Dependency-Check is an open source tool performing a best effort analysis of 3rd party dependencies; false positives and false negatives may exist in the analysis performed by the tool. Use of the tool and the reporting provided constitutes acceptance for use in an AS IS condition, and there are NO warranties, implied or otherwise, with regard to the analysis or its use. Any use of the tool and the reporting provided is at the user’s risk. In no event shall the copyright holder or OWASP be held liable for any damages whatsoever arising out of or in connection with the use of this tool, the analysis performed, or the resulting report.
| Dependency | CPE | GAV | Highest Severity | CVE Count | CPE Confidence | Evidence Count |
|---|---|---|---|---|---|---|
| guava-18.0.jar | com.google.guava:guava:18.0 | 0 | 18 | |||
| jna-platform-4.1.0.jar | net.java.dev.jna:jna-platform:4.1.0 | 0 | 21 | |||
| jna-4.1.0.jar | net.java.dev.jna:jna:4.1.0 | 0 | 23 | |||
| jna-4.1.0.jar: jnidispatch.dll | 0 | 1 | ||||
| jna-4.1.0.jar: jnidispatch.dll | 0 | 1 | ||||
| jna-4.1.0.jar: jnidispatch.dll | 0 | 1 | ||||
| tomcat-api-8.0.24.jar |
cpe:/a:apache:tomcat:8.0.24
cpe:/a:apache_tomcat:apache_tomcat:8.0.24 |
org.apache.tomcat:tomcat-api:8.0.24 | High | 4 | LOW | 13 |
| tomcat-el-api-8.0.24.jar | cpe:/a:apache:tomcat:8.0.24 | org.apache.tomcat:tomcat-el-api:8.0.24 | High | 4 | LOW | 11 |
| jcl-over-slf4j-1.7.12.jar | org.slf4j:jcl-over-slf4j:1.7.12 | 0 | 17 | |||
| slf4j-api-1.7.12.jar | org.slf4j:slf4j-api:1.7.12 | 0 | 17 |
Description:
Guava is a suite of core and expanded libraries that include
utility classes, google's collections, io classes, and much
much more.
Guava has only one code dependency - javax.annotation,
per the JSR-305 spec.
License:
http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: C:\Users\Jeremy\.m2\repository\com\google\guava\guava\18.0\guava-18.0.jar
Description: Java Native Access Platform
License:
LGPL, version 2.1: http://www.gnu.org/licenses/licenses.html ASL, version 2: http://www.apache.org/licenses/File Path: C:\Users\Jeremy\.m2\repository\net\java\dev\jna\jna-platform\4.1.0\jna-platform-4.1.0.jar
Description: Java Native Access
License:
LGPL, version 2.1: http://www.gnu.org/licenses/licenses.html ASL, version 2: http://www.apache.org/licenses/File Path: C:\Users\Jeremy\.m2\repository\net\java\dev\jna\jna\4.1.0\jna-4.1.0.jar
File Path: C:\Users\Jeremy\.m2\repository\net\java\dev\jna\jna\4.1.0\jna-4.1.0.jar\com\sun\jna\w32ce-arm\jnidispatch.dll
MD5: 57697cbdd321ae7d06f5da04e821f908
SHA1: 67167f2b2fce8db5f9f64a372b0da54730d3ee51
File Path: C:\Users\Jeremy\.m2\repository\net\java\dev\jna\jna\4.1.0\jna-4.1.0.jar\com\sun\jna\win32-x86-64\jnidispatch.dll
MD5: 06b2f1f909d2436dff20d7a668ef26a9
SHA1: bd1bdda9a91f3b0d9067e323f7394bef933f81f6
File Path: C:\Users\Jeremy\.m2\repository\net\java\dev\jna\jna\4.1.0\jna-4.1.0.jar\com\sun\jna\win32-x86\jnidispatch.dll
MD5: 05a72ada9247aeb114a9ef01a394b6c4
SHA1: 8b32cc82740fc62afdf5ea211f1ca8bb72269bbf
Description: Definition of interfaces shared by Catalina and Jasper
License:
Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: C:\Users\Jeremy\.m2\repository\org\apache\tomcat\tomcat-api\8.0.24\tomcat-api-8.0.24.jar
Severity:
High
CVSS Score: 7.5
CWE: CWE-20 Improper Input Validation
** DISPUTED ** The readObject method in the DiskFileItem class in Apache Tomcat and JBoss Web, as used in Red Hat JBoss Enterprise Application Platform 6.1.0 and Red Hat JBoss Portal 6.0.0, allows remote attackers to write to arbitrary files via a NULL byte in a file name in a serialized instance, a similar issue to CVE-2013-2186. NOTE: this issue is reportedly disputed by the Apache Tomcat team, although Red Hat considers it a vulnerability. The dispute appears to regard whether it is the responsibility of applications to avoid providing untrusted data to be deserialized, or whether this class should inherently protect against this issue.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.3
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Cross-site scripting (XSS) vulnerability in jsp/cal/cal2.jsp in the calendar application in the examples web application in Apache Tomcat on Red Hat Enterprise Linux 5, Desktop Workstation 5, and Linux Desktop 5 allows remote attackers to inject arbitrary web script or HTML via the time parameter, related to "invalid HTML." NOTE: this is due to a missing fix for CVE-2009-0781.
Vulnerable Software & Versions:
Severity:
Low
CVSS Score: 3.5
CWE: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Absolute path traversal vulnerability in Apache Tomcat 4.0.0 through 4.0.6, 4.1.0, 5.0.0, 5.5.0 through 5.5.25, and 6.0.0 through 6.0.14, under certain configurations, allows remote authenticated users to read arbitrary files via a WebDAV write request that specifies an entity with a SYSTEM tag.
Vulnerable Software & Versions:
Severity:
High
CVSS Score: 7.5
Apache Tomcat may be started without proper security settings if errors are encountered while reading the web.xml file, which could allow attackers to bypass intended restrictions.
Vulnerable Software & Versions:
Description: Expression language package
License:
Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: C:\Users\Jeremy\.m2\repository\org\apache\tomcat\tomcat-el-api\8.0.24\tomcat-el-api-8.0.24.jar
Severity:
High
CVSS Score: 7.5
CWE: CWE-20 Improper Input Validation
** DISPUTED ** The readObject method in the DiskFileItem class in Apache Tomcat and JBoss Web, as used in Red Hat JBoss Enterprise Application Platform 6.1.0 and Red Hat JBoss Portal 6.0.0, allows remote attackers to write to arbitrary files via a NULL byte in a file name in a serialized instance, a similar issue to CVE-2013-2186. NOTE: this issue is reportedly disputed by the Apache Tomcat team, although Red Hat considers it a vulnerability. The dispute appears to regard whether it is the responsibility of applications to avoid providing untrusted data to be deserialized, or whether this class should inherently protect against this issue.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.3
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Cross-site scripting (XSS) vulnerability in jsp/cal/cal2.jsp in the calendar application in the examples web application in Apache Tomcat on Red Hat Enterprise Linux 5, Desktop Workstation 5, and Linux Desktop 5 allows remote attackers to inject arbitrary web script or HTML via the time parameter, related to "invalid HTML." NOTE: this is due to a missing fix for CVE-2009-0781.
Vulnerable Software & Versions:
Severity:
Low
CVSS Score: 3.5
CWE: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Absolute path traversal vulnerability in Apache Tomcat 4.0.0 through 4.0.6, 4.1.0, 5.0.0, 5.5.0 through 5.5.25, and 6.0.0 through 6.0.14, under certain configurations, allows remote authenticated users to read arbitrary files via a WebDAV write request that specifies an entity with a SYSTEM tag.
Vulnerable Software & Versions:
Severity:
High
CVSS Score: 7.5
Apache Tomcat may be started without proper security settings if errors are encountered while reading the web.xml file, which could allow attackers to bypass intended restrictions.
Vulnerable Software & Versions:
Description: JCL 1.1.1 implemented over SLF4J
File Path: C:\Users\Jeremy\.m2\repository\org\slf4j\jcl-over-slf4j\1.7.12\jcl-over-slf4j-1.7.12.jar
MD5: 5989c932ad8fff557a90f6f9032e57f9
SHA1: adef7a9e1263298255fdb5cb107ff171d07c82f3
Referenced In Project:
waffle-tomcat8
Description: The slf4j API
File Path: C:\Users\Jeremy\.m2\repository\org\slf4j\slf4j-api\1.7.12\slf4j-api-1.7.12.jar
MD5: 68910bf95dbcf90ce5859128f0f75d1e
SHA1: 8e20852d05222dc286bf1c71d78d0531e177c317
Referenced In Project:
waffle-tomcat8