This is a nice looking tool! Gregg
Sent from my iPhone

> On Jan 7, 2017, at 4:56 AM, Peter <j...@zeus.net.au> wrote:
>
> Neat little tool that generates vulnerability reports on dependencies during
> a maven build. N.B. the following aren't actual dependencies of Phoenix.
>
> <groupId>org.owasp</groupId>
> <artifactId>dependency-check-maven</artifactId>
>
> Cheers,
>
> Pete.
>
> Dependency-Check is an open source tool performing a best effort analysis of
> 3rd party dependencies; false positives and false negatives may exist in the
> analysis performed by the tool. Use of the tool and the reporting provided
> constitutes acceptance for use in an AS IS condition, and there are NO
> warranties, implied or otherwise, with regard to the analysis or its use. Any
> use of the tool and the reporting provided is at the user’s risk. In no event
> shall the copyright holder or OWASP be held liable for any damages whatsoever
> arising out of or in connection with the use of this tool, the analysis
> performed, or the resulting report.
>
> How to read the report
> <http://jeremylong.github.io/DependencyCheck/general/thereport.html>
> | Suppressing false positives
> <http://jeremylong.github.io/DependencyCheck/general/suppression.html>
> | Getting Help: google group
> <https://groups.google.com/forum/#%21forum/dependency-check>
> | github issues <https://github.com/jeremylong/DependencyCheck/issues>
>
> Project: Module :: Phoenix
>
> Scan Information:
>
> * /dependency-check version/: 1.4.4
> * /Report Generated On/: Jan 7, 2017 at 19:06:08 EST
> * /Dependencies Scanned/: 62 (62 unique)
> * /Vulnerable Dependencies/: 4
> * /Vulnerabilities Found/: 9
> * /Vulnerabilities Suppressed/: 0
> * ...
>
> Display: Showing Vulnerable Dependencies
>
> commons-httpclient-3.0.jar
>   CPE: cpe:/a:apache:commons-httpclient:3.0
>   <https://web.nvd.nist.gov/view/vuln/search-results?adv_search=true&cves=on&cpe_version=cpe%3A%2Fa%3Aapache%3Acommons-httpclient%3A3.0>
>   CPE: cpe:/a:apache:httpclient:3.0
>   GAV: commons-httpclient:commons-httpclient:3.0
>   Highest Severity: Medium | CVE Count: 4 | CPE Confidence: HIGHEST | Evidence Count: 15
>
> jackrabbit-jcr-commons-1.5.0.jar
>   CPE: cpe:/a:apache:jackrabbit:1.5.0
>   <https://web.nvd.nist.gov/view/vuln/search-results?adv_search=true&cves=on&cpe_version=cpe%3A%2Fa%3Aapache%3Ajackrabbit%3A1.5.0>
>   GAV: org.apache.jackrabbit:jackrabbit-jcr-commons:1.5.0
>   Highest Severity: Medium | CVE Count: 2 | CPE Confidence: HIGHEST | Evidence Count: 15
>
> jackrabbit-webdav-1.5.0.jar
>   CPE: cpe:/a:apache:jackrabbit:1.5.0
>   <https://web.nvd.nist.gov/view/vuln/search-results?adv_search=true&cves=on&cpe_version=cpe%3A%2Fa%3Aapache%3Ajackrabbit%3A1.5.0>
>   GAV: org.apache.jackrabbit:jackrabbit-webdav:1.5.0
>   Highest Severity: Medium | CVE Count: 2 | CPE Confidence: HIGHEST | Evidence Count: 13
>
> wagon-webdav-jackrabbit-1.0-beta-6.jar
>   CPE: cpe:/a:apache:jackrabbit:1.0
>   GAV: org.apache.maven.wagon:wagon-webdav-jackrabbit:1.0-beta-6
>   Highest Severity: Medium | CVE Count: 1 | CPE Confidence: LOW | Evidence Count: 16
>
> Dependencies
>
> commons-httpclient-3.0.jar
>
> *Description:* The HttpClient component supports the client-side of RFC 1945
> (HTTP/1.0) and RFC 2616 (HTTP/1.1), several related specifications (RFC 2109
> (Cookies), RFC 2617 (HTTP Authentication), etc.), and provides a framework
> by which new request types (methods) or HTTP extensions can be created easily.
>
> *License:*
>
> Apache License: http://www.apache.org/licenses/LICENSE-2.0
>
> *File Path:*
> C:\Users\peter\Documents\NetBeansProjects\river-internet\modularize\JGDMS\target\test-repo\commons-httpclient\commons-httpclient\3.0\commons-httpclient-3.0.jar
> *MD5:* cd69c70d6c078f4340bd5e867ec6f1b6
> *SHA1:* 336a280d178bb957e5233189f0f32e067366c4e5
> *Referenced In Project/Scope:* Module :: Phoenix:runtime
>
> Evidence
>
> Identifiers
>
> * *maven:* commons-httpclient:commons-httpclient:3.0 /Confidence/:HIGH
> * *cpe:* cpe:/a:apache:commons-httpclient:3.0
>   <https://web.nvd.nist.gov/view/vuln/search-results?adv_search=true&cves=on&cpe_version=cpe%3A%2Fa%3Aapache%3Acommons-httpclient%3A3.0>
>   /Confidence/:HIGHEST
> * *cpe:* cpe:/a:apache:httpclient:3.0 /Confidence/:LOW
>
> Published Vulnerabilities
>
> *CVE-2015-5262 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5262>*
>
> Severity: Medium
> CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:N/A:P)
> CWE: CWE-399 Resource Management Errors
>
> http/conn/ssl/SSLConnectionSocketFactory.java in Apache HttpComponents
> HttpClient before 4.3.6 ignores the http.socket.timeout configuration setting
> during an SSL handshake, which allows remote attackers to cause a denial of
> service (HTTPS call hang) via unspecified vectors.
>
> * CONFIRM - http://svn.apache.org/viewvc?view=revision&revision=1626784
> * CONFIRM - https://bugzilla.redhat.com/show_bug.cgi?id=1261538
> * CONFIRM - https://issues.apache.org/jira/browse/HTTPCLIENT-1478
> * FEDORA - FEDORA-2015-15588
>   <http://lists.fedoraproject.org/pipermail/package-announce/2015-October/168030.html>
> * FEDORA - FEDORA-2015-15589
>   <http://lists.fedoraproject.org/pipermail/package-announce/2015-October/167999.html>
> * FEDORA - FEDORA-2015-15590
>   <http://lists.fedoraproject.org/pipermail/package-announce/2015-October/167962.html>
> * SECTRACK - 1033743 <http://www.securitytracker.com/id/1033743>
> * UBUNTU - USN-2769-1 <http://www.ubuntu.com/usn/USN-2769-1>
>
> Vulnerable Software & Versions:
>
> * cpe:/a:apache:httpclient:4.3.5
>   <https://web.nvd.nist.gov/view/vuln/search-results?adv_search=true&cves=on&cpe_version=cpe%3A%2Fa%3Aapache%3Ahttpclient%3A4.3.5>
>   and all previous versions
>
> *CVE-2014-3577 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3577>*
>
> Severity: Medium
> CVSS Score: 5.8 (AV:N/AC:M/Au:N/C:P/I:P/A:N)
>
> org.apache.http.conn.ssl.AbstractVerifier in Apache HttpComponents HttpClient
> before 4.3.5 and HttpAsyncClient before 4.0.2 does not properly verify that
> the server hostname matches a domain name in the subject's Common Name (CN)
> or subjectAltName field of the X.509 certificate, which allows
> man-in-the-middle attackers to spoof SSL servers via a "CN=" string in a
> field in the distinguished name (DN) of a certificate, as demonstrated by the
> "foo,CN=www.apache.org" string in the O field.
>
> * BID - 69258 <http://www.securityfocus.com/bid/69258>
> * CONFIRM - https://access.redhat.com/solutions/1165533
> * CONFIRM - https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05103564
> * FULLDISC - 20140818 CVE-2014-3577: Apache HttpComponents client:
>   Hostname verification susceptible to MITM attack
>   <http://seclists.org/fulldisclosure/2014/Aug/48>
> * MISC - http://packetstormsecurity.com/files/127913/Apache-HttpComponents-Man-In-The-Middle.html
> * OSVDB - 110143 <http://www.osvdb.org/110143>
> * REDHAT - RHSA-2014:1146 <http://rhn.redhat.com/errata/RHSA-2014-1146.html>
> * REDHAT - RHSA-2014:1166 <http://rhn.redhat.com/errata/RHSA-2014-1166.html>
> * REDHAT - RHSA-2014:1833 <http://rhn.redhat.com/errata/RHSA-2014-1833.html>
> * REDHAT - RHSA-2014:1834 <http://rhn.redhat.com/errata/RHSA-2014-1834.html>
> * REDHAT - RHSA-2014:1835 <http://rhn.redhat.com/errata/RHSA-2014-1835.html>
> * REDHAT - RHSA-2014:1836 <http://rhn.redhat.com/errata/RHSA-2014-1836.html>
> * REDHAT - RHSA-2014:1891 <http://rhn.redhat.com/errata/RHSA-2014-1891.html>
> * REDHAT - RHSA-2014:1892 <http://rhn.redhat.com/errata/RHSA-2014-1892.html>
> * REDHAT - RHSA-2015:0125 <http://rhn.redhat.com/errata/RHSA-2015-0125.html>
> * REDHAT - RHSA-2015:0158 <http://rhn.redhat.com/errata/RHSA-2015-0158.html>
> * REDHAT - RHSA-2015:0675 <http://rhn.redhat.com/errata/RHSA-2015-0675.html>
> * REDHAT - RHSA-2015:0720 <http://rhn.redhat.com/errata/RHSA-2015-0720.html>
> * REDHAT - RHSA-2015:0765 <http://rhn.redhat.com/errata/RHSA-2015-0765.html>
> * REDHAT - RHSA-2015:0850 <http://rhn.redhat.com/errata/RHSA-2015-0850.html>
> * REDHAT - RHSA-2015:0851 <http://rhn.redhat.com/errata/RHSA-2015-0851.html>
> * REDHAT - RHSA-2015:1176 <http://rhn.redhat.com/errata/RHSA-2015-1176.html>
> * REDHAT - RHSA-2015:1177 <http://rhn.redhat.com/errata/RHSA-2015-1177.html>
> * SECTRACK - 1030812 <http://www.securitytracker.com/id/1030812>
> * SECUNIA - 60466 <http://secunia.com/advisories/60466>
> * UBUNTU - USN-2769-1 <http://www.ubuntu.com/usn/USN-2769-1>
> * XF - apache-cve20143577-spoofing(95327) <http://xforce.iss.net/xforce/xfdb/95327>
>
> Vulnerable Software & Versions:
>
> * cpe:/a:apache:httpclient:4.3.4
>   <https://web.nvd.nist.gov/view/vuln/search-results?adv_search=true&cves=on&cpe_version=cpe%3A%2Fa%3Aapache%3Ahttpclient%3A4.3.4>
>   and all previous versions
> * ...
>
> *CVE-2012-6153 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-6153>*
>
> Severity: Medium
> CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
> CWE: CWE-20 Improper Input Validation
>
> http/conn/ssl/AbstractVerifier.java in Apache Commons HttpClient before 4.2.3
> does not properly verify that the server hostname matches a domain name in
> the subject's Common Name (CN) or subjectAltName field of the X.509
> certificate, which allows man-in-the-middle attackers to spoof SSL servers
> via a certificate with a subject that specifies a common name in a field that
> is not the CN field. NOTE: this issue exists because of an incomplete fix for
> CVE-2012-5783.
>
> * BID - 69257 <http://www.securityfocus.com/bid/69257>
> * CONFIRM - http://svn.apache.org/viewvc?view=revision&revision=1411705
> * CONFIRM - https://access.redhat.com/solutions/1165533
> * CONFIRM - https://bugzilla.redhat.com/show_bug.cgi?id=1129916
> * CONFIRM - https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05103564
> * REDHAT - RHSA-2014:1098 <http://rhn.redhat.com/errata/RHSA-2014-1098.html>
> * REDHAT - RHSA-2014:1833 <http://rhn.redhat.com/errata/RHSA-2014-1833.html>
> * REDHAT - RHSA-2014:1834 <http://rhn.redhat.com/errata/RHSA-2014-1834.html>
> * REDHAT - RHSA-2014:1835 <http://rhn.redhat.com/errata/RHSA-2014-1835.html>
> * REDHAT - RHSA-2014:1836 <http://rhn.redhat.com/errata/RHSA-2014-1836.html>
> * REDHAT - RHSA-2014:1891 <http://rhn.redhat.com/errata/RHSA-2014-1891.html>
> * REDHAT - RHSA-2014:1892 <http://rhn.redhat.com/errata/RHSA-2014-1892.html>
> * REDHAT - RHSA-2015:0125 <http://rhn.redhat.com/errata/RHSA-2015-0125.html>
> * REDHAT - RHSA-2015:0158 <http://rhn.redhat.com/errata/RHSA-2015-0158.html>
> * REDHAT - RHSA-2015:0675 <http://rhn.redhat.com/errata/RHSA-2015-0675.html>
> * REDHAT - RHSA-2015:0720 <http://rhn.redhat.com/errata/RHSA-2015-0720.html>
> * REDHAT - RHSA-2015:0765 <http://rhn.redhat.com/errata/RHSA-2015-0765.html>
> * REDHAT - RHSA-2015:0850 <http://rhn.redhat.com/errata/RHSA-2015-0850.html>
> * REDHAT - RHSA-2015:0851 <http://rhn.redhat.com/errata/RHSA-2015-0851.html>
> * UBUNTU - USN-2769-1 <http://www.ubuntu.com/usn/USN-2769-1>
>
> Vulnerable Software & Versions:
>
> * cpe:/a:apache:commons-httpclient:4.2.2
>   <https://web.nvd.nist.gov/view/vuln/search-results?adv_search=true&cves=on&cpe_version=cpe%3A%2Fa%3Aapache%3Acommons-httpclient%3A4.2.2>
>   and all previous versions
> * ...
>
> *CVE-2012-5783 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-5783>*
>
> Severity: Medium
> CVSS Score: 5.8 (AV:N/AC:M/Au:N/C:P/I:P/A:N)
> CWE: CWE-20 Improper Input Validation
>
> Apache Commons HttpClient 3.x, as used in Amazon Flexible Payments Service
> (FPS) merchant Java SDK and other products, does not verify that the server
> hostname matches a domain name in the subject's Common Name (CN) or
> subjectAltName field of the X.509 certificate, which allows man-in-the-middle
> attackers to spoof SSL servers via an arbitrary valid certificate.
>
> * BID - 58073 <http://www.securityfocus.com/bid/58073>
> * MISC - http://www.cs.utexas.edu/~shmat/shmat_ccs12.pdf
> * REDHAT - RHSA-2013:0270 <http://rhn.redhat.com/errata/RHSA-2013-0270.html>
> * REDHAT - RHSA-2013:0679 <http://rhn.redhat.com/errata/RHSA-2013-0679.html>
> * REDHAT - RHSA-2013:0680 <http://rhn.redhat.com/errata/RHSA-2013-0680.html>
> * REDHAT - RHSA-2013:0681 <http://rhn.redhat.com/errata/RHSA-2013-0681.html>
> * REDHAT - RHSA-2013:0682 <http://rhn.redhat.com/errata/RHSA-2013-0682.html>
> * REDHAT - RHSA-2013:1147 <http://rhn.redhat.com/errata/RHSA-2013-1147.html>
> * REDHAT - RHSA-2013:1853 <http://rhn.redhat.com/errata/RHSA-2013-1853.html>
> * REDHAT - RHSA-2014:0224 <http://rhn.redhat.com/errata/RHSA-2014-0224.html>
> * SUSE - openSUSE-SU-2013:0354 <http://lists.opensuse.org/opensuse-updates/2013-02/msg00078.html>
> * SUSE - openSUSE-SU-2013:0622 <http://lists.opensuse.org/opensuse-updates/2013-04/msg00040.html>
> * SUSE - openSUSE-SU-2013:0623 <http://lists.opensuse.org/opensuse-updates/2013-04/msg00041.html>
> * SUSE - openSUSE-SU-2013:0638 <http://lists.opensuse.org/opensuse-updates/2013-04/msg00053.html>
> * UBUNTU - USN-2769-1 <http://www.ubuntu.com/usn/USN-2769-1>
> * XF - apache-commons-ssl-spoofing(79984) <http://xforce.iss.net/xforce/xfdb/79984>
>
> Vulnerable Software & Versions:
>
> * cpe:/a:apache:commons-httpclient:3.0
>   <https://web.nvd.nist.gov/view/vuln/search-results?adv_search=true&cves=on&cpe_version=cpe%3A%2Fa%3Aapache%3Acommons-httpclient%3A3.0>
> * ...
>
> jackrabbit-jcr-commons-1.5.0.jar
>
> *Description:* General purpose classes for use with the JCR API
>
> *License:*
>
> http://www.apache.org/licenses/LICENSE-2.0.txt
>
> *File Path:*
> C:\Users\peter\Documents\NetBeansProjects\river-internet\modularize\JGDMS\target\test-repo\org\apache\jackrabbit\jackrabbit-jcr-commons\1.5.0\jackrabbit-jcr-commons-1.5.0.jar
> *MD5:* 579d2a761b42553e07f6dcd8225f0d53
> *SHA1:* 816ca280dc631b277e7b963723f2e99b038383f2
> *Referenced In Project/Scope:* Module :: Phoenix:runtime
>
> Evidence
>
> Identifiers
>
> * *cpe:* cpe:/a:apache:jackrabbit:1.5.0
>   <https://web.nvd.nist.gov/view/vuln/search-results?adv_search=true&cves=on&cpe_version=cpe%3A%2Fa%3Aapache%3Ajackrabbit%3A1.5.0>
>   /Confidence/:HIGHEST
> * *maven:* org.apache.jackrabbit:jackrabbit-jcr-commons:1.5.0 /Confidence/:HIGH
>
> Published Vulnerabilities
>
> *CVE-2015-1833 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1833>*
>
> Severity: Medium
> CVSS Score: 6.4 (AV:N/AC:L/Au:N/C:P/I:P/A:N)
> CWE: CWE-20 Improper Input Validation
>
> XML external entity (XXE) vulnerability in Apache Jackrabbit before 2.0.6,
> 2.2.x before 2.2.14, 2.4.x before 2.4.6, 2.6.x before 2.6.6, 2.8.x before
> 2.8.1, and 2.10.x before 2.10.1 allows remote attackers to read arbitrary
> files and send requests to intranet servers via a crafted WebDAV request.
>
> * BID - 74761 <http://www.securityfocus.com/bid/74761>
> * BUGTRAQ - 20150521 CVE-2015-1833 (Jackrabbit WebDAV XXE vulnerability)
>   <http://www.securityfocus.com/archive/1/archive/1/535582/100/0/threaded>
> * CONFIRM - http://www.apache.org/dist/jackrabbit/2.10.1/RELEASE-NOTES.txt
> * CONFIRM - https://issues.apache.org/jira/browse/JCR-3883
> * DEBIAN - DSA-3298 <http://www.debian.org/security/2015/dsa-3298>
> * EXPLOIT-DB - 37110 <https://www.exploit-db.com/exploits/37110/>
> * MISC - http://packetstormsecurity.com/files/132005/Jackrabbit-WebDAV-XXE-Injection.html
> * MLIST - [jackrabbit-announce] 20150521 CVE-2015-1833 (Jackrabbit WebDAV XXE vulnerability)
>   <http://mail-archives.apache.org/mod_mbox/jackrabbit-announce/201505.mbox/%3C555DA644.8080908%40greenbytes.de%3E>
>
> Vulnerable Software & Versions:
>
> * cpe:/a:apache:jackrabbit:2.0.5
>   <https://web.nvd.nist.gov/view/vuln/search-results?adv_search=true&cves=on&cpe_version=cpe%3A%2Fa%3Aapache%3Ajackrabbit%3A2.0.5>
>   and all previous versions
> * ...
>
> *CVE-2009-0026 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-0026>*
>
> Severity: Medium
> CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
> CWE: CWE-79 Improper Neutralization of Input During Web Page Generation
> ('Cross-site Scripting')
>
> Multiple cross-site scripting (XSS) vulnerabilities in Apache Jackrabbit
> before 1.5.2 allow remote attackers to inject arbitrary web script or HTML
> via the q parameter to (1) search.jsp or (2) swr.jsp.
>
> * BID - 33360 <http://www.securityfocus.com/bid/33360>
> * BUGTRAQ - 20090120 [ANNOUNCE] Apache Jackrabbit 1.5.2 released
>   <http://www.securityfocus.com/archive/1/archive/1/500196/100/0/threaded>
> * CONFIRM - http://www.apache.org/dist/jackrabbit/RELEASE-NOTES-1.5.2.txt
> * CONFIRM - https://issues.apache.org/jira/browse/JCR-1925
> * SREASON - 4942 <http://securityreason.com/securityalert/4942>
> * VUPEN - ADV-2009-0177 <http://www.vupen.com/english/advisories/2009/0177>
> * XF - jackrabbit-search-swr-xss(48110) <http://xforce.iss.net/xforce/xfdb/48110>
>
> Vulnerable Software & Versions:
>
> * cpe:/a:apache:jackrabbit:1.5.0
>   <https://web.nvd.nist.gov/view/vuln/search-results?adv_search=true&cves=on&cpe_version=cpe%3A%2Fa%3Aapache%3Ajackrabbit%3A1.5.0>
> * ...
>
> jackrabbit-webdav-1.5.0.jar
>
> *Description:* WebDAV library used by the Jackrabbit WebDAV support
>
> *File Path:*
> C:\Users\peter\Documents\NetBeansProjects\river-internet\modularize\JGDMS\target\test-repo\org\apache\jackrabbit\jackrabbit-webdav\1.5.0\jackrabbit-webdav-1.5.0.jar
> *MD5:* 137d4d30c1c78972fec7628c94f4f4a1
> *SHA1:* b14c7fbbd34862d4d51c5e72ba3a69cde892c260
> *Referenced In Project/Scope:* Module :: Phoenix:runtime
>
> Evidence
>
> Identifiers
>
> * *cpe:* cpe:/a:apache:jackrabbit:1.5.0
>   <https://web.nvd.nist.gov/view/vuln/search-results?adv_search=true&cves=on&cpe_version=cpe%3A%2Fa%3Aapache%3Ajackrabbit%3A1.5.0>
>   /Confidence/:HIGHEST
> * *maven:* org.apache.jackrabbit:jackrabbit-webdav:1.5.0 /Confidence/:HIGH
>
> Published Vulnerabilities
>
> *CVE-2015-1833 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1833>*
>
> Severity: Medium
> CVSS Score: 6.4 (AV:N/AC:L/Au:N/C:P/I:P/A:N)
> CWE: CWE-20 Improper Input Validation
>
> XML external entity (XXE) vulnerability in Apache Jackrabbit before 2.0.6,
> 2.2.x before 2.2.14, 2.4.x before 2.4.6, 2.6.x before 2.6.6, 2.8.x before
> 2.8.1, and 2.10.x before 2.10.1 allows remote attackers to read arbitrary
> files and send requests to intranet servers via a crafted WebDAV request.
>
> * BID - 74761 <http://www.securityfocus.com/bid/74761>
> * BUGTRAQ - 20150521 CVE-2015-1833 (Jackrabbit WebDAV XXE vulnerability)
>   <http://www.securityfocus.com/archive/1/archive/1/535582/100/0/threaded>
> * CONFIRM - http://www.apache.org/dist/jackrabbit/2.10.1/RELEASE-NOTES.txt
> * CONFIRM - https://issues.apache.org/jira/browse/JCR-3883
> * DEBIAN - DSA-3298 <http://www.debian.org/security/2015/dsa-3298>
> * EXPLOIT-DB - 37110 <https://www.exploit-db.com/exploits/37110/>
> * MISC - http://packetstormsecurity.com/files/132005/Jackrabbit-WebDAV-XXE-Injection.html
> * MLIST - [jackrabbit-announce] 20150521 CVE-2015-1833 (Jackrabbit WebDAV XXE vulnerability)
>   <http://mail-archives.apache.org/mod_mbox/jackrabbit-announce/201505.mbox/%3C555DA644.8080908%40greenbytes.de%3E>
>
> Vulnerable Software & Versions:
>
> * cpe:/a:apache:jackrabbit:2.0.5
>   <https://web.nvd.nist.gov/view/vuln/search-results?adv_search=true&cves=on&cpe_version=cpe%3A%2Fa%3Aapache%3Ajackrabbit%3A2.0.5>
>   and all previous versions
> * ...
>
> *CVE-2009-0026 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-0026>*
>
> Severity: Medium
> CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
> CWE: CWE-79 Improper Neutralization of Input During Web Page Generation
> ('Cross-site Scripting')
>
> Multiple cross-site scripting (XSS) vulnerabilities in Apache Jackrabbit
> before 1.5.2 allow remote attackers to inject arbitrary web script or HTML
> via the q parameter to (1) search.jsp or (2) swr.jsp.
>
> * BID - 33360 <http://www.securityfocus.com/bid/33360>
> * BUGTRAQ - 20090120 [ANNOUNCE] Apache Jackrabbit 1.5.2 released
>   <http://www.securityfocus.com/archive/1/archive/1/500196/100/0/threaded>
> * CONFIRM - http://www.apache.org/dist/jackrabbit/RELEASE-NOTES-1.5.2.txt
> * CONFIRM - https://issues.apache.org/jira/browse/JCR-1925
> * SREASON - 4942 <http://securityreason.com/securityalert/4942>
> * VUPEN - ADV-2009-0177 <http://www.vupen.com/english/advisories/2009/0177>
> * XF - jackrabbit-search-swr-xss(48110) <http://xforce.iss.net/xforce/xfdb/48110>
>
> Vulnerable Software & Versions:
>
> * cpe:/a:apache:jackrabbit:1.5.0
>   <https://web.nvd.nist.gov/view/vuln/search-results?adv_search=true&cves=on&cpe_version=cpe%3A%2Fa%3Aapache%3Ajackrabbit%3A1.5.0>
> * ...
>
> wagon-webdav-jackrabbit-1.0-beta-6.jar
>
> *Description:* Wagon that gets and puts artifacts through webdav protocol
>
> *File Path:*
> C:\Users\peter\Documents\NetBeansProjects\river-internet\modularize\JGDMS\target\test-repo\org\apache\maven\wagon\wagon-webdav-jackrabbit\1.0-beta-6\wagon-webdav-jackrabbit-1.0-beta-6.jar
> *MD5:* 54e5811336dab214bd598b4ac92cdf99
> *SHA1:* b694b223d0f19abcb32e304ebd5054061ee0f7b5
> *Referenced In Project/Scope:* Module :: Phoenix:runtime
>
> Evidence
>
> Identifiers
>
> * *cpe:* cpe:/a:apache:jackrabbit:1.0 /Confidence/:LOW
> * *maven:* org.apache.maven.wagon:wagon-webdav-jackrabbit:1.0-beta-6 /Confidence/:HIGH
>
> Published Vulnerabilities
>
> *CVE-2015-1833 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1833>*
>
> Severity: Medium
> CVSS Score: 6.4 (AV:N/AC:L/Au:N/C:P/I:P/A:N)
> CWE: CWE-20 Improper Input Validation
>
> XML external entity (XXE) vulnerability in Apache Jackrabbit before 2.0.6,
> 2.2.x before 2.2.14, 2.4.x before 2.4.6, 2.6.x before 2.6.6, 2.8.x before
> 2.8.1, and 2.10.x before 2.10.1 allows remote attackers to read arbitrary
> files and send requests to intranet servers via a crafted WebDAV request.
>
> * BID - 74761 <http://www.securityfocus.com/bid/74761>
> * BUGTRAQ - 20150521 CVE-2015-1833 (Jackrabbit WebDAV XXE vulnerability)
>   <http://www.securityfocus.com/archive/1/archive/1/535582/100/0/threaded>
> * CONFIRM - http://www.apache.org/dist/jackrabbit/2.10.1/RELEASE-NOTES.txt
> * CONFIRM - https://issues.apache.org/jira/browse/JCR-3883
> * DEBIAN - DSA-3298 <http://www.debian.org/security/2015/dsa-3298>
> * EXPLOIT-DB - 37110 <https://www.exploit-db.com/exploits/37110/>
> * MISC - http://packetstormsecurity.com/files/132005/Jackrabbit-WebDAV-XXE-Injection.html
> * MLIST - [jackrabbit-announce] 20150521 CVE-2015-1833 (Jackrabbit WebDAV XXE vulnerability)
>   <http://mail-archives.apache.org/mod_mbox/jackrabbit-announce/201505.mbox/%3C555DA644.8080908%40greenbytes.de%3E>
>
> Vulnerable Software & Versions:
>
> * cpe:/a:apache:jackrabbit:2.0.5
>   <https://web.nvd.nist.gov/view/vuln/search-results?adv_search=true&cves=on&cpe_version=cpe%3A%2Fa%3Aapache%3Ajackrabbit%3A2.0.5>
>   and all previous versions
> * ...
>
> This report contains data retrieved from the National Vulnerability Database
> <http://nvd.nist.gov>.