Dependency-Check is an open source tool performing a best effort analysis of 3rd party dependencies; false positives and false negatives may exist in the analysis performed by the tool. Use of the tool and the reporting provided constitutes acceptance for use in an AS IS condition, and there are NO warranties, implied or otherwise, with regard to the analysis or its use. Any use of the tool and the reporting provided is at the user’s risk. In no event shall the copyright holder or OWASP be held liable for any damages whatsoever arising out of or in connection with the use of this tool, the analysis performed, or the resulting report.

How to read the report | Suppressing false positives | Getting Help: github issues

 Sponsor

Project: WCM Mock Helper

io.wcm:io.wcm.testing.wcm-io-mock.wcm:1.2.1-SNAPSHOT

Scan Information (show all):

Summary

Display: Showing Vulnerable Dependencies (click to show all)

DependencyVulnerability IDsPackageHighest SeverityCVE CountConfidenceEvidence Count
commons-lang3-3.6.jarpkg:maven/org.apache.commons/commons-lang3@3.6 041
guava-15.0.jarcpe:2.3:a:google:guava:15.0:*:*:*:*:*:*:*pkg:maven/com.google.guava/guava@15.0MEDIUM2Highest20
io.wcm.sling.commons-1.4.0.jarcpe:2.3:a:list_site_pro:list_site_pro:1.4.0:*:*:*:*:*:*:*pkg:maven/io.wcm/io.wcm.sling.commons@1.4.0 0Low36
io.wcm.sling.models-1.6.0.jarcpe:2.3:a:list_site_pro:list_site_pro:1.6.0:*:*:*:*:*:*:*pkg:maven/io.wcm/io.wcm.sling.models@1.6.0 0Low37
io.wcm.wcm.commons-1.9.0.jarcpe:2.3:a:list_site_pro:list_site_pro:1.9.0:*:*:*:*:*:*:*pkg:maven/io.wcm/io.wcm.wcm.commons@1.9.0 0Low39
javax.servlet-api-3.1.0.jarcpe:2.3:a:oracle:java_se:3.1.0:*:*:*:*:*:*:*pkg:maven/javax.servlet/javax.servlet-api@3.1.0 0Low37
jsp-api-2.1.jarpkg:maven/javax.servlet.jsp/jsp-api@2.1 021
org.osgi.framework-1.8.0.jarpkg:maven/org.osgi/org.osgi.framework@1.8.0 040
org.osgi.service.cm-1.6.0.jarpkg:maven/org.osgi/org.osgi.service.cm@1.6.0 039
org.osgi.util.tracker-1.5.1.jarpkg:maven/org.osgi/org.osgi.util.tracker@1.5.1 039
slf4j-api-1.7.25.jarpkg:maven/org.slf4j/slf4j-api@1.7.25 027

Dependencies

commons-lang3-3.6.jar

Description:

  Apache Commons Lang, a package of Java utility classes for the
  classes that are in java.lang's hierarchy, or are considered to be so
  standard as to justify existence in java.lang.
  

License:

https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/runner/.m2/repository/org/apache/commons/commons-lang3/3.6/commons-lang3-3.6.jar
MD5: 5d18f68b5122fd398c118df53ab4cf55
SHA1: 9d28a6b23650e8a7e9063c04588ace6cf7012c17
SHA256:89c27f03fff18d0b06e7afd7ef25e209766df95b6c1269d6c3ebbdea48d5f284
Referenced In Project/Scope:WCM Mock Helper:compile

Identifiers

guava-15.0.jar

Description:

    Guava is a suite of core and expanded libraries that include
    utility classes, google's collections, io classes, and much
    much more.

    Guava has two code dependencies - javax.annotation
    per the JSR-305 spec and javax.inject per the JSR-330 spec.
  

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/runner/.m2/repository/com/google/guava/guava/15.0/guava-15.0.jar
MD5: 2c10bb2ca3ac8b55b0e77e54a7eb3744
SHA1: ed727a8d9f247e2050281cb083f1c77b09dcb5cd
SHA256:7a34575770eebc60a5476616e3676a6cb6f2975c78c415e2a6014ac724ba5783
Referenced In Project/Scope:WCM Mock Helper:compile

Identifiers

CVE-2018-10237  

Unbounded memory allocation in Google Guava 11.0 through 24.x before 24.1.1 allows remote attackers to conduct denial of service attacks against servers that depend on this library and deserialize attacker-provided data, because the AtomicDoubleArray class (when serialized with Java serialization) and the CompoundOrdering class (when serialized with GWT serialization) perform eager allocation without appropriate checks on what a client has sent and whether the data size is reasonable.
CWE-770 Allocation of Resources Without Limits or Throttling

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:N/A:P
CVSSv3:
  • Base Score: MEDIUM (5.9)
  • Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

References:

Vulnerable Software & Versions: (show all)

CVE-2020-8908  

A temp directory creation vulnerability exists in all versions of Guava, allowing an attacker with access to the machine to potentially access data in a temporary directory created by the Guava API com.google.common.io.Files.createTempDir(). By default, on unix-like systems, the created directory is world-readable (readable by an attacker with access to the system). The method in question has been marked @Deprecated in versions 30.0 and later and should not be used. For Android developers, we recommend choosing a temporary directory API provided by Android, such as context.getCacheDir(). For other Java developers, we recommend migrating to the Java 7 API java.nio.file.Files.createTempDirectory() which explicitly configures permissions of 700, or configuring the Java runtime's java.io.tmpdir system property to point to a location whose permissions are appropriately configured.
CWE-732 Incorrect Permission Assignment for Critical Resource

CVSSv2:
  • Base Score: LOW (2.1)
  • Vector: /AV:L/AC:L/Au:N/C:P/I:N/A:N
CVSSv3:
  • Base Score: LOW (3.3)
  • Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

References:

Vulnerable Software & Versions: (show all)

io.wcm.sling.commons-1.4.0.jar

Description:

Common Sling utility and helper functions.

License:

"The Apache Software License, Version 2.0";link="http://www.apache.org/licenses/LICENSE-2.0.txt"
File Path: /home/runner/.m2/repository/io/wcm/io.wcm.sling.commons/1.4.0/io.wcm.sling.commons-1.4.0.jar
MD5: d62de019c010f8bc770e3779c2ef9b77
SHA1: 57bab1d2edf776d551f5c994b705add0fda569b7
SHA256:a6fcc35671f64d43f0a4253340e01655694a8e7fa60aed781410e9440dc053b2
Referenced In Project/Scope:WCM Mock Helper:compile

Identifiers

io.wcm.sling.models-1.6.0.jar

Description:

AEM Object Injector for Sling Models.

License:

"The Apache Software License, Version 2.0";link="http://www.apache.org/licenses/LICENSE-2.0.txt"
File Path: /home/runner/.m2/repository/io/wcm/io.wcm.sling.models/1.6.0/io.wcm.sling.models-1.6.0.jar
MD5: 11233d382ac989a7c00b69fe6191d0cc
SHA1: 06a9483c7502638bc25552917a20cdfb904c34bb
SHA256:eb19e7903e1cb3c9d98f9d70d68b0687c82923b70a3d6f84f435b358223c64fa
Referenced In Project/Scope:WCM Mock Helper:compile

Identifiers

io.wcm.wcm.commons-1.9.0.jar

Description:

Common WCM utility and helper functions.

License:

"The Apache Software License, Version 2.0";link="http://www.apache.org/licenses/LICENSE-2.0.txt"
File Path: /home/runner/.m2/repository/io/wcm/io.wcm.wcm.commons/1.9.0/io.wcm.wcm.commons-1.9.0.jar
MD5: 04799632ef83b8d9295c7328d5c0b247
SHA1: 15b79398cd63bbc02ff54a04a98cc04cc0b04d1c
SHA256:98b6e6915fbba4d4642bbf6500d590c430765a1e28279e86fb63546b24a97e98
Referenced In Project/Scope:WCM Mock Helper:compile

Identifiers

javax.servlet-api-3.1.0.jar

Description:

Java(TM) Servlet 3.1 API Design Specification

License:

CDDL + GPLv2 with classpath exception: https://glassfish.dev.java.net/nonav/public/CDDL+GPL.html
File Path: /home/runner/.m2/repository/javax/servlet/javax.servlet-api/3.1.0/javax.servlet-api-3.1.0.jar
MD5: 79de69e9f5ed8c7fcb8342585732bbf7
SHA1: 3cd63d075497751784b2fa84be59432f4905bf7c
SHA256:af456b2dd41c4e82cf54f3e743bc678973d9fe35bd4d3071fa05c7e5333b8482
Referenced In Project/Scope:WCM Mock Helper:compile

Identifiers

jsp-api-2.1.jar

File Path: /home/runner/.m2/repository/javax/servlet/jsp/jsp-api/2.1/jsp-api-2.1.jar
MD5: b8a34113a3a1ce29c8c60d7141f5a704
SHA1: 63f943103f250ef1f3a4d5e94d145a0f961f5316
SHA256:545f4e7dc678ffb4cf8bd0fd40b4a4470a409a787c0ea7d0ad2f08d56112987b
Referenced In Project/Scope:WCM Mock Helper:compile

Identifiers

org.osgi.framework-1.8.0.jar

Description:

OSGi Companion Code for org.osgi.framework Version 1.8.0.

License:

Apache License, Version 2.0: http://opensource.org/licenses/apache2.0.php
File Path: /home/runner/.m2/repository/org/osgi/org.osgi.framework/1.8.0/org.osgi.framework-1.8.0.jar
MD5: 1a40fb57099ef5530d25bc9600d509b1
SHA1: b54d03f9621136b7d9d93b5017b0a4fa490e78b0
SHA256:ec194b7871af27681716ff05259319a5c3c9b9727e8000e9e832499b93484b4e
Referenced In Project/Scope:WCM Mock Helper:compile

Identifiers

org.osgi.service.cm-1.6.0.jar

Description:

OSGi Companion Code for org.osgi.service.cm Version 1.6.0

License:

Apache-2.0: http://www.apache.org/licenses/LICENSE-2.0
File Path: /home/runner/.m2/repository/org/osgi/org.osgi.service.cm/1.6.0/org.osgi.service.cm-1.6.0.jar
MD5: b0756197dc4ce853b05e686ec0df8dbf
SHA1: f0c01d6da3799107b17f894ae7920cfd6fa69da6
SHA256:c1768352603abdeb18ca160ac8c712768f88d2e418fe4c5cf50845e783154233
Referenced In Project/Scope:WCM Mock Helper:compile

Identifiers

org.osgi.util.tracker-1.5.1.jar

Description:

OSGi Companion Code for org.osgi.util.tracker Version 1.5.1.

License:

Apache License, Version 2.0: http://opensource.org/licenses/apache2.0.php
File Path: /home/runner/.m2/repository/org/osgi/org.osgi.util.tracker/1.5.1/org.osgi.util.tracker-1.5.1.jar
MD5: fd34c8f47613e751a25aa7e627c7cc85
SHA1: 18c3821aa2e98b3e5aacf73b3833347a894a5053
SHA256:5efad34ab9a7753dcde1415b62e6e21e4dec83dfad5a570df485c1b931c1ebed
Referenced In Project/Scope:WCM Mock Helper:compile

Identifiers

slf4j-api-1.7.25.jar

Description:

The slf4j API

File Path: /home/runner/.m2/repository/org/slf4j/slf4j-api/1.7.25/slf4j-api-1.7.25.jar
MD5: caafe376afb7086dcbee79f780394ca3
SHA1: da76ca59f6a57ee3102f8f9bd9cee742973efa8a
SHA256:18c4a0095d5c1da6b817592e767bb23d29dd2f560ad74df75ff3961dbde25b79
Referenced In Project/Scope:WCM Mock Helper:compile

Identifiers



This report contains data retrieved from the National Vulnerability Database.
This report may contain data retrieved from the NPM Public Advisories.
This report may contain data retrieved from RetireJS.
This report may contain data retrieved from the Sonatype OSS Index.