Dependency-Check is an open source tool performing a best effort analysis of 3rd party dependencies; false positives and false negatives may exist in the analysis performed by the tool. Use of the tool and the reporting provided constitutes acceptance for use in an AS IS condition, and there are NO warranties, implied or otherwise, with regard to the analysis or its use. Any use of the tool and the reporting provided is at the user’s risk. In no event shall the copyright holder or OWASP be held liable for any damages whatsoever arising out of or in connection with the use of this tool, the analysis performed, or the resulting report.

Project: waffle-parent

Scan Information:

Display: Showing Vulnerable Dependencies

| Dependency | CPE | GAV | Highest Severity | CVE Count | CPE Confidence | Evidence Count |
|---|---|---|---|---|---|---|
| guava-18.0.jar | | com.google.guava:guava:18.0 | | 0 | | 16 |
| servlet-api-2.5.jar | | javax.servlet:servlet-api:2.5 | | 0 | | 10 |
| jna-platform-4.1.0.jar | | net.java.dev.jna:jna-platform:4.1.0 | | 0 | | 19 |
| jna-4.1.0.jar | | net.java.dev.jna:jna:4.1.0 | | 0 | | 21 |
| jna-4.1.0.jar: jnidispatch.dll | | | | 0 | | 1 |
| jna-4.1.0.jar: jnidispatch.dll | | | | 0 | | 1 |
| jna-4.1.0.jar: jnidispatch.dll | | | | 0 | | 1 |
| mockito-core-1.10.19.jar | | org.mockito:mockito-core:1.10.19 | | 0 | | 13 |
| objenesis-2.1.jar | | org.objenesis:objenesis:2.1 | | 0 | | 18 |
| jcl-over-slf4j-1.7.12.jar | | org.slf4j:jcl-over-slf4j:1.7.12 | | 0 | | 15 |
| slf4j-api-1.7.12.jar | | org.slf4j:slf4j-api:1.7.12 | | 0 | | 15 |
| commons-beanutils-1.8.3.jar | | commons-beanutils:commons-beanutils:1.8.3 | | 0 | | 22 |
| shiro-core-1.2.3.jar | cpe:/a:apache:shiro:1.2.3 | org.apache.shiro:shiro-core:1.2.3 | | 0 | LOW | 17 |
| tomcat-api-8.0.24.jar | cpe:/a:apache:tomcat:8.0.24; cpe:/a:apache_tomcat:apache_tomcat:8.0.24 | org.apache.tomcat:tomcat-api:8.0.24 | High | 4 | LOW | 13 |
| tomcat-el-api-8.0.24.jar | cpe:/a:apache:tomcat:8.0.24 | org.apache.tomcat:tomcat-el-api:8.0.24 | High | 4 | LOW | 11 |
| slf4j-simple-1.7.12.jar | | org.slf4j:slf4j-simple:1.7.12 | | 0 | | 16 |
| tomcat-api-7.0.63.jar | cpe:/a:apache:tomcat:7.0.0; cpe:/a:apache_tomcat:apache_tomcat:7.0.63 | org.apache.tomcat:tomcat-api:7.0.63 | High | 49 | LOW | 13 |
| tomcat-servlet-api-7.0.63.jar | cpe:/a:apache:tomcat:7.0.63 | org.apache.tomcat:tomcat-servlet-api:7.0.63 | High | 4 | LOW | 11 |
| aopalliance-1.0.jar | | aopalliance:aopalliance:1.0 | | 0 | | 10 |
| javax.servlet-api-3.1.0.jar | | javax.servlet:javax.servlet-api:3.1.0 | | 0 | | 21 |
| spring-security-core-4.0.1.RELEASE.jar | | org.springframework.security:spring-security-core:4.0.1.RELEASE | | 0 | | 13 |
| spring-security-web-4.0.1.RELEASE.jar | | org.springframework.security:spring-security-web:4.0.1.RELEASE | | 0 | | 13 |
| spring-aop-4.1.7.RELEASE.jar | | org.springframework:spring-aop:4.1.7.RELEASE | | 0 | | 13 |
| spring-beans-4.1.7.RELEASE.jar | | org.springframework:spring-beans:4.1.7.RELEASE | | 0 | | 12 |
| spring-context-4.1.7.RELEASE.jar | cpe:/a:context_project:context:4.1.7 | org.springframework:spring-context:4.1.7.RELEASE | | 0 | LOW | 15 |
| spring-core-4.1.7.RELEASE.jar | cpe:/a:springsource:spring_framework:4.1.7; cpe:/a:vmware:springsource_spring_framework:4.1.7 | org.springframework:spring-core:4.1.7.RELEASE | | 0 | LOW | 20 |
| spring-expression-4.1.7.RELEASE.jar | | org.springframework:spring-expression:4.1.7.RELEASE | | 0 | | 13 |
| spring-web-4.1.7.RELEASE.jar | | org.springframework:spring-web:4.1.7.RELEASE | | 0 | | 13 |
| annotations-api-6.0.44.jar | cpe:/a:apache_tomcat:apache_tomcat:6.0.44 | org.apache.tomcat:annotations-api:6.0.44 | | 0 | LOW | 9 |
| catalina-6.0.44.jar | cpe:/a:apache:tomcat:6.0.0; cpe:/a:apache_software_foundation:tomcat:6.0.44; cpe:/a:apache_tomcat:apache_tomcat:6.0.44 | org.apache.tomcat:catalina:6.0.44 | High | 62 | LOW | 14 |
| coyote-6.0.44.jar | cpe:/a:apache:tomcat:6.0.0; cpe:/a:apache_tomcat:apache_tomcat:6.0.44 | org.apache.tomcat:coyote:6.0.44 | High | 62 | LOW | 12 |
| juli-6.0.44.jar | cpe:/a:apache:tomcat:6.0.0; cpe:/a:apache_software_foundation:tomcat:6.0.44; cpe:/a:apache_tomcat:apache_tomcat:6.0.44 | org.apache.tomcat:juli:6.0.44 | High | 62 | LOW | 14 |
| servlet-api-6.0.44.jar | cpe:/a:apache_tomcat:apache_tomcat:6.0.44 | org.apache.tomcat:servlet-api:6.0.44 | | 0 | LOW | 9 |
| javax.servlet-api-3.0.1.jar | | javax.servlet:javax.servlet-api:3.0.1 | | 0 | | 30 |
| spring-security-core-3.2.7.RELEASE.jar | cpe:/a:vmware:springsource_spring_security:3.2.7 | org.springframework.security:spring-security-core:3.2.7.RELEASE | | 0 | LOW | 20 |
| spring-aop-3.2.14.RELEASE.jar | cpe:/a:springsource:spring_framework:3.2.14 | org.springframework:spring-aop:3.2.14.RELEASE | | 0 | LOW | 16 |
| spring-core-3.2.14.RELEASE.jar | cpe:/a:springsource:spring_framework:3.2.14; cpe:/a:vmware:springsource_spring_framework:3.2.14 | org.springframework:spring-core:3.2.14.RELEASE | | 0 | LOW | 19 |
| logback-classic-1.1.3.jar | | ch.qos.logback:logback-classic:1.1.3 | | 0 | | 20 |
| logback-core-1.1.3.jar | | ch.qos.logback:logback-core:1.1.3 | | 0 | | 20 |
| javax.annotation-api-1.2.jar | | javax.annotation:javax.annotation-api:1.2 | | 0 | | 21 |
| javax.el-api-3.0.1-b04.jar | | javax.el:javax.el-api:3.0.1-b04 | | 0 | | 20 |
| javax.servlet.jsp-api-2.3.2-b01.jar | cpe:/a:oracle:jsp:2.3.2.b01 | javax.servlet.jsp:javax.servlet.jsp-api:2.3.2-b01 | | 0 | LOW | 19 |
| jstl-api-1.2.jar | | javax.servlet.jsp.jstl:jstl-api:1.2 | | 0 | | 12 |
| javax.transaction-api-1.2.jar | | javax.transaction:javax.transaction-api:1.2 | | 0 | | 21 |
| javax.websocket-api-1.0.jar | | javax.websocket:javax.websocket-api:1.0 | | 0 | | 18 |
| ecj-4.4.2.jar | | org.eclipse.jdt.core.compiler:ecj:4.4.2 | | 0 | | 15 |
| http2-hpack-9.3.0.v20150612.jar | cpe:/a:jetty:jetty:9.3.0.v20150612 | org.eclipse.jetty.http2:http2-hpack:9.3.0.v20150612 | | 0 | LOW | 15 |
| http2-server-9.3.0.v20150612.jar | cpe:/a:jetty:jetty:9.3.0.v20150612; cpe:/a:jetty:jetty_http_server:9.3.0.v20150612 | org.eclipse.jetty.http2:http2-server:9.3.0.v20150612 | | 0 | LOW | 15 |
| jetty-io-9.3.0.v20150612.jar | cpe:/a:jetty:jetty:9.3.0.v20150612 | org.eclipse.jetty:jetty-io:9.3.0.v20150612 | | 0 | LOW | 14 |
| javax.activation-1.1.0.v201105071233.jar | cpe:/a:jetty:jetty:1.1.0.v20110507 | org.eclipse.jetty.orbit:javax.activation:1.1.0.v201105071233 | | 0 | LOW | 15 |
| javax.mail.glassfish-1.4.1.v201005082020.jar | cpe:/a:jetty:jetty:1.4.1.v20100508 | org.eclipse.jetty.orbit:javax.mail.glassfish:1.4.1.v201005082020 | | 0 | LOW | 15 |
| javax.security.auth.message-1.0.0.v201108011116.jar | cpe:/a:jetty:jetty:1.0.0.v20110801 | org.eclipse.jetty.orbit:javax.security.auth.message:1.0.0.v201108011116 | | 0 | LOW | 19 |
| javax-websocket-client-impl-9.3.0.v20150612.jar | cpe:/a:jetty:jetty:9.3.0.v20150612 | org.eclipse.jetty.websocket:javax-websocket-client-impl:9.3.0.v20150612 | | 0 | LOW | 14 |
| websocket-api-9.3.0.v20150612.jar | cpe:/a:jetty:jetty:9.3.0.v20150612 | org.eclipse.jetty.websocket:websocket-api:9.3.0.v20150612 | | 0 | LOW | 15 |
| javax.el-3.0.1-b08.jar | | org.glassfish:javax.el:3.0.1-b08 | | 0 | | 24 |
| javax.servlet.jsp.jstl-1.2.4.jar | cpe:/a:oracle:glassfish:1.2.4; cpe:/a:oracle:glassfish_server:1.2.4 | org.glassfish.web:javax.servlet.jsp.jstl:1.2.4 | Medium | 3 | LOW | 26 |
| javax.servlet.jsp-2.3.3-b02.jar | cpe:/a:oracle:jsp:2.3.3.b02 | org.glassfish.web:javax.servlet.jsp:2.3.3-b02 | | 0 | LOW | 20 |
| asm-commons-5.0.1.jar | | org.ow2.asm:asm-commons:5.0.1 | | 0 | | 19 |
| asm-tree-5.0.1.jar | | org.ow2.asm:asm-tree:5.0.1 | | 0 | | 19 |
| asm-5.0.1.jar | | org.ow2.asm:asm:5.0.1 | | 0 | | 18 |

Dependencies

guava-18.0.jar

Description:  Guava is a suite of core and expanded libraries that include utility classes, google's collections, io classes, and much much more. Guava has only one code dependency - javax.annotation, per the JSR-305 spec.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\Users\Jeremy\.m2\repository\com\google\guava\guava\18.0\guava-18.0.jar
MD5: 947641f6bb535b1d942d1bc387c45290
SHA1: cce0823396aa693798f8882e64213b1772032b09
Referenced In Projects:
  • waffle-spring-filter
  • waffle-tests
  • waffle-jaas
  • waffle-jetty
  • waffle-distro
  • waffle-negotiate
  • waffle-tomcat8
  • waffle-tomcat7
  • waffle-filter
  • waffle-mixed
  • waffle-tomcat6
  • waffle-mixed-post
  • waffle-jna
  • waffle-spring-security4
  • waffle-spring-security3
  • waffle-shiro
  • waffle-form
  • waffle-demo-parent
  • waffle-spring-form

Identifiers

  • maven: com.google.guava:guava:18.0   Confidence:HIGH

servlet-api-2.5.jar

File Path: C:\Users\Jeremy\.m2\repository\javax\servlet\servlet-api\2.5\servlet-api-2.5.jar
MD5: 69ca51af4e9a67a1027a7f95b52c3e8f
SHA1: 5959582d97d8b61f4d154ca9e495aafd16726e34
Referenced In Projects:

  • waffle-negotiate
  • waffle-filter
  • waffle-mixed
  • waffle-spring-filter
  • waffle-mixed-post
  • waffle-jna
  • waffle-tests
  • waffle-jaas
  • waffle-shiro
  • waffle-form
  • waffle-spring-form

Identifiers

  • maven: javax.servlet:servlet-api:2.5   Confidence:HIGH

jna-platform-4.1.0.jar

Description: Java Native Access Platform

License:

LGPL, version 2.1: http://www.gnu.org/licenses/licenses.html
ASL, version 2: http://www.apache.org/licenses/
File Path: C:\Users\Jeremy\.m2\repository\net\java\dev\jna\jna-platform\4.1.0\jna-platform-4.1.0.jar
MD5: 533e404eda70bbf8e40de134ffeec95b
SHA1: 23457ad1cf75c2c16763330de5565a0e67b4bc0a
Referenced In Projects:
  • waffle-spring-filter
  • waffle-tests
  • waffle-jaas
  • waffle-jetty
  • waffle-distro
  • waffle-negotiate
  • waffle-tomcat8
  • waffle-tomcat7
  • waffle-filter
  • waffle-mixed
  • waffle-tomcat6
  • waffle-mixed-post
  • waffle-jna
  • waffle-spring-security4
  • waffle-spring-security3
  • waffle-shiro
  • waffle-form
  • waffle-demo-parent
  • waffle-spring-form

Identifiers

  • maven: net.java.dev.jna:jna-platform:4.1.0   Confidence:HIGH

jna-4.1.0.jar

Description: Java Native Access

License:

LGPL, version 2.1: http://www.gnu.org/licenses/licenses.html
ASL, version 2: http://www.apache.org/licenses/
File Path: C:\Users\Jeremy\.m2\repository\net\java\dev\jna\jna\4.1.0\jna-4.1.0.jar
MD5: b0e08c9936dc52aa40439c71fcad6297
SHA1: 1c12d070e602efd8021891cdd7fd18bc129372d4
Referenced In Projects:
  • waffle-spring-filter
  • waffle-tests
  • waffle-jaas
  • waffle-jetty
  • waffle-distro
  • waffle-negotiate
  • waffle-tomcat8
  • waffle-tomcat7
  • waffle-filter
  • waffle-mixed
  • waffle-tomcat6
  • waffle-mixed-post
  • waffle-jna
  • waffle-spring-security4
  • waffle-spring-security3
  • waffle-shiro
  • waffle-form
  • waffle-demo-parent
  • waffle-spring-form

Identifiers

  • maven: net.java.dev.jna:jna:4.1.0   Confidence:HIGH

jna-4.1.0.jar: jnidispatch.dll

File Path: C:\Users\Jeremy\.m2\repository\net\java\dev\jna\jna\4.1.0\jna-4.1.0.jar\com\sun\jna\w32ce-arm\jnidispatch.dll
MD5: 57697cbdd321ae7d06f5da04e821f908
SHA1: 67167f2b2fce8db5f9f64a372b0da54730d3ee51

Identifiers

  • None

jna-4.1.0.jar: jnidispatch.dll

File Path: C:\Users\Jeremy\.m2\repository\net\java\dev\jna\jna\4.1.0\jna-4.1.0.jar\com\sun\jna\win32-x86-64\jnidispatch.dll
MD5: 06b2f1f909d2436dff20d7a668ef26a9
SHA1: bd1bdda9a91f3b0d9067e323f7394bef933f81f6

Identifiers

  • None

jna-4.1.0.jar: jnidispatch.dll

File Path: C:\Users\Jeremy\.m2\repository\net\java\dev\jna\jna\4.1.0\jna-4.1.0.jar\com\sun\jna\win32-x86\jnidispatch.dll
MD5: 05a72ada9247aeb114a9ef01a394b6c4
SHA1: 8b32cc82740fc62afdf5ea211f1ca8bb72269bbf

Identifiers

  • None

mockito-core-1.10.19.jar

Description: Mock objects library for java

License:

The MIT License: http://github.com/mockito/mockito/blob/master/LICENSE
File Path: C:\Users\Jeremy\.m2\repository\org\mockito\mockito-core\1.10.19\mockito-core-1.10.19.jar
MD5: c1967f0a515c4b8155f62478ec823464
SHA1: e8546f5bef4e061d8dd73895b4e8f40e3fe6effe
Referenced In Project: waffle-tests

Identifiers

  • maven: org.mockito:mockito-core:1.10.19   Confidence:HIGH

objenesis-2.1.jar

Description: A library for instantiating Java objects

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\Users\Jeremy\.m2\repository\org\objenesis\objenesis\2.1\objenesis-2.1.jar
MD5: 32ccb1d20a42b5aaaceb90c9082a2efa
SHA1: 87c0ea803b69252868d09308b4618f766f135a96
Referenced In Project: waffle-tests

Identifiers

  • maven: org.objenesis:objenesis:2.1   Confidence:HIGH

jcl-over-slf4j-1.7.12.jar

Description: JCL 1.1.1 implemented over SLF4J

File Path: C:\Users\Jeremy\.m2\repository\org\slf4j\jcl-over-slf4j\1.7.12\jcl-over-slf4j-1.7.12.jar
MD5: 5989c932ad8fff557a90f6f9032e57f9
SHA1: adef7a9e1263298255fdb5cb107ff171d07c82f3
Referenced In Projects:

  • waffle-spring-filter
  • waffle-tests
  • waffle-jaas
  • waffle-jetty
  • waffle-distro
  • waffle-negotiate
  • waffle-tomcat8
  • waffle-tomcat7
  • waffle-filter
  • waffle-mixed
  • waffle-tomcat6
  • waffle-mixed-post
  • waffle-jna
  • waffle-spring-security4
  • waffle-spring-security3
  • waffle-shiro
  • waffle-form
  • waffle-demo-parent
  • waffle-spring-form

Identifiers

  • maven: org.slf4j:jcl-over-slf4j:1.7.12   Confidence:HIGH

slf4j-api-1.7.12.jar

Description: The slf4j API

File Path: C:\Users\Jeremy\.m2\repository\org\slf4j\slf4j-api\1.7.12\slf4j-api-1.7.12.jar
MD5: 68910bf95dbcf90ce5859128f0f75d1e
SHA1: 8e20852d05222dc286bf1c71d78d0531e177c317
Referenced In Projects:

  • waffle-spring-filter
  • waffle-tests
  • waffle-jaas
  • waffle-jetty
  • waffle-distro
  • waffle-negotiate
  • waffle-tomcat8
  • waffle-tomcat7
  • waffle-filter
  • waffle-mixed
  • waffle-tomcat6
  • waffle-mixed-post
  • waffle-jna
  • waffle-spring-security4
  • waffle-spring-security3
  • waffle-shiro
  • waffle-form
  • waffle-demo-parent
  • waffle-spring-form

Identifiers

  • maven: org.slf4j:slf4j-api:1.7.12   Confidence:HIGH

commons-beanutils-1.8.3.jar

Description: BeanUtils provides an easy-to-use but flexible wrapper around reflection and introspection.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\Users\Jeremy\.m2\repository\commons-beanutils\commons-beanutils\1.8.3\commons-beanutils-1.8.3.jar
MD5: b45be74134796c89db7126083129532f
SHA1: 686ef3410bcf4ab8ce7fd0b899e832aaba5facf7
Referenced In Project: waffle-shiro

Identifiers

shiro-core-1.2.3.jar

Description: Apache Shiro is a powerful and flexible open-source security framework that cleanly handles authentication, authorization, enterprise session management, single sign-on and cryptography services.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\Users\Jeremy\.m2\repository\org\apache\shiro\shiro-core\1.2.3\shiro-core-1.2.3.jar
MD5: 9147beb1ddba5ed220608bdd90759108
SHA1: 4ddf1b83360c7e39f02e3e20ca364d2c448ed01f
Referenced In Project: waffle-shiro

Identifiers

tomcat-api-8.0.24.jar

Description: Definition of interfaces shared by Catalina and Jasper

License:

Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\Users\Jeremy\.m2\repository\org\apache\tomcat\tomcat-api\8.0.24\tomcat-api-8.0.24.jar
MD5: 6d7c87ba49b23cc02c915b1eaeeff8a2
SHA1: fc8c4b3748bee2396a3a98559b7cf9471fd5ca6d
Referenced In Project: waffle-tomcat8

Identifiers

CVE-2013-2185  

Severity: High
CVSS Score: 7.5
CWE: CWE-20 Improper Input Validation

** DISPUTED ** The readObject method in the DiskFileItem class in Apache Tomcat and JBoss Web, as used in Red Hat JBoss Enterprise Application Platform 6.1.0 and Red Hat JBoss Portal 6.0.0, allows remote attackers to write to arbitrary files via a NULL byte in a file name in a serialized instance, a similar issue to CVE-2013-2186. NOTE: this issue is reportedly disputed by the Apache Tomcat team, although Red Hat considers it a vulnerability. The dispute appears to regard whether it is the responsibility of applications to avoid providing untrusted data to be deserialized, or whether this class should inherently protect against this issue.

Vulnerable Software & Versions:

CVE-2009-2696  

Severity: Medium
CVSS Score: 4.3
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Cross-site scripting (XSS) vulnerability in jsp/cal/cal2.jsp in the calendar application in the examples web application in Apache Tomcat on Red Hat Enterprise Linux 5, Desktop Workstation 5, and Linux Desktop 5 allows remote attackers to inject arbitrary web script or HTML via the time parameter, related to "invalid HTML." NOTE: this is due to a missing fix for CVE-2009-0781.

Vulnerable Software & Versions:

CVE-2007-5461  

Severity: Low
CVSS Score: 3.5
CWE: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Absolute path traversal vulnerability in Apache Tomcat 4.0.0 through 4.0.6, 4.1.0, 5.0.0, 5.5.0 through 5.5.25, and 6.0.0 through 6.0.14, under certain configurations, allows remote authenticated users to read arbitrary files via a WebDAV write request that specifies an entity with a SYSTEM tag.

Vulnerable Software & Versions:

CVE-2002-0493  

Severity: High
CVSS Score: 7.5

Apache Tomcat may be started without proper security settings if errors are encountered while reading the web.xml file, which could allow attackers to bypass intended restrictions.

Vulnerable Software & Versions:

tomcat-el-api-8.0.24.jar

Description: Expression language package

License:

Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\Users\Jeremy\.m2\repository\org\apache\tomcat\tomcat-el-api\8.0.24\tomcat-el-api-8.0.24.jar
MD5: 083e30556b4d0fd5dea2e6e74a5a8390
SHA1: 035ec5c4c96924d0c8b130cc435609ee86bb2f74
Referenced In Project: waffle-tomcat8

Identifiers

CVE-2013-2185  

Severity: High
CVSS Score: 7.5
CWE: CWE-20 Improper Input Validation

** DISPUTED ** The readObject method in the DiskFileItem class in Apache Tomcat and JBoss Web, as used in Red Hat JBoss Enterprise Application Platform 6.1.0 and Red Hat JBoss Portal 6.0.0, allows remote attackers to write to arbitrary files via a NULL byte in a file name in a serialized instance, a similar issue to CVE-2013-2186. NOTE: this issue is reportedly disputed by the Apache Tomcat team, although Red Hat considers it a vulnerability. The dispute appears to regard whether it is the responsibility of applications to avoid providing untrusted data to be deserialized, or whether this class should inherently protect against this issue.

Vulnerable Software & Versions:

CVE-2009-2696  

Severity: Medium
CVSS Score: 4.3
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Cross-site scripting (XSS) vulnerability in jsp/cal/cal2.jsp in the calendar application in the examples web application in Apache Tomcat on Red Hat Enterprise Linux 5, Desktop Workstation 5, and Linux Desktop 5 allows remote attackers to inject arbitrary web script or HTML via the time parameter, related to "invalid HTML." NOTE: this is due to a missing fix for CVE-2009-0781.

Vulnerable Software & Versions:

CVE-2007-5461  

Severity: Low
CVSS Score: 3.5
CWE: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Absolute path traversal vulnerability in Apache Tomcat 4.0.0 through 4.0.6, 4.1.0, 5.0.0, 5.5.0 through 5.5.25, and 6.0.0 through 6.0.14, under certain configurations, allows remote authenticated users to read arbitrary files via a WebDAV write request that specifies an entity with a SYSTEM tag.

Vulnerable Software & Versions:

CVE-2002-0493  

Severity: High
CVSS Score: 7.5

Apache Tomcat may be started without proper security settings if errors are encountered while reading the web.xml file, which could allow attackers to bypass intended restrictions.

Vulnerable Software & Versions:

slf4j-simple-1.7.12.jar

Description: SLF4J Simple binding

File Path: C:\Users\Jeremy\.m2\repository\org\slf4j\slf4j-simple\1.7.12\slf4j-simple-1.7.12.jar
MD5: cb57410c6be440d04777d60ad4e17dcd
SHA1: 42db62298b899818ff17352cbc00050e940bbfb0
Referenced In Project: waffle-jna

Identifiers

  • maven: org.slf4j:slf4j-simple:1.7.12   Confidence:HIGH

tomcat-api-7.0.63.jar

Description: Definition of interfaces shared by Catalina and Jasper

License:

Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\Users\Jeremy\.m2\repository\org\apache\tomcat\tomcat-api\7.0.63\tomcat-api-7.0.63.jar
MD5: ddd71b1094f9f0d29d1acaf4560f372b
SHA1: 112a664842381e8d65bd228a0de7e11eb552840d
Referenced In Project: waffle-tomcat7

Identifiers

CVE-2014-7810  

Severity: Medium
CVSS Score: 5.0
CWE: CWE-284 Improper Access Control

The Expression Language (EL) implementation in Apache Tomcat 6.x before 6.0.44, 7.x before 7.0.58, and 8.x before 8.0.16 does not properly consider the possibility of an accessible interface implemented by an inaccessible class, which allows attackers to bypass a SecurityManager protection mechanism via a web application that leverages use of incorrect privileges during EL evaluation.

Vulnerable Software & Versions:

CVE-2014-0230  

Severity: High
CVSS Score: 7.8
CWE: CWE-399 Resource Management Errors

Apache Tomcat 6.x before 6.0.44, 7.x before 7.0.55, and 8.x before 8.0.9 does not properly handle cases where an HTTP response occurs before finishing the reading of an entire request body, which allows remote attackers to cause a denial of service (thread consumption) via a series of aborted upload attempts.

Vulnerable Software & Versions:

CVE-2014-0227  

Severity: Medium
CVSS Score: 6.4
CWE: CWE-19 Data Handling

java/org/apache/coyote/http11/filters/ChunkedInputFilter.java in Apache Tomcat 6.x before 6.0.42, 7.x before 7.0.55, and 8.x before 8.0.9 does not properly handle attempts to continue reading data after an error has occurred, which allows remote attackers to conduct HTTP request smuggling attacks or cause a denial of service (resource consumption) by streaming data with malformed chunked transfer coding.

Vulnerable Software & Versions:

CVE-2014-0119  

Severity: Medium
CVSS Score: 4.3
CWE: CWE-264 Permissions, Privileges, and Access Controls

Apache Tomcat before 6.0.40, 7.x before 7.0.54, and 8.x before 8.0.6 does not properly constrain the class loader that accesses the XML parser used with an XSLT stylesheet, which allows remote attackers to (1) read arbitrary files via a crafted web application that provides an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue, or (2) read files associated with different web applications on a single Tomcat instance via a crafted web application.

Vulnerable Software & Versions:

CVE-2014-0099  

Severity: Medium
CVSS Score: 4.3
CWE: CWE-189 Numeric Errors

Integer overflow in java/org/apache/tomcat/util/buf/Ascii.java in Apache Tomcat before 6.0.40, 7.x before 7.0.53, and 8.x before 8.0.4, when operated behind a reverse proxy, allows remote attackers to conduct HTTP request smuggling attacks via a crafted Content-Length HTTP header.

Vulnerable Software & Versions:

CVE-2014-0096  

Severity: Medium
CVSS Score: 4.3
CWE: CWE-264 Permissions, Privileges, and Access Controls

java/org/apache/catalina/servlets/DefaultServlet.java in the default servlet in Apache Tomcat before 6.0.40, 7.x before 7.0.53, and 8.x before 8.0.4 does not properly restrict XSLT stylesheets, which allows remote attackers to bypass security-manager restrictions and read arbitrary files via a crafted web application that provides an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.

Vulnerable Software & Versions:

CVE-2014-0075  

Severity: Medium
CVSS Score: 5.0
CWE: CWE-189 Numeric Errors

Integer overflow in the parseChunkHeader function in java/org/apache/coyote/http11/filters/ChunkedInputFilter.java in Apache Tomcat before 6.0.40, 7.x before 7.0.53, and 8.x before 8.0.4 allows remote attackers to cause a denial of service (resource consumption) via a malformed chunk size in chunked transfer coding of a request during the streaming of data.

Vulnerable Software & Versions:

CVE-2014-0050  

Severity: Medium
CVSS Score: 5.0
CWE: CWE-264 Permissions, Privileges, and Access Controls

MultipartStream.java in Apache Commons FileUpload before 1.3.1, as used in Apache Tomcat, JBoss Web, and other products, allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via a crafted Content-Type header that bypasses a loop's intended exit conditions.

Vulnerable Software & Versions:

CVE-2013-4590  

Severity: Medium
CVSS Score: 4.3
CWE: CWE-200 Information Exposure

Apache Tomcat before 6.0.39, 7.x before 7.0.50, and 8.x before 8.0.0-RC10 allows attackers to obtain "Tomcat internals" information by leveraging the presence of an untrusted web application with a context.xml, web.xml, *.jspx, *.tagx, or *.tld XML document containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.

Vulnerable Software & Versions:

CVE-2013-4444  

Severity: Medium
CVSS Score: 6.8
CWE: CWE-94 Improper Control of Generation of Code ('Code Injection')

Unrestricted file upload vulnerability in Apache Tomcat 7.x before 7.0.40, in certain situations involving outdated java.io.File code and a custom JMX configuration, allows remote attackers to execute arbitrary code by uploading and accessing a JSP file.

Vulnerable Software & Versions:

CVE-2013-4322  

Severity: Medium
CVSS Score: 4.3
CWE: CWE-20 Improper Input Validation

Apache Tomcat before 6.0.39, 7.x before 7.0.50, and 8.x before 8.0.0-RC10 processes chunked transfer coding without properly handling (1) a large total amount of chunked data or (2) whitespace characters in an HTTP header value within a trailer field, which allows remote attackers to cause a denial of service by streaming data. NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-3544.

Vulnerable Software & Versions:

CVE-2013-4286  

Severity: Medium
CVSS Score: 5.8
CWE: CWE-20 Improper Input Validation

Apache Tomcat before 6.0.39, 7.x before 7.0.47, and 8.x before 8.0.0-RC3, when an HTTP connector or AJP connector is used, does not properly handle certain inconsistent HTTP request headers, which allows remote attackers to trigger incorrect identification of a request's length and conduct request-smuggling attacks via (1) multiple Content-Length headers or (2) a Content-Length header and a "Transfer-Encoding: chunked" header. NOTE: this vulnerability exists because of an incomplete fix for CVE-2005-2090.

Vulnerable Software & Versions:

CVE-2013-2185  

Severity: High
CVSS Score: 7.5
CWE: CWE-20 Improper Input Validation

** DISPUTED ** The readObject method in the DiskFileItem class in Apache Tomcat and JBoss Web, as used in Red Hat JBoss Enterprise Application Platform 6.1.0 and Red Hat JBoss Portal 6.0.0, allows remote attackers to write to arbitrary files via a NULL byte in a file name in a serialized instance, a similar issue to CVE-2013-2186. NOTE: this issue is reportedly disputed by the Apache Tomcat team, although Red Hat considers it a vulnerability. The dispute appears to regard whether it is the responsibility of applications to avoid providing untrusted data to be deserialized, or whether this class should inherently protect against this issue.

Vulnerable Software & Versions:

CVE-2013-2071  

Severity: Low
CVSS Score: 2.6
CWE: CWE-200 Information Exposure

java/org/apache/catalina/core/AsyncContextImpl.java in Apache Tomcat 7.x before 7.0.40 does not properly handle the throwing of a RuntimeException in an AsyncListener in an application, which allows context-dependent attackers to obtain sensitive request information intended for other applications in opportunistic circumstances via an application that records the requests that it processes.

Vulnerable Software & Versions:

CVE-2013-2067  

Severity: Medium
CVSS Score: 6.8
CWE: CWE-287 Improper Authentication

java/org/apache/catalina/authenticator/FormAuthenticator.java in the form authentication feature in Apache Tomcat 6.0.21 through 6.0.36 and 7.x before 7.0.33 does not properly handle the relationships between authentication requirements and sessions, which allows remote attackers to inject a request into a session by sending this request during completion of the login form, a variant of a session fixation attack.

Vulnerable Software & Versions:

CVE-2013-0346  

Severity: Low
CVSS Score: 2.1
CWE: CWE-264 Permissions, Privileges, and Access Controls

** DISPUTED ** Apache Tomcat 7.x uses world-readable permissions for the log directory and its files, which might allow local users to obtain sensitive information by reading a file. NOTE: One Tomcat distributor has stated "The tomcat log directory does not contain any sensitive information."

Vulnerable Software & Versions:

CVE-2012-5887  

Severity: Medium
CVSS Score: 5.0
CWE: CWE-287 Improper Authentication

The HTTP Digest Access Authentication implementation in Apache Tomcat 5.5.x before 5.5.36, 6.x before 6.0.36, and 7.x before 7.0.30 does not properly check for stale nonce values in conjunction with enforcement of proper credentials, which makes it easier for remote attackers to bypass intended access restrictions by sniffing the network for valid requests.

Vulnerable Software & Versions:

CVE-2012-5886  

Severity: Medium
CVSS Score: 5.0
CWE: CWE-287 Improper Authentication

The HTTP Digest Access Authentication implementation in Apache Tomcat 5.5.x before 5.5.36, 6.x before 6.0.36, and 7.x before 7.0.30 caches information about the authenticated user within the session state, which makes it easier for remote attackers to bypass authentication via vectors related to the session ID.

Vulnerable Software & Versions:

CVE-2012-5885  

Severity: Medium
CVSS Score: 5.0
CWE: CWE-264 Permissions, Privileges, and Access Controls

The replay-countermeasure functionality in the HTTP Digest Access Authentication implementation in Apache Tomcat 5.5.x before 5.5.36, 6.x before 6.0.36, and 7.x before 7.0.30 tracks cnonce (aka client nonce) values instead of nonce (aka server nonce) and nc (aka nonce-count) values, which makes it easier for remote attackers to bypass intended access restrictions by sniffing the network for valid requests, a different vulnerability than CVE-2011-1184.

Vulnerable Software & Versions: