Modified: 
ofbiz/trunk/tools/security/dependency-check/dependency-check-report.html
URL: 
http://svn.apache.org/viewvc/ofbiz/trunk/tools/security/dependency-check/dependency-check-report.html?rev=1754072&r1=1754071&r2=1754072&view=diff
==============================================================================
--- ofbiz/trunk/tools/security/dependency-check/dependency-check-report.html 
(original)
+++ ofbiz/trunk/tools/security/dependency-check/dependency-check-report.html 
Tue Jul 26 06:33:00 2016
@@ -1,879 +1,62631 @@
-<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" 
"http://www.w3.org/TR/html4/strict.dtd";>
+
+
+
+
+<!DOCTYPE html>
 <html>
-<head>
-  <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
-  <meta http-equiv="Content-Style-Type" content="text/css">
-  <title>Dependency-Check Report</title>
-  <meta name="Generator" content="Cocoa HTML Writer">
-  <meta name="CocoaVersion" content="1404.47">
-  <style type="text/css">
-    p.p1 {margin: 0.0px 0.0px 9.0px 0.0px; line-height: 10.0px; font: 9.0px 
Arial; color: #888888; -webkit-text-stroke: #888888}
-    p.p3 {margin: 0.0px 0.0px 0.0px 0.0px; line-height: 15.0px; font: 13.0px 
Arial; color: #000000; -webkit-text-stroke: #000000}
-    p.p4 {margin: 0.0px 0.0px 0.0px 0.0px; line-height: 15.0px; font: 13.0px 
Arial; color: #000000; -webkit-text-stroke: #000000; min-height: 15.0px}
-    p.p5 {margin: 0.0px 0.0px 0.0px 0.0px; line-height: 15.0px; font: 13.0px 
Arial; color: #0000ee; -webkit-text-stroke: #0000ee}
-    p.p7 {margin: 0.0px 0.0px 13.0px 0.0px; line-height: 15.0px; font: 13.0px 
Arial; color: #000000; -webkit-text-stroke: #000000}
-    p.p9 {margin: 0.0px 0.0px 13.0px 0.0px; line-height: 15.0px; font: 13.0px 
Arial; color: #0000ee; -webkit-text-stroke: #0000ee}
-    p.p10 {margin: 0.0px 0.0px 13.0px 0.0px; line-height: 15.0px; font: 13.0px 
Arial; color: #000000; -webkit-text-stroke: #000000; min-height: 15.0px}
-    p.p11 {margin: 0.0px 0.0px 0.0px 0.0px; line-height: 15.0px; font: 13.0px 
Courier; color: #000000; -webkit-text-stroke: #000000}
-    p.p12 {margin: 0.0px 0.0px 0.0px 0.0px; line-height: 15.0px; font: 13.0px 
Arial; color: #000000; -webkit-text-stroke: #000000; background-color: #ffffff}
-    li.li3 {margin: 0.0px 0.0px 0.0px 0.0px; line-height: 15.0px; font: 13.0px 
Arial; color: #000000; -webkit-text-stroke: #000000}
-    li.li5 {margin: 0.0px 0.0px 0.0px 0.0px; line-height: 15.0px; font: 13.0px 
Arial; color: #0000ee; -webkit-text-stroke: #0000ee}
-    li.li13 {margin: 0.0px 0.0px 0.0px 0.0px; line-height: 15.0px; font: 
13.0px Arial; color: #000000; -webkit-text-stroke: #0000ee}
-    li.li14 {margin: 0.0px 0.0px 0.0px 0.0px; line-height: 15.0px; font: 
13.0px Arial; color: #0000ee; -webkit-text-stroke: #000000}
-    span.s1 {font-kerning: none}
-    span.s2 {text-decoration: underline ; font-kerning: none; color: #0000ee; 
-webkit-text-stroke: 0px #0000ee}
-    span.s3 {-webkit-text-stroke: 0px #000000}
-    span.s4 {font-kerning: none; color: #000000; -webkit-text-stroke: 0px 
#000000}
-    span.s5 {text-decoration: underline ; font-kerning: none}
-    span.s6 {font-kerning: none; background-color: #ffffff}
-    span.s7 {color: #000000; background-color: #ffffff; -webkit-text-stroke: 
0px #000000}
-    span.s8 {font-kerning: none; color: #000000; background-color: #ffffff; 
-webkit-text-stroke: 0px #000000}
-    span.s9 {background-color: #ffffff; -webkit-text-stroke: 0px #000000}
-    span.s10 {font: 11.0px '.AppleSystemUIFont'; font-kerning: none; color: 
#555555; background-color: #eeeeee; -webkit-text-stroke: 0px #555555}
-    span.s11 {text-decoration: underline ; font-kerning: none; 
background-color: #ffffff}
-    span.s12 {text-decoration: underline ; font-kerning: none; color: #0000ee; 
background-color: #ffffff; -webkit-text-stroke: 0px #0000ee}
-    span.s13 {text-decoration: underline ; font-kerning: none; color: #0000ee}
-    span.s14 {font-kerning: none; background-color: #ffffff; 
-webkit-text-stroke: 0px #000000}
-    span.s15 {color: #0000ee; background-color: #ffffff; -webkit-text-stroke: 
0px #000000}
-    span.s16 {text-decoration: underline ; font-kerning: none; 
-webkit-text-stroke: 0px #0000ee}
-    span.s17 {font-kerning: none; color: #000000; background-color: #ffffff}
-    span.s18 {font: 13.0px Arial; text-decoration: underline ; font-kerning: 
none; color: #0000ee; -webkit-text-stroke: 0px #0000ee}
-    td.td1 {width: 89.0px; margin: 0.5px 0.5px 0.5px 0.5px; padding: 6.0px 
6.0px 6.0px 6.0px}
-    td.td2 {width: 234.0px; margin: 0.5px 0.5px 0.5px 0.5px; padding: 6.0px 
6.0px 6.0px 6.0px}
-    td.td3 {width: 210.0px; margin: 0.5px 0.5px 0.5px 0.5px; padding: 6.0px 
6.0px 6.0px 6.0px}
-    td.td4 {width: 51.0px; margin: 0.5px 0.5px 0.5px 0.5px; padding: 6.0px 
6.0px 6.0px 6.0px}
-    td.td5 {width: 38.0px; margin: 0.5px 0.5px 0.5px 0.5px; padding: 6.0px 
6.0px 6.0px 6.0px}
-    td.td6 {width: 71.0px; margin: 0.5px 0.5px 0.5px 0.5px; padding: 6.0px 
6.0px 6.0px 6.0px}
-    td.td7 {width: 58.0px; margin: 0.5px 0.5px 0.5px 0.5px; padding: 6.0px 
6.0px 6.0px 6.0px}
-    td.td8 {width: 89.0px; background-color: #f3f3f3; margin: 0.5px 0.5px 
0.5px 0.5px; padding: 6.0px 6.0px 6.0px 6.0px}
-    td.td9 {width: 234.0px; background-color: #f3f3f3; margin: 0.5px 0.5px 
0.5px 0.5px; padding: 6.0px 6.0px 6.0px 6.0px}
-    td.td10 {width: 210.0px; background-color: #f3f3f3; margin: 0.5px 0.5px 
0.5px 0.5px; padding: 6.0px 6.0px 6.0px 6.0px}
-    td.td11 {width: 51.0px; background-color: #f3f3f3; margin: 0.5px 0.5px 
0.5px 0.5px; padding: 6.0px 6.0px 6.0px 6.0px}
-    td.td12 {width: 38.0px; background-color: #f3f3f3; margin: 0.5px 0.5px 
0.5px 0.5px; padding: 6.0px 6.0px 6.0px 6.0px}
-    td.td13 {width: 71.0px; background-color: #f3f3f3; margin: 0.5px 0.5px 
0.5px 0.5px; padding: 6.0px 6.0px 6.0px 6.0px}
-    td.td14 {width: 58.0px; background-color: #f3f3f3; margin: 0.5px 0.5px 
0.5px 0.5px; padding: 6.0px 6.0px 6.0px 6.0px}
-    ul.ul1 {list-style-type: disc}
-  </style>
-</head>
-<body>
-<p class="p1"><span class="s1">Dependency-Check is an open source tool 
performing a best effort analysis of 3rd party dependencies; false positives 
and false negatives may exist in the analysis performed by the tool. Use of the 
tool and the reporting provided constitutes acceptance for use in an AS IS 
condition, and there are NO warranties, implied or otherwise, with regard to 
the analysis or its use. Any use of the tool and the reporting provided is at 
the user’s risk. In no event shall the copyright holder or OWASP be held 
liable for any damages whatsoever arising out of or in connection with the use 
of this tool, the analysis performed, or the resulting report.</span></p>
-<h2 style="margin: 0.0px 0.0px 16.2px 0.0px; line-height: 23.0px; font: 20.0px 
Arial; color: #000000; -webkit-text-stroke: #000000"><span 
class="s1"><b>Project: OFBiz</b></span></h2>
-<p class="p3"><span class="s1">Scan Information (</span><span class="s2">show 
all</span><span class="s1">):</span></p>
-<ul class="ul1">
-  <li class="li3"><span class="s3"><i></i></span><span 
class="s1"><i>dependency-check version</i>: 1.3.6</span></li>
-  <li class="li3"><span class="s3"><i></i></span><span class="s1"><i>Report 
Generated On</i>: May 31, 2016 at 19:43:00 IST</span></li>
-  <li class="li3"><span class="s3"><i></i></span><span 
class="s1"><i>Dependencies Scanned</i>: 293</span></li>
-  <li class="li3"><span class="s3"><i></i></span><span 
class="s1"><i>Vulnerable Dependencies</i>: 9</span></li>
-  <li class="li3"><span class="s3"><i></i></span><span 
class="s1"><i>Vulnerabilities Found</i>: 19</span></li>
-  <li class="li3"><span class="s3"><i></i></span><span 
class="s1"><i>Vulnerabilities Suppressed</i>: 112</span></li>
-  <li class="li3"><span class="s3"></span><span class="s1">...</span></li>
-</ul>
-<p class="p4"><span class="s1"></span><br></p>
-<p class="p5"><span class="s4">Display: </span><span class="s5">Showing 
Vulnerable Dependencies (click to show all)</span></p>
-<p class="p4"><span class="s1"></span><br></p>
-<table cellspacing="0" cellpadding="0">
-  <tbody>
-    <tr>
-      <td valign="middle" class="td1">
-        <p class="p3"><span class="s1"><b>Dependency</b></span></p>
-      </td>
-      <td valign="middle" class="td2">
-        <p class="p3"><span class="s1"><b>CPE</b></span></p>
-      </td>
-      <td valign="middle" class="td3">
-        <p class="p3"><span class="s1"><b>GAV</b></span></p>
-      </td>
-      <td valign="middle" class="td4">
-        <p class="p3"><span class="s1"><b>Highest Severity</b></span></p>
-      </td>
-      <td valign="middle" class="td5">
-        <p class="p3"><span class="s1"><b>CVE Count</b></span></p>
-      </td>
-      <td valign="middle" class="td6">
-        <p class="p3"><span class="s1"><b>CPE Confidence</b></span></p>
-      </td>
-      <td valign="middle" class="td7">
-        <p class="p3"><span class="s1"><b>Evidence Count</b></span></p>
-      </td>
-    </tr>
-    <tr>
-      <td valign="top" class="td8">
-        <p class="p5"><span 
class="s5">commons-beanutils-core-1.8.3.jar</span></p>
-      </td>
-      <td valign="top" class="td9">
-        <p class="p3"><span 
class="s1">cpe:/a:apache:commons_beanutils:1.8.3<span 
class="Apple-converted-space"> </span></span></p>
-      </td>
-      <td valign="top" class="td10">
-        <p class="p5"><span class="s5"><a 
href="http://search.maven.org/remotecontent?filepath=commons-beanutils/commons-beanutils-core/1.8.3/commons-beanutils-core-1.8.3.jar";>commons-beanutils:commons-beanutils-core:1.8.3</a></span><span
 class="s4"><span class="Apple-converted-space"> </span></span></p>
-      </td>
-      <td valign="top" class="td11">
-        <p class="p3"><span class="s1">High<span 
class="Apple-converted-space"> </span></span></p>
-      </td>
-      <td valign="top" class="td12">
-        <p class="p3"><span class="s1">1</span></p>
-      </td>
-      <td valign="top" class="td13">
-        <p class="p3"><span class="s1">LOW</span></p>
-      </td>
-      <td valign="top" class="td14">
-        <p class="p3"><span class="s1">21</span></p>
-      </td>
-    </tr>
-    <tr>
-      <td valign="top" class="td8">
-        <p class="p5"><span class="s5">jsp-api-2.3.jar</span></p>
-      </td>
-      <td valign="top" class="td9">
-        <p class="p5"><span class="s5"><a 
href="https://web.nvd.nist.gov/view/vuln/search-results?adv_search=true&amp;cves=on&amp;cpe_version=cpe%3A%2Fa%3Aapache%3Atomcat";>cpe:/a:apache:tomcat:8.0.33</a></span><span
 class="s4"><span class="Apple-converted-space"> </span></span></p>
-      </td>
-      <td valign="top" class="td10">
-        <p class="p5"><span class="s5"><a 
href="http://search.maven.org/remotecontent?filepath=org/apache/tomcat/tomcat-jsp-api/8.0.33/tomcat-jsp-api-8.0.33.jar";>org.apache.tomcat:tomcat-jsp-api:8.0.33</a></span><span
 class="s4"><span class="Apple-converted-space"> </span></span></p>
-      </td>
-      <td valign="top" class="td11">
-        <p class="p3"><span class="s1">High<span 
class="Apple-converted-space"> </span></span></p>
-      </td>
-      <td valign="top" class="td12">
-        <p class="p3"><span class="s1">4</span></p>
-      </td>
-      <td valign="top" class="td13">
-        <p class="p3"><span class="s1">LOW</span></p>
-      </td>
-      <td valign="top" class="td14">
-        <p class="p3"><span class="s1">16</span></p>
-      </td>
-    </tr>
-    <tr>
-      <td valign="top" class="td1">
-        <p class="p5"><span class="s5">tomcat-8.0.33-jasper.jar</span></p>
-      </td>
-      <td valign="top" class="td2">
-        <p class="p5"><span class="s5"><a 
href="https://web.nvd.nist.gov/view/vuln/search-results?adv_search=true&amp;cves=on&amp;cpe_version=cpe%3A%2Fa%3Aapache%3Atomcat";>cpe:/a:apache:tomcat:8.0.33</a></span><span
 class="s4"><span class="Apple-converted-space"> </span></span></p>
-      </td>
-      <td valign="top" class="td3">
-        <p class="p5"><span class="s5"><a 
href="http://search.maven.org/remotecontent?filepath=org/apache/tomcat/tomcat-jasper/8.0.33/tomcat-jasper-8.0.33.jar";>org.apache.tomcat:tomcat-jasper:8.0.33</a></span><span
 class="s4"><span class="Apple-converted-space"> </span></span></p>
-      </td>
-      <td valign="top" class="td4">
-        <p class="p3"><span class="s1">High<span 
class="Apple-converted-space"> </span></span></p>
-      </td>
-      <td valign="top" class="td5">
-        <p class="p3"><span class="s1">4</span></p>
-      </td>
-      <td valign="top" class="td6">
-        <p class="p3"><span class="s1">LOW</span></p>
-      </td>
-      <td valign="top" class="td7">
-        <p class="p3"><span class="s1">17</span></p>
-      </td>
-    </tr>
-    <tr>
-      <td valign="top" class="td1">
-        <p class="p5"><span class="s5">axis2-kernel-1.7.1.jar</span></p>
-      </td>
-      <td valign="top" class="td2">
-        <p class="p3"><span class="s1">cpe:/a:apache:axis2:1.7.1<span 
class="Apple-converted-space"> </span></span></p>
-      </td>
-      <td valign="top" class="td3">
-        <p class="p3"><span 
class="s1">org.apache.axis2:axis2-kernel:1.7.1<span 
class="Apple-converted-space"> </span></span></p>
-      </td>
-      <td valign="top" class="td4">
-        <p class="p3"><span class="s1">Medium<span 
class="Apple-converted-space"> </span></span></p>
-      </td>
-      <td valign="top" class="td5">
-        <p class="p3"><span class="s1">2</span></p>
-      </td>
-      <td valign="top" class="td6">
-        <p class="p3"><span class="s1">LOW</span></p>
-      </td>
-      <td valign="top" class="td7">
-        <p class="p3"><span class="s1">15</span></p>
-      </td>
-    </tr>
-    <tr>
-      <td valign="top" class="td8">
-        <p class="p5"><span class="s5">axis-1.4.jar</span></p>
-      </td>
-      <td valign="top" class="td9">
-        <p class="p5"><span class="s5"><a 
href="https://web.nvd.nist.gov/view/vuln/search-results?adv_search=true&amp;cves=on&amp;cpe_version=cpe%3A%2Fa%3Aapache%3Aaxis%3A1.4";>cpe:/a:apache:axis:1.4</a></span><span
 class="s4"><span class="Apple-converted-space"> </span></span></p>
-      </td>
-      <td valign="top" class="td10">
-        <p class="p5"><span class="s5"><a 
href="http://search.maven.org/remotecontent?filepath=axis/axis/1.4/axis-1.4.jar";>axis:axis:1.4</a></span><span
 class="s4"><span class="Apple-converted-space"> </span></span></p>
-      </td>
-      <td valign="top" class="td11">
-        <p class="p3"><span class="s1">Medium<span 
class="Apple-converted-space"> </span></span></p>
-      </td>
-      <td valign="top" class="td12">
-        <p class="p3"><span class="s1">2</span></p>
-      </td>
-      <td valign="top" class="td13">
-        <p class="p3"><span class="s1">HIGHEST</span></p>
-      </td>
-      <td valign="top" class="td14">
-        <p class="p3"><span class="s1">16</span></p>
-      </td>
-    </tr>
-    <tr>
-      <td valign="top" class="td1">
-        <p class="p5"><span class="s5">jaxrpc.jar</span></p>
-      </td>
-      <td valign="top" class="td2">
-        <p class="p5"><span class="s5"><a 
href="https://web.nvd.nist.gov/view/vuln/search-results?adv_search=true&amp;cves=on&amp;cpe_version=cpe%3A%2Fa%3Aapache%3Aaxis%3A1.4";>cpe:/a:apache:axis:1.4</a></span><span
 class="s4"><span class="Apple-converted-space"> </span></span></p>
-      </td>
-      <td valign="top" class="td3">
-        <p class="p5"><span class="s5"><a 
href="http://search.maven.org/remotecontent?filepath=axis/axis-jaxrpc/1.4/axis-jaxrpc-1.4.jar";>axis:axis-jaxrpc:1.4</a></span><span
 class="s4"><span class="Apple-converted-space"> </span></span></p>
-      </td>
-      <td valign="top" class="td4">
-        <p class="p3"><span class="s1">Medium<span 
class="Apple-converted-space"> </span></span></p>
-      </td>
-      <td valign="top" class="td5">
-        <p class="p3"><span class="s1">2</span></p>
-      </td>
-      <td valign="top" class="td6">
-        <p class="p3"><span class="s1">HIGHEST</span></p>
-      </td>
-      <td valign="top" class="td7">
-        <p class="p3"><span class="s1">12</span></p>
-      </td>
-    </tr>
-    <tr>
-      <td valign="top" class="td1">
-        <p class="p5"><span class="s5">saaj.jar</span></p>
-      </td>
-      <td valign="top" class="td2">
-        <p class="p5"><span class="s5"><a 
href="https://web.nvd.nist.gov/view/vuln/search-results?adv_search=true&amp;cves=on&amp;cpe_version=cpe%3A%2Fa%3Aapache%3Aaxis%3A1.4";>cpe:/a:apache:axis:1.4</a></span><span
 class="s4"><span class="Apple-converted-space"> </span></span></p>
-      </td>
-      <td valign="top" class="td3">
-        <p class="p5"><span class="s5"><a 
href="http://search.maven.org/remotecontent?filepath=axis/axis-saaj/1.4/axis-saaj-1.4.jar";>axis:axis-saaj:1.4</a></span><span
 class="s4"><span class="Apple-converted-space"> </span></span></p>
-      </td>
-      <td valign="top" class="td4">
-        <p class="p3"><span class="s1">Medium<span 
class="Apple-converted-space"> </span></span></p>
-      </td>
-      <td valign="top" class="td5">
-        <p class="p3"><span class="s1">2</span></p>
-      </td>
-      <td valign="top" class="td6">
-        <p class="p3"><span class="s1">HIGHEST</span></p>
-      </td>
-      <td valign="top" class="td7">
-        <p class="p3"><span class="s1">12</span></p>
-      </td>
-    </tr>
-    <tr>
-      <td valign="top" class="td8">
-        <p class="p5"><span class="s5">Tidy.jar</span></p>
-      </td>
-      <td valign="top" class="td9">
-        <p class="p3"><span class="s1">cpe:/a:eclipse:birt:-<span 
class="Apple-converted-space"> </span></span></p>
-      </td>
-      <td valign="top" class="td10">
-        <p class="p5"><span class="s5"><a 
href="http://search.maven.org/remotecontent?filepath=org/eclipse/birt/runtime/3_7_1/Tidy/1/Tidy-1.jar";>org.eclipse.birt.runtime.3_7_1:Tidy:1</a></span><span
 class="s4"><span class="Apple-converted-space"> </span></span></p>
-      </td>
-      <td valign="top" class="td11">
-        <p class="p3"><span class="s1">Medium<span 
class="Apple-converted-space"> </span></span></p>
-      </td>
-      <td valign="top" class="td12">
-        <p class="p3"><span class="s1">1</span></p>
-      </td>
-      <td valign="top" class="td13">
-        <p class="p3"><span class="s1">LOW</span></p>
-      </td>
-      <td valign="top" class="td14">
-        <p class="p3"><span class="s1">11</span></p>
-      </td>
-    </tr>
-    <tr>
-      <td valign="top" class="td1">
-        <p class="p5"><span class="s5">viewservlets.jar</span></p>
-      </td>
-      <td valign="top" class="td2">
-        <p class="p3"><span class="s1">cpe:/a:eclipse:birt:-<span 
class="Apple-converted-space"> </span></span></p>
-      </td>
-      <td valign="top" class="td3">
-        <p class="p4"><span class="s1"></span><br></p>
-      </td>
-      <td valign="top" class="td4">
-        <p class="p3"><span class="s1">Medium<span 
class="Apple-converted-space"> </span></span></p>
-      </td>
-      <td valign="top" class="td5">
-        <p class="p3"><span class="s1">1</span></p>
-      </td>
-      <td valign="top" class="td6">
-        <p class="p3"><span class="s1">LOW</span></p>
-      </td>
-      <td valign="top" class="td7">
-        <p class="p3"><span class="s1">4</span></p>
-      </td>
-    </tr>
-  </tbody>
-</table>
-<h2 style="margin: 0.0px 0.0px 16.2px 0.0px; line-height: 23.0px; font: 20.0px 
Arial; color: #000000; -webkit-text-stroke: #000000"><span 
class="s1"><b>Dependencies</b></span></h2>
-<h3 style="margin: 0.0px 20.0px 0.0px 0.0px; line-height: 17.0px; font: 15.0px 
Arial; color: #000000; -webkit-text-stroke: #000000; background-color: 
#cccccc"><span class="s1"><b>commons-beanutils-core-1.8.3.jar</b></span></h3>
-<p class="p7"><span class="s6"><b>File Path:</b> 
/Users/deepakdixit/sandbox/plain_ofbiz/framework/base/lib/commons/commons-beanutils-core-1.8.3.jar</span><span
 class="s1"><br>
-</span><span class="s6"><b>MD5:</b> 
944f66e681239c8353e8497920f1e5d3</span><span class="s1"><br>
-</span><span class="s6"><b>SHA1:</b> 
75812698e5e859f2cb587c622c4cdfcd61676426<span class="Apple-converted-space"> 
</span></span></p>
-<h4 style="margin: 0.0px 20.0px 0.0px 0.0px; line-height: 15.0px; font: 13.0px 
Arial; color: #000000; -webkit-text-stroke: #000000; background-color: 
#ffffff"><span class="s1"><b>Evidence</b></span></h4>
-<h4 style="margin: 0.0px 20.0px 0.0px 0.0px; line-height: 15.0px; font: 13.0px 
Arial; color: #000000; -webkit-text-stroke: #000000; background-color: 
#ffffff"><span class="s1"><b>Identifiers</b></span></h4>
-<ul class="ul1">
-  <li class="li5"><span class="s7"><b></b></span><span 
class="s8"><b>maven:</b> <a 
href="http://search.maven.org/remotecontent?filepath=commons-beanutils/commons-beanutils-core/1.8.3/commons-beanutils-core-1.8.3.jar";><span
 class="s2">commons-beanutils:commons-beanutils-core:1.8.3</span></a>   
<i>Confidence</i>:HIGHEST<span class="Apple-converted-space"> 
</span></span></li>
-  <li class="li3"><span class="s9"><b></b></span><span class="s6"><b>cpe:</b> 
cpe:/a:apache:commons_beanutils:1.8.3   <i>Confidence</i>:LOW   
</span><span class="s10">suppress</span><span class="s6"><span 
class="Apple-converted-space"> </span></span></li>
-</ul>
-<h4 style="margin: 0.0px 20.0px 0.0px 0.0px; line-height: 15.0px; font: 13.0px 
Arial; color: #000000; -webkit-text-stroke: #000000; background-color: 
#ffffff"><span class="s1"><b>Published Vulnerabilities</b></span></h4>
-<p class="p9"><span class="s11"><a 
href="http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0114";><b>CVE-2014-0114</b></a></span><span
 class="s8">  </span><span class="s10">suppress</span></p>
-<p class="p7"><span class="s6">Severity: High </span><span class="s1"><br>
-</span><span class="s6">CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P) 
</span><span class="s1"><br>
-</span><span class="s6">CWE: CWE-20 Improper Input Validation<span 
class="Apple-converted-space"> </span></span></p>
-<p class="p7"><span class="s6">Apache Commons BeanUtils, as distributed in 
lib/commons-beanutils-1.8.0.jar in Apache Struts 1.x through 1.3.10 and in 
other products requiring commons-beanutils through 1.9.2, does not suppress the 
class property, which allows remote attackers to "manipulate" the ClassLoader 
and execute arbitrary code via the class parameter, as demonstrated by the 
passing of this parameter to the getClass method of the ActionForm object in 
Struts 1.<span class="Apple-converted-space"> </span></span></p>
-<ul class="ul1">
-  <li class="li5"><span class="s7"></span><span class="s8">BUGTRAQ - <a 
href="http://www.securityfocus.com/archive/1/archive/1/534161/100/0/threaded";><span
 class="s2">20141205 NEW: VMSA-2014-0012 - VMware vSphere product updates 
address security vulnerabilities</span></a></span></li>
-  <li class="li5"><span class="s7"></span><span class="s8">BUGTRAQ - <a 
href="http://www.securityfocus.com/archive/1/archive/1/535181/100/0/threaded";><span
 class="s2">20150402 NEW : VMSA-2015-0003 VMware product updates address 
critical information disclosure issue in JRE</span></a></span></li>
-  <li class="li5"><span class="s7"></span><span class="s8">CONFIRM - <a 
href="http://commons.apache.org/proper/commons-beanutils/javadocs/v1.9.2/RELEASE-NOTES.txt";><span
 
class="s2">http://commons.apache.org/proper/commons-beanutils/javadocs/v1.9.2/RELEASE-NOTES.txt</span></a></span></li>
-  <li class="li5"><span class="s7"></span><span class="s8">CONFIRM - <a 
href="http://www-01.ibm.com/support/docview.wss?uid=swg21676091";><span 
class="s2">http://www-01.ibm.com/support/docview.wss?uid=swg21676091</span></a></span></li>
-  <li class="li5"><span class="s7"></span><span class="s8">CONFIRM - <a 
href="http://www-01.ibm.com/support/docview.wss?uid=swg21676303";><span 
class="s2">http://www-01.ibm.com/support/docview.wss?uid=swg21676303</span></a></span></li>
-  <li class="li5"><span class="s7"></span><span class="s8">CONFIRM - <a 
href="http://www-01.ibm.com/support/docview.wss?uid=swg21676375";><span 
class="s2">http://www-01.ibm.com/support/docview.wss?uid=swg21676375</span></a></span></li>
-  <li class="li5"><span class="s7"></span><span class="s8">CONFIRM - <a 
href="http://www-01.ibm.com/support/docview.wss?uid=swg21676931";><span 
class="s2">http://www-01.ibm.com/support/docview.wss?uid=swg21676931</span></a></span></li>
-  <li class="li5"><span class="s7"></span><span class="s8">CONFIRM - <a 
href="http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html";><span
 
class="s2">http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html</span></a></span></li>
-  <li class="li5"><span class="s7"></span><span class="s8">CONFIRM - <a 
href="http://www.oracle.com/technetwork/topics/security/cpujul2014-1972956.html";><span
 
class="s2">http://www.oracle.com/technetwork/topics/security/cpujul2014-1972956.html</span></a></span></li>
-  <li class="li5"><span class="s7"></span><span class="s8">CONFIRM - <a 
href="http://www.oracle.com/technetwork/topics/security/cpuoct2014-1972960.html";><span
 
class="s2">http://www.oracle.com/technetwork/topics/security/cpuoct2014-1972960.html</span></a></span></li>
-  <li class="li5"><span class="s7"></span><span class="s8">CONFIRM - <a 
href="http://www.vmware.com/security/advisories/VMSA-2014-0012.html";><span 
class="s2">http://www.vmware.com/security/advisories/VMSA-2014-0012.html</span></a></span></li>
-  <li class="li5"><span class="s7"></span><span class="s8">CONFIRM - <a 
href="https://access.redhat.com/solutions/869353";><span 
class="s2">https://access.redhat.com/solutions/869353</span></a></span></li>
-  <li class="li5"><span class="s7"></span><span class="s8">CONFIRM - <a 
href="https://bugzilla.redhat.com/show_bug.cgi?id=1091938";><span 
class="s2">https://bugzilla.redhat.com/show_bug.cgi?id=1091938</span></a></span></li>
-  <li class="li5"><span class="s7"></span><span class="s8">CONFIRM - <a 
href="https://bugzilla.redhat.com/show_bug.cgi?id=1116665";><span 
class="s2">https://bugzilla.redhat.com/show_bug.cgi?id=1116665</span></a></span></li>
-  <li class="li5"><span class="s7"></span><span class="s8">CONFIRM - <a 
href="https://issues.apache.org/jira/browse/BEANUTILS-463";><span 
class="s2">https://issues.apache.org/jira/browse/BEANUTILS-463</span></a></span></li>
-  <li class="li3"><span class="s9"></span><span class="s6">DEBIAN - <a 
href="http://www.debian.org/security/2014/dsa-2940";><span 
class="s2">DSA-2940</span></a></span></li>
-  <li class="li5"><span class="s7"></span><span class="s8">FEDORA - <a 
href="http://lists.fedoraproject.org/pipermail/package-announce/2014-August/136958.html";><span
 class="s2">FEDORA-2014-9380</span></a></span></li>
-  <li class="li5"><span class="s7"></span><span class="s8">FULLDISC - <a 
href="http://seclists.org/fulldisclosure/2014/Dec/23";><span class="s2">20141205 
NEW: VMSA-2014-0012 - VMware vSphere product updates address security 
vulnerabilities</span></a></span></li>
-  <li class="li5"><span class="s7"></span><span class="s8">FULLDISC - <a 
href="http://seclists.org/fulldisclosure/2015/Apr/5";><span class="s2">20150402 
NEW : VMSA-2015-0003 VMware product updates address critical information 
disclosure issue in JRE</span></a></span></li>
-  <li class="li5"><span class="s7"></span><span class="s8">HP - <a 
href="http://marc.info/?l=bugtraq&amp;m=141451023707502&amp;w=2";><span 
class="s2">HPSBST03160</span></a></span></li>
-  <li class="li5"><span class="s7"></span><span class="s8">MISC - <a 
href="http://packetstormsecurity.com/files/131271/VMware-Security-Advisory-2015-0003.html";><span
 
class="s2">http://packetstormsecurity.com/files/131271/VMware-Security-Advisory-2015-0003.html</span></a></span></li>
-  <li class="li5"><span class="s7"></span><span class="s8">MLIST - <a 
href="http://openwall.com/lists/oss-security/2014/06/15/10";><span 
class="s2">[oss-security] 20140616 CVE request for commons-beanutils: 'class' 
property is exposed, potentially leading to RCE</span></a></span></li>
-  <li class="li5"><span class="s7"></span><span class="s8">MLIST - <a 
href="http://openwall.com/lists/oss-security/2014/07/08/1";><span 
class="s2">[oss-security] 20140707 Re: CVE request for commons-beanutils: 
'class' property is exposed, potentially leading to RCE</span></a></span></li>
-</ul>
-<p class="p10"><span class="s1"></span><br></p>
-<p class="p7"><span class="s6">Vulnerable Software &amp; Versions: 
(</span><span class="s12">show all</span><span class="s6">)</span></p>
-<ul class="ul1">
-  <li class="li5"><span class="s9"><a 
href="https://web.nvd.nist.gov/view/vuln/search-results?adv_search=true&amp;cves=on&amp;cpe_version=cpe%3A%2Fa%3Aapache%3Acommons_beanutils%3A1.9.1";><span
 class="s13">cpe:/a:apache:commons_beanutils:1.9.1</span></a></span><span 
class="s8"> and all previous versions</span></li>
-  <li class="li3"><span class="s9"></span><span class="s6">...</span></li>
-</ul>
-<p class="p10"><span class="s1"></span><br></p>
-<h3 style="margin: 0.0px 20.0px 0.0px 0.0px; line-height: 17.0px; font: 15.0px 
Arial; color: #000000; -webkit-text-stroke: #000000; background-color: 
#cccccc"><span class="s1"><b>jsp-api-2.3.jar</b></span></h3>
-<p class="p7"><span class="s6"><b>Description:</b> JSP package</span><span 
class="s1"><br>
-</span></p>
-<p class="p7"><span class="s6"><b>License:</b></span></p>
-<p class="p11"><span class="s6">Apache License, Version 2.0: 
http://www.apache.org/licenses/LICENSE-2.0.txt</span></p>
-<p class="p3"><span class="s6"><b>File Path:</b> 
/Users/deepakdixit/sandbox/plain_ofbiz/framework/base/lib/j2eespecs/jsp-api-2.3.jar</span></p>
-<p class="p3"><span class="s6"><b>MD5:</b> 
c88199ccae1b0e7ae339bd0c20b3ccde</span></p>
-<p class="p12"><span class="s1"><b>SHA1:</b> 
896e782956999c2632b3caa0caeb711720f28d7a</span></p>
-<p class="p10"><span class="s1"></span><br></p>
-<h4 style="margin: 0.0px 20.0px 0.0px 0.0px; line-height: 15.0px; font: 13.0px 
Arial; color: #000000; -webkit-text-stroke: #000000; background-color: 
#ffffff"><span class="s1"><b>Evidence</b></span></h4>
-<h4 style="margin: 0.0px 20.0px 0.0px 0.0px; line-height: 15.0px; font: 13.0px 
Arial; color: #000000; -webkit-text-stroke: #000000; background-color: 
#ffffff"><span class="s1"><b>Identifiers</b></span></h4>
-<ul class="ul1">
-  <li class="li13"><span class="s9"><b></b></span><span 
class="s14"><b>cpe:</b> <a 
href="https://web.nvd.nist.gov/view/vuln/search-results?adv_search=true&amp;cves=on&amp;cpe_version=cpe%3A%2Fa%3Aapache%3Atomcat";><span
 class="s2">cpe:/a:apache:tomcat:8.0.33</span></a>   <i>Confidence</i>:LOW  
 </span><span class="s10">suppress</span><span class="s14"><span 
class="Apple-converted-space"> </span></span></li>
-  <li class="li5"><span class="s7"><b></b></span><span 
class="s8"><b>maven:</b> <a 
href="http://search.maven.org/remotecontent?filepath=org/apache/tomcat/tomcat-jsp-api/8.0.33/tomcat-jsp-api-8.0.33.jar";><span
 class="s2">org.apache.tomcat:tomcat-jsp-api:8.0.33</span></a>   
<i>Confidence</i>:HIGHEST<span class="Apple-converted-space"> 
</span></span></li>
-</ul>
-<h4 style="margin: 0.0px 20.0px 0.0px 0.0px; line-height: 15.0px; font: 13.0px 
Arial; color: #000000; -webkit-text-stroke: #000000; background-color: 
#ffffff"><span class="s1"><b>Published Vulnerabilities</b></span></h4>
-<p class="p9"><span class="s11"><a 
href="http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2185";><b>CVE-2013-2185</b></a></span><span
 class="s8">  </span><span class="s10">suppress</span></p>
-<p class="p7"><span class="s6">Severity: High </span><span class="s1"><br>
-</span><span class="s6">CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P) 
</span><span class="s1"><br>
-</span><span class="s6">CWE: CWE-20 Improper Input Validation<span 
class="Apple-converted-space"> </span></span></p>
-<p class="p7"><span class="s6">** DISPUTED ** The readObject method in the 
DiskFileItem class in Apache Tomcat and JBoss Web, as used in Red Hat JBoss 
Enterprise Application Platform 6.1.0 and Red Hat JBoss Portal 6.0.0, allows 
remote attackers to write to arbitrary files via a NULL byte in a file name in 
a serialized instance, a similar issue to CVE-2013-2186. NOTE: this issue is 
reportedly disputed by the Apache Tomcat team, although Red Hat considers it a 
vulnerability. The dispute appears to regard whether it is the responsibility 
of applications to avoid providing untrusted data to be deserialized, or 
whether this class should inherently protect against this issue.<span 
class="Apple-converted-space"> </span></span></p>
-<ul class="ul1">
-  <li class="li5"><span class="s7"></span><span class="s8">MLIST - <a 
href="http://www.openwall.com/lists/oss-security/2013/09/05/4";><span 
class="s2">[oss-security] 20130905 Re: CVE-2013-2185 / 
Tomcat</span></a></span></li>
-  <li class="li5"><span class="s7"></span><span class="s8">MLIST - <a 
href="http://openwall.com/lists/oss-security/2014/10/24/12";><span 
class="s2">[oss-security] 20141024 Re: Duplicate Request: CVE-2013-4444 as a 
duplicate of CVE-2013-2185</span></a></span></li>
-  <li class="li5"><span class="s7"></span><span class="s8">REDHAT - <a 
href="http://rhn.redhat.com/errata/RHSA-2013-1193.html";><span 
class="s2">RHSA-2013:1193</span></a></span></li>
-  <li class="li5"><span class="s7"></span><span class="s8">REDHAT - <a 
href="http://rhn.redhat.com/errata/RHSA-2013-1194.html";><span 
class="s2">RHSA-2013:1194</span></a></span></li>
-  <li class="li5"><span class="s7"></span><span class="s8">REDHAT - <a 
href="http://rhn.redhat.com/errata/RHSA-2013-1265.html";><span 
class="s2">RHSA-2013:1265</span></a></span></li>
-</ul>
-<p class="p10"><span class="s1"></span><br></p>
-<p class="p7"><span class="s6">Vulnerable Software &amp; Versions: 
(</span><span class="s12">show all</span><span class="s6">)</span></p>
-<ul class="ul1">
-  <li class="li5"><span class="s9"><a 
href="https://web.nvd.nist.gov/view/vuln/search-results?adv_search=true&amp;cves=on&amp;cpe_version=cpe%3A%2Fa%3Aapache%3Atomcat";><span
 class="s13">cpe:/a:apache:tomcat</span></a></span><span class="s8"><span 
class="Apple-converted-space"> </span></span></li>
-  <li class="li3"><span class="s9"></span><span class="s6">...</span></li>
-</ul>
-<p class="p10"><span class="s1"></span><br></p>
-<p class="p9"><span class="s11"><a 
href="http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-2696";><b>CVE-2009-2696</b></a></span><span
 class="s8">  </span><span class="s10">suppress</span></p>
-<p class="p7"><span class="s6">Severity: Medium </span><span class="s1"><br>
-</span><span class="s6">CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N) 
</span><span class="s1"><br>
-</span><span class="s6">CWE: CWE-79 Improper Neutralization of Input During 
Web Page Generation ('Cross-site Scripting')<span 
class="Apple-converted-space"> </span></span></p>
-<p class="p7"><span class="s6">Cross-site scripting (XSS) vulnerability in 
jsp/cal/cal2.jsp in the calendar application in the examples web application in 
Apache Tomcat on Red Hat Enterprise Linux 5, Desktop Workstation 5, and Linux 
Desktop 5 allows remote attackers to inject arbitrary web script or HTML via 
the time parameter, related to "invalid HTML." NOTE: this is due to a missing 
fix for CVE-2009-0781.<span class="Apple-converted-space"> </span></span></p>
-<ul class="ul1">
-  <li class="li5"><span class="s7"></span><span class="s8">CONFIRM - <a 
href="https://bugzilla.redhat.com/show_bug.cgi?id=616717";><span 
class="s2">https://bugzilla.redhat.com/show_bug.cgi?id=616717</span></a></span></li>
-  <li class="li5"><span class="s7"></span><span class="s8">REDHAT - <a 
href="http://www.redhat.com/support/errata/RHSA-2010-0580.html";><span 
class="s2">RHSA-2010:0580</span></a></span></li>
-  <li class="li5"><span class="s7"></span><span class="s8">VUPEN - <a 
href="http://www.vupen.com/english/advisories/2010/1986";><span 
class="s2">ADV-2010-1986</span></a></span></li>
-</ul>
-<p class="p10"><span class="s1"></span><br></p>
-<p class="p7"><span class="s6">Vulnerable Software &amp; Versions:</span></p>
-<ul class="ul1">
-  <li class="li5"><span class="s9"><a 
href="https://web.nvd.nist.gov/view/vuln/search-results?adv_search=true&amp;cves=on&amp;cpe_version=cpe%3A%2Fa%3Aapache%3Atomcat";><span
 class="s13">cpe:/a:apache:tomcat</span></a></span><span class="s8"><span 
class="Apple-converted-space"> </span></span></li>
-</ul>
-<p class="p10"><span class="s1"></span><br></p>
-<p class="p9"><span class="s11"><a 
href="http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-5461";><b>CVE-2007-5461</b></a></span><span
 class="s8">  </span><span class="s10">suppress</span></p>
-<p class="p7"><span class="s6">Severity: Low </span><span class="s1"><br>
-</span><span class="s6">CVSS Score: 3.5 (AV:N/AC:M/Au:S/C:P/I:N/A:N) 
</span><span class="s1"><br>
-</span><span class="s6">CWE: CWE-22 Improper Limitation of a Pathname to a 
Restricted Directory ('Path Traversal')<span class="Apple-converted-space"> 
</span></span></p>
-<p class="p7"><span class="s6">Absolute path traversal vulnerability in Apache 
Tomcat 4.0.0 through 4.0.6, 4.1.0, 5.0.0, 5.5.0 through 5.5.25, and 6.0.0 
through 6.0.14, under certain configurations, allows remote authenticated users 
to read arbitrary files via a WebDAV write request that specifies an entity 
with a SYSTEM tag.<span class="Apple-converted-space"> </span></span></p>
-<ul class="ul1">
-  <li class="li5"><span class="s7"></span><span class="s8">APPLE - <a 
href="http://lists.apple.com/archives/security-announce/2008//Jun/msg00002.html";><span
 class="s2">APPLE-SA-2008-06-30</span></a></span></li>
-  <li class="li5"><span class="s7"></span><span class="s8">APPLE - <a 
href="http://lists.apple.com/archives/security-announce/2008/Oct/msg00001.html";><span
 class="s2">APPLE-SA-2008-10-09</span></a></span></li>
-  <li class="li3"><span class="s9"></span><span class="s6">BID - <a 
href="http://www.securityfocus.com/bid/26070";><span 
class="s2">26070</span></a></span></li>
-  <li class="li3"><span class="s9"></span><span class="s6">BID - <a 
href="http://www.securityfocus.com/bid/31681";><span 
class="s2">31681</span></a></span></li>
-  <li class="li5"><span class="s7"></span><span class="s8">BUGTRAQ - <a 
href="http://www.securityfocus.com/archive/1/archive/1/507985/100/0/threaded";><span
 class="s2">20091120 VMSA-2009-0016 VMware vCenter and ESX update release and 
vMA patch release address multiple security issue in third party 
components</span></a></span></li>
-  <li class="li5"><span class="s7"></span><span class="s8">CONFIRM - <a 
href="http://geronimo.apache.org/2007/10/18/potential-vulnerability-in-apache-tomcat-webdav-servlet.html";><span
 
class="s2">http://geronimo.apache.org/2007/10/18/potential-vulnerability-in-apache-tomcat-webdav-servlet.html</span></a></span></li>
-  <li class="li5"><span class="s7"></span><span class="s8">CONFIRM - <a 
href="http://support.apple.com/kb/HT2163";><span 
class="s2">http://support.apple.com/kb/HT2163</span></a></span></li>
-  <li class="li5"><span class="s7"></span><span class="s8">CONFIRM - <a 
href="http://support.apple.com/kb/HT3216";><span 
class="s2">http://support.apple.com/kb/HT3216</span></a></span></li>
-  <li class="li5"><span class="s7"></span><span class="s8">CONFIRM - <a 
href="http://support.avaya.com/elmodocs2/security/ASA-2008-401.htm";><span 
class="s2">http://support.avaya.com/elmodocs2/security/ASA-2008-401.htm</span></a></span></li>
-  <li class="li5"><span class="s7"></span><span class="s8">CONFIRM - <a 
href="http://tomcat.apache.org/security-4.html";><span 
class="s2">http://tomcat.apache.org/security-4.html</span></a></span></li>
-  <li class="li5"><span class="s7"></span><span class="s8">CONFIRM - <a 
href="http://tomcat.apache.org/security-5.html";><span 
class="s2">http://tomcat.apache.org/security-5.html</span></a></span></li>
-  <li class="li5"><span class="s7"></span><span class="s8">CONFIRM - <a 
href="http://tomcat.apache.org/security-6.html";><span 
class="s2">http://tomcat.apache.org/security-6.html</span></a></span></li>
-  <li class="li5"><span class="s7"></span><span class="s8">CONFIRM - <a 
href="http://www-1.ibm.com/support/docview.wss?uid=swg21286112";><span 
class="s2">http://www-1.ibm.com/support/docview.wss?uid=swg21286112</span></a></span></li>
-  <li class="li5"><span class="s7"></span><span class="s8">CONFIRM - <a 
href="http://www.vmware.com/security/advisories/VMSA-2008-0010.html";><span 
class="s2">http://www.vmware.com/security/advisories/VMSA-2008-0010.html</span></a></span></li>
-  <li class="li5"><span class="s7"></span><span class="s8">CONFIRM - <a 
href="http://www.vmware.com/security/advisories/VMSA-2009-0016.html";><span 
class="s2">http://www.vmware.com/security/advisories/VMSA-2009-0016.html</span></a></span></li>
-  <li class="li3"><span class="s9"></span><span class="s6">DEBIAN - <a 
href="http://www.debian.org/security/2008/dsa-1447";><span 
class="s2">DSA-1447</span></a></span></li>
-  <li class="li3"><span class="s9"></span><span class="s6">DEBIAN - <a 
href="http://www.debian.org/security/2008/dsa-1453";><span 
class="s2">DSA-1453</span></a></span></li>
-  <li class="li5"><span class="s7"></span><span class="s8">FEDORA - <a 
href="https://www.redhat.com/archives/fedora-package-announce/2007-November/msg00525.html";><span
 class="s2">FEDORA-2007-3456</span></a></span></li>
-  <li class="li5"><span class="s7"></span><span class="s8">FULLDISC - <a 
href="http://marc.info/?l=full-disclosure&amp;m=119239530508382";><span 
class="s2">20071014 Apache Tomcat Rem0Te FiLe DiscloSure 
ZeroDay</span></a></span></li>
-  <li class="li5"><span class="s7"></span><span class="s8">GENTOO - <a 
href="http://security.gentoo.org/glsa/glsa-200804-10.xml";><span 
class="s2">GLSA-200804-10</span></a></span></li>
-  <li class="li5"><span class="s7"></span><span class="s8">HP - <a 
href="http://marc.info/?l=bugtraq&amp;m=139344343412337&amp;w=2";><span 
class="s2">HPSBST02955</span></a></span></li>
-  <li class="li13"><span class="s9"></span><span class="s14">MANDRIVA - <a 
href="http://www.mandriva.com/security/advisories?name=MDKSA-2007:241";><span 
class="s2">MDKSA-2007:241</span></a></span></li>
-  <li class="li13"><span class="s9"></span><span class="s14">MANDRIVA - <a 
href="http://www.mandriva.com/security/advisories?name=MDVSA-2009:136";><span 
class="s2">MDVSA-2009:136</span></a></span></li>
-  <li class="li3"><span class="s9"></span><span class="s6">MILW0RM - <a 
href="http://www.milw0rm.com/exploits/4530";><span 
class="s2">4530</span></a></span></li>
-  <li class="li5"><span class="s7"></span><span class="s8">MISC - <a 
href="http://issues.apache.org/jira/browse/GERONIMO-3549";><span 
class="s2">http://issues.apache.org/jira/browse/GERONIMO-3549</span></a></span></li>
-  <li class="li5"><span class="s7"></span><span class="s8">MLIST - <a 
href="http://mail-archives.apache.org/mod_mbox/tomcat-users/200710.mbox/%[email protected]%3E";><span
 class="s2">[tomcat-users] 20071015 [Security] - Important vulnerability 
disclosed in Apache Tomcat webdav servlet</span></a></span></li>
-  <li class="li5"><span class="s7"></span><span class="s8">REDHAT - <a 
href="http://www.redhat.com/support/errata/RHSA-2008-0042.html";><span 
class="s2">RHSA-2008:0042</span></a></span></li>
-  <li class="li5"><span class="s7"></span><span class="s8">REDHAT - <a 
href="http://www.redhat.com/support/errata/RHSA-2008-0195.html";><span 
class="s2">RHSA-2008:0195</span></a></span></li>
-  <li class="li5"><span class="s7"></span><span class="s8">REDHAT - <a 
href="http://www.redhat.com/support/errata/RHSA-2008-0261.html";><span 
class="s2">RHSA-2008:0261</span></a></span></li>
-  <li class="li5"><span class="s7"></span><span class="s8">REDHAT - <a 
href="http://rhn.redhat.com/errata/RHSA-2008-0630.html";><span 
class="s2">RHSA-2008:0630</span></a></span></li>
-  <li class="li5"><span class="s7"></span><span class="s8">REDHAT - <a 
href="http://www.redhat.com/support/errata/RHSA-2008-0862.html";><span 
class="s2">RHSA-2008:0862</span></a></span></li>
-  <li class="li3"><span class="s9"></span><span class="s6">SECTRACK - <a 
href="http://www.securitytracker.com/id?1018864";><span 
class="s2">1018864</span></a></span></li>
-  <li class="li3"><span class="s9"></span><span class="s6">SUNALERT - <a 
href="http://sunsolve.sun.com/search/document.do?assetkey=1-26-239312-1";><span 
class="s2">239312</span></a></span></li>
-  <li class="li5"><span class="s7"></span><span class="s8">SUSE - <a 
href="http://lists.opensuse.org/opensuse-security-announce/2008-03/msg00001.html";><span
 class="s2">SUSE-SR:2008:005</span></a></span></li>
-  <li class="li5"><span class="s7"></span><span class="s8">SUSE - <a 
href="http://lists.opensuse.org/opensuse-security-announce/2009-02/msg00002.html";><span
 class="s2">SUSE-SR:2009:004</span></a></span></li>
-  <li class="li5"><span class="s7"></span><span class="s8">VUPEN - <a 
href="http://www.vupen.com/english/advisories/2007/3622";><span 
class="s2">ADV-2007-3622</span></a></span></li>
-  <li class="li5"><span class="s7"></span><span class="s8">VUPEN - <a 
href="http://www.vupen.com/english/advisories/2007/3671";><span 
class="s2">ADV-2007-3671</span></a></span></li>
-  <li class="li5"><span class="s7"></span><span class="s8">VUPEN - <a 
href="http://www.vupen.com/english/advisories/2007/3674";><span 
class="s2">ADV-2007-3674</span></a></span></li>
-  <li class="li5"><span class="s7"></span><span class="s8">VUPEN - <a 
href="http://www.vupen.com/english/advisories/2008/1856/references";><span 
class="s2">ADV-2008-1856</span></a></span></li>
-  <li class="li5"><span class="s7"></span><span class="s8">VUPEN - <a 
href="http://www.vupen.com/english/advisories/2008/1979/references";><span 
class="s2">ADV-2008-1979</span></a></span></li>
-  <li class="li5"><span class="s7"></span><span class="s8">VUPEN - <a 
href="http://www.vupen.com/english/advisories/2008/1981/references";><span 
class="s2">ADV-2008-1981</span></a></span></li>
-  <li class="li5"><span class="s7"></span><span class="s8">VUPEN - <a 
href="http://www.vupen.com/english/advisories/2008/2780";><span 
class="s2">ADV-2008-2780</span></a></span></li>
-  <li class="li5"><span class="s7"></span><span class="s8">VUPEN - <a 
href="http://www.vupen.com/english/advisories/2008/2823";><span 
class="s2">ADV-2008-2823</span></a></span></li>
-  <li class="li5"><span class="s7"></span><span class="s8">VUPEN - <a 
href="http://www.vupen.com/english/advisories/2009/3316";><span 
class="s2">ADV-2009-3316</span></a></span></li>
-  <li class="li5"><span class="s7"></span><span class="s8">XF - <a 
href="http://xforce.iss.net/xforce/xfdb/37243";><span 
class="s2">apache-tomcat-webdav-dir-traversal(37243)</span></a></span></li>
-</ul>
-<p class="p10"><span class="s1"></span><br></p>
-<p class="p7"><span class="s6">Vulnerable Software &amp; Versions:</span></p>
-<ul class="ul1">
-  <li class="li5"><span class="s9"><a 
href="https://web.nvd.nist.gov/view/vuln/search-results?adv_search=true&amp;cves=on&amp;cpe_version=cpe%3A%2Fa%3Aapache%3Atomcat";><span
 class="s13">cpe:/a:apache:tomcat</span></a></span><span class="s8"><span 
class="Apple-converted-space"> </span></span></li>
-</ul>
-<p class="p10"><span class="s1"></span><br></p>
-<p class="p9"><span class="s11"><a 
href="http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2002-0493";><b>CVE-2002-0493</b></a></span><span
 class="s8">  </span><span class="s10">suppress</span></p>
-<p class="p7"><span class="s6">Severity: High </span><span class="s1"><br>
-</span><span class="s6">CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)<span 
class="Apple-converted-space"> </span></span></p>
-<p class="p7"><span class="s6">Apache Tomcat may be started without proper 
security settings if errors are encountered while reading the web.xml file, 
which could allow attackers to bypass intended restrictions.<span 
class="Apple-converted-space"> </span></span></p>
-<ul class="ul1">
-  <li class="li5"><span class="s7"></span><span class="s8">BUGTRAQ - <a 
href="http://marc.theaimsgroup.com/?l=bugtraq&amp;m=101709002410365&amp;w=2";><span
 class="s2">20020325 re: Tomcat Security Exposure</span></a></span></li>
-  <li class="li5"><span class="s7"></span><span class="s8">MISC - <a 
href="http://www.apachelabs.org/tomcat-dev/200108.mbox/%[email protected]%3E";><span
 
class="s2">http://www.apachelabs.org/tomcat-dev/200108.mbox/%[email protected]%3E</span></a></span></li>
-  <li class="li5"><span class="s7"></span><span class="s8">XF - <a 
href="http://www.iss.net/security_center/static/9863.php";><span 
class="s2">tomcat-xml-bypass-restrictions(9863)</span></a></span></li>
-</ul>
-<p class="p10"><span class="s1"></span><br></p>
-<p class="p7"><span class="s6">Vulnerable Software &amp; Versions:</span></p>
-<ul class="ul1">
-  <li class="li5"><span class="s9"><a 
href="https://web.nvd.nist.gov/view/vuln/search-results?adv_search=true&amp;cves=on&amp;cpe_version=cpe%3A%2Fa%3Aapache%3Atomcat";><span
 class="s13">cpe:/a:apache:tomcat</span></a></span><span class="s8"><span 
class="Apple-converted-space"> </span></span></li>
-</ul>
-<p class="p10"><span class="s1"></span><br></p>
-<h3 style="margin: 0.0px 20.0px 0.0px 0.0px; line-height: 17.0px; font: 15.0px 
Arial; color: #000000; -webkit-text-stroke: #000000; background-color: 
#cccccc"><span class="s1"><b>tomcat-8.0.33-jasper.jar</b></span></h3>
-<p class="p7"><span class="s6"><b>Description:</b> Tomcats JSP 
Parser</span><span class="s1"><br>
-</span></p>
-<p class="p7"><span class="s6"><b>License:</b></span></p>
-<p class="p11"><span class="s6">Apache License, Version 2.0: 
http://www.apache.org/licenses/LICENSE-2.0.txt</span></p>
-<p class="p3"><span class="s6"><b>File Path:</b> 
/Users/deepakdixit/sandbox/plain_ofbiz/framework/catalina/lib/tomcat-8.0.33-jasper.jar</span></p>
-<p class="p3"><span class="s6"><b>MD5:</b> 
77fb07272f972db78bd54712ed82e961</span></p>
-<p class="p12"><span class="s1"><b>SHA1:</b> 
30525359ecc82c313a71e056adc917f952580f5e</span></p>
-<p class="p10"><span class="s1"></span><br></p>
-<h4 style="margin: 0.0px 20.0px 0.0px 0.0px; line-height: 15.0px; font: 13.0px 
Arial; color: #000000; -webkit-text-stroke: #000000; background-color: 
#ffffff"><span class="s1"><b>Evidence</b></span></h4>
-<h4 style="margin: 0.0px 20.0px 0.0px 0.0px; line-height: 15.0px; font: 13.0px 
Arial; color: #000000; -webkit-text-stroke: #000000; background-color: 
#ffffff"><span class="s1"><b>Related Dependencies</b></span></h4>
-<h4 style="margin: 0.0px 20.0px 0.0px 0.0px; line-height: 15.0px; font: 13.0px 
Arial; color: #000000; -webkit-text-stroke: #000000; background-color: 
#ffffff"><span class="s1"><b>Identifiers</b></span></h4>
-<ul class="ul1">
-  <li class="li13"><span class="s9"><b></b></span><span 
class="s14"><b>cpe:</b> <a 
href="https://web.nvd.nist.gov/view/vuln/search-results?adv_search=true&amp;cves=on&amp;cpe_version=cpe%3A%2Fa%3Aapache%3Atomcat";><span
 class="s2">cpe:/a:apache:tomcat:8.0.33</span></a>   <i>Confidence</i>:LOW  
 </span><span class="s10">suppress</span><span class="s14"><span 
class="Apple-converted-space"> </span></span></li>
-  <li class="li5"><span class="s7"><b></b></span><span 
class="s8"><b>maven:</b> <a 
href="http://search.maven.org/remotecontent?filepath=org/apache/tomcat/tomcat-jasper/8.0.33/tomcat-jasper-8.0.33.jar";><span
 class="s2">org.apache.tomcat:tomcat-jasper:8.0.33</span></a>   
<i>Confidence</i>:HIGHEST<span class="Apple-converted-space"> 
</span></span></li>
-</ul>
-<h4 style="margin: 0.0px 20.0px 0.0px 0.0px; line-height: 15.0px; font: 13.0px 
Arial; color: #000000; -webkit-text-stroke: #000000; background-color: 
#ffffff"><span class="s1"><b>Published Vulnerabilities</b></span></h4>
-<p class="p9"><span class="s11"><a 
href="http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2185";><b>CVE-2013-2185</b></a></span><span
 class="s8">  </span><span class="s10">suppress</span></p>
-<p class="p7"><span class="s6">Severity: High </span><span class="s1"><br>
-</span><span class="s6">CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P) 
</span><span class="s1"><br>
-</span><span class="s6">CWE: CWE-20 Improper Input Validation<span 
class="Apple-converted-space"> </span></span></p>
-<p class="p7"><span class="s6">** DISPUTED ** The readObject method in the 
DiskFileItem class in Apache Tomcat and JBoss Web, as used in Red Hat JBoss 
Enterprise Application Platform 6.1.0 and Red Hat JBoss Portal 6.0.0, allows 
remote attackers to write to arbitrary files via a NULL byte in a file name in 
a serialized instance, a similar issue to CVE-2013-2186. NOTE: this issue is 
reportedly disputed by the Apache Tomcat team, although Red Hat considers it a 
vulnerability. The dispute appears to regard whether it is the responsibility 
of applications to avoid providing untrusted data to be deserialized, or 
whether this class should inherently protect against this issue.<span 
class="Apple-converted-space"> </span></span></p>
-<ul class="ul1">
-  <li class="li5"><span class="s7"></span><span class="s8">MLIST - <a 
href="http://www.openwall.com/lists/oss-security/2013/09/05/4";><span 
class="s2">[oss-security] 20130905 Re: CVE-2013-2185 / 
Tomcat</span></a></span></li>
-  <li class="li5"><span class="s7"></span><span class="s8">MLIST - <a 
href="http://openwall.com/lists/oss-security/2014/10/24/12";><span 
class="s2">[oss-security] 20141024 Re: Duplicate Request: CVE-2013-4444 as a 
duplicate of CVE-2013-2185</span></a></span></li>
-  <li class="li5"><span class="s7"></span><span class="s8">REDHAT - <a 
href="http://rhn.redhat.com/errata/RHSA-2013-1193.html";><span 
class="s2">RHSA-2013:1193</span></a></span></li>
-  <li class="li5"><span class="s7"></span><span class="s8">REDHAT - <a 
href="http://rhn.redhat.com/errata/RHSA-2013-1194.html";><span 
class="s2">RHSA-2013:1194</span></a></span></li>
-  <li class="li5"><span class="s7"></span><span class="s8">REDHAT - <a 
href="http://rhn.redhat.com/errata/RHSA-2013-1265.html";><span 
class="s2">RHSA-2013:1265</span></a></span></li>
-</ul>
-<p class="p10"><span class="s1"></span><br></p>
-<p class="p7"><span class="s6">Vulnerable Software &amp; Versions: 
(</span><span class="s12">show all</span><span class="s6">)</span></p>
-<ul class="ul1">
-  <li class="li5"><span class="s9"><a 
href="https://web.nvd.nist.gov/view/vuln/search-results?adv_search=true&amp;cves=on&amp;cpe_version=cpe%3A%2Fa%3Aapache%3Atomcat";><span
 class="s13">cpe:/a:apache:tomcat</span></a></span><span class="s8"><span 
class="Apple-converted-space"> </span></span></li>
-  <li class="li3"><span class="s9"></span><span class="s6">...</span></li>
-</ul>
-<p class="p10"><span class="s1"></span><br></p>
-<p class="p9"><span class="s11"><a 
href="http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-2696";><b>CVE-2009-2696</b></a></span><span
 class="s8">  </span><span class="s10">suppress</span></p>
-<p class="p7"><span class="s6">Severity: Medium </span><span class="s1"><br>
-</span><span class="s6">CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N) 
</span><span class="s1"><br>
-</span><span class="s6">CWE: CWE-79 Improper Neutralization of Input During 
Web Page Generation ('Cross-site Scripting')<span 
class="Apple-converted-space"> </span></span></p>
-<p class="p7"><span class="s6">Cross-site scripting (XSS) vulnerability in 
jsp/cal/cal2.jsp in the calendar application in the examples web application in 
Apache Tomcat on Red Hat Enterprise Linux 5, Desktop Workstation 5, and Linux 
Desktop 5 allows remote attackers to inject arbitrary web script or HTML via 
the time parameter, related to "invalid HTML." NOTE: this is due to a missing 
fix for CVE-2009-0781.<span class="Apple-converted-space"> </span></span></p>
-<ul class="ul1">
-  <li class="li5"><span class="s7"></span><span class="s8">CONFIRM - <a 
href="https://bugzilla.redhat.com/show_bug.cgi?id=616717";><span 
class="s2">https://bugzilla.redhat.com/show_bug.cgi?id=616717</span></a></span></li>
-  <li class="li5"><span class="s7"></span><span class="s8">REDHAT - <a 
href="http://www.redhat.com/support/errata/RHSA-2010-0580.html";><span 
class="s2">RHSA-2010:0580</span></a></span></li>
-  <li class="li5"><span class="s7"></span><span class="s8">VUPEN - <a 
href="http://www.vupen.com/english/advisories/2010/1986";><span 
class="s2">ADV-2010-1986</span></a></span></li>
-</ul>
-<p class="p10"><span class="s1"></span><br></p>
-<p class="p7"><span class="s6">Vulnerable Software &amp; Versions:</span></p>
-<ul class="ul1">
-  <li class="li5"><span class="s9"><a 
href="https://web.nvd.nist.gov/view/vuln/search-results?adv_search=true&amp;cves=on&amp;cpe_version=cpe%3A%2Fa%3Aapache%3Atomcat";><span
 class="s13">cpe:/a:apache:tomcat</span></a></span><span class="s8"><span 
class="Apple-converted-space"> </span></span></li>
-</ul>
-<p class="p10"><span class="s1"></span><br></p>
-<p class="p9"><span class="s11"><a 
href="http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-5461";><b>CVE-2007-5461</b></a></span><span
 class="s8">  </span><span class="s10">suppress</span></p>
-<p class="p7"><span class="s6">Severity: Low </span><span class="s1"><br>
-</span><span class="s6">CVSS Score: 3.5 (AV:N/AC:M/Au:S/C:P/I:N/A:N) 
</span><span class="s1"><br>
-</span><span class="s6">CWE: CWE-22 Improper Limitation of a Pathname to a 
Restricted Directory ('Path Traversal')<span class="Apple-converted-space"> 
</span></span></p>
-<p class="p7"><span class="s6">Absolute path traversal vulnerability in Apache 
Tomcat 4.0.0 through 4.0.6, 4.1.0, 5.0.0, 5.5.0 through 5.5.25, and 6.0.0 
through 6.0.14, under certain configurations, allows remote authenticated users 
to read arbitrary files via a WebDAV write request that specifies an entity 
with a SYSTEM tag.<span class="Apple-converted-space"> </span></span></p>
-<ul class="ul1">
-  <li class="li5"><span class="s7"></span><span class="s8">APPLE - <a 
href="http://lists.apple.com/archives/security-announce/2008//Jun/msg00002.html";><span
 class="s2">APPLE-SA-2008-06-30</span></a></span></li>
-  <li class="li5"><span class="s7"></span><span class="s8">APPLE - <a 
href="http://lists.apple.com/archives/security-announce/2008/Oct/msg00001.html";><span
 class="s2">APPLE-SA-2008-10-09</span></a></span></li>
-  <li class="li3"><span class="s9"></span><span class="s6">BID - <a 
href="http://www.securityfocus.com/bid/26070";><span 
class="s2">26070</span></a></span></li>
-  <li class="li3"><span class="s9"></span><span class="s6">BID - <a 
href="http://www.securityfocus.com/bid/31681";><span 
class="s2">31681</span></a></span></li>
-  <li class="li5"><span class="s7"></span><span class="s8">BUGTRAQ - <a 
href="http://www.securityfocus.com/archive/1/archive/1/507985/100/0/threaded";><span
 class="s2">20091120 VMSA-2009-0016 VMware vCenter and ESX update release and 
vMA patch release address multiple security issue in third party 
components</span></a></span></li>
-  <li class="li5"><span class="s7"></span><span class="s8">CONFIRM - <a 
href="http://geronimo.apache.org/2007/10/18/potential-vulnerability-in-apache-tomcat-webdav-servlet.html";><span
 
class="s2">http://geronimo.apache.org/2007/10/18/potential-vulnerability-in-apache-tomcat-webdav-servlet.html</span></a></span></li>
-  <li class="li5"><span class="s7"></span><span class="s8">CONFIRM - <a 
href="http://support.apple.com/kb/HT2163";><span 
class="s2">http://support.apple.com/kb/HT2163</span></a></span></li>
-  <li class="li5"><span class="s7"></span><span class="s8">CONFIRM - <a 
href="http://support.apple.com/kb/HT3216";><span 
class="s2">http://support.apple.com/kb/HT3216</span></a></span></li>
-  <li class="li5"><span class="s7"></span><span class="s8">CONFIRM - <a 
href="http://support.avaya.com/elmodocs2/security/ASA-2008-401.htm";><span 
class="s2">http://support.avaya.com/elmodocs2/security/ASA-2008-401.htm</span></a></span></li>
-  <li class="li5"><span class="s7"></span><span class="s8">CONFIRM - <a 
href="http://tomcat.apache.org/security-4.html";><span 
class="s2">http://tomcat.apache.org/security-4.html</span></a></span></li>
-  <li class="li5"><span class="s7"></span><span class="s8">CONFIRM - <a 
href="http://tomcat.apache.org/security-5.html";><span 
class="s2">http://tomcat.apache.org/security-5.html</span></a></span></li>
-  <li class="li5"><span class="s7"></span><span class="s8">CONFIRM - <a 
href="http://tomcat.apache.org/security-6.html";><span 
class="s2">http://tomcat.apache.org/security-6.html</span></a></span></li>
-  <li class="li5"><span class="s7"></span><span class="s8">CONFIRM - <a 
href="http://www-1.ibm.com/support/docview.wss?uid=swg21286112";><span 
class="s2">http://www-1.ibm.com/support/docview.wss?uid=swg21286112</span></a></span></li>
-  <li class="li5"><span class="s7"></span><span class="s8">CONFIRM - <a 
href="http://www.vmware.com/security/advisories/VMSA-2008-0010.html";><span 
class="s2">http://www.vmware.com/security/advisories/VMSA-2008-0010.html</span></a></span></li>
-  <li class="li5"><span class="s7"></span><span class="s8">CONFIRM - <a 
href="http://www.vmware.com/security/advisories/VMSA-2009-0016.html";><span 
class="s2">http://www.vmware.com/security/advisories/VMSA-2009-0016.html</span></a></span></li>
-  <li class="li3"><span class="s9"></span><span class="s6">DEBIAN - <a 
href="http://www.debian.org/security/2008/dsa-1447";><span 
class="s2">DSA-1447</span></a></span></li>
-  <li class="li3"><span class="s9"></span><span class="s6">DEBIAN - <a 
href="http://www.debian.org/security/2008/dsa-1453";><span 
class="s2">DSA-1453</span></a></span></li>
-  <li class="li5"><span class="s7"></span><span class="s8">FEDORA - <a 
href="https://www.redhat.com/archives/fedora-package-announce/2007-November/msg00525.html";><span
 class="s2">FEDORA-2007-3456</span></a></span></li>
-  <li class="li5"><span class="s7"></span><span class="s8">FULLDISC - <a 
href="http://marc.info/?l=full-disclosure&amp;m=119239530508382";><span 
class="s2">20071014 Apache Tomcat Rem0Te FiLe DiscloSure 
ZeroDay</span></a></span></li>
-  <li class="li5"><span class="s7"></span><span class="s8">GENTOO - <a 
href="http://security.gentoo.org/glsa/glsa-200804-10.xml";><span 
class="s2">GLSA-200804-10</span></a></span></li>
-  <li class="li5"><span class="s7"></span><span class="s8">HP - <a 
href="http://marc.info/?l=bugtraq&amp;m=139344343412337&amp;w=2";><span 
class="s2">HPSBST02955</span></a></span></li>
-  <li class="li13"><span class="s9"></span><span class="s14">MANDRIVA - <a 
href="http://www.mandriva.com/security/advisories?name=MDKSA-2007:241";><span 
class="s2">MDKSA-2007:241</span></a></span></li>
-  <li class="li13"><span class="s9"></span><span class="s14">MANDRIVA - <a 
href="http://www.mandriva.com/security/advisories?name=MDVSA-2009:136";><span 
class="s2">MDVSA-2009:136</span></a></span></li>
-  <li class="li3"><span class="s9"></span><span class="s6">MILW0RM - <a 
href="http://www.milw0rm.com/exploits/4530";><span 
class="s2">4530</span></a></span></li>
-  <li class="li5"><span class="s7"></span><span class="s8">MISC - <a 
href="http://issues.apache.org/jira/browse/GERONIMO-3549";><span 
class="s2">http://issues.apache.org/jira/browse/GERONIMO-3549</span></a></span></li>
-  <li class="li5"><span class="s7"></span><span class="s8">MLIST - <a 
href="http://mail-archives.apache.org/mod_mbox/tomcat-users/200710.mbox/%[email protected]%3E";><span
 class="s2">[tomcat-users] 20071015 [Security] - Important vulnerability 
disclosed in Apache Tomcat webdav servlet</span></a></span></li>
-  <li class="li5"><span class="s7"></span><span class="s8">REDHAT - <a 
href="http://www.redhat.com/support/errata/RHSA-2008-0042.html";><span 
class="s2">RHSA-2008:0042</span></a></span></li>
-  <li class="li5"><span class="s7"></span><span class="s8">REDHAT - <a 
href="http://www.redhat.com/support/errata/RHSA-2008-0195.html";><span 
class="s2">RHSA-2008:0195</span></a></span></li>
-  <li class="li5"><span class="s7"></span><span class="s8">REDHAT - <a 
href="http://www.redhat.com/support/errata/RHSA-2008-0261.html";><span 
class="s2">RHSA-2008:0261</span></a></span></li>
-  <li class="li5"><span class="s7"></span><span class="s8">REDHAT - <a 
href="http://rhn.redhat.com/errata/RHSA-2008-0630.html";><span 
class="s2">RHSA-2008:0630</span></a></span></li>
-  <li class="li5"><span class="s7"></span><span class="s8">REDHAT - <a 
href="http://www.redhat.com/support/errata/RHSA-2008-0862.html";><span 
class="s2">RHSA-2008:0862</span></a></span></li>
-  <li class="li3"><span class="s9"></span><span class="s6">SECTRACK - <a 
href="http://www.securitytracker.com/id?1018864";><span 
class="s2">1018864</span></a></span></li>
-  <li class="li3"><span class="s9"></span><span class="s6">SUNALERT - <a 
href="http://sunsolve.sun.com/search/document.do?assetkey=1-26-239312-1";><span 
class="s2">239312</span></a></span></li>
-  <li class="li5"><span class="s7"></span><span class="s8">SUSE - <a 
href="http://lists.opensuse.org/opensuse-security-announce/2008-03/msg00001.html";><span
 class="s2">SUSE-SR:2008:005</span></a></span></li>
-  <li class="li5"><span class="s7"></span><span class="s8">SUSE - <a 
href="http://lists.opensuse.org/opensuse-security-announce/2009-02/msg00002.html";><span
 class="s2">SUSE-SR:2009:004</span></a></span></li>
-  <li class="li5"><span class="s7"></span><span class="s8">VUPEN - <a 
href="http://www.vupen.com/english/advisories/2007/3622";><span 
class="s2">ADV-2007-3622</span></a></span></li>
-  <li class="li5"><span class="s7"></span><span class="s8">VUPEN - <a 
href="http://www.vupen.com/english/advisories/2007/3671";><span 
class="s2">ADV-2007-3671</span></a></span></li>
-  <li class="li5"><span class="s7"></span><span class="s8">VUPEN - <a 
href="http://www.vupen.com/english/advisories/2007/3674";><span 
class="s2">ADV-2007-3674</span></a></span></li>
-  <li class="li5"><span class="s7"></span><span class="s8">VUPEN - <a 
href="http://www.vupen.com/english/advisories/2008/1856/references";><span 
class="s2">ADV-2008-1856</span></a></span></li>
-  <li class="li5"><span class="s7"></span><span class="s8">VUPEN - <a 
href="http://www.vupen.com/english/advisories/2008/1979/references";><span 
class="s2">ADV-2008-1979</span></a></span></li>
-  <li class="li5"><span class="s7"></span><span class="s8">VUPEN - <a 
href="http://www.vupen.com/english/advisories/2008/1981/references";><span 
class="s2">ADV-2008-1981</span></a></span></li>
-  <li class="li5"><span class="s7"></span><span class="s8">VUPEN - <a 
href="http://www.vupen.com/english/advisories/2008/2780";><span 
class="s2">ADV-2008-2780</span></a></span></li>
-  <li class="li5"><span class="s7"></span><span class="s8">VUPEN - <a 
href="http://www.vupen.com/english/advisories/2008/2823";><span 
class="s2">ADV-2008-2823</span></a></span></li>
-  <li class="li5"><span class="s7"></span><span class="s8">VUPEN - <a 
href="http://www.vupen.com/english/advisories/2009/3316";><span 
class="s2">ADV-2009-3316</span></a></span></li>
-  <li class="li5"><span class="s7"></span><span class="s8">XF - <a 
href="http://xforce.iss.net/xforce/xfdb/37243";><span 
class="s2">apache-tomcat-webdav-dir-traversal(37243)</span></a></span></li>
-</ul>
-<p class="p10"><span class="s1"></span><br></p>
-<p class="p7"><span class="s6">Vulnerable Software &amp; Versions:</span></p>
-<ul class="ul1">
-  <li class="li5"><span class="s9"><a 
href="https://web.nvd.nist.gov/view/vuln/search-results?adv_search=true&amp;cves=on&amp;cpe_version=cpe%3A%2Fa%3Aapache%3Atomcat";><span
 class="s13">cpe:/a:apache:tomcat</span></a></span><span class="s8"><span 
class="Apple-converted-space"> </span></span></li>
-</ul>
-<p class="p10"><span class="s1"></span><br></p>
-<p class="p9"><span class="s11"><a 
href="http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2002-0493";><b>CVE-2002-0493</b></a></span><span
 class="s8">  </span><span class="s10">suppress</span></p>
-<p class="p7"><span class="s6">Severity: High </span><span class="s1"><br>
-</span><span class="s6">CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)<span 
class="Apple-converted-space"> </span></span></p>
-<p class="p7"><span class="s6">Apache Tomcat may be started without proper 
security settings if errors are encountered while reading the web.xml file, 
which could allow attackers to bypass intended restrictions.<span 
class="Apple-converted-space"> </span></span></p>
-<ul class="ul1">
-  <li class="li5"><span class="s7"></span><span class="s8">BUGTRAQ - <a 
href="http://marc.theaimsgroup.com/?l=bugtraq&amp;m=101709002410365&amp;w=2";><span
 class="s2">20020325 re: Tomcat Security Exposure</span></a></span></li>
-  <li class="li5"><span class="s7"></span><span class="s8">MISC - <a 
href="http://www.apachelabs.org/tomcat-dev/200108.mbox/%[email protected]%3E";><span
 
class="s2">http://www.apachelabs.org/tomcat-dev/200108.mbox/%[email protected]%3E</span></a></span></li>
-  <li class="li5"><span class="s7"></span><span class="s8">XF - <a 
href="http://www.iss.net/security_center/static/9863.php";><span 
class="s2">tomcat-xml-bypass-restrictions(9863)</span></a></span></li>
-</ul>
-<p class="p10"><span class="s1"></span><br></p>
-<p class="p7"><span class="s6">Vulnerable Software &amp; Versions:</span></p>
-<ul class="ul1">
-  <li class="li5"><span class="s9"><a 
href="https://web.nvd.nist.gov/view/vuln/search-results?adv_search=true&amp;cves=on&amp;cpe_version=cpe%3A%2Fa%3Aapache%3Atomcat";><span
 class="s13">cpe:/a:apache:tomcat</span></a></span><span class="s8"><span 
class="Apple-converted-space"> </span></span></li>
-</ul>
-<p class="p10"><span class="s1"></span><br></p>
-<h3 style="margin: 0.0px 20.0px 0.0px 0.0px; line-height: 17.0px; font: 15.0px 
Arial; color: #000000; -webkit-text-stroke: #000000; background-color: 
#cccccc"><span class="s1"><b>axis2-kernel-1.7.1.jar</b></span></h3>
-<p class="p7"><span class="s6"><b>Description:</b> Core Parts of Axis2. This 
includes Axis2 engine, Client API, Addressing support, etc., </span><span 
class="s1"><br>
-</span></p>
-<p class="p7"><span class="s6"><b>File Path:</b> 
/Users/deepakdixit/sandbox/plain_ofbiz/framework/service/lib/axis2-kernel-1.7.1.jar</span><span
 class="s1"><br>
-</span><span class="s6"><b>MD5:</b> 
f3b93056eebaf4c7f71c84def4f486e9</span><span class="s1"><br>
-</span><span class="s6"><b>SHA1:</b> 
b60e8f9dfc753a9d3aff02dbaee58a560afffbc3<span class="Apple-converted-space"> 
</span></span></p>
-<h4 style="margin: 0.0px 20.0px 0.0px 0.0px; line-height: 15.0px; font: 13.0px 
Arial; color: #000000; -webkit-text-stroke: #000000; background-color: 
#ffffff"><span class="s1"><b>Evidence</b></span></h4>
-<h4 style="margin: 0.0px 20.0px 0.0px 0.0px; line-height: 15.0px; font: 13.0px 
Arial; color: #000000; -webkit-text-stroke: #000000; background-color: 
#ffffff"><span class="s1"><b>Related Dependencies</b></span></h4>
-<h4 style="margin: 0.0px 20.0px 0.0px 0.0px; line-height: 15.0px; font: 13.0px 
Arial; color: #000000; -webkit-text-stroke: #000000; background-color: 
#ffffff"><span class="s1"><b>Identifiers</b></span></h4>
-<ul class="ul1">
-  <li class="li3"><span class="s9"><b></b></span><span class="s6"><b>cpe:</b> 
cpe:/a:apache:axis2:1.7.1   <i>Confidence</i>:LOW   </span><span 
class="s10">suppress</span><span class="s6"><span 
class="Apple-converted-space"> </span></span></li>
-  <li class="li3"><span class="s9"><b></b></span><span 
class="s6"><b>maven:</b> org.apache.axis2:axis2-kernel:1.7.1   
<i>Confidence</i>:HIGH<span class="Apple-converted-space"> </span></span></li>
-</ul>
-<h4 style="margin: 0.0px 20.0px 0.0px 0.0px; line-height: 15.0px; font: 13.0px 
Arial; color: #000000; -webkit-text-stroke: #000000; background-color: 
#ffffff"><span class="s1"><b>Published Vulnerabilities</b></span></h4>
-<p class="p9"><span class="s11"><a 
href="http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-5351";><b>CVE-2012-5351</b></a></span><span
 class="s8">  </span><span class="s10">suppress</span></p>
-<p class="p7"><span class="s6">Severity: Medium </span><span class="s1"><br>
-</span><span class="s6">CVSS Score: 6.4 (AV:N/AC:L/Au:N/C:P/I:P/A:N) 
</span><span class="s1"><br>
-</span><span class="s6">CWE: CWE-287 Improper Authentication<span 
class="Apple-converted-space"> </span></span></p>
-<p class="p7"><span class="s6">Apache Axis2 allows remote attackers to forge 
messages and bypass authentication via a SAML assertion that lacks a Signature 
element, aka a "Signature exclusion attack," a different vulnerability than 
CVE-2012-4418.<span class="Apple-converted-space"> </span></span></p>
-<ul class="ul1">
-  <li class="li5"><span class="s7"></span><span class="s8">MISC - <a 
href="http://www.nds.rub.de/media/nds/veroeffentlichungen/2012/08/22/BreakingSAML_3.pdf";><span
 
class="s2">http://www.nds.rub.de/media/nds/veroeffentlichungen/2012/08/22/BreakingSAML_3.pdf</span></a></span></li>
-  <li class="li5"><span class="s7"></span><span class="s8">XF - <a 
href="http://xforce.iss.net/xforce/xfdb/79487";><span 
class="s2">apache-axis2-saml-sec-bypass(79487)</span></a></span></li>
-</ul>
-<p class="p10"><span class="s1"></span><br></p>
-<p class="p7"><span class="s6">Vulnerable Software &amp; Versions:</span></p>
-<ul class="ul1">
-  <li class="li5"><span class="s9"><a 
href="https://web.nvd.nist.gov/view/vuln/search-results?adv_search=true&amp;cves=on&amp;cpe_version=cpe%3A%2Fa%3Aapache%3Aaxis2%3A-";><span
 class="s13">cpe:/a:apache:axis2:-</span></a></span><span class="s8"><span 
class="Apple-converted-space"> </span></span></li>
-</ul>
-<p class="p10"><span class="s1"></span><br></p>
-<p class="p9"><span class="s11"><a 
href="http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-4418";><b>CVE-2012-4418</b></a></span><span
 class="s8">  </span><span class="s10">suppress</span></p>
-<p class="p7"><span class="s6">Severity: Medium </span><span class="s1"><br>
-</span><span class="s6">CVSS Score: 5.8 (AV:N/AC:M/Au:N/C:P/I:P/A:N) 
</span><span class="s1"><br>
-</span><span class="s6">CWE: CWE-287 Improper Authentication<span 
class="Apple-converted-space"> </span></span></p>
-<p class="p7"><span class="s6">Apache Axis2 allows remote attackers to forge 
messages and bypass authentication via an "XML Signature wrapping attack."<span 
class="Apple-converted-space"> </span></span></p>
-<ul class="ul1">
-  <li class="li3"><span class="s9"></span><span class="s6">BID - <a 
href="http://www.securityfocus.com/bid/55508";><span 
class="s2">55508</span></a></span></li>
-  <li class="li5"><span class="s7"></span><span class="s8">CONFIRM - <a 
href="https://bugzilla.redhat.com/show_bug.cgi?id=856755";><span 
class="s2">https://bugzilla.redhat.com/show_bug.cgi?id=856755</span></a></span></li>
-  <li class="li5"><span class="s7"></span><span class="s8">MISC - <a 
href="http://www.nds.rub.de/media/nds/veroeffentlichungen/2012/08/22/BreakingSAML_3.pdf";><span
 
class="s2">http://www.nds.rub.de/media/nds/veroeffentlichungen/2012/08/22/BreakingSAML_3.pdf</span></a></span></li>
-  <li class="li5"><span class="s7"></span><span class="s8">MLIST - <a 
href="http://www.openwall.com/lists/oss-security/2012/09/12/1";><span 
class="s2">[oss-security] 20120912 CVE Request: Apache Axis2 XML Signature 
Wrapping Attack</span></a></span></li>
-  <li class="li5"><span class="s7"></span><span class="s8">MLIST - <a 
href="http://www.openwall.com/lists/oss-security/2012/09/13/1";><span 
class="s2">[oss-security] 20120912 Re: CVE Request: Apache Axis2 XML Signature 
Wrapping Attack</span></a></span></li>
-</ul>
-<p class="p10"><span class="s1"></span><br></p>
-<p class="p7"><span class="s6">Vulnerable Software &amp; Versions:</span></p>
-<ul class="ul1">
-  <li class="li5"><span class="s9"><a 
href="https://web.nvd.nist.gov/view/vuln/search-results?adv_search=true&amp;cves=on&amp;cpe_version=cpe%3A%2Fa%3Aapache%3Aaxis2%3A-";><span
 class="s13">cpe:/a:apache:axis2:-</span></a></span><span class="s8"><span 
class="Apple-converted-space"> </span></span></li>
-</ul>
-<p class="p10"><span class="s1"></span><br></p>
-<h3 style="margin: 0.0px 20.0px 0.0px 0.0px; line-height: 17.0px; font: 15.0px 
Arial; color: #000000; -webkit-text-stroke: #000000; background-color: 
#cccccc"><span class="s1"><b>axis-1.4.jar</b></span></h3>
-<p class="p7"><span class="s6"><b>Description:</b>  An implementation of the 
SOAP ("Simple Object Access Protocol") submission to W3C. </span><span 
class="s1"><br>
-</span></p>
-<p class="p7"><span class="s6"><b>License:</b></span></p>
-<p class="p11"><span class="s6">The Apache Software License, Version 2.0: 
http://www.apache.org/licenses/LICENSE-2.0.txt</span></p>
-<p class="p3"><span class="s6"><b>File Path:</b> 
/Users/deepakdixit/sandbox/plain_ofbiz/specialpurpose/birt/lib/axis-1.4.jar</span></p>
-<p class="p3"><span class="s6"><b>MD5:</b> 
03dcfdd88502505cc5a805a128bfdd8d</span></p>
-<p class="p12"><span class="s1"><b>SHA1:</b> 
94a9ce681a42d0352b3ad22659f67835e560d107</span></p>
-<p class="p10"><span class="s1"></span><br></p>
-<h4 style="margin: 0.0px 20.0px 0.0px 0.0px; line-height: 15.0px; font: 13.0px 
Arial; color: #000000; -webkit-text-stroke: #000000; background-color: 
#ffffff"><span class="s1"><b>Evidence</b></span></h4>
-<h4 style="margin: 0.0px 20.0px 0.0px 0.0px; line-height: 15.0px; font: 13.0px 
Arial; color: #000000; -webkit-text-stroke: #000000; background-color: 
#ffffff"><span class="s1"><b>Related Dependencies</b></span></h4>
-<h4 style="margin: 0.0px 20.0px 0.0px 0.0px; line-height: 15.0px; font: 13.0px 
Arial; color: #000000; -webkit-text-stroke: #000000; background-color: 
#ffffff"><span class="s1"><b>Identifiers</b></span></h4>
-<ul class="ul1">
-  <li class="li3"><span class="s9"><b></b></span><span 
class="s6"><b>maven:</b> <a 
href="http://search.maven.org/remotecontent?filepath=axis/axis/1.4/axis-1.4.jar";><span
 class="s2">axis:axis:1.4</span></a>   <i>Confidence</i>:HIGHEST<span 
class="Apple-converted-space"> </span></span></li>
-  <li class="li3"><span class="s9"><b></b></span><span class="s6"><b>cpe:</b> 
<a 
href="https://web.nvd.nist.gov/view/vuln/search-results?adv_search=true&amp;cves=on&amp;cpe_version=cpe%3A%2Fa%3Aapache%3Aaxis%3A1.4";><span
 class="s2">cpe:/a:apache:axis:1.4</span></a>   <i>Confidence</i>:HIGHEST   
</span><span class="s10">suppress</span><span class="s6"><span 
class="Apple-converted-space"> </span></span></li>
-  <li class="li3"><span class="s9"><b></b></span><span 
class="s6"><b>maven:</b> <a 
href="http://search.maven.org/remotecontent?filepath=org/apache/axis/axis/1.4/axis-1.4.jar";><span
 class="s2">org.apache.axis:axis:1.4</span></a>   
<i>Confidence</i>:HIGHEST<span class="Apple-converted-space"> 
</span></span></li>
-</ul>
-<h4 style="margin: 0.0px 20.0px 0.0px 0.0px; line-height: 15.0px; font: 13.0px 
Arial; color: #000000; -webkit-text-stroke: #000000; background-color: 
#ffffff"><span class="s1"><b>Published Vulnerabilities</b></span></h4>
-<p class="p9"><span class="s11"><a 
href="http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3596";><b>CVE-2014-3596</b></a></span><span
 class="s8">  </span><span class="s10">suppress</span></p>
-<p class="p7"><span class="s6">Severity: Medium </span><span class="s1"><br>
-</span><span class="s6">CVSS Score: 5.8 (AV:N/AC:M/Au:N/C:P/I:P/A:N)<span 
class="Apple-converted-space"> </span></span></p>
-<p class="p7"><span class="s6">The getCN function in Apache Axis 1.4 and 
earlier does not properly verify that the server hostname matches a domain name 
in the subject's Common Name (CN) or subjectAltName field of the X.509 
certificate, which allows man-in-the-middle attackers to spoof SSL servers via 
a certificate with a subject that specifies a common name in a field that is 
not the CN field. NOTE: this issue exists because of an incomplete fix for 
CVE-2012-5784.<span class="Apple-converted-space"> </span></span></p>
-<ul class="ul1">
-  <li class="li3"><span class="s9"></span><span class="s6">BID - <a 
href="http://www.securityfocus.com/bid/69295";><span 
class="s2">69295</span></a></span></li>
-  <li class="li5"><span class="s7"></span><span class="s8">MISC - <a 
href="https://issues.apache.org/jira/browse/AXIS-2905";><span 
class="s2">https://issues.apache.org/jira/browse/AXIS-2905</span></a></span></li>
-  <li class="li5"><span class="s7"></span><span class="s8">MLIST - <a 
href="http://www.openwall.com/lists/oss-security/2014/08/20/2";><span 
class="s2">[oss-security] 20140820 CVE-2014-3596 - Apache Axis 1 vulnerable to 
MITM attack</span></a></span></li>
-  <li class="li5"><span class="s7"></span><span class="s8">REDHAT - <a 
href="http://rhn.redhat.com/errata/RHSA-2014-1193.html";><span 
class="s2">RHSA-2014:1193</span></a></span></li>
-  <li class="li3"><span class="s9"></span><span class="s6">SECTRACK - <a 
href="http://www.securitytracker.com/id/1030745";><span 
class="s2">1030745</span></a></span></li>
-  <li class="li5"><span class="s7"></span><span class="s8">XF - <a 
href="http://xforce.iss.net/xforce/xfdb/95377";><span 
class="s2">apache-axis-cve20143596-spoofing(95377)</span></a></span></li>
-</ul>
-<p class="p10"><span class="s1"></span><br></p>
-<p class="p7"><span class="s6">Vulnerable Software &amp; Versions: 
(</span><span class="s12">show all</span><span class="s6">)</span></p>
-<ul class="ul1">
-  <li class="li3"><span class="s15"><a 
href="https://web.nvd.nist.gov/view/vuln/search-results?adv_search=true&amp;cves=on&amp;cpe_version=cpe%3A%2Fa%3Aapache%3Aaxis%3A1.4";><span
 class="s16">cpe:/a:apache:axis:1.4</span></a></span><span class="s6"> and all 
previous versions</span></li>
-  <li class="li3"><span class="s9"></span><span class="s6">...</span></li>
-</ul>
-<p class="p10"><span class="s1"></span><br></p>
-<p class="p9"><span class="s11"><a 
href="http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-5784";><b>CVE-2012-5784</b></a></span><span
 class="s8">  </span><span class="s10">suppress</span></p>
-<p class="p7"><span class="s6">Severity: Medium </span><span class="s1"><br>
-</span><span class="s6">CVSS Score: 5.8 (AV:N/AC:M/Au:N/C:P/I:P/A:N) 
</span><span class="s1"><br>
-</span><span class="s6">CWE: CWE-20 Improper Input Validation<span 
class="Apple-converted-space"> </span></span></p>
-<p class="p7"><span class="s6">Apache Axis 1.4 and earlier, as used in PayPal 
Payments Pro, PayPal Mass Pay, PayPal Transactional Information SOAP, the Java 
Message Service implementation in Apache ActiveMQ, and other products, does not 
verify that the server hostname matches a domain name in the subject's Common 
Name (CN) or subjectAltName field of the X.509 certificate, which allows 
man-in-the-middle attackers to spoof SSL servers via an arbitrary valid 
certificate.<span class="Apple-converted-space"> </span></span></p>
-<ul class="ul1">
-  <li class="li3"><span class="s9"></span><span class="s6">BID - <a 
href="http://www.securityfocus.com/bid/56408";><span 
class="s2">56408</span></a></span></li>
-  <li class="li5"><span class="s7"></span><span class="s8">MISC - <a 
href="http://www.cs.utexas.edu/~shmat/shmat_ccs12.pdf";><span 
class="s2">http://www.cs.utexas.edu/~shmat/shmat_ccs12.pdf</span></a></span></li>
-  <li class="li5"><span class="s7"></span><span class="s8">REDHAT - <a 
href="http://rhn.redhat.com/errata/RHSA-2013-0269.html";><span 
class="s2">RHSA-2013:0269</span></a></span></li>
-  <li class="li5"><span class="s7"></span><span class="s8">REDHAT - <a 
href="http://rhn.redhat.com/errata/RHSA-2013-0683.html";><span 
class="s2">RHSA-2013:0683</span></a></span></li>
-  <li class="li5"><span class="s7"></span><span class="s8">REDHAT - <a 
href="http://rhn.redhat.com/errata/RHSA-2014-0037.html";><span 
class="s2">RHSA-2014:0037</span></a></span></li>
-  <li class="li5"><span class="s7"></span><span class="s8">XF - <a 
href="http://xforce.iss.net/xforce/xfdb/79829";><span 
class="s2">apache-axis-ssl-spoofing(79829)</span></a></span></li>
-</ul>
-<p class="p10"><span class="s1"></span><br></p>
-<p class="p7"><span class="s6">Vulnerable Software &amp; Versions: 
(</span><span class="s12">show all</span><span class="s6">)</span></p>
-<ul class="ul1">
-  <li class="li3"><span class="s15"><a 
href="https://web.nvd.nist.gov/view/vuln/search-results?adv_search=true&amp;cves=on&amp;cpe_version=cpe%3A%2Fa%3Aapache%3Aaxis%3A1.4";><span
 class="s16">cpe:/a:apache:axis:1.4</span></a></span><span class="s6"> and all 
previous versions</span></li>
-  <li class="li3"><span class="s9"></span><span class="s6">...</span></li>
-</ul>
-<p class="p10"><span class="s1"></span><br></p>
-<h3 style="margin: 0.0px 20.0px 0.0px 0.0px; line-height: 17.0px; font: 15.0px 
Arial; color: #000000; -webkit-text-stroke: #000000; background-color: 
#cccccc"><span class="s1"><b>jaxrpc.jar</b></span></h3>
-<p class="p7"><span class="s6"><b>File Path:</b> 
/Users/deepakdixit/sandbox/plain_ofbiz/specialpurpose/birt/lib/jaxrpc.jar</span><span
 class="s1"><br>
-</span><span class="s6"><b>MD5:</b> 
b4592e5eccfeeeae87cfadef0ca66c66</span><span class="s1"><br>
-</span><span class="s6"><b>SHA1:</b> 
b393f1f0c0d95b68c86d0b1ab2e687bb71f3c075<span class="Apple-converted-space"> 
</span></span></p>
-<h4 style="margin: 0.0px 20.0px 0.0px 0.0px; line-height: 15.0px; font: 13.0px 
Arial; color: #000000; -webkit-text-stroke: #000000; background-color: 
#ffffff"><span class="s1"><b>Evidence</b></span></h4>
-<h4 style="margin: 0.0px 20.0px 0.0px 0.0px; line-height: 15.0px; font: 13.0px 
Arial; color: #000000; -webkit-text-stroke: #000000; background-color: 
#ffffff"><span class="s1"><b>Identifiers</b></span></h4>
-<ul class="ul1">
-  <li class="li3"><span class="s9"><b></b></span><span 
class="s6"><b>maven:</b> <a 
href="http://search.maven.org/remotecontent?filepath=axis/axis-jaxrpc/1.4/axis-jaxrpc-1.4.jar";><span
 class="s2">axis:axis-jaxrpc:1.4</span></a>   <i>Confidence</i>:HIGHEST<span 
class="Apple-converted-space"> </span></span></li>
-  <li class="li3"><span class="s9"><b></b></span><span class="s6"><b>cpe:</b> 
<a 
href="https://web.nvd.nist.gov/view/vuln/search-results?adv_search=true&amp;cves=on&amp;cpe_version=cpe%3A%2Fa%3Aapache%3Aaxis%3A1.4";><span
 class="s2">cpe:/a:apache:axis:1.4</span></a>   <i>Confidence</i>:HIGHEST   
</span><span class="s10">suppress</span><span class="s6"><span 
class="Apple-converted-space"> </span></span></li>
-  <li class="li13"><span class="s9"><b></b></span><span 
class="s14"><b>maven:</b> <a 
href="http://search.maven.org/remotecontent?filepath=org/apache/axis/axis-jaxrpc/1.4/axis-jaxrpc-1.4.jar";><span
 class="s2">org.apache.axis:axis-jaxrpc:1.4</span></a>   
<i>Confidence</i>:HIGHEST<span class="Apple-converted-space"> 
</span></span></li>
-</ul>
-<h4 style="margin: 0.0px 20.0px 0.0px 0.0px; line-height: 15.0px; font: 13.0px 
Arial; color: #000000; -webkit-text-stroke: #000000; background-color: 
#ffffff"><span class="s1"><b>Published Vulnerabilities</b></span></h4>
-<p class="p9"><span class="s11"><a 
href="http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3596";><b>CVE-2014-3596</b></a></span><span
 class="s8">  </span><span class="s10">suppress</span></p>
-<p class="p7"><span class="s6">Severity: Medium </span><span class="s1"><br>
-</span><span class="s6">CVSS Score: 5.8 (AV:N/AC:M/Au:N/C:P/I:P/A:N)<span 
class="Apple-converted-space"> </span></span></p>
-<p class="p7"><span class="s6">The getCN function in Apache Axis 1.4 and 
earlier does not properly verify that the server hostname matches a domain name 
in the subject's Common Name (CN) or subjectAltName field of the X.509 
certificate, which allows man-in-the-middle attackers to spoof SSL servers via 
a certificate with a subject that specifies a common name in a field that is 
not the CN field. NOTE: this issue exists because of an incomplete fix for 
CVE-2012-5784.<span class="Apple-converted-space"> </span></span></p>
-<ul class="ul1">
-  <li class="li3"><span class="s9"></span><span class="s6">BID - <a 
href="http://www.securityfocus.com/bid/69295";><span 
class="s2">69295</span></a></span></li>
-  <li class="li5"><span class="s7"></span><span class="s8">MISC - <a 
href="https://issues.apache.org/jira/browse/AXIS-2905";><span 
class="s2">https://issues.apache.org/jira/browse/AXIS-2905</span></a></span></li>
-  <li class="li5"><span class="s7"></span><span class="s8">MLIST - <a 
href="http://www.openwall.com/lists/oss-security/2014/08/20/2";><span 
class="s2">[oss-security] 20140820 CVE-2014-3596 - Apache Axis 1 vulnerable to 
MITM attack</span></a></span></li>
-  <li class="li5"><span class="s7"></span><span class="s8">REDHAT - <a 
href="http://rhn.redhat.com/errata/RHSA-2014-1193.html";><span 
class="s2">RHSA-2014:1193</span></a></span></li>
-  <li class="li3"><span class="s9"></span><span class="s6">SECTRACK - <a 
href="http://www.securitytracker.com/id/1030745";><span 
class="s2">1030745</span></a></span></li>
-  <li class="li5"><span class="s7"></span><span class="s8">XF - <a 
href="http://xforce.iss.net/xforce/xfdb/95377";><span 
class="s2">apache-axis-cve20143596-spoofing(95377)</span></a></span></li>
-</ul>
-<p class="p10"><span class="s1"></span><br></p>
-<p class="p7"><span class="s6">Vulnerable Software &amp; Versions: 
(</span><span class="s12">show all</span><span class="s6">)</span></p>
-<ul class="ul1">
-  <li class="li3"><span class="s15"><a 
href="https://web.nvd.nist.gov/view/vuln/search-results?adv_search=true&amp;cves=on&amp;cpe_version=cpe%3A%2Fa%3Aapache%3Aaxis%3A1.4";><span
 class="s16">cpe:/a:apache:axis:1.4</span></a></span><span class="s6"> and all 
previous versions</span></li>
-  <li class="li3"><span class="s9"></span><span class="s6">...</span></li>
-</ul>
-<p class="p10"><span class="s1"></span><br></p>
-<p class="p9"><span class="s11"><a 
href="http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-5784";><b>CVE-2012-5784</b></a></span><span
 class="s8">  </span><span class="s10">suppress</span></p>
-<p class="p7"><span class="s6">Severity: Medium </span><span class="s1"><br>
-</span><span class="s6">CVSS Score: 5.8 (AV:N/AC:M/Au:N/C:P/I:P/A:N) 
</span><span class="s1"><br>
-</span><span class="s6">CWE: CWE-20 Improper Input Validation<span 
class="Apple-converted-space"> </span></span></p>

[... 62760 lines stripped ...]

