Neat little tool that generates vulnerability reports on dependencies during a maven build. N.B. the following aren't actual dependencies of Phoenix.

<groupId>org.owasp</groupId>
<artifactId>dependency-check-maven</artifactId>

Cheers,

Pete.

Dependency-Check is an open source tool performing a best effort analysis of 3rd party dependencies; false positives and false negatives may exist in the analysis performed by the tool. Use of the tool and the reporting provided constitutes acceptance for use in an AS IS condition, and there are NO warranties, implied or otherwise, with regard to the analysis or its use. Any use of the tool and the reporting provided is at the user’s risk. In no event shall the copyright holder or OWASP be held liable for any damages whatsoever arising out of or in connection with the use of this tool, the analysis performed, or the resulting report.


     How to read the report: <http://jeremylong.github.io/DependencyCheck/general/thereport.html>
     Suppressing false positives: <http://jeremylong.github.io/DependencyCheck/general/suppression.html>
     Getting Help: google group <https://groups.google.com/forum/#%21forum/dependency-check> | github issues <https://github.com/jeremylong/DependencyCheck/issues>


   Project: Module :: Phoenix

Scan Information:

   * /dependency-check version/: 1.4.4
   * /Report Generated On/: Jan 7, 2017 at 19:06:08 EST
   * /Dependencies Scanned/: 62 (62 unique)
   * /Vulnerable Dependencies/: 4
   * /Vulnerabilities Found/: 9
   * /Vulnerabilities Suppressed/: 0
   * ...


Display: Showing Vulnerable Dependencies

Dependency                             | CPE                                                                 | GAV                                                        | Highest Severity | CVE Count | CPE Confidence | Evidence Count
commons-httpclient-3.0.jar             | cpe:/a:apache:commons-httpclient:3.0, cpe:/a:apache:httpclient:3.0  | commons-httpclient:commons-httpclient:3.0                  | Medium           | 4         | HIGHEST        | 15
jackrabbit-jcr-commons-1.5.0.jar       | cpe:/a:apache:jackrabbit:1.5.0                                      | org.apache.jackrabbit:jackrabbit-jcr-commons:1.5.0         | Medium           | 2         | HIGHEST        | 15
jackrabbit-webdav-1.5.0.jar            | cpe:/a:apache:jackrabbit:1.5.0                                      | org.apache.jackrabbit:jackrabbit-webdav:1.5.0              | Medium           | 2         | HIGHEST        | 13
wagon-webdav-jackrabbit-1.0-beta-6.jar | cpe:/a:apache:jackrabbit:1.0                                        | org.apache.maven.wagon:wagon-webdav-jackrabbit:1.0-beta-6  | Medium           | 1         | LOW            | 16


   Dependencies


     commons-httpclient-3.0.jar

*Description:* The HttpClient component supports the client-side of RFC 1945 (HTTP/1.0) and RFC 2616 (HTTP/1.1) , several related specifications (RFC 2109 (Cookies) , RFC 2617 (HTTP Authentication) , etc.), and provides a framework by which new request types (methods) or HTTP extensions can be created easily.

*License:*

Apache License: http://www.apache.org/licenses/LICENSE-2.0

*File Path:* C:\Users\peter\Documents\NetBeansProjects\river-internet\modularize\JGDMS\target\test-repo\commons-httpclient\commons-httpclient\3.0\commons-httpclient-3.0.jar
*MD5:* cd69c70d6c078f4340bd5e867ec6f1b6
*SHA1:* 336a280d178bb957e5233189f0f32e067366c4e5
*Referenced In Project/Scope:* Module :: Phoenix:runtime


       Evidence


       Identifiers

   * *maven:* commons-httpclient:commons-httpclient:3.0 /Confidence/:HIGH
   * *cpe:* cpe:/a:apache:commons-httpclient:3.0
     <https://web.nvd.nist.gov/view/vuln/search-results?adv_search=true&cves=on&cpe_version=cpe%3A%2Fa%3Aapache%3Acommons-httpclient%3A3.0>
     /Confidence/:HIGHEST
   * *cpe:* cpe:/a:apache:httpclient:3.0 /Confidence/:LOW


       Published Vulnerabilities

*CVE-2015-5262 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5262>*

Severity: Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:N/A:P)
CWE: CWE-399 Resource Management Errors

http/conn/ssl/SSLConnectionSocketFactory.java in Apache HttpComponents HttpClient before 4.3.6 ignores the http.socket.timeout configuration setting during an SSL handshake, which allows remote attackers to cause a denial of service (HTTPS call hang) via unspecified vectors.

   * CONFIRM - http://svn.apache.org/viewvc?view=revision&revision=1626784
   * CONFIRM - https://bugzilla.redhat.com/show_bug.cgi?id=1261538
   * CONFIRM - https://issues.apache.org/jira/browse/HTTPCLIENT-1478
   * FEDORA - FEDORA-2015-15588 <http://lists.fedoraproject.org/pipermail/package-announce/2015-October/168030.html>
   * FEDORA - FEDORA-2015-15589 <http://lists.fedoraproject.org/pipermail/package-announce/2015-October/167999.html>
   * FEDORA - FEDORA-2015-15590 <http://lists.fedoraproject.org/pipermail/package-announce/2015-October/167962.html>
   * SECTRACK - 1033743 <http://www.securitytracker.com/id/1033743>
   * UBUNTU - USN-2769-1 <http://www.ubuntu.com/usn/USN-2769-1>

Vulnerable Software & Versions:

   * cpe:/a:apache:httpclient:4.3.5
     <https://web.nvd.nist.gov/view/vuln/search-results?adv_search=true&cves=on&cpe_version=cpe%3A%2Fa%3Aapache%3Ahttpclient%3A4.3.5>
     and all previous versions

*CVE-2014-3577 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3577>*

Severity: Medium
CVSS Score: 5.8 (AV:N/AC:M/Au:N/C:P/I:P/A:N)

org.apache.http.conn.ssl.AbstractVerifier in Apache HttpComponents HttpClient before 4.3.5 and HttpAsyncClient before 4.0.2 does not properly verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via a "CN=" string in a field in the distinguished name (DN) of a certificate, as demonstrated by the "foo,CN=www.apache.org" string in the O field.

   * BID - 69258 <http://www.securityfocus.com/bid/69258>
   * CONFIRM - https://access.redhat.com/solutions/1165533
   * CONFIRM - https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05103564
   * FULLDISC - 20140818 CVE-2014-3577: Apache HttpComponents client: Hostname verification susceptible to MITM attack <http://seclists.org/fulldisclosure/2014/Aug/48>
   * MISC - http://packetstormsecurity.com/files/127913/Apache-HttpComponents-Man-In-The-Middle.html
   * OSVDB - 110143 <http://www.osvdb.org/110143>
   * REDHAT - RHSA-2014:1146 <http://rhn.redhat.com/errata/RHSA-2014-1146.html>
   * REDHAT - RHSA-2014:1166 <http://rhn.redhat.com/errata/RHSA-2014-1166.html>
   * REDHAT - RHSA-2014:1833 <http://rhn.redhat.com/errata/RHSA-2014-1833.html>
   * REDHAT - RHSA-2014:1834 <http://rhn.redhat.com/errata/RHSA-2014-1834.html>
   * REDHAT - RHSA-2014:1835 <http://rhn.redhat.com/errata/RHSA-2014-1835.html>
   * REDHAT - RHSA-2014:1836 <http://rhn.redhat.com/errata/RHSA-2014-1836.html>
   * REDHAT - RHSA-2014:1891 <http://rhn.redhat.com/errata/RHSA-2014-1891.html>
   * REDHAT - RHSA-2014:1892 <http://rhn.redhat.com/errata/RHSA-2014-1892.html>
   * REDHAT - RHSA-2015:0125 <http://rhn.redhat.com/errata/RHSA-2015-0125.html>
   * REDHAT - RHSA-2015:0158 <http://rhn.redhat.com/errata/RHSA-2015-0158.html>
   * REDHAT - RHSA-2015:0675 <http://rhn.redhat.com/errata/RHSA-2015-0675.html>
   * REDHAT - RHSA-2015:0720 <http://rhn.redhat.com/errata/RHSA-2015-0720.html>
   * REDHAT - RHSA-2015:0765 <http://rhn.redhat.com/errata/RHSA-2015-0765.html>
   * REDHAT - RHSA-2015:0850 <http://rhn.redhat.com/errata/RHSA-2015-0850.html>
   * REDHAT - RHSA-2015:0851 <http://rhn.redhat.com/errata/RHSA-2015-0851.html>
   * REDHAT - RHSA-2015:1176 <http://rhn.redhat.com/errata/RHSA-2015-1176.html>
   * REDHAT - RHSA-2015:1177 <http://rhn.redhat.com/errata/RHSA-2015-1177.html>
   * SECTRACK - 1030812 <http://www.securitytracker.com/id/1030812>
   * SECUNIA - 60466 <http://secunia.com/advisories/60466>
   * UBUNTU - USN-2769-1 <http://www.ubuntu.com/usn/USN-2769-1>
   * XF - apache-cve20143577-spoofing(95327) <http://xforce.iss.net/xforce/xfdb/95327>

Vulnerable Software & Versions:

   * cpe:/a:apache:httpclient:4.3.4
     <https://web.nvd.nist.gov/view/vuln/search-results?adv_search=true&cves=on&cpe_version=cpe%3A%2Fa%3Aapache%3Ahttpclient%3A4.3.4>
     and all previous versions
   * ...

*CVE-2012-6153 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-6153>*

Severity: Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-20 Improper Input Validation

http/conn/ssl/AbstractVerifier.java in Apache Commons HttpClient before 4.2.3 does not properly verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via a certificate with a subject that specifies a common name in a field that is not the CN field. NOTE: this issue exists because of an incomplete fix for CVE-2012-5783.

   * BID - 69257 <http://www.securityfocus.com/bid/69257>
   * CONFIRM - http://svn.apache.org/viewvc?view=revision&revision=1411705
   * CONFIRM - https://access.redhat.com/solutions/1165533
   * CONFIRM - https://bugzilla.redhat.com/show_bug.cgi?id=1129916
   * CONFIRM - https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05103564
   * REDHAT - RHSA-2014:1098 <http://rhn.redhat.com/errata/RHSA-2014-1098.html>
   * REDHAT - RHSA-2014:1833 <http://rhn.redhat.com/errata/RHSA-2014-1833.html>
   * REDHAT - RHSA-2014:1834 <http://rhn.redhat.com/errata/RHSA-2014-1834.html>
   * REDHAT - RHSA-2014:1835 <http://rhn.redhat.com/errata/RHSA-2014-1835.html>
   * REDHAT - RHSA-2014:1836 <http://rhn.redhat.com/errata/RHSA-2014-1836.html>
   * REDHAT - RHSA-2014:1891 <http://rhn.redhat.com/errata/RHSA-2014-1891.html>
   * REDHAT - RHSA-2014:1892 <http://rhn.redhat.com/errata/RHSA-2014-1892.html>
   * REDHAT - RHSA-2015:0125 <http://rhn.redhat.com/errata/RHSA-2015-0125.html>
   * REDHAT - RHSA-2015:0158 <http://rhn.redhat.com/errata/RHSA-2015-0158.html>
   * REDHAT - RHSA-2015:0675 <http://rhn.redhat.com/errata/RHSA-2015-0675.html>
   * REDHAT - RHSA-2015:0720 <http://rhn.redhat.com/errata/RHSA-2015-0720.html>
   * REDHAT - RHSA-2015:0765 <http://rhn.redhat.com/errata/RHSA-2015-0765.html>
   * REDHAT - RHSA-2015:0850 <http://rhn.redhat.com/errata/RHSA-2015-0850.html>
   * REDHAT - RHSA-2015:0851 <http://rhn.redhat.com/errata/RHSA-2015-0851.html>
   * UBUNTU - USN-2769-1 <http://www.ubuntu.com/usn/USN-2769-1>

Vulnerable Software & Versions:

   * cpe:/a:apache:commons-httpclient:4.2.2
     <https://web.nvd.nist.gov/view/vuln/search-results?adv_search=true&cves=on&cpe_version=cpe%3A%2Fa%3Aapache%3Acommons-httpclient%3A4.2.2>
     and all previous versions
   * ...

*CVE-2012-5783 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-5783>*

Severity: Medium
CVSS Score: 5.8 (AV:N/AC:M/Au:N/C:P/I:P/A:N)
CWE: CWE-20 Improper Input Validation

Apache Commons HttpClient 3.x, as used in Amazon Flexible Payments Service (FPS) merchant Java SDK and other products, does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.

   * BID - 58073 <http://www.securityfocus.com/bid/58073>
   * MISC - http://www.cs.utexas.edu/~shmat/shmat_ccs12.pdf
   * REDHAT - RHSA-2013:0270 <http://rhn.redhat.com/errata/RHSA-2013-0270.html>
   * REDHAT - RHSA-2013:0679 <http://rhn.redhat.com/errata/RHSA-2013-0679.html>
   * REDHAT - RHSA-2013:0680 <http://rhn.redhat.com/errata/RHSA-2013-0680.html>
   * REDHAT - RHSA-2013:0681 <http://rhn.redhat.com/errata/RHSA-2013-0681.html>
   * REDHAT - RHSA-2013:0682 <http://rhn.redhat.com/errata/RHSA-2013-0682.html>
   * REDHAT - RHSA-2013:1147 <http://rhn.redhat.com/errata/RHSA-2013-1147.html>
   * REDHAT - RHSA-2013:1853 <http://rhn.redhat.com/errata/RHSA-2013-1853.html>
   * REDHAT - RHSA-2014:0224 <http://rhn.redhat.com/errata/RHSA-2014-0224.html>
   * SUSE - openSUSE-SU-2013:0354 <http://lists.opensuse.org/opensuse-updates/2013-02/msg00078.html>
   * SUSE - openSUSE-SU-2013:0622 <http://lists.opensuse.org/opensuse-updates/2013-04/msg00040.html>
   * SUSE - openSUSE-SU-2013:0623 <http://lists.opensuse.org/opensuse-updates/2013-04/msg00041.html>
   * SUSE - openSUSE-SU-2013:0638 <http://lists.opensuse.org/opensuse-updates/2013-04/msg00053.html>
   * UBUNTU - USN-2769-1 <http://www.ubuntu.com/usn/USN-2769-1>
   * XF - apache-commons-ssl-spoofing(79984) <http://xforce.iss.net/xforce/xfdb/79984>

Vulnerable Software & Versions:

   * cpe:/a:apache:commons-httpclient:3.0
     <https://web.nvd.nist.gov/view/vuln/search-results?adv_search=true&cves=on&cpe_version=cpe%3A%2Fa%3Aapache%3Acommons-httpclient%3A3.0>
   * ...


     jackrabbit-jcr-commons-1.5.0.jar

*Description:* General purpose classes for use with the JCR API

*License:*

http://www.apache.org/licenses/LICENSE-2.0.txt

*File Path:* C:\Users\peter\Documents\NetBeansProjects\river-internet\modularize\JGDMS\target\test-repo\org\apache\jackrabbit\jackrabbit-jcr-commons\1.5.0\jackrabbit-jcr-commons-1.5.0.jar
*MD5:* 579d2a761b42553e07f6dcd8225f0d53
*SHA1:* 816ca280dc631b277e7b963723f2e99b038383f2
*Referenced In Project/Scope:* Module :: Phoenix:runtime


       Evidence


       Identifiers

   * *cpe:* cpe:/a:apache:jackrabbit:1.5.0
     <https://web.nvd.nist.gov/view/vuln/search-results?adv_search=true&cves=on&cpe_version=cpe%3A%2Fa%3Aapache%3Ajackrabbit%3A1.5.0>
     /Confidence/:HIGHEST
   * *maven:* org.apache.jackrabbit:jackrabbit-jcr-commons:1.5.0 /Confidence/:HIGH


       Published Vulnerabilities

*CVE-2015-1833 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1833>*

Severity: Medium
CVSS Score: 6.4 (AV:N/AC:L/Au:N/C:P/I:P/A:N)
CWE: CWE-20 Improper Input Validation

XML external entity (XXE) vulnerability in Apache Jackrabbit before 2.0.6, 2.2.x before 2.2.14, 2.4.x before 2.4.6, 2.6.x before 2.6.6, 2.8.x before 2.8.1, and 2.10.x before 2.10.1 allows remote attackers to read arbitrary files and send requests to intranet servers via a crafted WebDAV request.

   * BID - 74761 <http://www.securityfocus.com/bid/74761>
   * BUGTRAQ - 20150521 CVE-2015-1833 (Jackrabbit WebDAV XXE vulnerability) <http://www.securityfocus.com/archive/1/archive/1/535582/100/0/threaded>
   * CONFIRM - http://www.apache.org/dist/jackrabbit/2.10.1/RELEASE-NOTES.txt
   * CONFIRM - https://issues.apache.org/jira/browse/JCR-3883
   * DEBIAN - DSA-3298 <http://www.debian.org/security/2015/dsa-3298>
   * EXPLOIT-DB - 37110 <https://www.exploit-db.com/exploits/37110/>
   * MISC - http://packetstormsecurity.com/files/132005/Jackrabbit-WebDAV-XXE-Injection.html
   * MLIST - [jackrabbit-announce] 20150521 CVE-2015-1833 (Jackrabbit WebDAV XXE vulnerability) <http://mail-archives.apache.org/mod_mbox/jackrabbit-announce/201505.mbox/%3C555DA644.8080908%40greenbytes.de%3E>

Vulnerable Software & Versions:

   * cpe:/a:apache:jackrabbit:2.0.5
     <https://web.nvd.nist.gov/view/vuln/search-results?adv_search=true&cves=on&cpe_version=cpe%3A%2Fa%3Aapache%3Ajackrabbit%3A2.0.5>
     and all previous versions
   * ...

*CVE-2009-0026 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-0026>*

Severity: Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Multiple cross-site scripting (XSS) vulnerabilities in Apache Jackrabbit before 1.5.2 allow remote attackers to inject arbitrary web script or HTML via the q parameter to (1) search.jsp or (2) swr.jsp.

   * BID - 33360 <http://www.securityfocus.com/bid/33360>
   * BUGTRAQ - 20090120 [ANNOUNCE] Apache Jackrabbit 1.5.2 released <http://www.securityfocus.com/archive/1/archive/1/500196/100/0/threaded>
   * CONFIRM - http://www.apache.org/dist/jackrabbit/RELEASE-NOTES-1.5.2.txt
   * CONFIRM - https://issues.apache.org/jira/browse/JCR-1925
   * SREASON - 4942 <http://securityreason.com/securityalert/4942>
   * VUPEN - ADV-2009-0177 <http://www.vupen.com/english/advisories/2009/0177>
   * XF - jackrabbit-search-swr-xss(48110) <http://xforce.iss.net/xforce/xfdb/48110>

Vulnerable Software & Versions:

   * cpe:/a:apache:jackrabbit:1.5.0
     <https://web.nvd.nist.gov/view/vuln/search-results?adv_search=true&cves=on&cpe_version=cpe%3A%2Fa%3Aapache%3Ajackrabbit%3A1.5.0>
   * ...


     jackrabbit-webdav-1.5.0.jar

*Description:* WebDAV library used by the Jackrabbit WebDAV support

*File Path:* C:\Users\peter\Documents\NetBeansProjects\river-internet\modularize\JGDMS\target\test-repo\org\apache\jackrabbit\jackrabbit-webdav\1.5.0\jackrabbit-webdav-1.5.0.jar
*MD5:* 137d4d30c1c78972fec7628c94f4f4a1
*SHA1:* b14c7fbbd34862d4d51c5e72ba3a69cde892c260
*Referenced In Project/Scope:* Module :: Phoenix:runtime


       Evidence


       Identifiers

   * *cpe:* cpe:/a:apache:jackrabbit:1.5.0
     <https://web.nvd.nist.gov/view/vuln/search-results?adv_search=true&cves=on&cpe_version=cpe%3A%2Fa%3Aapache%3Ajackrabbit%3A1.5.0>
     /Confidence/:HIGHEST
   * *maven:* org.apache.jackrabbit:jackrabbit-webdav:1.5.0 /Confidence/:HIGH


       Published Vulnerabilities

*CVE-2015-1833 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1833>*

Severity: Medium
CVSS Score: 6.4 (AV:N/AC:L/Au:N/C:P/I:P/A:N)
CWE: CWE-20 Improper Input Validation

XML external entity (XXE) vulnerability in Apache Jackrabbit before 2.0.6, 2.2.x before 2.2.14, 2.4.x before 2.4.6, 2.6.x before 2.6.6, 2.8.x before 2.8.1, and 2.10.x before 2.10.1 allows remote attackers to read arbitrary files and send requests to intranet servers via a crafted WebDAV request.

   * BID - 74761 <http://www.securityfocus.com/bid/74761>
   * BUGTRAQ - 20150521 CVE-2015-1833 (Jackrabbit WebDAV XXE vulnerability) <http://www.securityfocus.com/archive/1/archive/1/535582/100/0/threaded>
   * CONFIRM - http://www.apache.org/dist/jackrabbit/2.10.1/RELEASE-NOTES.txt
   * CONFIRM - https://issues.apache.org/jira/browse/JCR-3883
   * DEBIAN - DSA-3298 <http://www.debian.org/security/2015/dsa-3298>
   * EXPLOIT-DB - 37110 <https://www.exploit-db.com/exploits/37110/>
   * MISC - http://packetstormsecurity.com/files/132005/Jackrabbit-WebDAV-XXE-Injection.html
   * MLIST - [jackrabbit-announce] 20150521 CVE-2015-1833 (Jackrabbit WebDAV XXE vulnerability) <http://mail-archives.apache.org/mod_mbox/jackrabbit-announce/201505.mbox/%3C555DA644.8080908%40greenbytes.de%3E>

Vulnerable Software & Versions:

   * cpe:/a:apache:jackrabbit:2.0.5
     <https://web.nvd.nist.gov/view/vuln/search-results?adv_search=true&cves=on&cpe_version=cpe%3A%2Fa%3Aapache%3Ajackrabbit%3A2.0.5>
     and all previous versions
   * ...

*CVE-2009-0026 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-0026>*

Severity: Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Multiple cross-site scripting (XSS) vulnerabilities in Apache Jackrabbit before 1.5.2 allow remote attackers to inject arbitrary web script or HTML via the q parameter to (1) search.jsp or (2) swr.jsp.

   * BID - 33360 <http://www.securityfocus.com/bid/33360>
   * BUGTRAQ - 20090120 [ANNOUNCE] Apache Jackrabbit 1.5.2 released <http://www.securityfocus.com/archive/1/archive/1/500196/100/0/threaded>
   * CONFIRM - http://www.apache.org/dist/jackrabbit/RELEASE-NOTES-1.5.2.txt
   * CONFIRM - https://issues.apache.org/jira/browse/JCR-1925
   * SREASON - 4942 <http://securityreason.com/securityalert/4942>
   * VUPEN - ADV-2009-0177 <http://www.vupen.com/english/advisories/2009/0177>
   * XF - jackrabbit-search-swr-xss(48110) <http://xforce.iss.net/xforce/xfdb/48110>

Vulnerable Software & Versions:

   * cpe:/a:apache:jackrabbit:1.5.0
     <https://web.nvd.nist.gov/view/vuln/search-results?adv_search=true&cves=on&cpe_version=cpe%3A%2Fa%3Aapache%3Ajackrabbit%3A1.5.0>
   * ...


     wagon-webdav-jackrabbit-1.0-beta-6.jar

*Description:* Wagon that gets and puts artifacts through webdav protocol

*File Path:* C:\Users\peter\Documents\NetBeansProjects\river-internet\modularize\JGDMS\target\test-repo\org\apache\maven\wagon\wagon-webdav-jackrabbit\1.0-beta-6\wagon-webdav-jackrabbit-1.0-beta-6.jar
*MD5:* 54e5811336dab214bd598b4ac92cdf99
*SHA1:* b694b223d0f19abcb32e304ebd5054061ee0f7b5
*Referenced In Project/Scope:* Module :: Phoenix:runtime


       Evidence


       Identifiers

   * *cpe:* cpe:/a:apache:jackrabbit:1.0 /Confidence/:LOW
   * *maven:* org.apache.maven.wagon:wagon-webdav-jackrabbit:1.0-beta-6 /Confidence/:HIGH


       Published Vulnerabilities

*CVE-2015-1833 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1833>*

Severity: Medium
CVSS Score: 6.4 (AV:N/AC:L/Au:N/C:P/I:P/A:N)
CWE: CWE-20 Improper Input Validation

XML external entity (XXE) vulnerability in Apache Jackrabbit before 2.0.6, 2.2.x before 2.2.14, 2.4.x before 2.4.6, 2.6.x before 2.6.6, 2.8.x before 2.8.1, and 2.10.x before 2.10.1 allows remote attackers to read arbitrary files and send requests to intranet servers via a crafted WebDAV request.

   * BID - 74761 <http://www.securityfocus.com/bid/74761>
   * BUGTRAQ - 20150521 CVE-2015-1833 (Jackrabbit WebDAV XXE vulnerability) <http://www.securityfocus.com/archive/1/archive/1/535582/100/0/threaded>
   * CONFIRM - http://www.apache.org/dist/jackrabbit/2.10.1/RELEASE-NOTES.txt
   * CONFIRM - https://issues.apache.org/jira/browse/JCR-3883
   * DEBIAN - DSA-3298 <http://www.debian.org/security/2015/dsa-3298>
   * EXPLOIT-DB - 37110 <https://www.exploit-db.com/exploits/37110/>
   * MISC - http://packetstormsecurity.com/files/132005/Jackrabbit-WebDAV-XXE-Injection.html
   * MLIST - [jackrabbit-announce] 20150521 CVE-2015-1833 (Jackrabbit WebDAV XXE vulnerability) <http://mail-archives.apache.org/mod_mbox/jackrabbit-announce/201505.mbox/%3C555DA644.8080908%40greenbytes.de%3E>

Vulnerable Software & Versions:

   * cpe:/a:apache:jackrabbit:2.0.5
     <https://web.nvd.nist.gov/view/vuln/search-results?adv_search=true&cves=on&cpe_version=cpe%3A%2Fa%3Aapache%3Ajackrabbit%3A2.0.5>
     and all previous versions
   * ...



This report contains data retrieved from the National Vulnerability Database <http://nvd.nist.gov>.
