Dependency-Check is an open source tool performing a best effort analysis of 3rd party dependencies; false positives and false negatives may exist in the analysis performed by the tool. Use of the tool and the reporting provided constitutes acceptance for use in an AS IS condition, and there are NO warranties, implied or otherwise, with regard to the analysis or its use. Any use of the tool and the reporting provided is at the user’s risk. In no event shall the copyright holder or OWASP be held liable for any damages whatsoever arising out of or in connection with the use of this tool, the analysis performed, or the resulting report.


Project: Sling-Initial-Content Transformation Maven Plugin

io.wcm.maven.plugins:sling-initial-content-transform-maven-plugin:1.0.1-SNAPSHOT


Summary


| Dependency | Vulnerability IDs | Package | Highest Severity | CVE Count | Confidence | Evidence Count |
|---|---|---|---|---|---|---|
| aether-api-0.9.0.M2.jar | | pkg:maven/org.eclipse.aether/aether-api@0.9.0.M2 | | 0 | | 26 |
| aether-impl-0.9.0.M2.jar | | pkg:maven/org.eclipse.aether/aether-impl@0.9.0.M2 | | 0 | | 26 |
| aether-spi-0.9.0.M2.jar | | pkg:maven/org.eclipse.aether/aether-spi@0.9.0.M2 | | 0 | | 26 |
| aether-util-0.9.0.M2.jar | | pkg:maven/org.eclipse.aether/aether-util@0.9.0.M2 | | 0 | | 28 |
| aopalliance-1.0.jar | | pkg:maven/aopalliance/aopalliance@1.0 | | 0 | | 19 |
| asm-3.3.1.jar | | pkg:maven/asm/asm@3.3.1 | | 0 | | 17 |
| cdi-api-1.0.jar | | pkg:maven/javax.enterprise/cdi-api@1.0 | | 0 | | 24 |
| commons-io-2.5.jar | `cpe:2.3:a:apache:commons_io:2.5:*:*:*:*:*:*:*` | pkg:maven/commons-io/commons-io@2.5 | MEDIUM | 1 | Highest | 40 |
| commons-lang3-3.6.jar | | pkg:maven/org.apache.commons/commons-lang3@3.6 | | 0 | | 41 |
| geronimo-json_1.1_spec-1.0.jar | | pkg:maven/org.apache.geronimo.specs/geronimo-json_1.1_spec@1.0 | | 0 | | 28 |
| guava-15.0.jar | `cpe:2.3:a:google:guava:15.0:*:*:*:*:*:*:*` | pkg:maven/com.google.guava/guava@15.0 | MEDIUM | 2 | Highest | 20 |
| io.wcm.tooling.commons.content-package-builder-1.6.2.jar | | pkg:maven/io.wcm.tooling.commons/io.wcm.tooling.commons.content-package-builder@1.6.2 | | 0 | | 33 |
| jackrabbit-api-2.16.0.jar | `cpe:2.3:a:apache:jackrabbit:2.16.0:*:*:*:*:*:*:*` | pkg:maven/org.apache.jackrabbit/jackrabbit-api@2.16.0 | | 0 | Highest | 29 |
| javax.inject-1.jar | | pkg:maven/javax.inject/javax.inject@1 | | 0 | | 19 |
| jcr-2.0.jar | | pkg:maven/javax.jcr/jcr@2.0 | | 0 | | 32 |
| johnzon-core-1.1.1.jar | | pkg:maven/org.apache.johnzon/johnzon-core@1.1.1 | | 0 | | 37 |
| jsr250-api-1.0.jar | | pkg:maven/javax.annotation/jsr250-api@1.0 | | 0 | | 19 |
| maven-aether-provider-3.1.0.jar | | pkg:maven/org.apache.maven/maven-aether-provider@3.1.0 | | 0 | | 27 |
| maven-artifact-3.1.0.jar | | pkg:maven/org.apache.maven/maven-artifact@3.1.0 | | 0 | | 27 |
| maven-core-3.1.0.jar | `cpe:2.3:a:apache:maven:3.1.0:*:*:*:*:*:*:*` | pkg:maven/org.apache.maven/maven-core@3.1.0 | CRITICAL | 1 | Highest | 25 |
| maven-model-3.1.0.jar | | pkg:maven/org.apache.maven/maven-model@3.1.0 | | 0 | | 27 |
| maven-model-builder-3.1.0.jar | | pkg:maven/org.apache.maven/maven-model-builder@3.1.0 | | 0 | | 33 |
| maven-plugin-api-3.1.0.jar | | pkg:maven/org.apache.maven/maven-plugin-api@3.1.0 | | 0 | | 27 |
| maven-repository-metadata-3.1.0.jar | | pkg:maven/org.apache.maven/maven-repository-metadata@3.1.0 | | 0 | | 27 |
| maven-settings-3.1.0.jar | | pkg:maven/org.apache.maven/maven-settings@3.1.0 | | 0 | | 27 |
| maven-settings-builder-3.1.0.jar | | pkg:maven/org.apache.maven/maven-settings-builder@3.1.0 | | 0 | | 27 |
| org.apache.jackrabbit.vault-3.1.44.jar | `cpe:2.3:a:apache:jackrabbit:3.1.44:*:*:*:*:*:*:*` | pkg:maven/org.apache.jackrabbit.vault/org.apache.jackrabbit.vault@3.1.44 | | 0 | Highest | 39 |
| org.apache.jackrabbit.vault-3.1.44.jar: jackrabbit-spi-2.16.1.jar | `cpe:2.3:a:apache:jackrabbit:2.16.1:*:*:*:*:*:*:*` | pkg:maven/org.apache.jackrabbit/jackrabbit-spi@2.16.1 | | 0 | Highest | 28 |
| org.apache.sling.commons.osgi-2.4.0.jar | `cpe:2.3:a:apache:sling:2.4.0:*:*:*:*:*:*:*` | pkg:maven/org.apache.sling/org.apache.sling.commons.osgi@2.4.0 | | 0 | Highest | 37 |
| org.apache.sling.contentparser.api-2.0.0.jar | `cpe:2.3:a:apache:sling:2.0.0:*:*:*:*:*:*:*`<br>`cpe:2.3:a:apache:sling_api:2.0.0:*:*:*:*:*:*:*` | pkg:maven/org.apache.sling/org.apache.sling.contentparser.api@2.0.0 | MEDIUM | 1 | Highest | 45 |
| org.apache.sling.contentparser.xml-2.0.0.jar | `cpe:2.3:a:apache:sling:2.0.0:*:*:*:*:*:*:*` | pkg:maven/org.apache.sling/org.apache.sling.contentparser.xml@2.0.0 | | 0 | Highest | 49 |
| org.eclipse.sisu.inject-0.0.0.M2a.jar | | pkg:maven/org.eclipse.sisu/org.eclipse.sisu.inject@0.0.0.M2a | | 0 | | 31 |
| org.eclipse.sisu.plexus-0.0.0.M2a.jar | | pkg:maven/org.eclipse.sisu/org.eclipse.sisu.plexus@0.0.0.M2a | | 0 | | 22 |
| plexus-cipher-1.4.jar | | pkg:maven/org.sonatype.plexus/plexus-cipher@1.4 | | 0 | | 30 |
| plexus-classworlds-2.4.2.jar | | pkg:maven/org.codehaus.plexus/plexus-classworlds@2.4.2 | | 0 | | 27 |
| plexus-component-annotations-1.5.5.jar | | pkg:maven/org.codehaus.plexus/plexus-component-annotations@1.5.5 | | 0 | | 29 |
| plexus-interpolation-1.16.jar | | pkg:maven/org.codehaus.plexus/plexus-interpolation@1.16 | | 0 | | 27 |
| plexus-sec-dispatcher-1.3.jar | | pkg:maven/org.sonatype.plexus/plexus-sec-dispatcher@1.3 | | 0 | | 30 |
| plexus-utils-3.0.10.jar | `cpe:2.3:a:plexus-utils_project:plexus-utils:3.0.10:*:*:*:*:*:*:*` | pkg:maven/org.codehaus.plexus/plexus-utils@3.0.10 | Unknown | 3 | Highest | 29 |
| sisu-guice-3.1.0-no_aop.jar | | pkg:maven/org.sonatype.sisu/sisu-guice@3.1.0 | | 0 | | 28 |

Dependencies

aether-api-0.9.0.M2.jar

Description:

    The application programming interface for the repository system.
  

License:

http://www.eclipse.org/legal/epl-v10.html
File Path: /home/runner/.m2/repository/org/eclipse/aether/aether-api/0.9.0.M2/aether-api-0.9.0.M2.jar
MD5: 4f45381e19be0eb964f3be5df6351b95
SHA1: 97662c999c6b2fbf2ee50e814a34639c1c1d22de
SHA256:e220097cffad96c2963ab12652ff8833ec6f40143d509f0a2ea59d22209b6ecd
Referenced In Project/Scope:Sling-Initial-Content Transformation Maven Plugin:compile


aether-impl-0.9.0.M2.jar

Description:

    An implementation of the repository system.
  

License:

http://www.eclipse.org/legal/epl-v10.html
File Path: /home/runner/.m2/repository/org/eclipse/aether/aether-impl/0.9.0.M2/aether-impl-0.9.0.M2.jar
MD5: ffc94e83df65abdc44580b4046ee3b8f
SHA1: eab9a4baae8de96a24c04219236363d0ca73e8a9
SHA256:637f5fb07d9b03957bc5f1a57b77a8202ba0a44f52a0d2c30e5d59b65e89ce48
Referenced In Project/Scope:Sling-Initial-Content Transformation Maven Plugin:compile


aether-spi-0.9.0.M2.jar

Description:

    The service provider interface for repository system implementations and repository connectors.
  

License:

http://www.eclipse.org/legal/epl-v10.html
File Path: /home/runner/.m2/repository/org/eclipse/aether/aether-spi/0.9.0.M2/aether-spi-0.9.0.M2.jar
MD5: 552d54d8bb3691eedd831b50bb87c309
SHA1: 3647d00620a91360990c9680f29fbcc22d69c2ee
SHA256:b7b78090d4e708ccbc42b039c8c36c8efb19296146584a14d5bb3e66935ddfe4
Referenced In Project/Scope:Sling-Initial-Content Transformation Maven Plugin:compile


aether-util-0.9.0.M2.jar

Description:

    A collection of utility classes to ease usage of the repository system.
  

License:

http://www.eclipse.org/legal/epl-v10.html
File Path: /home/runner/.m2/repository/org/eclipse/aether/aether-util/0.9.0.M2/aether-util-0.9.0.M2.jar
MD5: fc6315129d2e2063e2f2725e6337587f
SHA1: b957089deb654647da320ad7507b0a4b5ce23813
SHA256:7d62b0fdef90196ec4b2947f5973d750bfd3935785244e77cc06780131c404e9
Referenced In Project/Scope:Sling-Initial-Content Transformation Maven Plugin:compile


aopalliance-1.0.jar

Description:

AOP Alliance

License:

Public Domain
File Path: /home/runner/.m2/repository/aopalliance/aopalliance/1.0/aopalliance-1.0.jar
MD5: 04177054e180d09e3998808efa0401c7
SHA1: 0235ba8b489512805ac13a8f9ea77a1ca5ebe3e8
SHA256:0addec670fedcd3f113c5c8091d783280d23f75e3acb841b61a9cdb079376a08
Referenced In Project/Scope:Sling-Initial-Content Transformation Maven Plugin:compile


asm-3.3.1.jar

File Path: /home/runner/.m2/repository/asm/asm/3.3.1/asm-3.3.1.jar
MD5: 1ad1e8959324b0f680b8e62406955642
SHA1: 1d5f20b4ea675e6fab6ab79f1cd60ec268ddc015
SHA256:c2b39275f8e951bc74750080a1266cdabc39399bc5e13d642bf2d346449df7f3
Referenced In Project/Scope:Sling-Initial-Content Transformation Maven Plugin:compile


cdi-api-1.0.jar

Description:

APIs for JSR-299: Contexts and Dependency Injection for Java EE

File Path: /home/runner/.m2/repository/javax/enterprise/cdi-api/1.0/cdi-api-1.0.jar
MD5: 462c0959f0322016495f4598243bc0f2
SHA1: 44c453f60909dfc223552ace63e05c694215156b
SHA256:1f10b2204cc77c919301f20ff90461c3df1b6e6cb148be1c2d22107f4851d423
Referenced In Project/Scope:Sling-Initial-Content Transformation Maven Plugin:compile


commons-io-2.5.jar

Description:

The Apache Commons IO library contains utility classes, stream implementations, file filters, 
file comparators, endian transformation classes, and much more.
  

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/runner/.m2/repository/commons-io/commons-io/2.5/commons-io-2.5.jar
MD5: e2d74794fba570ec2115fb9d5b05dc9b
SHA1: 2852e6e05fbb95076fc091f6d1780f1f8fe35e0f
SHA256:a10418348d234968600ccb1d988efcbbd08716e1d96936ccc1880e7d22513474
Referenced In Project/Scope:Sling-Initial-Content Transformation Maven Plugin:compile


CVE-2021-29425  

In Apache Commons IO before 2.7, When invoking the method FileNameUtils.normalize with an improper input string, like "//../foo", or "\\..\foo", the result would be the same value, thus possibly providing access to files in the parent directory, but not further above (thus "limited" path traversal), if the calling code would use the result to construct a path value.
CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVSSv2:
  • Base Score: MEDIUM (5.8)
  • Vector: /AV:N/AC:M/Au:N/C:P/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (4.8)
  • Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N


commons-lang3-3.6.jar

Description:

  Apache Commons Lang, a package of Java utility classes for the
  classes that are in java.lang's hierarchy, or are considered to be so
  standard as to justify existence in java.lang.
  

License:

https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/runner/.m2/repository/org/apache/commons/commons-lang3/3.6/commons-lang3-3.6.jar
MD5: 5d18f68b5122fd398c118df53ab4cf55
SHA1: 9d28a6b23650e8a7e9063c04588ace6cf7012c17
SHA256:89c27f03fff18d0b06e7afd7ef25e209766df95b6c1269d6c3ebbdea48d5f284
Referenced In Project/Scope:Sling-Initial-Content Transformation Maven Plugin:compile


geronimo-json_1.1_spec-1.0.jar

Description:

Apache Geronimo implementation of the JSR-374

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/runner/.m2/repository/org/apache/geronimo/specs/geronimo-json_1.1_spec/1.0/geronimo-json_1.1_spec-1.0.jar
MD5: cebdac023b86830a21a119ce73a6eb76
SHA1: 9949887a93a1336e78cf424336a2008377f37851
SHA256:9277e9b259b62d9942cdfc39780d540459372aa5d4a50ae9ecff9e408b9814f2
Referenced In Project/Scope:Sling-Initial-Content Transformation Maven Plugin:compile


guava-15.0.jar

Description:

    Guava is a suite of core and expanded libraries that include
    utility classes, google's collections, io classes, and much
    much more.

    Guava has two code dependencies - javax.annotation
    per the JSR-305 spec and javax.inject per the JSR-330 spec.
  

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/runner/.m2/repository/com/google/guava/guava/15.0/guava-15.0.jar
MD5: 2c10bb2ca3ac8b55b0e77e54a7eb3744
SHA1: ed727a8d9f247e2050281cb083f1c77b09dcb5cd
SHA256:7a34575770eebc60a5476616e3676a6cb6f2975c78c415e2a6014ac724ba5783
Referenced In Project/Scope:Sling-Initial-Content Transformation Maven Plugin:compile


CVE-2018-10237  

Unbounded memory allocation in Google Guava 11.0 through 24.x before 24.1.1 allows remote attackers to conduct denial of service attacks against servers that depend on this library and deserialize attacker-provided data, because the AtomicDoubleArray class (when serialized with Java serialization) and the CompoundOrdering class (when serialized with GWT serialization) perform eager allocation without appropriate checks on what a client has sent and whether the data size is reasonable.
CWE-770 Allocation of Resources Without Limits or Throttling

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:N/A:P
CVSSv3:
  • Base Score: MEDIUM (5.9)
  • Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H


CVE-2020-8908  

A temp directory creation vulnerability exists in all versions of Guava, allowing an attacker with access to the machine to potentially access data in a temporary directory created by the Guava API com.google.common.io.Files.createTempDir(). By default, on unix-like systems, the created directory is world-readable (readable by an attacker with access to the system). The method in question has been marked @Deprecated in versions 30.0 and later and should not be used. For Android developers, we recommend choosing a temporary directory API provided by Android, such as context.getCacheDir(). For other Java developers, we recommend migrating to the Java 7 API java.nio.file.Files.createTempDirectory() which explicitly configures permissions of 700, or configuring the Java runtime's java.io.tmpdir system property to point to a location whose permissions are appropriately configured.
CWE-732 Incorrect Permission Assignment for Critical Resource

CVSSv2:
  • Base Score: LOW (2.1)
  • Vector: /AV:L/AC:L/Au:N/C:P/I:N/A:N
CVSSv3:
  • Base Score: LOW (3.3)
  • Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N


io.wcm.tooling.commons.content-package-builder-1.6.2.jar

Description:

Java Library for building AEM Content Packages with content pages and binary files.

License:

"The Apache Software License, Version 2.0";link="http://www.apache.org/licenses/LICENSE-2.0.txt"
File Path: /home/runner/.m2/repository/io/wcm/tooling/commons/io.wcm.tooling.commons.content-package-builder/1.6.2/io.wcm.tooling.commons.content-package-builder-1.6.2.jar
MD5: 06d8c580e8d1131bdf11c92f0356f63d
SHA1: 084e94c8cbf8cb66cffa93cf37adbf56de2cbc85
SHA256:56b05b612eafadabacadb0fd0cd94cbc276401b6966153e8d51c524160adc0c7
Referenced In Project/Scope:Sling-Initial-Content Transformation Maven Plugin:compile


jackrabbit-api-2.16.0.jar

Description:

Jackrabbit-specific extensions to the JCR API

License:

https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/runner/.m2/repository/org/apache/jackrabbit/jackrabbit-api/2.16.0/jackrabbit-api-2.16.0.jar
MD5: 4f66766e7153e75726867e49781346c4
SHA1: 0bda9c9da2ca4d6fc14918ebf7b5ab1f72e5a089
SHA256:51e881d990efef071ea6f201fce7e6c660f359faa10873106017098a506e0953
Referenced In Project/Scope:Sling-Initial-Content Transformation Maven Plugin:compile


javax.inject-1.jar

Description:

The javax.inject API

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/runner/.m2/repository/javax/inject/javax.inject/1/javax.inject-1.jar
MD5: 289075e48b909e9e74e6c915b3631d2e
SHA1: 6975da39a7040257bd51d21a231b76c915872d38
SHA256:91c77044a50c481636c32d916fd89c9118a72195390452c81065080f957de7ff
Referenced In Project/Scope:Sling-Initial-Content Transformation Maven Plugin:compile


jcr-2.0.jar

Description:

        The Content Repository API for Java™ Technology Version 2.0 is specified by JSR-283.
        This module contains the complete API as specified.
    

License:

Day Specification License: http://www.day.com/dam/day/downloads/jsr283/day-spec-license.htm
Day Specification License addendum: http://www.day.com/content/dam/day/downloads/jsr283/LICENSE.txt
File Path: /home/runner/.m2/repository/javax/jcr/jcr/2.0/jcr-2.0.jar
MD5: ede5e78b16c8ed298ce0b6d296584ebd
SHA1: 08297216bcfe4aea369ed6ee0d1718133f752e97
SHA256:cbf083bc58cb88a0c19112187a4c52d3115f525b5bb7f2913635f5679e6e9743
Referenced In Project/Scope:Sling-Initial-Content Transformation Maven Plugin:compile


johnzon-core-1.1.1.jar

Description:

Apache Johnzon is an implementation of JSR-353 (Java™ API for JSON Processing).

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/runner/.m2/repository/org/apache/johnzon/johnzon-core/1.1.1/johnzon-core-1.1.1.jar
MD5: 382db6f05ae30248c43ad2c5ace1f527
SHA1: 72a57f53f160a6cbadef1ea25fe3843206bc8aa4
SHA256:bf0d0785e942b57071bf3f68e635ce6a38189bd382a6ef14a190d2f859532318
Referenced In Project/Scope:Sling-Initial-Content Transformation Maven Plugin:compile


jsr250-api-1.0.jar

Description:

JSR-250 Reference Implementation by Glassfish

License:

COMMON DEVELOPMENT AND DISTRIBUTION LICENSE (CDDL) Version 1.0: https://glassfish.dev.java.net/public/CDDLv1.0.html
File Path: /home/runner/.m2/repository/javax/annotation/jsr250-api/1.0/jsr250-api-1.0.jar
MD5: 4cd56b2e4977e541186de69f5126b4a6
SHA1: 5025422767732a1ab45d93abfea846513d742dcf
SHA256:a1a922d0d9b6d183ed3800dfac01d1e1eb159f0e8c6f94736931c1def54a941f
Referenced In Project/Scope:Sling-Initial-Content Transformation Maven Plugin:compile


maven-aether-provider-3.1.0.jar

Description:

Extensions to Aether for utilizing Maven POM and repository metadata.

File Path: /home/runner/.m2/repository/org/apache/maven/maven-aether-provider/3.1.0/maven-aether-provider-3.1.0.jar
MD5: 223a5fac960a7398aa3c6607f8da4558
SHA1: dda2231a2be2768109d474805c702b76a8e794e6
SHA256:ec5edc09f3cc4d4e23c7f8a1105b520d63498f5a18bd00b8d3833aa38d3f136e
Referenced In Project/Scope:Sling-Initial-Content Transformation Maven Plugin:compile


maven-artifact-3.1.0.jar

File Path: /home/runner/.m2/repository/org/apache/maven/maven-artifact/3.1.0/maven-artifact-3.1.0.jar
MD5: d8facb86c908e0977b21b1e83746e342
SHA1: 446e6a69fee5b7f2b0f498c0e4dfbd38f740a8f9
SHA256:7f8a8ca4b2df5f81918fab2b9231a008f470d88ec54ddcbe38474bbf21b7571e
Referenced In Project/Scope:Sling-Initial-Content Transformation Maven Plugin:compile


maven-core-3.1.0.jar

Description:

Maven Core classes.

File Path: /home/runner/.m2/repository/org/apache/maven/maven-core/3.1.0/maven-core-3.1.0.jar
MD5: 67c1cd4fa81ff39826826f46e88f420f
SHA1: 3aca07a1e496f1fb9c0d2d950b6aac7779c67b98
SHA256:603cea35d0812036f68c48d02a20af674db2235ce9d251ecb96fe72df07be8fe
Referenced In Project/Scope:Sling-Initial-Content Transformation Maven Plugin:compile


CVE-2021-26291  

Apache Maven will follow repositories that are defined in a dependency’s Project Object Model (pom) which may be surprising to some users, resulting in potential risk if a malicious actor takes over that repository or is able to insert themselves into a position to pretend to be that repository. Maven is changing the default behavior in 3.8.1+ to no longer follow http (non-SSL) repository references by default. More details available in the referenced urls. If you are currently using a repository manager to govern the repositories used by your builds, you are unaffected by the risks present in the legacy behavior, and are unaffected by this vulnerability and change to default behavior. See this link for more information about repository management: https://maven.apache.org/repository-management.html
CWE-346 Origin Validation Error

CVSSv2:
  • Base Score: MEDIUM (6.4)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:N
CVSSv3:
  • Base Score: CRITICAL (9.1)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N


maven-model-3.1.0.jar

Description:

Model for Maven POM (Project Object Model)

File Path: /home/runner/.m2/repository/org/apache/maven/maven-model/3.1.0/maven-model-3.1.0.jar
MD5: f632d28a057446fa533d08e877100b3b
SHA1: 82b2f097c1cc9a8d0e6b99af5e56327d5002c30f
SHA256:f9f7ad6301942d385fc79ed0615a7d5f06dbda60dee70b709e679624313e642a
Referenced In Project/Scope:Sling-Initial-Content Transformation Maven Plugin:compile


maven-model-builder-3.1.0.jar

Description:

The effective model builder, with inheritance, profile activation, interpolation, ...

File Path: /home/runner/.m2/repository/org/apache/maven/maven-model-builder/3.1.0/maven-model-builder-3.1.0.jar
MD5: 0affc5812b09809c99ddb077f615dc21
SHA1: 13ba294cedb659c3851f0c2980af7f44bcc6a8e0
SHA256:45f437ef89851578e7d230c873b7aa766147e807100a044e7d17213f0a8ac2e5
Referenced In Project/Scope:Sling-Initial-Content Transformation Maven Plugin:compile


maven-plugin-api-3.1.0.jar

Description:

The API for plugins - Mojos - development.

File Path: /home/runner/.m2/repository/org/apache/maven/maven-plugin-api/3.1.0/maven-plugin-api-3.1.0.jar
MD5: 3a2af8945d7b2ae38ca33a97f60a9611
SHA1: 8821fd1b81c6b960f7ce39f5dde612c665146fd8
SHA256:c6e743680d5ca55a39652f14777181fadf98b6cfef870c3985996f2a5cd0bf6d
Referenced In Project/Scope:Sling-Initial-Content Transformation Maven Plugin:compile


maven-repository-metadata-3.1.0.jar

Description:

Per-directory local and remote repository metadata.

File Path: /home/runner/.m2/repository/org/apache/maven/maven-repository-metadata/3.1.0/maven-repository-metadata-3.1.0.jar
MD5: ae0f6b92d5a03661cd47df621c4eee6c
SHA1: 77bb2c383b1654b158cf9f905f4105d9d522fc7e
SHA256:1f98b8b101fea1167d3d5dfd6439757bd96f79e62388323af258fddc1e60382e
Referenced In Project/Scope:Sling-Initial-Content Transformation Maven Plugin:compile


maven-settings-3.1.0.jar

Description:

Maven Settings model.

File Path: /home/runner/.m2/repository/org/apache/maven/maven-settings/3.1.0/maven-settings-3.1.0.jar
MD5: b18f33545dacd6f3860930934c3dd30d
SHA1: 032c65d957271cb15ae3c93c883ab7e6aca39138
SHA256:a44bb2a6c8571269a06ab8efba046fd319af34c4985deda66512dc1e648f301a
Referenced In Project/Scope:Sling-Initial-Content Transformation Maven Plugin:compile


maven-settings-builder-3.1.0.jar

Description:

The effective settings builder, with inheritance and password decryption.

File Path: /home/runner/.m2/repository/org/apache/maven/maven-settings-builder/3.1.0/maven-settings-builder-3.1.0.jar
MD5: eb9de409fb60d13e107b094a1764d3c3
SHA1: ab0e825308fb8862d6d2b6fecea80c0d06c48407
SHA256:d73d0740f1ae3f903eaac1e9f69229068d8ffd60e6afe84e64cc6bad42de2ff2
Referenced In Project/Scope:Sling-Initial-Content Transformation Maven Plugin:compile


org.apache.jackrabbit.vault-3.1.44.jar

Description:

        Builds an OSGi bundle for the file vault parts
    

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/runner/.m2/repository/org/apache/jackrabbit/vault/org.apache.jackrabbit.vault/3.1.44/org.apache.jackrabbit.vault-3.1.44.jar
MD5: 6fcbf022b81ce371d7c31d06d1a147ba
SHA1: 10b5306bf2432bfd8a4ec3b18007eff383985808
SHA256:42d903a39f2b8c4003f9c58510abb049655399157cfc760540a58daf35273735
Referenced In Project/Scope:Sling-Initial-Content Transformation Maven Plugin:compile


org.apache.jackrabbit.vault-3.1.44.jar: jackrabbit-spi-2.16.1.jar

Description:

The Apache Jackrabbit™ content repository is a fully conforming implementation of the Content Repository for Java Technology API (JCR, specified in JSR 170 and 283). A content repository is a hierarchical content store with support for structured and unstructured content, full text search, versioning, transactions, observation, and more. Apache Jackrabbit is a project of the Apache Software Foundation.

License:

https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/runner/.m2/repository/org/apache/jackrabbit/vault/org.apache.jackrabbit.vault/3.1.44/org.apache.jackrabbit.vault-3.1.44.jar/jackrabbit-spi-2.16.1.jar
MD5: 34af186319cfc56397ae5374275b7255
SHA1: d8fa398bc1ef0d943a94c0b93bf000705fd5c13d
SHA256:4b09b47b7fe69f12c2d9f61d9bc97a3881b140d79c22453e32e84b95edf8b006
Referenced In Project/Scope:Sling-Initial-Content Transformation Maven Plugin:compile


org.apache.sling.commons.osgi-2.4.0.jar

Description:

Commons OSGi

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/runner/.m2/repository/org/apache/sling/org.apache.sling.commons.osgi/2.4.0/org.apache.sling.commons.osgi-2.4.0.jar
MD5: eee508e63a7721b33b9a9f5a402f02fd
SHA1: 8a7f6ebd0694eb4f1f44620e3615f483194d51c8
SHA256:4a97362b8eb38ac23b423d5fd91e0eb9ad34cb44135ecd0fb3fbb57094fa5072
Referenced In Project/Scope:Sling-Initial-Content Transformation Maven Plugin:compile


org.apache.sling.contentparser.api-2.0.0.jar

Description:

        API for parsing Apache Sling Resource trees stored in files (e.g. JSON, FileVault XML, etc.)
    

License:

"Apache License, Version 2.0";link="https://www.apache.org/licenses/LICENSE-2.0.txt"
File Path: /home/runner/.m2/repository/org/apache/sling/org.apache.sling.contentparser.api/2.0.0/org.apache.sling.contentparser.api-2.0.0.jar
MD5: 3eb906352a0f03504e360574db4df6be
SHA1: be6dca46a31df6abe3836fbba7b9d21681aa495d
SHA256:4dbbe0d338c13d2152fce5a31ce3b138b202746b0dcbdea4dd76c6c46ed6a46c
Referenced In Project/Scope:Sling-Initial-Content Transformation Maven Plugin:compile


CVE-2015-2944  

Multiple cross-site scripting (XSS) vulnerabilities in Apache Sling API before 2.2.2 and Apache Sling Servlets Post before 2.1.2 allow remote attackers to inject arbitrary web script or HTML via the URI, related to (1) org/apache/sling/api/servlets/HtmlResponse and (2) org/apache/sling/servlets/post/HtmlResponse.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N


org.apache.sling.contentparser.xml-2.0.0.jar

Description:

        Apache Sling Content Parser for resource trees stored in XML files
    

License:

"Apache License, Version 2.0";link="https://www.apache.org/licenses/LICENSE-2.0.txt"
File Path: /home/runner/.m2/repository/org/apache/sling/org.apache.sling.contentparser.xml/2.0.0/org.apache.sling.contentparser.xml-2.0.0.jar
MD5: 25060bc2347d0af12fca0d3b0c2cf535
SHA1: 26ec54dd8adcc1b7fd2ec20d19c3da007d897e69
SHA256:579de30af29953b457134f926be8d155fc86abeb083ff9e0b2470f8b726c9c26
Referenced In Project/Scope:Sling-Initial-Content Transformation Maven Plugin:compile


org.eclipse.sisu.inject-0.0.0.M2a.jar

License:

http://www.eclipse.org/legal/epl-v10.html
File Path: /home/runner/.m2/repository/org/eclipse/sisu/org.eclipse.sisu.inject/0.0.0.M2a/org.eclipse.sisu.inject-0.0.0.M2a.jar
MD5: 6112d58a332b93e86b63aacc66200477
SHA1: 17941e32c751179a9628b25f54ce5641edafb9be
SHA256:3e745c61748a4780839cbc6c0b10854abae3be26f3cf283a00bc002d2ed98bd1
Referenced In Project/Scope:Sling-Initial-Content Transformation Maven Plugin:compile


org.eclipse.sisu.plexus-0.0.0.M2a.jar

File Path: /home/runner/.m2/repository/org/eclipse/sisu/org.eclipse.sisu.plexus/0.0.0.M2a/org.eclipse.sisu.plexus-0.0.0.M2a.jar
MD5: ad12584ce30edeacab4a6c32f4afd9b9
SHA1: 07510dc8dfe27a0b57c17601bc760b7b0c8f95fa
SHA256:03df90434ddf1851924dd9ba4d5f22aff7b134265fe9c7ecdb59d9b1dc3c1987
Referenced In Project/Scope:Sling-Initial-Content Transformation Maven Plugin:compile


plexus-cipher-1.4.jar

File Path: /home/runner/.m2/repository/org/sonatype/plexus/plexus-cipher/1.4/plexus-cipher-1.4.jar
MD5: 7b2d6fcf0d5800d5b1ce09d98d98dcaf
SHA1: 50ade46f23bb38cd984b4ec560c46223432aac38
SHA256:5a15fdba22669e0fdd06e10dcce6320879e1f7398fbc910cd0677b50672a78c4
Referenced In Project/Scope:Sling-Initial-Content Transformation Maven Plugin:compile


plexus-classworlds-2.4.2.jar

Description:

A class loader framework

File Path: /home/runner/.m2/repository/org/codehaus/plexus/plexus-classworlds/2.4.2/plexus-classworlds-2.4.2.jar
MD5: e5e410378fb6c1c355c279d5e9b87f56
SHA1: e006f28662eba33d91d1c5e342e0bd66f8e9da18
SHA256:c7cf8ef0b2d82fe1bb6e3fbcc2bab993118220f289548ce9b61a07ac47ec9826
Referenced In Project/Scope:Sling-Initial-Content Transformation Maven Plugin:compile


plexus-component-annotations-1.5.5.jar

Description:

    Plexus Component "Java 5" Annotations, to describe plexus components properties in java sources with
    standard annotations instead of javadoc annotations.
  

File Path: /home/runner/.m2/repository/org/codehaus/plexus/plexus-component-annotations/1.5.5/plexus-component-annotations-1.5.5.jar
MD5: ef37dcdb84030422db428b63c4354e5b
SHA1: c72f2660d0cbed24246ddb55d7fdc4f7374d2078
SHA256:4df7a6a7be64b35bbccf60b5c115697f9ea3421d22674ae67135dde375fcca1f
Referenced In Project/Scope:Sling-Initial-Content Transformation Maven Plugin:compile


plexus-interpolation-1.16.jar

File Path: /home/runner/.m2/repository/org/codehaus/plexus/plexus-interpolation/1.16/plexus-interpolation-1.16.jar
MD5: 17124c31e7f9b739688b31ef47fee6c0
SHA1: a868d4a603bd42c9dee67890c4e60e360a11838c
SHA256:bc4053a078ec83523a010c321c0d6852b43ddc4e076a6500b8bc133b6c69e561
Referenced In Project/Scope:Sling-Initial-Content Transformation Maven Plugin:compile


plexus-sec-dispatcher-1.3.jar

File Path: /home/runner/.m2/repository/org/sonatype/plexus/plexus-sec-dispatcher/1.3/plexus-sec-dispatcher-1.3.jar
MD5: 53160199f5667de3fca69b723173639b
SHA1: dedc02034fb8fcd7615d66593228cb71709134b4
SHA256:3b0559bb8432f28937efe6ca193ef54a8506d0075d73fd7406b9b116c6a11063
Referenced In Project/Scope:Sling-Initial-Content Transformation Maven Plugin:compile


plexus-utils-3.0.10.jar

Description:

A collection of various utility classes to ease working with strings, files, command lines, XML and
    more.
  

File Path: /home/runner/.m2/repository/org/codehaus/plexus/plexus-utils/3.0.10/plexus-utils-3.0.10.jar
MD5: b8e14dd6e93c8f34888846dcac492160
SHA1: 65e6460a49460d2ca038f8644ff9ae6d878733b8
SHA256:9fc0794062be85c3606000b326ea0339e8620d15949cb96a254b85a8f958e955
Referenced In Project/Scope:Sling-Initial-Content Transformation Maven Plugin:compile


CVE-2017-1000487  

Plexus-utils before 3.0.16 is vulnerable to command injection because it does not correctly process the contents of double quoted strings.
CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

CVSSv2:
  • Base Score: HIGH (7.5)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H


Directory traversal in org.codehaus.plexus.util.Expand (OSSINDEX)  

> org.codehaus.plexus.util.Expand does not guard against directory traversal, but such protection is generally expected from unarchiving tools.
>
> -- [github.com](https://github.com/codehaus-plexus/plexus-utils/issues/4)

Unscored:
  • Severity: Unknown


Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:org.codehaus.plexus:plexus-utils:3.0.10:*:*:*:*:*:*:*

Possible XML Injection (OSSINDEX)  

> `org.codehaus.plexus.util.xml.XmlWriterUtil#writeComment(XMLWriter, String, int, int, int)` does not check if the comment includes a `"-->"` sequence. This means that text contained in the command string could be interpreted as XML, possibly leading to XML injection issues, depending on how this method is being called.
>
> -- [github.com](https://github.com/codehaus-plexus/plexus-utils/issues/3)

Unscored:
  • Severity: Unknown


Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:org.codehaus.plexus:plexus-utils:3.0.10:*:*:*:*:*:*:*

sisu-guice-3.1.0-no_aop.jar

Description:

Patched build of Guice: a lightweight dependency injection framework for Java 5 and above

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/runner/.m2/repository/org/sonatype/sisu/sisu-guice/3.1.0/sisu-guice-3.1.0-no_aop.jar
MD5: 19f877ae736fa153a545d0cf801dcec9
SHA1: 97c87d15d749c86b2be1b9809b28321a1d926c7f
SHA256:4b76079f35407e5682aac1ecbe67afd5f430ae619044a9d6a413666a45750c25
Referenced In Project/Scope:Sling-Initial-Content Transformation Maven Plugin:compile




This report contains data retrieved from the National Vulnerability Database.
This report may contain data retrieved from the NPM Public Advisories.
This report may contain data retrieved from RetireJS.
This report may contain data retrieved from the Sonatype OSS Index.