Press CTR-C to copy XML [help]


Dependency-Check is an open source tool performing a best effort analysis of 3rd party dependencies; false positives and false negatives may exist in the analysis performed by the tool. Use of the tool and the reporting provided constitutes acceptance for use in an AS IS condition, and there are NO warranties, implied or otherwise, with regard to the analysis or its use. Any use of the tool and the reporting provided is at the user’s risk. In no event shall the copyright holder or OWASP be held liable for any damages whatsoever arising out of or in connection with the use of this tool, the analysis performed, or the resulting report.

How to read the report | Suppressing false positives | Getting Help: github issues

 Sponsor

Project: Handler Commons

io.wcm:io.wcm.handler.commons:1.4.3-SNAPSHOT

Scan Information (show all):

Summary

Display: Showing Vulnerable Dependencies (click to show all)

DependencyVulnerability IDsPackageHighest SeverityCVE CountConfidenceEvidence Count
commons-collections-3.2.2.jarcpe:2.3:a:apache:commons_collections:3.2.2:*:*:*:*:*:*:*pkg:maven/commons-collections/commons-collections@3.2.2 0Highest41
commons-lang3-3.6.jarpkg:maven/org.apache.commons/commons-lang3@3.6 041
guava-15.0.jarcpe:2.3:a:google:guava:15.0:*:*:*:*:*:*:*pkg:maven/com.google.guava/guava@15.0MEDIUM2Highest20
io.wcm.sling.commons-1.4.0.jarcpe:2.3:a:list_site_pro:list_site_pro:1.4.0:*:*:*:*:*:*:*pkg:maven/io.wcm/io.wcm.sling.commons@1.4.0 0Low36
io.wcm.sling.models-1.6.0.jarcpe:2.3:a:list_site_pro:list_site_pro:1.6.0:*:*:*:*:*:*:*pkg:maven/io.wcm/io.wcm.sling.models@1.6.0 0Low37
io.wcm.wcm.commons-1.9.0.jarcpe:2.3:a:list_site_pro:list_site_pro:1.9.0:*:*:*:*:*:*:*pkg:maven/io.wcm/io.wcm.wcm.commons@1.9.0 0Low39
io.wcm.wcm.ui.granite-1.8.0.jarcpe:2.3:a:list_site_pro:list_site_pro:1.8.0:*:*:*:*:*:*:*pkg:maven/io.wcm/io.wcm.wcm.ui.granite@1.8.0 0Low37
io.wcm.wcm.ui.granite-1.8.0.jar: showhide.js 00
io.wcm.wcm.ui.granite-1.8.0.jar: validation.js 00
javax.servlet-api-3.1.0.jarcpe:2.3:a:oracle:java_se:3.1.0:*:*:*:*:*:*:*pkg:maven/javax.servlet/javax.servlet-api@3.1.0 0Low37
jaxen-1.2.0.jarpkg:maven/jaxen/jaxen@1.2.0 026
jcr-2.0.jarpkg:maven/javax.jcr/jcr@2.0 032
jdom2-2.0.6.jarcpe:2.3:a:jdom:jdom:2.0.6:*:*:*:*:*:*:*pkg:maven/org.jdom/jdom2@2.0.6HIGH1Highest53
jsp-api-2.1.jarpkg:maven/javax.servlet.jsp/jsp-api@2.1 021
org.apache.sling.caconfig.api-1.1.0.jarcpe:2.3:a:apache:sling:1.1.0:*:*:*:*:*:*:*
cpe:2.3:a:apache:sling_api:1.1.0:*:*:*:*:*:*:*		pkg:maven/org.apache.sling/org.apache.sling.caconfig.api@1.1.0MEDIUM1Highest35
org.osgi.framework-1.8.0.jarpkg:maven/org.osgi/org.osgi.framework@1.8.0 040
org.osgi.service.cm-1.6.0.jarpkg:maven/org.osgi/org.osgi.service.cm@1.6.0 039
org.osgi.util.tracker-1.5.1.jarpkg:maven/org.osgi/org.osgi.util.tracker@1.5.1 039
slf4j-api-1.7.25.jarpkg:maven/org.slf4j/slf4j-api@1.7.25 027

Dependencies

commons-collections-3.2.2.jar

Description:

Types that extend and augment the Java Collections Framework.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/runner/.m2/repository/commons-collections/commons-collections/3.2.2/commons-collections-3.2.2.jar
MD5: f54a8510f834a1a57166970bfc982e94
SHA1: 8ad72fe39fa8c91eaaf12aadb21e0c3661fe26d5
SHA256:eeeae917917144a68a741d4c0dff66aa5c5c5fd85593ff217bced3fc8ca783b8
Referenced In Project/Scope:Handler Commons:compile

Identifiers

commons-lang3-3.6.jar

Description:

  Apache Commons Lang, a package of Java utility classes for the
  classes that are in java.lang's hierarchy, or are considered to be so
  standard as to justify existence in java.lang.

License:

https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/runner/.m2/repository/org/apache/commons/commons-lang3/3.6/commons-lang3-3.6.jar
MD5: 5d18f68b5122fd398c118df53ab4cf55
SHA1: 9d28a6b23650e8a7e9063c04588ace6cf7012c17
SHA256:89c27f03fff18d0b06e7afd7ef25e209766df95b6c1269d6c3ebbdea48d5f284
Referenced In Project/Scope:Handler Commons:compile

Identifiers

guava-15.0.jar

Description:

    Guava is a suite of core and expanded libraries that include
    utility classes, google's collections, io classes, and much
    much more.

    Guava has two code dependencies - javax.annotation
    per the JSR-305 spec and javax.inject per the JSR-330 spec.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/runner/.m2/repository/com/google/guava/guava/15.0/guava-15.0.jar
MD5: 2c10bb2ca3ac8b55b0e77e54a7eb3744
SHA1: ed727a8d9f247e2050281cb083f1c77b09dcb5cd
SHA256:7a34575770eebc60a5476616e3676a6cb6f2975c78c415e2a6014ac724ba5783
Referenced In Project/Scope:Handler Commons:compile

Identifiers

CVE-2018-10237  

Unbounded memory allocation in Google Guava 11.0 through 24.x before 24.1.1 allows remote attackers to conduct denial of service attacks against servers that depend on this library and deserialize attacker-provided data, because the AtomicDoubleArray class (when serialized with Java serialization) and the CompoundOrdering class (when serialized with GWT serialization) perform eager allocation without appropriate checks on what a client has sent and whether the data size is reasonable.
CWE-770 Allocation of Resources Without Limits or Throttling

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:N/A:P
CVSSv3:
  • Base Score: MEDIUM (5.9)
  • Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

References:

Vulnerable Software & Versions: (show all)

CVE-2020-8908  

A temp directory creation vulnerability exists in all versions of Guava, allowing an attacker with access to the machine to potentially access data in a temporary directory created by the Guava API com.google.common.io.Files.createTempDir(). By default, on unix-like systems, the created directory is world-readable (readable by an attacker with access to the system). The method in question has been marked @Deprecated in versions 30.0 and later and should not be used. For Android developers, we recommend choosing a temporary directory API provided by Android, such as context.getCacheDir(). For other Java developers, we recommend migrating to the Java 7 API java.nio.file.Files.createTempDirectory() which explicitly configures permissions of 700, or configuring the Java runtime's java.io.tmpdir system property to point to a location whose permissions are appropriately configured.
CWE-732 Incorrect Permission Assignment for Critical Resource

CVSSv2:
  • Base Score: LOW (2.1)
  • Vector: /AV:L/AC:L/Au:N/C:P/I:N/A:N
CVSSv3:
  • Base Score: LOW (3.3)
  • Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

References:

Vulnerable Software & Versions: (show all)

io.wcm.sling.commons-1.4.0.jar

Description:

Common Sling utility and helper functions.

License:

"The Apache Software License, Version 2.0";link="http://www.apache.org/licenses/LICENSE-2.0.txt"
File Path: /home/runner/.m2/repository/io/wcm/io.wcm.sling.commons/1.4.0/io.wcm.sling.commons-1.4.0.jar
MD5: d62de019c010f8bc770e3779c2ef9b77
SHA1: 57bab1d2edf776d551f5c994b705add0fda569b7
SHA256:a6fcc35671f64d43f0a4253340e01655694a8e7fa60aed781410e9440dc053b2
Referenced In Project/Scope:Handler Commons:compile

Identifiers

io.wcm.sling.models-1.6.0.jar

Description:

AEM Object Injector for Sling Models.

License:

"The Apache Software License, Version 2.0";link="http://www.apache.org/licenses/LICENSE-2.0.txt"
File Path: /home/runner/.m2/repository/io/wcm/io.wcm.sling.models/1.6.0/io.wcm.sling.models-1.6.0.jar
MD5: 11233d382ac989a7c00b69fe6191d0cc
SHA1: 06a9483c7502638bc25552917a20cdfb904c34bb
SHA256:eb19e7903e1cb3c9d98f9d70d68b0687c82923b70a3d6f84f435b358223c64fa
Referenced In Project/Scope:Handler Commons:compile

Identifiers

io.wcm.wcm.commons-1.9.0.jar

Description:

Common WCM utility and helper functions.

License:

"The Apache Software License, Version 2.0";link="http://www.apache.org/licenses/LICENSE-2.0.txt"
File Path: /home/runner/.m2/repository/io/wcm/io.wcm.wcm.commons/1.9.0/io.wcm.wcm.commons-1.9.0.jar
MD5: 04799632ef83b8d9295c7328d5c0b247
SHA1: 15b79398cd63bbc02ff54a04a98cc04cc0b04d1c
SHA256:98b6e6915fbba4d4642bbf6500d590c430765a1e28279e86fb63546b24a97e98
Referenced In Project/Scope:Handler Commons:compile

Identifiers

io.wcm.wcm.ui.granite-1.8.0.jar

Description:

Granite UI Components for AEM Touch UI.

License:

"The Apache Software License, Version 2.0";link="http://www.apache.org/licenses/LICENSE-2.0.txt"
File Path: /home/runner/.m2/repository/io/wcm/io.wcm.wcm.ui.granite/1.8.0/io.wcm.wcm.ui.granite-1.8.0.jar
MD5: 6af6dbee86e9885d22ea6b5827397a8c
SHA1: 93944ff43600dd24d7257e13de9261e2973c3050
SHA256:e99d87ce7340396d8ebb6c68ed9d12119be6d398030f944249cbfa3fdb9eb006
Referenced In Project/Scope:Handler Commons:compile

Identifiers

io.wcm.wcm.ui.granite-1.8.0.jar: showhide.js

File Path: /home/runner/.m2/repository/io/wcm/io.wcm.wcm.ui.granite/1.8.0/io.wcm.wcm.ui.granite-1.8.0.jar/SLING-INF/app-root/clientlibs/io.wcm.ui.granite.showhidedialogfields/js/showhide.js
MD5: 8dac12e53129a74b52cfad2a9b0e3da6
SHA1: e7462e84281e399c1603d2f27ae18307568f0020
SHA256:15a10493faebc8f947792f91bdc29ae5af34e7e45fa318a851144982510be626
Referenced In Project/Scope:Handler Commons:compile

Identifiers

  • None

io.wcm.wcm.ui.granite-1.8.0.jar: validation.js

File Path: /home/runner/.m2/repository/io/wcm/io.wcm.wcm.ui.granite/1.8.0/io.wcm.wcm.ui.granite-1.8.0.jar/SLING-INF/app-root/clientlibs/io.wcm.ui.granite.validation/js/validation.js
MD5: edad5110d166c768cd7f0fd2b4013d3b
SHA1: 6a28b836ec56eff5783abf566825e876cf45b8a2
SHA256:e2fc0a071a292fb9b3a9c9ce4d99081930519bbb6193d01ecd6f7e6418322364
Referenced In Project/Scope:Handler Commons:compile

Identifiers

  • None

javax.servlet-api-3.1.0.jar

Description:

Java(TM) Servlet 3.1 API Design Specification

License:

CDDL + GPLv2 with classpath exception: https://glassfish.dev.java.net/nonav/public/CDDL+GPL.html
File Path: /home/runner/.m2/repository/javax/servlet/javax.servlet-api/3.1.0/javax.servlet-api-3.1.0.jar
MD5: 79de69e9f5ed8c7fcb8342585732bbf7
SHA1: 3cd63d075497751784b2fa84be59432f4905bf7c
SHA256:af456b2dd41c4e82cf54f3e743bc678973d9fe35bd4d3071fa05c7e5333b8482
Referenced In Project/Scope:Handler Commons:compile

Identifiers

jaxen-1.2.0.jar

Description:

Jaxen is a universal XPath engine for Java.

License:

BSD License 2.0: https://raw.githubusercontent.com/jaxen-xpath/jaxen/master/LICENSE.txt
File Path: /home/runner/.m2/repository/jaxen/jaxen/1.2.0/jaxen-1.2.0.jar
MD5: c32cf69356254b8f5050fce6e86358e9
SHA1: c10535a925bd35129a4329bc75065cc6b5293f2c
SHA256:70feef9dd75ad064def05a3ce8975aeba515ee7d1be146d12199c8828a64174c
Referenced In Project/Scope:Handler Commons:compile

Identifiers

jcr-2.0.jar

Description:

        The Content Repository API for JavaTM Technology Version 2.0 is specified by JSR-283.
        This module contains the complete API as specified.

License:

Day Specification License: http://www.day.com/dam/day/downloads/jsr283/day-spec-license.htm
Day Specification License addendum: http://www.day.com/content/dam/day/downloads/jsr283/LICENSE.txt
File Path: /home/runner/.m2/repository/javax/jcr/jcr/2.0/jcr-2.0.jar
MD5: ede5e78b16c8ed298ce0b6d296584ebd
SHA1: 08297216bcfe4aea369ed6ee0d1718133f752e97
SHA256:cbf083bc58cb88a0c19112187a4c52d3115f525b5bb7f2913635f5679e6e9743
Referenced In Project/Scope:Handler Commons:compile

Identifiers

jdom2-2.0.6.jar

Description:

		A complete, Java-based solution for accessing, manipulating, 
		and outputting XML data

License:

Similar to Apache License but with the acknowledgment clause removed: https://raw.github.com/hunterhacker/jdom/master/LICENSE.txt
File Path: /home/runner/.m2/repository/org/jdom/jdom2/2.0.6/jdom2-2.0.6.jar
MD5: 86a30c9b1ddc08ca155747890db423b7
SHA1: 6f14738ec2e9dd0011e343717fa624a10f8aab64
SHA256:1345f11ba606d15603d6740551a8c21947c0215640770ec67271fe78bea97cf5
Referenced In Project/Scope:Handler Commons:compile

Identifiers

CVE-2021-33813  

An XXE issue in SAXBuilder in JDOM through 2.0.6 allows attackers to cause a denial of service via a crafted HTTP request.
CWE-611 Improper Restriction of XML External Entity Reference ('XXE')

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:P
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References:

Vulnerable Software & Versions: (show all)

jsp-api-2.1.jar

File Path: /home/runner/.m2/repository/javax/servlet/jsp/jsp-api/2.1/jsp-api-2.1.jar
MD5: b8a34113a3a1ce29c8c60d7141f5a704
SHA1: 63f943103f250ef1f3a4d5e94d145a0f961f5316
SHA256:545f4e7dc678ffb4cf8bd0fd40b4a4470a409a787c0ea7d0ad2f08d56112987b
Referenced In Project/Scope:Handler Commons:compile

Identifiers

org.apache.sling.caconfig.api-1.1.0.jar

Description:

Apache Sling Context-Aware Configuration API

License:

https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/runner/.m2/repository/org/apache/sling/org.apache.sling.caconfig.api/1.1.0/org.apache.sling.caconfig.api-1.1.0.jar
MD5: 231c80a8f980016d79f32ee99ad9e920
SHA1: 4a8674192c5da0d03d090e4dade5055b84aa0885
SHA256:dda109a6b232a7f92c042b5e15e7b381f27eebe3ce526aaed496892288516a4b
Referenced In Project/Scope:Handler Commons:compile

Identifiers

CVE-2015-2944  

Multiple cross-site scripting (XSS) vulnerabilities in Apache Sling API before 2.2.2 and Apache Sling Servlets Post before 2.1.2 allow remote attackers to inject arbitrary web script or HTML via the URI, related to (1) org/apache/sling/api/servlets/HtmlResponse and (2) org/apache/sling/servlets/post/HtmlResponse.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N

References:

Vulnerable Software & Versions: (show all)

org.osgi.framework-1.8.0.jar

Description:

OSGi Companion Code for org.osgi.framework Version 1.8.0.

License:

Apache License, Version 2.0: http://opensource.org/licenses/apache2.0.php
File Path: /home/runner/.m2/repository/org/osgi/org.osgi.framework/1.8.0/org.osgi.framework-1.8.0.jar
MD5: 1a40fb57099ef5530d25bc9600d509b1
SHA1: b54d03f9621136b7d9d93b5017b0a4fa490e78b0
SHA256:ec194b7871af27681716ff05259319a5c3c9b9727e8000e9e832499b93484b4e
Referenced In Project/Scope:Handler Commons:compile

Identifiers

org.osgi.service.cm-1.6.0.jar

Description:

OSGi Companion Code for org.osgi.service.cm Version 1.6.0

License:

Apache-2.0: http://www.apache.org/licenses/LICENSE-2.0
File Path: /home/runner/.m2/repository/org/osgi/org.osgi.service.cm/1.6.0/org.osgi.service.cm-1.6.0.jar
MD5: b0756197dc4ce853b05e686ec0df8dbf
SHA1: f0c01d6da3799107b17f894ae7920cfd6fa69da6
SHA256:c1768352603abdeb18ca160ac8c712768f88d2e418fe4c5cf50845e783154233
Referenced In Project/Scope:Handler Commons:compile

Identifiers

org.osgi.util.tracker-1.5.1.jar

Description:

OSGi Companion Code for org.osgi.util.tracker Version 1.5.1.

License:

Apache License, Version 2.0: http://opensource.org/licenses/apache2.0.php
File Path: /home/runner/.m2/repository/org/osgi/org.osgi.util.tracker/1.5.1/org.osgi.util.tracker-1.5.1.jar
MD5: fd34c8f47613e751a25aa7e627c7cc85
SHA1: 18c3821aa2e98b3e5aacf73b3833347a894a5053
SHA256:5efad34ab9a7753dcde1415b62e6e21e4dec83dfad5a570df485c1b931c1ebed
Referenced In Project/Scope:Handler Commons:compile

Identifiers

slf4j-api-1.7.25.jar

Description:

The slf4j API

File Path: /home/runner/.m2/repository/org/slf4j/slf4j-api/1.7.25/slf4j-api-1.7.25.jar
MD5: caafe376afb7086dcbee79f780394ca3
SHA1: da76ca59f6a57ee3102f8f9bd9cee742973efa8a
SHA256:18c4a0095d5c1da6b817592e767bb23d29dd2f560ad74df75ff3961dbde25b79
Referenced In Project/Scope:Handler Commons:compile

Identifiers



This report contains data retrieved from the National Vulnerability Database.
This report may contain data retrieved from the NPM Public Advisories.
This report may contain data retrieved from RetireJS.
This report may contain data retrieved from the Sonatype OSS Index.