation-Title	log4j
manifest: org.apache.log4j	Implementation-Vendor	"Apache Software Foundation"
pom	artifactid	log4j
pom	description	Apache Log4j 1.2
pom	groupid	log4j
pom	name	Apache Log4j
pom	organization name	http://www.apache.org
pom	url	http://logging.apache.org/log4j/1.2/
pom	version	1.2.17

Identifiers

maven: log4j:log4j:1.2.17 Confidence:HIGHEST

commons-lang3-3.5.jar

Description: Apache Commons Lang, a package of Java utility classes for the classes that are in java.lang's hierarchy, or are considered to be so standard as to justify existence in java.lang.

License:

https://www.apache.org/licenses/LICENSE-2.0.txt

File Path: C:\Users\Dad\.m2\repository\org\apache\commons\commons-lang3\3.5\commons-lang3-3.5.jar
MD5: 780b5a8b72eebe6d0dbff1c11b5658fa
SHA1: 6c6c702c89bfff3cd9e80b04d668c5e190d588c6
Referenced In Project/Scope: fgsms Apache ServiceMix/ActiveMQ JMX Agent:compile

Evidence

Source	Name	Value
central	artifactid	commons-lang3
central	groupid	org.apache.commons
central	version	3.5
file	name	commons-lang3
file	version	3.5
manifest	Bundle-Description	Apache Commons Lang, a package of Java utility classes for the classes that are in java.lang's hierarchy, or are considered to be so standard as to justify existence in java.lang.
Manifest	bundle-docurl	http://commons.apache.org/proper/commons-lang/
Manifest	Bundle-Name	Apache Commons Lang
Manifest	bundle-symbolicname	org.apache.commons.lang3
Manifest	implementation-build	release@r36f98d87b24c2f542b02abbf6ec1ee742f1b158b; 2016-10-13 19:52:17+0000
Manifest	Implementation-Title	Apache Commons Lang
Manifest	implementation-url	http://commons.apache.org/proper/commons-lang/
Manifest	Implementation-Vendor	The Apache Software Foundation
Manifest	Implementation-Vendor-Id	org.apache
Manifest	Implementation-Version	3.5
Manifest	require-capability	osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.6))"
Manifest	specification-title	Apache Commons Lang
Manifest	specification-vendor	The Apache Software Foundation
pom	artifactid	commons-lang3
pom	description	Apache Commons Lang, a package of Java utility classes for the classes that are in java.lang's hierarchy, or are considered to be so standard as to justify existence in java.lang.
pom	groupid	apache.commons
pom	groupid	org.apache.commons
pom	name	Apache Commons Lang
pom	parent-artifactid	commons-parent
pom	parent-groupid	org.apache.commons
pom	url	http://commons.apache.org/proper/commons-lang/
pom	version	3.5

Identifiers

maven: org.apache.commons:commons-lang3:3.5 Confidence:HIGHEST

qpid-client-6.0.0.jar

Description: JMS client supporting AMQP 0-8, 0-9, 0-9-1 and 0-10.

File Path: C:\Users\Dad\.m2\repository\org\apache\qpid\qpid-client\6.0.0\qpid-client-6.0.0.jar
MD5: 244a004182de831f2ff3774dbac2741f
SHA1: 0a4c3e81e2c4777bf3d50c293391831a5dd1acf9
Referenced In Project/Scope: fgsms Apache ServiceMix/ActiveMQ JMX Agent:compile

Evidence

Source	Name	Value
central	artifactid	qpid-client
central	groupid	org.apache.qpid
central	version	6.0.0
file	name	qpid-client
file	version	6.0.0
Manifest	Implementation-Title	Qpid AMQP 0-x JMS Client
Manifest	Implementation-Vendor	The Apache Software Foundation
Manifest	Implementation-Vendor-Id	org.apache.qpid
Manifest	Implementation-Version	6.0.0
Manifest	specification-title	Qpid AMQP 0-x JMS Client
Manifest	specification-vendor	The Apache Software Foundation
pom	artifactid	qpid-client
pom	description	JMS client supporting AMQP 0-8, 0-9, 0-9-1 and 0-10.
pom	groupid	apache.qpid
pom	groupid	org.apache.qpid
pom	name	Qpid AMQP 0-x JMS Client
pom	parent-artifactid	qpid-java-build
pom	parent-groupid	org.apache.qpid
pom	version	6.0.0

Related Dependencies

Identifiers

cpe: cpe:/a:apache:qpid:6.0.0 Confidence:LOW
maven: org.apache.qpid:qpid-client:6.0.0 Confidence:HIGHEST

slf4j-api-1.7.7.jar

Description: The slf4j API

File Path: C:\Users\Dad\.m2\repository\org\slf4j\slf4j-api\1.7.7\slf4j-api-1.7.7.jar
MD5: ca4280bf93d64367723ae5c8d42dd0b9
SHA1: 2b8019b6249bb05d81d3a3094e468753e2b21311
Referenced In Project/Scope: fgsms Apache ServiceMix/ActiveMQ JMX Agent:compile

Evidence

Source	Name	Value
central	artifactid	slf4j-api
central	groupid	org.slf4j
central	version	1.7.7
file	name	slf4j-api
file	version	1.7.7
manifest	Bundle-Description	The slf4j API
Manifest	Bundle-Name	slf4j-api
Manifest	bundle-requiredexecutionenvironment	J2SE-1.3
Manifest	bundle-symbolicname	slf4j.api
Manifest	Implementation-Title	slf4j-api
Manifest	Implementation-Version	1.7.7
pom	artifactid	slf4j-api
pom	description	The slf4j API
pom	groupid	org.slf4j
pom	groupid	slf4j
pom	name	SLF4J API Module
pom	parent-artifactid	slf4j-parent
pom	parent-groupid	org.slf4j
pom	url	http://www.slf4j.org
pom	version	1.7.7

Identifiers

maven: org.slf4j:slf4j-api:1.7.7 Confidence:HIGHEST

How to read the report | Suppressing false positives | Getting Help: google group | github issues

Project: fgsms Apache ServiceMix/ActiveMQ JMX Agent

Dependencies

geronimo-spec-j2ee-connector-1.5-rc4.jar

Evidence

Identifiers

Published Vulnerabilities

activation-1.1.jar

Evidence

Identifiers

mail-1.4.7.jar

Evidence

Identifiers

log4j-1.2.17.jar

Evidence

Identifiers

commons-lang3-3.5.jar

Evidence

Identifiers

qpid-client-6.0.0.jar

Evidence

Related Dependencies

Identifiers

slf4j-api-1.7.7.jar

Evidence

Identifiers