Dependency-Check is an open source tool performing a best effort analysis of 3rd party dependencies; false positives and false negatives may exist in the analysis performed by the tool. Use of the tool and the reporting provided constitutes acceptance for use in an AS IS condition, and there are NO warranties, implied or otherwise, with regard to the analysis or its use. Any use of the tool and the reporting provided is at the user’s risk. In no event shall the copyright holder or OWASP be held liable for any damages whatsoever arising out of or in connection with the use of this tool, the analysis performed, or the resulting report.


Project: CRX Package Manager Helper

io.wcm.tooling.commons:io.wcm.tooling.commons.crx-packmgr-helper:1.7.5-SNAPSHOT

Scan Information:

Summary

Display: all 21 scanned dependencies are listed below; 2 of them (commons-io-2.5.jar and jdom2-2.0.6.jar) have published CVEs.

Dependency | Vulnerability IDs | Package | Highest Severity | CVE Count | Confidence | Evidence Count
commons-codec-1.10.jar | | pkg:maven/commons-codec/commons-codec@1.10 | | 0 | | 40
commons-compress-1.21.jar | cpe:2.3:a:apache:commons_compress:1.21:*:*:*:*:*:*:* | pkg:maven/org.apache.commons/commons-compress@1.21 | | 0 | Highest | 45
commons-io-2.5.jar | cpe:2.3:a:apache:commons_io:2.5:*:*:*:*:*:*:* | pkg:maven/commons-io/commons-io@2.5 | MEDIUM | 1 | Highest | 40
commons-lang3-3.6.jar | | pkg:maven/org.apache.commons/commons-lang3@3.6 | | 0 | | 41
commons-logging-1.2.jar | | pkg:maven/commons-logging/commons-logging@1.2 | | 0 | | 36
httpclient-4.5.13.jar | cpe:2.3:a:apache:httpclient:4.5.13:*:*:*:*:*:*:* | pkg:maven/org.apache.httpcomponents/httpclient@4.5.13 | | 0 | Highest | 34
httpcore-4.4.14.jar | | pkg:maven/org.apache.httpcomponents/httpcore@4.4.14 | | 0 | | 34
httpmime-4.5.13.jar | | pkg:maven/org.apache.httpcomponents/httpmime@4.5.13 | | 0 | | 32
jackrabbit-api-2.19.3.jar | cpe:2.3:a:apache:jackrabbit:2.19.3:*:*:*:*:*:*:* | pkg:maven/org.apache.jackrabbit/jackrabbit-api@2.19.3 | | 0 | Highest | 29
jaxen-1.1.6.jar | | pkg:maven/jaxen/jaxen@1.1.6 | | 0 | | 26
jcr-2.0.jar | | pkg:maven/javax.jcr/jcr@2.0 | | 0 | | 32
jdom2-2.0.6.jar | cpe:2.3:a:jdom:jdom:2.0.6:*:*:*:*:*:*:* | pkg:maven/org.jdom/jdom2@2.0.6 | HIGH | 1 | Highest | 53
json-20140107.jar | | pkg:maven/org.json/json@20140107 | | 0 | | 22
maven-artifact-3.8.1.jar | | pkg:maven/org.apache.maven/maven-artifact@3.8.1 | | 0 | | 28
org.apache.jackrabbit.vault-3.5.6.jar | cpe:2.3:a:apache:jackrabbit:3.5.6:*:*:*:*:*:*:* | pkg:maven/org.apache.jackrabbit.vault/org.apache.jackrabbit.vault@3.5.6 | | 0 | Highest | 47
plexus-utils-3.2.1.jar | cpe:2.3:a:plexus-utils_project:plexus-utils:3.2.1:*:*:*:*:*:*:* | pkg:maven/org.codehaus.plexus/plexus-utils@3.2.1 | | 0 | Highest | 27
stax2-api-4.2.jar | | pkg:maven/org.codehaus.woodstox/stax2-api@4.2 | | 0 | | 48
txw2-2.3.2.jar | | pkg:maven/org.glassfish.jaxb/txw2@2.3.2 | | 0 | | 34
woodstox-core-6.1.1.jar | | pkg:maven/com.fasterxml.woodstox/woodstox-core@6.1.1 | | 0 | | 41
woodstox-core-6.1.1.jar (shaded: com.sun.xml.bind.jaxb:isorelax:20090621) | | pkg:maven/com.sun.xml.bind.jaxb/isorelax@20090621 | | 0 | | 12
woodstox-core-6.1.1.jar (shaded: net.java.dev.msv:xsdlib:2013.6.1) | | pkg:maven/net.java.dev.msv/xsdlib@2013.6.1 | | 0 | | 9

Dependencies

commons-codec-1.10.jar

Description:

The Apache Commons Codec package contains simple encoders and decoders for
various formats such as Base64 and Hexadecimal. In addition to these
widely used encoders and decoders, the codec package also maintains a
collection of phonetic encoding utilities.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/runner/.m2/repository/commons-codec/commons-codec/1.10/commons-codec-1.10.jar
MD5: 353cf6a2bdba09595ccfa073b78c7fcb
SHA1: 4b95f4897fa13f2cd904aee711aeafc0c5295cd8
SHA256:4241dfa94e711d435f29a4604a3e2de5c4aa3c165e23bd066be6fc1fc4309569
Referenced In Project/Scope:CRX Package Manager Helper:compile

Identifiers
  • pkg:maven/commons-codec/commons-codec@1.10

commons-compress-1.21.jar

Description:

Apache Commons Compress software defines an API for working with
compression and archive formats.  These include: bzip2, gzip, pack200,
lzma, xz, Snappy, traditional Unix Compress, DEFLATE, DEFLATE64, LZ4,
Brotli, Zstandard and ar, cpio, jar, tar, zip, dump, 7z, arj.
  

License:

https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/runner/.m2/repository/org/apache/commons/commons-compress/1.21/commons-compress-1.21.jar
MD5: 2a713d10331bc4e13459a3dc0463f16f
SHA1: 4ec95b60d4e86b5c95a0e919cb172a0af98011ef
SHA256:6aecfd5459728a595601cfa07258d131972ffc39b492eb48bdd596577a2f244a
Referenced In Project/Scope:CRX Package Manager Helper:compile

Identifiers
  • cpe:2.3:a:apache:commons_compress:1.21:*:*:*:*:*:*:* (confidence: Highest)
  • pkg:maven/org.apache.commons/commons-compress@1.21

commons-io-2.5.jar

Description:

The Apache Commons IO library contains utility classes, stream implementations, file filters, 
file comparators, endian transformation classes, and much more.
  

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/runner/.m2/repository/commons-io/commons-io/2.5/commons-io-2.5.jar
MD5: e2d74794fba570ec2115fb9d5b05dc9b
SHA1: 2852e6e05fbb95076fc091f6d1780f1f8fe35e0f
SHA256:a10418348d234968600ccb1d988efcbbd08716e1d96936ccc1880e7d22513474
Referenced In Project/Scope:CRX Package Manager Helper:compile

Identifiers
  • cpe:2.3:a:apache:commons_io:2.5:*:*:*:*:*:*:* (confidence: Highest)
  • pkg:maven/commons-io/commons-io@2.5

CVE-2021-29425

In Apache Commons IO before 2.7, when invoking the method FilenameUtils.normalize with an improper input string, like "//../foo" or "\\..\foo", the result would be the same value, thus possibly providing access to files in the parent directory, but not further above (thus "limited" path traversal), if the calling code would use the result to construct a path value.
CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVSSv2:
  • Base Score: MEDIUM (5.8)
  • Vector: AV:N/AC:M/Au:N/C:P/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (4.8)
  • Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

References:

Vulnerable Software & Versions: cpe:2.3:a:apache:commons_io:2.5:*:*:*:*:*:*:* (affected: versions before 2.7, per the description above)
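The path-traversal shape CVE-2021-29425 describes, as an added example that is not part of the CRX Package Manager Helper project or of commons-io. It assumes commons-io 2.5 (the version in this report) on the classpath; the class name, the base directory and the user inputs are constructed for the example. It shows a hypothetical download handler that trusts FilenameUtils.normalize to strip "..", beside a JDK-only check that confines the resolved path to the base directory regardless of how the library treats odd prefixes.

```java
import java.nio.file.InvalidPathException;
import java.nio.file.Path;
import java.nio.file.Paths;
import org.apache.commons.io.FilenameUtils;

// Hypothetical download handler (added example, not project code).
// Assumes commons-io 2.5 on the classpath.
public final class SafeResolveExample {

    // Vulnerable pattern: the caller trusts normalize() to remove "..".
    // On commons-io before 2.7, normalize("//../foo") treats ".." as a UNC
    // host name and returns the input unchanged, so the ".." survives into
    // the joined path and points one level above baseDir.
    static Path resolveTrustingNormalize(String baseDir, String userPath) {
        String normalized = FilenameUtils.normalize(userPath);
        if (normalized == null) {
            // normalize() does return null for plain "../x" traversal
            throw new IllegalArgumentException("invalid path: " + userPath);
        }
        // Paths.get joins the segments: "/srv/packages" + "//../foo"
        // becomes /srv/packages/../foo, i.e. /srv/foo once the OS resolves it.
        return Paths.get(baseDir, normalized);
    }

    // Hardened pattern: resolve against the base, canonicalise with
    // Path.normalize(), then require the result to stay under the base.
    static Path resolveConfined(String baseDir, String userPath) {
        Path base = Paths.get(baseDir).toAbsolutePath().normalize();
        Path resolved;
        try {
            // An absolute userPath such as "//../foo" replaces the base in
            // resolve(); the startsWith check below then rejects it.
            resolved = base.resolve(userPath).normalize();
        } catch (InvalidPathException e) {
            throw new SecurityException("rejected path: " + userPath, e);
        }
        if (!resolved.startsWith(base)) {
            throw new SecurityException("path escapes base directory: " + userPath);
        }
        return resolved;
    }

    public static void main(String[] args) {
        String base = "/srv/packages";          // constructed base directory
        String[] inputs = {                      // constructed user inputs
            "reports/q1.zip",                    // benign
            "//../foo",                          // the CVE-2021-29425 shape
            "../../etc/passwd"                   // plain traversal
        };
        for (String in : inputs) {
            try {
                System.out.printf("%-18s normalize-based -> %s%n", in, resolveTrustingNormalize(base, in));
            } catch (IllegalArgumentException e) {
                System.out.printf("%-18s normalize-based -> REJECTED (%s)%n", in, e.getMessage());
            }
            try {
                System.out.printf("%-18s confined        -> %s%n", in, resolveConfined(base, in));
            } catch (SecurityException e) {
                System.out.printf("%-18s confined        -> REJECTED (%s)%n", in, e.getMessage());
            }
        }
    }
}
```

Run on a Unix JVM, the normalize-based branch rejects "../../etc/passwd" but accepts "//../foo" and hands back a path under /srv rather than /srv/packages; the confined branch rejects both escapes and only lets the benign relative path through. The startsWith check is the control to keep even after upgrading commons-io to 2.7 or later, since it does not depend on library behaviour.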

commons-lang3-3.6.jar

Description:

  Apache Commons Lang, a package of Java utility classes for the
  classes that are in java.lang's hierarchy, or are considered to be so
  standard as to justify existence in java.lang.
  

License:

https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/runner/.m2/repository/org/apache/commons/commons-lang3/3.6/commons-lang3-3.6.jar
MD5: 5d18f68b5122fd398c118df53ab4cf55
SHA1: 9d28a6b23650e8a7e9063c04588ace6cf7012c17
SHA256:89c27f03fff18d0b06e7afd7ef25e209766df95b6c1269d6c3ebbdea48d5f284
Referenced In Project/Scope:CRX Package Manager Helper:compile

Identifiers
  • pkg:maven/org.apache.commons/commons-lang3@3.6

commons-logging-1.2.jar

Description:

Apache Commons Logging is a thin adapter allowing configurable bridging to other,
    well known logging systems.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/runner/.m2/repository/commons-logging/commons-logging/1.2/commons-logging-1.2.jar
MD5: 040b4b4d8eac886f6b4a2a3bd2f31b00
SHA1: 4bfc12adfe4842bf07b657f0369c4cb522955686
SHA256:daddea1ea0be0f56978ab3006b8ac92834afeefbd9b7e4e6316fca57df0fa636
Referenced In Project/Scope:CRX Package Manager Helper:compile

Identifiers
  • pkg:maven/commons-logging/commons-logging@1.2

httpclient-4.5.13.jar

Description:

   Apache HttpComponents Client
  

File Path: /home/runner/.m2/repository/org/apache/httpcomponents/httpclient/4.5.13/httpclient-4.5.13.jar
MD5: 40d6b9075fbd28fa10292a45a0db9457
SHA1: e5f6cae5ca7ecaac1ec2827a9e2d65ae2869cada
SHA256:6fe9026a566c6a5001608cf3fc32196641f6c1e5e1986d1037ccdbd5f31ef743
Referenced In Project/Scope:CRX Package Manager Helper:compile

Identifiers
  • cpe:2.3:a:apache:httpclient:4.5.13:*:*:*:*:*:*:* (confidence: Highest)
  • pkg:maven/org.apache.httpcomponents/httpclient@4.5.13

httpcore-4.4.14.jar

Description:

   Apache HttpComponents Core (blocking I/O)
  

File Path: /home/runner/.m2/repository/org/apache/httpcomponents/httpcore/4.4.14/httpcore-4.4.14.jar
MD5: 2b3991eda121042765a5ee299556c200
SHA1: 9dd1a631c082d92ecd4bd8fd4cf55026c720a8c1
SHA256:f956209e450cb1d0c51776dfbd23e53e9dd8db9a1298ed62b70bf0944ba63b28
Referenced In Project/Scope:CRX Package Manager Helper:compile

Identifiers
  • pkg:maven/org.apache.httpcomponents/httpcore@4.4.14

httpmime-4.5.13.jar

Description:

   Apache HttpComponents HttpClient - MIME coded entities
  

File Path: /home/runner/.m2/repository/org/apache/httpcomponents/httpmime/4.5.13/httpmime-4.5.13.jar
MD5: 3f0c1ef2c9dc47b62b780192f54b0c18
SHA1: efc110bad4a0d45cda7858e6beee1d8a8313da5a
SHA256:06e754d99245b98dcc2860dcb43d20e737d650da2bf2077a105f68accbd5c5cc
Referenced In Project/Scope:CRX Package Manager Helper:compile

Identifiers
  • pkg:maven/org.apache.httpcomponents/httpmime@4.5.13

jackrabbit-api-2.19.3.jar

Description:

Jackrabbit-specific extensions to the JCR API

License:

https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/runner/.m2/repository/org/apache/jackrabbit/jackrabbit-api/2.19.3/jackrabbit-api-2.19.3.jar
MD5: 70fa2dc7695900e62e96aea2792f3a3a
SHA1: 8503de04a71ea05b680692d47bfe8a185ec5f4d0
SHA256:045be6c97e17c771bbe885d6d0308722bb540b5bf693322a96aadb976de7aa5a
Referenced In Project/Scope:CRX Package Manager Helper:compile

Identifiers
  • cpe:2.3:a:apache:jackrabbit:2.19.3:*:*:*:*:*:*:* (confidence: Highest)
  • pkg:maven/org.apache.jackrabbit/jackrabbit-api@2.19.3

jaxen-1.1.6.jar

Description:

Jaxen is a universal Java XPath engine.

License:

http://jaxen.codehaus.org/license.html
File Path: /home/runner/.m2/repository/jaxen/jaxen/1.1.6/jaxen-1.1.6.jar
MD5: a140517286b56eea981e188dcc3a13f6
SHA1: 3f8c36d9a0578e8e98f030c662b69888b1430ac0
SHA256:5ac9c74bbb3964b34a886ba6b1b6c0b0dc3ebeebc1dc4a44942a76634490b3eb
Referenced In Project/Scope:CRX Package Manager Helper:compile

Identifiers
  • pkg:maven/jaxen/jaxen@1.1.6

jcr-2.0.jar

Description:

The Content Repository API for Java™ Technology Version 2.0 is specified by JSR-283.
This module contains the complete API as specified.

License:

Day Specification License: http://www.day.com/dam/day/downloads/jsr283/day-spec-license.htm
Day Specification License addendum: http://www.day.com/content/dam/day/downloads/jsr283/LICENSE.txt
File Path: /home/runner/.m2/repository/javax/jcr/jcr/2.0/jcr-2.0.jar
MD5: ede5e78b16c8ed298ce0b6d296584ebd
SHA1: 08297216bcfe4aea369ed6ee0d1718133f752e97
SHA256:cbf083bc58cb88a0c19112187a4c52d3115f525b5bb7f2913635f5679e6e9743
Referenced In Project/Scope:CRX Package Manager Helper:compile

Identifiers
  • pkg:maven/javax.jcr/jcr@2.0

jdom2-2.0.6.jar

Description:

A complete, Java-based solution for accessing, manipulating,
and outputting XML data

License:

Similar to Apache License but with the acknowledgment clause removed: https://raw.github.com/hunterhacker/jdom/master/LICENSE.txt
File Path: /home/runner/.m2/repository/org/jdom/jdom2/2.0.6/jdom2-2.0.6.jar
MD5: 86a30c9b1ddc08ca155747890db423b7
SHA1: 6f14738ec2e9dd0011e343717fa624a10f8aab64
SHA256:1345f11ba606d15603d6740551a8c21947c0215640770ec67271fe78bea97cf5
Referenced In Project/Scope:CRX Package Manager Helper:compile

Identifiers
  • cpe:2.3:a:jdom:jdom:2.0.6:*:*:*:*:*:*:* (confidence: Highest)
  • pkg:maven/org.jdom/jdom2@2.0.6

CVE-2021-33813  

An XXE issue in SAXBuilder in JDOM through 2.0.6 allows attackers to cause a denial of service via a crafted HTTP request.
CWE-611 Improper Restriction of XML External Entity Reference ('XXE')

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References:

Vulnerable Software & Versions: cpe:2.3:a:jdom:jdom:2.0.6:*:*:*:*:*:*:* (affected: versions through 2.0.6, per the description above)
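A hardened parser configuration for the CWE-611 issue CVE-2021-33813 describes, as an added example that is not part of the project or of JDOM. It assumes JDOM 2.0.6 (the version in this report) and the JDK's built-in SAX parser on the classpath; the class name and the XXE document are constructed for the example. It places a SAXBuilder with the defaults the advisory concerns beside one that refuses DOCTYPE declarations and external entities, and confirms that a benign document still parses.

```java
import java.io.IOException;
import java.io.StringReader;
import org.jdom2.Document;
import org.jdom2.JDOMException;
import org.jdom2.input.SAXBuilder;
import org.jdom2.input.sax.XMLReaders;

// Added example, not project code. Assumes JDOM 2.0.6 on the classpath.
public final class HardenedSaxBuilderExample {

    // Constructed document: an external entity pointing at a local file
    // plus an internal entity to be expanded. These are the inputs
    // CWE-611 is about; nothing here is taken from a real package.
    static final String CONSTRUCTED_XXE_DOC =
          "<?xml version=\"1.0\"?>\n"
        + "<!DOCTYPE pkg [\n"
        + "  <!ENTITY ext SYSTEM \"file:///etc/hostname\">\n"
        + "  <!ENTITY a \"aaaaaaaaaa\">\n"
        + "]>\n"
        + "<pkg><name>&ext;</name><note>&a;&a;&a;</note></pkg>\n";

    // Default SAXBuilder on JDOM 2.0.6: DOCTYPE and entity declarations
    // are honoured, so a crafted document can make the parser fetch
    // external resources or spend unbounded time/memory on expansion.
    static Document parseWithDefaults(String xml) throws JDOMException, IOException {
        SAXBuilder builder = new SAXBuilder();
        return builder.build(new StringReader(xml));
    }

    // Hardened builder: refuse DOCTYPE outright, and additionally switch
    // off external entities and JDOM-side expansion for XMLReader
    // implementations that do not support disallow-doctype-decl.
    static SAXBuilder hardenedBuilder() {
        SAXBuilder builder = new SAXBuilder(XMLReaders.NONVALIDATING);
        builder.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        builder.setFeature("http://xml.org/sax/features/external-general-entities", false);
        builder.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        builder.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        builder.setExpandEntities(false);
        return builder;
    }

    static Document parseHardened(String xml) throws JDOMException, IOException {
        return hardenedBuilder().build(new StringReader(xml));
    }

    public static void main(String[] args) throws IOException {
        // The crafted document must be rejected before any entity is touched.
        try {
            parseHardened(CONSTRUCTED_XXE_DOC);
            System.out.println("UNEXPECTED: hardened parser accepted a DOCTYPE");
        } catch (JDOMException expected) {
            System.out.println("hardened parser rejected the document: " + expected.getMessage());
        }
        // A benign document without a DOCTYPE still parses normally.
        try {
            Document ok = parseHardened("<pkg><name>demo</name></pkg>");
            System.out.println("root element: " + ok.getRootElement().getName());
        } catch (JDOMException e) {
            throw new IllegalStateException("benign document should parse", e);
        }
    }
}
```

The feature URIs are the standard SAX and Xerces ones that the JDK's bundled parser understands; disallow-doctype-decl alone stops both the external-entity fetch and the entity-expansion denial of service, and the remaining flags cover readers that do not implement it. Configuration hardening does not replace the upgrade: the upstream fix for CVE-2021-33813 shipped in JDOM 2.0.6.1.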

json-20140107.jar

Description:

JSON is a light-weight, language independent, data interchange format.
See http://www.JSON.org/

The files in this package implement JSON encoders/decoders in Java.
It also includes the capability to convert between JSON and XML, HTTP
headers, Cookies, and CDL.

This is a reference implementation. There is a large number of JSON packages
in Java. Perhaps someday the Java community will standardize on one. Until
then, choose carefully.

The license includes this restriction: "The software shall be used for good,
not evil." If your conscience cannot live with that, then choose a different
package.

The package compiles on Java 1.2 thru Java 1.4.

License:

The JSON License: http://json.org/license.html
File Path: /home/runner/.m2/repository/org/json/json/20140107/json-20140107.jar
MD5: 8ca2437d3dbbaa2e76195adedfd901f4
SHA1: d1ffca6e2482b002702c6a576166fd685e3370e3
SHA256:8e5aa0a368bee60347b5a4ad861d9f68c7793f60deeea89efd449eb70d5ae622
Referenced In Project/Scope:CRX Package Manager Helper:compile

Identifiers
  • pkg:maven/org.json/json@20140107

maven-artifact-3.8.1.jar

File Path: /home/runner/.m2/repository/org/apache/maven/maven-artifact/3.8.1/maven-artifact-3.8.1.jar
MD5: 6f07d7c18fb630df205d8175fe37b74e
SHA1: 114a2dd16c4c568bf0ca57719b83f2685dcc5734
SHA256:9dbd3db15ac4816471e72981cb06ef90f3ffa8be6628dddf7135f7bd69bee0c0
Referenced In Project/Scope:CRX Package Manager Helper:compile

Identifiers
  • pkg:maven/org.apache.maven/maven-artifact@3.8.1

org.apache.jackrabbit.vault-3.5.6.jar

Description:

The core classes of Apache Jackrabbit FileVault

License:

Apache License, Version 2.0: https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/runner/.m2/repository/org/apache/jackrabbit/vault/org.apache.jackrabbit.vault/3.5.6/org.apache.jackrabbit.vault-3.5.6.jar
MD5: 7311cb5a35268eb640213d16658cefa1
SHA1: 936eb3333d7389aa59b635669ad8867643c9eda2
SHA256:961bb956259edfc3cb08766d88e1508573613b6f085e5b98cb7710caf49df761
Referenced In Project/Scope:CRX Package Manager Helper:compile

Identifiers
  • cpe:2.3:a:apache:jackrabbit:3.5.6:*:*:*:*:*:*:* (confidence: Highest)
  • pkg:maven/org.apache.jackrabbit.vault/org.apache.jackrabbit.vault@3.5.6

plexus-utils-3.2.1.jar

Description:

A collection of various utility classes to ease working with strings, files, command lines, XML and
    more.
  

File Path: /home/runner/.m2/repository/org/codehaus/plexus/plexus-utils/3.2.1/plexus-utils-3.2.1.jar
MD5: a1b7cb2baeae4bb4c3a016417d5d3cb0
SHA1: 13b015768e0d04849d2794e4c47eb02d01a0de32
SHA256:8d07b497bb8deb167ee5329cae87ef2043833bf52e4f15a5a9379cec447a5b2b
Referenced In Project/Scope:CRX Package Manager Helper:compile

Identifiers
  • cpe:2.3:a:plexus-utils_project:plexus-utils:3.2.1:*:*:*:*:*:*:* (confidence: Highest)
  • pkg:maven/org.codehaus.plexus/plexus-utils@3.2.1

stax2-api-4.2.jar

Description:

Stax2 API is an extension to the basic Stax 1.0 API that adds significant new functionality, such as a full-featured bi-directional validation interface and a high-performance Typed Access API.

License:

The BSD License: http://www.opensource.org/licenses/bsd-license.php
File Path: /home/runner/.m2/repository/org/codehaus/woodstox/stax2-api/4.2/stax2-api-4.2.jar
MD5: 5d22fe6dbb276d1fd6dab40c386a4f0a
SHA1: 13c2b30926bca0429c704c4b4ca0b5d0432b69cd
SHA256:badf6081a0bb526fd2c01951dfefad91b6846b6dd0eb0048587e30d1dd334e68
Referenced In Project/Scope:CRX Package Manager Helper:compile

Identifiers
  • pkg:maven/org.codehaus.woodstox/stax2-api@4.2

txw2-2.3.2.jar

Description:

        TXW is a library that allows you to write XML documents.
    

File Path: /home/runner/.m2/repository/org/glassfish/jaxb/txw2/2.3.2/txw2-2.3.2.jar
MD5: 3f278f148c5d27dc608c25cb7d093b94
SHA1: ce5be7da2e442c25ec14c766cb60cb802741727b
SHA256:4a6a9f483388d461b81aa9a28c685b8b74c0597993bf1884b04eddbca95f48fe
Referenced In Project/Scope:CRX Package Manager Helper:compile

Identifiers
  • pkg:maven/org.glassfish.jaxb/txw2@2.3.2

woodstox-core-6.1.1.jar

Description:

        Woodstox is a high-performance XML processor that
        implements Stax (JSR-173), SAX2 and Stax2 APIs
    

License:

The Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/runner/.m2/repository/com/fasterxml/woodstox/woodstox-core/6.1.1/woodstox-core-6.1.1.jar
MD5: 992e39013de489a1373f14b7e153f9da
SHA1: 989bb31963ed1758b95c7c4381a91592a9a8df61
SHA256:f250662a245570fdd49c6916c1c3cd3d6511a8e5cd0d7460e989844b1d66ed67
Referenced In Project/Scope:CRX Package Manager Helper:compile

Identifiers
  • pkg:maven/com.fasterxml.woodstox/woodstox-core@6.1.1

woodstox-core-6.1.1.jar (shaded: com.sun.xml.bind.jaxb:isorelax:20090621)

Description:

Unknown version of isorelax library used in JAXB project

File Path: /home/runner/.m2/repository/com/fasterxml/woodstox/woodstox-core/6.1.1/woodstox-core-6.1.1.jar/META-INF/maven/com.sun.xml.bind.jaxb/isorelax/pom.xml
MD5: 6fbb4bc95fbf2072bc6e3b790553fe81
SHA1: 314ec72948d5c1fc71d553cbbd7a130caa6f9f13
SHA256:cda6451d0231a973352b592ff950e39224ba6ba1a2f35eeab66511b5c225dff1
Referenced In Project/Scope:CRX Package Manager Helper:compile

Identifiers
  • pkg:maven/com.sun.xml.bind.jaxb/isorelax@20090621

woodstox-core-6.1.1.jar (shaded: net.java.dev.msv:xsdlib:2013.6.1)

Description:

XML Schema datatypes library

File Path: /home/runner/.m2/repository/com/fasterxml/woodstox/woodstox-core/6.1.1/woodstox-core-6.1.1.jar/META-INF/maven/net.java.dev.msv/xsdlib/pom.xml
MD5: aaf872ed9d1aabee25e03c2a132ffd8e
SHA1: 47f218a999411ed028f089d59ebef8f14e0fe914
SHA256:d6e83c124436049d83238fc532a26c5d8ccd7e4ab10eba6d96043c850ac82f3c
Referenced In Project/Scope:CRX Package Manager Helper:compile

Identifiers
  • pkg:maven/net.java.dev.msv/xsdlib@2013.6.1



This report contains data retrieved from the National Vulnerability Database.
This report may contain data retrieved from the NPM Public Advisories.
This report may contain data retrieved from RetireJS.
This report may contain data retrieved from the Sonatype OSS Index.