Dependency-Check is an open source tool performing a best effort analysis of 3rd party dependencies; false positives and false negatives may exist in the analysis performed by the tool. Use of the tool and the reporting provided constitutes acceptance for use in an AS IS condition, and there are NO warranties, implied or otherwise, with regard to the analysis or its use. Any use of the tool and the reporting provided is at the user’s risk. In no event shall the copyright holder or OWASP be held liable for any damages whatsoever arising out of or in connection with the use of this tool, the analysis performed, or the resulting report.


Project: Content Package Maven Plugin

io.wcm.maven.plugins:wcmio-content-package-maven-plugin:1.8.5-SNAPSHOT

Scan Information:

Summary


Dependency | Vulnerability IDs | Package | Highest Severity | CVE Count | Confidence | Evidence Count
aether-api-1.13.1.jar | - | pkg:maven/org.sonatype.aether/aether-api@1.13.1 | - | 0 | - | 24
aether-impl-1.13.1.jar | - | pkg:maven/org.sonatype.aether/aether-impl@1.13.1 | - | 0 | - | 27
aether-spi-1.13.1.jar | - | pkg:maven/org.sonatype.aether/aether-spi@1.13.1 | - | 0 | - | 27
aether-util-1.13.1.jar | - | pkg:maven/org.sonatype.aether/aether-util@1.13.1 | - | 0 | - | 28
commons-codec-1.10.jar | - | pkg:maven/commons-codec/commons-codec@1.10 | - | 0 | - | 40
commons-compress-1.21.jar | cpe:2.3:a:apache:commons_compress:1.21:*:*:*:*:*:*:* | pkg:maven/org.apache.commons/commons-compress@1.21 | - | 0 | Highest | 45
commons-io-2.5.jar | cpe:2.3:a:apache:commons_io:2.5:*:*:*:*:*:*:* | pkg:maven/commons-io/commons-io@2.5 | MEDIUM | 1 | Highest | 40
commons-lang3-3.6.jar | - | pkg:maven/org.apache.commons/commons-lang3@3.6 | - | 0 | - | 41
commons-logging-1.2.jar | - | pkg:maven/commons-logging/commons-logging@1.2 | - | 0 | - | 36
httpclient-4.5.13.jar | cpe:2.3:a:apache:httpclient:4.5.13:*:*:*:*:*:*:* | pkg:maven/org.apache.httpcomponents/httpclient@4.5.13 | - | 0 | Highest | 34
httpcore-4.4.14.jar | - | pkg:maven/org.apache.httpcomponents/httpcore@4.4.14 | - | 0 | - | 34
httpmime-4.5.13.jar | - | pkg:maven/org.apache.httpcomponents/httpmime@4.5.13 | - | 0 | - | 32
io.wcm.tooling.commons.crx-packmgr-helper-1.7.5-SNAPSHOT.jar | - | pkg:maven/io.wcm.tooling.commons/io.wcm.tooling.commons.crx-packmgr-helper@1.7.5-SNAPSHOT | - | 0 | - | 31
jackrabbit-api-2.19.3.jar | cpe:2.3:a:apache:jackrabbit:2.19.3:*:*:*:*:*:*:* | pkg:maven/org.apache.jackrabbit/jackrabbit-api@2.19.3 | - | 0 | Highest | 29
jaxen-1.1.6.jar | - | pkg:maven/jaxen/jaxen@1.1.6 | - | 0 | - | 26
jcl-over-slf4j-1.7.32.jar | - | pkg:maven/org.slf4j/jcl-over-slf4j@1.7.32 | - | 0 | - | 33
jcr-2.0.jar | - | pkg:maven/javax.jcr/jcr@2.0 | - | 0 | - | 32
jdom2-2.0.6.jar | cpe:2.3:a:jdom:jdom:2.0.6:*:*:*:*:*:*:* | pkg:maven/org.jdom/jdom2@2.0.6 | HIGH | 1 | Highest | 53
json-20140107.jar | - | pkg:maven/org.json/json@20140107 | - | 0 | - | 22
maven-aether-provider-3.0.5.jar | - | pkg:maven/org.apache.maven/maven-aether-provider@3.0.5 | - | 0 | - | 27
maven-archiver-3.1.1.jar | - | pkg:maven/org.apache.maven/maven-archiver@3.1.1 | - | 0 | - | 30
maven-artifact-3.0.5.jar | - | pkg:maven/org.apache.maven/maven-artifact@3.0.5 | - | 0 | - | 27
maven-core-3.0.5.jar | cpe:2.3:a:apache:maven:3.0.5:*:*:*:*:*:*:* | pkg:maven/org.apache.maven/maven-core@3.0.5 | CRITICAL | 1 | Highest | 25
maven-model-3.0.5.jar | - | pkg:maven/org.apache.maven/maven-model@3.0.5 | - | 0 | - | 27
maven-model-builder-3.0.5.jar | - | pkg:maven/org.apache.maven/maven-model-builder@3.0.5 | - | 0 | - | 33
maven-plugin-api-3.0.5.jar | - | pkg:maven/org.apache.maven/maven-plugin-api@3.0.5 | - | 0 | - | 27
maven-repository-metadata-3.0.5.jar | - | pkg:maven/org.apache.maven/maven-repository-metadata@3.0.5 | - | 0 | - | 27
maven-settings-3.0.5.jar | - | pkg:maven/org.apache.maven/maven-settings@3.0.5 | - | 0 | - | 27
maven-settings-builder-3.0.5.jar | - | pkg:maven/org.apache.maven/maven-settings-builder@3.0.5 | - | 0 | - | 27
maven-shared-utils-3.0.1.jar | - | pkg:maven/org.apache.maven.shared/maven-shared-utils@3.0.1 | - | 0 | - | 32
org.apache.jackrabbit.vault-3.5.6.jar | cpe:2.3:a:apache:jackrabbit:3.5.6:*:*:*:*:*:*:* | pkg:maven/org.apache.jackrabbit.vault/org.apache.jackrabbit.vault@3.5.6 | - | 0 | Highest | 47
plexus-archiver-3.4.jar | cpe:2.3:a:plexus-archiver_project:plexus-archiver:3.4:*:*:*:*:*:*:* | pkg:maven/org.codehaus.plexus/plexus-archiver@3.4 | MEDIUM | 1 | Highest | 27
plexus-cipher-1.4.jar | - | pkg:maven/org.sonatype.plexus/plexus-cipher@1.4 | - | 0 | - | 30
plexus-classworlds-2.4.jar | - | pkg:maven/org.codehaus.plexus/plexus-classworlds@2.4 | - | 0 | - | 27
plexus-component-annotations-1.5.5.jar | - | pkg:maven/org.codehaus.plexus/plexus-component-annotations@1.5.5 | - | 0 | - | 29
plexus-interpolation-1.14.jar | - | pkg:maven/org.codehaus.plexus/plexus-interpolation@1.14 | - | 0 | - | 27
plexus-io-2.7.1.jar | - | pkg:maven/org.codehaus.plexus/plexus-io@2.7.1 | - | 0 | - | 30
plexus-sec-dispatcher-1.3.jar | - | pkg:maven/org.sonatype.plexus/plexus-sec-dispatcher@1.3 | - | 0 | - | 30
plexus-utils-2.0.6.jar | cpe:2.3:a:plexus-utils_project:plexus-utils:2.0.6:*:*:*:*:*:*:* | pkg:maven/org.codehaus.plexus/plexus-utils@2.0.6 | Unknown | 3 | Highest | 29
sisu-guava-0.9.9.jar | cpe:2.3:a:google:guava:0.9.9:*:*:*:*:*:*:* | pkg:maven/org.sonatype.sisu/sisu-guava@0.9.9 | LOW | 1 | Low | 26
sisu-guice-3.1.0-no_aop.jar | - | pkg:maven/org.sonatype.sisu/sisu-guice@3.1.0 | - | 0 | - | 28
sisu-inject-bean-2.3.0.jar | - | pkg:maven/org.sonatype.sisu/sisu-inject-bean@2.3.0 | - | 0 | - | 39
sisu-inject-plexus-2.3.0.jar | - | pkg:maven/org.sonatype.sisu/sisu-inject-plexus@2.3.0 | - | 0 | - | 31
slf4j-api-1.7.25.jar | - | pkg:maven/org.slf4j/slf4j-api@1.7.25 | - | 0 | - | 27
snappy-0.4.jar | - | pkg:maven/org.iq80.snappy/snappy@0.4 | - | 0 | - | 20
stax2-api-4.2.jar | - | pkg:maven/org.codehaus.woodstox/stax2-api@4.2 | - | 0 | - | 48
txw2-2.3.2.jar | - | pkg:maven/org.glassfish.jaxb/txw2@2.3.2 | - | 0 | - | 34
woodstox-core-6.1.1.jar | - | pkg:maven/com.fasterxml.woodstox/woodstox-core@6.1.1 | - | 0 | - | 41
woodstox-core-6.1.1.jar (shaded: com.sun.xml.bind.jaxb:isorelax:20090621) | - | pkg:maven/com.sun.xml.bind.jaxb/isorelax@20090621 | - | 0 | - | 12
woodstox-core-6.1.1.jar (shaded: net.java.dev.msv:xsdlib:2013.6.1) | - | pkg:maven/net.java.dev.msv/xsdlib@2013.6.1 | - | 0 | - | 9

Dependencies

aether-api-1.13.1.jar

Description:

The application programming interface for the repository system.

File Path: /home/runner/.m2/repository/org/sonatype/aether/aether-api/1.13.1/aether-api-1.13.1.jar
MD5: 6438f4b31d3f3220d88edc16abdc3721
SHA1: e48292eae5e14ec44978aa53debb1af7ddd6df93
SHA256:ae8dc80232771f8913febfa410c5719e9ba8ded81fb99788e214fd676dbbe13f
Referenced In Project/Scope:Content Package Maven Plugin:compile

Identifiers

aether-impl-1.13.1.jar

Description:

An implementation of the repository system.

File Path: /home/runner/.m2/repository/org/sonatype/aether/aether-impl/1.13.1/aether-impl-1.13.1.jar
MD5: 4236e1586cfdd28f032bcf71293f6bb1
SHA1: ba2656934fa7c0f20c0c3882873dc705e16ae201
SHA256:865511994805827e88f327944a089142bb7f3d88cde271ba3dceb732cb137a93
Referenced In Project/Scope:Content Package Maven Plugin:compile

Identifiers

aether-spi-1.13.1.jar

Description:

The service provider interface for repository system implementations and repository connectors.

File Path: /home/runner/.m2/repository/org/sonatype/aether/aether-spi/1.13.1/aether-spi-1.13.1.jar
MD5: 3f1881f890062e779fa27aa9a6789ceb
SHA1: c62b02d2a5a3939fded72039dd83e5b8ed42d45e
SHA256:d5de4e299be5a79feb1dbe8ff3814034c6e44314b4c00b92ffa8d97576ded5b3
Referenced In Project/Scope:Content Package Maven Plugin:compile

Identifiers

aether-util-1.13.1.jar

Description:

A collection of utility classes to ease usage of the repository system.

File Path: /home/runner/.m2/repository/org/sonatype/aether/aether-util/1.13.1/aether-util-1.13.1.jar
MD5: 119757ef761de4a43c763622dcb1f56e
SHA1: c8487ceb499b9ced96694731810acd1a70e13aca
SHA256:687799a0ce988bee9e8eb9ae0ba870300adc0114248ad4a4327bdb625d27e010
Referenced In Project/Scope:Content Package Maven Plugin:compile

Identifiers

commons-codec-1.10.jar

Description:

The Apache Commons Codec package contains simple encoders and decoders for various formats such as Base64 and Hexadecimal. In addition to these widely used encoders and decoders, the codec package also maintains a collection of phonetic encoding utilities.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/runner/.m2/repository/commons-codec/commons-codec/1.10/commons-codec-1.10.jar
MD5: 353cf6a2bdba09595ccfa073b78c7fcb
SHA1: 4b95f4897fa13f2cd904aee711aeafc0c5295cd8
SHA256:4241dfa94e711d435f29a4604a3e2de5c4aa3c165e23bd066be6fc1fc4309569
Referenced In Project/Scope:Content Package Maven Plugin:compile

Identifiers

commons-compress-1.21.jar

Description:

Apache Commons Compress software defines an API for working with compression and archive formats. These include: bzip2, gzip, pack200, lzma, xz, Snappy, traditional Unix Compress, DEFLATE, DEFLATE64, LZ4, Brotli, Zstandard and ar, cpio, jar, tar, zip, dump, 7z, arj.

License:

https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/runner/.m2/repository/org/apache/commons/commons-compress/1.21/commons-compress-1.21.jar
MD5: 2a713d10331bc4e13459a3dc0463f16f
SHA1: 4ec95b60d4e86b5c95a0e919cb172a0af98011ef
SHA256:6aecfd5459728a595601cfa07258d131972ffc39b492eb48bdd596577a2f244a
Referenced In Project/Scope:Content Package Maven Plugin:compile

Identifiers

commons-io-2.5.jar

Description:

The Apache Commons IO library contains utility classes, stream implementations, file filters, file comparators, endian transformation classes, and much more.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/runner/.m2/repository/commons-io/commons-io/2.5/commons-io-2.5.jar
MD5: e2d74794fba570ec2115fb9d5b05dc9b
SHA1: 2852e6e05fbb95076fc091f6d1780f1f8fe35e0f
SHA256:a10418348d234968600ccb1d988efcbbd08716e1d96936ccc1880e7d22513474
Referenced In Project/Scope:Content Package Maven Plugin:compile

Identifiers

CVE-2021-29425

In Apache Commons IO before 2.7, when invoking the method FileNameUtils.normalize with an improper input string, like "//../foo", or "\\..\foo", the result would be the same value, thus possibly providing access to files in the parent directory, but not further above (thus "limited" path traversal), if the calling code would use the result to construct a path value.
CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVSSv2:
  • Base Score: MEDIUM (5.8)
  • Vector: AV:N/AC:M/Au:N/C:P/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (4.8)
  • Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

References:

Vulnerable Software & Versions:

commons-lang3-3.6.jar

Description:

Apache Commons Lang, a package of Java utility classes for the classes that are in java.lang's hierarchy, or are considered to be so standard as to justify existence in java.lang.

License:

https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/runner/.m2/repository/org/apache/commons/commons-lang3/3.6/commons-lang3-3.6.jar
MD5: 5d18f68b5122fd398c118df53ab4cf55
SHA1: 9d28a6b23650e8a7e9063c04588ace6cf7012c17
SHA256:89c27f03fff18d0b06e7afd7ef25e209766df95b6c1269d6c3ebbdea48d5f284
Referenced In Project/Scope:Content Package Maven Plugin:compile

Identifiers

commons-logging-1.2.jar

Description:

Apache Commons Logging is a thin adapter allowing configurable bridging to other, well known logging systems.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/runner/.m2/repository/commons-logging/commons-logging/1.2/commons-logging-1.2.jar
MD5: 040b4b4d8eac886f6b4a2a3bd2f31b00
SHA1: 4bfc12adfe4842bf07b657f0369c4cb522955686
SHA256:daddea1ea0be0f56978ab3006b8ac92834afeefbd9b7e4e6316fca57df0fa636
Referenced In Project/Scope:Content Package Maven Plugin:compile

Identifiers

httpclient-4.5.13.jar

Description:

Apache HttpComponents Client

File Path: /home/runner/.m2/repository/org/apache/httpcomponents/httpclient/4.5.13/httpclient-4.5.13.jar
MD5: 40d6b9075fbd28fa10292a45a0db9457
SHA1: e5f6cae5ca7ecaac1ec2827a9e2d65ae2869cada
SHA256:6fe9026a566c6a5001608cf3fc32196641f6c1e5e1986d1037ccdbd5f31ef743
Referenced In Project/Scope:Content Package Maven Plugin:compile

Identifiers

httpcore-4.4.14.jar

Description:

Apache HttpComponents Core (blocking I/O)

File Path: /home/runner/.m2/repository/org/apache/httpcomponents/httpcore/4.4.14/httpcore-4.4.14.jar
MD5: 2b3991eda121042765a5ee299556c200
SHA1: 9dd1a631c082d92ecd4bd8fd4cf55026c720a8c1
SHA256:f956209e450cb1d0c51776dfbd23e53e9dd8db9a1298ed62b70bf0944ba63b28
Referenced In Project/Scope:Content Package Maven Plugin:compile

Identifiers

httpmime-4.5.13.jar

Description:

Apache HttpComponents HttpClient - MIME coded entities

File Path: /home/runner/.m2/repository/org/apache/httpcomponents/httpmime/4.5.13/httpmime-4.5.13.jar
MD5: 3f0c1ef2c9dc47b62b780192f54b0c18
SHA1: efc110bad4a0d45cda7858e6beee1d8a8313da5a
SHA256:06e754d99245b98dcc2860dcb43d20e737d650da2bf2077a105f68accbd5c5cc
Referenced In Project/Scope:Content Package Maven Plugin:compile

Identifiers

io.wcm.tooling.commons.crx-packmgr-helper-1.7.5-SNAPSHOT.jar

Description:

Java Library for uploading and downloading AEM content packages via CRX Package Manager.

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/runner/work/wcm-io-tooling/wcm-io-tooling/commons/crx-packmgr-helper/target/io.wcm.tooling.commons.crx-packmgr-helper-1.7.5-SNAPSHOT.jar
MD5: ff01434d57fc995f3a9da67fb33ec60f
SHA1: 5a22fad9dd5ba73740e894d0f6f31f007e04420f
SHA256:d8b10ee4388007bcd723dfc4d0d9435c564ab194fd8aa182d6a8fdc0ec071949
Referenced In Project/Scope:Content Package Maven Plugin:compile

Identifiers

jackrabbit-api-2.19.3.jar

Description:

Jackrabbit-specific extensions to the JCR API

License:

https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/runner/.m2/repository/org/apache/jackrabbit/jackrabbit-api/2.19.3/jackrabbit-api-2.19.3.jar
MD5: 70fa2dc7695900e62e96aea2792f3a3a
SHA1: 8503de04a71ea05b680692d47bfe8a185ec5f4d0
SHA256:045be6c97e17c771bbe885d6d0308722bb540b5bf693322a96aadb976de7aa5a
Referenced In Project/Scope:Content Package Maven Plugin:compile

Identifiers

jaxen-1.1.6.jar

Description:

Jaxen is a universal Java XPath engine.

License:

http://jaxen.codehaus.org/license.html
File Path: /home/runner/.m2/repository/jaxen/jaxen/1.1.6/jaxen-1.1.6.jar
MD5: a140517286b56eea981e188dcc3a13f6
SHA1: 3f8c36d9a0578e8e98f030c662b69888b1430ac0
SHA256:5ac9c74bbb3964b34a886ba6b1b6c0b0dc3ebeebc1dc4a44942a76634490b3eb
Referenced In Project/Scope:Content Package Maven Plugin:compile

Identifiers

jcl-over-slf4j-1.7.32.jar

Description:

JCL 1.2 implemented over SLF4J

License:

Apache License, Version 2.0: https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/runner/.m2/repository/org/slf4j/jcl-over-slf4j/1.7.32/jcl-over-slf4j-1.7.32.jar
MD5: 8788169f5d5be6550efc75d3bfffc82c
SHA1: 32c060250bcc5282cdbc1fd7008c12eb4ebad00e
SHA256:60f3bda5922e3912889cca1311d1b227753610bf60cb4e5e914e8b2eaa0326b4
Referenced In Project/Scope:Content Package Maven Plugin:compile

Identifiers

jcr-2.0.jar

Description:

The Content Repository API for Java™ Technology Version 2.0 is specified by JSR-283. This module contains the complete API as specified.

License:

Day Specification License: http://www.day.com/dam/day/downloads/jsr283/day-spec-license.htm
Day Specification License addendum: http://www.day.com/content/dam/day/downloads/jsr283/LICENSE.txt
File Path: /home/runner/.m2/repository/javax/jcr/jcr/2.0/jcr-2.0.jar
MD5: ede5e78b16c8ed298ce0b6d296584ebd
SHA1: 08297216bcfe4aea369ed6ee0d1718133f752e97
SHA256:cbf083bc58cb88a0c19112187a4c52d3115f525b5bb7f2913635f5679e6e9743
Referenced In Project/Scope:Content Package Maven Plugin:compile

Identifiers

jdom2-2.0.6.jar

Description:

A complete, Java-based solution for accessing, manipulating, and outputting XML data

License:

Similar to Apache License but with the acknowledgment clause removed: https://raw.github.com/hunterhacker/jdom/master/LICENSE.txt
File Path: /home/runner/.m2/repository/org/jdom/jdom2/2.0.6/jdom2-2.0.6.jar
MD5: 86a30c9b1ddc08ca155747890db423b7
SHA1: 6f14738ec2e9dd0011e343717fa624a10f8aab64
SHA256:1345f11ba606d15603d6740551a8c21947c0215640770ec67271fe78bea97cf5
Referenced In Project/Scope:Content Package Maven Plugin:compile

Identifiers

CVE-2021-33813

An XXE issue in SAXBuilder in JDOM through 2.0.6 allows attackers to cause a denial of service via a crafted HTTP request.
CWE-611 Improper Restriction of XML External Entity Reference ('XXE')

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References:

Vulnerable Software & Versions:

json-20140107.jar

Description:

JSON is a light-weight, language independent, data interchange format. See http://www.JSON.org/

The files in this package implement JSON encoders/decoders in Java. It also includes the capability to convert between JSON and XML, HTTP headers, Cookies, and CDL.

This is a reference implementation. There is a large number of JSON packages in Java. Perhaps someday the Java community will standardize on one. Until then, choose carefully.

The license includes this restriction: "The software shall be used for good, not evil." If your conscience cannot live with that, then choose a different package.

The package compiles on Java 1.2 thru Java 1.4.

License:

The JSON License: http://json.org/license.html
File Path: /home/runner/.m2/repository/org/json/json/20140107/json-20140107.jar
MD5: 8ca2437d3dbbaa2e76195adedfd901f4
SHA1: d1ffca6e2482b002702c6a576166fd685e3370e3
SHA256:8e5aa0a368bee60347b5a4ad861d9f68c7793f60deeea89efd449eb70d5ae622
Referenced In Project/Scope:Content Package Maven Plugin:compile

Identifiers

maven-aether-provider-3.0.5.jar

Description:

This module provides extensions to Aether for utilizing the Maven POM and Maven repository metadata for artifacts resolution and download.

File Path: /home/runner/.m2/repository/org/apache/maven/maven-aether-provider/3.0.5/maven-aether-provider-3.0.5.jar
MD5: aad430d4111400e0d78c4e79eb0f9797
SHA1: e0716af7536efeb1da5d90b12464fea2a6fb40ef
SHA256:c74327cd5d7b137c8be3591c766271ac8ace1a617518f0410b8a95579f9839b0
Referenced In Project/Scope:Content Package Maven Plugin:compile

Identifiers

maven-archiver-3.1.1.jar

Description:

Provides utility methods for creating JARs and other archive files from a Maven project.

File Path: /home/runner/.m2/repository/org/apache/maven/maven-archiver/3.1.1/maven-archiver-3.1.1.jar
MD5: 66d6f10af50840da5b7088bf0903356b
SHA1: 978c773786667a2f642b034e55fac72ad8215385
SHA256:f001bc8c7b2a378f50865799a85962dd9cc6d66f84a0bdeacc6333d72fd10788
Referenced In Project/Scope:Content Package Maven Plugin:compile

Identifiers

maven-artifact-3.0.5.jar

File Path: /home/runner/.m2/repository/org/apache/maven/maven-artifact/3.0.5/maven-artifact-3.0.5.jar
MD5: 37818c6f0ef84b6338fdd1520e9831db
SHA1: 7cd9aa7425c4a967bd39c2f6f61ab9535570fcb4
SHA256:c6d5e244dd2329971f91b8df666ffe9e0b00a7dd014d6ee073b6f6cb82877f5c
Referenced In Project/Scope:Content Package Maven Plugin:compile

Identifiers

maven-core-3.0.5.jar

Description:

Maven Core classes.

File Path: /home/runner/.m2/repository/org/apache/maven/maven-core/3.0.5/maven-core-3.0.5.jar
MD5: ee0bd82403231f5e268fd85044027221
SHA1: 27659b27346aff66d36e8ab16c7050220d875bca
SHA256:ac8e617f951ecde3c4f6bca4922fdd7861500fe7d58289f26ad5adac443075bc
Referenced In Project/Scope:Content Package Maven Plugin:compile

Identifiers

CVE-2021-26291

Apache Maven will follow repositories that are defined in a dependency's Project Object Model (pom) which may be surprising to some users, resulting in potential risk if a malicious actor takes over that repository or is able to insert themselves into a position to pretend to be that repository. Maven is changing the default behavior in 3.8.1+ to no longer follow http (non-SSL) repository references by default. More details are available in the referenced URLs. If you are currently using a repository manager to govern the repositories used by your builds, you are unaffected by the risks present in the legacy behavior, and are unaffected by this vulnerability and change to default behavior. See this link for more information about repository management: https://maven.apache.org/repository-management.html
CWE-346 Origin Validation Error

CVSSv2:
  • Base Score: MEDIUM (6.4)
  • Vector: AV:N/AC:L/Au:N/C:P/I:P/A:N
CVSSv3:
  • Base Score: CRITICAL (9.1)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

References:

Vulnerable Software & Versions:

maven-model-3.0.5.jar

Description:

Model for Maven POM (Project Object Model)

File Path: /home/runner/.m2/repository/org/apache/maven/maven-model/3.0.5/maven-model-3.0.5.jar
MD5: 40a2c5b201caf14b90faa27fd55f9515
SHA1: 490d7489dd73137f6afef52c5a3e465201c533bf
SHA256:876a76b663db6c7326ad234afe430c473d3261a06b3284f31d5eb4889d1c3084
Referenced In Project/Scope:Content Package Maven Plugin:compile

Identifiers

maven-model-builder-3.0.5.jar

Description:

The effective model builder, with inheritance, profile activation, interpolation, ...

File Path: /home/runner/.m2/repository/org/apache/maven/maven-model-builder/3.0.5/maven-model-builder-3.0.5.jar
MD5: 98198ff5698781c9bf48b081bad49e62
SHA1: f1e0b49ebe74335c11c93eec7549c65291053bc9
SHA256:45a2c6ff76e12678eaf576bd7a68d028c5a5ba85fdc216a381ea86e9187e1b51
Referenced In Project/Scope:Content Package Maven Plugin:compile

Identifiers

maven-plugin-api-3.0.5.jar

Description:

The API for plugins - Mojos - development.

File Path: /home/runner/.m2/repository/org/apache/maven/maven-plugin-api/3.0.5/maven-plugin-api-3.0.5.jar
MD5: cbe2f575d378fc6163c157a0e6af42a3
SHA1: 958b87b581d46e7958b39733b0cc600927e8521e
SHA256:469505f75b8526a338cfd7e0ec841655ae52ddbcc1b36482e97d72f52ce7d890
Referenced In Project/Scope:Content Package Maven Plugin:compile

Identifiers

maven-repository-metadata-3.0.5.jar

Description:

Per-directory local and remote repository metadata.

File Path: /home/runner/.m2/repository/org/apache/maven/maven-repository-metadata/3.0.5/maven-repository-metadata-3.0.5.jar
MD5: 2b5e8628b7d1d32829437dd1dc66f97a
SHA1: 94475fff77103ae46a1b02284a0950ed74497fc3
SHA256:c867b4e075a4548bf27422542f96b159f94c4e7ffaaf6427b10433afd6a3a38c
Referenced In Project/Scope:Content Package Maven Plugin:compile

Identifiers

maven-settings-3.0.5.jar

Description:

Maven Settings model.

File Path: /home/runner/.m2/repository/org/apache/maven/maven-settings/3.0.5/maven-settings-3.0.5.jar
MD5: a608e0ce2bffaf9f89418e657746c894
SHA1: 8e98d918ba2b41175d72307853f792e3bded4fc7
SHA256:d8f9f237afc21d8202eedffa29cbf6e9d46c78b3c22b217d16267216988221b9
Referenced In Project/Scope:Content Package Maven Plugin:compile

Identifiers

maven-settings-builder-3.0.5.jar

Description:

The effective settings builder, with inheritance and password decryption.

File Path: /home/runner/.m2/repository/org/apache/maven/maven-settings-builder/3.0.5/maven-settings-builder-3.0.5.jar
MD5: 9446d7885d57cd95170f1c2cccd89564
SHA1: 7b87eb83abd6efa77e51882bbebc1b316739c681
SHA256:ac0e62e26b7f690e265ba75667531973b8a2da12b3b0ff102a612f05b42b6faf
Referenced In Project/Scope:Content Package Maven Plugin:compile

Identifiers

maven-shared-utils-3.0.1.jar

Description:

Shared utils without any further dependencies

File Path: /home/runner/.m2/repository/org/apache/maven/shared/maven-shared-utils/3.0.1/maven-shared-utils-3.0.1.jar
MD5: 98b5ed54f633e6c59f0f9f26ff12f00b
SHA1: 67e99046630df6c4f4b2c8f2143481240198105e
SHA256:fe7c84582900b5243d1c107353157c187697dab809ef4c40672fd9407916c4ae
Referenced In Project/Scope:Content Package Maven Plugin:compile

Identifiers

org.apache.jackrabbit.vault-3.5.6.jar

Description:

The core classes of Apache Jackrabbit FileVault

License:

Apache License, Version 2.0: https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/runner/.m2/repository/org/apache/jackrabbit/vault/org.apache.jackrabbit.vault/3.5.6/org.apache.jackrabbit.vault-3.5.6.jar
MD5: 7311cb5a35268eb640213d16658cefa1
SHA1: 936eb3333d7389aa59b635669ad8867643c9eda2
SHA256:961bb956259edfc3cb08766d88e1508573613b6f085e5b98cb7710caf49df761
Referenced In Project/Scope:Content Package Maven Plugin:compile

Identifiers

plexus-archiver-3.4.jar

File Path: /home/runner/.m2/repository/org/codehaus/plexus/plexus-archiver/3.4/plexus-archiver-3.4.jar
MD5: 1d9a183c24155d3ba19f2ef07ceea177
SHA1: d99cffd480e050d87d93defa605a959a15cbb611
SHA256:3c6611c98547dbf3f5125848c273ba719bc10df44e3f492fa2e302d6135a6ea5
Referenced In Project/Scope:Content Package Maven Plugin:compile

Identifiers

CVE-2018-1002200

plexus-archiver before 3.6.0 is vulnerable to directory traversal, allowing attackers to write to arbitrary files via a ../ (dot dot slash) in an archive entry that is mishandled during extraction. This vulnerability is also known as 'Zip-Slip'.
CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (5.5)
  • Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

References:

Vulnerable Software & Versions:

plexus-cipher-1.4.jar

File Path: /home/runner/.m2/repository/org/sonatype/plexus/plexus-cipher/1.4/plexus-cipher-1.4.jar
MD5: 7b2d6fcf0d5800d5b1ce09d98d98dcaf
SHA1: 50ade46f23bb38cd984b4ec560c46223432aac38
SHA256:5a15fdba22669e0fdd06e10dcce6320879e1f7398fbc910cd0677b50672a78c4
Referenced In Project/Scope:Content Package Maven Plugin:compile

Identifiers

plexus-classworlds-2.4.jar

Description:

A class loader framework

File Path: /home/runner/.m2/repository/org/codehaus/plexus/plexus-classworlds/2.4/plexus-classworlds-2.4.jar
MD5: 4b6ec19d96af7d901c1aad7d2415d498
SHA1: ef38ff5c25f83a4a02fcd9843d85f3e47012873e
SHA256:259d528a29722cab6349d7e7d432e3fd4877c087ffcb04985a6612e97023bba8
Referenced In Project/Scope:Content Package Maven Plugin:compile

Identifiers

plexus-component-annotations-1.5.5.jar

Description:

Plexus Component "Java 5" Annotations, to describe plexus components properties in java sources with standard annotations instead of javadoc annotations.

File Path: /home/runner/.m2/repository/org/codehaus/plexus/plexus-component-annotations/1.5.5/plexus-component-annotations-1.5.5.jar
MD5: ef37dcdb84030422db428b63c4354e5b
SHA1: c72f2660d0cbed24246ddb55d7fdc4f7374d2078
SHA256:4df7a6a7be64b35bbccf60b5c115697f9ea3421d22674ae67135dde375fcca1f
Referenced In Project/Scope:Content Package Maven Plugin:compile

Identifiers

plexus-interpolation-1.14.jar

File Path: /home/runner/.m2/repository/org/codehaus/plexus/plexus-interpolation/1.14/plexus-interpolation-1.14.jar
MD5: f92db8b194fc417d72cc74c428afacf8
SHA1: c88dd864fe8b8256c25558ce7cd63be66ba07693
SHA256:7fc63378d3e84663619b9bedace9f9fe78b276c2be3c62ca2245449294c84176
Referenced In Project/Scope:Content Package Maven Plugin:compile

Identifiers

plexus-io-2.7.1.jar

File Path: /home/runner/.m2/repository/org/codehaus/plexus/plexus-io/2.7.1/plexus-io-2.7.1.jar
MD5: 34115f3dad3322f24be2682c45302540
SHA1: e1cce34eca8f2c5fc053e1a15d1405984b527b32
SHA256:20aa9dd74536ad9ce65d1253b5c4386747483a7a65c48008c9affb51854539cf
Referenced In Project/Scope:Content Package Maven Plugin:compile

Identifiers

plexus-sec-dispatcher-1.3.jar

File Path: /home/runner/.m2/repository/org/sonatype/plexus/plexus-sec-dispatcher/1.3/plexus-sec-dispatcher-1.3.jar
MD5: 53160199f5667de3fca69b723173639b
SHA1: dedc02034fb8fcd7615d66593228cb71709134b4
SHA256:3b0559bb8432f28937efe6ca193ef54a8506d0075d73fd7406b9b116c6a11063
Referenced In Project/Scope:Content Package Maven Plugin:compile

Identifiers

plexus-utils-2.0.6.jar

Description:

A collection of various utility classes to ease working with strings, files, command lines, XML and more.

File Path: /home/runner/.m2/repository/org/codehaus/plexus/plexus-utils/2.0.6/plexus-utils-2.0.6.jar
MD5: 64523c08c852c1ffb7650f207baca314
SHA1: 3a20c424a712a7c02b02af61dcad5f001b29a9fd
SHA256:8b909f4ca9788647942f883d4e559bcc642123f7c6bcd3846983a2e465469c33
Referenced In Project/Scope:Content Package Maven Plugin:compile

Identifiers

CVE-2017-1000487

Plexus-utils before 3.0.16 is vulnerable to command injection because it does not correctly process the contents of double quoted strings.
CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

CVSSv2:
  • Base Score: HIGH (7.5)
  • Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions:

Directory traversal in org.codehaus.plexus.util.Expand (OSSINDEX)

> org.codehaus.plexus.util.Expand does not guard against directory traversal, but such protection is generally expected from unarchiving tools.
>
> -- [github.com](https://github.com/codehaus-plexus/plexus-utils/issues/4)
Unscored:
  • Severity: Unknown

References:

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:org.codehaus.plexus:plexus-utils:2.0.6:*:*:*:*:*:*:*

Possible XML Injection (OSSINDEX)

> `org.codehaus.plexus.util.xml.XmlWriterUtil#writeComment(XMLWriter, String, int, int, int)` does not check if the comment includes a `"-->"` sequence. This means that text contained in the command string could be interpreted as XML, possibly leading to XML injection issues, depending on how this method is being called.
>
> -- [github.com](https://github.com/codehaus-plexus/plexus-utils/issues/3)
Unscored:
  • Severity: Unknown

References:

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:org.codehaus.plexus:plexus-utils:2.0.6:*:*:*:*:*:*:*

sisu-guava-0.9.9.jar

Description:

Patched build of Guava: Google Core Libraries for Java 1.5+

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/runner/.m2/repository/org/sonatype/sisu/sisu-guava/0.9.9/sisu-guava-0.9.9.jar
MD5: 36484b30beda10de99c56801db4657e0
SHA1: 91395a7816ad64c5ef68e1a1b5b861463f0eb3e2
SHA256:9897e80ff6c08fc45b5b5ebd81d9e943a1087bdf0ad50cda457d616abbdaacd9
Referenced In Project/Scope:Content Package Maven Plugin:compile

Identifiers

CVE-2020-8908

A temp directory creation vulnerability exists in all versions of Guava, allowing an attacker with access to the machine to potentially access data in a temporary directory created by the Guava API com.google.common.io.Files.createTempDir(). By default, on unix-like systems, the created directory is world-readable (readable by an attacker with access to the system). The method in question has been marked @Deprecated in versions 30.0 and later and should not be used. For Android developers, we recommend choosing a temporary directory API provided by Android, such as context.getCacheDir(). For other Java developers, we recommend migrating to the Java 7 API java.nio.file.Files.createTempDirectory() which explicitly configures permissions of 700, or configuring the Java runtime's java.io.tmpdir system property to point to a location whose permissions are appropriately configured.
CWE-732 Incorrect Permission Assignment for Critical Resource

CVSSv2:
  • Base Score: LOW (2.1)
  • Vector: AV:L/AC:L/Au:N/C:P/I:N/A:N
CVSSv3:
  • Base Score: LOW (3.3)
  • Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

References:

Vulnerable Software & Versions:

sisu-guice-3.1.0-no_aop.jar

Description:

Patched build of Guice: a lightweight dependency injection framework for Java 5 and above

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/runner/.m2/repository/org/sonatype/sisu/sisu-guice/3.1.0/sisu-guice-3.1.0-no_aop.jar
MD5: 19f877ae736fa153a545d0cf801dcec9
SHA1: 97c87d15d749c86b2be1b9809b28321a1d926c7f
SHA256:4b76079f35407e5682aac1ecbe67afd5f430ae619044a9d6a413666a45750c25
Referenced In Project/Scope:Content Package Maven Plugin:compile

Identifiers

sisu-inject-bean-2.3.0.jar

License:

http://www.apache.org/licenses/LICENSE-2.0.txt, http://www.eclipse.org/legal/epl-v10.html
File Path: /home/runner/.m2/repository/org/sonatype/sisu/sisu-inject-bean/2.3.0/sisu-inject-bean-2.3.0.jar
MD5: 27a128e32326472ebfec3a7b8cb2cdf9
SHA1: 4767ee22f0b84fc0fe3af2095c30bfbdafba9459
SHA256:75819b29737c2bee1bfbda1011d455c7036738e0ef32ffbf85ba1d8fa157ceb2
Referenced In Project/Scope:Content Package Maven Plugin:compile

Identifiers

sisu-inject-plexus-2.3.0.jar

License:

http://www.eclipse.org/legal/epl-v10.html
File Path: /home/runner/.m2/repository/org/sonatype/sisu/sisu-inject-plexus/2.3.0/sisu-inject-plexus-2.3.0.jar
MD5: 5c35e512b479cc0d1c830c0cc9452504
SHA1: 7d8ecdce497bf361b83cfbc890670ca50d6ec299
SHA256: bf9083fb846993689409b2bdbc735048e53bac6cc32707cde7ef84817b6e9365
Referenced In Project/Scope: Content Package Maven Plugin:compile

Identifiers

slf4j-api-1.7.25.jar

Description:

The slf4j API

File Path: /home/runner/.m2/repository/org/slf4j/slf4j-api/1.7.25/slf4j-api-1.7.25.jar
MD5: caafe376afb7086dcbee79f780394ca3
SHA1: da76ca59f6a57ee3102f8f9bd9cee742973efa8a
SHA256: 18c4a0095d5c1da6b817592e767bb23d29dd2f560ad74df75ff3961dbde25b79
Referenced In Project/Scope: Content Package Maven Plugin:compile

Identifiers

snappy-0.4.jar

Description:

Port of Snappy to Java

License:

Apache License 2.0: http://www.apache.org/licenses/LICENSE-2.0.html
File Path: /home/runner/.m2/repository/org/iq80/snappy/snappy/0.4/snappy-0.4.jar
MD5: f0792d1dbe7f90d8b34c7c19961e0073
SHA1: a42b2d92a89efd35bb14738000dabcac6bd07a8d
SHA256: 46a0c87d504ce9d6063e1ff6e4d20738feb49d8abf85b5071a7d18df4f11bac9
Referenced In Project/Scope: Content Package Maven Plugin:compile

Identifiers

stax2-api-4.2.jar

Description:

Stax2 API is an extension to the basic Stax 1.0 API that adds significant new functionality, such as a full-featured bi-directional validation interface and a high-performance Typed Access API.

License:

The BSD License: http://www.opensource.org/licenses/bsd-license.php
File Path: /home/runner/.m2/repository/org/codehaus/woodstox/stax2-api/4.2/stax2-api-4.2.jar
MD5: 5d22fe6dbb276d1fd6dab40c386a4f0a
SHA1: 13c2b30926bca0429c704c4b4ca0b5d0432b69cd
SHA256: badf6081a0bb526fd2c01951dfefad91b6846b6dd0eb0048587e30d1dd334e68
Referenced In Project/Scope: Content Package Maven Plugin:compile

Identifiers

txw2-2.3.2.jar

Description:

TXW is a library that allows you to write XML documents.

File Path: /home/runner/.m2/repository/org/glassfish/jaxb/txw2/2.3.2/txw2-2.3.2.jar
MD5: 3f278f148c5d27dc608c25cb7d093b94
SHA1: ce5be7da2e442c25ec14c766cb60cb802741727b
SHA256: 4a6a9f483388d461b81aa9a28c685b8b74c0597993bf1884b04eddbca95f48fe
Referenced In Project/Scope: Content Package Maven Plugin:compile

Identifiers

woodstox-core-6.1.1.jar

Description:

Woodstox is a high-performance XML processor that implements Stax (JSR-173), SAX2 and Stax2 APIs.

License:

The Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/runner/.m2/repository/com/fasterxml/woodstox/woodstox-core/6.1.1/woodstox-core-6.1.1.jar
MD5: 992e39013de489a1373f14b7e153f9da
SHA1: 989bb31963ed1758b95c7c4381a91592a9a8df61
SHA256: f250662a245570fdd49c6916c1c3cd3d6511a8e5cd0d7460e989844b1d66ed67
Referenced In Project/Scope: Content Package Maven Plugin:compile

Identifiers

woodstox-core-6.1.1.jar (shaded: com.sun.xml.bind.jaxb:isorelax:20090621)

Description:

Unknown version of isorelax library used in JAXB project

File Path: /home/runner/.m2/repository/com/fasterxml/woodstox/woodstox-core/6.1.1/woodstox-core-6.1.1.jar/META-INF/maven/com.sun.xml.bind.jaxb/isorelax/pom.xml
MD5: 6fbb4bc95fbf2072bc6e3b790553fe81
SHA1: 314ec72948d5c1fc71d553cbbd7a130caa6f9f13
SHA256: cda6451d0231a973352b592ff950e39224ba6ba1a2f35eeab66511b5c225dff1
Referenced In Project/Scope: Content Package Maven Plugin:compile

Identifiers

woodstox-core-6.1.1.jar (shaded: net.java.dev.msv:xsdlib:2013.6.1)

Description:

XML Schema datatypes library

File Path: /home/runner/.m2/repository/com/fasterxml/woodstox/woodstox-core/6.1.1/woodstox-core-6.1.1.jar/META-INF/maven/net.java.dev.msv/xsdlib/pom.xml
MD5: aaf872ed9d1aabee25e03c2a132ffd8e
SHA1: 47f218a999411ed028f089d59ebef8f14e0fe914
SHA256: d6e83c124436049d83238fc532a26c5d8ccd7e4ab10eba6d96043c850ac82f3c
Referenced In Project/Scope: Content Package Maven Plugin:compile

Identifiers

This report contains data retrieved from the National Vulnerability Database.
This report may contain data retrieved from the NPM Public Advisories.
This report may contain data retrieved from RetireJS.
This report may contain data retrieved from the Sonatype OSS Index.